[openssh.git] / cipher.c

/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 *
 * Copyright (c) 1999 Niels Provos.  All rights reserved.
 * Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: cipher.c,v 1.31 2000/09/12 00:38:32 deraadt Exp $");

#include "ssh.h"
#include "cipher.h"
#include "xmalloc.h"

#include <openssl/md5.h>

/*
 * This is used by SSH1:
 *
 * What kind of triple DES are these 2 routines?
 *
 * Why is there a redundant initialization vector?
 *
 * If only iv3 was used, then, this would till effect have been
 * outer-cbc. However, there is also a private iv1 == iv2 which
 * perhaps makes differential analysis easier. On the other hand, the
 * private iv1 probably makes the CRC-32 attack ineffective. This is a
 * result of that there is no longer any known iv1 to use when
 * choosing the X block.
 */
void
SSH_3CBC_ENCRYPT(des_key_schedule ks1,
		 des_key_schedule ks2, des_cblock * iv2,
		 des_key_schedule ks3, des_cblock * iv3,
		 unsigned char *dest, unsigned char *src,
		 unsigned int len)
{
	des_cblock iv1;

	memcpy(&iv1, iv2, 8);

	des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
	memcpy(&iv1, dest + len - 8, 8);

	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
	memcpy(iv2, &iv1, 8);	/* Note how iv1 == iv2 on entry and exit. */

	des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
	memcpy(iv3, dest + len - 8, 8);
}

void
SSH_3CBC_DECRYPT(des_key_schedule ks1,
		 des_key_schedule ks2, des_cblock * iv2,
		 des_key_schedule ks3, des_cblock * iv3,
		 unsigned char *dest, unsigned char *src,
		 unsigned int len)
{
	des_cblock iv1;

	memcpy(&iv1, iv2, 8);

	des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
	memcpy(iv3, src + len - 8, 8);

	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
	memcpy(iv2, dest + len - 8, 8);

	des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
	/* memcpy(&iv1, iv2, 8); */
	/* Note how iv1 == iv2 on entry and exit. */
}

/*
 * SSH1 uses a variation on Blowfish, all bytes must be swapped before
 * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
 */
static void
swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
{
	/* dst must be properly aligned. */
	u_int32_t *dst = (u_int32_t *) dst_;
	union {
		u_int32_t i;
		char c[4];
	} t;

	/* Process 8 bytes every lap. */
	for (n = n / 8; n > 0; n--) {
		t.c[3] = *src++;
		t.c[2] = *src++;
		t.c[1] = *src++;
		t.c[0] = *src++;
		*dst++ = t.i;

		t.c[3] = *src++;
		t.c[2] = *src++;
		t.c[1] = *src++;
		t.c[0] = *src++;
		*dst++ = t.i;
	}
}

/*
 * Names of all encryption algorithms.
 * These must match the numbers defined in cipher.h.
 */
static char *cipher_names[] =
{
	"none",
	"idea",
	"des",
	"3des",
	"tss",
	"rc4",		/* Alleged RC4 */
	"blowfish",
	"reserved",
	"blowfish-cbc",
	"3des-cbc",
	"arcfour",
	"cast128-cbc"
};

/*
 * Returns a bit mask indicating which ciphers are supported by this
 * implementation.  The bit mask has the corresponding bit set of each
 * supported cipher.
 */

unsigned int
cipher_mask1()
{
	unsigned int mask = 0;
	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
	mask |= 1 << SSH_CIPHER_BLOWFISH;
	return mask;
}
unsigned int
cipher_mask2()
{
	unsigned int mask = 0;
	mask |= 1 << SSH_CIPHER_BLOWFISH_CBC;
	mask |= 1 << SSH_CIPHER_3DES_CBC;
	mask |= 1 << SSH_CIPHER_ARCFOUR;
	mask |= 1 << SSH_CIPHER_CAST128_CBC;
	return mask;
}
unsigned int
cipher_mask()
{
	return cipher_mask1() | cipher_mask2();
}

