Applying envelope simplified construction and km3 mac changes (#128)

Author: kevinlewi

src/envelope.rs

@@ -16,7 +16,6 @@ use rand_core::{CryptoRng, RngCore};
 use std::convert::TryFrom;
 
 // Constant string used as salt for HKDF computation
-const STR_RWDU: &[u8] = b"rwdU";
 const STR_PAD: &[u8] = b"Pad";
 const STR_AUTH_KEY: &[u8] = b"AuthKey";
 const STR_EXPORT_KEY: &[u8] = b"ExportKey";
@@ -191,23 +190,17 @@ impl<D: Hash> Envelope<D> {
         let mut nonce = vec![0u8; NONCE_LEN];
         rng.fill_bytes(&mut nonce);
 
-        let h = Hkdf::<D>::new(Some(STR_RWDU), &key);
+        let h = Hkdf::<D>::new(Some(&nonce), &key);
         let mut xor_key = vec![0u8; plaintext.len()];
         let mut hmac_key = vec![0u8; Self::hmac_key_size()];
         let mut export_key = vec![0u8; Self::export_key_size()];
 
-        h.expand(&[nonce.clone(), STR_PAD.to_vec()].concat(), &mut xor_key)
+        h.expand(STR_PAD, &mut xor_key)
+            .map_err(|_| InternalPakeError::HkdfError)?;
+        h.expand(STR_AUTH_KEY, &mut hmac_key)
+            .map_err(|_| InternalPakeError::HkdfError)?;
+        h.expand(STR_EXPORT_KEY, &mut export_key)
             .map_err(|_| InternalPakeError::HkdfError)?;
-        h.expand(
-            &[nonce.clone(), STR_AUTH_KEY.to_vec()].concat(),
-            &mut hmac_key,
-        )
-        .map_err(|_| InternalPakeError::HkdfError)?;
-        h.expand(
-            &[nonce.clone(), STR_EXPORT_KEY.to_vec()].concat(),
-            &mut export_key,
-        )
-        .map_err(|_| InternalPakeError::HkdfError)?;
 
         let ciphertext: Vec<u8> = xor_key
             .iter()
@@ -271,26 +264,17 @@ impl<D: Hash> Envelope<D> {
         key: &[u8],
         aad: &[u8],
     ) -> Result<OpenedInnerEnvelope<D>, InternalPakeError> {
-        let h = Hkdf::<D>::new(Some(STR_RWDU), &key);
+        let h = Hkdf::<D>::new(Some(&self.inner_envelope.nonce), &key);
         let mut xor_key = vec![0u8; self.inner_envelope.ciphertext.len()];
         let mut hmac_key = vec![0u8; Self::hmac_key_size()];
         let mut export_key = vec![0u8; Self::export_key_size()];
 
-        h.expand(
-            &[self.inner_envelope.nonce.clone(), STR_PAD.to_vec()].concat(),
-            &mut xor_key,
-        )
-        .map_err(|_| InternalPakeError::HkdfError)?;
-        h.expand(
-            &[self.inner_envelope.nonce.clone(), STR_AUTH_KEY.to_vec()].concat(),
-            &mut hmac_key,
-        )
-        .map_err(|_| InternalPakeError::HkdfError)?;
-        h.expand(
-            &[self.inner_envelope.nonce.clone(), STR_EXPORT_KEY.to_vec()].concat(),
-            &mut export_key,
-        )
-        .map_err(|_| InternalPakeError::HkdfError)?;
+        h.expand(STR_PAD, &mut xor_key)
+            .map_err(|_| InternalPakeError::HkdfError)?;
+        h.expand(STR_AUTH_KEY, &mut hmac_key)
+            .map_err(|_| InternalPakeError::HkdfError)?;
+        h.expand(STR_EXPORT_KEY, &mut export_key)
+            .map_err(|_| InternalPakeError::HkdfError)?;
 
         let mut hmac =
             Hmac::<D>::new_varkey(&hmac_key).map_err(|_| InternalPakeError::HmacError)?;

