[openssh.git] / cipher.c

/*
 * 
 * cipher.c
 * 
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * 
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * 
 * Created: Wed Apr 19 17:41:39 1995 ylo
 * 
 */

#include "includes.h"
RCSID("$Id$");

#include "ssh.h"
#include "cipher.h"
#include "xmalloc.h"

#ifdef HAVE_OPENSSL
#include <openssl/md5.h>
#endif
#ifdef HAVE_SSL
#include <ssl/md5.h>
#endif

/*
 * This is used by SSH1:
 *
 * What kind of triple DES are these 2 routines?
 *
 * Why is there a redundant initialization vector?
 *
 * If only iv3 was used, then, this would till effect have been
 * outer-cbc. However, there is also a private iv1 == iv2 which
 * perhaps makes differential analysis easier. On the other hand, the
 * private iv1 probably makes the CRC-32 attack ineffective. This is a
 * result of that there is no longer any known iv1 to use when
 * choosing the X block.
 */
void
SSH_3CBC_ENCRYPT(des_key_schedule ks1,
		 des_key_schedule ks2, des_cblock * iv2,
		 des_key_schedule ks3, des_cblock * iv3,
		 unsigned char *dest, unsigned char *src,
		 unsigned int len)
{
	des_cblock iv1;

	memcpy(&iv1, iv2, 8);

	des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
	memcpy(&iv1, dest + len - 8, 8);

	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
	memcpy(iv2, &iv1, 8);	/* Note how iv1 == iv2 on entry and exit. */

	des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
	memcpy(iv3, dest + len - 8, 8);
}

void
SSH_3CBC_DECRYPT(des_key_schedule ks1,
		 des_key_schedule ks2, des_cblock * iv2,
		 des_key_schedule ks3, des_cblock * iv3,
		 unsigned char *dest, unsigned char *src,
		 unsigned int len)
{
	des_cblock iv1;

	memcpy(&iv1, iv2, 8);

	des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
	memcpy(iv3, src + len - 8, 8);

	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
	memcpy(iv2, dest + len - 8, 8);

	des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
	/* memcpy(&iv1, iv2, 8); */
	/* Note how iv1 == iv2 on entry and exit. */
}

/*
 * SSH1 uses a variation on Blowfish, all bytes must be swapped before
 * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
 */
static void
swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
{
	/* dst must be properly aligned. */
	u_int32_t *dst = (u_int32_t *) dst_;
	union {
		u_int32_t i;
		char c[4];
	} t;

	/* Process 8 bytes every lap. */
	for (n = n / 8; n > 0; n--) {
		t.c[3] = *src++;
		t.c[2] = *src++;
		t.c[1] = *src++;
		t.c[0] = *src++;
		*dst++ = t.i;

		t.c[3] = *src++;
		t.c[2] = *src++;
		t.c[1] = *src++;
		t.c[0] = *src++;
		*dst++ = t.i;
	}
}

/*
 * Names of all encryption algorithms.
 * These must match the numbers defined in cipher.h.
 */
static char *cipher_names[] =
{
	"none",
	"idea",
	"des",
	"3des",
	"tss",
	"rc4",
	"blowfish",
	"reserved",
	"blowfish-cbc",
	"3des-cbc",
	"arcfour",
	"cast128-cbc"
};

/*
 * Returns a bit mask indicating which ciphers are supported by this
 * implementation.  The bit mask has the corresponding bit set of each
 * supported cipher.
 */

unsigned int 
cipher_mask1()
{
	unsigned int mask = 0;
	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
	mask |= 1 << SSH_CIPHER_BLOWFISH;
	return mask;
}
unsigned int 
cipher_mask2()
{
	unsigned int mask = 0;
	mask |= 1 << SSH_CIPHER_BLOWFISH_CBC;
	mask |= 1 << SSH_CIPHER_3DES_CBC;
	mask |= 1 << SSH_CIPHER_ARCFOUR;
	mask |= 1 << SSH_CIPHER_CAST128_CBC;
	return mask;
}
unsigned int 
cipher_mask()
{
	return cipher_mask1() | cipher_mask2();
}

/* Returns the name of the cipher. */

const char *
cipher_name(int cipher)
{
	if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
	    cipher_names[cipher] == NULL)
		fatal("cipher_name: bad cipher name: %d", cipher);
	return cipher_names[cipher];
}

