1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be 10 * called by a name other than "ssh" or "Secure Shell". 11 * 12 * 13 * Copyright (c) 1999 Niels Provos. All rights reserved. 14 * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37 #include "includes.h" 38 RCSID("$OpenBSD: cipher.c,v 1.47 2001/08/23 11:31:59 markus Exp $"); 39 40 #include "xmalloc.h" 41 #include "log.h" 42 #include "cipher.h" 43 44 #include <openssl/md5.h> 45 46 /* no encryption */ 47 static void 48 none_setkey(CipherContext *cc, const u_char *key, u_int keylen) 49 { 50 } 51 static void 52 none_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 53 { 54 } 55 static void 56 none_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 57 { 58 memcpy(dest, src, len); 59 } 60 61 /* DES */ 62 static void 63 des_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen) 64 { 65 static int dowarn = 1; 66 if (dowarn) { 67 error("Warning: use of DES is strongly discouraged " 68 "due to cryptographic weaknesses"); 69 dowarn = 0; 70 } 71 des_set_key((void *)key, cc->u.des.key); 72 } 73 static void 74 des_ssh1_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 75 { 76 memset(cc->u.des.iv, 0, sizeof(cc->u.des.iv)); 77 } 78 static void 79 des_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 80 { 81 des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv, 82 DES_ENCRYPT); 83 } 84 static void 85 des_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 86 { 87 des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv, 88 DES_DECRYPT); 89 } 90 91 /* 3DES */ 92 static void 93 des3_setkey(CipherContext *cc, const u_char *key, u_int keylen) 94 { 95 des_set_key((void *) key, cc->u.des3.key1); 96 des_set_key((void *) (key+8), cc->u.des3.key2); 97 des_set_key((void *) (key+16), cc->u.des3.key3); 98 } 99 static void 100 des3_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 101 { 102 memset(cc->u.des3.iv1, 0, sizeof(cc->u.des3.iv1)); 103 memset(cc->u.des3.iv2, 0, sizeof(cc->u.des3.iv2)); 104 memset(cc->u.des3.iv3, 0, sizeof(cc->u.des3.iv3)); 105 if (iv == NULL) 106 return; 107 memcpy(cc->u.des3.iv3, (char *)iv, 8); 108 } 109 static void 110 des3_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 111 { 112 des_ede3_cbc_encrypt(src, dest, len, 113 cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3, 114 &cc->u.des3.iv3, DES_ENCRYPT); 115 } 116 static void 117 des3_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 118 { 119 des_ede3_cbc_encrypt(src, dest, len, 120 cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3, 121 &cc->u.des3.iv3, DES_DECRYPT); 122 } 123 124 /* 125 * This is used by SSH1: 126 * 127 * What kind of triple DES are these 2 routines? 128 * 129 * Why is there a redundant initialization vector? 130 * 131 * If only iv3 was used, then, this would till effect have been 132 * outer-cbc. However, there is also a private iv1 == iv2 which 133 * perhaps makes differential analysis easier. On the other hand, the 134 * private iv1 probably makes the CRC-32 attack ineffective. This is a 135 * result of that there is no longer any known iv1 to use when 136 * choosing the X block. 