diff options
| author | Ben Laurie <ben@openssl.org> | 2008-10-26 18:40:52 +0000 |
|---|---|---|
| committer | Ben Laurie <ben@openssl.org> | 2008-10-26 18:40:52 +0000 |
| commit | 6caa4edd3e6410aff7c80011d905abcd3c1b1143 (patch) | |
| tree | cd78ea1921ac59740eb310b88bad25d642dc281a /crypto | |
| parent | ac786241a2607ea14cf29e3a0e4ad1aae672a8df (diff) | |
Add JPAKE.
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/crypto.h | 2 | ||||
| -rw-r--r-- | crypto/err/Makefile | 23 | ||||
| -rw-r--r-- | crypto/err/err.h | 2 | ||||
| -rw-r--r-- | crypto/err/err_all.c | 3 | ||||
| -rw-r--r-- | crypto/err/openssl.ec | 1 | ||||
| -rw-r--r-- | crypto/jpake/.cvsignore | 1 | ||||
| -rw-r--r-- | crypto/jpake/Makefile | 49 | ||||
| -rw-r--r-- | crypto/jpake/jpake.c | 468 | ||||
| -rw-r--r-- | crypto/jpake/jpake.h | 115 | ||||
| -rw-r--r-- | crypto/jpake/jpake_err.c | 105 | ||||
| -rw-r--r-- | crypto/jpake/jpaketest.c | 176 | ||||
| -rw-r--r-- | crypto/mem.c | 7 |
12 files changed, 941 insertions, 11 deletions
diff --git a/crypto/crypto.h b/crypto/crypto.h index efde768937..ff09bc5fb4 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h @@ -366,6 +366,7 @@ int CRYPTO_is_mem_check_on(void); #define is_MemCheck_on() CRYPTO_is_mem_check_on() #define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__) +#define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__) #define OPENSSL_realloc(addr,num) \ CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__) #define OPENSSL_realloc_clean(addr,old_num,num) \ @@ -489,6 +490,7 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int), void *CRYPTO_malloc_locked(int num, const char *file, int line); void CRYPTO_free_locked(void *); void *CRYPTO_malloc(int num, const char *file, int line); +char *CRYPTO_strdup(const char *str, const char *file, int line); void CRYPTO_free(void *); void *CRYPTO_realloc(void *addr,int num, const char *file, int line); void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, diff --git a/crypto/err/Makefile b/crypto/err/Makefile index 862b23ba17..3581d10178 100644 --- a/crypto/err/Makefile +++ b/crypto/err/Makefile @@ -90,17 +90,18 @@ err_all.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h err_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h err_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h err_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h -err_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -err_all.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h -err_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -err_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem2.h -err_all.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h -err_all.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h -err_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -err_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -err_all.o: ../../include/openssl/ts.h ../../include/openssl/ui.h -err_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h -err_all.o: ../../include/openssl/x509v3.h err_all.c +err_all.o: ../../include/openssl/jpake.h ../../include/openssl/lhash.h +err_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +err_all.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h +err_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +err_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h +err_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h +err_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +err_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +err_all.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h +err_all.o: ../../include/openssl/ui.h ../../include/openssl/x509.h +err_all.