diff options
Diffstat (limited to 'src/lib/libcrypto/jpake')
-rw-r--r-- | src/lib/libcrypto/jpake/Makefile | 64 | ||||
-rw-r--r-- | src/lib/libcrypto/jpake/jpake.c | 511 | ||||
-rw-r--r-- | src/lib/libcrypto/jpake/jpake.h | 131 | ||||
-rw-r--r-- | src/lib/libcrypto/jpake/jpake_err.c | 107 | ||||
-rw-r--r-- | src/lib/libcrypto/jpake/jpaketest.c | 192 |
5 files changed, 1005 insertions, 0 deletions
diff --git a/src/lib/libcrypto/jpake/Makefile b/src/lib/libcrypto/jpake/Makefile new file mode 100644 index 0000000000..110c49ce0b --- /dev/null +++ b/src/lib/libcrypto/jpake/Makefile | |||
@@ -0,0 +1,64 @@ | |||
1 | DIR=jpake | ||
2 | TOP=../.. | ||
3 | |||
4 | CFLAGS= $(INCLUDES) $(CFLAG) | ||
5 | |||
6 | LIB=$(TOP)/libcrypto.a | ||
7 | LIBOBJ=jpake.o jpake_err.o | ||
8 | LIBSRC=jpake.c jpake_err.c | ||
9 | |||
10 | EXHEADER=jpake.h | ||
11 | TEST=jpaketest.c | ||
12 | |||
13 | top: | ||
14 | (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) | ||
15 | |||
16 | all: lib | ||
17 | |||
18 | lib: $(LIBOBJ) | ||
19 | $(AR) $(LIB) $(LIBOBJ) | ||
20 | $(RANLIB) $(LIB) || echo Never mind. | ||
21 | @touch lib | ||
22 | |||
23 | links: | ||
24 | @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) | ||
25 | @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) | ||
26 | |||
27 | install: | ||
28 | @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... | ||
29 | @headerlist="$(EXHEADER)"; for i in $$headerlist ; \ | ||
30 | do \ | ||
31 | (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ | ||
32 | chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ | ||
33 | done; | ||
34 | |||
35 | depend: | ||
36 | @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... | ||
37 | $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) | ||
38 | |||
39 | dclean: | ||
40 | $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new | ||
41 | mv -f Makefile.new $(MAKEFILE) | ||
42 | |||
43 | clean: | ||
44 | rm -f *.s *.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff | ||
45 | |||
46 | jpaketest: top jpaketest.c $(LIB) | ||
47 | $(CC) $(CFLAGS) -Wall -Werror -g -o jpaketest jpaketest.c $(LIB) | ||
48 | # DO NOT DELETE THIS LINE -- make depend depends on it. | ||
49 | |||
50 | jpake.o: ../../include/openssl/bio.h ../../include/openssl/bn.h | ||
51 | jpake.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h | ||
52 | jpake.o: ../../include/openssl/err.h ../../include/openssl/lhash.h | ||
53 | jpake.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h | ||
54 | jpake.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h | ||
55 | jpake.o: ../../include/openssl/sha.h ../../include/openssl/stack.h | ||
56 | jpake.o: ../../include/openssl/symhacks.h jpake.c jpake.h | ||
57 | jpake_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h | ||
58 | jpake_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h | ||
59 | jpake_err.o: ../../include/openssl/err.h ../../include/openssl/jpake.h | ||
60 | jpake_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h | ||
61 | jpake_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h | ||
62 | jpake_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h | ||
63 | jpake_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h | ||
64 | jpake_err.o: jpake_err.c | ||
diff --git a/src/lib/libcrypto/jpake/jpake.c b/src/lib/libcrypto/jpake/jpake.c new file mode 100644 index 0000000000..8e4b633ccc --- /dev/null +++ b/src/lib/libcrypto/jpake/jpake.c | |||
@@ -0,0 +1,511 @@ | |||
1 | #include "jpake.h" | ||
2 | |||
3 | #include <openssl/crypto.h> | ||
4 | #include <openssl/sha.h> | ||
5 | #include <openssl/err.h> | ||
6 | #include <memory.h> | ||
7 | |||
8 | /* | ||
9 | * In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or | ||
10 | * Bob's (x3, x4, x1, x2). If you see what I mean. | ||
11 | */ | ||
12 | |||
13 | typedef struct | ||
14 | { | ||
15 | char *name; /* Must be unique */ | ||
16 | char *peer_name; | ||
17 | BIGNUM *p; | ||
18 | BIGNUM *g; | ||
19 | BIGNUM *q; | ||
20 | BIGNUM *gxc; /* Alice's g^{x3} or Bob's g^{x1} */ | ||
21 | BIGNUM *gxd; /* Alice's g^{x4} or Bob's g^{x2} */ | ||
22 | } JPAKE_CTX_PUBLIC; | ||
23 | |||
24 | struct JPAKE_CTX | ||
25 | { | ||
26 | JPAKE_CTX_PUBLIC p; | ||
27 | BIGNUM *secret; /* The shared secret */ | ||
28 | BN_CTX *ctx; | ||
29 | BIGNUM *xa; /* Alice's x1 or Bob's x3 */ | ||
30 | BIGNUM *xb; /* Alice's x2 or Bob's x4 */ | ||
31 | BIGNUM *key; /* The calculated (shared) key */ | ||
32 | }; | ||
33 | |||
34 | static void JPAKE_ZKP_init(JPAKE_ZKP *zkp) | ||
35 | { | ||
