Google Git
Sign in
boringssl / boringssl / 9aa2f99097f36f6aff2648733a8cf96db7d0fe3d / . / ssl / test / runner / spake2plus / spake2plus.go
blob: abef785b3ed98ba675c4605ed354085d674c3614 [file] [log] [blame]
// Copyright 2025 The BoringSSL Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package spake2plus implements RFC 9383 for testing.
package spake2plus
import (
"bytes"
"crypto/elliptic"
"crypto/hkdf"
"crypto/hmac"
"crypto/rand"
"crypto/sha256"
"encoding/binary"
"errors"
"io"
"math/big"
"golang.org/x/crypto/scrypt"
)
const (
verifierSize = 32 // size of w0, w1 in bytes, for P-256
registrationRecordSize = 65 // uncompressed P-256 point size
shareSize = 65
confirmSize = 32
keySize = 32
pbkdfOutputSize = 80
)
type Role int
const (
RoleProver Role = iota
RoleVerifier
)
type state int
const (
stateInit state = iota
stateShareGenerated
stateKeyGenerated
)
type Context struct {
IDProver []byte
IDVerifier []byte
Role Role
curve elliptic.Curve
context []byte
w0 *big.Int
w1 *big.Int
Lx, Ly *big.Int // L point
Mx, My *big.Int // M point
Nx, Ny *big.Int // N point
Xx, Xy *big.Int // X point
Yx, Yy *big.Int // Y point
Zx, Zy *big.Int // Z point
Vx, Vy *big.Int // V point
x *big.Int // ephemeral scalar for prover
y *big.Int // ephemeral scalar for verifier
share []byte
confirm []byte
state state
}
// Hardcoded M and N from the RFC (uncompressed)
var kM = []byte{
0x04, 0x88, 0x6e, 0x2f, 0x97, 0xac, 0xe4, 0x6e, 0x55, 0xba, 0x9d,
0xd7, 0x24, 0x25, 0x79, 0xf2, 0x99, 0x3b, 0x64, 0xe1, 0x6e, 0xf3,
0xdc, 0xab, 0x95, 0xaf, 0xd4, 0x97, 0x33, 0x3d, 0x8f, 0xa1, 0x2f,
0x5f, 0xf3, 0x55, 0x16, 0x3e, 0x43, 0xce, 0x22, 0x4e, 0x0b, 0x0e,
0x65, 0xff, 0x02, 0xac, 0x8e, 0x5c, 0x7b, 0xe0, 0x94, 0x19, 0xc7,
0x85, 0xe0, 0xca, 0x54, 0x7d, 0x55, 0xa1, 0x2e, 0x2d, 0x20,
}
var kN = []byte{
0x04, 0xd8, 0xbb, 0xd6, 0xc6, 0x39, 0xc6, 0x29, 0x37, 0xb0, 0x4d,
0x99, 0x7f, 0x38, 0xc3, 0x77, 0x07, 0x19, 0xc6, 0x29, 0xd7, 0x01,
0x4d, 0x49, 0xa2, 0x4b, 0x4f, 0x98, 0xba, 0xa1, 0x29, 0x2b, 0x49,
0x07, 0xd6, 0x0a, 0xa6, 0xbf, 0xad, 0xe4, 0x50, 0x08, 0xa6, 0x36,
0x33, 0x7f, 0x51, 0x68, 0xc6, 0x4d, 0x9b, 0xd3, 0x60, 0x34, 0x80,
0x8c, 0xd5, 0x64, 0x49, 0x0b, 0x1e, 0x65, 0x6e, 0xdb, 0xe7,
}
func Register(
pw []byte,
idProver []byte,
idVerifier []byte,
) (pwVerifierW0 []byte, pwVerifierW1 []byte, registrationRecord []byte, err error) {
mhfBuf := new(bytes.Buffer)
if err := binary.Write(mhfBuf, binary.LittleEndian, uint64(len(pw))); err != nil {
return nil, nil, nil, err
}
mhfBuf.Write(pw)
if err := binary.Write(mhfBuf, binary.LittleEndian, uint64(len(idProver))); err != nil {
return nil, nil, nil, err
}
mhfBuf.Write(idProver)
if err := binary.Write(mhfBuf, binary.LittleEndian, uint64(len(idVerifier))); err != nil {
return nil, nil, nil, err
}
mhfBuf.Write(idVerifier)
key, err := scrypt.Key(mhfBuf.Bytes(), nil, 32768, 8, 1, pbkdfOutputSize)
if err != nil {
return nil, nil, nil, err
}
curve := elliptic.P256()
N := curve.Params().N
w0 := new(big.Int).SetBytes(key[:pbkdfOutputSize/2])
w0.Mod(w0, N)
w1 := new(big.Int).SetBytes(key[pbkdfOutputSize/2:])
w1.Mod(w1, N)
pwVerifierW0 = make([]byte, verifierSize)
pwVerifierW1 = make([]byte, verifierSize)
copy(pwVerifierW0, w0.Bytes())
copy(pwVerifierW1, w1.Bytes())
Lx, Ly := curve.ScalarBaseMult(w1.Bytes())
L := elliptic.Marshal(curve, Lx, Ly)
registrationRecord = make([]byte, registrationRecordSize)
copy(registrationRecord, L)
return pwVerifierW0, pwVerifierW1, registrationRecord, nil
}
func newContext(
role Role,
context []byte,
idProver []byte,
idVerifier []byte,
pwVerifierW0 []byte,
pwVerifierW1 []byte,
registrationRecord []byte,
x *big.Int,
y *big.Int,
) (*Context, error) {
curve := elliptic.P256()
Mx, My := elliptic.Unmarshal(curve, kM)
if Mx == nil {
return nil, errors.New("invalid M point")
}
Nx, Ny := elliptic.Unmarshal(curve, kN)
if Nx == nil {
return nil, errors.New("invalid N point")
}
ctx := &Context{
Role: role,
curve: curve,
context: append([]byte(nil), context...),
IDProver: append([]byte(nil), idProver...),
IDVerifier: append([]byte(nil), idVerifier...),
Mx: Mx,
My: My,
Nx: Nx,
Ny: Ny,
state: stateInit,
}
N := curve.Params().N
if role == RoleProver {
if pwVerifierW0 == nil || pwVerifierW1 == nil || y != nil {
return nil, errors.New("invalid parameters for prover")
}
ctx.w0 = new(big.Int).SetBytes(pwVerifierW0)
ctx.w1 = new(big.Int).SetBytes(pwVerifierW1)
ctx.w0.Mod(ctx.w0, N)
ctx.w1.Mod(ctx.w1, N)
if x == nil {
xRand, err := randFieldElement(curve)
if err != nil {
return nil, err
}
ctx.x = xRand
} else {
ctx.x = new(big.Int).Set(x)
}
} else {
// Verifier
if pwVerifierW0 == nil || registrationRecord == nil || x != nil {
return nil, errors.New("invalid parameters for verifier")
}
ctx.w0 = new(big.Int).SetBytes(pwVerifierW0)
ctx.w0.Mod(ctx.w0, N)
// Load L
Lx, Ly := elliptic.Unmarshal(curve, registrationRecord)
if Lx == nil {
return nil, errors.New("invalid L point")
}
ctx.Lx, ctx.Ly = Lx, Ly
if y == nil {
yRand, err := randFieldElement(curve)
if err != nil {
return nil, err
}
ctx.y = yRand
} else {
ctx.y = new(big.Int).Set(y)
}
}
return ctx, nil
}
func randFieldElement(curve elliptic.Curve) (*big.Int, error) {
params := curve.Params()
b := make([]byte, (params.BitSize+7)/8)
var k *big.Int
for {
if _, err := rand.Read(b); err != nil {
return nil, err
}
k = new(big.Int).SetBytes(b)
if k.Sign() != 0 && k.Cmp(params.N) < 0 {
break
}
}
return k, nil
}
func NewProver(
context []byte, idProver []byte, idVerifier []byte,
pwVerifierW0 []byte, pwVerifierW1 []byte,
) (*Context, error) {
return newContext(RoleProver, context, idProver, idVerifier,
pwVerifierW0, pwVerifierW1, nil, nil, nil)
}
func NewVerifier(
context []byte, idProver []byte, idVerifier []byte,
pwVerifierW0 []byte, registrationRecord []byte,
) (*Context, error) {
return newContext(RoleVerifier, context, idProver, idVerifier,
pwVerifierW0, nil, registrationRecord, nil, nil)
}
func (ctx *Context) GenerateProverShare() (share []byte, err error) {
if ctx.Role != RoleProver {
return nil, errors.New("invalid state for prover share generation")
}
if ctx.state != stateInit {
return ctx.share, nil
}
curve := ctx.curve
// l = x * G
lx, ly := curve.ScalarBaseMult(ctx.x.Bytes())
// r = w0 * M
rx, ry := curve.ScalarMult(ctx.Mx, ctx.My, ctx.w0.Bytes())
// X = l + r
Xx, Xy := curve.Add(lx, ly, rx, ry)
ctx.Xx, ctx.Xy = Xx, Xy
share = elliptic.Marshal(curve, Xx, Xy)
ctx.share = append([]byte(nil), share...)
ctx.state = stateShareGenerated
return share, nil
}
func updateWithLengthPrefix(h io.Writer, data []byte) {
var lenLe [8]byte
binary.LittleEndian.PutUint64(lenLe[:], uint64(len(data)))
h.Write(lenLe[:])
h.Write(data)
}
func computeTranscriptAndConfirmation(
ctx *Context,
shareP, shareV []byte,
) (proverConfirm, verifierConfirm, sharedSecret []byte, err error) {
curve := ctx.curve
Z := elliptic.Marshal(curve, ctx.Zx, ctx.Zy)
V := elliptic.Marshal(curve, ctx.Vx, ctx.Vy)
h := sha256.New()
updateWithLengthPrefix(h, ctx.context)
updateWithLengthPrefix(h, ctx.IDProver)
updateWithLengthPrefix(h, ctx.IDVerifier)
updateWithLengthPrefix(h, kM)
updateWithLengthPrefix(h, kN)
updateWithLengthPrefix(h, shareP)
updateWithLengthPrefix(h, shareV)
updateWithLengthPrefix(h, Z)
updateWithLengthPrefix(h, V)
updateWithLengthPrefix(h, ctx.w0.Bytes())
K_main := h.Sum(nil)
confirmationStr := []byte("ConfirmationKeys")
keys := doHKDF(K_main, confirmationStr, keySize*2)
secretInfoStr := []byte("SharedKey")
sharedSecret = doHKDF(K_main, secretInfoStr, keySize)
// Prover confirmation = HMAC(keys[:32], shareV)
macP := hmac.New(sha256.New, keys[:keySize])
macP.Write(shareV)
proverConfirm = macP.Sum(nil)
// Verifier confirmation = HMAC(keys[32:], shareP)
macV := hmac.New(sha256.New, keys[keySize:])
macV.Write(shareP)
verifierConfirm = macV.Sum(nil)
return
}
func doHKDF(ikm, info []byte, size int) []byte {
out, err := hkdf.Key(sha256.New, ikm, nil, string(info), size)
if err != nil {
panic(err)
}
return out
}
func (ctx *Context) ProcessProverShare(
proverShare []byte,
) (verifierShare []byte, verifierConfirm []byte, sharedSecret []byte, err error) {
if ctx.Role != RoleVerifier || ctx.state != stateInit || len(proverShare) != shareSize {
return nil, nil, nil, errors.New("invalid state or share")
}
