From b9a7482c0254c8c1ece1acf93ef23082f31abb37 Mon Sep 17 00:00:00 2001
From: Roger Dingledine
Date: Sat, 6 Aug 2005 16:50:51 +0000
Subject: [PATCH] note another potential security problem with generating key material from our DH handshake.

svn:r4724
---
 src/common/crypto.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/common/crypto.c b/src/common/crypto.c
index c75ab2694d..2fd0e3042f 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -1458,6 +1458,12 @@ int crypto_dh_compute_secret(crypto_dh_env_t *dh,
   }
   secret_len = result; /* sometimes secret_len might be less than 128, e.g., 127. that's ok. */
+  /* Actually, http://www.faqs.org/rfcs/rfc2631.html says:
+   * Leading zeros MUST be preserved, so that ZZ occupies as many
+   * octets as p. For instance, if p is 1024 bits, ZZ should be 128
+   * bytes long.
+   * What are the security implications here?
+   */
   for (i = 0; i < secret_bytes_out; i += DIGEST_LEN) {
     secret_tmp[secret_len] = (unsigned char) i/DIGEST_LEN;
     if (crypto_digest(hash, secret_tmp, secret_len+1))