1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 // This code implements SPAKE2, a variant of EKE: 6 // http://www.di.ens.fr/~pointche/pub.php?reference=AbPo04 7 8 #include <crypto/p224_spake.h> 9 10 #include <base/logging.h> 11 #include <crypto/p224.h> 12 #include <crypto/random.h> 13 #include <crypto/secure_util.h> 14 15 namespace { 16 17 // The following two points (M and N in the protocol) are verifiable random 18 // points on the curve and can be generated with the following code: 19 20 // #include <stdint.h> 21 // #include <stdio.h> 22 // #include <string.h> 23 // 24 // #include <openssl/ec.h> 25 // #include <openssl/obj_mac.h> 26 // #include <openssl/sha.h> 27 // 28 // static const char kSeed1[] = "P224 point generation seed (M)"; 29 // static const char kSeed2[] = "P224 point generation seed (N)"; 30 // 31 // void find_seed(const char* seed) { 32 // SHA256_CTX sha256; 33 // uint8_t digest[SHA256_DIGEST_LENGTH]; 34 // 35 // SHA256_Init(&sha256); 36 // SHA256_Update(&sha256, seed, strlen(seed)); 37 // SHA256_Final(digest, &sha256); 38 // 39 // BIGNUM x, y; 40 // EC_GROUP* p224 = EC_GROUP_new_by_curve_name(NID_secp224r1); 41 // EC_POINT* p = EC_POINT_new(p224); 42 // 43 // for (unsigned i = 0;; i++) { 44 // BN_init(&x); 45 // BN_bin2bn(digest, 28, &x); 46 // 47 // if (EC_POINT_set_compressed_coordinates_GFp( 48 // p224, p, &x, digest[28] & 1, NULL)) { 49 // BN_init(&y); 50 // EC_POINT_get_affine_coordinates_GFp(p224, p, &x, &y, NULL); 51 // char* x_str = BN_bn2hex(&x); 52 // char* y_str = BN_bn2hex(&y); 53 // printf("Found after %u iterations:\n%s\n%s\n", i, x_str, y_str); 54 // OPENSSL_free(x_str); 55 // OPENSSL_free(y_str); 56 // BN_free(&x); 57 // BN_free(&y); 58 // break; 59 // } 60 // 61 // SHA256_Init(&sha256); 62 // SHA256_Update(&sha256, digest, sizeof(digest)); 63 // SHA256_Final(digest, &sha256); 64 // 65 // BN_free(&x); 66 // } 67 // 68 // EC_POINT_free(p); 69 // EC_GROUP_free(p224); 70 // } 71 // 72 // int main() { 73 // find_seed(kSeed1); 74 // find_seed(kSeed2); 75 // return 0; 76 // } 77 78 const crypto::p224::Point kM = { 79 {174237515, 77186811, 235213682, 33849492, 80 33188520, 48266885, 177021753, 81038478}, 81 {104523827, 245682244, 266509668, 236196369, 82 28372046, 145351378, 198520366, 113345994}, 83 {1, 0, 0, 0, 0, 0, 0}, 84 }; 85 86 const crypto::p224::Point kN = { 87 {136176322, 263523628, 251628795, 229292285, 88 5034302, 185981975, 171998428, 11653062}, 89 {197567436, 51226044, 60372156, 175772188, 90 42075930, 8083165, 160827401, 65097570}, 91 {1, 0, 0, 0, 0, 0, 0}, 92 }; 93 94 } // anonymous namespace 95 96 namespace crypto { 97 98 P224EncryptedKeyExchange::P224EncryptedKeyExchange( 99 PeerType peer_type, const base::StringPiece& password) 100 : state_(kStateInitial), 101 is_server_(peer_type == kPeerTypeServer) { 102 memset(&x_, 0, sizeof(x_)); 103 memset(&expected_authenticator_, 0, sizeof(expected_authenticator_)); 104 105 // x_ is a random scalar. 106 RandBytes(x_, sizeof(x_)); 107 108 // X = g**x_ 109 p224::Point X; 110 p224::ScalarBaseMult(x_, &X); 111 112 // Calculate |password| hash to get SPAKE password value. 113 SHA256HashString(std::string(password.data(), password.length()), 114 pw_, sizeof(pw_)); 115 116 // The client masks the Diffie-Hellman value, X, by adding M**pw and the 117 // server uses N**pw. 118 p224::Point MNpw; 119 p224::ScalarMult(is_server_ ? kN : kM, pw_, &MNpw); 120 121 // X* = X + (N|M)**pw 122 p224::Point Xstar; 123 p224::Add(X, MNpw, &Xstar); 124 125 next_message_ = Xstar.ToString(); 126 } 127 128 const std::string& P224EncryptedKeyExchange::GetMessage() { 129 if (state_ == kStateInitial) { 130 state_ = kStateRecvDH; 131 return next_message_; 