Addressing various TODOs and minor cleanups (facebook#127)

PaulGrandperrin · Feb 2, 2021 · 9d3963f · 9d3963f
1 parent be6d042
commit 9d3963f
Show file tree

Hide file tree

Showing 12 changed files with 120 additions and 135 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -13,25 +13,22 @@ readme = "README.md"
 default = ["u64_backend"]
 slow-hash = ["scrypt"]
 bench = []
-u64_backend = ["curve25519-dalek/u64_backend", "x25519-dalek/u64_backend"]
-u32_backend = ["curve25519-dalek/u32_backend", "x25519-dalek/u32_backend"]
+u64_backend = ["curve25519-dalek/u64_backend"]
+u32_backend = ["curve25519-dalek/u32_backend"]
 
 [dependencies]
 curve25519-dalek = { version = "3.0.0", default-features = false, features = ["std"] }
 digest = "0.9.0"
 displaydoc = "0.1.7"
-fiat-crypto = { version = "0.1.5"}
 generic-array = "0.14.4"
 generic-bytes = { version = "0.1.0" }
 generic-bytes-derive = { version = "0.1.0" }
 hkdf = "0.10.0"
 hmac = "0.10.1"
 rand_core = "0.5.1"
 scrypt = { version = "0.5.0", optional = true }
-sha2 = "0.9.2"
 subtle = { version = "2.3.0", default-features = false }
 thiserror = "1.0.22"
-x25519-dalek = { version = "1.1.0", default-features = false, features = ["std"] }
 zeroize = "1.1.1"
 
 [dev-dependencies]
@@ -42,6 +39,7 @@ criterion = "0.3.3"
 hex = "0.4.2"
 lazy_static = "1.4.0"
 serde_json = "1.0.60"
+sha2 = "0.9.2"
 proptest = "0.10.1"
 rand = "0.7"
 rustyline = "7.0.0"

diff --git a/examples/digital_locker.rs b/examples/digital_locker.rs
@@ -34,9 +34,9 @@ use std::process::exit;
 
 use opaque_ke::{
     ciphersuite::CipherSuite, ClientLogin, ClientLoginFinishParameters, ClientLoginStartParameters,
-    ClientRegistration, ClientRegistrationFinishParameters, CredentialRequest, CredentialResponse,
-    RegistrationRequest, RegistrationResponse, RegistrationUpload, ServerLogin,
-    ServerLoginStartParameters, ServerRegistration,
+    ClientRegistration, ClientRegistrationFinishParameters, CredentialFinalization,
+    CredentialRequest, CredentialResponse, RegistrationRequest, RegistrationResponse,
+    RegistrationUpload, ServerLogin, ServerLoginStartParameters, ServerRegistration,
 };
 
 // The ciphersuite trait allows to specify the underlying primitives
@@ -173,9 +173,27 @@ fn open_locker(
         return Err(String::from("Incorrect password, please try again."));
     }
     let client_login_finish_result = result.unwrap();
+    let credential_finalization_bytes = client_login_finish_result.message.serialize();
 
-    // Decrypt contents of locker
-    let plaintext = decrypt(&client_login_finish_result.export_key, &locker.contents);
+    // Client sends credential_finalization_bytes to server
+
+    let server_login_finish_result = server_login_start_result
+        .state
+        .finish(CredentialFinalization::deserialize(&credential_finalization_bytes[..]).unwrap())
+        .unwrap();
+
+    // Server sends locker contents, encrypted under the session key, to the client
+    let encrypted_locker_contents =
+        encrypt(&server_login_finish_result.shared_secret, &locker.contents);
+
+    // Client decrypts contents of locker, first under the shared secret, and then under the export key
+    let plaintext = decrypt(
+        &client_login_finish_result.export_key,
+        &decrypt(
+            &client_login_finish_result.shared_secret,
+            &encrypted_locker_contents,
+        ),
+    );
     String::from_utf8(plaintext).map_err(|_| String::from("UTF8 error"))
 }
 

diff --git a/src/envelope.rs b/src/envelope.rs
@@ -100,6 +100,9 @@ pub(crate) struct Envelope<D: Hash> {
     hmac: GenericArray<u8, <D as Digest>::OutputSize>,
 }
 
