Add a key-length field to 'struct ssh_mac'.
authorSimon Tatham <anakin@pobox.com>
Fri, 21 Aug 2015 22:20:12 +0000 (23:20 +0100)
committerSimon Tatham <anakin@pobox.com>
Fri, 21 Aug 2015 22:41:05 +0000 (23:41 +0100)
The key derivation code has been assuming (though non-critically, as
it happens) that the size of the MAC output is the same as the size of
the MAC key. That isn't even a good assumption for the HMAC family,
due to HMAC-SHA1-96 and also the bug-compatible versions of HMAC-SHA1
that only use 16 bytes of key material; so now we have an explicit
key-length field separate from the MAC-length field.

ssh.c
ssh.h
sshccp.c
sshmd5.c
sshsh256.c
sshsha.c

diff --git a/ssh.c b/ssh.c
index 79c6ebf73c1f5455f1fb2578505d34e67519f4ce..f1d62e83b51926bffb128a312d199165d6b2eeab 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -7164,7 +7164,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
               ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
        ssh->cscipher->setiv(ssh->cs_cipher_ctx, keyspace);
        ssh2_mkkey(ssh,s->K,s->exchange_hash,'E',keyspace);
-       assert(ssh->csmac->len <=
+       assert(ssh->csmac->keylen <=
               ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
        ssh->csmac->setkey(ssh->cs_mac_ctx, keyspace);
        smemclr(keyspace, sizeof(keyspace));
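Review bot: The only guarantee that `keyspace` holds `csmac->keylen` bytes of derived key is this `assert`, and `setkey(ssh->cs_mac_ctx, keyspace)` is passed no length, so the number of bytes the MAC consumes is fixed inside each implementation rather than by the new field. In a build with NDEBUG defined the check disappears, and a `keylen` that disagrees with its setkey routine would go unnoticed. I would add a comment above the assert such as `/* setkey takes no length: it must read exactly csmac->keylen bytes of keyspace */`. The same applies to the `scmac` assert in the second hunk of this file; do_ssh2_transport starts and ends outside both hunks.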
@@ -7233,7 +7233,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
               ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
        ssh->sccipher->setiv(ssh->sc_cipher_ctx, keyspace);
        ssh2_mkkey(ssh,s->K,s->exchange_hash,'F',keyspace);
-       assert(ssh->scmac->len <=
+       assert(ssh->scmac->keylen <=
               ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
        ssh->scmac->setkey(ssh->sc_mac_ctx, keyspace);
        smemclr(keyspace, sizeof(keyspace));
diff --git a/ssh.h b/ssh.h
index 139ea33f114f90d8128e58f7b4bd79cf5b2a2711..ef488e8307d991bc856ca3eb778c3d959216c6ec 100644 (file)
--- a/ssh.h
+++ b/ssh.h
@@ -347,7 +347,7 @@ struct ssh_mac {
     void (*genresult) (void *, unsigned char *);
     int (*verresult) (void *, unsigned char const *);
     const char *name, *etm_name;
-    int len;
+    int len, keylen;
     const char *text_name;
 };
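Review bot: `int len, keylen;` puts two same-typed lengths side by side with no comment, and every `struct ssh_mac` initializer touched by this commit is positional, so swapping the two values (for example `20, 12` instead of `12, 20`) would compile silently. A short comment on the field would make the order explicit: `int len, keylen; /* len: MAC output bytes; keylen: bytes of derived key material */`. The struct begins above the hunk.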
 
index 82aca02bb12faa79abdd4f56e4aae9ac16f8f02e..5400d36cbead016443552b3ddba720779e4f2393 100644 (file)
--- a/sshccp.c
+++ b/sshccp.c
@@ -1238,7 +1238,7 @@ static const struct ssh_mac ssh2_poly1305 = {
     poly_start, poly_bytes, poly_genresult, poly_verresult,
 
     "", "", /* Not selectable individually, just part of ChaCha20-Poly1305 */
-    16, "Poly1305"
+    16, 0, "Poly1305"
 };
 
 static void *ccp_make_context(void)
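Review bot: The `0` given for `keylen` in `16, 0, "Poly1305"` is unexplained, and with it the `keylen <= hlen * SSH2_MKKEY_ITERS` assert in ssh.c passes trivially for this MAC. Presumably Poly1305 is keyed through the ChaCha20 cipher rather than from the MAC key derivation, but nothing in the hunk shows that. Once confirmed, a trailing comment such as `/* keylen 0: no MAC key is taken from the key exchange output */` would record the intent. The initializer starts above the hunk.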
index 4988223ee703e6c0c049e394bb1c2186467f9e2a..b39dfd3e52dba4a399706c3769193c05ff738168 100644 (file)
--- a/sshmd5.c
+++ b/sshmd5.c
@@ -337,6 +337,6 @@ const struct ssh_mac ssh_hmac_md5 = {
     hmacmd5_generate, hmacmd5_verify,
     hmacmd5_start, hmacmd5_bytes, hmacmd5_genresult, hmacmd5_verresult,
     "hmac-md5", "hmac-md5-etm@openssh.com",
-    16,
+    16, 16,
     "HMAC-MD5"
 };
index b2bd862e6ad15f0b8b2a197f47197ae145766f77..4186f3e8180fc54b54fdefa19851200fd17157fe 100644 (file)
@@ -345,7 +345,7 @@ const struct ssh_mac ssh_hmac_sha256 = {
     hmacsha256_start, hmacsha256_bytes,
     hmacsha256_genresult, hmacsha256_verresult,
     "hmac-sha2-256", "hmac-sha2-256-etm@openssh.com",
-    32,
+    32, 32,
     "HMAC-SHA-256"
 };
 
index 07a71ca2e349e20bc0a6c6c2657f43b4991b9b35..c10a82177ced3d64294a51747ec0f3155bd72bd8 100644 (file)
--- a/sshsha.c
+++ b/sshsha.c
@@ -421,7 +421,7 @@ const struct ssh_mac ssh_hmac_sha1 = {
     sha1_generate, sha1_verify,
     hmacsha1_start, hmacsha1_bytes, hmacsha1_genresult, hmacsha1_verresult,
     "hmac-sha1", "hmac-sha1-etm@openssh.com",
-    20,
+    20, 20,
     "HMAC-SHA1"
 };
 
@@ -431,7 +431,7 @@ const struct ssh_mac ssh_hmac_sha1_96 = {
     hmacsha1_start, hmacsha1_bytes,
     hmacsha1_96_genresult, hmacsha1_96_verresult,
     "hmac-sha1-96", "hmac-sha1-96-etm@openssh.com",
-    12,
+    12, 20,
     "HMAC-SHA1-96"
 };
 
@@ -440,7 +440,7 @@ const struct ssh_mac ssh_hmac_sha1_buggy = {
     sha1_generate, sha1_verify,
     hmacsha1_start, hmacsha1_bytes, hmacsha1_genresult, hmacsha1_verresult,
     "hmac-sha1", NULL,
-    20,
+    20, 16,
     "bug-compatible HMAC-SHA1"
 };
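Review bot: The `16` in `20, 16,` records that the bug-compatible variant uses only 16 bytes of key, but the setkey routine this struct points to is on a line above the hunk, so it is not visible here whether that routine stops at the same length. Since setkey is called without a length argument, the declared `keylen` and the routine can drift apart. A comment tying them together would help, e.g. `20, 16, /* keylen must match the 16-byte key read by this variant's setkey */`. The same applies to `12, 16,` in ssh_hmac_sha1_96_buggy in the next hunk.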
 
@@ -450,6 +450,6 @@ const struct ssh_mac ssh_hmac_sha1_96_buggy = {
     hmacsha1_start, hmacsha1_bytes,
     hmacsha1_96_genresult, hmacsha1_96_verresult,
     "hmac-sha1-96", NULL,
-    12,
+    12, 16,
     "bug-compatible HMAC-SHA1-96"
 };