* @const octet *k@ = pointer to key material
* @size_t ksz@ = size of the key
*
- * Returns: Pointer to the output.
+ * Returns: ---
*
* Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
* it's a random oracle thing rather than an encryption thing.
+ * Breaks the output buffer on error.
*/
-static octet *mpmask(buf *b, mp *x, size_t n,
- const gccipher *mgfc, const octet *k, size_t ksz)
+static void mpmask(buf *b, mp *x, size_t n,
+ const gccipher *mgfc, const octet *k, size_t ksz)
{
gcipher *mgf;
octet *p;
- if ((p = buf_get(b, n)) == 0)
- return (0);
+ if ((p = buf_get(b, n)) == 0) return;
mgf = GC_INIT(mgfc, k, ksz);
IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
trace(T_CRYPTO, "crypto: masking index = %s", mpstr(x));
trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
}))
GC_DESTROY(mgf);
- return (p);
}
/* --- @mpunmask@ --- *
* Returns: A pointer to the challenge block.
*
* Use: Returns a pointer to a new challenge block to fill in.
+ * In particular, the @c@ and @r@ members are left
+ * uninitialized.
*/
static kxchal *kxc_new(keyexch *kx)
/* --- Fill in the new structure --- */
kxc = CREATE(kxchal);
- kxc->c = G_CREATE(kx->kpriv->g);
- kxc->r = G_CREATE(kx->kpriv->g);
kxc->ks = 0;
kxc->kx = kx;
kxc->f = 0;
/* --- Compute the reply, and check the magic --- */
G_EXP(g, r, c, kx->kpriv->kpriv);
- cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf,
- hashcheck(kx, kx->kpub->kpub, kx->c, c, r),
- algs->hashsz);
+ if ((cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf,
+ hashcheck(kx, kx->kpub->kpub, kx->c, c, r),
+ algs->hashsz)) == 0)
+ goto badcheck;
IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
trace(T_CRYPTO, "crypto: computed reply = %s", gestr(g, r));
trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
/* --- Fill in a new challenge block --- */
kxc = kxc_new(kx);
- G_COPY(g, kxc->c, c);
- G_COPY(g, kxc->r, r);
+ kxc->c = c; c = 0;
+ kxc->r = r; r = G_CREATE(g);
h = GH_INIT(algs->h); HASH_STRING(h, "tripe-check-hash");
GH_HASH(h, ck, ixsz);
/* --- Work out the shared key --- */
- G_EXP(g, r, c, kx->alpha);
+ G_EXP(g, r, kxc->c, kx->alpha);
IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
trace(T_CRYPTO, "crypto: shared secret = %s", gestr(g, r));
}))
kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
}
- G_DESTROY(g, c);
+ if (c) G_DESTROY(g, c);
G_DESTROY(g, cc);
G_DESTROY(g, r);
mp_drop(cv);
a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
goto bad;
bad:
- G_DESTROY(g, c);
+ if (c) G_DESTROY(g, c);
G_DESTROY(g, cc);
G_DESTROY(g, r);
mp_drop(cv);
{
if ((kx->kpriv = km_findpriv(p_privtag(p))) == 0) goto fail_0;
if ((kx->kpub = km_findpub(p_tag(p))) == 0) goto fail_1;
- if (!group_samep(kx->kpriv->g, kx->kpub->g)) {
- a_warn("KX", "?PEER", kx->p, "group-mismatch",
+ if (!km_samealgsp(kx->kpriv, kx->kpub)) {
+ a_warn("KX", "?PEER", p, "group-mismatch",
"local-private-key", "%s", p_privtag(p),
"peer-public-key", "%s", p_tag(p),
A_END);