Annotation of src/usr.bin/ssh/cipher.c, Revision 1.27
1.1 deraadt 1: /*
1.26 markus 2: *
1.17 deraadt 3: * cipher.c
1.26 markus 4: *
1.17 deraadt 5: * Author: Tatu Ylonen <ylo@cs.hut.fi>
1.26 markus 6: *
1.17 deraadt 7: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: * All rights reserved
1.26 markus 9: *
1.17 deraadt 10: * Created: Wed Apr 19 17:41:39 1995 ylo
1.26 markus 11: *
1.17 deraadt 12: */
1.1 deraadt 13:
14: #include "includes.h"
1.27 ! markus 15: RCSID("$Id: cipher.c,v 1.26 2000/04/14 10:30:30 markus Exp $");
1.1 deraadt 16:
17: #include "ssh.h"
18: #include "cipher.h"
1.24 markus 19: #include "xmalloc.h"
1.8 deraadt 20:
1.25 markus 21: #include <openssl/md5.h>
1.1 deraadt 22:
23: /*
1.24 markus 24: * This is used by SSH1:
25: *
1.23 deraadt 26: * What kind of triple DES are these 2 routines?
1.1 deraadt 27: *
28: * Why is there a redundant initialization vector?
29: *
30: * If only iv3 was used, then, this would till effect have been
31: * outer-cbc. However, there is also a private iv1 == iv2 which
32: * perhaps makes differential analysis easier. On the other hand, the
33: * private iv1 probably makes the CRC-32 attack ineffective. This is a
34: * result of that there is no longer any known iv1 to use when
35: * choosing the X block.
36: */
37: void
38: SSH_3CBC_ENCRYPT(des_key_schedule ks1,
1.16 markus 39: des_key_schedule ks2, des_cblock * iv2,
40: des_key_schedule ks3, des_cblock * iv3,
1.19 markus 41: unsigned char *dest, unsigned char *src,
1.1 deraadt 42: unsigned int len)
43: {
1.16 markus 44: des_cblock iv1;
1.1 deraadt 45:
1.16 markus 46: memcpy(&iv1, iv2, 8);
1.1 deraadt 47:
1.16 markus 48: des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
49: memcpy(&iv1, dest + len - 8, 8);
1.1 deraadt 50:
1.16 markus 51: des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
52: memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */
1.1 deraadt 53:
1.16 markus 54: des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
55: memcpy(iv3, dest + len - 8, 8);
1.1 deraadt 56: }
57:
58: void
59: SSH_3CBC_DECRYPT(des_key_schedule ks1,
1.16 markus 60: des_key_schedule ks2, des_cblock * iv2,
61: des_key_schedule ks3, des_cblock * iv3,
1.19 markus 62: unsigned char *dest, unsigned char *src,
1.1 deraadt 63: unsigned int len)
64: {
1.16 markus 65: des_cblock iv1;
1.1 deraadt 66:
1.16 markus 67: memcpy(&iv1, iv2, 8);
1.1 deraadt 68:
1.16 markus 69: des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
70: memcpy(iv3, src + len - 8, 8);
1.1 deraadt 71:
1.16 markus 72: des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
73: memcpy(iv2, dest + len - 8, 8);
1.1 deraadt 74:
1.16 markus 75: des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
76: /* memcpy(&iv1, iv2, 8); */
77: /* Note how iv1 == iv2 on entry and exit. */
1.1 deraadt 78: }
79:
80: /*
1.24 markus 81: * SSH1 uses a variation on Blowfish, all bytes must be swapped before
1.1 deraadt 82: * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
83: */
1.16 markus 84: static void
1.1 deraadt 85: swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
86: {
1.16 markus 87: /* dst must be properly aligned. */
88: u_int32_t *dst = (u_int32_t *) dst_;
89: union {
90: u_int32_t i;
91: char c[4];
92: } t;
93:
94: /* Process 8 bytes every lap. */
95: for (n = n / 8; n > 0; n--) {
96: t.c[3] = *src++;
97: t.c[2] = *src++;
98: t.c[1] = *src++;
99: t.c[0] = *src++;
100: *dst++ = t.i;
101:
102: t.c[3] = *src++;
103: t.c[2] = *src++;
104: t.c[1] = *src++;
105: t.c[0] = *src++;
106: *dst++ = t.i;
107: }
1.1 deraadt 108: }
109:
1.18 markus 110: /*
111: * Names of all encryption algorithms.
