Annotation of src/usr.bin/ssh/cipher.c, Revision 1.30
1.1 deraadt 1: /*
1.30 ! deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
! 3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
! 4: * All rights reserved
1.26 markus 5: *
1.30 ! deraadt 6: * As far as I am concerned, the code I have written for this software
! 7: * can be used freely for any purpose. Any derived versions of this
! 8: * software must be clearly marked as such, and if the derived work is
! 9: * incompatible with the protocol description in the RFC file, it must be
! 10: * called by a name other than "ssh" or "Secure Shell".
1.26 markus 11: *
12: *
1.30 ! deraadt 13: * Copyright (c) 1999 Niels Provos. All rights reserved.
! 14: * Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
1.26 markus 15: *
1.30 ! deraadt 16: * Redistribution and use in source and binary forms, with or without
! 17: * modification, are permitted provided that the following conditions
! 18: * are met:
! 19: * 1. Redistributions of source code must retain the above copyright
! 20: * notice, this list of conditions and the following disclaimer.
! 21: * 2. Redistributions in binary form must reproduce the above copyright
! 22: * notice, this list of conditions and the following disclaimer in the
! 23: * documentation and/or other materials provided with the distribution.
1.26 markus 24: *
1.30 ! deraadt 25: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
! 26: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
! 27: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
! 28: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
! 29: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
! 30: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
! 31: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
! 32: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
! 33: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
! 34: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.17 deraadt 35: */
1.1 deraadt 36:
37: #include "includes.h"
1.30 ! deraadt 38: RCSID("$OpenBSD: cipher.c,v 1.29 2000/07/10 16:30:25 ho Exp $");
1.1 deraadt 39:
40: #include "ssh.h"
41: #include "cipher.h"
1.24 markus 42: #include "xmalloc.h"
1.8 deraadt 43:
1.25 markus 44: #include <openssl/md5.h>
1.1 deraadt 45:
46: /*
1.24 markus 47: * This is used by SSH1:
48: *
1.23 deraadt 49: * What kind of triple DES are these 2 routines?
1.1 deraadt 50: *
51: * Why is there a redundant initialization vector?
52: *
53: * If only iv3 was used, then, this would till effect have been
54: * outer-cbc. However, there is also a private iv1 == iv2 which
55: * perhaps makes differential analysis easier. On the other hand, the
56: * private iv1 probably makes the CRC-32 attack ineffective. This is a
57: * result of that there is no longer any known iv1 to use when
58: * choosing the X block.
59: */
60: void
61: SSH_3CBC_ENCRYPT(des_key_schedule ks1,
1.16 markus 62: des_key_schedule ks2, des_cblock * iv2,
63: des_key_schedule ks3, des_cblock * iv3,
1.19 markus 64: unsigned char *dest, unsigned char *src,
1.1 deraadt 65: unsigned int len)
66: {
1.16 markus 67: des_cblock iv1;
1.1 deraadt 68:
1.16 markus 69: memcpy(&iv1, iv2, 8);
1.1 deraadt 70:
1.16 markus 71: des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
72: memcpy(&iv1, dest + len - 8, 8);
1.1 deraadt 73:
1.16 markus 74: des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
75: memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */
1.1 deraadt 76:
1.16 markus 77: des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
78: memcpy(iv3, dest + len - 8, 8);
1.1 deraadt 79: }
80:
81: void
82: SSH_3CBC_DECRYPT(des_key_schedule ks1,
1.16 markus 83: des_key_schedule ks2, des_cblock * iv2,
84: des_key_schedule ks3, des_cblock * iv3,
1.19 markus 85: unsigned char *dest, unsigned char *src,
1.1 deraadt 86: unsigned int len)
87: {
1.16 markus 88: des_cblock iv1;
1.1 deraadt 89:
1.16 markus 90: memcpy(&iv1, iv2, 8);
1.1 deraadt 91:
1.16 markus 92: des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
93: memcpy(iv3, src + len - 8, 8);
1.1 deraadt 94:
1.16 markus 95: des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
96: memcpy(iv2, dest + len - 8, 8);
1.1 deraadt 97:
1.16 markus 98: des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
99: /* memcpy(&iv1, iv2, 8); */
100: /* Note how iv1 == iv2 on entry and exit. */
1.1 deraadt 101: }
102:
103: /*
1.24 markus 104: * SSH1 uses a variation on Blowfish, all bytes must be swapped before
1.1 deraadt 105: * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
106: */
1.16 markus 107: static void
1.1 deraadt 108: swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
109: {
1.16 markus 110: /* dst must be properly aligned. */
111: u_int32_t *dst = (u_int32_t *) dst_;
112: union {
113: u_int32_t i;
114: char c[4];
115: } t;
116:
117: /* Process 8 bytes every lap. */
118: for (n = n / 8; n > 0; n--) {
119: t.c[3] = *src++;
120: t.c[2] = *src++;
121: t.c[1] = *src++;
122: t.c[0] = *src++;
123: *dst++ = t.i;
124:
125: t.c[3] = *src++;
126: t.c[2] = *src++;
127: t.c[1] = *src++;
128: t.c[0] = *src++;
129: *dst++ = t.i;
130: }
1.1 deraadt 131: }
132:
1.18 markus 133: /*
134: * Names of all encryption algorithms.
