1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // This code implements SPAKE2, a variant of EKE:
6 // http://www.di.ens.fr/~pointche/pub.php?reference=AbPo04
8 #include <crypto/p224_spake.h>
10 #include <base/logging.h>
11 #include <crypto/p224.h>
12 #include <crypto/random.h>
13 #include <crypto/secure_util.h>
17 // The following two points (M and N in the protocol) are verifiable random
18 // points on the curve and can be generated with the following code:
20 // #include <stdint.h>
22 // #include <string.h>
24 // #include <openssl/ec.h>
25 // #include <openssl/obj_mac.h>
26 // #include <openssl/sha.h>
28 // static const char kSeed1[] = "P224 point generation seed (M)";
29 // static const char kSeed2[] = "P224 point generation seed (N)";
31 // void find_seed(const char* seed) {
33 // uint8_t digest[SHA256_DIGEST_LENGTH];
35 // SHA256_Init(&sha256);
36 // SHA256_Update(&sha256, seed, strlen(seed));
37 // SHA256_Final(digest, &sha256);
40 // EC_GROUP* p224 = EC_GROUP_new_by_curve_name(NID_secp224r1);
41 // EC_POINT* p = EC_POINT_new(p224);
43 // for (unsigned i = 0;; i++) {
45 // BN_bin2bn(digest, 28, &x);
47 // if (EC_POINT_set_compressed_coordinates_GFp(
48 // p224, p, &x, digest[28] & 1, NULL)) {
50 // EC_POINT_get_affine_coordinates_GFp(p224, p, &x, &y, NULL);
51 // char* x_str = BN_bn2hex(&x);
52 // char* y_str = BN_bn2hex(&y);
53 // printf("Found after %u iterations:\n%s\n%s\n", i, x_str, y_str);
54 // OPENSSL_free(x_str);
55 // OPENSSL_free(y_str);
61 // SHA256_Init(&sha256);
62 // SHA256_Update(&sha256, digest, sizeof(digest));
63 // SHA256_Final(digest, &sha256);
69 // EC_GROUP_free(p224);
78 const crypto::p224::Point kM
= {
79 {174237515, 77186811, 235213682, 33849492,
80 33188520, 48266885, 177021753, 81038478},
81 {104523827, 245682244, 266509668, 236196369,
82 28372046, 145351378, 198520366, 113345994},
83 {1, 0, 0, 0, 0, 0, 0},
86 const crypto::p224::Point kN
= {
87 {136176322, 263523628, 251628795, 229292285,
88 5034302, 185981975, 171998428, 11653062},
89 {197567436, 51226044, 60372156, 175772188,
90 42075930, 8083165, 160827401, 65097570},
91 {1, 0, 0, 0, 0, 0, 0},
94 } // anonymous namespace
98 P224EncryptedKeyExchange::P224EncryptedKeyExchange(
99 PeerType peer_type
, const base::StringPiece
& password
)
100 : state_(kStateInitial
),
101 is_server_(peer_type
== kPeerTypeServer
) {
102 memset(&x_
, 0, sizeof(x_
));
103 memset(&expected_authenticator_
, 0, sizeof(expected_authenticator_
));
105 // x_ is a random scalar.
106 RandBytes(x_
, sizeof(x_
));
110 p224::ScalarBaseMult(x_
, &X
);
112 // Calculate |password| hash to get SPAKE password value.
113 SHA256HashString(std::string(password
.data(), password
.length()),
116 // The client masks the Diffie-Hellman value, X, by adding M**pw and the
117 // server uses N**pw.
