diff options
| author | Ben Laurie <ben@openssl.org> | 2008-10-26 18:40:52 +0000 |
|---|---|---|
| committer | Ben Laurie <ben@openssl.org> | 2008-10-26 18:40:52 +0000 |
| commit | 6caa4edd3e6410aff7c80011d905abcd3c1b1143 (patch) | |
| tree | cd78ea1921ac59740eb310b88bad25d642dc281a | |
| parent | ac786241a2607ea14cf29e3a0e4ad1aae672a8df (diff) | |
Add JPAKE.
| -rw-r--r-- | CHANGES | 4 | ||||
| -rw-r--r-- | Makefile.org | 2 | ||||
| -rw-r--r-- | apps/Makefile | 23 | ||||
| -rw-r--r-- | apps/apps.c | 214 | ||||
| -rw-r--r-- | apps/apps.h | 2 | ||||
| -rw-r--r-- | apps/s_client.c | 12 | ||||
| -rw-r--r-- | apps/s_server.c | 13 | ||||
| -rw-r--r-- | crypto/crypto.h | 2 | ||||
| -rw-r--r-- | crypto/err/Makefile | 23 | ||||
| -rw-r--r-- | crypto/err/err.h | 2 | ||||
| -rw-r--r-- | crypto/err/err_all.c | 3 | ||||
| -rw-r--r-- | crypto/err/openssl.ec | 1 | ||||
| -rw-r--r-- | crypto/jpake/.cvsignore | 1 | ||||
| -rw-r--r-- | crypto/jpake/Makefile | 49 | ||||
| -rw-r--r-- | crypto/jpake/jpake.c | 468 | ||||
| -rw-r--r-- | crypto/jpake/jpake.h | 115 | ||||
| -rw-r--r-- | crypto/jpake/jpake_err.c | 105 | ||||
| -rw-r--r-- | crypto/jpake/jpaketest.c | 176 | ||||
| -rw-r--r-- | crypto/mem.c | 7 | ||||
| -rw-r--r-- | test/Makefile | 24 |
20 files changed, 1215 insertions, 31 deletions
@@ -722,6 +722,10 @@ Changes between 0.9.8i and 0.9.8j [xx XXX xxxx] + *) Add JPAKE support, including demo authentication in s_client and + s_server. + [Ben Laurie] + *) Set the comparison function in v3_addr_canonize(). [Rob Austein <sra@hactrn.net>] diff --git a/Makefile.org b/Makefile.org index d3dc117eec..97e8e72890 100644 --- a/Makefile.org +++ b/Makefile.org @@ -119,7 +119,7 @@ SDIRS= \ bn ec rsa dsa ecdsa dh ecdh dso engine \ buffer bio stack lhash rand err \ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \ - cms pqueue ts + cms pqueue ts jpake # keep in mind that the above list is adjusted by ./Configure # according to no-xxx arguments... diff --git a/apps/Makefile b/apps/Makefile index 1718538c26..20975c2a3f 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -188,17 +188,18 @@ apps.o: ../include/openssl/conf.h ../include/openssl/crypto.h apps.o: ../include/openssl/e_os2.h ../include/openssl/ec.h apps.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h apps.o: ../include/openssl/engine.h ../include/openssl/err.h -apps.o: ../include/openssl/evp.h ../include/openssl/lhash.h -apps.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -apps.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h -apps.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -apps.o: ../include/openssl/pem.h ../include/openssl/pem2.h -apps.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h -apps.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -apps.o: ../include/openssl/sha.h ../include/openssl/stack.h -apps.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -apps.o: ../include/openssl/ui.h ../include/openssl/x509.h -apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h +apps.o: ../include/openssl/evp.h ../include/openssl/jpake.h +apps.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +apps.o: ../include/openssl/objects.h ../include/openssl/ocsp.h +apps.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +apps.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +apps.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h +apps.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h +apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h +apps.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +apps.o: ../include/openssl/txt_db.h ../include/openssl/ui.h +apps.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +apps.o: ../include/openssl/x509v3.h apps.c apps.h asn1pars.