aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/libutil/http.c65
-rw-r--r--src/libutil/keypair_private.h6
-rw-r--r--src/libutil/keypairs_cache.c21
3 files changed, 50 insertions, 42 deletions
diff --git a/src/libutil/http.c b/src/libutil/http.c
index f6f08e376..a225dd210 100644
--- a/src/libutil/http.c
+++ b/src/libutil/http.c
@@ -683,10 +683,10 @@ rspamd_http_decrypt_message (struct rspamd_http_connection *conn,
struct http_parser_settings decrypted_cb;
nonce = msg->body->str;
- m = msg->body->str + rspamd_cryptobox_NONCEBYTES +
- rspamd_cryptobox_MACBYTES;
- dec_len = msg->body->len - rspamd_cryptobox_NONCEBYTES -
- rspamd_cryptobox_MACBYTES;
+ m = msg->body->str + rspamd_cryptobox_nonce_bytes () +
+ rspamd_cryptobox_mac_bytes ();
+ dec_len = msg->body->len - rspamd_cryptobox_nonce_bytes () -
+ rspamd_cryptobox_mac_bytes ();
if (!peer_key->has_nm) {
/* We still save NM for the following encryption */
@@ -695,7 +695,7 @@ rspamd_http_decrypt_message (struct rspamd_http_connection *conn,
}
if (!rspamd_cryptobox_decrypt_nm_inplace (m, dec_len, nonce,
- peer_key->nm, m - rspamd_cryptobox_MACBYTES)) {
+ peer_key->nm, m - rspamd_cryptobox_mac_bytes ())) {
msg_err ("cannot verify encrypted message");
return -1;
}
@@ -752,8 +752,8 @@ rspamd_http_on_message_complete (http_parser * parser)
if ((conn->opts & RSPAMD_HTTP_BODY_PARTIAL) == 0 && priv->encrypted) {
if (priv->local_key == NULL || priv->msg->peer_key == NULL ||
- priv->msg->body->len < rspamd_cryptobox_NONCEBYTES +
- rspamd_cryptobox_MACBYTES) {
+ priv->msg->body->len < rspamd_cryptobox_nonce_bytes () +
+ rspamd_cryptobox_mac_bytes ()) {
msg_err ("cannot decrypt message");
return -1;
}
@@ -1175,7 +1175,7 @@ rspamd_http_connection_encrypt_message (
struct rspamd_http_keypair *peer_key)
{
struct rspamd_cryptobox_segment *segments;
- guchar *crlfp = mp + rspamd_cryptobox_MACBYTES;
+ guchar *crlfp = mp + rspamd_cryptobox_mac_bytes ();
gint i, cnt;
guint outlen;
struct rspamd_http_header *hdr;
@@ -1243,11 +1243,11 @@ rspamd_http_connection_encrypt_message (
* iov[4..i] = encrypted HTTP request/reply
*/
priv->out[2].iov_base = np;
- priv->out[2].iov_len = rspamd_cryptobox_NONCEBYTES;
+ priv->out[2].iov_len = rspamd_cryptobox_nonce_bytes ();
priv->out[3].iov_base = mp;
- priv->out[3].iov_len = rspamd_cryptobox_MACBYTES;
+ priv->out[3].iov_len = rspamd_cryptobox_mac_bytes ();
- outlen += rspamd_cryptobox_NONCEBYTES + rspamd_cryptobox_MACBYTES;
+ outlen += rspamd_cryptobox_nonce_bytes () + rspamd_cryptobox_mac_bytes ();
for (i = 0; i < cnt; i ++) {
priv->out[i + 4].iov_base = segments[i].data;
@@ -1274,7 +1274,7 @@ rspamd_http_connection_write_message (struct rspamd_http_connection *conn,
rspamd_fstring_t *buf;
gboolean encrypted = FALSE;
gchar *b32_key, *b32_id;
- guchar nonce[rspamd_cryptobox_NONCEBYTES], mac[rspamd_cryptobox_MACBYTES],
+ guchar nonce[rspamd_cryptobox_MAX_NONCEBYTES], mac[rspamd_cryptobox_MAX_MACBYTES],
id[BLAKE2B_OUTBYTES];
guchar *np = NULL, *mp = NULL, *meth_pos = NULL;
struct rspamd_http_keypair *peer_key = NULL;
@@ -1336,7 +1336,8 @@ rspamd_http_connection_write_message (struct rspamd_http_connection *conn,
* [iov[n + 2] = encrypted body]
*/
priv->outlen = 7;
- enclen = rspamd_cryptobox_NONCEBYTES + rspamd_cryptobox_MACBYTES +
+ enclen = rspamd_cryptobox_nonce_bytes () +
+ rspamd_cryptobox_mac_bytes () +
4 + /* 2 * CRLF */
bodylen;
}
@@ -1364,7 +1365,8 @@ rspamd_http_connection_write_message (struct rspamd_http_connection *conn,
ENCRYPTED_VERSION);
}
- enclen = rspamd_cryptobox_NONCEBYTES + rspamd_cryptobox_MACBYTES +
+ enclen = rspamd_cryptobox_nonce_bytes () +
+ rspamd_cryptobox_mac_bytes () +
preludelen + /* version [content-length] + 2 * CRLF */
bodylen;
}
@@ -1556,7 +1558,7 @@ rspamd_http_connection_write_message (struct rspamd_http_connection *conn,
if (encrypted) {
memcpy (id, peer_key->id, sizeof (id));
b32_key = rspamd_encode_base32 (priv->local_key->pk,
- sizeof (priv->local_key->pk));
+ rspamd_cryptobox_pk_bytes ());
b32_id = rspamd_encode_base32 (id, RSPAMD_HTTP_KEY_ID_LEN);
/* XXX: add some fuzz here */
rspamd_printf_fstring (&buf, "Key: %s=%s\r\n", b32_id, b32_key);
@@ -1573,8 +1575,8 @@ rspamd_http_connection_write_message (struct rspamd_http_connection *conn,
if (encrypted) {
gint meth_offset, nonce_offset, mac_offset;
- ottery_rand_bytes (nonce, sizeof (nonce));
- memset (mac, 0, sizeof (mac));
+ ottery_rand_bytes (nonce, rspamd_cryptobox_nonce_bytes ());
+ memset (mac, 0, rspamd_cryptobox_mac_bytes ());
meth_offset = buf->len;
if (conn->type == RSPAMD_HTTP_SERVER) {
@@ -1588,9 +1590,9 @@ rspamd_http_connection_write_message (struct rspamd_http_connection *conn,
}
nonce_offset = buf->len;
- buf = rspamd_fstring_append (buf, nonce, sizeof (nonce));
+ buf = rspamd_fstring_append (buf, nonce, rspamd_cryptobox_nonce_bytes ());
mac_offset = buf->len;
- buf = rspamd_fstring_append (buf, mac, sizeof (mac));
+ buf = rspamd_fstring_append (buf, mac, rspamd_cryptobox_mac_bytes ());
/* Need to be encrypted */
if (conn->type == RSPAMD_HTTP_SERVER) {
@@ -2238,12 +2240,13 @@ rspamd_http_connection_make_key (gchar *key, gsize keylen)
decoded_pk = rspamd_decode_base32 (key + keylen / 2, keylen / 2, &decoded_len);
if (decoded_pk != NULL && decoded_sk != NULL) {
- if (decoded_len == rspamd_cryptobox_PKBYTES) {
+ if (decoded_len == rspamd_cryptobox_pk_bytes ()) {
kp = g_slice_alloc (sizeof (*kp));
REF_INIT_RETAIN (kp, rspamd_http_keypair_dtor);
- memcpy (kp->sk, decoded_sk, rspamd_cryptobox_SKBYTES);
- memcpy (kp->pk, decoded_pk, rspamd_cryptobox_PKBYTES);
- blake2b (kp->id, kp->pk, NULL, sizeof (kp->id), sizeof (kp->pk), 0);
+ memcpy (kp->sk, decoded_sk, rspamd_cryptobox_sk_bytes ());
+ memcpy (kp->pk, decoded_pk, rspamd_cryptobox_pk_bytes ());
+ blake2b (kp->id, kp->pk, NULL, sizeof (kp->id),
+ rspamd_cryptobox_pk_bytes (), 0);
return (gpointer)kp;
}
@@ -2263,7 +2266,8 @@ rspamd_http_connection_gen_key (void)
REF_INIT_RETAIN (kp, rspamd_http_keypair_dtor);
rspamd_cryptobox_keypair (kp->pk, kp->sk);
- blake2b (kp->id, kp->pk, NULL, sizeof (kp->id), sizeof (kp->pk), 0);
+ blake2b (kp->id, kp->pk, NULL, sizeof (kp->id),
+ rspamd_cryptobox_pk_bytes (), 0);
return (gpointer)kp;
}
@@ -2306,11 +2310,13 @@ rspamd_http_connection_print_key (gpointer key, guint how)
res = g_string_new (NULL);
if ((how & RSPAMD_KEYPAIR_PUBKEY)) {
- rspamd_http_print_key_component (kp->pk, sizeof (kp->pk), res, how,
+ rspamd_http_print_key_component (kp->pk,
+ rspamd_cryptobox_pk_bytes (), res, how,
"Public key");
}
if ((how & RSPAMD_KEYPAIR_PRIVKEY)) {
- rspamd_http_print_key_component (kp->sk, sizeof (kp->sk), res, how,
