1 files changed, 116 insertions, 57 deletions
diff --git a/cipher.c b/cipher.c
index 031bda9ec..2def333b1 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.101 2015/12/10 17:08:40 mmcc Exp $ */
+/* $OpenBSD: cipher.c,v 1.102 2016/08/03 05:41:57 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -57,6 +57,15 @@ extern const EVP_CIPHER *evp_ssh1_3des(void);
 extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
 #endif
+struct sshcipher_ctx {
+        int     plaintext;
+        int     encrypt;
+        EVP_CIPHER_CTX *evp;
+        struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
+        struct aesctr_ctx ac_ctx; /* XXX union with evp? */
+        const struct sshcipher *cipher;
+};
 struct sshcipher {
        char    *name;
        int     number;         /* for ssh1 only */
@@ -206,6 +215,18 @@ cipher_is_cbc(const struct sshcipher *c)
 }
 u_int
+cipher_ctx_is_plaintext(struct sshcipher_ctx *cc)
+{
+        return cc->plaintext;
+}
+u_int
+cipher_ctx_get_number(struct sshcipher_ctx *cc)
+{
+        return cc->cipher->number;
+}
+u_int
 cipher_mask_ssh1(int client)
 {
        u_int mask = 0;
@@ -297,65 +318,81 @@ cipher_warning_message(const struct sshcipher_ctx *cc)
 }
 int
-cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
+cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
    const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
    int do_encrypt)
 {
-#ifdef WITH_OPENSSL
+        struct sshcipher_ctx *cc = NULL;
        int ret = SSH_ERR_INTERNAL_ERROR;
+#ifdef WITH_OPENSSL
        const EVP_CIPHER *type;
        int klen;
        u_char *junk, *discard;
+#endif
+        *ccp = NULL;
+        if ((cc = calloc(sizeof(*cc), 1)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
        if (cipher->number == SSH_CIPHER_DES) {
                if (keylen > 8)
                        keylen = 8;
        }
-#endif
        cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
        cc->encrypt = do_encrypt;
        if (keylen < cipher->key_len ||
-            (iv != NULL && ivlen < cipher_ivlen(cipher)))
+            (iv != NULL && ivlen < cipher_ivlen(cipher))) {
-                return SSH_ERR_INVALID_ARGUMENT;
+                ret = SSH_ERR_INVALID_ARGUMENT;
+                goto out;
+        }
        cc->cipher = cipher;
        if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
-                return chachapoly_init(&cc->cp_ctx, key, keylen);
+                ret = chachapoly_init(&cc->cp_ctx, key, keylen);
+                goto out;
        }
 #ifndef WITH_OPENSSL
        if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
                aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
                aesctr_ivsetup(&cc->ac_ctx, iv);
-                return 0;
+                ret = 0;
+                goto out;
        }
-        if ((cc->cipher->flags & CFLAG_NONE) != 0)
+        if ((cc->cipher->flags & CFLAG_NONE) != 0) {
-                return 0;
+                ret = 0;
-        return SSH_ERR_INVALID_ARGUMENT;
+                goto out;
-#else
+        }
+        ret = SSH_ERR_INVALID_ARGUMENT;
+        goto out;
+#else /* WITH_OPENSSL */
        type = (*cipher->evptype)();
-        EVP_CIPHER_CTX_init(&cc->evp);
+        if ((cc->evp = EVP_CIPHER_CTX_new()) == NULL) {
-        if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv,
            (do_encrypt == CIPHER_ENCRYPT)) == 0) {
                ret = SSH_ERR_LIBCRYPTO_ERROR;
-                goto bad;
+                goto out;
        }
        if (cipher_authlen(cipher) &&
-            !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
+            !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
            -1, (u_char *)iv)) {
                ret = SSH_ERR_LIBCRYPTO_ERROR;
-                goto bad;
+                goto out;
        }
-        klen = EVP_CIPHER_CTX_key_length(&cc->evp);
+        klen = EVP_CIPHER_CTX_key_length(cc->evp);
        if (klen > 0 && keylen != (u_int)klen) {
-                if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) {
+                if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) {
                        ret = SSH_ERR_LIBCRYPTO_ERROR;
-                        goto bad;
+                        goto out;
                }
        }
-        if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
+        if (EVP_CipherInit(cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
                ret = SSH_ERR_LIBCRYPTO_ERROR;
-                goto bad;
+                goto out;
        }
