chacha20+poly1305 authenticated encryption
Damien Miller
djm at mindrot.org
Mon Nov 18 01:01:40 EST 2013
On Sun, 17 Nov 2013, Damien Miller wrote:
> On Sun, 17 Nov 2013, Christian Weisgerber wrote:
>
> > Christian Weisgerber <naddy at mips.inka.de> wrote:
> >
> > > There must be a bug somewhere else, but I don't see it.
> >
> > Found it. The authentication tag size was wrong in the ciphers
> > table. With the changes below, this now passes the relevant
> > regression tests on alpha, amd64, and sparc64; and I verified that
> > these architectures all interoperate successfully.
>
> Thanks, good catches.
This incorporates naddy's fixes, adds a "cipher-auth" query mode
(ssh -Q cipher-auth) that lists only ciphers that offer authenticated
encryption and uses this to better automate the regress tests.
Index: usr.bin/ssh/PROTOCOL
===================================================================
RCS file: /cvs/src/usr.bin/ssh/PROTOCOL,v
retrieving revision 1.21
diff -u -p -r1.21 PROTOCOL
--- usr.bin/ssh/PROTOCOL 17 Oct 2013 00:30:13 -0000 1.21
+++ usr.bin/ssh/PROTOCOL 17 Nov 2013 13:57:29 -0000
@@ -91,6 +91,11 @@ an MAC algorithm. Additionally, if AES-G
the exchanged MAC algorithms are ignored and there doesn't have to be
a matching MAC.
+1.7 transport: chacha20-poly1305 at openssh.com authenticated encryption
+
+OpenSSH supports authenticated encryption using ChaCha20 and Poly1305
+as described in PROTOCOL.chacha20poly1305.
+
2. Connection protocol changes
2.1. connection: Channel write close extension "eow at openssh.com"
Index: usr.bin/ssh/PROTOCOL.chacha20poly1305
===================================================================
RCS file: usr.bin/ssh/PROTOCOL.chacha20poly1305
diff -N usr.bin/ssh/PROTOCOL.chacha20poly1305
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.bin/ssh/PROTOCOL.chacha20poly1305 17 Nov 2013 13:57:29 -0000
@@ -0,0 +1,102 @@
+This document describes the chacha20-poly1305 at openssh.com authenticated
+encryption cipher supported by OpenSSH.
+
+Background
+----------
+
+ChaCha20 is a stream cipher designed by Daniel Bernstein and described
+in [1]. It operates by permuting 128 fixed bits, 128 or 256 bits of key,
+a 64 bit nonce and a 64 bit counter into 64 bytes of output. This output
+is used as a keystream, with any unused bytes simply discarded.
+
+Poly1305[2] also by Daniel Bernstien is a one-time Carter-Wegman MAC
+that computes a 128 bit integrity tag given a message and a 256 bit key.
+
+The chacha20-poly1305 at openssh.com combines these two primitives into an
+authenticated encryption mode. The construction used is based on that
+proposed for TLS by Adam Langley in [3], but differs in the layout of
+data passed to the MAC and in the addition of encyption of the packet
+lengths.
+
+Negotiation
+-----------
+
+The chacha20-poly1305 at openssh.com offers both encryption and
+authentication. As such, no separate MAC is required. If the
+chacha20-poly1305 at openssh.com cipher is selected in key exchange,
+the offered MAC algorithms are ignored and no MAC is required to be
+negotiated.
+
+Detailed Construction
+---------------------
+
+The chacha20-poly1305 at openssh.com cipher requires 512 bits of key
+material as output from the SSH key exchange. This forms two 256 bit
+keys (K_1 and K_2), used by two separate instances of chacha20.
+
+The instance keyed by K_1 is a stream cipher that is used only
+to encrypt the 4 byte packet length field. The second instance,
+keyed by K_2, is used in conjunction with poly1305 to build an AEAD
+(Authenticated Encryption with Associated Data) that is used to encrypt
+and authenticate the entire packet.
+
+Two separate cipher instances are used here so as to keep the packet
+lengths confidential but not create an oracle for the packet payload
+encryption by decrypting and using the packet length prior to checking
+the MAC. By using an independently-keyed cipher instance to encrypt the
+length, an active attacker seeking to exploit the packet input handling
+as a decryption oracle can learn nothing about the payload contents or
+its MAC (assuming key derivation is secure).
+
+The AEAD is constructed as follows: for each packet, generate a Poly1305
+key by taking the first 256 bits of ChaCha20 stream output generated
+using K_2, an IV consisting of the packet sequence number encoded as an
+uint64 under the SSH wire encoding rules and a ChaCha20 block counter of
+zero. The K_2 ChaCha20 block counter is then set to the little-endian
+encoding of 1 (i.e. {1, 0, 0, 0, 0, 0, 0, 0}) and this instance is used
+for encryption of the packet payload.
+
+Packet Handling
+---------------
+
+When receiving a packet, the length must be decrypted first. When 4
+bytes of ciphertext length have been received, they may be decrypted
+using the K_1 key, a nonce consisting of the packet sequence number
+encoded as a uint64 under the usual SSH wire encoding and a zero block
+counter to obtain the plaintext length.
+
+Once the entire packet has been received, the MAC MUST be checked
+before decryption. A per-packet Poly1305 key is generated as described
+above and the MAC tag calculated using Poly1305 with this key over the
+ciphertext of the packet length and the payload together. The calculated
+MAC is then compared with the one appended to the packet and the packet
+decrypted using ChaCha20 as described above (with K_2, the packet
+sequence number as nonce and a starting block counter of 1).
