Split HKDF secret derivation and parsing.

signalapp · Oct 20, 2014 · 6326ef7 · 6326ef7
1 parent f29d1e6
commit 6326ef7
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 77 deletions.
diff --git a/libaxolotl/src/androidTest/java/org/whispersystems/test/kdf/HKDFTest.java b/libaxolotl/src/androidTest/java/org/whispersystems/test/kdf/HKDFTest.java
@@ -2,7 +2,6 @@
 
 import android.test.AndroidTestCase;
 
-import org.whispersystems.libaxolotl.kdf.DerivedSecrets;
 import org.whispersystems.libaxolotl.kdf.HKDF;
 
 import java.util.Arrays;
@@ -20,24 +19,19 @@ public void testVectorV3() {
     byte[] info = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, (byte) 0xf4,
                    (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, (byte) 0xf8, (byte) 0xf9};
 
-    byte[] expectedOutputOne = {(byte) 0x3c, (byte) 0xb2, (byte) 0x5f, (byte) 0x25, (byte) 0xfa,
-                                (byte) 0xac, (byte) 0xd5, (byte) 0x7a, (byte) 0x90, (byte) 0x43,
-                                (byte) 0x4f, (byte) 0x64, (byte) 0xd0, (byte) 0x36, (byte) 0x2f,
-                                (byte) 0x2a, (byte) 0x2d, (byte) 0x2d, (byte) 0x0a, (byte) 0x90,
-                                (byte) 0xcf, (byte) 0x1a, (byte) 0x5a, (byte) 0x4c, (byte) 0x5d,
-                                (byte) 0xb0, (byte) 0x2d, (byte) 0x56, (byte) 0xec, (byte) 0xc4,
-                                (byte) 0xc5, (byte) 0xbf};
+    byte[] okm = {(byte) 0x3c, (byte) 0xb2, (byte) 0x5f, (byte) 0x25, (byte) 0xfa,
+                  (byte) 0xac, (byte) 0xd5, (byte) 0x7a, (byte) 0x90, (byte) 0x43,
+                  (byte) 0x4f, (byte) 0x64, (byte) 0xd0, (byte) 0x36, (byte) 0x2f,
+                  (byte) 0x2a, (byte) 0x2d, (byte) 0x2d, (byte) 0x0a, (byte) 0x90,
+                  (byte) 0xcf, (byte) 0x1a, (byte) 0x5a, (byte) 0x4c, (byte) 0x5d,
+                  (byte) 0xb0, (byte) 0x2d, (byte) 0x56, (byte) 0xec, (byte) 0xc4,
+                  (byte) 0xc5, (byte) 0xbf, (byte) 0x34, (byte) 0x00, (byte) 0x72,
+                  (byte) 0x08, (byte) 0xd5, (byte) 0xb8, (byte) 0x87, (byte) 0x18,
+                  (byte) 0x58, (byte) 0x65};
 
-    byte[] expectedOutputTwo = {(byte) 0x34, (byte) 0x00, (byte) 0x72, (byte) 0x08, (byte) 0xd5,
-                                (byte) 0xb8, (byte) 0x87, (byte) 0x18, (byte) 0x58, (byte) 0x65};
+    byte[] actualOutput = HKDF.createFor(3).deriveSecrets(ikm, salt, info, 42);
 
-    DerivedSecrets derivedSecrets = HKDF.createFor(3).deriveSecrets(ikm, salt, info);
-
-    byte[] truncatedMacKey = new byte[expectedOutputTwo.length];
-    System.arraycopy(derivedSecrets.getMacKey().getEncoded(), 0, truncatedMacKey, 0, truncatedMacKey.length);
-
-    assertTrue(Arrays.equals(derivedSecrets.getCipherKey().getEncoded(), expectedOutputOne));
-    assertTrue(Arrays.equals(expectedOutputTwo, truncatedMacKey));
+    assertTrue(Arrays.equals(okm, actualOutput));
   }
 
   public void testVectorLongV3() {
@@ -109,6 +103,9 @@ public void testVectorLongV3() {
                    (byte) 0x3e, (byte) 0x87, (byte) 0xc1, (byte) 0x4c, (byte) 0x01,
                    (byte) 0xd5, (byte) 0xc1, (byte) 0xf3, (byte) 0x43, (byte) 0x4f,
                    (byte) 0x1d, (byte) 0x87};
+
+    byte[] actualOutput = HKDF.createFor(3).deriveSecrets(ikm, salt, info, 82);
+    assertTrue(Arrays.equals(okm, actualOutput));
   }
 
   public void testVectorV2() {
@@ -122,25 +119,21 @@ public void testVectorV2() {
     byte[] info = {(byte)0xf0, (byte)0xf1, (byte)0xf2, (byte)0xf3, (byte)0xf4,
                    (byte)0xf5, (byte)0xf6, (byte)0xf7, (byte)0xf8, (byte)0xf9};
 
