1 #include <openssl/jpake.h>
2 #include <openssl/crypto.h>
3 #include <openssl/sha.h>
4 #include <openssl/err.h>
9 * In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or
10 * Bob's (x3, x4, x1, x2). If you see what I mean.
14 char *name; /* Must be unique */
19 BIGNUM *gxc; /* Alice's g^{x3} or Bob's g^{x1} */
20 BIGNUM *gxd; /* Alice's g^{x4} or Bob's g^{x2} */
25 BIGNUM *secret; /* The shared secret */
27 BIGNUM *xa; /* Alice's x1 or Bob's x3 */
28 BIGNUM *xb; /* Alice's x2 or Bob's x4 */
29 BIGNUM *key; /* The calculated (shared) key */
32 static void JPAKE_ZKP_init(JPAKE_ZKP *zkp)
38 static void JPAKE_ZKP_release(JPAKE_ZKP *zkp)
44 /* Two birds with one stone - make the global name as expected */
45 #define JPAKE_STEP_PART_init JPAKE_STEP2_init
46 #define JPAKE_STEP_PART_release JPAKE_STEP2_release
48 void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p)
51 JPAKE_ZKP_init(&p->zkpx);
54 void JPAKE_STEP_PART_release(JPAKE_STEP_PART *p)
56 JPAKE_ZKP_release(&p->zkpx);
60 void JPAKE_STEP1_init(JPAKE_STEP1 *s1)
62 JPAKE_STEP_PART_init(&s1->p1);
63 JPAKE_STEP_PART_init(&s1->p2);
66 void JPAKE_STEP1_release(JPAKE_STEP1 *s1)
68 JPAKE_STEP_PART_release(&s1->p2);
69 JPAKE_STEP_PART_release(&s1->p1);
72 static void JPAKE_CTX_init(JPAKE_CTX *ctx, const char *name,
73 const char *peer_name, const BIGNUM *p,
74 const BIGNUM *g, const BIGNUM *q,
77 ctx->p.name = OPENSSL_strdup(name);
78 ctx->p.peer_name = OPENSSL_strdup(peer_name);
82 ctx->secret = BN_dup(secret);
84 ctx->p.gxc = BN_new();
85 ctx->p.gxd = BN_new();
90 ctx->ctx = BN_CTX_new();
93 static void JPAKE_CTX_release(JPAKE_CTX *ctx)
95 BN_CTX_free(ctx->ctx);
96 BN_clear_free(ctx->key);
97 BN_clear_free(ctx->xb);
98 BN_clear_free(ctx->xa);
103 BN_clear_free(ctx->secret);
107 OPENSSL_free(ctx->p.peer_name);
108 OPENSSL_free(ctx->p.name);
110 memset(ctx, '\0', sizeof *ctx);
113 JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
114 const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
115 const BIGNUM *secret)
117 JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
121 JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret);
126 void JPAKE_CTX_free(JPAKE_CTX *ctx)
128 JPAKE_CTX_release(ctx);
132 static void hashlength(SHA_CTX *sha, size_t l)
136 OPENSSL_assert(l <= 0xffff);
139 SHA1_Update(sha, b, 2);
142 static void hashstring(SHA_CTX *sha, const char *string)
144 size_t l = strlen(string);
147 SHA1_Update(sha, string, l);
150 static int hashbn(SHA_CTX *sha, const BIGNUM *bn)
152 size_t l = BN_num_bytes(bn);
153 unsigned char *bin = OPENSSL_malloc(l);
160 SHA1_Update(sha, bin, l);
165 /* h=hash(g, g^r, g^x, name) */
166 static int zkp_hash(BIGNUM *h, const BIGNUM *zkpg, const JPAKE_STEP_PART *p,
167 const char *proof_name)
169 unsigned char md[SHA_DIGEST_LENGTH];
173 * XXX: hash should not allow moving of the boundaries - Java code
174 * is flawed in this respect. Length encoding seems simplest.
