Erlang R13B01 ssh and crypto module patch of aes128-cbc support on ssh

Kenji Rikitake <>
Thu Aug 13 12:09:26 CEST 2009


The following patch includes a feature enhancement of Erlang R13B01 ssh
and crypto modules to support aes128-cbc mode on SSH.

BUG FOUND: ssh_transport:unpack/3 causes crypto:aes_cbc_ivec/1 to crash,
by passing a null binary (<<>>), which causes erlang:split_binary/2 to
crash by badarg.

By tracing the exchange between a FreeBSD OpenSSH implementation, I
found a case where the internal variable SshLength in
ssh_transport:unpack/3 goes to zero, which leads to passing a null
binary as an argument to ssh_transport:decrypt_blocks/3 and to
aes_cbc_ivec/1.  So I added a case statement to avoid calling the
decrypt_blocks/3 when SshLength = 0.

Patches follow.

Kenji Rikitake

--- lib/ssh/src/ssh_transport.erl.FCS	2009-06-05 21:55:34.000000000 +0900
+++ lib/ssh/src/ssh_transport.erl	2009-08-13 17:42:28.000000000 +0900
@@ -228,8 +228,10 @@
 		  cookie = Random,
 		  kex_algorithms = ["diffie-hellman-group1-sha1"],
 		  server_host_key_algorithms = ["ssh-rsa", "ssh-dss"],
-		  encryption_algorithms_client_to_server = ["3des-cbc"],
-		  encryption_algorithms_server_to_client = ["3des-cbc"],
+		  %% encryption_algorithms_client_to_server = ["3des-cbc"],
+		  %% encryption_algorithms_server_to_client = ["3des-cbc"],
+		  encryption_algorithms_client_to_server = ["aes128-cbc","3des-cbc"],
+		  encryption_algorithms_server_to_client = ["aes128-cbc","3des-cbc"],
 		  mac_algorithms_client_to_server = ["hmac-sha1"],
 		  mac_algorithms_server_to_client = ["hmac-sha1"],
 		  compression_algorithms_client_to_server = Compression,
@@ -243,8 +245,10 @@
 		  cookie = Random,
 		  kex_algorithms = ["diffie-hellman-group1-sha1"],
 		  server_host_key_algorithms = ["ssh-dss"],
-		  encryption_algorithms_client_to_server = ["3des-cbc"],
-		  encryption_algorithms_server_to_client = ["3des-cbc"],
+		  %% encryption_algorithms_client_to_server = ["3des-cbc"],
+		  %% encryption_algorithms_server_to_client = ["3des-cbc"],
+		  encryption_algorithms_client_to_server = ["aes128-cbc","3des-cbc"],
+		  encryption_algorithms_server_to_client = ["aes128-cbc","3des-cbc"],
 		  mac_algorithms_client_to_server = ["hmac-sha1"],
 		  mac_algorithms_server_to_client = ["hmac-sha1"],
 		  compression_algorithms_client_to_server = Compression,
@@ -703,6 +707,9 @@
 
 unpack(EncodedSoFar, ReminingLenght, #ssh{recv_mac_size = MacSize} = Ssh0) ->
     SshLength = ReminingLenght - MacSize,
+    %%?dbg(?DBG_CRYPTO, 
+    %%     "unpack: EncodedsoFar=~p SshLength=~p ReminingLenght=~p MacSize=~p ~n",
+    %%     [EncodedSoFar, SshLength, ReminingLenght, MacSize]),
     {NoMac, Mac, Rest} = case MacSize of
 			     0 ->
 				 <<NoMac0:SshLength/binary, 
@@ -714,8 +721,16 @@
 				  Rest0/binary>> = EncodedSoFar,
 				 {NoMac0, Mac0, Rest0}
 			 end,
-    {Ssh1, DecData, <<>>} = 
-	ssh_transport:decrypt_blocks(NoMac, SshLength, Ssh0),
+    %%?dbg(?DBG_CRYPTO, "unpack: NoMac=~p Mac=~p Rest=~p ~n",
+    %%     [NoMac, Mac, Rest]),
+    {Ssh1, DecData, <<>>} = case SshLength of
+			        0 ->
+				    {Ssh0, <<>>, <<>>};
+				_ ->
+				     ssh_transport:decrypt_blocks(NoMac, SshLength, Ssh0)
+			    end,
+    %%?dbg(?DBG_CRYPTO, "unpack: Ssh1=~p DecData=~p Rest=~p Mac=~p ~n",
+    %%     [Ssh1, DecData, Rest, Mac]),
     {Ssh1, DecData, Rest, Mac}.
 
