1 files changed, 511 insertions, 0 deletions
diff --git a/src/lib/libcrypto/jpake/jpake.c b/src/lib/libcrypto/jpake/jpake.c
new file mode 100644
index 0000000000..8e4b633ccc
--- /dev/null
+++ b/src/lib/libcrypto/jpake/jpake.c
@@ -0,0 +1,511 @@
+#include "jpake.h"
+#include <openssl/crypto.h>
+#include <openssl/sha.h>
+#include <openssl/err.h>
+#include <memory.h>
+/*
+ * In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or
+ * Bob's (x3, x4, x1, x2). If you see what I mean.
+ */
+typedef struct
+    {
+    char *name;  /* Must be unique */
+    char *peer_name;
+    BIGNUM *p;
+    BIGNUM *g;
+    BIGNUM *q;
+    BIGNUM *gxc; /* Alice's g^{x3} or Bob's g^{x1} */
+    BIGNUM *gxd; /* Alice's g^{x4} or Bob's g^{x2} */
+    } JPAKE_CTX_PUBLIC;
+struct JPAKE_CTX
+    {
+    JPAKE_CTX_PUBLIC p;
+    BIGNUM *secret;   /* The shared secret */
+    BN_CTX *ctx;
+    BIGNUM *xa;       /* Alice's x1 or Bob's x3 */
+    BIGNUM *xb;       /* Alice's x2 or Bob's x4 */
+    BIGNUM *key;      /* The calculated (shared) key */
+    };
+static void JPAKE_ZKP_init(JPAKE_ZKP *zkp)
+    {
+    zkp->gr = BN_new();
+    zkp->b = BN_new();
+    }
+static void JPAKE_ZKP_release(JPAKE_ZKP *zkp)
+    {
+    BN_free(zkp->b);
+    BN_free(zkp->gr);
+    }
+/* Two birds with one stone - make the global name as expected */
+#define JPAKE_STEP_PART_init    JPAKE_STEP2_init
+#define JPAKE_STEP_PART_release JPAKE_STEP2_release
+void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p)
+    {
+    p->gx = BN_new();
+    JPAKE_ZKP_init(&p->zkpx);
+    }
+void JPAKE_STEP_PART_release(JPAKE_STEP_PART *p)
+    {
+    JPAKE_ZKP_release(&p->zkpx);
+    BN_free(p->gx);
+    }
+void JPAKE_STEP1_init(JPAKE_STEP1 *s1)
+    {
+    JPAKE_STEP_PART_init(&s1->p1);
+    JPAKE_STEP_PART_init(&s1->p2);
+    }
+void JPAKE_STEP1_release(JPAKE_STEP1 *s1)
+    {
+    JPAKE_STEP_PART_release(&s1->p2);
+    JPAKE_STEP_PART_release(&s1->p1);
+    }
+static void JPAKE_CTX_init(JPAKE_CTX *ctx, const char *name,
+                           const char *peer_name, const BIGNUM *p,
+                           const BIGNUM *g, const BIGNUM *q,
+                           const BIGNUM *secret)
+    {
+    ctx->p.name = OPENSSL_strdup(name);
+    ctx->p.peer_name = OPENSSL_strdup(peer_name);
+    ctx->p.p = BN_dup(p);
+    ctx->p.g = BN_dup(g);
+    ctx->p.q = BN_dup(q);
+    ctx->secret = BN_dup(secret);
+    ctx->p.gxc = BN_new();
+    ctx->p.gxd = BN_new();
+    ctx->xa = BN_new();
+    ctx->xb = BN_new();
+    ctx->key = BN_new();
+    ctx->ctx = BN_CTX_new();
+    }
+    
+static void JPAKE_CTX_release(JPAKE_CTX *ctx)
+    {
+    BN_CTX_free(ctx->ctx);
+    BN_clear_free(ctx->key);
+    BN_clear_free(ctx->xb);
+    BN_clear_free(ctx->xa);
+    BN_free(ctx->p.gxd);
+    BN_free(ctx->p.gxc);
+    BN_clear_free(ctx->secret);
+    BN_free(ctx->p.q);
+    BN_free(ctx->p.g);
+    BN_free(ctx->p.p);
+    OPENSSL_free(ctx->p.peer_name);
+    OPENSSL_free(ctx->p.name);
+    memset(ctx, '\0', sizeof *ctx);
+    }
+    
+JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
+                         const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
+                         const BIGNUM *secret)
+    {
+    JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
+    JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret);
+    return ctx;
