1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be 10 * called by a name other than "ssh" or "Secure Shell". 11 * 12 * 13 * Copyright (c) 1999 Niels Provos. All rights reserved. 14 * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37 /* 38 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 39 * Use is subject to license terms. 40 */ 41 42 #include "includes.h" 43 RCSID("$OpenBSD: cipher.c,v 1.61 2002/07/12 15:50:17 markus Exp $"); 44 45 #include "xmalloc.h" 46 #include "log.h" 47 #include "cipher.h" 48 49 #include <openssl/md5.h> 50 51 #if OPENSSL_VERSION_NUMBER < 0x00906000L 52 #define SSH_OLD_EVP 53 #define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) 54 #endif 55 56 /* 57 * Symmetric ciphers can be offloaded to any engine through the EVP API only. 58 * However, OpenSSL doesn't offer AES in counter mode through EVP. So, we must 59 * define our own EVP functions. 60 */ 61 extern const EVP_CIPHER *evp_aes_128_ctr(void); 62 extern const EVP_CIPHER *evp_aes_192_ctr(void); 63 extern const EVP_CIPHER *evp_aes_256_ctr(void); 64 extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); 65 66 static const EVP_CIPHER *evp_ssh1_3des(void); 67 static const EVP_CIPHER *evp_ssh1_bf(void); 68 69 struct Cipher { 70 char *name; 71 int number; /* for ssh1 only */ 72 u_int block_size; 73 u_int key_len; 74 const EVP_CIPHER *(*evptype)(void); 75 } ciphers[] = { 76 { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, 77 { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc }, 78 { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des }, 79 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf }, 80 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc }, 81 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc }, 82 #ifdef SOLARIS_SSH_ENABLE_CAST5_128 83 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc }, 84 #endif /* SOLARIS_SSH_ENABLE_CAST5_128 */ 85 { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 }, 86 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc }, 87 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc }, 88 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, 89 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr }, 90 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_192_ctr }, 91 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_256_ctr }, 92 { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL } 93 }; 94 95 /*--*/ 96 97 u_int 98 cipher_blocksize(Cipher *c) 99 { 100 return (c->block_size); 101 } 102 103 u_int 104 cipher_keylen(Cipher *c) 105 { 106 return (c->key_len); 107 } 108 109 u_int 110 cipher_get_number(Cipher *c) 111 { 112 return (c->number); 113 } 114 115 u_int 116 cipher_mask_ssh1(int client) 117 { 118 u_int mask = 0; 119 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ 120 mask |= 1 << SSH_CIPHER_BLOWFISH; 121 if (client) { 122 mask |= 1 << SSH_CIPHER_DES; 123 } 124 return mask; 125 } 126 127 Cipher * 128 cipher_by_name(const char *name) 129 { 130 Cipher *c; 131 for (c = ciphers; c->name != NULL; c++) 132 if (strcasecmp(c->name, name) == 0) 133 return c; 134 return NULL; 135 } 136 137 Cipher * 138 cipher_by_number(int id) 139 { 140 Cipher *c; 141 for (c = ciphers; c->name != NULL; c++) 142 if (c->number == id) 143 return c; 144 return NULL; 145 } 146 147 #define CIPHER_SEP "," 148 int 149 ciphers_valid(const char *names) 150 { 151 Cipher *c; 152 char *ciphers, *cp; 153 char *p; 154 155 if (names == NULL || strcmp(names, "") == 0) 156 return 0; 157 ciphers = cp = xstrdup(names); 158 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; 159 (p = strsep(&cp, CIPHER_SEP))) { 160 c = cipher_by_name(p); 161 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 162 debug("bad cipher %s [%s]", p, names); 163 xfree(ciphers); 164 return 0; 165 } else { 166 debug3("cipher ok: %s [%s]", p, names); 167 } 168 } 169 debug3("ciphers ok: [%s]", names); 170 xfree(ciphers); 171 return 1; 172 } 173 174 /* 175 * Parses the name of the cipher. Returns the number of the corresponding 176 * cipher, or -1 on error. 