search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dropbear 2015.71
[tomato.git] / release / src-rt-6.x.4708 / router / dropbear / common-algo.c
blob002ae667fd75e2b804e7ceb72f25cf3d94413f89
1 /*
2 * Dropbear SSH
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * Copyright (c) 2004 by Mihnea Stoenescu
6 * All rights reserved.
7 *
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
14 *
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24 * SOFTWARE. */
25
26 #include "includes.h"
27 #include "algo.h"
28 #include "session.h"
29 #include "dbutil.h"
30 #include "kex.h"
31 #include "ltc_prng.h"
32 #include "ecc.h"
33
34 /* This file (algo.c) organises the ciphers which can be used, and is used to
35 * decide which ciphers/hashes/compression/signing to use during key exchange*/
36
37 static int void_cipher(const unsigned char* in, unsigned char* out,
38 unsigned long len, void* UNUSED(cipher_state)) {
39 if (in != out) {
40 memmove(out, in, len);
41 }
42 return CRYPT_OK;
43 }
44
45 static int void_start(int UNUSED(cipher), const unsigned char* UNUSED(IV),
46 const unsigned char* UNUSED(key),
47 int UNUSED(keylen), int UNUSED(num_rounds), void* UNUSED(cipher_state)) {
48 return CRYPT_OK;
49 }
50
51 /* Mappings for ciphers, parameters are
52 {&cipher_desc, keysize, blocksize} */
53
54 /* Remember to add new ciphers/hashes to regciphers/reghashes too */
55
56 #ifdef DROPBEAR_AES256
57 static const struct dropbear_cipher dropbear_aes256 =
58 {&aes_desc, 32, 16};
59 #endif
60 #ifdef DROPBEAR_AES128
61 static const struct dropbear_cipher dropbear_aes128 =
62 {&aes_desc, 16, 16};
63 #endif
64 #ifdef DROPBEAR_BLOWFISH
65 static const struct dropbear_cipher dropbear_blowfish =
66 {&blowfish_desc, 16, 8};
67 #endif
68 #ifdef DROPBEAR_TWOFISH256
69 static const struct dropbear_cipher dropbear_twofish256 =
70 {&twofish_desc, 32, 16};
71 #endif
72 #ifdef DROPBEAR_TWOFISH128
73 static const struct dropbear_cipher dropbear_twofish128 =
74 {&twofish_desc, 16, 16};
75 #endif
76 #ifdef DROPBEAR_3DES
77 static const struct dropbear_cipher dropbear_3des =
78 {&des3_desc, 24, 8};
79 #endif
80
81 /* used to indicate no encryption, as defined in rfc2410 */
82 const struct dropbear_cipher dropbear_nocipher =
83 {NULL, 16, 8};
84
85 /* A few void* s are required to silence warnings
86 * about the symmetric_CBC vs symmetric_CTR cipher_state pointer */
87 #ifdef DROPBEAR_ENABLE_CBC_MODE
88 const struct dropbear_cipher_mode dropbear_mode_cbc =
89 {(void*)cbc_start, (void*)cbc_encrypt, (void*)cbc_decrypt};
90 #endif /* DROPBEAR_ENABLE_CBC_MODE */
91
92 const struct dropbear_cipher_mode dropbear_mode_none =
93 {void_start, void_cipher, void_cipher};
94
95 #ifdef DROPBEAR_ENABLE_CTR_MODE
96 /* a wrapper to make ctr_start and cbc_start look the same */
97 static int dropbear_big_endian_ctr_start(int cipher,
98 const unsigned char *IV,
99 const unsigned char *key, int keylen,
100 int num_rounds, symmetric_CTR *ctr) {
101 return ctr_start(cipher, IV, key, keylen, num_rounds, CTR_COUNTER_BIG_ENDIAN, ctr);
102 }
103 const struct dropbear_cipher_mode dropbear_mode_ctr =
104 {(void*)dropbear_big_endian_ctr_start, (void*)ctr_encrypt, (void*)ctr_decrypt};
105 #endif /* DROPBEAR_ENABLE_CTR_MODE */
106
107 /* Mapping of ssh hashes to libtomcrypt hashes, including keysize etc.