+ rspamd_http_print_key_component (kp->sk, rspamd_cryptobox_sk_bytes (),
+ res, how,
"Private key");
}
if ((how & RSPAMD_KEYPAIR_ID)) {
@@ -2377,11 +2383,12 @@ rspamd_http_connection_make_peer_key (const gchar *key)
pk_decoded = rspamd_decode_base32 (key, strlen (key), &dec_len);
- if (pk_decoded != NULL && dec_len == rspamd_cryptobox_PKBYTES) {
+ if (pk_decoded != NULL && dec_len == rspamd_cryptobox_pk_bytes ()) {
kp = g_slice_alloc0 (sizeof (*kp));
REF_INIT_RETAIN (kp, rspamd_http_keypair_dtor);
- memcpy (kp->pk, pk_decoded, sizeof (kp->pk));
- blake2b (kp->id, kp->pk, NULL, sizeof (kp->id), sizeof (kp->pk), 0);
+ memcpy (kp->pk, pk_decoded, rspamd_cryptobox_pk_bytes ());
+ blake2b (kp->id, kp->pk, NULL, sizeof (kp->id),
+ rspamd_cryptobox_pk_bytes (), 0);
}
g_free (pk_decoded);
diff --git a/src/libutil/keypair_private.h b/src/libutil/keypair_private.h
index 757dabb6b..96f78bdcd 100644
--- a/src/libutil/keypair_private.h
+++ b/src/libutil/keypair_private.h
@@ -31,10 +31,10 @@
#include "cryptobox.h"
struct RSPAMD_ALIGNED(32) rspamd_http_keypair {
- guchar pk[rspamd_cryptobox_PKBYTES];
- guchar RSPAMD_ALIGNED(32) sk[rspamd_cryptobox_SKBYTES];
+ guchar RSPAMD_ALIGNED(32) sk[rspamd_cryptobox_MAX_SKBYTES];
+ guchar RSPAMD_ALIGNED(32) nm[rspamd_cryptobox_MAX_NMBYTES];
+ guchar RSPAMD_ALIGNED(32) pk[rspamd_cryptobox_MAX_PKBYTES];
guchar id[BLAKE2B_OUTBYTES];
- guchar RSPAMD_ALIGNED(32) nm[rspamd_cryptobox_NMBYTES];
gboolean has_nm;
ref_entry_t ref;
};
diff --git a/src/libutil/keypairs_cache.c b/src/libutil/keypairs_cache.c
index eb9b5215c..8b8014e5d 100644
--- a/src/libutil/keypairs_cache.c
+++ b/src/libutil/keypairs_cache.c
@@ -31,8 +31,8 @@
#include "xxhash.h"
struct rspamd_keypair_elt {
- guchar nm[rspamd_cryptobox_NMBYTES];
- guchar pair[rspamd_cryptobox_PKBYTES + rspamd_cryptobox_SKBYTES];
+ guchar nm[rspamd_cryptobox_MAX_NMBYTES];
+ guchar pair[rspamd_cryptobox_MAX_PKBYTES + rspamd_cryptobox_MAX_SKBYTES];
};
struct rspamd_keypair_cache {
@@ -90,23 +90,24 @@ rspamd_keypair_cache_process (struct rspamd_keypair_cache *c,
g_assert (kp_local != NULL);
g_assert (kp_remote != NULL);
- memcpy (search.pair, kp_remote->pk, rspamd_cryptobox_PKBYTES);
- memcpy (&search.pair[rspamd_cryptobox_PKBYTES], kp_local->sk,
- rspamd_cryptobox_SKBYTES);
+ memset (&search, 0, sizeof (search));
+ memcpy (search.pair, kp_remote->pk, rspamd_cryptobox_pk_bytes ());
+ memcpy (&search.pair[rspamd_cryptobox_MAX_PKBYTES], kp_local->sk,
+ rspamd_cryptobox_sk_bytes ());
new = rspamd_lru_hash_lookup (c->hash, &search, time (NULL));
if (new == NULL) {
- new = g_slice_alloc (sizeof (*new));
- memcpy (new->pair, kp_remote->pk, rspamd_cryptobox_PKBYTES);
- memcpy (&new->pair[rspamd_cryptobox_PKBYTES], kp_local->sk,
- rspamd_cryptobox_SKBYTES);
+ new = g_slice_alloc0 (sizeof (*new));
+ memcpy (new->pair, kp_remote->pk, rspamd_cryptobox_pk_bytes ());
+ memcpy (&new->pair[rspamd_cryptobox_MAX_PKBYTES], kp_local->sk,
+ rspamd_cryptobox_sk_bytes ());
rspamd_cryptobox_nm (new->nm, kp_remote->pk, kp_local->sk);
rspamd_lru_hash_insert (c->hash, new, new, time (NULL), -1);
}
g_assert (new != NULL);
- memcpy (kp_remote->nm, new->nm, rspamd_cryptobox_NMBYTES);
+ memcpy (kp_remote->nm, new->nm, rspamd_cryptobox_nm_bytes ());
kp_remote->has_nm = TRUE;
#if 0
memcpy (kp_local->nm, new->nm, rspamd_cryptobox_NMBYTES);