DingliZhang/boringssl
1
0
Fork 0
mirror of https://github.com/openeuler-riscv/boringssl.git synced 2026-04-28 08:23:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add SPAKE2+.

Browse Source 
This is an internal-only primitive, at least for now.

Change-Id: I365d42c9df59894ed131fba139efc7c9bbe0ed35
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75107
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
Adam Langley
2025-01-08 13:43:12 -08:00
committed by Boringssl LUCI CQ
parent a8a4fce24d
commit 21f54b2730
11 changed files with 1076 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
AUTHORS
View File

@@ -6,6 +6,7 @@
# source control.
Google LLC
Brian Smith
Apple Inc
# Additionally, much of the code in BoringSSL is derived from code in the
# OpenSSL project. We thank the OpenSSL projects contributors for their

3
build.json
View File

@@ -316,6 +316,7 @@
"crypto/sha/sha256.cc",
"crypto/sha/sha512.cc",
"crypto/siphash/siphash.cc",
"crypto/spake2plus/spake2plus.cc",
"crypto/stack/stack.cc",
"crypto/thread.cc",
"crypto/thread_none.cc",
@@ -542,6 +543,7 @@
"crypto/rand_extra/getrandom_fillin.h",
"crypto/rand_extra/sysrand_internal.h",
"crypto/rsa_extra/internal.h",
"crypto/spake2plus/internal.h",
"crypto/trust_token/internal.h",
"crypto/x509/ext_dat.h",
"crypto/x509/internal.h",
@@ -859,6 +861,7 @@
"crypto/self_test.cc",
"crypto/siphash/siphash_test.cc",
"crypto/slhdsa/slhdsa_test.cc",
"crypto/spake2plus/spake2plus_test.cc",
"crypto/stack/stack_test.cc",
"crypto/test/gtest_main.cc",
"crypto/thread_test.cc",

5
crypto/fipsmodule/ec/internal.h
View File

@@ -73,6 +73,11 @@ OPENSSL_EXPORT int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out,
const BN_ULONG *words, size_t num);
// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from
// zero to |group->order| - 1. It returns one on success and zero on error.
int ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out,
const uint8_t additional_data[32]);
// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from
// 1 to |group->order| - 1. It returns one on success and zero on error.
int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,

10
crypto/fipsmodule/ec/scalar.cc.inc
View File

@@ -16,9 +16,9 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "internal.h"
#include "../bn/internal.h"
#include "../../internal.h"
#include "../bn/internal.h"
#include "internal.h"
int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
@@ -49,6 +49,12 @@ int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
return mask == 0;
}
int ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out,
const uint8_t additional_data[32]) {
return bn_rand_range_words(out->words, 0, group->order.N.d,
group->order.N.width, additional_data);
}
int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
const uint8_t additional_data[32]) {
return bn_rand_range_words(out->words, 1, group->order.N.d,