177 */ 178 179 int 180 cipher_number(const char *name) 181 { 182 Cipher *c; 183 if (name == NULL) 184 return -1; 185 c = cipher_by_name(name); 186 return (c==NULL) ? -1 : c->number; 187 } 188 189 char * 190 cipher_name(int id) 191 { 192 Cipher *c = cipher_by_number(id); 193 return (c==NULL) ? "<unknown>" : c->name; 194 } 195 196 void 197 cipher_init(CipherContext *cc, Cipher *cipher, 198 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 199 int encrypt) 200 { 201 static int dowarn = 1; 202 #ifdef SSH_OLD_EVP 203 EVP_CIPHER *type; 204 #else 205 const EVP_CIPHER *type; 206 #endif 207 int klen; 208 209 if (cipher->number == SSH_CIPHER_DES) { 210 if (dowarn) { 211 error("Warning: use of DES is strongly discouraged " 212 "due to cryptographic weaknesses"); 213 dowarn = 0; 214 } 215 if (keylen > 8) 216 keylen = 8; 217 } 218 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 219 220 if (keylen < cipher->key_len) 221 fatal("cipher_init: key length %d is insufficient for %s.", 222 keylen, cipher->name); 223 if (iv != NULL && ivlen < cipher->block_size) 224 fatal("cipher_init: iv length %d is insufficient for %s.", 225 ivlen, cipher->name); 226 cc->cipher = cipher; 227 228 type = (*cipher->evptype)(); 229 230 EVP_CIPHER_CTX_init(&cc->evp); 231 #ifdef SSH_OLD_EVP 232 if (type->key_len > 0 && type->key_len != keylen) { 233 debug("cipher_init: set keylen (%d -> %d)", 234 type->key_len, keylen); 235 type->key_len = keylen; 236 } 237 EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv, 238 (encrypt == CIPHER_ENCRYPT)); 239 #else 240 if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv, 241 (encrypt == CIPHER_ENCRYPT)) == 0) 242 fatal("cipher_init: EVP_CipherInit failed for %s", 243 cipher->name); 244 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 245 if (klen > 0 && keylen != klen) { 246 debug("cipher_init: set keylen (%d -> %d)", klen, keylen); 247 if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) 248 fatal("cipher_init: set keylen failed (%d -> %d)", 249 klen, keylen); 250 } 251 if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) 252 fatal("cipher_init: EVP_CipherInit: set key failed for %s", 253 cipher->name); 254 #endif 255 } 256 257 void 258 cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 259 { 260 if (len % cc->cipher->block_size) 261 fatal("cipher_encrypt: bad plaintext length %d", len); 262 #ifdef SSH_OLD_EVP 263 EVP_Cipher(&cc->evp, dest, (u_char *)src, len); 264 #else 265 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) 266 fatal("evp_crypt: EVP_Cipher failed"); 267 #endif 268 } 269 270 void 271 cipher_cleanup(CipherContext *cc) 272 { 273 #ifdef SSH_OLD_EVP 274 EVP_CIPHER_CTX_cleanup(&cc->evp); 275 #else 276 if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) 277 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); 278 #endif 279 } 280 281 /* 282 * Selects the cipher, and keys if by computing the MD5 checksum of the 283 * passphrase and using the resulting 16 bytes as the key. 284 */ 285 286 void 287 cipher_set_key_string(CipherContext *cc, Cipher *cipher, 288 const char *passphrase, int encrypt) 289 { 290 MD5_CTX md; 291 u_char digest[16]; 292 293 MD5_Init(&md); 294 MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); 295 MD5_Final(digest, &md); 296 297 cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt); 298 299 memset(digest, 0, sizeof(digest)); 300 memset(&md, 0, sizeof(md)); 301 } 302 303 /* Implementations for other non-EVP ciphers */ 304 305 /* 306 * This is used by SSH1: 307 * 308 * What kind of triple DES are these 2 routines? 309 * 310 * Why is there a redundant initialization vector? 