1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be 10 * called by a name other than "ssh" or "Secure Shell". 11 * 12 * 13 * Copyright (c) 1999 Niels Provos. All rights reserved. 14 * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37 #include "includes.h" 38 RCSID("$OpenBSD: cipher.c,v 1.61 2002/07/12 15:50:17 markus Exp $"); 39 RCSID("$FreeBSD: src/crypto/openssh/cipher.c,v 1.2.2.6 2003/02/03 17:31:06 des Exp $"); 40 RCSID("$DragonFly: src/crypto/openssh/Attic/cipher.c,v 1.2 2003/06/17 04:24:36 dillon Exp $"); 41 42 #include "xmalloc.h" 43 #include "log.h" 44 #include "cipher.h" 45 46 #include <openssl/md5.h> 47 48 #if OPENSSL_VERSION_NUMBER < 0x00906000L 49 #define SSH_OLD_EVP 50 #define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) 51 #endif 52 53 #if OPENSSL_VERSION_NUMBER < 0x00907000L 54 #include "rijndael.h" 55 static const EVP_CIPHER *evp_rijndael(void); 56 #endif 57 static const EVP_CIPHER *evp_ssh1_3des(void); 58 static const EVP_CIPHER *evp_ssh1_bf(void); 59 60 struct Cipher { 61 char *name; 62 int number; /* for ssh1 only */ 63 u_int block_size; 64 u_int key_len; 65 const EVP_CIPHER *(*evptype)(void); 66 } ciphers[] = { 67 { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, 68 { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc }, 69 { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des }, 70 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf }, 71 72 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc }, 73 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc }, 74 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc }, 75 { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 }, 76 #if OPENSSL_VERSION_NUMBER < 0x00907000L 77 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael }, 78 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael }, 79 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, 80 { "rijndael-cbc@lysator.liu.se", 81 SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, 82 #else 83 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc }, 84 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc }, 85 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, 86 { "rijndael-cbc@lysator.liu.se", 87 SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, 88 #endif 89 90 { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL } 91 }; 92 93 /*--*/ 94 95 u_int 96 cipher_blocksize(Cipher *c) 97 { 98 return (c->block_size); 99 } 100 101 u_int 102 cipher_keylen(Cipher *c) 103 { 104 return (c->key_len); 105 } 106 107 u_int 108 cipher_get_number(Cipher *c) 109 { 110 return (c->number); 111 } 112 113 u_int 114 cipher_mask_ssh1(int client) 115 { 116 u_int mask = 0; 117 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 118 mask |= 1 << SSH_CIPHER_BLOWFISH; 119 if (client) { 120 mask |= 1 << SSH_CIPHER_DES; 121 } 122 return mask; 123 } 124 125 Cipher * 126 cipher_by_name(const char *name) 127 { 128 Cipher *c; 129 for (c = ciphers; c->name != NULL; c++) 130 if (strcasecmp(c->name, name) == 0) 131 return c; 132 return NULL; 133 } 134 135 Cipher * 136 cipher_by_number(int id) 137 { 138 Cipher *c; 139 for (c = ciphers; c->name != NULL; c++) 140 if (c->number == id) 141 return c; 142 return NULL; 143 } 144 145 #define CIPHER_SEP "," 146 int 147 ciphers_valid(const char *names) 148 { 149 Cipher *c; 150 char *ciphers, *cp; 151 char *p; 152 153 if (names == NULL || strcmp(names, "") == 0) 154 return 0; 155 ciphers = cp = xstrdup(names); 156 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 157 (p = strsep(&cp, CIPHER_SEP))) { 158 c = cipher_by_name(p); 159 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 160 debug("bad cipher %s [%s]", p, names); 161 xfree(ciphers); 162 return 0; 163 } else { 164 debug3("cipher ok: %s [%s]", p, names); 165 } 166 } 167 debug3("ciphers ok: [%s]", names); 168 xfree(ciphers); 169 return 1; 170 } 171 172 /* 173 * Parses the name of the cipher. Returns the number of the corresponding 174 * cipher, or -1 on error. 175 */ 176 177 int 178 cipher_number(const char *name) 179 { 180 Cipher *c; 181 if (name == NULL) 182 return -1; 183 c = cipher_by_name(name); 184 return (c==NULL) ? -1 : c->number; 185 } 186 187 char * 188 cipher_name(int id) 189 { 190 Cipher *c = cipher_by_number(id); 191 return (c==NULL) ? "<unknown>" : c->name; 192 } 193 194 void 195 cipher_init(CipherContext *cc, Cipher *cipher, 196 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 197 int encrypt) 198 { 199 static int dowarn = 1; 200 #ifdef SSH_OLD_EVP 201 EVP_CIPHER *type; 202 #else 203 const EVP_CIPHER *type; 204 #endif 205 int klen; 206 207 if (cipher->number == SSH_CIPHER_DES) { 208 if (dowarn) { 209 error("Warning: use of DES is strongly discouraged " 210 "due to cryptographic weaknesses"); 211 dowarn = 0; 212 } 213 if (keylen > 8) 214 keylen = 8; 215 } 216 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 217 218 if (keylen < cipher->key_len) 219 fatal("cipher_init: key length %d is insufficient for %s.", 220 keylen, cipher->name); 221 if (iv != NULL && ivlen < cipher->block_size) 222 fatal("cipher_init: iv length %d is insufficient for %s.", 223 ivlen, cipher->name); 224 cc->cipher = cipher; 225 226 type = (*cipher->evptype)(); 227 228 EVP_CIPHER_CTX_init(&cc->evp); 229 #ifdef SSH_OLD_EVP 230 if (type->key_len > 0 && type->key_len != keylen) { 231 debug("cipher_init: set keylen (%d -> %d)", 232 type->key_len, keylen); 233 type->key_len = keylen; 234 } 235 EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv, 236 (encrypt == CIPHER_ENCRYPT)); 237 #else 238 if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv, 239 (encrypt == CIPHER_ENCRYPT)) == 0) 240 fatal("cipher_init: EVP_CipherInit failed for %s", 241 cipher->name); 242 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 243 if (klen > 0 && keylen != klen) { 244 debug("cipher_init: set keylen (%d -> %d)", klen, keylen); 245 if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) 246 fatal("cipher_init: set keylen failed (%d -> %d)", 247 klen, keylen); 248 } 249 if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) 250 fatal("cipher_init: EVP_CipherInit: set key failed for %s", 251 cipher->name); 252 #endif 253 } 254 255 void 256 cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 257 { 258 if (len % cc->cipher->block_size) 259 fatal("cipher_encrypt: bad plaintext length %d", len); 260 #ifdef SSH_OLD_EVP 261 EVP_Cipher(&cc->evp, dest, (u_char *)src, len); 262 #else 263 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) 264 fatal("evp_crypt: EVP_Cipher failed"); 265 #endif 266 } 267 268 void 269 cipher_cleanup(CipherContext *cc) 270 { 271 #ifdef SSH_OLD_EVP 272 EVP_CIPHER_CTX_cleanup(&cc->evp); 273 #else 274 if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) 275 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); 276 #endif 277 } 278 279 /* 280 * Selects the cipher, and keys if by computing the MD5 checksum of the 281 * passphrase and using the resulting 16 bytes as the key. 282 */ 283 284 void 285 cipher_set_key_string(CipherContext *cc, Cipher *cipher, 286 const char *passphrase, int encrypt) 287 { 288 MD5_CTX md; 289 u_char digest[16]; 290 291 MD5_Init(&md); 292 MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); 293 MD5_Final(digest, &md); 294 295 cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt); 296 297 memset(digest, 0, sizeof(digest)); 298 memset(&md, 0, sizeof(md)); 299 } 300 301 /* Implementations for other non-EVP ciphers */ 302 303 /* 304 * This is used by SSH1: 305 * 306 * What kind of triple DES are these 2 routines? 307 * 308 * Why is there a redundant initialization vector? 309 * 310 * If only iv3 was used, then, this would till effect have been 311 * outer-cbc. However, there is also a private iv1 == iv2 which 312 * perhaps makes differential analysis easier. On the other hand, the 313 * private iv1 probably makes the CRC-32 attack ineffective. This is a 314 * result of that there is no longer any known iv1 to use when 315 * choosing the X block. 316 */ 317 struct ssh1_3des_ctx 318 { 319 EVP_CIPHER_CTX k1, k2, k3; 320 }; 321 322 static int 323 ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, 324 int enc) 325 { 326 struct ssh1_3des_ctx *c; 327 u_char *k1, *k2, *k3; 328 329 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 330 c = xmalloc(sizeof(*c)); 331 EVP_CIPHER_CTX_set_app_data(ctx, c); 332 } 333 if (key == NULL) 334 return (1); 335 if (enc == -1) 336 enc = ctx->encrypt; 337 k1 = k2 = k3 = (u_char *) key; 338 k2 += 8; 339 if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) { 340 if (enc) 341 k3 += 16; 342 else 343 k1 += 16; 344 } 345 EVP_CIPHER_CTX_init(&c->k1); 346 EVP_CIPHER_CTX_init(&c->k2); 347 EVP_CIPHER_CTX_init(&c->k3); 348 #ifdef SSH_OLD_EVP 349 EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc); 350 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc); 351 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc); 352 #else 353 if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 || 354 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 || 355 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) { 356 memset(c, 0, sizeof(*c)); 357 xfree(c); 358 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 359 return (0); 360 } 361 #endif 362 return (1); 363 } 364 365 static int 366 ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len) 367 { 368 struct ssh1_3des_ctx *c; 369 370 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 371 error("ssh1_3des_cbc: no context"); 372 return (0); 373 } 374 #ifdef SSH_OLD_EVP 375 EVP_Cipher(&c->k1, dest, (u_char *)src, len); 376 EVP_Cipher(&c->k2, dest, dest, len); 377 EVP_Cipher(&c->k3, dest, dest, len); 378 #else 379 if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 || 380 EVP_Cipher(&c->k2, dest, dest, len) == 0 || 381 EVP_Cipher(&c->k3, dest, dest, len) == 0) 382 return (0); 383 #endif 384 return (1); 385 } 386 387 static int 388 ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx) 389 { 390 struct ssh1_3des_ctx *c; 391 392 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 393 memset(c, 0, sizeof(*c)); 394 xfree(c); 395 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 396 } 397 return (1); 398 } 399 400 static const EVP_CIPHER * 401 evp_ssh1_3des(void) 402 { 403 static EVP_CIPHER ssh1_3des; 404 405 memset(&ssh1_3des, 0, sizeof(EVP_CIPHER)); 406 ssh1_3des.nid = NID_undef; 407 ssh1_3des.block_size = 8; 408 ssh1_3des.iv_len = 0; 409 ssh1_3des.key_len = 16; 410 ssh1_3des.init = ssh1_3des_init; 411 ssh1_3des.cleanup = ssh1_3des_cleanup; 412 ssh1_3des.do_cipher = ssh1_3des_cbc; 413 #ifndef SSH_OLD_EVP 414 ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH; 415 #endif 416 return (&ssh1_3des); 417 } 418 419 /* 420 * SSH1 uses a variation on Blowfish, all bytes must be swapped before 421 * and after encryption/decryption. Thus the swap_bytes stuff (yuk). 422 */ 423 static void 424 swap_bytes(const u_char *src, u_char *dst, int n) 425 { 426 u_char c[4]; 427 428 /* Process 4 bytes every lap. */ 429 for (n = n / 4; n > 0; n--) { 430 c[3] = *src++; 431 c[2] = *src++; 432 c[1] = *src++; 433 c[0] = *src++; 434 435 *dst++ = c[0]; 436 *dst++ = c[1]; 437 *dst++ = c[2]; 438 *dst++ = c[3]; 439 } 440 } 441 442 #ifdef SSH_OLD_EVP 443 static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key, 444 const unsigned char *iv, int enc) 445 { 446 if (iv != NULL) 447 memcpy (&(ctx->oiv[0]), iv, 8); 448 memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8); 449 if (key != NULL) 450 BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx), 