[noise] Branch: "imp"

[Jason A. Donenfeld]

On Sat, Nov 7, 2015 at 7:31 PM, Trevor Perrin <trevp at trevp.net> wrote:
>  - Added notion of a "prologue" byte-sequence.  MixHash(prologue) is
> called during initialization:  "may be zero-length, or which may
> contain context information that both parties want to confirm is
> identical, such as protocol or version negotiation messages sent
> previously".

Okay, so if no prologue is specified, this doesn't change anything
substantively. But now it's an available option. Cool. Using it,
though, hampers interopability. And so, in that case, since
interopability doesn't matter, why not instead just augment the
handshake name specifier that's also used in MixHash (and ck)?

>  - Clarified handling of invalid DH public keys ("output may be set to
> all zeros or any other value..."); removed the "allowed to abort"
> option, better to steer people down one path to avoid implementation
> fingerprinting risk.

Okay. That roughly looks like this: https://paste.kde.org/prtbi5z0l/o6jnt5


>    - Clarified that Noise pipes should use 1-byte type, 2-byte length,
> so that we can get interoperable Noise pipes as the default Noise use.

This seems like a rather substantive change:

+So that Noise pipes can be used with arbitrary lower-level protocols, handshake
+messages are sent with the `type` byte followed by a 2-byte big-endian length
+field, followed by the Noise handshake message. Transport messages are sent
+with only the 2-byte length field, followed by the Noise tranport message.

I'm using a 1 byte type parameter already, but as discussed repeatedly
in the past, I have no use for the length parameter, since I have the
IP/UDP headers already doing that. Is it okay for me to deviate from
the spec? And if so, could this then be a mere suggestion, rather than
a mandated substantive change?