summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/jpake
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/jpake')
-rw-r--r--src/lib/libcrypto/jpake/Makefile64
-rw-r--r--src/lib/libcrypto/jpake/jpake.c511
-rw-r--r--src/lib/libcrypto/jpake/jpake.h131
-rw-r--r--src/lib/libcrypto/jpake/jpake_err.c107
-rw-r--r--src/lib/libcrypto/jpake/jpaketest.c192
5 files changed, 1005 insertions, 0 deletions
diff --git a/src/lib/libcrypto/jpake/Makefile b/src/lib/libcrypto/jpake/Makefile
new file mode 100644
index 0000000000..110c49ce0b
--- /dev/null
+++ b/src/lib/libcrypto/jpake/Makefile
@@ -0,0 +1,64 @@
1DIR=jpake
2TOP=../..
3
4CFLAGS= $(INCLUDES) $(CFLAG)
5
6LIB=$(TOP)/libcrypto.a
7LIBOBJ=jpake.o jpake_err.o
8LIBSRC=jpake.c jpake_err.c
9
10EXHEADER=jpake.h
11TEST=jpaketest.c
12
13top:
14 (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
15
16all: lib
17
18lib: $(LIBOBJ)
19 $(AR) $(LIB) $(LIBOBJ)
20 $(RANLIB) $(LIB) || echo Never mind.
21 @touch lib
22
23links:
24 @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
25 @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
26
27install:
28 @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
29 @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
30 do \
31 (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
32 chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
33 done;
34
35depend:
36 @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
37 $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
38
39dclean:
40 $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
41 mv -f Makefile.new $(MAKEFILE)
42
43clean:
44 rm -f *.s *.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
45
46jpaketest: top jpaketest.c $(LIB)
47 $(CC) $(CFLAGS) -Wall -Werror -g -o jpaketest jpaketest.c $(LIB)
48# DO NOT DELETE THIS LINE -- make depend depends on it.
49
50jpake.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
51jpake.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
52jpake.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
53jpake.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
54jpake.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
55jpake.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
56jpake.o: ../../include/openssl/symhacks.h jpake.c jpake.h
57jpake_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
58jpake_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
59jpake_err.o: ../../include/openssl/err.h ../../include/openssl/jpake.h
60jpake_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
61jpake_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
62jpake_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
63jpake_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
64jpake_err.o: jpake_err.c
diff --git a/src/lib/libcrypto/jpake/jpake.c b/src/lib/libcrypto/jpake/jpake.c
new file mode 100644
index 0000000000..8e4b633ccc
--- /dev/null
+++ b/src/lib/libcrypto/jpake/jpake.c
@@ -0,0 +1,511 @@
1#include "jpake.h"
2
3#include <openssl/crypto.h>
4#include <openssl/sha.h>
5#include <openssl/err.h>
6#include <memory.h>
7
8/*
9 * In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or
10 * Bob's (x3, x4, x1, x2). If you see what I mean.
