On Thu, Jul 27, 2023 at 03:31:32PM +0200, Claudio Jeker wrote:
> Use ibuf_data() instead of direct access to ibuf->buf.
> In some cases use ibuf_add_buf().
>
> --
> :wq Claudio
ok tobhe@
>
> Index: crypto.c
> ===================================================================
> RCS file: /cvs/src/sbin/iked/crypto.c,v
> retrieving revision 1.44
> diff -u -p -r1.44 crypto.c
> --- crypto.c 6 Jun 2023 13:27:49 -0000 1.44
> +++ crypto.c 27 Jul 2023 13:28:59 -0000
> @@ -327,7 +327,7 @@ hash_free(struct iked_hash *hash)
> void
> hash_init(struct iked_hash *hash)
> {
> - HMAC_Init_ex(hash->hash_ctx, hash->hash_key->buf,
> + HMAC_Init_ex(hash->hash_ctx, ibuf_data(hash->hash_key),
> ibuf_length(hash->hash_key), hash->hash_priv, NULL);
> }
>
> @@ -572,7 +572,7 @@ cipher_init(struct iked_cipher *encr, in
> encr->encr_saltlength), encr->encr_saltlength);
> if (nonce == NULL)
> return (-1);
> - if (ibuf_add(nonce, ibuf_data(encr->encr_iv) ,
> ibuf_size(encr->encr_iv)) != 0)
> + if (ibuf_add_buf(nonce, encr->encr_iv) != 0)
> goto done;
> if (EVP_CipherInit_ex(encr->encr_ctx, NULL, NULL,
> ibuf_data(encr->encr_key), ibuf_data(nonce), enc) != 1)
> Index: dh.c
> ===================================================================
> RCS file: /cvs/src/sbin/iked/dh.c,v
> retrieving revision 1.32
> diff -u -p -r1.32 dh.c
> --- dh.c 3 Dec 2022 22:34:35 -0000 1.32
> +++ dh.c 27 Jul 2023 08:27:36 -0000
> @@ -401,7 +401,7 @@ dh_create_exchange(struct dh_group *grou
> if (buf == NULL)
> return -1;
> *bufp = buf;
> - return (group->exchange(group, buf->buf));
> + return (group->exchange(group, ibuf_data(buf)));
> }
>
> int
> @@ -419,7 +419,7 @@ dh_create_shared(struct dh_group *group,
> if (buf == NULL)
> return -1;
> *secretp = buf;
> - return (group->shared(group, buf->buf, exchange->buf));
> + return (group->shared(group, ibuf_data(buf), ibuf_data(exchange)));
> }
>
> int
> @@ -801,7 +801,7 @@ kemsx_create_exchange2(struct dh_group *
> buf = ibuf_new(NULL, need);
> if (buf == NULL)
> return -1;
> - cp = buf->buf;
> + cp = ibuf_data(buf);
> memcpy(cp, kemsx->public,
> crypto_kem_sntrup761_PUBLICKEYBYTES);
> cp += crypto_kem_sntrup761_PUBLICKEYBYTES;
> @@ -819,8 +819,8 @@ kemsx_create_exchange2(struct dh_group *
> buf = ibuf_new(NULL, need);
> if (buf == NULL)
> return -1;
> - cp = buf->buf;
> - pk = iexchange->buf;
> + cp = ibuf_data(buf);
> + pk = ibuf_data(iexchange);
> crypto_kem_sntrup761_enc(cp, kemsx->kemkey, pk);
> cp += crypto_kem_sntrup761_CIPHERTEXTBYTES;
> }
> @@ -850,7 +850,7 @@ kemsx_create_shared2(struct dh_group *gr
> return (-1);
>
> have = ibuf_size(exchange);
> - cp = exchange->buf;
> + cp = ibuf_data(exchange);
> if (kemsx->initiator) {
> /* input */
> need = crypto_kem_sntrup761_CIPHERTEXTBYTES +
> @@ -878,7 +878,7 @@ kemsx_create_shared2(struct dh_group *gr