451 key); 452 } 453 #endif 454 static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL; 455 456 static int 457 bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len) 458 { 459 int ret; 460 461 swap_bytes(in, out, len); 462 ret = (*orig_bf)(ctx, out, out, len); 463 swap_bytes(out, out, len); 464 return (ret); 465 } 466 467 static const EVP_CIPHER * 468 evp_ssh1_bf(void) 469 { 470 static EVP_CIPHER ssh1_bf; 471 472 memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER)); 473 orig_bf = ssh1_bf.do_cipher; 474 ssh1_bf.nid = NID_undef; 475 #ifdef SSH_OLD_EVP 476 ssh1_bf.init = bf_ssh1_init; 477 #endif 478 ssh1_bf.do_cipher = bf_ssh1_cipher; 479 ssh1_bf.key_len = 32; 480 return (&ssh1_bf); 481 } 482 483 #if OPENSSL_VERSION_NUMBER < 0x00907000L 484 /* RIJNDAEL */ 485 #define RIJNDAEL_BLOCKSIZE 16 486 struct ssh_rijndael_ctx 487 { 488 rijndael_ctx r_ctx; 489 u_char r_iv[RIJNDAEL_BLOCKSIZE]; 490 }; 491 492 static int 493 ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, 494 int enc) 495 { 496 struct ssh_rijndael_ctx *c; 497 498 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 499 c = xmalloc(sizeof(*c)); 500 EVP_CIPHER_CTX_set_app_data(ctx, c); 501 } 502 if (key != NULL) { 503 if (enc == -1) 504 enc = ctx->encrypt; 505 rijndael_set_key(&c->r_ctx, (u_char *)key, 506 8*EVP_CIPHER_CTX_key_length(ctx), enc); 507 } 508 if (iv != NULL) 509 memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE); 510 return (1); 511 } 512 513 static int 514 ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, 515 u_int len) 516 { 517 struct ssh_rijndael_ctx *c; 518 u_char buf[RIJNDAEL_BLOCKSIZE]; 519 u_char *cprev, *cnow, *plain, *ivp; 520 int i, j, blocks = len / RIJNDAEL_BLOCKSIZE; 521 522 if (len == 0) 523 return (1); 524 if (len % RIJNDAEL_BLOCKSIZE) 525 fatal("ssh_rijndael_cbc: bad len %d", len); 526 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 527 error("ssh_rijndael_cbc: no context"); 528 return (0); 529 } 530 if (ctx->encrypt) { 531 cnow = dest; 532 plain = (u_char *)src; 533 cprev = c->r_iv; 534 for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE, 535 cnow+=RIJNDAEL_BLOCKSIZE) { 536 for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++) 537 buf[j] = plain[j] ^ cprev[j]; 538 rijndael_encrypt(&c->r_ctx, buf, cnow); 539 cprev = cnow; 540 } 541 memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE); 542 } else { 543 cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE); 544 plain = dest+len-RIJNDAEL_BLOCKSIZE; 545 546 memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE); 547 for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE, 548 plain-=RIJNDAEL_BLOCKSIZE) { 549 rijndael_decrypt(&c->r_ctx, cnow, plain); 550 ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE; 551 for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++) 552 plain[j] ^= ivp[j]; 553 } 554 memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE); 555 } 556 return (1); 557 } 558 559 static int 560 ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx) 561 { 562 struct ssh_rijndael_ctx *c; 563 564 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 565 memset(c, 0, sizeof(*c)); 566 xfree(c); 567 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 568 } 569 return (1); 570 } 571 572 static const EVP_CIPHER * 573 evp_rijndael(void) 574 { 575 static EVP_CIPHER rijndal_cbc; 576 577 memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER)); 578 rijndal_cbc.nid = NID_undef; 579 rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE; 580 rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE; 581 rijndal_cbc.key_len = 16; 582 rijndal_cbc.init = ssh_rijndael_init; 583 rijndal_cbc.cleanup = ssh_rijndael_cleanup; 584 rijndal_cbc.do_cipher = ssh_rijndael_cbc; 585 #ifndef SSH_OLD_EVP 586 rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | 587 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; 588 #endif 589 return (&rijndal_cbc); 590 } 591 #endif 592 593 /* 594 * Exports an IV from the CipherContext required to export the key 595 * state back from the unprivileged child to the privileged parent 596 * process. 