11 */
12
13typedef struct
14 {
15 char *name; /* Must be unique */
16 char *peer_name;
17 BIGNUM *p;
18 BIGNUM *g;
19 BIGNUM *q;
20 BIGNUM *gxc; /* Alice's g^{x3} or Bob's g^{x1} */
21 BIGNUM *gxd; /* Alice's g^{x4} or Bob's g^{x2} */
22 } JPAKE_CTX_PUBLIC;
23
24struct JPAKE_CTX
25 {
26 JPAKE_CTX_PUBLIC p;
27 BIGNUM *secret; /* The shared secret */
28 BN_CTX *ctx;
29 BIGNUM *xa; /* Alice's x1 or Bob's x3 */
30 BIGNUM *xb; /* Alice's x2 or Bob's x4 */
31 BIGNUM *key; /* The calculated (shared) key */
32 };
33
34static void JPAKE_ZKP_init(JPAKE_ZKP *zkp)
35 {
36 zkp->gr = BN_new();
37 zkp->b = BN_new();
38 }
39
40static void JPAKE_ZKP_release(JPAKE_ZKP *zkp)
41 {
42 BN_free(zkp->b);
43 BN_free(zkp->gr);
44 }
45
46/* Two birds with one stone - make the global name as expected */
47#define JPAKE_STEP_PART_init JPAKE_STEP2_init
48#define JPAKE_STEP_PART_release JPAKE_STEP2_release
49
50void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p)
51 {
52 p->gx = BN_new();
53 JPAKE_ZKP_init(&p->zkpx);
54 }
55
56void JPAKE_STEP_PART_release(JPAKE_STEP_PART *p)
57 {
58 JPAKE_ZKP_release(&p->zkpx);
59 BN_free(p->gx);
60 }
61
62void JPAKE_STEP1_init(JPAKE_STEP1 *s1)
63 {
64 JPAKE_STEP_PART_init(&s1->p1);
65 JPAKE_STEP_PART_init(&s1->p2);
66 }
67
68void JPAKE_STEP1_release(JPAKE_STEP1 *s1)
69 {
70 JPAKE_STEP_PART_release(&s1->p2);
71 JPAKE_STEP_PART_release(&s1->p1);
72 }
73
74static void JPAKE_CTX_init(JPAKE_CTX *ctx, const char *name,
75 const char *peer_name, const BIGNUM *p,
76 const BIGNUM *g, const BIGNUM *q,
77 const BIGNUM *secret)
78 {
79 ctx->p.name = OPENSSL_strdup(name);
80 ctx->p.peer_name = OPENSSL_strdup(peer_name);
81 ctx->p.p = BN_dup(p);
82 ctx->p.g = BN_dup(g);
83 ctx->p.q = BN_dup(q);
84 ctx->secret = BN_dup(secret);
85
86 ctx->p.gxc = BN_new();
87 ctx->p.gxd = BN_new();
88
89 ctx->xa = BN_new();
90 ctx->xb = BN_new();
91 ctx->key = BN_new();
92 ctx->ctx = BN_CTX_new();
93 }
94
95static void JPAKE_CTX_release(JPAKE_CTX *ctx)
96 {
97 BN_CTX_free(ctx->ctx);
98 BN_clear_free(ctx->key);
99 BN_clear_free(ctx->xb);
100 BN_clear_free(ctx->xa);
101
102 BN_free(ctx->p.gxd);
103 BN_free(ctx->p.gxc);
104
105 BN_clear_free(ctx->secret);
106 BN_free(ctx->p.q);
107 BN_free(ctx->p.g);
108 BN_free(ctx->p.p);
109 OPENSSL_free(ctx->p.peer_name);
110 OPENSSL_free(ctx->p.name);
111
112 memset(ctx, '\0', sizeof *ctx);
113 }
114
115JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
116 const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
117 const BIGNUM *secret)
118 {
119 JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
120
121 JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret);
122
123 return ctx;
124 }
125
126void JPAKE_CTX_free(JPAKE_CTX *ctx)
127 {
128 JPAKE_CTX_release(ctx);
129 OPENSSL_free(ctx);
130 }
131
132static void hashlength(SHA_CTX *sha, size_t l)
133 {
134 unsigned char b[2];
135
136 OPENSSL_assert(l <= 0xffff);
137 b[0] = l >> 8;
138 b[1] = l&0xff;
139 SHA1_Update(sha, b, 2);
140 }
141
142static void hashstring(SHA_CTX *sha, const char *string)
143 {
144 size_t l = strlen(string);
145
146 hashlength(sha, l);
147 SHA1_Update(sha, string, l);
148 }
149
150static void hashbn(SHA_CTX *sha, const BIGNUM *bn)
151 {
152 size_t l = BN_num_bytes(bn);
153 unsigned char *bin = OPENSSL_malloc(l);
154
155 hashlength(sha, l);
156 BN_bn2bin(bn, bin);
157 SHA1_Update(sha, bin, l);
158 OPENSSL_free(bin);
159 }
160
161/* h=hash(g, g^r, g^x, name) */
162static void zkp_hash(BIGNUM *h, const BIGNUM *zkpg, const JPAKE_STEP_PART *p,
163 const char *proof_name)
164 {
165 unsigned char md[SHA_DIGEST_LENGTH];
166 SHA_CTX sha;
167
168 /*
169 * XXX: hash should not allow moving of the boundaries - Java code
170 * is flawed in this respect. Length encoding seems simplest.
