cipher.c revision 60576
1/* 2 * 3 * cipher.c 4 * 5 * Author: Tatu Ylonen <ylo@cs.hut.fi> 6 * 7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8 * All rights reserved 9 * 10 * Created: Wed Apr 19 17:41:39 1995 ylo 11 * 12 * $FreeBSD: head/crypto/openssh/cipher.c 60576 2000-05-15 05:24:25Z kris $ 13 */ 14 15#include "includes.h" 16RCSID("$Id: cipher.c,v 1.26 2000/04/14 10:30:30 markus Exp $"); 17 18#include "ssh.h" 19#include "cipher.h" 20#include "xmalloc.h" 21 22#include <openssl/md5.h> 23 24/* 25 * This is used by SSH1: 26 * 27 * What kind of triple DES are these 2 routines? 28 * 29 * Why is there a redundant initialization vector? 30 * 31 * If only iv3 was used, then, this would till effect have been 32 * outer-cbc. However, there is also a private iv1 == iv2 which 33 * perhaps makes differential analysis easier. On the other hand, the 34 * private iv1 probably makes the CRC-32 attack ineffective. This is a 35 * result of that there is no longer any known iv1 to use when 36 * choosing the X block. 37 */ 38void 39SSH_3CBC_ENCRYPT(des_key_schedule ks1, 40 des_key_schedule ks2, des_cblock * iv2, 41 des_key_schedule ks3, des_cblock * iv3, 42 unsigned char *dest, unsigned char *src, 43 unsigned int len) 44{ 45 des_cblock iv1; 46 47 memcpy(&iv1, iv2, 8); 48 49 des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT); 50 memcpy(&iv1, dest + len - 8, 8); 51 52 des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT); 53 memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */ 54 55 des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT); 56 memcpy(iv3, dest + len - 8, 8); 57} 58 59void 60SSH_3CBC_DECRYPT(des_key_schedule ks1, 61 des_key_schedule ks2, des_cblock * iv2, 62 des_key_schedule ks3, des_cblock * iv3, 63 unsigned char *dest, unsigned char *src, 64 unsigned int len) 65{ 66 des_cblock iv1; 67 68 memcpy(&iv1, iv2, 8); 69 70 des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT); 71 memcpy(iv3, src + len - 8, 8); 72 73 des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT); 74 memcpy(iv2, dest + len - 8, 8); 75 76 des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT); 77 /* memcpy(&iv1, iv2, 8); */ 78 /* Note how iv1 == iv2 on entry and exit. */ 79} 80 81/* 82 * SSH1 uses a variation on Blowfish, all bytes must be swapped before 83 * and after encryption/decryption. Thus the swap_bytes stuff (yuk). 84 */ 85static void 86swap_bytes(const unsigned char *src, unsigned char *dst_, int n) 87{ 88 /* dst must be properly aligned. */ 89 u_int32_t *dst = (u_int32_t *) dst_; 90 union { 91 u_int32_t i; 92 char c[4]; 93 } t; 94 95 /* Process 8 bytes every lap. */ 96 for (n = n / 8; n > 0; n--) { 97 t.c[3] = *src++; 98 t.c[2] = *src++; 99 t.c[1] = *src++; 100 t.c[0] = *src++; 101 *dst++ = t.i; 102 103 t.c[3] = *src++; 104 t.c[2] = *src++; 105 t.c[1] = *src++; 106 t.c[0] = *src++; 107 *dst++ = t.i; 108 } 109} 110 111/* 112 * Names of all encryption algorithms. 113 * These must match the numbers defined in cipher.h. 114 */ 115static char *cipher_names[] = 116{ 117 "none", 118 "idea", 119 "des", 120 "3des", 121 "tss", 122 "rc4", 123 "blowfish", 124 "reserved", 125 "blowfish-cbc", 126 "3des-cbc", 127 "arcfour", 128 "cast128-cbc" 129}; 130 131/* 132 * Returns a bit mask indicating which ciphers are supported by this 133 * implementation. The bit mask has the corresponding bit set of each 134 * supported cipher. 135 */ 136 137unsigned int 138cipher_mask1() 139{ 140 unsigned int mask = 0; 141 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 142 mask |= 1 << SSH_CIPHER_BLOWFISH; 143 return mask; 144} 145unsigned int 146cipher_mask2() 147{ 148 unsigned int mask = 0; 149 mask |= 1 << SSH_CIPHER_BLOWFISH_CBC; 150 mask |= 1 << SSH_CIPHER_3DES_CBC; 151 mask |= 1 << SSH_CIPHER_ARCFOUR; 152 mask |= 1 << SSH_CIPHER_CAST128_CBC; 153 return mask; 154} 155unsigned int 156cipher_mask() 157{ 158 return cipher_mask1() | cipher_mask2(); 159} 160 161/* Returns the name of the cipher. */ 162 163const char * 164cipher_name(int cipher) 165{ 166 if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) || 167 cipher_names[cipher] == NULL) 168 fatal("cipher_name: bad cipher name: %d", cipher); 169 return cipher_names[cipher]; 170} 171 172/* Returns 1 if the name of the ciphers are valid. */ 173 174#define CIPHER_SEP "," 175int 176ciphers_valid(const char *names) 177{ 178 char *ciphers; 179 char *p; 180 int i; 181 182 if (strcmp(names, "") == 0) 183 return 0; 184 ciphers = xstrdup(names); 185 for ((p = strtok(ciphers, CIPHER_SEP)); p; (p = strtok(NULL, CIPHER_SEP))) { 186 i = cipher_number(p); 187 if (i == -1 || !