src/key_exchange/tripledh.rs

@@ -34,7 +34,7 @@ static STR_3DH: &[u8] = b"3DH keys";
 static STR_CLIENT_MAC: &[u8] = b"client mac";
 static STR_HANDSHAKE_SECRET: &[u8] = b"handshake secret";
 static STR_SERVER_MAC: &[u8] = b"server mac";
-static STR_SERVER_ENC: &[u8] = b"server enc";
+static STR_SERVER_ENC: &[u8] = b"handshake enc";
 static STR_ENCRYPTION_PAD: &[u8] = b"encryption pad";
 static STR_SESSION_SECRET: &[u8] = b"session secret";
 static STR_OPAQUE: &[u8] = b"OPAQUE ";
@@ -140,6 +140,7 @@ impl<D: Hash, G: Group> KeyExchange<D, G> for TripleDH {
 
         let mut hasher3 = D::new();
         hasher3.update(&transcript2);
+        hasher3.update(&mac);
         let hashed_transcript = hasher3.finalize();
 
         Ok((
@@ -207,7 +208,7 @@ impl<D: Hash, G: Group> KeyExchange<D, G> for TripleDH {
 
         let mut hasher2 = D::new();
         hasher2.update(transcript);
-        // hasher2.update(ke2_message.mac.to_vec()); // FIXME, sync with @caw on including this
+        hasher2.update(ke2_message.mac.to_vec());
         let hashed_transcript = hasher2.finalize();
 
         let mut client_mac =

src/opaque.rs

@@ -27,7 +27,7 @@ use rand_core::{CryptoRng, RngCore};
 use std::{convert::TryFrom, marker::PhantomData};
 use zeroize::Zeroize;
 
-static STR_OPAQUE_VERSION: &[u8] = b"OPAQUE01";
+static STR_OPAQUE_VERSION: &[u8] = b"OPAQUE";
 
