mirror of https://gogs.blitter.com/RLabs/xs
Fixed error in processing of allowed HMAC algs.
xsd: allowed algs default to none if unspecified.
This commit is contained in:
parent
129dce4b08
commit
cfc9ab8590
46
xsd/xsd.go
46
xsd/xsd.go
|
@ -439,9 +439,9 @@ var (
|
|||
aHMACAlgs allowedHMACAlgs
|
||||
)
|
||||
|
||||
type allowedKEXAlgs []string // TODO
|
||||
type allowedCipherAlgs []string // TODO
|
||||
type allowedHMACAlgs []string // TODO
|
||||
type allowedKEXAlgs []string
|
||||
type allowedCipherAlgs []string
|
||||
type allowedHMACAlgs []string
|
||||
|
||||
func (a allowedKEXAlgs) allowed(k xsnet.KEXAlg) bool {
|
||||
for i := 0; i < len(a); i++ {
|
||||
|
@ -527,9 +527,33 @@ func main() {
|
|||
flag.BoolVar(&useSystemPasswd, "s", true, "use system shadow passwds")
|
||||
flag.BoolVar(&dbg, "d", false, "debug logging")
|
||||
|
||||
flag.Var(&aKEXAlgs, "aK", `List of allowed KEX algs (eg. 'KEXAlgA KEXAlgB ... KEXAlgN') (default allow all)`)
|
||||
flag.Var(&aCipherAlgs, "aC", `List of allowed ciphers (eg. 'CipherAlgA CipherAlgB ... CipherAlgN') (default allow all)`)
|
||||
flag.Var(&aHMACAlgs, "aH", `List of allowed HMACs (eg. 'HMACAlgA HMACAlgB ... HMACAlgN') (default allow all)`)
|
||||
flag.Var(&aKEXAlgs, "aK", `Allowed KEX algs (eg. '-aK KEXAlgA -aK KEXAlgB ...') (default: none)
|
||||
KEX_all
|
||||
KEX_HERRADURA256
|
||||
KEX_HERRADURA512
|
||||
KEX_HERRADURA1024
|
||||
KEX_HERRADURA2048
|
||||
KEX_KYBER512
|
||||
KEX_KYBER768
|
||||
KEX_KYBER1024
|
||||
KEX_NEWHOPE
|
||||
KEX_NEWHOPE_SIMPLE
|
||||
KEX_FRODOKEM_1344AES
|
||||
KEX_FRODOKEM_1344SHAKE
|
||||
KEX_FRODOKEM_976AES
|
||||
KEX_FRODOKEM_976SHAKE`)
|
||||
flag.Var(&aCipherAlgs, "aC", `Allowed ciphers (eg. '-aC CAlgA -aC CAlgB ...') (default: none)
|
||||
C_all
|
||||
C_AES_256
|
||||
C_TWOFISH_128
|
||||
C_BLOWFISH_64
|
||||
C_CRYPTMT1
|
||||
C_HOPSCOTCH
|
||||
C_CHACHA20_12`)
|
||||
flag.Var(&aHMACAlgs, "aH", `Allowed HMACs (eg. '-aH HMACAlgA -aH HMACAlgB ...') (default: none)
|
||||
H_all
|
||||
H_SHA256
|
||||
H_SHA512`)
|
||||
|
||||
flag.Parse()
|
||||
|
||||
|
@ -566,17 +590,17 @@ func main() {
|
|||
|
||||
// Set up allowed algs, if specified (default allow all)
|
||||
if len(aKEXAlgs) == 0 {
|
||||
aKEXAlgs = []string{"KEX_all"}
|
||||
aKEXAlgs = []string{"none"}
|
||||
}
|
||||
logger.LogNotice(fmt.Sprintf("Allowed KEXAlgs: %v\n", aKEXAlgs)) // nolint: gosec,errcheck
|
||||
|
||||
if len(aCipherAlgs) == 0 {
|
||||
aCipherAlgs = []string{"C_all"}
|
||||
aCipherAlgs = []string{"none"}
|
||||
}
|
||||
logger.LogNotice(fmt.Sprintf("Allowed CipherAlgs: %v\n", aCipherAlgs)) // nolint: gosec,errcheck
|
||||
|
||||
if len(aHMACAlgs) == 0 {
|
||||
aHMACAlgs = []string{"H_all"}
|
||||
aHMACAlgs = []string{"none"}