137 */ 138 static void 139 des3_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen) 140 { 141 des_set_key((void *) key, cc->u.des3.key1); 142 des_set_key((void *) (key+8), cc->u.des3.key2); 143 if (keylen <= 16) 144 des_set_key((void *) key, cc->u.des3.key3); 145 else 146 des_set_key((void *) (key+16), cc->u.des3.key3); 147 } 148 static void 149 des3_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, 150 u_int len) 151 { 152 des_ncbc_encrypt(src, dest, len, cc->u.des3.key1, &cc->u.des3.iv1, 153 DES_ENCRYPT); 154 des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, &cc->u.des3.iv2, 155 DES_DECRYPT); 156 des_ncbc_encrypt(dest, dest, len, cc->u.des3.key3, &cc->u.des3.iv3, 157 DES_ENCRYPT); 158 } 159 static void 160 des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, 161 u_int len) 162 { 163 des_ncbc_encrypt(src, dest, len, cc->u.des3.key3, &cc->u.des3.iv3, 164 DES_DECRYPT); 165 des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, &cc->u.des3.iv2, 166 DES_ENCRYPT); 167 des_ncbc_encrypt(dest, dest, len, cc->u.des3.key1, &cc->u.des3.iv1, 168 DES_DECRYPT); 169 } 170 171 /* Blowfish */ 172 static void 173 blowfish_setkey(CipherContext *cc, const u_char *key, u_int keylen) 174 { 175 BF_set_key(&cc->u.bf.key, keylen, (u_char *)key); 176 } 177 static void 178 blowfish_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 179 { 180 if (iv == NULL) 181 memset(cc->u.bf.iv, 0, 8); 182 else 183 memcpy(cc->u.bf.iv, (char *)iv, 8); 184 } 185 static void 186 blowfish_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, 187 u_int len) 188 { 189 BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv, 190 BF_ENCRYPT); 191 } 192 static void 193 blowfish_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, 194 u_int len) 195 { 196 BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv, 197 BF_DECRYPT); 198 } 199 200 /* 201 * SSH1 uses a variation on Blowfish, all bytes must be swapped before 202 * and after encryption/decryption. Thus the swap_bytes stuff (yuk). 203 */ 204 static void 205 swap_bytes(const u_char *src, u_char *dst, int n) 206 { 207 char c[4]; 208 209 /* Process 4 bytes every lap. */ 210 for (n = n / 4; n > 0; n--) { 211 c[3] = *src++; 212 c[2] = *src++; 213 c[1] = *src++; 214 c[0] = *src++; 215 216 *dst++ = c[0]; 217 *dst++ = c[1]; 218 *dst++ = c[2]; 219 *dst++ = c[3]; 220 } 221 } 222 223 static void 224 blowfish_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, 225 u_int len) 226 { 227 swap_bytes(src, dest, len); 228 BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv, 229 BF_ENCRYPT); 230 swap_bytes(dest, dest, len); 231 } 232 static void 233 blowfish_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, 234 u_int len) 235 { 236 swap_bytes(src, dest, len); 237 BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv, 238 BF_DECRYPT); 239 swap_bytes(dest, dest, len); 240 } 241 242 /* alleged rc4 */ 243 static void 244 arcfour_setkey(CipherContext *cc, const u_char *key, u_int keylen) 245 { 246 RC4_set_key(&cc->u.rc4, keylen, (u_char *)key); 247 } 248 static void 249 arcfour_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 250 { 251 RC4(&cc->u.rc4, len, (u_char *)src, dest); 252 } 253 254 /* CAST */ 255 static void 256 cast_setkey(CipherContext *cc, const u_char *key, u_int keylen) 257 { 258 CAST_set_key(&cc->u.cast.key, keylen, (u_char *) key); 259 } 260 static void 261 cast_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 262 { 263 if (iv == NULL) 264 fatal("no IV for %s.", cc->cipher->name); 265 memcpy(cc->u.cast.iv, (char *)iv, 8); 266 } 267 static void 268 cast_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 269 { 270 CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv, 271 CAST_ENCRYPT); 272 } 273 static void 274 cast_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 275 { 276 CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv, 277 CAST_DECRYPT); 278 } 279 280 /* RIJNDAEL */ 281 282 #define RIJNDAEL_BLOCKSIZE 16 283 static void 284 rijndael_setkey(CipherContext *cc, const u_char *key, u_int keylen) 285 { 286 rijndael_set_key(&cc->u.rijndael.enc, (char *)key, 8*keylen, 1); 287 rijndael_set_key(&cc->u.rijndael.dec, (char *)key, 8*keylen, 