fix another MitM attack. Now the DH key exchange REALLY depends on the authentication.
authorRudolf Polzer <divverent@alientrap.org>
Tue, 3 Aug 2010 06:15:04 +0000 (08:15 +0200)
committerRudolf Polzer <divverent@alientrap.org>
Tue, 3 Aug 2010 06:21:23 +0000 (08:21 +0200)
d0_blind_id.c
d0_blind_id.txt

index 9c7a513..614f49a 100644 (file)
@@ -60,8 +60,8 @@ struct d0_blind_id_s
        d0_bignum_t *schnorr_s;
 
        // public data (player ID public key, this is what the server gets to know)
-       d0_bignum_t *schnorr_4_to_s;
-       d0_bignum_t *schnorr_H_4_to_s_signature; // 0 when signature is invalid
+       d0_bignum_t *schnorr_g_to_s;
+       d0_bignum_t *schnorr_H_g_to_s_signature; // 0 when signature is invalid
        // as hash function H, we get the SHA1 and reinterpret as bignum - yes, it always is < 160 bits
 
        // temp data
@@ -69,7 +69,8 @@ struct d0_blind_id_s
 
        d0_bignum_t *r; // random number for schnorr ID
        d0_bignum_t *t; // for DH key exchange
-       d0_bignum_t *other_4_to_t; // for DH key exchange
+       d0_bignum_t *g_to_t; // for DH key exchange
+       d0_bignum_t *other_g_to_t; // for DH key exchange
        d0_bignum_t *challenge; // challenge
 
        char msghash[SCHNORR_HASHSIZE]; // init hash
@@ -301,13 +302,14 @@ void d0_blind_id_clear(d0_blind_id_t *ctx)
        if(ctx->rsa_d) d0_bignum_free(ctx->rsa_d);
        if(ctx->schnorr_G) d0_bignum_free(ctx->schnorr_G);
        if(ctx->schnorr_s) d0_bignum_free(ctx->schnorr_s);
-       if(ctx->schnorr_4_to_s) d0_bignum_free(ctx->schnorr_4_to_s);
-       if(ctx->schnorr_H_4_to_s_signature) d0_bignum_free(ctx->schnorr_H_4_to_s_signature);
+       if(ctx->schnorr_g_to_s) d0_bignum_free(ctx->schnorr_g_to_s);
+       if(ctx->schnorr_H_g_to_s_signature) d0_bignum_free(ctx->schnorr_H_g_to_s_signature);
        if(ctx->rsa_blind_signature_camouflage) d0_bignum_free(ctx->rsa_blind_signature_camouflage);
        if(ctx->r) d0_bignum_free(ctx->r);
        if(ctx->challenge) d0_bignum_free(ctx->challenge);
        if(ctx->t) d0_bignum_free(ctx->t);
-       if(ctx->other_4_to_t) d0_bignum_free(ctx->other_4_to_t);
+       if(ctx->g_to_t) d0_bignum_free(ctx->g_to_t);
+       if(ctx->other_g_to_t) d0_bignum_free(ctx->other_g_to_t);
        memset(ctx, 0, sizeof(*ctx));
 }
 
@@ -319,13 +321,14 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_copy(d0_blind_id_t *ctx, const d0_blind_id_t
        if(src->rsa_d) CHECK_ASSIGN(ctx->rsa_d, d0_bignum_mov(NULL, src->rsa_d));
        if(src->schnorr_G) CHECK_ASSIGN(ctx->schnorr_G, d0_bignum_mov(NULL, src->schnorr_G));
        if(src->schnorr_s) CHECK_ASSIGN(ctx->schnorr_s, d0_bignum_mov(NULL, src->schnorr_s));
-       if(src->schnorr_4_to_s) CHECK_ASSIGN(ctx->schnorr_4_to_s, d0_bignum_mov(NULL, src->schnorr_4_to_s));
-       if(src->schnorr_H_4_to_s_signature) CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_bignum_mov(NULL, src->schnorr_H_4_to_s_signature));
+       if(src->schnorr_g_to_s) CHECK_ASSIGN(ctx->schnorr_g_to_s, d0_bignum_mov(NULL, src->schnorr_g_to_s));
+       if(src->schnorr_H_g_to_s_signature) CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_bignum_mov(NULL, src->schnorr_H_g_to_s_signature));
        if(src->rsa_blind_signature_camouflage) CHECK_ASSIGN(ctx->rsa_blind_signature_camouflage, d0_bignum_mov(NULL, src->rsa_blind_signature_camouflage));
        if(src->r) CHECK_ASSIGN(ctx->r, d0_bignum_mov(NULL, src->r));
        if(src->challenge) CHECK_ASSIGN(ctx->challenge, d0_bignum_mov(NULL, src->challenge));
        if(src->t) CHECK_ASSIGN(ctx->t, d0_bignum_mov(NULL, src->t));
-       if(src->other_4_to_t) CHECK_ASSIGN(ctx->other_4_to_t, d0_bignum_mov(NULL, src->other_4_to_t));
+       if(src->g_to_t) CHECK_ASSIGN(ctx->g_to_t, d0_bignum_mov(NULL, src->g_to_t));
+       if(src->other_g_to_t) CHECK_ASSIGN(ctx->other_g_to_t, d0_bignum_mov(NULL, src->other_g_to_t));
        memcpy(ctx->msg, src->msg, sizeof(ctx->msg));
        ctx->msglen = src->msglen;
        memcpy(ctx->msghash, src->msghash, sizeof(ctx->msghash));
@@ -502,12 +505,12 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_generate_private_id_start(d0_blind_id_t *ctx
 {
        // temps: temp0 = order
        USING(schnorr_G);
-       REPLACING(schnorr_s); REPLACING(schnorr_4_to_s);
+       REPLACING(schnorr_s); REPLACING(schnorr_g_to_s);
 
        CHECK(d0_dl_get_order(temp0, ctx->schnorr_G));
        CHECK_ASSIGN(ctx->schnorr_s, d0_bignum_rand_range(ctx->schnorr_s, zero, temp0));
-       CHECK_ASSIGN(ctx->schnorr_4_to_s, d0_bignum_mod_pow(ctx->schnorr_4_to_s, four, ctx->schnorr_s, ctx->schnorr_G));
-       CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_bignum_zero(ctx->schnorr_H_4_to_s_signature));
+       CHECK_ASSIGN(ctx->schnorr_g_to_s, d0_bignum_mod_pow(ctx->schnorr_g_to_s, four, ctx->schnorr_s, ctx->schnorr_G));
+       CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_bignum_zero(ctx->schnorr_H_g_to_s_signature));
        return 1;
 
 fail:
@@ -521,7 +524,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_generate_private_id_request(d0_blind_id_t *c
        size_t sz;
 
        // temps: temp0 rsa_blind_signature_camouflage^challenge, temp1 (4^s)*rsa_blind_signature_camouflage^challenge
-       USING(rsa_n); USING(rsa_e); USING(schnorr_4_to_s);
+       USING(rsa_n); USING(rsa_e); USING(schnorr_g_to_s);
        REPLACING(rsa_blind_signature_camouflage);
 
        out = d0_iobuf_open_write(outbuf, *outbuflen);
@@ -530,7 +533,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_generate_private_id_request(d0_blind_id_t *c
        CHECK(d0_bignum_mod_pow(temp0, ctx->rsa_blind_signature_camouflage, ctx->rsa_e, ctx->rsa_n));
 
        // we will actually sign HA(4^s) to prevent a malleability attack!
-       CHECK(d0_bignum_mov(temp2, ctx->schnorr_4_to_s));
+       CHECK(d0_bignum_mov(temp2, ctx->schnorr_g_to_s));
        sz = (d0_bignum_size(ctx->rsa_n) + 7) / 8; // this is too long, so we have to take the value % rsa_n when "decrypting"
        if(sz > sizeof(shabuf))
                sz = sizeof(shabuf);
@@ -577,13 +580,13 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_finish_private_id_request(d0_blind_id_t *ctx
 
        // temps: temp0 input, temp1 rsa_blind_signature_camouflage^-1
        USING(rsa_blind_signature_camouflage); USING(rsa_n);
-       REPLACING(schnorr_H_4_to_s_signature);
+       REPLACING(schnorr_H_g_to_s_signature);
 
        in = d0_iobuf_open_read(inbuf, inbuflen);
 
        CHECK(d0_iobuf_read_bignum(in, temp0));
        CHECK(d0_bignum_mod_inv(temp1, ctx->rsa_blind_signature_camouflage, ctx->rsa_n));
-       CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_bignum_mod_mul(ctx->schnorr_H_4_to_s_signature, temp0, temp1, ctx->rsa_n));
+       CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_bignum_mod_mul(ctx->schnorr_H_g_to_s_signature, temp0, temp1, ctx->rsa_n));
 
        return d0_iobuf_close(in, NULL);
 