311 * 312 * If only iv3 was used, then, this would till effect have been 313 * outer-cbc. However, there is also a private iv1 == iv2 which 314 * perhaps makes differential analysis easier. On the other hand, the 315 * private iv1 probably makes the CRC-32 attack ineffective. This is a 316 * result of that there is no longer any known iv1 to use when 317 * choosing the X block. 318 */ 319 struct ssh1_3des_ctx 320 { 321 EVP_CIPHER_CTX k1, k2, k3; 322 }; 323 324 static int 325 ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, 326 int enc) 327 { 328 struct ssh1_3des_ctx *c; 329 u_char *k1, *k2, *k3; 330 331 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 332 c = xmalloc(sizeof(*c)); 333 EVP_CIPHER_CTX_set_app_data(ctx, c); 334 } 335 if (key == NULL) 336 return (1); 337 if (enc == -1) 338 enc = ctx->encrypt; 339 k1 = k2 = k3 = (u_char *) key; 340 k2 += 8; 341 if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) { 342 if (enc) 343 k3 += 16; 344 else 345 k1 += 16; 346 } 347 EVP_CIPHER_CTX_init(&c->k1); 348 EVP_CIPHER_CTX_init(&c->k2); 349 EVP_CIPHER_CTX_init(&c->k3); 350 #ifdef SSH_OLD_EVP 351 EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc); 352 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc); 353 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc); 354 #else 355 if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 || 356 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 || 357 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) { 358 memset(c, 0, sizeof(*c)); 359 xfree(c); 360 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 361 return (0); 362 } 363 #endif 364 return (1); 365 } 366 367 static int 368 ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len) 369 { 370 struct ssh1_3des_ctx *c; 371 372 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 373 error("ssh1_3des_cbc: no context"); 374 return (0); 375 } 376 #ifdef SSH_OLD_EVP 377 EVP_Cipher(&c->k1, dest, (u_char *)src, len); 378 EVP_Cipher(&c->k2, dest, dest, len); 379 EVP_Cipher(&c->k3, dest, dest, len); 380 #else 381 if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 || 382 EVP_Cipher(&c->k2, dest, dest, len) == 0 || 383 EVP_Cipher(&c->k3, dest, dest, len) == 0) 384 return (0); 385 #endif 386 return (1); 387 } 388 389 static int 390 ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx) 391 { 392 struct ssh1_3des_ctx *c; 393 394 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 395 memset(c, 0, sizeof(*c)); 396 xfree(c); 397 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 398 } 399 return (1); 400 } 401 402 static const EVP_CIPHER * 403 evp_ssh1_3des(void) 404 { 405 static EVP_CIPHER ssh1_3des; 406 407 memset(&ssh1_3des, 0, sizeof(EVP_CIPHER)); 408 ssh1_3des.nid = NID_undef; 409 ssh1_3des.block_size = 8; 410 ssh1_3des.iv_len = 0; 411 ssh1_3des.key_len = 16; 412 ssh1_3des.init = ssh1_3des_init; 413 ssh1_3des.cleanup = ssh1_3des_cleanup; 414 ssh1_3des.do_cipher = ssh1_3des_cbc; 415 #ifndef SSH_OLD_EVP 416 ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH; 417 #endif 418 return (&ssh1_3des); 419 } 420 421 /* 422 * SSH1 uses a variation on Blowfish, all bytes must be swapped before 423 * and after encryption/decryption. Thus the swap_bytes stuff (yuk). 424 */ 425 static void 426 swap_bytes(const u_char *src, u_char *dst, int n) 427 { 428 u_char c[4]; 429 430 /* Process 4 bytes every lap. */ 431 for (n = n / 4; n > 0; n--) { 432 c[3] = *src++; 433 c[2] = *src++; 434 c[1] = *src++; 435 c[0] = *src++; 436 437 *dst++ = c[0]; 438 *dst++ = c[1]; 439 *dst++ = c[2]; 440 *dst++ = c[3]; 441 } 442 } 443 444 #ifdef SSH_OLD_EVP 445 static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key, 446 const unsigned char *iv, int enc) 447 { 448 if (iv != NULL) 449 memcpy (&(ctx->oiv[0]), iv, 8); 450 memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8); 451 if (key != NULL) 452 BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx), 453 key); 454 } 455 #endif 456 static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL; 457 