1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be 10 * called by a name other than "ssh" or "Secure Shell". 11 * 12 * 13 * Copyright (c) 1999 Niels Provos. All rights reserved. 14 * Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37 #include "includes.h" 38 RCSID("$OpenBSD: cipher.c,v 1.43 2001/02/04 15:32:23 stevesk Exp $"); 39 RCSID("$FreeBSD$"); 40 41 #include "xmalloc.h" 42 #include "log.h" 43 #include "cipher.h" 44 45 #include <openssl/md5.h> 46 47 48 /* no encryption */ 49 void 50 none_setkey(CipherContext *cc, const u_char *key, u_int keylen) 51 { 52 } 53 void 54 none_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 55 { 56 } 57 void 58 none_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 59 { 60 memcpy(dest, src, len); 61 } 62 63 /* DES */ 64 void 65 des_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen) 66 { 67 static int dowarn = 1; 68 if (dowarn) { 69 error("Warning: use of DES is strongly discouraged " 70 "due to cryptographic weaknesses"); 71 dowarn = 0; 72 } 73 des_set_key((void *)key, cc->u.des.key); 74 } 75 void 76 des_ssh1_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 77 { 78 memset(cc->u.des.iv, 0, sizeof(cc->u.des.iv)); 79 } 80 void 81 des_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 82 { 83 des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv, 84 DES_ENCRYPT); 85 } 86 void 87 des_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 88 { 89 des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv, 90 DES_DECRYPT); 91 } 92 93 /* 3DES */ 94 void 95 des3_setkey(CipherContext *cc, const u_char *key, u_int keylen) 96 { 97 des_set_key((void *) key, cc->u.des3.key1); 98 des_set_key((void *) (key+8), cc->u.des3.key2); 99 des_set_key((void *) (key+16), cc->u.des3.key3); 100 } 101 void 102 des3_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 103 { 104 memset(cc->u.des3.iv2, 0, sizeof(cc->u.des3.iv2)); 105 memset(cc->u.des3.iv3, 0, sizeof(cc->u.des3.iv3)); 106 if (iv == NULL) 107 return; 108 memcpy(cc->u.des3.iv3, (char *)iv, 8); 109 } 110 void 111 des3_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 112 { 113 des_ede3_cbc_encrypt(src, dest, len, 114 cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3, 115 &cc->u.des3.iv3, DES_ENCRYPT); 116 } 117 void 118 des3_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 119 { 120 des_ede3_cbc_encrypt(src, dest, len, 121 cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3, 122 &cc->u.des3.iv3, DES_DECRYPT); 123 } 124 125 /* 126 * This is used by SSH1: 127 * 128 * What kind of triple DES are these 2 routines? 129 * 130 * Why is there a redundant initialization vector? 131 * 132 * If only iv3 was used, then, this would till effect have been 133 * outer-cbc. However, there is also a private iv1 == iv2 which 134 * perhaps makes differential analysis easier. On the other hand, the 135 * private iv1 probably makes the CRC-32 attack ineffective. This is a 136 * result of that there is no longer any known iv1 to use when 137 * choosing the X block. 138 */ 139 void 140 des3_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen) 141 { 142 des_set_key((void *) key, cc->u.des3.key1); 143 des_set_key((void *) (key+8), cc->u.des3.key2); 144 if (keylen <= 16) 145 des_set_key((void *) key, cc->u.des3.key3); 146 else 147 des_set_key((void *) (key+16), cc->u.des3.key3); 148 } 149 void 150 des3_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, 151 u_int len) 152 { 153 des_cblock iv1; 154 des_cblock *iv2 = &cc->u.des3.iv2; 155 des_cblock *iv3 = &cc->u.des3.iv3; 156 157 memcpy(&iv1, iv2, 8); 158 159 