/* Returns 1 if the name of the ciphers are valid. */

#define	CIPHER_SEP	","
int
ciphers_valid(const char *names)
{
	char *ciphers;
	char *p;
	int i;

	if (strcmp(names, "") == 0)
		return 0;
	ciphers = xstrdup(names);
	for ((p = strtok(ciphers, CIPHER_SEP)); p; (p = strtok(NULL, CIPHER_SEP))) {
		i = cipher_number(p);
		if (i == -1 || !(cipher_mask2() & (1 << i))) {
			xfree(ciphers);
			return 0;
		}
	}
	xfree(ciphers);
	return 1;
}

/*
 * Parses the name of the cipher.  Returns the number of the corresponding
 * cipher, or -1 on error.
 */

int
cipher_number(const char *name)
{
	int i;
	for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
		if (strcmp(cipher_names[i], name) == 0 &&
		    (cipher_mask() & (1 << i)))
			return i;
	return -1;
}

/*
 * Selects the cipher, and keys if by computing the MD5 checksum of the
 * passphrase and using the resulting 16 bytes as the key.
 */

void 
cipher_set_key_string(CipherContext *context, int cipher, const char *passphrase)
{
	MD5_CTX md;
	unsigned char digest[16];

	MD5_Init(&md);
	MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
	MD5_Final(digest, &md);

	cipher_set_key(context, cipher, digest, 16);

	memset(digest, 0, sizeof(digest));
	memset(&md, 0, sizeof(md));
}

/* Selects the cipher to use and sets the key. */

void 
cipher_set_key(CipherContext *context, int cipher, const unsigned char *key,
    int keylen)
{
	unsigned char padded[32];

	/* Set cipher type. */
	context->type = cipher;

	/* Get 32 bytes of key data.  Pad if necessary.  (So that code
	   below does not need to worry about key size). */
	memset(padded, 0, sizeof(padded));
	memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));

	/* Initialize the initialization vector. */
	switch (cipher) {
	case SSH_CIPHER_NONE:
		/*
		 * Has to stay for authfile saving of private key with no
		 * passphrase
		 */
		break;

	case SSH_CIPHER_3DES:
		/*
		 * Note: the least significant bit of each byte of key is
		 * parity, and must be ignored by the implementation.  16
		 * bytes of key are used (first and last keys are the same).
		 */
		if (keylen < 16)
			error("Key length %d is insufficient for 3DES.", keylen);
		des_set_key((void *) padded, context->u.des3.key1);
		des_set_key((void *) (padded + 8), context->u.des3.key2);
		if (keylen <= 16)
			des_set_key((void *) padded, context->u.des3.key3);
		else
			des_set_key((void *) (padded + 16), context->u.des3.key3);
		memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
		memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
		break;

	case SSH_CIPHER_BLOWFISH:
		if (keylen < 16)
			error("Key length %d is insufficient for blowfish.", keylen);
		BF_set_key(&context->u.bf.key, keylen, padded);
		memset(context->u.bf.iv, 0, 8);
		break;

	case SSH_CIPHER_3DES_CBC:
	case SSH_CIPHER_BLOWFISH_CBC:
	case SSH_CIPHER_ARCFOUR:
	case SSH_CIPHER_CAST128_CBC:
		fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher));
		break;

	default:
		fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
	}
	memset(padded, 0, sizeof(padded));
}

void 
cipher_set_key_iv(CipherContext * context, int cipher,
    const unsigned char *key, int keylen, 
    const unsigned char *iv, int ivlen)
{
	/* Set cipher type. */
	context->type = cipher;

	/* Initialize the initialization vector. */
	switch (cipher) {
	case SSH_CIPHER_NONE:
		break;

	case SSH_CIPHER_3DES:
	case SSH_CIPHER_BLOWFISH:
		fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher));
		break;

	case SSH_CIPHER_3DES_CBC:
		if (keylen < 24)
			error("Key length %d is insufficient for 3des-cbc.", keylen);
		des_set_key((void *) key, context->u.des3.key1);
		des_set_key((void *) (key+8), context->u.des3.key2);
		des_set_key((void *) (key+16), context->u.des3.key3);
		if (ivlen < 8)
			error("IV length %d is insufficient for 3des-cbc.", ivlen);
		memcpy(context->u.des3.iv3, (char *)iv, 8);
		break;

