diff options
author | Uros Majstorovic <majstor@majstor.org> | 2024-04-26 19:13:23 +0200 |
---|---|---|
committer | Uros Majstorovic <majstor@majstor.org> | 2024-04-26 19:13:23 +0200 |
commit | 4d50119033c574806d393643d96f11e065142822 (patch) | |
tree | fb208e960c6ce948fa6cc6ce10e77889bfe02252 /ecp/src | |
parent | 8428b7703c2b5d510aed8f57f146d2717b5529bc (diff) |
added max diff between current irep nonce and auth tag nonce
Diffstat (limited to 'ecp/src')
-rw-r--r-- | ecp/src/ecp/core.c | 44 | ||||
-rw-r--r-- | ecp/src/ecp/core.h | 8 |
2 files changed, 17 insertions, 35 deletions
diff --git a/ecp/src/ecp/core.c b/ecp/src/ecp/core.c index d111a97..6355a03 100644 --- a/ecp/src/ecp/core.c +++ b/ecp/src/ecp/core.c @@ -378,7 +378,7 @@ static ECPConnection *conn_table_search(ECPSocket *sock, unsigned char c_idx, ec static void conn_table_expire(ECPSocket *sock, ecp_sts_t to, ecp_conn_expired_t conn_expired) { ECPConnection *conn; - ECPConnection *to_remove[ECP_MAX_EXP]; + ECPConnection *to_remove[ECP_MAX_EXPIRED]; int i, remove_cnt, expired; ecp_sts_t now = ecp_tm_get_s(); @@ -421,7 +421,7 @@ static void conn_table_expire(ECPSocket *sock, ecp_sts_t to, ecp_conn_expired_t to_remove[remove_cnt] = conn; remove_cnt++; - if (remove_cnt == ECP_MAX_EXP) { + if (remove_cnt == ECP_MAX_EXPIRED) { if (!rv) { remove_next = ecp_ht_itr_key(&itr); } else { @@ -471,7 +471,7 @@ static void conn_table_expire(ECPSocket *sock, ecp_sts_t to, ecp_conn_expired_t if (expired) { to_remove[remove_cnt] = conn; remove_cnt++; - if (remove_cnt == ECP_MAX_EXP) break; + if (remove_cnt == ECP_MAX_EXPIRED) break; } } @@ -484,7 +484,7 @@ static void conn_table_expire(ECPSocket *sock, ecp_sts_t to, ecp_conn_expired_t ecp_conn_refcount_dec(to_remove[i]); } - } while (remove_cnt < ECP_MAX_EXP); + } while (remove_cnt < ECP_MAX_EXPIRED); #endif /* ECP_WITH_HTABLE */ } @@ -639,34 +639,11 @@ int ecp_sock_dhkey_get_pub(ECPSocket *sock, unsigned char *idx, ecp_ecdh_public_ return ECP_OK; } -void ecp_sock_get_nonce(ECPSocket *sock, ecp_nonce_t *nonce) { -#ifdef ECP_WITH_PTHREAD - pthread_mutex_lock(&sock->mutex); -#endif - - *nonce = sock->nonce_out; - sock->nonce_out++; - -#ifdef ECP_WITH_PTHREAD - pthread_mutex_unlock(&sock->mutex); -#endif -} - -static int _conn_expired_inb(ECPConnection *conn, ecp_sts_t now, ecp_sts_t to) { - if (ecp_conn_is_inb(conn) && _ecp_conn_is_zombie(conn, now, to)) return 1; - return 0; -} - void ecp_sock_expire(ECPSocket *sock, ecp_sts_t to, ecp_conn_expired_t conn_expired) { conn_table_expire(sock, to, conn_expired); } -void ecp_sock_expire_inb(ECPSocket *sock, ecp_sts_t to) { - ecp_sock_ckey_new(sock); - conn_table_expire(sock, to, _conn_expired_inb); -} - -void ecp_atag_gen(ECPSocket *sock, unsigned char *atag, unsigned char *public_buf, ecp_nonce_t *nonce) { +void ecp_atag_gen(ECPSocket *sock, unsigned char *public_buf, unsigned