1 /* $OpenBSD: cipher.c,v 1.100 2015/01/14 10:29:45 djm Exp $ */
2 /*
3  * Author: Tatu Ylonen <ylo@cs.hut.fi>
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  *
13  *
14  * Copyright (c) 1999 Niels Provos.  All rights reserved.
15  * Copyright (c) 1999, 2000 Markus Friedl.  All rights reserved.
16  *
17  * Redistribution and use in source and binary forms, with or without
18  * modification, are permitted provided that the following conditions
19  * are met:
20  * 1. Redistributions of source code must retain the above copyright
21  *    notice, this list of conditions and the following disclaimer.
22  * 2. Redistributions in binary form must reproduce the above copyright
23  *    notice, this list of conditions and the following disclaimer in the
24  *    documentation and/or other materials provided with the distribution.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36  */
37 
38 #include "includes.h"
39 
40 #include <sys/types.h>
41 
42 #include <string.h>
43 #include <stdarg.h>
44 #include <stdio.h>
45 
46 #include "cipher.h"
47 #include "misc.h"
48 #include "sshbuf.h"
49 #include "ssherr.h"
50 #include "digest.h"
51 
52 #include "openbsd-compat/openssl-compat.h"
53 
54 #ifdef WITH_SSH1
55 extern const EVP_CIPHER *evp_ssh1_bf(void);
56 extern const EVP_CIPHER *evp_ssh1_3des(void);
57 extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
58 #endif
59 
60 struct sshcipher {
61 	char	*name;
62 	int	number;		/* for ssh1 only */
63 	u_int	block_size;
64 	u_int	key_len;
65 	u_int	iv_len;		/* defaults to block_size */
66 	u_int	auth_len;
67 	u_int	discard_len;
68 	u_int	flags;
69 #define CFLAG_CBC		(1<<0)
70 #define CFLAG_CHACHAPOLY	(1<<1)
71 #define CFLAG_AESCTR		(1<<2)
72 #define CFLAG_NONE		(1<<3)
73 #ifdef WITH_OPENSSL
74 	const EVP_CIPHER	*(*evptype)(void);
75 #else
76 	void	*ignored;
77 #endif
78 };
79 
80 static const struct sshcipher ciphers[] = {
81 #ifdef WITH_SSH1
82 	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
83 	{ "3des",	SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
84 	{ "blowfish",	SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
85 #endif /* WITH_SSH1 */
86 #ifdef WITH_OPENSSL
87 	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
88 #if !defined(ANDROID)
89 	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
90 	{ "blowfish-cbc",
91 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
92 	{ "cast128-cbc",
93 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
94 #endif
95 	{ "arcfour",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
96 	{ "arcfour128",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
97 	{ "arcfour256",	SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
98 	{ "aes128-cbc",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
99 	{ "aes192-cbc",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
100 	{ "aes256-cbc",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
101 	{ "rijndael-cbc@lysator.liu.se",
102 			SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
103 	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
104 #if !defined(ANDROID)
105 	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
106 #endif
107 	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
108 # ifdef OPENSSL_HAVE_EVPGCM
109 	{ "aes128-gcm@openssh.com",
110 			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
111 	{ "aes256-gcm@openssh.com",
112 			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
113 # endif /* OPENSSL_HAVE_EVPGCM */
114 #else /* WITH_OPENSSL */
115 	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL },
116 	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL },
117 	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL },
118 	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, CFLAG_NONE, NULL },
119 #endif /* WITH_OPENSSL */
120 	{ "chacha20-poly1305@openssh.com",
121 			SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL },
122 
123 	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
124 };
125 
126 /*--*/
127 
128 /* Returns a comma-separated list of supported ciphers. */
129 char *
cipher_alg_list(char sep,int auth_only)130 cipher_alg_list(char sep, int auth_only)
131 {
132 	char *tmp, *ret = NULL;
133 	size_t nlen, rlen = 0;
134 	const struct sshcipher *c;
135 
136 	for (c = ciphers; c->name != NULL; c++) {
137 		if (c->number != SSH_CIPHER_SSH2)
138 			continue;
139 		if (auth_only && c->auth_len == 0)
140 			continue;
141 		if (ret != NULL)
142 			ret[rlen++] = sep;
143 		nlen = strlen(c->name);
144 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
145 			free(ret);
146 			return NULL;
147 		}
148 		ret = tmp;
149 		memcpy(ret + rlen, c->name, nlen + 1);
150 		rlen += nlen;
151 	}
152 	return ret;
153 }
154 
155 u_int
cipher_blocksize(const struct sshcipher * c)156 cipher_blocksize(const struct sshcipher *c)
157 {
158 	return (c->block_size);
159 }
160 
161 u_int
cipher_keylen(const struct sshcipher * c)162 cipher_keylen(const struct sshcipher *c)
163 {
164 	return (c->key_len);
165 }
166 
167 u_int
cipher_seclen(const struct sshcipher * c)168 cipher_seclen(const struct sshcipher *c)
169 {
170 	if (strcmp("3des-cbc", c->name) == 0)
171 		return 14;
172 	return cipher_keylen(c);
173 }
174 
175 u_int
cipher_authlen(const struct sshcipher * c)176 cipher_authlen(const struct sshcipher *c)
177 {
178 	return (c->auth_len);
179 }
180 
181 u_int
cipher_ivlen(const struct sshcipher * c)182 cipher_ivlen(const struct sshcipher *c)
183 {
184 	/*
185 	 * Default is cipher block size, except for chacha20+poly1305 that
186 	 * needs no IV. XXX make iv_len == -1 default?
