Annotation of src/usr.bin/ssh/cipher.c, Revision 1.61
1.1 deraadt 1: /*
1.30 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
1.26 markus 5: *
1.30 deraadt 6: * As far as I am concerned, the code I have written for this software
7: * can be used freely for any purpose. Any derived versions of this
8: * software must be clearly marked as such, and if the derived work is
9: * incompatible with the protocol description in the RFC file, it must be
10: * called by a name other than "ssh" or "Secure Shell".
1.26 markus 11: *
12: *
1.30 deraadt 13: * Copyright (c) 1999 Niels Provos. All rights reserved.
1.46 markus 14: * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved.
1.26 markus 15: *
1.30 deraadt 16: * Redistribution and use in source and binary forms, with or without
17: * modification, are permitted provided that the following conditions
18: * are met:
19: * 1. Redistributions of source code must retain the above copyright
20: * notice, this list of conditions and the following disclaimer.
21: * 2. Redistributions in binary form must reproduce the above copyright
22: * notice, this list of conditions and the following disclaimer in the
23: * documentation and/or other materials provided with the distribution.
1.26 markus 24: *
1.30 deraadt 25: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.17 deraadt 35: */
1.1 deraadt 36:
37: #include "includes.h"
1.61 ! markus 38: RCSID("$OpenBSD: cipher.c,v 1.60 2002/06/23 03:26:52 deraadt Exp $");
1.1 deraadt 39:
1.24 markus 40: #include "xmalloc.h"
1.42 markus 41: #include "log.h"
42: #include "cipher.h"
1.8 deraadt 43:
1.25 markus 44: #include <openssl/md5.h>
1.57 markus 45:
46: #if OPENSSL_VERSION_NUMBER < 0x00907000L
1.52 markus 47: #include "rijndael.h"
1.57 markus 48: static const EVP_CIPHER *evp_rijndael(void);
49: #endif
1.56 markus 50: static const EVP_CIPHER *evp_ssh1_3des(void);
51: static const EVP_CIPHER *evp_ssh1_bf(void);
1.1 deraadt 52:
1.51 markus 53: struct Cipher {
54: char *name;
55: int number; /* for ssh1 only */
56: u_int block_size;
57: u_int key_len;
1.56 markus 58: const EVP_CIPHER *(*evptype)(void);
1.52 markus 59: } ciphers[] = {
60: { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
61: { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
62: { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
63: { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },
64:
65: { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
66: { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
67: { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
68: { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
1.57 markus 69: #if OPENSSL_VERSION_NUMBER < 0x00907000L
1.52 markus 70: { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael },
71: { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael },
72: { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
1.55 markus 73: { "rijndael-cbc@lysator.liu.se",
74: SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
1.57 markus 75: #else
76: { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc },
77: { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc },
78: { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
79: { "rijndael-cbc@lysator.liu.se",
80: SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
81: #endif
1.47 markus 82:
1.52 markus 83: { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL }
1.32 markus 84: };
85:
86: /*--*/
1.1 deraadt 87:
1.54 markus 88: u_int
1.51 markus 89: cipher_blocksize(Cipher *c)
90: {
91: return (c->block_size);
92: }
1.60 deraadt 93:
1.54 markus 94: u_int
1.51 markus 95: cipher_keylen(Cipher *c)
96: {
97: return (c->key_len);
98: }
1.60 deraadt 99:
1.54 markus 100: u_int
1.53 markus 101: cipher_get_number(Cipher *c)
102: {
103: return (c->number);
104: }
1.51 markus 105:
1.41 markus 106: u_int
1.34 markus 107: cipher_mask_ssh1(int client)
1.1 deraadt 108: {
1.41 markus 109: u_int mask = 0;
1.48 deraadt 110: mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
1.34 markus 111: mask |= 1 << SSH_CIPHER_BLOWFISH;
112: if (client) {
113: mask |= 1 << SSH_CIPHER_DES;
1.32 markus 114: }
115: return mask;
1.1 deraadt 116: }
117:
1.32 markus 118: Cipher *
119: cipher_by_name(const char *name)