112: * These must match the numbers defined in cipher.h.
113: */
1.1 deraadt 114: static char *cipher_names[] =
1.4 provos 115: {
1.16 markus 116: "none",
117: "idea",
118: "des",
119: "3des",
120: "tss",
121: "rc4",
1.21 markus 122: "blowfish",
123: "reserved",
124: "blowfish-cbc",
125: "3des-cbc",
126: "arcfour",
127: "cast128-cbc"
1.1 deraadt 128: };
129:
1.18 markus 130: /*
131: * Returns a bit mask indicating which ciphers are supported by this
132: * implementation. The bit mask has the corresponding bit set of each
133: * supported cipher.
134: */
1.1 deraadt 135:
1.26 markus 136: unsigned int
1.22 markus 137: cipher_mask1()
1.1 deraadt 138: {
1.16 markus 139: unsigned int mask = 0;
140: mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
141: mask |= 1 << SSH_CIPHER_BLOWFISH;
1.22 markus 142: return mask;
143: }
1.26 markus 144: unsigned int
1.22 markus 145: cipher_mask2()
146: {
147: unsigned int mask = 0;
1.21 markus 148: mask |= 1 << SSH_CIPHER_BLOWFISH_CBC;
149: mask |= 1 << SSH_CIPHER_3DES_CBC;
150: mask |= 1 << SSH_CIPHER_ARCFOUR;
151: mask |= 1 << SSH_CIPHER_CAST128_CBC;
1.16 markus 152: return mask;
1.1 deraadt 153: }
1.26 markus 154: unsigned int
1.22 markus 155: cipher_mask()
156: {
157: return cipher_mask1() | cipher_mask2();
158: }
1.1 deraadt 159:
160: /* Returns the name of the cipher. */
161:
1.16 markus 162: const char *
163: cipher_name(int cipher)
1.1 deraadt 164: {
1.16 markus 165: if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
166: cipher_names[cipher] == NULL)
1.24 markus 167: fatal("cipher_name: bad cipher name: %d", cipher);
1.16 markus 168: return cipher_names[cipher];
1.1 deraadt 169: }
170:
1.24 markus 171: /* Returns 1 if the name of the ciphers are valid. */
172:
173: #define CIPHER_SEP ","
174: int
175: ciphers_valid(const char *names)
176: {
177: char *ciphers;
178: char *p;
179: int i;
180:
1.27 ! markus 181: if (names == NULL || strcmp(names, "") == 0)
1.24 markus 182: return 0;
183: ciphers = xstrdup(names);
184: for ((p = strtok(ciphers, CIPHER_SEP)); p; (p = strtok(NULL, CIPHER_SEP))) {
185: i = cipher_number(p);
186: if (i == -1 || !(cipher_mask2() & (1 << i))) {
187: xfree(ciphers);
188: return 0;
189: }
190: }
191: xfree(ciphers);
192: return 1;
193: }
194:
1.18 markus 195: /*
196: * Parses the name of the cipher. Returns the number of the corresponding
197: * cipher, or -1 on error.
198: */
1.1 deraadt 199:
1.4 provos 200: int
201: cipher_number(const char *name)
1.1 deraadt 202: {
1.16 markus 203: int i;
1.27 ! markus 204: if (name == NULL)
! 205: return -1;
1.16 markus 206: for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
207: if (strcmp(cipher_names[i], name) == 0 &&
208: (cipher_mask() & (1 << i)))
209: return i;
210: return -1;
1.1 deraadt 211: }
212:
1.18 markus 213: /*
214: * Selects the cipher, and keys if by computing the MD5 checksum of the
215: * passphrase and using the resulting 16 bytes as the key.