@@ -630,13 +633,13 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_read_private_id(d0_blind_id_t *ctx, const ch
 {
        d0_iobuf_t *in = NULL;
 
-       REPLACING(schnorr_s); REPLACING(schnorr_4_to_s); REPLACING(schnorr_H_4_to_s_signature);
+       REPLACING(schnorr_s); REPLACING(schnorr_g_to_s); REPLACING(schnorr_H_g_to_s_signature);
 
        in = d0_iobuf_open_read(inbuf, inbuflen);
 
        CHECK_ASSIGN(ctx->schnorr_s, d0_iobuf_read_bignum(in, ctx->schnorr_s));
-       CHECK_ASSIGN(ctx->schnorr_4_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_4_to_s));
-       CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_4_to_s_signature));
+       CHECK_ASSIGN(ctx->schnorr_g_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_g_to_s));
+       CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_g_to_s_signature));
 
        return d0_iobuf_close(in, NULL);
 
@@ -649,12 +652,12 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_read_public_id(d0_blind_id_t *ctx, const cha
 {
        d0_iobuf_t *in = NULL;
 
-       REPLACING(schnorr_4_to_s); REPLACING(schnorr_H_4_to_s_signature);
+       REPLACING(schnorr_g_to_s); REPLACING(schnorr_H_g_to_s_signature);
 
        in = d0_iobuf_open_read(inbuf, inbuflen);
 
-       CHECK_ASSIGN(ctx->schnorr_4_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_4_to_s));
-       CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_4_to_s_signature));
+       CHECK_ASSIGN(ctx->schnorr_g_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_g_to_s));
+       CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_g_to_s_signature));
 
        return d0_iobuf_close(in, NULL);
 
@@ -667,13 +670,13 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_write_private_id(const d0_blind_id_t *ctx, c
 {
        d0_iobuf_t *out = NULL;
 
-       USING(schnorr_s); USING(schnorr_4_to_s); USING(schnorr_H_4_to_s_signature);
+       USING(schnorr_s); USING(schnorr_g_to_s); USING(schnorr_H_g_to_s_signature);
 
        out = d0_iobuf_open_write(outbuf, *outbuflen);
 
        CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_s));
-       CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_4_to_s));
-       CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_4_to_s_signature));
+       CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_g_to_s));
+       CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_g_to_s_signature));
 
        return d0_iobuf_close(out, outbuflen);
 
@@ -686,12 +689,12 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_write_public_id(const d0_blind_id_t *ctx, ch
 {
        d0_iobuf_t *out = NULL;
 
-       USING(schnorr_4_to_s); USING(schnorr_H_4_to_s_signature);
+       USING(schnorr_g_to_s); USING(schnorr_H_g_to_s_signature);
 
        out = d0_iobuf_open_write(outbuf, *outbuflen);
 
-       CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_4_to_s));
-       CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_4_to_s_signature));
+       CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_g_to_s));
+       CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_g_to_s_signature));
 
        return d0_iobuf_close(out, outbuflen);
 
@@ -713,10 +716,10 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_start(d0_blind_
        // temps: temp0 order, temp0 4^r
        if(is_first)
        {
-               USING(schnorr_4_to_s); USING(schnorr_H_4_to_s_signature);
+               USING(schnorr_g_to_s); USING(schnorr_H_g_to_s_signature);
        }
        USING(schnorr_G);
-       REPLACING(r);
+       REPLACING(r); REPLACING(t); REPLACING(g_to_t);
 
        out = d0_iobuf_open_write(outbuf, *outbuflen);
 
@@ -725,8 +728,8 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_start(d0_blind_
                // send ID
                if(send_modulus)
                        CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_G));
-               CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_4_to_s));
-               CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_4_to_s_signature));
+               CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_g_to_s));
+               CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_g_to_s_signature));
        }
 
        // start schnorr ID scheme
@@ -735,11 +738,19 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_start(d0_blind_
        CHECK_ASSIGN(ctx->r, d0_bignum_rand_range(ctx->r, zero, temp0));
        CHECK(d0_bignum_mod_pow(temp0, four, ctx->r, ctx->schnorr_G));
 
