| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 // This code implements SPAKE2, a variant of EKE: | |
| 6 // http://www.di.ens.fr/~pointche/pub.php?reference=AbPo04 | |
| 7 | |
| 8 #include <crypto/p224_spake.h> | |
| 9 | |
| 10 #include <algorithm> | |
| 11 | |
| 12 #include <base/logging.h> | |
| 13 #include <crypto/p224.h> | |
| 14 #include <crypto/random.h> | |
| 15 #include <crypto/secure_util.h> | |
| 16 | |
| 17 namespace { | |
| 18 | |
| 19 // The following two points (M and N in the protocol) are verifiable random | |
| 20 // points on the curve and can be generated with the following code: | |
| 21 | |
| 22 // #include <stdint.h> | |
| 23 // #include <stdio.h> | |
| 24 // #include <string.h> | |
| 25 // | |
| 26 // #include <openssl/ec.h> | |
| 27 // #include <openssl/obj_mac.h> | |
| 28 // #include <openssl/sha.h> | |
| 29 // | |
| 30 // static const char kSeed1[] = "P224 point generation seed (M)"; | |
| 31 // static const char kSeed2[] = "P224 point generation seed (N)"; | |
| 32 // | |
| 33 // void find_seed(const char* seed) { | |
| 34 // SHA256_CTX sha256; | |
| 35 // uint8_t digest[SHA256_DIGEST_LENGTH]; | |
| 36 // | |
| 37 // SHA256_Init(&sha256); | |
| 38 // SHA256_Update(&sha256, seed, strlen(seed)); | |
| 39 // SHA256_Final(digest, &sha256); | |
| 40 // | |
| 41 // BIGNUM x, y; | |
| 42 // EC_GROUP* p224 = EC_GROUP_new_by_curve_name(NID_secp224r1); | |
| 43 // EC_POINT* p = EC_POINT_new(p224); | |
| 44 // | |
| 45 // for (unsigned i = 0;; i++) { | |
| 46 // BN_init(&x); | |
| 47 // BN_bin2bn(digest, 28, &x); | |
| 48 // | |
| 49 // if (EC_POINT_set_compressed_coordinates_GFp( | |
| 50 // p224, p, &x, digest[28] & 1, NULL)) { | |
| 51 // BN_init(&y); | |
| 52 // EC_POINT_get_affine_coordinates_GFp(p224, p, &x, &y, NULL); | |
| 53 // char* x_str = BN_bn2hex(&x); | |
| 54 // char* y_str = BN_bn2hex(&y); | |
| 55 // printf("Found after %u iterations:\n%s\n%s\n", i, x_str, y_str); | |
| 56 // OPENSSL_free(x_str); | |
| 57 // OPENSSL_free(y_str); | |
| 58 // BN_free(&x); | |
| 59 // BN_free(&y); | |
| 60 // break; | |
| 61 // } | |
| 62 // | |
| 63 // SHA256_Init(&sha256); | |
| 64 // SHA256_Update(&sha256, digest, sizeof(digest)); | |
| 65 // SHA256_Final(digest, &sha256); | |
| 66 // | |
| 67 // BN_free(&x); | |
| 68 // } | |
| 69 // | |
| 70 // EC_POINT_free(p); | |
| 71 // EC_GROUP_free(p224); | |
| 72 // } | |
| 73 // | |
| 74 // int main() { | |
| 75 // find_seed(kSeed1); | |
| 76 // find_seed(kSeed2); | |
| 77 // return 0; | |
| 78 // } | |
| 79 | |
| 80 const crypto::p224::Point kM = { | |
| 81 {174237515, 77186811, 235213682, 33849492, | |
| 82 33188520, 48266885, 177021753, 81038478}, | |
| 83 {104523827, 245682244, 266509668, 236196369, | |
| 84 28372046, 145351378, 198520366, 113345994}, | |
| 85 {1, 0, 0, 0, 0, 0, 0, 0}, | |
| 86 }; | |
| 87 | |
| 88 const crypto::p224::Point kN = { | |
| 89 {136176322, 263523628, 251628795, 229292285, | |
| 90 5034302, 185981975, 171998428, 11653062}, | |
| 91 {197567436, 51226044, 60372156, 175772188, | |
| 92 42075930, 8083165, 160827401, 65097570}, | |
| 93 {1, 0, 0, 0, 0, 0, 0, 0}, | |
| 94 }; | |
| 95 | |
| 96 } // anonymous namespace | |
| 97 | |
| 98 namespace crypto { | |
| 99 | |
| 100 P224EncryptedKeyExchange::P224EncryptedKeyExchange( | |