120: {
121: Cipher *c;
122: for (c = ciphers; c->name != NULL; c++)
123: if (strcasecmp(c->name, name) == 0)
124: return c;
125: return NULL;
126: }
127:
128: Cipher *
129: cipher_by_number(int id)
130: {
131: Cipher *c;
132: for (c = ciphers; c->name != NULL; c++)
133: if (c->number == id)
134: return c;
135: return NULL;
136: }
1.24 markus 137:
138: #define CIPHER_SEP ","
139: int
140: ciphers_valid(const char *names)
141: {
1.32 markus 142: Cipher *c;
1.29 ho 143: char *ciphers, *cp;
1.24 markus 144: char *p;
145:
1.27 markus 146: if (names == NULL || strcmp(names, "") == 0)
1.24 markus 147: return 0;
1.29 ho 148: ciphers = cp = xstrdup(names);
1.32 markus 149: for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
1.48 deraadt 150: (p = strsep(&cp, CIPHER_SEP))) {
1.32 markus 151: c = cipher_by_name(p);
152: if (c == NULL || c->number != SSH_CIPHER_SSH2) {
153: debug("bad cipher %s [%s]", p, names);
1.24 markus 154: xfree(ciphers);
155: return 0;
1.32 markus 156: } else {
1.36 markus 157: debug3("cipher ok: %s [%s]", p, names);
1.24 markus 158: }
159: }
1.36 markus 160: debug3("ciphers ok: [%s]", names);
1.24 markus 161: xfree(ciphers);
162: return 1;
163: }
164:
1.18 markus 165: /*
166: * Parses the name of the cipher. Returns the number of the corresponding
167: * cipher, or -1 on error.
168: */
1.1 deraadt 169:
1.4 provos 170: int
171: cipher_number(const char *name)
1.1 deraadt 172: {
1.32 markus 173: Cipher *c;
1.27 markus 174: if (name == NULL)
175: return -1;
1.32 markus 176: c = cipher_by_name(name);
177: return (c==NULL) ? -1 : c->number;
1.1 deraadt 178: }
179:
1.32 markus 180: char *
181: cipher_name(int id)
1.1 deraadt 182: {
1.32 markus 183: Cipher *c = cipher_by_number(id);
184: return (c==NULL) ? "<unknown>" : c->name;
1.1 deraadt 185: }
186:
1.26 markus 187: void
1.52 markus 188: cipher_init(CipherContext *cc, Cipher *cipher,
189: const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
190: int encrypt)
1.16 markus 191: {
1.52 markus 192: static int dowarn = 1;
193: const EVP_CIPHER *type;
194: int klen;
195:
196: if (cipher->number == SSH_CIPHER_DES) {
197: if (dowarn) {
198: error("Warning: use of DES is strongly discouraged "
199: "due to cryptographic weaknesses");
200: dowarn = 0;
201: }
202: if (keylen > 8)
203: keylen = 8;
204: }
205: cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
206:
1.32 markus 207: if (keylen < cipher->key_len)
208: fatal("cipher_init: key length %d is insufficient for %s.",
209: keylen, cipher->name);
210: if (iv != NULL && ivlen < cipher->block_size)
211: fatal("cipher_init: iv length %d is insufficient for %s.",
212: ivlen, cipher->name);
213: cc->cipher = cipher;
1.52 markus 214:
215: type = (*cipher->evptype)();
216:
217: EVP_CIPHER_CTX_init(&cc->evp);
218: if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
219: (encrypt == CIPHER_ENCRYPT)) == 0)
220: fatal("cipher_init: EVP_CipherInit failed for %s",
221: cipher->name);
222: klen = EVP_CIPHER_CTX_key_length(&cc->evp);
223: if (klen > 0 && keylen != klen) {
224: debug("cipher_init: set keylen (%d -> %d)", klen, keylen);
225: if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
226: fatal("cipher_init: set keylen failed (%d -> %d)",
227: klen, keylen);
228: }
229: if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
230: fatal("cipher_init: EVP_CipherInit: set key failed for %s",
231: cipher->name);
1.1 deraadt 232: }
1.21 markus 233:
1.26 markus 234: void
1.51 markus 235: cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
1.32 markus 236: {
237: if (len % cc->cipher->block_size)
238: fatal("cipher_encrypt: bad plaintext length %d", len);
1.52 markus 239: if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
240: fatal("evp_crypt: EVP_Cipher failed");
1.21 markus 241: }
242:
1.26 markus 243: void
1.51 markus 244: cipher_cleanup(CipherContext *cc)
1.16 markus 245: {
1.52 markus 246: if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
247: error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
1.16 markus 248: }
1.1 deraadt 249:
1.32 markus 250: /*
251: * Selects the cipher, and keys if by computing the MD5 checksum of the
252: * passphrase and using the resulting 16 bytes as the key.
