diff options
author | Damien Miller <djm@mindrot.org> | 2014-07-02 15:28:02 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-07-02 15:28:02 +1000 |
commit | 8668706d0f52654fe64c0ca41a96113aeab8d2b8 (patch) | |
tree | 73e78e1ea3d39206e39870bbe0af17d6c430fb51 /cipher-chachapoly.c | |
parent | 2cd7929250cf9e9f658d70dcd452f529ba08c942 (diff) |
- djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
[auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
[cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
[digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
[hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
[ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
[ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
[sshconnect2.c sshd.c sshkey.c sshkey.h
[openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.
NB. This commit also removes portable OpenSSH support for OpenSSL
<0.9.8e.
Diffstat (limited to 'cipher-chachapoly.c')
-rw-r--r-- | cipher-chachapoly.c | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c index 251b94ec8..0caccd297 100644 --- a/cipher-chachapoly.c +++ b/cipher-chachapoly.c | |||
@@ -14,7 +14,7 @@ | |||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
15 | */ | 15 | */ |
16 | 16 | ||
17 | /* $OpenBSD: cipher-chachapoly.c,v 1.4 2014/01/31 16:39:19 tedu Exp $ */ | 17 | /* $OpenBSD: cipher-chachapoly.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */ |
18 | 18 | ||
19 | #include "includes.h" | 19 | #include "includes.h" |
20 | 20 | ||
@@ -24,16 +24,18 @@ | |||
24 | #include <stdio.h> /* needed for misc.h */ | 24 | #include <stdio.h> /* needed for misc.h */ |
25 | 25 | ||
26 | #include "log.h" | 26 | #include "log.h" |
27 | #include "misc.h" | 27 | #include "sshbuf.h" |
28 | #include "ssherr.h" | ||
28 | #include "cipher-chachapoly.h" | 29 | #include "cipher-chachapoly.h" |
29 | 30 | ||
30 | void chachapoly_init(struct chachapoly_ctx *ctx, | 31 | int chachapoly_init(struct chachapoly_ctx *ctx, |
31 | const u_char *key, u_int keylen) | 32 | const u_char *key, u_int keylen) |
32 | { | 33 | { |
33 | if (keylen != (32 + 32)) /* 2 x 256 bit keys */ | 34 | if (keylen != (32 + 32)) /* 2 x 256 bit keys */ |
34 | fatal("%s: invalid keylen %u", __func__, keylen); | 35 | return SSH_ERR_INVALID_ARGUMENT; |
35 | chacha_keysetup(&ctx->main_ctx, key, 256); | 36 | chacha_keysetup(&ctx->main_ctx, key, 256); |
36 | chacha_keysetup(&ctx->header_ctx, key + 32, 256); | 37 | chacha_keysetup(&ctx->header_ctx, key + 32, 256); |
38 | return 0; | ||
37 | } | 39 | } |
38 | 40 | ||
39 | /* | 41 | /* |
@@ -52,14 +54,14 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, | |||
52 | u_char seqbuf[8]; | 54 | u_char seqbuf[8]; |
53 | const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */ | 55 | const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */ |
54 | u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN]; | 56 | u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN]; |
55 | int r = -1; | 57 | int r = SSH_ERR_INTERNAL_ERROR; |
56 | 58 | ||
57 | /* | 59 | /* |
58 | * Run ChaCha20 once to generate the Poly1305 key. The IV is the | 60 | * Run ChaCha20 once to generate the Poly1305 key. The IV is the |
59 | * packet sequence number. | 61 | * packet sequence number. |
60 | */ | 62 | */ |
61 | memset(poly_key, 0, sizeof(poly_key)); | 63 | memset(poly_key, 0, sizeof(poly_key)); |
62 | put_u64(seqbuf, seqnr); | 64 | POKE_U64(seqbuf, seqnr); |
63 | chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL); | 65 | chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL); |
64 | chacha_encrypt_bytes(&ctx->main_ctx, | 66 | chacha_encrypt_bytes(&ctx->main_ctx, |
65 | poly_key, poly_key, sizeof(poly_key)); | 67 | poly_key, poly_key, sizeof(poly_key)); |
@@ -71,8 +73,10 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, | |||
71 | const u_char *tag = src + aadlen + len; | 73 | const u_char *tag = src + aadlen + len; |
72 | 74 | ||
73 | poly1305_auth(expected_tag, src, aadlen + len, poly_key); | 75 | poly1305_auth(expected_tag, src, aadlen + len, poly_key); |
74 | if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) | 76 | if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) { |
77 | r = SSH_ERR_MAC_INVALID; | ||
75 | goto out; | 78 | goto out; |
79 | } | ||
76 | } | 80 | } |
77 | /* Crypt additional data */ | 81 | /* Crypt additional data */ |
78 | if (aadlen) { | 82 | if (aadlen) { |
@@ -88,7 +92,6 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, | |||
88 | poly_key); | 92 | poly_key); |
89 | } | 93 | } |
90 | r = 0; | 94 | r = 0; |
91 | |||
92 | out: | 95 | out: |
93 | explicit_bzero(expected_tag, sizeof(expected_tag)); | 96 | explicit_bzero(expected_tag, sizeof(expected_tag)); |
94 | explicit_bzero(seqbuf, sizeof(seqbuf)); | 97 | explicit_bzero(seqbuf, sizeof(seqbuf)); |
@@ -104,11 +107,11 @@ chachapoly_get_length(struct chachapoly_ctx *ctx, | |||
104 | u_char buf[4], seqbuf[8]; | 107 | u_char buf[4], seqbuf[8]; |
105 | 108 | ||
106 | if (len < 4) | 109 | if (len < 4) |
107 | return -1; /* Insufficient length */ | 110 | return SSH_ERR_MESSAGE_INCOMPLETE; |
108 | put_u64(seqbuf, seqnr); | 111 | POKE_U64(seqbuf, seqnr); |
109 | chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); | 112 | chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); |
110 | chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4); | 113 | chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4); |
111 | *plenp = get_u32(buf); | 114 | *plenp = PEEK_U32(buf); |
112 | return 0; | 115 | return 0; |
113 | } | 116 | } |
114 | 117 | ||