From c4f8e1d2a4983ec02fdbc3c9b697d452793a2be2 Mon Sep 17 00:00:00 2001
From: Prabhpreet Dua <615318+prabhpreet@users.noreply.github.com>
Date: Wed, 5 Jun 2024 18:40:01 +0530
Subject: [PATCH] fix(rosenpass): Prevent duplicate osk issue on handshake

Issue reported by: Paul Spooren
---
 Cargo.lock | 2 +-
 rosenpass/Cargo.toml | 2 +-
 rosenpass/src/msgs.rs | 3 ---
 rosenpass/src/protocol.rs | 12 ++++++++----
 4 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 1f805c7..908286f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1011,7 +1011,7 @@ checksum = "3582f63211428f83597b51b2ddb88e2a91a9d52d12831f9d08f5e624e8977422"
 [[package]]
 name = "rosenpass"
-version = "0.2.1"
+version = "0.2.2"
 dependencies = [
 "anyhow",
 "base64",
diff --git a/rosenpass/Cargo.toml b/rosenpass/Cargo.toml
index a2bd3e0..c591ece 100644
--- a/rosenpass/Cargo.toml
+++ b/rosenpass/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "rosenpass"
-version = "0.2.1"
+version = "0.2.2"
 authors = ["Karolin Varner ", "wucke13 "]
 edition = "2021"
 license = "MIT OR Apache-2.0"
diff --git a/rosenpass/src/msgs.rs b/rosenpass/src/msgs.rs
index 9108f1b..683bac2 100644
--- a/rosenpass/src/msgs.rs
+++ b/rosenpass/src/msgs.rs
@@ -131,9 +131,6 @@ macro_rules! data_lense(
 impl<__ContainerType $(, $( $generic: LenseView ),+ )? > $type<__ContainerType $(, $( $generic ),+ )? >{ $(
- /// Size in bytes of the field `
- #[doc = !($field)]
- /// `
 pub const fn [< $field _len >]() -> usize{ $len }
diff --git a/rosenpass/src/protocol.rs b/rosenpass/src/protocol.rs
index 44cf57d..26104ec 100644
--- a/rosenpass/src/protocol.rs
+++ b/rosenpass/src/protocol.rs
@@ -822,12 +822,12 @@ impl CryptoServer {
 ensure!(msg_in.check_seal(self)?, seal_broken);
 let mut msg_out = tx_buf.envelope_truncating::>()?;
- let peer = self.handle_init_conf(
+ let (peer, if_exchanged) = self.handle_init_conf(
 msg_in.payload().init_conf()?,
 msg_out.payload_mut().empty_data()?,
 )?;
 len = self.seal_and_commit_msg(peer, MsgType::EmptyData, msg_out)?;
- exchanged = true;
+ exchanged = if_exchanged;
 peer
 }
 Ok(MsgType::EmptyData) => {
@@ -1614,7 +1614,8 @@ impl CryptoServer {
 &mut self,
 ic: InitConf<&[u8]>,
 mut rc: EmptyData<&mut [u8]>,
- ) -> Result {
+ ) -> Result<(PeerPtr, bool)> {
+ let mut exchanged = false;
 // (peer, bn) ← LoadBiscuit(InitConf.biscuit)
 // ICR1
 let (peer, biscuit_no, mut core) = HandshakeState::load_biscuit(
@@ -1644,6 +1645,9 @@ impl CryptoServer {
 // TODO: This should be part of the protocol specification.
 // Abort any ongoing handshake from initiator role
 peer.hs().take(self);
+
+ // Only exchange key on a new biscuit number
+ exchanged = true;
 }
 // TODO: Implementing RP should be possible without touching the live session stuff
@@ -1683,7 +1687,7 @@ impl CryptoServer {
 let k = ses.txkm.secret();
 aead_enc_into(rc.auth_mut(), k, &n, &NOTHING, &NOTHING)?; // ct, k, n, ad, pt
- Ok(peer)
+ Ok((peer, exchanged))
 }
 pub fn handle_resp_conf(&mut self, rc: EmptyData<&[u8]>) -> Result {
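Review bot: The `if_exchanged` temporary introduced in `let (peer, if_exchanged) = self.handle_init_conf(` exists only to be copied into `exchanged` two lines later, and its name does not say what the flag records. Naming it for the event it reports, `let (peer, new_session) = self.handle_init_conf(` followed by `exchanged = new_session;`, lets the InitConf arm read as "announce the key only when a fresh session was installed". The `exchanged` flag is assigned here but declared outside the hunk, so this is a point of style only.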
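Review bot: The `bool` added to the signature in `) -> Result<(PeerPtr, bool)> {` is undocumented, and the only explanation of it is the comment added in the next hunk, `// Only exchange key on a new biscuit number`, which reads as if it gated the key exchange rather than reporting that one happened. I would state the contract on the function, e.g. `/// Returns the peer and whether a fresh session was installed: true only when the InitConf carried a new biscuit number, false for a retransmitted InitConf, which is still answered with EmptyData but must not re-announce the output key.`, and reword the in-branch comment to `// Report the exchange once: a retransmitted InitConf reuses the biscuit number, so the caller must not announce the same OSK again`. The `if` whose body sets `exchanged = true` begins outside the hunk, so I am inferring from the comment and the `biscuit_no` binding that it is the biscuit-number freshness check, i.e. the replay defence that this fix now also ties the key announcement to. A regression test that feeds the same InitConf twice and asserts the returned flag is `true` then `false` would pin the duplicate-OSK behaviour the commit message describes.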