/* Returns the name of the cipher. */

const char *
cipher_name(int cipher)
{
	if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
	    cipher_names[cipher] == NULL)
		fatal("cipher_name: bad cipher name: %d", cipher);
	return cipher_names[cipher];
}

/* Returns 1 if the name of the ciphers are valid. */

#define	CIPHER_SEP	","
int
ciphers_valid(const char *names)
{
	char *ciphers, *cp;
	char *p;
	int i;

	if (names == NULL || strcmp(names, "") == 0)
		return 0;
	ciphers = cp = xstrdup(names);
	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 
	     (p = strsep(&cp, CIPHER_SEP))) {
		i = cipher_number(p);
		if (i == -1 || !(cipher_mask2() & (1 << i))) {
			xfree(ciphers);
			return 0;
		}
	}
	xfree(ciphers);
	return 1;
}

/*
 * Parses the name of the cipher.  Returns the number of the corresponding
 * cipher, or -1 on error.
 */

int
cipher_number(const char *name)
{
	int i;
	if (name == NULL)
		return -1;
	for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
		if (strcmp(cipher_names[i], name) == 0 &&
		    (cipher_mask() & (1 << i)))
			return i;
	return -1;
}

/*
 * Selects the cipher, and keys if by computing the MD5 checksum of the
 * passphrase and using the resulting 16 bytes as the key.
 */

void
cipher_set_key_string(CipherContext *context, int cipher, const char *passphrase)
{
	MD5_CTX md;
	unsigned char digest[16];

	MD5_Init(&md);
	MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
	MD5_Final(digest, &md);

	cipher_set_key(context, cipher, digest, 16);

	memset(digest, 0, sizeof(digest));
	memset(&md, 0, sizeof(md));
}

/* Selects the cipher to use and sets the key. */

void
cipher_set_key(CipherContext *context, int cipher, const unsigned char *key,
    int keylen)
{
	unsigned char padded[32];

	/* Set cipher type. */
	context->type = cipher;

	/* Get 32 bytes of key data.  Pad if necessary.  (So that code
	   below does not need to worry about key size). */
	memset(padded, 0, sizeof(padded));
	memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));

	/* Initialize the initialization vector. */
	switch (cipher) {
	case SSH_CIPHER_NONE:
		/*
		 * Has to stay for authfile saving of private key with no
		 * passphrase
		 */
		break;

	case SSH_CIPHER_3DES:
		/*
		 * Note: the least significant bit of each byte of key is
		 * parity, and must be ignored by the implementation.  16
		 * bytes of key are used (first and last keys are the same).
		 */
		if (keylen < 16)
			error("Key length %d is insufficient for 3DES.", keylen);
		des_set_key((void *) padded, context->u.des3.key1);
		des_set_key((void *) (padded + 8), context->u.des3.key2);
		if (keylen <= 16)
			des_set_key((void *) padded, context->u.des3.key3);
		else
			des_set_key((void *) (padded + 16), context->u.des3.key3);
		memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
		memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
		break;

	case SSH_CIPHER_BLOWFISH:
		if (keylen < 16)
			error("Key length %d is insufficient for blowfish.", keylen);
		BF_set_key(&context->u.bf.key, keylen, padded);
		memset(context->u.bf.iv, 0, 8);
		break;

	case SSH_CIPHER_3DES_CBC:
	case SSH_CIPHER_BLOWFISH_CBC:
	case SSH_CIPHER_ARCFOUR:
	case SSH_CIPHER_CAST128_CBC:
		fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher));
		break;

	default:
		fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
	}
	memset(padded, 0, sizeof(padded));
}

void
cipher_set_key_iv(CipherContext * context, int cipher,
    const unsigned char *key, int keylen,
    const unsigned char *iv, int ivlen)
{
	/* Set cipher type. */
	context->type = cipher;

