Add SPAKE2+.
This is an internal-only primitive, at least for now.
Change-Id: I365d42c9df59894ed131fba139efc7c9bbe0ed35
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75107
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/AUTHORS b/AUTHORS
index 78c3a2a..f3e85c0 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -6,6 +6,7 @@
# source control.
Google LLC
Brian Smith
+Apple Inc
# Additionally, much of the code in BoringSSL is derived from code in the
# OpenSSL project. We thank the OpenSSL project’s contributors for their
diff --git a/build.json b/build.json
index 71489c9..c9d1778 100644
--- a/build.json
+++ b/build.json
@@ -316,6 +316,7 @@
"crypto/sha/sha256.cc",
"crypto/sha/sha512.cc",
"crypto/siphash/siphash.cc",
+ "crypto/spake2plus/spake2plus.cc",
"crypto/stack/stack.cc",
"crypto/thread.cc",
"crypto/thread_none.cc",
@@ -542,6 +543,7 @@
"crypto/rand_extra/getrandom_fillin.h",
"crypto/rand_extra/sysrand_internal.h",
"crypto/rsa_extra/internal.h",
+ "crypto/spake2plus/internal.h",
"crypto/trust_token/internal.h",
"crypto/x509/ext_dat.h",
"crypto/x509/internal.h",
@@ -859,6 +861,7 @@
"crypto/self_test.cc",
"crypto/siphash/siphash_test.cc",
"crypto/slhdsa/slhdsa_test.cc",
+ "crypto/spake2plus/spake2plus_test.cc",
"crypto/stack/stack_test.cc",
"crypto/test/gtest_main.cc",
"crypto/thread_test.cc",
diff --git a/crypto/fipsmodule/ec/internal.h b/crypto/fipsmodule/ec/internal.h
index 5c37605..1f3d06e 100644
--- a/crypto/fipsmodule/ec/internal.h
+++ b/crypto/fipsmodule/ec/internal.h
@@ -74,6 +74,11 @@
const BN_ULONG *words, size_t num);
// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from
+// zero to |group->order| - 1. It returns one on success and zero on error.
+int ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out,
+ const uint8_t additional_data[32]);
+
+// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from
// 1 to |group->order| - 1. It returns one on success and zero on error.
int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
const uint8_t additional_data[32]);
diff --git a/crypto/fipsmodule/ec/scalar.cc.inc b/crypto/fipsmodule/ec/scalar.cc.inc
index 4cf6d1f..d5d9d62 100644
--- a/crypto/fipsmodule/ec/scalar.cc.inc
+++ b/crypto/fipsmodule/ec/scalar.cc.inc
@@ -16,9 +16,9 @@
#include <openssl/err.h>
#include <openssl/mem.h>
-#include "internal.h"
-#include "../bn/internal.h"
#include "../../internal.h"
+#include "../bn/internal.h"
+#include "internal.h"
int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
@@ -49,6 +49,12 @@
return mask == 0;
}
+int ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out,
+ const uint8_t additional_data[32]) {
+ return bn_rand_range_words(out->words, 0, group->order.N.d,
+ group->order.N.width, additional_data);
+}
+
int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
const uint8_t additional_data[32]) {
return bn_rand_range_words(out->words, 1, group->order.N.d,
diff --git a/crypto/spake2plus/internal.h b/crypto/spake2plus/internal.h
new file mode 100644
index 0000000..d90e3b3
--- /dev/null
+++ b/crypto/spake2plus/internal.h
@@ -0,0 +1,204 @@
+/* Copyright 2024 The BoringSSL Authors
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H
+#define OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H
+
+#include <openssl/base.h>
+
+#include <sys/types.h>
+
+#include <openssl/sha.h>
+#include <openssl/span.h>
+
+#include "../fipsmodule/ec/internal.h"
+
+
+BSSL_NAMESPACE_BEGIN
+
+// SPAKE2+.
+//
+// SPAKE2+ is an augmented password-authenticated key-exchange. It allows
+// two parties, a prover and verifier, to derive a strong shared key with no
+// risk of disclosing the password, known only to the prover, to the verifier.
+// (But note that the verifier can still attempt an offline, brute-force attack
+// to recover the password.)
+//
+// This is an implementation of SPAKE2+ using P-256 as the group, SHA-256 as
+// the hash function, HKDF-SHA256 as the key derivation function, and
+// HMAC-SHA256 as the message authentication code.
+//
+// See https://www.rfc-editor.org/rfc/rfc9383.html
+
+namespace spake2plus {
+
+// kShareSize is the size of a SPAKE2+ key share.
+constexpr size_t kShareSize = 65;
+
+// kConfirmSize is the size of a SPAKE2+ key confirmation message.
+constexpr size_t kConfirmSize = 32;
+
+// kVerifierSize is the size of the w0 and w1 values in the SPAKE2+ protocol.
+constexpr size_t kVerifierSize = 32;
+
+// kRegistrationRecordSize is the number of bytes in a registration record,
+// which is provided to the verifier.
+constexpr size_t kRegistrationRecordSize = 65;
+
+// kSecretSize is the number of bytes of shared secret that the SPAKE2+ protocol
+// generates.
+constexpr size_t kSecretSize = 32;
+
+// Register computes the values needed in the offline registration
+// step of the SPAKE2+ protocol. See the following for more details:
+// https://www.rfc-editor.org/rfc/rfc9383.html#section-3.2
+//
+// The |password| argument is the mandatory prover password. The |out_w0|,
+// |out_w1|, and |out_registration_record| arguments are where the password
+// verifiers (w0 and w1) and registration record (L) are stored, respectively.
+// The prover is given |out_w0| and |out_w1| while the verifier is given
+// |out_w0| and |out_registration_record|.
+//
+// To ensure success, |out_w0| and |out_w1| must be of length |kVerifierSize|,
+// and |out_registration_record| of size |kRegistrationRecordSize|.
+[[nodiscard]] OPENSSL_EXPORT bool Register(
+ Span<uint8_t> out_w0, Span<uint8_t> out_w1,
+ Span<uint8_t> out_registration_record, Span<const uint8_t> password,
+ Span<const uint8_t> id_prover, Span<const uint8_t> id_verifier);
+
+class OPENSSL_EXPORT Prover {
+ public:
+ static constexpr bool kAllowUniquePtr = true;
+
+ Prover();
+ ~Prover();
+
+ // Init creates a new prover, which can only be used for a single execution of
+ // the protocol.
+ //
+ // The |context| argument is an application-specific value meant to constrain
+ // the protocol execution. The |w0| and |w1| arguments are password verifier
+ // values computed during the offline registration phase of the protocol. The
+ // |id_prover| and |id_verifier| arguments allow optional, opaque names to be
+ // bound into the protocol. See the following for more information about how
+ // these identities may be chosen:
+ // https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2
+ [[nodiscard]] bool Init(Span<const uint8_t> context,
+ Span<const uint8_t> id_prover,
+ Span<const uint8_t> id_verifier,
+ Span<const uint8_t> w0, Span<const uint8_t> w1,
+ Span<const uint8_t> x = Span<const uint8_t>());
+
+ // GenerateShare computes a SPAKE2+ share and writes it to |out_share|.
+ //
+ // This function can only be called once for a given |Prover|. To ensure
+ // success, |out_share| must be |kShareSize| bytes.
+ [[nodiscard]] bool GenerateShare(Span<uint8_t> out_share);
+
+ // ComputeConfirmation computes a SPAKE2+ key confirmation
+ // message and writes it to |out_confirm|. It also computes the shared secret
+ // and writes it to |out_secret|.
+ //
+ // This function can only be called once for a given |Prover|.
+ //
+ // To ensure success, |out_confirm| must be |kConfirmSize| bytes
+ // and |out_secret| must be |kSecretSize| bytes.
+ [[nodiscard]] bool ComputeConfirmation(Span<uint8_t> out_confirm,
+ Span<uint8_t> out_secret,
+ Span<const uint8_t> peer_share,
+ Span<const uint8_t> peer_confirm);
+
+ private:
+ enum class State {
+ kInit,
+ kShareGenerated,
+ kConfirmGenerated,
+ kDone,
+ };
+
+ State state_ = State::kInit;
+ SHA256_CTX transcript_hash_;
+ EC_SCALAR w0_;
+ EC_SCALAR w1_;
+ EC_SCALAR x_;
+ EC_AFFINE X_;
+ uint8_t share_[kShareSize];
+};
+
+class OPENSSL_EXPORT Verifier {
+ public:
+ static constexpr bool kAllowUniquePtr = true;
+
+ Verifier();
+ ~Verifier();
+
+ // Init creates a new verifier, which can only be used for a single execution
+ // of the protocol.
+ //
+ // The |context| argument is an application-specific value meant to constrain
+ // the protocol execution. The |w0| and |registration_record| arguments are
+ // required, and are computed by the prover via |Register|. Only the prover
+ // can produce |w0| and |registration_record|, as they require
+ // knowledge of the password. The prover must securely transmit this to the
+ // verifier out-of-band. The |id_prover| and |id_verifier| arguments allow
+ // optional, opaque names to be bound into the protocol. See the following for
+ // more information about how these identities may be chosen:
+ // https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2
+ [[nodiscard]] bool Init(Span<const uint8_t> context,
+ Span<const uint8_t> id_prover,
+ Span<const uint8_t> id_verifier,
+ Span<const uint8_t> w0,
+ Span<const uint8_t> registration_record,
+ Span<const uint8_t> y = Span<const uint8_t>());
+
+ // ProcessProverShare computes a SPAKE2+ share from an input share,
+ // |prover_share|, and writes it to |out_share|. It also computes the key
+ // confirmation message and writes it to |out_confirm|. Finally, it computes
+ // the shared secret and writes it to |out_secret|.
+ //
+ // This function can only be called once for a given |Verifier|.
+ //
+ // To ensure success, |out_share| must be |kShareSize| bytes, |out_confirm|
+ // must be |kConfirmSize| bytes, and |out_secret| must be |kSecretSize| bytes.
+ [[nodiscard]] bool ProcessProverShare(Span<uint8_t> out_share,
+ Span<uint8_t> out_confirm,
+ Span<uint8_t> out_secret,
+ Span<const uint8_t> prover_share);
+
+ // VerifyProverConfirmation verifies a SPAKE2+ key confirmation message,
+ // |prover_confirm|.
+ //
+ // This function can only be called once for a given |Verifier|.
+ [[nodiscard]] bool VerifyProverConfirmation(Span<const uint8_t> peer_confirm);
+
+ private:
+ enum class State {
+ kInit,
+ kProverShareSeen,
+ kDone,
+ };
+
+ State state_ = State::kInit;
+ SHA256_CTX transcript_hash_;
+ EC_SCALAR w0_;
+ EC_AFFINE L_;
+ EC_SCALAR y_;
+ uint8_t confirm_[kConfirmSize];
+};
+
+} // namespace spake2plus
+
+BSSL_NAMESPACE_END
+
+#endif // OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H
diff --git a/crypto/spake2plus/spake2plus.cc b/crypto/spake2plus/spake2plus.cc
new file mode 100644
index 0000000..c191855
--- /dev/null
+++ b/crypto/spake2plus/spake2plus.cc
@@ -0,0 +1,501 @@
+/* Copyright 2024 The BoringSSL Authors
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/base.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/bytestring.h>
+#include <openssl/crypto.h>
+#include <openssl/ec.h>
+#include <openssl/evp.h>
+#include <openssl/hkdf.h>
+#include <openssl/hmac.h>
+#include <openssl/mem.h>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
+
+#include "../fipsmodule/bn/internal.h"
+#include "../fipsmodule/ec/internal.h"
+#include "../internal.h"
+#include "./internal.h"
+#include "openssl/err.h"
+
+BSSL_NAMESPACE_BEGIN
+namespace spake2plus {
+namespace {
+
+const uint8_t kDefaultAdditionalData[32] = {0};
+
+// https://www.rfc-editor.org/rfc/rfc9383.html#appendix-B
+// seed: 1.2.840.10045.3.1.7 point generation seed (M)
+// M =
+// 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f
+//
+// `M` is interpreted as a X9.62-format compressed point. This is then the
+// uncompressed form:
+const uint8_t kM_bytes[] = {
+ 0x04, 0x88, 0x6e, 0x2f, 0x97, 0xac, 0xe4, 0x6e, 0x55, 0xba, 0x9d,
+ 0xd7, 0x24, 0x25, 0x79, 0xf2, 0x99, 0x3b, 0x64, 0xe1, 0x6e, 0xf3,
+ 0xdc, 0xab, 0x95, 0xaf, 0xd4, 0x97, 0x33, 0x3d, 0x8f, 0xa1, 0x2f,
+ 0x5f, 0xf3, 0x55, 0x16, 0x3e, 0x43, 0xce, 0x22, 0x4e, 0x0b, 0x0e,
+ 0x65, 0xff, 0x02, 0xac, 0x8e, 0x5c, 0x7b, 0xe0, 0x94, 0x19, 0xc7,
+ 0x85, 0xe0, 0xca, 0x54, 0x7d, 0x55, 0xa1, 0x2e, 0x2d, 0x20};
+
+// https://www.rfc-editor.org/rfc/rfc9383.html#appendix-B
+// seed: 1.2.840.10045.3.1.7 point generation seed (N)
+// N =
+// 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49
+//
+// `N` is interpreted as a X9.62-format compressed point. This is then the
+// uncompressed form:
+const uint8_t kN_bytes[] = {
+ 0x04, 0xd8, 0xbb, 0xd6, 0xc6, 0x39, 0xc6, 0x29, 0x37, 0xb0, 0x4d,
+ 0x99, 0x7f, 0x38, 0xc3, 0x77, 0x07, 0x19, 0xc6, 0x29, 0xd7, 0x01,
+ 0x4d, 0x49, 0xa2, 0x4b, 0x4f, 0x98, 0xba, 0xa1, 0x29, 0x2b, 0x49,
+ 0x07, 0xd6, 0x0a, 0xa6, 0xbf, 0xad, 0xe4, 0x50, 0x08, 0xa6, 0x36,
+ 0x33, 0x7f, 0x51, 0x68, 0xc6, 0x4d, 0x9b, 0xd3, 0x60, 0x34, 0x80,
+ 0x8c, 0xd5, 0x64, 0x49, 0x0b, 0x1e, 0x65, 0x6e, 0xdb, 0xe7};
+
+void UpdateWithLengthPrefix(SHA256_CTX *sha, Span<const uint8_t> data) {
+ uint8_t len_le[8];
+ CRYPTO_store_u64_le(len_le, data.size());
+ SHA256_Update(sha, len_le, sizeof(len_le));
+ SHA256_Update(sha, data.data(), data.size());
+}
+
+void ConstantToJacobian(const EC_GROUP *group, EC_JACOBIAN *out,
+ bssl::Span<const uint8_t> in) {
+ EC_AFFINE point;
+ BSSL_CHECK(ec_point_from_uncompressed(group, &point, in.data(), in.size()));
+ ec_affine_to_jacobian(group, out, &point);
+}
+
+void ScalarToSizedBuffer(const EC_GROUP *group, const EC_SCALAR *s,
+ Span<uint8_t> out_buf) {
+ size_t out_bytes;
+ ec_scalar_to_bytes(group, out_buf.data(), &out_bytes, s);
+ BSSL_CHECK(out_bytes == out_buf.size());
+}
+
+bool AddLengthPrefixed(CBB *cbb, Span<const uint8_t> bytes) {
+ return CBB_add_u64le(cbb, bytes.size()) &&
+ CBB_add_bytes(cbb, bytes.data(), bytes.size());
+}
+
+void InitTranscriptHash(SHA256_CTX *sha, Span<const uint8_t> context,
+ Span<const uint8_t> id_prover,
+ Span<const uint8_t> id_verifier) {
+ SHA256_Init(sha);
+ UpdateWithLengthPrefix(sha, context);
+ UpdateWithLengthPrefix(sha, id_prover);
+ UpdateWithLengthPrefix(sha, id_verifier);
+ UpdateWithLengthPrefix(sha, kM_bytes);
+ UpdateWithLengthPrefix(sha, kN_bytes);
+}
+
+bool ComputeTranscript(uint8_t out_prover_confirm[kConfirmSize],
+ uint8_t out_verifier_confirm[kConfirmSize],
+ uint8_t out_secret[kSecretSize],
+ const uint8_t prover_share[kShareSize],
+ const uint8_t verifier_share[kShareSize],
+ SHA256_CTX *sha, const EC_AFFINE *Z, const EC_AFFINE *V,
+ const EC_SCALAR *w0) {
+ const EC_GROUP *group = EC_group_p256();
+
+ uint8_t Z_enc[kShareSize];
+ size_t Z_enc_len = ec_point_to_bytes(group, Z, POINT_CONVERSION_UNCOMPRESSED,
+ Z_enc, sizeof(Z_enc));
+ BSSL_CHECK(Z_enc_len == sizeof(Z_enc));
+
+ uint8_t V_enc[kShareSize];
+ size_t V_enc_len = ec_point_to_bytes(group, V, POINT_CONVERSION_UNCOMPRESSED,
+ V_enc, sizeof(V_enc));
+ BSSL_CHECK(V_enc_len == sizeof(V_enc));
+
+ uint8_t w0_enc[kVerifierSize];
+ ScalarToSizedBuffer(group, w0, w0_enc);
+
+ uint8_t K_main[SHA256_DIGEST_LENGTH];
+ UpdateWithLengthPrefix(sha, Span(prover_share, kShareSize));
+ UpdateWithLengthPrefix(sha, Span(verifier_share, kShareSize));
+ UpdateWithLengthPrefix(sha, Z_enc);
+ UpdateWithLengthPrefix(sha, V_enc);
+ UpdateWithLengthPrefix(sha, w0_enc);
+ SHA256_Final(K_main, sha);
+
+ auto confirmation_str = StringAsBytes("ConfirmationKeys");
+ uint8_t keys[kSecretSize * 2];
+ if (!HKDF(keys, sizeof(keys), EVP_sha256(), K_main, sizeof(K_main), nullptr,
+ 0, confirmation_str.data(), confirmation_str.size())) {
+ return false;
+ }
+
+ auto secret_info_str = StringAsBytes("SharedKey");
+ if (!HKDF(out_secret, kSecretSize, EVP_sha256(), K_main, sizeof(K_main),
+ nullptr, 0, secret_info_str.data(), secret_info_str.size())) {
+ return false;
+ }
+
+ unsigned prover_confirm_len;
+ if (HMAC(EVP_sha256(), keys, kSecretSize, verifier_share, kShareSize,
+ out_prover_confirm, &prover_confirm_len) == nullptr) {
+ return false;
+ }
+ BSSL_CHECK(prover_confirm_len == kConfirmSize);
+
+ unsigned verifier_confirm_len;
+ if (HMAC(EVP_sha256(), keys + kSecretSize, kSecretSize, prover_share,
+ kShareSize, out_verifier_confirm,
+ &verifier_confirm_len) == nullptr) {
+ return false;
+ }
+ BSSL_CHECK(verifier_confirm_len == kConfirmSize);
+
+ return true;
+}
+
+} // namespace
+
+bool Register(Span<uint8_t> out_w0, Span<uint8_t> out_w1,
+ Span<uint8_t> out_registration_record,
+ Span<const uint8_t> password, Span<const uint8_t> id_prover,
+ Span<const uint8_t> id_verifier) {
+ if (out_w0.size() != kVerifierSize || out_w1.size() != kVerifierSize ||
+ out_registration_record.size() != kRegistrationRecordSize) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ // Offline registration format from:
+ // https://www.rfc-editor.org/rfc/rfc9383.html#section-3.2
+ ScopedCBB mhf_input;
+ if (!CBB_init(mhf_input.get(), password.size() + id_prover.size() +
+ id_verifier.size() +
+ 3 * sizeof(uint64_t)) || //
+ !AddLengthPrefixed(mhf_input.get(), password) ||
+ !AddLengthPrefixed(mhf_input.get(), id_prover) ||
+ !AddLengthPrefixed(mhf_input.get(), id_verifier) ||
+ !CBB_flush(mhf_input.get())) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ // https://neuromancer.sk/std/nist/P-256
+ // sage: p =
+ // 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
+ // ....: K = GF(p)
+ // ....: a =
+ // K(0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc)
+ // ....: b =
+ // K(0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b)
+ // ....: E = EllipticCurve(K, (a, b))
+ // ....: G =
+ // E(0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
+ // ....: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
+ // ....:
+ // E.set_order(0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63
+ // ....: 2551 * 0x1)
+ // sage: k = 64
+ // sage: L = (2 * (ceil(log(p)/log(2)) + k)) / 8
+
+ // RFC 9383 Section 3.2
+ constexpr size_t kKDFOutputSize = 80;
+ constexpr size_t kKDFOutputWords = kKDFOutputSize / BN_BYTES;
+
+ uint8_t key[kKDFOutputSize];
+ if (!EVP_PBE_scrypt((const char *)CBB_data(mhf_input.get()),
+ CBB_len(mhf_input.get()), nullptr, 0,
+ /*N=*/32768, /*r=*/8, /*p=*/1,
+ /*max_mem=*/1024 * 1024 * 33, key, kKDFOutputSize)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ const EC_GROUP *group = EC_group_p256();
+ BN_ULONG w0_words[kKDFOutputWords / 2];
+ bn_big_endian_to_words(w0_words, kKDFOutputWords / 2, key,
+ kKDFOutputSize / 2);
+ EC_SCALAR w0;
+ ec_scalar_reduce(group, &w0, w0_words, kKDFOutputWords / 2);
+ ScalarToSizedBuffer(group, &w0, out_w0);
+
+ BN_ULONG w1_words[kKDFOutputWords / 2];
+ bn_big_endian_to_words(w1_words, kKDFOutputWords / 2,
+ key + kKDFOutputSize / 2, kKDFOutputSize / 2);
+ EC_SCALAR w1;
+ ec_scalar_reduce(group, &w1, w1_words, kKDFOutputWords / 2);
+ ScalarToSizedBuffer(group, &w1, out_w1);
+
+ EC_JACOBIAN L_j;
+ EC_AFFINE L;
+ if (!ec_point_mul_scalar_base(group, &L_j, &w1) || //
+ !ec_jacobian_to_affine(group, &L, &L_j) || //
+ !ec_point_to_bytes(group, &L, POINT_CONVERSION_UNCOMPRESSED,
+ out_registration_record.data(),
+ kRegistrationRecordSize)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ return true;
+}
+
+Prover::Prover() = default;
+Prover::~Prover() = default;
+
+bool Prover::Init(Span<const uint8_t> context, Span<const uint8_t> id_prover,
+ Span<const uint8_t> id_verifier, Span<const uint8_t> w0,
+ Span<const uint8_t> w1, Span<const uint8_t> x) {
+ const EC_GROUP *group = EC_group_p256();
+
+ if (!ec_scalar_from_bytes(group, &w0_, w0.data(), w0.size()) ||
+ !ec_scalar_from_bytes(group, &w1_, w1.data(), w1.size()) ||
+ (!x.empty() &&
+ !ec_scalar_from_bytes(group, &x_, x.data(), x.size())) || //
+ (x.empty() && !ec_random_scalar(group, &x_, kDefaultAdditionalData))) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ InitTranscriptHash(&transcript_hash_, context, id_prover, id_verifier);
+
+ return true;
+}
+
+bool Prover::GenerateShare(Span<uint8_t> out_share) {
+ if (state_ != State::kInit || out_share.size() != kShareSize) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ // Compute X = x×P + w0×M.
+ // TODO(crbug.com/383778231): This could be sped up with a constant-time,
+ // two-point multiplication.
+ const EC_GROUP *group = EC_group_p256();
+ EC_JACOBIAN l;
+ if (!ec_point_mul_scalar_base(group, &l, &x_)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ EC_JACOBIAN M_j;
+ ConstantToJacobian(group, &M_j, kM_bytes);
+
+ EC_JACOBIAN r;
+ if (!ec_point_mul_scalar(group, &r, &M_j, &w0_)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ EC_JACOBIAN X_j;
+ group->meth->add(group, &X_j, &l, &r);
+ if (!ec_jacobian_to_affine(group, &X_, &X_j)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ size_t written = ec_point_to_bytes(group, &X_, POINT_CONVERSION_UNCOMPRESSED,
+ out_share.data(), kShareSize);
+ BSSL_CHECK(written == kShareSize);
+
+ memcpy(share_, out_share.data(), kShareSize);
+ state_ = State::kShareGenerated;
+ return true;
+}
+
+bool Prover::ComputeConfirmation(Span<uint8_t> out_confirm,
+ Span<uint8_t> out_secret,
+ Span<const uint8_t> peer_share,
+ Span<const uint8_t> peer_confirm) {
+ if (state_ != State::kShareGenerated || out_confirm.size() != kConfirmSize ||
+ out_secret.size() != kSecretSize || peer_share.size() != kShareSize ||
+ peer_confirm.size() != kConfirmSize) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ const EC_GROUP *group = EC_group_p256();
+ EC_AFFINE Y;
+ if (!ec_point_from_uncompressed(group, &Y, peer_share.data(),
+ peer_share.size())) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ EC_JACOBIAN N_j;
+ ConstantToJacobian(group, &N_j, kN_bytes);
+
+ EC_JACOBIAN r;
+ if (!ec_point_mul_scalar(group, &r, &N_j, &w0_)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ ec_felem_neg(group, &r.Y, &r.Y);
+
+ EC_JACOBIAN Y_j;
+ ec_affine_to_jacobian(group, &Y_j, &Y);
+
+ EC_JACOBIAN t;
+ group->meth->add(group, &t, &Y_j, &r);
+
+ EC_JACOBIAN tmp;
+ EC_AFFINE Z, V;
+ // TODO(crbug.com/383778231): The two affine conversions could be batched
+ // together.
+ if (!ec_point_mul_scalar(group, &tmp, &t, &x_) || //
+ !ec_jacobian_to_affine(group, &Z, &tmp) || //
+ !ec_point_mul_scalar(group, &tmp, &t, &w1_) || //
+ !ec_jacobian_to_affine(group, &V, &tmp)) {
+ return 0;
+ }
+
+ uint8_t verifier_confirm[kConfirmSize];
+ if (!ComputeTranscript(out_confirm.data(), verifier_confirm,
+ out_secret.data(), share_, peer_share.data(),
+ &transcript_hash_, &Z, &V, &w0_) ||
+ CRYPTO_memcmp(verifier_confirm, peer_confirm.data(),
+ sizeof(verifier_confirm)) != 0) {
+ return 0;
+ }
+
+ state_ = State::kDone;
+ return true;
+}
+
+Verifier::Verifier() = default;
+Verifier::~Verifier() = default;
+
+bool Verifier::Init(Span<const uint8_t> context, Span<const uint8_t> id_prover,
+ Span<const uint8_t> id_verifier, Span<const uint8_t> w0,
+ Span<const uint8_t> registration_record,
+ Span<const uint8_t> y) {
+ const EC_GROUP *group = EC_group_p256();
+
+ if (!ec_scalar_from_bytes(group, &w0_, w0.data(), w0.size()) ||
+ !ec_point_from_uncompressed(group, &L_, registration_record.data(),
+ registration_record.size()) || //
+ (!y.empty() &&
+ !ec_scalar_from_bytes(group, &y_, y.data(), y.size())) || //
+ (y.empty() && !ec_random_scalar(group, &y_, kDefaultAdditionalData))) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ InitTranscriptHash(&transcript_hash_, context, id_prover, id_verifier);
+
+ return true;
+}
+
+
+bool Verifier::ProcessProverShare(Span<uint8_t> out_share,
+ Span<uint8_t> out_confirm,
+ Span<uint8_t> out_secret,
+ Span<const uint8_t> prover_share) {
+ if (state_ != State::kInit || //
+ out_share.size() != kShareSize || out_confirm.size() != kConfirmSize ||
+ out_secret.size() != kSecretSize || prover_share.size() != kShareSize) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ const EC_GROUP *group = EC_group_p256();
+ EC_JACOBIAN l, r, M_j, N_j;
+ ConstantToJacobian(group, &M_j, kM_bytes);
+ ConstantToJacobian(group, &N_j, kN_bytes);
+
+ // Compute Y = y×P + w0×M.
+ // TODO(crbug.com/383778231): This could be sped up with a constant-time,
+ // two-point multiplication.
+ if (!ec_point_mul_scalar_base(group, &l, &y_) ||
+ !ec_point_mul_scalar(group, &r, &N_j, &w0_)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ EC_JACOBIAN Y_j;
+ EC_AFFINE Y;
+ group->meth->add(group, &Y_j, &l, &r);
+ if (!ec_jacobian_to_affine(group, &Y, &Y_j)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ const size_t written = ec_point_to_bytes(
+ group, &Y, POINT_CONVERSION_UNCOMPRESSED, out_share.data(), kShareSize);
+ BSSL_CHECK(written == kShareSize);
+
+ EC_JACOBIAN r2;
+ EC_AFFINE X;
+ if (!ec_point_from_uncompressed(group, &X, prover_share.data(),
+ prover_share.size()) ||
+ !ec_point_mul_scalar(group, &r2, &M_j, &w0_)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ ec_felem_neg(group, &r2.Y, &r2.Y);
+
+ EC_JACOBIAN X_j, T;
+ ec_affine_to_jacobian(group, &X_j, &X);
+ group->meth->add(group, &T, &X_j, &r2);
+
+ // TODO(crbug.com/383778231): The two affine conversions could be batched
+ // together.
+ EC_JACOBIAN tmp;
+ EC_AFFINE Z;
+ if (!ec_point_mul_scalar(group, &tmp, &T, &y_) || //
+ !ec_jacobian_to_affine(group, &Z, &tmp)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ EC_JACOBIAN L_j;
+ EC_AFFINE V;
+ ec_affine_to_jacobian(group, &L_j, &L_);
+ if (!ec_point_mul_scalar(group, &tmp, &L_j, &y_) || //
+ !ec_jacobian_to_affine(group, &V, &tmp)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ if (!ComputeTranscript(confirm_, out_confirm.data(), out_secret.data(),
+ prover_share.data(), out_share.data(),
+ &transcript_hash_, &Z, &V, &w0_)) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ state_ = State::kProverShareSeen;
+ return true;
+}
+
+bool Verifier::VerifyProverConfirmation(Span<const uint8_t> peer_confirm) {
+ if (state_ != State::kProverShareSeen || //
+ peer_confirm.size() != kConfirmSize || //
+ CRYPTO_memcmp(confirm_, peer_confirm.data(), sizeof(confirm_)) != 0) {
+ OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ state_ = State::kDone;
+ return true;
+}
+
+} // namespace spake2plus
+
+BSSL_NAMESPACE_END
diff --git a/crypto/spake2plus/spake2plus_test.cc b/crypto/spake2plus/spake2plus_test.cc
new file mode 100644
index 0000000..35ad18e
--- /dev/null
+++ b/crypto/spake2plus/spake2plus_test.cc
@@ -0,0 +1,342 @@
+/* Copyright 2024 The BoringSSL Authors
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/base.h>
+
+#include <string>
+#include <unordered_map>
+#include <utility>
+#include <vector>
+
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/span.h>
+
+#include <gtest/gtest.h>
+
+#include "../internal.h"
+#include "../test/test_util.h"
+#include "./internal.h"
+
+
+BSSL_NAMESPACE_BEGIN
+
+namespace {
+
+using namespace spake2plus;
+
+std::vector<uint8_t> HexToBytes(const char *str) {
+ std::vector<uint8_t> ret;
+ if (!DecodeHex(&ret, str)) {
+ abort();
+ }
+ return ret;
+}
+
+class RegistrationCache {
+ public:
+ struct Result {
+ std::vector<uint8_t> w0, w1, record;
+ };
+
+ const Result &Get(const std::pair<std::string, std::string> &names,
+ const std::string &pw) {
+ CacheKey key{names.first, names.second, pw};
+
+ auto it = cache.find(key);
+ if (it != cache.end()) {
+ return it->second;
+ }
+
+ Result output;
+ output.w0.resize(kVerifierSize);
+ output.w1.resize(kVerifierSize);
+ output.record.resize(kRegistrationRecordSize);
+
+ if (!Register(Span(output.w0), Span(output.w1), Span(output.record),
+ StringAsBytes(pw), StringAsBytes(names.first),
+ StringAsBytes(names.second))) {
+ abort();
+ }
+
+ return cache.emplace(std::move(key), std::move(output)).first->second;
+ }
+
+ private:
+ struct CacheKey {
+ std::string id_prover, id_verifier, password;
+
+ bool operator==(const CacheKey &other) const {
+ return std::tie(id_prover, id_verifier, password) ==
+ std::tie(other.id_prover, other.id_verifier, other.password);
+ }
+ };
+
+ struct KeyHash {
+ std::size_t operator()(const CacheKey &k) const {
+ return std::hash<std::string>()(k.id_prover) ^
+ std::hash<std::string>()(k.id_verifier) ^
+ std::hash<std::string>()(k.password);
+ }
+ };
+
+ std::unordered_map<CacheKey, Result, KeyHash> cache;
+};
+
+RegistrationCache &GlobalRegistrationCache() {
+ static RegistrationCache cache;
+ return cache;
+}
+
+struct SPAKEPLUSRun {
+ bool Run() {
+ const RegistrationCache::Result ®istration =
+ GlobalRegistrationCache().Get(prover_names, pw);
+
+ Prover prover;
+ if (!prover.Init(StringAsBytes(context), StringAsBytes(prover_names.first),
+ StringAsBytes(prover_names.second), registration.w0,
+ registration.w1)) {
+ return false;
+ }
+
+ std::vector<uint8_t> verifier_registration_record = registration.record;
+ if (verifier_corrupt_record) {
+ verifier_registration_record[verifier_registration_record.size() - 1] ^=
+ 0xFF;
+ }
+
+ Verifier verifier;
+ if (!verifier.Init(StringAsBytes(context),
+ StringAsBytes(verifier_names.first),
+ StringAsBytes(verifier_names.second), registration.w0,
+ verifier_registration_record)) {
+ return false;
+ }
+
+ uint8_t prover_share[kShareSize];
+ if (!prover.GenerateShare(prover_share)) {
+ return false;
+ }
+
+ if (repeat_invocations && prover.GenerateShare(prover_share)) {
+ return false;
+ }
+
+ if (prover_corrupt_msg_bit &&
+ *prover_corrupt_msg_bit < 8 * sizeof(prover_share)) {
+ prover_share[*prover_corrupt_msg_bit / 8] ^=
+ 1 << (*prover_corrupt_msg_bit & 7);
+ }
+
+ uint8_t verifier_share[kShareSize];
+ uint8_t verifier_confirm[kConfirmSize];
+ uint8_t verifier_secret[kSecretSize];
+ if (!verifier.ProcessProverShare(verifier_share, verifier_confirm,
+ verifier_secret, prover_share)) {
+ return false;
+ }
+
+ if (repeat_invocations &&
+ verifier.ProcessProverShare(verifier_share, verifier_confirm,
+ verifier_secret, prover_share)) {
+ return false;
+ }
+
+ uint8_t prover_confirm[kConfirmSize];
+ uint8_t prover_secret[kSecretSize];
+ if (!prover.ComputeConfirmation(prover_confirm, prover_secret,
+ verifier_share, verifier_confirm)) {
+ return false;
+ }
+
+ if (repeat_invocations && //
+ prover.ComputeConfirmation(prover_confirm, prover_secret,
+ verifier_share, verifier_confirm)) {
+ return false;
+ }
+
+ if (prover_corrupt_confirm_bit &&
+ *prover_corrupt_confirm_bit < 8 * sizeof(prover_confirm)) {
+ prover_confirm[*prover_corrupt_confirm_bit / 8] ^=
+ 1 << (*prover_corrupt_confirm_bit & 7);
+ }
+
+ if (!verifier.VerifyProverConfirmation(prover_confirm)) {
+ return false;
+ }
+
+ if (repeat_invocations &&
+ verifier.VerifyProverConfirmation(prover_confirm)) {
+ return false;
+ }
+
+ key_matches_ = Span(prover_secret) == Span(verifier_secret);
+ return true;
+ }
+
+ bool key_matches() const { return key_matches_; }
+
+ std::string context =
+ "SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors";
+ std::string pw = "password";
+ std::pair<std::string, std::string> prover_names = {"client", "server"};
+ std::pair<std::string, std::string> verifier_names = {"client", "server"};
+ bool verifier_corrupt_record = false;
+ bool repeat_invocations = false;
+ std::optional<size_t> prover_corrupt_msg_bit;
+ std::optional<size_t> prover_corrupt_confirm_bit;
+
+ private:
+ bool key_matches_ = false;
+};
+
+TEST(SPAKEPLUSTest, TestVectors) {
+ // https://datatracker.ietf.org/doc/html/rfc9383#appendix-C
+ // SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors
+ const char w0_str[] =
+ "bb8e1bbcf3c48f62c08db243652ae55d3e5586053fca77102994f23ad95491b3";
+ const char w1_str[] =
+ "7e945f34d78785b8a3ef44d0df5a1a97d6b3b460409a345ca7830387a74b1dba";
+ const char L_str[] =
+ "04eb7c9db3d9a9eb1f8adab81b5794c1f13ae3e225efbe91ea487425854c7fc00f00bfed"
+ "cbd09b2400142d40a14f2064ef31dfaa903b91d1faea7093d835966efd";
+ const char x_str[] =
+ "d1232c8e8693d02368976c174e2088851b8365d0d79a9eee709c6a05a2fad539";
+ const char share_p_str[] =
+ "04ef3bd051bf78a2234ec0df197f7828060fe9856503579bb1733009042c15c0c1de1277"
+ "27f418b5966afadfdd95a6e4591d171056b333dab97a79c7193e341727";
+ const char y_str[] =
+ "717a72348a182085109c8d3917d6c43d59b224dc6a7fc4f0483232fa6516d8b3";
+ const char share_v_str[] =
+ "04c0f65da0d11927bdf5d560c69e1d7d939a05b0e88291887d679fcadea75810fb5cc1ca"
+ "7494db39e82ff2f50665255d76173e09986ab46742c798a9a68437b048";
+ const char confirm_p_str[] =
+ "926cc713504b9b4d76c9162ded04b5493e89109f6d89462cd33adc46fda27527";
+ const char confirm_v_str[] =
+ "9747bcc4f8fe9f63defee53ac9b07876d907d55047e6ff2def2e7529089d3e68";
+ const char secret_str[] =
+ "0c5f8ccd1413423a54f6c1fb26ff01534a87f893779c6e68666d772bfd91f3e7";
+ const std::string context =
+ "SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors";
+ const std::pair<std::string, std::string> prover_names = {"client", "server"};
+ const std::pair<std::string, std::string> verifier_names = {"client",
+ "server"};
+
+ std::vector<uint8_t> w0 = HexToBytes(w0_str);
+ std::vector<uint8_t> w1 = HexToBytes(w1_str);
+ std::vector<uint8_t> registration_record = HexToBytes(L_str);
+ std::vector<uint8_t> x = HexToBytes(x_str);
+ std::vector<uint8_t> y = HexToBytes(y_str);
+
+ Prover prover;
+ ASSERT_TRUE(prover.Init(StringAsBytes(context),
+ StringAsBytes(prover_names.first),
+ StringAsBytes(prover_names.second), MakeConstSpan(w0),
+ MakeConstSpan(w1), x));
+
+ Verifier verifier;
+ ASSERT_TRUE(
+ verifier.Init(StringAsBytes(context), StringAsBytes(prover_names.first),
+ StringAsBytes(prover_names.second), MakeConstSpan(w0),
+ MakeConstSpan(registration_record), y));
+
+ uint8_t prover_share[kShareSize];
+ ASSERT_TRUE(prover.GenerateShare(prover_share));
+
+ std::vector<uint8_t> share_p = HexToBytes(share_p_str);
+ ASSERT_TRUE(
+ OPENSSL_memcmp(share_p.data(), prover_share, sizeof(prover_share)) == 0);
+
+ uint8_t verifier_share[kShareSize];
+ uint8_t verifier_confirm[kConfirmSize];
+ uint8_t verifier_secret[kSecretSize];
+ ASSERT_TRUE(verifier.ProcessProverShare(verifier_share, verifier_confirm,
+ verifier_secret, prover_share));
+
+ std::vector<uint8_t> share_v = HexToBytes(share_v_str);
+ ASSERT_TRUE(OPENSSL_memcmp(share_v.data(), verifier_share,
+ sizeof(verifier_share)) == 0);
+ std::vector<uint8_t> confirm_v = HexToBytes(confirm_v_str);
+ ASSERT_TRUE(OPENSSL_memcmp(confirm_v.data(), verifier_confirm,
+ sizeof(verifier_confirm)) == 0);
+
+ uint8_t prover_confirm[kConfirmSize];
+ uint8_t prover_secret[kSecretSize];
+ ASSERT_TRUE(prover.ComputeConfirmation(prover_confirm, prover_secret,
+ verifier_share, verifier_confirm));
+
+ std::vector<uint8_t> confirm_p = HexToBytes(confirm_p_str);
+ ASSERT_TRUE(OPENSSL_memcmp(confirm_p.data(), prover_confirm,
+ sizeof(prover_confirm)) == 0);