(cipher_mask2() & (1 << i))) { 188 xfree(ciphers); 189 return 0; 190 } 191 } 192 xfree(ciphers); 193 return 1; 194} 195 196/* 197 * Parses the name of the cipher. Returns the number of the corresponding 198 * cipher, or -1 on error. 199 */ 200 201int 202cipher_number(const char *name) 203{ 204 int i; 205 for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++) 206 if (strcmp(cipher_names[i], name) == 0 && 207 (cipher_mask() & (1 << i))) 208 return i; 209 return -1; 210} 211 212/* 213 * Selects the cipher, and keys if by computing the MD5 checksum of the 214 * passphrase and using the resulting 16 bytes as the key. 215 */ 216 217void 218cipher_set_key_string(CipherContext *context, int cipher, const char *passphrase) 219{ 220 MD5_CTX md; 221 unsigned char digest[16]; 222 223 MD5_Init(&md); 224 MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase)); 225 MD5_Final(digest, &md); 226 227 cipher_set_key(context, cipher, digest, 16); 228 229 memset(digest, 0, sizeof(digest)); 230 memset(&md, 0, sizeof(md)); 231} 232 233/* Selects the cipher to use and sets the key. */ 234 235void 236cipher_set_key(CipherContext *context, int cipher, const unsigned char *key, 237 int keylen) 238{ 239 unsigned char padded[32]; 240 241 /* Set cipher type. */ 242 context->type = cipher; 243 244 /* Get 32 bytes of key data. Pad if necessary. (So that code 245 below does not need to worry about key size). */ 246 memset(padded, 0, sizeof(padded)); 247 memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded)); 248 249 /* Initialize the initialization vector. */ 250 switch (cipher) { 251 case SSH_CIPHER_NONE: 252 /* 253 * Has to stay for authfile saving of private key with no 254 * passphrase 255 */ 256 break; 257 258 case SSH_CIPHER_3DES: 259 /* 260 * Note: the least significant bit of each byte of key is 261 * parity, and must be ignored by the implementation. 16 262 * bytes of key are used (first and last keys are the same). 263 */ 264 if (keylen < 16) 265 error("Key length %d is insufficient for 3DES.", keylen); 266 des_set_key((void *) padded, context->u.des3.key1); 267 des_set_key((void *) (padded + 8), context->u.des3.key2); 268 if (keylen <= 16) 269 des_set_key((void *) padded, context->u.des3.key3); 270 else 271 des_set_key((void *) (padded + 16), context->u.des3.key3); 272 memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2)); 273 memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3)); 274 break; 275 276 case SSH_CIPHER_BLOWFISH: 277 if (keylen < 16) 278 error("Key length %d is insufficient for blowfish.", keylen); 279 BF_set_key(&context->u.bf.key, keylen, padded); 280 memset(context->u.bf.iv, 0, 8); 281 break; 282 283 case SSH_CIPHER_3DES_CBC: 284 case SSH_CIPHER_BLOWFISH_CBC: 285 case SSH_CIPHER_ARCFOUR: 286 case SSH_CIPHER_CAST128_CBC: 287 fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher)); 288 break; 289 290 default: 291 fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher)); 292 } 293 memset(padded, 0, sizeof(padded)); 294} 295 296void 297cipher_set_key_iv(CipherContext * context, int cipher, 298 const unsigned char *key, int keylen, 299 const unsigned char *iv, int ivlen) 300{ 301 /* Set cipher type. */ 302 context->type = cipher; 303 304 /* Initialize the initialization vector. */ 305 switch (cipher) { 306 case SSH_CIPHER_NONE: 307 break; 308 309 case SSH_CIPHER_3DES: 310 case SSH_CIPHER_BLOWFISH: 311 fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher)); 312 break; 313 314 case SSH_CIPHER_3DES_CBC: 315 if (keylen < 24) 316 error("Key length %d is insufficient for 3des-cbc.", keylen); 317 des_set_key((void *) key, context->u.des3.key1); 318 des_set_key((void *) (key+8), context->u.des3.key2); 