/src/libssh2/src/crypt.c

Source (jump to first uncovered line)
/* Copyright (C) Simon Josefsson <simon@josefsson.org>
 * Copyright (C) Sara Golemon <sarag@libssh2.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms,
 * with or without modification, are permitted provided
 * that the following conditions are met:
 *
 *   Redistributions of source code must retain the above
 *   copyright notice, this list of conditions and the
 *   following disclaimer.
 *
 *   Redistributions in binary form must reproduce the above
 *   copyright notice, this list of conditions and the following
 *   disclaimer in the documentation and/or other materials
 *   provided with the distribution.
 *
 *   Neither the name of the copyright holder nor the names
 *   of any other contributors may be used to endorse or
 *   promote products derived from this software without
 *   specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
 * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
 * OF SUCH DAMAGE.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include "libssh2_priv.h"
#include "cipher-chachapoly.h"

#include <assert.h>

#if defined(LIBSSH2DEBUG) && defined(LIBSSH2_CRYPT_NONE_INSECURE)
/* crypt_none_crypt
 * Minimalist cipher: no encryption. DO NOT USE.
 *
 * The SSH2 Transport allows for unencrypted data transmission using
 * the "none" cipher.  Because this is such a huge security hole, it is
 * typically disabled on SSH2 implementations and is disabled in libssh2
 * by default as well.
 *
 * Enabling this option will allow for "none" as a negotiable method,
 * however it still requires that the method be advertised by the remote
 * end and that no more-preferable methods are available.
 *
 */
static int
crypt_none_crypt(LIBSSH2_SESSION * session,
                 unsigned int seqno,
                 unsigned char *buf,
                 size_t buf_len,
                 void **abstract,
                 int firstlast)
{
    /* Do nothing to the data! */
    return 0;
}

static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_none = {
    "none",
    "DEK-Info: NONE",
    8,                /* blocksize (SSH2 defines minimum blocksize as 8) */
    0,                /* iv_len */
    0,                /* secret_len */
    0,                /* flags */
    NULL,
    crypt_none_crypt,
    NULL
};
#endif /* defined(LIBSSH2DEBUG) && defined(LIBSSH2_CRYPT_NONE_INSECURE) */

struct crypt_ctx
{
    int encrypt;
    _libssh2_cipher_type(algo);
    _libssh2_cipher_ctx h;
    struct chachapoly_ctx chachapoly_ctx;
};

static int
crypt_init(LIBSSH2_SESSION * session,
           const LIBSSH2_CRYPT_METHOD * method,
           unsigned char *iv, int *free_iv,
           unsigned char *secret, int *free_secret,
           int encrypt, void **abstract)
{
    struct crypt_ctx *ctx = LIBSSH2_ALLOC(session,
                                          sizeof(struct crypt_ctx));
    if(!ctx)
        return LIBSSH2_ERROR_ALLOC;

    ctx->encrypt = encrypt;
    ctx->algo = method->algo;
    if(_libssh2_cipher_init(&ctx->h, ctx->algo, iv, secret, encrypt)) {
        LIBSSH2_FREE(session, ctx);
        return -1;
    }
    *abstract = ctx;
    *free_iv = 1;
    *free_secret = 1;
    return 0;
}

static int
crypt_encrypt(LIBSSH2_SESSION * session,
              unsigned int seqno,
              unsigned char *buf,
              size_t buf_len,
              void **abstract,
              int firstlast)
{
    struct crypt_ctx *cctx = *(struct crypt_ctx **) abstract;
    (void) session;
    (void) seqno;
    return _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, buf,
                                 buf_len, firstlast);
}

static int
crypt_dtor(LIBSSH2_SESSION * session, void **abstract)
{
    struct crypt_ctx **cctx = (struct crypt_ctx **) abstract;
    if(cctx && *cctx) {
        _libssh2_cipher_dtor(&(*cctx)->h);
        LIBSSH2_FREE(session, *cctx);
        *abstract = NULL;
    }
    return 0;
}

