cipher.c revision 1.1.1.1
1 /* $NetBSD: cipher.c,v 1.1.1.1 2009/06/07 22:19:06 christos Exp $ */ 2 /* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */ 3 /* 4 * Author: Tatu Ylonen <ylo (at) cs.hut.fi> 5 * Copyright (c) 1995 Tatu Ylonen <ylo (at) cs.hut.fi>, Espoo, Finland 6 * All rights reserved 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 * 14 * 15 * Copyright (c) 1999 Niels Provos. All rights reserved. 16 * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. 17 * 18 * Redistribution and use in source and binary forms, with or without 19 * modification, are permitted provided that the following conditions 20 * are met: 21 * 1. Redistributions of source code must retain the above copyright 22 * notice, this list of conditions and the following disclaimer. 23 * 2. Redistributions in binary form must reproduce the above copyright 24 * notice, this list of conditions and the following disclaimer in the 25 * documentation and/or other materials provided with the distribution. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 28 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 29 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 30 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37 */ 38 39 #include <sys/types.h> 40 41 #include <openssl/md5.h> 42 43 #include <string.h> 44 #include <stdarg.h> 45 46 #include "xmalloc.h" 47 #include "log.h" 48 #include "cipher.h" 49 50 extern const EVP_CIPHER *evp_ssh1_bf(void); 51 extern const EVP_CIPHER *evp_ssh1_3des(void); 52 extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); 53 extern const EVP_CIPHER *evp_aes_128_ctr(void); 54 extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); 55 56 struct Cipher { 57 char *name; 58 int number; /* for ssh1 only */ 59 u_int block_size; 60 u_int key_len; 61 u_int discard_len; 62 u_int cbc_mode; 63 const EVP_CIPHER *(*evptype)(void); 64 } ciphers[] = { 65 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, 66 { "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc }, 67 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, 68 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 1, evp_ssh1_bf }, 69 70 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, 71 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc }, 72 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc }, 73 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 }, 74 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 }, 75 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 }, 76 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, 77 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, 78 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, 79 { "rijndael-cbc (at) lysator.liu.se", 80 SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, 81 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, 82 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, 83 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, 84 { "acss (at) openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss }, 85 86 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } 87 }; 88 89 /*--*/ 90 91 u_int 92 cipher_blocksize(const Cipher *c) 93 { 94 return (c->block_size); 95 } 96 97 u_int 98 cipher_keylen(const Cipher *c) 99 { 100 return (c->key_len); 101 } 102 103 u_int 104 cipher_get_number(const Cipher *c) 105 { 106 return (c->number); 107 } 108 109 u_int 110 cipher_is_cbc(const Cipher *c) 111 { 112 return (c->cbc_mode); 113 } 114 115 u_int 116 cipher_mask_ssh1(int client) 117 { 118 u_int mask = 0; 119 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 120 mask |= 1 << SSH_CIPHER_BLOWFISH; 121 if (client) { 122 mask |= 1 << SSH_CIPHER_DES; 123 } 124 return mask; 125 } 126 127 Cipher * 128 cipher_by_name(const char *name) 129 { 130 Cipher *c; 131 for (c = ciphers; c->name != NULL; c++) 132 if (strcmp(c->name, name) == 0) 133 return c; 134 return NULL; 135 } 136 137 Cipher * 138 cipher_by_number(int id) 139 { 140 Cipher *c; 141 for (c = ciphers; c->name != NULL; c++) 142 if (c->number == id) 143 return c; 144 return NULL; 145 } 146 147 #define CIPHER_SEP "," 148 int 149 ciphers_valid(const char *names) 150 { 151 Cipher *c; 152 char *cipher_list, *cp; 153 char *p; 154 155 if (names == NULL || strcmp(names, "") == 0) 156 return 0; 157 cipher_list = cp = xstrdup(names); 158 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 159 (p = strsep(&cp, CIPHER_SEP))) { 160 c = cipher_by_name(p); 161 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 162 debug("bad cipher %s [%s]", p, names); 163 xfree(cipher_list); 164 return 0; 165 } else { 166 debug3("cipher ok: %s [%s]", p, names); 167 } 168 } 169 debug3("ciphers ok: [%s]", names); 170 xfree(cipher_list); 171 return 1; 172 } 173 174 /* 175 * Parses the name of the cipher. Returns the number of the corresponding 176 * cipher, or -1 on error. 