216: */
1.1 deraadt 217:
1.26 markus 218: void
1.22 markus 219: cipher_set_key_string(CipherContext *context, int cipher, const char *passphrase)
1.1 deraadt 220: {
1.16 markus 221: MD5_CTX md;
222: unsigned char digest[16];
223:
224: MD5_Init(&md);
225: MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
226: MD5_Final(digest, &md);
227:
1.22 markus 228: cipher_set_key(context, cipher, digest, 16);
1.16 markus 229:
230: memset(digest, 0, sizeof(digest));
231: memset(&md, 0, sizeof(md));
1.1 deraadt 232: }
233:
234: /* Selects the cipher to use and sets the key. */
235:
1.26 markus 236: void
1.22 markus 237: cipher_set_key(CipherContext *context, int cipher, const unsigned char *key,
238: int keylen)
1.16 markus 239: {
240: unsigned char padded[32];
241:
242: /* Set cipher type. */
243: context->type = cipher;
244:
245: /* Get 32 bytes of key data. Pad if necessary. (So that code
246: below does not need to worry about key size). */
247: memset(padded, 0, sizeof(padded));
248: memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));
249:
250: /* Initialize the initialization vector. */
251: switch (cipher) {
252: case SSH_CIPHER_NONE:
1.18 markus 253: /*
254: * Has to stay for authfile saving of private key with no
255: * passphrase
256: */
1.16 markus 257: break;
258:
259: case SSH_CIPHER_3DES:
1.18 markus 260: /*
261: * Note: the least significant bit of each byte of key is
262: * parity, and must be ignored by the implementation. 16
263: * bytes of key are used (first and last keys are the same).
264: */
1.16 markus 265: if (keylen < 16)
266: error("Key length %d is insufficient for 3DES.", keylen);
267: des_set_key((void *) padded, context->u.des3.key1);
268: des_set_key((void *) (padded + 8), context->u.des3.key2);
269: if (keylen <= 16)
270: des_set_key((void *) padded, context->u.des3.key3);
271: else
272: des_set_key((void *) (padded + 16), context->u.des3.key3);
273: memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
274: memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
275: break;
276:
277: case SSH_CIPHER_BLOWFISH:
1.21 markus 278: if (keylen < 16)
279: error("Key length %d is insufficient for blowfish.", keylen);
1.16 markus 280: BF_set_key(&context->u.bf.key, keylen, padded);
281: memset(context->u.bf.iv, 0, 8);
282: break;
283:
1.21 markus 284: case SSH_CIPHER_3DES_CBC:
285: case SSH_CIPHER_BLOWFISH_CBC:
286: case SSH_CIPHER_ARCFOUR:
287: case SSH_CIPHER_CAST128_CBC:
288: fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher));
289: break;
290:
1.16 markus 291: default:
292: fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
293: }
294: memset(padded, 0, sizeof(padded));
1.1 deraadt 295: }
1.21 markus 296:
1.26 markus 297: void
1.21 markus 298: cipher_set_key_iv(CipherContext * context, int cipher,
1.26 markus 299: const unsigned char *key, int keylen,
1.21 markus 300: const unsigned char *iv, int ivlen)
301: {
302: /* Set cipher type. */
303: context->type = cipher;
304:
305: /* Initialize the initialization vector. */
306: switch (cipher) {
307: case SSH_CIPHER_NONE:
308: break;
309:
310: case SSH_CIPHER_3DES:
311: case SSH_CIPHER_BLOWFISH:
312: fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher));
313: break;
314:
315: case SSH_CIPHER_3DES_CBC:
316: if (keylen < 24)
317: error("Key length %d is insufficient for 3des-cbc.", keylen);
318: des_set_key((void *) key, context->u.des3.key1);
319: des_set_key((void *) (key+8), context->u.des3.key2);
320: des_set_key((void *) (key+16), context->u.des3.key3);
321: if (ivlen < 8)
322: error("IV length %d is insufficient for 3des-cbc.", ivlen);
323: memcpy(context->u.des3.iv3, (char *)iv, 8);
324: break;
325:
326: case SSH_CIPHER_BLOWFISH_CBC:
327: if (keylen < 16)
328: error("Key length %d is insufficient for blowfish.", keylen);
329: if (ivlen < 8)
330: error("IV length %d is insufficient for blowfish.", ivlen);
331: BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key);
332: memcpy(context->u.bf.iv, (char *)iv, 8);