108 {&hash_desc, keysize, hashsize} */
109
110 #ifdef DROPBEAR_SHA1_HMAC
111 static const struct dropbear_hash dropbear_sha1 =
112 {&sha1_desc, 20, 20};
113 #endif
114 #ifdef DROPBEAR_SHA1_96_HMAC
115 static const struct dropbear_hash dropbear_sha1_96 =
116 {&sha1_desc, 20, 12};
117 #endif
118 #ifdef DROPBEAR_SHA2_256_HMAC
119 static const struct dropbear_hash dropbear_sha2_256 =
120 {&sha256_desc, 32, 32};
121 #endif
122 #ifdef DROPBEAR_SHA2_512_HMAC
123 static const struct dropbear_hash dropbear_sha2_512 =
124 {&sha512_desc, 64, 64};
125 #endif
126 #ifdef DROPBEAR_MD5_HMAC
127 static const struct dropbear_hash dropbear_md5 =
128 {&md5_desc, 16, 16};
129 #endif
130
131 const struct dropbear_hash dropbear_nohash =
132 {NULL, 16, 0}; /* used initially */
133
134
135 /* The following map ssh names to internal values.
136 * The ordering here is important for the client - the first mode
137 * that is also supported by the server will get used. */
138
139 algo_type sshciphers[] = {
140 #ifdef DROPBEAR_ENABLE_CTR_MODE
141 #ifdef DROPBEAR_AES128
142 {"aes128-ctr", 0, &dropbear_aes128, 1, &dropbear_mode_ctr},
143 #endif
144 #ifdef DROPBEAR_AES256
145 {"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr},
146 #endif
147 #ifdef DROPBEAR_TWOFISH_CTR
148 /* twofish ctr is conditional as it hasn't been tested for interoperability, see options.h */
149 #ifdef DROPBEAR_TWOFISH256
150 {"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr},
151 #endif
152 #ifdef DROPBEAR_TWOFISH128
153 {"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr},
154 #endif
155 #endif /* DROPBEAR_TWOFISH_CTR */
156 #endif /* DROPBEAR_ENABLE_CTR_MODE */
157
158 #ifdef DROPBEAR_ENABLE_CBC_MODE
159 #ifdef DROPBEAR_AES128
160 {"aes128-cbc", 0, &dropbear_aes128, 1, &dropbear_mode_cbc},
161 #endif
162 #ifdef DROPBEAR_AES256
163 {"aes256-cbc", 0, &dropbear_aes256, 1, &dropbear_mode_cbc},
164 #endif
165 #ifdef DROPBEAR_TWOFISH256
166 {"twofish256-cbc", 0, &dropbear_twofish256, 1, &dropbear_mode_cbc},
167 {"twofish-cbc", 0, &dropbear_twofish256, 1, &dropbear_mode_cbc},
168 #endif
169 #ifdef DROPBEAR_TWOFISH128
170 {"twofish128-cbc", 0, &dropbear_twofish128, 1, &dropbear_mode_cbc},
171 #endif
172 #ifdef DROPBEAR_3DES
173 {"3des-ctr", 0, &dropbear_3des, 1, &dropbear_mode_ctr},
174 #endif
175 #ifdef DROPBEAR_3DES
176 {"3des-cbc", 0, &dropbear_3des, 1, &dropbear_mode_cbc},
177 #endif
178 #ifdef DROPBEAR_BLOWFISH
179 {"blowfish-cbc", 0, &dropbear_blowfish, 1, &dropbear_mode_cbc},
180 #endif
181 #endif /* DROPBEAR_ENABLE_CBC_MODE */
182 #ifdef DROPBEAR_NONE_CIPHER
183 {"none", 0, (void*)&dropbear_nocipher, 1, &dropbear_mode_none},
184 #endif
185 {NULL, 0, NULL, 0, NULL}
186 };
187
188 algo_type sshhashes[] = {
189 #ifdef DROPBEAR_SHA1_96_HMAC
190 {"hmac-sha1-96", 0, &dropbear_sha1_96, 1, NULL},
191 #endif
192 #ifdef DROPBEAR_SHA1_HMAC
193 {"hmac-sha1", 0, &dropbear_sha1, 1, NULL},
194 #endif
195 #ifdef DROPBEAR_SHA2_256_HMAC
196 {"hmac-sha2-256", 0, &dropbear_sha2_256, 1, NULL},
197 #endif
198 #ifdef DROPBEAR_SHA2_512_HMAC
199 {"hmac-sha2-512", 0, &dropbear_sha2_512, 1, NULL},
200 #endif
201 #ifdef DROPBEAR_MD5_HMAC
202 {"hmac-md5", 0, (void*)&dropbear_md5, 1, NULL},
203 #endif
204 #ifdef DROPBEAR_NONE_INTEGRITY