597 */ 598 599 int 600 cipher_get_keyiv_len(CipherContext *cc) 601 { 602 Cipher *c = cc->cipher; 603 int ivlen; 604 605 if (c->number == SSH_CIPHER_3DES) 606 ivlen = 24; 607 else 608 ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); 609 return (ivlen); 610 } 611 612 void 613 cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) 614 { 615 Cipher *c = cc->cipher; 616 u_char *civ = NULL; 617 int evplen; 618 619 switch (c->number) { 620 case SSH_CIPHER_SSH2: 621 case SSH_CIPHER_DES: 622 case SSH_CIPHER_BLOWFISH: 623 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 624 if (evplen == 0) 625 return; 626 if (evplen != len) 627 fatal("%s: wrong iv length %d != %d", __func__, 628 evplen, len); 629 630 #if OPENSSL_VERSION_NUMBER < 0x00907000L 631 if (c->evptype == evp_rijndael) { 632 struct ssh_rijndael_ctx *aesc; 633 634 aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 635 if (aesc == NULL) 636 fatal("%s: no rijndael context", __func__); 637 civ = aesc->r_iv; 638 } else 639 #endif 640 { 641 civ = cc->evp.iv; 642 } 643 break; 644 case SSH_CIPHER_3DES: { 645 struct ssh1_3des_ctx *desc; 646 if (len != 24) 647 fatal("%s: bad 3des iv length: %d", __func__, len); 648 desc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 649 if (desc == NULL) 650 fatal("%s: no 3des context", __func__); 651 debug3("%s: Copying 3DES IV", __func__); 652 memcpy(iv, desc->k1.iv, 8); 653 memcpy(iv + 8, desc->k2.iv, 8); 654 memcpy(iv + 16, desc->k3.iv, 8); 655 return; 656 } 657 default: 658 fatal("%s: bad cipher %d", __func__, c->number); 659 } 660 memcpy(iv, civ, len); 661 } 662 663 void 664 cipher_set_keyiv(CipherContext *cc, u_char *iv) 665 { 666 Cipher *c = cc->cipher; 667 u_char *div = NULL; 668 int evplen = 0; 669 670 switch (c->number) { 671 case SSH_CIPHER_SSH2: 672 case SSH_CIPHER_DES: 673 case SSH_CIPHER_BLOWFISH: 674 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 675 if (evplen == 0) 676 return; 677 678 #if OPENSSL_VERSION_NUMBER < 0x00907000L 679 if (c->evptype == evp_rijndael) { 680 struct ssh_rijndael_ctx *aesc; 681 682 aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 683 if (aesc == NULL) 684 fatal("%s: no rijndael context", __func__); 685 div = aesc->r_iv; 686 } else 687 #endif 688 { 689 div = cc->evp.iv; 690 } 691 break; 692 case SSH_CIPHER_3DES: { 693 struct ssh1_3des_ctx *desc; 694 desc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 695 if (desc == NULL) 696 fatal("%s: no 3des context", __func__); 697 debug3("%s: Installed 3DES IV", __func__); 698 memcpy(desc->k1.iv, iv, 8); 699 memcpy(desc->k2.iv, iv + 8, 8); 700 memcpy(desc->k3.iv, iv + 16, 8); 701 return; 702 } 703 default: 704 fatal("%s: bad cipher %d", __func__, c->number); 705 } 706 memcpy(div, iv, evplen); 707 } 708 709 #if OPENSSL_VERSION_NUMBER < 0x00907000L 710 #define EVP_X_STATE(evp) &(evp).c 711 #define EVP_X_STATE_LEN(evp) sizeof((evp).c) 712 #else 713 #define EVP_X_STATE(evp) (evp).cipher_data 714 #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size 715 #endif 716 717 int 718 cipher_get_keycontext(CipherContext *cc, u_char *dat) 719 { 720 Cipher *c = cc->cipher; 721 int plen = 0; 722 723 if (c->evptype == EVP_rc4) { 724 plen = EVP_X_STATE_LEN(cc->evp); 725 if (dat == NULL) 726 return (plen); 727 memcpy(dat, EVP_X_STATE(cc->evp), plen); 728 } 729 return (plen); 730 } 731 732 void 733 cipher_set_keycontext(CipherContext *cc, u_char *dat) 734 { 735 Cipher *c = cc->cipher; 736 int plen; 737 738 if (c->evptype == EVP_rc4) { 739 plen = EVP_X_STATE_LEN(cc->evp); 740 memcpy(EVP_X_STATE(cc->evp), dat, plen); 741 } 742 } 743