Store NM between encrypt/decrypt.

4 files changed, 20 insertions, 24 deletions

diff --git a/src/libcryptobox/cryptobox.c b/src/libcryptobox/cryptobox.c
index 5e344d46c..3169c01a0 100644
--- a/src/libcryptobox/cryptobox.c
+++ b/src/libcryptobox/cryptobox.c
@@ -392,7 +392,7 @@ rspamd_cryptobox_siphash (unsigned char *out, const unsigned char *in,
  * Code based on IEEE Std 802.11-2007, Annex H.4.2.
  */
 gboolean
-rspamd_cryptobox_pbkdf(const char *pass, gsize pass_len,
+rspamd_cryptobox_pbkdf (const char *pass, gsize pass_len,
 		const guint8 *salt, gsize salt_len, guint8 *key, gsize key_len,
 		unsigned int rounds)
 {
diff --git a/src/libutil/http.c b/src/libutil/http.c
index 612e898bb..2f618164a 100644
--- a/src/libutil/http.c
+++ b/src/libutil/http.c
@@ -441,7 +441,7 @@ rspamd_http_parse_key (rspamd_ftok_t *data, struct rspamd_http_connection *conn,
 						key_len >= sizeof (kp->pk)) {
 					if (memcmp (priv->local_key->id, decoded_id,
 							RSPAMD_HTTP_KEY_ID_LEN) == 0) {
-						kp = g_slice_alloc (sizeof (*kp));
+						kp = g_slice_alloc0 (sizeof (*kp));
 						REF_INIT_RETAIN (kp, rspamd_http_keypair_dtor);
 						memcpy (kp->pk, decoded_key, sizeof (kp->pk));
 						priv->msg->peer_key = kp;
@@ -688,20 +688,16 @@ rspamd_http_decrypt_message (struct rspamd_http_connection *conn,
 	dec_len = msg->body->len - rspamd_cryptobox_NONCEBYTES -
 			rspamd_cryptobox_MACBYTES;
 
-	if (conn->cache) {
-		if (!rspamd_cryptobox_decrypt_nm_inplace (m, dec_len, nonce,
-				peer_key->nm, m - rspamd_cryptobox_MACBYTES)) {
-			msg_err ("cannot verify encrypted message");
-			return -1;
-		}
+	if (!peer_key->has_nm) {
+		/* We still save NM for the following encryption */
+		rspamd_cryptobox_nm (peer_key->nm, peer_key->pk, priv->local_key->sk);
+		peer_key->has_nm = TRUE;
 	}
-	else {
-		if (!rspamd_cryptobox_decrypt_inplace (m, dec_len, nonce,
-				peer_key->pk, priv->local_key->sk,
-				m - rspamd_cryptobox_MACBYTES)) {
-			msg_err ("cannot verify encrypted message");
-			return -1;
-		}
+
+	if (!rspamd_cryptobox_decrypt_nm_inplace (m, dec_len, nonce,
+			peer_key->nm, m - rspamd_cryptobox_MACBYTES)) {
+		msg_err ("cannot verify encrypted message");
+		return -1;
 	}
 
 	/* Cleanup message */
@@ -1229,17 +1225,15 @@ rspamd_http_connection_encrypt_message (
 
 	cnt = i;
 
-	if (conn->cache) {
-		rspamd_cryptobox_encryptv_nm_inplace (segments,
+	if (!peer_key->has_nm) {
+		rspamd_cryptobox_nm (peer_key->nm, peer_key->pk, priv->local_key->sk);
+		peer_key->has_nm = TRUE;
+	}
+
+	rspamd_cryptobox_encryptv_nm_inplace (segments,
 			cnt,
 			np,
 			peer_key->nm, mp);
-	}
-	else {
-		rspamd_cryptobox_encryptv_inplace (segments,
-				cnt, np,
-				peer_key->pk, priv->local_key->sk, mp);
-	}
 
 	/*
 	 * iov[0] = base HTTP request
@@ -2384,7 +2378,7 @@ rspamd_http_connection_make_peer_key (const gchar *key)
 	pk_decoded = rspamd_decode_base32 (key, strlen (key), &dec_len);
 
 	if (pk_decoded != NULL && dec_len == rspamd_cryptobox_PKBYTES) {
-		kp = g_slice_alloc (sizeof (*kp));
+		kp = g_slice_alloc0 (sizeof (*kp));
 		REF_INIT_RETAIN (kp, rspamd_http_keypair_dtor);
 		memcpy (kp->pk, pk_decoded, sizeof (kp->pk));
 		blake2b (kp->id, kp->pk, NULL, sizeof (kp->id), sizeof (kp->pk), 0);
diff --git a/src/libutil/keypair_private.h b/src/libutil/keypair_private.h
index 70f9bad59..ac70f25e6 100644
--- a/src/libutil/keypair_private.h
+++ b/src/libutil/keypair_private.h
@@ -35,6 +35,7 @@ struct rspamd_http_keypair {
 	guchar sk[rspamd_cryptobox_SKBYTES];
 	guchar id[BLAKE2B_OUTBYTES];
 	guchar nm[rspamd_cryptobox_NMBYTES];
+	gboolean has_nm;
 	ref_entry_t ref;
 };
 
diff --git a/src/libutil/keypairs_cache.c b/src/libutil/keypairs_cache.c
index c10c6959d..eb9b5215c 100644
--- a/src/libutil/keypairs_cache.c
+++ b/src/libutil/keypairs_cache.c
@@ -107,6 +107,7 @@ rspamd_keypair_cache_process (struct rspamd_keypair_cache *c,
 	g_assert (new != NULL);
 
 	memcpy (kp_remote->nm, new->nm, rspamd_cryptobox_NMBYTES);
+	kp_remote->has_nm = TRUE;
 #if 0
 	memcpy (kp_local->nm, new->nm, rspamd_cryptobox_NMBYTES);
 #endif