[openssh.git] / cipher.c

/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 *
 * Copyright (c) 1999 Niels Provos.  All rights reserved.
 * Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: cipher.c,v 1.36 2000/10/14 10:01:15 markus Exp $");

#include "ssh.h"
#include "xmalloc.h"

#include <openssl/md5.h>


/* no encryption */
void
none_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
}
void
none_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
}
void
none_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	memcpy(dest, src, len);
}

/* DES */
void
des_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	static int dowarn = 1;
	if (dowarn) {
		error("Warning: use of DES is strongly discouraged "
		    "due to cryptographic weaknesses");
		dowarn = 0;
	}
	des_set_key((void *)key, cc->u.des.key);
}
void
des_ssh1_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
	memset(cc->u.des.iv, 0, sizeof(cc->u.des.iv));
}
void
des_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
	    DES_ENCRYPT);
}
void
des_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
	    DES_DECRYPT);
}

/* 3DES */
void
des3_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	des_set_key((void *) key, cc->u.des3.key1);
	des_set_key((void *) (key+8), cc->u.des3.key2);
	des_set_key((void *) (key+16), cc->u.des3.key3);
}
void
des3_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
	memset(cc->u.des3.iv2, 0, sizeof(cc->u.des3.iv2));
	memset(cc->u.des3.iv3, 0, sizeof(cc->u.des3.iv3));
	if (iv == NULL)
		return;
	memcpy(cc->u.des3.iv3, (char *)iv, 8);
}
void
des3_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	des_ede3_cbc_encrypt(src, dest, len,
	    cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
	    &cc->u.des3.iv3, DES_ENCRYPT);
}
void
des3_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	des_ede3_cbc_encrypt(src, dest, len,
	    cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
	    &cc->u.des3.iv3, DES_DECRYPT);
}

/*
 * This is used by SSH1:
 *
 * What kind of triple DES are these 2 routines?
 *
 * Why is there a redundant initialization vector?
 *
 * If only iv3 was used, then, this would till effect have been
 * outer-cbc. However, there is also a private iv1 == iv2 which
 * perhaps makes differential analysis easier. On the other hand, the
 * private iv1 probably makes the CRC-32 attack ineffective. This is a
 * result of that there is no longer any known iv1 to use when
 * choosing the X block.
 */
void
des3_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	des_set_key((void *) key, cc->u.des3.key1);
	des_set_key((void *) (key+8), cc->u.des3.key2);
	if (keylen <= 16)
		des_set_key((void *) key, cc->u.des3.key3);
	else
		des_set_key((void *) (key+16), cc->u.des3.key3);
}
void
des3_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	des_cblock iv1;
	des_cblock *iv2 = &cc->u.des3.iv2;
	des_cblock *iv3 = &cc->u.des3.iv3;

	memcpy(&iv1, iv2, 8);

	des_cbc_encrypt(src, dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT);
	memcpy(&iv1, dest + len - 8, 8);

	des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT);
	memcpy(iv2, &iv1, 8);	/* Note how iv1 == iv2 on entry and exit. */

	des_cbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT);
	memcpy(iv3, dest + len - 8, 8);
}
void
des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	des_cblock iv1;
	des_cblock *iv2 = &cc->u.des3.iv2;
	des_cblock *iv3 = &cc->u.des3.iv3;

	memcpy(&iv1, iv2, 8);

	des_cbc_encrypt(src, dest, len, cc->u.des3.key3, iv3, DES_DECRYPT);
	memcpy(iv3, src + len - 8, 8);

	des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT);
	memcpy(iv2, dest + len - 8, 8);

	des_cbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT);
	/* memcpy(&iv1, iv2, 8); */
	/* Note how iv1 == iv2 on entry and exit. */
}

/* Blowfish */
void
blowfish_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	BF_set_key(&cc->u.bf.key, keylen, (unsigned char *)key);
}
void
blowfish_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
	if (iv == NULL)
		memset(cc->u.bf.iv, 0, 8);
	else
		memcpy(cc->u.bf.iv, (char *)iv, 8);
}
void
blowfish_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
     u_int len)
{
	BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	    BF_ENCRYPT);
}
void
blowfish_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
     u_int len)
{
	BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	    BF_DECRYPT);
}

/*
 * SSH1 uses a variation on Blowfish, all bytes must be swapped before
 * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
 */
static void
swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
{
	/* dst must be properly aligned. */
	u_int32_t *dst = (u_int32_t *) dst_;
	union {
		u_int32_t i;
		char c[4];
	} t;

