generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add JPAKE.

Browse Source
This commit is contained in:
Ben Laurie
2008-10-26 18:42:05 +00:00
parent 3b668eedda
commit 2124e869a8
29 changed files with 1416 additions and 214 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/crypto.h
View File

@@ -362,6 +362,7 @@ int CRYPTO_is_mem_check_on(void);
#define is_MemCheck_on() CRYPTO_is_mem_check_on()
#define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__)
#define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__)
#define OPENSSL_realloc(addr,num) \
CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
#define OPENSSL_realloc_clean(addr,old_num,num) \
@@ -473,6 +474,7 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
void *CRYPTO_malloc_locked(int num, const char *file, int line);
void CRYPTO_free_locked(void *);
void *CRYPTO_malloc(int num, const char *file, int line);
char *CRYPTO_strdup(const char *str, const char *file, int line);
void CRYPTO_free(void *);
void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,

10
crypto/des/Makefile
View File

@@ -277,11 +277,11 @@ rpc_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
rpc_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
rpc_enc.o: des_locl.h des_ver.h rpc_des.h rpc_enc.c
set_key.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
set_key.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
set_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
set_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
set_key.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
set_key.o: des_locl.h set_key.c
set_key.o: ../../include/openssl/e_os2.h ../../include/openssl/fips.h
set_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/ossl_typ.h
set_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
set_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
set_key.o: ../../include/openssl/ui_compat.h des_locl.h set_key.c
str2key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
str2key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
str2key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h

23
crypto/err/Makefile
View File

@@ -89,17 +89,18 @@ err_all.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
err_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
err_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
err_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
err_all.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
err_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
err_all.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
err_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
err_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
err_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
err_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
err_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
err_all.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
err_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
err_all.o: ../../include/openssl/x509v3.h err_all.c
err_all.o: ../../include/openssl/fips.h ../../include/openssl/jpake.h
err_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
err_all.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
err_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
err_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem2.h
err_all.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
err_all.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
err_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
err_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
err_all.o: ../../include/openssl/ui.h ../../include/openssl/x509.h
err_all.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
err_all.o: err_all.c
err_bio.o: ../../e_os.h ../../include/openssl/bio.h
err_bio.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
err_bio.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h

2
crypto/err/err.h
View File

@@ -142,6 +142,7 @@ typedef struct err_state_st
#define ERR_LIB_STORE 44
#define ERR_LIB_FIPS 45
#define ERR_LIB_CMS 46
#define ERR_LIB_JPAKE 47
#define ERR_LIB_USER 128
@@ -175,6 +176,7 @@ typedef struct err_state_st
#define STOREerr(f,r) ERR_PUT_error(ERR_LIB_STORE,(f),(r),__FILE__,__LINE__)
#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
#define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),__FILE__,__LINE__)
#define JPAKEerr(f,r) ERR_PUT_error(ERR_LIB_JPAKE,(f),(r),__FILE__,__LINE__)
/* Borland C seems too stupid to be able to shift and do longs in
* the pre-processor :-( */

3
crypto/err/err_all.c
View File

@@ -102,6 +102,8 @@
#include <openssl/cms.h>
#endif
#include <openssl/jpake.h>
void ERR_load_crypto_strings(void)
{
#ifndef OPENSSL_NO_ERR
@@ -151,5 +153,6 @@ void ERR_load_crypto_strings(void)
#ifndef OPENSSL_NO_CMS
ERR_load_CMS_strings();
#endif
ERR_load_JPAKE_strings();
#endif
}

1
crypto/err/err_str.c
View File

@@ -148,6 +148,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
{ERR_PACK(ERR_LIB_OCSP,0,0) ,"OCSP routines"},
{ERR_PACK(ERR_LIB_FIPS,0,0) ,"FIPS routines"},
{ERR_PACK(ERR_LIB_CMS,0,0) ,"CMS routines"},
{ERR_PACK(ERR_LIB_JPAKE,0,0) ,"JPAKE routines"},
{0,NULL},
};

1
crypto/err/openssl.ec
View File

@@ -33,6 +33,7 @@ L ECDH crypto/ecdh/ecdh.h crypto/ecdh/ech_err.c
L STORE crypto/store/store.h crypto/store/str_err.c
L FIPS fips/fips.h crypto/fips_err.h
L CMS crypto/cms/cms.h crypto/cms/cms_err.c
L JPAKE crypto/jpake/jpake.h crypto/jpake/jpake_err.c
# additional header files to be scanned for function names
L NONE crypto/x509/x509_vfy.h NONE

