Annotation of src/usr.bin/ssh/cipher.c, Revision 1.54
1.1 deraadt 1: /*
1.30 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
1.26 markus 5: *
1.30 deraadt 6: * As far as I am concerned, the code I have written for this software
7: * can be used freely for any purpose. Any derived versions of this
8: * software must be clearly marked as such, and if the derived work is
9: * incompatible with the protocol description in the RFC file, it must be
10: * called by a name other than "ssh" or "Secure Shell".
1.26 markus 11: *
12: *
1.30 deraadt 13: * Copyright (c) 1999 Niels Provos. All rights reserved.
1.46 markus 14: * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved.
1.26 markus 15: *
1.30 deraadt 16: * Redistribution and use in source and binary forms, with or without
17: * modification, are permitted provided that the following conditions
18: * are met:
19: * 1. Redistributions of source code must retain the above copyright
20: * notice, this list of conditions and the following disclaimer.
21: * 2. Redistributions in binary form must reproduce the above copyright
22: * notice, this list of conditions and the following disclaimer in the
23: * documentation and/or other materials provided with the distribution.
1.26 markus 24: *
1.30 deraadt 25: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.17 deraadt 35: */
1.1 deraadt 36:
37: #include "includes.h"
1.54 ! markus 38: RCSID("$OpenBSD: cipher.c,v 1.53 2002/03/18 17:13:15 markus Exp $");
1.1 deraadt 39:
1.24 markus 40: #include "xmalloc.h"
1.42 markus 41: #include "log.h"
42: #include "cipher.h"
1.8 deraadt 43:
1.25 markus 44: #include <openssl/md5.h>
1.52 markus 45: #include "rijndael.h"
46:
47: static EVP_CIPHER *evp_ssh1_3des(void);
48: static EVP_CIPHER *evp_ssh1_bf(void);
49: static EVP_CIPHER *evp_rijndael(void);
1.1 deraadt 50:
1.51 markus 51: struct Cipher {
52: char *name;
53: int number; /* for ssh1 only */
54: u_int block_size;
55: u_int key_len;
1.52 markus 56: EVP_CIPHER *(*evptype)(void);
57: } ciphers[] = {
58: { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
59: { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
60: { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
61: { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },
62:
63: { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
64: { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
65: { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
66: { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
67: { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael },
68: { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael },
69: { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
1.47 markus 70:
1.52 markus 71: { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL }
1.32 markus 72: };
73:
74: /*--*/
1.1 deraadt 75:
1.54 ! markus 76: u_int
1.51 markus 77: cipher_blocksize(Cipher *c)
78: {
79: return (c->block_size);
80: }
1.54 ! markus 81: u_int
1.51 markus 82: cipher_keylen(Cipher *c)
83: {
84: return (c->key_len);
85: }
1.54 ! markus 86: u_int
1.53 markus 87: cipher_get_number(Cipher *c)
88: {
89: return (c->number);
90: }
1.51 markus 91:
1.41 markus 92: u_int
1.34 markus 93: cipher_mask_ssh1(int client)
1.1 deraadt 94: {
1.41 markus 95: u_int mask = 0;
1.48 deraadt 96: mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
1.34 markus 97: mask |= 1 << SSH_CIPHER_BLOWFISH;
98: if (client) {
99: mask |= 1 << SSH_CIPHER_DES;
1.32 markus 100: }
101: return mask;
1.1 deraadt 102: }
103:
1.32 markus 104: Cipher *
105: cipher_by_name(const char *name)
106: {
107: Cipher *c;
108: for (c = ciphers; c->name != NULL; c++)
109: if (strcasecmp(c->name, name) == 0)
110: return c;
111: return NULL;
112: }
113:
114: Cipher *
115: cipher_by_number(int id)
116: {
117: Cipher *c;
118: for (c = ciphers; c->name != NULL; c++)
119: if (c->number == id)
120: return c;
121: return NULL;
122: }
1.24 markus 123:
124: #define CIPHER_SEP ","
125: int
126: ciphers_valid(const char *names)
127: {
1.32 markus 128: Cipher *c;
1.29 ho 129: char *ciphers, *cp;
1.24 markus 130: char *p;
131:
1.27 markus 132: if (names == NULL || strcmp(names, "") == 0)
1.24 markus 133: return 0;
1.29 ho 134: ciphers = cp = xstrdup(names);
1.32 markus 135: for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
1.48 deraadt 136: (p = strsep(&cp, CIPHER_SEP))) {
1.32 markus 137: c = cipher_by_name(p);
138: if (c == NULL || c->number != SSH_CIPHER_SSH2) {
139: debug("bad cipher %s [%s]", p, names);
1.24 markus 140: xfree(ciphers);
141: return 0;
1.32 markus 142: } else {
1.36 markus 143: debug3("cipher ok: %s [%s]", p, names);
1.24 markus 144: }
145: }
1.36 markus 146: debug3("ciphers ok: [%s]", names);
1.24 markus 147: xfree(ciphers);
148: return 1;
149: }
150:
1.18 markus 151: /*
152: * Parses the name of the cipher. Returns the number of the corresponding
153: * cipher, or -1 on error.
