summaryrefslogtreecommitdiff
path: root/lib/libcrypto/jpake
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2009-01-09 12:14:10 +0000
committerDamien Miller <djm@cvs.openbsd.org>2009-01-09 12:14:10 +0000
commitd30d6ad00561d36a052e2a024020f6802756f04a (patch)
treed0056b85d59fbcdf6660f64d326c2aec91ab897d /lib/libcrypto/jpake
parente3e8dff41f7ab5012303998d65d07ce01ada07e2 (diff)
import openssl-0.9.8j
Diffstat (limited to 'lib/libcrypto/jpake')
-rw-r--r--lib/libcrypto/jpake/Makefile64
-rw-r--r--lib/libcrypto/jpake/jpake.c483
-rw-r--r--lib/libcrypto/jpake/jpake.h129
-rw-r--r--lib/libcrypto/jpake/jpake_err.c105
-rw-r--r--lib/libcrypto/jpake/jpaketest.c192
5 files changed, 973 insertions, 0 deletions
diff --git a/lib/libcrypto/jpake/Makefile b/lib/libcrypto/jpake/Makefile
new file mode 100644
index 00000000000..a4a1402f2ec
--- /dev/null
+++ b/lib/libcrypto/jpake/Makefile
@@ -0,0 +1,64 @@
+DIR=jpake
+TOP=../..
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+LIB=$(TOP)/libcrypto.a
+LIBOBJ=jpake.o jpake_err.o
+LIBSRC=jpake.c jpake_err.c
+
+EXHEADER=jpake.h
+TEST=jpaketest.c
+
+top:
+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all: lib
+
+lib: $(LIBOBJ)
+ $(ARX) $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB) || echo Never mind.
+ @touch lib
+
+links:
+ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+
+install:
+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
+ do \
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+
+depend:
+ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+ mv -f Makefile.new $(MAKEFILE)
+
+clean:
+ rm -f *.s *.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
+
+jpaketest: top jpaketest.c $(LIB)
+ $(CC) $(CFLAGS) -Wall -Werror -g -o jpaketest jpaketest.c $(LIB)
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+jpake.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+jpake.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+jpake.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+jpake.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+jpake.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+jpake.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+jpake.o: ../../include/openssl/symhacks.h jpake.c jpake.h
+jpake_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+jpake_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+jpake_err.o: ../../include/openssl/err.h ../../include/openssl/jpake.h
+jpake_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+jpake_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+jpake_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+jpake_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+jpake_err.o: jpake_err.c
diff --git a/lib/libcrypto/jpake/jpake.c b/lib/libcrypto/jpake/jpake.c
new file mode 100644
index 00000000000..577b7ef375c
--- /dev/null
+++ b/lib/libcrypto/jpake/jpake.c
@@ -0,0 +1,483 @@
+#include "jpake.h"
+
+#include <openssl/crypto.h>
+#include <openssl/sha.h>
+#include <openssl/err.h>
+#include <memory.h>
+#include <assert.h>
+
+/*
+ * In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or
+ * Bob's (x3, x4, x1, x2). If you see what I mean.