36 | zkp->gr = BN_new(); | ||
37 | zkp->b = BN_new(); | ||
38 | } | ||
39 | |||
40 | static void JPAKE_ZKP_release(JPAKE_ZKP *zkp) | ||
41 | { | ||
42 | BN_free(zkp->b); | ||
43 | BN_free(zkp->gr); | ||
44 | } | ||
45 | |||
46 | /* Two birds with one stone - make the global name as expected */ | ||
47 | #define JPAKE_STEP_PART_init JPAKE_STEP2_init | ||
48 | #define JPAKE_STEP_PART_release JPAKE_STEP2_release | ||
49 | |||
50 | void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p) | ||
51 | { | ||
52 | p->gx = BN_new(); | ||
53 | JPAKE_ZKP_init(&p->zkpx); | ||
54 | } | ||
55 | |||
56 | void JPAKE_STEP_PART_release(JPAKE_STEP_PART *p) | ||
57 | { | ||
58 | JPAKE_ZKP_release(&p->zkpx); | ||
59 | BN_free(p->gx); | ||
60 | } | ||
61 | |||
62 | void JPAKE_STEP1_init(JPAKE_STEP1 *s1) | ||
63 | { | ||
64 | JPAKE_STEP_PART_init(&s1->p1); | ||
65 | JPAKE_STEP_PART_init(&s1->p2); | ||
66 | } | ||
67 | |||
68 | void JPAKE_STEP1_release(JPAKE_STEP1 *s1) | ||
69 | { | ||
70 | JPAKE_STEP_PART_release(&s1->p2); | ||
71 | JPAKE_STEP_PART_release(&s1->p1); | ||
72 | } | ||
73 | |||
74 | static void JPAKE_CTX_init(JPAKE_CTX *ctx, const char *name, | ||
75 | const char *peer_name, const BIGNUM *p, | ||
76 | const BIGNUM *g, const BIGNUM *q, | ||
77 | const BIGNUM *secret) | ||
78 | { | ||
79 | ctx->p.name = OPENSSL_strdup(name); | ||
80 | ctx->p.peer_name = OPENSSL_strdup(peer_name); | ||
81 | ctx->p.p = BN_dup(p); | ||
82 | ctx->p.g = BN_dup(g); | ||
83 | ctx->p.q = BN_dup(q); | ||
84 | ctx->secret = BN_dup(secret); | ||
85 | |||
86 | ctx->p.gxc = BN_new(); | ||
87 | ctx->p.gxd = BN_new(); | ||
88 | |||
89 | ctx->xa = BN_new(); | ||
90 | ctx->xb = BN_new(); | ||
91 | ctx->key = BN_new(); | ||
92 | ctx->ctx = BN_CTX_new(); | ||
93 | } | ||
94 | |||
95 | static void JPAKE_CTX_release(JPAKE_CTX *ctx) | ||
96 | { | ||
97 | BN_CTX_free(ctx->ctx); | ||
98 | BN_clear_free(ctx->key); | ||
99 | BN_clear_free(ctx->xb); | ||
100 | BN_clear_free(ctx->xa); | ||
101 | |||
102 | BN_free(ctx->p.gxd); | ||
103 | BN_free(ctx->p.gxc); | ||
104 | |||
105 | BN_clear_free(ctx->secret); | ||
106 | BN_free(ctx->p.q); | ||
107 | BN_free(ctx->p.g); | ||
108 | BN_free(ctx->p.p); | ||
109 | OPENSSL_free(ctx->p.peer_name); | ||
110 | OPENSSL_free(ctx->p.name); | ||
111 | |||
112 | memset(ctx, '\0', sizeof *ctx); | ||
113 | } | ||
114 | |||
115 | JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name, | ||
116 | const BIGNUM *p, const BIGNUM *g, const BIGNUM *q, | ||
117 | const BIGNUM *secret) | ||
118 | { | ||
119 | JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx); | ||
120 | |||
121 | JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret); | ||
122 | |||
123 | return ctx; | ||
124 | } | ||
125 | |||
126 | void JPAKE_CTX_free(JPAKE_CTX *ctx) | ||
127 | { | ||
128 | JPAKE_CTX_release(ctx); | ||
129 | OPENSSL_free(ctx); | ||
130 | } | ||
131 | |||
132 | static void hashlength(SHA_CTX *sha, size_t l) | ||
133 | { | ||
134 | unsigned char b[2]; | ||
135 | |||
136 | OPENSSL_assert(l <= 0xffff); | ||
137 | b[0] = l >> 8; | ||
138 | b[1] = l&0xff; | ||
139 | SHA1_Update(sha, b, 2); | ||
140 | } | ||
141 | |||
142 | static void hashstring(SHA_CTX *sha, const char *string) | ||
143 | { | ||
144 | size_t l = strlen(string); | ||
145 | |||
146 | hashlength(sha, l); | ||
147 | SHA1_Update(sha, string, l); | ||
148 | } | ||
149 | |||
150 | static void hashbn(SHA_CTX *sha, const BIGNUM *bn) | ||
151 | { | ||
152 | size_t l = BN_num_bytes(bn); | ||
153 | unsigned char *bin = OPENSSL_malloc(l); | ||
154 | |||
155 | hashlength(sha, l); | ||
156 | BN_bn2bin(bn, bin); | ||
157 | SHA1_Update(sha, bin, l); | ||
158 | OPENSSL_free(bin); | ||
159 | } | ||
160 | |||
161 | /* h=hash(g, g^r, g^x, name) */ | ||
162 | static void zkp_hash(BIGNUM *h, const BIGNUM *zkpg, const JPAKE_STEP_PART *p, | ||
163 | const char *proof_name) | ||
164 | { | ||
165 | unsigned char md[SHA_DIGEST_LENGTH]; | ||
166 | SHA_CTX sha; | ||
167 | |||
168 | /* | ||
169 | * XXX: hash should not allow moving of the boundaries - Java code | ||
170 | * is flawed in this respect. Length encoding seems simplest. | ||
171 | */ | ||
172 | SHA1_Init(&sha); | ||
173 | hashbn(&sha, zkpg); | ||
174 | OPENSSL_assert(!BN_is_zero(p->zkpx.gr)); | ||
175 | hashbn(&sha, p->zkpx.gr); | ||
176 | hashbn(&sha, p->gx); | ||
177 | hashstring(&sha, proof_name); | ||
178 | SHA1_Final(md, &sha); | ||
179 | BN_bin2bn(md, SHA_DIGEST_LENGTH, h); | ||
180 | } | ||
181 | |||
182 | /* | ||
183 | * Prove knowledge of x | ||
