Home | History | Annotate | Download | only in crypto
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 // This code implements SPAKE2, a variant of EKE:
      6 //  http://www.di.ens.fr/~pointche/pub.php?reference=AbPo04
      7 
      8 #include <crypto/p224_spake.h>
      9 
     10 #include <base/logging.h>
     11 #include <crypto/p224.h>
     12 #include <crypto/random.h>
     13 #include <crypto/secure_util.h>
     14 
     15 namespace {
     16 
     17 // The following two points (M and N in the protocol) are verifiable random
     18 // points on the curve and can be generated with the following code:
     19 
     20 // #include <stdint.h>
     21 // #include <stdio.h>
     22 // #include <string.h>
     23 //
     24 // #include <openssl/ec.h>
     25 // #include <openssl/obj_mac.h>
     26 // #include <openssl/sha.h>
     27 //
     28 // static const char kSeed1[] = "P224 point generation seed (M)";
     29 // static const char kSeed2[] = "P224 point generation seed (N)";
     30 //
     31 // void find_seed(const char* seed) {
     32 //   SHA256_CTX sha256;
     33 //   uint8_t digest[SHA256_DIGEST_LENGTH];
     34 //
     35 //   SHA256_Init(&sha256);
     36 //   SHA256_Update(&sha256, seed, strlen(seed));
     37 //   SHA256_Final(digest, &sha256);
     38 //
     39 //   BIGNUM x, y;
     40 //   EC_GROUP* p224 = EC_GROUP_new_by_curve_name(NID_secp224r1);
     41 //   EC_POINT* p = EC_POINT_new(p224);
     42 //
     43 //   for (unsigned i = 0;; i++) {
     44 //     BN_init(&x);
     45 //     BN_bin2bn(digest, 28, &x);
     46 //
     47 //     if (EC_POINT_set_compressed_coordinates_GFp(
     48 //             p224, p, &x, digest[28] & 1, NULL)) {
     49 //       BN_init(&y);
     50 //       EC_POINT_get_affine_coordinates_GFp(p224, p, &x, &y, NULL);
     51 //       char* x_str = BN_bn2hex(&x);
     52 //       char* y_str = BN_bn2hex(&y);
     53 //       printf("Found after %u iterations:\n%s\n%s\n", i, x_str, y_str);
     54 //       OPENSSL_free(x_str);
     55 //       OPENSSL_free(y_str);
     56 //       BN_free(&x);
     57 //       BN_free(&y);
     58 //       break;
     59 //     }
     60 //
     61 //     SHA256_Init(&sha256);
     62 //     SHA256_Update(&sha256, digest, sizeof(digest));
     63 //     SHA256_Final(digest, &sha256);
     64 //
     65 //     BN_free(&x);
     66 //   }
     67 //
     68 //   EC_POINT_free(p);
     69 //   EC_GROUP_free(p224);
     70 // }
     71 //
     72 // int main() {
     73 //   find_seed(kSeed1);
     74 //   find_seed(kSeed2);
     75 //   return 0;
     76 // }
     77 
     78 const crypto::p224::Point kM = {
     79   {174237515, 77186811, 235213682, 33849492,
     80    33188520, 48266885, 177021753, 81038478},
     81   {104523827, 245682244, 266509668, 236196369,
     82    28372046, 145351378, 198520366, 113345994},
     83   {1, 0, 0, 0, 0, 0, 0},
     84 };
     85 
     86 const crypto::p224::Point kN = {
     87   {136176322, 263523628, 251628795, 229292285,
     88    5034302, 185981975, 171998428, 11653062},
     89   {197567436, 51226044, 60372156, 175772188,
     90    42075930, 8083165, 160827401, 65097570},
     91   {1, 0, 0, 0, 0, 0, 0},
     92 };
     93 
     94 }  // anonymous namespace
     95 
     96 namespace crypto {
     97 
     98 P224EncryptedKeyExchange::P224EncryptedKeyExchange(
     99     PeerType peer_type, const base::StringPiece& password)
    100     : state_(kStateInitial),
    101       is_server_(peer_type == kPeerTypeServer) {
    102   memset(&x_, 0, sizeof(x_));
    103   memset(&expected_authenticator_, 0, sizeof(expected_authenticator_));
    104 
    105   // x_ is a random scalar.
    106   RandBytes(x_, sizeof(x_));
    107 
    108   // X = g**x_
    109   p224::Point X;
    110   p224::ScalarBaseMult(x_, &X);
    111 
    112   // Calculate |password| hash to get SPAKE password value.
    113   SHA256HashString(std::string(password.data(), password.length()),
    114                    pw_, sizeof(pw_));
    115 
    116   // The client masks the Diffie-Hellman value, X, by adding M**pw and the
    117   // server uses N**pw.
