Annotation of src/usr.bin/ssh/cipher.c, Revision 1.72
1.1 deraadt 1: /*
1.30 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
1.26 markus 5: *
1.30 deraadt 6: * As far as I am concerned, the code I have written for this software
7: * can be used freely for any purpose. Any derived versions of this
8: * software must be clearly marked as such, and if the derived work is
9: * incompatible with the protocol description in the RFC file, it must be
10: * called by a name other than "ssh" or "Secure Shell".
1.26 markus 11: *
12: *
1.30 deraadt 13: * Copyright (c) 1999 Niels Provos. All rights reserved.
1.46 markus 14: * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved.
1.26 markus 15: *
1.30 deraadt 16: * Redistribution and use in source and binary forms, with or without
17: * modification, are permitted provided that the following conditions
18: * are met:
19: * 1. Redistributions of source code must retain the above copyright
20: * notice, this list of conditions and the following disclaimer.
21: * 2. Redistributions in binary form must reproduce the above copyright
22: * notice, this list of conditions and the following disclaimer in the
23: * documentation and/or other materials provided with the distribution.
1.26 markus 24: *
1.30 deraadt 25: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.17 deraadt 35: */
1.1 deraadt 36:
37: #include "includes.h"
1.72 ! djm 38: RCSID("$OpenBSD: cipher.c,v 1.71 2004/07/28 09:40:29 markus Exp $");
1.1 deraadt 39:
1.24 markus 40: #include "xmalloc.h"
1.42 markus 41: #include "log.h"
42: #include "cipher.h"
1.8 deraadt 43:
1.25 markus 44: #include <openssl/md5.h>
1.57 markus 45:
1.64 markus 46: extern const EVP_CIPHER *evp_ssh1_bf(void);
47: extern const EVP_CIPHER *evp_ssh1_3des(void);
48: extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
1.65 markus 49: extern const EVP_CIPHER *evp_aes_128_ctr(void);
50: extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
1.1 deraadt 51:
1.51 markus 52: struct Cipher {
53: char *name;
54: int number; /* for ssh1 only */
55: u_int block_size;
56: u_int key_len;
1.56 markus 57: const EVP_CIPHER *(*evptype)(void);
1.52 markus 58: } ciphers[] = {
1.70 deraadt 59: { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
60: { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
61: { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
62: { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },
1.52 markus 63:
1.70 deraadt 64: { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
65: { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
66: { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
67: { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
1.57 markus 68: { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc },
69: { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc },
70: { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
71: { "rijndael-cbc@lysator.liu.se",
72: SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
1.70 deraadt 73: { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr },
74: { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr },
75: { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr },
1.68 hshoexer 76: { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss },
1.47 markus 77:
1.71 markus 78: { NULL, SSH_CIPHER_INVALID, 0, 0, NULL }
1.32 markus 79: };
80:
81: /*--*/
1.1 deraadt 82:
1.54 markus 83: u_int
1.66 jakob 84: cipher_blocksize(const Cipher *c)
1.51 markus 85: {
86: return (c->block_size);
87: }
1.60 deraadt 88:
1.54 markus 89: u_int
1.66 jakob 90: cipher_keylen(const Cipher *c)
1.51 markus 91: {
92: return (c->key_len);
93: }
1.60 deraadt 94:
1.54 markus 95: u_int
1.66 jakob 96: cipher_get_number(const Cipher *c)
1.53 markus 97: {
98: return (c->number);
99: }
1.51 markus 100:
1.41 markus 101: u_int
1.34 markus 102: cipher_mask_ssh1(int client)
1.1 deraadt 103: {
1.41 markus 104: u_int mask = 0;
1.48 deraadt 105: mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
1.34 markus 106: mask |= 1 << SSH_CIPHER_BLOWFISH;
107: if (client) {
108: mask |= 1 << SSH_CIPHER_DES;
1.32 markus 109: }
110: return mask;
1.1 deraadt 111: }
112:
1.32 markus 113: Cipher *
114: cipher_by_name(const char *name)
115: {
116: Cipher *c;
