5 * Author: Tatu Ylonen <ylo@cs.hut.fi>
7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
10 * Created: Wed Apr 19 17:41:39 1995 ylo
21 #include <openssl/md5.h>
28 * What kind of tripple DES are these 2 routines?
30 * Why is there a redundant initialization vector?
32 * If only iv3 was used, then, this would till effect have been
33 * outer-cbc. However, there is also a private iv1 == iv2 which
34 * perhaps makes differential analysis easier. On the other hand, the
35 * private iv1 probably makes the CRC-32 attack ineffective. This is a
36 * result of that there is no longer any known iv1 to use when
37 * choosing the X block.
40 SSH_3CBC_ENCRYPT(des_key_schedule ks1,
41 des_key_schedule ks2, des_cblock * iv2,
42 des_key_schedule ks3, des_cblock * iv3,
43 void *dest, void *src,
50 des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
51 memcpy(&iv1, dest + len - 8, 8);
53 des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
54 memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */
56 des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
57 memcpy(iv3, dest + len - 8, 8);
61 SSH_3CBC_DECRYPT(des_key_schedule ks1,
62 des_key_schedule ks2, des_cblock * iv2,
63 des_key_schedule ks3, des_cblock * iv3,
64 void *dest, void *src,
71 des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
72 memcpy(iv3, src + len - 8, 8);
74 des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
75 memcpy(iv2, dest + len - 8, 8);
77 des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
78 /* memcpy(&iv1, iv2, 8); */
79 /* Note how iv1 == iv2 on entry and exit. */
83 * SSH uses a variation on Blowfish, all bytes must be swapped before
84 * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
87 swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
89 /* dst must be properly aligned. */
90 u_int32_t *dst = (u_int32_t *) dst_;
96 /* Process 8 bytes every lap. */
97 for (n = n / 8; n > 0; n--) {
112 void (*cipher_attack_detected) (const char *fmt,...) = fatal;
115 detect_cbc_attack(const unsigned char *src,
120 log("CRC-32 CBC insertion attack detected");
121 cipher_attack_detected("CRC-32 CBC insertion attack detected");
124 /* Names of all encryption algorithms. These must match the numbers defined
126 static char *cipher_names[] =
137 /* Returns a bit mask indicating which ciphers are supported by this
138 implementation. The bit mask has the corresponding bit set of each
144 unsigned int mask = 0;
145 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
146 mask |= 1 << SSH_CIPHER_BLOWFISH;
150 /* Returns the name of the cipher. */
153 cipher_name(int cipher)
155 if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
156 cipher_names[cipher] == NULL)
157 fatal("cipher_name: bad cipher number: %d", cipher);
158 return cipher_names[cipher];
161 /* Parses the name of the cipher. Returns the number of the corresponding
162 cipher, or -1 on error. */
165 cipher_number(const char *name)
168 for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
169 if (strcmp(cipher_names[i], name) == 0 &&
170 (cipher_mask() & (1 << i)))
175 /* Selects the cipher, and keys if by computing the MD5 checksum of the
176 passphrase and using the resulting 16 bytes as the key. */
179 cipher_set_key_string(CipherContext *context, int cipher,
180 const char *passphrase, int for_encryption)
183 unsigned char digest[16];
186 MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
187 MD5_Final(digest, &md);
189 cipher_set_key(context, cipher, digest, 16, for_encryption);
191 memset(digest, 0, sizeof(digest));
192 memset(&md, 0, sizeof(md));
195 /* Selects the cipher to use and sets the key. */
198 cipher_set_key(CipherContext *context, int cipher,
199 const unsigned char *key, int keylen, int for_encryption)
201 unsigned char padded[32];
203 /* Set cipher type. */
204 context->type = cipher;
206 /* Get 32 bytes of key data. Pad if necessary. (So that code
207 below does not need to worry about key size). */
208 memset(padded, 0, sizeof(padded));
209 memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));
211 /* Initialize the initialization vector. */
213 case SSH_CIPHER_NONE:
214 /* Has to stay for authfile saving of private key with
218 case SSH_CIPHER_3DES:
219 /* Note: the least significant bit of each byte of key is
220 parity, and must be ignored by the implementation. 16
221 bytes of key are used (first and last keys are the
224 error("Key length %d is insufficient for 3DES.", keylen);
225 des_set_key((void *) padded, context->u.des3.key1);
226 des_set_key((void *) (padded + 8), context->u.des3.key2);
228 des_set_key((void *) padded, context->u.des3.key3);
230 des_set_key((void *) (padded + 16), context->u.des3.key3);
231 memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
232 memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
235 case SSH_CIPHER_BLOWFISH:
236 BF_set_key(&context->u.bf.key, keylen, padded);
237 memset(context->u.bf.iv, 0, 8);
241 fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
243 memset(padded, 0, sizeof(padded));
246 /* Encrypts data using the cipher. */
249 cipher_encrypt(CipherContext *context, unsigned char *dest,
250 const unsigned char *src, unsigned int len)
253 fatal("cipher_encrypt: bad plaintext length %d", len);
255 switch (context->type) {
256 case SSH_CIPHER_NONE:
257 memcpy(dest, src, len);
260 case SSH_CIPHER_3DES:
261 SSH_3CBC_ENCRYPT(context->u.des3.key1,
262 context->u.des3.key2, &context->u.des3.iv2,
263 context->u.des3.key3, &context->u.des3.iv3,
264 dest, (void *) src, len);
267 case SSH_CIPHER_BLOWFISH:
268 swap_bytes(src, dest, len);
269 BF_cbc_encrypt(dest, dest, len,
270 &context->u.bf.key, context->u.bf.iv,
272 swap_bytes(dest, dest, len);
276 fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
280 /* Decrypts data using the cipher. */
283 cipher_decrypt(CipherContext *context, unsigned char *dest,
284 const unsigned char *src, unsigned int len)
287 fatal("cipher_decrypt: bad ciphertext length %d", len);
289 switch (context->type) {
290 case SSH_CIPHER_NONE:
291 memcpy(dest, src, len);
294 case SSH_CIPHER_3DES:
296 SSH_3CBC_DECRYPT(context->u.des3.key1,
297 context->u.des3.key2, &context->u.des3.iv2,
298 context->u.des3.key3, &context->u.des3.iv3,
299 dest, (void *) src, len);
302 case SSH_CIPHER_BLOWFISH:
303 detect_cbc_attack(src, len);
304 swap_bytes(src, dest, len);
305 BF_cbc_encrypt((void *) dest, dest, len,
306 &context->u.bf.key, context->u.bf.iv,
308 swap_bytes(dest, dest, len);
312 fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));