Google Git
Sign in
boringssl/boringssl.git/200fe6786b820414444615bb6c2bb09fce90b6c3^!/.
commit
200fe6786b820414444615bb6c2bb09fce90b6c3
[log]
author
Adam Langley <agl@google.com>
Wed Dec 12 16:24:42 2018 -0800
committer
CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Thu Dec 13 18:42:02 2018 +0000
tree
652ca718555ce2b22ca8a89ab95811fb041428bc
parent
35a66d4aae6c94f8a314c73a2f97fd40799e1264 [diff]
Remove HRSS confirmation hash.

Since the underlying operation is deterministic the confirmation hash
isn't needed and SXY didn't use it in their proof.

Change-Id: I3a03c20ee79645cf94b10dbfe654c1b88d9aa416
Reviewed-on: https://boringssl-review.googlesource.com/c/33605
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

diff --git a/crypto/hrss/hrss.c b/crypto/hrss/hrss.c
index 87241a5..881da78 100644
--- a/crypto/hrss/hrss.c
+++ b/crypto/hrss/hrss.c

@@ -2088,10 +2088,9 @@
   poly_marshal(out, &prh_plus_m);
 }
 
-static const char kConfirmationHash[] = "confirmation hash";
 static const char kSharedKey[] = "shared key";
 
-void HRSS_encap(uint8_t out_ciphertext[POLY_BYTES + 32],
+void HRSS_encap(uint8_t out_ciphertext[POLY_BYTES],
                 uint8_t out_shared_key[32],
                 const struct HRSS_public_key *in_pub,
                 const uint8_t in[HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES]) {
@@ -2109,16 +2108,10 @@
 
   SHA256_CTX hash_ctx;
   SHA256_Init(&hash_ctx);
-  SHA256_Update(&hash_ctx, kConfirmationHash, sizeof(kConfirmationHash));
-  SHA256_Update(&hash_ctx, m_bytes, sizeof(m_bytes));
-  SHA256_Update(&hash_ctx, r_bytes, sizeof(r_bytes));
-  SHA256_Final(out_ciphertext + POLY_BYTES, &hash_ctx);
-
-  SHA256_Init(&hash_ctx);
   SHA256_Update(&hash_ctx, kSharedKey, sizeof(kSharedKey));
   SHA256_Update(&hash_ctx, m_bytes, sizeof(m_bytes));
   SHA256_Update(&hash_ctx, r_bytes, sizeof(r_bytes));
-  SHA256_Update(&hash_ctx, out_ciphertext, POLY_BYTES + 32);
+  SHA256_Update(&hash_ctx, out_ciphertext, POLY_BYTES);
   SHA256_Final(out_shared_key, &hash_ctx);
 }
 
@@ -2166,7 +2159,7 @@
   // If the ciphertext is publicly invalid then a random shared key is still
   // returned to simply the logic of the caller, but this path is not constant
   // time.
-  if (ciphertext_len != POLY_BYTES + 32) {
+  if (ciphertext_len != HRSS_CIPHERTEXT_BYTES) {
     return;
   }
 
@@ -2200,7 +2193,9 @@
   struct poly3 r3;
   crypto_word_t ok = poly3_from_poly_checked(&r3, &c);
 
-  uint8_t expected_ciphertext[POLY_BYTES + 32];
+  uint8_t expected_ciphertext[HRSS_CIPHERTEXT_BYTES];
+  OPENSSL_STATIC_ASSERT(HRSS_CIPHERTEXT_BYTES == POLY_BYTES,
+                        "ciphertext is the wrong size");
   assert(ciphertext_len == sizeof(expected_ciphertext));
   owf(expected_ciphertext, pub, &m_lifted, &c);
 
@@ -2209,12 +2204,6 @@
   poly_marshal_mod3(m_bytes, &m);
   poly_marshal_mod3(r_bytes, &c);
 
