diff --git a/libaxolotl/src/androidTest/java/org/whispersystems/test/kdf/HKDFTest.java b/libaxolotl/src/androidTest/java/org/whispersystems/test/kdf/HKDFTest.java index 0ff34373da..079bc4fa56 100644 --- a/libaxolotl/src/androidTest/java/org/whispersystems/test/kdf/HKDFTest.java +++ b/libaxolotl/src/androidTest/java/org/whispersystems/test/kdf/HKDFTest.java @@ -2,7 +2,6 @@ package org.whispersystems.test.kdf; import android.test.AndroidTestCase; -import org.whispersystems.libaxolotl.kdf.DerivedSecrets; import org.whispersystems.libaxolotl.kdf.HKDF; import java.util.Arrays; @@ -20,24 +19,19 @@ public class HKDFTest extends AndroidTestCase { byte[] info = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, (byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, (byte) 0xf8, (byte) 0xf9}; - byte[] expectedOutputOne = {(byte) 0x3c, (byte) 0xb2, (byte) 0x5f, (byte) 0x25, (byte) 0xfa, - (byte) 0xac, (byte) 0xd5, (byte) 0x7a, (byte) 0x90, (byte) 0x43, - (byte) 0x4f, (byte) 0x64, (byte) 0xd0, (byte) 0x36, (byte) 0x2f, - (byte) 0x2a, (byte) 0x2d, (byte) 0x2d, (byte) 0x0a, (byte) 0x90, - (byte) 0xcf, (byte) 0x1a, (byte) 0x5a, (byte) 0x4c, (byte) 0x5d, - (byte) 0xb0, (byte) 0x2d, (byte) 0x56, (byte) 0xec, (byte) 0xc4, - (byte) 0xc5, (byte) 0xbf}; + byte[] okm = {(byte) 0x3c, (byte) 0xb2, (byte) 0x5f, (byte) 0x25, (byte) 0xfa, + (byte) 0xac, (byte) 0xd5, (byte) 0x7a, (byte) 0x90, (byte) 0x43, + (byte) 0x4f, (byte) 0x64, (byte) 0xd0, (byte) 0x36, (byte) 0x2f, + (byte) 0x2a, (byte) 0x2d, (byte) 0x2d, (byte) 0x0a, (byte) 0x90, + (byte) 0xcf, (byte) 0x1a, (byte) 0x5a, (byte) 0x4c, (byte) 0x5d, + (byte) 0xb0, (byte) 0x2d, (byte) 0x56, (byte) 0xec, (byte) 0xc4, + (byte) 0xc5, (byte) 0xbf, (byte) 0x34, (byte) 0x00, (byte) 0x72, + (byte) 0x08, (byte) 0xd5, (byte) 0xb8, (byte) 0x87, (byte) 0x18, + (byte) 0x58, (byte) 0x65}; - byte[] expectedOutputTwo = {(byte) 0x34, (byte) 0x00, (byte) 0x72, (byte) 0x08, (byte) 0xd5, - (byte) 0xb8, (byte) 0x87, (byte) 0x18, (byte) 0x58, (byte) 0x65}; + byte[] actualOutput = HKDF.createFor(3).deriveSecrets(ikm, salt, info, 42); - DerivedSecrets derivedSecrets = HKDF.createFor(3).deriveSecrets(ikm, salt, info); - - byte[] truncatedMacKey = new byte[expectedOutputTwo.length]; - System.arraycopy(derivedSecrets.getMacKey().getEncoded(), 0, truncatedMacKey, 0, truncatedMacKey.length); - - assertTrue(Arrays.equals(derivedSecrets.getCipherKey().getEncoded(), expectedOutputOne)); - assertTrue(Arrays.equals(expectedOutputTwo, truncatedMacKey)); + assertTrue(Arrays.equals(okm, actualOutput)); } public void testVectorLongV3() { @@ -109,6 +103,9 @@ public class HKDFTest extends AndroidTestCase { (byte) 0x3e, (byte) 0x87, (byte) 0xc1, (byte) 0x4c, (byte) 0x01, (byte) 0xd5, (byte) 0xc1, (byte) 0xf3, (byte) 0x43, (byte) 0x4f, (byte) 0x1d, (byte) 0x87}; + + byte[] actualOutput = HKDF.createFor(3).deriveSecrets(ikm, salt, info, 82); + assertTrue(Arrays.equals(okm, actualOutput)); } public void testVectorV2() { @@ -122,25 +119,21 @@ public class HKDFTest extends AndroidTestCase { byte[] info = {(byte)0xf0, (byte)0xf1, (byte)0xf2, (byte)0xf3, (byte)0xf4, (byte)0xf5, (byte)0xf6, (byte)0xf7, (byte)0xf8, (byte)0xf9}; - byte[] expectedOutputOne = {(byte)0x6e, (byte)0xc2, (byte)0x55, (byte)0x6d, (byte)0x5d, - (byte)0x7b, (byte)0x1d, (byte)0x81, (byte)0xde, (byte)0xe4, - (byte)0x22, (byte)0x2a, (byte)0xd7, (byte)0x48, (byte)0x36, - (byte)0x95, (byte)0xdd, (byte)0xc9, (byte)0x8f, (byte)0x4f, - (byte)0x5f, (byte)0xab, (byte)0xc0, (byte)0xe0, (byte)0x20, - (byte)0x5d, (byte)0xc2, (byte)0xef, (byte)0x87, (byte)0x52, - (byte)0xd4, (byte)0x1e}; + byte[] okm = {(byte)0x6e, (byte)0xc2, (byte)0x55, (byte)0x6d, (byte)0x5d, + (byte)0x7b, (byte)0x1d, (byte)0x81, (byte)0xde, (byte)0xe4, + (byte)0x22, (byte)0x2a, (byte)0xd7, (byte)0x48, (byte)0x36, + (byte)0x95, (byte)0xdd, (byte)0xc9, (byte)0x8f, (byte)0x4f, + (byte)0x5f, (byte)0xab, (byte)0xc0, (byte)0xe0, (byte)0x20, + (byte)0x5d, (byte)0xc2, (byte)0xef, (byte)0x87, (byte)0x52, + (byte)0xd4, (byte)0x1e, (byte)0x04, (byte)0xe2, (byte)0xe2, + (byte)0x11, (byte)0x01, (byte)0xc6, (byte)0x8f, (byte)0xf0, + (byte)0x93, (byte)0x94, (byte)0xb8, (byte)0xad, (byte)0x0b, + (byte)0xdc, (byte)0xb9, (byte)0x60, (byte)0x9c, (byte)0xd4, + (byte)0xee, (byte)0x82, (byte)0xac, (byte)0x13, (byte)0x19, + (byte)0x9b, (byte)0x4a, (byte)0xa9, (byte)0xfd, (byte)0xa8, + (byte)0x99, (byte)0xda, (byte)0xeb, (byte)0xec}; - byte[] expectedOutputTwo = {(byte)0x04, (byte)0xe2, (byte)0xe2, (byte)0x11, (byte)0x01, - (byte)0xc6, (byte)0x8f, (byte)0xf0, (byte)0x93, (byte)0x94, - (byte)0xb8, (byte)0xad, (byte)0x0b, (byte)0xdc, (byte)0xb9, - (byte)0x60, (byte)0x9c, (byte)0xd4, (byte)0xee, (byte)0x82, - (byte)0xac, (byte)0x13, (byte)0x19, (byte)0x9b, (byte)0x4a, - (byte)0xa9, (byte)0xfd, (byte)0xa8, (byte)0x99, (byte)0xda, - (byte)0xeb, (byte)0xec}; - - DerivedSecrets derivedSecrets = HKDF.createFor(2).deriveSecrets(ikm, salt, info); - - assertTrue(Arrays.equals(derivedSecrets.getCipherKey().getEncoded(), expectedOutputOne)); - assertTrue(Arrays.equals(derivedSecrets.getMacKey().getEncoded(), expectedOutputTwo)); + byte[] actualOutput = HKDF.createFor(2).deriveSecrets(ikm, salt, info, 64); + assertTrue(Arrays.equals(okm, actualOutput)); } } diff --git a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/DerivedSecrets.java b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/DerivedSecrets.java index 93786947e8..56d24cd460 100644 --- a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/DerivedSecrets.java +++ b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/DerivedSecrets.java @@ -21,12 +21,27 @@ import javax.crypto.spec.SecretKeySpec; public class DerivedSecrets { + public static final int SIZE = 64; + private static final int CIPHER_KEYS_OFFSET = 0; + private static final int MAC_KEYS_OFFSET = 32; + private final SecretKeySpec cipherKey; private final SecretKeySpec macKey; - public DerivedSecrets(SecretKeySpec cipherKey, SecretKeySpec macKey) { - this.cipherKey = cipherKey; - this.macKey = macKey; + public DerivedSecrets(byte[] okm) { + this.cipherKey = deriveCipherKey(okm); + this.macKey = deriveMacKey(okm); + } + private SecretKeySpec deriveCipherKey(byte[] okm) { + byte[] cipherKey = new byte[32]; + System.arraycopy(okm, CIPHER_KEYS_OFFSET, cipherKey, 0, cipherKey.length); + return new SecretKeySpec(cipherKey, "AES"); + } + + private SecretKeySpec deriveMacKey(byte[] okm) { + byte[] macKey = new byte[32]; + System.arraycopy(okm, MAC_KEYS_OFFSET, macKey, 0, macKey.length); + return new SecretKeySpec(macKey, "HmacSHA256"); } public SecretKeySpec getCipherKey() { diff --git a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/HKDF.java b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/HKDF.java index 9c4f747448..2301b4fbbc 100644 --- a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/HKDF.java +++ b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/kdf/HKDF.java @@ -27,10 +27,6 @@ import javax.crypto.spec.SecretKeySpec; public abstract class HKDF { private static final int HASH_OUTPUT_SIZE = 32; - private static final int KEY_MATERIAL_SIZE = 64; - - private static final int CIPHER_KEYS_OFFSET = 0; - private static final int MAC_KEYS_OFFSET = 32; public static HKDF createFor(int messageVersion) { switch (messageVersion) { @@ -40,31 +36,14 @@ public abstract class HKDF { } } - public DerivedSecrets deriveSecrets(byte[] inputKeyMaterial, byte[] info) { + public byte[] deriveSecrets(byte[] inputKeyMaterial, byte[] info, int outputLength) { byte[] salt = new byte[HASH_OUTPUT_SIZE]; - return deriveSecrets(inputKeyMaterial, salt, info); + return deriveSecrets(inputKeyMaterial, salt, info, outputLength); } - public DerivedSecrets deriveSecrets(byte[] inputKeyMaterial, byte[] salt, byte[] info) { - byte[] prk = extract(salt, inputKeyMaterial); - byte[] okm = expand(prk, info, KEY_MATERIAL_SIZE); - - SecretKeySpec cipherKey = deriveCipherKey(okm); - SecretKeySpec macKey = deriveMacKey(okm); - - return new DerivedSecrets(cipherKey, macKey); - } - - private SecretKeySpec deriveCipherKey(byte[] okm) { - byte[] cipherKey = new byte[32]; - System.arraycopy(okm, CIPHER_KEYS_OFFSET, cipherKey, 0, cipherKey.length); - return new SecretKeySpec(cipherKey, "AES"); - } - - private SecretKeySpec deriveMacKey(byte[] okm) { - byte[] macKey = new byte[32]; - System.arraycopy(okm, MAC_KEYS_OFFSET, macKey, 0, macKey.length); - return new SecretKeySpec(macKey, "HmacSHA256"); + public byte[] deriveSecrets(byte[] inputKeyMaterial, byte[] salt, byte[] info, int outputLength) { + byte[] prk = extract(salt, inputKeyMaterial); + return expand(prk, info, outputLength); } private byte[] extract(byte[] salt, byte[] inputKeyMaterial) { @@ -79,9 +58,10 @@ public abstract class HKDF { private byte[] expand(byte[] prk, byte[] info, int outputSize) { try { - int iterations = (int)Math.ceil((double)outputSize/(double)HASH_OUTPUT_SIZE); - byte[] mixin = new byte[0]; - ByteArrayOutputStream results = new ByteArrayOutputStream(); + int iterations = (int) Math.ceil((double) outputSize / (double) HASH_OUTPUT_SIZE); + byte[] mixin = new byte[0]; + ByteArrayOutputStream results = new ByteArrayOutputStream(); + int remainingBytes = outputSize; for (int i= getIterationStartOffset();i(new RootKey(kdf, derivedSecrets.getCipherKey().getEncoded()), new ChainKey(kdf, derivedSecrets.getMacKey().getEncoded(), 0)); diff --git a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/RootKey.java b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/RootKey.java index fc23503ac0..9782508777 100644 --- a/libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/RootKey.java +++ b/libaxolotl/src/main/java/org/whispersystems/libaxolotl/ratchet/RootKey.java @@ -22,6 +22,7 @@ import org.whispersystems.libaxolotl.ecc.ECKeyPair; import org.whispersystems.libaxolotl.ecc.ECPublicKey; import org.whispersystems.libaxolotl.kdf.DerivedSecrets; import org.whispersystems.libaxolotl.kdf.HKDF; +import org.whispersystems.libaxolotl.util.ByteUtil; import org.whispersystems.libaxolotl.util.Pair; public class RootKey { @@ -41,10 +42,12 @@ public class RootKey { public Pair createChain(ECPublicKey theirEphemeral, ECKeyPair ourEphemeral) throws InvalidKeyException { - byte[] sharedSecret = Curve.calculateAgreement(theirEphemeral, ourEphemeral.getPrivateKey()); - DerivedSecrets keys = kdf.deriveSecrets(sharedSecret, key, "WhisperRatchet".getBytes()); - RootKey newRootKey = new RootKey(kdf, keys.getCipherKey().getEncoded()); - ChainKey newChainKey = new ChainKey(kdf, keys.getMacKey().getEncoded(), 0); + byte[] sharedSecret = Curve.calculateAgreement(theirEphemeral, ourEphemeral.getPrivateKey()); + byte[] keyBytes = kdf.deriveSecrets(sharedSecret, key, "WhisperRatchet".getBytes(), 64); + byte[][] keys = ByteUtil.split(keyBytes, 32, 32); + + RootKey newRootKey = new RootKey(kdf, keys[0]); + ChainKey newChainKey = new ChainKey(kdf, keys[1], 0); return new Pair<>(newRootKey, newChainKey); }