Freed RNS from dependency on PyCA HMAC, HKDF and hashes

RNS/Identity.py

@@ -34,10 +34,8 @@ from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
 from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
-from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from cryptography.fernet import Fernet
 
-cio_default_backend = default_backend()
 
 class Identity:
     """
@@ -159,10 +157,7 @@ class Identity:
         :param data: Data to be hashed as *bytes*.
         :returns: SHA-256 hash as *bytes*
         """
-        digest = hashlib.sha256()
-        digest.update(data)
-
-        return digest.digest()
+        return RNS.Cryptography.sha256(data)
 
     @staticmethod
     def truncated_hash(data):
@@ -429,14 +424,12 @@ class Identity:
 
             shared_key = ephemeral_key.exchange(self.pub)
             
-            # TODO: Improve this re-allocation of HKDF
-            derived_key = HKDF(
-                algorithm=hashes.SHA256(),
+            derived_key = RNS.Cryptography.hkdf(
                 length=32,
+                derive_from=shared_key,
                 salt=self.get_salt(),
-                info=self.get_context(),
-                backend=cio_default_backend,
-            ).derive(shared_key)
+                context=self.get_context(),
+            )
 
             fernet = Fernet(base64.urlsafe_b64encode(derived_key))
             ciphertext = base64.urlsafe_b64decode(fernet.encrypt(plaintext))
@@ -464,14 +457,12 @@ class Identity:
 
                     shared_key = self.prv.exchange(peer_pub)
 
-                    # TODO: Improve this re-allocation of HKDF
-                    derived_key = HKDF(
-                        algorithm=hashes.SHA256(),
+                    derived_key = RNS.Cryptography.hkdf(
                         length=32,
+                        derive_from=shared_key,
                         salt=self.get_salt(),
-                        info=self.get_context(),
-                        backend=cio_default_backend,
-                    ).derive(shared_key)
+                        context=self.get_context(),
+                    )
 
                     fernet = Fernet(base64.urlsafe_b64encode(derived_key))
                     ciphertext = ciphertext_token[Identity.KEYSIZE//8//2:]

RNS/Link.py

@@ -25,7 +25,6 @@ from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
 from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
-from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from cryptography.fernet import Fernet
 from time import sleep
 from .vendor import umsgpack as umsgpack
@@ -35,9 +34,6 @@ import math
 import time
 import RNS
 
-import traceback
-
-cio_default_backend = default_backend()
 
 class LinkCallbacks:
     def __init__(self):
@@ -239,14 +235,13 @@ class Link:
         self.status = Link.HANDSHAKE
         self.shared_key = self.prv.exchange(self.peer_pub)
 
-        # TODO: Improve this re-allocation of HKDF
-        self.derived_key = HKDF(
-            algorithm=hashes.SHA256(),
+        self.derived_key = RNS.Cryptography.hkdf(
             length=32,
+            derive_from=self.shared_key,
             salt=self.get_salt(),
-            info=self.get_context(),
-            backend=cio_default_backend,
-        ).derive(self.shared_key)
+            context=self.get_context(),
+        )
+
 
     def prove(self):
         signed_data = self.link_id+self.pub_bytes+self.sig_pub_bytes
@@ -822,9 +817,6 @@ class Link:
             return plaintext
         except Exception as e:
             RNS.log("Decryption failed on link "+str(self)+". The contained exception was: "+str(e), RNS.LOG_ERROR)
-            # RNS.log(traceback.format_exc(), RNS.LOG_ERROR)
-            # TODO: Think long about implications here
-            # self.teardown()
 
 
     def sign(self, message):

RNS/Reticulum.py

@@ -21,11 +21,6 @@
 # SOFTWARE.
 
 from .vendor.platformutils import get_platform
-from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.kdf.hkdf import HKDF
-from cryptography.hazmat.backends import default_backend
-
-cio_default_backend = default_backend()
 
 if get_platform() == "android":
     from .Interfaces import Interface
@@ -840,13 +835,12 @@ class Reticulum:
                                         ifac_origin += RNS.Identity.full_hash(interface.ifac_netkey.encode("utf-8"))
 
                                     ifac_origin_hash = RNS.Identity.full_hash(ifac_origin)
-                                    interface.ifac_key = HKDF(
-                                        algorithm=hashes.SHA256(),
+                                    interface.ifac_key = RNS.Cryptography.hkdf(
                                         length=64,
+                                        derive_from=ifac_origin_hash,
                                         salt=self.ifac_salt,
-                                        info=None,
-                                        backend=cio_default_backend,
-                                    ).derive(ifac_origin_hash)
+                                        context=None
+                                    )
 
                                     interface.ifac_identity = RNS.Identity.from_bytes(interface.ifac_key)
                                     interface.ifac_signature = interface.ifac_identity.sign(RNS.Identity.full_hash(interface.ifac_key))

RNS/__init__.py

@@ -37,6 +37,8 @@ from .Destination import Destination
 from .Packet import Packet
 from .Packet import PacketReceipt
 from .Resource import Resource, ResourceAdvertisement
+from .Cryptography import HKDF
+from .Cryptography import Hashes
 
 modules = glob.glob(os.path.dirname(__file__)+"/*.py")
 __all__ = [ os.path.basename(f)[:-3] for f in modules if not f.endswith('__init__.py')]