Annotation of src/usr.bin/ssh/cipher.c, Revision 1.23
1.1 deraadt 1: /*
1.17 deraadt 2: *
3: * cipher.c
4: *
5: * Author: Tatu Ylonen <ylo@cs.hut.fi>
6: *
7: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: * All rights reserved
9: *
10: * Created: Wed Apr 19 17:41:39 1995 ylo
11: *
12: */
1.1 deraadt 13:
14: #include "includes.h"
1.23 ! deraadt 15: RCSID("$Id: cipher.c,v 1.22 2000/04/04 21:37:27 markus Exp $");
1.1 deraadt 16:
17: #include "ssh.h"
18: #include "cipher.h"
1.8 deraadt 19:
1.12 deraadt 20: #include <ssl/md5.h>
1.1 deraadt 21:
22: /*
1.23 ! deraadt 23: * What kind of triple DES are these 2 routines?
1.1 deraadt 24: *
25: * Why is there a redundant initialization vector?
26: *
27: * If only iv3 was used, then, this would till effect have been
28: * outer-cbc. However, there is also a private iv1 == iv2 which
29: * perhaps makes differential analysis easier. On the other hand, the
30: * private iv1 probably makes the CRC-32 attack ineffective. This is a
31: * result of that there is no longer any known iv1 to use when
32: * choosing the X block.
33: */
34: void
35: SSH_3CBC_ENCRYPT(des_key_schedule ks1,
1.16 markus 36: des_key_schedule ks2, des_cblock * iv2,
37: des_key_schedule ks3, des_cblock * iv3,
1.19 markus 38: unsigned char *dest, unsigned char *src,
1.1 deraadt 39: unsigned int len)
40: {
1.16 markus 41: des_cblock iv1;
1.1 deraadt 42:
1.16 markus 43: memcpy(&iv1, iv2, 8);
1.1 deraadt 44:
1.16 markus 45: des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
46: memcpy(&iv1, dest + len - 8, 8);
1.1 deraadt 47:
1.16 markus 48: des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
49: memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */
1.1 deraadt 50:
1.16 markus 51: des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
52: memcpy(iv3, dest + len - 8, 8);
1.1 deraadt 53: }
54:
55: void
56: SSH_3CBC_DECRYPT(des_key_schedule ks1,
1.16 markus 57: des_key_schedule ks2, des_cblock * iv2,
58: des_key_schedule ks3, des_cblock * iv3,
1.19 markus 59: unsigned char *dest, unsigned char *src,
1.1 deraadt 60: unsigned int len)
61: {
1.16 markus 62: des_cblock iv1;
1.1 deraadt 63:
1.16 markus 64: memcpy(&iv1, iv2, 8);
1.1 deraadt 65:
1.16 markus 66: des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
67: memcpy(iv3, src + len - 8, 8);
1.1 deraadt 68:
1.16 markus 69: des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
70: memcpy(iv2, dest + len - 8, 8);
1.1 deraadt 71:
1.16 markus 72: des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
73: /* memcpy(&iv1, iv2, 8); */
74: /* Note how iv1 == iv2 on entry and exit. */
1.1 deraadt 75: }
76:
77: /*
78: * SSH uses a variation on Blowfish, all bytes must be swapped before
79: * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
80: */
1.16 markus 81: static void
1.1 deraadt 82: swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
83: {
1.16 markus 84: /* dst must be properly aligned. */
85: u_int32_t *dst = (u_int32_t *) dst_;
86: union {
87: u_int32_t i;
88: char c[4];
89: } t;
90:
91: /* Process 8 bytes every lap. */
92: for (n = n / 8; n > 0; n--) {
93: t.c[3] = *src++;
94: t.c[2] = *src++;
95: t.c[1] = *src++;
96: t.c[0] = *src++;
97: *dst++ = t.i;
98:
99: t.c[3] = *src++;
100: t.c[2] = *src++;
101: t.c[1] = *src++;
102: t.c[0] = *src++;
103: *dst++ = t.i;
104: }
1.1 deraadt 105: }
106:
1.18 markus 107: /*
108: * Names of all encryption algorithms.