333: break;
334:
335: case SSH_CIPHER_ARCFOUR:
336: if (keylen < 16)
337: error("Key length %d is insufficient for arcfour.", keylen);
338: RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key);
339: break;
340:
341: case SSH_CIPHER_CAST128_CBC:
342: if (keylen < 16)
343: error("Key length %d is insufficient for cast128.", keylen);
344: if (ivlen < 8)
345: error("IV length %d is insufficient for cast128.", ivlen);
346: CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key);
347: memcpy(context->u.cast.iv, (char *)iv, 8);
348: break;
349:
350: default:
351: fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
352: }
353: }
354:
1.1 deraadt 355: /* Encrypts data using the cipher. */
356:
1.26 markus 357: void
1.16 markus 358: cipher_encrypt(CipherContext *context, unsigned char *dest,
359: const unsigned char *src, unsigned int len)
360: {
361: if ((len & 7) != 0)
362: fatal("cipher_encrypt: bad plaintext length %d", len);
363:
364: switch (context->type) {
365: case SSH_CIPHER_NONE:
366: memcpy(dest, src, len);
367: break;
368:
369: case SSH_CIPHER_3DES:
370: SSH_3CBC_ENCRYPT(context->u.des3.key1,
371: context->u.des3.key2, &context->u.des3.iv2,
372: context->u.des3.key3, &context->u.des3.iv3,
1.19 markus 373: dest, (unsigned char *) src, len);
1.16 markus 374: break;
375:
376: case SSH_CIPHER_BLOWFISH:
377: swap_bytes(src, dest, len);
378: BF_cbc_encrypt(dest, dest, len,
1.26 markus 379: &context->u.bf.key, context->u.bf.iv,
1.16 markus 380: BF_ENCRYPT);
381: swap_bytes(dest, dest, len);
382: break;
383:
1.21 markus 384: case SSH_CIPHER_BLOWFISH_CBC:
385: BF_cbc_encrypt((void *)src, dest, len,
1.26 markus 386: &context->u.bf.key, context->u.bf.iv,
1.21 markus 387: BF_ENCRYPT);
388: break;
389:
390: case SSH_CIPHER_3DES_CBC:
391: des_ede3_cbc_encrypt(src, dest, len,
392: context->u.des3.key1, context->u.des3.key2,
393: context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT);
394: break;
395:
396: case SSH_CIPHER_ARCFOUR:
397: RC4(&context->u.rc4, len, (unsigned char *)src, dest);
398: break;
399:
400: case SSH_CIPHER_CAST128_CBC:
401: CAST_cbc_encrypt(src, dest, len,
402: &context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT);
403: break;
404:
1.16 markus 405: default:
406: fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
407: }
408: }
1.1 deraadt 409:
410: /* Decrypts data using the cipher. */
411:
1.26 markus 412: void
1.16 markus 413: cipher_decrypt(CipherContext *context, unsigned char *dest,
414: const unsigned char *src, unsigned int len)
415: {
416: if ((len & 7) != 0)
417: fatal("cipher_decrypt: bad ciphertext length %d", len);
418:
419: switch (context->type) {
420: case SSH_CIPHER_NONE:
421: memcpy(dest, src, len);
422: break;
423:
424: case SSH_CIPHER_3DES:
425: SSH_3CBC_DECRYPT(context->u.des3.key1,
426: context->u.des3.key2, &context->u.des3.iv2,
427: context->u.des3.key3, &context->u.des3.iv3,
1.19 markus 428: dest, (unsigned char *) src, len);
1.16 markus 429: break;
430:
431: case SSH_CIPHER_BLOWFISH:
432: swap_bytes(src, dest, len);
433: BF_cbc_encrypt((void *) dest, dest, len,
434: &context->u.bf.key, context->u.bf.iv,
435: BF_DECRYPT);
436: swap_bytes(dest, dest, len);
1.21 markus 437: break;
438:
439: case SSH_CIPHER_BLOWFISH_CBC:
440: BF_cbc_encrypt((void *) src, dest, len,
441: &context->u.bf.key, context->u.bf.iv,
442: BF_DECRYPT);
443: break;
444:
445: case SSH_CIPHER_3DES_CBC:
446: des_ede3_cbc_encrypt(src, dest, len,
447: context->u.des3.key1, context->u.des3.key2,
448: context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT);
449: break;
450:
451: case SSH_CIPHER_ARCFOUR:
452: RC4(&context->u.rc4, len, (unsigned char *)src, dest);
453: break;
454:
455: case SSH_CIPHER_CAST128_CBC:
456: CAST_cbc_encrypt(src, dest, len,
457: &context->u.cast.key, context->u.cast.iv, CAST_DECRYPT);
1.16 markus 458: break;
459:
460: default:
461: fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));
462: }
1.1 deraadt 463: }