void
cipher_ctx_set_nonce(cipher_ctx_t *cipher_ctx, uint8_t *nonce, size_t nonce_len,
int enc)
{
const unsigned char *true_key;
cipher_t *cipher = cipher_ctx->cipher;
if (nonce == NULL) {
LOGE("cipher_ctx_set_nonce(): NONCE is null");
return;
}
if (cipher->method >= SALSA20) {
return;
}
if (cipher->method == RC4_MD5) {
unsigned char key_nonce[32];
memcpy(key_nonce, cipher->key, 16);
memcpy(key_nonce + 16, nonce, 16);
true_key = crypto_md5(key_nonce, 32, NULL);
nonce_len = 0;
} else {
true_key = cipher->key;
}
cipher_evp_t *evp = cipher_ctx->evp;
if (evp == NULL) {
LOGE("cipher_ctx_set_nonce(): Cipher context is null");
return;
}
if (mbedtls_cipher_setkey(evp, true_key, cipher->key_len * 8, enc) != 0) {
mbedtls_cipher_free(evp);
FATAL("Cannot set mbed TLS cipher key");
}
if (mbedtls_cipher_set_iv(evp, nonce, nonce_len) != 0) {
mbedtls_cipher_free(evp);
FATAL("Cannot set mbed TLS cipher NONCE");
}
if (mbedtls_cipher_reset(evp) != 0) {
mbedtls_cipher_free(evp);
FATAL("Cannot finalize mbed TLS cipher context");
}
#ifdef SS_DEBUG
dump("NONCE", (char *)nonce, nonce_len);
dump("KEY", (char *)true_key, 32);
#endif
}
void cipher_context_release(cipher_ctx_t *ctx)
{
if (enc_method >= SALSA20) {
return;
}
#ifdef USE_CRYPTO_APPLECC
cipher_cc_t *cc = &ctx->cc;
if (cc->cryptor != NULL) {
CCCryptorRelease(cc->cryptor);
cc->cryptor = NULL;
}
if (cc->valid == kCCContextValid) {
return;
}
#endif
cipher_evp_t *evp = &ctx->evp;
#if defined(USE_CRYPTO_OPENSSL)
EVP_CIPHER_CTX_cleanup(evp);
#elif defined(USE_CRYPTO_POLARSSL)
// NOTE: cipher_free_ctx deprecated in PolarSSL 1.3.11
cipher_free_ctx(evp);
#elif defined(USE_CRYPTO_MBEDTLS)
// NOTE: cipher_free_ctx deprecated
mbedtls_cipher_free(evp);
#endif
}
void Cipher::reset()
{
mbedtls_cipher_free(&m_ctx);
mbedtls_cipher_setup(&m_ctx, m_info);
if (m_iv.length())
mbedtls_cipher_set_iv(&m_ctx, (unsigned char *)m_iv.c_str(), m_iv.length());
}
Cipher::~Cipher()
{
if (m_key.length())
memset(&m_key[0], 0, m_key.length());
if (m_iv.length())
memset(&m_iv[0], 0, m_iv.length());
mbedtls_cipher_free(&m_ctx);
}
static int cipher_set_encrypt_key_cbc(struct ssh_cipher_struct *cipher, void *key,
void *IV)
{
const mbedtls_cipher_info_t *cipher_info = NULL;
int rc;
mbedtls_cipher_init(&cipher->encrypt_ctx);
cipher_info = mbedtls_cipher_info_from_type(cipher->type);
rc = mbedtls_cipher_setup(&cipher->encrypt_ctx, cipher_info);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_setup failed");
goto error;
}
rc = mbedtls_cipher_setkey(&cipher->encrypt_ctx, key,
cipher_info->key_bitlen,
MBEDTLS_ENCRYPT);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_setkey failed");
goto error;
}
rc = mbedtls_cipher_set_iv(&cipher->encrypt_ctx, IV, cipher_info->iv_size);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_set_iv failed");
goto error;
}
/* libssh only encypts and decrypts packets that are multiples of a block
* size, and no padding is used */
rc = mbedtls_cipher_set_padding_mode(&cipher->encrypt_ctx,
MBEDTLS_PADDING_NONE);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_set_padding_mode failed");
goto error;
}
rc = mbedtls_cipher_reset(&cipher->encrypt_ctx);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_reset failed");
goto error;
}
return SSH_OK;
error:
mbedtls_cipher_free(&cipher->encrypt_ctx);
return SSH_ERROR;
}
static int cipher_set_decrypt_key_cbc(struct ssh_cipher_struct *cipher, void *key,
void *IV)
{
const mbedtls_cipher_info_t *cipher_info;
int rc;
mbedtls_cipher_init(&cipher->decrypt_ctx);
cipher_info = mbedtls_cipher_info_from_type(cipher->type);
rc = mbedtls_cipher_setup(&cipher->decrypt_ctx, cipher_info);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_setkey failed");
goto error;
}
