From: Mark Wooding <mdw@distorted.org.uk>
Date: Thu, 26 May 2016 08:26:09 +0000 (+0100)
Subject: server/keyexch.c: Fix error handling around `mpmask' and `mpunmask'.
X-Git-Tag: 1.0.0pre19~29
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/commitdiff_plain/c13541b1ddedc7012c823bb793fb2f6f62ba3e08

server/keyexch.c: Fix error handling around `mpmask' and `mpunmask'.

The return value from `mpmask' wasn't being used, and callers expected a
broken buffer on failure, so that's the official story now.

The return value from `mpunmask' was advertised properly, but not
checked, so fix that.
---

diff --git a/server/keyexch.c b/server/keyexch.c
index 34114b79..7b4eb0d8 100644
--- a/server/keyexch.c
+++ b/server/keyexch.c
@@ -125,20 +125,20 @@ static void hashge(ghash *h, group *g, ge *x)
  *		@const octet *k@ = pointer to key material
  *		@size_t ksz@ = size of the key
  *
- * Returns:	Pointer to the output.
+ * Returns:	---
  *
  * Use:		Masks a multiprecision integer: returns %$x \xor H(k)$%, so
  *		it's a random oracle thing rather than an encryption thing.
+ *		Breaks the output buffer on error.
  */
 
-static octet *mpmask(buf *b, mp *x, size_t n,
-		     const gccipher *mgfc, const octet *k, size_t ksz)
+static void mpmask(buf *b, mp *x, size_t n,
+		   const gccipher *mgfc, const octet *k, size_t ksz)
 {
   gcipher *mgf;
   octet *p;
 
-  if ((p = buf_get(b, n)) == 0)
-    return (0);
+  if ((p = buf_get(b, n)) == 0) return;
   mgf = GC_INIT(mgfc, k, ksz);
   IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
     trace(T_CRYPTO, "crypto: masking index = %s", mpstr(x));
@@ -151,7 +151,6 @@ static octet *mpmask(buf *b, mp *x, size_t n,
     trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
   }))
   GC_DESTROY(mgf);
-  return (p);
 }
 
 /* --- @mpunmask@ --- *
@@ -678,9 +677,10 @@ static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
     /* --- Compute the reply, and check the magic --- */
 
     G_EXP(g, r, c, kx->kpriv->kpriv);
-    cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf,
-		  hashcheck(kx, kx->kpub->kpub, kx->c, c, r),
-		  algs->hashsz);
+    if ((cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf,
+		       hashcheck(kx, kx->kpub->kpub, kx->c, c, r),
+		       algs->hashsz)) == 0)
+      goto badcheck;
     IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
       trace(T_CRYPTO, "crypto: computed reply = %s", gestr(g, r));
       trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));