-    byte[] expectedOutputOne = {(byte)0x6e, (byte)0xc2, (byte)0x55, (byte)0x6d, (byte)0x5d,
-                                (byte)0x7b, (byte)0x1d, (byte)0x81, (byte)0xde, (byte)0xe4,
-                                (byte)0x22, (byte)0x2a, (byte)0xd7, (byte)0x48, (byte)0x36,
-                                (byte)0x95, (byte)0xdd, (byte)0xc9, (byte)0x8f, (byte)0x4f,
-                                (byte)0x5f, (byte)0xab, (byte)0xc0, (byte)0xe0, (byte)0x20,
-                                (byte)0x5d, (byte)0xc2, (byte)0xef, (byte)0x87, (byte)0x52,
-                                (byte)0xd4, (byte)0x1e};
-
-    byte[] expectedOutputTwo = {(byte)0x04, (byte)0xe2, (byte)0xe2, (byte)0x11, (byte)0x01,
-                                (byte)0xc6, (byte)0x8f, (byte)0xf0, (byte)0x93, (byte)0x94,
-                                (byte)0xb8, (byte)0xad, (byte)0x0b, (byte)0xdc, (byte)0xb9,
-                                (byte)0x60, (byte)0x9c, (byte)0xd4, (byte)0xee, (byte)0x82,
-                                (byte)0xac, (byte)0x13, (byte)0x19, (byte)0x9b, (byte)0x4a,
-                                (byte)0xa9, (byte)0xfd, (byte)0xa8, (byte)0x99, (byte)0xda,
-                                (byte)0xeb, (byte)0xec};
-
-    DerivedSecrets derivedSecrets = HKDF.createFor(2).deriveSecrets(ikm, salt, info);
-
-    assertTrue(Arrays.equals(derivedSecrets.getCipherKey().getEncoded(), expectedOutputOne));
-    assertTrue(Arrays.equals(derivedSecrets.getMacKey().getEncoded(), expectedOutputTwo));
+    byte[] okm = {(byte)0x6e, (byte)0xc2, (byte)0x55, (byte)0x6d, (byte)0x5d,
+                  (byte)0x7b, (byte)0x1d, (byte)0x81, (byte)0xde, (byte)0xe4,
+                  (byte)0x22, (byte)0x2a, (byte)0xd7, (byte)0x48, (byte)0x36,
+                  (byte)0x95, (byte)0xdd, (byte)0xc9, (byte)0x8f, (byte)0x4f,
+                  (byte)0x5f, (byte)0xab, (byte)0xc0, (byte)0xe0, (byte)0x20,
+                  (byte)0x5d, (byte)0xc2, (byte)0xef, (byte)0x87, (byte)0x52,
+                  (byte)0xd4, (byte)0x1e, (byte)0x04, (byte)0xe2, (byte)0xe2,
+                  (byte)0x11, (byte)0x01, (byte)0xc6, (byte)0x8f, (byte)0xf0,
+                  (byte)0x93, (byte)0x94, (byte)0xb8, (byte)0xad, (byte)0x0b,
+                  (byte)0xdc, (byte)0xb9, (byte)0x60, (byte)0x9c, (byte)0xd4,
+                  (byte)0xee, (byte)0x82, (byte)0xac, (byte)0x13, (byte)0x19,
+                  (byte)0x9b, (byte)0x4a, (byte)0xa9, (byte)0xfd, (byte)0xa8,
+                  (byte)0x99, (byte)0xda, (byte)0xeb, (byte)0xec};
+
+    byte[] actualOutput = HKDF.createFor(2).deriveSecrets(ikm, salt, info, 64);
+    assertTrue(Arrays.equals(okm, actualOutput));
   }
 }
diff --git a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/DerivedSecrets.java b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/DerivedSecrets.java
@@ -21,12 +21,27 @@
 
 public class DerivedSecrets {
 
+  public  static final int SIZE               = 64;
+  private static final int CIPHER_KEYS_OFFSET = 0;
+  private static final int MAC_KEYS_OFFSET    = 32;
+
   private final SecretKeySpec cipherKey;
   private final SecretKeySpec macKey;
 
