From d42a70544f237ec0fd371efd07e5c4f36c2f4b89 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Tue, 13 Sep 2022 11:09:20 -0400
Subject: [PATCH] More simplification and move key agreements to as late as possible after session state check.
---
 crypto/src/zssp.rs | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/crypto/src/zssp.rs b/crypto/src/zssp.rs
index 9a4b82636..6d518dc81 100644
--- a/crypto/src/zssp.rs
+++ b/crypto/src/zssp.rs
@@ -848,7 +848,8 @@ impl ReceiveContext {
         // Mix result of 'ss' agreement into master key.
         key = Secret(hmac_sha512(key.as_bytes(), ss.as_bytes()));
-        // Authenticate entire packet with HMAC-SHA384, verifying alice's identity via 'ss' secret.
+        // Authenticate entire packet with HMAC-SHA384, verifying alice's identity via 'ss' secret that was
+        // just mixed into the key.
         if !hmac_sha384_2(
             kbkdf512(key.as_bytes(), KBKDF_KEY_USAGE_LABEL_HMAC).first_n::<48>(),
             pseudoheader,
@@ -861,15 +862,6 @@ impl ReceiveContext {
         // Alice's offer has been verified and her current key state reconstructed.
-        // Generate our ephemeral NIST P-384 key pair.
-        let bob_e0_keypair = P384KeyPair::generate();
-
-        // Key agreement: both sides' ephemeral P-384 public keys.
-        let e0e0 = bob_e0_keypair.agree(&alice_e0_public).ok_or(Error::FailedAuthentication)?;
-
-        // Key agreement: bob (local) static NIST P-384, alice (remote) ephemeral P-384.
-        let se0 = bob_e0_keypair.agree(&alice_s_public_p384).ok_or(Error::FailedAuthentication)?;
-
         // Perform checks and match ratchet key if there's an existing session, or gate (via host) and
         // then create new sessions.
         let (new_session, ratchet_key, ratchet_count) = if let Some(session) = session.as_ref() {
@@ -932,6 +924,15 @@ impl ReceiveContext {
         let existing_session = session;
         let session = existing_session.as_ref().map_or_else(|| new_session.as_ref().unwrap(), |s| &*s);
+        // Generate our ephemeral NIST P-384 key pair.
+        let bob_e0_keypair = P384KeyPair::generate();
+
+        // Key agreement: both sides' ephemeral P-384 public keys.
+        let e0e0 = bob_e0_keypair.agree(&alice_e0_public).ok_or(Error::FailedAuthentication)?;
+
+        // Key agreement: bob (local) static NIST P-384, alice (remote) ephemeral P-384.
+        let se0 = bob_e0_keypair.agree(&alice_s_public_p384).ok_or(Error::FailedAuthentication)?;
+
         // Mix in the psk, the key to this point, our ephemeral public, e0e0, and se0, completing Noise_IK.
         //
         // FIPS note: the order of HMAC parameters are flipped here from the usual Noise HMAC(key, X). That's because
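Review bot: The comment above `se0` misdescribes the agreement it labels: `bob_e0_keypair.agree(&alice_s_public_p384)` combines bob's ephemeral key with alice's static key, while the comment says bob static and alice ephemeral. Because the next comment states this completes Noise_IK, a reader checking the transcript against the Noise `se` token (responder ephemeral, initiator static) would be misled by the current wording; suggest `// Key agreement: bob (local) ephemeral P-384, alice (remote) static NIST P-384 (Noise 'se').` Separately, both `agree()` calls now run after `new_session` exists, so if a new session is registered with the host or a session table before this point (not visible in the hunk), the `?` return on a rejected `alice_e0_public` would leave that entry behind; worth confirming that registration only happens after these agreements succeed. The enclosing function begins and ends outside the hunk.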