[thirdparty/openssh-portable.git] / cipher.c

/* $OpenBSD: cipher.c,v 1.120 2023/10/10 06:49:54 tb Exp $ */
/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 *
 * Copyright (c) 1999 Niels Provos.  All rights reserved.
 * Copyright (c) 1999, 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include <sys/types.h>

#include <string.h>
#include <stdarg.h>
#include <stdio.h>

#include "cipher.h"
#include "misc.h"
#include "sshbuf.h"
#include "ssherr.h"
#include "digest.h"

#include "openbsd-compat/openssl-compat.h"

#ifndef WITH_OPENSSL
#define EVP_CIPHER_CTX void
#endif

struct sshcipher_ctx {
	int	plaintext;
	int	encrypt;
	EVP_CIPHER_CTX *evp;
	struct chachapoly_ctx *cp_ctx;
	struct aesctr_ctx ac_ctx; /* XXX union with evp? */
	const struct sshcipher *cipher;
};

struct sshcipher {
	char	*name;
	u_int	block_size;
	u_int	key_len;
	u_int	iv_len;		/* defaults to block_size */
	u_int	auth_len;
	u_int	flags;
#define CFLAG_CBC		(1<<0)
#define CFLAG_CHACHAPOLY	(1<<1)
#define CFLAG_AESCTR		(1<<2)
#define CFLAG_NONE		(1<<3)
#define CFLAG_INTERNAL		CFLAG_NONE /* Don't use "none" for packets */
#ifdef WITH_OPENSSL
	const EVP_CIPHER	*(*evptype)(void);
#else
	void	*ignored;
#endif
};

static const struct sshcipher ciphers[] = {
#ifdef WITH_OPENSSL
#ifndef OPENSSL_NO_DES
	{ "3des-cbc",		8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
#endif
	{ "aes128-cbc",		16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
	{ "aes192-cbc",		16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
	{ "aes256-cbc",		16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
	{ "aes128-ctr",		16, 16, 0, 0, 0, EVP_aes_128_ctr },
	{ "aes192-ctr",		16, 24, 0, 0, 0, EVP_aes_192_ctr },
	{ "aes256-ctr",		16, 32, 0, 0, 0, EVP_aes_256_ctr },
	{ "aes128-gcm@openssh.com",
				16, 16, 12, 16, 0, EVP_aes_128_gcm },
	{ "aes256-gcm@openssh.com",
				16, 32, 12, 16, 0, EVP_aes_256_gcm },
#else
	{ "aes128-ctr",		16, 16, 0, 0, CFLAG_AESCTR, NULL },
	{ "aes192-ctr",		16, 24, 0, 0, CFLAG_AESCTR, NULL },
	{ "aes256-ctr",		16, 32, 0, 0, CFLAG_AESCTR, NULL },
#endif
	{ "chacha20-poly1305@openssh.com",
				8, 64, 0, 16, CFLAG_CHACHAPOLY, NULL },
	{ "none",		8, 0, 0, 0, CFLAG_NONE, NULL },

	{ NULL,			0, 0, 0, 0, 0, NULL }
};

/*--*/

/* Returns a comma-separated list of supported ciphers. */
char *
cipher_alg_list(char sep, int auth_only)
{
	char *tmp, *ret = NULL;
	size_t nlen, rlen = 0;
	const struct sshcipher *c;

	for (c = ciphers; c->name != NULL; c++) {
		if ((c->flags & CFLAG_INTERNAL) != 0)
			continue;
		if (auth_only && c->auth_len == 0)
			continue;
		if (ret != NULL)
			ret[rlen++] = sep;
		nlen = strlen(c->name);
		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
			free(ret);
			return NULL;
		}
		ret = tmp;
		memcpy(ret + rlen, c->name, nlen + 1);
		rlen += nlen;
	}
	return ret;
}

const char *
compression_alg_list(int compression)
{
#ifdef WITH_ZLIB
	return compression ? "zlib@openssh.com,zlib,none" :
	    "none,zlib@openssh.com,zlib";
#else
	return "none";
#endif
}

u_int
cipher_blocksize(const struct sshcipher *c)
{
	return (c->block_size);
}

u_int
cipher_keylen(const struct sshcipher *c)
{
	return (c->key_len);
}

u_int
cipher_seclen(const struct sshcipher *c)
{
	if (strcmp("3des-cbc", c->name) == 0)
		return 14;
	return cipher_keylen(c);
}

u_int
cipher_authlen(const struct sshcipher *c)
{
	return (c->auth_len);
}

u_int
cipher_ivlen(const struct sshcipher *c)
{
	/*
	 * Default is cipher block size, except for chacha20+poly1305 that
	 * needs no IV. XXX make iv_len == -1 default?
	 */
	return (c->iv_len != 0 || (c->flags & CFLAG_CHACHAPOLY) != 0) ?
	    c->iv_len : c->block_size;
}

u_int
cipher_is_cbc(const struct sshcipher *c)
{
	return (c->flags & CFLAG_CBC) != 0;
}

u_int
cipher_ctx_is_plaintext(struct sshcipher_ctx *cc)
{
	return cc->plaintext;
}

const struct sshcipher *
cipher_by_name(const char *name)
{
	const struct sshcipher *c;
	for (c = ciphers; c->name != NULL; c++)
		if (strcmp(c->name, name) == 0)
			return c;
	return NULL;
}

#define	CIPHER_SEP	","
int
ciphers_valid(const char *names)
{
	const struct sshcipher *c;
	char *cipher_list, *cp;
	char *p;

	if (names == NULL || strcmp(names, "") == 0)
		return 0;
	if ((cipher_list = cp = strdup(names)) == NULL)
		return 0;
	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
	    (p = strsep(&cp, CIPHER_SEP))) {
		c = cipher_by_name(p);
		if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
			free(cipher_list);
			return 0;
		}
	}
	free(cipher_list);
	return 1;
}

const char *
cipher_warning_message(const struct sshcipher_ctx *cc)
{
	if (cc == NULL || cc->cipher == NULL)
		return NULL;
	/* XXX repurpose for CBC warning */
	return NULL;
}

int
cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
    const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
    int do_encrypt)
{
	struct sshcipher_ctx *cc = NULL;
	int ret = SSH_ERR_INTERNAL_ERROR;
#ifdef WITH_OPENSSL
	const EVP_CIPHER *type;
	int klen;
#endif

	*ccp = NULL;
	if ((cc = calloc(sizeof(*cc), 1)) == NULL)
		return SSH_ERR_ALLOC_FAIL;

	cc->plaintext = (cipher->flags & CFLAG_NONE) != 0;
	cc->encrypt = do_encrypt;

	if (keylen < cipher->key_len ||
	    (iv != NULL && ivlen < cipher_ivlen(cipher))) {
		ret = SSH_ERR_INVALID_ARGUMENT;
		goto out;
	}

	cc->cipher = cipher;
	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
		cc->cp_ctx = chachapoly_new(key, keylen);
		ret = cc->cp_ctx != NULL ? 0 : SSH_ERR_INVALID_ARGUMENT;
		goto out;
	}
	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
		ret = 0;
		goto out;
	}
#ifndef WITH_OPENSSL
	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
		aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
		aesctr_ivsetup(&cc->ac_ctx, iv);
		ret = 0;
		goto out;
	}
	ret = SSH_ERR_INVALID_ARGUMENT;
	goto out;
#else /* WITH_OPENSSL */
	type = (*cipher->evptype)();
	if ((cc->evp = EVP_CIPHER_CTX_new()) == NULL) {
		ret = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv,
	    (do_encrypt == CIPHER_ENCRYPT)) == 0) {
		ret = SSH_ERR_LIBCRYPTO_ERROR;
		goto out;
	}
	if (cipher_authlen(cipher) &&
	    !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
	    -1, (u_char *)iv)) {
		ret = SSH_ERR_LIBCRYPTO_ERROR;
		goto out;
	}
	klen = EVP_CIPHER_CTX_key_length(cc->evp);
	if (klen > 0 && keylen != (u_int)klen) {
		if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) {
			ret = SSH_ERR_LIBCRYPTO_ERROR;
			goto out;
		}
	}
	if (EVP_CipherInit(cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
		ret = SSH_ERR_LIBCRYPTO_ERROR;
		goto out;
	}
	ret = 0;
#endif /* WITH_OPENSSL */
 out:
	if (ret == 0) {
		/* success */
		*ccp = cc;
	} else {
		if (cc != NULL) {
#ifdef WITH_OPENSSL
			EVP_CIPHER_CTX_free(cc->evp);
#endif /* WITH_OPENSSL */
			freezero(cc, sizeof(*cc));
		}
	}
	return ret;
}

/*
 * cipher_crypt() operates as following:
 * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
 * These bytes are treated as additional authenticated data for
 * authenticated encryption modes.
 * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
 * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
 * This tag is written on encryption and verified on decryption.
 * Both 'aadlen' and 'authlen' can be set to 0.
 */
int
cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
   const u_char *src, u_int len, u_int aadlen, u_int authlen)
{
	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
		return chachapoly_crypt(cc->cp_ctx, seqnr, dest, src,
		    len, aadlen, authlen, cc->encrypt);
	}
	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
		memcpy(dest, src, aadlen + len);
		return 0;
	}
#ifndef WITH_OPENSSL
	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
		if (aadlen)
			memcpy(dest, src, aadlen);
		aesctr_encrypt_bytes(&cc->ac_ctx, src + aadlen,
		    dest + aadlen, len);
		return 0;
	}
	return SSH_ERR_INVALID_ARGUMENT;
#else
	if (authlen) {
		u_char lastiv[1];

		if (authlen != cipher_authlen(cc->cipher))
			return SSH_ERR_INVALID_ARGUMENT;
		/* increment IV */
		if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
		    1, lastiv))
			return SSH_ERR_LIBCRYPTO_ERROR;
		/* set tag on decyption */
		if (!cc->encrypt &&
		    !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
		    authlen, (u_char *)src + aadlen + len))
			return SSH_ERR_LIBCRYPTO_ERROR;
	}
	if (aadlen) {
		if (authlen &&
		    EVP_Cipher(cc->evp, NULL, (u_char *)src, aadlen) < 0)
			return SSH_ERR_LIBCRYPTO_ERROR;
		memcpy(dest, src, aadlen);
	}
	if (len % cc->cipher->block_size)
		return SSH_ERR_INVALID_ARGUMENT;
	if (EVP_Cipher(cc->evp, dest + aadlen, (u_char *)src + aadlen,
	    len) < 0)
		return SSH_ERR_LIBCRYPTO_ERROR;
	if (authlen) {
		/* compute tag (on encrypt) or verify tag (on decrypt) */
		if (EVP_Cipher(cc->evp, NULL, NULL, 0) < 0)
			return cc->encrypt ?
			    SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
		if (cc->encrypt &&
		    !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG,
		    authlen, dest + aadlen + len))
			return SSH_ERR_LIBCRYPTO_ERROR;
	}
	return 0;
#endif
}

/* Extract the packet length, including any decryption necessary beforehand */
int
cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
    const u_char *cp, u_int len)
{
	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
		return chachapoly_get_length(cc->cp_ctx, plenp, seqnr,
		    cp, len);
	if (len < 4)
		return SSH_ERR_MESSAGE_INCOMPLETE;
	*plenp = PEEK_U32(cp);
	return 0;
}

void
cipher_free(struct sshcipher_ctx *cc)
{
	if (cc == NULL)
		return;
	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
		chachapoly_free(cc->cp_ctx);
		cc->cp_ctx = NULL;
	} else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
		explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
#ifdef WITH_OPENSSL
	EVP_CIPHER_CTX_free(cc->evp);
	cc->evp = NULL;
#endif
	freezero(cc, sizeof(*cc));
}

int
cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, size_t len)
{
#ifdef WITH_OPENSSL
	const struct sshcipher *c = cc->cipher;
	int evplen;
#endif

	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
		if (len != 0)
			return SSH_ERR_INVALID_ARGUMENT;
		return 0;
	}
	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
		if (len != sizeof(cc->ac_ctx.ctr))
			return SSH_ERR_INVALID_ARGUMENT;
		memcpy(iv, cc->ac_ctx.ctr, len);
		return 0;
	}
	if ((cc->cipher->flags & CFLAG_NONE) != 0)
		return 0;

#ifdef WITH_OPENSSL
	evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
	if (evplen == 0)
		return 0;
	else if (evplen < 0)
		return SSH_ERR_LIBCRYPTO_ERROR;
	if ((size_t)evplen != len)
		return SSH_ERR_INVALID_ARGUMENT;
	if (cipher_authlen(c)) {
		if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
		    len, iv))
			return SSH_ERR_LIBCRYPTO_ERROR;
	} else if (!EVP_CIPHER_CTX_get_iv(cc->evp, iv, len))
		return SSH_ERR_LIBCRYPTO_ERROR;
#endif
	return 0;
}

int
cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv, size_t len)
{
#ifdef WITH_OPENSSL
	const struct sshcipher *c = cc->cipher;
	int evplen = 0;
#endif

	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
		return 0;
	if ((cc->cipher->flags & CFLAG_NONE) != 0)
		return 0;

#ifdef WITH_OPENSSL
	evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
	if (evplen <= 0)
		return SSH_ERR_LIBCRYPTO_ERROR;
	if ((size_t)evplen != len)
		return SSH_ERR_INVALID_ARGUMENT;
	if (cipher_authlen(c)) {
		/* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
		if (!EVP_CIPHER_CTX_ctrl(cc->evp,
		    EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
			return SSH_ERR_LIBCRYPTO_ERROR;
	} else if (!EVP_CIPHER_CTX_set_iv(cc->evp, iv, evplen))
		return SSH_ERR_LIBCRYPTO_ERROR;
#endif
	return 0;
}
Commit	Line	Data
03547908	1	/* $OpenBSD: cipher.c,v 1.120 2023/10/10 06:49:54 tb Exp $ */
d4a8b7e3	2	/*
95def098	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
95def098 DM	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
95def098 DM	5	* All rights reserved
4af51306	6	*
e4340be5 DM	7	* As far as I am concerned, the code I have written for this software
	8	* can be used freely for any purpose. Any derived versions of this
	9	* software must be clearly marked as such, and if the derived work is
	10	* incompatible with the protocol description in the RFC file, it must be
	11	* called by a name other than "ssh" or "Secure Shell".
	12	*
	13	*
	14	* Copyright (c) 1999 Niels Provos. All rights reserved.
44697233	15	* Copyright (c) 1999, 2000 Markus Friedl. All rights reserved.
e4340be5 DM	16	*
	17	* Redistribution and use in source and binary forms, with or without
	18	* modification, are permitted provided that the following conditions
	19	* are met:
	20	* 1. Redistributions of source code must retain the above copyright
	21	* notice, this list of conditions and the following disclaimer.
	22	* 2. Redistributions in binary form must reproduce the above copyright
	23	* notice, this list of conditions and the following disclaimer in the
	24	* documentation and/or other materials provided with the distribution.
4af51306	25	*
e4340be5 DM	26	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	27	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	28	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	29	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	30	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	31	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	32	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	33	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	34	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	35	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
95def098	36	*/
d4a8b7e3 DM	37
d4a8b7e3 DM	38	#include "includes.h"
d4a8b7e3	39
d7834353 DM	40	#include <sys/types.h>
d7834353 DM	41
e3476ed0	42	#include <string.h>
d7834353	43	#include <stdarg.h>
0fde8acd	44	#include <stdio.h>
e3476ed0	45
226cfa03	46	#include "cipher.h"
8668706d DM	47	#include "misc.h"
	48	#include "sshbuf.h"
	49	#include "ssherr.h"
4a1c7aa6	50	#include "digest.h"
d4a8b7e3	51
55731713 DT	52	#include "openbsd-compat/openssl-compat.h"
55731713 DT	53
670104b9	54	#ifndef WITH_OPENSSL
	55	#define EVP_CIPHER_CTX void
	56	#endif
d4a8b7e3	57
4706c1d8	58	struct sshcipher_ctx {
	59	int plaintext;
	60	int encrypt;
	61	EVP_CIPHER_CTX *evp;
eba523f0	62	struct chachapoly_ctx *cp_ctx;
4706c1d8	63	struct aesctr_ctx ac_ctx; /* XXX union with evp? */
	64	const struct sshcipher *cipher;
	65	};
	66
8668706d	67	struct sshcipher {
963f6b25	68	char *name;
963f6b25 DM	69	u_int block_size;
963f6b25 DM	70	u_int key_len;
d522c688 DM	71	u_int iv_len; /* defaults to block_size */
d522c688 DM	72	u_int auth_len;
0fde8acd DM	73	u_int flags;
	74	#define CFLAG_CBC (1<<0)
	75	#define CFLAG_CHACHAPOLY (1<<1)
1f0311c7 DM	76	#define CFLAG_AESCTR (1<<2)
1f0311c7 DM	77	#define CFLAG_NONE (1<<3)
cdccebdf	78	#define CFLAG_INTERNAL CFLAG_NONE /* Don't use "none" for packets */
1f0311c7	79	#ifdef WITH_OPENSSL
6a246413	80	const EVP_CIPHER (evptype)(void);
1f0311c7 DM	81	#else
	82	void *ignored;
	83	#endif
ea11119e DM	84	};
ea11119e DM	85
8668706d	86	static const struct sshcipher ciphers[] = {
1f0311c7	87	#ifdef WITH_OPENSSL
cec33896	88	#ifndef OPENSSL_NO_DES
acaf34fd	89	{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
cec33896	90	#endif
acaf34fd	91	{ "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
	92	{ "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
	93	{ "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
acaf34fd	94	{ "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
	95	{ "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
	96	{ "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
1d75abfe	97	{ "aes128-gcm@openssh.com",
acaf34fd	98	16, 16, 12, 16, 0, EVP_aes_128_gcm },
1d75abfe	99	{ "aes256-gcm@openssh.com",
acaf34fd	100	16, 32, 12, 16, 0, EVP_aes_256_gcm },
cdccebdf	101	#else
acaf34fd	102	{ "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
	103	{ "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },
	104	{ "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL },
cdccebdf	105	#endif
0fde8acd	106	{ "chacha20-poly1305@openssh.com",
acaf34fd	107	8, 64, 0, 16, CFLAG_CHACHAPOLY, NULL },
acaf34fd	108	{ "none", 8, 0, 0, 0, CFLAG_NONE, NULL },
8668706d	109
acaf34fd	110	{ NULL, 0, 0, 0, 0, 0, NULL }
874d77bb DM	111	};
	112
	113	/--/
	114
8668706d	115	/* Returns a comma-separated list of supported ciphers. */
ea11119e	116	char *
0fde8acd	117	cipher_alg_list(char sep, int auth_only)
ea11119e	118	{
8668706d	119	char tmp, ret = NULL;
ea11119e	120	size_t nlen, rlen = 0;
8668706d	121	const struct sshcipher *c;
ea11119e DM	122
ea11119e DM	123	for (c = ciphers; c->name != NULL; c++) {
cdccebdf	124	if ((c->flags & CFLAG_INTERNAL) != 0)
ea11119e	125	continue;
0fde8acd DM	126	if (auth_only && c->auth_len == 0)
0fde8acd DM	127	continue;
ea11119e	128	if (ret != NULL)
690d9890	129	ret[rlen++] = sep;
ea11119e	130	nlen = strlen(c->name);
8668706d DM	131	if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
	132	free(ret);
	133	return NULL;
	134	}
	135	ret = tmp;
ea11119e DM	136	memcpy(ret + rlen, c->name, nlen + 1);
	137	rlen += nlen;
	138	}
	139	return ret;
	140	}
	141
7f8e66fe	142	const char *
	143	compression_alg_list(int compression)
	144	{
	145	#ifdef WITH_ZLIB
	146	return compression ? "zlib@openssh.com,zlib,none" :
	147	"none,zlib@openssh.com,zlib";
	148	#else
	149	return "none";
	150	#endif
	151	}
	152
6328ab39	153	u_int
8668706d	154	cipher_blocksize(const struct sshcipher *c)
963f6b25 DM	155	{
	156	return (c->block_size);
	157	}
836f0e9d	158
6328ab39	159	u_int
8668706d	160	cipher_keylen(const struct sshcipher *c)
963f6b25 DM	161	{
	162	return (c->key_len);
	163	}
836f0e9d	164
76eea4ab	165	u_int
8668706d	166	cipher_seclen(const struct sshcipher *c)
76eea4ab DM	167	{
	168	if (strcmp("3des-cbc", c->name) == 0)
	169	return 14;
	170	return cipher_keylen(c);
	171	}
	172
1d75abfe	173	u_int
8668706d	174	cipher_authlen(const struct sshcipher *c)
1d75abfe DM	175	{
	176	return (c->auth_len);
	177	}
	178
	179	u_int
8668706d	180	cipher_ivlen(const struct sshcipher *c)
1d75abfe	181	{
0fde8acd DM	182	/*
	183	* Default is cipher block size, except for chacha20+poly1305 that
	184	* needs no IV. XXX make iv_len == -1 default?
	185	*/
	186	return (c->iv_len != 0 \|\| (c->flags & CFLAG_CHACHAPOLY) != 0) ?
	187	c->iv_len : c->block_size;
1d75abfe DM	188	}
1d75abfe DM	189
13ae44ce	190	u_int
8668706d	191	cipher_is_cbc(const struct sshcipher *c)
13ae44ce	192	{
0fde8acd	193	return (c->flags & CFLAG_CBC) != 0;
13ae44ce DM	194	}
13ae44ce DM	195
4706c1d8	196	u_int
	197	cipher_ctx_is_plaintext(struct sshcipher_ctx *cc)
	198	{
	199	return cc->plaintext;
	200	}
	201
8668706d	202	const struct sshcipher *
874d77bb	203	cipher_by_name(const char *name)
1383bd8e	204	{
8668706d	205	const struct sshcipher *c;
874d77bb	206	for (c = ciphers; c->name != NULL; c++)
660db78a	207	if (strcmp(c->name, name) == 0)
874d77bb DM	208	return c;
874d77bb DM	209	return NULL;
1383bd8e	210	}
d4a8b7e3	211
78928793 DM	212	#define CIPHER_SEP ","
	213	int
	214	ciphers_valid(const char *names)
	215	{
8668706d	216	const struct sshcipher *c;
3f9fdc71	217	char cipher_list, cp;
78928793	218	char *p;
78928793	219
b1715dc0	220	if (names == NULL \|\| strcmp(names, "") == 0)
78928793	221	return 0;
8668706d DM	222	if ((cipher_list = cp = strdup(names)) == NULL)
8668706d DM	223	return 0;
874d77bb	224	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
9f0f5c64	225	(p = strsep(&cp, CIPHER_SEP))) {
874d77bb	226	c = cipher_by_name(p);
cdccebdf	227	if (c == NULL \|\| (c->flags & CFLAG_INTERNAL) != 0) {
a627d42e	228	free(cipher_list);
78928793 DM	229	return 0;
	230	}
	231	}
a627d42e	232	free(cipher_list);
78928793 DM	233	return 1;
	234	}
	235
8668706d DM	236	const char *
	237	cipher_warning_message(const struct sshcipher_ctx *cc)
	238	{
	239	if (cc == NULL \|\| cc->cipher == NULL)
	240	return NULL;
cdccebdf	241	/* XXX repurpose for CBC warning */
8668706d DM	242	return NULL;
	243	}
	244
	245	int
4706c1d8	246	cipher_init(struct sshcipher_ctx *ccp, const struct sshcipher cipher,
21cf4e06	247	const u_char key, u_int keylen, const u_char iv, u_int ivlen,
3f9fdc71	248	int do_encrypt)
874d77bb	249	{
4706c1d8	250	struct sshcipher_ctx *cc = NULL;
8668706d	251	int ret = SSH_ERR_INTERNAL_ERROR;
4706c1d8	252	#ifdef WITH_OPENSSL
21cf4e06 DM	253	const EVP_CIPHER *type;
21cf4e06 DM	254	int klen;
4706c1d8	255	#endif
	256
	257	*ccp = NULL;
	258	if ((cc = calloc(sizeof(*cc), 1)) == NULL)
	259	return SSH_ERR_ALLOC_FAIL;
21cf4e06	260
e77e1562	261	cc->plaintext = (cipher->flags & CFLAG_NONE) != 0;
1d75abfe	262	cc->encrypt = do_encrypt;
21cf4e06	263
8668706d	264	if (keylen < cipher->key_len \|\|
4706c1d8	265	(iv != NULL && ivlen < cipher_ivlen(cipher))) {
	266	ret = SSH_ERR_INVALID_ARGUMENT;
	267	goto out;
	268	}
21cf4e06	269
8668706d	270	cc->cipher = cipher;
0fde8acd	271	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
eba523f0	272	cc->cp_ctx = chachapoly_new(key, keylen);
eba523f0	273	ret = cc->cp_ctx != NULL ? 0 : SSH_ERR_INVALID_ARGUMENT;
4706c1d8	274	goto out;
0fde8acd	275	}
cdccebdf	276	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
	277	ret = 0;
	278	goto out;
	279	}
1f0311c7 DM	280	#ifndef WITH_OPENSSL
	281	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
	282	aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
	283	aesctr_ivsetup(&cc->ac_ctx, iv);
4706c1d8	284	ret = 0;
4706c1d8	285	goto out;
1f0311c7	286	}
4706c1d8	287	ret = SSH_ERR_INVALID_ARGUMENT;
	288	goto out;
	289	#else /* WITH_OPENSSL */
21cf4e06	290	type = (*cipher->evptype)();
4706c1d8	291	if ((cc->evp = EVP_CIPHER_CTX_new()) == NULL) {
	292	ret = SSH_ERR_ALLOC_FAIL;
	293	goto out;
	294	}
	295	if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv,
8668706d DM	296	(do_encrypt == CIPHER_ENCRYPT)) == 0) {
8668706d DM	297	ret = SSH_ERR_LIBCRYPTO_ERROR;
4706c1d8	298	goto out;
8668706d	299	}
1d75abfe	300	if (cipher_authlen(cipher) &&
4706c1d8	301	!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
8668706d DM	302	-1, (u_char *)iv)) {
8668706d DM	303	ret = SSH_ERR_LIBCRYPTO_ERROR;
4706c1d8	304	goto out;
8668706d	305	}
4706c1d8	306	klen = EVP_CIPHER_CTX_key_length(cc->evp);
eccb9de7	307	if (klen > 0 && keylen != (u_int)klen) {
4706c1d8	308	if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) {
8668706d	309	ret = SSH_ERR_LIBCRYPTO_ERROR;
4706c1d8	310	goto out;
8668706d DM	311	}
8668706d DM	312	}
4706c1d8	313	if (EVP_CipherInit(cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
8668706d	314	ret = SSH_ERR_LIBCRYPTO_ERROR;
4706c1d8	315	goto out;
21cf4e06	316	}
4706c1d8	317	ret = 0;
	318	#endif /* WITH_OPENSSL */
	319	out:
	320	if (ret == 0) {
	321	/* success */
	322	*ccp = cc;
	323	} else {
	324	if (cc != NULL) {
	325	#ifdef WITH_OPENSSL
7cd31632	326	EVP_CIPHER_CTX_free(cc->evp);
4706c1d8	327	#endif /* WITH_OPENSSL */
d5ba1c03	328	freezero(cc, sizeof(*cc));
4706c1d8	329	}
	330	}
	331	return ret;
874d77bb DM	332	}
874d77bb DM	333
af43a7ac DM	334	/*
	335	* cipher_crypt() operates as following:
	336	* Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
d081f017	337	* These bytes are treated as additional authenticated data for
af43a7ac DM	338	* authenticated encryption modes.
af43a7ac DM	339	* En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
1d75abfe DM	340	* Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
1d75abfe DM	341	* This tag is written on encryption and verified on decryption.
af43a7ac DM	342	* Both 'aadlen' and 'authlen' can be set to 0.
af43a7ac DM	343	*/
bcd00abd	344	int
8668706d DM	345	cipher_crypt(struct sshcipher_ctx cc, u_int seqnr, u_char dest,
8668706d DM	346	const u_char *src, u_int len, u_int aadlen, u_int authlen)
874d77bb	347	{
8668706d	348	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
eba523f0	349	return chachapoly_crypt(cc->cp_ctx, seqnr, dest, src,
8668706d DM	350	len, aadlen, authlen, cc->encrypt);
8668706d DM	351	}
cdccebdf	352	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
	353	memcpy(dest, src, aadlen + len);
	354	return 0;
	355	}
1f0311c7 DM	356	#ifndef WITH_OPENSSL
	357	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
	358	if (aadlen)
	359	memcpy(dest, src, aadlen);
	360	aesctr_encrypt_bytes(&cc->ac_ctx, src + aadlen,
	361	dest + aadlen, len);
	362	return 0;
	363	}
8668706d	364	return SSH_ERR_INVALID_ARGUMENT;
1f0311c7	365	#else
1d75abfe DM	366	if (authlen) {
	367	u_char lastiv[1];
	368
	369	if (authlen != cipher_authlen(cc->cipher))
8668706d	370	return SSH_ERR_INVALID_ARGUMENT;
1d75abfe	371	/* increment IV */
4706c1d8	372	if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
1d75abfe	373	1, lastiv))
8668706d	374	return SSH_ERR_LIBCRYPTO_ERROR;
1d75abfe DM	375	/* set tag on decyption */
1d75abfe DM	376	if (!cc->encrypt &&
4706c1d8	377	!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
1d75abfe	378	authlen, (u_char *)src + aadlen + len))
8668706d	379	return SSH_ERR_LIBCRYPTO_ERROR;
1d75abfe DM	380	}
	381	if (aadlen) {
	382	if (authlen &&
4706c1d8	383	EVP_Cipher(cc->evp, NULL, (u_char *)src, aadlen) < 0)
8668706d	384	return SSH_ERR_LIBCRYPTO_ERROR;
af43a7ac	385	memcpy(dest, src, aadlen);
1d75abfe	386	}
874d77bb	387	if (len % cc->cipher->block_size)
8668706d	388	return SSH_ERR_INVALID_ARGUMENT;
4706c1d8	389	if (EVP_Cipher(cc->evp, dest + aadlen, (u_char *)src + aadlen,
af43a7ac	390	len) < 0)
8668706d	391	return SSH_ERR_LIBCRYPTO_ERROR;
1d75abfe DM	392	if (authlen) {
1d75abfe DM	393	/* compute tag (on encrypt) or verify tag (on decrypt) */
4706c1d8	394	if (EVP_Cipher(cc->evp, NULL, NULL, 0) < 0)
8668706d DM	395	return cc->encrypt ?
8668706d DM	396	SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
1d75abfe	397	if (cc->encrypt &&
4706c1d8	398	!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG,
1d75abfe	399	authlen, dest + aadlen + len))
8668706d	400	return SSH_ERR_LIBCRYPTO_ERROR;
1d75abfe	401	}
bcd00abd	402	return 0;
1f0311c7	403	#endif
874d77bb DM	404	}
874d77bb DM	405
0fde8acd DM	406	/* Extract the packet length, including any decryption necessary beforehand */
0fde8acd DM	407	int
8668706d	408	cipher_get_length(struct sshcipher_ctx cc, u_int plenp, u_int seqnr,
0fde8acd DM	409	const u_char *cp, u_int len)
	410	{
	411	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
eba523f0	412	return chachapoly_get_length(cc->cp_ctx, plenp, seqnr,
0fde8acd DM	413	cp, len);
0fde8acd DM	414	if (len < 4)
8668706d	415	return SSH_ERR_MESSAGE_INCOMPLETE;
1b11ea7c	416	*plenp = PEEK_U32(cp);
0fde8acd DM	417	return 0;
	418	}
	419
4706c1d8	420	void
4706c1d8	421	cipher_free(struct sshcipher_ctx *cc)
874d77bb	422	{
4706c1d8	423	if (cc == NULL)
4706c1d8	424	return;
eba523f0	425	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
	426	chachapoly_free(cc->cp_ctx);
	427	cc->cp_ctx = NULL;
	428	} else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
1f0311c7 DM	429	explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
1f0311c7 DM	430	#ifdef WITH_OPENSSL
7cd31632	431	EVP_CIPHER_CTX_free(cc->evp);
7cd31632	432	cc->evp = NULL;
1f0311c7	433	#endif
d5ba1c03	434	freezero(cc, sizeof(*cc));
d4a8b7e3 DM	435	}
d4a8b7e3 DM	436
8668706d	437	int
482d23bc	438	cipher_get_keyiv(struct sshcipher_ctx cc, u_char iv, size_t len)
212facac	439	{
1f0311c7	440	#ifdef WITH_OPENSSL
41bff4da	441	const struct sshcipher *c = cc->cipher;
b8bbff3b	442	int evplen;
1f0311c7	443	#endif
212facac	444
0fde8acd DM	445	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
0fde8acd DM	446	if (len != 0)
8668706d DM	447	return SSH_ERR_INVALID_ARGUMENT;
8668706d DM	448	return 0;
0fde8acd	449	}
540e8911	450	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
	451	if (len != sizeof(cc->ac_ctx.ctr))
	452	return SSH_ERR_INVALID_ARGUMENT;
	453	memcpy(iv, cc->ac_ctx.ctr, len);
	454	return 0;
	455	}
1f0311c7	456	if ((cc->cipher->flags & CFLAG_NONE) != 0)
8668706d	457	return 0;
0fde8acd	458
1f0311c7	459	#ifdef WITH_OPENSSL
cdccebdf	460	evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
	461	if (evplen == 0)
	462	return 0;
	463	else if (evplen < 0)
	464	return SSH_ERR_LIBCRYPTO_ERROR;
482d23bc	465	if ((size_t)evplen != len)
cdccebdf	466	return SSH_ERR_INVALID_ARGUMENT;
cdccebdf	467	if (cipher_authlen(c)) {
cdccebdf	468	if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
57ed647e	469	len, iv))
31d8d231	470	return SSH_ERR_LIBCRYPTO_ERROR;
482d23bc	471	} else if (!EVP_CIPHER_CTX_get_iv(cc->evp, iv, len))
31d8d231	472	return SSH_ERR_LIBCRYPTO_ERROR;
8668706d	473	#endif
8668706d	474	return 0;
212facac BL	475	}
212facac BL	476
8668706d	477	int
482d23bc	478	cipher_set_keyiv(struct sshcipher_ctx cc, const u_char iv, size_t len)
212facac	479	{
1f0311c7	480	#ifdef WITH_OPENSSL
41bff4da	481	const struct sshcipher *c = cc->cipher;
b8bbff3b	482	int evplen = 0;
1f0311c7	483	#endif
212facac	484
0fde8acd	485	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
8668706d	486	return 0;
1f0311c7	487	if ((cc->cipher->flags & CFLAG_NONE) != 0)
8668706d	488	return 0;
0fde8acd	489
1f0311c7	490	#ifdef WITH_OPENSSL
cdccebdf	491	evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
	492	if (evplen <= 0)
	493	return SSH_ERR_LIBCRYPTO_ERROR;
482d23bc	494	if ((size_t)evplen != len)
482d23bc	495	return SSH_ERR_INVALID_ARGUMENT;
cdccebdf	496	if (cipher_authlen(c)) {
	497	/* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
	498	if (!EVP_CIPHER_CTX_ctrl(cc->evp,
	499	EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
	500	return SSH_ERR_LIBCRYPTO_ERROR;
482d23bc	501	} else if (!EVP_CIPHER_CTX_set_iv(cc->evp, iv, evplen))
482d23bc	502	return SSH_ERR_LIBCRYPTO_ERROR;
8668706d	503	#endif
8668706d	504	return 0;
212facac	505	}