154: */
1.1 deraadt 155:
1.4 provos 156: int
157: cipher_number(const char *name)
1.1 deraadt 158: {
1.32 markus 159: Cipher *c;
1.27 markus 160: if (name == NULL)
161: return -1;
1.32 markus 162: c = cipher_by_name(name);
163: return (c==NULL) ? -1 : c->number;
1.1 deraadt 164: }
165:
1.32 markus 166: char *
167: cipher_name(int id)
1.1 deraadt 168: {
1.32 markus 169: Cipher *c = cipher_by_number(id);
170: return (c==NULL) ? "<unknown>" : c->name;
1.1 deraadt 171: }
172:
1.26 markus 173: void
1.52 markus 174: cipher_init(CipherContext *cc, Cipher *cipher,
175: const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
176: int encrypt)
1.16 markus 177: {
1.52 markus 178: static int dowarn = 1;
179: const EVP_CIPHER *type;
180: int klen;
181:
182: if (cipher->number == SSH_CIPHER_DES) {
183: if (dowarn) {
184: error("Warning: use of DES is strongly discouraged "
185: "due to cryptographic weaknesses");
186: dowarn = 0;
187: }
188: if (keylen > 8)
189: keylen = 8;
190: }
191: cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
192:
1.32 markus 193: if (keylen < cipher->key_len)
194: fatal("cipher_init: key length %d is insufficient for %s.",
195: keylen, cipher->name);
196: if (iv != NULL && ivlen < cipher->block_size)
197: fatal("cipher_init: iv length %d is insufficient for %s.",
198: ivlen, cipher->name);
199: cc->cipher = cipher;
1.52 markus 200:
201: type = (*cipher->evptype)();
202:
203: EVP_CIPHER_CTX_init(&cc->evp);
204: if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
205: (encrypt == CIPHER_ENCRYPT)) == 0)
206: fatal("cipher_init: EVP_CipherInit failed for %s",
207: cipher->name);
208: klen = EVP_CIPHER_CTX_key_length(&cc->evp);
209: if (klen > 0 && keylen != klen) {
210: debug("cipher_init: set keylen (%d -> %d)", klen, keylen);
211: if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
212: fatal("cipher_init: set keylen failed (%d -> %d)",
213: klen, keylen);
214: }
215: if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
216: fatal("cipher_init: EVP_CipherInit: set key failed for %s",
217: cipher->name);
1.1 deraadt 218: }
1.21 markus 219:
1.26 markus 220: void
1.51 markus 221: cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
1.32 markus 222: {
223: if (len % cc->cipher->block_size)
224: fatal("cipher_encrypt: bad plaintext length %d", len);
1.52 markus 225: if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
226: fatal("evp_crypt: EVP_Cipher failed");
1.21 markus 227: }
228:
1.26 markus 229: void
1.51 markus 230: cipher_cleanup(CipherContext *cc)
1.16 markus 231: {
1.52 markus 232: if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
233: error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
1.16 markus 234: }
1.1 deraadt 235:
1.32 markus 236: /*
237: * Selects the cipher, and keys if by computing the MD5 checksum of the
238: * passphrase and using the resulting 16 bytes as the key.
239: */
1.1 deraadt 240:
1.26 markus 241: void
1.32 markus 242: cipher_set_key_string(CipherContext *cc, Cipher *cipher,
1.51 markus 243: const char *passphrase, int encrypt)
1.16 markus 244: {
1.32 markus 245: MD5_CTX md;
1.41 markus 246: u_char digest[16];
1.32 markus 247:
248: MD5_Init(&md);
249: MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
250: MD5_Final(digest, &md);
1.16 markus 251:
1.51 markus 252: cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt);
1.16 markus 253:
1.32 markus 254: memset(digest, 0, sizeof(digest));
255: memset(&md, 0, sizeof(md));
1.52 markus 256: }
257:
258: /* Implementations for other non-EVP ciphers */
259:
260: /*
261: * This is used by SSH1:
262: *
263: * What kind of triple DES are these 2 routines?
