static int FIPS_des3_test(void)
{
int ret = 0;
unsigned char pltmp[8];
unsigned char citmp[8];
unsigned char key[] =
{ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
19, 20, 21, 22, 23, 24
};
unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 1) <= 0)
goto err;
EVP_Cipher(&ctx, citmp, plaintext, 8);
if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 0) <= 0)
goto err;
EVP_Cipher(&ctx, pltmp, citmp, 8);
if (memcmp(pltmp, plaintext, 8))
goto err;
ret = 1;
err:
EVP_CIPHER_CTX_cleanup(&ctx);
return ret;
}
/*
* This function decrypts a buffer using AES GCM mode
*
* Parameters:
* c Crypto context
* buf data to encrypt
* enc_len length of encrypt buffer
*/
err_status_t aes_gcm_openssl_decrypt (aes_gcm_ctx_t *c, unsigned char *buf,
unsigned int *enc_len)
{
if (c->dir != direction_encrypt && c->dir != direction_decrypt) {
return (err_status_bad_param);
}
/*
* Set the tag before decrypting
*/
EVP_CIPHER_CTX_ctrl(&c->ctx, EVP_CTRL_GCM_SET_TAG, c->tag_len,
buf + (*enc_len - c->tag_len));
EVP_Cipher(&c->ctx, buf, buf, *enc_len - c->tag_len);
/*
* Check the tag
*/
if (EVP_Cipher(&c->ctx, NULL, NULL, 0)) {
return (err_status_auth_fail);
}
/*
* Reduce the buffer size by the tag length since the tag
* is not part of the original payload
*/
*enc_len -= c->tag_len;
return (err_status_ok);
}
static int
test_cipher(int i, const EVP_CIPHER *c, struct tests *t)
{
EVP_CIPHER_CTX ectx;
EVP_CIPHER_CTX dctx;
void *d;
if (c == NULL) {
printf("%s not supported\n", t->name);
return 0;
}
EVP_CIPHER_CTX_init(&ectx);
EVP_CIPHER_CTX_init(&dctx);
if (EVP_CipherInit_ex(&ectx, c, NULL, NULL, NULL, 1) != 1)
errx(1, "%s: %d EVP_CipherInit_ex einit", t->name, i);
if (EVP_CipherInit_ex(&dctx, c, NULL, NULL, NULL, 0) != 1)
errx(1, "%s: %d EVP_CipherInit_ex dinit", t->name, i);
EVP_CIPHER_CTX_set_key_length(&ectx, t->keysize);
EVP_CIPHER_CTX_set_key_length(&dctx, t->keysize);
if (EVP_CipherInit_ex(&ectx, NULL, NULL, t->key, t->iv, 1) != 1)
errx(1, "%s: %d EVP_CipherInit_ex encrypt", t->name, i);
if (EVP_CipherInit_ex(&dctx, NULL, NULL, t->key, t->iv, 0) != 1)
errx(1, "%s: %d EVP_CipherInit_ex decrypt", t->name, i);
d = emalloc(t->datasize);
if (!EVP_Cipher(&ectx, d, t->indata, t->datasize))
errx(1, "%s: %d EVP_Cipher encrypt failed", t->name, i);
if (memcmp(d, t->outdata, t->datasize) != 0) {
char *s, *s2;
hex_encode(d, t->datasize, &s);
hex_encode(t->outdata, t->datasize, &s2);
errx(1, "%s: %d encrypt not the same: %s != %s", t->name, i, s, s2);
}
if (!EVP_Cipher(&dctx, d, d, t->datasize))
errx(1, "%s: %d EVP_Cipher decrypt failed", t->name, i);
if (memcmp(d, t->indata, t->datasize) != 0) {
char *s;
hex_encode(d, t->datasize, &s);
errx(1, "%s: %d decrypt not the same: %s", t->name, i, s);
}
if (t->outiv)
/* XXXX check */;
EVP_CIPHER_CTX_cleanup(&ectx);
EVP_CIPHER_CTX_cleanup(&dctx);
free(d);
return 0;
}
int
_krb5_evp_encrypt_iov(krb5_context context,
struct _krb5_key_data *key,
struct krb5_crypto_iov *iov,
int niov,
krb5_boolean encryptp,
int usage,
void *ivec)
{
size_t blocksize, blockmask, wholeblocks;
struct _krb5_evp_schedule *ctx = key->schedule->data;
unsigned char tmp[EVP_MAX_BLOCK_LENGTH];
EVP_CIPHER_CTX *c;
struct _krb5_evp_iov_cursor cursor;
c = encryptp ? &ctx->ectx : &ctx->dctx;
blocksize = EVP_CIPHER_CTX_block_size(c);
blockmask = ~(blocksize - 1);
if (ivec)
EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
else
EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
_krb5_evp_iov_cursor_init(&cursor, iov, niov);
while (!_krb5_evp_iov_cursor_done(&cursor)) {
/* Number of bytes of data in this iovec that are in whole blocks */
wholeblocks = cursor.current.length & ~blockmask;
if (wholeblocks != 0) {
EVP_Cipher(c, cursor.current.data,
cursor.current.data, wholeblocks);
_krb5_evp_iov_cursor_advance(&cursor, wholeblocks);
}
/* If there's a partial block of data remaining in the current
* iovec, steal enough from subsequent iovecs to form a whole block */
if (cursor.current.length > 0 && cursor.current.length < blocksize) {
/* Build up a block's worth of data in tmp, leaving the cursor
* pointing at where we started */
_krb5_evp_iov_cursor_fillbuf(&cursor, tmp, blocksize, NULL);
EVP_Cipher(c, tmp, tmp, blocksize);
/* Copy the data in tmp back into the iovecs that it came from,
* advancing the cursor */
_krb5_evp_iov_cursor_fillvec(&cursor, tmp, blocksize);
}
}
return 0;
}
void
cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
if (len % cc->cipher->block_size)
fatal("cipher_encrypt: bad plaintext length %d", len);
#ifdef SSH_OLD_EVP
EVP_Cipher(&cc->evp, dest, (u_char *)src, len);
#else
if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
fatal("evp_crypt: EVP_Cipher failed");
#endif
}
static int
ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, size_t len)
{
struct ssh1_3des_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
return 0;
if (EVP_Cipher(&c->k1, dest, __UNCONST(src), len) == 0 ||
EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
EVP_Cipher(&c->k3, dest, dest, len) == 0)
return 0;
return 1;
}
static int
ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, size_t len)
{
struct ssh1_3des_ctx *c;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
error("ssh1_3des_cbc: no context");
return (0);
}
if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
EVP_Cipher(&c->k3, dest, dest, len) == 0)
return (0);
return (1);
}
static int
test_bulk_cipher(const char *cname, const EVP_CIPHER *c)
{
static unsigned char key[16];
static unsigned char iv[16];
int i;
int64_t M = 0;
for (i = 0; i < loops; i++) {
EVP_CIPHER_CTX ectx;
EVP_CIPHER_CTX dctx;
STATS_START(M)
EVP_CIPHER_CTX_init(&ectx);
EVP_CIPHER_CTX_init(&dctx);
if (EVP_CipherInit_ex(&ectx, c, NULL, NULL, NULL, 1) != 1)
errx(1, "can't init encrypt");
if (EVP_CipherInit_ex(&dctx, c, NULL, NULL, NULL, 0) != 1)
errx(1, "can't init decrypt");
EVP_CIPHER_CTX_set_key_length(&ectx, sizeof(key));
EVP_CIPHER_CTX_set_key_length(&dctx, sizeof(key));
if (EVP_CipherInit_ex(&ectx, NULL, NULL, key, iv, 1) != 1)
errx(1, "can't init encrypt");
if (EVP_CipherInit_ex(&dctx, NULL, NULL, key, iv, 0) != 1)
errx(1, "can't init decrypt");
if (!EVP_Cipher(&ectx, d, d, len))
errx(1, "can't encrypt");
if (!EVP_Cipher(&dctx, d, d, len))
errx(1, "can't decrypt");
EVP_CIPHER_CTX_cleanup(&ectx);
EVP_CIPHER_CTX_cleanup(&dctx);
STATS_END(M);
if (d[0] != 0x00 || d[len - 1] != ((len - 1) & 0xff))
errx(1, "encrypt/decrypt inconsistent");
}
printf("%s: mean time %llu usec%s\n", cname, M, (M == 1) ? "" : "s");
return 0;
}
/*
* cipher_crypt() operates as following:
* Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
* Theses bytes are treated as additional authenticated data for
* authenticated encryption modes.
* En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
* Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
* This tag is written on encryption and verified on decryption.
* Both 'aadlen' and 'authlen' can be set to 0.
* cipher_crypt() returns 0 on success and -1 if the decryption integrity
* check fails.
*/
int
cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src,
u_int len, u_int aadlen, u_int authlen)
{
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, len,
aadlen, authlen, cc->encrypt);
if (authlen) {
u_char lastiv[1];
if (authlen != cipher_authlen(cc->cipher))
fatal("%s: authlen mismatch %d", __func__, authlen);
/* increment IV */
if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
1, lastiv))
fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__);
/* set tag on decyption */
if (!cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
authlen, (u_char *)src + aadlen + len))
fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__);
}
if (aadlen) {
if (authlen &&
EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
fatal("%s: EVP_Cipher(aad) failed", __func__);
memcpy(dest, src, aadlen);
}
if (len % cc->cipher->block_size)
fatal("%s: bad plaintext length %d", __func__, len);
if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
len) < 0)
fatal("%s: EVP_Cipher failed", __func__);
if (authlen) {
/* compute tag (on encrypt) or verify tag (on decrypt) */
if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) {
if (cc->encrypt)
fatal("%s: EVP_Cipher(final) failed", __func__);
else
return -1;
}
if (cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
authlen, dest + aadlen + len))
fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__);
}
return 0;
}
krb5_error_code
_krb5_evp_encrypt(krb5_context context,
struct _krb5_key_data *key,
void *data,
size_t len,
krb5_boolean encryptp,
int usage,
void *ivec)
{
struct _krb5_evp_schedule *ctx = key->schedule->data;
EVP_CIPHER_CTX *c;
c = encryptp ? &ctx->ectx : &ctx->dctx;
if (ivec == NULL) {
/* alloca ? */
size_t len2 = EVP_CIPHER_CTX_iv_length(c);
void *loiv = malloc(len2);
if (loiv == NULL)
return krb5_enomem(context);
memset(loiv, 0, len2);
EVP_CipherInit_ex(c, NULL, NULL, NULL, loiv, -1);
free(loiv);
} else
EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
EVP_Cipher(c, data, data, len);
return 0;
}
int
tls_process_record_data(struct SSLConnection *conn, const opaque *fragment, const int len,
uint8_t **out, uint32_t *outl)
{
EVP_CIPHER_CTX *evp;
unsigned char pad;
unsigned char *decoded;
uint32_t dlen;
if (conn->direction == 0) {
evp = &conn->client_cipher_ctx;
} else {
evp = &conn->server_cipher_ctx;
}
decoded = sng_malloc(len);
EVP_Cipher(evp, decoded, (unsigned char *) fragment, len);
// Get padding counter and remove from data
pad = decoded[len - 1];
dlen = (len - (pad + 1) - /* Trailing MAC */20);
if ((int32_t)dlen > 0 && dlen <= *outl) {
memcpy(*out, decoded, dlen);
*outl = dlen;
}
// Clenaup decoded memory
sng_free(decoded);
return *outl;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_des_checksum(krb5_context context,
const EVP_MD *evp_md,
struct _krb5_key_data *key,
const void *data,
size_t len,
Checksum *cksum)
{
struct _krb5_evp_schedule *ctx = key->schedule->data;
EVP_MD_CTX *m;
DES_cblock ivec;
unsigned char *p = cksum->checksum.data;
krb5_generate_random_block(p, 8);
m = EVP_MD_CTX_create();
if (m == NULL)
return krb5_enomem(context);
EVP_DigestInit_ex(m, evp_md, NULL);
EVP_DigestUpdate(m, p, 8);
EVP_DigestUpdate(m, data, len);
EVP_DigestFinal_ex (m, p + 8, NULL);
EVP_MD_CTX_destroy(m);
memset (&ivec, 0, sizeof(ivec));
EVP_CipherInit_ex(&ctx->ectx, NULL, NULL, NULL, (void *)&ivec, -1);
EVP_Cipher(&ctx->ectx, p, p, 24);
return 0;
}
int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
const EVP_CIPHER *cipher, ENGINE *impl)
{
static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH];
#ifdef OPENSSL_FIPS
if (FIPS_mode())
{
/* If we have an ENGINE need to allow non FIPS */
if ((impl || ctx->cctx.engine)
&& !(ctx->cctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
{
EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
return 0;
}
/* Other algorithm blocking will be done in FIPS_cmac_init,
* via FIPS_cipherinit().
*/
if (!impl && !ctx->cctx.engine)
return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
}
#endif
/* All zeros means restart */
if (!key && !cipher && !impl && keylen == 0)
{
/* Not initialised */
if (ctx->nlast_block == -1)
return 0;
if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv))
return 0;
return 1;
}
/* Initialiase context */
if (cipher && !EVP_EncryptInit_ex(&ctx->cctx, cipher, impl, NULL, NULL))
return 0;
/* Non-NULL key means initialisation complete */
if (key)
{
int bl;
if (!EVP_CIPHER_CTX_cipher(&ctx->cctx))
return 0;
if (!EVP_CIPHER_CTX_set_key_length(&ctx->cctx, keylen))
return 0;
if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, key, zero_iv))
return 0;
bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
if (!EVP_Cipher(&ctx->cctx, ctx->tbl, zero_iv, bl))
return 0;
make_kn(ctx->k1, ctx->tbl, bl);
make_kn(ctx->k2, ctx->k1, bl);
OPENSSL_cleanse(ctx->tbl, bl);
/* Reset context again ready for first data block */
if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv))
return 0;
/* Zero tbl so resume works */
memset(ctx->tbl, 0, bl);
ctx->nlast_block = 0;
}
return 1;
}
/*
* This function processes the AAD
*
* Parameters:
* c Crypto context
* aad Additional data to process for AEAD cipher suites
* aad_len length of aad buffer
*/
static srtp_err_status_t srtp_aes_gcm_openssl_set_aad(void *cv,
const uint8_t *aad,
uint32_t aad_len)
{
srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
int rv;
/*
* Set dummy tag, OpenSSL requires the Tag to be set before
* processing AAD
*/
/*
* OpenSSL never write to address pointed by the last parameter of
* EVP_CIPHER_CTX_ctrl while EVP_CTRL_GCM_SET_TAG (in reality,
* OpenSSL copy its content to the context), so we can make
* aad read-only in this function and all its wrappers.
*/
unsigned char dummy_tag[GCM_AUTH_TAG_LEN];
memset(dummy_tag, 0x0, GCM_AUTH_TAG_LEN);
EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_TAG, c->tag_len, &dummy_tag);
rv = EVP_Cipher(c->ctx, NULL, aad, aad_len);
if (rv != aad_len) {
return (srtp_err_status_algo_fail);
} else {
return (srtp_err_status_ok);
}
}
krb5_error_code
_krb5_des_checksum(krb5_context context,
CCDigestAlg alg,
struct _krb5_key_data *key,
const void *data,
size_t len,
Checksum *cksum)
{
struct _krb5_evp_schedule *ctx = key->schedule->data;
CCDigestRef m;
unsigned char ivec[8];
unsigned char *p = cksum->checksum.data;
krb5_generate_random_block(p, 8);
m = CCDigestCreate(alg);
if (m == NULL) {
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
CCDigestUpdate(m, p, 8);
CCDigestUpdate(m, data, len);
CCDigestFinal(m, p + 8);
CCDigestDestroy(m);
memset (&ivec, 0, sizeof(ivec));
EVP_CipherInit_ex(&ctx->ectx, NULL, NULL, NULL, (void *)ivec, -1);
EVP_Cipher(&ctx->ectx, p, p, 24);
return 0;
}
int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
{
int i, bl, lb;
#ifdef OPENSSL_FIPS
if (FIPS_mode() && !ctx->cctx.engine)
return FIPS_cmac_final(ctx, out, poutlen);
#endif
if (ctx->nlast_block == -1)
return 0;
bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
*poutlen = (size_t)bl;
if (!out)
return 1;
lb = ctx->nlast_block;
/* Is last block complete? */
if (lb == bl)
{
for (i = 0; i < bl; i++)
out[i] = ctx->last_block[i] ^ ctx->k1[i];
}
else
{
ctx->last_block[lb] = 0x80;
if (bl - lb > 1)
memset(ctx->last_block + lb + 1, 0, bl - lb - 1);
for (i = 0; i < bl; i++)
out[i] = ctx->last_block[i] ^ ctx->k2[i];
}
if (!EVP_Cipher(&ctx->cctx, out, out, bl))
{
OPENSSL_cleanse(out, bl);
return 0;
}
return 1;
}
/* read/writes from s->s2->mac_data using length for encrypt and
* decrypt. It sets s->s2->padding and s->[rw]length
* if we are encrypting */
void ssl2_enc(SSL *s, int send)
{
EVP_CIPHER_CTX *ds;
unsigned long l;
int bs;
if (send)
{
ds=s->enc_write_ctx;
l=s->s2->wlength;
}
else
{
ds=s->enc_read_ctx;
l=s->s2->rlength;
}
/* check for NULL cipher */
if (ds == NULL) return;
bs=ds->cipher->block_size;
/* This should be using (bs-1) and bs instead of 7 and 8, but
* what the hell. */
if (bs == 8)
l=(l+7)/8*8;
EVP_Cipher(ds,s->s2->mac_data,s->s2->mac_data,l);
}
static int
test_cipher(struct tests *t)
{
const EVP_CIPHER *c = t->cipher();
EVP_CIPHER_CTX ectx;
EVP_CIPHER_CTX dctx;
void *d;
EVP_CIPHER_CTX_init(&ectx);
EVP_CIPHER_CTX_init(&dctx);
if (EVP_CipherInit_ex(&ectx, c, NULL, NULL, NULL, 1) != 1)
errx(1, "%s: EVP_CipherInit_ex einit", t->name);
if (EVP_CipherInit_ex(&dctx, c, NULL, NULL, NULL, 0) != 1)
errx(1, "%s: EVP_CipherInit_ex dinit", t->name);
EVP_CIPHER_CTX_set_key_length(&ectx, t->keysize);
EVP_CIPHER_CTX_set_key_length(&dctx, t->keysize);
if (EVP_CipherInit_ex(&ectx, NULL, NULL, t->key, t->iv, 1) != 1)
errx(1, "%s: EVP_CipherInit_ex encrypt", t->name);
if (EVP_CipherInit_ex(&dctx, NULL, NULL, t->key, t->iv, 0) != 1)
errx(1, "%s: EVP_CipherInit_ex decrypt", t->name);
d = emalloc(t->datasize);
if (!EVP_Cipher(&ectx, d, t->indata, t->datasize))
return 1;
if (memcmp(d, t->outdata, t->datasize) != 0)
errx(1, "%s: encrypt not the same", t->name);
if (!EVP_Cipher(&dctx, d, d, t->datasize))
return 1;
if (memcmp(d, t->indata, t->datasize) != 0)
errx(1, "%s: decrypt not the same", t->name);
if (t->outiv)
/* XXXX check */;
EVP_CIPHER_CTX_cleanup(&ectx);
EVP_CIPHER_CTX_cleanup(&dctx);
free(d);
return 0;
}
void
cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
if (len % cc->cipher->block_size)
fatal("cipher_encrypt: bad plaintext length %d", len);
if (EVP_Cipher(&cc->evp, dest, __UNCONST(src), len) == 0)
fatal("evp_crypt: EVP_Cipher failed");
}
void
cipher_init(CipherContext *cc, Cipher *cipher,
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
int do_encrypt)
{
static int dowarn = 1;
const EVP_CIPHER *type;
int klen;
u_char *junk, *discard;
if (cipher->number == SSH_CIPHER_DES) {
if (dowarn) {
error("Warning: use of DES is strongly discouraged "
"due to cryptographic weaknesses");
dowarn = 0;
}
if (keylen > 8)
keylen = 8;
}
cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
if (keylen < cipher->key_len)
fatal("cipher_init: key length %d is insufficient for %s.",
keylen, cipher->name);
if (iv != NULL && ivlen < cipher->block_size)
fatal("cipher_init: iv length %d is insufficient for %s.",
ivlen, cipher->name);
cc->cipher = cipher;
type = (*cipher->evptype)();
EVP_CIPHER_CTX_init(&cc->evp);
if (EVP_CipherInit(&cc->evp, type, NULL, __UNCONST(iv),
(do_encrypt == CIPHER_ENCRYPT)) == 0)
fatal("cipher_init: EVP_CipherInit failed for %s",
cipher->name);
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
if (klen > 0 && keylen != (u_int)klen) {
debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
fatal("cipher_init: set keylen failed (%d -> %d)",
klen, keylen);
}
if (EVP_CipherInit(&cc->evp, NULL, __UNCONST(key), NULL, -1) == 0)
fatal("cipher_init: EVP_CipherInit: set key failed for %s",
cipher->name);
if (cipher->discard_len > 0) {
junk = xmalloc(cipher->discard_len);
discard = xmalloc(cipher->discard_len);
if (EVP_Cipher(&cc->evp, discard, junk,
cipher->discard_len) == 0)
fatal("evp_crypt: EVP_Cipher failed during discard");
memset(discard, 0, cipher->discard_len);
xfree(junk);
xfree(discard);
}
}
int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
{
const unsigned char *data = in;
size_t bl;
#ifdef OPENSSL_FIPS
if (FIPS_mode() && !ctx->cctx.engine)
return FIPS_cmac_update(ctx, in, dlen);
#endif
if (ctx->nlast_block == -1)
return 0;
if (dlen == 0)
return 1;
bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
/* Copy into partial block if we need to */
if (ctx->nlast_block > 0)
{
size_t nleft;
nleft = bl - ctx->nlast_block;
if (dlen < nleft)
nleft = dlen;
memcpy(ctx->last_block + ctx->nlast_block, data, nleft);
dlen -= nleft;
ctx->nlast_block += nleft;
/* If no more to process return */
if (dlen == 0)
return 1;
data += nleft;
/* Else not final block so encrypt it */
if (!EVP_Cipher(&ctx->cctx, ctx->tbl, ctx->last_block,bl))
return 0;
}
/* Encrypt all but one of the complete blocks left */
while(dlen > bl)
{
if (!EVP_Cipher(&ctx->cctx, ctx->tbl, data, bl))
return 0;
dlen -= bl;
data += bl;
}
/* Copy any data left to last block buffer */
memcpy(ctx->last_block, data, dlen);
ctx->nlast_block = dlen;
return 1;
}
static int
cipher_do_cipher(hc_EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int len)
{
struct ossl_cipher_ctx *ossl_ctx = ctx->cipher_data;
assert(ossl_ctx != NULL);
return EVP_Cipher(ossl_ctx->ossl_cipher_ctx, out, in, len);
}
/*
* cipher_crypt() operates as following:
* Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
* Theses bytes are treated as additional authenticated data for
* authenticated encryption modes.
* En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
* Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
* This tag is written on encryption and verified on decryption.
* Both 'aadlen' and 'authlen' can be set to 0.
*/
void
cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src,
u_int len, u_int aadlen, u_int authlen)
{
if (authlen) {
u_char lastiv[1];
if (authlen != cipher_authlen(cc->cipher))
fatal("%s: authlen mismatch %d", __func__, authlen);
/* increment IV */
if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
1, lastiv))
fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__);
/* set tag on decyption */
if (!cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
authlen, __UNCONST(src + aadlen + len)))
fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__);
}
if (aadlen) {
if (authlen &&
EVP_Cipher(&cc->evp, NULL, (const u_char *)src, aadlen) < 0)
fatal("%s: EVP_Cipher(aad) failed", __func__);
memcpy(dest, src, aadlen);
}
if (len % cc->cipher->block_size)
fatal("%s: bad plaintext length %d", __func__, len);
if (EVP_Cipher(&cc->evp, dest + aadlen, (const u_char *)src + aadlen,
len) < 0)
fatal("%s: EVP_Cipher failed", __func__);
if (authlen) {
/* compute tag (on encrypt) or verify tag (on decrypt) */
if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) {
if (cc->encrypt)
fatal("%s: EVP_Cipher(final) failed", __func__);
else
fatal("Decryption integrity check failed");
}
if (cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
authlen, dest + aadlen + len))
fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__);
}
}
int sftp_cipher_write_data(struct ssh2_packet *pkt, unsigned char *buf,
size_t *buflen) {
struct sftp_cipher *cipher;
EVP_CIPHER_CTX *cipher_ctx;
cipher = &(write_ciphers[write_cipher_idx]);
cipher_ctx = write_ctxs[write_cipher_idx];
if (cipher->key) {
int res;
unsigned char *data, *ptr;
uint32_t datalen, datasz = sizeof(uint32_t) + pkt->packet_len;
datalen = datasz;
ptr = data = palloc(pkt->pool, datasz);
sftp_msg_write_int(&data, &datalen, pkt->packet_len);
sftp_msg_write_byte(&data, &datalen, pkt->padding_len);
sftp_msg_write_data(&data, &datalen, pkt->payload, pkt->payload_len, FALSE);
sftp_msg_write_data(&data, &datalen, pkt->padding, pkt->padding_len, FALSE);
res = EVP_Cipher(cipher_ctx, buf, ptr, (datasz - datalen));
if (res != 1) {
(void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
"error encrypting %s data for client: %s", cipher->algo,
sftp_crypto_get_errors());
errno = EIO;
return -1;
}
*buflen = (datasz - datalen);
#ifdef SFTP_DEBUG_PACKET
{
unsigned int i;
(void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
"encrypted packet data (len %lu):", (unsigned long) *buflen);
for (i = 0; i < *buflen;) {
(void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
" %02x%02x %02x%02x %02x%02x %02x%02x",
((unsigned char *) buf)[i], ((unsigned char *) buf)[i+1],
((unsigned char *) buf)[i+2], ((unsigned char *) buf)[i+3],
((unsigned char *) buf)[i+4], ((unsigned char *) buf)[i+5],
((unsigned char *) buf)[i+6], ((unsigned char *) buf)[i+7]);
i += 8;
}
}
#endif
return 0;
}
*buflen = 0;
return 0;
}
int
cipher_crypt(struct sshcipher_ctx *cc, u_char *dest,
const u_char *src, u_int len)
{
if (len % cc->cipher->block_size)
return SSH_ERR_INVALID_ARGUMENT;
if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
return SSH_ERR_LIBCRYPTO_ERROR;
return 0;
}
static krb5_error_code
AES_PRF(krb5_context context,
krb5_crypto crypto,
const krb5_data *in,
krb5_data *out)
{
struct _krb5_checksum_type *ct = crypto->et->checksum;
krb5_error_code ret;
Checksum result;
krb5_keyblock *derived;
result.cksumtype = ct->type;
ret = krb5_data_alloc(&result.checksum, ct->checksumsize);
if (ret) {
krb5_set_error_message(context, ret, N_("malloc: out memory", ""));
return ret;
}
ret = (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
if (ret) {
krb5_data_free(&result.checksum);
return ret;
}
if (result.checksum.length < crypto->et->blocksize)
krb5_abortx(context, "internal prf error");
derived = NULL;
ret = krb5_derive_key(context, crypto->key.key,
crypto->et->type, "prf", 3, &derived);
if (ret)
krb5_abortx(context, "krb5_derive_key");
ret = krb5_data_alloc(out, crypto->et->blocksize);
if (ret)
krb5_abortx(context, "malloc failed");
{
const EVP_CIPHER *c = (*crypto->et->keytype->evp)();
EVP_CIPHER_CTX *ctx;
ctx = EVP_CIPHER_CTX_new(); /* ivec all zero */
if (ctx == NULL)
krb5_abortx(context, "malloc failed");
EVP_CipherInit_ex(ctx, c, NULL, derived->keyvalue.data, NULL, 1);
EVP_Cipher(ctx, out->data, result.checksum.data,
crypto->et->blocksize);
EVP_CIPHER_CTX_free(ctx);
}
krb5_data_free(&result.checksum);
krb5_free_keyblock(context, derived);
return ret;
}
int
_libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx,
_libssh2_cipher_type(algo),
int encrypt, unsigned char *block, size_t blocksize)
{
unsigned char buf[EVP_MAX_BLOCK_LENGTH];
int ret;
(void) algo;
(void) encrypt;
#ifdef HAVE_OPAQUE_STRUCTS
ret = EVP_Cipher(*ctx, buf, block, blocksize);
#else
ret = EVP_Cipher(ctx, buf, block, blocksize);
#endif
if(ret == 1) {
memcpy(block, buf, blocksize);
}
return ret == 1 ? 0 : 1;
}
/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
*/
static int FIPS_aes_test(void)
{
int ret = 0;
unsigned char pltmp[16];
unsigned char citmp[16];
unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
unsigned char plaintext[16] = "etaonrishdlcu";
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0)
goto err;
EVP_Cipher(&ctx, citmp, plaintext, 16);
if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0)
goto err;
EVP_Cipher(&ctx, pltmp, citmp, 16);
if (memcmp(pltmp, plaintext, 16))
goto err;
ret = 1;
err:
EVP_CIPHER_CTX_cleanup(&ctx);
return ret;
}
/*
* This function encrypts a buffer using AES GCM mode
*
* Parameters:
* c Crypto context
* buf data to encrypt
* enc_len length of encrypt buffer
*/
static srtp_err_status_t srtp_aes_gcm_openssl_encrypt (srtp_aes_gcm_ctx_t *c, unsigned char *buf, unsigned int *enc_len)
{
if (c->dir != direction_encrypt && c->dir != direction_decrypt) {
return (srtp_err_status_bad_param);
}
/*
* Encrypt the data
*/
EVP_Cipher(&c->ctx, buf, buf, *enc_len);
return (srtp_err_status_ok);
}
/*
* this will adjust ndo_packetp and ndo_snapend to new buffer!
*/
int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
int initiator,
u_char spii[8], u_char spir[8],
__capability u_char *buf,
packetbody_t end)
{
struct sa_list *sa;
__capability const u_char *iv;
int len;
EVP_CIPHER_CTX ctx;
/* initiator arg is any non-zero value */
if(initiator) initiator=1;
/* see if we can find the SA, and if so, decode it */
for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) {
if (sa->spi == 0
&& initiator == sa->initiator
&& memcmp(spii, sa->spii, 8) == 0
&& memcmp(spir, sa->spir, 8) == 0)
break;
}
if(sa == NULL) return 0;
if(sa->evp == NULL) return 0;
/*
* remove authenticator, and see if we still have something to
* work with
*/
end = end - sa->authlen;
iv = buf;
buf = buf + sa->ivlen;
len = end-buf;
if(end <= buf) return 0;
memset(&ctx, 0, sizeof(ctx));
if (EVP_CipherInit(&ctx, sa->evp, sa->secret, NULL, 0) < 0)
(*ndo->ndo_warning)(ndo, "espkey init failed");
EVP_CipherInit(&ctx, NULL, NULL, iv, 0);
EVP_Cipher(&ctx, buf, buf, len);
EVP_CIPHER_CTX_cleanup(&ctx);
/* XXX-BD: should create new capability on CHERI */
ndo->ndo_packetp = buf;
ndo->ndo_snapend = end;
return 1;
}
