1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be 10 * called by a name other than "ssh" or "Secure Shell". 11 * 12 * 13 * Copyright (c) 1999 Niels Provos. All rights reserved. 14 * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37 /* 38 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 39 * Use is subject to license terms. 40 */ 41 42 #include "includes.h" 43 RCSID("$OpenBSD: cipher.c,v 1.61 2002/07/12 15:50:17 markus Exp $"); 44 45 #include "xmalloc.h" 46 #include "log.h" 47 #include "cipher.h" 48 49 #include <openssl/md5.h> 50 51 /* 52 * Symmetric ciphers can be offloaded to any engine through the EVP API only. 53 * However, OpenSSL doesn't offer AES in counter mode through EVP. So, we must 54 * define our own EVP functions. 55 */ 56 extern const EVP_CIPHER *evp_aes_128_ctr(void); 57 extern const EVP_CIPHER *evp_aes_192_ctr(void); 58 extern const EVP_CIPHER *evp_aes_256_ctr(void); 59 extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); 60 61 static const EVP_CIPHER *evp_ssh1_3des(void); 62 static const EVP_CIPHER *evp_ssh1_bf(void); 63 64 struct Cipher { 65 char *name; 66 int number; /* for ssh1 only */ 67 u_int block_size; 68 u_int key_len; 69 u_int discard_len; 70 const EVP_CIPHER *(*evptype)(void); 71 } ciphers[] = { 72 { "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null }, 73 { "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc }, 74 { "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des }, 75 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf }, 76 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc }, 77 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc }, 78 #ifdef SOLARIS_SSH_ENABLE_CAST5_128 79 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc }, 80 #endif /* SOLARIS_SSH_ENABLE_CAST5_128 */ 81 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 }, 82 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 }, 83 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 }, 84 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc }, 85 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc }, 86 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc }, 87 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr }, 88 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_192_ctr }, 89 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_256_ctr }, 90 { NULL, SSH_CIPHER_ILLEGAL, 0, 0, 0, NULL } 91 }; 92 93 /*--*/ 94 95 u_int 96 cipher_blocksize(Cipher *c) 97 { 98 return (c->block_size); 99 } 100 101 u_int 102 cipher_keylen(Cipher *c) 103 { 104 return (c->key_len); 105 } 106 107 u_int 108 cipher_get_number(Cipher *c) 109 { 110 return (c->number); 111 } 112 113 u_int 114 cipher_mask_ssh1(int client) 115 { 116 u_int mask = 0; 117 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 118 mask |= 1 << SSH_CIPHER_BLOWFISH; 119 if (client) { 120 mask |= 1 << SSH_CIPHER_DES; 121 } 122 return mask; 123 } 124 125 Cipher * 126 cipher_by_name(const char *name) 127 { 128 Cipher *c; 129 for (c = ciphers; c->name != NULL; c++) 130 if (strcasecmp(c->name, name) == 0) 131 return c; 132 return NULL; 133 } 134 135 Cipher * 136 cipher_by_number(int id) 137 { 138 Cipher *c; 139 for (c = ciphers; c->name != NULL; c++) 140 if (c->number == id) 141 return c; 142 return NULL; 143 } 144 145 #define CIPHER_SEP "," 146 int 147 ciphers_valid(const char *names) 148 { 149 Cipher *c; 150 char *ciphers, *cp; 151 char *p; 152 153 if (names == NULL || strcmp(names, "") == 0) 154 return 0; 155 ciphers = cp = xstrdup(names); 156 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 157 (p = strsep(&cp, CIPHER_SEP))) { 158 c = cipher_by_name(p); 159 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 160 debug("bad cipher %s [%s]", p, names); 161 xfree(ciphers); 162 return 0; 163 } else { 164 debug3("cipher ok: %s [%s]", p, names); 165 } 166 } 167 debug3("ciphers ok: [%s]", names); 168 xfree(ciphers); 169 return 1; 170 } 171 172 /* 173 * Parses the name of the cipher. Returns the number of the corresponding 174 * cipher, or -1 on error. 