184 | * Note that p->gx has already been calculated | ||
185 | */ | ||
186 | static void generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x, | ||
187 | const BIGNUM *zkpg, JPAKE_CTX *ctx) | ||
188 | { | ||
189 | BIGNUM *r = BN_new(); | ||
190 | BIGNUM *h = BN_new(); | ||
191 | BIGNUM *t = BN_new(); | ||
192 | |||
193 | /* | ||
194 | * r in [0,q) | ||
195 | * XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform | ||
196 | */ | ||
197 | BN_rand_range(r, ctx->p.q); | ||
198 | /* g^r */ | ||
199 | BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx); | ||
200 | |||
201 | /* h=hash... */ | ||
202 | zkp_hash(h, zkpg, p, ctx->p.name); | ||
203 | |||
204 | /* b = r - x*h */ | ||
205 | BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx); | ||
206 | BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx); | ||
207 | |||
208 | /* cleanup */ | ||
209 | BN_free(t); | ||
210 | BN_free(h); | ||
211 | BN_free(r); | ||
212 | } | ||
213 | |||
214 | static int verify_zkp(const JPAKE_STEP_PART *p, const BIGNUM *zkpg, | ||
215 | JPAKE_CTX *ctx) | ||
216 | { | ||
217 | BIGNUM *h = BN_new(); | ||
218 | BIGNUM *t1 = BN_new(); | ||
219 | BIGNUM *t2 = BN_new(); | ||
220 | BIGNUM *t3 = BN_new(); | ||
221 | int ret = 0; | ||
222 | |||
223 | zkp_hash(h, zkpg, p, ctx->p.peer_name); | ||
224 | |||
225 | /* t1 = g^b */ | ||
226 | BN_mod_exp(t1, zkpg, p->zkpx.b, ctx->p.p, ctx->ctx); | ||
227 | /* t2 = (g^x)^h = g^{hx} */ | ||
228 | BN_mod_exp(t2, p->gx, h, ctx->p.p, ctx->ctx); | ||
229 | /* t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly) */ | ||
230 | BN_mod_mul(t3, t1, t2, ctx->p.p, ctx->ctx); | ||
231 | |||
232 | /* verify t3 == g^r */ | ||
233 | if(BN_cmp(t3, p->zkpx.gr) == 0) | ||
234 | ret = 1; | ||
235 | else | ||
236 | JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED); | ||
237 | |||
238 | /* cleanup */ | ||
239 | BN_free(t3); | ||
240 | BN_free(t2); | ||
241 | BN_free(t1); | ||
242 | BN_free(h); | ||
243 | |||
244 | return ret; | ||
245 | } | ||
246 | |||
247 | static void generate_step_part(JPAKE_STEP_PART *p, const BIGNUM *x, | ||
248 | const BIGNUM *g, JPAKE_CTX *ctx) | ||
249 | { | ||
250 | BN_mod_exp(p->gx, g, x, ctx->p.p, ctx->ctx); | ||
251 | generate_zkp(p, x, g, ctx); | ||
252 | } | ||
253 | |||
254 | /* Generate each party's random numbers. xa is in [0, q), xb is in [1, q). */ | ||
255 | static void genrand(JPAKE_CTX *ctx) | ||
256 | { | ||
257 | BIGNUM *qm1; | ||
258 | |||
259 | /* xa in [0, q) */ | ||
260 | BN_rand_range(ctx->xa, ctx->p.q); | ||
261 | |||
262 | /* q-1 */ | ||
263 | qm1 = BN_new(); | ||
264 | BN_copy(qm1, ctx->p.q); | ||
265 | BN_sub_word(qm1, 1); | ||
266 | |||
267 | /* ... and xb in [0, q-1) */ | ||
268 | BN_rand_range(ctx->xb, qm1); | ||
269 | /* [1, q) */ | ||
270 | BN_add_word(ctx->xb, 1); | ||
271 | |||
272 | /* cleanup */ | ||
273 | BN_free(qm1); | ||
274 | } | ||
275 | |||
276 | int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx) | ||
277 | { | ||
278 | genrand(ctx); | ||
279 | generate_step_part(&send->p1, ctx->xa, ctx->p.g, ctx); | ||
280 | generate_step_part(&send->p2, ctx->xb, ctx->p.g, ctx); | ||
281 | |||
282 | return 1; | ||
283 | } | ||
284 | |||
285 | /* g^x is a legal value */ | ||
286 | static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx) | ||
287 | { | ||
288 | BIGNUM *t; | ||
289 | int res; | ||
290 | |||
291 | if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0) | ||
292 | return 0; | ||
293 | |||
294 | t = BN_new(); | ||
295 | BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx); | ||
296 | res = BN_is_one(t); | ||
297 | BN_free(t); | ||
298 | |||
299 | return res; | ||
300 | } | ||
301 | |||
302 | int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received) | ||
303 | { | ||
304 | if(!is_legal(received->p1.gx, ctx)) | ||
305 | { | ||
306 | JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL); | ||
307 | return 0; | ||
308 | } | ||
309 | |||
310 | if(!is_legal(received->p2.gx, ctx)) | ||
311 | { | ||
312 | JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL); | ||
313 | return 0; | ||
314 | } | ||
315 | |||
316 | /* verify their ZKP(xc) */ | ||
317 | if(!verify_zkp(&received->p1, ctx->p.g, ctx)) | ||
318 | { | ||
319 | JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED); | ||
320 | return 0; | ||
321 | } | ||
322 | |||
323 | /* verify their ZKP(xd) */ | ||
324 | if(!verify_zkp(&received->p2, ctx->p.g, ctx)) | ||
325 | { | ||
326 | JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED); | ||
327 | return 0; | ||
328 | } | ||
329 | |||
330 | /* g^xd != 1 */ | ||