0); 288 } 289 static void 290 rijndael_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 291 { 292 if (iv == NULL || ivlen != RIJNDAEL_BLOCKSIZE) 293 fatal("bad/no IV for %s.", cc->cipher->name); 294 memcpy(cc->u.rijndael.iv, iv, RIJNDAEL_BLOCKSIZE); 295 } 296 static void 297 rijndael_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, 298 u_int len) 299 { 300 rijndael_ctx *ctx = &cc->u.rijndael.enc; 301 u_char *iv = cc->u.rijndael.iv; 302 u_char in[RIJNDAEL_BLOCKSIZE]; 303 u_char *cprev, *cnow, *plain; 304 int i, j, blocks = len / RIJNDAEL_BLOCKSIZE; 305 306 if (len == 0) 307 return; 308 if (len % RIJNDAEL_BLOCKSIZE) 309 fatal("rijndael_cbc_encrypt: bad len %d", len); 310 cnow = dest; 311 plain = (u_char *) src; 312 cprev = iv; 313 for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE, 314 cnow+=RIJNDAEL_BLOCKSIZE) { 315 for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++) 316 in[j] = plain[j] ^ cprev[j]; 317 rijndael_encrypt(ctx, in, cnow); 318 cprev = cnow; 319 } 320 memcpy(iv, cprev, RIJNDAEL_BLOCKSIZE); 321 } 322 static void 323 rijndael_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, 324 u_int len) 325 { 326 rijndael_ctx *ctx = &cc->u.rijndael.dec; 327 u_char *iv = cc->u.rijndael.iv; 328 u_char ivsaved[RIJNDAEL_BLOCKSIZE]; 329 u_char *cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE); 330 u_char *plain = dest+len-RIJNDAEL_BLOCKSIZE; 331 u_char *ivp; 332 int i, j, blocks = len / RIJNDAEL_BLOCKSIZE; 333 334 if (len == 0) 335 return; 336 if (len % RIJNDAEL_BLOCKSIZE) 337 fatal("rijndael_cbc_decrypt: bad len %d", len); 338 memcpy(ivsaved, cnow, RIJNDAEL_BLOCKSIZE); 339 for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE, 340 plain-=RIJNDAEL_BLOCKSIZE) { 341 rijndael_decrypt(ctx, cnow, plain); 342 ivp = (i == 1) ? iv : cnow-RIJNDAEL_BLOCKSIZE; 343 for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++) 344 plain[j] ^= ivp[j]; 345 } 346 memcpy(iv, ivsaved, RIJNDAEL_BLOCKSIZE); 347 } 348 349 Cipher ciphers[] = { 350 { "none", 351 SSH_CIPHER_NONE, 8, 0, 352 none_setkey, none_setiv, 353 none_crypt, none_crypt }, 354 { "des", 355 SSH_CIPHER_DES, 8, 8, 356 des_ssh1_setkey, des_ssh1_setiv, 357 des_ssh1_encrypt, des_ssh1_decrypt }, 358 { "3des", 359 SSH_CIPHER_3DES, 8, 16, 360 des3_ssh1_setkey, des3_setiv, 361 des3_ssh1_encrypt, des3_ssh1_decrypt }, 362 { "blowfish", 363 SSH_CIPHER_BLOWFISH, 8, 16, 364 blowfish_setkey, blowfish_setiv, 365 blowfish_ssh1_encrypt, blowfish_ssh1_decrypt }, 366 367 { "3des-cbc", 368 SSH_CIPHER_SSH2, 8, 24, 369 des3_setkey, des3_setiv, 370 des3_cbc_encrypt, des3_cbc_decrypt }, 371 { "blowfish-cbc", 372 SSH_CIPHER_SSH2, 8, 16, 373 blowfish_setkey, blowfish_setiv, 374 blowfish_cbc_encrypt, blowfish_cbc_decrypt }, 375 { "cast128-cbc", 376 SSH_CIPHER_SSH2, 8, 16, 377 cast_setkey, cast_setiv, 378 cast_cbc_encrypt, cast_cbc_decrypt }, 379 { "arcfour", 380 SSH_CIPHER_SSH2, 8, 16, 381 arcfour_setkey, none_setiv, 382 arcfour_crypt, arcfour_crypt }, 383 { "aes128-cbc", 384 SSH_CIPHER_SSH2, 16, 16, 385 rijndael_setkey, rijndael_setiv, 386 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 387 { "aes192-cbc", 388 SSH_CIPHER_SSH2, 16, 24, 389 rijndael_setkey, rijndael_setiv, 390 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 391 { "aes256-cbc", 392 SSH_CIPHER_SSH2, 16, 32, 393 rijndael_setkey, rijndael_setiv, 394 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 395 { "rijndael128-cbc", 396 SSH_CIPHER_SSH2, 16, 16, 397 rijndael_setkey, rijndael_setiv, 398 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 399 { "rijndael192-cbc", 400 SSH_CIPHER_SSH2, 16, 24, 401 rijndael_setkey, rijndael_setiv, 402 