187 	 */
188 	return (c->iv_len != 0 || (c->flags & CFLAG_CHACHAPOLY) != 0) ?
189 	    c->iv_len : c->block_size;
190 }
191 
192 u_int
cipher_get_number(const struct sshcipher * c)193 cipher_get_number(const struct sshcipher *c)
194 {
195 	return (c->number);
196 }
197 
198 u_int
cipher_is_cbc(const struct sshcipher * c)199 cipher_is_cbc(const struct sshcipher *c)
200 {
201 	return (c->flags & CFLAG_CBC) != 0;
202 }
203 
204 u_int
cipher_mask_ssh1(int client)205 cipher_mask_ssh1(int client)
206 {
207 	u_int mask = 0;
208 	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
209 	mask |= 1 << SSH_CIPHER_BLOWFISH;
210 	if (client) {
211 		mask |= 1 << SSH_CIPHER_DES;
212 	}
213 	return mask;
214 }
215 
216 const struct sshcipher *
cipher_by_name(const char * name)217 cipher_by_name(const char *name)
218 {
219 	const struct sshcipher *c;
220 	for (c = ciphers; c->name != NULL; c++)
221 		if (strcmp(c->name, name) == 0)
222 			return c;
223 	return NULL;
224 }
225 
226 const struct sshcipher *
cipher_by_number(int id)227 cipher_by_number(int id)
228 {
229 	const struct sshcipher *c;
230 	for (c = ciphers; c->name != NULL; c++)
231 		if (c->number == id)
232 			return c;
233 	return NULL;
234 }
235 
236 #define	CIPHER_SEP	","
237 int
ciphers_valid(const char * names)238 ciphers_valid(const char *names)
239 {
240 	const struct sshcipher *c;
241 	char *cipher_list, *cp;
242 	char *p;
243 
244 	if (names == NULL || strcmp(names, "") == 0)
245 		return 0;
246 	if ((cipher_list = cp = strdup(names)) == NULL)
247 		return 0;
248 	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
249 	    (p = strsep(&cp, CIPHER_SEP))) {
250 		c = cipher_by_name(p);
251 		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
252 			free(cipher_list);
253 			return 0;
254 		}
255 	}
256 	free(cipher_list);
257 	return 1;
258 }
259 
260 /*
261  * Parses the name of the cipher.  Returns the number of the corresponding
262  * cipher, or -1 on error.