171 */
172 SHA1_Init(&sha);
173 hashbn(&sha, zkpg);
174 OPENSSL_assert(!BN_is_zero(p->zkpx.gr));
175 hashbn(&sha, p->zkpx.gr);
176 hashbn(&sha, p->gx);
177 hashstring(&sha, proof_name);
178 SHA1_Final(md, &sha);
179 BN_bin2bn(md, SHA_DIGEST_LENGTH, h);
180 }
181
182/*
183 * Prove knowledge of x
184 * Note that p->gx has already been calculated
185 */
186static void generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x,
187 const BIGNUM *zkpg, JPAKE_CTX *ctx)
188 {
189 BIGNUM *r = BN_new();
190 BIGNUM *h = BN_new();
191 BIGNUM *t = BN_new();
192
193 /*
194 * r in [0,q)
195 * XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
196 */
197 BN_rand_range(r, ctx->p.q);
198 /* g^r */
199 BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx);
200
201 /* h=hash... */
202 zkp_hash(h, zkpg, p, ctx->p.name);
203
204 /* b = r - x*h */
205 BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx);
206 BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx);
207
208 /* cleanup */
209 BN_free(t);
210 BN_free(h);
211 BN_free(r);
212 }
213
214static int verify_zkp(const JPAKE_STEP_PART *p, const BIGNUM *zkpg,
215 JPAKE_CTX *ctx)
216 {
217 BIGNUM *h = BN_new();
218 BIGNUM *t1 = BN_new();
219 BIGNUM *t2 = BN_new();
220 BIGNUM *t3 = BN_new();
221 int ret = 0;
222
223 zkp_hash(h, zkpg, p, ctx->p.peer_name);
224
225 /* t1 = g^b */
226 BN_mod_exp(t1, zkpg, p->zkpx.b, ctx->p.p, ctx->ctx);
227 /* t2 = (g^x)^h = g^{hx} */
228 BN_mod_exp(t2, p->gx, h, ctx->p.p, ctx->ctx);
229 /* t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly) */
230 BN_mod_mul(t3, t1, t2, ctx->p.p, ctx->ctx);
231
232 /* verify t3 == g^r */
233 if(BN_cmp(t3, p->zkpx.gr) == 0)
234 ret = 1;
235 else
236 JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED);
237
238 /* cleanup */
239 BN_free(t3);
240 BN_free(t2);
241 BN_free(t1);
242 BN_free(h);
243
244 return ret;
245 }
246
247static void generate_step_part(JPAKE_STEP_PART *p, const BIGNUM *x,
248 const BIGNUM *g, JPAKE_CTX *ctx)
249 {
250 BN_mod_exp(p->gx, g, x, ctx->p.p, ctx->ctx);
251 generate_zkp(p, x, g, ctx);
252 }
253
254/* Generate each party's random numbers. xa is in [0, q), xb is in [1, q). */
255static void genrand(JPAKE_CTX *ctx)
256 {
257 BIGNUM *qm1;
258
259 /* xa in [0, q) */
260 BN_rand_range(ctx->xa, ctx->p.q);
261
262 /* q-1 */
263 qm1 = BN_new();
264 BN_copy(qm1, ctx->p.q);
265 BN_sub_word(qm1, 1);
266
267 /* ... and xb in [0, q-1) */
268 BN_rand_range(ctx->xb, qm1);
269 /* [1, q) */
270 BN_add_word(ctx->xb, 1);
271
272 /* cleanup */
273 BN_free(qm1);
274 }
275
276int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx)
277 {
278 genrand(ctx);
279 generate_step_part(&send->p1, ctx->xa, ctx->p.g, ctx);
280 generate_step_part(&send->p2, ctx->xb, ctx->p.g, ctx);
281
282 return 1;
283 }
284
285/* g^x is a legal value */
286static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx)
287 {
288 BIGNUM *t;
289 int res;
290
291 if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0)
292 return 0;
293
294 t = BN_new();
295 BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx);
296 res = BN_is_one(t);
297 BN_free(t);
298
299 return res;
300 }
301
302int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received)
303 {
304 if(!is_legal(received->p1.gx, ctx))
305 {
306 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL);
307 return 0;
308 }
309
310 if(!is_legal(received->p2.gx, ctx))
311 {
312 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL);
313 return 0;
314 }
315
316 /* verify their ZKP(xc) */
317 if(!verify_zkp(&received->p1, ctx->p.g, ctx))
318 {
319 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED);
320 return 0;
321 }
322
323 /* verify their ZKP(xd) */
324 if(!verify_zkp(&received->p2, ctx->p.g, ctx))
325 {
326 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED);
327 return 0;
328 }
329
330 /* g^xd != 1 */
331 if(BN_is_one(received->p2.gx))
332 {
333 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE);
334 return 0;
335 }
336
337 /* Save the bits we need for later */
338 BN_copy(ctx->p.gxc, received->p1.gx);
339 BN_copy(ctx->p.gxd, received->p2.gx);
340
341 return 1;
342 }
343
344
345int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx)
346 {
347 BIGNUM *t1 = BN_new();
348 BIGNUM *t2 = BN_new();
349
350 /*
351 * X = g^{(xa + xc + xd) * xb * s}
352 * t1 = g^xa
353 */
354 BN_mod_exp(t1, ctx->p.g, ctx->xa, ctx->p.p, ctx->ctx);
355 /* t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc} */
356 BN_mod_mul(t2, t1, ctx->p.gxc, ctx->p.p, ctx->ctx);
357 /* t1 = t2 * g^{xd} = g^{xa + xc + xd} */
358 BN_mod_mul(t1, t2, ctx->p.gxd, ctx->p.p, ctx->ctx);
359 /* t2 = xb * s */
360 BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx);
361
362 /*
363 * ZKP(xb * s)
364 * XXX: this is kinda funky, because we're using
365 *
366 * g' = g^{xa + xc + xd}
367 *
368 * as the generator, which means X is g'^{xb * s}
369 * X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s}
370 */
371 generate_step_part(send, t2, t1, ctx);
372
373 /* cleanup */
374 BN_free(t1);
375 BN_free(t2);
376
377 return 1;
378 }
379
380/* gx = g^{xc + xa + xb} * xd * s */
381static int compute_key(JPAKE_CTX *ctx, const BIGNUM *gx)
382 {
383 BIGNUM *t1 = BN_new();
384 BIGNUM *t2 = BN_new();
385 BIGNUM *t3 = BN_new();
386
387 /*
388 * K = (gx/g^{xb * xd * s})^{xb}
389 * = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb}
390 * = (g^{(xa + xc) * xd * s})^{xb}
391 * = g^{(xa + xc) * xb * xd * s}
392 * [which is the same regardless of who calculates it]
393 */
394
395 /* t1 = (g^{xd})^{xb} = g^{xb * xd} */
396 BN_mod_exp(t1, ctx->p.gxd, ctx->xb, ctx->p.p, ctx->ctx);
397 /* t2 = -s = q-s */
398 BN_sub(t2, ctx->p.q, ctx->secret);
399 /* t3 = t1^t2 = g^{-xb * xd * s} */
400 BN_mod_exp(t3, t1, t2, ctx->p.p, ctx->ctx);
401 /* t1 = gx * t3 = X/g^{xb * xd * s} */
402 BN_mod_mul(t1, gx, t3, ctx->p.p, ctx->ctx);
403 /* K = t1^{xb} */
404 BN_mod_exp(ctx->key, t1, ctx->xb, ctx->p.p, ctx->ctx);
405
406 /* cleanup */
407 BN_free(t3);
408 BN_free(t2);
409 BN_free(t1);
410
411 return 1;
412 }
413
414int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received)
415 {
416 BIGNUM *t1 = BN_new();
417 BIGNUM *t2 = BN_new();
418 int ret = 0;
419
420 /*
421 * g' = g^{xc + xa + xb} [from our POV]
422 * t1 = xa + xb
423 */
424 BN_mod_add(t1, ctx->xa, ctx->xb, ctx->p.q, ctx->ctx);
425 /* t2 = g^{t1} = g^{xa+xb} */
426 BN_mod_exp(t2, ctx->p.g, t1, ctx->p.p, ctx->ctx);
427 /* t1 = g^{xc} * t2 = g^{xc + xa + xb} */
428 BN_mod_mul(t1, ctx->p.gxc, t2, ctx->p.p, ctx->ctx);
429
430 if(verify_zkp(received, t1, ctx))
431 ret = 1;
432 else
433 JPAKEerr(JPAKE_F_JPAKE_STEP2_PROCESS, JPAKE_R_VERIFY_B_FAILED);
434
435 compute_key(ctx, received->gx);
436
437 /* cleanup */
438 BN_free(t2);
439 BN_free(t1);