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 403 { "rijndael256-cbc", 404 SSH_CIPHER_SSH2, 16, 32, 405 rijndael_setkey, rijndael_setiv, 406 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 407 { "rijndael-cbc@lysator.liu.se", 408 SSH_CIPHER_SSH2, 16, 32, 409 rijndael_setkey, rijndael_setiv, 410 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 411 { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL } 412 }; 413 414 /*--*/ 415 416 u_int 417 cipher_mask_ssh1(int client) 418 { 419 u_int mask = 0; 420 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 421 mask |= 1 << SSH_CIPHER_BLOWFISH; 422 if (client) { 423 mask |= 1 << SSH_CIPHER_DES; 424 } 425 return mask; 426 } 427 428 Cipher * 429 cipher_by_name(const char *name) 430 { 431 Cipher *c; 432 for (c = ciphers; c->name != NULL; c++) 433 if (strcasecmp(c->name, name) == 0) 434 return c; 435 return NULL; 436 } 437 438 Cipher * 439 cipher_by_number(int id) 440 { 441 Cipher *c; 442 for (c = ciphers; c->name != NULL; c++) 443 if (c->number == id) 444 return c; 445 return NULL; 446 } 447 448 #define CIPHER_SEP "," 449 int 450 ciphers_valid(const char *names) 451 { 452 Cipher *c; 453 char *ciphers, *cp; 454 char *p; 455 456 if (names == NULL || strcmp(names, "") == 0) 457 return 0; 458 ciphers = cp = xstrdup(names); 459 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 460 (p = strsep(&cp, CIPHER_SEP))) { 461 c = cipher_by_name(p); 462 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 463 debug("bad cipher %s [%s]", p, names); 464 xfree(ciphers); 465 return 0; 466 } else { 467 debug3("cipher ok: %s [%s]", p, names); 468 } 469 } 470 debug3("ciphers ok: [%s]", names); 471 xfree(ciphers); 472 return 1; 473 } 474 475 /* 476 * Parses the name of the cipher. Returns the number of the corresponding 477 * cipher, or -1 on error. 478 */ 479 480 int 481 cipher_number(const char *name) 482 { 483 Cipher *c; 484 if (name == NULL) 485 return -1; 486 c = cipher_by_name(name); 487 return (c==NULL) ? -1 : c->number; 488 } 489 490 char * 491 cipher_name(int id) 492 { 493 Cipher *c = cipher_by_number(id); 494 return (c==NULL) ? "<unknown>" : c->name; 495 } 496 497 void 498 cipher_init(CipherContext *cc, Cipher *cipher, 499 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen) 500 { 501 if (keylen < cipher->key_len) 502 fatal("cipher_init: key length %d is insufficient for %s.", 503 keylen, cipher->name); 504 if (iv != NULL && ivlen < cipher->block_size) 505 fatal("cipher_init: iv length %d is insufficient for %s.", 506 ivlen, cipher->name); 507 cc->cipher = cipher; 508 cipher->setkey(cc, key, keylen); 509 cipher->setiv(cc, iv, ivlen); 510 } 511 512 void 513 cipher_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 514 { 515 if (len % cc->cipher->block_size) 516 fatal("cipher_encrypt: bad plaintext length %d", len); 517 cc->cipher->encrypt(cc, dest, src, len); 518 } 519 520 void 521 cipher_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 522 { 523 if (len % cc->cipher->block_size) 524 fatal("cipher_decrypt: bad ciphertext length %d", len); 525 cc->cipher->decrypt(cc, dest, src, len); 526 } 527 528 /* 529 * Selects the cipher, and keys if by computing the MD5 checksum of the 530 * passphrase and using the resulting 16 bytes as the key. 531 */ 532 533 void 534 cipher_set_key_string(CipherContext *cc, Cipher *cipher, 535 const char *passphrase) 536 { 537 MD5_CTX md; 538 u_char digest[16]; 539 540 MD5_Init(&md); 541 MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); 542 MD5_Final(digest, &md); 543 544 cipher_init(cc, cipher, digest, 16, NULL, 0); 545 546 memset(digest, 0, sizeof(digest)); 547 memset(&md, 0, sizeof(md)); 548 } 549