	/* Initialize the initialization vector. */
	switch (cipher) {
	case SSH_CIPHER_NONE:
		break;

	case SSH_CIPHER_3DES:
	case SSH_CIPHER_BLOWFISH:
		fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher));
		break;

	case SSH_CIPHER_3DES_CBC:
		if (keylen < 24)
			error("Key length %d is insufficient for 3des-cbc.", keylen);
		des_set_key((void *) key, context->u.des3.key1);
		des_set_key((void *) (key+8), context->u.des3.key2);
		des_set_key((void *) (key+16), context->u.des3.key3);
		if (ivlen < 8)
			error("IV length %d is insufficient for 3des-cbc.", ivlen);
		memcpy(context->u.des3.iv3, (char *)iv, 8);
		break;

	case SSH_CIPHER_BLOWFISH_CBC:
		if (keylen < 16)
			error("Key length %d is insufficient for blowfish.", keylen);
		if (ivlen < 8)
			error("IV length %d is insufficient for blowfish.", ivlen);
		BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key);
		memcpy(context->u.bf.iv, (char *)iv, 8);
		break;

	case SSH_CIPHER_ARCFOUR:
		if (keylen < 16)
			error("Key length %d is insufficient for arcfour.", keylen);
		RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key);
		break;

	case SSH_CIPHER_CAST128_CBC:
		if (keylen < 16)
			error("Key length %d is insufficient for cast128.", keylen);
		if (ivlen < 8)
			error("IV length %d is insufficient for cast128.", ivlen);
		CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key);
		memcpy(context->u.cast.iv, (char *)iv, 8);
		break;

	default:
		fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
	}
}

/* Encrypts data using the cipher. */

void
cipher_encrypt(CipherContext *context, unsigned char *dest,
	       const unsigned char *src, unsigned int len)
{
	if ((len & 7) != 0)
		fatal("cipher_encrypt: bad plaintext length %d", len);

	switch (context->type) {
	case SSH_CIPHER_NONE:
		memcpy(dest, src, len);
		break;

	case SSH_CIPHER_3DES:
		SSH_3CBC_ENCRYPT(context->u.des3.key1,
				 context->u.des3.key2, &context->u.des3.iv2,
				 context->u.des3.key3, &context->u.des3.iv3,
				 dest, (unsigned char *) src, len);
		break;

	case SSH_CIPHER_BLOWFISH:
		swap_bytes(src, dest, len);
		BF_cbc_encrypt(dest, dest, len,
			       &context->u.bf.key, context->u.bf.iv,
			       BF_ENCRYPT);
		swap_bytes(dest, dest, len);
		break;

	case SSH_CIPHER_BLOWFISH_CBC:
		BF_cbc_encrypt((void *)src, dest, len,
			       &context->u.bf.key, context->u.bf.iv,
			       BF_ENCRYPT);
		break;

	case SSH_CIPHER_3DES_CBC:
		des_ede3_cbc_encrypt(src, dest, len,
		    context->u.des3.key1, context->u.des3.key2,
		    context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT);
		break;

	case SSH_CIPHER_ARCFOUR:
		RC4(&context->u.rc4, len, (unsigned char *)src, dest);
		break;

	case SSH_CIPHER_CAST128_CBC:
		CAST_cbc_encrypt(src, dest, len,
		    &context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT);
		break;

	default:
		fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
	}
}

/* Decrypts data using the cipher. */

void
cipher_decrypt(CipherContext *context, unsigned char *dest,
	       const unsigned char *src, unsigned int len)
{
	if ((len & 7) != 0)
		fatal("cipher_decrypt: bad ciphertext length %d", len);

	switch (context->type) {
	case SSH_CIPHER_NONE:
		memcpy(dest, src, len);
		break;

	case SSH_CIPHER_3DES:
		SSH_3CBC_DECRYPT(context->u.des3.key1,
				 context->u.des3.key2, &context->u.des3.iv2,
				 context->u.des3.key3, &context->u.des3.iv3,
				 dest, (unsigned char *) src, len);
		break;

