Annotation of src/usr.bin/ssh/cipher.c, Revision 1.29
1.1 deraadt 1: /*
1.26 markus 2: *
1.17 deraadt 3: * cipher.c
1.26 markus 4: *
1.17 deraadt 5: * Author: Tatu Ylonen <ylo@cs.hut.fi>
1.26 markus 6: *
1.17 deraadt 7: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: * All rights reserved
1.26 markus 9: *
1.17 deraadt 10: * Created: Wed Apr 19 17:41:39 1995 ylo
1.26 markus 11: *
1.17 deraadt 12: */
1.1 deraadt 13:
14: #include "includes.h"
1.29 ! ho 15: RCSID("$OpenBSD: cipher.c,v 1.28 2000/06/20 01:39:40 markus Exp $");
1.1 deraadt 16:
17: #include "ssh.h"
18: #include "cipher.h"
1.24 markus 19: #include "xmalloc.h"
1.8 deraadt 20:
1.25 markus 21: #include <openssl/md5.h>
1.1 deraadt 22:
23: /*
1.24 markus 24: * This is used by SSH1:
25: *
1.23 deraadt 26: * What kind of triple DES are these 2 routines?
1.1 deraadt 27: *
28: * Why is there a redundant initialization vector?
29: *
30: * If only iv3 was used, then, this would till effect have been
31: * outer-cbc. However, there is also a private iv1 == iv2 which
32: * perhaps makes differential analysis easier. On the other hand, the
33: * private iv1 probably makes the CRC-32 attack ineffective. This is a
34: * result of that there is no longer any known iv1 to use when
35: * choosing the X block.
36: */
37: void
38: SSH_3CBC_ENCRYPT(des_key_schedule ks1,
1.16 markus 39: des_key_schedule ks2, des_cblock * iv2,
40: des_key_schedule ks3, des_cblock * iv3,
1.19 markus 41: unsigned char *dest, unsigned char *src,
1.1 deraadt 42: unsigned int len)
43: {
1.16 markus 44: des_cblock iv1;
1.1 deraadt 45:
1.16 markus 46: memcpy(&iv1, iv2, 8);
1.1 deraadt 47:
1.16 markus 48: des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
49: memcpy(&iv1, dest + len - 8, 8);
1.1 deraadt 50:
1.16 markus 51: des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
52: memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */
1.1 deraadt 53:
1.16 markus 54: des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
55: memcpy(iv3, dest + len - 8, 8);
1.1 deraadt 56: }
57:
58: void
59: SSH_3CBC_DECRYPT(des_key_schedule ks1,
1.16 markus 60: des_key_schedule ks2, des_cblock * iv2,
61: des_key_schedule ks3, des_cblock * iv3,
1.19 markus 62: unsigned char *dest, unsigned char *src,
1.1 deraadt 63: unsigned int len)
64: {
1.16 markus 65: des_cblock iv1;
1.1 deraadt 66:
1.16 markus 67: memcpy(&iv1, iv2, 8);
1.1 deraadt 68:
1.16 markus 69: des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
70: memcpy(iv3, src + len - 8, 8);
1.1 deraadt 71:
1.16 markus 72: des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
73: memcpy(iv2, dest + len - 8, 8);
1.1 deraadt 74:
1.16 markus 75: des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
76: /* memcpy(&iv1, iv2, 8); */
77: /* Note how iv1 == iv2 on entry and exit. */
1.1 deraadt 78: }
79:
80: /*
1.24 markus 81: * SSH1 uses a variation on Blowfish, all bytes must be swapped before
1.1 deraadt 82: * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
83: */
1.16 markus 84: static void
1.1 deraadt 85: swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
86: {
1.16 markus 87: /* dst must be properly aligned. */
88: u_int32_t *dst = (u_int32_t *) dst_;
89: union {
90: u_int32_t i;
91: char c[4];
92: } t;
93:
94: /* Process 8 bytes every lap. */
95: for (n = n / 8; n > 0; n--) {
96: t.c[3] = *src++;
97: t.c[2] = *src++;
98: t.c[1] = *src++;
99: t.c[0] = *src++;
100: *dst++ = t.i;
101:
102: t.c[3] = *src++;
103: t.c[2] = *src++;
104: t.c[1] = *src++;
105: t.c[0] = *src++;
106: *dst++ = t.i;
107: }
1.1 deraadt 108: }
109:
1.18 markus 110: /*
111: * Names of all encryption algorithms.