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h +err_all.o: err_all.c err_prn.o: ../../e_os.h ../../include/openssl/bio.h err_prn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h err_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/crypto/err/err.h b/crypto/err/err.h index 006351d5e3..b9f8c16d47 100644 --- a/crypto/err/err.h +++ b/crypto/err/err.h @@ -197,6 +197,7 @@ typedef struct err_state_st #define ERR_LIB_CMS 46 #define ERR_LIB_TS 47 #define ERR_LIB_HMAC 48 +#define ERR_LIB_JPAKE 49 #define ERR_LIB_USER 128 @@ -232,6 +233,7 @@ typedef struct err_state_st #define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),__FILE__,__LINE__) #define TSerr(f,r) ERR_PUT_error(ERR_LIB_TS,(f),(r),__FILE__,__LINE__) #define HMACerr(f,r) ERR_PUT_error(ERR_LIB_HMAC,(f),(r),__FILE__,__LINE__) +#define JPAKEerr(f,r) ERR_PUT_error(ERR_LIB_JPAKE,(f),(r),__FILE__,__LINE__) /* Borland C seems too stupid to be able to shift and do longs in * the pre-processor :-( */ diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index f0a5e075ab..5ab89f9498 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -100,6 +100,8 @@ #include <openssl/cms.h> #endif +#include <openssl/jpake.h> + void ERR_load_crypto_strings(void) { #ifndef OPENSSL_NO_ERR @@ -148,5 +150,6 @@ void ERR_load_crypto_strings(void) #ifndef OPENSSL_NO_CMS ERR_load_CMS_strings(); #endif + ERR_load_JPAKE_strings(); #endif } diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index c513734e94..e0554b4342 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -34,6 +34,7 @@ L STORE crypto/store/store.h crypto/store/str_err.c L TS crypto/ts/ts.h crypto/ts/ts_err.c L HMAC crypto/hmac/hmac.h crypto/hmac/hmac_err.c L CMS crypto/cms/cms.h crypto/cms/cms_err.c +L JPAKE crypto/jpake/jpake.h crypto/jpake/jpake_err.c # additional header files to be scanned for function names L NONE crypto/x509/x509_vfy.h NONE diff --git a/crypto/jpake/.cvsignore b/crypto/jpake/.cvsignore new file mode 100644 index 0000000000..a65b41774a --- /dev/null +++ b/crypto/jpake/.cvsignore @@ -0,0 +1 @@ +lib diff --git a/crypto/jpake/Makefile b/crypto/jpake/Makefile new file mode 100644 index 0000000000..d508c977a9 --- /dev/null +++ b/crypto/jpake/Makefile @@ -0,0 +1,49 @@ +DIR=jpake +TOP=../.. + +CFLAGS= $(INCLUDES) $(CFLAG) + +LIB=$(TOP)/libcrypto.a +LIBOBJ=jpake.o jpake_err.o +LIBSRC=jpake.c jpake_err.c + +EXHEADER=jpake.h +TEST=jpaketest.c + +top: + (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) + +all: lib + +lib: $(LIBOBJ) + $(AR) $(LIB) $(LIBOBJ) + $(RANLIB) $(LIB) || echo Never mind. + @touch lib + +links: + @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) + @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) + +depend: + @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) + +jpaketest: top jpaketest.c $(LIB) + $(CC) $(CFLAGS) -Wall -Werror -g -o jpaketest jpaketest.c $(LIB) +# DO NOT DELETE THIS LINE -- make depend depends on it. + +jpake.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +jpake.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +jpake.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +jpake.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +jpake.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h +jpake.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +jpake.o: ../../include/openssl/symhacks.h jpake.c jpake.h +jpake_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +jpake_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +jpake_err.o: ../../include/openssl/err.h ../../include/openssl/jpake.h +jpake_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h +jpake_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +jpake_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +jpake_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +jpake_err.o: jpake_err.c