From 860f261dc6b94ee354f6e2c34f9f7506704b7818 Mon Sep 17 00:00:00 2001 From: Marcel Jordense Date: Fri, 1 May 2020 14:13:05 +0200 Subject: [PATCH] Correct generation of the crypto key Signed-off-by: Marcel Jordense --- .../cryptographic/src/crypto_key_factory.c | 17 +++++++++-------- .../cryptographic/src/crypto_utils.c | 1 + 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/src/security/builtin_plugins/cryptographic/src/crypto_key_factory.c b/src/security/builtin_plugins/cryptographic/src/crypto_key_factory.c index cef6830..5416abf 100644 --- a/src/security/builtin_plugins/cryptographic/src/crypto_key_factory.c +++ b/src/security/builtin_plugins/cryptographic/src/crypto_key_factory.c @@ -89,8 +89,10 @@ calculate_kx_keys( unsigned char *kx_master_salt, *kx_master_sender_key; size_t shared_secret_size = get_secret_size_from_secret_handle(shared_secret); unsigned char hash[SHA256_DIGEST_LENGTH]; - size_t concatenated_bytes1_size = DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE * 2 + sizeof(KXSALTCOOKIE); - size_t concatenated_bytes2_size = DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE * 2 + sizeof(KXKEYCOOKIE); + size_t KXKEYCOOKIE_SIZE = strlen(KXKEYCOOKIE); + size_t KXSALTCOOKIE_SIZE = strlen(KXSALTCOOKIE); + size_t concatenated_bytes1_size = DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE * 2 + KXSALTCOOKIE_SIZE; + size_t concatenated_bytes2_size = DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE * 2 + KXKEYCOOKIE_SIZE; DDS_Security_octet *concatenated_bytes1, *concatenated_bytes2; memset(ex, 0, sizeof(*ex)); @@ -108,9 +110,8 @@ calculate_kx_keys( /* master_salt */ memcpy(concatenated_bytes1, challenge1, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE); - memcpy(concatenated_bytes1 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE, KXSALTCOOKIE, sizeof(KXSALTCOOKIE)); - memcpy(concatenated_bytes1 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE + sizeof(KXSALTCOOKIE), challenge2, - DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE); + memcpy(concatenated_bytes1 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE, KXSALTCOOKIE, KXSALTCOOKIE_SIZE); + memcpy(concatenated_bytes1 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE + KXSALTCOOKIE_SIZE, challenge2, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE); SHA256(concatenated_bytes1, concatenated_bytes1_size, hash); if (!(kx_master_salt = crypto_hmac256(hash, SHA256_DIGEST_LENGTH, shared_secret_key, (uint32_t) shared_secret_size, ex))) @@ -118,9 +119,8 @@ calculate_kx_keys( /* master_sender_key */ memcpy(concatenated_bytes2, challenge2, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE); - memcpy(concatenated_bytes2 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE, KXKEYCOOKIE, sizeof(KXKEYCOOKIE)); - memcpy(concatenated_bytes2 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE + sizeof(KXKEYCOOKIE), challenge1, - DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE); + memcpy(concatenated_bytes2 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE, KXKEYCOOKIE, KXKEYCOOKIE_SIZE); + memcpy(concatenated_bytes2 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE + KXKEYCOOKIE_SIZE, challenge1, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE); SHA256(concatenated_bytes2, concatenated_bytes2_size, hash); if (!(kx_master_sender_key = crypto_hmac256(hash, SHA256_DIGEST_LENGTH, shared_secret_key, (uint32_t) shared_secret_size, ex))) @@ -1158,6 +1158,7 @@ crypto_factory_set_participant_crypto_tokens( master_key_material *remote_key_mat_new = crypto_master_key_material_new(CRYPTO_TRANSFORMATION_KIND_NONE); crypto_token_copy(remote_key_mat_new, remote_key_mat); key_material->remote_key_material = remote_key_mat_new; + if (remote_key_mat_old != NULL) { struct gcreq *gcreq = gcreq_new(impl->crypto->gv->gcreq_queue, gc_remote_key_material); diff --git a/src/security/builtin_plugins/cryptographic/src/crypto_utils.c b/src/security/builtin_plugins/cryptographic/src/crypto_utils.c index 36e9f75..12ca32e 100644 --- a/src/security/builtin_plugins/cryptographic/src/crypto_utils.c +++ b/src/security/builtin_plugins/cryptographic/src/crypto_utils.c @@ -62,6 +62,7 @@ crypto_calculate_key_impl( memcpy(buffer, prefix, strlen(prefix)); memcpy(&buffer[strlen(prefix)], master_salt, key_bytes); memcpy(&buffer[strlen(prefix) + key_bytes], &id, sizeof(id)); + if (HMAC(EVP_sha256(), master_key, (int)key_bytes, buffer, sz, md, NULL) == NULL) { DDS_Security_Exception_set_with_openssl_error(ex, DDS_CRYPTO_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CIPHER_ERROR, 0, "HMAC failed: ");