+ */
+
+typedef struct
+ {
+ char *name; /* Must be unique */
+ char *peer_name;
+ BIGNUM *p;
+ BIGNUM *g;
+ BIGNUM *q;
+ BIGNUM *gxc; /* Alice's g^{x3} or Bob's g^{x1} */
+ BIGNUM *gxd; /* Alice's g^{x4} or Bob's g^{x2} */
+ } JPAKE_CTX_PUBLIC;
+
+struct JPAKE_CTX
+ {
+ JPAKE_CTX_PUBLIC p;
+ BIGNUM *secret; /* The shared secret */
+ BN_CTX *ctx;
+ BIGNUM *xa; /* Alice's x1 or Bob's x3 */
+ BIGNUM *xb; /* Alice's x2 or Bob's x4 */
+ BIGNUM *key; /* The calculated (shared) key */
+ };
+
+static void JPAKE_ZKP_init(JPAKE_ZKP *zkp)
+ {
+ zkp->gr = BN_new();
+ zkp->b = BN_new();
+ }
+
+static void JPAKE_ZKP_release(JPAKE_ZKP *zkp)
+ {
+ BN_free(zkp->b);
+ BN_free(zkp->gr);
+ }
+
+/* Two birds with one stone - make the global name as expected */
+#define JPAKE_STEP_PART_init JPAKE_STEP2_init
+#define JPAKE_STEP_PART_release JPAKE_STEP2_release
+
+void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p)
+ {
+ p->gx = BN_new();
+ JPAKE_ZKP_init(&p->zkpx);
+ }
+
+void JPAKE_STEP_PART_release(JPAKE_STEP_PART *p)
+ {
+ JPAKE_ZKP_release(&p->zkpx);
+ BN_free(p->gx);
+ }
+
+void JPAKE_STEP1_init(JPAKE_STEP1 *s1)
+ {
+ JPAKE_STEP_PART_init(&s1->p1);
+ JPAKE_STEP_PART_init(&s1->p2);
+ }
+
+void JPAKE_STEP1_release(JPAKE_STEP1 *s1)
+ {
+ JPAKE_STEP_PART_release(&s1->p2);
+ JPAKE_STEP_PART_release(&s1->p1);
+ }
+
+static void JPAKE_CTX_init(JPAKE_CTX *ctx, const char *name,
+ const char *peer_name, const BIGNUM *p,
+ const BIGNUM *g, const BIGNUM *q,
+ const BIGNUM *secret)
+ {
+ ctx->p.name = OPENSSL_strdup(name);
+ ctx->p.peer_name = OPENSSL_strdup(peer_name);
+ ctx->p.p = BN_dup(p);
+ ctx->p.g = BN_dup(g);
+ ctx->p.q = BN_dup(q);
+ ctx->secret = BN_dup(secret);
+
+ ctx->p.gxc = BN_new();
+ ctx->p.gxd = BN_new();
+
+ ctx->xa = BN_new();
+ ctx->xb = BN_new();
+ ctx->key = BN_new();
+ ctx->ctx = BN_CTX_new();
+ }
+
+static void JPAKE_CTX_release(JPAKE_CTX *ctx)
+ {
+ BN_CTX_free(ctx->ctx);
+ BN_clear_free(ctx->key);
+ BN_clear_free(ctx->xb);
+ BN_clear_free(ctx->xa);
+
+ BN_free(ctx->p.gxd);
+ BN_free(ctx->p.gxc);
+
+ BN_clear_free(ctx->secret);
+ BN_free(ctx->p.q);
+ BN_free(ctx->p.g);
+ BN_free(ctx->p.p);
+ OPENSSL_free(ctx->p.peer_name);
+ OPENSSL_free(ctx->p.name);
+
+ memset(ctx, '\0', sizeof *ctx);
+ }
+
+JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
+ const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
+ const BIGNUM *secret)
+ {
+ JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
+
+ JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret);
+
+ return ctx;
+ }
+
+void JPAKE_CTX_free(JPAKE_CTX *ctx)
+ {
+ JPAKE_CTX_release(ctx);
+ OPENSSL_free(ctx);
+ }
+
+static void hashlength(SHA_CTX *sha, size_t l)
+ {
+ unsigned char b[2];
+
+ assert(l <= 0xffff);
+ b[0] = l >> 8;
+ b[1] = l&0xff;
+ SHA1_Update(sha, b, 2);
+ }
+
+static void hashstring(SHA_CTX *sha, const char *string)
+ {
+ size_t l = strlen(string);
+
+ hashlength(sha, l);
+ SHA1_Update(sha, string, l);
+ }
+
+static void hashbn(SHA_CTX *sha, const BIGNUM *bn)
+ {
+ size_t l = BN_num_bytes(bn);
+ unsigned char *bin = OPENSSL_malloc(l);
+
+ hashlength(sha, l);
+ BN_bn2bin(bn, bin);
+ SHA1_Update(sha, bin, l);
+ OPENSSL_free(bin);
+ }
+
+/* h=hash(g, g^r, g^x, name) */
+static void zkp_hash(BIGNUM *h, const BIGNUM *zkpg, const JPAKE_STEP_PART *p,
+ const char *proof_name)
+ {
+ unsigned char md[SHA_DIGEST_LENGTH];
+ SHA_CTX sha;
+
+ /*
+ * XXX: hash should not allow moving of the boundaries - Java code
+ * is flawed in this respect. Length encoding seems simplest.
