mirror of https://gogs.blitter.com/RLabs/xs
Fixed error in processing of allowed HMAC algs.
xsd: allowed algs default to none if unspecified.
This commit is contained in:
Russ Magee
parent
129dce4b08
commit
cfc9ab8590
46
xsd/xsd.go
46
xsd/xsd.go
|
|
@ -439,9 +439,9 @@ var (
|
||||||
aHMACAlgs allowedHMACAlgs
|
aHMACAlgs allowedHMACAlgs
|
||||||
)
|
)
|
||||||
|
|
||||||
type allowedKEXAlgs []string // TODO
|
type allowedKEXAlgs []string
|
||||||
type allowedCipherAlgs []string // TODO
|
type allowedCipherAlgs []string
|
||||||
type allowedHMACAlgs []string // TODO
|
type allowedHMACAlgs []string
|
||||||
|
|
||||||
func (a allowedKEXAlgs) allowed(k xsnet.KEXAlg) bool {
|
func (a allowedKEXAlgs) allowed(k xsnet.KEXAlg) bool {
|
||||||
for i := 0; i < len(a); i++ {
|
for i := 0; i < len(a); i++ {
|
||||||
|
|
@ -527,9 +527,33 @@ func main() {
|
||||||
flag.BoolVar(&useSystemPasswd, "s", true, "use system shadow passwds")
|
flag.BoolVar(&useSystemPasswd, "s", true, "use system shadow passwds")
|
||||||
flag.BoolVar(&dbg, "d", false, "debug logging")
|
flag.BoolVar(&dbg, "d", false, "debug logging")
|
||||||
|
|
||||||
flag.Var(&aKEXAlgs, "aK", `List of allowed KEX algs (eg. 'KEXAlgA KEXAlgB ... KEXAlgN') (default allow all)`)
|
flag.Var(&aKEXAlgs, "aK", `Allowed KEX algs (eg. '-aK KEXAlgA -aK KEXAlgB ...') (default: none)
|
||||||
flag.Var(&aCipherAlgs, "aC", `List of allowed ciphers (eg. 'CipherAlgA CipherAlgB ... CipherAlgN') (default allow all)`)
|
KEX_all
|
||||||
flag.Var(&aHMACAlgs, "aH", `List of allowed HMACs (eg. 'HMACAlgA HMACAlgB ... HMACAlgN') (default allow all)`)
|
KEX_HERRADURA256
|
||||||
|
KEX_HERRADURA512
|
||||||
|
KEX_HERRADURA1024
|
||||||
|
KEX_HERRADURA2048
|
||||||
|
KEX_KYBER512
|
||||||
|
KEX_KYBER768
|
||||||
|
KEX_KYBER1024
|
||||||
|
KEX_NEWHOPE
|
||||||
|
KEX_NEWHOPE_SIMPLE
|
||||||
|
KEX_FRODOKEM_1344AES
|
||||||
|
KEX_FRODOKEM_1344SHAKE
|
||||||
|
KEX_FRODOKEM_976AES
|
||||||
|
KEX_FRODOKEM_976SHAKE`)
|
||||||
|
flag.Var(&aCipherAlgs, "aC", `Allowed ciphers (eg. '-aC CAlgA -aC CAlgB ...') (default: none)
|
||||||
|
C_all
|
||||||
|
C_AES_256
|
||||||
|
C_TWOFISH_128
|
||||||
|
C_BLOWFISH_64
|
||||||
|
C_CRYPTMT1
|
||||||
|
C_HOPSCOTCH
|
||||||
|
C_CHACHA20_12`)
|
||||||
|
flag.Var(&aHMACAlgs, "aH", `Allowed HMACs (eg. '-aH HMACAlgA -aH HMACAlgB ...') (default: none)
|
||||||
|
H_all
|
||||||
|
H_SHA256
|
||||||
|
H_SHA512`)
|
||||||
|
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
|
|
@ -566,17 +590,17 @@ func main() {
|
||||||
|
|
||||||
// Set up allowed algs, if specified (default allow all)
|
// Set up allowed algs, if specified (default allow all)
|
||||||
if len(aKEXAlgs) == 0 {
|
if len(aKEXAlgs) == 0 {
|
||||||
aKEXAlgs = []string{"KEX_all"}
|
aKEXAlgs = []string{"none"}
|
||||||
}
|
}
|
||||||
logger.LogNotice(fmt.Sprintf("Allowed KEXAlgs: %v\n", aKEXAlgs)) // nolint: gosec,errcheck
|
logger.LogNotice(fmt.Sprintf("Allowed KEXAlgs: %v\n", aKEXAlgs)) // nolint: gosec,errcheck
|
||||||
|
|
||||||
if len(aCipherAlgs) == 0 {
|
if len(aCipherAlgs) == 0 {
|
||||||
aCipherAlgs = []string{"C_all"}
|
aCipherAlgs = []string{"none"}
|
||||||
}
|
}
|
||||||
logger.LogNotice(fmt.Sprintf("Allowed CipherAlgs: %v\n", aCipherAlgs)) // nolint: gosec,errcheck
|
logger.LogNotice(fmt.Sprintf("Allowed CipherAlgs: %v\n", aCipherAlgs)) // nolint: gosec,errcheck
|
||||||
|
|
||||||
if len(aHMACAlgs) == 0 {
|
if len(aHMACAlgs) == 0 {
|
||||||
aHMACAlgs = []string{"H_all"}
|
aHMACAlgs = []string{"none"}
|
||||||
}
|
}
|
||||||
logger.LogNotice(fmt.Sprintf("Allowed HMACAlgs: %v\n", aHMACAlgs)) // nolint: gosec,errcheck
|
logger.LogNotice(fmt.Sprintf("Allowed HMACAlgs: %v\n", aHMACAlgs)) // nolint: gosec,errcheck
|
||||||
|
|
||||||
|
|
@ -620,7 +644,8 @@ func main() {
|
||||||
