Torne (Richard Coles) | 5821806 | 2012-11-14 11:43:16 +0000 | [diff] [blame] | 1 | // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | // This code implements SPAKE2, a variant of EKE: |
| 6 | // http://www.di.ens.fr/~pointche/pub.php?reference=AbPo04 |
| 7 | |
| 8 | #include <crypto/p224_spake.h> |
| 9 | |
| 10 | #include <base/logging.h> |
| 11 | #include <crypto/p224.h> |
| 12 | #include <crypto/random.h> |
| 13 | #include <crypto/secure_util.h> |
| 14 | |
| 15 | namespace { |
| 16 | |
| 17 | // The following two points (M and N in the protocol) are verifiable random |
| 18 | // points on the curve and can be generated with the following code: |
| 19 | |
| 20 | // #include <stdint.h> |
| 21 | // #include <stdio.h> |
| 22 | // #include <string.h> |
| 23 | // |
| 24 | // #include <openssl/ec.h> |
| 25 | // #include <openssl/obj_mac.h> |
| 26 | // #include <openssl/sha.h> |
| 27 | // |
| 28 | // static const char kSeed1[] = "P224 point generation seed (M)"; |
| 29 | // static const char kSeed2[] = "P224 point generation seed (N)"; |
| 30 | // |
| 31 | // void find_seed(const char* seed) { |
| 32 | // SHA256_CTX sha256; |
| 33 | // uint8_t digest[SHA256_DIGEST_LENGTH]; |
| 34 | // |
| 35 | // SHA256_Init(&sha256); |
| 36 | // SHA256_Update(&sha256, seed, strlen(seed)); |
| 37 | // SHA256_Final(digest, &sha256); |
| 38 | // |
| 39 | // BIGNUM x, y; |
| 40 | // EC_GROUP* p224 = EC_GROUP_new_by_curve_name(NID_secp224r1); |
| 41 | // EC_POINT* p = EC_POINT_new(p224); |
| 42 | // |
| 43 | // for (unsigned i = 0;; i++) { |
| 44 | // BN_init(&x); |
| 45 | // BN_bin2bn(digest, 28, &x); |
| 46 | // |
| 47 | // if (EC_POINT_set_compressed_coordinates_GFp( |
| 48 | // p224, p, &x, digest[28] & 1, NULL)) { |
| 49 | // BN_init(&y); |
| 50 | // EC_POINT_get_affine_coordinates_GFp(p224, p, &x, &y, NULL); |
| 51 | // char* x_str = BN_bn2hex(&x); |
| 52 | // char* y_str = BN_bn2hex(&y); |
| 53 | // printf("Found after %u iterations:\n%s\n%s\n", i, x_str, y_str); |
| 54 | // OPENSSL_free(x_str); |
| 55 | // OPENSSL_free(y_str); |
| 56 | // BN_free(&x); |
| 57 | // BN_free(&y); |
| 58 | // break; |
| 59 | // } |
| 60 | // |
| 61 | // SHA256_Init(&sha256); |
| 62 | // SHA256_Update(&sha256, digest, sizeof(digest)); |
| 63 | // SHA256_Final(digest, &sha256); |
| 64 | // |
| 65 | // BN_free(&x); |
| 66 | // } |
| 67 | // |
| 68 | // EC_POINT_free(p); |
| 69 | // EC_GROUP_free(p224); |
| 70 | // } |
| 71 | // |
| 72 | // int main() { |
| 73 | // find_seed(kSeed1); |
| 74 | // find_seed(kSeed2); |
| 75 | // return 0; |
| 76 | // } |
| 77 | |
| 78 | const crypto::p224::Point kM = { |
| 79 | {174237515, 77186811, 235213682, 33849492, |
| 80 | 33188520, 48266885, 177021753, 81038478}, |
| 81 | {104523827, 245682244, 266509668, 236196369, |
| 82 | 28372046, 145351378, 198520366, 113345994}, |
| 83 | {1, 0, 0, 0, 0, 0, 0}, |
| 84 | }; |
| 85 | |
| 86 | const crypto::p224::Point kN = { |
| 87 | {136176322, 263523628, 251628795, 229292285, |
