From b29ff927b0b6efb06719788e8facc9482c784b6c Mon Sep 17 00:00:00 2001
From: akwizgran <akwizgran@users.sourceforge.net>
Date: Tue, 15 Dec 2015 10:07:33 +0000
Subject: [PATCH] Switch KDF from SHA-256 to Blake2. #169

---
 .../crypto/CryptoComponentImpl.java           | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java b/briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java
index d86f02a94d..4d62980cd8 100644
--- a/briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java
+++ b/briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java
@@ -22,6 +22,7 @@ import org.spongycastle.crypto.CipherParameters;
 import org.spongycastle.crypto.Digest;
 import org.spongycastle.crypto.Mac;
 import org.spongycastle.crypto.agreement.ECDHCBasicAgreement;
+import org.spongycastle.crypto.digests.Blake2bDigest;
 import org.spongycastle.crypto.digests.SHA256Digest;
 import org.spongycastle.crypto.engines.AESLightEngine;
 import org.spongycastle.crypto.generators.ECKeyPairGenerator;
@@ -389,18 +390,19 @@ class CryptoComponentImpl implements CryptoComponent {
 	// Key derivation function based on a hash function - see NIST SP 800-56A,
 	// section 5.8
 	private byte[] hashKdf(byte[]... inputs) {
+		Digest digest = new Blake2bDigest();
 		// The output of the hash function must be long enough to use as a key
-		MessageDigest messageDigest = getMessageDigest();
-		if (messageDigest.getDigestLength() < SecretKey.LENGTH)
-			throw new IllegalStateException();
+		int hashLength = digest.getDigestSize();
+		if (hashLength < SecretKey.LENGTH) throw new IllegalStateException();
 		// Calculate the hash over the concatenated length-prefixed inputs
 		byte[] length = new byte[4];
 		for (byte[] input : inputs) {
 			ByteUtils.writeUint32(input.length, length, 0);
-			messageDigest.update(length);
-			messageDigest.update(input);
+			digest.update(length, 0, length.length);
+			digest.update(input, 0, input.length);
 		}
-		byte[] hash = messageDigest.digest();
+		byte[] hash = new byte[hashLength];
+		digest.doFinal(hash, 0);
 		// The output is the first SecretKey.LENGTH bytes of the hash
 		if (hash.length == SecretKey.LENGTH) return hash;
 		byte[] truncated = new byte[SecretKey.LENGTH];
@@ -412,12 +414,11 @@ class CryptoComponentImpl implements CryptoComponent {
 	// NIST SP 800-108, section 5.1
 	private byte[] macKdf(SecretKey key, byte[]... inputs) {
 		// Initialise the PRF
-		Mac prf = new HMac(new SHA256Digest());
+		Mac prf = new HMac(new Blake2bDigest());
 		prf.init(new KeyParameter(key.getBytes()));
 		// The output of the PRF must be long enough to use as a key
 		int macLength = prf.getMacSize();
-		if (macLength < SecretKey.LENGTH)
-			throw new IllegalStateException();
+		if (macLength < SecretKey.LENGTH) throw new IllegalStateException();
 		// Calculate the PRF over the concatenated length-prefixed inputs
 		byte[] length = new byte[4];
 		for (byte[] input : inputs) {
-- 
GitLab