264: *
265: * Why is there a redundant initialization vector?
266: *
267: * If only iv3 was used, then, this would till effect have been
268: * outer-cbc. However, there is also a private iv1 == iv2 which
269: * perhaps makes differential analysis easier. On the other hand, the
270: * private iv1 probably makes the CRC-32 attack ineffective. This is a
271: * result of that there is no longer any known iv1 to use when
272: * choosing the X block.
273: */
274: struct ssh1_3des_ctx
275: {
276: EVP_CIPHER_CTX k1, k2, k3;
277: };
278: static int
279: ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
280: int enc)
281: {
282: struct ssh1_3des_ctx *c;
283: u_char *k1, *k2, *k3;
284:
285: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
286: c = xmalloc(sizeof(*c));
287: EVP_CIPHER_CTX_set_app_data(ctx, c);
288: }
289: if (key == NULL)
290: return (1);
291: if (enc == -1)
292: enc = ctx->encrypt;
293: k1 = k2 = k3 = (u_char *) key;
294: k2 += 8;
295: if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) {
296: if (enc)
297: k3 += 16;
298: else
299: k1 += 16;
300: }
301: EVP_CIPHER_CTX_init(&c->k1);
302: EVP_CIPHER_CTX_init(&c->k2);
303: EVP_CIPHER_CTX_init(&c->k3);
304: if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
305: EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
306: EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
307: memset(c, 0, sizeof(*c));
308: xfree(c);
309: EVP_CIPHER_CTX_set_app_data(ctx, NULL);
310: return (0);
311: }
312: return (1);
313: }
314: static int
315: ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len)
316: {
317: struct ssh1_3des_ctx *c;
318:
319: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
320: error("ssh1_3des_cbc: no context");
321: return (0);
322: }
323: if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
324: EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
325: EVP_Cipher(&c->k3, dest, dest, len) == 0)
326: return (0);
327: return (1);
328: }
329: static int
330: ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
331: {
332: struct ssh1_3des_ctx *c;
333:
334: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
335: memset(c, 0, sizeof(*c));
336: xfree(c);
337: EVP_CIPHER_CTX_set_app_data(ctx, NULL);
338: }
339: return (1);
340: }
341: static EVP_CIPHER *
342: evp_ssh1_3des(void)
343: {
344: static EVP_CIPHER ssh1_3des;
345:
346: memset(&ssh1_3des, 0, sizeof(EVP_CIPHER));
347: ssh1_3des.nid = NID_undef;
348: ssh1_3des.block_size = 8;
349: ssh1_3des.iv_len = 0;
350: ssh1_3des.key_len = 16;
351: ssh1_3des.init = ssh1_3des_init;
352: ssh1_3des.cleanup = ssh1_3des_cleanup;
353: ssh1_3des.do_cipher = ssh1_3des_cbc;
354: ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
355: return (&ssh1_3des);
356: }
357:
358: /*
359: * SSH1 uses a variation on Blowfish, all bytes must be swapped before
360: * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
361: */
362: static void
363: swap_bytes(const u_char *src, u_char *dst, int n)
364: {
365: u_char c[4];
366:
367: /* Process 4 bytes every lap. */
368: for (n = n / 4; n > 0; n--) {
369: c[3] = *src++;
370: c[2] = *src++;
371: c[1] = *src++;
372: c[0] = *src++;
373:
374: *dst++ = c[0];
375: *dst++ = c[1];
376: *dst++ = c[2];
377: *dst++ = c[3];
378: }
379: }
380: static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL;
381: static int
382: bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len)
383: {
384: int ret;
385:
386: swap_bytes(in, out, len);
387: ret = (*orig_bf)(ctx, out, out, len);
388: swap_bytes(out, out, len);
389: return (ret);
390: }
391: static EVP_CIPHER *
392: evp_ssh1_bf(void)
393: {
