Use faster Salsa20 instead of HKDF in AONT

Signed-off-by: Sergey Matveev <stargrave@stargrave.org>

diff --git a/doc/developer.texi b/doc/developer.texi
index 936e7977bda9ca02ce02fba908706eb09a85c8ba..30025669ffc4668e15f565874702dae70a91d3fe 100644 (file)
--- a/doc/developer.texi
+++ b/doc/developer.texi
@@ -24,8 +24,7 @@ Pay attention how to get @ref{Sources, development source code}.
     @url{http://theory.lcs.mit.edu/~cis/pubs/rivest/fusion.ps,
     All-Or-Nothing-Transformed} (based on
     @url{http://cseweb.ucsd.edu/~mihir/papers/oaep.html, OAEP} using
-    @url{https://en.wikipedia.org/wiki/Key_derivation_function, HKDF}
-    with @url{https://blake2.net/, BLAKE2b-512} and BLAKE2b-256 based
+    Salsa20 with @url{https://blake2.net/, BLAKE2b-256} based
     @url{http://crypto.stanford.edu/~dabo/abstracts/saep.html, SAEP+}
     checksums) data with 128-bits of feeded random.
 @item Packet overhead

diff --git a/src/govpn/aont/oaep.go b/src/govpn/aont/oaep.go
index cea5833fa906cd9dd28ab0ac145424a39fea5b86..c881e2710be9f3bd9c4c3b66a1f3f3b377e2a601 100644 (file)
--- a/src/govpn/aont/oaep.go
+++ b/src/govpn/aont/oaep.go
@@ -30,7 +30,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 // package PKG:
 //
 //     PKG = P1 || P2
-//      P1 = HKDF(BLAKE2b, r) XOR (M || BLAKE2b(r || M)) ||
+//      P1 = Salsa20(key=r, nonce=0x00, 0x00) XOR (M || BLAKE2b(r || M))
 //      P2 = BLAKE2b(P1) XOR r
 package aont
 
@@ -39,7 +39,7 @@ import (
        "errors"
 
        "github.com/dchest/blake2b"
-       "golang.org/x/crypto/hkdf"
+       "golang.org/x/crypto/salsa20"
 )
 
 const (
@@ -47,30 +47,26 @@ const (
        RSize = 16
 )
 
+var (
+       dummyNonce []byte = make([]byte, 8)
+)
+
 // Encode the data, produce AONT package. Data size will be larger than
 // the original one for 48 bytes.
 func Encode(r *[RSize]byte, in []byte) ([]byte, error) {
        out := make([]byte, len(in)+HSize+RSize)
-       hr := hkdf.New(blake2b.New512, r[:], nil, nil)
-       if _, err := hr.Read(out[:len(in)+HSize]); err != nil {
-               return nil, err
-       }
-       var i int
-       for i = 0; i < len(in); i++ {
-               out[i] ^= in[i]
-       }
+       copy(out, in)
        h := blake2b.New256()
        h.Write(r[:])
        h.Write(in)
-       for _, b := range h.Sum(nil) {
-               out[i] ^= b
-               i++
-       }
+       copy(out[len(in):], h.Sum(nil))
+       salsaKey := new([32]byte)
+       copy(salsaKey[:], r[:])
+       salsa20.XORKeyStream(out, out, dummyNonce, salsaKey)
        h.Reset()
-       h.Write(out[:i])
-       for _, b := range h.Sum(nil)[:RSize] {
-               out[i] = b ^ r[i-len(in)-HSize]
-               i++
+       h.Write(out[:len(in)+32])
+       for i, b := range h.Sum(nil)[:RSize] {
+               out[len(in)+32+i] = b ^ r[i]
        }
        return out, nil
 }
@@ -83,19 +79,14 @@ func Decode(in []byte) ([]byte, error) {
        }
        h := blake2b.New256()
        h.Write(in[:len(in)-RSize])
-       out := make([]byte, len(in)-RSize)
+       salsaKey := new([32]byte)
        for i, b := range h.Sum(nil)[:RSize] {
-               out[i] = b ^ in[len(in)-RSize+i]
+               salsaKey[i] = b ^ in[len(in)-RSize+i]
        }
        h.Reset()
-       h.Write(out[:RSize])
-       hr := hkdf.New(blake2b.New512, out[:RSize], nil, nil)
-       if _, err := hr.Read(out); err != nil {
-               return nil, err
-       }
-       for i := 0; i < len(out); i++ {
-               out[i] ^= in[i]
-       }
+       h.Write(salsaKey[:RSize])
+       out := make([]byte, len(in)-RSize)
+       salsa20.XORKeyStream(out, in[:len(in)-RSize], dummyNonce, salsaKey)
        h.Write(out[:len(out)-HSize])
        if subtle.ConstantTimeCompare(h.Sum(nil), out[len(out)-HSize:]) != 1 {
                return nil, errors.New("Invalid checksum")

diff --git a/utils/makedist.sh b/utils/makedist.sh
index def37c63f3c57dd06e14d441145e3dd5342641a3..cf819eceafe3460110d516368b93c90f357a9a5c 100755 (executable)
--- a/utils/makedist.sh
+++ b/utils/makedist.sh
@@ -22,7 +22,6 @@ golang.org/x/crypto/LICENSE
 golang.org/x/crypto/PATENTS
 golang.org/x/crypto/README
 golang.org/x/crypto/curve25519
-golang.org/x/crypto/hkdf
 golang.org/x/crypto/poly1305
 golang.org/x/crypto/salsa20
 golang.org/x/crypto/xtea