458 static int 459 bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len) 460 { 461 int ret; 462 463 swap_bytes(in, out, len); 464 ret = (*orig_bf)(ctx, out, out, len); 465 swap_bytes(out, out, len); 466 return (ret); 467 } 468 469 static const EVP_CIPHER * 470 evp_ssh1_bf(void) 471 { 472 static EVP_CIPHER ssh1_bf; 473 474 memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER)); 475 orig_bf = ssh1_bf.do_cipher; 476 ssh1_bf.nid = NID_undef; 477 #ifdef SSH_OLD_EVP 478 ssh1_bf.init = bf_ssh1_init; 479 #endif 480 ssh1_bf.do_cipher = bf_ssh1_cipher; 481 ssh1_bf.key_len = 32; 482 return (&ssh1_bf); 483 } 484 485 #if (OPENSSL_VERSION_NUMBER < 0x00907000L) 486 /* RIJNDAEL */ 487 #define RIJNDAEL_BLOCKSIZE 16 488 struct ssh_rijndael_ctx 489 { 490 rijndael_ctx r_ctx; 491 u_char r_iv[RIJNDAEL_BLOCKSIZE]; 492 }; 493 494 static int 495 ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, 496 int enc) 497 { 498 struct ssh_rijndael_ctx *c; 499 500 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 501 c = xmalloc(sizeof(*c)); 502 EVP_CIPHER_CTX_set_app_data(ctx, c); 503 } 504 if (key != NULL) { 505 if (enc == -1) 506 enc = ctx->encrypt; 507 rijndael_set_key(&c->r_ctx, (u_char *)key, 508 8*EVP_CIPHER_CTX_key_length(ctx), enc); 509 } 510 if (iv != NULL) 511 memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE); 512 return (1); 513 } 514 515 static int 516 ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, 517 u_int len) 518 { 519 struct ssh_rijndael_ctx *c; 520 u_char buf[RIJNDAEL_BLOCKSIZE]; 521 u_char *cprev, *cnow, *plain, *ivp; 522 int i, j, blocks = len / RIJNDAEL_BLOCKSIZE; 523 524 if (len == 0) 525 return (1); 526 if (len % RIJNDAEL_BLOCKSIZE) 527 fatal("ssh_rijndael_cbc: bad len %d", len); 528 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { 529 error("ssh_rijndael_cbc: no context"); 530 return (0); 531 } 532 if (ctx->encrypt) { 533 cnow = dest; 534 plain = (u_char *)src; 535 cprev = c->r_iv; 536 for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE, 537 cnow+=RIJNDAEL_BLOCKSIZE) { 538 for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++) 539 buf[j] = plain[j] ^ cprev[j]; 540 rijndael_encrypt(&c->r_ctx, buf, cnow); 541 cprev = cnow; 542 } 543 memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE); 544 } else { 545 cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE); 546 plain = dest+len-RIJNDAEL_BLOCKSIZE; 547 548 memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE); 549 for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE, 550 plain-=RIJNDAEL_BLOCKSIZE) { 551 rijndael_decrypt(&c->r_ctx, cnow, plain); 552 ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE; 553 for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++) 554 plain[j] ^= ivp[j]; 555 } 556 memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE); 557 } 558 return (1); 559 } 560 561 static int 562 ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx) 563 { 564 struct ssh_rijndael_ctx *c; 565 566 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 567 memset(c, 0, sizeof(*c)); 568 xfree(c); 569 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 570 } 571 return (1); 572 } 573 574 static const EVP_CIPHER * 575 evp_rijndael(void) 576 { 577 static EVP_CIPHER rijndal_cbc; 578 579 memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER)); 580 rijndal_cbc.nid = NID_undef; 581 rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE; 582 rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE; 583 rijndal_cbc.key_len = 16; 584 rijndal_cbc.init = ssh_rijndael_init; 585 rijndal_cbc.cleanup = ssh_rijndael_cleanup; 586 rijndal_cbc.do_cipher = ssh_rijndael_cbc; 587 #ifndef SSH_OLD_EVP 588 rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | 589 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; 590 #endif 591 return (&rijndal_cbc); 592 } 593 #endif 594 595 /* 596 * Exports an IV from the CipherContext required to export the key 597 * state back from the unprivileged child to the privileged parent 598 * process. 