chiark / gitweb /
keyexch: Group element encodings must have constant length.
author Mark Wooding <mdw@distorted.org.uk>
Tue, 19 Sep 2006 20:47:33 +0000 (21:47 +0100)
committer Mark Wooding <mdw@distorted.org.uk>
Tue, 19 Sep 2006 20:47:33 +0000 (21:47 +0100)
SECURITY FIX.  COMPATIBILITY BREAK.

Using the `buf' encodings of group elements leaks length information.
Use the `raw' encoding instead.  I suspect that this really is a bad
security property to have; certainly the security proof for the key
exchange protocol depends on all encodings having the same length.
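
As an added illustration of the length leak the commit message describes (example code written for this page, not part of tripe or Catacomb): a length-prefixed, minimal-length integer encoding reveals the magnitude of the element it carries, while a fixed-width encoding makes every element the same size on the wire. The byte layouts are assumptions, with `buf' modelled as a 2-byte length prefix plus the minimal big-endian bytes and `raw' as a fixed-width big-endian integer, over a toy prime-field group; the sample elements are constructed.

```python
"""Added example (not tripe/Catacomb code): variable-length vs fixed-width
group-element encodings and what a passive observer learns from each.

Assumed (hypothetical) layouts, modelled loosely on the commit message:
  * buf encoding = 2-byte big-endian length prefix + minimal big-endian bytes
  * raw encoding = fixed-width big-endian bytes, width = byte length of p
Group elements are integers mod a prime p (a toy prime-field group).
"""

P = 2**127 - 1                            # Mersenne prime; toy group modulus
RAW_WIDTH = (P.bit_length() + 7) // 8     # 16 bytes, for every element


def encode_buf(x: int) -> bytes:
    """Length-prefixed minimal encoding: the total length depends on x."""
    body = x.to_bytes((x.bit_length() + 7) // 8, "big")   # b'' for x == 0
    return len(body).to_bytes(2, "big") + body


def encode_raw(x: int, p: int = P) -> bytes:
    """Fixed-width encoding: every element occupies exactly RAW_WIDTH bytes."""
    if not 0 <= x < p:
        raise ValueError("not a reduced group element")
    return x.to_bytes((p.bit_length() + 7) // 8, "big")


def decode_raw(data: bytes, p: int = P) -> int:
    """Decode and validate the way a fixed-width reader should:
    wrong width or out-of-range value is rejected, never silently accepted."""
    width = (p.bit_length() + 7) // 8
    if len(data) != width:
        raise ValueError("bad length for raw element")
    x = int.from_bytes(data, "big")
    if x >= p:
        raise ValueError("element not reduced mod p")
    return x


def infer_range_from_buf_length(n: int) -> tuple:
    """What an observer learns from the length n of a buf-encoded element:
    the element lies in [lo, hi).  Encryption normally adds only a constant
    overhead, so the observer recovers n from the ciphertext length."""
    k = n - 2                     # payload bytes after the 2-byte prefix
    if k < 0:
        raise ValueError("shorter than the length prefix")
    if k == 0:
        return (0, 1)             # empty body encodes exactly zero
    return (256 ** (k - 1), 256 ** k)


def observed_lengths(elements, encoder) -> list:
    """Distinct on-the-wire lengths an observer sees for `elements'."""
    return sorted({len(encoder(x)) for x in elements})


# Constructed sample elements spanning the range of the group.
SAMPLE = [0, 1, 255, 2**64 + 1, P - 1]

if __name__ == "__main__":
    print("buf lengths:", observed_lengths(SAMPLE, encode_buf))   # vary with x
    print("raw lengths:", observed_lengths(SAMPLE, encode_raw))   # always 16
    for x in SAMPLE:
        lo, hi = infer_range_from_buf_length(len(encode_buf(x)))
        print(f"x={x}: buf length {len(encode_buf(x))} -> x in [{lo}, {hi})")
```

The point of `decode_raw` is the counterpart check on the receiving side: with a fixed-width encoding the reader knows exactly how many bytes to consume, so a wrong length or an unreduced value is a protocol error rather than something to be accommodated.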

keyexch.c

index ea4748e2956ddeaafbbcc0f4d85a83395ebe6d28..80e0132a3bf9c69ccd86ca28325be7a39eba6957 100644 (file)
--- a/keyexch.c
+++ b/keyexch.c
@@ -367,7 +367,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc)
   } else {
     T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
     buf_init(&bb, buf_i, sizeof(buf_i));
-    G_TOBUF(gg, &bb, kxc->r);
+    G_TORAW(gg, &bb, kxc->r);
     buf_flip(&bb);
     ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
   }
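Review bot: the result of G_TORAW into `bb' is not checked before buf_flip and ks_encrypt. The raw encoding is fixed-width and its size need not match what buf_i was sized for under the old `buf' encoding, so if buf_i is too small the failure is silent here while the decode side (matchreply) does warn and bail on error; suggest checking the buffer's error state after G_TORAW (or asserting that sizeof(buf_i) covers the raw element size) and warning rather than encrypting a broken buffer. Also, only the reply's element kxc->r changes in this hunk; since the commit message says the proof needs every encoding to have the same length, confirm the challenge message and any other group element the protocol puts on the wire are switched to the raw encoding as well, and, given the declared compatibility break, that the wire-format change is recorded in the protocol documentation.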
@@ -757,7 +757,7 @@ static kxchal *matchreply(keyexch *kx, unsigned ty, const octet *hc_in,
   }
   buf_init(b, BBASE(&bb), BLEN(&bb));
   r = G_CREATE(gg);
-  if (G_FROMBUF(gg, b, r)) {
+  if (G_FROMRAW(gg, b, r)) {
     a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
     goto bad;
   }
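Review bot: after G_FROMRAW succeeds nothing in this hunk checks that the reply buffer was fully consumed. BLEN(&bb) is used to initialise b but is not rechecked after the decode, so trailing bytes after a fixed-width element would be accepted unless a later check rejects them; suggest treating a non-zero BLEN(b) after the decode as invalid as well. Please also confirm that the `bad' path releases the element allocated by G_CREATE just above, and note that the "invalid reply" warning is now exactly what a peer still sending the old `buf' encoding will trigger; given the compatibility break, a diagnostic that hints at a version mismatch would save operators some confusion.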