-  SHA256_Init(&hash_ctx);
-  SHA256_Update(&hash_ctx, kConfirmationHash, sizeof(kConfirmationHash));
-  SHA256_Update(&hash_ctx, m_bytes, sizeof(m_bytes));
-  SHA256_Update(&hash_ctx, r_bytes, sizeof(r_bytes));
-  SHA256_Final(expected_ciphertext + POLY_BYTES, &hash_ctx);
-
   ok &= constant_time_is_zero_w(CRYPTO_memcmp(ciphertext, expected_ciphertext,
                                               sizeof(expected_ciphertext)));
 

diff --git a/crypto/hrss/hrss_test.cc b/crypto/hrss/hrss_test.cc
index b37456c..ead717d 100644
--- a/crypto/hrss/hrss_test.cc
+++ b/crypto/hrss/hrss_test.cc

@@ -444,17 +444,14 @@
       0x0a, 0xcf, 0x72, 0x74, 0x76, 0x75, 0x99, 0x4d, 0x3d, 0x9a, 0x4c, 0x54,
       0xcd, 0xf8, 0x54, 0xf0, 0xbd, 0x73, 0xe9, 0x4f, 0x29, 0xd0, 0xe1, 0x24,
       0x94, 0x52, 0xd6, 0x60, 0x80, 0x71, 0x24, 0x95, 0x92, 0x01, 0x0e, 0xa9,
-      0x7e, 0x64, 0x2e, 0xed, 0x51, 0xcc, 0xd2, 0xff, 0xfd, 0x0b, 0xf4, 0x1d,
-      0x25, 0x5d, 0x10, 0x87, 0x09, 0x55, 0x06, 0x95, 0xae, 0xb3, 0xef, 0xe9,
-      0xaa, 0x36, 0x15, 0x97, 0xe6, 0xf2, 0x24, 0xcf, 0x7d, 0xcd, 0x55, 0x11,
-      0xba, 0x20, 0xd0, 0xd7, 0xdc, 0xa6,
+      0x7e, 0x64, 0x2e, 0xed, 0x51, 0xcc, 0xd2, 0xff, 0xfd, 0x0b,
   };
   EXPECT_EQ(Bytes(ciphertext), Bytes(kExpectedCiphertext));
 
   static const uint8_t kExpectedSharedKey[HRSS_KEY_BYTES] = {
-      0x04, 0x5a, 0x1a, 0xbc, 0x4c, 0x76, 0x47, 0x1f, 0xbf, 0xc9, 0x23,
-      0xec, 0xcb, 0x6e, 0x4d, 0x59, 0x8d, 0x3f, 0x90, 0x3e, 0x53, 0x73,
-      0x3c, 0x2c, 0x71, 0xcc, 0xac, 0xc5, 0xe0, 0xf2, 0xbc, 0xe8,
+      0xbc, 0x98, 0x9c, 0x9c, 0x1f, 0x57, 0x6f, 0x38, 0x0b, 0x5d, 0xc2,
+      0x23, 0x7d, 0x01, 0xae, 0x63, 0x17, 0xe8, 0xe4, 0xb2, 0x02, 0xa7,
+      0xc4, 0x3a, 0x1b, 0x5a, 0xf3, 0xf8, 0xb5, 0xea, 0x6e, 0x22,
   };
   EXPECT_EQ(Bytes(shared_key), Bytes(kExpectedSharedKey));
 
@@ -467,9 +464,9 @@
   HRSS_decap(shared_key, &pub, &priv, ciphertext, sizeof(ciphertext));
 
   static const uint8_t kExpectedFailureKey[HRSS_KEY_BYTES] = {
-      0x3a, 0xec, 0xc0, 0x38, 0x4f, 0xa7, 0x17, 0xb2, 0x77, 0x61, 0xb1,
-      0xf8, 0x12, 0x7f, 0xd9, 0x61, 0x67, 0x70, 0x63, 0xbe, 0xa2, 0x72,
-      0xfe, 0x1a, 0x82, 0x8d, 0x1d, 0x90, 0xe0, 0x36, 0x69, 0x2d,
+      0x8e, 0x19, 0xfe, 0x2b, 0x12, 0x67, 0xef, 0x9a, 0x63, 0x4d, 0x79,
+      0x33, 0x8c, 0xce, 0xbf, 0x03, 0xdb, 0x9c, 0xc4, 0xc1, 0x70, 0xe1,
+      0x32, 0xa6, 0xb3, 0xd3, 0xa1, 0x43, 0x3c, 0xf1, 0x1f, 0x5a,
   };
   EXPECT_EQ(Bytes(shared_key), Bytes(kExpectedFailureKey));
 }

diff --git a/include/openssl/hrss.h b/include/openssl/hrss.h
index 4e1c73f..cc5edff 100644
--- a/include/openssl/hrss.h
+++ b/include/openssl/hrss.h