+    }
+void JPAKE_CTX_free(JPAKE_CTX *ctx)
+    {
+    JPAKE_CTX_release(ctx);
+    OPENSSL_free(ctx);
+    }
+static void hashlength(SHA_CTX *sha, size_t l)
+    {
+    unsigned char b[2];
+    OPENSSL_assert(l <= 0xffff);
+    b[0] = l >> 8;
+    b[1] = l&0xff;
+    SHA1_Update(sha, b, 2);
+    }
+static void hashstring(SHA_CTX *sha, const char *string)
+    {
+    size_t l = strlen(string);
+    hashlength(sha, l);
+    SHA1_Update(sha, string, l);
+    }
+static void hashbn(SHA_CTX *sha, const BIGNUM *bn)
+    {
+    size_t l = BN_num_bytes(bn);
+    unsigned char *bin = OPENSSL_malloc(l);
+    hashlength(sha, l);
+    BN_bn2bin(bn, bin);
+    SHA1_Update(sha, bin, l);
+    OPENSSL_free(bin);
+    }
+/* h=hash(g, g^r, g^x, name) */
+static void zkp_hash(BIGNUM *h, const BIGNUM *zkpg, const JPAKE_STEP_PART *p,
+                     const char *proof_name)
+    {
+    unsigned char md[SHA_DIGEST_LENGTH];
+    SHA_CTX sha;
+   /*
+    * XXX: hash should not allow moving of the boundaries - Java code
+    * is flawed in this respect. Length encoding seems simplest.
+    */
+    SHA1_Init(&sha);
+    hashbn(&sha, zkpg);
+    OPENSSL_assert(!BN_is_zero(p->zkpx.gr));
+    hashbn(&sha, p->zkpx.gr);
+    hashbn(&sha, p->gx);
+    hashstring(&sha, proof_name);
+    SHA1_Final(md, &sha);
+    BN_bin2bn(md, SHA_DIGEST_LENGTH, h);
+    }
+/*
+ * Prove knowledge of x
+ * Note that p->gx has already been calculated
+ */
+static void generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x,
+                         const BIGNUM *zkpg, JPAKE_CTX *ctx)
+    {
+    BIGNUM *r = BN_new();
+    BIGNUM *h = BN_new();
+    BIGNUM *t = BN_new();
+   /*
+    * r in [0,q)
+    * XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
+    */
+    BN_rand_range(r, ctx->p.q);
+   /* g^r */
+    BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx);
+   /* h=hash... */
+    zkp_hash(h, zkpg, p, ctx->p.name);
+   /* b = r - x*h */
+    BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx);
+    BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx);
+   /* cleanup */
+    BN_free(t);
+    BN_free(h);
+    BN_free(r);
+    }
+static int verify_zkp(const JPAKE_STEP_PART *p, const BIGNUM *zkpg,
+                      JPAKE_CTX *ctx)
+    {
+    BIGNUM *h = BN_new();
+    BIGNUM *t1 = BN_new();
+    BIGNUM *t2 = BN_new();
+    BIGNUM *t3 = BN_new();
+    int ret = 0;
+    zkp_hash(h, zkpg, p, ctx->p.peer_name);
+   /* t1 = g^b */
+    BN_mod_exp(t1, zkpg, p->zkpx.b, ctx->p.p, ctx->ctx);
+   /* t2 = (g^x)^h = g^{hx} */
+    BN_mod_exp(t2, p->gx, h, ctx->p.p, ctx->ctx);
+   /* t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly) */
+    BN_mod_mul(t3, t1, t2, ctx->p.p, ctx->ctx);
+   /* verify t3 == g^r */
+    if(BN_cmp(t3, p->zkpx.gr) == 0)
+        ret = 1;
+    else
+        JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED);
+   /* cleanup */
+    BN_free(t3);
+    BN_free(t2);
+    BN_free(t1);
+    BN_free(h);
+    return ret;
+    }    
+static void generate_step_part(JPAKE_STEP_PART *p, const BIGNUM *x,
+                               const BIGNUM *g, JPAKE_CTX *ctx)
+    {
+    BN_mod_exp(p->gx, g, x, ctx->p.p, ctx->ctx);
+    generate_zkp(p, x, g, ctx);
+    }
+/* Generate each party's random numbers. xa is in [0, q), xb is in [1, q). */
+static void genrand(JPAKE_CTX *ctx)