263  */
264 
265 int
cipher_number(const char * name)266 cipher_number(const char *name)
267 {
268 	const struct sshcipher *c;
269 	if (name == NULL)
270 		return -1;
271 	for (c = ciphers; c->name != NULL; c++)
272 		if (strcasecmp(c->name, name) == 0)
273 			return c->number;
274 	return -1;
275 }
276 
277 char *
cipher_name(int id)278 cipher_name(int id)
279 {
280 	const struct sshcipher *c = cipher_by_number(id);
281 	return (c==NULL) ? "<unknown>" : c->name;
282 }
283 
284 const char *
cipher_warning_message(const struct sshcipher_ctx * cc)285 cipher_warning_message(const struct sshcipher_ctx *cc)
286 {
287 	if (cc == NULL || cc->cipher == NULL)
288 		return NULL;
289 	if (cc->cipher->number == SSH_CIPHER_DES)
290 		return "use of DES is strongly discouraged due to "
291 		    "cryptographic weaknesses";
292 	return NULL;
293 }
294 
295 int
cipher_init(struct sshcipher_ctx * cc,const struct sshcipher * cipher,const u_char * key,u_int keylen,const u_char * iv,u_int ivlen,int do_encrypt)296 cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
297     const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
298     int do_encrypt)
299 {
300 #ifdef WITH_OPENSSL
301 	int ret = SSH_ERR_INTERNAL_ERROR;
302 	const EVP_CIPHER *type;
303 	int klen;
304 	u_char *junk, *discard;
305 
306 	if (cipher->number == SSH_CIPHER_DES) {
307 		if (keylen > 8)
308 			keylen = 8;
309 	}
310 #endif
311 	cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
312 	cc->encrypt = do_encrypt;
313 
314 	if (keylen < cipher->key_len ||
315 	    (iv != NULL && ivlen < cipher_ivlen(cipher)))
316 		return SSH_ERR_INVALID_ARGUMENT;
317 
318 	cc->cipher = cipher;
319 	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
320 		return chachapoly_init(&cc->cp_ctx, key, keylen);
321 	}
322 #ifndef WITH_OPENSSL
323 	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
324 		aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
325 		aesctr_ivsetup(&cc->ac_ctx, iv);
326 		return 0;
327 	}
328 	if ((cc->cipher->flags & CFLAG_NONE) != 0)
329 		return 0;
330 	return SSH_ERR_INVALID_ARGUMENT;
331 #else
332 	type = (*cipher->evptype)();
333 	EVP_CIPHER_CTX_init(&cc->evp);
334 	if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
335 	    (do_encrypt == CIPHER_ENCRYPT)) == 0) {
336 		ret = SSH_ERR_LIBCRYPTO_ERROR;
337 		goto bad;
338 	}
339 	if (cipher_authlen(cipher) &&
340 	    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
341 	    -1, (u_char *)iv)) {
342 		ret = SSH_ERR_LIBCRYPTO_ERROR;
343 		goto bad;
344 	}
345 	klen = EVP_CIPHER_CTX_key_length(&cc->evp);
346 	if (klen > 0 && keylen != (u_int)klen) {
347 		if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) {
348 			ret = SSH_ERR_LIBCRYPTO_ERROR;
349 			goto bad;
350 		}
351 	}
352 	if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
353 		ret = SSH_ERR_LIBCRYPTO_ERROR;
354 		goto bad;
355 	}
356 
357 	if (cipher->discard_len > 0) {
358 		if ((junk = malloc(cipher->discard_len)) == NULL ||
359 		    (discard = malloc(cipher->discard_len)) == NULL) {
360 			if (junk != NULL)
361 				free(junk);
362 			ret = SSH_ERR_ALLOC_FAIL;
363 			goto bad;
364 		}
365 		ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len);
366 		explicit_bzero(discard, cipher->discard_len);
367 		free(junk);
368 		free(discard);
369 		if (ret != 1) {
370 			ret = SSH_ERR_LIBCRYPTO_ERROR;
371  bad:
372 			EVP_CIPHER_CTX_cleanup(&cc->evp);
373 			return ret;
374 		}
375 	}
376 #endif
377 	return 0;
378 }
379 
380 /*
381  * cipher_crypt() operates as following:
382  * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
383  * Theses bytes are treated as additional authenticated data for
384  * authenticated encryption modes.
385  * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
386  * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
387  * This tag is written on encryption and verified on decryption.
388  * Both 'aadlen' and 'authlen' can be set to 0.
