[noise] [NoiseSocket] First handshake message parsing questions

Alexey Ermishkin scratch.net at gmail.com
Sun Feb 26 11:52:39 PST 2017

I'm trying to implement the handshake parsing in a most bulletproof way
possible and have some thoughts about the process

We agreed that the first message must always be XX "e" message. But what if
we support both 25519, 448 and others? 
Should we abort if we have a valid first 25519 public key and then 0 length
448 key? Technically, we can construct a valid message to parse using
following 448 keys if they exist, but it will not be a straightforward way
to do.

Suppose the client sends:
XX_..._25519 || publicKey ||
XX_..._448 || publicKey || 
IK_..._25519 || reuses "e" || handshake data ||
IK_..._448 || reuses "e" || handshake data ||
IK_..._25519 || new "e" || handshake data ||
IK_..._448 || new "e"  || handshake data ||
XX_other_448 || reuses "e"(which?)  ||
Xx_other_25519 || reuses "e" (which?) ||

I hope the idea is clear - we can have all possible combinations of cipher
suites and messages which may or may not reuse previous ephemeral public
keys which makes the parsing logic rather complex depending on the server
cipher suite priority. We will also have to read the message to the end to
build the prologue.
Not that it's not doable, but it will definitely need some refinement about
what can be done and what cannot.

For example: either one algorithm-aware "e" per whole message or each
sub-message must have its own "e".
What do you think?

More information about the Noise mailing list