112: * These must match the numbers defined in cipher.h.
113: */
1.1 deraadt 114: static char *cipher_names[] =
1.4 provos 115: {
1.16 markus 116: "none",
117: "idea",
118: "des",
119: "3des",
120: "tss",
121: "rc4",
1.21 markus 122: "blowfish",
123: "reserved",
124: "blowfish-cbc",
125: "3des-cbc",
126: "arcfour",
127: "cast128-cbc"
1.1 deraadt 128: };
129:
1.18 markus 130: /*
131: * Returns a bit mask indicating which ciphers are supported by this
132: * implementation. The bit mask has the corresponding bit set of each
133: * supported cipher.
134: */
1.1 deraadt 135:
1.26 markus 136: unsigned int
1.22 markus 137: cipher_mask1()
1.1 deraadt 138: {
1.16 markus 139: unsigned int mask = 0;
140: mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
141: mask |= 1 << SSH_CIPHER_BLOWFISH;
1.22 markus 142: return mask;
143: }
1.26 markus 144: unsigned int
1.22 markus 145: cipher_mask2()
146: {
147: unsigned int mask = 0;
1.21 markus 148: mask |= 1 << SSH_CIPHER_BLOWFISH_CBC;
149: mask |= 1 << SSH_CIPHER_3DES_CBC;
150: mask |= 1 << SSH_CIPHER_ARCFOUR;
151: mask |= 1 << SSH_CIPHER_CAST128_CBC;
1.16 markus 152: return mask;
1.1 deraadt 153: }
1.26 markus 154: unsigned int
1.22 markus 155: cipher_mask()
156: {
157: return cipher_mask1() | cipher_mask2();
158: }
1.1 deraadt 159:
160: /* Returns the name of the cipher. */
161:
1.16 markus 162: const char *
163: cipher_name(int cipher)
1.1 deraadt 164: {
1.16 markus 165: if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
166: cipher_names[cipher] == NULL)
1.24 markus 167: fatal("cipher_name: bad cipher name: %d", cipher);
1.16 markus 168: return cipher_names[cipher];
1.1 deraadt 169: }
170:
1.24 markus 171: /* Returns 1 if the name of the ciphers are valid. */
172:
173: #define CIPHER_SEP ","
174: int
175: ciphers_valid(const char *names)
176: {
1.29 ! ho 177: char *ciphers, *cp;
1.24 markus 178: char *p;
179: int i;
180:
1.27 markus 181: if (names == NULL || strcmp(names, "") == 0)
1.24 markus 182: return 0;
1.29 ! ho 183: ciphers = cp = xstrdup(names);
! 184: for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
! 185: (p = strsep(&cp, CIPHER_SEP))) {
1.24 markus 186: i = cipher_number(p);
187: if (i == -1 || !(cipher_mask2() & (1 << i))) {
188: xfree(ciphers);
189: return 0;
190: }
191: }
192: xfree(ciphers);
193: return 1;
194: }
195:
1.18 markus 196: /*
197: * Parses the name of the cipher. Returns the number of the corresponding
198: * cipher, or -1 on error.
199: */
1.1 deraadt 200:
1.4 provos 201: int
202: cipher_number(const char *name)
1.1 deraadt 203: {
1.16 markus 204: int i;
1.27 markus 205: if (name == NULL)
206: return -1;
1.16 markus 207: for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
208: if (strcmp(cipher_names[i], name) == 0 &&
209: (cipher_mask() & (1 << i)))
210: return i;
211: return -1;
1.1 deraadt 212: }
213:
1.18 markus 214: /*
215: * Selects the cipher, and keys if by computing the MD5 checksum of the
216: * passphrase and using the resulting 16 bytes as the key.
