X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/blobdiff_plain/b41feb109ed1745db099dcc70703726f117c36dc..01d12d8f98b4292d64d9996a17bc9c9264cacaf9:/server/keyexch.c
diff --git a/server/keyexch.c b/server/keyexch.c
index 2502fa39..0c1ed829 100644
--- a/server/keyexch.c
+++ b/server/keyexch.c
@@ -125,20 +125,20 @@ static void hashge(ghash *h, group *g, ge *x)
 * @const octet *k@ = pointer to key material
 * @size_t ksz@ = size of the key
 *
- * Returns: Pointer to the output.
+ * Returns: ---
 *
 * Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
 * it's a random oracle thing rather than an encryption thing.
+ * Breaks the output buffer on error.
 */
 
-static octet *mpmask(buf *b, mp *x, size_t n,
- const gccipher *mgfc, const octet *k, size_t ksz)
+static void mpmask(buf *b, mp *x, size_t n,
+ const gccipher *mgfc, const octet *k, size_t ksz)
 {
 gcipher *mgf;
 octet *p;
 
- if ((p = buf_get(b, n)) == 0)
- return (0);
+ if ((p = buf_get(b, n)) == 0) return;
 mgf = GC_INIT(mgfc, k, ksz);
 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
 trace(T_CRYPTO, "crypto: masking index = %s", mpstr(x));
@@ -151,7 +151,6 @@ static octet *mpmask(buf *b, mp *x, size_t n,
 trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
 }))
 GC_DESTROY(mgf);
- return (p);
 }
 
 /* --- @mpunmask@ --- *
@@ -428,6 +427,8 @@ static void kxc_stoptimer(kxchal *kxc)
 * Returns: A pointer to the challenge block.
 *
 * Use: Returns a pointer to a new challenge block to fill in.
+ * In particular, the @c@ and @r@ members are left
+ * uninitialized.
 */
 
 static kxchal *kxc_new(keyexch *kx)
@@ -447,8 +448,6 @@ static kxchal *kxc_new(keyexch *kx)
 /* --- Fill in the new structure --- */
 
 kxc = CREATE(kxchal);
- kxc->c = G_CREATE(kx->kpriv->g);
- kxc->r = G_CREATE(kx->kpriv->g);
 kxc->ks = 0;
 kxc->kx = kx;
 kxc->f = 0;
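Review bot: With mpmask now returning void, the line `if ((p = buf_get(b, n)) == 0) return;` leaves the short-buffer failure signalled only through the buffer's broken state, so every caller that previously tested mpmask's pointer result must now test the buffer before the masked value is sent or hashed; none of those callers are in this diff, so this is inferred from the new "Breaks the output buffer on error" wording and the companion hunk at -151 that drops `return (p);`. The header comment would be more useful if it named what the caller has to do, e.g. `* Breaks the output buffer on error; callers must check the buffer before using the masked output.` The body of mpmask continues between the two hunks.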
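Review bot: Removing the two `G_CREATE` lines after `kxc = CREATE(kxchal);` leaves `kxc->c` and `kxc->r` indeterminate (assuming CREATE does not zero the allocation), and the new header comment at -428 documents that hazard rather than removing it. If any path stops or destroys a challenge block before respond() assigns those members, a wild pointer would be freed; adding `kxc->c = 0; kxc->r = 0;` next to `kxc->ks = 0;` costs nothing and turns that case into a null check the destructor can honour (whether it already does so is outside this diff). The tail of kxc_new is outside the hunk.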
@@ -678,9 +677,10 @@ static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
 /* --- Compute the reply, and check the magic --- */
 
 G_EXP(g, r, c, kx->kpriv->kpriv);
- cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf,
- hashcheck(kx, kx->kpub->kpub, kx->c, c, r),
- algs->hashsz);
+ if ((cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf,
+ hashcheck(kx, kx->kpub->kpub, kx->c, c, r),
+ algs->hashsz)) == 0)
+ goto badcheck;
 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
 trace(T_CRYPTO, "crypto: computed reply = %s", gestr(g, r));
 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
@@ -693,8 +693,8 @@ static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
 /* --- Fill in a new challenge block --- */
 
 kxc = kxc_new(kx);
- G_COPY(g, kxc->c, c);
- G_COPY(g, kxc->r, r);
+ kxc->c = c; c = 0;
+ kxc->r = r; r = G_CREATE(g);
 h = GH_INIT(algs->h);
 HASH_STRING(h, "tripe-check-hash");
 GH_HASH(h, ck, ixsz);
@@ -711,7 +711,7 @@ static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
 
 /* --- Work out the shared key --- */
 
- G_EXP(g, r, c, kx->alpha);
+ G_EXP(g, r, kxc->c, kx->alpha);
 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
 trace(T_CRYPTO, "crypto: shared secret = %s", gestr(g, r));
 }))
@@ -754,7 +754,7 @@ static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
 kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
 }
 
- G_DESTROY(g, c);
+ if (c) G_DESTROY(g, c);
 G_DESTROY(g, cc);
 G_DESTROY(g, r);
 mp_drop(cv);
@@ -764,7 +764,7 @@ badcheck:
 a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
 goto bad;
 bad:
- G_DESTROY(g, c);
+ if (c) G_DESTROY(g, c);
 G_DESTROY(g, cc);
 G_DESTROY(g, r);
 mp_drop(cv);
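Review bot: The new `goto badcheck;` is taken with `cv == 0`, and the `bad:` cleanup in the hunk at -764 still runs `mp_drop(cv);` unconditionally, whereas the same change guards the group element with `if (c) G_DESTROY(g, c);`. If mp_drop tolerates a null operand nothing is needed; otherwise the drop wants the same guard in both the -754 and -764 hunks, `if (cv) mp_drop(cv);`. A short comment at the goto, `/* mpunmask failed: report it as a bad expected-reply log */`, would tie the early exit to the warning it produces. respond() begins and ends outside these hunks.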
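Review bot: `kxc->c = c; c = 0;` and `kxc->r = r; r = G_CREATE(g);` hand ownership of both group elements to the challenge block, but nothing in the hunk says so, and the later `G_EXP(g, r, kxc->c, kx->alpha)` and the `if (c) G_DESTROY(g, c);` guards in the -754 and -764 hunks only make sense with that invariant in mind. A comment above these two lines, `/* kxc takes ownership of c and r; allocate a fresh r for the shared-key computation below */`, would document it for the next reader. The fresh `r` is released only by the `G_DESTROY(g, r);` lines at the end of respond(), so any error exit added between here and there must still reach `bad:`; the intervening code is outside the hunks.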
@@ -1479,8 +1479,8 @@ int kx_init(keyexch *kx, peer *p, keyset **ks, unsigned f)
 {
 if ((kx->kpriv = km_findpriv(p_privtag(p))) == 0) goto fail_0;
 if ((kx->kpub = km_findpub(p_tag(p))) == 0) goto fail_1;
- if (!group_samep(kx->kpriv->g, kx->kpub->g)) {
- a_warn("KX", "?PEER", kx->p, "group-mismatch",
+ if (!km_samealgsp(kx->kpriv, kx->kpub)) {
+ a_warn("KX", "?PEER", p, "group-mismatch",
 "local-private-key", "%s", p_privtag(p),
 "peer-public-key", "%s", p_tag(p),
 A_END);
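Review bot: The warning still reports `"group-mismatch"` although the condition is now `km_samealgsp(kx->kpriv, kx->kpub)`, which by its name presumably compares the keys' whole algorithm selection rather than only the group, so an operator reading that message may look in the wrong place when it is the hash or MGF that differs. Renaming the token would change the admin-protocol output, so if it is kept deliberately a comment on the `if` line should say so, e.g. `/* km_samealgsp checks the full algorithm set, not just the group; the warning name is retained */`. The switch from `kx->p` to `p` in the a_warn call looks like a fix for a field not yet assigned at this point of kx_init, but that assignment is outside the hunk. The rest of kx_init, including the mismatch exit path, is outside the hunk.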