OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "remoting/protocol/spake2_authenticator.h" | |
6 | |
7 #include <utility> | |
8 | |
9 #include "base/base64.h" | |
10 #include "base/logging.h" | |
11 #include "crypto/hmac.h" | |
12 #include "crypto/secure_util.h" | |
13 #include "remoting/base/constants.h" | |
14 #include "remoting/base/rsa_key_pair.h" | |
15 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" | |
16 #include "third_party/boringssl/src/include/openssl/curve25519.h" | |
17 #include "third_party/webrtc/libjingle/xmllite/xmlelement.h" | |
18 | |
19 namespace remoting { | |
20 namespace protocol { | |
21 | |
22 namespace { | |
23 | |
24 // Each peer sends 2 messages: <spake-message> and <verification-hash>. The | |
25 // content of <spake-message> is the output of SPAKE2_generate_msg() and must | |
26 // be passed to SPAKE2_process_msg() on the other end. This is enough to | |
27 // generate authentication key. <verification-hash> is sent to confirm that both | |
28 // ends get the same authentication key (which means they both know the | |
29 // password). This verification hash is calculated in | |
30 // CalculateVerificationHash() as follows: | |
31 // HMAC_SHA256(auth_key, "host"|"client" + local_jid + " " + remote_jid) | |
32 // where auth_key is the key produced by SPAKE2. | |
33 | |
34 const buzz::StaticQName kSpakeMessageTag = {kChromotingXmlNamespace, | |
35 "spake-message"}; | |
36 const buzz::StaticQName kVerificationHashTag = {kChromotingXmlNamespace, | |
37 "verification-hash"}; | |
38 const buzz::StaticQName kCertificateTag = {kChromotingXmlNamespace, | |
39 "certificate"}; | |
40 | |
41 scoped_ptr<buzz::XmlElement> EncodeBinaryValueToXml( | |
42 const buzz::StaticQName& qname, | |
43 const std::string& content) { | |
44 std::string content_base64; | |
45 base::Base64Encode(content, &content_base64); | |
46 | |
47 scoped_ptr<buzz::XmlElement> result(new buzz::XmlElement(qname)); | |
48 result->SetBodyText(content_base64); | |
49 return result; | |
50 } | |
51 | |
52 // Finds tag named |qname| in base_message and decodes it from base64 and stores | |
53 // in |data|. If the element is not present then found is set to false otherwise | |
54 // it's set to true. If the element is there and it's content cound't be decoded | |
55 // then false is returned. | |
56 bool DecodeBinaryValueFromXml(const buzz::XmlElement* message, | |
57 const buzz::QName& qname, | |
58 bool* found, | |
59 std::string* data) { | |
60 const buzz::XmlElement* element = message->FirstNamed(qname); | |
61 *found = element != nullptr; | |
62 if (!*found) | |
63 return true; | |
64 | |
65 if (!base::Base64Decode(element->BodyText(), data)) { | |
66 LOG(WARNING) << "Failed to parse " << qname.LocalPart(); | |
67 return false; | |
68 } | |
69 | |
70 return !data->empty(); | |
71 } | |
72 | |
73 } // namespace | |
74 | |
75 // static | |
76 scoped_ptr<Authenticator> Spake2Authenticator::CreateForClient( | |
77 const std::string& local_id, | |
78 const std::string& remote_id, | |
79 const std::string& shared_secret, | |
80 Authenticator::State initial_state) { | |
81 return make_scoped_ptr(new Spake2Authenticator( | |
82 local_id, remote_id, shared_secret, false, initial_state)); | |
83 } | |
84 | |
85 // static | |
86 scoped_ptr<Authenticator> Spake2Authenticator::CreateForHost( | |
87 const std::string& local_id, | |
88 const std::string& remote_id, | |
89 const std::string& shared_secret, | |
90 const std::string& local_cert, | |
91 scoped_refptr<RsaKeyPair> key_pair, | |
92 Authenticator::State initial_state) { | |
93 scoped_ptr<Spake2Authenticator> result(new Spake2Authenticator( | |
94 local_id, remote_id, shared_secret, true, initial_state)); | |
95 result->local_cert_ = local_cert; | |
96 result->local_key_pair_ = key_pair; | |
