Set server key material before LoginInit() (#58)

* set server key material before LoginInit()

Signed-off-by: bytemare <[email protected]>

Author: bytemare

examples_test.go

@@ -91,6 +91,7 @@ func Example_configuration() {
 func Example_serverSetup() {
 	// This a straightforward way to use a secure and efficient configuration.
 	// They have to be run only once in the application's lifecycle, and the output values must be stored appropriately.
+	serverID := []byte("server-identity")
 	conf := opaque.DefaultConfiguration()
 	secretOprfSeed = conf.GenerateOPRFSeed()
 	serverPrivateKey, serverPublicKey = conf.KeyGen()
@@ -99,9 +100,19 @@ func Example_serverSetup() {
 		log.Fatalf("Oh no! Something went wrong setting up the server secrets!")
 	}
 
-	fmt.Println("OPAQUE server values initialized.")
+	// Server setup
+	server, err := conf.Server()
+	if err != nil {
+		log.Fatalln(err)
+	}
 
-	// Output: OPAQUE server values initialized.
+	if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed); err != nil {
+		log.Fatalln(err)
+	}
+
+	fmt.Println("OPAQUE server initialized.")
+
+	// Output: OPAQUE server initialized.
 }
 
 // Example_Deserialization demonstrates a couple of ways to deserialize OPAQUE protocol messages.
@@ -297,6 +308,10 @@ func Example_loginKeyExchange() {
 		log.Fatalln(err)
 	}
 
+	if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed); err != nil {
+		log.Fatalln(err)
+	}
+
 	// These are the 3 login messages that will be exchanged,
 	// and the respective sessions keys for the client and server.
 	var message1, message2, message3 []byte
@@ -315,8 +330,7 @@ func Example_loginKeyExchange() {
 			log.Fatalln(err)
 		}
 
-		ke2, err := server.LoginInit(ke1, serverID, serverPrivateKey, serverPublicKey, secretOprfSeed,
-			exampleClientRecord)
+		ke2, err := server.LoginInit(ke1, exampleClientRecord)
 		if err != nil {
 			log.Fatalln(err)
 		}
@@ -410,12 +424,16 @@ func Example_fakeResponse() {
 			log.Fatalln(err)
 		}
 
+		if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed); err != nil {
+			log.Fatalln(err)
+		}
+
 		ke1, err := server.Deserialize.KE1(message1)
 		if err != nil {
 			log.Fatalln(err)
 		}
 
-		ke2, err := server.LoginInit(ke1, serverID, serverPrivateKey, serverPublicKey, secretOprfSeed, fakeRecord)
+		ke2, err := server.LoginInit(ke1, fakeRecord)
 		if err != nil {
 			log.Fatalln(err)
 		}

internal/ake/3dh.go

@@ -83,6 +83,25 @@ type values struct {
 	nonce              []byte
 }
 
+// GetEphemeralSecretKey returns the state's ephemeral secret key.
+func (v *values) GetEphemeralSecretKey() *group.Scalar {
+	return v.ephemeralSecretKey
+}
+
+// GetNonce returns the secret nonce.
+func (v *values) GetNonce() []byte {
+	return v.nonce
+}
+
+func (v *values) flush() {
+	if v.ephemeralSecretKey != nil {
+		v.ephemeralSecretKey.Zero()
+		v.ephemeralSecretKey = nil
+	}
+
+	v.nonce = nil
+}
+
 // setOptions sets optional values.
 // There's no effect if ephemeralSecretKey and nonce have already been set in a previous call.
 func (v *values) setOptions(g group.Group, options Options) *group.Element {

internal/ake/client.go

@@ -81,3 +81,9 @@ func (c *Client) Finalize(
 func (c *Client) SessionKey() []byte {
 	return c.sessionSecret
 }
+
+// Flush sets all the client's session related internal AKE values to nil.
+func (c *Client) Flush() {
+	c.values.flush()
+	c.sessionSecret = nil
+}

internal/ake/server.go

@@ -109,3 +109,10 @@ func (s *Server) SetState(clientMac, sessionSecret []byte) error {
 
 	return nil
 }
+
+// Flush sets all the server's session related internal AKE values to nil.
+func (s *Server) Flush() {
+	s.values.flush()
+	s.clientMac = nil
+	s.sessionSecret = nil
+}

server.go

@@ -23,6 +23,9 @@ import (
 )
 
 var (
+	// ErrNoServerKeyMaterial indicates that the server's key material has not been set.
+	ErrNoServerKeyMaterial = errors.New("key material not set: call SetKeyMaterial() to set values")
+
 	// ErrAkeInvalidClientMac indicates that the MAC contained in the KE3 message is not valid in the given session.
 	ErrAkeInvalidClientMac = errors.New("failed to authenticate client: invalid client mac")
 
