author | Jack Lloyd <[email protected]> | 2018-06-17 11:02:32 -0400 |
committer | Jack Lloyd <[email protected]> | 2018-06-17 11:16:46 -0400 |
commit | f8afec45c659c870a3930a8e1b9cf26d6f0760d5 (patch) | |
tree | ff14ed9be67c649ba1b08b787e7530ed096b4c5f /src/lib/misc | |
parent | b434f6a7518b65fbe5eb1b8e042d2daf10d03671 (diff) |
Avoid leaking size of exponent
See #1606 for discussion
Diffstat (limited to 'src/lib/misc')
-rw-r--r-- | src/lib/misc/srp6/srp6.cpp | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/lib/misc/srp6/srp6.cpp b/src/lib/misc/srp6/srp6.cpp
index bf5c6ac93..cb7e3c600 100644
--- a/src/lib/misc/srp6/srp6.cpp
+++ b/src/lib/misc/srp6/srp6.cpp
@@ -82,6 +82,8 @@ srp6_client_agree(const std::string& identifier,
 const BigInt& B,
 RandomNumberGenerator& rng)
 {
+ const size_t a_bits = 256;
+
 DL_Group group(group_id);
 const BigInt& g = group.get_g();
 const BigInt& p = group.get_p();
@@ -93,9 +95,9 @@ srp6_client_agree(const std::string& identifier,
 const BigInt k = hash_seq(hash_id, p_bytes, p, g);
- const BigInt a(rng, 256);
+ const BigInt a(rng, a_bits);
- const BigInt A = group.power_g_p(a);
+ const BigInt A = group.power_g_p(a, a_bits);
 const BigInt u = hash_seq(hash_id, p_bytes, A, B);
@@ -117,7 +119,8 @@ BigInt generate_srp6_verifier(const std::string& identifier,
 const BigInt x = compute_x(hash_id, identifier, password, salt);
 DL_Group group(group_id);
- return group.power_g_p(x);
+ // FIXME: x should be size of hash fn
+ return group.power_g_p(x, x.bits());
 }
 BigInt SRP6_Server_Session::step1(const BigInt& v,
@@ -125,19 +128,21 @@ BigInt SRP6_Server_Session::step1(const BigInt& v,
 const std::string& hash_id,
 RandomNumberGenerator& rng)
 {
+ const size_t b_bits = 256;
+
 DL_Group group(group_id);
 const BigInt& g = group.get_g();
 const BigInt& p = group.get_p();
 m_p_bytes = p.bytes();
 m_v = v;
- m_b = BigInt(rng, 256);
+ m_b = BigInt(rng, b_bits);
 m_p = p;
 m_hash_id = hash_id;
 const BigInt k = hash_seq(hash_id, m_p_bytes, p, g);
- m_B = group.mod_p(v*k + group.power_g_p(m_b));
+ m_B = group.mod_p(v*k + group.power_g_p(m_b, b_bits));
 return m_B;
 }
|
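Review bot: In the generate_srp6_verifier hunk, `group.power_g_p(x, x.bits())` bounds the exponentiation by the actual bit length of x, so the work done still depends on how many leading zero bits the password-derived value x happens to have; the accompanying FIXME names the right fix, but the commit ships with the dependency in place. A data-independent bound is the hash output width, which is fixed for a given hash_id, e.g. `const size_t x_bits = 8 * HashFunction::create_or_throw(hash_id)->output_length();` followed by `return group.power_g_p(x, x_bits);` (this assumes compute_x derives x from that hash without reducing it, which the hunk does not show, and generate_srp6_verifier's body begins before this hunk). Separately, the srp6_client_agree and step1 hunks each introduce their own literal `256` for a_bits and b_bits; a single file-scope `constexpr size_t SRP6_EXPONENT_BITS = 256;` (name constructed) would tie the two together and make it explicit that the client and server exponent sizes are meant to match.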