135: * These must match the numbers defined in cipher.h.
136: */
1.1 deraadt 137: static char *cipher_names[] =
1.4 provos 138: {
1.16 markus 139: "none",
140: "idea",
141: "des",
142: "3des",
143: "tss",
144: "rc4",
1.21 markus 145: "blowfish",
146: "reserved",
147: "blowfish-cbc",
148: "3des-cbc",
149: "arcfour",
150: "cast128-cbc"
1.1 deraadt 151: };
152:
1.18 markus 153: /*
154: * Returns a bit mask indicating which ciphers are supported by this
155: * implementation. The bit mask has the corresponding bit set of each
156: * supported cipher.
157: */
1.1 deraadt 158:
1.26 markus 159: unsigned int
1.22 markus 160: cipher_mask1()
1.1 deraadt 161: {
1.16 markus 162: unsigned int mask = 0;
163: mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
164: mask |= 1 << SSH_CIPHER_BLOWFISH;
1.22 markus 165: return mask;
166: }
1.26 markus 167: unsigned int
1.22 markus 168: cipher_mask2()
169: {
170: unsigned int mask = 0;
1.21 markus 171: mask |= 1 << SSH_CIPHER_BLOWFISH_CBC;
172: mask |= 1 << SSH_CIPHER_3DES_CBC;
173: mask |= 1 << SSH_CIPHER_ARCFOUR;
174: mask |= 1 << SSH_CIPHER_CAST128_CBC;
1.16 markus 175: return mask;
1.1 deraadt 176: }
1.26 markus 177: unsigned int
1.22 markus 178: cipher_mask()
179: {
180: return cipher_mask1() | cipher_mask2();
181: }
1.1 deraadt 182:
183: /* Returns the name of the cipher. */
184:
1.16 markus 185: const char *
186: cipher_name(int cipher)
1.1 deraadt 187: {
1.16 markus 188: if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
189: cipher_names[cipher] == NULL)
1.24 markus 190: fatal("cipher_name: bad cipher name: %d", cipher);
1.16 markus 191: return cipher_names[cipher];
1.1 deraadt 192: }
193:
1.24 markus 194: /* Returns 1 if the name of the ciphers are valid. */
195:
196: #define CIPHER_SEP ","
197: int
198: ciphers_valid(const char *names)
199: {
1.29 ho 200: char *ciphers, *cp;
1.24 markus 201: char *p;
202: int i;
203:
1.27 markus 204: if (names == NULL || strcmp(names, "") == 0)
1.24 markus 205: return 0;
1.29 ho 206: ciphers = cp = xstrdup(names);
207: for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
208: (p = strsep(&cp, CIPHER_SEP))) {
1.24 markus 209: i = cipher_number(p);
210: if (i == -1 || !(cipher_mask2() & (1 << i))) {
211: xfree(ciphers);
212: return 0;
213: }
214: }
215: xfree(ciphers);
216: return 1;
217: }
218:
1.18 markus 219: /*
220: * Parses the name of the cipher. Returns the number of the corresponding
221: * cipher, or -1 on error.
222: */
1.1 deraadt 223:
1.4 provos 224: int
225: cipher_number(const char *name)
1.1 deraadt 226: {
1.16 markus 227: int i;
1.27 markus 228: if (name == NULL)
229: return -1;
1.16 markus 230: for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
231: if (strcmp(cipher_names[i], name) == 0 &&
232: (cipher_mask() & (1 << i)))
233: return i;
234: return -1;
1.1 deraadt 235: }
236:
1.18 markus 237: /*
238: * Selects the cipher, and keys if by computing the MD5 checksum of the
239: * passphrase and using the resulting 16 bytes as the key.