1
crypto/jpake/.cvsignore Normal file
View File

@@ -0,0 +1 @@
lib

49
crypto/jpake/Makefile Normal file
View File

@@ -0,0 +1,49 @@
DIR=jpake
TOP=../..
CFLAGS= $(INCLUDES) $(CFLAG)
LIB=$(TOP)/libcrypto.a
LIBOBJ=jpake.o jpake_err.o
LIBSRC=jpake.c jpake_err.c
EXHEADER=jpake.h
TEST=jpaketest.c
top:
(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
all: lib
lib: $(LIBOBJ)
$(ARX) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB) || echo Never mind.
@touch lib
links:
@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
depend:
@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
jpaketest: top jpaketest.c $(LIB)
$(CC) $(CFLAGS) -Wall -Werror -g -o jpaketest jpaketest.c $(LIB)
# DO NOT DELETE THIS LINE -- make depend depends on it.
jpake.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
jpake.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
jpake.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
jpake.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
jpake.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
jpake.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
jpake.o: ../../include/openssl/symhacks.h jpake.c jpake.h
jpake_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
jpake_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
jpake_err.o: ../../include/openssl/err.h ../../include/openssl/jpake.h
jpake_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
jpake_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
jpake_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
jpake_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
jpake_err.o: jpake_err.c

