[openssh.git] / cipher.c

/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 *
 * Copyright (c) 1999 Niels Provos.  All rights reserved.
 * Copyright (c) 1999, 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: cipher.c,v 1.64 2003/05/15 03:08:29 markus Exp $");

#include "xmalloc.h"
#include "log.h"
#include "cipher.h"

#include <openssl/md5.h>

#if OPENSSL_VERSION_NUMBER < 0x00906000L
#define SSH_OLD_EVP
#define EVP_CIPHER_CTX_get_app_data(e)          ((e)->app_data)
#endif

#if OPENSSL_VERSION_NUMBER < 0x00907000L
extern const EVP_CIPHER *evp_rijndael(void);
extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
#endif
extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void);
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);

struct Cipher {
	char	*name;
	int	number;		/* for ssh1 only */
	u_int	block_size;
	u_int	key_len;
	const EVP_CIPHER	*(*evptype)(void);
} ciphers[] = {
	{ "none", 		SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
	{ "des", 		SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
	{ "3des", 		SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
	{ "blowfish", 		SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },

	{ "3des-cbc", 		SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
	{ "blowfish-cbc", 	SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
	{ "cast128-cbc", 	SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
	{ "arcfour", 		SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
#if OPENSSL_VERSION_NUMBER < 0x00907000L
	{ "aes128-cbc", 	SSH_CIPHER_SSH2, 16, 16, evp_rijndael },
	{ "aes192-cbc", 	SSH_CIPHER_SSH2, 16, 24, evp_rijndael },
	{ "aes256-cbc", 	SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
	{ "rijndael-cbc@lysator.liu.se",
				SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
#else
	{ "aes128-cbc",		SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc },
	{ "aes192-cbc",		SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc },
	{ "aes256-cbc",		SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
	{ "rijndael-cbc@lysator.liu.se",
				SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
#endif

	{ NULL,			SSH_CIPHER_ILLEGAL, 0, 0, NULL }
};

/*--*/

u_int
cipher_blocksize(Cipher *c)
{
	return (c->block_size);
}

u_int
cipher_keylen(Cipher *c)
{
	return (c->key_len);
}

u_int
cipher_get_number(Cipher *c)
{
	return (c->number);
}

u_int
cipher_mask_ssh1(int client)
{
	u_int mask = 0;
	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
	mask |= 1 << SSH_CIPHER_BLOWFISH;
	if (client) {
		mask |= 1 << SSH_CIPHER_DES;
	}
	return mask;
}

Cipher *
cipher_by_name(const char *name)
{
	Cipher *c;
	for (c = ciphers; c->name != NULL; c++)
		if (strcasecmp(c->name, name) == 0)
			return c;
	return NULL;
}

Cipher *
cipher_by_number(int id)
{
	Cipher *c;
	for (c = ciphers; c->name != NULL; c++)
		if (c->number == id)
			return c;
	return NULL;
}

#define	CIPHER_SEP	","
int
ciphers_valid(const char *names)
{
	Cipher *c;
	char *ciphers, *cp;
	char *p;

	if (names == NULL || strcmp(names, "") == 0)
		return 0;
	ciphers = cp = xstrdup(names);
	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
	    (p = strsep(&cp, CIPHER_SEP))) {
		c = cipher_by_name(p);
		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
			debug("bad cipher %s [%s]", p, names);
			xfree(ciphers);
			return 0;
		} else {
			debug3("cipher ok: %s [%s]", p, names);
		}
	}
	debug3("ciphers ok: [%s]", names);
	xfree(ciphers);
	return 1;
}

/*
 * Parses the name of the cipher.  Returns the number of the corresponding
 * cipher, or -1 on error.
 */

int
cipher_number(const char *name)
{
	Cipher *c;
	if (name == NULL)
		return -1;
	c = cipher_by_name(name);
	return (c==NULL) ? -1 : c->number;
}

char *
cipher_name(int id)
{
	Cipher *c = cipher_by_number(id);
	return (c==NULL) ? "<unknown>" : c->name;
}

void
cipher_init(CipherContext *cc, Cipher *cipher,
    const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
    int encrypt)
{
	static int dowarn = 1;
#ifdef SSH_OLD_EVP
	EVP_CIPHER *type;
#else
	const EVP_CIPHER *type;
#endif
	int klen;