        if (cipher->discard_len > 0) {
@@ -363,21 +400,34 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
                    (discard = malloc(cipher->discard_len)) == NULL) {
                        free(junk);
                        ret = SSH_ERR_ALLOC_FAIL;
-                        goto bad;
+                        goto out;
                }
-                ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len);
+                ret = EVP_Cipher(cc->evp, discard, junk, cipher->discard_len);
                explicit_bzero(discard, cipher->discard_len);
                free(junk);
                free(discard);
                if (ret != 1) {
                        ret = SSH_ERR_LIBCRYPTO_ERROR;
- bad:
+                        goto out;
-                        EVP_CIPHER_CTX_cleanup(&cc->evp);
-                        return ret;
                }
        }
-#endif
+        ret = 0;
-        return 0;
+#endif /* WITH_OPENSSL */
+ out:
+        if (ret == 0) {
+                /* success */
+                *ccp = cc;
+        } else {
+                if (cc != NULL) {
+#ifdef WITH_OPENSSL
+                        if (cc->evp != NULL)
+                                EVP_CIPHER_CTX_free(cc->evp);
+#endif /* WITH_OPENSSL */
+                        explicit_bzero(cc, sizeof(*cc));
+                        free(cc);
+                }
+        }
+        return ret;
 }
 /*
@@ -418,33 +468,33 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
                if (authlen != cipher_authlen(cc->cipher))
                        return SSH_ERR_INVALID_ARGUMENT;
                /* increment IV */
-                if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
+                if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
                    1, lastiv))
                        return SSH_ERR_LIBCRYPTO_ERROR;
                /* set tag on decyption */
                if (!cc->encrypt &&
-                    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
+                    !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
                    authlen, (u_char *)src + aadlen + len))
                        return SSH_ERR_LIBCRYPTO_ERROR;
        }
        if (aadlen) {
                if (authlen &&
-                    EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
+                    EVP_Cipher(cc->evp, NULL, (u_char *)src, aadlen) < 0)
                        return SSH_ERR_LIBCRYPTO_ERROR;
                memcpy(dest, src, aadlen);
        }
        if (len % cc->cipher->block_size)
                return SSH_ERR_INVALID_ARGUMENT;
-        if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
+        if (EVP_Cipher(cc->evp, dest + aadlen, (u_char *)src + aadlen,
            len) < 0)
                return SSH_ERR_LIBCRYPTO_ERROR;
        if (authlen) {
                /* compute tag (on encrypt) or verify tag (on decrypt) */
-                if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0)
+                if (EVP_Cipher(cc->evp, NULL, NULL, 0) < 0)
                        return cc->encrypt ?
                            SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
                if (cc->encrypt &&
-                    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
+                    !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG,
                    authlen, dest + aadlen + len))
                        return SSH_ERR_LIBCRYPTO_ERROR;
        }
@@ -466,20 +516,23 @@ cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
        return 0;
 }
-int
+void
-cipher_cleanup(struct sshcipher_ctx *cc)
+cipher_free(struct sshcipher_ctx *cc)
 {
-        if (cc == NULL || cc->cipher == NULL)
+        if (cc == NULL)
-                return 0;
+                return;
        if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
                explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
        else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
                explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
 #ifdef WITH_OPENSSL
-        else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
+        if (cc->evp != NULL) {
-                return SSH_ERR_LIBCRYPTO_ERROR;
+                EVP_CIPHER_CTX_free(cc->evp);
+                cc->evp = NULL;
+        }
 #endif
-        return 0;
+        explicit_bzero(cc, sizeof(*cc));
+        free(cc);
 }
 /*
@@ -487,8 +540,8 @@ cipher_cleanup(struct sshcipher_ctx *cc)
 * passphrase and using the resulting 16 bytes as the key.
