1 files changed, 106 insertions, 41 deletions

diff --git a/crypto/openssh/cipher.c b/crypto/openssh/cipher.c
index 28afa45..91bd11e 100644
--- a/crypto/openssh/cipher.c
+++ b/crypto/openssh/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */
+/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */
 /* $FreeBSD$ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -55,41 +55,46 @@
 extern const EVP_CIPHER *evp_ssh1_bf(void);
 extern const EVP_CIPHER *evp_ssh1_3des(void);
 extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-extern const EVP_CIPHER *evp_aes_128_ctr(void);
-extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
 
 struct Cipher {
 	char	*name;
 	int	number;		/* for ssh1 only */
 	u_int	block_size;
 	u_int	key_len;
+	u_int	iv_len;		/* defaults to block_size */
+	u_int	auth_len;
 	u_int	discard_len;
 	u_int	cbc_mode;
 	const EVP_CIPHER	*(*evptype)(void);
 } ciphers[] = {
-	{ "none",		SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
-	{ "des",		SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
-	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
-	{ "blowfish",		SSH_CIPHER_BLOWFISH, 8, 32, 0, 1, evp_ssh1_bf },
-
-	{ "3des-cbc",		SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc },
-	{ "blowfish-cbc",	SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc },
-	{ "cast128-cbc",	SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc },
-	{ "arcfour",		SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 },
-	{ "arcfour128",		SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 },
-	{ "arcfour256",		SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 },
-	{ "aes128-cbc",		SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc },
-	{ "aes192-cbc",		SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc },
-	{ "aes256-cbc",		SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
+	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
+	{ "3des",	SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
+	{ "blowfish",	SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
+
+	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+	{ "blowfish-cbc",
+			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
+	{ "cast128-cbc",
+			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
+	{ "arcfour",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
+	{ "arcfour128",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
+	{ "arcfour256",	SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
+	{ "aes128-cbc",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+	{ "aes192-cbc",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+	{ "aes256-cbc",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
 	{ "rijndael-cbc@lysator.liu.se",
-				SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
-	{ "aes128-ctr",		SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
-	{ "aes192-ctr",		SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
-	{ "aes256-ctr",		SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
-#ifdef USE_CIPHER_ACSS
-	{ "acss@openssh.org",	SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss },
+			SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
+	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+#ifdef OPENSSL_HAVE_EVPGCM
+	{ "aes128-gcm@openssh.com",
+			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+	{ "aes256-gcm@openssh.com",
+			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 #endif
-	{ NULL,			SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
+	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
 
 /*--*/
@@ -107,6 +112,18 @@ cipher_keylen(const Cipher *c)
 }
 
 u_int
+cipher_authlen(const Cipher *c)
+{
+	return (c->auth_len);
+}
+
+u_int
+cipher_ivlen(const Cipher *c)
+{
+	return (c->iv_len ? c->iv_len : c->block_size);
+}
+
+u_int
 cipher_get_number(const Cipher *c)
 {
 	return (c->number);
@@ -230,11 +247,12 @@ cipher_init(CipherContext *cc, Cipher *cipher,
 			keylen = 8;
 	}
 	cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
+	cc->encrypt = do_encrypt;
 
 	if (keylen < cipher->key_len)
 		fatal("cipher_init: key length %d is insufficient for %s.",
 		    keylen, cipher->name);
-	if (iv != NULL && ivlen < cipher->block_size)
+	if (iv != NULL && ivlen < cipher_ivlen(cipher))
 		fatal("cipher_init: iv length %d is insufficient for %s.",
 		    ivlen, cipher->name);
 	cc->cipher = cipher;
@@ -255,6 +273,11 @@ cipher_init(CipherContext *cc, Cipher *cipher,
 	    (do_encrypt == CIPHER_ENCRYPT)) == 0)
 		fatal("cipher_init: EVP_CipherInit failed for %s",
 		    cipher->name);
+	if (cipher_authlen(cipher) &&
+	    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
+	    -1, (u_char *)iv))
+		fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s",
+		    cipher->name);
 	klen = EVP_CIPHER_CTX_key_length(&cc->evp);
 	if (klen > 0 && keylen != (u_int)klen) {
 		debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
@@ -279,13 +302,59 @@ cipher_init(CipherContext *cc, Cipher *cipher,
 	}
 }
 
+/*
+ * cipher_crypt() operates as following:
+ * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
+ * Theses bytes are treated as additional authenticated data for
+ * authenticated encryption modes.
+ * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
+ * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
+ * This tag is written on encryption and verified on decryption.
+ * Both 'aadlen' and 'authlen' can be set to 0.
+ */
 void
-cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src,
+    u_int len, u_int aadlen, u_int authlen)
 {
+	if (authlen) {
+		u_char lastiv[1];
+
+		if (authlen != cipher_authlen(cc->cipher))
+			fatal("%s: authlen mismatch %d", __func__, authlen);
+		/* increment IV */
+		if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
+		    1, lastiv))
+			fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__);
+		/* set tag on decyption */
+		if (!cc->encrypt &&
+		    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
+		    authlen, (u_char *)src + aadlen + len))
+			fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__);
+	}
+	if (aadlen) {
+		if (authlen &&
+		    EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
+			fatal("%s: EVP_Cipher(aad) failed", __func__);
+		memcpy(dest, src, aadlen);
+	}
 	if (len % cc->cipher->block_size)
-		fatal("cipher_encrypt: bad plaintext length %d", len);
-	if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
-		fatal("evp_crypt: EVP_Cipher failed");
+		fatal("%s: bad plaintext length %d", __func__, len);
+	if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
+	    len) < 0)
+		fatal("%s: EVP_Cipher failed", __func__);
+	if (authlen) {
+		/* compute tag (on encrypt) or verify tag (on decrypt) */
+		if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) {
+			if (cc->encrypt)
+				fatal("%s: EVP_Cipher(final) failed", __func__);
+			else
+				fatal("Decryption integrity check failed");
+		}
+		if (cc->encrypt &&
+		    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
+		    authlen, dest + aadlen + len))
+			fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__);
+	}
 }
 
 void
@@ -360,10 +429,12 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
 			ssh_rijndael_iv(&cc->evp, 0, iv, len);
 		else
 #endif
+#ifndef OPENSSL_HAVE_EVPCTR
 		if (c->evptype == evp_aes_128_ctr)
 			ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
 		else
-			memcpy(iv, cc->evp.iv, len);
+#endif
+		memcpy(iv, cc->evp.iv, len);
 		break;
 	case SSH_CIPHER_3DES:
 		ssh1_3des_iv(&cc->evp, 0, iv, 24);
@@ -394,10 +465,12 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
 			ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
 		else
 #endif
+#ifndef OPENSSL_HAVE_EVPCTR
 		if (c->evptype == evp_aes_128_ctr)
 			ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
 		else
-			memcpy(cc->evp.iv, iv, evplen);
+#endif
+		memcpy(cc->evp.iv, iv, evplen);
 		break;
 	case SSH_CIPHER_3DES:
 		ssh1_3des_iv(&cc->evp, 1, iv, 24);
@@ -407,21 +480,13 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
 	}
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-#define EVP_X_STATE(evp)	&(evp).c
-#define EVP_X_STATE_LEN(evp)	sizeof((evp).c)
-#else
-#define EVP_X_STATE(evp)	(evp).cipher_data
-#define EVP_X_STATE_LEN(evp)	(evp).cipher->ctx_size
-#endif
-
 int
 cipher_get_keycontext(const CipherContext *cc, u_char *dat)
 {
 	Cipher *c = cc->cipher;
 	int plen = 0;
 
-	if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) {
+	if (c->evptype == EVP_rc4) {
 		plen = EVP_X_STATE_LEN(cc->evp);
 		if (dat == NULL)
 			return (plen);
@@ -436,7 +501,7 @@ cipher_set_keycontext(CipherContext *cc, u_char *dat)
 	Cipher *c = cc->cipher;
 	int plen;
 
-	if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) {
+	if (c->evptype == EVP_rc4) {
 		plen = EVP_X_STATE_LEN(cc->evp);
 		memcpy(EVP_X_STATE(cc->evp), dat, plen);
 	}