RepoMirrors
/
openssh
mirror of git://anongit.mindrot.org/openssh.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- markus@cvs.openbsd.org 2002/02/18 13:05:32 

[cipher.c cipher.h]
     switch to EVP, ok djm@ deraadt@
This commit is contained in:
Damien Miller 2002-02-19 15:26:42 +11:00
parent a93c6d87ef
commit 21cf4e0628
3 changed files with 318 additions and 404 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -34,6 +34,9 @@
[auth.h]
Manual cleanup of remaining userland __P use (excluding packages
maintained outside the tree)
- markus@cvs.openbsd.org 2002/02/18 13:05:32
[cipher.c cipher.h]
switch to EVP, ok djm@ deraadt@
20020218
- (tim) newer config.guess from ftp://ftp.gnu.org/gnu/config/config.guess
@ -7631,4 +7634,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
$Id: ChangeLog,v 1.1862 2002/02/19 04:25:29 djm Exp $
$Id: ChangeLog,v 1.1863 2002/02/19 04:26:42 djm Exp $

679
cipher.c
View File

@ -35,386 +35,50 @@
*/
#include "includes.h"
RCSID("$OpenBSD: cipher.c,v 1.51 2002/02/14 23:41:01 markus Exp $");
RCSID("$OpenBSD: cipher.c,v 1.52 2002/02/18 13:05:32 markus Exp $");
#include "xmalloc.h"
#include "log.h"
#include "cipher.h"
#include <openssl/md5.h>
#include "rijndael.h"
static EVP_CIPHER *evp_ssh1_3des(void);
static EVP_CIPHER *evp_ssh1_bf(void);
static EVP_CIPHER *evp_rijndael(void);
struct Cipher {
char *name;
int number; /* for ssh1 only */
u_int block_size;
u_int key_len;
void (*setkey)(CipherContext *, const u_char *, u_int);
void (*setiv)(CipherContext *, const u_char *, u_int);
void (*encrypt)(CipherContext *, u_char *, const u_char *, u_int);
void (*decrypt)(CipherContext *, u_char *, const u_char *, u_int);
};
EVP_CIPHER *(*evptype)(void);
} ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },
/* no encryption */
static void
none_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
}
static void
none_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
}
static void
none_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
memcpy(dest, src, len);
}
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
{ "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
{ "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
{ "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
/* DES */
static void
des_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
static int dowarn = 1;
if (dowarn) {
error("Warning: use of DES is strongly discouraged "
"due to cryptographic weaknesses");
dowarn = 0;
}
des_set_key((void *)key, cc->u.des.key);
}
static void
des_ssh1_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
memset(cc->u.des.iv, 0, sizeof(cc->u.des.iv));
}
static void
des_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
DES_ENCRYPT);
}
static void
des_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
DES_DECRYPT);
}
/* 3DES */
static void
des3_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
des_set_key((void *) key, cc->u.des3.key1);
des_set_key((void *) (key+8), cc->u.des3.key2);
des_set_key((void *) (key+16), cc->u.des3.key3);
}
static void
des3_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
memset(cc->u.des3.iv1, 0, sizeof(cc->u.des3.iv1));
memset(cc->u.des3.iv2, 0, sizeof(cc->u.des3.iv2));
memset(cc->u.des3.iv3, 0, sizeof(cc->u.des3.iv3));
if (iv == NULL)
return;
memcpy(cc->u.des3.iv3, (char *)iv, 8);
}
static void
des3_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
des_ede3_cbc_encrypt(src, dest, len,
cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
&cc->u.des3.iv3, DES_ENCRYPT);
}
static void
des3_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
des_ede3_cbc_encrypt(src, dest, len,
cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
&cc->u.des3.iv3, DES_DECRYPT);
}
/*
* This is used by SSH1:
*
* What kind of triple DES are these 2 routines?
*
* Why is there a redundant initialization vector?
*
* If only iv3 was used, then, this would till effect have been
* outer-cbc. However, there is also a private iv1 == iv2 which
* perhaps makes differential analysis easier. On the other hand, the
* private iv1 probably makes the CRC-32 attack ineffective. This is a
* result of that there is no longer any known iv1 to use when
* choosing the X block.
*/
static void
des3_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
des_set_key((void *) key, cc->u.des3.key1);
des_set_key((void *) (key+8), cc->u.des3.key2);
if (keylen <= 16)
des_set_key((void *) key, cc->u.des3.key3);
else
des_set_key((void *) (key+16), cc->u.des3.key3);
}
static void
des3_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
u_int len)
{
des_ncbc_encrypt(src, dest, len, cc->u.des3.key1, &cc->u.des3.iv1,
DES_ENCRYPT);
des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, &cc->u.des3.iv2,
DES_DECRYPT);
des_ncbc_encrypt(dest, dest, len, cc->u.des3.key3, &cc->u.des3.iv3,
DES_ENCRYPT);
}
static void
des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
u_int len)
{
des_ncbc_encrypt(src, dest, len, cc->u.des3.key3, &cc->u.des3.iv3,
DES_DECRYPT);
des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, &cc->u.des3.iv2,
DES_ENCRYPT);
des_ncbc_encrypt(dest, dest, len, cc->u.des3.key1, &cc->u.des3.iv1,
DES_DECRYPT);
}
/* Blowfish */
static void
blowfish_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
BF_set_key(&cc->u.bf.key, keylen, (u_char *)key);
}
static void
blowfish_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
if (iv == NULL)
memset(cc->u.bf.iv, 0, 8);
else
memcpy(cc->u.bf.iv, (char *)iv, 8);
}
static void
blowfish_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
u_int len)
{
BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
BF_ENCRYPT);
}
static void
blowfish_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
u_int len)
{
BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
BF_DECRYPT);
}
/*
* SSH1 uses a variation on Blowfish, all bytes must be swapped before
* and after encryption/decryption. Thus the swap_bytes stuff (yuk).
*/
static void
swap_bytes(const u_char *src, u_char *dst, int n)
{
char c[4];
/* Process 4 bytes every lap. */
for (n = n / 4; n > 0; n--) {
c[3] = *src++;
c[2] = *src++;
c[1] = *src++;
c[0] = *src++;
*dst++ = c[0];
*dst++ = c[1];
*dst++ = c[2];
*dst++ = c[3];
}
}
static void
blowfish_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
u_int len)
{
swap_bytes(src, dest, len);
BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
BF_ENCRYPT);
swap_bytes(dest, dest, len);
}
static void
blowfish_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
u_int len)
{
swap_bytes(src, dest, len);
BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
BF_DECRYPT);
swap_bytes(dest, dest, len);
}
/* alleged rc4 */
static void
arcfour_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
RC4_set_key(&cc->u.rc4, keylen, (u_char *)key);
}
static void
arcfour_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
RC4(&cc->u.rc4, len, (u_char *)src, dest);
}
/* CAST */
static void
cast_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
CAST_set_key(&cc->u.cast.key, keylen, (u_char *) key);
}
static void
cast_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
if (iv == NULL)
fatal("no IV for %s.", cc->cipher->name);
memcpy(cc->u.cast.iv, (char *)iv, 8);
}
static void
cast_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
CAST_ENCRYPT);
}
static void
cast_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
CAST_DECRYPT);
}
/* RIJNDAEL */
#define RIJNDAEL_BLOCKSIZE 16
static void
rijndael_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
rijndael_set_key(&cc->u.rijndael.enc, (char *)key, 8*keylen, 1);
rijndael_set_key(&cc->u.rijndael.dec, (char *)key, 8*keylen, 0);
}
static void
rijndael_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
{
if (iv == NULL || ivlen != RIJNDAEL_BLOCKSIZE)
fatal("bad/no IV for %s.", cc->cipher->name);
memcpy(cc->u.rijndael.iv, iv, RIJNDAEL_BLOCKSIZE);
}
static void
rijndael_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
u_int len)
{
rijndael_ctx *ctx = &cc->u.rijndael.enc;