	case SSH_CIPHER_BLOWFISH:
		swap_bytes(src, dest, len);
		BF_cbc_encrypt((void *) dest, dest, len,
			       &context->u.bf.key, context->u.bf.iv,
			       BF_DECRYPT);
		swap_bytes(dest, dest, len);
		break;

	case SSH_CIPHER_BLOWFISH_CBC:
		BF_cbc_encrypt((void *) src, dest, len,
			       &context->u.bf.key, context->u.bf.iv,
			       BF_DECRYPT);
		break;

	case SSH_CIPHER_3DES_CBC:
		des_ede3_cbc_encrypt(src, dest, len,
		    context->u.des3.key1, context->u.des3.key2,
		    context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT);
		break;

	case SSH_CIPHER_ARCFOUR:
		RC4(&context->u.rc4, len, (unsigned char *)src, dest);
		break;

	case SSH_CIPHER_CAST128_CBC:
		CAST_cbc_encrypt(src, dest, len,
		    &context->u.cast.key, context->u.cast.iv, CAST_DECRYPT);
		break;

	default:
		fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));
	}
}
Commit	Line	Data
8efc0c15	1	/*
5260325f	2	* Author: Tatu Ylonen <ylo@cs.hut.fi>
5260325f	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5260325f	4	* All rights reserved
6ae2364d	5	*
bcbf86ec	6	* As far as I am concerned, the code I have written for this software
	7	* can be used freely for any purpose. Any derived versions of this
	8	* software must be clearly marked as such, and if the derived work is
	9	* incompatible with the protocol description in the RFC file, it must be
	10	* called by a name other than "ssh" or "Secure Shell".
	11	*
	12	*
	13	* Copyright (c) 1999 Niels Provos. All rights reserved.
	14	* Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
	15	*
	16	* Redistribution and use in source and binary forms, with or without
	17	* modification, are permitted provided that the following conditions
	18	* are met:
	19	* 1. Redistributions of source code must retain the above copyright
	20	* notice, this list of conditions and the following disclaimer.
	21	* 2. Redistributions in binary form must reproduce the above copyright
	22	* notice, this list of conditions and the following disclaimer in the
	23	* documentation and/or other materials provided with the distribution.
6ae2364d	24	*
bcbf86ec	25	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	26	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	27	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	28	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	29	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	30	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	31	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	32	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	33	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	34	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
5260325f	35	*/
8efc0c15	36
8efc0c15	37	#include "includes.h"
bcbf86ec	38	RCSID("$OpenBSD: cipher.c,v 1.31 2000/09/12 00:38:32 deraadt Exp $");
8efc0c15	39
	40	#include "ssh.h"
	41	#include "cipher.h"
a8be9f80	42	#include "xmalloc.h"
8efc0c15	43
	44	#include <openssl/md5.h>
	45
	46	/*
a8be9f80	47	* This is used by SSH1:
	48	*
	49	* What kind of triple DES are these 2 routines?
8efc0c15	50	*
	51	* Why is there a redundant initialization vector?
	52	*
	53	* If only iv3 was used, then, this would till effect have been
	54	* outer-cbc. However, there is also a private iv1 == iv2 which
	55	* perhaps makes differential analysis easier. On the other hand, the