440
441 return ret;
442 }
443
444static void quickhashbn(unsigned char *md, const BIGNUM *bn)
445 {
446 SHA_CTX sha;
447
448 SHA1_Init(&sha);
449 hashbn(&sha, bn);
450 SHA1_Final(md, &sha);
451 }
452
453void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a)
454 {}
455
456int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx)
457 {
458 quickhashbn(send->hhk, ctx->key);
459 SHA1(send->hhk, sizeof send->hhk, send->hhk);
460
461 return 1;
462 }
463
464int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received)
465 {
466 unsigned char hhk[SHA_DIGEST_LENGTH];
467
468 quickhashbn(hhk, ctx->key);
469 SHA1(hhk, sizeof hhk, hhk);
470 if(memcmp(hhk, received->hhk, sizeof hhk))
471 {
472 JPAKEerr(JPAKE_F_JPAKE_STEP3A_PROCESS, JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH);
473 return 0;
474 }
475 return 1;
476 }
477
478void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a)
479 {}
480
481void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b)
482 {}
483
484int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx)
485 {
486 quickhashbn(send->hk, ctx->key);
487
488 return 1;
489 }
490
491int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received)
492 {
493 unsigned char hk[SHA_DIGEST_LENGTH];
494
495 quickhashbn(hk, ctx->key);
496 if(memcmp(hk, received->hk, sizeof hk))
497 {
498 JPAKEerr(JPAKE_F_JPAKE_STEP3B_PROCESS, JPAKE_R_HASH_OF_KEY_MISMATCH);
499 return 0;
500 }
501 return 1;
502 }
503
504void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b)
505 {}
506
507const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx)
508 {
509 return ctx->key;
510 }
511
diff --git a/src/lib/libcrypto/jpake/jpake.h b/src/lib/libcrypto/jpake/jpake.h
new file mode 100644
index 0000000000..fd143b4d9b
--- /dev/null
+++ b/src/lib/libcrypto/jpake/jpake.h
@@ -0,0 +1,131 @@
1/*
2 * Implement J-PAKE, as described in
3 * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
4 *
5 * With hints from http://www.cl.cam.ac.uk/~fh240/software/JPAKE2.java.
6 */
7
8#ifndef HEADER_JPAKE_H
9#define HEADER_JPAKE_H
10
11#include <openssl/opensslconf.h>
12
13#ifdef OPENSSL_NO_JPAKE
14#error JPAKE is disabled.
15#endif
16
17#ifdef __cplusplus
18extern "C" {
19#endif
20
21#include <openssl/bn.h>
22#include <openssl/sha.h>
23
24typedef struct JPAKE_CTX JPAKE_CTX;
25
26/* Note that "g" in the ZKPs is not necessarily the J-PAKE g. */
27typedef struct
28 {
29 BIGNUM *gr; /* g^r (r random) */
30 BIGNUM *b; /* b = r - x*h, h=hash(g, g^r, g^x, name) */
31 } JPAKE_ZKP;
32
33typedef struct
34 {
35 BIGNUM *gx; /* g^x in step 1, g^(xa + xc + xd) * xb * s in step 2 */
36 JPAKE_ZKP zkpx; /* ZKP(x) or ZKP(xb * s) */
37 } JPAKE_STEP_PART;
38
39typedef struct
40 {
41 JPAKE_STEP_PART p1; /* g^x3, ZKP(x3) or g^x1, ZKP(x1) */
42 JPAKE_STEP_PART p2; /* g^x4, ZKP(x4) or g^x2, ZKP(x2) */
43 } JPAKE_STEP1;
44
45typedef JPAKE_STEP_PART JPAKE_STEP2;
46
47typedef struct
48 {
49 unsigned char hhk[SHA_DIGEST_LENGTH];
50 } JPAKE_STEP3A;
51
52typedef struct
53 {
54 unsigned char hk[SHA_DIGEST_LENGTH];
55 } JPAKE_STEP3B;
56
57/* Parameters are copied */
58JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
59 const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
60 const BIGNUM *secret);
61void JPAKE_CTX_free(JPAKE_CTX *ctx);
62
63/*
64 * Note that JPAKE_STEP1 can be used multiple times before release
65 * without another init.
