From a699afcae2000f690cec89a958b9e8fc6350ddce Mon Sep 17 00:00:00 2001 From: claudio Date: Fri, 28 Jul 2023 07:31:38 +0000 Subject: [PATCH] Use ibuf_data() instead of accessing the ibuf buf pointer directly. Also convert some ibuf_add(() calls to ibuf_add_buf() where appropriate. OK tobhe@ tb@ --- sbin/iked/crypto.c | 6 ++--- sbin/iked/dh.c | 16 ++++++------- sbin/iked/ikev2.c | 56 ++++++++++++++++++++++--------------------- sbin/iked/ikev2_msg.c | 15 ++++++------ 4 files changed, 48 insertions(+), 45 deletions(-) diff --git a/sbin/iked/crypto.c b/sbin/iked/crypto.c index 99d32823f6e..8a65e47cedc 100644 --- a/sbin/iked/crypto.c +++ b/sbin/iked/crypto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: crypto.c,v 1.44 2023/06/06 13:27:49 claudio Exp $ */ +/* $OpenBSD: crypto.c,v 1.45 2023/07/28 07:31:38 claudio Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -327,7 +327,7 @@ hash_free(struct iked_hash *hash) void hash_init(struct iked_hash *hash) { - HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf, + HMAC_Init_ex(hash->hash_ctx, ibuf_data(hash->hash_key), ibuf_length(hash->hash_key), hash->hash_priv, NULL); } @@ -572,7 +572,7 @@ cipher_init(struct iked_cipher *encr, int enc) encr->encr_saltlength), encr->encr_saltlength); if (nonce == NULL) return (-1); - if (ibuf_add(nonce, ibuf_data(encr->encr_iv) , ibuf_size(encr->encr_iv)) != 0) + if (ibuf_add_buf(nonce, encr->encr_iv) != 0) goto done; if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL, ibuf_data(encr->encr_key), ibuf_data(nonce), enc) != 1) diff --git a/sbin/iked/dh.c b/sbin/iked/dh.c index efe0bf2838d..e545c6df0bc 100644 --- a/sbin/iked/dh.c +++ b/sbin/iked/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.32 2022/12/03 22:34:35 tobhe Exp $ */ +/* $OpenBSD: dh.c,v 1.33 2023/07/28 07:31:38 claudio Exp $ */ /* * Copyright (c) 2010-2014 Reyk Floeter @@ -401,7 +401,7 @@ dh_create_exchange(struct dh_group *group, struct ibuf **bufp, struct ibuf *iexc if (buf == NULL) return -1; *bufp = buf; - return (group->exchange(group, buf->buf)); + return (group->exchange(group, ibuf_data(buf))); } int @@ -419,7 +419,7 @@ dh_create_shared(struct dh_group *group, struct ibuf **secretp, struct ibuf *exc if (buf == NULL) return -1; *secretp = buf; - return (group->shared(group, buf->buf, exchange->buf)); + return (group->shared(group, ibuf_data(buf), ibuf_data(exchange))); } int @@ -801,7 +801,7 @@ kemsx_create_exchange2(struct dh_group *group, struct ibuf **bufp, buf = ibuf_new(NULL, need); if (buf == NULL) return -1; - cp = buf->buf; + cp = ibuf_data(buf); memcpy(cp, kemsx->public, crypto_kem_sntrup761_PUBLICKEYBYTES); cp += crypto_kem_sntrup761_PUBLICKEYBYTES; @@ -819,8 +819,8 @@ kemsx_create_exchange2(struct dh_group *group, struct ibuf **bufp, buf = ibuf_new(NULL, need); if (buf == NULL) return -1; - cp = buf->buf; - pk = iexchange->buf; + cp = ibuf_data(buf); + pk = ibuf_data(iexchange); crypto_kem_sntrup761_enc(cp, kemsx->kemkey, pk); cp += crypto_kem_sntrup761_CIPHERTEXTBYTES; } @@ -850,7 +850,7 @@ kemsx_create_shared2(struct dh_group *group, struct ibuf **sharedp, return (-1); have = ibuf_size(exchange); - cp = exchange->buf; + cp = ibuf_data(exchange); if (kemsx->initiator) { /* input */ need = crypto_kem_sntrup761_CIPHERTEXTBYTES + @@ -878,7 +878,7 @@ kemsx_create_shared2(struct dh_group *group, struct ibuf **sharedp, EVP_DigestInit_ex(ctx, EVP_sha512(), NULL) != 1 || EVP_DigestUpdate(ctx, kemsx->kemkey, sizeof(kemsx->kemkey)) != 1 || EVP_DigestUpdate(ctx, shared, sizeof(shared)) != 1 || - EVP_DigestFinal_ex(ctx, buf->buf, &len) != 1) { + EVP_DigestFinal_ex(ctx, ibuf_data(buf), &len) != 1) { EVP_MD_CTX_free(ctx); ibuf_free(buf); return (-1); diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index 14e05a07012..d255cd7ae3c 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.374 2023/07/18 15:07:41 claudio Exp $ */ +/* $OpenBSD: ikev2.c,v 1.375 2023/07/28 07:31:38 claudio Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -5738,14 +5738,14 @@ ikev2_sa_keys(struct iked *env, struct iked_sa *sa, struct ibuf *key) log_debug("%s: DHSECRET with %zu bytes", SPI_SA(sa, __func__), ibuf_length(dhsecret)); - print_hex(dhsecret->buf, 0, ibuf_length(dhsecret)); + print_hex(ibuf_data(dhsecret), 0, ibuf_length(dhsecret)); if (!key) { /* * Set PRF key to generate SKEYSEED = prf(Ni | Nr, g^ir) */ - if ((ninr = ibuf_new(sa->sa_inonce->buf, ilen)) == NULL || - ibuf_add(ninr, sa->sa_rnonce->buf, rlen) != 0) { + if ((ninr = ibuf_new(ibuf_data(sa->sa_inonce), ilen)) == NULL || + ibuf_add(ninr, ibuf_data(sa->sa_rnonce), rlen) != 0) { log_info("%s: failed to get nonce key buffer", SPI_SA(sa, __func__)); goto done; @@ -5755,15 +5755,15 @@ ikev2_sa_keys(struct iked *env, struct iked_sa *sa, struct ibuf *key) /* * Set PRF key to generate SKEYSEED = prf(key, g^ir | Ni | Nr) */ - if (ibuf_add(dhsecret, sa->sa_inonce->buf, ilen) != 0 || - ibuf_add(dhsecret, sa->sa_rnonce->buf, rlen) != 0) { + if (ibuf_add(dhsecret, ibuf_data(sa->sa_inonce), ilen) != 0 || + ibuf_add(dhsecret, ibuf_data(sa->sa_rnonce), rlen) != 0) { log_info("%s: failed to get nonce key buffer", SPI_SA(sa, __func__)); goto done; } } - if ((hash_setkey(prf, key->buf, ibuf_length(key))) == NULL) { + if ((hash_setkey(prf, ibuf_data(key), ibuf_length(key))) == NULL) { log_info("%s: failed to set prf key", SPI_SA(sa, __func__)); goto done; } @@ -5776,11 +5776,11 @@ ikev2_sa_keys(struct iked *env, struct iked_sa *sa, struct ibuf *key) tmplen = 0; hash_init(prf); - hash_update(prf, dhsecret->buf, ibuf_length(dhsecret)); - hash_final(prf, skeyseed->buf, &tmplen); + hash_update(prf, ibuf_data(dhsecret), ibuf_length(dhsecret)); + hash_final(prf, ibuf_data(skeyseed), &tmplen); log_debug("%s: SKEYSEED with %zu bytes", __func__, tmplen); - print_hex(skeyseed->buf, 0, tmplen); + print_hex(ibuf_data(skeyseed), 