240: */
1.1 deraadt 241:
1.26 markus 242: void
1.22 markus 243: cipher_set_key_string(CipherContext *context, int cipher, const char *passphrase)
1.1 deraadt 244: {
1.16 markus 245: MD5_CTX md;
246: unsigned char digest[16];
247:
248: MD5_Init(&md);
249: MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
250: MD5_Final(digest, &md);
251:
1.22 markus 252: cipher_set_key(context, cipher, digest, 16);
1.16 markus 253:
254: memset(digest, 0, sizeof(digest));
255: memset(&md, 0, sizeof(md));
1.1 deraadt 256: }
257:
258: /* Selects the cipher to use and sets the key. */
259:
1.26 markus 260: void
1.22 markus 261: cipher_set_key(CipherContext *context, int cipher, const unsigned char *key,
262: int keylen)
1.16 markus 263: {
264: unsigned char padded[32];
265:
266: /* Set cipher type. */
267: context->type = cipher;
268:
269: /* Get 32 bytes of key data. Pad if necessary. (So that code
270: below does not need to worry about key size). */
271: memset(padded, 0, sizeof(padded));
272: memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));
273:
274: /* Initialize the initialization vector. */
275: switch (cipher) {
276: case SSH_CIPHER_NONE:
1.18 markus 277: /*
278: * Has to stay for authfile saving of private key with no
279: * passphrase
280: */
1.16 markus 281: break;
282:
283: case SSH_CIPHER_3DES:
1.18 markus 284: /*
285: * Note: the least significant bit of each byte of key is
286: * parity, and must be ignored by the implementation. 16
287: * bytes of key are used (first and last keys are the same).
288: */
1.16 markus 289: if (keylen < 16)
290: error("Key length %d is insufficient for 3DES.", keylen);
291: des_set_key((void *) padded, context->u.des3.key1);
292: des_set_key((void *) (padded + 8), context->u.des3.key2);
293: if (keylen <= 16)
294: des_set_key((void *) padded, context->u.des3.key3);
295: else
296: des_set_key((void *) (padded + 16), context->u.des3.key3);
297: memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
298: memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
299: break;
300:
301: case SSH_CIPHER_BLOWFISH:
1.21 markus 302: if (keylen < 16)
303: error("Key length %d is insufficient for blowfish.", keylen);
1.16 markus 304: BF_set_key(&context->u.bf.key, keylen, padded);
305: memset(context->u.bf.iv, 0, 8);
306: break;
307:
1.21 markus 308: case SSH_CIPHER_3DES_CBC:
309: case SSH_CIPHER_BLOWFISH_CBC:
310: case SSH_CIPHER_ARCFOUR:
311: case SSH_CIPHER_CAST128_CBC:
312: fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher));
313: break;
314:
1.16 markus 315: default:
316: fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
317: }
318: memset(padded, 0, sizeof(padded));
1.1 deraadt 319: }
1.21 markus 320:
1.26 markus 321: void
1.21 markus 322: cipher_set_key_iv(CipherContext * context, int cipher,
1.26 markus 323: const unsigned char *key, int keylen,
1.21 markus 324: const unsigned char *iv, int ivlen)
325: {
326: /* Set cipher type. */
327: context->type = cipher;
328:
329: /* Initialize the initialization vector. */
330: switch (cipher) {
331: case SSH_CIPHER_NONE:
332: break;
333:
334: case SSH_CIPHER_3DES:
335: case SSH_CIPHER_BLOWFISH:
336: fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher));
337: break;
338:
339: case SSH_CIPHER_3DES_CBC:
340: if (keylen < 24)
341: error("Key length %d is insufficient for 3des-cbc.", keylen);
342: des_set_key((void *) key, context->u.des3.key1);
343: des_set_key((void *) (key+8), context->u.des3.key2);
344: des_set_key((void *) (key+16), context->u.des3.key3);
345: if (ivlen < 8)
346: error("IV length %d is insufficient for 3des-cbc.", ivlen);
347: memcpy(context->u.des3.iv3, (char *)iv, 8);
348: break;
349:
350: case SSH_CIPHER_BLOWFISH_CBC:
351: if (keylen < 16)
352: error("Key length %d is insufficient for blowfish.", keylen);
353: if (ivlen < 8)
354: error("IV length %d is insufficient for blowfish.", ivlen);
355: BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key);
356: memcpy(context->u.bf.iv, (char *)iv, 8);
