chromium/src
0
Fork 0
Code Activity

crypto: remove P224 SPAKE implementation

Browse Source 
It is unused. It appears to have been originally added to support
"chromoting me2me", but was known to be broken as early as 2016[1]
(internal link, sorry non-Googlers) and has no other users.

[1]: https://groups.google.com/a/google.com/g/ise-crypto/c/88KY7bH0zLo/m/t22NRlImBwAJ

Bug: None
Change-Id: I401666875fae4731ce3ed265bdae84317b5a8725
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5836519
Commit-Queue: Elly FJ <ellyjones@chromium.org>
Reviewed-by: David Benjamin <davidben@chromium.org>
Auto-Submit: Elly FJ <ellyjones@chromium.org>
Commit-Queue: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1351127}
This commit is contained in:
Elly
2024-09-05 00:09:58 +00:00
committed by Chromium LUCI CQ
parent aec0df1a6f
commit d943a2dead
4 changed files with 0 additions and 655 deletions

3
crypto/BUILD.gn

@ -35,8 +35,6 @@ component("crypto") {
"hmac.h",
"openssl_util.cc",
"openssl_util.h",
"p224_spake.cc",
"p224_spake.h",
"random.cc",
"random.h",
"rsa_private_key.cc",
@ -173,7 +171,6 @@ test("crypto_unittests") {
"ec_signature_creator_unittest.cc",
"encryptor_unittest.cc",
"hmac_unittest.cc",
"p224_spake_unittest.cc",
"random_unittest.cc",
"rsa_private_key_unittest.cc",
"secure_hash_unittest.cc",