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h asn1pars.o: ../include/openssl/buffer.h ../include/openssl/conf.h asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h diff --git a/apps/apps.c b/apps/apps.c index 548ae4c143..f3087fc265 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -122,6 +122,7 @@ #include <sys/types.h> #include <ctype.h> #include <errno.h> +#include <assert.h> #include <openssl/err.h> #include <openssl/x509.h> #include <openssl/x509v3.h> @@ -136,6 +137,7 @@ #include <openssl/rsa.h> #endif #include <openssl/bn.h> +#include <openssl/jpake.h> #define NON_MAIN #include "apps.h" @@ -2377,6 +2379,218 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx) BIO_free(out); } +static JPAKE_CTX *jpake_init(const char *us, const char *them, + const char *secret) + { + BIGNUM *p = NULL; + BIGNUM *g = NULL; + BIGNUM *q = NULL; + BIGNUM *bnsecret = BN_new(); + JPAKE_CTX *ctx; + + // Use a safe prime for p (that we found earlier) + BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F"); + g = BN_new(); + BN_set_word(g, 2); + q = BN_new(); + BN_rshift1(q, p); + + BN_bin2bn(secret, strlen(secret), bnsecret); + + ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret); + BN_free(bnsecret); + BN_free(q); + BN_free(g); + BN_free(p); + + return ctx; + } + +static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p) + { + BN_print(conn, p->gx); + BIO_puts(conn, "\n"); + BN_print(conn, p->zkpx.gr); + BIO_puts(conn, "\n"); + BN_print(conn, p->zkpx.b); + BIO_puts(conn, "\n"); + } + +static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx) + { + JPAKE_STEP1 s1; + + JPAKE_STEP1_init(&s1); + JPAKE_STEP1_generate(&s1, ctx); + jpake_send_part(bconn, &s1.p1); + jpake_send_part(bconn, &s1.p2); + BIO_flush(bconn); + JPAKE_STEP1_release(&s1); + } + +static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx) + { + JPAKE_STEP2 s2; + + JPAKE_STEP2_init(&s2); + JPAKE_STEP2_generate(&s2, ctx); + jpake_send_part(bconn, &s2); + BIO_flush(bconn); + JPAKE_STEP2_release(&s2); + } + +static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx) + { + JPAKE_STEP3A s3a; + + JPAKE_STEP3A_init(&s3a); + JPAKE_STEP3A_generate(&s3a, ctx); + BIO_write(bconn, s3a.hhk, sizeof s3a.hhk); + BIO_flush(bconn); + JPAKE_STEP3A_release(&s3a); + } + +static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx) + { + JPAKE_STEP3B s3b; + + JPAKE_STEP3B_init(&s3b); + JPAKE_STEP3B_generate(&s3b, ctx); + BIO_write(bconn, s3b.hk, sizeof s3b.hk); + BIO_flush(bconn); + JPAKE_STEP3B_release(&s3b); + } + +static void readbn(BIGNUM **bn, BIO *bconn) + { + char buf[10240]; + int l; + + l = BIO_gets(bconn, buf, sizeof buf); + assert(l >= 0); + assert(buf[l-1] == '\n'); + buf[l-1] = '\0'; + BN_hex2bn(bn, buf); + } + +static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn) + { + readbn(&p->gx, bconn); + readbn(&p->zkpx.gr, bconn); + readbn(&p->zkpx.b, bconn); + } + +static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn) + { + JPAKE_STEP1 s1; + + JPAKE_STEP1_init(&s1); + jpake_receive_part(&s1.p1, bconn); + jpake_receive_part(&s1.p2, bconn); + if(!JPAKE_STEP1_process(ctx, &s1)) + { + ERR_print_errors(bio_err); + exit(1); + } + JPAKE_STEP1_release(&s1); + } + +static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn) + { + JPAKE_STEP2 s2; + + JPAKE_STEP2_init(&s2); + jpake_receive_part(&s2, bconn); + if(!JPAKE_STEP2_process(ctx, &s2)) + { + ERR_print_errors(bio_err); + exit(1); + } + JPAKE_STEP2_release(&s2); + } + +static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn) + { + JPAKE_STEP3A s3a; + int l; + + JPAKE_STEP3A_init(&s3a); + l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk); + assert(l == sizeof