+
+To send a packet, first encode the 4 byte length and encrypt it using
+K_1. Encrypt the packet payload (using K_2) and append it to the
+encrypted length. Finally, calculate a MAC tag and append it.
+
+Rekeying
+--------
+
+ChaCha20 must never reuse a {key, nonce} for encryption nor may it be
+used to encrypt more than 2^70 bytes under the same {key, nonce}. The
+SSH Transport protocol (RFC4253) recommends rekeying every 1GB of data
+sent or received. If this recommendation is followed, then
+chacha20-poly1305 at openssh.com requires no special handling in this area.
+
+References
+----------
+
+[1] "ChaCha, a variant of Salsa20", Daniel Bernstein
+ http://cr.yp.to/chacha/chacha-20080128.pdf
+
+[2] "The Poly1305-AES message-authentication code", Daniel Bernstein
+ http://cr.yp.to/mac/poly1305-20050329.pdf
+
+[3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
+ http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
+
+$OpenBSD$
+
Index: usr.bin/ssh/authfile.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/authfile.c,v
retrieving revision 1.97
diff -u -p -r1.97 authfile.c
--- usr.bin/ssh/authfile.c 17 May 2013 00:13:13 -0000 1.97
+++ usr.bin/ssh/authfile.c 17 Nov 2013 13:57:29 -0000
@@ -144,7 +144,7 @@ key_private_rsa1_to_blob(Key *key, Buffe
cipher_set_key_string(&ciphercontext, cipher, passphrase,
CIPHER_ENCRYPT);
- cipher_crypt(&ciphercontext, cp,
+ cipher_crypt(&ciphercontext, 0, cp,
buffer_ptr(&buffer), buffer_len(&buffer), 0, 0);
cipher_cleanup(&ciphercontext);
memset(&ciphercontext, 0, sizeof(ciphercontext));
@@ -462,7 +462,7 @@ key_parse_private_rsa1(Buffer *blob, con
/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
cipher_set_key_string(&ciphercontext, cipher, passphrase,
CIPHER_DECRYPT);
- cipher_crypt(&ciphercontext, cp,
+ cipher_crypt(&ciphercontext, 0, cp,
buffer_ptr(©), buffer_len(©), 0, 0);
cipher_cleanup(&ciphercontext);
memset(&ciphercontext, 0, sizeof(ciphercontext));
Index: usr.bin/ssh/chacha.c
===================================================================
RCS file: usr.bin/ssh/chacha.c
diff -N usr.bin/ssh/chacha.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.bin/ssh/chacha.c 17 Nov 2013 13:57:29 -0000
@@ -0,0 +1,217 @@
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+#include "chacha.h"
+
+/* $OpenBSD$ */
+
+typedef unsigned char u8;
+typedef unsigned int u32;
+
+typedef struct chacha_ctx chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((u8)(v) & U8C(0xFF))
+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+ (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+ (((u32)((p)[0]) ) | \
+ ((u32)((p)[1]) << 8) | \
+ ((u32)((p)[2]) << 16) | \
+ ((u32)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+ do { \
+ (p)[0] = U8V((v) ); \
+ (p)[1] = U8V((v) >> 8); \
+ (p)[2] = U8V((v) >> 16); \
+ (p)[3] = U8V((v) >> 24); \
+ } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+ a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+ c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+ a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+ c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const char sigma[16] = "expand 32-byte k";
+static const char tau[16] = "expand 16-byte k";
+
+void
+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
+{
+ const char *constants;
+
+ x->input[4] = U8TO32_LITTLE(k + 0);
+ x->input[5] = U8TO32_LITTLE(k + 4);
+ x->input[6] = U8TO32_LITTLE(k + 8);
+ x->input[7] = U8TO32_LITTLE(k + 12);
+ if (kbits == 256) { /* recommended */
+ k += 16;
+ constants = sigma;
+ } else { /* kbits == 128 */
+ constants = tau;
+ }
+ x->input[8] = U8TO32_LITTLE(k + 0);
+ x->input[9] = U8TO32_LITTLE(k + 4);
+ x->input[10] = U8TO32_LITTLE(k + 8);
+ x->input[11] = U8TO32_LITTLE(k + 12);
+ x->input[0] = U8TO32_LITTLE(constants + 0);
+ x->input[1] = U8TO32_LITTLE(constants + 4);
+ x->input[2] = U8TO32_LITTLE(constants + 8);
+ x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+void
+chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
+{
+ x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
+ x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
+ x->input[14] = U8TO32_LITTLE(iv + 0);
+ x->input[15] = U8TO32_LITTLE(iv + 4);
+}
+
+void
+chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+ u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+ u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+ u8 *ctarget = NULL;
+ u8 tmp[64];
+ u_int i;
+
+ if (!bytes) return;
+
+ j0 = x->input[0];
+ j1 = x->input[1];
+ j2 = x->input[2];
+ j3 = x->input[3];
+ j4 = x->input[4];
+ j5 = x->input[5];
+ j6 = x->input[6];
+ j7 = x->input[7];
+ j8 = x->input[8];
+ j9 = x->input[9];
+ j10 = x->input[10];
+ j11 = x->input[11];
+ j12 = x->input[12];
+ j13 = x->input[13];
+ j14 = x->input[14];
+ j15 = x->input[15];
+
+ for (;;) {
+ if (bytes < 64) {
