aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVsevolod Stakhov <vsevolod@highsecure.ru>2015-10-27 11:18:40 +0000
committerVsevolod Stakhov <vsevolod@highsecure.ru>2015-10-27 11:18:40 +0000
commit9f25f5d50ea7c3366e6791f69cc8ea6bfc0dddbd (patch)
tree12af322ff4e007a3ca79189b0b0d9f367c906dcf
parentd8688b6d2c58241328149aedbd998ddca6591b9f (diff)
downloadrspamd-9f25f5d50ea7c3366e6791f69cc8ea6bfc0dddbd.tar.gz
rspamd-9f25f5d50ea7c3366e6791f69cc8ea6bfc0dddbd.zip
Fix critical issue in keyed blake2 implementation.
-rw-r--r--src/libcryptobox/blake2/blake2.c29
1 files changed, 24 insertions, 5 deletions
diff --git a/src/libcryptobox/blake2/blake2.c b/src/libcryptobox/blake2/blake2.c
index 594459bf7..addaf61f5 100644
--- a/src/libcryptobox/blake2/blake2.c
+++ b/src/libcryptobox/blake2/blake2.c
@@ -139,12 +139,31 @@ blake2b_init (blake2b_state *S)
void
blake2b_keyed_init (blake2b_state *S, const unsigned char *key, size_t keylen)
{
- unsigned char k[BLAKE2B_BLOCKBYTES] = {0};
+ unsigned char k[BLAKE2B_BLOCKBYTES];
+ blake2b_state _ks;
+ blake2b_state_internal *state = (blake2b_state_internal *)S;
- g_assert (keylen <= BLAKE2B_KEYBYTES);
- memcpy (k, key, keylen);
- blake2b_init (S);
- blake2b_update (S, k, BLAKE2B_BLOCKBYTES);
+ memset (k, 0, sizeof (k));
+
+ if (keylen <= BLAKE2B_KEYBYTES) {
+ memcpy (k, key, keylen);
+ blake2b_init (S);
+ state->h[1] ^= keylen;
+ blake2b_update (S, k, sizeof (k));
+ }
+ else {
+ blake2b_init (S);
+ /*
+ * We use additional blake2 iteration to store large key
+ * XXX: it is not compatible with the original implementation but safe
+ */
+ blake2b_init (&_ks);
+ blake2b_update (&_ks, key, keylen);
+ blake2b_final (&_ks, k);
+ blake2b_keyed_init (S, k, BLAKE2B_KEYBYTES);
+ }
+
+ rspamd_explicit_memzero (k, sizeof (k));
}
/* hash inlen bytes from in, which may or may not be word aligned, returns the number of bytes used */