	case SSH_CIPHER_BLOWFISH_CBC:
		if (keylen < 16)
			error("Key length %d is insufficient for blowfish.", keylen);
		if (ivlen < 8)
			error("IV length %d is insufficient for blowfish.", ivlen);
		BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key);
		memcpy(context->u.bf.iv, (char *)iv, 8);
		break;

	case SSH_CIPHER_ARCFOUR:
		if (keylen < 16)
			error("Key length %d is insufficient for arcfour.", keylen);
		RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key);
		break;

	case SSH_CIPHER_CAST128_CBC:
		if (keylen < 16)
			error("Key length %d is insufficient for cast128.", keylen);
		if (ivlen < 8)
			error("IV length %d is insufficient for cast128.", ivlen);
		CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key);
		memcpy(context->u.cast.iv, (char *)iv, 8);
		break;

	default:
		fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
	}
}

/* Encrypts data using the cipher. */

void 
cipher_encrypt(CipherContext *context, unsigned char *dest,
	       const unsigned char *src, unsigned int len)
{
	if ((len & 7) != 0)
		fatal("cipher_encrypt: bad plaintext length %d", len);

	switch (context->type) {
	case SSH_CIPHER_NONE:
		memcpy(dest, src, len);
		break;

	case SSH_CIPHER_3DES:
		SSH_3CBC_ENCRYPT(context->u.des3.key1,
				 context->u.des3.key2, &context->u.des3.iv2,
				 context->u.des3.key3, &context->u.des3.iv3,
				 dest, (unsigned char *) src, len);
		break;

	case SSH_CIPHER_BLOWFISH:
		swap_bytes(src, dest, len);
		BF_cbc_encrypt(dest, dest, len,
		               &context->u.bf.key, context->u.bf.iv,
			       BF_ENCRYPT);
		swap_bytes(dest, dest, len);
		break;

	case SSH_CIPHER_BLOWFISH_CBC:
		BF_cbc_encrypt((void *)src, dest, len,
		               &context->u.bf.key, context->u.bf.iv,
			       BF_ENCRYPT);
		break;

	case SSH_CIPHER_3DES_CBC:
		des_ede3_cbc_encrypt(src, dest, len,
		    context->u.des3.key1, context->u.des3.key2,
		    context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT);
		break;

	case SSH_CIPHER_ARCFOUR:
		RC4(&context->u.rc4, len, (unsigned char *)src, dest);
		break;

	case SSH_CIPHER_CAST128_CBC:
		CAST_cbc_encrypt(src, dest, len,
		    &context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT);
		break;

	default:
		fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
	}
}

/* Decrypts data using the cipher. */

void 
cipher_decrypt(CipherContext *context, unsigned char *dest,
	       const unsigned char *src, unsigned int len)
{
	if ((len & 7) != 0)
		fatal("cipher_decrypt: bad ciphertext length %d", len);

	switch (context->type) {
	case SSH_CIPHER_NONE:
		memcpy(dest, src, len);
		break;

	case SSH_CIPHER_3DES:
		SSH_3CBC_DECRYPT(context->u.des3.key1,
				 context->u.des3.key2, &context->u.des3.iv2,
				 context->u.des3.key3, &context->u.des3.iv3,
				 dest, (unsigned char *) src, len);
		break;

	case SSH_CIPHER_BLOWFISH:
		swap_bytes(src, dest, len);
		BF_cbc_encrypt((void *) dest, dest, len,
			       &context->u.bf.key, context->u.bf.iv,
			       BF_DECRYPT);
		swap_bytes(dest, dest, len);
		break;

	case SSH_CIPHER_BLOWFISH_CBC:
		BF_cbc_encrypt((void *) src, dest, len,
			       &context->u.bf.key, context->u.bf.iv,
			       BF_DECRYPT);
		break;

	case SSH_CIPHER_3DES_CBC:
		des_ede3_cbc_encrypt(src, dest, len,
		    context->u.des3.key1, context->u.des3.key2,
		    context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT);
		break;

	case SSH_CIPHER_ARCFOUR:
		RC4(&context->u.rc4, len, (unsigned char *)src, dest);
		break;

	case SSH_CIPHER_CAST128_CBC:
		CAST_cbc_encrypt(src, dest, len,
		    &context->u.cast.key, context->u.cast.iv, CAST_DECRYPT);
		break;