    118   p224::Point MNpw;
    119   p224::ScalarMult(is_server_ ? kN : kM, pw_, &MNpw);
    120 
    121   // X* = X + (N|M)**pw
    122   p224::Point Xstar;
    123   p224::Add(X, MNpw, &Xstar);
    124 
    125   next_message_ = Xstar.ToString();
    126 }
    127 
    128 const std::string& P224EncryptedKeyExchange::GetMessage() {
    129   if (state_ == kStateInitial) {
    130     state_ = kStateRecvDH;
    131     return next_message_;
    132   } else if (state_ == kStateSendHash) {
    133     state_ = kStateRecvHash;
    134     return next_message_;
    135   }
    136 
    137   LOG(FATAL) << "P224EncryptedKeyExchange::GetMessage called in"
    138                 " bad state " << state_;
    139   next_message_ = "";
    140   return next_message_;
    141 }
    142 
    143 P224EncryptedKeyExchange::Result P224EncryptedKeyExchange::ProcessMessage(
    144     const base::StringPiece& message) {
    145   if (state_ == kStateRecvHash) {
    146     // This is the final state of the protocol: we are reading the peer's
    147     // authentication hash and checking that it matches the one that we expect.
    148     if (message.size() != sizeof(expected_authenticator_)) {
    149       error_ = "peer's hash had an incorrect size";
    150       return kResultFailed;
    151     }
    152     if (!SecureMemEqual(message.data(), expected_authenticator_,
    153                         message.size())) {
    154       error_ = "peer's hash had incorrect value";
    155       return kResultFailed;
    156     }
    157     state_ = kStateDone;
    158     return kResultSuccess;
    159   }
    160 
    161   if (state_ != kStateRecvDH) {
    162     LOG(FATAL) << "P224EncryptedKeyExchange::ProcessMessage called in"
    163                   " bad state " << state_;
    164     error_ = "internal error";
    165     return kResultFailed;
    166   }
    167 
    168   // Y* is the other party's masked, Diffie-Hellman value.
    169   p224::Point Ystar;
    170   if (!Ystar.SetFromString(message)) {
    171     error_ = "failed to parse peer's masked Diffie-Hellman value";
    172     return kResultFailed;
    173   }
    174 
    175   // We calculate the mask value: (N|M)**pw
    176   p224::Point MNpw, minus_MNpw, Y, k;
    177   p224::ScalarMult(is_server_ ? kM : kN, pw_, &MNpw);
    178   p224::Negate(MNpw, &minus_MNpw);
    179 
    180   // Y = Y* - (N|M)**pw
    181   p224::Add(Ystar, minus_MNpw, &Y);
    182 
    183   // K = Y**x_
    184   p224::ScalarMult(Y, x_, &k);
    185 
    186   // If everything worked out, then K is the same for both parties.
    187   key_ = k.ToString();
    188 
    189   std::string client_masked_dh, server_masked_dh;
    190   if (is_server_) {
    191     client_masked_dh = message.as_string();
    192     server_masked_dh = next_message_;
    193   } else {
    194     client_masked_dh = next_message_;
    195     server_masked_dh = message.as_string();
    196   }
    197 
    198   // Now we calculate the hashes that each side will use to prove to the other
    199   // that they derived the correct value for K.
    200   uint8 client_hash[kSHA256Length], server_hash[kSHA256Length];
    201   CalculateHash(kPeerTypeClient, client_masked_dh, server_masked_dh, key_,
    202                 client_hash);
    203   CalculateHash(kPeerTypeServer, client_masked_dh, server_masked_dh, key_,
    204                 server_hash);
    205 
    206   const uint8* my_hash = is_server_ ? server_hash : client_hash;
    207   const uint8* their_hash = is_server_ ? client_hash : server_hash;
    208 
    209   next_message_ =
    210       std::string(reinterpret_cast<const char*>(my_hash), kSHA256Length);
    211   memcpy(expected_authenticator_, their_hash, kSHA256Length);
    212   state_ = kStateSendHash;
    213   return kResultPending;
    214 }
    215 
    216 void P224EncryptedKeyExchange::CalculateHash(
    217     PeerType peer_type,
    218     const std::string& client_masked_dh,
    219     const std::string& server_masked_dh,
    220     const std::string& k,
    221     uint8* out_digest) {
    222   std::string hash_contents;
    223 
    224   if (peer_type == kPeerTypeServer) {
    225     hash_contents = "server";
    226   } else {
    227     hash_contents = "client";
    228   }
    229 
    230   hash_contents += client_masked_dh;
    231   hash_contents += server_masked_dh;
    232   hash_contents +=
    233       std::string(reinterpret_cast<const char *>(pw_), sizeof(pw_));
    234   hash_contents += k;
    235 
    236   SHA256HashString(hash_contents, out_digest, kSHA256Length);
    237 }
    238 
    239 const std::string& P224EncryptedKeyExchange::error() const {
    240   return error_;
    241 }
    242 
    243 const std::string& P224EncryptedKeyExchange::GetKey() {
    244   DCHECK_EQ(state_, kStateDone);
    245   return key_;
    246 }
    247 
    248 }  // namespace crypto
    249