| 88 | 5034302, 185981975, 171998428, 11653062}, |
| 89 | {197567436, 51226044, 60372156, 175772188, |
| 90 | 42075930, 8083165, 160827401, 65097570}, |
| 91 | {1, 0, 0, 0, 0, 0, 0}, |
| 92 | }; |
| 93 | |
| 94 | } // anonymous namespace |
| 95 | |
| 96 | namespace crypto { |
| 97 | |
| 98 | P224EncryptedKeyExchange::P224EncryptedKeyExchange( |
| 99 | PeerType peer_type, const base::StringPiece& password) |
| 100 | : state_(kStateInitial), |
| 101 | is_server_(peer_type == kPeerTypeServer) { |
| 102 | memset(&x_, 0, sizeof(x_)); |
| 103 | memset(&expected_authenticator_, 0, sizeof(expected_authenticator_)); |
| 104 | |
| 105 | // x_ is a random scalar. |
| 106 | RandBytes(x_, sizeof(x_)); |
| 107 | |
| 108 | // X = g**x_ |
| 109 | p224::Point X; |
| 110 | p224::ScalarBaseMult(x_, &X); |
| 111 | |
| 112 | // Calculate |password| hash to get SPAKE password value. |
| 113 | SHA256HashString(std::string(password.data(), password.length()), |
| 114 | pw_, sizeof(pw_)); |
| 115 | |
| 116 | // The client masks the Diffie-Hellman value, X, by adding M**pw and the |
| 117 | // server uses N**pw. |
| 118 | p224::Point MNpw; |
| 119 | p224::ScalarMult(is_server_ ? kN : kM, pw_, &MNpw); |
| 120 | |
| 121 | // X* = X + (N|M)**pw |
| 122 | p224::Point Xstar; |
| 123 | p224::Add(X, MNpw, &Xstar); |
| 124 | |
| 125 | next_message_ = Xstar.ToString(); |
| 126 | } |
| 127 | |
| 128 | const std::string& P224EncryptedKeyExchange::GetMessage() { |
| 129 | if (state_ == kStateInitial) { |
| 130 | state_ = kStateRecvDH; |
| 131 | return next_message_; |
| 132 | } else if (state_ == kStateSendHash) { |
| 133 | state_ = kStateRecvHash; |
| 134 | return next_message_; |
| 135 | } |
| 136 | |
| 137 | LOG(FATAL) << "P224EncryptedKeyExchange::GetMessage called in" |
| 138 | " bad state " << state_; |
| 139 | next_message_ = ""; |
| 140 | return next_message_; |
| 141 | } |
| 142 | |
| 143 | P224EncryptedKeyExchange::Result P224EncryptedKeyExchange::ProcessMessage( |
| 144 | const base::StringPiece& message) { |
| 145 | if (state_ == kStateRecvHash) { |
| 146 | // This is the final state of the protocol: we are reading the peer's |
| 147 | // authentication hash and checking that it matches the one that we expect. |
| 148 | if (message.size() != sizeof(expected_authenticator_)) { |
| 149 | error_ = "peer's hash had an incorrect size"; |
| 150 | return kResultFailed; |
| 151 | } |
| 152 | if (!SecureMemEqual(message.data(), expected_authenticator_, |
| 153 | message.size())) { |
| 154 | error_ = "peer's hash had incorrect value"; |
| 155 | return kResultFailed; |
| 156 | } |
| 157 | state_ = kStateDone; |
| 158 | return kResultSuccess; |
| 159 | } |
| 160 | |
| 161 | if (state_ != kStateRecvDH) { |
| 162 | LOG(FATAL) << "P224EncryptedKeyExchange::ProcessMessage called in" |
| 163 | " bad state " << state_; |
| 164 | error_ = "internal error"; |
| 165 | return kResultFailed; |
| 166 | } |
| 167 | |
| 168 | // Y* is the other party's masked, Diffie-Hellman value. |