+    {
+    BIGNUM *qm1;
+   /* xa in [0, q) */
+    BN_rand_range(ctx->xa, ctx->p.q);
+   /* q-1 */
+    qm1 = BN_new();
+    BN_copy(qm1, ctx->p.q);
+    BN_sub_word(qm1, 1);
+   /* ... and xb in [0, q-1) */
+    BN_rand_range(ctx->xb, qm1);
+   /* [1, q) */
+    BN_add_word(ctx->xb, 1);
+   /* cleanup */
+    BN_free(qm1);
+    }
+int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx)
+    {
+    genrand(ctx);
+    generate_step_part(&send->p1, ctx->xa, ctx->p.g, ctx);
+    generate_step_part(&send->p2, ctx->xb, ctx->p.g, ctx);
+    return 1;
+    }
+/* g^x is a legal value */
+static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx)
+    {
+    BIGNUM *t;
+    int res;
+    
+    if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0)
+        return 0;
+    t = BN_new();
+    BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx);
+    res = BN_is_one(t);
+    BN_free(t);
+    return res;
+    }
+int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received)
+    {
+    if(!is_legal(received->p1.gx, ctx))
+        {
+        JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL);
+        return 0;
+        }
+    if(!is_legal(received->p2.gx, ctx))
+        {
+        JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL);
+        return 0;
+        }
+   /* verify their ZKP(xc) */
+    if(!verify_zkp(&received->p1, ctx->p.g, ctx))
+        {
+        JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED);
+        return 0;
+        }
+   /* verify their ZKP(xd) */
+    if(!verify_zkp(&received->p2, ctx->p.g, ctx))
+        {
+        JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED);
+        return 0;
+        }
+   /* g^xd != 1 */
+    if(BN_is_one(received->p2.gx))
+        {
+        JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE);
+        return 0;
+        }
+   /* Save the bits we need for later */
+    BN_copy(ctx->p.gxc, received->p1.gx);
+    BN_copy(ctx->p.gxd, received->p2.gx);
+    return 1;
+    }
+int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx)
+    {
+    BIGNUM *t1 = BN_new();
+    BIGNUM *t2 = BN_new();
+   /*
+    * X = g^{(xa + xc + xd) * xb * s}
+    * t1 = g^xa
+    */
+    BN_mod_exp(t1, ctx->p.g, ctx->xa, ctx->p.p, ctx->ctx);
+   /* t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc} */
+    BN_mod_mul(t2, t1, ctx->p.gxc, ctx->p.p, ctx->ctx);
+   /* t1 = t2 * g^{xd} = g^{xa + xc + xd} */
+    BN_mod_mul(t1, t2, ctx->p.gxd, ctx->p.p, ctx->ctx);
+   /* t2 = xb * s */
+    BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx);
+   /*
+    * ZKP(xb * s)
+    * XXX: this is kinda funky, because we're using
+    *
+    * g' = g^{xa + xc + xd}
+    *
+    * as the generator, which means X is g'^{xb * s}
+    * X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s}
+    */
+    generate_step_part(send, t2, t1, ctx);
+   /* cleanup */
+    BN_free(t1);
+    BN_free(t2);
+    return 1;
+    }
+/* gx = g^{xc + xa + xb} * xd * s */
+static int compute_key(JPAKE_CTX *ctx, const BIGNUM *gx)
+    {
+    BIGNUM *t1 = BN_new();
+    BIGNUM *t2 = BN_new();
+    BIGNUM *t3 = BN_new();
+   /*
+    * K = (gx/g^{xb * xd * s})^{xb}
+    *   = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb}
+    *   = (g^{(xa + xc) * xd * s})^{xb}
+    *   = g^{(xa + xc) * xb * xd * s}