253: */
1.1 deraadt 254:
1.26 markus 255: void
1.32 markus 256: cipher_set_key_string(CipherContext *cc, Cipher *cipher,
1.51 markus 257: const char *passphrase, int encrypt)
1.16 markus 258: {
1.32 markus 259: MD5_CTX md;
1.41 markus 260: u_char digest[16];
1.32 markus 261:
262: MD5_Init(&md);
263: MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
264: MD5_Final(digest, &md);
1.16 markus 265:
1.51 markus 266: cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt);
1.16 markus 267:
1.32 markus 268: memset(digest, 0, sizeof(digest));
269: memset(&md, 0, sizeof(md));
1.52 markus 270: }
271:
272: /* Implementations for other non-EVP ciphers */
273:
274: /*
275: * This is used by SSH1:
276: *
277: * What kind of triple DES are these 2 routines?
278: *
279: * Why is there a redundant initialization vector?
280: *
281: * If only iv3 was used, then, this would till effect have been
282: * outer-cbc. However, there is also a private iv1 == iv2 which
283: * perhaps makes differential analysis easier. On the other hand, the
284: * private iv1 probably makes the CRC-32 attack ineffective. This is a
285: * result of that there is no longer any known iv1 to use when
286: * choosing the X block.
287: */
288: struct ssh1_3des_ctx
289: {
290: EVP_CIPHER_CTX k1, k2, k3;
291: };
1.60 deraadt 292:
1.52 markus 293: static int
294: ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
295: int enc)
296: {
297: struct ssh1_3des_ctx *c;
298: u_char *k1, *k2, *k3;
299:
300: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
301: c = xmalloc(sizeof(*c));
302: EVP_CIPHER_CTX_set_app_data(ctx, c);
303: }
304: if (key == NULL)
305: return (1);
306: if (enc == -1)
307: enc = ctx->encrypt;
308: k1 = k2 = k3 = (u_char *) key;
309: k2 += 8;
310: if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) {
311: if (enc)
312: k3 += 16;
313: else
314: k1 += 16;
315: }
316: EVP_CIPHER_CTX_init(&c->k1);
317: EVP_CIPHER_CTX_init(&c->k2);
318: EVP_CIPHER_CTX_init(&c->k3);
319: if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
320: EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
321: EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
322: memset(c, 0, sizeof(*c));
323: xfree(c);
324: EVP_CIPHER_CTX_set_app_data(ctx, NULL);
325: return (0);
326: }
327: return (1);
328: }
1.60 deraadt 329:
1.52 markus 330: static int
331: ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len)
332: {
333: struct ssh1_3des_ctx *c;
334:
335: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
336: error("ssh1_3des_cbc: no context");
337: return (0);
338: }
339: if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
340: EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
341: EVP_Cipher(&c->k3, dest, dest, len) == 0)
342: return (0);
343: return (1);
344: }
1.60 deraadt 345:
1.52 markus 346: static int
347: ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
348: {
349: struct ssh1_3des_ctx *c;
350:
351: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
352: memset(c, 0, sizeof(*c));
353: xfree(c);
354: EVP_CIPHER_CTX_set_app_data(ctx, NULL);
355: }
356: return (1);
357: }
1.60 deraadt 358:
1.56 markus 359: static const EVP_CIPHER *