 msg_data(PacketData) ->
@@ -800,6 +815,18 @@
     <<K1:8/binary, K2:8/binary, K3:8/binary>> = hash(Ssh, "D", 192),
     {ok, Ssh#ssh{encrypt_keys = {K1,K2,K3},
 		 encrypt_block_size = 8,
+		 encrypt_ctx = IV}};
+encrypt_init(#ssh{encrypt = 'aes128-cbc', role = client} = Ssh) ->
+    IV = hash(Ssh, "A", 128),
+    <<K:16/binary>> = hash(Ssh, "C", 128),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
+		 encrypt_ctx = IV}};
+encrypt_init(#ssh{encrypt = 'aes128-cbc', role = server} = Ssh) ->
+    IV = hash(Ssh, "B", 128),
+    <<K:16/binary>> = hash(Ssh, "D", 128),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
 		 encrypt_ctx = IV}}.
 
 encrypt_final(Ssh) ->
@@ -815,10 +842,19 @@
 	     encrypt_keys = {K1,K2,K3},
 	     encrypt_ctx = IV0} = Ssh, Data) ->
     %%?dbg(?DBG_CRYPTO, "encrypt: IV=~p K1=~p, K2=~p, K3=~p ~n",
-    %%	 [IV0,K1,K2,K3]),
+    %%         [IV0,K1,K2,K3]),
     Enc = crypto:des3_cbc_encrypt(K1,K2,K3,IV0,Data),
     %%?dbg(?DBG_CRYPTO, "encrypt: ~p -> ~p ~n", [Data, Enc]),
     IV = crypto:des_cbc_ivec(Enc),
+    {Ssh#ssh{encrypt_ctx = IV}, Enc};
+encrypt(#ssh{encrypt = 'aes128-cbc',
+	     encrypt_keys = K,
+	     encrypt_ctx = IV0} = Ssh, Data) ->
+    %%?dbg(?DBG_CRYPTO, "encrypt: IV=~p K=~p ~n",
+    %%     [IV0,K]),
+    Enc = crypto:aes_cbc_128_encrypt(K,IV0,Data),
+    %%?dbg(?DBG_CRYPTO, "encrypt: ~p -> ~p ~n", [Data, Enc]),
+    IV = crypto:aes_cbc_ivec(Enc),
     {Ssh#ssh{encrypt_ctx = IV}, Enc}.
   
 
@@ -840,7 +876,21 @@
 		hash(Ssh, "C", 192)},
     <<K1:8/binary, K2:8/binary, K3:8/binary>> = KD,
     {ok, Ssh#ssh{decrypt_keys = {K1, K2, K3}, decrypt_ctx = IV,
-		 decrypt_block_size = 8}}.
+		 decrypt_block_size = 8}};
+
+decrypt_init(#ssh{decrypt = 'aes128-cbc', role = client} = Ssh) ->
+    {IV, KD} = {hash(Ssh, "B", 128),
+		hash(Ssh, "D", 128)},
+    <<K:16/binary>> = KD,
+    {ok, Ssh#ssh{decrypt_keys = K, decrypt_ctx = IV,
+			 decrypt_block_size = 16}}; 
+
+decrypt_init(#ssh{decrypt = 'aes128-cbc', role = server} = Ssh) ->
+    {IV, KD} = {hash(Ssh, "A", 128),
+		hash(Ssh, "C", 128)},
+    <<K:16/binary>> = KD,
+    {ok, Ssh#ssh{decrypt_keys = K, decrypt_ctx = IV,
+		 decrypt_block_size = 16}}.
   
