Use OpenSSL cipher to get cipher input lengths

Author: jas14

lib/net/ssh/authentication/ed25519.rb

@@ -64,26 +64,29 @@ def self.read(datafull, password)
 
             len = buffer.read_long
 
-            keylen, blocksize, ivlen = CipherFactory.get_lengths(ciphername, iv_len: true)
-            raise ArgumentError.new("Private key len:#{len} is not a multiple of #{blocksize}") if
-              ((len < blocksize) || ((blocksize > 0) && (len % blocksize) != 0))
-
-            if kdfname == 'bcrypt'
-              salt = kdfopts.read_string
-              rounds = kdfopts.read_long
-
-              raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
-
-              key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
-              raise DecryptError.new("BCyryptPbkdf failed", encrypted_key: true) unless key
-            else
-              key = '\x00' * (keylen + ivlen)
-            end
-
             if ciphername == 'none'
               cipher = Transport::IdentityCipher
             else
               cipher = OpenSSL::Cipher.new(CipherFactory::SSH_TO_OSSL[ciphername])
+              keylen = cipher.key_len
+              ivlen = cipher.iv_len
+              blocksize = cipher.block_size
+
+              raise ArgumentError.new("Private key len:#{len} is not a multiple of #{blocksize}") if
+                ((len < blocksize) || ((blocksize > 0) && (len % blocksize) != 0))
+
+              if kdfname == 'bcrypt'
+                salt = kdfopts.read_string
+                rounds = kdfopts.read_long
+
+                raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
+
+                key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
+                raise DecryptError.new("BCryptPbkdf failed", encrypted_key: true) unless key
+              else
+                key = '\x00' * (keylen + ivlen)
+              end
+
               cipher.decrypt
               cipher.key = key[0...keylen]
               cipher.iv  = key[keylen...keylen + ivlen]
@@ -94,14 +97,12 @@ def self.read(datafull, password)
 
             # TODO: test with chacha poly
             decoded = if cipher.authenticated?
-                        # tested with GCM
                         ciphertext = encrypted_data[0...-16]
                         auth_tag = encrypted_data[-16..]
                         cipher.auth_tag = auth_tag
                         cipher.auth_data = ''
                         cipher.update(ciphertext)
                       else
-                        # tested with CBC
                         cipher.update(encrypted_data)
                       end
 

test/authentication/test_open_ssh_private_key_loader.rb

@@ -49,11 +49,11 @@ def test_chacha20_poly1305_key
         key = <<~PRIVATEKEY
           -----BEGIN OPENSSH PRIVATE KEY-----
           b3BlbnNzaC1rZXktdjEAAAAAHWNoYWNoYTIwLXBvbHkxMzA1QG9wZW5zc2guY29tAAAABm
-          JjcnlwdAAAABgAAAAQYf8G9VsDZqFN+GKW7A0XewAAABgAAAABAAAAMwAAAAtzc2gtZWQy
-          NTUxOQAAACAF+rfLEozMyDub+8gOsb+WssHKSzh+5ffWiyKC3efLfQAAAJDcniGJhUGXaK
-          A7v6DMkskqZA70Sqs1Pjz4ahZ6uBXImAHk04VYskUkcD9FW6GkevWrQA69stLQcmMvuS1Y
-          AyrWopSzwJ0HEZj55b5mnjH8Iob0jPVjAuf5vtjfFeb/rncVgprs6AtEVItgIwZ+LoJTLN
-          yytSz1DNyO0oyZiowww6RMmr3lNjPHNtB71X4XZ3jDo7ySUF24MKmdsPiOjc+R
+          JjcnlwdAAAABgAAAAQgMsN42jlw2C+pMgTPx+suAAAABgAAAABAAAAMwAAAAtzc2gtZWQy
+          NTUxOQAAACCHThbU/SJU7ntvbok6ANB0ob4Q36gXQxUj40PDGJGw4AAAAJADmcQtG5SDxI
+          srhPwRMOUvwK3niQ6R/vxuHrAXiCt9oMymG2ALOmt08no/MVgxeQwKGGFgSzVjFaq6Nyzg
+          yWA5df/AxUK72z7cqUaGzyMWQ+N4pC1q5pOINIiDxtjUTgo2Nv3ZbNV8EBGeDYX95iTN5G
+          YHeAFEd6hZKLOSMUDcKdj1vkZClWTHZBNJtIg4a4ZlQ8/mSJCf7TBv9z1ibaOh
           -----END OPENSSH PRIVATE KEY-----
         PRIVATEKEY
         pwd = 'test'