third_party/chromium/crypto/p224_spake.cc - weave/libweave - Git at Google

 // Copyright 2012 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 // This code implements SPAKE2, a variant of EKE:
 //  http://www.di.ens.fr/~pointche/pub.php?reference=AbPo04

 #include "third_party/chromium/crypto/p224_spake.h"

 #include <algorithm>

 #include <base/logging.h>
 #include <base/rand_util.h>

 #include "third_party/chromium/crypto/p224.h"

 namespace {

 // The following two points (M and N in the protocol) are verifiable random
 // points on the curve and can be generated with the following code:

 // #include <stdint.h>
 // #include <stdio.h>
 // #include <string.h>
 //
 // #include <openssl/ec.h>
 // #include <openssl/obj_mac.h>
 // #include <openssl/sha.h>
 //
 // static const char kSeed1[] = "P224 point generation seed (M)";
 // static const char kSeed2[] = "P224 point generation seed (N)";
 //
 // void find_seed(const char* seed) {
 //   SHA256_CTX sha256;
 //   uint8_t digest[SHA256_DIGEST_LENGTH];
 //
 //   SHA256_Init(&sha256);
 //   SHA256_Update(&sha256, seed, strlen(seed));
 //   SHA256_Final(digest, &sha256);
 //
 //   BIGNUM x, y;
 //   EC_GROUP* p224 = EC_GROUP_new_by_curve_name(NID_secp224r1);
 //   EC_POINT* p = EC_POINT_new(p224);
 //
 //   for (unsigned i = 0;; i++) {
 //     BN_init(&x);
 //     BN_bin2bn(digest, 28, &x);
 //
 //     if (EC_POINT_set_compressed_coordinates_GFp(
 //             p224, p, &x, digest[28] & 1, NULL)) {
 //       BN_init(&y);
 //       EC_POINT_get_affine_coordinates_GFp(p224, p, &x, &y, NULL);
 //       char* x_str = BN_bn2hex(&x);
 //       char* y_str = BN_bn2hex(&y);
 //       printf("Found after %u iterations:\n%s\n%s\n", i, x_str, y_str);
 //       OPENSSL_free(x_str);
 //       OPENSSL_free(y_str);
 //       BN_free(&x);
 //       BN_free(&y);
 //       break;
 //     }
 //
 //     SHA256_Init(&sha256);
 //     SHA256_Update(&sha256, digest, sizeof(digest));
 //     SHA256_Final(digest, &sha256);
 //
 //     BN_free(&x);
 //   }
 //
 //   EC_POINT_free(p);
 //   EC_GROUP_free(p224);
 // }
 //
 // int main() {
 //   find_seed(kSeed1);
 //   find_seed(kSeed2);
 //   return 0;
 // }

 const crypto::p224::Point kM = {
   {174237515, 77186811, 235213682, 33849492,
    33188520, 48266885, 177021753, 81038478},
   {104523827, 245682244, 266509668, 236196369,
    28372046, 145351378, 198520366, 113345994},
   {1, 0, 0, 0, 0, 0, 0, 0},
 };

 const crypto::p224::Point kN = {
   {136176322, 263523628, 251628795, 229292285,
    5034302, 185981975, 171998428, 11653062},
   {197567436, 51226044, 60372156, 175772188,
    42075930, 8083165, 160827401, 65097570},
   {1, 0, 0, 0, 0, 0, 0, 0},
 };

 // Performs a constant-time comparison of two strings, returning true if the
 // strings are equal.
 //
 // For cryptographic operations, comparison functions such as memcmp() may
 // expose side-channel information about input, allowing an attacker to
 // perform timing analysis to determine what the expected bits should be. In
 // order to avoid such attacks, the comparison must execute in constant time,
 // so as to not to reveal to the attacker where the difference(s) are.
 // For an example attack, see
 // http://groups.google.com/group/keyczar-discuss/browse_thread/thread/5571eca0948b2a13
 bool SecureMemEqual(const uint8_t* s1_ptr, const uint8_t* s2_ptr, size_t n) {
   uint8_t tmp = 0;
   for (size_t i = 0; i < n; ++i, ++s1_ptr, ++s2_ptr)
     tmp |= *s1_ptr ^ *s2_ptr;
   return (tmp == 0);
 }