> EVP_DigestInit_ex(ctx, EVP_sha512(), NULL) != 1 ||
> EVP_DigestUpdate(ctx, kemsx->kemkey, sizeof(kemsx->kemkey)) != 1 ||
> EVP_DigestUpdate(ctx, shared, sizeof(shared)) != 1 ||
> - EVP_DigestFinal_ex(ctx, buf->buf, &len) != 1) {
> + EVP_DigestFinal_ex(ctx, ibuf_data(buf), &len) != 1) {
> EVP_MD_CTX_free(ctx);
> ibuf_free(buf);
> return (-1);
> Index: ikev2.c
> ===================================================================
> RCS file: /cvs/src/sbin/iked/ikev2.c,v
> retrieving revision 1.374
> diff -u -p -r1.374 ikev2.c
> --- ikev2.c 18 Jul 2023 15:07:41 -0000 1.374
> +++ ikev2.c 27 Jul 2023 13:28:15 -0000
> @@ -5738,14 +5738,14 @@ ikev2_sa_keys(struct iked *env, struct i
>
> log_debug("%s: DHSECRET with %zu bytes", SPI_SA(sa, __func__),
> ibuf_length(dhsecret));
> - print_hex(dhsecret->buf, 0, ibuf_length(dhsecret));
> + print_hex(ibuf_data(dhsecret), 0, ibuf_length(dhsecret));
>
> if (!key) {
> /*
> * Set PRF key to generate SKEYSEED = prf(Ni | Nr, g^ir)
> */
> - if ((ninr = ibuf_new(sa->sa_inonce->buf, ilen)) == NULL ||
> - ibuf_add(ninr, sa->sa_rnonce->buf, rlen) != 0) {
> + if ((ninr = ibuf_new(ibuf_data(sa->sa_inonce), ilen)) == NULL ||
> + ibuf_add(ninr, ibuf_data(sa->sa_rnonce), rlen) != 0) {
> log_info("%s: failed to get nonce key buffer",
> SPI_SA(sa, __func__));
> goto done;
> @@ -5755,15 +5755,15 @@ ikev2_sa_keys(struct iked *env, struct i
> /*
> * Set PRF key to generate SKEYSEED = prf(key, g^ir | Ni | Nr)
> */
> - if (ibuf_add(dhsecret, sa->sa_inonce->buf, ilen) != 0 ||
> - ibuf_add(dhsecret, sa->sa_rnonce->buf, rlen) != 0) {
> + if (ibuf_add(dhsecret, ibuf_data(sa->sa_inonce), ilen) != 0 ||
> + ibuf_add(dhsecret, ibuf_data(sa->sa_rnonce), rlen) != 0) {
> log_info("%s: failed to get nonce key buffer",
> SPI_SA(sa, __func__));
> goto done;
> }
> }
>
> - if ((hash_setkey(prf, key->buf, ibuf_length(key))) == NULL) {
> + if ((hash_setkey(prf, ibuf_data(key), ibuf_length(key))) == NULL) {
> log_info("%s: failed to set prf key", SPI_SA(sa, __func__));
> goto done;
> }
> @@ -5776,11 +5776,11 @@ ikev2_sa_keys(struct iked *env, struct i
>
> tmplen = 0;
> hash_init(prf);
> - hash_update(prf, dhsecret->buf, ibuf_length(dhsecret));
> - hash_final(prf, skeyseed->buf, &tmplen);
> + hash_update(prf, ibuf_data(dhsecret), ibuf_length(dhsecret));
> + hash_final(prf, ibuf_data(skeyseed), &tmplen);
>
> log_debug("%s: SKEYSEED with %zu bytes", __func__, tmplen);
> - print_hex(skeyseed->buf, 0, tmplen);
> + print_hex(ibuf_data(skeyseed), 0, tmplen);
>
> if (ibuf_setsize(skeyseed, tmplen) == -1) {
> log_info("%s: failed to set keymaterial length",
> @@ -5800,8 +5800,8 @@ ikev2_sa_keys(struct iked *env, struct i
> ispi = htobe64(sa->sa_hdr.sh_ispi);
> rspi = htobe64(sa->sa_hdr.sh_rspi);
>
