site: Replace remote's caps after verifying MSG3
Previously we'd just `or' the new capability bits into
`st->remote_capabilities' prior to verification, with the rather
unfortunate result that an adversary could convince us that the remote
site has features which it doesn't, in fact, implement. At present, the
worst effect here is preventing key-exchange from completing, but it's
imaginable that future capability bits have worse effects.
Instead, (a) simply replace our idea of the remote site's capabilities
rather than accumulating a union of all mentioned capabilities, and (b)
do this /after/ verifying the signature on the message. (This is safe
because there's no mention of `st->remote_capabilities' in the
intervening code in `process_msg3', or in the common message-
verification code in `process_msg3_msg4'.)
Signed-off-by: Mark Wooding <mdw@distorted.org.uk>
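The two orderings described in the commit message, as an added stand-alone illustration that is not the project's own code: the message layout, the `toy_mac` "signature" (a keyed mixing function standing in for the real signature check), the `site_state` struct and the `CAP_*` bit names are all assumptions made here for the demo, and only the names `remote_capabilities` and the before/after processing order are taken from the message above. The "before" version ORs the claimed bits in before verifying, so a forged message leaves its bits behind even though it is rejected; the "after" version verifies first and then replaces, so a forgery changes nothing and a later genuine message with fewer bits is not silently unioned with the old ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed capability bits for the demo (not the project's real bit values). */
#define CAP_A      0x01u   /* a feature the remote site genuinely has */
#define CAP_B      0x02u   /* another genuine feature, used in a second message */
#define CAP_FORGED 0x80u   /* a bit an adversary claims but the peer lacks */

/* Constructed stand-in for a capability-bearing, signed key-exchange message. */
struct msg {
    uint32_t capabilities;
    uint32_t tag;           /* toy "signature" over capabilities */
};

/* Constructed stand-in for the per-site state; only remote_capabilities
   mirrors the field named in the commit message. */
struct site_state {
    uint32_t remote_capabilities;
    uint32_t key;           /* shared secret for the toy MAC */
};

/* Deliberately simple keyed mixer: NOT a real MAC, just enough to make
   "verified" and "forged" distinguishable in this demo. */
static uint32_t toy_mac(uint32_t key, uint32_t caps) {
    uint32_t x = caps ^ key;
    x ^= x >> 16; x *= 0x7feb352dU;
    x ^= x >> 15; x *= 0x846ca68bU;
    x ^= x >> 16;
    return x;
}

static bool verify(const struct site_state *st, const struct msg *m) {
    return toy_mac(st->key, m->capabilities) == m->tag;
}

/* BEFORE the fix: union the claimed bits in, then verify.  A rejected
   forgery still leaves its bits in remote_capabilities. */
bool process_caps_before(struct site_state *st, const struct msg *m) {
    st->remote_capabilities |= m->capabilities;
    return verify(st, m);
}

/* AFTER the fix: verify first, then replace (not accumulate). */
bool process_caps_after(struct site_state *st, const struct msg *m) {
    if (!verify(st, m))
        return false;
    st->remote_capabilities = m->capabilities;
    return true;
}

struct scenario_result {
    bool     forged_accepted;       /* did the forgery pass verification? */
    uint32_t caps_after_forged;     /* state after the forged message */
    uint32_t caps_after_second;     /* state after a second genuine message */
};

/* Drive one processing order through: genuine {A}, forged {A,FORGED},
   genuine {B}.  Returns the capability state observed along the way. */
struct scenario_result run_scenario(bool (*process)(struct site_state *,
                                                    const struct msg *)) {
    struct site_state st = { .remote_capabilities = 0, .key = 0xC0FFEE42u };
    struct scenario_result r;

    struct msg first = { .capabilities = CAP_A, .tag = 0 };
    first.tag = toy_mac(st.key, first.capabilities);
    process(&st, &first);

    /* Forgery: the adversary cannot compute a valid tag; we model that by
       flipping one bit of the correct tag so it is guaranteed wrong. */
    struct msg forged = { .capabilities = CAP_A | CAP_FORGED, .tag = 0 };
    forged.tag = toy_mac(st.key, forged.capabilities) ^ 1u;
    r.forged_accepted = process(&st, &forged);
    r.caps_after_forged = st.remote_capabilities;

    /* A later genuine message advertising only B. */
    struct msg second = { .capabilities = CAP_B, .tag = 0 };
    second.tag = toy_mac(st.key, second.capabilities);
    process(&st, &second);
    r.caps_after_second = st.remote_capabilities;
    return r;
}

int main(void) {
    struct scenario_result b = run_scenario(process_caps_before);
    struct scenario_result a = run_scenario(process_caps_after);
    printf("before fix: forged accepted=%d caps after forgery=0x%02x after second=0x%02x\n",
           b.forged_accepted, b.caps_after_forged, b.caps_after_second);
    printf("after fix:  forged accepted=%d caps after forgery=0x%02x after second=0x%02x\n",
           a.forged_accepted, a.caps_after_forged, a.caps_after_second);
    return 0;
}
```

Neither version ever accepts the forgery; the difference is purely in what state survives a rejected message, which is exactly why ordering the state update after verification (and replacing rather than accumulating) matters even when the signature check itself is sound.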