Annotation of src/usr.bin/ssh/cipher.c, Revision 1.58
1.1 deraadt 1: /*
1.30 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
1.26 markus 5: *
1.30 deraadt 6: * As far as I am concerned, the code I have written for this software
7: * can be used freely for any purpose. Any derived versions of this
8: * software must be clearly marked as such, and if the derived work is
9: * incompatible with the protocol description in the RFC file, it must be
10: * called by a name other than "ssh" or "Secure Shell".
1.26 markus 11: *
12: *
1.30 deraadt 13: * Copyright (c) 1999 Niels Provos. All rights reserved.
1.46 markus 14: * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved.
1.26 markus 15: *
1.30 deraadt 16: * Redistribution and use in source and binary forms, with or without
17: * modification, are permitted provided that the following conditions
18: * are met:
19: * 1. Redistributions of source code must retain the above copyright
20: * notice, this list of conditions and the following disclaimer.
21: * 2. Redistributions in binary form must reproduce the above copyright
22: * notice, this list of conditions and the following disclaimer in the
23: * documentation and/or other materials provided with the distribution.
1.26 markus 24: *
1.30 deraadt 25: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.17 deraadt 35: */
1.1 deraadt 36:
37: #include "includes.h"
1.58 ! markus 38: RCSID("$OpenBSD: cipher.c,v 1.57 2002/05/30 08:07:31 markus Exp $");
1.1 deraadt 39:
1.24 markus 40: #include "xmalloc.h"
1.42 markus 41: #include "log.h"
42: #include "cipher.h"
1.8 deraadt 43:
1.25 markus 44: #include <openssl/md5.h>
1.57 markus 45:
46: #if OPENSSL_VERSION_NUMBER < 0x00907000L
1.52 markus 47: #include "rijndael.h"
1.57 markus 48: static const EVP_CIPHER *evp_rijndael(void);
49: #endif
1.56 markus 50: static const EVP_CIPHER *evp_ssh1_3des(void);
51: static const EVP_CIPHER *evp_ssh1_bf(void);
1.1 deraadt 52:
1.51 markus 53: struct Cipher {
54: char *name;
55: int number; /* for ssh1 only */
56: u_int block_size;
57: u_int key_len;
1.56 markus 58: const EVP_CIPHER *(*evptype)(void);
1.52 markus 59: } ciphers[] = {
60: { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
61: { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
62: { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
63: { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },
64:
65: { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
66: { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
67: { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
68: { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
1.57 markus 69: #if OPENSSL_VERSION_NUMBER < 0x00907000L
1.52 markus 70: { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael },
71: { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael },
72: { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
1.55 markus 73: { "rijndael-cbc@lysator.liu.se",
74: SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
1.57 markus 75: #else
76: { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc },
77: { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc },
78: { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
79: { "rijndael-cbc@lysator.liu.se",
80: SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
81: #endif
1.47 markus 82:
1.52 markus 83: { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL }
1.32 markus 84: };
85:
86: /*--*/
1.1 deraadt 87:
1.54 markus 88: u_int
1.51 markus 89: cipher_blocksize(Cipher *c)
90: {
91: return (c->block_size);
92: }
1.54 markus 93: u_int
1.51 markus 94: cipher_keylen(Cipher *c)
95: {
96: return (c->key_len);
97: }
1.54 markus 98: u_int
1.53 markus 99: cipher_get_number(Cipher *c)
100: {
101: return (c->number);
102: }
1.51 markus 103:
1.41 markus 104: u_int
1.34 markus 105: cipher_mask_ssh1(int client)
1.1 deraadt 106: {
1.41 markus 107: u_int mask = 0;
1.48 deraadt 108: mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
1.34 markus 109: mask |= 1 << SSH_CIPHER_BLOWFISH;
110: if (client) {
111: mask |= 1 << SSH_CIPHER_DES;
1.32 markus 112: }
113: return mask;
1.1 deraadt 114: }
115:
1.32 markus 116: Cipher *
117: cipher_by_name(const char *name)
118: {
119: Cipher *c;
120: for (c = ciphers; c->name != NULL; c++)
121: if (strcasecmp(c->name, name) == 0)
122: return c;
123: return NULL;
124: }
125:
126: Cipher *
127: cipher_by_number(int id)
128: {
129: Cipher *c;
130: for (c = ciphers; c->name != NULL; c++)
131: if (c->number == id)
132: return c;
133: return NULL;
134: }
1.24 markus 135:
136: #define CIPHER_SEP ","
137: int
138: ciphers_valid(const char *names)
139: {
1.32 markus 140: Cipher *c;
1.29 ho 141: char *ciphers, *cp;
1.24 markus 142: char *p;
143:
1.27 markus 144: if (names == NULL || strcmp(names, "") == 0)
1.24 markus 145: return 0;
1.29 ho 146: ciphers = cp = xstrdup(names);
1.32 markus 147: for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
1.48 deraadt 148: (p = strsep(&cp, CIPHER_SEP))) {
1.32 markus 149: c = cipher_by_name(p);
150: if (c == NULL || c->number != SSH_CIPHER_SSH2) {
151: debug("bad cipher %s [%s]", p, names);
1.24 markus 152: xfree(ciphers);
153: return 0;
1.32 markus 154: } else {
1.36 markus 155: debug3("cipher ok: %s [%s]", p, names);
1.24 markus 156: }
157: }
1.36 markus 158: debug3("ciphers ok: [%s]", names);
1.24 markus 159: xfree(ciphers);
160: return 1;
161: }
162:
1.18 markus 163: /*
164: * Parses the name of the cipher. Returns the number of the corresponding
165: * cipher, or -1 on error.
166: */
1.1 deraadt 167:
1.4 provos 168: int
169: cipher_number(const char *name)
1.1 deraadt 170: {
1.32 markus 171: Cipher *c;
1.27 markus 172: if (name == NULL)
173: return -1;
1.32 markus 174: c = cipher_by_name(name);
175: return (c==NULL) ? -1 : c->number;
1.1 deraadt 176: }
177:
1.32 markus 178: char *
179: cipher_name(int id)
1.1 deraadt 180: {
1.32 markus 181: Cipher *c = cipher_by_number(id);
182: return (c==NULL) ? "<unknown>" : c->name;
1.1 deraadt 183: }
184:
1.26 markus 185: void
1.52 markus 186: cipher_init(CipherContext *cc, Cipher *cipher,
187: const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
188: int encrypt)
1.16 markus 189: {
1.52 markus 190: static int dowarn = 1;
191: const EVP_CIPHER *type;
192: int klen;
193:
194: if (cipher->number == SSH_CIPHER_DES) {
195: if (dowarn) {
196: error("Warning: use of DES is strongly discouraged "
197: "due to cryptographic weaknesses");
198: dowarn = 0;
199: }
200: if (keylen > 8)
201: keylen = 8;
202: }
203: cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
204:
1.32 markus 205: if (keylen < cipher->key_len)
206: fatal("cipher_init: key length %d is insufficient for %s.",
207: keylen, cipher->name);
208: if (iv != NULL && ivlen < cipher->block_size)
209: fatal("cipher_init: iv length %d is insufficient for %s.",
210: ivlen, cipher->name);
211: cc->cipher = cipher;
1.52 markus 212:
213: type = (*cipher->evptype)();
214:
215: EVP_CIPHER_CTX_init(&cc->evp);
216: if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
217: (encrypt == CIPHER_ENCRYPT)) == 0)
218: fatal("cipher_init: EVP_CipherInit failed for %s",
219: cipher->name);
220: klen = EVP_CIPHER_CTX_key_length(&cc->evp);
221: if (klen > 0 && keylen != klen) {
222: debug("cipher_init: set keylen (%d -> %d)", klen, keylen);
223: if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
224: fatal("cipher_init: set keylen failed (%d -> %d)",
225: klen, keylen);
226: }
227: if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
228: fatal("cipher_init: EVP_CipherInit: set key failed for %s",
229: cipher->name);
1.1 deraadt 230: }
1.21 markus 231:
1.26 markus 232: void
1.51 markus 233: cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
1.32 markus 234: {
235: if (len % cc->cipher->block_size)
236: fatal("cipher_encrypt: bad plaintext length %d", len);
1.52 markus 237: if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
238: fatal("evp_crypt: EVP_Cipher failed");
1.21 markus 239: }
240:
1.26 markus 241: void
1.51 markus 242: cipher_cleanup(CipherContext *cc)
1.16 markus 243: {
1.52 markus 244: if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
245: error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
1.16 markus 246: }
1.1 deraadt 247:
1.32 markus 248: /*
249: * Selects the cipher, and keys if by computing the MD5 checksum of the
250: * passphrase and using the resulting 16 bytes as the key.
