niklas/cyclonedds
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Correct generation of the crypto key

Browse source 
Signed-off-by: Marcel Jordense <marcel.jordense@adlinktech.com>
This commit is contained in:
Marcel Jordense 2020-05-01 14:13:05 +02:00 committed by eboasson
parent 720c8f8fbf
commit 860f261dc6
2 changed files with 10 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

17
src/security/builtin_plugins/cryptographic/src/crypto_key_factory.c
View file

@ -89,8 +89,10 @@ calculate_kx_keys(
unsigned char *kx_master_salt, *kx_master_sender_key; unsigned char *kx_master_salt, *kx_master_sender_key;
size_t shared_secret_size = get_secret_size_from_secret_handle(shared_secret); size_t shared_secret_size = get_secret_size_from_secret_handle(shared_secret);
unsigned char hash[SHA256_DIGEST_LENGTH]; unsigned char hash[SHA256_DIGEST_LENGTH];
size_t concatenated_bytes1_size = DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE * 2 + sizeof(KXSALTCOOKIE); size_t KXKEYCOOKIE_SIZE = strlen(KXKEYCOOKIE);
size_t concatenated_bytes2_size = DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE * 2 + sizeof(KXKEYCOOKIE); size_t KXSALTCOOKIE_SIZE = strlen(KXSALTCOOKIE);
size_t concatenated_bytes1_size = DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE * 2 + KXSALTCOOKIE_SIZE;
size_t concatenated_bytes2_size = DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE * 2 + KXKEYCOOKIE_SIZE;
DDS_Security_octet *concatenated_bytes1, *concatenated_bytes2; DDS_Security_octet *concatenated_bytes1, *concatenated_bytes2;
memset(ex, 0, sizeof(*ex)); memset(ex, 0, sizeof(*ex));
@ -108,9 +110,8 @@ calculate_kx_keys(
/* master_salt */ /* master_salt */
memcpy(concatenated_bytes1, challenge1, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE); memcpy(concatenated_bytes1, challenge1, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE);
memcpy(concatenated_bytes1 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE, KXSALTCOOKIE, sizeof(KXSALTCOOKIE)); memcpy(concatenated_bytes1 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE, KXSALTCOOKIE, KXSALTCOOKIE_SIZE);
memcpy(concatenated_bytes1 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE + sizeof(KXSALTCOOKIE), challenge2, memcpy(concatenated_bytes1 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE + KXSALTCOOKIE_SIZE, challenge2, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE);
DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE);
SHA256(concatenated_bytes1, concatenated_bytes1_size, hash); SHA256(concatenated_bytes1, concatenated_bytes1_size, hash);
if (!(kx_master_salt = crypto_hmac256(hash, SHA256_DIGEST_LENGTH, shared_secret_key, (uint32_t) shared_secret_size, ex))) if (!(kx_master_salt = crypto_hmac256(hash, SHA256_DIGEST_LENGTH, shared_secret_key, (uint32_t) shared_secret_size, ex)))
@ -118,9 +119,8 @@ calculate_kx_keys(
/* master_sender_key */ /* master_sender_key */
memcpy(concatenated_bytes2, challenge2, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE); memcpy(concatenated_bytes2, challenge2, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE);
memcpy(concatenated_bytes2 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE, KXKEYCOOKIE, sizeof(KXKEYCOOKIE)); memcpy(concatenated_bytes2 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE, KXKEYCOOKIE, KXKEYCOOKIE_SIZE);
memcpy(concatenated_bytes2 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE + sizeof(KXKEYCOOKIE), challenge1, memcpy(concatenated_bytes2 + DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE + KXKEYCOOKIE_SIZE, challenge1, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE);
DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE);
SHA256(concatenated_bytes2, concatenated_bytes2_size, hash); SHA256(concatenated_bytes2, concatenated_bytes2_size, hash);
if (!(kx_master_sender_key = crypto_hmac256(hash, SHA256_DIGEST_LENGTH, shared_secret_key, (uint32_t) shared_secret_size, ex))) if (!(kx_master_sender_key = crypto_hmac256(hash, SHA256_DIGEST_LENGTH, shared_secret_key, (uint32_t) shared_secret_size, ex)))
@ -1158,6 +1158,7 @@ crypto_factory_set_participant_crypto_tokens(
master_key_material *remote_key_mat_new = crypto_master_key_material_new(CRYPTO_TRANSFORMATION_KIND_NONE); master_key_material *remote_key_mat_new = crypto_master_key_material_new(CRYPTO_TRANSFORMATION_KIND_NONE);
crypto_token_copy(remote_key_mat_new, remote_key_mat); crypto_token_copy(remote_key_mat_new, remote_key_mat);
key_material->remote_key_material = remote_key_mat_new; key_material->remote_key_material = remote_key_mat_new;
if (remote_key_mat_old != NULL) if (remote_key_mat_old != NULL)
{ {
struct gcreq *gcreq = gcreq_new(impl->crypto->gv->gcreq_queue, gc_remote_key_material); struct gcreq *gcreq = gcreq_new(impl->crypto->gv->gcreq_queue, gc_remote_key_material);

1
src/security/builtin_plugins/cryptographic/src/crypto_utils.c
View file

@ -62,6 +62,7 @@ crypto_calculate_key_impl(
memcpy(buffer, prefix, strlen(prefix)); memcpy(buffer, prefix, strlen(prefix));
memcpy(&buffer[strlen(prefix)], master_salt, key_bytes); memcpy(&buffer[strlen(prefix)], master_salt, key_bytes);
memcpy(&buffer[strlen(prefix) + key_bytes], &id, sizeof(id)); memcpy(&buffer[strlen(prefix) + key_bytes], &id, sizeof(id));
if (HMAC(EVP_sha256(), master_key, (int)key_bytes, buffer, sz, md, NULL) == NULL) if (HMAC(EVP_sha256(), master_key, (int)key_bytes, buffer, sz, md, NULL) == NULL)
{ {
DDS_Security_Exception_set_with_openssl_error(ex, DDS_CRYPTO_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CIPHER_ERROR, 0, "HMAC failed: "); DDS_Security_Exception_set_with_openssl_error(ex, DDS_CRYPTO_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CIPHER_ERROR, 0, "HMAC failed: ");