Fixed error in processing of allowed HMAC algs.

xsd: allowed algs default to none if unspecified.
This commit is contained in:
Russ Magee 2021-11-14 21:17:56 -08:00
parent 129dce4b08
commit cfc9ab8590
2 changed files with 254 additions and 231 deletions

View File

@ -439,9 +439,9 @@ var (
aHMACAlgs allowedHMACAlgs
)
type allowedKEXAlgs []string // TODO
type allowedCipherAlgs []string // TODO
type allowedHMACAlgs []string // TODO
type allowedKEXAlgs []string
type allowedCipherAlgs []string
type allowedHMACAlgs []string
func (a allowedKEXAlgs) allowed(k xsnet.KEXAlg) bool {
for i := 0; i < len(a); i++ {
@ -527,9 +527,33 @@ func main() {
flag.BoolVar(&useSystemPasswd, "s", true, "use system shadow passwds")
flag.BoolVar(&dbg, "d", false, "debug logging")
flag.Var(&aKEXAlgs, "aK", `List of allowed KEX algs (eg. 'KEXAlgA KEXAlgB ... KEXAlgN') (default allow all)`)
flag.Var(&aCipherAlgs, "aC", `List of allowed ciphers (eg. 'CipherAlgA CipherAlgB ... CipherAlgN') (default allow all)`)
flag.Var(&aHMACAlgs, "aH", `List of allowed HMACs (eg. 'HMACAlgA HMACAlgB ... HMACAlgN') (default allow all)`)
flag.Var(&aKEXAlgs, "aK", `Allowed KEX algs (eg. '-aK KEXAlgA -aK KEXAlgB ...') (default: none)
KEX_all
KEX_HERRADURA256
KEX_HERRADURA512
KEX_HERRADURA1024
KEX_HERRADURA2048
KEX_KYBER512
KEX_KYBER768
KEX_KYBER1024
KEX_NEWHOPE
KEX_NEWHOPE_SIMPLE
KEX_FRODOKEM_1344AES
KEX_FRODOKEM_1344SHAKE
KEX_FRODOKEM_976AES
KEX_FRODOKEM_976SHAKE`)
flag.Var(&aCipherAlgs, "aC", `Allowed ciphers (eg. '-aC CAlgA -aC CAlgB ...') (default: none)
C_all
C_AES_256
C_TWOFISH_128
C_BLOWFISH_64
C_CRYPTMT1
C_HOPSCOTCH
C_CHACHA20_12`)
flag.Var(&aHMACAlgs, "aH", `Allowed HMACs (eg. '-aH HMACAlgA -aH HMACAlgB ...') (default: none)
H_all
H_SHA256
H_SHA512`)
flag.Parse()
@ -566,17 +590,17 @@ func main() {
// Set up allowed algs, if specified (default allow all)
if len(aKEXAlgs) == 0 {
aKEXAlgs = []string{"KEX_all"}
aKEXAlgs = []string{"none"}
}
logger.LogNotice(fmt.Sprintf("Allowed KEXAlgs: %v\n", aKEXAlgs)) // nolint: gosec,errcheck
if len(aCipherAlgs) == 0 {
aCipherAlgs = []string{"C_all"}
aCipherAlgs = []string{"none"}
}
logger.LogNotice(fmt.Sprintf("Allowed CipherAlgs: %v\n", aCipherAlgs)) // nolint: gosec,errcheck
if len(aHMACAlgs) == 0 {
aHMACAlgs = []string{"H_all"}
aHMACAlgs = []string{"none"}
}
logger.LogNotice(fmt.Sprintf("Allowed HMACAlgs: %v\n", aHMACAlgs)) // nolint: gosec,errcheck
@ -620,7 +644,8 @@ func main() {
conn, err := l.Accept()
if err != nil {
log.Printf("Accept() got error(%v), hanging up.\n", err)
} else if !aKEXAlgs.allowed(conn.KEX()) {
} else {
if !aKEXAlgs.allowed(conn.KEX()) {
log.Printf("Accept() rejected for banned KEX alg %d, hanging up.\n", conn.KEX())
conn.SetStatus(xsnet.CSEKEXAlgDenied)
conn.Close()
@ -847,6 +872,7 @@ func main() {
}
return
}(&conn) // nolint: errcheck
} // algs valid and not blacklisted
} // Accept() success
} //endfor
//logger.LogNotice(fmt.Sprintln("[Exiting]")) // nolint: gosec,errcheck

View File

@ -25,6 +25,7 @@ package xsnet
import (
"bytes"
"crypto/cipher"
crand "crypto/rand"
"encoding/binary"
"encoding/hex"
"errors"
@ -39,7 +40,6 @@ import (
"strings"
"sync"
"time"
crand "crypto/rand"
hkex "blitter.com/go/herradurakex"
"blitter.com/go/kyber"
@ -169,11 +169,11 @@ func (hc *Conn) HAlg() CSHmacAlg {
}
func (h *CSHmacAlg) String() string {
switch (*h >> 8) & 0x0FF {
switch *h & 0x0FF {
case HmacSHA256:
return "H_SHA256"
case HmacSHA512:
return "C_SHA512"
return "H_SHA512"
default:
return "H_ERR_UNK"
}
@ -296,7 +296,7 @@ func _new(kexAlg KEXAlg, conn *net.Conn) (hc *Conn, e error) {
case KEX_FRODOKEM_976AES:
fallthrough
case KEX_FRODOKEM_976SHAKE:
log.Printf("[KEx alg %d accepted]\n", kexAlg)
//log.Printf("[KEx alg %d is valid]\n", kexAlg)
default:
// UNREACHABLE: _getkexalgnum() guarantees a valid KEX value
hc.kex = KEX_HERRADURA512
@ -672,7 +672,6 @@ func FrodoKEMAcceptSetup(c *net.Conn, hc *Conn) (err error) {
}
pubB, secB := kem.Keygen()
// [Alice sends use a public key (na, ea)
pubA_bigint := big.NewInt(0)
_, err = fmt.Fscanf(*c, "0x%x\n", pubA_bigint)
@ -1173,10 +1172,8 @@ func (hl *HKExListener) Accept() (hc Conn, err error) {
return Conn{}, err
}
// Finally, ensure alg proposed by client is allowed by server config
//if hc.kex.String() {
log.Println("[hc.Accept successful]")
return
return hc, err
}
/*---------------------------------------------------------------------*/