|
Packit |
6c0a39 |
/*
|
|
Packit |
6c0a39 |
* crypt.c - blowfish-cbc code
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* This file is part of the SSH Library
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* Copyright (c) 2003 by Aris Adamantiadis
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* The SSH Library is free software; you can redistribute it and/or modify
|
|
Packit |
6c0a39 |
* it under the terms of the GNU Lesser General Public License as published by
|
|
Packit |
6c0a39 |
* the Free Software Foundation; either version 2.1 of the License, or (at your
|
|
Packit |
6c0a39 |
* option) any later version.
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* The SSH Library is distributed in the hope that it will be useful, but
|
|
Packit |
6c0a39 |
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
Packit |
6c0a39 |
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
|
|
Packit |
6c0a39 |
* License for more details.
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit |
6c0a39 |
* along with the SSH Library; see the file COPYING. If not, write to
|
|
Packit |
6c0a39 |
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
|
|
Packit |
6c0a39 |
* MA 02111-1307, USA.
|
|
Packit |
6c0a39 |
*/
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
#include "config.h"
|
|
Packit |
6c0a39 |
#include <assert.h>
|
|
Packit |
6c0a39 |
#include <stdlib.h>
|
|
Packit |
6c0a39 |
#include <stdio.h>
|
|
Packit |
6c0a39 |
#include <string.h>
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
#ifndef _WIN32
|
|
Packit |
6c0a39 |
#include <netinet/in.h>
|
|
Packit |
6c0a39 |
#include <arpa/inet.h>
|
|
Packit |
6c0a39 |
#endif
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
#ifdef OPENSSL_CRYPTO
|
|
Packit |
6c0a39 |
#include <openssl/evp.h>
|
|
Packit |
6c0a39 |
#include <openssl/hmac.h>
|
|
Packit |
6c0a39 |
#endif
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
#include "libssh/priv.h"
|
|
Packit |
6c0a39 |
#include "libssh/session.h"
|
|
Packit |
6c0a39 |
#include "libssh/wrapper.h"
|
|
Packit |
6c0a39 |
#include "libssh/crypto.h"
|
|
Packit |
6c0a39 |
#include "libssh/buffer.h"
|
|
Packit |
6c0a39 |
#include "libssh/bytearray.h"
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
/** @internal
|
|
Packit |
6c0a39 |
* @brief decrypt the packet length from a raw encrypted packet, and store the first decrypted
|
|
Packit |
6c0a39 |
* blocksize.
|
|
Packit |
6c0a39 |
* @returns native byte-ordered decrypted length of the upcoming packet
|
|
Packit |
6c0a39 |
*/
|
|
Packit |
6c0a39 |
uint32_t ssh_packet_decrypt_len(ssh_session session,
|
|
Packit |
6c0a39 |
uint8_t *destination,
|
|
Packit |
6c0a39 |
uint8_t *source)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
struct ssh_crypto_struct *crypto = NULL;
|
|
Packit |
6c0a39 |
uint32_t decrypted;
|
|
Packit |
6c0a39 |
int rc;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN);
|
|
Packit |
6c0a39 |
if (crypto != NULL) {
|
|
Packit |
6c0a39 |
if (crypto->in_cipher->aead_decrypt_length != NULL) {
|
|
Packit Service |
fcc0d2 |
rc = crypto->in_cipher->aead_decrypt_length(
|
|
Packit |
6c0a39 |
crypto->in_cipher, source, destination,
|
|
Packit |
6c0a39 |
crypto->in_cipher->lenfield_blocksize,
|
|
Packit |
6c0a39 |
session->recv_seq);
|
|
Packit |
6c0a39 |
} else {
|
|
Packit |
6c0a39 |
rc = ssh_packet_decrypt(
|
|
Packit |
6c0a39 |
session,
|
|
Packit |
6c0a39 |
destination,
|
|
Packit |
6c0a39 |
source,
|
|
Packit |
6c0a39 |
0,
|
|
Packit |
6c0a39 |
crypto->in_cipher->blocksize);
|
|
Packit Service |
fcc0d2 |
}
|
|
Packit Service |
fcc0d2 |
if (rc < 0) {
|
|
Packit Service |
fcc0d2 |
return 0;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
} else {
|
|
Packit |
6c0a39 |
memcpy(destination, source, 8);
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
memcpy(&decrypted,destination,sizeof(decrypted));
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
return ntohl(decrypted);
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
/** @internal
|
|
Packit |
6c0a39 |
* @brief decrypts the content of an SSH packet.
|
|
Packit |
6c0a39 |
* @param[source] source packet, including the encrypted length field
|
|
Packit |
6c0a39 |
* @param[start] index in the packet that was not decrypted yet.
|
|
Packit |
6c0a39 |
* @param[encrypted_size] size of the encrypted data to be decrypted after start.