+// Note that this struct represents an envelope that has been "opened" with the asssociated
+// key. This key is also used to derive the export_key parameter, which is technically
+// unrelated to the envelope's encrypted and authenticated contents.
 pub(crate) struct OpenedEnvelope<D: Hash> {
     pub(crate) client_s_sk: Vec<u8>,
     pub(crate) export_key: GenericArray<u8, <D as Digest>::OutputSize>,

diff --git a/src/key_exchange/traits.rs b/src/key_exchange/traits.rs
@@ -21,7 +21,6 @@ pub trait KeyExchange<D: Hash, G: Group> {
     type KE3Message: for<'r> TryFrom<&'r [u8], Error = PakeError> + ToBytes;
 
     fn generate_ke1<R: RngCore + CryptoRng>(
-        l1_component: Vec<u8>,
         info: Vec<u8>,
         rng: &mut R,
     ) -> Result<(Self::KE1State, Self::KE1Message), ProtocolError>;
@@ -44,6 +43,7 @@ pub trait KeyExchange<D: Hash, G: Group> {
         l2_component: Vec<u8>,
         ke2_message: Self::KE2Message,
         ke1_state: &Self::KE1State,
+        serialized_credential_request: &[u8],
         server_s_pk: Key,
         client_s_sk: Key,
         id_u: Vec<u8>,

diff --git a/src/key_exchange/tripledh.rs b/src/key_exchange/tripledh.rs
@@ -28,7 +28,6 @@ use rand_core::{CryptoRng, RngCore};
 use std::convert::TryFrom;
 
 const KEY_LEN: usize = 32;
-pub(crate) const NONCE_LEN: usize = 32;
 pub(crate) type NonceLen = U32;
 
 static STR_3DH: &[u8] = b"3DH keys";
@@ -51,15 +50,14 @@ impl<D: Hash, G: Group> KeyExchange<D, G> for TripleDH {
     type KE3Message = KE3Message<<D as FixedOutput>::OutputSize>;
 
     fn generate_ke1<R: RngCore + CryptoRng>(
-        alpha_bytes: Vec<u8>,
         info: Vec<u8>,
         rng: &mut R,
     ) -> Result<(Self::KE1State, Self::KE1Message), ProtocolError> {
         let client_e_kp = KeyPair::<G>::generate_random(rng);
         let client_nonce: GenericArray<u8, NonceLen> = {
-            let mut client_nonce_bytes = [0u8; NONCE_LEN];
+            let mut client_nonce_bytes = vec![0u8; NonceLen::to_usize()];
             rng.fill_bytes(&mut client_nonce_bytes);
-            client_nonce_bytes.into()
+            GenericArray::clone_from_slice(&client_nonce_bytes)
         };
 
         let ke1_message = KE1Message {
@@ -68,14 +66,10 @@ impl<D: Hash, G: Group> KeyExchange<D, G> for TripleDH {
             client_e_pk: client_e_kp.public().clone(),
         };
 
-        // TODO: must match the serialization of a credential request, could be done more cleanly
-        let serialized_credential_request = [alpha_bytes, ke1_message.to_bytes()].concat();
-
         Ok((
             KE1State {
                 client_e_sk: client_e_kp.private().clone(),
                 client_nonce,
-                serialized_credential_request,
             },
             ke1_message,
         ))
@@ -95,9 +89,9 @@ impl<D: Hash, G: Group> KeyExchange<D, G> for TripleDH {
     ) -> Result<(Vec<u8>, Self::KE2State, Self::KE2Message), ProtocolError> {
         let server_e_kp = KeyPair::<G>::generate_random(rng);
         let server_nonce: GenericArray<u8, NonceLen> = {
-            let mut server_nonce_bytes = [0u8; NONCE_LEN];
+            let mut server_nonce_bytes = vec![0u8; NonceLen::to_usize()];
             rng.fill_bytes(&mut server_nonce_bytes);
-            server_nonce_bytes.into()
+            GenericArray::clone_from_slice(&server_nonce_bytes)
         };
 