468
crypto/jpake/jpake.c Normal file
View File

@@ -0,0 +1,468 @@
#include "jpake.h"
#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/err.h>
#include <memory.h>
#include <assert.h>
/*
* In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or
* Bob's (x3, x4, x1, x2). If you see what I mean.
*/
typedef struct
{
char *name; // Must be unique
char *peer_name;
BIGNUM *p;
BIGNUM *g;
BIGNUM *q;
BIGNUM *gxc; // Alice's g^{x3} or Bob's g^{x1}
BIGNUM *gxd; // Alice's g^{x4} or Bob's g^{x2}
} JPAKE_CTX_PUBLIC;
struct JPAKE_CTX
{
JPAKE_CTX_PUBLIC p;
BIGNUM *secret; // The shared secret
BN_CTX *ctx;
BIGNUM *xa; // Alice's x1 or Bob's x3
BIGNUM *xb; // Alice's x2 or Bob's x4
BIGNUM *key; // The calculated (shared) key
};
static void JPAKE_ZKP_init(JPAKE_ZKP *zkp)
{
zkp->gr = BN_new();
zkp->b = BN_new();
}
static void JPAKE_ZKP_release(JPAKE_ZKP *zkp)
{
BN_free(zkp->b);
BN_free(zkp->gr);
}
// Two birds with one stone - make the global name as expected
#define JPAKE_STEP_PART_init JPAKE_STEP2_init
#define JPAKE_STEP_PART_release JPAKE_STEP2_release
void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p)
{
p->gx = BN_new();
JPAKE_ZKP_init(&p->zkpx);
}
void JPAKE_STEP_PART_release(JPAKE_STEP_PART *p)
{
JPAKE_ZKP_release(&p->zkpx);
BN_free(p->gx);
}
void JPAKE_STEP1_init(JPAKE_STEP1 *s1)
{
JPAKE_STEP_PART_init(&s1->p1);
JPAKE_STEP_PART_init(&s1->p2);
}
void JPAKE_STEP1_release(JPAKE_STEP1 *s1)
{
JPAKE_STEP_PART_release(&s1->p2);
JPAKE_STEP_PART_release(&s1->p1);
}
static void JPAKE_CTX_init(JPAKE_CTX *ctx, const char *name,
const char *peer_name, const BIGNUM *p,
const BIGNUM *g, const BIGNUM *q,
const BIGNUM *secret)
{
ctx->p.name = OPENSSL_strdup(name);
ctx->p.peer_name = OPENSSL_strdup(peer_name);
ctx->p.p = BN_dup(p);
ctx->p.g = BN_dup(g);
ctx->p.q = BN_dup(q);
ctx->secret = BN_dup(secret);
ctx->p.gxc = BN_new();
ctx->p.gxd = BN_new();
ctx->xa = BN_new();
ctx->xb = BN_new();
ctx->key = BN_new();
ctx->ctx = BN_CTX_new();
}
static void JPAKE_CTX_release(JPAKE_CTX *ctx)
{
BN_CTX_free(ctx->ctx);
BN_clear_free(ctx->key);
BN_clear_free(ctx->xb);
BN_clear_free(ctx->xa);
BN_free(ctx->p.gxd);
BN_free(ctx->p.gxc);
BN_clear_free(ctx->secret);
BN_free(ctx->p.q);
BN_free(ctx->p.g);
BN_free(ctx->p.p);
OPENSSL_free(ctx->p.peer_name);
OPENSSL_free(ctx->p.name);
memset(ctx, '\0', sizeof *ctx);
}
JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
const BIGNUM *secret)
{
JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret);
return ctx;
}
void JPAKE_CTX_free(JPAKE_CTX *ctx)
{
JPAKE_CTX_release(ctx);
OPENSSL_free(ctx);
}
static void hashlength(SHA_CTX *sha, size_t l)
{
unsigned char b[2];
assert(l <= 0xffff);
b[0] = l >> 8;
b[1] = l&0xff;
SHA1_Update(sha, b, 2);
}
static void hashstring(SHA_CTX *sha, const char *string)
{
size_t l = strlen(string);
hashlength(sha, l);
SHA1_Update(sha, string, l);
}
static void hashbn(SHA_CTX *sha, const BIGNUM *bn)
{
size_t l = BN_num_bytes(bn);
unsigned char *bin = alloca(l);
hashlength(sha, l);
BN_bn2bin(bn, bin);
SHA1_Update(sha, bin, l);
}
// h=hash(g, g^r, g^x, name)
static void zkp_hash(BIGNUM *h, const BIGNUM *zkpg, const JPAKE_STEP_PART *p,
const char *proof_name)
{
unsigned char md[SHA_DIGEST_LENGTH];
SHA_CTX sha;
// XXX: hash should not allow moving of the boundaries - Java code
// is flawed in this respect. Length encoding seems simplest.
SHA1_Init(&sha);
hashbn(&sha, zkpg);
assert(!BN_is_zero(p->zkpx.gr));
hashbn(&sha, p->zkpx.gr);
hashbn(&sha, p->gx);
hashstring(&sha, proof_name);
SHA1_Final(md, &sha);
BN_bin2bn(md, SHA_DIGEST_LENGTH, h);
}
// Prove knowledge of x
// Note that p->gx has already been calculated
static void generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x,
const BIGNUM *zkpg, JPAKE_CTX *ctx)
{
BIGNUM *r = BN_new();
BIGNUM *h = BN_new();
BIGNUM *t = BN_new();
// r in [0,q)
// XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
BN_rand_range(r, ctx->p.q);
// g^r
BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx);
// h=hash...
zkp_hash(h, zkpg, p, ctx->p.name);
// b = r - x*h
BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx);
BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx);
// cleanup
BN_free(t);
BN_free(h);
BN_free(r);
}
static int verify_zkp(const JPAKE_STEP_PART *p, const BIGNUM *zkpg,
JPAKE_CTX *ctx)
{
BIGNUM *h = BN_new();
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
BIGNUM *t3 = BN_new();
int ret = 0;
zkp_hash(h, zkpg, p, ctx->p.peer_name);
// t1 = g^b
BN_mod_exp(t1, zkpg, p->zkpx.b, ctx->p.p, ctx->ctx);
// t2 = (g^x)^h = g^{hx}
BN_mod_exp(t2, p->gx, h, ctx->p.p, ctx->ctx);
// t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly)
BN_mod_mul(t3, t1, t2, ctx->p.p, ctx->ctx);
// verify t3 == g^r
if(BN_cmp(t3, p->zkpx.gr) == 0)
ret = 1;
else
JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED);
// cleanup
BN_free(t3);
BN_free(t2);
BN_free(t1);
BN_free(h);
return ret;
}
