[openssh.git] / cipher.c

/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 *
 * Copyright (c) 1999 Niels Provos.  All rights reserved.
 * Copyright (c) 1999, 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: cipher.c,v 1.51 2002/02/14 23:41:01 markus Exp $");

#include "xmalloc.h"
#include "log.h"
#include "cipher.h"

#include <openssl/md5.h>

struct Cipher {
	char	*name;
	int	number;		/* for ssh1 only */
	u_int	block_size;
	u_int	key_len;
	void	(*setkey)(CipherContext *, const u_char *, u_int);
	void	(*setiv)(CipherContext *, const u_char *, u_int);
	void	(*encrypt)(CipherContext *, u_char *, const u_char *, u_int);
	void	(*decrypt)(CipherContext *, u_char *, const u_char *, u_int);
};

/* no encryption */
static void
none_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
}
static void
none_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
}
static void
none_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	memcpy(dest, src, len);
}

/* DES */
static void
des_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	static int dowarn = 1;
	if (dowarn) {
		error("Warning: use of DES is strongly discouraged "
		    "due to cryptographic weaknesses");
		dowarn = 0;
	}
	des_set_key((void *)key, cc->u.des.key);
}
static void
des_ssh1_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
	memset(cc->u.des.iv, 0, sizeof(cc->u.des.iv));
}
static void
des_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
	    DES_ENCRYPT);
}
static void
des_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
	    DES_DECRYPT);
}

/* 3DES */
static void
des3_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	des_set_key((void *) key, cc->u.des3.key1);
	des_set_key((void *) (key+8), cc->u.des3.key2);
	des_set_key((void *) (key+16), cc->u.des3.key3);
}
static void
des3_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
	memset(cc->u.des3.iv1, 0, sizeof(cc->u.des3.iv1));
	memset(cc->u.des3.iv2, 0, sizeof(cc->u.des3.iv2));
	memset(cc->u.des3.iv3, 0, sizeof(cc->u.des3.iv3));
	if (iv == NULL)
		return;
	memcpy(cc->u.des3.iv3, (char *)iv, 8);
}
static void
des3_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	des_ede3_cbc_encrypt(src, dest, len,
	    cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
	    &cc->u.des3.iv3, DES_ENCRYPT);
}
static void
des3_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	des_ede3_cbc_encrypt(src, dest, len,
	    cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
	    &cc->u.des3.iv3, DES_DECRYPT);
}

/*
 * This is used by SSH1:
 *
 * What kind of triple DES are these 2 routines?
 *
 * Why is there a redundant initialization vector?
 *
 * If only iv3 was used, then, this would till effect have been
 * outer-cbc. However, there is also a private iv1 == iv2 which
 * perhaps makes differential analysis easier. On the other hand, the
 * private iv1 probably makes the CRC-32 attack ineffective. This is a
 * result of that there is no longer any known iv1 to use when
 * choosing the X block.
 */
static void
des3_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	des_set_key((void *) key, cc->u.des3.key1);
	des_set_key((void *) (key+8), cc->u.des3.key2);
	if (keylen <= 16)
		des_set_key((void *) key, cc->u.des3.key3);
	else
		des_set_key((void *) (key+16), cc->u.des3.key3);
}
static void
des3_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	des_ncbc_encrypt(src,  dest, len, cc->u.des3.key1, &cc->u.des3.iv1,
	    DES_ENCRYPT);
	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, &cc->u.des3.iv2,
	    DES_DECRYPT);
	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key3, &cc->u.des3.iv3,
	    DES_ENCRYPT);
}
static void
des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	des_ncbc_encrypt(src,  dest, len, cc->u.des3.key3, &cc->u.des3.iv3,
	    DES_DECRYPT);
	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, &cc->u.des3.iv2,
	    DES_ENCRYPT);
	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key1, &cc->u.des3.iv1,
	    DES_DECRYPT);
}

/* Blowfish */
static void
blowfish_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	BF_set_key(&cc->u.bf.key, keylen, (u_char *)key);
}
static void
blowfish_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
	if (iv == NULL)
		memset(cc->u.bf.iv, 0, 8);
	else
		memcpy(cc->u.bf.iv, (char *)iv, 8);
}
static void
blowfish_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	    BF_ENCRYPT);
}
static void
blowfish_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	    BF_DECRYPT);
}

/*
 * SSH1 uses a variation on Blowfish, all bytes must be swapped before
 * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
 */
static void
swap_bytes(const u_char *src, u_char *dst, int n)
{
	char c[4];

	/* Process 4 bytes every lap. */
	for (n = n / 4; n > 0; n--) {
		c[3] = *src++;
		c[2] = *src++;
		c[1] = *src++;
		c[0] = *src++;