175 */ 176 177 int 178 cipher_number(const char *name) 179 { 180 Cipher *c; 181 if (name == NULL) 182 return -1; 183 c = cipher_by_name(name); 184 return (c==NULL) ? -1 : c->number; 185 } 186 187 char * 188 cipher_name(int id) 189 { 190 Cipher *c = cipher_by_number(id); 191 return (c==NULL) ? "<unknown>" : c->name; 192 } 193 194 void 195 cipher_init(CipherContext *cc, Cipher *cipher, 196 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 197 int encrypt) 198 { 199 static int dowarn = 1; 200 const EVP_CIPHER *type; 201 int klen; 202 u_char *junk, *discard; 203 204 if (cipher->number == SSH_CIPHER_DES) { 205 if (dowarn) { 206 error("Warning: use of DES is strongly discouraged " 207 "due to cryptographic weaknesses"); 208 dowarn = 0; 209 } 210 if (keylen > 8) 211 keylen = 8; 212 } 213 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 214 215 if (keylen < cipher->key_len) 216 fatal("cipher_init: key length %d is insufficient for %s.", 217 keylen, cipher->name); 218 if (iv != NULL && ivlen < cipher->block_size) 219 fatal("cipher_init: iv length %d is insufficient for %s.", 220 ivlen, cipher->name); 221 cc->cipher = cipher; 222 223 type = (*cipher->evptype)(); 224 225 EVP_CIPHER_CTX_init(&cc->evp); 226 /* 227 * cc->evp is of type EVP_CIPHER_CTX and its key_len will be set to the 228 * default value here for the cipher type. If the requested key length 229 * is different from the default value we will call EVP_CipherInit() 230 * again, see below. 231 */ 232 if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv, 233 (encrypt == CIPHER_ENCRYPT)) == 0) 234 fatal("cipher_init: EVP_CipherInit failed for %s", 235 cipher->name); 236 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 237 if (klen > 0 && keylen != klen) { 238 debug("cipher_init: set keylen (%d -> %d)", klen, keylen); 239 if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) 240 fatal("cipher_init: set keylen failed (%d -> %d)", 241 klen, keylen); 242 } 243 if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) 244 fatal("cipher_init: EVP_CipherInit: set key failed for %s", 245 cipher->name); 246 247 if (cipher->discard_len > 0) { 248 junk = xmalloc(cipher->discard_len); 249 discard = xmalloc(cipher->discard_len); 250 if (EVP_Cipher(&cc->evp, discard, junk, 251 cipher->discard_len) == 0) 252 fatal("cipher_init: EVP_Cipher failed during discard"); 253 memset(discard, 0, cipher->discard_len); 254 xfree(junk); 255 xfree(discard); 256 } 257 } 258 259 void 260 cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 261 { 262 if (len % cc->cipher->block_size) 263 fatal("cipher_encrypt: bad plaintext length %d", len); 264 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) 265 fatal("evp_crypt: EVP_Cipher failed"); 266 } 267 268 void 269 cipher_cleanup(CipherContext *cc) 270 { 271 if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) 272 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); 273 } 274 275 /* 276 * Selects the cipher, and keys if by computing the MD5 checksum of the 277 * passphrase and using the resulting 16 bytes as the key. 278 */ 279 280 void 281 cipher_set_key_string(CipherContext *cc, Cipher *cipher, 282 const char *passphrase, int encrypt) 283 { 284 MD5_CTX md; 285 u_char digest[16]; 286 287 MD5_Init(&md); 288 MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); 289 MD5_Final(digest, &md); 290 291 cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt); 292 293 memset(digest, 0, sizeof(digest)); 294 memset(&md, 0, sizeof(md)); 295 } 296 297 /* Implementations for other non-EVP ciphers */ 298 299 /* 300 * This is used by SSH1: 301 * 302 * What kind of triple DES are these 2 routines? 303 * 304 * Why is there a redundant initialization vector? 305 * 306 * If only iv3 was used, then, this would till effect have been 307 * outer-cbc. However, there is also a private iv1 == iv2 which 308 * perhaps makes differential analysis easier. On the other hand, the 309 * private iv1 probably makes the CRC-32 attack ineffective. This is a 310 * result of that there is no longer any known iv1 to use when 311 * choosing the X block. 312 */ 313 struct ssh1_3des_ctx 314 { 315 EVP_CIPHER_CTX k1, k2, k3; 316 }; 317 318 static int 319 ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, 320 int enc) 321 { 322 struct ssh1_3des_ctx *c; 323 u_char *k1, *k2, *k3; 324 325 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 326 c = xmalloc(sizeof(*c)); 327 EVP_CIPHER_CTX_set_app_data(ctx, c); 328 } 329 if (key == NULL) 330 return (1); 331 if (enc == -1) 332 enc = ctx->encrypt; 333 k1 = k2 = k3 = (u_char *) key; 334 k2 += 8; 335 if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) { 336 if (enc) 337 k3 += 16; 338 else 339 k1 += 16; 340 } 341 EVP_CIPHER_CTX_init(&c->k1); 342 EVP_CIPHER_CTX_init(&c->k2); 343 EVP_CIPHER_CTX_init(&c->k3); 344 if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 || 345 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 || 346 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) { 347 memset(c, 0, sizeof(*c)); 348 xfree(c); 349 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 350 return (0); 351 } 352 return (1); 353 } 354 355 static int 356 ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len) 357 { 358 struct ssh1_3des_ctx *c; 359 360 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 361 error("ssh1_3des_cbc: no context"); 362 return (0); 363 } 364 if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 || 365 EVP_Cipher(&c->k2, dest, dest, len) == 0 || 366 EVP_Cipher(&c->k3, dest, dest, len) == 0) 367 return (0); 368 return (1); 369 } 370 371 static int 372 ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx) 373 { 374 struct ssh1_3des_ctx *c; 375 376 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 377 memset(c, 0, sizeof(*c)); 378 xfree(c); 379 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 380 } 381 return (1); 382 } 383 384 static const EVP_CIPHER * 385 evp_ssh1_3des(void) 386 { 387 static EVP_CIPHER ssh1_3des; 388 389 memset(&ssh1_3des, 0, sizeof(EVP_CIPHER)); 390 ssh1_3des.nid = NID_undef; 391 ssh1_3des.block_size = 8; 392 ssh1_3des.iv_len = 0; 393 ssh1_3des.key_len = 16; 394 ssh1_3des.init = ssh1_3des_init; 395 ssh1_3des.cleanup = ssh1_3des_cleanup; 396 ssh1_3des.do_cipher = ssh1_3des_cbc; 397 ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH; 398 return (&ssh1_3des); 399 } 400 401 /* 402 * SSH1 uses a variation on Blowfish, all bytes must be swapped before 403 * and after encryption/decryption. Thus the swap_bytes stuff (yuk). 404 */ 405 static void 406 swap_bytes(const u_char *src, u_char *dst, int n) 407 { 408 u_char c[4]; 409 410 /* Process 4 bytes every lap. */ 411 for (n = n / 4; n > 0; n--) { 412 c[3] = *src++; 413 c[2] = *src++; 414 c[1] = *src++; 415 c[0] = *src++; 416 417 *dst++ = c[0]; 418 *dst++ = c[1]; 419 *dst++ = c[2]; 420 *dst++ = c[3]; 421 } 422 } 423 424 static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL; 425 426 static int 427 bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len) 428 { 429 int ret; 430 431 swap_bytes(in, out, len); 432 ret = (*orig_bf)(ctx, out, out, len); 433 swap_bytes(out, out, len); 434 return (ret); 435 } 436 437 static const EVP_CIPHER * 438 evp_ssh1_bf(void) 439 { 440 static EVP_CIPHER ssh1_bf; 441 442 memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER)); 443 orig_bf = ssh1_bf.do_cipher; 444 ssh1_bf.nid = NID_undef; 445 ssh1_bf.do_cipher = bf_ssh1_cipher; 446 ssh1_bf.key_len = 32; 447 return (&ssh1_bf); 448 } 449 450 /* 451 * Exports an IV from the CipherContext required to export the key 452 * state back from the unprivileged child to the privileged parent 453 * process. 