#if LIBSSH2_AES_GCM
static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes256_gcm = {
    "aes256-gcm@openssh.com",
    "",
    16,                         /* blocksize */
    12,                         /* initial value length */
    32,                         /* secret length -- 32*8 == 256bit */
    16,                         /* length of the authentication tag */
    LIBSSH2_CRYPT_FLAG_INTEGRATED_MAC | LIBSSH2_CRYPT_FLAG_PKTLEN_AAD,
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_aes256gcm
};

static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes128_gcm = {
    "aes128-gcm@openssh.com",
    "",
    16,                         /* blocksize */
    12,                         /* initial value length */
    16,                         /* secret length -- 16*8 == 128bit */
    16,                         /* length of the authentication tag */
    LIBSSH2_CRYPT_FLAG_INTEGRATED_MAC | LIBSSH2_CRYPT_FLAG_PKTLEN_AAD,
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_aes128gcm
};
#endif

#if LIBSSH2_AES_CTR
static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes128_ctr = {
    "aes128-ctr",
    "",
    16,                         /* blocksize */
    16,                         /* initial value length */
    16,                         /* secret length -- 16*8 == 128bit */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_aes128ctr
};

static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes192_ctr = {
    "aes192-ctr",
    "",
    16,                         /* blocksize */
    16,                         /* initial value length */
    24,                         /* secret length -- 24*8 == 192bit */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_aes192ctr
};

static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes256_ctr = {
    "aes256-ctr",
    "",
    16,                         /* blocksize */
    16,                         /* initial value length */
    32,                         /* secret length -- 32*8 == 256bit */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_aes256ctr
};
#endif

#if LIBSSH2_AES_CBC
static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes128_cbc = {
    "aes128-cbc",
    "DEK-Info: AES-128-CBC",
    16,                         /* blocksize */
    16,                         /* initial value length */
    16,                         /* secret length -- 16*8 == 128bit */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_aes128
};

static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes192_cbc = {
    "aes192-cbc",
    "DEK-Info: AES-192-CBC",
    16,                         /* blocksize */
    16,                         /* initial value length */
    24,                         /* secret length -- 24*8 == 192bit */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_aes192
};

static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes256_cbc = {
    "aes256-cbc",
    "DEK-Info: AES-256-CBC",
    16,                         /* blocksize */
    16,                         /* initial value length */
    32,                         /* secret length -- 32*8 == 256bit */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_aes256
};

/* rijndael-cbc@lysator.liu.se == aes256-cbc */
static const LIBSSH2_CRYPT_METHOD
    libssh2_crypt_method_rijndael_cbc_lysator_liu_se = {
    "rijndael-cbc@lysator.liu.se",
    "DEK-Info: AES-256-CBC",
    16,                         /* blocksize */
    16,                         /* initial value length */
    32,                         /* secret length -- 32*8 == 256bit */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_aes256
};
#endif /* LIBSSH2_AES_CBC */

#if LIBSSH2_BLOWFISH
static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_blowfish_cbc = {
    "blowfish-cbc",
    "",
    8,                          /* blocksize */
    8,                          /* initial value length */
    16,                         /* secret length */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_blowfish
};
#endif /* LIBSSH2_BLOWFISH */

#if LIBSSH2_RC4
static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_arcfour = {
    "arcfour",
    "DEK-Info: RC4",
    8,                          /* blocksize */
    8,                          /* initial value length */
    16,                         /* secret length */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_arcfour
};

static int
crypt_init_arcfour128(LIBSSH2_SESSION * session,
                      const LIBSSH2_CRYPT_METHOD * method,
                      unsigned char *iv, int *free_iv,
                      unsigned char *secret, int *free_secret,
                      int encrypt, void **abstract)
{
    int rc;

    rc = crypt_init(session, method, iv, free_iv, secret, free_secret,
                    encrypt, abstract);
    if(rc == 0) {
        struct crypt_ctx *cctx = *(struct crypt_ctx **) abstract;
        unsigned char block[8];
        size_t discard = 1536;
        for(; discard; discard -= 8)
            _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, block,
                                  method->blocksize, MIDDLE_BLOCK);
                               /* Not all middle, but here it doesn't matter */
    }

    return rc;
}

static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_arcfour128 = {
    "arcfour128",
    "",
    8,                          /* blocksize */
    8,                          /* initial value length */
    16,                         /* secret length */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init_arcfour128,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_arcfour
};
#endif /* LIBSSH2_RC4 */