         let (session_secret, km2, ke2, km3) = derive_3dh_keys::<D, G>(
@@ -169,6 +163,7 @@ impl<D: Hash, G: Group> KeyExchange<D, G> for TripleDH {
         l2_component: Vec<u8>,
         ke2_message: Self::KE2Message,
         ke1_state: &Self::KE1State,
+        serialized_credential_request: &[u8],
         server_s_pk: Key,
         client_s_sk: Key,
         id_u: Vec<u8>,
@@ -190,7 +185,7 @@ impl<D: Hash, G: Group> KeyExchange<D, G> for TripleDH {
         )?;
 
         let transcript: Vec<u8> = [
-            &ke1_state.serialized_credential_request[..],
+            &serialized_credential_request,
             &l2_component[..],
             &ke2_message.to_bytes_without_mac(),
         ]
@@ -258,7 +253,7 @@ impl<D: Hash, G: Group> KeyExchange<D, G> for TripleDH {
     }
 
     fn ke2_message_size() -> usize {
-        NONCE_LEN + KEY_LEN + <<D as FixedOutput>::OutputSize as Unsigned>::to_usize()
+        NonceLen::to_usize() + KEY_LEN + <<D as FixedOutput>::OutputSize as Unsigned>::to_usize()
     }
 }
 
@@ -267,7 +262,6 @@ impl<D: Hash, G: Group> KeyExchange<D, G> for TripleDH {
 pub struct KE1State {
     client_e_sk: Key,
     client_nonce: GenericArray<u8, NonceLen>,
-    serialized_credential_request: Vec<u8>,
 }
 
 /// The first key exchange message
@@ -282,26 +276,21 @@ impl TryFrom<&[u8]> for KE1State {
     type Error = PakeError;
 
     fn try_from(bytes: &[u8]) -> Result<Self, Self::Error> {
-        let checked_bytes = check_slice_size_atleast(bytes, KEY_LEN + NONCE_LEN, "ke1_state")?;
+        let nonce_len = NonceLen::to_usize();
+        let checked_bytes = check_slice_size_atleast(bytes, KEY_LEN + nonce_len, "ke1_state")?;
 
         Ok(Self {
             client_e_sk: Key::from_bytes(&checked_bytes[..KEY_LEN])?,
             client_nonce: GenericArray::clone_from_slice(
-                &checked_bytes[KEY_LEN..KEY_LEN + NONCE_LEN],
+                &checked_bytes[KEY_LEN..KEY_LEN + nonce_len],
             ),
-            serialized_credential_request: checked_bytes[KEY_LEN + NONCE_LEN..].to_vec(),
         })
     }
 }
 
 impl ToBytes for KE1State {
     fn to_bytes(&self) -> Vec<u8> {
-        let output: Vec<u8> = [
-            &self.client_e_sk.to_arr(),
-            &self.client_nonce[..],
-            &self.serialized_credential_request[..],
-        ]
-        .concat();
+        let output: Vec<u8> = [&self.client_e_sk.to_arr(), &self.client_nonce[..]].concat();
         output
     }
 }
@@ -321,15 +310,16 @@ impl TryFrom<&[u8]> for KE1Message {
     type Error = PakeError;
 
     fn try_from(ke1_message_bytes: &[u8]) -> Result<Self, Self::Error> {
+        let nonce_len = NonceLen::to_usize();
         let checked_nonce =
-            check_slice_size_atleast(ke1_message_bytes, NONCE_LEN, "ke1_message nonce")?;
+            check_slice_size_atleast(ke1_message_bytes, nonce_len, "ke1_message nonce")?;
 
-        let (info, remainder) = tokenize(&checked_nonce[NONCE_LEN..], 2)?;
+        let (info, remainder) = tokenize(&checked_nonce[nonce_len..], 2)?;
 
         let checked_client_e_pk = check_slice_size(&remainder, KEY_LEN, "ke1_message client_e_pk")?;
 
         Ok(Self {
-            client_nonce: GenericArray::clone_from_slice(&checked_nonce[..NONCE_LEN]),
+            client_nonce: GenericArray::clone_from_slice(&checked_nonce[..nonce_len]),
             info,
             client_e_pk: Key::from_bytes(&checked_client_e_pk)?,
         })
@@ -401,17 +391,18 @@ impl<HashLen: ArrayLength<u8>> TryFrom<&[u8]> for KE2Message<HashLen> {
     type Error = PakeError;
 
     fn try_from(input: &[u8]) -> Result<Self, Self::Error> {
-        let checked_nonce = check_slice_size_atleast(input, NONCE_LEN, "ke2_message nonce")?;
+        let nonce_len = NonceLen::to_usize();
+        let checked_nonce = check_slice_size_atleast(input, nonce_len, "ke2_message nonce")?;
         let checked_server_e_pk = check_slice_size_atleast(
-            &checked_nonce[NONCE_LEN..],
+            &checked_nonce[nonce_len..],
             KEY_LEN,
             "ke2_message server_e_pk",
         )?;
         let (e_info, remainder) = tokenize(&checked_server_e_pk[KEY_LEN..], 2)?;
         let checked_mac = check_slice_size(&remainder, HashLen::to_usize(), "ke1_message mac")?;
 
         Ok(Self {
-            server_nonce: GenericArray::clone_from_slice(&checked_nonce[..NONCE_LEN]),
+            server_nonce: GenericArray::clone_from_slice(&checked_nonce[..nonce_len]),
             server_e_pk: Key::from_bytes(&checked_server_e_pk[..KEY_LEN])?,
             e_info,
             mac: GenericArray::clone_from_slice(&checked_mac),

diff --git a/src/map_to_curve.rs b/src/map_to_curve.rs
@@ -37,7 +37,6 @@ impl GroupWithMapToCurve for RistrettoPoint {
     // Implements the hash_to_ristretto255() function from
     // https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.txt
     fn map_to_curve<H: Hash>(msg: &[u8], dst: &[u8]) -> Result<Self, InternalPakeError> {
-        // FIXME use generic_array and turn this into a compile-time error if size mismatch
         let uniform_bytes =
             expand_message_xmd::<H>(msg, dst, <H as Digest>::OutputSize::to_usize())?;
         Ok(<Self as Group>::hash_to_curve(

diff --git a/src/messages.rs b/src/messages.rs
@@ -259,12 +259,24 @@ pub struct CredentialResponse<CS: CipherSuite> {
 impl<CS: CipherSuite> CredentialResponse<CS> {
     /// Serialization into bytes
     pub fn serialize(&self) -> Vec<u8> {
-        let mut credential_response: Vec<u8> = Vec::new();
-        credential_response.extend_from_slice(&self.beta.to_arr());
-        credential_response.extend_from_slice(&serialize(&self.server_s_pk.to_arr().to_vec(), 2));
-        credential_response.extend_from_slice(&self.envelope.to_bytes());
-        credential_response.extend_from_slice(&self.ke2_message.to_bytes());
-        credential_response
+        [
+            Self::serialize_without_ke(&self.beta, &self.server_s_pk, &self.envelope),
+            self.ke2_message.to_bytes(),
+        ]
+        .concat()
+    }
+
+    pub(crate) fn serialize_without_ke(
+        beta: &CS::Group,
+        server_s_pk: &Key,
+        envelope: &Envelope<CS::Hash>,
+    ) -> Vec<u8> {
+        [
+            &beta.to_arr(),
+            &serialize(&server_s_pk.to_arr().to_vec(), 2)[..],
+            &envelope.to_bytes(),
+        ]
+        .concat()
     }
 
     /// Deserialization from bytes