119 p224::ScalarMult(is_server_
? kN
: kM
, pw_
, &MNpw
);
121 // X* = X + (N|M)**pw
123 p224::Add(X
, MNpw
, &Xstar
);
125 next_message_
= Xstar
.ToString();
128 const std::string
& P224EncryptedKeyExchange::GetMessage() {
129 if (state_
== kStateInitial
) {
130 state_
= kStateRecvDH
;
131 return next_message_
;
132 } else if (state_
== kStateSendHash
) {
133 state_
= kStateRecvHash
;
134 return next_message_
;
137 LOG(FATAL
) << "P224EncryptedKeyExchange::GetMessage called in"
138 " bad state " << state_
;
140 return next_message_
;
143 P224EncryptedKeyExchange::Result
P224EncryptedKeyExchange::ProcessMessage(
144 const base::StringPiece
& message
) {
145 if (state_
== kStateRecvHash
) {
146 // This is the final state of the protocol: we are reading the peer's
147 // authentication hash and checking that it matches the one that we expect.
148 if (message
.size() != sizeof(expected_authenticator_
)) {
149 error_
= "peer's hash had an incorrect size";
150 return kResultFailed
;
152 if (!SecureMemEqual(message
.data(), expected_authenticator_
,
154 error_
= "peer's hash had incorrect value";
155 return kResultFailed
;
158 return kResultSuccess
;
161 if (state_
!= kStateRecvDH
) {
162 LOG(FATAL
) << "P224EncryptedKeyExchange::ProcessMessage called in"
163 " bad state " << state_
;
164 error_
= "internal error";
165 return kResultFailed
;
168 // Y* is the other party's masked, Diffie-Hellman value.
170 if (!Ystar
.SetFromString(message
)) {
171 error_
= "failed to parse peer's masked Diffie-Hellman value";
172 return kResultFailed
;
175 // We calculate the mask value: (N|M)**pw
176 p224::Point MNpw
, minus_MNpw
, Y
, k
;
177 p224::ScalarMult(is_server_
? kM
: kN
, pw_
, &MNpw
);
178 p224::Negate(MNpw
, &minus_MNpw
);
180 // Y = Y* - (N|M)**pw
181 p224::Add(Ystar
, minus_MNpw
, &Y
);
184 p224::ScalarMult(Y
, x_
, &k
);
186 // If everything worked out, then K is the same for both parties.
189 std::string client_masked_dh
, server_masked_dh
;
191 client_masked_dh
= message
.as_string();
192 server_masked_dh
= next_message_
;
194 client_masked_dh
= next_message_
;
195 server_masked_dh
= message
.as_string();
198 // Now we calculate the hashes that each side will use to prove to the other
199 // that they derived the correct value for K.
200 uint8 client_hash
[kSHA256Length
], server_hash
[kSHA256Length
];
201 CalculateHash(kPeerTypeClient
, client_masked_dh
, server_masked_dh
, key_
,
203 CalculateHash(kPeerTypeServer
, client_masked_dh
, server_masked_dh
, key_
,
206 const uint8
* my_hash
= is_server_
? server_hash
: client_hash
;
207 const uint8
* their_hash
= is_server_
? client_hash
: server_hash
;
210 std::string(reinterpret_cast<const char*>(my_hash
), kSHA256Length
);
211 memcpy(expected_authenticator_
, their_hash
, kSHA256Length
);
212 state_
= kStateSendHash
;
213 return kResultPending
;
216 void P224EncryptedKeyExchange::CalculateHash(
218 const std::string
& client_masked_dh
,
219 const std::string
& server_masked_dh
,
220 const std::string
& k
,
222 std::string hash_contents
;
224 if (peer_type
== kPeerTypeServer
) {
225 hash_contents
= "server";
227 hash_contents
= "client";
230 hash_contents
+= client_masked_dh
;
231 hash_contents
+= server_masked_dh
;
233 std::string(reinterpret_cast<const char *>(pw_
), sizeof(pw_
));
236 SHA256HashString(hash_contents
, out_digest
, kSHA256Length
);
239 const std::string
& P224EncryptedKeyExchange::error() const {
243 const std::string
& P224EncryptedKeyExchange::GetKey() {
244 DCHECK_EQ(state_
, kStateDone
);
248 } // namespace crypto