177 if (!hashbn(&sha, zkpg))
179 OPENSSL_assert(!BN_is_zero(p->zkpx.gr));
180 if (!hashbn(&sha, p->zkpx.gr))
182 if (!hashbn(&sha, p->gx))
184 hashstring(&sha, proof_name);
185 SHA1_Final(md, &sha);
186 BN_bin2bn(md, SHA_DIGEST_LENGTH, h);
191 * Prove knowledge of x
192 * Note that p->gx has already been calculated
194 static int generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x,
195 const BIGNUM *zkpg, JPAKE_CTX *ctx)
198 BIGNUM *r = BN_new();
199 BIGNUM *h = BN_new();
200 BIGNUM *t = BN_new();
204 * XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
206 BN_rand_range(r, ctx->p.q);
208 BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx);
211 if (!zkp_hash(h, zkpg, p, ctx->p.name))
215 BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx);
216 BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx);
227 static int verify_zkp(const JPAKE_STEP_PART *p, const BIGNUM *zkpg,
230 BIGNUM *h = BN_new();
231 BIGNUM *t1 = BN_new();
232 BIGNUM *t2 = BN_new();
233 BIGNUM *t3 = BN_new();
236 if (!zkp_hash(h, zkpg, p, ctx->p.peer_name))
240 BN_mod_exp(t1, zkpg, p->zkpx.b, ctx->p.p, ctx->ctx);
241 /* t2 = (g^x)^h = g^{hx} */
242 BN_mod_exp(t2, p->gx, h, ctx->p.p, ctx->ctx);
243 /* t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly) */
244 BN_mod_mul(t3, t1, t2, ctx->p.p, ctx->ctx);
246 /* verify t3 == g^r */
247 if (BN_cmp(t3, p->zkpx.gr) == 0)
250 JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED);
262 static int generate_step_part(JPAKE_STEP_PART *p, const BIGNUM *x,
263 const BIGNUM *g, JPAKE_CTX *ctx)
265 BN_mod_exp(p->gx, g, x, ctx->p.p, ctx->ctx);
266 if (!generate_zkp(p, x, g, ctx))
271 /* Generate each party's random numbers. xa is in [0, q), xb is in [1, q). */
272 static void genrand(JPAKE_CTX *ctx)
277 BN_rand_range(ctx->xa, ctx->p.q);
281 BN_copy(qm1, ctx->p.q);
284 /* ... and xb in [0, q-1) */
285 BN_rand_range(ctx->xb, qm1);
287 BN_add_word(ctx->xb, 1);
293 int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx)
296 if (!generate_step_part(&send->p1, ctx->xa, ctx->p.g, ctx))
298 if (!generate_step_part(&send->p2, ctx->xb, ctx->p.g, ctx))
304 /* g^x is a legal value */
305 static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx)
310 if (BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0)
314 BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx);
321 int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received)
323 if (!is_legal(received->p1.gx, ctx)) {
324 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS,
325 JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL);
329 if (!is_legal(received->p2.gx, ctx)) {
330 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS,
331 JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL);
335 /* verify their ZKP(xc) */
336 if (!verify_zkp(&received->p1, ctx->p.g, ctx)) {
337 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED);
341 /* verify their ZKP(xd) */
342 if (!verify_zkp(&received->p2, ctx->p.g, ctx)) {
343 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED);
348 if (BN_is_one(received->p2.gx)) {
349 JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE);
353 /* Save the bits we need for later */
354 BN_copy(ctx->p.gxc, received->p1.gx);
355 BN_copy(ctx->p.gxd, received->p2.gx);
360 int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx)
