5 files changed, 42 insertions, 1 deletions

diff --git a/src/exchange/taler-exchange-httpd_link.c b/src/exchange/taler-exchange-httpd_link.c
index de10f8b82..47b803ffa 100644
--- a/src/exchange/taler-exchange-httpd_link.c
+++ b/src/exchange/taler-exchange-httpd_link.c
@@ -91,7 +91,13 @@ handle_link_data (void *cls,
       TALER_JSON_pack_exchange_withdraw_values ("ewv",
                                                 &pos->alg_values),
       GNUNET_JSON_pack_data_auto ("link_sig",
-                                  &pos->orig_coin_link_sig));
+                                  &pos->orig_coin_link_sig),
+      GNUNET_JSON_pack_allow_null (
+        pos->have_nonce
+        ? GNUNET_JSON_pack_data_auto ("cs_nonce",
+                                      &pos->nonce)
+        : GNUNET_JSON_pack_string ("cs_nonce",
+                                   NULL)));
     if ( (NULL == obj) ||
          (0 !=
           json_array_append_new (list,
diff --git a/src/exchange/taler-exchange-httpd_recoup-refresh.c b/src/exchange/taler-exchange-httpd_recoup-refresh.c
index 3e0588940..829e2cbd7 100644
--- a/src/exchange/taler-exchange-httpd_recoup-refresh.c
+++ b/src/exchange/taler-exchange-httpd_recoup-refresh.c
@@ -174,6 +174,7 @@ verify_and_execute_recoup_refresh (
   const struct TALER_CoinPublicInfo *coin,
   const struct TALER_ExchangeWithdrawValues *exchange_vals,
   const union TALER_DenominationBlindingKeyP *coin_bks,
+  const struct TALER_CsNonce *nonce,
   const struct TALER_CoinSpendSignatureP *coin_sig)
 {
   struct RecoupContext pc;
@@ -263,6 +264,9 @@ verify_and_execute_recoup_refresh (
         TALER_EC_EXCHANGE_RECOUP_REFRESH_BLINDING_FAILED,
         NULL);
     }
+    if (TALER_DENOMINATION_CS == blinded_planchet.cipher)
+      blinded_planchet.details.cs_blinded_planchet.nonce
+        = *nonce;
     TALER_coin_ev_hash (&blinded_planchet,
                         &coin->denom_pub_hash,
                         &h_blind);
@@ -360,6 +364,7 @@ TEH_handler_recoup_refresh (struct MHD_Connection *connection,
   union TALER_DenominationBlindingKeyP coin_bks;
   struct TALER_CoinSpendSignatureP coin_sig;
   struct TALER_ExchangeWithdrawValues exchange_vals;
+  struct TALER_CsNonce nonce;
   struct GNUNET_JSON_Specification spec[] = {
     GNUNET_JSON_spec_fixed_auto ("denom_pub_hash",
                                  &coin.denom_pub_hash),
@@ -371,12 +376,18 @@ TEH_handler_recoup_refresh (struct MHD_Connection *connection,
                                  &coin_bks),
     GNUNET_JSON_spec_fixed_auto ("coin_sig",
                                  &coin_sig),
+    GNUNET_JSON_spec_mark_optional (
+      GNUNET_JSON_spec_fixed_auto ("cs_nonce",
+                                   &nonce)),
     GNUNET_JSON_spec_end ()
   };
 
