OLD | NEW |
| (Empty) |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "remoting/protocol/spake2_authenticator.h" | |
6 | |
7 #include <utility> | |
8 | |
9 #include "base/base64.h" | |
10 #include "base/logging.h" | |
11 #include "base/sys_byteorder.h" | |
12 #include "crypto/hmac.h" | |
13 #include "crypto/secure_util.h" | |
14 #include "remoting/base/constants.h" | |
15 #include "remoting/base/rsa_key_pair.h" | |
16 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" | |
17 #include "third_party/boringssl/src/include/openssl/curve25519.h" | |
18 #include "third_party/webrtc/libjingle/xmllite/xmlelement.h" | |
19 | |
20 namespace remoting { | |
21 namespace protocol { | |
22 | |
23 namespace { | |
24 | |
25 // Each peer sends 2 messages: <spake-message> and <verification-hash>. The | |
26 // content of <spake-message> is the output of SPAKE2_generate_msg() and must | |
27 // be passed to SPAKE2_process_msg() on the other end. This is enough to | |
28 // generate authentication key. <verification-hash> is sent to confirm that both | |
29 // ends get the same authentication key (which means they both know the | |
30 // password). This verification hash is calculated in | |
31 // CalculateVerificationHash() as follows: | |
32 // HMAC_SHA256(auth_key, ("host"|"client") + local_jid.length() + local_jid + | |
33 // remote_jid.length() + remote_jid) | |
34 // where auth_key is the key produced by SPAKE2. | |
35 | |
36 const buzz::StaticQName kSpakeMessageTag = {kChromotingXmlNamespace, | |
37 "spake-message"}; | |
38 const buzz::StaticQName kVerificationHashTag = {kChromotingXmlNamespace, | |
39 "verification-hash"}; | |
40 const buzz::StaticQName kCertificateTag = {kChromotingXmlNamespace, | |
41 "certificate"}; | |
42 | |
43 scoped_ptr<buzz::XmlElement> EncodeBinaryValueToXml( | |
44 const buzz::StaticQName& qname, | |
45 const std::string& content) { | |
46 std::string content_base64; | |
47 base::Base64Encode(content, &content_base64); | |
48 | |
49 scoped_ptr<buzz::XmlElement> result(new buzz::XmlElement(qname)); | |
50 result->SetBodyText(content_base64); | |
51 return result; | |
52 } | |
53 | |
54 // Finds tag named |qname| in base_message and decodes it from base64 and stores | |
55 // in |data|. If the element is not present then found is set to false otherwise | |
56 // it's set to true. If the element is there and it's content cound't be decoded | |
57 // then false is returned. | |
58 bool DecodeBinaryValueFromXml(const buzz::XmlElement* message, | |
59 const buzz::QName& qname, | |
60 bool* found, | |
61 std::string* data) { | |
62 const buzz::XmlElement* element = message->FirstNamed(qname); | |
63 *found = element != nullptr; | |
64 if (!*found) | |
65 return true; | |
66 | |
67 if (!base::Base64Decode(element->BodyText(), data)) { | |
68 LOG(WARNING) << "Failed to parse " << qname.LocalPart(); | |
69 return false; | |
70 } | |
71 | |
72 return !data->empty(); | |
73 } | |
74 | |
75 std::string PrefixWithLength(const std::string& str) { | |
76 uint32_t length = base::HostToNet32(str.size()); | |
77 return std::string(reinterpret_cast<char*>(&length), sizeof(length)) + str; | |
78 } | |
79 | |
80 } // namespace | |
81 | |
82 // static | |
83 scoped_ptr<Authenticator> Spake2Authenticator::CreateForClient( | |
84 const std::string& local_id, | |
85 const std::string& remote_id, | |
86 const std::string& shared_secret, | |
87 Authenticator::State initial_state) { | |
88 return make_scoped_ptr(new Spake2Authenticator( | |
89 local_id, remote_id, shared_secret, false, initial_state)); | |
90 } | |
91 | |
92 // static | |
93 scoped_ptr<Authenticator> Spake2Authenticator::CreateForHost( | |
94 const std::string& local_id, | |
95 const std::string& remote_id, | |
96 const std::string& shared_secret, | |
97 const std::string& local_cert, | |
98 scoped_refptr<RsaKeyPair> key_pair, | |
