upstream commit

remove SSHv1 ciphers; ok markus@ Upstream-ID: e5ebc5e540d7f23a8c1266db1839794d4d177890
2017-04-30 23:15:04 +00:00 · 2017-04-30 23:15:04 +00:00 · cdccebdf85
parent 97f4d3083b
commit cdccebdf85
9 changed files with 88 additions and 501 deletions
--- a/Makefile.in
+++ b/Makefile.in
@ -78,7 +78,7 @@ LIBOPENSSH_OBJS=\
 LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
 	canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
-	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
+	cipher-ctr.o cleanup.o \
 	compat.o crc32.o deattack.o fatal.o hostfile.o \
 	log.o match.o moduli.o nchan.o packet.o opacket.o \
 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
--- a/cipher-3des1.c
+++ b/cipher-3des1.c
@ -1,158 +0,0 @@
 /* $OpenBSD: cipher-3des1.c,v 1.12 2015/01/14 10:24:42 markus Exp $ */
 /*
 * Copyright (c) 2003 Markus Friedl.  All rights reserved.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
 #ifdef WITH_SSH1
 #include <sys/types.h>
 #include <string.h>
 #include <openssl/evp.h>
 #include "ssherr.h"
 /*
 * This is used by SSH1:
 *
 * What kind of triple DES are these 2 routines?
 *
 * Why is there a redundant initialization vector?
 *
 * If only iv3 was used, then, this would till effect have been
 * outer-cbc. However, there is also a private iv1 == iv2 which
 * perhaps makes differential analysis easier. On the other hand, the
 * private iv1 probably makes the CRC-32 attack ineffective. This is a
 * result of that there is no longer any known iv1 to use when
 * choosing the X block.
 */
 struct ssh1_3des_ctx
 {
 	EVP_CIPHER_CTX	k1, k2, k3;
 };
 const EVP_CIPHER * evp_ssh1_3des(void);
 int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
 static int
 ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
    int enc)
 {
 	struct ssh1_3des_ctx *c;
 	u_char *k1, *k2, *k3;
 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
 		if ((c = calloc(1, sizeof(*c))) == NULL)
 			return 0;
 		EVP_CIPHER_CTX_set_app_data(ctx, c);
 	}
 	if (key == NULL)
 		return 1;
 	if (enc == -1)
 		enc = ctx->encrypt;
 	k1 = k2 = k3 = (u_char *) key;
 	k2 += 8;
 	if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) {
 		if (enc)
 			k3 += 16;
 		else
 			k1 += 16;
 	}
 	EVP_CIPHER_CTX_init(&c->k1);
 	EVP_CIPHER_CTX_init(&c->k2);
 	EVP_CIPHER_CTX_init(&c->k3);
 	if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
 	    EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
 	    EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
 		explicit_bzero(c, sizeof(*c));
 		free(c);
 		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
 		return 0;
 	}
 	return 1;
 }
 static int
 ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, size_t len)
 {
 	struct ssh1_3des_ctx *c;
 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
 		return 0;
 	if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
 	    EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
 	    EVP_Cipher(&c->k3, dest, dest, len) == 0)
 		return 0;
 	return 1;
 }
 static int
 ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
 {
 	struct ssh1_3des_ctx *c;
 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
 		EVP_CIPHER_CTX_cleanup(&c->k1);
 		EVP_CIPHER_CTX_cleanup(&c->k2);
 		EVP_CIPHER_CTX_cleanup(&c->k3);
 		explicit_bzero(c, sizeof(*c));
 		free(c);
 		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
 	}
 	return 1;
 }
 int
 ssh1_3des_iv(EVP_CIPHER_CTX *evp, int doset, u_char *iv, int len)
 {
 	struct ssh1_3des_ctx *c;
 	if (len != 24)
 		return SSH_ERR_INVALID_ARGUMENT;
 	if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
 		return SSH_ERR_INTERNAL_ERROR;
 	if (doset) {
 		memcpy(c->k1.iv, iv, 8);
