
  1. /**
  2. * Copyright (c) 2016 - 2018, Nordic Semiconductor ASA
  3. *
  4. * All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without modification,
  7. * are permitted provided that the following conditions are met:
  8. *
  9. * 1. Redistributions of source code must retain the above copyright notice, this
  10. * list of conditions and the following disclaimer.
  11. *
  12. * 2. Redistributions in binary form, except as embedded into a Nordic
  13. * Semiconductor ASA integrated circuit in a product or a software update for
  14. * such product, must reproduce the above copyright notice, this list of
  15. * conditions and the following disclaimer in the documentation and/or other
  16. * materials provided with the distribution.
  17. *
  18. * 3. Neither the name of Nordic Semiconductor ASA nor the names of its
  19. * contributors may be used to endorse or promote products derived from this
  20. * software without specific prior written permission.
  21. *
  22. * 4. This software, with or without modification, must only be used with a
  23. * Nordic Semiconductor ASA integrated circuit.
  24. *
  25. * 5. Any software provided in binary form under this license must not be reverse
  26. * engineered, decompiled, modified and/or disassembled.
  27. *
  28. * THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
  29. * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  30. * OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
  31. * DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
  32. * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  33. * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
  34. * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  35. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  36. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
  37. * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  38. *
  39. */
  40. /**@file
  41. * SRP is an augmented password-authenticated key agreement protocol,
  42. * specifically designed to work around existing patents. SRP allows the use of
  43. * user names and passwords over unencrypted channels and supplies a shared
  44. * secret at the end of the authentication sequence that can be used to generate
  45. * encryption keys.
  46. *
  47. * An eavesdropper or man in the middle cannot obtain enough information to
  48. * brute-force guess the password offline: every guess requires a further
  49. * interaction with one of the parties.
  50. *
  51. * The server does not store password-equivalent data. This means that an
  52. * attacker who steals the server data cannot masquerade as the client unless
  53. * they first perform a brute force search for the password.
  54. *
  55. * The specific variant implemented here is SRP-6 3072 bit SHA-512 as mandated
  56. * by Apple for use with HomeKit.
  57. *
  58. * @see [RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication](https://tools.ietf.org/html/rfc5054)
  59. * @see [The Stanford SRP Homepage](http://srp.stanford.edu)
  60. *
  61. * **Basic protocol overview**
  62. *
  63. * *Setup*
  64. * 1. Server generates a username / password combination together with a salt.
  65. * 2. Server derives a password verifier (see #occ_srp_verifier).
  66. * 3. The username, salt and verifier are stored and required to open sessions.
  67. * The original password is no longer needed.
  68. *
  69. * *Session opening*
  70. * 1. Client sends a username and the public key of an ephemeral key pair to the
  71. * server.
  72. * 2. Server sends the salt and the public key of another ephemeral key pair to
  73. * the client (see #occ_srp_public_key).
  74. * 3. Client and Server both compute the session key from this information (see
  75. * #occ_srp_scrambling_parameter, #occ_srp_premaster_secret,
  76. * #occ_srp_session_key).
  77. * 4. Client sends proof of the session key to the server.
  78. * 5. Server validates proof (see #occ_srp_proof_m1), then sends proof of the
  79. * session key to the client (see #occ_srp_proof_m2).
  80. * 6. Client validates proof. Both parties know that they share the same private
  81. * session key.
  82. */
  83. #ifndef OCC_SRP_H
  84. #define OCC_SRP_H
  85. #include <stdint.h>
  86. #include <stddef.h>
  87. /**
  88. * Salt length.
  89. */
  90. #define occ_srp_SALT_BYTES (16)
  91. /**
  92. * Password verifier length.
  93. */
  94. #define occ_srp_VERIFIER_BYTES (384)
  95. /**
  96. * Secret key length.
  97. */
  98. #define occ_srp_SECRET_KEY_BYTES (32)
  99. /**
  100. * Public key length.
  101. */
  102. #define occ_srp_PUBLIC_KEY_BYTES (384)
  103. /**
  104. * Scrambling parameter length.
