1 /* $OpenBSD: cipher.c,v 1.102 2016/08/03 05:41:57 djm Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 * 13 * 14 * Copyright (c) 1999 Niels Provos. All rights reserved. 15 * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include <sys/types.h> 39 40 #include <string.h> 41 #include <stdarg.h> 42 #include <stdio.h> 43 44 #include "cipher.h" 45 #include "misc.h" 46 #include "sshbuf.h" 47 #include "ssherr.h" 48 #include "digest.h" 49 50 #ifdef WITH_SSH1 51 extern const EVP_CIPHER *evp_ssh1_bf(void); 52 extern const EVP_CIPHER *evp_ssh1_3des(void); 53 extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); 54 #endif 55 56 struct sshcipher_ctx { 57 int plaintext; 58 int encrypt; 59 EVP_CIPHER_CTX *evp; 60 struct chachapoly_ctx cp_ctx; /* XXX union with evp? */ 61 struct aesctr_ctx ac_ctx; /* XXX union with evp? */ 62 const struct sshcipher *cipher; 63 }; 64 65 struct sshcipher { 66 char *name; 67 int number; /* for ssh1 only */ 68 u_int block_size; 69 u_int key_len; 70 u_int iv_len; /* defaults to block_size */ 71 u_int auth_len; 72 u_int discard_len; 73 u_int flags; 74 #define CFLAG_CBC (1<<0) 75 #define CFLAG_CHACHAPOLY (1<<1) 76 #define CFLAG_AESCTR (1<<2) 77 #define CFLAG_NONE (1<<3) 78 #ifdef WITH_OPENSSL 79 const EVP_CIPHER *(*evptype)(void); 80 #else 81 void *ignored; 82 #endif 83 }; 84 85 static const struct sshcipher ciphers[] = { 86 #ifdef WITH_SSH1 87 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, 88 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, 89 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, 90 #endif 91 #ifdef WITH_OPENSSL 92 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, 93 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, 94 { "blowfish-cbc", 95 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, 96 { "cast128-cbc", 97 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc }, 98 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 }, 99 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 }, 100 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 }, 101 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, 102 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, 103 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, 104 { "rijndael-cbc@lysator.liu.se", 105 SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, 106 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, 107 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, 108 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, 109 { "aes128-gcm@openssh.com", 110 SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, 111 { "aes256-gcm@openssh.com", 112 SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, 113 #else 114 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL }, 115 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL }, 116 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL }, 117 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, CFLAG_NONE, NULL }, 118 #endif 119 { "chacha20-poly1305@openssh.com", 120 SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL }, 121 122 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } 123 }; 124 125 /*--*/ 126 127 /* Returns a comma-separated list of supported ciphers. */ 128 char * 129 cipher_alg_list(char sep, int auth_only) 130 { 131 char *tmp, *ret = NULL; 132 size_t nlen, rlen = 0; 133 const struct sshcipher *c; 134 135 for (c = ciphers; c->name != NULL; c++) { 136 if (c->number != SSH_CIPHER_SSH2) 137 continue; 138 if (auth_only && c->auth_len == 0) 139 continue; 140 if (ret != NULL) 141 