	56	* private iv1 probably makes the CRC-32 attack ineffective. This is a
	57	* result of that there is no longer any known iv1 to use when
	58	* choosing the X block.
	59	*/
	60	void
	61	SSH_3CBC_ENCRYPT(des_key_schedule ks1,
5260325f	62	des_key_schedule ks2, des_cblock * iv2,
5260325f	63	des_key_schedule ks3, des_cblock * iv3,
c8d54615	64	unsigned char dest, unsigned char src,
8efc0c15	65	unsigned int len)
8efc0c15	66	{
5260325f	67	des_cblock iv1;
8efc0c15	68
5260325f	69	memcpy(&iv1, iv2, 8);
8efc0c15	70
5260325f	71	des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
c8d54615	72	memcpy(&iv1, dest + len - 8, 8);
8efc0c15	73
5260325f	74	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
5260325f	75	memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */
8efc0c15	76
5260325f	77	des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
c8d54615	78	memcpy(iv3, dest + len - 8, 8);
8efc0c15	79	}
	80
	81	void
	82	SSH_3CBC_DECRYPT(des_key_schedule ks1,
5260325f	83	des_key_schedule ks2, des_cblock * iv2,
5260325f	84	des_key_schedule ks3, des_cblock * iv3,
c8d54615	85	unsigned char dest, unsigned char src,
8efc0c15	86	unsigned int len)
8efc0c15	87	{
5260325f	88	des_cblock iv1;
8efc0c15	89
5260325f	90	memcpy(&iv1, iv2, 8);
8efc0c15	91
5260325f	92	des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
c8d54615	93	memcpy(iv3, src + len - 8, 8);
8efc0c15	94
5260325f	95	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
c8d54615	96	memcpy(iv2, dest + len - 8, 8);
8efc0c15	97
5260325f	98	des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
	99	/* memcpy(&iv1, iv2, 8); */
	100	/* Note how iv1 == iv2 on entry and exit. */
8efc0c15	101	}
	102
	103	/*
a8be9f80	104	* SSH1 uses a variation on Blowfish, all bytes must be swapped before
8efc0c15	105	* and after encryption/decryption. Thus the swap_bytes stuff (yuk).
8efc0c15	106	*/
5260325f	107	static void
8efc0c15	108	swap_bytes(const unsigned char src, unsigned char dst_, int n)
8efc0c15	109	{
5260325f	110	/* dst must be properly aligned. */
	111	u_int32_t dst = (u_int32_t ) dst_;
	112	union {
	113	u_int32_t i;
	114	char c[4];
	115	} t;
	116
	117	/* Process 8 bytes every lap. */
	118	for (n = n / 8; n > 0; n--) {
	119	t.c[3] = *src++;
	120	t.c[2] = *src++;
	121	t.c[1] = *src++;
	122	t.c[0] = *src++;
	123	*dst++ = t.i;
	124
	125	t.c[3] = *src++;
	126	t.c[2] = *src++;
	127	t.c[1] = *src++;
	128	t.c[0] = *src++;
	129	*dst++ = t.i;
	130	}
8efc0c15	131	}
8efc0c15	132
aa3378df	133	/*
	134	* Names of all encryption algorithms.
	135	* These must match the numbers defined in cipher.h.
	136	*/
8efc0c15	137	static char *cipher_names[] =
8efc0c15	138	{
5260325f	139	"none",
	140	"idea",
	141	"des",
	142	"3des",
	143	"tss",
bcbf86ec	144	"rc4", /* Alleged RC4 */
7368a6c8	145	"blowfish",
	146	"reserved",
	147	"blowfish-cbc",
	148	"3des-cbc",
	149	"arcfour",
	150	"cast128-cbc"
8efc0c15	151	};
8efc0c15	152
aa3378df	153	/*
	154	* Returns a bit mask indicating which ciphers are supported by this
	155	* implementation. The bit mask has the corresponding bit set of each
	156	* supported cipher.
	157	*/
8efc0c15	158
6ae2364d	159	unsigned int
8ce64345	160	cipher_mask1()
8efc0c15	161	{
5260325f	162	unsigned int mask = 0;
	163	mask \|= 1 << SSH_CIPHER_3DES; /* Mandatory */
	164	mask \|= 1 << SSH_CIPHER_BLOWFISH;
8ce64345	165	return mask;
