From 269e5134ad67851b6984bf0d677495c863799a45 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Wed, 6 Jan 2016 14:03:54 +0300
Subject: [PATCH] Use faster Salsa20 instead of HKDF in AONT

Signed-off-by: Sergey Matveev
---
 doc/developer.texi | 3 +--
 src/govpn/aont/oaep.go | 47 +++++++++++++++++-------------------
 utils/makedist.sh | 1 -
 3 files changed, 20 insertions(+), 31 deletions(-)

diff --git a/doc/developer.texi b/doc/developer.texi
index 936e797..3002566 100644
--- a/doc/developer.texi
+++ b/doc/developer.texi
@@ -24,8 +24,7 @@ Pay attention how to get @ref{Sources, development source code}. @url{http://theory.lcs.mit.edu/~cis/pubs/rivest/fusion.ps, All-Or-Nothing-Transformed} (based on @url{http://cseweb.ucsd.edu/~mihir/papers/oaep.html, OAEP} using - @url{https://en.wikipedia.org/wiki/Key_derivation_function, HKDF} - with @url{https://blake2.net/, BLAKE2b-512} and BLAKE2b-256 based + Salsa20 with @url{https://blake2.net/, BLAKE2b-256} based @url{http://crypto.stanford.edu/~dabo/abstracts/saep.html, SAEP+} checksums) data with 128-bits of feeded random. @item Packet overhead
diff --git a/src/govpn/aont/oaep.go b/src/govpn/aont/oaep.go
index cea5833..c881e27 100644
--- a/src/govpn/aont/oaep.go
+++ b/src/govpn/aont/oaep.go
@@ -30,7 +30,7 @@ along with this program. If not, see .
 // package PKG:
 //
 // PKG = P1 || P2
-// P1 = HKDF(BLAKE2b, r) XOR (M || BLAKE2b(r || M)) ||
+// P1 = Salsa20(key=r, nonce=0x00, 0x00) XOR (M || BLAKE2b(r || M))
 // P2 = BLAKE2b(P1) XOR r
 
 package aont
@@ -39,7 +39,7 @@ import (
 	"errors"
 
 	"github.com/dchest/blake2b"
-	"golang.org/x/crypto/hkdf"
+	"golang.org/x/crypto/salsa20"
 )
 
 const (
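Review bot: The new `P1` line in the package comment (hunk at old line 30) does not match the code it describes: `nonce=0x00, 0x00` reads as a two-byte nonce, whereas the new Encode passes an 8-byte all-zero nonce and a 32-byte Salsa20 key whose upper bytes are zero because `r` is only RSize bytes long. Suggest `// P1 = Salsa20(key=r || 0^16, nonce=0^8) XOR (M || BLAKE2b(r || M))`, followed by one sentence stating that the fixed nonce is acceptable only because every package is encrypted under a fresh `r`, which the construction already requires. The key padding itself happens in the Encode hunk later in this file.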
@@ -47,30 +47,26 @@ const (
 	RSize = 16
 )
 
+var (
+	dummyNonce []byte = make([]byte, 8)
+)
+
 // Encode the data, produce AONT package. Data size will be larger than
 // the original one for 48 bytes.
 func Encode(r *[RSize]byte, in []byte) ([]byte, error) {
 	out := make([]byte, len(in)+HSize+RSize)
-	hr := hkdf.New(blake2b.New512, r[:], nil, nil)
-	if _, err := hr.Read(out[:len(in)+HSize]); err != nil {
-		return nil, err
-	}
-	var i int
-	for i = 0; i < len(in); i++ {
-		out[i] ^= in[i]
-	}
+	copy(out, in)
 	h := blake2b.New256()
 	h.Write(r[:])
 	h.Write(in)
-	for _, b := range h.Sum(nil) {
-		out[i] ^= b
-		i++
-	}
+	copy(out[len(in):], h.Sum(nil))
+	salsaKey := new([32]byte)
+	copy(salsaKey[:], r[:])
+	salsa20.XORKeyStream(out, out, dummyNonce, salsaKey)
 	h.Reset()
-	h.Write(out[:i])
-	for _, b := range h.Sum(nil)[:RSize] {
-		out[i] = b ^ r[i-len(in)-HSize]
-		i++
+	h.Write(out[:len(in)+32])
+	for i, b := range h.Sum(nil)[:RSize] {
+		out[len(in)+32+i] = b ^ r[i]
 	}
 	return out, nil
 }
@@ -83,19 +79,14 @@ func Decode(in []byte) ([]byte, error) {
 	}
 	h := blake2b.New256()
 	h.Write(in[:len(in)-RSize])
-	out := make([]byte, len(in)-RSize)
+	salsaKey := new([32]byte)
 	for i, b := range h.Sum(nil)[:RSize] {
-		out[i] = b ^ in[len(in)-RSize+i]
+		salsaKey[i] = b ^ in[len(in)-RSize+i]
 	}
 	h.Reset()
-	h.Write(out[:RSize])
-	hr := hkdf.New(blake2b.New512, out[:RSize], nil, nil)
-	if _, err := hr.Read(out); err != nil {
-		return nil, err
-	}
-	for i := 0; i < len(out); i++ {
-		out[i] ^= in[i]
-	}
+	h.Write(salsaKey[:RSize])
+	out := make([]byte, len(in)-RSize)
+	salsa20.XORKeyStream(out, in[:len(in)-RSize], dummyNonce, salsaKey)
 	h.Write(out[:len(out)-HSize])
 	if subtle.ConstantTimeCompare(h.Sum(nil), out[len(out)-HSize:]) != 1 {
 		return nil, errors.New("Invalid checksum")
diff --git a/utils/makedist.sh b/utils/makedist.sh
index def37c6..cf819ec 100755
--- a/utils/makedist.sh
+++ b/utils/makedist.sh
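Review bot: The new checksum lines in Encode hard-code `32` (`h.Write(out[:len(in)+32])` and `out[len(in)+32+i] = b ^ r[i]`) where the surrounding code and the removed lines use `HSize`; assuming HSize is the BLAKE2b-256 digest length this is only a readability issue today, but it ties the P2 offset to the hash choice, so prefer `h.Write(out[:len(in)+HSize])` and `out[len(in)+HSize+i] = b ^ r[i]`. `salsa20.XORKeyStream(out, out, dummyNonce, salsaKey)` also runs the keystream over the whole buffer, including the trailing RSize bytes that the loop below overwrites, so `salsa20.XORKeyStream(out[:len(in)+HSize], out[:len(in)+HSize], dummyNonce, salsaKey)` would make the P1/P2 boundary explicit and skip the wasted keystream. The zero-padded key and the fixed nonce are the security-relevant choices in this hunk and deserve comments, e.g. `// r is RSize bytes; the rest of the Salsa20 key stays zero, so the key carries 128 bits of entropy` on the copy into salsaKey and `// all-zero nonce: acceptable only because each package is encrypted under a fresh r` on dummyNonce. The declaration `dummyNonce []byte = make([]byte, 8)` can also drop the redundant type: `var dummyNonce = make([]byte, 8)`.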
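Review bot: In the new Decode lines the value recovered by `salsaKey[i] = b ^ in[len(in)-RSize+i]` is the package's random r, but the name no longer says so, even though the next lines both hash it (`h.Write(salsaKey[:RSize])`) and use it as the cipher key; a short comment would help, e.g. `// P2 XOR BLAKE2b(P1)[:RSize] recovers r; it is used zero-padded as the Salsa20 key, mirroring Encode.` Since decryption only works while both sides pad the RSize-byte r with zeros to 32 bytes, the comment should also say that the padding must stay in step with Encode. Decode's leading length check and its final return lie outside the hunk.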
@@ -22,7 +22,6 @@ golang.org/x/crypto/LICENSE
 golang.org/x/crypto/PATENTS
 golang.org/x/crypto/README
 golang.org/x/crypto/curve25519
-golang.org/x/crypto/hkdf
 golang.org/x/crypto/poly1305
 golang.org/x/crypto/salsa20
 golang.org/x/crypto/xtea
-- 
2.44.0