|
||||
}
|
||||
logger.LogNotice(fmt.Sprintf("Allowed HMACAlgs: %v\n", aHMACAlgs)) // nolint: gosec,errcheck
|
||||
|
||||
|
@ -620,7 +644,8 @@ func main() {
|
|||
conn, err := l.Accept()
|
||||
if err != nil {
|
||||
log.Printf("Accept() got error(%v), hanging up.\n", err)
|
||||
} else if !aKEXAlgs.allowed(conn.KEX()) {
|
||||
} else {
|
||||
if !aKEXAlgs.allowed(conn.KEX()) {
|
||||
log.Printf("Accept() rejected for banned KEX alg %d, hanging up.\n", conn.KEX())
|
||||
conn.SetStatus(xsnet.CSEKEXAlgDenied)
|
||||
conn.Close()
|
||||
|
@ -847,6 +872,7 @@ func main() {
|
|||
}
|
||||
return
|
||||
}(&conn) // nolint: errcheck
|
||||
} // algs valid and not blacklisted
|
||||
} // Accept() success
|
||||
} //endfor
|
||||
//logger.LogNotice(fmt.Sprintln("[Exiting]")) // nolint: gosec,errcheck
|
||||
|
|
13
xsnet/net.go
13
xsnet/net.go
|
@ -25,6 +25,7 @@ package xsnet
|
|||
import (
|
||||
"bytes"
|
||||
"crypto/cipher"
|
||||
crand "crypto/rand"
|
||||
"encoding/binary"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
|
@ -39,7 +40,6 @@ import (
|
|||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
crand "crypto/rand"
|
||||
|
||||
hkex "blitter.com/go/herradurakex"
|
||||
"blitter.com/go/kyber"
|
||||
|
@ -169,11 +169,11 @@ func (hc *Conn) HAlg() CSHmacAlg {
|
|||
}
|
||||
|
||||
func (h *CSHmacAlg) String() string {
|
||||
switch (*h >> 8) & 0x0FF {
|
||||
switch *h & 0x0FF {
|
||||
case HmacSHA256:
|
||||
return "H_SHA256"
|
||||
case HmacSHA512:
|
||||
return "C_SHA512"
|
||||
return "H_SHA512"
|
||||
default:
|
||||
return "H_ERR_UNK"
|
||||
}
|
||||
|
@ -296,7 +296,7 @@ func _new(kexAlg KEXAlg, conn *net.Conn) (hc *Conn, e error) {
|
|||
case KEX_FRODOKEM_976AES:
|
||||
fallthrough
|
||||
case KEX_FRODOKEM_976SHAKE:
|
||||
log.Printf("[KEx alg %d accepted]\n", kexAlg)
|
||||
//log.Printf("[KEx alg %d is valid]\n", kexAlg)
|
||||
default:
|
||||
// UNREACHABLE: _getkexalgnum() guarantees a valid KEX value
|
||||
hc.kex = KEX_HERRADURA512
|
||||
|
@ -672,7 +672,6 @@ func FrodoKEMAcceptSetup(c *net.Conn, hc *Conn) (err error) {
|
|||
}
|
||||
pubB, secB := kem.Keygen()
|
||||
|
||||
|
||||
// [Alice sends use a public key (na, ea)
|
||||
pubA_bigint := big.NewInt(0)
|
||||
_, err = fmt.Fscanf(*c, "0x%x\n", pubA_bigint)
|
||||
|
@ -1173,10 +1172,8 @@ func (hl *HKExListener) Accept() (hc Conn, err error) {
|
|||
return Conn{}, err
|
||||
}
|
||||
|
||||
// Finally, ensure alg proposed by client is allowed by server config
|
||||
//if hc.kex.String() {
|
||||
log.Println("[hc.Accept successful]")
|
||||
return
|
||||
return hc, err
|
||||
}
|
||||
|
||||
/*---------------------------------------------------------------------*/
|
||||
|
|
Loading…
Reference in New Issue