1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // This code implements SPAKE2, a variant of EKE:
6 // http://www.di.ens.fr/~pointche/pub.php?reference=AbPo04
7
8 #include "crypto/p224_spake.h"
9
10 #include <algorithm>
11
12 #include "base/logging.h"
13 #include "crypto/p224.h"
14 #include "crypto/random.h"
15 #include "crypto/secure_util.h"
16
17 namespace {
18
19 // The following two points (M and N in the protocol) are verifiable random
20 // points on the curve and can be generated with the following code:
21
22 // #include <stdint.h>
23 // #include <stdio.h>
24 // #include <string.h>
25 //
26 // #include <openssl/ec.h>
27 // #include <openssl/obj_mac.h>
28 // #include <openssl/sha.h>
29 //
30 // // Silence a presubmit.
31 // #define PRINTF printf
32 //
33 // static const char kSeed1[] = "P224 point generation seed (M)";
34 // static const char kSeed2[] = "P224 point generation seed (N)";
35 //
36 // void find_seed(const char* seed) {
37 // SHA256_CTX sha256;
38 // uint8_t digest[SHA256_DIGEST_LENGTH];
39 //
40 // SHA256_Init(&sha256);
41 // SHA256_Update(&sha256, seed, strlen(seed));
42 // SHA256_Final(digest, &sha256);
43 //
44 // BIGNUM x, y;
45 // EC_GROUP* p224 = EC_GROUP_new_by_curve_name(NID_secp224r1);
46 // EC_POINT* p = EC_POINT_new(p224);
47 //
48 // for (unsigned i = 0;; i++) {
49 // BN_init(&x);
50 // BN_bin2bn(digest, 28, &x);
51 //
52 // if (EC_POINT_set_compressed_coordinates_GFp(
53 // p224, p, &x, digest[28] & 1, NULL)) {
54 // BN_init(&y);
55 // EC_POINT_get_affine_coordinates_GFp(p224, p, &x, &y, NULL);
56 // char* x_str = BN_bn2hex(&x);
57 // char* y_str = BN_bn2hex(&y);
58 // PRINTF("Found after %u iterations:\n%s\n%s\n", i, x_str, y_str);
59 // OPENSSL_free(x_str);
60 // OPENSSL_free(y_str);
61 // BN_free(&x);
62 // BN_free(&y);
63 // break;
64 // }
65 //
66 // SHA256_Init(&sha256);
67 // SHA256_Update(&sha256, digest, sizeof(digest));
68 // SHA256_Final(digest, &sha256);
69 //
70 // BN_free(&x);
71 // }
72 //
73 // EC_POINT_free(p);
74 // EC_GROUP_free(p224);
75 // }
76 //
77 // int main() {
78 // find_seed(kSeed1);
79 // find_seed(kSeed2);
80 // return 0;
81 // }
82
83 const crypto::p224::Point kM = {
84 {174237515, 77186811, 235213682, 33849492,
85 33188520, 48266885, 177021753, 81038478},
86 {104523827, 245682244, 266509668, 236196369,
87 28372046, 145351378, 198520366, 113345994},
88 {1, 0, 0, 0, 0, 0, 0, 0},
89 };
90
91 const crypto::p224::Point kN = {
92 {136176322, 263523628, 251628795, 229292285,
93 5034302, 185981975, 171998428, 11653062},
94 {197567436, 51226044, 60372156, 175772188,
95 42075930, 8083165, 160827401, 65097570},
96 {1, 0, 0, 0, 0, 0, 0, 0},
97 };
98
99 } // anonymous namespace
100
101 namespace crypto {
102
P224EncryptedKeyExchange(PeerType peer_type,base::StringPiece password)103 P224EncryptedKeyExchange::P224EncryptedKeyExchange(PeerType peer_type,
104 base::StringPiece password)
105 : state_(kStateInitial), is_server_(peer_type == kPeerTypeServer) {
106 memset(&x_, 0, sizeof(x_));
107 memset(&expected_authenticator_, 0, sizeof(expected_authenticator_));
108
109 // x_ is a random scalar.
110 RandBytes(x_, sizeof(x_));
111
112 // Calculate |password| hash to get SPAKE password value.
113 SHA256HashString(std::string(password.data(), password.length()),
114 pw_, sizeof(pw_));
115
116 Init();
117 }
118
Init()119 void P224EncryptedKeyExchange::Init() {
120 // X = g**x_
121 p224::Point X;
122 p224::ScalarBaseMult(x_, &X);
123
124 // The client masks the Diffie-Hellman value, X, by adding M**pw and the
125 // server uses N**pw.