	if (cipher->number == SSH_CIPHER_DES) {
		if (dowarn) {
			error("Warning: use of DES is strongly discouraged "
			    "due to cryptographic weaknesses");
			dowarn = 0;
		}
		if (keylen > 8)
			keylen = 8;
	}
	cc->plaintext = (cipher->number == SSH_CIPHER_NONE);

	if (keylen < cipher->key_len)
		fatal("cipher_init: key length %d is insufficient for %s.",
		    keylen, cipher->name);
	if (iv != NULL && ivlen < cipher->block_size)
		fatal("cipher_init: iv length %d is insufficient for %s.",
		    ivlen, cipher->name);
	cc->cipher = cipher;

	type = (*cipher->evptype)();

	EVP_CIPHER_CTX_init(&cc->evp);
#ifdef SSH_OLD_EVP
	if (type->key_len > 0 && type->key_len != keylen) {
		debug("cipher_init: set keylen (%d -> %d)",
		    type->key_len, keylen);
		type->key_len = keylen;
	}
	EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv,
	    (encrypt == CIPHER_ENCRYPT));
#else
	if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
	    (encrypt == CIPHER_ENCRYPT)) == 0)
		fatal("cipher_init: EVP_CipherInit failed for %s",
		    cipher->name);
	klen = EVP_CIPHER_CTX_key_length(&cc->evp);
	if (klen > 0 && keylen != klen) {
		debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
		if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
			fatal("cipher_init: set keylen failed (%d -> %d)",
			    klen, keylen);
	}
	if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
		fatal("cipher_init: EVP_CipherInit: set key failed for %s",
		    cipher->name);
#endif
}

void
cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
	if (len % cc->cipher->block_size)
		fatal("cipher_encrypt: bad plaintext length %d", len);
#ifdef SSH_OLD_EVP
	EVP_Cipher(&cc->evp, dest, (u_char *)src, len);
#else
	if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
		fatal("evp_crypt: EVP_Cipher failed");
#endif
}

void
cipher_cleanup(CipherContext *cc)
{
#ifdef SSH_OLD_EVP
	EVP_CIPHER_CTX_cleanup(&cc->evp);
#else
	if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
		error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
#endif
}

/*
 * Selects the cipher, and keys if by computing the MD5 checksum of the
 * passphrase and using the resulting 16 bytes as the key.
 */

void
cipher_set_key_string(CipherContext *cc, Cipher *cipher,
    const char *passphrase, int encrypt)
{
	MD5_CTX md;
	u_char digest[16];

	MD5_Init(&md);
	MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
	MD5_Final(digest, &md);

	cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt);

	memset(digest, 0, sizeof(digest));
	memset(&md, 0, sizeof(md));
}

/*
 * Exports an IV from the CipherContext required to export the key
 * state back from the unprivileged child to the privileged parent
 * process.
 */

int
cipher_get_keyiv_len(CipherContext *cc)
{
	Cipher *c = cc->cipher;
	int ivlen;

	if (c->number == SSH_CIPHER_3DES)
		ivlen = 24;
	else
		ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
	return (ivlen);
}

void
cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
{
	Cipher *c = cc->cipher;
	int evplen;

	switch (c->number) {
	case SSH_CIPHER_SSH2:
	case SSH_CIPHER_DES:
	case SSH_CIPHER_BLOWFISH:
		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
		if (evplen == 0)
			return;
		if (evplen != len)
			fatal("%s: wrong iv length %d != %d", __func__,
			    evplen, len);
#if OPENSSL_VERSION_NUMBER < 0x00907000L
		if (c->evptype == evp_rijndael)
			ssh_rijndael_iv(&cc->evp, 0, iv, len);
		else
#endif
			memcpy(iv, cc->evp.iv, len);
		break;
	case SSH_CIPHER_3DES:
		ssh1_3des_iv(&cc->evp, 0, iv, 24);
		break;
	default:
		fatal("%s: bad cipher %d", __func__, c->number);
	}
}

void
cipher_set_keyiv(CipherContext *cc, u_char *iv)
{
	Cipher *c = cc->cipher;
	int evplen = 0;

	switch (c->number) {
	case SSH_CIPHER_SSH2:
	case SSH_CIPHER_DES:
	case SSH_CIPHER_BLOWFISH:
		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
		if (evplen == 0)
			return;
#if OPENSSL_VERSION_NUMBER < 0x00907000L
		if (c->evptype == evp_rijndael)
			ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
		else
#endif
			memcpy(cc->evp.iv, iv, evplen);
		break;
	case SSH_CIPHER_3DES:
		ssh1_3des_iv(&cc->evp, 1, iv, 24);
		break;
	default:
		fatal("%s: bad cipher %d", __func__, c->number);
	}
}

