From 8668706d0f52654fe64c0ca41a96113aeab8d2b8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 2 Jul 2014 15:28:02 +1000 Subject: - djm@cvs.openbsd.org 2014/06/24 01:13:21 [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c [sshconnect2.c sshd.c sshkey.c sshkey.h [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago. NB. This commit also removes portable OpenSSH support for OpenSSL <0.9.8e. --- cipher-chachapoly.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) (limited to 'cipher-chachapoly.c') diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c index 251b94ec..0caccd29 100644 --- a/cipher-chachapoly.c +++ b/cipher-chachapoly.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: cipher-chachapoly.c,v 1.4 2014/01/31 16:39:19 tedu Exp $ */ +/* $OpenBSD: cipher-chachapoly.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */ #include "includes.h" @@ -24,16 +24,18 @@ #include /* needed for misc.h */ #include "log.h" -#include "misc.h" +#include "sshbuf.h" +#include "ssherr.h" #include "cipher-chachapoly.h" -void chachapoly_init(struct chachapoly_ctx *ctx, +int chachapoly_init(struct chachapoly_ctx *ctx, const u_char *key, u_int keylen) { if (keylen != (32 + 32)) /* 2 x 256 bit keys */ - fatal("%s: invalid keylen %u", __func__, keylen); + return SSH_ERR_INVALID_ARGUMENT; chacha_keysetup(&ctx->main_ctx, key, 256); chacha_keysetup(&ctx->header_ctx, key + 32, 256); + return 0; } /* @@ -52,14 +54,14 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, u_char seqbuf[8]; const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */ u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN]; - int r = -1; + int r = SSH_ERR_INTERNAL_ERROR; /* * Run ChaCha20 once to generate the Poly1305 key. The IV is the * packet sequence number. */ memset(poly_key, 0, sizeof(poly_key)); - put_u64(seqbuf, seqnr); + POKE_U64(seqbuf, seqnr); chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL); chacha_encrypt_bytes(&ctx->main_ctx, poly_key, poly_key, sizeof(poly_key)); @@ -71,8 +73,10 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, const u_char *tag = src + aadlen + len; poly1305_auth(expected_tag, src, aadlen + len, poly_key); - if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) + if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) { + r = SSH_ERR_MAC_INVALID; goto out; + } } /* Crypt additional data */ if (aadlen) { @@ -88,7 +92,6 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, poly_key); } r = 0; - out: explicit_bzero(expected_tag, sizeof(expected_tag)); explicit_bzero(seqbuf, sizeof(seqbuf)); @@ -104,11 +107,11 @@ chachapoly_get_length(struct chachapoly_ctx *ctx, u_char buf[4], seqbuf[8]; if (len < 4) - return -1; /* Insufficient length */ - put_u64(seqbuf, seqnr); + return SSH_ERR_MESSAGE_INCOMPLETE; + POKE_U64(seqbuf, seqnr); chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4); - *plenp = get_u32(buf); + *plenp = PEEK_U32(buf); return 0; } -- cgit v1.2.3