117: for (c = ciphers; c->name != NULL; c++)
118: if (strcasecmp(c->name, name) == 0)
119: return c;
120: return NULL;
121: }
122:
123: Cipher *
124: cipher_by_number(int id)
125: {
126: Cipher *c;
127: for (c = ciphers; c->name != NULL; c++)
128: if (c->number == id)
129: return c;
130: return NULL;
131: }
1.24 markus 132:
133: #define CIPHER_SEP ","
134: int
135: ciphers_valid(const char *names)
136: {
1.32 markus 137: Cipher *c;
1.69 avsm 138: char *cipher_list, *cp;
1.24 markus 139: char *p;
140:
1.27 markus 141: if (names == NULL || strcmp(names, "") == 0)
1.24 markus 142: return 0;
1.69 avsm 143: cipher_list = cp = xstrdup(names);
1.32 markus 144: for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
1.48 deraadt 145: (p = strsep(&cp, CIPHER_SEP))) {
1.32 markus 146: c = cipher_by_name(p);
147: if (c == NULL || c->number != SSH_CIPHER_SSH2) {
148: debug("bad cipher %s [%s]", p, names);
1.69 avsm 149: xfree(cipher_list);
1.24 markus 150: return 0;
1.32 markus 151: } else {
1.36 markus 152: debug3("cipher ok: %s [%s]", p, names);
1.24 markus 153: }
154: }
1.36 markus 155: debug3("ciphers ok: [%s]", names);
1.69 avsm 156: xfree(cipher_list);
1.24 markus 157: return 1;
158: }
159:
1.18 markus 160: /*
161: * Parses the name of the cipher. Returns the number of the corresponding
162: * cipher, or -1 on error.
163: */
1.1 deraadt 164:
1.4 provos 165: int
166: cipher_number(const char *name)
1.1 deraadt 167: {
1.32 markus 168: Cipher *c;
1.27 markus 169: if (name == NULL)
170: return -1;
1.32 markus 171: c = cipher_by_name(name);
172: return (c==NULL) ? -1 : c->number;
1.1 deraadt 173: }
174:
1.32 markus 175: char *
176: cipher_name(int id)
1.1 deraadt 177: {
1.32 markus 178: Cipher *c = cipher_by_number(id);
179: return (c==NULL) ? "<unknown>" : c->name;
1.1 deraadt 180: }
181:
1.26 markus 182: void
1.52 markus 183: cipher_init(CipherContext *cc, Cipher *cipher,
184: const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
1.69 avsm 185: int do_encrypt)
1.16 markus 186: {
1.52 markus 187: static int dowarn = 1;
188: const EVP_CIPHER *type;
189: int klen;
190:
191: if (cipher->number == SSH_CIPHER_DES) {
192: if (dowarn) {
193: error("Warning: use of DES is strongly discouraged "
194: "due to cryptographic weaknesses");
195: dowarn = 0;
196: }
197: if (keylen > 8)
198: keylen = 8;
199: }
200: cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
201:
1.32 markus 202: if (keylen < cipher->key_len)
203: fatal("cipher_init: key length %d is insufficient for %s.",
204: keylen, cipher->name);
205: if (iv != NULL && ivlen < cipher->block_size)
206: fatal("cipher_init: iv length %d is insufficient for %s.",
207: ivlen, cipher->name);
208: cc->cipher = cipher;
1.52 markus 209:
210: type = (*cipher->evptype)();
211:
212: EVP_CIPHER_CTX_init(&cc->evp);
213: if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
1.69 avsm 214: (do_encrypt == CIPHER_ENCRYPT)) == 0)
1.52 markus 215: fatal("cipher_init: EVP_CipherInit failed for %s",
216: cipher->name);
217: klen = EVP_CIPHER_CTX_key_length(&cc->evp);
218: if (klen > 0 && keylen != klen) {
1.62 markus 219: debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
1.52 markus 220: if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
221: fatal("cipher_init: set keylen failed (%d -> %d)",
222: klen, keylen);
223: }
224: if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
225: fatal("cipher_init: EVP_CipherInit: set key failed for %s",
226: cipher->name);
1.1 deraadt 227: }
1.21 markus 228:
1.26 markus 229: void
1.51 markus 230: cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
1.32 markus 231: {
232: if (len % cc->cipher->block_size)
233: fatal("cipher_encrypt: bad plaintext length %d", len);
1.52 markus 234: if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
235: fatal("evp_crypt: EVP_Cipher failed");
1.21 markus 236: }
237:
1.26 markus 238: void
1.51 markus 239: cipher_cleanup(CipherContext *cc)
1.16 markus 240: {
1.52 markus 241: if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
242: error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
1.16 markus 243: }
1.1 deraadt 244:
1.32 markus 245: /*
246: * Selects the cipher, and keys if by computing the MD5 checksum of the
247: * passphrase and using the resulting 16 bytes as the key.