204
crypto/spake2plus/internal.h Normal file
View File

@@ -0,0 +1,204 @@
/* Copyright 2024 The BoringSSL Authors
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#ifndef OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H
#define OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H
#include <openssl/base.h>
#include <sys/types.h>
#include <openssl/sha.h>
#include <openssl/span.h>
#include "../fipsmodule/ec/internal.h"
BSSL_NAMESPACE_BEGIN
// SPAKE2+.
//
// SPAKE2+ is an augmented password-authenticated key-exchange. It allows
// two parties, a prover and verifier, to derive a strong shared key with no
// risk of disclosing the password, known only to the prover, to the verifier.
// (But note that the verifier can still attempt an offline, brute-force attack
// to recover the password.)
//
// This is an implementation of SPAKE2+ using P-256 as the group, SHA-256 as
// the hash function, HKDF-SHA256 as the key derivation function, and
// HMAC-SHA256 as the message authentication code.
//
// See https://www.rfc-editor.org/rfc/rfc9383.html
namespace spake2plus {
// kShareSize is the size of a SPAKE2+ key share.
constexpr size_t kShareSize = 65;
// kConfirmSize is the size of a SPAKE2+ key confirmation message.
constexpr size_t kConfirmSize = 32;
// kVerifierSize is the size of the w0 and w1 values in the SPAKE2+ protocol.
constexpr size_t kVerifierSize = 32;
// kRegistrationRecordSize is the number of bytes in a registration record,
// which is provided to the verifier.
constexpr size_t kRegistrationRecordSize = 65;
// kSecretSize is the number of bytes of shared secret that the SPAKE2+ protocol
// generates.
constexpr size_t kSecretSize = 32;
// Register computes the values needed in the offline registration
// step of the SPAKE2+ protocol. See the following for more details:
// https://www.rfc-editor.org/rfc/rfc9383.html#section-3.2
//
// The |password| argument is the mandatory prover password. The |out_w0|,
// |out_w1|, and |out_registration_record| arguments are where the password
// verifiers (w0 and w1) and registration record (L) are stored, respectively.
// The prover is given |out_w0| and |out_w1| while the verifier is given
// |out_w0| and |out_registration_record|.
//
// To ensure success, |out_w0| and |out_w1| must be of length |kVerifierSize|,
// and |out_registration_record| of size |kRegistrationRecordSize|.
[[nodiscard]] OPENSSL_EXPORT bool Register(
Span<uint8_t> out_w0, Span<uint8_t> out_w1,
Span<uint8_t> out_registration_record, Span<const uint8_t> password,
Span<const uint8_t> id_prover, Span<const uint8_t> id_verifier);
class OPENSSL_EXPORT Prover {
public:
static constexpr bool kAllowUniquePtr = true;
Prover();
~Prover();
// Init creates a new prover, which can only be used for a single execution of
// the protocol.
//
// The |context| argument is an application-specific value meant to constrain
// the protocol execution. The |w0| and |w1| arguments are password verifier
// values computed during the offline registration phase of the protocol. The
// |id_prover| and |id_verifier| arguments allow optional, opaque names to be
// bound into the protocol. See the following for more information about how
// these identities may be chosen:
// https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2
[[nodiscard]] bool Init(Span<const uint8_t> context,
Span<const uint8_t> id_prover,
Span<const uint8_t> id_verifier,
Span<const uint8_t> w0, Span<const uint8_t> w1,
Span<const uint8_t> x = Span<const uint8_t>());
// GenerateShare computes a SPAKE2+ share and writes it to |out_share|.
//
// This function can only be called once for a given |Prover|. To ensure
// success, |out_share| must be |kShareSize| bytes.
[[nodiscard]] bool GenerateShare(Span<uint8_t> out_share);
// ComputeConfirmation computes a SPAKE2+ key confirmation
// message and writes it to |out_confirm|. It also computes the shared secret
// and writes it to |out_secret|.
//
// This function can only be called once for a given |Prover|.
//
// To ensure success, |out_confirm| must be |kConfirmSize| bytes
// and |out_secret| must be |kSecretSize| bytes.
[[nodiscard]] bool ComputeConfirmation(Span<uint8_t> out_confirm,
Span<uint8_t> out_secret,
Span<const uint8_t> peer_share,
Span<const uint8_t> peer_confirm);
private:
enum class State {
kInit,
kShareGenerated,
kConfirmGenerated,
kDone,
};
State state_ = State::kInit;
SHA256_CTX transcript_hash_;
EC_SCALAR w0_;
EC_SCALAR w1_;
EC_SCALAR x_;
EC_AFFINE X_;
uint8_t share_[kShareSize];
};
class OPENSSL_EXPORT Verifier {
public:
static constexpr bool kAllowUniquePtr = true;
Verifier();
~Verifier();
// Init creates a new verifier, which can only be used for a single execution
// of the protocol.
//
// The |context| argument is an application-specific value meant to constrain
// the protocol execution. The |w0| and |registration_record| arguments are
// required, and are computed by the prover via |Register|. Only the prover
// can produce |w0| and |registration_record|, as they require
// knowledge of the password. The prover must securely transmit this to the
// verifier out-of-band. The |id_prover| and |id_verifier| arguments allow
// optional, opaque names to be bound into the protocol. See the following for
// more information about how these identities may be chosen:
// https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2
[[nodiscard]] bool Init(Span<const uint8_t> context,
Span<const uint8_t> id_prover,
Span<const uint8_t> id_verifier,
Span<const uint8_t> w0,
Span<const uint8_t> registration_record,
Span<const uint8_t> y = Span<const uint8_t>());
// ProcessProverShare computes a SPAKE2+ share from an input share,
// |prover_share|, and writes it to |out_share|. It also computes the key
// confirmation message and writes it to |out_confirm|. Finally, it computes
// the shared secret and writes it to |out_secret|.
//
// This function can only be called once for a given |Verifier|.
//
// To ensure success, |out_share| must be |kShareSize| bytes, |out_confirm|
// must be |kConfirmSize| bytes, and |out_secret| must be |kSecretSize| bytes.
[[nodiscard]] bool ProcessProverShare(Span<uint8_t> out_share,
Span<uint8_t> out_confirm,
Span<uint8_t> out_secret,
Span<const uint8_t> prover_share);
// VerifyProverConfirmation verifies a SPAKE2+ key confirmation message,
// |prover_confirm|.
//
// This function can only be called once for a given |Verifier|.
[[nodiscard]] bool VerifyProverConfirmation(Span<const uint8_t> peer_confirm);
private:
enum class State {
kInit,
kProverShareSeen,
kDone,
};
State state_ = State::kInit;
SHA256_CTX transcript_hash_;
EC_SCALAR w0_;
EC_AFFINE L_;
EC_SCALAR y_;
uint8_t confirm_[kConfirmSize];
};
} // namespace spake2plus
BSSL_NAMESPACE_END
#endif // OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H

