3 #include <openssl/crypto.h>
4 #include <openssl/sha.h>
5 #include <openssl/err.h>
10 * In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or
11 * Bob's (x3, x4, x1, x2). If you see what I mean.
16 char *name; // Must be unique
21 BIGNUM *gxc; // Alice's g^{x3} or Bob's g^{x1}
22 BIGNUM *gxd; // Alice's g^{x4} or Bob's g^{x2}
28 BIGNUM *secret; // The shared secret
30 BIGNUM *xa; // Alice's x1 or Bob's x3
31 BIGNUM *xb; // Alice's x2 or Bob's x4
32 BIGNUM *key; // The calculated (shared) key
35 static void JPAKE_ZKP_init(JPAKE_ZKP *zkp)
41 static void JPAKE_ZKP_release(JPAKE_ZKP *zkp)
47 // Two birds with one stone - make the global name as expected
48 #define JPAKE_STEP_PART_init JPAKE_STEP2_init
49 #define JPAKE_STEP_PART_release JPAKE_STEP2_release
51 void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p)
54 JPAKE_ZKP_init(&p->zkpx);
57 void JPAKE_STEP_PART_release(JPAKE_STEP_PART *p)
59 JPAKE_ZKP_release(&p->zkpx);
63 void JPAKE_STEP1_init(JPAKE_STEP1 *s1)
65 JPAKE_STEP_PART_init(&s1->p1);
66 JPAKE_STEP_PART_init(&s1->p2);
69 void JPAKE_STEP1_release(JPAKE_STEP1 *s1)
71 JPAKE_STEP_PART_release(&s1->p2);
72 JPAKE_STEP_PART_release(&s1->p1);
75 static void JPAKE_CTX_init(JPAKE_CTX *ctx, const char *name,
76 const char *peer_name, const BIGNUM *p,
77 const BIGNUM *g, const BIGNUM *q,
80 ctx->p.name = OPENSSL_strdup(name);
81 ctx->p.peer_name = OPENSSL_strdup(peer_name);
85 ctx->secret = BN_dup(secret);
87 ctx->p.gxc = BN_new();
88 ctx->p.gxd = BN_new();
93 ctx->ctx = BN_CTX_new();
96 static void JPAKE_CTX_release(JPAKE_CTX *ctx)
98 BN_CTX_free(ctx->ctx);
99 BN_clear_free(ctx->key);
100 BN_clear_free(ctx->xb);
101 BN_clear_free(ctx->xa);
106 BN_clear_free(ctx->secret);
110 OPENSSL_free(ctx->p.peer_name);
111 OPENSSL_free(ctx->p.name);
113 memset(ctx, '\0', sizeof *ctx);
116 JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
117 const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
118 const BIGNUM *secret)
120 JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
122 JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret);
127 void JPAKE_CTX_free(JPAKE_CTX *ctx)
129 JPAKE_CTX_release(ctx);
133 static void hashlength(SHA_CTX *sha, size_t l)
140 SHA1_Update(sha, b, 2);
143 static void hashstring(SHA_CTX *sha, const char *string)
145 size_t l = strlen(string);
148 SHA1_Update(sha, string, l);
151 static void hashbn(SHA_CTX *sha, const BIGNUM *bn)
153 size_t l = BN_num_bytes(bn);
154 unsigned char *bin = alloca(l);
158 SHA1_Update(sha, bin, l);
161 // h=hash(g, g^r, g^x, name)
162 static void zkp_hash(BIGNUM *h, const BIGNUM *zkpg, const JPAKE_STEP_PART *p,
163 const char *proof_name)
165 unsigned char md[SHA_DIGEST_LENGTH];
168 // XXX: hash should not allow moving of the boundaries - Java code
169 // is flawed in this respect. Length encoding seems simplest.
172 assert(!BN_is_zero(p->zkpx.gr));
173 hashbn(&sha, p->zkpx.gr);
175 hashstring(&sha, proof_name);
176 SHA1_Final(md, &sha);
177 BN_bin2bn(md, SHA_DIGEST_LENGTH, h);
180 // Prove knowledge of x
181 // Note that p->gx has already been calculated
182 static void generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x,
183 const BIGNUM *zkpg, JPAKE_CTX *ctx)
185 BIGNUM *r = BN_new();
186 BIGNUM *h = BN_new();
187 BIGNUM *t = BN_new();
190 // XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
191 BN_rand_range(r, ctx->p.q);
193 BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx);
196 zkp_hash(h, zkpg, p, ctx->p.name);
199 BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx);
200 BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx);
208 static int verify_zkp(const JPAKE_STEP_PART *p, const BIGNUM *zkpg,
211 BIGNUM *h = BN_new();
212 BIGNUM *t1 = BN_new();
213 BIGNUM *t2 = BN_new();
214 BIGNUM *t3 = BN_new();
217 zkp_hash(h, zkpg, p, ctx->p.peer_name);
220 BN_mod_exp(t1, zkpg, p->zkpx.b, ctx->p.p, ctx->ctx);
221 // t2 = (g^x)^h = g^{hx}
222 BN_mod_exp(t2, p->gx, h, ctx->p.p, ctx->ctx);
223 // t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly)
224 BN_mod_mul(t3, t1, t2, ctx->p.p, ctx->ctx);
227 if(BN_cmp(t3, p->zkpx.gr) == 0)
230 JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED);
241 static void generate_step_part(JPAKE_STEP_PART *p, const BIGNUM *x,
242 const BIGNUM *g, JPAKE_CTX *ctx)
244 BN_mod_exp(p->gx, g, x, ctx->p.p, ctx->ctx);
245 generate_zkp(p, x, g, ctx);
248 // Generate each party's random numbers. xa is in [0, q), xb is in [1, q).