99 Authenticator::State initial_state) { | |
100 scoped_ptr<Spake2Authenticator> result(new Spake2Authenticator( | |
101 local_id, remote_id, shared_secret, true, initial_state)); | |
102 result->local_cert_ = local_cert; | |
103 result->local_key_pair_ = key_pair; | |
104 return std::move(result); | |
105 } | |
106 | |
107 Spake2Authenticator::Spake2Authenticator(const std::string& local_id, | |
108 const std::string& remote_id, | |
109 const std::string& shared_secret, | |
110 bool is_host, | |
111 Authenticator::State initial_state) | |
112 : local_id_(local_id), | |
113 remote_id_(remote_id), | |
114 shared_secret_(shared_secret), | |
115 is_host_(is_host), | |
116 state_(initial_state) { | |
117 spake2_context_ = SPAKE2_CTX_new( | |
118 is_host ? spake2_role_bob : spake2_role_alice, | |
119 reinterpret_cast<const uint8_t*>(local_id_.data()), local_id_.size(), | |
120 reinterpret_cast<const uint8_t*>(remote_id_.data()), remote_id_.size()); | |
121 | |
122 // Generate first message and push it to |pending_messages_|. | |
123 uint8_t message[SPAKE2_MAX_MSG_SIZE]; | |
124 size_t message_size; | |
125 int result = SPAKE2_generate_msg( | |
126 spake2_context_, message, &message_size, sizeof(message), | |
127 reinterpret_cast<const uint8_t*>(shared_secret_.data()), | |
128 shared_secret_.size()); | |
129 CHECK(result); | |
130 local_spake_message_.assign(reinterpret_cast<char*>(message), message_size); | |
131 } | |
132 | |
133 Spake2Authenticator::~Spake2Authenticator() { | |
134 SPAKE2_CTX_free(spake2_context_); | |
135 } | |
136 | |
137 Authenticator::State Spake2Authenticator::state() const { | |
138 if (state_ == ACCEPTED && !outgoing_verification_hash_.empty()) | |
139 return MESSAGE_READY; | |
140 return state_; | |
141 } | |
142 | |
143 bool Spake2Authenticator::started() const { | |
144 return started_; | |
145 } | |
146 | |
147 Authenticator::RejectionReason Spake2Authenticator::rejection_reason() const { | |
148 DCHECK_EQ(state(), REJECTED); | |
149 return rejection_reason_; | |
150 } | |
151 | |
152 void Spake2Authenticator::ProcessMessage(const buzz::XmlElement* message, | |
153 const base::Closure& resume_callback) { | |
154 ProcessMessageInternal(message); | |
155 resume_callback.Run(); | |
156 } | |
157 | |
158 void Spake2Authenticator::ProcessMessageInternal( | |
159 const buzz::XmlElement* message) { | |
160 DCHECK_EQ(state(), WAITING_MESSAGE); | |
161 | |
162 // Parse the certificate. | |
163 bool cert_present; | |
164 if (!DecodeBinaryValueFromXml(message, kCertificateTag, &cert_present, | |
165 &remote_cert_)) { | |
166 state_ = REJECTED; | |
167 rejection_reason_ = PROTOCOL_ERROR; | |
168 return; | |
169 } | |
170 | |
171 // Client always expects certificate in the first message. | |
172 if (!is_host_ && remote_cert_.empty()) { | |
173 LOG(WARNING) << "No valid host certificate."; | |
174 state_ = REJECTED; | |
175 rejection_reason_ = PROTOCOL_ERROR; | |
176 return; | |
177 } | |
178 | |
179 bool spake_message_present = false; | |
180 std::string spake_message; | |
181 bool verification_hash_present = false; | |
182 std::string verification_hash; | |
183 if (!DecodeBinaryValueFromXml(message, kSpakeMessageTag, | |
184 &spake_message_present, &spake_message) || | |
185 !DecodeBinaryValueFromXml(message, kVerificationHashTag, | |
186 &verification_hash_present, | |
187 &verification_hash)) { | |
188 state_ = REJECTED; | |
189 rejection_reason_ = PROTOCOL_ERROR; | |
190 return; | |
191 } | |
192 | |
193 // |auth_key_| is generated when <spake-message> is received. | |
194 if (auth_key_.empty()) { | |
195 if (!spake_message_present) { | |
196 LOG(WARNING) << "<spake-message> not found."; | |
197 state_ = REJECTED; | |
198 rejection_reason_ = PROTOCOL_ERROR; | |
199 return; | |
200 } | |
201 uint8_t key[SPAKE2_MAX_KEY_SIZE]; | |
202 size_t key_size; | |