		*dst++ = c[0];
		*dst++ = c[1];
		*dst++ = c[2];
		*dst++ = c[3];
	}
}

static void
blowfish_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	swap_bytes(src, dest, len);
	BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	    BF_ENCRYPT);
	swap_bytes(dest, dest, len);
}
static void
blowfish_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	swap_bytes(src, dest, len);
	BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	    BF_DECRYPT);
	swap_bytes(dest, dest, len);
}

/* alleged rc4 */
static void
arcfour_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	RC4_set_key(&cc->u.rc4, keylen, (u_char *)key);
}
static void
arcfour_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	RC4(&cc->u.rc4, len, (u_char *)src, dest);
}

/* CAST */
static void
cast_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	CAST_set_key(&cc->u.cast.key, keylen, (u_char *) key);
}
static void
cast_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
	if (iv == NULL)
		fatal("no IV for %s.", cc->cipher->name);
	memcpy(cc->u.cast.iv, (char *)iv, 8);
}
static void
cast_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
	    CAST_ENCRYPT);
}
static void
cast_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
	    CAST_DECRYPT);
}

/* RIJNDAEL */

#define RIJNDAEL_BLOCKSIZE 16
static void
rijndael_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
	rijndael_set_key(&cc->u.rijndael.enc, (char *)key, 8*keylen, 1);
	rijndael_set_key(&cc->u.rijndael.dec, (char *)key, 8*keylen, 0);
}
static void
rijndael_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
	if (iv == NULL || ivlen != RIJNDAEL_BLOCKSIZE)
		fatal("bad/no IV for %s.", cc->cipher->name);
	memcpy(cc->u.rijndael.iv, iv, RIJNDAEL_BLOCKSIZE);
}
static void
rijndael_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	rijndael_ctx *ctx = &cc->u.rijndael.enc;
	u_char *iv = cc->u.rijndael.iv;
	u_char in[RIJNDAEL_BLOCKSIZE];
	u_char *cprev, *cnow, *plain;
	int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;

	if (len == 0)
		return;
	if (len % RIJNDAEL_BLOCKSIZE)
		fatal("rijndael_cbc_encrypt: bad len %d", len);
	cnow  = dest;
	plain = (u_char *)src;
	cprev = iv;
	for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
	    cnow+=RIJNDAEL_BLOCKSIZE) {
		for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
			in[j] = plain[j] ^ cprev[j];
		rijndael_encrypt(ctx, in, cnow);
		cprev = cnow;
	}
	memcpy(iv, cprev, RIJNDAEL_BLOCKSIZE);
}
static void
rijndael_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
    u_int len)
{
	rijndael_ctx *ctx = &cc->u.rijndael.dec;
	u_char *iv = cc->u.rijndael.iv;
	u_char ivsaved[RIJNDAEL_BLOCKSIZE];
	u_char *cnow  = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
	u_char *plain = dest+len-RIJNDAEL_BLOCKSIZE;
	u_char *ivp;
	int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;

	if (len == 0)
		return;
	if (len % RIJNDAEL_BLOCKSIZE)
		fatal("rijndael_cbc_decrypt: bad len %d", len);
	memcpy(ivsaved, cnow, RIJNDAEL_BLOCKSIZE);
	for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
	    plain-=RIJNDAEL_BLOCKSIZE) {
		rijndael_decrypt(ctx, cnow, plain);
		ivp = (i == 1) ? iv : cnow-RIJNDAEL_BLOCKSIZE;
		for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
			plain[j] ^= ivp[j];
	}
	memcpy(iv, ivsaved, RIJNDAEL_BLOCKSIZE);
}

Cipher ciphers[] = {
	{ "none",
		SSH_CIPHER_NONE, 8, 0,
		none_setkey, none_setiv,
		none_crypt, none_crypt },
	{ "des",
		SSH_CIPHER_DES, 8, 8,
		des_ssh1_setkey, des_ssh1_setiv,
		des_ssh1_encrypt, des_ssh1_decrypt },
	{ "3des",
		SSH_CIPHER_3DES, 8, 16,
		des3_ssh1_setkey, des3_setiv,
		des3_ssh1_encrypt, des3_ssh1_decrypt },
	{ "blowfish",
		SSH_CIPHER_BLOWFISH, 8, 16,
		blowfish_setkey, blowfish_setiv,
		blowfish_ssh1_encrypt, blowfish_ssh1_decrypt },

