# HG changeset patch
# User Ivo Smits
# Date 1368660926 -7200
# Node ID 4adbd9b67fe2e0a8198768c14d30d4d48c141bff
# Parent c8d176154d7ce8ba1fb0b97d4626efd3b5a9f681
Fix nonce calculation when both sides use the same key in nacltai and salty protocols
diff -r c8d176154d7c -r 4adbd9b67fe2 src/proto.nacltai.c
--- a/src/proto.nacltai.c Thu May 16 01:19:12 2013 +0200
+++ b/src/proto.nacltai.c Thu May 16 01:35:26 2013 +0200
@@ -196,12 +196,11 @@
 } else {
 fprintf(stderr, "Warning: TIME_WINDOW not set, risking an initial replay attack\n");
 }
- if (envval = getconf("ROLE")) {
- d->cenonce[nonceoffset-1] = atoi(envval) ? 1 : 0;
- } else {
- d->cenonce[nonceoffset-1] = memcmp(cownpublickey, cpublickey, crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES) > 0 ? 1 : 0;
- }
- d->cdnonce[nonceoffset-1] = d->cenonce[nonceoffset-1] ? 0 : 1;
+ int role = memcmp(cownpublickey, cpublickey, crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES);
+ if (envval = getconf("ROLE")) role = atoi(envval) ? 1 : -1;
+ role = (role == 0) ? 0 : ((role > 0) ? 1 : 2);
+ d->cenonce[nonceoffset-1] = role & 1;
+ d->cdnonce[nonceoffset-1] = (role >> 1) & 1;
 return 0;
 }
diff -r c8d176154d7c -r 4adbd9b67fe2 src/proto.salty.c
--- a/src/proto.salty.c Thu May 16 01:19:12 2013 +0200
+++ b/src/proto.salty.c Thu May 16 01:35:26 2013 +0200
@@ -144,7 +144,7 @@
 struct qt_proto_data_salty {
 time_t lastkeyupdate, lastkeyupdatesent;
 unsigned char controlkey[BEFORENMBYTES];
- bool controlencoderole;
+ int controlroles;
 uint64 controldecodetime;
 uint64 controlencodetime;
 struct qt_proto_data_salty_keyset* dataencoder;
@@ -226,7 +226,7 @@
 d->controlencodetime++;
 unsigned char nonce[24];
 memset(nonce, 0, 24);
- nonce[0] = d->controlencoderole ? 1 : 0;
+ nonce[0] = d->controlroles & 1;
 encodeuint64(nonce + 16, d->controlencodetime);
 unsigned char encbuffer[32 + 1 + 32 + 24 + 32 + 24 + 8];
 if (crypto_box_curve25519xsalsa20poly1305_afternm(encbuffer, buffer, 32 + (1 + 32 + 24 + 32 + 24 + 8), nonce, d->controlkey)) return;
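Review bot: With role 0 (the same-key case this hunk introduces) `cenonce[nonceoffset-1]` and `cdnonce[nonceoffset-1]` both become 0, so each endpoint now accepts packets built under its own sending nonce prefix: a peer's own packet reflected back to it would authenticate, and the two directions share one nonce space under one shared key, so nonce uniqueness rests entirely on the remaining nonce bytes, which are set outside this hunk and cannot be verified here. That may be an accepted trade-off for the same-key configuration, but it deserves the same treatment as the TIME_WINDOW case visible above, e.g. `if (role == 0) fprintf(stderr, "Warning: both sides use the same key, nonces are no longer separated per direction\n");` before the mapping line, plus a comment naming the bit layout (bit 0 encode, bit 1 decode). The salty hunk at @@ -294 has the same property, and there both endpoints seed `controlencodetime` from `time(NULL) << 8`, so matching counters on the two sides are plausible rather than remote. Separately, `if (envval = getconf("ROLE"))` reads as a typo for `==` and would be clearer as `if ((envval = getconf("ROLE")) != NULL)`, with `strtol` in place of `atoi` so a malformed ROLE value is rejected instead of silently mapped to -1. The enclosing function begins outside the hunk.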
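Review bot: `int controlroles;` replaces a self-describing bool with a bit field whose layout is defined only by arithmetic in two other hunks of this changeset; a one-line comment at the field would spare the next reader that search, e.g. `int controlroles; /* bit 0: nonce[0] when encoding, bit 1: nonce[0] when decoding; 0 when both sides hold the same key */`. The struct definition continues outside the hunk.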
@@ -294,7 +294,8 @@
 crypto_box_curve25519xsalsa20poly1305_beforenm(d->controlkey, cpublickey, csecretkey);
 unsigned char cownpublickey[PUBLICKEYBYTES];
 crypto_scalarmult_curve25519_base(cownpublickey, csecretkey);
- d->controlencoderole = memcmp(cownpublickey, cpublickey, PUBLICKEYBYTES) > 0;
+ int role = memcmp(cownpublickey, cpublickey, PUBLICKEYBYTES);
+ d->controlroles = (role == 0) ? 0 : ((role > 0) ? 1 : 2);
 d->controldecodetime = 0;
 d->controlencodetime = ((uint64)time(NULL)) << 8;
 d->datalocalkeyid = 0;
@@ -399,7 +400,7 @@
 }
 unsigned char cnonce[NONCEBYTES];
 memset(cnonce, 0, 24);
- cnonce[0] = d->controlencoderole ? 0 : 1;
+ cnonce[0] = (d->controlroles >> 1) & 1;
 memcpy(cnonce + 16, enc + 13, 8);
 memset(enc + 12 + 1 + 8 - 16, 0, 16);
 if (crypto_box_curve25519xsalsa20poly1305_open_afternm(raw, enc + 12 + 1 + 8 - 16, len - 1 - 8 + 16, cnonce, d->controlkey)) {
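Review bot: `d->controlroles = (role == 0) ? 0 : ((role > 0) ? 1 : 2);` repeats, character for character, the mapping added to proto.nacltai.c in the same changeset, and the two files then unpack the bits with separate `& 1` and `>> 1` expressions; a single shared helper in a common header, e.g. `static inline int roles_from_keycmp(int cmp)` (name constructed) returning this value, with the bit layout documented once at its definition, would keep the two protocols from drifting apart on a value that decides nonce separation. The enclosing function begins outside the hunk.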