364 BIGNUM *t1 = BN_new();
365 BIGNUM *t2 = BN_new();
368 * X = g^{(xa + xc + xd) * xb * s}
371 BN_mod_exp(t1, ctx->p.g, ctx->xa, ctx->p.p, ctx->ctx);
372 /* t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc} */
373 BN_mod_mul(t2, t1, ctx->p.gxc, ctx->p.p, ctx->ctx);
374 /* t1 = t2 * g^{xd} = g^{xa + xc + xd} */
375 BN_mod_mul(t1, t2, ctx->p.gxd, ctx->p.p, ctx->ctx);
377 BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx);
381 * XXX: this is kinda funky, because we're using
383 * g' = g^{xa + xc + xd}
385 * as the generator, which means X is g'^{xb * s}
386 * X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s}
388 ret = generate_step_part(send, t2, t1, ctx);
397 /* gx = g^{xc + xa + xb} * xd * s */
398 static int compute_key(JPAKE_CTX *ctx, const BIGNUM *gx)
400 BIGNUM *t1 = BN_new();
401 BIGNUM *t2 = BN_new();
402 BIGNUM *t3 = BN_new();
405 * K = (gx/g^{xb * xd * s})^{xb}
406 * = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb}
407 * = (g^{(xa + xc) * xd * s})^{xb}
408 * = g^{(xa + xc) * xb * xd * s}
409 * [which is the same regardless of who calculates it]
412 /* t1 = (g^{xd})^{xb} = g^{xb * xd} */
413 BN_mod_exp(t1, ctx->p.gxd, ctx->xb, ctx->p.p, ctx->ctx);
415 BN_sub(t2, ctx->p.q, ctx->secret);
416 /* t3 = t1^t2 = g^{-xb * xd * s} */
417 BN_mod_exp(t3, t1, t2, ctx->p.p, ctx->ctx);
418 /* t1 = gx * t3 = X/g^{xb * xd * s} */
419 BN_mod_mul(t1, gx, t3, ctx->p.p, ctx->ctx);
421 BN_mod_exp(ctx->key, t1, ctx->xb, ctx->p.p, ctx->ctx);
431 int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received)
433 BIGNUM *t1 = BN_new();
434 BIGNUM *t2 = BN_new();
438 * g' = g^{xc + xa + xb} [from our POV]
441 BN_mod_add(t1, ctx->xa, ctx->xb, ctx->p.q, ctx->ctx);
442 /* t2 = g^{t1} = g^{xa+xb} */
443 BN_mod_exp(t2, ctx->p.g, t1, ctx->p.p, ctx->ctx);
444 /* t1 = g^{xc} * t2 = g^{xc + xa + xb} */
445 BN_mod_mul(t1, ctx->p.gxc, t2, ctx->p.p, ctx->ctx);
447 if (verify_zkp(received, t1, ctx))
450 JPAKEerr(JPAKE_F_JPAKE_STEP2_PROCESS, JPAKE_R_VERIFY_B_FAILED);
452 compute_key(ctx, received->gx);
461 static int quickhashbn(unsigned char *md, const BIGNUM *bn)
466 if (!hashbn(&sha, bn))
468 SHA1_Final(md, &sha);
472 void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a)
476 int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx)
478 if (!quickhashbn(send->hhk, ctx->key))
480 SHA1(send->hhk, sizeof send->hhk, send->hhk);
485 int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received)
487 unsigned char hhk[SHA_DIGEST_LENGTH];
489 if (!quickhashbn(hhk, ctx->key))
491 SHA1(hhk, sizeof hhk, hhk);
492 if (memcmp(hhk, received->hhk, sizeof hhk)) {
493 JPAKEerr(JPAKE_F_JPAKE_STEP3A_PROCESS,
494 JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH);
500 void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a)
504 void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b)
508 int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx)
510 if (!quickhashbn(send->hk, ctx->key))
515 int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received)
517 unsigned char hk[SHA_DIGEST_LENGTH];
519 if (!quickhashbn(hk, ctx->key))
521 if (memcmp(hk, received->hk, sizeof hk)) {
522 JPAKEerr(JPAKE_F_JPAKE_STEP3B_PROCESS, JPAKE_R_HASH_OF_KEY_MISMATCH);
528 void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b)
532 const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx)