catcrypt security fix: sign metadata.

diff --git a/catcrypt.1 b/catcrypt.1
index 6803067..d4ef3e1 100644 (file)
--- a/catcrypt.1
+++ b/catcrypt.1
@@ -685,8 +685,9 @@ Use the first bits of the keystream to key a symmetric encryption
 scheme; use the next bits to key a message authentication code.
 .hP 4.
 If we're signing the message then extract 1024 bytes from the keystream,
-sign them, and emit a packet containing the signature.  The signature
-packet doesn't contain the signed message, just the signature.
+sign the header and public value, and the keystream bytes; emit a packet
+containing the signature.  The signature packet doesn't contain the
+signed message, just the signature.
 .hP 5.
 Split the message into blocks.  For each block, pick a random IV from
 the keystream, encrypt the block and emit a packet containing the

diff --git a/catcrypt.c b/catcrypt.c
index fdb8473..8468552 100644 (file)
--- a/catcrypt.c
+++ b/catcrypt.c
@@ -53,8 +53,6 @@
 #include "ectab.h"
 #include "ptab.h"
 
-/*----- Utilities ---------------------------------------------------------*/
-
 /*----- Static variables --------------------------------------------------*/
 
 static const char *keyring = "keyring";
@@ -75,12 +73,13 @@ static const char *keyring = "keyring";
  * MGF (or similar) to make a symmetric encryption and MAC key.
  *
  * If the message is signed, there comes a signature chunk.  The signature is
- * on the further output of the MGF.  This means that the recipient can
- * modify the message and still have a valid signature, so it's not useful
- * for proving things to other people; but it also means that the recipient
- * knows that the message is from someone who knows the hash, which limits
- * the possiblities to (a) whoever encrypted the message (good!) and (b)
- * whoever knows the recipient's private key.
+ * on the header and key-encapsulation chunks, and further output of the MGF.
+ * This means that the recipient can modify the message and still have a
+ * valid signature, so it's not useful for proving things to other people;
+ * but it also means that the recipient knows that the message is from
+ * someone who knows the hash, which limits the possiblities to (a) whoever
+ * encrypted the message (good!) and (b) whoever knows the recipient's
+ * private key.
  *
  * Then come message chunks.  Each one begins with a MAC over an implicit
  * sequence number and the ciphertext.  The final chunk's ciphertext is
@@ -231,6 +230,7 @@ static int encrypt(int argc, char *argv[])
   buf_putu32(&b, k->id);
   if (sk) buf_putu32(&b, sk->id);
   assert(BOK(&b));
+  if (s) GH_HASHBUF16(s->h, BBASE(&b), BLEN(&b));
   chunk_write(e, &b);
 
   /* --- Build the KEM chunk --- */
@@ -240,6 +240,7 @@ static int encrypt(int argc, char *argv[])
     die(EXIT_FAILURE, "failed to encapsulate key");
   buf_init(&b, d.buf, d.len);
   BSTEP(&b, d.len);
+  if (s) GH_HASHBUF16(s->h, BBASE(&b), BLEN(&b));
   chunk_write(e, &b);
 
   /* --- Write the signature chunk --- */
@@ -415,6 +416,15 @@ static int decrypt(int argc, char *argv[])
     if (verb) printf("FAIL malformed header: junk at end\n");
     exit(EXIT_FAILURE);
   }
+  if (sk) {
+    s = getsig(sk, "ccsig", 0);
+    if (!(f & f_nocheck) && verb && (err = s->ops->check(s)) != 0) {
+      dstr_reset(&d);
+      key_fulltag(sk, &d);
+      printf("WARN verification key %s fails check: %s\n", d.buf, err);
+    }
+    GH_HASHBUF16(s->h, BBASE(&b), BSZ(&b));
+  }
 
   /* --- Find the key --- */
 
@@ -427,15 +437,11 @@ static int decrypt(int argc, char *argv[])
     if (verb) printf("FAIL failed to decapsulate key\n");
     exit(EXIT_FAILURE);
   }
+  if (s) GH_HASHBUF16(s->h, d.buf, d.len);
 
   /* --- Verify the signature, if there is one --- */
 
   if (sk) {
-    s = getsig(sk, "ccsig", 0);
-    dstr_reset(&d);
-    key_fulltag(sk, &d);
-    if (!(f & f_nocheck) && verb && (err = s->ops->check(s)) != 0)
-      printf("WARN verification key %s fails check: %s\n", d.buf, err);
     dstr_reset(&d);
     dstr_ensure(&d, 1024);
     GC_ENCRYPT(cx, 0, d.buf, 1024);