0, tmplen); if (ibuf_setsize(skeyseed, tmplen) == -1) { log_info("%s: failed to set keymaterial length", @@ -5800,8 +5800,8 @@ ikev2_sa_keys(struct iked *env, struct iked_sa *sa, struct ibuf *key) ispi = htobe64(sa->sa_hdr.sh_ispi); rspi = htobe64(sa->sa_hdr.sh_rspi); - if ((s = ibuf_new(sa->sa_inonce->buf, ilen)) == NULL || - ibuf_add(s, sa->sa_rnonce->buf, rlen) != 0 || + if ((s = ibuf_new(ibuf_data(sa->sa_inonce), ilen)) == NULL || + ibuf_add(s, ibuf_data(sa->sa_rnonce), rlen) != 0 || ibuf_add(s, &ispi, sizeof(ispi)) != 0 || ibuf_add(s, &rspi, sizeof(rspi)) != 0) { log_info("%s: failed to set S buffer", @@ -5810,7 +5810,7 @@ ikev2_sa_keys(struct iked *env, struct iked_sa *sa, struct ibuf *key) } log_debug("%s: S with %zu bytes", SPI_SA(sa, __func__), ibuf_length(s)); - print_hex(s->buf, 0, ibuf_length(s)); + print_hex(ibuf_data(s), 0, ibuf_length(s)); /* * Get the size of the key material we need and the number @@ -5850,29 +5850,31 @@ ikev2_sa_keys(struct iked *env, struct iked_sa *sa, struct ibuf *key) log_debug("%s: SK_d with %zu bytes", __func__, ibuf_length(sa->sa_key_d)); - print_hex(sa->sa_key_d->buf, 0, ibuf_length(sa->sa_key_d)); + print_hex(ibuf_data(sa->sa_key_d), 0, ibuf_length(sa->sa_key_d)); if (!isaead) { log_debug("%s: SK_ai with %zu bytes", __func__, ibuf_length(sa->sa_key_iauth)); - print_hex(sa->sa_key_iauth->buf, 0, + print_hex(ibuf_data(sa->sa_key_iauth), 0, ibuf_length(sa->sa_key_iauth)); log_debug("%s: SK_ar with %zu bytes", __func__, ibuf_length(sa->sa_key_rauth)); - print_hex(sa->sa_key_rauth->buf, 0, + print_hex(ibuf_data(sa->sa_key_rauth), 0, ibuf_length(sa->sa_key_rauth)); } log_debug("%s: SK_ei with %zu bytes", __func__, ibuf_length(sa->sa_key_iencr)); - print_hex(sa->sa_key_iencr->buf, 0, ibuf_length(sa->sa_key_iencr)); + print_hex(ibuf_data(sa->sa_key_iencr), 0, + ibuf_length(sa->sa_key_iencr)); log_debug("%s: SK_er with %zu bytes", __func__, ibuf_length(sa->sa_key_rencr)); - print_hex(sa->sa_key_rencr->buf, 0, ibuf_length(sa->sa_key_rencr)); + print_hex(ibuf_data(sa->sa_key_rencr), 0, + ibuf_length(sa->sa_key_rencr)); log_debug("%s: SK_pi with %zu bytes", __func__, ibuf_length(sa->sa_key_iprf)); - print_hex(sa->sa_key_iprf->buf, 0, ibuf_length(sa->sa_key_iprf)); + print_hex(ibuf_data(sa->sa_key_iprf), 0, ibuf_length(sa->sa_key_iprf)); log_debug("%s: SK_pr with %zu bytes", __func__, ibuf_length(sa->sa_key_rprf)); - print_hex(sa->sa_key_rprf->buf, 0, ibuf_length(sa->sa_key_rprf)); + print_hex(ibuf_data(sa->sa_key_rprf), 0, ibuf_length(sa->sa_key_rprf)); ret = 0; @@ -5930,33 +5932,33 @@ ikev2_prfplus(struct iked_hash *prf, struct ibuf *key, struct ibuf *seed, for (i = 0; i < rlen; i++) { if (t1 != NULL) { - t2 = ibuf_new(t1->buf, ibuf_length(t1)); + t2 = ibuf_new(ibuf_data(t1), ibuf_length(t1)); ibuf_free(t1); } else t2 = ibuf_new(NULL, 0); t1 = ibuf_new(NULL, hash_keylength(prf)); - ibuf_add(t2, seed->buf, ibuf_length(seed)); + ibuf_add_buf(t2, seed); pad = i + 1; ibuf_add(t2, &pad, 1); hash_init(prf); - hash_update(prf, t2->buf, ibuf_length(t2)); - hash_final(prf, t1->buf, &hashlen); + hash_update(prf, ibuf_data(t2), ibuf_length(t2)); + hash_final(prf, ibuf_data(t1), &hashlen); if (hashlen != hash_length(prf)) fatalx("ikev2_prfplus: hash length mismatch"); ibuf_free(t2); - ibuf_add(t, t1->buf, ibuf_length(t1)); + ibuf_add_buf(t, t1); log_debug("%s: T%d with %zu bytes", __func__, pad, ibuf_length(t1)); - print_hex(t1->buf, 0, ibuf_length(t1)); + print_hex(ibuf_data(t1), 0, ibuf_length(t1)); } log_debug("%s: Tn with %zu bytes", __func__, ibuf_length(t)); - print_hex(t->buf, 0, ibuf_length(t)); + print_hex(ibuf_data(t), 0, ibuf_length(t)); ibuf_free(t1); diff --git a/sbin/iked/ikev2_msg.c b/sbin/iked/ikev2_msg.c index aa7e08d2ed7..79865b21e8b 100644 --- a/sbin/iked/ikev2_msg.c +++ b/sbin/iked/ikev2_msg.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2_msg.c,v 1.97 2023/07/18 15:07:41 claudio Exp $ */ +/* $OpenBSD: ikev2_msg.c,v 1.98 2023/07/28 07:31:38 claudio Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -448,7 +448,7 @@ ikev2_msg_encrypt(struct iked *env, struct iked_sa *sa, struct ibuf *src, log_debug("%s: padded length %zu", __func__, ibuf_size(src)); print_hex(ibuf_data(src), 0, ibuf_size(src)); - cipher_setkey(sa->sa_encr, encr->buf, ibuf_length(encr)); + cipher_setkey(sa->sa_encr, ibuf_data(encr), ibuf_length(encr)); cipher_setiv(sa->sa_encr, NULL, 0); /* XXX ivlen */ if (cipher_init_encrypt(sa->sa_encr) == -1) { log_info("%s: error initiating cipher.", __func__); @@ -619,22 +619,23 @@ ikev2_msg_decrypt(struct iked *env, struct iked_sa *sa, if ((tmp = ibuf_new(NULL, hash_keylength(sa->sa_integr))) == NULL) goto done; - hash_setkey(sa->sa_integr, integr->buf, ibuf_length(integr)); + hash_setkey(sa->sa_integr, ibuf_data(integr), + ibuf_length(integr)); hash_init(sa->sa_integr); hash_update(sa->sa_integr, ibuf_data(msg), ibuf_size(msg) - integrlen); - hash_final(sa->sa_integr, tmp->buf, &tmplen); + hash_final(sa->sa_integr, ibuf_data(tmp), &tmplen); integrdata = ibuf_seek(src, integroff, integrlen); if (integrdata == NULL) goto done; - if (memcmp(tmp->buf, integrdata, integrlen) != 0) { + if (memcmp(ibuf_data(tmp), integrdata, integrlen) != 0) { log_debug("%s: integrity check failed", __func__); goto done; } log_debug("%s: integrity check succeeded", __func__); - print_hex(tmp->buf, 0, tmplen); + print_hex(ibuf_data(tmp), 0, tmplen); ibuf_free(tmp); tmp = NULL; @@ -648,7 +649,7 @@ ikev2_msg_decrypt(struct iked *env, struct iked_sa *sa, goto done; } - cipher_setkey(sa->sa_encr, encr->buf, ibuf_length(encr)); + cipher_setkey(sa->sa_encr, ibuf_data(encr), ibuf_length(encr)); cipher_setiv(sa->sa_encr, ibuf_seek(src, ivoff, ivlen), ivlen); if (cipher_init_decrypt(sa->sa_encr) == -1) { log_info("%s: error initiating cipher.", __func__); -- 2.20.1