	/* Process 8 bytes every lap. */
	for (n = n / 8; n > 0; n--) {
		t.c[3] = *src++;
		t.c[2] = *src++;
		t.c[1] = *src++;
		t.c[0] = *src++;
		*dst++ = t.i;

		t.c[3] = *src++;
		t.c[2] = *src++;
		t.c[1] = *src++;
		t.c[0] = *src++;
		*dst++ = t.i;
	}
}

void
blowfish_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	swap_bytes(src, dest, len);
	BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	    BF_ENCRYPT);
	swap_bytes(dest, dest, len);
}
void
blowfish_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	swap_bytes(src, dest, len);
	BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	    BF_DECRYPT);
	swap_bytes(dest, dest, len);
}

/* alleged rc4 */
void
arcfour_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	RC4_set_key(&cc->u.rc4, keylen, (u_char *)key);
}
void
arcfour_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	RC4(&cc->u.rc4, len, (u_char *)src, dest);
}

/* CAST */
void
cast_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	CAST_set_key(&cc->u.cast.key, keylen, (unsigned char *) key);
}
void
cast_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
	if (iv == NULL) 
		fatal("no IV for %s.", cc->cipher->name);
	memcpy(cc->u.cast.iv, (char *)iv, 8);
}
void
cast_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
	    CAST_ENCRYPT);
}
void
cast_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
	    CAST_DECRYPT);
}

/* RIJNDAEL */

#define RIJNDAEL_BLOCKSIZE 16
void
rijndael_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	rijndael_set_key(&cc->u.rijndael.enc, (u4byte *)key, 8*keylen, 1);
	rijndael_set_key(&cc->u.rijndael.dec, (u4byte *)key, 8*keylen, 0);
}
void
rijndael_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
	if (iv == NULL) 
		fatal("no IV for %s.", cc->cipher->name);
	memcpy((u_char *)cc->u.rijndael.iv, iv, RIJNDAEL_BLOCKSIZE);
}
void
rijndael_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	rijndael_ctx *ctx = &cc->u.rijndael.enc;
	u4byte *iv = cc->u.rijndael.iv;
	u4byte in[4];
	u4byte *cprev, *cnow, *plain;
	int i, blocks = len / RIJNDAEL_BLOCKSIZE;
	if (len == 0)
		return;
	if (len % RIJNDAEL_BLOCKSIZE)
		fatal("rijndael_cbc_encrypt: bad len %d", len);
	cnow  = (u4byte*) dest;
	plain = (u4byte*) src;
	cprev = iv;
	for(i = 0; i < blocks; i++, plain+=4, cnow+=4) {
		in[0] = plain[0] ^ cprev[0];
		in[1] = plain[1] ^ cprev[1];
		in[2] = plain[2] ^ cprev[2];
		in[3] = plain[3] ^ cprev[3];
		rijndael_encrypt(ctx, in, cnow);
		cprev = cnow;
	}
	memcpy(iv, cprev, RIJNDAEL_BLOCKSIZE);
}

void
rijndael_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	rijndael_ctx *ctx = &cc->u.rijndael.dec;
	u4byte *iv = cc->u.rijndael.iv;
	u4byte ivsaved[4];
	u4byte *cnow =  (u4byte*) (src+len-RIJNDAEL_BLOCKSIZE);
	u4byte *plain = (u4byte*) (dest+len-RIJNDAEL_BLOCKSIZE);
	u4byte *ivp;
	int i, blocks = len / RIJNDAEL_BLOCKSIZE;
	if (len == 0)
		return;
	if (len % RIJNDAEL_BLOCKSIZE)
		fatal("rijndael_cbc_decrypt: bad len %d", len);
	memcpy(ivsaved, cnow, RIJNDAEL_BLOCKSIZE);
	for(i = blocks; i > 0; i--, cnow-=4, plain-=4) {
		rijndael_decrypt(ctx, cnow, plain);
		ivp =  (i == 1) ? iv : cnow-4;
		plain[0] ^= ivp[0];
		plain[1] ^= ivp[1];
		plain[2] ^= ivp[2];
		plain[3] ^= ivp[3];
	}
	memcpy(iv, ivsaved, RIJNDAEL_BLOCKSIZE);
}

Cipher ciphers[] = {
	{ "none",
		SSH_CIPHER_NONE, 8, 0,
		none_setkey, none_setiv,
		none_crypt, none_crypt },
	{ "des",
		SSH_CIPHER_DES, 8, 8,
		des_ssh1_setkey, des_ssh1_setiv,
		des_ssh1_encrypt, des_ssh1_decrypt },
	{ "3des",
		SSH_CIPHER_3DES, 8, 16,
		des3_ssh1_setkey, des3_setiv,
		des3_ssh1_encrypt, des3_ssh1_decrypt },
	{ "blowfish",
		SSH_CIPHER_BLOWFISH, 8, 16,
		blowfish_setkey, blowfish_setiv,
		blowfish_ssh1_encrypt, blowfish_ssh1_decrypt },