 decrypt_final(Ssh) ->
     {ok, Ssh#ssh {decrypt = none, 
@@ -858,6 +908,14 @@
     Dec = crypto:des3_cbc_decrypt(K1,K2,K3,IV0,Data),
     %%?dbg(?DBG_CRYPTO, "decrypt: ~p -> ~p ~n", [Data, Dec]),
     IV = crypto:des_cbc_ivec(Data),
+    {Ssh#ssh{decrypt_ctx = IV}, Dec};
+decrypt(#ssh{decrypt = 'aes128-cbc', decrypt_keys = Key,
+	     decrypt_ctx = IV0} = Ssh, Data) ->
+    %%?dbg(?DBG_CRYPTO, "decrypt: IV=~p Key=~p ~n",
+    %%     [IV0,Key]),
+    Dec = crypto:aes_cbc_128_decrypt(Key,IV0,Data),
+    %%?dbg(?DBG_CRYPTO, "decrypt: ~p -> ~p ~n", [Data, Dec]),
+    IV = crypto:aes_cbc_ivec(Data),
     {Ssh#ssh{decrypt_ctx = IV}, Dec}.
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--- lib/crypto/src/crypto.erl.FCS	2009-03-12 21:28:35.000000000 +0900
+++ lib/crypto/src/crypto.erl	2009-08-13 13:27:09.000000000 +0900
@@ -45,6 +45,7 @@
 %% -export([idea_cbc_encrypt/3, idea_cbc_decrypt/3]).
 -export([aes_cbc_128_encrypt/3, aes_cbc_128_decrypt/3]).
 -export([aes_cbc_256_encrypt/3, aes_cbc_256_decrypt/3]).
+-export([aes_cbc_ivec/1]).
 
 -export([dh_generate_parameters/2, dh_check/1]). %% Testing see below
 
@@ -469,6 +470,19 @@
     control(?AES_CBC_256_DECRYPT, [Key, IVec, Data]).
 
 %%
+%% aes_cbc_ivec(Data) -> binary()
+%%
+%% Returns the IVec to be used in the next iteration of 
+%% aes_cbc_*_[encrypt|decrypt].
+%% IVec size: 16 bytes
+%%
+aes_cbc_ivec(Data) when is_binary(Data) -> 
+    {_, IVec} = split_binary(Data, size(Data) - 16),
+    IVec;
+aes_cbc_ivec(Data) when is_list(Data) ->
+    aes_cbc_ivec(list_to_binary(Data)).
+
+%%
 %% XOR - xor to iolists and return a binary
 %% NB doesn't check that they are the same size, just concatenates
 %% them and sends them to the driver
-------------- next part --------------
--- lib/ssh/src/ssh_transport.erl.FCS	2009-06-05 21:55:34.000000000 +0900
+++ lib/ssh/src/ssh_transport.erl	2009-08-13 17:42:28.000000000 +0900
@@ -228,8 +228,10 @@
 		  cookie = Random,
 		  kex_algorithms = ["diffie-hellman-group1-sha1"],
 		  server_host_key_algorithms = ["ssh-rsa", "ssh-dss"],
-		  encryption_algorithms_client_to_server = ["3des-cbc"],
-		  encryption_algorithms_server_to_client = ["3des-cbc"],
+		  %% encryption_algorithms_client_to_server = ["3des-cbc"],
+		  %% encryption_algorithms_server_to_client = ["3des-cbc"],
+		  encryption_algorithms_client_to_server = ["aes128-cbc","3des-cbc"],
+		  encryption_algorithms_server_to_client = ["aes128-cbc","3des-cbc"],
 		  mac_algorithms_client_to_server = ["hmac-sha1"],
 		  mac_algorithms_server_to_client = ["hmac-sha1"],
 		  compression_algorithms_client_to_server = Compression,
@@ -243,8 +245,10 @@
 		  cookie = Random,
 		  kex_algorithms = ["diffie-hellman-group1-sha1"],
 		  server_host_key_algorithms = ["ssh-dss"],
-		  encryption_algorithms_client_to_server = ["3des-cbc"],
-		  encryption_algorithms_server_to_client = ["3des-cbc"],
+		  %% encryption_algorithms_client_to_server = ["3des-cbc"],
+		  %% encryption_algorithms_server_to_client = ["3des-cbc"],
+		  encryption_algorithms_client_to_server = ["aes128-cbc","3des-cbc"],
+		  encryption_algorithms_server_to_client = ["aes128-cbc","3des-cbc"],
 		  mac_algorithms_client_to_server = ["hmac-sha1"],
 		  mac_algorithms_server_to_client = ["hmac-sha1"],
 		  compression_algorithms_client_to_server = Compression,
@@ -703,6 +707,9 @@
 
