cipher.c revision 1.16 
1/*
2
3cipher.c
4
5Author: Tatu Ylonen <ylo@cs.hut.fi>
6
7Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8                   All rights reserved
9
10Created: Wed Apr 19 17:41:39 1995 ylo
11
12*/
13
14#include "includes.h"
15RCSID("$Id: cipher.c,v 1.16 1999/11/23 22:25:53 markus Exp $");
16
17#include "ssh.h"
18#include "cipher.h"
19
20#include <ssl/md5.h>
21
22/*
23 * What kind of tripple DES are these 2 routines?
24 *
25 * Why is there a redundant initialization vector?
26 *
27 * If only iv3 was used, then, this would till effect have been
28 * outer-cbc. However, there is also a private iv1 == iv2 which
29 * perhaps makes differential analysis easier. On the other hand, the
30 * private iv1 probably makes the CRC-32 attack ineffective. This is a
31 * result of that there is no longer any known iv1 to use when
32 * choosing the X block.
33 */
34void
35SSH_3CBC_ENCRYPT(des_key_schedule ks1,
36		 des_key_schedule ks2, des_cblock * iv2,
37		 des_key_schedule ks3, des_cblock * iv3,
38		 void *dest, void *src,
39		 unsigned int len)
40{
41	des_cblock iv1;
42
43	memcpy(&iv1, iv2, 8);
44
45	des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
46	memcpy(&iv1, dest + len - 8, 8);
47
48	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
49	memcpy(iv2, &iv1, 8);	/* Note how iv1 == iv2 on entry and exit. */
50
51	des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
52	memcpy(iv3, dest + len - 8, 8);
53}
54
55void
56SSH_3CBC_DECRYPT(des_key_schedule ks1,
57		 des_key_schedule ks2, des_cblock * iv2,
58		 des_key_schedule ks3, des_cblock * iv3,
59		 void *dest, void *src,
60		 unsigned int len)
61{
62	des_cblock iv1;
63
64	memcpy(&iv1, iv2, 8);
65
66	des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
67	memcpy(iv3, src + len - 8, 8);
68
69	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
70	memcpy(iv2, dest + len - 8, 8);
71
72	des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
73	/* memcpy(&iv1, iv2, 8); */
74	/* Note how iv1 == iv2 on entry and exit. */
75}
76
77/*
78 * SSH uses a variation on Blowfish, all bytes must be swapped before
79 * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
80 */
81static void
82swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
83{
84	/* dst must be properly aligned. */
85	u_int32_t *dst = (u_int32_t *) dst_;
86	union {
87		u_int32_t i;
88		char c[4];
89	} t;
90
91	/* Process 8 bytes every lap. */
92	for (n = n / 8; n > 0; n--) {
93		t.c[3] = *src++;
94		t.c[2] = *src++;
95		t.c[1] = *src++;
96		t.c[0] = *src++;
97		*dst++ = t.i;
98
99		t.c[3] = *src++;
100		t.c[2] = *src++;
101		t.c[1] = *src++;
102		t.c[0] = *src++;
103		*dst++ = t.i;
104	}
105}
106
107void (*cipher_attack_detected) (const char *fmt,...) = fatal;
108
109static inline void
110detect_cbc_attack(const unsigned char *src,
111		  unsigned int len)
112{
113	return;
114
115	log("CRC-32 CBC insertion attack detected");
116	cipher_attack_detected("CRC-32 CBC insertion attack detected");
117}
118
119/* Names of all encryption algorithms.  These must match the numbers defined
120   int cipher.h. */
121static char *cipher_names[] =
122{
123	"none",
124	"idea",
125	"des",
126	"3des",
127	"tss",
128	"rc4",
129	"blowfish"
130};
131
132/* Returns a bit mask indicating which ciphers are supported by this
133   implementation.  The bit mask has the corresponding bit set of each
134   supported cipher. */
135
136unsigned int
137cipher_mask()
138{
139	unsigned int mask = 0;
140	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
141	mask |= 1 << SSH_CIPHER_BLOWFISH;
142	return mask;
143}
144
145/* Returns the name of the cipher. */
146
147const char *
148cipher_name(int cipher)
149{
150	if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
151	    cipher_names[cipher] == NULL)
152		fatal("cipher_name: bad cipher number: %d", cipher);
153	return cipher_names[cipher];
154}
155
156/* Parses the name of the cipher.  Returns the number of the corresponding
157   cipher, or -1 on error. */
158
159int
160cipher_number(const char *name)
161{
162	int i;
163	for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
164		if (strcmp(cipher_names[i], name) == 0 &&
165		    (cipher_mask() & (1 << i)))
