#![forbid(unsafe_code)] #![warn(rust_2018_idioms, unused_qualifications)] #![doc(html_logo_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo_small.png")] #![doc = include_str!("../README.md")] //! # Usage //! //! Alice and Bob both initialize their SPAKE2 instances with the same (weak) //! password. They will exchange messages to (hopefully) derive a shared secret //! key. The protocol is symmetric: for each operation that Alice does, Bob will //! do the same. //! //! However, there are two roles in the SPAKE2 protocol, "A" and "B". The two //! sides must agree ahead of time which one will play which role (the //! messages they generate depend upon which side they play). There are two //! separate constructor functions, `start_a()` and `start_b()`, and a //! complete interaction will use one of each (one `start_a` on one computer, //! and one `start_b` on the other computer). //! //! Each instance of a SPAKE2 protocol uses a set of shared parameters. These //! include a group, a generator, and a pair of arbitrary group elements. //! This library comes a single pre-generated parameter set, but could be //! extended with others. //! //! You start by calling `start_a()` (or `_b)` with the password and identity //! strings for both sides. This gives you back a state object and the first //! message, which you must send to your partner. Once you receive the //! corresponding inbound message, you pass it into the state object //! (consuming both in the process) by calling `s.finish()`, and you get back //! the shared key as a bytestring. //! //! The password and identity strings must each be wrapped in a "newtype", //! which is a simple `struct` that protects against swapping the different //! types of bytestrings. //! //! Thus a client-side program start with: //! //! ```rust //! use spake2::{Ed25519Group, Identity, Password, SPAKE2}; //! # fn send(msg: &[u8]) {} //! let (s1, outbound_msg) = SPAKE2::::start_a( //! &Password::new(b"password"), //! &Identity::new(b"client id string"), //! &Identity::new(b"server id string")); //! send(&outbound_msg); //! //! # fn receive() -> Vec { let (s2, i2) = SPAKE2::::start_b(&Password::new(b"password"), &Identity::new(b"client id string"), &Identity::new(b"server id string")); i2 } //! let inbound_msg = receive(); //! let key1 = s1.finish(&inbound_msg).unwrap(); //! ``` //! //! while the server-side might do: //! //! ```rust //! # fn send(msg: &[u8]) {} //! use spake2::{Ed25519Group, Identity, Password, SPAKE2}; //! let (s1, outbound_msg) = SPAKE2::::start_b( //! &Password::new(b"password"), //! &Identity::new(b"client id string"), //! &Identity::new(b"server id string")); //! send(&outbound_msg); //! //! # fn receive() -> Vec { let (s2, i2) = SPAKE2::::start_a(&Password::new(b"password"), &Identity::new(b"client id string"), &Identity::new(b"server id string")); i2 } //! let inbound_msg = receive(); //! let key2 = s1.finish(&inbound_msg).unwrap(); //! ``` //! //! If both sides used the same password, and there is no man-in-the-middle, //! then `key1` and `key2` will be identical. If not, the two sides will get //! different keys. When one side encrypts with `key1`, and the other side //! attempts to decrypt with `key2`, they'll get nothing but garbled noise. //! //! The shared key can be used as an HMAC key to provide data integrity on //! subsequent messages, or as an authenticated-encryption key (e.g. //! nacl.secretbox). It can also be fed into [HKDF][1] to derive other //! session keys as necessary. //! //! The `SPAKE2` instances, and the messages they create, are single-use. Create //! a new one for each new session. `finish` consumes the instance. //! //! # Symmetric Usage //! //! A single SPAKE2 instance must be used asymmetrically: the two sides must //! somehow decide (ahead of time) which role they will each play. The //! implementation includes the side identifier in the exchanged message to //! guard against a `start_a` talking to another `start_a`. Typically a //! "client" will take on the `A` role, and the "server" will be `B`. //! //! This is a nuisance for more egalitarian protocols, where there's no clear //! way to assign these roles ahead of time. In this case, use //! `start_symmetric()` on both sides. This uses a different set of //! parameters (so it is not interoperable with `start_A` or `start_b`), but //! should otherwise behave the same way. The symmetric mode uses only one //! identity string, not two. //! //! Carol does: //! //! ```rust //! # fn send(msg: &[u8]) {} //! use spake2::{Ed25519Group, Identity, Password, SPAKE2}; //! let (s1, outbound_msg) = SPAKE2::::start_symmetric( //! &Password::new(b"password"), //! &Identity::new(b"shared id string")); //! send(&outbound_msg); //! //! # fn receive() -> Vec { let (s2, i2) = SPAKE2::::start_symmetric(&Password::new(b"password"), &Identity::new(b"shared id string")); i2 } //! let inbound_msg = receive(); //! let key1 = s1.finish(&inbound_msg).unwrap(); //! ``` //! //! Dave does exactly the same: //! //! ```rust //! # fn send(msg: &[u8]) {} //! use spake2::{Ed25519Group, Identity, Password, SPAKE2}; //! let (s1, outbound_msg) = SPAKE2::::start_symmetric( //! &Password::new(b"password"), //! &Identity::new(b"shared id string")); //! send(&outbound_msg); //! //! # fn receive() -> Vec { let (s2, i2) = SPAKE2::::start_symmetric(&Password::new(b"password"), &Identity::new(b"shared id string")); i2 } //! let inbound_msg = receive(); //! let key1 = s1.finish(&inbound_msg).unwrap(); //! ``` //! //! # Identifier Strings //! //! The SPAKE2 protocol includes a pair of "identity strings" `idA` and `idB` //! that are included in the final key-derivation hash. This binds the key to a //! single pair of parties, or for some specific purpose. //! //! For example, when user "alice" logs into "example.com", both sides should set //! `idA = b"alice"` and `idB = b"example.com"`. This prevents an attacker from //! substituting messages from unrelated login sessions (other users on the same //! server, or other servers for the same user). //! //! This also makes sure the session is established with the correct service. If //! Alice has one password for "example.com" but uses it for both login and //! file-transfer services, `idB` should be different for the two services. //! Otherwise if Alice is simultaneously connecting to both services, and //! attacker could rearrange the messages and cause her login client to connect //! to the file-transfer server, and vice versa. //! //! `idA` and `idB` must be bytestrings (slices of ``). //! //! `start_symmetric` uses a single `idSymmetric=` string, instead of `idA` //! and `idB`. Both sides must provide the same `idSymmetric=`, or leave it //! empty. //! //! # Serialization //! //! Sometimes, you can't hold the SPAKE2 instance in memory for the whole //! negotiation: perhaps all your program state is stored in a database, and //! nothing lives in RAM for more than a few moments. //! //! Unfortunately the Rust implementation does not yet provide serialization //! of the state object. A future version should correct this. //! //! # Security //! //! This library is probably not constant-time, and does not protect against //! timing attacks. Do not allow attackers to measure how long it takes you //! to create or respond to a message. This matters somewhat less for pairing //! protocols, because their passwords are single-use randomly-generated //! keys, so an attacker has much less to work with. //! //! This library depends upon a strong source of random numbers. Do not use it on //! a system where os.urandom() is weak. //! //! # Speed //! //! To run the built-in speed tests, just run `cargo