+    * [which is the same regardless of who calculates it]
+    */
+   /* t1 = (g^{xd})^{xb} = g^{xb * xd} */
+    BN_mod_exp(t1, ctx->p.gxd, ctx->xb, ctx->p.p, ctx->ctx);
+   /* t2 = -s = q-s */
+    BN_sub(t2, ctx->p.q, ctx->secret);
+   /* t3 = t1^t2 = g^{-xb * xd * s} */
+    BN_mod_exp(t3, t1, t2, ctx->p.p, ctx->ctx);
+   /* t1 = gx * t3 = X/g^{xb * xd * s} */
+    BN_mod_mul(t1, gx, t3, ctx->p.p, ctx->ctx);
+   /* K = t1^{xb} */
+    BN_mod_exp(ctx->key, t1, ctx->xb, ctx->p.p, ctx->ctx);
+   /* cleanup */
+    BN_free(t3);
+    BN_free(t2);
+    BN_free(t1);
+    return 1;
+    }
+int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received)
+    {
+    BIGNUM *t1 = BN_new();
+    BIGNUM *t2 = BN_new();
+    int ret = 0;
+   /*
+    * g' = g^{xc + xa + xb} [from our POV]
+    * t1 = xa + xb
+    */
+    BN_mod_add(t1, ctx->xa, ctx->xb, ctx->p.q, ctx->ctx);
+   /* t2 = g^{t1} = g^{xa+xb} */
+    BN_mod_exp(t2, ctx->p.g, t1, ctx->p.p, ctx->ctx);
+   /* t1 = g^{xc} * t2 = g^{xc + xa + xb} */
+    BN_mod_mul(t1, ctx->p.gxc, t2, ctx->p.p, ctx->ctx);
+    if(verify_zkp(received, t1, ctx))
+        ret = 1;
+    else
+        JPAKEerr(JPAKE_F_JPAKE_STEP2_PROCESS, JPAKE_R_VERIFY_B_FAILED);
+    compute_key(ctx, received->gx);
+   /* cleanup */
+    BN_free(t2);
+    BN_free(t1);
+    return ret;
+    }
+static void quickhashbn(unsigned char *md, const BIGNUM *bn)
+    {
+    SHA_CTX sha;
+    SHA1_Init(&sha);
+    hashbn(&sha, bn);
+    SHA1_Final(md, &sha);
+    }
+void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a)
+    {}
+int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx)
+    {
+    quickhashbn(send->hhk, ctx->key);
+    SHA1(send->hhk, sizeof send->hhk, send->hhk);
+    return 1;
+    }
+int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received)
+    {
+    unsigned char hhk[SHA_DIGEST_LENGTH];
+    quickhashbn(hhk, ctx->key);
+    SHA1(hhk, sizeof hhk, hhk);
+    if(memcmp(hhk, received->hhk, sizeof hhk))
+        {
+        JPAKEerr(JPAKE_F_JPAKE_STEP3A_PROCESS, JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH);
+        return 0;
+        }
+    return 1;
+    }
+void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a)
+    {}
+void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b)
+    {}
+int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx)
+    {
+    quickhashbn(send->hk, ctx->key);
+    return 1;
+    }
+int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received)
+    {
+    unsigned char hk[SHA_DIGEST_LENGTH];
+    quickhashbn(hk, ctx->key);
+    if(memcmp(hk, received->hk, sizeof hk))
+        {
+        JPAKEerr(JPAKE_F_JPAKE_STEP3B_PROCESS, JPAKE_R_HASH_OF_KEY_MISMATCH);
+        return 0;
+        }
+    return 1;
+    }
+void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b)
+    {}
+const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx)
+    {
+    return ctx->key;
+    }

diff --git a/src/lib/libcrypto/jpake/jpake.c b/src/lib/libcrypto/jpake/jpake.c new file mode 100644 index 0000000000..8e4b633ccc --- /dev/null +++ b/src/lib/libcrypto/jpake/jpake.c
@@ -0,0 +1,511 @@
	1	#include "jpake.h"
	2
	3	#include <openssl/crypto.h>
	4	#include <openssl/sha.h>
	5	#include <openssl/err.h>
	6	#include <memory.h>
	7
	8	/*
	9	* In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or
	10	* Bob's (x3, x4, x1, x2). If you see what I mean.