  105. */
  106. #define occ_srp_SCRAMBLING_PARAMETER_BYTES (64)
  107. /**
  108. * Premaster secret length.
  109. */
  110. #define occ_srp_PREMASTER_SECRET_BYTES (384)
  111. /**
  112. * Session key length.
  113. */
  114. #define occ_srp_SESSION_KEY_BYTES (64)
  115. /**
  116. * Proof length.
  117. */
  118. #define occ_srp_PROOF_BYTES (64)
  119. /**@name SRP-6 Password verifier generation.
  120. *
  121. * A password verifier is generated from a user name and a password. The
  122. * password @p pass may be discarded, as only the verifier is used during later
  123. * computations.
  124. *
  125. * **Example**
  126. * @include occ_srp_verifier.c
  127. */
  128. /**@{*/
  129. /**
  130. * SRP-6 Password Verifier.
  131. *
  132. * The verifier is generated for a given user name @p user, a password @p pass
  133. * and salt @p salt.
  134. *
  135. * @param[out] v Generated password verifier, must be 32 bit aligned.
  136. * @param salt Salt.
  137. * @param user User name.
  138. * @param user_len Length of @p user.
  139. * @param pass Password.
  140. * @param pass_len Length of @p pass.
  141. */
  142. void occ_srp_verifier(uint8_t v[occ_srp_VERIFIER_BYTES],
  143. const uint8_t salt[occ_srp_SALT_BYTES],
  144. const uint8_t *user, size_t user_len,
  145. const uint8_t *pass, size_t pass_len);
  146. /**@}*/
  147. /**@name SRP-6 Public key generation.
  148. *
  149. * An ephemeral key pair, to be used when opening a new session, is generated
  150. * from the password verifier.
  151. *
  152. * **Example**
  153. * @include occ_srp_public_key.c
  154. */
  155. /**@{*/
  156. /**
  157. * SRP-6 Public Key.
  158. *
  159. * The public key for a given private key @p priv_b is generated using the
  160. * password verifier @p v and put into @p pub_b.
  161. *
  162. * @param[out] pub_b Generated public key, must be 32 bit aligned.
  163. * @param priv_b Private key.
  164. * @param v Password verifier.
  165. */
  166. void occ_srp_public_key(uint8_t pub_b[occ_srp_PUBLIC_KEY_BYTES],
  167. const uint8_t priv_b[occ_srp_SECRET_KEY_BYTES],
  168. const uint8_t v[occ_srp_VERIFIER_BYTES]);
  169. /**@}*/
  170. /**@name SRP-6 Session key generation.
  171. *
  172. * A premaster secret can be derived from both the client's and server's public
  173. * keys, the server's private key and the password verifier. A shared session
  174. * key can be generated from this premaster secret.
  175. *
  176. * **Example**
  177. * @include occ_srp_session_key.c
  178. */
  179. /**@{*/
  180. /**
  181. * SRP-6 Scrambling Parameter.
  182. *
  183. * The scrambling parameter is computed from both the client's public key
  184. * @p pub_a and the server's public key @p pub_b. The scrambling parameter
  185. * is required to compute the premaster secret.
  186. *
  187. * @param[out] u Generated scrambling parameter.
  188. * @param pub_a Client public key.
  189. * @param pub_b Server public key.
  190. */
  191. void occ_srp_scrambling_parameter(uint8_t u[occ_srp_SCRAMBLING_PARAMETER_BYTES],
  192. const uint8_t pub_a[occ_srp_PUBLIC_KEY_BYTES],
  193. const uint8_t pub_b[occ_srp_PUBLIC_KEY_BYTES]);
  194. /**
  195. * SRP-6 Premaster Secret.
  196. *
  197. * The premaster secret between the client and the server is computed using the
  198. * client public key @p pub_a, the server private key @p priv_b, the scrambling
  199. * parameter @p u and the password verifier @p v. If the client public key
  200. * @p pub_a is valid, the premaster secret is then put into @p s. The premaster
  201. * secret can be used to generate encryption keys.
  202. *
  203. * @param[out] s Generated premaster secret, must be 32 bit aligned.
  204. * @param pub_a Client public key.
  205. * @param priv_b Server private key.
  206. * @param u Scrambling parameter; generated with @c occ_srp_scrambling_parameter.
  207. * @param v Password verifier.
  208. *
  209. * @returns 0 If @p pub_a is a legal public key.
  210. * @returns 1 Otherwise; the premaster secret is only put into @p s for a valid @p pub_a.
  211. */
  212. int occ_srp_premaster_secret(uint8_t s[occ_srp_PREMASTER_SECRET_BYTES],
  213. const uint8_t pub_a[occ_srp_PUBLIC_KEY_BYTES],
  214. const uint8_t priv_b[occ_srp_SECRET_KEY_BYTES],
  215. const uint8_t u[occ_srp_SCRAMBLING_PARAMETER_BYTES],
  216. const uint8_t v[occ_srp_VERIFIER_BYTES]);
  217. /**
  218. * SRP-6 SRP Session Key.
  219. *
  220. * Generates the shared SRP session key from the premaster secret @p s and puts
  221. * it into @p k.
  222. *
  223. * @param[out] k Generated SRP session key.
  224. * @param s Premaster secret.
  225. */
  226. void occ_srp_session_key(uint8_t k[occ_srp_SESSION_KEY_BYTES],
  227. const uint8_t s[occ_srp_PREMASTER_SECRET_BYTES]);
  228. /**@}*/
  229. /**@name SRP-6 Proof exchange.
  230. *
  231. * Proofs are exchanged from client to server and vice versa to ensure that both
  232. * parties computed the same shared session key. The proofs only match if the
  233. * correct password is used by the client.
  234. *
  235. * **Example**
  236. * @include occ_srp_proof.c
  237. */
  238. /**@{*/
  239. /**
  240. * SRP-6 Proof M1 (client to server).
  241. *
  242. * A proof is generated by the client and sent to the server to assert that the
  243. * client is in possession of the shared session key @p k. The server also
  244. * generates the proof. The process can continue only if the proofs match.
  245. * The proof is based on the user name @p user, the salt @p salt, the client
  246. * public key @p pub_a, the server public key @p pub_b and the shared session key @p k.
  247. *
  248. * @param[out] m1 Generated proof.
  249. * @param user User name.
  250. * @param user_len Length of @p user.
  251. * @param salt Salt.
  252. * @param pub_a Client public key.
  253. * @param pub_b Server public key.
  254. * @param k Session key.
  255. */
  256. void occ_srp_proof_m1(uint8_t m1[occ_srp_PROOF_BYTES],
  257. const uint8_t *user, size_t user_len,
  258. const uint8_t salt[occ_srp_SALT_BYTES],
  259. const uint8_t pub_a[occ_srp_PUBLIC_KEY_BYTES],
  260. const uint8_t pub_b[occ_srp_PUBLIC_KEY_BYTES],
  261. const uint8_t k[occ_srp_SESSION_KEY_BYTES]);
  262. /**
  263. * SRP-6 Proof M2 (server to client).
  264. *
  265. * A second proof is generated by the server and sent back to the client to
  266. * assert that the server is in possession of the shared session key @p k. The
  267. * client also generates the proof. If the proofs match, both parties can assume
  268. * that they share the same session key @p k. The second proof is based on the
  269. * client public key @p pub_a, the first proof @p m1 and the session key @p k.
  270. *
  271. * @param[out] m2 Generated proof.
  272. * @param pub_a Client public key.
  273. * @param m1 First proof; generated with @c occ_srp_proof_m1.
  274. * @param k Session key.
  275. */
  276. void occ_srp_proof_m2(uint8_t m2[occ_srp_PROOF_BYTES],
  277. const uint8_t pub_a[occ_srp_PUBLIC_KEY_BYTES],
  278. const uint8_t m1[occ_srp_PROOF_BYTES],
  279. const uint8_t k[occ_srp_SESSION_KEY_BYTES]);
  280. /**@}*/
  281. #endif