u_char *iv = cc->u.rijndael.iv;
u_char in[RIJNDAEL_BLOCKSIZE];
u_char *cprev, *cnow, *plain;
int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
if (len == 0)
return;
if (len % RIJNDAEL_BLOCKSIZE)
fatal("rijndael_cbc_encrypt: bad len %d", len);
cnow = dest;
plain = (u_char *)src;
cprev = iv;
for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
cnow+=RIJNDAEL_BLOCKSIZE) {
for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
in[j] = plain[j] ^ cprev[j];
rijndael_encrypt(ctx, in, cnow);
cprev = cnow;
}
memcpy(iv, cprev, RIJNDAEL_BLOCKSIZE);
}
static void
rijndael_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
u_int len)
{
rijndael_ctx *ctx = &cc->u.rijndael.dec;
u_char *iv = cc->u.rijndael.iv;
u_char ivsaved[RIJNDAEL_BLOCKSIZE];
u_char *cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
u_char *plain = dest+len-RIJNDAEL_BLOCKSIZE;
u_char *ivp;
int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
if (len == 0)
return;
if (len % RIJNDAEL_BLOCKSIZE)
fatal("rijndael_cbc_decrypt: bad len %d", len);
memcpy(ivsaved, cnow, RIJNDAEL_BLOCKSIZE);
for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
plain-=RIJNDAEL_BLOCKSIZE) {
rijndael_decrypt(ctx, cnow, plain);
ivp = (i == 1) ? iv : cnow-RIJNDAEL_BLOCKSIZE;
for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
plain[j] ^= ivp[j];
}
memcpy(iv, ivsaved, RIJNDAEL_BLOCKSIZE);
}
Cipher ciphers[] = {
{ "none",
SSH_CIPHER_NONE, 8, 0,
none_setkey, none_setiv,
none_crypt, none_crypt },
{ "des",
SSH_CIPHER_DES, 8, 8,
des_ssh1_setkey, des_ssh1_setiv,
des_ssh1_encrypt, des_ssh1_decrypt },
{ "3des",
SSH_CIPHER_3DES, 8, 16,
des3_ssh1_setkey, des3_setiv,
des3_ssh1_encrypt, des3_ssh1_decrypt },
{ "blowfish",
SSH_CIPHER_BLOWFISH, 8, 16,
blowfish_setkey, blowfish_setiv,
blowfish_ssh1_encrypt, blowfish_ssh1_decrypt },
{ "3des-cbc",
SSH_CIPHER_SSH2, 8, 24,
des3_setkey, des3_setiv,
des3_cbc_encrypt, des3_cbc_decrypt },
{ "blowfish-cbc",
SSH_CIPHER_SSH2, 8, 16,
blowfish_setkey, blowfish_setiv,
blowfish_cbc_encrypt, blowfish_cbc_decrypt },
{ "cast128-cbc",
SSH_CIPHER_SSH2, 8, 16,
cast_setkey, cast_setiv,
cast_cbc_encrypt, cast_cbc_decrypt },
{ "arcfour",
SSH_CIPHER_SSH2, 8, 16,
arcfour_setkey, none_setiv,
arcfour_crypt, arcfour_crypt },
{ "aes128-cbc",
SSH_CIPHER_SSH2, 16, 16,
rijndael_setkey, rijndael_setiv,
rijndael_cbc_encrypt, rijndael_cbc_decrypt },
{ "aes192-cbc",
SSH_CIPHER_SSH2, 16, 24,
rijndael_setkey, rijndael_setiv,
rijndael_cbc_encrypt, rijndael_cbc_decrypt },
{ "aes256-cbc",
SSH_CIPHER_SSH2, 16, 32,
rijndael_setkey, rijndael_setiv,
rijndael_cbc_encrypt, rijndael_cbc_decrypt },
{ NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL }
{ NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL }
};
/*--*/
u_int
u_int
cipher_blocksize(Cipher *c)
{
return (c->block_size);
}
u_int
u_int
cipher_keylen(Cipher *c)
{
return (c->key_len);
@ -502,9 +166,25 @@ cipher_name(int id)
}
void
cipher_init(CipherContext *cc, Cipher *cipher, const u_char *key,
u_int keylen, const u_char *iv, u_int ivlen, int encrypt)
cipher_init(CipherContext *cc, Cipher *cipher,
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
int encrypt)
{
static int dowarn = 1;
const EVP_CIPHER *type;
int klen;
if (cipher->number == SSH_CIPHER_DES) {
if (dowarn) {
error("Warning: use of DES is strongly discouraged "
"due to cryptographic weaknesses");
dowarn = 0;
}
if (keylen > 8)
keylen = 8;
}
cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
if (keylen < cipher->key_len)
fatal("cipher_init: key length %d is insufficient for %s.",
keylen, cipher->name);
@ -512,9 +192,24 @@ cipher_init(CipherContext *cc, Cipher *cipher, const u_char *key,
fatal("cipher_init: iv length %d is insufficient for %s.",
ivlen, cipher->name);
cc->cipher = cipher;