 		memcpy(c->k2.iv, iv + 8, 8);
 		memcpy(c->k3.iv, iv + 16, 8);
 	} else {
 		memcpy(iv, c->k1.iv, 8);
 		memcpy(iv + 8, c->k2.iv, 8);
 		memcpy(iv + 16, c->k3.iv, 8);
 	}
 	return 0;
 }
 const EVP_CIPHER *
 evp_ssh1_3des(void)
 {
 	static EVP_CIPHER ssh1_3des;
 	memset(&ssh1_3des, 0, sizeof(ssh1_3des));
 	ssh1_3des.nid = NID_undef;
 	ssh1_3des.block_size = 8;
 	ssh1_3des.iv_len = 0;
 	ssh1_3des.key_len = 16;
 	ssh1_3des.init = ssh1_3des_init;
 	ssh1_3des.cleanup = ssh1_3des_cleanup;
 	ssh1_3des.do_cipher = ssh1_3des_cbc;
 	ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
 	return &ssh1_3des;
 }
 #endif /* WITH_SSH1 */
--- a/cipher-bf1.c
+++ b/cipher-bf1.c
@ -1,106 +0,0 @@
 /* $OpenBSD: cipher-bf1.c,v 1.7 2015/01/14 10:24:42 markus Exp $ */
 /*
 * Copyright (c) 2003 Markus Friedl.  All rights reserved.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
 #ifdef WITH_SSH1
 #if defined(WITH_OPENSSL) && !defined(OPENSSL_NO_BF)
 #include <sys/types.h>
 #include <stdarg.h>
 #include <string.h>
 #include <openssl/evp.h>
 #include "openbsd-compat/openssl-compat.h"
 /*
 * SSH1 uses a variation on Blowfish, all bytes must be swapped before
 * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
 */
 const EVP_CIPHER * evp_ssh1_bf(void);
 static void
 swap_bytes(const u_char *src, u_char *dst, int n)
 {
 	u_char c[4];
 	/* Process 4 bytes every lap. */
 	for (n = n / 4; n > 0; n--) {
 		c[3] = *src++;
 		c[2] = *src++;
 		c[1] = *src++;
 		c[0] = *src++;
 		*dst++ = c[0];
 		*dst++ = c[1];
 		*dst++ = c[2];
 		*dst++ = c[3];
 	}
 }
 #ifdef SSH_OLD_EVP
 static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key,
 			  const unsigned char *iv, int enc)
 {
 	if (iv != NULL)
 		memcpy (&(ctx->oiv[0]), iv, 8);
 	memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8);
 	if (key != NULL)
 		BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx),
 			    key);
 }
 #endif
 static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *,
    const u_char *, LIBCRYPTO_EVP_INL_TYPE) = NULL;
 static int
 bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in,
    LIBCRYPTO_EVP_INL_TYPE len)
 {
 	int ret;
 	swap_bytes(in, out, len);
 	ret = (*orig_bf)(ctx, out, out, len);
 	swap_bytes(out, out, len);
 	return (ret);
 }
 const EVP_CIPHER *
 evp_ssh1_bf(void)
 {
 	static EVP_CIPHER ssh1_bf;
 	memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
 	orig_bf = ssh1_bf.do_cipher;
 	ssh1_bf.nid = NID_undef;
 #ifdef SSH_OLD_EVP
 	ssh1_bf.init = bf_ssh1_init;
 #endif
 	ssh1_bf.do_cipher = bf_ssh1_cipher;
 	ssh1_bf.key_len = 32;
 	return (&ssh1_bf);
 }
 #endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_NO_BF) */
 #endif /* WITH_SSH1 */
--- a/cipher.c
+++ b/cipher.c
@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.103 2017/04/30 23:10:43 djm Exp $ */
+/* $OpenBSD: cipher.c,v 1.104 2017/04/30 23:15:04 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -63,7 +63,6 @@ struct sshcipher_ctx {
 struct sshcipher {
 	char	*name;
 	int	number;		/* for ssh1 only */
 	u_int	block_size;
 	u_int	key_len;
 	u_int	iv_len;		/* defaults to block_size */
@ -74,6 +73,7 @@ struct sshcipher {
 #define CFLAG_CHACHAPOLY	(1<<1)
 #define CFLAG_AESCTR		(1<<2)
 #define CFLAG_NONE		(1<<3)
 #define CFLAG_INTERNAL		CFLAG_NONE /* Don't use "none" for packets */
 #ifdef WITH_OPENSSL
 	const EVP_CIPHER	*(*evptype)(void);
 #else
@ -83,45 +83,42 @@ struct sshcipher {
 static const struct sshcipher ciphers[] = {
 #ifdef WITH_OPENSSL
-	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+	{ "3des-cbc",		8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
 	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