 unpack(EncodedSoFar, ReminingLenght, #ssh{recv_mac_size = MacSize} = Ssh0) ->
     SshLength = ReminingLenght - MacSize,
+    %%?dbg(?DBG_CRYPTO, 
+    %%     "unpack: EncodedsoFar=~p SshLength=~p ReminingLenght=~p MacSize=~p ~n",
+    %%     [EncodedSoFar, SshLength, ReminingLenght, MacSize]),
     {NoMac, Mac, Rest} = case MacSize of
 			     0 ->
 				 <<NoMac0:SshLength/binary, 
@@ -714,8 +721,16 @@
 				  Rest0/binary>> = EncodedSoFar,
 				 {NoMac0, Mac0, Rest0}
 			 end,
-    {Ssh1, DecData, <<>>} = 
-	ssh_transport:decrypt_blocks(NoMac, SshLength, Ssh0),
+    %%?dbg(?DBG_CRYPTO, "unpack: NoMac=~p Mac=~p Rest=~p ~n",
+    %%     [NoMac, Mac, Rest]),
+    {Ssh1, DecData, <<>>} = case SshLength of
+			        0 ->
+				    {Ssh0, <<>>, <<>>};
+				_ ->
+				     ssh_transport:decrypt_blocks(NoMac, SshLength, Ssh0)
+			    end,
+    %%?dbg(?DBG_CRYPTO, "unpack: Ssh1=~p DecData=~p Rest=~p Mac=~p ~n",
+    %%     [Ssh1, DecData, Rest, Mac]),
     {Ssh1, DecData, Rest, Mac}.
 
 msg_data(PacketData) ->
@@ -800,6 +815,18 @@
     <<K1:8/binary, K2:8/binary, K3:8/binary>> = hash(Ssh, "D", 192),
     {ok, Ssh#ssh{encrypt_keys = {K1,K2,K3},
 		 encrypt_block_size = 8,
+		 encrypt_ctx = IV}};
+encrypt_init(#ssh{encrypt = 'aes128-cbc', role = client} = Ssh) ->
+    IV = hash(Ssh, "A", 128),
+    <<K:16/binary>> = hash(Ssh, "C", 128),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
+		 encrypt_ctx = IV}};
+encrypt_init(#ssh{encrypt = 'aes128-cbc', role = server} = Ssh) ->
+    IV = hash(Ssh, "B", 128),
+    <<K:16/binary>> = hash(Ssh, "D", 128),
+    {ok, Ssh#ssh{encrypt_keys = K,
+		 encrypt_block_size = 16,
 		 encrypt_ctx = IV}}.
 
 encrypt_final(Ssh) ->
@@ -815,10 +842,19 @@
 	     encrypt_keys = {K1,K2,K3},
 	     encrypt_ctx = IV0} = Ssh, Data) ->
     %%?dbg(?DBG_CRYPTO, "encrypt: IV=~p K1=~p, K2=~p, K3=~p ~n",
-    %%	 [IV0,K1,K2,K3]),
+    %%         [IV0,K1,K2,K3]),
     Enc = crypto:des3_cbc_encrypt(K1,K2,K3,IV0,Data),
     %%?dbg(?DBG_CRYPTO, "encrypt: ~p -> ~p ~n", [Data, Enc]),
     IV = crypto:des_cbc_ivec(Enc),
+    {Ssh#ssh{encrypt_ctx = IV}, Enc};
+encrypt(#ssh{encrypt = 'aes128-cbc',
+	     encrypt_keys = K,
+	     encrypt_ctx = IV0} = Ssh, Data) ->
+    %%?dbg(?DBG_CRYPTO, "encrypt: IV=~p K=~p ~n",
+    %%     [IV0,K]),
+    Enc = crypto:aes_cbc_128_encrypt(K,IV0,Data),
+    %%?dbg(?DBG_CRYPTO, "encrypt: ~p -> ~p ~n", [Data, Enc]),
+    IV = crypto:aes_cbc_ivec(Enc),
     {Ssh#ssh{encrypt_ctx = IV}, Enc}.
   