ret[rlen++] = sep; 142 nlen = strlen(c->name); 143 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 144 free(ret); 145 return NULL; 146 } 147 ret = tmp; 148 memcpy(ret + rlen, c->name, nlen + 1); 149 rlen += nlen; 150 } 151 return ret; 152 } 153 154 u_int 155 cipher_blocksize(const struct sshcipher *c) 156 { 157 return (c->block_size); 158 } 159 160 u_int 161 cipher_keylen(const struct sshcipher *c) 162 { 163 return (c->key_len); 164 } 165 166 u_int 167 cipher_seclen(const struct sshcipher *c) 168 { 169 if (strcmp("3des-cbc", c->name) == 0) 170 return 14; 171 return cipher_keylen(c); 172 } 173 174 u_int 175 cipher_authlen(const struct sshcipher *c) 176 { 177 return (c->auth_len); 178 } 179 180 u_int 181 cipher_ivlen(const struct sshcipher *c) 182 { 183 /* 184 * Default is cipher block size, except for chacha20+poly1305 that 185 * needs no IV. XXX make iv_len == -1 default? 186 */ 187 return (c->iv_len != 0 || (c->flags & CFLAG_CHACHAPOLY) != 0) ? 188 c->iv_len : c->block_size; 189 } 190 191 u_int 192 cipher_get_number(const struct sshcipher *c) 193 { 194 return (c->number); 195 } 196 197 u_int 198 cipher_is_cbc(const struct sshcipher *c) 199 { 200 return (c->flags & CFLAG_CBC) != 0; 201 } 202 203 u_int 204 cipher_ctx_is_plaintext(struct sshcipher_ctx *cc) 205 { 206 return cc->plaintext; 207 } 208 209 u_int 210 cipher_ctx_get_number(struct sshcipher_ctx *cc) 211 { 212 return cc->cipher->number; 213 } 214 215 u_int 216 cipher_mask_ssh1(int client) 217 { 218 u_int mask = 0; 219 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 220 mask |= 1 << SSH_CIPHER_BLOWFISH; 221 if (client) { 222 mask |= 1 << SSH_CIPHER_DES; 223 } 224 return mask; 225 } 226 227 const struct sshcipher * 228 cipher_by_name(const char *name) 229 { 230 const struct sshcipher *c; 231 for (c = ciphers; c->name != NULL; c++) 232 if (strcmp(c->name, name) == 0) 233 return c; 234 return NULL; 235 } 236 237 const struct sshcipher * 238 cipher_by_number(int id) 239 { 240 const struct sshcipher *c; 241 for (c = ciphers; c->name != NULL; c++) 242 if (c->number == id) 243 return c; 244 return NULL; 245 } 246 247 #define CIPHER_SEP "," 248 int 249 ciphers_valid(const char *names) 250 { 251 const struct sshcipher *c; 252 char *cipher_list, *cp; 253 char *p; 254 255 if (names == NULL || strcmp(names, "") == 0) 256 return 0; 257 if ((cipher_list = cp = strdup(names)) == NULL) 258 return 0; 259 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 260 (p = strsep(&cp, CIPHER_SEP))) { 261 c = cipher_by_name(p); 262 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 263 free(cipher_list); 264 return 0; 265 } 266 } 267 free(cipher_list); 268 return 1; 269 } 270 271 /* 272 * Parses the name of the cipher. Returns the number of the corresponding 273 * cipher, or -1 on error. 274 */ 275 276 int 277 cipher_number(const char *name) 278 { 279 const struct sshcipher *c; 280 if (name == NULL) 281 return -1; 282 for (c = ciphers; c->name != NULL; c++) 283 if (strcasecmp(c->name, name) == 0) 284 return c->number; 285 return -1; 286 } 287 288 char * 289 cipher_name(int id) 290 { 291 const struct sshcipher *c = cipher_by_number(id); 292 return (c==NULL) ? "<unknown>" : c->name; 293 } 294 295 const char * 296 cipher_warning_message(const struct sshcipher_ctx *cc) 297 { 298 if (cc == NULL || cc->cipher == NULL) 299 return NULL; 300 if (cc->cipher->number == SSH_CIPHER_DES) 301 return "use of DES is strongly discouraged due to " 302 "cryptographic weaknesses"; 303 return NULL; 304 } 305 306 int 307 cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher, 