| 169 | p224::Point Ystar; |
| 170 | if (!Ystar.SetFromString(message)) { |
| 171 | error_ = "failed to parse peer's masked Diffie-Hellman value"; |
| 172 | return kResultFailed; |
| 173 | } |
| 174 | |
| 175 | // We calculate the mask value: (N|M)**pw |
| 176 | p224::Point MNpw, minus_MNpw, Y, k; |
| 177 | p224::ScalarMult(is_server_ ? kM : kN, pw_, &MNpw); |
| 178 | p224::Negate(MNpw, &minus_MNpw); |
| 179 | |
| 180 | // Y = Y* - (N|M)**pw |
| 181 | p224::Add(Ystar, minus_MNpw, &Y); |
| 182 | |
| 183 | // K = Y**x_ |
| 184 | p224::ScalarMult(Y, x_, &k); |
| 185 | |
| 186 | // If everything worked out, then K is the same for both parties. |
| 187 | key_ = k.ToString(); |
| 188 | |
| 189 | std::string client_masked_dh, server_masked_dh; |
| 190 | if (is_server_) { |
| 191 | client_masked_dh = message.as_string(); |
| 192 | server_masked_dh = next_message_; |
| 193 | } else { |
| 194 | client_masked_dh = next_message_; |
| 195 | server_masked_dh = message.as_string(); |
| 196 | } |
| 197 | |
| 198 | // Now we calculate the hashes that each side will use to prove to the other |
| 199 | // that they derived the correct value for K. |
| 200 | uint8 client_hash[kSHA256Length], server_hash[kSHA256Length]; |
| 201 | CalculateHash(kPeerTypeClient, client_masked_dh, server_masked_dh, key_, |
| 202 | client_hash); |
| 203 | CalculateHash(kPeerTypeServer, client_masked_dh, server_masked_dh, key_, |
| 204 | server_hash); |
| 205 | |
| 206 | const uint8* my_hash = is_server_ ? server_hash : client_hash; |
| 207 | const uint8* their_hash = is_server_ ? client_hash : server_hash; |
| 208 | |
| 209 | next_message_ = |
| 210 | std::string(reinterpret_cast<const char*>(my_hash), kSHA256Length); |
| 211 | memcpy(expected_authenticator_, their_hash, kSHA256Length); |
| 212 | state_ = kStateSendHash; |
| 213 | return kResultPending; |
| 214 | } |
| 215 | |
| 216 | void P224EncryptedKeyExchange::CalculateHash( |
| 217 | PeerType peer_type, |
| 218 | const std::string& client_masked_dh, |
| 219 | const std::string& server_masked_dh, |
| 220 | const std::string& k, |
| 221 | uint8* out_digest) { |
| 222 | std::string hash_contents; |
| 223 | |
| 224 | if (peer_type == kPeerTypeServer) { |
| 225 | hash_contents = "server"; |
| 226 | } else { |
| 227 | hash_contents = "client"; |
| 228 | } |
| 229 | |
| 230 | hash_contents += client_masked_dh; |
| 231 | hash_contents += server_masked_dh; |
| 232 | hash_contents += |
| 233 | std::string(reinterpret_cast<const char *>(pw_), sizeof(pw_)); |
| 234 | hash_contents += k; |
| 235 | |
| 236 | SHA256HashString(hash_contents, out_digest, kSHA256Length); |
| 237 | } |
| 238 | |
| 239 | const std::string& P224EncryptedKeyExchange::error() const { |
| 240 | return error_; |
| 241 | } |
| 242 | |
| 243 | const std::string& P224EncryptedKeyExchange::GetKey() { |
| 244 | DCHECK_EQ(state_, kStateDone); |
| 245 | return key_; |
| 246 | } |
| 247 | |
| 248 | } // namespace crypto |