obfuscated-openssh
Bug (or specific issue?) with key generation when password enabled
Even when a password is enabled, only the first 32 bytes of the seed-password-iv buffer are used for key generation:
```c
EVP_DigestInit(&ctx, EVP_sha1());
EVP_DigestUpdate(&ctx, buffer, OBFUSCATE_SEED_LENGTH + iv_len);
EVP_DigestFinal(&ctx, md_output, &md_len);
```
So, for instance, when the password is longer than 16 bytes, the same key will be used for the client and for the server.
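The truncation reported above, reproduced as an added Python example (not code from obfuscated-openssh or from the issue author). It assumes a 16-byte seed, uses constructed 16-byte direction labels in place of the project's iv values, and `key_full_buffer` is one assumed correction, not the project's patch.

```python
import hashlib

SEED_LEN = 16                 # assumed OBFUSCATE_SEED_LENGTH (16 + 16-byte iv = 32)
IV_C2S = b"client-to-server"  # constructed 16-byte direction labels,
IV_S2C = b"server-to-client"  # stand-ins for the per-direction iv


def key_as_reported(seed: bytes, password: bytes, iv: bytes) -> bytes:
    """Hash only SEED_LEN + len(iv) bytes of seed||password||iv, as in the issue."""
    buf = seed + password + iv
    return hashlib.sha1(buf[:SEED_LEN + len(iv)]).digest()


def key_full_buffer(seed: bytes, password: bytes, iv: bytes) -> bytes:
    """Assumed correction: hash the whole buffer, so the iv is always covered."""
    buf = seed + password + iv
    return hashlib.sha1(buf).digest()


def directions_collide(derive, seed: bytes, password: bytes) -> bool:
    """True when both directions end up with the same key."""
    return derive(seed, password, IV_C2S) == derive(seed, password, IV_S2C)


def report(seed: bytes, passwords):
    """Per password: (length, collides as reported, collides with full buffer)."""
    return [(len(pw),
             directions_collide(key_as_reported, seed, pw),
             directions_collide(key_full_buffer, seed, pw))
            for pw in passwords]


if __name__ == "__main__":
    seed = bytes(range(SEED_LEN))  # constructed seed
    samples = [b"", b"short-pw", b"a-password-longer-than-16-bytes"]
    for n, reported, full in report(seed, samples):
        print(f"password {n:2d} bytes: as reported collide={reported}, "
              f"full buffer collide={full}")
```

With the 8-byte password the keys still differ only because the first 8 bytes of each label fall inside the 32-byte window; once the password fills that window, the direction label no longer reaches the hash at all.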