=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/cipher.c,v retrieving revision 1.98 retrieving revision 1.99 diff -u -r1.98 -r1.99 --- src/usr.bin/ssh/cipher.c 2014/04/29 18:01:49 1.98 +++ src/usr.bin/ssh/cipher.c 2014/06/24 01:13:21 1.99 @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.98 2014/04/29 18:01:49 markus Exp $ */ +/* $OpenBSD: cipher.c,v 1.99 2014/06/24 01:13:21 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -41,20 +41,19 @@ #include #include -#include "xmalloc.h" -#include "log.h" -#include "misc.h" #include "cipher.h" -#include "buffer.h" +#include "misc.h" +#include "sshbuf.h" +#include "ssherr.h" #include "digest.h" #ifdef WITH_SSH1 extern const EVP_CIPHER *evp_ssh1_bf(void); extern const EVP_CIPHER *evp_ssh1_3des(void); -extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); +extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); #endif -struct Cipher { +struct sshcipher { char *name; int number; /* for ssh1 only */ u_int block_size; @@ -74,7 +73,7 @@ #endif }; -static const struct Cipher ciphers[] = { +static const struct sshcipher ciphers[] = { #ifdef WITH_SSH1 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, @@ -116,13 +115,13 @@ /*--*/ -/* Returns a list of supported ciphers separated by the specified char. */ +/* Returns a comma-separated list of supported ciphers. */ char * cipher_alg_list(char sep, int auth_only) { - char *ret = NULL; + char *tmp, *ret = NULL; size_t nlen, rlen = 0; - const Cipher *c; + const struct sshcipher *c; for (c = ciphers; c->name != NULL; c++) { if (c->number != SSH_CIPHER_SSH2) @@ -132,7 +131,11 @@ if (ret != NULL) ret[rlen++] = sep; nlen = strlen(c->name); - ret = xrealloc(ret, 1, rlen + nlen + 2); + if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { + free(ret); + return NULL; + } + ret = tmp; memcpy(ret + rlen, c->name, nlen + 1); rlen += nlen; } @@ -140,19 +143,19 @@ } u_int -cipher_blocksize(const Cipher *c) +cipher_blocksize(const struct sshcipher *c) { return (c->block_size); } u_int -cipher_keylen(const Cipher *c) +cipher_keylen(const struct sshcipher *c) { return (c->key_len); } u_int -cipher_seclen(const Cipher *c) +cipher_seclen(const struct sshcipher *c) { if (strcmp("3des-cbc", c->name) == 0) return 14; @@ -160,13 +163,13 @@ } u_int -cipher_authlen(const Cipher *c) +cipher_authlen(const struct sshcipher *c) { return (c->auth_len); } u_int -cipher_ivlen(const Cipher *c) +cipher_ivlen(const struct sshcipher *c) { /* * Default is cipher block size, except for chacha20+poly1305 that @@ -177,13 +180,13 @@ } u_int -cipher_get_number(const Cipher *c) +cipher_get_number(const struct sshcipher *c) { return (c->number); } u_int -cipher_is_cbc(const Cipher *c) +cipher_is_cbc(const struct sshcipher *c) { return (c->flags & CFLAG_CBC) != 0; } @@ -200,20 +203,20 @@ return mask; } -const Cipher * +const struct sshcipher * cipher_by_name(const char *name) { - const Cipher *c; + const struct sshcipher *c; for (c = ciphers; c->name != NULL; c++) if (strcmp(c->name, name) == 0) return c; return NULL; } -const Cipher * +const struct sshcipher * cipher_by_number(int id) { - const Cipher *c; + const struct sshcipher *c; for (c = ciphers; c->name != NULL; c++) if (c->number == id) return c; @@ -224,23 +227,22 @@ int ciphers_valid(const char *names) { - const Cipher *c; + const struct sshcipher *c; char *cipher_list, *cp; char *p; if (names == NULL || strcmp(names, "") == 0) return 0; - cipher_list = cp = xstrdup(names); + if ((cipher_list = cp = strdup(names)) == NULL) + return 0; for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; (p = strsep(&cp, CIPHER_SEP))) { c = cipher_by_name(p); if (c == NULL || c->number != SSH_CIPHER_SSH2) { - debug("bad cipher %s [%s]", p, names); free(cipher_list); return 0; } } - debug3("ciphers ok: [%s]", names); free(cipher_list); return 1; } @@ -253,7 +255,7 @@ int cipher_number(const char *name) { - const Cipher *c; + const struct sshcipher *c; if (name == NULL) return -1; for (c = ciphers; c->name != NULL; c++) @@ -265,27 +267,33 @@ char * cipher_name(int id) { - const Cipher *c = cipher_by_number(id); + const struct sshcipher *c = cipher_by_number(id); return (c==NULL) ? "" : c->name; } -void -cipher_init(CipherContext *cc, const Cipher *cipher, +const char * +cipher_warning_message(const struct sshcipher_ctx *cc) +{ + if (cc == NULL || cc->cipher == NULL) + return NULL; + if (cc->cipher->number == SSH_CIPHER_DES) + return "use of DES is strongly discouraged due to " + "cryptographic weaknesses"; + return NULL; +} + +int +cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher, const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, int do_encrypt) { #ifdef WITH_OPENSSL - static int dowarn = 1; + int ret = SSH_ERR_INTERNAL_ERROR; const EVP_CIPHER *type; int klen; u_char *junk, *discard; if (cipher->number == SSH_CIPHER_DES) { - if (dowarn) { - error("Warning: use of DES is strongly discouraged " - "due to cryptographic weaknesses"); - dowarn = 0; - } if (keylen > 8) keylen = 8; } @@ -293,61 +301,70 @@ cc->plaintext = (cipher->number == SSH_CIPHER_NONE); cc->encrypt = do_encrypt; - if (keylen < cipher->key_len) - fatal("cipher_init: key length %d is insufficient for %s.", - keylen, cipher->name); - if (iv != NULL && ivlen < cipher_ivlen(cipher)) - fatal("cipher_init: iv length %d is insufficient for %s.", - ivlen, cipher->name); - cc->cipher = cipher; + if (keylen < cipher->key_len || + (iv != NULL && ivlen < cipher_ivlen(cipher))) + return SSH_ERR_INVALID_ARGUMENT; + cc->cipher = cipher; if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { - chachapoly_init(&cc->cp_ctx, key, keylen); - return; + return chachapoly_init(&cc->cp_ctx, key, keylen); } #ifndef WITH_OPENSSL if ((cc->cipher->flags & CFLAG_AESCTR) != 0) { aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen); aesctr_ivsetup(&cc->ac_ctx, iv); - return; + return 0; } if ((cc->cipher->flags & CFLAG_NONE) != 0) - return; - fatal("unsupported cipher"); + return 0; + return SSH_ERR_INVALID_ARGUMENT; #else type = (*cipher->evptype)(); EVP_CIPHER_CTX_init(&cc->evp); if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv, - (do_encrypt == CIPHER_ENCRYPT)) == 0) - fatal("cipher_init: EVP_CipherInit failed for %s", - cipher->name); + (do_encrypt == CIPHER_ENCRYPT)) == 0) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto bad; + } if (cipher_authlen(cipher) && !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED, - -1, (u_char *)iv)) - fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s", - cipher->name); + -1, (u_char *)iv)) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto bad; + } klen = EVP_CIPHER_CTX_key_length(&cc->evp); if (klen > 0 && keylen != (u_int)klen) { - debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); - if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) - fatal("cipher_init: set keylen failed (%d -> %d)", - klen, keylen); + if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto bad; + } } - if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) - fatal("cipher_init: EVP_CipherInit: set key failed for %s", - cipher->name); + if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto bad; + } if (cipher->discard_len > 0) { - junk = xmalloc(cipher->discard_len); - discard = xmalloc(cipher->discard_len); - if (EVP_Cipher(&cc->evp, discard, junk, - cipher->discard_len) == 0) - fatal("evp_crypt: EVP_Cipher failed during discard"); + if ((junk = malloc(cipher->discard_len)) == NULL || + (discard = malloc(cipher->discard_len)) == NULL) { + if (junk != NULL) + free(junk); + ret = SSH_ERR_ALLOC_FAIL; + goto bad; + } + ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len); explicit_bzero(discard, cipher->discard_len); free(junk); free(discard); + if (ret != 1) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + bad: + EVP_CIPHER_CTX_cleanup(&cc->evp); + return ret; + } } #endif + return 0; } /* @@ -359,16 +376,15 @@ * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag. * This tag is written on encryption and verified on decryption. * Both 'aadlen' and 'authlen' can be set to 0. - * cipher_crypt() returns 0 on success and -1 if the decryption integrity - * check