s3a.hhk); + if(!JPAKE_STEP3A_process(ctx, &s3a)) + { + ERR_print_errors(bio_err); + exit(1); + } + JPAKE_STEP3A_release(&s3a); + } + +static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn) + { + JPAKE_STEP3B s3b; + int l; + + JPAKE_STEP3B_init(&s3b); + l = BIO_read(bconn, s3b.hk, sizeof s3b.hk); + assert(l == sizeof s3b.hk); + if(!JPAKE_STEP3B_process(ctx, &s3b)) + { + ERR_print_errors(bio_err); + exit(1); + } + JPAKE_STEP3B_release(&s3b); + } + +void jpake_client_auth(BIO *out, BIO *conn, const char *secret) + { + JPAKE_CTX *ctx; + BIO *bconn; + + BIO_puts(out, "Authenticating with JPAKE\n"); + + ctx = jpake_init("client", "server", secret); + + bconn = BIO_new(BIO_f_buffer()); + BIO_push(bconn, conn); + + jpake_send_step1(bconn, ctx); + jpake_receive_step1(ctx, bconn); + jpake_send_step2(bconn, ctx); + jpake_receive_step2(ctx, bconn); + jpake_send_step3a(bconn, ctx); + jpake_receive_step3b(ctx, bconn); + + BIO_puts(out, "JPAKE authentication succeeded\n"); + + BIO_pop(bconn); + BIO_free(bconn); + } + +void jpake_server_auth(BIO *out, BIO *conn, const char *secret) + { + JPAKE_CTX *ctx; + BIO *bconn; + + BIO_puts(out, "Authenticating with JPAKE\n"); + + ctx = jpake_init("server", "client", secret); + + bconn = BIO_new(BIO_f_buffer()); + BIO_push(bconn, conn); + + jpake_receive_step1(ctx, bconn); + jpake_send_step1(bconn, ctx); + jpake_receive_step2(ctx, bconn); + jpake_send_step2(bconn, ctx); + jpake_receive_step3a(ctx, bconn); + jpake_send_step3b(bconn, ctx); + + BIO_puts(out, "JPAKE authentication succeeded\n"); + + BIO_pop(bconn); + BIO_free(bconn); + } + /* * Platform-specific sections */ diff --git a/apps/apps.h b/apps/apps.h index bcf597f3ef..f08893e3e8 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -308,6 +308,8 @@ int bio_to_mem(unsigned char **out, int maxlen, BIO *in); int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value); int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e, int do_param); +void jpake_client_auth(BIO *out, BIO *conn, const char *secret); +void jpake_server_auth(BIO *out, BIO *conn, const char *secret); #define FORMAT_UNDEF 0 #define FORMAT_ASN1 1 diff --git a/apps/s_client.c b/apps/s_client.c index f038a55323..93c62b4386 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -418,7 +418,6 @@ int MAIN(int argc, char **argv) int stdin_set = 0; #endif #endif - #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; tlsextctx tlsextcbp = @@ -430,6 +429,7 @@ int MAIN(int argc, char **argv) int peerlen = sizeof(peer); int enable_timeouts = 0 ; long socket_mtu = 0; + char *jpake_secret = NULL; #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_client_method(); @@ -699,6 +699,11 @@ int MAIN(int argc, char **argv) /* meth=TLSv1_client_method(); */ } #endif + else if (strcmp(*argv,"-jpake") == 0) + { + if (--argc < 1) goto bad; + jpake_secret = *++argv; + } else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -974,8 +979,6 @@ re_start: else sbio=BIO_new_socket(s,BIO_NOCLOSE); - - if (nbio_test) { BIO *test; @@ -1020,6 +1023,9 @@ SSL_set_tlsext_status_ids(con, ids); } #endif + if (jpake_secret) + jpake_client_auth(bio_c_out, sbio, jpake_secret); + SSL_set_bio(con,sbio,sbio); SSL_set_connect_state(con); diff --git a/apps/s_server.c b/apps/s_server.c index c95057a7f8..1bf649b710 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -822,6 +822,8 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); int MAIN(int, char **); +static char *jpake_secret = NULL; + int MAIN(int argc, char *argv[]) { X509_STORE *store = NULL; @@ -854,7 +856,6 @@ int MAIN(int argc, char *argv[]) EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; #endif - #ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; #endif @@ -1179,7 +1180,13 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_key_file2= *(++argv); } + #endif + else if (strcmp(*argv,"-jpake") == 0) + { + if (--argc < 1) goto bad; + jpake_secret = *(++argv); + } else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1807,6 +1814,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) test=BIO_new(BIO_f_nbio_test()); sbio=BIO_push(test,sbio); } + + if(jpake_secret) + jpake_server_auth(bio_s_out, sbio, jpake_secret); + SSL_set_bio(con,sbio,sbio); SSL_set_accept_state(con); /* SSL_set_fd(con,s); */ diff --git a/crypto/crypto.h b/crypto/crypto.h index efde768937..ff09bc5fb4 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h @@ -366,6 +366,7 @@ int CRYPTO_is_mem_check_on(void); #define is_MemCheck_on() CRYPTO_is_mem_check_on() #define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__) +#define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__) #define OPENSSL_realloc(addr,num) \ CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__) #define OPENSSL_realloc_clean(addr,old_num,num) \ @@ -489,6 +490,7 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int), void *CRYPTO_malloc_locked(int num, const char *file, int line); void CRYPTO_free_locked(void *); void *CRYPTO_malloc(int num, const char *file, int line); +char *CRYPTO_strdup(const char *str, const char *file, int line); void CRYPTO_free(void *); void *CRYPTO_realloc(void *addr,int num, const char *file, int line); void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, diff --git a/crypto/err/Makefile b/crypto/err/Makefile index 862b23ba17..3581d10178 100644 --- a/crypto/err/Makefile +++ b/crypto/err/Makefile @@ -90,17 +90,18 @@ err_all.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h err_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h err_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h err_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h -err_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -err_all.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h -err_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -err_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem2.h -err_all.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h -err_all.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h -err_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -err_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -err_all.o: ../../include/openssl/ts.h ../../include/openssl/ui.h -err_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h -err_all.o: ../../include/openssl/x509v3.h err_all.c +err_all.o: ../../include/openssl/jpake.h ../../include/openssl/lhash.h +err_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +err_all.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h +err_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +err_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h +err_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h +err_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +err_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +err_all.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h +err_all.o: ../../include/openssl/ui.h ../../include/openssl/x509.h +err_all.