251: */
1.1 deraadt 252:
1.26 markus 253: void
1.32 markus 254: cipher_set_key_string(CipherContext *cc, Cipher *cipher,
1.51 markus 255: const char *passphrase, int encrypt)
1.16 markus 256: {
1.32 markus 257: MD5_CTX md;
1.41 markus 258: u_char digest[16];
1.32 markus 259:
260: MD5_Init(&md);
261: MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
262: MD5_Final(digest, &md);
1.16 markus 263:
1.51 markus 264: cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt);
1.16 markus 265:
1.32 markus 266: memset(digest, 0, sizeof(digest));
267: memset(&md, 0, sizeof(md));
1.52 markus 268: }
269:
270: /* Implementations for other non-EVP ciphers */
271:
272: /*
273: * This is used by SSH1:
274: *
275: * What kind of triple DES are these 2 routines?
276: *
277: * Why is there a redundant initialization vector?
278: *
279: * If only iv3 was used, then, this would till effect have been
280: * outer-cbc. However, there is also a private iv1 == iv2 which
281: * perhaps makes differential analysis easier. On the other hand, the
282: * private iv1 probably makes the CRC-32 attack ineffective. This is a
283: * result of that there is no longer any known iv1 to use when
284: * choosing the X block.
285: */
286: struct ssh1_3des_ctx
287: {
288: EVP_CIPHER_CTX k1, k2, k3;
289: };
290: static int
291: ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
292: int enc)
293: {
294: struct ssh1_3des_ctx *c;
295: u_char *k1, *k2, *k3;
296:
297: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
298: c = xmalloc(sizeof(*c));
299: EVP_CIPHER_CTX_set_app_data(ctx, c);
300: }
301: if (key == NULL)
302: return (1);
303: if (enc == -1)
304: enc = ctx->encrypt;
305: k1 = k2 = k3 = (u_char *) key;
306: k2 += 8;
307: if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) {
308: if (enc)
309: k3 += 16;
310: else
311: k1 += 16;
312: }
313: EVP_CIPHER_CTX_init(&c->k1);
314: EVP_CIPHER_CTX_init(&c->k2);
315: EVP_CIPHER_CTX_init(&c->k3);
316: if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
317: EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
318: EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
319: memset(c, 0, sizeof(*c));
320: xfree(c);
321: EVP_CIPHER_CTX_set_app_data(ctx, NULL);
322: return (0);
323: }
324: return (1);
325: }
326: static int
327: ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len)
328: {
329: struct ssh1_3des_ctx *c;
330:
331: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
332: error("ssh1_3des_cbc: no context");
333: return (0);
334: }
335: if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
336: EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
337: EVP_Cipher(&c->k3, dest, dest, len) == 0)
338: return (0);
339: return (1);
340: }
341: static int
342: ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
343: {
344: struct ssh1_3des_ctx *c;
345:
346: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
347: memset(c, 0, sizeof(*c));
348: xfree(c);
349: EVP_CIPHER_CTX_set_app_data(ctx, NULL);
350: }
351: return (1);
352: }
1.56 markus 353: static const EVP_CIPHER *
1.52 markus 354: evp_ssh1_3des(void)
355: {
356: static EVP_CIPHER ssh1_3des;
357:
358: memset(&ssh1_3des, 0, sizeof(EVP_CIPHER));
359: ssh1_3des.nid = NID_undef;
360: ssh1_3des.block_size = 8;
361: ssh1_3des.iv_len = 0;