cc->encrypt = (encrypt == CIPHER_ENCRYPT);
cipher->setkey(cc, key, keylen);
cipher->setiv(cc, iv, ivlen);
type = (*cipher->evptype)();
EVP_CIPHER_CTX_init(&cc->evp);
if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
(encrypt == CIPHER_ENCRYPT)) == 0)
fatal("cipher_init: EVP_CipherInit failed for %s",
cipher->name);
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
if (klen > 0 && keylen != klen) {
debug("cipher_init: set keylen (%d -> %d)", klen, keylen);
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
fatal("cipher_init: set keylen failed (%d -> %d)",
klen, keylen);
}
if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
fatal("cipher_init: EVP_CipherInit: set key failed for %s",
cipher->name);
}
void
@ -522,16 +217,15 @@ cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
if (len % cc->cipher->block_size)
fatal("cipher_encrypt: bad plaintext length %d", len);
if (cc->encrypt)
cc->cipher->encrypt(cc, dest, src, len);
else
cc->cipher->decrypt(cc, dest, src, len);
if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
fatal("evp_crypt: EVP_Cipher failed");
}
void
cipher_cleanup(CipherContext *cc)
{
memset(cc, 0, sizeof(*cc));
if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
}
/*
@ -555,3 +249,252 @@ cipher_set_key_string(CipherContext *cc, Cipher *cipher,
memset(digest, 0, sizeof(digest));
memset(&md, 0, sizeof(md));
}
/* Implementations for other non-EVP ciphers */
/*
* This is used by SSH1:
*
* What kind of triple DES are these 2 routines?
*
* Why is there a redundant initialization vector?
*
* If only iv3 was used, then, this would till effect have been
* outer-cbc. However, there is also a private iv1 == iv2 which
* perhaps makes differential analysis easier. On the other hand, the
* private iv1 probably makes the CRC-32 attack ineffective. This is a
* result of that there is no longer any known iv1 to use when
* choosing the X block.
*/
struct ssh1_3des_ctx
{
EVP_CIPHER_CTX k1, k2, k3;
};
static int
ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
int enc)
{
struct ssh1_3des_ctx *c;
u_char *k1, *k2, *k3;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
c = xmalloc(sizeof(*c));
EVP_CIPHER_CTX_set_app_data(ctx, c);
}
if (key == NULL)
return (1);
if (enc == -1)
enc = ctx->encrypt;
k1 = k2 = k3 = (u_char *) key;
k2 += 8;
if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) {
if (enc)
k3 += 16;
else
k1 += 16;
}
EVP_CIPHER_CTX_init(&c->k1);
EVP_CIPHER_CTX_init(&c->k2);
EVP_CIPHER_CTX_init(&c->k3);
if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
memset(c, 0, sizeof(*c));
xfree(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
return (0);
}
return (1);
}
static int
ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len)
{
struct ssh1_3des_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
error("ssh1_3des_cbc: no context");
return (0);
}
if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
EVP_Cipher(&c->k3, dest, dest, len) == 0)
return (0);
return (1);
}
static int
ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
{
struct ssh1_3des_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
memset(c, 0, sizeof(*c));
xfree(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
}
return (1);
}
static EVP_CIPHER *
evp_ssh1_3des(void)
{
static EVP_CIPHER ssh1_3des;
memset(&ssh1_3des, 0, sizeof(EVP_CIPHER));
ssh1_3des.nid = NID_undef;
ssh1_3des.block_size = 8;
ssh1_3des.iv_len = 0;
ssh1_3des.key_len = 16;
ssh1_3des.init = ssh1_3des_init;
ssh1_3des.cleanup = ssh1_3des_cleanup;
ssh1_3des.do_cipher = ssh1_3des_cbc;
ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
return (&ssh1_3des);
}
/*
* SSH1 uses a variation on Blowfish, all bytes must be swapped before
* and after encryption/decryption. Thus the swap_bytes stuff (yuk).