394: static EVP_CIPHER ssh1_bf;
395:
396: memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
397: orig_bf = ssh1_bf.do_cipher;
398: ssh1_bf.nid = NID_undef;
399: ssh1_bf.do_cipher = bf_ssh1_cipher;
400: ssh1_bf.key_len = 32;
401: return (&ssh1_bf);
402: }
403:
404: /* RIJNDAEL */
405: #define RIJNDAEL_BLOCKSIZE 16
406: struct ssh_rijndael_ctx
407: {
408: rijndael_ctx r_ctx;
409: u_char r_iv[RIJNDAEL_BLOCKSIZE];
410: };
411:
412: static int
413: ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
414: int enc)
415: {
416: struct ssh_rijndael_ctx *c;
417:
418: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
419: c = xmalloc(sizeof(*c));
420: EVP_CIPHER_CTX_set_app_data(ctx, c);
421: }
422: if (key != NULL) {
423: if (enc == -1)
424: enc = ctx->encrypt;
425: rijndael_set_key(&c->r_ctx, (u_char *)key,
426: 8*EVP_CIPHER_CTX_key_length(ctx), enc);
427: }
428: if (iv != NULL)
429: memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE);
430: return (1);
431: }
432: static int
433: ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
434: u_int len)
435: {
436: struct ssh_rijndael_ctx *c;
437: u_char buf[RIJNDAEL_BLOCKSIZE];
438: u_char *cprev, *cnow, *plain, *ivp;
439: int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
440:
441: if (len == 0)
442: return (1);
443: if (len % RIJNDAEL_BLOCKSIZE)
444: fatal("ssh_rijndael_cbc: bad len %d", len);
445: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
446: error("ssh_rijndael_cbc: no context");
447: return (0);
448: }
449: if (ctx->encrypt) {
450: cnow = dest;
451: plain = (u_char *)src;
452: cprev = c->r_iv;
453: for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
454: cnow+=RIJNDAEL_BLOCKSIZE) {
455: for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
456: buf[j] = plain[j] ^ cprev[j];
457: rijndael_encrypt(&c->r_ctx, buf, cnow);
458: cprev = cnow;
459: }
460: memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE);
461: } else {
462: cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
463: plain = dest+len-RIJNDAEL_BLOCKSIZE;
464:
465: memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE);
466: for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
467: plain-=RIJNDAEL_BLOCKSIZE) {
468: rijndael_decrypt(&c->r_ctx, cnow, plain);
469: ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
470: for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
471: plain[j] ^= ivp[j];
472: }
473: memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
474: }
475: return (1);
476: }
477: static int
478: ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
479: {
480: struct ssh_rijndael_ctx *c;
481:
482: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
483: memset(c, 0, sizeof(*c));
484: xfree(c);
485: EVP_CIPHER_CTX_set_app_data(ctx, NULL);
486: }
487: return (1);
488: }
489: static EVP_CIPHER *
490: evp_rijndael(void)
491: {
492: static EVP_CIPHER rijndal_cbc;
493:
494: memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER));
495: rijndal_cbc.nid = NID_undef;
496: rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE;
497: rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;
498: rijndal_cbc.key_len = 16;
499: rijndal_cbc.init = ssh_rijndael_init;
500: rijndal_cbc.cleanup = ssh_rijndael_cleanup;
501: rijndal_cbc.do_cipher = ssh_rijndael_cbc;
502: rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
503: EVP_CIPH_ALWAYS_CALL_INIT;
504: return (&rijndal_cbc);
1.53 markus 505: }
506:
1.54 ! markus 507: /*
1.53 markus 508: * Exports an IV from the CipherContext required to export the key
509: * state back from the unprivileged child to the privileged parent
510: * process.