362: ssh1_3des.key_len = 16;
363: ssh1_3des.init = ssh1_3des_init;
364: ssh1_3des.cleanup = ssh1_3des_cleanup;
365: ssh1_3des.do_cipher = ssh1_3des_cbc;
366: ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
367: return (&ssh1_3des);
368: }
369:
370: /*
371: * SSH1 uses a variation on Blowfish, all bytes must be swapped before
372: * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
373: */
374: static void
375: swap_bytes(const u_char *src, u_char *dst, int n)
376: {
377: u_char c[4];
378:
379: /* Process 4 bytes every lap. */
380: for (n = n / 4; n > 0; n--) {
381: c[3] = *src++;
382: c[2] = *src++;
383: c[1] = *src++;
384: c[0] = *src++;
385:
386: *dst++ = c[0];
387: *dst++ = c[1];
388: *dst++ = c[2];
389: *dst++ = c[3];
390: }
391: }
392: static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL;
393: static int
394: bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len)
395: {
396: int ret;
397:
398: swap_bytes(in, out, len);
399: ret = (*orig_bf)(ctx, out, out, len);
400: swap_bytes(out, out, len);
401: return (ret);
402: }
1.56 markus 403: static const EVP_CIPHER *
1.52 markus 404: evp_ssh1_bf(void)
405: {
406: static EVP_CIPHER ssh1_bf;
407:
408: memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
409: orig_bf = ssh1_bf.do_cipher;
410: ssh1_bf.nid = NID_undef;
411: ssh1_bf.do_cipher = bf_ssh1_cipher;
412: ssh1_bf.key_len = 32;
413: return (&ssh1_bf);
414: }
415:
1.57 markus 416: #if OPENSSL_VERSION_NUMBER < 0x00907000L
1.52 markus 417: /* RIJNDAEL */
418: #define RIJNDAEL_BLOCKSIZE 16
419: struct ssh_rijndael_ctx
420: {
421: rijndael_ctx r_ctx;
422: u_char r_iv[RIJNDAEL_BLOCKSIZE];
423: };
424:
425: static int
426: ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
427: int enc)
428: {
429: struct ssh_rijndael_ctx *c;
430:
431: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
432: c = xmalloc(sizeof(*c));
433: EVP_CIPHER_CTX_set_app_data(ctx, c);
434: }
435: if (key != NULL) {
436: if (enc == -1)
437: enc = ctx->encrypt;
438: rijndael_set_key(&c->r_ctx, (u_char *)key,
439: 8*EVP_CIPHER_CTX_key_length(ctx), enc);
440: }
441: if (iv != NULL)
442: memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE);
443: return (1);
444: }
445: static int
446: ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
447: u_int len)
448: {
449: struct ssh_rijndael_ctx *c;
450: u_char buf[RIJNDAEL_BLOCKSIZE];
451: u_char *cprev, *cnow, *plain, *ivp;
452: int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
453:
454: if (len == 0)
455: return (1);
456: if (len % RIJNDAEL_BLOCKSIZE)
457: fatal("ssh_rijndael_cbc: bad len %d", len);
458: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
459: error("ssh_rijndael_cbc: no context");
460: return (0);
461: }
462: if (ctx->encrypt) {
463: cnow = dest;
464: plain = (u_char *)src;
465: cprev = c->r_iv;
466: for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
467: cnow+=RIJNDAEL_BLOCKSIZE) {
468: for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
469: buf[j] = plain[j] ^ cprev[j];
470: rijndael_encrypt(&c->r_ctx, buf, cnow);
471: cprev = cnow;
472: }
473: memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE);
474: } else {
475: cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
476: plain = dest+len-RIJNDAEL_BLOCKSIZE;
477:
478: memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE);
479: for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
480: plain-=RIJNDAEL_BLOCKSIZE) {
481: rijndael_decrypt(&c->r_ctx, cnow, plain);
482: ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
483: for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
484: plain[j] ^= ivp[j];
485: }
486: memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
487: }
488: return (1);
489: }
490: static int
491: ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
492: {
493: struct ssh_rijndael_ctx *c;
494:
495: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
496: memset(c, 0, sizeof(*c));
497: xfree(c);
498: EVP_CIPHER_CTX_set_app_data(ctx, NULL);
499: }
500: return (1);
501: }
1.56 markus 502: static const EVP_CIPHER *
1.52 markus 503: evp_rijndael(void)
504: {
505: static EVP_CIPHER rijndal_cbc;
506:
507: memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER));
508: rijndal_cbc.nid = NID_undef;
509: rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE;
510: rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;
511: rijndal_cbc.key_len = 16;
512: rijndal_cbc.init = ssh_rijndael_init;
513: rijndal_cbc.cleanup = ssh_rijndael_cleanup;
514: rijndal_cbc.do_cipher = ssh_rijndael_cbc;
515: rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
516: EVP_CIPH_ALWAYS_CALL_INIT;
517: return (&rijndal_cbc);
1.53 markus 518: }
1.57 markus 519: #endif
1.53 markus 520:
1.54 markus 521: /*
1.53 markus 522: * Exports an IV from the CipherContext required to export the key
523: * state back from the unprivileged child to the privileged parent
524: * process.
525: */
526:
527: int
528: cipher_get_keyiv_len(CipherContext *cc)
529: {
530: Cipher *c = cc->cipher;
531: int ivlen;
532:
533: if (c->number == SSH_CIPHER_3DES)
534: ivlen = 24;
535: else
536: ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
537: return (ivlen);
538: }
539:
540: void
541: cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
542: {
543: Cipher *c = cc->cipher;
544: u_char *civ = NULL;
545: int evplen;
546:
547: switch (c->number) {
548: case SSH_CIPHER_SSH2:
549: case SSH_CIPHER_DES:
550: case SSH_CIPHER_BLOWFISH:
551: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
552: if (evplen == 0)
553: return;
554: if (evplen != len)
1.58 ! markus 555: fatal("%s: wrong iv length %d != %d", __func__,
1.53 markus 556: evplen, len);
557:
1.57 markus 558: #if OPENSSL_VERSION_NUMBER < 0x00907000L
1.55 markus 559: if (c->evptype == evp_rijndael) {
1.53 markus 560: struct ssh_rijndael_ctx *aesc;
561:
562: aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
563: if (aesc == NULL)
1.58 ! markus 564: fatal("%s: no rijndael context", __func__);
1.53 markus 565: civ = aesc->r_iv;
1.57 markus 566: } else
567: #endif
568: {
1.53 markus 569: civ = cc->evp.iv;
570: }
571: break;
572: case SSH_CIPHER_3DES: {
573: struct ssh1_3des_ctx *desc;
574: if (len != 24)
1.58 ! markus 575: fatal("%s: bad 3des iv length: %d", __func__, len);
1.53 markus 576: desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
577: if (desc == NULL)
1.58 ! markus 578: fatal("%s: no 3des context", __func__);
! 579: debug3("%s: Copying 3DES IV", __func__);
1.53 markus 580: memcpy(iv, desc->k1.iv, 8);
581: memcpy(iv + 8, desc->k2.iv, 8);
582: memcpy(iv + 16, desc->k3.iv, 8);
