summaryrefslogtreecommitdiff
path: root/cipher.c
diff options
context:
space:
mode:
Diffstat (limited to 'cipher.c')
-rw-r--r--cipher.c380
1 files changed, 31 insertions, 349 deletions
diff --git a/cipher.c b/cipher.c
index b5d38747e..e7c3c5411 100644
--- a/cipher.c
+++ b/cipher.c
@@ -35,7 +35,7 @@
35 */ 35 */
36 36
37#include "includes.h" 37#include "includes.h"
38RCSID("$OpenBSD: cipher.c,v 1.62 2002/11/21 22:45:31 markus Exp $"); 38RCSID("$OpenBSD: cipher.c,v 1.65 2003/05/17 04:27:52 markus Exp $");
39 39
40#include "xmalloc.h" 40#include "xmalloc.h"
41#include "log.h" 41#include "log.h"
@@ -49,11 +49,14 @@ RCSID("$OpenBSD: cipher.c,v 1.62 2002/11/21 22:45:31 markus Exp $");
49#endif 49#endif
50 50
51#if OPENSSL_VERSION_NUMBER < 0x00907000L 51#if OPENSSL_VERSION_NUMBER < 0x00907000L
52#include "rijndael.h" 52extern const EVP_CIPHER *evp_rijndael(void);
53static const EVP_CIPHER *evp_rijndael(void); 53extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
54#endif 54#endif
55static const EVP_CIPHER *evp_ssh1_3des(void); 55extern const EVP_CIPHER *evp_ssh1_bf(void);
56static const EVP_CIPHER *evp_ssh1_bf(void); 56extern const EVP_CIPHER *evp_ssh1_3des(void);
57extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
58extern const EVP_CIPHER *evp_aes_128_ctr(void);
59extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
57 60
58struct Cipher { 61struct Cipher {
59 char *name; 62 char *name;
@@ -84,6 +87,9 @@ struct Cipher {
84 { "rijndael-cbc@lysator.liu.se", 87 { "rijndael-cbc@lysator.liu.se",
85 SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, 88 SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
86#endif 89#endif
90 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr },
91 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr },
92 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr },
87 93
88 { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL } 94 { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL }
89}; 95};
@@ -296,298 +302,6 @@ cipher_set_key_string(CipherContext *cc, Cipher *cipher,
296 memset(&md, 0, sizeof(md)); 302 memset(&md, 0, sizeof(md));
297} 303}
298 304
299/* Implementations for other non-EVP ciphers */
300
301/*
302 * This is used by SSH1:
303 *
304 * What kind of triple DES are these 2 routines?
305 *
306 * Why is there a redundant initialization vector?
307 *
308 * If only iv3 was used, then, this would till effect have been
309 * outer-cbc. However, there is also a private iv1 == iv2 which
310 * perhaps makes differential analysis easier. On the other hand, the
311 * private iv1 probably makes the CRC-32 attack ineffective. This is a
312 * result of that there is no longer any known iv1 to use when
313 * choosing the X block.
314 */
315struct ssh1_3des_ctx
316{
317 EVP_CIPHER_CTX k1, k2, k3;
318};
319
320static int
321ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
322 int enc)
323{
324 struct ssh1_3des_ctx *c;
325 u_char *k1, *k2, *k3;
326
327 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
328 c = xmalloc(sizeof(*c));
329 EVP_CIPHER_CTX_set_app_data(ctx, c);
330 }
331 if (key == NULL)
332 return (1);
333 if (enc == -1)
334 enc = ctx->encrypt;
335 k1 = k2 = k3 = (u_char *) key;
336 k2 += 8;
337 if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) {
338 if (enc)
339 k3 += 16;
340 else
341 k1 += 16;
342 }
343 EVP_CIPHER_CTX_init(&c->k1);
344 EVP_CIPHER_CTX_init(&c->k2);
345 EVP_CIPHER_CTX_init(&c->k3);
346#ifdef SSH_OLD_EVP
347 EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc);
348 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc);
349 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc);
350#else
351 if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
352 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
353 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
354 memset(c, 0, sizeof(*c));
355 xfree(c);
356 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
357 return (0);
358 }
359#endif
360 return (1);
361}
362
363static int
364ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len)
365{
366 struct ssh1_3des_ctx *c;
367
368 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
369 error("ssh1_3des_cbc: no context");
370 return (0);
371 }
372#ifdef SSH_OLD_EVP
373 EVP_Cipher(&c->k1, dest, (u_char *)src, len);
374 EVP_Cipher(&c->k2, dest, dest, len);
375 EVP_Cipher(&c->k3, dest, dest, len);
376#else
377 if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
378 EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
379 EVP_Cipher(&c->k3, dest, dest, len) == 0)
380 return (0);
381#endif
382 return (1);
383}
384
385static int
386ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
387{
388 struct ssh1_3des_ctx *c;
389
390 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