-  public DerivedSecrets(SecretKeySpec cipherKey, SecretKeySpec macKey) {
-    this.cipherKey = cipherKey;
-    this.macKey    = macKey;
+  public DerivedSecrets(byte[] okm) {
+    this.cipherKey = deriveCipherKey(okm);
+    this.macKey    = deriveMacKey(okm);
+  }
+  private SecretKeySpec deriveCipherKey(byte[] okm) {
+    byte[] cipherKey = new byte[32];
+    System.arraycopy(okm, CIPHER_KEYS_OFFSET, cipherKey, 0, cipherKey.length);
+    return new SecretKeySpec(cipherKey, "AES");
+  }
+
+  private SecretKeySpec deriveMacKey(byte[] okm) {
+    byte[] macKey = new byte[32];
+    System.arraycopy(okm, MAC_KEYS_OFFSET, macKey, 0, macKey.length);
+    return new SecretKeySpec(macKey, "HmacSHA256");
   }
 
   public SecretKeySpec getCipherKey() {

diff --git a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/HKDF.java b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/HKDF.java
@@ -27,10 +27,6 @@
 public abstract class HKDF {
 
   private static final int HASH_OUTPUT_SIZE  = 32;
-  private static final int KEY_MATERIAL_SIZE = 64;
-
-  private static final int CIPHER_KEYS_OFFSET = 0;
-  private static final int MAC_KEYS_OFFSET    = 32;
 
   public static HKDF createFor(int messageVersion) {
     switch (messageVersion) {
@@ -40,31 +36,14 @@ public static HKDF createFor(int messageVersion) {
     }
   }
 
-  public DerivedSecrets deriveSecrets(byte[] inputKeyMaterial, byte[] info) {
+  public byte[] deriveSecrets(byte[] inputKeyMaterial, byte[] info, int outputLength) {
     byte[] salt = new byte[HASH_OUTPUT_SIZE];
-    return deriveSecrets(inputKeyMaterial, salt, info);
-  }
-
-  public DerivedSecrets deriveSecrets(byte[] inputKeyMaterial, byte[] salt, byte[] info) {
-    byte[] prk              = extract(salt, inputKeyMaterial);
-    byte[] okm              = expand(prk, info, KEY_MATERIAL_SIZE);
-
-    SecretKeySpec cipherKey = deriveCipherKey(okm);
-    SecretKeySpec macKey    = deriveMacKey(okm);
-
-    return new DerivedSecrets(cipherKey, macKey);
-  }
-
-  private SecretKeySpec deriveCipherKey(byte[] okm) {
-    byte[] cipherKey = new byte[32];
-    System.arraycopy(okm, CIPHER_KEYS_OFFSET, cipherKey, 0, cipherKey.length);
-    return new SecretKeySpec(cipherKey, "AES");
+    return deriveSecrets(inputKeyMaterial, salt, info, outputLength);
   }
 
-  private SecretKeySpec deriveMacKey(byte[] okm) {
-    byte[] macKey = new byte[32];
-    System.arraycopy(okm, MAC_KEYS_OFFSET, macKey, 0, macKey.length);
-    return new SecretKeySpec(macKey, "HmacSHA256");
+  public byte[] deriveSecrets(byte[] inputKeyMaterial, byte[] salt, byte[] info, int outputLength) {
+    byte[] prk = extract(salt, inputKeyMaterial);
+    return expand(prk, info, outputLength);
   }
 
   private byte[] extract(byte[] salt, byte[] inputKeyMaterial) {
@@ -79,9 +58,10 @@ private byte[] extract(byte[] salt, byte[] inputKeyMaterial) {
 
   private byte[] expand(byte[] prk, byte[] info, int outputSize) {
     try {
-      int                   iterations = (int)Math.ceil((double)outputSize/(double)HASH_OUTPUT_SIZE);
-      byte[]                mixin      = new byte[0];
-      ByteArrayOutputStream results    = new ByteArrayOutputStream();
+      int                   iterations     = (int) Math.ceil((double) outputSize / (double) HASH_OUTPUT_SIZE);
+      byte[]                mixin          = new byte[0];
+      ByteArrayOutputStream results        = new ByteArrayOutputStream();
+      int                   remainingBytes = outputSize;
 
