[minion-cvs] Fix bugs in header generation logic; rename OAEP_OVERHE...

[nickm@seul.org (Nick Mathewson)]

Update of /home/minion/cvsroot/doc/spec
In directory moria.mit.edu:/tmp/cvs-serv14155

Modified Files:
	minion-spec.txt 
Log Message:
Fix bugs in header generation logic; rename OAEP_OVERHEAD to PK_OVERHEAD_LEN throughout (from Peter)

Index: minion-spec.txt
===================================================================
RCS file: /home/minion/cvsroot/doc/spec/minion-spec.txt,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -d -r1.18 -r1.19
--- minion-spec.txt	6 Oct 2003 19:06:12 -0000	1.18
+++ minion-spec.txt	7 Oct 2003 19:55:40 -0000	1.19
@@ -597,7 +597,7 @@
    headers are swapped at the crossover point. [XXXX describe crossover]
 
    A header is HEADER_LEN=2048 octets long and contains up to
-   2048/(OAEP_OVERHEAD+MIN_SH)=24 subheaders. Starting with N
+   2048/(PK_OVERHEAD_LEN+MIN_SH)=24 subheaders. Starting with N
    subheaders SH_0..SH_N containing secrets SK_0..SK_N (and placing
    routing extension blocks directly after their respective
    subheaders), the header is constructed by appending random padding
@@ -617,7 +617,7 @@
 
    The constructor then determines the amount of data (SIZE_i) that will
    be added for each node's subheader.  This amount is equal to
-   MIN_SH, plus OAEP_OVERHEAD, plus the length of the routing
+   MIN_SH, plus PK_OVERHEAD_LEN, plus the length of the routing
    information for the following node (or the 'delivery' routing
    information if this node is last).  The constructor generates a
    chunk of random padding, equal in length to HEADER_LEN minus the
@@ -660,7 +660,13 @@
      // Calculate the sizes of the subheaders.
      for i = 1 .. N
         // OAEP Padding plus invariant parts plus routing info.
-        SIZE_i = MIN_SH + OAEP_OVERHEAD + Len(RI_i)
+	if i = N then
+	   Set RI from R
+        else
+           Set RI = RI_(i+1)
+        endif
+
+        SIZE_i = MIN_SH + PK_OVERHEAD_LEN + Len(RI)
         JUNK_KEY_i = SubKey(SK_i, "RANDOM JUNK")
         K_i = SubKey(SK_i, "HEADER SECRET KEY")
      end
@@ -691,19 +697,19 @@
         if i = N then
              Set RT and RI from R.
         else
-             Let RT = RT_(i+1), RI = RI(i+1)
+             Let RT = RT_(i+1), RI = RI_(i+1)
         endif
 
-        SH0 = SHS(V, SK_i, Z(20), len(RI_(i+1)), RT_(i+1), RI(i+1))
+        SH0 = SHS(V, SK_i, Z(20), len(RI), RT, RI)
         SH_LEN = LEN(SH0)
         H0 = SH0 | H_(i+1)
 
-        REST = H0[PK_MAX_DATA_LEN : Len(REST) - PK_MAX_DATA_LEN]
+        REST = H0[PK_MAX_DATA_LEN : Len(H0) - PK_MAX_DATA_LEN]
 
-        EREST = Encrypt(K, REST)
+        EREST = Encrypt(K_i, REST)
         DIGEST = HASH(EREST | J_i)
 
-        SH = SHS(V, SK_i, DIGEST, len(RI_(i+1)), RT_(i+1), RI(i+1))
+        SH = SHS(V, SK_i, DIGEST, len(RI), RT, RI)
         UNDERFLOW = Min(PK_MAX_DATA_LEN - SH_LEN, 0)
         RSA_PART = SH | H0[PK_MAX_DATA_LEN - UNDERFLOW : UNDERFLOW]
 
@@ -812,7 +818,7 @@
 
         JUNK_KEY = SubKey(SK, "RANDOM JUNK")
         H1 = H1[PK_ENC_LEN : 2048-PK_ENC_LEN] |
-             PRNG(JUNK_KEY, OAEP_OVERHEAD + MIN_SH + RS)
+             PRNG(JUNK_KEY, PK_OVERHEAD_LEN + MIN_SH + RS)
         HEADER_KEY = SubKey(SK, "HEADER SECRET KEY")
         H1 = H1 ^ PRNG(HEADER_KEY, Len(H1))