308 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 309 int do_encrypt) 310 { 311 struct sshcipher_ctx *cc = NULL; 312 int ret = SSH_ERR_INTERNAL_ERROR; 313 #ifdef WITH_OPENSSL 314 const EVP_CIPHER *type; 315 int klen; 316 u_char *junk, *discard; 317 #endif 318 319 *ccp = NULL; 320 if ((cc = calloc(sizeof(*cc), 1)) == NULL) 321 return SSH_ERR_ALLOC_FAIL; 322 323 if (cipher->number == SSH_CIPHER_DES) { 324 if (keylen > 8) 325 keylen = 8; 326 } 327 328 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 329 cc->encrypt = do_encrypt; 330 331 if (keylen < cipher->key_len || 332 (iv != NULL && ivlen < cipher_ivlen(cipher))) { 333 ret = SSH_ERR_INVALID_ARGUMENT; 334 goto out; 335 } 336 337 cc->cipher = cipher; 338 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { 339 ret = chachapoly_init(&cc->cp_ctx, key, keylen); 340 goto out; 341 } 342 #ifndef WITH_OPENSSL 343 if ((cc->cipher->flags & CFLAG_AESCTR) != 0) { 344 aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen); 345 aesctr_ivsetup(&cc->ac_ctx, iv); 346 ret = 0; 347 goto out; 348 } 349 if ((cc->cipher->flags & CFLAG_NONE) != 0) { 350 ret = 0; 351 goto out; 352 } 353 ret = SSH_ERR_INVALID_ARGUMENT; 354 goto out; 355 #else /* WITH_OPENSSL */ 356 type = (*cipher->evptype)(); 357 if ((cc->evp = EVP_CIPHER_CTX_new()) == NULL) { 358 ret = SSH_ERR_ALLOC_FAIL; 359 goto out; 360 } 361 if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv, 362 (do_encrypt == CIPHER_ENCRYPT)) == 0) { 363 ret = SSH_ERR_LIBCRYPTO_ERROR; 364 goto out; 365 } 366 if (cipher_authlen(cipher) && 367 !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED, 368 -1, (u_char *)iv)) { 369 ret = SSH_ERR_LIBCRYPTO_ERROR; 370 goto out; 371 } 372 klen = EVP_CIPHER_CTX_key_length(cc->evp); 373 if (klen > 0 && keylen != (u_int)klen) { 374 if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) { 375 ret = SSH_ERR_LIBCRYPTO_ERROR; 376 goto out; 377 } 378 } 379 if (EVP_CipherInit(cc->evp, NULL, (u_char *)key, NULL, -1) == 0) { 380 ret = SSH_ERR_LIBCRYPTO_ERROR; 381 goto out; 382 } 383 384 if (cipher->discard_len > 0) { 385 if ((junk = malloc(cipher->discard_len)) == NULL || 386 (discard = malloc(cipher->discard_len)) == NULL) { 387 free(junk); 388 ret = SSH_ERR_ALLOC_FAIL; 389 goto out; 390 } 391 ret = EVP_Cipher(cc->evp, discard, junk, cipher->discard_len); 392 explicit_bzero(discard, cipher->discard_len); 393 free(junk); 394 free(discard); 395 if (ret != 1) { 396 ret = SSH_ERR_LIBCRYPTO_ERROR; 397 goto out; 398 } 399 } 400 ret = 0; 401 #endif /* WITH_OPENSSL */ 402 out: 403 if (ret == 0) { 404 /* success */ 405 *ccp = cc; 406 } else { 407 if (cc != NULL) { 408 #ifdef WITH_OPENSSL 409 if (cc->evp != NULL) 410 EVP_CIPHER_CTX_free(cc->evp); 411 #endif /* WITH_OPENSSL */ 412 explicit_bzero(cc, sizeof(*cc)); 413 free(cc); 414 } 415 } 416 return ret; 417 } 418 419 /* 420 * cipher_crypt() operates as following: 421 * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'. 422 * Theses bytes are treated as additional authenticated data for 423 * authenticated encryption modes. 424 * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. 425 * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag. 426 * This tag is written on encryption and verified on decryption. 427 * Both 'aadlen' and 'authlen' can be set to 0. 