166			return i;
167	return -1;
168}
169
170/* Selects the cipher, and keys if by computing the MD5 checksum of the
171   passphrase and using the resulting 16 bytes as the key. */
172
173void
174cipher_set_key_string(CipherContext *context, int cipher,
175		      const char *passphrase, int for_encryption)
176{
177	MD5_CTX md;
178	unsigned char digest[16];
179
180	MD5_Init(&md);
181	MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
182	MD5_Final(digest, &md);
183
184	cipher_set_key(context, cipher, digest, 16, for_encryption);
185
186	memset(digest, 0, sizeof(digest));
187	memset(&md, 0, sizeof(md));
188}
189
190/* Selects the cipher to use and sets the key. */
191
192void
193cipher_set_key(CipherContext *context, int cipher,
194	       const unsigned char *key, int keylen, int for_encryption)
195{
196	unsigned char padded[32];
197
198	/* Set cipher type. */
199	context->type = cipher;
200
201	/* Get 32 bytes of key data.  Pad if necessary.  (So that code
202	   below does not need to worry about key size). */
203	memset(padded, 0, sizeof(padded));
204	memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));
205
206	/* Initialize the initialization vector. */
207	switch (cipher) {
208	case SSH_CIPHER_NONE:
209		/* Has to stay for authfile saving of private key with
210		   no passphrase */
211		break;
212
213	case SSH_CIPHER_3DES:
214		/* Note: the least significant bit of each byte of key is
215		   parity, and must be ignored by the implementation.  16
216		   bytes of key are used (first and last keys are the
217		   same). */
218		if (keylen < 16)
219			error("Key length %d is insufficient for 3DES.", keylen);
220		des_set_key((void *) padded, context->u.des3.key1);
221		des_set_key((void *) (padded + 8), context->u.des3.key2);
222		if (keylen <= 16)
223			des_set_key((void *) padded, context->u.des3.key3);
224		else
225			des_set_key((void *) (padded + 16), context->u.des3.key3);
226		memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
227		memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
228		break;
229
230	case SSH_CIPHER_BLOWFISH:
231		BF_set_key(&context->u.bf.key, keylen, padded);
232		memset(context->u.bf.iv, 0, 8);
233		break;
234
235	default:
236		fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
237	}
238	memset(padded, 0, sizeof(padded));
239}
240
241/* Encrypts data using the cipher. */
242
243void
244cipher_encrypt(CipherContext *context, unsigned char *dest,
245	       const unsigned char *src, unsigned int len)
246{
247	if ((len & 7) != 0)
248		fatal("cipher_encrypt: bad plaintext length %d", len);
249
250	switch (context->type) {
251	case SSH_CIPHER_NONE:
252		memcpy(dest, src, len);
253		break;
254
255	case SSH_CIPHER_3DES:
256		SSH_3CBC_ENCRYPT(context->u.des3.key1,
257				 context->u.des3.key2, &context->u.des3.iv2,
258				 context->u.des3.key3, &context->u.des3.iv3,
259				 dest, (void *) src, len);
260		break;
261
262	case SSH_CIPHER_BLOWFISH:
263		swap_bytes(src, dest, len);
264		BF_cbc_encrypt(dest, dest, len,
265		               &context->u.bf.key, context->u.bf.iv,
266			       BF_ENCRYPT);
267		swap_bytes(dest, dest, len);
268		break;
269
270	default:
271		fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
272	}
273}
274
275/* Decrypts data using the cipher. */
276
277void
278cipher_decrypt(CipherContext *context, unsigned char *dest,
279	       const unsigned char *src, unsigned int len)
280{
281	if ((len & 7) != 0)
282		fatal("cipher_decrypt: bad ciphertext length %d", len);
283
284	switch (context->type) {
285	case SSH_CIPHER_NONE:
286		memcpy(dest, src, len);
287		break;
288
289	case SSH_CIPHER_3DES:
290		/* CRC-32 attack? */
291		SSH_3CBC_DECRYPT(context->u.des3.key1,
292				 context->u.des3.key2, &context->u.des3.iv2,
293				 context->u.des3.key3, &context->u.des3.iv3,
294				 dest, (void *) src, len);
295		break;
296
297	case SSH_CIPHER_BLOWFISH:
298		detect_cbc_attack(src, len);
299		swap_bytes(src, dest, len);
300		BF_cbc_encrypt((void *) dest, dest, len,
301			       &context->u.bf.key, context->u.bf.iv,
302			       BF_DECRYPT);
303		swap_bytes(dest, dest, len);
304		break;
305
306	default:
307		fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));
308	}
309}
310