511: */
512:
513: int
514: cipher_get_keyiv_len(CipherContext *cc)
515: {
516: Cipher *c = cc->cipher;
517: int ivlen;
518:
519: if (c->number == SSH_CIPHER_3DES)
520: ivlen = 24;
521: else
522: ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
523: return (ivlen);
524: }
525:
526: void
527: cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
528: {
529: Cipher *c = cc->cipher;
530: u_char *civ = NULL;
531: int evplen;
532:
533: switch (c->number) {
534: case SSH_CIPHER_SSH2:
535: case SSH_CIPHER_DES:
536: case SSH_CIPHER_BLOWFISH:
537: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
538: if (evplen == 0)
539: return;
540: if (evplen != len)
541: fatal("%s: wrong iv length %d != %d", __FUNCTION__,
542: evplen, len);
543:
544: if (strncmp(c->name, "aes", 3) == 0) {
545: struct ssh_rijndael_ctx *aesc;
546:
547: aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
548: if (aesc == NULL)
549: fatal("%s: no rijndael context", __FUNCTION__);
550: civ = aesc->r_iv;
551: } else {
552: civ = cc->evp.iv;
553: }
554: break;
555: case SSH_CIPHER_3DES: {
556: struct ssh1_3des_ctx *desc;
557: if (len != 24)
558: fatal("%s: bad 3des iv length: %d", __FUNCTION__, len);
559: desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
560: if (desc == NULL)
561: fatal("%s: no 3des context", __FUNCTION__);
562: debug3("%s: Copying 3DES IV", __FUNCTION__);
563: memcpy(iv, desc->k1.iv, 8);
564: memcpy(iv + 8, desc->k2.iv, 8);
565: memcpy(iv + 16, desc->k3.iv, 8);
566: return;
567: }
568: default:
569: fatal("%s: bad cipher %d", __FUNCTION__, c->number);
570: }
571: memcpy(iv, civ, len);
572: }
573:
574: void
575: cipher_set_keyiv(CipherContext *cc, u_char *iv)
576: {
577: Cipher *c = cc->cipher;
578: u_char *div = NULL;
579: int evplen = 0;
580:
581: switch (c->number) {
582: case SSH_CIPHER_SSH2:
583: case SSH_CIPHER_DES:
584: case SSH_CIPHER_BLOWFISH:
585: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
586: if (evplen == 0)
587: return;
588:
589: if (strncmp(c->name, "aes", 3) == 0) {
590: struct ssh_rijndael_ctx *aesc;
591:
592: aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
593: if (aesc == NULL)
594: fatal("%s: no rijndael context", __FUNCTION__);
595: div = aesc->r_iv;
596: }else {
597: div = cc->evp.iv;
598: }
599: break;
600: case SSH_CIPHER_3DES: {
601: struct ssh1_3des_ctx *desc;
602: desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
603: if (desc == NULL)
604: fatal("%s: no 3des context", __FUNCTION__);
605: debug3("%s: Installed 3DES IV", __FUNCTION__);
606: memcpy(desc->k1.iv, iv, 8);
607: memcpy(desc->k2.iv, iv + 8, 8);
608: memcpy(desc->k3.iv, iv + 16, 8);
609: return;
1.54 ! markus 610: }
1.53 markus 611: default:
612: fatal("%s: bad cipher %d", __FUNCTION__, c->number);
613: }
614: memcpy(div, iv, evplen);
615: }
616:
617: #if OPENSSL_VERSION_NUMBER < 0x00907000L
618: #define EVP_X_STATE(evp) &(evp).c
619: #define EVP_X_STATE_LEN(evp) sizeof((evp).c)
620: #else
621: #define EVP_X_STATE(evp) (evp).cipher_data
622: #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
623: #endif
624:
625: int
626: cipher_get_keycontext(CipherContext *cc, u_char *dat)
627: {
628: Cipher *c = cc->cipher;
629: int plen;
630:
631: if (c->number == SSH_CIPHER_3DES) {
632: struct ssh1_3des_ctx *desc;
633: desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
634: if (desc == NULL)
635: fatal("%s: no 3des context", __FUNCTION__);
636: plen = EVP_X_STATE_LEN(desc->k1);
637: if (dat == NULL)
638: return (3*plen);
639: memcpy(dat, EVP_X_STATE(desc->k1), plen);
640: memcpy(dat + plen, EVP_X_STATE(desc->k2), plen);
641: memcpy(dat + 2*plen, EVP_X_STATE(desc->k3), plen);
642: return (3*plen);
643: }
644:
645: /* Generic EVP */
646: plen = EVP_X_STATE_LEN(cc->evp);
647: if (dat == NULL)
648: return (plen);
649:
650: memcpy(dat, EVP_X_STATE(cc->evp), plen);
651: return (plen);
652: }
653:
654: void
655: cipher_set_keycontext(CipherContext *cc, u_char *dat)
656: {
657: Cipher *c = cc->cipher;
658: int plen;
659:
660: if (c->number == SSH_CIPHER_3DES) {
661: struct ssh1_3des_ctx *desc;
662: desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
663: if (desc == NULL)
664: fatal("%s: no 3des context", __FUNCTION__);
665: plen = EVP_X_STATE_LEN(desc->k1);
666: memcpy(EVP_X_STATE(desc->k1), dat, plen);
667: memcpy(EVP_X_STATE(desc->k2), dat + plen, plen);
668: memcpy(EVP_X_STATE(desc->k3), dat + 2*plen, plen);
669: } else {
670: plen = EVP_X_STATE_LEN(cc->evp);
671: memcpy(EVP_X_STATE(cc->evp), dat, plen);
672: }
1.1 deraadt 673: }