389  */
390 int
cipher_crypt(struct sshcipher_ctx * cc,u_int seqnr,u_char * dest,const u_char * src,u_int len,u_int aadlen,u_int authlen)391 cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
392    const u_char *src, u_int len, u_int aadlen, u_int authlen)
393 {
394 	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
395 		return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src,
396 		    len, aadlen, authlen, cc->encrypt);
397 	}
398 #ifndef WITH_OPENSSL
399 	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
400 		if (aadlen)
401 			memcpy(dest, src, aadlen);
402 		aesctr_encrypt_bytes(&cc->ac_ctx, src + aadlen,
403 		    dest + aadlen, len);
404 		return 0;
405 	}
406 	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
407 		memcpy(dest, src, aadlen + len);
408 		return 0;
409 	}
410 	return SSH_ERR_INVALID_ARGUMENT;
411 #else
412 	if (authlen) {
413 		u_char lastiv[1];
414 
415 		if (authlen != cipher_authlen(cc->cipher))
416 			return SSH_ERR_INVALID_ARGUMENT;
417 		/* increment IV */
418 		if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
419 		    1, lastiv))
420 			return SSH_ERR_LIBCRYPTO_ERROR;
421 		/* set tag on decyption */
422 		if (!cc->encrypt &&
423 		    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
424 		    authlen, (u_char *)src + aadlen + len))
425 			return SSH_ERR_LIBCRYPTO_ERROR;
426 	}
427 	if (aadlen) {
428 		if (authlen &&
429 		    EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
430 			return SSH_ERR_LIBCRYPTO_ERROR;
431 		memcpy(dest, src, aadlen);
432 	}
433 	if (len % cc->cipher->block_size)
434 		return SSH_ERR_INVALID_ARGUMENT;
435 	if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
436 	    len) < 0)
437 		return SSH_ERR_LIBCRYPTO_ERROR;
438 	if (authlen) {
439 		/* compute tag (on encrypt) or verify tag (on decrypt) */
440 		if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0)
441 			return cc->encrypt ?
442 			    SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
443 		if (cc->encrypt &&
444 		    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
445 		    authlen, dest + aadlen + len))
446 			return SSH_ERR_LIBCRYPTO_ERROR;
447 	}
448 	return 0;
449 #endif
450 }
451 
452 /* Extract the packet length, including any decryption necessary beforehand */
453 int
cipher_get_length(struct sshcipher_ctx * cc,u_int * plenp,u_int seqnr,const u_char * cp,u_int len)454 cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
455     const u_char *cp, u_int len)
456 {
457 	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
458 		return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr,
459 		    cp, len);
460 	if (len < 4)
461 		return SSH_ERR_MESSAGE_INCOMPLETE;
462 	*plenp = get_u32(cp);
463 	return 0;
464 }
465 
466 int
cipher_cleanup(struct sshcipher_ctx * cc)467 cipher_cleanup(struct sshcipher_ctx *cc)
468 {
469 	if (cc == NULL || cc->cipher == NULL)
470 		return 0;
471 	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
472 		explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
473 	else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
474 		explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
475 #ifdef WITH_OPENSSL
476 	else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
477 		return SSH_ERR_LIBCRYPTO_ERROR;
478 #endif
479 	return 0;
480 }
481 
482 /*
483  * Selects the cipher, and keys if by computing the MD5 checksum of the
484  * passphrase and using the resulting 16 bytes as the key.
485  */
486 int
cipher_set_key_string(struct sshcipher_ctx * cc,const struct sshcipher * cipher,const char * passphrase,int do_encrypt)487 cipher_set_key_string(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
488     const char *passphrase, int do_encrypt)
489 {
490 	u_char digest[16];
491 	int r = SSH_ERR_INTERNAL_ERROR;
492 
493 	if ((r = ssh_digest_memory(SSH_DIGEST_MD5,
494 	    passphrase, strlen(passphrase),
495 	    digest, sizeof(digest))) != 0)
496 		goto out;
497 
498 	r = cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
499  out:
500 	explicit_bzero(digest, sizeof(digest));
501 	return r;
502 }
503 
504 /*
505  * Exports an IV from the sshcipher_ctx required to export the key
506  * state back from the unprivileged child to the privileged parent
507  * process.