static void generate_step_part(JPAKE_STEP_PART *p, const BIGNUM *x,
const BIGNUM *g, JPAKE_CTX *ctx)
{
BN_mod_exp(p->gx, g, x, ctx->p.p, ctx->ctx);
generate_zkp(p, x, g, ctx);
}
// Generate each party's random numbers. xa is in [0, q), xb is in [1, q).
static void genrand(JPAKE_CTX *ctx)
{
BIGNUM *qm1;
// xa in [0, q)
BN_rand_range(ctx->xa, ctx->p.q);
// q-1
qm1 = BN_new();
BN_copy(qm1, ctx->p.q);
BN_sub_word(qm1, 1);
// ... and xb in [0, q-1)
BN_rand_range(ctx->xb, qm1);
// [1, q)
BN_add_word(ctx->xb, 1);
// cleanup
BN_free(qm1);
}
int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx)
{
genrand(ctx);
generate_step_part(&send->p1, ctx->xa, ctx->p.g, ctx);
generate_step_part(&send->p2, ctx->xb, ctx->p.g, ctx);
return 1;
}
int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received)
{
// verify their ZKP(xc)
if(!verify_zkp(&received->p1, ctx->p.g, ctx))
{
JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED);
return 0;
}
// verify their ZKP(xd)
if(!verify_zkp(&received->p2, ctx->p.g, ctx))
{
JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED);
return 0;
}
// g^xd != 1
if(BN_is_one(received->p2.gx))
{
JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE);
return 0;
}
// Save the bits we need for later
BN_copy(ctx->p.gxc, received->p1.gx);
BN_copy(ctx->p.gxd, received->p2.gx);
return 1;
}
int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx)
{
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
// X = g^{(xa + xc + xd) * xb * s}
// t1 = g^xa
BN_mod_exp(t1, ctx->p.g, ctx->xa, ctx->p.p, ctx->ctx);
// t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc}
BN_mod_mul(t2, t1, ctx->p.gxc, ctx->p.p, ctx->ctx);
// t1 = t2 * g^{xd} = g^{xa + xc + xd}
BN_mod_mul(t1, t2, ctx->p.gxd, ctx->p.p, ctx->ctx);
// t2 = xb * s
BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx);
// ZKP(xb * s)
// XXX: this is kinda funky, because we're using
//
// g' = g^{xa + xc + xd}
//
// as the generator, which means X is g'^{xb * s}
// X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s}
generate_step_part(send, t2, t1, ctx);
// cleanup
BN_free(t1);
BN_free(t2);
return 1;
}
// gx = g^{xc + xa + xb} * xd * s
static int compute_key(JPAKE_CTX *ctx, const BIGNUM *gx)
{
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
BIGNUM *t3 = BN_new();
// K = (gx/g^{xb * xd * s})^{xb}
// = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb}
// = (g^{(xa + xc) * xd * s})^{xb}
// = g^{(xa + xc) * xb * xd * s}
// [which is the same regardless of who calculates it]
// t1 = (g^{xd})^{xb} = g^{xb * xd}
BN_mod_exp(t1, ctx->p.gxd, ctx->xb, ctx->p.p, ctx->ctx);
// t2 = -s = q-s
BN_sub(t2, ctx->p.q, ctx->secret);
// t3 = t1^t2 = g^{-xb * xd * s}
BN_mod_exp(t3, t1, t2, ctx->p.p, ctx->ctx);
// t1 = gx * t3 = X/g^{xb * xd * s}
BN_mod_mul(t1, gx, t3, ctx->p.p, ctx->ctx);
// K = t1^{xb}
BN_mod_exp(ctx->key, t1, ctx->xb, ctx->p.p, ctx->ctx);
// cleanup
BN_free(t3);
BN_free(t2);
BN_free(t1);
return 1;
}
int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received)
{
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
int ret = 0;
// g' = g^{xc + xa + xb} [from our POV]
// t1 = xa + xb
BN_mod_add(t1, ctx->xa, ctx->xb, ctx->p.q, ctx->ctx);
// t2 = g^{t1} = g^{xa+xb}
BN_mod_exp(t2, ctx->p.g, t1, ctx->p.p, ctx->ctx);
// t1 = g^{xc} * t2 = g^{xc + xa + xb}
BN_mod_mul(t1, ctx->p.gxc, t2, ctx->p.p, ctx->ctx);
if(verify_zkp(received, t1, ctx))
ret = 1;
else
JPAKEerr(JPAKE_F_JPAKE_STEP2_PROCESS, JPAKE_R_VERIFY_B_FAILED);
compute_key(ctx, received->gx);
// cleanup
BN_free(t2);
BN_free(t1);
return ret;
}
static void quickhashbn(unsigned char *md, const BIGNUM *bn)
{
SHA_CTX sha;
SHA1_Init(&sha);
hashbn(&sha, bn);
SHA1_Final(md, &sha);
}
void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a)
{}
int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx)
{
quickhashbn(send->hhk, ctx->key);
SHA1(send->hhk, sizeof send->hhk, send->hhk);
return 1;
}
int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received)
{
unsigned char hhk[SHA_DIGEST_LENGTH];
quickhashbn(hhk, ctx->key);
SHA1(hhk, sizeof hhk, hhk);
if(memcmp(hhk, received->hhk, sizeof hhk))
{
JPAKEerr(JPAKE_F_JPAKE_STEP3A_PROCESS, JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH);
return 0;
}
return 1;
}
void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a)
{}
void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b)
{}
int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx)
{
quickhashbn(send->hk, ctx->key);
return 1;
}
int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received)
{
unsigned char hk[SHA_DIGEST_LENGTH];
quickhashbn(hk, ctx->key);
if(memcmp(hk, received->hk, sizeof hk))
{
JPAKEerr(JPAKE_F_JPAKE_STEP3B_PROCESS, JPAKE_R_HASH_OF_KEY_MISMATCH);
return 0;
}
return 1;
}
void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b)
{}
const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx)
{
return ctx->key;
}