346
crypto/p224_spake.cc

@ -1,346 +0,0 @@
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// This code implements SPAKE2, a variant of EKE:
// http://www.di.ens.fr/~pointche/pub.php?reference=AbPo04
#include "crypto/p224_spake.h"
#include <string.h>
#include <algorithm>
#include <string_view>
#include "base/check_op.h"
#include "base/logging.h"
#include "crypto/random.h"
#include "crypto/secure_util.h"
#include "third_party/boringssl/src/include/openssl/bn.h"
#include "third_party/boringssl/src/include/openssl/ec.h"
namespace {
// The following two points (M and N in the protocol) are verifiable random
// points on the curve and can be generated with the following code:
// #include <stdint.h>
// #include <stdio.h>
// #include <string.h>
//
// #include <openssl/ec.h>
// #include <openssl/obj_mac.h>
// #include <openssl/sha.h>
//
// // Silence a presubmit.
// #define PRINTF printf
//
// static const char kSeed1[] = "P224 point generation seed (M)";
// static const char kSeed2[] = "P224 point generation seed (N)";
//
// void find_seed(const char* seed) {
// SHA256_CTX sha256;
// uint8_t digest[SHA256_DIGEST_LENGTH];
//
// SHA256_Init(&sha256);
// SHA256_Update(&sha256, seed, strlen(seed));
// SHA256_Final(digest, &sha256);
//
// BIGNUM x, y;
// EC_GROUP* p224 = EC_GROUP_new_by_curve_name(NID_secp224r1);
// EC_POINT* p = EC_POINT_new(p224);
//
// for (unsigned i = 0;; i++) {
// BN_init(&x);
// BN_bin2bn(digest, 28, &x);
//
// if (EC_POINT_set_compressed_coordinates_GFp(
// p224, p, &x, digest[28] & 1, NULL)) {
// BN_init(&y);
// EC_POINT_get_affine_coordinates_GFp(p224, p, &x, &y, NULL);
// char* x_str = BN_bn2hex(&x);
// char* y_str = BN_bn2hex(&y);
// PRINTF("Found after %u iterations:\n%s\n%s\n", i, x_str, y_str);
// OPENSSL_free(x_str);
// OPENSSL_free(y_str);
// BN_free(&x);
// BN_free(&y);
// break;
// }
//
// SHA256_Init(&sha256);
// SHA256_Update(&sha256, digest, sizeof(digest));
// SHA256_Final(digest, &sha256);
//
// BN_free(&x);
// }
//
// EC_POINT_free(p);
// EC_GROUP_free(p224);
// }
//
// int main() {
// find_seed(kSeed1);
// find_seed(kSeed2);
// return 0;
// }
const uint8_t kM_X962[1 + 28 + 28] = {
0x04, 0x4d, 0x48, 0xc8, 0xea, 0x8d, 0x23, 0x39, 0x2e, 0x07, 0xe8, 0x51,
0xfa, 0x6a, 0xa8, 0x20, 0x48, 0x09, 0x4e, 0x05, 0x13, 0x72, 0x49, 0x9c,
0x6f, 0xba, 0x62, 0xa7, 0x4b, 0x6c, 0x18, 0x5c, 0xab, 0xd5, 0x2e, 0x2e,
0x8a, 0x9e, 0x2d, 0x21, 0xb0, 0xec, 0x4e, 0xe1, 0x41, 0x21, 0x1f, 0xe2,
0x9d, 0x64, 0xea, 0x4d, 0x04, 0x46, 0x3a, 0xe8, 0x33,
};
const uint8_t kN_X962[1 + 28 + 28] = {
0x04, 0x0b, 0x1c, 0xfc, 0x6a, 0x40, 0x7c, 0xdc, 0xb1, 0x5d, 0xc1, 0x70,
0x4c, 0xd1, 0x3e, 0xda, 0xab, 0x8f, 0xde, 0xff, 0x8c, 0xfb, 0xfb, 0x50,
0xd2, 0xc8, 0x1d, 0xe2, 0xc2, 0x3e, 0x14, 0xf6, 0x29, 0x96, 0x08, 0x09,
0x07, 0xb5, 0x6d, 0xd2, 0x82, 0x07, 0x1a, 0xa7, 0xa1, 0x21, 0xc3, 0x99,
0x34, 0xbc, 0x30, 0xda, 0x5b, 0xcb, 0xc6, 0xa3, 0xcc,
};
// ToBignum returns |big_endian_bytes| interpreted as a big-endian number.
bssl::UniquePtr<BIGNUM> ToBignum(base::span<const uint8_t> big_endian_bytes) {
bssl::UniquePtr<BIGNUM> bn(BN_new());
CHECK(BN_bin2bn(big_endian_bytes.data(), big_endian_bytes.size(), bn.get()));
return bn;
}
// GetPoint decodes and returns the given X.962-encoded point. It will crash if
// |x962| is not a valid P-224 point.
bssl::UniquePtr<EC_POINT> GetPoint(
const EC_GROUP* p224,
base::span<const uint8_t, 1 + 28 + 28> x962) {
bssl::UniquePtr<EC_POINT> point(EC_POINT_new(p224));
CHECK(EC_POINT_oct2point(p224, point.get(), x962.data(), x962.size(),