+ for (i = 0;i < bytes;++i) tmp[i] = m[i];
+ m = tmp;
+ ctarget = c;
+ c = tmp;
+ }
+ x0 = j0;
+ x1 = j1;
+ x2 = j2;
+ x3 = j3;
+ x4 = j4;
+ x5 = j5;
+ x6 = j6;
+ x7 = j7;
+ x8 = j8;
+ x9 = j9;
+ x10 = j10;
+ x11 = j11;
+ x12 = j12;
+ x13 = j13;
+ x14 = j14;
+ x15 = j15;
+ for (i = 20;i > 0;i -= 2) {
+ QUARTERROUND( x0, x4, x8,x12)
+ QUARTERROUND( x1, x5, x9,x13)
+ QUARTERROUND( x2, x6,x10,x14)
+ QUARTERROUND( x3, x7,x11,x15)
+ QUARTERROUND( x0, x5,x10,x15)
+ QUARTERROUND( x1, x6,x11,x12)
+ QUARTERROUND( x2, x7, x8,x13)
+ QUARTERROUND( x3, x4, x9,x14)
+ }
+ x0 = PLUS(x0,j0);
+ x1 = PLUS(x1,j1);
+ x2 = PLUS(x2,j2);
+ x3 = PLUS(x3,j3);
+ x4 = PLUS(x4,j4);
+ x5 = PLUS(x5,j5);
+ x6 = PLUS(x6,j6);
+ x7 = PLUS(x7,j7);
+ x8 = PLUS(x8,j8);
+ x9 = PLUS(x9,j9);
+ x10 = PLUS(x10,j10);
+ x11 = PLUS(x11,j11);
+ x12 = PLUS(x12,j12);
+ x13 = PLUS(x13,j13);
+ x14 = PLUS(x14,j14);
+ x15 = PLUS(x15,j15);
+
+ x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+ x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+ x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+ x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+ x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+ x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+ x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+ x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+ x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+ x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+ x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+ x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+ x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+ x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+ x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+ x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+
+ j12 = PLUSONE(j12);
+ if (!j12) {
+ j13 = PLUSONE(j13);
+ /* stopping at 2^70 bytes per nonce is user's responsibility */
+ }
+
+ U32TO8_LITTLE(c + 0,x0);
+ U32TO8_LITTLE(c + 4,x1);
+ U32TO8_LITTLE(c + 8,x2);
+ U32TO8_LITTLE(c + 12,x3);
+ U32TO8_LITTLE(c + 16,x4);
+ U32TO8_LITTLE(c + 20,x5);
+ U32TO8_LITTLE(c + 24,x6);
+ U32TO8_LITTLE(c + 28,x7);
+ U32TO8_LITTLE(c + 32,x8);
+ U32TO8_LITTLE(c + 36,x9);
+ U32TO8_LITTLE(c + 40,x10);
+ U32TO8_LITTLE(c + 44,x11);
+ U32TO8_LITTLE(c + 48,x12);
+ U32TO8_LITTLE(c + 52,x13);
+ U32TO8_LITTLE(c + 56,x14);
+ U32TO8_LITTLE(c + 60,x15);
+
+ if (bytes <= 64) {
+ if (bytes < 64) {
+ for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+ }
+ x->input[12] = j12;
+ x->input[13] = j13;
+ return;
+ }
+ bytes -= 64;
+ c += 64;
+ m += 64;
+ }
+}
Index: usr.bin/ssh/chacha.h
===================================================================
RCS file: usr.bin/ssh/chacha.h
diff -N usr.bin/ssh/chacha.h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.bin/ssh/chacha.h 17 Nov 2013 13:57:29 -0000
@@ -0,0 +1,35 @@
+/* $OpenBSD$ */
+
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+#ifndef CHACHA_H
+#define CHACHA_H
+
+#include <sys/types.h>
+
+struct chacha_ctx {
+ u_int input[16];
+};
+
+#define CHACHA_MINKEYLEN 16
+#define CHACHA_NONCELEN 8
+#define CHACHA_CTRLEN 8
+#define CHACHA_STATELEN (CHACHA_NONCELEN+CHACHA_CTRLEN)
+#define CHACHA_BLOCKLEN 64
+
+void chacha_keysetup(struct chacha_ctx *x, const u_char *k, u_int kbits)
+ __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
+void chacha_ivsetup(struct chacha_ctx *x, const u_char *iv, const u_char *ctr)
+ __attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
+ __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
+void chacha_encrypt_bytes(struct chacha_ctx *x, const u_char *m,
+ u_char *c, u_int bytes)
+ __attribute__((__bounded__(__buffer__, 2, 4)))
+ __attribute__((__bounded__(__buffer__, 3, 4)));
+
+#endif /* CHACHA_H */
+
Index: usr.bin/ssh/chacha20poly1305aead.c
===================================================================
RCS file: usr.bin/ssh/chacha20poly1305aead.c
diff -N usr.bin/ssh/chacha20poly1305aead.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.bin/ssh/chacha20poly1305aead.c 17 Nov 2013 13:57:30 -0000
@@ -0,0 +1,110 @@
+/*
+ * Copyright (c) 2013 Damien Miller <djm at mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <stdarg.h> /* needed for log.h */
+#include <string.h>
+#include <stdio.h> /* needed for misc.h */
+
+#include "log.h"
+#include "misc.h"
+#include "chacha20poly1305aead.h"
+
+void cp_aead_init(struct chacha_poly_aead_ctx *ctx,
+ const u_char *key, u_int keylen)
+{
+ if (keylen != (32 + 32)) /* 2 x 256 bit keys */
+ fatal("%s: invalid keylen %u", __func__, keylen);
+ chacha_keysetup(&ctx->main_ctx, key, 256);
+ chacha_keysetup(&ctx->header_ctx, key + 32, 256);
+}
+
+/*
+ * cp_aead_crypt() operates as following:
+ * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
+ * Theses bytes are treated as additional authenticated data.
+ * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
+ * Use POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the
+ * authentication tag.
+ * This tag is written on encryption and verified on decryption.
+ * Both 'aadlen' and 'authlen' can be set to 0.
+ */
+int
+cp_aead_crypt(struct chacha_poly_aead_ctx *ctx, u_int seqnr, u_char *dest,
+ const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt)
+{
+ u_char seqbuf[8];
+ u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB. little-endian */
+ u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
+ int r = -1;
+
+ /*
+ * Run ChaCha20 once to generate the Poly1305 key. The IV is the
+ * packet sequence number.
+ */
+ bzero(poly_key, sizeof(poly_key));
+ put_u64(seqbuf, seqnr);
+ chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
+ chacha_encrypt_bytes(&ctx->main_ctx,
+ poly_key, poly_key, sizeof(poly_key));
+ /* Set Chacha's block counter to 1 */
+ chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
+
+ /* If decrypting, check tag before anything else */
+ if (!do_encrypt) {
+ const u_char *tag = src + aadlen + len;
+
+ poly1305_auth(expected_tag, src, aadlen + len, poly_key);
+ if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0)
+ goto out;
+ }
+ /* Crypt additional data */
+ if (aadlen) {
+ chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
+ chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
+ }
+ chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
+ dest + aadlen, len);
+
+ /* If encrypting, calculate and append tag */
+ if (do_encrypt) {
+ poly1305_auth(dest + aadlen + len, dest, aadlen + len,
+ poly_key);
+ }
+ r = 0;
+
+ out:
+ bzero(expected_tag, sizeof(expected_tag));
+ bzero(seqbuf, sizeof(seqbuf));
+ bzero(poly_key, sizeof(poly_key));
+ return r;
+}
+
+int
+cp_aead_get_length(struct chacha_poly_aead_ctx *ctx,
+ u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
+{
+ u_char buf[4], seqbuf[8];
+
+ if (len < 4)
+ return -1; /* Insufficient length */
+ put_u64(seqbuf, seqnr);
+ chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
+ chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4);
+ *plenp = get_u32(buf);
+ return 0;
+}
+
Index: usr.bin/ssh/chacha20poly1305aead.h
===================================================================
RCS file: usr.bin/ssh/chacha20poly1305aead.h
diff -N usr.bin/ssh/chacha20poly1305aead.h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.bin/ssh/chacha20poly1305aead.h 17 Nov 2013 13:57:30 -0000
@@ -0,0 +1,41 @@
+/* $OpenBSD$ */
+
+/*
+ * Copyright (c) Damien Miller 2013 <djm at mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifndef CHACHA_POLY_AEAD_H
+#define CHACHA_POLY_AEAD_H
+
+#include <sys/types.h>
+#include "chacha.h"
+#include "poly1305-donna-unrolled.h"
+
+#define CHACHA_KEYLEN 32 /* Only 256 bit keys used here */
+
+struct chacha_poly_aead_ctx {
+ struct chacha_ctx main_ctx, header_ctx;
+};
+
+void cp_aead_init(struct chacha_poly_aead_ctx *cpctx,
+ const u_char *key, u_int keylen)
+ __attribute__((__bounded__(__buffer__, 2, 3)));
+int cp_aead_crypt(struct chacha_poly_aead_ctx *cpctx, u_int seqnr,
+ u_char *dest, const u_char *src, u_int len, u_int aadlen, u_int authlen,
+ int do_encrypt);
+int cp_aead_get_length(struct chacha_poly_aead_ctx *cpctx,
+ u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
+ __attribute__((__bounded__(__buffer__, 4, 5)));
+
+#endif /* CHACHA_POLY_AEAD_H */
Index: usr.bin/ssh/cipher.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/cipher.c,v
retrieving revision 1.90
diff -u -p -r1.90 cipher.c
--- usr.bin/ssh/cipher.c 7 Nov 2013 11:58:27 -0000 1.90
+++ usr.bin/ssh/cipher.c 17 Nov 2013 13:57:30 -0000
@@ -41,9 +41,11 @@
#include <string.h>
#include <stdarg.h>
+#include <stdio.h>
#include "xmalloc.h"
#include "log.h"
+#include "misc.h"
#include "cipher.h"
extern const EVP_CIPHER *evp_ssh1_bf(void);
@@ -58,7 +60,9 @@ struct Cipher {
u_int iv_len; /* defaults to block_size */
u_int auth_len;
u_int discard_len;
- u_int cbc_mode;
+ u_int flags;
+#define CFLAG_CBC (1<<0)
+#define CFLAG_CP_AEAD (1<<1)
const EVP_CIPHER *(*evptype)(void);
};
@@ -88,6 +92,8 @@ static const struct Cipher ciphers[] = {
SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
{ "aes256-gcm at openssh.com",
SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+ { "chacha20-poly1305 at openssh.com",
+ SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CP_AEAD, NULL },
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
};
@@ -96,7 +102,7 @@ static const struct Cipher ciphers[] = {
/* Returns a list of supported ciphers separated by the specified char. */
char *
-cipher_alg_list(char sep)
+cipher_alg_list(char sep, int auth_only)
{
char *ret = NULL;
size_t nlen, rlen = 0;
@@ -105,6 +111,8 @@ cipher_alg_list(char sep)
for (c = ciphers; c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2)
continue;
+ if (auth_only && c->auth_len == 0)
+ continue;
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(c->name);
@@ -136,7 +144,12 @@ cipher_authlen(const Cipher *c)
u_int
cipher_ivlen(const Cipher *c)
{
- return (c->iv_len ? c->iv_len : c->block_size);
+ /*
+ * Default is cipher block size, except for chacha20+poly1305 that
+ * needs no IV. XXX make iv_len == -1 default?
+ */
+ return (c->iv_len != 0 || (c->flags & CFLAG_CP_AEAD) != 0) ?
+ c->iv_len : c->block_size;
}
u_int
@@ -148,7 +161,7 @@ cipher_get_number(const Cipher *c)
u_int
cipher_is_cbc(const Cipher *c)
{
- return (c->cbc_mode);
+ return (c->flags & CFLAG_CBC) != 0;
}
u_int
@@ -264,8 +277,11 @@ cipher_init(CipherContext *cc, const Cip
ivlen, cipher->name);
cc->cipher = cipher;
+ if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0) {
+ cp_aead_init(&cc->cp_ctx, key, keylen);
+ return;
+ }
type = (*cipher->evptype)();
-
EVP_CIPHER_CTX_init(&cc->evp);
if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
(do_encrypt == CIPHER_ENCRYPT)) == 0)
@@ -310,9 +326,15 @@ cipher_init(CipherContext *cc, const Cip
* Both 'aadlen' and 'authlen' can be set to 0.
*/
void
-cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src,
+cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src,
u_int len, u_int aadlen, u_int authlen)
{
+ if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0) {
+ if (cp_aead_crypt(&cc->cp_ctx, seqnr, dest, src, len, aadlen,
+ authlen, cc->encrypt) != 0)
+ fatal("Decryption integrity check failed");
+ return;
+ }
if (authlen) {
u_char lastiv[1];
@@ -354,10 +376,29 @@ cipher_crypt(CipherContext *cc, u_char *
}
}
+/*
+ * Extract the packet length for an AEAD cipher, including any decryption
+ * necessary beforehand.
+ */
+int
+cipher_aead_get_length(CipherContext *cc, u_int *plenp, u_int seqnr,
+ const u_char *cp, u_int len)
+{
+ if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0)
+ return cp_aead_get_length(&cc->cp_ctx, plenp, seqnr,
+ cp, len);
+ if (len < 4)
+ return -1;
+ *plenp = get_u32(cp);
+ return 0;
+}
+
void
cipher_cleanup(CipherContext *cc)
{
- if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
+ if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0)
+ bzero(&cc->cp_ctx, sizeof(&cc->cp_ctx));
+ else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
}
@@ -397,6 +438,8 @@ cipher_get_keyiv_len(const CipherContext
if (c->number == SSH_CIPHER_3DES)
ivlen = 24;
+ else if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0)
+ ivlen = 0;
else
ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
return (ivlen);
@@ -408,6 +451,12 @@ cipher_get_keyiv(CipherContext *cc, u_ch
const Cipher *c = cc->cipher;
int evplen;
+ if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0) {
+ if (len != 0)
+ fatal("%s: wrong iv length %d != %d", __func__, len, 0);
+ return;
+ }
+
switch (c->number) {
case SSH_CIPHER_SSH2:
case SSH_CIPHER_DES:
@@ -438,6 +487,9 @@ cipher_set_keyiv(CipherContext *cc, u_ch
{
const Cipher *c = cc->cipher;
int evplen = 0;
+
+ if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0)
+ return;
switch (c->number) {
case SSH_CIPHER_SSH2:
Index: usr.bin/ssh/cipher.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/cipher.h,v
retrieving revision 1.41
diff -u -p -r1.41 cipher.h
--- usr.bin/ssh/cipher.h 7 Nov 2013 11:58:27 -0000 1.41
+++ usr.bin/ssh/cipher.h 17 Nov 2013 13:57:30 -0000
@@ -38,6 +38,8 @@
#define CIPHER_H
#include <openssl/evp.h>
+#include "chacha20poly1305aead.h"
+
/*
* Cipher types for SSH-1. New types can be added, but old types should not
* be removed for compatibility. The maximum allowed value is 31.
@@ -65,7 +67,9 @@ struct Cipher;
struct CipherContext {
int plaintext;
int encrypt;
+ int is_cp_aead;
EVP_CIPHER_CTX evp;
+ struct chacha_poly_aead_ctx cp_ctx; /* XXX union with evp? */
const Cipher *cipher;
};
@@ -75,11 +79,13 @@ const Cipher *cipher_by_number(int);
int cipher_number(const char *);
char *cipher_name(int);
int ciphers_valid(const char *);
-char *cipher_alg_list(char);
+char *cipher_alg_list(char, int);
void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int,
const u_char *, u_int, int);
-void cipher_crypt(CipherContext *, u_char *, const u_char *,
+void cipher_crypt(CipherContext *, u_int, u_char *, const u_char *,
u_int, u_int, u_int);
+int cipher_aead_get_length(CipherContext *, u_int *, u_int,
+ const u_char *, u_int);
void cipher_cleanup(CipherContext *);
void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
u_int cipher_blocksize(const Cipher *);
Index: usr.bin/ssh/myproposal.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/myproposal.h,v
retrieving revision 1.33
diff -u -p -r1.33 myproposal.h
--- usr.bin/ssh/myproposal.h 2 Nov 2013 21:59:15 -0000 1.33
+++ usr.bin/ssh/myproposal.h 17 Nov 2013 13:57:30 -0000
@@ -52,6 +52,7 @@
"aes128-ctr,aes192-ctr,aes256-ctr," \
"arcfour256,arcfour128," \
"aes128-gcm at openssh.com,aes256-gcm at openssh.com," \
+ "chacha20-poly1305 at openssh.com," \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se"
#define KEX_DEFAULT_MAC \
Index: usr.bin/ssh/packet.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/packet.c,v
retrieving revision 1.189
diff -u -p -r1.189 packet.c
--- usr.bin/ssh/packet.c 8 Nov 2013 00:39:15 -0000 1.189
+++ usr.bin/ssh/packet.c 17 Nov 2013 13:57:30 -0000
@@ -702,7 +702,7 @@ packet_send1(void)
buffer_append(&active_state->output, buf, 4);
cp = buffer_append_space(&active_state->output,
buffer_len(&active_state->outgoing_packet));
- cipher_crypt(&active_state->send_context, cp,
+ cipher_crypt(&active_state->send_context, 0, cp,
buffer_ptr(&active_state->outgoing_packet),
buffer_len(&active_state->outgoing_packet), 0, 0);
@@ -935,8 +935,8 @@ packet_send2_wrapped(void)
}
/* encrypt packet and append to output buffer. */
cp = buffer_append_space(&active_state->output, len + authlen);
- cipher_crypt(&active_state->send_context, cp,
- buffer_ptr(&active_state->outgoing_packet),
+ cipher_crypt(&active_state->send_context, active_state->p_send.seqnr,
+ cp, buffer_ptr(&active_state->outgoing_packet),
len - aadlen, aadlen, authlen);
/* append unencrypted MAC */
if (mac && mac->enabled) {
@@ -1196,7 +1196,7 @@ packet_read_poll1(void)
/* Decrypt data to incoming_packet. */
buffer_clear(&active_state->incoming_packet);
cp = buffer_append_space(&active_state->incoming_packet, padded_len);
- cipher_crypt(&active_state->receive_context, cp,
+ cipher_crypt(&active_state->receive_context, 0, cp,
buffer_ptr(&active_state->input), padded_len, 0, 0);
buffer_consume(&active_state->input, padded_len);
@@ -1267,10 +1267,12 @@ packet_read_poll2(u_int32_t *seqnr_p)
aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
if (aadlen && active_state->packlen == 0) {
- if (buffer_len(&active_state->input) < 4)
+ if (cipher_aead_get_length(&active_state->receive_context,
+ &active_state->packlen,
+ active_state->p_read.seqnr,
+ buffer_ptr(&active_state->input),
+ buffer_len(&active_state->input)) != 0)
return SSH_MSG_NONE;
- cp = buffer_ptr(&active_state->input);
- active_state->packlen = get_u32(cp);
if (active_state->packlen < 1 + 4 ||
active_state->packlen > PACKET_MAX_SIZE) {
#ifdef PACKET_DEBUG
@@ -1290,7 +1292,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
buffer_clear(&active_state->incoming_packet);
cp = buffer_append_space(&active_state->incoming_packet,
block_size);
- cipher_crypt(&active_state->receive_context, cp,
+ cipher_crypt(&active_state->receive_context,
+ active_state->p_read.seqnr, cp,
buffer_ptr(&active_state->input), block_size, 0, 0);
cp = buffer_ptr(&active_state->incoming_packet);
active_state->packlen = get_u32(cp);
@@ -1345,7 +1348,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
macbuf = mac_compute(mac, active_state->p_read.seqnr,
buffer_ptr(&active_state->input), aadlen + need);
cp = buffer_append_space(&active_state->incoming_packet, aadlen + need);
- cipher_crypt(&active_state->receive_context, cp,
+ cipher_crypt(&active_state->receive_context,
+ active_state->p_read.seqnr, cp,
buffer_ptr(&active_state->input), need, aadlen, authlen);
buffer_consume(&active_state->input, aadlen + need + authlen);
/*
Index: usr.bin/ssh/poly1305-donna-unrolled.c
===================================================================
RCS file: usr.bin/ssh/poly1305-donna-unrolled.c
diff -N usr.bin/ssh/poly1305-donna-unrolled.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.bin/ssh/poly1305-donna-unrolled.c 17 Nov 2013 13:57:30 -0000
@@ -0,0 +1,154 @@
+/*
+ * Public Domain poly1305-donna from Andrew M.
+ * https://github.com/floodyberry/poly1305-donna
+ */
+
+#include <sys/types.h>
+#include <stdint.h>
+
+#include "poly1305-donna-unrolled.h"
+
+#define mul32x32_64(a,b) ((uint64_t)(a) * (b))
+
+#define U8TO32_LE(p) \
+ (((uint32_t)((p)[0])) | \
+ ((uint32_t)((p)[1]) << 8) | \
+ ((uint32_t)((p)[2]) << 16) | \
+ ((uint32_t)((p)[3]) << 24))
+
+#define U32TO8_LE(p, v) \
+ do { \
+ (p)[0] = (uint8_t)((v)); \
+ (p)[1] = (uint8_t)((v) >> 8); \
+ (p)[2] = (uint8_t)((v) >> 16); \
+ (p)[3] = (uint8_t)((v) >> 24); \
+ } while (0)
+
+void
+poly1305_auth(unsigned char out[POLY1305_TAGLEN], const unsigned char *m, size_t inlen, const unsigned char key[POLY1305_KEYLEN]) {
+ uint32_t t0,t1,t2,t3;
+ uint32_t h0,h1,h2,h3,h4;
+ uint32_t r0,r1,r2,r3,r4;
+ uint32_t s1,s2,s3,s4;
+ uint32_t b, nb;
+ size_t j;
+ uint64_t t[5];
+ uint64_t f0,f1,f2,f3;
+ uint32_t g0,g1,g2,g3,g4;
+ uint64_t c;
+ unsigned char mp[16];
+
+ /* clamp key */
+ t0 = U8TO32_LE(key+0);
+ t1 = U8TO32_LE(key+4);
+ t2 = U8TO32_LE(key+8);
+ t3 = U8TO32_LE(key+12);
+
+ /* precompute multipliers */
+ r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6;
+ r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12;
+ r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18;
+ r3 = t2 & 0x3f03fff; t3 >>= 8;
+ r4 = t3 & 0x00fffff;
+
+ s1 = r1 * 5;
+ s2 = r2 * 5;
+ s3 = r3 * 5;
+ s4 = r4 * 5;
+
+ /* init state */
+ h0 = 0;
+ h1 = 0;
+ h2 = 0;
+ h3 = 0;
+ h4 = 0;
+
+ /* full blocks */
+ if (inlen < 16) goto poly1305_donna_atmost15bytes;
+poly1305_donna_16bytes:
+ m += 16;
+ inlen -= 16;
+
+ t0 = U8TO32_LE(m-16);
+ t1 = U8TO32_LE(m-12);
+ t2 = U8TO32_LE(m-8);
+ t3 = U8TO32_LE(m-4);
+
+ h0 += t0 & 0x3ffffff;
+ h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
+ h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
+ h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
+ h4 += (t3 >> 8) | (1 << 24);
+
+
+poly1305_donna_mul:
+ t[0] = mul32x32_64(h0,r0) + mul32x32_64(h1,s4) + mul32x32_64(h2,s3) + mul32x32_64(h3,s2) + mul32x32_64(h4,s1);
+ t[1] = mul32x32_64(h0,r1) + mul32x32_64(h1,r0) + mul32x32_64(h2,s4) + mul32x32_64(h3,s3) + mul32x32_64(h4,s2);
+ t[2] = mul32x32_64(h0,r2) + mul32x32_64(h1,r1) + mul32x32_64(h2,r0) + mul32x32_64(h3,s4) + mul32x32_64(h4,s3);
+ t[3] = mul32x32_64(h0,r3) + mul32x32_64(h1,r2) + mul32x32_64(h2,r1) + mul32x32_64(h3,r0) + mul32x32_64(h4,s4);
+ t[4] = mul32x32_64(h0,r4) + mul32x32_64(h1,r3) + mul32x32_64(h2,r2) + mul32x32_64(h3,r1) + mul32x32_64(h4,r0);
+
+ h0 = (uint32_t)t[0] & 0x3ffffff; c = (t[0] >> 26);
+ t[1] += c; h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26);
+ t[2] += b; h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26);
+ t[3] += b; h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26);
+ t[4] += b; h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26);
+ h0 += b * 5;
+
+ if (inlen >= 16) goto poly1305_donna_16bytes;
+
+ /* final bytes */
+poly1305_donna_atmost15bytes:
+ if (!inlen) goto poly1305_donna_finish;
+
+ for (j = 0; j < inlen; j++) mp[j] = m[j];
+ mp[j++] = 1;
+ for (; j < 16; j++) mp[j] = 0;
+ inlen = 0;
+
+ t0 = U8TO32_LE(mp+0);
+ t1 = U8TO32_LE(mp+4);
+ t2 = U8TO32_LE(mp+8);
+ t3 = U8TO32_LE(mp+12);
+
+ h0 += t0 & 0x3ffffff;
+ h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
+ h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
+ h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
+ h4 += (t3 >> 8);
+
+ goto poly1305_donna_mul;
+
+poly1305_donna_finish:
+ b = h0 >> 26; h0 = h0 & 0x3ffffff;
+ h1 += b; b = h1 >> 26; h1 = h1 & 0x3ffffff;
+ h2 += b; b = h2 >> 26; h2 = h2 & 0x3ffffff;
+ h3 += b; b = h3 >> 26; h3 = h3 & 0x3ffffff;
+ h4 += b; b = h4 >> 26; h4 = h4 & 0x3ffffff;
+ h0 += b * 5; b = h0 >> 26; h0 = h0 & 0x3ffffff;
+ h1 += b;
+
+ g0 = h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff;
+ g1 = h1 + b; b = g1 >> 26; g1 &= 0x3ffffff;
+ g2 = h2 + b; b = g2 >> 26; g2 &= 0x3ffffff;
+ g3 = h3 + b; b = g3 >> 26; g3 &= 0x3ffffff;
+ g4 = h4 + b - (1 << 26);
+
+ b = (g4 >> 31) - 1;
+ nb = ~b;
+ h0 = (h0 & nb) | (g0 & b);
+ h1 = (h1 & nb) | (g1 & b);
+ h2 = (h2 & nb) | (g2 & b);
+ h3 = (h3 & nb) | (g3 & b);
+ h4 = (h4 & nb) | (g4 & b);
+
+ f0 = ((h0 ) | (h1 << 26)) + (uint64_t)U8TO32_LE(&key[16]);
+ f1 = ((h1 >> 6) | (h2 << 20)) + (uint64_t)U8TO32_LE(&key[20]);
+ f2 = ((h2 >> 12) | (h3 << 14)) + (uint64_t)U8TO32_LE(&key[24]);
+ f3 = ((h3 >> 18) | (h4 << 8)) + (uint64_t)U8TO32_LE(&key[28]);
+
+ U32TO8_LE(&out[ 0], f0); f1 += (f0 >> 32);
+ U32TO8_LE(&out[ 4], f1); f2 += (f1 >> 32);
+ U32TO8_LE(&out[ 8], f2); f3 += (f2 >> 32);
+ U32TO8_LE(&out[12], f3);
+}
Index: usr.bin/ssh/poly1305-donna-unrolled.h
===================================================================
RCS file: usr.bin/ssh/poly1305-donna-unrolled.h
diff -N usr.bin/ssh/poly1305-donna-unrolled.h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.bin/ssh/poly1305-donna-unrolled.h 17 Nov 2013 13:57:30 -0000
@@ -0,0 +1,22 @@
+/* $OpenBSD$ */
+
+/*
+ * Public Domain poly1305-donna from Andrew M.
