Google Git
Sign in
weave / weave / libweave / 287321d1641ca4c41bc456c45b8f08ee4575dab6 / . / third_party / chromium / crypto / p224_spake.h
blob: dcfd0fe4160168c7175bea60b3c1064e0b239a35 [file] [log] [blame]
Vitaly Buka9ba72a82015-08-06 17:36:17 -0700[diff] [blame]1// Copyright 2012 The Chromium OS Authors. All rights reserved.
Vitaly Buka6ca6a232015-08-06 17:32:43 -0700[diff] [blame]2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
Vitaly Buka9e5b6832015-10-14 15:57:14 -0700[diff] [blame]5#ifndef LIBWEAVE_THIRD_PARTY_CHROMIUM_P224_SPAKE_H_
Vitaly Buka9ba72a82015-08-06 17:36:17 -0700[diff] [blame]6
7#include <string>
Vitaly Buka6ca6a232015-08-06 17:32:43 -0700[diff] [blame]8
9#include <base/gtest_prod_util.h>
Vitaly Buka6ca6a232015-08-06 17:32:43 -0700[diff] [blame]10
Vitaly Buka9e5b6832015-10-14 15:57:14 -0700[diff] [blame]11#include "third_party/chromium/crypto/p224.h"
12#include "third_party/chromium/crypto/sha2.h"
Vitaly Buka9ba72a82015-08-06 17:36:17 -0700[diff] [blame]13
Vitaly Buka6ca6a232015-08-06 17:32:43 -0700[diff] [blame]14namespace crypto {
15
16// P224EncryptedKeyExchange implements SPAKE2, a variant of Encrypted
17// Key Exchange. It allows two parties that have a secret common
18// password to establish a common secure key by exchanging messages
19// over an insecure channel without disclosing the password.
20//
21// The password can be low entropy as authenticating with an attacker only
22// gives the attacker a one-shot password oracle. No other information about
23// the password is leaked. (However, you must be sure to limit the number of
24// permitted authentication attempts otherwise they get many one-shot oracles.)
25//
26// The protocol requires several RTTs (actually two, but you shouldn't assume
27// that.) To use the object, call GetNextMessage() and pass that message to the
28// peer. Get a message from the peer and feed it into ProcessMessage. Then
29// examine the return value of ProcessMessage:
30// kResultPending: Another round is required. Call GetNextMessage and repeat.
31// kResultFailed: The authentication has failed. You can get a human readable
32// error message by calling error().
33// kResultSuccess: The authentication was successful.
34//
35// In each exchange, each peer always sends a message.
Vitaly Buka9ba72a82015-08-06 17:36:17 -0700[diff] [blame]36class P224EncryptedKeyExchange {
Vitaly Buka6ca6a232015-08-06 17:32:43 -0700[diff] [blame]37 public:
38 enum Result {
39 kResultPending,
40 kResultFailed,
41 kResultSuccess,
42 };
43
44 // PeerType's values are named client and server due to convention. But
45 // they could be called "A" and "B" as far as the protocol is concerned so
46 // long as the two parties don't both get the same label.
47 enum PeerType {
48 kPeerTypeClient,
49 kPeerTypeServer,
50 };
51
52 // peer_type: the type of the local authentication party.
53 // password: secret session password. Both parties to the
54 // authentication must pass the same value. For the case of a
55 // TLS connection, see RFC 5705.
Vitaly Buka0d501072015-08-18 18:09:46 -0700[diff] [blame]56 P224EncryptedKeyExchange(PeerType peer_type, const std::string& password);
Vitaly Buka6ca6a232015-08-06 17:32:43 -0700[diff] [blame]57
58 // GetNextMessage returns a byte string which must be passed to the other
59 // party in the authentication.
60 const std::string& GetNextMessage();
61
62 // ProcessMessage processes a message which must have been generated by a
63 // call to GetNextMessage() by the other party.
Vitaly Buka0d501072015-08-18 18:09:46 -0700[diff] [blame]64 Result ProcessMessage(const std::string& message);
Vitaly Buka6ca6a232015-08-06 17:32:43 -0700[diff] [blame]65
66 // In the event that ProcessMessage() returns kResultFailed, error will
67 // return a human readable error message.
68 const std::string& error() const;
69
70 // The key established as result of the key exchange. Must be called
71 // at then end after ProcessMessage() returns kResultSuccess.
72 const std::string& GetKey() const;
73
74 // The key established as result of the key exchange. Can be called after
75 // the first ProcessMessage()
76 const std::string& GetUnverifiedKey() const;
77
78 private:
79 // The authentication state machine is very simple and each party proceeds
80 // through each of these states, in order.
81 enum State {
82 kStateInitial,
83 kStateRecvDH,
84 kStateSendHash,
85 kStateRecvHash,
86 kStateDone,
87 };
88
89 FRIEND_TEST_ALL_PREFIXES(MutualAuth, ExpectedValues);
90
91 void Init();
92
93 // Sets internal random scalar. Should be used by tests only.
94 void SetXForTesting(const std::string& x);
95
96 State state_;
97 const bool is_server_;
98 // next_message_ contains a value for GetNextMessage() to return.
99 std::string next_message_;
100 std::string error_;
101
102 // CalculateHash computes the verification hash for the given peer and writes
103 // |kSHA256Length| bytes at |out_digest|.
104 void CalculateHash(
105 PeerType peer_type,
106 const std::string& client_masked_dh,
107 const std::string& server_masked_dh,
108 const std::string& k,
109 uint8* out_digest);
110
111 // x_ is the secret Diffie-Hellman exponent (see paper referenced in .cc
112 // file).
113 uint8 x_[p224::kScalarBytes];
114 // pw_ is SHA256(P(password), P(session))[:28] where P() prepends a uint32,
115 // big-endian length prefix (see paper referenced in .cc file).
116 uint8 pw_[p224::kScalarBytes];
117 // expected_authenticator_ is used to store the hash value expected from the
118 // other party.
119 uint8 expected_authenticator_[kSHA256Length];
120
121 std::string key_;
122};
123
124} // namespace crypto
125
Vitaly Buka9e5b6832015-10-14 15:57:14 -0700[diff] [blame]126#endif // LIBWEAVE_THIRD_PARTY_CHROMIUM_P224_SPAKE_H_