Calculate and verify signature and MAC for Introduction ACKs

Before the introducee sends her ACK,
she derives a master key from the ephemeral shared secret as before.

Two nonces and a MAC key are then derived from the master key.
The local introducee signs one of the nonces and calculates a MAC
over her own identity public key, ephemeral public key,
transport properties and timestamp.
The local introducee includes the signature and MAC in her ACK.

On receiving the remote introducee's ACK,
the local introducee verifies the signature and MAC.
Should the verification fail, an ABORT is sent to the introducer and
the remote introducee that was added as inactive is deleted again.

briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java

@@ -87,6 +87,9 @@ class CryptoComponentImpl implements CryptoComponent {
 	// KDF labels for header key derivation
 	private static final byte[] A_HEADER = ascii("ALICE_HEADER_KEY");
 	private static final byte[] B_HEADER = ascii("BOB_HEADER_KEY");
+	// KDF labels for MAC key derivation
+	private static final byte[] A_MAC = ascii("ALICE_MAC_KEY");
+	private static final byte[] B_MAC = ascii("BOB_MAC_KEY");
 	// KDF label for key rotation
 	private static final byte[] ROTATE = ascii("ROTATE");
 
@@ -233,6 +236,11 @@ class CryptoComponentImpl implements CryptoComponent {
 		return new SecretKey(macKdf(master, alice ? A_INVITE : B_INVITE));
 	}
 
+	@Override
+	public SecretKey deriveMacKey(SecretKey master, boolean alice) {
+		return new SecretKey(macKdf(master, alice ? A_MAC : B_MAC));
+	}
+
 	@Override
 	public byte[] deriveSignatureNonce(SecretKey master,
 			boolean alice) {