1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be 10 * called by a name other than "ssh" or "Secure Shell". 11 * 12 * 13 * Copyright (c) 1999 Niels Provos. All rights reserved. 14 * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37 /* 38 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 39 * Use is subject to license terms. 40 */ 41 42 #include "includes.h" 43 RCSID("$OpenBSD: cipher.c,v 1.61 2002/07/12 15:50:17 markus Exp $"); 44 45 #pragma ident "%Z%%M% %I% %E% SMI" 46 47 #include "xmalloc.h" 48 #include "log.h" 49 #include "cipher.h" 50 51 #include <openssl/md5.h> 52 53 #if OPENSSL_VERSION_NUMBER < 0x00906000L 54 #define SSH_OLD_EVP 55 #define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) 56 #endif 57 58 extern const EVP_CIPHER *evp_aes_128_ctr(void); 59 extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); 60 61 static const EVP_CIPHER *evp_ssh1_3des(void); 62 static const EVP_CIPHER *evp_ssh1_bf(void); 63 64 struct Cipher { 65 char *name; 66 int number; /* for ssh1 only */ 67 u_int block_size; 68 u_int key_len; 69 const EVP_CIPHER *(*evptype)(void); 70 } ciphers[] = { 71 { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, 72 { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc }, 73 { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des }, 74 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf }, 75 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc }, 76 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc }, 77 #ifdef SOLARIS_SSH_ENABLE_CAST5_128 78 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc }, 79 #endif /* SOLARIS_SSH_ENABLE_CAST5_128 */ 80 { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 }, 81 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc }, 82 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc }, 83 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, 84 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr }, 85 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr }, 86 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr }, 87 { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL } 88 }; 89 90 /*--*/ 91 92 u_int 93 cipher_blocksize(Cipher *c) 94 { 95 return (c->block_size); 96 } 97 98 u_int 99 cipher_keylen(Cipher *c) 100 { 101 return (c->key_len); 102 } 103 104 u_int 105 cipher_get_number(Cipher *c) 106 { 107 return (c->number); 108 } 109 110 u_int 111 cipher_mask_ssh1(int client) 112 { 113 u_int mask = 0; 114 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 115 mask |= 1 << SSH_CIPHER_BLOWFISH; 116 if (client) { 117 mask |= 1 << SSH_CIPHER_DES; 118 } 119 return mask; 120 } 121 122 Cipher * 123 cipher_by_name(const char *name) 124 { 125 Cipher *c; 126 for (c = ciphers; c->name != NULL; c++) 127 if (strcasecmp(c->name, name) == 0) 128 return c; 129 return NULL; 130 } 131 132 Cipher * 133 cipher_by_number(int id) 134 { 135 Cipher *c; 136 for (c = ciphers; c->name != NULL; c++) 137 if (c->number == id) 138 return c; 139 return NULL; 140 } 141 142 #define CIPHER_SEP "," 143 int 144 ciphers_valid(const char *names) 145 { 146 Cipher *c; 147 char *ciphers, *cp; 148 char *p; 149 150 if (names == NULL || strcmp(names, "") == 0) 151 return 0; 152 ciphers = cp = xstrdup(names); 153 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 154 (p = strsep(&cp, CIPHER_SEP))) { 155 c = cipher_by_name(p); 156 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 157 debug("bad cipher %s [%s]", p, names); 158 xfree(ciphers); 159 return 0; 160 } else { 161 debug3("cipher ok: %s [%s]", p, names); 162 } 163 } 164 debug3("ciphers ok: [%s]", names); 165 xfree(ciphers); 166 return 1; 167 } 168 169 /* 170 * Parses the name of the cipher. Returns the number of the corresponding 171 * cipher, or -1 on error. 172 */ 173 174 int 175 cipher_number(const char *name) 176 { 177 Cipher *c; 178 if (name == NULL) 179 return -1; 180 c = cipher_by_name(name); 181 return (c==NULL) ? -1 : c->number; 182 } 183 184 char * 185 cipher_name(int id) 186 { 187 Cipher *c = cipher_by_number(id); 188 return (c==NULL) ? "<unknown>" : c->name; 189 } 190 191 void 192 cipher_init(CipherContext *cc, Cipher *cipher, 193 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 194 int encrypt) 195 { 196 static int dowarn = 1; 197 #ifdef SSH_OLD_EVP 198 EVP_CIPHER *type; 199 #else 200 const EVP_CIPHER *type; 201 #endif 202 int klen; 203 204 if (cipher->number == SSH_CIPHER_DES) { 205 if (dowarn) { 206 error("Warning: use of DES is strongly discouraged " 207 "due to cryptographic weaknesses"); 208 dowarn = 0; 209 } 210 if (keylen > 8) 211 keylen = 8; 212 } 213 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 214 215 if (keylen < cipher->key_len) 216 fatal("cipher_init: key length %d is insufficient for %s.", 217 keylen, cipher->name); 218 if (iv != NULL && ivlen < cipher->block_size) 219 fatal("cipher_init: iv length %d is insufficient for %s.", 220 ivlen, cipher->name); 221 cc->cipher = cipher; 222 223 type = (*cipher->evptype)(); 224 225 EVP_CIPHER_CTX_init(&cc->evp); 226 #ifdef SSH_OLD_EVP 227 if (type->key_len > 0 && type->key_len != keylen) { 228 debug("cipher_init: set keylen (%d -> %d)", 229 type->key_len, keylen); 230 type->key_len = keylen; 231 } 232 EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv, 233 (encrypt == CIPHER_ENCRYPT)); 234 #else 235 if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv, 236 (encrypt == CIPHER_ENCRYPT)) == 0) 237 fatal("cipher_init: EVP_CipherInit failed for %s", 238 cipher->name); 239 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 240 if (klen > 0 && keylen != klen) { 241 debug("cipher_init: set keylen (%d -> %d)", klen, keylen); 242 if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) 243 fatal("cipher_init: set keylen failed (%d -> %d)", 244 klen, keylen); 245 } 246 if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) 247 fatal("cipher_init: EVP_CipherInit: set key failed for %s", 248 cipher->name); 249 #endif 250 } 251 252 void 253 cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 254 { 255 if (len % cc->cipher->block_size) 256 fatal("cipher_encrypt: bad plaintext length %d", len); 257 #ifdef SSH_OLD_EVP 258 EVP_Cipher(&cc->evp, dest, (u_char *)src, len); 259 #else 260 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) 261 fatal("evp_crypt: EVP_Cipher failed"); 262 #endif 263 } 264 265 void 266 cipher_cleanup(CipherContext *cc) 267 { 268 #ifdef SSH_OLD_EVP 269 EVP_CIPHER_CTX_cleanup(&cc->evp); 270 #else 271 if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) 272 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); 273 #endif 274 } 275 276 /* 277 * Selects the cipher, and keys if by computing the MD5 checksum of the 278 * passphrase and using the resulting 16 bytes as the key. 279 */ 280 281 void 282 cipher_set_key_string(CipherContext *cc, Cipher *cipher, 283 const char *passphrase, int encrypt) 284 { 285 MD5_CTX md; 286 u_char digest[16]; 287 288 MD5_Init(&md); 289 MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); 290 MD5_Final(digest, &md); 291 292 cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt); 293 294 memset(digest, 0, sizeof(digest)); 295 memset(&md, 0, sizeof(md)); 296 } 297 298 /* Implementations for other non-EVP ciphers */ 299 300 /* 301 * This is used by SSH1: 302 * 303 * What kind of triple DES are these 2 routines? 304 * 305 * Why is there a redundant initialization vector? 306 * 307 * If only iv3 was used, then, this would till effect have been 308 * outer-cbc. However, there is also a private iv1 == iv2 which 309 * perhaps makes differential analysis easier. On the other hand, the 310 * private iv1 probably makes the CRC-32 attack ineffective. This is a 311 * result of that there is no longer any known iv1 to use when 312 * choosing the X block. 313 */ 314 struct ssh1_3des_ctx 315 { 316 EVP_CIPHER_CTX k1, k2, k3; 317 }; 318 319 static int 320 ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, 321 int enc) 322 { 323 struct ssh1_3des_ctx *c; 324 u_char *k1, *k2, *k3; 325 326 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 327 c = xmalloc(sizeof(*c)); 328 EVP_CIPHER_CTX_set_app_data(ctx, c); 329 } 330 if (key == NULL) 331 return (1); 332 if (enc == -1) 333 enc = ctx->encrypt; 334 k1 = k2 = k3 = (u_char *) key; 335 k2 += 8; 336 if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) { 337 if (enc) 338 k3 += 16; 339 else 340 k1 += 16; 341 } 342 EVP_CIPHER_CTX_init(&c->k1); 343 EVP_CIPHER_CTX_init(&c->k2); 344 EVP_CIPHER_CTX_init(&c->k3); 345 #ifdef SSH_OLD_EVP 346 EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc); 347 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc); 348 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc); 349 #else 350 if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 || 351 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 || 352 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) { 353 memset(c, 0, sizeof(*c)); 354 xfree(c); 355 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 356 return (0); 357 } 358 #endif 359 return (1); 360 } 361 362 static int 363 ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len) 364 { 365 struct ssh1_3des_ctx *c; 366 367 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 368 error("ssh1_3des_cbc: no context"); 369 return (0); 370 } 371 #ifdef SSH_OLD_EVP 372 EVP_Cipher(&c->k1, dest, (u_char *)src, len); 373 EVP_Cipher(&c->k2, dest, dest, len); 374 EVP_Cipher(&c->k3, dest, dest, len); 375 #else 376 if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 || 377 EVP_Cipher(&c->k2, dest, dest, len) == 0 || 378 EVP_Cipher(&c->k3, dest, dest, len) == 0) 379 return (0); 380 #endif 381 return (1); 382 } 383 384 static int 385 ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx) 386 { 387 struct ssh1_3des_ctx *c; 388 389 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 390 memset(c, 0, sizeof(*c)); 391 xfree(c); 392 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 393 } 394 return (1); 395 } 396 397 static const EVP_CIPHER * 398 evp_ssh1_3des(void) 399 { 400 static EVP_CIPHER ssh1_3des; 401 402 memset(&ssh1_3des, 0, sizeof(EVP_CIPHER)); 403 ssh1_3des.nid = NID_undef; 404 ssh1_3des.block_size = 8; 405 ssh1_3des.iv_len = 0; 406 ssh1_3des.key_len = 16; 407 ssh1_3des.init = ssh1_3des_init; 408 ssh1_3des.cleanup = ssh1_3des_cleanup; 409 ssh1_3des.do_cipher = ssh1_3des_cbc; 410 #ifndef SSH_OLD_EVP 411 ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH; 412 #endif 413 return (&ssh1_3des); 414 } 415 416 /* 417 * SSH1 uses a variation on Blowfish, all bytes must be swapped before 418 * and after encryption/decryption. Thus the swap_bytes stuff (yuk). 419 */ 420 static void 421 swap_bytes(const u_char *src, u_char *dst, int n) 422 { 423 u_char c[4]; 424 425 /* Process 4 bytes every lap. */ 426 for (n = n / 4; n > 0; n--) { 427 c[3] = *src++; 428 c[2] = *src++; 429 c[1] = *src++; 430 c[0] = *src++; 431 432 *dst++ = c[0]; 433 *dst++ = c[1]; 434 *dst++ = c[2]; 435 *dst++ = c[3]; 436 } 437 } 438 439 #ifdef SSH_OLD_EVP 440 static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key, 441 const unsigned char *iv, int enc) 442 { 443 if (iv != NULL) 444 memcpy (&(ctx->oiv[0]), iv, 8); 445 memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8); 446 if (key != NULL) 447 BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx), 448 key); 449 } 450 #endif 451 static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL; 452 453 static int 454 bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len) 455 { 456 int ret; 457 458 swap_bytes(in, out, len); 459 ret = (*orig_bf)(ctx, out, out, len); 460 swap_bytes(out, out, len); 461 return (ret); 462 } 463 464 static const EVP_CIPHER * 465 evp_ssh1_bf(void) 466 { 467 static EVP_CIPHER ssh1_bf; 468 469 memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER)); 470 orig_bf = ssh1_bf.do_cipher; 471 ssh1_bf.nid = NID_undef; 472 #ifdef SSH_OLD_EVP 473 ssh1_bf.init = bf_ssh1_init; 474 #endif 475 ssh1_bf.do_cipher = bf_ssh1_cipher; 476 ssh1_bf.key_len = 32; 477 return (&ssh1_bf); 478 } 479 480 #if (OPENSSL_VERSION_NUMBER < 0x00907000L) 481 /* RIJNDAEL */ 482 #define RIJNDAEL_BLOCKSIZE 16 483 struct ssh_rijndael_ctx 484 { 485 rijndael_ctx r_ctx; 486 u_char r_iv[RIJNDAEL_BLOCKSIZE]; 487 }; 488 489 static int 490 ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, 491 int enc) 492 { 493 struct ssh_rijndael_ctx *c; 494 495 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 496 c = xmalloc(sizeof(*c)); 497 EVP_CIPHER_CTX_set_app_data(ctx, c); 498 } 499 if (key != NULL) { 500 if (enc == -1) 501 enc = ctx->encrypt; 502 rijndael_set_key(&c->r_ctx, (u_char *)key, 503 8*EVP_CIPHER_CTX_key_length(ctx), enc); 504 } 505 if (iv != NULL) 506 memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE); 507 return (1); 508 } 509 510 static int 511 ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, 512 u_int len) 513 { 514 struct ssh_rijndael_ctx *c; 515 u_char buf[RIJNDAEL_BLOCKSIZE]; 516 u_char *cprev, *cnow, *plain, *ivp; 517 int i, j, blocks = len / RIJNDAEL_BLOCKSIZE; 518 519 if (len == 0) 520 return (1); 521 if (len % RIJNDAEL_BLOCKSIZE) 522 fatal("ssh_rijndael_cbc: bad len %d", len); 523 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 524 error("ssh_rijndael_cbc: no context"); 525 return (0); 526 } 527 if (ctx->encrypt) { 528 cnow = dest; 529 plain = (u_char *)src; 530 cprev = c->r_iv; 531 for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE, 532 cnow+=RIJNDAEL_BLOCKSIZE) { 533 for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++) 534 buf[j] = plain[j] ^ cprev[j]; 535 rijndael_encrypt(&c->r_ctx, buf, cnow); 536 cprev = cnow; 537 } 538 memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE); 539 } else { 540 cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE); 541 plain = dest+len-RIJNDAEL_BLOCKSIZE; 542 543 memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE); 544 for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE, 545 plain-=RIJNDAEL_BLOCKSIZE) { 546 rijndael_decrypt(&c->r_ctx, cnow, plain); 547 ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE; 548 for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++) 549 plain[j] ^= ivp[j]; 550 } 551 memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE); 552 } 553 return (1); 554 } 555 556 static int 557 ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx) 558 { 559 struct ssh_rijndael_ctx *c; 560 561 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 562 memset(c, 0, sizeof(*c)); 563 xfree(c); 564 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 565 } 566 return (1); 567 } 568 569 static const EVP_CIPHER * 570 evp_rijndael(void) 571 { 572 static EVP_CIPHER rijndal_cbc; 573 574 memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER)); 575 rijndal_cbc.nid = NID_undef; 576 rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE; 577 rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE; 578 rijndal_cbc.key_len = 16; 579 rijndal_cbc.init = ssh_rijndael_init; 580 rijndal_cbc.cleanup = ssh_rijndael_cleanup; 581 rijndal_cbc.do_cipher = ssh_rijndael_cbc; 582 #ifndef SSH_OLD_EVP 583 rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | 584 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; 585 #endif 586 return (&rijndal_cbc); 587 } 588 #endif 589 590 /* 591 * Exports an IV from the CipherContext required to export the key 592 * state back from the unprivileged child to the privileged parent 593 * process. 594 */ 595 596 int 597 cipher_get_keyiv_len(CipherContext *cc) 598 { 599 Cipher *c = cc->cipher; 600 int ivlen; 601 602 if (c->number == SSH_CIPHER_3DES) 603 ivlen = 24; 604 else 605 ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); 606 return (ivlen); 607 } 608 609 void 610 cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) 611 { 612 Cipher *c = cc->cipher; 613 u_char *civ = NULL; 614 int evplen; 615 616 switch (c->number) { 617 case SSH_CIPHER_SSH2: 618 case SSH_CIPHER_DES: 619 case SSH_CIPHER_BLOWFISH: 620 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 621 if (evplen == 0) 622 return; 623 if (evplen != len) 624 fatal("%s: wrong iv length %d != %d", __func__, 625 evplen, len); 626 627 #if (OPENSSL_VERSION_NUMBER < 0x00907000L) 628 if (c->evptype == evp_rijndael) { 629 struct ssh_rijndael_ctx *aesc; 630 631 aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 632 if (aesc == NULL) 633 fatal("%s: no rijndael context", __func__); 634 civ = aesc->r_iv; 635 } else 636 #endif 637 if (c->evptype == evp_aes_128_ctr) { 638 ssh_aes_ctr_iv(&cc->evp, 0, iv, len); 639 return; 640 } else { 641 civ = cc->evp.iv; 642 } 643 break; 644 case SSH_CIPHER_3DES: { 645 struct ssh1_3des_ctx *desc; 646 if (len != 24) 647 fatal("%s: bad 3des iv length: %d", __func__, len); 648 desc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 649 if (desc == NULL) 650 fatal("%s: no 3des context", __func__); 651 debug3("%s: Copying 3DES IV", __func__); 652 memcpy(iv, desc->k1.iv, 8); 653 memcpy(iv + 8, desc->k2.iv, 8); 654 memcpy(iv + 16, desc->k3.iv, 8); 655 return; 656 } 657 default: 658 fatal("%s: bad cipher %d", __func__, c->number); 659 } 660 memcpy(iv, civ, len); 661 } 662 663 void 664 cipher_set_keyiv(CipherContext *cc, u_char *iv) 665 { 666 Cipher *c = cc->cipher; 667 u_char *div = NULL; 668 int evplen = 0; 669 670 switch (c->number) { 671 case SSH_CIPHER_SSH2: 672 case SSH_CIPHER_DES: 673 case SSH_CIPHER_BLOWFISH: 674 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 675 if (evplen == 0) 676 return; 677 678 #if (OPENSSL_VERSION_NUMBER < 0x00907000L) 679 if (c->evptype == evp_rijndael) { 680 struct ssh_rijndael_ctx *aesc; 681 682 aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 683 if (aesc == NULL) 684 fatal("%s: no rijndael context", __func__); 685 div = aesc->r_iv; 686 } else 687 #endif 688 if (c->evptype == evp_aes_128_ctr) { 689 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); 690 return; 691 } else { 692 div = cc->evp.iv; 693 } 694 break; 695 case SSH_CIPHER_3DES: { 696 struct ssh1_3des_ctx *desc; 697 desc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 698 if (desc == NULL) 699 fatal("%s: no 3des context", __func__); 700 debug3("%s: Installed 3DES IV", __func__); 701 memcpy(desc->k1.iv, iv, 8); 702 memcpy(desc->k2.iv, iv + 8, 8); 703 memcpy(desc->k3.iv, iv + 16, 8); 704 return; 705 } 706 default: 707 fatal("%s: bad cipher %d", __func__, c->number); 708 } 709 memcpy(div, iv, evplen); 710 } 711 712 #if OPENSSL_VERSION_NUMBER < 0x00907000L 713 #define EVP_X_STATE(evp) &(evp).c 714 #define EVP_X_STATE_LEN(evp) sizeof((evp).c) 715 #else 716 #define EVP_X_STATE(evp) (evp).cipher_data 717 #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size 718 #endif 719 720 int 721 cipher_get_keycontext(CipherContext *cc, u_char *dat) 722 { 723 int plen = 0; 724 Cipher *c = cc->cipher; 725 726 if (c->evptype == EVP_rc4) { 727 plen = EVP_X_STATE_LEN(cc->evp); 728 if (dat == NULL) 729 return (plen); 730 memcpy(dat, EVP_X_STATE(cc->evp), plen); 731 } 732 return (plen); 733 } 734 735 void 736 cipher_set_keycontext(CipherContext *cc, u_char *dat) 737 { 738 Cipher *c = cc->cipher; 739 int plen; 740 741 if (c->evptype == EVP_rc4) { 742 plen = EVP_X_STATE_LEN(cc->evp); 743 memcpy(EVP_X_STATE(cc->evp), dat, plen); 744 } 745 } 746