diff options
| author | Roger Dingledine <arma@torproject.org> | 2005-08-06 16:50:51 +0000 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2005-08-06 16:50:51 +0000 |
| commit | b9a7482c0254c8c1ece1acf93ef23082f31abb37 (patch) | |
| tree | 27278529363fde42b2ad12fbef69db3d723d6a63 | |
| parent | 261bf4c4d48b36e0faed2ae229ce0adfc02fd3d8 (diff) | |
| download | tor-b9a7482c0254c8c1ece1acf93ef23082f31abb37.tar.gz tor-b9a7482c0254c8c1ece1acf93ef23082f31abb37.zip | |
note another potential security problem with generating key material
from our DH handshake.
svn:r4724
| -rw-r--r-- | src/common/crypto.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/common/crypto.c b/src/common/crypto.c index c75ab2694d..2fd0e3042f 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1458,6 +1458,12 @@ int crypto_dh_compute_secret(crypto_dh_env_t *dh, } secret_len = result; /* sometimes secret_len might be less than 128, e.g., 127. that's ok. */ + /* Actually, http://www.faqs.org/rfcs/rfc2631.html says: + * Leading zeros MUST be preserved, so that ZZ occupies as many + * octets as p. For instance, if p is 1024 bits, ZZ should be 128 + * bytes long. + * What are the security implications here? + */ for (i = 0; i < secret_bytes_out; i += DIGEST_LEN) { secret_tmp[secret_len] = (unsigned char) i/DIGEST_LEN; if (crypto_digest(hash, secret_tmp, secret_len+1)) |