 }  // anonymous namespace

 namespace crypto {

 P224EncryptedKeyExchange::P224EncryptedKeyExchange(
     PeerType peer_type, const base::StringPiece& password)
     : state_(kStateInitial),
       is_server_(peer_type == kPeerTypeServer) {
   memset(&x_, 0, sizeof(x_));
   memset(&expected_authenticator_, 0, sizeof(expected_authenticator_));

   // x_ is a random scalar.
   base::RandBytes(x_, sizeof(x_));

   // Calculate |password| hash to get SPAKE password value.
   SHA256HashString(std::string(password.data(), password.length()),
                    pw_, sizeof(pw_));

   Init();
 }

 void P224EncryptedKeyExchange::Init() {
   // X = g**x_
   p224::Point X;
   p224::ScalarBaseMult(x_, &X);

   // The client masks the Diffie-Hellman value, X, by adding M**pw and the
   // server uses N**pw.
   p224::Point MNpw;
   p224::ScalarMult(is_server_ ? kN : kM, pw_, &MNpw);

   // X* = X + (N|M)**pw
   p224::Point Xstar;
   p224::Add(X, MNpw, &Xstar);

   next_message_ = Xstar.ToString();
 }

 const std::string& P224EncryptedKeyExchange::GetNextMessage() {
   if (state_ == kStateInitial) {
     state_ = kStateRecvDH;
     return next_message_;
   } else if (state_ == kStateSendHash) {
     state_ = kStateRecvHash;
     return next_message_;
   }

   LOG(FATAL) << "P224EncryptedKeyExchange::GetNextMessage called in"
                 " bad state " << state_;
   next_message_ = "";
   return next_message_;
 }

 P224EncryptedKeyExchange::Result P224EncryptedKeyExchange::ProcessMessage(
     const base::StringPiece& message) {
   if (state_ == kStateRecvHash) {
     // This is the final state of the protocol: we are reading the peer's
     // authentication hash and checking that it matches the one that we expect.
     if (message.size() != sizeof(expected_authenticator_)) {
       error_ = "peer's hash had an incorrect size";
       return kResultFailed;
     }
     if (!SecureMemEqual(reinterpret_cast<const uint8_t*>(message.data()),
                         expected_authenticator_, message.size())) {
       error_ = "peer's hash had incorrect value";
       return kResultFailed;
     }
     state_ = kStateDone;
     return kResultSuccess;
   }

   if (state_ != kStateRecvDH) {
     LOG(FATAL) << "P224EncryptedKeyExchange::ProcessMessage called in"
                   " bad state " << state_;
     error_ = "internal error";
     return kResultFailed;
   }

   // Y* is the other party's masked, Diffie-Hellman value.
   p224::Point Ystar;
   if (!Ystar.SetFromString(message)) {
     error_ = "failed to parse peer's masked Diffie-Hellman value";
     return kResultFailed;
   }

   // We calculate the mask value: (N|M)**pw
   p224::Point MNpw, minus_MNpw, Y, k;
   p224::ScalarMult(is_server_ ? kM : kN, pw_, &MNpw);
   p224::Negate(MNpw, &minus_MNpw);

   // Y = Y* - (N|M)**pw
   p224::Add(Ystar, minus_MNpw, &Y);

   // K = Y**x_
   p224::ScalarMult(Y, x_, &k);

   // If everything worked out, then K is the same for both parties.
   key_ = k.ToString();

   std::string client_masked_dh, server_masked_dh;
   if (is_server_) {
     client_masked_dh = message.as_string();
     server_masked_dh = next_message_;
   } else {
     client_masked_dh = next_message_;
     server_masked_dh = message.as_string();
   }

