keyexch, keymgmt: Include the peer's public key in the check hash.
[tripe]
/
keyexch.c
diff --git
a/keyexch.c
b/keyexch.c
index
ea4748e
..
f6786e0
100644
(file)
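--- a/keyexch.c
+++ b/keyexch.c
@@ -47,7 +47,7 @@
  *
  * %$r_A = g^{\rho_A}$% Alice's challenge
  * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
- * %$v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})$%
+ * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
  * Alice's challenge check value
  * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
  * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
@@ -367,7 +367,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc)
  } else {
  T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
  buf_init(&bb, buf_i, sizeof(buf_i));
- G_TOBUF(gg, &bb, kxc->r);
+ G_TORAW(gg, &bb, kxc->r);
  buf_flip(&bb);
  ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
  }
@@ -415,6 +415,7 @@ static ge *getreply(keyexch *kx, ge *c, mp *ck)
  G_EXP(gg, r, c, kpriv);
  h = GH_INIT(algs.h);
  HASH_STRING(h, "tripe-expected-reply");
+ hashge(h, kx->kpub);
  hashge(h, c);
  hashge(h, kx->c);
  hashge(h, r);
@@ -427,8 +428,12 @@ static ge *getreply(keyexch *kx, ge *c, mp *ck)
  trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(a));
  }))
  GH_DESTROY(h);
- G_EXP(gg, y, gg->g, a);
- ok = G_EQ(gg, y, c);
+ if (MP_CMP(a, >=, gg->r))
+ ok = 0;
+ else{
+ G_EXP(gg, y, gg->g, a);
+ ok = G_EQ(gg, y, c);
+ }
  if (!ok) {
  a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
  IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
@@ -553,6 +558,7 @@ static int dochallenge(keyexch *kx, unsigned msg, buf *b)
  h = GH_INIT(algs.h);
  HASH_STRING(h, "tripe-expected-reply");
+ hashge(h, kpub);
  hashge(h, kx->c);
  hashge(h, kxc->c);
  hashge(h, kx->rx);
@@ -757,7 +763,7 @@ static kxchal *matchreply(keyexch *kx, unsigned ty, const octet *hc_in,
  }
  buf_init(b, BBASE(&bb), BLEN(&bb));
  r = G_CREATE(gg);
- if (G_FROMBUF(gg, b, r)) {
+ if (G_FROMRAW(gg, b, r)) {
  a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
  goto bad;
  }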
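Review bot: In the second getreply hunk the out-of-range branch sets `ok = 0` without computing `y`, but the `if (!ok)` path that follows opens an `IF_TRACING` block whose body lies outside the hunk; if that block prints `y`, it would report a value never derived from `a`. The same `bad-expected-reply-log` warning now covers both a non-canonical exponent (`a >= gg->r`, where `gg->r` is presumably the group order) and a genuine challenge mismatch, so an operator reading the log cannot tell the two apart; a distinct token for the range failure would help triage. A one-line comment above the test, e.g. `/* Reject logs outside [0, r): only the canonical exponent is acceptable. */`, would record why the check exists. getreply begins and ends outside the hunk.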