evie/rs-matter
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
rs-matter/matter/src/secure_channel/crypto_openssl.rs

450 lines
14 KiB
Rust
Raw Blame History

/*
*
* Copyright (c) 2020-2022 Project CHIP Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
use crate::error::Error;
use super::crypto::CryptoSpake2;
use byteorder::{ByteOrder, LittleEndian};
use log::error;
use openssl::{
bn::{BigNum, BigNumContext},
ec::{EcGroup, EcPoint, EcPointRef, PointConversionForm},
hash::{Hasher, MessageDigest},
nid::Nid,
};
const MATTER_M_BIN: [u8; 65] = [
0x04, 0x88, 0x6e, 0x2f, 0x97, 0xac, 0xe4, 0x6e, 0x55, 0xba, 0x9d, 0xd7, 0x24, 0x25, 0x79, 0xf2,
0x99, 0x3b, 0x64, 0xe1, 0x6e, 0xf3, 0xdc, 0xab, 0x95, 0xaf, 0xd4, 0x97, 0x33, 0x3d, 0x8f, 0xa1,
0x2f, 0x5f, 0xf3, 0x55, 0x16, 0x3e, 0x43, 0xce, 0x22, 0x4e, 0x0b, 0x0e, 0x65, 0xff, 0x02, 0xac,
0x8e, 0x5c, 0x7b, 0xe0, 0x94, 0x19, 0xc7, 0x85, 0xe0, 0xca, 0x54, 0x7d, 0x55, 0xa1, 0x2e, 0x2d,
0x20,
];
const MATTER_N_BIN: [u8; 65] = [
0x04, 0xd8, 0xbb, 0xd6, 0xc6, 0x39, 0xc6, 0x29, 0x37, 0xb0, 0x4d, 0x99, 0x7f, 0x38, 0xc3, 0x77,
0x07, 0x19, 0xc6, 0x29, 0xd7, 0x01, 0x4d, 0x49, 0xa2, 0x4b, 0x4f, 0x98, 0xba, 0xa1, 0x29, 0x2b,
0x49, 0x07, 0xd6, 0x0a, 0xa6, 0xbf, 0xad, 0xe4, 0x50, 0x08, 0xa6, 0x36, 0x33, 0x7f, 0x51, 0x68,
0xc6, 0x4d, 0x9b, 0xd3, 0x60, 0x34, 0x80, 0x8c, 0xd5, 0x64, 0x49, 0x0b, 0x1e, 0x65, 0x6e, 0xdb,
0xe7,
];
#[allow(non_snake_case)]
pub struct CryptoOpenSSL {
group: EcGroup,
bn_ctx: BigNumContext,
// Stores the randomly generated x or y depending upon who we are
xy: BigNum,
w0: BigNum,
w1: BigNum,
M: EcPoint,
N: EcPoint,
L: EcPoint,
pB: EcPoint,
order: BigNum,
}
impl CryptoSpake2 for CryptoOpenSSL {
#[allow(non_snake_case)]
fn new() -> Result<Self, Error> {
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?;
let mut bn_ctx = BigNumContext::new()?;
let M = EcPoint::from_bytes(&group, &MATTER_M_BIN, &mut bn_ctx)?;
let N = EcPoint::from_bytes(&group, &MATTER_N_BIN, &mut bn_ctx)?;
let L = EcPoint::new(&group)?;
let pB = EcPoint::from_bytes(&group, &MATTER_N_BIN, &mut bn_ctx)?;
let mut order = BigNum::new()?;
group.as_ref().order(&mut order, &mut bn_ctx)?;
Ok(CryptoOpenSSL {
group,
bn_ctx,
xy: BigNum::new()?,
w0: BigNum::new()?,
w1: BigNum::new()?,
order,
M,
N,
pB,
L,
})
}
// Computes w0 from w0s respectively
fn set_w0_from_w0s(&mut self, w0s: &[u8]) -> Result<(), Error> {
// From the Matter Spec,
// w0 = w0s mod p
// where p is the order of the curve
let w0s = BigNum::from_slice(w0s)?;
self.w0.checked_rem(&w0s, &self.order, &mut self.bn_ctx)?;
Ok(())
}
fn set_w1_from_w1s(&mut self, w1s: &[u8]) -> Result<(), Error> {
