Add SPAKE2+. This is an internal-only primitive, at least for now. Change-Id: I365d42c9df59894ed131fba139efc7c9bbe0ed35 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75107 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/AUTHORS b/AUTHORS index 78c3a2a..f3e85c0 100644 --- a/AUTHORS +++ b/AUTHORS
@@ -6,6 +6,7 @@ # source control. Google LLC Brian Smith +Apple Inc # Additionally, much of the code in BoringSSL is derived from code in the # OpenSSL project. We thank the OpenSSL project’s contributors for their
diff --git a/build.json b/build.json index 71489c9..c9d1778 100644 --- a/build.json +++ b/build.json
@@ -316,6 +316,7 @@ "crypto/sha/sha256.cc", "crypto/sha/sha512.cc", "crypto/siphash/siphash.cc", + "crypto/spake2plus/spake2plus.cc", "crypto/stack/stack.cc", "crypto/thread.cc", "crypto/thread_none.cc", @@ -542,6 +543,7 @@ "crypto/rand_extra/getrandom_fillin.h", "crypto/rand_extra/sysrand_internal.h", "crypto/rsa_extra/internal.h", + "crypto/spake2plus/internal.h", "crypto/trust_token/internal.h", "crypto/x509/ext_dat.h", "crypto/x509/internal.h", @@ -859,6 +861,7 @@ "crypto/self_test.cc", "crypto/siphash/siphash_test.cc", "crypto/slhdsa/slhdsa_test.cc", + "crypto/spake2plus/spake2plus_test.cc", "crypto/stack/stack_test.cc", "crypto/test/gtest_main.cc", "crypto/thread_test.cc",
diff --git a/crypto/fipsmodule/ec/internal.h b/crypto/fipsmodule/ec/internal.h index 5c37605..1f3d06e 100644 --- a/crypto/fipsmodule/ec/internal.h +++ b/crypto/fipsmodule/ec/internal.h
@@ -74,6 +74,11 @@ const BN_ULONG *words, size_t num); // ec_random_nonzero_scalar sets |out| to a uniformly selected random value from +// zero to |group->order| - 1. It returns one on success and zero on error. +int ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out, + const uint8_t additional_data[32]); + +// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from // 1 to |group->order| - 1. It returns one on success and zero on error. int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out, const uint8_t additional_data[32]);
diff --git a/crypto/fipsmodule/ec/scalar.cc.inc b/crypto/fipsmodule/ec/scalar.cc.inc index 4cf6d1f..d5d9d62 100644 --- a/crypto/fipsmodule/ec/scalar.cc.inc +++ b/crypto/fipsmodule/ec/scalar.cc.inc
@@ -16,9 +16,9 @@ #include <openssl/err.h> #include <openssl/mem.h> -#include "internal.h" -#include "../bn/internal.h" #include "../../internal.h" +#include "../bn/internal.h" +#include "internal.h" int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, @@ -49,6 +49,12 @@ return mask == 0; } +int ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out, + const uint8_t additional_data[32]) { + return bn_rand_range_words(out->words, 0, group->order.N.d, + group->order.N.width, additional_data); +} + int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out, const uint8_t additional_data[32]) { return bn_rand_range_words(out->words, 1, group->order.N.d,
diff --git a/crypto/spake2plus/internal.h b/crypto/spake2plus/internal.h new file mode 100644 index 0000000..d90e3b3 --- /dev/null +++ b/crypto/spake2plus/internal.h
@@ -0,0 +1,204 @@ +/* Copyright 2024 The BoringSSL Authors + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H +#define OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H + +#include <openssl/base.h> + +#include <sys/types.h> + +#include <openssl/sha.h> +#include <openssl/span.h> + +#include "../fipsmodule/ec/internal.h" + + +BSSL_NAMESPACE_BEGIN + +// SPAKE2+. +// +// SPAKE2+ is an augmented password-authenticated key-exchange. It allows +// two parties, a prover and verifier, to derive a strong shared key with no +// risk of disclosing the password, known only to the prover, to the verifier. +// (But note that the verifier can still attempt an offline, brute-force attack +// to recover the password.) +// +// This is an implementation of SPAKE2+ using P-256 as the group, SHA-256 as +// the hash function, HKDF-SHA256 as the key derivation function, and +// HMAC-SHA256 as the message authentication code. +// +// See https://www.rfc-editor.org/rfc/rfc9383.html + +namespace spake2plus { + +// kShareSize is the size of a SPAKE2+ key share. +constexpr size_t kShareSize = 65; + +// kConfirmSize is the size of a SPAKE2+ key confirmation message. +constexpr size_t kConfirmSize = 32; + +// kVerifierSize is the size of the w0 and w1 values in the SPAKE2+ protocol. +constexpr size_t kVerifierSize = 32; + +// kRegistrationRecordSize is the number of bytes in a registration record, +// which is provided to the verifier. +constexpr size_t kRegistrationRecordSize = 65; + +// kSecretSize is the number of bytes of shared secret that the SPAKE2+ protocol +// generates. +constexpr size_t kSecretSize = 32; + +// Register computes the values needed in the offline registration +// step of the SPAKE2+ protocol. See the following for more details: +// https://www.rfc-editor.org/rfc/rfc9383.html#section-3.2 +// +// The |password| argument is the mandatory prover password. The |out_w0|, +// |out_w1|, and |out_registration_record| arguments are where the password +// verifiers (w0 and w1) and registration record (L) are stored, respectively. +// The prover is given |out_w0| and |out_w1| while the verifier is given +// |out_w0| and |out_registration_record|. +// +// To ensure success, |out_w0| and |out_w1| must be of length |kVerifierSize|, +// and |out_registration_record| of size |kRegistrationRecordSize|. +[[nodiscard]] OPENSSL_EXPORT bool Register( + Span<uint8_t> out_w0, Span<uint8_t> out_w1, + Span<uint8_t> out_registration_record, Span<const uint8_t> password, + Span<const uint8_t> id_prover, Span<const uint8_t> id_verifier); + +class OPENSSL_EXPORT Prover { + public: + static constexpr bool kAllowUniquePtr = true; + + Prover(); + ~Prover(); + + // Init creates a new prover, which can only be used for a single execution of + // the protocol. + // + // The |context| argument is an application-specific value meant to constrain + // the protocol execution. The |w0| and |w1| arguments are password verifier + // values computed during the offline registration phase of the protocol. The + // |id_prover| and |id_verifier| arguments allow optional, opaque names to be + // bound into the protocol. See the following for more information about how + // these identities may be chosen: + // https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2 + [[nodiscard]] bool Init(Span<const uint8_t> context, + Span<const uint8_t> id_prover, + Span<const uint8_t> id_verifier, + Span<const uint8_t> w0, Span<const uint8_t> w1, + Span<const uint8_t> x = Span<const uint8_t>()); + + // GenerateShare computes a SPAKE2+ share and writes it to |out_share|. + // + // This function can only be called once for a given |Prover|. To ensure + // success, |out_share| must be |kShareSize| bytes. + [[nodiscard]] bool GenerateShare(Span<uint8_t> out_share); + + // ComputeConfirmation computes a SPAKE2+ key confirmation + // message and writes it to |out_confirm|. It also computes the shared secret + // and writes it to |out_secret|. + // + // This function can only be called once for a given |Prover|. + // + // To ensure success, |out_confirm| must be |kConfirmSize| bytes + // and |out_secret| must be |kSecretSize| bytes. + [[nodiscard]] bool ComputeConfirmation(Span<uint8_t> out_confirm, + Span<uint8_t> out_secret, + Span<const uint8_t> peer_share, + Span<const uint8_t> peer_confirm); + + private: + enum class State { + kInit, + kShareGenerated, + kConfirmGenerated, + kDone, + }; + + State state_ = State::kInit; + SHA256_CTX transcript_hash_; + EC_SCALAR w0_; + EC_SCALAR w1_; + EC_SCALAR x_; + EC_AFFINE X_; + uint8_t share_[kShareSize]; +}; + +class OPENSSL_EXPORT Verifier { + public: + static constexpr bool kAllowUniquePtr = true; + + Verifier(); + ~Verifier(); + + // Init creates a new verifier, which can only be used for a single execution + // of the protocol. + // + // The |context| argument is an application-specific value meant to constrain + // the protocol execution. The |w0| and |registration_record| arguments are + // required, and are computed by the prover via |Register|. Only the prover + // can produce |w0| and |registration_record|, as they require + // knowledge of the password. The prover must securely transmit this to the + // verifier out-of-band. The |id_prover| and |id_verifier| arguments allow + // optional, opaque names to be bound into the protocol. See the following for + // more information about how these identities may be chosen: + // https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2 + [[nodiscard]] bool Init(Span<const uint8_t> context, + Span<const uint8_t> id_prover, + Span<const uint8_t> id_verifier, + Span<const uint8_t> w0, + Span<const uint8_t> registration_record, + Span<const uint8_t> y = Span<const uint8_t>()); + + // ProcessProverShare computes a SPAKE2+ share from an input share, + // |prover_share|, and writes it to |out_share|. It also computes the key + // confirmation message and writes it to |out_confirm|. Finally, it computes + // the shared secret and writes it to |out_secret|. + // + // This function can only be called once for a given |Verifier|. + // + // To ensure success, |out_share| must be |kShareSize| bytes, |out_confirm| + // must be |kConfirmSize| bytes, and |out_secret| must be |kSecretSize| bytes. + [[nodiscard]] bool ProcessProverShare(Span<uint8_t> out_share, + Span<uint8_t> out_confirm, + Span<uint8_t> out_secret, + Span<const uint8_t> prover_share); + + // VerifyProverConfirmation verifies a SPAKE2+ key confirmation message, + // |prover_confirm|. + // + // This function can only be called once for a given |Verifier|. + [[nodiscard]] bool VerifyProverConfirmation(Span<const uint8_t> peer_confirm); + + private: + enum class State { + kInit, + kProverShareSeen, + kDone, + }; + + State state_ = State::kInit; + SHA256_CTX transcript_hash_; + EC_SCALAR w0_; + EC_AFFINE L_; + EC_SCALAR y_; + uint8_t confirm_[kConfirmSize]; +}; + +} // namespace spake2plus + +BSSL_NAMESPACE_END + +#endif // OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H
diff --git a/crypto/spake2plus/spake2plus.cc b/crypto/spake2plus/spake2plus.cc new file mode 100644 index 0000000..c191855 --- /dev/null +++ b/crypto/spake2plus/spake2plus.cc
@@ -0,0 +1,501 @@ +/* Copyright 2024 The BoringSSL Authors + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include <openssl/base.h> + +#include <assert.h> +#include <string.h> + +#include <openssl/bn.h> +#include <openssl/bytestring.h> +#include <openssl/crypto.h> +#include <openssl/ec.h> +#include <openssl/evp.h> +#include <openssl/hkdf.h> +#include <openssl/hmac.h> +#include <openssl/mem.h> +#include <openssl/rand.h> +#include <openssl/sha.h> + +#include "../fipsmodule/bn/internal.h" +#include "../fipsmodule/ec/internal.h" +#include "../internal.h" +#include "./internal.h" +#include "openssl/err.h" + +BSSL_NAMESPACE_BEGIN +namespace spake2plus { +namespace { + +const uint8_t kDefaultAdditionalData[32] = {0}; + +// https://www.rfc-editor.org/rfc/rfc9383.html#appendix-B +// seed: 1.2.840.10045.3.1.7 point generation seed (M) +// M = +// 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f +// +// `M` is interpreted as a X9.62-format compressed point. This is then the +// uncompressed form: +const uint8_t kM_bytes[] = { + 0x04, 0x88, 0x6e, 0x2f, 0x97, 0xac, 0xe4, 0x6e, 0x55, 0xba, 0x9d, + 0xd7, 0x24, 0x25, 0x79, 0xf2, 0x99, 0x3b, 0x64, 0xe1, 0x6e, 0xf3, + 0xdc, 0xab, 0x95, 0xaf, 0xd4, 0x97, 0x33, 0x3d, 0x8f, 0xa1, 0x2f, + 0x5f, 0xf3, 0x55, 0x16, 0x3e, 0x43, 0xce, 0x22, 0x4e, 0x0b, 0x0e, + 0x65, 0xff, 0x02, 0xac, 0x8e, 0x5c, 0x7b, 0xe0, 0x94, 0x19, 0xc7, + 0x85, 0xe0, 0xca, 0x54, 0x7d, 0x55, 0xa1, 0x2e, 0x2d, 0x20}; + +// https://www.rfc-editor.org/rfc/rfc9383.html#appendix-B +// seed: 1.2.840.10045.3.1.7 point generation seed (N) +// N = +// 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49 +// +// `N` is interpreted as a X9.62-format compressed point. This is then the +// uncompressed form: +const uint8_t kN_bytes[] = { + 0x04, 0xd8, 0xbb, 0xd6, 0xc6, 0x39, 0xc6, 0x29, 0x37, 0xb0, 0x4d, + 0x99, 0x7f, 0x38, 0xc3, 0x77, 0x07, 0x19, 0xc6, 0x29, 0xd7, 0x01, + 0x4d, 0x49, 0xa2, 0x4b, 0x4f, 0x98, 0xba, 0xa1, 0x29, 0x2b, 0x49, + 0x07, 0xd6, 0x0a, 0xa6, 0xbf, 0xad, 0xe4, 0x50, 0x08, 0xa6, 0x36, + 0x33, 0x7f, 0x51, 0x68, 0xc6, 0x4d, 0x9b, 0xd3, 0x60, 0x34, 0x80, + 0x8c, 0xd5, 0x64, 0x49, 0x0b, 0x1e, 0x65, 0x6e, 0xdb, 0xe7}; + +void UpdateWithLengthPrefix(SHA256_CTX *sha, Span<const uint8_t> data) { + uint8_t len_le[8]; + CRYPTO_store_u64_le(len_le, data.size()); + SHA256_Update(sha, len_le, sizeof(len_le)); + SHA256_Update(sha, data.data(), data.size()); +} + +void ConstantToJacobian(const EC_GROUP *group, EC_JACOBIAN *out, + bssl::Span<const uint8_t> in) { + EC_AFFINE point; + BSSL_CHECK(ec_point_from_uncompressed(group, &point, in.data(), in.size())); + ec_affine_to_jacobian(group, out, &point); +} + +void ScalarToSizedBuffer(const EC_GROUP *group, const EC_SCALAR *s, + Span<uint8_t> out_buf) { + size_t out_bytes; + ec_scalar_to_bytes(group, out_buf.data(), &out_bytes, s); + BSSL_CHECK(out_bytes == out_buf.size()); +} + +bool AddLengthPrefixed(CBB *cbb, Span<const uint8_t> bytes) { + return CBB_add_u64le(cbb, bytes.size()) && + CBB_add_bytes(cbb, bytes.data(), bytes.size()); +} + +void InitTranscriptHash(SHA256_CTX *sha, Span<const uint8_t> context, + Span<const uint8_t> id_prover, + Span<const uint8_t> id_verifier) { + SHA256_Init(sha); + UpdateWithLengthPrefix(sha, context); + UpdateWithLengthPrefix(sha, id_prover); + UpdateWithLengthPrefix(sha, id_verifier); + UpdateWithLengthPrefix(sha, kM_bytes); + UpdateWithLengthPrefix(sha, kN_bytes); +} + +bool ComputeTranscript(uint8_t out_prover_confirm[kConfirmSize], + uint8_t out_verifier_confirm[kConfirmSize], + uint8_t out_secret[kSecretSize], + const uint8_t prover_share[kShareSize], + const uint8_t verifier_share[kShareSize], + SHA256_CTX *sha, const EC_AFFINE *Z, const EC_AFFINE *V, + const EC_SCALAR *w0) { + const EC_GROUP *group = EC_group_p256(); + + uint8_t Z_enc[kShareSize]; + size_t Z_enc_len = ec_point_to_bytes(group, Z, POINT_CONVERSION_UNCOMPRESSED, + Z_enc, sizeof(Z_enc)); + BSSL_CHECK(Z_enc_len == sizeof(Z_enc)); + + uint8_t V_enc[kShareSize]; + size_t V_enc_len = ec_point_to_bytes(group, V, POINT_CONVERSION_UNCOMPRESSED, + V_enc, sizeof(V_enc)); + BSSL_CHECK(V_enc_len == sizeof(V_enc)); + + uint8_t w0_enc[kVerifierSize]; + ScalarToSizedBuffer(group, w0, w0_enc); + + uint8_t K_main[SHA256_DIGEST_LENGTH]; + UpdateWithLengthPrefix(sha, Span(prover_share, kShareSize)); + UpdateWithLengthPrefix(sha, Span(verifier_share, kShareSize)); + UpdateWithLengthPrefix(sha, Z_enc); + UpdateWithLengthPrefix(sha, V_enc); + UpdateWithLengthPrefix(sha, w0_enc); + SHA256_Final(K_main, sha); + + auto confirmation_str = StringAsBytes("ConfirmationKeys"); + uint8_t keys[kSecretSize * 2]; + if (!HKDF(keys, sizeof(keys), EVP_sha256(), K_main, sizeof(K_main), nullptr, + 0, confirmation_str.data(), confirmation_str.size())) { + return false; + } + + auto secret_info_str = StringAsBytes("SharedKey"); + if (!HKDF(out_secret, kSecretSize, EVP_sha256(), K_main, sizeof(K_main), + nullptr, 0, secret_info_str.data(), secret_info_str.size())) { + return false; + } + + unsigned prover_confirm_len; + if (HMAC(EVP_sha256(), keys, kSecretSize, verifier_share, kShareSize, + out_prover_confirm, &prover_confirm_len) == nullptr) { + return false; + } + BSSL_CHECK(prover_confirm_len == kConfirmSize); + + unsigned verifier_confirm_len; + if (HMAC(EVP_sha256(), keys + kSecretSize, kSecretSize, prover_share, + kShareSize, out_verifier_confirm, + &verifier_confirm_len) == nullptr) { + return false; + } + BSSL_CHECK(verifier_confirm_len == kConfirmSize); + + return true; +} + +} // namespace + +bool Register(Span<uint8_t> out_w0, Span<uint8_t> out_w1, + Span<uint8_t> out_registration_record, + Span<const uint8_t> password, Span<const uint8_t> id_prover, + Span<const uint8_t> id_verifier) { + if (out_w0.size() != kVerifierSize || out_w1.size() != kVerifierSize || + out_registration_record.size() != kRegistrationRecordSize) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + // Offline registration format from: + // https://www.rfc-editor.org/rfc/rfc9383.html#section-3.2 + ScopedCBB mhf_input; + if (!CBB_init(mhf_input.get(), password.size() + id_prover.size() + + id_verifier.size() + + 3 * sizeof(uint64_t)) || // + !AddLengthPrefixed(mhf_input.get(), password) || + !AddLengthPrefixed(mhf_input.get(), id_prover) || + !AddLengthPrefixed(mhf_input.get(), id_verifier) || + !CBB_flush(mhf_input.get())) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + // https://neuromancer.sk/std/nist/P-256 + // sage: p = + // 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff + // ....: K = GF(p) + // ....: a = + // K(0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc) + // ....: b = + // K(0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b) + // ....: E = EllipticCurve(K, (a, b)) + // ....: G = + // E(0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296, + // ....: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5) + // ....: + // E.set_order(0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63 + // ....: 2551 * 0x1) + // sage: k = 64 + // sage: L = (2 * (ceil(log(p)/log(2)) + k)) / 8 + + // RFC 9383 Section 3.2 + constexpr size_t kKDFOutputSize = 80; + constexpr size_t kKDFOutputWords = kKDFOutputSize / BN_BYTES; + + uint8_t key[kKDFOutputSize]; + if (!EVP_PBE_scrypt((const char *)CBB_data(mhf_input.get()), + CBB_len(mhf_input.get()), nullptr, 0, + /*N=*/32768, /*r=*/8, /*p=*/1, + /*max_mem=*/1024 * 1024 * 33, key, kKDFOutputSize)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + const EC_GROUP *group = EC_group_p256(); + BN_ULONG w0_words[kKDFOutputWords / 2]; + bn_big_endian_to_words(w0_words, kKDFOutputWords / 2, key, + kKDFOutputSize / 2); + EC_SCALAR w0; + ec_scalar_reduce(group, &w0, w0_words, kKDFOutputWords / 2); + ScalarToSizedBuffer(group, &w0, out_w0); + + BN_ULONG w1_words[kKDFOutputWords / 2]; + bn_big_endian_to_words(w1_words, kKDFOutputWords / 2, + key + kKDFOutputSize / 2, kKDFOutputSize / 2); + EC_SCALAR w1; + ec_scalar_reduce(group, &w1, w1_words, kKDFOutputWords / 2); + ScalarToSizedBuffer(group, &w1, out_w1); + + EC_JACOBIAN L_j; + EC_AFFINE L; + if (!ec_point_mul_scalar_base(group, &L_j, &w1) || // + !ec_jacobian_to_affine(group, &L, &L_j) || // + !ec_point_to_bytes(group, &L, POINT_CONVERSION_UNCOMPRESSED, + out_registration_record.data(), + kRegistrationRecordSize)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + return true; +} + +Prover::Prover() = default; +Prover::~Prover() = default; + +bool Prover::Init(Span<const uint8_t> context, Span<const uint8_t> id_prover, + Span<const uint8_t> id_verifier, Span<const uint8_t> w0, + Span<const uint8_t> w1, Span<const uint8_t> x) { + const EC_GROUP *group = EC_group_p256(); + + if (!ec_scalar_from_bytes(group, &w0_, w0.data(), w0.size()) || + !ec_scalar_from_bytes(group, &w1_, w1.data(), w1.size()) || + (!x.empty() && + !ec_scalar_from_bytes(group, &x_, x.data(), x.size())) || // + (x.empty() && !ec_random_scalar(group, &x_, kDefaultAdditionalData))) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + InitTranscriptHash(&transcript_hash_, context, id_prover, id_verifier); + + return true; +} + +bool Prover::GenerateShare(Span<uint8_t> out_share) { + if (state_ != State::kInit || out_share.size() != kShareSize) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + // Compute X = x×P + w0×M. + // TODO(crbug.com/383778231): This could be sped up with a constant-time, + // two-point multiplication. + const EC_GROUP *group = EC_group_p256(); + EC_JACOBIAN l; + if (!ec_point_mul_scalar_base(group, &l, &x_)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + EC_JACOBIAN M_j; + ConstantToJacobian(group, &M_j, kM_bytes); + + EC_JACOBIAN r; + if (!ec_point_mul_scalar(group, &r, &M_j, &w0_)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + EC_JACOBIAN X_j; + group->meth->add(group, &X_j, &l, &r); + if (!ec_jacobian_to_affine(group, &X_, &X_j)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + size_t written = ec_point_to_bytes(group, &X_, POINT_CONVERSION_UNCOMPRESSED, + out_share.data(), kShareSize); + BSSL_CHECK(written == kShareSize); + + memcpy(share_, out_share.data(), kShareSize); + state_ = State::kShareGenerated; + return true; +} + +bool Prover::ComputeConfirmation(Span<uint8_t> out_confirm, + Span<uint8_t> out_secret, + Span<const uint8_t> peer_share, + Span<const uint8_t> peer_confirm) { + if (state_ != State::kShareGenerated || out_confirm.size() != kConfirmSize || + out_secret.size() != kSecretSize || peer_share.size() != kShareSize || + peer_confirm.size() != kConfirmSize) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + const EC_GROUP *group = EC_group_p256(); + EC_AFFINE Y; + if (!ec_point_from_uncompressed(group, &Y, peer_share.data(), + peer_share.size())) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + EC_JACOBIAN N_j; + ConstantToJacobian(group, &N_j, kN_bytes); + + EC_JACOBIAN r; + if (!ec_point_mul_scalar(group, &r, &N_j, &w0_)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + ec_felem_neg(group, &r.Y, &r.Y); + + EC_JACOBIAN Y_j; + ec_affine_to_jacobian(group, &Y_j, &Y); + + EC_JACOBIAN t; + group->meth->add(group, &t, &Y_j, &r); + + EC_JACOBIAN tmp; + EC_AFFINE Z, V; + // TODO(crbug.com/383778231): The two affine conversions could be batched + // together. + if (!ec_point_mul_scalar(group, &tmp, &t, &x_) || // + !ec_jacobian_to_affine(group, &Z, &tmp) || // + !ec_point_mul_scalar(group, &tmp, &t, &w1_) || // + !ec_jacobian_to_affine(group, &V, &tmp)) { + return 0; + } + + uint8_t verifier_confirm[kConfirmSize]; + if (!ComputeTranscript(out_confirm.data(), verifier_confirm, + out_secret.data(), share_, peer_share.data(), + &transcript_hash_, &Z, &V, &w0_) || + CRYPTO_memcmp(verifier_confirm, peer_confirm.data(), + sizeof(verifier_confirm)) != 0) { + return 0; + } + + state_ = State::kDone; + return true; +} + +Verifier::Verifier() = default; +Verifier::~Verifier() = default; + +bool Verifier::Init(Span<const uint8_t> context, Span<const uint8_t> id_prover, + Span<const uint8_t> id_verifier, Span<const uint8_t> w0, + Span<const uint8_t> registration_record, + Span<const uint8_t> y) { + const EC_GROUP *group = EC_group_p256(); + + if (!ec_scalar_from_bytes(group, &w0_, w0.data(), w0.size()) || + !ec_point_from_uncompressed(group, &L_, registration_record.data(), + registration_record.size()) || // + (!y.empty() && + !ec_scalar_from_bytes(group, &y_, y.data(), y.size())) || // + (y.empty() && !ec_random_scalar(group, &y_, kDefaultAdditionalData))) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + InitTranscriptHash(&transcript_hash_, context, id_prover, id_verifier); + + return true; +} + + +bool Verifier::ProcessProverShare(Span<uint8_t> out_share, + Span<uint8_t> out_confirm, + Span<uint8_t> out_secret, + Span<const uint8_t> prover_share) { + if (state_ != State::kInit || // + out_share.size() != kShareSize || out_confirm.size() != kConfirmSize || + out_secret.size() != kSecretSize || prover_share.size() != kShareSize) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + const EC_GROUP *group = EC_group_p256(); + EC_JACOBIAN l, r, M_j, N_j; + ConstantToJacobian(group, &M_j, kM_bytes); + ConstantToJacobian(group, &N_j, kN_bytes); + + // Compute Y = y×P + w0×M. + // TODO(crbug.com/383778231): This could be sped up with a constant-time, + // two-point multiplication. + if (!ec_point_mul_scalar_base(group, &l, &y_) || + !ec_point_mul_scalar(group, &r, &N_j, &w0_)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + EC_JACOBIAN Y_j; + EC_AFFINE Y; + group->meth->add(group, &Y_j, &l, &r); + if (!ec_jacobian_to_affine(group, &Y, &Y_j)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + const size_t written = ec_point_to_bytes( + group, &Y, POINT_CONVERSION_UNCOMPRESSED, out_share.data(), kShareSize); + BSSL_CHECK(written == kShareSize); + + EC_JACOBIAN r2; + EC_AFFINE X; + if (!ec_point_from_uncompressed(group, &X, prover_share.data(), + prover_share.size()) || + !ec_point_mul_scalar(group, &r2, &M_j, &w0_)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + ec_felem_neg(group, &r2.Y, &r2.Y); + + EC_JACOBIAN X_j, T; + ec_affine_to_jacobian(group, &X_j, &X); + group->meth->add(group, &T, &X_j, &r2); + + // TODO(crbug.com/383778231): The two affine conversions could be batched + // together. + EC_JACOBIAN tmp; + EC_AFFINE Z; + if (!ec_point_mul_scalar(group, &tmp, &T, &y_) || // + !ec_jacobian_to_affine(group, &Z, &tmp)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + EC_JACOBIAN L_j; + EC_AFFINE V; + ec_affine_to_jacobian(group, &L_j, &L_); + if (!ec_point_mul_scalar(group, &tmp, &L_j, &y_) || // + !ec_jacobian_to_affine(group, &V, &tmp)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + if (!ComputeTranscript(confirm_, out_confirm.data(), out_secret.data(), + prover_share.data(), out_share.data(), + &transcript_hash_, &Z, &V, &w0_)) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + state_ = State::kProverShareSeen; + return true; +} + +bool Verifier::VerifyProverConfirmation(Span<const uint8_t> peer_confirm) { + if (state_ != State::kProverShareSeen || // + peer_confirm.size() != kConfirmSize || // + CRYPTO_memcmp(confirm_, peer_confirm.data(), sizeof(confirm_)) != 0) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR); + return false; + } + + state_ = State::kDone; + return true; +} + +} // namespace spake2plus + +BSSL_NAMESPACE_END
diff --git a/crypto/spake2plus/spake2plus_test.cc b/crypto/spake2plus/spake2plus_test.cc new file mode 100644 index 0000000..35ad18e --- /dev/null +++ b/crypto/spake2plus/spake2plus_test.cc
@@ -0,0 +1,342 @@ +/* Copyright 2024 The BoringSSL Authors + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include <openssl/base.h> + +#include <string> +#include <unordered_map> +#include <utility> +#include <vector> + +#include <stdint.h> +#include <stdio.h> +#include <string.h> + +#include <openssl/bn.h> +#include <openssl/span.h> + +#include <gtest/gtest.h> + +#include "../internal.h" +#include "../test/test_util.h" +#include "./internal.h" + + +BSSL_NAMESPACE_BEGIN + +namespace { + +using namespace spake2plus; + +std::vector<uint8_t> HexToBytes(const char *str) { + std::vector<uint8_t> ret; + if (!DecodeHex(&ret, str)) { + abort(); + } + return ret; +} + +class RegistrationCache { + public: + struct Result { + std::vector<uint8_t> w0, w1, record; + }; + + const Result &Get(const std::pair<std::string, std::string> &names, + const std::string &pw) { + CacheKey key{names.first, names.second, pw}; + + auto it = cache.find(key); + if (it != cache.end()) { + return it->second; + } + + Result output; + output.w0.resize(kVerifierSize); + output.w1.resize(kVerifierSize); + output.record.resize(kRegistrationRecordSize); + + if (!Register(Span(output.w0), Span(output.w1), Span(output.record), + StringAsBytes(pw), StringAsBytes(names.first), + StringAsBytes(names.second))) { + abort(); + } + + return cache.emplace(std::move(key), std::move(output)).first->second; + } + + private: + struct CacheKey { + std::string id_prover, id_verifier, password; + + bool operator==(const CacheKey &other) const { + return std::tie(id_prover, id_verifier, password) == + std::tie(other.id_prover, other.id_verifier, other.password); + } + }; + + struct KeyHash { + std::size_t operator()(const CacheKey &k) const { + return std::hash<std::string>()(k.id_prover) ^ + std::hash<std::string>()(k.id_verifier) ^ + std::hash<std::string>()(k.password); + } + }; + + std::unordered_map<CacheKey, Result, KeyHash> cache; +}; + +RegistrationCache &GlobalRegistrationCache() { + static RegistrationCache cache; + return cache; +} + +struct SPAKEPLUSRun { + bool Run() { + const RegistrationCache::Result ®istration = + GlobalRegistrationCache().Get(prover_names, pw); + + Prover prover; + if (!prover.Init(StringAsBytes(context), StringAsBytes(prover_names.first), + StringAsBytes(prover_names.second), registration.w0, + registration.w1)) { + return false; + } + + std::vector<uint8_t> verifier_registration_record = registration.record; + if (verifier_corrupt_record) { + verifier_registration_record[verifier_registration_record.size() - 1] ^= + 0xFF; + } + + Verifier verifier; + if (!verifier.Init(StringAsBytes(context), + StringAsBytes(verifier_names.first), + StringAsBytes(verifier_names.second), registration.w0, + verifier_registration_record)) { + return false; + } + + uint8_t prover_share[kShareSize]; + if (!prover.GenerateShare(prover_share)) { + return false; + } + + if (repeat_invocations && prover.GenerateShare(prover_share)) { + return false; + } + + if (prover_corrupt_msg_bit && + *prover_corrupt_msg_bit < 8 * sizeof(prover_share)) { + prover_share[*prover_corrupt_msg_bit / 8] ^= + 1 << (*prover_corrupt_msg_bit & 7); + } + + uint8_t verifier_share[kShareSize]; + uint8_t verifier_confirm[kConfirmSize]; + uint8_t verifier_secret[kSecretSize]; + if (!verifier.ProcessProverShare(verifier_share, verifier_confirm, + verifier_secret, prover_share)) { + return