	{ "3des-cbc",
		SSH_CIPHER_SSH2, 8, 24,
		des3_setkey, des3_setiv,
		des3_cbc_encrypt, des3_cbc_decrypt },
	{ "blowfish-cbc",
		SSH_CIPHER_SSH2, 8, 16,
		blowfish_setkey, blowfish_setiv,
		blowfish_cbc_encrypt, blowfish_cbc_decrypt },
	{ "cast128-cbc",
		SSH_CIPHER_SSH2, 8, 16,
		cast_setkey, cast_setiv,
		cast_cbc_encrypt, cast_cbc_decrypt },
	{ "arcfour",
		SSH_CIPHER_SSH2, 8, 16,
		arcfour_setkey, none_setiv,
		arcfour_crypt, arcfour_crypt },
	{ "aes128-cbc",
		SSH_CIPHER_SSH2, 16, 16,
		rijndael_setkey, rijndael_setiv,
		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	{ "aes192-cbc",
		SSH_CIPHER_SSH2, 16, 24,
		rijndael_setkey, rijndael_setiv,
		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	{ "aes256-cbc",
		SSH_CIPHER_SSH2, 16, 32,
		rijndael_setkey, rijndael_setiv,
		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	{ NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL }
};

/*--*/

u_int   
cipher_blocksize(Cipher *c)
{
	return (c->block_size);
}

u_int   
cipher_keylen(Cipher *c)
{
	return (c->key_len);
}

u_int
cipher_mask_ssh1(int client)
{
	u_int mask = 0;
	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
	mask |= 1 << SSH_CIPHER_BLOWFISH;
	if (client) {
		mask |= 1 << SSH_CIPHER_DES;
	}
	return mask;
}

Cipher *
cipher_by_name(const char *name)
{
	Cipher *c;
	for (c = ciphers; c->name != NULL; c++)
		if (strcasecmp(c->name, name) == 0)
			return c;
	return NULL;
}

Cipher *
cipher_by_number(int id)
{
	Cipher *c;
	for (c = ciphers; c->name != NULL; c++)
		if (c->number == id)
			return c;
	return NULL;
}

#define	CIPHER_SEP	","
int
ciphers_valid(const char *names)
{
	Cipher *c;
	char *ciphers, *cp;
	char *p;

	if (names == NULL || strcmp(names, "") == 0)
		return 0;
	ciphers = cp = xstrdup(names);
	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
	    (p = strsep(&cp, CIPHER_SEP))) {
		c = cipher_by_name(p);
		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
			debug("bad cipher %s [%s]", p, names);
			xfree(ciphers);
			return 0;
		} else {
			debug3("cipher ok: %s [%s]", p, names);
		}
	}
	debug3("ciphers ok: [%s]", names);
	xfree(ciphers);
	return 1;
}

/*
 * Parses the name of the cipher.  Returns the number of the corresponding
 * cipher, or -1 on error.
 */

int
cipher_number(const char *name)
{
	Cipher *c;
	if (name == NULL)
		return -1;
	c = cipher_by_name(name);
	return (c==NULL) ? -1 : c->number;
}

char *
cipher_name(int id)
{
	Cipher *c = cipher_by_number(id);
	return (c==NULL) ? "<unknown>" : c->name;
}

void
cipher_init(CipherContext *cc, Cipher *cipher, const u_char *key,
     u_int keylen, const u_char *iv, u_int ivlen, int encrypt)
{
	if (keylen < cipher->key_len)
		fatal("cipher_init: key length %d is insufficient for %s.",
		    keylen, cipher->name);
	if (iv != NULL && ivlen < cipher->block_size)
		fatal("cipher_init: iv length %d is insufficient for %s.",
		    ivlen, cipher->name);
	cc->cipher = cipher;
	cc->encrypt = (encrypt == CIPHER_ENCRYPT);
	cipher->setkey(cc, key, keylen);
	cipher->setiv(cc, iv, ivlen);
}

void
cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	if (len % cc->cipher->block_size)
		fatal("cipher_encrypt: bad plaintext length %d", len);
	if (cc->encrypt)
		cc->cipher->encrypt(cc, dest, src, len);
	else
		cc->cipher->decrypt(cc, dest, src, len);
}

void
cipher_cleanup(CipherContext *cc)
{
	memset(cc, 0, sizeof(*cc));
}

/*
 * Selects the cipher, and keys if by computing the MD5 checksum of the
 * passphrase and using the resulting 16 bytes as the key.
 */

void
cipher_set_key_string(CipherContext *cc, Cipher *cipher,
    const char *passphrase, int encrypt)
{
	MD5_CTX md;
	u_char digest[16];

