18void seq_nonce(uint32_t seqnr, uint8_t iv[8])
24 iv[4] = (uint8_t)(seqnr >> 24);
25 iv[5] = (uint8_t)(seqnr >> 16);
26 iv[6] = (uint8_t)(seqnr >> 8);
27 iv[7] = (uint8_t)seqnr;
31bool ct_eq16(
const uint8_t *a,
const uint8_t *b)
34 for (
int i = 0; i < 16; i++)
35 d |= (uint8_t)(a[i] ^ b[i]);
47 return ((uint32_t)len[0] << 24) | ((uint32_t)len[1] << 16) | ((uint32_t)len[2] << 8) | len[3];
51 const uint8_t *src, uint32_t payload_len)
59 ssh_poly1305(dest + 4 + payload_len, dest, 4 + payload_len, poly_key);
63 const uint8_t *src, uint32_t payload_len)
71 if (!ct_eq16(tag, src + 4 + payload_len))
void ssh_chacha20_xor(const uint8_t key[SSH_CHACHA20_KEY_LEN], const uint8_t iv[8], uint64_t counter, const uint8_t *in, uint8_t *out, size_t len)
XOR len bytes of in with the ChaCha20 keystream into out (OpenSSH layout).
ChaCha20 stream cipher (D. J. Bernstein; RFC 8439).
void ssh_chachapoly_encrypt(const uint8_t key[SSH_CHACHAPOLY_KEY_LEN], uint32_t seqnr, uint8_t *dest, const uint8_t *src, uint32_t payload_len)
Encrypt+authenticate one packet.
uint32_t ssh_chachapoly_get_length(const uint8_t key[SSH_CHACHAPOLY_KEY_LEN], uint32_t seqnr, const uint8_t enc_len[SSH_CHACHAPOLY_AAD_LEN])
Decrypt just the 4-byte length field to learn the packet length before reading the body.
bool ssh_chachapoly_decrypt(const uint8_t key[SSH_CHACHAPOLY_KEY_LEN], uint32_t seqnr, uint8_t *dest, const uint8_t *src, uint32_t payload_len)
Verify+decrypt one packet.
chacha20-poly1305@openssh.com AEAD cipher (OpenSSH PROTOCOL.chacha20poly1305).
#define SSH_CHACHAPOLY_AAD_LEN
the encrypted packet-length field
#define SSH_CHACHAPOLY_KEY_LEN
two 256-bit ChaCha20 keys
void ssh_poly1305(uint8_t tag[SSH_POLY1305_TAG_LEN], const uint8_t *msg, size_t len, const uint8_t key[SSH_POLY1305_KEY_LEN])
Compute the 16-byte Poly1305 tag over msg under the 32-byte one-time key.
Poly1305 one-time authenticator (D. J. Bernstein; RFC 8439 Section 2.5).