]>
Commit | Line | Data |
---|---|---|
03547908 | 1 | /* $OpenBSD: cipher.c,v 1.120 2023/10/10 06:49:54 tb Exp $ */ |
d4a8b7e3 | 2 | /* |
95def098 | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
95def098 DM |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | |
4af51306 | 6 | * |
e4340be5 DM |
7 | * As far as I am concerned, the code I have written for this software |
8 | * can be used freely for any purpose. Any derived versions of this | |
9 | * software must be clearly marked as such, and if the derived work is | |
10 | * incompatible with the protocol description in the RFC file, it must be | |
11 | * called by a name other than "ssh" or "Secure Shell". | |
12 | * | |
13 | * | |
14 | * Copyright (c) 1999 Niels Provos. All rights reserved. | |
44697233 | 15 | * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. |
e4340be5 DM |
16 | * |
17 | * Redistribution and use in source and binary forms, with or without | |
18 | * modification, are permitted provided that the following conditions | |
19 | * are met: | |
20 | * 1. Redistributions of source code must retain the above copyright | |
21 | * notice, this list of conditions and the following disclaimer. | |
22 | * 2. Redistributions in binary form must reproduce the above copyright | |
23 | * notice, this list of conditions and the following disclaimer in the | |
24 | * documentation and/or other materials provided with the distribution. | |
4af51306 | 25 | * |
e4340be5 DM |
26 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
27 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
28 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
29 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
30 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
31 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
32 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
33 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
34 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
35 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
95def098 | 36 | */ |
d4a8b7e3 DM |
37 | |
38 | #include "includes.h" | |
d4a8b7e3 | 39 | |
d7834353 DM |
40 | #include <sys/types.h> |
41 | ||
e3476ed0 | 42 | #include <string.h> |
d7834353 | 43 | #include <stdarg.h> |
0fde8acd | 44 | #include <stdio.h> |
e3476ed0 | 45 | |
226cfa03 | 46 | #include "cipher.h" |
8668706d DM |
47 | #include "misc.h" |
48 | #include "sshbuf.h" | |
49 | #include "ssherr.h" | |
4a1c7aa6 | 50 | #include "digest.h" |
d4a8b7e3 | 51 | |
55731713 DT |
52 | #include "openbsd-compat/openssl-compat.h" |
53 | ||
670104b9 | 54 | #ifndef WITH_OPENSSL |
55 | #define EVP_CIPHER_CTX void | |
56 | #endif | |
d4a8b7e3 | 57 | |
4706c1d8 | 58 | struct sshcipher_ctx { |
59 | int plaintext; | |
60 | int encrypt; | |
61 | EVP_CIPHER_CTX *evp; | |
eba523f0 | 62 | struct chachapoly_ctx *cp_ctx; |
4706c1d8 | 63 | struct aesctr_ctx ac_ctx; /* XXX union with evp? */ |
64 | const struct sshcipher *cipher; | |
65 | }; | |
66 | ||
8668706d | 67 | struct sshcipher { |
963f6b25 | 68 | char *name; |
963f6b25 DM |
69 | u_int block_size; |
70 | u_int key_len; | |
d522c688 DM |
71 | u_int iv_len; /* defaults to block_size */ |
72 | u_int auth_len; | |
0fde8acd DM |
73 | u_int flags; |
74 | #define CFLAG_CBC (1<<0) | |
75 | #define CFLAG_CHACHAPOLY (1<<1) | |
1f0311c7 DM |
76 | #define CFLAG_AESCTR (1<<2) |