| 101 PeerType peer_type, const base::StringPiece& password) | |
| 102 : state_(kStateInitial), | |
| 103 is_server_(peer_type == kPeerTypeServer) { | |
| 104 memset(&x_, 0, sizeof(x_)); | |
| 105 memset(&expected_authenticator_, 0, sizeof(expected_authenticator_)); | |
| 106 | |
| 107 // x_ is a random scalar. | |
| 108 RandBytes(x_, sizeof(x_)); | |
| 109 | |
| 110 // Calculate |password| hash to get SPAKE password value. | |
| 111 SHA256HashString(std::string(password.data(), password.length()), | |
| 112 pw_, sizeof(pw_)); | |
| 113 | |
| 114 Init(); | |
| 115 } | |
| 116 | |
| 117 void P224EncryptedKeyExchange::Init() { | |
| 118 // X = g**x_ | |
| 119 p224::Point X; | |
| 120 p224::ScalarBaseMult(x_, &X); | |
| 121 | |
| 122 // The client masks the Diffie-Hellman value, X, by adding M**pw and the | |
| 123 // server uses N**pw. | |
| 124 p224::Point MNpw; | |
| 125 p224::ScalarMult(is_server_ ? kN : kM, pw_, &MNpw); | |
| 126 | |
| 127 // X* = X + (N|M)**pw | |
| 128 p224::Point Xstar; | |
| 129 p224::Add(X, MNpw, &Xstar); | |
| 130 | |
| 131 next_message_ = Xstar.ToString(); | |
| 132 } | |
| 133 | |
| 134 const std::string& P224EncryptedKeyExchange::GetNextMessage() { | |
| 135 if (state_ == kStateInitial) { | |
| 136 state_ = kStateRecvDH; | |
| 137 return next_message_; | |
| 138 } else if (state_ == kStateSendHash) { | |
| 139 state_ = kStateRecvHash; | |
| 140 return next_message_; | |
| 141 } | |
| 142 | |
| 143 LOG(FATAL) << "P224EncryptedKeyExchange::GetNextMessage called in" | |
| 144 " bad state " << state_; | |
| 145 next_message_ = ""; | |
| 146 return next_message_; | |
| 147 } | |
| 148 | |
| 149 P224EncryptedKeyExchange::Result P224EncryptedKeyExchange::ProcessMessage( | |
| 150 const base::StringPiece& message) { | |
| 151 if (state_ == kStateRecvHash) { | |
| 152 // This is the final state of the protocol: we are reading the peer's | |
| 153 // authentication hash and checking that it matches the one that we expect. | |
| 154 if (message.size() != sizeof(expected_authenticator_)) { | |
| 155 error_ = "peer's hash had an incorrect size"; | |
| 156 return kResultFailed; | |
| 157 } | |
| 158 if (!SecureMemEqual(message.data(), expected_authenticator_, | |
| 159 message.size())) { | |
| 160 error_ = "peer's hash had incorrect value"; | |
| 161 return kResultFailed; | |
| 162 } | |
| 163 state_ = kStateDone; | |
| 164 return kResultSuccess; | |
| 165 } | |
| 166 | |
| 167 if (state_ != kStateRecvDH) { | |
| 168 LOG(FATAL) << "P224EncryptedKeyExchange::ProcessMessage called in" | |
| 169 " bad state " << state_; | |
| 170 error_ = "internal error"; | |
| 171 return kResultFailed; | |
| 172 } | |
| 173 | |
| 174 // Y* is the other party's masked, Diffie-Hellman value. | |
| 175 p224::Point Ystar; | |
| 176 if (!Ystar.SetFromString(message)) { | |
| 177 error_ = "failed to parse peer's masked Diffie-Hellman value"; | |
| 178 return kResultFailed; | |
| 179 } | |
| 180 | |
| 181 // We calculate the mask value: (N|M)**pw | |
| 182 p224::Point MNpw, minus_MNpw, Y, k; | |
| 183 p224::ScalarMult(is_server_ ? kM : kN, pw_, &MNpw); | |
| 184 p224::Negate(MNpw, &minus_MNpw); | |
| 185 | |
| 186 // Y = Y* - (N|M)**pw | |
| 187 p224::Add(Ystar, minus_MNpw, &Y); | |
| 188 | |
| 189 // K = Y**x_ | |