217: */
1.1 deraadt 218:
1.26 markus 219: void
1.22 markus 220: cipher_set_key_string(CipherContext *context, int cipher, const char *passphrase)
1.1 deraadt 221: {
1.16 markus 222: MD5_CTX md;
223: unsigned char digest[16];
224:
225: MD5_Init(&md);
226: MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
227: MD5_Final(digest, &md);
228:
1.22 markus 229: cipher_set_key(context, cipher, digest, 16);
1.16 markus 230:
231: memset(digest, 0, sizeof(digest));
232: memset(&md, 0, sizeof(md));
1.1 deraadt 233: }
234:
235: /* Selects the cipher to use and sets the key. */
236:
1.26 markus 237: void
1.22 markus 238: cipher_set_key(CipherContext *context, int cipher, const unsigned char *key,
239: int keylen)
1.16 markus 240: {
241: unsigned char padded[32];
242:
243: /* Set cipher type. */
244: context->type = cipher;
245:
246: /* Get 32 bytes of key data. Pad if necessary. (So that code
247: below does not need to worry about key size). */
248: memset(padded, 0, sizeof(padded));
249: memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));
250:
251: /* Initialize the initialization vector. */
252: switch (cipher) {
253: case SSH_CIPHER_NONE:
1.18 markus 254: /*
255: * Has to stay for authfile saving of private key with no
256: * passphrase
257: */
1.16 markus 258: break;
259:
260: case SSH_CIPHER_3DES:
1.18 markus 261: /*
262: * Note: the least significant bit of each byte of key is
263: * parity, and must be ignored by the implementation. 16
264: * bytes of key are used (first and last keys are the same).
265: */
1.16 markus 266: if (keylen < 16)
267: error("Key length %d is insufficient for 3DES.", keylen);
268: des_set_key((void *) padded, context->u.des3.key1);
269: des_set_key((void *) (padded + 8), context->u.des3.key2);
270: if (keylen <= 16)
271: des_set_key((void *) padded, context->u.des3.key3);
272: else
273: des_set_key((void *) (padded + 16), context->u.des3.key3);
274: memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
275: memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
276: break;
277:
278: case SSH_CIPHER_BLOWFISH:
1.21 markus 279: if (keylen < 16)
280: error("Key length %d is insufficient for blowfish.", keylen);
1.16 markus 281: BF_set_key(&context->u.bf.key, keylen, padded);
282: memset(context->u.bf.iv, 0, 8);
283: break;
284:
1.21 markus 285: case SSH_CIPHER_3DES_CBC:
286: case SSH_CIPHER_BLOWFISH_CBC:
287: case SSH_CIPHER_ARCFOUR:
288: case SSH_CIPHER_CAST128_CBC:
289: fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher));
290: break;
291:
1.16 markus 292: default:
293: fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
294: }
295: memset(padded, 0, sizeof(padded));
1.1 deraadt 296: }
1.21 markus 297:
1.26 markus 298: void
1.21 markus 299: cipher_set_key_iv(CipherContext * context, int cipher,
1.26 markus 300: const unsigned char *key, int keylen,
1.21 markus 301: const unsigned char *iv, int ivlen)
302: {
303: /* Set cipher type. */
304: context->type = cipher;
305:
306: /* Initialize the initialization vector. */
307: switch (cipher) {
308: case SSH_CIPHER_NONE:
309: break;
310:
311: case SSH_CIPHER_3DES:
312: case SSH_CIPHER_BLOWFISH:
313: fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher));
314: break;
315:
316: case SSH_CIPHER_3DES_CBC:
317: if (keylen < 24)
318: error("Key length %d is insufficient for 3des-cbc.", keylen);
319: des_set_key((void *) key, context->u.des3.key1);
320: des_set_key((void *) (key+8), context->u.des3.key2);
321: des_set_key((void *) (key+16), context->u.des3.key3);
322: if (ivlen < 8)
323: error("IV length %d is insufficient for 3des-cbc.", ivlen);
324: memcpy(context->u.des3.iv3, (char *)iv, 8);
325: break;
326:
327: case SSH_CIPHER_BLOWFISH_CBC:
328: if (keylen < 16)
329: error("Key length %d is insufficient for blowfish.", keylen);
330: if (ivlen < 8)
331: error("IV length %d is insufficient for blowfish.", ivlen);
332: BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key);
333: memcpy(context->u.bf.iv, (char *)iv, 8);
