use HKDF for NTCP2 key derivation data phase

libi2pd/Crypto.cpp

@@ -1259,18 +1259,29 @@ namespace crypto
 #endif
 	}
 
-	void HKDF (const uint8_t * salt, const uint8_t * key, size_t keyLen, const std::string& info, uint8_t * out)
+	void HKDF (const uint8_t * salt, const uint8_t * key, size_t keyLen, const std::string& info, 
+		uint8_t * out, size_t outLen)
 	{
 #if OPENSSL_HKDF
-		EVP_PKEY_CTX * pctx = EVP_PKEY_CTX_new_id (EVP_PKEY_HKDF, NULL);
+		EVP_PKEY_CTX * pctx = EVP_PKEY_CTX_new_id (EVP_PKEY_HKDF, nullptr);
 		EVP_PKEY_derive_init (pctx);
 		EVP_PKEY_CTX_set_hkdf_md (pctx, EVP_sha256());
-		EVP_PKEY_CTX_set1_hkdf_salt (pctx, salt, 32);
-		EVP_PKEY_CTX_set1_hkdf_key (pctx, key, keyLen);
+		if (key && keyLen)
+		{	
+			EVP_PKEY_CTX_set1_hkdf_salt (pctx, salt, 32);
+			EVP_PKEY_CTX_set1_hkdf_key (pctx, key, keyLen);
+		}	
+		else
+		{
+			// zerolen
+			EVP_PKEY_CTX_hkdf_mode (pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY);
+			uint8_t tempKey[32]; unsigned int len;
+			HMAC(EVP_sha256(), salt, 32, nullptr, 0, tempKey, &len);
+			EVP_PKEY_CTX_set1_hkdf_key (pctx, tempKey, len);
+		}		
 		if (info.length () > 0)
 			EVP_PKEY_CTX_add1_hkdf_info (pctx, info.c_str (), info.length ());
-		size_t outlen = 64;
-		EVP_PKEY_derive (pctx, out, &outlen);
+		EVP_PKEY_derive (pctx, out, &outLen);
 		EVP_PKEY_CTX_free (pctx);
 #else
 		uint8_t prk[32]; unsigned int len;
@@ -1278,8 +1289,11 @@ namespace crypto
 		auto l = info.length ();
 		memcpy (out, info.c_str (), l); out[l] = 0x01;
 		HMAC(EVP_sha256(), prk, 32, out, l + 1, out, &len);
-		memcpy (out + 32, info.c_str (), l); out[l + 32] = 0x02;
-		HMAC(EVP_sha256(), prk, 32, out, l + 33, out + 32, &len); 
+		if (outLen > 32) // 64
+		{	
+			memcpy (out + 32, info.c_str (), l); out[l + 32] = 0x02;
+			HMAC(EVP_sha256(), prk, 32, out, l + 33, out + 32, &len); 
+		}	
 #endif
 	}
 

libi2pd/Crypto.h

@@ -296,7 +296,7 @@ namespace crypto
 
 // HKDF
 
-	void HKDF (const uint8_t * salt, const uint8_t * key, size_t keyLen, const std::string& info, uint8_t * out); // salt - 32, out - 64, info <= 32 
+	void HKDF (const uint8_t * salt, const uint8_t * key, size_t keyLen, const std::string& info, uint8_t * out, size_t outLen = 64); // salt - 32, out - 32 or 64, info <= 32 
 
 // init and terminate
 	void InitCrypto (bool precomputation);

libi2pd/NTCP2.cpp

@@ -441,23 +441,17 @@ namespace transport
 
 	void NTCP2Session::KeyDerivationFunctionDataPhase ()
 	{
-		uint8_t tempKey[32]; unsigned int len;
-		HMAC(EVP_sha256(), m_Establisher->GetCK (), 32, nullptr, 0, tempKey, &len); // temp_key = HMAC-SHA256(ck, zerolen)
-		static uint8_t one[1] =  { 1 };
-		HMAC(EVP_sha256(), tempKey, 32, one, 1, m_Kab, &len);  // k_ab = HMAC-SHA256(temp_key, byte(0x01)).
-		m_Kab[32] = 2;
-		HMAC(EVP_sha256(), tempKey, 32, m_Kab, 33, m_Kba, &len);  // k_ba = HMAC-SHA256(temp_key, k_ab || byte(0x02))
-		static uint8_t ask[4] = { 'a', 's', 'k', 1 }, master[32];
-		HMAC(EVP_sha256(), tempKey, 32, ask, 4, master, &len); // ask_master = HMAC-SHA256(temp_key, "ask" || byte(0x01))
+		uint8_t k[64];
+		i2p::crypto::HKDF (m_Establisher->GetCK (), nullptr, 0, "", k); // k_ab, k_ba = HKDF(ck, zerolen)
+		memcpy (m_Kab, k, 32); memcpy (m_Kba, k + 32, 32);
+		uint8_t master[32];
+		i2p::crypto::HKDF (m_Establisher->GetCK (), nullptr, 0, "ask", master, 32); // ask_master = HKDF(ck, zerolen, info="ask")
 		uint8_t h[39];
 		memcpy (h, m_Establisher->GetH (), 32);
 		memcpy (h + 32, "siphash", 7);
-		HMAC(EVP_sha256(), master, 32, h, 39, tempKey, &len); // temp_key = HMAC-SHA256(ask_master, h || "siphash")
-		HMAC(EVP_sha256(), tempKey, 32, one, 1, master, &len); // sip_master = HMAC-SHA256(temp_key, byte(0x01))  
-		HMAC(EVP_sha256(), master, 32, nullptr, 0, tempKey, &len); // temp_key = HMAC-SHA256(sip_master, zerolen)
-		HMAC(EVP_sha256(), tempKey, 32, one, 1, m_Sipkeysab, &len); // sipkeys_ab = HMAC-SHA256(temp_key, byte(0x01)).
-		m_Sipkeysab[32] = 2;
-		HMAC(EVP_sha256(), tempKey, 32, m_Sipkeysab, 33, m_Sipkeysba, &len); // sipkeys_ba = HMAC-SHA256(temp_key, sipkeys_ab || byte(0x02)) 
+		i2p::crypto::HKDF (master, h, 39, "", master, 32); // sip_master = HKDF(ask_master, h || "siphash")
+		i2p::crypto::HKDF (master, nullptr, 0, "", k, 64); // sipkeys_ab, sipkeys_ba = HKDF(sip_master, zerolen)
+		memcpy (m_Sipkeysab, k, 32); memcpy (m_Sipkeysba, k + 32, 32);	
 	}
 
 

libi2pd/NTCP2.h

@@ -195,7 +195,7 @@ namespace transport
 
 			std::unique_ptr<NTCP2Establisher> m_Establisher;
 			// data phase
-			uint8_t m_Kab[33], m_Kba[32], m_Sipkeysab[33], m_Sipkeysba[32]; 
+			uint8_t m_Kab[32], m_Kba[32], m_Sipkeysab[32], m_Sipkeysba[32]; 
 			const uint8_t * m_SendKey, * m_ReceiveKey;
 #if OPENSSL_SIPHASH 
 			EVP_PKEY * m_SendSipKey, * m_ReceiveSipKey;