+       // initialize Signed Diffie Hellmann
+       CHECK(d0_dl_get_order(temp1, ctx->schnorr_G));
+       CHECK_ASSIGN(ctx->t, d0_bignum_rand_range(ctx->t, zero, temp1));
+       CHECK_ASSIGN(ctx->g_to_t, d0_bignum_mod_pow(ctx->g_to_t, four, ctx->t, ctx->schnorr_G));
+       // can we SOMEHOW do this with just one mod_pow?
+
        // hash it, hash it, everybody hash it
        conv = d0_iobuf_open_write(convbuf, sizeof(convbuf));
        CHECK(d0_iobuf_write_bignum(conv, temp0));
+       CHECK(d0_iobuf_write_bignum(conv, ctx->g_to_t));
        CHECK(d0_iobuf_write_packet(conv, msg, msglen));
        CHECK(d0_iobuf_write_bignum(conv, temp0));
+       CHECK(d0_iobuf_write_bignum(conv, ctx->g_to_t));
        d0_iobuf_close(conv, &sz);
        conv = NULL;
        CHECK(d0_iobuf_write_raw(out, sha(convbuf, sz), SCHNORR_HASHSIZE) == SCHNORR_HASHSIZE);
@@ -766,7 +777,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_challenge(d0_bl
        // temps: temp0 order, temp0 signature check
        if(is_first)
        {
-               REPLACING(schnorr_4_to_s); REPLACING(schnorr_H_4_to_s_signature);
+               REPLACING(schnorr_g_to_s); REPLACING(schnorr_H_g_to_s_signature);
                if(recv_modulus)
                        REPLACING(schnorr_G);
                else
@@ -774,7 +785,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_challenge(d0_bl
        }
        else
        {
-               USING(schnorr_4_to_s); USING(schnorr_H_4_to_s_signature);
+               USING(schnorr_g_to_s); USING(schnorr_H_g_to_s_signature);
                USING(schnorr_G);
        }
        USING(rsa_e); USING(rsa_n);
@@ -791,18 +802,18 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_challenge(d0_bl
                        CHECK(d0_bignum_cmp(ctx->schnorr_G, zero) > 0);
                        CHECK(d0_bignum_cmp(ctx->schnorr_G, ctx->rsa_n) < 0);
                }
-               CHECK_ASSIGN(ctx->schnorr_4_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_4_to_s));
-               CHECK(d0_bignum_cmp(ctx->schnorr_4_to_s, zero) >= 0);
-               CHECK(d0_bignum_cmp(ctx->schnorr_4_to_s, ctx->schnorr_G) < 0);
-               CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_4_to_s_signature));
-               CHECK(d0_bignum_cmp(ctx->schnorr_H_4_to_s_signature, zero) >= 0);
-               CHECK(d0_bignum_cmp(ctx->schnorr_H_4_to_s_signature, ctx->rsa_n) < 0);
+               CHECK_ASSIGN(ctx->schnorr_g_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_g_to_s));
+               CHECK(d0_bignum_cmp(ctx->schnorr_g_to_s, zero) >= 0);
+               CHECK(d0_bignum_cmp(ctx->schnorr_g_to_s, ctx->schnorr_G) < 0);
+               CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_g_to_s_signature));
+               CHECK(d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, zero) >= 0);
+               CHECK(d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, ctx->rsa_n) < 0);
 
                // check signature of key (t = k^d, so, t^challenge = k)
-               CHECK(d0_bignum_mod_pow(temp0, ctx->schnorr_H_4_to_s_signature, ctx->rsa_e, ctx->rsa_n));
+               CHECK(d0_bignum_mod_pow(temp0, ctx->schnorr_H_g_to_s_signature, ctx->rsa_e, ctx->rsa_n));
 
                // we will actually sign SHA(4^s) to prevent a malleability attack!
-               CHECK(d0_bignum_mov(temp2, ctx->schnorr_4_to_s));
+               CHECK(d0_bignum_mov(temp2, ctx->schnorr_g_to_s));
                sz = (d0_bignum_size(ctx->rsa_n) + 7) / 8; // this is too long, so we have to take the value % rsa_n when "decrypting"
                if(sz > sizeof(shabuf))
                        sz = sizeof(shabuf);
@@ -816,7 +827,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_challenge(d0_bl
                if(d0_bignum_cmp(temp0, temp1))
                {
                        // accept the key anyway, but mark as failed signature! will later return 0 in status
-                       CHECK(d0_bignum_zero(ctx->schnorr_H_4_to_s_signature));
+                       CHECK(d0_bignum_zero(ctx->schnorr_H_g_to_s_signature));
                }
        }
 