66 */
67void JPAKE_STEP1_init(JPAKE_STEP1 *s1);
68int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx);
69int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received);
70void JPAKE_STEP1_release(JPAKE_STEP1 *s1);
71
72/*
73 * Note that JPAKE_STEP2 can be used multiple times before release
74 * without another init.
75 */
76void JPAKE_STEP2_init(JPAKE_STEP2 *s2);
77int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx);
78int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received);
79void JPAKE_STEP2_release(JPAKE_STEP2 *s2);
80
81/*
82 * Optionally verify the shared key. If the shared secrets do not
83 * match, the two ends will disagree about the shared key, but
84 * otherwise the protocol will succeed.
85 */
86void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a);
87int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx);
88int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received);
89void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a);
90
91void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b);
92int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx);
93int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received);
94void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b);
95
96/*
97 * the return value belongs to the library and will be released when
98 * ctx is released, and will change when a new handshake is performed.
99 */
100const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx);
101
102/* BEGIN ERROR CODES */
103/* The following lines are auto generated by the script mkerr.pl. Any changes
104 * made after this point may be overwritten when the script is next run.
105 */
106void ERR_load_JPAKE_strings(void);
107
108/* Error codes for the JPAKE functions. */
109
110/* Function codes. */
111#define JPAKE_F_JPAKE_STEP1_PROCESS 101
112#define JPAKE_F_JPAKE_STEP2_PROCESS 102
113#define JPAKE_F_JPAKE_STEP3A_PROCESS 103
114#define JPAKE_F_JPAKE_STEP3B_PROCESS 104
115#define JPAKE_F_VERIFY_ZKP 100
116
117/* Reason codes. */
118#define JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL 108
119#define JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL 109
120#define JPAKE_R_G_TO_THE_X4_IS_ONE 105
121#define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH 106
122#define JPAKE_R_HASH_OF_KEY_MISMATCH 107
123#define JPAKE_R_VERIFY_B_FAILED 102
124#define JPAKE_R_VERIFY_X3_FAILED 103
125#define JPAKE_R_VERIFY_X4_FAILED 104
126#define JPAKE_R_ZKP_VERIFY_FAILED 100
127
128#ifdef __cplusplus
129}
130#endif
131#endif
diff --git a/src/lib/libcrypto/jpake/jpake_err.c b/src/lib/libcrypto/jpake/jpake_err.c
new file mode 100644
index 0000000000..a9a9dee75c
--- /dev/null
+++ b/src/lib/libcrypto/jpake/jpake_err.c
@@ -0,0 +1,107 @@
1/* crypto/jpake/jpake_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2010 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/jpake.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_JPAKE,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_JPAKE,0,reason)
70
71static ERR_STRING_DATA JPAKE_str_functs[]=
72 {
73{ERR_FUNC(JPAKE_F_JPAKE_STEP1_PROCESS), "JPAKE_STEP1_process"},