205 {"none", 0, (void*)&dropbear_nohash, 1, NULL},
206 #endif
207 {NULL, 0, NULL, 0, NULL}
208 };
209
210 #ifndef DISABLE_ZLIB
211 algo_type ssh_compress[] = {
212 {"zlib@openssh.com", DROPBEAR_COMP_ZLIB_DELAY, NULL, 1, NULL},
213 {"zlib", DROPBEAR_COMP_ZLIB, NULL, 1, NULL},
214 {"none", DROPBEAR_COMP_NONE, NULL, 1, NULL},
215 {NULL, 0, NULL, 0, NULL}
216 };
217
218 algo_type ssh_delaycompress[] = {
219 {"zlib@openssh.com", DROPBEAR_COMP_ZLIB_DELAY, NULL, 1, NULL},
220 {"none", DROPBEAR_COMP_NONE, NULL, 1, NULL},
221 {NULL, 0, NULL, 0, NULL}
222 };
223 #endif
224
225 algo_type ssh_nocompress[] = {
226 {"none", DROPBEAR_COMP_NONE, NULL, 1, NULL},
227 {NULL, 0, NULL, 0, NULL}
228 };
229
230 algo_type sshhostkey[] = {
231 #ifdef DROPBEAR_ECDSA
232 #ifdef DROPBEAR_ECC_256
233 {"ecdsa-sha2-nistp256", DROPBEAR_SIGNKEY_ECDSA_NISTP256, NULL, 1, NULL},
234 #endif
235 #ifdef DROPBEAR_ECC_384
236 {"ecdsa-sha2-nistp384", DROPBEAR_SIGNKEY_ECDSA_NISTP384, NULL, 1, NULL},
237 #endif
238 #ifdef DROPBEAR_ECC_521
239 {"ecdsa-sha2-nistp521", DROPBEAR_SIGNKEY_ECDSA_NISTP521, NULL, 1, NULL},
240 #endif
241 #endif
242 #ifdef DROPBEAR_RSA
243 {"ssh-rsa", DROPBEAR_SIGNKEY_RSA, NULL, 1, NULL},
244 #endif
245 #ifdef DROPBEAR_DSS
246 {"ssh-dss", DROPBEAR_SIGNKEY_DSS, NULL, 1, NULL},
247 #endif
248 {NULL, 0, NULL, 0, NULL}
249 };
250
251 static const struct dropbear_kex kex_dh_group1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_1, DH_P_1_LEN, NULL, &sha1_desc };
252 static const struct dropbear_kex kex_dh_group14 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
253
254 /* These can't be const since dropbear_ecc_fill_dp() fills out
255 ecc_curve at runtime */
256 #ifdef DROPBEAR_ECDH
257 #ifdef DROPBEAR_ECC_256
258 static struct dropbear_kex kex_ecdh_nistp256 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp256, &sha256_desc };
259 #endif
260 #ifdef DROPBEAR_ECC_384
261 static struct dropbear_kex kex_ecdh_nistp384 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp384, &sha384_desc };
262 #endif
263 #ifdef DROPBEAR_ECC_521
264 static struct dropbear_kex kex_ecdh_nistp521 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp521, &sha512_desc };
265 #endif
266 #endif /* DROPBEAR_ECDH */
267
268 #ifdef DROPBEAR_CURVE25519
269 /* Referred to directly */
270 static const struct dropbear_kex kex_curve25519 = {DROPBEAR_KEX_CURVE25519, NULL, 0, NULL, &sha256_desc };
271 #endif
272
273 algo_type sshkex[] = {
274 #ifdef DROPBEAR_CURVE25519
275 {"curve25519-sha256@libssh.org", 0, &kex_curve25519, 1, NULL},
276 #endif
277 #ifdef DROPBEAR_ECDH
278 #ifdef DROPBEAR_ECC_521
279 {"ecdh-sha2-nistp521", 0, &kex_ecdh_nistp521, 1, NULL},
280 #endif
281 #ifdef DROPBEAR_ECC_384
282 {"ecdh-sha2-nistp384", 0, &kex_ecdh_nistp384, 1, NULL},
283 #endif
284 #ifdef DROPBEAR_ECC_256
285 {"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL},
286 #endif
287 #endif
288 {"diffie-hellman-group14-sha1", 0, &kex_dh_group14, 1, NULL},
289 {"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL},
290 #ifdef USE_KEXGUESS2
291 {KEXGUESS2_ALGO_NAME, KEXGUESS2_ALGO_ID, NULL, 1, NULL},
292 #endif
293 {NULL, 0, NULL, 0, NULL}
294 };
295
296 /* algolen specifies the length of algo, algos is our local list to match
297 * against.