+ * https://github.com/floodyberry/poly1305-donna
+ */
+
+#ifndef POLY1305_H
+#define POLY1305_H
+
+#include <sys/types.h>
+
+#define POLY1305_KEYLEN 32
+#define POLY1305_TAGLEN 16
+
+void poly1305_auth(u_char out[POLY1305_TAGLEN], const u_char *m, size_t inlen,
+ const u_char key[POLY1305_KEYLEN])
+ __attribute__((__bounded__(__minbytes__, 1, POLY1305_TAGLEN)))
+ __attribute__((__bounded__(__buffer__, 2, 3)))
+ __attribute__((__bounded__(__minbytes__, 4, POLY1305_KEYLEN)));
+
+#endif /* POLY1305_H */
Index: usr.bin/ssh/servconf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.245
diff -u -p -r1.245 servconf.c
--- usr.bin/ssh/servconf.c 7 Nov 2013 11:58:27 -0000 1.245
+++ usr.bin/ssh/servconf.c 17 Nov 2013 13:57:30 -0000
@@ -1986,7 +1986,7 @@ dump_config(ServerOptions *o)
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
- cipher_alg_list(','));
+ cipher_alg_list(',', 0));
dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
dump_cfg_string(sBanner, o->banner);
dump_cfg_string(sForceCommand, o->adm_forced_command);
Index: usr.bin/ssh/ssh.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh.c,v
retrieving revision 1.392
diff -u -p -r1.392 ssh.c
--- usr.bin/ssh/ssh.c 7 Nov 2013 11:58:27 -0000 1.392
+++ usr.bin/ssh/ssh.c 17 Nov 2013 13:57:30 -0000
@@ -492,7 +492,9 @@ main(int ac, char **av)
case 'Q': /* deprecated */
cp = NULL;
if (strcasecmp(optarg, "cipher") == 0)
- cp = cipher_alg_list('\n');
+ cp = cipher_alg_list('\n', 0);
+ else if (strcasecmp(optarg, "cipher-auth") == 0)
+ cp = cipher_alg_list('\n', 1);
else if (strcasecmp(optarg, "mac") == 0)
cp = mac_alg_list('\n');
else if (strcasecmp(optarg, "kex") == 0)
Index: usr.bin/ssh/lib/Makefile
===================================================================
RCS file: /cvs/src/usr.bin/ssh/lib/Makefile,v
retrieving revision 1.68
diff -u -p -r1.68 Makefile
--- usr.bin/ssh/lib/Makefile 2 Nov 2013 21:59:15 -0000 1.68
+++ usr.bin/ssh/lib/Makefile 17 Nov 2013 13:57:30 -0000
@@ -13,7 +13,8 @@ SRCS= authfd.c authfile.c bufaux.c bufec
ssh-dss.c ssh-rsa.c ssh-ecdsa.c dh.c kexdh.c kexgex.c kexecdh.c \
kexdhc.c kexgexc.c kexecdhc.c msg.c progressmeter.c dns.c \
monitor_fdpass.c umac.c addrmatch.c schnorr.c jpake.c ssh-pkcs11.c \
- krl.c smult_curve25519_ref.c kexc25519.c kexc25519c.c
+ krl.c smult_curve25519_ref.c kexc25519.c kexc25519c.c \
+ chacha.c poly1305-donna-unrolled.c chacha20poly1305aead.c
SRCS+= umac128.c
CLEANFILES+= umac128.c
Index: regress/usr.bin/ssh/integrity.sh
===================================================================
RCS file: /cvs/src/regress/usr.bin/ssh/integrity.sh,v
retrieving revision 1.11
diff -u -p -r1.11 integrity.sh
--- regress/usr.bin/ssh/integrity.sh 7 Nov 2013 02:48:38 -0000 1.11
+++ regress/usr.bin/ssh/integrity.sh 17 Nov 2013 13:57:30 -0000
@@ -11,7 +11,7 @@ startoffset=2900
macs=`${SSH} -Q mac`
# The following are not MACs, but ciphers with integrated integrity. They are
# handled specially below.
-macs="$macs `${SSH} -Q cipher | grep gcm at openssh.com`"
+macs="$macs `${SSH} -Q cipher-auth`"
# sshd-command for proxy (see test-exec.sh)
cmd="sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy"
@@ -30,12 +30,14 @@ for m in $macs; do
fi
# modify output from sshd at offset $off
pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
- case $m in
- aes*gcm*) macopt="-c $m";;
- *) macopt="-m $m";;
- esac
+ if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
+ macopt="-c $m"
+ else
+ macopt="-m $m -c aes128-ctr"
+ fi
verbose "test $tid: $m @$off"
${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+ -oServerAliveInterval=1 -oServerAliveCountMax=30 \
999.999.999.999 'printf "%4096s" " "' >/dev/null
if [ $? -eq 0 ]; then
fail "ssh -m $m succeeds with bit-flip at $off"
More information about the openssh-unix-dev
mailing list