1.52 markus 360: evp_ssh1_3des(void)
361: {
362: static EVP_CIPHER ssh1_3des;
363:
364: memset(&ssh1_3des, 0, sizeof(EVP_CIPHER));
365: ssh1_3des.nid = NID_undef;
366: ssh1_3des.block_size = 8;
367: ssh1_3des.iv_len = 0;
368: ssh1_3des.key_len = 16;
369: ssh1_3des.init = ssh1_3des_init;
370: ssh1_3des.cleanup = ssh1_3des_cleanup;
371: ssh1_3des.do_cipher = ssh1_3des_cbc;
372: ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
373: return (&ssh1_3des);
374: }
375:
376: /*
377: * SSH1 uses a variation on Blowfish, all bytes must be swapped before
378: * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
379: */
380: static void
381: swap_bytes(const u_char *src, u_char *dst, int n)
382: {
383: u_char c[4];
384:
385: /* Process 4 bytes every lap. */
386: for (n = n / 4; n > 0; n--) {
387: c[3] = *src++;
388: c[2] = *src++;
389: c[1] = *src++;
390: c[0] = *src++;
391:
392: *dst++ = c[0];
393: *dst++ = c[1];
394: *dst++ = c[2];
395: *dst++ = c[3];
396: }
397: }
1.60 deraadt 398:
1.52 markus 399: static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL;
1.60 deraadt 400:
1.52 markus 401: static int
402: bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len)
403: {
404: int ret;
405:
406: swap_bytes(in, out, len);
407: ret = (*orig_bf)(ctx, out, out, len);
408: swap_bytes(out, out, len);
409: return (ret);
410: }
1.60 deraadt 411:
1.56 markus 412: static const EVP_CIPHER *
1.52 markus 413: evp_ssh1_bf(void)
414: {
415: static EVP_CIPHER ssh1_bf;
416:
417: memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
418: orig_bf = ssh1_bf.do_cipher;
419: ssh1_bf.nid = NID_undef;
420: ssh1_bf.do_cipher = bf_ssh1_cipher;
421: ssh1_bf.key_len = 32;
422: return (&ssh1_bf);
423: }
424:
1.57 markus 425: #if OPENSSL_VERSION_NUMBER < 0x00907000L
1.52 markus 426: /* RIJNDAEL */
427: #define RIJNDAEL_BLOCKSIZE 16
428: struct ssh_rijndael_ctx
429: {
430: rijndael_ctx r_ctx;
431: u_char r_iv[RIJNDAEL_BLOCKSIZE];
432: };
433:
434: static int
435: ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
436: int enc)
437: {
438: struct ssh_rijndael_ctx *c;
439:
440: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
441: c = xmalloc(sizeof(*c));
442: EVP_CIPHER_CTX_set_app_data(ctx, c);
443: }
444: if (key != NULL) {
445: if (enc == -1)
446: enc = ctx->encrypt;
447: rijndael_set_key(&c->r_ctx, (u_char *)key,
448: 8*EVP_CIPHER_CTX_key_length(ctx), enc);
449: }
450: if (iv != NULL)
451: memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE);
452: return (1);
453: }
1.60 deraadt 454:
1.52 markus 455: static int
456: ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
457: u_int len)
458: {
459: struct ssh_rijndael_ctx *c;
460: u_char buf[RIJNDAEL_BLOCKSIZE];
461: u_char *cprev, *cnow, *plain, *ivp;
462: int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
463:
464: if (len == 0)
465: return (1);
466: if (len % RIJNDAEL_BLOCKSIZE)
467: fatal("ssh_rijndael_cbc: bad len %d", len);
468: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
469: error("ssh_rijndael_cbc: no context");
470: return (0);
471: }
472: if (ctx->encrypt) {
473: cnow = dest;
474: plain = (u_char *)src;
475: cprev = c->r_iv;
