From 5fbaf28c12ea4241e6ebd3ac7f9ba27291119c12 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Wed, 8 Mar 2023 15:51:34 -0500
Subject: [PATCH 1/2] Mix ephemeral keys into "h"
---
 zssp/src/zssp.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/zssp/src/zssp.rs b/zssp/src/zssp.rs
index 87f28563f..0673561f1 100644
--- a/zssp/src/zssp.rs
+++ b/zssp/src/zssp.rs
@@ -320,7 +320,7 @@ impl Context {
 current_key: 0,
 current_offer: Offer::NoiseXKInit(Box::new(AliceOutgoingIncompleteSessionState {
 last_retry_time: AtomicI64::new(current_time),
- noise_h: mix_hash(&INITIAL_H, remote_s_public_blob),
+ noise_h: mix_hash(&mix_hash(&INITIAL_H, remote_s_public_blob), &alice_noise_e),
 noise_es: noise_es.clone(),
 alice_noise_e_secret,
 alice_hk_secret: Secret(alice_hk_secret.secret),
@@ -726,7 +726,7 @@ impl Context {
 let alice_noise_e = P384PublicKey::from_bytes(&pkt.alice_noise_e).ok_or(Error::FailedAuthentication)?;
 let noise_es = app.get_local_s_keypair().agree(&alice_noise_e).ok_or(Error::FailedAuthentication)?;
- let noise_h = mix_hash(&INITIAL_H, app.get_local_s_public_blob());
+ let noise_h = mix_hash(&mix_hash(&INITIAL_H, app.get_local_s_public_blob()), alice_noise_e.as_bytes());
 let noise_h_next = mix_hash(&noise_h, &pkt_assembled[HEADER_SIZE..]);
 // Decrypt and authenticate init packet, also proving that caller knows our static identity.
@@ -816,7 +816,7 @@ impl Context {
 timestamp: current_time,
 alice_session_id,
 bob_session_id,
- noise_h: mix_hash(&noise_h_next, &ack_packet[HEADER_SIZE..]),
+ noise_h: mix_hash(&mix_hash(&noise_h_next, &bob_noise_e), &ack_packet[HEADER_SIZE..]),
 noise_es_ee: noise_es_ee.clone(),
 hk,
 bob_noise_e_secret,
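Review bot: The two sides feed the ephemeral key into `h` from different sources: Bob's side at 726 mixes `alice_noise_e.as_bytes()`, a re-serialization of the parsed key, while Alice's side at 320 mixes `&alice_noise_e` directly (presumably the bytes she writes into the init packet), and the same split recurs between 816 (`&bob_noise_e`) and 881 (`bob_noise_e.as_bytes()`). The transcripts only agree if `P384PublicKey::from_bytes` followed by `as_bytes` reproduces the wire bytes exactly for every input `from_bytes` accepts, which the hunk cannot show. Mixing the bytes actually received removes that dependency, e.g. at 726 `let noise_h = mix_hash(&mix_hash(&INITIAL_H, app.get_local_s_public_blob()), &pkt.alice_noise_e);` and, if `bob_noise_e` at 881 is likewise parsed from the packet, its packet field there. Because the mixing order is now part of the wire contract, each new line deserves a comment such as `// Transcript: h = H(H(INITIAL_H || s_pub) || e_pub); the peer must mix in exactly this order.`. The enclosing functions begin and end outside these hunks.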
@@ -881,7 +881,7 @@ impl Context {
 ));
 // Go ahead and compute the next 'h' state before we lose the ciphertext in decrypt.
- let noise_h_next = mix_hash(&outgoing_offer.noise_h, &pkt_assembled[HEADER_SIZE..]);
+ let noise_h_next = mix_hash(&mix_hash(&outgoing_offer.noise_h, bob_noise_e.as_bytes()), &pkt_assembled[HEADER_SIZE..]);
 // Decrypt and authenticate Bob's reply.
 let mut gcm = AesGcm::new(
From ccb5ff8e6d5312dbef68fd62c04c517da88d4086 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Wed, 8 Mar 2023 16:00:23 -0500
Subject: [PATCH 2/2] Add PSK to h as well.
---
 zssp/src/zssp.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/zssp/src/zssp.rs b/zssp/src/zssp.rs
index 0673561f1..a2b6854de 100644
--- a/zssp/src/zssp.rs
+++ b/zssp/src/zssp.rs
@@ -948,7 +948,7 @@ impl Context {
 assert!(metadata.len() <= (u16::MAX as usize));
 reply_len = append_to_slice(&mut reply_buffer, reply_len, &(metadata.len() as u16).to_le_bytes())?;
- let noise_h_next = mix_hash(&noise_h_next, &reply_buffer[HEADER_SIZE..reply_len]);
+ let noise_h_next = mix_hash(&mix_hash(&noise_h_next, &reply_buffer[HEADER_SIZE..reply_len]), session.psk.as_bytes());
 enc_start = reply_len;
 reply_len = append_to_slice(&mut reply_buffer, reply_len, metadata)?;
@@ -1047,6 +1047,8 @@ impl Context {
 }
 let (alice_noise_s, psk, application_data) = check_result.unwrap();
+ let noise_h_next = mix_hash(&noise_h_next, psk.as_bytes());
+
 // Complete Noise_XKpsk3 on Bob's side.
 let noise_es_ee_se_hk_psk = Secret(hmac_sha512(
 &hmac_sha512(
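Review bot: Hashing the bare PSK into `h` with `mix_hash(…, psk.as_bytes())` at 948 and again at 1047 turns `h` from a public transcript hash into a PSK-dependent value, yet the earlier hunks store `noise_h` as a plain field while keying material is wrapped in `Secret`. If `h` ever leaks — a log line, a Debug impl, or a future on-wire use — a low-entropy PSK could be checked offline against it; the Noise spec sidesteps this by passing the psk through HKDF with ck (MixKeyAndHash) so that `h` only absorbs a derived value. Either treat the PSK-mixed `h` as secret (wrap it in `Secret` wherever it is stored and zeroize it with the session) or mix a value derived with the existing `hmac_sha512` instead of the raw PSK, remembering that 948 mixes the PSK after the reply body whereas 1047 mixes it after whatever `noise_h_next` already holds at that point, an ordering the hunk cannot confirm is symmetric. A comment at both sites pinning the expected state, e.g. `// h must already contain the reply body here; the PSK is mixed last on both sides.`, would make that contract checkable. Both enclosing functions extend beyond their hunks.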