+
+ ASSERT_TRUE(verifier.VerifyProverConfirmation(prover_confirm));
+
+ std::vector<uint8_t> expected_secret = HexToBytes(secret_str);
+ static_assert(sizeof(verifier_secret) == sizeof(prover_secret));
+ ASSERT_TRUE(OPENSSL_memcmp(prover_secret, verifier_secret,
+ sizeof(prover_secret)) == 0);
+ ASSERT_TRUE(OPENSSL_memcmp(expected_secret.data(), verifier_secret,
+ sizeof(verifier_secret)) == 0);
+}
+
+TEST(SPAKEPLUSTest, SPAKEPLUS) {
+ for (unsigned i = 0; i < 20; i++) {
+ SPAKEPLUSRun spake2;
+ ASSERT_TRUE(spake2.Run());
+ EXPECT_TRUE(spake2.key_matches());
+ }
+}
+
+TEST(SPAKEPLUSTest, WrongPassword) {
+ SPAKEPLUSRun spake2;
+ spake2.verifier_corrupt_record = true;
+ ASSERT_FALSE(spake2.Run());
+}
+
+TEST(SPAKEPLUSTest, WrongNames) {
+ SPAKEPLUSRun spake2;
+ spake2.prover_names.second = "alice";
+ spake2.verifier_names.second = "bob";
+ ASSERT_FALSE(spake2.Run());
+}
+
+TEST(SPAKEPLUSTest, CorruptMessages) {
+ for (size_t i = 0; i < 8 * kShareSize; i++) {
+ SPAKEPLUSRun spake2;
+ spake2.prover_corrupt_msg_bit = i;
+ EXPECT_FALSE(spake2.Run())
+ << "Passed after corrupting Prover's key share message, bit " << i;
+ }
+
+ for (size_t i = 0; i < 8 * kConfirmSize; i++) {
+ SPAKEPLUSRun spake2;
+ spake2.prover_corrupt_confirm_bit = i;
+ EXPECT_FALSE(spake2.Run())
+ << "Passed after corrupting Verifier's confirmation message, bit " << i;
+ }
+}
+
+TEST(SPAKEPLUSTest, StateMachine) {
+ SPAKEPLUSRun spake2;
+ spake2.repeat_invocations = true;
+ ASSERT_TRUE(spake2.Run());
+}
+
+} // namespace
+
+BSSL_NAMESPACE_END
diff --git a/gen/sources.bzl b/gen/sources.bzl
index 5af0dd2..35f3af6 100644
--- a/gen/sources.bzl
+++ b/gen/sources.bzl
@@ -415,6 +415,7 @@
"crypto/sha/sha512.cc",
"crypto/siphash/siphash.cc",
"crypto/slhdsa/slhdsa.cc",
+ "crypto/spake2plus/spake2plus.cc",
"crypto/stack/stack.cc",
"crypto/thread.cc",
"crypto/thread_none.cc",
@@ -644,6 +645,7 @@
"crypto/rand_extra/getrandom_fillin.h",
"crypto/rand_extra/sysrand_internal.h",
"crypto/rsa_extra/internal.h",
+ "crypto/spake2plus/internal.h",
"crypto/trust_token/internal.h",
"crypto/x509/ext_dat.h",
"crypto/x509/internal.h",
@@ -757,6 +759,7 @@
"crypto/self_test.cc",
"crypto/siphash/siphash_test.cc",
"crypto/slhdsa/slhdsa_test.cc",
+ "crypto/spake2plus/spake2plus_test.cc",
"crypto/stack/stack_test.cc",
"crypto/test/gtest_main.cc",
"crypto/thread_test.cc",
diff --git a/gen/sources.cmake b/gen/sources.cmake
index bbbb9c2..6979e47 100644
--- a/gen/sources.cmake
+++ b/gen/sources.cmake
@@ -429,6 +429,7 @@
crypto/sha/sha512.cc
crypto/siphash/siphash.cc
crypto/slhdsa/slhdsa.cc
+ crypto/spake2plus/spake2plus.cc
crypto/stack/stack.cc
crypto/thread.cc
crypto/thread_none.cc
@@ -662,6 +663,7 @@
crypto/rand_extra/getrandom_fillin.h
crypto/rand_extra/sysrand_internal.h
crypto/rsa_extra/internal.h
+ crypto/spake2plus/internal.h
crypto/trust_token/internal.h
crypto/x509/ext_dat.h
crypto/x509/internal.h
@@ -781,6 +783,7 @@
crypto/self_test.cc
crypto/siphash/siphash_test.cc
crypto/slhdsa/slhdsa_test.cc
+ crypto/spake2plus/spake2plus_test.cc
crypto/stack/stack_test.cc
crypto/test/gtest_main.cc
crypto/thread_test.cc
diff --git a/gen/sources.gni b/gen/sources.gni
index b5c3d54..1b40795 100644
--- a/gen/sources.gni
+++ b/gen/sources.gni
@@ -415,6 +415,7 @@
"crypto/sha/sha512.cc",
"crypto/siphash/siphash.cc",
"crypto/slhdsa/slhdsa.cc",
+ "crypto/spake2plus/spake2plus.cc",
"crypto/stack/stack.cc",
"crypto/thread.cc",
"crypto/thread_none.cc",
@@ -644,6 +645,7 @@
"crypto/rand_extra/getrandom_fillin.h",
"crypto/rand_extra/sysrand_internal.h",
"crypto/rsa_extra/internal.h",
+ "crypto/spake2plus/internal.h",
"crypto/trust_token/internal.h",
"crypto/x509/ext_dat.h",
"crypto/x509/internal.h",
@@ -757,6 +759,7 @@
"crypto/self_test.cc",
"crypto/siphash/siphash_test.cc",
"crypto/slhdsa/slhdsa_test.cc",
+ "crypto/spake2plus/spake2plus_test.cc",
"crypto/stack/stack_test.cc",
"crypto/test/gtest_main.cc",
"crypto/thread_test.cc",
diff --git a/gen/sources.json b/gen/sources.json
index c4604c8..b2e6b52 100644
--- a/gen/sources.json
+++ b/gen/sources.json
@@ -399,6 +399,7 @@
"crypto/sha/sha512.cc",
"crypto/siphash/siphash.cc",
"crypto/slhdsa/slhdsa.cc",
+ "crypto/spake2plus/spake2plus.cc",
"crypto/stack/stack.cc",
"crypto/thread.cc",
"crypto/thread_none.cc",
@@ -626,6 +627,7 @@
"crypto/rand_extra/getrandom_fillin.h",
"crypto/rand_extra/sysrand_internal.h",
"crypto/rsa_extra/internal.h",
+ "crypto/spake2plus/internal.h",
"crypto/trust_token/internal.h",
"crypto/x509/ext_dat.h",
"crypto/x509/internal.h",
@@ -738,6 +740,7 @@
"crypto/self_test.cc",
"crypto/siphash/siphash_test.cc",
"crypto/slhdsa/slhdsa_test.cc",
+ "crypto/spake2plus/spake2plus_test.cc",
"crypto/stack/stack_test.cc",
"crypto/test/gtest_main.cc",
"crypto/thread_test.cc",
