1 /* $OpenBSD: cipher.c,v 1.99 2014/06/24 01:13:21 djm Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 * 13 * 14 * Copyright (c) 1999 Niels Provos. All rights reserved. 15 * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include "includes.h" 39 40 #include <sys/types.h> 41 42 #include <string.h> 43 #include <stdarg.h> 44 #include <stdio.h> 45 46 #include "cipher.h" 47 #include "misc.h" 48 #include "sshbuf.h" 49 #include "ssherr.h" 50 #include "digest.h" 51 52 #include "openbsd-compat/openssl-compat.h" 53 54 #ifdef WITH_SSH1 55 extern const EVP_CIPHER *evp_ssh1_bf(void); 56 extern const EVP_CIPHER *evp_ssh1_3des(void); 57 extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); 58 #endif 59 60 /* for multi-threaded aes-ctr cipher */ 61 extern const EVP_CIPHER *evp_aes_ctr_mt(void); 62 63 /* no longer needed. replaced by evp pointer swap */ 64 /* extern void ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx); */ 65 /* extern void ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx); */ 66 67 struct sshcipher { 68 char *name; 69 int number; /* for ssh1 only */ 70 u_int block_size; 71 u_int key_len; 72 u_int iv_len; /* defaults to block_size */ 73 u_int auth_len; 74 u_int discard_len; 75 u_int flags; 76 #define CFLAG_CBC (1<<0) 77 #define CFLAG_CHACHAPOLY (1<<1) 78 #define CFLAG_AESCTR (1<<2) 79 #define CFLAG_NONE (1<<3) 80 #ifdef WITH_OPENSSL 81 const EVP_CIPHER *(*evptype)(void); 82 #else 83 void *ignored; 84 #endif 85 }; 86 87 static struct sshcipher ciphers[] = { 88 #ifdef WITH_SSH1 89 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, 90 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, 91 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, 92 #endif /* WITH_SSH1 */ 93 #ifdef WITH_OPENSSL 94 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, 95 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, 96 { "blowfish-cbc", 97 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, 98 { "cast128-cbc", 99 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc }, 100 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 }, 101 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 }, 102 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 }, 103 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, 104 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, 105 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, 106 { "rijndael-cbc@lysator.liu.se", 107 SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, 108 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, 109 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, 110 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, 111 # ifdef OPENSSL_HAVE_EVPGCM 112 { "aes128-gcm@openssh.com", 113 SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, 114 { "aes256-gcm@openssh.com", 115 SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, 116 # endif /* OPENSSL_HAVE_EVPGCM */ 117 #else /* WITH_OPENSSL */ 118 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL }, 119 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL }, 120 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL }, 121 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, CFLAG_NONE, NULL }, 122 #endif /* WITH_OPENSSL */ 123 { "chacha20-poly1305@openssh.com", 124 SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL }, 125 126 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } 127 }; 128 129 /*--*/ 130 131 /* used to get the cipher name so when force rekeying to handle the 132 * single to multithreaded ctr cipher swap we only rekey when appropriate 133 */ 134 char * 135 cipher_return_name(const struct sshcipher *c) 136 { 137 return (c->name); 138 } 139 140 /* in order to get around sandbox and forking issues with a threaded cipher 141 * we set the initial pre-auth aes-ctr cipher to the default OpenSSH cipher 142 * post auth we set them to the new evp as defined by cipher-ctr-mt 143 */ 144 145 void 146 cipher_reset_multithreaded() 147 { 148 (cipher_by_name("aes128-ctr"))->evptype = evp_aes_ctr_mt; 149 (cipher_by_name("aes192-ctr"))->evptype = evp_aes_ctr_mt; 150 (cipher_by_name("aes256-ctr"))->evptype = evp_aes_ctr_mt; 151 } 152 153 154 /* Returns a comma-separated list of supported ciphers. */ 155 char * 156 cipher_alg_list(char sep, int auth_only) 157 { 158 char *tmp, *ret = NULL; 159 size_t nlen, rlen = 0; 160 const struct sshcipher *c; 161 162 for (c = ciphers; c->name != NULL; c++) { 163 if (c->number != SSH_CIPHER_SSH2) 164 continue; 165 if (auth_only && c->auth_len == 0) 166 continue; 167 if (ret != NULL) 168 ret[rlen++] = sep; 169 nlen = strlen(c->name); 170 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 171 free(ret); 172 return NULL; 173 } 174 ret = tmp; 175 memcpy(ret + rlen, c->name, nlen + 1); 176 rlen += nlen; 177 } 178 return ret; 179 } 180 181 u_int 182 cipher_blocksize(const struct sshcipher *c) 183 { 184 return (c->block_size); 185 } 186 187 u_int 188 cipher_keylen(const struct sshcipher *c) 189 { 190 return (c->key_len); 191 } 192 193 u_int 194 cipher_seclen(const struct sshcipher *c) 195 { 196 if (strcmp("3des-cbc", c->name) == 0) 197 return 14; 198 return cipher_keylen(c); 199 } 200 201 u_int 202 cipher_authlen(const struct sshcipher *c) 203 { 204 return (c->auth_len); 205 } 206 207 u_int 208 cipher_ivlen(const struct sshcipher *c) 209 { 210 /* 211 * Default is cipher block size, except for chacha20+poly1305 that 212 * needs no IV. XXX make iv_len == -1 default? 213 */ 214 return (c->iv_len != 0 || (c->flags & CFLAG_CHACHAPOLY) != 0) ? 215 c->iv_len : c->block_size; 216 } 217 218 u_int 219 cipher_get_number(const struct sshcipher *c) 220 { 221 return (c->number); 222 } 223 224 u_int 225 cipher_is_cbc(const struct sshcipher *c) 226 { 227 return (c->flags & CFLAG_CBC) != 0; 228 } 229 230 u_int 231 cipher_mask_ssh1(int client) 232 { 233 u_int mask = 0; 234 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 235 mask |= 1 << SSH_CIPHER_BLOWFISH; 236 if (client) { 237 mask |= 1 << SSH_CIPHER_DES; 238 } 239 return mask; 240 } 241 242 struct sshcipher * 243 cipher_by_name(const char *name) 244 { 245 struct sshcipher *c; 246 for (c = ciphers; c->name != NULL; c++) 247 if (strcmp(c->name, name) == 0) 248 return c; 249 return NULL; 250 } 251 252 const struct sshcipher * 253 cipher_by_number(int id) 254 { 255 struct sshcipher *c; 256 for (c = ciphers; c->name != NULL; c++) 257 if (c->number == id) 258 return c; 259 return NULL; 260 } 261 262 #define CIPHER_SEP "," 263 int 264 ciphers_valid(const char *names) 265 { 266 const struct sshcipher *c; 267 char *cipher_list, *cp; 268 char *p; 269 270 if (names == NULL || strcmp(names, "") == 0) 271 return 0; 272 if ((cipher_list = cp = strdup(names)) == NULL) 273 return 0; 274 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 275 (p = strsep(&cp, CIPHER_SEP))) { 276 c = cipher_by_name(p); 277 if (c == NULL || (c->number != SSH_CIPHER_SSH2 && 278 c->number != SSH_CIPHER_NONE)) { 279 free(cipher_list); 280 return 0; 281 } 282 } 283 free(cipher_list); 284 return 1; 285 } 286 287 /* 288 * Parses the name of the cipher. Returns the number of the corresponding 289 * cipher, or -1 on error. 290 */ 291 292 int 293 cipher_number(const char *name) 294 { 295 const struct sshcipher *c; 296 if (name == NULL) 297 return -1; 298 for (c = ciphers; c->name != NULL; c++) 299 if (strcasecmp(c->name, name) == 0) 300 return c->number; 301 return -1; 302 } 303 304 char * 305 cipher_name(int id) 306 { 307 const struct sshcipher *c = cipher_by_number(id); 308 return (c==NULL) ? "<unknown>" : c->name; 309 } 310 311 const char * 312 cipher_warning_message(const struct sshcipher_ctx *cc) 313 { 314 if (cc == NULL || cc->cipher == NULL) 315 return NULL; 316 if (cc->cipher->number == SSH_CIPHER_DES) 317 return "use of DES is strongly discouraged due to " 318 "cryptographic weaknesses"; 319 return NULL; 320 } 321 322 int 323 cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher, 324 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 325 int do_encrypt) 326 { 327 #ifdef WITH_OPENSSL 328 int ret = SSH_ERR_INTERNAL_ERROR; 329 const EVP_CIPHER *type; 330 int klen; 331 u_char *junk, *discard; 332 333 if (cipher->number == SSH_CIPHER_DES) { 334 if (keylen > 8) 335 keylen = 8; 336 } 337 #endif 338 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 339 cc->encrypt = do_encrypt; 340 341 if (keylen < cipher->key_len || 342 (iv != NULL && ivlen < cipher_ivlen(cipher))) 343 return SSH_ERR_INVALID_ARGUMENT; 344 345 cc->cipher = cipher; 346 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { 347 return chachapoly_init(&cc->cp_ctx, key, keylen); 348 } 349 #ifndef WITH_OPENSSL 350 if ((cc->cipher->flags & CFLAG_AESCTR) != 0) { 351 aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen); 352 aesctr_ivsetup(&cc->ac_ctx, iv); 353 return 0; 354 } 355 if ((cc->cipher->flags & CFLAG_NONE) != 0) 356 return 0; 357 return SSH_ERR_INVALID_ARGUMENT; 358 #else 359 type = (*cipher->evptype)(); 360 EVP_CIPHER_CTX_init(&cc->evp); 361 if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv, 362 (do_encrypt == CIPHER_ENCRYPT)) == 0) { 363 ret = SSH_ERR_LIBCRYPTO_ERROR; 364 goto bad; 365 } 366 if (cipher_authlen(cipher) && 367 !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED, 368 -1, (u_char *)iv)) { 369 ret = SSH_ERR_LIBCRYPTO_ERROR; 370 goto bad; 371 } 372 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 373 if (klen > 0 && keylen != (u_int)klen) { 374 if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) { 375 ret = SSH_ERR_LIBCRYPTO_ERROR; 376 goto bad; 377 } 378 } 379 if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) { 380 ret = SSH_ERR_LIBCRYPTO_ERROR; 381 goto bad; 382 } 383 384 if (cipher->discard_len > 0) { 385 if ((junk = malloc(cipher->discard_len)) == NULL || 386 (discard = malloc(cipher->discard_len)) == NULL) { 387 if (junk != NULL) 388 free(junk); 389 ret = SSH_ERR_ALLOC_FAIL; 390 goto bad; 391 } 392 ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len); 393 explicit_bzero(discard, cipher->discard_len); 394 free(junk); 395 free(discard); 396 if (ret != 1) { 397 ret = SSH_ERR_LIBCRYPTO_ERROR; 398 bad: 399 EVP_CIPHER_CTX_cleanup(&cc->evp); 400 return ret; 401 } 402 } 403 #endif 404 return 0; 405 } 406 407 /* 408 * cipher_crypt() operates as following: 409 * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'. 410 * Theses bytes are treated as additional authenticated data for 411 * authenticated encryption modes. 412 * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. 413 * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag. 414 * This tag is written on encryption and verified on decryption. 415 * Both 'aadlen' and 'authlen' can be set to 0. 416 */ 417 int 418 cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest, 419 const u_char *src, u_int len, u_int aadlen, u_int authlen) 420 { 421 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { 422 return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, 423 len, aadlen, authlen, cc->encrypt); 424 } 425 #ifndef WITH_OPENSSL 426 if ((cc->cipher->flags & CFLAG_AESCTR) != 0) { 427 if (aadlen) 428 memcpy(dest, src, aadlen); 429 aesctr_encrypt_bytes(&cc->ac_ctx, src + aadlen, 430 dest + aadlen, len); 431 return 0; 432 } 433 if ((cc->cipher->flags & CFLAG_NONE) != 0) { 434 memcpy(dest, src, aadlen + len); 435 return 0; 436 } 437 return SSH_ERR_INVALID_ARGUMENT; 438 #else 439 if (authlen) { 440 u_char lastiv[1]; 441 442 if (authlen != cipher_authlen(cc->cipher)) 443 return SSH_ERR_INVALID_ARGUMENT; 444 /* increment IV */ 445 if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN, 446 1, lastiv)) 447 return SSH_ERR_LIBCRYPTO_ERROR; 448 /* set tag on decyption */ 449 if (!cc->encrypt && 450 !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG, 451 authlen, (u_char *)src + aadlen + len)) 452 return SSH_ERR_LIBCRYPTO_ERROR; 453 } 454 if (aadlen) { 455 if (authlen && 456 EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0) 457 return SSH_ERR_LIBCRYPTO_ERROR; 458 memcpy(dest, src, aadlen); 459 } 460 if (len % cc->cipher->block_size) 461 return SSH_ERR_INVALID_ARGUMENT; 462 if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen, 463 len) < 0) 464 return SSH_ERR_LIBCRYPTO_ERROR; 465 if (authlen) { 466 /* compute tag (on encrypt) or verify tag (on decrypt) */ 467 if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) 468 return cc->encrypt ? 469 SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID; 470 if (cc->encrypt && 471 !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG, 472 authlen, dest + aadlen + len)) 473 return SSH_ERR_LIBCRYPTO_ERROR; 474 } 475 return 0; 476 #endif 477 } 478 479 /* Extract the packet length, including any decryption necessary beforehand */ 480 int 481 cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr, 482 const u_char *cp, u_int len) 483 { 484 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) 485 return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr, 486 cp, len); 487 if (len < 4) 488 return SSH_ERR_MESSAGE_INCOMPLETE; 489 *plenp = get_u32(cp); 490 return 0; 491 } 492 493 int 494 cipher_cleanup(struct sshcipher_ctx *cc) 495 { 496 if (cc == NULL || cc->cipher == NULL) 497 return 0; 498 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) 499 explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx)); 500 else if ((cc->cipher->flags & CFLAG_AESCTR) != 0) 501 explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx)); 502 #ifdef WITH_OPENSSL 503 else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) 504 return SSH_ERR_LIBCRYPTO_ERROR; 505 #endif 506 return 0; 507 } 508 509 /* 510 * Selects the cipher, and keys if by computing the MD5 checksum of the 511 * passphrase and using the resulting 16 bytes as the key. 512 */ 513 int 514 cipher_set_key_string(struct sshcipher_ctx *cc, const struct sshcipher *cipher, 515 const char *passphrase, int do_encrypt) 516 { 517 u_char digest[16]; 518 int r = SSH_ERR_INTERNAL_ERROR; 519 520 if ((r = ssh_digest_memory(SSH_DIGEST_MD5, 521 passphrase, strlen(passphrase), 522 digest, sizeof(digest))) != 0) 523 goto out; 524 525 r = cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt); 526 out: 527 explicit_bzero(digest, sizeof(digest)); 528 return r; 529 } 530 531 /* 532 * Exports an IV from the sshcipher_ctx required to export the key 533 * state back from the unprivileged child to the privileged parent 534 * process. 535 */ 536 int 537 cipher_get_keyiv_len(const struct sshcipher_ctx *cc) 538 { 539 const struct sshcipher *c = cc->cipher; 540 int ivlen = 0; 541 542 if (c->number == SSH_CIPHER_3DES) 543 ivlen = 24; 544 else if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) 545 ivlen = 0; 546 #ifdef WITH_OPENSSL 547 else 548 ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); 549 #endif /* WITH_OPENSSL */ 550 return (ivlen); 551 } 552 553 int 554 cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) 555 { 556 const struct sshcipher *c = cc->cipher; 557 #ifdef WITH_OPENSSL 558 int evplen; 559 #endif 560 561 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { 562 if (len != 0) 563 return SSH_ERR_INVALID_ARGUMENT; 564 return 0; 565 } 566 if ((cc->cipher->flags & CFLAG_NONE) != 0) 567 return 0; 568 569 switch (c->number) { 570 #ifdef WITH_OPENSSL 571 case SSH_CIPHER_NONE: 572 case SSH_CIPHER_SSH2: 573 case SSH_CIPHER_DES: 574 case SSH_CIPHER_BLOWFISH: 575 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 576 if (evplen == 0) 577 return 0; 578 else if (evplen < 0) 579 return SSH_ERR_LIBCRYPTO_ERROR; 580 if ((u_int)evplen != len) 581 return SSH_ERR_INVALID_ARGUMENT; 582 #ifndef OPENSSL_HAVE_EVPCTR 583 if (c->evptype == evp_aes_128_ctr) 584 ssh_aes_ctr_iv(&cc->evp, 0, iv, len); 585 else 586 #endif 587 if (cipher_authlen(c)) { 588 if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN, 589 len, iv)) 590 return SSH_ERR_LIBCRYPTO_ERROR; 591 } else 592 memcpy(iv, cc->evp.iv, len); 593 break; 594 #endif 595 #ifdef WITH_SSH1 596 case SSH_CIPHER_3DES: 597 return ssh1_3des_iv(&cc->evp, 0, iv, 24); 598 #endif 599 default: 600 return SSH_ERR_INVALID_ARGUMENT; 601 } 602 return 0; 603 } 604 605 int 606 cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) 607 { 608 const struct sshcipher *c = cc->cipher; 609 #ifdef WITH_OPENSSL 610 int evplen = 0; 611 #endif 612 613 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) 614 return 0; 615 if ((cc->cipher->flags & CFLAG_NONE) != 0) 616 return 0; 617 618 switch (c->number) { 619 #ifdef WITH_OPENSSL 620 case SSH_CIPHER_NONE: 621 case SSH_CIPHER_SSH2: 622 case SSH_CIPHER_DES: 623 case SSH_CIPHER_BLOWFISH: 624 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 625 if (evplen <= 0) 626 return SSH_ERR_LIBCRYPTO_ERROR; 627 if (cipher_authlen(c)) { 628 /* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */ 629 if (!EVP_CIPHER_CTX_ctrl(&cc->evp, 630 EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv)) 631 return SSH_ERR_LIBCRYPTO_ERROR; 632 } else 633 memcpy(cc->evp.iv, iv, evplen); 634 break; 635 #endif 636 #ifdef WITH_SSH1 637 case SSH_CIPHER_3DES: 638 return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24); 639 #endif 640 default: 641 return SSH_ERR_INVALID_ARGUMENT; 642 } 643 return 0; 644 } 645 646 #ifdef WITH_OPENSSL 647 #define EVP_X_STATE(evp) (evp).cipher_data 648 #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size 649 #endif 650 651 int 652 cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat) 653 { 654 #ifdef WITH_OPENSSL 655 const struct sshcipher *c = cc->cipher; 656 int plen = 0; 657 658 if (c->evptype == EVP_rc4) { 659 plen = EVP_X_STATE_LEN(cc->evp); 660 if (dat == NULL) 661 return (plen); 662 memcpy(dat, EVP_X_STATE(cc->evp), plen); 663 } 664 return (plen); 665 #else 666 return 0; 667 #endif 668 } 669 670 void 671 cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat) 672 { 673 #ifdef WITH_OPENSSL 674 const struct sshcipher *c = cc->cipher; 675 int plen; 676 677 if (c->evptype == EVP_rc4) { 678 plen = EVP_X_STATE_LEN(cc->evp); 679 memcpy(EVP_X_STATE(cc->evp), dat, plen); 680 } 681 #endif 682 } 683