74{ERR_FUNC(JPAKE_F_JPAKE_STEP2_PROCESS), "JPAKE_STEP2_process"},
75{ERR_FUNC(JPAKE_F_JPAKE_STEP3A_PROCESS), "JPAKE_STEP3A_process"},
76{ERR_FUNC(JPAKE_F_JPAKE_STEP3B_PROCESS), "JPAKE_STEP3B_process"},
77{ERR_FUNC(JPAKE_F_VERIFY_ZKP), "VERIFY_ZKP"},
78{0,NULL}
79 };
80
81static ERR_STRING_DATA JPAKE_str_reasons[]=
82 {
83{ERR_REASON(JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL),"g to the x3 is not legal"},
84{ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL),"g to the x4 is not legal"},
85{ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_ONE) ,"g to the x4 is one"},
86{ERR_REASON(JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH),"hash of hash of key mismatch"},
87{ERR_REASON(JPAKE_R_HASH_OF_KEY_MISMATCH),"hash of key mismatch"},
88{ERR_REASON(JPAKE_R_VERIFY_B_FAILED) ,"verify b failed"},
89{ERR_REASON(JPAKE_R_VERIFY_X3_FAILED) ,"verify x3 failed"},
90{ERR_REASON(JPAKE_R_VERIFY_X4_FAILED) ,"verify x4 failed"},
91{ERR_REASON(JPAKE_R_ZKP_VERIFY_FAILED) ,"zkp verify failed"},
92{0,NULL}
93 };
94
95#endif
96
97void ERR_load_JPAKE_strings(void)
98 {
99#ifndef OPENSSL_NO_ERR
100
101 if (ERR_func_error_string(JPAKE_str_functs[0].error) == NULL)
102 {
103 ERR_load_strings(0,JPAKE_str_functs);
104 ERR_load_strings(0,JPAKE_str_reasons);
105 }
106#endif
107 }
diff --git a/src/lib/libcrypto/jpake/jpaketest.c b/src/lib/libcrypto/jpake/jpaketest.c
new file mode 100644
index 0000000000..eaba75ed8a
--- /dev/null
+++ b/src/lib/libcrypto/jpake/jpaketest.c
@@ -0,0 +1,192 @@
1#include <openssl/opensslconf.h>
2
3#ifdef OPENSSL_NO_JPAKE
4
5#include <stdio.h>
6
7int main(int argc, char *argv[])
8{
9 printf("No J-PAKE support\n");
10 return(0);
11}
12
13#else
14
15#include <openssl/jpake.h>
16#include <openssl/err.h>
17
18static void showbn(const char *name, const BIGNUM *bn)
19 {
20 fputs(name, stdout);
21 fputs(" = ", stdout);
22 BN_print_fp(stdout, bn);
23 putc('\n', stdout);
24 }
25
26static int run_jpake(JPAKE_CTX *alice, JPAKE_CTX *bob)
27 {
28 JPAKE_STEP1 alice_s1;
29 JPAKE_STEP1 bob_s1;
30 JPAKE_STEP2 alice_s2;
31 JPAKE_STEP2 bob_s2;
32 JPAKE_STEP3A alice_s3a;
33 JPAKE_STEP3B bob_s3b;
34
35 /* Alice -> Bob: step 1 */
36 puts("A->B s1");
37 JPAKE_STEP1_init(&alice_s1);
38 JPAKE_STEP1_generate(&alice_s1, alice);
39 if(!JPAKE_STEP1_process(bob, &alice_s1))
40 {
41 printf("Bob fails to process Alice's step 1\n");
42 ERR_print_errors_fp(stdout);
43 return 1;
44 }
45 JPAKE_STEP1_release(&alice_s1);
46
47 /* Bob -> Alice: step 1 */
48 puts("B->A s1");
49 JPAKE_STEP1_init(&bob_s1);
50 JPAKE_STEP1_generate(&bob_s1, bob);
51 if(!JPAKE_STEP1_process(alice, &bob_s1))
52 {
53 printf("Alice fails to process Bob's step 1\n");
54 ERR_print_errors_fp(stdout);
55 return 2;
56 }
57 JPAKE_STEP1_release(&bob_s1);
58
59 /* Alice -> Bob: step 2 */
60 puts("A->B s2");
61 JPAKE_STEP2_init(&alice_s2);
62 JPAKE_STEP2_generate(&alice_s2, alice);
63 if(!JPAKE_STEP2_process(bob, &alice_s2))
64 {
65 printf("Bob fails to process Alice's step 2\n");
66 ERR_print_errors_fp(stdout);
67 return 3;
68 }
69 JPAKE_STEP2_release(&alice_s2);
70
71 /* Bob -> Alice: step 2 */
72 puts("B->A s2");
73 JPAKE_STEP2_init(&bob_s2);
74 JPAKE_STEP2_generate(&bob_s2, bob);
75 if(!JPAKE_STEP2_process(alice, &bob_s2))
76 {
77 printf("Alice fails to process Bob's step 2\n");
78 ERR_print_errors_fp(stdout);
79 return 4;
80 }
81 JPAKE_STEP2_release(&bob_s2);
82
83 showbn("Alice's key", JPAKE_get_shared_key(alice));
84 showbn("Bob's key ", JPAKE_get_shared_key(bob));
85
86 /* Alice -> Bob: step 3a */
87 puts("A->B s3a");
88 JPAKE_STEP3A_init(&alice_s3a);
89 JPAKE_STEP3A_generate(&alice_s3a, alice);
90 if(!JPAKE_STEP3A_process(bob, &alice_s3a))
91 {
92 printf("Bob fails to process Alice's step 3a\n");
93 ERR_print_errors_fp(stdout);
94 return 5;
95 }
96 JPAKE_STEP3A_release(&alice_s3a);
97
98 /* Bob -> Alice: step 3b */
99 puts("B->A s3b");
100 JPAKE_STEP3B_init(&bob_s3b);
101 JPAKE_STEP3B_generate(&bob_s3b, bob);
102 if(!JPAKE_STEP3B_process(alice, &bob_s3b))
103 {
104 printf("Alice fails to process Bob's step 3b\n");
105 ERR_print_errors_fp(stdout);
106 return 6;
107 }
108 JPAKE_STEP3B_release(&bob_s3b);
109
110 return 0;
111 }
112
113int main(int argc, char **argv)
114 {
115 JPAKE_CTX *alice;
116 JPAKE_CTX *bob;
117 BIGNUM *p = NULL;
118 BIGNUM *g = NULL;
119 BIGNUM *q = NULL;
120 BIGNUM *secret = BN_new();
121 BIO *bio_err;
122
123 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
124
125 CRYPTO_malloc_debug_init();
126 CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
127 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
128
129 ERR_load_crypto_strings();
130
131 /*
132 BN_hex2bn(&p, "fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7");
133 BN_hex2bn(&g, "f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a");
134 BN_hex2bn(&q, "9760508f15230bccb292b982a2eb840bf0581cf5");
135 */
136 /*
137 p = BN_new();
138 BN_generate_prime(p, 1024, 1, NULL, NULL, NULL, NULL);
139 */
140 /* Use a safe prime for p (that we found earlier) */
141 BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
142 showbn("p", p);
143 g = BN_new();
144 BN_set_word(g, 2);
145 showbn("g", g);
146 q = BN_new();
147 BN_rshift1(q, p);
148 showbn("q", q);
149
150 BN_rand(secret, 32, -1, 0);
151
152 /* A normal run, expect this to work... */
153 alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret);
154 bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret);
155
156 if(run_jpake(alice, bob) != 0)
157 {
158 fprintf(stderr, "Plain JPAKE run failed\n");
159 return 1;
160 }
161
162 JPAKE_CTX_free(bob);
163 JPAKE_CTX_free(alice);
164
165 /* Now give Alice and Bob different secrets */
166 alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret);
167 BN_add_word(secret, 1);
168 bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret);
169
170 if(run_jpake(alice, bob) != 5)
171 {
172 fprintf(stderr, "Mismatched secret JPAKE run failed\n");
173 return 1;
174 }
175
176 JPAKE_CTX_free(bob);
177 JPAKE_CTX_free(alice);
178
179 BN_free(secret);
180 BN_free(q);
181 BN_free(g);
182 BN_free(p);
183
184 CRYPTO_cleanup_all_ex_data();
185 ERR_remove_thread_state(NULL);
186 ERR_free_strings();
187 CRYPTO_mem_leaks(bio_err);
188
189 return 0;
190 }
191
192#endif