8ce64345	166	}
6ae2364d	167	unsigned int
8ce64345	168	cipher_mask2()
	169	{
	170	unsigned int mask = 0;
7368a6c8	171	mask \|= 1 << SSH_CIPHER_BLOWFISH_CBC;
	172	mask \|= 1 << SSH_CIPHER_3DES_CBC;
	173	mask \|= 1 << SSH_CIPHER_ARCFOUR;
	174	mask \|= 1 << SSH_CIPHER_CAST128_CBC;
5260325f	175	return mask;
8efc0c15	176	}
6ae2364d	177	unsigned int
8ce64345	178	cipher_mask()
	179	{
	180	return cipher_mask1() \| cipher_mask2();
	181	}
8efc0c15	182
	183	/* Returns the name of the cipher. */
	184
5260325f	185	const char *
5260325f	186	cipher_name(int cipher)
8efc0c15	187	{
5260325f	188	if (cipher < 0 \|\| cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) \|\|
5260325f	189	cipher_names[cipher] == NULL)
a8be9f80	190	fatal("cipher_name: bad cipher name: %d", cipher);
5260325f	191	return cipher_names[cipher];
8efc0c15	192	}
8efc0c15	193
a8be9f80	194	/* Returns 1 if the name of the ciphers are valid. */
	195
	196	#define CIPHER_SEP ","
	197	int
	198	ciphers_valid(const char *names)
	199	{
089fbbd2	200	char ciphers, cp;
a8be9f80	201	char *p;
	202	int i;
	203
71276795	204	if (names == NULL \|\| strcmp(names, "") == 0)
a8be9f80	205	return 0;
089fbbd2	206	ciphers = cp = xstrdup(names);
	207	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
	208	(p = strsep(&cp, CIPHER_SEP))) {
a8be9f80	209	i = cipher_number(p);
	210	if (i == -1 \|\| !(cipher_mask2() & (1 << i))) {
	211	xfree(ciphers);
	212	return 0;
	213	}
	214	}
	215	xfree(ciphers);
	216	return 1;
	217	}
	218
aa3378df	219	/*
	220	* Parses the name of the cipher. Returns the number of the corresponding
	221	* cipher, or -1 on error.
	222	*/
8efc0c15	223
	224	int
	225	cipher_number(const char *name)
	226	{
5260325f	227	int i;
71276795	228	if (name == NULL)
71276795	229	return -1;
5260325f	230	for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
	231	if (strcmp(cipher_names[i], name) == 0 &&
	232	(cipher_mask() & (1 << i)))
	233	return i;
	234	return -1;
8efc0c15	235	}
8efc0c15	236
aa3378df	237	/*
	238	* Selects the cipher, and keys if by computing the MD5 checksum of the
	239	* passphrase and using the resulting 16 bytes as the key.
	240	*/
8efc0c15	241
6ae2364d	242	void
8ce64345	243	cipher_set_key_string(CipherContext context, int cipher, const char passphrase)
8efc0c15	244	{
5260325f	245	MD5_CTX md;
	246	unsigned char digest[16];
	247
	248	MD5_Init(&md);
	249	MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
	250	MD5_Final(digest, &md);
	251
8ce64345	252	cipher_set_key(context, cipher, digest, 16);
5260325f	253
	254	memset(digest, 0, sizeof(digest));
	255	memset(&md, 0, sizeof(md));
8efc0c15	256	}
	257
	258	/* Selects the cipher to use and sets the key. */
	259
6ae2364d	260	void
8ce64345	261	cipher_set_key(CipherContext context, int cipher, const unsigned char key,
8ce64345	262	int keylen)
8efc0c15	263	{
5260325f	264	unsigned char padded[32];
	265
	266	/* Set cipher type. */
	267	context->type = cipher;
	268
	269	/* Get 32 bytes of key data. Pad if necessary. (So that code
	270	below does not need to worry about key size). */
	271	memset(padded, 0, sizeof(padded));
	272	memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));
	273
	274	/* Initialize the initialization vector. */
	275	switch (cipher) {
	276	case SSH_CIPHER_NONE:
aa3378df	277	/*
	278	* Has to stay for authfile saving of private key with no
	279	* passphrase
