34#elif defined(HAVE_LIBMBEDCRYPTO)
35#include <mbedtls/gcm.h>
37#ifdef HAVE_OPENSSL_ECDH_H
38#include <openssl/ecdh.h>
41#include "libssh/wrapper.h"
50#include "libssh/curve25519.h"
52#include "libssh/ecdh.h"
53#include "libssh/kex.h"
54#include "libssh/sntrup761.h"
56#define DIGEST_MAX_LEN 64
58#define AES_GCM_TAGLEN 16
59#define AES_GCM_IVLEN 12
61enum ssh_key_exchange_e {
63 SSH_KEX_DH_GROUP1_SHA1 = 1,
65 SSH_KEX_DH_GROUP14_SHA1,
70 SSH_KEX_DH_GEX_SHA256,
73 SSH_KEX_ECDH_SHA2_NISTP256,
75 SSH_KEX_ECDH_SHA2_NISTP384,
77 SSH_KEX_ECDH_SHA2_NISTP521,
79 SSH_KEX_CURVE25519_SHA256_LIBSSH_ORG,
81 SSH_KEX_CURVE25519_SHA256,
83 SSH_KEX_DH_GROUP16_SHA512,
85 SSH_KEX_DH_GROUP18_SHA512,
87 SSH_KEX_DH_GROUP14_SHA256,
89 SSH_KEX_SNTRUP761X25519_SHA512_OPENSSH_COM,
91 SSH_KEX_SNTRUP761X25519_SHA512,
93 SSH_KEX_MLKEM768X25519_SHA256,
95 SSH_KEX_MLKEM768NISTP256_SHA256,
98 SSH_KEX_MLKEM1024NISTP384_SHA384,
101 SSH_GSS_KEX_DH_GROUP14_SHA256,
103 SSH_GSS_KEX_DH_GROUP16_SHA512,
105 SSH_GSS_KEX_ECDH_NISTP256_SHA256,
107 SSH_GSS_KEX_CURVE25519_SHA256,
124 SSH_AEAD_CHACHA20_POLY1305
129struct ssh_crypto_struct {
130 bignum shared_secret;
131 ssh_string hybrid_client_init;
132 ssh_string hybrid_server_reply;
133 ssh_string hybrid_shared_secret;
134 struct dh_ctx *dh_ctx;
136 size_t dh_pmin;
size_t dh_pn;
size_t dh_pmax;
139#ifdef HAVE_OPENSSL_ECC
140#if OPENSSL_VERSION_NUMBER < 0x30000000L
141 EC_KEY *ecdh_privkey;
143 EVP_PKEY *ecdh_privkey;
145#elif defined HAVE_GCRYPT_ECC
146 gcry_sexp_t ecdh_privkey;
147#elif defined HAVE_LIBMBEDCRYPTO
148 mbedtls_ecp_keypair *ecdh_privkey;
150 ssh_string ecdh_client_pubkey;
151 ssh_string ecdh_server_pubkey;
153#ifdef HAVE_CURVE25519
155 EVP_PKEY *curve25519_privkey;
156#elif defined(HAVE_GCRYPT_CURVE25519)
157 gcry_sexp_t curve25519_privkey;
159 ssh_curve25519_privkey curve25519_privkey;
161 ssh_curve25519_pubkey curve25519_client_pubkey;
162 ssh_curve25519_pubkey curve25519_server_pubkey;
164#ifdef HAVE_OPENSSL_MLKEM
165 EVP_PKEY *mlkem_privkey;
167 unsigned char *mlkem_privkey;
168 size_t mlkem_privkey_len;
170 ssh_string mlkem_client_pubkey;
171 ssh_string mlkem_ciphertext;
173 ssh_sntrup761_privkey sntrup761_privkey;
174 ssh_sntrup761_pubkey sntrup761_client_pubkey;
175 ssh_sntrup761_ciphertext sntrup761_ciphertext;
177 ssh_string dh_server_signature;
178 size_t session_id_len;
179 unsigned char *session_id;
181 unsigned char *secret_hash;
182 unsigned char *encryptIV;
183 unsigned char *decryptIV;
184 unsigned char *decryptkey;
185 unsigned char *encryptkey;
186 unsigned char *encryptMAC;
187 unsigned char *decryptMAC;
188 unsigned char hmacbuf[DIGEST_MAX_LEN];
189 struct ssh_cipher_struct *in_cipher, *out_cipher;
190 enum ssh_hmac_e in_hmac, out_hmac;
191 bool in_hmac_etm, out_hmac_etm;
193 ssh_key server_pubkey;
196 int delayed_compress_in;
197 int delayed_compress_out;
198 void *compress_out_ctx;
199 void *compress_in_ctx;
201 struct ssh_kex_struct server_kex;
202 struct ssh_kex_struct client_kex;
203 char *kex_methods[SSH_KEX_METHODS];
204 enum ssh_key_exchange_e kex_type;
205 enum ssh_kdf_digest digest_type;
206 enum ssh_crypto_direction_e used;
209struct ssh_cipher_struct {
211 unsigned int blocksize;
212 enum ssh_cipher_e ciphertype;
213 uint32_t lenfield_blocksize;
216 gcry_cipher_hd_t *key;
217 unsigned char last_iv[AES_GCM_IVLEN];
218#elif defined HAVE_LIBCRYPTO
219 struct ssh_3des_key_schedule *des3_key;
220 struct ssh_aes_key_schedule *aes_key;
221 const EVP_CIPHER *cipher;
223#elif defined HAVE_LIBMBEDCRYPTO
224 mbedtls_cipher_context_t encrypt_ctx;
225 mbedtls_cipher_context_t decrypt_ctx;
226 mbedtls_cipher_type_t type;
228 mbedtls_gcm_context gcm_ctx;
229 unsigned char last_iv[AES_GCM_IVLEN];
232 struct chacha20_poly1305_keysched *chacha20_schedule;
233 unsigned int keysize;
241 int (*set_encrypt_key)(
struct ssh_cipher_struct *cipher,
void *key,
void *IV);
242 int (*set_decrypt_key)(
struct ssh_cipher_struct *cipher,
void *key,
void *IV);
243 void (*encrypt)(
struct ssh_cipher_struct *cipher,
247 void (*decrypt)(
struct ssh_cipher_struct *cipher,
251 void (*aead_encrypt)(
struct ssh_cipher_struct *cipher,
void *in,
void *out,
252 size_t len, uint8_t *mac, uint64_t seq);
253 int (*aead_decrypt_length)(
struct ssh_cipher_struct *cipher,
void *in,
254 uint8_t *out,
size_t len, uint64_t seq);
255 int (*aead_decrypt)(
struct ssh_cipher_struct *cipher,
void *complete_packet, uint8_t *out,
256 size_t encrypted_size, uint64_t seq);
257 void (*cleanup)(
struct ssh_cipher_struct *cipher);
264const struct ssh_cipher_struct *ssh_get_chacha20poly1305_cipher(
void);
265int sshkdf_derive_key(
struct ssh_crypto_struct *crypto,
266 unsigned char *key,
size_t key_len,
267 uint8_t key_type,
unsigned char *output,
268 size_t requested_len);
270int secure_memcmp(
const void *s1,
const void *s2,
size_t n);
272void compress_cleanup(
struct ssh_crypto_struct *crypto);