	11	*/
	12
	13	typedef struct
	14	{
	15	char name; / Must be unique */
	16	char *peer_name;
	17	BIGNUM *p;
	18	BIGNUM *g;
	19	BIGNUM *q;
	20	BIGNUM gxc; / Alice's g^{x3} or Bob's g^{x1} */
	21	BIGNUM gxd; / Alice's g^{x4} or Bob's g^{x2} */
	22	} JPAKE_CTX_PUBLIC;
	23
	24	struct JPAKE_CTX
	25	{
	26	JPAKE_CTX_PUBLIC p;
	27	BIGNUM secret; / The shared secret */
	28	BN_CTX *ctx;
	29	BIGNUM xa; / Alice's x1 or Bob's x3 */
	30	BIGNUM xb; / Alice's x2 or Bob's x4 */
	31	BIGNUM key; / The calculated (shared) key */
	32	};
	33
	34	static void JPAKE_ZKP_init(JPAKE_ZKP *zkp)
	35	{
	36	zkp->gr = BN_new();
	37	zkp->b = BN_new();
	38	}
	39
	40	static void JPAKE_ZKP_release(JPAKE_ZKP *zkp)
	41	{
	42	BN_free(zkp->b);
	43	BN_free(zkp->gr);
	44	}
	45
	46	/* Two birds with one stone - make the global name as expected */
	47	#define JPAKE_STEP_PART_init JPAKE_STEP2_init
	48	#define JPAKE_STEP_PART_release JPAKE_STEP2_release
	49
	50	void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p)
	51	{
	52	p->gx = BN_new();
	53	JPAKE_ZKP_init(&p->zkpx);
	54	}
	55
	56	void JPAKE_STEP_PART_release(JPAKE_STEP_PART *p)
	57	{
	58	JPAKE_ZKP_release(&p->zkpx);
	59	BN_free(p->gx);
	60	}
	61
	62	void JPAKE_STEP1_init(JPAKE_STEP1 *s1)
	63	{
	64	JPAKE_STEP_PART_init(&s1->p1);
	65	JPAKE_STEP_PART_init(&s1->p2);
	66	}
	67
	68	void JPAKE_STEP1_release(JPAKE_STEP1 *s1)
	69	{
	70	JPAKE_STEP_PART_release(&s1->p2);
	71	JPAKE_STEP_PART_release(&s1->p1);
	72	}
	73
	74	static void JPAKE_CTX_init(JPAKE_CTX ctx, const char name,
	75	const char peer_name, const BIGNUM p,
	76	const BIGNUM g, const BIGNUM q,
	77	const BIGNUM *secret)
	78	{
	79	ctx->p.name = OPENSSL_strdup(name);
	80	ctx->p.peer_name = OPENSSL_strdup(peer_name);
	81	ctx->p.p = BN_dup(p);
	82	ctx->p.g = BN_dup(g);
	83	ctx->p.q = BN_dup(q);
	84	ctx->secret = BN_dup(secret);
	85
	86	ctx->p.gxc = BN_new();
	87	ctx->p.gxd = BN_new();
	88
	89	ctx->xa = BN_new();
	90	ctx->xb = BN_new();
	91	ctx->key = BN_new();
	92	ctx->ctx = BN_CTX_new();
	93	}
	94
	95	static void JPAKE_CTX_release(JPAKE_CTX *ctx)
	96	{
	97	BN_CTX_free(ctx->ctx);
	98	BN_clear_free(ctx->key);
	99	BN_clear_free(ctx->xb);
	100	BN_clear_free(ctx->xa);
	101
	102	BN_free(ctx->p.gxd);
	103	BN_free(ctx->p.gxc);
	104
	105	BN_clear_free(ctx->secret);
	106	BN_free(ctx->p.q);
	107	BN_free(ctx->p.g);
	108	BN_free(ctx->p.p);
	109	OPENSSL_free(ctx->p.peer_name);
	110	OPENSSL_free(ctx->p.name);
	111
	112	memset(ctx, '\0', sizeof *ctx);
	113	}
	114
	115	JPAKE_CTX JPAKE_CTX_new(const char name, const char *peer_name,
	116	const BIGNUM p, const BIGNUM g, const BIGNUM *q,
	117	const BIGNUM *secret)
	118	{
	119	JPAKE_CTX ctx = OPENSSL_malloc(sizeof ctx);
	120
	121	JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret);
	122
	123	return ctx;
	124	}
	125
	126	void JPAKE_CTX_free(JPAKE_CTX *ctx)
	127	{
	128	JPAKE_CTX_release(ctx);
	129	OPENSSL_free(ctx);
	130	}
	131
	132	static void hashlength(SHA_CTX *sha, size_t l)
	133	{
	134	unsigned char b[2];
	135
	136	OPENSSL_assert(l <= 0xffff);
	137	b[0] = l >> 8;
	138	b[1] = l&0xff;
	139	SHA1_Update(sha, b, 2);
	140	}
	141
	142	static void hashstring(SHA_CTX sha, const char string)
	143	{
	144	size_t l = strlen(string);
	145
	146	hashlength(sha, l);
	147	SHA1_Update(sha, string, l);
	148	}
	149
	150	static void hashbn(SHA_CTX sha, const BIGNUM bn)
	151	{
	152	size_t l = BN_num_bytes(bn);
	153	unsigned char *bin = OPENSSL_malloc(l);
	154
	155	hashlength(sha, l);
	156	BN_bn2bin(bn, bin);
	157	SHA1_Update(sha, bin, l);
	158	OPENSSL_free(bin);
	159	}
	160
	161	/* h=hash(g, g^r, g^x, name) */
	162	static void zkp_hash(BIGNUM h, const BIGNUM zkpg, const JPAKE_STEP_PART *p,
	163	const char *proof_name)
	164	{
	165	unsigned char md[SHA_DIGEST_LENGTH];
	166	SHA_CTX sha;
	167
	168	/*
	169	* XXX: hash should not allow moving of the boundaries - Java code
	170	* is flawed in this respect. Length encoding seems simplest.