#if LIBSSH2_CAST
static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_cast128_cbc = {
    "cast128-cbc",
    "",
    8,                          /* blocksize */
    8,                          /* initial value length */
    16,                         /* secret length */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_cast5
};
#endif /* LIBSSH2_CAST */

#if LIBSSH2_3DES
static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_3des_cbc = {
    "3des-cbc",
    "DEK-Info: DES-EDE3-CBC",
    8,                          /* blocksize */
    8,                          /* initial value length */
    24,                         /* secret length */
    0,                          /* length of the authentication tag */
    0,                          /* flags */
    &crypt_init,
    NULL,
    &crypt_encrypt,
    &crypt_dtor,
    _libssh2_cipher_3des
};
#endif

static int
crypt_init_chacha20_poly(LIBSSH2_SESSION * session,
           const LIBSSH2_CRYPT_METHOD * method,
           unsigned char *iv, int *free_iv,
           unsigned char *secret, int *free_secret,
           int encrypt, void **abstract)
{
    struct crypt_ctx *ctx = LIBSSH2_ALLOC(session,
                                          sizeof(struct crypt_ctx));

    (void)iv;

    if(!ctx)
        return LIBSSH2_ERROR_ALLOC;

    ctx->encrypt = encrypt;
    ctx->algo = method->algo;

    if(chachapoly_init(&ctx->chachapoly_ctx, secret, method->secret_len)) {
        LIBSSH2_FREE(session, ctx);
        return -1;
    }

    *abstract = ctx;
    *free_iv = 1;
    *free_secret = 1;
    return 0;
}


static int
crypt_encrypt_chacha20_poly_buffer(LIBSSH2_SESSION * session,
                                   unsigned int seqno,
                                   unsigned char *buf,
                                   size_t buf_len,
                                   void **abstract,
                                   int firstlast)
{
    int ret = 1;
    struct crypt_ctx *ctx = *(struct crypt_ctx **) abstract;

    (void)session;
    (void)firstlast;

    if(ctx) {
        if(ctx->encrypt) {
            /* requires out_buf to be large enough to hold encrypted output
               plus auth tag (auth len)

               buf is a full packet so we need to subtract packet length from
               length
             */
            ret = chachapoly_crypt(&ctx->chachapoly_ctx, seqno, buf, buf,
                                   ((u_int)buf_len) - 4, 4, ctx->encrypt);
        }
        else {
            /* buf is full packet including size and auth tag but buf_len
               doesn't include size */
            ret = chachapoly_crypt(&ctx->chachapoly_ctx, seqno, buf, buf,
                                   ((u_int)buf_len), 4, ctx->encrypt);

            /* the api expects the size field to already be removed
               from the decrypted packet so we'll help it out */
            if(ret == 0) {
                memmove(buf, buf + 4, buf_len - 4);
            }
        }
    }

    return (ret == 0 ? 0 : 1);
}

static int
crypt_get_length_chacha20_poly(LIBSSH2_SESSION * session, unsigned int seqno,
                               unsigned char *data, size_t data_size,
                               unsigned int *len, void **abstract)
{
    struct crypt_ctx *ctx = *(struct crypt_ctx **) abstract;

    (void)session;

    return chachapoly_get_length(&ctx->chachapoly_ctx, len, seqno, data,
                                 (u_int)data_size);
}

static int
crypt_dtor_chacha20_poly(LIBSSH2_SESSION * session, void **abstract)
{
    struct crypt_ctx **cctx = (struct crypt_ctx **) abstract;
    if(cctx && *cctx) {
        LIBSSH2_FREE(session, *cctx);
        *abstract = NULL;
    }
    return 0;
}

static const LIBSSH2_CRYPT_METHOD
    libssh2_crypt_method_chacha20_poly1305_openssh = {
    "chacha20-poly1305@openssh.com",
    "",
    8,                                          /* blocksize */
    0,                                          /* initial value length */
    64,                                         /* secret length */
    16,                                         /* length of the auth_tag */
    LIBSSH2_CRYPT_FLAG_REQUIRES_FULL_PACKET,    /* flags */
    &crypt_init_chacha20_poly,
    &crypt_get_length_chacha20_poly,
    &crypt_encrypt_chacha20_poly_buffer,
    &crypt_dtor_chacha20_poly,
    _libssh2_cipher_chacha20                    /* not actually used */
};