248: */
1.1 deraadt 249:
1.26 markus 250: void
1.32 markus 251: cipher_set_key_string(CipherContext *cc, Cipher *cipher,
1.69 avsm 252: const char *passphrase, int do_encrypt)
1.16 markus 253: {
1.32 markus 254: MD5_CTX md;
1.41 markus 255: u_char digest[16];
1.32 markus 256:
257: MD5_Init(&md);
258: MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
259: MD5_Final(digest, &md);
1.16 markus 260:
1.69 avsm 261: cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
1.16 markus 262:
1.32 markus 263: memset(digest, 0, sizeof(digest));
264: memset(&md, 0, sizeof(md));
1.52 markus 265: }
1.53 markus 266:
1.54 markus 267: /*
1.53 markus 268: * Exports an IV from the CipherContext required to export the key
269: * state back from the unprivileged child to the privileged parent
270: * process.
271: */
272:
273: int
1.66 jakob 274: cipher_get_keyiv_len(const CipherContext *cc)
1.53 markus 275: {
276: Cipher *c = cc->cipher;
277: int ivlen;
278:
279: if (c->number == SSH_CIPHER_3DES)
280: ivlen = 24;
281: else
282: ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
283: return (ivlen);
284: }
285:
286: void
287: cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
288: {
289: Cipher *c = cc->cipher;
290: int evplen;
291:
292: switch (c->number) {
293: case SSH_CIPHER_SSH2:
294: case SSH_CIPHER_DES:
295: case SSH_CIPHER_BLOWFISH:
296: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
297: if (evplen == 0)
298: return;
299: if (evplen != len)
1.58 markus 300: fatal("%s: wrong iv length %d != %d", __func__,
1.53 markus 301: evplen, len);
1.65 markus 302: if (c->evptype == evp_aes_128_ctr)
303: ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
304: else
1.63 markus 305: memcpy(iv, cc->evp.iv, len);
306: break;
307: case SSH_CIPHER_3DES:
308: ssh1_3des_iv(&cc->evp, 0, iv, 24);
1.53 markus 309: break;
310: default:
1.58 markus 311: fatal("%s: bad cipher %d", __func__, c->number);
1.53 markus 312: }
313: }
314:
315: void
316: cipher_set_keyiv(CipherContext *cc, u_char *iv)
317: {
318: Cipher *c = cc->cipher;
319: int evplen = 0;
320:
321: switch (c->number) {
322: case SSH_CIPHER_SSH2:
323: case SSH_CIPHER_DES:
324: case SSH_CIPHER_BLOWFISH:
325: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
326: if (evplen == 0)
327: return;
1.65 markus 328: if (c->evptype == evp_aes_128_ctr)
329: ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
330: else
1.63 markus 331: memcpy(cc->evp.iv, iv, evplen);
332: break;
333: case SSH_CIPHER_3DES:
334: ssh1_3des_iv(&cc->evp, 1, iv, 24);
1.53 markus 335: break;
336: default:
1.58 markus 337: fatal("%s: bad cipher %d", __func__, c->number);
1.53 markus 338: }
339: }
340:
341: #define EVP_X_STATE(evp) (evp).cipher_data
342: #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
343:
344: int
1.66 jakob 345: cipher_get_keycontext(const CipherContext *cc, u_char *dat)
1.53 markus 346: {
347: Cipher *c = cc->cipher;
1.59 markus 348: int plen = 0;
1.53 markus 349:
1.67 hshoexer 350: if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) {
1.59 markus 351: plen = EVP_X_STATE_LEN(cc->evp);
1.53 markus 352: if (dat == NULL)
1.59 markus 353: return (plen);
354: memcpy(dat, EVP_X_STATE(cc->evp), plen);
1.53 markus 355: }
356: return (plen);
357: }
358:
359: void
360: cipher_set_keycontext(CipherContext *cc, u_char *dat)
361: {
362: Cipher *c = cc->cipher;
363: int plen;
364:
1.67 hshoexer 365: if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) {
1.53 markus 366: plen = EVP_X_STATE_LEN(cc->evp);
367: memcpy(EVP_X_STATE(cc->evp), dat, plen);
368: }
1.1 deraadt 369: }