115
crypto/jpake/jpake.h Normal file
View File

@@ -0,0 +1,115 @@
/*
* Implement J-PAKE, as described in
* http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
*
* With hints from http://www.cl.cam.ac.uk/~fh240/software/JPAKE2.java.
*/
#ifndef HEADER_JPAKE_H
#define HEADER_JPAKE_H
#ifdef __cplusplus
extern "C" {
#endif
#include <openssl/bn.h>
#include <openssl/sha.h>
typedef struct JPAKE_CTX JPAKE_CTX;
// Note that "g" in the ZKPs is not necessarily the J-PAKE g.
typedef struct
{
BIGNUM *gr; // g^r (r random)
BIGNUM *b; // b = r - x*h, h=hash(g, g^r, g^x, name)
} JPAKE_ZKP;
typedef struct
{
BIGNUM *gx; // g^x in step 1, g^(xa + xc + xd) * xb * s in step 2
JPAKE_ZKP zkpx; // ZKP(x) or ZKP(xb * s)
} JPAKE_STEP_PART;
typedef struct
{
JPAKE_STEP_PART p1; // g^x3, ZKP(x3) or g^x1, ZKP(x1)
JPAKE_STEP_PART p2; // g^x4, ZKP(x4) or g^x2, ZKP(x2)
} JPAKE_STEP1;
typedef JPAKE_STEP_PART JPAKE_STEP2;
typedef struct
{
unsigned char hhk[SHA_DIGEST_LENGTH];
} JPAKE_STEP3A;
typedef struct
{
unsigned char hk[SHA_DIGEST_LENGTH];
} JPAKE_STEP3B;
// Parameters are copied
JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
const BIGNUM *secret);
void JPAKE_CTX_free(JPAKE_CTX *ctx);
// Note that JPAKE_STEP1 can be used multiple times before release
// without another init.
void JPAKE_STEP1_init(JPAKE_STEP1 *s1);
int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx);
int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received);
void JPAKE_STEP1_release(JPAKE_STEP1 *s1);
// Note that JPAKE_STEP2 can be used multiple times before release
// without another init.
void JPAKE_STEP2_init(JPAKE_STEP2 *s2);
int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx);
int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received);
void JPAKE_STEP2_release(JPAKE_STEP2 *s2);
// Optionally verify the shared key. If the shared secrets do not
// match, the two ends will disagree about the shared key, but
// otherwise the protocol will succeed.
void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a);
int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx);
int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received);
void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a);
void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b);
int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx);
int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received);
void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b);
// the return value belongs to the library and will be released when
// ctx is released, and will change when a new handshake is performed.
const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx);
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_JPAKE_strings(void);
/* Error codes for the JPAKE functions. */
/* Function codes. */
#define JPAKE_F_JPAKE_STEP1_PROCESS 101
#define JPAKE_F_JPAKE_STEP2_PROCESS 102
#define JPAKE_F_JPAKE_STEP3A_PROCESS 103
#define JPAKE_F_JPAKE_STEP3B_PROCESS 104
#define JPAKE_F_VERIFY_ZKP 100
/* Reason codes. */
#define JPAKE_R_G_TO_THE_X4_IS_ONE 105
#define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH 106
#define JPAKE_R_HASH_OF_KEY_MISMATCH 107
#define JPAKE_R_VERIFY_B_FAILED 102
#define JPAKE_R_VERIFY_X3_FAILED 103
#define JPAKE_R_VERIFY_X4_FAILED 104
#define JPAKE_R_ZKP_VERIFY_FAILED 100
#ifdef __cplusplus
}
#endif
#endif

105
crypto/jpake/jpake_err.c Normal file
View File

@@ -0,0 +1,105 @@
/* crypto/jpake/jpake_err.c */
/* ====================================================================
* Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* NOTE: this file was auto generated by the mkerr.pl script: any changes
* made to it will be overwritten when the script next updates this file,
* only reason strings will be preserved.
*/
#include <stdio.h>
#include <openssl/err.h>
#include <openssl/jpake.h>
/* BEGIN ERROR CODES */
#ifndef OPENSSL_NO_ERR
#define ERR_FUNC(func) ERR_PACK(ERR_LIB_JPAKE,func,0)
#define ERR_REASON(reason) ERR_PACK(ERR_LIB_JPAKE,0,reason)
static ERR_STRING_DATA JPAKE_str_functs[]=
{
{ERR_FUNC(JPAKE_F_JPAKE_STEP1_PROCESS), "JPAKE_STEP1_process"},
{ERR_FUNC(JPAKE_F_JPAKE_STEP2_PROCESS), "JPAKE_STEP2_process"},
{ERR_FUNC(JPAKE_F_JPAKE_STEP3A_PROCESS), "JPAKE_STEP3A_process"},
{ERR_FUNC(JPAKE_F_JPAKE_STEP3B_PROCESS), "JPAKE_STEP3B_process"},
{ERR_FUNC(JPAKE_F_VERIFY_ZKP), "VERIFY_ZKP"},
{0,NULL}
};
static ERR_STRING_DATA JPAKE_str_reasons[]=
{
{ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_ONE) ,"g to the x4 is one"},
{ERR_REASON(JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH),"hash of hash of key mismatch"},
{ERR_REASON(JPAKE_R_HASH_OF_KEY_MISMATCH),"hash of key mismatch"},
{ERR_REASON(JPAKE_R_VERIFY_B_FAILED) ,"verify b failed"},
{ERR_REASON(JPAKE_R_VERIFY_X3_FAILED) ,"verify x3 failed"},
{ERR_REASON(JPAKE_R_VERIFY_X4_FAILED) ,"verify x4 failed"},
{ERR_REASON(JPAKE_R_ZKP_VERIFY_FAILED) ,"zkp verify failed"},
{0,NULL}
};
#endif
void ERR_load_JPAKE_strings(void)
{
#ifndef OPENSSL_NO_ERR
if (ERR_func_error_string(JPAKE_str_functs[0].error) == NULL)
{
ERR_load_strings(0,JPAKE_str_functs);
ERR_load_strings(0,JPAKE_str_reasons);
}
#endif
}