132 } else if (state_ == kStateSendHash) { 133 state_ = kStateRecvHash; 134 return next_message_; 135 } 136 137 LOG(FATAL) << "P224EncryptedKeyExchange::GetMessage called in" 138 " bad state " << state_; 139 next_message_ = ""; 140 return next_message_; 141 } 142 143 P224EncryptedKeyExchange::Result P224EncryptedKeyExchange::ProcessMessage( 144 const base::StringPiece& message) { 145 if (state_ == kStateRecvHash) { 146 // This is the final state of the protocol: we are reading the peer's 147 // authentication hash and checking that it matches the one that we expect. 148 if (message.size() != sizeof(expected_authenticator_)) { 149 error_ = "peer's hash had an incorrect size"; 150 return kResultFailed; 151 } 152 if (!SecureMemEqual(message.data(), expected_authenticator_, 153 message.size())) { 154 error_ = "peer's hash had incorrect value"; 155 return kResultFailed; 156 } 157 state_ = kStateDone; 158 return kResultSuccess; 159 } 160 161 if (state_ != kStateRecvDH) { 162 LOG(FATAL) << "P224EncryptedKeyExchange::ProcessMessage called in" 163 " bad state " << state_; 164 error_ = "internal error"; 165 return kResultFailed; 166 } 167 168 // Y* is the other party's masked, Diffie-Hellman value. 169 p224::Point Ystar; 170 if (!Ystar.SetFromString(message)) { 171 error_ = "failed to parse peer's masked Diffie-Hellman value"; 172 return kResultFailed; 173 } 174 175 // We calculate the mask value: (N|M)**pw 176 p224::Point MNpw, minus_MNpw, Y, k; 177 p224::ScalarMult(is_server_ ? kM : kN, pw_, &MNpw); 178 p224::Negate(MNpw, &minus_MNpw); 179 180 // Y = Y* - (N|M)**pw 181 p224::Add(Ystar, minus_MNpw, &Y); 182 183 // K = Y**x_ 184 p224::ScalarMult(Y, x_, &k); 185 186 // If everything worked out, then K is the same for both parties. 187 key_ = k.ToString(); 188 189 std::string client_masked_dh, server_masked_dh; 190 if (is_server_) { 191 client_masked_dh = message.as_string(); 192 server_masked_dh = next_message_; 193 } else { 194 client_masked_dh = next_message_; 195 server_masked_dh = message.as_string(); 196 } 197 198 // Now we calculate the hashes that each side will use to prove to the other 199 // that they derived the correct value for K. 200 uint8 client_hash[kSHA256Length], server_hash[kSHA256Length]; 201 CalculateHash(kPeerTypeClient, client_masked_dh, server_masked_dh, key_, 202 client_hash); 203 CalculateHash(kPeerTypeServer, client_masked_dh, server_masked_dh, key_, 204 server_hash); 205 206 const uint8* my_hash = is_server_ ? server_hash : client_hash; 207 const uint8* their_hash = is_server_ ? client_hash : server_hash; 208 209 next_message_ = 210 std::string(reinterpret_cast<const char*>(my_hash), kSHA256Length); 211 memcpy(expected_authenticator_, their_hash, kSHA256Length); 212 state_ = kStateSendHash; 213 return kResultPending; 214 } 215 216 void P224EncryptedKeyExchange::CalculateHash( 217 PeerType peer_type, 218 const std::string& client_masked_dh, 219 const std::string& server_masked_dh, 220 const std::string& k, 221 uint8* out_digest) { 222 std::string hash_contents; 223 224 if (peer_type == kPeerTypeServer) { 225 hash_contents = "server"; 226 } else { 227 hash_contents = "client"; 228 } 229 230 hash_contents += client_masked_dh; 231 hash_contents += server_masked_dh; 232 hash_contents += 233 std::string(reinterpret_cast<const char *>(pw_), sizeof(pw_)); 234 hash_contents += k; 235 236 SHA256HashString(hash_contents, out_digest, kSHA256Length); 237 } 238 239 const std::string& P224EncryptedKeyExchange::error() const { 240 return error_; 241 } 242 243 const std::string& P224EncryptedKeyExchange::GetKey() { 244 DCHECK_EQ(state_, kStateDone); 245 return key_; 246 } 247 248 } // namespace crypto 249