 
@@ -840,7 +876,21 @@
 		hash(Ssh, "C", 192)},
     <<K1:8/binary, K2:8/binary, K3:8/binary>> = KD,
     {ok, Ssh#ssh{decrypt_keys = {K1, K2, K3}, decrypt_ctx = IV,
-		 decrypt_block_size = 8}}.
+		 decrypt_block_size = 8}};
+
+decrypt_init(#ssh{decrypt = 'aes128-cbc', role = client} = Ssh) ->
+    {IV, KD} = {hash(Ssh, "B", 128),
+		hash(Ssh, "D", 128)},
+    <<K:16/binary>> = KD,
+    {ok, Ssh#ssh{decrypt_keys = K, decrypt_ctx = IV,
+			 decrypt_block_size = 16}}; 
+
+decrypt_init(#ssh{decrypt = 'aes128-cbc', role = server} = Ssh) ->
+    {IV, KD} = {hash(Ssh, "A", 128),
+		hash(Ssh, "C", 128)},
+    <<K:16/binary>> = KD,
+    {ok, Ssh#ssh{decrypt_keys = K, decrypt_ctx = IV,
+		 decrypt_block_size = 16}}.
   
 decrypt_final(Ssh) ->
     {ok, Ssh#ssh {decrypt = none, 
@@ -858,6 +908,14 @@
     Dec = crypto:des3_cbc_decrypt(K1,K2,K3,IV0,Data),
     %%?dbg(?DBG_CRYPTO, "decrypt: ~p -> ~p ~n", [Data, Dec]),
     IV = crypto:des_cbc_ivec(Data),
+    {Ssh#ssh{decrypt_ctx = IV}, Dec};
+decrypt(#ssh{decrypt = 'aes128-cbc', decrypt_keys = Key,
+	     decrypt_ctx = IV0} = Ssh, Data) ->
+    %%?dbg(?DBG_CRYPTO, "decrypt: IV=~p Key=~p ~n",
+    %%     [IV0,Key]),
+    Dec = crypto:aes_cbc_128_decrypt(Key,IV0,Data),
+    %%?dbg(?DBG_CRYPTO, "decrypt: ~p -> ~p ~n", [Data, Dec]),
+    IV = crypto:aes_cbc_ivec(Data),
     {Ssh#ssh{decrypt_ctx = IV}, Dec}.
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-------------- next part --------------
--- lib/crypto/src/crypto.erl.FCS	2009-03-12 21:28:35.000000000 +0900
+++ lib/crypto/src/crypto.erl	2009-08-13 13:27:09.000000000 +0900
@@ -45,6 +45,7 @@
 %% -export([idea_cbc_encrypt/3, idea_cbc_decrypt/3]).
 -export([aes_cbc_128_encrypt/3, aes_cbc_128_decrypt/3]).
 -export([aes_cbc_256_encrypt/3, aes_cbc_256_decrypt/3]).
+-export([aes_cbc_ivec/1]).
 
 -export([dh_generate_parameters/2, dh_check/1]). %% Testing see below
 
@@ -469,6 +470,19 @@
     control(?AES_CBC_256_DECRYPT, [Key, IVec, Data]).
 
 %%
+%% aes_cbc_ivec(Data) -> binary()
+%%
+%% Returns the IVec to be used in the next iteration of 
+%% aes_cbc_*_[encrypt|decrypt].
+%% IVec size: 16 bytes
+%%
+aes_cbc_ivec(Data) when is_binary(Data) -> 
+    {_, IVec} = split_binary(Data, size(Data) - 16),
+    IVec;
+aes_cbc_ivec(Data) when is_list(Data) ->
+    aes_cbc_ivec(list_to_binary(Data)).
+
+%%
 %% XOR - xor to iolists and return a binary
 %% NB doesn't check that they are the same size, just concatenates
 %% them and sends them to the driver


More information about the erlang-patches mailing list