summaryrefslogtreecommitdiff
path: root/cipher.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2013-05-07 10:06:42 +0100
committerColin Watson <cjwatson@debian.org>2013-05-07 10:06:42 +0100
commitecebda56da46a03dafff923d91c382f31faa9eec (patch)
tree449614b6c06a2622c74a609b31fcc46c60037c56 /cipher.c
parentc6a2c0334e45419875687d250aed9bea78480f2e (diff)
parentffc06452028ba78cd693d4ed43df8b60a10d6163 (diff)
merge 6.2p1; reorder additions to monitor.h for easier merging in future
Diffstat (limited to 'cipher.c')
-rw-r--r--cipher.c147
1 files changed, 106 insertions, 41 deletions
diff --git a/cipher.c b/cipher.c
index bb5c0ac3a..9ca1d0065 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */ 1/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -54,41 +54,46 @@
54extern const EVP_CIPHER *evp_ssh1_bf(void); 54extern const EVP_CIPHER *evp_ssh1_bf(void);
55extern const EVP_CIPHER *evp_ssh1_3des(void); 55extern const EVP_CIPHER *evp_ssh1_3des(void);
56extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); 56extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
57extern const EVP_CIPHER *evp_aes_128_ctr(void);
58extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
59 57
60struct Cipher { 58struct Cipher {
61 char *name; 59 char *name;
62 int number; /* for ssh1 only */ 60 int number; /* for ssh1 only */
63 u_int block_size; 61 u_int block_size;
64 u_int key_len; 62 u_int key_len;
63 u_int iv_len; /* defaults to block_size */
64 u_int auth_len;
65 u_int discard_len; 65 u_int discard_len;
66 u_int cbc_mode; 66 u_int cbc_mode;
67 const EVP_CIPHER *(*evptype)(void); 67 const EVP_CIPHER *(*evptype)(void);
68} ciphers[] = { 68} ciphers[] = {
69 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, 69 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
70 { "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc }, 70 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
71 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, 71 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
72 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 1, evp_ssh1_bf }, 72 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
73 73
74 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, 74 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
75 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc }, 75 { "blowfish-cbc",
76 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc }, 76 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
77 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 }, 77 { "cast128-cbc",
78 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 }, 78 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
79 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 }, 79 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
80 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, 80 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
81 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, 81 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
82 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, 82 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
83 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
84 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
83 { "rijndael-cbc@lysator.liu.se", 85 { "rijndael-cbc@lysator.liu.se",
84 SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, 86 SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
85 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, 87 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
86 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, 88 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
87 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, 89 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
88#ifdef USE_CIPHER_ACSS 90#ifdef OPENSSL_HAVE_EVPGCM
89 { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss }, 91 { "aes128-gcm@openssh.com",
92 SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
93 { "aes256-gcm@openssh.com",
94 SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
90#endif 95#endif
91 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } 96 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
92}; 97};
93 98
94/*--*/ 99/*--*/
@@ -106,6 +111,18 @@ cipher_keylen(const Cipher *c)
106} 111}
107 112
108u_int 113u_int
114cipher_authlen(const Cipher *c)
115{
116 return (c->auth_len);
117}
118
119u_int
120cipher_ivlen(const Cipher *c)
121{
122 return (c->iv_len ? c->iv_len : c->block_size);
123}
124
125u_int
109cipher_get_number(const Cipher *c) 126cipher_get_number(const Cipher *c)
110{ 127{
111 return (c->number); 128 return (c->number);
@@ -224,11 +241,12 @@ cipher_init(CipherContext *cc, Cipher *cipher,
224 keylen = 8; 241 keylen = 8;
225 } 242 }
226 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 243 cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
244 cc->encrypt = do_encrypt;
227 245
228 if (keylen < cipher->key_len) 246 if (keylen < cipher->key_len)
229 fatal("cipher_init: key length %d is insufficient for %s.", 247 fatal("cipher_init: key length %d is insufficient for %s.",
230 keylen, cipher->name); 248 keylen, cipher->name);
231 if (iv != NULL && ivlen < cipher->block_size) 249 if (iv != NULL && ivlen < cipher_ivlen(cipher))
232 fatal("cipher_init: iv length %d is insufficient for %s.", 250 fatal("cipher_init: iv length %d is insufficient for %s.",
233 ivlen, cipher->name); 251 ivlen, cipher->name);
234 cc->cipher = cipher; 252 cc->cipher = cipher;
@@ -249,6 +267,11 @@ cipher_init(CipherContext *cc, Cipher *cipher,
249 (do_encrypt == CIPHER_ENCRYPT)) == 0) 267 (do_encrypt == CIPHER_ENCRYPT)) == 0)
250 fatal("cipher_init: EVP_CipherInit failed for %s", 268 fatal("cipher_init: EVP_CipherInit failed for %s",
251 cipher->name); 269 cipher->name);
270 if (cipher_authlen(cipher) &&
271 !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
272 -1, (u_char *)iv))
273 fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s",
274 cipher->name);
252 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 275 klen = EVP_CIPHER_CTX_key_length(&cc->evp);
253 if (klen > 0 && keylen != (u_int)klen) { 276 if (klen > 0 && keylen != (u_int)klen) {
254 debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); 277 debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
@@ -273,13 +296,59 @@ cipher_init(CipherContext *cc, Cipher *cipher,
273 } 296 }
274} 297}
275 298
299/*
300 * cipher_crypt() operates as following:
301 * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
302 * Theses bytes are treated as additional authenticated data for
303 * authenticated encryption modes.