109: * These must match the numbers defined in cipher.h.
110: */
1.1 deraadt 111: static char *cipher_names[] =
1.4 provos 112: {
1.16 markus 113: "none",
114: "idea",
115: "des",
116: "3des",
117: "tss",
118: "rc4",
1.21 markus 119: "blowfish",
120: "reserved",
121: "blowfish-cbc",
122: "3des-cbc",
123: "arcfour",
124: "cast128-cbc"
1.1 deraadt 125: };
126:
1.18 markus 127: /*
128: * Returns a bit mask indicating which ciphers are supported by this
129: * implementation. The bit mask has the corresponding bit set of each
130: * supported cipher.
131: */
1.1 deraadt 132:
1.16 markus 133: unsigned int
1.22 markus 134: cipher_mask1()
1.1 deraadt 135: {
1.16 markus 136: unsigned int mask = 0;
137: mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
138: mask |= 1 << SSH_CIPHER_BLOWFISH;
1.22 markus 139: return mask;
140: }
141: unsigned int
142: cipher_mask2()
143: {
144: unsigned int mask = 0;
1.21 markus 145: mask |= 1 << SSH_CIPHER_BLOWFISH_CBC;
146: mask |= 1 << SSH_CIPHER_3DES_CBC;
147: mask |= 1 << SSH_CIPHER_ARCFOUR;
148: mask |= 1 << SSH_CIPHER_CAST128_CBC;
1.16 markus 149: return mask;
1.1 deraadt 150: }
1.22 markus 151: unsigned int
152: cipher_mask()
153: {
154: return cipher_mask1() | cipher_mask2();
155: }
1.1 deraadt 156:
157: /* Returns the name of the cipher. */
158:
1.16 markus 159: const char *
160: cipher_name(int cipher)
1.1 deraadt 161: {
1.16 markus 162: if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
163: cipher_names[cipher] == NULL)
164: fatal("cipher_name: bad cipher number: %d", cipher);
165: return cipher_names[cipher];
1.1 deraadt 166: }
167:
1.18 markus 168: /*
169: * Parses the name of the cipher. Returns the number of the corresponding
170: * cipher, or -1 on error.
171: */
1.1 deraadt 172:
1.4 provos 173: int
174: cipher_number(const char *name)
1.1 deraadt 175: {
1.16 markus 176: int i;
177: for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
178: if (strcmp(cipher_names[i], name) == 0 &&
179: (cipher_mask() & (1 << i)))
180: return i;
181: return -1;
1.1 deraadt 182: }
183:
1.18 markus 184: /*
185: * Selects the cipher, and keys if by computing the MD5 checksum of the
186: * passphrase and using the resulting 16 bytes as the key.
187: */
1.1 deraadt 188:
1.16 markus 189: void
1.22 markus 190: cipher_set_key_string(CipherContext *context, int cipher, const char *passphrase)
1.1 deraadt 191: {
1.16 markus 192: MD5_CTX md;
193: unsigned char digest[16];
194:
195: MD5_Init(&md);
196: MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
197: MD5_Final(digest, &md);
198:
1.22 markus 199: cipher_set_key(context, cipher, digest, 16);
1.16 markus 200:
201: memset(digest, 0, sizeof(digest));
202: memset(&md, 0, sizeof(md));
1.1 deraadt 203: }
204:
205: /* Selects the cipher to use and sets the key. */
206:
1.16 markus 207: void
1.22 markus 208: cipher_set_key(CipherContext *context, int cipher, const unsigned char *key,
209: int keylen)
1.16 markus 210: {
211: unsigned char padded[32];
212:
213: /* Set cipher type. */
214: context->type = cipher;
215:
216: /* Get 32 bytes of key data. Pad if necessary. (So that code
217: below does not need to worry about key size). */
218: memset(padded, 0, sizeof(padded));
219: memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));
220:
221: /* Initialize the initialization vector. */
222: switch (cipher) {
223: case SSH_CIPHER_NONE:
1.18 markus 224: /*
225: * Has to stay for authfile saving of private key with no
226: * passphrase
227: */
1.16 markus 228: break;
229:
230: case SSH_CIPHER_3DES:
1.18 markus 231: /*
232: * Note: the least significant bit of each byte of key is
233: * parity, and must be ignored by the implementation. 16
234: * bytes of key are used (first and last keys are the same).