   // Now we calculate the hashes that each side will use to prove to the other
   // that they derived the correct value for K.
   uint8_t client_hash[kSHA256Length], server_hash[kSHA256Length];
   CalculateHash(kPeerTypeClient, client_masked_dh, server_masked_dh, key_,
                 client_hash);
   CalculateHash(kPeerTypeServer, client_masked_dh, server_masked_dh, key_,
                 server_hash);

   const uint8_t* my_hash = is_server_ ? server_hash : client_hash;
   const uint8_t* their_hash = is_server_ ? client_hash : server_hash;

   next_message_ =
       std::string(reinterpret_cast<const char*>(my_hash), kSHA256Length);
   memcpy(expected_authenticator_, their_hash, kSHA256Length);
   state_ = kStateSendHash;
   return kResultPending;
 }

 void P224EncryptedKeyExchange::CalculateHash(
     PeerType peer_type,
     const std::string& client_masked_dh,
     const std::string& server_masked_dh,
     const std::string& k,
     uint8_t* out_digest) {
   std::string hash_contents;

   if (peer_type == kPeerTypeServer) {
     hash_contents = "server";
   } else {
     hash_contents = "client";
   }

   hash_contents += client_masked_dh;
   hash_contents += server_masked_dh;
   hash_contents +=
       std::string(reinterpret_cast<const char *>(pw_), sizeof(pw_));
   hash_contents += k;

   SHA256HashString(hash_contents, out_digest, kSHA256Length);
 }

 const std::string& P224EncryptedKeyExchange::error() const {
   return error_;
 }

 const std::string& P224EncryptedKeyExchange::GetKey() const {
   DCHECK_EQ(state_, kStateDone);
   return GetUnverifiedKey();
 }

 const std::string& P224EncryptedKeyExchange::GetUnverifiedKey() const {
   // Key is already final when state is kStateSendHash. Subsequent states are
   // used only for verification of the key. Some users may combine verification
   // with sending verifiable data instead of |expected_authenticator_|.
   DCHECK_GE(state_, kStateSendHash);
   return key_;
 }

 void P224EncryptedKeyExchange::SetXForTesting(const std::string& x) {
   memset(&x_, 0, sizeof(x_));
   memcpy(&x_, x.data(), std::min(x.size(), sizeof(x_)));
   Init();
 }

 }  // namespace crypto
	// Copyright 2012 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	// This code implements SPAKE2, a variant of EKE:
	// http://www.di.ens.fr/~pointche/pub.php?reference=AbPo04

	#include "third_party/chromium/crypto/p224_spake.h"

	#include <algorithm>

	#include <base/logging.h>
	#include <base/rand_util.h>

	#include "third_party/chromium/crypto/p224.h"

	namespace {

	// The following two points (M and N in the protocol) are verifiable random
	// points on the curve and can be generated with the following code:

	// #include <stdint.h>
	// #include <stdio.h>
	// #include <string.h>
	//
	// #include <openssl/ec.h>
	// #include <openssl/obj_mac.h>
	// #include <openssl/sha.h>
	//
	// static const char kSeed1[] = "P224 point generation seed (M)";
	// static const char kSeed2[] = "P224 point generation seed (N)";
	//
	// void find_seed(const char* seed) {
	// SHA256_CTX sha256;
	// uint8_t digest[SHA256_DIGEST_LENGTH];
	//
	// SHA256_Init(&sha256);
	// SHA256_Update(&sha256, seed, strlen(seed));
	// SHA256_Final(digest, &sha256);
	//
	// BIGNUM x, y;
	// EC_GROUP* p224 = EC_GROUP_new_by_curve_name(NID_secp224r1);
	// EC_POINT* p = EC_POINT_new(p224);
	//
	// for (unsigned i = 0;; i++) {
	// BN_init(&x);
	// BN_bin2bn(digest, 28, &x);
	//
	// if (EC_POINT_set_compressed_coordinates_GFp(
	// p224, p, &x, digest[28] & 1, NULL)) {
	// BN_init(&y);
	// EC_POINT_get_affine_coordinates_GFp(p224, p, &x, &y, NULL);
	// char* x_str = BN_bn2hex(&x);
	// char* y_str = BN_bn2hex(&y);
	// printf("Found after %u iterations:\n%s\n%s\n", i, x_str, y_str);
	// OPENSSL_free(x_str);
	// OPENSSL_free(y_str);
	// BN_free(&x);
	// BN_free(&y);
	// break;
	// }
	//
	// SHA256_Init(&sha256);
	// SHA256_Update(&sha256, digest, sizeof(digest));
	// SHA256_Final(digest, &sha256);
	//
	// BN_free(&x);
	// }
	//
	// EC_POINT_free(p);
	// EC_GROUP_free(p224);
	// }
	//
	// int main() {
	// find_seed(kSeed1);
	// find_seed(kSeed2);
	// return 0;
	// }

	const crypto::p224::Point kM = {
	{174237515, 77186811, 235213682, 33849492,
	33188520, 48266885, 177021753, 81038478},
	{104523827, 245682244, 266509668, 236196369,
	28372046, 145351378, 198520366, 113345994},
	{1, 0, 0, 0, 0, 0, 0, 0},
	};

	const crypto::p224::Point kN = {
	{136176322, 263523628, 251628795, 229292285,
	5034302, 185981975, 171998428, 11653062},
	{197567436, 51226044, 60372156, 175772188,
	42075930, 8083165, 160827401, 65097570},
	{1, 0, 0, 0, 0, 0, 0, 0},
	};

	// Performs a constant-time comparison of two strings, returning true if the
	// strings are equal.
	//
	// For cryptographic operations, comparison functions such as memcmp() may
	// expose side-channel information about input, allowing an attacker to
	// perform timing analysis to determine what the expected bits should be. In
	// order to avoid such attacks, the comparison must execute in constant time,
	// so as to not to reveal to the attacker where the difference(s) are.
	// For an example attack, see
	// http://groups.google.com/group/keyczar-discuss/browse_thread/thread/5571eca0948b2a13
	bool SecureMemEqual(const uint8_t* s1_ptr, const uint8_t* s2_ptr, size_t n) {
	uint8_t tmp = 0;
	for (size_t i = 0; i < n; ++i, ++s1_ptr, ++s2_ptr)
	tmp \|= s1_ptr ^ s2_ptr;
	return (tmp == 0);
	}

	} // anonymous namespace

	namespace crypto {

	P224EncryptedKeyExchange::P224EncryptedKeyExchange(
	PeerType peer_type, const base::StringPiece& password)
	: state_(kStateInitial),
	is_server_(peer_type == kPeerTypeServer) {
	memset(&x_, 0, sizeof(x_));
	memset(&expected_authenticator_, 0, sizeof(expected_authenticator_));

	// x_ is a random scalar.
	base::RandBytes(x_, sizeof(x_));

	// Calculate \|password\| hash to get SPAKE password value.
	SHA256HashString(std::string(password.data(), password.length()),
	pw_, sizeof(pw_));

	Init();
	}

	void P224EncryptedKeyExchange::Init() {
	// X = g**x_
	p224::Point X;
	p224::ScalarBaseMult(x_, &X);

	// The client masks the Diffie-Hellman value, X, by adding M**pw and the
	// server uses N**pw.
	p224::Point MNpw;
	p224::ScalarMult(is_server_ ? kN : kM, pw_, &MNpw);

	// X* = X + (N\|M)**pw
	p224::Point Xstar;
	p224::Add(X, MNpw, &Xstar);

	next_message_ = Xstar.ToString();
	}

	const std::string& P224EncryptedKeyExchange::GetNextMessage() {
	if (state_ == kStateInitial) {
	state_ = kStateRecvDH;
	return next_message_;
	} else if (state_ == kStateSendHash) {
	state_ = kStateRecvHash;
	return next_message_;
	}

	LOG(FATAL) << "P224EncryptedKeyExchange::GetNextMessage called in"
	" bad state " << state_;
	next_message_ = "";
	return next_message_;
	}

