From febef916a51463f628737efc394f02d051895704 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Thu, 3 Jan 2019 13:49:02 +0000 Subject: [PATCH] Make ssh2_mac_setkey take the key as a ptrlen. This makes the API more flexible, so that it's not restricted to taking a key of precisely the length specified in the ssh2_macalg structure. Instead, ssh2bpp looks up that length to construct the MAC's key. Some MACs (e.g. Poly1305) will only _work_ with a single key length. But this way, I can run standard test vectors against MACs that can take a variable length (e.g. everything in the HMAC family). --- ssh.h | 2 +- ssh2bpp.c | 4 ++-- sshccp.c | 15 ++++++++------- sshmd5.c | 4 ++-- sshsh256.c | 4 ++-- sshsha.c | 7 ++----- 6 files changed, 17 insertions(+), 19 deletions(-) diff --git a/ssh.h b/ssh.h index b860e7a8..e3b967fd 100644 --- a/ssh.h +++ b/ssh.h @@ -716,7 +716,7 @@ struct ssh2_macalg { /* Passes in the cipher context */ ssh2_mac *(*new)(const struct ssh2_macalg *alg, ssh2_cipher *cipher); void (*free)(ssh2_mac *); - void (*setkey)(ssh2_mac *, const void *key); + void (*setkey)(ssh2_mac *, ptrlen key); void (*start)(ssh2_mac *); void (*genresult)(ssh2_mac *, unsigned char *); const char *name, *etm_name; diff --git a/ssh2bpp.c b/ssh2bpp.c index 8cb82356..1343f79b 100644 --- a/ssh2bpp.c +++ b/ssh2bpp.c @@ -137,7 +137,7 @@ void ssh2_bpp_new_outgoing_crypto( s->out.etm_mode = etm_mode; if (mac) { s->out.mac = ssh2_mac_new(mac, s->out.cipher); - ssh2_mac_setkey(s->out.mac, mac_key); + ssh2_mac_setkey(s->out.mac, make_ptrlen(mac_key, mac->keylen)); bpp_logevent("Initialised %s outbound MAC algorithm%s%s", ssh2_mac_alg(s->out.mac)->text_name, @@ -194,7 +194,7 @@ void ssh2_bpp_new_incoming_crypto( s->in.etm_mode = etm_mode; if (mac) { s->in.mac = ssh2_mac_new(mac, s->in.cipher); - ssh2_mac_setkey(s->in.mac, mac_key); + ssh2_mac_setkey(s->in.mac, make_ptrlen(mac_key, mac->keylen)); bpp_logevent("Initialised %s inbound MAC algorithm%s%s", ssh2_mac_alg(s->in.mac)->text_name, diff --git a/sshccp.c b/sshccp.c index 81ae45b6..2a15c164 100644 --- a/sshccp.c +++ b/sshccp.c @@ -772,11 +772,12 @@ static void poly1305_init(struct poly1305 *ctx) bigval_clear(&ctx->h); } -/* Takes a 256 bit key */ -static void poly1305_key(struct poly1305 *ctx, const unsigned char *key) +static void poly1305_key(struct poly1305 *ctx, ptrlen key) { + assert(key.len == 32); /* Takes a 256 bit key */ + unsigned char key_copy[16]; - memcpy(key_copy, key, 16); + memcpy(key_copy, key.ptr, 16); /* Key the MAC itself * bytes 4, 8, 12 and 16 are required to have their top four bits clear */ @@ -791,8 +792,8 @@ static void poly1305_key(struct poly1305 *ctx, const unsigned char *key) bigval_import_le(&ctx->r, key_copy, 16); smemclr(key_copy, sizeof(key_copy)); - /* Use second 128 bits are the nonce */ - memcpy(ctx->nonce, key+16, 16); + /* Use second 128 bits as the nonce */ + memcpy(ctx->nonce, (const char *)key.ptr + 16, 16); } /* Feed up to 16 bytes (should only be less for the last chunk) */ @@ -884,7 +885,7 @@ static void poly_ssh2_free(ssh2_mac *mac) /* Not allocated, just forwarded, no need to free */ } -static void poly_setkey(ssh2_mac *mac, const void *key) +static void poly_setkey(ssh2_mac *mac, ptrlen key) { /* Uses the same context as ChaCha20, so ignore */ } @@ -919,7 +920,7 @@ static void poly_BinarySink_write(BinarySink *bs, const void *blkv, size_t len) chacha20_round(&ctx->b_cipher); /* Set the poly key */ - poly1305_key(&ctx->mac, ctx->b_cipher.current); + poly1305_key(&ctx->mac, make_ptrlen(ctx->b_cipher.current, 32)); /* Set the first round as used */ ctx->b_cipher.currentIndex = 64; diff --git a/sshmd5.c b/sshmd5.c index b4121aa5..12e70b1f 100644 --- a/sshmd5.c +++ b/sshmd5.c @@ -273,11 +273,11 @@ void hmacmd5_key(struct hmacmd5_context *ctx, void const *keyv, int len) smemclr(foo, 64); /* burn the evidence */ } -static void hmacmd5_ssh2_setkey(ssh2_mac *mac, const void *key) +static void hmacmd5_ssh2_setkey(ssh2_mac *mac, ptrlen key) { struct hmacmd5_context *ctx = container_of(mac, struct hmacmd5_context, mac); - hmacmd5_key(ctx, key, ctx->mac.vt->keylen); + hmacmd5_key(ctx, key.ptr, key.len); } static void hmacmd5_start(ssh2_mac *mac) diff --git a/sshsh256.c b/sshsh256.c index d8438e25..a3377ade 100644 --- a/sshsh256.c +++ b/sshsh256.c @@ -293,10 +293,10 @@ static void sha256_key_internal(struct hmacsha256 *ctx, smemclr(foo, 64); /* burn the evidence */ } -static void hmacsha256_key(ssh2_mac *mac, const void *key) +static void hmacsha256_key(ssh2_mac *mac, ptrlen key) { struct hmacsha256 *ctx = container_of(mac, struct hmacsha256, mac); - sha256_key_internal(ctx, key, ctx->mac.vt->keylen); + sha256_key_internal(ctx, key.ptr, key.len); } static void hmacsha256_start(ssh2_mac *mac) diff --git a/sshsha.c b/sshsha.c index b49355c5..545e8c48 100644 --- a/sshsha.c +++ b/sshsha.c @@ -322,13 +322,10 @@ static void sha1_key_internal(SHA_State *keys, smemclr(foo, 64); /* burn the evidence */ } -static void hmacsha1_key(ssh2_mac *mac, const void *key) +static void hmacsha1_key(ssh2_mac *mac, ptrlen key) { struct hmacsha1 *ctx = container_of(mac, struct hmacsha1, mac); - /* Reading the key length out of the ssh2_macalg structure means - * this same method can be used for the _buggy variants which use - * a shorter key */ - sha1_key_internal(ctx->sha, key, ctx->mac.vt->keylen); + sha1_key_internal(ctx->sha, key.ptr, key.len); } static void hmacsha1_start(ssh2_mac *mac)