176
crypto/jpake/jpaketest.c Normal file
View File

@@ -0,0 +1,176 @@
#include <openssl/jpake.h>
#include <openssl/err.h>
static void showbn(const char *name, const BIGNUM *bn)
{
fputs(name, stdout);
fputs(" = ", stdout);
BN_print_fp(stdout, bn);
putc('\n', stdout);
}
static int run_jpake(JPAKE_CTX *alice, JPAKE_CTX *bob)
{
JPAKE_STEP1 alice_s1;
JPAKE_STEP1 bob_s1;
JPAKE_STEP2 alice_s2;
JPAKE_STEP2 bob_s2;
JPAKE_STEP3A alice_s3a;
JPAKE_STEP3B bob_s3b;
// Alice -> Bob: step 1
puts("A->B s1");
JPAKE_STEP1_init(&alice_s1);
JPAKE_STEP1_generate(&alice_s1, alice);
if(!JPAKE_STEP1_process(bob, &alice_s1))
{
printf("Bob fails to process Alice's step 1\n");
ERR_print_errors_fp(stdout);
return 1;
}
JPAKE_STEP1_release(&alice_s1);
// Bob -> Alice: step 1
puts("B->A s1");
JPAKE_STEP1_init(&bob_s1);
JPAKE_STEP1_generate(&bob_s1, bob);
if(!JPAKE_STEP1_process(alice, &bob_s1))
{
printf("Alice fails to process Bob's step 1\n");
ERR_print_errors_fp(stdout);
return 2;
}
JPAKE_STEP1_release(&bob_s1);
// Alice -> Bob: step 2
puts("A->B s2");
JPAKE_STEP2_init(&alice_s2);
JPAKE_STEP2_generate(&alice_s2, alice);
if(!JPAKE_STEP2_process(bob, &alice_s2))
{
printf("Bob fails to process Alice's step 2\n");
ERR_print_errors_fp(stdout);
return 3;
}
JPAKE_STEP2_release(&alice_s2);
// Bob -> Alice: step 2
puts("B->A s2");
JPAKE_STEP2_init(&bob_s2);
JPAKE_STEP2_generate(&bob_s2, bob);
if(!JPAKE_STEP2_process(alice, &bob_s2))
{
printf("Alice fails to process Bob's step 2\n");
ERR_print_errors_fp(stdout);
return 4;
}
JPAKE_STEP2_release(&bob_s2);
showbn("Alice's key", JPAKE_get_shared_key(alice));
showbn("Bob's key ", JPAKE_get_shared_key(bob));
// Alice -> Bob: step 3a
puts("A->B s3a");
JPAKE_STEP3A_init(&alice_s3a);
JPAKE_STEP3A_generate(&alice_s3a, alice);
if(!JPAKE_STEP3A_process(bob, &alice_s3a))
{
printf("Bob fails to process Alice's step 3a\n");
ERR_print_errors_fp(stdout);
return 5;
}
JPAKE_STEP3A_release(&alice_s3a);
// Bob -> Alice: step 3b
puts("B->A s3b");
JPAKE_STEP3B_init(&bob_s3b);
JPAKE_STEP3B_generate(&bob_s3b, bob);
if(!JPAKE_STEP3B_process(alice, &bob_s3b))
{
printf("Alice fails to process Bob's step 3b\n");
ERR_print_errors_fp(stdout);
return 6;
}
JPAKE_STEP3B_release(&bob_s3b);
return 0;
}
int main(int argc, char **argv)
{
JPAKE_CTX *alice;
JPAKE_CTX *bob;
BIGNUM *p = NULL;
BIGNUM *g = NULL;
BIGNUM *q = NULL;
BIGNUM *secret = BN_new();
BIO *bio_err;
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
ERR_load_crypto_strings();
/*
BN_hex2bn(&p, "fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7");
BN_hex2bn(&g, "f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a");
BN_hex2bn(&q, "9760508f15230bccb292b982a2eb840bf0581cf5");
*/
/*
p = BN_new();
BN_generate_prime(p, 1024, 1, NULL, NULL, NULL, NULL);
*/
// Use a safe prime for p (that we found earlier)
BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
showbn("p", p);
g = BN_new();
BN_set_word(g, 2);
showbn("g", g);
q = BN_new();
BN_rshift1(q, p);
showbn("q", q);
BN_rand(secret, 32, -1, 0);
// A normal run, expect this to work...
alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret);
bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret);
if(run_jpake(alice, bob) != 0)
{
fprintf(stderr, "Plain JPAKE run failed\n");
return 1;
}
JPAKE_CTX_free(bob);
JPAKE_CTX_free(alice);
// Now give Alice and Bob different secrets
alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret);
BN_add_word(secret, 1);
bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret);
if(run_jpake(alice, bob) != 5)
{
fprintf(stderr, "Mismatched secret JPAKE run failed\n");
return 1;
}
JPAKE_CTX_free(bob);
JPAKE_CTX_free(alice);
BN_free(secret);
BN_free(q);
BN_free(g);
BN_free(p);
CRYPTO_cleanup_all_ex_data();
ERR_remove_state(0);
ERR_free_strings();
CRYPTO_mem_leaks(bio_err);
return 0;
}

8
crypto/mem.c
View File

@@ -341,6 +341,14 @@ void *CRYPTO_malloc(int num, const char *file, int line)
return ret;
}
char *CRYPTO_strdup(const char *str, const char *file, int line)
{
char *ret = CRYPTO_malloc(strlen(str)+1, file, line);
strcpy(ret, str);
return ret;
}
void *CRYPTO_realloc(void *str, int num, const char *file, int line)
{
void *ret = NULL;