// From the Matter Spec,
// w1 = w1s mod p
// where p is the order of the curve
let w1s = BigNum::from_slice(w1s)?;
self.w1.checked_rem(&w1s, &self.order, &mut self.bn_ctx)?;
Ok(())
}
fn set_w0(&mut self, w0: &[u8]) -> Result<(), Error> {
self.w0 = BigNum::from_slice(w0)?;
Ok(())
}
fn set_w1(&mut self, w1: &[u8]) -> Result<(), Error> {
self.w1 = BigNum::from_slice(w1)?;
Ok(())
}
fn set_L(&mut self, l: &[u8]) -> Result<(), Error> {
self.L = EcPoint::from_bytes(&self.group, l, &mut self.bn_ctx)?;
Ok(())
}
#[allow(non_snake_case)]
#[allow(dead_code)]
fn set_L_from_w1s(&mut self, w1s: &[u8]) -> Result<(), Error> {
// From the Matter spec,
// L = w1 * P
// where P is the generator of the underlying elliptic curve
self.set_w1_from_w1s(w1s)?;
self.L = EcPoint::new(&self.group)?;
self.L.mul_generator(&self.group, &self.w1, &self.bn_ctx)?;
Ok(())
}
#[allow(non_snake_case)]
fn get_pB(&mut self, pB: &mut [u8]) -> Result<(), Error> {
// From the SPAKE2+ spec (https://datatracker.ietf.org/doc/draft-bar-cfrg-spake2plus/)
// for y
// - select random y between 0 to p
// - Y = y*P + w0*N
// - pB = Y
self.order.rand_range(&mut self.xy)?;
let P = self.group.generator();
self.pB = CryptoOpenSSL::do_add_mul(
P,
&self.xy,
&self.N,
&self.w0,
&self.group,
&mut self.bn_ctx,
)?;
let pB_internal = self.pB.to_bytes(
&self.group,
PointConversionForm::UNCOMPRESSED,
&mut self.bn_ctx,
)?;
let pB_internal = pB_internal.as_slice();
if pB_internal.len() != pB.len() {
error!("pB length mismatch");
return Err(Error::Invalid);
}
pB.copy_from_slice(pB_internal);
Ok(())
}
#[allow(non_snake_case)]
fn get_TT_as_verifier(
&mut self,
context: &[u8],
pA: &[u8],
pB: &[u8],
TT_hash: &mut [u8],
) -> Result<(), Error> {
let mut TT = Hasher::new(MessageDigest::sha256())?;
// context
CryptoOpenSSL::add_to_tt(&mut TT, context)?;
// 2 empty identifiers
CryptoOpenSSL::add_to_tt(&mut TT, &[])?;
CryptoOpenSSL::add_to_tt(&mut TT, &[])?;
// M
CryptoOpenSSL::add_to_tt(&mut TT, &MATTER_M_BIN)?;
// N
CryptoOpenSSL::add_to_tt(&mut TT, &MATTER_N_BIN)?;
// X = pA
CryptoOpenSSL::add_to_tt(&mut TT, pA)?;
// Y = pB
CryptoOpenSSL::add_to_tt(&mut TT, pB)?;
let X = EcPoint::from_bytes(&self.group, pA, &mut self.bn_ctx)?;
let (Z, V) = CryptoOpenSSL::get_ZV_as_verifier(
&self.w0,
&self.L,
&mut self.M,
&X,
&self.xy,
&self.order,
&self.group,
&mut self.bn_ctx,
)?;
// Z
let tmp = Z.to_bytes(
&self.group,
PointConversionForm::UNCOMPRESSED,
&mut self.bn_ctx,
)?;
let tmp = tmp.as_slice();
CryptoOpenSSL::add_to_tt(&mut TT, tmp)?;
// V
let tmp = V.to_bytes(
&self.group,
PointConversionForm::UNCOMPRESSED,