	MD5_Init(&md);
	MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
	MD5_Final(digest, &md);

	cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt);

	memset(digest, 0, sizeof(digest));
	memset(&md, 0, sizeof(md));
}
Commit	Line	Data
8efc0c15	1	/*
5260325f	2	* Author: Tatu Ylonen <ylo@cs.hut.fi>
5260325f	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5260325f	4	* All rights reserved
6ae2364d	5	*
bcbf86ec	6	* As far as I am concerned, the code I have written for this software
	7	* can be used freely for any purpose. Any derived versions of this
	8	* software must be clearly marked as such, and if the derived work is
	9	* incompatible with the protocol description in the RFC file, it must be
	10	* called by a name other than "ssh" or "Secure Shell".
	11	*
	12	*
	13	* Copyright (c) 1999 Niels Provos. All rights reserved.
a96070d4	14	* Copyright (c) 1999, 2000 Markus Friedl. All rights reserved.
bcbf86ec	15	*
	16	* Redistribution and use in source and binary forms, with or without
	17	* modification, are permitted provided that the following conditions
	18	* are met:
	19	* 1. Redistributions of source code must retain the above copyright
	20	* notice, this list of conditions and the following disclaimer.
	21	* 2. Redistributions in binary form must reproduce the above copyright
	22	* notice, this list of conditions and the following disclaimer in the
	23	* documentation and/or other materials provided with the distribution.
6ae2364d	24	*
bcbf86ec	25	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	26	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	27	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	28	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	29	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	30	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	31	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	32	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	33	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	34	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
5260325f	35	*/
8efc0c15	36
8efc0c15	37	#include "includes.h"
3ee832e5	38	RCSID("$OpenBSD: cipher.c,v 1.51 2002/02/14 23:41:01 markus Exp $");
8efc0c15	39
a8be9f80	40	#include "xmalloc.h"
42f11eb2	41	#include "log.h"
42f11eb2	42	#include "cipher.h"
8efc0c15	43
	44	#include <openssl/md5.h>
	45
3ee832e5	46	struct Cipher {
	47	char *name;
	48	int number; /* for ssh1 only */
	49	u_int block_size;
	50	u_int key_len;
	51	void (setkey)(CipherContext , const u_char *, u_int);
	52	void (setiv)(CipherContext , const u_char *, u_int);
	53	void (encrypt)(CipherContext , u_char , const u_char , u_int);
	54	void (decrypt)(CipherContext , u_char , const u_char , u_int);
	55	};
	56
94ec8c6b	57	/* no encryption */
396c147e	58	static void
94ec8c6b	59	none_setkey(CipherContext cc, const u_char key, u_int keylen)
	60	{
	61	}
396c147e	62	static void
94ec8c6b	63	none_setiv(CipherContext cc, const u_char iv, u_int ivlen)
	64	{
	65	}
396c147e	66	static void
94ec8c6b	67	none_crypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	68	{
	69	memcpy(dest, src, len);
	70	}
	71
	72	/* DES */
396c147e	73	static void
94ec8c6b	74	des_ssh1_setkey(CipherContext cc, const u_char key, u_int keylen)
	75	{
	76	static int dowarn = 1;
	77	if (dowarn) {
	78	error("Warning: use of DES is strongly discouraged "
	79	"due to cryptographic weaknesses");
	80	dowarn = 0;
	81	}
	82	des_set_key((void *)key, cc->u.des.key);
	83	}
396c147e	84	static void
94ec8c6b	85	des_ssh1_setiv(CipherContext cc, const u_char iv, u_int ivlen)
	86	{
	87	memset(cc->u.des.iv, 0, sizeof(cc->u.des.iv));
	88	}
396c147e	89	static void
94ec8c6b	90	des_ssh1_encrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	91	{