des_ncbc_encrypt(src, dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT); 160 des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT); 161 des_ncbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT); 162 } 163 void 164 des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, 165 u_int len) 166 { 167 des_cblock iv1; 168 des_cblock *iv2 = &cc->u.des3.iv2; 169 des_cblock *iv3 = &cc->u.des3.iv3; 170 171 memcpy(&iv1, iv2, 8); 172 173 des_ncbc_encrypt(src, dest, len, cc->u.des3.key3, iv3, DES_DECRYPT); 174 des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT); 175 des_ncbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT); 176 } 177 178 /* Blowfish */ 179 void 180 blowfish_setkey(CipherContext *cc, const u_char *key, u_int keylen) 181 { 182 BF_set_key(&cc->u.bf.key, keylen, (u_char *)key); 183 } 184 void 185 blowfish_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 186 { 187 if (iv == NULL) 188 memset(cc->u.bf.iv, 0, 8); 189 else 190 memcpy(cc->u.bf.iv, (char *)iv, 8); 191 } 192 void 193 blowfish_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, 194 u_int len) 195 { 196 BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv, 197 BF_ENCRYPT); 198 } 199 void 200 blowfish_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, 201 u_int len) 202 { 203 BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv, 204 BF_DECRYPT); 205 } 206 207 /* 208 * SSH1 uses a variation on Blowfish, all bytes must be swapped before 209 * and after encryption/decryption. Thus the swap_bytes stuff (yuk). 210 */ 211 static void 212 swap_bytes(const u_char *src, u_char *dst, int n) 213 { 214 char c[4]; 215 216 /* Process 4 bytes every lap. */ 217 for (n = n / 4; n > 0; n--) { 218 c[3] = *src++; 219 c[2] = *src++; 220 c[1] = *src++; 221 c[0] = *src++; 222 223 *dst++ = c[0]; 224 *dst++ = c[1]; 225 *dst++ = c[2]; 226 *dst++ = c[3]; 227 } 228 } 229 230 void 231 blowfish_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, 232 u_int len) 233 { 234 swap_bytes(src, dest, len); 235 BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv, 236 BF_ENCRYPT); 237 swap_bytes(dest, dest, len); 238 } 239 void 240 blowfish_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, 241 u_int len) 242 { 243 swap_bytes(src, dest, len); 244 BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv, 245 BF_DECRYPT); 246 swap_bytes(dest, dest, len); 247 } 248 249 /* alleged rc4 */ 250 void 251 arcfour_setkey(CipherContext *cc, const u_char *key, u_int keylen) 252 { 253 RC4_set_key(&cc->u.rc4, keylen, (u_char *)key); 254 } 255 void 256 arcfour_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 257 { 258 RC4(&cc->u.rc4, len, (u_char *)src, dest); 259 } 260 261 /* CAST */ 262 void 263 cast_setkey(CipherContext *cc, const u_char *key, u_int keylen) 264 { 265 CAST_set_key(&cc->u.cast.key, keylen, (u_char *) key); 266 } 267 void 268 cast_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 269 { 270 if (iv == NULL) 271 fatal("no IV for %s.", cc->cipher->name); 272 memcpy(cc->u.cast.iv, (char *)iv, 8); 273 } 274 void 275 cast_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 276 { 277 CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv, 278 CAST_ENCRYPT); 279 } 280 void 281 cast_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 282 { 283 CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv, 284 CAST_DECRYPT); 285 } 286 287 /* RIJNDAEL */ 288 289 #define RIJNDAEL_BLOCKSIZE 16 290 void 291 rijndael_setkey(CipherContext *cc, const u_char *key, u_int keylen) 292 { 293 rijndael_set_key(&cc->u.rijndael.enc, (u4byte *)key, 8*keylen, 1); 294 rijndael_set_key(&cc->u.rijndael.dec, (u4byte *)key, 8*keylen, 0); 295 } 296 void 297 rijndael_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) 298 { 299 if (iv == NULL) 300 fatal("no IV for %s.", cc->cipher->name); 301 memcpy((u_char *)cc->u.rijndael.iv, iv, RIJNDAEL_BLOCKSIZE); 302 } 303 void 304 rijndael_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, 305 u_int len) 306 { 307 rijndael_ctx *ctx = &cc->u.rijndael.enc; 308 u4byte *iv = cc->u.rijndael.iv; 309 u4byte in[4]; 310 u4byte *cprev, *cnow, *plain; 311 int i, blocks = len / RIJNDAEL_BLOCKSIZE; 312 if (len == 0) 313 return; 314 if (len % RIJNDAEL_BLOCKSIZE) 315 fatal("rijndael_cbc_encrypt: bad len %d", len); 316 cnow = (u4byte*) dest; 317 plain = (u4byte*) src; 318 cprev = iv; 319 for(i = 0; i < blocks; i++, plain+=4, cnow+=4) { 320 in[0] = plain[0] ^ cprev[0]; 321 in[1] = plain[1] ^ cprev[1]; 322 in[2] = plain[2] ^ cprev[2]; 323 in[3] = plain[3] ^ cprev[3]; 324 rijndael_encrypt(ctx, in, cnow); 325 cprev = cnow; 326 } 327 memcpy(iv, cprev, RIJNDAEL_BLOCKSIZE); 328 } 329 330 void 331 rijndael_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, 332 u_int len) 333 { 334 rijndael_ctx *ctx = &cc->u.rijndael.dec; 335 u4byte *iv = cc->u.rijndael.iv; 336 u4byte ivsaved[4]; 337 u4byte *cnow = (u4byte*) (src+len-RIJNDAEL_BLOCKSIZE); 338 u4byte *plain = (u4byte*) (dest+len-RIJNDAEL_BLOCKSIZE); 339 u4byte *ivp; 340 int i, blocks = len / RIJNDAEL_BLOCKSIZE; 341 if (len == 0) 342 return; 343 if (len % RIJNDAEL_BLOCKSIZE) 344 fatal("rijndael_cbc_decrypt: bad len %d", len); 345 memcpy(ivsaved, cnow, RIJNDAEL_BLOCKSIZE); 346 for(i = blocks; i > 0; i--, cnow-=4, plain-=4) { 347 rijndael_decrypt(ctx, cnow, plain); 348 ivp = (i == 1) ? iv : cnow-4; 349 plain[0] ^= ivp[0]; 350 plain[1] ^= ivp[1]; 351 plain[2] ^= ivp[2]; 352 plain[3] ^= ivp[3]; 353 } 354 memcpy(iv, ivsaved, RIJNDAEL_BLOCKSIZE); 355 } 356 357 Cipher ciphers[] = { 358 { "none", 359 SSH_CIPHER_NONE, 8, 0, 360 none_setkey, none_setiv, 361 none_crypt, none_crypt }, 362 { "des", 363 SSH_CIPHER_DES, 8, 8, 364 des_ssh1_setkey, des_ssh1_setiv, 365 des_ssh1_encrypt, des_ssh1_decrypt }, 366 { "3des", 367 SSH_CIPHER_3DES, 8, 16, 368 des3_ssh1_setkey, des3_setiv, 369 des3_ssh1_encrypt, des3_ssh1_decrypt }, 370 { "blowfish", 371 SSH_CIPHER_BLOWFISH, 8, 16, 372 blowfish_setkey, blowfish_setiv, 373 blowfish_ssh1_encrypt, blowfish_ssh1_decrypt }, 374 375 { "3des-cbc", 376 SSH_CIPHER_SSH2, 8, 24, 377 des3_setkey, des3_setiv, 378 des3_cbc_encrypt, des3_cbc_decrypt }, 379 { "blowfish-cbc", 380 SSH_CIPHER_SSH2, 8, 16, 381 blowfish_setkey, blowfish_setiv, 382 blowfish_cbc_encrypt, blowfish_cbc_decrypt }, 383 { "cast128-cbc", 384 SSH_CIPHER_SSH2, 8, 16, 385 cast_setkey, cast_setiv, 386 cast_cbc_encrypt, cast_cbc_decrypt }, 387 { "arcfour", 388 SSH_CIPHER_SSH2, 8, 16, 389 arcfour_setkey, none_setiv, 390 arcfour_crypt, arcfour_crypt }, 391 { "aes128-cbc", 392 SSH_CIPHER_SSH2, 16, 16, 393 rijndael_setkey, rijndael_setiv, 394 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 395 { "aes192-cbc", 396 SSH_CIPHER_SSH2, 16, 24, 397 rijndael_setkey, rijndael_setiv, 398 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 399 { "aes256-cbc", 400 SSH_CIPHER_SSH2, 16, 32, 401 rijndael_setkey, rijndael_setiv, 402 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 403 { "rijndael128-cbc", 404 SSH_CIPHER_SSH2, 16, 16, 405 rijndael_setkey, rijndael_setiv, 406 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 407 { "rijndael192-cbc", 408 SSH_CIPHER_SSH2, 16, 24, 409 rijndael_setkey, rijndael_setiv, 410 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 411 { "rijndael256-cbc", 412 SSH_CIPHER_SSH2, 16, 32, 413 rijndael_setkey, rijndael_setiv, 414 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 415 { "rijndael-cbc@lysator.liu.se", 416 SSH_CIPHER_SSH2, 16, 32, 417 rijndael_setkey, rijndael_setiv, 418 rijndael_cbc_encrypt, rijndael_cbc_decrypt }, 419 { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL } 420 }; 421 422 /*--*/ 423 424 u_int 425 cipher_mask_ssh1(int client) 426 { 427 u_int mask = 0; 428 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 429 mask |= 1 << SSH_CIPHER_BLOWFISH; 430 if (client) { 431 mask |= 1 << SSH_CIPHER_DES; 432 } 433 return mask; 434 } 435 436 Cipher * 437 cipher_by_name(const char *name) 438 { 439 Cipher *c; 440 for (c = ciphers; c->name != NULL; c++) 441 if (strcasecmp(c->name, name) == 0) 442 return c; 443 return NULL; 444 } 445 446 Cipher * 447 cipher_by_number(int id) 448 { 449 Cipher *c; 450 for (c = ciphers; c->name != NULL; c++) 451 if (c->number == id) 452 return c; 453 return NULL; 454 } 455 456 #define CIPHER_SEP "," 457 int 458 ciphers_valid(const char *names) 459 { 460 Cipher *c; 461 char *ciphers, *cp; 462 char *p; 463 464 if (names == NULL || strcmp(names, "") == 0) 465 return 0; 466 ciphers = cp = xstrdup(names); 467 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 468 (p = strsep(&cp, CIPHER_SEP))) { 469 c = cipher_by_name(p); 470 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 471 debug("bad cipher %s [%s]", p, names); 472 xfree(ciphers); 473 return 0; 474 } else { 475 debug3("cipher ok: %s [%s]", p, names); 476 } 477 } 478 debug3("ciphers ok: [%s]", names); 479 xfree(ciphers); 480 return 1; 481 } 482 483 /* 484 * Parses the name of the cipher. Returns the number of the corresponding 485 * cipher, or -1 on error. 486 */ 487 488 int 489 cipher_number(const char *name) 490 { 491 Cipher *c; 492 if (name == NULL) 493 return -1; 494 c = cipher_by_name(name); 495 return (c==NULL) ? -1 : c->number; 496 } 497 498 char * 499 cipher_name(int id) 500 { 501 Cipher *c = cipher_by_number(id); 502 return (c==NULL) ? "<unknown>" : c->name; 503 } 504 505 void 506 cipher_init(CipherContext *cc, Cipher *cipher, 507 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen) 508 { 509 if (keylen < cipher->key_len) 510 fatal("cipher_init: key length %d is insufficient for %s.", 511 keylen, cipher->name); 512 if (iv != NULL && ivlen < cipher->block_size) 513 fatal("cipher_init: iv length %d is insufficient for %s.", 514 ivlen, cipher->name); 515 cc->cipher = cipher; 516 cipher->setkey(cc, key, keylen); 517 cipher->setiv(cc, iv, ivlen); 518 } 519 520 void 521 cipher_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 522 { 523 if (len % cc->cipher->block_size) 524 fatal("cipher_encrypt: bad plaintext length %d", len); 525 cc->cipher->encrypt(cc, dest, src, len); 526 } 527 528 void 529 cipher_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 530 { 531 if (len % cc->cipher->block_size) 532 fatal("cipher_decrypt: bad ciphertext length %d", len); 533 cc->cipher->decrypt(cc, dest, src, len); 534 } 535 536 /* 537 * Selects the cipher, and keys if by computing the MD5 checksum of the 538 * passphrase and using the resulting 16 bytes as the key. 539 */ 540 541 void 542 cipher_set_key_string(CipherContext *cc, Cipher *cipher, 543 const char *passphrase) 544 { 545 MD5_CTX md; 546 u_char digest[16]; 547 548 MD5_Init(&md); 549 MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); 550 MD5_Final(digest, &md); 551 552 cipher_init(cc, cipher, digest, 16, NULL, 0); 553 554 memset(digest, 0, sizeof(digest)); 555 memset(&md, 0, sizeof(md)); 556 } 557