501
crypto/spake2plus/spake2plus.cc Normal file
View File

@@ -0,0 +1,501 @@
/* Copyright 2024 The BoringSSL Authors
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <openssl/base.h>
#include <assert.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/bytestring.h>
#include <openssl/crypto.h>
#include <openssl/ec.h>
#include <openssl/evp.h>
#include <openssl/hkdf.h>
#include <openssl/hmac.h>
#include <openssl/mem.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "../fipsmodule/bn/internal.h"
#include "../fipsmodule/ec/internal.h"
#include "../internal.h"
#include "./internal.h"
#include "openssl/err.h"
BSSL_NAMESPACE_BEGIN
namespace spake2plus {
namespace {
const uint8_t kDefaultAdditionalData[32] = {0};
// https://www.rfc-editor.org/rfc/rfc9383.html#appendix-B
// seed: 1.2.840.10045.3.1.7 point generation seed (M)
// M =
// 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f
//
// `M` is interpreted as a X9.62-format compressed point. This is then the
// uncompressed form:
const uint8_t kM_bytes[] = {
0x04, 0x88, 0x6e, 0x2f, 0x97, 0xac, 0xe4, 0x6e, 0x55, 0xba, 0x9d,
0xd7, 0x24, 0x25, 0x79, 0xf2, 0x99, 0x3b, 0x64, 0xe1, 0x6e, 0xf3,
0xdc, 0xab, 0x95, 0xaf, 0xd4, 0x97, 0x33, 0x3d, 0x8f, 0xa1, 0x2f,
0x5f, 0xf3, 0x55, 0x16, 0x3e, 0x43, 0xce, 0x22, 0x4e, 0x0b, 0x0e,
0x65, 0xff, 0x02, 0xac, 0x8e, 0x5c, 0x7b, 0xe0, 0x94, 0x19, 0xc7,
0x85, 0xe0, 0xca, 0x54, 0x7d, 0x55, 0xa1, 0x2e, 0x2d, 0x20};
// https://www.rfc-editor.org/rfc/rfc9383.html#appendix-B
// seed: 1.2.840.10045.3.1.7 point generation seed (N)
// N =
// 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49
//
// `N` is interpreted as a X9.62-format compressed point. This is then the
// uncompressed form:
const uint8_t kN_bytes[] = {
0x04, 0xd8, 0xbb, 0xd6, 0xc6, 0x39, 0xc6, 0x29, 0x37, 0xb0, 0x4d,
0x99, 0x7f, 0x38, 0xc3, 0x77, 0x07, 0x19, 0xc6, 0x29, 0xd7, 0x01,
0x4d, 0x49, 0xa2, 0x4b, 0x4f, 0x98, 0xba, 0xa1, 0x29, 0x2b, 0x49,
0x07, 0xd6, 0x0a, 0xa6, 0xbf, 0xad, 0xe4, 0x50, 0x08, 0xa6, 0x36,
0x33, 0x7f, 0x51, 0x68, 0xc6, 0x4d, 0x9b, 0xd3, 0x60, 0x34, 0x80,
0x8c, 0xd5, 0x64, 0x49, 0x0b, 0x1e, 0x65, 0x6e, 0xdb, 0xe7};
void UpdateWithLengthPrefix(SHA256_CTX *sha, Span<const uint8_t> data) {
uint8_t len_le[8];
CRYPTO_store_u64_le(len_le, data.size());
SHA256_Update(sha, len_le, sizeof(len_le));
SHA256_Update(sha, data.data(), data.size());
}
void ConstantToJacobian(const EC_GROUP *group, EC_JACOBIAN *out,
bssl::Span<const uint8_t> in) {
EC_AFFINE point;
BSSL_CHECK(ec_point_from_uncompressed(group, &point, in.data(), in.size()));
ec_affine_to_jacobian(group, out, &point);
}
void ScalarToSizedBuffer(const EC_GROUP *group, const EC_SCALAR *s,
Span<uint8_t> out_buf) {
size_t out_bytes;
ec_scalar_to_bytes(group, out_buf.data(), &out_bytes, s);
BSSL_CHECK(out_bytes == out_buf.size());
}
bool AddLengthPrefixed(CBB *cbb, Span<const uint8_t> bytes) {
return CBB_add_u64le(cbb, bytes.size()) &&
CBB_add_bytes(cbb, bytes.data(), bytes.size());
}
void InitTranscriptHash(SHA256_CTX *sha, Span<const uint8_t> context,
Span<const uint8_t> id_prover,
Span<const uint8_t> id_verifier) {
SHA256_Init(sha);
UpdateWithLengthPrefix(sha, context);
UpdateWithLengthPrefix(sha, id_prover);
UpdateWithLengthPrefix(sha, id_verifier);
UpdateWithLengthPrefix(sha, kM_bytes);
UpdateWithLengthPrefix(sha, kN_bytes);
}
bool ComputeTranscript(uint8_t out_prover_confirm[kConfirmSize],
uint8_t out_verifier_confirm[kConfirmSize],
uint8_t out_secret[kSecretSize],
const uint8_t prover_share[kShareSize],
const uint8_t verifier_share[kShareSize],
SHA256_CTX *sha, const EC_AFFINE *Z, const EC_AFFINE *V,
const EC_SCALAR *w0) {
const EC_GROUP *group = EC_group_p256();
uint8_t Z_enc[kShareSize];
size_t Z_enc_len = ec_point_to_bytes(group, Z, POINT_CONVERSION_UNCOMPRESSED,
Z_enc, sizeof(Z_enc));
BSSL_CHECK(Z_enc_len == sizeof(Z_enc));
uint8_t V_enc[kShareSize];
size_t V_enc_len = ec_point_to_bytes(group, V, POINT_CONVERSION_UNCOMPRESSED,
V_enc, sizeof(V_enc));
BSSL_CHECK(V_enc_len == sizeof(V_enc));
uint8_t w0_enc[kVerifierSize];
ScalarToSizedBuffer(group, w0, w0_enc);
uint8_t K_main[SHA256_DIGEST_LENGTH];
UpdateWithLengthPrefix(sha, Span(prover_share, kShareSize));
UpdateWithLengthPrefix(sha, Span(verifier_share, kShareSize));
UpdateWithLengthPrefix(sha, Z_enc);
UpdateWithLengthPrefix(sha, V_enc);
UpdateWithLengthPrefix(sha, w0_enc);
SHA256_Final(K_main, sha);
auto confirmation_str = StringAsBytes("ConfirmationKeys");
uint8_t keys[kSecretSize * 2];
if (!HKDF(keys, sizeof(keys), EVP_sha256(), K_main, sizeof(K_main), nullptr,
0, confirmation_str.data(), confirmation_str.size())) {
return false;
}
auto secret_info_str = StringAsBytes("SharedKey");
if (!HKDF(out_secret, kSecretSize, EVP_sha256(), K_main, sizeof(K_main),
nullptr, 0, secret_info_str.data(), secret_info_str.size())) {
return false;
}
unsigned prover_confirm_len;
if (HMAC(EVP_sha256(), keys, kSecretSize, verifier_share, kShareSize,
