1 /* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */ 2 /* $FreeBSD$ */ 3 /* 4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 6 * All rights reserved 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 * 14 * 15 * Copyright (c) 1999 Niels Provos. All rights reserved. 16 * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. 17 * 18 * Redistribution and use in source and binary forms, with or without 19 * modification, are permitted provided that the following conditions 20 * are met: 21 * 1. Redistributions of source code must retain the above copyright 22 * notice, this list of conditions and the following disclaimer. 23 * 2. Redistributions in binary form must reproduce the above copyright 24 * notice, this list of conditions and the following disclaimer in the 25 * documentation and/or other materials provided with the distribution. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 28 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 29 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 30 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37 */ 38 39 #include "includes.h" 40 41 #include <sys/types.h> 42 43 #include <openssl/md5.h> 44 45 #include <string.h> 46 #include <stdarg.h> 47 48 #include "xmalloc.h" 49 #include "log.h" 50 #include "cipher.h" 51 52 /* compatibility with old or broken OpenSSL versions */ 53 #include "openbsd-compat/openssl-compat.h" 54 55 extern const EVP_CIPHER *evp_ssh1_bf(void); 56 extern const EVP_CIPHER *evp_ssh1_3des(void); 57 extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); 58 extern const EVP_CIPHER *evp_aes_128_ctr(void); 59 extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); 60 61 struct Cipher { 62 char *name; 63 int number; /* for ssh1 only */ 64 u_int block_size; 65 u_int key_len; 66 u_int discard_len; 67 u_int cbc_mode; 68 const EVP_CIPHER *(*evptype)(void); 69 } ciphers[] = { 70 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, 71 { "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc }, 72 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, 73 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 1, evp_ssh1_bf }, 74 75 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, 76 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc }, 77 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc }, 78 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 }, 79 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 }, 80 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 }, 81 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, 82 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, 83 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, 84 { "rijndael-cbc@lysator.liu.se", 85 SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, 86 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, 87 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, 88 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, 89 #ifdef USE_CIPHER_ACSS 90 { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss }, 91 #endif 92 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } 93 }; 94 95 /*--*/ 96 97 u_int 98 cipher_blocksize(const Cipher *c) 99 { 100 return (c->block_size); 101 } 102 103 u_int 104 cipher_keylen(const Cipher *c) 105 { 106 return (c->key_len); 107 } 108 109 u_int 110 cipher_get_number(const Cipher *c) 111 { 112 return (c->number); 113 } 114 115 u_int 116 cipher_is_cbc(const Cipher *c) 117 { 118 return (c->cbc_mode); 119 } 120 121 u_int 122 cipher_mask_ssh1(int client) 123 { 124 u_int mask = 0; 125 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 126 mask |= 1 << SSH_CIPHER_BLOWFISH; 127 if (client) { 128 mask |= 1 << SSH_CIPHER_DES; 129 } 130 return mask; 131 } 132 133 Cipher * 134 cipher_by_name(const char *name) 135 { 136 Cipher *c; 137 for (c = ciphers; c->name != NULL; c++) 138 if (strcmp(c->name, name) == 0) 139 return c; 140 return NULL; 141 } 142 143 Cipher * 144 cipher_by_number(int id) 145 { 146 Cipher *c; 147 for (c = ciphers; c->name != NULL; c++) 148 if (c->number == id) 149 return c; 150 return NULL; 151 } 152 153 #define CIPHER_SEP "," 154 int 155 ciphers_valid(const char *names) 156 { 157 Cipher *c; 158 char *cipher_list, *cp; 159 char *p; 160 161 if (names == NULL || strcmp(names, "") == 0) 162 return 0; 163 cipher_list = cp = xstrdup(names); 164 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 165 (p = strsep(&cp, CIPHER_SEP))) { 166 c = cipher_by_name(p); 167 #ifdef NONE_CIPHER_ENABLED 168 if (c == NULL || (c->number != SSH_CIPHER_SSH2 && 169 c->number != SSH_CIPHER_NONE)) { 170 #else 171 if (c == NULL || (c->number != SSH_CIPHER_SSH2)) { 172 #endif 173 debug("bad cipher %s [%s]", p, names); 174 xfree(cipher_list); 175 return 0; 176 } else { 177 debug3("cipher ok: %s [%s]", p, names); 178 } 179 } 180 debug3("ciphers ok: [%s]", names); 181 xfree(cipher_list); 182 return 1; 183 } 184 185 /* 186 * Parses the name of the cipher. Returns the number of the corresponding 187 * cipher, or -1 on error. 188 */ 189 190 int 191 cipher_number(const char *name) 192 { 193 Cipher *c; 194 if (name == NULL) 195 return -1; 196 for (c = ciphers; c->name != NULL; c++) 197 if (strcasecmp(c->name, name) == 0) 198 return c->number; 199 return -1; 200 } 201 202 char * 203 cipher_name(int id) 204 { 205 Cipher *c = cipher_by_number(id); 206 return (c==NULL) ? "<unknown>" : c->name; 207 } 208 209 void 210 cipher_init(CipherContext *cc, Cipher *cipher, 211 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 212 int do_encrypt) 213 { 214 static int dowarn = 1; 215 #ifdef SSH_OLD_EVP 216 EVP_CIPHER *type; 217 #else 218 const EVP_CIPHER *type; 219 int klen; 220 #endif 221 u_char *junk, *discard; 222 223 if (cipher->number == SSH_CIPHER_DES) { 224 if (dowarn) { 225 error("Warning: use of DES is strongly discouraged " 226 "due to cryptographic weaknesses"); 227 dowarn = 0; 228 } 229 if (keylen > 8) 230 keylen = 8; 231 } 232 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 233 234 if (keylen < cipher->key_len) 235 fatal("cipher_init: key length %d is insufficient for %s.", 236 keylen, cipher->name); 237 if (iv != NULL && ivlen < cipher->block_size) 238 fatal("cipher_init: iv length %d is insufficient for %s.", 239 ivlen, cipher->name); 240 cc->cipher = cipher; 241 242 type = (*cipher->evptype)(); 243 244 EVP_CIPHER_CTX_init(&cc->evp); 245 #ifdef SSH_OLD_EVP 246 if (type->key_len > 0 && type->key_len != keylen) { 247 debug("cipher_init: set keylen (%d -> %d)", 248 type->key_len, keylen); 249 type->key_len = keylen; 250 } 251 EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv, 252 (do_encrypt == CIPHER_ENCRYPT)); 253 #else 254 if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv, 255 (do_encrypt == CIPHER_ENCRYPT)) == 0) 256 fatal("cipher_init: EVP_CipherInit failed for %s", 257 cipher->name); 258 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 259 if (klen > 0 && keylen != (u_int)klen) { 260 debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); 261 if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) 262 fatal("cipher_init: set keylen failed (%d -> %d)", 263 klen, keylen); 264 } 265 if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) 266 fatal("cipher_init: EVP_CipherInit: set key failed for %s", 267 cipher->name); 268 #endif 269 270 if (cipher->discard_len > 0) { 271 junk = xmalloc(cipher->discard_len); 272 discard = xmalloc(cipher->discard_len); 273 if (EVP_Cipher(&cc->evp, discard, junk, 274 cipher->discard_len) == 0) 275 fatal("evp_crypt: EVP_Cipher failed during discard"); 276 memset(discard, 0, cipher->discard_len); 277 xfree(junk); 278 xfree(discard); 279 } 280 } 281 282 void 283 cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 284 { 285 if (len % cc->cipher->block_size) 286 fatal("cipher_encrypt: bad plaintext length %d", len); 287 