476: for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
477: cnow+=RIJNDAEL_BLOCKSIZE) {
478: for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
479: buf[j] = plain[j] ^ cprev[j];
480: rijndael_encrypt(&c->r_ctx, buf, cnow);
481: cprev = cnow;
482: }
483: memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE);
484: } else {
485: cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
486: plain = dest+len-RIJNDAEL_BLOCKSIZE;
487:
488: memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE);
489: for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
490: plain-=RIJNDAEL_BLOCKSIZE) {
491: rijndael_decrypt(&c->r_ctx, cnow, plain);
492: ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
493: for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
494: plain[j] ^= ivp[j];
495: }
496: memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
497: }
498: return (1);
499: }
1.60 deraadt 500:
1.52 markus 501: static int
502: ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
503: {
504: struct ssh_rijndael_ctx *c;
505:
506: if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
507: memset(c, 0, sizeof(*c));
508: xfree(c);
509: EVP_CIPHER_CTX_set_app_data(ctx, NULL);
510: }
511: return (1);
512: }
1.60 deraadt 513:
1.56 markus 514: static const EVP_CIPHER *
1.52 markus 515: evp_rijndael(void)
516: {
517: static EVP_CIPHER rijndal_cbc;
518:
519: memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER));
520: rijndal_cbc.nid = NID_undef;
521: rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE;
522: rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;
523: rijndal_cbc.key_len = 16;
524: rijndal_cbc.init = ssh_rijndael_init;
525: rijndal_cbc.cleanup = ssh_rijndael_cleanup;
526: rijndal_cbc.do_cipher = ssh_rijndael_cbc;
527: rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
1.61 ! markus 528: EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
1.52 markus 529: return (&rijndal_cbc);
1.53 markus 530: }
1.57 markus 531: #endif
1.53 markus 532:
1.54 markus 533: /*
1.53 markus 534: * Exports an IV from the CipherContext required to export the key
535: * state back from the unprivileged child to the privileged parent
536: * process.
537: */
538:
539: int
540: cipher_get_keyiv_len(CipherContext *cc)
541: {
542: Cipher *c = cc->cipher;
543: int ivlen;
544:
545: if (c->number == SSH_CIPHER_3DES)
546: ivlen = 24;
547: else
548: ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
549: return (ivlen);
550: }
551:
552: void
553: cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
554: {
555: Cipher *c = cc->cipher;
556: u_char *civ = NULL;
557: int evplen;
558:
559: switch (c->number) {
560: case SSH_CIPHER_SSH2:
561: case SSH_CIPHER_DES:
562: case SSH_CIPHER_BLOWFISH:
563: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
564: if (evplen == 0)
565: return;
566: if (evplen != len)
1.58 markus 567: fatal("%s: wrong iv length %d != %d", __func__,
1.53 markus 568: evplen, len);
569:
1.57 markus 570: #if OPENSSL_VERSION_NUMBER < 0x00907000L
1.55 markus 571: if (c->evptype == evp_rijndael) {
1.53 markus 572: struct ssh_rijndael_ctx *aesc;
573:
574: aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