&mut self.bn_ctx,
)?;
let tmp = tmp.as_slice();
CryptoOpenSSL::add_to_tt(&mut TT, tmp)?;
// w0
let tmp = self.w0.to_vec();
let tmp = tmp.as_slice();
CryptoOpenSSL::add_to_tt(&mut TT, tmp)?;
let h = TT.finish()?;
TT_hash.copy_from_slice(h.as_ref());
Ok(())
}
}
impl CryptoOpenSSL {
fn add_to_tt(tt: &mut Hasher, buf: &[u8]) -> Result<(), Error> {
let mut len_buf: [u8; 8] = [0; 8];
LittleEndian::write_u64(&mut len_buf, buf.len() as u64);
tt.update(&len_buf)?;
if buf.len() > 0 {
tt.update(buf)?;
}
Ok(())
}
// Do a*b + c*d
#[inline(always)]
fn do_add_mul(
a: &EcPointRef,
b: &BigNum,
c: &EcPoint,
d: &BigNum,
group: &EcGroup,
bn_ctx: &mut BigNumContext,
) -> Result<EcPoint, Error> {
let mut mul1 = EcPoint::new(group)?;
let mut mul2 = EcPoint::new(group)?;
mul1.mul(group, a, b, bn_ctx)?;
mul2.mul(group, c, d, bn_ctx)?;
let mut result = EcPoint::new(group)?;
result.add(group, &mul1, &mul2, bn_ctx)?;
Ok(result)
}
#[inline(always)]
#[allow(non_snake_case)]
#[allow(dead_code)]
fn get_ZV_as_prover(
w0: &BigNum,
w1: &BigNum,
N: &mut EcPoint,
Y: &EcPoint,
x: &BigNum,
order: &BigNum,
group: &EcGroup,
bn_ctx: &mut BigNumContext,
) -> Result<(EcPoint, EcPoint), Error> {
// As per the RFC, the operation here is:
// Z = h*x*(Y - w0*N)
// V = h*w1*(Y - w0*N)
// We will follow the same sequence as in C++ SDK, under the assumption
// that the same sequence works for all embedded platforms. So the step
// of operations is:
// tmp = x*w0
// Z = x*Y + tmp*N (N is inverted to get the 'negative' effect)
// Z = h*Z (cofactor Mul)
let mut tmp = BigNum::new()?;
tmp.mod_mul(x, w0, order, bn_ctx)?;
N.invert(group, bn_ctx)?;
let Z = CryptoOpenSSL::do_add_mul(Y, x, N, &tmp, group, bn_ctx)?;
// Cofactor for P256 is 1, so that is a No-Op
tmp.mod_mul(w1, w0, order, bn_ctx)?;
let V = CryptoOpenSSL::do_add_mul(Y, w1, N, &tmp, group, bn_ctx)?;
Ok((Z, V))
}
#[inline(always)]
#[allow(non_snake_case)]
#[allow(dead_code)]
fn get_ZV_as_verifier(
w0: &BigNum,
L: &EcPoint,
M: &mut EcPoint,
X: &EcPoint,
y: &BigNum,
order: &BigNum,
group: &EcGroup,
bn_ctx: &mut BigNumContext,
) -> Result<(EcPoint, EcPoint), Error> {
// As per the RFC, the operation here is:
// Z = h*y*(X - w0*M)
// V = h*y*L
// We will follow the same sequence as in C++ SDK, under the assumption
// that the same sequence works for all embedded platforms. So the step
// of operations is:
// tmp = y*w0
// Z = y*X + tmp*M (M is inverted to get the 'negative' effect)
// Z = h*Z (cofactor Mul)
let mut tmp = BigNum::new()?;
tmp.mod_mul(y, w0, order, bn_ctx)?;
M.invert(group, bn_ctx)?;
let Z = CryptoOpenSSL::do_add_mul(X, y, M, &tmp, group, bn_ctx)?;