177 */ 178 179 int 180 cipher_number(const char *name) 181 { 182 Cipher *c; 183 if (name == NULL) 184 return -1; 185 for (c = ciphers; c->name != NULL; c++) 186 if (strcasecmp(c->name, name) == 0) 187 return c->number; 188 return -1; 189 } 190 191 char * 192 cipher_name(int id) 193 { 194 Cipher *c = cipher_by_number(id); 195 return (c==NULL) ? "<unknown>" : c->name; 196 } 197 198 void 199 cipher_init(CipherContext *cc, Cipher *cipher, 200 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 201 int do_encrypt) 202 { 203 static int dowarn = 1; 204 const EVP_CIPHER *type; 205 int klen; 206 u_char *junk, *discard; 207 208 if (cipher->number == SSH_CIPHER_DES) { 209 if (dowarn) { 210 error("Warning: use of DES is strongly discouraged " 211 "due to cryptographic weaknesses"); 212 dowarn = 0; 213 } 214 if (keylen > 8) 215 keylen = 8; 216 } 217 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 218 219 if (keylen < cipher->key_len) 220 fatal("cipher_init: key length %d is insufficient for %s.", 221 keylen, cipher->name); 222 if (iv != NULL && ivlen < cipher->block_size) 223 fatal("cipher_init: iv length %d is insufficient for %s.", 224 ivlen, cipher->name); 225 cc->cipher = cipher; 226 227 type = (*cipher->evptype)(); 228 229 EVP_CIPHER_CTX_init(&cc->evp); 230 if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv, 231 (do_encrypt == CIPHER_ENCRYPT)) == 0) 232 fatal("cipher_init: EVP_CipherInit failed for %s", 233 cipher->name); 234 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 235 if (klen > 0 && keylen != (u_int)klen) { 236 debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); 237 if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) 238 fatal("cipher_init: set keylen failed (%d -> %d)", 239 klen, keylen); 240 } 241 if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) 242 fatal("cipher_init: EVP_CipherInit: set key failed for %s", 243 cipher->name); 244 245 if (cipher->discard_len > 0) { 246 junk = xmalloc(cipher->discard_len); 247 discard = xmalloc(cipher->discard_len); 248 if (EVP_Cipher(&cc->evp, discard, junk, 249 cipher->discard_len) == 0) 250 fatal("evp_crypt: EVP_Cipher failed during discard"); 251 memset(discard, 0, cipher->discard_len); 252 xfree(junk); 253 xfree(discard); 254 } 255 } 256 257 void 258 cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 259 { 260 if (len % cc->cipher->block_size) 261 fatal("cipher_encrypt: bad plaintext length %d", len); 262 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) 263 fatal("evp_crypt: EVP_Cipher failed"); 264 } 265 266 void 267 cipher_cleanup(CipherContext *cc) 268 { 269 if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) 270 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); 271 } 272 273 /* 274 * Selects the cipher, and keys if by computing the MD5 checksum of the 275 * passphrase and using the resulting 16 bytes as the key. 276 */ 277 278 void 279 cipher_set_key_string(CipherContext *cc, Cipher *cipher, 280 const char *passphrase, int do_encrypt) 281 { 282 MD5_CTX md; 283 u_char digest[16]; 284 285 MD5_Init(&md); 286 MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); 287 MD5_Final(digest, &md); 288 289 cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt); 290 291 memset(digest, 0, sizeof(digest)); 292 memset(&md, 0, sizeof(md)); 293 } 294 295 /* 296 * Exports an IV from the CipherContext required to export the key 297 * state back from the unprivileged child to the privileged parent 298 * process. 299 */ 300 301 int 302 cipher_get_keyiv_len(const CipherContext *cc) 303 { 304 Cipher *c = cc->cipher; 305 int ivlen; 306 307 if (c->number == SSH_CIPHER_3DES) 308 ivlen = 24; 309 else 310 ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); 311 return (ivlen); 312 } 313 314 void 315 cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) 316 { 317 Cipher *c = cc->cipher; 318 int evplen; 319 320 switch (c->number) { 321 case SSH_CIPHER_SSH2: 322 case SSH_CIPHER_DES: 323 case SSH_CIPHER_BLOWFISH: 324 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 325 if (evplen <= 0) 326 return; 327 if ((u_int)evplen != len) 328 fatal("%s: wrong iv length %d != %d", __func__, 329 evplen, len); 330 if (c->evptype == evp_aes_128_ctr) 331 ssh_aes_ctr_iv(&cc->evp, 0, iv, len); 332 else 333 memcpy(iv, cc->evp.iv, len); 334 break; 335 case SSH_CIPHER_3DES: 336 ssh1_3des_iv(&cc->evp, 0, iv, 24); 337 break; 338 default: 339 fatal("%s: bad cipher %d", __func__, c->number); 340 } 341 } 342 343 void 344 cipher_set_keyiv(CipherContext *cc, u_char *iv) 345 { 346 Cipher *c = cc->cipher; 347 int evplen = 0; 348 349 switch (c->number) { 350 case SSH_CIPHER_SSH2: 351 case SSH_CIPHER_DES: 352 case SSH_CIPHER_BLOWFISH: 353 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 354 if (evplen == 0) 355 return; 356 if (c->evptype == evp_aes_128_ctr) 357 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); 358 else 359 memcpy(cc->evp.iv, iv, evplen); 360 break; 361 case SSH_CIPHER_3DES: 362 ssh1_3des_iv(&cc->evp, 1, iv, 24); 363 break; 364 default: 365 fatal("%s: bad cipher %d", __func__, c->number); 366 } 367 } 368 369 #define EVP_X_STATE(evp) (evp).cipher_data 370 #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size 371 372 int 373 cipher_get_keycontext(const CipherContext *cc, u_char *dat) 374 { 375 Cipher *c = cc->cipher; 376 int plen = 0; 377 378 if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { 379 plen = EVP_X_STATE_LEN(cc->evp); 380 if (dat == NULL) 381 return (plen); 382 memcpy(dat, EVP_X_STATE(cc->evp), plen); 383 } 384 return (plen); 385 } 386 387 void 388 cipher_set_keycontext(CipherContext *cc, u_char *dat) 389 { 390 Cipher *c = cc->cipher; 391 int plen; 392 393 if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { 394 plen = EVP_X_STATE_LEN(cc->evp); 395 memcpy(EVP_X_STATE(cc->evp), dat, plen); 396 } 397 } 398
Indexes created Mon Mar 02 05:31:46 UTC 2026