chromium/crypto/p224_spake.cc

// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// This code implements SPAKE2, a variant of EKE:
//  http://www.di.ens.fr/~pointche/pub.php?reference=AbPo04

#include "crypto/p224_spake.h"

#include <string.h>

#include <algorithm>
#include <string_view>

#include "base/check_op.h"
#include "base/logging.h"
#include "crypto/random.h"
#include "crypto/secure_util.h"
#include "third_party/boringssl/src/include/openssl/bn.h"
#include "third_party/boringssl/src/include/openssl/ec.h"

namespace {

// The following two points (M and N in the protocol) are verifiable random
// points on the curve and can be generated with the following code:

// #include <stdint.h>
// #include <stdio.h>
// #include <string.h>
//
// #include <openssl/ec.h>
// #include <openssl/obj_mac.h>
// #include <openssl/sha.h>
//
// // Silence a presubmit.
// #define PRINTF printf
//
// static const char kSeed1[] = "P224 point generation seed (M)";
// static const char kSeed2[] = "P224 point generation seed (N)";
//
// void find_seed(const char* seed) {
//   SHA256_CTX sha256;
//   uint8_t digest[SHA256_DIGEST_LENGTH];
//
//   SHA256_Init(&sha256);
//   SHA256_Update(&sha256, seed, strlen(seed));
//   SHA256_Final(digest, &sha256);
//
//   BIGNUM x, y;
//   EC_GROUP* p224 = EC_GROUP_new_by_curve_name(NID_secp224r1);
//   EC_POINT* p = EC_POINT_new(p224);
//
//   for (unsigned i = 0;; i++) {
//     BN_init(&x);
//     BN_bin2bn(digest, 28, &x);
//
//     if (EC_POINT_set_compressed_coordinates_GFp(
//             p224, p, &x, digest[28] & 1, NULL)) {
//       BN_init(&y);
//       EC_POINT_get_affine_coordinates_GFp(p224, p, &x, &y, NULL);
//       char* x_str = BN_bn2hex(&x);
//       char* y_str = BN_bn2hex(&y);
//       PRINTF("Found after %u iterations:\n%s\n%s\n", i, x_str, y_str);
//       OPENSSL_free(x_str);
//       OPENSSL_free(y_str);
//       BN_free(&x);
//       BN_free(&y);
//       break;
//     }
//
//     SHA256_Init(&sha256);
//     SHA256_Update(&sha256, digest, sizeof(digest));
//     SHA256_Final(digest, &sha256);
//
//     BN_free(&x);
//   }
//
//   EC_POINT_free(p);
//   EC_GROUP_free(p224);
// }
//
// int main() {
//   find_seed(kSeed1);
//   find_seed(kSeed2);
//   return 0;
// }

// kM_X962 is the protocol point M in X9.62-style encoding. The array length
// 1 + 28 + 28 matches one leading byte followed by two 28-byte P-224 values
// (presumably the point-format byte, then x and y; the initializer is elided
// in this listing, so confirm against the full file).
// NOTE(review): SPAKE2 relies on nobody knowing the discrete log of M or N.
// The seeded, reproducible derivation in the comment above is what lets a
// reader check that. Any change to these bytes should be re-derived from the
// stated seeds and compared, not edited by hand.
const uint8_t kM_X962[1 + 28 + 28] =;

// kN_X962 is the protocol point N, encoded the same way as kM_X962.
const uint8_t kN_X962[1 + 28 + 28] =;

// ToBignum returns |big_endian_bytes| interpreted as a big-endian number.
// The result is handed back as an owning bssl::UniquePtr<BIGNUM>.
// NOTE(review): the body is elided in this listing, so the behaviour on empty
// input or on allocation failure cannot be confirmed from here. Verify that
// callers do not dereference a null result.
bssl::UniquePtr<BIGNUM> ToBignum(base::span<const uint8_t> big_endian_bytes) {}

// GetPoint decodes and returns the given X9.62-encoded point. It will crash if
// |x962| is not a valid P-224 point.
//
// The fixed-extent span pins the input to exactly 1 + 28 + 28 = 57 bytes, the
// same size as kM_X962 and kN_X962.
// NOTE(review): crash-on-invalid is only appropriate for trusted, compiled-in
// encodings. Callers are not visible in this listing; confirm that
// peer-supplied bytes never reach this function and are decoded with
// FromMessage (which reports failure by returning nullptr) instead.
bssl::UniquePtr<EC_POINT> GetPoint(
    const EC_GROUP* p224,
    base::span<const uint8_t, 1 + 28 + 28> x962) {}

// GetMask returns (M|N)**pw, where the choice of M or N is controlled by
// |use_m|. The notation is multiplicative; on the P-224 group it denotes the
// chosen point multiplied by the scalar derived from |pw|.
// NOTE(review): |pw| is secret material. How it is mapped to a scalar, and
// whether the point multiplication is constant-time with respect to it, is
// not visible here (body elided); confirm against the full file.
bssl::UniquePtr<EC_POINT> GetMask(const EC_GROUP* p224,
                                  bool use_m,
                                  base::span<const uint8_t> pw) {}