599 */ 600 601 int 602 cipher_get_keyiv_len(CipherContext *cc) 603 { 604 Cipher *c = cc->cipher; 605 int ivlen; 606 607 if (c->number == SSH_CIPHER_3DES) 608 ivlen = 24; 609 else 610 ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); 611 return (ivlen); 612 } 613 614 void 615 cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) 616 { 617 Cipher *c = cc->cipher; 618 u_char *civ = NULL; 619 int evplen; 620 621 switch (c->number) { 622 case SSH_CIPHER_SSH2: 623 case SSH_CIPHER_DES: 624 case SSH_CIPHER_BLOWFISH: 625 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 626 if (evplen == 0) 627 return; 628 if (evplen != len) 629 fatal("%s: wrong iv length %d != %d", __func__, 630 evplen, len); 631 632 #if (OPENSSL_VERSION_NUMBER < 0x00907000L) 633 if (c->evptype == evp_rijndael) { 634 struct ssh_rijndael_ctx *aesc; 635 636 aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 637 if (aesc == NULL) 638 fatal("%s: no rijndael context", __func__); 639 civ = aesc->r_iv; 640 } else 641 #endif 642 if (c->evptype == evp_aes_128_ctr) { 643 ssh_aes_ctr_iv(&cc->evp, 0, iv, len); 644 return; 645 } else { 646 civ = cc->evp.iv; 647 } 648 break; 649 case SSH_CIPHER_3DES: { 650 struct ssh1_3des_ctx *desc; 651 if (len != 24) 652 fatal("%s: bad 3des iv length: %d", __func__, len); 653 desc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 654 if (desc == NULL) 655 fatal("%s: no 3des context", __func__); 656 debug3("%s: Copying 3DES IV", __func__); 657 memcpy(iv, desc->k1.iv, 8); 658 memcpy(iv + 8, desc->k2.iv, 8); 659 memcpy(iv + 16, desc->k3.iv, 8); 660 return; 661 } 662 default: 663 fatal("%s: bad cipher %d", __func__, c->number); 664 } 665 memcpy(iv, civ, len); 666 } 667 668 void 669 cipher_set_keyiv(CipherContext *cc, u_char *iv) 670 { 671 Cipher *c = cc->cipher; 672 u_char *div = NULL; 673 int evplen = 0; 674 675 switch (c->number) { 676 case SSH_CIPHER_SSH2: 677 case SSH_CIPHER_DES: 678 case SSH_CIPHER_BLOWFISH: 679 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 680 if (evplen == 0) 681 return; 682 683 #if (OPENSSL_VERSION_NUMBER < 0x00907000L) 684 if (c->evptype == evp_rijndael) { 685 struct ssh_rijndael_ctx *aesc; 686 687 aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 688 if (aesc == NULL) 689 fatal("%s: no rijndael context", __func__); 690 div = aesc->r_iv; 691 } else 692 #endif 693 if (c->evptype == evp_aes_128_ctr) { 694 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); 695 return; 696 } else { 697 div = cc->evp.iv; 698 } 699 break; 700 case SSH_CIPHER_3DES: { 701 struct ssh1_3des_ctx *desc; 702 desc = EVP_CIPHER_CTX_get_app_data(&cc->evp); 703 if (desc == NULL) 704 fatal("%s: no 3des context", __func__); 705 debug3("%s: Installed 3DES IV", __func__); 706 memcpy(desc->k1.iv, iv, 8); 707 memcpy(desc->k2.iv, iv + 8, 8); 708 memcpy(desc->k3.iv, iv + 16, 8); 709 return; 710 } 711 default: 712 fatal("%s: bad cipher %d", __func__, c->number); 713 } 714 memcpy(div, iv, evplen); 715 } 716 717 #if OPENSSL_VERSION_NUMBER < 0x00907000L 718 #define EVP_X_STATE(evp) &(evp).c 719 #define EVP_X_STATE_LEN(evp) sizeof((evp).c) 720 #else 721 #define EVP_X_STATE(evp) (evp).cipher_data 722 #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size 723 #endif 724 725 int 726 cipher_get_keycontext(CipherContext *cc, u_char *dat) 727 { 728 int plen = 0; 729 Cipher *c = cc->cipher; 730 731 if (c->evptype == EVP_rc4) { 732 plen = EVP_X_STATE_LEN(cc->evp); 733 if (dat == NULL) 734 return (plen); 735 memcpy(dat, EVP_X_STATE(cc->evp), plen); 736 } 737 return (plen); 738 } 739 740 void 741 cipher_set_keycontext(CipherContext *cc, u_char *dat) 742 { 743 Cipher *c = cc->cipher; 744 int plen; 745 746 if (c->evptype == EVP_rc4) { 747 plen = EVP_X_STATE_LEN(cc->evp); 748 memcpy(EVP_X_STATE(cc->evp), dat, plen); 749 } 750 } 751