Support decoding private keys that use the chacha20-poly1305@openssh.…

…com cipher.

README.md

@@ -447,6 +447,7 @@ Supported private key encryption cyphers:
 - OpenSSH Keys `OPENSSH PRIVATE KEY` (`openssh-key-v1`)
  - aes[128|192|256]-[cbc|ctr]
  - aes[128|256]-gcm@openssh.com
+ - chacha20-poly1305@openssh.com
 
 Supported client key algorithms:
 - ssh-ed25519

src/Tmds.Ssh/AesCtr.cs

@@ -7,8 +7,11 @@ namespace Tmds.Ssh;
 
 static class AesCtr
 {
- public static void DecryptCtr(ReadOnlySpan<byte> key, Span<byte> counter, ReadOnlySpan<byte> ciphertext, Span<byte> plaintext)
+ public static void DecryptCtr(ReadOnlySpan<byte> key, ReadOnlySpan<byte> iv, ReadOnlySpan<byte> ciphertext, Span<byte> plaintext)
  {
+ Span<byte> counter = stackalloc byte[iv.Length];
+ iv.CopyTo(counter);
+
  if (plaintext.Length < ciphertext.Length)
  {
  throw new ArgumentException("Plaintext buffer is too small.");

src/Tmds.Ssh/OpenSshKeyCipher.cs

@@ -3,12 +3,15 @@
 
 using System.Diagnostics.CodeAnalysis;
 using System.Security.Cryptography;
+using Org.BouncyCastle.Crypto.Engines;
+using Org.BouncyCastle.Crypto.Macs;
+using Org.BouncyCastle.Crypto.Parameters;
 
 namespace Tmds.Ssh;
 
 sealed class OpenSshKeyCipher
 {
- private delegate byte[] DecryptDelegate(ReadOnlySpan<byte> key, Span<byte> iv, ReadOnlySpan<byte> data, ReadOnlySpan<byte> tag);
+ private delegate byte[] DecryptDelegate(ReadOnlySpan<byte> key, ReadOnlySpan<byte> iv, ReadOnlySpan<byte> data, ReadOnlySpan<byte> tag);
 
  private readonly DecryptDelegate _decryptData;
 
@@ -28,7 +31,7 @@ private OpenSshKeyCipher(
  public int IVLength { get; }
  public int TagLength { get; }
 
- public byte[] Decrypt(ReadOnlySpan<byte> key, Span<byte> iv, ReadOnlySpan<byte> data, ReadOnlySpan<byte> tag)
+ public byte[] Decrypt(ReadOnlySpan<byte> key, ReadOnlySpan<byte> iv, ReadOnlySpan<byte> data, ReadOnlySpan<byte> tag)
  {
  if (KeyLength != key.Length)
  {
@@ -59,42 +62,80 @@ public static bool TryGetCipher(Name name, [NotNullWhen(true)] out OpenSshKeyCip
  { AlgorithmNames.Aes256Ctr, CreateAesCtrCipher(32) },
  { AlgorithmNames.Aes128Gcm, CreateAesGcmCipher(16) },
  { AlgorithmNames.Aes256Gcm, CreateAesGcmCipher(32) },
+ {AlgorithmNames.ChaCha20Poly1305,
+ new OpenSshKeyCipher(
+ keyLength: 64,
+ ivLength: 0,
+ DecryptChaCha20Poly1305,
+ tagLength: 16) },
  };
 
  private static OpenSshKeyCipher CreateAesCbcCipher(int keyLength)
  => new OpenSshKeyCipher(keyLength: keyLength, ivLength: 16,
- (ReadOnlySpan<byte> key, Span<byte> iv, ReadOnlySpan<byte> data, ReadOnlySpan<byte> _)
+ (ReadOnlySpan<byte> key, ReadOnlySpan<byte> iv, ReadOnlySpan<byte> data, ReadOnlySpan<byte> _)
  => DecryptAesCbc(key, iv, data));
 
  private static OpenSshKeyCipher CreateAesCtrCipher(int keyLength)
  => new OpenSshKeyCipher(keyLength: keyLength, ivLength: 16,
- (ReadOnlySpan<byte> key, Span<byte> iv, ReadOnlySpan<byte> data, ReadOnlySpan<byte> _)
+ (ReadOnlySpan<byte> key, ReadOnlySpan<byte> iv, ReadOnlySpan<byte> data, ReadOnlySpan<byte> _)
  => DecryptAesCtr(key, iv, data));
 
  private static OpenSshKeyCipher CreateAesGcmCipher(int keyLength)
  => new OpenSshKeyCipher(keyLength: keyLength, ivLength: 12,
  DecryptAesGcm,
  tagLength: 16);
 
- private static byte[] DecryptAesCbc(ReadOnlySpan<byte> key, Span<byte> iv, ReadOnlySpan<byte> data)
+ private static byte[] DecryptAesCbc(ReadOnlySpan<byte> key, ReadOnlySpan<byte> iv, ReadOnlySpan<byte> data)
  {
  using Aes aes = Aes.Create();
  aes.Key = key.ToArray();
  return aes.DecryptCbc(data, iv, PaddingMode.None);
  }
 
- private static byte[] DecryptAesCtr(ReadOnlySpan<byte> key, Span<byte> iv, ReadOnlySpan<byte> data)
+ private static byte[] DecryptAesCtr(ReadOnlySpan<byte> key, ReadOnlySpan<byte> iv, ReadOnlySpan<byte> data)
  {
  byte[] plaintext = new byte[data.Length];
  AesCtr.DecryptCtr(key, iv, data, plaintext);
  return plaintext;
  }
 
- private static byte[] DecryptAesGcm(ReadOnlySpan<byte> key, Span<byte> iv, ReadOnlySpan<byte> data, ReadOnlySpan<byte> tag)
+ private static byte[] DecryptAesGcm(ReadOnlySpan<byte> key, ReadOnlySpan<byte> iv, ReadOnlySpan<byte> data, ReadOnlySpan<byte> tag)
  {
  using AesGcm aesGcm = new AesGcm(key, tag.Length);
  byte[] plaintext = new byte[data.Length];
  aesGcm.Decrypt(iv, data, tag, plaintext, null);
  return plaintext;
  }
+
+ private static byte[] DecryptChaCha20Poly1305(ReadOnlySpan<byte> key, ReadOnlySpan<byte> _, ReadOnlySpan<byte> ciphertext, ReadOnlySpan<byte> tag)
+ {
+ ReadOnlySpan<byte> iv = stackalloc byte[12];
+ ReadOnlySpan<byte> K_1 = key[..32];
+
+ ChaCha7539Engine chacha = new();
+ chacha.Init(forEncryption: false, new ParametersWithIV(new KeyParameter(K_1), iv));
+
+ // Calculate poly key
+ Span<byte> polyKey = stackalloc byte[64];
+ chacha.ProcessBytes(input: polyKey, output: polyKey);
+
+ // Calculate mac
+ Poly1305 poly = new();
+ poly.Init(new KeyParameter(polyKey[..32]));
+ poly.BlockUpdate(ciphertext);
+ Span<byte> ciphertextTag = stackalloc byte[16];
+ poly.DoFinal(ciphertextTag);
+
+ // Check mac
+ if (!CryptographicOperations.FixedTimeEquals(ciphertextTag, tag))
+ {
+ throw new CryptographicException();
+ }
+
+ // Decode plaintext
+ byte[] plaintext = new byte[ciphertext.Length];
+ chacha.ProcessBytes(ciphertext, plaintext);
+
+ return plaintext;
+ }
 }

src/Tmds.Ssh/PacketEncryptionAlgorithm.cs

@@ -16,16 +16,15 @@ private PacketEncryptionAlgorithm(int keyLength, int ivLength,
  {
  KeyLength = keyLength;
  IVLength = ivLength;
- IsAuthenticated = isAuthenticated;
  TagLength = tagLength;
  _createPacketEncryptor = createPacketEncryptor;
  _createPacketDecryptor = createPacketDecryptor;
  }
 
  public int KeyLength { get; }
  public int IVLength { get; }
- public bool IsAuthenticated { get; }
- public int TagLength { get; } // When IsAuthenticated == true
+ public bool IsAuthenticated => TagLength > 0;
+ private int TagLength { get; }
 
  public IPacketEncryptor CreatePacketEncryptor(byte[] key, byte[] iv, HMacAlgorithm? hmacAlgorithm, byte[] hmacKey)
  {

test/Tmds.Ssh.Tests/PrivateKeyCredentialTests.cs

@@ -101,6 +101,7 @@ await RunWithKeyConversion(_sshServer.TestUserIdentityFile, async (string localK
  [InlineData("aes256-ctr")]
  [InlineData("[email protected]")]
  [InlineData("[email protected]")]
+ [InlineData("[email protected]")]
  public async Task OpenSshRsaKey(string? cipher)
  {
  await RunWithKeyConversion(_sshServer.TestUserIdentityFile, async (string localKey) =>