428 */ 429 int 430 cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest, 431 const u_char *src, u_int len, u_int aadlen, u_int authlen) 432 { 433 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { 434 return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, 435 len, aadlen, authlen, cc->encrypt); 436 } 437 #ifndef WITH_OPENSSL 438 if ((cc->cipher->flags & CFLAG_AESCTR) != 0) { 439 if (aadlen) 440 memcpy(dest, src, aadlen); 441 aesctr_encrypt_bytes(&cc->ac_ctx, src + aadlen, 442 dest + aadlen, len); 443 return 0; 444 } 445 if ((cc->cipher->flags & CFLAG_NONE) != 0) { 446 memcpy(dest, src, aadlen + len); 447 return 0; 448 } 449 return SSH_ERR_INVALID_ARGUMENT; 450 #else 451 if (authlen) { 452 u_char lastiv[1]; 453 454 if (authlen != cipher_authlen(cc->cipher)) 455 return SSH_ERR_INVALID_ARGUMENT; 456 /* increment IV */ 457 if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN, 458 1, lastiv)) 459 return SSH_ERR_LIBCRYPTO_ERROR; 460 /* set tag on decyption */ 461 if (!cc->encrypt && 462 !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG, 463 authlen, (u_char *)src + aadlen + len)) 464 return SSH_ERR_LIBCRYPTO_ERROR; 465 } 466 if (aadlen) { 467 if (authlen && 468 EVP_Cipher(cc->evp, NULL, (u_char *)src, aadlen) < 0) 469 return SSH_ERR_LIBCRYPTO_ERROR; 470 memcpy(dest, src, aadlen); 471 } 472 if (len % cc->cipher->block_size) 473 return SSH_ERR_INVALID_ARGUMENT; 474 if (EVP_Cipher(cc->evp, dest + aadlen, (u_char *)src + aadlen, 475 len) < 0) 476 return SSH_ERR_LIBCRYPTO_ERROR; 477 if (authlen) { 478 /* compute tag (on encrypt) or verify tag (on decrypt) */ 479 if (EVP_Cipher(cc->evp, NULL, NULL, 0) < 0) 480 return cc->encrypt ? 481 SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID; 482 if (cc->encrypt && 483 !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG, 484 authlen, dest + aadlen + len)) 485 return SSH_ERR_LIBCRYPTO_ERROR; 486 } 487 return 0; 488 #endif 489 } 490 491 /* Extract the packet length, including any decryption necessary beforehand */ 492 int 493 cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr, 494 const u_char *cp, u_int len) 495 { 496 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) 497 return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr, 498 cp, len); 499 if (len < 4) 500 return SSH_ERR_MESSAGE_INCOMPLETE; 501 *plenp = get_u32(cp); 502 return 0; 503 } 504 505 void 506 cipher_free(struct sshcipher_ctx *cc) 507 { 508 if (cc == NULL) 509 return; 510 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) 511 explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx)); 512 else if ((cc->cipher->flags & CFLAG_AESCTR) != 0) 513 explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx)); 514 #ifdef WITH_OPENSSL 515 if (cc->evp != NULL) { 516 EVP_CIPHER_CTX_free(cc->evp); 517 cc->evp = NULL; 518 } 519 #endif 520 explicit_bzero(cc, sizeof(*cc)); 521 free(cc); 522 } 523 524 /* 525 * Selects the cipher, and keys if by computing the MD5 checksum of the 526 * passphrase and using the resulting 16 bytes as the key. 527 */ 528 int 529 cipher_set_key_string(struct sshcipher_ctx **ccp, 530 const struct sshcipher *cipher, const char *passphrase, int do_encrypt) 531 { 532 u_char digest[16]; 533 int r = SSH_ERR_INTERNAL_ERROR; 534 535 if ((r = ssh_digest_memory(SSH_DIGEST_MD5, 536 passphrase, strlen(passphrase), 537 digest, sizeof(digest))) != 0) 538 goto out; 539 540 r = cipher_init(ccp, cipher, digest, 16, NULL, 0, do_encrypt); 541 out: 542 explicit_bzero(digest, sizeof(digest)); 543 return r; 544 } 545 546 /* 547 * Exports an IV from the sshcipher_ctx required to export the key 548 * state back from the unprivileged child to the privileged parent 549 * process. 