[noise] Kernel-land C implementation of latest noise specification
Jason A. Donenfeld
Jason at zx2c4.com
Tue Jul 7 17:30:26 PDT 2015
On Wed, Jul 8, 2015 at 2:18 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> So, I'm NOT modifying your GETKEY function -- I still use chacha20(k,
> n) for this, as you specify.
>
> What I'm doing, instead is replacing your usage of HMAC-SHA2-256(key,
> m) with Blake2b(key, m), and replacing your usage of SHA2-256(m) with
> Blake2b(m).
>
> Does this make sense?
>
> Perhaps revert <https://github.com/trevp/noise/commit/2dec3fd894f37a0c014b4f8656b9f90299840e8e>
> and parts of <https://github.com/trevp/noise/commit/15ac0473cf6f6e9a9ff500ecfa5ba5c00701d06b>?
> I rather liked the GETKEY part being mandated. I think these two edits
> made the specification much less clear.
Just to make sure we're crystal clear, here is how I derive a new session:
noise_derive_new_session(dst, src)
{
dst->key = noise_getkey(src);
dst->hash = src->hash;
dst->index = src->index;
dst->nonce_counter = 0;
}
And here is what I do after a dhes or dhss or dhee calculation in a descriptor:
noise_kdf(key, dh_calculation_input)
{
temporary_key_value = thirty-two-bytes-of-zeros;
if (key is not empty)
temporary_key_value = noise_getkey(key);
key->key = blake2b(temporary_key_value, dh_calculation_input);
key->nonce_counter = 0;
}
Both of these functions call noise_getkey, which does this:
noise_getkey(src_key)
{
return chacha20(src_key->key, src_key->nonce_counter++,
thirty-two-bytes-of-zeros);
}
Is this fitting with the specification?
Finally, after a new message involving a descriptor has been consumed
or created, I do this:
noise_finish_consuming_message(key, message)
{
key->hash = blake2b(key->hash || message);
}
Are we on the same page?
More information about the Noise
mailing list