[erlang-bugs] Erlang R13B01 ssh and crypto module patch of aes128-cbc support on ssh
Niclas Eklund
nick@REDACTED
Sat Sep 5 19:55:57 CEST 2009
Hello!
The crypto stuff will make into R13B02 and hopefullly also the SSH fixes
as well.
/Niclas @ Erlang/OTP
On Thu, 13 Aug 2009, Kenji Rikitake wrote:
> The following patch includes a feature enhancement of Erlang R13B01 ssh
> and crypto modules to support aes128-cbc mode on SSH.
>
> BUG FOUND: ssh_transport:unpack/3 causes crypto:aes_cbc_ivec/1 to crash,
> by passing a null binary (<<>>), which causes erlang:split_binary/2 to
> crash by badarg.
>
> By tracing the exchange between a FreeBSD OpenSSH implementation, I
> found a case where the internal variable SshLength in
> ssh_transport:unpack/3 goes to zero, which leads to passing a null
> binary as an argument to ssh_transport:decrypt_blocks/3 and to
> aes_cbc_ivec/1. So I added a case statement to avoid calling the
> decrypt_blocks/3 when SshLength = 0.
>
> Patches follow.
>
> Kenji Rikitake
>
> --- lib/ssh/src/ssh_transport.erl.FCS 2009-06-05 21:55:34.000000000 +0900
> +++ lib/ssh/src/ssh_transport.erl 2009-08-13 17:42:28.000000000 +0900
> @@ -228,8 +228,10 @@
> cookie = Random,
> kex_algorithms = ["diffie-hellman-group1-sha1"],
> server_host_key_algorithms = ["ssh-rsa", "ssh-dss"],
> - encryption_algorithms_client_to_server = ["3des-cbc"],
> - encryption_algorithms_server_to_client = ["3des-cbc"],
> + %% encryption_algorithms_client_to_server = ["3des-cbc"],
> + %% encryption_algorithms_server_to_client = ["3des-cbc"],
> + encryption_algorithms_client_to_server = ["aes128-cbc","3des-cbc"],
> + encryption_algorithms_server_to_client = ["aes128-cbc","3des-cbc"],
> mac_algorithms_client_to_server = ["hmac-sha1"],
> mac_algorithms_server_to_client = ["hmac-sha1"],
> compression_algorithms_client_to_server = Compression,
> @@ -243,8 +245,10 @@
> cookie = Random,
> kex_algorithms = ["diffie-hellman-group1-sha1"],
> server_host_key_algorithms = ["ssh-dss"],
> - encryption_algorithms_client_to_server = ["3des-cbc"],
> - encryption_algorithms_server_to_client = ["3des-cbc"],
> + %% encryption_algorithms_client_to_server = ["3des-cbc"],
> + %% encryption_algorithms_server_to_client = ["3des-cbc"],
> + encryption_algorithms_client_to_server = ["aes128-cbc","3des-cbc"],
> + encryption_algorithms_server_to_client = ["aes128-cbc","3des-cbc"],
> mac_algorithms_client_to_server = ["hmac-sha1"],
> mac_algorithms_server_to_client = ["hmac-sha1"],
> compression_algorithms_client_to_server = Compression,
> @@ -703,6 +707,9 @@
>
> unpack(EncodedSoFar, ReminingLenght, #ssh{recv_mac_size = MacSize} = Ssh0) ->
> SshLength = ReminingLenght - MacSize,
> + %%?dbg(?DBG_CRYPTO,
> + %% "unpack: EncodedsoFar=~p SshLength=~p ReminingLenght=~p MacSize=~p ~n",
> + %% [EncodedSoFar, SshLength, ReminingLenght, MacSize]),
> {NoMac, Mac, Rest} = case MacSize of
> 0 ->
> <<NoMac0:SshLength/binary,
> @@ -714,8 +721,16 @@
> Rest0/binary>> = EncodedSoFar,
> {NoMac0, Mac0, Rest0}
> end,
> - {Ssh1, DecData, <<>>} =
> - ssh_transport:decrypt_blocks(NoMac, SshLength, Ssh0),
> + %%?dbg(?DBG_CRYPTO, "unpack: NoMac=~p Mac=~p Rest=~p ~n",
> + %% [NoMac, Mac, Rest]),
> + {Ssh1, DecData, <<>>} = case SshLength of
> + 0 ->
> + {Ssh0, <<>>, <<>>};
> + _ ->
> + ssh_transport:decrypt_blocks(NoMac, SshLength, Ssh0)
> + end,
> + %%?dbg(?DBG_CRYPTO, "unpack: Ssh1=~p DecData=~p Rest=~p Mac=~p ~n",
> + %% [Ssh1, DecData, Rest, Mac]),
> {Ssh1, DecData, Rest, Mac}.
>
> msg_data(PacketData) ->
> @@ -800,6 +815,18 @@
> <<K1:8/binary, K2:8/binary, K3:8/binary>> = hash(Ssh, "D", 192),
> {ok, Ssh#ssh{encrypt_keys = {K1,K2,K3},
> encrypt_block_size = 8,
> + encrypt_ctx = IV}};
> +encrypt_init(#ssh{encrypt = 'aes128-cbc', role = client} = Ssh) ->
> + IV = hash(Ssh, "A", 128),
> + <<K:16/binary>> = hash(Ssh, "C", 128),
> + {ok, Ssh#ssh{encrypt_keys = K,
> + encrypt_block_size = 16,
> + encrypt_ctx = IV}};
> +encrypt_init(#ssh{encrypt = 'aes128-cbc', role = server} = Ssh) ->
> + IV = hash(Ssh, "B", 128),
> + <<K:16/binary>> = hash(Ssh, "D", 128),
> + {ok, Ssh#ssh{encrypt_keys = K,
> + encrypt_block_size = 16,
> encrypt_ctx = IV}}.