298 * Returns DROPBEAR_SUCCESS if we have a match for algo, DROPBEAR_FAILURE
299 * otherwise */
300 int have_algo(char* algo, size_t algolen, algo_type algos[]) {
301
302 int i;
303
304 for (i = 0; algos[i].name != NULL; i++) {
305 if (strlen(algos[i].name) == algolen
306 && (strncmp(algos[i].name, algo, algolen) == 0)) {
307 return DROPBEAR_SUCCESS;
308 }
309 }
310
311 return DROPBEAR_FAILURE;
312 }
313
314 /* Output a comma separated list of algorithms to a buffer */
315 void buf_put_algolist(buffer * buf, algo_type localalgos[]) {
316
317 unsigned int i, len;
318 unsigned int donefirst = 0;
319 buffer *algolist = NULL;
320
321 algolist = buf_new(200);
322 for (i = 0; localalgos[i].name != NULL; i++) {
323 if (localalgos[i].usable) {
324 if (donefirst)
325 buf_putbyte(algolist, ',');
326 donefirst = 1;
327 len = strlen(localalgos[i].name);
328 buf_putbytes(algolist, (const unsigned char *) localalgos[i].name, len);
329 }
330 }
331 buf_putstring(buf, (const char*)algolist->data, algolist->len);
332 buf_free(algolist);
333 }
334
335 /* match the first algorithm in the comma-separated list in buf which is
336 * also in localalgos[], or return NULL on failure.
337 * (*goodguess) is set to 1 if the preferred client/server algos match,
338 * 0 otherwise. This is used for checking if the kexalgo/hostkeyalgos are
339 * guessed correctly */
340 algo_type * buf_match_algo(buffer* buf, algo_type localalgos[],
341 enum kexguess2_used *kexguess2, int *goodguess)
342 {
343
344 char * algolist = NULL;
345 const char *remotenames[MAX_PROPOSED_ALGO], *localnames[MAX_PROPOSED_ALGO];
346 unsigned int len;
347 unsigned int remotecount, localcount, clicount, servcount, i, j;
348 algo_type * ret = NULL;
349 const char **clinames, **servnames;
350
351 if (goodguess) {
352 *goodguess = 0;
353 }
354
355 /* get the comma-separated list from the buffer ie "algo1,algo2,algo3" */
356 algolist = buf_getstring(buf, &len);
357 TRACE(("buf_match_algo: %s", algolist))
358 if (len > MAX_PROPOSED_ALGO*(MAX_NAME_LEN+1)) {
359 goto out;
360 }
361
362 /* remotenames will contain a list of the strings parsed out */
363 /* We will have at least one string (even if it's just "") */
364 remotenames[0] = algolist;
365 remotecount = 1;
366 for (i = 0; i < len; i++) {
367 if (algolist[i] == '\0') {
368 /* someone is trying something strange */
369 goto out;
370 }
371 if (algolist[i] == ',') {
372 algolist[i] = '\0';
373 remotenames[remotecount] = &algolist[i+1];
374 remotecount++;
375 }
376 if (remotecount >= MAX_PROPOSED_ALGO) {
377 break;
378 }
379 }
380 if (kexguess2 && *kexguess2 == KEXGUESS2_LOOK) {
381 for (i = 0; i < remotecount; i++)
382 {
383 if (strcmp(remotenames[i], KEXGUESS2_ALGO_NAME) == 0) {
384 *kexguess2 = KEXGUESS2_YES;
385 break;
386 }
387 }
388 if (*kexguess2 == KEXGUESS2_LOOK) {
389 *kexguess2 = KEXGUESS2_NO;
390 }
391 }
392
393 for (i = 0; localalgos[i].name != NULL; i++) {
394 if (localalgos[i].usable) {
395 localnames[i] = localalgos[i].name;
396 } else {
397 localnames[i] = NULL;
398 }
399 }
400 localcount = i;
401
402 if (IS_DROPBEAR_SERVER) {
403 clinames = remotenames;
404 clicount = remotecount;
405 servnames = localnames;
406 servcount = localcount;
407 } else {
408 clinames = localnames;
409 clicount = localcount;
410 servnames = remotenames;
411 servcount = remotecount;
412 }
413
414 /* iterate and find the first match */
415 for (i = 0; i < clicount; i++) {
