On 04/30/14 00:28, Frederick Akalin wrote:
> On Tue, Apr 29, 2014 at 11:53 PM, Colin Percival <cperc...@tarsnap.com
> <mailto:cperc...@tarsnap.com>> wrote:
>
>     > + * is_zero_or_one(x, len):
>     > + * Returns non-zero if the big-endian value stored at (${x}, ${len}) is equal
>     > + * to either 0 or 1.
>
>     This is wrong. We need to detect 1; we don't need to detect 0. (A validly
>     signed 0 implies that someone who has the shared key is not following the
>     protocol, in which case we've already lost.)
>
> Isn't that an argument for detecting 0 even if -g isn't specified? It seems to
> me to be better to drop connections which are detected to not be conforming.
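Review bot: the function name and its comment document detection of both 0 and 1, while the requirement stated in the reply is to detect only 1; if 0-detection is dropped, rename the function (e.g. is_one) and reword "is equal to either 0 or 1" so the documented contract matches the check actually performed.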
There's lots of "impossible" values -- all quadratic non-residues, for example -- but there's no point checking for all of them. There's always going to be ways that a participant can deliberately sabotage the protocol (by revealing the negotiated keys, if nothing else); the point of the protocol is to protect compliant hosts from non-participants. Even the -g option isn't about any level of cryptographic security; it's purely about detecting misconfigurations.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
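The check the thread settles on, written out as an added example that is not spiped's code: a function that detects only the big-endian value 1 and leaves 0 alone. The name is_one, the branch-free loop and the sample buffers are my own constructions, not taken from the patch under discussion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample buffers (not from the thread): a 4-byte 1, a 4-byte 0,
 * and a 4-byte value whose low byte is 1 but which is not 1. */
static const uint8_t SAMPLE_ONE[4]   = { 0x00, 0x00, 0x00, 0x01 };
static const uint8_t SAMPLE_ZERO[4]  = { 0x00, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_OTHER[4] = { 0x00, 0x01, 0x00, 0x01 };

/* is_one(x, len): Returns 1 if the big-endian unsigned value stored at
 * (x, len) equals exactly 1, and 0 otherwise. Zero is deliberately not
 * special-cased: only the value 1 needs to be detected. The loop has no
 * data-dependent branches (my choice; the thread does not discuss timing). */
static int
is_one(const uint8_t * x, size_t len)
{
	unsigned int acc = 0;
	size_t i;

	/* An empty buffer encodes 0, not 1. */
	if (len == 0)
		return (0);

	/* Every byte except the last must be zero. */
	for (i = 0; i + 1 < len; i++)
		acc |= x[i];

	/* The last byte must be exactly 1. */
	acc |= x[len - 1] ^ 0x01;

	/* acc is in 0..255 and is zero iff the value is 1; map 0 -> 1, else 0. */
	return ((int)((0x100U - acc) >> 8));
}

int
main(void)
{
	uint8_t big[32] = { 0 };
	/* A 256-bit buffer holding the value 1 (constructed). */
	big[31] = 0x01;
	printf("SAMPLE_ONE:   %d\n", is_one(SAMPLE_ONE, sizeof(SAMPLE_ONE)));
	printf("SAMPLE_ZERO:  %d\n", is_one(SAMPLE_ZERO, sizeof(SAMPLE_ZERO)));
	printf("SAMPLE_OTHER: %d\n", is_one(SAMPLE_OTHER, sizeof(SAMPLE_OTHER)));
	printf("big:          %d\n", is_one(big, sizeof(big)));
	return (0);
}
```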