       for (int i= getIterationStartOffset();i<iterations + getIterationEndOffset();i++) {
         Mac mac = Mac.getInstance("HmacSHA256");
@@ -94,9 +74,12 @@ private byte[] expand(byte[] prk, byte[] info, int outputSize) {
         mac.update((byte)i);
 
         byte[] stepResult = mac.doFinal();
-        results.write(stepResult, 0, stepResult.length);
+        int    stepSize   = Math.min(remainingBytes, stepResult.length);
+
+        results.write(stepResult, 0, stepSize);
 
-        mixin = stepResult;
+        mixin          = stepResult;
+        remainingBytes -= stepSize;
       }
 
       return results.toByteArray();

diff --git a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/ChainKey.java b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/ChainKey.java
@@ -56,7 +56,8 @@ public ChainKey getNextChainKey() {
 
   public MessageKeys getMessageKeys() {
     byte[]         inputKeyMaterial = getBaseMaterial(MESSAGE_KEY_SEED);
-    DerivedSecrets keyMaterial      = kdf.deriveSecrets(inputKeyMaterial, "WhisperMessageKeys".getBytes());
+    byte[]         keyMaterialBytes = kdf.deriveSecrets(inputKeyMaterial, "WhisperMessageKeys".getBytes(), DerivedSecrets.SIZE);
+    DerivedSecrets keyMaterial      = new DerivedSecrets(keyMaterialBytes);
 
     return new MessageKeys(keyMaterial.getCipherKey(), keyMaterial.getMacKey(), index);
   }

diff --git a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/RatchetingSession.java b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/RatchetingSession.java
@@ -131,7 +131,8 @@ private static Pair<RootKey, ChainKey> calculate4DHE(boolean isAlice, int sessio
         secrets.write(Curve.calculateAgreement(theirPreKey, ourPreKey.getPrivateKey()));
       }
 
-      DerivedSecrets derivedSecrets = kdf.deriveSecrets(secrets.toByteArray(), "WhisperText".getBytes());
+      byte[]         derivedSecretBytes = kdf.deriveSecrets(secrets.toByteArray(), "WhisperText".getBytes(), DerivedSecrets.SIZE);
+      DerivedSecrets derivedSecrets     = new DerivedSecrets(derivedSecretBytes);
 
       return new Pair<>(new RootKey(kdf, derivedSecrets.getCipherKey().getEncoded()),
                         new ChainKey(kdf, derivedSecrets.getMacKey().getEncoded(), 0));

diff --git a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/RootKey.java b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/RootKey.java
@@ -22,6 +22,7 @@
 import org.whispersystems.libaxolotl.ecc.ECPublicKey;
 import org.whispersystems.libaxolotl.kdf.DerivedSecrets;
 import org.whispersystems.libaxolotl.kdf.HKDF;
+import org.whispersystems.libaxolotl.util.ByteUtil;
 import org.whispersystems.libaxolotl.util.Pair;
 
 public class RootKey {
@@ -41,10 +42,12 @@ public byte[] getKeyBytes() {
   public Pair<RootKey, ChainKey> createChain(ECPublicKey theirEphemeral, ECKeyPair ourEphemeral)
       throws InvalidKeyException
   {
-    byte[]         sharedSecret = Curve.calculateAgreement(theirEphemeral, ourEphemeral.getPrivateKey());
-    DerivedSecrets keys         = kdf.deriveSecrets(sharedSecret, key, "WhisperRatchet".getBytes());
-    RootKey        newRootKey   = new RootKey(kdf, keys.getCipherKey().getEncoded());
-    ChainKey       newChainKey  = new ChainKey(kdf, keys.getMacKey().getEncoded(), 0);
+    byte[]   sharedSecret = Curve.calculateAgreement(theirEphemeral, ourEphemeral.getPrivateKey());
+    byte[]   keyBytes     = kdf.deriveSecrets(sharedSecret, key, "WhisperRatchet".getBytes(), 64);
+    byte[][] keys         = ByteUtil.split(keyBytes, 32, 32);
+
+    RootKey        newRootKey   = new RootKey(kdf, keys[0]);
+    ChainKey       newChainKey  = new ChainKey(kdf, keys[1], 0);
 
     return new Pair<>(newRootKey, newChainKey);
   }