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h +err_all.o: err_all.c err_prn.o: ../../e_os.h ../../include/openssl/bio.h err_prn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h err_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/crypto/err/err.h b/crypto/err/err.h index 006351d5e3..b9f8c16d47 100644 --- a/crypto/err/err.h +++ b/crypto/err/err.h @@ -197,6 +197,7 @@ typedef struct err_state_st #define ERR_LIB_CMS 46 #define ERR_LIB_TS 47 #define ERR_LIB_HMAC 48 +#define ERR_LIB_JPAKE 49 #define ERR_LIB_USER 128 @@ -232,6 +233,7 @@ typedef struct err_state_st #define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),__FILE__,__LINE__) #define TSerr(f,r) ERR_PUT_error(ERR_LIB_TS,(f),(r),__FILE__,__LINE__) #define HMACerr(f,r) ERR_PUT_error(ERR_LIB_HMAC,(f),(r),__FILE__,__LINE__) +#define JPAKEerr(f,r) ERR_PUT_error(ERR_LIB_JPAKE,(f),(r),__FILE__,__LINE__) /* Borland C seems too stupid to be able to shift and do longs in * the pre-processor :-( */ diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index f0a5e075ab..5ab89f9498 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -100,6 +100,8 @@ #include <openssl/cms.h> #endif +#include <openssl/jpake.h> + void ERR_load_crypto_strings(void) { #ifndef OPENSSL_NO_ERR @@ -148,5 +150,6 @@ void ERR_load_crypto_strings(void) #ifndef OPENSSL_NO_CMS ERR_load_CMS_strings(); #endif + ERR_load_JPAKE_strings(); #endif } diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index c513734e94..e0554b4342 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -34,6 +34,7 @@ L STORE crypto/store/store.h crypto/store/str_err.c L TS crypto/ts/ts.h crypto/ts/ts_err.c L HMAC crypto/hmac/hmac.h crypto/hmac/hmac_err.c L CMS crypto/cms/cms.h crypto/cms/cms_err.c +L JPAKE crypto/jpake/jpake.h crypto/jpake/jpake_err.c # additional header files to be scanned for function names L NONE crypto/x509/x509_vfy.h NONE diff --git a/crypto/jpake/.cvsignore b/crypto/jpake/.cvsignore new file mode 100644 index 0000000000..a65b41774a --- /dev/null +++ b/crypto/jpake/.cvsignore @@ -0,0 +1 @@ +lib diff --git a/crypto/jpake/Makefile b/crypto/jpake/Makefile new file mode 100644 index 0000000000..d508c977a9 --- /dev/null +++ b/crypto/jpake/Makefile @@ -0,0 +1,49 @@ +DIR=jpake +TOP=../.. + +CFLAGS= $(INCLUDES) $(CFLAG) + +LIB=$(TOP)/libcrypto.a +LIBOBJ=jpake.o jpake_err.o +LIBSRC=jpake.c jpake_err.c + +EXHEADER=jpake.h +TEST=jpaketest.c + +top: + (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) + +all: lib + +lib: $(LIBOBJ) + $(AR) $(LIB) $(LIBOBJ) + $(RANLIB) $(LIB) || echo Never mind. + @touch lib + +links: + @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) + @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) + +depend: + @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) + +jpaketest: top jpaketest.c $(LIB) + $(CC) $(CFLAGS) -Wall -Werror -g -o jpaketest jpaketest.c $(LIB) +# DO NOT DELETE THIS LINE -- make depend depends on it. + +jpake.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +jpake.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +jpake.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +jpake.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +jpake.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h +jpake.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +jpake.o: ../../include/openssl/symhacks.h jpake.c jpake.h +jpake_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +jpake_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +jpake_err.o: ../../include/openssl/err.h ../../include/openssl/jpake.h +jpake_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h +jpake_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +jpake_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +jpake_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +jpake_err.o: jpake_err.c diff --git a/crypto/jpake/jpake.c b/crypto/jpake/jpake.c new file mode 100644 index 0000000000..3ed1d1b158 --- /dev/null +++ b/crypto/jpake/jpake.c @@ -0,0 +1,468 @@ +#include "jpake.h" + +#include <openssl/crypto.h> +#include <openssl/sha.h> +#include <openssl/err.h> +#include <memory.h> +#include <assert.h> + +/* + * In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or + * Bob's (x3, x4, x1, x2). If you see what I mean. + */ + +typedef struct + { + char *name; // Must be unique + char *peer_name; + BIGNUM *p; + BIGNUM *g; + BIGNUM *q; + BIGNUM *gxc; // Alice's g^{x3} or Bob's g^{x1} + BIGNUM *gxd; // Alice's g^{x4} or Bob's g^{x2} + } JPAKE_CTX_PUBLIC; + +struct JPAKE_CTX + { + JPAKE_CTX_PUBLIC p; + BIGNUM *secret; // The shared secret + BN_CTX *ctx; + BIGNUM *xa; // Alice's x1 or Bob's x3 + BIGNUM *xb; // Alice's x2 or Bob's x4 + BIGNUM *key; // The calculated (shared) key + }; + +static void JPAKE_ZKP_init(JPAKE_ZKP *zkp) + { + zkp->gr = BN_new(); + zkp->b = BN_new(); + } + +static void JPAKE_ZKP_release(JPAKE_ZKP *zkp) + { + BN_free(zkp->b); + BN_free(zkp->gr); + } + +// Two birds with one stone - make the global name as expected +#define JPAKE_STEP_PART_init JPAKE_STEP2_init +#define JPAKE_STEP_PART_release JPAKE_STEP2_release + +void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p) + { + p->gx = BN_new(); + JPAKE_ZKP_init(&p->zkpx); + } + +void JPAKE_STEP_PART_release(JPAKE_STEP_PART *p) + { + JPAKE_ZKP_release(&p->zkpx); + BN_free(p->gx); + } + +void JPAKE_STEP1_init(JPAKE_STEP1 *s1) + { + JPAKE_STEP_PART_init(&s1->p1); + JPAKE_STEP_PART_init(&s1->p2); + } + +void JPAKE_STEP1_release(JPAKE_STEP1 *s1) + { + JPAKE_STEP_PART_release(&s1->p2); + JPAKE_STEP_PART_release(&s1->p1); + } + +static void JPAKE_CTX_init(JPAKE_CTX *ctx, const char *name, + const char *peer_name, const BIGNUM *p, + const BIGNUM *g, const BIGNUM *q, + const BIGNUM *secret) + { + ctx->p.name = OPENSSL_strdup(name); + ctx->p.peer_name = OPENSSL_strdup(peer_name); + ctx->p.p = BN_dup(p); + ctx->p.g = BN_dup(g); + ctx->p.q = BN_dup(q); + ctx->secret = BN_dup(secret); + + ctx->p.gxc = BN_new(); + ctx->p.gxd = BN_new(); + + ctx->xa = BN_new(); + ctx->xb = BN_new(); + ctx->key = BN_new(); + ctx->ctx = BN_CTX_new(); + } + +static void JPAKE_CTX_release(JPAKE_CTX *ctx) + { + BN_CTX_free(ctx->ctx); + BN_clear_free(ctx->key); + BN_clear_free(ctx->xb); + BN_clear_free(ctx->xa); + + BN_free(ctx->p.gxd); + BN_free(ctx->p.gxc); + + BN_clear_free(ctx->secret); + BN_free(ctx->p.q); + BN_free(ctx->p.g); + BN_free(ctx->p.p); + OPENSSL_free(ctx->p.peer_name); + OPENSSL_free(ctx->p.name); + + memset(ctx, '\0', sizeof *ctx); + } + +JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name, + const BIGNUM *p, const BIGNUM *g, const BIGNUM *q, + const BIGNUM *secret) + { + JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx); + + JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret); + + return ctx; + } + +void JPAKE_CTX_free(JPAKE_CTX *ctx) + { + JPAKE_CTX_release(ctx); + OPENSSL_free(ctx); + } + +static void hashlength(SHA_CTX *sha, size_t l) + { + unsigned char b[2]; + + assert(l <= 0xffff); + b[0] = l >> 8; + b[1] = l&0xff; + SHA1_Update(sha, b, 2); + } + +static void hashstring(SHA_CTX *sha, const char *string) + { + size_t l = strlen(string); + + hashlength(sha, l); + SHA1_Update(sha, string, l); + } + +static void hashbn(SHA_CTX *sha, const BIGNUM *bn) + { + size_t l = BN_num_bytes(bn); + unsigned char *bin = alloca(l); + + hashlength(sha, l); + BN_bn2bin(bn, bin); + SHA1_Update(sha, bin, l); + } + +// h=hash(g, g^r, g^x, name) +static void zkp_hash(BIGNUM *h, const BIGNUM *zkpg, const JPAKE_STEP_PART *p, + const char *proof_name) + { + unsigned char md[SHA_DIGEST_LENGTH]; + SHA_CTX sha; + + // XXX: hash should not allow moving of the boundaries - Java code + // is flawed in this respect. Length encoding seems simplest. + SHA1_Init(&sha); + hashbn(&sha, zkpg); + assert(!BN_is_zero(p->zkpx.gr)); + hashbn(&sha, p->zkpx.gr); + hashbn(&sha, p->gx); + hashstring(&sha, proof_name); + SHA1_Final(md, &sha); + BN_bin2bn(md, SHA_DIGEST_LENGTH, h); + } + +// Prove