#if OPENSSL_VERSION_NUMBER < 0x00907000L
#define EVP_X_STATE(evp)	&(evp).c
#define EVP_X_STATE_LEN(evp)	sizeof((evp).c)
#else
#define EVP_X_STATE(evp)	(evp).cipher_data
#define EVP_X_STATE_LEN(evp)	(evp).cipher->ctx_size
#endif

int
cipher_get_keycontext(CipherContext *cc, u_char *dat)
{
	Cipher *c = cc->cipher;
	int plen = 0;

	if (c->evptype == EVP_rc4) {
		plen = EVP_X_STATE_LEN(cc->evp);
		if (dat == NULL)
			return (plen);
		memcpy(dat, EVP_X_STATE(cc->evp), plen);
	}
	return (plen);
}

void
cipher_set_keycontext(CipherContext *cc, u_char *dat)
{
	Cipher *c = cc->cipher;
	int plen;

	if (c->evptype == EVP_rc4) {
		plen = EVP_X_STATE_LEN(cc->evp);
		memcpy(EVP_X_STATE(cc->evp), dat, plen);
	}
}
Commit	Line	Data
8efc0c15	1	/*
5260325f	2	* Author: Tatu Ylonen <ylo@cs.hut.fi>
5260325f	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5260325f	4	* All rights reserved
6ae2364d	5	*
bcbf86ec	6	* As far as I am concerned, the code I have written for this software
	7	* can be used freely for any purpose. Any derived versions of this
	8	* software must be clearly marked as such, and if the derived work is
	9	* incompatible with the protocol description in the RFC file, it must be
	10	* called by a name other than "ssh" or "Secure Shell".
	11	*
	12	*
	13	* Copyright (c) 1999 Niels Provos. All rights reserved.
a96070d4	14	* Copyright (c) 1999, 2000 Markus Friedl. All rights reserved.
bcbf86ec	15	*
	16	* Redistribution and use in source and binary forms, with or without
	17	* modification, are permitted provided that the following conditions
	18	* are met:
	19	* 1. Redistributions of source code must retain the above copyright
	20	* notice, this list of conditions and the following disclaimer.
	21	* 2. Redistributions in binary form must reproduce the above copyright
	22	* notice, this list of conditions and the following disclaimer in the
	23	* documentation and/or other materials provided with the distribution.
6ae2364d	24	*
bcbf86ec	25	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	26	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	27	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	28	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	29	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	30	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	31	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	32	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	33	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	34	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
5260325f	35	*/
8efc0c15	36
8efc0c15	37	#include "includes.h"
3b6e3da9	38	RCSID("$OpenBSD: cipher.c,v 1.64 2003/05/15 03:08:29 markus Exp $");
8efc0c15	39
a8be9f80	40	#include "xmalloc.h"
42f11eb2	41	#include "log.h"
42f11eb2	42	#include "cipher.h"
8efc0c15	43
8efc0c15	44	#include <openssl/md5.h>
70fc1609	45
a068d86f	46	#if OPENSSL_VERSION_NUMBER < 0x00906000L
	47	#define SSH_OLD_EVP
	48	#define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
	49	#endif
	50
135247df	51	#if OPENSSL_VERSION_NUMBER < 0x00907000L
3b6e3da9	52	extern const EVP_CIPHER *evp_rijndael(void);
3b6e3da9	53	extern void ssh_rijndael_iv(EVP_CIPHER_CTX , int, u_char , u_int);
135247df	54	#endif
3b6e3da9	55	extern const EVP_CIPHER *evp_ssh1_bf(void);
	56	extern const EVP_CIPHER *evp_ssh1_3des(void);
	57	extern void ssh1_3des_iv(EVP_CIPHER_CTX , int, u_char , int);
8efc0c15	58
3ee832e5	59	struct Cipher {
	60	char *name;
	61	int number; /* for ssh1 only */
	62	u_int block_size;
	63	u_int key_len;
7b5edc2b	64	const EVP_CIPHER (evptype)(void);
70fc1609	65	} ciphers[] = {
	66	{ "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
	67	{ "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
	68	{ "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
	69	{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },
	70
	71	{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
	72	{ "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
	73	{ "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
	74	{ "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
135247df	75	#if OPENSSL_VERSION_NUMBER < 0x00907000L
70fc1609	76	{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael },
	77	{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael },
	78	{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
bf03f2da	79	{ "rijndael-cbc@lysator.liu.se",
bf03f2da	80	SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
135247df	81	#else
	82	{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc },
	83	{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc },
	84	{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
	85	{ "rijndael-cbc@lysator.liu.se",
	86	SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
	87	#endif
70fc1609	88
70fc1609	89	{ NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL }
94ec8c6b	90	};
	91
	92	/--/
	93
762715ce	94	u_int
3ee832e5	95	cipher_blocksize(Cipher *c)
	96	{
	97	return (c->block_size);
	98	}
3ddc795d	99
762715ce	100	u_int
3ee832e5	101	cipher_keylen(Cipher *c)
	102	{
	103	return (c->key_len);
	104	}
3ddc795d	105
762715ce	106	u_int
bf8269a9	107	cipher_get_number(Cipher *c)
	108	{
	109	return (c->number);
	110	}
3ee832e5	111
1e3b8b07	112	u_int
94ec8c6b	113	cipher_mask_ssh1(int client)
8ce64345	114	{
1e3b8b07	115	u_int mask = 0;
184eed6a	116	mask \|= 1 << SSH_CIPHER_3DES; /* Mandatory */
94ec8c6b	117	mask \|= 1 << SSH_CIPHER_BLOWFISH;
	118	if (client) {
	119	mask \|= 1 << SSH_CIPHER_DES;
	120	}
5260325f	121	return mask;
8efc0c15	122	}
94ec8c6b	123
	124	Cipher *
	125	cipher_by_name(const char *name)
8ce64345	126	{
94ec8c6b	127	Cipher *c;
	128	for (c = ciphers; c->name != NULL; c++)
	129	if (strcasecmp(c->name, name) == 0)
	130	return c;
	131	return NULL;
8ce64345	132	}
8efc0c15	133
94ec8c6b	134	Cipher *
94ec8c6b	135	cipher_by_number(int id)
8efc0c15	136	{
94ec8c6b	137	Cipher *c;
	138	for (c = ciphers; c->name != NULL; c++)
	139	if (c->number == id)
	140	return c;
	141	return NULL;
8efc0c15	142	}
8efc0c15	143
a8be9f80	144	#define CIPHER_SEP ","
	145	int
	146	ciphers_valid(const char *names)
	147	{
94ec8c6b	148	Cipher *c;
089fbbd2	149	char ciphers, cp;
a8be9f80	150	char *p;
a8be9f80	151
71276795	152	if (names == NULL \|\| strcmp(names, "") == 0)
a8be9f80	153	return 0;
089fbbd2	154	ciphers = cp = xstrdup(names);
94ec8c6b	155	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
184eed6a	156	(p = strsep(&cp, CIPHER_SEP))) {
94ec8c6b	157	c = cipher_by_name(p);
	158	if (c == NULL \|\| c->number != SSH_CIPHER_SSH2) {
	159	debug("bad cipher %s [%s]", p, names);
a8be9f80	160	xfree(ciphers);
a8be9f80	161	return 0;
94ec8c6b	162	} else {
33de75a3	163	debug3("cipher ok: %s [%s]", p, names);
a8be9f80	164	}
a8be9f80	165	}
33de75a3	166	debug3("ciphers ok: [%s]", names);
a8be9f80	167	xfree(ciphers);
	168	return 1;
	169	}
	170
aa3378df	171	/*
	172	* Parses the name of the cipher. Returns the number of the corresponding
	173	* cipher, or -1 on error.
	174	*/
8efc0c15	175
	176	int
	177	cipher_number(const char *name)