 */
 int
-cipher_set_key_string(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
+cipher_set_key_string(struct sshcipher_ctx **ccp,
-    const char *passphrase, int do_encrypt)
+    const struct sshcipher *cipher, const char *passphrase, int do_encrypt)
 {
        u_char digest[16];
        int r = SSH_ERR_INTERNAL_ERROR;
@@ -498,7 +551,7 @@ cipher_set_key_string(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
            digest, sizeof(digest))) != 0)
                goto out;
-        r = cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
+        r = cipher_init(ccp, cipher, digest, 16, NULL, 0, do_encrypt);
 out:
        explicit_bzero(digest, sizeof(digest));
        return r;
@@ -523,7 +576,7 @@ cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
                ivlen = sizeof(cc->ac_ctx.ctr);
 #ifdef WITH_OPENSSL
        else
-                ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+                ivlen = EVP_CIPHER_CTX_iv_length(cc->evp);
 #endif /* WITH_OPENSSL */
        return (ivlen);
 }
@@ -555,7 +608,7 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
        case SSH_CIPHER_SSH2:
        case SSH_CIPHER_DES:
        case SSH_CIPHER_BLOWFISH:
-                evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+                evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
                if (evplen == 0)
                        return 0;
                else if (evplen < 0)
@@ -564,20 +617,20 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
                        return SSH_ERR_INVALID_ARGUMENT;
 #ifndef OPENSSL_HAVE_EVPCTR
                if (c->evptype == evp_aes_128_ctr)
-                        ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
+                        ssh_aes_ctr_iv(cc->evp, 0, iv, len);
                else
 #endif
                if (cipher_authlen(c)) {
-                        if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
+                        if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
                           len, iv))
                               return SSH_ERR_LIBCRYPTO_ERROR;
                } else
-                        memcpy(iv, cc->evp.iv, len);
+                        memcpy(iv, cc->evp->iv, len);
                break;
 #endif
 #ifdef WITH_SSH1
        case SSH_CIPHER_3DES:
-                return ssh1_3des_iv(&cc->evp, 0, iv, 24);
+                return ssh1_3des_iv(cc->evp, 0, iv, 24);
 #endif
        default:
                return SSH_ERR_INVALID_ARGUMENT;
@@ -603,21 +656,27 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
        case SSH_CIPHER_SSH2:
        case SSH_CIPHER_DES:
        case SSH_CIPHER_BLOWFISH:
-                evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+                evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
                if (evplen <= 0)
                        return SSH_ERR_LIBCRYPTO_ERROR;
+#ifndef OPENSSL_HAVE_EVPCTR
+                /* XXX iv arg is const, but ssh_aes_ctr_iv isn't */
+                if (c->evptype == evp_aes_128_ctr)
+                        ssh_aes_ctr_iv(cc->evp, 1, (u_char *)iv, evplen);
+                else
+#endif
                if (cipher_authlen(c)) {
                        /* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
