X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/5251b2e9939493c088632a548fa61553ff53eae3..9317aa9290393480e8004bd443c38b5faa5f6f0c:/keyexch.c
diff --git a/keyexch.c b/keyexch.c
index 80e0132a..f6786e09 100644
--- a/keyexch.c
+++ b/keyexch.c
@@ -47,7 +47,7 @@
  *
  * %$r_A = g^{\rho_A}$% Alice's challenge
  * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
- * %$v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})$%
+ * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
  * Alice's challenge check value
  * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
  * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
@@ -415,6 +415,7 @@ static ge *getreply(keyexch *kx, ge *c, mp *ck)
   G_EXP(gg, r, c, kpriv);
   h = GH_INIT(algs.h);
   HASH_STRING(h, "tripe-expected-reply");
+  hashge(h, kx->kpub);
   hashge(h, c);
   hashge(h, kx->c);
   hashge(h, r);
@@ -427,8 +428,12 @@ static ge *getreply(keyexch *kx, ge *c, mp *ck)
     trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(a));
   }))
   GH_DESTROY(h);
-  G_EXP(gg, y, gg->g, a);
-  ok = G_EQ(gg, y, c);
+  if (MP_CMP(a, >=, gg->r))
+    ok = 0;
+  else{
+    G_EXP(gg, y, gg->g, a);
+    ok = G_EQ(gg, y, c);
+  }
   if (!ok) {
     a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
     IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
@@ -553,6 +558,7 @@ static int dochallenge(keyexch *kx, unsigned msg, buf *b)
   h = GH_INIT(algs.h);
   HASH_STRING(h, "tripe-expected-reply");
+  hashge(h, kpub);
   hashge(h, kx->c);
   hashge(h, kxc->c);
   hashge(h, kx->rx);
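Review bot: The rewritten formula now hashes `a` right after the cookie, but the comment block never says what `a` denotes or why it was added, so a reader cannot tell from this header that the check value is being bound to a long-term key. I would add one line above the formula, e.g. `* (a is Alice's public key; hashing it ties the expected-reply check to the key it was made for)`, with the caveat that the meaning of `a` is inferred here only from `r_B^\alpha = a^{\rho_B}` two lines below. The context line `K = r_B^{\rho_A} = r_B^{\rho_A}` repeats the same term; presumably one of them was meant to be `r_A^{\rho_B}`, and this commit is already editing the block.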
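Review bot: The added `hashge(h, kx->kpub)` changes what the expected-reply hash commits to, so a peer still running the previous code will fail this check and be logged as `bad-expected-reply-log` although nothing is wrong on its side, and nothing in this diff documents the incompatibility or bumps a protocol version. A comment above the `HASH_STRING` line, e.g. `/* Bind the peer's public key into the expected-reply hash; not interoperable with peers that predate this change. */`, would record that, and the same applies to the matching `hashge(h, kpub)` in the dochallenge hunk. Both sides must also hash their operands in the same order — here `kx->kpub, c, kx->c, r`, in dochallenge `kpub, kx->c, kxc->c, kx->rx` — which looks consistent, but the pairing of `c`/`kx->c` with `kx->c`/`kxc->c` cannot be confirmed from this excerpt, nor whether `kx->kpub` is the peer's key as its placement suggests. getreply's body continues outside the hunk.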
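Review bot: The new `MP_CMP(a, >=, gg->r)` check rejects an out-of-range recovered log with the same `bad-expected-reply-log` warning as a wrong exponent, but carries no comment explaining why a value that might still satisfy `g^a == c` has to be refused; I would put `/* Reject a non-canonical log: if exponents are reduced mod the group order, an a >= r could pass G_EQ while differing from the value the peer used. */` above the `if`. Whether G_EXP reduces its exponent modulo `gg->r` is not visible in this hunk, hence the conditional wording. On style, `else{` should be `else {` to match `if (!ok) {` two lines below, and bracing the `if` arm as well keeps the two arms symmetrical.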