331 | if(BN_is_one(received->p2.gx)) | ||
332 | { | ||
333 | JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE); | ||
334 | return 0; | ||
335 | } | ||
336 | |||
337 | /* Save the bits we need for later */ | ||
338 | BN_copy(ctx->p.gxc, received->p1.gx); | ||
339 | BN_copy(ctx->p.gxd, received->p2.gx); | ||
340 | |||
341 | return 1; | ||
342 | } | ||
343 | |||
344 | |||
345 | int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx) | ||
346 | { | ||
347 | BIGNUM *t1 = BN_new(); | ||
348 | BIGNUM *t2 = BN_new(); | ||
349 | |||
350 | /* | ||
351 | * X = g^{(xa + xc + xd) * xb * s} | ||
352 | * t1 = g^xa | ||
353 | */ | ||
354 | BN_mod_exp(t1, ctx->p.g, ctx->xa, ctx->p.p, ctx->ctx); | ||
355 | /* t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc} */ | ||
356 | BN_mod_mul(t2, t1, ctx->p.gxc, ctx->p.p, ctx->ctx); | ||
357 | /* t1 = t2 * g^{xd} = g^{xa + xc + xd} */ | ||
358 | BN_mod_mul(t1, t2, ctx->p.gxd, ctx->p.p, ctx->ctx); | ||
359 | /* t2 = xb * s */ | ||
360 | BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx); | ||
361 | |||
362 | /* | ||
363 | * ZKP(xb * s) | ||
364 | * XXX: this is kinda funky, because we're using | ||
365 | * | ||
366 | * g' = g^{xa + xc + xd} | ||
367 | * | ||
368 | * as the generator, which means X is g'^{xb * s} | ||
369 | * X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s} | ||
370 | */ | ||
371 | generate_step_part(send, t2, t1, ctx); | ||
372 | |||
373 | /* cleanup */ | ||
374 | BN_free(t1); | ||
375 | BN_free(t2); | ||
376 | |||
377 | return 1; | ||
378 | } | ||
379 | |||
380 | /* gx = g^{xc + xa + xb} * xd * s */ | ||
381 | static int compute_key(JPAKE_CTX *ctx, const BIGNUM *gx) | ||
382 | { | ||
383 | BIGNUM *t1 = BN_new(); | ||
384 | BIGNUM *t2 = BN_new(); | ||
385 | BIGNUM *t3 = BN_new(); | ||
386 | |||
387 | /* | ||
388 | * K = (gx/g^{xb * xd * s})^{xb} | ||
389 | * = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb} | ||
390 | * = (g^{(xa + xc) * xd * s})^{xb} | ||
391 | * = g^{(xa + xc) * xb * xd * s} | ||
392 | * [which is the same regardless of who calculates it] | ||
393 | */ | ||
394 | |||
395 | /* t1 = (g^{xd})^{xb} = g^{xb * xd} */ | ||
396 | BN_mod_exp(t1, ctx->p.gxd, ctx->xb, ctx->p.p, ctx->ctx); | ||
397 | /* t2 = -s = q-s */ | ||
398 | BN_sub(t2, ctx->p.q, ctx->secret); | ||
399 | /* t3 = t1^t2 = g^{-xb * xd * s} */ | ||
400 | BN_mod_exp(t3, t1, t2, ctx->p.p, ctx->ctx); | ||
401 | /* t1 = gx * t3 = X/g^{xb * xd * s} */ | ||
402 | BN_mod_mul(t1, gx, t3, ctx->p.p, ctx->ctx); | ||
403 | /* K = t1^{xb} */ | ||
404 | BN_mod_exp(ctx->key, t1, ctx->xb, ctx->p.p, ctx->ctx); | ||
405 | |||
406 | /* cleanup */ | ||
407 | BN_free(t3); | ||
408 | BN_free(t2); | ||
409 | BN_free(t1); | ||
410 | |||
411 | return 1; | ||
412 | } | ||
413 | |||
414 | int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received) | ||
415 | { | ||
416 | BIGNUM *t1 = BN_new(); | ||
417 | BIGNUM *t2 = BN_new(); | ||
418 | int ret = 0; | ||
419 | |||
420 | /* | ||
421 | * g' = g^{xc + xa + xb} [from our POV] | ||
422 | * t1 = xa + xb | ||
423 | */ | ||
424 | BN_mod_add(t1, ctx->xa, ctx->xb, ctx->p.q, ctx->ctx); | ||
425 | /* t2 = g^{t1} = g^{xa+xb} */ | ||
426 | BN_mod_exp(t2, ctx->p.g, t1, ctx->p.p, ctx->ctx); | ||
427 | /* t1 = g^{xc} * t2 = g^{xc + xa + xb} */ | ||
428 | BN_mod_mul(t1, ctx->p.gxc, t2, ctx->p.p, ctx->ctx); | ||
429 | |||
430 | if(verify_zkp(received, t1, ctx)) | ||
431 | ret = 1; | ||
432 | else | ||
433 | JPAKEerr(JPAKE_F_JPAKE_STEP2_PROCESS, JPAKE_R_VERIFY_B_FAILED); | ||
434 | |||
435 | compute_key(ctx, received->gx); | ||
436 | |||
437 | /* cleanup */ | ||
438 | BN_free(t2); | ||
439 | BN_free(t1); | ||
440 | |||
441 | return ret; | ||
442 | } | ||
443 | |||
444 | static void quickhashbn(unsigned char *md, const BIGNUM *bn) | ||
445 | { | ||
446 | SHA_CTX sha; | ||
447 | |||
448 | SHA1_Init(&sha); | ||
449 | hashbn(&sha, bn); | ||
450 | SHA1_Final(md, &sha); | ||
451 | } | ||
452 | |||
453 | void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a) | ||
454 | {} | ||
455 | |||
456 | int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx) | ||
457 | { | ||
458 | quickhashbn(send->hhk, ctx->key); | ||
459 | SHA1(send->hhk, sizeof send->hhk, send->hhk); | ||
460 | |||
461 | return 1; | ||
462 | } | ||
463 | |||
464 | int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received) | ||
465 | { | ||
466 | unsigned char hhk[SHA_DIGEST_LENGTH]; | ||
467 | |||
468 | quickhashbn(hhk, ctx->key); | ||
469 | SHA1(hhk, sizeof hhk, hhk); | ||
470 | if(memcmp(hhk, received->hhk, sizeof hhk)) | ||
