static void
choose_enc(Enc *enc, char *client, char *server)
{
char *name = match_list(client, server, NULL);
if (name == NULL)
fatal("no matching cipher found: client %s server %s",
client, server);
if ((enc->cipher = cipher_by_name(name)) == NULL)
fatal("matching cipher is not supported: %s", name);
enc->name = name;
enc->enabled = 0;
enc->iv = NULL;
enc->iv_len = cipher_ivlen(enc->cipher);
enc->key = NULL;
enc->key_len = cipher_keylen(enc->cipher);
enc->block_size = cipher_blocksize(enc->cipher);
}
static int
choose_enc(struct sshenc *enc, char *client, char *server)
{
char *name = match_list(client, server, NULL);
if (name == NULL)
return SSH_ERR_NO_CIPHER_ALG_MATCH;
if ((enc->cipher = cipher_by_name(name)) == NULL)
return SSH_ERR_INTERNAL_ERROR;
enc->name = name;
enc->enabled = 0;
enc->iv = NULL;
enc->iv_len = cipher_ivlen(enc->cipher);
enc->key = NULL;
enc->key_len = cipher_keylen(enc->cipher);
enc->block_size = cipher_blocksize(enc->cipher);
return 0;
}
int
sshkey_xmss_init_enc_key(struct sshkey *k, const char *ciphername)
{
struct ssh_xmss_state *state = k->xmss_state;
const struct sshcipher *cipher;
size_t keylen = 0, ivlen = 0;
if (state == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if ((cipher = cipher_by_name(ciphername)) == NULL)
return SSH_ERR_INTERNAL_ERROR;
if ((state->enc_ciphername = strdup(ciphername)) == NULL)
return SSH_ERR_ALLOC_FAIL;
keylen = cipher_keylen(cipher);
ivlen = cipher_ivlen(cipher);
state->enc_keyiv_len = keylen + ivlen;
if ((state->enc_keyiv = calloc(state->enc_keyiv_len, 1)) == NULL) {
free(state->enc_ciphername);
state->enc_ciphername = NULL;
return SSH_ERR_ALLOC_FAIL;
}
arc4random_buf(state->enc_keyiv, state->enc_keyiv_len);
return 0;
}
int
cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
int do_encrypt)
{
struct sshcipher_ctx *cc = NULL;
int ret = SSH_ERR_INTERNAL_ERROR;
#ifdef WITH_OPENSSL
const EVP_CIPHER *type;
int klen;
u_char *junk, *discard;
#endif
*ccp = NULL;
if ((cc = calloc(sizeof(*cc), 1)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if (cipher->number == SSH_CIPHER_DES) {
if (keylen > 8)
keylen = 8;
}
cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
cc->encrypt = do_encrypt;
if (keylen < cipher->key_len ||
(iv != NULL && ivlen < cipher_ivlen(cipher))) {
ret = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
cc->cipher = cipher;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
ret = chachapoly_init(&cc->cp_ctx, key, keylen);
goto out;
}
#ifndef WITH_OPENSSL
if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
aesctr_ivsetup(&cc->ac_ctx, iv);
ret = 0;
goto out;
}
if ((cc->cipher->flags & CFLAG_NONE) != 0) {
ret = 0;
goto out;
}
ret = SSH_ERR_INVALID_ARGUMENT;
goto out;
#else /* WITH_OPENSSL */
type = (*cipher->evptype)();
if ((cc->evp = EVP_CIPHER_CTX_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (EVP_CipherInit(cc->evp, type, NULL, (const u_char *)iv,
(do_encrypt == CIPHER_ENCRYPT)) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (cipher_authlen(cipher) &&
!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
-1, __UNCONST(iv))) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
klen = EVP_CIPHER_CTX_key_length(cc->evp);
if (klen > 0 && keylen != (u_int)klen) {
if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
}
if (EVP_CipherInit(cc->evp, NULL, __UNCONST(key), NULL, -1) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (cipher->discard_len > 0) {
if ((junk = malloc(cipher->discard_len)) == NULL ||
(discard = malloc(cipher->discard_len)) == NULL) {
free(junk);
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
ret = EVP_Cipher(cc->evp, discard, junk, cipher->discard_len);
explicit_bzero(discard, cipher->discard_len);
free(junk);
free(discard);
if (ret != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
}
ret = 0;
#endif /* WITH_OPENSSL */
out:
if (ret == 0) {
/* success */
*ccp = cc;
} else {
if (cc != NULL) {
#ifdef WITH_OPENSSL
if (cc->evp != NULL)
EVP_CIPHER_CTX_free(cc->evp);
#endif /* WITH_OPENSSL */
explicit_bzero(cc, sizeof(*cc));
free(cc);
}
}
return ret;
}
int
cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
int do_encrypt)
{
#ifdef WITH_OPENSSL
int ret = SSH_ERR_INTERNAL_ERROR;
const EVP_CIPHER *type;
