Add NOISE_N variant to hydro_kx

hydrogen.h

@@ -158,10 +158,6 @@ int hydro_sign_verify(const uint8_t csig[hydro_sign_BYTES], const void *m_, size
 #define hydro_kx_PSKBYTES 32
 #define hydro_kx_SEEDBYTES 32
 
-#define hydro_kx_XX_PACKET1BYTES 32
-#define hydro_kx_XX_PACKET2BYTES 80
-#define hydro_kx_XX_PACKET3BYTES 48
-
 typedef struct hydro_kx_keypair {
     uint8_t pk[hydro_kx_PUBLICKEYBYTES];
     uint8_t sk[hydro_kx_SECRETKEYBYTES];
@@ -184,6 +180,23 @@ void hydro_kx_keygen(hydro_kx_keypair *static_kp);
 void hydro_kx_keygen_deterministic(hydro_kx_keypair *static_kp,
                                    const uint8_t     seed[hydro_kx_SEEDBYTES]);
 
+/* NOISE_N */
+
+#define hydro_kx_N_PACKET1BYTES 32
+
+int hydro_kx_n_1(hydro_kx_session_keypair *kp, uint8_t packet1[hydro_kx_N_PACKET1BYTES],
+                 const uint8_t psk[hydro_kx_PSKBYTES],
+                 const uint8_t peer_static_pk[hydro_kx_PUBLICKEYBYTES]);
+
+int hydro_kx_n_2(hydro_kx_session_keypair *kp, const uint8_t packet1[hydro_kx_N_PACKET1BYTES],
+                 const uint8_t psk[hydro_kx_PSKBYTES], const hydro_kx_keypair *static_kp);
+
+/* NOISE_XX */
+
+#define hydro_kx_XX_PACKET1BYTES 32
+#define hydro_kx_XX_PACKET2BYTES 80
+#define hydro_kx_XX_PACKET3BYTES 48
+
 int hydro_kx_xx_1(hydro_kx_state *state, uint8_t packet1[hydro_kx_XX_PACKET1BYTES],
                   const uint8_t psk[hydro_kx_PSKBYTES]);
 

impl/kx.h

@@ -200,6 +200,62 @@ hydro_kx_final(hydro_kx_state *state, uint8_t rx[hydro_kx_SESSIONKEYBYTES],
     hydro_memzero(state, sizeof *state);
 }
 
+/* NOISE_N */
+
+int
+hydro_kx_n_1(hydro_kx_session_keypair *kp, uint8_t packet1[hydro_kx_N_PACKET1BYTES],
+             const uint8_t psk[hydro_kx_PSKBYTES],
+             const uint8_t peer_static_pk[hydro_kx_PUBLICKEYBYTES])
+{
+    hydro_kx_state state;
+    uint8_t        dh_res[hydro_x25519_BYTES];
+
+    mem_zero(&state, sizeof state);
+
+    hydro_kx_keygen(&state.eph_kp);
+    COMPILER_ASSERT(hydro_kx_PSKBYTES >= hydro_hash_KEYBYTES);
+    hydro_hash_hash(state.h, sizeof state.h, peer_static_pk, hydro_kx_PUBLICKEYBYTES,
+                    hydro_kx_CONTEXT, psk);
+    memcpy(packet1, state.eph_kp.pk, hydro_kx_PUBLICKEYBYTES);
+
+    COMPILER_ASSERT(sizeof state.h >= hydro_hash_KEYBYTES);
+    hydro_hash_hash(state.h, sizeof state.h, state.eph_kp.pk, sizeof state.eph_kp.pk,
+                    hydro_kx_CONTEXT, state.h);
+
+    if (hydro_kx_scalarmult(&state, dh_res, state.eph_kp.sk, peer_static_pk) != 0) {
+        return -1;
+    }
+    hydro_kx_final(&state, kp->rx, kp->tx);
+
+    return 0;
+}
+
+int
+hydro_kx_n_2(hydro_kx_session_keypair *kp, const uint8_t packet1[hydro_kx_N_PACKET1BYTES],
+             const uint8_t psk[hydro_kx_PSKBYTES], const hydro_kx_keypair *static_kp)
+{
+    hydro_kx_state state;
+    uint8_t        dh_res[hydro_x25519_BYTES];
+    const uint8_t *peer_eph_pk = packet1;
+
+    mem_zero(&state, sizeof state);
+
+    COMPILER_ASSERT(hydro_kx_PSKBYTES >= hydro_hash_KEYBYTES);
+    hydro_hash_hash(state.h, sizeof state.h, static_kp->pk, sizeof static_kp->pk, hydro_kx_CONTEXT,
+                    psk);
+
+    COMPILER_ASSERT(sizeof state.h >= hydro_hash_KEYBYTES);
+    hydro_hash_hash(state.h, sizeof state.h, peer_eph_pk, hydro_kx_PUBLICKEYBYTES, hydro_kx_CONTEXT,
+                    state.h);
+
+    if (hydro_kx_scalarmult(&state, dh_res, static_kp->sk, peer_eph_pk) != 0) {
+        return -1;
+    }
+    hydro_kx_final(&state, kp->tx, kp->rx);
+
+    return 0;
+}
+
 /* NOISE_XX */
 
 int

tests/tests.c

@@ -272,7 +272,7 @@ test_sign(void)
 }
 
 static void
-test_kx(void)
+test_kx_xx(void)
 {
     hydro_kx_state           st_client;
     hydro_kx_state           st_server;
@@ -301,8 +301,7 @@ test_kx(void)
     hydro_random_buf(psk, sizeof psk);
     hydro_kx_xx_1(&st_client, packet1, psk);
     hydro_kx_xx_2(&st_server, packet2, packet1, psk, &server_static_kp);
-    hydro_kx_xx_3(&st_client, &kp_client, packet3, client_peer_pk, packet2, psk,
-                  &client_static_kp);
+    hydro_kx_xx_3(&st_client, &kp_client, packet3, client_peer_pk, packet2, psk, &client_static_kp);
     hydro_kx_xx_4(&st_server, &kp_server, server_peer_pk, packet3, psk);
 
     assert(hydro_equal(kp_client.tx, kp_server.rx, hydro_kx_SESSIONKEYBYTES));
@@ -311,6 +310,25 @@ test_kx(void)
     assert(hydro_equal(server_peer_pk, client_static_kp.pk, hydro_kx_PUBLICKEYBYTES));
 }
 
+static void
+test_kx_n(void)
+{
+    hydro_kx_keypair         server_static_kp;
+    uint8_t                  psk[hydro_kx_PSKBYTES];
+    uint8_t                  packet1[hydro_kx_N_PACKET1BYTES];
+    hydro_kx_session_keypair kp_client;
+    hydro_kx_session_keypair kp_server;
+
+    hydro_kx_keygen(&server_static_kp);
+    hydro_random_buf(psk, sizeof psk);
+
+    hydro_kx_n_1(&kp_client, packet1, psk, server_static_kp.pk);
+    hydro_kx_n_2(&kp_server, packet1, psk, &server_static_kp);
+
+    assert(hydro_equal(kp_client.tx, kp_server.rx, hydro_kx_SESSIONKEYBYTES));
+    assert(hydro_equal(kp_client.rx, kp_server.tx, hydro_kx_SESSIONKEYBYTES));
+}
+
 static void
 test_pwhash(void)
 {
@@ -371,7 +389,8 @@ main(void)
     test_core();
     test_hash();
     test_kdf();
-    test_kx();
+    test_kx_xx();
+    test_kx_n();
     test_pwhash();
     test_randombytes();
     test_secretbox();