471 | { | ||
472 | JPAKEerr(JPAKE_F_JPAKE_STEP3A_PROCESS, JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH); | ||
473 | return 0; | ||
474 | } | ||
475 | return 1; | ||
476 | } | ||
477 | |||
478 | void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a) | ||
479 | {} | ||
480 | |||
481 | void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b) | ||
482 | {} | ||
483 | |||
484 | int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx) | ||
485 | { | ||
486 | quickhashbn(send->hk, ctx->key); | ||
487 | |||
488 | return 1; | ||
489 | } | ||
490 | |||
491 | int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received) | ||
492 | { | ||
493 | unsigned char hk[SHA_DIGEST_LENGTH]; | ||
494 | |||
495 | quickhashbn(hk, ctx->key); | ||
496 | if(memcmp(hk, received->hk, sizeof hk)) | ||
497 | { | ||
498 | JPAKEerr(JPAKE_F_JPAKE_STEP3B_PROCESS, JPAKE_R_HASH_OF_KEY_MISMATCH); | ||
499 | return 0; | ||
500 | } | ||
501 | return 1; | ||
502 | } | ||
503 | |||
504 | void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b) | ||
505 | {} | ||
506 | |||
507 | const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx) | ||
508 | { | ||
509 | return ctx->key; | ||
510 | } | ||
511 | |||
diff --git a/src/lib/libcrypto/jpake/jpake.h b/src/lib/libcrypto/jpake/jpake.h new file mode 100644 index 0000000000..fd143b4d9b --- /dev/null +++ b/src/lib/libcrypto/jpake/jpake.h | |||
@@ -0,0 +1,131 @@ | |||
1 | /* | ||
2 | * Implement J-PAKE, as described in | ||
3 | * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf | ||
4 | * | ||
5 | * With hints from http://www.cl.cam.ac.uk/~fh240/software/JPAKE2.java. | ||
6 | */ | ||
7 | |||
8 | #ifndef HEADER_JPAKE_H | ||
9 | #define HEADER_JPAKE_H | ||
10 | |||
11 | #include <openssl/opensslconf.h> | ||
12 | |||
13 | #ifdef OPENSSL_NO_JPAKE | ||
14 | #error JPAKE is disabled. | ||
15 | #endif | ||
16 | |||
17 | #ifdef __cplusplus | ||
18 | extern "C" { | ||
19 | #endif | ||
20 | |||
21 | #include <openssl/bn.h> | ||
22 | #include <openssl/sha.h> | ||
23 | |||
24 | typedef struct JPAKE_CTX JPAKE_CTX; | ||
25 | |||
26 | /* Note that "g" in the ZKPs is not necessarily the J-PAKE g. */ | ||
27 | typedef struct | ||
28 | { | ||
29 | BIGNUM *gr; /* g^r (r random) */ | ||
30 | BIGNUM *b; /* b = r - x*h, h=hash(g, g^r, g^x, name) */ | ||
31 | } JPAKE_ZKP; | ||
32 | |||
33 | typedef struct | ||
34 | { | ||
35 | BIGNUM *gx; /* g^x in step 1, g^(xa + xc + xd) * xb * s in step 2 */ | ||
36 | JPAKE_ZKP zkpx; /* ZKP(x) or ZKP(xb * s) */ | ||
37 | } JPAKE_STEP_PART; | ||
38 | |||
39 | typedef struct | ||
40 | { | ||
41 | JPAKE_STEP_PART p1; /* g^x3, ZKP(x3) or g^x1, ZKP(x1) */ | ||
42 | JPAKE_STEP_PART p2; /* g^x4, ZKP(x4) or g^x2, ZKP(x2) */ | ||
43 | } JPAKE_STEP1; | ||
44 | |||
45 | typedef JPAKE_STEP_PART JPAKE_STEP2; | ||
46 | |||
47 | typedef struct | ||
48 | { | ||
49 | unsigned char hhk[SHA_DIGEST_LENGTH]; | ||
50 | } JPAKE_STEP3A; | ||
51 | |||
52 | typedef struct | ||
53 | { | ||
54 | unsigned char hk[SHA_DIGEST_LENGTH]; | ||
55 | } JPAKE_STEP3B; | ||
56 | |||
57 | /* Parameters are copied */ | ||
58 | JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name, | ||
59 | const BIGNUM *p, const BIGNUM *g, const BIGNUM *q, | ||
60 | const BIGNUM *secret); | ||
61 | void JPAKE_CTX_free(JPAKE_CTX *ctx); | ||
62 | |||
63 | /* | ||
64 | * Note that JPAKE_STEP1 can be used multiple times before release | ||
65 | * without another init. | ||
66 | */ | ||
67 | void JPAKE_STEP1_init(JPAKE_STEP1 *s1); | ||
68 | int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx); | ||
69 | int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received); | ||
70 | void JPAKE_STEP1_release(JPAKE_STEP1 *s1); | ||
71 | |||
72 | /* | ||
73 | * Note that JPAKE_STEP2 can be used multiple times before release | ||
74 | * without another init. | ||
75 | */ | ||
76 | void JPAKE_STEP2_init(JPAKE_STEP2 *s2); | ||
77 | int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx); | ||
78 | int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received); | ||
79 | void JPAKE_STEP2_release(JPAKE_STEP2 *s2); | ||
80 | |||
81 | /* | ||
82 | * Optionally verify the shared key. If the shared secrets do not | ||
83 | * match, the two ends will disagree about the shared key, but | ||
84 | * otherwise the protocol will succeed. | ||
85 | */ | ||
86 | void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a); | ||
87 | int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx); | ||
88 | int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received); | ||