77 | #define CFLAG_NONE (1<<3) | |
cdccebdf | 78 | #define CFLAG_INTERNAL CFLAG_NONE /* Don't use "none" for packets */ |
1f0311c7 | 79 | #ifdef WITH_OPENSSL |
6a246413 | 80 | const EVP_CIPHER *(*evptype)(void); |
1f0311c7 DM |
81 | #else |
82 | void *ignored; | |
83 | #endif | |
ea11119e DM |
84 | }; |
85 | ||
8668706d | 86 | static const struct sshcipher ciphers[] = { |
1f0311c7 | 87 | #ifdef WITH_OPENSSL |
cec33896 | 88 | #ifndef OPENSSL_NO_DES |
acaf34fd | 89 | { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, |
cec33896 | 90 | #endif |
acaf34fd | 91 | { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc }, |
92 | { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc }, | |
93 | { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc }, | |
acaf34fd | 94 | { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr }, |
95 | { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr }, | |
96 | { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr }, | |
1d75abfe | 97 | { "aes128-gcm@openssh.com", |
acaf34fd | 98 | 16, 16, 12, 16, 0, EVP_aes_128_gcm }, |
1d75abfe | 99 | { "aes256-gcm@openssh.com", |
acaf34fd | 100 | 16, 32, 12, 16, 0, EVP_aes_256_gcm }, |
cdccebdf | 101 | #else |
acaf34fd | 102 | { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL }, |
103 | { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL }, | |
104 | { "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL }, | |
cdccebdf | 105 | #endif |
0fde8acd | 106 | { "chacha20-poly1305@openssh.com", |
acaf34fd | 107 | 8, 64, 0, 16, CFLAG_CHACHAPOLY, NULL }, |
108 | { "none", 8, 0, 0, 0, CFLAG_NONE, NULL }, | |
8668706d | 109 | |
acaf34fd | 110 | { NULL, 0, 0, 0, 0, 0, NULL } |
874d77bb DM |
111 | }; |
112 | ||
113 | /*--*/ | |
114 | ||
8668706d | 115 | /* Returns a comma-separated list of supported ciphers. */ |
ea11119e | 116 | char * |
0fde8acd | 117 | cipher_alg_list(char sep, int auth_only) |
ea11119e | 118 | { |
8668706d | 119 | char *tmp, *ret = NULL; |
ea11119e | 120 | size_t nlen, rlen = 0; |
8668706d | 121 | const struct sshcipher *c; |
ea11119e DM |
122 | |
123 | for (c = ciphers; c->name != NULL; c++) { | |
cdccebdf | 124 | if ((c->flags & CFLAG_INTERNAL) != 0) |
ea11119e | 125 | continue; |
0fde8acd DM |
126 | if (auth_only && c->auth_len == 0) |
127 | continue; | |
ea11119e | 128 | if (ret != NULL) |
690d9890 | 129 | ret[rlen++] = sep; |
ea11119e | 130 | nlen = strlen(c->name); |
8668706d DM |
131 | if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { |
132 | free(ret); | |
133 | return NULL; | |
134 | } | |
135 | ret = tmp; | |
ea11119e DM |
136 | memcpy(ret + rlen, c->name, nlen + 1); |
137 | rlen += nlen; | |
138 | } | |
139 | return ret; | |
140 | } | |
141 | ||
7f8e66fe | 142 | const char * |
143 | compression_alg_list(int compression) | |
144 | { | |
145 | #ifdef WITH_ZLIB | |
146 | return compression ? "zlib@openssh.com,zlib,none" : | |
147 | "none,zlib@openssh.com,zlib"; | |
148 | #else | |
149 | return "none"; | |
150 | #endif | |
151 | } | |
152 | ||
6328ab39 | 153 | u_int |
8668706d | 154 | cipher_blocksize(const struct sshcipher *c) |
963f6b25 DM |
155 | { |
156 | return (c->block_size); | |
157 | } | |
836f0e9d | 158 | |
6328ab39 | 159 | u_int |
8668706d | 160 | cipher_keylen(const struct sshcipher *c) |
963f6b25 DM |
161 | { |
162 | return (c->key_len); | |
163 | } | |
836f0e9d | 164 | |
76eea4ab | 165 | u_int |
8668706d | 166 | cipher_seclen(const struct sshcipher *c) |
76eea4ab DM |
167 | { |
168 | if (strcmp("3des-cbc", c->name) == 0) | |
169 | return 14; | |
170 | return cipher_keylen(c); | |
171 | } | |
172 | ||
1d75abfe | 173 | u_int |
8668706d | 174 | cipher_authlen(const struct sshcipher *c) |
1d75abfe DM |
175 | { |
176 | return (c->auth_len); | |
177 | } | |
178 | ||
179 | u_int | |
8668706d | 180 | cipher_ivlen(const struct sshcipher *c) |
1d75abfe | 181 | { |
0fde8acd DM |
182 | /* |
183 | * Default is cipher block size, except for chacha20+poly1305 that | |
184 | * needs no IV. XXX make iv_len == -1 default? | |
185 | */ | |
186 | return (c->iv_len != 0 || (c->flags & CFLAG_CHACHAPOLY) != 0) ? | |
187 | c->iv_len : c->block_size; | |
1d75abfe DM |
188 | } |
189 | ||
13ae44ce | 190 | u_int |
8668706d | 191 | cipher_is_cbc(const struct sshcipher *c) |
13ae44ce | 192 | { |
0fde8acd | 193 | return (c->flags & CFLAG_CBC) != 0; |
13ae44ce DM |
194 | } |
195 | ||
4706c1d8 | 196 | u_int |
197 | cipher_ctx_is_plaintext(struct sshcipher_ctx *cc) | |
198 | { | |
199 | return cc->plaintext; | |
200 | } | |
201 | ||
8668706d | 202 | const struct sshcipher * |
874d77bb | 203 | cipher_by_name(const char *name) |
1383bd8e | 204 | { |
8668706d | 205 | const struct sshcipher *c; |
874d77bb | 206 | for (c = ciphers; c->name != NULL; c++) |
660db78a | 207 | if (strcmp(c->name, name) == 0) |
874d77bb DM |
208 | return c; |
209 | return NULL; | |
1383bd8e | 210 | } |
d4a8b7e3 | 211 | |
78928793 DM |
212 | #define CIPHER_SEP "," |
213 | int | |
214 | ciphers_valid(const char *names) | |
215 | { | |
8668706d | 216 | const struct sshcipher *c; |
3f9fdc71 | 217 | char *cipher_list, *cp; |
78928793 | 218 | char *p; |
78928793 | 219 | |
b1715dc0 | 220 | if (names == NULL || strcmp(names, "") == 0) |
78928793 | 221 | return 0; |
8668706d DM |
222 | if ((cipher_list = cp = strdup(names)) == NULL) |
223 | return 0; | |
874d77bb | 224 | for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; |
9f0f5c64 | 225 | (p = strsep(&cp, CIPHER_SEP))) { |
874d77bb | 226 | c = cipher_by_name(p); |
cdccebdf | 227 | if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) { |
a627d42e | 228 | free(cipher_list); |
78928793 DM |
229 | return 0; |
230 | } | |
231 | } | |
a627d42e | 232 | free(cipher_list); |
78928793 DM |
233 | return 1; |
234 | } | |
235 | ||
8668706d DM |
236 | const char * |
237 | cipher_warning_message(const struct sshcipher_ctx *cc) | |
238 | { | |
239 | if (cc == NULL || cc->cipher == NULL) | |
240 | return NULL; | |
cdccebdf | 241 | /* XXX repurpose for CBC warning */ |
8668706d DM |
242 | return NULL; |
243 | } | |
244 | ||
245 | int | |
4706c1d8 | 246 | cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher, |
21cf4e06 | 247 | const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, |
3f9fdc71 | 248 | int do_encrypt) |
874d77bb | 249 | { |
4706c1d8 | 250 | struct sshcipher_ctx *cc = NULL; |
8668706d | 251 | int ret = SSH_ERR_INTERNAL_ERROR; |
4706c1d8 | 252 | #ifdef WITH_OPENSSL |
21cf4e06 DM |
253 | const EVP_CIPHER *type; |
254 | int klen; | |
4706c1d8 | 255 | #endif |
256 | ||
257 | *ccp = NULL; | |
258 | if ((cc = calloc(sizeof(*cc), 1)) == NULL) | |
259 | return SSH_ERR_ALLOC_FAIL; | |
21cf4e06 | 260 | |
e77e1562 | 261 | cc->plaintext = (cipher->flags & CFLAG_NONE) != 0; |
1d75abfe | 262 | cc->encrypt = do_encrypt; |
21cf4e06 | 263 | |
8668706d | 264 | if (keylen < cipher->key_len || |
4706c1d8 | 265 | (iv != NULL && ivlen < cipher_ivlen(cipher))) { |
266 | ret = SSH_ERR_INVALID_ARGUMENT; | |
267 | goto out; | |
268 | } | |
21cf4e06 | 269 | |
8668706d | 270 | cc->cipher = cipher; |
0fde8acd | 271 | if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { |
eba523f0 | 272 | cc->cp_ctx = chachapoly_new(key, keylen); |
273 | ret = cc->cp_ctx != NULL ? 0 : SSH_ERR_INVALID_ARGUMENT; | |
4706c1d8 | 274 | goto out; |
0fde8acd | 275 | } |
cdccebdf | 276 | if ((cc->cipher->flags & CFLAG_NONE) != 0) { |
277 | ret = 0; | |
278 | goto out; | |
279 | } | |
1f0311c7 DM |
280 | #ifndef WITH_OPENSSL |
281 | if ((cc->cipher->flags & CFLAG_AESCTR) != 0) { | |
282 | aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen); | |
283 | aesctr_ivsetup(&cc->ac_ctx, iv); | |
4706c1d8 | 284 | ret = 0; |
285 | goto out; | |
1f0311c7 | 286 | } |
4706c1d8 | 287 | ret = SSH_ERR_INVALID_ARGUMENT; |
288 | goto out; | |
289 | #else /* WITH_OPENSSL */ | |
21cf4e06 | 290 | type = (*cipher->evptype)(); |
4706c1d8 | 291 | if ((cc->evp = EVP_CIPHER_CTX_new()) == NULL) { |
292 | ret = SSH_ERR_ALLOC_FAIL; | |
293 | goto out; | |
294 | } | |
295 | if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv, | |
8668706d DM |
296 | (do_encrypt == CIPHER_ENCRYPT)) == 0) { |
297 | ret = SSH_ERR_LIBCRYPTO_ERROR; | |
4706c1d8 | 298 | goto out; |
8668706d | 299 | } |
1d75abfe | 300 | if (cipher_authlen(cipher) && |
4706c1d8 | 301 | !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED, |
8668706d DM |
302 | -1, (u_char *)iv)) { |
303 | ret = SSH_ERR_LIBCRYPTO_ERROR; | |
4706c1d8 | 304 | goto out; |
8668706d | 305 | } |
4706c1d8 | 306 | klen = EVP_CIPHER_CTX_key_length(cc->evp); |
eccb9de7 | 307 | if (klen > 0 && keylen != (u_int)klen) { |
4706c1d8 | 308 | if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) { |
8668706d | 309 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
4706c1d8 | 310 | goto out; |
8668706d DM |
311 | } |
312 | } | |
4706c1d8 | 313 | if (EVP_CipherInit(cc->evp, NULL, (u_char *)key, NULL, -1) == 0) { |
8668706d | 314 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
4706c1d8 | 315 | goto out; |
21cf4e06 | 316 | } |
4706c1d8 | 317 | ret = 0; |
318 | #endif /* WITH_OPENSSL */ | |
319 | out: | |
320 | if (ret == 0) { | |
321 | /* success */ | |
322 | *ccp = cc; | |
323 | } else { | |
324 | if (cc != NULL) { | |
325 | #ifdef WITH_OPENSSL | |
7cd31632 | 326 | EVP_CIPHER_CTX_free(cc->evp); |
4706c1d8 | 327 | #endif /* WITH_OPENSSL */ |
d5ba1c03 | 328 | freezero(cc, sizeof(*cc)); |
4706c1d8 | 329 | } |
330 | } | |
331 | return ret; | |
874d77bb DM |
332 | } |
333 | ||
af43a7ac DM |
334 | /* |
335 | * cipher_crypt() operates as following: | |
336 | * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'. | |
d081f017 | 337 | * These bytes are treated as additional authenticated data for |
af43a7ac DM |
338 | * authenticated encryption modes. |
339 | * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. | |
1d75abfe DM |
340 | * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag. |
341 | * This tag is written on encryption and verified on decryption. | |
af43a7ac DM |
342 | * Both 'aadlen' and 'authlen' can be set to 0. |
343 | */ | |
bcd00abd | 344 | int |
8668706d DM |
345 | cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest, |
346 | const u_char *src, u_int len, u_int aadlen, u_int authlen) | |
874d77bb | 347 | { |
8668706d | 348 | if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { |
eba523f0 | 349 | return chachapoly_crypt(cc->cp_ctx, seqnr, dest, src, |
8668706d DM |
350 | len, aadlen, authlen, cc->encrypt); |
351 | } | |
cdccebdf | 352 | if ((cc->cipher->flags & CFLAG_NONE) != 0) { |
353 | memcpy(dest, src, aadlen + len); | |
354 | return 0; | |
355 | } | |
1f0311c7 DM |
356 | #ifndef WITH_OPENSSL |
357 | if ((cc->cipher->flags & CFLAG_AESCTR) != 0) { | |
358 | if (aadlen) | |
359 | memcpy(dest, src, aadlen); | |
360 | aesctr_encrypt_bytes(&cc->ac_ctx, src + aadlen, | |
361 | dest + aadlen, len); | |
362 | return 0; | |
363 | } | |
8668706d | 364 | return SSH_ERR_INVALID_ARGUMENT; |
1f0311c7 | 365 | #else |
1d75abfe DM |
366 | if (authlen) { |
367 | u_char lastiv[1]; | |
368 | ||
369 | if (authlen != cipher_authlen(cc->cipher)) | |
8668706d | 370 | return SSH_ERR_INVALID_ARGUMENT; |
1d75abfe | 371 | /* increment IV */ |
4706c1d8 | 372 | if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN, |
1d75abfe | 373 | 1, lastiv)) |
8668706d | 374 | return SSH_ERR_LIBCRYPTO_ERROR; |
1d75abfe DM |
375 | /* set tag on decyption */ |
376 | if (!cc->encrypt && | |
4706c1d8 | 377 | !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG, |
1d75abfe | 378 | authlen, (u_char *)src + aadlen + len)) |
8668706d | 379 | return SSH_ERR_LIBCRYPTO_ERROR; |
1d75abfe DM |
380 | } |
381 | if (aadlen) { | |
382 | if (authlen && | |
4706c1d8 | 383 | EVP_Cipher(cc->evp, NULL, (u_char *)src, aadlen) < 0) |
8668706d | 384 | return SSH_ERR_LIBCRYPTO_ERROR; |
af43a7ac | 385 | memcpy(dest, src, aadlen); |
1d75abfe | 386 | } |
874d77bb | 387 | if (len % cc->cipher->block_size) |
8668706d | 388 | return SSH_ERR_INVALID_ARGUMENT; |
4706c1d8 | 389 | if (EVP_Cipher(cc->evp, dest + aadlen, (u_char *)src + aadlen, |
af43a7ac | 390 | len) < 0) |
8668706d | 391 | return SSH_ERR_LIBCRYPTO_ERROR; |
1d75abfe DM |
392 | if (authlen) { |
393 | /* compute tag (on encrypt) or verify tag (on decrypt) */ | |
4706c1d8 | 394 | if (EVP_Cipher(cc->evp, NULL, NULL, 0) < 0) |
8668706d DM |
395 | return cc->encrypt ? |
396 | SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID; | |
1d75abfe | 397 | if (cc->encrypt && |
4706c1d8 | 398 | !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG, |
1d75abfe | 399 | authlen, dest + aadlen + len)) |
8668706d | 400 | return SSH_ERR_LIBCRYPTO_ERROR; |
1d75abfe | 401 | } |
bcd00abd | 402 | return 0; |
1f0311c7 | 403 | #endif |
874d77bb DM |
404 | } |
405 | ||
0fde8acd DM |
406 | /* Extract the packet length, including any decryption necessary beforehand */ |
407 | int | |
8668706d | 408 | cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr, |
0fde8acd DM |
409 | const u_char *cp, u_int len) |
410 | { | |
411 | if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) | |
eba523f0 | 412 | return chachapoly_get_length(cc->cp_ctx, plenp, seqnr, |
0fde8acd DM |
413 | cp, len); |
414 | if (len < 4) | |
8668706d | 415 | return SSH_ERR_MESSAGE_INCOMPLETE; |
1b11ea7c | 416 | *plenp = PEEK_U32(cp); |
0fde8acd DM |
417 | return 0; |
418 | } | |
419 | ||
4706c1d8 | 420 | void |
421 | cipher_free(struct sshcipher_ctx *cc) | |
874d77bb | 422 | { |
