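/*
 * This file is part of the SSH Library
 *
 * Copyright (c) 2003-2009 by Aris Adamantiadis
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

/*
 * crypto.h is an include file for internal cryptographic structures of libssh
 *
 * It declares the key-exchange and cipher identifiers, the structure that
 * carries negotiated keys, IVs and MAC keys, and the per-cipher dispatch
 * table. Everything here is secret-bearing state.
 */

/*
 * NOTE(review): identifiers that start with an underscore followed by an
 * uppercase letter are reserved for the implementation in C. The guard is
 * kept as-is because other files may test it.
 */
#ifndef _CRYPTO_H_
#define _CRYPTO_H_

#include <stdbool.h>
#include "config.h"

#ifdef HAVE_LIBGCRYPT
#include <gcrypt.h>
#elif defined(HAVE_LIBMBEDCRYPTO)
#include <mbedtls/gcm.h>
#endif
#include "libssh/wrapper.h"

/* Drop cbc_encrypt/cbc_decrypt if an earlier header defined them as macros. */
#ifdef cbc_encrypt
#undef cbc_encrypt
#endif
#ifdef cbc_decrypt
#undef cbc_decrypt
#endif

#ifdef HAVE_OPENSSL_ECDH_H
#include <openssl/ecdh.h>
#endif
#include "libssh/dh.h"
#include "libssh/ecdh.h"
#include "libssh/kex.h"
#include "libssh/curve25519.h"

/* Size in bytes of ssh_crypto_struct.hmacbuf. */
#define DIGEST_MAX_LEN 64

/* AES-GCM authentication tag length in bytes. */
#define AES_GCM_TAGLEN 16
/* AES-GCM IV length in bytes; also the size of ssh_cipher_struct.last_iv. */
#define AES_GCM_IVLEN  12

/*
 * Key exchange methods. The comment above each enumerator is its SSH name.
 *
 * The numeric values after SSH_KEX_DH_GROUP14_SHA1 shift depending on
 * WITH_GEX, so a value is meaningful only within one build: do not persist
 * it or compare it across differently configured builds.
 *
 * The SHA-1 based methods, diffie-hellman-group1-sha1 in particular, are
 * legacy. Whether a session may negotiate them is decided by the configured
 * method lists, not by this enum.
 */
enum ssh_key_exchange_e {
    /* diffie-hellman-group1-sha1 */
    SSH_KEX_DH_GROUP1_SHA1=1,
    /* diffie-hellman-group14-sha1 */
    SSH_KEX_DH_GROUP14_SHA1,
#ifdef WITH_GEX
    /* diffie-hellman-group-exchange-sha1 */
    SSH_KEX_DH_GEX_SHA1,
    /* diffie-hellman-group-exchange-sha256 */
    SSH_KEX_DH_GEX_SHA256,
#endif /* WITH_GEX */
    /* ecdh-sha2-nistp256 */
    SSH_KEX_ECDH_SHA2_NISTP256,
    /* ecdh-sha2-nistp384 */
    SSH_KEX_ECDH_SHA2_NISTP384,
    /* ecdh-sha2-nistp521 */
    SSH_KEX_ECDH_SHA2_NISTP521,
    /* curve25519-sha256@libssh.org */
    SSH_KEX_CURVE25519_SHA256_LIBSSH_ORG,
    /* curve25519-sha256 */
    SSH_KEX_CURVE25519_SHA256,
    /* diffie-hellman-group16-sha512 */
    SSH_KEX_DH_GROUP16_SHA512,
    /* diffie-hellman-group18-sha512 */
    SSH_KEX_DH_GROUP18_SHA512,
    /* diffie-hellman-group14-sha256 */
    SSH_KEX_DH_GROUP14_SHA256,
};

/*
 * Cipher identifiers stored in ssh_cipher_struct.ciphertype.
 *
 * SSH_NO_CIPHER is fixed at 0. The values that follow shift depending on
 * WITH_BLOWFISH_CIPHER, so they are meaningful only within one build.
 * The SSH_AEAD_* entries are the ones served by the aead_* callbacks of
 * ssh_cipher_struct.
 */
enum ssh_cipher_e {
    SSH_NO_CIPHER=0,
#ifdef WITH_BLOWFISH_CIPHER
    SSH_BLOWFISH_CBC,
#endif /* WITH_BLOWFISH_CIPHER */
    SSH_3DES_CBC,
    SSH_AES128_CBC,
    SSH_AES192_CBC,
    SSH_AES256_CBC,
    SSH_AES128_CTR,
    SSH_AES192_CTR,
    SSH_AES256_CTR,
    SSH_AEAD_AES128_GCM,
    SSH_AEAD_AES256_GCM,
    SSH_AEAD_CHACHA20_POLY1305
};

struct dh_ctx;

/*
 * Cryptographic state produced by a key exchange: the shared secret, the
 * ephemeral key-exchange keys, the session id, the derived IVs, cipher keys
 * and MAC keys, plus the negotiated algorithms for each direction.
 *
 * NOTE(review): the pointer members below refer to secret material whose
 * allocation and release are not visible in this header. Confirm that the
 * release path wipes these buffers with a call the compiler cannot elide
 * (e.g. explicit_bzero) before freeing them, and that this structure is
 * never logged or dumped.
 */
struct ssh_crypto_struct {
    bignum shared_secret;
    struct dh_ctx *dh_ctx;
#ifdef WITH_GEX
    /* preferred group parameters */
    size_t dh_pmin;
    size_t dh_pn;
    size_t dh_pmax;
#endif /* WITH_GEX */
#ifdef HAVE_ECDH
    /* The ECDH private key type depends on the crypto backend in use. */
#ifdef HAVE_OPENSSL_ECC
    EC_KEY *ecdh_privkey;
#elif defined HAVE_GCRYPT_ECC
    gcry_sexp_t ecdh_privkey;
#elif defined HAVE_LIBMBEDCRYPTO
    mbedtls_ecp_keypair *ecdh_privkey;
#endif
    ssh_string ecdh_client_pubkey;
    ssh_string ecdh_server_pubkey;
#endif
#ifdef HAVE_CURVE25519
    ssh_curve25519_privkey curve25519_privkey;
    ssh_curve25519_pubkey curve25519_client_pubkey;
    ssh_curve25519_pubkey curve25519_server_pubkey;
#endif
    ssh_string dh_server_signature; /* information used by dh_handshake. */
    size_t session_id_len;
    unsigned char *session_id;
    size_t digest_len; /* len of the secret hash */
    unsigned char *secret_hash; /* Secret hash is same as session id until re-kex */
    /*
     * Derived per-direction IVs, cipher keys and MAC keys.
     * Their lengths are not recorded next to the pointers; presumably they
     * follow from the negotiated cipher and MAC -- confirm before indexing.
     */
    unsigned char *encryptIV;
    unsigned char *decryptIV;
    unsigned char *decryptkey;
    unsigned char *encryptkey;
    unsigned char *encryptMAC;
    unsigned char *decryptMAC;
    /* DIGEST_MAX_LEN-byte buffer; presumably holds a computed MAC -- confirm. */
    unsigned char hmacbuf[DIGEST_MAX_LEN];
    struct ssh_cipher_struct *in_cipher, *out_cipher; /* the cipher structures/objects */
    enum ssh_hmac_e in_hmac, out_hmac; /* the MAC algorithms used */
    bool in_hmac_etm, out_hmac_etm; /* Whether EtM mode is used or not */

    ssh_key server_pubkey;
    /* Compression flags: don't set them directly, set the option instead. */
    int do_compress_out;
    int do_compress_in;
    int delayed_compress_in; /* Use of zlib@openssh.org */
    int delayed_compress_out;
    /* Opaque compression contexts; not to be touched by callers. */
    void *compress_out_ctx;
    void *compress_in_ctx;
    /* kex sent by server, client, and mutually elected methods */
    struct ssh_kex_struct server_kex;
    struct ssh_kex_struct client_kex;
    char *kex_methods[SSH_KEX_METHODS];
    enum ssh_key_exchange_e kex_type;
    enum ssh_kdf_digest digest_type; /* Digest type for session keys derivation */
    enum ssh_crypto_direction_e used; /* Is this crypto still used for either of directions? */
};

/*
 * Description of one cipher plus its keyed state and dispatch table.
 * The backend-specific members are selected at build time by
 * HAVE_LIBGCRYPT / HAVE_LIBCRYPTO / HAVE_LIBMBEDCRYPTO.
 */
struct ssh_cipher_struct {
    const char *name; /* ssh name of the algorithm */
    unsigned int blocksize; /* blocksize of the algo */
    enum ssh_cipher_e ciphertype;
    uint32_t lenfield_blocksize; /* blocksize of the packet length field */
    size_t keylen; /* length of the key structure */
#ifdef HAVE_LIBGCRYPT
    gcry_cipher_hd_t *key;
    /*
     * NOTE(review): presumably the most recent AES-GCM IV -- confirm.
     * A GCM IV must never repeat under the same key.
     */
    unsigned char last_iv[AES_GCM_IVLEN];
#elif defined HAVE_LIBCRYPTO
    struct ssh_3des_key_schedule *des3_key;
    struct ssh_aes_key_schedule *aes_key;
    const EVP_CIPHER *cipher;
    EVP_CIPHER_CTX *ctx;
#elif defined HAVE_LIBMBEDCRYPTO
    mbedtls_cipher_context_t encrypt_ctx;
    mbedtls_cipher_context_t decrypt_ctx;
    mbedtls_cipher_type_t type;
#ifdef MBEDTLS_GCM_C
    mbedtls_gcm_context gcm_ctx;
    /*
     * NOTE(review): presumably the most recent AES-GCM IV -- confirm.
     * A GCM IV must never repeat under the same key.
     */
    unsigned char last_iv[AES_GCM_IVLEN];
#endif /* MBEDTLS_GCM_C */
#endif
    struct chacha20_poly1305_keysched *chacha20_schedule;
    unsigned int keysize; /* bytes of key used. != keylen */
    size_t tag_size; /* overhead required for tag */
    /* Counters for rekeying initialization */
    uint32_t packets;
    uint64_t blocks;
    /* Rekeying limit for the cipher or manually enforced */
    uint64_t max_blocks;
    /*
     * sets the new key for immediate use
     *
     * key and IV are untyped and carry no length, so an implementation has
     * to take the sizes from this structure. The int result is presumably
     * a status code; the convention is not visible in this header.
     */
    int (*set_encrypt_key)(struct ssh_cipher_struct *cipher, void *key, void *IV);
    int (*set_decrypt_key)(struct ssh_cipher_struct *cipher, void *key, void *IV);
    /*
     * Non-AEAD transforms of len bytes from in to out. They return void, so
     * a backend failure cannot be reported to the caller through them.
     */
    void (*encrypt)(struct ssh_cipher_struct *cipher,
                    void *in,
                    void *out,
                    size_t len);
    void (*decrypt)(struct ssh_cipher_struct *cipher,
                    void *in,
                    void *out,
                    size_t len);
    /* AEAD encryption; mac receives the tag, seq is the packet sequence number. */
    void (*aead_encrypt)(struct ssh_cipher_struct *cipher, void *in, void *out,
                         size_t len, uint8_t *mac, uint64_t seq);
    /* Presumably recovers the packet length field ahead of full decryption -- confirm. */
    int (*aead_decrypt_length)(struct ssh_cipher_struct *cipher, void *in,
                               uint8_t *out, size_t len, uint64_t seq);
    /*
     * AEAD decryption of a whole packet. The int result is presumably where
     * a tag verification failure is reported -- confirm. Callers should
     * check it before using anything written to out.
     */
    int (*aead_decrypt)(struct ssh_cipher_struct *cipher, void *complete_packet, uint8_t *out,
                        size_t encrypted_size, uint64_t seq);
    /* Releases the cipher's keyed state; whether it wipes key material is not visible here. */
    void (*cleanup)(struct ssh_cipher_struct *cipher);
};

/* Returns the cipher description for chacha20-poly1305. */
const struct ssh_cipher_struct *ssh_get_chacha20poly1305_cipher(void);

/*
 * Derives a session key.
 *
 * crypto        - crypto state supplying the derivation inputs
 * key, key_len  - input key material and its length in bytes
 * key_type      - presumably selects which of the session keys is derived;
 *                 confirm against the implementation
 * output        - receives the derived key; presumably must have room for
 *                 requested_len bytes -- confirm
 * requested_len - number of bytes requested
 *
 * Returns an int status; the convention is not visible in this header.
 */
int sshkdf_derive_key(struct ssh_crypto_struct *crypto,
                      unsigned char *key, size_t key_len,
                      int key_type, unsigned char *output,
                      size_t requested_len);

#endif /* _CRYPTO_H_ */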