	280	*/
5260325f	281	break;
	282
	283	case SSH_CIPHER_3DES:
aa3378df	284	/*
	285	* Note: the least significant bit of each byte of key is
	286	* parity, and must be ignored by the implementation. 16
	287	* bytes of key are used (first and last keys are the same).
	288	*/
5260325f	289	if (keylen < 16)
	290	error("Key length %d is insufficient for 3DES.", keylen);
	291	des_set_key((void *) padded, context->u.des3.key1);
	292	des_set_key((void *) (padded + 8), context->u.des3.key2);
	293	if (keylen <= 16)
	294	des_set_key((void *) padded, context->u.des3.key3);
	295	else
	296	des_set_key((void *) (padded + 16), context->u.des3.key3);
	297	memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
	298	memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
	299	break;
	300
	301	case SSH_CIPHER_BLOWFISH:
7368a6c8	302	if (keylen < 16)
7368a6c8	303	error("Key length %d is insufficient for blowfish.", keylen);
5260325f	304	BF_set_key(&context->u.bf.key, keylen, padded);
	305	memset(context->u.bf.iv, 0, 8);
	306	break;
	307
7368a6c8	308	case SSH_CIPHER_3DES_CBC:
	309	case SSH_CIPHER_BLOWFISH_CBC:
	310	case SSH_CIPHER_ARCFOUR:
	311	case SSH_CIPHER_CAST128_CBC:
	312	fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher));
	313	break;
	314
5260325f	315	default:
	316	fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
	317	}
	318	memset(padded, 0, sizeof(padded));
8efc0c15	319	}
8efc0c15	320
6ae2364d	321	void
7368a6c8	322	cipher_set_key_iv(CipherContext * context, int cipher,
6ae2364d	323	const unsigned char *key, int keylen,
7368a6c8	324	const unsigned char *iv, int ivlen)
	325	{
	326	/* Set cipher type. */
	327	context->type = cipher;
	328
	329	/* Initialize the initialization vector. */
	330	switch (cipher) {
	331	case SSH_CIPHER_NONE:
	332	break;
	333
	334	case SSH_CIPHER_3DES:
	335	case SSH_CIPHER_BLOWFISH:
	336	fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher));
	337	break;
	338
	339	case SSH_CIPHER_3DES_CBC:
	340	if (keylen < 24)
	341	error("Key length %d is insufficient for 3des-cbc.", keylen);
	342	des_set_key((void *) key, context->u.des3.key1);
	343	des_set_key((void *) (key+8), context->u.des3.key2);
	344	des_set_key((void *) (key+16), context->u.des3.key3);
	345	if (ivlen < 8)
	346	error("IV length %d is insufficient for 3des-cbc.", ivlen);
	347	memcpy(context->u.des3.iv3, (char *)iv, 8);
	348	break;
	349
	350	case SSH_CIPHER_BLOWFISH_CBC:
	351	if (keylen < 16)
	352	error("Key length %d is insufficient for blowfish.", keylen);
	353	if (ivlen < 8)
	354	error("IV length %d is insufficient for blowfish.", ivlen);
	355	BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key);
	356	memcpy(context->u.bf.iv, (char *)iv, 8);
	357	break;
	358
	359	case SSH_CIPHER_ARCFOUR:
	360	if (keylen < 16)
	361	error("Key length %d is insufficient for arcfour.", keylen);
	362	RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key);
	363	break;
	364
	365	case SSH_CIPHER_CAST128_CBC:
	366	if (keylen < 16)
	367	error("Key length %d is insufficient for cast128.", keylen);
	368	if (ivlen < 8)
	369	error("IV length %d is insufficient for cast128.", ivlen);
	370	CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key);
	371	memcpy(context->u.cast.iv, (char *)iv, 8);
	372	break;
	373
	374	default:
	375	fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
	376	}
	377	}