/* These are the crypt methods that are available to be negotiated. Methods
   towards the start are chosen in preference to ones further down the list. */
static const LIBSSH2_CRYPT_METHOD *_libssh2_crypt_methods[] = {
    &libssh2_crypt_method_chacha20_poly1305_openssh,
#if LIBSSH2_AES_GCM
    &libssh2_crypt_method_aes256_gcm,
    &libssh2_crypt_method_aes128_gcm,
#endif /* LIBSSH2_AES_GCM */
#if LIBSSH2_AES_CTR
    &libssh2_crypt_method_aes256_ctr,
    &libssh2_crypt_method_aes192_ctr,
    &libssh2_crypt_method_aes128_ctr,
#endif /* LIBSSH2_AES_CTR */
#if LIBSSH2_AES_CBC
    &libssh2_crypt_method_aes256_cbc,
    &libssh2_crypt_method_rijndael_cbc_lysator_liu_se,  /* == aes256-cbc */
    &libssh2_crypt_method_aes192_cbc,
    &libssh2_crypt_method_aes128_cbc,
#endif /* LIBSSH2_AES_CBC */
#if LIBSSH2_BLOWFISH
    &libssh2_crypt_method_blowfish_cbc,
#endif /* LIBSSH2_BLOWFISH */
#if LIBSSH2_RC4
    &libssh2_crypt_method_arcfour128,
    &libssh2_crypt_method_arcfour,
#endif /* LIBSSH2_RC4 */
#if LIBSSH2_CAST
    &libssh2_crypt_method_cast128_cbc,
#endif /* LIBSSH2_CAST */
#if LIBSSH2_3DES
    &libssh2_crypt_method_3des_cbc,
#endif /*  LIBSSH2_DES */
#if defined(LIBSSH2DEBUG) && defined(LIBSSH2_CRYPT_NONE_INSECURE)
    &libssh2_crypt_method_none,
#endif
    NULL
};

/* Expose to kex.c */
const LIBSSH2_CRYPT_METHOD **
libssh2_crypt_methods(void)
{
    return _libssh2_crypt_methods;
}

Coverage Report

Created: 2025-08-26 06:42

Line	Count	Source (jump to first uncovered line)
1		/* Copyright (C) Simon Josefsson <simon@josefsson.org>
2		* Copyright (C) Sara Golemon <sarag@libssh2.org>
3		* All rights reserved.
4		*
5		* Redistribution and use in source and binary forms,
6		* with or without modification, are permitted provided
7		* that the following conditions are met:
8		*
9		* Redistributions of source code must retain the above
10		* copyright notice, this list of conditions and the
11		* following disclaimer.
12		*
13		* Redistributions in binary form must reproduce the above
14		* copyright notice, this list of conditions and the following
15		* disclaimer in the documentation and/or other materials
16		* provided with the distribution.
17		*
18		* Neither the name of the copyright holder nor the names
19		* of any other contributors may be used to endorse or
20		* promote products derived from this software without
21		* specific prior written permission.
22		*
23		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
24		* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
25		* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
26		* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27		* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
28		* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
29		* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
30		* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
31		* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
32		* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
33		* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
34		* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
35		* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
36		* OF SUCH DAMAGE.
37		*
38		* SPDX-License-Identifier: BSD-3-Clause
39		*/
40
41		#include "libssh2_priv.h"
42		#include "cipher-chachapoly.h"
43
44		#include <assert.h>
45
46		#if defined(LIBSSH2DEBUG) && defined(LIBSSH2_CRYPT_NONE_INSECURE)
47		/* crypt_none_crypt
48		* Minimalist cipher: no encryption. DO NOT USE.
49		*
50		* The SSH2 Transport allows for unencrypted data transmission using
51		* the "none" cipher. Because this is such a huge security hole, it is
52		* typically disabled on SSH2 implementations and is disabled in libssh2
53		* by default as well.
54		*
55		* Enabling this option will allow for "none" as a negotiable method,
56		* however it still requires that the method be advertised by the remote
57		* end and that no more-preferable methods are available.
58		*
59		*/
60		static int
61		crypt_none_crypt(LIBSSH2_SESSION * session,
62		unsigned int seqno,
63		unsigned char *buf,
64		size_t buf_len,
65		void **abstract,
66		int firstlast)
67		{
68		/* Do nothing to the data! */
69		return 0;
70		}
71
72		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_none = {
73		"none",
74		"DEK-Info: NONE",
75		8, /* blocksize (SSH2 defines minimum blocksize as 8) */
76		0, /* iv_len */
77		0, /* secret_len */
78		0, /* flags */
79		NULL,
80		crypt_none_crypt,
81		NULL
82		};
83		#endif /* defined(LIBSSH2DEBUG) && defined(LIBSSH2_CRYPT_NONE_INSECURE) */
84
85		struct crypt_ctx
86		{
87		int encrypt;
88		_libssh2_cipher_type(algo);
89		_libssh2_cipher_ctx h;
90		struct chachapoly_ctx chachapoly_ctx;
91		};
92
93		static int
94		crypt_init(LIBSSH2_SESSION * session,
95		const LIBSSH2_CRYPT_METHOD * method,
96		unsigned char iv, int free_iv,
97		unsigned char secret, int free_secret,
98		int encrypt, void **abstract)
99	0	{
100	0	struct crypt_ctx *ctx = LIBSSH2_ALLOC(session,
101	0	sizeof(struct crypt_ctx));
102	0	if(!ctx)
103	0	return LIBSSH2_ERROR_ALLOC;
104
105	0	ctx->encrypt = encrypt;
106	0	ctx->algo = method->algo;
107	0	if(_libssh2_cipher_init(&ctx->h, ctx->algo, iv, secret, encrypt)) {
108	0	LIBSSH2_FREE(session, ctx);
109	0	return -1;
110	0	}
111	0	*abstract = ctx;
112	0	*free_iv = 1;
113	0	*free_secret = 1;
114	0	return 0;
115	0	}
116
117		static int
118		crypt_encrypt(LIBSSH2_SESSION * session,
119		unsigned int seqno,
120		unsigned char *buf,
121		size_t buf_len,
122		void **abstract,
123		int firstlast)
124	0	{
125	0	struct crypt_ctx cctx = (struct crypt_ctx **) abstract;
126	0	(void) session;
127	0	(void) seqno;
128	0	return _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, buf,
129	0	buf_len, firstlast);
130	0	}
131
132		static int
133		crypt_dtor(LIBSSH2_SESSION * session, void **abstract)
134	0	{
135	0	struct crypt_ctx cctx = (struct crypt_ctx ) abstract;
136	0	if(cctx && *cctx) {
137	0	_libssh2_cipher_dtor(&(*cctx)->h);
138	0	LIBSSH2_FREE(session, *cctx);
139	0	*abstract = NULL;
140	0	}
141	0	return 0;
142	0	}
143
144		#if LIBSSH2_AES_GCM
145		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes256_gcm = {
146		"aes256-gcm@openssh.com",
147		"",
148		16, /* blocksize */
149		12, /* initial value length */
150		32, /* secret length -- 328 == 256bit /
151		16, /* length of the authentication tag */
152		LIBSSH2_CRYPT_FLAG_INTEGRATED_MAC \| LIBSSH2_CRYPT_FLAG_PKTLEN_AAD,
153		&crypt_init,
154		NULL,
155		&crypt_encrypt,
156		&crypt_dtor,
157		_libssh2_cipher_aes256gcm
158		};
159
160		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes128_gcm = {
161		"aes128-gcm@openssh.com",
162		"",
163		16, /* blocksize */
164		12, /* initial value length */
165		16, /* secret length -- 168 == 128bit /
166		16, /* length of the authentication tag */
167		LIBSSH2_CRYPT_FLAG_INTEGRATED_MAC \| LIBSSH2_CRYPT_FLAG_PKTLEN_AAD,
168		&crypt_init,
169		NULL,
170		&crypt_encrypt,
171		&crypt_dtor,
172		_libssh2_cipher_aes128gcm
173		};
174		#endif
175
176		#if LIBSSH2_AES_CTR
177		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes128_ctr = {
178		"aes128-ctr",
179		"",
180		16, /* blocksize */
181		16, /* initial value length */
182		16, /* secret length -- 168 == 128bit /
183		0, /* length of the authentication tag */
184		0, /* flags */
185		&crypt_init,
186		NULL,
187		&crypt_encrypt,
188		&crypt_dtor,
189		_libssh2_cipher_aes128ctr
190		};
191
192		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes192_ctr = {
193		"aes192-ctr",
194		"",
195		16, /* blocksize */
196		16, /* initial value length */
197		24, /* secret length -- 248 == 192bit /
198		0, /* length of the authentication tag */
199		0, /* flags */
200		&crypt_init,
201		NULL,
202		&crypt_encrypt,
203		&crypt_dtor,
204		_libssh2_cipher_aes192ctr
205		};
206
207		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes256_ctr = {
208		"aes256-ctr",
209		"",
210		16, /* blocksize */
211		16, /* initial value length */
212		32, /* secret length -- 328 == 256bit /
213		0, /* length of the authentication tag */
214		0, /* flags */
215		&crypt_init,
216		NULL,
217		&crypt_encrypt,
218		&crypt_dtor,
219		_libssh2_cipher_aes256ctr
220		};
221		#endif
222
223		#if LIBSSH2_AES_CBC
224		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes128_cbc = {
225		"aes128-cbc",
226		"DEK-Info: AES-128-CBC",
227		16, /* blocksize */
228		16, /* initial value length */
229		16, /* secret length -- 168 == 128bit /
230		0, /* length of the authentication tag */
231		0, /* flags */
232		&crypt_init,
233		NULL,
234		&crypt_encrypt,
235		&crypt_dtor,
236		_libssh2_cipher_aes128
237		};
238
239		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes192_cbc = {
240		"aes192-cbc",
241		"DEK-Info: AES-192-CBC",
242		16, /* blocksize */
243		16, /* initial value length */
244		24, /* secret length -- 248 == 192bit /
245		0, /* length of the authentication tag */
246		0, /* flags */
247		&crypt_init,
248		NULL,
249		&crypt_encrypt,
250		&crypt_dtor,
251		_libssh2_cipher_aes192
252		};
253
254		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes256_cbc = {
255		"aes256-cbc",
256		"DEK-Info: AES-256-CBC",
257		16, /* blocksize */
258		16, /* initial value length */
259		32, /* secret length -- 328 == 256bit /
260		0, /* length of the authentication tag */
261		0, /* flags */
262		&crypt_init,
263		NULL,
264		&crypt_encrypt,
265		&crypt_dtor,
