chiark / gitweb /
keyexch: Group element encodings must have constant length.
authorMark Wooding <mdw@distorted.org.uk>
Tue, 19 Sep 2006 20:47:33 +0000 (21:47 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Tue, 19 Sep 2006 20:47:33 +0000 (21:47 +0100)
SECURITY FIX.  COMPATIBILITY BREAK.

Using the `buf' encodings of group elements leaks length information.
Use the `raw' encoding instead.  I suspect that this really is a bad
security property to have; certainly the security proof for the key
exchange protocol depends on all encodings having the same length.

keyexch.c

index ea4748e..80e0132 100644 (file)
--- a/keyexch.c
+++ b/keyexch.c
@@ -367,7 +367,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc)
   } else {
     T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
     buf_init(&bb, buf_i, sizeof(buf_i));
-    G_TOBUF(gg, &bb, kxc->r);
+    G_TORAW(gg, &bb, kxc->r);
     buf_flip(&bb);
     ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
   }
@@ -757,7 +757,7 @@ static kxchal *matchreply(keyexch *kx, unsigned ty, const octet *hc_in,
   }
   buf_init(b, BBASE(&bb), BLEN(&bb));
   r = G_CREATE(gg);
-  if (G_FROMBUF(gg, b, r)) {
+  if (G_FROMRAW(gg, b, r)) {
     a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
     goto bad;
   }