583: return;
584: }
585: default:
1.58 ! markus 586: fatal("%s: bad cipher %d", __func__, c->number);
1.53 markus 587: }
588: memcpy(iv, civ, len);
589: }
590:
591: void
592: cipher_set_keyiv(CipherContext *cc, u_char *iv)
593: {
594: Cipher *c = cc->cipher;
595: u_char *div = NULL;
596: int evplen = 0;
597:
598: switch (c->number) {
599: case SSH_CIPHER_SSH2:
600: case SSH_CIPHER_DES:
601: case SSH_CIPHER_BLOWFISH:
602: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
603: if (evplen == 0)
604: return;
605:
1.57 markus 606: #if OPENSSL_VERSION_NUMBER < 0x00907000L
1.55 markus 607: if (c->evptype == evp_rijndael) {
1.53 markus 608: struct ssh_rijndael_ctx *aesc;
609:
610: aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
611: if (aesc == NULL)
1.58 ! markus 612: fatal("%s: no rijndael context", __func__);
1.53 markus 613: div = aesc->r_iv;
1.57 markus 614: } else
615: #endif
616: {
1.53 markus 617: div = cc->evp.iv;
618: }
619: break;
620: case SSH_CIPHER_3DES: {
621: struct ssh1_3des_ctx *desc;
622: desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
623: if (desc == NULL)
1.58 ! markus 624: fatal("%s: no 3des context", __func__);
! 625: debug3("%s: Installed 3DES IV", __func__);
1.53 markus 626: memcpy(desc->k1.iv, iv, 8);
627: memcpy(desc->k2.iv, iv + 8, 8);
628: memcpy(desc->k3.iv, iv + 16, 8);
629: return;
1.54 markus 630: }
1.53 markus 631: default:
1.58 ! markus 632: fatal("%s: bad cipher %d", __func__, c->number);
1.53 markus 633: }
634: memcpy(div, iv, evplen);
635: }
636:
637: #if OPENSSL_VERSION_NUMBER < 0x00907000L
638: #define EVP_X_STATE(evp) &(evp).c
639: #define EVP_X_STATE_LEN(evp) sizeof((evp).c)
640: #else
641: #define EVP_X_STATE(evp) (evp).cipher_data
642: #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
643: #endif
644:
645: int
646: cipher_get_keycontext(CipherContext *cc, u_char *dat)
647: {
648: Cipher *c = cc->cipher;
649: int plen;
650:
651: if (c->number == SSH_CIPHER_3DES) {
652: struct ssh1_3des_ctx *desc;
653: desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
654: if (desc == NULL)
1.58 ! markus 655: fatal("%s: no 3des context", __func__);
1.53 markus 656: plen = EVP_X_STATE_LEN(desc->k1);
657: if (dat == NULL)
658: return (3*plen);
659: memcpy(dat, EVP_X_STATE(desc->k1), plen);
660: memcpy(dat + plen, EVP_X_STATE(desc->k2), plen);
661: memcpy(dat + 2*plen, EVP_X_STATE(desc->k3), plen);
662: return (3*plen);
663: }
664:
665: /* Generic EVP */
666: plen = EVP_X_STATE_LEN(cc->evp);
667: if (dat == NULL)
668: return (plen);
669:
670: memcpy(dat, EVP_X_STATE(cc->evp), plen);
671: return (plen);
672: }
673:
674: void
675: cipher_set_keycontext(CipherContext *cc, u_char *dat)
676: {
677: Cipher *c = cc->cipher;
678: int plen;
679:
680: if (c->number == SSH_CIPHER_3DES) {
681: struct ssh1_3des_ctx *desc;
682: desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
683: if (desc == NULL)
1.58 ! markus 684: fatal("%s: no 3des context", __func__);
1.53 markus 685: plen = EVP_X_STATE_LEN(desc->k1);
686: memcpy(EVP_X_STATE(desc->k1), dat, plen);
687: memcpy(EVP_X_STATE(desc->k2), dat + plen, plen);
688: memcpy(EVP_X_STATE(desc->k3), dat + 2*plen, plen);
689: } else {
690: plen = EVP_X_STATE_LEN(cc->evp);
691: memcpy(EVP_X_STATE(cc->evp), dat, plen);
692: }
1.1 deraadt 693: }