- After receiving the other's SIG message, the signature is verified. If it is
correct, the shared secret is calculated from the public keys exchanged in the
KEX message using the Elliptic Curve Diffie-Helman algorithm.
-- The shared secret key is expanded using a PRF. Both nonces and an application
+- The shared secret key is expanded using a PRF. Both nonces and the application
specific label are also used as input for the PRF.
- An ACK message is sent only when doing key renegotiation, and is sent using
the old encryption keys.
- uint8_t initiator (0 = local peer, 1 = remote peer is initiator)
- opaque remote_kex_message[1 + 32 + ECDH_SIZE]
- opaque local_kex_message[1 + 32 + ECDH_SIZE]
+- opaque label[label_length]
The PRF is calculated as follows:
size_t keylen = ECDH_SIZE;
size_t siglen = ecdsa_size(&s->mykey);
- // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
- char msg[(1 + 32 + keylen) * 2 + 1];
+ // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
+ char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
char sig[siglen];
msg[0] = s->initiator;
memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
- memcpy(msg + 2 + 32 + keylen, s->hiskex, 1 + 32 + keylen);
+ memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
+ memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
// Sign the result.
if(!ecdsa_sign(&s->mykey, msg, sizeof msg, sig))
return error(s, EIO, "Invalid KEX record length");
// Concatenate both KEX messages, plus tag indicating if it is from the connection originator
- char msg[(1 + 32 + keylen) * 2 + 1];
+ char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
msg[0] = !s->initiator;
memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
- memcpy(msg + 2 + 32 + keylen, s->mykex, 1 + 32 + keylen);
+ memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
+ memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
// Verify signature.
if(!ecdsa_verify(&s->hiskey, msg, sizeof msg, data))