 # ifndef OPENSSL_NO_BF
-	{ "blowfish-cbc",
+	{ "blowfish-cbc",	8, 16, 0, 0, 0, 1, EVP_bf_cbc },
 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
 # endif /* OPENSSL_NO_BF */
 # ifndef OPENSSL_NO_CAST
-	{ "cast128-cbc",
+	{ "cast128-cbc",	8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
 # endif /* OPENSSL_NO_CAST */
 # ifndef OPENSSL_NO_RC4
-	{ "arcfour",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
+	{ "arcfour",		8, 16, 0, 0, 0, 0, EVP_rc4 },
-	{ "arcfour128",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
+	{ "arcfour128",		8, 16, 0, 0, 1536, 0, EVP_rc4 },
-	{ "arcfour256",	SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
+	{ "arcfour256",		8, 32, 0, 0, 1536, 0, EVP_rc4 },
 # endif /* OPENSSL_NO_RC4 */
-	{ "aes128-cbc",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+	{ "aes128-cbc",		16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
-	{ "aes192-cbc",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+	{ "aes192-cbc",		16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
-	{ "aes256-cbc",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+	{ "aes256-cbc",		16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
 	{ "rijndael-cbc@lysator.liu.se",
-			SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+				16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
-	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+	{ "aes128-ctr",		16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
-	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
+	{ "aes192-ctr",		16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
-	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+	{ "aes256-ctr",		16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
 # ifdef OPENSSL_HAVE_EVPGCM
 	{ "aes128-gcm@openssh.com",
-			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+				16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
 	{ "aes256-gcm@openssh.com",
-			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+				16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 # endif /* OPENSSL_HAVE_EVPGCM */
-#else /* WITH_OPENSSL */
+#else
-	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL },
+	{ "aes128-ctr",		16, 16, 0, 0, 0, CFLAG_AESCTR, NULL },
-	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL },
+	{ "aes192-ctr",		16, 24, 0, 0, 0, CFLAG_AESCTR, NULL },
-	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL },
+	{ "aes256-ctr",		16, 32, 0, 0, 0, CFLAG_AESCTR, NULL },
-	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, CFLAG_NONE, NULL },
+#endif
 #endif /* WITH_OPENSSL */
 	{ "chacha20-poly1305@openssh.com",
-			SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL },
+				8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL },
 	{ "none",		8, 0, 0, 0, 0, CFLAG_NONE, NULL },
-	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+	{ NULL,			0, 0, 0, 0, 0, 0, NULL }
 };
 /*--*/
@ -135,7 +132,7 @@ cipher_alg_list(char sep, int auth_only)
 	const struct sshcipher *c;
 	for (c = ciphers; c->name != NULL; c++) {
-		if (c->number != SSH_CIPHER_SSH2)
+		if ((c->flags & CFLAG_INTERNAL) != 0)
 			continue;
 		if (auth_only && c->auth_len == 0)
 			continue;
@ -190,12 +187,6 @@ cipher_ivlen(const struct sshcipher *c)
 	    c->iv_len : c->block_size;
 }
 u_int
 cipher_get_number(const struct sshcipher *c)
 {
 	return (c->number);
 }
 u_int
 cipher_is_cbc(const struct sshcipher *c)
 {
@ -208,24 +199,6 @@ cipher_ctx_is_plaintext(struct sshcipher_ctx *cc)
 	return cc->plaintext;
 }
 u_int
 cipher_ctx_get_number(struct sshcipher_ctx *cc)
 {
 	return cc->cipher->number;
 }
 u_int
 cipher_mask_ssh1(int client)
 {
 	u_int mask = 0;
 	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
 	mask |= 1 << SSH_CIPHER_BLOWFISH;
 	if (client) {
 		mask |= 1 << SSH_CIPHER_DES;
 	}
 	return mask;
 }
 const struct sshcipher *
 cipher_by_name(const char *name)
 {
@ -236,16 +209,6 @@ cipher_by_name(const char *name)
 	return NULL;
 }
 const struct sshcipher *
 cipher_by_number(int id)
 {
 	const struct sshcipher *c;
 	for (c = ciphers; c->name != NULL; c++)
 		if (c->number == id)
 			return c;
 	return NULL;
 }
 #define	CIPHER_SEP	","
 int
 ciphers_valid(const char *names)
@ -261,7 +224,7 @@ ciphers_valid(const char *names)
 	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
 	    (p = strsep(&cp, CIPHER_SEP))) {
 		c = cipher_by_name(p);
-		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
+		if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
 			free(cipher_list);
 			return 0;
 		}
@ -270,38 +233,12 @@ ciphers_valid(const char *names)
 	return 1;
 }
 /*
 * Parses the name of the cipher.  Returns the number of the corresponding
 * cipher, or -1 on error.
 */
 int
 cipher_number(const char *name)
 {
 	const struct sshcipher *c;
 	if (name == NULL)
 		return -1;
 	for (c = ciphers; c->name != NULL; c++)
 		if (strcasecmp(c->name, name) == 0)
 			return c->number;
 	return -1;
 }
 char *
 cipher_name(int id)
 {
 	const struct sshcipher *c = cipher_by_number(id);
 	return (c==NULL) ? "<unknown>" : c->name;
 }
 const char *
 cipher_warning_message(const struct sshcipher_ctx *cc)
 {
 	if (cc == NULL || cc->cipher == NULL)
 		return NULL;
-	if (cc->cipher->number == SSH_CIPHER_DES)
+	/* XXX repurpose for CBC warning */
 		return "use of DES is strongly discouraged due to "
 		    "cryptographic weaknesses";
 	return NULL;
 }
@ -322,12 +259,7 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
 	if ((cc = calloc(sizeof(*cc), 1)) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
-	if (cipher->number == SSH_CIPHER_DES) {
+	cc->plaintext = 0; /* XXX */
 		if (keylen > 8)
 			keylen = 8;
 	}
 	cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
 	cc->encrypt = do_encrypt;
 	if (keylen < cipher->key_len ||
@ -341,6 +273,10 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
 		ret = chachapoly_init(&cc->cp_ctx, key, keylen);
 		goto out;
 	}
 	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
 		ret = 0;
 		goto out;
 	}
 #ifndef WITH_OPENSSL
 	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
 		aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
@ -348,10 +284,6 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
 		ret = 0;
 		goto out;
 	}
 	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
 		ret = 0;
 		goto out;
 	}
 	ret = SSH_ERR_INVALID_ARGUMENT;
 	goto out;
 #else /* WITH_OPENSSL */
@ -436,6 +368,10 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
 		return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src,
 		    len, aadlen, authlen, cc->encrypt);
 	}
 	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
 		memcpy(dest, src, aadlen + len);
 		return 0;
 	}
 #ifndef WITH_OPENSSL
 	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
 		if (aadlen)
@ -444,10 +380,6 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
 		    dest + aadlen, len);
 		return 0;
 	}
 	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
 		memcpy(dest, src, aadlen + len);
 		return 0;
 	}
 	return SSH_ERR_INVALID_ARGUMENT;
 #else
 	if (authlen) {
@ -554,19 +486,16 @@ int
 cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
 {
 	const struct sshcipher *c = cc->cipher;
 	int ivlen = 0;
-	if (c->number == SSH_CIPHER_3DES)
+	if ((c->flags & CFLAG_CHACHAPOLY) != 0)
-		ivlen = 24;
+		return 0;
-	else if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
