1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be 10 * called by a name other than "ssh" or "Secure Shell". 11 * 12 * 13 * Copyright (c) 1999 Niels Provos. All rights reserved. 14 * Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37 #include "includes.h" 38 RCSID("$OpenBSD: cipher.c,v 1.30 2000/09/07 20:27:50 deraadt Exp $"); 39 RCSID("$FreeBSD$"); 40 41 #include "ssh.h" 42 #include "cipher.h" 43 #include "xmalloc.h" 44 45 #include <openssl/md5.h> 46 47 /* 48 * This is used by SSH1: 49 * 50 * What kind of triple DES are these 2 routines? 51 * 52 * Why is there a redundant initialization vector? 53 * 54 * If only iv3 was used, then, this would till effect have been 55 * outer-cbc. However, there is also a private iv1 == iv2 which 56 * perhaps makes differential analysis easier. On the other hand, the 57 * private iv1 probably makes the CRC-32 attack ineffective. This is a 58 * result of that there is no longer any known iv1 to use when 59 * choosing the X block. 60 */ 61 void 62 SSH_3CBC_ENCRYPT(des_key_schedule ks1, 63 des_key_schedule ks2, des_cblock * iv2, 64 des_key_schedule ks3, des_cblock * iv3, 65 unsigned char *dest, unsigned char *src, 66 unsigned int len) 67 { 68 des_cblock iv1; 69 70 memcpy(&iv1, iv2, 8); 71 72 des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT); 73 memcpy(&iv1, dest + len - 8, 8); 74 75 des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT); 76 memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */ 77 78 des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT); 79 memcpy(iv3, dest + len - 8, 8); 80 } 81 82 void 83 SSH_3CBC_DECRYPT(des_key_schedule ks1, 84 des_key_schedule ks2, des_cblock * iv2, 85 des_key_schedule ks3, des_cblock * iv3, 86 unsigned char *dest, unsigned char *src, 87 unsigned int len) 88 { 89 des_cblock iv1; 90 91 memcpy(&iv1, iv2, 8); 92 93 des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT); 94 memcpy(iv3, src + len - 8, 8); 95 96 des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT); 97 memcpy(iv2, dest + len - 8, 8); 98 99 des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT); 100 /* memcpy(&iv1, iv2, 8); */ 101 /* Note how iv1 == iv2 on entry and exit. */ 102 } 103 104 /* 105 * SSH1 uses a variation on Blowfish, all bytes must be swapped before 106 * and after encryption/decryption. Thus the swap_bytes stuff (yuk). 107 */ 108 static void 109 swap_bytes(const unsigned char *src, unsigned char *dst_, int n) 110 { 111 /* dst must be properly aligned. */ 112 u_int32_t *dst = (u_int32_t *) dst_; 113 union { 114 u_int32_t i; 115 char c[4]; 116 } t; 117 118 /* Process 8 bytes every lap. */ 119 for (n = n / 8; n > 0; n--) { 120 t.c[3] = *src++; 121 t.c[2] = *src++; 122 t.c[1] = *src++; 123 t.c[0] = *src++; 124 *dst++ = t.i; 125 126 t.c[3] = *src++; 127 t.c[2] = *src++; 128 t.c[1] = *src++; 129 t.c[0] = *src++; 130 *dst++ = t.i; 131 } 132 } 133 134 /* 135 * Names of all encryption algorithms. 136 * These must match the numbers defined in cipher.h. 137 */ 138 static char *cipher_names[] = 139 { 140 "none", 141 "idea", 142 "des", 143 "3des", 144 "tss", 145 "rc4", 146 "blowfish", 147 "reserved", 148 "blowfish-cbc", 149 "3des-cbc", 150 "arcfour", 151 "cast128-cbc" 152 }; 153 154 /* 155 * Returns a bit mask indicating which ciphers are supported by this 156 * implementation. The bit mask has the corresponding bit set of each 157 * supported cipher. 158 */ 159 160 unsigned int 161 cipher_mask1() 162 { 163 unsigned int mask = 0; 164 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 165 mask |= 1 << SSH_CIPHER_BLOWFISH; 166 return mask; 167 } 168 unsigned int 169 cipher_mask2() 170 { 171 unsigned int mask = 0; 172 mask |= 1 << SSH_CIPHER_BLOWFISH_CBC; 173 mask |= 1 << SSH_CIPHER_3DES_CBC; 174 mask |= 1 << SSH_CIPHER_ARCFOUR; 175 mask |= 1 << SSH_CIPHER_CAST128_CBC; 176 return mask; 177 } 178 unsigned int 179 cipher_mask() 180 { 181 return cipher_mask1() | cipher_mask2(); 182 } 183 184 /* Returns the name of the cipher. */ 185 186 const char * 187 cipher_name(int cipher) 188 { 189 if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) || 190 cipher_names[cipher] == NULL) 191 fatal("cipher_name: bad cipher name: %d", cipher); 192 return cipher_names[cipher]; 193 } 194 195 /* Returns 1 if the name of the ciphers are valid. */ 196 197 #define CIPHER_SEP "," 198 int 199 ciphers_valid(const char *names) 200 { 201 char *ciphers, *cp; 202 char *p; 203 int i; 204 205 if (names == NULL || strcmp(names, "") == 0) 206 return 0; 207 ciphers = cp = xstrdup(names); 208 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 209 (p = strsep(&cp, CIPHER_SEP))) { 210 i = cipher_number(p); 211 if (i == -1 || !