	178	{
94ec8c6b	179	Cipher *c;
71276795	180	if (name == NULL)
71276795	181	return -1;
94ec8c6b	182	c = cipher_by_name(name);
	183	return (c==NULL) ? -1 : c->number;
	184	}
	185
	186	char *
	187	cipher_name(int id)
	188	{
	189	Cipher *c = cipher_by_number(id);
	190	return (c==NULL) ? "<unknown>" : c->name;
	191	}
	192
	193	void
70fc1609	194	cipher_init(CipherContext cc, Cipher cipher,
	195	const u_char key, u_int keylen, const u_char iv, u_int ivlen,
	196	int encrypt)
94ec8c6b	197	{
70fc1609	198	static int dowarn = 1;
a068d86f	199	#ifdef SSH_OLD_EVP
	200	EVP_CIPHER *type;
	201	#else
70fc1609	202	const EVP_CIPHER *type;
a068d86f	203	#endif
70fc1609	204	int klen;
	205
	206	if (cipher->number == SSH_CIPHER_DES) {
	207	if (dowarn) {
	208	error("Warning: use of DES is strongly discouraged "
	209	"due to cryptographic weaknesses");
	210	dowarn = 0;
	211	}
	212	if (keylen > 8)
	213	keylen = 8;
	214	}
	215	cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
	216
94ec8c6b	217	if (keylen < cipher->key_len)
	218	fatal("cipher_init: key length %d is insufficient for %s.",
	219	keylen, cipher->name);
	220	if (iv != NULL && ivlen < cipher->block_size)
	221	fatal("cipher_init: iv length %d is insufficient for %s.",
	222	ivlen, cipher->name);
	223	cc->cipher = cipher;
70fc1609	224
	225	type = (*cipher->evptype)();
	226
	227	EVP_CIPHER_CTX_init(&cc->evp);
a068d86f	228	#ifdef SSH_OLD_EVP
	229	if (type->key_len > 0 && type->key_len != keylen) {
	230	debug("cipher_init: set keylen (%d -> %d)",
	231	type->key_len, keylen);
	232	type->key_len = keylen;
	233	}
	234	EVP_CipherInit(&cc->evp, type, (u_char )key, (u_char )iv,
	235	(encrypt == CIPHER_ENCRYPT));
	236	#else
70fc1609	237	if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
	238	(encrypt == CIPHER_ENCRYPT)) == 0)
	239	fatal("cipher_init: EVP_CipherInit failed for %s",
	240	cipher->name);
	241	klen = EVP_CIPHER_CTX_key_length(&cc->evp);
	242	if (klen > 0 && keylen != klen) {
a77673cc	243	debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
70fc1609	244	if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
	245	fatal("cipher_init: set keylen failed (%d -> %d)",
	246	klen, keylen);
	247	}
	248	if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
	249	fatal("cipher_init: EVP_CipherInit: set key failed for %s",
	250	cipher->name);
a068d86f	251	#endif
94ec8c6b	252	}
	253
	254	void
3ee832e5	255	cipher_crypt(CipherContext cc, u_char dest, const u_char *src, u_int len)
94ec8c6b	256	{
	257	if (len % cc->cipher->block_size)
	258	fatal("cipher_encrypt: bad plaintext length %d", len);
a068d86f	259	#ifdef SSH_OLD_EVP
	260	EVP_Cipher(&cc->evp, dest, (u_char *)src, len);
	261	#else
70fc1609	262	if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
70fc1609	263	fatal("evp_crypt: EVP_Cipher failed");
a068d86f	264	#endif
94ec8c6b	265	}
	266
	267	void
3ee832e5	268	cipher_cleanup(CipherContext *cc)
94ec8c6b	269	{
a068d86f	270	#ifdef SSH_OLD_EVP
	271	EVP_CIPHER_CTX_cleanup(&cc->evp);
	272	#else
70fc1609	273	if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
70fc1609	274	error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
a068d86f	275	#endif
8efc0c15	276	}
8efc0c15	277
aa3378df	278	/*
	279	* Selects the cipher, and keys if by computing the MD5 checksum of the
	280	* passphrase and using the resulting 16 bytes as the key.
	281	*/
8efc0c15	282
6ae2364d	283	void
94ec8c6b	284	cipher_set_key_string(CipherContext cc, Cipher cipher,
3ee832e5	285	const char *passphrase, int encrypt)