false; + } + + if (repeat_invocations && + verifier.ProcessProverShare(verifier_share, verifier_confirm, + verifier_secret, prover_share)) { + return false; + } + + uint8_t prover_confirm[kConfirmSize]; + uint8_t prover_secret[kSecretSize]; + if (!prover.ComputeConfirmation(prover_confirm, prover_secret, + verifier_share, verifier_confirm)) { + return false; + } + + if (repeat_invocations && // + prover.ComputeConfirmation(prover_confirm, prover_secret, + verifier_share, verifier_confirm)) { + return false; + } + + if (prover_corrupt_confirm_bit && + *prover_corrupt_confirm_bit < 8 * sizeof(prover_confirm)) { + prover_confirm[*prover_corrupt_confirm_bit / 8] ^= + 1 << (*prover_corrupt_confirm_bit & 7); + } + + if (!verifier.VerifyProverConfirmation(prover_confirm)) { + return false; + } + + if (repeat_invocations && + verifier.VerifyProverConfirmation(prover_confirm)) { + return false; + } + + key_matches_ = Span(prover_secret) == Span(verifier_secret); + return true; + } + + bool key_matches() const { return key_matches_; } + + std::string context = + "SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors"; + std::string pw = "password"; + std::pair<std::string, std::string> prover_names = {"client", "server"}; + std::pair<std::string, std::string> verifier_names = {"client", "server"}; + bool verifier_corrupt_record = false; + bool repeat_invocations = false; + std::optional<size_t> prover_corrupt_msg_bit; + std::optional<size_t> prover_corrupt_confirm_bit; + + private: + bool key_matches_ = false; +}; + +TEST(SPAKEPLUSTest, TestVectors) { + // https://datatracker.ietf.org/doc/html/rfc9383#appendix-C + // SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors + const char w0_str[] = + "bb8e1bbcf3c48f62c08db243652ae55d3e5586053fca77102994f23ad95491b3"; + const char w1_str[] = + "7e945f34d78785b8a3ef44d0df5a1a97d6b3b460409a345ca7830387a74b1dba"; + const char L_str[] = + "04eb7c9db3d9a9eb1f8adab81b5794c1f13ae3e225efbe91ea487425854c7fc00f00bfed" + "cbd09b2400142d40a14f2064ef31dfaa903b91d1faea7093d835966efd"; + const char x_str[] = + "d1232c8e8693d02368976c174e2088851b8365d0d79a9eee709c6a05a2fad539"; + const char share_p_str[] = + "04ef3bd051bf78a2234ec0df197f7828060fe9856503579bb1733009042c15c0c1de1277" + "27f418b5966afadfdd95a6e4591d171056b333dab97a79c7193e341727"; + const char y_str[] = + "717a72348a182085109c8d3917d6c43d59b224dc6a7fc4f0483232fa6516d8b3"; + const char share_v_str[] = + "04c0f65da0d11927bdf5d560c69e1d7d939a05b0e88291887d679fcadea75810fb5cc1ca" + "7494db39e82ff2f50665255d76173e09986ab46742c798a9a68437b048"; + const char confirm_p_str[] = + "926cc713504b9b4d76c9162ded04b5493e89109f6d89462cd33adc46fda27527"; + const char confirm_v_str[] = + "9747bcc4f8fe9f63defee53ac9b07876d907d55047e6ff2def2e7529089d3e68"; + const char secret_str[] = + "0c5f8ccd1413423a54f6c1fb26ff01534a87f893779c6e68666d772bfd91f3e7"; + const std::string context = + "SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors"; + const std::pair<std::string, std::string> prover_names = {"client", "server"}; + const std::pair<std::string, std::string> verifier_names = {"client", + "server"}; + + std::vector<uint8_t> w0 = HexToBytes(w0_str); + std::vector<uint8_t> w1 = HexToBytes(w1_str); + std::vector<uint8_t> registration_record = HexToBytes(L_str); + std::vector<uint8_t> x = HexToBytes(x_str); + std::vector<uint8_t> y = HexToBytes(y_str); + + Prover prover; + ASSERT_TRUE(prover.Init(StringAsBytes(context), + StringAsBytes(prover_names.first), + StringAsBytes(prover_names.second), MakeConstSpan(w0), + MakeConstSpan(w1), x)); + + Verifier verifier; + ASSERT_TRUE( + verifier.Init(StringAsBytes(context), StringAsBytes(prover_names.first), + StringAsBytes(prover_names.second), MakeConstSpan(w0), + MakeConstSpan(registration_record), y)); + + uint8_t prover_share[kShareSize]; + ASSERT_TRUE(prover.GenerateShare(prover_share)); + + std::vector<uint8_t> share_p = HexToBytes(share_p_str); + ASSERT_TRUE( + OPENSSL_memcmp(share_p.data(), prover_share, sizeof(prover_share)) == 0); + + uint8_t verifier_share[kShareSize]; + uint8_t verifier_confirm[kConfirmSize]; + uint8_t verifier_secret[kSecretSize]; + ASSERT_TRUE(verifier.ProcessProverShare(verifier_share, verifier_confirm, + verifier_secret, prover_share)); + + std::vector<uint8_t> share_v = HexToBytes(share_v_str); + ASSERT_TRUE(OPENSSL_memcmp(share_v.data(), verifier_share, + sizeof(verifier_share)) == 0); + std::vector<uint8_t> confirm_v = HexToBytes(confirm_v_str); + ASSERT_TRUE(OPENSSL_memcmp(confirm_v.data(), verifier_confirm, + sizeof(verifier_confirm)) == 0); + + uint8_t prover_confirm[kConfirmSize]; + uint8_t prover_secret[kSecretSize]; + ASSERT_TRUE(prover.ComputeConfirmation(prover_confirm, prover_secret, + verifier_share, verifier_confirm)); + + std::vector<uint8_t> confirm_p = HexToBytes(confirm_p_str); + ASSERT_TRUE(OPENSSL_memcmp(confirm_p.data(), prover_confirm, + sizeof(prover_confirm)) == 0); + + ASSERT_TRUE(verifier.VerifyProverConfirmation(prover_confirm)); + + std::vector<uint8_t> expected_secret = HexToBytes(secret_str); + static_assert(sizeof(verifier_secret) == sizeof(prover_secret)); + ASSERT_TRUE(OPENSSL_memcmp(prover_secret, verifier_secret, + sizeof(prover_secret)) == 0); + ASSERT_TRUE(OPENSSL_memcmp(expected_secret.data(), verifier_secret, + sizeof(verifier_secret)) == 0); +} + +TEST(SPAKEPLUSTest, SPAKEPLUS) { + for (unsigned i = 0; i < 20; i++) { + SPAKEPLUSRun spake2; + ASSERT_TRUE(spake2.Run()); + EXPECT_TRUE(spake2.key_matches()); + } +} + +TEST(SPAKEPLUSTest, WrongPassword) { + SPAKEPLUSRun spake2; + spake2.verifier_corrupt_record = true; + ASSERT_FALSE(spake2.Run()); +} + +TEST(SPAKEPLUSTest, WrongNames) { + SPAKEPLUSRun spake2; + spake2.prover_names.second = "alice"; + spake2.verifier_names.second = "bob"; + ASSERT_FALSE(spake2.Run()); +} + +TEST(SPAKEPLUSTest, CorruptMessages) { + for (size_t i = 0; i < 8 * kShareSize; i++) { + SPAKEPLUSRun spake2; + spake2.prover_corrupt_msg_bit = i; + EXPECT_FALSE(spake2.Run()) + << "Passed after corrupting Prover's key share message, bit " << i; + } + + for (size_t i = 0; i < 8 * kConfirmSize; i++) { + SPAKEPLUSRun spake2; + spake2.prover_corrupt_confirm_bit = i; + EXPECT_FALSE(spake2.Run()) + << "Passed after corrupting Verifier's confirmation message, bit " << i; + } +} + +TEST(SPAKEPLUSTest, StateMachine) { + SPAKEPLUSRun spake2; + spake2.repeat_invocations = true; + ASSERT_TRUE(spake2.Run()); +} + +} // namespace + +BSSL_NAMESPACE_END
diff --git a/gen/sources.bzl b/gen/sources.bzl index 5af0dd2..35f3af6 100644 --- a/gen/sources.bzl +++ b/gen/sources.bzl
@@ -415,6 +415,7 @@ "crypto/sha/sha512.cc", "crypto/siphash/siphash.cc", "crypto/slhdsa/slhdsa.cc", + "crypto/spake2plus/spake2plus.cc", "crypto/stack/stack.cc", "crypto/thread.cc", "crypto/thread_none.cc", @@ -644,6 +645,7 @@ "crypto/rand_extra/getrandom_fillin.h", "crypto/rand_extra/sysrand_internal.h", "crypto/rsa_extra/internal.h", + "crypto/spake2plus/internal.h", "crypto/trust_token/internal.h", "crypto/x509/ext_dat.h", "crypto/x509/internal.h", @@ -757,6 +759,7 @@ "crypto/self_test.cc", "crypto/siphash/siphash_test.cc", "crypto/slhdsa/slhdsa_test.cc", + "crypto/spake2plus/spake2plus_test.cc", "crypto/stack/stack_test.cc", "crypto/test/gtest_main.cc", "crypto/thread_test.cc",
diff --git a/gen/sources.cmake b/gen/sources.cmake index bbbb9c2..6979e47 100644 --- a/gen/sources.cmake +++ b/gen/sources.cmake
@@ -429,6 +429,7 @@ crypto/sha/sha512.cc crypto/siphash/siphash.cc crypto/slhdsa/slhdsa.cc + crypto/spake2plus/spake2plus.cc crypto/stack/stack.cc crypto/thread.cc crypto/thread_none.cc @@ -662,6 +663,7 @@ crypto/rand_extra/getrandom_fillin.h crypto/rand_extra/sysrand_internal.h crypto/rsa_extra/internal.h + crypto/spake2plus/internal.h crypto/trust_token/internal.h crypto/x509/ext_dat.h crypto/x509/internal.h @@ -781,6 +783,7 @@ crypto/self_test.cc crypto/siphash/siphash_test.cc crypto/slhdsa/slhdsa_test.cc + crypto/spake2plus/spake2plus_test.cc crypto/stack/stack_test.cc crypto/test/gtest_main.cc crypto/thread_test.cc
diff --git a/gen/sources.gni b/gen/sources.gni index b5c3d54..1b40795 100644 --- a/gen/sources.gni +++ b/gen/sources.gni
@@ -415,6 +415,7 @@ "crypto/sha/sha512.cc", "crypto/siphash/siphash.cc", "crypto/slhdsa/slhdsa.cc", + "crypto/spake2plus/spake2plus.cc", "crypto/stack/stack.cc", "crypto/thread.cc", "crypto/thread_none.cc", @@ -644,6 +645,7 @@ "crypto/rand_extra/getrandom_fillin.h", "crypto/rand_extra/sysrand_internal.h", "crypto/rsa_extra/internal.h", + "crypto/spake2plus/internal.h", "crypto/trust_token/internal.h", "crypto/x509/ext_dat.h", "crypto/x509/internal.h", @@ -757,6 +759,7 @@ "crypto/self_test.cc", "crypto/siphash/siphash_test.cc", "crypto/slhdsa/slhdsa_test.cc", + "crypto/spake2plus/spake2plus_test.cc", "crypto/stack/stack_test.cc", "crypto/test/gtest_main.cc", "crypto/thread_test.cc",
diff --git a/gen/sources.json b/gen/sources.json index c4604c8..b2e6b52 100644 --- a/gen/sources.json +++ b/gen/sources.json
@@ -399,6 +399,7 @@ "crypto/sha/sha512.cc", "crypto/siphash/siphash.cc", "crypto/slhdsa/slhdsa.cc", + "crypto/spake2plus/spake2plus.cc", "crypto/stack/stack.cc", "crypto/thread.cc", "crypto/thread_none.cc", @@ -626,6 +627,7 @@ "crypto/rand_extra/getrandom_fillin.h", "crypto/rand_extra/sysrand_internal.h", "crypto/rsa_extra/internal.h", + "crypto/spake2plus/internal.h", "crypto/trust_token/internal.h", "crypto/x509/ext_dat.h", "crypto/x509/internal.h", @@ -738,6 +740,7 @@ "crypto/self_test.cc", "crypto/siphash/siphash_test.cc", "crypto/slhdsa/slhdsa_test.cc", + "crypto/spake2plus/spake2plus_test.cc", "crypto/stack/stack_test.cc", "crypto/test/gtest_main.cc", "crypto/thread_test.cc",