| 190 p224::ScalarMult(Y, x_, &k); | |
| 191 | |
| 192 // If everything worked out, then K is the same for both parties. | |
| 193 key_ = k.ToString(); | |
| 194 | |
| 195 std::string client_masked_dh, server_masked_dh; | |
| 196 if (is_server_) { | |
| 197 client_masked_dh = message.as_string(); | |
| 198 server_masked_dh = next_message_; | |
| 199 } else { | |
| 200 client_masked_dh = next_message_; | |
| 201 server_masked_dh = message.as_string(); | |
| 202 } | |
| 203 | |
| 204 // Now we calculate the hashes that each side will use to prove to the other | |
| 205 // that they derived the correct value for K. | |
| 206 uint8 client_hash[kSHA256Length], server_hash[kSHA256Length]; | |
| 207 CalculateHash(kPeerTypeClient, client_masked_dh, server_masked_dh, key_, | |
| 208 client_hash); | |
| 209 CalculateHash(kPeerTypeServer, client_masked_dh, server_masked_dh, key_, | |
| 210 server_hash); | |
| 211 | |
| 212 const uint8* my_hash = is_server_ ? server_hash : client_hash; | |
| 213 const uint8* their_hash = is_server_ ? client_hash : server_hash; | |
| 214 | |
| 215 next_message_ = | |
| 216 std::string(reinterpret_cast<const char*>(my_hash), kSHA256Length); | |
| 217 memcpy(expected_authenticator_, their_hash, kSHA256Length); | |
| 218 state_ = kStateSendHash; | |
| 219 return kResultPending; | |
| 220 } | |
| 221 | |
| 222 void P224EncryptedKeyExchange::CalculateHash( | |
| 223 PeerType peer_type, | |
| 224 const std::string& client_masked_dh, | |
| 225 const std::string& server_masked_dh, | |
| 226 const std::string& k, | |
| 227 uint8* out_digest) { | |
| 228 std::string hash_contents; | |
| 229 | |
| 230 if (peer_type == kPeerTypeServer) { | |
| 231 hash_contents = "server"; | |
| 232 } else { | |
| 233 hash_contents = "client"; | |
| 234 } | |
| 235 | |
| 236 hash_contents += client_masked_dh; | |
| 237 hash_contents += server_masked_dh; | |
| 238 hash_contents += | |
| 239 std::string(reinterpret_cast<const char *>(pw_), sizeof(pw_)); | |
| 240 hash_contents += k; | |
| 241 | |
| 242 SHA256HashString(hash_contents, out_digest, kSHA256Length); | |
| 243 } | |
| 244 | |
| 245 const std::string& P224EncryptedKeyExchange::error() const { | |
| 246 return error_; | |
| 247 } | |
| 248 | |
| 249 const std::string& P224EncryptedKeyExchange::GetKey() const { | |
| 250 DCHECK_EQ(state_, kStateDone); | |
| 251 return GetUnverifiedKey(); | |
| 252 } | |
| 253 | |
| 254 const std::string& P224EncryptedKeyExchange::GetUnverifiedKey() const { | |
| 255 // Key is already final when state is kStateSendHash. Subsequent states are | |
| 256 // used only for verification of the key. Some users may combine verification | |
| 257 // with sending verifiable data instead of |expected_authenticator_|. | |
| 258 DCHECK_GE(state_, kStateSendHash); | |
| 259 return key_; | |
| 260 } | |
| 261 | |
| 262 void P224EncryptedKeyExchange::SetXForTesting(const std::string& x) { | |
| 263 memset(&x_, 0, sizeof(x_)); | |
| 264 memcpy(&x_, x.data(), std::min(x.size(), sizeof(x_))); | |
| 265 Init(); | |
| 266 } | |
| 267 | |
| 268 } // namespace crypto | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 956613002:
Reland "Cut down /crypto and switch what is left of it to boringssl". (Closed)
Base URL: git@github.com:domokit/mojo.git@master