	default:
		fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));
	}
}
Commit	Line	Data
8efc0c15	1	/*
5260325f	2	*
	3	* cipher.c
	4	*
	5	* Author: Tatu Ylonen <ylo@cs.hut.fi>
	6	*
	7	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	8	* All rights reserved
	9	*
	10	* Created: Wed Apr 19 17:41:39 1995 ylo
	11	*
	12	*/
8efc0c15	13
	14	#include "includes.h"
	15	RCSID("$Id$");
	16
	17	#include "ssh.h"
	18	#include "cipher.h"
a8be9f80	19	#include "xmalloc.h"
8efc0c15	20
5881cd60	21	#ifdef HAVE_OPENSSL
8efc0c15	22	#include <openssl/md5.h>
5881cd60	23	#endif
	24	#ifdef HAVE_SSL
	25	#include <ssl/md5.h>
	26	#endif
8efc0c15	27
8efc0c15	28	/*
a8be9f80	29	* This is used by SSH1:
	30	*
	31	* What kind of triple DES are these 2 routines?
8efc0c15	32	*
	33	* Why is there a redundant initialization vector?
	34	*
	35	* If only iv3 was used, then, this would till effect have been
	36	* outer-cbc. However, there is also a private iv1 == iv2 which
	37	* perhaps makes differential analysis easier. On the other hand, the
	38	* private iv1 probably makes the CRC-32 attack ineffective. This is a
	39	* result of that there is no longer any known iv1 to use when
	40	* choosing the X block.
	41	*/
	42	void
	43	SSH_3CBC_ENCRYPT(des_key_schedule ks1,
5260325f	44	des_key_schedule ks2, des_cblock * iv2,
5260325f	45	des_key_schedule ks3, des_cblock * iv3,
c8d54615	46	unsigned char dest, unsigned char src,
8efc0c15	47	unsigned int len)
8efc0c15	48	{
5260325f	49	des_cblock iv1;
8efc0c15	50
5260325f	51	memcpy(&iv1, iv2, 8);
8efc0c15	52
5260325f	53	des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
c8d54615	54	memcpy(&iv1, dest + len - 8, 8);
8efc0c15	55
5260325f	56	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
5260325f	57	memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */
8efc0c15	58
5260325f	59	des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
c8d54615	60	memcpy(iv3, dest + len - 8, 8);
8efc0c15	61	}
	62
	63	void
	64	SSH_3CBC_DECRYPT(des_key_schedule ks1,
5260325f	65	des_key_schedule ks2, des_cblock * iv2,
5260325f	66	des_key_schedule ks3, des_cblock * iv3,
c8d54615	67	unsigned char dest, unsigned char src,
8efc0c15	68	unsigned int len)
8efc0c15	69	{
5260325f	70	des_cblock iv1;
8efc0c15	71
5260325f	72	memcpy(&iv1, iv2, 8);
8efc0c15	73
5260325f	74	des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
c8d54615	75	memcpy(iv3, src + len - 8, 8);
8efc0c15	76
5260325f	77	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
c8d54615	78	memcpy(iv2, dest + len - 8, 8);
8efc0c15	79
5260325f	80	des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
	81	/* memcpy(&iv1, iv2, 8); */
	82	/* Note how iv1 == iv2 on entry and exit. */
8efc0c15	83	}
	84
	85	/*
a8be9f80	86	* SSH1 uses a variation on Blowfish, all bytes must be swapped before
8efc0c15	87	* and after encryption/decryption. Thus the swap_bytes stuff (yuk).
8efc0c15	88	*/
5260325f	89	static void
8efc0c15	90	swap_bytes(const unsigned char src, unsigned char dst_, int n)
8efc0c15	91	{
5260325f	92	/* dst must be properly aligned. */
	93	u_int32_t dst = (u_int32_t ) dst_;
	94	union {
	95	u_int32_t i;
	96	char c[4];
	97	} t;
	98
	99	/* Process 8 bytes every lap. */
	100	for (n = n / 8; n > 0; n--) {
	101	t.c[3] = *src++;
	102	t.c[2] = *src++;
	103	t.c[1] = *src++;
	104	t.c[0] = *src++;
	105	*dst++ = t.i;
	106
	107	t.c[3] = *src++;
	108	t.c[2] = *src++;
	109	t.c[1] = *src++;
	110	t.c[0] = *src++;
	111	*dst++ = t.i;
	112	}
8efc0c15	113	}
8efc0c15	114
aa3378df	115	/*
	116	* Names of all encryption algorithms.
