From cdb1d5af7c1171f3f711e503ad71fc5b766daccc Mon Sep 17 00:00:00 2001 From: str4d Date: Mon, 17 Dec 2018 19:23:56 +0000 Subject: [PATCH] Prop 123: Add cpk_i to DH client auth KDF input This ensures the KDF output is bound to both public keys (epk and cpk_i). --- i2p2www/spec/proposals/123-new-netdb-entries.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/i2p2www/spec/proposals/123-new-netdb-entries.rst b/i2p2www/spec/proposals/123-new-netdb-entries.rst index e1dfb367..c5e57828 100644 --- a/i2p2www/spec/proposals/123-new-netdb-entries.rst +++ b/i2p2www/spec/proposals/123-new-netdb-entries.rst @@ -913,7 +913,7 @@ Then for each authorized client, the server encrypts ``authCookie`` to its publi {% highlight lang='text' %} sharedSecret = DH.AGREE(esk, cpk_i) - authInput = sharedSecret || subcredential || publishedTimestamp + authInput = sharedSecret || cpk_i || subcredential || publishedTimestamp okm = KDF(epk, authInput, "ELS2_XCA", 8 + S_KEY_LEN) clientID_i = okm[0..8] clientKey_i = okm[8..(8+S_KEY_LEN)] @@ -933,7 +933,7 @@ and encryption key ``clientKey_i``: {% highlight lang='text' %} sharedSecret = DH.AGREE(csk_i, epk) - authInput = sharedSecret || subcredential || publishedTimestamp + authInput = sharedSecret || cpk_i || subcredential || publishedTimestamp okm = KDF(epk, authInput, "ELS2_XCA", 8 + S_KEY_LEN) clientID_i = okm[0..8] clientKey_i = okm[8..(8+S_KEY_LEN)]
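Review bot: in the server-side derivation (hunk at line 913), inserting cpk_i between sharedSecret and subcredential does what the commit message says, but the hunk is only complete if the prose around it is updated too: the paragraph introducing authInput should state that the KDF input now covers the client's public key, and should say that cpk_i is a fixed-length encoding so that the bare concatenation `sharedSecret || cpk_i || subcredential || publishedTimestamp` cannot be parsed ambiguously. Note also that the binding to epk claimed in the message comes from epk being the first argument of `KDF(epk, authInput, "ELS2_XCA", 8 + S_KEY_LEN)`, not from this hunk, so the text should spell out that the two keys are covered by the salt and the input respectively.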
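Review bot: the client-side derivation (hunk at line 933) now matches the server-side input byte for byte, which is the property that matters here; suggest adding a sentence stating that the client must feed in the same cpk_i the server encrypted to, because any other key yields a clientID_i that will not match an entry, and a line in the proposal's change history, since this alters what existing implementations of this section compute.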