From 5251b2e9939493c088632a548fa61553ff53eae3 Mon Sep 17 00:00:00 2001
Message-Id: <5251b2e9939493c088632a548fa61553ff53eae3.1714137841.git.mdw@distorted.org.uk>
From: Mark Wooding
Date: Tue, 19 Sep 2006 21:47:33 +0100
Subject: [PATCH] keyexch: Group element encodings must have constant length.
Organization: Straylight/Edgeware
From: Mark Wooding
SECURITY FIX. COMPATIBILITY BREAK. Using the `buf' encodings of group elements leaks length information. Use the `raw' encoding instead. I suspect that this really is a bad security property to have; certainly the security proof for the key exchange protocol depends on all encodings having the same length.
---
 keyexch.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/keyexch.c b/keyexch.c
index ea4748e2..80e0132a 100644
--- a/keyexch.c
+++ b/keyexch.c
@@ -367,7 +367,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc)
 } else {
 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
 buf_init(&bb, buf_i, sizeof(buf_i));
- G_TOBUF(gg, &bb, kxc->r);
+ G_TORAW(gg, &bb, kxc->r);
 buf_flip(&bb);
 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
 }
@@ -757,7 +757,7 @@ static kxchal *matchreply(keyexch *kx, unsigned ty, const octet *hc_in,
 }
 buf_init(b, BBASE(&bb), BLEN(&bb));
 r = G_CREATE(gg);
- if (G_FROMBUF(gg, b, r)) {
+ if (G_FROMRAW(gg, b, r)) {
 a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
 goto bad;
 }
-- [mdw]
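Review bot: The `G_TORAW` call in kxc_answer has no comment saying why the raw encoding is required, so a later cleanup could switch it back to `G_TOBUF` and reintroduce the length leak the commit message describes. I would add `/* Raw encoding: the encrypted reply must have the same length whatever the value of r. */` above it, and a matching comment at the `G_FROMRAW` call in matchreply in the second hunk. The result of `G_TORAW` is also not checked on this line; if the macro reports failure the way `G_FROMRAW` does, the buffer handed to `ks_encrypt` could be incomplete, so it is worth confirming that `buf_i` is always large enough for one raw element. kxc_answer starts and ends outside the hunk.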
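Review bot: In matchreply, the `G_FROMRAW` check accepts a decrypted reply that carries extra bytes after the group element, as far as this hunk shows. With a fixed-length encoding the payload should be exactly one element, so the condition could be `if (G_FROMRAW(gg, b, r) || BLEFT(b)) {`, which rejects anything longer and keeps the constant-length property enforced on the receiving side too. matchreply continues outside the hunk, so a later length check may already exist; if it does, a short comment here pointing to it would help.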