bench`. //! //! SPAKE2 consists of two phases, separated by a single message exchange. //! The time these phases take is split roughly 50/50. On my 2.8GHz Core-i7 //! (i7-7600U) cpu, the built-in Ed25519Group parameters take about 112 //! microseconds for each phase, and the message exchanged is 33 bytes long. //! //! # Testing //! //! Run `cargo test` to run the built-in test suite. //! //! # History //! //! The protocol was described as "PAKE2" in ["cryptobook"] [2] from Dan Boneh //! and Victor Shoup. This is a form of "SPAKE2", defined by Abdalla and //! Pointcheval at [RSA 2005] [3]. Additional recommendations for groups and //! distinguished elements were published in [Ladd's IETF draft] [4]. //! //! The Ed25519 implementation uses code adapted from Daniel Bernstein (djb), //! Matthew Dempsky, Daniel Holth, Ron Garret, with further optimizations by //! Brian Warner[5]. The "arbitrary element" computation, which must be the same //! for both participants, is from python-pure25519 version 0.5. //! //! The Boneh/Shoup chapter that defines PAKE2 also defines an augmented variant //! named "PAKE2+", which changes one side (typically a server) to record a //! derivative of the password instead of the actual password. In PAKE2+, a //! server compromise does not immediately give access to the passwords: instead, //! the attacker must perform an offline dictionary attack against the stolen //! data before they can learn the passwords. PAKE2+ support is planned, but not //! yet implemented. //! //! The security of the symmetric case was proved by Kobara/Imai[6] in 2003, and //! uses different (slightly weaker?) reductions than that of the asymmetric //! form. See also Mike Hamburg's analysis[7] from 2015. //! //! Brian Warner first wrote the Python version in July 2010. He wrote this //! Rust version in in May 2017. //! //! ### footnotes //! //! [1]: https://tools.ietf.org/html/rfc5869 "HKDF" //! [2]: http://crypto.stanford.edu/~dabo/cryptobook/ "cryptobook" //! [3]: http://www.di.ens.fr/~pointche/Documents/Papers/2005_rsa.pdf "RSA 2005" //! [4]: https://tools.ietf.org/html/draft-ladd-spake2-01 "Ladd's IETF draft" //! [5]: https://github.com/warner/python-pure25519 //! [6]: http://eprint.iacr.org/2003/038.pdf "Pretty-Simple Password-Authenticated Key-Exchange Under Standard Assumptions" //! [7]: https://moderncrypto.org/mail-archive/curves/2015/000419.html "PAKE questions" use curve25519_dalek::constants::ED25519_BASEPOINT_POINT; use curve25519_dalek::edwards::CompressedEdwardsY; use curve25519_dalek::edwards::EdwardsPoint as c2_Element; use curve25519_dalek::scalar::Scalar as c2_Scalar; use hkdf::Hkdf; use rand::{rngs::OsRng, CryptoRng, Rng}; use sha2::{Digest, Sha256}; use std::fmt; use std::ops::Deref; /* "newtype pattern": it's a Vec, but only used for a specific argument * type, to distinguish between ones that are meant as passwords, and ones * that are meant as identity strings */ #[derive(PartialEq, Eq, Clone)] pub struct Password(Vec); impl Password { pub fn new(p: &[u8]) -> Password { Password(p.to_vec()) } } impl Deref for Password { type Target = Vec; fn deref(&self) -> &Vec { &self.0 } } #[derive(PartialEq, Eq, Clone)] pub struct Identity(Vec); impl Deref for Identity { type Target = Vec; fn deref(&self) -> &Vec { &self.0 } } impl Identity { pub fn new(p: &[u8]) -> Identity { Identity(p.to_vec()) } } #[derive(Debug, PartialEq, Eq)] pub enum ErrorType { BadSide, WrongLength, CorruptMessage, } #[derive(Debug, PartialEq, Eq)] pub struct SPAKEErr { pub kind: ErrorType, } pub trait Group { type Scalar; type Element; //type Element: Add // + Mul; // const element_length: usize; // in unstable, or u8 //type ElementBytes : Index+IndexMut; // later type TranscriptHash; fn name() -> &'static str; fn const_m() -> Self::Element; fn const_n() -> Self::Element; fn const_s() -> Self::Element; fn hash_to_scalar(s: &[u8]) -> Self::Scalar; fn random_scalar(cspring: &mut T) -> Self::Scalar where T: Rng + CryptoRng; fn scalar_neg(s: &Self::Scalar) -> Self::Scalar; fn element_to_bytes(e: &Self::Element) -> Vec; fn bytes_to_element(b: &[u8]) -> Option; fn element_length() -> usize; fn basepoint_mult(s: &Self::Scalar) -> Self::Element; fn scalarmult(e: &Self::Element, s: &Self::Scalar) -> Self::Element; fn add(a: &Self::Element, b: &Self::Element) -> Self::Element; } #[derive(Debug, PartialEq, Eq)] pub struct Ed25519Group; impl Group for Ed25519Group { type Scalar = c2_Scalar; type Element = c2_Element; //type ElementBytes = Vec; //type ElementBytes = [u8; 32]; //type ScalarBytes type TranscriptHash = Sha256; fn name() -> &'static str { "Ed25519" } fn const_m() -> c2_Element { // python -c "import binascii, spake2; b=binascii.hexlify(spake2.ParamsEd25519.M.to_bytes()); print(', '.join(['0x'+b[i:i+2] for i in range(0,len(b),2)]))" // 15cfd18e385952982b6a8f8c7854963b58e34388c8e6dae891db756481a02312 CompressedEdwardsY([ 0x15, 0xcf, 0xd1, 0x8e, 0x38, 0x59, 0x52, 0x98, 0x2b, 0x6a, 0x8f, 0x8c, 0x78, 0x54, 0x96, 0x3b, 0x58, 0xe3, 0x43, 0x88, 0xc8, 0xe6, 0xda, 0xe8, 0x91, 0xdb, 0x75, 0x64, 0x81, 0xa0, 0x23, 0x12, ]) .decompress() .unwrap() } fn const_n() -> c2_Element { // python -c "import binascii, spake2; b=binascii.hexlify(spake2.ParamsEd25519.N.to_bytes()); print(', '.join(['0x'+b[i:i+2] for i in range(0,len(b),2)]))" // f04f2e7eb734b2a8f8b472eaf9c3c632576ac64aea650b496a8a20ff00e583c3 CompressedEdwardsY([ 0xf0, 0x4f, 0x2e, 0x7e, 0xb7, 0x34, 0xb2, 0xa8, 0xf8, 0xb4, 0x72, 0xea, 0xf9, 0xc3, 0xc6, 0x32, 0x57, 0x6a, 0xc6, 0x4a, 0xea, 0x65, 0x0b, 0x49, 0x6a, 0x8a, 0x20, 0xff, 0x00, 0xe5, 0x83, 0xc3, ]) .decompress() .unwrap() } fn const_s() -> c2_Element { // python -c "import binascii, spake2; b=binascii.hexlify(spake2.ParamsEd25519.S.to_bytes()); print(', '.join(['0x'+b[i:i+2] for i in range(0,len(b),2)]))" // 6f00dae87c1be1a73b5922ef431cd8f57879569c222d22b1cd71e8546ab8e6f1 CompressedEdwardsY([ 0x6f, 0x00, 0xda, 0xe8, 0x7c, 0x1b, 0xe1, 0xa7, 0x3b, 0x59, 0x22, 0xef, 0x43, 0x1c, 0xd8, 0xf5, 0x78, 0x79, 0x56, 0x9c, 0x22, 0x2d, 0x22, 0xb1, 0xcd, 0x71, 0xe8, 0x54, 0x6a, 0xb8, 0xe6, 0xf1, ]) .decompress() .unwrap() } fn hash_to_scalar(s: &[u8]) -> c2_Scalar { ed25519_hash_to_scalar(s) } fn random_scalar(cspring: &mut T) -> c2_Scalar where T: Rng + CryptoRng, { c2_Scalar::random(cspring) } fn scalar_neg(s: &c2_Scalar) -> c2_Scalar { -s } fn element_to_bytes(s: &c2_Element) -> Vec { s.compress().as_bytes().to_vec() } fn element_length() -> usize { 32 } fn bytes_to_element(b: &[u8]) -> Option { if b.len() != 32 { return None; } //let mut bytes: [u8; 32] = let mut bytes = [0u8; 32]; bytes.copy_from_slice(b); let cey = CompressedEdwardsY(bytes); // CompressedEdwardsY::new(b) cey.decompress() } fn basepoint_mult(s: &c2_Scalar) -> c2_Element { //c2_Element::basepoint_mult(s) ED25519_BASEPOINT_POINT * s } fn scalarmult(e: &c2_Element, s: &c2_Scalar) -> c2_Element { e * s //e.scalar_mult(s) } fn add(a: &c2_Element, b: &c2_Element) -> c2_Element { a + b //a.add(b) } } fn ed25519_hash_to_scalar(s: &[u8]) -> c2_Scalar { //c2_Scalar::hash_from_bytes::(&s) // spake2.py does: // h = HKDF(salt=b"", ikm=s, hash=SHA256, info=b"SPAKE2 pw", len=32+16) // i = int(h, 16) // i % q let mut okm = [0u8; 32 + 16]; Hkdf::::new(Some(b""), s) .expand(b"SPAKE2 pw", &mut okm) .unwrap(); //println!("expanded: {}{}", "................................", okm.iter().to_hex()); // ok let mut reducible = [0u8; 64]; // little-endian for (i, x) in okm.iter().enumerate().take(32 + 16) { reducible[32 + 16 - 1 - i] = *x; } //println!("reducible: {}", reducible.iter().to_hex()); c2_Scalar::from_bytes_mod_order_wide(&reducible) //let reduced = c2_Scalar::reduce(&reducible); //println!