From fb2ccf63152e415e5bb1243b1284ef496cf45c03 Mon Sep 17 00:00:00 2001
From: Vitaly Buka
Date: Thu, 4 Dec 2014 09:15:20 -0800
Subject: Allow to get key from SPAKE2 after the first round trip.

The second round trip is optional and is not the part of SPAKE2 algorithm. Application may want to get key and do verification with usefull payload.

BUG=438470
R=agl@chromium.org

Review URL: https://codereview.chromium.org/761663004

Cr-Commit-Position: refs/heads/master@{#306844}
---
 crypto/p224_spake.cc | 10 +++++++++-
 crypto/p224_spake.h | 6 +++++-
 crypto/p224_spake_unittest.cc | 20 +++++++++++---------
 3 files changed, 25 insertions(+), 11 deletions(-)

(limited to 'crypto')

diff --git a/crypto/p224_spake.cc b/crypto/p224_spake.cc
index 31109a4..f20b10c 100644
--- a/crypto/p224_spake.cc
+++ b/crypto/p224_spake.cc
@@ -240,8 +240,16 @@ const std::string& P224EncryptedKeyExchange::error() const {
 return error_;
 }
 
-const std::string& P224EncryptedKeyExchange::GetKey() {
+const std::string& P224EncryptedKeyExchange::GetKey() const {
 DCHECK_EQ(state_, kStateDone);
+ return GetUnverifiedKey();
+}
+
+const std::string& P224EncryptedKeyExchange::GetUnverifiedKey() const {
+ // Key is already final when state is kStateSendHash. Subsequent states are
+ // used only for verification of the key. Some users may combine verification
+ // with sending verifiable data instead of |expected_authenticator_|.
+ DCHECK_GE(state_, kStateSendHash);
 return key_;
 }
 
diff --git a/crypto/p224_spake.h b/crypto/p224_spake.h
index 6905ef2..61451a3 100644
--- a/crypto/p224_spake.h
+++ b/crypto/p224_spake.h
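Review bot: The only guard in `GetUnverifiedKey()` (crypto/p224_spake.cc) is `DCHECK_GE(state_, kStateSendHash)`, which is normally compiled out of release builds, so a caller that asks too early would silently receive whatever `key_` holds at that point, presumably an empty string, and could go on to use it as key material. For an accessor that hands out a secret, an always-on check such as `CHECK_GE(state_, kStateSendHash);` is the safer choice. The comparison also depends on the declaration order of the state enum, which is outside this hunk; a short comment beside the enum saying that the order is load-bearing would protect it from a later reordering. It is also worth confirming what `state_` is after ProcessMessage() returns kResultFailed, since an ordered check would presumably still release the key after a failed confirmation round.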
@@ -68,7 +68,11 @@ class CRYPTO_EXPORT P224EncryptedKeyExchange {
 
 // The key established as result of the key exchange. Must be called
 // at then end after ProcessMessage() returns kResultSuccess.
- const std::string& GetKey();
+ const std::string& GetKey() const;
+
+ // The key established as result of the key exchange. Can be called after
+ // the first ProcessMessage()
+ const std::string& GetUnverifiedKey() const;
 
 private:
 // The authentication state machine is very simple and each party proceeds
diff --git a/crypto/p224_spake_unittest.cc b/crypto/p224_spake_unittest.cc
index 589cdbf..6651c8d 100644
--- a/crypto/p224_spake_unittest.cc
+++ b/crypto/p224_spake_unittest.cc
@@ -13,7 +13,8 @@ namespace crypto {
 namespace {
 
 bool RunExchange(P224EncryptedKeyExchange* client,
- P224EncryptedKeyExchange* server) {
+ P224EncryptedKeyExchange* server,
+ bool is_password_same) {
 for (;;) {
 std::string client_message, server_message;
 client_message = client->GetMessage();
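Review bot: The new comment on `GetUnverifiedKey()` in crypto/p224_spake.h says when the method may be called but not what "unverified" obliges the caller to do: at that point the peer has not shown that it knows the password, and with mismatched passwords the two sides simply hold different keys, which is what the updated unit test asserts. The declaration should carry that contract, for example `// The key after the first ProcessMessage(). NOT yet confirmed: the peer has`, `// not proven knowledge of the password, so the caller must authenticate its` and `// own payload with this key before trusting anything received from the peer.` It would also help to say that GetKey() remains the accessor to use when the built-in confirmation round is run.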
@@ -24,23 +25,24 @@ bool RunExchange(P224EncryptedKeyExchange* client,
 server_result = server->ProcessMessage(client_message);
 
 // Check that we never hit the case where only one succeeds.
- if ((client_result == P224EncryptedKeyExchange::kResultSuccess) ^
- (server_result == P224EncryptedKeyExchange::kResultSuccess)) {
- CHECK(false) << "Parties differ on whether authentication was successful";
- }
+ EXPECT_EQ(client_result == P224EncryptedKeyExchange::kResultSuccess,
+ server_result == P224EncryptedKeyExchange::kResultSuccess);
 
 if (client_result == P224EncryptedKeyExchange::kResultFailed ||
 server_result == P224EncryptedKeyExchange::kResultFailed) {
 return false;
 }
 
+ EXPECT_EQ(is_password_same,
+ client->GetUnverifiedKey() == server->GetUnverifiedKey());
+
 if (client_result == P224EncryptedKeyExchange::kResultSuccess &&
 server_result == P224EncryptedKeyExchange::kResultSuccess) {
 return true;
 }
 
- CHECK_EQ(P224EncryptedKeyExchange::kResultPending, client_result);
- CHECK_EQ(P224EncryptedKeyExchange::kResultPending, server_result);
+ EXPECT_EQ(P224EncryptedKeyExchange::kResultPending, client_result);
+ EXPECT_EQ(P224EncryptedKeyExchange::kResultPending, server_result);
 }
 }
 
@@ -54,7 +56,7 @@ TEST(MutualAuth, CorrectAuth) {
 P224EncryptedKeyExchange server(
 P224EncryptedKeyExchange::kPeerTypeServer, kPassword);
 
- EXPECT_TRUE(RunExchange(&client, &server));
+ EXPECT_TRUE(RunExchange(&client, &server, true));
 EXPECT_EQ(client.GetKey(), server.GetKey());
 }
 
@@ -66,7 +68,7 @@ TEST(MutualAuth, IncorrectPassword) {
 P224EncryptedKeyExchange::kPeerTypeServer,
 "wrongpassword");
 
- EXPECT_FALSE(RunExchange(&client, &server));
+ EXPECT_FALSE(RunExchange(&client, &server, false));
 }
 
 TEST(MutualAuth, Fuzz) {
--
cgit v1.1
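Review bot: Replacing `CHECK(false)` with a non-fatal `EXPECT_EQ` at the top of the loop in RunExchange() (crypto/p224_spake_unittest.cc) means a disagreement between the two parties no longer stops the exchange: when one side reports kResultSuccess and the other kResultPending, none of the later `return` statements fires and the `for (;;)` goes round again with a party that has already finished. The two `EXPECT_EQ(...kResultPending...)` lines at the bottom of the loop have the same property. Returning right after the mismatch keeps the failure report and ends the loop, e.g. `if ((client_result == P224EncryptedKeyExchange::kResultSuccess) != (server_result == P224EncryptedKeyExchange::kResultSuccess)) return false;`. The body of RunExchange() starts in the previous hunk.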