357: break;
358:
359: case SSH_CIPHER_ARCFOUR:
360: if (keylen < 16)
361: error("Key length %d is insufficient for arcfour.", keylen);
362: RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key);
363: break;
364:
365: case SSH_CIPHER_CAST128_CBC:
366: if (keylen < 16)
367: error("Key length %d is insufficient for cast128.", keylen);
368: if (ivlen < 8)
369: error("IV length %d is insufficient for cast128.", ivlen);
370: CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key);
371: memcpy(context->u.cast.iv, (char *)iv, 8);
372: break;
373:
374: default:
375: fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
376: }
377: }
378:
1.1 deraadt 379: /* Encrypts data using the cipher. */
380:
1.26 markus 381: void
1.16 markus 382: cipher_encrypt(CipherContext *context, unsigned char *dest,
383: const unsigned char *src, unsigned int len)
384: {
385: if ((len & 7) != 0)
386: fatal("cipher_encrypt: bad plaintext length %d", len);
387:
388: switch (context->type) {
389: case SSH_CIPHER_NONE:
390: memcpy(dest, src, len);
391: break;
392:
393: case SSH_CIPHER_3DES:
394: SSH_3CBC_ENCRYPT(context->u.des3.key1,
395: context->u.des3.key2, &context->u.des3.iv2,
396: context->u.des3.key3, &context->u.des3.iv3,
1.19 markus 397: dest, (unsigned char *) src, len);
1.16 markus 398: break;
399:
400: case SSH_CIPHER_BLOWFISH:
401: swap_bytes(src, dest, len);
402: BF_cbc_encrypt(dest, dest, len,
1.26 markus 403: &context->u.bf.key, context->u.bf.iv,
1.16 markus 404: BF_ENCRYPT);
405: swap_bytes(dest, dest, len);
406: break;
407:
1.21 markus 408: case SSH_CIPHER_BLOWFISH_CBC:
409: BF_cbc_encrypt((void *)src, dest, len,
1.26 markus 410: &context->u.bf.key, context->u.bf.iv,
1.21 markus 411: BF_ENCRYPT);
412: break;
413:
414: case SSH_CIPHER_3DES_CBC:
415: des_ede3_cbc_encrypt(src, dest, len,
416: context->u.des3.key1, context->u.des3.key2,
417: context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT);
418: break;
419:
420: case SSH_CIPHER_ARCFOUR:
421: RC4(&context->u.rc4, len, (unsigned char *)src, dest);
422: break;
423:
424: case SSH_CIPHER_CAST128_CBC:
425: CAST_cbc_encrypt(src, dest, len,
426: &context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT);
427: break;
428:
1.16 markus 429: default:
430: fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
431: }
432: }
1.1 deraadt 433:
434: /* Decrypts data using the cipher. */
435:
1.26 markus 436: void
1.16 markus 437: cipher_decrypt(CipherContext *context, unsigned char *dest,
438: const unsigned char *src, unsigned int len)
439: {
440: if ((len & 7) != 0)
441: fatal("cipher_decrypt: bad ciphertext length %d", len);
442:
443: switch (context->type) {
444: case SSH_CIPHER_NONE:
445: memcpy(dest, src, len);
446: break;
447:
448: case SSH_CIPHER_3DES:
449: SSH_3CBC_DECRYPT(context->u.des3.key1,
450: context->u.des3.key2, &context->u.des3.iv2,
451: context->u.des3.key3, &context->u.des3.iv3,
1.19 markus 452: dest, (unsigned char *) src, len);
1.16 markus 453: break;
454:
455: case SSH_CIPHER_BLOWFISH:
456: swap_bytes(src, dest, len);
457: BF_cbc_encrypt((void *) dest, dest, len,
458: &context->u.bf.key, context->u.bf.iv,
459: BF_DECRYPT);
460: swap_bytes(dest, dest, len);
1.21 markus 461: break;
462:
463: case SSH_CIPHER_BLOWFISH_CBC:
464: BF_cbc_encrypt((void *) src, dest, len,
465: &context->u.bf.key, context->u.bf.iv,
466: BF_DECRYPT);
467: break;
468:
469: case SSH_CIPHER_3DES_CBC:
470: des_ede3_cbc_encrypt(src, dest, len,
471: context->u.des3.key1, context->u.des3.key2,
472: context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT);
473: break;
474:
475: case SSH_CIPHER_ARCFOUR:
476: RC4(&context->u.rc4, len, (unsigned char *)src, dest);
477: break;
478:
479: case SSH_CIPHER_CAST128_CBC:
480: CAST_cbc_encrypt(src, dest, len,
481: &context->u.cast.key, context->u.cast.iv, CAST_DECRYPT);
1.16 markus 482: break;
483:
484: default:
485: fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));
486: }
1.1 deraadt 487: }