-                        if (!EVP_CIPHER_CTX_ctrl(&cc->evp,
+                        if (!EVP_CIPHER_CTX_ctrl(cc->evp,
                            EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
                                return SSH_ERR_LIBCRYPTO_ERROR;
                } else
-                        memcpy(cc->evp.iv, iv, evplen);
+                        memcpy(cc->evp->iv, iv, evplen);
                break;
 #endif
 #ifdef WITH_SSH1
        case SSH_CIPHER_3DES:
-                return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
+                return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24);
 #endif
        default:
                return SSH_ERR_INVALID_ARGUMENT;
@@ -626,8 +685,8 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
 }
 #ifdef WITH_OPENSSL
-#define EVP_X_STATE(evp)        (evp).cipher_data
+#define EVP_X_STATE(evp)        (evp)->cipher_data
-#define EVP_X_STATE_LEN(evp)    (evp).cipher->ctx_size
+#define EVP_X_STATE_LEN(evp)    (evp)->cipher->ctx_size
 #endif
 int

diff --git a/cipher.c b/cipher.c index 031bda9ec..2def333b1 100644 --- a/cipher.c +++ b/cipher.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cipher.c,v 1.101 2015/12/10 17:08:40 mmcc Exp $ */	1	/* $OpenBSD: cipher.c,v 1.102 2016/08/03 05:41:57 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -57,6 +57,15 @@ extern const EVP_CIPHER *evp_ssh1_3des(void);
57	extern int ssh1_3des_iv(EVP_CIPHER_CTX , int, u_char , int);	57	extern int ssh1_3des_iv(EVP_CIPHER_CTX , int, u_char , int);
58	#endif	58	#endif
59		59
		60	struct sshcipher_ctx {
		61	int plaintext;
		62	int encrypt;
		63	EVP_CIPHER_CTX *evp;
		64	struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
		65	struct aesctr_ctx ac_ctx; /* XXX union with evp? */
		66	const struct sshcipher *cipher;
		67	};
		68
60	struct sshcipher {	69	struct sshcipher {
61	char *name;	70	char *name;
62	int number; /* for ssh1 only */	71	int number; /* for ssh1 only */
@@ -206,6 +215,18 @@ cipher_is_cbc(const struct sshcipher *c)
206	}	215	}
207		216
208	u_int	217	u_int
		218	cipher_ctx_is_plaintext(struct sshcipher_ctx *cc)
		219	{
		220	return cc->plaintext;
		221	}
		222
		223	u_int
		224	cipher_ctx_get_number(struct sshcipher_ctx *cc)
		225	{
		226	return cc->cipher->number;
		227	}
		228
		229	u_int
209	cipher_mask_ssh1(int client)	230	cipher_mask_ssh1(int client)
210	{	231	{
211	u_int mask = 0;	232	u_int mask = 0;
@@ -297,65 +318,81 @@ cipher_warning_message(const struct sshcipher_ctx *cc)
297	}	318	}
298		319
299	int	320	int
300	cipher_init(struct sshcipher_ctx cc, const struct sshcipher cipher,	321	cipher_init(struct sshcipher_ctx *ccp, const struct sshcipher cipher,
301	const u_char key, u_int keylen, const u_char iv, u_int ivlen,	322	const u_char key, u_int keylen, const u_char iv, u_int ivlen,
302	int do_encrypt)	323	int do_encrypt)
303	{	324	{
304	#ifdef WITH_OPENSSL	325	struct sshcipher_ctx *cc = NULL;
305	int ret = SSH_ERR_INTERNAL_ERROR;	326	int ret = SSH_ERR_INTERNAL_ERROR;
		327	#ifdef WITH_OPENSSL
306	const EVP_CIPHER *type;	328	const EVP_CIPHER *type;
307	int klen;	329	int klen;
308	u_char junk, discard;	330	u_char junk, discard;
		331	#endif
		332
		333	*ccp = NULL;
		334	if ((cc = calloc(sizeof(*cc), 1)) == NULL)
