From 2e2abc61db54f3a25fcb261e2d93277673770d70 Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Tue, 19 Oct 2021 13:55:28 +0200 Subject: make KDF conform to RFC 5869 --- src/util/crypto_hkdf.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) (limited to 'src/util') diff --git a/src/util/crypto_hkdf.c b/src/util/crypto_hkdf.c index 7270b87b6..ba3626e1a 100644 --- a/src/util/crypto_hkdf.c +++ b/src/util/crypto_hkdf.c @@ -103,11 +103,29 @@ getPRK (gcry_md_hd_t mac, const void *xts, size_t xts_len, const void *skm, size_t skm_len, void *prk) { const void *ret; + size_t dlen; - ret = doHMAC (mac, xts, xts_len, skm, skm_len); + dlen = gcry_md_get_algo_dlen (gcry_md_get_algo (mac)); + + /* sanity check to bound stack allocation */ + GNUNET_assert (dlen <= 512); + + /* From RFC 5869: + * salt - optional salt value (a non-secret random value); + * if not provided, it is set to a string of HashLen zeros. */ + + if (xts_len == 0) + { + char zero_salt[dlen] = { 0 }; + ret = doHMAC (mac, zero_salt, dlen, skm, skm_len); + } + else + { + ret = doHMAC (mac, xts, xts_len, skm, skm_len); + } if (ret == NULL) return GNUNET_SYSERR; - GNUNET_memcpy (prk, ret, gcry_md_get_algo_dlen (gcry_md_get_algo (mac))); + GNUNET_memcpy (prk, ret, dlen); return GNUNET_YES; } -- cgit v1.2.3 From 789268e1b9320a0757fe3c191767b155aedd351d Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Tue, 19 Oct 2021 13:59:42 +0200 Subject: kdf: zero out salt correctly --- src/util/crypto_hkdf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/util') diff --git a/src/util/crypto_hkdf.c b/src/util/crypto_hkdf.c index ba3626e1a..4e4496819 100644 --- a/src/util/crypto_hkdf.c +++ b/src/util/crypto_hkdf.c @@ -116,7 +116,8 @@ getPRK (gcry_md_hd_t mac, const void *xts, size_t xts_len, const void *skm, if (xts_len == 0) { - char zero_salt[dlen] = { 0 }; + char zero_salt[dlen]; + memset (zero_salt, 0, dlen); ret = doHMAC (mac, zero_salt, dlen, skm, skm_len); } else -- cgit v1.2.3 From f94d9e793861c5e36d17f485c3c1a7053f86587e Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Sat, 23 Oct 2021 07:26:30 +0200 Subject: -style fixes --- src/include/gnunet_json_lib.h | 4 ++-- src/json/json.c | 2 +- src/pq/pq_result_helper.c | 43 +++++++++++++++++++++++++------------------ src/util/crypto_rsa.c | 23 +++++++++++++++++++---- 4 files changed, 47 insertions(+), 25 deletions(-) (limited to 'src/util') diff --git a/src/include/gnunet_json_lib.h b/src/include/gnunet_json_lib.h index 92f696e08..5ef4592e5 100644 --- a/src/include/gnunet_json_lib.h +++ b/src/include/gnunet_json_lib.h @@ -107,9 +107,9 @@ struct GNUNET_JSON_Specification size_t *size_ptr; /** - * Set to #GNUNET_YES if this component is optional. + * Set to true if this component is optional. */ - int is_optional; + bool is_optional; }; diff --git a/src/json/json.c b/src/json/json.c index 51d5c0c72..6d11b4fdd 100644 --- a/src/json/json.c +++ b/src/json/json.c @@ -77,7 +77,7 @@ GNUNET_JSON_spec_mark_optional (struct GNUNET_JSON_Specification spec) { struct GNUNET_JSON_Specification ret = spec; - ret.is_optional = GNUNET_YES; + ret.is_optional = true; return ret; } diff --git a/src/pq/pq_result_helper.c b/src/pq/pq_result_helper.c index 23fb4f96e..f264603f4 100644 --- a/src/pq/pq_result_helper.c +++ b/src/pq/pq_result_helper.c @@ -127,10 +127,13 @@ GNUNET_PQ_result_spec_variable_size (const char *name, void **dst, size_t *sptr) { - struct GNUNET_PQ_ResultSpec res = - { &extract_varsize_blob, - &clean_varsize_blob, NULL, - (void *) (dst), 0, name, sptr }; + struct GNUNET_PQ_ResultSpec res = { + .conv = &extract_varsize_blob, + .cleaner = &clean_varsize_blob, + .dst = (void *) (dst), + .fname = name, + .result_size = sptr + }; return res; } @@ -207,10 +210,12 @@ GNUNET_PQ_result_spec_fixed_size (const char *name, void *dst, size_t dst_size) { - struct GNUNET_PQ_ResultSpec res = - { &extract_fixed_blob, - NULL, NULL, - (dst), dst_size, name, NULL }; + struct GNUNET_PQ_ResultSpec res = { + .conv = &extract_fixed_blob, + .dst = (dst), + .dst_size = dst_size, + .fname = name + }; return res; } @@ -301,11 +306,12 @@ struct GNUNET_PQ_ResultSpec GNUNET_PQ_result_spec_rsa_public_key (const char *name, struct GNUNET_CRYPTO_RsaPublicKey **rsa) { - struct GNUNET_PQ_ResultSpec res = - { &extract_rsa_public_key, - &clean_rsa_public_key, - NULL, - (void *) rsa, 0, name, NULL }; + struct GNUNET_PQ_ResultSpec res = { + .conv = &extract_rsa_public_key, + .cleaner = &clean_rsa_public_key, + .dst = (void *) rsa, + .fname = name + }; return res; } @@ -395,11 +401,12 @@ struct GNUNET_PQ_ResultSpec GNUNET_PQ_result_spec_rsa_signature (const char *name, struct GNUNET_CRYPTO_RsaSignature **sig) { - struct GNUNET_PQ_ResultSpec res = - { &extract_rsa_signature, - &clean_rsa_signature, - NULL, - (void *) sig, 0, (name), NULL }; + struct GNUNET_PQ_ResultSpec res = { + .conv = &extract_rsa_signature, + .cleaner = &clean_rsa_signature, + .dst = (void *) sig, + .fname = name + }; return res; } diff --git a/src/util/crypto_rsa.c b/src/util/crypto_rsa.c index 4d3de00bc..f017d1f10 100644 --- a/src/util/crypto_rsa.c +++ b/src/util/crypto_rsa.c @@ -310,9 +310,15 @@ GNUNET_CRYPTO_rsa_public_key_encode ( struct GNUNET_CRYPTO_RsaPublicKeyHeaderP hdr; int ret; - ret = key_from_sexp (ne, key->sexp, "public-key", "ne"); + ret = key_from_sexp (ne, + key->sexp, + "public-key", + "ne"); if (0 != ret) - ret = key_from_sexp (ne, key->sexp, "rsa", "ne"); + ret = key_from_sexp (ne, + key->sexp, + "rsa", + "ne"); if (0 != ret) { GNUNET_break (0); @@ -333,16 +339,25 @@ GNUNET_CRYPTO_rsa_public_key_encode ( (n_size > UINT16_MAX) ) { GNUNET_break (0); - *buffer = NULL; + if (NULL != buffer) + *buffer = NULL; gcry_mpi_release (ne[0]); gcry_mpi_release (ne[1]); return 0; } buf_size = n_size + e_size + sizeof (hdr); + if (NULL == buffer) + { + gcry_mpi_release (ne[0]); + gcry_mpi_release (ne[1]); + return buf_size; + } buf = GNUNET_malloc (buf_size); hdr.modulus_length = htons ((uint16_t) n_size); hdr.public_exponent_length = htons ((uint16_t) e_size); - memcpy (buf, &hdr, sizeof (hdr)); + memcpy (buf, + &hdr, + sizeof (hdr)); GNUNET_assert (0 == gcry_mpi_print (GCRYMPI_FMT_USG, (unsigned char *) &buf[sizeof (hdr)], -- cgit v1.2.3 From 62bd4ad64ebf1567c05170353dd7c60813c4f284 Mon Sep 17 00:00:00 2001 From: Alessio Vanni Date: Sat, 30 Oct 2021 16:07:08 +0200 Subject: -fix subtle bug in GNUNET_CONFIGURATION_default Apparently this was there since the beginning and it wasn't caught earlier merely due to a coincidence. Basically, it was looking at the caller's values instead of GNUnet's and even when I used this function in personal projects, it just happened that I was calling this function before setting the new project data, so the two environments ended up being the same. It didn't cause any issues because it was still returning GNUnet's own configuration, meaning everything else worked as expected, but naturally if one were to move the call later on it would break. Also add a comment to answer the FIXME. --- src/util/configuration.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'src/util') diff --git a/src/util/configuration.c b/src/util/configuration.c index 09a3a7d93..d9d6721cc 100644 --- a/src/util/configuration.c +++ b/src/util/configuration.c @@ -2383,31 +2383,34 @@ GNUNET_CONFIGURATION_default (void) char *cfgname = NULL; struct GNUNET_CONFIGURATION_Handle *cfg; - /* FIXME: Why are we doing this? Needs some commentary! */ + /* Makes sure function implicitly looking at the installation directory (for + example GNUNET_CONFIGURATION_load further down) use GNUnet's environment + instead of the caller's. It's done at the start to make sure as many + functions as possible are directed to the proper paths. */ GNUNET_OS_init (dpd); cfg = GNUNET_CONFIGURATION_create (); /* First, try user configuration. */ if (NULL != xdg) - GNUNET_asprintf (&cfgname, "%s/%s", xdg, pd->config_file); + GNUNET_asprintf (&cfgname, "%s/%s", xdg, dpd->config_file); else - cfgname = GNUNET_strdup (pd->user_config_file); + cfgname = GNUNET_strdup (dpd->user_config_file); /* If user config doesn't exist, try in /etc// and /etc/ */ if (GNUNET_OK != GNUNET_DISK_file_test (cfgname)) { GNUNET_free (cfgname); - GNUNET_asprintf (&cfgname, "/etc/%s", pd->config_file); + GNUNET_asprintf (&cfgname, "/etc/%s", dpd->config_file); } if (GNUNET_OK != GNUNET_DISK_file_test (cfgname)) { GNUNET_free (cfgname); GNUNET_asprintf (&cfgname, "/etc/%s/%s", - pd->project_dirname, - pd->config_file); + dpd->project_dirname, + dpd->config_file); } if (GNUNET_OK != GNUNET_DISK_file_test (cfgname)) { -- cgit v1.2.3 From 328047f8ee926055be593f180de40885823a7988 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Mon, 1 Nov 2021 09:14:42 +0100 Subject: -cleanup --- src/include/gnunet_os_lib.h | 4 ++-- src/util/os_installation.c | 20 ++------------------ 2 files changed, 4 insertions(+), 20 deletions(-) (limited to 'src/util') diff --git a/src/include/gnunet_os_lib.h b/src/include/gnunet_os_lib.h index 749f766d2..eddf97dab 100644 --- a/src/include/gnunet_os_lib.h +++ b/src/include/gnunet_os_lib.h @@ -672,9 +672,9 @@ GNUNET_OS_install_parent_control_handler (void *cls); * #GNUNET_NO if not SUID (but binary exists), * #GNUNET_SYSERR on error (no such binary or not executable) */ -int +enum GNUNET_GenericReturnValue GNUNET_OS_check_helper_binary (const char *binary, - int check_suid, + bool check_suid, const char *params); diff --git a/src/util/os_installation.c b/src/util/os_installation.c index f15e1871a..171bb5baa 100644 --- a/src/util/os_installation.c +++ b/src/util/os_installation.c @@ -754,25 +754,9 @@ GNUNET_OS_get_suid_binary_path (const struct GNUNET_CONFIGURATION_Handle *cfg, } -/** - * Check whether an executable exists and possibly if the suid bit is - * set on the file. Attempts to find the file using the current PATH - * environment variable as a search path. - * - * @param binary the name of the file to check. - * W32: must not have an .exe suffix. - * @param check_suid input true if the binary should be checked for SUID (*nix) - * W32: checks if the program has sufficient privileges by executing this - * binary with the -d flag. -d omits a programs main loop and only - * executes all privileged operations in an binary. - * @param params parameters used for w32 privilege checking (can be NULL for != w32 ) - * @return #GNUNET_YES if the file is SUID (*nix) or can be executed with current privileges (W32), - * #GNUNET_NO if not SUID (but binary exists), - * #GNUNET_SYSERR on error (no such binary or not executable) - */ -int +enum GNUNET_GenericReturnValue GNUNET_OS_check_helper_binary (const char *binary, - int check_suid, + bool check_suid, const char *params) { struct stat statbuf; -- cgit v1.2.3