> - if ((s = ibuf_new(sa->sa_inonce->buf, ilen)) == NULL ||
> - ibuf_add(s, sa->sa_rnonce->buf, rlen) != 0 ||
> + if ((s = ibuf_new(ibuf_data(sa->sa_inonce), ilen)) == NULL ||
> + ibuf_add(s, ibuf_data(sa->sa_rnonce), rlen) != 0 ||
> ibuf_add(s, &ispi, sizeof(ispi)) != 0 ||
> ibuf_add(s, &rspi, sizeof(rspi)) != 0) {
> log_info("%s: failed to set S buffer",
> @@ -5810,7 +5810,7 @@ ikev2_sa_keys(struct iked *env, struct i
> }
>
> log_debug("%s: S with %zu bytes", SPI_SA(sa, __func__), ibuf_length(s));
> - print_hex(s->buf, 0, ibuf_length(s));
> + print_hex(ibuf_data(s), 0, ibuf_length(s));
>
> /*
> * Get the size of the key material we need and the number
> @@ -5850,29 +5850,31 @@ ikev2_sa_keys(struct iked *env, struct i
>
> log_debug("%s: SK_d with %zu bytes", __func__,
> ibuf_length(sa->sa_key_d));
> - print_hex(sa->sa_key_d->buf, 0, ibuf_length(sa->sa_key_d));
> + print_hex(ibuf_data(sa->sa_key_d), 0, ibuf_length(sa->sa_key_d));
> if (!isaead) {
> log_debug("%s: SK_ai with %zu bytes", __func__,
> ibuf_length(sa->sa_key_iauth));
> - print_hex(sa->sa_key_iauth->buf, 0,
> + print_hex(ibuf_data(sa->sa_key_iauth), 0,
> ibuf_length(sa->sa_key_iauth));
> log_debug("%s: SK_ar with %zu bytes", __func__,
> ibuf_length(sa->sa_key_rauth));
> - print_hex(sa->sa_key_rauth->buf, 0,
> + print_hex(ibuf_data(sa->sa_key_rauth), 0,
> ibuf_length(sa->sa_key_rauth));
> }
> log_debug("%s: SK_ei with %zu bytes", __func__,
> ibuf_length(sa->sa_key_iencr));
> - print_hex(sa->sa_key_iencr->buf, 0, ibuf_length(sa->sa_key_iencr));
> + print_hex(ibuf_data(sa->sa_key_iencr), 0,
> + ibuf_length(sa->sa_key_iencr));
> log_debug("%s: SK_er with %zu bytes", __func__,
> ibuf_length(sa->sa_key_rencr));
> - print_hex(sa->sa_key_rencr->buf, 0, ibuf_length(sa->sa_key_rencr));
> + print_hex(ibuf_data(sa->sa_key_rencr), 0,
> + ibuf_length(sa->sa_key_rencr));
> log_debug("%s: SK_pi with %zu bytes", __func__,
> ibuf_length(sa->sa_key_iprf));
> - print_hex(sa->sa_key_iprf->buf, 0, ibuf_length(sa->sa_key_iprf));
> + print_hex(ibuf_data(sa->sa_key_iprf), 0, ibuf_length(sa->sa_key_iprf));
> log_debug("%s: SK_pr with %zu bytes", __func__,
> ibuf_length(sa->sa_key_rprf));
> - print_hex(sa->sa_key_rprf->buf, 0, ibuf_length(sa->sa_key_rprf));
> + print_hex(ibuf_data(sa->sa_key_rprf), 0, ibuf_length(sa->sa_key_rprf));
>
> ret = 0;
>
> @@ -5930,33 +5932,33 @@ ikev2_prfplus(struct iked_hash *prf, str
>
> for (i = 0; i < rlen; i++) {
> if (t1 != NULL) {
> - t2 = ibuf_new(t1->buf, ibuf_length(t1));
> + t2 = ibuf_new(ibuf_data(t1), ibuf_length(t1));
> ibuf_free(t1);
> } else
> t2 = ibuf_new(NULL, 0);
> t1 = ibuf_new(NULL, hash_keylength(prf));
>
> - ibuf_add(t2, seed->buf, ibuf_length(seed));
> + ibuf_add_buf(t2, seed);
> pad = i + 1;
> ibuf_add(t2, &pad, 1);
>
> hash_init(prf);
