Coverage Report

Created: 2026-07-16 06:54

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/openssh/cipher.c
Line
Count
Source
1
/* $OpenBSD: cipher.c,v 1.129 2026/06/19 05:26:04 djm Exp $ */
2
/*
3
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5
 *                    All rights reserved
6
 *
7
 * As far as I am concerned, the code I have written for this software
8
 * can be used freely for any purpose.  Any derived versions of this
9
 * software must be clearly marked as such, and if the derived work is
10
 * incompatible with the protocol description in the RFC file, it must be
11
 * called by a name other than "ssh" or "Secure Shell".
12
 *
13
 *
14
 * Copyright (c) 1999 Niels Provos.  All rights reserved.
15
 * Copyright (c) 1999, 2000 Markus Friedl.  All rights reserved.
16
 *
17
 * Redistribution and use in source and binary forms, with or without
18
 * modification, are permitted provided that the following conditions
19
 * are met:
20
 * 1. Redistributions of source code must retain the above copyright
21
 *    notice, this list of conditions and the following disclaimer.
22
 * 2. Redistributions in binary form must reproduce the above copyright
23
 *    notice, this list of conditions and the following disclaimer in the
24
 *    documentation and/or other materials provided with the distribution.
25
 *
26
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36
 */
37
38
#include "includes.h"
39
40
#include <sys/types.h>
41
42
#include <string.h>
43
#include <stdarg.h>
44
#include <stdio.h>
45
46
#include "cipher.h"
47
#include "misc.h"
48
#include "sshbuf.h"
49
#include "ssherr.h"
50
51
#include "openbsd-compat/openssl-compat.h"
52
53
#ifndef WITH_OPENSSL
54
#define EVP_CIPHER_CTX void
55
#endif
56
57
struct sshcipher_ctx {
58
  int plaintext;
59
  int encrypt;
60
  EVP_CIPHER_CTX *evp;
61
  struct chachapoly_ctx *cp_ctx;
62
  struct aesctr_ctx ac_ctx; /* XXX union with evp? */
63
  const struct sshcipher *cipher;
64
};
65
66
struct sshcipher {
67
  char  *name;
68
  u_int block_size;
69
  u_int key_len;
70
  u_int iv_len;   /* defaults to block_size */
71
  u_int auth_len;
72
  u_int flags;
73
0
#define CFLAG_CBC   (1<<0)
74
0
#define CFLAG_CHACHAPOLY  (1<<1)
75
0
#define CFLAG_AESCTR    (1<<2)
76
0
#define CFLAG_NONE    (1<<3)
77
0
#define CFLAG_INTERNAL 0
78
#ifdef WITH_OPENSSL
79
  const EVP_CIPHER  *(*evptype)(void);
80
#else
81
  void  *ignored;
82
#endif
83
};
84
85
static const struct sshcipher ciphers[] = {
86
#ifdef WITH_OPENSSL
87
#ifndef OPENSSL_NO_DES
88
  { "3des-cbc",   8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
89
#endif
90
  { "aes128-cbc",   16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
91
  { "aes192-cbc",   16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
92
  { "aes256-cbc",   16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
93
  { "aes128-ctr",   16, 16, 0, 0, 0, EVP_aes_128_ctr },
94
  { "aes192-ctr",   16, 24, 0, 0, 0, EVP_aes_192_ctr },
95
  { "aes256-ctr",   16, 32, 0, 0, 0, EVP_aes_256_ctr },
96
  { "aes128-gcm@openssh.com",
97
        16, 16, 12, 16, 0, EVP_aes_128_gcm },
98
  { "aes256-gcm@openssh.com",
99
        16, 32, 12, 16, 0, EVP_aes_256_gcm },
100
#else
101
  { "aes128-ctr",   16, 16, 0, 0, CFLAG_AESCTR, NULL },
102
  { "aes192-ctr",   16, 24, 0, 0, CFLAG_AESCTR, NULL },