8efc0c15	286	{
5260325f	287	MD5_CTX md;
1e3b8b07	288	u_char digest[16];
5260325f	289
5260325f	290	MD5_Init(&md);
94ec8c6b	291	MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
5260325f	292	MD5_Final(digest, &md);
5260325f	293
3ee832e5	294	cipher_init(cc, cipher, digest, 16, NULL, 0, encrypt);
5260325f	295
	296	memset(digest, 0, sizeof(digest));
	297	memset(&md, 0, sizeof(md));
8efc0c15	298	}
70fc1609	299
762715ce	300	/*
bf8269a9	301	* Exports an IV from the CipherContext required to export the key
	302	* state back from the unprivileged child to the privileged parent
	303	* process.
	304	*/
	305
	306	int
	307	cipher_get_keyiv_len(CipherContext *cc)
	308	{
	309	Cipher *c = cc->cipher;
	310	int ivlen;
	311
	312	if (c->number == SSH_CIPHER_3DES)
	313	ivlen = 24;
	314	else
	315	ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
	316	return (ivlen);
	317	}
	318
	319	void
	320	cipher_get_keyiv(CipherContext cc, u_char iv, u_int len)
	321	{
	322	Cipher *c = cc->cipher;
bf8269a9	323	int evplen;
	324
	325	switch (c->number) {
	326	case SSH_CIPHER_SSH2:
	327	case SSH_CIPHER_DES:
	328	case SSH_CIPHER_BLOWFISH:
	329	evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
	330	if (evplen == 0)
	331	return;
	332	if (evplen != len)
1588c277	333	fatal("%s: wrong iv length %d != %d", __func__,
bf8269a9	334	evplen, len);
135247df	335	#if OPENSSL_VERSION_NUMBER < 0x00907000L
18ae3c67	336	if (c->evptype == evp_rijndael)
	337	ssh_rijndael_iv(&cc->evp, 0, iv, len);
	338	else
135247df	339	#endif
18ae3c67	340	memcpy(iv, cc->evp.iv, len);
	341	break;
	342	case SSH_CIPHER_3DES:
	343	ssh1_3des_iv(&cc->evp, 0, iv, 24);
bf8269a9	344	break;
bf8269a9	345	default:
1588c277	346	fatal("%s: bad cipher %d", __func__, c->number);
bf8269a9	347	}
bf8269a9	348	}
	349
	350	void
	351	cipher_set_keyiv(CipherContext cc, u_char iv)
	352	{
	353	Cipher *c = cc->cipher;
bf8269a9	354	int evplen = 0;
	355
	356	switch (c->number) {
	357	case SSH_CIPHER_SSH2:
	358	case SSH_CIPHER_DES:
	359	case SSH_CIPHER_BLOWFISH:
	360	evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
	361	if (evplen == 0)
	362	return;
135247df	363	#if OPENSSL_VERSION_NUMBER < 0x00907000L
18ae3c67	364	if (c->evptype == evp_rijndael)
	365	ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
	366	else
135247df	367	#endif
18ae3c67	368	memcpy(cc->evp.iv, iv, evplen);
	369	break;
	370	case SSH_CIPHER_3DES:
	371	ssh1_3des_iv(&cc->evp, 1, iv, 24);
bf8269a9	372	break;
bf8269a9	373	default:
1588c277	374	fatal("%s: bad cipher %d", __func__, c->number);
bf8269a9	375	}
bf8269a9	376	}
	377
	378	#if OPENSSL_VERSION_NUMBER < 0x00907000L
	379	#define EVP_X_STATE(evp) &(evp).c
	380	#define EVP_X_STATE_LEN(evp) sizeof((evp).c)
	381	#else
	382	#define EVP_X_STATE(evp) (evp).cipher_data
	383	#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
	384	#endif
	385
	386	int
	387	cipher_get_keycontext(CipherContext cc, u_char dat)
	388	{
	389	Cipher *c = cc->cipher;
9459414c	390	int plen = 0;
bf8269a9	391
9459414c	392	if (c->evptype == EVP_rc4) {
9459414c	393	plen = EVP_X_STATE_LEN(cc->evp);
bf8269a9	394	if (dat == NULL)
9459414c	395	return (plen);
9459414c	396	memcpy(dat, EVP_X_STATE(cc->evp), plen);
bf8269a9	397	}
bf8269a9	398	return (plen);
	399	}
	400
	401	void
	402	cipher_set_keycontext(CipherContext cc, u_char dat)
	403	{
	404	Cipher *c = cc->cipher;
	405	int plen;
	406
9459414c	407	if (c->evptype == EVP_rc4) {
bf8269a9	408	plen = EVP_X_STATE_LEN(cc->evp);
	409	memcpy(EVP_X_STATE(cc->evp), dat, plen);
	410	}
70fc1609	411	}