("reduced: {}", reduced.as_bytes().to_hex()); //println!("done"); //reduced } fn ed25519_hash_ab( password_vec: &[u8], id_a: &[u8], id_b: &[u8], first_msg: &[u8], second_msg: &[u8], key_bytes: &[u8], ) -> Vec { assert_eq!(first_msg.len(), 32); assert_eq!(second_msg.len(), 32); // the transcript is fixed-length, made up of 6 32-byte values: // byte 0-31 : sha256(pw) // byte 32-63 : sha256(idA) // byte 64-95 : sha256(idB) // byte 96-127 : X_msg // byte 128-159: Y_msg // byte 160-191: K_bytes let mut transcript = [0u8; 6 * 32]; let mut pw_hash = Sha256::new(); pw_hash.update(password_vec); transcript[0..32].copy_from_slice(&pw_hash.finalize()); let mut ida_hash = Sha256::new(); ida_hash.update(id_a); transcript[32..64].copy_from_slice(&ida_hash.finalize()); let mut idb_hash = Sha256::new(); idb_hash.update(id_b); transcript[64..96].copy_from_slice(&idb_hash.finalize()); transcript[96..128].copy_from_slice(first_msg); transcript[128..160].copy_from_slice(second_msg); transcript[160..192].copy_from_slice(key_bytes); //println!("transcript: {:?}", transcript.iter().to_hex()); //let mut hash = G::TranscriptHash::default(); let mut hash = Sha256::new(); hash.update(transcript.to_vec()); hash.finalize().to_vec() } fn ed25519_hash_symmetric( password_vec: &[u8], id_s: &[u8], msg_u: &[u8], msg_v: &[u8], key_bytes: &[u8], ) -> Vec { assert_eq!(msg_u.len(), 32); assert_eq!(msg_v.len(), 32); // # since we don't know which side is which, we must sort the messages // first_msg, second_msg = sorted([msg1, msg2]) // transcript = b"".join([sha256(pw).digest(), // sha256(idSymmetric).digest(), // first_msg, second_msg, K_bytes]) // the transcript is fixed-length, made up of 5 32-byte values: // byte 0-31 : sha256(pw) // byte 32-63 : sha256(idSymmetric) // byte 64-95 : X_msg // byte 96-127 : Y_msg // byte 128-159: K_bytes let mut transcript = [0u8; 5 * 32]; let mut pw_hash = Sha256::new(); pw_hash.update(password_vec); transcript[0..32].copy_from_slice(&pw_hash.finalize()); let mut ids_hash = Sha256::new(); ids_hash.update(id_s); transcript[32..64].copy_from_slice(&ids_hash.finalize()); if msg_u < msg_v { transcript[64..96].copy_from_slice(msg_u); transcript[96..128].copy_from_slice(msg_v); } else { transcript[64..96].copy_from_slice(msg_v); transcript[96..128].copy_from_slice(msg_u); } transcript[128..160].copy_from_slice(key_bytes); let mut hash = Sha256::new(); hash.update(transcript.to_vec()); hash.finalize().to_vec() } /* "session type pattern" */ #[derive(Debug, PartialEq, Eq)] enum Side { A, B, Symmetric, } // we implement a custom Debug below, to avoid revealing secrets in a dump #[derive(PartialEq, Eq)] pub struct SPAKE2 { //where &G::Scalar: Neg { side: Side, xy_scalar: G::Scalar, password_vec: Vec, id_a: Vec, id_b: Vec, id_s: Vec, msg1: Vec, password_scalar: G::Scalar, } impl SPAKE2 { fn start_internal( side: Side, password: &Password, id_a: &Identity, id_b: &Identity, id_s: &Identity, xy_scalar: G::Scalar, ) -> (SPAKE2, Vec) { //let password_scalar: G::Scalar = hash_to_scalar::(password); let password_scalar: G::Scalar = G::hash_to_scalar(password); // a: X = B*x + M*pw // b: Y = B*y + N*pw // sym: X = B*x * S*pw let blinding = match side { Side::A => G::const_m(), Side::B => G::const_n(), Side::Symmetric => G::const_s(), }; let m1: G::Element = G::add( &G::basepoint_mult(&xy_scalar), &G::scalarmult(&blinding, &password_scalar), ); //let m1: G::Element = &G::basepoint_mult(&x) + &(blinding * &password_scalar); let msg1: Vec = G::element_to_bytes(&m1); let mut password_vec = Vec::new(); password_vec.extend_from_slice(password); let mut id_a_copy = Vec::new(); id_a_copy.extend_from_slice(id_a); let mut id_b_copy = Vec::new(); id_b_copy.extend_from_slice(id_b); let mut id_s_copy = Vec::new(); id_s_copy.extend_from_slice(id_s); let mut msg_and_side = vec![match side { Side::A => 0x41, // 'A' Side::B => 