@@ -47,6 +50,14 @@ type Server struct {
 	Deserialize *Deserializer
 	conf        *internal.Configuration
 	Ake         *ake.Server
+	*keyMaterial
+}
+
+type keyMaterial struct {
+	serverIdentity  []byte
+	serverSecretKey *group.Scalar
+	serverPublicKey []byte
+	oprfSeed        []byte
 }
 
 // NewServer returns a Server instantiation given the application Configuration.
@@ -64,6 +75,7 @@ func NewServer(c *Configuration) (*Server, error) {
 		Deserialize: &Deserializer{conf: conf},
 		conf:        conf,
 		Ake:         ake.NewServer(),
+		keyMaterial: nil,
 	}, nil
 }
 
@@ -117,41 +129,6 @@ func (s *Server) credentialResponse(
 	return message.NewCredentialResponse(z, maskingNonce, maskedResponse)
 }
 
-func (s *Server) verifyInitInput(
-	serverSecretKey, serverPublicKey, oprfSeed []byte,
-	record *ClientRecord,
-) (*group.Scalar, error) {
-	sks := s.conf.Group.NewScalar()
-	if err := sks.Decode(serverSecretKey); err != nil {
-		return nil, fmt.Errorf("invalid server AKE secret key: %w", err)
-	}
-
-	if sks.IsZero() {
-		return nil, ErrZeroSKS
-	}
-
-	if len(oprfSeed) != s.conf.Hash.Size() {
-		return nil, ErrInvalidOPRFSeedLength
-	}
-
-	if len(serverPublicKey) != s.conf.Group.ElementLength() {
-		return nil, ErrInvalidPksLength
-	}
-
-	if err := s.conf.Group.NewElement().Decode(serverPublicKey); err != nil {
-		return nil, fmt.Errorf("invalid server public key: %w", err)
-	}
-
-	if len(record.Envelope) != s.conf.EnvelopeSize {
-		return nil, ErrInvalidEnvelopeLength
-	}
-
-	// We've checked that the server's public key and the client's envelope are of correct length,
-	// thus ensuring that the subsequent xor-ing input is the same length as the encryption pad.
-
-	return sks, nil
-}
-
 // ServerLoginInitOptions enables setting optional values for the session, which default to secure random values if not
 // set.
 type ServerLoginInitOptions struct {
@@ -175,30 +152,75 @@ func getServerLoginInitOptions(options []ServerLoginInitOptions) *ake.Options {
 	return &op
 }
 
-// LoginInit responds to a KE1 message with a KE2 message given server credentials and client record.
+// SetKeyMaterial set the server's identity and mandatory key material to be used during LoginInit().
+// All these values must be the same as used during client registration and remain the same across protocol execution
+// for a given registered client.
+//
+// - serverIdentity can be nil, in which case it will be set to serverPublicKey.
+// - serverSecretKey is the server's secret AKE key.
+// - serverPublicKey is the server's public AKE key to the serverSecretKey.
+// - oprfSeed is the long-term OPRF input seed.
+func (s *Server) SetKeyMaterial(serverIdentity, serverSecretKey, serverPublicKey, oprfSeed []byte) error {
+	sks := s.conf.Group.NewScalar()
+	if err := sks.Decode(serverSecretKey); err != nil {
+		return fmt.Errorf("invalid server AKE secret key: %w", err)
+	}
+
+	if sks.IsZero() {
+		return ErrZeroSKS
+	}
+
+	if len(oprfSeed) != s.conf.Hash.Size() {
+		return ErrInvalidOPRFSeedLength
+	}
+
+	if len(serverPublicKey) != s.conf.Group.ElementLength() {
+		return ErrInvalidPksLength
+	}
+
+	if err := s.conf.Group.NewElement().Decode(serverPublicKey); err != nil {
+		return fmt.Errorf("invalid server public key: %w", err)
+	}
+
+	s.keyMaterial = &keyMaterial{
+		serverIdentity:  serverIdentity,
+		serverSecretKey: sks,
+		serverPublicKey: serverPublicKey,
+		oprfSeed:        oprfSeed,
+	}
+
+	return nil
+}
+
+// LoginInit responds to a KE1 message with a KE2 message a client record.
 func (s *Server) LoginInit(
 	ke1 *message.KE1,
-	serverIdentity, serverSecretKey, serverPublicKey, oprfSeed []byte,
 	record *ClientRecord,
 	options ...ServerLoginInitOptions,
 ) (*message.KE2, error) {
-	sks, err := s.verifyInitInput(serverSecretKey, serverPublicKey, oprfSeed, record)
-	if err != nil {
-		return nil, err
+	if s.keyMaterial == nil {
+		return nil, ErrNoServerKeyMaterial
 	}
 
+	if len(record.Envelope) != s.conf.EnvelopeSize {
+		return nil, ErrInvalidEnvelopeLength
+	}
+
+	// We've checked that the server's public key and the client's envelope are of correct length,
+	// thus ensuring that the subsequent xor-ing input is the same length as the encryption pad.
+
 	op := getServerLoginInitOptions(options)
 