	{ "3des-cbc",
		SSH_CIPHER_SSH2, 8, 24,
		des3_setkey, des3_setiv,
		des3_cbc_encrypt, des3_cbc_decrypt },
	{ "blowfish-cbc",
		SSH_CIPHER_SSH2, 8, 16,
		blowfish_setkey, blowfish_setiv,
		blowfish_cbc_encrypt, blowfish_cbc_decrypt },
	{ "cast128-cbc",
		SSH_CIPHER_SSH2, 8, 16,
		cast_setkey, cast_setiv,
		cast_cbc_encrypt, cast_cbc_decrypt },
	{ "arcfour",
		SSH_CIPHER_SSH2, 8, 16,
		arcfour_setkey, none_setiv,
		arcfour_crypt, arcfour_crypt },
	{ "aes128-cbc",
		SSH_CIPHER_SSH2, 16, 16,
		rijndael_setkey, rijndael_setiv,
		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	{ "aes192-cbc",
		SSH_CIPHER_SSH2, 16, 24,
		rijndael_setkey, rijndael_setiv,
		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	{ "aes256-cbc",
		SSH_CIPHER_SSH2, 16, 32,
		rijndael_setkey, rijndael_setiv,
		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	{ "rijndael128-cbc",
		SSH_CIPHER_SSH2, 16, 16,
		rijndael_setkey, rijndael_setiv,
		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	{ "rijndael192-cbc",
		SSH_CIPHER_SSH2, 16, 24,
		rijndael_setkey, rijndael_setiv,
		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	{ "rijndael256-cbc",
		SSH_CIPHER_SSH2, 16, 32,
		rijndael_setkey, rijndael_setiv,
		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	{ "rijndael-cbc@lysator.liu.se",
		SSH_CIPHER_SSH2, 16, 32,
		rijndael_setkey, rijndael_setiv,
		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
        { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL }
};

/*--*/

unsigned int
cipher_mask_ssh1(int client)
{
	unsigned int mask = 0;
	mask |= 1 << SSH_CIPHER_3DES;           /* Mandatory */
	mask |= 1 << SSH_CIPHER_BLOWFISH;
	if (client) {
		mask |= 1 << SSH_CIPHER_DES;
	}
	return mask;
}

Cipher *
cipher_by_name(const char *name)
{
	Cipher *c;
	for (c = ciphers; c->name != NULL; c++)
		if (strcasecmp(c->name, name) == 0)
			return c;
	return NULL;
}

Cipher *
cipher_by_number(int id)
{
	Cipher *c;
	for (c = ciphers; c->name != NULL; c++)
		if (c->number == id)
			return c;
	return NULL;
}

#define	CIPHER_SEP	","
int
ciphers_valid(const char *names)
{
	Cipher *c;
	char *ciphers, *cp;
	char *p;

	if (names == NULL || strcmp(names, "") == 0)
		return 0;
	ciphers = cp = xstrdup(names);
	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
	     (p = strsep(&cp, CIPHER_SEP))) {
		c = cipher_by_name(p);
		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
			debug("bad cipher %s [%s]", p, names);
			xfree(ciphers);
			return 0;
		} else {
			debug3("cipher ok: %s [%s]", p, names);
		}
	}
	debug3("ciphers ok: [%s]", names);
	xfree(ciphers);
	return 1;
}

/*
 * Parses the name of the cipher.  Returns the number of the corresponding
 * cipher, or -1 on error.
 */

int
cipher_number(const char *name)
{
	Cipher *c;
	if (name == NULL)
		return -1;
	c = cipher_by_name(name);
	return (c==NULL) ? -1 : c->number;
}

char *
cipher_name(int id)
{
	Cipher *c = cipher_by_number(id);
	return (c==NULL) ? "<unknown>" : c->name;
}

void
cipher_init(CipherContext *cc, Cipher *cipher,
    const u_char *key, u_int keylen, const u_char *iv, u_int ivlen)
{
	if (keylen < cipher->key_len)
		fatal("cipher_init: key length %d is insufficient for %s.",
		    keylen, cipher->name);
	if (iv != NULL && ivlen < cipher->block_size)
		fatal("cipher_init: iv length %d is insufficient for %s.",
		    ivlen, cipher->name);
	cc->cipher = cipher;
	cipher->setkey(cc, key, keylen);
	cipher->setiv(cc, iv, ivlen);
}

void
cipher_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	if (len % cc->cipher->block_size)
		fatal("cipher_encrypt: bad plaintext length %d", len);
	cc->cipher->encrypt(cc, dest, src, len);
}

void
cipher_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	if (len % cc->cipher->block_size)
		fatal("cipher_decrypt: bad ciphertext length %d", len);
	cc->cipher->decrypt(cc, dest, src, len);
}