// ToMessage serialises |in| as a 56-byte string that contains the big-endian
// representations of x and y, or is all zeros if |in| is infinity.
//
// 56 bytes is two 28-byte P-224 field elements. Unlike the X9.62 constants in
// this file, there is no leading format byte. The all-zero string stands in
// for the point at infinity, which has no affine coordinates.
std::string ToMessage(const EC_GROUP* p224, const EC_POINT* in) {}

// FromMessage converts a message, as generated by |ToMessage|, into a point. It
// returns |nullptr| if the input is invalid or not on the curve.
//
// Callers must check the result for nullptr before using it. The on-curve
// check is the defence against a peer supplying coordinates that do not
// belong to P-224.
// NOTE(review): the body is elided in this listing. Confirm that the length
// of |in| is validated before any bytes are read, and how the all-zero
// encoding that ToMessage emits for infinity is treated on input.
bssl::UniquePtr<EC_POINT> FromMessage(const EC_GROUP* p224,
                                      std::string_view in) {}

}  // anonymous namespace

namespace crypto {

// Constructs one side of the exchange for the given |peer_type| and shared
// |password|.
// NOTE(review): the member-initializer list and body are elided in this
// listing, so what is stored and how |password| is processed cannot be stated
// from here. |password| is a non-owning std::string_view; confirm the
// constructor copies or hashes what it needs instead of retaining the view,
// and that no copy of the raw password outlives its use.
P224EncryptedKeyExchange::P224EncryptedKeyExchange(PeerType peer_type,
                                                   std::string_view password)
    :{}

// Initialises the exchange state.
// NOTE(review): the body is elided in this listing. Presumably this picks the
// secret scalar and prepares the first masked message; confirm against the
// full file, including that the scalar comes from crypto/random.h.
void P224EncryptedKeyExchange::Init() {}

// Returns the next protocol message to send to the peer.
// The return type is a const reference, so the string is owned elsewhere
// (presumably by this object; TODO confirm). Callers should copy it if they
// need it beyond the next call that advances the exchange.
const std::string& P224EncryptedKeyExchange::GetNextMessage() {}

// Consumes one |message| and returns a Result describing the outcome.
// NOTE(review): |message| presumably comes from the remote peer and should be
// treated as untrusted. With the body elided here, confirm that its length is
// checked, that a nullptr from FromMessage ends the exchange with a failure
// Result, and that the peer's confirmation hash is compared with a
// constant-time comparison (crypto/secure_util.h is included by this file).
P224EncryptedKeyExchange::Result P224EncryptedKeyExchange::ProcessMessage(
    std::string_view message) {}

// Computes a digest over the exchange values and writes it to |out_digest|.
// The inputs are |peer_type|, both masked DH messages and |k|.
// NOTE(review): |out_digest| is a raw pointer with no accompanying length, so
// the required buffer size is an unwritten contract between this function and
// its callers. The size is not visible in this listing; confirm it in the
// header and consider a fixed-extent base::span, as GetPoint already uses.
// Including |peer_type| in the signature suggests each side hashes a distinct
// value (TODO confirm), which is what stops a peer from reflecting a
// confirmation hash back to its sender.
void P224EncryptedKeyExchange::CalculateHash(
    PeerType peer_type,
    const std::string& client_masked_dh,
    const std::string& server_masked_dh,
    const std::string& k,
    uint8_t* out_digest) {}

// Returns a description of the last error as a const reference; the string is
// owned elsewhere (presumably by this object; TODO confirm).
// NOTE(review): confirm the text never includes password- or key-derived
// material, since error strings tend to end up in logs.
const std::string& P224EncryptedKeyExchange::error() const {}

// Returns the key agreed by the exchange.
// NOTE(review): by contrast with GetUnverifiedKey, the name implies this is
// only meaningful once the peer has proven knowledge of the password. The
// body is elided here; confirm in the full file what happens when it is
// called before the exchange has completed successfully.
const std::string& P224EncryptedKeyExchange::GetKey() const {}

// Returns the derived key without requiring that the peer has been verified.
// NOTE(review): as the name indicates, nothing guarantees that the other side
// knew the password when this key is read. Callers that use it must perform
// their own key confirmation before trusting the channel. Confirm the exact
// preconditions in the header (body elided in this listing).
const std::string& P224EncryptedKeyExchange::GetUnverifiedKey() const {}

// Test-only hook that overrides the value |x| (presumably this side's secret
// scalar; TODO confirm, body elided in this listing).
// NOTE(review): a caller-chosen |x| removes the randomness the protocol
// depends on, so this must never be reachable from production code paths.
// Confirm that only test targets call it.
void P224EncryptedKeyExchange::SetXForTesting(const std::string& x) {}

}  // namespace crypto