 // Registration
 // ============

src/tests/full_test.rs

@@ -68,37 +68,37 @@ pub struct TestVectorParameters {
 
 static TEST_VECTOR: &str = r#"
 {
-    "client_s_pk": "ba8c7e239ed64ea1e6068b52cbd5a34ba6f55d635d20a4593884dc271865ea63",
-    "client_s_sk": "edb5e886441ddcd4fdd80593d9ea7b7f82f284fcc1d565b802e99997457b960a",
-    "client_e_pk": "08973113b27d6f2291aaaeb92f34a8438d279a48b1b412bddbf2785be660e479",
-    "client_e_sk": "28fb3aadbc2716844d8de562d35e61914da734dcea0fa6ebd79603ef9eff4e01",
-    "server_s_pk": "b67d948b98eecfb516a626fab94170e490ccd90da05fce94a016c4d5d6b7136a",
-    "server_s_sk": "52350a684c353e39bbaadeb042b2de94226a493f6ae172b7fc45408bbfda6401",
-    "server_e_pk": "42103d44b03f3886fe3e419b1b96521fa5a706bb1a4e003907daa381960d664a",
-    "server_e_sk": "564e113d5b2784fcf3a55d5ca48512a2fd5c3c393753f6cfd157cb712b317c04",
+    "client_s_pk": "3a776afc0ba554a731cc8e2c8fef1ba3e9110195a7902d9b15ecc1352867833e",
+    "client_s_sk": "bd42afe22725696df96e193ff4d0580e565ad8b769ea718f343245ea83625505",
+    "client_e_pk": "c22c46082bae3fcb2e5690c0c9a27fa59f752ff9a78ad5c41a18f7f665a3da05",
+    "client_e_sk": "21616ff86563a235ab01eb7e13f057b1cae8533dc7a4e99076e56d29f948c40b",
+    "server_s_pk": "d685d935664b0f8175456c9594cb3205329352970a560a4efedb5bfb39335811",
+    "server_s_sk": "5e37d39ed0c5880c748818b834d97fd8235f4b77a7e06287664c02e5bafd6407",
+    "server_e_pk": "0202a269a71da47901e071eab4702d92288e9e3ac12b77cc9eae1a6a3be5bf25",
+    "server_e_sk": "055453a054b87b50c8e9f2ae4eac6e56348ec82b3e3271d843a958b0f634ed0b",
     "id_u": "696455",
     "id_s": "696453",
     "password": "70617373776f7264",
-    "blinding_factor": "a70b37951d84ed312a0a8e025b71eafdd362b4e7db872881762d506a271b6e07",
-    "oprf_key": "1eaf3cdd64da67e17e3364182f00ed0c323bfb44b20a1b7e0025a0334ab6d40d",
-    "envelope_nonce": "5dba53e994e82b6d76353341102791cdfb1c2b460e1f913c5741a9c8cf2017c9",
-    "client_nonce": "488244dbf75f86ebaa30307773d3e0eabccb91be349abef8a69c458dbf236e4c",
-    "server_nonce": "13cc5ceb7687d80293005e7f9452ce104d1bac6598dd2265f184cacd558d6b31",
+    "blinding_factor": "67c5f74c953923c950c978b332f306454a8dc7ae7888449281b9d550ab05e204",
+    "oprf_key": "94ddb3f439fb4d69ac31b3220604066316b370b4402403d04f9efece28d6a00f",
+    "envelope_nonce": "c2956142808696bc993b1b1424166afcf0e7de8ba45d8348cd5ff0fbbf528485",
+    "client_nonce": "b61c639342a00e60652c0567423bc332fc7af6558da4651bd53b89f688fc1274",
+    "server_nonce": "ebb9dcbbfe8776aa3831763a4172f6e95cec5714d08a0e0a03151f561135c416",
     "info1": "696e666f31",
     "einfo2": "65696e666f32",
-    "registration_request": "ecf819ef83351e4c75e016ef845b62a12c14f397328960574935a42e04e0fa42",
-    "registration_response": "2e9bf80e5c101ee2d391ff2aec06af97af17f443fc93a5cc98189681cb943d700020b67d948b98eecfb516a626fab94170e490ccd90da05fce94a016c4d5d6b7136a",
-    "registration_upload": "0020ba8c7e239ed64ea1e6068b52cbd5a34ba6f55d635d20a4593884dc271865ea63015dba53e994e82b6d76353341102791cdfb1c2b460e1f913c5741a9c8cf2017c90022f11b89b207eb0735f2bdb2a9968bc9d7c1c962fd0274b4fc1fff2466c769d3710586a3a21ac8ecf13aafe2dc5460eb2f52d8f760396a17beeaf1ef3d1e4e50dd906555832fc51fc474554cb9ff063f6685f9043efc08fd6816666833d68d3b0eb6d9",