|
|
Packit |
6c0a39 |
*/
|
|
Packit |
6c0a39 |
int ssh_packet_decrypt(ssh_session session,
|
|
Packit |
6c0a39 |
uint8_t *destination,
|
|
Packit |
6c0a39 |
uint8_t *source,
|
|
Packit |
6c0a39 |
size_t start,
|
|
Packit |
6c0a39 |
size_t encrypted_size)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
struct ssh_crypto_struct *crypto = NULL;
|
|
Packit |
6c0a39 |
struct ssh_cipher_struct *cipher = NULL;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if (encrypted_size <= 0) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN);
|
|
Packit Service |
fcc0d2 |
if (crypto == NULL) {
|
|
Packit Service |
fcc0d2 |
return SSH_ERROR;
|
|
Packit Service |
fcc0d2 |
}
|
|
Packit |
6c0a39 |
cipher = crypto->in_cipher;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if (encrypted_size % cipher->blocksize != 0) {
|
|
Packit |
6c0a39 |
ssh_set_error(session,
|
|
Packit |
6c0a39 |
SSH_FATAL,
|
|
Packit |
6c0a39 |
"Cryptographic functions must be used on multiple of "
|
|
Packit |
6c0a39 |
"blocksize (received %" PRIdS ")",
|
|
Packit |
6c0a39 |
encrypted_size);
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if (cipher->aead_decrypt != NULL) {
|
|
Packit |
6c0a39 |
return cipher->aead_decrypt(cipher,
|
|
Packit |
6c0a39 |
source,
|
|
Packit |
6c0a39 |
destination,
|
|
Packit |
6c0a39 |
encrypted_size,
|
|
Packit |
6c0a39 |
session->recv_seq);
|
|
Packit |
6c0a39 |
} else {
|
|
Packit |
6c0a39 |
cipher->decrypt(cipher, source + start, destination, encrypted_size);
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
return 0;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
unsigned char *ssh_packet_encrypt(ssh_session session, void *data, uint32_t len)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
struct ssh_crypto_struct *crypto = NULL;
|
|
Packit |
6c0a39 |
struct ssh_cipher_struct *cipher = NULL;
|
|
Packit |
6c0a39 |
HMACCTX ctx = NULL;
|
|
Packit |
6c0a39 |
char *out = NULL;
|
|
Packit |
6c0a39 |
int etm_packet_offset = 0;
|
|
Packit |
6c0a39 |
unsigned int finallen, blocksize;
|
|
Packit |
6c0a39 |
uint32_t seq, lenfield_blocksize;
|
|
Packit |
6c0a39 |
enum ssh_hmac_e type;
|
|
Packit |
6c0a39 |
bool etm;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
assert(len);
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_OUT);
|
|
Packit |
6c0a39 |
if (crypto == NULL) {
|
|
Packit |
6c0a39 |
return NULL; /* nothing to do here */
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
blocksize = crypto->out_cipher->blocksize;
|
|
Packit |
6c0a39 |
lenfield_blocksize = crypto->out_cipher->lenfield_blocksize;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
type = crypto->out_hmac;
|
|
Packit |
6c0a39 |
etm = crypto->out_hmac_etm;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if (etm) {
|
|
Packit |
6c0a39 |
etm_packet_offset = sizeof(uint32_t);
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if ((len - lenfield_blocksize - etm_packet_offset) % blocksize != 0) {
|
|
Packit |
6c0a39 |
ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set"
|
|
Packit |
6c0a39 |
" on at least one blocksize (received %d)", len);
|
|
Packit |
6c0a39 |
return NULL;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
out = calloc(1, len);
|
|
Packit |
6c0a39 |
if (out == NULL) {
|
|
Packit |
6c0a39 |
return NULL;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
seq = ntohl(session->send_seq);
|
|
Packit |
6c0a39 |
cipher = crypto->out_cipher;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if (cipher->aead_encrypt != NULL) {
|
|
Packit |
6c0a39 |
cipher->aead_encrypt(cipher, data, out, len,
|
|
Packit |
6c0a39 |
crypto->hmacbuf, session->send_seq);
|
|
Packit |
6c0a39 |
memcpy(data, out, len);
|
|
Packit |
6c0a39 |
} else {
|
|
Packit |
6c0a39 |
ctx = hmac_init(crypto->encryptMAC, hmac_digest_len(type), type);
|
|
Packit |
6c0a39 |
if (ctx == NULL) {
|
|
Packit |
6c0a39 |
SAFE_FREE(out);
|
|
Packit |
6c0a39 |
return NULL;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if (!etm) {
|
|
Packit |
6c0a39 |
hmac_update(ctx, (unsigned char *)&seq, sizeof(uint32_t));
|
|
Packit |
6c0a39 |
hmac_update(ctx, data, len);
|
|
Packit |
6c0a39 |
hmac_final(ctx, crypto->hmacbuf, &finallen);
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