/*
 * Selects the cipher, and keys if by computing the MD5 checksum of the
 * passphrase and using the resulting 16 bytes as the key.
 */

void
cipher_set_key_string(CipherContext *cc, Cipher *cipher,
    const char *passphrase)
{
	MD5_CTX md;
	unsigned char digest[16];

	MD5_Init(&md);
	MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
	MD5_Final(digest, &md);

	cipher_init(cc, cipher, digest, 16, NULL, 0);

	memset(digest, 0, sizeof(digest));
	memset(&md, 0, sizeof(md));
}
Commit	Line	Data
8efc0c15	1	/*
5260325f	2	* Author: Tatu Ylonen <ylo@cs.hut.fi>
5260325f	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5260325f	4	* All rights reserved
6ae2364d	5	*
bcbf86ec	6	* As far as I am concerned, the code I have written for this software
	7	* can be used freely for any purpose. Any derived versions of this
	8	* software must be clearly marked as such, and if the derived work is
	9	* incompatible with the protocol description in the RFC file, it must be
	10	* called by a name other than "ssh" or "Secure Shell".
	11	*
	12	*
	13	* Copyright (c) 1999 Niels Provos. All rights reserved.
	14	* Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
	15	*
	16	* Redistribution and use in source and binary forms, with or without
	17	* modification, are permitted provided that the following conditions
	18	* are met:
	19	* 1. Redistributions of source code must retain the above copyright
	20	* notice, this list of conditions and the following disclaimer.
	21	* 2. Redistributions in binary form must reproduce the above copyright
	22	* notice, this list of conditions and the following disclaimer in the
	23	* documentation and/or other materials provided with the distribution.
6ae2364d	24	*
bcbf86ec	25	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	26	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	27	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	28	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	29	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	30	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	31	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	32	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	33	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	34	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
5260325f	35	*/
8efc0c15	36
8efc0c15	37	#include "includes.h"
33de75a3	38	RCSID("$OpenBSD: cipher.c,v 1.36 2000/10/14 10:01:15 markus Exp $");
8efc0c15	39
8efc0c15	40	#include "ssh.h"
a8be9f80	41	#include "xmalloc.h"
8efc0c15	42
	43	#include <openssl/md5.h>
	44
94ec8c6b	45
	46	/* no encryption */
	47	void
	48	none_setkey(CipherContext cc, const u_char key, u_int keylen)
	49	{
	50	}
	51	void
	52	none_setiv(CipherContext cc, const u_char iv, u_int ivlen)
	53	{
	54	}
	55	void
	56	none_crypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	57	{
	58	memcpy(dest, src, len);
	59	}
	60
	61	/* DES */
	62	void
	63	des_ssh1_setkey(CipherContext cc, const u_char key, u_int keylen)
	64	{
	65	static int dowarn = 1;
	66	if (dowarn) {
	67	error("Warning: use of DES is strongly discouraged "
	68	"due to cryptographic weaknesses");
	69	dowarn = 0;
	70	}
	71	des_set_key((void *)key, cc->u.des.key);
	72	}
	73	void
	74	des_ssh1_setiv(CipherContext cc, const u_char iv, u_int ivlen)
	75	{
	76	memset(cc->u.des.iv, 0, sizeof(cc->u.des.iv));
	77	}
	78	void
	79	des_ssh1_encrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	80	{
	81	des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
	82	DES_ENCRYPT);
	83	}
	84	void
	85	des_ssh1_decrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	86	{
	87	des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
	88	DES_DECRYPT);
	89	}
	90
	91	/* 3DES */