-    "credential_request": "ecf819ef83351e4c75e016ef845b62a12c14f397328960574935a42e04e0fa42488244dbf75f86ebaa30307773d3e0eabccb91be349abef8a69c458dbf236e4c0005696e666f3108973113b27d6f2291aaaeb92f34a8438d279a48b1b412bddbf2785be660e479",
-    "credential_response": "2e9bf80e5c101ee2d391ff2aec06af97af17f443fc93a5cc98189681cb943d700020b67d948b98eecfb516a626fab94170e490ccd90da05fce94a016c4d5d6b7136a015dba53e994e82b6d76353341102791cdfb1c2b460e1f913c5741a9c8cf2017c90022f11b89b207eb0735f2bdb2a9968bc9d7c1c962fd0274b4fc1fff2466c769d3710586a3a21ac8ecf13aafe2dc5460eb2f52d8f760396a17beeaf1ef3d1e4e50dd906555832fc51fc474554cb9ff063f6685f9043efc08fd6816666833d68d3b0eb6d913cc5ceb7687d80293005e7f9452ce104d1bac6598dd2265f184cacd558d6b3142103d44b03f3886fe3e419b1b96521fa5a706bb1a4e003907daa381960d664a0006a0f4de671e13c37b24e29138ff9d3df3d55c3b822fedee8dcefd643a1deab7cda5aa1c20f31a0c2a1823c8de3e793f50b257833788b75609fb6c5c4a9cad225f3a981c4ff7b2",
-    "credential_finalization": "0640114ec21fbad6da11c61dfa77a48026646a2a1bd091ef5c9dc46b45f9e53c72f5d714e026d808b6de8911947eef437e9f6a6e969e1ea13f2f4880adc7c879",
-    "client_registration_state": "a70b37951d84ed312a0a8e025b71eafdd362b4e7db872881762d506a271b6e0770617373776f7264",
-    "client_login_state": "a70b37951d84ed312a0a8e025b71eafdd362b4e7db872881762d506a271b6e070067ecf819ef83351e4c75e016ef845b62a12c14f397328960574935a42e04e0fa42488244dbf75f86ebaa30307773d3e0eabccb91be349abef8a69c458dbf236e4c0005696e666f3108973113b27d6f2291aaaeb92f34a8438d279a48b1b412bddbf2785be660e479004028fb3aadbc2716844d8de562d35e61914da734dcea0fa6ebd79603ef9eff4e01488244dbf75f86ebaa30307773d3e0eabccb91be349abef8a69c458dbf236e4c70617373776f7264",
-    "server_registration_state": "1eaf3cdd64da67e17e3364182f00ed0c323bfb44b20a1b7e0025a0334ab6d40d",
-    "server_login_state": "4952acf61167e6d0e799572827724fdf8c80bda8c62ac28deb68d125661dade2cc1136e634d5fb93f1de4d170ae3e2f5885e333ac3b72d630ab56618c2247fa4d5968eefd69cd270ed14fbcb39627fea9a93cd18175e1b5cfceb06f705bbcb5ecddcd0602aacd7cb358f3273b1099895210bf8baa37d2fab5ed8c092fe9e5739bc6c50cf08ca7d4f4107d48057507480e0c9534b4f04d77cd5156cbd112565d8a2d5beaa473003dcf8dd82d4046648a701c72afeed0f627fcb782627dfaed3ca",
-    "password_file": "1eaf3cdd64da67e17e3364182f00ed0c323bfb44b20a1b7e0025a0334ab6d40dba8c7e239ed64ea1e6068b52cbd5a34ba6f55d635d20a4593884dc271865ea63015dba53e994e82b6d76353341102791cdfb1c2b460e1f913c5741a9c8cf2017c90022f11b89b207eb0735f2bdb2a9968bc9d7c1c962fd0274b4fc1fff2466c769d3710586a3a21ac8ecf13aafe2dc5460eb2f52d8f760396a17beeaf1ef3d1e4e50dd906555832fc51fc474554cb9ff063f6685f9043efc08fd6816666833d68d3b0eb6d9",
-    "export_key": "2b86667de895e4d2c15b93bc70f0aa2df67b83987fa53deac9473697e2fade045e0fd0e4af478ccff52165c1467272993da34dcb3baa45aa59cf9d817e6c6bcb",
-    "shared_secret": "bc6c50cf08ca7d4f4107d48057507480e0c9534b4f04d77cd5156cbd112565d8a2d5beaa473003dcf8dd82d4046648a701c72afeed0f627fcb782627dfaed3ca"
+    "registration_request": "5ea0a0a57a2882691c3fc8e0dfe09bf05b130723b24371f8ac03b9c75d0d5b79",
+    "registration_response": "c0ebf6cc43f92c2da075f93da39cb37d7571e61c26bfab69bbcdb35a0a313e260020d685d935664b0f8175456c9594cb3205329352970a560a4efedb5bfb39335811",