249 static void genrand(JPAKE_CTX *ctx)
254 BN_rand_range(ctx->xa, ctx->p.q);
258 BN_copy(qm1, ctx->p.q);
261 // ... and xb in [0, q-1)
262 BN_rand_range(ctx->xb, qm1);
264 BN_add_word(ctx->xb, 1);
270 int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx)
273 generate_step_part(&send->p1, ctx->xa, ctx->p.g, ctx);
274 generate_step_part(&send->p2, ctx->xb, ctx->p.g, ctx);
279 int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received)
281 // verify their ZKP(xc)
282 if(!verify_zkp(&received->p1, ctx->p.g, ctx))
284 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED);
288 // verify their ZKP(xd)
289 if(!verify_zkp(&received->p2, ctx->p.g, ctx))
291 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED);
296 if(BN_is_one(received->p2.gx))
298 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE);
302 // Save the bits we need for later
303 BN_copy(ctx->p.gxc, received->p1.gx);
304 BN_copy(ctx->p.gxd, received->p2.gx);
310 int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx)
312 BIGNUM *t1 = BN_new();
313 BIGNUM *t2 = BN_new();
315 // X = g^{(xa + xc + xd) * xb * s}
317 BN_mod_exp(t1, ctx->p.g, ctx->xa, ctx->p.p, ctx->ctx);
318 // t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc}
319 BN_mod_mul(t2, t1, ctx->p.gxc, ctx->p.p, ctx->ctx);
320 // t1 = t2 * g^{xd} = g^{xa + xc + xd}
321 BN_mod_mul(t1, t2, ctx->p.gxd, ctx->p.p, ctx->ctx);
323 BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx);
326 // XXX: this is kinda funky, because we're using
328 // g' = g^{xa + xc + xd}
330 // as the generator, which means X is g'^{xb * s}
331 // X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s}
332 generate_step_part(send, t2, t1, ctx);
341 // gx = g^{xc + xa + xb} * xd * s
342 static int compute_key(JPAKE_CTX *ctx, const BIGNUM *gx)
344 BIGNUM *t1 = BN_new();
345 BIGNUM *t2 = BN_new();
346 BIGNUM *t3 = BN_new();
348 // K = (gx/g^{xb * xd * s})^{xb}
349 // = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb}
350 // = (g^{(xa + xc) * xd * s})^{xb}
351 // = g^{(xa + xc) * xb * xd * s}
352 // [which is the same regardless of who calculates it]
354 // t1 = (g^{xd})^{xb} = g^{xb * xd}
355 BN_mod_exp(t1, ctx->p.gxd, ctx->xb, ctx->p.p, ctx->ctx);
357 BN_sub(t2, ctx->p.q, ctx->secret);
358 // t3 = t1^t2 = g^{-xb * xd * s}
359 BN_mod_exp(t3, t1, t2, ctx->p.p, ctx->ctx);
360 // t1 = gx * t3 = X/g^{xb * xd * s}
361 BN_mod_mul(t1, gx, t3, ctx->p.p, ctx->ctx);
363 BN_mod_exp(ctx->key, t1, ctx->xb, ctx->p.p, ctx->ctx);
373 int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received)
375 BIGNUM *t1 = BN_new();
376 BIGNUM *t2 = BN_new();
379 // g' = g^{xc + xa + xb} [from our POV]
381 BN_mod_add(t1, ctx->xa, ctx->xb, ctx->p.q, ctx->ctx);
382 // t2 = g^{t1} = g^{xa+xb}
383 BN_mod_exp(t2, ctx->p.g, t1, ctx->p.p, ctx->ctx);
384 // t1 = g^{xc} * t2 = g^{xc + xa + xb}
385 BN_mod_mul(t1, ctx->p.gxc, t2, ctx->p.p, ctx->ctx);
387 if(verify_zkp(received, t1, ctx))
390 JPAKEerr(JPAKE_F_JPAKE_STEP2_PROCESS, JPAKE_R_VERIFY_B_FAILED);
392 compute_key(ctx, received->gx);
401 static void quickhashbn(unsigned char *md, const BIGNUM *bn)
407 SHA1_Final(md, &sha);
410 void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a)
413 int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx)
415 quickhashbn(send->hhk, ctx->key);
416 SHA1(send->hhk, sizeof send->hhk, send->hhk);
421 int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received)
423 unsigned char hhk[SHA_DIGEST_LENGTH];
425 quickhashbn(hhk, ctx->key);
426 SHA1(hhk, sizeof hhk, hhk);
427 if(memcmp(hhk, received->hhk, sizeof hhk))
429 JPAKEerr(JPAKE_F_JPAKE_STEP3A_PROCESS, JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH);
435 void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a)
438 void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b)
441 int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx)
443 quickhashbn(send->hk, ctx->key);
448 int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received)
450 unsigned char hk[SHA_DIGEST_LENGTH];
452 quickhashbn(hk, ctx->key);
453 if(memcmp(hk, received->hk, sizeof hk))
455 JPAKEerr(JPAKE_F_JPAKE_STEP3B_PROCESS, JPAKE_R_HASH_OF_KEY_MISMATCH);
461 void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b)
464 const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx)