server/bulkcrypto.c: Abstract out MAC-failure tracing.
diff --git
a/server/keyexch.c
b/server/keyexch.c
index
8cc4ad6
..
0c1ed82
100644
(file)
--- a/
server/keyexch.c
+++ b/
server/keyexch.c
@@
-125,20
+125,20
@@
static void hashge(ghash *h, group *g, ge *x)
* @const octet *k@ = pointer to key material
* @size_t ksz@ = size of the key
*
* @const octet *k@ = pointer to key material
* @size_t ksz@ = size of the key
*
- * Returns:
Pointer to the output.
+ * Returns:
---
*
* Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
* it's a random oracle thing rather than an encryption thing.
*
* Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
* it's a random oracle thing rather than an encryption thing.
+ * Breaks the output buffer on error.
*/
*/
-static
octet *
mpmask(buf *b, mp *x, size_t n,
-
const gccipher *mgfc, const octet *k, size_t ksz)
+static
void
mpmask(buf *b, mp *x, size_t n,
+ const gccipher *mgfc, const octet *k, size_t ksz)
{
gcipher *mgf;
octet *p;
{
gcipher *mgf;
octet *p;
- if ((p = buf_get(b, n)) == 0)
- return (0);
+ if ((p = buf_get(b, n)) == 0) return;
mgf = GC_INIT(mgfc, k, ksz);
IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
trace(T_CRYPTO, "crypto: masking index = %s", mpstr(x));
mgf = GC_INIT(mgfc, k, ksz);
IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
trace(T_CRYPTO, "crypto: masking index = %s", mpstr(x));
@@
-151,7
+151,6
@@
static octet *mpmask(buf *b, mp *x, size_t n,
trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
}))
GC_DESTROY(mgf);
trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
}))
GC_DESTROY(mgf);
- return (p);
}
/* --- @mpunmask@ --- *
}
/* --- @mpunmask@ --- *
@@
-428,6
+427,8
@@
static void kxc_stoptimer(kxchal *kxc)
* Returns: A pointer to the challenge block.
*
* Use: Returns a pointer to a new challenge block to fill in.
* Returns: A pointer to the challenge block.
*
* Use: Returns a pointer to a new challenge block to fill in.
+ * In particular, the @c@ and @r@ members are left
+ * uninitialized.
*/
static kxchal *kxc_new(keyexch *kx)
*/
static kxchal *kxc_new(keyexch *kx)
@@
-447,8
+448,6
@@
static kxchal *kxc_new(keyexch *kx)
/* --- Fill in the new structure --- */
kxc = CREATE(kxchal);
/* --- Fill in the new structure --- */
kxc = CREATE(kxchal);
- kxc->c = G_CREATE(kx->kpriv->g);
- kxc->r = G_CREATE(kx->kpriv->g);
kxc->ks = 0;
kxc->kx = kx;
kxc->f = 0;
kxc->ks = 0;
kxc->kx = kx;
kxc->f = 0;
@@
-678,9
+677,10
@@
static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
/* --- Compute the reply, and check the magic --- */
G_EXP(g, r, c, kx->kpriv->kpriv);
/* --- Compute the reply, and check the magic --- */
G_EXP(g, r, c, kx->kpriv->kpriv);
- cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf,
- hashcheck(kx, kx->kpub->kpub, kx->c, c, r),
- algs->hashsz);
+ if ((cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf,
+ hashcheck(kx, kx->kpub->kpub, kx->c, c, r),
+ algs->hashsz)) == 0)
+ goto badcheck;
IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
trace(T_CRYPTO, "crypto: computed reply = %s", gestr(g, r));
trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
trace(T_CRYPTO, "crypto: computed reply = %s", gestr(g, r));
trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
@@
-693,8
+693,8
@@
static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
/* --- Fill in a new challenge block --- */
kxc = kxc_new(kx);
/* --- Fill in a new challenge block --- */
kxc = kxc_new(kx);
-
G_COPY(g, kxc->c, c)
;
-
G_COPY(g, kxc->r, r
);
+
kxc->c = c; c = 0
;
+
kxc->r = r; r = G_CREATE(g
);
h = GH_INIT(algs->h); HASH_STRING(h, "tripe-check-hash");
GH_HASH(h, ck, ixsz);
h = GH_INIT(algs->h); HASH_STRING(h, "tripe-check-hash");
GH_HASH(h, ck, ixsz);
@@
-711,7
+711,7
@@
static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
/* --- Work out the shared key --- */
/* --- Work out the shared key --- */
- G_EXP(g, r, c, kx->alpha);
+ G_EXP(g, r,
kxc->
c, kx->alpha);
IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
trace(T_CRYPTO, "crypto: shared secret = %s", gestr(g, r));
}))
IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
trace(T_CRYPTO, "crypto: shared secret = %s", gestr(g, r));
}))
@@
-754,7
+754,7
@@
static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
}
kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
}
- G_DESTROY(g, c);
+
if (c)
G_DESTROY(g, c);
G_DESTROY(g, cc);
G_DESTROY(g, r);
mp_drop(cv);
G_DESTROY(g, cc);
G_DESTROY(g, r);
mp_drop(cv);
@@
-764,7
+764,7
@@
badcheck:
a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
goto bad;
bad:
a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
goto bad;
bad:
- G_DESTROY(g, c);
+
if (c)
G_DESTROY(g, c);
G_DESTROY(g, cc);
G_DESTROY(g, r);
mp_drop(cv);
G_DESTROY(g, cc);
G_DESTROY(g, r);
mp_drop(cv);
@@
-1479,7
+1479,7
@@
int kx_init(keyexch *kx, peer *p, keyset **ks, unsigned f)
{
if ((kx->kpriv = km_findpriv(p_privtag(p))) == 0) goto fail_0;
if ((kx->kpub = km_findpub(p_tag(p))) == 0) goto fail_1;
{
if ((kx->kpriv = km_findpriv(p_privtag(p))) == 0) goto fail_0;
if ((kx->kpub = km_findpub(p_tag(p))) == 0) goto fail_1;
- if (!
group_samep(kx->kpriv->g, kx->kpub->g
)) {
+ if (!
km_samealgsp(kx->kpriv, kx->kpub
)) {
a_warn("KX", "?PEER", p, "group-mismatch",
"local-private-key", "%s", p_privtag(p),
"peer-public-key", "%s", p_tag(p),
a_warn("KX", "?PEER", p, "group-mismatch",
"local-private-key", "%s", p_privtag(p),
"peer-public-key", "%s", p_tag(p),
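Review bot: In the two kxc_new hunks (-428 and -447) the `c` and `r` members are no longer created, so every new `kxchal` carries two indeterminate pointers until its caller assigns them. respond() does assign both straight after `kxc_new(kx)` (`kxc->c = c; c = 0;` and `kxc->r = r; r = G_CREATE(g);`), but other callers of kxc_new and the code that tears a `kxchal` down are not visible in this diff. If any of them destroys `kxc->c` or `kxc->r` before the assignment, it would act on an indeterminate pointer. Setting `kxc->c = 0; kxc->r = 0;` in kxc_new, and guarding the teardown the way respond() now does with `if (c) G_DESTROY(g, c);`, would make the half-built state safe to free. The bodies of kxc_new and respond() continue outside the hunks shown.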