From 42cf086b6bdf05e2d48504508fb4849c11e60298 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Fri, 21 Aug 2015 23:20:12 +0100
Subject: [PATCH] Add a key-length field to 'struct ssh_mac'.

The key derivation code has been assuming (though non-critically, as it happens) that the size of the MAC output is the same as the size of the MAC key. That isn't even a good assumption for the HMAC family, due to HMAC-SHA1-96 and also the bug-compatible versions of HMAC-SHA1 that only use 16 bytes of key material; so now we have an explicit key-length field separate from the MAC-length field.
---
 ssh.c | 4 ++--
 ssh.h | 2 +-
 sshccp.c | 2 +-
 sshmd5.c | 2 +-
 sshsh256.c | 2 +-
 sshsha.c | 8 ++++----
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/ssh.c b/ssh.c
index 79c6ebf7..f1d62e83 100644
--- a/ssh.c
+++ b/ssh.c
@@ -7164,7 +7164,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
 ssh->cscipher->setiv(ssh->cs_cipher_ctx, keyspace);
 ssh2_mkkey(ssh,s->K,s->exchange_hash,'E',keyspace);
- assert(ssh->csmac->len <=
+ assert(ssh->csmac->keylen <=
 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
 ssh->csmac->setkey(ssh->cs_mac_ctx, keyspace);
 smemclr(keyspace, sizeof(keyspace));
@@ -7233,7 +7233,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
 ssh->sccipher->setiv(ssh->sc_cipher_ctx, keyspace);
 ssh2_mkkey(ssh,s->K,s->exchange_hash,'F',keyspace);
- assert(ssh->scmac->len <=
+ assert(ssh->scmac->keylen <=
 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
 ssh->scmac->setkey(ssh->sc_mac_ctx, keyspace);
 smemclr(keyspace, sizeof(keyspace));
diff --git a/ssh.h b/ssh.h
index 139ea33f..ef488e83 100644
--- a/ssh.h
+++ b/ssh.h
@@ -347,7 +347,7 @@ struct ssh_mac {
 void (*genresult) (void *, unsigned char *);
 int (*verresult) (void *, unsigned char const *);
 const char *name, *etm_name;
- int len;
+ int len, keylen;
 const char *text_name;
 };
 
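Review bot: The bound on the MAC key in the hunk at -7164 is enforced only by `assert`, and the `setkey` call two lines below still receives just the context and `keyspace`, so nothing visible here ties the number of bytes a MAC actually reads to the new `keylen` field. If a table entry's `keylen` ever disagrees with what its `setkey` consumes, the assert still passes while the MAC is keyed from a different amount of derived material. A comment at the assert would record the contract, for example `/* keylen must equal the bytes csmac->setkey reads from keyspace */`; passing the length into `setkey` would enforce it, but that is a wider interface change. The same point applies to the `scmac` hunk at -7233, and do_ssh2_transport begins and ends outside both hunks.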
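Review bot: The new `keylen` member in the ssh.h hunk is undocumented and shares a declaration with `len`, so the header never states which is the MAC output size and which is the key size. Every table fills the two positionally with bare integers, which means a transposed pair compiles without complaint. Splitting the declaration and commenting each field would fix this: `int len;    /* bytes of MAC output on the wire */` and `int keylen; /* bytes of derived key material used as the MAC key */`, with the wording taken from the commit message. struct ssh_mac starts above the hunk.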
diff --git a/sshccp.c b/sshccp.c index 82aca02b..5400d36c 100644 --- a/sshccp.c +++ b/sshccp.c @@ -1238,7 +1238,7 @@ static const struct ssh_mac ssh2_poly1305 = { poly_start, poly_bytes, poly_genresult, poly_verresult, "", "", /* Not selectable individually, just part of ChaCha20-Poly1305 */ - 16, "Poly1305" + 16, 0, "Poly1305" }; static void *ccp_make_context(void) diff --git a/sshmd5.c b/sshmd5.c index 4988223e..b39dfd3e 100644 --- a/sshmd5.c +++ b/sshmd5.c @@ -337,6 +337,6 @@ const struct ssh_mac ssh_hmac_md5 = { hmacmd5_generate, hmacmd5_verify, hmacmd5_start, hmacmd5_bytes, hmacmd5_genresult, hmacmd5_verresult, "hmac-md5", "hmac-md5-etm@openssh.com", - 16, + 16, 16, "HMAC-MD5" }; diff --git a/sshsh256.c b/sshsh256.c index b2bd862e..4186f3e8 100644 --- a/sshsh256.c +++ b/sshsh256.c @@ -345,7 +345,7 @@ const struct ssh_mac ssh_hmac_sha256 = { hmacsha256_start, hmacsha256_bytes, hmacsha256_genresult, hmacsha256_verresult, "hmac-sha2-256", "hmac-sha2-256-etm@openssh.com", - 32, + 32, 32, "HMAC-SHA-256" }; diff --git a/sshsha.c b/sshsha.c index 07a71ca2..c10a8217 100644 --- a/sshsha.c +++ b/sshsha.c @@ -421,7 +421,7 @@ const struct ssh_mac ssh_hmac_sha1 = { sha1_generate, sha1_verify, hmacsha1_start, hmacsha1_bytes, hmacsha1_genresult, hmacsha1_verresult, "hmac-sha1", "hmac-sha1-etm@openssh.com", - 20, + 20, 20, "HMAC-SHA1" }; @@ -431,7 +431,7 @@ const struct ssh_mac ssh_hmac_sha1_96 = { hmacsha1_start, hmacsha1_bytes, hmacsha1_96_genresult, hmacsha1_96_verresult, "hmac-sha1-96", "hmac-sha1-96-etm@openssh.com", - 12, + 12, 20, "HMAC-SHA1-96" }; @@ -440,7 +440,7 @@ const struct ssh_mac ssh_hmac_sha1_buggy = { sha1_generate, sha1_verify, hmacsha1_start, hmacsha1_bytes, hmacsha1_genresult, hmacsha1_verresult, "hmac-sha1", NULL, - 20, + 20, 16, "bug-compatible HMAC-SHA1" }; 
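Review bot: The `0` added as Poly1305's key length in the sshccp.c hunk is unexplained at the initializer, and it makes the `keylen` assert in ssh.c trivially true for this MAC. The existing comment says the MAC is only used as part of ChaCha20-Poly1305, which suggests its key does not come from the separate MAC key derivation, but that is an inference and the hunk does not say it. A reader could take the zero for an omission, so a short comment on that line would settle it, for example `16, 0, /* no separately derived MAC key */ "Poly1305"`, if that is indeed the reason.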
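Review bot: In the sshsha.c tables the MAC length and key length are adjacent bare integers (`12, 20,` for hmac-sha1-96, `20, 16,` and `12, 16,` for the bug-compatible variants), and these are exactly the entries where the two values differ. Swapping them would change the tag truncation or the amount of key used with no compiler diagnostic. A per-line comment such as `12, 20, /* MAC len, key len */` makes the order checkable by eye. On the `_buggy` entries it would help to state that 16 is deliberate, for example `/* bug-compatible: only 16 bytes of key used */`, matching the commit message. This covers all four sshsha.c hunks, including the one at -450, and the sshmd5.c and sshsh256.c entries would benefit from the same comment.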
@@ -450,6 +450,6 @@ const struct ssh_mac ssh_hmac_sha1_96_buggy = { hmacsha1_start, hmacsha1_bytes, hmacsha1_96_genresult, hmacsha1_96_verresult, "hmac-sha1-96", NULL, - 12, + 12, 16, "bug-compatible HMAC-SHA1-96" };