89 | void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a); | ||
90 | |||
91 | void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b); | ||
92 | int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx); | ||
93 | int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received); | ||
94 | void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b); | ||
95 | |||
96 | /* | ||
97 | * the return value belongs to the library and will be released when | ||
98 | * ctx is released, and will change when a new handshake is performed. | ||
99 | */ | ||
100 | const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx); | ||
101 | |||
102 | /* BEGIN ERROR CODES */ | ||
103 | /* The following lines are auto generated by the script mkerr.pl. Any changes | ||
104 | * made after this point may be overwritten when the script is next run. | ||
105 | */ | ||
106 | void ERR_load_JPAKE_strings(void); | ||
107 | |||
108 | /* Error codes for the JPAKE functions. */ | ||
109 | |||
110 | /* Function codes. */ | ||
111 | #define JPAKE_F_JPAKE_STEP1_PROCESS 101 | ||
112 | #define JPAKE_F_JPAKE_STEP2_PROCESS 102 | ||
113 | #define JPAKE_F_JPAKE_STEP3A_PROCESS 103 | ||
114 | #define JPAKE_F_JPAKE_STEP3B_PROCESS 104 | ||
115 | #define JPAKE_F_VERIFY_ZKP 100 | ||
116 | |||
117 | /* Reason codes. */ | ||
118 | #define JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL 108 | ||
119 | #define JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL 109 | ||
120 | #define JPAKE_R_G_TO_THE_X4_IS_ONE 105 | ||
121 | #define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH 106 | ||
122 | #define JPAKE_R_HASH_OF_KEY_MISMATCH 107 | ||
123 | #define JPAKE_R_VERIFY_B_FAILED 102 | ||
124 | #define JPAKE_R_VERIFY_X3_FAILED 103 | ||
125 | #define JPAKE_R_VERIFY_X4_FAILED 104 | ||
126 | #define JPAKE_R_ZKP_VERIFY_FAILED 100 | ||
127 | |||
128 | #ifdef __cplusplus | ||
129 | } | ||
130 | #endif | ||
131 | #endif | ||
diff --git a/src/lib/libcrypto/jpake/jpake_err.c b/src/lib/libcrypto/jpake/jpake_err.c new file mode 100644 index 0000000000..a9a9dee75c --- /dev/null +++ b/src/lib/libcrypto/jpake/jpake_err.c | |||
@@ -0,0 +1,107 @@ | |||
1 | /* crypto/jpake/jpake_err.c */ | ||
2 | /* ==================================================================== | ||
3 | * Copyright (c) 1999-2010 The OpenSSL Project. All rights reserved. | ||
4 | * | ||
5 | * Redistribution and use in source and binary forms, with or without | ||
6 | * modification, are permitted provided that the following conditions | ||
7 | * are met: | ||
8 | * | ||
9 | * 1. Redistributions of source code must retain the above copyright | ||
10 | * notice, this list of conditions and the following disclaimer. | ||
11 | * | ||
12 | * 2. Redistributions in binary form must reproduce the above copyright | ||
13 | * notice, this list of conditions and the following disclaimer in | ||
14 | * the documentation and/or other materials provided with the | ||
15 | * distribution. | ||
16 | * | ||
17 | * 3. All advertising materials mentioning features or use of this | ||
18 | * software must display the following acknowledgment: | ||
19 | * "This product includes software developed by the OpenSSL Project | ||
20 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | ||
21 | * | ||
22 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | ||
23 | * endorse or promote products derived from this software without | ||
24 | * prior written permission. For written permission, please contact | ||
25 | * openssl-core@OpenSSL.org. | ||
26 | * | ||
27 | * 5. Products derived from this software may not be called "OpenSSL" | ||
28 | * nor may "OpenSSL" appear in their names without prior written | ||
29 | * permission of the OpenSSL Project. | ||
30 | * | ||
31 | * 6. Redistributions of any form whatsoever must retain the following | ||
32 | * acknowledgment: | ||
33 | * "This product includes software developed by the OpenSSL Project | ||
34 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | ||
35 | * | ||
36 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | ||
37 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
38 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | ||
39 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | ||
40 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
41 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
42 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
43 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