126 p224::Point MNpw;
127 p224::ScalarMult(is_server_ ? kN : kM, pw_, &MNpw);
128
129 // X* = X + (N|M)**pw
130 p224::Point Xstar;
131 p224::Add(X, MNpw, &Xstar);
132
133 next_message_ = Xstar.ToString();
134 }
135
GetNextMessage()136 const std::string& P224EncryptedKeyExchange::GetNextMessage() {
137 if (state_ == kStateInitial) {
138 state_ = kStateRecvDH;
139 return next_message_;
140 } else if (state_ == kStateSendHash) {
141 state_ = kStateRecvHash;
142 return next_message_;
143 }
144
145 LOG(FATAL) << "P224EncryptedKeyExchange::GetNextMessage called in"
146 " bad state " << state_;
147 next_message_ = "";
148 return next_message_;
149 }
150
ProcessMessage(base::StringPiece message)151 P224EncryptedKeyExchange::Result P224EncryptedKeyExchange::ProcessMessage(
152 base::StringPiece message) {
153 if (state_ == kStateRecvHash) {
154 // This is the final state of the protocol: we are reading the peer's
155 // authentication hash and checking that it matches the one that we expect.
156 if (message.size() != sizeof(expected_authenticator_)) {
157 error_ = "peer's hash had an incorrect size";
158 return kResultFailed;
159 }
160 if (!SecureMemEqual(message.data(), expected_authenticator_,
161 message.size())) {
162 error_ = "peer's hash had incorrect value";
163 return kResultFailed;
164 }
165 state_ = kStateDone;
166 return kResultSuccess;
167 }
168
169 if (state_ != kStateRecvDH) {
170 LOG(FATAL) << "P224EncryptedKeyExchange::ProcessMessage called in"
171 " bad state " << state_;
172 error_ = "internal error";
173 return kResultFailed;
174 }
175
176 // Y* is the other party's masked, Diffie-Hellman value.
177 p224::Point Ystar;
178 if (!Ystar.SetFromString(message)) {
179 error_ = "failed to parse peer's masked Diffie-Hellman value";
180 return kResultFailed;
181 }
182
183 // We calculate the mask value: (N|M)**pw
184 p224::Point MNpw, minus_MNpw, Y, k;
185 p224::ScalarMult(is_server_ ? kM : kN, pw_, &MNpw);
186 p224::Negate(MNpw, &minus_MNpw);
187
188 // Y = Y* - (N|M)**pw
189 p224::Add(Ystar, minus_MNpw, &Y);
190
191 // K = Y**x_
192 p224::ScalarMult(Y, x_, &k);
193
194 // If everything worked out, then K is the same for both parties.
195 key_ = k.ToString();
196
197 std::string client_masked_dh, server_masked_dh;
198 if (is_server_) {
199 client_masked_dh = message.as_string();
200 server_masked_dh = next_message_;
201 } else {
202 client_masked_dh = next_message_;
203 server_masked_dh = message.as_string();
204 }
205
206 // Now we calculate the hashes that each side will use to prove to the other
207 // that they derived the correct value for K.
208 uint8_t client_hash[kSHA256Length], server_hash[kSHA256Length];
209 CalculateHash(kPeerTypeClient, client_masked_dh, server_masked_dh, key_,
210 client_hash);
211 CalculateHash(kPeerTypeServer, client_masked_dh, server_masked_dh, key_,
212 server_hash);
213
214 const uint8_t* my_hash = is_server_ ? server_hash : client_hash;
215 const uint8_t* their_hash = is_server_ ? client_hash : server_hash;
216
217 next_message_ =
218 std::string(reinterpret_cast<const char*>(my_hash), kSHA256Length);
219 memcpy(expected_authenticator_, their_hash, kSHA256Length);
220 state_ = kStateSendHash;
221 return kResultPending;
222 }
223
CalculateHash(PeerType peer_type,const std::string & client_masked_dh,const std::string & server_masked_dh,const std::string & k,uint8_t * out_digest)224 void P224EncryptedKeyExchange::CalculateHash(
225 PeerType peer_type,
226 const std::string& client_masked_dh,
227 const std::string& server_masked_dh,
228 const std::string& k,
229 uint8_t* out_digest) {
230 std::string hash_contents;
231
232 if (peer_type == kPeerTypeServer) {
233 hash_contents = "server";
234 } else {
235 hash_contents = "client";
236 }
237
238 hash_contents += client_masked_dh;
239 hash_contents += server_masked_dh;
240 hash_contents +=
241 std::string(reinterpret_cast<const char *>(pw_), sizeof(pw_));
242 hash_contents += k;
243
244 SHA256HashString(hash_contents, out_digest, kSHA256Length);
245 }
246
error() const247 const std::string& P224EncryptedKeyExchange::error() const {
248 return error_;
249 }
250
GetKey() const251 const std::string& P224EncryptedKeyExchange::GetKey() const {
252 DCHECK_EQ(state_, kStateDone);
253 return GetUnverifiedKey();
254 }
255
GetUnverifiedKey() const256 const std::string& P224EncryptedKeyExchange::GetUnverifiedKey() const {
257 // Key is already final when state is kStateSendHash. Subsequent states are
258 // used only for verification of the key. Some users may combine verification
259 // with sending verifiable data instead of |expected_authenticator_|.
260 DCHECK_GE(state_, kStateSendHash);
261 return key_;
262 }
263
SetXForTesting(const std::string & x)264 void P224EncryptedKeyExchange::SetXForTesting(const std::string& x) {
265 memset(&x_, 0, sizeof(x_));
266 memcpy(&x_, x.data(), std::min(x.size(), sizeof(x_)));
267 Init();
268 }
269
270 } // namespace crypto
271