	92	des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
	93	DES_ENCRYPT);
	94	}
396c147e	95	static void
94ec8c6b	96	des_ssh1_decrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	97	{
	98	des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
	99	DES_DECRYPT);
	100	}
	101
	102	/* 3DES */
396c147e	103	static void
94ec8c6b	104	des3_setkey(CipherContext cc, const u_char key, u_int keylen)
	105	{
	106	des_set_key((void *) key, cc->u.des3.key1);
	107	des_set_key((void *) (key+8), cc->u.des3.key2);
	108	des_set_key((void *) (key+16), cc->u.des3.key3);
	109	}
396c147e	110	static void
94ec8c6b	111	des3_setiv(CipherContext cc, const u_char iv, u_int ivlen)
94ec8c6b	112	{
2cf27bc4	113	memset(cc->u.des3.iv1, 0, sizeof(cc->u.des3.iv1));
94ec8c6b	114	memset(cc->u.des3.iv2, 0, sizeof(cc->u.des3.iv2));
	115	memset(cc->u.des3.iv3, 0, sizeof(cc->u.des3.iv3));
	116	if (iv == NULL)
	117	return;
	118	memcpy(cc->u.des3.iv3, (char *)iv, 8);
	119	}
396c147e	120	static void
94ec8c6b	121	des3_cbc_encrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	122	{
	123	des_ede3_cbc_encrypt(src, dest, len,
	124	cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
	125	&cc->u.des3.iv3, DES_ENCRYPT);
	126	}
396c147e	127	static void
94ec8c6b	128	des3_cbc_decrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	129	{
	130	des_ede3_cbc_encrypt(src, dest, len,
	131	cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
	132	&cc->u.des3.iv3, DES_DECRYPT);
	133	}
	134
8efc0c15	135	/*
a8be9f80	136	* This is used by SSH1:
	137	*
	138	* What kind of triple DES are these 2 routines?
8efc0c15	139	*
	140	* Why is there a redundant initialization vector?
	141	*
	142	* If only iv3 was used, then, this would till effect have been
	143	* outer-cbc. However, there is also a private iv1 == iv2 which
	144	* perhaps makes differential analysis easier. On the other hand, the
	145	* private iv1 probably makes the CRC-32 attack ineffective. This is a
	146	* result of that there is no longer any known iv1 to use when
	147	* choosing the X block.
	148	*/
396c147e	149	static void
94ec8c6b	150	des3_ssh1_setkey(CipherContext cc, const u_char key, u_int keylen)
	151	{
	152	des_set_key((void *) key, cc->u.des3.key1);
	153	des_set_key((void *) (key+8), cc->u.des3.key2);
	154	if (keylen <= 16)
	155	des_set_key((void *) key, cc->u.des3.key3);
	156	else
	157	des_set_key((void *) (key+16), cc->u.des3.key3);
	158	}
396c147e	159	static void
94ec8c6b	160	des3_ssh1_encrypt(CipherContext cc, u_char dest, const u_char *src,
94ec8c6b	161	u_int len)
8efc0c15	162	{
2cf27bc4	163	des_ncbc_encrypt(src, dest, len, cc->u.des3.key1, &cc->u.des3.iv1,
	164	DES_ENCRYPT);
	165	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, &cc->u.des3.iv2,
	166	DES_DECRYPT);
	167	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key3, &cc->u.des3.iv3,
	168	DES_ENCRYPT);
8efc0c15	169	}
396c147e	170	static void
94ec8c6b	171	des3_ssh1_decrypt(CipherContext cc, u_char dest, const u_char *src,
94ec8c6b	172	u_int len)
8efc0c15	173	{
2cf27bc4	174	des_ncbc_encrypt(src, dest, len, cc->u.des3.key3, &cc->u.des3.iv3,
	175	DES_DECRYPT);
	176	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, &cc->u.des3.iv2,
	177	DES_ENCRYPT);
	178	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key1, &cc->u.des3.iv1,
	179	DES_DECRYPT);
8efc0c15	180	}
8efc0c15	181
94ec8c6b	182	/* Blowfish */
396c147e	183	static void
94ec8c6b	184	blowfish_setkey(CipherContext cc, const u_char key, u_int keylen)
94ec8c6b	185	{
1e3b8b07	186	BF_set_key(&cc->u.bf.key, keylen, (u_char *)key);
94ec8c6b	187	}
396c147e	188	static void
94ec8c6b	189	blowfish_setiv(CipherContext cc, const u_char iv, u_int ivlen)
	190	{
	191	if (iv == NULL)
	192	memset(cc->u.bf.iv, 0, 8);
	193	else
	194	memcpy(cc->u.bf.iv, (char *)iv, 8);