97 return std::move(result); | |
98 } | |
99 | |
100 Spake2Authenticator::Spake2Authenticator(const std::string& local_id, | |
101 const std::string& remote_id, | |
102 const std::string& shared_secret, | |
103 bool is_host, | |
104 Authenticator::State initial_state) | |
105 : local_id_(local_id), | |
106 remote_id_(remote_id), | |
107 shared_secret_(shared_secret), | |
108 is_host_(is_host), | |
109 state_(initial_state) { | |
110 spake2_context_ = SPAKE2_CTX_new( | |
111 is_host ? spake2_role_bob : spake2_role_alice, | |
112 reinterpret_cast<const uint8_t*>(local_id_.data()), local_id_.size(), | |
113 reinterpret_cast<const uint8_t*>(remote_id_.data()), remote_id_.size()); | |
114 | |
115 // Generate first message and push it to |pending_messages_|. | |
116 uint8_t message[SPAKE2_MAX_MSG_SIZE]; | |
117 size_t message_size; | |
118 bool result = SPAKE2_generate_msg( | |
119 spake2_context_, message, &message_size, sizeof(message), | |
120 reinterpret_cast<const uint8_t*>(shared_secret_.data()), | |
121 shared_secret_.size()); | |
122 CHECK(result); | |
123 local_spake_message_.assign(reinterpret_cast<char*>(message), message_size); | |
124 } | |
125 | |
126 Spake2Authenticator::~Spake2Authenticator() { | |
127 SPAKE2_CTX_free(spake2_context_); | |
128 } | |
129 | |
130 Authenticator::State Spake2Authenticator::state() const { | |
131 if (state_ == ACCEPTED && !outgoing_verification_hash_.empty()) | |
132 return MESSAGE_READY; | |
133 return state_; | |
134 } | |
135 | |
136 bool Spake2Authenticator::started() const { | |
137 return started_; | |
138 } | |
139 | |
140 Authenticator::RejectionReason Spake2Authenticator::rejection_reason() const { | |
141 DCHECK_EQ(state(), REJECTED); | |
142 return rejection_reason_; | |
143 } | |
144 | |
145 void Spake2Authenticator::ProcessMessage(const buzz::XmlElement* message, | |
146 const base::Closure& resume_callback) { | |
147 ProcessMessageInternal(message); | |
148 resume_callback.Run(); | |
149 } | |
150 | |
151 void Spake2Authenticator::ProcessMessageInternal( | |
152 const buzz::XmlElement* message) { | |
153 DCHECK_EQ(state(), WAITING_MESSAGE); | |
154 | |
155 // Parse the certificate. | |
156 bool cert_present; | |
157 if (!DecodeBinaryValueFromXml(message, kCertificateTag, &cert_present, | |
158 &remote_cert_)) { | |
159 state_ = REJECTED; | |
160 rejection_reason_ = PROTOCOL_ERROR; | |
161 return; | |
162 } | |
163 | |
164 // Client always expects certificate in the first message. | |
165 if (!is_host_ && remote_cert_.empty()) { | |
166 LOG(WARNING) << "No valid host certificate."; | |
167 state_ = REJECTED; | |
168 rejection_reason_ = PROTOCOL_ERROR; | |
169 return; | |
170 } | |
171 | |
172 bool spake_message_present = false; | |
173 std::string spake_message; | |
174 bool verification_hash_present = false; | |
175 std::string verification_hash; | |
176 if (!DecodeBinaryValueFromXml(message, kSpakeMessageTag, | |
177 &spake_message_present, &spake_message) || | |
178 !DecodeBinaryValueFromXml(message, kVerificationHashTag, | |
179 &verification_hash_present, | |
180 &verification_hash)) { | |
181 state_ = REJECTED; | |
182 rejection_reason_ = PROTOCOL_ERROR; | |
183 return; | |
184 } | |
185 | |
186 // |auth_key_| is generated when <spake-message> is received. | |
187 if (auth_key_.empty()) { | |
188 if (!spake_message_present) { | |
189 LOG(WARNING) << "<spake-message> not found."; | |
190 state_ = REJECTED; | |
191 rejection_reason_ = PROTOCOL_ERROR; | |
192 return; | |
193 } | |
194 uint8_t key[SPAKE2_MAX_KEY_SIZE]; | |
195 size_t key_size; | |
196 started_ = true; | |
197 bool result = SPAKE2_process_msg( | |
198 spake2_context_, key, &key_size, sizeof(key), | |
199 reinterpret_cast<const uint8_t*>(spake_message.data()), | |
200 spake_message.size()); | |
201 if (!result) { | |
202 state_ = REJECTED; | |
203 rejection_reason_ = INVALID_CREDENTIALS; | |
204 return; | |
205 } | |
206 CHECK(key_size); | |
207 auth_key_.assign(reinterpret_cast<char*>(key), key_size); | |
208 | |
209 outgoing_verification_hash_ = | |
210 CalculateVerificationHash(is_host_, local_id_, remote_id_); | |
211 expected_verification_hash_ = | |
212 CalculateVerificationHash(!is_host_, remote_id_, local_id_); | |
213 } else if (spake_message_present) { | |
214 LOG(WARNING) << "Received duplicate <spake-message>."; | |
215 state_ = REJECTED; | |
216 rejection_reason_ = PROTOCOL_ERROR; | |
217 return; | |
218 } | |
219 | |
220 if (spake_message_sent_ && !verification_hash_present) { | |
221 LOG(WARNING) << "Didn't receive <verification-hash> when expected."; | |
222 state_ = REJECTED; | |
223 rejection_reason_ = PROTOCOL_ERROR; | |
224 return; | |
225 } | |
226 | |
227 if (verification_hash_present) { | |
228 if (verification_hash.size() != expected_verification_hash_.size() || | |
229 !crypto::SecureMemEqual(verification_hash.data(), | |
230 expected_verification_hash_.data(), | |
231 verification_hash.size())) { | |
232 state_ = REJECTED; | |
233 rejection_reason_ = INVALID_CREDENTIALS; | |
234 return; | |
235 } | |
236 state_ = ACCEPTED; | |
237 return; | |
238 } | |
239 | |
240 state_ = MESSAGE_READY; | |
241 } | |
242 | |
243 scoped_ptr<buzz::XmlElement> Spake2Authenticator::GetNextMessage() { | |
244 DCHECK_EQ(state(), MESSAGE_READY); | |
245 | |
246 scoped_ptr<buzz::XmlElement> message = CreateEmptyAuthenticatorMessage(); | |
247 | |
248 if (!spake_message_sent_) { | |
249 if (!local_cert_.empty()) { | |
250 message->AddElement( | |
251 EncodeBinaryValueToXml(kCertificateTag, local_cert_).release()); | |
252 } | |
253 | |
254 message->AddElement( | |
255 EncodeBinaryValueToXml(kSpakeMessageTag, local_spake_message_) | |
256 .release()); | |
257 | |
258 spake_message_sent_ = true; | |
259 } | |
260 | |
261 if (!outgoing_verification_hash_.empty()) { | |
262 message->AddElement(EncodeBinaryValueToXml(kVerificationHashTag, | |
263 outgoing_verification_hash_) | |
264 .release()); | |
265 outgoing_verification_hash_.clear(); | |
266 } | |
267 | |
268 if (state_ != ACCEPTED) { | |
269 state_ = WAITING_MESSAGE; | |
270 } | |
271 return message; | |
272 } | |
273 | |
274 const std::string& Spake2Authenticator::GetAuthKey() const { | |
275 return auth_key_; | |
276 } | |
277 | |
278 scoped_ptr<ChannelAuthenticator> | |
279 Spake2Authenticator::CreateChannelAuthenticator() const { | |
280 DCHECK_EQ(state(), ACCEPTED); | |
281 CHECK(!auth_key_.empty()); | |
282 | |
283 if (is_host_) { | |
284 return SslHmacChannelAuthenticator::CreateForHost( | |
285 local_cert_, local_key_pair_, auth_key_); | |
286 } else { | |
287 return SslHmacChannelAuthenticator::CreateForClient(remote_cert_, | |
288 auth_key_); | |
289 } | |
290 } | |
291 | |
292 std::string Spake2Authenticator::CalculateVerificationHash( | |
293 bool from_host, | |
294 const std::string& local_id, | |
295 const std::string& remote_id) { | |
296 crypto::HMAC hmac(crypto::HMAC::SHA256); | |
297 std::string result(hmac.DigestLength(), '\0'); | |
298 if (!hmac.Init(auth_key_) || | |
299 !hmac.Sign((from_host ? "host" : "client") + local_id + " " + remote_id, | |
Arnar Birgisson
2016/03/07 23:58:09
This must assume local_id and remote_id are either
Sergey Ulanov
2016/03/08 01:53:44
Done.
| |
300 reinterpret_cast<uint8_t*>(&result[0]), result.length())) { | |
301 LOG(FATAL) << "Failed to calculate HMAC."; | |
302 } | |
303 return result; | |
Arnar Birgisson
2016/03/07 23:58:09
This verification hash should sign over the server
Sergey Ulanov
2016/03/08 01:53:44
The auth_key_ generated by spake is passed to SslH
| |
304 } | |
305 | |
306 } // namespace protocol | |
307 } // namespace remoting | |
OLD | NEW |