266		_libssh2_cipher_aes256
267		};
268
269		/* rijndael-cbc@lysator.liu.se == aes256-cbc */
270		static const LIBSSH2_CRYPT_METHOD
271		libssh2_crypt_method_rijndael_cbc_lysator_liu_se = {
272		"rijndael-cbc@lysator.liu.se",
273		"DEK-Info: AES-256-CBC",
274		16, /* blocksize */
275		16, /* initial value length */
276		32, /* secret length -- 328 == 256bit /
277		0, /* length of the authentication tag */
278		0, /* flags */
279		&crypt_init,
280		NULL,
281		&crypt_encrypt,
282		&crypt_dtor,
283		_libssh2_cipher_aes256
284		};
285		#endif /* LIBSSH2_AES_CBC */
286
287		#if LIBSSH2_BLOWFISH
288		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_blowfish_cbc = {
289		"blowfish-cbc",
290		"",
291		8, /* blocksize */
292		8, /* initial value length */
293		16, /* secret length */
294		0, /* length of the authentication tag */
295		0, /* flags */
296		&crypt_init,
297		NULL,
298		&crypt_encrypt,
299		&crypt_dtor,
300		_libssh2_cipher_blowfish
301		};
302		#endif /* LIBSSH2_BLOWFISH */
303
304		#if LIBSSH2_RC4
305		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_arcfour = {
306		"arcfour",
307		"DEK-Info: RC4",
308		8, /* blocksize */
309		8, /* initial value length */
310		16, /* secret length */
311		0, /* length of the authentication tag */
312		0, /* flags */
313		&crypt_init,
314		NULL,
315		&crypt_encrypt,
316		&crypt_dtor,
317		_libssh2_cipher_arcfour
318		};
319
320		static int
321		crypt_init_arcfour128(LIBSSH2_SESSION * session,
322		const LIBSSH2_CRYPT_METHOD * method,
323		unsigned char iv, int free_iv,
324		unsigned char secret, int free_secret,
325		int encrypt, void **abstract)
326		{
327		int rc;
328
329		rc = crypt_init(session, method, iv, free_iv, secret, free_secret,
330		encrypt, abstract);
331		if(rc == 0) {
332		struct crypt_ctx cctx = (struct crypt_ctx **) abstract;
333		unsigned char block[8];
334		size_t discard = 1536;
335		for(; discard; discard -= 8)
336		_libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, block,
337		method->blocksize, MIDDLE_BLOCK);
338		/* Not all middle, but here it doesn't matter */
339		}
340
341		return rc;
342		}
343
344		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_arcfour128 = {
345		"arcfour128",
346		"",
347		8, /* blocksize */
348		8, /* initial value length */
349		16, /* secret length */
350		0, /* length of the authentication tag */
351		0, /* flags */
352		&crypt_init_arcfour128,
353		NULL,
354		&crypt_encrypt,
355		&crypt_dtor,
356		_libssh2_cipher_arcfour
357		};
358		#endif /* LIBSSH2_RC4 */
359
360		#if LIBSSH2_CAST
361		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_cast128_cbc = {
362		"cast128-cbc",
363		"",
364		8, /* blocksize */
365		8, /* initial value length */
366		16, /* secret length */
367		0, /* length of the authentication tag */
368		0, /* flags */
369		&crypt_init,
370		NULL,
371		&crypt_encrypt,
372		&crypt_dtor,
373		_libssh2_cipher_cast5
374		};
375		#endif /* LIBSSH2_CAST */
376
377		#if LIBSSH2_3DES
378		static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_3des_cbc = {
379		"3des-cbc",
380		"DEK-Info: DES-EDE3-CBC",
381		8, /* blocksize */
382		8, /* initial value length */
383		24, /* secret length */
384		0, /* length of the authentication tag */
385		0, /* flags */
386		&crypt_init,
387		NULL,
388		&crypt_encrypt,
389		&crypt_dtor,
390		_libssh2_cipher_3des
391		};
392		#endif
393
394		static int
395		crypt_init_chacha20_poly(LIBSSH2_SESSION * session,
396		const LIBSSH2_CRYPT_METHOD * method,
397		unsigned char iv, int free_iv,
398		unsigned char secret, int free_secret,
399		int encrypt, void **abstract)
400	0	{
401	0	struct crypt_ctx *ctx = LIBSSH2_ALLOC(session,
402	0	sizeof(struct crypt_ctx));
403
404	0	(void)iv;
405
406	0	if(!ctx)
407	0	return LIBSSH2_ERROR_ALLOC;
408
409	0	ctx->encrypt = encrypt;
410	0	ctx->algo = method->algo;
411
412	0	if(chachapoly_init(&ctx->chachapoly_ctx, secret, method->secret_len)) {
413	0	LIBSSH2_FREE(session, ctx);
414	0	return -1;
415	0	}
416
417	0	*abstract = ctx;