// Cofactor for P256 is 1, so that is a No-Op
let mut V = EcPoint::new(group)?;
V.mul(group, L, y, bn_ctx)?;
Ok((Z, V))
}
}
#[cfg(test)]
mod tests {
use super::CryptoOpenSSL;
use crate::secure_channel::crypto::CryptoSpake2;
use crate::secure_channel::spake2p_test_vectors::test_vectors::*;
use openssl::bn::BigNum;
use openssl::ec::{EcPoint, PointConversionForm};
#[test]
#[allow(non_snake_case)]
fn test_get_X() {
for t in RFC_T {
let mut c = CryptoOpenSSL::new().unwrap();
let x = BigNum::from_slice(&t.x).unwrap();
c.set_w0(&t.w0).unwrap();
let P = c.group.generator();
let r = CryptoOpenSSL::do_add_mul(P, &x, &c.M, &c.w0, &c.group, &mut c.bn_ctx).unwrap();
assert_eq!(
t.X,
r.to_bytes(&c.group, PointConversionForm::UNCOMPRESSED, &mut c.bn_ctx)
.unwrap()
.as_slice()
);
}
}
#[test]
#[allow(non_snake_case)]
fn test_get_Y() {
for t in RFC_T {
let mut c = CryptoOpenSSL::new().unwrap();
let y = BigNum::from_slice(&t.y).unwrap();
c.set_w0(&t.w0).unwrap();
let P = c.group.generator();
let r = CryptoOpenSSL::do_add_mul(P, &y, &c.N, &c.w0, &c.group, &mut c.bn_ctx).unwrap();
assert_eq!(
t.Y,
r.to_bytes(&c.group, PointConversionForm::UNCOMPRESSED, &mut c.bn_ctx)
.unwrap()
.as_slice()
);
}
}
#[test]
#[allow(non_snake_case)]
fn test_get_ZV_as_prover() {
for t in RFC_T {
let mut c = CryptoOpenSSL::new().unwrap();
let x = BigNum::from_slice(&t.x).unwrap();
c.set_w0(&t.w0).unwrap();
c.set_w1(&t.w1).unwrap();
let Y = EcPoint::from_bytes(&c.group, &t.Y, &mut c.bn_ctx).unwrap();
let (Z, V) = CryptoOpenSSL::get_ZV_as_prover(
&c.w0,
&c.w1,
&mut c.N,
&Y,
&x,
&c.order,
&c.group,
&mut c.bn_ctx,
)
.unwrap();
assert_eq!(
t.Z,
Z.to_bytes(&c.group, PointConversionForm::UNCOMPRESSED, &mut c.bn_ctx)
.unwrap()
.as_slice()
);
assert_eq!(
t.V,
V.to_bytes(&c.group, PointConversionForm::UNCOMPRESSED, &mut c.bn_ctx)
.unwrap()
.as_slice()
);
}
}
#[test]
#[allow(non_snake_case)]
fn test_get_ZV_as_verifier() {
for t in RFC_T {
let mut c = CryptoOpenSSL::new().unwrap();
let y = BigNum::from_slice(&t.y).unwrap();
c.set_w0(&t.w0).unwrap();
let X = EcPoint::from_bytes(&c.group, &t.X, &mut c.bn_ctx).unwrap();
let L = EcPoint::from_bytes(&c.group, &t.L, &mut c.bn_ctx).unwrap();
let (Z, V) = CryptoOpenSSL::get_ZV_as_verifier(
&c.w0,
&L,
&mut c.M,
&X,
&y,
&c.order,
&c.group,
&mut c.bn_ctx,
)
.unwrap();
assert_eq!(
t.Z,
Z.to_bytes(&c.group, PointConversionForm::UNCOMPRESSED, &mut c.bn_ctx)
.unwrap()
.as_slice()
);
assert_eq!(
t.V,
V.to_bytes(&c.group, PointConversionForm::UNCOMPRESSED, &mut c.bn_ctx)
.unwrap()
.as_slice()
);
}
}
}
Reference in a new issue View git blame Copy permalink