550 */ 551 int 552 cipher_get_keyiv_len(const struct sshcipher_ctx *cc) 553 { 554 const struct sshcipher *c = cc->cipher; 555 int ivlen = 0; 556 557 if (c->number == SSH_CIPHER_3DES) 558 ivlen = 24; 559 else if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) 560 ivlen = 0; 561 else if ((cc->cipher->flags & CFLAG_AESCTR) != 0) 562 ivlen = sizeof(cc->ac_ctx.ctr); 563 #ifdef WITH_OPENSSL 564 else 565 ivlen = EVP_CIPHER_CTX_iv_length(cc->evp); 566 #endif /* WITH_OPENSSL */ 567 return (ivlen); 568 } 569 570 int 571 cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) 572 { 573 const struct sshcipher *c = cc->cipher; 574 #ifdef WITH_OPENSSL 575 int evplen; 576 #endif 577 578 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { 579 if (len != 0) 580 return SSH_ERR_INVALID_ARGUMENT; 581 return 0; 582 } 583 if ((cc->cipher->flags & CFLAG_AESCTR) != 0) { 584 if (len != sizeof(cc->ac_ctx.ctr)) 585 return SSH_ERR_INVALID_ARGUMENT; 586 memcpy(iv, cc->ac_ctx.ctr, len); 587 return 0; 588 } 589 if ((cc->cipher->flags & CFLAG_NONE) != 0) 590 return 0; 591 592 switch (c->number) { 593 #ifdef WITH_OPENSSL 594 case SSH_CIPHER_SSH2: 595 case SSH_CIPHER_DES: 596 case SSH_CIPHER_BLOWFISH: 597 evplen = EVP_CIPHER_CTX_iv_length(cc->evp); 598 if (evplen == 0) 599 return 0; 600 else if (evplen < 0) 601 return SSH_ERR_LIBCRYPTO_ERROR; 602 if ((u_int)evplen != len) 603 return SSH_ERR_INVALID_ARGUMENT; 604 if (cipher_authlen(c)) { 605 if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN, 606 len, iv)) 607 return SSH_ERR_LIBCRYPTO_ERROR; 608 } else 609 memcpy(iv, cc->evp->iv, len); 610 break; 611 #endif 612 #ifdef WITH_SSH1 613 case SSH_CIPHER_3DES: 614 return ssh1_3des_iv(cc->evp, 0, iv, 24); 615 #endif 616 default: 617 return SSH_ERR_INVALID_ARGUMENT; 618 } 619 return 0; 620 } 621 622 int 623 cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) 624 { 625 const struct sshcipher *c = cc->cipher; 626 #ifdef WITH_OPENSSL 627 int evplen = 0; 628 #endif 629 630 if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) 631 return 0; 632 if ((cc->cipher->flags & CFLAG_NONE) != 0) 633 return 0; 634 635 switch (c->number) { 636 #ifdef WITH_OPENSSL 637 case SSH_CIPHER_SSH2: 638 case SSH_CIPHER_DES: 639 case SSH_CIPHER_BLOWFISH: 640 evplen = EVP_CIPHER_CTX_iv_length(cc->evp); 641 if (evplen <= 0) 642 return SSH_ERR_LIBCRYPTO_ERROR; 643 if (cipher_authlen(c)) { 644 /* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */ 645 if (!EVP_CIPHER_CTX_ctrl(cc->evp, 646 EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv)) 647 return SSH_ERR_LIBCRYPTO_ERROR; 648 } else 649 memcpy(cc->evp->iv, iv, evplen); 650 break; 651 #endif 652 #ifdef WITH_SSH1 653 case SSH_CIPHER_3DES: 654 return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24); 655 #endif 656 default: 657 return SSH_ERR_INVALID_ARGUMENT; 658 } 659 return 0; 660 } 661 662 #ifdef WITH_OPENSSL 663 #define EVP_X_STATE(evp) (evp)->cipher_data 664 #define EVP_X_STATE_LEN(evp) (evp)->cipher->ctx_size 665 #endif 666 667 int 668 cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat) 669 { 670 #ifdef WITH_OPENSSL 671 const struct sshcipher *c = cc->cipher; 672 int plen = 0; 673 674 if (c->evptype == EVP_rc4) { 675 plen = EVP_X_STATE_LEN(cc->evp); 676 if (dat == NULL) 677 return (plen); 678 memcpy(dat, EVP_X_STATE(cc->evp), plen); 679 } 680 return (plen); 681 #else 682 return 0; 683 #endif 684 } 685 686 void 687 cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat) 688 { 689 #ifdef WITH_OPENSSL 690 const struct sshcipher *c = cc->cipher; 691 int plen; 692 693 if (c->evptype == EVP_rc4) { 694 plen = EVP_X_STATE_LEN(cc->evp); 695 memcpy(EVP_X_STATE(cc->evp), dat, plen); 696 } 697 #endif 698 } 699