	92	void
	93	des3_setkey(CipherContext cc, const u_char key, u_int keylen)
	94	{
	95	des_set_key((void *) key, cc->u.des3.key1);
	96	des_set_key((void *) (key+8), cc->u.des3.key2);
	97	des_set_key((void *) (key+16), cc->u.des3.key3);
	98	}
	99	void
	100	des3_setiv(CipherContext cc, const u_char iv, u_int ivlen)
	101	{
	102	memset(cc->u.des3.iv2, 0, sizeof(cc->u.des3.iv2));
	103	memset(cc->u.des3.iv3, 0, sizeof(cc->u.des3.iv3));
	104	if (iv == NULL)
	105	return;
	106	memcpy(cc->u.des3.iv3, (char *)iv, 8);
	107	}
	108	void
109	des3_cbc_encrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
110	{
111	des_ede3_cbc_encrypt(src, dest, len,
112	cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
113	&cc->u.des3.iv3, DES_ENCRYPT);
114	}
115	void
116	des3_cbc_decrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
117	{
118	des_ede3_cbc_encrypt(src, dest, len,
119	cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
120	&cc->u.des3.iv3, DES_DECRYPT);
121	}
122
8efc0c15	123	/*
a8be9f80	124	* This is used by SSH1:
	125	*
	126	* What kind of triple DES are these 2 routines?
8efc0c15	127	*
	128	* Why is there a redundant initialization vector?
	129	*
	130	* If only iv3 was used, then, this would till effect have been
	131	* outer-cbc. However, there is also a private iv1 == iv2 which
	132	* perhaps makes differential analysis easier. On the other hand, the
	133	* private iv1 probably makes the CRC-32 attack ineffective. This is a
	134	* result of that there is no longer any known iv1 to use when
	135	* choosing the X block.
	136	*/
	137	void
94ec8c6b	138	des3_ssh1_setkey(CipherContext cc, const u_char key, u_int keylen)
	139	{
	140	des_set_key((void *) key, cc->u.des3.key1);
	141	des_set_key((void *) (key+8), cc->u.des3.key2);
	142	if (keylen <= 16)
	143	des_set_key((void *) key, cc->u.des3.key3);
	144	else
	145	des_set_key((void *) (key+16), cc->u.des3.key3);
	146	}
	147	void
	148	des3_ssh1_encrypt(CipherContext cc, u_char dest, const u_char *src,
	149	u_int len)
8efc0c15	150	{
5260325f	151	des_cblock iv1;
94ec8c6b	152	des_cblock *iv2 = &cc->u.des3.iv2;
94ec8c6b	153	des_cblock *iv3 = &cc->u.des3.iv3;
8efc0c15	154
5260325f	155	memcpy(&iv1, iv2, 8);
8efc0c15	156
94ec8c6b	157	des_cbc_encrypt(src, dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT);
c8d54615	158	memcpy(&iv1, dest + len - 8, 8);
8efc0c15	159
94ec8c6b	160	des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT);
5260325f	161	memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */
8efc0c15	162
94ec8c6b	163	des_cbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT);
c8d54615	164	memcpy(iv3, dest + len - 8, 8);
8efc0c15	165	}
8efc0c15	166	void
94ec8c6b	167	des3_ssh1_decrypt(CipherContext cc, u_char dest, const u_char *src,
94ec8c6b	168	u_int len)
8efc0c15	169	{
5260325f	170	des_cblock iv1;
94ec8c6b	171	des_cblock *iv2 = &cc->u.des3.iv2;
94ec8c6b	172	des_cblock *iv3 = &cc->u.des3.iv3;
8efc0c15	173
5260325f	174	memcpy(&iv1, iv2, 8);
8efc0c15	175
94ec8c6b	176	des_cbc_encrypt(src, dest, len, cc->u.des3.key3, iv3, DES_DECRYPT);
c8d54615	177	memcpy(iv3, src + len - 8, 8);
8efc0c15	178
94ec8c6b	179	des_cbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT);
c8d54615	180	memcpy(iv2, dest + len - 8, 8);
8efc0c15	181
94ec8c6b	182	des_cbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT);
5260325f	183	/* memcpy(&iv1, iv2, 8); */
5260325f	184	/* Note how iv1 == iv2 on entry and exit. */
8efc0c15	185	}
8efc0c15	186
94ec8c6b	187	/* Blowfish */
	188	void
	189	blowfish_setkey(CipherContext cc, const u_char key, u_int keylen)
	190	{
	191	BF_set_key(&cc->u.bf.key, keylen, (unsigned char *)key);
	192	}
	193	void
	194	blowfish_setiv(CipherContext cc, const u_char iv, u_int ivlen)