334: break;
335:
336: case SSH_CIPHER_ARCFOUR:
337: if (keylen < 16)
338: error("Key length %d is insufficient for arcfour.", keylen);
339: RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key);
340: break;
341:
342: case SSH_CIPHER_CAST128_CBC:
343: if (keylen < 16)
344: error("Key length %d is insufficient for cast128.", keylen);
345: if (ivlen < 8)
346: error("IV length %d is insufficient for cast128.", ivlen);
347: CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key);
348: memcpy(context->u.cast.iv, (char *)iv, 8);
349: break;
350:
351: default:
352: fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
353: }
354: }
355:
1.1 deraadt 356: /* Encrypts data using the cipher. */
357:
1.26 markus 358: void
1.16 markus 359: cipher_encrypt(CipherContext *context, unsigned char *dest,
360: const unsigned char *src, unsigned int len)
361: {
362: if ((len & 7) != 0)
363: fatal("cipher_encrypt: bad plaintext length %d", len);
364:
365: switch (context->type) {
366: case SSH_CIPHER_NONE:
367: memcpy(dest, src, len);
368: break;
369:
370: case SSH_CIPHER_3DES:
371: SSH_3CBC_ENCRYPT(context->u.des3.key1,
372: context->u.des3.key2, &context->u.des3.iv2,
373: context->u.des3.key3, &context->u.des3.iv3,
1.19 markus 374: dest, (unsigned char *) src, len);
1.16 markus 375: break;
376:
377: case SSH_CIPHER_BLOWFISH:
378: swap_bytes(src, dest, len);
379: BF_cbc_encrypt(dest, dest, len,
1.26 markus 380: &context->u.bf.key, context->u.bf.iv,
1.16 markus 381: BF_ENCRYPT);
382: swap_bytes(dest, dest, len);
383: break;
384:
1.21 markus 385: case SSH_CIPHER_BLOWFISH_CBC:
386: BF_cbc_encrypt((void *)src, dest, len,
1.26 markus 387: &context->u.bf.key, context->u.bf.iv,
1.21 markus 388: BF_ENCRYPT);
389: break;
390:
391: case SSH_CIPHER_3DES_CBC:
392: des_ede3_cbc_encrypt(src, dest, len,
393: context->u.des3.key1, context->u.des3.key2,
394: context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT);
395: break;
396:
397: case SSH_CIPHER_ARCFOUR:
398: RC4(&context->u.rc4, len, (unsigned char *)src, dest);
399: break;
400:
401: case SSH_CIPHER_CAST128_CBC:
402: CAST_cbc_encrypt(src, dest, len,
403: &context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT);
404: break;
405:
1.16 markus 406: default:
407: fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
408: }
409: }
1.1 deraadt 410:
411: /* Decrypts data using the cipher. */
412:
1.26 markus 413: void
1.16 markus 414: cipher_decrypt(CipherContext *context, unsigned char *dest,
415: const unsigned char *src, unsigned int len)
416: {
417: if ((len & 7) != 0)
418: fatal("cipher_decrypt: bad ciphertext length %d", len);
419:
420: switch (context->type) {
421: case SSH_CIPHER_NONE:
422: memcpy(dest, src, len);
423: break;
424:
425: case SSH_CIPHER_3DES:
426: SSH_3CBC_DECRYPT(context->u.des3.key1,
427: context->u.des3.key2, &context->u.des3.iv2,
428: context->u.des3.key3, &context->u.des3.iv3,
1.19 markus 429: dest, (unsigned char *) src, len);
1.16 markus 430: break;
431:
432: case SSH_CIPHER_BLOWFISH:
433: swap_bytes(src, dest, len);
434: BF_cbc_encrypt((void *) dest, dest, len,
435: &context->u.bf.key, context->u.bf.iv,
436: BF_DECRYPT);
437: swap_bytes(dest, dest, len);
1.21 markus 438: break;
439:
440: case SSH_CIPHER_BLOWFISH_CBC:
441: BF_cbc_encrypt((void *) src, dest, len,
442: &context->u.bf.key, context->u.bf.iv,
443: BF_DECRYPT);
444: break;
445:
446: case SSH_CIPHER_3DES_CBC:
447: des_ede3_cbc_encrypt(src, dest, len,
448: context->u.des3.key1, context->u.des3.key2,
449: context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT);
450: break;
451:
452: case SSH_CIPHER_ARCFOUR:
453: RC4(&context->u.rc4, len, (unsigned char *)src, dest);
454: break;
455:
456: case SSH_CIPHER_CAST128_CBC:
457: CAST_cbc_encrypt(src, dest, len,
458: &context->u.cast.key, context->u.cast.iv, CAST_DECRYPT);
1.16 markus 459: break;
460:
461: default:
462: fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));
463: }
1.1 deraadt 464: }