Fixed error in processing of allowed HMAC algs.

xsd: allowed algs default to none if unspecified.
This commit is contained in:
Russ Magee 2021-11-14 21:17:56 -08:00
parent 129dce4b08
commit cfc9ab8590
2 changed files with 254 additions and 231 deletions

View File

@ -439,9 +439,9 @@ var (
aHMACAlgs allowedHMACAlgs aHMACAlgs allowedHMACAlgs
) )
type allowedKEXAlgs []string // TODO type allowedKEXAlgs []string
type allowedCipherAlgs []string // TODO type allowedCipherAlgs []string
type allowedHMACAlgs []string // TODO type allowedHMACAlgs []string
func (a allowedKEXAlgs) allowed(k xsnet.KEXAlg) bool { func (a allowedKEXAlgs) allowed(k xsnet.KEXAlg) bool {
for i := 0; i < len(a); i++ { for i := 0; i < len(a); i++ {
@ -527,9 +527,33 @@ func main() {
flag.BoolVar(&useSystemPasswd, "s", true, "use system shadow passwds") flag.BoolVar(&useSystemPasswd, "s", true, "use system shadow passwds")
flag.BoolVar(&dbg, "d", false, "debug logging") flag.BoolVar(&dbg, "d", false, "debug logging")
flag.Var(&aKEXAlgs, "aK", `List of allowed KEX algs (eg. 'KEXAlgA KEXAlgB ... KEXAlgN') (default allow all)`) flag.Var(&aKEXAlgs, "aK", `Allowed KEX algs (eg. '-aK KEXAlgA -aK KEXAlgB ...') (default: none)
flag.Var(&aCipherAlgs, "aC", `List of allowed ciphers (eg. 'CipherAlgA CipherAlgB ... CipherAlgN') (default allow all)`) KEX_all
flag.Var(&aHMACAlgs, "aH", `List of allowed HMACs (eg. 'HMACAlgA HMACAlgB ... HMACAlgN') (default allow all)`) KEX_HERRADURA256
KEX_HERRADURA512
KEX_HERRADURA1024
KEX_HERRADURA2048
KEX_KYBER512
KEX_KYBER768
KEX_KYBER1024
KEX_NEWHOPE
KEX_NEWHOPE_SIMPLE
KEX_FRODOKEM_1344AES
KEX_FRODOKEM_1344SHAKE
KEX_FRODOKEM_976AES
KEX_FRODOKEM_976SHAKE`)
flag.Var(&aCipherAlgs, "aC", `Allowed ciphers (eg. '-aC CAlgA -aC CAlgB ...') (default: none)
C_all
C_AES_256
C_TWOFISH_128
C_BLOWFISH_64
C_CRYPTMT1
C_HOPSCOTCH
C_CHACHA20_12`)
flag.Var(&aHMACAlgs, "aH", `Allowed HMACs (eg. '-aH HMACAlgA -aH HMACAlgB ...') (default: none)
H_all
H_SHA256
H_SHA512`)
flag.Parse() flag.Parse()
@ -566,17 +590,17 @@ func main() {
// Set up allowed algs, if specified (default allow all) // Set up allowed algs, if specified (default allow all)
if len(aKEXAlgs) == 0 { if len(aKEXAlgs) == 0 {
aKEXAlgs = []string{"KEX_all"} aKEXAlgs = []string{"none"}
} }
logger.LogNotice(fmt.Sprintf("Allowed KEXAlgs: %v\n", aKEXAlgs)) // nolint: gosec,errcheck logger.LogNotice(fmt.Sprintf("Allowed KEXAlgs: %v\n", aKEXAlgs)) // nolint: gosec,errcheck
if len(aCipherAlgs) == 0 { if len(aCipherAlgs) == 0 {
aCipherAlgs = []string{"C_all"} aCipherAlgs = []string{"none"}
} }
logger.LogNotice(fmt.Sprintf("Allowed CipherAlgs: %v\n", aCipherAlgs)) // nolint: gosec,errcheck logger.LogNotice(fmt.Sprintf("Allowed CipherAlgs: %v\n", aCipherAlgs)) // nolint: gosec,errcheck
if len(aHMACAlgs) == 0 { if len(aHMACAlgs) == 0 {
aHMACAlgs = []string{"H_all"} aHMACAlgs = []string{"none"}
} }
logger.LogNotice(fmt.Sprintf("Allowed HMACAlgs: %v\n", aHMACAlgs)) // nolint: gosec,errcheck logger.LogNotice(fmt.Sprintf("Allowed HMACAlgs: %v\n", aHMACAlgs)) // nolint: gosec,errcheck
@ -620,7 +644,8 @@ func main() {
conn, err := l.Accept() conn, err := l.Accept()
if err != nil { if err != nil {
log.Printf("Accept() got error(%v), hanging up.\n", err) log.Printf("Accept() got error(%v), hanging up.\n", err)
} else if !aKEXAlgs.allowed(conn.KEX()) { } else {
if !aKEXAlgs.allowed(conn.KEX()) {
log.Printf("Accept() rejected for banned KEX alg %d, hanging up.\n", conn.KEX()) log.Printf("Accept() rejected for banned KEX alg %d, hanging up.\n", conn.KEX())
conn.SetStatus(xsnet.CSEKEXAlgDenied) conn.SetStatus(xsnet.CSEKEXAlgDenied)
conn.Close() conn.Close()
@ -847,6 +872,7 @@ func main() {
} }
return return
}(&conn) // nolint: errcheck }(&conn) // nolint: errcheck
} // algs valid and not blacklisted
} // Accept() success } // Accept() success
} //endfor } //endfor
//logger.LogNotice(fmt.Sprintln("[Exiting]")) // nolint: gosec,errcheck //logger.LogNotice(fmt.Sprintln("[Exiting]")) // nolint: gosec,errcheck