diff --git a/crypto/jpake/jpake.c b/crypto/jpake/jpake.c new file mode 100644 index 0000000000..3ed1d1b158 --- /dev/null +++ b/crypto/jpake/jpake.c @@ -0,0 +1,468 @@ +#include "jpake.h" + +#include <openssl/crypto.h> +#include <openssl/sha.h> +#include <openssl/err.h> +#include <memory.h> +#include <assert.h> + +/* + * In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or + * Bob's (x3, x4, x1, x2). If you see what I mean. + */ + +typedef struct + { + char *name; // Must be unique + char *peer_name; + BIGNUM *p; + BIGNUM *g; + BIGNUM *q; + BIGNUM *gxc; // Alice's g^{x3} or Bob's g^{x1} + BIGNUM *gxd; // Alice's g^{x4} or Bob's g^{x2} + } JPAKE_CTX_PUBLIC; + +struct JPAKE_CTX + { + JPAKE_CTX_PUBLIC p; + BIGNUM *secret; // The shared secret + BN_CTX *ctx; + BIGNUM *xa; // Alice's x1 or Bob's x3 + BIGNUM *xb; // Alice's x2 or Bob's x4 + BIGNUM *key; // The calculated (shared) key + }; + +static void JPAKE_ZKP_init(JPAKE_ZKP *zkp) + { + zkp->gr = BN_new(); + zkp->b = BN_new(); + } + +static void JPAKE_ZKP_release(JPAKE_ZKP *zkp) + { + BN_free(zkp->b); + BN_free(zkp->gr); + } + +// Two birds with one stone - make the global name as expected +#define JPAKE_STEP_PART_init JPAKE_STEP2_init +#define JPAKE_STEP_PART_release JPAKE_STEP2_release + +void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p) + { + p->gx = BN_new(); + JPAKE_ZKP_init(&p->zkpx); + } + +void JPAKE_STEP_PART_release(JPAKE_STEP_PART *p) + { + JPAKE_ZKP_release(&p->zkpx); + BN_free(p->gx); + } + +void JPAKE_STEP1_init(JPAKE_STEP1 *s1) + { + JPAKE_STEP_PART_init(&s1->p1); + JPAKE_STEP_PART_init(&s1->p2); + } + +void JPAKE_STEP1_release(JPAKE_STEP1 *s1) + { + JPAKE_STEP_PART_release(&s1->p2); + JPAKE_STEP_PART_release(&s1->p1); + } + +static void JPAKE_CTX_init(JPAKE_CTX *ctx, const char *name, + const char *peer_name, const BIGNUM *p, + const BIGNUM *g, const BIGNUM *q, + const BIGNUM *secret) + { + ctx->p.name = OPENSSL_strdup(name); + ctx->p.peer_name = OPENSSL_strdup(peer_name); + ctx->p.p = BN_dup(p); + ctx->p.g = BN_dup(g); + ctx->p.q = BN_dup(q); + ctx->secret = BN_dup(secret); + + ctx->p.gxc = BN_new(); + ctx->p.gxd = BN_new(); + + ctx->xa = BN_new(); + ctx->xb = BN_new(); + ctx->key = BN_new(); + ctx->ctx = BN_CTX_new(); + } + +static void JPAKE_CTX_release(JPAKE_CTX *ctx) + { + BN_CTX_free(ctx->ctx); + BN_clear_free(ctx->key); + BN_clear_free(ctx->xb); + BN_clear_free(ctx->xa); + + BN_free(ctx->p.gxd); + BN_free(ctx->p.gxc); + + BN_clear_free(ctx->secret); + BN_free(ctx->p.q); + BN_free(ctx->p.g); + BN_free(ctx->p.p); + OPENSSL_free(ctx->p.peer_name); + OPENSSL_free(ctx->p.name); + + memset(ctx, '\0', sizeof *ctx); + } + +JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name, + const BIGNUM *p, const BIGNUM *g, const BIGNUM *q, + const BIGNUM *secret) + { + JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx); + + JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret); + + return ctx; + } + +void JPAKE_CTX_free(JPAKE_CTX *ctx) + { + JPAKE_CTX_release(ctx); + OPENSSL_free(ctx); + } + +static void hashlength(SHA_CTX *sha, size_t l) + { + unsigned char b[2]; + + assert(l <= 0xffff); + b[0] = l >> 8; + b[1] = l&0xff; + SHA1_Update(sha, b, 2); + } + +static void hashstring(SHA_CTX *sha, const char *string) + { + size_t l = strlen(string); + + hashlength(sha, l); + SHA1_Update(sha, string, l); + } + +static void hashbn(SHA_CTX *sha, const BIGNUM *bn) + { + size_t l = BN_num_bytes(bn); + unsigned char *bin = alloca(l); + + hashlength(sha, l); + BN_bn2bin(bn, bin); + SHA1_Update(sha, bin, l); + } + +// h=hash(g, g^r, g^x, name) +static void zkp_hash(BIGNUM *h, const BIGNUM *zkpg, const JPAKE_STEP_PART *p, + const char *proof_name) + { + unsigned char md[SHA_DIGEST_LENGTH]; + SHA_CTX sha; + + // XXX: hash should not allow moving of the boundaries - Java code + // is flawed in this respect. Length encoding seems simplest. + SHA1_Init(&sha); + hashbn(&sha, zkpg); + assert(!BN_is_zero(p->zkpx.gr)); + hashbn(&sha, p->zkpx.gr); + hashbn(&sha, p->gx); + hashstring(&sha, proof_name); + SHA1_Final(md, &sha); + BN_bin2bn(md, SHA_DIGEST_LENGTH, h); + } + +// Prove knowledge of x +// Note that p->gx has already been calculated +static void generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x, + const BIGNUM *zkpg, JPAKE_CTX *ctx) + { + BIGNUM *r = BN_new(); + BIGNUM *h = BN_new(); + BIGNUM *t = BN_new(); + + // r in [0,q) + // XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform + BN_rand_range(r, ctx->p.q); + // g^r + BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx); + + // h=hash... + zkp_hash(h, zkpg, p, ctx->p.name); + + // b = r - x*h + BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx); + BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx); + + // cleanup + BN_free(t); + BN_free(h); + BN_free(r); + } + +static int verify_zkp(const JPAKE_STEP_PART *p, const BIGNUM *zkpg, + JPAKE_CTX *ctx) + { + BIGNUM *h = BN_new(); + BIGNUM *t1 = BN_new(); + BIGNUM *t2 = BN_new(); + BIGNUM *t3 = BN_new(); + int ret = 0; + + zkp_hash(h, zkpg, p, ctx->p.peer_name); + + // t1 = g^b + BN_mod_exp(t1, zkpg, p->zkpx.b, ctx->p.p, ctx->ctx); + // t2 = (g^x)^h = g^{hx} + BN_mod_exp(t2, p->gx, h, ctx->p.p, ctx->ctx); + // t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly) + BN_mod_mul(t3, t1, t2, ctx->p.p, ctx->ctx); + + // verify t3 == g^r + if(BN_cmp(t3, p->zkpx.gr) == 0) + ret = 1; + else + JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED); + + // cleanup + BN_free(t3); + BN_free(t2); + BN_free(t1); + BN_free(h); + + return ret; + } + +static void generate_step_part(JPAKE_STEP_PART *p, const BIGNUM *x, + const BIGNUM *g, JPAKE_CTX *ctx) + { + BN_mod_exp(p->gx, g, x, ctx->p.p, ctx->ctx); + generate_zkp(p, x, g, ctx); + } + +// Generate each party's random numbers. xa is in [0, q), xb is in [1, q). +static void genrand(JPAKE_CTX *ctx) + { + BIGNUM *qm1; + + // xa in [0, q) + BN_rand_range(ctx->xa, ctx->p.q); + + // q-1 + qm1 = BN_new(); + BN_copy(qm1, ctx->p.q); + BN_sub_word(qm1, 1); + + // ... and xb in [0, q-1) + BN_rand_range(ctx->xb, qm1); + // [1, q) + BN_add_word(ctx->xb, 1); + + // cleanup + BN_free(qm1); + } + +int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx) + { + genrand(ctx); + generate_step_part(&send->p1, ctx->xa, ctx->p.g, ctx); + generate_step_part(&send->p2, ctx->xb, ctx->p.g, ctx); + + return 1; + } + +int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received) + { + // verify their ZKP(xc) + if(!verify_zkp(&received->p1, ctx->p.g, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED); + return 0; + } + + // verify their ZKP(xd) + if(!verify_zkp(&received->p2, ctx->p.g, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED); + return 0; + } + + // g^xd != 1 + if(BN_is_one(received->p2.gx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE); + return 0; + } + + // Save the bits we need for later + BN_copy(ctx->p.gxc, received->p1.gx); + BN_copy(ctx->p.gxd, received->p2.gx); + + return 1; + } + + +int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx) + { + BIGNUM *t1 = BN_new(); + BIGNUM *t2 = BN_new(); + + // X = g^{(xa + xc + xd) * xb * s} + // t1 = g^xa + BN_mod_exp(t1, ctx->p.g, ctx->xa, ctx->p.p, ctx->ctx); + // t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc} + BN_mod_mul(t2, t1, ctx->p.gxc, ctx->p.p, ctx->ctx); + // t1 = t2 * g^{xd} = g^{xa + xc + xd} + BN_mod_mul(t1, t2, ctx->p.gxd, ctx->p.p, ctx->ctx); + // t2 = xb * s + BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx); + + // ZKP(xb * s) + // XXX: this is kinda funky, because we're using + // + // g' = g^{xa + xc + xd} + // + // as the generator, which means X is g'^{xb * s} + // X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s} + generate_step_part(send, t2, t1, ctx); + + // cleanup + BN_free(t1); + BN_free(t2); + + return 1; + } + +// gx = g^{xc + xa + xb} * xd * s +static int compute_key(JPAKE_CTX *ctx, const BIGNUM *gx) + { + BIGNUM *t1 = BN_new(); + BIGNUM *t2 = BN_new(); + BIGNUM *t3 = BN_new(); + + // K = (gx/g^{xb * xd * s})^{xb} + // = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb} + // = (g^{(xa + xc) * xd * s})^{xb} + // = g^{(xa + xc) * xb * xd * s} + // [which is the same regardless of who calculates it] + + // t1 = (g^{xd})^{xb} = g^{xb * xd} + BN_mod_exp(t1, ctx->p.gxd, ctx->xb, ctx->p.p, ctx->ctx); + // t2 = -s = q-s + BN_sub(t2, ctx->p.q, ctx->secret); + // t3 = t1^t2 = g^{-xb * xd * s} + BN_mod_exp(t3, t1, t2, ctx->p.p, ctx->ctx); + // t1 = gx * t3 = X/g^{xb * xd * s} + BN_mod_mul(t1, gx, t3, ctx->p.p, ctx->ctx); + // K = t1^{xb} + BN_mod_exp(ctx->key, t1, ctx->xb, ctx->p.p, ctx->ctx); + + // cleanup + BN_free(t3); + BN_free(t2); + BN_free(t1); + + return 1; + } + +int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received) + { + BIGNUM *t1 = BN_new(); + BIGNUM *t2 = BN_new(); + int ret = 0; + + // g' = g^{xc + xa + xb} [from our POV] + // t1 = xa + xb + BN_mod_add(t1, ctx->xa, ctx->xb, ctx->p.q, ctx->ctx); + // t2 = g^{t1} = g^{xa+xb} + BN_mod_exp(t2, ctx->p.g, t1, ctx->p.p, ctx->ctx); + // t1 = g^{xc} * t2 = g^{xc + xa + xb} + BN_mod_mul(t1, ctx->p.gxc, t2, ctx->p.p, ctx->ctx); + + if(verify_zkp(received, t1, ctx)) + ret = 1; + else + JPAKEerr(JPAKE_F_JPAKE_STEP2_PROCESS, JPAKE_R_VERIFY_B_FAILED); + + compute_key(ctx, received->gx); + + // cleanup + BN_free(t2); + BN_free(t1); + + return ret; + } + +static void quickhashbn(unsigned char *md, const BIGNUM *bn) + { + SHA_CTX sha; + + SHA1_Init(&sha); + hashbn(&sha, bn); + SHA1_Final(md, &sha); + } + +void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a) + {} + +int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx) + { + quickhashbn(send->hhk, ctx->key); + SHA1(send->hhk, sizeof send->hhk, send->hhk); + + return 1; + } + +int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received) + { + unsigned char hhk[SHA_DIGEST_LENGTH]; + + quickhashbn(hhk, ctx->key); + SHA1(hhk, sizeof hhk, hhk); + if(memcmp(hhk, received->hhk, sizeof hhk)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP3A_PROCESS, JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH); + return 0; + } + return 1; + } + +void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a) + {} + +void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b) + {} + +int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx) + { + quickhashbn(send->hk, ctx->key); + + return 1; + } + +int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received) + { + unsigned char hk[SHA_DIGEST_LENGTH]; + + quickhashbn(hk, ctx->key); + if(memcmp(hk, received->hk, sizeof hk)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP3B_PROCESS, JPAKE_R_HASH_OF_KEY_MISMATCH); + return 0; + } + return 1; + } + +void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b) + {} + +const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx) + { + return ctx->key; + } + diff --git a/crypto/jpake/jpake.h b/crypto/jpake/jpake.h new file mode 100644 index 0000000000..4c67a24378 --- /dev/null +++ b/crypto/jpake/jpake.h @@ -0,0 +1,115 @@ +/* + * Implement J-PAKE, as described in + * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf + * + * With hints from http://www.cl.cam.ac.uk/~fh240/software/JPAKE2.java. + */ + +#ifndef HEADER_JPAKE_H +#define HEADER_JPAKE_H + +#ifdef __cplusplus +extern "C" { +#endif + +#include <openssl/bn.h> +#include <openssl/sha.h> + +typedef struct JPAKE_CTX JPAKE_CTX; + +// Note that "g" in the ZKPs is not necessarily the J-PAKE g. +typedef struct + { + BIGNUM *gr; // g^r (r random) + BIGNUM *b; // b = r - x*h, h=hash(g, g^r, g^x, name) + } JPAKE_ZKP; + +typedef struct + { + BIGNUM *gx; // g^x in step 1, g^(xa + xc + xd) * xb * s in step 2 + JPAKE_ZKP zkpx; // ZKP(x) or ZKP(xb * s) + } JPAKE_STEP_PART; + +typedef struct + { + JPAKE_STEP_PART p1; // g^x3, ZKP(x3) or g^x1, ZKP(x1) + JPAKE_STEP_PART p2; // g^x4, ZKP(x4) or g^x2, ZKP(x2) + } JPAKE_STEP1; + +typedef JPAKE_STEP_PART JPAKE_STEP2; + +typedef struct + { + unsigned char hhk[SHA_DIGEST_LENGTH]; + } JPAKE_STEP3A; + +typedef struct + { + unsigned char hk[SHA_DIGEST_LENGTH]; + } JPAKE_STEP3B; + +// Parameters are copied +JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name, + const BIGNUM *p, const BIGNUM *g, const BIGNUM *q, + const BIGNUM *secret); +void JPAKE_CTX_free(JPAKE_CTX *ctx); + +// Note that JPAKE_STEP1 can be used multiple times before release +// without another init. +void JPAKE_STEP1_init(JPAKE_STEP1 *s1); +int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx); +int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received); +void JPAKE_STEP1_release(JPAKE_STEP1 *s1); + +// Note that JPAKE_STEP2 can be used multiple times before release +// without another init. +void JPAKE_STEP2_init(JPAKE_STEP2 *s2); +int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx); +int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received); +void JPAKE_STEP2_release(JPAKE_STEP2 *s2); + +// Optionally verify the shared key. If the shared secrets do not +// match, the two ends will disagree about the shared key, but +// otherwise the protocol will succeed. +void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a); +int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx); +int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received); +void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a); + +void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b); +int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx); +int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received); +void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b); + +// the return value belongs to the library and will be released when +// ctx is released, and will change when a new handshake is performed. +const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx); + +/* BEGIN ERROR CODES */ +/* The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. + */ +void ERR_load_JPAKE_strings(void); + +/* Error codes for the JPAKE functions. */ + +/* Function codes. */ +#define JPAKE_F_JPAKE_STEP1_PROCESS 101 +#define JPAKE_F_JPAKE_STEP2_PROCESS 102 +#define JPAKE_F_JPAKE_STEP3A_PROCESS 103 +#define JPAKE_F_JPAKE_STEP3B_PROCESS 104 +#define JPAKE_F_VERIFY_ZKP 100 + +/* Reason codes. */ +#define JPAKE_R_G_TO_THE_X4_IS_ONE 105 +#define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH 106 +#define JPAKE_R_HASH_OF_KEY_MISMATCH 107 +#define JPAKE_R_VERIFY_B_FAILED 102 +#define JPAKE_R_VERIFY_X3_FAILED 103 +#define JPAKE_R_VERIFY_X4_FAILED 104 +#define JPAKE_R_ZKP_VERIFY_FAILED 100 + +#ifdef __cplusplus +} +#endif +#endif diff --git a/crypto/jpake/jpake_err.c b/crypto/jpake/jpake_err.c new file mode 100644 index 0000000000..1b95067967 --- /dev/null +++ b/crypto/jpake/jpake_err.c @@ -0,0 +1,105 @@ +/* crypto/jpake/jpake_err.c */ +/* ==================================================================== + * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* NOTE: this file was auto generated by the mkerr.pl script: any changes + * made to it will be overwritten when the script