319 des_set_key((void *) (key+16), context->u.des3.key3); 320 if (ivlen < 8) 321 error("IV length %d is insufficient for 3des-cbc.", ivlen); 322 memcpy(context->u.des3.iv3, (char *)iv, 8); 323 break; 324 325 case SSH_CIPHER_BLOWFISH_CBC: 326 if (keylen < 16) 327 error("Key length %d is insufficient for blowfish.", keylen); 328 if (ivlen < 8) 329 error("IV length %d is insufficient for blowfish.", ivlen); 330 BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key); 331 memcpy(context->u.bf.iv, (char *)iv, 8); 332 break; 333 334 case SSH_CIPHER_ARCFOUR: 335 if (keylen < 16) 336 error("Key length %d is insufficient for arcfour.", keylen); 337 RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key); 338 break; 339 340 case SSH_CIPHER_CAST128_CBC: 341 if (keylen < 16) 342 error("Key length %d is insufficient for cast128.", keylen); 343 if (ivlen < 8) 344 error("IV length %d is insufficient for cast128.", ivlen); 345 CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key); 346 memcpy(context->u.cast.iv, (char *)iv, 8); 347 break; 348 349 default: 350 fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher)); 351 } 352} 353 354/* Encrypts data using the cipher. */ 355 356void 357cipher_encrypt(CipherContext *context, unsigned char *dest, 358 const unsigned char *src, unsigned int len) 359{ 360 if ((len & 7) != 0) 361 fatal("cipher_encrypt: bad plaintext length %d", len); 362 363 switch (context->type) { 364 case SSH_CIPHER_NONE: 365 memcpy(dest, src, len); 366 break; 367 368 case SSH_CIPHER_3DES: 369 SSH_3CBC_ENCRYPT(context->u.des3.key1, 370 context->u.des3.key2, &context->u.des3.iv2, 371 context->u.des3.key3, &context->u.des3.iv3, 372 dest, (unsigned char *) src, len); 373 break; 374 375 case SSH_CIPHER_BLOWFISH: 376 swap_bytes(src, dest, len); 377 BF_cbc_encrypt(dest, dest, len, 378 &context->u.bf.key, context->u.bf.iv, 379 BF_ENCRYPT); 380 swap_bytes(dest, dest, len); 381 break; 382 383 case SSH_CIPHER_BLOWFISH_CBC: 384 BF_cbc_encrypt((void *)src, dest, len, 385 &context->u.bf.key, context->u.bf.iv, 386 BF_ENCRYPT); 387 break; 388 389 case SSH_CIPHER_3DES_CBC: 390 des_ede3_cbc_encrypt(src, dest, len, 391 context->u.des3.key1, context->u.des3.key2, 392 context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT); 393 break; 394 395 case SSH_CIPHER_ARCFOUR: 396 RC4(&context->u.rc4, len, (unsigned char *)src, dest); 397 break; 398 399 case SSH_CIPHER_CAST128_CBC: 400 CAST_cbc_encrypt(src, dest, len, 401 &context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT); 402 break; 403 404 default: 405 fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type)); 406 } 407} 408 409/* Decrypts data using the cipher. */ 410 411void 412cipher_decrypt(CipherContext *context, unsigned char *dest, 413 const unsigned char *src, unsigned int len) 414{ 415 if ((len & 7) != 0) 416 fatal("cipher_decrypt: bad ciphertext length %d", len); 417 418 switch (context->type) { 419 case SSH_CIPHER_NONE: 420 memcpy(dest, src, len); 421 break; 422 423 case SSH_CIPHER_3DES: 424 SSH_3CBC_DECRYPT(context->u.des3.key1, 425 context->u.des3.key2, &context->u.des3.iv2, 426 context->u.des3.key3, &context->u.des3.iv3, 427 dest, (unsigned char *) src, len); 428 break; 429 430 case SSH_CIPHER_BLOWFISH: 431 swap_bytes(src, dest, len); 432 BF_cbc_encrypt((void *) dest, dest, len, 433 &context->u.bf.key, context->u.bf.iv, 434 BF_DECRYPT); 435 swap_bytes(dest, dest, len); 436 break; 437 438 case SSH_CIPHER_BLOWFISH_CBC: 439 BF_cbc_encrypt((void *) src, dest, len, 440 &context->u.bf.key, context->u.bf.iv, 441 BF_DECRYPT); 442 break; 443 444 case SSH_CIPHER_3DES_CBC: 445 des_ede3_cbc_encrypt(src, dest, len, 446 context->u.des3.key1, context->u.des3.key2, 447 context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT); 448 break; 449 450 case SSH_CIPHER_ARCFOUR: 451 RC4(&context->u.rc4, len, (unsigned char *)src, dest); 452 break; 453 454 case SSH_CIPHER_CAST128_CBC: 455 CAST_cbc_encrypt(src, dest, len, 456 &context->u.cast.key, context->u.cast.iv, CAST_DECRYPT); 457 break; 458 459 default: 460 fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type)); 461 } 462} 463