1/* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */ 2/* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 * 13 * 14 * Copyright (c) 1999 Niels Provos. All rights reserved. 15 * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38#include "includes.h" 39 40#include <sys/types.h> 41 42#include <openssl/md5.h> 43 44#include <string.h> 45#include <stdarg.h> 46 47#include "xmalloc.h" 48#include "log.h" 49#include "cipher.h" 50 51/* compatibility with old or broken OpenSSL versions */ 52#include "openbsd-compat/openssl-compat.h" 53 54extern const EVP_CIPHER *evp_ssh1_bf(void); 55extern const EVP_CIPHER *evp_ssh1_3des(void); 56extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); 57extern const EVP_CIPHER *evp_aes_128_ctr(void); 58extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); 59 60struct Cipher { 61 char *name; 62 int number; /* for ssh1 only */ 63 u_int block_size; 64 u_int key_len; 65 u_int discard_len; 66 u_int cbc_mode; 67 const EVP_CIPHER *(*evptype)(void); 68} ciphers[] = { 69 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, 70 { "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc }, 71 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, 72 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 1, evp_ssh1_bf }, 73 74 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, 75 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc }, 76#ifndef ANDROID 77 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc }, 78#endif 79 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 }, 80 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 }, 81 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 }, 82 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, 83 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, 84 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, 85 { "rijndael-cbc@lysator.liu.se", 86 SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, 87 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, 88 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, 89 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, 90#ifdef USE_CIPHER_ACSS 91 { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss }, 92#endif 93 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } 94}; 95 96/*--*/ 97 98u_int 99cipher_blocksize(const Cipher *c) 100{ 101 return (c->block_size); 102} 103 104u_int 105cipher_keylen(const Cipher *c) 106{ 107 return (c->key_len); 108} 109 110u_int 111cipher_get_number(const Cipher *c) 112{ 113 return (c->number); 114} 115 116u_int 117cipher_is_cbc(const Cipher *c) 118{ 119 return (c->cbc_mode); 120} 121 122u_int 123cipher_mask_ssh1(int client) 124{ 125 u_int mask = 0; 126 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 127 mask |= 1 << SSH_CIPHER_BLOWFISH; 128 if (client) { 129 mask |= 1 << SSH_CIPHER_DES; 130 } 131 return mask; 132} 133 134Cipher * 135cipher_by_name(const char *name) 136{ 137 Cipher *c; 138 for (c = ciphers; c->name != NULL; c++) 139 if (strcmp(c->name, name) == 0) 140 return c; 141 return NULL; 142} 143 144Cipher * 145cipher_by_number(int id) 146{ 147 Cipher *c; 148 for (c = ciphers; c->name != NULL; c++) 149 if (c->number == id) 150 return c; 151 return NULL; 152} 153 154#define CIPHER_SEP "," 155int 156ciphers_valid(const char *names) 157{ 158 Cipher *c; 159 char *cipher_list, *cp; 160 char *p; 161 162 if (names == NULL || strcmp(names, "") == 0) 163 return 0; 164 cipher_list = cp = xstrdup(names); 165 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 166 (p = strsep(&cp, CIPHER_SEP))) { 167 c = cipher_by_name(p); 168 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 169 debug("bad cipher %s [%s]", p, names); 170 xfree(cipher_list); 171 return 0; 172 } else { 173 debug3("cipher ok: %s [%s]", p, names); 174 } 175 } 176 debug3("ciphers ok: [%s]", names); 177 xfree(cipher_list); 178 return 1; 179} 180 181/* 182 * Parses the name of the cipher. Returns the number of the corresponding 183 * cipher, or -1 on error. 184 */ 185 186int 187cipher_number(const char *name) 188{ 189 Cipher *c; 190 if (name == NULL) 191 return -1; 192 for (c = ciphers; c->name != NULL; c++) 193 if (strcasecmp(c->name, name) == 0) 194 return c->number; 195 return -1; 196} 197 198char * 199cipher_name(int id) 200{ 201 Cipher *c = cipher_by_number(id); 202 return (c==NULL) ? "<unknown>" : c->name; 203} 204 205void 206cipher_init(CipherContext *cc, Cipher *cipher, 207 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 208 int do_encrypt) 209{ 210 static int dowarn = 1; 211#ifdef SSH_OLD_EVP 212 EVP_CIPHER *type; 213#else 214 const EVP_CIPHER *type; 215 int klen; 216#endif 217 u_char *junk, *discard; 218 219 if (cipher->number == SSH_CIPHER_DES) { 220 if (dowarn) { 221 error("Warning: use of DES is strongly discouraged " 222 "due to cryptographic weaknesses"); 223 dowarn = 0; 224 } 225 if (keylen > 8) 226 keylen = 8; 227 } 228 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 229 230 if (keylen < cipher->key_len) 231 fatal("cipher_init: key length %d is insufficient for %s.", 232 keylen, cipher->name); 233 if (iv != NULL && ivlen < cipher->block_size) 234 fatal("cipher_init: iv length %d is insufficient for %s.", 235 ivlen, cipher->name); 236 cc->cipher = cipher; 237 238 type = (*cipher->evptype)(); 