authorJack Lloyd <[email protected]>2018-06-17 11:02:32 -0400
committerJack Lloyd <[email protected]>2018-06-17 11:16:46 -0400
commitf8afec45c659c870a3930a8e1b9cf26d6f0760d5 (patch)
treeff14ed9be67c649ba1b08b787e7530ed096b4c5f /src/lib/misc
parentb434f6a7518b65fbe5eb1b8e042d2daf10d03671 (diff)
Avoid leaking size of exponent
See #1606 for discussion
Diffstat (limited to 'src/lib/misc')
-rw-r--r--src/lib/misc/srp6/srp6.cpp15
1 files changed, 10 insertions, 5 deletions
diff --git a/src/lib/misc/srp6/srp6.cpp b/src/lib/misc/srp6/srp6.cpp
index bf5c6ac93..cb7e3c600 100644
--- a/src/lib/misc/srp6/srp6.cpp
+++ b/src/lib/misc/srp6/srp6.cpp
@@ -82,6 +82,8 @@ srp6_client_agree(const std::string& identifier,
const BigInt& B,
RandomNumberGenerator& rng)
{
+ const size_t a_bits = 256;
+
DL_Group group(group_id);
const BigInt& g = group.get_g();
const BigInt& p = group.get_p();
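Review bot: The new `const size_t a_bits = 256;` has no comment saying why an explicit length is now handed to `power_g_p` instead of letting the exponent's own bit length drive the exponentiation, which is the whole point of this commit and is easy to "simplify" away later; a line such as `// fixed exponent length: the exponentiation's work must not depend on how many leading bits of a happen to be zero` would preserve the intent (the meaning of the second argument is inferred from the commit title, not visible here). The same literal appears again as `b_bits` in `SRP6_Server_Session::step1` in the last hunk; both encode one security parameter and could be a single file-scope `constexpr size_t` used at both sites. srp6_client_agree's signature begins before this hunk and its body continues past it.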
@@ -93,9 +95,9 @@ srp6_client_agree(const std::string& identifier,
const BigInt k = hash_seq(hash_id, p_bytes, p, g);
- const BigInt a(rng, 256);
+ const BigInt a(rng, a_bits);
- const BigInt A = group.power_g_p(a);
+ const BigInt A = group.power_g_p(a, a_bits);
const BigInt u = hash_seq(hash_id, p_bytes, A, B);
@@ -117,7 +119,8 @@ BigInt generate_srp6_verifier(const std::string& identifier,
const BigInt x = compute_x(hash_id, identifier, password, salt);
DL_Group group(group_id);
- return group.power_g_p(x);
+ // FIXME: x should be size of hash fn
+ return group.power_g_p(x, x.bits());
}
BigInt SRP6_Server_Session::step1(const BigInt& v,
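Review bot: `group.power_g_p(x, x.bits())` in `generate_srp6_verifier` passes a length derived from x itself, so the exponentiation's cost still tracks the actual size of x and the leak the commit title describes is not closed at this call site; the FIXME acknowledges it but ships the data-dependent value. x comes from `compute_x(hash_id, identifier, password, salt)`, which is outside the hunk, so the natural fixed bound is the output length in bits of the hash named by `hash_id`, obtained once and passed in place of `x.bits()`; a bound from the group's modulus size would also be data-independent, if larger, should such an accessor be available here. Until that is done the FIXME should name the observable effect, e.g. `// FIXME: x.bits() is password-derived; use the hash output length so the exponent length does not depend on x`.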
@@ -125,19 +128,21 @@ BigInt SRP6_Server_Session::step1(const BigInt& v,
const std::string& hash_id,
RandomNumberGenerator& rng)
{
+ const size_t b_bits = 256;
+
DL_Group group(group_id);
const BigInt& g = group.get_g();
const BigInt& p = group.get_p();
m_p_bytes = p.bytes();
m_v = v;
- m_b = BigInt(rng, 256);
+ m_b = BigInt(rng, b_bits);
m_p = p;
m_hash_id = hash_id;
const BigInt k = hash_seq(hash_id, m_p_bytes, p, g);
- m_B = group.mod_p(v*k + group.power_g_p(m_b));
+ m_B = group.mod_p(v*k + group.power_g_p(m_b, b_bits));
return m_B;
}