*/
static void
swap_bytes(const u_char *src, u_char *dst, int n)
{
u_char c[4];
/* Process 4 bytes every lap. */
for (n = n / 4; n > 0; n--) {
c[3] = *src++;
c[2] = *src++;
c[1] = *src++;
c[0] = *src++;
*dst++ = c[0];
*dst++ = c[1];
*dst++ = c[2];
*dst++ = c[3];
}
}
static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL;
static int
bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len)
{
int ret;
swap_bytes(in, out, len);
ret = (*orig_bf)(ctx, out, out, len);
swap_bytes(out, out, len);
return (ret);
}
static EVP_CIPHER *
evp_ssh1_bf(void)
{
static EVP_CIPHER ssh1_bf;
memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
orig_bf = ssh1_bf.do_cipher;
ssh1_bf.nid = NID_undef;
ssh1_bf.do_cipher = bf_ssh1_cipher;
ssh1_bf.key_len = 32;
return (&ssh1_bf);
}
/* RIJNDAEL */
#define RIJNDAEL_BLOCKSIZE 16
struct ssh_rijndael_ctx
{
rijndael_ctx r_ctx;
u_char r_iv[RIJNDAEL_BLOCKSIZE];
};
static int
ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
int enc)
{
struct ssh_rijndael_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
c = xmalloc(sizeof(*c));
EVP_CIPHER_CTX_set_app_data(ctx, c);
}
if (key != NULL) {
if (enc == -1)
enc = ctx->encrypt;
rijndael_set_key(&c->r_ctx, (u_char *)key,
8*EVP_CIPHER_CTX_key_length(ctx), enc);
}
if (iv != NULL)
memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE);
return (1);
}
static int
ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
u_int len)
{
struct ssh_rijndael_ctx *c;
u_char buf[RIJNDAEL_BLOCKSIZE];
u_char *cprev, *cnow, *plain, *ivp;
int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
if (len == 0)
return (1);
if (len % RIJNDAEL_BLOCKSIZE)
fatal("ssh_rijndael_cbc: bad len %d", len);
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
error("ssh_rijndael_cbc: no context");
return (0);
}
if (ctx->encrypt) {
cnow = dest;
plain = (u_char *)src;
cprev = c->r_iv;
for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
cnow+=RIJNDAEL_BLOCKSIZE) {
for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
buf[j] = plain[j] ^ cprev[j];
rijndael_encrypt(&c->r_ctx, buf, cnow);
cprev = cnow;
}
memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE);
} else {
cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
plain = dest+len-RIJNDAEL_BLOCKSIZE;
memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE);
for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
plain-=RIJNDAEL_BLOCKSIZE) {
rijndael_decrypt(&c->r_ctx, cnow, plain);
ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
plain[j] ^= ivp[j];
}
memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
}
return (1);
}
static int
ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
{
struct ssh_rijndael_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
memset(c, 0, sizeof(*c));
xfree(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
}
return (1);
}
static EVP_CIPHER *
evp_rijndael(void)
{
static EVP_CIPHER rijndal_cbc;
memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER));
rijndal_cbc.nid = NID_undef;
rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE;
rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;
rijndal_cbc.key_len = 16;
rijndal_cbc.init = ssh_rijndael_init;
rijndal_cbc.cleanup = ssh_rijndael_cleanup;
rijndal_cbc.do_cipher = ssh_rijndael_cbc;
rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
EVP_CIPH_ALWAYS_CALL_INIT;
return (&rijndal_cbc);
}

38
cipher.h
View File

@ -32,16 +32,12 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* RCSID("$OpenBSD: cipher.h,v 1.30 2002/02/14 23:41:01 markus Exp $"); */
/* RCSID("$OpenBSD: cipher.h,v 1.31 2002/02/18 13:05:32 markus Exp $"); */
#ifndef CIPHER_H
#define CIPHER_H
#include <openssl/des.h>
#include <openssl/blowfish.h>
#include <openssl/rc4.h>
#include <openssl/cast.h>
#include "rijndael.h"
#include <openssl/evp.h>
/*
* Cipher types for SSH-1. New types can be added, but old types should not
* be removed for compatibility. The maximum allowed value is 31.
@ -67,36 +63,8 @@ typedef struct CipherContext CipherContext;
struct Cipher;
struct CipherContext {
union {
struct {
des_key_schedule key;
des_cblock iv;
} des;
struct {
des_key_schedule key1;
des_key_schedule key2;
des_key_schedule key3;
des_cblock iv1;
des_cblock iv2;
des_cblock iv3;
} des3;
struct {
struct bf_key_st key;
u_char iv[8];
} bf;
struct {
CAST_KEY key;
u_char iv[8];
} cast;
struct {
u_char iv[16];
rijndael_ctx enc;
rijndael_ctx dec;
} rijndael;
RC4_KEY rc4;
} u;
int plaintext;
int encrypt;
EVP_CIPHER_CTX evp;
Cipher *cipher;
};