changeset 43:4adbd9b67fe2

Fix nonce calculation when both sides use the same key in nacltai and salty protocols
author Ivo Smits <Ivo@UCIS.nl>
date Thu, 16 May 2013 01:35:26 +0200
parents c8d176154d7c
children 55f379f0a650
files src/proto.nacltai.c src/proto.salty.c
diffstat 2 files changed, 10 insertions(+), 10 deletions(-) [+]
--- a/src/proto.nacltai.c	Thu May 16 01:19:12 2013 +0200
+++ b/src/proto.nacltai.c	Thu May 16 01:35:26 2013 +0200
@@ -196,12 +196,11 @@
 	} else {
 		fprintf(stderr, "Warning: TIME_WINDOW not set, risking an initial replay attack\n");
 	}
-	if (envval = getconf("ROLE")) {
-		d->cenonce[nonceoffset-1] = atoi(envval) ? 1 : 0;
-	} else {
-		d->cenonce[nonceoffset-1] = memcmp(cownpublickey, cpublickey, crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES) > 0 ? 1 : 0;
-	}
-	d->cdnonce[nonceoffset-1] = d->cenonce[nonceoffset-1] ? 0 : 1;
+	int role = memcmp(cownpublickey, cpublickey, crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES);
+	if (envval = getconf("ROLE")) role = atoi(envval) ? 1 : -1;
+	role = (role == 0) ? 0 : ((role > 0) ? 1 : 2);
+	d->cenonce[nonceoffset-1] = role & 1;
+	d->cdnonce[nonceoffset-1] = (role >> 1) & 1;
 	return 0;
 }
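Review bot: When the two public keys compare equal, the new mapping at `role = (role == 0) ? 0 : ((role > 0) ? 1 : 2);` leaves both `cenonce[nonceoffset-1]` and `cdnonce[nonceoffset-1]` at 0, so the encode and decode nonce spaces coincide and a packet this node produced would decrypt under its own key if it came back; whether that is then rejected depends on the TIME_WINDOW handling mentioned just above the hunk, which I cannot see here. That condition deserves the same kind of diagnostic the TIME_WINDOW branch already prints, e.g. `if (role == 0) fprintf(stderr, "Warning: local and peer public keys are equal, encode and decode nonces coincide\n");` placed before the mapping line. The `@@ -294` and `@@ -399` hunks of src/proto.salty.c apply the same mapping to `controlroles` and have the same property. The assignment inside `if (envval = getconf("ROLE"))` is carried over from the old code; `if ((envval = getconf("ROLE")))` would make the intent explicit and silence -Wparentheses. The enclosing function starts before the hunk.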
 
--- a/src/proto.salty.c	Thu May 16 01:19:12 2013 +0200
+++ b/src/proto.salty.c	Thu May 16 01:35:26 2013 +0200
@@ -144,7 +144,7 @@
 struct qt_proto_data_salty {
 	time_t lastkeyupdate, lastkeyupdatesent;
 	unsigned char controlkey[BEFORENMBYTES];
-	bool controlencoderole;
+	int controlroles;
 	uint64 controldecodetime;
 	uint64 controlencodetime;
 	struct qt_proto_data_salty_keyset* dataencoder;
@@ -226,7 +226,7 @@
 	d->controlencodetime++;
 	unsigned char nonce[24];
 	memset(nonce, 0, 24);
-	nonce[0] = d->controlencoderole ? 1 : 0;
+	nonce[0] = d->controlroles & 1;
 	encodeuint64(nonce + 16, d->controlencodetime);
 	unsigned char encbuffer[32 + 1 + 32 + 24 + 32 + 24 + 8];
 	if (crypto_box_curve25519xsalsa20poly1305_afternm(encbuffer, buffer, 32 + (1 + 32 + 24 + 32 + 24 + 8), nonce, d->controlkey)) return;
@@ -294,7 +294,8 @@
 	crypto_box_curve25519xsalsa20poly1305_beforenm(d->controlkey, cpublickey, csecretkey);
 	unsigned char cownpublickey[PUBLICKEYBYTES];
 	crypto_scalarmult_curve25519_base(cownpublickey, csecretkey);
-	d->controlencoderole = memcmp(cownpublickey, cpublickey, PUBLICKEYBYTES) > 0;
+	int role = memcmp(cownpublickey, cpublickey, PUBLICKEYBYTES);
+	d->controlroles = (role == 0) ? 0 : ((role > 0) ? 1 : 2);
 	d->controldecodetime = 0;
 	d->controlencodetime = ((uint64)time(NULL)) << 8;
 	d->datalocalkeyid = 0;
@@ -399,7 +400,7 @@
 		}
 		unsigned char cnonce[NONCEBYTES];
 		memset(cnonce, 0, 24);
-		cnonce[0] = d->controlencoderole ? 0 : 1;
+		cnonce[0] = (d->controlroles >> 1) & 1;
 		memcpy(cnonce + 16, enc + 13, 8);
 		memset(enc + 12 + 1 + 8 - 16, 0, 16);
 		if (crypto_box_curve25519xsalsa20poly1305_open_afternm(raw, enc + 12 + 1 + 8 - 16, len - 1 - 8 + 16, cnonce, d->controlkey)) {
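Review bot: The new `int controlroles;` field in the `@@ -144` hunk replaces a self-describing bool with a bit layout that a reader can only reconstruct from the `& 1` use in the `@@ -226` hunk and the `>> 1` use in the `@@ -399` hunk. A comment on the field would fix that: `int controlroles; /* bit 0: nonce[0] when sending, bit 1: nonce[0] when receiving; both clear when own and peer public keys are equal */`. The struct definition continues past the hunk.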