103
  { "aes256-ctr",   16, 32, 0, 0, CFLAG_AESCTR, NULL },
104
#endif
105
  { "chacha20-poly1305@openssh.com",
106
        8, 64, 0, 16, CFLAG_CHACHAPOLY, NULL },
107
  { "none",   8, 0, 0, 0, CFLAG_NONE, NULL },
108
109
  { NULL,     0, 0, 0, 0, 0, NULL }
110
};
111
112
/*--*/
113
114
/* Returns a comma-separated list of supported ciphers. */
115
char *
116
cipher_alg_list(char sep, int auth_only)
117
0
{
118
0
  char *ret = NULL;
119
0
  const struct sshcipher *c;
120
0
  char sep_str[2] = {sep, '\0'};
121
122
0
  for (c = ciphers; c->name != NULL; c++) {
123
0
    if ((c->flags & CFLAG_INTERNAL) != 0)
124
0
      continue;
125
0
    if (auth_only && c->auth_len == 0)
126
0
      continue;
127
0
    xextendf(&ret, sep_str, "%s", c->name);
128
0
  }
129
0
  return ret;
130
0
}
131
132
const char *
133
compression_alg_list(int compression)
134
0
{
135
0
#ifdef WITH_ZLIB
136
0
  return compression ? "zlib@openssh.com,none" :
137
0
      "none,zlib@openssh.com";
138
#else
139
  return "none";
140
#endif
141
0
}
142
143
u_int
144
cipher_blocksize(const struct sshcipher *c)
145
0
{
146
0
  return (c->block_size);
147
0
}
148
149
u_int
150
cipher_keylen(const struct sshcipher *c)
151
0
{
152
0
  return (c->key_len);
153
0
}
154
155
u_int
156
cipher_seclen(const struct sshcipher *c)
157
0
{
158
0
  if (strcmp("3des-cbc", c->name) == 0)
159
0
    return 14;
160
0
  return cipher_keylen(c);
161
0
}
162
163
u_int
164
cipher_authlen(const struct sshcipher *c)
165
0
{
166
0
  return (c->auth_len);
167
0
}
168
169
u_int
170
cipher_ivlen(const struct sshcipher *c)
171
0
{
172
  /*
173
   * Default is cipher block size, except for chacha20+poly1305 that
174
   * needs no IV. XXX make iv_len == -1 default?
175
   */
176
0
  return (c->iv_len != 0 || (c->flags & CFLAG_CHACHAPOLY) != 0) ?
177
0
      c->iv_len : c->block_size;
178
0
}
179
180
u_int
181
cipher_is_cbc(const struct sshcipher *c)
182
0
{
183
0
  return (c->flags & CFLAG_CBC) != 0;
184
0
}
185
186
u_int
187
cipher_is_internal(const struct sshcipher *c)
188
0
{
189
0
  return (c->flags & CFLAG_INTERNAL) != 0;
190
0
}
191
192
u_int
193
cipher_ctx_is_plaintext(struct sshcipher_ctx *cc)
194
0
{
195
0
  return cc->plaintext;
196
0
}
197
198
const struct sshcipher *
199
cipher_by_name(const char *name)
200
0
{
201
0
  const struct sshcipher *c;
202
0
  for (c = ciphers; c->name != NULL; c++)
203
0
    if (strcmp(c->name, name) == 0)
204
0
      return c;
205
0
  return NULL;
206
0
}
207
208
0
#define CIPHER_SEP  ","
209
int
210
ciphers_valid(const char *names)
211
0
{
212
0
  const struct sshcipher *c;
213
0
  char *cipher_list, *cp;
214
0
  char *p;
215
0
  int found = 0;
216
217
0
  if (names == NULL || strcmp(names, "") == 0)
218
0
    return 0;
219
0
  if ((cipher_list = cp = strdup(names)) == NULL)
220
0
    return 0;
221
0
  for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
222
0
      (p = strsep(&cp, CIPHER_SEP))) {
223
0
    c = cipher_by_name(p);
224
0
    if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
225
0
      free(cipher_list);
226
0
      return 0;
227
0
    } else
228
0
      found = 1;
229
0
  }
230
0
  free(cipher_list);
231
0
  return found;
232
0
}
233
234
const char *
235
cipher_warning_message(const struct sshcipher_ctx *cc)
236
0
{
237
0
  if (cc == NULL || cc->cipher == NULL)
238
0
    return NULL;
239
  /* XXX repurpose for CBC warning */
240
0
  return NULL;
241
0
}
242
243
int
244
cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
245
    const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
246
    int do_encrypt)
247
0
{
248
0
  struct sshcipher_ctx *cc = NULL;
249
0
  int ret = SSH_ERR_INTERNAL_ERROR;
250
0
#ifdef WITH_OPENSSL
251
0
  const EVP_CIPHER *type;
252
0
  int klen;
253
0
#endif
254
255
0
  *ccp = NULL;
256
0
  if ((cc = calloc(1, sizeof(*cc))) == NULL)
257
0
    return SSH_ERR_ALLOC_FAIL;
258
259
0
  cc->plaintext = (cipher->flags & CFLAG_NONE) != 0;
260
0
  cc->encrypt = do_encrypt;
261
262
0
  if (keylen < cipher->key_len ||
263
0
      (iv != NULL && ivlen < cipher_ivlen(cipher))) {
264
0
    ret = SSH_ERR_INVALID_ARGUMENT;
265
0
    goto out;
266
0
  }
267
268
0
  cc->cipher = cipher;
269
0
  if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
270
0
    cc->cp_ctx = chachapoly_new(key, keylen);
271
0
    ret = cc->cp_ctx != NULL ? 0 : SSH_ERR_INVALID_ARGUMENT;
272
0
    goto out;
273
0
  }
274
0
  if ((cc->cipher->flags & CFLAG_NONE) != 0) {
275
0
    ret = 0;
276
0
    goto out;
277
0
  }
278
#ifndef WITH_OPENSSL
279
  if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
280
    aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
281
    aesctr_ivsetup(&cc->ac_ctx, iv);
282
    ret = 0;
283
    goto out;
284
  }
285
  ret = SSH_ERR_INVALID_ARGUMENT;
286
  goto out;
287
#else /* WITH_OPENSSL */
288
0
  type = (*cipher->evptype)();
289
0
  if ((cc->evp = EVP_CIPHER_CTX_new()) == NULL) {
290
0
    ret = SSH_ERR_ALLOC_FAIL;
291
0
    goto out;
292
0
  }
293
0
  if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv,
294
0
      (do_encrypt == CIPHER_ENCRYPT)) == 0) {
295
0
    ret = SSH_ERR_LIBCRYPTO_ERROR;
296
0
    goto out;
297
0
  }
298
0
  if (cipher_authlen(cipher) &&
299
0
      EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
300
0
      -1, (u_char *)iv) <= 0) {
301
0
    ret = SSH_ERR_LIBCRYPTO_ERROR;
302
0
    goto out;
303
0
  }
304
0
  klen = EVP_CIPHER_CTX_key_length(cc->evp);
305
0
  if (klen > 0 && keylen != (u_int)klen) {
306
0
    if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) {
307
0
      ret = SSH_ERR_LIBCRYPTO_ERROR;
308
0
      goto out;
309
0
    }
310
0
  }
311
0
  if (EVP_CipherInit(cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
312
0
    ret = SSH_ERR_LIBCRYPTO_ERROR;
313
0
    goto out;
314
0
  }
315
0
  ret = 0;
316
0
#endif /* WITH_OPENSSL */
317
0
 out:
318
0
  if (ret == 0) {
319
    /* success */
320
0
    *ccp = cc;
321
0
  } else {
322
0
    if (cc != NULL) {
323
0
#ifdef WITH_OPENSSL
324
0
      EVP_CIPHER_CTX_free(cc->evp);
325
0
#endif /* WITH_OPENSSL */
326
0
      freezero(cc, sizeof(*cc));
327
0
    }
328
0
  }
329
0
  return ret;
330
0
}
331
332
/*
333
 * cipher_crypt() operates as following:
334
 * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
335
 * These bytes are treated as additional authenticated data for
336
 * authenticated encryption modes.
337
 * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
338
 * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
339
 * This tag is written on encryption and verified on decryption.
340
 * Both 'aadlen' and 'authlen' can be set to 0.
341
 */
342
int
343
cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
344
   const u_char *src, u_int len, u_int aadlen, u_int authlen)
345
0
{
346
0
  if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
347
0
    return chachapoly_crypt(cc->cp_ctx, seqnr, dest, src,
348
0
        len, aadlen, authlen, cc->encrypt);
349
0
  }
350
0
  if ((cc->cipher->flags & CFLAG_NONE) != 0) {
351
0
    memcpy(dest, src, aadlen + len);
352
0
    return 0;
353
0
  }
354
#ifndef WITH_OPENSSL
355
  if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
356
    if (aadlen)
357
      memcpy(dest, src, aadlen);
358
    aesctr_encrypt_bytes(&cc->ac_ctx, src + aadlen,
359
        dest + aadlen, len);
360
    return 0;
361
  }
362
  return SSH_ERR_INVALID_ARGUMENT;
363
#else
364
0
  if (authlen) {
365
0
    u_char lastiv[1];
366
367
0
    if (authlen != cipher_authlen(cc->cipher))
368
0
      return SSH_ERR_INVALID_ARGUMENT;
369
    /* increment IV */
370
0
    if (EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
371
0
        1, lastiv) <= 0)
372
0
      return SSH_ERR_LIBCRYPTO_ERROR;
373
    /* set tag on decryption */
374
0
    if (!cc->encrypt &&
375
0
        EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
376
0
        authlen, (u_char *)src + aadlen + len) <= 0)
377
0
      return SSH_ERR_LIBCRYPTO_ERROR;
378
0
  }
379
0
  if (aadlen) {
380
0
    if (authlen &&
381
0
        EVP_Cipher(cc->evp, NULL, (u_char *)src, aadlen) < 0)
382
0
      return SSH_ERR_LIBCRYPTO_ERROR;
383
0
    memcpy(dest, src, aadlen);
384
0
  }
385
0
  if (len % cc->cipher->block_size)
386
0
    return SSH_ERR_INVALID_ARGUMENT;
387
0
  if (EVP_Cipher(cc->evp, dest + aadlen, (u_char *)src + aadlen,
388
0
      len) < 0)
389
0
    return SSH_ERR_LIBCRYPTO_ERROR;
390
0
  if (authlen) {
391
    /* compute tag (on encrypt) or verify tag (on decrypt) */
392
0
    if (EVP_Cipher(cc->evp, NULL, NULL, 0) < 0)
393
0
      return cc->encrypt ?
394
0
          SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
395
0
    if (cc->encrypt &&
396
0
        EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG,
397
0
        authlen, dest + aadlen + len) <= 0)
398
0
      return SSH_ERR_LIBCRYPTO_ERROR;
399
0
  }
400
0
  return 0;
401
0
#endif
402
0
}
403
404
/* Extract the packet length, including any decryption necessary beforehand */
405
int
406
cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
407
    const u_char *cp, u_int len)
408
0
{
409
0
  if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
410
0
    return chachapoly_get_length(cc->cp_ctx, plenp, seqnr,
411
0
        cp, len);
412
0
  if (len < 4)
413
0
    return SSH_ERR_MESSAGE_INCOMPLETE;
414
0
  *plenp = PEEK_U32(cp);
415
0
  return 0;
416
0
}
417
418
void
419
cipher_free(struct sshcipher_ctx *cc)
420
0
{
421
0
  if (cc == NULL)
422
0
    return;
423
0
  if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
424
0
    chachapoly_free(cc->cp_ctx);
425
0
    cc->cp_ctx = NULL;
426
0
  } else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
427
0
    explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
428
0
#ifdef WITH_OPENSSL
429
0
  EVP_CIPHER_CTX_free(cc->evp);
430
0
  cc->evp = NULL;
431
0
#endif
432
0
  freezero(cc, sizeof(*cc));
433
0
}
434
435
int
436
cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, size_t len)
437
0
{
438
0
#ifdef WITH_OPENSSL
439
0
  const struct sshcipher *c = cc->cipher;
440
0
  int evplen;
441
0
#endif
442
443
0
  if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
444
0
    if (len != 0)
445
0
      return SSH_ERR_INVALID_ARGUMENT;
446
0
    return 0;
447
0
  }
448
0
  if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
449
0
    if (len != sizeof(cc->ac_ctx.ctr))
450
0
      return SSH_ERR_INVALID_ARGUMENT;
451
0
    memcpy(iv, cc->ac_ctx.ctr, len);
452
0
    return 0;
453
0
  }
454
0
  if ((cc->cipher->flags & CFLAG_NONE) != 0)
455
0
    return 0;
456
457
0
#ifdef WITH_OPENSSL
458
0
  evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
459
0
  if (evplen == 0)
460
0
    return 0;
461
0
  else if (evplen < 0)
462
0
    return SSH_ERR_LIBCRYPTO_ERROR;
463
0
  if ((size_t)evplen != len)
464
0
    return SSH_ERR_INVALID_ARGUMENT;
465
0
  if (cipher_authlen(c)) {
466
0
    if (EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN, len,
467
0
        iv) <= 0)
468
0
      return SSH_ERR_LIBCRYPTO_ERROR;
469
0
  } else if (EVP_CIPHER_CTX_get_iv(cc->evp, iv, len) <= 0)
470
0
    return SSH_ERR_LIBCRYPTO_ERROR;
471
0
#endif
472
0
  return 0;
473
0
}