	195	}
396c147e	196	static void
94ec8c6b	197	blowfish_cbc_encrypt(CipherContext cc, u_char dest, const u_char *src,
184eed6a	198	u_int len)
94ec8c6b	199	{
	200	BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	201	BF_ENCRYPT);
	202	}
396c147e	203	static void
94ec8c6b	204	blowfish_cbc_decrypt(CipherContext cc, u_char dest, const u_char *src,
184eed6a	205	u_int len)
94ec8c6b	206	{
	207	BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	208	BF_DECRYPT);
	209	}
	210
8efc0c15	211	/*
a8be9f80	212	* SSH1 uses a variation on Blowfish, all bytes must be swapped before
8efc0c15	213	* and after encryption/decryption. Thus the swap_bytes stuff (yuk).
8efc0c15	214	*/
5260325f	215	static void
1e3b8b07	216	swap_bytes(const u_char src, u_char dst, int n)
8efc0c15	217	{
a22aff1f	218	char c[4];
5260325f	219
a22aff1f	220	/* Process 4 bytes every lap. */
	221	for (n = n / 4; n > 0; n--) {
	222	c[3] = *src++;
	223	c[2] = *src++;
	224	c[1] = *src++;
	225	c[0] = *src++;
5260325f	226
a22aff1f	227	*dst++ = c[0];
	228	*dst++ = c[1];
	229	*dst++ = c[2];
	230	*dst++ = c[3];
5260325f	231	}
8efc0c15	232	}
8efc0c15	233
396c147e	234	static void
94ec8c6b	235	blowfish_ssh1_encrypt(CipherContext cc, u_char dest, const u_char *src,
	236	u_int len)
	237	{
	238	swap_bytes(src, dest, len);
	239	BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	240	BF_ENCRYPT);
	241	swap_bytes(dest, dest, len);
	242	}
396c147e	243	static void
94ec8c6b	244	blowfish_ssh1_decrypt(CipherContext cc, u_char dest, const u_char *src,
	245	u_int len)
	246	{
	247	swap_bytes(src, dest, len);
	248	BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
	249	BF_DECRYPT);
	250	swap_bytes(dest, dest, len);
	251	}
8efc0c15	252
94ec8c6b	253	/* alleged rc4 */
396c147e	254	static void
94ec8c6b	255	arcfour_setkey(CipherContext cc, const u_char key, u_int keylen)
	256	{
	257	RC4_set_key(&cc->u.rc4, keylen, (u_char *)key);
	258	}
396c147e	259	static void
94ec8c6b	260	arcfour_crypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	261	{
	262	RC4(&cc->u.rc4, len, (u_char *)src, dest);
	263	}
8efc0c15	264
94ec8c6b	265	/* CAST */
396c147e	266	static void
94ec8c6b	267	cast_setkey(CipherContext cc, const u_char key, u_int keylen)
8efc0c15	268	{
1e3b8b07	269	CAST_set_key(&cc->u.cast.key, keylen, (u_char *) key);
94ec8c6b	270	}
396c147e	271	static void
94ec8c6b	272	cast_setiv(CipherContext cc, const u_char iv, u_int ivlen)
94ec8c6b	273	{
2b87da3b	274	if (iv == NULL)
94ec8c6b	275	fatal("no IV for %s.", cc->cipher->name);
	276	memcpy(cc->u.cast.iv, (char *)iv, 8);
	277	}
396c147e	278	static void
94ec8c6b	279	cast_cbc_encrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	280	{
	281	CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
	282	CAST_ENCRYPT);
	283	}
396c147e	284	static void
94ec8c6b	285	cast_cbc_decrypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
	286	{
	287	CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
	288	CAST_DECRYPT);
	289	}
	290
	291	/* RIJNDAEL */
	292
	293	#define RIJNDAEL_BLOCKSIZE 16
396c147e	294	static void
94ec8c6b	295	rijndael_setkey(CipherContext cc, const u_char key, u_int keylen)
94ec8c6b	296	{
88c3bfe0	297	rijndael_set_key(&cc->u.rijndael.enc, (char )key, 8keylen, 1);
88c3bfe0	298	rijndael_set_key(&cc->u.rijndael.dec, (char )key, 8keylen, 0);
94ec8c6b	299	}
396c147e	300	static void
94ec8c6b	301	rijndael_setiv(CipherContext cc, const u_char iv, u_int ivlen)
94ec8c6b	302	{
184eed6a	303	if (iv == NULL \|\| ivlen != RIJNDAEL_BLOCKSIZE)
88c3bfe0	304	fatal("bad/no IV for %s.", cc->cipher->name);
88c3bfe0	305	memcpy(cc->u.rijndael.iv, iv, RIJNDAEL_BLOCKSIZE);
8ce64345	306	}
396c147e	307	static void
94ec8c6b	308	rijndael_cbc_encrypt(CipherContext cc, u_char dest, const u_char *src,
	309	u_int len)
	310	{