	378
8efc0c15	379	/* Encrypts data using the cipher. */
8efc0c15	380
6ae2364d	381	void
5260325f	382	cipher_encrypt(CipherContext context, unsigned char dest,
5260325f	383	const unsigned char *src, unsigned int len)
8efc0c15	384	{
5260325f	385	if ((len & 7) != 0)
	386	fatal("cipher_encrypt: bad plaintext length %d", len);
	387
	388	switch (context->type) {
	389	case SSH_CIPHER_NONE:
	390	memcpy(dest, src, len);
	391	break;
	392
	393	case SSH_CIPHER_3DES:
	394	SSH_3CBC_ENCRYPT(context->u.des3.key1,
	395	context->u.des3.key2, &context->u.des3.iv2,
	396	context->u.des3.key3, &context->u.des3.iv3,
c8d54615	397	dest, (unsigned char *) src, len);
5260325f	398	break;
	399
	400	case SSH_CIPHER_BLOWFISH:
	401	swap_bytes(src, dest, len);
	402	BF_cbc_encrypt(dest, dest, len,
6ae2364d	403	&context->u.bf.key, context->u.bf.iv,
5260325f	404	BF_ENCRYPT);
	405	swap_bytes(dest, dest, len);
	406	break;
	407
7368a6c8	408	case SSH_CIPHER_BLOWFISH_CBC:
7368a6c8	409	BF_cbc_encrypt((void *)src, dest, len,
6ae2364d	410	&context->u.bf.key, context->u.bf.iv,
7368a6c8	411	BF_ENCRYPT);
	412	break;
	413
	414	case SSH_CIPHER_3DES_CBC:
	415	des_ede3_cbc_encrypt(src, dest, len,
	416	context->u.des3.key1, context->u.des3.key2,
	417	context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT);
	418	break;
	419
	420	case SSH_CIPHER_ARCFOUR:
	421	RC4(&context->u.rc4, len, (unsigned char *)src, dest);
	422	break;
	423
	424	case SSH_CIPHER_CAST128_CBC:
	425	CAST_cbc_encrypt(src, dest, len,
	426	&context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT);
	427	break;
	428
5260325f	429	default:
	430	fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
	431	}
8efc0c15	432	}
5260325f	433
8efc0c15	434	/* Decrypts data using the cipher. */
8efc0c15	435
6ae2364d	436	void
5260325f	437	cipher_decrypt(CipherContext context, unsigned char dest,
5260325f	438	const unsigned char *src, unsigned int len)
8efc0c15	439	{
5260325f	440	if ((len & 7) != 0)
	441	fatal("cipher_decrypt: bad ciphertext length %d", len);
	442
	443	switch (context->type) {
	444	case SSH_CIPHER_NONE:
	445	memcpy(dest, src, len);
	446	break;
	447
	448	case SSH_CIPHER_3DES:
5260325f	449	SSH_3CBC_DECRYPT(context->u.des3.key1,
	450	context->u.des3.key2, &context->u.des3.iv2,
	451	context->u.des3.key3, &context->u.des3.iv3,
c8d54615	452	dest, (unsigned char *) src, len);
5260325f	453	break;
	454
	455	case SSH_CIPHER_BLOWFISH:
5260325f	456	swap_bytes(src, dest, len);
	457	BF_cbc_encrypt((void *) dest, dest, len,
	458	&context->u.bf.key, context->u.bf.iv,
	459	BF_DECRYPT);
	460	swap_bytes(dest, dest, len);
	461	break;
	462
7368a6c8	463	case SSH_CIPHER_BLOWFISH_CBC:
	464	BF_cbc_encrypt((void *) src, dest, len,
	465	&context->u.bf.key, context->u.bf.iv,
	466	BF_DECRYPT);
	467	break;
	468
	469	case SSH_CIPHER_3DES_CBC:
	470	des_ede3_cbc_encrypt(src, dest, len,
	471	context->u.des3.key1, context->u.des3.key2,
	472	context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT);
	473	break;
	474
	475	case SSH_CIPHER_ARCFOUR:
	476	RC4(&context->u.rc4, len, (unsigned char *)src, dest);
	477	break;
	478
	479	case SSH_CIPHER_CAST128_CBC:
	480	CAST_cbc_encrypt(src, dest, len,
	481	&context->u.cast.key, context->u.cast.iv, CAST_DECRYPT);
	482	break;
	483
5260325f	484	default:
	485	fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));
	486	}
8efc0c15	487	}