+ */
+ SHA1_Init(&sha);
+ hashbn(&sha, zkpg);
+ assert(!BN_is_zero(p->zkpx.gr));
+ hashbn(&sha, p->zkpx.gr);
+ hashbn(&sha, p->gx);
+ hashstring(&sha, proof_name);
+ SHA1_Final(md, &sha);
+ BN_bin2bn(md, SHA_DIGEST_LENGTH, h);
+ }
+
+/*
+ * Prove knowledge of x
+ * Note that p->gx has already been calculated
+ */
+static void generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x,
+ const BIGNUM *zkpg, JPAKE_CTX *ctx)
+ {
+ BIGNUM *r = BN_new();
+ BIGNUM *h = BN_new();
+ BIGNUM *t = BN_new();
+
+ /*
+ * r in [0,q)
+ * XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
+ */
+ BN_rand_range(r, ctx->p.q);
+ /* g^r */
+ BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx);
+
+ /* h=hash... */
+ zkp_hash(h, zkpg, p, ctx->p.name);
+
+ /* b = r - x*h */
+ BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx);
+ BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx);
+
+ /* cleanup */
+ BN_free(t);
+ BN_free(h);
+ BN_free(r);
+ }
+
+static int verify_zkp(const JPAKE_STEP_PART *p, const BIGNUM *zkpg,
+ JPAKE_CTX *ctx)
+ {
+ BIGNUM *h = BN_new();
+ BIGNUM *t1 = BN_new();
+ BIGNUM *t2 = BN_new();
+ BIGNUM *t3 = BN_new();
+ int ret = 0;
+
+ zkp_hash(h, zkpg, p, ctx->p.peer_name);
+
+ /* t1 = g^b */
+ BN_mod_exp(t1, zkpg, p->zkpx.b, ctx->p.p, ctx->ctx);
+ /* t2 = (g^x)^h = g^{hx} */
+ BN_mod_exp(t2, p->gx, h, ctx->p.p, ctx->ctx);
+ /* t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly) */
+ BN_mod_mul(t3, t1, t2, ctx->p.p, ctx->ctx);
+
+ /* verify t3 == g^r */
+ if(BN_cmp(t3, p->zkpx.gr) == 0)
+ ret = 1;
+ else
+ JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED);
+
+ /* cleanup */
+ BN_free(t3);
+ BN_free(t2);
+ BN_free(t1);
+ BN_free(h);
+
+ return ret;
+ }
+
+static void generate_step_part(JPAKE_STEP_PART *p, const BIGNUM *x,
+ const BIGNUM *g, JPAKE_CTX *ctx)
+ {
+ BN_mod_exp(p->gx, g, x, ctx->p.p, ctx->ctx);
+ generate_zkp(p, x, g, ctx);
+ }
+
+/* Generate each party's random numbers. xa is in [0, q), xb is in [1, q). */
+static void genrand(JPAKE_CTX *ctx)
+ {
+ BIGNUM *qm1;
+
+ /* xa in [0, q) */
+ BN_rand_range(ctx->xa, ctx->p.q);
+
+ /* q-1 */
+ qm1 = BN_new();
+ BN_copy(qm1, ctx->p.q);
+ BN_sub_word(qm1, 1);
+
+ /* ... and xb in [0, q-1) */
+ BN_rand_range(ctx->xb, qm1);
+ /* [1, q) */
+ BN_add_word(ctx->xb, 1);
+
+ /* cleanup */
+ BN_free(qm1);
+ }
+
+int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx)
+ {
+ genrand(ctx);
+ generate_step_part(&send->p1, ctx->xa, ctx->p.g, ctx);
+ generate_step_part(&send->p2, ctx->xb, ctx->p.g, ctx);
+
+ return 1;
+ }
