Include protocol version in shared secret derivation.

briar-core/src/main/java/org/briarproject/briar/introduction/IntroduceeManager.java

@@ -76,6 +76,7 @@ import static org.briarproject.briar.api.introduction.IntroductionConstants.OUR_
 import static org.briarproject.briar.api.introduction.IntroductionConstants.OUR_SIGNATURE;
 import static org.briarproject.briar.api.introduction.IntroductionConstants.OUR_TIME;
 import static org.briarproject.briar.api.introduction.IntroductionConstants.OUR_TRANSPORT;
+import static org.briarproject.briar.api.introduction.IntroductionConstants.PROTOCOL_VERSION;
 import static org.briarproject.briar.api.introduction.IntroductionConstants.PUBLIC_KEY;
 import static org.briarproject.briar.api.introduction.IntroductionConstants.REMOTE_AUTHOR_ID;
 import static org.briarproject.briar.api.introduction.IntroductionConstants.REMOTE_AUTHOR_IS_US;
@@ -433,8 +434,13 @@ class IntroduceeManager {
 
 		// The shared secret is derived from the local ephemeral key pair
 		// and the remote ephemeral public key
+		byte[][] inputs = {
+				new byte[] {PROTOCOL_VERSION},
+				alice ? ourPublicKeyBytes : theirPublicKeyBytes,
+				alice ? theirPublicKeyBytes : ourPublicKeyBytes
+		};
 		return cryptoComponent.deriveSharedSecret(SHARED_SECRET_LABEL,
-				theirPublicKey, ourKeyPair, alice);
+				theirPublicKey, ourKeyPair, inputs);
 	}
 
 	/**

briar-core/src/test/java/org/briarproject/briar/introduction/IntroductionIntegrationTest.java

@@ -65,6 +65,7 @@ import static org.briarproject.briar.api.introduction.IntroductionConstants.MAC_
 import static org.briarproject.briar.api.introduction.IntroductionConstants.MAC_LABEL;
 import static org.briarproject.briar.api.introduction.IntroductionConstants.NAME;
 import static org.briarproject.briar.api.introduction.IntroductionConstants.NONCE;
+import static org.briarproject.briar.api.introduction.IntroductionConstants.PROTOCOL_VERSION;
 import static org.briarproject.briar.api.introduction.IntroductionConstants.PUBLIC_KEY;
 import static org.briarproject.briar.api.introduction.IntroductionConstants.SESSION_ID;
 import static org.briarproject.briar.api.introduction.IntroductionConstants.SHARED_SECRET_LABEL;
@@ -753,8 +754,13 @@ public class IntroductionIntegrationTest
 		KeyPair eKeyPair2 = crypto.generateAgreementKeyPair();
 
 		// Nonce 1
+		byte[][] inputs = {
+				new byte[] {PROTOCOL_VERSION},
+				eKeyPair1.getPublic().getEncoded(),
+				eKeyPair2.getPublic().getEncoded()
+		};
 		SecretKey sharedSecret = crypto.deriveSharedSecret(SHARED_SECRET_LABEL,
-				eKeyPair2.getPublic(), eKeyPair1, true);
+				eKeyPair2.getPublic(), eKeyPair1, inputs);
 		byte[] nonce1 = crypto.mac(ALICE_NONCE_LABEL, sharedSecret);
 
 		// Signature 1
@@ -787,20 +793,24 @@ public class IntroductionIntegrationTest
 
 		// replace ephemeral key pair and recalculate matching keys and nonce
 		KeyPair eKeyPair1f = crypto.generateAgreementKeyPair();
-		byte[] ePublicKeyBytes1f = eKeyPair1f.getPublic().getEncoded();
+		byte[][] fakeInputs = {
+				new byte[] {PROTOCOL_VERSION},
+				eKeyPair1f.getPublic().getEncoded(),
+				eKeyPair2.getPublic().getEncoded()
+		};
 		sharedSecret = crypto.deriveSharedSecret(SHARED_SECRET_LABEL,
-				eKeyPair2.getPublic(), eKeyPair1f, true);
+				eKeyPair2.getPublic(), eKeyPair1f, fakeInputs);
 		nonce1 = crypto.mac(ALICE_NONCE_LABEL, sharedSecret);
 
 		// recalculate MAC
 		macKey1 = crypto.deriveKey(ALICE_MAC_KEY_LABEL, sharedSecret);
 		toMacList = BdfList.of(keyPair1.getPublic().getEncoded(),
-				ePublicKeyBytes1f, tp1, time1);
+				eKeyPair1f.getPublic().getEncoded(), tp1, time1);
 		toMac = clientHelper.toByteArray(toMacList);
 		mac1 = crypto.mac(MAC_LABEL, macKey1, toMac);
 
 		// update state with faked information
-		state.put(E_PUBLIC_KEY, ePublicKeyBytes1f);
+		state.put(E_PUBLIC_KEY, eKeyPair1f.getPublic().getEncoded());
 		state.put(MAC, mac1);
 		state.put(MAC_KEY, macKey1.getBytes());
 		state.put(NONCE, nonce1);