   memset (&coin,
           0,
           sizeof (coin));
+  memset (&nonce,
+          0,
+          sizeof (nonce));
   coin.coin_pub = *coin_pub;
   ret = TALER_MHD_parse_json_data (connection,
                                    root,
@@ -392,6 +403,7 @@ TEH_handler_recoup_refresh (struct MHD_Connection *connection,
                                              &coin,
                                              &exchange_vals,
                                              &coin_bks,
+                                             &nonce,
                                              &coin_sig);
     GNUNET_JSON_parse_free (spec);
     return res;
diff --git a/src/exchange/taler-exchange-httpd_recoup.c b/src/exchange/taler-exchange-httpd_recoup.c
index f4e426fbb..c635769c6 100644
--- a/src/exchange/taler-exchange-httpd_recoup.c
+++ b/src/exchange/taler-exchange-httpd_recoup.c
@@ -177,6 +177,7 @@ verify_and_execute_recoup (
   const struct TALER_CoinPublicInfo *coin,
   const struct TALER_ExchangeWithdrawValues *exchange_vals,
   const union TALER_DenominationBlindingKeyP *coin_bks,
+  const struct TALER_CsNonce *nonce,
   const struct TALER_CoinSpendSignatureP *coin_sig)
 {
   struct RecoupContext pc;
@@ -268,6 +269,9 @@ verify_and_execute_recoup (
         TALER_EC_EXCHANGE_RECOUP_BLINDING_FAILED,
         NULL);
     }
+    if (TALER_DENOMINATION_CS == blinded_planchet.cipher)
+      blinded_planchet.details.cs_blinded_planchet.nonce
+        = *nonce;
     if (GNUNET_OK !=
         TALER_coin_ev_hash (&blinded_planchet,
                             &coin->denom_pub_hash,
@@ -373,6 +377,7 @@ TEH_handler_recoup (struct MHD_Connection *connection,
   union TALER_DenominationBlindingKeyP coin_bks;
   struct TALER_CoinSpendSignatureP coin_sig;
   struct TALER_ExchangeWithdrawValues exchange_vals;
+  struct TALER_CsNonce nonce;
   struct GNUNET_JSON_Specification spec[] = {
     GNUNET_JSON_spec_fixed_auto ("denom_pub_hash",
                                  &coin.denom_pub_hash),
@@ -384,12 +389,18 @@ TEH_handler_recoup (struct MHD_Connection *connection,
                                  &coin_bks),
     GNUNET_JSON_spec_fixed_auto ("coin_sig",
                                  &coin_sig),
+    GNUNET_JSON_spec_mark_optional (
+      GNUNET_JSON_spec_fixed_auto ("cs_nonce",
+                                   &nonce)),
     GNUNET_JSON_spec_end ()
   };
 
   memset (&coin,
           0,
           sizeof (coin));
+  memset (&nonce,
+          0,
+          sizeof (nonce));
   coin.coin_pub = *coin_pub;
   ret = TALER_MHD_parse_json_data (connection,
                                    root,
@@ -408,6 +419,7 @@ TEH_handler_recoup (struct MHD_Connection *connection,
                                      &coin,
                                      &exchange_vals,
                                      &coin_bks,
+                                     &nonce,
                                      &coin_sig);
     GNUNET_JSON_parse_free (spec);
     return res;
diff --git a/src/exchange/taler-exchange-httpd_refreshes_reveal.c b/src/exchange/taler-exchange-httpd_refreshes_reveal.c
index 0d8f7bf9b..779b9df45 100644
--- a/src/exchange/taler-exchange-httpd_refreshes_reveal.c
+++ b/src/exchange/taler-exchange-httpd_refreshes_reveal.c
@@ -634,6 +634,13 @@ resolve_refreshes_reveal_denominations (struct MHD_Connection *connection,
 
       rrc->blinded_planchet = rcds[i].blinded_planchet;
     }
+    // FIXME: in CS-case, we MUST check if signatures
+    // already exist under the given nonce
+    // (TODO: check: refresh session hash OK?), and if so,
+    // we MUST return the existing signatures (c0/c1 may have changed!)
+    // and MUST NOT return the fresh signatures!
+    // => change this to a 'do_refresh_reveal' and
+    // change SQL to return existing signatures (if any)!
     qs = TEH_plugin->insert_refresh_reveal (TEH_plugin->cls,
                                             melt_serial_id,
                                             num_fresh_coins,
diff --git a/src/exchange/taler-exchange-httpd_withdraw.c b/src/exchange/taler-exchange-httpd_withdraw.c
index 7572f85d2..3799187c1 100644
--- a/src/exchange/taler-exchange-httpd_withdraw.c
+++ b/src/exchange/taler-exchange-httpd_withdraw.c
@@ -535,6 +535,10 @@ TEH_handler_withdraw (struct TEH_RequestContext *rc,
   /* Clean up and send back final response */
   GNUNET_JSON_parse_free (spec);
 
+  // FIXME: in CS-case, we MUST re-transmit any _existing_ signature
+  // (if database had a record matching the nonce)
+  // instead of sending a 'fresh' one back (as c0/c1 may differ in
+  // a client attack!
   {
     MHD_RESULT ret;