out_prover_confirm, &prover_confirm_len) == nullptr) {
return false;
}
BSSL_CHECK(prover_confirm_len == kConfirmSize);
unsigned verifier_confirm_len;
if (HMAC(EVP_sha256(), keys + kSecretSize, kSecretSize, prover_share,
kShareSize, out_verifier_confirm,
&verifier_confirm_len) == nullptr) {
return false;
}
BSSL_CHECK(verifier_confirm_len == kConfirmSize);
return true;
}
} // namespace
bool Register(Span<uint8_t> out_w0, Span<uint8_t> out_w1,
Span<uint8_t> out_registration_record,
Span<const uint8_t> password, Span<const uint8_t> id_prover,
Span<const uint8_t> id_verifier) {
if (out_w0.size() != kVerifierSize || out_w1.size() != kVerifierSize ||
out_registration_record.size() != kRegistrationRecordSize) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
// Offline registration format from:
// https://www.rfc-editor.org/rfc/rfc9383.html#section-3.2
ScopedCBB mhf_input;
if (!CBB_init(mhf_input.get(), password.size() + id_prover.size() +
id_verifier.size() +
3 * sizeof(uint64_t)) || //
!AddLengthPrefixed(mhf_input.get(), password) ||
!AddLengthPrefixed(mhf_input.get(), id_prover) ||
!AddLengthPrefixed(mhf_input.get(), id_verifier) ||
!CBB_flush(mhf_input.get())) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
// https://neuromancer.sk/std/nist/P-256
// sage: p =
// 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
// ....: K = GF(p)
// ....: a =
// K(0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc)
// ....: b =
// K(0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b)
// ....: E = EllipticCurve(K, (a, b))
// ....: G =
// E(0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
// ....: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
// ....:
// E.set_order(0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63
// ....: 2551 * 0x1)
// sage: k = 64
// sage: L = (2 * (ceil(log(p)/log(2)) + k)) / 8
// RFC 9383 Section 3.2
constexpr size_t kKDFOutputSize = 80;
constexpr size_t kKDFOutputWords = kKDFOutputSize / BN_BYTES;
uint8_t key[kKDFOutputSize];
if (!EVP_PBE_scrypt((const char *)CBB_data(mhf_input.get()),
CBB_len(mhf_input.get()), nullptr, 0,
/*N=*/32768, /*r=*/8, /*p=*/1,
/*max_mem=*/1024 * 1024 * 33, key, kKDFOutputSize)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
const EC_GROUP *group = EC_group_p256();
BN_ULONG w0_words[kKDFOutputWords / 2];
bn_big_endian_to_words(w0_words, kKDFOutputWords / 2, key,
kKDFOutputSize / 2);
EC_SCALAR w0;
ec_scalar_reduce(group, &w0, w0_words, kKDFOutputWords / 2);
ScalarToSizedBuffer(group, &w0, out_w0);
BN_ULONG w1_words[kKDFOutputWords / 2];
bn_big_endian_to_words(w1_words, kKDFOutputWords / 2,
key + kKDFOutputSize / 2, kKDFOutputSize / 2);
EC_SCALAR w1;
ec_scalar_reduce(group, &w1, w1_words, kKDFOutputWords / 2);
ScalarToSizedBuffer(group, &w1, out_w1);
EC_JACOBIAN L_j;
EC_AFFINE L;
if (!ec_point_mul_scalar_base(group, &L_j, &w1) || //
!ec_jacobian_to_affine(group, &L, &L_j) || //
!ec_point_to_bytes(group, &L, POINT_CONVERSION_UNCOMPRESSED,
out_registration_record.data(),
kRegistrationRecordSize)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
return true;
}
Prover::Prover() = default;
Prover::~Prover() = default;
bool Prover::Init(Span<const uint8_t> context, Span<const uint8_t> id_prover,
Span<const uint8_t> id_verifier, Span<const uint8_t> w0,
Span<const uint8_t> w1, Span<const uint8_t> x) {
const EC_GROUP *group = EC_group_p256();
if (!ec_scalar_from_bytes(group, &w0_, w0.data(), w0.size()) ||
!ec_scalar_from_bytes(group, &w1_, w1.data(), w1.size()) ||
(!x.empty() &&
!ec_scalar_from_bytes(group, &x_, x.data(), x.size())) || //
(x.empty() && !ec_random_scalar(group, &x_, kDefaultAdditionalData))) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
InitTranscriptHash(&transcript_hash_, context, id_prover, id_verifier);
return true;
}
bool Prover::GenerateShare(Span<uint8_t> out_share) {
if (state_ != State::kInit || out_share.size() != kShareSize) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
// Compute X = x×P + w0×M.
// TODO(crbug.com/383778231): This could be sped up with a constant-time,
// two-point multiplication.
const EC_GROUP *group = EC_group_p256();
EC_JACOBIAN l;
if (!ec_point_mul_scalar_base(group, &l, &x_)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
EC_JACOBIAN M_j;
ConstantToJacobian(group, &M_j, kM_bytes);
EC_JACOBIAN r;
if (!ec_point_mul_scalar(group, &r, &M_j, &w0_)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
EC_JACOBIAN X_j;
group->meth->add(group, &X_j, &l, &r);
if (!ec_jacobian_to_affine(group, &X_, &X_j)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
size_t written = ec_point_to_bytes(group, &X_, POINT_CONVERSION_UNCOMPRESSED,
out_share.data(), kShareSize);
BSSL_CHECK(written == kShareSize);
memcpy(share_, out_share.data(), kShareSize);
state_ = State::kShareGenerated;
return true;
}