>
> encrypt_final(Ssh) ->
> @@ -815,10 +842,19 @@
> encrypt_keys = {K1,K2,K3},
> encrypt_ctx = IV0} = Ssh, Data) ->
> %%?dbg(?DBG_CRYPTO, "encrypt: IV=~p K1=~p, K2=~p, K3=~p ~n",
> - %% [IV0,K1,K2,K3]),
> + %% [IV0,K1,K2,K3]),
> Enc = crypto:des3_cbc_encrypt(K1,K2,K3,IV0,Data),
> %%?dbg(?DBG_CRYPTO, "encrypt: ~p -> ~p ~n", [Data, Enc]),
> IV = crypto:des_cbc_ivec(Enc),
> + {Ssh#ssh{encrypt_ctx = IV}, Enc};
> +encrypt(#ssh{encrypt = 'aes128-cbc',
> + encrypt_keys = K,
> + encrypt_ctx = IV0} = Ssh, Data) ->
> + %%?dbg(?DBG_CRYPTO, "encrypt: IV=~p K=~p ~n",
> + %% [IV0,K]),
> + Enc = crypto:aes_cbc_128_encrypt(K,IV0,Data),
> + %%?dbg(?DBG_CRYPTO, "encrypt: ~p -> ~p ~n", [Data, Enc]),
> + IV = crypto:aes_cbc_ivec(Enc),
> {Ssh#ssh{encrypt_ctx = IV}, Enc}.
>
>
> @@ -840,7 +876,21 @@
> hash(Ssh, "C", 192)},
> <<K1:8/binary, K2:8/binary, K3:8/binary>> = KD,
> {ok, Ssh#ssh{decrypt_keys = {K1, K2, K3}, decrypt_ctx = IV,
> - decrypt_block_size = 8}}.
> + decrypt_block_size = 8}};
> +
> +decrypt_init(#ssh{decrypt = 'aes128-cbc', role = client} = Ssh) ->
> + {IV, KD} = {hash(Ssh, "B", 128),
> + hash(Ssh, "D", 128)},
> + <<K:16/binary>> = KD,
> + {ok, Ssh#ssh{decrypt_keys = K, decrypt_ctx = IV,
> + decrypt_block_size = 16}};
> +
> +decrypt_init(#ssh{decrypt = 'aes128-cbc', role = server} = Ssh) ->
> + {IV, KD} = {hash(Ssh, "A", 128),
> + hash(Ssh, "C", 128)},
> + <<K:16/binary>> = KD,
> + {ok, Ssh#ssh{decrypt_keys = K, decrypt_ctx = IV,
> + decrypt_block_size = 16}}.
>
> decrypt_final(Ssh) ->
> {ok, Ssh#ssh {decrypt = none,
> @@ -858,6 +908,14 @@
> Dec = crypto:des3_cbc_decrypt(K1,K2,K3,IV0,Data),
> %%?dbg(?DBG_CRYPTO, "decrypt: ~p -> ~p ~n", [Data, Dec]),
> IV = crypto:des_cbc_ivec(Data),
> + {Ssh#ssh{decrypt_ctx = IV}, Dec};
> +decrypt(#ssh{decrypt = 'aes128-cbc', decrypt_keys = Key,
> + decrypt_ctx = IV0} = Ssh, Data) ->
> + %%?dbg(?DBG_CRYPTO, "decrypt: IV=~p Key=~p ~n",
> + %% [IV0,Key]),
> + Dec = crypto:aes_cbc_128_decrypt(Key,IV0,Data),
> + %%?dbg(?DBG_CRYPTO, "decrypt: ~p -> ~p ~n", [Data, Dec]),
> + IV = crypto:aes_cbc_ivec(Data),
> {Ssh#ssh{decrypt_ctx = IV}, Dec}.
>
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> --- lib/crypto/src/crypto.erl.FCS 2009-03-12 21:28:35.000000000 +0900
> +++ lib/crypto/src/crypto.erl 2009-08-13 13:27:09.000000000 +0900
> @@ -45,6 +45,7 @@
> %% -export([idea_cbc_encrypt/3, idea_cbc_decrypt/3]).
> -export([aes_cbc_128_encrypt/3, aes_cbc_128_decrypt/3]).
> -export([aes_cbc_256_encrypt/3, aes_cbc_256_decrypt/3]).
> +-export([aes_cbc_ivec/1]).
>
> -export([dh_generate_parameters/2, dh_check/1]). %% Testing see below
>
> @@ -469,6 +470,19 @@
> control(?AES_CBC_256_DECRYPT, [Key, IVec, Data]).
>
> %%
> +%% aes_cbc_ivec(Data) -> binary()
> +%%
> +%% Returns the IVec to be used in the next iteration of
> +%% aes_cbc_*_[encrypt|decrypt].
> +%% IVec size: 16 bytes
> +%%
> +aes_cbc_ivec(Data) when is_binary(Data) ->
> + {_, IVec} = split_binary(Data, size(Data) - 16),
> + IVec;
> +aes_cbc_ivec(Data) when is_list(Data) ->
> + aes_cbc_ivec(list_to_binary(Data)).
> +
> +%%
> %% XOR - xor to iolists and return a binary
> %% NB doesn't check that they are the same size, just concatenates
> %% them and sends them to the driver
>
More information about the erlang-bugs
mailing list