+
+int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received)
+ {
+ /* verify their ZKP(xc) */
+ if(!verify_zkp(&received->p1, ctx->p.g, ctx))
+ {
+ JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED);
+ return 0;
+ }
+
+ /* verify their ZKP(xd) */
+ if(!verify_zkp(&received->p2, ctx->p.g, ctx))
+ {
+ JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED);
+ return 0;
+ }
+
+ /* g^xd != 1 */
+ if(BN_is_one(received->p2.gx))
+ {
+ JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE);
+ return 0;
+ }
+
+ /* Save the bits we need for later */
+ BN_copy(ctx->p.gxc, received->p1.gx);
+ BN_copy(ctx->p.gxd, received->p2.gx);
+
+ return 1;
+ }
+
+
+int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx)
+ {
+ BIGNUM *t1 = BN_new();
+ BIGNUM *t2 = BN_new();
+
+ /*
+ * X = g^{(xa + xc + xd) * xb * s}
+ * t1 = g^xa
+ */
+ BN_mod_exp(t1, ctx->p.g, ctx->xa, ctx->p.p, ctx->ctx);
+ /* t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc} */
+ BN_mod_mul(t2, t1, ctx->p.gxc, ctx->p.p, ctx->ctx);
+ /* t1 = t2 * g^{xd} = g^{xa + xc + xd} */
+ BN_mod_mul(t1, t2, ctx->p.gxd, ctx->p.p, ctx->ctx);
+ /* t2 = xb * s */
+ BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx);
+
+ /*
+ * ZKP(xb * s)
+ * XXX: this is kinda funky, because we're using
+ *
+ * g' = g^{xa + xc + xd}
+ *
+ * as the generator, which means X is g'^{xb * s}
+ * X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s}
+ */
+ generate_step_part(send, t2, t1, ctx);
+
+ /* cleanup */
+ BN_free(t1);
+ BN_free(t2);
+
+ return 1;
+ }
+
+/* gx = g^{xc + xa + xb} * xd * s */
+static int compute_key(JPAKE_CTX *ctx, const BIGNUM *gx)
+ {
+ BIGNUM *t1 = BN_new();
+ BIGNUM *t2 = BN_new();
+ BIGNUM *t3 = BN_new();
+
+ /*
+ * K = (gx/g^{xb * xd * s})^{xb}
+ * = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb}
+ * = (g^{(xa + xc) * xd * s})^{xb}
+ * = g^{(xa + xc) * xb * xd * s}
+ * [which is the same regardless of who calculates it]
+ */
+
+ /* t1 = (g^{xd})^{xb} = g^{xb * xd} */
+ BN_mod_exp(t1, ctx->p.gxd, ctx->xb, ctx->p.p, ctx->ctx);
+ /* t2 = -s = q-s */
+ BN_sub(t2, ctx->p.q, ctx->secret);
+ /* t3 = t1^t2 = g^{-xb * xd * s} */
+ BN_mod_exp(t3, t1, t2, ctx->p.p, ctx->ctx);
+ /* t1 = gx * t3 = X/g^{xb * xd * s} */
+ BN_mod_mul(t1, gx, t3, ctx->p.p, ctx->ctx);
+ /* K = t1^{xb} */
+ BN_mod_exp(ctx->key, t1, ctx->xb, ctx->p.p, ctx->ctx);
+
+ /* cleanup */
+ BN_free(t3);
+ BN_free(t2);
+ BN_free(t1);
+
+ return 1;
+ }
+
+int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received)
+ {
+ BIGNUM *t1 = BN_new();