curve := ctx.curve
// Y = y*G + w0*N
lx, ly := curve.ScalarBaseMult(ctx.y.Bytes())
rx, ry := curve.ScalarMult(ctx.Nx, ctx.Ny, ctx.w0.Bytes())
Yx, Yy := curve.Add(lx, ly, rx, ry)
ctx.Yx, ctx.Yy = Yx, Yy
verifierShare = elliptic.Marshal(curve, Yx, Yy)
if px, py := elliptic.Unmarshal(curve, proverShare); px == nil {
return nil, nil, nil, errors.New("invalid prover share")
} else {
ctx.Xx, ctx.Xy = px, py
}
// T = X - w0*M
mx, my := curve.ScalarMult(ctx.Mx, ctx.My, ctx.w0.Bytes())
mx, my = mx, new(big.Int).Neg(my)
my.Mod(my, curve.Params().P)
Tx, Ty := curve.Add(ctx.Xx, ctx.Xy, mx, my)
// Z = (y)*T
Zx, Zy := curve.ScalarMult(Tx, Ty, ctx.y.Bytes())
ctx.Zx, ctx.Zy = Zx, Zy
// V = (y)*L
Vx, Vy := curve.ScalarMult(ctx.Lx, ctx.Ly, ctx.y.Bytes())
ctx.Vx, ctx.Vy = Vx, Vy
proverConfirm, verifierConfirm, sharedSecret, err := computeTranscriptAndConfirmation(ctx, proverShare, verifierShare)
if err != nil {
return nil, nil, nil, err
}
ctx.confirm = proverConfirm
ctx.state = stateKeyGenerated
return verifierShare, verifierConfirm, sharedSecret, nil
}
// computeProverConfirmation (Prover side)
func (ctx *Context) ComputeProverConfirmation(
verifierShare []byte,
claimedVerifierConfirm []byte,
) (proverConfirm []byte, sharedSecret []byte, err error) {
if ctx.Role != RoleProver || ctx.state != stateShareGenerated || len(verifierShare) != shareSize || len(claimedVerifierConfirm) != confirmSize {
return nil, nil, errors.New("invalid state or input")
}
curve := ctx.curve
vx, vy := elliptic.Unmarshal(curve, verifierShare)
if vx == nil {
return nil, nil, errors.New("invalid verifier share")
}
ctx.Yx, ctx.Yy = vx, vy
// T = Y - w0*N
nx, ny := curve.ScalarMult(ctx.Nx, ctx.Ny, ctx.w0.Bytes())
ny.Neg(ny)
ny.Mod(ny, curve.Params().P)
Tx, Ty := curve.Add(ctx.Yx, ctx.Yy, nx, ny)
// Z = x*T
Zx, Zy := curve.ScalarMult(Tx, Ty, ctx.x.Bytes())
ctx.Zx, ctx.Zy = Zx, Zy
// V = w1*T
Vx, Vy := curve.ScalarMult(Tx, Ty, ctx.w1.Bytes())
ctx.Vx, ctx.Vy = Vx, Vy
// Compute transcript
proverConfirm, verifierConfirm, sharedSecret, err := computeTranscriptAndConfirmation(ctx, ctx.share, verifierShare)
if err != nil {
return nil, nil, err
}
// Check verifier confirm
if !hmac.Equal(verifierConfirm, claimedVerifierConfirm) {
return nil, nil, errors.New("verifier confirmation mismatch")
}
ctx.state = stateKeyGenerated
return proverConfirm, sharedSecret, nil
}
// VerifyProverConfirmation (Verifier side)
func (ctx *Context) VerifyProverConfirmation(proverConfirm []byte) error {
if ctx.Role != RoleVerifier || ctx.state != stateKeyGenerated || len(proverConfirm) != confirmSize {
return errors.New("invalid state or input")
}
if !hmac.Equal(ctx.confirm, proverConfirm) {
return errors.New("prover confirmation mismatch")
}
return nil
}