304 * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
305 * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
306 * This tag is written on encryption and verified on decryption.
307 * Both 'aadlen' and 'authlen' can be set to 0.
308 */
276void 309void
277cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 310cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src,
311 u_int len, u_int aadlen, u_int authlen)
278{ 312{
313 if (authlen) {
314 u_char lastiv[1];
315
316 if (authlen != cipher_authlen(cc->cipher))
317 fatal("%s: authlen mismatch %d", __func__, authlen);
318 /* increment IV */
319 if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
320 1, lastiv))
321 fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__);
322 /* set tag on decyption */
323 if (!cc->encrypt &&
324 !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
325 authlen, (u_char *)src + aadlen + len))
326 fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__);
327 }
328 if (aadlen) {
329 if (authlen &&
330 EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
331 fatal("%s: EVP_Cipher(aad) failed", __func__);
332 memcpy(dest, src, aadlen);
333 }
279 if (len % cc->cipher->block_size) 334 if (len % cc->cipher->block_size)
280 fatal("cipher_encrypt: bad plaintext length %d", len); 335 fatal("%s: bad plaintext length %d", __func__, len);
281 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) 336 if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
282 fatal("evp_crypt: EVP_Cipher failed"); 337 len) < 0)
338 fatal("%s: EVP_Cipher failed", __func__);
339 if (authlen) {
340 /* compute tag (on encrypt) or verify tag (on decrypt) */
341 if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) {
342 if (cc->encrypt)
343 fatal("%s: EVP_Cipher(final) failed", __func__);
344 else
345 fatal("Decryption integrity check failed");
346 }
347 if (cc->encrypt &&
348 !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
349 authlen, dest + aadlen + len))
350 fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__);
351 }
283} 352}
284 353
285void 354void
@@ -351,10 +420,12 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
351 ssh_rijndael_iv(&cc->evp, 0, iv, len); 420 ssh_rijndael_iv(&cc->evp, 0, iv, len);
352 else 421 else
353#endif 422#endif
423#ifndef OPENSSL_HAVE_EVPCTR
354 if (c->evptype == evp_aes_128_ctr) 424 if (c->evptype == evp_aes_128_ctr)
355 ssh_aes_ctr_iv(&cc->evp, 0, iv, len); 425 ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
356 else 426 else
357 memcpy(iv, cc->evp.iv, len); 427#endif
428 memcpy(iv, cc->evp.iv, len);
358 break; 429 break;
359 case SSH_CIPHER_3DES: 430 case SSH_CIPHER_3DES:
360 ssh1_3des_iv(&cc->evp, 0, iv, 24); 431 ssh1_3des_iv(&cc->evp, 0, iv, 24);
@@ -382,10 +453,12 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
382 ssh_rijndael_iv(&cc->evp, 1, iv, evplen); 453 ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
383 else 454 else
384#endif 455#endif
456#ifndef OPENSSL_HAVE_EVPCTR
385 if (c->evptype == evp_aes_128_ctr) 457 if (c->evptype == evp_aes_128_ctr)
386 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); 458 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
387 else 459 else
388 memcpy(cc->evp.iv, iv, evplen); 460#endif
461 memcpy(cc->evp.iv, iv, evplen);
389 break; 462 break;
390 case SSH_CIPHER_3DES: 463 case SSH_CIPHER_3DES:
391 ssh1_3des_iv(&cc->evp, 1, iv, 24); 464 ssh1_3des_iv(&cc->evp, 1, iv, 24);
@@ -395,21 +468,13 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
395 } 468 }
396} 469}
397 470
398#if OPENSSL_VERSION_NUMBER < 0x00907000L
399#define EVP_X_STATE(evp) &(evp).c
400#define EVP_X_STATE_LEN(evp) sizeof((evp).c)
401#else
402#define EVP_X_STATE(evp) (evp).cipher_data
403#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
404#endif
405
406int 471int
407cipher_get_keycontext(const CipherContext *cc, u_char *dat) 472cipher_get_keycontext(const CipherContext *cc, u_char *dat)
408{ 473{
409 Cipher *c = cc->cipher; 474 Cipher *c = cc->cipher;
410 int plen = 0; 475 int plen = 0;
411 476
412 if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { 477 if (c->evptype == EVP_rc4) {
413 plen = EVP_X_STATE_LEN(cc->evp); 478 plen = EVP_X_STATE_LEN(cc->evp);
414 if (dat == NULL) 479 if (dat == NULL)
415 return (plen); 480 return (plen);
@@ -424,7 +489,7 @@ cipher_set_keycontext(CipherContext *cc, u_char *dat)
424 Cipher *c = cc->cipher; 489 Cipher *c = cc->cipher;
425 int plen; 490 int plen;
426 491
427 if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { 492 if (c->evptype == EVP_rc4) {
428 plen = EVP_X_STATE_LEN(cc->evp); 493 plen = EVP_X_STATE_LEN(cc->evp);
429 memcpy(EVP_X_STATE(cc->evp), dat, plen); 494 memcpy(EVP_X_STATE(cc->evp), dat, plen);
430 } 495 }