	117	* These must match the numbers defined in cipher.h.
	118	*/
8efc0c15	119	static char *cipher_names[] =
8efc0c15	120	{
5260325f	121	"none",
	122	"idea",
	123	"des",
	124	"3des",
	125	"tss",
	126	"rc4",
7368a6c8	127	"blowfish",
	128	"reserved",
	129	"blowfish-cbc",
	130	"3des-cbc",
	131	"arcfour",
	132	"cast128-cbc"
8efc0c15	133	};
8efc0c15	134
aa3378df	135	/*
	136	* Returns a bit mask indicating which ciphers are supported by this
	137	* implementation. The bit mask has the corresponding bit set of each
	138	* supported cipher.
	139	*/
8efc0c15	140
5260325f	141	unsigned int
8ce64345	142	cipher_mask1()
8efc0c15	143	{
5260325f	144	unsigned int mask = 0;
	145	mask \|= 1 << SSH_CIPHER_3DES; /* Mandatory */
	146	mask \|= 1 << SSH_CIPHER_BLOWFISH;
8ce64345	147	return mask;
	148	}
	149	unsigned int
	150	cipher_mask2()
	151	{
	152	unsigned int mask = 0;
7368a6c8	153	mask \|= 1 << SSH_CIPHER_BLOWFISH_CBC;
	154	mask \|= 1 << SSH_CIPHER_3DES_CBC;
	155	mask \|= 1 << SSH_CIPHER_ARCFOUR;
	156	mask \|= 1 << SSH_CIPHER_CAST128_CBC;
5260325f	157	return mask;
8efc0c15	158	}
8ce64345	159	unsigned int
	160	cipher_mask()
	161	{
	162	return cipher_mask1() \| cipher_mask2();
	163	}
8efc0c15	164
	165	/* Returns the name of the cipher. */
	166
5260325f	167	const char *
5260325f	168	cipher_name(int cipher)
8efc0c15	169	{
5260325f	170	if (cipher < 0 \|\| cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) \|\|
5260325f	171	cipher_names[cipher] == NULL)
a8be9f80	172	fatal("cipher_name: bad cipher name: %d", cipher);
5260325f	173	return cipher_names[cipher];
8efc0c15	174	}
8efc0c15	175
a8be9f80	176	/* Returns 1 if the name of the ciphers are valid. */
	177
	178	#define CIPHER_SEP ","
	179	int
	180	ciphers_valid(const char *names)
	181	{
	182	char *ciphers;
	183	char *p;
	184	int i;
	185
	186	if (strcmp(names, "") == 0)
	187	return 0;
	188	ciphers = xstrdup(names);
	189	for ((p = strtok(ciphers, CIPHER_SEP)); p; (p = strtok(NULL, CIPHER_SEP))) {
	190	i = cipher_number(p);
	191	if (i == -1 \|\| !(cipher_mask2() & (1 << i))) {
	192	xfree(ciphers);
	193	return 0;
	194	}
	195	}
	196	xfree(ciphers);
	197	return 1;
	198	}
	199
aa3378df	200	/*
	201	* Parses the name of the cipher. Returns the number of the corresponding
	202	* cipher, or -1 on error.
	203	*/
8efc0c15	204
	205	int
	206	cipher_number(const char *name)
	207	{
5260325f	208	int i;
	209	for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
	210	if (strcmp(cipher_names[i], name) == 0 &&
	211	(cipher_mask() & (1 << i)))
	212	return i;
	213	return -1;
8efc0c15	214	}
8efc0c15	215
aa3378df	216	/*
	217	* Selects the cipher, and keys if by computing the MD5 checksum of the
	218	* passphrase and using the resulting 16 bytes as the key.
	219	*/
8efc0c15	220
5260325f	221	void
8ce64345	222	cipher_set_key_string(CipherContext context, int cipher, const char passphrase)
8efc0c15	223	{
5260325f	224	MD5_CTX md;
	225	unsigned char digest[16];
	226
	227	MD5_Init(&md);
	228	MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
	229	MD5_Final(digest, &md);
	230
8ce64345	231	cipher_set_key(context, cipher, digest, 16);
5260325f	232
	233	memset(digest, 0, sizeof(digest));
	234	memset(&md, 0, sizeof(md));
8efc0c15	235	}
	236
	237	/* Selects the cipher to use and sets the key. */
	238
5260325f	239	void
8ce64345	240	cipher_set_key(CipherContext context, int cipher, const unsigned char key,
8ce64345	241	int keylen)
8efc0c15	242	{
5260325f	243	unsigned char padded[32];
	244
	245	/* Set cipher type. */