	171	*/
	172	SHA1_Init(&sha);
	173	hashbn(&sha, zkpg);
	174	OPENSSL_assert(!BN_is_zero(p->zkpx.gr));
	175	hashbn(&sha, p->zkpx.gr);
	176	hashbn(&sha, p->gx);
	177	hashstring(&sha, proof_name);
	178	SHA1_Final(md, &sha);
	179	BN_bin2bn(md, SHA_DIGEST_LENGTH, h);
	180	}
	181
	182	/*
	183	* Prove knowledge of x
	184	* Note that p->gx has already been calculated
	185	*/
	186	static void generate_zkp(JPAKE_STEP_PART p, const BIGNUM x,
	187	const BIGNUM zkpg, JPAKE_CTX ctx)
	188	{
	189	BIGNUM *r = BN_new();
	190	BIGNUM *h = BN_new();
	191	BIGNUM *t = BN_new();
	192
	193	/*
	194	* r in [0,q)
	195	* XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
	196	*/
	197	BN_rand_range(r, ctx->p.q);
	198	/* g^r */
	199	BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx);
	200
	201	/* h=hash... */
	202	zkp_hash(h, zkpg, p, ctx->p.name);
	203
	204	/* b = r - xh /
	205	BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx);
	206	BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx);
	207
	208	/* cleanup */
	209	BN_free(t);
	210	BN_free(h);
	211	BN_free(r);
	212	}
	213
	214	static int verify_zkp(const JPAKE_STEP_PART p, const BIGNUM zkpg,
	215	JPAKE_CTX *ctx)
	216	{
	217	BIGNUM *h = BN_new();
	218	BIGNUM *t1 = BN_new();
	219	BIGNUM *t2 = BN_new();
	220	BIGNUM *t3 = BN_new();
	221	int ret = 0;
	222
	223	zkp_hash(h, zkpg, p, ctx->p.peer_name);
	224
	225	/* t1 = g^b */
	226	BN_mod_exp(t1, zkpg, p->zkpx.b, ctx->p.p, ctx->ctx);
	227	/* t2 = (g^x)^h = g^{hx} */
	228	BN_mod_exp(t2, p->gx, h, ctx->p.p, ctx->ctx);
	229	/* t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly) */
	230	BN_mod_mul(t3, t1, t2, ctx->p.p, ctx->ctx);
	231
	232	/* verify t3 == g^r */
	233	if(BN_cmp(t3, p->zkpx.gr) == 0)
	234	ret = 1;
	235	else
	236	JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED);
	237
	238	/* cleanup */
	239	BN_free(t3);
	240	BN_free(t2);
	241	BN_free(t1);
	242	BN_free(h);
	243
	244	return ret;
	245	}
	246
	247	static void generate_step_part(JPAKE_STEP_PART p, const BIGNUM x,
	248	const BIGNUM g, JPAKE_CTX ctx)
	249	{
	250	BN_mod_exp(p->gx, g, x, ctx->p.p, ctx->ctx);
	251	generate_zkp(p, x, g, ctx);
	252	}
	253
	254	/* Generate each party's random numbers. xa is in [0, q), xb is in [1, q). */
	255	static void genrand(JPAKE_CTX *ctx)
	256	{
	257	BIGNUM *qm1;
	258
	259	/* xa in [0, q) */
	260	BN_rand_range(ctx->xa, ctx->p.q);
	261
	262	/* q-1 */
	263	qm1 = BN_new();
	264	BN_copy(qm1, ctx->p.q);
	265	BN_sub_word(qm1, 1);
	266
	267	/* ... and xb in [0, q-1) */
	268	BN_rand_range(ctx->xb, qm1);
	269	/* [1, q) */
	270	BN_add_word(ctx->xb, 1);
	271
	272	/* cleanup */
	273	BN_free(qm1);
	274	}
	275
	276	int JPAKE_STEP1_generate(JPAKE_STEP1 send, JPAKE_CTX ctx)
	277	{
	278	genrand(ctx);
	279	generate_step_part(&send->p1, ctx->xa, ctx->p.g, ctx);
	280	generate_step_part(&send->p2, ctx->xb, ctx->p.g, ctx);
	281
	282	return 1;
	283	}
	284
	285	/* g^x is a legal value */