+    "registration_upload": "00203a776afc0ba554a731cc8e2c8fef1ba3e9110195a7902d9b15ecc1352867833e01c2956142808696bc993b1b1424166afcf0e7de8ba45d8348cd5ff0fbbf52848500223b28798f911bb2f0c6cc626f27daf055271234dc1c1e32df59e864cffe946dfb02795cc53d6bcadf5e9535341c473f72b7ea88f4ff87fe941c0dace9f9975fa8887ac0bb7c84a5028fcdd10b41f9216523ba3513c95eb127437155feb0c022469334",
+    "credential_request": "5ea0a0a57a2882691c3fc8e0dfe09bf05b130723b24371f8ac03b9c75d0d5b79b61c639342a00e60652c0567423bc332fc7af6558da4651bd53b89f688fc12740005696e666f31c22c46082bae3fcb2e5690c0c9a27fa59f752ff9a78ad5c41a18f7f665a3da05",
+    "credential_response": "c0ebf6cc43f92c2da075f93da39cb37d7571e61c26bfab69bbcdb35a0a313e260020d685d935664b0f8175456c9594cb3205329352970a560a4efedb5bfb3933581101c2956142808696bc993b1b1424166afcf0e7de8ba45d8348cd5ff0fbbf52848500223b28798f911bb2f0c6cc626f27daf055271234dc1c1e32df59e864cffe946dfb02795cc53d6bcadf5e9535341c473f72b7ea88f4ff87fe941c0dace9f9975fa8887ac0bb7c84a5028fcdd10b41f9216523ba3513c95eb127437155feb0c022469334ebb9dcbbfe8776aa3831763a4172f6e95cec5714d08a0e0a03151f561135c4160202a269a71da47901e071eab4702d92288e9e3ac12b77cc9eae1a6a3be5bf250006148cc6985fd9c04245efa02487d25a5e4ffa64fdb7f7fd627839ca70f29da495e59489891e14b7122656edcf2bfc788f92bf458fac31d4b0ddd6b6aa764e08c56d16e803e919",
+    "credential_finalization": "c6c0ccf4e5155b2cecabc61efc289824e00eb2e5d3c15d508100d35d8f0d3ba317797270af96cd4610b954ec21898f2e9df02411c21352a3220259034c711487",
+    "client_registration_state": "67c5f74c953923c950c978b332f306454a8dc7ae7888449281b9d550ab05e20470617373776f7264",
+    "client_login_state": "67c5f74c953923c950c978b332f306454a8dc7ae7888449281b9d550ab05e20400675ea0a0a57a2882691c3fc8e0dfe09bf05b130723b24371f8ac03b9c75d0d5b79b61c639342a00e60652c0567423bc332fc7af6558da4651bd53b89f688fc12740005696e666f31c22c46082bae3fcb2e5690c0c9a27fa59f752ff9a78ad5c41a18f7f665a3da05004021616ff86563a235ab01eb7e13f057b1cae8533dc7a4e99076e56d29f948c40bb61c639342a00e60652c0567423bc332fc7af6558da4651bd53b89f688fc127470617373776f7264",
+    "server_registration_state": "94ddb3f439fb4d69ac31b3220604066316b370b4402403d04f9efece28d6a00f",
+    "server_login_state": "fa7795f9a3a3f93e950d4d902689157f98cdf839fe64847b9b24dc2c7d07e9d674cdcb3db4c7653dcf133c49eadbf2b3a0665e19c37461352a8bdce781cefd5d8c8153b0b60a3abbb9cc2a34fe3c53541b1e7df3216d3bac1e8280fa697db9ee6b2468e585f9912bd227c51b702671691b6d6a3542db4597c18013fbae903b5c9d5ff920b8a7231d717155af4475b3591973245b9dd26cf956383e8145fa3e8c1e508b72f3e3c42e3d116611b676780628591acf37757c74ad297f71a0b54b39",
+    "password_file": "94ddb3f439fb4d69ac31b3220604066316b370b4402403d04f9efece28d6a00f3a776afc0ba554a731cc8e2c8fef1ba3e9110195a7902d9b15ecc1352867833e01c2956142808696bc993b1b1424166afcf0e7de8ba45d8348cd5ff0fbbf52848500223b28798f911bb2f0c6cc626f27daf055271234dc1c1e32df59e864cffe946dfb02795cc53d6bcadf5e9535341c473f72b7ea88f4ff87fe941c0dace9f9975fa8887ac0bb7c84a5028fcdd10b41f9216523ba3513c95eb127437155feb0c022469334",
+    "export_key": "c250b23ac69b71bcc246db97398487198c94c73c84e1256b57c3ceb32a76fdc7547a8953bfc94b530e5b660f559faa53572f98ec0168e378087017b9a7393f57",
+    "shared_secret": "9d5ff920b8a7231d717155af4475b3591973245b9dd26cf956383e8145fa3e8c1e508b72f3e3c42e3d116611b676780628591acf37757c74ad297f71a0b54b39"
 }
 "#;