fails. */ int -cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src, - u_int len, u_int aadlen, u_int authlen) +cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest, + const u_char *src, u_int len, u_int aadlen, u_int authlen) { - if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) - return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, len, - aadlen, authlen, cc->encrypt); + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { + return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, + len, aadlen, authlen, cc->encrypt); + } #ifndef WITH_OPENSSL if ((cc->cipher->flags & CFLAG_AESCTR) != 0) { if (aadlen) @@ -381,46 +397,43 @@ memcpy(dest, src, aadlen + len); return 0; } - fatal("unsupported cipher"); + return SSH_ERR_INVALID_ARGUMENT; #else if (authlen) { u_char lastiv[1]; if (authlen != cipher_authlen(cc->cipher)) - fatal("%s: authlen mismatch %d", __func__, authlen); + return SSH_ERR_INVALID_ARGUMENT; /* increment IV */ if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN, 1, lastiv)) - fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__); + return SSH_ERR_LIBCRYPTO_ERROR; /* set tag on decyption */ if (!cc->encrypt && !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG, authlen, (u_char *)src + aadlen + len)) - fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__); + return SSH_ERR_LIBCRYPTO_ERROR; } if (aadlen) { if (authlen && EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0) - fatal("%s: EVP_Cipher(aad) failed", __func__); + return SSH_ERR_LIBCRYPTO_ERROR; memcpy(dest, src, aadlen); } if (len % cc->cipher->block_size) - fatal("%s: bad plaintext length %d", __func__, len); + return SSH_ERR_INVALID_ARGUMENT; if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen, len) < 0) - fatal("%s: EVP_Cipher failed", __func__); + return SSH_ERR_LIBCRYPTO_ERROR; if (authlen) { /* compute tag (on encrypt) or verify tag (on decrypt) */ - if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) { - if (cc->encrypt) - fatal("%s: EVP_Cipher(final) failed", __func__); - else - return -1; - } + if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) + return cc->encrypt ? + SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID; if (cc->encrypt && !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG, authlen, dest + aadlen + len)) - fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__); + return SSH_ERR_LIBCRYPTO_ERROR; } return 0; #endif @@ -428,61 +441,65 @@ /* Extract the packet length, including any decryption necessary beforehand */ int -cipher_get_length(CipherContext *cc, u_int *plenp, u_int seqnr, +cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr, const u_char *cp, u_int len) { if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr, cp, len); if (len < 4) - return -1; + return SSH_ERR_MESSAGE_INCOMPLETE; *plenp = get_u32(cp); return 0; } -void -cipher_cleanup(CipherContext *cc) +int +cipher_cleanup(struct sshcipher_ctx *cc) { + if (cc == NULL || cc->cipher == NULL) + return 0; if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx)); else if ((cc->cipher->flags & CFLAG_AESCTR) != 0) explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx)); #ifdef WITH_OPENSSL else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) - error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); + return SSH_ERR_LIBCRYPTO_ERROR; #endif + return 0; } /* * Selects the cipher, and keys if by computing the MD5 checksum of the * passphrase and using the resulting 16 bytes as the key. */ - -void -cipher_set_key_string(CipherContext *cc, const Cipher *cipher, +int +cipher_set_key_string(struct sshcipher_ctx *cc, const struct sshcipher *cipher, const char *passphrase, int do_encrypt) { u_char digest[16]; + int r = SSH_ERR_INTERNAL_ERROR; - if (ssh_digest_memory(SSH_DIGEST_MD5, passphrase, strlen(passphrase), - digest, sizeof(digest)) < 0) - fatal("%s: md5 failed", __func__); + if ((r = ssh_digest_memory(SSH_DIGEST_MD5, + passphrase, strlen(passphrase), + digest, sizeof(digest))) != 0) + goto out; - cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt); - + r = cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt); + out: explicit_bzero(digest, sizeof(digest)); + return r; } /* - * Exports an IV from the CipherContext required to export the key + * Exports an IV from the sshcipher_ctx required to export the key * state back from the unprivileged child to the privileged parent * process. */ - int -cipher_get_keyiv_len(const CipherContext *cc) +cipher_get_keyiv_len(const struct sshcipher_ctx *cc) { - const Cipher *c = cc->cipher; + const struct sshcipher *c = cc->cipher; int ivlen = 0; if (c->number == SSH_CIPHER_3DES) @@ -492,25 +509,25 @@ #ifdef WITH_OPENSSL else ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp); -#endif +#endif /* WITH_OPENSSL */ return (ivlen); } -void -cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) +int +cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) { - const Cipher *c = cc->cipher; + const struct sshcipher *c = cc->cipher; #ifdef WITH_OPENSSL - int evplen; + int evplen; #endif if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { if (len != 0) - fatal("%s: wrong iv length %d != %d", __func__, len, 0); - return; + return SSH_ERR_INVALID_ARGUMENT; + return 0; } if ((cc->cipher->flags & CFLAG_NONE) != 0) - return; + return 0; switch (c->number) { #ifdef WITH_OPENSSL @@ -518,41 +535,42 @@ case SSH_CIPHER_DES: case SSH_CIPHER_BLOWFISH: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); - if (evplen <= 0) - return; + if (evplen == 0) + return 0; + else if (evplen < 0) + return SSH_ERR_LIBCRYPTO_ERROR; if ((u_int)evplen != len) - fatal("%s: wrong iv length %d != %d", __func__, - evplen, len); + return SSH_ERR_INVALID_ARGUMENT; if (cipher_authlen(c)) { if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN, len, iv)) - fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__); + return SSH_ERR_LIBCRYPTO_ERROR; } else memcpy(iv, cc->evp.iv, len); break; #endif #ifdef WITH_SSH1 case SSH_CIPHER_3DES: - ssh1_3des_iv(&cc->evp, 0, iv, 24); - break; + return ssh1_3des_iv(&cc->evp, 0, iv, 24); #endif default: - fatal("%s: bad cipher %d", __func__, c->number); + return SSH_ERR_INVALID_ARGUMENT; } + return 0; } -void -cipher_set_keyiv(CipherContext *cc, u_char *iv) +int +cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) { - const Cipher *c = cc->cipher; + const struct sshcipher *c = cc->cipher; #ifdef WITH_OPENSSL - int evplen = 0; + int evplen = 0; #endif if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) - return; + return 0; if ((cc->cipher->flags & CFLAG_NONE) != 0) - return; + return 0; switch (c->number) { #ifdef WITH_OPENSSL @@ -560,25 +578,25 @@ case SSH_CIPHER_DES: case SSH_CIPHER_BLOWFISH: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); - if (evplen == 0) - return; + if (evplen <= 0) + return SSH_ERR_LIBCRYPTO_ERROR; if (cipher_authlen(c)) { + /* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */ if (!EVP_CIPHER_CTX_ctrl(&cc->evp, - EVP_CTRL_GCM_SET_IV_FIXED, -1, iv)) - fatal("%s: EVP_CTRL_GCM_SET_IV_FIXED failed", - __func__); + EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv)) + return SSH_ERR_LIBCRYPTO_ERROR; } else memcpy(cc->evp.iv, iv, evplen); break; #endif #ifdef WITH_SSH1 case SSH_CIPHER_3DES: - ssh1_3des_iv(&cc->evp, 1, iv, 24); - break; + return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24); #endif default: - fatal("%s: bad cipher %d", __func__, c->number); + return SSH_ERR_INVALID_ARGUMENT; } + return 0; } #ifdef WITH_OPENSSL @@ -587,10 +605,10 @@ #endif int -cipher_get_keycontext(const CipherContext *cc, u_char *dat) +cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat) { #ifdef WITH_OPENSSL - const Cipher *c = cc->cipher; + const struct sshcipher *c = cc->cipher; int plen = 0; if (c->evptype == EVP_rc4) { @@ -601,15 +619,15 @@ } return (plen); #else - return (0); + return 0; #endif } void -cipher_set_keycontext(CipherContext *cc, u_char *dat) +cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat) { #ifdef WITH_OPENSSL - const Cipher *c = cc->cipher; + const struct sshcipher *c = cc->cipher; int plen; if (c->evptype == EVP_rc4) {