Add sha256 to hkdf name

sosthene-nitrokey · sosthene-nitrokey · commit 6283af5b7a3b · 2024-10-02T09:01:40.000+02:00
diff --git a/src/hpke.rs b/src/hpke.rs
@@ -21,7 +21,7 @@ use rand_core::{CryptoRng, RngCore};
 use salty::agreement as x25519;
 
 const X25519_KEM_SUITE_ID: &[u8] = b"KEM\x00\x20";
-const X25519_HKDF_CHACHA20_POLY1305_HPKE_SUITE_ID: &[u8] = b"HPKE\x00\x20\x00\x01\x00\x03";
+const X25519_HKDF_SHA256_CHACHA20_POLY1305_HPKE_SUITE_ID: &[u8] = b"HPKE\x00\x20\x00\x01\x00\x03";
 
 fn labeled_extract(
     suite_id: &[u8],
@@ -120,43 +120,51 @@ trait Aead:
     >
 {
     const AEAD_ID: u16;
-    const X25519_HKDF_SELF_HPKE_SUITE_ID: &'static [u8];
+    const X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID: &'static [u8];
 }
 
 impl Aead for ChaCha20Poly1305 {
     const AEAD_ID: u16 = 0x0003;
-    const X25519_HKDF_SELF_HPKE_SUITE_ID: &'static [u8] =
-        X25519_HKDF_CHACHA20_POLY1305_HPKE_SUITE_ID;
+    const X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID: &'static [u8] =
+        X25519_HKDF_SHA256_CHACHA20_POLY1305_HPKE_SUITE_ID;
 }
 
 impl Aead for ChaCha8Poly1305 {
     /// Custom non-standard Id
     const AEAD_ID: u16 = 0xFFFE;
-    const X25519_HKDF_SELF_HPKE_SUITE_ID: &'static [u8] = b"HPKE\x00\x20\x00\x01\xFF\xFE";
+    const X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID: &'static [u8] = b"HPKE\x00\x20\x00\x01\xFF\xFE";
 }
 
 const NK: usize = 32;
 const NN: usize = 12;
 const NH: usize = 32;
 
 fn key_schedule<T: Aead>(_role: Role, shared_secret: [u8; 32], info: &[u8]) -> Context {
-    let (_, psk_id_hash) =
-        labeled_extract(T::X25519_HKDF_SELF_HPKE_SUITE_ID, b"", b"psk_id_hash", b"");
-    let (_, info_hash) =
-        labeled_extract(T::X25519_HKDF_SELF_HPKE_SUITE_ID, b"", b"info_hash", info);
+    let (_, psk_id_hash) = labeled_extract(
+        T::X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID,
+        b"",
+        b"psk_id_hash",
+        b"",
+    );
+    let (_, info_hash) = labeled_extract(
+        T::X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID,
+        b"",
+        b"info_hash",
+        info,
+    );
     let mut key_schedule_context = [0; 65];
     key_schedule_context[0] = MODE_BASE;
     key_schedule_context[1..33].copy_from_slice(&psk_id_hash);
     key_schedule_context[33..].copy_from_slice(&info_hash);
     let (secret, _) = labeled_extract(
-        T::X25519_HKDF_SELF_HPKE_SUITE_ID,
+        T::X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID,
         &shared_secret,
         b"secret",
         b"",
     );
     let mut key = [0; NK];
     labeled_expand(
-        T::X25519_HKDF_SELF_HPKE_SUITE_ID,
+        T::X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID,
         &secret,
         b"key",
         &key_schedule_context,
@@ -165,7 +173,7 @@ fn key_schedule<T: Aead>(_role: Role, shared_secret: [u8; 32], info: &[u8]) -> C
     .expect("KEY is not too large");
     let mut base_nonce = [0; NN];
     labeled_expand(
-        T::X25519_HKDF_SELF_HPKE_SUITE_ID,
+        T::X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID,
         &secret,
         b"base_nonce",
         &key_schedule_context,
@@ -174,7 +182,7 @@ fn key_schedule<T: Aead>(_role: Role, shared_secret: [u8; 32], info: &[u8]) -> C
     .expect("NONCE is not too large");
     let mut exporter_secret = [0; NH];
     labeled_expand(
-        T::X25519_HKDF_SELF_HPKE_SUITE_ID,
+        T::X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID,
         &secret,
         b"exp",
         &key_schedule_context,
@@ -575,16 +583,16 @@ mod tests {
     }
 
     const X25519_KEM_ID: u16 = 0x0020;
-    const HKDF_KDF_ID: u16 = 0x0001;
+    const HKDF_SHA256_KDF_ID: u16 = 0x0001;
     fn assert_suite_id<T: Aead>() {
         let calculated_id: Vec<u8> = b"HPKE"
             .iter()
             .copied()
             .chain(X25519_KEM_ID.to_be_bytes())
-            .chain(HKDF_KDF_ID.to_be_bytes())
+            .chain(HKDF_SHA256_KDF_ID.to_be_bytes())
             .chain(T::AEAD_ID.to_be_bytes())
             .collect();
-        assert_eq!(T::X25519_HKDF_SELF_HPKE_SUITE_ID, &calculated_id);
+        assert_eq!(T::X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID, &calculated_id);
     }
 
     #[test]