+	else if ((c->flags & CFLAG_AESCTR) != 0)
-		ivlen = 0;
+		return sizeof(cc->ac_ctx.ctr);
 	else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
 		ivlen = sizeof(cc->ac_ctx.ctr);
 #ifdef WITH_OPENSSL
-	else
+	return EVP_CIPHER_CTX_iv_length(cc->evp);
-		ivlen = EVP_CIPHER_CTX_iv_length(cc->evp);
+#else
-#endif /* WITH_OPENSSL */
+	return 0;
-	return (ivlen);
+#endif
 }
 int
@ -591,34 +520,26 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
 	if ((cc->cipher->flags & CFLAG_NONE) != 0)
 		return 0;
 	switch (c->number) {
 #ifdef WITH_OPENSSL
-	case SSH_CIPHER_SSH2:
+	evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
-	case SSH_CIPHER_DES:
+	if (evplen == 0)
-	case SSH_CIPHER_BLOWFISH:
+		return 0;
-		evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
+	else if (evplen < 0)
-		if (evplen == 0)
+		return SSH_ERR_LIBCRYPTO_ERROR;
-			return 0;
+	if ((u_int)evplen != len)
 		else if (evplen < 0)
 			return SSH_ERR_LIBCRYPTO_ERROR;
 		if ((u_int)evplen != len)
 			return SSH_ERR_INVALID_ARGUMENT;
 #ifndef OPENSSL_HAVE_EVPCTR
 		if (c->evptype == evp_aes_128_ctr)
 			ssh_aes_ctr_iv(cc->evp, 0, iv, len);
 		else
 #endif
 		if (cipher_authlen(c)) {
 			if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
 			   len, iv))
 			       return SSH_ERR_LIBCRYPTO_ERROR;
 		} else
 			memcpy(iv, cc->evp->iv, len);
 		break;
 #endif
 	default:
 		return SSH_ERR_INVALID_ARGUMENT;
-	}
+#ifndef OPENSSL_HAVE_EVPCTR
 	if (c->evptype == evp_aes_128_ctr)
 		ssh_aes_ctr_iv(cc->evp, 0, iv, len);
 	else
 #endif
 	if (cipher_authlen(c)) {
 		if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
 		   len, iv))
 		       return SSH_ERR_LIBCRYPTO_ERROR;
 	} else
 		memcpy(iv, cc->evp->iv, len);
 #endif
 	return 0;
 }
@ -635,32 +556,24 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
 	if ((cc->cipher->flags & CFLAG_NONE) != 0)
 		return 0;
 	switch (c->number) {
 #ifdef WITH_OPENSSL
-	case SSH_CIPHER_SSH2:
+	evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
-	case SSH_CIPHER_DES:
+	if (evplen <= 0)
-	case SSH_CIPHER_BLOWFISH:
+		return SSH_ERR_LIBCRYPTO_ERROR;
 		evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
 		if (evplen <= 0)
 			return SSH_ERR_LIBCRYPTO_ERROR;
 #ifndef OPENSSL_HAVE_EVPCTR
-		/* XXX iv arg is const, but ssh_aes_ctr_iv isn't */
+	/* XXX iv arg is const, but ssh_aes_ctr_iv isn't */
-		if (c->evptype == evp_aes_128_ctr)
+	if (c->evptype == evp_aes_128_ctr)
-			ssh_aes_ctr_iv(cc->evp, 1, (u_char *)iv, evplen);
+		ssh_aes_ctr_iv(cc->evp, 1, (u_char *)iv, evplen);
-		else
+	else
 #endif
-		if (cipher_authlen(c)) {
+	if (cipher_authlen(c)) {
-			/* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
+		/* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
-			if (!EVP_CIPHER_CTX_ctrl(cc->evp,
+		if (!EVP_CIPHER_CTX_ctrl(cc->evp,
-			    EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
+		    EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
-				return SSH_ERR_LIBCRYPTO_ERROR;
+			return SSH_ERR_LIBCRYPTO_ERROR;
-		} else
+	} else
-			memcpy(cc->evp->iv, iv, evplen);
+		memcpy(cc->evp->iv, iv, evplen);
 		break;
 #endif
 	default:
 		return SSH_ERR_INVALID_ARGUMENT;
 	}
 	return 0;
 }
--- a/cipher.h
+++ b/cipher.h
@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.h,v 1.49 2016/08/03 05:41:57 djm Exp $ */
+/* $OpenBSD: cipher.h,v 1.50 2017/04/30 23:15:04 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -42,34 +42,13 @@
 #include "cipher-chachapoly.h"
 #include "cipher-aesctr.h"
 /*
 * Cipher types for SSH-1.  New types can be added, but old types should not
 * be removed for compatibility.  The maximum allowed value is 31.
 */
 #define SSH_CIPHER_SSH2		-3
 #define SSH_CIPHER_INVALID	-2	/* No valid cipher selected. */
 #define SSH_CIPHER_NOT_SET	-1	/* None selected (invalid number). */
 #define SSH_CIPHER_NONE		0	/* no encryption */
 #define SSH_CIPHER_IDEA		1	/* IDEA CFB */
 #define SSH_CIPHER_DES		2	/* DES CBC */
 #define SSH_CIPHER_3DES		3	/* 3DES CBC */
 #define SSH_CIPHER_BROKEN_TSS	4	/* TRI's Simple Stream encryption CBC */
 #define SSH_CIPHER_BROKEN_RC4	5	/* Alleged RC4 */
 #define SSH_CIPHER_BLOWFISH	6
 #define SSH_CIPHER_RESERVED	7
 #define SSH_CIPHER_MAX		31
 #define CIPHER_ENCRYPT		1
 #define CIPHER_DECRYPT		0
 struct sshcipher;
 struct sshcipher_ctx;
 u_int	 cipher_mask_ssh1(int);
 const struct sshcipher *cipher_by_name(const char *);
 const struct sshcipher *cipher_by_number(int);
 int	 cipher_number(const char *);
 char	*cipher_name(int);
 const char *cipher_warning_message(const struct sshcipher_ctx *);
 int	 ciphers_valid(const char *);
 char	*cipher_alg_list(char, int);
@ -90,9 +69,7 @@ u_int	 cipher_ivlen(const struct sshcipher *);
 u_int	 cipher_is_cbc(const struct sshcipher *);
 u_int	 cipher_ctx_is_plaintext(struct sshcipher_ctx *);
 u_int	 cipher_ctx_get_number(struct sshcipher_ctx *);
 u_int	 cipher_get_number(const struct sshcipher *);
 int	 cipher_get_keyiv(struct sshcipher_ctx *, u_char *, u_int);
 int	 cipher_set_keyiv(struct sshcipher_ctx *, const u_char *);
 int	 cipher_get_keyiv_len(const struct sshcipher_ctx *);
--- a/readconf.c
+++ b/readconf.c
@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.273 2017/04/30 23:11:45 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.274 2017/04/30 23:15:04 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -182,6 +182,7 @@ static struct {
 } keywords[] = {
 	/* Deprecated options */
 	{ "protocol", oIgnore }, /* NB. silently ignored */
 	{ "cipher", oDeprecated },
 	{ "fallbacktorsh", oDeprecated },
 	{ "globalknownhostsfile2", oDeprecated },
 	{ "rhostsauthentication", oDeprecated },
@ -240,7 +241,6 @@ static struct {
 	{ "hostkeyalias", oHostKeyAlias },
 	{ "proxycommand", oProxyCommand },
 	{ "port", oPort },
 	{ "cipher", oCipher },
 	{ "ciphers", oCiphers },
 	{ "macs", oMacs },
 	{ "remoteforward", oRemoteForward },
@ -1175,19 +1175,6 @@ parse_int:
 		intptr = &options->connection_attempts;
 		goto parse_int;
 	case oCipher:
 		intptr = &options->cipher;
 		arg = strdelim(&s);
 		if (!arg || *arg == '\0')
 			fatal("%.200s line %d: Missing argument.", filename, linenum);
 		value = cipher_number(arg);
 		if (value == -1)
 			fatal("%.200s line %d: Bad cipher '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
 		if (*activep && *intptr == -1)
 			*intptr = value;
 		break;
 	case oCiphers:
 		arg = strdelim(&s);
 		if (!arg || *arg == '\0')
@ -1811,7 +1798,6 @@ initialize_options(Options * options)
 	options->connection_attempts = -1;
 	options->connection_timeout = -1;
 	options->number_of_password_prompts = -1;
 	options->cipher = -1;
 	options->ciphers = NULL;
 	options->macs = NULL;
 	options->kex_algorithms = NULL;
@ -1968,9 +1954,6 @@ fill_default_options(Options * options)
 		options->connection_attempts = 1;
 	if (options->number_of_password_prompts == -1)
 		options->number_of_password_prompts = 3;
 	/* Selected in ssh_login(). */
 	if (options->cipher == -1)
 		options->cipher = SSH_CIPHER_NOT_SET;
 	/* options->hostkeyalgorithms, default set in myproposals.h */
 	if (options->add_keys_to_agent == -1)
 		options->add_keys_to_agent = 0;
@ -2603,10 +2586,6 @@ dump_client_config(Options *o, const char *host)
 		printf("\n");
 	}
 	/* oCipher */
 	if (o->cipher != SSH_CIPHER_NOT_SET)
 		printf("Cipher %s\n", cipher_name(o->cipher));
 	/* oControlPersist */
 	if (o->control_persist == 0 || o->control_persist_timeout == 0)
 		dump_cfg_fmtint(oControlPersist, o->control_persist);
--- a/readconf.h
+++ b/readconf.h
@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.119 2017/04/30 23:11:45 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.120 2017/04/30 23:15:04 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -70,7 +70,6 @@ typedef struct {
 					 * aborting connection attempt */
 	int     number_of_password_prompts;	/* Max number of password
 						 * prompts. */
 	int     cipher;		/* Cipher to use. */
 	char   *ciphers;	/* SSH2 ciphers in order of preference. */
 	char   *macs;		/* SSH2 macs in order of preference. */
 	char   *hostkeyalgorithms;	/* SSH2 server key types in order of preference. */
--- a/ssh.c
+++ b/ssh.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.455 2017/04/30 23:13:25 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.456 2017/04/30 23:15:04 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -813,27 +813,14 @@ main(int ac, char **av)
 			}
 			break;
 		case 'c':
-			if (ciphers_valid(*optarg == '+' ?
+			if (!ciphers_valid(*optarg == '+' ?
 			    optarg + 1 : optarg)) {
 				/* SSH2 only */
 				free(options.ciphers);
 				options.ciphers = xstrdup(optarg);
 				options.cipher = SSH_CIPHER_INVALID;
 				break;
 			}
 			/* SSH1 only */
 			options.cipher = cipher_number(optarg);
 			if (options.cipher == -1) {
 				fprintf(stderr, "Unknown cipher type '%s'\n",
 				    optarg);
 				exit(255);
 			}
-			if (options.cipher == SSH_CIPHER_3DES)
+			free(options.ciphers);
-				options.ciphers = xstrdup("3des-cbc");
+			options.ciphers = xstrdup(optarg);
 			else if (options.cipher == SSH_CIPHER_BLOWFISH)
 				options.ciphers = xstrdup("blowfish-cbc");
 			else
 				options.ciphers = xstrdup(KEX_CLIENT_ENCRYPT);
 			break;
 		case 'm':
 			if (mac_valid(optarg)) {
--- a/sshkey.c
+++ b/sshkey.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.46 2017/04/30 23:10:43 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.47 2017/04/30 23:15:04 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
 * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@ -2971,12 +2971,8 @@ sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob,
 		kdfname = "none";
 	} else if (ciphername == NULL)
 		ciphername = DEFAULT_CIPHERNAME;
 	else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) {
 		r = SSH_ERR_INVALID_ARGUMENT;
 		goto out;
 	}
 	if ((cipher = cipher_by_name(ciphername)) == NULL) {
-		r = SSH_ERR_INTERNAL_ERROR;
+		r = SSH_ERR_INVALID_ARGUMENT;
 		goto out;
 	}