Develop and Download Open Source Software

Tera Term

Browse Subversion Repository

/[ttssh2]/trunk/ttssh2/ttxssh/cipher-chachapoly-libcrypto.c

Annotation of /trunk/ttssh2/ttxssh/cipher-chachapoly-libcrypto.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 9255 - (hide annotations) (download) (as text)
Wed May 19 14:11:26 2021 UTC (2 years, 10 months ago) by nmaya
File MIME type: text/x-csrc
File size: 5959 byte(s) 
SSH2 暗号化方式 chacha20-poly1305@openssh.com をサポート

merge from branches/ssh_chacha20poly1305
r9209, r9210, r9211, r9212, r9217, r9229, r9248, r9249, r9250, r9251, r9252, r9253
1 nmaya 9212 /* Imported from OpenSSH-8.5p1, TeraTerm Project */
2    
3     /*
4     * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
5     *
6     * Permission to use, copy, modify, and distribute this software for any
7     * purpose with or without fee is hereby granted, provided that the above
8     * copyright notice and this permission notice appear in all copies.
9     *
10     * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11     * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12     * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13     * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14     * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15     * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16     * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17     */
18    
19     /* $OpenBSD: cipher-chachapoly-libcrypto.c,v 1.1 2020/04/03 04:32:21 djm Exp $ */
20    
21 nmaya 9255 // for Visual Studio 2005
22     #pragma warning(disable : 4244)
23    
24 nmaya 9212 #include <sys/types.h>
25    
26     #include <stdarg.h> /* needed for log.h */
27     #include <string.h>
28     #include <stdio.h> /* needed for misc.h */
29     #include <windows.h>
30    
31     #include <openssl/evp.h>
32    
33     #include "ssherr.h"
34     #include "cipher-chachapoly.h"
35    
36    
37     // import from sshbuf.h
38     /* $OpenBSD: sshbuf.h,v 1.23 2020/06/22 05:54:10 djm Exp $ */
39     #define PEEK_U32(p) \
40     (((u_int32_t)(((const u_char *)(p))[0]) << 24) | \
41     ((u_int32_t)(((const u_char *)(p))[1]) << 16) | \
42     ((u_int32_t)(((const u_char *)(p))[2]) << 8) | \
43     (u_int32_t)(((const u_char *)(p))[3]))
44     #define POKE_U64(p, v) \
45     do { \
46     const u_int64_t __v = (v); \
47     ((u_char *)(p))[0] = (__v >> 56) & 0xff; \
48     ((u_char *)(p))[1] = (__v >> 48) & 0xff; \
49     ((u_char *)(p))[2] = (__v >> 40) & 0xff; \
50     ((u_char *)(p))[3] = (__v >> 32) & 0xff; \
51     ((u_char *)(p))[4] = (__v >> 24) & 0xff; \
52     ((u_char *)(p))[5] = (__v >> 16) & 0xff; \
53     ((u_char *)(p))[6] = (__v >> 8) & 0xff; \
54     ((u_char *)(p))[7] = __v & 0xff; \
55     } while (0)
56    
57    
58     // import from openbsd-compat/timingsafe_bcmp.c
59     /* $OpenBSD: timingsafe_bcmp.c,v 1.1 2010/09/24 13:33:00 matthew Exp $ */
60     int
61     timingsafe_bcmp(const void* b1, const void* b2, size_t n)
62     {
63     const unsigned char* p1 = b1, * p2 = b2;
64     int ret = 0;
65    
66     for (; n > 0; n--)
67     ret |= *p1++ ^ *p2++;
68     return (ret != 0);
69     }
70    
71    
72     struct chachapoly_ctx {
73     EVP_CIPHER_CTX *main_evp, *header_evp;
74     };
75    
76     struct chachapoly_ctx *
77     chachapoly_new(const u_char *key, u_int keylen)
78     {
79     struct chachapoly_ctx *ctx;
80    
81     if (keylen != (32 + 32)) /* 2 x 256 bit keys */
82     return NULL;
83     if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
84     return NULL;
85     if ((ctx->main_evp = EVP_CIPHER_CTX_new()) == NULL ||
86     (ctx->header_evp = EVP_CIPHER_CTX_new()) == NULL)
87     goto fail;
88     if (!EVP_CipherInit(ctx->main_evp, EVP_chacha20(), key, NULL, 1))
89     goto fail;
90     if (!EVP_CipherInit(ctx->header_evp, EVP_chacha20(), key + 32, NULL, 1))
91     goto fail;
92     if (EVP_CIPHER_CTX_iv_length(ctx->header_evp) != 16)
93     goto fail;
94     return ctx;
95     fail:
96     chachapoly_free(ctx);
97     return NULL;
98     }
99    
100     void
101     chachapoly_free(struct chachapoly_ctx *cpctx)
102     {
103     if (cpctx == NULL)
104     return;
105     EVP_CIPHER_CTX_free(cpctx->main_evp);
106     EVP_CIPHER_CTX_free(cpctx->header_evp);
107     SecureZeroMemory(cpctx, sizeof(*cpctx));
108     }
109    
110     /*
111     * chachapoly_crypt() operates as following:
112     * En/decrypt with header key 'aadlen' bytes from 'src', storing result
113     * to 'dest'. The ciphertext here is treated as additional authenticated
114     * data for MAC calculation.
115     * En/decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. Use
116     * POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the authentication
117     * tag. This tag is written on encryption and verified on decryption.
118     */
119     int
120     chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
121     const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt)
122     {
123     u_char seqbuf[16]; /* layout: u64 counter || u64 seqno */
124     int r = SSH_ERR_INTERNAL_ERROR;
125     u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
126    
127     /*
128     * Run ChaCha20 once to generate the Poly1305 key. The IV is the
129     * packet sequence number.
130     */
131     memset(seqbuf, 0, sizeof(seqbuf));
132     POKE_U64(seqbuf + 8, seqnr);
133     memset(poly_key, 0, sizeof(poly_key));
134     if (!EVP_CipherInit(ctx->main_evp, NULL, NULL, seqbuf, 1) ||
135     EVP_Cipher(ctx->main_evp, poly_key,
136     poly_key, sizeof(poly_key)) < 0) {
137     r = SSH_ERR_LIBCRYPTO_ERROR;
138     goto out;
139     }
140    
141     /* If decrypting, check tag before anything else */
142     if (!do_encrypt) {
143     const u_char *tag = src + aadlen + len;
144    
145     poly1305_auth(expected_tag, src, aadlen + len, poly_key);
146     if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) {
147     r = SSH_ERR_MAC_INVALID;
148     goto out;
149     }
150     }
151    
152     /* Crypt additional data */
153     if (aadlen) {
154     if (!EVP_CipherInit(ctx->header_evp, NULL, NULL, seqbuf, 1) ||
155     EVP_Cipher(ctx->header_evp, dest, src, aadlen) < 0) {
156     r = SSH_ERR_LIBCRYPTO_ERROR;
157     goto out;
158     }
159     }
160    
161     /* Set Chacha's block counter to 1 */
162     seqbuf[0] = 1;
163     if (!EVP_CipherInit(ctx->main_evp, NULL, NULL, seqbuf, 1) ||
164     EVP_Cipher(ctx->main_evp, dest + aadlen, src + aadlen, len) < 0) {
165     r = SSH_ERR_LIBCRYPTO_ERROR;
166     goto out;
167     }
168    
169     /* If encrypting, calculate and append tag */
170     if (do_encrypt) {
171     poly1305_auth(dest + aadlen + len, dest, aadlen + len,
172     poly_key);
173     }
174     r = 0;
175     out:
176     SecureZeroMemory(expected_tag, sizeof(expected_tag));
177     SecureZeroMemory(seqbuf, sizeof(seqbuf));
178     SecureZeroMemory(poly_key, sizeof(poly_key));
179     return r;
180     }
181    
182     /* Decrypt and extract the encrypted packet length */
183     int
184     chachapoly_get_length(struct chachapoly_ctx *ctx,
185     u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
186     {
187     u_char buf[4], seqbuf[16];
188    
189     if (len < 4)
190     return SSH_ERR_MESSAGE_INCOMPLETE;
191     memset(seqbuf, 0, sizeof(seqbuf));
192     POKE_U64(seqbuf + 8, seqnr);
193     if (!EVP_CipherInit(ctx->header_evp, NULL, NULL, seqbuf, 0))
194     return SSH_ERR_LIBCRYPTO_ERROR;
195     if (EVP_Cipher(ctx->header_evp, buf, (u_char *)cp, sizeof(buf)) < 0)
196     return SSH_ERR_LIBCRYPTO_ERROR;
197     *plenp = PEEK_U32(buf);
198     return 0;
199     }
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
About OSDN
Find Software
Develop Software
Help