6b523bae	311	rijndael_ctx *ctx = &cc->u.rijndael.enc;
88c3bfe0	312	u_char *iv = cc->u.rijndael.iv;
	313	u_char in[RIJNDAEL_BLOCKSIZE];
	314	u_char cprev, cnow, *plain;
	315	int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
	316
94ec8c6b	317	if (len == 0)
	318	return;
	319	if (len % RIJNDAEL_BLOCKSIZE)
	320	fatal("rijndael_cbc_encrypt: bad len %d", len);
88c3bfe0	321	cnow = dest;
e6207598	322	plain = (u_char *)src;
94ec8c6b	323	cprev = iv;
88c3bfe0	324	for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
	325	cnow+=RIJNDAEL_BLOCKSIZE) {
	326	for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
	327	in[j] = plain[j] ^ cprev[j];
94ec8c6b	328	rijndael_encrypt(ctx, in, cnow);
	329	cprev = cnow;
	330	}
	331	memcpy(iv, cprev, RIJNDAEL_BLOCKSIZE);
	332	}
396c147e	333	static void
94ec8c6b	334	rijndael_cbc_decrypt(CipherContext cc, u_char dest, const u_char *src,
	335	u_int len)
	336	{
6b523bae	337	rijndael_ctx *ctx = &cc->u.rijndael.dec;
88c3bfe0	338	u_char *iv = cc->u.rijndael.iv;
	339	u_char ivsaved[RIJNDAEL_BLOCKSIZE];
	340	u_char cnow = (u_char ) (src+len-RIJNDAEL_BLOCKSIZE);
	341	u_char *plain = dest+len-RIJNDAEL_BLOCKSIZE;
	342	u_char *ivp;
	343	int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
	344
94ec8c6b	345	if (len == 0)
	346	return;
	347	if (len % RIJNDAEL_BLOCKSIZE)
	348	fatal("rijndael_cbc_decrypt: bad len %d", len);
	349	memcpy(ivsaved, cnow, RIJNDAEL_BLOCKSIZE);
88c3bfe0	350	for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
88c3bfe0	351	plain-=RIJNDAEL_BLOCKSIZE) {
94ec8c6b	352	rijndael_decrypt(ctx, cnow, plain);
88c3bfe0	353	ivp = (i == 1) ? iv : cnow-RIJNDAEL_BLOCKSIZE;
	354	for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
	355	plain[j] ^= ivp[j];
94ec8c6b	356	}
	357	memcpy(iv, ivsaved, RIJNDAEL_BLOCKSIZE);
	358	}
	359
	360	Cipher ciphers[] = {
	361	{ "none",
	362	SSH_CIPHER_NONE, 8, 0,
	363	none_setkey, none_setiv,
	364	none_crypt, none_crypt },
	365	{ "des",
	366	SSH_CIPHER_DES, 8, 8,
	367	des_ssh1_setkey, des_ssh1_setiv,
	368	des_ssh1_encrypt, des_ssh1_decrypt },
	369	{ "3des",
	370	SSH_CIPHER_3DES, 8, 16,
	371	des3_ssh1_setkey, des3_setiv,
	372	des3_ssh1_encrypt, des3_ssh1_decrypt },
	373	{ "blowfish",
	374	SSH_CIPHER_BLOWFISH, 8, 16,
	375	blowfish_setkey, blowfish_setiv,
	376	blowfish_ssh1_encrypt, blowfish_ssh1_decrypt },
	377
	378	{ "3des-cbc",
	379	SSH_CIPHER_SSH2, 8, 24,
	380	des3_setkey, des3_setiv,
	381	des3_cbc_encrypt, des3_cbc_decrypt },
	382	{ "blowfish-cbc",
	383	SSH_CIPHER_SSH2, 8, 16,
	384	blowfish_setkey, blowfish_setiv,
	385	blowfish_cbc_encrypt, blowfish_cbc_decrypt },
	386	{ "cast128-cbc",
	387	SSH_CIPHER_SSH2, 8, 16,
	388	cast_setkey, cast_setiv,
	389	cast_cbc_encrypt, cast_cbc_decrypt },
	390	{ "arcfour",
	391	SSH_CIPHER_SSH2, 8, 16,
	392	arcfour_setkey, none_setiv,
	393	arcfour_crypt, arcfour_crypt },
	394	{ "aes128-cbc",
	395	SSH_CIPHER_SSH2, 16, 16,
	396	rijndael_setkey, rijndael_setiv,
	397	rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	398	{ "aes192-cbc",
	399	SSH_CIPHER_SSH2, 16, 24,
	400	rijndael_setkey, rijndael_setiv,
	401	rijndael_cbc_encrypt, rijndael_cbc_decrypt },
	402	{ "aes256-cbc",
	403	SSH_CIPHER_SSH2, 16, 32,
	404	rijndael_setkey, rijndael_setiv,
	405	rijndael_cbc_encrypt, rijndael_cbc_decrypt },
2b87da3b	406	{ NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL }
94ec8c6b	407	};
	408
	409	/--/
	410
3ee832e5	411	u_int
	412	cipher_blocksize(Cipher *c)
	413	{
	414	return (c->block_size);
	415	}
	416
	417	u_int
	418	cipher_keylen(Cipher *c)
	419	{
	420	return (c->key_len);
	421	}
	422
1e3b8b07	423	u_int
94ec8c6b	424	cipher_mask_ssh1(int client)
8ce64345	425	{
1e3b8b07	426	u_int mask = 0;
184eed6a	427	mask \|= 1 << SSH_CIPHER_3DES; /* Mandatory */
94ec8c6b	428	mask \|= 1 << SSH_CIPHER_BLOWFISH;
