*
* %$r_A = g^{\rho_A}$% Alice's challenge
* %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
- * %$v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})$%
+ * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
* Alice's challenge check value
* %$r_B^\alpha = a^{\rho_B}$% Alice's reply
* %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
} else {
T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
buf_init(&bb, buf_i, sizeof(buf_i));
- G_TOBUF(gg, &bb, kxc->r);
+ G_TORAW(gg, &bb, kxc->r);
buf_flip(&bb);
ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
}
G_EXP(gg, r, c, kpriv);
h = GH_INIT(algs.h);
HASH_STRING(h, "tripe-expected-reply");
+ hashge(h, kx->kpub);
hashge(h, c);
hashge(h, kx->c);
hashge(h, r);
trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(a));
}))
GH_DESTROY(h);
- G_EXP(gg, y, gg->g, a);
- ok = G_EQ(gg, y, c);
+ if (MP_CMP(a, >=, gg->r))
+ ok = 0;
+ else{
+ G_EXP(gg, y, gg->g, a);
+ ok = G_EQ(gg, y, c);
+ }
if (!ok) {
a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
h = GH_INIT(algs.h);
HASH_STRING(h, "tripe-expected-reply");
+ hashge(h, kpub);
hashge(h, kx->c);
hashge(h, kxc->c);
hashge(h, kx->rx);
}
buf_init(b, BBASE(&bb), BLEN(&bb));
r = G_CREATE(gg);
- if (G_FROMBUF(gg, b, r)) {
+ if (G_FROMRAW(gg, b, r)) {
a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
goto bad;
}
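Review bot: The new range check `if (MP_CMP(a, >=, gg->r))` carries no comment saying why a recovered log of r or more is rejected, and its `else{` arm is formatted unlike the braced bodies around it; I would brace both arms and add `/* A recovered log outside [0, r) cannot be a valid exponent: reject it here rather than let a non-canonical value reach G_EXP/G_EQ below. */`. The two added `hashge` calls bind the public key into the expected-reply hash, matching the extra `a` in the updated formula, but the live computation hashes `kx->kpub` while the recomputation under IF_TRACING hashes a bare `kpub` — presumably a local in that context; worth confirming both refer to the same key so the traced hash agrees with the real one. The enclosing function begins and ends outside the hunk.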