	246	context->type = cipher;
	247
	248	/* Get 32 bytes of key data. Pad if necessary. (So that code
	249	below does not need to worry about key size). */
	250	memset(padded, 0, sizeof(padded));
	251	memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));
	252
	253	/* Initialize the initialization vector. */
	254	switch (cipher) {
	255	case SSH_CIPHER_NONE:
aa3378df	256	/*
	257	* Has to stay for authfile saving of private key with no
	258	* passphrase
	259	*/
5260325f	260	break;
	261
	262	case SSH_CIPHER_3DES:
aa3378df	263	/*
	264	* Note: the least significant bit of each byte of key is
	265	* parity, and must be ignored by the implementation. 16
	266	* bytes of key are used (first and last keys are the same).
	267	*/
5260325f	268	if (keylen < 16)
	269	error("Key length %d is insufficient for 3DES.", keylen);
	270	des_set_key((void *) padded, context->u.des3.key1);
	271	des_set_key((void *) (padded + 8), context->u.des3.key2);
	272	if (keylen <= 16)
	273	des_set_key((void *) padded, context->u.des3.key3);
	274	else
	275	des_set_key((void *) (padded + 16), context->u.des3.key3);
	276	memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
	277	memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
	278	break;
	279
	280	case SSH_CIPHER_BLOWFISH:
7368a6c8	281	if (keylen < 16)
7368a6c8	282	error("Key length %d is insufficient for blowfish.", keylen);
5260325f	283	BF_set_key(&context->u.bf.key, keylen, padded);
	284	memset(context->u.bf.iv, 0, 8);
	285	break;
	286
7368a6c8	287	case SSH_CIPHER_3DES_CBC:
	288	case SSH_CIPHER_BLOWFISH_CBC:
	289	case SSH_CIPHER_ARCFOUR:
	290	case SSH_CIPHER_CAST128_CBC:
	291	fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher));
	292	break;
	293
5260325f	294	default:
	295	fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
	296	}
	297	memset(padded, 0, sizeof(padded));
8efc0c15	298	}
8efc0c15	299
7368a6c8	300	void
	301	cipher_set_key_iv(CipherContext * context, int cipher,
	302	const unsigned char *key, int keylen,
	303	const unsigned char *iv, int ivlen)
	304	{
	305	/* Set cipher type. */
	306	context->type = cipher;
	307
	308	/* Initialize the initialization vector. */
	309	switch (cipher) {
	310	case SSH_CIPHER_NONE:
	311	break;
	312
	313	case SSH_CIPHER_3DES:
	314	case SSH_CIPHER_BLOWFISH:
	315	fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher));
	316	break;
	317
	318	case SSH_CIPHER_3DES_CBC:
	319	if (keylen < 24)
	320	error("Key length %d is insufficient for 3des-cbc.", keylen);
	321	des_set_key((void *) key, context->u.des3.key1);
	322	des_set_key((void *) (key+8), context->u.des3.key2);
	323	des_set_key((void *) (key+16), context->u.des3.key3);
	324	if (ivlen < 8)
	325	error("IV length %d is insufficient for 3des-cbc.", ivlen);
	326	memcpy(context->u.des3.iv3, (char *)iv, 8);
	327	break;
	328
	329	case SSH_CIPHER_BLOWFISH_CBC:
	330	if (keylen < 16)
	331	error("Key length %d is insufficient for blowfish.", keylen);
	332	if (ivlen < 8)
	333	error("IV length %d is insufficient for blowfish.", ivlen);
	334	BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key);
	335	memcpy(context->u.bf.iv, (char *)iv, 8);
	336	break;
	337
	338	case SSH_CIPHER_ARCFOUR:
	339	if (keylen < 16)
	340	error("Key length %d is insufficient for arcfour.", keylen);
	341	RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key);
	342	break;
	343
	344	case SSH_CIPHER_CAST128_CBC:
	345	if (keylen < 16)
	346	error("Key length %d is insufficient for cast128.", keylen);
	347	if (ivlen < 8)
	348	error("IV length %d is insufficient for cast128.", ivlen);