4706c1d8 | 423 | if (cc == NULL) |
424 | return; | |
eba523f0 | 425 | if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { |
426 | chachapoly_free(cc->cp_ctx); | |
427 | cc->cp_ctx = NULL; | |
428 | } else if ((cc->cipher->flags & CFLAG_AESCTR) != 0) | |
1f0311c7 DM |
429 | explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx)); |
430 | #ifdef WITH_OPENSSL | |
7cd31632 | 431 | EVP_CIPHER_CTX_free(cc->evp); |
432 | cc->evp = NULL; | |
1f0311c7 | 433 | #endif |
d5ba1c03 | 434 | freezero(cc, sizeof(*cc)); |
d4a8b7e3 DM |
435 | } |
436 | ||
8668706d | 437 | int |
482d23bc | 438 | cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, size_t len) |
212facac | 439 | { |
1f0311c7 | 440 | #ifdef WITH_OPENSSL |
41bff4da | 441 | const struct sshcipher *c = cc->cipher; |
b8bbff3b | 442 | int evplen; |
1f0311c7 | 443 | #endif |
212facac | 444 | |
0fde8acd DM |
445 | if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { |
446 | if (len != 0) | |
8668706d DM |
447 | return SSH_ERR_INVALID_ARGUMENT; |
448 | return 0; | |
0fde8acd | 449 | } |
540e8911 | 450 | if ((cc->cipher->flags & CFLAG_AESCTR) != 0) { |
451 | if (len != sizeof(cc->ac_ctx.ctr)) | |
452 | return SSH_ERR_INVALID_ARGUMENT; | |
453 | memcpy(iv, cc->ac_ctx.ctr, len); | |
454 | return 0; | |
455 | } | |
1f0311c7 | 456 | if ((cc->cipher->flags & CFLAG_NONE) != 0) |
8668706d | 457 | return 0; |
0fde8acd | 458 | |
1f0311c7 | 459 | #ifdef WITH_OPENSSL |
cdccebdf | 460 | evplen = EVP_CIPHER_CTX_iv_length(cc->evp); |
461 | if (evplen == 0) | |
462 | return 0; | |
463 | else if (evplen < 0) | |
464 | return SSH_ERR_LIBCRYPTO_ERROR; | |
482d23bc | 465 | if ((size_t)evplen != len) |
cdccebdf | 466 | return SSH_ERR_INVALID_ARGUMENT; |
cdccebdf | 467 | if (cipher_authlen(c)) { |
468 | if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN, | |
57ed647e | 469 | len, iv)) |
31d8d231 | 470 | return SSH_ERR_LIBCRYPTO_ERROR; |
482d23bc | 471 | } else if (!EVP_CIPHER_CTX_get_iv(cc->evp, iv, len)) |
31d8d231 | 472 | return SSH_ERR_LIBCRYPTO_ERROR; |
8668706d | 473 | #endif |
8668706d | 474 | return 0; |
212facac BL |
475 | } |
476 | ||
8668706d | 477 | int |
482d23bc | 478 | cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv, size_t len) |
212facac | 479 | { |
1f0311c7 | 480 | #ifdef WITH_OPENSSL |
41bff4da | 481 | const struct sshcipher *c = cc->cipher; |
b8bbff3b | 482 | int evplen = 0; |
1f0311c7 | 483 | #endif |
212facac | 484 | |
0fde8acd | 485 | if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) |
8668706d | 486 | return 0; |
1f0311c7 | 487 | if ((cc->cipher->flags & CFLAG_NONE) != 0) |
8668706d | 488 | return 0; |
0fde8acd | 489 | |
1f0311c7 | 490 | #ifdef WITH_OPENSSL |
cdccebdf | 491 | evplen = EVP_CIPHER_CTX_iv_length(cc->evp); |
492 | if (evplen <= 0) | |
493 | return SSH_ERR_LIBCRYPTO_ERROR; | |
482d23bc | 494 | if ((size_t)evplen != len) |
495 | return SSH_ERR_INVALID_ARGUMENT; | |
cdccebdf | 496 | if (cipher_authlen(c)) { |
497 | /* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */ | |
498 | if (!EVP_CIPHER_CTX_ctrl(cc->evp, | |
499 | EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv)) | |
500 | return SSH_ERR_LIBCRYPTO_ERROR; | |
482d23bc | 501 | } else if (!EVP_CIPHER_CTX_set_iv(cc->evp, iv, evplen)) |
502 | return SSH_ERR_LIBCRYPTO_ERROR; | |
8668706d | 503 | #endif |
8668706d | 504 | return 0; |
212facac | 505 | } |