--- gvpe/src/connection.C 2013/07/18 17:35:10 1.103
+++ gvpe/src/connection.C 2013/07/19 18:18:27 1.104
@@ -180,15 +180,12 @@
 }
 
 static void
-auth_hash (const auth_data &auth, auth_mac &mac)
+auth_hash (const auth_data &auth, const ecdh_key &b, auth_mac &mac)
 {
-  HMAC_CTX ctx;
-
-  HMAC_CTX_init (&ctx);
-  require (HMAC_Init_ex (&ctx, auth.rsa.auth_key, sizeof (auth.rsa.auth_key), AUTH_DIGEST (), 0));
-  require (HMAC_Update (&ctx, (const unsigned char *)&auth, sizeof auth));
-  require (HMAC_Final (&ctx, (unsigned char *)&mac, 0));
-  HMAC_CTX_cleanup (&ctx);
+  hkdf kdf (&auth.ecdh, sizeof (auth.ecdh), AUTH_DIGEST ()); // use remote ecdh b as salt
+  kdf.extract (&auth.rsa, sizeof (auth.rsa));
+  kdf.extract_done ();
+  kdf.expand (mac, sizeof mac, b, sizeof b); // use response ecdh b as info
 }
 
 void
@@ -199,7 +196,6 @@
   // request data
   rand_fill (snd_auth.rsa);
   curve25519_generate (snd_ecdh_a, snd_auth.ecdh);
-  auth_hash (snd_auth, snd_auth_mac);
 
   // eventual response data
   curve25519_generate (rcv_ecdh_a, rcv_ecdh_b);
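Review bot: The comment on the new `hkdf kdf (&auth.ecdh, ...)` line calls the salt the "remote ecdh b", but `auth.ecdh` is the ecdh public key carried in the auth *request* — the requester fills it with `curve25519_generate (snd_ecdh_a, snd_auth.ecdh)` in the following hunk, and the responder passes its `rcv_auth` into this function — so it is the requester's "a" side, while the response key `b` is what goes into `expand` as info. I would reword the two comments to `// salt: ecdh public key from the auth request (the requester's a)` and `// info: ecdh public key of the auth response (b), binding the mac to this response`. One thing to confirm: the removed HMAC covered the whole struct (`sizeof auth`), whereas the HKDF now absorbs only `auth.rsa` and `auth.ecdh`, so if `auth_data` has any further member it is no longer bound by the mac. The derivation also relies on `auth.rsa` being the only secret input; a one-line comment above the function stating that `auth.rsa` must never be sent in the clear would make that contract explicit for the next reader.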
@@ -365,34 +361,29 @@
 
 /////////////////////////////////////////////////////////////////////////////
 
-unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
-
 void
-hmac_packet::hmac_gen (crypto_ctx *ctx)
+hmac_packet::hmac_gen (crypto_ctx *ctx, u8 *hmac_digest)
 {
-  unsigned int xlen;
-
   HMAC_CTX *hctx = &ctx->hctx;
 
   require (HMAC_Init_ex (hctx, 0, 0, 0, 0));
-  require (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
-                        len - sizeof (hmac_packet)));
-  require (HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen));
+  require (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet)));
+  require (HMAC_Final (hctx, hmac_digest, 0));
 }
 
 void
 hmac_packet::hmac_set (crypto_ctx *ctx)
 {
-  hmac_gen (ctx);
-
+  unsigned char hmac_digest[EVP_MAX_MD_SIZE];
+  hmac_gen (ctx, hmac_digest);
   memcpy (hmac, hmac_digest, HMACLENGTH);
 }
 
 bool
 hmac_packet::hmac_chk (crypto_ctx *ctx)
 {
-  hmac_gen (ctx);
-
+  unsigned char hmac_digest[EVP_MAX_MD_SIZE];
+  hmac_gen (ctx, hmac_digest);
   return !memcmp (hmac, hmac_digest, HMACLENGTH);
 }
 
@@ -838,8 +829,8 @@
 {
   auth_res_packet *pkt = new auth_res_packet (conf->id);
 
-  auth_hash (rcv_auth, pkt->response.mac);
-  memcpy (pkt->response.ecdh, rcv_ecdh_b, sizeof (rcv_ecdh_b));
+  memcpy (pkt->response.ecdh, rcv_ecdh_b, sizeof rcv_ecdh_b);
+  auth_hash (rcv_auth, rcv_ecdh_b, pkt->response.mac);
 
   slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
   send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
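Review bot: `hmac_chk` still decides a received packet's MAC with `return !memcmp (hmac, hmac_digest, HMACLENGTH);`, an early-exit compare whose timing depends on how many leading bytes the attacker guessed right; moving the digest onto the stack (which also removes the shared static `hmac_digest`, a real improvement) does not change that. Since the file already uses OpenSSL's HMAC API, the fix is the one-line `return !CRYPTO_memcmp (hmac, hmac_digest, HMACLENGTH);` (I believe available since OpenSSL 1.0.1; if older releases must build, OR `hmac[i] ^ hmac_digest[i]` over the `HMACLENGTH` bytes and test the accumulator for zero). The same early-exit `memcmp` is applied to the auth response mac in the PT_AUTH_RES handler further down in this diff. It would also help to note on `hmac_gen` that `hmac_digest` must point at `EVP_MAX_MD_SIZE` bytes, since `HMAC_Final` is now called with a null length pointer and cannot report how much it wrote, e.g. `// hmac_digest must have room for EVP_MAX_MD_SIZE bytes`.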
@@ -1142,14 +1133,17 @@
 
   slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
 
-  if (memcmp (&p->response.mac, snd_auth_mac, sizeof (snd_auth_mac)))
+  auth_mac local_mac;
+  auth_hash (snd_auth, p->response.ecdh, local_mac);
+
+  if (memcmp (&p->response.mac, local_mac, sizeof local_mac))
     {
       slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
             conf->nodename, (const char *)rsi);
     }
   else if (!have_snd_auth)
     {
-      memcpy (snd_ecdh_b, p->response.ecdh, sizeof (snd_ecdh_b));
+      memcpy (snd_ecdh_b, p->response.ecdh, sizeof snd_ecdh_b);
       have_snd_auth = true;
       connection_established (rsi);