@@ -50,7 +50,7 @@
 // HRSS_PUBLIC_KEY_BYTES is the number of bytes in a public key.
 #define HRSS_PUBLIC_KEY_BYTES 1138
 // HRSS_CIPHERTEXT_BYTES is the number of bytes in a ciphertext.
-#define HRSS_CIPHERTEXT_BYTES (1138 + 32)
+#define HRSS_CIPHERTEXT_BYTES 1138
 // HRSS_KEY_BYTES is the number of bytes in a shared key.
 #define HRSS_KEY_BYTES 32
 // HRSS_POLY3_BYTES is the number of bytes needed to serialise a mod 3

diff --git a/ssl/test/runner/hrss/hrss.go b/ssl/test/runner/hrss/hrss.go
index ebda656..9f4fdd7 100644
--- a/ssl/test/runner/hrss/hrss.go
+++ b/ssl/test/runner/hrss/hrss.go

@@ -11,7 +11,7 @@
 
 const (
 	PublicKeySize  = modQBytes
-	CiphertextSize = modQBytes + 32
+	CiphertextSize = modQBytes
 )
 
 const (
@@ -1058,18 +1058,9 @@
 	m.marshalS3(mBytes[:])
 	r.marshalS3(rBytes[:])
 
+	ciphertext = pub.owf(&m, &r)
+
 	h := sha256.New()
-	h.Write([]byte("confirmation hash\x00"))
-	h.Write(mBytes[:])
-	h.Write(rBytes[:])
-	confirmationDigest := h.Sum(nil)
-
-	encrypted := pub.owf(&m, &r)
-	ciphertext = make([]byte, 0, len(encrypted)+len(confirmationDigest))
-	ciphertext = append(ciphertext, encrypted...)
-	ciphertext = append(ciphertext, confirmationDigest...)
-
-	h.Reset()
 	h.Write([]byte("shared key\x00"))
 	h.Write(mBytes[:])
 	h.Write(rBytes[:])
@@ -1114,12 +1105,12 @@
 }
 
 func (priv *PrivateKey) Decap(ciphertext []byte) (sharedKey []byte, ok bool) {
-	if len(ciphertext) != modQBytes+32 {
+	if len(ciphertext) != modQBytes {
 		return nil, false
 	}
 
 	var e poly
-	if !e.unmarshal(ciphertext[:modQBytes]) {
+	if !e.unmarshal(ciphertext) {
 		return nil, false
 	}
 
@@ -1153,18 +1144,9 @@
 	m.marshalS3(mBytes[:])
 	r.marshal(rBytes[:])
 
-	h := sha256.New()
-	h.Write([]byte("confirmation hash\x00"))
-	h.Write(mBytes[:])
-	h.Write(rBytes[:])
-	confirmationDigest := h.Sum(nil)
-
 	var rPoly poly
 	rPoly.fromMod3(&r)
-	encrypted := priv.PublicKey.owf(&m, &rPoly)
-	expectedCiphertext := make([]byte, 0, len(encrypted)+len(confirmationDigest))
-	expectedCiphertext = append(expectedCiphertext, encrypted...)
-	expectedCiphertext = append(expectedCiphertext, confirmationDigest...)
+	expectedCiphertext := priv.PublicKey.owf(&m, &rPoly)
 
 	allOk &= subtle.ConstantTimeCompare(ciphertext, expectedCiphertext)
 
@@ -1172,7 +1154,7 @@
 	hmacHash.Write(ciphertext)
 	hmacDigest := hmacHash.Sum(nil)
 
-	h.Reset()
+	h := sha256.New()
 	h.Write([]byte("shared key\x00"))
 	h.Write(mBytes[:])
 	h.Write(rBytes[:])