bool Prover::ComputeConfirmation(Span<uint8_t> out_confirm,
Span<uint8_t> out_secret,
Span<const uint8_t> peer_share,
Span<const uint8_t> peer_confirm) {
if (state_ != State::kShareGenerated || out_confirm.size() != kConfirmSize ||
out_secret.size() != kSecretSize || peer_share.size() != kShareSize ||
peer_confirm.size() != kConfirmSize) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
const EC_GROUP *group = EC_group_p256();
EC_AFFINE Y;
if (!ec_point_from_uncompressed(group, &Y, peer_share.data(),
peer_share.size())) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
EC_JACOBIAN N_j;
ConstantToJacobian(group, &N_j, kN_bytes);
EC_JACOBIAN r;
if (!ec_point_mul_scalar(group, &r, &N_j, &w0_)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
ec_felem_neg(group, &r.Y, &r.Y);
EC_JACOBIAN Y_j;
ec_affine_to_jacobian(group, &Y_j, &Y);
EC_JACOBIAN t;
group->meth->add(group, &t, &Y_j, &r);
EC_JACOBIAN tmp;
EC_AFFINE Z, V;
// TODO(crbug.com/383778231): The two affine conversions could be batched
// together.
if (!ec_point_mul_scalar(group, &tmp, &t, &x_) || //
!ec_jacobian_to_affine(group, &Z, &tmp) || //
!ec_point_mul_scalar(group, &tmp, &t, &w1_) || //
!ec_jacobian_to_affine(group, &V, &tmp)) {
return 0;
}
uint8_t verifier_confirm[kConfirmSize];
if (!ComputeTranscript(out_confirm.data(), verifier_confirm,
out_secret.data(), share_, peer_share.data(),
&transcript_hash_, &Z, &V, &w0_) ||
CRYPTO_memcmp(verifier_confirm, peer_confirm.data(),
sizeof(verifier_confirm)) != 0) {
return 0;
}
state_ = State::kDone;
return true;
}
Verifier::Verifier() = default;
Verifier::~Verifier() = default;
bool Verifier::Init(Span<const uint8_t> context, Span<const uint8_t> id_prover,
Span<const uint8_t> id_verifier, Span<const uint8_t> w0,
Span<const uint8_t> registration_record,
Span<const uint8_t> y) {
const EC_GROUP *group = EC_group_p256();
if (!ec_scalar_from_bytes(group, &w0_, w0.data(), w0.size()) ||
!ec_point_from_uncompressed(group, &L_, registration_record.data(),
registration_record.size()) || //
(!y.empty() &&
!ec_scalar_from_bytes(group, &y_, y.data(), y.size())) || //
(y.empty() && !ec_random_scalar(group, &y_, kDefaultAdditionalData))) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
InitTranscriptHash(&transcript_hash_, context, id_prover, id_verifier);
return true;
}
bool Verifier::ProcessProverShare(Span<uint8_t> out_share,
Span<uint8_t> out_confirm,
Span<uint8_t> out_secret,
Span<const uint8_t> prover_share) {
if (state_ != State::kInit || //
out_share.size() != kShareSize || out_confirm.size() != kConfirmSize ||
out_secret.size() != kSecretSize || prover_share.size() != kShareSize) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
const EC_GROUP *group = EC_group_p256();
EC_JACOBIAN l, r, M_j, N_j;
ConstantToJacobian(group, &M_j, kM_bytes);
ConstantToJacobian(group, &N_j, kN_bytes);
// Compute Y = y×P + w0×M.
// TODO(crbug.com/383778231): This could be sped up with a constant-time,
// two-point multiplication.
if (!ec_point_mul_scalar_base(group, &l, &y_) ||
!ec_point_mul_scalar(group, &r, &N_j, &w0_)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
EC_JACOBIAN Y_j;
EC_AFFINE Y;
group->meth->add(group, &Y_j, &l, &r);
if (!ec_jacobian_to_affine(group, &Y, &Y_j)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
const size_t written = ec_point_to_bytes(
group, &Y, POINT_CONVERSION_UNCOMPRESSED, out_share.data(), kShareSize);
BSSL_CHECK(written == kShareSize);
EC_JACOBIAN r2;
EC_AFFINE X;
if (!ec_point_from_uncompressed(group, &X, prover_share.data(),
prover_share.size()) ||
!ec_point_mul_scalar(group, &r2, &M_j, &w0_)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
ec_felem_neg(group, &r2.Y, &r2.Y);
EC_JACOBIAN X_j, T;
ec_affine_to_jacobian(group, &X_j, &X);
group->meth->add(group, &T, &X_j, &r2);
// TODO(crbug.com/383778231): The two affine conversions could be batched
// together.
EC_JACOBIAN tmp;
EC_AFFINE Z;
if (!ec_point_mul_scalar(group, &tmp, &T, &y_) || //
!ec_jacobian_to_affine(group, &Z, &tmp)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
EC_JACOBIAN L_j;
EC_AFFINE V;
ec_affine_to_jacobian(group, &L_j, &L_);
if (!ec_point_mul_scalar(group, &tmp, &L_j, &y_) || //
!ec_jacobian_to_affine(group, &V, &tmp)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
if (!ComputeTranscript(confirm_, out_confirm.data(), out_secret.data(),
prover_share.data(), out_share.data(),
&transcript_hash_, &Z, &V, &w0_)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
state_ = State::kProverShareSeen;
return true;
}
bool Verifier::VerifyProverConfirmation(Span<const uint8_t> peer_confirm) {
if (state_ != State::kProverShareSeen || //
peer_confirm.size() != kConfirmSize || //
CRYPTO_memcmp(confirm_, peer_confirm.data(), sizeof(confirm_)) != 0) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
return false;
}
state_ = State::kDone;
return true;
}
} // namespace spake2plus
BSSL_NAMESPACE_END