	286	static int is_legal(const BIGNUM gx, const JPAKE_CTX ctx)
	287	{
	288	BIGNUM *t;
	289	int res;
	290
	291	if(BN_is_negative(gx) \|\| BN_is_zero(gx) \|\| BN_cmp(gx, ctx->p.p) >= 0)
	292	return 0;
	293
	294	t = BN_new();
	295	BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx);
	296	res = BN_is_one(t);
	297	BN_free(t);
	298
	299	return res;
	300	}
	301
	302	int JPAKE_STEP1_process(JPAKE_CTX ctx, const JPAKE_STEP1 received)
	303	{
	304	if(!is_legal(received->p1.gx, ctx))
	305	{
	306	JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL);
	307	return 0;
	308	}
	309
	310	if(!is_legal(received->p2.gx, ctx))
	311	{
	312	JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL);
	313	return 0;
	314	}
	315
	316	/* verify their ZKP(xc) */
	317	if(!verify_zkp(&received->p1, ctx->p.g, ctx))
	318	{
	319	JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED);
	320	return 0;
	321	}
	322
	323	/* verify their ZKP(xd) */
	324	if(!verify_zkp(&received->p2, ctx->p.g, ctx))
	325	{
	326	JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED);
	327	return 0;
	328	}
	329
	330	/* g^xd != 1 */
	331	if(BN_is_one(received->p2.gx))
	332	{
	333	JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE);
	334	return 0;
	335	}
	336
	337	/* Save the bits we need for later */
	338	BN_copy(ctx->p.gxc, received->p1.gx);
	339	BN_copy(ctx->p.gxd, received->p2.gx);
	340
	341	return 1;
	342	}
	343
	344
	345	int JPAKE_STEP2_generate(JPAKE_STEP2 send, JPAKE_CTX ctx)
	346	{
	347	BIGNUM *t1 = BN_new();
	348	BIGNUM *t2 = BN_new();
	349
	350	/*
	351	* X = g^{(xa + xc + xd) * xb * s}
	352	* t1 = g^xa
	353	*/
	354	BN_mod_exp(t1, ctx->p.g, ctx->xa, ctx->p.p, ctx->ctx);
	355	/* t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc} */
	356	BN_mod_mul(t2, t1, ctx->p.gxc, ctx->p.p, ctx->ctx);
	357	/* t1 = t2 * g^{xd} = g^{xa + xc + xd} */
	358	BN_mod_mul(t1, t2, ctx->p.gxd, ctx->p.p, ctx->ctx);
	359	/* t2 = xb * s */
	360	BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx);
	361
	362	/*
	363	* ZKP(xb * s)
	364	* XXX: this is kinda funky, because we're using
	365	*
	366	* g' = g^{xa + xc + xd}
	367	*
	368	* as the generator, which means X is g'^{xb * s}
	369	* X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s}
	370	*/
	371	generate_step_part(send, t2, t1, ctx);
	372
	373	/* cleanup */
	374	BN_free(t1);
	375	BN_free(t2);
	376
	377	return 1;
	378	}
	379
	380	/* gx = g^{xc + xa + xb} * xd * s */
	381	static int compute_key(JPAKE_CTX ctx, const BIGNUM gx)
	382	{
	383	BIGNUM *t1 = BN_new();
	384	BIGNUM *t2 = BN_new();
	385	BIGNUM *t3 = BN_new();
	386
	387	/*
	388	* K = (gx/g^{xb * xd * s})^{xb}
	389	* = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb}
	390	* = (g^{(xa + xc) * xd * s})^{xb}
	391	* = g^{(xa + xc) * xb * xd * s}
	392	* [which is the same regardless of who calculates it]
	393	*/
	394
	395	/* t1 = (g^{xd})^{xb} = g^{xb * xd} */
	396	BN_mod_exp(t1, ctx->p.gxd, ctx->xb, ctx->p.p, ctx->ctx);
	397	/* t2 = -s = q-s */
	398	BN_sub(t2, ctx->p.q, ctx->secret);
	399	/* t3 = t1^t2 = g^{-xb * xd * s} */
	400	BN_mod_exp(t3, t1, t2, ctx->p.p, ctx->ctx);
	401	/* t1 = gx * t3 = X/g^{xb * xd * s} */
	402	BN_mod_mul(t1, gx, t3, ctx->p.p, ctx->ctx);
	403	/* K = t1^{xb} */
	404	BN_mod_exp(ctx->key, t1, ctx->xb, ctx->p.p, ctx->ctx);
	405
	406	/* cleanup */
	407	BN_free(t3);
	408	BN_free(t2);
	409	BN_free(t1);
	410
	411	return 1;
	412	}
	413
	414	int JPAKE_STEP2_process(JPAKE_CTX ctx, const JPAKE_STEP2 received)
	415	{
	416	BIGNUM *t1 = BN_new();
	417	BIGNUM *t2 = BN_new();
	418	int ret = 0;
	419
	420	/*
	421	* g' = g^{xc + xa + xb} [from our POV]
	422	* t1 = xa + xb
	423	*/
	424	BN_mod_add(t1, ctx->xa, ctx->xb, ctx->p.q, ctx->ctx);
	425	/* t2 = g^{t1} = g^{xa+xb} */
	426	BN_mod_exp(t2, ctx->p.g, t1, ctx->p.p, ctx->ctx);
	427	/* t1 = g^{xc} * t2 = g^{xc + xa + xb} */
	428	BN_mod_mul(t1, ctx->p.gxc, t2, ctx->p.p, ctx->ctx);
	429
	430	if(verify_zkp(received, t1, ctx))
	431	ret = 1;
	432	else
	433	JPAKEerr(JPAKE_F_JPAKE_STEP2_PROCESS, JPAKE_R_VERIFY_B_FAILED);
	434
	435	compute_key(ctx, received->gx);
	436
	437	/* cleanup */
	438	BN_free(t2);
	439	BN_free(t1);
	440
	441	return ret;
	442	}
	443
	444	static void quickhashbn(unsigned char md, const BIGNUM bn)
	445	{
	446	SHA_CTX sha;
	447
	448	SHA1_Init(&sha);
	449	hashbn(&sha, bn);
	450	SHA1_Final(md, &sha);
	451	}
	452
	453	void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a)
	454	{}
	455
	456	int JPAKE_STEP3A_generate(JPAKE_STEP3A send, JPAKE_CTX ctx)
	457	{
	458	quickhashbn(send->hhk, ctx->key);
	459	SHA1(send->hhk, sizeof send->hhk, send->hhk);
	460
	461	return 1;
	462	}
	463
	464	int JPAKE_STEP3A_process(JPAKE_CTX ctx, const JPAKE_STEP3A received)
	465	{
	466	unsigned char hhk[SHA_DIGEST_LENGTH];
	467
	468	quickhashbn(hhk, ctx->key);
	469	SHA1(hhk, sizeof hhk, hhk);
	470	if(memcmp(hhk, received->hhk, sizeof hhk))
	471	{
	472	JPAKEerr(JPAKE_F_JPAKE_STEP3A_PROCESS, JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH);
	473	return 0;
	474	}
	475	return 1;
	476	}
	477
	478	void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a)
	479	{}
	480
	481	void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b)
	482	{}
	483
	484	int JPAKE_STEP3B_generate(JPAKE_STEP3B send, JPAKE_CTX ctx)
	485	{
	486	quickhashbn(send->hk, ctx->key);
	487
	488	return 1;
	489	}
	490
	491	int JPAKE_STEP3B_process(JPAKE_CTX ctx, const JPAKE_STEP3B received)
	492	{
	493	unsigned char hk[SHA_DIGEST_LENGTH];
	494
	495	quickhashbn(hk, ctx->key);
	496	if(memcmp(hk, received->hk, sizeof hk))
	497	{
	498	JPAKEerr(JPAKE_F_JPAKE_STEP3B_PROCESS, JPAKE_R_HASH_OF_KEY_MISMATCH);
	499	return 0;
	500	}
	501	return 1;
	502	}
	503
	504	void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b)
	505	{}
	506
	507	const BIGNUM JPAKE_get_shared_key(JPAKE_CTX ctx)
	508	{
	509	return ctx->key;
	510	}
	511