@@ -835,7 +846,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_challenge(d0_bl
        CHECK(d0_iobuf_write_bignum(out, temp0));
 
        if(status)
-               *status = !!d0_bignum_cmp(ctx->schnorr_H_4_to_s_signature, zero);
+               *status = !!d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, zero);
 
        d0_iobuf_close(in, NULL);
        return d0_iobuf_close(out, outbuflen);
@@ -854,8 +865,8 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_response(d0_bli
        d0_iobuf_t *out = NULL;
 
        // temps: 0 order, 1 prod, 2 y, 3 challenge
-       REPLACING(other_4_to_t); REPLACING(t);
-       USING(schnorr_G); USING(schnorr_s); USING(r);
+       REPLACING(other_g_to_t); REPLACING(t);
+       USING(schnorr_G); USING(schnorr_s); USING(r); USING(g_to_t);
 
        in = d0_iobuf_open_read(inbuf, inbuflen);
        out = d0_iobuf_open_write(outbuf, *outbuflen);
@@ -872,22 +883,11 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_response(d0_bli
        CHECK(d0_iobuf_write_bignum(out, temp2));
 
        // Diffie Hellmann recv
-       CHECK_ASSIGN(ctx->other_4_to_t, d0_iobuf_read_bignum(in, ctx->other_4_to_t));
-       CHECK(d0_bignum_cmp(ctx->other_4_to_t, zero) > 0);
-       CHECK(d0_bignum_cmp(ctx->other_4_to_t, ctx->schnorr_G) < 0);
+       CHECK_ASSIGN(ctx->other_g_to_t, d0_iobuf_read_bignum(in, ctx->other_g_to_t));
+       CHECK(d0_bignum_cmp(ctx->other_g_to_t, zero) > 0);
+       CHECK(d0_bignum_cmp(ctx->other_g_to_t, ctx->schnorr_G) < 0);
        // Diffie Hellmann send
-       CHECK(d0_dl_get_order(temp0, ctx->schnorr_G));
-       CHECK_ASSIGN(ctx->t, d0_bignum_rand_range(ctx->t, zero, temp0));
-       // modify DH key value! (add |G|-r)
-       CHECK(d0_bignum_add(temp1, ctx->t, temp0));
-       CHECK(d0_bignum_sub(temp2, temp1, ctx->r));
-       // can be undone by multiplying with 4^r in the end
-       // ensures the party of the DH key exchange is the same party as the one of
-       // the auth protocol (MITM who changes DH key exchange must break auth protocol)
-       // trick is that MITM has no knowledge about g^r at this point, as he only
-       // knows it in hashed form
-       CHECK(d0_bignum_mod_pow(temp0, four, temp2, ctx->schnorr_G));
-       CHECK(d0_iobuf_write_bignum(out, temp0));
+       CHECK(d0_iobuf_write_bignum(out, ctx->g_to_t));
 
        d0_iobuf_close(in, NULL);
        return d0_iobuf_close(out, outbuflen);
@@ -910,7 +910,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_verify(d0_blind
 
        // temps: 0 y 1 order
        USING(challenge); USING(schnorr_G);
-       REPLACING(other_4_to_t);
+       REPLACING(other_g_to_t);
 
        in = d0_iobuf_open_read(inbuf, inbuflen);
 
@@ -922,22 +922,22 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_verify(d0_blind
        // verify schnorr ID scheme
        // we need 4^r = 4^temp0 (g^s)^-challenge
        CHECK(d0_bignum_neg(temp1, ctx->challenge));
-       CHECK(d0_bignum_mod_pow(temp2, ctx->schnorr_4_to_s, temp1, ctx->schnorr_G));
+       CHECK(d0_bignum_mod_pow(temp2, ctx->schnorr_g_to_s, temp1, ctx->schnorr_G));
        CHECK(d0_bignum_mod_pow(temp1, four, temp0, ctx->schnorr_G));
        CHECK_ASSIGN(temp3, d0_bignum_mod_mul(temp3, temp1, temp2, ctx->schnorr_G));
 
