X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/blobdiff_plain/bcd0f084cbca943179a4534c638e47aae29a80db..9317aa9290393480e8004bd443c38b5faa5f6f0c:/keyexch.c
diff --git a/keyexch.c b/keyexch.c
index ea4748e2..f6786e09 100644
--- a/keyexch.c
+++ b/keyexch.c
@@ -47,7 +47,7 @@
  *
  * %$r_A = g^{\rho_A}$% Alice's challenge
  * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
- * %$v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})$%
+ * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
  * Alice's challenge check value
  * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
  * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
@@ -367,7 +367,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc)
 } else {
 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
 buf_init(&bb, buf_i, sizeof(buf_i));
- G_TOBUF(gg, &bb, kxc->r);
+ G_TORAW(gg, &bb, kxc->r);
 buf_flip(&bb);
 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
 }
@@ -415,6 +415,7 @@ static ge *getreply(keyexch *kx, ge *c, mp *ck)
 G_EXP(gg, r, c, kpriv);
 h = GH_INIT(algs.h);
 HASH_STRING(h, "tripe-expected-reply");
+ hashge(h, kx->kpub);
 hashge(h, c);
 hashge(h, kx->c);
 hashge(h, r);
@@ -427,8 +428,12 @@ static ge *getreply(keyexch *kx, ge *c, mp *ck)
 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(a));
 }))
 GH_DESTROY(h);
- G_EXP(gg, y, gg->g, a);
- ok = G_EQ(gg, y, c);
+ if (MP_CMP(a, >=, gg->r))
+ ok = 0;
+ else{
+ G_EXP(gg, y, gg->g, a);
+ ok = G_EQ(gg, y, c);
+ }
 if (!ok) {
 a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
@@ -553,6 +558,7 @@ static int dochallenge(keyexch *kx, unsigned msg, buf *b)
 h = GH_INIT(algs.h);
 HASH_STRING(h, "tripe-expected-reply");
+ hashge(h, kpub);
 hashge(h, kx->c);
 hashge(h, kxc->c);
 hashge(h, kx->rx);
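Review bot: The `K` line kept as context at the end of this comment hunk, `%$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%`, writes the same term twice; the second is presumably Bob's side of the computation, so the line should read `%$K = r_B^{\rho_A} = r_A^{\rho_B} = g^{\rho_A\rho_B}$%`. The new `v_A` formula also introduces `a` into the hash without saying on this line which key it is; if `a` is defined as Alice's public key earlier in the comment (outside the hunk), a short parenthetical here would save the reader the lookup.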
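Review bot: The switch to `G_TORAW` in kxc_answer changes how the reply element is encoded before ks_encrypt, and nothing on the line records that the decoder in matchreply must use the matching `G_FROMRAW`; a comment such as `/* raw encoding: must match G_FROMRAW in matchreply() */` on the `G_TORAW` line would tie the two sites together. If the raw form differs on the wire from the buffer form, as the rename suggests, replies from peers still sending the previous encoding will be rejected as invalid, which is worth stating explicitly if that incompatibility is intended. kxc_answer's body starts and ends outside the hunk.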
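Review bot: The transcript hashed here, `hashge(h, kx->kpub)` followed by the two challenges and `r`, has to agree byte for byte with the one built in dochallenge (hunk @@ -553), where the key is `kpub` and the challenges are hashed in the opposite variable order (`kx->c` then `kxc->c`); the two orders line up only because the sites play opposite roles in the exchange, and neither site says so. A comment at both call sites naming the canonical order, e.g. `/* H(expected-reply, a, r_A, r_B, b^{rho_A}); keep in step with dochallenge() */` here and the mirror remark there, would make a future reordering visibly wrong. That `kx->kpub` is the peer's key and `kpub` the local one is inferred from the names only; the hunks do not show their definitions, and getreply's body starts and ends outside the hunk.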
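Review bot: `else{` on the new branch lacks the space used elsewhere in the file (`} else {` in the kxc_answer hunk), and the new range check carries no comment saying why a recovered log at or above `gg->r` is rejected rather than reduced; presumably the intent is to accept only the canonical representative so that a check value cannot be varied by adding multiples of the group order, but that is inferred rather than stated. Suggested lines: `if (MP_CMP(a, >=, gg->r)) /* log must be canonical: 0 <= a < r */`, `ok = 0;`, `else {`. getreply's body starts and ends outside the hunk, so where `y` is created and released is not visible here.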
@@ -757,7 +763,7 @@ static kxchal *matchreply(keyexch *kx, unsigned ty, const octet *hc_in, } buf_init(b, BBASE(&bb), BLEN(&bb)); r = G_CREATE(gg); - if (G_FROMBUF(gg, b, r)) { + if (G_FROMRAW(gg, b, r)) { a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END); goto bad; }
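Review bot: After `G_FROMRAW(gg, b, r)` succeeds the hunk treats `r` as usable, but decoding only proves that the bytes parse; nothing visible checks that `r` is an element of the intended group (Catacomb keeps that as a separate `G_CHECK` operation, if I recall its interface correctly) or that the decrypted reply carries no trailing bytes (`BLEFT(b)`). Both may well be done further down in matchreply, whose body starts and ends outside the hunk; if they are not, the membership check before `r` is used in any exponentiation is the one that matters, and a one-line comment at the decode saying where validation happens would settle the question for the next reader.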