From c0183326a6447f931d4ec971963633a687e12c5e Mon Sep 17 00:00:00 2001
From: "Javier S. Pedro" <maemo@javispedro.com>
Date: Sun, 30 Sep 2012 23:56:06 +0200
Subject: prevent trivial mitm attack

---
 distfoldd/agent.cc       | 7 +++++--
 distfoldd/agent.h        | 2 +-
 distfoldd/clientagent.cc | 4 +++-
 distfoldd/serveragent.cc | 4 +++-
 4 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/distfoldd/agent.cc b/distfoldd/agent.cc
index 8baa85b..1087889 100644
--- a/distfoldd/agent.cc
+++ b/distfoldd/agent.cc
@@ -175,9 +175,12 @@ QByteArray Agent::generateChallenge()
 	return QCA::Random::randomArray(challenge_size).toByteArray();
 }
 
-QByteArray Agent::generateChallengeResponse(const QByteArray& server_challenge, const QByteArray& client_challenge)
+QByteArray Agent::generateChallengeResponse(const QByteArray& server_challenge, const QByteArray& client_challenge, const QSslCertificate& server_cert, const QSslCertificate& client_cert)
 {
-	return hmacSha1(_passwd.toUtf8(), server_challenge + client_challenge);
+	QByteArray server_digest = server_cert.digest(QCryptographicHash::Sha1);
+	QByteArray client_digest = client_cert.digest(QCryptographicHash::Sha1);
+	return hmacSha1(_passwd.toUtf8(), server_challenge + server_digest +
+	                                  client_challenge + client_digest);
 }
 
 QByteArray Agent::encodeAuthReply(AuthResult result)
diff --git a/distfoldd/agent.h b/distfoldd/agent.h
index 0d25077..727eb55 100644
--- a/distfoldd/agent.h
+++ b/distfoldd/agent.h
@@ -187,7 +187,7 @@ protected:
 
 	static QByteArray hmacSha1(const QByteArray& key, const QByteArray& message);
 	QByteArray generateChallenge();
-	QByteArray generateChallengeResponse(const QByteArray& server_challenge, const QByteArray& client_challenge);
+	QByteArray generateChallengeResponse(const QByteArray& server_challenge, const QByteArray& client_challenge, const QSslCertificate& server_cert, const QSslCertificate& client_cert);
 
 	QByteArray encodeAuthReply(AuthResult result);
 	AuthResult decodeAuthReply(const QByteArray& ba);
diff --git a/distfoldd/clientagent.cc b/distfoldd/clientagent.cc
index 8eb6c44..7d108cb 100644
--- a/distfoldd/clientagent.cc
+++ b/distfoldd/clientagent.cc
@@ -22,7 +22,9 @@ void ClientAgent::handleMessage(MessageType msg, const QByteArray &data)
 		qDebug() << "Hello reply";
 		Q_ASSERT(_socket->isEncrypted());
 		_state = STATE_AUTH;
-		sendMessage(MSG_AUTH, generateChallengeResponse(data, _challenge));
+		sendMessage(MSG_AUTH, generateChallengeResponse(data, _challenge,
+		                                                _socket->peerCertificate(),
+		                                                _socket->localCertificate()));
 		break;
 	case MSG_AUTH_REPLY:
 		Q_ASSERT(_state == STATE_AUTH);
diff --git a/distfoldd/serveragent.cc b/distfoldd/serveragent.cc
index 3f133bd..2051e22 100644
--- a/distfoldd/serveragent.cc
+++ b/distfoldd/serveragent.cc
@@ -78,7 +78,9 @@ void ServerAgent::handleAuth(const QByteArray &response)
 
 	qDebug() << "Server Handling client auth";
 
-	if (response == generateChallengeResponse(_challenge, _clientChallenge)) {
+	if (response == generateChallengeResponse(_challenge, _clientChallenge,
+	                                          _socket->localCertificate(),
+	                                          _socket->peerCertificate())) {
 		_authOk = true;
 		qDebug() << "Authentication successful";
 	} else {
-- 
cgit v1.2.3