[noise] New branch: n0

Jason A. Donenfeld Jason at zx2c4.com
Fri Oct 2 02:13:13 PDT 2015


So this looks like:

diff --git a/doc/protocol.md b/doc/protocol.md
index d04132c..ba639d3 100644
--- a/doc/protocol.md
<http://git.zx2c4.com/WireGuard/tree/doc/protocol.md?id=dde2f6b2510284cffe9ea9fab892bb562305804a>
+++ b/doc/protocol.md
<http://git.zx2c4.com/WireGuard/tree/doc/protocol.md?id=44d4c6975eb9f52881194aadba31bc9da05a5a79>
@@ -68,7 +68,7 @@ The fields are populated as follows:
msg.sender_index = little_endian(initiator.sender_index)
msg.unencrypted_ephemeral = DH_PUBKEY(initiator.ephemeral_private)
initiator.hash = HASH(initiator.hash || msg.unencrypted_ephemeral)
- initiator.key = KDF(GETKEY(initiator.key, 0),
DH(initiator.ephemeral_private, responder.static_public))
+ initiator.key = KDF(initiator.key, DH(initiator.ephemeral_private,
responder.static_public))
msg.encrypted_static = AEAD(initiator.key, 0, initiator.static_public,
initiator.hash)
initiator.hash = HASH(initiator.hash || msg.encrypted_static)
initiator.key = KDF(GETKEY(initiator.key, 1), DH(initiator.static_private,
responder.static_public))
@@ -98,7 +98,7 @@ The fields are populated as follows:
msg.encrypted_ephemeral = AEAD(responder.key, 1,
DH_PUBKEY(responder.ephemeral_private), responder.hash)
responder.hash = HASH(responder.hash || msg.encrypted_ephemeral)
responder.key = KDF(GETKEY(responder.key, 2),
DH(responder.ephemeral_private, initiator.ephemeral_public))
- responder.key = KDF(GETKEY(responder.key, 0),
DH(responder.ephemeral_private, initiator.static_public))
+ responder.key = KDF(responder.key, DH(responder.ephemeral_private,
initiator.static_public))
msg.encrypted_nothing = AEAD(responder.key, 0, [empty], responder.hash)
When the initiator receives this message, he decrypts and does all the
above operations in reverse, so that the state is identical.
diff --git a/src/noise/key.c b/src/noise/key.c
index e1dcd78..f68ca9f 100644
--- a/src/noise/key.c
<http://git.zx2c4.com/WireGuard/tree/src/noise/key.c?id=dde2f6b2510284cffe9ea9fab892bb562305804a>
+++ b/src/noise/key.c
<http://git.zx2c4.com/WireGuard/tree/src/noise/key.c?id=44d4c6975eb9f52881194aadba31bc9da05a5a79>
@@ -26,8 +26,12 @@ static inline bool getkey(u8
dst_key[NOISE_SYMMETRIC_KEY_LEN], struct noise_symm
static inline bool kdf(struct noise_symmetric_key *key, const u8 *src,
size_t src_len)
{
u8 newkey[NOISE_SYMMETRIC_KEY_LEN];
- if (!getkey(newkey, key))
+
+ if (!key->counter.receive.counter)
+ memcpy(newkey, key->key, NOISE_SYMMETRIC_KEY_LEN);
+ else if (!getkey(newkey, key))
return false;
+
blake2b(key->key, src, newkey, NOISE_SYMMETRIC_KEY_LEN, src_len,
NOISE_SYMMETRIC_KEY_LEN);
memzero_explicit(newkey, NOISE_SYMMETRIC_KEY_LEN);
atomic64_set(&key->counter.counter, 0);
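Review bot: The new branch in kdf() makes the key-derivation input depend on mutable counter state without saying why: when `key->counter.receive.counter` is zero the raw `key->key` is fed to blake2b, otherwise the getkey() output is. A comment above the `if`, such as `/* counter == 0: no GETKEY step, chain the key directly (see doc/protocol.md) */`, would tie it to the spec change in this commit. The test is a plain load of `counter.receive.counter`, while the reset at the end uses `atomic64_set(&key->counter.counter, 0)`; whether those two fields alias is not visible here, so confirm that the field tested is the one that gets reset and that a non-atomic read is acceptable. Separately, the `return false` path leaves `newkey` on the stack without `memzero_explicit`; if getkey() can write to it before failing, wipe it on that path too. The body of kdf() continues past the end of the hunk.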