In general, "other people do it" is a weak justification. I don't see any reason to believe camellia would actually be better than aes. Nessie picked aes too, you know.

Not to mention there are software patent claims against camellia. That's a no go right there.

On Jul 17, 2010, at 7:12 PM, Yoshisato YANAGISAWA <[email protected] > wrote:

Hi all,

Will you try my following patch to enable the Camellia block cipher in
OpenSSH?  The Camellia block cipher is one of the encryption methods
approved in the European Union (NESSIE) and Japan (CRYPTREC), and it has
been specified in several Internet RFCs. It is also used by several OSS
projects, such as Linux, FreeBSD, OpenSSL, Firefox and so on.

My patch contains two parts.  First part enables Camellia in OpenSSL,
and second part makes it available in OpenSSH.  It is patch for
lib/libssl and usr.bin/ssh, respectively.

In 2009, Biryukov showed AES was not as safe as expected. [1]
Is it a good time to have an alternative?

Thank you in advance,
Yoshisato Yanagisawa.

[1] http://eprint.iacr.org/2009/317

Index: crypto/Makefile
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/Makefile,v
retrieving revision 1.52
diff -c -r1.52 Makefile
*** crypto/Makefile    3 Feb 2010 20:49:00 -0000    1.52
--- crypto/Makefile    20 Jun 2010 03:56:10 -0000
***************
*** 82,89 ****
 SRCS+=    bn_sqr.c bn_recp.c bn_mont.c bn_mpi.c bn_mod.c
 SRCS+=    bn_exp2.c bn_ctx.c bn_opt.c
SRCS+= bn_sqrt.c bn_kron.c bn_x931p.c bn_const.c bn_depr.c bn_gf2m.c
bn_nist.c
! #SRCS+=    camellia.c cmll_cbc.c cmll_cfb.c cmll_ctr.c
! #SRCS+=    cmll_ecb.c cmll_misc.c cmll_ofb.cq
 #SRCS+=    cms_asn1.c cms_att.c cms_cd.c cms_dd.c cms_enc.c cms_env.c
#SRCS+= cms_err.c cms_ess.c cms_io.c cms_lib.c cms_sd.c cms_smime.c
 SRCS+=    rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c
--- 82,89 ----
 SRCS+=    bn_sqr.c bn_recp.c bn_mont.c bn_mpi.c bn_mod.c
 SRCS+=    bn_exp2.c bn_ctx.c bn_opt.c
SRCS+= bn_sqrt.c bn_kron.c bn_x931p.c bn_const.c bn_depr.c bn_gf2m.c
bn_nist.c
! SRCS+=    camellia.c cmll_cbc.c cmll_cfb.c cmll_ctr.c
! SRCS+=    cmll_ecb.c cmll_misc.c cmll_ofb.c
 #SRCS+=    cms_asn1.c cms_att.c cms_cd.c cms_dd.c cms_enc.c cms_env.c
#SRCS+= cms_err.c cms_ess.c cms_io.c cms_lib.c cms_sd.c cms_smime.c
 SRCS+=    rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c
***************
*** 115,121 ****
 SRCS+= bio_enc.c e_cast.c e_xcbc_d.c m_dss.c m_sha1.c p_seal.c
 SRCS+= bio_md.c e_des.c encode.c m_dss1.c names.c p_sign.c
SRCS+= bio_ok.c e_des3.c dig_eng.c evp_enc.c m_md2.c p_verify.c m_ecdsa.c
! #SRCS+= e_camellia.c e_seed.c
SRCS+= c_all.c evp_err.c evp_acnf.c evp_cnf.c m_md4.c p5_crpt.c e_old.c
 SRCS+= c_allc.c evp_key.c m_md5.c p5_crpt2.c
 SRCS+= c_alld.c e_null.c evp_lib.c p_dec.c
--- 115,122 ----
 SRCS+= bio_enc.c e_cast.c e_xcbc_d.c m_dss.c m_sha1.c p_seal.c
 SRCS+= bio_md.c e_des.c encode.c m_dss1.c names.c p_sign.c
SRCS+= bio_ok.c e_des3.c dig_eng.c evp_enc.c m_md2.c p_verify.c m_ecdsa.c
! SRCS+= e_camellia.c
! #SRCS+= e_seed.c
SRCS+= c_all.c evp_err.c evp_acnf.c evp_cnf.c m_md4.c p5_crpt.c e_old.c
 SRCS+= c_allc.c evp_key.c m_md5.c p5_crpt2.c
 SRCS+= c_alld.c e_null.c evp_lib.c p_dec.c
Index: crypto/arch/alpha/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/alpha/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/alpha/opensslconf.h 9 Jan 2009 12:32:25 -0000 1.5
--- crypto/arch/alpha/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/amd64/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/amd64/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/amd64/opensslconf.h 9 Jan 2009 12:32:25 -0000 1.5
--- crypto/arch/amd64/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/arm/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/arm/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/arm/opensslconf.h    9 Jan 2009 12:32:25 -0000    1.5
--- crypto/arch/arm/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/hppa/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/hppa/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/hppa/opensslconf.h    9 Jan 2009 12:32:25 -0000    1.5
--- crypto/arch/hppa/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/i386/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/i386/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/i386/opensslconf.h    9 Jan 2009 12:32:25 -0000    1.5
--- crypto/arch/i386/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/m68k/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/m68k/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/m68k/opensslconf.h    9 Jan 2009 12:32:25 -0000    1.5
--- crypto/arch/m68k/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/m88k/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/m88k/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/m88k/opensslconf.h    9 Jan 2009 12:32:25 -0000    1.5
--- crypto/arch/m88k/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/mips64/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/mips64/opensslconf.h,v
retrieving revision 1.6
diff -c -r1.6 opensslconf.h
*** crypto/arch/mips64/opensslconf.h 9 Jan 2009 12:32:25 -0000 1.6
--- crypto/arch/mips64/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/powerpc/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/powerpc/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/powerpc/opensslconf.h 9 Jan 2009 12:32:25 -0000 1.5
--- crypto/arch/powerpc/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/sh/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/sh/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/sh/opensslconf.h    9 Jan 2009 12:32:25 -0000    1.5
--- crypto/arch/sh/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/sparc/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/sparc/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/sparc/opensslconf.h 9 Jan 2009 12:32:25 -0000 1.5
--- crypto/arch/sparc/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/sparc64/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/sparc64/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/sparc64/opensslconf.h 9 Jan 2009 12:32:25 -0000 1.5
--- crypto/arch/sparc64/opensslconf.h    20 Jun 2010 03:56:10 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: crypto/arch/vax/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/vax/opensslconf.h,v
retrieving revision 1.5
diff -c -r1.5 opensslconf.h
*** crypto/arch/vax/opensslconf.h    9 Jan 2009 12:32:25 -0000    1.5
--- crypto/arch/vax/opensslconf.h    20 Jun 2010 03:56:11 -0000
***************
*** 4,12 ****
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND

- #ifndef OPENSSL_NO_CAMELLIA
- # define OPENSSL_NO_CAMELLIA
- #endif
 #ifndef OPENSSL_NO_CAPIENG
 # define OPENSSL_NO_CAPIENG
 #endif
--- 4,9 ----
Index: src/Configure
===================================================================
RCS file: /cvs/src/lib/libssl/src/Configure,v
retrieving revision 1.27
diff -c -r1.27 Configure
*** src/Configure    6 Apr 2009 06:33:15 -0000    1.27
--- src/Configure    20 Jun 2010 03:56:11 -0000
***************
*** 648,654 ****

 # This is what $depflags will look like with the above defaults
# (we need this to see if we should advise the user to run "make depend"):
! my $default_depflags = " -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_CAPIENG
-DOPENSSL_NO_CMS -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MDC2
-DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED";


 # Explicit "no-..." options will be collected in %disabled along with
the defaults.
--- 648,654 ----

 # This is what $depflags will look like with the above defaults
# (we need this to see if we should advise the user to run "make depend"):
! my $default_depflags = " -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_CMS
-DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5
-DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED";


 # Explicit "no-..." options will be collected in %disabled along with
the defaults.
Index: src/Makefile
===================================================================
RCS file: /cvs/src/lib/libssl/src/Makefile,v
retrieving revision 1.4
diff -c -r1.4 Makefile
*** src/Makefile    6 Apr 2009 06:33:15 -0000    1.4
--- src/Makefile    20 Jun 2010 03:56:11 -0000
***************
*** 13,19 ****
 SHLIB_MINOR=9.8
 SHLIB_EXT=
 PLATFORM=dist
! OPTIONS= no-camellia no-capieng no-cms no-gmp no-jpake no-krb5 no- mdc2
no-montasm no-rc5 no-rfc3779 no-seed no-shared no-zlib no-zlib-dynamic
 CONFIGURE_ARGS=dist
 SHLIB_TARGET=

--- 13,19 ----
 SHLIB_MINOR=9.8
 SHLIB_EXT=
 PLATFORM=dist
! OPTIONS= no-capieng no-cms no-gmp no-jpake no-krb5 no-mdc2 no- montasm
no-rc5 no-rfc3779 no-seed no-shared no-zlib no-zlib-dynamic
 CONFIGURE_ARGS=dist
 SHLIB_TARGET=




Index: cipher-ctr.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/cipher-ctr.c,v
retrieving revision 1.10
diff -c -r1.10 cipher-ctr.c
*** cipher-ctr.c    3 Aug 2006 03:34:42 -0000    1.10
--- cipher-ctr.c    20 Jun 2010 15:04:17 -0000
***************
*** 21,26 ****
--- 21,27 ----

 #include <openssl/evp.h>
 #include <openssl/aes.h>
+ #include <openssl/camellia.h>

 #include "xmalloc.h"
 #include "log.h"
***************
*** 34,39 ****
--- 35,49 ----
     u_char        aes_counter[AES_BLOCK_SIZE];
 };

+ const EVP_CIPHER *evp_camellia_128_ctr(void);
+ void ssh_camellia_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
+
+ struct ssh_camellia_ctr_ctx
+ {
+    CAMELLIA_KEY    camellia_ctx;
+    u_char        camellia_counter[CAMELLIA_BLOCK_SIZE];
+ };
+
 /*
  * increment counter 'ctr',
* the counter is of size 'len' bytes and stored in network-byte- order.
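Review bot: `ssh_camellia_ctr_iv` is declared here with a caller-supplied `u_int` length, while the counter it reads and writes, `camellia_counter[CAMELLIA_BLOCK_SIZE]`, is a fixed-size array, and nothing next to the prototype says the length must not exceed the block size. The definition added further down the patch copies `len` bytes in either direction with `memcpy` and no bound check, so a larger `len` would read or write past the counter inside the `xmalloc`'d context. After the context lookup in that function, add a guard such as `if (len > sizeof(c->camellia_counter)) fatal("ssh_camellia_ctr_iv: bad iv length %u", len);` and state the limit in a comment beside the prototype. Whether any caller can actually pass a larger value is not visible on this page.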
***************
*** 133,136 ****
--- 143,233 ----
     aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
         EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
     return (&aes_ctr);
+ }
+
+ static int
+ ssh_camellia_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+     u_int len)
+ {
+    struct ssh_camellia_ctr_ctx *c;
+    u_int n = 0;
+    u_char buf[CAMELLIA_BLOCK_SIZE];
+
+    if (len == 0)
+        return (1);
+    if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
+        return (0);
+
+    while ((len--) > 0) {
+        if (n == 0) {
+            Camellia_encrypt(c->camellia_counter, buf,
+                    &c->camellia_ctx);
+            ssh_ctr_inc(c->camellia_counter, CAMELLIA_BLOCK_SIZE);
+        }
+        *(dest++) = *(src++) ^ buf[n];
+        n = (n + 1) % CAMELLIA_BLOCK_SIZE;
+    }
+    return (1);
+ }
+
+ static int
+ ssh_camellia_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const
u_char *iv,
+     int enc)
+ {
+    struct ssh_camellia_ctr_ctx *c;
+
+    if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
+        c = xmalloc(sizeof(*c));
+        EVP_CIPHER_CTX_set_app_data(ctx, c);
+    }
+    if (key != NULL)
+        Camellia_set_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
+            &c->camellia_ctx);
+    if (iv != NULL)
+        memcpy(c->camellia_counter, iv, CAMELLIA_BLOCK_SIZE);
+    return (1);
+ }
+
+ static int
+ ssh_camellia_ctr_cleanup(EVP_CIPHER_CTX *ctx)
+ {
+    struct ssh_camellia_ctr_ctx *c;
+
+    if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
+        memset(c, 0, sizeof(*c));
+        xfree(c);
+        EVP_CIPHER_CTX_set_app_data(ctx, NULL);
+    }
+    return (1);
+ }
+
+ void
+ ssh_camellia_ctr_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, u_int
len)
+ {
+    struct ssh_camellia_ctr_ctx *c;
+
+    if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
+        fatal("ssh_camellia_ctr_iv: no context");
+    if (doset)
+        memcpy(c->camellia_counter, iv, len);
+    else
+        memcpy(iv, c->camellia_counter, len);
+ }
+
+ const EVP_CIPHER *
+ evp_camellia_128_ctr(void)
+ {
+    static EVP_CIPHER camellia_ctr;
+
+    memset(&camellia_ctr, 0, sizeof(EVP_CIPHER));
+    camellia_ctr.nid = NID_undef;
+    camellia_ctr.block_siz