cipher->encrypt(cipher, (uint8_t*)data + etm_packet_offset, out, len - etm_packet_offset);
|
|
Packit |
6c0a39 |
memcpy((uint8_t*)data + etm_packet_offset, out, len - etm_packet_offset);
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if (etm) {
|
|
Packit |
6c0a39 |
PUSH_BE_U32(data, 0, len - etm_packet_offset);
|
|
Packit |
6c0a39 |
hmac_update(ctx, (unsigned char *)&seq, sizeof(uint32_t));
|
|
Packit |
6c0a39 |
hmac_update(ctx, data, len);
|
|
Packit |
6c0a39 |
hmac_final(ctx, crypto->hmacbuf, &finallen);
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
#ifdef DEBUG_CRYPTO
|
|
Packit Service |
fcc0d2 |
ssh_log_hexdump("mac: ", data, len);
|
|
Packit |
6c0a39 |
if (finallen != hmac_digest_len(type)) {
|
|
Packit Service |
fcc0d2 |
printf("Final len is %d\n", finallen);
|
|
Packit |
6c0a39 |
}
|
|
Packit Service |
fcc0d2 |
ssh_log_hexdump("Packet hmac", crypto->hmacbuf, hmac_digest_len(type));
|
|
Packit |
6c0a39 |
#endif
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
explicit_bzero(out, len);
|
|
Packit |
6c0a39 |
SAFE_FREE(out);
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
return crypto->hmacbuf;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
static int secure_memcmp(const void *s1, const void *s2, size_t n)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
int rc = 0;
|
|
Packit |
6c0a39 |
const unsigned char *p1 = s1;
|
|
Packit |
6c0a39 |
const unsigned char *p2 = s2;
|
|
Packit |
6c0a39 |
for (; n > 0; --n) {
|
|
Packit |
6c0a39 |
rc |= *p1++ ^ *p2++;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
return (rc != 0);
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
/**
|
|
Packit |
6c0a39 |
* @internal
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* @brief Verify the hmac of a packet
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* @param session The session to use.
|
|
Packit |
6c0a39 |
* @param data The pointer to the data to verify the hmac from.
|
|
Packit |
6c0a39 |
* @param len The length of the given data.
|
|
Packit |
6c0a39 |
* @param mac The mac to compare with the hmac.
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* @return 0 if hmac and mac are equal, < 0 if not or an error
|
|
Packit |
6c0a39 |
* occurred.
|
|
Packit |
6c0a39 |
*/
|
|
Packit |
6c0a39 |
int ssh_packet_hmac_verify(ssh_session session,
|
|
Packit |
6c0a39 |
const void *data,
|
|
Packit |
6c0a39 |
size_t len,
|
|
Packit |
6c0a39 |
uint8_t *mac,
|
|
Packit |
6c0a39 |
enum ssh_hmac_e type)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
struct ssh_crypto_struct *crypto = NULL;
|
|
Packit |
6c0a39 |
unsigned char hmacbuf[DIGEST_MAX_LEN] = {0};
|
|
Packit |
6c0a39 |
HMACCTX ctx;
|
|
Packit |
6c0a39 |
unsigned int hmaclen;
|
|
Packit |
6c0a39 |
uint32_t seq;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
/* AEAD types have no mac checking */
|
|
Packit |
6c0a39 |
if (type == SSH_HMAC_AEAD_POLY1305 ||
|
|
Packit |
6c0a39 |
type == SSH_HMAC_AEAD_GCM) {
|
|
Packit |
6c0a39 |
return SSH_OK;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN);
|
|
Packit Service |
fcc0d2 |
if (crypto == NULL) {
|
|
Packit Service |
fcc0d2 |
return SSH_ERROR;
|
|
Packit Service |
fcc0d2 |
}
|
|
Packit Service |
fcc0d2 |
|
|
Packit |
6c0a39 |
ctx = hmac_init(crypto->decryptMAC, hmac_digest_len(type), type);
|
|
Packit |
6c0a39 |
if (ctx == NULL) {
|
|
Packit |
6c0a39 |
return -1;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
seq = htonl(session->recv_seq);
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
hmac_update(ctx, (unsigned char *) &seq, sizeof(uint32_t));
|
|
Packit |
6c0a39 |
hmac_update(ctx, data, len);
|
|
Packit |
6c0a39 |
hmac_final(ctx, hmacbuf, &hmaclen);
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
#ifdef DEBUG_CRYPTO
|
|
Packit Service |
fcc0d2 |
ssh_log_hexdump("received mac",mac,hmaclen);
|
|
Packit Service |
fcc0d2 |
ssh_log_hexdump("Computed mac",hmacbuf,hmaclen);
|
|
Packit Service |
fcc0d2 |
ssh_log_hexdump("seq",(unsigned char *)&seq,sizeof(uint32_t));
|
|
Packit |
6c0a39 |
#endif
|
|
Packit |
6c0a39 |
if (secure_memcmp(mac, hmacbuf, hmaclen) == 0) {
|
|
Packit |
6c0a39 |
return 0;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
return -1;
|
|
Packit |
6c0a39 |
}
|