44 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | ||
45 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
46 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | ||
47 | * OF THE POSSIBILITY OF SUCH DAMAGE. | ||
48 | * ==================================================================== | ||
49 | * | ||
50 | * This product includes cryptographic software written by Eric Young | ||
51 | * (eay@cryptsoft.com). This product includes software written by Tim | ||
52 | * Hudson (tjh@cryptsoft.com). | ||
53 | * | ||
54 | */ | ||
55 | |||
56 | /* NOTE: this file was auto generated by the mkerr.pl script: any changes | ||
57 | * made to it will be overwritten when the script next updates this file, | ||
58 | * only reason strings will be preserved. | ||
59 | */ | ||
60 | |||
61 | #include <stdio.h> | ||
62 | #include <openssl/err.h> | ||
63 | #include <openssl/jpake.h> | ||
64 | |||
65 | /* BEGIN ERROR CODES */ | ||
66 | #ifndef OPENSSL_NO_ERR | ||
67 | |||
68 | #define ERR_FUNC(func) ERR_PACK(ERR_LIB_JPAKE,func,0) | ||
69 | #define ERR_REASON(reason) ERR_PACK(ERR_LIB_JPAKE,0,reason) | ||
70 | |||
71 | static ERR_STRING_DATA JPAKE_str_functs[]= | ||
72 | { | ||
73 | {ERR_FUNC(JPAKE_F_JPAKE_STEP1_PROCESS), "JPAKE_STEP1_process"}, | ||
74 | {ERR_FUNC(JPAKE_F_JPAKE_STEP2_PROCESS), "JPAKE_STEP2_process"}, | ||
75 | {ERR_FUNC(JPAKE_F_JPAKE_STEP3A_PROCESS), "JPAKE_STEP3A_process"}, | ||
76 | {ERR_FUNC(JPAKE_F_JPAKE_STEP3B_PROCESS), "JPAKE_STEP3B_process"}, | ||
77 | {ERR_FUNC(JPAKE_F_VERIFY_ZKP), "VERIFY_ZKP"}, | ||
78 | {0,NULL} | ||
79 | }; | ||
80 | |||
81 | static ERR_STRING_DATA JPAKE_str_reasons[]= | ||
82 | { | ||
83 | {ERR_REASON(JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL),"g to the x3 is not legal"}, | ||
84 | {ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL),"g to the x4 is not legal"}, | ||
85 | {ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_ONE) ,"g to the x4 is one"}, | ||
86 | {ERR_REASON(JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH),"hash of hash of key mismatch"}, | ||
87 | {ERR_REASON(JPAKE_R_HASH_OF_KEY_MISMATCH),"hash of key mismatch"}, | ||
88 | {ERR_REASON(JPAKE_R_VERIFY_B_FAILED) ,"verify b failed"}, | ||
89 | {ERR_REASON(JPAKE_R_VERIFY_X3_FAILED) ,"verify x3 failed"}, | ||
90 | {ERR_REASON(JPAKE_R_VERIFY_X4_FAILED) ,"verify x4 failed"}, | ||
91 | {ERR_REASON(JPAKE_R_ZKP_VERIFY_FAILED) ,"zkp verify failed"}, | ||
92 | {0,NULL} | ||
93 | }; | ||
94 | |||
95 | #endif | ||
96 | |||
97 | void ERR_load_JPAKE_strings(void) | ||
98 | { | ||
99 | #ifndef OPENSSL_NO_ERR | ||
100 | |||
101 | if (ERR_func_error_string(JPAKE_str_functs[0].error) == NULL) | ||
102 | { | ||
103 | ERR_load_strings(0,JPAKE_str_functs); | ||
104 | ERR_load_strings(0,JPAKE_str_reasons); | ||
105 | } | ||
106 | #endif | ||
107 | } | ||
diff --git a/src/lib/libcrypto/jpake/jpaketest.c b/src/lib/libcrypto/jpake/jpaketest.c new file mode 100644 index 0000000000..eaba75ed8a --- /dev/null +++ b/src/lib/libcrypto/jpake/jpaketest.c | |||
@@ -0,0 +1,192 @@ | |||
1 | #include <openssl/opensslconf.h> | ||
2 | |||
3 | #ifdef OPENSSL_NO_JPAKE | ||
4 | |||
5 | #include <stdio.h> | ||
6 | |||
7 | int main(int argc, char *argv[]) | ||
8 | { | ||
9 | printf("No J-PAKE support\n"); | ||
10 | return(0); | ||
11 | } | ||
12 | |||
13 | #else | ||
14 | |||
15 | #include <openssl/jpake.h> | ||
16 | #include <openssl/err.h> | ||
17 | |||
18 | static void showbn(const char *name, const BIGNUM *bn) | ||
19 | { | ||
20 | fputs(name, stdout); | ||
21 | fputs(" = ", stdout); | ||
22 | BN_print_fp(stdout, bn); | ||
23 | putc('\n', stdout); | ||
24 | } | ||
25 | |||
26 | static int run_jpake(JPAKE_CTX *alice, JPAKE_CTX *bob) | ||
27 | { | ||
28 | JPAKE_STEP1 alice_s1; | ||
29 | JPAKE_STEP1 bob_s1; | ||
30 | JPAKE_STEP2 alice_s2; | ||
31 | JPAKE_STEP2 bob_s2; | ||
32 | JPAKE_STEP3A alice_s3a; | ||
33 | JPAKE_STEP3B bob_s3b; | ||
34 | |||
35 | /* Alice -> Bob: step 1 */ | ||
36 | puts("A->B s1"); | ||
37 | JPAKE_STEP1_init(&alice_s1); | ||
38 | JPAKE_STEP1_generate(&alice_s1, alice); | ||
39 | if(!JPAKE_STEP1_process(bob, &alice_s1)) | ||
40 | { | ||
41 | printf("Bob fails to process Alice's step 1\n"); | ||
42 | ERR_print_errors_fp(stdout); | ||
43 | return 1; | ||
44 | } | ||
45 | JPAKE_STEP1_release(&alice_s1); | ||
46 | |||
47 | /* Bob -> Alice: step 1 */ | ||
48 | puts("B->A s1"); | ||
49 | JPAKE_STEP1_init(&bob_s1); | ||
50 | JPAKE_STEP1_generate(&bob_s1, bob); | ||
51 | if(!JPAKE_STEP1_process(alice, &bob_s1)) | ||
52 | { | ||
53 | printf("Alice fails to process Bob's step 1\n"); | ||
54 | ERR_print_errors_fp(stdout); | ||
55 | return 2; | ||
56 | } | ||
57 | JPAKE_STEP1_release(&bob_s1); | ||
58 | |||
59 | /* Alice -> Bob: step 2 */ | ||
60 | puts("A->B s2"); | ||
61 | JPAKE_STEP2_init(&alice_s2); | ||
62 | JPAKE_STEP2_generate(&alice_s2, alice); | ||
63 | if(!JPAKE_STEP2_process(bob, &alice_s2)) | ||
64 | { | ||
65 | printf("Bob fails to process Alice's step 2\n"); | ||
66 | ERR_print_errors_fp(stdout); | ||
67 | return 3; | ||
68 | } | ||
69 | JPAKE_STEP2_release(&alice_s2); | ||
70 | |||
71 | /* Bob -> Alice: step 2 */ | ||
72 | puts("B->A s2"); | ||
73 | JPAKE_STEP2_init(&bob_s2); | ||
74 | JPAKE_STEP2_generate(&bob_s2, bob); | ||
75 | if(!JPAKE_STEP2_process(alice, &bob_s2)) | ||
76 | { | ||
77 | printf("Alice fails to process Bob's step 2\n"); | ||
78 | ERR_print_errors_fp(stdout); | ||
79 | return 4; | ||
80 | } | ||
81 | JPAKE_STEP2_release(&bob_s2); | ||
82 | |||
83 | showbn("Alice's key", JPAKE_get_shared_key(alice)); | ||
84 | showbn("Bob's key ", JPAKE_get_shared_key(bob)); | ||
85 | |||
86 | /* Alice -> Bob: step 3a */ | ||
87 | puts("A->B s3a"); | ||
88 | JPAKE_STEP3A_init(&alice_s3a); | ||
89 | JPAKE_STEP3A_generate(&alice_s3a, alice); | ||
90 | if(!JPAKE_STEP3A_process(bob, &alice_s3a)) | ||
91 | { | ||
92 | printf("Bob fails to process Alice's step 3a\n"); | ||
93 | ERR_print_errors_fp(stdout); | ||
94 | return 5; | ||
95 | } | ||
96 | JPAKE_STEP3A_release(&alice_s3a); | ||
97 | |||
98 | /* Bob -> Alice: step 3b */ | ||
99 | puts("B->A s3b"); | ||
100 | JPAKE_STEP3B_init(&bob_s3b); | ||
101 | JPAKE_STEP3B_generate(&bob_s3b, bob); | ||
102 | if(!JPAKE_STEP3B_process(alice, &bob_s3b)) | ||
103 | { | ||
104 | printf("Alice fails to process Bob's step 3b\n"); | ||
105 | ERR_print_errors_fp(stdout); | ||
106 | return 6; | ||
107 | } | ||
108 | JPAKE_STEP3B_release(&bob_s3b); | ||
109 | |||
110 | return 0; | ||
111 | } | ||
112 | |||
113 | int main(int argc, char **argv) | ||
114 | { | ||
115 | JPAKE_CTX *alice; | ||
116 | JPAKE_CTX *bob; | ||
117 | BIGNUM *p = NULL; | ||
118 | BIGNUM *g = NULL; | ||
119 | BIGNUM *q = NULL; | ||
120 | BIGNUM *secret = BN_new(); | ||
121 | BIO *bio_err; | ||
122 | |||
123 | bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); | ||
124 | |||
125 | CRYPTO_malloc_debug_init(); | ||
126 | CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); | ||
127 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); | ||
128 | |||
129 | ERR_load_crypto_strings(); | ||
130 | |||
131 | /* | ||
132 | BN_hex2bn(&p, "fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7"); | ||
133 | BN_hex2bn(&g, "f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a"); | ||
134 | BN_hex2bn(&q, "9760508f15230bccb292b982a2eb840bf0581cf5"); | ||
135 | */ | ||
136 | /* | ||
137 | p = BN_new(); | ||
138 | BN_generate_prime(p, 1024, 1, NULL, NULL, NULL, NULL); | ||
139 | */ | ||
140 | /* Use a safe prime for p (that we found earlier) */ | ||
141 | BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F"); | ||
142 | showbn("p", p); | ||
143 | g = BN_new(); | ||
144 | BN_set_word(g, 2); | ||
145 | showbn("g", g); | ||
146 | q = BN_new(); | ||
147 | BN_rshift1(q, p); | ||
148 | showbn("q", q); | ||
149 | |||
150 | BN_rand(secret, 32, -1, 0); | ||
151 | |||
152 | /* A normal run, expect this to work... */ | ||
153 | alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret); | ||
154 | bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret); | ||
155 | |||
156 | if(run_jpake(alice, bob) != 0) | ||
157 | { | ||
158 | fprintf(stderr, "Plain JPAKE run failed\n"); | ||
159 | return 1; | ||
160 | } | ||
161 | |||
162 | JPAKE_CTX_free(bob); | ||
163 | JPAKE_CTX_free(alice); | ||
164 | |||
165 | /* Now give Alice and Bob different secrets */ | ||
166 | alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret); | ||
167 | BN_add_word(secret, 1); | ||
168 | bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret); | ||
169 | |||
170 | if(run_jpake(alice, bob) != 5) | ||
171 | { | ||
172 | fprintf(stderr, "Mismatched secret JPAKE run failed\n"); | ||
173 | return 1; | ||
174 | } | ||
175 | |||
176 | JPAKE_CTX_free(bob); | ||
177 | JPAKE_CTX_free(alice); | ||
178 | |||
179 | BN_free(secret); | ||
180 | BN_free(q); | ||
181 | BN_free(g); | ||
182 | BN_free(p); | ||
183 | |||
184 | CRYPTO_cleanup_all_ex_data(); | ||
185 | ERR_remove_thread_state(NULL); | ||
186 | ERR_free_strings(); | ||
187 | CRYPTO_mem_leaks(bio_err); | ||
188 | |||
189 | return 0; | ||
190 | } | ||
191 | |||
192 | #endif | ||