0x42, // 'B' Side::Symmetric => 0x53, // 'S' }]; msg_and_side.extend_from_slice(&msg1); ( SPAKE2 { side, xy_scalar, password_vec, // string id_a: id_a_copy, id_b: id_b_copy, id_s: id_s_copy, msg1, password_scalar, // scalar }, msg_and_side, ) } fn start_a_internal( password: &Password, id_a: &Identity, id_b: &Identity, xy_scalar: G::Scalar, ) -> (SPAKE2, Vec) { Self::start_internal( Side::A, password, id_a, id_b, &Identity::new(b""), xy_scalar, ) } fn start_b_internal( password: &Password, id_a: &Identity, id_b: &Identity, xy_scalar: G::Scalar, ) -> (SPAKE2, Vec) { Self::start_internal( Side::B, password, id_a, id_b, &Identity::new(b""), xy_scalar, ) } fn start_symmetric_internal( password: &Password, id_s: &Identity, xy_scalar: G::Scalar, ) -> (SPAKE2, Vec) { Self::start_internal( Side::Symmetric, password, &Identity::new(b""), &Identity::new(b""), id_s, xy_scalar, ) } pub fn start_a(password: &Password, id_a: &Identity, id_b: &Identity) -> (SPAKE2, Vec) { let mut cspring: OsRng = OsRng::new().unwrap(); let xy_scalar: G::Scalar = G::random_scalar(&mut cspring); Self::start_a_internal(password, id_a, id_b, xy_scalar) } pub fn start_b(password: &Password, id_a: &Identity, id_b: &Identity) -> (SPAKE2, Vec) { let mut cspring: OsRng = OsRng::new().unwrap(); let xy_scalar: G::Scalar = G::random_scalar(&mut cspring); Self::start_b_internal(password, id_a, id_b, xy_scalar) } pub fn start_symmetric(password: &Password, id_s: &Identity) -> (SPAKE2, Vec) { let mut cspring: OsRng = OsRng::new().unwrap(); let xy_scalar: G::Scalar = G::random_scalar(&mut cspring); Self::start_symmetric_internal(password, id_s, xy_scalar) } pub fn finish(self, msg2: &[u8]) -> Result, SPAKEErr> { if msg2.len() != 1 + G::element_length() { return Err(SPAKEErr { kind: ErrorType::WrongLength, }); } let msg_side = msg2[0]; match self.side { Side::A => match msg_side { 0x42 => (), // 'B' _ => { return Err(SPAKEErr { kind: ErrorType::BadSide, }) } }, Side::B => match msg_side { 0x41 => (), // 'A' _ => { return Err(SPAKEErr { kind: ErrorType::BadSide, }) } }, Side::Symmetric => match msg_side { 0x53 => (), // 'S' _ => { return Err(SPAKEErr { kind: ErrorType::BadSide, }) } }, } let msg2_element = match G::bytes_to_element(&msg2[1..]) { Some(x) => x, None => { return Err(SPAKEErr { kind: ErrorType::CorruptMessage, }) } }; // a: K = (Y+N*(-pw))*x // b: K = (X+M*(-pw))*y let unblinding = match self.side { Side::A => G::const_n(), Side::B => G::const_m(), Side::Symmetric => G::const_s(), }; let tmp1 = G::scalarmult(&unblinding, &G::scalar_neg(&self.password_scalar)); let tmp2 = G::add(&msg2_element, &tmp1); let key_element = G::scalarmult(&tmp2, &self.xy_scalar); let key_bytes = G::element_to_bytes(&key_element); // key = H(H(pw) + H(idA) + H(idB) + X + Y + K) //transcript = b"".join([sha256(pw).digest(), // sha256(idA).digest(), sha256(idB).digest(), // X_msg, Y_msg, K_bytes]) //key = sha256(transcript).digest() // note that both sides must use the same order Ok(match self.side { Side::A => ed25519_hash_ab( &self.password_vec, &self.id_a, &self.id_b, self.msg1.as_slice(), &msg2[1..], &key_bytes, ), Side::B => ed25519_hash_ab( &self.password_vec, &self.id_a, &self.id_b, &msg2[1..], self.msg1.as_slice(), &key_bytes, ), Side::Symmetric => ed25519_hash_symmetric( &self.password_vec, &self.id_s, &self.msg1, &msg2[1..], &key_bytes, ), }) } } fn maybe_utf8(s: &[u8]) -> String { match String::from_utf8(s.to_vec()) { Ok(m) => format!("(s={})", m), Err(_) => format!("(hex={})", hex::encode(s)), } } impl fmt::Debug for SPAKE2 { fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result { fmt.debug_struct("SPAKE2") .field("group", &G::name()) .field("side", &self.side) .field("idA", &maybe_utf8(&self.id_a)) .field("idB", &maybe_utf8(&self.id_b)) .field("idS", &maybe_utf8(&self.id_s)) .finish() } } #[cfg(test)] mod tests;