418	0	*free_iv = 1;
419	0	*free_secret = 1;
420	0	return 0;
421	0	}
422
423
424		static int
425		crypt_encrypt_chacha20_poly_buffer(LIBSSH2_SESSION * session,
426		unsigned int seqno,
427		unsigned char *buf,
428		size_t buf_len,
429		void **abstract,
430		int firstlast)
431	0	{
432	0	int ret = 1;
433	0	struct crypt_ctx ctx = (struct crypt_ctx **) abstract;
434
435	0	(void)session;
436	0	(void)firstlast;
437
438	0	if(ctx) {
439	0	if(ctx->encrypt) {
440		/* requires out_buf to be large enough to hold encrypted output
441		plus auth tag (auth len)
442
443		buf is a full packet so we need to subtract packet length from
444		length
445		*/
446	0	ret = chachapoly_crypt(&ctx->chachapoly_ctx, seqno, buf, buf,
447	0	((u_int)buf_len) - 4, 4, ctx->encrypt);
448	0	}
449	0	else {
450		/* buf is full packet including size and auth tag but buf_len
451		doesn't include size */
452	0	ret = chachapoly_crypt(&ctx->chachapoly_ctx, seqno, buf, buf,
453	0	((u_int)buf_len), 4, ctx->encrypt);
454
455		/* the api expects the size field to already be removed
456		from the decrypted packet so we'll help it out */
457	0	if(ret == 0) {
458	0	memmove(buf, buf + 4, buf_len - 4);
459	0	}
460	0	}
461	0	}
462
463	0	return (ret == 0 ? 0 : 1);
464	0	}
465
466		static int
467		crypt_get_length_chacha20_poly(LIBSSH2_SESSION * session, unsigned int seqno,
468		unsigned char *data, size_t data_size,
469		unsigned int len, void *abstract)
470	0	{
471	0	struct crypt_ctx ctx = (struct crypt_ctx **) abstract;
472
473	0	(void)session;
474
475	0	return chachapoly_get_length(&ctx->chachapoly_ctx, len, seqno, data,
476	0	(u_int)data_size);
477	0	}
478
479		static int
480		crypt_dtor_chacha20_poly(LIBSSH2_SESSION * session, void **abstract)
481	0	{
482	0	struct crypt_ctx cctx = (struct crypt_ctx ) abstract;
483	0	if(cctx && *cctx) {
484	0	LIBSSH2_FREE(session, *cctx);
485	0	*abstract = NULL;
486	0	}
487	0	return 0;
488	0	}
489
490		static const LIBSSH2_CRYPT_METHOD
491		libssh2_crypt_method_chacha20_poly1305_openssh = {
492		"chacha20-poly1305@openssh.com",
493		"",
494		8, /* blocksize */
495		0, /* initial value length */
496		64, /* secret length */
497		16, /* length of the auth_tag */
498		LIBSSH2_CRYPT_FLAG_REQUIRES_FULL_PACKET, /* flags */
499		&crypt_init_chacha20_poly,
500		&crypt_get_length_chacha20_poly,
501		&crypt_encrypt_chacha20_poly_buffer,
502		&crypt_dtor_chacha20_poly,
503		_libssh2_cipher_chacha20 /* not actually used */
504		};
505
506		/* These are the crypt methods that are available to be negotiated. Methods
507		towards the start are chosen in preference to ones further down the list. */
508		static const LIBSSH2_CRYPT_METHOD *_libssh2_crypt_methods[] = {
509		&libssh2_crypt_method_chacha20_poly1305_openssh,
510		#if LIBSSH2_AES_GCM
511		&libssh2_crypt_method_aes256_gcm,
512		&libssh2_crypt_method_aes128_gcm,
513		#endif /* LIBSSH2_AES_GCM */
514		#if LIBSSH2_AES_CTR
515		&libssh2_crypt_method_aes256_ctr,
516		&libssh2_crypt_method_aes192_ctr,
517		&libssh2_crypt_method_aes128_ctr,
518		#endif /* LIBSSH2_AES_CTR */
519		#if LIBSSH2_AES_CBC
520		&libssh2_crypt_method_aes256_cbc,
521		&libssh2_crypt_method_rijndael_cbc_lysator_liu_se, /* == aes256-cbc */
522		&libssh2_crypt_method_aes192_cbc,
523		&libssh2_crypt_method_aes128_cbc,
524		#endif /* LIBSSH2_AES_CBC */
525		#if LIBSSH2_BLOWFISH
526		&libssh2_crypt_method_blowfish_cbc,
527		#endif /* LIBSSH2_BLOWFISH */
528		#if LIBSSH2_RC4
529		&libssh2_crypt_method_arcfour128,
530		&libssh2_crypt_method_arcfour,
531		#endif /* LIBSSH2_RC4 */
532		#if LIBSSH2_CAST
533		&libssh2_crypt_method_cast128_cbc,
534		#endif /* LIBSSH2_CAST */
535		#if LIBSSH2_3DES
536		&libssh2_crypt_method_3des_cbc,
537		#endif /* LIBSSH2_DES */
538		#if defined(LIBSSH2DEBUG) && defined(LIBSSH2_CRYPT_NONE_INSECURE)
539		&libssh2_crypt_method_none,
540		#endif
541		NULL
542		};
543
544		/* Expose to kex.c */
545		const LIBSSH2_CRYPT_METHOD **
546		libssh2_crypt_methods(void)
547	54.2k	{
548	54.2k	return _libssh2_crypt_methods;
549	54.2k	}