		335	return SSH_ERR_ALLOC_FAIL;
309		336
310	if (cipher->number == SSH_CIPHER_DES) {	337	if (cipher->number == SSH_CIPHER_DES) {
311	if (keylen > 8)	338	if (keylen > 8)
312	keylen = 8;	339	keylen = 8;
313	}	340	}
314	#endif	341
315	cc->plaintext = (cipher->number == SSH_CIPHER_NONE);	342	cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
316	cc->encrypt = do_encrypt;	343	cc->encrypt = do_encrypt;
317		344
318	if (keylen < cipher->key_len \|\|	345	if (keylen < cipher->key_len \|\|
319	(iv != NULL && ivlen < cipher_ivlen(cipher)))	346	(iv != NULL && ivlen < cipher_ivlen(cipher))) {
320	return SSH_ERR_INVALID_ARGUMENT;	347	ret = SSH_ERR_INVALID_ARGUMENT;
		348	goto out;
		349	}
321		350
322	cc->cipher = cipher;	351	cc->cipher = cipher;
323	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {	352	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
324	return chachapoly_init(&cc->cp_ctx, key, keylen);	353	ret = chachapoly_init(&cc->cp_ctx, key, keylen);
		354	goto out;
325	}	355	}
326	#ifndef WITH_OPENSSL	356	#ifndef WITH_OPENSSL
327	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {	357	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
328	aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);	358	aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
329	aesctr_ivsetup(&cc->ac_ctx, iv);	359	aesctr_ivsetup(&cc->ac_ctx, iv);
330	return 0;	360	ret = 0;
		361	goto out;
331	}	362	}
332	if ((cc->cipher->flags & CFLAG_NONE) != 0)	363	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
333	return 0;	364	ret = 0;
334	return SSH_ERR_INVALID_ARGUMENT;	365	goto out;
335	#else	366	}
		367	ret = SSH_ERR_INVALID_ARGUMENT;
		368	goto out;
		369	#else /* WITH_OPENSSL */
336	type = (*cipher->evptype)();	370	type = (*cipher->evptype)();
337	EVP_CIPHER_CTX_init(&cc->evp);	371	if ((cc->evp = EVP_CIPHER_CTX_new()) == NULL) {
338	if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,	372	ret = SSH_ERR_ALLOC_FAIL;
		373	goto out;
		374	}
		375	if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv,
339	(do_encrypt == CIPHER_ENCRYPT)) == 0) {	376	(do_encrypt == CIPHER_ENCRYPT)) == 0) {
340	ret = SSH_ERR_LIBCRYPTO_ERROR;	377	ret = SSH_ERR_LIBCRYPTO_ERROR;
341	goto bad;	378	goto out;
342	}	379	}
343	if (cipher_authlen(cipher) &&	380	if (cipher_authlen(cipher) &&
344	!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,	381	!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
345	-1, (u_char *)iv)) {	382	-1, (u_char *)iv)) {
346	ret = SSH_ERR_LIBCRYPTO_ERROR;	383	ret = SSH_ERR_LIBCRYPTO_ERROR;
347	goto bad;	384	goto out;
348	}	385	}
349	klen = EVP_CIPHER_CTX_key_length(&cc->evp);	386	klen = EVP_CIPHER_CTX_key_length(cc->evp);
350	if (klen > 0 && keylen != (u_int)klen) {	387	if (klen > 0 && keylen != (u_int)klen) {
351	if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) {	388	if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) {
352	ret = SSH_ERR_LIBCRYPTO_ERROR;	389	ret = SSH_ERR_LIBCRYPTO_ERROR;
353	goto bad;	390	goto out;
354	}	391	}
355	}	392	}
356	if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {	393	if (EVP_CipherInit(cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
357	ret = SSH_ERR_LIBCRYPTO_ERROR;	394	ret = SSH_ERR_LIBCRYPTO_ERROR;
358	goto bad;	395	goto out;
359	}	396	}
360		397