342
crypto/spake2plus/spake2plus_test.cc Normal file
View File

@@ -0,0 +1,342 @@
/* Copyright 2024 The BoringSSL Authors
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <openssl/base.h>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/span.h>
#include <gtest/gtest.h>
#include "../internal.h"
#include "../test/test_util.h"
#include "./internal.h"
BSSL_NAMESPACE_BEGIN
namespace {
using namespace spake2plus;
std::vector<uint8_t> HexToBytes(const char *str) {
std::vector<uint8_t> ret;
if (!DecodeHex(&ret, str)) {
abort();
}
return ret;
}
class RegistrationCache {
public:
struct Result {
std::vector<uint8_t> w0, w1, record;
};
const Result &Get(const std::pair<std::string, std::string> &names,
const std::string &pw) {
CacheKey key{names.first, names.second, pw};
auto it = cache.find(key);
if (it != cache.end()) {
return it->second;
}
Result output;
output.w0.resize(kVerifierSize);
output.w1.resize(kVerifierSize);
output.record.resize(kRegistrationRecordSize);
if (!Register(Span(output.w0), Span(output.w1), Span(output.record),
StringAsBytes(pw), StringAsBytes(names.first),
StringAsBytes(names.second))) {
abort();
}
return cache.emplace(std::move(key), std::move(output)).first->second;
}
private:
struct CacheKey {
std::string id_prover, id_verifier, password;
bool operator==(const CacheKey &other) const {
return std::tie(id_prover, id_verifier, password) ==
std::tie(other.id_prover, other.id_verifier, other.password);
}
};
struct KeyHash {
std::size_t operator()(const CacheKey &k) const {
return std::hash<std::string>()(k.id_prover) ^
std::hash<std::string>()(k.id_verifier) ^
std::hash<std::string>()(k.password);
}
};
std::unordered_map<CacheKey, Result, KeyHash> cache;
};
RegistrationCache &GlobalRegistrationCache() {
static RegistrationCache cache;
return cache;
}
struct SPAKEPLUSRun {
bool Run() {
const RegistrationCache::Result &registration =
GlobalRegistrationCache().Get(prover_names, pw);
Prover prover;
if (!prover.Init(StringAsBytes(context), StringAsBytes(prover_names.first),
StringAsBytes(prover_names.second), registration.w0,
registration.w1)) {
return false;
}
std::vector<uint8_t> verifier_registration_record = registration.record;
if (verifier_corrupt_record) {
verifier_registration_record[verifier_registration_record.size() - 1] ^=
0xFF;
}
Verifier verifier;
if (!verifier.Init(StringAsBytes(context),
StringAsBytes(verifier_names.first),
StringAsBytes(verifier_names.second), registration.w0,
verifier_registration_record)) {
return false;
}
uint8_t prover_share[kShareSize];
if (!prover.GenerateShare(prover_share)) {
return false;
}
if (repeat_invocations && prover.GenerateShare(prover_share)) {
return false;
}
if (prover_corrupt_msg_bit &&
*prover_corrupt_msg_bit < 8 * sizeof(prover_share)) {
prover_share[*prover_corrupt_msg_bit / 8] ^=
1 << (*prover_corrupt_msg_bit & 7);
}
uint8_t verifier_share[kShareSize];
uint8_t verifier_confirm[kConfirmSize];
uint8_t verifier_secret[kSecretSize];
if (!verifier.ProcessProverShare(verifier_share, verifier_confirm,
verifier_secret, prover_share)) {
return false;
}
if (repeat_invocations &&
verifier.ProcessProverShare(verifier_share, verifier_confirm,
verifier_secret, prover_share)) {
return false;
}
uint8_t prover_confirm[kConfirmSize];
uint8_t prover_secret[kSecretSize];
if (!prover.ComputeConfirmation(prover_confirm, prover_secret,
verifier_share, verifier_confirm)) {
return false;
}
if (repeat_invocations && //
prover.ComputeConfirmation(prover_confirm, prover_secret,
verifier_share, verifier_confirm)) {
return false;
}
if (prover_corrupt_confirm_bit &&
*prover_corrupt_confirm_bit < 8 * sizeof(prover_confirm)) {
prover_confirm[*prover_corrupt_confirm_bit / 8] ^=
1 << (*prover_corrupt_confirm_bit & 7);
}
if (!verifier.VerifyProverConfirmation(prover_confirm)) {
return false;
}
if (repeat_invocations &&
verifier.VerifyProverConfirmation(prover_confirm)) {
return false;
}
key_matches_ = Span(prover_secret) == Span(verifier_secret);
return true;
}
bool key_matches() const { return key_matches_; }
std::string context =
"SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors";
std::string pw = "password";
std::pair<std::string, std::string> prover_names = {"client", "server"};
std::pair<std::string, std::string> verifier_names = {"client", "server"};
bool verifier_corrupt_record = false;
bool repeat_invocations = false;
std::optional<size_t> prover_corrupt_msg_bit;
std::optional<size_t> prover_corrupt_confirm_bit;
private:
bool key_matches_ = false;
};
TEST(SPAKEPLUSTest, TestVectors) {
// https://datatracker.ietf.org/doc/html/rfc9383#appendix-C
// SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors
const char w0_str[] =
"bb8e1bbcf3c48f62c08db243652ae55d3e5586053fca77102994f23ad95491b3";
const char w1_str[] =
"7e945f34d78785b8a3ef44d0df5a1a97d6b3b460409a345ca7830387a74b1dba";
const char L_str[] =
"04eb7c9db3d9a9eb1f8adab81b5794c1f13ae3e225efbe91ea487425854c7fc00f00bfed"
"cbd09b2400142d40a14f2064ef31dfaa903b91d1faea7093d835966efd";
const char x_str[] =
"d1232c8e8693d02368976c174e2088851b8365d0d79a9eee709c6a05a2fad539";
const char share_p_str[] =
"04ef3bd051bf78a2234ec0df197f7828060fe9856503579bb1733009042c15c0c1de1277"
"27f418b5966afadfdd95a6e4591d171056b333dab97a79c7193e341727";
const char y_str[] =
"717a72348a182085109c8d3917d6c43d59b224dc6a7fc4f0483232fa6516d8b3";
const char share_v_str[] =
"04c0f65da0d11927bdf5d560c69e1d7d939a05b0e88291887d679fcadea75810fb5cc1ca"
"7494db39e82ff2f50665255d76173e09986ab46742c798a9a68437b048";
const char confirm_p_str[] =
"926cc713504b9b4d76c9162ded04b5493e89109f6d89462cd33adc46fda27527";
const char confirm_v_str[] =
"9747bcc4f8fe9f63defee53ac9b07876d907d55047e6ff2def2e7529089d3e68";
const char secret_str[] =
"0c5f8ccd1413423a54f6c1fb26ff01534a87f893779c6e68666d772bfd91f3e7";
const std::string context =
"SPAKE2+-P256-SHA256-HKDF-SHA256-HMAC-SHA256 Test Vectors";
const std::pair<std::string, std::string> prover_names = {"client", "server"};
const std::pair<std::string, std::string> verifier_names = {"client",
"server"};
std::vector<uint8_t> w0 = HexToBytes(w0_str);
std::vector<uint8_t> w1 = HexToBytes(w1_str);
std::vector<uint8_t> registration_record = HexToBytes(L_str);
std::vector<uint8_t> x = HexToBytes(x_str);
std::vector<uint8_t> y = HexToBytes(y_str);
Prover prover;
ASSERT_TRUE(prover.Init(StringAsBytes(context),
StringAsBytes(prover_names.first),
StringAsBytes(prover_names.second), MakeConstSpan(w0),
MakeConstSpan(w1), x));
Verifier verifier;
ASSERT_TRUE(
verifier.Init(StringAsBytes(context), StringAsBytes(prover_names.first),
StringAsBytes(prover_names.second), MakeConstSpan(w0),
MakeConstSpan(registration_record), y));
uint8_t prover_share[kShareSize];
ASSERT_TRUE(prover.GenerateShare(prover_share));
std::vector<uint8_t> share_p = HexToBytes(share_p_str);
ASSERT_TRUE(
OPENSSL_memcmp(share_p.data(), prover_share, sizeof(prover_share)) == 0);
uint8_t verifier_share[kShareSize];
uint8_t verifier_confirm[kConfirmSize];
uint8_t verifier_secret[kSecretSize];
ASSERT_TRUE(verifier.ProcessProverShare(verifier_share, verifier_confirm,
verifier_secret, prover_share));
std::vector<uint8_t> share_v = HexToBytes(share_v_str);
ASSERT_TRUE(OPENSSL_memcmp(share_v.data(), verifier_share,
sizeof(verifier_share)) == 0);
std::vector<uint8_t> confirm_v = HexToBytes(confirm_v_str);
ASSERT_TRUE(OPENSSL_memcmp(confirm_v.data(), verifier_confirm,
sizeof(verifier_confirm)) == 0);
uint8_t prover_confirm[kConfirmSize];
uint8_t prover_secret[kSecretSize];
ASSERT_TRUE(prover.ComputeConfirmation(prover_confirm, prover_secret,
verifier_share, verifier_confirm));
std::vector<uint8_t> confirm_p = HexToBytes(confirm_p_str);
ASSERT_TRUE(OPENSSL_memcmp(confirm_p.data(), prover_confirm,
sizeof(prover_confirm)) == 0);
ASSERT_TRUE(verifier.VerifyProverConfirmation(prover_confirm));
std::vector<uint8_t> expected_secret = HexToBytes(secret_str);
static_assert(sizeof(verifier_secret) == sizeof(prover_secret));
ASSERT_TRUE(OPENSSL_memcmp(prover_secret, verifier_secret,
sizeof(prover_secret)) == 0);
ASSERT_TRUE(OPENSSL_memcmp(expected_secret.data(), verifier_secret,
sizeof(verifier_secret)) == 0);
}
TEST(SPAKEPLUSTest, SPAKEPLUS) {
for (unsigned i = 0; i < 20; i++) {
SPAKEPLUSRun spake2;
ASSERT_TRUE(spake2.Run());
EXPECT_TRUE(spake2.key_matches());
}
}
TEST(SPAKEPLUSTest, WrongPassword) {
SPAKEPLUSRun spake2;
spake2.verifier_corrupt_record = true;
ASSERT_FALSE(spake2.Run());
}
TEST(SPAKEPLUSTest, WrongNames) {
SPAKEPLUSRun spake2;
spake2.prover_names.second = "alice";
spake2.verifier_names.second = "bob";
ASSERT_FALSE(spake2.Run());
}
TEST(SPAKEPLUSTest, CorruptMessages) {
for (size_t i = 0; i < 8 * kShareSize; i++) {
SPAKEPLUSRun spake2;
spake2.prover_corrupt_msg_bit = i;
EXPECT_FALSE(spake2.Run())
<< "Passed after corrupting Prover's key share message, bit " << i;
}
for (size_t i = 0; i < 8 * kConfirmSize; i++) {
SPAKEPLUSRun spake2;
spake2.prover_corrupt_confirm_bit = i;
EXPECT_FALSE(spake2.Run())
<< "Passed after corrupting Verifier's confirmation message, bit " << i;
}
}
TEST(SPAKEPLUSTest, StateMachine) {
SPAKEPLUSRun spake2;
spake2.repeat_invocations = true;
ASSERT_TRUE(spake2.Run());
}
} // namespace
BSSL_NAMESPACE_END

3
gen/sources.bzl
View File

@@ -415,6 +415,7 @@ crypto_sources = [
"crypto/sha/sha512.cc",
"crypto/siphash/siphash.cc",
"crypto/slhdsa/slhdsa.cc",
"crypto/spake2plus/spake2plus.cc",
"crypto/stack/stack.cc",
"crypto/thread.cc",
"crypto/thread_none.cc",
@@ -644,6 +645,7 @@ crypto_internal_headers = [
"crypto/rand_extra/getrandom_fillin.h",
"crypto/rand_extra/sysrand_internal.h",
"crypto/rsa_extra/internal.h",
"crypto/spake2plus/internal.h",
"crypto/trust_token/internal.h",
"crypto/x509/ext_dat.h",
"crypto/x509/internal.h",
@@ -757,6 +759,7 @@ crypto_test_sources = [
"crypto/self_test.cc",
"crypto/siphash/siphash_test.cc",
"crypto/slhdsa/slhdsa_test.cc",
"crypto/spake2plus/spake2plus_test.cc",
"crypto/stack/stack_test.cc",
"crypto/test/gtest_main.cc",
"crypto/thread_test.cc",

3
gen/sources.cmake
View File

@@ -429,6 +429,7 @@ set(
crypto/sha/sha512.cc
crypto/siphash/siphash.cc
crypto/slhdsa/slhdsa.cc
crypto/spake2plus/spake2plus.cc
crypto/stack/stack.cc
crypto/thread.cc
crypto/thread_none.cc
@@ -662,6 +663,7 @@ set(
crypto/rand_extra/getrandom_fillin.h
crypto/rand_extra/sysrand_internal.h
crypto/rsa_extra/internal.h
crypto/spake2plus/internal.h
crypto/trust_token/internal.h
crypto/x509/ext_dat.h
crypto/x509/internal.h
@@ -781,6 +783,7 @@ set(
crypto/self_test.cc
crypto/siphash/siphash_test.cc
crypto/slhdsa/slhdsa_test.cc
crypto/spake2plus/spake2plus_test.cc
crypto/stack/stack_test.cc
crypto/test/gtest_main.cc
crypto/thread_test.cc

3
gen/sources.gni
View File

@@ -415,6 +415,7 @@ crypto_sources = [
"crypto/sha/sha512.cc",
"crypto/siphash/siphash.cc",
"crypto/slhdsa/slhdsa.cc",
"crypto/spake2plus/spake2plus.cc",
"crypto/stack/stack.cc",
"crypto/thread.cc",
"crypto/thread_none.cc",
@@ -644,6 +645,7 @@ crypto_internal_headers = [
"crypto/rand_extra/getrandom_fillin.h",
"crypto/rand_extra/sysrand_internal.h",
"crypto/rsa_extra/internal.h",
"crypto/spake2plus/internal.h",
"crypto/trust_token/internal.h",
"crypto/x509/ext_dat.h",
"crypto/x509/internal.h",
@@ -757,6 +759,7 @@ crypto_test_sources = [
"crypto/self_test.cc",
"crypto/siphash/siphash_test.cc",
"crypto/slhdsa/slhdsa_test.cc",
"crypto/spake2plus/spake2plus_test.cc",
"crypto/stack/stack_test.cc",
"crypto/test/gtest_main.cc",
"crypto/thread_test.cc",

3
gen/sources.json
View File

@@ -399,6 +399,7 @@
"crypto/sha/sha512.cc",
"crypto/siphash/siphash.cc",
"crypto/slhdsa/slhdsa.cc",
"crypto/spake2plus/spake2plus.cc",
"crypto/stack/stack.cc",
"crypto/thread.cc",
"crypto/thread_none.cc",
@@ -626,6 +627,7 @@
"crypto/rand_extra/getrandom_fillin.h",
"crypto/rand_extra/sysrand_internal.h",
"crypto/rsa_extra/internal.h",
"crypto/spake2plus/internal.h",
"crypto/trust_token/internal.h",
"crypto/x509/ext_dat.h",
"crypto/x509/internal.h",
@@ -738,6 +740,7 @@
"crypto/self_test.cc",
"crypto/siphash/siphash_test.cc",
"crypto/slhdsa/slhdsa_test.cc",
"crypto/spake2plus/spake2plus_test.cc",
"crypto/stack/stack_test.cc",
"crypto/test/gtest_main.cc",
"crypto/thread_test.cc",