235: */
1.16 markus 236: if (keylen < 16)
237: error("Key length %d is insufficient for 3DES.", keylen);
238: des_set_key((void *) padded, context->u.des3.key1);
239: des_set_key((void *) (padded + 8), context->u.des3.key2);
240: if (keylen <= 16)
241: des_set_key((void *) padded, context->u.des3.key3);
242: else
243: des_set_key((void *) (padded + 16), context->u.des3.key3);
244: memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
245: memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
246: break;
247:
248: case SSH_CIPHER_BLOWFISH:
1.21 markus 249: if (keylen < 16)
250: error("Key length %d is insufficient for blowfish.", keylen);
1.16 markus 251: BF_set_key(&context->u.bf.key, keylen, padded);
252: memset(context->u.bf.iv, 0, 8);
253: break;
254:
1.21 markus 255: case SSH_CIPHER_3DES_CBC:
256: case SSH_CIPHER_BLOWFISH_CBC:
257: case SSH_CIPHER_ARCFOUR:
258: case SSH_CIPHER_CAST128_CBC:
259: fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher));
260: break;
261:
1.16 markus 262: default:
263: fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
264: }
265: memset(padded, 0, sizeof(padded));
1.1 deraadt 266: }
267:
1.21 markus 268:
269: void
270: cipher_set_key_iv(CipherContext * context, int cipher,
271: const unsigned char *key, int keylen,
272: const unsigned char *iv, int ivlen)
273: {
274: /* Set cipher type. */
275: context->type = cipher;
276:
277: /* Initialize the initialization vector. */
278: switch (cipher) {
279: case SSH_CIPHER_NONE:
280: break;
281:
282: case SSH_CIPHER_3DES:
283: case SSH_CIPHER_BLOWFISH:
284: fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher));
285: break;
286:
287: case SSH_CIPHER_3DES_CBC:
288: if (keylen < 24)
289: error("Key length %d is insufficient for 3des-cbc.", keylen);
290: des_set_key((void *) key, context->u.des3.key1);
291: des_set_key((void *) (key+8), context->u.des3.key2);
292: des_set_key((void *) (key+16), context->u.des3.key3);
293: if (ivlen < 8)
294: error("IV length %d is insufficient for 3des-cbc.", ivlen);
295: memcpy(context->u.des3.iv3, (char *)iv, 8);
296: break;
297:
298: case SSH_CIPHER_BLOWFISH_CBC:
299: if (keylen < 16)
300: error("Key length %d is insufficient for blowfish.", keylen);
301: if (ivlen < 8)
302: error("IV length %d is insufficient for blowfish.", ivlen);
303: BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key);
304: memcpy(context->u.bf.iv, (char *)iv, 8);
305: break;
306:
307: case SSH_CIPHER_ARCFOUR:
308: if (keylen < 16)
309: error("Key length %d is insufficient for arcfour.", keylen);
310: RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key);
311: break;
312:
313: case SSH_CIPHER_CAST128_CBC:
314: if (keylen < 16)
315: error("Key length %d is insufficient for cast128.", keylen);
316: if (ivlen < 8)
317: error("IV length %d is insufficient for cast128.", ivlen);
318: CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key);
319: memcpy(context->u.cast.iv, (char *)iv, 8);
320: break;
321:
322: default:
323: fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
324: }
325: }
326:
1.1 deraadt 327: /* Encrypts data using the cipher. */
328:
1.16 markus 329: void
