[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Missing signed-off for pkg chacha20 patches


On 6/8/18 7:09 AM, Andreas Schneider wrote:
> I'm currently working on chacha20 to merge Aris his work. There are two pkd 
> patches from you which don't have a Signed-off-by tag from you.
> 
> Could you please give me the permission to add it or send the attached patch 
> back with them?
> 
> Also, could you test this patchset?

Excited to see the chacha20 work headed to master.

I gave the patchset some review and testing this afternoon and I've attached
a respin of the patchset that includes:

 * fixes for current master pkd: https://www.libssh.org/archive/libssh/2018-05/0000009.html
 * the older chacha20 patches now with my Signed-off
 * a couple of minor adjustments plus fix for the mbedTLS build

These should apply cleanly on to 0940b0f29b4fef86e56dffdd13d978f9692b78fc.

I tested this series with these combinations of pkd:

 * Debian Jessie with OpenSSL 1.0.1, libgcrypt20
 * Debian Stretch with OpenSSL 1.1.0, libgcrypt20, mbedTLS

Please let me know if I can be of any further help or if you'd like to
see any changes to the adjustments I made.  I can also send out the patches
in another format if that would be helpful.


Thanks,
-Jon
From aa4ade54f781eec6362a6d57f66243d27c220dd4 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Thu, 24 May 2018 19:49:46 -0700
Subject: [PATCH 01/27] pkd: fix missing config.h #include

Ensure to include config.h so that the `HAVE_DSA` value is properly set
when building the pkd tests.

Introduced with 778652460f7cceb3e760964a890ffd99ec8230e7,

Testing done: with this change, the `pkd_hello` test is passing on an
OpenSSL 1.1.0 build for me.  Previously it would fail pubkey exchange
early on for DSA- and ECDSA-type host keys.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 tests/pkd/pkd_daemon.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/pkd/pkd_daemon.h b/tests/pkd/pkd_daemon.h
index 3107ed1e..7bdf894d 100644
--- a/tests/pkd/pkd_daemon.h
+++ b/tests/pkd/pkd_daemon.h
@@ -8,6 +8,8 @@
 #ifndef __PKD_DAEMON_H__
 #define __PKD_DAEMON_H__
 
+#include "config.h"
+
 enum pkd_hostkey_type_e {
     PKD_RSA,
 #ifdef HAVE_DSA
-- 
2.14.1


From 50bf63f4286ae620b3f4a04208b390d143526875 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 25 May 2018 03:00:33 -0700
Subject: [PATCH 02/27] ecdh: fix SSH_MSG_KEXDH_REPLY for libcrypto

Ensure to provide the `ssh_string` pubkey blob to the buffer packing
routine when computing the SSH_MSG_KEXDH_REPLY message, rather than
the new `ssh_key` type.

Introduced with 16217454d576511f37f39c3169963629f9d5082f.

Testing done: with this change, `pkd_hello` test is passing on an
OpenSSL 1.1.0 build for me.  Previously it would segfault during
pubkey exchange with "ecdh-sha2-nistp256".

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/ecdh_crypto.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
index 041e6c0e..24f21c03 100644
--- a/src/ecdh_crypto.c
+++ b/src/ecdh_crypto.c
@@ -206,6 +206,7 @@ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){
     /* SSH host keys (rsa,dsa,ecdsa) */
     ssh_key privkey;
     ssh_string sig_blob = NULL;
+    ssh_string pubkey_blob = NULL;
     int curve;
     int len;
     int rc;
@@ -289,14 +290,22 @@ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){
         return SSH_ERROR;
     }
 
+    rc = ssh_dh_get_next_server_publickey_blob(session, &pubkey_blob);
+    if (rc != SSH_OK) {
+        ssh_set_error(session, SSH_FATAL, "Could not export server public key");
+        ssh_string_free(sig_blob);
+        return SSH_ERROR;
+    }
+
     rc = ssh_buffer_pack(session->out_buffer,
                          "bSSS",
                          SSH2_MSG_KEXDH_REPLY,
-                         session->next_crypto->server_pubkey, /* host's pubkey */
+                         pubkey_blob, /* host's pubkey */
                          q_s_string, /* ecdh public key */
                          sig_blob); /* signature blob */
 
     ssh_string_free(sig_blob);
+    ssh_string_free(pubkey_blob);
 
     if (rc != SSH_OK) {
         ssh_set_error_oom(session);
-- 
2.14.1


From 41dba131d58e261e6477f183323222b980a8c95b Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 25 May 2018 03:29:06 -0700
Subject: [PATCH 03/27] ecdh: fix SSH_MSG_KEXDH_REPLY for libgcrypt

Ensure to provide the `ssh_string` pubkey blob to the buffer packing
routine when computing the SSH_MSG_KEXDH_REPLY message, rather than
the new `ssh_key` type.

Introduced with 16217454d576511f37f39c3169963629f9d5082f.

Testing done: with this change, the `pkd_hello` test is passing on a
libgcrypt build for me.  Previously it would segfault during pubkey
exchange with "ecdh-sha2-nistp256".

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/ecdh_gcrypt.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
index e4b73dc2..7bbccc25 100644
--- a/src/ecdh_gcrypt.c
+++ b/src/ecdh_gcrypt.c
@@ -268,6 +268,7 @@ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet) {
     /* SSH host keys (rsa,dsa,ecdsa) */
     ssh_key privkey;
     ssh_string sig_blob = NULL;
+    ssh_string pubkey_blob = NULL;
     int rc = SSH_ERROR;
     const char *curve = NULL;
 
@@ -333,14 +334,22 @@ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet) {
         goto out;
     }
 
+    rc = ssh_dh_get_next_server_publickey_blob(session, &pubkey_blob);
+    if (rc != SSH_OK) {
+        ssh_set_error(session, SSH_FATAL, "Could not export server public key");
+        ssh_string_free(sig_blob);
+        goto out;
+    }
+
     rc = ssh_buffer_pack(session->out_buffer,
                          "bSSS",
                          SSH2_MSG_KEXDH_REPLY,
-                         session->next_crypto->server_pubkey, /* host's pubkey */
+                         pubkey_blob, /* host's pubkey */
                          q_s_string, /* ecdh public key */
                          sig_blob); /* signature blob */
 
     ssh_string_free(sig_blob);
+    ssh_string_free(pubkey_blob);
 
     if (rc != SSH_OK) {
         ssh_set_error_oom(session);
-- 
2.14.1


From b9661829539463f4ca1844d7f455927a8847a968 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 25 May 2018 03:39:21 -0700
Subject: [PATCH 04/27] ecdh: fix SSH_MSG_KEXDH_REPLY for mbedTLS

Ensure to provide the `ssh_string` pubkey blob to the buffer packing
routine when computing the SSH_MSG_KEXDH_REPLY message, rather than
the new `ssh_key` type.

Introduced with 16217454d576511f37f39c3169963629f9d5082f.

Testing done: with this change, the `pkd_hello` test is passing on a
mbedTLS build for me.  Previously it would segfault during pubkey
exchange with "ecdh-sha2-nistp256".

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/ecdh_mbedcrypto.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
index d4e7a774..aebc7bac 100644
--- a/src/ecdh_mbedcrypto.c
+++ b/src/ecdh_mbedcrypto.c
@@ -181,6 +181,7 @@ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet)
     mbedtls_ecp_group grp;
     ssh_key privkey = NULL;
     ssh_string sig_blob = NULL;
+    ssh_string pubkey_blob = NULL;
     int rc;
     mbedtls_ecp_group_id curve;
 
@@ -256,12 +257,21 @@ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet)
         goto out;
     }
 
+    rc = ssh_dh_get_next_server_publickey_blob(session, &pubkey_blob);
+    if (rc != SSH_OK) {
+        ssh_set_error(session, SSH_FATAL, "Could not export server public key");
+        ssh_string_free(sig_blob);
+        goto out;
+    }
+
     rc = ssh_buffer_pack(session->out_buffer, "bSSS",
-            SSH2_MSG_KEXDH_REPLY, session->next_crypto->server_pubkey,
-            q_s_string,
-            sig_blob);
+                         SSH2_MSG_KEXDH_REPLY,
+                         pubkey_blob, /* host's pubkey */
+                         q_s_string, /* ecdh public key */
+                         sig_blob); /* signature blob */
 
     ssh_string_free(sig_blob);
+    ssh_string_free(pubkey_blob);
 
     if (rc != SSH_OK) {
         ssh_set_error_oom(session);
-- 
2.14.1


From 87b468bf41dafb2dfffbf6d8291ce5cc6b2e05bb Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 25 May 2018 03:42:59 -0700
Subject: [PATCH 05/27] tests: fix -Wunused-function warning in
 torture_pki_ecdsa.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wrap some function definitions with `HAVE_LIBCRYPTO` ifdefs to
match their usages in `torture_run_tests`.

Fixes this warning I observe when building locally:

    torture_pki_ecdsa.c:341:13: warning:
         ‘torture_pki_ecdsa_write_privkey’ defined but not used
         [-Wunused-function]

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 tests/unittests/torture_pki_ecdsa.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/unittests/torture_pki_ecdsa.c b/tests/unittests/torture_pki_ecdsa.c
index 6587a60d..e9939d56 100644
--- a/tests/unittests/torture_pki_ecdsa.c
+++ b/tests/unittests/torture_pki_ecdsa.c
@@ -338,6 +338,7 @@ static void torture_pki_generate_key_ecdsa(void **state)
     ssh_free(session);
 }
 
+#ifdef HAVE_LIBCRYPTO
 static void torture_pki_ecdsa_write_privkey(void **state)
 {
     ssh_key origkey;
@@ -412,6 +413,7 @@ static void torture_pki_ecdsa_write_privkey(void **state)
     ssh_key_free(origkey);
     ssh_key_free(privkey);
 }
+#endif /* HAVE_LIBCRYPTO */
 
 static void torture_pki_ecdsa_name(void **state, const char *expected_name)
 {
-- 
2.14.1


From c7b3cdda8f2d50c035b35a505abd29d50415c95d Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 25 May 2018 03:52:25 -0700
Subject: [PATCH 06/27] dh: fix `ssh_get_pubkey_hash` indentation

Fix `ssh_get_pubkey_hash` indentation to use softabs
with 4 spaces.  No change in behavior.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/dh.c | 75 ++++++++++++++++++++++++++++++++--------------------------------
 1 file changed, 37 insertions(+), 38 deletions(-)

diff --git a/src/dh.c b/src/dh.c
index d2ddfabd..733c6e76 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -980,51 +980,50 @@ error:
  * @deprecated Use ssh_get_publickey_hash()
  */
 int ssh_get_pubkey_hash(ssh_session session, unsigned char **hash) {
-  ssh_key pubkey = NULL;
-  ssh_string pubkey_blob = NULL;
-  MD5CTX ctx;
-  unsigned char *h;
-  int rc;
+    ssh_key pubkey = NULL;
+    ssh_string pubkey_blob = NULL;
+    MD5CTX ctx;
+    unsigned char *h;
+    int rc;
 
-  if (session == NULL || hash == NULL) {
-    return SSH_ERROR;
-  }
-  *hash = NULL;
-  if (session->current_crypto == NULL ||
-      session->current_crypto->server_pubkey == NULL){
-    ssh_set_error(session,SSH_FATAL,"No current cryptographic context");
-    return SSH_ERROR;
-  }
+    if (session == NULL || hash == NULL) {
+        return SSH_ERROR;
+    }
+    *hash = NULL;
+    if (session->current_crypto == NULL ||
+        session->current_crypto->server_pubkey == NULL) {
+        ssh_set_error(session,SSH_FATAL,"No current cryptographic context");
+        return SSH_ERROR;
+    }
 
-  h = calloc(MD5_DIGEST_LEN, sizeof(unsigned char));
-  if (h == NULL) {
-    return SSH_ERROR;
-  }
+    h = calloc(MD5_DIGEST_LEN, sizeof(unsigned char));
+    if (h == NULL) {
+        return SSH_ERROR;
+    }
 
-  ctx = md5_init();
-  if (ctx == NULL) {
-    SAFE_FREE(h);
-    return SSH_ERROR;
-  }
+    ctx = md5_init();
+    if (ctx == NULL) {
+        SAFE_FREE(h);
+        return SSH_ERROR;
+    }
 
-  rc = ssh_get_server_publickey(session, &pubkey);
-  if (rc != 0) {
-    SAFE_FREE(h);
-    return SSH_ERROR;
-  }
+    rc = ssh_get_server_publickey(session, &pubkey);
+    if (rc != 0) {
+        SAFE_FREE(h);
+        return SSH_ERROR;
+    }
 
-  rc = ssh_pki_export_pubkey_blob(pubkey,
-                                  &pubkey_blob);
-  ssh_key_free(pubkey);
-  if (rc != 0) {
-  }
-  md5_update(ctx, ssh_string_data(pubkey_blob), ssh_string_len(pubkey_blob));
-  ssh_string_free(pubkey_blob);
-  md5_final(h, ctx);
+    rc = ssh_pki_export_pubkey_blob(pubkey, &pubkey_blob);
+    ssh_key_free(pubkey);
+    if (rc != 0) {
+    }
+    md5_update(ctx, ssh_string_data(pubkey_blob), ssh_string_len(pubkey_blob));
+    ssh_string_free(pubkey_blob);
+    md5_final(h, ctx);
 
-  *hash = h;
+    *hash = h;
 
-  return MD5_DIGEST_LEN;
+    return MD5_DIGEST_LEN;
 }
 
 /**
-- 
2.14.1


From 518a683bfaeb350e334d22980b486e67411090a1 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 25 May 2018 03:56:54 -0700
Subject: [PATCH 07/27] dh: fix two leaks in `ssh_get_pubkey_hash`

Fix two memory leaks in `ssh_get_pubkey_hash` for some error paths.
The local `h` buffer and `ctx` MD5 context each must be free'd for
the SSH_ERROR cases.

Introduced with 16217454d576511f37f39c3169963629f9d5082f.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/dh.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/dh.c b/src/dh.c
index 733c6e76..c3de5b99 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -1008,15 +1008,20 @@ int ssh_get_pubkey_hash(ssh_session session, unsigned char **hash) {
     }
 
     rc = ssh_get_server_publickey(session, &pubkey);
-    if (rc != 0) {
+    if (rc != SSH_OK) {
+        md5_final(h, ctx);
         SAFE_FREE(h);
         return SSH_ERROR;
     }
 
     rc = ssh_pki_export_pubkey_blob(pubkey, &pubkey_blob);
     ssh_key_free(pubkey);
-    if (rc != 0) {
+    if (rc != SSH_OK) {
+        md5_final(h, ctx);
+        SAFE_FREE(h);
+        return SSH_ERROR;
     }
+
     md5_update(ctx, ssh_string_data(pubkey_blob), ssh_string_len(pubkey_blob));
     ssh_string_free(pubkey_blob);
     md5_final(h, ctx);
-- 
2.14.1


From 43a0d359fd558de656048ca5c4aad6fd08c6488a Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 25 May 2018 04:35:04 -0700
Subject: [PATCH 08/27] pkd: add_test pkd_hello_i1 for `make test`

Add an entry for a `pkd_hello_i1` test which runs one iteration
through each of the pkd algorithm combinations.

Testing done: now `make test` will run `pkd_hello -i1` which
completes in ~25 seconds on my local machine.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 tests/pkd/CMakeLists.txt | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/pkd/CMakeLists.txt b/tests/pkd/CMakeLists.txt
index 07384341..ff23ba95 100644
--- a/tests/pkd/CMakeLists.txt
+++ b/tests/pkd/CMakeLists.txt
@@ -32,4 +32,12 @@ set(pkd_libs
 add_executable(pkd_hello ${pkd_hello_src})
 target_link_libraries(pkd_hello ${pkd_libs})
 
+#
+# pkd_hello_i1 runs only one iteration per algorithm combination for
+# sake of speeding up overall test run time.  More iterations can be
+# specified with `-i` and may be helpful for chasing down bugs that
+# are not 100% reproducible.
+#
+add_test(pkd_hello_i1 ${CMAKE_CURRENT_BINARY_DIR}/pkd_hello -i1)
+
 endif (WITH_SERVER AND UNIX AND NOT WIN32)
-- 
2.14.1


From fb0be6ee04b2e7724cb4b595666d7dd12d9f4a77 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 25 May 2018 06:09:03 -0700
Subject: [PATCH 09/27] pkd: run with SOCKET_WRAPPER_LIBRARY

Use the socket_wrapper preload shim when running the `pkd_hello`
test with `make test`.  The end goal here is to get this test
running alongside normal tests in regular CI.  Changes to do
this:

 * Configure PKD_ENVIRONMENT for the `pkd_hello_i1` test in the
   CMakeLists.txt file.

 * Add a `--socket-wrapper-dir|-w` flag that is used to opt-in to
   initializing a SOCKET_WRAPPER_DIR as expected by the socket_wrapper
   library.

   A runtime flag is used here to make it easy to run `pkd_hello`
   with the socket_wrapper library while avoiding a hard dependency.

Testing done: observed socker_wrapper in effect with `strace`;
running `make test` uses the wrapper correctly on my local
machine.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 tests/pkd/CMakeLists.txt | 14 +++++++-
 tests/pkd/pkd_daemon.h   |  4 +++
 tests/pkd/pkd_hello.c    | 89 +++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 105 insertions(+), 2 deletions(-)

diff --git a/tests/pkd/CMakeLists.txt b/tests/pkd/CMakeLists.txt
index ff23ba95..a07021ec 100644
--- a/tests/pkd/CMakeLists.txt
+++ b/tests/pkd/CMakeLists.txt
@@ -38,6 +38,18 @@ target_link_libraries(pkd_hello ${pkd_libs})
 # specified with `-i` and may be helpful for chasing down bugs that
 # are not 100% reproducible.
 #
-add_test(pkd_hello_i1 ${CMAKE_CURRENT_BINARY_DIR}/pkd_hello -i1)
+add_test(pkd_hello_i1 ${CMAKE_CURRENT_BINARY_DIR}/pkd_hello -i1 -w /tmp/pkd_socket_wrapper_XXXXXX)
+
+#
+# Configure environment for cwrap socket wrapper.
+#
+find_package(socket_wrapper 1.1.5 REQUIRED)
+if (OSX)
+    set(PKD_ENVIRONMENT "DYLD_FORCE_FLAT_NAMESPACE=1;DYLD_INSERT_LIBRARIES=${SOCKET_WRAPPER_LIBRARY}")
+else ()
+    set(PKD_ENVIRONMENT "LD_PRELOAD=${SOCKET_WRAPPER_LIBRARY}")
+endif ()
+message(STATUS "PKD_ENVIRONMENT=${PKD_ENVIRONMENT}")
+set_property(TEST pkd_hello_i1 PROPERTY ENVIRONMENT ${PKD_ENVIRONMENT})
 
 endif (WITH_SERVER AND UNIX AND NOT WIN32)
diff --git a/tests/pkd/pkd_daemon.h b/tests/pkd/pkd_daemon.h
index 7bdf894d..abb07acd 100644
--- a/tests/pkd/pkd_daemon.h
+++ b/tests/pkd/pkd_daemon.h
@@ -32,6 +32,10 @@ struct pkd_daemon_args {
         const char *testname;
         const char *testmatch;
         unsigned int iterations;
+
+        struct {
+            const char *mkdtemp_str;
+        } socket_wrapper;
     } opts;
 };
 
diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c
index e0c0cbf6..951bd7b1 100644
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
@@ -1,13 +1,14 @@
 /*
  * pkd_hello.c --
  *
- * (c) 2014, 2017 Jon Simons <jon@xxxxxxxxxxxxx>
+ * (c) 2014, 2017-2018 Jon Simons <jon@xxxxxxxxxxxxx>
  */
 #include "config.h"
 
 #include <setjmp.h> // for cmocka
 #include <stdarg.h> // for cmocka
 #include <stdio.h>
+#include <stdlib.h>
 #include <unistd.h> // for cmocka
 #include <cmocka.h>
 
@@ -51,6 +52,8 @@ static struct argp_option options[] = {
       "Run each test for the given number of iterations (default is 10)", 0 },
     { "match", 'm', "testmatch", 0,
       "Run all tests with the given string", 0 },
+    { "socket-wrapper-dir", 'w', "<mkdtemp-template>", 0,
+      "Run in socket-wrapper mode using the given mkdtemp directory template", 0 },
     { "stdout", 'o', NULL, 0,
       "Emit pkd stdout messages", 0 },
     { "test", 't', "testname", 0,
@@ -87,6 +90,9 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state) {
     case 'v':
         pkd_dargs.opts.libssh_log_level += 1;
         break;
+    case 'w':
+        pkd_dargs.opts.socket_wrapper.mkdtemp_str = arg;
+        break;
     default:
         return ARGP_ERR_UNKNOWN;
     }
@@ -651,6 +657,75 @@ static int pkd_run_tests(void) {
     return rc;
 }
 
+static int pkd_init_socket_wrapper(void) {
+    int rc = 0;
+    char *mkdtemp_str = NULL;
+
+    if (pkd_dargs.opts.socket_wrapper.mkdtemp_str == NULL) {
+        goto out;
+    }
+
+    mkdtemp_str = strdup(pkd_dargs.opts.socket_wrapper.mkdtemp_str);
+    if (mkdtemp_str == NULL) {
+        fprintf(stderr, "pkd_init_socket_wrapper strdup failed\n");
+        goto errstrdup;
+    }
+    pkd_dargs.opts.socket_wrapper.mkdtemp_str = mkdtemp_str;
+
+    if (mkdtemp(mkdtemp_str) == NULL) {
+        fprintf(stderr, "pkd_init_socket_wrapper mkdtemp '%s' failed\n", mkdtemp_str);
+        goto errmkdtemp;
+    }
+
+    if (setenv("SOCKET_WRAPPER_DIR", mkdtemp_str, 1) != 0) {
+        fprintf(stderr, "pkd_init_socket_wrapper setenv failed\n");
+        goto errsetenv;
+    }
+
+    goto out;
+errsetenv:
+errmkdtemp:
+    free(mkdtemp_str);
+errstrdup:
+    rc = -1;
+out:
+    return rc;
+}
+
+static int pkd_rmfiles(const char *path) {
+    char bin[1024] = { 0 };
+    snprintf(&bin[0], sizeof(bin), "rm -f %s/*", path);
+    return system_checked(bin);
+}
+
+static int pkd_cleanup_socket_wrapper(void) {
+    int rc = 0;
+
+    if (pkd_dargs.opts.socket_wrapper.mkdtemp_str == NULL) {
+        goto out;
+    }
+
+    /* clean up socket-wrapper unix domain sockets */
+    if (pkd_rmfiles(pkd_dargs.opts.socket_wrapper.mkdtemp_str) != 0) {
+        fprintf(stderr, "pkd_cleanup_socket_wrapper pkd_rmfiles '%s' failed\n",
+                        pkd_dargs.opts.socket_wrapper.mkdtemp_str);
+        goto errrmfiles;
+    }
+
+    if (rmdir(pkd_dargs.opts.socket_wrapper.mkdtemp_str) != 0) {
+        fprintf(stderr, "pkd_cleanup_socket_wrapper rmdir '%s' failed\n",
+                        pkd_dargs.opts.socket_wrapper.mkdtemp_str);
+        goto errrmdir;
+    }
+
+    goto out;
+errrmdir:
+errrmfiles:
+    rc = -1;
+out:
+    return rc;
+}
+
 int main(int argc, char **argv) {
     int i = 0;
     int rc = 0;
@@ -670,6 +745,12 @@ int main(int argc, char **argv) {
     (void) argc;  (void) argv;
 #endif /* HAVE_ARGP_H */
 
+    rc = pkd_init_socket_wrapper();
+    if (rc != 0) {
+        fprintf(stderr, "pkd_init_socket_wrapper failed: %d\n", rc);
+        goto out_finalize;
+    }
+
     if (pkd_dargs.opts.list != 0) {
         while (testmap[i].testname != NULL) {
             printf("%s\n", testmap[i++].testname);
@@ -681,6 +762,12 @@ int main(int argc, char **argv) {
         }
     }
 
+    rc = pkd_cleanup_socket_wrapper();
+    if (rc != 0) {
+        fprintf(stderr, "pkd_cleanup_socket_wrapper failed: %d\n", rc);
+    }
+
+out_finalize:
     rc = ssh_finalize();
     if (rc != 0) {
         fprintf(stderr, "ssh_finalize: %d\n", rc);
-- 
2.14.1


From 59360c0efa36ec882116612b6fab3d8221455d57 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Date: Wed, 28 Feb 2018 10:24:51 -0600
Subject: [PATCH 10/27] external: Add ChaCha and Poly1305 implementations from
 OpenSSH

Signed-off-by: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Reviewed-by: Andreas Schneider <asn@xxxxxxxxx>
---
 ConfigureChecks.cmake     |   1 +
 config.h.cmake            |   3 +
 include/libssh/chacha.h   |  32 +++++++
 include/libssh/poly1305.h |  18 ++++
 src/CMakeLists.txt        |   2 +
 src/external/chacha.c     | 218 ++++++++++++++++++++++++++++++++++++++++++++++
 src/external/poly1305.c   | 156 +++++++++++++++++++++++++++++++++
 7 files changed, 430 insertions(+)
 create mode 100644 include/libssh/chacha.h
 create mode 100644 include/libssh/poly1305.h
 create mode 100644 src/external/chacha.c
 create mode 100644 src/external/poly1305.c

diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index 4f0ecf8a..2e1348f1 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -56,6 +56,7 @@ check_include_file(pty.h HAVE_PTY_H)
 check_include_file(utmp.h HAVE_UTMP_H)
 check_include_file(termios.h HAVE_TERMIOS_H)
 check_include_file(unistd.h HAVE_UNISTD_H)
+check_include_file(stdint.h HAVE_STDINT_H)
 check_include_file(util.h HAVE_UTIL_H)
 check_include_file(libutil.h HAVE_LIBUTIL_H)
 check_include_file(sys/time.h HAVE_SYS_TIME_H)
diff --git a/config.h.cmake b/config.h.cmake
index 50a50ed7..e8786b1e 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -50,6 +50,9 @@
 /* Define to 1 if you have the <unistd.h> header file. */
 #cmakedefine HAVE_UNISTD_H 1
 
+/* Define to 1 if you have the <stdint.h> header file. */
+#cmakedefine HAVE_STDINT_H 1
+
 /* Define to 1 if you have the <openssl/aes.h> header file. */
 #cmakedefine HAVE_OPENSSL_AES_H 1
 
diff --git a/include/libssh/chacha.h b/include/libssh/chacha.h
new file mode 100644
index 00000000..84ff66a2
--- /dev/null
+++ b/include/libssh/chacha.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: chacha.h,v 1.3 2014/05/02 03:27:54 djm Exp $ */
+
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+#ifndef CHACHA_H
+#define CHACHA_H
+
+struct chacha_ctx {
+    uint32_t input[16];
+};
+
+#define CHACHA_MINKEYLEN  16
+#define CHACHA_NONCELEN   8
+#define CHACHA_CTRLEN     8
+#define CHACHA_STATELEN   (CHACHA_NONCELEN+CHACHA_CTRLEN)
+#define CHACHA_BLOCKLEN   64
+
+void chacha_keysetup(struct chacha_ctx *x, const uint8_t *k, uint32_t kbits)
+    __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
+void chacha_ivsetup(struct chacha_ctx *x, const uint8_t *iv, const uint8_t *ctr)
+    __attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
+    __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
+void chacha_encrypt_bytes(struct chacha_ctx *x, const uint8_t *m,
+    uint8_t *c, uint32_t bytes)
+    __attribute__((__bounded__(__buffer__, 2, 4)))
+    __attribute__((__bounded__(__buffer__, 3, 4)));
+
+#endif    /* CHACHA_H */
diff --git a/include/libssh/poly1305.h b/include/libssh/poly1305.h
new file mode 100644
index 00000000..7126ecbf
--- /dev/null
+++ b/include/libssh/poly1305.h
@@ -0,0 +1,18 @@
+/*
+ * Public Domain poly1305 from Andrew Moon
+ * poly1305-donna-unrolled.c from https://github.com/floodyberry/poly1305-donna
+ */
+
+#ifndef POLY1305_H
+#define POLY1305_H
+
+#define POLY1305_KEYLEN    32
+#define POLY1305_TAGLEN    16
+
+void poly1305_auth(uint8_t out[POLY1305_TAGLEN], const uint8_t *m, size_t inlen,
+    const uint8_t key[POLY1305_KEYLEN])
+    __attribute__((__bounded__(__minbytes__, 1, POLY1305_TAGLEN)))
+    __attribute__((__bounded__(__buffer__, 2, 3)))
+    __attribute__((__bounded__(__minbytes__, 4, POLY1305_KEYLEN)));
+
+#endif	/* POLY1305_H */
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 7ecee06c..edbf3520 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -158,9 +158,11 @@ set(libssh_SRCS
   wrapper.c
   external/bcrypt_pbkdf.c
   external/blowfish.c
+  external/chacha.c
   external/ed25519.c
   external/fe25519.c
   external/ge25519.c
+  external/poly1305.c
   external/sc25519.c
 )
 
diff --git a/src/external/chacha.c b/src/external/chacha.c
new file mode 100644
index 00000000..062aafb8
--- /dev/null
+++ b/src/external/chacha.c
@@ -0,0 +1,218 @@
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+ */
+
+#include <stdint.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#include "libssh/chacha.h"
+
+typedef unsigned int uint32_t;
+
+typedef struct chacha_ctx chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((uint8_t)(v) & U8C(0xFF))
+#define U32V(v) ((uint32_t)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+        (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+        (((uint32_t)((p)[0])      ) | \
+         ((uint32_t)((p)[1]) <<  8) | \
+         ((uint32_t)((p)[2]) << 16) | \
+         ((uint32_t)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+        do { \
+            (p)[0] = U8V((v)      ); \
+            (p)[1] = U8V((v) >>  8); \
+            (p)[2] = U8V((v) >> 16); \
+            (p)[3] = U8V((v) >> 24); \
+        } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+        a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+        c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+        a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+        c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const char sigma[16] = "expand 32-byte k";
+static const char tau[16] = "expand 16-byte k";
+
+void
+chacha_keysetup(chacha_ctx *x,const uint8_t *k,uint32_t kbits)
+{
+    const char *constants;
+
+    x->input[4] = U8TO32_LITTLE(k + 0);
+    x->input[5] = U8TO32_LITTLE(k + 4);
+    x->input[6] = U8TO32_LITTLE(k + 8);
+    x->input[7] = U8TO32_LITTLE(k + 12);
+    if (kbits == 256) { /* recommended */
+        k += 16;
+        constants = sigma;
+    } else { /* kbits == 128 */
+        constants = tau;
+    }
+    x->input[8] = U8TO32_LITTLE(k + 0);
+    x->input[9] = U8TO32_LITTLE(k + 4);
+    x->input[10] = U8TO32_LITTLE(k + 8);
+    x->input[11] = U8TO32_LITTLE(k + 12);
+    x->input[0] = U8TO32_LITTLE(constants + 0);
+    x->input[1] = U8TO32_LITTLE(constants + 4);
+    x->input[2] = U8TO32_LITTLE(constants + 8);
+    x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+void
+chacha_ivsetup(chacha_ctx *x, const uint8_t *iv, const uint8_t *counter)
+{
+    x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
+    x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
+    x->input[14] = U8TO32_LITTLE(iv + 0);
+    x->input[15] = U8TO32_LITTLE(iv + 4);
+}
+
+void
+chacha_encrypt_bytes(chacha_ctx *x,const uint8_t *m,uint8_t *c,uint32_t bytes)
+{
+    uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+    uint32_t j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+    uint8_t *ctarget = NULL;
+    uint8_t tmp[64];
+    u_int i;
+
+    if (!bytes) return;
+
+    j0 = x->input[0];
+    j1 = x->input[1];
+    j2 = x->input[2];
+    j3 = x->input[3];
+    j4 = x->input[4];
+    j5 = x->input[5];
+    j6 = x->input[6];
+    j7 = x->input[7];
+    j8 = x->input[8];
+    j9 = x->input[9];
+    j10 = x->input[10];
+    j11 = x->input[11];
+    j12 = x->input[12];
+    j13 = x->input[13];
+    j14 = x->input[14];
+    j15 = x->input[15];
+
+    for (;;) {
+        if (bytes < 64) {
+            for (i = 0;i < bytes;++i) tmp[i] = m[i];
+            m = tmp;
+            ctarget = c;
+            c = tmp;
+        }
+        x0 = j0;
+        x1 = j1;
+        x2 = j2;
+        x3 = j3;
+        x4 = j4;
+        x5 = j5;
+        x6 = j6;
+        x7 = j7;
+        x8 = j8;
+        x9 = j9;
+        x10 = j10;
+        x11 = j11;
+        x12 = j12;
+        x13 = j13;
+        x14 = j14;
+        x15 = j15;
+        for (i = 20;i > 0;i -= 2) {
+            QUARTERROUND( x0, x4, x8,x12)
+                      QUARTERROUND( x1, x5, x9,x13)
+                      QUARTERROUND( x2, x6,x10,x14)
+                      QUARTERROUND( x3, x7,x11,x15)
+                      QUARTERROUND( x0, x5,x10,x15)
+                      QUARTERROUND( x1, x6,x11,x12)
+                      QUARTERROUND( x2, x7, x8,x13)
+                      QUARTERROUND( x3, x4, x9,x14)
+        }
+        x0 = PLUS(x0,j0);
+        x1 = PLUS(x1,j1);
+        x2 = PLUS(x2,j2);
+        x3 = PLUS(x3,j3);
+        x4 = PLUS(x4,j4);
+        x5 = PLUS(x5,j5);
+        x6 = PLUS(x6,j6);
+        x7 = PLUS(x7,j7);
+        x8 = PLUS(x8,j8);
+        x9 = PLUS(x9,j9);
+        x10 = PLUS(x10,j10);
+        x11 = PLUS(x11,j11);
+        x12 = PLUS(x12,j12);
+        x13 = PLUS(x13,j13);
+        x14 = PLUS(x14,j14);
+        x15 = PLUS(x15,j15);
+
+        x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+        x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+        x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+        x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+        x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+        x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+        x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+        x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+        x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+        x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+        x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+        x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+        x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+        x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+        x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+        x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+
+        j12 = PLUSONE(j12);
+        if (!j12) {
+            j13 = PLUSONE(j13);
+            /* stopping at 2^70 bytes per nonce is user's responsibility */
+        }
+
+        U32TO8_LITTLE(c + 0,x0);
+        U32TO8_LITTLE(c + 4,x1);
+        U32TO8_LITTLE(c + 8,x2);
+        U32TO8_LITTLE(c + 12,x3);
+        U32TO8_LITTLE(c + 16,x4);
+        U32TO8_LITTLE(c + 20,x5);
+        U32TO8_LITTLE(c + 24,x6);
+        U32TO8_LITTLE(c + 28,x7);
+        U32TO8_LITTLE(c + 32,x8);
+        U32TO8_LITTLE(c + 36,x9);
+        U32TO8_LITTLE(c + 40,x10);
+        U32TO8_LITTLE(c + 44,x11);
+        U32TO8_LITTLE(c + 48,x12);
+        U32TO8_LITTLE(c + 52,x13);
+        U32TO8_LITTLE(c + 56,x14);
+        U32TO8_LITTLE(c + 60,x15);
+
+        if (bytes <= 64) {
+            if (bytes < 64) {
+                for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+            }
+            x->input[12] = j12;
+            x->input[13] = j13;
+            return;
+        }
+        bytes -= 64;
+        c += 64;
+        m += 64;
+    }
+}
diff --git a/src/external/poly1305.c b/src/external/poly1305.c
new file mode 100644
index 00000000..916dd625
--- /dev/null
+++ b/src/external/poly1305.c
@@ -0,0 +1,156 @@
+/*
+ * Public Domain poly1305 from Andrew Moon
+ * poly1305-donna-unrolled.c from https://github.com/floodyberry/poly1305-donna
+ */
+
+#include "config.h"
+
+#include <stdint.h>
+#include <sys/types.h>
+
+#include "libssh/poly1305.h"
+
+#define mul32x32_64(a,b) ((uint64_t)(a) * (b))
+
+#define U8TO32_LE(p) \
+    (((uint32_t)((p)[0])) | \
+     ((uint32_t)((p)[1]) <<  8) | \
+     ((uint32_t)((p)[2]) << 16) | \
+     ((uint32_t)((p)[3]) << 24))
+
+#define U32TO8_LE(p, v) \
+    do { \
+        (p)[0] = (uint8_t)((v)); \
+        (p)[1] = (uint8_t)((v) >>  8); \
+        (p)[2] = (uint8_t)((v) >> 16); \
+        (p)[3] = (uint8_t)((v) >> 24); \
+    } while (0)
+
+void
+poly1305_auth(unsigned char out[POLY1305_TAGLEN], const unsigned char *m, size_t inlen, const unsigned char key[POLY1305_KEYLEN]) {
+    uint32_t t0,t1,t2,t3;
+    uint32_t h0,h1,h2,h3,h4;
+    uint32_t r0,r1,r2,r3,r4;
+    uint32_t s1,s2,s3,s4;
+    uint32_t b, nb;
+    size_t j;
+    uint64_t t[5];
+    uint64_t f0,f1,f2,f3;
+    uint32_t g0,g1,g2,g3,g4;
+    uint64_t c;
+    unsigned char mp[16];
+
+    /* clamp key */
+    t0 = U8TO32_LE(key+0);
+    t1 = U8TO32_LE(key+4);
+    t2 = U8TO32_LE(key+8);
+    t3 = U8TO32_LE(key+12);
+
+    /* precompute multipliers */
+    r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6;
+    r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12;
+    r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18;
+    r3 = t2 & 0x3f03fff; t3 >>= 8;
+    r4 = t3 & 0x00fffff;
+
+    s1 = r1 * 5;
+    s2 = r2 * 5;
+    s3 = r3 * 5;
+    s4 = r4 * 5;
+
+    /* init state */
+    h0 = 0;
+    h1 = 0;
+    h2 = 0;
+    h3 = 0;
+    h4 = 0;
+
+    /* full blocks */
+    if (inlen < 16) goto poly1305_donna_atmost15bytes;
+poly1305_donna_16bytes:
+    m += 16;
+    inlen -= 16;
+
+    t0 = U8TO32_LE(m-16);
+    t1 = U8TO32_LE(m-12);
+    t2 = U8TO32_LE(m-8);
+    t3 = U8TO32_LE(m-4);
+
+    h0 += t0 & 0x3ffffff;
+    h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
+    h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
+    h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
+    h4 += (t3 >> 8) | (1 << 24);
+
+
+poly1305_donna_mul:
+    t[0]  = mul32x32_64(h0,r0) + mul32x32_64(h1,s4) + mul32x32_64(h2,s3) + mul32x32_64(h3,s2) + mul32x32_64(h4,s1);
+    t[1]  = mul32x32_64(h0,r1) + mul32x32_64(h1,r0) + mul32x32_64(h2,s4) + mul32x32_64(h3,s3) + mul32x32_64(h4,s2);
+    t[2]  = mul32x32_64(h0,r2) + mul32x32_64(h1,r1) + mul32x32_64(h2,r0) + mul32x32_64(h3,s4) + mul32x32_64(h4,s3);
+    t[3]  = mul32x32_64(h0,r3) + mul32x32_64(h1,r2) + mul32x32_64(h2,r1) + mul32x32_64(h3,r0) + mul32x32_64(h4,s4);
+    t[4]  = mul32x32_64(h0,r4) + mul32x32_64(h1,r3) + mul32x32_64(h2,r2) + mul32x32_64(h3,r1) + mul32x32_64(h4,r0);
+
+                    h0 = (uint32_t)t[0] & 0x3ffffff; c =           (t[0] >> 26);
+    t[1] += c;      h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26);
+    t[2] += b;      h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26);
+    t[3] += b;      h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26);
+    t[4] += b;      h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26);
+    h0 += b * 5;
+
+    if (inlen >= 16) goto poly1305_donna_16bytes;
+
+    /* final bytes */
+poly1305_donna_atmost15bytes:
+    if (!inlen) goto poly1305_donna_finish;
+
+    for (j = 0; j < inlen; j++) mp[j] = m[j];
+    mp[j++] = 1;
+    for (; j < 16; j++)    mp[j] = 0;
+    inlen = 0;
+
+    t0 = U8TO32_LE(mp+0);
+    t1 = U8TO32_LE(mp+4);
+    t2 = U8TO32_LE(mp+8);
+    t3 = U8TO32_LE(mp+12);
+
+    h0 += t0 & 0x3ffffff;
+    h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
+    h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
+    h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
+    h4 += (t3 >> 8);
+
+    goto poly1305_donna_mul;
+
+poly1305_donna_finish:
+                 b = h0 >> 26; h0 = h0 & 0x3ffffff;
+    h1 +=     b; b = h1 >> 26; h1 = h1 & 0x3ffffff;
+    h2 +=     b; b = h2 >> 26; h2 = h2 & 0x3ffffff;
+    h3 +=     b; b = h3 >> 26; h3 = h3 & 0x3ffffff;
+    h4 +=     b; b = h4 >> 26; h4 = h4 & 0x3ffffff;
+    h0 += b * 5; b = h0 >> 26; h0 = h0 & 0x3ffffff;
+    h1 +=     b;
+
+    g0 = h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff;
+    g1 = h1 + b; b = g1 >> 26; g1 &= 0x3ffffff;
+    g2 = h2 + b; b = g2 >> 26; g2 &= 0x3ffffff;
+    g3 = h3 + b; b = g3 >> 26; g3 &= 0x3ffffff;
+    g4 = h4 + b - (1 << 26);
+
+    b = (g4 >> 31) - 1;
+    nb = ~b;
+    h0 = (h0 & nb) | (g0 & b);
+    h1 = (h1 & nb) | (g1 & b);
+    h2 = (h2 & nb) | (g2 & b);
+    h3 = (h3 & nb) | (g3 & b);
+    h4 = (h4 & nb) | (g4 & b);
+
+    f0 = ((h0      ) | (h1 << 26)) + (uint64_t)U8TO32_LE(&key[16]);
+    f1 = ((h1 >>  6) | (h2 << 20)) + (uint64_t)U8TO32_LE(&key[20]);
+    f2 = ((h2 >> 12) | (h3 << 14)) + (uint64_t)U8TO32_LE(&key[24]);
+    f3 = ((h3 >> 18) | (h4 <<  8)) + (uint64_t)U8TO32_LE(&key[28]);
+
+    U32TO8_LE(&out[ 0], f0); f1 += (f0 >> 32);
+    U32TO8_LE(&out[ 4], f1); f2 += (f1 >> 32);
+    U32TO8_LE(&out[ 8], f2); f3 += (f2 >> 32);
+    U32TO8_LE(&out[12], f3);
+}
-- 
2.14.1


From b59ec47b8672759490507194f29b33ae22ac5cd3 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Date: Wed, 28 Feb 2018 10:24:52 -0600
Subject: [PATCH 11/27] cmake: detect "bounded" compiler attribute

Signed-off-by: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Reviewed-by: Andreas Schneider <asn@xxxxxxxxxxxxxx>
---
 ConfigureChecks.cmake     |  5 +++++
 config.h.cmake            |  2 ++
 include/libssh/chacha.h   | 15 ++++++++++++---
 include/libssh/poly1305.h |  5 ++++-
 4 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index 2e1348f1..fd8ff136 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -327,6 +327,11 @@ int main(void) {
 }" HAVE_COMPILER__FUNCTION__)
 
 
+check_c_source_compiles("
+void chacha_keysetup(struct chacha_ctx *x, const u_char *k, u_int kbits)
+    __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
+int main(void) { return 0; }" HAVE_GCC_BOUNDED_ATTRIBUTE)
+
 if (WITH_DEBUG_CRYPTO)
   set(DEBUG_CRYPTO 1)
 endif (WITH_DEBUG_CRYPTO)
diff --git a/config.h.cmake b/config.h.cmake
index e8786b1e..61d20acb 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -199,6 +199,8 @@
 #cmakedefine HAVE_COMPILER__FUNC__ 1
 #cmakedefine HAVE_COMPILER__FUNCTION__ 1
 
+#cmakedefine HAVE_GCC_BOUNDED_ATTRIBUTE 1
+
 /* Define to 1 if you want to enable GSSAPI */
 #cmakedefine WITH_GSSAPI 1
 
diff --git a/include/libssh/chacha.h b/include/libssh/chacha.h
index 84ff66a2..bac78c67 100644
--- a/include/libssh/chacha.h
+++ b/include/libssh/chacha.h
@@ -20,13 +20,22 @@ struct chacha_ctx {
 #define CHACHA_BLOCKLEN   64
 
 void chacha_keysetup(struct chacha_ctx *x, const uint8_t *k, uint32_t kbits)
-    __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
+#ifdef HAVE_GCC_BOUNDED_ATTRIBUTE
+    __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)))
+#endif
+    ;
 void chacha_ivsetup(struct chacha_ctx *x, const uint8_t *iv, const uint8_t *ctr)
+#ifdef HAVE_GCC_BOUNDED_ATTRIBUTE
     __attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
-    __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
+    __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)))
+#endif
+    ;
 void chacha_encrypt_bytes(struct chacha_ctx *x, const uint8_t *m,
     uint8_t *c, uint32_t bytes)
+#ifdef HAVE_GCC_BOUNDED_ATTRIBUTE
     __attribute__((__bounded__(__buffer__, 2, 4)))
-    __attribute__((__bounded__(__buffer__, 3, 4)));
+    __attribute__((__bounded__(__buffer__, 3, 4)))
+#endif
+    ;
 
 #endif    /* CHACHA_H */
diff --git a/include/libssh/poly1305.h b/include/libssh/poly1305.h
index 7126ecbf..9174bd17 100644
--- a/include/libssh/poly1305.h
+++ b/include/libssh/poly1305.h
@@ -11,8 +11,11 @@
 
 void poly1305_auth(uint8_t out[POLY1305_TAGLEN], const uint8_t *m, size_t inlen,
     const uint8_t key[POLY1305_KEYLEN])
+#ifdef HAVE_GCC_BOUNDED_ATTRIBUTE
     __attribute__((__bounded__(__minbytes__, 1, POLY1305_TAGLEN)))
     __attribute__((__bounded__(__buffer__, 2, 3)))
-    __attribute__((__bounded__(__minbytes__, 4, POLY1305_KEYLEN)));
+    __attribute__((__bounded__(__minbytes__, 4, POLY1305_KEYLEN)))
+#endif
+    ;
 
 #endif	/* POLY1305_H */
-- 
2.14.1


From 3241d735f9b948b50c4ce81435385141045283e0 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Date: Wed, 28 Feb 2018 10:24:53 -0600
Subject: [PATCH 12/27] chacha: packet encryption

Signed-off-by: Aris Adamantiadis <aris@xxxxxxxxxxxx>
---
 include/libssh/crypto.h    |   6 +++
 include/libssh/libcrypto.h |   1 +
 include/libssh/wrapper.h   |   3 +-
 src/CMakeLists.txt         |   1 +
 src/chachapoly.c           | 126 +++++++++++++++++++++++++++++++++++++++++++++
 src/dh.c                   |   3 ++
 src/kex.c                  |   4 +-
 src/libcrypto.c            |  21 +++++++-
 src/packet.c               |  43 +++++++++++-----
 src/packet_crypt.c         |  46 ++++++++++-------
 src/wrapper.c              |  96 ++++++++++++++++++++++++----------
 11 files changed, 288 insertions(+), 62 deletions(-)
 create mode 100644 src/chachapoly.c

diff --git a/include/libssh/crypto.h b/include/libssh/crypto.h
index fab39ed1..e6e5b8f6 100644
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@@ -128,10 +128,12 @@ struct ssh_cipher_struct {
     const char *name; /* ssh name of the algorithm */
     unsigned int blocksize; /* blocksize of the algo */
     enum ssh_cipher_e ciphertype;
+    uint32_t lenfield_blocksize; /* blocksize of the packet length field */
 #ifdef HAVE_LIBGCRYPT
     size_t keylen; /* length of the key structure */
     gcry_cipher_hd_t *key;
 #elif defined HAVE_LIBCRYPTO
+    size_t keylen; /* length of the key structure */
     struct ssh_3des_key_schedule *des3_key;
     struct ssh_aes_key_schedule *aes_key;
     const EVP_CIPHER *cipher;
@@ -141,7 +143,9 @@ struct ssh_cipher_struct {
     mbedtls_cipher_context_t decrypt_ctx;
     mbedtls_cipher_type_t type;
 #endif
+    struct chacha20_poly1305_keysched *chacha20_schedule;
     unsigned int keysize; /* bytes of key used. != keylen */
+    size_t tag_size; /* overhead required for tag */
     /* sets the new key for immediate use */
     int (*set_encrypt_key)(struct ssh_cipher_struct *cipher, void *key, void *IV);
     int (*set_decrypt_key)(struct ssh_cipher_struct *cipher, void *key, void *IV);
@@ -149,6 +153,8 @@ struct ssh_cipher_struct {
         unsigned long len);
     void (*decrypt)(struct ssh_cipher_struct *cipher, void *in, void *out,
         unsigned long len);
+    void (*aead_encrypt)(struct ssh_cipher_struct *cipher, void *in, void *out,
+        size_t len, uint8_t *mac, uint64_t seq);
     void (*cleanup)(struct ssh_cipher_struct *cipher);
 };
 
diff --git a/include/libssh/libcrypto.h b/include/libssh/libcrypto.h
index 6a08837a..4b8e5414 100644
--- a/include/libssh/libcrypto.h
+++ b/include/libssh/libcrypto.h
@@ -95,6 +95,7 @@ SHA512CTX sha512_init(void);
 void sha512_update(SHA512CTX c, const void *data, unsigned long len);
 void sha512_final(unsigned char *md, SHA512CTX c);
 
+void libcrypto_init(void);
 struct ssh_cipher_struct *ssh_get_ciphertab(void);
 
 #endif /* HAVE_LIBCRYPTO */
diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h
index 6b6cf0b1..c23c9061 100644
--- a/include/libssh/wrapper.h
+++ b/include/libssh/wrapper.h
@@ -39,7 +39,8 @@ enum ssh_hmac_e {
   SSH_HMAC_SHA256,
   SSH_HMAC_SHA384,
   SSH_HMAC_SHA512,
-  SSH_HMAC_MD5
+  SSH_HMAC_MD5,
+  SSH_HMAC_AEAD_POLY1305
 };
 
 enum ssh_des_e {
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index edbf3520..90e44253 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -122,6 +122,7 @@ set(libssh_SRCS
   bignum.c
   buffer.c
   callbacks.c
+  chachapoly.c
   channels.c
   client.c
   config.c
diff --git a/src/chachapoly.c b/src/chachapoly.c
new file mode 100644
index 00000000..16032179
--- /dev/null
+++ b/src/chachapoly.c
@@ -0,0 +1,126 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2015 by Aris Adamantiadis
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include "libssh/libssh.h"
+#include "libssh/crypto.h"
+#include "libssh/chacha.h"
+#include "libssh/poly1305.h"
+#include "libssh/misc.h"
+
+/* size of the keys k1 and k2 as defined in specs */
+#define CHACHA20_KEYLEN 32
+struct chacha20_poly1305_keysched {
+    /* key used for encrypting the length field*/
+    struct chacha_ctx k1;
+    /* key used for encrypting the packets */
+    struct chacha_ctx k2;
+};
+
+#pragma pack(push, 1)
+struct ssh_packet_header {
+    uint32_t length;
+    uint8_t payload[];
+};
+#pragma pack(pop)
+
+const uint8_t zero_block_counter[8] = {0, 0, 0, 0, 0, 0, 0, 0};
+const uint8_t payload_block_counter[8] = {1, 0, 0, 0, 0, 0, 0, 0};
+
+static int chacha20_set_encrypt_key(struct ssh_cipher_struct *cipher,
+                                    void *key,
+                                    void *IV)
+{
+    struct chacha20_poly1305_keysched *sched;
+    uint8_t *u8key = key;
+    (void)IV;
+
+    if (cipher->chacha20_schedule == NULL) {
+        sched = malloc(sizeof *sched);
+        if (sched == NULL){
+            return -1;
+        }
+    } else {
+        sched = cipher->chacha20_schedule;
+    }
+
+    chacha_keysetup(&sched->k2, u8key, CHACHA20_KEYLEN * 8);
+    chacha_keysetup(&sched->k1, u8key + CHACHA20_KEYLEN, CHACHA20_KEYLEN * 8);
+    cipher->chacha20_schedule = sched;
+
+    return 0;
+}
+
+/**
+ * @internal
+ *
+ * @brief encrypts an outgoing packet with chacha20 and authenticate it
+ * with poly1305.
+ */
+static void chacha20_poly1305_aead_encrypt(struct ssh_cipher_struct *cipher,
+                                           void *in,
+                                           void *out,
+                                           size_t len,
+                                           uint8_t *tag,
+                                           uint64_t seq)
+{
+    struct ssh_packet_header *in_packet = in, *out_packet = out;
+    uint8_t poly1305_ctx[POLY1305_KEYLEN] = {0};
+    struct chacha20_poly1305_keysched *keys = cipher->chacha20_schedule;
+
+    seq = htonll(seq);
+    /* step 1, prepare the poly1305 key */
+    chacha_ivsetup(&keys->k2, (uint8_t *)&seq, zero_block_counter);
+    chacha_encrypt_bytes(&keys->k2,
+                         poly1305_ctx,
+                         poly1305_ctx,
+                         POLY1305_KEYLEN);
+
+    /* step 2, encrypt length field */
+    chacha_ivsetup(&keys->k1, (uint8_t *)&seq, zero_block_counter);
+    chacha_encrypt_bytes(&keys->k1,
+                         (uint8_t *)&in_packet->length,
+                         (uint8_t *)&out_packet->length,
+                         sizeof(uint32_t));
+
+    /* step 3, encrypt packet payload */
+    chacha_ivsetup(&keys->k2, (uint8_t *)&seq, payload_block_counter);
+    chacha_encrypt_bytes(&keys->k2,
+                         in_packet->payload,
+                         out_packet->payload,
+                         len - sizeof(uint32_t));
+
+    /* step 4, compute the MAC */
+    poly1305_auth(tag, (uint8_t *)out_packet, len, poly1305_ctx);
+}
+
+const struct ssh_cipher_struct chacha20poly1305_cipher = {
+    .name = "chacha20-poly1305@xxxxxxxxxxx",
+    .blocksize = 8,
+    .lenfield_blocksize = 4,
+    .keylen = sizeof(struct chacha20_poly1305_keysched),
+    .keysize = 512,
+    .tag_size = POLY1305_TAGLEN,
+    .set_encrypt_key = chacha20_set_encrypt_key,
+    .set_decrypt_key = chacha20_set_encrypt_key,
+    .aead_encrypt = chacha20_poly1305_aead_encrypt,
+};
diff --git a/src/dh.c b/src/dh.c
index c3de5b99..2bc0a9d6 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -68,6 +68,7 @@
 #include <openssl/rand.h>
 #include <openssl/evp.h>
 #include <openssl/err.h>
+#include "libssh/libcrypto.h"
 #endif
 
 static unsigned char p_group1_value[] = {
@@ -210,6 +211,8 @@ int ssh_crypto_init(void) {
     bignum_bin2bn(p_group14_value, P_GROUP14_LEN, p_group14);
 
     OpenSSL_add_all_algorithms();
+
+    libcrypto_init();
 #elif defined HAVE_LIBMBEDCRYPTO
     p_group1 = bignum_new();
     bignum_bin2bn(p_group1_value, P_GROUP1_LEN, p_group1);
diff --git a/src/kex.c b/src/kex.c
index b658ed44..20044c32 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -95,6 +95,8 @@
 #define ECDH ""
 #endif
 
+#define CHACHA20 "chacha20-poly1305@xxxxxxxxxxx,"
+
 #define KEY_EXCHANGE CURVE25519 ECDH "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
 #define KEX_METHODS_SIZE 10
 
@@ -117,7 +119,7 @@ static const char *default_methods[] = {
 static const char *supported_methods[] = {
   KEY_EXCHANGE,
   HOSTKEYS,
-  AES BLOWFISH DES_SUPPORTED,
+  CHACHA20 AES BLOWFISH DES_SUPPORTED,
   AES BLOWFISH DES_SUPPORTED,
   "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
   "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
diff --git a/src/libcrypto.c b/src/libcrypto.c
index 66453666..982c9c84 100644
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -60,6 +60,7 @@
 
 #include "libssh/crypto.h"
 
+extern const struct ssh_cipher_struct chacha20poly1305_cipher;
 struct ssh_mac_ctx_struct {
   enum ssh_mac_e mac_type;
   union {
@@ -860,11 +861,30 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
     .cleanup = des_cleanup
   },
 #endif /* HAS_DES */
+  {
+    .name = "chacha20-poly1305@xxxxxxxxxxx"
+  },
   {
     .name = NULL
   }
 };
 
+void libcrypto_init(void)
+{
+    size_t i;
+
+    for (i = 0; ssh_ciphertab[i].name != NULL; i++) {
+        int cmp;
+
+        cmp = strcmp(ssh_ciphertab[i].name, "chacha20-poly1305@xxxxxxxxxxx");
+        if (cmp == 0) {
+            memcpy(&ssh_ciphertab[i],
+                   &chacha20poly1305_cipher,
+                   sizeof(struct ssh_cipher_struct));
+            break;
+        }
+    }
+}
 
 struct ssh_cipher_struct *ssh_get_ciphertab(void)
 {
@@ -872,4 +892,3 @@ struct ssh_cipher_struct *ssh_get_ciphertab(void)
 }
 
 #endif /* LIBCRYPTO */
-
diff --git a/src/packet.c b/src/packet.c
index b66e3d22..f6fb6bff 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -555,6 +555,8 @@ static int ssh_packet_write(ssh_session session) {
 static int packet_send2(ssh_session session) {
   unsigned int blocksize = (session->current_crypto ?
       session->current_crypto->out_cipher->blocksize : 8);
+  unsigned int lenfield_blocksize = (session->current_crypto ?
+      session->current_crypto->out_cipher->lenfield_blocksize : 0);
   enum ssh_hmac_e hmac_type = (session->current_crypto ?
       session->current_crypto->out_hmac : session->next_crypto->out_hmac);
   uint32_t currentlen = ssh_buffer_get_len(session->out_buffer);
@@ -563,8 +565,7 @@ static int packet_send2(ssh_session session) {
   int rc = SSH_ERROR;
   uint32_t finallen,payloadsize,compsize;
   uint8_t padding;
-
-  uint8_t header[sizeof(padding) + sizeof(finallen)] = { 0 };
+  ssh_buffer header_buffer = ssh_buffer_new();
 
   payloadsize = currentlen;
 #ifdef WITH_ZLIB
@@ -578,20 +579,30 @@ static int packet_send2(ssh_session session) {
   }
 #endif /* WITH_ZLIB */
   compsize = currentlen;
-  padding = (blocksize - ((currentlen +5) % blocksize));
+  /* compressed payload + packet len (4) + padding len (1) */
+  /* totallen - lenfield_blocksize must be equal to 0 (mod blocksize) */
+  padding = (blocksize - ((blocksize - lenfield_blocksize + currentlen + 5) % blocksize));
   if(padding < 4) {
     padding += blocksize;
   }
 
-  if (session->current_crypto) {
+  if (session->current_crypto != NULL) {
     ssh_get_random(padstring, padding, 0);
   }
 
-  finallen = htonl(currentlen + padding + 1);
+  if (header_buffer == NULL){
+    ssh_set_error_oom(session);
+    goto error;
+  }
+  finallen = currentlen + padding + 1;
+  rc = ssh_buffer_pack(header_buffer, "db", finallen, padding);
+  if (rc == SSH_ERROR){
+    goto error;
+  }
 
-  memcpy(&header[0], &finallen, sizeof(finallen));
-  header[sizeof(finallen)] = padding;
-  rc = ssh_buffer_prepend_data(session->out_buffer, &header, sizeof(header));
+  rc = ssh_buffer_prepend_data(session->out_buffer,
+                               ssh_buffer_get(header_buffer),
+                               ssh_buffer_get_len(header_buffer));
   if (rc < 0) {
     goto error;
   }
@@ -600,10 +611,12 @@ static int packet_send2(ssh_session session) {
     goto error;
   }
 #ifdef WITH_PCAP
-  if(session->pcap_ctx){
-  	ssh_pcap_context_write(session->pcap_ctx,SSH_PCAP_DIR_OUT,
-  			ssh_buffer_get(session->out_buffer),ssh_buffer_get_len(session->out_buffer)
-  			,ssh_buffer_get_len(session->out_buffer));
+  if (session->pcap_ctx) {
+      ssh_pcap_context_write(session->pcap_ctx,
+                             SSH_PCAP_DIR_OUT,
+                             ssh_buffer_get(session->out_buffer),
+                             ssh_buffer_get_len(session->out_buffer),
+                             ssh_buffer_get_len(session->out_buffer));
   }
 #endif
   hmac = ssh_packet_encrypt(session, ssh_buffer_get(session->out_buffer),
@@ -624,12 +637,14 @@ static int packet_send2(ssh_session session) {
 
   SSH_LOG(SSH_LOG_PACKET,
           "packet: wrote [len=%d,padding=%hhd,comp=%d,payload=%d]",
-          ntohl(finallen), padding, compsize, payloadsize);
+          finallen, padding, compsize, payloadsize);
   if (ssh_buffer_reinit(session->out_buffer) < 0) {
     rc = SSH_ERROR;
   }
 error:
-
+  if (header_buffer != NULL) {
+      ssh_buffer_free(header_buffer);
+  }
   return rc; /* SSH_OK, AGAIN or ERROR */
 }
 
diff --git a/src/packet_crypt.c b/src/packet_crypt.c
index 7a30e661..5bcb6d65 100644
--- a/src/packet_crypt.c
+++ b/src/packet_crypt.c
@@ -93,7 +93,7 @@ unsigned char *ssh_packet_encrypt(ssh_session session, void *data, uint32_t len)
   if (!session->current_crypto) {
     return NULL; /* nothing to do here */
   }
-  if(len % session->current_crypto->in_cipher->blocksize != 0){
+  if((len - session->current_crypto->out_cipher->lenfield_blocksize) % session->current_crypto->out_cipher->blocksize != 0){
       ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len);
       return NULL;
   }
@@ -106,26 +106,36 @@ unsigned char *ssh_packet_encrypt(ssh_session session, void *data, uint32_t len)
   seq = ntohl(session->send_seq);
   crypto = session->current_crypto->out_cipher;
 
-  if (session->version == 2) {
-    ctx = hmac_init(session->current_crypto->encryptMAC, hmac_digest_len(type), type);
-    if (ctx == NULL) {
-      SAFE_FREE(out);
-      return NULL;
-    }
-    hmac_update(ctx,(unsigned char *)&seq,sizeof(uint32_t));
-    hmac_update(ctx,data,len);
-    hmac_final(ctx,session->current_crypto->hmacbuf,&finallen);
+  if (crypto->aead_encrypt != NULL) {
+    crypto->aead_encrypt(crypto, data, out, len,
+            session->current_crypto->hmacbuf, session->send_seq);
+  } else {
+    if (session->version == 2) {
+      ctx = hmac_init(session->current_crypto->encryptMAC, hmac_digest_len(type), type);
+      if (ctx == NULL) {
+        SAFE_FREE(out);
+        return NULL;
+      }
+      hmac_update(ctx,(unsigned char *)&seq,sizeof(uint32_t));
+      hmac_update(ctx,data,len);
+      hmac_final(ctx,session->current_crypto->hmacbuf,&finallen);
+
+      if (crypto->set_encrypt_key(crypto, session->current_crypto->encryptkey,
+          session->current_crypto->encryptIV) < 0) {
+        SAFE_FREE(out);
+        return NULL;
+      }
+
 #ifdef DEBUG_CRYPTO
-    ssh_print_hexa("mac: ",data,hmac_digest_len(type));
-    if (finallen != hmac_digest_len(type)) {
-      printf("Final len is %d\n",finallen);
-    }
-    ssh_print_hexa("Packet hmac", session->current_crypto->hmacbuf, hmac_digest_len(type));
+      ssh_print_hexa("mac: ",data,hmac_digest_len(type));
+      if (finallen != hmac_digest_len(type)) {
+        printf("Final len is %d\n",finallen);
+      }
+      ssh_print_hexa("Packet hmac", session->current_crypto->hmacbuf, hmac_digest_len(type));
 #endif
-  }
-
+    }
   crypto->encrypt(crypto, data, out, len);
-
+  }
   memcpy(data, out, len);
   explicit_bzero(out, len);
   SAFE_FREE(out);
diff --git a/src/wrapper.c b/src/wrapper.c
index 16f93274..69484fff 100644
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -47,6 +47,7 @@
 #include "libssh/crypto.h"
 #include "libssh/wrapper.h"
 #include "libssh/pki.h"
+#include "libssh/poly1305.h"
 
 static struct ssh_hmac_struct ssh_hmac_tab[] = {
   { "hmac-sha1",     SSH_HMAC_SHA1 },
@@ -54,6 +55,7 @@ static struct ssh_hmac_struct ssh_hmac_tab[] = {
   { "hmac-sha2-384", SSH_HMAC_SHA384 },
   { "hmac-sha2-512", SSH_HMAC_SHA512 },
   { "hmac-md5",      SSH_HMAC_MD5 },
+  { "aead-poly1305", SSH_HMAC_AEAD_POLY1305 },
   { NULL,            0}
 };
 
@@ -73,6 +75,8 @@ size_t hmac_digest_len(enum ssh_hmac_e type) {
       return SHA512_DIGEST_LEN;
     case SSH_HMAC_MD5:
       return MD5_DIGEST_LEN;
+    case SSH_HMAC_AEAD_POLY1305:
+      return POLY1305_TAGLEN;
     default:
       return 0;
   }
@@ -124,6 +128,9 @@ void ssh_cipher_clear(struct ssh_cipher_struct *cipher){
     if (cipher->cleanup != NULL) {
         cipher->cleanup(cipher);
     }
+    if (cipher->chacha20_schedule != NULL){
+        SAFE_FREE(cipher->chacha20_schedule);
+    }
 }
 
 static void cipher_free(struct ssh_cipher_struct *cipher) {
@@ -247,9 +254,14 @@ static int crypt_set_algorithms2(ssh_session session){
   }
   i = 0;
 
-  /* we must scan the kex entries to find hmac algorithms and set their appropriate structure */
-  /* out */
-  wanted = session->next_crypto->kex_methods[SSH_MAC_C_S];
+  if (session->next_crypto->out_cipher->aead_encrypt != NULL){
+      /* this cipher has integrated MAC */
+      wanted = "aead-poly1305";
+  } else {
+      /* we must scan the kex entries to find hmac algorithms and set their appropriate structure */
+      /* out */
+      wanted = session->next_crypto->kex_methods[SSH_MAC_C_S];
+  }
   while (ssh_hmactab[i].name && strcmp(wanted, ssh_hmactab[i].name)) {
     i++;
   }
@@ -357,7 +369,7 @@ int crypt_set_algorithms(ssh_session session, enum ssh_des_e des_type) {
 
 #ifdef WITH_SERVER
 int crypt_set_algorithms_server(ssh_session session){
-    char *method = NULL;
+    const char *method = NULL;
     int i = 0;
     struct ssh_cipher_struct *ssh_ciphertab=ssh_get_ciphertab();
     struct ssh_hmac_struct   *ssh_hmactab=ssh_get_hmactab();
@@ -372,9 +384,17 @@ int crypt_set_algorithms_server(ssh_session session){
      */
     /* out */
     method = session->next_crypto->kex_methods[SSH_CRYPT_S_C];
-    while(ssh_ciphertab[i].name && strcmp(method,ssh_ciphertab[i].name))
-        i++;
-    if(!ssh_ciphertab[i].name){
+
+    for (i = 0; ssh_ciphertab[i].name != NULL; i++) {
+        int cmp;
+
+        cmp = strcmp(method, ssh_ciphertab[i].name);
+        if (cmp == 0) {
+          break;
+        }
+    }
+
+    if (ssh_ciphertab[i].name == NULL) {
         ssh_set_error(session,SSH_FATAL,"crypt_set_algorithms_server : "
                 "no crypto algorithm function found for %s",method);
         return SSH_ERROR;
@@ -387,26 +407,16 @@ int crypt_set_algorithms_server(ssh_session session){
         return SSH_ERROR;
     }
     i=0;
-    /* in */
-    method = session->next_crypto->kex_methods[SSH_CRYPT_C_S];
-    while(ssh_ciphertab[i].name && strcmp(method,ssh_ciphertab[i].name))
-        i++;
-    if(!ssh_ciphertab[i].name){
-        ssh_set_error(session,SSH_FATAL,"Crypt_set_algorithms_server :"
-                "no crypto algorithm function found for %s",method);
-        return SSH_ERROR;
-    }
-    SSH_LOG(SSH_LOG_PACKET,"Set input algorithm %s",method);
-
-    session->next_crypto->in_cipher = cipher_new(i);
-    if (session->next_crypto->in_cipher == NULL) {
-        ssh_set_error_oom(session);
-        return SSH_ERROR;
+    if (session->next_crypto->out_cipher->aead_encrypt != NULL){
+        /* this cipher has integrated MAC */
+        method = "aead-poly1305";
+    } else {
+        /* we must scan the kex entries to find hmac algorithms and set their appropriate structure */
+        /* out */
+        method = session->next_crypto->kex_methods[SSH_MAC_S_C];
     }
-    i=0;
-
     /* HMAC algorithm selection */
-    method = session->next_crypto->kex_methods[SSH_MAC_S_C];
+
     while (ssh_hmactab[i].name && strcmp(method, ssh_hmactab[i].name)) {
       i++;
     }
@@ -420,11 +430,43 @@ int crypt_set_algorithms_server(ssh_session session){
     SSH_LOG(SSH_LOG_PACKET, "Set HMAC output algorithm to %s", method);
 
     session->next_crypto->out_hmac = ssh_hmactab[i].hmac_type;
+
+    /* in */
+    i=0;
+    method = session->next_crypto->kex_methods[SSH_CRYPT_C_S];
+
+    for (i = 0; ssh_ciphertab[i].name; i++) {
+      int cmp;
+
+      cmp = strcmp(method, ssh_ciphertab[i].name);
+      if (cmp == 0) {
+        break;
+      }
+    }
+
+    if (ssh_ciphertab[i].name == NULL) {
+        ssh_set_error(session,SSH_FATAL,"Crypt_set_algorithms_server :"
+                "no crypto algorithm function found for %s",method);
+        return SSH_ERROR;
+    }
+    SSH_LOG(SSH_LOG_PACKET,"Set input algorithm %s",method);
+
+    session->next_crypto->in_cipher = cipher_new(i);
+    if (session->next_crypto->in_cipher == NULL) {
+        ssh_set_error_oom(session);
+        return SSH_ERROR;
+    }
     i=0;
 
     method = session->next_crypto->kex_methods[SSH_MAC_C_S];
-    while (ssh_hmactab[i].name && strcmp(method, ssh_hmactab[i].name)) {
-      i++;
+
+    for (i = 0; ssh_hmactab[i].name != NULL; i++) {
+      int cmp;
+
+      cmp = strcmp(method, ssh_hmactab[i].name);
+      if (cmp == 0) {
+        break;
+      }
     }
 
     if (ssh_hmactab[i].name == NULL) {
-- 
2.14.1


From 494cf5e8040fe4492c722dcad72b18ed19e8ccb6 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Date: Wed, 28 Feb 2018 10:24:54 -0600
Subject: [PATCH 13/27] chacha: packet decryption

Signed-off-by: Aris Adamantiadis <aris@xxxxxxxxxxxx>
---
 include/libssh/crypto.h |   4 ++
 include/libssh/packet.h |   5 +-
 src/chachapoly.c        |  76 +++++++++++++++++++++++++++++
 src/kex.c               |   2 +-
 src/packet.c            | 110 +++++++++++++++++++++---------------------
 src/packet_crypt.c      | 125 ++++++++++++++++++++++++++++++++++++------------
 src/wrapper.c           |  58 ++++++++++++++++------
 7 files changed, 276 insertions(+), 104 deletions(-)

diff --git a/include/libssh/crypto.h b/include/libssh/crypto.h
index e6e5b8f6..495a9c4c 100644
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@@ -155,6 +155,10 @@ struct ssh_cipher_struct {
         unsigned long len);
     void (*aead_encrypt)(struct ssh_cipher_struct *cipher, void *in, void *out,
         size_t len, uint8_t *mac, uint64_t seq);
+    int (*aead_decrypt_length)(struct ssh_cipher_struct *cipher, void *in,
+        uint8_t *out, size_t len, uint64_t seq);
+    int (*aead_decrypt)(struct ssh_cipher_struct *cipher, void *complete_packet, uint8_t *out,
+        size_t encrypted_size, uint64_t seq);
     void (*cleanup)(struct ssh_cipher_struct *cipher);
 };
 
diff --git a/include/libssh/packet.h b/include/libssh/packet.h
index 3a84eb70..b10308f7 100644
--- a/include/libssh/packet.h
+++ b/include/libssh/packet.h
@@ -78,8 +78,9 @@ void ssh_packet_set_default_callbacks(ssh_session session);
 void ssh_packet_process(ssh_session session, uint8_t type);
 
 /* PACKET CRYPT */
-uint32_t ssh_packet_decrypt_len(ssh_session session, char *crypted);
-int ssh_packet_decrypt(ssh_session session, void *packet, unsigned int len);
+uint32_t ssh_packet_decrypt_len(ssh_session session, uint8_t *destination, uint8_t *source);
+int ssh_packet_decrypt(ssh_session session, uint8_t *destination, uint8_t *source,
+        size_t start, size_t encrypted_size);
 unsigned char *ssh_packet_encrypt(ssh_session session,
                                   void *packet,
                                   unsigned int len);
diff --git a/src/chachapoly.c b/src/chachapoly.c
index 16032179..f3319b62 100644
--- a/src/chachapoly.c
+++ b/src/chachapoly.c
@@ -109,8 +109,82 @@ static void chacha20_poly1305_aead_encrypt(struct ssh_cipher_struct *cipher,
                          out_packet->payload,
                          len - sizeof(uint32_t));
 
+    /* ssh_print_hexa("poly1305_ctx", poly1305_ctx, sizeof(poly1305_ctx)); */
     /* step 4, compute the MAC */
     poly1305_auth(tag, (uint8_t *)out_packet, len, poly1305_ctx);
+    /* ssh_print_hexa("poly1305 src", (uint8_t *)out_packet, len);
+    ssh_print_hexa("poly1305 tag", tag, POLY1305_TAGLEN); */
+}
+
+static int chacha20_poly1305_aead_decrypt_length(
+        struct ssh_cipher_struct *cipher,
+        void *in,
+        uint8_t *out,
+        size_t len,
+        uint64_t seq)
+{
+    struct chacha20_poly1305_keysched *keys = cipher->chacha20_schedule;
+
+    if (len < sizeof(uint32_t)) {
+        return SSH_ERROR;
+    }
+    seq = htonll(seq);
+
+    chacha_ivsetup(&keys->k1, (uint8_t *)&seq, zero_block_counter);
+    chacha_encrypt_bytes(&keys->k1,
+                         in,
+                         (uint8_t *)out,
+                         sizeof(uint32_t));
+    return SSH_OK;
+}
+
+static int chacha20_poly1305_aead_decrypt(struct ssh_cipher_struct *cipher,
+                                          void *complete_packet,
+                                          uint8_t *out,
+                                          size_t encrypted_size,
+                                          uint64_t seq)
+{
+    uint8_t poly1305_ctx[POLY1305_KEYLEN] = {0};
+    uint8_t tag[POLY1305_TAGLEN] = {0};
+    struct chacha20_poly1305_keysched *keys = cipher->chacha20_schedule;
+    uint8_t *mac = (uint8_t *)complete_packet + sizeof(uint32_t) + encrypted_size;
+    int cmp;
+
+    seq = htonll(seq);
+
+    ZERO_STRUCT(poly1305_ctx);
+    chacha_ivsetup(&keys->k2, (uint8_t *)&seq, zero_block_counter);
+    chacha_encrypt_bytes(&keys->k2,
+                         poly1305_ctx,
+                         poly1305_ctx,
+                         POLY1305_KEYLEN);
+#if 0
+    ssh_print_hexa("poly1305_ctx", poly1305_ctx, sizeof(poly1305_ctx));
+#endif
+
+    poly1305_auth(tag, (uint8_t *)complete_packet, encrypted_size +
+            sizeof(uint32_t), poly1305_ctx);
+#if 0
+    ssh_print_hexa("poly1305 src",
+                   (uint8_t*)complete_packet,
+                   encrypted_size + 4);
+    ssh_print_hexa("poly1305 tag", tag, POLY1305_TAGLEN);
+    ssh_print_hexa("received tag", mac, POLY1305_TAGLEN);
+#endif
+
+    cmp = memcmp(tag, mac, POLY1305_TAGLEN);
+    if(cmp != 0) {
+        /* mac error */
+        SSH_LOG(SSH_LOG_PACKET,"poly1305 verify error");
+        return SSH_ERROR;
+    }
+    chacha_ivsetup(&keys->k2, (uint8_t *)&seq, payload_block_counter);
+    chacha_encrypt_bytes(&keys->k2,
+                         (uint8_t *)complete_packet + sizeof(uint32_t),
+                         out,
+                         encrypted_size);
+
+    return SSH_OK;
 }
 
 const struct ssh_cipher_struct chacha20poly1305_cipher = {
@@ -123,4 +197,6 @@ const struct ssh_cipher_struct chacha20poly1305_cipher = {
     .set_encrypt_key = chacha20_set_encrypt_key,
     .set_decrypt_key = chacha20_set_encrypt_key,
     .aead_encrypt = chacha20_poly1305_aead_encrypt,
+    .aead_decrypt_length = chacha20_poly1305_aead_decrypt_length,
+    .aead_decrypt = chacha20_poly1305_aead_decrypt
 };
diff --git a/src/kex.c b/src/kex.c
index 20044c32..00f4e00f 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -120,7 +120,7 @@ static const char *supported_methods[] = {
   KEY_EXCHANGE,
   HOSTKEYS,
   CHACHA20 AES BLOWFISH DES_SUPPORTED,
-  AES BLOWFISH DES_SUPPORTED,
+  CHACHA20 AES BLOWFISH DES_SUPPORTED,
   "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
   "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
   ZLIB,
diff --git a/src/packet.c b/src/packet.c
index f6fb6bff..7d3c14b1 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -144,20 +144,26 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
     ssh_session session= (ssh_session) user;
     unsigned int blocksize = (session->current_crypto ?
                               session->current_crypto->in_cipher->blocksize : 8);
-    unsigned char mac[DIGEST_MAX_LEN] = {0};
-    char buffer[16] = {0};
+    unsigned int lenfield_blocksize = (session->current_crypto ?
+                                  session->current_crypto->in_cipher->lenfield_blocksize : 8);
     size_t current_macsize = 0;
-    const uint8_t *packet;
+    uint8_t *ptr = NULL;
     int to_be_read;
     int rc;
-    uint32_t len, compsize, payloadsize;
+    uint8_t *cleartext_packet = NULL;
+    uint8_t *packet_second_block = NULL;
+    uint8_t *mac = NULL;
+    size_t packet_remaining;
+    uint32_t packet_len, compsize, payloadsize;
     uint8_t padding;
     size_t processed = 0; /* number of byte processed from the callback */
 
     if(session->current_crypto != NULL) {
       current_macsize = hmac_digest_len(session->current_crypto->in_hmac);
     }
-
+    if (lenfield_blocksize == 0) {
+        lenfield_blocksize = blocksize;
+    }
     if (data == NULL) {
         goto error;
     }
@@ -178,7 +184,7 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
 #endif
     switch(session->packet_state) {
         case PACKET_STATE_INIT:
-            if (receivedlen < blocksize) {
+            if (receivedlen < lenfield_blocksize) {
                 /*
                  * We didn't receive enough data to read at least one
                  * block size, give up
@@ -187,7 +193,7 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
                 SSH_LOG(SSH_LOG_PACKET,
                         "Waiting for more data (%zu < %zu)",
                         receivedlen,
-                        blocksize);
+                        lenfield_blocksize);
 #endif
                 return 0;
             }
@@ -206,24 +212,21 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
                 }
             }
 
-            memcpy(buffer, data, blocksize);
-            processed += blocksize;
-            len = ssh_packet_decrypt_len(session, buffer);
-
-            rc = ssh_buffer_add_data(session->in_buffer, buffer, blocksize);
-            if (rc < 0) {
+            ptr = ssh_buffer_allocate(session->in_buffer, lenfield_blocksize);
+            if (ptr == NULL) {
                 goto error;
             }
+            processed += lenfield_blocksize;
+            packet_len = ssh_packet_decrypt_len(session, ptr, (uint8_t *)data);
 
-            if (len > MAX_PACKET_LEN) {
+            if (packet_len > MAX_PACKET_LEN) {
                 ssh_set_error(session,
                               SSH_FATAL,
                               "read_packet(): Packet len too high(%u %.4x)",
-                              len, len);
+                              packet_len, packet_len);
                 goto error;
             }
-
-            to_be_read = len - blocksize + sizeof(uint32_t);
+            to_be_read = packet_len - lenfield_blocksize + sizeof(uint32_t);
             if (to_be_read < 0) {
                 /* remote sshd sends invalid sizes? */
                 ssh_set_error(session,
@@ -233,59 +236,52 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
                 goto error;
             }
 
-            /* Saves the status of the current operations */
-            session->in_packet.len = len;
+            session->in_packet.len = packet_len;
             session->packet_state = PACKET_STATE_SIZEREAD;
             FALL_THROUGH;
         case PACKET_STATE_SIZEREAD:
-            len = session->in_packet.len;
-            to_be_read = len - blocksize + sizeof(uint32_t) + current_macsize;
+            packet_len = session->in_packet.len;
+            processed = lenfield_blocksize;
+            to_be_read = packet_len + sizeof(uint32_t) + current_macsize;
             /* if to_be_read is zero, the whole packet was blocksize bytes. */
             if (to_be_read != 0) {
-                if (receivedlen - processed < (unsigned int)to_be_read) {
+                if (receivedlen  < (unsigned int)to_be_read) {
                     /* give up, not enough data in buffer */
-                    SSH_LOG(SSH_LOG_PACKET,"packet: partial packet (read len) [len=%d]",len);
-                    return processed;
+                    SSH_LOG(SSH_LOG_PACKET,
+                            "packet: partial packet (read len) "
+                            "[len=%d, receivedlen=%d, to_be_read=%d]",
+                            packet_len,
+                            (int)receivedlen,
+                            to_be_read);
+                    return 0;
                 }
 
-                packet = ((uint8_t*)data) + processed;
-#if 0
-                ssh_socket_read(session->socket,
-                                packet,
-                                to_be_read - current_macsize);
-#endif
-
-                rc = ssh_buffer_add_data(session->in_buffer,
-                                     packet,
-                                     to_be_read - current_macsize);
-                if (rc < 0) {
-                    goto error;
-                }
-                processed += to_be_read - current_macsize;
+                packet_second_block = (uint8_t*)data + lenfield_blocksize;
+                processed = to_be_read - current_macsize;
             }
 
+            /* remaining encrypted bytes from the packet, MAC not included */
+            packet_remaining =
+                packet_len - (lenfield_blocksize - sizeof(uint32_t));
+            cleartext_packet = ssh_buffer_allocate(session->in_buffer,
+                                                   packet_remaining);
             if (session->current_crypto) {
                 /*
-                 * Decrypt the rest of the packet (blocksize bytes already
+                 * Decrypt the rest of the packet (lenfield_blocksize bytes already
                  * have been decrypted)
                  */
-                uint32_t buffer_len = ssh_buffer_get_len(session->in_buffer);
-
-                /* The following check avoids decrypting zero bytes */
-                if (buffer_len > blocksize) {
-                    uint8_t *payload = ((uint8_t*)ssh_buffer_get(session->in_buffer) + blocksize);
-                    uint32_t plen = buffer_len - blocksize;
-
-                    rc = ssh_packet_decrypt(session, payload, plen);
+                if (packet_remaining > 0) {
+                    rc = ssh_packet_decrypt(session,
+                                            cleartext_packet,
+                                            (uint8_t *)data,
+                                            lenfield_blocksize,
+                                            processed - lenfield_blocksize);
                     if (rc < 0) {
-                        ssh_set_error(session, SSH_FATAL, "Decrypt error");
+                        ssh_set_error(session, SSH_FATAL, "Decryption error");
                         goto error;
                     }
                 }
-
-                /* copy the last part from the incoming buffer */
-                packet = ((uint8_t *)data) + processed;
-                memcpy(mac, packet, current_macsize);
+                mac = packet_second_block + packet_remaining;
 
                 rc = ssh_packet_hmac_verify(session, session->in_buffer, mac, session->current_crypto->in_hmac);
                 if (rc < 0) {
@@ -293,6 +289,8 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
                     goto error;
                 }
                 processed += current_macsize;
+            } else {
+                memcpy(cleartext_packet, packet_second_block, packet_remaining);
             }
 
             /* skip the size field which has been processed before */
@@ -342,7 +340,7 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
             ssh_packet_parse_type(session);
             SSH_LOG(SSH_LOG_PACKET,
                     "packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
-                    session->in_packet.type, len, padding, compsize, payloadsize);
+                    session->in_packet.type, packet_len, padding, compsize, payloadsize);
 
             /* Execute callbacks */
             ssh_packet_process(session, session->in_packet.type);
@@ -353,9 +351,9 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
                         "Processing %" PRIdS " bytes left in socket buffer",
                         receivedlen-processed);
 
-                packet = ((uint8_t*)data) + processed;
+                ptr = ((uint8_t*)data) + processed;
 
-                rc = ssh_packet_socket_callback(packet, receivedlen - processed,user);
+                rc = ssh_packet_socket_callback(ptr, receivedlen - processed,user);
                 processed += rc;
             }
 
@@ -372,7 +370,7 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
 
 error:
     session->session_state= SSH_SESSION_STATE_ERROR;
-
+    SSH_LOG(SSH_LOG_PACKET,"Packet: processed %" PRIdS " bytes", processed);
     return processed;
 }
 
diff --git a/src/packet_crypt.c b/src/packet_crypt.c
index 5bcb6d65..fb09a225 100644
--- a/src/packet_crypt.c
+++ b/src/packet_crypt.c
@@ -44,40 +44,97 @@
 #include "libssh/crypto.h"
 #include "libssh/buffer.h"
 
-uint32_t ssh_packet_decrypt_len(ssh_session session, char *crypted){
-  uint32_t decrypted;
-
-  if (session->current_crypto) {
-    if (ssh_packet_decrypt(session, crypted,
-          session->current_crypto->in_cipher->blocksize) < 0) {
-      return 0;
+/** @internal
+ * @brief decrypt the packet length from a raw encrypted packet, and store the first decrypted
+ * blocksize.
+ * @returns native byte-ordered decrypted length of the upcoming packet
+ */
+uint32_t ssh_packet_decrypt_len(ssh_session session,
+                                uint8_t *destination,
+                                uint8_t *source)
+{
+    uint32_t decrypted;
+    int rc;
+
+    if (session->current_crypto != NULL) {
+        if (session->current_crypto->in_cipher->aead_decrypt_length != NULL) {
+            rc =
+              session->current_crypto->in_cipher->set_decrypt_key(
+                  session->current_crypto->in_cipher,
+                  session->current_crypto->decryptkey,
+                  session->current_crypto->decryptIV);
+            if (rc < 0) {
+                return (uint32_t)-1;
+            }
+            session->current_crypto->in_cipher->aead_decrypt_length(
+                    session->current_crypto->in_cipher, source, destination,
+                    session->current_crypto->in_cipher->lenfield_blocksize,
+                    session->recv_seq);
+        } else {
+            rc = ssh_packet_decrypt(
+                    session,
+                    destination,
+                    source,
+                    0,
+                    session->current_crypto->in_cipher->blocksize);
+            if (rc < 0) {
+                return 0;
+            }
+        }
+    } else {
+        memcpy(destination, source, 8);
     }
-  }
-  memcpy(&decrypted,crypted,sizeof(decrypted));
-  return ntohl(decrypted);
+    memcpy(&decrypted,destination,sizeof(decrypted));
+
+    return ntohl(decrypted);
 }
 
-int ssh_packet_decrypt(ssh_session session, void *data,uint32_t len) {
-  struct ssh_cipher_struct *crypto = session->current_crypto->in_cipher;
-  char *out = NULL;
+/** @internal
+ * @brief decrypts the content of an SSH packet.
+ * @param[source] source packet, including the encrypted length field
+ * @param[start] index in the packet that was not decrypted yet.
+ * @param[encrypted_size] size of the encrypted data to be decrypted after start.
+ */
+int ssh_packet_decrypt(ssh_session session,
+                       uint8_t *destination,
+                       uint8_t *source,
+                       size_t start,
+                       size_t encrypted_size)
+{
+    struct ssh_cipher_struct *crypto = session->current_crypto->in_cipher;
+    int rc;
+
+    if (encrypted_size <= 0) {
+        return SSH_ERROR;
+    }
 
-  assert(len);
+    if (encrypted_size % session->current_crypto->in_cipher->blocksize != 0) {
+        ssh_set_error(session,
+                      SSH_FATAL,
+                      "Cryptographic functions must be used on multiple of "
+                      "blocksize (received %" PRIdS ")",
+                      encrypted_size);
+        return SSH_ERROR;
+    }
 
-  if(len % session->current_crypto->in_cipher->blocksize != 0){
-    ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len);
-    return SSH_ERROR;
-  }
-  out = malloc(len);
-  if (out == NULL) {
-    return -1;
-  }
+    rc = crypto->set_decrypt_key(crypto,
+                                 session->current_crypto->decryptkey,
+                                 session->current_crypto->decryptIV);
+    if (rc < 0) {
+        return -1;
+    }
 
-  crypto->decrypt(crypto,data,out,len);
+    if (crypto->aead_decrypt != NULL) {
+        return crypto->aead_decrypt(crypto,
+                                    source,
+                                    destination,
+                                    encrypted_size,
+                                    session->recv_seq);
+    } else {
+        crypto->decrypt(crypto, source + start, destination, encrypted_size);
+    }
 
-  memcpy(data,out,len);
-  explicit_bzero(out, len);
-  SAFE_FREE(out);
-  return 0;
+    return 0;
 }
 
 unsigned char *ssh_packet_encrypt(ssh_session session, void *data, uint32_t len) {
@@ -159,13 +216,21 @@ unsigned char *ssh_packet_encrypt(ssh_session session, void *data, uint32_t len)
  * @return              0 if hmac and mac are equal, < 0 if not or an error
  *                      occurred.
  */
-int ssh_packet_hmac_verify(ssh_session session, ssh_buffer buffer,
-    unsigned char *mac, enum ssh_hmac_e type) {
+int ssh_packet_hmac_verify(ssh_session session,
+                           ssh_buffer buffer,
+                           uint8_t *mac,
+                           enum ssh_hmac_e type)
+{
   unsigned char hmacbuf[DIGEST_MAX_LEN] = {0};
   HMACCTX ctx;
   unsigned int len;
   uint32_t seq;
 
+  /* AEAD type have no mac checking */
+  if (type == SSH_HMAC_AEAD_POLY1305) {
+      return SSH_OK;
+  }
+
   ctx = hmac_init(session->current_crypto->decryptMAC, hmac_digest_len(type), type);
   if (ctx == NULL) {
     return -1;
@@ -188,5 +253,3 @@ int ssh_packet_hmac_verify(ssh_session session, ssh_buffer buffer,
 
   return -1;
 }
-
-/* vim: set ts=2 sw=2 et cindent: */
diff --git a/src/wrapper.c b/src/wrapper.c
index 69484fff..77af522d 100644
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -231,8 +231,13 @@ static int crypt_set_algorithms2(ssh_session session){
   int i = 0;
   struct ssh_cipher_struct *ssh_ciphertab=ssh_get_ciphertab();
   struct ssh_hmac_struct *ssh_hmactab=ssh_get_hmactab();
+  int cmp;
+
+  /*
+   * We must scan the kex entries to find crypto algorithms and set their
+   * appropriate structure.
+   */
 
-  /* we must scan the kex entries to find crypto algorithms and set their appropriate structure */
   /* out */
   wanted = session->next_crypto->kex_methods[SSH_CRYPT_C_S];
   while (ssh_ciphertab[i].name && strcmp(wanted, ssh_ciphertab[i].name)) {
@@ -258,12 +263,20 @@ static int crypt_set_algorithms2(ssh_session session){
       /* this cipher has integrated MAC */
       wanted = "aead-poly1305";
   } else {
-      /* we must scan the kex entries to find hmac algorithms and set their appropriate structure */
+      /*
+       * We must scan the kex entries to find hmac algorithms and set their
+       * appropriate structure.
+       */
+
       /* out */
       wanted = session->next_crypto->kex_methods[SSH_MAC_C_S];
   }
-  while (ssh_hmactab[i].name && strcmp(wanted, ssh_hmactab[i].name)) {
-    i++;
+
+  for (i = 0; ssh_hmactab[i].name != NULL; i++) {
+      cmp = strcmp(wanted, ssh_hmactab[i].name);
+      if (cmp == 0) {
+          break;
+      }
   }
 
   if (ssh_hmactab[i].name == NULL) {
@@ -275,12 +288,15 @@ static int crypt_set_algorithms2(ssh_session session){
   SSH_LOG(SSH_LOG_PACKET, "Set HMAC output algorithm to %s", wanted);
 
   session->next_crypto->out_hmac = ssh_hmactab[i].hmac_type;
-  i = 0;
 
   /* in */
   wanted = session->next_crypto->kex_methods[SSH_CRYPT_S_C];
-  while (ssh_ciphertab[i].name && strcmp(wanted, ssh_ciphertab[i].name)) {
-    i++;
+
+  for (i = 0; ssh_ciphertab[i].name != NULL; i++) {
+      cmp = strcmp(wanted, ssh_ciphertab[i].name);
+      if (cmp == 0) {
+        break;
+      }
   }
 
   if (ssh_ciphertab[i].name == NULL) {
@@ -296,12 +312,20 @@ static int crypt_set_algorithms2(ssh_session session){
       ssh_set_error_oom(session);
       return SSH_ERROR;
   }
-  i = 0;
 
-  /* we must scan the kex entries to find hmac algorithms and set their appropriate structure */
-  wanted = session->next_crypto->kex_methods[SSH_MAC_S_C];
-  while (ssh_hmactab[i].name && strcmp(wanted, ssh_hmactab[i].name)) {
-    i++;
+  if (session->next_crypto->in_cipher->aead_encrypt != NULL){
+      /* this cipher has integrated MAC */
+      wanted = "aead-poly1305";
+  } else {
+      /* we must scan the kex entries to find hmac algorithms and set their appropriate structure */
+      wanted = session->next_crypto->kex_methods[SSH_MAC_S_C];
+  }
+
+  for (i = 0; ssh_hmactab[i].name != NULL; i++) {
+      cmp = strcmp(wanted, ssh_hmactab[i].name);
+      if (cmp == 0) {
+          break;
+      }
   }
 
   if (ssh_hmactab[i].name == NULL) {
@@ -310,7 +334,7 @@ static int crypt_set_algorithms2(ssh_session session){
         wanted);
       return SSH_ERROR;
   }
-  SSH_LOG(SSH_LOG_PACKET, "Set HMAC output algorithm to %s", wanted);
+  SSH_LOG(SSH_LOG_PACKET, "Set HMAC input algorithm to %s", wanted);
 
   session->next_crypto->in_hmac = ssh_hmactab[i].hmac_type;
   i = 0;
@@ -458,7 +482,13 @@ int crypt_set_algorithms_server(ssh_session session){
     }
     i=0;
 
-    method = session->next_crypto->kex_methods[SSH_MAC_C_S];
+    if (session->next_crypto->in_cipher->aead_encrypt != NULL){
+        /* this cipher has integrated MAC */
+        method = "aead-poly1305";
+    } else {
+        /* we must scan the kex entries to find hmac algorithms and set their appropriate structure */
+        method = session->next_crypto->kex_methods[SSH_MAC_C_S];
+    }
 
     for (i = 0; ssh_hmactab[i].name != NULL; i++) {
       int cmp;
-- 
2.14.1


From f8497cf2c28292001b260845aa97b4c2abf885d9 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Date: Wed, 28 Feb 2018 10:24:55 -0600
Subject: [PATCH 14/27] libgcrypt: make it compatible with chacha20

Signed-off-by: Aris Adamantiadis <aris@xxxxxxxxxxxx>
---
 include/libssh/libgcrypt.h |  1 +
 src/dh.c                   |  1 +
 src/libgcrypt.c            | 21 +++++++++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/include/libssh/libgcrypt.h b/include/libssh/libgcrypt.h
index ec353910..307920d3 100644
--- a/include/libssh/libgcrypt.h
+++ b/include/libssh/libgcrypt.h
@@ -88,6 +88,7 @@ ssh_string ssh_sexp_extract_mpi(const gcry_sexp_t sexp,
 
 #endif /* HAVE_LIBGCRYPT */
 
+void libgcrypt_init(void);
 struct ssh_cipher_struct *ssh_get_ciphertab(void);
 
 #endif /* LIBGCRYPT_H_ */
diff --git a/src/dh.c b/src/dh.c
index 2bc0a9d6..2b6b3f78 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -190,6 +190,7 @@ int ssh_crypto_init(void) {
       p_group1 = NULL;
       return -1;
     }
+    libgcrypt_init();
 
 #elif defined HAVE_LIBCRYPTO
     p_group1 = bignum_new();
diff --git a/src/libgcrypt.c b/src/libgcrypt.c
index d9dd5be6..b695b6bb 100644
--- a/src/libgcrypt.c
+++ b/src/libgcrypt.c
@@ -35,6 +35,8 @@
 #ifdef HAVE_LIBGCRYPT
 #include <gcrypt.h>
 
+extern const struct ssh_cipher_struct chacha20poly1305_cipher;
+
 struct ssh_mac_ctx_struct {
   enum ssh_mac_e mac_type;
   gcry_md_hd_t ctx;
@@ -637,6 +639,9 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
     .encrypt     = des1_1_encrypt,
     .decrypt     = des1_1_decrypt
   },
+  {
+    .name = "chacha20-poly1305@xxxxxxxxxxx"
+  },
   {
     .name            = NULL,
     .blocksize       = 0,
@@ -650,6 +655,22 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
   }
 };
 
+void libgcrypt_init(void)
+{
+    size_t i;
+
+    for (i = 0; ssh_ciphertab[i].name != NULL; i++) {
+        int cmp;
+        cmp = strcmp(ssh_ciphertab[i].name, "chacha20-poly1305@xxxxxxxxxxx");
+        if (cmp == 0) {
+            memcpy(&ssh_ciphertab[i],
+                   &chacha20poly1305_cipher,
+                   sizeof(struct ssh_cipher_struct));
+            break;
+        }
+    }
+}
+
 struct ssh_cipher_struct *ssh_get_ciphertab(void)
 {
   return ssh_ciphertab;
-- 
2.14.1


From 40f896e553e81358425d3e127faf9003df49049b Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Date: Wed, 28 Feb 2018 10:24:56 -0600
Subject: [PATCH 15/27] tests: test for chacha20-poly1305@xxxxxxxxxxx

Signed-off-by: Aris Adamantiadis <aris@xxxxxxxxxxxx>
---
 tests/client/torture_algorithms.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tests/client/torture_algorithms.c b/tests/client/torture_algorithms.c
index 76ea2cef..857ba190 100644
--- a/tests/client/torture_algorithms.c
+++ b/tests/client/torture_algorithms.c
@@ -261,6 +261,10 @@ static void torture_algorithms_blowfish_cbc_hmac_sha2_512(void **state) {
 }
 #endif
 
+static void torture_algorithms_chacha20_poly1305(void **state) {
+    test_algorithm(*state, NULL/*kex*/, "chacha20-poly1305@xxxxxxxxxxx", NULL);
+}
+
 static void torture_algorithms_zlib(void **state) {
     struct torture_state *s = *state;
     ssh_session session = s->ssh.session;
@@ -441,6 +445,9 @@ int torture_run_tests(void) {
                                         session_setup,
                                         session_teardown),
 #endif
+        cmocka_unit_test_setup_teardown(torture_algorithms_chacha20_poly1305,
+                                        session_setup,
+                                        session_teardown),
         cmocka_unit_test_setup_teardown(torture_algorithms_zlib,
                                         session_setup,
                                         session_teardown),
-- 
2.14.1


From 7ae788c0e3b74c14127623e0e623d911ea8e72cd Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Date: Wed, 28 Feb 2018 10:24:57 -0600
Subject: [PATCH 16/27] tests: packet encryption unit testing

That code is really ugly, but it wasn't meant to be modular at all in the
first place.

Signed-off-by: Aris Adamantiadis <aris@xxxxxxxxxxxx>
---
 tests/unittests/CMakeLists.txt   |   1 +
 tests/unittests/torture_packet.c | 193 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 194 insertions(+)
 create mode 100644 tests/unittests/torture_packet.c

diff --git a/tests/unittests/CMakeLists.txt b/tests/unittests/CMakeLists.txt
index ee8db1d2..0afe11b4 100644
--- a/tests/unittests/CMakeLists.txt
+++ b/tests/unittests/CMakeLists.txt
@@ -12,6 +12,7 @@ add_cmocka_test(torture_config torture_config.c ${TORTURE_LIBRARY})
 add_cmocka_test(torture_options torture_options.c ${TORTURE_LIBRARY})
 add_cmocka_test(torture_isipaddr torture_isipaddr.c ${TORTURE_LIBRARY})
 add_cmocka_test(torture_knownhosts_parsing torture_knownhosts_parsing.c ${TORTURE_LIBRARY})
+add_cmocka_test(torture_packet torture_packet.c ${TORTURE_LIBRARY})
 if (UNIX AND NOT WIN32)
     # requires ssh-keygen
     add_cmocka_test(torture_keyfiles torture_keyfiles.c ${TORTURE_LIBRARY})
diff --git a/tests/unittests/torture_packet.c b/tests/unittests/torture_packet.c
new file mode 100644
index 00000000..0e7d3f1e
--- /dev/null
+++ b/tests/unittests/torture_packet.c
@@ -0,0 +1,193 @@
+#include "config.h"
+
+#define LIBSSH_STATIC
+
+#include "torture.h"
+#include "libssh/libssh.h"
+#include "libssh/session.h"
+#include "libssh/crypto.h"
+#include "libssh/buffer.h"
+#include "libssh/socket.h"
+#include "libssh/callbacks.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+#include "socket.c"
+
+uint8_t test_data[]="AThis is test data. Use it to check the validity of packet functions";
+uint8_t key[]="iekaeshoa7ooCie2shai8shahngee3ONsee3xoishooj0ojei6aeChieth1iraPh";
+uint8_t iv[]="eixaxughoomah4ui7Aew3ohxuolaifuu";
+uint8_t mac[]="thook2Jai0ahmahyae7ChuuruoPhee8Y";
+
+static uint8_t *copy_data(uint8_t *data, size_t len){
+    uint8_t *ret = malloc(len);
+    assert_non_null(ret);
+    memcpy(ret, data, len);
+    return ret;
+}
+
+static SSH_PACKET_CALLBACK(copy_packet_data){
+    uint8_t *response = user;
+    size_t len = ssh_buffer_get_len(packet);
+    (void)type;
+    (void)session;
+
+    if(len > 1024){
+        len = 1024;
+    }
+    ssh_buffer_get_data(packet, response, len);
+
+    return 0;
+}
+
+static void torture_packet(const char *cipher,
+        const char *mac_type, size_t payload_len) {
+
+    ssh_session session = ssh_new();
+    int verbosity = torture_libssh_verbosity();
+    struct ssh_crypto_struct *crypto;
+    int rc;
+    int sockets[2];
+    uint8_t buffer[1024];
+    uint8_t response[1024];
+    size_t encrypted_packet_len;
+    ssh_packet_callback callbacks[]={copy_packet_data};
+    struct ssh_packet_callbacks_struct cb = {
+            .start='A',
+            .n_callbacks=1,
+            .callbacks=callbacks,
+            .user=response
+    };
+
+    assert_non_null(session);
+    ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
+    crypto = session->next_crypto;
+
+    rc = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets);
+    assert_int_equal(rc, 0);
+
+    session->version = 2;
+    crypto->kex_methods[SSH_KEX] = strdup("curve25519-sha256@xxxxxxxxxx");
+    crypto->kex_methods[SSH_HOSTKEYS] = strdup("ssh-rsa");
+    crypto->kex_methods[SSH_CRYPT_C_S] = strdup(cipher);
+    crypto->kex_methods[SSH_CRYPT_S_C] = strdup(cipher);
+    crypto->kex_methods[SSH_MAC_C_S] = strdup(mac_type);
+    crypto->kex_methods[SSH_MAC_S_C] = strdup(mac_type);
+    crypto->kex_methods[SSH_COMP_C_S] = strdup("none");
+    crypto->kex_methods[SSH_COMP_S_C] = strdup("none");
+    crypto->kex_methods[SSH_LANG_C_S] = strdup("none");
+    crypto->kex_methods[SSH_LANG_S_C] = strdup("none");
+    rc = crypt_set_algorithms(session, 0);
+    assert_int_equal(rc, SSH_OK);
+    session->current_crypto = session->next_crypto;
+    session->next_crypto = crypto_new();
+    crypto->encryptkey = copy_data(key, sizeof(key));
+    crypto->decryptkey = copy_data(key, sizeof(key));
+    crypto->encryptIV = copy_data(iv, sizeof(iv));
+    crypto->decryptIV = copy_data(iv, sizeof(iv));
+    crypto->encryptMAC = copy_data(mac, sizeof(mac));
+    crypto->decryptMAC = copy_data(mac, sizeof(mac));
+
+    assert_non_null(session->out_buffer);
+    ssh_buffer_add_data(session->out_buffer, test_data, payload_len);
+    session->socket->fd_out = sockets[0];
+    session->socket->fd_in = -2;
+    session->socket->write_wontblock = 1;
+    rc = ssh_packet_send(session);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = recv(sockets[1], buffer, sizeof(buffer), 0);
+    assert_true(rc > 0);
+    encrypted_packet_len = rc;
+    assert_in_range(encrypted_packet_len, payload_len + 4, payload_len + (32 * 3));
+    rc = send(sockets[0], buffer, encrypted_packet_len, 0);
+    assert_int_equal(rc, encrypted_packet_len);
+
+    ssh_packet_set_callbacks(session, &cb);
+    explicit_bzero(response, sizeof(response));
+    rc = ssh_packet_socket_callback(buffer, encrypted_packet_len, session);
+    assert_int_not_equal(rc, SSH_ERROR);
+    if(payload_len > 0){
+        assert_memory_equal(response, test_data+1, payload_len-1);
+    }
+    close(sockets[0]);
+    close(sockets[1]);
+    session->socket->fd_in = SSH_INVALID_SOCKET;
+    session->socket->fd_out = SSH_INVALID_SOCKET;
+    ssh_free(session);
+}
+
+static void torture_packet_aes128_ctr() {
+    int i;
+    for (i=1;i<256;++i){
+        torture_packet("aes128-ctr","hmac-sha1",i);
+    }
+}
+
+static void torture_packet_aes192_ctr(){
+    int i;
+    for (i=1;i<256;++i){
+        torture_packet("aes192-ctr","hmac-sha1",i);
+    }
+}
+
+static void torture_packet_aes256_ctr(){
+    int i;
+    for (i=1;i<256;++i){
+        torture_packet("aes256-ctr","hmac-sha1",i);
+    }
+}
+
+static void torture_packet_aes128_cbc() {
+    int i;
+    for (i=1;i<256;++i){
+        torture_packet("aes128-cbc","hmac-sha1",i);
+    }
+}
+
+static void torture_packet_aes192_cbc(){
+    int i;
+    for (i=1;i<256;++i){
+        torture_packet("aes192-cbc","hmac-sha1",i);
+    }
+}
+
+static void torture_packet_aes256_cbc(){
+    int i;
+    for (i=1;i<256;++i){
+        torture_packet("aes256-cbc","hmac-sha1",i);
+    }
+}
+
+static void torture_packet_3des_cbc(){
+    int i;
+    for (i=1;i<256;++i){
+        torture_packet("3des-cbc","hmac-sha1",i);
+    }
+}
+
+static void torture_packet_chacha20(){
+    int i;
+    for (i=1;i<256;++i){
+        torture_packet("chacha20-poly1305@xxxxxxxxxxx","none",i);
+    }
+}
+
+int torture_run_tests(void) {
+    int rc;
+    struct CMUnitTest tests[] = {
+        cmocka_unit_test(torture_packet_aes128_ctr),
+        cmocka_unit_test(torture_packet_aes192_ctr),
+        cmocka_unit_test(torture_packet_aes256_ctr),
+        cmocka_unit_test(torture_packet_aes128_cbc),
+        cmocka_unit_test(torture_packet_aes192_cbc),
+        cmocka_unit_test(torture_packet_aes256_cbc),
+        cmocka_unit_test(torture_packet_3des_cbc),
+        cmocka_unit_test(torture_packet_chacha20)
+    };
+
+    ssh_init();
+    torture_filter_tests(tests);
+    rc = cmocka_run_group_tests(tests, NULL, NULL);
+    ssh_finalize();
+    return rc;
+}
-- 
2.14.1


From d12cd0749540f1b01843aec1959c7a3695289041 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
Date: Wed, 28 Feb 2018 10:24:58 -0600
Subject: [PATCH 17/27] tests: send more packets of various sizes

Signed-off-by: Aris Adamantiadis <aris@xxxxxxxxxxxx>
---
 tests/client/torture_algorithms.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/tests/client/torture_algorithms.c b/tests/client/torture_algorithms.c
index 857ba190..edeb697d 100644
--- a/tests/client/torture_algorithms.c
+++ b/tests/client/torture_algorithms.c
@@ -26,6 +26,7 @@
 #include "torture.h"
 #include "libssh/libssh.h"
 #include "libssh/priv.h"
+#include "libssh/session.h"
 
 #include <errno.h>
 #include <sys/types.h>
@@ -49,7 +50,6 @@ static int session_setup(void **state) {
     int verbosity = torture_libssh_verbosity();
     struct passwd *pwd;
     int rc;
-
     pwd = getpwnam("bob");
     assert_non_null(pwd);
 
@@ -80,6 +80,15 @@ static void test_algorithm(ssh_session session,
                            const char *cipher,
                            const char *hmac) {
     int rc;
+    char data[256];
+    size_t len_to_test[] = {
+        1, 2, 3, 4, 5, 6, 7, 8, 10,
+        12, 15, 16, 20,
+        31, 32, 33,
+        63, 64, 65,
+        100, 127, 128
+    };
+    unsigned int i;
 
     int verbosity = torture_libssh_verbosity();
     ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
@@ -106,6 +115,14 @@ static void test_algorithm(ssh_session session,
     rc = ssh_connect(session);
     assert_int_equal(rc, SSH_OK);
 
+    /* send ignore packets of all sizes */
+    memset(data, 0, sizeof(data));
+    for (i = 0; i < (sizeof(len_to_test) / sizeof(size_t)); i++) {
+        memset(data, 'A', len_to_test[i]);
+        ssh_send_ignore(session, data);
+        ssh_handle_packets(session, 50);
+    }
+
     rc = ssh_userauth_none(session, NULL);
     if (rc != SSH_OK) {
         rc = ssh_get_error_code(session);
-- 
2.14.1


From 3cf6352e2a3d8e3951b129eb43b2fa1cfb4fc176 Mon Sep 17 00:00:00 2001
From: Alberto Aguirre <albaguirre@xxxxxxxxx>
Date: Wed, 28 Feb 2018 10:25:02 -0600
Subject: [PATCH 18/27] packet_crypt: Avoid setting keys every time

Avoid setting keys on every packet decrypt or encrypt operation.

Signed-off-by: Alberto Aguirre <albaguirre@xxxxxxxxx>
---
 src/packet_crypt.c | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/src/packet_crypt.c b/src/packet_crypt.c
index fb09a225..68103afb 100644
--- a/src/packet_crypt.c
+++ b/src/packet_crypt.c
@@ -117,13 +117,6 @@ int ssh_packet_decrypt(ssh_session session,
         return SSH_ERROR;
     }
 
-    rc = crypto->set_decrypt_key(crypto,
-                                 session->current_crypto->decryptkey,
-                                 session->current_crypto->decryptIV);
-    if (rc < 0) {
-        return -1;
-    }
-
     if (crypto->aead_decrypt != NULL) {
         return crypto->aead_decrypt(crypto,
                                     source,
@@ -177,12 +170,6 @@ unsigned char *ssh_packet_encrypt(ssh_session session, void *data, uint32_t len)
       hmac_update(ctx,data,len);
       hmac_final(ctx,session->current_crypto->hmacbuf,&finallen);
 
-      if (crypto->set_encrypt_key(crypto, session->current_crypto->encryptkey,
-          session->current_crypto->encryptIV) < 0) {
-        SAFE_FREE(out);
-        return NULL;
-      }
-
 #ifdef DEBUG_CRYPTO
       ssh_print_hexa("mac: ",data,hmac_digest_len(type));
       if (finallen != hmac_digest_len(type)) {
-- 
2.14.1


From ae45a112ea0aa87c7b5ebea536c3dc9e5a252482 Mon Sep 17 00:00:00 2001
From: Alberto Aguirre <albaguirre@xxxxxxxxx>
Date: Wed, 28 Feb 2018 10:25:04 -0600
Subject: [PATCH 19/27] torture_packet: Set encryption/decryption keys

Signed-off-by: Alberto Aguirre <albaguirre@xxxxxxxxx>
---
 tests/unittests/torture_packet.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/tests/unittests/torture_packet.c b/tests/unittests/torture_packet.c
index 0e7d3f1e..a01ea218 100644
--- a/tests/unittests/torture_packet.c
+++ b/tests/unittests/torture_packet.c
@@ -45,6 +45,8 @@ static void torture_packet(const char *cipher,
     ssh_session session = ssh_new();
     int verbosity = torture_libssh_verbosity();
     struct ssh_crypto_struct *crypto;
+    struct ssh_cipher_struct *in_cipher;
+    struct ssh_cipher_struct *out_cipher;
     int rc;
     int sockets[2];
     uint8_t buffer[1024];
@@ -87,6 +89,18 @@ static void torture_packet(const char *cipher,
     crypto->encryptMAC = copy_data(mac, sizeof(mac));
     crypto->decryptMAC = copy_data(mac, sizeof(mac));
 
+    in_cipher = session->current_crypto->in_cipher;
+    rc = in_cipher->set_decrypt_key(in_cipher,
+                                    session->current_crypto->decryptkey,
+                                    session->current_crypto->decryptIV);
+    assert_int_equal(rc, SSH_OK);
+
+    out_cipher = session->current_crypto->out_cipher;
+    rc = out_cipher->set_encrypt_key(out_cipher,
+                                     session->current_crypto->encryptkey,
+                                     session->current_crypto->encryptIV);
+    assert_int_equal(rc, SSH_OK);
+
     assert_non_null(session->out_buffer);
     ssh_buffer_add_data(session->out_buffer, test_data, payload_len);
     session->socket->fd_out = sockets[0];
-- 
2.14.1


From 5df1af0945bf2a36259bb4d893531440a1a5e817 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Wed, 28 Feb 2018 10:24:59 -0600
Subject: [PATCH 20/27] pkd: add passes for chacha20-poly1305@xxxxxxxxxxx
 cipher

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 tests/pkd/pkd_hello.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c
index 951bd7b1..7a429e94 100644
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
@@ -258,6 +258,7 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
 #endif
 
 #ifdef HAVE_DSA
+#define CHACHA20 "chacha20-poly1305@xxxxxxxxxxx"
 #define PKDTESTS_CIPHER(f, client, ciphercmd) \
     /* Ciphers. */ \
     f(client, rsa_3des_cbc,            ciphercmd("3des-cbc"),      setup_rsa,        teardown) \
@@ -266,24 +267,28 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, rsa_aes256_cbc,          ciphercmd("aes256-cbc"),    setup_rsa,        teardown) \
     f(client, rsa_aes256_ctr,          ciphercmd("aes256-ctr"),    setup_rsa,        teardown) \
     f(client, rsa_blowfish_cbc,        ciphercmd("blowfish-cbc"),  setup_rsa,        teardown) \
+    f(client, rsa_chacha20,            ciphercmd(CHACHA20),        setup_rsa,        teardown) \
     f(client, dsa_3des_cbc,            ciphercmd("3des-cbc"),      setup_dsa,        teardown) \
     f(client, dsa_aes128_cbc,          ciphercmd("aes128-cbc"),    setup_dsa,        teardown) \
     f(client, dsa_aes128_ctr,          ciphercmd("aes128-ctr"),    setup_dsa,        teardown) \
     f(client, dsa_aes256_cbc,          ciphercmd("aes256-cbc"),    setup_dsa,        teardown) \
     f(client, dsa_aes256_ctr,          ciphercmd("aes256-ctr"),    setup_dsa,        teardown) \
     f(client, dsa_blowfish_cbc,        ciphercmd("blowfish-cbc"),  setup_dsa,        teardown) \
+    f(client, dsa_chacha20,            ciphercmd(CHACHA20),        setup_dsa,        teardown) \
     f(client, ecdsa_256_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_blowfish_cbc,  ciphercmd("blowfish-cbc"),  setup_ecdsa_256,  teardown) \
+    f(client, ecdsa_256_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_256,  teardown) \
     f(client, ecdsa_384_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_blowfish_cbc,  ciphercmd("blowfish-cbc"),  setup_ecdsa_384,  teardown) \
+    f(client, ecdsa_384_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_384,  teardown) \
     f(client, ecdsa_521_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_521,  teardown) \
@@ -316,7 +321,7 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, ecdsa_521_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_blowfish_cbc,  ciphercmd("blowfish-cbc"),  setup_ecdsa_521,  teardown)
+    f(client, ecdsa_521_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_521,  teardown)
 #endif
 
 #ifdef HAVE_DSA
-- 
2.14.1


From 97f2649c1771e569a96f9057e4956b5fbea5a1f3 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Wed, 28 Feb 2018 10:25:00 -0600
Subject: [PATCH 21/27] pkd: move chacha20-poly1305@xxxxxxxxxxx tests to
 OPENSSHONLY section

Dropbear does not currently implement the 'chacha20-poly1305@xxxxxxxxxxx'
cipher, so move it into the OPENSSHONLY suite.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 tests/pkd/pkd_hello.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c
index 7a429e94..7c499be1 100644
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
@@ -258,7 +258,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
 #endif
 
 #ifdef HAVE_DSA
-#define CHACHA20 "chacha20-poly1305@xxxxxxxxxxx"
 #define PKDTESTS_CIPHER(f, client, ciphercmd) \
     /* Ciphers. */ \
     f(client, rsa_3des_cbc,            ciphercmd("3des-cbc"),      setup_rsa,        teardown) \
@@ -267,28 +266,24 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, rsa_aes256_cbc,          ciphercmd("aes256-cbc"),    setup_rsa,        teardown) \
     f(client, rsa_aes256_ctr,          ciphercmd("aes256-ctr"),    setup_rsa,        teardown) \
     f(client, rsa_blowfish_cbc,        ciphercmd("blowfish-cbc"),  setup_rsa,        teardown) \
-    f(client, rsa_chacha20,            ciphercmd(CHACHA20),        setup_rsa,        teardown) \
     f(client, dsa_3des_cbc,            ciphercmd("3des-cbc"),      setup_dsa,        teardown) \
     f(client, dsa_aes128_cbc,          ciphercmd("aes128-cbc"),    setup_dsa,        teardown) \
     f(client, dsa_aes128_ctr,          ciphercmd("aes128-ctr"),    setup_dsa,        teardown) \
     f(client, dsa_aes256_cbc,          ciphercmd("aes256-cbc"),    setup_dsa,        teardown) \
     f(client, dsa_aes256_ctr,          ciphercmd("aes256-ctr"),    setup_dsa,        teardown) \
     f(client, dsa_blowfish_cbc,        ciphercmd("blowfish-cbc"),  setup_dsa,        teardown) \
-    f(client, dsa_chacha20,            ciphercmd(CHACHA20),        setup_dsa,        teardown) \
     f(client, ecdsa_256_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_blowfish_cbc,  ciphercmd("blowfish-cbc"),  setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_256,  teardown) \
     f(client, ecdsa_384_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_blowfish_cbc,  ciphercmd("blowfish-cbc"),  setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_384,  teardown) \
     f(client, ecdsa_521_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_521,  teardown) \
@@ -325,16 +320,21 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
 #endif
 
 #ifdef HAVE_DSA
+#define CHACHA20 "chacha20-poly1305@xxxxxxxxxxx"
 #define PKDTESTS_CIPHER_OPENSSHONLY(f, client, ciphercmd) \
     /* Ciphers. */ \
     f(client, rsa_aes192_cbc,          ciphercmd("aes192-cbc"),    setup_rsa,        teardown) \
     f(client, rsa_aes192_ctr,          ciphercmd("aes192-ctr"),    setup_rsa,        teardown) \
+    f(client, rsa_chacha20,            ciphercmd(CHACHA20),        setup_rsa,        teardown) \
     f(client, dsa_aes192_cbc,          ciphercmd("aes192-cbc"),    setup_dsa,        teardown) \
     f(client, dsa_aes192_ctr,          ciphercmd("aes192-ctr"),    setup_dsa,        teardown) \
+    f(client, dsa_chacha20,            ciphercmd(CHACHA20),        setup_dsa,        teardown) \
     f(client, ecdsa_256_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_256,  teardown) \
+    f(client, ecdsa_256_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_256,  teardown) \
     f(client, ecdsa_384_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_384,  teardown) \
+    f(client, ecdsa_384_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_384,  teardown) \
     f(client, ecdsa_521_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_521,  teardown)
 #else
@@ -347,7 +347,8 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, ecdsa_384_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_521_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_521,  teardown)
+    f(client, ecdsa_521_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_521,  teardown) \
+    f(client, ecdsa_521_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_521,  teardown)
 #endif
 
 #ifdef HAVE_DSA
-- 
2.14.1


From ff325390c4c1229c8d8076bc5dae84d8683f69e2 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Thu, 10 May 2018 16:46:57 -0400
Subject: [PATCH 22/27] tests: fix torture_packet.c `test_data`

Make the `test_data` larger so that tests do not read beyond
its length.  Observed in testing with an `-fsanitize=address`
build locally.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 tests/unittests/torture_packet.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/unittests/torture_packet.c b/tests/unittests/torture_packet.c
index a01ea218..729aaccd 100644
--- a/tests/unittests/torture_packet.c
+++ b/tests/unittests/torture_packet.c
@@ -13,7 +13,10 @@
 #include <sys/socket.h>
 #include "socket.c"
 
-uint8_t test_data[]="AThis is test data. Use it to check the validity of packet functions";
+uint8_t test_data[]="AThis is test data. Use it to check the validity of packet functions"
+                    "AThis is test data. Use it to check the validity of packet functions"
+                    "AThis is test data. Use it to check the validity of packet functions"
+                    "AThis is test data. Use it to check the validity of packet functions";
 uint8_t key[]="iekaeshoa7ooCie2shai8shahngee3ONsee3xoishooj0ojei6aeChieth1iraPh";
 uint8_t iv[]="eixaxughoomah4ui7Aew3ohxuolaifuu";
 uint8_t mac[]="thook2Jai0ahmahyae7ChuuruoPhee8Y";
-- 
2.14.1


From 7d80a39135eb789d1f35929ce496252118167f22 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 8 Jun 2018 17:32:27 -0400
Subject: [PATCH 23/27] packet_crypt: fix unused variable compiler warning

The local `rc` variable here is never set.  Fix a warning that is
emitted due to `-Wunused-variable`.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/packet_crypt.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/packet_crypt.c b/src/packet_crypt.c
index 68103afb..57be946f 100644
--- a/src/packet_crypt.c
+++ b/src/packet_crypt.c
@@ -102,7 +102,6 @@ int ssh_packet_decrypt(ssh_session session,
                        size_t encrypted_size)
 {
     struct ssh_cipher_struct *crypto = session->current_crypto->in_cipher;
-    int rc;
 
     if (encrypted_size <= 0) {
         return SSH_ERROR;
-- 
2.14.1


From 4e885fc2b6c3586721176c733f1db42182e81fd9 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Wed, 19 Jul 2017 17:23:16 -0400
Subject: [PATCH 24/27] chacha: use a cipher cleanup callback

With this change there is less code specific to the
chacha20-poly1305 cipher found in src/wrapper.c.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/chachapoly.c | 7 ++++++-
 src/wrapper.c    | 3 ---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/chachapoly.c b/src/chachapoly.c
index f3319b62..12600e85 100644
--- a/src/chachapoly.c
+++ b/src/chachapoly.c
@@ -187,6 +187,10 @@ static int chacha20_poly1305_aead_decrypt(struct ssh_cipher_struct *cipher,
     return SSH_OK;
 }
 
+static void chacha20_cleanup(struct ssh_cipher_struct *cipher) {
+    SAFE_FREE(cipher->chacha20_schedule);
+}
+
 const struct ssh_cipher_struct chacha20poly1305_cipher = {
     .name = "chacha20-poly1305@xxxxxxxxxxx",
     .blocksize = 8,
@@ -198,5 +202,6 @@ const struct ssh_cipher_struct chacha20poly1305_cipher = {
     .set_decrypt_key = chacha20_set_encrypt_key,
     .aead_encrypt = chacha20_poly1305_aead_encrypt,
     .aead_decrypt_length = chacha20_poly1305_aead_decrypt_length,
-    .aead_decrypt = chacha20_poly1305_aead_decrypt
+    .aead_decrypt = chacha20_poly1305_aead_decrypt,
+    .cleanup = chacha20_cleanup
 };
diff --git a/src/wrapper.c b/src/wrapper.c
index 77af522d..961c3d05 100644
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -128,9 +128,6 @@ void ssh_cipher_clear(struct ssh_cipher_struct *cipher){
     if (cipher->cleanup != NULL) {
         cipher->cleanup(cipher);
     }
-    if (cipher->chacha20_schedule != NULL){
-        SAFE_FREE(cipher->chacha20_schedule);
-    }
 }
 
 static void cipher_free(struct ssh_cipher_struct *cipher) {
-- 
2.14.1


From 8895b9337fa08b3af33909840eb081ff8944fa95 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 8 Jun 2018 18:32:32 -0400
Subject: [PATCH 25/27] packet_crypt: remove `set_decrypt_key` upon
 `ssh_packet_decrypt_len`

In 06b9901e64f1ea2a1141115e5645552034d25850, invocations of `set_decrypt_key`
and `set_encrypt_key` were moved into the `ssh_packet_newkeys` callback, away
from the packet decrypt and encrypt functions.

Remove the extra `set_decrypt_key` for the case that an `aead_decrypt_length`
is not NULL.  At this time, only the chacha20-poly1305@xxxxxxxxxxx cipher
is affected by this change.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/packet_crypt.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/src/packet_crypt.c b/src/packet_crypt.c
index 57be946f..b2f075c4 100644
--- a/src/packet_crypt.c
+++ b/src/packet_crypt.c
@@ -58,14 +58,6 @@ uint32_t ssh_packet_decrypt_len(ssh_session session,
 
     if (session->current_crypto != NULL) {
         if (session->current_crypto->in_cipher->aead_decrypt_length != NULL) {
-            rc =
-              session->current_crypto->in_cipher->set_decrypt_key(
-                  session->current_crypto->in_cipher,
-                  session->current_crypto->decryptkey,
-                  session->current_crypto->decryptIV);
-            if (rc < 0) {
-                return (uint32_t)-1;
-            }
             session->current_crypto->in_cipher->aead_decrypt_length(
                     session->current_crypto->in_cipher, source, destination,
                     session->current_crypto->in_cipher->lenfield_blocksize,
-- 
2.14.1


From 3ae630aca316b4aa1c9dd8f7ab2b43734ff597dd Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 8 Jun 2018 16:16:49 -0700
Subject: [PATCH 26/27] pkd: fix CHACHA20 test lists

Ensure that the CHACHA20 test entires are only included for OpenSSH.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 tests/pkd/pkd_hello.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c
index 7c499be1..c0994f15 100644
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
@@ -316,7 +316,7 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, ecdsa_521_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_521,  teardown)
+    f(client, ecdsa_521_blowfish_cbc,  ciphercmd("blowfish-cbc"),  setup_ecdsa_521,  teardown)
 #endif
 
 #ifdef HAVE_DSA
@@ -336,7 +336,8 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, ecdsa_384_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_384,  teardown) \
     f(client, ecdsa_521_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_521,  teardown)
+    f(client, ecdsa_521_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_521,  teardown) \
+    f(client, ecdsa_521_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_521,  teardown)
 #else
 #define PKDTESTS_CIPHER_OPENSSHONLY(f, client, ciphercmd) \
     /* Ciphers. */ \
@@ -347,8 +348,7 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, ecdsa_384_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_384,  teardown) \
     f(client, ecdsa_521_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_521,  teardown)
+    f(client, ecdsa_521_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_521,  teardown)
 #endif
 
 #ifdef HAVE_DSA
-- 
2.14.1


From 0c1681553d74db4906f236d40c3c6faaab4f7e7a Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Fri, 8 Jun 2018 16:18:06 -0700
Subject: [PATCH 27/27] chacha: fix build for mbedTLS

Fix the build for mbedTLS:
 * set HAVE_CHACHA for non-mbedTLS builds
 * only compile chachapoly.c when HAVE_CHACHA
 * use empty CHACHA20 in src/kex.c unless HAVE_CHACHA

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 ConfigureChecks.cmake | 3 ++-
 config.h.cmake        | 3 +++
 src/CMakeLists.txt    | 8 +++++++-
 src/kex.c             | 4 ++++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index fd8ff136..3bb4a5e0 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -138,7 +138,8 @@ endif ()
 
 if (NOT WITH_MBEDTLS)
     set(HAVE_DSA 1)
-endif()
+    set(HAVE_CHACHA 1)
+endif (NOT WITH_MBEDTLS)
 
 # FUNCTIONS
 
diff --git a/config.h.cmake b/config.h.cmake
index 61d20acb..044e6032 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -89,6 +89,9 @@
 /* Define to 1 if you have DSA */
 #cmakedefine HAVE_DSA 1
 
+/* Define to 1 if you have chacha20-poly1305 */
+#cmakedefine HAVE_CHACHA 1
+
 /*************************** FUNCTIONS ***************************/
 
 /* Define to 1 if you have the `EVP_aes128_ctr' function. */
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 90e44253..4edc59f4 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -122,7 +122,6 @@ set(libssh_SRCS
   bignum.c
   buffer.c
   callbacks.c
-  chachapoly.c
   channels.c
   client.c
   config.c
@@ -167,6 +166,13 @@ set(libssh_SRCS
   external/sc25519.c
 )
 
+if (NOT WITH_MBEDTLS)
+    set(libssh_SRCS
+        ${libssh_SRCS}
+        chachapoly.c
+       )
+endif (NOT WITH_MBEDTLS)
+
 if (WITH_GCRYPT)
     set(libssh_SRCS
         ${libssh_SRCS}
diff --git a/src/kex.c b/src/kex.c
index 00f4e00f..8c51566e 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -95,7 +95,11 @@
 #define ECDH ""
 #endif
 
+#ifdef    HAVE_CHACHA
 #define CHACHA20 "chacha20-poly1305@xxxxxxxxxxx,"
+#else  /* HAVE_CHACHA */
+#define CHACHA20
+#endif /* HAVE_CHACHA */
 
 #define KEY_EXCHANGE CURVE25519 ECDH "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
 #define KEX_METHODS_SIZE 10
-- 
2.14.1


Follow-Ups:
Re: Missing signed-off for pkg chacha20 patchesAndreas Schneider <asn@xxxxxxxxxxxxxx>
Re: Missing signed-off for pkg chacha20 patchesAndreas Schneider <asn@xxxxxxxxxxxxxx>
Re: Missing signed-off for pkg chacha20 patchesAndreas Schneider <asn@xxxxxxxxxxxxxx>
References:
Missing signed-off for pkg chacha20 patchesAndreas Schneider <asn@xxxxxxxxxxxxxx>
Archive administrator: postmaster@lists.cynapses.org