p2p: validate recovered ephemeral pubkey against checksum in decodeAuthMsg

1 files changed, 12 insertions, 4 deletions

diff --git a/p2p/rlpx.go b/p2p/rlpx.go
index eca3d9ed6..3e3589c49 100644
--- a/p2p/rlpx.go
+++ b/p2p/rlpx.go
@@ -267,6 +267,10 @@ func initiatorEncHandshake(conn io.ReadWriter, prv *ecdsa.PrivateKey, remoteID d
 }
 
 func newInitiatorHandshake(remoteID discover.NodeID) (*encHandshake, error) {
+	rpub, err := remoteID.Pubkey()
+	if err != nil {
+		return nil, fmt.Errorf("bad remoteID: %v", err)
+	}
 	// generate random initiator nonce
 	n := make([]byte, shaLen)
 	if _, err := rand.Read(n); err != nil {
@@ -277,10 +281,6 @@ func newInitiatorHandshake(remoteID discover.NodeID) (*encHandshake, error) {
 	if err != nil {
 		return nil, err
 	}
-	rpub, err := remoteID.Pubkey()
-	if err != nil {
-		return nil, fmt.Errorf("bad remoteID: %v", err)
-	}
 	h := &encHandshake{
 		initiator:     true,
 		remoteID:      remoteID,
@@ -417,6 +417,14 @@ func decodeAuthMsg(prv *ecdsa.PrivateKey, token []byte, auth []byte) (*encHandsh
 	if err != nil {
 		return nil, err
 	}
+
+	// validate the sha3 of recovered pubkey
+	remoteRandomPubMAC := msg[sigLen : sigLen+shaLen]
+	shaRemoteRandomPub := crypto.Sha3(remoteRandomPub[1:])
+	if !bytes.Equal(remoteRandomPubMAC, shaRemoteRandomPub) {
+		return nil, fmt.Errorf("sha3 of recovered ephemeral pubkey does not match checksum in auth message")
+	}
+
 	h.remoteRandomPub, _ = importPublicKey(remoteRandomPub)
 	return h, nil
 }