char *atag, ecp_nonce_t *nonce) { unsigned char msg[ECP_SIZE_ECDH_PUB+ECP_SIZE_NONCE]; ecp_hmac_key_t key; @@ -675,6 +652,8 @@ void ecp_atag_gen(ECPSocket *sock, unsigned char *atag, unsigned char *public_bu #endif memcpy(&key, &sock->ckey, sizeof(sock->ckey)); + *nonce = sock->nonce_out; + sock->nonce_out++; #ifdef ECP_WITH_PTHREAD pthread_mutex_unlock(&sock->mutex); @@ -690,17 +669,23 @@ int ecp_cookie_verify(ECPSocket *sock, unsigned char *cookie, unsigned char *pub unsigned char msg[ECP_SIZE_ECDH_PUB+ECP_SIZE_NONCE]; unsigned char atag[ECP_SIZE_ATAG]; ecp_hmac_key_t key; + ecp_nonce_t nonce_sock, nonce_cookie, nonce_offset; #ifdef ECP_WITH_PTHREAD pthread_mutex_lock(&sock->mutex); #endif memcpy(&key, &sock->ckey, sizeof(sock->ckey)); + nonce_sock = sock->nonce_out - 1; #ifdef ECP_WITH_PTHREAD pthread_mutex_unlock(&sock->mutex); #endif + ecp_buf2nonce(&nonce_cookie, cookie); + nonce_offset = nonce_sock - nonce_cookie; + if (nonce_offset > ECP_MAX_NONCE_FWD) return ECP_ERR_COOKIE; + memcpy(msg, public_buf, ECP_SIZE_ECDH_PUB); memcpy(msg+ECP_SIZE_ECDH_PUB, cookie, ECP_SIZE_NONCE); ecp_hmac(atag, &key, msg, sizeof(msg)); @@ -1710,8 +1695,7 @@ ssize_t ecp_send_init_rep(ECPSocket *sock, ECPConnection *parent, ecp_tr_addr_t ecp_pld_set_type(payload.buffer, payload.size, ECP_MTYPE_INIT_REP); msg = ecp_pld_get_msg(payload.buffer, payload.size); - ecp_sock_get_nonce(sock, &nonce); - ecp_atag_gen(sock, atag, public_buf, &nonce); + ecp_atag_gen(sock, public_buf, atag, &nonce); _rv = ecp_sock_dhkey_get_pub(sock, msg, (ecp_ecdh_public_t *)(msg+1)); if (_rv) return _rv; diff --git a/ecp/src/ecp/core.h b/ecp/src/ecp/core.h index 6f1dbab..3b1d7b4 100644 --- a/ecp/src/ecp/core.h +++ b/ecp/src/ecp/core.h @@ -47,7 +47,8 @@ #define ECP_MAX_MTYPE 16 #define ECP_MAX_PARENT 3 #define ECP_MAX_SEQ_FWD 1024 -#define ECP_MAX_EXP 100 +#define ECP_MAX_NONCE_FWD 100 /* max diff between current sock nonce and auth tag nonce (open req message) */ +#define ECP_MAX_EXPIRED 100 #define ECP_MIN_KEYX_DT 3600 @@ -393,12 +394,9 @@ void ecp_sock_ckey_new(ECPSocket *sock); int ecp_sock_dhkey_new(ECPSocket *sock); int ecp_sock_dhkey_get(ECPSocket *sock, unsigned char idx, ECPDHKey *key); int ecp_sock_dhkey_get_pub(ECPSocket *sock, unsigned char *idx, ecp_ecdh_public_t *public); -void ecp_sock_get_nonce(ECPSocket *sock, ecp_nonce_t *nonce); - void ecp_sock_expire(ECPSocket *sock, ecp_sts_t to, ecp_conn_expired_t conn_expired); -void ecp_sock_expire_inb(ECPSocket *sock, ecp_sts_t to); -void ecp_atag_gen(ECPSocket *sock, unsigned char *cookie, unsigned char *public_buf, ecp_nonce_t *nonce); +void ecp_atag_gen(ECPSocket *sock, unsigned char *public_buf, unsigned char *atag, ecp_nonce_t *nonce); int ecp_cookie_verify(ECPSocket *sock, unsigned char *cookie, unsigned char *public_buf); ECPConnection *ecp_conn_new_inb(ECPSocket *sock, unsigned char ctype); |