-	response := s.credentialResponse(ke1.CredentialRequest, serverPublicKey,
-		record.RegistrationRecord, record.CredentialIdentifier, oprfSeed, record.TestMaskNonce)
+	response := s.credentialResponse(ke1.CredentialRequest, s.keyMaterial.serverPublicKey,
+		record.RegistrationRecord, record.CredentialIdentifier, s.keyMaterial.oprfSeed, record.TestMaskNonce)
 
 	identities := ake.Identities{
 		ClientIdentity: record.ClientIdentity,
-		ServerIdentity: serverIdentity,
+		ServerIdentity: s.keyMaterial.serverIdentity,
 	}
-	identities.SetIdentities(record.PublicKey, serverPublicKey)
+	identities.SetIdentities(record.PublicKey, s.keyMaterial.serverPublicKey)
 
-	ke2 := s.Ake.Response(s.conf, &identities, sks, record.PublicKey, ke1, response, *op)
+	ke2 := s.Ake.Response(s.conf, &identities, s.keyMaterial.serverSecretKey, record.PublicKey, ke1, response, *op)
 
 	return ke2, nil
 }

tests/client_test.go

@@ -9,6 +9,7 @@
 package opaque_test
 
 import (
+	"log"
 	"strings"
 	"testing"
 
@@ -117,16 +118,23 @@ func TestClientFinish_BadMaskedResponse(t *testing.T) {
 		if err != nil {
 			t.Fatal(err)
 		}
+
 		server, err := conf.conf.Server()
 		if err != nil {
 			t.Fatal(err)
 		}
+
 		sks, pks := conf.conf.KeyGen()
 		oprfSeed := internal.RandomBytes(conf.conf.Hash.Size())
+
+		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed); err != nil {
+			t.Fatal(err)
+		}
+
 		rec := buildRecord(credID, oprfSeed, []byte("yo"), pks, client, server)
 
 		ke1 := client.LoginInit([]byte("yo"))
-		ke2, _ := server.LoginInit(ke1, nil, sks, pks, oprfSeed, rec)
+		ke2, _ := server.LoginInit(ke1, rec)
 
 		goodLength := client.GetConf().Group.ElementLength() + client.GetConf().EnvelopeSize
 		expected := "invalid masked response length"
@@ -156,16 +164,23 @@ func TestClientFinish_InvalidEnvelopeTag(t *testing.T) {
 		if err != nil {
 			t.Fatal(err)
 		}
+
 		server, err := conf.conf.Server()
 		if err != nil {
 			t.Fatal(err)
 		}
+
 		sks, pks := conf.conf.KeyGen()
 		oprfSeed := internal.RandomBytes(conf.conf.Hash.Size())
+
+		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed); err != nil {
+			t.Fatal(err)
+		}
+
 		rec := buildRecord(credID, oprfSeed, []byte("yo"), pks, client, server)
 
 		ke1 := client.LoginInit([]byte("yo"))
-		ke2, _ := server.LoginInit(ke1, nil, sks, pks, oprfSeed, rec)
+		ke2, _ := server.LoginInit(ke1, rec)
 
 		env, _, err := getEnvelope(client, ke2)
 		if err != nil {
@@ -207,16 +222,23 @@ func TestClientFinish_InvalidKE2KeyEncoding(t *testing.T) {
 		if err != nil {
 			t.Fatal(err)
 		}
+
 		server, err := conf.conf.Server()
 		if err != nil {
 			t.Fatal(err)
 		}
+
 		sks, pks := conf.conf.KeyGen()
 		oprfSeed := internal.RandomBytes(conf.conf.Hash.Size())
+
+		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed); err != nil {
+			t.Fatal(err)
+		}
+
 		rec := buildRecord(credID, oprfSeed, []byte("yo"), pks, client, server)
 
 		ke1 := client.LoginInit([]byte("yo"))
-		ke2, _ := server.LoginInit(ke1, nil, sks, pks, oprfSeed, rec)
+		ke2, _ := server.LoginInit(ke1, rec)
 		// epks := ke2.EpkS
 
 		// tamper epks
@@ -283,16 +305,23 @@ func TestClientFinish_InvalidKE2Mac(t *testing.T) {
 		if err != nil {
 			t.Fatal(err)
 		}
+
 		server, err := conf.conf.Server()
 		if err != nil {
 			t.Fatal(err)
 		}
+
 		sks, pks := conf.conf.KeyGen()
 		oprfSeed := internal.RandomBytes(conf.conf.Hash.Size())
+
+		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed); err != nil {
+			log.Fatal(err)
+		}
+
 		rec := buildRecord(credID, oprfSeed, []byte("yo"), pks, client, server)
 
 		ke1 := client.LoginInit([]byte("yo"))
-		ke2, _ := server.LoginInit(ke1, nil, sks, pks, oprfSeed, rec)
+		ke2, _ := server.LoginInit(ke1, rec)
 
 		ke2.Mac = internal.RandomBytes(client.GetConf().MAC.Size())
 		expected := "finalizing AKE: invalid server mac"