361	if (cipher->discard_len > 0) {	398	if (cipher->discard_len > 0) {
@@ -363,21 +400,34 @@ cipher_init(struct sshcipher_ctx cc, const struct sshcipher cipher,
363	(discard = malloc(cipher->discard_len)) == NULL) {	400	(discard = malloc(cipher->discard_len)) == NULL) {
364	free(junk);	401	free(junk);
365	ret = SSH_ERR_ALLOC_FAIL;	402	ret = SSH_ERR_ALLOC_FAIL;
366	goto bad;	403	goto out;
367	}	404	}
368	ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len);	405	ret = EVP_Cipher(cc->evp, discard, junk, cipher->discard_len);
369	explicit_bzero(discard, cipher->discard_len);	406	explicit_bzero(discard, cipher->discard_len);
370	free(junk);	407	free(junk);
371	free(discard);	408	free(discard);
372	if (ret != 1) {	409	if (ret != 1) {
373	ret = SSH_ERR_LIBCRYPTO_ERROR;	410	ret = SSH_ERR_LIBCRYPTO_ERROR;
374	bad:	411	goto out;
375	EVP_CIPHER_CTX_cleanup(&cc->evp);
376	return ret;
377	}	412	}
378	}	413	}
379	#endif	414	ret = 0;
380	return 0;	415	#endif /* WITH_OPENSSL */
		416	out:
		417	if (ret == 0) {
		418	/* success */
		419	*ccp = cc;
		420	} else {
		421	if (cc != NULL) {
		422	#ifdef WITH_OPENSSL
		423	if (cc->evp != NULL)
		424	EVP_CIPHER_CTX_free(cc->evp);
		425	#endif /* WITH_OPENSSL */
		426	explicit_bzero(cc, sizeof(*cc));
		427	free(cc);
		428	}
		429	}
		430	return ret;
381	}	431	}
382		432
383	/*	433	/*
@@ -418,33 +468,33 @@ cipher_crypt(struct sshcipher_ctx cc, u_int seqnr, u_char dest,
418	if (authlen != cipher_authlen(cc->cipher))	468	if (authlen != cipher_authlen(cc->cipher))
419	return SSH_ERR_INVALID_ARGUMENT;	469	return SSH_ERR_INVALID_ARGUMENT;
420	/* increment IV */	470	/* increment IV */
421	if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,	471	if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
422	1, lastiv))	472	1, lastiv))
423	return SSH_ERR_LIBCRYPTO_ERROR;	473	return SSH_ERR_LIBCRYPTO_ERROR;
424	/* set tag on decyption */	474	/* set tag on decyption */
425	if (!cc->encrypt &&	475	if (!cc->encrypt &&
426	!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,	476	!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
427	authlen, (u_char *)src + aadlen + len))	477	authlen, (u_char *)src + aadlen + len))
428	return SSH_ERR_LIBCRYPTO_ERROR;	478	return SSH_ERR_LIBCRYPTO_ERROR;
429	}	479	}
430	if (aadlen) {	480	if (aadlen) {
431	if (authlen &&	481	if (authlen &&
432	EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)	482	EVP_Cipher(cc->evp, NULL, (u_char *)src, aadlen) < 0)
433	return SSH_ERR_LIBCRYPTO_ERROR;	483	return SSH_ERR_LIBCRYPTO_ERROR;
434	memcpy(dest, src, aadlen);	484	memcpy(dest, src, aadlen);
435	}	485	}
436	if (len % cc->cipher->block_size)	486	if (len % cc->cipher->block_size)
437	return SSH_ERR_INVALID_ARGUMENT;	487	return SSH_ERR_INVALID_ARGUMENT;
438	if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,	488	if (EVP_Cipher(cc->evp, dest + aadlen, (u_char *)src + aadlen,
439	len) < 0)	489	len) < 0)
440	return SSH_ERR_LIBCRYPTO_ERROR;	490	return SSH_ERR_LIBCRYPTO_ERROR;
441	if (authlen) {	491	if (authlen) {
442	/* compute tag (on encrypt) or verify tag (on decrypt) */	492	/* compute tag (on encrypt) or verify tag (on decrypt) */
443	if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0)	493	if (EVP_Cipher(cc->evp, NULL, NULL, 0) < 0)
444	return cc->encrypt ?	494	return cc->encrypt ?
445	SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;	495	SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
446	if (cc->encrypt &&	496	if (cc->encrypt &&
447	!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,	497	!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG,
448	authlen, dest + aadlen + len))	498	authlen, dest + aadlen + len))
449	return SSH_ERR_LIBCRYPTO_ERROR;	499	return SSH_ERR_LIBCRYPTO_ERROR;
450	}	500	}
@@ -466,20 +516,23 @@ cipher_get_length(struct sshcipher_ctx cc, u_int plenp, u_int seqnr,
466	return 0;	516	return 0;
467	}	517	}
468		518
469	int	519	void
470	cipher_cleanup(struct sshcipher_ctx *cc)	520	cipher_free(struct sshcipher_ctx *cc)
471	{	521	{
472	if (cc == NULL \|\| cc->cipher == NULL)	522	if (cc == NULL)
473	return 0;	523	return;
474	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)	524	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
475	explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));	525	explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
476	else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)	526	else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
477	explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));	527	explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
478	#ifdef WITH_OPENSSL	528	#ifdef WITH_OPENSSL
479	else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)	529	if (cc->evp != NULL) {
480	return SSH_ERR_LIBCRYPTO_ERROR;	530	EVP_CIPHER_CTX_free(cc->evp);
		531	cc->evp = NULL;
		532	}
481	#endif	533	#endif
482	return 0;	534	explicit_bzero(cc, sizeof(*cc));
		535	free(cc);
483	}	536	}
484		537
485	/*	538	/*
@@ -487,8 +540,8 @@ cipher_cleanup(struct sshcipher_ctx *cc)
487	* passphrase and using the resulting 16 bytes as the key.	540	* passphrase and using the resulting 16 bytes as the key.
488	*/	541	*/
489	int	542	int
490	cipher_set_key_string(struct sshcipher_ctx cc, const struct sshcipher cipher,	543	cipher_set_key_string(struct sshcipher_ctx **ccp,
491	const char *passphrase, int do_encrypt)	544	const struct sshcipher cipher, const char passphrase, int do_encrypt)
492	{	545	{
493	u_char digest[16];	546	u_char digest[16];
494	int r = SSH_ERR_INTERNAL_ERROR;	547	int r = SSH_ERR_INTERNAL_ERROR;
@@ -498,7 +551,7 @@ cipher_set_key_string(struct sshcipher_ctx cc, const struct sshcipher cipher,
498	digest, sizeof(digest))) != 0)	551	digest, sizeof(digest))) != 0)
499	goto out;	552	goto out;
500		553
501	r = cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);	554	r = cipher_init(ccp, cipher, digest, 16, NULL, 0, do_encrypt);
502	out:	555	out:
503	explicit_bzero(digest, sizeof(digest));	556	explicit_bzero(digest, sizeof(digest));
504	return r;	557	return r;
@@ -523,7 +576,7 @@ cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
523	ivlen = sizeof(cc->ac_ctx.ctr);	576	ivlen = sizeof(cc->ac_ctx.ctr);
524	#ifdef WITH_OPENSSL	577	#ifdef WITH_OPENSSL
525	else	578	else
526	ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);	579	ivlen = EVP_CIPHER_CTX_iv_length(cc->evp);
527	#endif /* WITH_OPENSSL */	580	#endif /* WITH_OPENSSL */
528	return (ivlen);	581	return (ivlen);
529	}	582	}
@@ -555,7 +608,7 @@ cipher_get_keyiv(struct sshcipher_ctx cc, u_char iv, u_int len)
555	case SSH_CIPHER_SSH2:	608	case SSH_CIPHER_SSH2:
556	case SSH_CIPHER_DES:	609	case SSH_CIPHER_DES:
557	case SSH_CIPHER_BLOWFISH:	610	case SSH_CIPHER_BLOWFISH:
558	evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);	611	evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
559	if (evplen == 0)	612	if (evplen == 0)
560	return 0;	613	return 0;
561	else if (evplen < 0)	614	else if (evplen < 0)
@@ -564,20 +617,20 @@ cipher_get_keyiv(struct sshcipher_ctx cc, u_char iv, u_int len)
564	return SSH_ERR_INVALID_ARGUMENT;	617	return SSH_ERR_INVALID_ARGUMENT;
565	#ifndef OPENSSL_HAVE_EVPCTR	618	#ifndef OPENSSL_HAVE_EVPCTR
566	if (c->evptype == evp_aes_128_ctr)	619	if (c->evptype == evp_aes_128_ctr)
567	ssh_aes_ctr_iv(&cc->evp, 0, iv, len);	620	ssh_aes_ctr_iv(cc->evp, 0, iv, len);
568	else	621	else
569	#endif	622	#endif
570	if (cipher_authlen(c)) {	623	if (cipher_authlen(c)) {
571	if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,	624	if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
572	len, iv))	625	len, iv))
573	return SSH_ERR_LIBCRYPTO_ERROR;	626	return SSH_ERR_LIBCRYPTO_ERROR;
574	} else	627	} else
575	memcpy(iv, cc->evp.iv, len);	628	memcpy(iv, cc->evp->iv, len);
576	break;	629	break;
577	#endif	630	#endif
578	#ifdef WITH_SSH1	631	#ifdef WITH_SSH1
579	case SSH_CIPHER_3DES:	632	case SSH_CIPHER_3DES:
580	return ssh1_3des_iv(&cc->evp, 0, iv, 24);	633	return ssh1_3des_iv(cc->evp, 0, iv, 24);
581	#endif	634	#endif
582	default:	635	default:
583	return SSH_ERR_INVALID_ARGUMENT;	636	return SSH_ERR_INVALID_ARGUMENT;
@@ -603,21 +656,27 @@ cipher_set_keyiv(struct sshcipher_ctx cc, const u_char iv)
603	case SSH_CIPHER_SSH2:	656	case SSH_CIPHER_SSH2:
604	case SSH_CIPHER_DES:	657	case SSH_CIPHER_DES:
605	case SSH_CIPHER_BLOWFISH:	658	case SSH_CIPHER_BLOWFISH:
606	evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);	659	evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
607	if (evplen <= 0)	660	if (evplen <= 0)
608	return SSH_ERR_LIBCRYPTO_ERROR;	661	return SSH_ERR_LIBCRYPTO_ERROR;
		662	#ifndef OPENSSL_HAVE_EVPCTR
		663	/* XXX iv arg is const, but ssh_aes_ctr_iv isn't */
		664	if (c->evptype == evp_aes_128_ctr)
		665	ssh_aes_ctr_iv(cc->evp, 1, (u_char *)iv, evplen);
		666	else
		667	#endif
609	if (cipher_authlen(c)) {	668	if (cipher_authlen(c)) {
610	/* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */	669	/* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
611	if (!EVP_CIPHER_CTX_ctrl(&cc->evp,	670	if (!EVP_CIPHER_CTX_ctrl(cc->evp,
612	EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))	671	EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
613	return SSH_ERR_LIBCRYPTO_ERROR;	672	return SSH_ERR_LIBCRYPTO_ERROR;
614	} else	673	} else
615	memcpy(cc->evp.iv, iv, evplen);	674	memcpy(cc->evp->iv, iv, evplen);
616	break;	675	break;
617	#endif	676	#endif
618	#ifdef WITH_SSH1	677	#ifdef WITH_SSH1
619	case SSH_CIPHER_3DES:	678	case SSH_CIPHER_3DES:
620	return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);	679	return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24);
621	#endif	680	#endif
622	default:	681	default:
623	return SSH_ERR_INVALID_ARGUMENT;	682	return SSH_ERR_INVALID_ARGUMENT;
@@ -626,8 +685,8 @@ cipher_set_keyiv(struct sshcipher_ctx cc, const u_char iv)
626	}	685	}
627		686
628	#ifdef WITH_OPENSSL	687	#ifdef WITH_OPENSSL
629	#define EVP_X_STATE(evp) (evp).cipher_data	688	#define EVP_X_STATE(evp) (evp)->cipher_data
630	#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size	689	#define EVP_X_STATE_LEN(evp) (evp)->cipher->ctx_size
631	#endif	690	#endif
632		691
633	int	692	int