575: if (aesc == NULL)
1.58 markus 576: fatal("%s: no rijndael context", __func__);
1.53 markus 577: civ = aesc->r_iv;
1.57 markus 578: } else
579: #endif
580: {
1.53 markus 581: civ = cc->evp.iv;
582: }
583: break;
584: case SSH_CIPHER_3DES: {
585: struct ssh1_3des_ctx *desc;
586: if (len != 24)
1.58 markus 587: fatal("%s: bad 3des iv length: %d", __func__, len);
1.53 markus 588: desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
589: if (desc == NULL)
1.58 markus 590: fatal("%s: no 3des context", __func__);
591: debug3("%s: Copying 3DES IV", __func__);
1.53 markus 592: memcpy(iv, desc->k1.iv, 8);
593: memcpy(iv + 8, desc->k2.iv, 8);
594: memcpy(iv + 16, desc->k3.iv, 8);
595: return;
596: }
597: default:
1.58 markus 598: fatal("%s: bad cipher %d", __func__, c->number);
1.53 markus 599: }
600: memcpy(iv, civ, len);
601: }
602:
603: void
604: cipher_set_keyiv(CipherContext *cc, u_char *iv)
605: {
606: Cipher *c = cc->cipher;
607: u_char *div = NULL;
608: int evplen = 0;
609:
610: switch (c->number) {
611: case SSH_CIPHER_SSH2:
612: case SSH_CIPHER_DES:
613: case SSH_CIPHER_BLOWFISH:
614: evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
615: if (evplen == 0)
616: return;
617:
1.57 markus 618: #if OPENSSL_VERSION_NUMBER < 0x00907000L
1.55 markus 619: if (c->evptype == evp_rijndael) {
1.53 markus 620: struct ssh_rijndael_ctx *aesc;
621:
622: aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
623: if (aesc == NULL)
1.58 markus 624: fatal("%s: no rijndael context", __func__);
1.53 markus 625: div = aesc->r_iv;
1.57 markus 626: } else
627: #endif
628: {
1.53 markus 629: div = cc->evp.iv;
630: }
631: break;
632: case SSH_CIPHER_3DES: {
633: struct ssh1_3des_ctx *desc;
634: desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
635: if (desc == NULL)
1.58 markus 636: fatal("%s: no 3des context", __func__);
637: debug3("%s: Installed 3DES IV", __func__);
1.53 markus 638: memcpy(desc->k1.iv, iv, 8);
639: memcpy(desc->k2.iv, iv + 8, 8);
640: memcpy(desc->k3.iv, iv + 16, 8);
641: return;
1.54 markus 642: }
1.53 markus 643: default:
1.58 markus 644: fatal("%s: bad cipher %d", __func__, c->number);
1.53 markus 645: }
646: memcpy(div, iv, evplen);
647: }
648:
649: #if OPENSSL_VERSION_NUMBER < 0x00907000L
650: #define EVP_X_STATE(evp) &(evp).c
651: #define EVP_X_STATE_LEN(evp) sizeof((evp).c)
652: #else
653: #define EVP_X_STATE(evp) (evp).cipher_data
654: #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
655: #endif
656:
657: int
658: cipher_get_keycontext(CipherContext *cc, u_char *dat)
659: {
660: Cipher *c = cc->cipher;
1.59 markus 661: int plen = 0;
1.53 markus 662:
1.59 markus 663: if (c->evptype == EVP_rc4) {
664: plen = EVP_X_STATE_LEN(cc->evp);
1.53 markus 665: if (dat == NULL)
1.59 markus 666: return (plen);
667: memcpy(dat, EVP_X_STATE(cc->evp), plen);
1.53 markus 668: }
669: return (plen);
670: }
671:
672: void
673: cipher_set_keycontext(CipherContext *cc, u_char *dat)
674: {
675: Cipher *c = cc->cipher;
676: int plen;
677:
1.59 markus 678: if (c->evptype == EVP_rc4) {
1.53 markus 679: plen = EVP_X_STATE_LEN(cc->evp);
680: memcpy(EVP_X_STATE(cc->evp), dat, plen);
681: }
1.1 deraadt 682: }