
Re: Forward secrecy in spiped



On Tue, Apr 29, 2014 at 11:53 PM, Colin Percival <cperciva@tarsnap.com> wrote:
> Code review follows.  If you prefer I can fix things myself, but since you did
> the first draft I figure I should give you the option. :-)

Thanks. A question before I start revising... 

> Can't do that -- it would break backwards compatibility.  (I don't know if
> anyone is running with -f on one endpoint and not on the other, and if they
> are it's probably a mistake... but we still have to avoid any possibility
> that upgrading to a newer version of spiped will turn a working setup into
> a non-working setup.)
>
> Let's add a new option instead:
>         -g      Require perfect forward secrecy by dropping connections if the
>                 other host is using the -f option.

Ok.


> > + * is_zero_or_one(x, len):
> > + * Returns non-zero if the big-endian value stored at (${x}, ${len}) is equal
> > + * to either 0 or 1.
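Review bot: the comment on `is_zero_or_one` only documents the non-zero return; state the other case explicitly (e.g. "Returns 0 otherwise") and say why the check exists (detecting a peer that is using -f, i.e. a DH value of 1), so a later reader knows which of the two tested values actually matters for the protocol.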

> This is wrong.  We need to detect 1; we don't need to detect 0.  (A validly
> signed 0 implies that someone who has the shared key is not following the
> protocol, in which case we've already lost.)

Isn't that an argument for detecting 0 even if -g isn't specified? It seems to me to be better to drop connections which are detected to not be conforming.
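As an added illustration of the check under discussion (this is example code written for this note, not code from the thread or from spiped), here is a hypothetical C implementation of the "detect 1" test described above, a separate "detect 0" test for the case the reply asks about, and a drop decision driven by a -g-style flag. The function names, the `require_pfs` parameter, the 4-byte length and the sample values are all constructed for the example; spiped's real DH values are longer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: returns 1 if the big-endian value stored at (x, len)
 * equals the single-byte value v, and 0 otherwise.  All bytes are always
 * examined, so the running time does not depend on the contents of x. */
static int
be_equals_small(const uint8_t *x, size_t len, uint8_t v)
{
	uint8_t acc = 0;
	size_t i;

	if (len == 0)
		return (0);
	/* Every byte except the last must be zero. */
	for (i = 0; i + 1 < len; i++)
		acc |= x[i];
	/* The last byte must equal v. */
	acc |= x[len - 1] ^ v;
	return (acc == 0);
}

/* The check the thread says is needed: peer sent a DH value of 1 (-f). */
int
dhval_is_one(const uint8_t *x, size_t len)
{
	return (be_equals_small(x, len, 1));
}

/* The check the reply asks about: peer sent a DH value of 0. */
int
dhval_is_zero(const uint8_t *x, size_t len)
{
	return (be_equals_small(x, len, 0));
}

/* Drop decision for an authenticated peer DH value.  require_pfs models a
 * "-g"-style flag: when set, a peer using -f (value 1) is rejected. */
int
should_drop_connection(const uint8_t *x, size_t len, int require_pfs)
{
	if (require_pfs && dhval_is_one(x, len))
		return (1);
	return (0);
}

/* Constructed sample values (4 bytes, big-endian), not captured traffic. */
static const uint8_t sample_one[4]  = { 0x00, 0x00, 0x00, 0x01 };
static const uint8_t sample_zero[4] = { 0x00, 0x00, 0x00, 0x00 };
static const uint8_t sample_big[4]  = { 0x01, 0x00, 0x00, 0x01 };

int
main(void)
{
	printf("one  with -g: drop=%d\n",
	    should_drop_connection(sample_one, 4, 1));
	printf("one  w/o  -g: drop=%d\n",
	    should_drop_connection(sample_one, 4, 0));
	printf("big  with -g: drop=%d\n",
	    should_drop_connection(sample_big, 4, 1));
	printf("zero is_zero: %d\n", dhval_is_zero(sample_zero, 4));
	return (0);
}
```

`dhval_is_zero` is included only so the two checks the thread compares sit side by side; whether a 0 should be rejected unconditionally is the open question in the reply, and `should_drop_connection` deliberately implements only the -g behaviour that the thread agrees on.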