(cipher_mask2() & (1 << i))) { 212 xfree(ciphers); 213 return 0; 214 } 215 } 216 xfree(ciphers); 217 return 1; 218 } 219 220 /* 221 * Parses the name of the cipher. Returns the number of the corresponding 222 * cipher, or -1 on error. 223 */ 224 225 int 226 cipher_number(const char *name) 227 { 228 int i; 229 if (name == NULL) 230 return -1; 231 for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++) 232 if (strcmp(cipher_names[i], name) == 0 && 233 (cipher_mask() & (1 << i))) 234 return i; 235 return -1; 236 } 237 238 /* 239 * Selects the cipher, and keys if by computing the MD5 checksum of the 240 * passphrase and using the resulting 16 bytes as the key. 241 */ 242 243 void 244 cipher_set_key_string(CipherContext *context, int cipher, const char *passphrase) 245 { 246 MD5_CTX md; 247 unsigned char digest[16]; 248 249 MD5_Init(&md); 250 MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase)); 251 MD5_Final(digest, &md); 252 253 cipher_set_key(context, cipher, digest, 16); 254 255 memset(digest, 0, sizeof(digest)); 256 memset(&md, 0, sizeof(md)); 257 } 258 259 /* Selects the cipher to use and sets the key. */ 260 261 void 262 cipher_set_key(CipherContext *context, int cipher, const unsigned char *key, 263 int keylen) 264 { 265 unsigned char padded[32]; 266 267 /* Set cipher type. */ 268 context->type = cipher; 269 270 /* Get 32 bytes of key data. Pad if necessary. (So that code 271 below does not need to worry about key size). */ 272 memset(padded, 0, sizeof(padded)); 273 memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded)); 274 275 /* Initialize the initialization vector. */ 276 switch (cipher) { 277 case SSH_CIPHER_NONE: 278 /* 279 * Has to stay for authfile saving of private key with no 280 * passphrase 281 */ 282 break; 283 284 case SSH_CIPHER_3DES: 285 /* 286 * Note: the least significant bit of each byte of key is 287 * parity, and must be ignored by the implementation. 16 288 * bytes of key are used (first and last keys are the same). 289 */ 290 if (keylen < 16) 291 error("Key length %d is insufficient for 3DES.", keylen); 292 des_set_key((void *) padded, context->u.des3.key1); 293 des_set_key((void *) (padded + 8), context->u.des3.key2); 294 if (keylen <= 16) 295 des_set_key((void *) padded, context->u.des3.key3); 296 else 297 des_set_key((void *) (padded + 16), context->u.des3.key3); 298 memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2)); 299 memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3)); 300 break; 301 302 case SSH_CIPHER_BLOWFISH: 303 if (keylen < 16) 304 error("Key length %d is insufficient for blowfish.", keylen); 305 BF_set_key(&context->u.bf.key, keylen, padded); 306 memset(context->u.bf.iv, 0, 8); 307 break; 308 309 case SSH_CIPHER_3DES_CBC: 310 case SSH_CIPHER_BLOWFISH_CBC: 311 case SSH_CIPHER_ARCFOUR: 312 case SSH_CIPHER_CAST128_CBC: 313 fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher)); 314 break; 315 316 default: 317 fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher)); 318 } 319 memset(padded, 0, sizeof(padded)); 320 } 321 322 void 323 cipher_set_key_iv(CipherContext * context, int cipher, 324 const unsigned char *key, int keylen, 325 const unsigned char *iv, int ivlen) 326 { 327 /* Set cipher type. */ 328 context->type = cipher; 329 330 /* Initialize the initialization vector. */ 331 switch (cipher) { 332 case SSH_CIPHER_NONE: 333 break; 334 335 case SSH_CIPHER_3DES: 336 case SSH_CIPHER_BLOWFISH: 337 fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher)); 338 break; 339 340 case SSH_CIPHER_3DES_CBC: 341 if (keylen < 24) 342 error("Key length %d is insufficient for 3des-cbc.", keylen); 343 des_set_key((void *) key, context->u.des3.key1); 344 