	P224EncryptedKeyExchange::Result P224EncryptedKeyExchange::ProcessMessage(
	const base::StringPiece& message) {
	if (state_ == kStateRecvHash) {
	// This is the final state of the protocol: we are reading the peer's
	// authentication hash and checking that it matches the one that we expect.
	if (message.size() != sizeof(expected_authenticator_)) {
	error_ = "peer's hash had an incorrect size";
	return kResultFailed;
	}
	if (!SecureMemEqual(reinterpret_cast<const uint8_t*>(message.data()),
	expected_authenticator_, message.size())) {
	error_ = "peer's hash had incorrect value";
	return kResultFailed;
	}
	state_ = kStateDone;
	return kResultSuccess;
	}

	if (state_ != kStateRecvDH) {
	LOG(FATAL) << "P224EncryptedKeyExchange::ProcessMessage called in"
	" bad state " << state_;
	error_ = "internal error";
	return kResultFailed;
	}

	// Y* is the other party's masked, Diffie-Hellman value.
	p224::Point Ystar;
	if (!Ystar.SetFromString(message)) {
	error_ = "failed to parse peer's masked Diffie-Hellman value";
	return kResultFailed;
	}

	// We calculate the mask value: (N\|M)**pw
	p224::Point MNpw, minus_MNpw, Y, k;
	p224::ScalarMult(is_server_ ? kM : kN, pw_, &MNpw);
	p224::Negate(MNpw, &minus_MNpw);

	// Y = Y* - (N\|M)**pw
	p224::Add(Ystar, minus_MNpw, &Y);

	// K = Y**x_
	p224::ScalarMult(Y, x_, &k);

	// If everything worked out, then K is the same for both parties.
	key_ = k.ToString();

	std::string client_masked_dh, server_masked_dh;
	if (is_server_) {
	client_masked_dh = message.as_string();
	server_masked_dh = next_message_;
	} else {
	client_masked_dh = next_message_;
	server_masked_dh = message.as_string();
	}

	// Now we calculate the hashes that each side will use to prove to the other
	// that they derived the correct value for K.
	uint8_t client_hash[kSHA256Length], server_hash[kSHA256Length];
	CalculateHash(kPeerTypeClient, client_masked_dh, server_masked_dh, key_,
	client_hash);
	CalculateHash(kPeerTypeServer, client_masked_dh, server_masked_dh, key_,
	server_hash);

	const uint8_t* my_hash = is_server_ ? server_hash : client_hash;
	const uint8_t* their_hash = is_server_ ? client_hash : server_hash;

	next_message_ =
	std::string(reinterpret_cast<const char*>(my_hash), kSHA256Length);
	memcpy(expected_authenticator_, their_hash, kSHA256Length);
	state_ = kStateSendHash;
	return kResultPending;
	}

	void P224EncryptedKeyExchange::CalculateHash(
	PeerType peer_type,
	const std::string& client_masked_dh,
	const std::string& server_masked_dh,
	const std::string& k,
	uint8_t* out_digest) {
	std::string hash_contents;

	if (peer_type == kPeerTypeServer) {
	hash_contents = "server";
	} else {
	hash_contents = "client";
	}

	hash_contents += client_masked_dh;
	hash_contents += server_masked_dh;
	hash_contents +=
	std::string(reinterpret_cast<const char *>(pw_), sizeof(pw_));
	hash_contents += k;

	SHA256HashString(hash_contents, out_digest, kSHA256Length);
	}

	const std::string& P224EncryptedKeyExchange::error() const {
	return error_;
	}

	const std::string& P224EncryptedKeyExchange::GetKey() const {
	DCHECK_EQ(state_, kStateDone);
	return GetUnverifiedKey();
	}

	const std::string& P224EncryptedKeyExchange::GetUnverifiedKey() const {
	// Key is already final when state is kStateSendHash. Subsequent states are
	// used only for verification of the key. Some users may combine verification
	// with sending verifiable data instead of \|expected_authenticator_\|.
	DCHECK_GE(state_, kStateSendHash);
	return key_;
	}

	void P224EncryptedKeyExchange::SetXForTesting(const std::string& x) {
	memset(&x_, 0, sizeof(x_));
	memcpy(&x_, x.data(), std::min(x.size(), sizeof(x_)));
	Init();
	}

	} // namespace crypto