+ BIGNUM *t2 = BN_new();
+ int ret = 0;
+
+ /*
+ * g' = g^{xc + xa + xb} [from our POV]
+ * t1 = xa + xb
+ */
+ BN_mod_add(t1, ctx->xa, ctx->xb, ctx->p.q, ctx->ctx);
+ /* t2 = g^{t1} = g^{xa+xb} */
+ BN_mod_exp(t2, ctx->p.g, t1, ctx->p.p, ctx->ctx);
+ /* t1 = g^{xc} * t2 = g^{xc + xa + xb} */
+ BN_mod_mul(t1, ctx->p.gxc, t2, ctx->p.p, ctx->ctx);
+
+ if(verify_zkp(received, t1, ctx))
+ ret = 1;
+ else
+ JPAKEerr(JPAKE_F_JPAKE_STEP2_PROCESS, JPAKE_R_VERIFY_B_FAILED);
+
+ compute_key(ctx, received->gx);
+
+ /* cleanup */
+ BN_free(t2);
+ BN_free(t1);
+
+ return ret;
+ }
+
+static void quickhashbn(unsigned char *md, const BIGNUM *bn)
+ {
+ SHA_CTX sha;
+
+ SHA1_Init(&sha);
+ hashbn(&sha, bn);
+ SHA1_Final(md, &sha);
+ }
+
+void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a)
+ {}
+
+int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx)
+ {
+ quickhashbn(send->hhk, ctx->key);
+ SHA1(send->hhk, sizeof send->hhk, send->hhk);
+
+ return 1;
+ }
+
+int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received)
+ {
+ unsigned char hhk[SHA_DIGEST_LENGTH];
+
+ quickhashbn(hhk, ctx->key);
+ SHA1(hhk, sizeof hhk, hhk);
+ if(memcmp(hhk, received->hhk, sizeof hhk))
+ {
+ JPAKEerr(JPAKE_F_JPAKE_STEP3A_PROCESS, JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH);
+ return 0;
+ }
+ return 1;
+ }
+
+void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a)
+ {}
+
+void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b)
+ {}
+
+int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx)
+ {
+ quickhashbn(send->hk, ctx->key);
+
+ return 1;
+ }
+
+int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received)
+ {
+ unsigned char hk[SHA_DIGEST_LENGTH];
+
+ quickhashbn(hk, ctx->key);
+ if(memcmp(hk, received->hk, sizeof hk))
+ {
+ JPAKEerr(JPAKE_F_JPAKE_STEP3B_PROCESS, JPAKE_R_HASH_OF_KEY_MISMATCH);
+ return 0;
+ }
+ return 1;
+ }
+
+void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b)
+ {}
+
+const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx)
+ {
+ return ctx->key;
+ }
+
diff --git a/lib/libcrypto/jpake/jpake.h b/lib/libcrypto/jpake/jpake.h
new file mode 100644
index 00000000000..693ea188cb8
--- /dev/null
+++ b/lib/libcrypto/jpake/jpake.h
@@ -0,0 +1,129 @@
+/*
+ * Implement J-PAKE, as described in
+ * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
+ *
+ * With hints from http://www.cl.cam.ac.uk/~fh240/software/JPAKE2.java.
+ */
+
+#ifndef HEADER_JPAKE_H
+#define HEADER_JPAKE_H
+
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_JPAKE
+#error JPAKE is disabled.
