5 Author: Tatu Ylonen <ylo@cs.hut.fi>
7 Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
10 Created: Wed Apr 19 17:41:39 1995 ylo
22 #include <openssl/md5.h>
29 * What kind of tripple DES are these 2 routines?
31 * Why is there a redundant initialization vector?
33 * If only iv3 was used, then, this would till effect have been
34 * outer-cbc. However, there is also a private iv1 == iv2 which
35 * perhaps makes differential analysis easier. On the other hand, the
36 * private iv1 probably makes the CRC-32 attack ineffective. This is a
37 * result of that there is no longer any known iv1 to use when
38 * choosing the X block.
41 SSH_3CBC_ENCRYPT(des_key_schedule ks1,
42 des_key_schedule ks2, des_cblock *iv2,
43 des_key_schedule ks3, des_cblock *iv3,
44 void *dest, void *src,
51 des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
52 memcpy(&iv1, dest + len - 8, 8);
54 des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
55 memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */
57 des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
58 memcpy(iv3, dest + len - 8, 8);
62 SSH_3CBC_DECRYPT(des_key_schedule ks1,
63 des_key_schedule ks2, des_cblock *iv2,
64 des_key_schedule ks3, des_cblock *iv3,
65 void *dest, void *src,
72 des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
73 memcpy(iv3, src + len - 8, 8);
75 des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
76 memcpy(iv2, dest + len - 8, 8);
78 des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
79 /* memcpy(&iv1, iv2, 8); */ /* Note how iv1 == iv2 on entry and exit. */
83 * SSH uses a variation on Blowfish, all bytes must be swapped before
84 * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
88 swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
90 u_int32_t *dst = (u_int32_t *)dst_; /* dst must be properly aligned. */
96 /* assert((n & 7) == 0); */
98 /* Process 8 bytes every lap. */
99 for (n = n / 8; n > 0; n--)
115 void (*cipher_attack_detected)(const char *fmt, ...) = fatal;
119 detect_cbc_attack(const unsigned char *src,
124 log("CRC-32 CBC insertion attack detected");
125 cipher_attack_detected("CRC-32 CBC insertion attack detected");
128 /* Names of all encryption algorithms. These must match the numbers defined
130 static char *cipher_names[] =
141 /* Returns a bit mask indicating which ciphers are supported by this
142 implementation. The bit mask has the corresponding bit set of each
145 unsigned int cipher_mask()
147 unsigned int mask = 0;
148 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
149 mask |= 1 << SSH_CIPHER_BLOWFISH;
153 /* Returns the name of the cipher. */
156 char *cipher_name(int cipher)
158 if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
159 cipher_names[cipher] == NULL)
160 fatal("cipher_name: bad cipher number: %d", cipher);
161 return cipher_names[cipher];
164 /* Parses the name of the cipher. Returns the number of the corresponding
165 cipher, or -1 on error. */
168 cipher_number(const char *name)
171 for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
172 if (strcmp(cipher_names[i], name) == 0 &&
173 (cipher_mask() & (1 << i)))
178 /* Selects the cipher, and keys if by computing the MD5 checksum of the
179 passphrase and using the resulting 16 bytes as the key. */
181 void cipher_set_key_string(CipherContext *context, int cipher,
182 const char *passphrase, int for_encryption)
185 unsigned char digest[16];
188 MD5_Update(&md, (const unsigned char *)passphrase, strlen(passphrase));
189 MD5_Final(digest, &md);
191 cipher_set_key(context, cipher, digest, 16, for_encryption);
193 memset(digest, 0, sizeof(digest));
194 memset(&md, 0, sizeof(md));
197 /* Selects the cipher to use and sets the key. */
199 void cipher_set_key(CipherContext *context, int cipher,
200 const unsigned char *key, int keylen, int for_encryption)
202 unsigned char padded[32];
204 /* Set cipher type. */
205 context->type = cipher;
207 /* Get 32 bytes of key data. Pad if necessary. (So that code below does
208 not need to worry about key size). */
209 memset(padded, 0, sizeof(padded));
210 memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));
212 /* Initialize the initialization vector. */
215 case SSH_CIPHER_NONE:
216 /* Has to stay for authfile saving of private key with no passphrase */
219 case SSH_CIPHER_3DES:
220 /* Note: the least significant bit of each byte of key is parity,
221 and must be ignored by the implementation. 16 bytes of key are
222 used (first and last keys are the same). */
224 error("Key length %d is insufficient for 3DES.", keylen);
225 des_set_key((void*)padded, context->u.des3.key1);
226 des_set_key((void*)(padded + 8), context->u.des3.key2);
228 des_set_key((void*)padded, context->u.des3.key3);
230 des_set_key((void*)(padded + 16), context->u.des3.key3);
231 memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
232 memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
235 case SSH_CIPHER_BLOWFISH:
236 BF_set_key(&context->u.bf.key, keylen, padded);
237 memset(context->u.bf.iv, 0, 8);
241 fatal("cipher_set_key: unknown cipher: %d", cipher);
243 memset(padded, 0, sizeof(padded));
246 /* Encrypts data using the cipher. */
248 void cipher_encrypt(CipherContext *context, unsigned char *dest,
249 const unsigned char *src, unsigned int len)
251 assert((len & 7) == 0);
253 switch (context->type)
255 case SSH_CIPHER_NONE:
256 memcpy(dest, src, len);
259 case SSH_CIPHER_3DES:
260 SSH_3CBC_ENCRYPT(context->u.des3.key1,
261 context->u.des3.key2, &context->u.des3.iv2,
262 context->u.des3.key3, &context->u.des3.iv3,
263 dest, (void*)src, len);
266 case SSH_CIPHER_BLOWFISH:
267 swap_bytes(src, dest, len);
268 BF_cbc_encrypt(dest, dest, len,
269 &context->u.bf.key, context->u.bf.iv, BF_ENCRYPT);
270 swap_bytes(dest, dest, len);
274 fatal("cipher_encrypt: unknown cipher: %d", context->type);
278 /* Decrypts data using the cipher. */
280 void cipher_decrypt(CipherContext *context, unsigned char *dest,
281 const unsigned char *src, unsigned int len)
283 assert((len & 7) == 0);
285 switch (context->type)
287 case SSH_CIPHER_NONE:
288 memcpy(dest, src, len);
291 case SSH_CIPHER_3DES:
293 SSH_3CBC_DECRYPT(context->u.des3.key1,
294 context->u.des3.key2, &context->u.des3.iv2,
295 context->u.des3.key3, &context->u.des3.iv3,
296 dest, (void*)src, len);
299 case SSH_CIPHER_BLOWFISH:
300 detect_cbc_attack(src, len);
301 swap_bytes(src, dest, len);
302 BF_cbc_encrypt((void*)dest, dest, len,
303 &context->u.bf.key, context->u.bf.iv, BF_DECRYPT);
304 swap_bytes(dest, dest, len);
308 fatal("cipher_decrypt: unknown cipher: %d", context->type);