508  */
509 int
cipher_get_keyiv_len(const struct sshcipher_ctx * cc)510 cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
511 {
512 	const struct sshcipher *c = cc->cipher;
513 	int ivlen = 0;
514 
515 	if (c->number == SSH_CIPHER_3DES)
516 		ivlen = 24;
517 	else if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
518 		ivlen = 0;
519 	else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
520 		ivlen = sizeof(cc->ac_ctx.ctr);
521 #ifdef WITH_OPENSSL
522 	else
523 		ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
524 #endif /* WITH_OPENSSL */
525 	return (ivlen);
526 }
527 
528 int
cipher_get_keyiv(struct sshcipher_ctx * cc,u_char * iv,u_int len)529 cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
530 {
531 	const struct sshcipher *c = cc->cipher;
532 #ifdef WITH_OPENSSL
533  	int evplen;
534 #endif
535 
536 	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
537 		if (len != 0)
538 			return SSH_ERR_INVALID_ARGUMENT;
539 		return 0;
540 	}
541 	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
542 		if (len != sizeof(cc->ac_ctx.ctr))
543 			return SSH_ERR_INVALID_ARGUMENT;
544 		memcpy(iv, cc->ac_ctx.ctr, len);
545 		return 0;
546 	}
547 	if ((cc->cipher->flags & CFLAG_NONE) != 0)
548 		return 0;
549 
550 	switch (c->number) {
551 #ifdef WITH_OPENSSL
552 	case SSH_CIPHER_SSH2:
553 	case SSH_CIPHER_DES:
554 	case SSH_CIPHER_BLOWFISH:
555 		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
556 		if (evplen == 0)
557 			return 0;
558 		else if (evplen < 0)
559 			return SSH_ERR_LIBCRYPTO_ERROR;
560 		if ((u_int)evplen != len)
561 			return SSH_ERR_INVALID_ARGUMENT;
562 #ifndef OPENSSL_HAVE_EVPCTR
563 		if (c->evptype == evp_aes_128_ctr)
564 			ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
565 		else
566 #endif
567 		if (cipher_authlen(c)) {
568 			if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
569 			   len, iv))
570 			       return SSH_ERR_LIBCRYPTO_ERROR;
571 		} else
572 			memcpy(iv, cc->evp.iv, len);
573 		break;
574 #endif
575 #ifdef WITH_SSH1
576 	case SSH_CIPHER_3DES:
577 		return ssh1_3des_iv(&cc->evp, 0, iv, 24);
578 #endif
579 	default:
580 		return SSH_ERR_INVALID_ARGUMENT;
581 	}
582 	return 0;
583 }
584 
585 int
cipher_set_keyiv(struct sshcipher_ctx * cc,const u_char * iv)586 cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
587 {
588 	const struct sshcipher *c = cc->cipher;
589 #ifdef WITH_OPENSSL
590  	int evplen = 0;
591 #endif
592 
593 	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
594 		return 0;
595 	if ((cc->cipher->flags & CFLAG_NONE) != 0)
596 		return 0;
597 
598 	switch (c->number) {
599 #ifdef WITH_OPENSSL
600 	case SSH_CIPHER_SSH2:
601 	case SSH_CIPHER_DES:
602 	case SSH_CIPHER_BLOWFISH:
603 		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
604 		if (evplen <= 0)
605 			return SSH_ERR_LIBCRYPTO_ERROR;
606 		if (cipher_authlen(c)) {
607 			/* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
608 			if (!EVP_CIPHER_CTX_ctrl(&cc->evp,
609 			    EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
610 				return SSH_ERR_LIBCRYPTO_ERROR;
611 		} else
612 			memcpy(cc->evp.iv, iv, evplen);
613 		break;
614 #endif
615 #ifdef WITH_SSH1
616 	case SSH_CIPHER_3DES:
617 		return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
618 #endif
619 	default:
620 		return SSH_ERR_INVALID_ARGUMENT;
621 	}
622 	return 0;
623 }
624 
625 #ifdef WITH_OPENSSL
626 #define EVP_X_STATE(evp)	(evp).cipher_data
627 #define EVP_X_STATE_LEN(evp)	(evp).cipher->ctx_size
628 #endif
629 
630 int
cipher_get_keycontext(const struct sshcipher_ctx * cc,u_char * dat)631 cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat)
632 {
633 #ifdef WITH_OPENSSL
634 	const struct sshcipher *c = cc->cipher;
635 	int plen = 0;
636 
637 	if (c->evptype == EVP_rc4) {
638 		plen = EVP_X_STATE_LEN(cc->evp);
639 		if (dat == NULL)
640 			return (plen);
641 		memcpy(dat, EVP_X_STATE(cc->evp), plen);
642 	}
643 	return (plen);
644 #else
645 	return 0;
646 #endif
647 }
648 
649 void
cipher_set_keycontext(struct sshcipher_ctx * cc,const u_char * dat)650 cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat)
651 {
652 #ifdef WITH_OPENSSL
653 	const struct sshcipher *c = cc->cipher;
654 	int plen;
655 
656 	if (c->evptype == EVP_rc4) {
657 		plen = EVP_X_STATE_LEN(cc->evp);
658 		memcpy(EVP_X_STATE(cc->evp), dat, plen);
659 	}
660 #endif
661 }
662