416 for (j = 0; j < servcount; j++) {
417 if (!(servnames[j] && clinames[i])) {
418 /* unusable algos are NULL */
419 continue;
420 }
421 if (strcmp(servnames[j], clinames[i]) == 0) {
422 /* set if it was a good guess */
423 if (goodguess && kexguess2) {
424 if (*kexguess2 == KEXGUESS2_YES) {
425 if (i == 0) {
426 *goodguess = 1;
427 }
428
429 } else {
430 if (i == 0 && j == 0) {
431 *goodguess = 1;
432 }
433 }
434 }
435 /* set the algo to return */
436 if (IS_DROPBEAR_SERVER) {
437 ret = &localalgos[j];
438 } else {
439 ret = &localalgos[i];
440 }
441 goto out;
442 }
443 }
444 }
445
446 out:
447 m_free(algolist);
448 return ret;
449 }
450
451 #ifdef DROPBEAR_NONE_CIPHER
452
453 void
454 set_algo_usable(algo_type algos[], const char * algo_name, int usable)
455 {
456 algo_type *a;
457 for (a = algos; a->name != NULL; a++)
458 {
459 if (strcmp(a->name, algo_name) == 0)
460 {
461 a->usable = usable;
462 return;
463 }
464 }
465 }
466
467 int
468 get_algo_usable(algo_type algos[], const char * algo_name)
469 {
470 algo_type *a;
471 for (a = algos; a->name != NULL; a++)
472 {
473 if (strcmp(a->name, algo_name) == 0)
474 {
475 return a->usable;
476 }
477 }
478 return 0;
479 }
480
481 #endif /* DROPBEAR_NONE_CIPHER */
482
483 #ifdef ENABLE_USER_ALGO_LIST
484
485 char *
486 algolist_string(algo_type algos[])
487 {
488 char *ret_list;
489 buffer *b = buf_new(200);
490 buf_put_algolist(b, algos);
491 buf_setpos(b, b->len);
492 buf_putbyte(b, '\0');
493 buf_setpos(b, 4);
494 ret_list = m_strdup((const char *) buf_getptr(b, b->len - b->pos));
495 buf_free(b);
496 return ret_list;
497 }
498
499 static algo_type*
500 check_algo(const char* algo_name, algo_type *algos)
501 {
502 algo_type *a;
503 for (a = algos; a->name != NULL; a++)
504 {
505 if (strcmp(a->name, algo_name) == 0)
506 {
507 return a;
508 }
509 }
510
511 return NULL;
512 }
513
514 static void
515 try_add_algo(const char *algo_name, algo_type *algos,
516 const char *algo_desc, algo_type * new_algos, int *num_ret)
517 {
518 algo_type *match_algo = check_algo(algo_name, algos);
519 if (!match_algo)
520 {
521 dropbear_log(LOG_WARNING, "This Dropbear program does not support '%s' %s algorithm", algo_name, algo_desc);
522 return;
523 }
524
525 new_algos[*num_ret] = *match_algo;
526 (*num_ret)++;
527 }
528
529 /* Checks a user provided comma-separated algorithm list for available
530 * options. Any that are not acceptable are removed in-place. Returns the
531 * number of valid algorithms. */
532 int
533 check_user_algos(const char* user_algo_list, algo_type * algos,
534 const char *algo_desc)
535 {
536 algo_type new_algos[MAX_PROPOSED_ALGO];
537 /* this has two passes. first we sweep through the given list of
538 * algorithms and mark them as usable=2 in the algo_type[] array... */
539 int num_ret = 0;
540 char *work_list = m_strdup(user_algo_list);
541 char *last_name = work_list;
542 char *c;
543 for (c = work_list; *c; c++)
544 {
545 if (*c == ',')
546 {
547 *c = '\0';
548 try_add_algo(last_name, algos, algo_desc, new_algos, &num_ret);
549 c++;
550 last_name = c;
551 }
552 }
553 try_add_algo(last_name, algos, algo_desc, new_algos, &num_ret);
554 m_free(work_list);
555
556 new_algos[num_ret].name = NULL;
557
558 /* Copy one more as a blank delimiter */
559 memcpy(algos, new_algos, sizeof(*new_algos) * (num_ret+1));
560 return num_ret;
561 }
562 #endif /* ENABLE_USER_ALGO_LIST */
Tomato firmware and modifications.