[noise] diff between KDF=64byte-PRF and KDF=HKDF-with-64byte-hashfunc

Jason A. Donenfeld Jason at zx2c4.com
Wed Oct 14 07:57:02 PDT 2015 

In case it helps at all in deciding, here's a practical point of view on
the complexity added:

diff --git a/src/crypto/blake2b.c b/src/crypto/blake2b.c
index a87e714..e45e71a 100644
--- a/src/crypto/blake2b.c
<http://git.zx2c4.com/WireGuard/tree/src/crypto/blake2b.c?id=cb3a2550d4111325b4a101fb0fdf2bed3d82313c>
+++ b/src/crypto/blake2b.c
<http://git.zx2c4.com/WireGuard/tree/src/crypto/blake2b.c?id=b2a846defbde29cab1f0d4fbdfe898cd96ead855>
@@ -290,6 +290,45 @@ void blake2b(uint8_t *out, const uint8_t *in, const
uint8_t *key, const uint8_t
blake2b_final(&state, out, outlen);
}
+void blake2b_hmac(uint8_t *out, const uint8_t *in, const uint8_t *key,
const uint8_t outlen, const uint64_t inlen, const uint64_t keylen)
+{
+ blake2b_state state;
+ uint8_t o_key[BLAKE2B_BLOCKBYTES] = { 0 };
+ uint8_t i_key[BLAKE2B_BLOCKBYTES] = { 0 };
+ uint8_t i_hash[BLAKE2B_OUTBYTES];
+ uint8_t i;
+
+ if (keylen > BLAKE2B_BLOCKBYTES) {
+ blake2b_init(&state, BLAKE2B_OUTBYTES);
+ blake2b_update(&state, key, keylen);
+ blake2b_final(&state, o_key, BLAKE2B_OUTBYTES);
+ memcpy(i_key, o_key, BLAKE2B_OUTBYTES);
+ } else {
+ memcpy(o_key, key, keylen);
+ memcpy(i_key, key, keylen);
+ }
+
+ for (i = 0; i < BLAKE2B_BLOCKBYTES; ++i) {
+ o_key[i] ^= 0x5c;
+ i_key[i] ^= 0x36;
+ }
+
+ blake2b_init(&state, BLAKE2B_OUTBYTES);
+ blake2b_update(&state, i_key, BLAKE2B_BLOCKBYTES);
+ blake2b_update(&state, in, inlen);
+ blake2b_final(&state, i_hash, BLAKE2B_OUTBYTES);
+
+ blake2b_init(&state, BLAKE2B_OUTBYTES);
+ blake2b_update(&state, o_key, BLAKE2B_BLOCKBYTES);
+ blake2b_update(&state, i_hash, BLAKE2B_OUTBYTES);
+ blake2b_final(&state, i_hash, BLAKE2B_OUTBYTES);
+
+ memcpy(out, i_hash, outlen);
+ memzero_explicit(o_key, BLAKE2B_BLOCKBYTES);
+ memzero_explicit(i_key, BLAKE2B_BLOCKBYTES);
+ memzero_explicit(i_hash, BLAKE2B_OUTBYTES);
+}
+
#ifdef DEBUG
#include "blake2b_selftest.h"
diff --git a/src/crypto/blake2b.h b/src/crypto/blake2b.h
index 7a2180f..1b4e659 100644
--- a/src/crypto/blake2b.h
<http://git.zx2c4.com/WireGuard/tree/src/crypto/blake2b.h?id=cb3a2550d4111325b4a101fb0fdf2bed3d82313c>
+++ b/src/crypto/blake2b.h
<http://git.zx2c4.com/WireGuard/tree/src/crypto/blake2b.h?id=b2a846defbde29cab1f0d4fbdfe898cd96ead855>
@@ -30,6 +30,8 @@ void blake2b_init_key(blake2b_state *state, const uint8_t
outlen, const void *ke
void blake2b_update(blake2b_state *state, const uint8_t *in, uint64_t
inlen);
void blake2b_final(blake2b_state *state, uint8_t *out, uint8_t outlen);
+void blake2b_hmac(uint8_t *out, const uint8_t *in, const uint8_t *key,
const uint8_t outlen, const uint64_t inlen, const uint64_t keylen);
+
#ifdef DEBUG
void blake2b_selftest(void);
#endif
diff --git a/src/noise/key.c b/src/noise/key.c
index f005dbf..ca59c5d 100644
--- a/src/noise/key.c
<http://git.zx2c4.com/WireGuard/tree/src/noise/key.c?id=cb3a2550d4111325b4a101fb0fdf2bed3d82313c>
+++ b/src/noise/key.c
<http://git.zx2c4.com/WireGuard/tree/src/noise/key.c?id=b2a846defbde29cab1f0d4fbdfe898cd96ead855>
@@ -8,8 +8,10 @@
static inline void kdf(u8 first_dst[NOISE_SYMMETRIC_KEY_LEN], u8
second_dst[NOISE_SYMMETRIC_KEY_LEN],
const u8 chaining_key[NOISE_SYMMETRIC_KEY_LEN], const u8 *data, size_t
data_len)
{
+ static const u8 one = 1;
u8 temp_key[BLAKE2B_OUTBYTES];
- blake2b(temp_key, data, chaining_key, BLAKE2B_OUTBYTES, data_len,
NOISE_SYMMETRIC_KEY_LEN);
+ blake2b_hmac(temp_key, data, chaining_key, BLAKE2B_OUTBYTES, data_len,
NOISE_SYMMETRIC_KEY_LEN);
+ blake2b_hmac(temp_key, &one, temp_key, BLAKE2B_OUTBYTES, 1,
BLAKE2B_OUTBYTES);
memcpy(first_dst, temp_key, NOISE_SYMMETRIC_KEY_LEN);
memcpy(second_dst, temp_key + NOISE_SYMMETRIC_KEY_LEN,
NOISE_SYMMETRIC_KEY_LEN);
memzero_explicit(temp_key, BLAKE2B_OUTBYTES);
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20151014/4af01d9d/attachment.html>

More information about the Noise mailing list