uams: harden DHX2, DHX, SRP key exchange and session verifier

[rdmark]

DHX2: Zero-pad the DH prime p when serializing for the wire, matching the existing treatment of g and Ma. Also guard logincont2 and changepw_3 against being called before the shared key K is established by logincont1, preventing a NULL pointer dereference if a client skips the key exchange step.

DHX: Guard logincont and changepw against being called before the shared key K is established, preventing a NULL pointer dereference if the login step was skipped or failed. Also release K immediately after serializing it to the local key buffer, fixing a leak that left key material in memory indefinitely after authentication.

SRP: Check that the SRP session verifier is set before proceeding in srp_logincont, preventing a NULL pointer dereference if the login step was skipped or failed.

Inspired by bug fixes in afp-perl by Derrik Pates

[augmentcode]

🤖 Augment PR Summary

Summary: This PR hardens the DHX2 UAM key exchange by making wire serialization and state handling more robust.

Changes:

• Zero-pads the DH prime p during DHX2 setup so it is always serialized to a fixed PRIMEBITS/8 length, matching existing padding behavior for g and Ma.
• Adds guards in DHX2 logincont2 handlers to reject calls made before logincont1 established the shared key (K_MD5hash), preventing NULL dereferences.
• Adds a similar guard in the PAM variant’s changepw_3 to ensure the key exchange step completed before decrypting password buffers.

Technical Notes: The changes align wire formatting with Apple’s expectations and harden against clients that skip required exchange steps (inspired by afp-perl fixes).

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 1 suggestion posted.

Comment augment review to trigger a new review at any time.

[sonarqubecloud]

Quality Gate failed

Failed conditions
52.3% Duplication on New Code (required ≤ 14%)

See analysis details on SonarQube Cloud

[github-actions]

🔥 Spectest (AFP 3.4) - Flamegraph (AFP_ASSERT active)

Commit: 08a96e489505fee6d8f5cbcb0a75cec4a67a5f4f
Profiling: On-CPU sampling @ 1009 Hz (prime), DWARF call-graph, x86_64
Build: debugoptimized (-O2 -g -fno-omit-frame-pointer)
Total Runtime: 66s, Netatalk Code-time: 4.2%,
Stacks: 1913, SVG size: 1.2M

🔥 Open interactive Flamegraph (SVG)

📥 Download from artifacts →

🔝 Top 10 leaf functions

Function	Samples
finish_task_switch.isra.0	493557840
do_syscall_64	421209000
_raw_spin_unlock_irqrestore	298315080
__cp_end	181367640
srso_alias_safe_ret	80277480
__syscall_cp_c	49554000
x64_sys_call	46580760
find_get_block_common	36669960
dircache_process_deferred_chain	33696720
__schedule	29732400

[rdmark]

the heavy code repetition is a recurring concern with these UAMs -- we've had a few corner case bugs in the past because of this. I have been pondering alternative solutions: such as a static library with abstractions for the repeated logic, or maybe even merge the respective PAM and passwd libraries into one and make the authentication backend a runtime option.

[andylemin]

the heavy code repetition is a recurring concern with these UAMs -- we've had a few corner case bugs in the past because of this. I have been pondering alternative solutions: such as a static library with abstractions for the repeated logic, or maybe even merge the respective PAM and passwd libraries into one and make the authentication backend a runtime option.

Yes we should try to have shared code if we can - this is going to be prone to issues as you say, which is not a good thing for the front security layer