	195	{
	196	if (iv == NULL)
	197	memset(cc->u.bf.iv, 0, 8);
	198	else
	199	memcpy(cc->u.bf.iv, (char *)iv, 8);
	200	}
	201	void
	202	blowfish_cbc_encrypt(CipherContext cc, u_char dest, const u_char *src,
	203	u_int len)
	204	{
	205	BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	206	BF_ENCRYPT);
	207	}
	208	void
	209	blowfish_cbc_decrypt(CipherContext cc, u_char dest, const u_char *src,
	210	u_int len)
	211	{
	212	BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	213	BF_DECRYPT);
	214	}
	215
8efc0c15	216	/*
a8be9f80	217	* SSH1 uses a variation on Blowfish, all bytes must be swapped before
8efc0c15	218	* and after encryption/decryption. Thus the swap_bytes stuff (yuk).
8efc0c15	219	*/
5260325f	220	static void
8efc0c15	221	swap_bytes(const unsigned char src, unsigned char dst_, int n)
8efc0c15	222	{
5260325f	223	/* dst must be properly aligned. */
	224	u_int32_t dst = (u_int32_t ) dst_;
	225	union {
	226	u_int32_t i;
	227	char c[4];
	228	} t;
	229
	230	/* Process 8 bytes every lap. */
	231	for (n = n / 8; n > 0; n--) {
	232	t.c[3] = *src++;
	233	t.c[2] = *src++;
	234	t.c[1] = *src++;
	235	t.c[0] = *src++;
	236	*dst++ = t.i;
	237
	238	t.c[3] = *src++;
	239	t.c[2] = *src++;
	240	t.c[1] = *src++;
	241	t.c[0] = *src++;
	242	*dst++ = t.i;
	243	}
8efc0c15	244	}
8efc0c15	245
94ec8c6b	246	void
	247	blowfish_ssh1_encrypt(CipherContext cc, u_char dest, const u_char *src,
	248	u_int len)
	249	{
	250	swap_bytes(src, dest, len);
	251	BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	252	BF_ENCRYPT);
	253	swap_bytes(dest, dest, len);
	254	}
	255	void
	256	blowfish_ssh1_decrypt(CipherContext cc, u_char dest, const u_char *src,
	257	u_int len)
	258	{
	259	swap_bytes(src, dest, len);
	260	BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	261	BF_DECRYPT);
	262	swap_bytes(dest, dest, len);
	263	}
8efc0c15	264
94ec8c6b	265	/* alleged rc4 */
	266	void
	267	arcfour_setkey(CipherContext cc, const u_char key, u_int keylen)
	268	{
	269	RC4_set_key(&cc->u.rc4, keylen, (u_char *)key);
	270	}
	271	void
	272	arcfour_crypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	273	{
	274	RC4(&cc->u.rc4, len, (u_char *)src, dest);
	275	}
8efc0c15	276
94ec8c6b	277	/* CAST */
	278	void
	279	cast_setkey(CipherContext cc, const u_char key, u_int keylen)
8efc0c15	280	{
94ec8c6b	281	CAST_set_key(&cc->u.cast.key, keylen, (unsigned char *) key);
	282	}
	283	void
	284	cast_setiv(CipherContext cc, const u_char iv, u_int ivlen)
	285	{
	286	if (iv == NULL)
	287	fatal("no IV for %s.", cc->cipher->name);
	288	memcpy(cc->u.cast.iv, (char *)iv, 8);
	289	}
	290	void
	291	cast_cbc_encrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	292	{
	293	CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
	294	CAST_ENCRYPT);
	295	}
	296	void
	297	cast_cbc_decrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	298	{
	299	CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
	300	CAST_DECRYPT);
	301	}
	302
	303	/* RIJNDAEL */
	304
	305	#define RIJNDAEL_BLOCKSIZE 16
	306	void
	307	rijndael_setkey(CipherContext cc, const u_char key, u_int keylen)
	308	{
	309	rijndael_set_key(&cc->u.rijndael.enc, (u4byte )key, 8keylen, 1);
	310	rijndael_set_key(&cc->u.rijndael.dec, (u4byte )key, 8keylen, 0);
	311	}
	312	void
	313	rijndael_setiv(CipherContext cc, const u_char iv, u_int ivlen)
	314	{
	315	if (iv == NULL)
	316	fatal("no IV for %s.", cc->cipher->name);
	317	memcpy((u_char *)cc->u.rijndael.iv, iv, RIJNDAEL_BLOCKSIZE);
8ce64345	318	}
94ec8c6b	319	void
	320	rijndael_cbc_encrypt(CipherContext cc, u_char dest, const u_char *src,
	321	u_int len)
	322	{
	323	rijndael_ctx *ctx = &cc->u.rijndael.enc;
	324	u4byte *iv = cc->u.rijndael.iv;
	325	u4byte in[4];
	326	u4byte cprev, cnow, *plain;
	327	int i, blocks = len / RIJNDAEL_BLOCKSIZE;
	328	if (len == 0)
	329	return;
	330	if (len % RIJNDAEL_BLOCKSIZE)
	331	fatal("rijndael_cbc_encrypt: bad len %d", len);
	332	cnow = (u4byte*) dest;
	333	plain = (u4byte*) src;
	334	cprev = iv;
	335	for(i = 0; i < blocks; i++, plain+=4, cnow+=4) {
	336	in[0] = plain[0] ^ cprev[0];
	337	in[1] = plain[1] ^ cprev[1];
	338	in[2] = plain[2] ^ cprev[2];
	339	in[3] = plain[3] ^ cprev[3];
	340	rijndael_encrypt(ctx, in, cnow);
	341	cprev = cnow;
	342	}
	343	memcpy(iv, cprev, RIJNDAEL_BLOCKSIZE);
	344	}
	345
	346	void
	347	rijndael_cbc_decrypt(CipherContext cc, u_char dest, const u_char *src,
	348	u_int len)
	349	{
	350	rijndael_ctx *ctx = &cc->u.rijndael.dec;
	351	u4byte *iv = cc->u.rijndael.iv;
	352	u4byte ivsaved[4];
	353	u4byte cnow = (u4byte) (src+len-RIJNDAEL_BLOCKSIZE);
	354	u4byte plain = (u4byte) (dest+len-RIJNDAEL_BLOCKSIZE);
	355	u4byte *ivp;
	356	int i, blocks = len / RIJNDAEL_BLOCKSIZE;
	357	if (len == 0)
	358	return;
	359	if (len % RIJNDAEL_BLOCKSIZE)
	360	fatal("rijndael_cbc_decrypt: bad len %d", len);
	361	memcpy(ivsaved, cnow, RIJNDAEL_BLOCKSIZE);
	362	for(i = blocks; i > 0; i--, cnow-=4, plain-=4) {
	363	rijndael_decrypt(ctx, cnow, plain);
	364	ivp = (i == 1) ? iv : cnow-4;
	365	plain[0] ^= ivp[0];
	366	plain[1] ^= ivp[1];
	367	plain[2] ^= ivp[2];
	368	plain[3] ^= ivp[3];
	369	}
	370	memcpy(iv, ivsaved, RIJNDAEL_BLOCKSIZE);
	371	}
	372
	373	Cipher ciphers[] = {
	374	{ "none",
	375	SSH_CIPHER_NONE, 8, 0,
	376	none_setkey, none_setiv,
	377	none_crypt, none_crypt },
	378	{ "des",
	379	SSH_CIPHER_DES, 8, 8,
	380	des_ssh1_setkey, des_ssh1_setiv,
	381	des_ssh1_encrypt, des_ssh1_decrypt },
	382	{ "3des",
383	SSH_CIPHER_3DES, 8, 16,
384	des3_ssh1_setkey, des3_setiv,
385	des3_ssh1_encrypt, des3_ssh1_decrypt },
386	{ "blowfish",
387	SSH_CIPHER_BLOWFISH, 8, 16,
388	blowfish_setkey, blowfish_setiv,
389	blowfish_ssh1_encrypt, blowfish_ssh1_decrypt },
390
391	{ "3des-cbc",
392	SSH_CIPHER_SSH2, 8, 24,
393	des3_setkey, des3_setiv,
394	des3_cbc_encrypt, des3_cbc_decrypt },
395	{ "blowfish-cbc",
396	SSH_CIPHER_SSH2, 8, 16,
397	blowfish_setkey, blowfish_setiv,
398	blowfish_cbc_encrypt, blowfish_cbc_decrypt },
399	{ "cast128-cbc",
400	SSH_CIPHER_SSH2, 8, 16,
401	cast_setkey, cast_setiv,
402	cast_cbc_encrypt, cast_cbc_decrypt },
403	{ "arcfour",
404	SSH_CIPHER_SSH2, 8, 16,
405	arcfour_setkey, none_setiv,
406	arcfour_crypt, arcfour_crypt },
407	{ "aes128-cbc",
408	SSH_CIPHER_SSH2, 16, 16,
409	rijndael_setkey, rijndael_setiv,
410	rijndael_cbc_encrypt, rijndael_cbc_decrypt },
411	{ "aes192-cbc",
412	SSH_CIPHER_SSH2, 16, 24,
413	rijndael_setkey, rijndael_setiv,
414	rijndael_cbc_encrypt, rijndael_cbc_decrypt },
415	{ "aes256-cbc",
416	SSH_CIPHER_SSH2, 16, 32,
417	rijndael_setkey, rijndael_setiv,
418	rijndael_cbc_encrypt, rijndael_cbc_decrypt },
419	{ "rijndael128-cbc",
420	SSH_CIPHER_SSH2, 16, 16,
421	rijndael_setkey, rijndael_setiv,
422	rijndael_cbc_encrypt, rijndael_cbc_decrypt },
423	{ "rijndael192-cbc",
424	SSH_CIPHER_SSH2, 16, 24,
425	rijndael_setkey, rijndael_setiv,
426	rijndael_cbc_encrypt, rijndael_cbc_decrypt },
427	{ "rijndael256-cbc",
428	SSH_CIPHER_SSH2, 16, 32,
429	rijndael_setkey, rijndael_setiv,
430	rijndael_cbc_encrypt, rijndael_cbc_decrypt },
431	{ "rijndael-cbc@lysator.liu.se",
432	SSH_CIPHER_SSH2, 16, 32,
433	rijndael_setkey, rijndael_setiv,
434	rijndael_cbc_encrypt, rijndael_cbc_decrypt },
435	{ NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL }
436	};
437
438	/--/
439
6ae2364d	440	unsigned int
94ec8c6b	441	cipher_mask_ssh1(int client)
8ce64345	442	{
8ce64345	443	unsigned int mask = 0;