	429	if (client) {
	430	mask \|= 1 << SSH_CIPHER_DES;
	431	}
5260325f	432	return mask;
8efc0c15	433	}
94ec8c6b	434
	435	Cipher *
	436	cipher_by_name(const char *name)
8ce64345	437	{
94ec8c6b	438	Cipher *c;
	439	for (c = ciphers; c->name != NULL; c++)
	440	if (strcasecmp(c->name, name) == 0)
	441	return c;
	442	return NULL;
8ce64345	443	}
8efc0c15	444
94ec8c6b	445	Cipher *
94ec8c6b	446	cipher_by_number(int id)
8efc0c15	447	{
94ec8c6b	448	Cipher *c;
	449	for (c = ciphers; c->name != NULL; c++)
	450	if (c->number == id)
	451	return c;
	452	return NULL;
8efc0c15	453	}
8efc0c15	454
a8be9f80	455	#define CIPHER_SEP ","
	456	int
	457	ciphers_valid(const char *names)
	458	{
94ec8c6b	459	Cipher *c;
089fbbd2	460	char ciphers, cp;
a8be9f80	461	char *p;
a8be9f80	462
71276795	463	if (names == NULL \|\| strcmp(names, "") == 0)
a8be9f80	464	return 0;
089fbbd2	465	ciphers = cp = xstrdup(names);
94ec8c6b	466	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
184eed6a	467	(p = strsep(&cp, CIPHER_SEP))) {
94ec8c6b	468	c = cipher_by_name(p);
	469	if (c == NULL \|\| c->number != SSH_CIPHER_SSH2) {
	470	debug("bad cipher %s [%s]", p, names);
a8be9f80	471	xfree(ciphers);
a8be9f80	472	return 0;
94ec8c6b	473	} else {
33de75a3	474	debug3("cipher ok: %s [%s]", p, names);
a8be9f80	475	}
a8be9f80	476	}
33de75a3	477	debug3("ciphers ok: [%s]", names);
a8be9f80	478	xfree(ciphers);
	479	return 1;
	480	}
	481
aa3378df	482	/*
	483	* Parses the name of the cipher. Returns the number of the corresponding
	484	* cipher, or -1 on error.
	485	*/
8efc0c15	486
	487	int
	488	cipher_number(const char *name)
	489	{
94ec8c6b	490	Cipher *c;
71276795	491	if (name == NULL)
71276795	492	return -1;
94ec8c6b	493	c = cipher_by_name(name);
	494	return (c==NULL) ? -1 : c->number;
	495	}
	496
	497	char *
	498	cipher_name(int id)
	499	{
	500	Cipher *c = cipher_by_number(id);
	501	return (c==NULL) ? "<unknown>" : c->name;
	502	}
	503
	504	void
3ee832e5	505	cipher_init(CipherContext cc, Cipher cipher, const u_char *key,
3ee832e5	506	u_int keylen, const u_char *iv, u_int ivlen, int encrypt)
94ec8c6b	507	{
	508	if (keylen < cipher->key_len)
	509	fatal("cipher_init: key length %d is insufficient for %s.",
	510	keylen, cipher->name);
	511	if (iv != NULL && ivlen < cipher->block_size)
	512	fatal("cipher_init: iv length %d is insufficient for %s.",
	513	ivlen, cipher->name);
	514	cc->cipher = cipher;
3ee832e5	515	cc->encrypt = (encrypt == CIPHER_ENCRYPT);
94ec8c6b	516	cipher->setkey(cc, key, keylen);
	517	cipher->setiv(cc, iv, ivlen);
	518	}
	519
	520	void
3ee832e5	521	cipher_crypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
94ec8c6b	522	{
	523	if (len % cc->cipher->block_size)
	524	fatal("cipher_encrypt: bad plaintext length %d", len);
3ee832e5	525	if (cc->encrypt)
	526	cc->cipher->encrypt(cc, dest, src, len);
	527	else
	528	cc->cipher->decrypt(cc, dest, src, len);
94ec8c6b	529	}
	530
	531	void
3ee832e5	532	cipher_cleanup(CipherContext *cc)
94ec8c6b	533	{
3ee832e5	534	memset(cc, 0, sizeof(*cc));
8efc0c15	535	}
8efc0c15	536
aa3378df	537	/*
	538	* Selects the cipher, and keys if by computing the MD5 checksum of the
	539	* passphrase and using the resulting 16 bytes as the key.
	540	*/
8efc0c15	541
6ae2364d	542	void
94ec8c6b	543	cipher_set_key_string(CipherContext cc, Cipher cipher,
3ee832e5	544	const char *passphrase, int encrypt)
8efc0c15	545	{
5260325f	546	MD5_CTX md;
1e3b8b07	547	u_char digest[16];
5260325f	548
5260325f	549	MD5_Init(&md);
94ec8c6b	550	MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
5260325f	551	MD5_Final(digest, &md);
5260325f	552
3ee832e5	553	cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt);
5260325f	554
	555	memset(digest, 0, sizeof(digest));
	556	memset(&md, 0, sizeof(md));
8efc0c15	557	}