void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-04-26 17:03:43 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

More simplification and move key agreements to as late as possible after session state check.

Browse source
This commit is contained in:
Adam Ierymenko 2022-09-13 11:09:20 -04:00
parent a7fa425830
commit d42a70544f
No known key found for this signature in database
GPG key ID: C8877CF2D7A5D7F3
1 changed files with 11 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
crypto/src/zssp.rs
View file

@ -848,7 +848,8 @@ impl<H: Host> ReceiveContext<H> {
// Mix result of 'ss' agreement into master key. // Mix result of 'ss' agreement into master key.
key = Secret(hmac_sha512(key.as_bytes(), ss.as_bytes())); key = Secret(hmac_sha512(key.as_bytes(), ss.as_bytes()));
// Authenticate entire packet with HMAC-SHA384, verifying alice's identity via 'ss' secret. // Authenticate entire packet with HMAC-SHA384, verifying alice's identity via 'ss' secret that was
// just mixed into the key.
if !hmac_sha384_2( if !hmac_sha384_2(
kbkdf512(key.as_bytes(), KBKDF_KEY_USAGE_LABEL_HMAC).first_n::<48>(), kbkdf512(key.as_bytes(), KBKDF_KEY_USAGE_LABEL_HMAC).first_n::<48>(),
pseudoheader, pseudoheader,
@ -861,15 +862,6 @@ impl<H: Host> ReceiveContext<H> {
// Alice's offer has been verified and her current key state reconstructed. // Alice's offer has been verified and her current key state reconstructed.
// Generate our ephemeral NIST P-384 key pair.
let bob_e0_keypair = P384KeyPair::generate();
// Key agreement: both sides' ephemeral P-384 public keys.
let e0e0 = bob_e0_keypair.agree(&alice_e0_public).ok_or(Error::FailedAuthentication)?;
// Key agreement: bob (local) static NIST P-384, alice (remote) ephemeral P-384.
let se0 = bob_e0_keypair.agree(&alice_s_public_p384).ok_or(Error::FailedAuthentication)?;
// Perform checks and match ratchet key if there's an existing session, or gate (via host) and // Perform checks and match ratchet key if there's an existing session, or gate (via host) and
// then create new sessions. // then create new sessions.
let (new_session, ratchet_key, ratchet_count) = if let Some(session) = session.as_ref() { let (new_session, ratchet_key, ratchet_count) = if let Some(session) = session.as_ref() {
@ -932,6 +924,15 @@ impl<H: Host> ReceiveContext<H> {
let existing_session = session; let existing_session = session;
let session = existing_session.as_ref().map_or_else(|| new_session.as_ref().unwrap(), |s| &*s); let session = existing_session.as_ref().map_or_else(|| new_session.as_ref().unwrap(), |s| &*s);
// Generate our ephemeral NIST P-384 key pair.
let bob_e0_keypair = P384KeyPair::generate();
// Key agreement: both sides' ephemeral P-384 public keys.
let e0e0 = bob_e0_keypair.agree(&alice_e0_public).ok_or(Error::FailedAuthentication)?;
// Key agreement: bob (local) static NIST P-384, alice (remote) ephemeral P-384.
let se0 = bob_e0_keypair.agree(&alice_s_public_p384).ok_or(Error::FailedAuthentication)?;
// Mix in the psk, the key to this point, our ephemeral public, e0e0, and se0, completing Noise_IK. // Mix in the psk, the key to this point, our ephemeral public, e0e0, and se0, completing Noise_IK.
// //
// FIPS note: the order of HMAC parameters are flipped here from the usual Noise HMAC(key, X). That's because // FIPS note: the order of HMAC parameters are flipped here from the usual Noise HMAC(key, X). That's because