239 240 EVP_CIPHER_CTX_init(&cc->evp); 241#ifdef SSH_OLD_EVP 242 if (type->key_len > 0 && type->key_len != keylen) { 243 debug("cipher_init: set keylen (%d -> %d)", 244 type->key_len, keylen); 245 type->key_len = keylen; 246 } 247 EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv, 248 (do_encrypt == CIPHER_ENCRYPT)); 249#else 250 if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv, 251 (do_encrypt == CIPHER_ENCRYPT)) == 0) 252 fatal("cipher_init: EVP_CipherInit failed for %s", 253 cipher->name); 254 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 255 if (klen > 0 && keylen != (u_int)klen) { 256 debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); 257 if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) 258 fatal("cipher_init: set keylen failed (%d -> %d)", 259 klen, keylen); 260 } 261 if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) 262 fatal("cipher_init: EVP_CipherInit: set key failed for %s", 263 cipher->name); 264#endif 265 266 if (cipher->discard_len > 0) { 267 junk = xmalloc(cipher->discard_len); 268 discard = xmalloc(cipher->discard_len); 269 if (EVP_Cipher(&cc->evp, discard, junk, 270 cipher->discard_len) == 0) 271 fatal("evp_crypt: EVP_Cipher failed during discard"); 272 memset(discard, 0, cipher->discard_len); 273 xfree(junk); 274 xfree(discard); 275 } 276} 277 278void 279cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 280{ 281 if (len % cc->cipher->block_size) 282 fatal("cipher_encrypt: bad plaintext length %d", len); 283 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) 284 fatal("evp_crypt: EVP_Cipher failed"); 285} 286 287void 288cipher_cleanup(CipherContext *cc) 289{ 290 if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) 291 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); 292} 293 294/* 295 * Selects the cipher, and keys if by computing the MD5 checksum of the 296 * passphrase and using the resulting 16 bytes as the key. 297 */ 298 299void 300cipher_set_key_string(CipherContext *cc, Cipher *cipher, 301 const char *passphrase, int do_encrypt) 302{ 303 MD5_CTX md; 304 u_char digest[16]; 305 306 MD5_Init(&md); 307 MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); 308 MD5_Final(digest, &md); 309 310 cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt); 311 312 memset(digest, 0, sizeof(digest)); 313 memset(&md, 0, sizeof(md)); 314} 315 316/* 317 * Exports an IV from the CipherContext required to export the key 318 * state back from the unprivileged child to the privileged parent 319 * process. 320 */ 321 322int 323cipher_get_keyiv_len(const CipherContext *cc) 324{ 325 Cipher *c = cc->cipher; 326 int ivlen; 327 328 if (c->number == SSH_CIPHER_3DES) 329 ivlen = 24; 330 else 331 ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); 332 return (ivlen); 333} 334 335void 336cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) 337{ 338 Cipher *c = cc->cipher; 339 int evplen; 340 341 switch (c->number) { 342 case SSH_CIPHER_SSH2: 343 case SSH_CIPHER_DES: 344 case SSH_CIPHER_BLOWFISH: 345 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 346 if (evplen <= 0) 347 return; 348 if ((u_int)evplen != len) 349 fatal("%s: wrong iv length %d != %d", __func__, 350 evplen, len); 351#ifdef USE_BUILTIN_RIJNDAEL 352 if (c->evptype == evp_rijndael) 353 ssh_rijndael_iv(&cc->evp, 0, iv, len); 354 else 355#endif 356 if (c->evptype == evp_aes_128_ctr) 357 ssh_aes_ctr_iv(&cc->evp, 0, iv, len); 358 else 359 memcpy(iv, cc->evp.iv, len); 360 break; 361 case SSH_CIPHER_3DES: 362 ssh1_3des_iv(&cc->evp, 0, iv, 24); 363 break; 364 default: 365 fatal("%s: bad cipher %d", __func__, c->number); 366 } 367} 368 369void 370cipher_set_keyiv(CipherContext *cc, u_char *iv) 371{ 372 Cipher *c = cc->cipher; 373 int evplen = 0; 374 375 switch (c->number) { 376 case SSH_CIPHER_SSH2: 377 case SSH_CIPHER_DES: 378 case SSH_CIPHER_BLOWFISH: 379 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 380 if (evplen == 0) 381 return; 382#ifdef USE_BUILTIN_RIJNDAEL 383 if (c->evptype == evp_rijndael) 384 ssh_rijndael_iv(&cc->evp, 1, iv, evplen); 385 else 386#endif 387 if (c->evptype == evp_aes_128_ctr) 388 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); 389 else 390 memcpy(cc->evp.iv, iv, evplen); 391 break; 392 case SSH_CIPHER_3DES: 393 ssh1_3des_iv(&cc->evp, 1, iv, 24); 394 break; 395 default: 396 fatal("%s: bad cipher %d", __func__, c->number); 397 } 398} 399 400#if OPENSSL_VERSION_NUMBER < 0x00907000L 401#define EVP_X_STATE(evp) &(evp).c 402#define EVP_X_STATE_LEN(evp) sizeof((evp).c) 403#else 404#define EVP_X_STATE(evp) (evp).cipher_data 405#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size 406#endif 407 408int 409cipher_get_keycontext(const CipherContext *cc, u_char *dat) 410{ 411 Cipher *c = cc->cipher; 412 int plen = 0; 413 414 if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { 415 plen = EVP_X_STATE_LEN(cc->evp); 416 if (dat == NULL) 417 return (plen); 418 memcpy(dat, EVP_X_STATE(cc->evp), plen); 419 } 420 return (plen); 421} 422 423void 424cipher_set_keycontext(CipherContext *cc, u_char *dat) 425{ 426 Cipher *c = cc->cipher; 427 int plen; 428 429 if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { 430 plen = EVP_X_STATE_LEN(cc->evp); 431 memcpy(EVP_X_STATE(cc->evp), dat, plen); 432 } 433} 434