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/sha.h>
+
+typedef struct JPAKE_CTX JPAKE_CTX;
+
+/* Note that "g" in the ZKPs is not necessarily the J-PAKE g. */
+typedef struct
+ {
+ BIGNUM *gr; /* g^r (r random) */
+ BIGNUM *b; /* b = r - x*h, h=hash(g, g^r, g^x, name) */
+ } JPAKE_ZKP;
+
+typedef struct
+ {
+ BIGNUM *gx; /* g^x in step 1, g^(xa + xc + xd) * xb * s in step 2 */
+ JPAKE_ZKP zkpx; /* ZKP(x) or ZKP(xb * s) */
+ } JPAKE_STEP_PART;
+
+typedef struct
+ {
+ JPAKE_STEP_PART p1; /* g^x3, ZKP(x3) or g^x1, ZKP(x1) */
+ JPAKE_STEP_PART p2; /* g^x4, ZKP(x4) or g^x2, ZKP(x2) */
+ } JPAKE_STEP1;
+
+typedef JPAKE_STEP_PART JPAKE_STEP2;
+
+typedef struct
+ {
+ unsigned char hhk[SHA_DIGEST_LENGTH];
+ } JPAKE_STEP3A;
+
+typedef struct
+ {
+ unsigned char hk[SHA_DIGEST_LENGTH];
+ } JPAKE_STEP3B;
+
+/* Parameters are copied */
+JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
+ const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
+ const BIGNUM *secret);
+void JPAKE_CTX_free(JPAKE_CTX *ctx);
+
+/*
+ * Note that JPAKE_STEP1 can be used multiple times before release
+ * without another init.
+ */
+void JPAKE_STEP1_init(JPAKE_STEP1 *s1);
+int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx);
+int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received);
+void JPAKE_STEP1_release(JPAKE_STEP1 *s1);
+
+/*
+ * Note that JPAKE_STEP2 can be used multiple times before release
+ * without another init.
+ */
+void JPAKE_STEP2_init(JPAKE_STEP2 *s2);
+int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx);
+int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received);
+void JPAKE_STEP2_release(JPAKE_STEP2 *s2);
+
+/*
+ * Optionally verify the shared key. If the shared secrets do not
+ * match, the two ends will disagree about the shared key, but
+ * otherwise the protocol will succeed.
+ */
+void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a);
+int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx);
+int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received);
+void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a);
+
+void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b);
+int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx);
+int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received);
+void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b);
+
+/*
+ * the return value belongs to the library and will be released when
+ * ctx is released, and will change when a new handshake is performed.
+ */
+const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_JPAKE_strings(void);
+
+/* Error codes for the JPAKE functions. */
+
+/* Function codes. */
+#define JPAKE_F_JPAKE_STEP1_PROCESS 101
+#define JPAKE_F_JPAKE_STEP2_PROCESS 102
+#define JPAKE_F_JPAKE_STEP3A_PROCESS 103
+#define JPAKE_F_JPAKE_STEP3B_PROCESS 104
+#define JPAKE_F_VERIFY_ZKP 100
+
+/* Reason codes. */
+#define JPAKE_R_G_TO_THE_X4_IS_ONE 105
+#define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH 106
+#define JPAKE_R_HASH_OF_KEY_MISMATCH 107
+#define JPAKE_R_VERIFY_B_FAILED 102
+#define JPAKE_R_VERIFY_X3_FAILED 103
+#define JPAKE_R_VERIFY_X4_FAILED 104