/*ctx=*/nullptr));
return point;
}
// GetMask returns (M|N)**pw, where the choice of M or N is controlled by
// |use_m|.
bssl::UniquePtr<EC_POINT> GetMask(const EC_GROUP* p224,
bool use_m,
base::span<const uint8_t> pw) {
bssl::UniquePtr<EC_POINT> MN(GetPoint(p224, use_m ? kM_X962 : kN_X962));
bssl::UniquePtr<EC_POINT> MNpw(EC_POINT_new(p224));
bssl::UniquePtr<BIGNUM> pw_bn(ToBignum(pw));
CHECK(EC_POINT_mul(p224, MNpw.get(), nullptr, MN.get(), pw_bn.get(),
/*ctx=*/nullptr));
return MNpw;
}
// ToMessage serialises |in| as a 56-byte string that contains the big-endian
// representations of x and y, or is all zeros if |in| is infinity.
std::string ToMessage(const EC_GROUP* p224, const EC_POINT* in) {
if (EC_POINT_is_at_infinity(p224, in)) {
return std::string(28 + 28, 0);
}
uint8_t x962[1 + 28 + 28];
CHECK(EC_POINT_point2oct(p224, in, POINT_CONVERSION_UNCOMPRESSED, x962,
sizeof(x962), /*ctx=*/nullptr) == sizeof(x962));
return std::string(reinterpret_cast<const char*>(&x962[1]), sizeof(x962) - 1);
}
// FromMessage converts a message, as generated by |ToMessage|, into a point. It
// returns |nullptr| if the input is invalid or not on the curve.
bssl::UniquePtr<EC_POINT> FromMessage(const EC_GROUP* p224,
std::string_view in) {
if (in.size() != 56) {
return nullptr;
}
uint8_t x962[1 + 56];
x962[0] = 4;
memcpy(&x962[1], in.data(), sizeof(x962) - 1);
bssl::UniquePtr<EC_POINT> ret(EC_POINT_new(p224));
if (!EC_POINT_oct2point(p224, ret.get(), x962, sizeof(x962),
/*ctx=*/nullptr)) {
return nullptr;
}
return ret;
}
} // anonymous namespace
namespace crypto {
P224EncryptedKeyExchange::P224EncryptedKeyExchange(PeerType peer_type,
std::string_view password)
: state_(kStateInitial), is_server_(peer_type == kPeerTypeServer) {
std::ranges::fill(expected_authenticator_, 0u);
// x_ is a random scalar.
RandBytes(x_);
// Calculate |password| hash to get SPAKE password value.
SHA256HashString(std::string(password.data(), password.length()),
pw_, sizeof(pw_));
Init();
}
void P224EncryptedKeyExchange::Init() {
// X = g**x_
const EC_GROUP* p224 = EC_group_p224();
bssl::UniquePtr<EC_POINT> X(EC_POINT_new(p224));
bssl::UniquePtr<BIGNUM> x_bn(ToBignum(x_));
// x_bn may be >= the order, but |EC_POINT_mul| handles that. It doesn't do so
// in constant-time, but the these values are locally generated and so this
// occurs with negligible probability. (Same with |pw_|, just below.)
CHECK(EC_POINT_mul(p224, X.get(), x_bn.get(), nullptr, nullptr,
/*ctx=*/nullptr));
// The client masks the Diffie-Hellman value, X, by adding M**pw and the
// server uses N**pw.
bssl::UniquePtr<EC_POINT> MNpw(GetMask(p224, !is_server_, pw_));
// X* = X + (N|M)**pw
bssl::UniquePtr<EC_POINT> Xstar(EC_POINT_new(p224));
CHECK(EC_POINT_add(p224, Xstar.get(), X.get(), MNpw.get(),
/*ctx=*/nullptr));
next_message_ = ToMessage(p224, Xstar.get());
}
const std::string& P224EncryptedKeyExchange::GetNextMessage() {
if (state_ == kStateInitial) {
state_ = kStateRecvDH;
return next_message_;
} else if (state_ == kStateSendHash) {
state_ = kStateRecvHash;
return next_message_;
}
LOG(FATAL) << "P224EncryptedKeyExchange::GetNextMessage called in"
" bad state " << state_;
}
P224EncryptedKeyExchange::Result P224EncryptedKeyExchange::ProcessMessage(
std::string_view message) {
if (state_ == kStateRecvHash) {
// This is the final state of the protocol: we are reading the peer's
// authentication hash and checking that it matches the one that we expect.