des_set_key((void *) (key+8), context->u.des3.key2); 345 des_set_key((void *) (key+16), context->u.des3.key3); 346 if (ivlen < 8) 347 error("IV length %d is insufficient for 3des-cbc.", ivlen); 348 memcpy(context->u.des3.iv3, (char *)iv, 8); 349 break; 350 351 case SSH_CIPHER_BLOWFISH_CBC: 352 if (keylen < 16) 353 error("Key length %d is insufficient for blowfish.", keylen); 354 if (ivlen < 8) 355 error("IV length %d is insufficient for blowfish.", ivlen); 356 BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key); 357 memcpy(context->u.bf.iv, (char *)iv, 8); 358 break; 359 360 case SSH_CIPHER_ARCFOUR: 361 if (keylen < 16) 362 error("Key length %d is insufficient for arcfour.", keylen); 363 RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key); 364 break; 365 366 case SSH_CIPHER_CAST128_CBC: 367 if (keylen < 16) 368 error("Key length %d is insufficient for cast128.", keylen); 369 if (ivlen < 8) 370 error("IV length %d is insufficient for cast128.", ivlen); 371 CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key); 372 memcpy(context->u.cast.iv, (char *)iv, 8); 373 break; 374 375 default: 376 fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher)); 377 } 378 } 379 380 /* Encrypts data using the cipher. */ 381 382 void 383 cipher_encrypt(CipherContext *context, unsigned char *dest, 384 const unsigned char *src, unsigned int len) 385 { 386 if ((len & 7) != 0) 387 fatal("cipher_encrypt: bad plaintext length %d", len); 388 389 switch (context->type) { 390 case SSH_CIPHER_NONE: 391 memcpy(dest, src, len); 392 break; 393 394 case SSH_CIPHER_3DES: 395 SSH_3CBC_ENCRYPT(context->u.des3.key1, 396 context->u.des3.key2, &context->u.des3.iv2, 397 context->u.des3.key3, &context->u.des3.iv3, 398 dest, (unsigned char *) src, len); 399 break; 400 401 case SSH_CIPHER_BLOWFISH: 402 swap_bytes(src, dest, len); 403 BF_cbc_encrypt(dest, dest, len, 404 &context->u.bf.key, context->u.bf.iv, 405 BF_ENCRYPT); 406 swap_bytes(dest, dest, len); 407 break; 408 409 case SSH_CIPHER_BLOWFISH_CBC: 410 BF_cbc_encrypt((void *)src, dest, len, 411 &context->u.bf.key, context->u.bf.iv, 412 BF_ENCRYPT); 413 break; 414 415 case SSH_CIPHER_3DES_CBC: 416 des_ede3_cbc_encrypt(src, dest, len, 417 context->u.des3.key1, context->u.des3.key2, 418 context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT); 419 break; 420 421 case SSH_CIPHER_ARCFOUR: 422 RC4(&context->u.rc4, len, (unsigned char *)src, dest); 423 break; 424 425 case SSH_CIPHER_CAST128_CBC: 426 CAST_cbc_encrypt(src, dest, len, 427 &context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT); 428 break; 429 430 default: 431 fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type)); 432 } 433 } 434 435 /* Decrypts data using the cipher. */ 436 437 void 438 cipher_decrypt(CipherContext *context, unsigned char *dest, 439 const unsigned char *src, unsigned int len) 440 { 441 if ((len & 7) != 0) 442 fatal("cipher_decrypt: bad ciphertext length %d", len); 443 444 switch (context->type) { 445 case SSH_CIPHER_NONE: 446 memcpy(dest, src, len); 447 break; 448 449 case SSH_CIPHER_3DES: 450 SSH_3CBC_DECRYPT(context->u.des3.key1, 451 context->u.des3.key2, &context->u.des3.iv2, 452 context->u.des3.key3, &context->u.des3.iv3, 453 dest, (unsigned char *) src, len); 454 break; 455 456 case SSH_CIPHER_BLOWFISH: 457 swap_bytes(src, dest, len); 458 BF_cbc_encrypt((void *) dest, dest, len, 459 &context->u.bf.key, context->u.bf.iv, 460 BF_DECRYPT); 461 swap_bytes(dest, dest, len); 462 break; 463 464 case SSH_CIPHER_BLOWFISH_CBC: 465 BF_cbc_encrypt((void *) src, dest, len, 466 &context->u.bf.key, context->u.bf.iv, 467 BF_DECRYPT); 468 break; 469 470 case SSH_CIPHER_3DES_CBC: 471 des_ede3_cbc_encrypt(src, dest, len, 472 context->u.des3.key1, context->u.des3.key2, 473 context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT); 474 break; 475 476 case SSH_CIPHER_ARCFOUR: 477 RC4(&context->u.rc4, len, (unsigned char *)src, dest); 478 break; 479 480 case SSH_CIPHER_CAST128_CBC: 481 CAST_cbc_encrypt(src, dest, len, 482 &context->u.cast.key, context->u.cast.iv, CAST_DECRYPT); 483 break; 484 485 default: 486 fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type)); 487 } 488 } 489