> - hash_update(prf, t2->buf, ibuf_length(t2));
> - hash_final(prf, t1->buf, &hashlen);
> + hash_update(prf, ibuf_data(t2), ibuf_length(t2));
> + hash_final(prf, ibuf_data(t1), &hashlen);
>
> if (hashlen != hash_length(prf))
> fatalx("ikev2_prfplus: hash length mismatch");
>
> ibuf_free(t2);
> - ibuf_add(t, t1->buf, ibuf_length(t1));
> + ibuf_add_buf(t, t1);
>
> log_debug("%s: T%d with %zu bytes", __func__,
> pad, ibuf_length(t1));
> - print_hex(t1->buf, 0, ibuf_length(t1));
> + print_hex(ibuf_data(t1), 0, ibuf_length(t1));
> }
>
> log_debug("%s: Tn with %zu bytes", __func__, ibuf_length(t));
> - print_hex(t->buf, 0, ibuf_length(t));
> + print_hex(ibuf_data(t), 0, ibuf_length(t));
>
> ibuf_free(t1);
>
> Index: ikev2_msg.c
> ===================================================================
> RCS file: /cvs/src/sbin/iked/ikev2_msg.c,v
> retrieving revision 1.97
> diff -u -p -r1.97 ikev2_msg.c
> --- ikev2_msg.c 18 Jul 2023 15:07:41 -0000 1.97
> +++ ikev2_msg.c 27 Jul 2023 08:27:36 -0000
> @@ -448,7 +448,7 @@ ikev2_msg_encrypt(struct iked *env, stru
> log_debug("%s: padded length %zu", __func__, ibuf_size(src));
> print_hex(ibuf_data(src), 0, ibuf_size(src));
>
> - cipher_setkey(sa->sa_encr, encr->buf, ibuf_length(encr));
> + cipher_setkey(sa->sa_encr, ibuf_data(encr), ibuf_length(encr));
> cipher_setiv(sa->sa_encr, NULL, 0); /* XXX ivlen */
> if (cipher_init_encrypt(sa->sa_encr) == -1) {
> log_info("%s: error initiating cipher.", __func__);
> @@ -619,22 +619,23 @@ ikev2_msg_decrypt(struct iked *env, stru
> if ((tmp = ibuf_new(NULL, hash_keylength(sa->sa_integr))) ==
> NULL)
> goto done;
>
> - hash_setkey(sa->sa_integr, integr->buf, ibuf_length(integr));
> + hash_setkey(sa->sa_integr, ibuf_data(integr),
> + ibuf_length(integr));
> hash_init(sa->sa_integr);
> hash_update(sa->sa_integr, ibuf_data(msg),
> ibuf_size(msg) - integrlen);
> - hash_final(sa->sa_integr, tmp->buf, &tmplen);
> + hash_final(sa->sa_integr, ibuf_data(tmp), &tmplen);
>
> integrdata = ibuf_seek(src, integroff, integrlen);
> if (integrdata == NULL)
> goto done;
> - if (memcmp(tmp->buf, integrdata, integrlen) != 0) {
> + if (memcmp(ibuf_data(tmp), integrdata, integrlen) != 0) {
> log_debug("%s: integrity check failed", __func__);
> goto done;
> }
>
> log_debug("%s: integrity check succeeded", __func__);
> - print_hex(tmp->buf, 0, tmplen);
> + print_hex(ibuf_data(tmp), 0, tmplen);
>
> ibuf_free(tmp);
> tmp = NULL;
> @@ -648,7 +649,7 @@ ikev2_msg_decrypt(struct iked *env, stru
> goto done;
> }
>
> - cipher_setkey(sa->sa_encr, encr->buf, ibuf_length(encr));
> + cipher_setkey(sa->sa_encr, ibuf_data(encr), ibuf_length(encr));
> cipher_setiv(sa->sa_encr, ibuf_seek(src, ivoff, ivlen), ivlen);
> if (cipher_init_decrypt(sa->sa_encr) == -1) {
> log_info("%s: error initiating cipher.", __func__);
>
