diff options
author | Damien Miller <djm@mindrot.org> | 2014-07-02 15:28:02 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-07-02 15:28:02 +1000 |
commit | 8668706d0f52654fe64c0ca41a96113aeab8d2b8 (patch) | |
tree | 73e78e1ea3d39206e39870bbe0af17d6c430fb51 /packet.c | |
parent | 2cd7929250cf9e9f658d70dcd452f529ba08c942 (diff) |
- djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
[auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
[cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
[digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
[hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
[ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
[ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
[sshconnect2.c sshd.c sshkey.c sshkey.h
[openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.
NB. This commit also removes portable OpenSSH support for OpenSSL
<0.9.8e.
Diffstat (limited to 'packet.c')
-rw-r--r-- | packet.c | 38 |
1 files changed, 24 insertions, 14 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.c,v 1.196 2014/05/03 17:20:34 markus Exp $ */ | 1 | /* $OpenBSD: packet.c,v 1.197 2014/06/24 01:13:21 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -78,6 +78,7 @@ | |||
78 | #include "canohost.h" | 78 | #include "canohost.h" |
79 | #include "misc.h" | 79 | #include "misc.h" |
80 | #include "ssh.h" | 80 | #include "ssh.h" |
81 | #include "ssherr.h" | ||
81 | #include "roaming.h" | 82 | #include "roaming.h" |
82 | 83 | ||
83 | #ifdef PACKET_DEBUG | 84 | #ifdef PACKET_DEBUG |
@@ -222,6 +223,7 @@ void | |||
222 | packet_set_connection(int fd_in, int fd_out) | 223 | packet_set_connection(int fd_in, int fd_out) |
223 | { | 224 | { |
224 | const Cipher *none = cipher_by_name("none"); | 225 | const Cipher *none = cipher_by_name("none"); |
226 | int r; | ||
225 | 227 | ||
226 | if (none == NULL) | 228 | if (none == NULL) |
227 | fatal("packet_set_connection: cannot load cipher 'none'"); | 229 | fatal("packet_set_connection: cannot load cipher 'none'"); |
@@ -229,10 +231,11 @@ packet_set_connection(int fd_in, int fd_out) | |||
229 | active_state = alloc_session_state(); | 231 | active_state = alloc_session_state(); |
230 | active_state->connection_in = fd_in; | 232 | active_state->connection_in = fd_in; |
231 | active_state->connection_out = fd_out; | 233 | active_state->connection_out = fd_out; |
232 | cipher_init(&active_state->send_context, none, (const u_char *)"", | 234 | if ((r = cipher_init(&active_state->send_context, none, |
233 | 0, NULL, 0, CIPHER_ENCRYPT); | 235 | (const u_char *)"", 0, NULL, 0, CIPHER_ENCRYPT)) != 0 || |
234 | cipher_init(&active_state->receive_context, none, (const u_char *)"", | 236 | (r = cipher_init(&active_state->receive_context, none, |
235 | 0, NULL, 0, CIPHER_DECRYPT); | 237 | (const u_char *)"", 0, NULL, 0, CIPHER_DECRYPT)) != 0) |
238 | fatal("%s: cipher_init: %s", __func__, ssh_err(r)); | ||
236 | active_state->newkeys[MODE_IN] = active_state->newkeys[MODE_OUT] = NULL; | 239 | active_state->newkeys[MODE_IN] = active_state->newkeys[MODE_OUT] = NULL; |
237 | if (!active_state->initialized) { | 240 | if (!active_state->initialized) { |
238 | active_state->initialized = 1; | 241 | active_state->initialized = 1; |
@@ -329,13 +332,15 @@ void | |||
329 | packet_get_keyiv(int mode, u_char *iv, u_int len) | 332 | packet_get_keyiv(int mode, u_char *iv, u_int len) |
330 | { | 333 | { |
331 | CipherContext *cc; | 334 | CipherContext *cc; |
335 | int r; | ||
332 | 336 | ||
333 | if (mode == MODE_OUT) | 337 | if (mode == MODE_OUT) |
334 | cc = &active_state->send_context; | 338 | cc = &active_state->send_context; |
335 | else | 339 | else |
336 | cc = &active_state->receive_context; | 340 | cc = &active_state->receive_context; |
337 | 341 | ||
338 | cipher_get_keyiv(cc, iv, len); | 342 | if ((r = cipher_get_keyiv(cc, iv, len)) != 0) |
343 | fatal("%s: cipher_get_keyiv: %s", __func__, ssh_err(r)); | ||
339 | } | 344 | } |
340 | 345 | ||
341 | int | 346 | int |
@@ -381,13 +386,15 @@ void | |||
381 | packet_set_iv(int mode, u_char *dat) | 386 | packet_set_iv(int mode, u_char *dat) |
382 | { | 387 | { |
383 | CipherContext *cc; | 388 | CipherContext *cc; |
389 | int r; | ||
384 | 390 | ||
385 | if (mode == MODE_OUT) | 391 | if (mode == MODE_OUT) |
386 | cc = &active_state->send_context; | 392 | cc = &active_state->send_context; |
387 | else | 393 | else |
388 | cc = &active_state->receive_context; | 394 | cc = &active_state->receive_context; |
389 | 395 | ||
390 | cipher_set_keyiv(cc, dat); | 396 | if ((r = cipher_set_keyiv(cc, dat)) != 0) |
397 | fatal("%s: cipher_set_keyiv: %s", __func__, ssh_err(r)); | ||
391 | } | 398 | } |
392 | 399 | ||
393 | int | 400 | int |
@@ -552,6 +559,7 @@ void | |||
552 | packet_set_encryption_key(const u_char *key, u_int keylen, int number) | 559 | packet_set_encryption_key(const u_char *key, u_int keylen, int number) |
553 | { | 560 | { |
554 | const Cipher *cipher = cipher_by_number(number); | 561 | const Cipher *cipher = cipher_by_number(number); |
562 | int r; | ||
555 | 563 | ||
556 | if (cipher == NULL) | 564 | if (cipher == NULL) |
557 | fatal("packet_set_encryption_key: unknown cipher number %d", number); | 565 | fatal("packet_set_encryption_key: unknown cipher number %d", number); |
@@ -561,10 +569,11 @@ packet_set_encryption_key(const u_char *key, u_int keylen, int number) | |||
561 | fatal("packet_set_encryption_key: keylen too big: %d", keylen); | 569 | fatal("packet_set_encryption_key: keylen too big: %d", keylen); |
562 | memcpy(active_state->ssh1_key, key, keylen); | 570 | memcpy(active_state->ssh1_key, key, keylen); |
563 | active_state->ssh1_keylen = keylen; | 571 | active_state->ssh1_keylen = keylen; |
564 | cipher_init(&active_state->send_context, cipher, key, keylen, NULL, | 572 | if ((r = cipher_init(&active_state->send_context, cipher, |
565 | 0, CIPHER_ENCRYPT); | 573 | key, keylen, NULL, 0, CIPHER_ENCRYPT)) != 0 || |
566 | cipher_init(&active_state->receive_context, cipher, key, keylen, NULL, | 574 | (r = cipher_init(&active_state->receive_context, cipher, |
567 | 0, CIPHER_DECRYPT); | 575 | key, keylen, NULL, 0, CIPHER_DECRYPT)) != 0) |
576 | fatal("%s: cipher_init: %s", __func__, ssh_err(r)); | ||
568 | } | 577 | } |
569 | 578 | ||
570 | u_int | 579 | u_int |
@@ -744,7 +753,7 @@ set_newkeys(int mode) | |||
744 | Comp *comp; | 753 | Comp *comp; |
745 | CipherContext *cc; | 754 | CipherContext *cc; |
746 | u_int64_t *max_blocks; | 755 | u_int64_t *max_blocks; |
747 | int crypt_type; | 756 | int r, crypt_type; |
748 | 757 | ||
749 | debug2("set_newkeys: mode %d", mode); | 758 | debug2("set_newkeys: mode %d", mode); |
750 | 759 | ||
@@ -786,8 +795,9 @@ set_newkeys(int mode) | |||
786 | if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0) | 795 | if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0) |
787 | mac->enabled = 1; | 796 | mac->enabled = 1; |
788 | DBG(debug("cipher_init_context: %d", mode)); | 797 | DBG(debug("cipher_init_context: %d", mode)); |
789 | cipher_init(cc, enc->cipher, enc->key, enc->key_len, | 798 | if ((r = cipher_init(cc, enc->cipher, enc->key, enc->key_len, |
790 | enc->iv, enc->iv_len, crypt_type); | 799 | enc->iv, enc->iv_len, crypt_type)) != 0) |
800 | fatal("%s: cipher_init: %s", __func__, ssh_err(r)); | ||
791 | /* Deleting the keys does not gain extra security */ | 801 | /* Deleting the keys does not gain extra security */ |
792 | /* explicit_bzero(enc->iv, enc->block_size); | 802 | /* explicit_bzero(enc->iv, enc->block_size); |
793 | explicit_bzero(enc->key, enc->key_len); | 803 | explicit_bzero(enc->key, enc->key_len); |