        // Diffie Hellmann recv
-       CHECK_ASSIGN(ctx->other_4_to_t, d0_iobuf_read_bignum(in, ctx->other_4_to_t));
-       CHECK(d0_bignum_cmp(ctx->other_4_to_t, zero) > 0);
-       CHECK(d0_bignum_cmp(ctx->other_4_to_t, ctx->schnorr_G) < 0);
-       // recover DH key value!
-       CHECK(d0_bignum_mod_mul(ctx->other_4_to_t, ctx->other_4_to_t, temp3, ctx->schnorr_G));
+       CHECK_ASSIGN(ctx->other_g_to_t, d0_iobuf_read_bignum(in, ctx->other_g_to_t));
+       CHECK(d0_bignum_cmp(ctx->other_g_to_t, zero) > 0);
+       CHECK(d0_bignum_cmp(ctx->other_g_to_t, ctx->schnorr_G) < 0);
 
        // hash it, hash it, everybody hash it
        conv = d0_iobuf_open_write(convbuf, sizeof(convbuf));
        CHECK(d0_iobuf_write_bignum(conv, temp3));
+       CHECK(d0_iobuf_write_bignum(conv, ctx->other_g_to_t));
        CHECK(d0_iobuf_write_packet(conv, ctx->msg, ctx->msglen));
        CHECK(d0_iobuf_write_bignum(conv, temp3));
+       CHECK(d0_iobuf_write_bignum(conv, ctx->other_g_to_t));
        d0_iobuf_close(conv, &sz);
        conv = NULL;
        if(memcmp(sha(convbuf, sz), ctx->msghash, SCHNORR_HASHSIZE))
@@ -947,7 +947,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_verify(d0_blind
        }
 
        if(status)
-               *status = !!d0_bignum_cmp(ctx->schnorr_H_4_to_s_signature, zero);
+               *status = !!d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, zero);
 
        if(ctx->msglen <= *msglen)
                memcpy(msg, ctx->msg, ctx->msglen);
@@ -970,12 +970,12 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_fingerprint64_public_id(const d0_blind_id_t
        d0_iobuf_t *conv = NULL;
        size_t sz, n;
 
-       USING(schnorr_4_to_s);
+       USING(schnorr_g_to_s);
 
        out = d0_iobuf_open_write(outbuf, *outbuflen);
        conv = d0_iobuf_open_write(convbuf, sizeof(convbuf));
 
-       CHECK(d0_iobuf_write_bignum(conv, ctx->schnorr_4_to_s));
+       CHECK(d0_iobuf_write_bignum(conv, ctx->schnorr_g_to_s));
        CHECK(d0_iobuf_close(conv, &sz));
        conv = NULL;
 
@@ -996,10 +996,10 @@ fail:
 
 BOOL d0_blind_id_sessionkey_public_id(const d0_blind_id_t *ctx, char *outbuf, size_t *outbuflen)
 {
-       USING(t); USING(other_4_to_t); USING(schnorr_G);
+       USING(t); USING(other_g_to_t); USING(schnorr_G);
 
        // temps: temp0 result
-       CHECK(d0_bignum_mod_pow(temp0, ctx->other_4_to_t, ctx->t, ctx->schnorr_G));
+       CHECK(d0_bignum_mod_pow(temp0, ctx->other_g_to_t, ctx->t, ctx->schnorr_G));
        return d0_longhash_destructive(temp0, outbuf, *outbuflen);
 
 fail:
index 2fa73ac..5234fe5 100644 (file)
@@ -61,7 +61,8 @@ Authentication protocol:
        "start":
        - Client sends S, H if this is the first round of the protocol
        - Client generates r in [0, |G|[ at random
-       - Client sends x = h("g^r || m || g^r")
+       - Client generates t in [0, |G|[ at random
+       - Client sends x = h("g^r || g^t || m || g^r || g^t")
        - Client sends m in plain
        "challenge":
        - Server receives S, H if this is the first round of the protocol
@@ -74,15 +75,14 @@ Authentication protocol:
        - Client receives c and g^T
        - Client verifies that the received values are in the allowed ranges
        - Client sends y = r + s * c mod |G|
-       - Client generates t in [0, |G|[ at random
-       - Client g^(t-r)
+       - Client sends g^t
        - Client calculates K = (g^T)^t
        "verify":
-       - Server receives y and g^(t-r)
+       - Server receives y and g^t
        - Server calculates z = g^y S^-c
        - Server calculates x' = h("z || m || z")
        - Server verifies x == x'
-       - Server calculates K = (g^(t-r) * z)^T
+       - Server calculates K = (g^t)^T
 
 Protocol variant: g and G can be also part of the public ID. In this case, g
 and G are sent as part of this protocol additionally to S, H.