Make ssh2_mac_setkey take the key as a ptrlen.

This makes the API more flexible, so that it's not restricted to taking a key of precisely the length specified in the ssh2_macalg structure. Instead, ssh2bpp looks up that length to construct the MAC's key. Some MACs (e.g. Poly1305) will only _work_ with a single key length. But this way, I can run standard test vectors against MACs that can take a variable length (e.g. everything in the HMAC family).
2025-01-09 09:27:59 +00:00 · 2019-01-03 13:49:02 +00:00 · 2019-01-03 13:49:02 +00:00 · febef916a5
commit febef916a5
parent d169b04dba
6 changed files with 17 additions and 19 deletions
--- a/ssh.h
+++ b/ssh.h
@ -716,7 +716,7 @@ struct ssh2_macalg {
    /* Passes in the cipher context */
    ssh2_mac *(*new)(const struct ssh2_macalg *alg, ssh2_cipher *cipher);
    void (*free)(ssh2_mac *);
-    void (*setkey)(ssh2_mac *, const void *key);
+    void (*setkey)(ssh2_mac *, ptrlen key);
    void (*start)(ssh2_mac *);
    void (*genresult)(ssh2_mac *, unsigned char *);
    const char *name, *etm_name;
--- a/ssh2bpp.c
+++ b/ssh2bpp.c
@ -137,7 +137,7 @@ void ssh2_bpp_new_outgoing_crypto(
    s->out.etm_mode = etm_mode;
    if (mac) {
        s->out.mac = ssh2_mac_new(mac, s->out.cipher);
-        ssh2_mac_setkey(s->out.mac, mac_key);
+        ssh2_mac_setkey(s->out.mac, make_ptrlen(mac_key, mac->keylen));

        bpp_logevent("Initialised %s outbound MAC algorithm%s%s",
                     ssh2_mac_alg(s->out.mac)->text_name,
@ -194,7 +194,7 @@ void ssh2_bpp_new_incoming_crypto(
    s->in.etm_mode = etm_mode;
    if (mac) {
        s->in.mac = ssh2_mac_new(mac, s->in.cipher);
-        ssh2_mac_setkey(s->in.mac, mac_key);
+        ssh2_mac_setkey(s->in.mac, make_ptrlen(mac_key, mac->keylen));

        bpp_logevent("Initialised %s inbound MAC algorithm%s%s",
                     ssh2_mac_alg(s->in.mac)->text_name,
--- a/sshccp.c
+++ b/sshccp.c
@ -772,11 +772,12 @@ static void poly1305_init(struct poly1305 *ctx)
    bigval_clear(&ctx->h);
 }

-/* Takes a 256 bit key */
-static void poly1305_key(struct poly1305 *ctx, const unsigned char *key)
+static void poly1305_key(struct poly1305 *ctx, ptrlen key)
 {
+    assert(key.len == 32);             /* Takes a 256 bit key */
+
    unsigned char key_copy[16];
-    memcpy(key_copy, key, 16);
+    memcpy(key_copy, key.ptr, 16);

    /* Key the MAC itself
     * bytes 4, 8, 12 and 16 are required to have their top four bits clear */
@ -791,8 +792,8 @@ static void poly1305_key(struct poly1305 *ctx, const unsigned char *key)
    bigval_import_le(&ctx->r, key_copy, 16);
    smemclr(key_copy, sizeof(key_copy));

-    /* Use second 128 bits are the nonce */
-    memcpy(ctx->nonce, key+16, 16);
+    /* Use second 128 bits as the nonce */
+    memcpy(ctx->nonce, (const char *)key.ptr + 16, 16);
 }

 /* Feed up to 16 bytes (should only be less for the last chunk) */
@ -884,7 +885,7 @@ static void poly_ssh2_free(ssh2_mac *mac)
    /* Not allocated, just forwarded, no need to free */
 }

-static void poly_setkey(ssh2_mac *mac, const void *key)
+static void poly_setkey(ssh2_mac *mac, ptrlen key)
 {
    /* Uses the same context as ChaCha20, so ignore */
 }
@ -919,7 +920,7 @@ static void poly_BinarySink_write(BinarySink *bs, const void *blkv, size_t len)
        chacha20_round(&ctx->b_cipher);

        /* Set the poly key */
-        poly1305_key(&ctx->mac, ctx->b_cipher.current);
+        poly1305_key(&ctx->mac, make_ptrlen(ctx->b_cipher.current, 32));

        /* Set the first round as used */
        ctx->b_cipher.currentIndex = 64;
--- a/sshmd5.c
+++ b/sshmd5.c
@ -273,11 +273,11 @@ void hmacmd5_key(struct hmacmd5_context *ctx, void const *keyv, int len)
    smemclr(foo, 64);		       /* burn the evidence */
 }

-static void hmacmd5_ssh2_setkey(ssh2_mac *mac, const void *key)
+static void hmacmd5_ssh2_setkey(ssh2_mac *mac, ptrlen key)
 {
    struct hmacmd5_context *ctx =
        container_of(mac, struct hmacmd5_context, mac);
-    hmacmd5_key(ctx, key, ctx->mac.vt->keylen);
+    hmacmd5_key(ctx, key.ptr, key.len);
 }

 static void hmacmd5_start(ssh2_mac *mac)
--- a/sshsh256.c
+++ b/sshsh256.c
@ -293,10 +293,10 @@ static void sha256_key_internal(struct hmacsha256 *ctx,
    smemclr(foo, 64);		       /* burn the evidence */
 }

-static void hmacsha256_key(ssh2_mac *mac, const void *key)
+static void hmacsha256_key(ssh2_mac *mac, ptrlen key)
 {
    struct hmacsha256 *ctx = container_of(mac, struct hmacsha256, mac);
-    sha256_key_internal(ctx, key, ctx->mac.vt->keylen);
+    sha256_key_internal(ctx, key.ptr, key.len);
 }

 static void hmacsha256_start(ssh2_mac *mac)
--- a/sshsha.c
+++ b/sshsha.c
@ -322,13 +322,10 @@ static void sha1_key_internal(SHA_State *keys,
    smemclr(foo, 64);		       /* burn the evidence */
 }

-static void hmacsha1_key(ssh2_mac *mac, const void *key)
+static void hmacsha1_key(ssh2_mac *mac, ptrlen key)
 {
    struct hmacsha1 *ctx = container_of(mac, struct hmacsha1, mac);
-    /* Reading the key length out of the ssh2_macalg structure means
-     * this same method can be used for the _buggy variants which use
-     * a shorter key */
-    sha1_key_internal(ctx->sha, key, ctx->mac.vt->keylen);
+    sha1_key_internal(ctx->sha, key.ptr, key.len);
 }

 static void hmacsha1_start(ssh2_mac *mac)