454 */ 455 456 int 457 cipher_get_keyiv_len(CipherContext *cc) 458 { 459 Cipher *c = cc->cipher; 460 int ivlen; 461 462 if (c->number == SSH_CIPHER_3DES) 463 ivlen = 24; 464 else 465 ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); 466 return (ivlen); 467 } 468 469 void 470 cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) 471 { 472 Cipher *c = cc->cipher; 473 u_char *civ = NULL; 474 int evplen; 475 476 switch (c->number) { 477 case SSH_CIPHER_SSH2: 478 case SSH_CIPHER_DES: 479 case SSH_CIPHER_BLOWFISH: 480 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 481 if (evplen == 0) 482 return; 483 if (evplen != len) 484 fatal("%s: wrong iv length %d != %d", __func__, 485 evplen, len); 486 487 if (c->evptype == evp_aes_128_ctr) { 488 ssh_aes_ctr_iv(&cc->evp, 0, iv, len); 489 return; 490 } else { 491 civ = cc->evp.iv; 492 } 493 break; 494 case SSH_CIPHER_3DES: { 495 struct ssh1_3des_ctx *desc; 496 if (len != 24) 497 fatal("%s: bad 3des iv length: %d", __func__, len); 498 desc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 499 if (desc == NULL) 500 fatal("%s: no 3des context", __func__); 501 debug3("%s: Copying 3DES IV", __func__); 502 memcpy(iv, desc->k1.iv, 8); 503 memcpy(iv + 8, desc->k2.iv, 8); 504 memcpy(iv + 16, desc->k3.iv, 8); 505 return; 506 } 507 default: 508 fatal("%s: bad cipher %d", __func__, c->number); 509 } 510 memcpy(iv, civ, len); 511 } 512 513 void 514 cipher_set_keyiv(CipherContext *cc, u_char *iv) 515 { 516 Cipher *c = cc->cipher; 517 u_char *div = NULL; 518 int evplen = 0; 519 520 switch (c->number) { 521 case SSH_CIPHER_SSH2: 522 case SSH_CIPHER_DES: 523 case SSH_CIPHER_BLOWFISH: 524 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 525 if (evplen == 0) 526 return; 527 528 if (c->evptype == evp_aes_128_ctr) { 529 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); 530 return; 531 } else { 532 div = cc->evp.iv; 533 } 534 break; 535 case SSH_CIPHER_3DES: { 536 struct ssh1_3des_ctx *desc; 537 desc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 538 if (desc == NULL) 539 fatal("%s: no 3des context", __func__); 540 debug3("%s: Installed 3DES IV", __func__); 541 memcpy(desc->k1.iv, iv, 8); 542 memcpy(desc->k2.iv, iv + 8, 8); 543 memcpy(desc->k3.iv, iv + 16, 8); 544 return; 545 } 546 default: 547 fatal("%s: bad cipher %d", __func__, c->number); 548 } 549 memcpy(div, iv, evplen); 550 } 551 552 #if OPENSSL_VERSION_NUMBER < 0x00907000L 553 #define EVP_X_STATE(evp) &(evp).c 554 #define EVP_X_STATE_LEN(evp) sizeof((evp).c) 555 #else 556 #define EVP_X_STATE(evp) (evp).cipher_data 557 #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size 558 #endif 559 560 int 561 cipher_get_keycontext(CipherContext *cc, u_char *dat) 562 { 563 int plen = 0; 564 Cipher *c = cc->cipher; 565 566 if (c->evptype == EVP_rc4) { 567 plen = EVP_X_STATE_LEN(cc->evp); 568 if (dat == NULL) 569 return (plen); 570 memcpy(dat, EVP_X_STATE(cc->evp), plen); 571 } 572 return (plen); 573 } 574 575 void 576 cipher_set_keycontext(CipherContext *cc, u_char *dat) 577 { 578 Cipher *c = cc->cipher; 579 int plen; 580 581 if (c->evptype == EVP_rc4) { 582 plen = EVP_X_STATE_LEN(cc->evp); 583 memcpy(EVP_X_STATE(cc->evp), dat, plen); 584 } 585 } 586