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) 288 fatal("evp_crypt: EVP_Cipher failed"); 289 } 290 291 void 292 cipher_cleanup(CipherContext *cc) 293 { 294 if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) 295 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); 296 } 297 298 /* 299 * Selects the cipher, and keys if by computing the MD5 checksum of the 300 * passphrase and using the resulting 16 bytes as the key. 301 */ 302 303 void 304 cipher_set_key_string(CipherContext *cc, Cipher *cipher, 305 const char *passphrase, int do_encrypt) 306 { 307 MD5_CTX md; 308 u_char digest[16]; 309 310 MD5_Init(&md); 311 MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); 312 MD5_Final(digest, &md); 313 314 cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt); 315 316 memset(digest, 0, sizeof(digest)); 317 memset(&md, 0, sizeof(md)); 318 } 319 320 /* 321 * Exports an IV from the CipherContext required to export the key 322 * state back from the unprivileged child to the privileged parent 323 * process. 324 */ 325 326 int 327 cipher_get_keyiv_len(const CipherContext *cc) 328 { 329 Cipher *c = cc->cipher; 330 int ivlen; 331 332 if (c->number == SSH_CIPHER_3DES) 333 ivlen = 24; 334 else 335 ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); 336 return (ivlen); 337 } 338 339 void 340 cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) 341 { 342 Cipher *c = cc->cipher; 343 int evplen; 344 345 switch (c->number) { 346 #ifdef NONE_CIPHER_ENABLED 347 case SSH_CIPHER_NONE: 348 #endif 349 case SSH_CIPHER_SSH2: 350 case SSH_CIPHER_DES: 351 case SSH_CIPHER_BLOWFISH: 352 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 353 if (evplen <= 0) 354 return; 355 if ((u_int)evplen != len) 356 fatal("%s: wrong iv length %d != %d", __func__, 357 evplen, len); 358 #ifdef USE_BUILTIN_RIJNDAEL 359 if (c->evptype == evp_rijndael) 360 ssh_rijndael_iv(&cc->evp, 0, iv, len); 361 else 362 #endif 363 if (c->evptype == evp_aes_128_ctr) 364 ssh_aes_ctr_iv(&cc->evp, 0, iv, len); 365 else 366 memcpy(iv, cc->evp.iv, len); 367 break; 368 case SSH_CIPHER_3DES: 369 ssh1_3des_iv(&cc->evp, 0, iv, 24); 370 break; 371 default: 372 fatal("%s: bad cipher %d", __func__, c->number); 373 } 374 } 375 376 void 377 cipher_set_keyiv(CipherContext *cc, u_char *iv) 378 { 379 Cipher *c = cc->cipher; 380 int evplen = 0; 381 382 switch (c->number) { 383 #ifdef NONE_CIPHER_ENABLED 384 case SSH_CIPHER_NONE: 385 #endif 386 case SSH_CIPHER_SSH2: 387 case SSH_CIPHER_DES: 388 case SSH_CIPHER_BLOWFISH: 389 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 390 if (evplen == 0) 391 return; 392 #ifdef USE_BUILTIN_RIJNDAEL 393 if (c->evptype == evp_rijndael) 394 ssh_rijndael_iv(&cc->evp, 1, iv, evplen); 395 else 396 #endif 397 if (c->evptype == evp_aes_128_ctr) 398 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); 399 else 400 memcpy(cc->evp.iv, iv, evplen); 401 break; 402 case SSH_CIPHER_3DES: 403 ssh1_3des_iv(&cc->evp, 1, iv, 24); 404 break; 405 default: 406 fatal("%s: bad cipher %d", __func__, c->number); 407 } 408 } 409 410 #if OPENSSL_VERSION_NUMBER < 0x00907000L 411 #define EVP_X_STATE(evp) &(evp).c 412 #define EVP_X_STATE_LEN(evp) sizeof((evp).c) 413 #else 414 #define EVP_X_STATE(evp) (evp).cipher_data 415 #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size 416 #endif 417 418 int 419 cipher_get_keycontext(const CipherContext *cc, u_char *dat) 420 { 421 Cipher *c = cc->cipher; 422 int plen = 0; 423 424 if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { 425 plen = EVP_X_STATE_LEN(cc->evp); 426 if (dat == NULL) 427 return (plen); 428 memcpy(dat, EVP_X_STATE(cc->evp), plen); 429 } 430 return (plen); 431 } 432 433 void 434 cipher_set_keycontext(CipherContext *cc, u_char *dat) 435 { 436 Cipher *c = cc->cipher; 437 int plen; 438 439 if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { 440 plen = EVP_X_STATE_LEN(cc->evp); 441 memcpy(EVP_X_STATE(cc->evp), dat, plen); 442 } 443 } 444