rc = mbedtls_cipher_setkey(&cipher->decrypt_ctx, key,
cipher_info->key_bitlen,
MBEDTLS_DECRYPT);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_setkey failed");
goto error;
}
rc = mbedtls_cipher_set_iv(&cipher->decrypt_ctx, IV, cipher_info->iv_size);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_set_iv failed");
goto error;
}
rc = mbedtls_cipher_set_padding_mode(&cipher->decrypt_ctx,
MBEDTLS_PADDING_NONE);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_set_padding_mode failed");
goto error;
}
mbedtls_cipher_reset(&cipher->decrypt_ctx);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_reset failed");
goto error;
}
return SSH_OK;
error:
mbedtls_cipher_free(&cipher->decrypt_ctx);
return SSH_ERROR;
}
void
aead_ctx_release(cipher_ctx_t *cipher_ctx)
{
if (cipher_ctx->chunk != NULL) {
bfree(cipher_ctx->chunk);
ss_free(cipher_ctx->chunk);
cipher_ctx->chunk = NULL;
}
if (cipher_ctx->cipher->method >= CHACHA20POLY1305IETF) {
return;
}
mbedtls_cipher_free(cipher_ctx->evp);
ss_free(cipher_ctx->evp);
}
void
stream_ctx_release(cipher_ctx_t *cipher_ctx)
{
if (cipher_ctx->chunk != NULL) {
bfree(cipher_ctx->chunk);
ss_free(cipher_ctx->chunk);
cipher_ctx->chunk = NULL;
}
if (cipher_ctx->cipher->method >= SALSA20) {
return;
}
mbedtls_cipher_free(cipher_ctx->evp);
ss_free(cipher_ctx->evp);
}
int mbedtls_nist_kw_setkey( mbedtls_nist_kw_context *ctx,
mbedtls_cipher_id_t cipher,
const unsigned char *key,
unsigned int keybits,
const int is_wrap )
{
int ret;
const mbedtls_cipher_info_t *cipher_info;
cipher_info = mbedtls_cipher_info_from_values( cipher,
keybits,
MBEDTLS_MODE_ECB );
if( cipher_info == NULL )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
if( cipher_info->block_size != 16 )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
/*
* SP 800-38F currently defines AES cipher as the only block cipher allowed:
* "For KW and KWP, the underlying block cipher shall be approved, and the
* block size shall be 128 bits. Currently, the AES block cipher, with key
* lengths of 128, 192, or 256 bits, is the only block cipher that fits
* this profile."
* Currently we don't support other 128 bit block ciphers for key wrapping,
* such as Camellia and Aria.
*/
if( cipher != MBEDTLS_CIPHER_ID_AES )
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
mbedtls_cipher_free( &ctx->cipher_ctx );
if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
return( ret );
if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
is_wrap ? MBEDTLS_ENCRYPT :
MBEDTLS_DECRYPT )
) != 0 )
{
return( ret );
}
return( 0 );
}
static int cipher_set_encrypt_key(struct ssh_cipher_struct *cipher, void *key,
void *IV)
{
const mbedtls_cipher_info_t *cipher_info = NULL;
int rc;
mbedtls_cipher_init(&cipher->encrypt_ctx);
cipher_info = mbedtls_cipher_info_from_type(cipher->type);
rc = mbedtls_cipher_setup(&cipher->encrypt_ctx, cipher_info);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_setup failed");
goto error;
}
rc = mbedtls_cipher_setkey(&cipher->encrypt_ctx, key,
cipher_info->key_bitlen,
MBEDTLS_ENCRYPT);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_setkey failed");
goto error;
}
rc = mbedtls_cipher_set_iv(&cipher->encrypt_ctx, IV, cipher_info->iv_size);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_set_iv failed");
goto error;
}
rc = mbedtls_cipher_reset(&cipher->encrypt_ctx);
if (rc != 0) {
SSH_LOG(SSH_LOG_WARNING, "mbedtls_cipher_reset failed");
goto error;
}
return SSH_OK;
error:
mbedtls_cipher_free(&cipher->encrypt_ctx);
return SSH_ERROR;
}
void cipher_context_set_iv(cipher_ctx_t *ctx, uint8_t *iv, size_t iv_len,
int enc)
{
const unsigned char *true_key;
if (iv == NULL) {
LOGE("cipher_context_set_iv(): IV is null");
return;
}
if (!enc) {
memcpy(ctx->iv, iv, iv_len);
}
if (enc_method >= SALSA20) {
return;
}
if (enc_method == RC4_MD5) {
unsigned char key_iv[32];
memcpy(key_iv, enc_key, 16);
memcpy(key_iv + 16, iv, 16);
true_key = enc_md5(key_iv, 32, NULL);
iv_len = 0;
} else {
true_key = enc_key;
}
#ifdef USE_CRYPTO_APPLECC
cipher_cc_t *cc = &ctx->cc;
if (cc->valid == kCCContextValid) {
memcpy(cc->iv, iv, iv_len);
memcpy(cc->key, true_key, enc_key_len);
cc->iv_len = iv_len;
cc->key_len = enc_key_len;
cc->encrypt = enc ? kCCEncrypt : kCCDecrypt;
if (cc->cryptor != NULL) {
CCCryptorRelease(cc->cryptor);
cc->cryptor = NULL;
}
CCCryptorStatus ret;
ret = CCCryptorCreateWithMode(
cc->encrypt,
cc->mode,
cc->cipher,
cc->padding,
cc->iv, cc->key, cc->key_len,
NULL, 0, 0, 0,
&cc->cryptor);
if (ret != kCCSuccess) {
if (cc->cryptor != NULL) {
CCCryptorRelease(cc->cryptor);
cc->cryptor = NULL;
}
FATAL("Cannot set CommonCrypto key and IV");
}
return;
}
#endif
cipher_evp_t *evp = &ctx->evp;
if (evp == NULL) {
LOGE("cipher_context_set_iv(): Cipher context is null");
return;
}
#if defined(USE_CRYPTO_OPENSSL)
if (!EVP_CipherInit_ex(evp, NULL, NULL, true_key, iv, enc)) {
EVP_CIPHER_CTX_cleanup(evp);
FATAL("Cannot set key and IV");
}
#elif defined(USE_CRYPTO_POLARSSL)
// XXX: PolarSSL 1.3.11: cipher_free_ctx deprecated, Use cipher_free() instead.
if (cipher_setkey(evp, true_key, enc_key_len * 8, enc) != 0) {
cipher_free_ctx(evp);
FATAL("Cannot set PolarSSL cipher key");
}
#if POLARSSL_VERSION_NUMBER >= 0x01030000
if (cipher_set_iv(evp, iv, iv_len) != 0) {
cipher_free_ctx(evp);
FATAL("Cannot set PolarSSL cipher IV");
}
if (cipher_reset(evp) != 0) {
cipher_free_ctx(evp);
FATAL("Cannot finalize PolarSSL cipher context");
}
#else
if (cipher_reset(evp, iv) != 0) {
cipher_free_ctx(evp);
FATAL("Cannot set PolarSSL cipher IV");
}
#endif
#elif defined(USE_CRYPTO_MBEDTLS)
if (mbedtls_cipher_setkey(evp, true_key, enc_key_len * 8, enc) != 0) {
mbedtls_cipher_free(evp);
FATAL("Cannot set mbed TLS cipher key");
}
if (mbedtls_cipher_set_iv(evp, iv, iv_len) != 0) {
mbedtls_cipher_free(evp);
FATAL("Cannot set mbed TLS cipher IV");
}
if (mbedtls_cipher_reset(evp) != 0) {
mbedtls_cipher_free(evp);
FATAL("Cannot finalize mbed TLS cipher context");
}
#endif
#ifdef DEBUG
dump("IV", (char *)iv, iv_len);
#endif
}
void CipherContext::destructor(State & state, mbedtls_cipher_context_t * context){
mbedtls_cipher_free(context);
delete context;
}
int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t datalen,
unsigned char *output )
{
int ret, iterations = 0, keylen = 0;
unsigned char *p, *end;
mbedtls_asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params;
mbedtls_asn1_buf salt;
mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
unsigned char key[32], iv[32];
size_t olen = 0;
const mbedtls_md_info_t *md_info;
const mbedtls_cipher_info_t *cipher_info;
mbedtls_md_context_t md_ctx;
mbedtls_cipher_type_t cipher_alg;
mbedtls_cipher_context_t cipher_ctx;
p = pbe_params->p;
end = p + pbe_params->len;
/*
* PBES2-params ::= SEQUENCE {
* keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
* }
*/
if( pbe_params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
if( ( ret = mbedtls_asn1_get_alg( &p, end, &kdf_alg_oid, &kdf_alg_params ) ) != 0 )
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
// Only PBKDF2 supported at the moment
//
if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBKDF2, &kdf_alg_oid ) != 0 )
return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
if( ( ret = pkcs5_parse_pbkdf2_params( &kdf_alg_params,
&salt, &iterations, &keylen,
&md_type ) ) != 0 )
{
return( ret );
}
md_info = mbedtls_md_info_from_type( md_type );
if( md_info == NULL )
return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
if( ( ret = mbedtls_asn1_get_alg( &p, end, &enc_scheme_oid,
&enc_scheme_params ) ) != 0 )
{
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
}
if( mbedtls_oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 )
return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
cipher_info = mbedtls_cipher_info_from_type( cipher_alg );
if( cipher_info == NULL )
return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
/*
* The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
* since it is optional and we don't know if it was set or not
*/
keylen = cipher_info->key_bitlen / 8;
if( enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING ||
enc_scheme_params.len != cipher_info->iv_size )
{
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT );
}
mbedtls_md_init( &md_ctx );
mbedtls_cipher_init( &cipher_ctx );
memcpy( iv, enc_scheme_params.p, enc_scheme_params.len );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
goto exit;
if( ( ret = mbedtls_pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len,
iterations, keylen, key ) ) != 0 )
{
goto exit;
}
if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 )
goto exit;
if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 )
goto exit;
if( ( ret = mbedtls_cipher_crypt( &cipher_ctx, iv, enc_scheme_params.len,
data, datalen, output, &olen ) ) != 0 )
ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
exit:
mbedtls_md_free( &md_ctx );
mbedtls_cipher_free( &cipher_ctx );
return( ret );
}
static void cipher_cleanup(struct ssh_cipher_struct *cipher)
{
mbedtls_cipher_free(&cipher->encrypt_ctx);
mbedtls_cipher_free(&cipher->decrypt_ctx);
}
/*
* Free context
*/
void mbedtls_nist_kw_free( mbedtls_nist_kw_context *ctx )
{
mbedtls_cipher_free( &ctx->cipher_ctx );
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_nist_kw_context ) );
}
void
cipher_ctx_cleanup(mbedtls_cipher_context_t *ctx)
{
mbedtls_cipher_free(ctx);
}
int DeviceKey::get_derived_key(uint32_t *ikey_buff, size_t ikey_size, const unsigned char *isalt,
size_t isalt_size, unsigned char *output, uint32_t ikey_type)
{
//KDF in counter mode implementation as described in Section 5.1
//of NIST SP 800-108, Recommendation for Key Derivation Using Pseudorandom Functions
int ret;
size_t counter = 0;
char separator = 0x00;
mbedtls_cipher_context_t ctx;
unsigned char output_len_enc[ 4 ] = {0};
unsigned char counter_enc[ 1 ] = {0};
DEVKEY_WRITE_UINT32_LE(output_len_enc, ikey_type);
mbedtls_cipher_type_t mbedtls_cipher_type = MBEDTLS_CIPHER_AES_128_ECB;
if (DEVICE_KEY_32BYTE == ikey_size) {
mbedtls_cipher_type = MBEDTLS_CIPHER_AES_256_ECB;
}
const mbedtls_cipher_info_t *cipher_info = mbedtls_cipher_info_from_type(mbedtls_cipher_type);
do {
mbedtls_cipher_init(&ctx);
ret = mbedtls_cipher_setup(&ctx, cipher_info);
if (ret != 0) {
goto finish;
}
ret = mbedtls_cipher_cmac_starts(&ctx, (unsigned char *)ikey_buff, ikey_size * 8);
if (ret != 0) {
goto finish;
}
DEVKEY_WRITE_UINT8_LE(counter_enc, (counter + 1));
ret = mbedtls_cipher_cmac_update(&ctx, (unsigned char *)counter_enc, sizeof(counter_enc));
if (ret != 0) {
goto finish;
}
ret = mbedtls_cipher_cmac_update(&ctx, isalt, isalt_size);
if (ret != 0) {
goto finish;
}
ret = mbedtls_cipher_cmac_update(&ctx, (unsigned char *)&separator, sizeof(char));
if (ret != 0) {
goto finish;
}
ret = mbedtls_cipher_cmac_update(&ctx, (unsigned char *)&output_len_enc, sizeof(output_len_enc));
if (ret != 0) {
goto finish;
}
ret = mbedtls_cipher_cmac_finish(&ctx, output + (DEVICE_KEY_16BYTE * (counter)));
if (ret != 0) {
goto finish;
}
mbedtls_cipher_free(&ctx);
counter++;
} while (DEVICE_KEY_16BYTE * counter < ikey_type);
finish:
if (DEVICEKEY_SUCCESS != ret) {
mbedtls_cipher_free(&ctx);
return DEVICEKEY_ERR_CMAC_GENERIC_FAILURE;
}
return DEVICEKEY_SUCCESS;
}
