Startseite Erkunden Hilfe
Anmelden
trn
/
j-hpn-ssh
Mirror von git://github.com/johnsonjh/j-hpn-ssh
Beobachten 1
Favorit hinzufügen 1
Fork 0
Dateien
Branch: master
Branches Tags
j-hpn-ssh
/
cipher-chachapoly.c

cipher-chachapoly.c 4.1 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140 
  1. /*
    2. 

  2.  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
    3. 

  3.  *
    4. 

  4.  * Permission to use, copy, modify, and distribute this software for any
    5. 

  5.  * purpose with or without fee is hereby granted, provided that the above
    6. 

  6.  * copyright notice and this permission notice appear in all copies.
    7. 

  7.  *
    8. 

  8.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
    9. 

  9.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
    10. 

  10.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
    11. 

  11.  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
    12. 

  12.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
    13. 

  13.  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
    14. 

  14.  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
    15. 

  15.  */
    16. 

  16. 

  17. /* $OpenBSD: cipher-chachapoly.c,v 1.9 2020/04/03 04:27:03 djm Exp $ */
    18. 

  18. 

  19. #include "includes.h"
    20. 

  20. #ifdef WITH_OPENSSL
    21. 

  21. #include "openbsd-compat/openssl-compat.h"
    22. 

  22. #endif
    23. 

  23. 

  24. #if !defined(HAVE_EVP_CHACHA20) || defined(HAVE_BROKEN_CHACHA20)
    25. 

  25. 

  26. #include <sys/types.h>
    27. 

  27. #include <stdarg.h> /* needed for log.h */
    28. 

  28. #include <string.h>
    29. 

  29. #include <stdio.h>  /* needed for misc.h */
    30. 

  30. 

  31. #include "log.h"
    32. 

  32. #include "sshbuf.h"
    33. 

  33. #include "ssherr.h"
    34. 

  34. #include "cipher-chachapoly.h"
    35. 

  35. 

  36. struct chachapoly_ctx {
    37. 

  37. 	struct chacha_ctx main_ctx, header_ctx;
    38. 

  38. };
    39. 

  39. 

  40. struct chachapoly_ctx *
    41. 

  41. chachapoly_new(const u_char *key, u_int keylen)
    42. 

  42. {
    43. 

  43. 	struct chachapoly_ctx *ctx;
    44. 

  44. 

  45. 	if (keylen != (32 + 32)) /* 2 x 256 bit keys */
    46. 

  46. 		return NULL;
    47. 

  47. 	if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
    48. 

  48. 		return NULL;
    49. 

  49. 	chacha_keysetup(&ctx->main_ctx, key, 256);
    50. 

  50. 	chacha_keysetup(&ctx->header_ctx, key + 32, 256);
    51. 

  51. 	return ctx;
    52. 

  52. }
    53. 

  53. 

  54. void
    55. 

  55. chachapoly_free(struct chachapoly_ctx *cpctx)
    56. 

  56. {
    57. 

  57. 	freezero(cpctx, sizeof(*cpctx));
    58. 

  58. }
    59. 

  59. 

  60. /*
    61. 

  61.  * chachapoly_crypt() operates as following:
    62. 

  62.  * En/decrypt with header key 'aadlen' bytes from 'src', storing result
    63. 

  63.  * to 'dest'. The ciphertext here is treated as additional authenticated
    64. 

  64.  * data for MAC calculation.
    65. 

  65.  * En/decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. Use
    66. 

  66.  * POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the authentication
    67. 

  67.  * tag. This tag is written on encryption and verified on decryption.
    68. 

  68.  */
    69. 

  69. int
    70. 

  70. chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
    71. 

  71.     const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt)
    72. 

  72. {
    73. 

  73. 	u_char seqbuf[8];
    74. 

  74. 	const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */
    75. 

  75. 	u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
    76. 

  76. 	int r = SSH_ERR_INTERNAL_ERROR;
    77. 

  77. 

  78. 	/*
    79. 

  79. 	 * Run ChaCha20 once to generate the Poly1305 key. The IV is the
    80. 

  80. 	 * packet sequence number.
    81. 

  81. 	 */
    82. 

  82. 	memset(poly_key, 0, sizeof(poly_key));
    83. 

  83. 	POKE_U64(seqbuf, seqnr);
    84. 

  84. 	chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
    85. 

  85. 	chacha_encrypt_bytes(&ctx->main_ctx,
    86. 

  86. 	    poly_key, poly_key, sizeof(poly_key));
    87. 

  87. 

  88. 	/* If decrypting, check tag before anything else */
    89. 

  89. 	if (!do_encrypt) {
    90. 

  90. 		const u_char *tag = src + aadlen + len;
    91. 

  91. 

  92. 		poly1305_auth(expected_tag, src, aadlen + len, poly_key);
    93. 

  93. 		if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) {
    94. 

  94. 			r = SSH_ERR_MAC_INVALID;
    95. 

  95. 			goto out;
    96. 

  96. 		}
    97. 

  97. 	}
    98. 

  98. 

  99. 	/* Crypt additional data */
    100. 

  100. 	if (aadlen) {
    101. 

  101. 		chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
    102. 

  102. 		chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
    103. 

  103. 	}
    104. 

  104. 

  105. 	/* Set Chacha's block counter to 1 */
    106. 

  106. 	chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
    107. 

  107. 	chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
    108. 

  108. 	    dest + aadlen, len);
    109. 

  109. 

  110. 	/* If encrypting, calculate and append tag */
    111. 

  111. 	if (do_encrypt) {
    112. 

  112. 		poly1305_auth(dest + aadlen + len, dest, aadlen + len,
    113. 

  113. 		    poly_key);
    114. 

  114. 	}
    115. 

  115. 	r = 0;
    116. 

  116.  out:
    117. 

  117. 	explicit_bzero(expected_tag, sizeof(expected_tag));
    118. 

  118. 	explicit_bzero(seqbuf, sizeof(seqbuf));
    119. 

  119. 	explicit_bzero(poly_key, sizeof(poly_key));
    120. 

  120. 	return r;
    121. 

  121. }
    122. 

  122. 

  123. /* Decrypt and extract the encrypted packet length */
    124. 

  124. int
    125. 

  125. chachapoly_get_length(struct chachapoly_ctx *ctx,
    126. 

  126.     u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
    127. 

  127. {
    128. 

  128. 	u_char buf[4], seqbuf[8];
    129. 

  129. 

  130. 	if (len < 4)
    131. 

  131. 		return SSH_ERR_MESSAGE_INCOMPLETE;
    132. 

  132. 	POKE_U64(seqbuf, seqnr);
    133. 

  133. 	chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
    134. 

  134. 	chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4);
    135. 

  135. 	*plenp = PEEK_U32(buf);
    136. 

  136. 	return 0;
    137. 

  137. }
    138. 

  138. 

  139. #endif /* !defined(HAVE_EVP_CHACHA20) || defined(HAVE_BROKEN_CHACHA20) */
    140. 

  140.