94ec8c6b	444	mask \|= 1 << SSH_CIPHER_3DES; /* Mandatory */
	445	mask \|= 1 << SSH_CIPHER_BLOWFISH;
	446	if (client) {
	447	mask \|= 1 << SSH_CIPHER_DES;
	448	}
5260325f	449	return mask;
8efc0c15	450	}
94ec8c6b	451
	452	Cipher *
	453	cipher_by_name(const char *name)
8ce64345	454	{
94ec8c6b	455	Cipher *c;
	456	for (c = ciphers; c->name != NULL; c++)
	457	if (strcasecmp(c->name, name) == 0)
	458	return c;
	459	return NULL;
8ce64345	460	}
8efc0c15	461
94ec8c6b	462	Cipher *
94ec8c6b	463	cipher_by_number(int id)
8efc0c15	464	{
94ec8c6b	465	Cipher *c;
	466	for (c = ciphers; c->name != NULL; c++)
	467	if (c->number == id)
	468	return c;
	469	return NULL;
8efc0c15	470	}
8efc0c15	471
a8be9f80	472	#define CIPHER_SEP ","
	473	int
	474	ciphers_valid(const char *names)
	475	{
94ec8c6b	476	Cipher *c;
089fbbd2	477	char ciphers, cp;
a8be9f80	478	char *p;
a8be9f80	479
71276795	480	if (names == NULL \|\| strcmp(names, "") == 0)
a8be9f80	481	return 0;
089fbbd2	482	ciphers = cp = xstrdup(names);
94ec8c6b	483	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
089fbbd2	484	(p = strsep(&cp, CIPHER_SEP))) {
94ec8c6b	485	c = cipher_by_name(p);
	486	if (c == NULL \|\| c->number != SSH_CIPHER_SSH2) {
	487	debug("bad cipher %s [%s]", p, names);
a8be9f80	488	xfree(ciphers);
a8be9f80	489	return 0;
94ec8c6b	490	} else {
33de75a3	491	debug3("cipher ok: %s [%s]", p, names);
a8be9f80	492	}
a8be9f80	493	}
33de75a3	494	debug3("ciphers ok: [%s]", names);
a8be9f80	495	xfree(ciphers);
	496	return 1;
	497	}
	498
aa3378df	499	/*
	500	* Parses the name of the cipher. Returns the number of the corresponding
	501	* cipher, or -1 on error.
	502	*/
8efc0c15	503
	504	int
	505	cipher_number(const char *name)
	506	{
94ec8c6b	507	Cipher *c;
71276795	508	if (name == NULL)
71276795	509	return -1;
94ec8c6b	510	c = cipher_by_name(name);
	511	return (c==NULL) ? -1 : c->number;
	512	}
	513
	514	char *
	515	cipher_name(int id)
	516	{
	517	Cipher *c = cipher_by_number(id);
	518	return (c==NULL) ? "<unknown>" : c->name;
	519	}
	520
	521	void
	522	cipher_init(CipherContext cc, Cipher cipher,
	523	const u_char key, u_int keylen, const u_char iv, u_int ivlen)
	524	{
	525	if (keylen < cipher->key_len)
	526	fatal("cipher_init: key length %d is insufficient for %s.",
	527	keylen, cipher->name);
	528	if (iv != NULL && ivlen < cipher->block_size)
	529	fatal("cipher_init: iv length %d is insufficient for %s.",
	530	ivlen, cipher->name);
	531	cc->cipher = cipher;
	532	cipher->setkey(cc, key, keylen);
	533	cipher->setiv(cc, iv, ivlen);
	534	}
	535
	536	void
	537	cipher_encrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	538	{
	539	if (len % cc->cipher->block_size)
	540	fatal("cipher_encrypt: bad plaintext length %d", len);
	541	cc->cipher->encrypt(cc, dest, src, len);
	542	}
	543
	544	void
	545	cipher_decrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	546	{
	547	if (len % cc->cipher->block_size)
	548	fatal("cipher_decrypt: bad ciphertext length %d", len);
	549	cc->cipher->decrypt(cc, dest, src, len);
8efc0c15	550	}
8efc0c15	551
aa3378df	552	/*
	553	* Selects the cipher, and keys if by computing the MD5 checksum of the
	554	* passphrase and using the resulting 16 bytes as the key.
	555	*/
8efc0c15	556
6ae2364d	557	void
94ec8c6b	558	cipher_set_key_string(CipherContext cc, Cipher cipher,
94ec8c6b	559	const char *passphrase)
8efc0c15	560	{
5260325f	561	MD5_CTX md;
	562	unsigned char digest[16];
	563
	564	MD5_Init(&md);
94ec8c6b	565	MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
5260325f	566	MD5_Final(digest, &md);
5260325f	567
94ec8c6b	568	cipher_init(cc, cipher, digest, 16, NULL, 0);
5260325f	569
	570	memset(digest, 0, sizeof(digest));
	571	memset(&md, 0, sizeof(md));
8efc0c15	572	}