Signature fix

2025-03-28 19:41:55 +02:00 · 2025-03-28 19:41:55 +02:00 · 8d45d2e745
commit 8d45d2e745
parent 045d9ad417
1 changed files with 13 additions and 16 deletions
--- a/protocol_prototype/protocol.py
+++ b/protocol_prototype/protocol.py
@ -307,8 +307,8 @@ class IcingProtocol:

    def generate_ecdhe(self, index: int):
        """
-        Formerly 'respond_to_handshake'. Verifies ephemeral signature, computes ECDH,
-        updates pfs_history, and stores shared_secret. Does NOT send a handshake back.
+        Formerly 'respond_to_handshake'. Verifies the inbound ephemeral signature
+        and computes the ECDH shared secret, updating PFS history.
        """
        if index < 0 or index >= len(self.inbound_messages):
            print(f"{RED}[ERROR]{RESET} Invalid index {index}.")
@ -318,33 +318,30 @@ class IcingProtocol:
            print(f"{RED}[ERROR]{RESET} inbound_messages[{index}] is not a HANDSHAKE.")
            return

-        # Parse fields
-        # (timestamp, ephemeral_pub, ephemeral_sig, pfs_hash) = ...
-        (ts32, ephemeral_pub, ephemeral_sig, pfs_val) = msg["parsed"]
+        ephemeral_pub = msg["parsed"]["ephemeral_pub"]
+        ephemeral_sig = msg["parsed"]["ephemeral_sig"]
+
+        # Use our raw_signature_to_der wrapper only if signature is 64 bytes.
+        # Otherwise, assume the signature is already DER-encoded.
+        from crypto_utils import raw_signature_to_der
+        if len(ephemeral_sig) == 64:
+            sig_der = raw_signature_to_der(ephemeral_sig)
+        else:
+            sig_der = ephemeral_sig

-        # 1) Verify ephemeral signature
-        if not self.peer_identity_pubkey_obj:
-            print(f"{RED}[ERROR]{RESET} Peer identity not set.")
-            return
-        # ephemeral_sig is raw r||s
-        sig_der = raw_signature_to_der(ephemeral_sig)
        ok = verify_signature(self.peer_identity_pubkey_obj, sig_der, ephemeral_pub)
        if not ok:
            print(f"{RED}[ERROR]{RESET} Ephemeral signature invalid.")
            return
        print(f"{GREEN}[OK]{RESET} Ephemeral signature verified.")

-        # 2) ECDH
        if not self.ephemeral_privkey:
-            print(f"{YELLOW}[WARN]{RESET} No ephemeral_privkey. Cannot compute shared secret.")
+            print(f"{YELLOW}[WARN]{RESET} No ephemeral_privkey available, cannot compute shared secret.")
            return
        shared = compute_ecdh_shared_key(self.ephemeral_privkey, ephemeral_pub)
        self.shared_secret = shared.hex()
        print(f"{GREEN}[OK]{RESET} Computed ECDH shared key = {self.shared_secret}")

-        # 3) Update pfs_history
-        # If we have an entry, increment session_number, store new secret
-        # If none, create session_number=1, store new secret
        old_session, _ = self.pfs_history.get(self.peer_identity_pubkey_bytes, (-1, ""))
        new_session = 1 if old_session < 0 else old_session + 1
        self.pfs_history[self.peer_identity_pubkey_bytes] = (new_session, self.shared_secret)