fix(rosenpass): Prevent duplicate osk issue on handshake

Issue reported by: Paul Spooren <mail@aparcar.org>
2025-12-09 14:20:30 -08:00 · 2024-06-05 18:40:01 +05:30
4 changed files with 10 additions and 9 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1011,7 +1011,7 @@ checksum = "3582f63211428f83597b51b2ddb88e2a91a9d52d12831f9d08f5e624e8977422"

 [[package]]
 name = "rosenpass"
-version = "0.2.1"
+version = "0.2.2"
 dependencies = [
 "anyhow",
 "base64",
--- a/rosenpass/Cargo.toml
+++ b/rosenpass/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "rosenpass"
-version = "0.2.1"
+version = "0.2.2"
 authors = ["Karolin Varner <karo@cupdev.net>", "wucke13 <wucke13@gmail.com>"]
 edition = "2021"
 license = "MIT OR Apache-2.0"
--- a/rosenpass/src/msgs.rs
+++ b/rosenpass/src/msgs.rs
@@ -131,9 +131,6 @@ macro_rules! data_lense(

        impl<__ContainerType $(, $( $generic: LenseView ),+ )? > $type<__ContainerType $(, $( $generic ),+ )? >{
            $(
-            /// Size in bytes of the field `
-            #[doc = !($field)]
-            /// `
            pub const fn [< $field _len >]() -> usize{
                $len
            }
--- a/rosenpass/src/protocol.rs
+++ b/rosenpass/src/protocol.rs
@@ -822,12 +822,12 @@ impl CryptoServer {
                ensure!(msg_in.check_seal(self)?, seal_broken);

                let mut msg_out = tx_buf.envelope_truncating::<EmptyData<&mut [u8]>>()?;
-                let peer = self.handle_init_conf(
+                let (peer, if_exchanged) = self.handle_init_conf(
                    msg_in.payload().init_conf()?,
                    msg_out.payload_mut().empty_data()?,
                )?;
                len = self.seal_and_commit_msg(peer, MsgType::EmptyData, msg_out)?;
-                exchanged = true;
+                exchanged = if_exchanged;
                peer
            }
            Ok(MsgType::EmptyData) => {
@@ -1614,7 +1614,8 @@ impl CryptoServer {
        &mut self,
        ic: InitConf<&[u8]>,
        mut rc: EmptyData<&mut [u8]>,
-    ) -> Result<PeerPtr> {
+    ) -> Result<(PeerPtr, bool)> {
+        let mut exchanged = false;
        // (peer, bn) ← LoadBiscuit(InitConf.biscuit)
        // ICR1
        let (peer, biscuit_no, mut core) = HandshakeState::load_biscuit(
@@ -1644,6 +1645,9 @@ impl CryptoServer {
            // TODO: This should be part of the protocol specification.
            // Abort any ongoing handshake from initiator role
            peer.hs().take(self);
+
+            // Only exchange key on a new biscuit number
+            exchanged = true;
        }

        // TODO: Implementing RP should be possible without touching the live session stuff
@@ -1683,7 +1687,7 @@ impl CryptoServer {
        let k = ses.txkm.secret();
        aead_enc_into(rc.auth_mut(), k, &n, &NOTHING, &NOTHING)?; // ct, k, n, ad, pt

-        Ok(peer)
+        Ok((peer, exchanged))
    }

    pub fn handle_resp_conf(&mut self, rc: EmptyData<&[u8]>) -> Result<PeerPtr> {