View File

@ -25,6 +25,7 @@ package xsnet
import ( import (
"bytes" "bytes"
"crypto/cipher" "crypto/cipher"
crand "crypto/rand"
"encoding/binary" "encoding/binary"
"encoding/hex" "encoding/hex"
"errors" "errors"
@ -39,7 +40,6 @@ import (
"strings" "strings"
"sync" "sync"
"time" "time"
crand "crypto/rand"
hkex "blitter.com/go/herradurakex" hkex "blitter.com/go/herradurakex"
"blitter.com/go/kyber" "blitter.com/go/kyber"
@ -169,11 +169,11 @@ func (hc *Conn) HAlg() CSHmacAlg {
} }
func (h *CSHmacAlg) String() string { func (h *CSHmacAlg) String() string {
switch (*h >> 8) & 0x0FF { switch *h & 0x0FF {
case HmacSHA256: case HmacSHA256:
return "H_SHA256" return "H_SHA256"
case HmacSHA512: case HmacSHA512:
return "C_SHA512" return "H_SHA512"
default: default:
return "H_ERR_UNK" return "H_ERR_UNK"
} }
@ -296,7 +296,7 @@ func _new(kexAlg KEXAlg, conn *net.Conn) (hc *Conn, e error) {
case KEX_FRODOKEM_976AES: case KEX_FRODOKEM_976AES:
fallthrough fallthrough
case KEX_FRODOKEM_976SHAKE: case KEX_FRODOKEM_976SHAKE:
log.Printf("[KEx alg %d accepted]\n", kexAlg) //log.Printf("[KEx alg %d is valid]\n", kexAlg)
default: default:
// UNREACHABLE: _getkexalgnum() guarantees a valid KEX value // UNREACHABLE: _getkexalgnum() guarantees a valid KEX value
hc.kex = KEX_HERRADURA512 hc.kex = KEX_HERRADURA512
@ -672,7 +672,6 @@ func FrodoKEMAcceptSetup(c *net.Conn, hc *Conn) (err error) {
} }
pubB, secB := kem.Keygen() pubB, secB := kem.Keygen()
// [Alice sends use a public key (na, ea) // [Alice sends use a public key (na, ea)
pubA_bigint := big.NewInt(0) pubA_bigint := big.NewInt(0)
_, err = fmt.Fscanf(*c, "0x%x\n", pubA_bigint) _, err = fmt.Fscanf(*c, "0x%x\n", pubA_bigint)
@ -1173,10 +1172,8 @@ func (hl *HKExListener) Accept() (hc Conn, err error) {
return Conn{}, err return Conn{}, err
} }
// Finally, ensure alg proposed by client is allowed by server config
//if hc.kex.String() {
log.Println("[hc.Accept successful]") log.Println("[hc.Accept successful]")
return return hc, err
} }
/*---------------------------------------------------------------------*/ /*---------------------------------------------------------------------*/