	349	CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key);
	350	memcpy(context->u.cast.iv, (char *)iv, 8);
	351	break;
	352
	353	default:
	354	fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
	355	}
	356	}
	357
8efc0c15	358	/* Encrypts data using the cipher. */
8efc0c15	359
5260325f	360	void
	361	cipher_encrypt(CipherContext context, unsigned char dest,
	362	const unsigned char *src, unsigned int len)
8efc0c15	363	{
5260325f	364	if ((len & 7) != 0)
	365	fatal("cipher_encrypt: bad plaintext length %d", len);
	366
	367	switch (context->type) {
	368	case SSH_CIPHER_NONE:
	369	memcpy(dest, src, len);
	370	break;
	371
	372	case SSH_CIPHER_3DES:
	373	SSH_3CBC_ENCRYPT(context->u.des3.key1,
	374	context->u.des3.key2, &context->u.des3.iv2,
	375	context->u.des3.key3, &context->u.des3.iv3,
c8d54615	376	dest, (unsigned char *) src, len);
5260325f	377	break;
	378
	379	case SSH_CIPHER_BLOWFISH:
	380	swap_bytes(src, dest, len);
	381	BF_cbc_encrypt(dest, dest, len,
	382	&context->u.bf.key, context->u.bf.iv,
	383	BF_ENCRYPT);
	384	swap_bytes(dest, dest, len);
	385	break;
	386
7368a6c8	387	case SSH_CIPHER_BLOWFISH_CBC:
	388	BF_cbc_encrypt((void *)src, dest, len,
	389	&context->u.bf.key, context->u.bf.iv,
	390	BF_ENCRYPT);
	391	break;
	392
	393	case SSH_CIPHER_3DES_CBC:
	394	des_ede3_cbc_encrypt(src, dest, len,
	395	context->u.des3.key1, context->u.des3.key2,
	396	context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT);
	397	break;
	398
	399	case SSH_CIPHER_ARCFOUR:
	400	RC4(&context->u.rc4, len, (unsigned char *)src, dest);
	401	break;
	402
	403	case SSH_CIPHER_CAST128_CBC:
	404	CAST_cbc_encrypt(src, dest, len,
	405	&context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT);
	406	break;
	407
5260325f	408	default:
	409	fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
	410	}
8efc0c15	411	}
5260325f	412
8efc0c15	413	/* Decrypts data using the cipher. */
8efc0c15	414
5260325f	415	void
	416	cipher_decrypt(CipherContext context, unsigned char dest,
	417	const unsigned char *src, unsigned int len)
8efc0c15	418	{
5260325f	419	if ((len & 7) != 0)
	420	fatal("cipher_decrypt: bad ciphertext length %d", len);
	421
	422	switch (context->type) {
	423	case SSH_CIPHER_NONE:
	424	memcpy(dest, src, len);
	425	break;
	426
	427	case SSH_CIPHER_3DES:
5260325f	428	SSH_3CBC_DECRYPT(context->u.des3.key1,
	429	context->u.des3.key2, &context->u.des3.iv2,
	430	context->u.des3.key3, &context->u.des3.iv3,
c8d54615	431	dest, (unsigned char *) src, len);
5260325f	432	break;
	433
	434	case SSH_CIPHER_BLOWFISH:
5260325f	435	swap_bytes(src, dest, len);
	436	BF_cbc_encrypt((void *) dest, dest, len,
	437	&context->u.bf.key, context->u.bf.iv,
	438	BF_DECRYPT);
	439	swap_bytes(dest, dest, len);
	440	break;
	441
7368a6c8	442	case SSH_CIPHER_BLOWFISH_CBC:
	443	BF_cbc_encrypt((void *) src, dest, len,
	444	&context->u.bf.key, context->u.bf.iv,
	445	BF_DECRYPT);
	446	break;
	447
	448	case SSH_CIPHER_3DES_CBC:
	449	des_ede3_cbc_encrypt(src, dest, len,
	450	context->u.des3.key1, context->u.des3.key2,
	451	context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT);
	452	break;
	453
	454	case SSH_CIPHER_ARCFOUR:
	455	RC4(&context->u.rc4, len, (unsigned char *)src, dest);
	456	break;
	457
	458	case SSH_CIPHER_CAST128_CBC:
	459	CAST_cbc_encrypt(src, dest, len,
	460	&context->u.cast.key, context->u.cast.iv, CAST_DECRYPT);
	461	break;
	462
5260325f	463	default:
	464	fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));
	465	}
8efc0c15	466	}