knowledge of x +// Note that p->gx has already been calculated +static void generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x, + const BIGNUM *zkpg, JPAKE_CTX *ctx) + { + BIGNUM *r = BN_new(); + BIGNUM *h = BN_new(); + BIGNUM *t = BN_new(); + + // r in [0,q) + // XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform + BN_rand_range(r, ctx->p.q); + // g^r + BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx); + + // h=hash... + zkp_hash(h, zkpg, p, ctx->p.name); + + // b = r - x*h + BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx); + BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx); + + // cleanup + BN_free(t); + BN_free(h); + BN_free(r); + } + +static int verify_zkp(const JPAKE_STEP_PART *p, const BIGNUM *zkpg, + JPAKE_CTX *ctx) + { + BIGNUM *h = BN_new(); + BIGNUM *t1 = BN_new(); + BIGNUM *t2 = BN_new(); + BIGNUM *t3 = BN_new(); + int ret = 0; + + zkp_hash(h, zkpg, p, ctx->p.peer_name); + + // t1 = g^b + BN_mod_exp(t1, zkpg, p->zkpx.b, ctx->p.p, ctx->ctx); + // t2 = (g^x)^h = g^{hx} + BN_mod_exp(t2, p->gx, h, ctx->p.p, ctx->ctx); + // t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly) + BN_mod_mul(t3, t1, t2, ctx->p.p, ctx->ctx); + + // verify t3 == g^r + if(BN_cmp(t3, p->zkpx.gr) == 0) + ret = 1; + else + JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED); + + // cleanup + BN_free(t3); + BN_free(t2); + BN_free(t1); + BN_free(h); + + return ret; + } + +static void generate_step_part(JPAKE_STEP_PART *p, const BIGNUM *x, + const BIGNUM *g, JPAKE_CTX *ctx) + { + BN_mod_exp(p->gx, g, x, ctx->p.p, ctx->ctx); + generate_zkp(p, x, g, ctx); + } + +// Generate each party's random numbers. xa is in [0, q), xb is in [1, q). +static void genrand(JPAKE_CTX *ctx) + { + BIGNUM *qm1; + + // xa in [0, q) + BN_rand_range(ctx->xa, ctx->p.q); + + // q-1 + qm1 = BN_new(); + BN_copy(qm1, ctx->p.q); + BN_sub_word(qm1, 1); + + // ... and xb in [0, q-1) + BN_rand_range(ctx->xb, qm1); + // [1, q) + BN_add_word(ctx->xb, 1); + + // cleanup + BN_free(qm1); + } + +int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx) + { + genrand(ctx); + generate_step_part(&send->p1, ctx->xa, ctx->p.g, ctx); + generate_step_part(&send->p2, ctx->xb, ctx->p.g, ctx); + + return 1; + } + +int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received) + { + // verify their ZKP(xc) + if(!verify_zkp(&received->p1, ctx->p.g, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED); + return 0; + } + + // verify their ZKP(xd) + if(!verify_zkp(&received->p2, ctx->p.g, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED); + return 0; + } + + // g^xd != 1 + if(BN_is_one(received->p2.gx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE); + return 0; + } + + // Save the bits we need for later + BN_copy(ctx->p.gxc, received->p1.gx); + BN_copy(ctx->p.gxd, received->p2.gx); + + return 1; + } + + +int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx) + { + BIGNUM *t1 = BN_new(); + BIGNUM *t2 = BN_new(); + + // X = g^{(xa + xc + xd) * xb * s} + // t1 = g^xa + BN_mod_exp(t1, ctx->p.g, ctx->xa, ctx->p.p, ctx->ctx); + // t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc} + BN_mod_mul(t2, t1, ctx->p.gxc, ctx->p.p, ctx->ctx); + // t1 = t2 * g^{xd} = g^{xa + xc + xd} + BN_mod_mul(t1, t2, ctx->p.gxd, ctx->p.p, ctx->ctx); + // t2 = xb * s + BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx); + + // ZKP(xb * s) + // XXX: this is kinda funky, because we're using + // + // g' = g^{xa + xc + xd} + // + // as the generator, which means X is g'^{xb * s} + // X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s} + generate_step_part(send, t2, t1, ctx); + + // cleanup + BN_free(t1); + BN_free(t2); + |