next updates this file, + * only reason strings will be preserved. + */ + +#include <stdio.h> +#include <openssl/err.h> +#include <openssl/jpake.h> + +/* BEGIN ERROR CODES */ +#ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_JPAKE,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_JPAKE,0,reason) + +static ERR_STRING_DATA JPAKE_str_functs[]= + { +{ERR_FUNC(JPAKE_F_JPAKE_STEP1_PROCESS), "JPAKE_STEP1_process"}, +{ERR_FUNC(JPAKE_F_JPAKE_STEP2_PROCESS), "JPAKE_STEP2_process"}, +{ERR_FUNC(JPAKE_F_JPAKE_STEP3A_PROCESS), "JPAKE_STEP3A_process"}, +{ERR_FUNC(JPAKE_F_JPAKE_STEP3B_PROCESS), "JPAKE_STEP3B_process"}, +{ERR_FUNC(JPAKE_F_VERIFY_ZKP), "VERIFY_ZKP"}, +{0,NULL} + }; + +static ERR_STRING_DATA JPAKE_str_reasons[]= + { +{ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_ONE) ,"g to the x4 is one"}, +{ERR_REASON(JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH),"hash of hash of key mismatch"}, +{ERR_REASON(JPAKE_R_HASH_OF_KEY_MISMATCH),"hash of key mismatch"}, +{ERR_REASON(JPAKE_R_VERIFY_B_FAILED) ,"verify b failed"}, +{ERR_REASON(JPAKE_R_VERIFY_X3_FAILED) ,"verify x3 failed"}, +{ERR_REASON(JPAKE_R_VERIFY_X4_FAILED) ,"verify x4 failed"}, +{ERR_REASON(JPAKE_R_ZKP_VERIFY_FAILED) ,"zkp verify failed"}, +{0,NULL} + }; + +#endif + +void ERR_load_JPAKE_strings(void) + { +#ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(JPAKE_str_functs[0].error) == NULL) + { + ERR_load_strings(0,JPAKE_str_functs); + ERR_load_strings(0,JPAKE_str_reasons); + } +#endif + } diff --git a/crypto/jpake/jpaketest.c b/crypto/jpake/jpaketest.c new file mode 100644 index 0000000000..13b2e1f119 --- /dev/null +++ b/crypto/jpake/jpaketest.c @@ -0,0 +1,176 @@ +#include <openssl/jpake.h> +#include <openssl/err.h> + +static void showbn(const char *name, const BIGNUM *bn) + { + fputs(name, stdout); + fputs(" = ", stdout); + BN_print_fp(stdout, bn); + putc('\n', stdout); + } + +static int run_jpake(JPAKE_CTX *alice, JPAKE_CTX *bob) + { + JPAKE_STEP1 alice_s1; + JPAKE_STEP1 bob_s1; + JPAKE_STEP2 alice_s2; + JPAKE_STEP2 bob_s2; + JPAKE_STEP3A alice_s3a; + JPAKE_STEP3B bob_s3b; + + // Alice -> Bob: step 1 + puts("A->B s1"); + JPAKE_STEP1_init(&alice_s1); + JPAKE_STEP1_generate(&alice_s1, alice); + if(!JPAKE_STEP1_process(bob, &alice_s1)) + { + printf("Bob fails to process Alice's step 1\n"); + ERR_print_errors_fp(stdout); + return 1; + } + JPAKE_STEP1_release(&alice_s1); + + // Bob -> Alice: step 1 + puts("B->A s1"); + JPAKE_STEP1_init(&bob_s1); + JPAKE_STEP1_generate(&bob_s1, bob); + if(!JPAKE_STEP1_process(alice, &bob_s1)) + { + printf("Alice fails to process Bob's step 1\n"); + ERR_print_errors_fp(stdout); + return 2; + } + JPAKE_STEP1_release(&bob_s1); + + // Alice -> Bob: step 2 + puts("A->B s2"); + JPAKE_STEP2_init(&alice_s2); + JPAKE_STEP2_generate(&alice_s2, alice); + if(!JPAKE_STEP2_process(bob, &alice_s2)) + { + printf("Bob fails to process Alice's step 2\n"); + ERR_print_errors_fp(stdout); + return 3; + } + JPAKE_STEP2_release(&alice_s2); + + // Bob -> Alice: step 2 + puts("B->A s2"); + JPAKE_STEP2_init(&bob_s2); + JPAKE_STEP2_generate(&bob_s2, bob); + if(!JPAKE_STEP2_process(alice, &bob_s2)) + { + printf("Alice fails to process Bob's step 2\n"); + ERR_print_errors_fp(stdout); + return 4; + } + JPAKE_STEP2_release(&bob_s2); + + showbn("Alice's key", JPAKE_get_shared_key(alice)); + showbn("Bob's key ", JPAKE_get_shared_key(bob)); + + // Alice -> Bob: step 3a + puts("A->B s3a"); + JPAKE_STEP3A_init(&alice_s3a); + JPAKE_STEP3A_generate(&alice_s3a, alice); + if(!JPAKE_STEP3A_process(bob, &alice_s3a)) + { + printf("Bob fails to process Alice's step 3a\n"); + ERR_print_errors_fp(stdout); + return 5; + } + JPAKE_STEP3A_release(&alice_s3a); + + // Bob -> Alice: step 3b + puts("B->A s3b"); + JPAKE_ |