| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CRYPTO_P224_SPAKE_H_ | 5 #ifndef CRYPTO_P224_SPAKE_H_ |
| 6 #define CRYPTO_P224_SPAKE_H_ | 6 #define CRYPTO_P224_SPAKE_H_ |
| 7 | 7 |
| 8 #include <base/gtest_prod_util.h> |
| 8 #include <base/strings/string_piece.h> | 9 #include <base/strings/string_piece.h> |
| 9 #include <crypto/p224.h> | 10 #include <crypto/p224.h> |
| 10 #include <crypto/sha2.h> | 11 #include <crypto/sha2.h> |
| 11 | 12 |
| 12 namespace crypto { | 13 namespace crypto { |
| 13 | 14 |
| 14 // P224EncryptedKeyExchange implements SPAKE2, a variant of Encrypted | 15 // P224EncryptedKeyExchange implements SPAKE2, a variant of Encrypted |
| 15 // Key Exchange. It allows two parties that have a secret common | 16 // Key Exchange. It allows two parties that have a secret common |
| 16 // password to establish a common secure key by exchanging messages | 17 // password to establish a common secure key by exchanging messages |
| 17 // over unsecure channel without disclosing the password. | 18 // over an insecure channel without disclosing the password. |
| 18 // | 19 // |
| 19 // The password can be low entropy as authenticating with an attacker only | 20 // The password can be low entropy as authenticating with an attacker only |
| 20 // gives the attacker a one-shot password oracle. No other information about | 21 // gives the attacker a one-shot password oracle. No other information about |
| 21 // the password is leaked. (However, you must be sure to limit the number of | 22 // the password is leaked. (However, you must be sure to limit the number of |
| 22 // permitted authentication attempts otherwise they get many one-shot oracles.) | 23 // permitted authentication attempts otherwise they get many one-shot oracles.) |
| 23 // | 24 // |
| 24 // The protocol requires several RTTs (actually two, but you shouldn't assume | 25 // The protocol requires several RTTs (actually two, but you shouldn't assume |
| 25 // that.) To use the object, call GetMessage() and pass that message to the | 26 // that.) To use the object, call GetMessage() and pass that message to the |
| 26 // peer. Get a message from the peer and feed it into ProcessMessage. Then | 27 // peer. Get a message from the peer and feed it into ProcessMessage. Then |
| 27 // examine the return value of ProcessMessage: | 28 // examine the return value of ProcessMessage: |
| (...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 78 // The authentication state machine is very simple and each party proceeds | 79 // The authentication state machine is very simple and each party proceeds |
| 79 // through each of these states, in order. | 80 // through each of these states, in order. |
| 80 enum State { | 81 enum State { |
| 81 kStateInitial, | 82 kStateInitial, |
| 82 kStateRecvDH, | 83 kStateRecvDH, |
| 83 kStateSendHash, | 84 kStateSendHash, |
| 84 kStateRecvHash, | 85 kStateRecvHash, |
| 85 kStateDone, | 86 kStateDone, |
| 86 }; | 87 }; |
| 87 | 88 |
| 89 FRIEND_TEST_ALL_PREFIXES(MutualAuth, ExpectedValues); |
| 90 |
| 91 void Init(); |
| 92 |
| 93 // Sets internal random scalar. Should be used by tests only. |
| 94 void SetXForTesting(const std::string& x); |
| 95 |
| 88 State state_; | 96 State state_; |
| 89 const bool is_server_; | 97 const bool is_server_; |
| 90 // next_message_ contains a value for GetMessage() to return. | 98 // next_message_ contains a value for GetMessage() to return. |
| 91 std::string next_message_; | 99 std::string next_message_; |
| 92 std::string error_; | 100 std::string error_; |
| 93 | 101 |
| 94 // CalculateHash computes the verification hash for the given peer and writes | 102 // CalculateHash computes the verification hash for the given peer and writes |
| 95 // |kSHA256Length| bytes at |out_digest|. | 103 // |kSHA256Length| bytes at |out_digest|. |
| 96 void CalculateHash( | 104 void CalculateHash( |
| 97 PeerType peer_type, | 105 PeerType peer_type, |
| 98 const std::string& client_masked_dh, | 106 const std::string& client_masked_dh, |
| 99 const std::string& server_masked_dh, | 107 const std::string& server_masked_dh, |
| 100 const std::string& k, | 108 const std::string& k, |
| 101 uint8* out_digest); | 109 uint8* out_digest); |
| 102 | 110 |
| 103 // x_ is the secret Diffie-Hellman exponent (see paper referenced in .cc | 111 // x_ is the secret Diffie-Hellman exponent (see paper referenced in .cc |
| 104 // file). | 112 // file). |
| 105 uint8 x_[p224::kScalarBytes]; | 113 uint8 x_[p224::kScalarBytes]; |
| 106 // pw_ is SHA256(P(password), P(session))[:28] where P() prepends a uint32, | 114 // pw_ is SHA256(P(password), P(session))[:28] where P() prepends a uint32, |
| 107 // big-endian length prefix (see paper refereneced in .cc file). | 115 // big-endian length prefix (see paper referenced in .cc file). |
| 108 uint8 pw_[p224::kScalarBytes]; | 116 uint8 pw_[p224::kScalarBytes]; |
| 109 // expected_authenticator_ is used to store the hash value expected from the | 117 // expected_authenticator_ is used to store the hash value expected from the |
| 110 // other party. | 118 // other party. |
| 111 uint8 expected_authenticator_[kSHA256Length]; | 119 uint8 expected_authenticator_[kSHA256Length]; |
| 112 | 120 |
| 113 std::string key_; | 121 std::string key_; |
| 114 }; | 122 }; |
| 115 | 123 |
| 116 } // namespace crypto | 124 } // namespace crypto |
| 117 | 125 |
| 118 #endif // CRYPTO_P224_SPAKE_H_ | 126 #endif // CRYPTO_P224_SPAKE_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 787803004:
Update from https://crrev.com/307664 (Closed)
Base URL: https://github.com/domokit/mojo.git@master