-rw-r--r--sbin/photurisd/Makefile4
-rw-r--r--sbin/photurisd/api.c4
-rw-r--r--sbin/photurisd/compute_secrets.c52
-rw-r--r--sbin/photurisd/config.c66
-rw-r--r--sbin/photurisd/exchange.c328
-rw-r--r--sbin/photurisd/exchange.h18
-rw-r--r--sbin/photurisd/handle_cookie_response.c8
-rw-r--r--sbin/photurisd/handle_value_request.c52
-rw-r--r--sbin/photurisd/handle_value_response.c11
-rw-r--r--sbin/photurisd/identity.c4
-rw-r--r--sbin/photurisd/kernel.c12
-rw-r--r--sbin/photurisd/modulus.c80
-rw-r--r--sbin/photurisd/modulus.h37
-rw-r--r--sbin/photurisd/scheme.c59
-rw-r--r--sbin/photurisd/secrets.h4
-rw-r--r--sbin/photurisd/server.c36
-rw-r--r--sbin/photurisd/state.c8
-rw-r--r--sbin/photurisd/state.h16
18 files changed, 388 insertions, 411 deletions
diff --git a/sbin/photurisd/Makefile b/sbin/photurisd/Makefile
index 86f525dfa07..10f6db4cdae 100644
--- a/sbin/photurisd/Makefile
+++ b/sbin/photurisd/Makefile
@@ -1,6 +1,6 @@
PROG= photurisd
-LDADD= -lgmp -ldes
-DPADD= ${LIBGMP} ${LIBDES}
+LDADD= -lcrypto -ldes
+DPADD= ${LIBCRYPTO} ${LIBDES}
SRCS= photuris_cookie_request.c photuris_cookie_response.c \
photuris_value_request.c photuris_value_response.c \
photuris_identity_request.c photuris_identity_response.c \
diff --git a/sbin/photurisd/api.c b/sbin/photurisd/api.c
index 17cf1f7db97..3e324e17543 100644
--- a/sbin/photurisd/api.c
+++ b/sbin/photurisd/api.c
@@ -37,7 +37,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: api.c,v 1.1 1998/11/14 23:37:22 deraadt Exp $";
+static char rcsid[] = "$Id: api.c,v 1.2 2000/12/11 02:16:50 provos Exp $";
#endif
#define _API_C_
@@ -97,7 +97,7 @@ process_api(int fd, int sendsock)
#ifndef DEBUG
if (addresses != (char **) NULL && strlen(st->address))
- for (i = 0; i<num_ifs; i++) {
+ for (i = 0; i < num_ifs; i++) {
if (addresses[i] == (char *)NULL)
continue;
if (!strcmp(addresses[i], st->address)) {
diff --git a/sbin/photurisd/compute_secrets.c b/sbin/photurisd/compute_secrets.c
index 59b964b4d34..23afe98643f 100644
--- a/sbin/photurisd/compute_secrets.c
+++ b/sbin/photurisd/compute_secrets.c
@@ -34,7 +34,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: compute_secrets.c,v 1.1 1998/11/14 23:37:22 deraadt Exp $";
+static char rcsid[] = "$Id: compute_secrets.c,v 1.2 2000/12/11 02:16:50 provos Exp $";
#endif
#define _SECRETS_C_
@@ -46,7 +46,7 @@ static char rcsid[] = "$Id: compute_secrets.c,v 1.1 1998/11/14 23:37:22 deraadt
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
-#include <gmp.h>
+#include <ssl/bn.h>
#include <md5.h>
#include "state.h"
#include <sha1.h>
@@ -63,54 +63,54 @@ static char rcsid[] = "$Id: compute_secrets.c,v 1.1 1998/11/14 23:37:22 deraadt
int privacykey(struct stateob *st, struct idxform *hash, u_int8_t *key,
u_int8_t *packet, u_int16_t bytes, u_int16_t *order, int owner);
+
int
compute_shared_secret(struct stateob *st,
- u_int8_t **shared, u_int16_t *sharedsize)
+ u_int8_t **shared, size_t *sharedsize)
{
struct moduli_cache *mod;
- int header;
-
- mpz_t tmp, bits, tex;
-
- mpz_init(tmp);
- mpz_init(bits);
+ int header, res;
+ BIGNUM *tmp, *tex;
+ BN_CTX *ctx;
- if((mod=mod_find_modgen(st->modulus, st->generator)) == NULL) {
+ if ((mod = mod_find_modgen(st->modulus, st->generator)) == NULL) {
log_error(0, "Can't find exchange information in cache in compute_shared_secret()");
- return -1;
+ return (-1);
}
/* Compute Diffie-Hellmann a^(xy) (mod n) */
+ tex = BN_new();
+ BN_varpre2bn(st->texchange, st->texchangesize, tex);
- mpz_init_set_varpre(tex, st->texchange);
- mpz_powm(tmp, tex, mod->private_value, mod->modulus);
-
- mpz_clear(tex);
+ tmp = BN_new();
+ ctx = BN_CTX_new();
+ BN_mod_exp(tmp, tex, mod->private_value, mod->modulus, ctx);
+ BN_CTX_free(ctx);
- varpre_get_number_bits(bits, scheme_get_mod(st->scheme));
+ BN_clear_free(tex);
*sharedsize = BUFFER_SIZE;
- if(mpz_to_varpre(buffer, sharedsize, tmp, bits) == -1)
+ res = BN_bn2varpre(tmp, buffer, sharedsize);
+ BN_clear_free(tmp);
+
+ if (res == -1)
return -1;
- mpz_clear(bits);
- mpz_clear(tmp);
/* The shared secret is not used with the size part */
- if (buffer[0] == 255 && buffer[1] == 255)
- header = 8;
- else if (buffer[0] == 255)
+ if (buffer[0] == 255)
header = 4;
else
header = 2;
*sharedsize -= header;
- if((*shared = calloc(*sharedsize,sizeof(u_int8_t))) == NULL) {
+ if ((*shared = calloc(*sharedsize,sizeof(u_int8_t))) == NULL) {
log_error(0, "Not enough memory for shared secret in compute_shared_secret()");
- return -1;
+ return (-1);
}
- bcopy(buffer+header, *shared, *sharedsize);
- return 0;
+ bcopy(buffer + header, *shared, *sharedsize);
+
+ return (0);
}
/*
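Review bot: The results of `BN_varpre2bn` and `BN_mod_exp` in compute_shared_secret are not checked, so a peer value that fails to parse (the helper returns NULL and leaves `tex` at zero) or a failed exponentiation still produces a "shared secret" that is copied out to the caller. Both calls, and the unchecked `BN_new()`/`BN_CTX_new()` allocations, should take the function to a single failure exit that releases `tex`, `tmp` and `ctx`. The derived secret also stays in the global `buffer` after `bcopy`; clearing the used part of `buffer` before returning would keep it from lingering there.

```c
	tex = BN_new();
	tmp = BN_new();
	ctx = BN_CTX_new();
	res = -1;
	if (tex == NULL || tmp == NULL || ctx == NULL)
		goto done;
	if (BN_varpre2bn(st->texchange, st->texchangesize, tex) == NULL)
		goto done;
	if (!BN_mod_exp(tmp, tex, mod->private_value, mod->modulus, ctx))
		goto done;

	*sharedsize = BUFFER_SIZE;
	res = BN_bn2varpre(tmp, buffer, sharedsize);
 done:
	BN_CTX_free(ctx);
	BN_clear_free(tex);
	BN_clear_free(tmp);
	if (res == -1)
		return (-1);
	/* ... unchanged: strip the size header and copy into *shared ... */
```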
diff --git a/sbin/photurisd/config.c b/sbin/photurisd/config.c
index 71d1ee33246..245dcfaa104 100644
--- a/sbin/photurisd/config.c
+++ b/sbin/photurisd/config.c
@@ -33,7 +33,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: config.c,v 1.1 1998/11/14 23:37:22 deraadt Exp $";
+static char rcsid[] = "$Id: config.c,v 1.2 2000/12/11 02:16:50 provos Exp $";
#endif
#define _CONFIG_C_
@@ -50,7 +50,7 @@ static char rcsid[] = "$Id: config.c,v 1.1 1998/11/14 23:37:22 deraadt Exp $";
#include <netdb.h>
#include <time.h>
#include <pwd.h>
-#include <gmp.h>
+#include <ssl/bn.h>
#if defined(_AIX) || defined(NEED_STRSEP)
#include "strsep.h"
#endif
@@ -351,12 +351,12 @@ int
init_schemes(void)
{
struct moduli_cache *tmp;
- mpz_t generator, bits;
- u_int32_t scheme_bits;
+ BIGNUM *generator;
+ size_t scheme_bits;
u_int8_t *newbuf;
char *p, *p2;
- u_int16_t size;
+ size_t size;
int gen_flag = 0;
#ifdef DEBUG
@@ -365,10 +365,9 @@ init_schemes(void)
open_config_file(NULL);
- mpz_init(generator);
- mpz_init(bits);
+ generator = BN_new();
- while((p = config_get(CONFIG_EXCHANGE)) != NULL) {
+ while ((p = config_get(CONFIG_EXCHANGE)) != NULL) {
p2 = p + strlen(CONFIG_EXCHANGE);
if (!isspace(*p2))
continue;
@@ -378,15 +377,15 @@ init_schemes(void)
/* Get exchange Scheme */
if (!strncmp(p2, "DH_G_2_MD5", 10)) {
p = p2 + 11;
- mpz_set_ui(generator, 2);
+ BN_set_word(generator, 2);
*(u_int16_t *)buffer = htons(DH_G_2_MD5);
} else if (!strncmp(p2, "DH_G_2_DES_MD5", 14)) {
p = p2 + 15;
- mpz_set_ui(generator, 2);
+ BN_set_word(generator, 2);
*(u_int16_t *)buffer = htons(DH_G_2_DES_MD5);
} else if (!strncmp(p2, "DH_G_2_3DES_SHA1", 16)) {
p = p2 + 17;
- mpz_set_ui(generator, 2);
+ BN_set_word(generator, 2);
*(u_int16_t *)buffer = htons(DH_G_2_3DES_SHA1);
} else {
log_error(0, "Unknown scheme %s in init_schemes()", p2);
@@ -401,13 +400,11 @@ init_schemes(void)
}
if (scheme_bits != 0) {
-
if ((tmp = mod_find_generator(generator)) == NULL)
continue;
- while(tmp != NULL) {
- mpz_get_number_bits(bits, tmp->modulus);
- if (mpz_get_ui(bits) == scheme_bits)
+ while (tmp != NULL) {
+ if (BN_num_bits(tmp->modulus) == scheme_bits)
break;
tmp = mod_find_generator_next(tmp, generator);
}
@@ -418,7 +415,7 @@ init_schemes(void)
}
size = BUFFER_SIZE - 2;
- if (mpz_to_varpre(buffer+2, &size, tmp->modulus, bits) == -1)
+ if (BN_bn2varpre(tmp->modulus, buffer+2, &size) == -1)
continue;
} else {
size = 2;
@@ -439,7 +436,6 @@ init_schemes(void)
bcopy(buffer, global_schemes + global_schemesize, size + 2);
global_schemesize += size + 2;
-
}
#ifdef DEBUG
printf("Read %d bytes of exchange schemes.\n", global_schemesize);
@@ -448,20 +444,18 @@ init_schemes(void)
if (!gen_flag) {
log_error(0, "DH_G_2_MD5 not in config file, inserting it");
- mpz_set_ui(generator, 2);
+ BN_set_word(generator, 2);
if ((tmp = mod_find_generator(generator)) == NULL)
crit_error(0, "no modulus for generator 2 in init_schemes()");
- mpz_get_number_bits(bits, tmp->modulus);
size = BUFFER_SIZE - 2;
- if (mpz_to_varpre(buffer+2, &size, tmp->modulus, bits) == -1)
- crit_error(0, "mpz_to_varpre() in init_schemes()");
+ if (BN_bn2varpre(tmp->modulus, buffer+2, &size) == -1)
+ crit_error(0, "BN_bn2varpre() in init_schemes()");
*(u_int16_t *)buffer = htons(DH_G_2_MD5);
}
- mpz_clear(generator);
- mpz_clear(bits);
+ BN_clear_free(generator);
return 1;
}
@@ -471,7 +465,7 @@ init_moduli(int primes)
{
struct moduli_cache *tmp;
char *p, *p2;
- mpz_t m, g;
+ BIGNUM *m, *g, *a;
open_config_file(NULL);
@@ -479,24 +473,30 @@ init_moduli(int primes)
printf("[Bootstrapping moduli]\n");
#endif
- mpz_init(m);
- mpz_init(g);
+ m = BN_new();
+ g = BN_new();
while((p = config_get(CONFIG_MODULUS)) != NULL) {
p2 = p + strlen(CONFIG_MODULUS);
- while(isspace(*p2))
+ while (isspace(*p2))
p2++;
/* Get generator */
- if ((p=strsep(&p2, " ")) == NULL)
+ if ((p = strsep(&p2, " ")) == NULL)
continue;
- /* Convert an ascii string to mpz, autodetect base */
- if (mpz_set_str(g, p, 0) == -1)
+ /* Convert an hex string to bignum */
+ a = g;
+ if (!strncmp(p, "0x", 2))
+ p += 2;
+ if (!BN_hex2bn(&a, p))
continue;
/* Get modulus */
- if (mpz_set_str(m, p2, 0) == -1)
+ a = m;
+ if (!strncmp(p2, "0x", 2))
+ p2 += 2;
+ if (!BN_hex2bn(&a, p2))
continue;
if ((tmp = mod_new_modgen(m, g)) == NULL)
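Review bot: `p2` can be NULL at `strncmp(p2, "0x", 2)` in init_moduli, because `strsep(&p2, " ")` sets `p2` to NULL when the line holds a generator with no space after it, and the new prefix test dereferences it. A guard such as `if (p2 == NULL) continue;` before the modulus conversion closes that. Replacing `mpz_set_str(..., 0)` with `BN_hex2bn` also drops base autodetection, so a decimal entry in an existing config file is now silently read as hex. `BN_hex2bn` stops at the first non-hex character and reports only the digits it consumed, so comparing its return value with the length of the token would reject lines with trailing junk. The loop body continues outside this hunk.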
@@ -512,8 +512,8 @@ init_moduli(int primes)
close_config_file();
- mpz_clear(m);
- mpz_clear(g);
+ BN_free(m);
+ BN_free(g);
/* Now check primality */
if (primes)
diff --git a/sbin/photurisd/exchange.c b/sbin/photurisd/exchange.c
index 0e584bef1bf..34ea8183702 100644
--- a/sbin/photurisd/exchange.c
+++ b/sbin/photurisd/exchange.c
@@ -33,7 +33,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: exchange.c,v 1.1 1998/11/14 23:37:23 deraadt Exp $";
+static char rcsid[] = "$Id: exchange.c,v 1.2 2000/12/11 02:16:50 provos Exp $";
#endif
#define _EXCHANGE_C_
@@ -57,181 +57,139 @@ static char rcsid[] = "$Id: exchange.c,v 1.1 1998/11/14 23:37:23 deraadt Exp $";
#include "scheme.h"
#include "errlog.h"
-void
-make_random_mpz(mpz_t a, mpz_t bits)
-{
- mpz_t d;
-
- mpz_init_set_str(d, "0x100000000", 0);
-
- /* XXX - we generate too many bits */
-
- mpz_set_ui(a, 0);
- mpz_cdiv_q_ui(bits,bits,32); /* We work in 2^32 chucks */
-
- while(mpz_cmp_ui(bits,0)>0) {
- mpz_mul(a, a, d); /* c = a * 0x100000000 */
- mpz_add_ui(a, a, arc4random()); /* d = random */
- mpz_sub_ui(bits, bits, 1);
- }
- mpz_clear(d);
-}
-
/*
* Get the number of bits from a variable precision number
* according to draft-simpson-photuris-11
*/
u_int8_t *
-varpre_get_number_bits(mpz_t bits, u_int8_t *varpre)
+varpre_get_number_bits(size_t *nbits, u_int8_t *varpre)
{
- u_int8_t blocks;
- mpz_t a;
-
- mpz_init_set_ui(a,0);
+ int blocks;
+ size_t bits;
- mpz_set_ui(bits, 0);
if (varpre == NULL)
- return NULL;
+ return (NULL);
+
+ /* We don't support numbers, that long */
+ if (*varpre == 255 && *(varpre+1) == 255)
+ return (NULL);
- if(*varpre == 255 && *(varpre+1) == 255) {
- blocks = 6;
- varpre += 2;
- mpz_set_ui(bits, 16776960);
- } else if(*varpre == 255) {
+ bits = 0;
+ if (*varpre == 255) {
blocks = 3;
- mpz_set_ui(bits, 65280);
+ bits = 65280;
varpre++;
} else
blocks = 2;
- while(blocks-->0) {
- mpz_mul_ui(a,a,256);
- mpz_add_ui(a,a,*varpre);
- varpre++;
+ while (blocks-- > 0) {
+ bits = (bits << 8) + *varpre;
+ varpre++;
}
- mpz_add(bits,a,bits); /* Add the above bits */
- mpz_clear(a);
- return varpre;
+
+ *nbits = bits;
+
+ return (varpre);
}
/*
- * Convert a variable precision number to a mpz number
+ * Convert a variable precision number to a bignum
*/
u_int8_t *
-mpz_set_varpre(mpz_t a, u_int8_t *varpre)
+BN_varpre2bn(u_int8_t *varpre, size_t size, BIGNUM *a)
{
u_int8_t *p;
- mpz_t bytes;
-
- mpz_init(bytes);
- mpz_set_ui(a, 0);
- p = varpre_get_number_bits(bytes, varpre);
- mpz_cdiv_q_ui(bytes,bytes,8); /* Number of bytes */
- while(mpz_cmp_ui(bytes,0)) {
- mpz_mul_ui(a, a, 256);
- mpz_sub_ui(bytes, bytes, 1);
- mpz_add_ui(a, a, *p);
- p++;
- }
- mpz_clear(bytes);
-
- return p;
-}
+ size_t bytes;
-u_int8_t *
-mpz_init_set_varpre(mpz_t a, u_int8_t *varpre)
-{
- mpz_init(a);
- return mpz_set_varpre(a,varpre);
-}
+ BN_zero(a);
+ p = varpre_get_number_bits(&bytes, varpre);
+ if (p == NULL)
+ return (NULL);
-void
-mpz_get_number_bits(mpz_t rop, mpz_t p)
-{
- size_t bits;
+ bytes = (bytes + 7) / 8;
+
+ if (p + bytes != varpre + size)
+ return (NULL);
+
+ while (bytes > 0) {
+ BN_lshift(a, a, 8);
+ BN_add_word(a, *p);
+
+ bytes--;
+ p++;
+ }
- bits = mpz_sizeinbase(p, 2);
- mpz_set_ui(rop, bits);
+ return (p);
}
int
-mpz_to_varpre(u_int8_t *value, u_int16_t *size, mpz_t p, mpz_t gbits)
+BN_bn2varpre(BIGNUM *p, u_int8_t *value, size_t *size)
{
- u_int16_t header;
- mpz_t a, tmp, bits, bytes;
- u_int32_t count;
-
- mpz_init(bytes);
- mpz_init(tmp);
- mpz_init_set(bits, gbits);
-
- mpz_cdiv_q_ui(bytes, bits, 8);
-
- count = mpz_get_ui(bytes);
-
- /* XXX - only support 4 octets at the moment */
- if(mpz_cmp_ui(bits, 65279) > 0) {
- mpz_sub_ui(bits,bits,65280);
- value[0] = 255;
- value[3] = mpz_fdiv_qr_ui(bits,tmp,bits,256) & 0xFF;
- value[2] = mpz_fdiv_qr_ui(bits,tmp,bits,256) & 0xFF;
- value[1] = mpz_fdiv_qr_ui(bits,tmp,bits,256) & 0xFF;
- header = 4;
- } else {
- value[1] = mpz_fdiv_qr_ui(bits,tmp,bits,256) & 0xFF;
- value[0] = mpz_fdiv_qr_ui(bits,tmp,bits,256) & 0xFF;
- header = 2;
- }
+ size_t bits, bytes;
+ int header;
+ BIGNUM *a;
+
+ bits = BN_num_bits(p);
+ bytes = (bits + 7) / 8;
+
+ /* We only support 4 octets */
+ if (bits > 65279) {
+ bits -= 65280;
+ value[0] = 255;
+ value[1] = (bits >> 16) & 0xFF;
+ value[2] = (bits >> 8) & 0xFF;
+ value[3] = bits & 0xFF;
+ header = 4;
+ } else {
+ value[0] = (bits >> 8) & 0xFF;
+ value[1] = bits & 0xFF;
+ header = 2;
+ }
- if(mpz_cmp_ui(bytes, *size-header)>0)
- return -1; /* Not enough buffer */
+ /* Check if the buffer is big enough */
+ if (bytes + header > (*size - header))
+ return (-1);
- mpz_init_set(a, p);
+ a = BN_new();
+ BN_copy(a, p);
- /* XXX - int16 vs. int32 */
- *size = count+header;
+ *size = bytes + header;
- while(count>0) {
- count--;
- value[count+header]=mpz_fdiv_qr_ui(a, tmp, a, 256);
- }
- mpz_clear(a);
- mpz_clear(tmp);
- mpz_clear(bits);
- mpz_clear(bytes);
+ while (bytes > 0) {
+ bytes--;
+ value[bytes + header] = BN_mod_word(a, 256);
+ BN_rshift(a, a, 8);
+ }
+ BN_clear_free(a);
- return 0;
+ return (0);
}
int
-exchange_check_value(mpz_t exchange, mpz_t gen, mpz_t mod)
+exchange_check_value(BIGNUM *exchange, BIGNUM *gen, BIGNUM *mod)
{
size_t bits;
- mpz_t test;
+ BIGNUM *test;
- bits = mpz_sizeinbase(mod, 2);
- if (mpz_sizeinbase(exchange, 2) < bits/2)
- return 0;
-
- mpz_init(test);
- mpz_sub_ui(test, mod, 1);
- if (!mpz_cmp(exchange,test)) {
- mpz_clear(test);
- return 0;
- }
- mpz_set_ui(test, 1);
- if (!mpz_cmp(exchange,test)) {
- mpz_clear(test);
- return 0;
+ bits = BN_num_bits(mod);
+ if (BN_num_bits(exchange) < bits/2)
+ return (0);
+
+ test = BN_new();
+ BN_copy(test, mod);
+ BN_sub_word(test, 1);
+ if (!BN_cmp(exchange, test)) {
+ BN_free(test);
+ return (0);
}
/* XXX - more tests need to go here */
- mpz_clear(test);
- return 1;
+ BN_free(test);
+ return (1);
}
/*
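Review bot: exchange_check_value does not bound the peer's value from above: it rejects only values shorter than half the modulus and the exact value `mod - 1`, so an exchange value equal to or larger than `mod` is accepted even when it reduces to a residue the function is meant to refuse. Add a range test before `test` is built, `if (BN_cmp(exchange, mod) >= 0) return (0);`, and keep an explicit comparison against 1 rather than relying on the bit-length test now that the old `== 1` branch is gone. In BN_bn2varpre the length header is written to `value[0..3]` before the size test, and `bytes + header > (*size - header)` subtracts `header` twice and wraps when `*size < header`. Computing `header = bits > 65279 ? 4 : 2;` first and testing `if (*size < (size_t)header || bytes > *size - header) return (-1);` ahead of the writes covers both.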
@@ -240,7 +198,7 @@ exchange_check_value(mpz_t exchange, mpz_t gen, mpz_t mod)
*/
int
-exchange_make_values(struct stateob *st, mpz_t modulus, mpz_t generator)
+exchange_make_values(struct stateob *st, BIGNUM *modulus, BIGNUM *generator)
{
struct moduli_cache *p, *tmp;
u_int8_t *mod;
@@ -249,33 +207,32 @@ exchange_make_values(struct stateob *st, mpz_t modulus, mpz_t generator)
tm = time(NULL);
/* See if we have this cached already */
- if((p = mod_find_modgen(modulus,generator)) == NULL) {
+ if ((p = mod_find_modgen(modulus,generator)) == NULL) {
/* Create a new modulus, generator pair */
if((p = mod_new_modgen(modulus,generator)) == NULL) {
- mpz_clear(generator);
- mpz_clear(modulus);
+ BN_clear_free(generator);
+ BN_clear_free(modulus);
log_error(1, "Not enough memory in exchange_make_values()");
- return -1;
+ return (-1);
}
mod_insert(p);
}
/* If we don't have a private value calculate a new one */
- if(p->lifetime < tm || !mpz_cmp_ui(p->private_value,0)) {
+ if (p->lifetime < tm || BN_is_zero(p->private_value)) {
if (p->exchangevalue != NULL)
free(p->exchangevalue);
/* See if we can find a cached private value */
- if((tmp = mod_find_modulus(modulus)) != NULL &&
- tmp->lifetime > tm && mpz_cmp_ui(tmp->private_value,0)) {
- mpz_set(p->private_value, tmp->private_value);
-
+ if ((tmp = mod_find_modulus(modulus)) != NULL &&
+ tmp->lifetime > tm && !BN_is_zero(tmp->private_value)) {
+ BN_copy(p->private_value, tmp->private_value);
/* Keep exchange value on same (gen,mod) pair */
- if (!mpz_cmp(p->generator, tmp->generator)) {
+ if (!BN_cmp(p->generator, tmp->generator)) {
p->exchangevalue = calloc(tmp->exchangesize,sizeof(u_int8_t));
if (p->exchangevalue == NULL) {
log_error(1, "calloc() in exchange_make_values()");
- return -1;
+ return (-1);
}
bcopy(tmp->exchangevalue, p->exchangevalue,
tmp->exchangesize);
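Review bot: The `BN_clear_free(generator); BN_clear_free(modulus);` pair on the `mod_new_modgen()` failure path frees arguments the caller still owns. exchange_value_generate, later in this file's diff, calls `BN_clear_free` on both again when this function returns -1, which with heap-allocated BIGNUMs is a double free. Drop the two frees here and leave ownership with the caller; the `calloc()` failure return a few lines below already returns -1 without freeing them, so the function is also inconsistent with itself. exchange_make_values starts before and ends after this hunk.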
@@ -287,7 +244,7 @@ exchange_make_values(struct stateob *st, mpz_t modulus, mpz_t generator)
p->status = tmp->status;
p->lifetime = tmp->lifetime;
} else {
- mpz_t bits;
+ size_t bits;
/*
* Make a new private value and change responder secrets
@@ -298,93 +255,97 @@ exchange_make_values(struct stateob *st, mpz_t modulus, mpz_t generator)
schedule_insert(REKEY, REKEY_TIMEOUT, NULL, 0);
reset_secret();
- mpz_init(bits);
-
p->lifetime = tm + MOD_TIMEOUT;
p->exchangevalue = NULL;
/* Find pointer to the VPN containing the modulus */
mod = scheme_get_mod(st->scheme);
- varpre_get_number_bits(bits, mod);
- make_random_mpz(p->private_value, bits);
- mpz_clear(bits);
+ varpre_get_number_bits(&bits, mod);
+ BN_rand(p->private_value, bits, 0, 0);
}
/* Do we need to generate a new exchange value */
if (p->exchangevalue == NULL) {
- mpz_t tmp, bits;
+ BIGNUM *tmp;
+ BN_CTX *ctx;
+ size_t bits;
- mpz_init(bits);
mod = scheme_get_mod(st->scheme);
- varpre_get_number_bits(bits, mod);
-
- mpz_init(tmp);
+ varpre_get_number_bits(&bits, mod);
- mpz_powm(tmp, p->generator, p->private_value, p->modulus);
+ tmp = BN_new();
+ ctx = BN_CTX_new();
+ BN_mod_exp(tmp, p->generator, p->private_value, p->modulus,
+ ctx);
/*
* If our exchange value is defective we need to make a new one
* to avoid subgroup confinement.
*/
while (!exchange_check_value(tmp, p->generator, p->modulus)) {
- make_random_mpz(p->private_value, bits);
- mpz_powm(tmp, p->generator, p->private_value, p->modulus);
+ BN_rand(p->private_value, bits, 0, 0);
+ BN_mod_exp(tmp, p->generator, p->private_value, p->modulus,
+ ctx);
}
+ BN_CTX_free(ctx);
p->exchangesize = BUFFER_SIZE;
- mpz_to_varpre(buffer, &(p->exchangesize), tmp, bits);
+ BN_bn2varpre(tmp, buffer, &(p->exchangesize));
p->exchangevalue = calloc(p->exchangesize, sizeof(u_int8_t));
if (p->exchangevalue == NULL) {
log_error(1, "calloc() in exchange_make_value()");
- mpz_clear(bits); mpz_clear(tmp);
- return -1;
+ BN_clear_free(tmp);
+ return (-1);
}
bcopy(buffer, p->exchangevalue, p->exchangesize);
- mpz_clear(bits);
- mpz_clear(tmp);
+ BN_clear_free(tmp);
}
}
+
if (st->exchangevalue != NULL)
free(st->exchangevalue);
+
st->exchangevalue = calloc(p->exchangesize, sizeof(u_int8_t));
if (st->exchangevalue == NULL) {
log_error(1, "calloc() in exchange_make_values()");
- return -1;
+ return (-1);
}
bcopy(p->exchangevalue, st->exchangevalue, p->exchangesize);
+
st->exchangesize = p->exchangesize;
- mpz_set(st->modulus, p->modulus);
- mpz_set(st->generator, p->generator);
- return 0;
+ BN_copy(st->modulus, p->modulus);
+ BN_copy(st->generator, p->generator);
+
+ return (0);
}
int
-exchange_set_generator(mpz_t generator, u_int8_t *scheme, u_int8_t *gen)
+exchange_set_generator(BIGNUM *generator, u_int8_t *scheme, u_int8_t *gen)
{
switch (ntohs(*((u_int16_t *)scheme))) {
case DH_G_2_MD5: /* DH: Generator of 2 */
case DH_G_2_DES_MD5: /* DH: Generator of 2 + privacy */
case DH_G_2_3DES_SHA1:
- mpz_set_ui(generator,2);
+ BN_set_word(generator,2);
break;
case DH_G_3_MD5:
case DH_G_3_DES_MD5:
case DH_G_3_3DES_SHA1:
- mpz_set_ui(generator,3);
+ BN_set_word(generator,3);
break;
case DH_G_5_MD5:
case DH_G_5_DES_MD5:
case DH_G_5_3DES_SHA1:
- mpz_set_ui(generator,5);
+ BN_set_word(generator,5);
break;
default:
log_error(0, "Unsupported exchange scheme %d",
*((u_int16_t *)scheme));
- return -1;
+ return (-1);
}
- return 0;
+ return (0);
}
/*
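Review bot: `bits` is read uninitialised when `varpre_get_number_bits(&bits, mod)` fails: the rewritten helper returns NULL without storing to `*nbits` for a NULL pointer or a 255,255 length prefix, and both call sites in exchange_make_values ignore the return value before handing `bits` to `BN_rand`. Check it at each site, e.g. `if (varpre_get_number_bits(&bits, mod) == NULL) return (-1);`, releasing `tmp` and `ctx` at the second one. The `BN_rand` and `BN_mod_exp` results are unchecked as well; if `BN_rand` fails inside the `while (!exchange_check_value(...))` loop the private value may not change and the loop may not terminate, so a failed call should abort key generation rather than retry. exchange_make_values begins outside this hunk.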
@@ -395,36 +356,37 @@ exchange_set_generator(mpz_t generator, u_int8_t *scheme, u_int8_t *gen)
int
exchange_value_generate(struct stateob *st, u_int8_t *value, u_int16_t *size)
{
- mpz_t modulus,generator;
+ BIGNUM *modulus, *generator;
struct moduli_cache *p;
u_int8_t *varpre;
if ((varpre = scheme_get_mod(st->scheme)) == NULL)
- return -1;
+ return (-1);
- mpz_init(generator);
+ generator = BN_new();
if (exchange_set_generator(generator, st->scheme,
scheme_get_gen(st->scheme)) == -1) {
- mpz_clear(generator);
- return -1;
+ BN_clear_free(generator);
+ return (-1);
}
- mpz_init_set_varpre(modulus, varpre);
+ modulus = BN_new();
+ BN_varpre2bn(varpre, varpre2octets(varpre), modulus);
if(exchange_make_values(st, modulus, generator) == -1) {
- mpz_clear(modulus);
- mpz_clear(generator);
- return -1;
+ BN_clear_free(modulus);
+ BN_clear_free(generator);
+ return (-1);
}
p = mod_find_modgen(modulus,generator);
if (*size < p->exchangesize)
- return -1;
+ return (-1);
bcopy(p->exchangevalue, value, p->exchangesize);
- mpz_clear(modulus);
- mpz_clear(generator);
+ BN_clear_free(modulus);
+ BN_clear_free(generator);
*size = p->exchangesize;
- return 1;
+ return (1);
}
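Review bot: The return value of `BN_varpre2bn(varpre, varpre2octets(varpre), modulus)` is ignored in exchange_value_generate, and on failure the helper leaves `modulus` at zero, which `mod_find_modgen_next` in modulus.c treats as "match any modulus" (`BN_is_zero(modulus) || ...`). The lookup would then silently pick a cached entry for a different modulus. Fail instead: `if (BN_varpre2bn(varpre, varpre2octets(varpre), modulus) == NULL) { BN_clear_free(modulus); BN_clear_free(generator); return (-1); }`. The `if (*size < p->exchangesize) return (-1);` path returns without freeing either BIGNUM, and `p` from `mod_find_modgen` is dereferenced without a NULL check.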
diff --git a/sbin/photurisd/exchange.h b/sbin/photurisd/exchange.h
index ba32df6cda3..0d6070bbe80 100644
--- a/sbin/photurisd/exchange.h
+++ b/sbin/photurisd/exchange.h
@@ -27,7 +27,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* $Id: exchange.h,v 1.1 1998/11/14 23:37:23 deraadt Exp $ */
+/* $Id: exchange.h,v 1.2 2000/12/11 02:16:50 provos Exp $ */
/*
* exchange.h:
* exchange generation header file
@@ -44,15 +44,13 @@
#define EXTERN extern
#endif
-EXTERN void make_random_mpz(mpz_t a, mpz_t bits);
-EXTERN u_int8_t *varpre_get_number_bits(mpz_t bits, u_int8_t *varpre);
-EXTERN u_int8_t *mpz_set_varpre(mpz_t a, u_int8_t *varpre);
-EXTERN u_int8_t *mpz_init_set_varpre(mpz_t a, u_int8_t *varpre);
-EXTERN void mpz_get_number_bits(mpz_t rop, mpz_t p);
-EXTERN int mpz_to_varpre(u_int8_t *value, u_int16_t *size, mpz_t p, mpz_t bits);
-EXTERN int exchange_set_generator(mpz_t, u_int8_t *, u_int8_t *);
-EXTERN int exchange_check_value(mpz_t, mpz_t, mpz_t);
-EXTERN int exchange_make_values(struct stateob *, mpz_t, mpz_t );
+EXTERN u_int8_t *varpre_get_number_bits(size_t *, u_int8_t *);
+EXTERN u_int8_t *BN_varpre2bn(u_int8_t *, size_t, BIGNUM *);
+EXTERN int BN_bn2varpre(BIGNUM *, u_int8_t *, size_t *);
+
+EXTERN int exchange_set_generator(BIGNUM *, u_int8_t *, u_int8_t *);
+EXTERN int exchange_check_value(BIGNUM *, BIGNUM *, BIGNUM *);
+EXTERN int exchange_make_values(struct stateob *, BIGNUM *, BIGNUM *);
EXTERN int exchange_value_generate(struct stateob *, u_int8_t *, u_int16_t *);
#endif
diff --git a/sbin/photurisd/handle_cookie_response.c b/sbin/photurisd/handle_cookie_response.c
index 03650e074cd..c5e897d649b 100644
--- a/sbin/photurisd/handle_cookie_response.c
+++ b/sbin/photurisd/handle_cookie_response.c
@@ -34,7 +34,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: handle_cookie_response.c,v 1.1 1998/11/14 23:37:23 deraadt Exp $";
+static char rcsid[] = "$Id: handle_cookie_response.c,v 1.2 2000/12/11 02:16:50 provos Exp $";
#endif
#include <stdio.h>
@@ -91,15 +91,15 @@ handle_cookie_response(u_char *packet, int size,
/* Check scheme size */
p = COOKIE_RESPONSE_SCHEMES(header);
i = 0;
- while(i<size-COOKIE_RESPONSE_MIN) {
+ while (i < size - COOKIE_RESPONSE_MIN) {
if ((n = scheme_get_len(p + i)) == 0)
break;
i += n;
}
- if (i != size-COOKIE_RESPONSE_MIN) {
+ if (i != size - COOKIE_RESPONSE_MIN) {
log_error(0, "schemes corrupt in handle_cookie_response()");
- return -1; /* Size didn't match UDP size */
+ return (-1); /* Size didn't match UDP size */
}
/* Copy responder cookies and offered schemes */
diff --git a/sbin/photurisd/handle_value_request.c b/sbin/photurisd/handle_value_request.c
index 18ad6d5e95f..e3f5bb13088 100644
--- a/sbin/photurisd/handle_value_request.c
+++ b/sbin/photurisd/handle_value_request.c
@@ -34,7 +34,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: handle_value_request.c,v 1.2 1999/12/17 18:57:03 deraadt Exp $";
+static char rcsid[] = "$Id: handle_value_request.c,v 1.3 2000/12/11 02:16:50 provos Exp $";
#endif
#include <stdio.h>
@@ -44,6 +44,7 @@ static char rcsid[] = "$Id: handle_value_request.c,v 1.2 1999/12/17 18:57:03 der
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#include <ssl/bn.h>
#include "config.h"
#include "photuris.h"
#include "packets.h"
@@ -75,9 +76,10 @@ handle_value_request(u_char *packet, int size,
};
struct value_request *header;
struct stateob *st;
- mpz_t test, gen, mod;
+ BIGNUM *test, *gen, *mod;
u_int8_t *p, *modp, *refp, *genp = NULL;
- u_int16_t sstart, vsize, modsize, modflag;
+ size_t sstart, vsize, modsize, modpsize, refpsize;
+ int modflag;
u_int8_t scheme_ref[2];
u_int8_t rcookie[COOKIE_SIZE];
@@ -121,26 +123,31 @@ handle_value_request(u_char *packet, int size,
modflag = 0;
refp = modp = NULL;
*(u_int16_t *)scheme_ref = htons(scheme_get_ref(header->scheme));
- while(sstart < ssize) {
- p = scheme_get_mod(schemes+sstart);
+ while (sstart < ssize) {
+ p = scheme_get_mod(schemes + sstart);
modsize = varpre2octets(p);
if (!bcmp(header->scheme, schemes + sstart, 2)) {
modflag = 1;
if (modsize == vsize) {
genp = scheme_get_gen(schemes+sstart);
modp = p;
+ modpsize = modsize;
break; /* On right scheme + right size */
} else if (modsize <= 2 && refp != NULL) {
- modp = refp;
+ modp = refp;
+ modpsize = refpsize;
break;
}
- } else if (!bcmp(scheme_ref, schemes + sstart,2 ) && modsize == vsize) {
- genp = scheme_get_gen(schemes+sstart);
+ } else if (!bcmp(scheme_ref, schemes + sstart, 2) &&
+ modsize == vsize) {
+ genp = scheme_get_gen(schemes + sstart);
if (modflag) {
modp = p;
+ modpsize = modsize;
break;
}
refp = p;
+ refpsize = modsize;
}
sstart += scheme_get_len(schemes+sstart);
@@ -149,19 +156,30 @@ handle_value_request(u_char *packet, int size,
return -1; /* Did not find a scheme - XXX log */
/* now check the exchange value */
- mpz_init_set_varpre(test, parts[0].where);
- mpz_init_set_varpre(mod, modp);
- mpz_init(gen);
+ test = BN_new();
+ if (BN_varpre2bn(parts[0].where, parts[0].size, test) == NULL) {
+ BN_free(test);
+ return (-1);
+ }
+
+ mod = BN_new();
+ if (BN_varpre2bn(modp, modpsize, mod) == NULL) {
+ BN_free(test);
+ BN_free(mod);
+ return (-1);
+ }
+
+ gen = BN_new();
if (exchange_set_generator(gen, header->scheme, genp) == -1 ||
!exchange_check_value(test, gen, mod)) {
- mpz_clear(test);
- mpz_clear(gen);
- mpz_clear(mod);
+ BN_free(test);
+ BN_free(gen);
+ BN_free(mod);
return 0;
}
- mpz_clear(test);
- mpz_clear(gen);
- mpz_clear(mod);
+ BN_free(test);
+ BN_free(gen);
+ BN_free(mod);
if ((st = state_new()) == NULL)
return -1;
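Review bot: None of the three `BN_new()` results in this block is checked before use; `BN_varpre2bn` starts with `BN_zero(a)` and `exchange_set_generator` calls `BN_set_word(generator, ...)`, so an allocation failure while handling a value request becomes a NULL dereference in the daemon. A check such as `if ((test = BN_new()) == NULL) return (-1);` after each allocation, freeing what was already allocated, keeps the handler on its normal error path. The cleanup sequence is now written out four times; a single exit label that frees `test`, `mod` and `gen` would make it harder to miss one when the next check is added. handle_value_request starts and ends outside this hunk.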
diff --git a/sbin/photurisd/handle_value_response.c b/sbin/photurisd/handle_value_response.c
index cd07867fa9a..61769b4a456 100644
--- a/sbin/photurisd/handle_value_response.c
+++ b/sbin/photurisd/handle_value_response.c
@@ -34,7 +34,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: handle_value_response.c,v 1.1 1998/11/14 23:37:24 deraadt Exp $";
+static char rcsid[] = "$Id: handle_value_response.c,v 1.2 2000/12/11 02:16:50 provos Exp $";
#endif
#include <stdlib.h>
@@ -73,7 +73,7 @@ handle_value_response(u_char *packet, int size, char *address,
};
struct value_response *header;
struct stateob *st;
- mpz_t test;
+ BIGNUM *test;
if (size < VALUE_RESPONSE_MIN)
return -1; /* packet too small */
@@ -93,12 +93,13 @@ handle_value_response(u_char *packet, int size, char *address,
return -1; /* We don't want this packet */
/* Now check the exchange value for defects */
- mpz_init_set_varpre(test, parts[0].where);
+ test = BN_new();
+ BN_varpre2bn(parts[0].where, parts[0].size, test);
if (!exchange_check_value(test, st->generator, st->modulus)) {
- mpz_clear(test);
+ BN_clear_free(test);
return 0;
}
- mpz_clear(test);
+ BN_clear_free(test);
/* Reserved Field for TBV */
bcopy(header->reserved, st->uSPITBV, 3);
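Review bot: `BN_varpre2bn(parts[0].where, parts[0].size, test)` is called without checking its result here, while handle_value_request in the same commit rejects the packet when it returns NULL. A malformed exchange value is currently refused only indirectly, because the helper leaves `test` at zero and `exchange_check_value` turns down short values. Make the rejection explicit with `if (BN_varpre2bn(parts[0].where, parts[0].size, test) == NULL) { BN_clear_free(test); return (-1); }`, and check `test = BN_new()` for NULL before that. The function continues outside the hunk.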
diff --git a/sbin/photurisd/identity.c b/sbin/photurisd/identity.c
index 3b3ad455c3b..2135a97d3bb 100644
--- a/sbin/photurisd/identity.c
+++ b/sbin/photurisd/identity.c
@@ -33,7 +33,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: identity.c,v 1.1 1998/11/14 23:37:25 deraadt Exp $";
+static char rcsid[] = "$Id: identity.c,v 1.2 2000/12/11 02:16:50 provos Exp $";
#endif
#define _IDENTITY_C_
@@ -50,7 +50,7 @@ static char rcsid[] = "$Id: identity.c,v 1.1 1998/11/14 23:37:25 deraadt Exp $";
#include <netinet/in.h>
#include <arpa/inet.h>
#include <md5.h>
-#include <gmp.h>
+#include <ssl/bn.h>
#include <sha1.h>
#include "config.h"
#include "photuris.h"
diff --git a/sbin/photurisd/kernel.c b/sbin/photurisd/kernel.c
index 8a70af9c720..fba0e02469e 100644
--- a/sbin/photurisd/kernel.c
+++ b/sbin/photurisd/kernel.c
@@ -39,7 +39,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: kernel.c,v 1.7 2000/08/25 05:16:46 angelos Exp $";
+static char rcsid[] = "$Id: kernel.c,v 1.8 2000/12/11 02:16:50 provos Exp $";
#endif
#include <time.h>
@@ -295,13 +295,19 @@ kernel_xf_read(int sd, char *buffer, int blen, int seq)
perror("read() in kernel_xf_read()");
return 0;
}
- } while ((seq && sres->sadb_msg_seq != seq) ||
- (sres->sadb_msg_pid && sres->sadb_msg_pid != pfkey_pid));
+ } while (seq && (sres->sadb_msg_seq != seq ||
+ (sres->sadb_msg_pid && sres->sadb_msg_pid != pfkey_pid)
+ ));
+
if (sres->sadb_msg_errno) {
log_error(0, "kernel_xf_read: PFKEYV2 result: %s",
strerror(sres->sadb_msg_errno));
return 0;
}
+
+ if (sres->sadb_msg_pid && sres->sadb_msg_pid != pfkey_pid)
+ return (0);
+
return 1;
}
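Review bot: The new pid test sits after the `sadb_msg_errno` check, so a PF_KEY message addressed to another process that carries an error is logged through `log_error` as if it were this daemon's result before being discarded. Moving `if (sres->sadb_msg_pid && sres->sadb_msg_pid != pfkey_pid) return (0);` above the errno block avoids the misleading log entry. With `seq == 0` the loop now exits after a single read whatever the pid, and the function returns 0 for a foreign message instead of reading the next one. If that is intended for unsolicited kernel messages, a comment on the `while` condition should say so, since 0 is also the read-failure return. The start of kernel_xf_read is outside the hunk.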
diff --git a/sbin/photurisd/modulus.c b/sbin/photurisd/modulus.c
index c0bbd91277d..0ab232c7983 100644
--- a/sbin/photurisd/modulus.c
+++ b/sbin/photurisd/modulus.c
@@ -40,7 +40,7 @@
#include <stdlib.h>
#include <time.h>
-#include <gmp.h>
+#include <ssl/bn.h>
#include "config.h"
#include "modulus.h"
#include "errlog.h"
@@ -99,27 +99,30 @@ mod_check_prime(int iter, int tm)
struct moduli_cache *p = modob, *tmp;
time_t now;
int flag;
+ BN_CTX *ctx;
#ifdef DEBUG
char *hex;
#endif
+ ctx = BN_CTX_new();
+
now = time(NULL);
- while(p != NULL && (tm == 0 || (time(NULL) - now < tm))) {
+ while (p != NULL && (tm == 0 || (time(NULL) - now < tm))) {
if (p->iterations < MOD_PRIME_MAX &&
(p->status == MOD_UNUSED || p->status == MOD_COMPUTING)) {
#ifdef DEBUG
- hex = mpz_get_str(NULL, 16, p->modulus);
+ hex = BN_bn2hex(p->modulus);
printf(" Checking 0x%s for primality: ", hex);
fflush(stdout);
free(hex);
#endif
- flag = mpz_probab_prime_p(p->modulus, iter);
+ flag = BN_is_prime(p->modulus, iter, NULL, ctx, NULL);
if (!flag)
log_error(0, "found a non prime in mod_check_prime()");
tmp = mod_find_modulus(p->modulus);
- while(tmp != NULL) {
+ while (tmp != NULL) {
if (!flag) {
tmp->status = MOD_NOTPRIME;
tmp->lifetime = now + 2*MOD_TIMEOUT;
@@ -154,19 +157,21 @@ mod_check_prime(int iter, int tm)
}
p = p->next;
}
+
+ BN_CTX_free(ctx);
}
struct moduli_cache *
-mod_new_modgen(mpz_t m, mpz_t g)
+mod_new_modgen(BIGNUM *m, BIGNUM *g)
{
struct moduli_cache *p;
if((p = calloc(1, sizeof(struct moduli_cache)))==NULL)
return NULL;
- mpz_init_set(p->modulus,m);
- mpz_init_set(p->generator,g);
- mpz_init(p->private_value);
+ p->modulus = BN_new(); BN_copy(p->modulus, m);
+ p->generator = BN_new(); BN_copy(p->generator, g);
+ p->private_value = BN_new();
/* XXX - change lifetime later */
p->lifetime = time(NULL) + MOD_TIMEOUT;
@@ -176,14 +181,14 @@ mod_new_modgen(mpz_t m, mpz_t g)
}
struct moduli_cache *
-mod_new_modulus(mpz_t m)
+mod_new_modulus(BIGNUM *m)
{
struct moduli_cache *tmp;
- mpz_t generator;
- mpz_init(generator);
+ BIGNUM *generator;
+ generator = BN_new();
tmp = mod_new_modgen(m, generator);
- mpz_clear(generator);
+ BN_clear_free(generator);
return tmp;
}
@@ -191,9 +196,9 @@ mod_new_modulus(mpz_t m)
int
mod_value_reset(struct moduli_cache *ob)
{
- mpz_clear(ob->private_value);
- mpz_clear(ob->modulus);
- mpz_clear(ob->generator);
+ BN_clear_free(ob->private_value);
+ BN_clear_free(ob->modulus);
+ BN_clear_free(ob->generator);
if (ob->exchangevalue != NULL)
free(ob->exchangevalue);
@@ -206,7 +211,8 @@ mod_value_reset(struct moduli_cache *ob)
*/
struct moduli_cache *
-mod_find_modgen_next(struct moduli_cache *ob, mpz_t modulus, mpz_t generator)
+mod_find_modgen_next(struct moduli_cache *ob, BIGNUM *modulus,
+ BIGNUM *generator)
{
struct moduli_cache *tmp = ob;
@@ -216,9 +222,9 @@ mod_find_modgen_next(struct moduli_cache *ob, mpz_t modulus, mpz_t generator)
tmp = tmp->next;
while(tmp!=NULL) {
- if((!mpz_cmp_ui(generator,0) ||
- !mpz_cmp(tmp->generator,generator)) &&
- (!mpz_cmp_ui(modulus,0) || !mpz_cmp(modulus,tmp->modulus)))
+ if((BN_is_zero(generator) ||
+ !BN_cmp(tmp->generator, generator)) &&
+ (BN_is_zero(modulus) || !BN_cmp(modulus, tmp->modulus)))
return tmp;
tmp = tmp->next;
}
@@ -226,59 +232,59 @@ mod_find_modgen_next(struct moduli_cache *ob, mpz_t modulus, mpz_t generator)
}
struct moduli_cache *
-mod_find_modgen(mpz_t modulus, mpz_t generator)
+mod_find_modgen(BIGNUM *modulus, BIGNUM *generator)
{
return mod_find_modgen_next(NULL, modulus, generator);
}
struct moduli_cache *
-mod_find_generator_next(struct moduli_cache *ob, mpz_t generator)
+mod_find_generator_next(struct moduli_cache *ob, BIGNUM *generator)
{
struct moduli_cache *tmp;
- mpz_t modulus;
+ BIGNUM *modulus;
- mpz_init(modulus); /* Is set to zero by init */
+ modulus = BN_new(); /* Is set to zero by init */
tmp = mod_find_modgen_next(ob, modulus, generator);
- mpz_clear(modulus);
+ BN_clear_free(modulus);
return tmp;
}
struct moduli_cache *
-mod_find_generator(mpz_t generator)
+mod_find_generator(BIGNUM *generator)
{
struct moduli_cache *tmp;
- mpz_t modulus;
+ BIGNUM *modulus;
- mpz_init(modulus); /* Is set to zero by init */
+ modulus = BN_new(); /* Is set to zero by init */
tmp = mod_find_modgen(modulus,generator);
- mpz_clear(modulus);
+ BN_clear_free(modulus);
return tmp;
}
struct moduli_cache *
-mod_find_modulus_next(struct moduli_cache *ob, mpz_t modulus)
+mod_find_modulus_next(struct moduli_cache *ob, BIGNUM *modulus)
{
struct moduli_cache *tmp;
- mpz_t generator;
+ BIGNUM *generator;
- mpz_init(generator); /* Is set to zero by init */
+ generator = BN_new(); /* Is set to zero by init */
tmp = mod_find_modgen_next(ob, modulus, generator);
- mpz_clear(generator);
+ BN_clear_free(generator);
return tmp;
}
struct moduli_cache *
-mod_find_modulus(mpz_t modulus)
+mod_find_modulus(BIGNUM *modulus)
{
struct moduli_cache *tmp;
- mpz_t generator;
+ BIGNUM *generator;
- mpz_init(generator); /* Is set to zero by init */
+ generator = BN_new(); /* Is set to zero by init */
tmp = mod_find_modgen(modulus,generator);
- mpz_clear(generator);
+ BN_clear_free(generator);
return tmp;
}
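Review bot: The carried-over comment `/* Is set to zero by init */` no longer names anything in the code and does not say why a zero value matters. The reason is visible in mod_find_modgen_next(), where `BN_is_zero(generator)` or `BN_is_zero(modulus)` makes that argument match every cache entry. I would replace the comment in all four helpers with `/* BN_new() yields zero, which mod_find_modgen_next() treats as "match any" */`. The four helpers also repeat the same allocate/lookup/free sequence, so a single static zero-valued BIGNUM would remove a heap allocation per lookup, though that is optional.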
diff --git a/sbin/photurisd/modulus.h b/sbin/photurisd/modulus.h
index bf76b4cae49..d914689d562 100644
--- a/sbin/photurisd/modulus.h
+++ b/sbin/photurisd/modulus.h
@@ -27,7 +27,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* $Id: modulus.h,v 1.1 1998/11/14 23:37:25 deraadt Exp $ */
+/* $Id: modulus.h,v 1.2 2000/12/11 02:16:50 provos Exp $ */
/*
* modulus.h:
* modulus handling functions
@@ -60,32 +60,33 @@
#define MOD_TIMEOUT 120
struct moduli_cache {
- struct moduli_cache *next; /* Link to next member */
- mpz_t modulus; /* Modulus for computation */
- mpz_t generator; /* Used generator */
- mpz_t private_value; /* Our own private value */
- u_int8_t *exchangevalue; /* Our own exchange value */
- u_int16_t exchangesize;
- int iterations; /* primality check iterations */
- int status; /* Status of the modulus */
- time_t lifetime; /* For modulus + exchange value */
+ struct moduli_cache *next; /* Link to next member */
+ BIGNUM *modulus; /* Modulus for computation */
+ BIGNUM *generator; /* Used generator */
+ BIGNUM *private_value; /* Our own private value */
+ u_int8_t *exchangevalue; /* Our own exchange value */
+ size_t exchangesize;
+ int iterations; /* primality check iterations */
+ int status; /* Status of the modulus */
+ time_t lifetime; /* For modulus + exchange value */
};
/* Prototypes */
int mod_insert(struct moduli_cache *ob);
int mod_unlink(struct moduli_cache *ob);
-struct moduli_cache *mod_new_modgen(mpz_t m, mpz_t g);
-struct moduli_cache *mod_new_modulus(mpz_t m);
+struct moduli_cache *mod_new_modgen(BIGNUM *, BIGNUM *);
+struct moduli_cache *mod_new_modulus(BIGNUM *);
int mod_value_reset(struct moduli_cache *ob);
-struct moduli_cache *mod_find_modgen(mpz_t modulus, mpz_t generator);
-struct moduli_cache *mod_find_modgen_next(struct moduli_cache *ob, mpz_t modulus, mpz_t generator);
-struct moduli_cache *mod_find_modulus(mpz_t modulus);
-struct moduli_cache *mod_find_generator(mpz_t generator);
-struct moduli_cache *mod_find_modulus_next(struct moduli_cache *ob, mpz_t modulus);
-struct moduli_cache *mod_find_generator_next(struct moduli_cache *ob, mpz_t generator);
+struct moduli_cache *mod_find_modgen(BIGNUM *, BIGNUM *);
+struct moduli_cache *mod_find_modgen_next(struct moduli_cache *, BIGNUM *,
+ BIGNUM *);
+struct moduli_cache *mod_find_modulus(BIGNUM *);
+struct moduli_cache *mod_find_generator(BIGNUM *);
+struct moduli_cache *mod_find_modulus_next(struct moduli_cache *, BIGNUM *);
+struct moduli_cache *mod_find_generator_next(struct moduli_cache *, BIGNUM *);
void mod_check_prime(int iter, int tm);
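Review bot: The rewritten prototypes drop their parameter names, so `mod_new_modgen(BIGNUM *, BIGNUM *)` and `mod_find_modgen(BIGNUM *, BIGNUM *)` no longer say which argument is the modulus and which the generator. Both arguments have the same type, so a swapped call compiles without a warning. Keeping the names, as in `struct moduli_cache *mod_new_modgen(BIGNUM *modulus, BIGNUM *generator);`, would also match the untouched prototypes such as `mod_insert(struct moduli_cache *ob)`. The new `size_t exchangesize;` member has also lost the trailing comment its neighbours carry; `/* Length of exchangevalue in octets */` would fit, if that is what it holds.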
diff --git a/sbin/photurisd/scheme.c b/sbin/photurisd/scheme.c
index dc32ceb02ff..d50904bf127 100644
--- a/sbin/photurisd/scheme.c
+++ b/sbin/photurisd/scheme.c
@@ -33,7 +33,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: scheme.c,v 1.1 1998/11/14 23:37:28 deraadt Exp $";
+static char rcsid[] = "$Id: scheme.c,v 1.2 2000/12/11 02:16:50 provos Exp $";
#endif
#define _SCHEME_C_
@@ -119,7 +119,7 @@ scheme_get_mod(u_int8_t *scheme)
size_t
scheme_get_len(u_int8_t *scheme)
{
- return 2 + varpre2octets(scheme+2);
+ return 2 + varpre2octets(scheme + 2);
}
u_int16_t
@@ -151,41 +151,30 @@ scheme_get_ref(u_int8_t *scheme)
size_t
varpre2octets(u_int8_t *varpre)
{
- int blocks, header;
- size_t size;
- mpz_t offset, a;
+ int blocks, header;
+ size_t size;
- mpz_init(offset);
- mpz_init(a);
+ /* XXX - only support a few octets at the moment */
+ if(varpre[0] == 255 && varpre[1] == 255)
+ return (0);
+
+ size = 0;
+ if (varpre[0] == 255) {
+ blocks = 3;
+ varpre++;
+ size = 65280;
+ header = 4;
+ } else {
+ header = 2;
+ blocks = 2;
+ }
- /* XXX - only support a few octets at the moment */
+ while (blocks--) {
+ size = (size << 8) + *varpre;
+ varpre++;
+ }
+ size = (size + 7) / 8;
- if(*varpre == 255 && *(varpre+1) == 255) {
- blocks = 6;
- varpre += 2;
- mpz_set_ui(offset, 16776960);
- header = 8;
- } else if (*varpre == 255) {
- blocks = 3;
- varpre++;
- mpz_set_ui(offset, 65280);
- header = 4;
- } else {
- header = 2;
- blocks = 2;
- }
-
- while(blocks--) {
- mpz_mul_ui(a, a, 256);
- mpz_add_ui(a, a, *varpre);
- varpre++;
- }
- mpz_add(offset, offset, a);
- mpz_cdiv_q_ui(offset, offset, 8);
- size = mpz_get_ui(offset) + header;
- mpz_clear(offset);
- mpz_clear(a);
-
- return size;
+ return (size + header);
}
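Review bot: In the `varpre[0] == 255` branch the 65280 offset is stored in `size` before the accumulation loop, so the three `size = (size << 8) + *varpre` steps shift it left by 24 bits. The removed code instead added it to the decoded value with `mpz_add(offset, offset, a)`. Depending on the width of size_t the offset is either shifted out entirely or becomes a very large length, and this length is decoded from the scheme bytes, which presumably come from the peer. Keeping the offset separate restores the old arithmetic: declare `size_t size, offset = 0;`, set `offset = 65280;` in the branch, and use `size = (size + offset + 7) / 8;` after the loop. The new `return (0)` for a 255,255 prefix also deserves a comment, because scheme_get_len() then reports 2 and callers may not expect a zero-length field.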
diff --git a/sbin/photurisd/secrets.h b/sbin/photurisd/secrets.h
index 247bf48d52b..264bc2346d6 100644
--- a/sbin/photurisd/secrets.h
+++ b/sbin/photurisd/secrets.h
@@ -27,7 +27,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* $Id: secrets.h,v 1.1 1998/11/14 23:37:28 deraadt Exp $ */
+/* $Id: secrets.h,v 1.2 2000/12/11 02:16:50 provos Exp $ */
/*
* secrets.h:
* prototypes for compute_secrets.c
@@ -48,7 +48,7 @@
#define EXTERN extern
#endif
-EXTERN int compute_shared_secret(struct stateob *, u_int8_t **, u_int16_t *);
+EXTERN int compute_shared_secret(struct stateob *, u_int8_t **, size_t *);
EXTERN int compute_session_key(struct stateob *st, u_int8_t *key,
u_int8_t *attribute, int owner,
u_int16_t *order);
diff --git a/sbin/photurisd/server.c b/sbin/photurisd/server.c
index fbeff3f9636..c9558334e6e 100644
--- a/sbin/photurisd/server.c
+++ b/sbin/photurisd/server.c
@@ -35,7 +35,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: server.c,v 1.1 1998/11/14 23:37:28 deraadt Exp $";
+static char rcsid[] = "$Id: server.c,v 1.2 2000/12/11 02:16:50 provos Exp $";
#endif
#define _SERVER_C_
@@ -269,7 +269,7 @@ server(void)
memset((void *)normfds, 0, size);
- for (i=0; i<num_ifs; i++)
+ for (i = 0; i < num_ifs; i++)
FD_SET(sockets[i], normfds);
while (1) {
@@ -299,27 +299,23 @@ server(void)
else
#endif
if (addresses[i] == NULL)
- process_api(sockets[i], global_socket);
- else if (strcmp("127.0.0.1", inet_ntoa(sin.sin_addr))) {
- d = sizeof(struct sockaddr_in);
- if (recvfrom(sockets[i],
+ process_api(sockets[i], global_socket);
+ else {
+ d = sizeof(struct sockaddr_in);
+ if (recvfrom(sockets[i],
#ifdef BROKEN_RECVFROM
- (char *) buffer, 1,
+ (char *) buffer, 1,
#else
- (char *) NULL, 0,
+ (char *) NULL, 0,
#endif
- MSG_PEEK,
- (struct sockaddr *) &sin, &d) == -1) {
- log_error(1, "recvfrom() in server()");
- return -1;
- }
- handle_packet(sockets[i], addresses[i]);
- } else {
- /* XXX - flush it. APUE */
- d = sizeof(struct sockaddr_in);
- recvfrom(sockets[i], (char *)buffer, BUFFER_SIZE, 0,
- (struct sockaddr *) &sin, &d);
- }
+ MSG_PEEK,
+ (struct sockaddr *)&sin,
+ &d) == -1) {
+ log_error(1, "recvfrom() in server()");
+ return -1;
+ }
+ handle_packet(sockets[i], addresses[i]);
+ }
}
}
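Review bot: Datagrams with a 127.0.0.1 source are no longer flushed and dropped in the `else` branch; every non-API socket now goes from the MSG_PEEK recvfrom() to handle_packet(), and nothing in the hunk records why the filter was removed. In the visible lines the old comparison read `sin` before the recvfrom() that fills it, which may be the reason. A short comment above the `else` should give that reason and name where self-addressed packets are rejected now, if anywhere. On the same lines, `return -1` after a failed recvfrom() leaves server() on a single socket error; logging and continuing may be safer for a UDP daemon, but the enclosing loop starts and ends outside this hunk, so that needs checking against the full function.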
diff --git a/sbin/photurisd/state.c b/sbin/photurisd/state.c
index fe60213d6b2..d97e83b4787 100644
--- a/sbin/photurisd/state.c
+++ b/sbin/photurisd/state.c
@@ -141,8 +141,8 @@ state_new(void)
if((p = calloc(1, sizeof(struct stateob)))==NULL)
return NULL;
- mpz_init(p->modulus);
- mpz_init(p->generator);
+ p->modulus = BN_new();
+ p->generator = BN_new();
p->exchange_lifetime = exchange_lifetime;
p->spi_lifetime = spi_lifetime;
@@ -153,8 +153,8 @@ state_new(void)
int
state_value_reset(struct stateob *ob)
{
- mpz_clear(ob->modulus);
- mpz_clear(ob->generator);
+ BN_clear_free(ob->modulus);
+ BN_clear_free(ob->generator);
if (ob->texchange != NULL)
free(ob->texchange);
diff --git a/sbin/photurisd/state.h b/sbin/photurisd/state.h
index 01f0e8f1bbb..a43dd63b20e 100644
--- a/sbin/photurisd/state.h
+++ b/sbin/photurisd/state.h
@@ -27,7 +27,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* $Id: state.h,v 1.2 1999/12/17 18:57:03 deraadt Exp $ */
+/* $Id: state.h,v 1.3 2000/12/11 02:16:51 provos Exp $ */
/*
* state.h:
* state object
@@ -38,7 +38,7 @@
#include <sys/socket.h>
#include <netinet/in.h>
-#include <gmp.h>
+#include <ssl/bn.h>
#include <time.h>
#include "userdefs.h"
#ifdef NEED_UTYPES
@@ -119,18 +119,18 @@ struct stateob {
void *uSPIprivacyctx;
time_t ulifetime; /* User SPI lifetime */
- mpz_t modulus; /* Modulus for look up in cache */
- mpz_t generator; /* Generator for look up in cache */
+ BIGNUM *modulus; /* Modulus for look up in cache */
+ BIGNUM *generator; /* Generator for look up in cache */
u_int8_t *texchange; /* Their exchange value */
- u_int16_t texchangesize;
+ size_t texchangesize;
u_int8_t *exchangevalue; /* Our exchange value */
- u_int16_t exchangesize;
+ size_t exchangesize;
u_int8_t *shared; /* Shared secret */
- u_int16_t sharedsize;
+ size_t sharedsize;
int retries; /* Number of retransmits */
u_int8_t *packet; /* Buffer for retransmits */
- u_int16_t packetlen;
+ size_t packetlen;
u_int8_t packetsig[16]; /* MD5 hash of an old packet */
time_t lifetime; /* Lifetime for the exchange */