From 16c229e069e0b28f463484b2e894471b95ccd3a6 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Tue, 13 Oct 2015 12:26:01 +0100
Subject: [PATCH] Store NM between encrypt/decrypt.
---
 src/libcryptobox/cryptobox.c | 2 +-
 src/libutil/http.c | 40 +++++++++++++++--------------------
 src/libutil/keypair_private.h | 1 +
 src/libutil/keypairs_cache.c | 1 +
 4 files changed, 20 insertions(+), 24 deletions(-)
diff --git a/src/libcryptobox/cryptobox.c b/src/libcryptobox/cryptobox.c
index 5e344d46c..3169c01a0 100644
--- a/src/libcryptobox/cryptobox.c
+++ b/src/libcryptobox/cryptobox.c
@@ -392,7 +392,7 @@ rspamd_cryptobox_siphash (unsigned char *out, const unsigned char *in,
 * Code based on IEEE Std 802.11-2007, Annex H.4.2.
 */
 gboolean
-rspamd_cryptobox_pbkdf(const char *pass, gsize pass_len,
+rspamd_cryptobox_pbkdf (const char *pass, gsize pass_len,
 const guint8 *salt, gsize salt_len, guint8 *key, gsize key_len, unsigned int rounds) {
diff --git a/src/libutil/http.c b/src/libutil/http.c
index 612e898bb..2f618164a 100644
--- a/src/libutil/http.c
+++ b/src/libutil/http.c
@@ -441,7 +441,7 @@ rspamd_http_parse_key (rspamd_ftok_t *data, struct rspamd_http_connection *conn,
 key_len >= sizeof (kp->pk)) {
 if (memcmp (priv->local_key->id, decoded_id, RSPAMD_HTTP_KEY_ID_LEN) == 0) {
- kp = g_slice_alloc (sizeof (*kp));
+ kp = g_slice_alloc0 (sizeof (*kp));
 REF_INIT_RETAIN (kp, rspamd_http_keypair_dtor);
 memcpy (kp->pk, decoded_key, sizeof (kp->pk));
 priv->msg->peer_key = kp;
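Review bot: `has_nm` is only ever initialised implicitly, by the switch to `g_slice_alloc0` at this allocation in rspamd_http_parse_key and the matching one in rspamd_http_connection_make_peer_key, so any other place that allocates a `struct rspamd_http_keypair` without zeroing it would leave the flag holding garbage. A non-zero garbage value makes the encrypt and decrypt paths skip `rspamd_cryptobox_nm` and use whatever bytes happen to be in `kp->nm` as the shared key. Other allocation sites are not visible in this patch and should be checked. Setting the flag explicitly next to `REF_INIT_RETAIN`, `kp->has_nm = FALSE;`, or funnelling allocation through one constructor would make the invariant visible. The body of rspamd_http_parse_key extends beyond the hunk.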
@@ -688,20 +688,16 @@ rspamd_http_decrypt_message (struct rspamd_http_connection *conn,
 dec_len = msg->body->len - rspamd_cryptobox_NONCEBYTES - rspamd_cryptobox_MACBYTES;
- if (conn->cache) {
- if (!rspamd_cryptobox_decrypt_nm_inplace (m, dec_len, nonce,
- peer_key->nm, m - rspamd_cryptobox_MACBYTES)) {
- msg_err ("cannot verify encrypted message");
- return -1;
- }
+ if (!peer_key->has_nm) {
+ /* We still save NM for the following encryption */
+ rspamd_cryptobox_nm (peer_key->nm, peer_key->pk, priv->local_key->sk);
+ peer_key->has_nm = TRUE;
 }
- else {
- if (!rspamd_cryptobox_decrypt_inplace (m, dec_len, nonce,
- peer_key->pk, priv->local_key->sk,
- m - rspamd_cryptobox_MACBYTES)) {
- msg_err ("cannot verify encrypted message");
- return -1;
- }
+
+ if (!rspamd_cryptobox_decrypt_nm_inplace (m, dec_len, nonce,
+ peer_key->nm, m - rspamd_cryptobox_MACBYTES)) {
+ msg_err ("cannot verify encrypted message");
+ return -1;
 }
 /* Cleanup message */
@@ -1229,17 +1225,15 @@ rspamd_http_connection_encrypt_message (
 cnt = i;
- if (conn->cache) {
- rspamd_cryptobox_encryptv_nm_inplace (segments,
+ if (!peer_key->has_nm) {
+ rspamd_cryptobox_nm (peer_key->nm, peer_key->pk, priv->local_key->sk);
+ peer_key->has_nm = TRUE;
+ }
+
+ rspamd_cryptobox_encryptv_nm_inplace (segments,
 cnt, np, peer_key->nm, mp);
- }
- else {
- rspamd_cryptobox_encryptv_inplace (segments,
- cnt, np,
- peer_key->pk, priv->local_key->sk, mp);
- }
 /*
 * iov[0] = base HTTP request
@@ -2384,7 +2378,7 @@ rspamd_http_connection_make_peer_key (const gchar *key)
 pk_decoded = rspamd_decode_base32 (key, strlen (key), &dec_len);
 if (pk_decoded != NULL && dec_len == rspamd_cryptobox_PKBYTES) {
- kp = g_slice_alloc (sizeof (*kp));
+ kp = g_slice_alloc0 (sizeof (*kp));
 REF_INIT_RETAIN (kp, rspamd_http_keypair_dtor);
 memcpy (kp->pk, pk_decoded, sizeof (kp->pk));
 blake2b (kp->id, kp->pk, NULL, sizeof (kp->id), sizeof (kp->pk), 0);
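Review bot: The cached `peer_key->nm` is derived from both `peer_key->pk` and `priv->local_key->sk`, but `has_nm` lives on the peer key alone, so the `if (!peer_key->has_nm)` check in rspamd_http_decrypt_message does not record which local secret key the value belongs to. The keypair is reference-counted, and if one peer key object is ever attached to connections that use different local keys (not visible in this patch), the later connection would silently reuse a shared key computed for the earlier one. The same applies to the identical block in rspamd_http_connection_encrypt_message and to the flag set in rspamd_keypair_cache_process. Either state the binding next to the check, e.g. `/* nm is valid only for the local key it was first derived with */`, or clear `has_nm` wherever a connection's local key is replaced. The function body continues outside the hunk.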
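Review bot: The lazy derivation placed before `rspamd_cryptobox_encryptv_nm_inplace` is a copy of the block added to rspamd_http_decrypt_message, and the two can drift apart; already only the decrypt copy carries a comment. A small static helper called from both places keeps the check-then-set of `has_nm` in one spot and gives the invariant a single home. The enclosing function starts and ends outside the hunk.

```c
/* Derive the shared key once per peer key; later calls reuse peer_key->nm */
static void
rspamd_http_keypair_ensure_nm (struct rspamd_http_keypair *peer_key,
		const guchar *local_sk)
{
	if (!peer_key->has_nm) {
		rspamd_cryptobox_nm (peer_key->nm, peer_key->pk, local_sk);
		peer_key->has_nm = TRUE;
	}
}

/* … unchanged: segment setup up to cnt = i; … */
	rspamd_http_keypair_ensure_nm (peer_key, priv->local_key->sk);
	rspamd_cryptobox_encryptv_nm_inplace (segments,
```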
diff --git a/src/libutil/keypair_private.h b/src/libutil/keypair_private.h
index 70f9bad59..ac70f25e6 100644
--- a/src/libutil/keypair_private.h
+++ b/src/libutil/keypair_private.h
@@ -35,6 +35,7 @@ struct rspamd_http_keypair {
 guchar sk[rspamd_cryptobox_SKBYTES];
 guchar id[BLAKE2B_OUTBYTES];
 guchar nm[rspamd_cryptobox_NMBYTES];
+ gboolean has_nm;
 ref_entry_t ref;
 };
diff --git a/src/libutil/keypairs_cache.c b/src/libutil/keypairs_cache.c
index c10c6959d..eb9b5215c 100644
--- a/src/libutil/keypairs_cache.c
+++ b/src/libutil/keypairs_cache.c
@@ -107,6 +107,7 @@ rspamd_keypair_cache_process (struct rspamd_keypair_cache *c,
 g_assert (new != NULL);
 memcpy (kp_remote->nm, new->nm, rspamd_cryptobox_NMBYTES);
+ kp_remote->has_nm = TRUE;
 #if 0
 memcpy (kp_local->nm, new->nm, rspamd_cryptobox_NMBYTES);
 #endif
--
2.39.5
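Review bot: The new `has_nm` member of `struct rspamd_http_keypair` has no comment, and after this patch `nm` (the precomputed shared key) is filled in for every peer key that is used, not only when a keypair cache is configured. A field comment such as `/* TRUE once nm holds the precomputed shared key for pk */` would state the invariant that the encrypt and decrypt paths rely on. The destructor `rspamd_http_keypair_dtor` is not part of this patch. It is worth confirming that it wipes `nm` and `sk` before the slice is released, because freed slices may be handed out again with their old contents.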