if (message.size() != sizeof(expected_authenticator_)) {
error_ = "peer's hash had an incorrect size";
return kResultFailed;
}
if (!SecureMemEqual(message.data(), expected_authenticator_,
message.size())) {
error_ = "peer's hash had incorrect value";
return kResultFailed;
}
state_ = kStateDone;
return kResultSuccess;
}
if (state_ != kStateRecvDH) {
LOG(FATAL) << "P224EncryptedKeyExchange::ProcessMessage called in"
" bad state " << state_;
}
const EC_GROUP* p224 = EC_group_p224();
// Y* is the other party's masked, Diffie-Hellman value.
bssl::UniquePtr<EC_POINT> Ystar(FromMessage(p224, message));
if (!Ystar) {
error_ = "failed to parse peer's masked Diffie-Hellman value";
return kResultFailed;
}
// We calculate the mask value: (N|M)**pw
bssl::UniquePtr<EC_POINT> MNpw(GetMask(p224, is_server_, pw_));
// Y = Y* - (N|M)**pw
CHECK(EC_POINT_invert(p224, MNpw.get(), /*ctx=*/nullptr));
bssl::UniquePtr<EC_POINT> Y(EC_POINT_new(p224));
CHECK(EC_POINT_add(p224, Y.get(), Ystar.get(), MNpw.get(),
/*ctx=*/nullptr));
// K = Y**x_
bssl::UniquePtr<EC_POINT> K(EC_POINT_new(p224));
bssl::UniquePtr<BIGNUM> x_bn(ToBignum(x_));
CHECK(EC_POINT_mul(p224, K.get(), nullptr, Y.get(), x_bn.get(),
/*ctx=*/nullptr));
// If everything worked out, then K is the same for both parties.
key_ = ToMessage(p224, K.get());
std::string client_masked_dh, server_masked_dh;
if (is_server_) {
client_masked_dh = std::string(message);
server_masked_dh = next_message_;
} else {
client_masked_dh = next_message_;
server_masked_dh = std::string(message);
}
// Now we calculate the hashes that each side will use to prove to the other
// that they derived the correct value for K.
uint8_t client_hash[kSHA256Length], server_hash[kSHA256Length];
CalculateHash(kPeerTypeClient, client_masked_dh, server_masked_dh, key_,
client_hash);
CalculateHash(kPeerTypeServer, client_masked_dh, server_masked_dh, key_,
server_hash);
const uint8_t* my_hash = is_server_ ? server_hash : client_hash;
const uint8_t* their_hash = is_server_ ? client_hash : server_hash;
next_message_ =
std::string(reinterpret_cast<const char*>(my_hash), kSHA256Length);
memcpy(expected_authenticator_, their_hash, kSHA256Length);
state_ = kStateSendHash;
return kResultPending;
}
void P224EncryptedKeyExchange::CalculateHash(
PeerType peer_type,
const std::string& client_masked_dh,
const std::string& server_masked_dh,
const std::string& k,
uint8_t* out_digest) {
std::string hash_contents;
if (peer_type == kPeerTypeServer) {
hash_contents = "server";
} else {
hash_contents = "client";
}
hash_contents += client_masked_dh;
hash_contents += server_masked_dh;
hash_contents +=
std::string(reinterpret_cast<const char *>(pw_), sizeof(pw_));
hash_contents += k;
SHA256HashString(hash_contents, out_digest, kSHA256Length);
}
const std::string& P224EncryptedKeyExchange::error() const {
return error_;
}
const std::string& P224EncryptedKeyExchange::GetKey() const {
DCHECK_EQ(state_, kStateDone);
return GetUnverifiedKey();
}
const std::string& P224EncryptedKeyExchange::GetUnverifiedKey() const {
// Key is already final when state is kStateSendHash. Subsequent states are
// used only for verification of the key. Some users may combine verification
// with sending verifiable data instead of |expected_authenticator_|.
DCHECK_GE(state_, kStateSendHash);
return key_;
}
void P224EncryptedKeyExchange::SetXForTesting(const std::string& x) {
memset(&x_, 0, sizeof(x_));
memcpy(&x_, x.data(), std::min(x.size(), sizeof(x_)));
Init();
}
} // namespace crypto

129
crypto/p224_spake.h

@ -1,129 +0,0 @@
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CRYPTO_P224_SPAKE_H_
#define CRYPTO_P224_SPAKE_H_
#include <stdint.h>
#include <string>
#include <string_view>
#include "base/gtest_prod_util.h"
#include "crypto/sha2.h"
namespace crypto {
// P224EncryptedKeyExchange implements SPAKE2, a variant of Encrypted
// Key Exchange. It allows two parties that have a secret common
// password to establish a common secure key by exchanging messages
// over an insecure channel without disclosing the password.
//
// The password can be low entropy as authenticating with an attacker only
// gives the attacker a one-shot password oracle. No other information about
// the password is leaked. (However, you must be sure to limit the number of
// permitted authentication attempts otherwise they get many one-shot oracles.)
//
// The protocol requires several RTTs (actually two, but you shouldn't assume
// that.) To use the object, call GetNextMessage() and pass that message to the
// peer. Get a message from the peer and feed it into ProcessMessage. Then
// examine the return value of ProcessMessage:
// kResultPending: Another round is required. Call GetNextMessage and repeat.
// kResultFailed: The authentication has failed. You can get a human readable
// error message by calling error().
// kResultSuccess: The authentication was successful.
//
// In each exchange, each peer always sends a message.
class CRYPTO_EXPORT P224EncryptedKeyExchange {
public:
enum Result {
kResultPending,
kResultFailed,
kResultSuccess,
};
// PeerType's values are named client and server due to convention. But
// they could be called "A" and "B" as far as the protocol is concerned so
// long as the two parties don't both get the same label.
enum PeerType {
kPeerTypeClient,
kPeerTypeServer,
};
// peer_type: the type of the local authentication party.
// password: secret session password. Both parties to the
// authentication must pass the same value. For the case of a
// TLS connection, see RFC 5705.
P224EncryptedKeyExchange(PeerType peer_type, std::string_view password);
// GetNextMessage returns a byte string which must be passed to the other
// party in the authentication.
const std::string& GetNextMessage();
// ProcessMessage processes a message which must have been generated by a
// call to GetNextMessage() by the other party.
Result ProcessMessage(std::string_view message);
// In the event that ProcessMessage() returns kResultFailed, error will
// return a human readable error message.
const std::string& error() const;
// The key established as result of the key exchange. Must be called
// at then end after ProcessMessage() returns kResultSuccess.
const std::string& GetKey() const;
// The key established as result of the key exchange. Can be called after
// the first ProcessMessage()
const std::string& GetUnverifiedKey() const;
private:
// The authentication state machine is very simple and each party proceeds
// through each of these states, in order.
enum State {
kStateInitial,
kStateRecvDH,
kStateSendHash,
kStateRecvHash,
kStateDone,
};
FRIEND_TEST_ALL_PREFIXES(MutualAuth, ExpectedValues);
void Init();
// Sets internal random scalar. Should be used by tests only.
void SetXForTesting(const std::string& x);
State state_;
const bool is_server_;
// next_message_ contains a value for GetNextMessage() to return.
std::string next_message_;
std::string error_;
// CalculateHash computes the verification hash for the given peer and writes
// |kSHA256Length| bytes at |out_digest|.
void CalculateHash(PeerType peer_type,
const std::string& client_masked_dh,
const std::string& server_masked_dh,
const std::string& k,
uint8_t* out_digest);
// kScalarBytes is the number of bytes in a P-224 scalar.
static constexpr size_t kScalarBytes = 28;
// x_ is the secret Diffie-Hellman exponent (see paper referenced in .cc
// file).
uint8_t x_[kScalarBytes];
// pw_ is SHA256(P(password), P(session))[:28] where P() prepends a uint32_t,
// big-endian length prefix (see paper referenced in .cc file).
uint8_t pw_[kScalarBytes];
// expected_authenticator_ is used to store the hash value expected from the
// other party.
uint8_t expected_authenticator_[kSHA256Length];
std::string key_;
};
} // namespace crypto
#endif // CRYPTO_P224_SPAKE_H_

177
crypto/p224_spake_unittest.cc

@ -1,177 +0,0 @@
// Copyright 2011 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/351564777): Remove this and convert code to safer constructs.
#pragma allow_unsafe_buffers
#endif
#include "crypto/p224_spake.h"
#include <stddef.h>
#include <stdint.h>
#include <string>
#include "base/strings/string_number_conversions.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace crypto {
namespace {
bool RunExchange(P224EncryptedKeyExchange* client,
P224EncryptedKeyExchange* server,
bool is_password_same) {
for (;;) {
std::string client_message, server_message;
client_message = client->GetNextMessage();
server_message = server->GetNextMessage();
P224EncryptedKeyExchange::Result client_result, server_result;
client_result = client->ProcessMessage(server_message);
server_result = server->ProcessMessage(client_message);
// Check that we never hit the case where only one succeeds.
EXPECT_EQ(client_result == P224EncryptedKeyExchange::kResultSuccess,
server_result == P224EncryptedKeyExchange::kResultSuccess);
if (client_result == P224EncryptedKeyExchange::kResultFailed ||
server_result == P224EncryptedKeyExchange::kResultFailed) {
return false;
}
EXPECT_EQ(is_password_same,
client->GetUnverifiedKey() == server->GetUnverifiedKey());
if (client_result == P224EncryptedKeyExchange::kResultSuccess &&
server_result == P224EncryptedKeyExchange::kResultSuccess) {
return true;
}
EXPECT_EQ(P224EncryptedKeyExchange::kResultPending, client_result);
EXPECT_EQ(P224EncryptedKeyExchange::kResultPending, server_result);
}
}
const char kPassword[] = "foo";
} // namespace
TEST(MutualAuth, CorrectAuth) {
P224EncryptedKeyExchange client(
P224EncryptedKeyExchange::kPeerTypeClient, kPassword);
P224EncryptedKeyExchange server(
P224EncryptedKeyExchange::kPeerTypeServer, kPassword);
EXPECT_TRUE(RunExchange(&client, &server, true));
EXPECT_EQ(client.GetKey(), server.GetKey());
}
TEST(MutualAuth, IncorrectPassword) {
P224EncryptedKeyExchange client(
P224EncryptedKeyExchange::kPeerTypeClient,
kPassword);
P224EncryptedKeyExchange server(
P224EncryptedKeyExchange::kPeerTypeServer,
"wrongpassword");
EXPECT_FALSE(RunExchange(&client, &server, false));
}
TEST(MutualAuth, ExpectedValues) {
P224EncryptedKeyExchange client(P224EncryptedKeyExchange::kPeerTypeClient,
kPassword);
client.SetXForTesting("Client x");
P224EncryptedKeyExchange server(P224EncryptedKeyExchange::kPeerTypeServer,
kPassword);
server.SetXForTesting("Server x");
std::string client_message = client.GetNextMessage();
EXPECT_EQ(
"3508EF7DECC8AB9F9C439FBB0154288BBECC0A82E8448F4CF29554EB"
"BE9D486686226255EAD1D077C635B1A41F46AC91D7F7F32CED9EC3E0",
base::HexEncode(client_message));
std::string server_message = server.GetNextMessage();
EXPECT_EQ(
"A3088C18B75D2C2B107105661AEC85424777475EB29F1DDFB8C14AFB"
"F1603D0DF38413A00F420ACF2059E7997C935F5A957A193D09A2B584",
base::HexEncode(server_message));
EXPECT_EQ(P224EncryptedKeyExchange::kResultPending,
client.ProcessMessage(server_message));
EXPECT_EQ(P224EncryptedKeyExchange::kResultPending,
server.ProcessMessage(client_message));
EXPECT_EQ(client.GetUnverifiedKey(), server.GetUnverifiedKey());
// Must stay the same. External implementations should be able to pair with.
EXPECT_EQ(
"CE7CCFC435CDA4F01EC8826788B1F8B82EF7D550A34696B371096E64"
"C487D4FE193F7D1A6FF6820BC7F807796BA3889E8F999BBDEFC32FFA",
base::HexEncode(server.GetUnverifiedKey()));
EXPECT_TRUE(RunExchange(&client, &server, true));
EXPECT_EQ(client.GetKey(), server.GetKey());
}
TEST(MutualAuth, Fuzz) {
static const unsigned kIterations = 40;
for (unsigned i = 0; i < kIterations; i++) {
P224EncryptedKeyExchange client(
P224EncryptedKeyExchange::kPeerTypeClient, kPassword);
P224EncryptedKeyExchange server(
P224EncryptedKeyExchange::kPeerTypeServer, kPassword);
// We'll only be testing small values of i, but we don't want that to bias
// the test coverage. So we disperse the value of i by multiplying by the
// FNV, 32-bit prime, producing a simplistic PRNG.
const uint32_t rand = i * 16777619;
for (unsigned round = 0;; round++) {
std::string client_message, server_message;
client_message = client.GetNextMessage();
server_message = server.GetNextMessage();
if ((rand & 1) == round) {
const bool server_or_client = rand & 2;
std::string* m = server_or_client ? &server_message : &client_message;
if (rand & 4) {
// Truncate
*m = m->substr(0, (i >> 3) % m->size());
} else {
// Corrupt
const size_t bits = m->size() * 8;
const size_t bit_to_corrupt = (rand >> 3) % bits;
const_cast<char*>(m->data())[bit_to_corrupt / 8] ^=
1 << (bit_to_corrupt % 8);
}
}
P224EncryptedKeyExchange::Result client_result, server_result;
client_result = client.ProcessMessage(server_message);
server_result = server.ProcessMessage(client_message);
// If we have corrupted anything, we expect the authentication to fail,
// although one side can succeed if we happen to corrupt the second round
// message to the other.
ASSERT_FALSE(
client_result == P224EncryptedKeyExchange::kResultSuccess &&
server_result == P224EncryptedKeyExchange::kResultSuccess);
if (client_result == P224EncryptedKeyExchange::kResultFailed ||
server_result == P224EncryptedKeyExchange::kResultFailed) {
break;
}
ASSERT_EQ(P224EncryptedKeyExchange::kResultPending,
client_result);
ASSERT_EQ(P224EncryptedKeyExchange::kResultPending,
server_result);
}
}
}
} // namespace crypto