391 memset(c, 0, sizeof(*c));
392 xfree(c);
393 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
394 }
395 return (1);
396}
397
398static const EVP_CIPHER *
399evp_ssh1_3des(void)
400{
401 static EVP_CIPHER ssh1_3des;
402
403 memset(&ssh1_3des, 0, sizeof(EVP_CIPHER));
404 ssh1_3des.nid = NID_undef;
405 ssh1_3des.block_size = 8;
406 ssh1_3des.iv_len = 0;
407 ssh1_3des.key_len = 16;
408 ssh1_3des.init = ssh1_3des_init;
409 ssh1_3des.cleanup = ssh1_3des_cleanup;
410 ssh1_3des.do_cipher = ssh1_3des_cbc;
411#ifndef SSH_OLD_EVP
412 ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
413#endif
414 return (&ssh1_3des);
415}
416
417/*
418 * SSH1 uses a variation on Blowfish, all bytes must be swapped before
419 * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
420 */
421static void
422swap_bytes(const u_char *src, u_char *dst, int n)
423{
424 u_char c[4];
425
426 /* Process 4 bytes every lap. */
427 for (n = n / 4; n > 0; n--) {
428 c[3] = *src++;
429 c[2] = *src++;
430 c[1] = *src++;
431 c[0] = *src++;
432
433 *dst++ = c[0];
434 *dst++ = c[1];
435 *dst++ = c[2];
436 *dst++ = c[3];
437 }
438}
439
440#ifdef SSH_OLD_EVP
441static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key,
442 const unsigned char *iv, int enc)
443{
444 if (iv != NULL)
445 memcpy (&(ctx->oiv[0]), iv, 8);
446 memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8);
447 if (key != NULL)
448 BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx),
449 key);
450}
451#endif
452static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL;
453
454static int
455bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len)
456{
457 int ret;
458
459 swap_bytes(in, out, len);
460 ret = (*orig_bf)(ctx, out, out, len);
461 swap_bytes(out, out, len);
462 return (ret);
463}
464
465static const EVP_CIPHER *
466evp_ssh1_bf(void)
467{
468 static EVP_CIPHER ssh1_bf;
469
470 memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
471 orig_bf = ssh1_bf.do_cipher;
472 ssh1_bf.nid = NID_undef;
473#ifdef SSH_OLD_EVP
474 ssh1_bf.init = bf_ssh1_init;
475#endif
476 ssh1_bf.do_cipher = bf_ssh1_cipher;
477 ssh1_bf.key_len = 32;
478 return (&ssh1_bf);
479}
480
481#if OPENSSL_VERSION_NUMBER < 0x00907000L
482/* RIJNDAEL */
483#define RIJNDAEL_BLOCKSIZE 16
484struct ssh_rijndael_ctx
485{
486 rijndael_ctx r_ctx;
487 u_char r_iv[RIJNDAEL_BLOCKSIZE];
488};
489
490static int
491ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
492 int enc)
493{
494 struct ssh_rijndael_ctx *c;
495
496 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
497 c = xmalloc(sizeof(*c));
498 EVP_CIPHER_CTX_set_app_data(ctx, c);
499 }
500 if (key != NULL) {
501 if (enc == -1)
502 enc = ctx->encrypt;
503 rijndael_set_key(&c->r_ctx, (u_char *)key,
504 8*EVP_CIPHER_CTX_key_length(ctx), enc);
505 }
506 if (iv != NULL)
507 memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE);
508 return (1);
509}
510
511static int
512ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
513 u_int len)
514{
515 struct ssh_rijndael_ctx *c;
516 u_char buf[RIJNDAEL_BLOCKSIZE];
517 u_char *cprev, *cnow, *plain, *ivp;
518 int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
519
520 if (len == 0)
521 return (1);
522 if (len % RIJNDAEL_BLOCKSIZE)
523 fatal("ssh_rijndael_cbc: bad len %d", len);
524 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
525 error("ssh_rijndael_cbc: no context");
526 return (0);
527 }
528 if (ctx->encrypt) {
529 cnow = dest;
530 plain = (u_char *)src;
531 cprev = c->r_iv;
532 for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
533 cnow+=RIJNDAEL_BLOCKSIZE) {
534 for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
535 buf[j] = plain[j] ^ cprev[j];
536 rijndael_encrypt(&c->r_ctx, buf, cnow);
537 cprev = cnow;
538 }
539 memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE);
540 } else {
541 cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
542 plain = dest+len-RIJNDAEL_BLOCKSIZE;
543
544 memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE);
545 for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
546 plain-=RIJNDAEL_BLOCKSIZE) {
547 rijndael_decrypt(&c->r_ctx, cnow, plain);
548 ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
549 for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
550 plain[j] ^= ivp[j];
551 }
552 memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
553 }
554 return (1);
555}
556
557static int
558ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
559{
560 struct ssh_rijndael_ctx *c;
561
562 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
563 memset(c, 0, sizeof(*c));
564 xfree(c);
565 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
566 }
567 return (1);
568}
569
570static const EVP_CIPHER *
571evp_rijndael(void)
572{
573 static EVP_CIPHER rijndal_cbc;
574
575 memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER));
576 rijndal_cbc.nid = NID_undef;
577 rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE;
578 rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;
579 rijndal_cbc.key_len = 16;
580 rijndal_cbc.init = ssh_rijndael_init;
581 rijndal_cbc.cleanup = ssh_rijndael_cleanup;
582 rijndal_cbc.do_cipher = ssh_rijndael_cbc;
583#ifndef SSH_OLD_EVP
584 rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
585 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
586#endif
587 return (&rijndal_cbc);
588}
589#endif
590
591/* 305/*
592 * Exports an IV from the CipherContext required to export the key 306 * Exports an IV from the CipherContext required to export the key
593 * state back from the unprivileged child to the privileged parent 307 * state back from the unprivileged child to the privileged parent
@@ -611,7 +325,6 @@ void
611cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) 325cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
612{ 326{
613 Cipher *c = cc->cipher; 327 Cipher *c = cc->cipher;
614 u_char *civ = NULL;
615 int evplen; 328 int evplen;
616 329
617 switch (c->number) { 330 switch (c->number) {
@@ -624,45 +337,28 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
624 if (evplen != len) 337 if (evplen != len)
625 fatal("%s: wrong iv length %d != %d", __func__, 338 fatal("%s: wrong iv length %d != %d", __func__,
626 evplen, len); 339 evplen, len);
627
628#if OPENSSL_VERSION_NUMBER < 0x00907000L 340#if OPENSSL_VERSION_NUMBER < 0x00907000L
629 if (c->evptype == evp_rijndael) { 341 if (c->evptype == evp_rijndael)
630 struct ssh_rijndael_ctx *aesc; 342 ssh_rijndael_iv(&cc->evp, 0, iv, len);
631 343 else
632 aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
633 if (aesc == NULL)
634 fatal("%s: no rijndael context", __func__);
635 civ = aesc->r_iv;
636 } else
637#endif 344#endif
638 { 345 if (c->evptype == evp_aes_128_ctr)
639 civ = cc->evp.iv; 346 ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
640 } 347 else
348 memcpy(iv, cc->evp.iv, len);
349 break;
350 case SSH_CIPHER_3DES:
351 ssh1_3des_iv(&cc->evp, 0, iv, 24);
641 break; 352 break;
642 case SSH_CIPHER_3DES: {
643 struct ssh1_3des_ctx *desc;
644 if (len != 24)
645 fatal("%s: bad 3des iv length: %d", __func__, len);
646 desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
647 if (desc == NULL)
648 fatal("%s: no 3des context", __func__);
649 debug3("%s: Copying 3DES IV", __func__);
650 memcpy(iv, desc->k1.iv, 8);
651 memcpy(iv + 8, desc->k2.iv, 8);
652 memcpy(iv + 16, desc->k3.iv, 8);
653 return;
654 }
655 default: 353 default:
656 fatal("%s: bad cipher %d", __func__, c->number); 354 fatal("%s: bad cipher %d", __func__, c->number);
657 } 355 }
658 memcpy(iv, civ, len);
659} 356}
660 357
661void 358void
662cipher_set_keyiv(CipherContext *cc, u_char *iv) 359cipher_set_keyiv(CipherContext *cc, u_char *iv)
663{ 360{
664 Cipher *c = cc->cipher; 361 Cipher *c = cc->cipher;
665 u_char *div = NULL;
666 int evplen = 0; 362 int evplen = 0;
667 363
668 switch (c->number) { 364 switch (c->number) {
@@ -672,36 +368,22 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
672 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 368 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
673 if (evplen == 0) 369 if (evplen == 0)
674 return; 370 return;
675
676#if OPENSSL_VERSION_NUMBER < 0x00907000L 371#if OPENSSL_VERSION_NUMBER < 0x00907000L
677 if (c->evptype == evp_rijndael) { 372 if (c->evptype == evp_rijndael)
678 struct ssh_rijndael_ctx *aesc; 373 ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
679 374 else
680 aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
681 if (aesc == NULL)
682 fatal("%s: no rijndael context", __func__);
683 div = aesc->r_iv;
684 } else
685#endif 375#endif
686 { 376 if (c->evptype == evp_aes_128_ctr)
687 div = cc->evp.iv; 377 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
688 } 378 else
379 memcpy(cc->evp.iv, iv, evplen);
380 break;
381 case SSH_CIPHER_3DES:
382 ssh1_3des_iv(&cc->evp, 1, iv, 24);
689 break; 383 break;
690 case SSH_CIPHER_3DES: {
691 struct ssh1_3des_ctx *desc;
692 desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
693 if (desc == NULL)
694 fatal("%s: no 3des context", __func__);
695 debug3("%s: Installed 3DES IV", __func__);
696 memcpy(desc->k1.iv, iv, 8);
697 memcpy(desc->k2.iv, iv + 8, 8);
698 memcpy(desc->k3.iv, iv + 16, 8);
699 return;
700 }
701 default: 384 default:
702 fatal("%s: bad cipher %d", __func__, c->number); 385 fatal("%s: bad cipher %d", __func__, c->number);
703 } 386 }
704 memcpy(div, iv, evplen);
705} 387}
706 388
707#if OPENSSL_VERSION_NUMBER < 0x00907000L 389#if OPENSSL_VERSION_NUMBER < 0x00907000L
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-03 00:15:38 +0000