conn, err := l.Accept()
|
conn, err := l.Accept()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("Accept() got error(%v), hanging up.\n", err)
|
log.Printf("Accept() got error(%v), hanging up.\n", err)
|
||||||
} else if !aKEXAlgs.allowed(conn.KEX()) {
|
} else {
|
||||||
|
if !aKEXAlgs.allowed(conn.KEX()) {
|
||||||
log.Printf("Accept() rejected for banned KEX alg %d, hanging up.\n", conn.KEX())
|
log.Printf("Accept() rejected for banned KEX alg %d, hanging up.\n", conn.KEX())
|
||||||
conn.SetStatus(xsnet.CSEKEXAlgDenied)
|
conn.SetStatus(xsnet.CSEKEXAlgDenied)
|
||||||
conn.Close()
|
conn.Close()
|
||||||
|
|
@ -847,6 +872,7 @@ func main() {
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}(&conn) // nolint: errcheck
|
}(&conn) // nolint: errcheck
|
||||||
|
} // algs valid and not blacklisted
|
||||||
} // Accept() success
|
} // Accept() success
|
||||||
} //endfor
|
} //endfor
|
||||||
//logger.LogNotice(fmt.Sprintln("[Exiting]")) // nolint: gosec,errcheck
|
//logger.LogNotice(fmt.Sprintln("[Exiting]")) // nolint: gosec,errcheck
|
||||||
|
|
|
||||||
13
xsnet/net.go
13
xsnet/net.go
|
|
@ -25,6 +25,7 @@ package xsnet
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/cipher"
|
"crypto/cipher"
|
||||||
|
crand "crypto/rand"
|
||||||
"encoding/binary"
|
"encoding/binary"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"errors"
|
"errors"
|
||||||
|
|
@ -39,7 +40,6 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
crand "crypto/rand"
|
|
||||||
|
|
||||||
hkex "blitter.com/go/herradurakex"
|
hkex "blitter.com/go/herradurakex"
|
||||||
"blitter.com/go/kyber"
|
"blitter.com/go/kyber"
|
||||||
|
|
@ -169,11 +169,11 @@ func (hc *Conn) HAlg() CSHmacAlg {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *CSHmacAlg) String() string {
|
func (h *CSHmacAlg) String() string {
|
||||||
switch (*h >> 8) & 0x0FF {
|
switch *h & 0x0FF {
|
||||||
case HmacSHA256:
|
case HmacSHA256:
|
||||||
return "H_SHA256"
|
return "H_SHA256"
|
||||||
case HmacSHA512:
|
case HmacSHA512:
|
||||||
return "C_SHA512"
|
return "H_SHA512"
|
||||||
default:
|
default:
|
||||||
return "H_ERR_UNK"
|
return "H_ERR_UNK"
|
||||||
}
|
}
|
||||||
|
|
@ -296,7 +296,7 @@ func _new(kexAlg KEXAlg, conn *net.Conn) (hc *Conn, e error) {
|
||||||
case KEX_FRODOKEM_976AES:
|
case KEX_FRODOKEM_976AES:
|
||||||
fallthrough
|
fallthrough
|
||||||
case KEX_FRODOKEM_976SHAKE:
|
case KEX_FRODOKEM_976SHAKE:
|
||||||
log.Printf("[KEx alg %d accepted]\n", kexAlg)
|
//log.Printf("[KEx alg %d is valid]\n", kexAlg)
|
||||||
default:
|
default:
|
||||||
// UNREACHABLE: _getkexalgnum() guarantees a valid KEX value
|
// UNREACHABLE: _getkexalgnum() guarantees a valid KEX value
|
||||||
hc.kex = KEX_HERRADURA512
|
hc.kex = KEX_HERRADURA512
|
||||||
|
|
@ -672,7 +672,6 @@ func FrodoKEMAcceptSetup(c *net.Conn, hc *Conn) (err error) {
|
||||||
}
|
}
|
||||||
pubB, secB := kem.Keygen()
|
pubB, secB := kem.Keygen()
|
||||||
|
|
||||||
|
|
||||||
// [Alice sends use a public key (na, ea)
|
// [Alice sends use a public key (na, ea)
|
||||||
pubA_bigint := big.NewInt(0)
|
pubA_bigint := big.NewInt(0)
|
||||||
_, err = fmt.Fscanf(*c, "0x%x\n", pubA_bigint)
|
_, err = fmt.Fscanf(*c, "0x%x\n", pubA_bigint)
|
||||||
|
|
@ -1173,10 +1172,8 @@ func (hl *HKExListener) Accept() (hc Conn, err error) {
|
||||||
return Conn{}, err
|
return Conn{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Finally, ensure alg proposed by client is allowed by server config
|
|
||||||
//if hc.kex.String() {
|
|
||||||
log.Println("[hc.Accept successful]")
|
log.Println("[hc.Accept successful]")
|
||||||
return
|
return hc, err
|
||||||
}
|
}
|
||||||
|
|
||||||
/*---------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------*/
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue