keyexch, keymgmt: Include the peer's public key in the check hash.
diff --git
a/keyexch.c
b/keyexch.c
index 80e0132a3bf9c69ccd86ca28325be7a39eba6957..f6786e0928b54dd7862f4686d8f9b034655f3645 100644
(file)
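--- a/keyexch.c
+++ b/keyexch.c
@@ -47,7 +47,7 @@
 *
 * %$r_A = g^{\rho_A}$% Alice's challenge
 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
- * %$v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})$%
+ * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
 * Alice's challenge check value
 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
@@ -415,6 +415,7 @@ static ge *getreply(keyexch *kx, ge *c, mp *ck)
 G_EXP(gg, r, c, kpriv);
 h = GH_INIT(algs.h);
 HASH_STRING(h, "tripe-expected-reply");
+ hashge(h, kx->kpub);
 hashge(h, c);
 hashge(h, kx->c);
 hashge(h, r);
@@ -427,8 +428,12 @@ static ge *getreply(keyexch *kx, ge *c, mp *ck)
 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(a));
 }))
 GH_DESTROY(h);
- G_EXP(gg, y, gg->g, a);
- ok = G_EQ(gg, y, c);
+ if (MP_CMP(a, >=, gg->r))
+ ok = 0;
+ else{
+ G_EXP(gg, y, gg->g, a);
+ ok = G_EQ(gg, y, c);
+ }
 if (!ok) {
 a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
@@ -553,6 +558,7 @@ static int dochallenge(keyexch *kx, unsigned msg, buf *b)
 h = GH_INIT(algs.h);
 HASH_STRING(h, "tripe-expected-reply");
+ hashge(h, kpub);
 hashge(h, kx->c);
 hashge(h, kxc->c);
 hashge(h, kx->rx);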
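Review bot: The new bound check in getreply (`if (MP_CMP(a, >=, gg->r)) ok = 0;`, hunk at 428) has no comment saying why a recovered log at or above `gg->r` is refused, so a later reader cannot tell that it rejects non-canonical exponents which would otherwise still pass the `G_EQ` test. I would put `/* Refuse a log outside [0, r): g^a alone cannot tell a from a + r. */` above it (assuming `gg->r` is the group order, which these lines do not show), and write `else {` with braces on both arms. The added `hashge(h, kx->kpub)` in getreply and `hashge(h, kpub)` in dochallenge change the check value on the wire, so a peer without this commit will presumably fail with `bad-expected-reply-log`; nothing visible here versions the protocol, which deserves a line in the commit description or release notes. getreply and dochallenge both start and end outside the hunks shown.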