From 40b4681a6ecb142a09fea84809be5b1bdef65617 Mon Sep 17 00:00:00 2001 From: Tony Garnock-Jones Date: Mon, 16 Jan 2023 16:21:12 +0100 Subject: [PATCH] Ugh, xsalsa20poly1305 as an AEAD isn't a thing --- schemas/noise.prs | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/schemas/noise.prs b/schemas/noise.prs index 94eb6dd..16b384b 100644 --- a/schemas/noise.prs +++ b/schemas/noise.prs @@ -1,28 +1,28 @@ version 1 . -; Noise_IK_25519_XSalsa20Poly1305_SHA512 -; Noise_NK_25519_XSalsa20Poly1305_SHA512 -; -; Most noise instantiations use ChaChaPoly (or AESGCM) but because e.g. tweetnacl offers -; XSalsa20 instead of ChaCha, I think I'll go with that. +; Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s, just like Wireguard +; Noise_NKpsk2_25519_ChaChaPoly_BLAKE2s -; IK: +; - ephemeral public keys are 32 bytes +; - pre-shared-keys (PSKs) are 32 bytes +; - authentication tags (on each AEAD encrypted payload) are 16 bytes each + +; IKpsk2: ; <- s (for us, the object's static key is in the cap ref) ; ... ; -> e, es, s, ss -; <- e, ee, se +; <- e, ee, se, psk ; -; NK: +; NKpsk2: ; <- s (for us, the object's static key is in the cap ref) ; ... ; -> e, es -; <- e, ee -; -; NKpsk2, IKpsk2 +; <- e, ee, psk ; Assertion. Handshake is an ephemeral public key followed by either an encrypted public-key ; (IK) or an encrypted empty payload (NK). Connect = . -; Assertion (to initiatorSession). Handshake is an encrypted ephemeral public key. +; Assertion (to initiatorSession). Handshake is an encrypted ephemeral public key followed by a +; (differently-)encrypted PSK (which may be all zeros when no PSK is relevant). Accept = .