203 started_ = true; | |
204 int result = SPAKE2_process_msg( | |
205 spake2_context_, key, &key_size, sizeof(key), | |
206 reinterpret_cast<const uint8_t*>(spake_message.data()), | |
207 spake_message.size()); | |
208 if (!result) { | |
209 state_ = REJECTED; | |
210 rejection_reason_ = INVALID_CREDENTIALS; | |
211 return; | |
212 } | |
213 CHECK(key_size); | |
214 auth_key_.assign(reinterpret_cast<char*>(key), key_size); | |
215 | |
216 outgoing_verification_hash_ = | |
217 CalculateVerificationHash(is_host_, local_id_, remote_id_); | |
218 expected_verification_hash_ = | |
219 CalculateVerificationHash(!is_host_, remote_id_, local_id_); | |
220 } else if (spake_message_present) { | |
221 LOG(WARNING) << "Received duplicate <spake-message>."; | |
222 state_ = REJECTED; | |
223 rejection_reason_ = PROTOCOL_ERROR; | |
224 return; | |
225 } | |
226 | |
227 if (spake_message_sent_ && !verification_hash_present) { | |
228 LOG(WARNING) << "Didn't receive <verification-hash> when expected."; | |
229 state_ = REJECTED; | |
230 rejection_reason_ = PROTOCOL_ERROR; | |
231 return; | |
232 } | |
233 | |
234 if (verification_hash_present) { | |
235 if (verification_hash.size() != expected_verification_hash_.size() || | |
236 !crypto::SecureMemEqual(verification_hash.data(), | |
237 expected_verification_hash_.data(), | |
238 verification_hash.size())) { | |
239 state_ = REJECTED; | |
240 rejection_reason_ = INVALID_CREDENTIALS; | |
241 return; | |
242 } | |
243 state_ = ACCEPTED; | |
244 return; | |
245 } | |
246 | |
247 state_ = MESSAGE_READY; | |
248 } | |
249 | |
250 scoped_ptr<buzz::XmlElement> Spake2Authenticator::GetNextMessage() { | |
251 DCHECK_EQ(state(), MESSAGE_READY); | |
252 | |
253 scoped_ptr<buzz::XmlElement> message = CreateEmptyAuthenticatorMessage(); | |
254 | |
255 if (!spake_message_sent_) { | |
256 if (!local_cert_.empty()) { | |
257 message->AddElement( | |
258 EncodeBinaryValueToXml(kCertificateTag, local_cert_).release()); | |
259 } | |
260 | |
261 message->AddElement( | |
262 EncodeBinaryValueToXml(kSpakeMessageTag, local_spake_message_) | |
263 .release()); | |
264 | |
265 spake_message_sent_ = true; | |
266 } | |
267 | |
268 if (!outgoing_verification_hash_.empty()) { | |
269 message->AddElement(EncodeBinaryValueToXml(kVerificationHashTag, | |
270 outgoing_verification_hash_) | |
271 .release()); | |
272 outgoing_verification_hash_.clear(); | |
273 } | |
274 | |
275 if (state_ != ACCEPTED) { | |
276 state_ = WAITING_MESSAGE; | |
277 } | |
278 return message; | |
279 } | |
280 | |
281 const std::string& Spake2Authenticator::GetAuthKey() const { | |
282 return auth_key_; | |
283 } | |
284 | |
285 scoped_ptr<ChannelAuthenticator> | |
286 Spake2Authenticator::CreateChannelAuthenticator() const { | |
287 DCHECK_EQ(state(), ACCEPTED); | |
288 CHECK(!auth_key_.empty()); | |
289 | |
290 if (is_host_) { | |
291 return SslHmacChannelAuthenticator::CreateForHost( | |
292 local_cert_, local_key_pair_, auth_key_); | |
293 } else { | |
294 return SslHmacChannelAuthenticator::CreateForClient(remote_cert_, | |
295 auth_key_); | |
296 } | |
297 } | |
298 | |
299 std::string Spake2Authenticator::CalculateVerificationHash( | |
300 bool from_host, | |
301 const std::string& local_id, | |
302 const std::string& remote_id) { | |
303 std::string message = (from_host ? "host" : "client") + | |
304 PrefixWithLength(local_id) + | |
305 PrefixWithLength(remote_id); | |
306 crypto::HMAC hmac(crypto::HMAC::SHA256); | |
307 std::string result(hmac.DigestLength(), '\0'); | |
308 if (!hmac.Init(auth_key_) || | |
309 !hmac.Sign(message, reinterpret_cast<uint8_t*>(&result[0]), | |
310 result.length())) { | |
311 LOG(FATAL) << "Failed to calculate HMAC."; | |
312 } | |
313 return result; | |
314 } | |
315 | |
316 } // namespace protocol | |
317 } // namespace remoting | |
OLD | NEW |