330: cipher_encrypt(CipherContext *context, unsigned char *dest,
331: const unsigned char *src, unsigned int len)
332: {
333: if ((len & 7) != 0)
334: fatal("cipher_encrypt: bad plaintext length %d", len);
335:
336: switch (context->type) {
337: case SSH_CIPHER_NONE:
338: memcpy(dest, src, len);
339: break;
340:
341: case SSH_CIPHER_3DES:
342: SSH_3CBC_ENCRYPT(context->u.des3.key1,
343: context->u.des3.key2, &context->u.des3.iv2,
344: context->u.des3.key3, &context->u.des3.iv3,
1.19 markus 345: dest, (unsigned char *) src, len);
1.16 markus 346: break;
347:
348: case SSH_CIPHER_BLOWFISH:
349: swap_bytes(src, dest, len);
350: BF_cbc_encrypt(dest, dest, len,
351: &context->u.bf.key, context->u.bf.iv,
352: BF_ENCRYPT);
353: swap_bytes(dest, dest, len);
354: break;
355:
1.21 markus 356: case SSH_CIPHER_BLOWFISH_CBC:
357: BF_cbc_encrypt((void *)src, dest, len,
358: &context->u.bf.key, context->u.bf.iv,
359: BF_ENCRYPT);
360: break;
361:
362: case SSH_CIPHER_3DES_CBC:
363: des_ede3_cbc_encrypt(src, dest, len,
364: context->u.des3.key1, context->u.des3.key2,
365: context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT);
366: break;
367:
368: case SSH_CIPHER_ARCFOUR:
369: RC4(&context->u.rc4, len, (unsigned char *)src, dest);
370: break;
371:
372: case SSH_CIPHER_CAST128_CBC:
373: CAST_cbc_encrypt(src, dest, len,
374: &context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT);
375: break;
376:
1.16 markus 377: default:
378: fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
379: }
380: }
1.1 deraadt 381:
382: /* Decrypts data using the cipher. */
383:
1.16 markus 384: void
385: cipher_decrypt(CipherContext *context, unsigned char *dest,
386: const unsigned char *src, unsigned int len)
387: {
388: if ((len & 7) != 0)
389: fatal("cipher_decrypt: bad ciphertext length %d", len);
390:
391: switch (context->type) {
392: case SSH_CIPHER_NONE:
393: memcpy(dest, src, len);
394: break;
395:
396: case SSH_CIPHER_3DES:
397: SSH_3CBC_DECRYPT(context->u.des3.key1,
398: context->u.des3.key2, &context->u.des3.iv2,
399: context->u.des3.key3, &context->u.des3.iv3,
1.19 markus 400: dest, (unsigned char *) src, len);
1.16 markus 401: break;
402:
403: case SSH_CIPHER_BLOWFISH:
404: swap_bytes(src, dest, len);
405: BF_cbc_encrypt((void *) dest, dest, len,
406: &context->u.bf.key, context->u.bf.iv,
407: BF_DECRYPT);
408: swap_bytes(dest, dest, len);
1.21 markus 409: break;
410:
411: case SSH_CIPHER_BLOWFISH_CBC:
412: BF_cbc_encrypt((void *) src, dest, len,
413: &context->u.bf.key, context->u.bf.iv,
414: BF_DECRYPT);
415: break;
416:
417: case SSH_CIPHER_3DES_CBC:
418: des_ede3_cbc_encrypt(src, dest, len,
419: context->u.des3.key1, context->u.des3.key2,
420: context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT);
421: break;
422:
423: case SSH_CIPHER_ARCFOUR:
424: RC4(&context->u.rc4, len, (unsigned char *)src, dest);
425: break;
426:
427: case SSH_CIPHER_CAST128_CBC:
428: CAST_cbc_encrypt(src, dest, len,
429: &context->u.cast.key, context->u.cast.iv, CAST_DECRYPT);
1.16 markus 430: break;
431:
432: default:
433: fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));
434: }
1.1 deraadt 435: }