+#define JPAKE_R_ZKP_VERIFY_FAILED 100
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/lib/libcrypto/jpake/jpake_err.c b/lib/libcrypto/jpake/jpake_err.c
new file mode 100644
index 00000000000..1b950679679
--- /dev/null
+++ b/lib/libcrypto/jpake/jpake_err.c
@@ -0,0 +1,105 @@
+/* crypto/jpake/jpake_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/jpake.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_JPAKE,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_JPAKE,0,reason)
+
+static ERR_STRING_DATA JPAKE_str_functs[]=
+ {
+{ERR_FUNC(JPAKE_F_JPAKE_STEP1_PROCESS), "JPAKE_STEP1_process"},
+{ERR_FUNC(JPAKE_F_JPAKE_STEP2_PROCESS), "JPAKE_STEP2_process"},
+{ERR_FUNC(JPAKE_F_JPAKE_STEP3A_PROCESS), "JPAKE_STEP3A_process"},
+{ERR_FUNC(JPAKE_F_JPAKE_STEP3B_PROCESS), "JPAKE_STEP3B_process"},
+{ERR_FUNC(JPAKE_F_VERIFY_ZKP), "VERIFY_ZKP"},
+{0,NULL}
+ };
+
+static ERR_STRING_DATA JPAKE_str_reasons[]=
+ {
+{ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_ONE) ,"g to the x4 is one"},
+{ERR_REASON(JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH),"hash of hash of key mismatch"},
+{ERR_REASON(JPAKE_R_HASH_OF_KEY_MISMATCH),"hash of key mismatch"},
+{ERR_REASON(JPAKE_R_VERIFY_B_FAILED) ,"verify b failed"},
+{ERR_REASON(JPAKE_R_VERIFY_X3_FAILED) ,"verify x3 failed"},
+{ERR_REASON(JPAKE_R_VERIFY_X4_FAILED) ,"verify x4 failed"},
+{ERR_REASON(JPAKE_R_ZKP_VERIFY_FAILED) ,"zkp verify failed"},
+{0,NULL}
+ };
+
+#endif
+
+void ERR_load_JPAKE_strings(void)
+ {
+#ifndef OPENSSL_NO_ERR
+
+ if (ERR_func_error_string(JPAKE_str_functs[0].error) == NULL)
+ {
+ ERR_load_strings(0,JPAKE_str_functs);
+ ERR_load_strings(0,JPAKE_str_reasons);
+ }
+#endif
+ }
diff --git a/lib/libcrypto/jpake/jpaketest.c b/lib/libcrypto/jpake/jpaketest.c
new file mode 100644
index 00000000000..792fc49eb46
--- /dev/null
+++ b/lib/libcrypto/jpake/jpaketest.c
@@ -0,0 +1,192 @@
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_JPAKE
+
+#include <stdio.h>
+
+int main(int argc, char *argv[])
+{
+ printf("No J-PAKE support\n");
+ return(0);
+}
+
+#else
+
+#include <openssl/jpake.h>
+#include <openssl/err.h>
+
+static void showbn(const char *name, const BIGNUM *bn)
+ {
+ fputs(name, stdout);
+ fputs(" = ", stdout);
+ BN_print_fp(stdout, bn);
+ putc('\n', stdout);
+ }
+
+static int run_jpake(JPAKE_CTX *alice, JPAKE_CTX *bob)
+ {
+ JPAKE_STEP1 alice_s1;
+ JPAKE_STEP1 bob_s1;
+ JPAKE_STEP2 alice_s2;
+ JPAKE_STEP2 bob_s2;
+ JPAKE_STEP3A alice_s3a;
+ JPAKE_STEP3B bob_s3b;
+
+ /* Alice -> Bob: step 1 */
+ puts("A->B s1");
+ JPAKE_STEP1_init(&alice_s1);
+ JPAKE_STEP1_generate(&alice_s1, alice);
+ if(!JPAKE_STEP1_process(bob, &alice_s1))
+ {
+ printf("Bob fails to process Alice's step 1\n");
+ ERR_print_errors_fp(stdout);
+ return 1;
+ }
+ JPAKE_STEP1_release(&alice_s1);
+
+ /* Bob -> Alice: step 1 */
+ puts("B->A s1");
+ JPAKE_STEP1_init(&bob_s1);
+ JPAKE_STEP1_generate(&bob_s1, bob);
+ if(!JPAKE_STEP1_process(alice, &bob_s1))
+ {
+ printf("Alice fails to process Bob's step 1\n");
+ ERR_print_errors_fp(stdout);
+ return 2;
+ }
+ JPAKE_STEP1_release(&bob_s1);
+
+ /* Alice -> Bob: step 2 */
+ puts("A->B s2");
+ JPAKE_STEP2_init(&alice_s2);
+ JPAKE_STEP2_generate(&alice_s2, alice);
+ if(!JPAKE_STEP2_process(bob, &alice_s2))
+ {
+ printf("Bob fails to process Alice's step 2\n");
+ ERR_print_errors_fp(stdout);
+ return 3;
+ }
+ JPAKE_STEP2_release(&alice_s2);
+
+ /* Bob -> Alice: step 2 */
+ puts("B->A s2");
+ JPAKE_STEP2_init(&bob_s2);
+ JPAKE_STEP2_generate(&bob_s2, bob);
+ if(!JPAKE_STEP2_process(alice, &bob_s2))
+ {
+ printf("Alice fails to process Bob's step 2\n");
+ ERR_print_errors_fp(stdout);
+ return 4;
+ }
+ JPAKE_STEP2_release(&bob_s2);
+
+ showbn("Alice's key", JPAKE_get_shared_key(alice));
+ showbn("Bob's key ", JPAKE_get_shared_key(bob));
+
+ /* Alice -> Bob: step 3a */
+ puts("A->B s3a");
+ JPAKE_STEP3A_init(&alice_s3a);
+ JPAKE_STEP3A_generate(&alice_s3a, alice);
+ if(!JPAKE_STEP3A_process(bob, &alice_s3a))
+ {
+ printf("Bob fails to process Alice's step 3a\n");
+ ERR_print_errors_fp(stdout);
+ return 5;
+ }
+ JPAKE_STEP3A_release(&alice_s3a);
+
+ /* Bob -> Alice: step 3b */
+ puts("B->A s3b");
+ JPAKE_STEP3B_init(&bob_s3b);
+ JPAKE_STEP3B_generate(&bob_s3b, bob);
+ if(!JPAKE_STEP3B_process(alice, &bob_s3b))
+ {
+ printf("Alice fails to process Bob's step 3b\n");
+ ERR_print_errors_fp(stdout);
+ return 6;
+ }
+ JPAKE_STEP3B_release(&bob_s3b);
+
+ return 0;
+ }
+
+int main(int argc, char **argv)
+ {
+ JPAKE_CTX *alice;
+ JPAKE_CTX *bob;
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ BIGNUM *q = NULL;
+ BIGNUM *secret = BN_new();
+ BIO *bio_err;
+
+ bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+ CRYPTO_malloc_debug_init();
+ CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+ ERR_load_crypto_strings();
+
+ /*
+ BN_hex2bn(&p, "fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7");
+ BN_hex2bn(&g, "f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a");
+ BN_hex2bn(&q, "9760508f15230bccb292b982a2eb840bf0581cf5");
+ */
+ /*
+ p = BN_new();
+ BN_generate_prime(p, 1024, 1, NULL, NULL, NULL, NULL);
+ */
+ /* Use a safe prime for p (that we found earlier) */
+ BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
+ showbn("p", p);
+ g = BN_new();
+ BN_set_word(g, 2);
+ showbn("g", g);
+ q = BN_new();
+ BN_rshift1(q, p);
+ showbn("q", q);
+
+ BN_rand(secret, 32, -1, 0);
+
+ /* A normal run, expect this to work... */
+ alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret);
+ bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret);
+
+ if(run_jpake(alice, bob) != 0)
+ {
+ fprintf(stderr, "Plain JPAKE run failed\n");
+ return 1;
+ }
+
+ JPAKE_CTX_free(bob);
+ JPAKE_CTX_free(alice);
+
+ /* Now give Alice and Bob different secrets */
+ alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret);
+ BN_add_word(secret, 1);
+ bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret);
+
+ if(run_jpake(alice, bob) != 5)
+ {
+ fprintf(stderr, "Mismatched secret JPAKE run failed\n");
+ return 1;
+ }
+
+ JPAKE_CTX_free(bob);
+ JPAKE_CTX_free(alice);
+
+ BN_free(secret);
+ BN_free(q);
+ BN_free(g);
+ BN_free(p);
+
+ CRYPTO_cleanup_all_ex_data();
+ ERR_remove_state(0);
+ ERR_free_strings();
+ CRYPTO_mem_leaks(bio_err);
+
+ return 0;
+ }
+
+#endif