int klen;
u_char *junk, *discard;
if (cipher->number == SSH_CIPHER_DES) {
if (keylen > 8)
keylen = 8;
}
#endif
cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
cc->encrypt = do_encrypt;
if (keylen < cipher->key_len ||
(iv != NULL && ivlen < cipher_ivlen(cipher)))
return SSH_ERR_INVALID_ARGUMENT;
cc->cipher = cipher;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
return chachapoly_init(&cc->cp_ctx, key, keylen);
}
#ifndef WITH_OPENSSL
if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
aesctr_ivsetup(&cc->ac_ctx, iv);
return 0;
}
if ((cc->cipher->flags & CFLAG_NONE) != 0)
return 0;
return SSH_ERR_INVALID_ARGUMENT;
#else
type = (*cipher->evptype)();
EVP_CIPHER_CTX_init(&cc->evp);
if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
(do_encrypt == CIPHER_ENCRYPT)) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
}
if (cipher_authlen(cipher) &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
-1, (u_char *)iv)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
}
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
if (klen > 0 && keylen != (u_int)klen) {
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
}
}
if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
}
if (cipher->discard_len > 0) {
if ((junk = malloc(cipher->discard_len)) == NULL ||
(discard = malloc(cipher->discard_len)) == NULL) {
if (junk != NULL)
free(junk);
ret = SSH_ERR_ALLOC_FAIL;
goto bad;
}
ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len);
explicit_bzero(discard, cipher->discard_len);
free(junk);
free(discard);
if (ret != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
bad:
EVP_CIPHER_CTX_cleanup(&cc->evp);
return ret;
}
}
#endif
return 0;
}
void
cipher_init(CipherContext *cc, const Cipher *cipher,
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
int do_encrypt)
{
static int dowarn = 1;
const EVP_CIPHER *type;
int klen;
u_char *junk, *discard;
if (cipher->number == SSH_CIPHER_DES) {
if (dowarn) {
error("Warning: use of DES is strongly discouraged "
"due to cryptographic weaknesses");
dowarn = 0;
}
if (keylen > 8)
keylen = 8;
}
cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
cc->encrypt = do_encrypt;
if (keylen < cipher->key_len)
fatal("cipher_init: key length %d is insufficient for %s.",
keylen, cipher->name);
if (iv != NULL && ivlen < cipher_ivlen(cipher))
fatal("cipher_init: iv length %d is insufficient for %s.",
ivlen, cipher->name);
cc->cipher = cipher;
type = (*cipher->evptype)();
EVP_CIPHER_CTX_init(&cc->evp);
if (EVP_CipherInit(&cc->evp, type, NULL, __UNCONST(iv),
(do_encrypt == CIPHER_ENCRYPT)) == 0)
fatal("cipher_init: EVP_CipherInit failed for %s",
cipher->name);
if (cipher_authlen(cipher) &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
-1, __UNCONST(iv)))
fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s",
cipher->name);
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
if (klen > 0 && keylen != (u_int)klen) {
debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
fatal("cipher_init: set keylen failed (%d -> %d)",
klen, keylen);
}
if (EVP_CipherInit(&cc->evp, NULL, __UNCONST(key), NULL, -1) == 0)
fatal("cipher_init: EVP_CipherInit: set key failed for %s",
cipher->name);
if (cipher->discard_len > 0) {
junk = xmalloc(cipher->discard_len);
discard = xmalloc(cipher->discard_len);
if (EVP_Cipher(&cc->evp, discard, junk,
cipher->discard_len) == 0)
fatal("evp_crypt: EVP_Cipher failed during discard");
memset(discard, 0, cipher->discard_len);
free(junk);
free(discard);
}
}
int
ciphers_valid(const char *names)
{
const Cipher *c;
char *cipher_list, *cp;
char *p;
if (names == NULL || strcmp(names, "") == 0)
return 0;
cipher_list = cp = xstrdup(names);
for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
(p = strsep(&cp, CIPHER_SEP))) {
c = cipher_by_name(p);
#ifdef NONE_CIPHER_ENABLED
if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
c->number != SSH_CIPHER_NONE)) {
#else
if (c == NULL || (c->number != SSH_CIPHER_SSH2)) {
#endif
debug("bad cipher %s [%s]", p, names);
free(cipher_list);
return 0;
}
}
debug3("ciphers ok: [%s]", names);
free(cipher_list);
return 1;
}
/*
* Parses the name of the cipher. Returns the number of the corresponding
* cipher, or -1 on error.
*/
int
cipher_number(const char *name)
{
const Cipher *c;
if (name == NULL)
return -1;
for (c = ciphers; c->name != NULL; c++)
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
}
char *
cipher_name(int id)
{
const Cipher *c = cipher_by_number(id);
return (c==NULL) ? "<unknown>" : c->name;
}
void
cipher_init(CipherContext *cc, const Cipher *cipher,
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
int do_encrypt)
{
static int dowarn = 1;
#ifdef SSH_OLD_EVP
EVP_CIPHER *type;
#else
const EVP_CIPHER *type;
int klen;
#endif
u_char *junk, *discard;
if (cipher->number == SSH_CIPHER_DES) {
if (dowarn) {
error("Warning: use of DES is strongly discouraged "
"due to cryptographic weaknesses");
dowarn = 0;
}
if (keylen > 8)
keylen = 8;
}
cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
cc->encrypt = do_encrypt;
if (keylen < cipher->key_len)
fatal("cipher_init: key length %d is insufficient for %s.",
keylen, cipher->name);
if (iv != NULL && ivlen < cipher_ivlen(cipher))
fatal("cipher_init: iv length %d is insufficient for %s.",
ivlen, cipher->name);
cc->cipher = cipher;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
chachapoly_init(&cc->cp_ctx, key, keylen);
return;
}
type = (*cipher->evptype)();
EVP_CIPHER_CTX_init(&cc->evp);
#ifdef SSH_OLD_EVP
if (type->key_len > 0 && type->key_len != keylen) {
debug("cipher_init: set keylen (%d -> %d)",
type->key_len, keylen);
type->key_len = keylen;
}
EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv,
(do_encrypt == CIPHER_ENCRYPT));
#else
if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
(do_encrypt == CIPHER_ENCRYPT)) == 0)
fatal("cipher_init: EVP_CipherInit failed for %s",
cipher->name);
if (cipher_authlen(cipher) &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
-1, (u_char *)iv))
fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s",
cipher->name);
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
if (klen > 0 && keylen != (u_int)klen) {
debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
fatal("cipher_init: set keylen failed (%d -> %d)",
klen, keylen);
}
if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
fatal("cipher_init: EVP_CipherInit: set key failed for %s",
cipher->name);
#endif
if (cipher->discard_len > 0) {
junk = xmalloc(cipher->discard_len);
discard = xmalloc(cipher->discard_len);
if (EVP_Cipher(&cc->evp, discard, junk,
cipher->discard_len) == 0)
fatal("evp_crypt: EVP_Cipher failed during discard");
explicit_bzero(discard, cipher->discard_len);
free(junk);
free(discard);
}
}
/*
* cipher_crypt() operates as following:
* Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
* Theses bytes are treated as additional authenticated data for
* authenticated encryption modes.
* En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
* Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
* This tag is written on encryption and verified on decryption.
* Both 'aadlen' and 'authlen' can be set to 0.
* cipher_crypt() returns 0 on success and -1 if the decryption integrity
* check fails.
*/
int
cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src,
u_int len, u_int aadlen, u_int authlen)
{
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, len,
aadlen, authlen, cc->encrypt);
if (authlen) {
u_char lastiv[1];
if (authlen != cipher_authlen(cc->cipher))
fatal("%s: authlen mismatch %d", __func__, authlen);
/* increment IV */
if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
1, lastiv))
fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__);
/* set tag on decyption */
if (!cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
authlen, (u_char *)src + aadlen + len))
fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__);
}
if (aadlen) {
if (authlen &&
EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
fatal("%s: EVP_Cipher(aad) failed", __func__);
memcpy(dest, src, aadlen);
}
if (len % cc->cipher->block_size)
fatal("%s: bad plaintext length %d", __func__, len);
if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
len) < 0)
fatal("%s: EVP_Cipher failed", __func__);
if (authlen) {
/* compute tag (on encrypt) or verify tag (on decrypt) */
if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) {
if (cc->encrypt)
fatal("%s: EVP_Cipher(final) failed", __func__);
else
return -1;
}
if (cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
authlen, dest + aadlen + len))
fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__);
}
return 0;
}
/* Extract the packet length, including any decryption necessary beforehand */
int
cipher_get_length(CipherContext *cc, u_int *plenp, u_int seqnr,
const u_char *cp, u_int len)
{
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr,
cp, len);
if (len < 4)
return -1;
*plenp = get_u32(cp);
return 0;
}
void
cipher_cleanup(CipherContext *cc)
{
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
}
/*
* Selects the cipher, and keys if by computing the MD5 checksum of the
* passphrase and using the resulting 16 bytes as the key.
*/
void
cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
const char *passphrase, int do_encrypt)
{
u_char digest[16];
if (ssh_digest_memory(SSH_DIGEST_MD5, passphrase, strlen(passphrase),
digest, sizeof(digest)) < 0)
fatal("%s: md5 failed", __func__);
cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
explicit_bzero(digest, sizeof(digest));
}
int
sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
struct sshbuf **retp)
{
struct ssh_xmss_state *state = k->xmss_state;
struct sshbuf *copy = NULL, *decrypted = NULL;
struct sshcipher_ctx *ciphercontext = NULL;
const struct sshcipher *cipher = NULL;
u_char *key, *iv = NULL, *dp;
size_t keylen, ivlen, authlen, aadlen;
u_int blocksize, encrypted_len, index;
int r = SSH_ERR_INTERNAL_ERROR;
if (retp != NULL)
*retp = NULL;
if (state == NULL ||
state->enc_keyiv == NULL ||
state->enc_ciphername == NULL)
return SSH_ERR_INTERNAL_ERROR;
if ((cipher = cipher_by_name(state->enc_ciphername)) == NULL) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
blocksize = cipher_blocksize(cipher);
keylen = cipher_keylen(cipher);
ivlen = cipher_ivlen(cipher);
authlen = cipher_authlen(cipher);
if (state->enc_keyiv_len != keylen + ivlen) {
r = SSH_ERR_INTERNAL_ERROR;
goto out;
}
key = state->enc_keyiv;
if ((copy = sshbuf_fromb(encoded)) == NULL ||
(decrypted = sshbuf_new()) == NULL ||
(iv = malloc(ivlen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* check magic */
if (sshbuf_len(encoded) < sizeof(XMSS_MAGIC) ||
memcmp(sshbuf_ptr(encoded), XMSS_MAGIC, sizeof(XMSS_MAGIC))) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* parse public portion */
if ((r = sshbuf_consume(encoded, sizeof(XMSS_MAGIC))) != 0 ||
(r = sshbuf_get_u32(encoded, &index)) != 0 ||
(r = sshbuf_get_u32(encoded, &encrypted_len)) != 0)
goto out;
/* check size of encrypted key blob */
if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* check that an appropriate amount of auth data is present */
if (sshbuf_len(encoded) < encrypted_len + authlen) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
aadlen = sshbuf_len(copy) - sshbuf_len(encoded);
/* replace first 4 bytes of IV with index to ensure uniqueness */
memcpy(iv, key + keylen, ivlen);
POKE_U32(iv, index);
/* decrypt private state of key */
if ((r = sshbuf_reserve(decrypted, aadlen + encrypted_len, &dp)) != 0 ||
(r = cipher_init(&ciphercontext, cipher, key, keylen,
iv, ivlen, 0)) != 0 ||
(r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(copy),
encrypted_len, aadlen, authlen)) != 0)
goto out;
/* there should be no trailing data */
if ((r = sshbuf_consume(encoded, encrypted_len + authlen)) != 0)
goto out;
if (sshbuf_len(encoded) != 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* remove AAD */
if ((r = sshbuf_consume(decrypted, aadlen)) != 0)
goto out;
/* XXX encrypted includes unchecked padding */
/* success */
r = 0;
if (retp != NULL) {
*retp = decrypted;
decrypted = NULL;
}
out:
cipher_free(ciphercontext);
sshbuf_free(copy);
sshbuf_free(decrypted);
free(iv);
return r;
}
int
sshkey_xmss_encrypt_state(const struct sshkey *k, struct sshbuf *b,
struct sshbuf **retp)
{
struct ssh_xmss_state *state = k->xmss_state;
struct sshbuf *encrypted = NULL, *encoded = NULL, *padded = NULL;
struct sshcipher_ctx *ciphercontext = NULL;
const struct sshcipher *cipher;
u_char *cp, *key, *iv = NULL;
size_t i, keylen, ivlen, blocksize, authlen, encrypted_len, aadlen;
int r = SSH_ERR_INTERNAL_ERROR;
if (retp != NULL)
*retp = NULL;
if (state == NULL ||
state->enc_keyiv == NULL ||
state->enc_ciphername == NULL)
return SSH_ERR_INTERNAL_ERROR;
if ((cipher = cipher_by_name(state->enc_ciphername)) == NULL) {
r = SSH_ERR_INTERNAL_ERROR;
goto out;
}
blocksize = cipher_blocksize(cipher);
keylen = cipher_keylen(cipher);
ivlen = cipher_ivlen(cipher);
authlen = cipher_authlen(cipher);
if (state->enc_keyiv_len != keylen + ivlen) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
key = state->enc_keyiv;
if ((encrypted = sshbuf_new()) == NULL ||
(encoded = sshbuf_new()) == NULL ||
(padded = sshbuf_new()) == NULL ||
(iv = malloc(ivlen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* replace first 4 bytes of IV with index to ensure uniqueness */
memcpy(iv, key + keylen, ivlen);
POKE_U32(iv, state->idx);
if ((r = sshbuf_put(encoded, XMSS_MAGIC, sizeof(XMSS_MAGIC))) != 0 ||
(r = sshbuf_put_u32(encoded, state->idx)) != 0)
goto out;
/* padded state will be encrypted */
if ((r = sshbuf_putb(padded, b)) != 0)
goto out;
i = 0;
while (sshbuf_len(padded) % blocksize) {
if ((r = sshbuf_put_u8(padded, ++i & 0xff)) != 0)
goto out;
}
encrypted_len = sshbuf_len(padded);
/* header including the length of state is used as AAD */
if ((r = sshbuf_put_u32(encoded, encrypted_len)) != 0)
goto out;
aadlen = sshbuf_len(encoded);
/* concat header and state */
if ((r = sshbuf_putb(encoded, padded)) != 0)
goto out;
/* reserve space for encryption of encoded data plus auth tag */
/* encrypt at offset addlen */
if ((r = sshbuf_reserve(encrypted,
encrypted_len + aadlen + authlen, &cp)) != 0 ||
(r = cipher_init(&ciphercontext, cipher, key, keylen,
iv, ivlen, 1)) != 0 ||
(r = cipher_crypt(ciphercontext, 0, cp, sshbuf_ptr(encoded),
encrypted_len, aadlen, authlen)) != 0)
goto out;
/* success */
r = 0;
out:
if (retp != NULL) {
*retp = encrypted;
encrypted = NULL;
}
sshbuf_free(padded);
sshbuf_free(encoded);
sshbuf_free(encrypted);
cipher_free(ciphercontext);
free(iv);
return r;
}
