/security/nss/lib/freebl/jpake.c
C | 526 lines | 403 code | 64 blank | 59 comment | 145 complexity | d94893b51136edbcd7f208406bd72f2f MD5 | raw file
1/* ***** BEGIN LICENSE BLOCK ***** 2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 3 * 4 * The contents of this file are subject to the Mozilla Public License Version 5 * 1.1 (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * http://www.mozilla.org/MPL/ 8 * 9 * Software distributed under the License is distributed on an "AS IS" basis, 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License 11 * for the specific language governing rights and limitations under the 12 * License. 13 * 14 * The Original Code is the Netscape security libraries. 15 * 16 * The Initial Developer of the Original Code is Mozilla Fonudation. 17 * Portions created by the Initial Developer are Copyright (C) 2010 18 * the Initial Developer. All Rights Reserved. 19 * 20 * Contributor(s): 21 * 22 * Alternatively, the contents of this file may be used under the terms of 23 * either the GNU General Public License Version 2 or later (the "GPL"), or 24 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), 25 * in which case the provisions of the GPL or the LGPL are applicable instead 26 * of those above. If you wish to allow use of your version of this file only 27 * under the terms of either the GPL or the LGPL, and not to allow others to 28 * use your version of this file under the terms of the MPL, indicate your 29 * decision by deleting the provisions above and replace them with the notice 30 * and other provisions required by the GPL or the LGPL. If you do not delete 31 * the provisions above, a recipient may use your version of this file under 32 * the terms of any one of the MPL, the GPL or the LGPL. 33 * 34 * ***** END LICENSE BLOCK ***** */ 35 36#ifdef FREEBL_NO_DEPEND 37#include "stubs.h" 38#endif 39 40#include "blapi.h" 41#include "secerr.h" 42#include "secitem.h" 43#include "secmpi.h" 44 45/* Hash an item's length and then its value. Only items smaller than 2^16 bytes 46 * are allowed. Lengths are hashed in network byte order. This is designed 47 * to match the OpenSSL J-PAKE implementation. 48 */ 49static mp_err 50hashSECItem(HASHContext * hash, const SECItem * it) 51{ 52 unsigned char length[2]; 53 54 if (it->len > 0xffff) 55 return MP_BADARG; 56 57 length[0] = (unsigned char) (it->len >> 8); 58 length[1] = (unsigned char) (it->len); 59 hash->hashobj->update(hash->hash_context, length, 2); 60 hash->hashobj->update(hash->hash_context, it->data, it->len); 61 return MP_OKAY; 62} 63 64/* Hash all public components of the signature, each prefixed with its 65 length, and then convert the hash to an mp_int. */ 66static mp_err 67hashPublicParams(HASH_HashType hashType, const SECItem * g, 68 const SECItem * gv, const SECItem * gx, 69 const SECItem * signerID, mp_int * h) 70{ 71 mp_err err; 72 unsigned char hBuf[HASH_LENGTH_MAX]; 73 SECItem hItem; 74 HASHContext hash; 75 76 hash.hashobj = HASH_GetRawHashObject(hashType); 77 if (hash.hashobj == NULL || hash.hashobj->length > sizeof hBuf) { 78 return MP_BADARG; 79 } 80 hash.hash_context = hash.hashobj->create(); 81 if (hash.hash_context == NULL) { 82 return MP_MEM; 83 } 84 85 hItem.data = hBuf; 86 hItem.len = hash.hashobj->length; 87 88 hash.hashobj->begin(hash.hash_context); 89 CHECK_MPI_OK( hashSECItem(&hash, g) ); 90 CHECK_MPI_OK( hashSECItem(&hash, gv) ); 91 CHECK_MPI_OK( hashSECItem(&hash, gx) ); 92 CHECK_MPI_OK( hashSECItem(&hash, signerID) ); 93 hash.hashobj->end(hash.hash_context, hItem.data, &hItem.len, 94 sizeof hBuf); 95 SECITEM_TO_MPINT(hItem, h); 96 97cleanup: 98 if (hash.hash_context != NULL) { 99 hash.hashobj->destroy(hash.hash_context, PR_TRUE); 100 } 101 102 return err; 103} 104 105/* Generate a Schnorr signature for round 1 or round 2 */ 106SECStatus 107JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType, 108 const SECItem * signerID, const SECItem * x, 109 const SECItem * testRandom, const SECItem * gxIn, SECItem * gxOut, 110 SECItem * gv, SECItem * r) 111{ 112 SECStatus rv = SECSuccess; 113 mp_err err; 114 mp_int p; 115 mp_int q; 116 mp_int g; 117 mp_int X; 118 mp_int GX; 119 mp_int V; 120 mp_int GV; 121 mp_int h; 122 mp_int tmp; 123 mp_int R; 124 SECItem v; 125 126 if (!arena || 127 !pqg || !pqg->prime.data || pqg->prime.len == 0 || 128 !pqg->subPrime.data || pqg->subPrime.len == 0 || 129 !pqg->base.data || pqg->base.len == 0 || 130 !signerID || !signerID->data || signerID->len == 0 || 131 !x || !x->data || x->len == 0 || 132 (testRandom && (!testRandom->data || testRandom->len == 0)) || 133 (gxIn == NULL && (!gxOut || gxOut->data != NULL)) || 134 (gxIn != NULL && (!gxIn->data || gxIn->len == 0 || gxOut != NULL)) || 135 !gv || gv->data != NULL || 136 !r || r->data != NULL) { 137 PORT_SetError(SEC_ERROR_INVALID_ARGS); 138 return SECFailure; 139 } 140 141 142 MP_DIGITS(&p) = 0; 143 MP_DIGITS(&q) = 0; 144 MP_DIGITS(&g) = 0; 145 MP_DIGITS(&X) = 0; 146 MP_DIGITS(&GX) = 0; 147 MP_DIGITS(&V) = 0; 148 MP_DIGITS(&GV) = 0; 149 MP_DIGITS(&h) = 0; 150 MP_DIGITS(&tmp) = 0; 151 MP_DIGITS(&R) = 0; 152 153 CHECK_MPI_OK( mp_init(&p) ); 154 CHECK_MPI_OK( mp_init(&q) ); 155 CHECK_MPI_OK( mp_init(&g) ); 156 CHECK_MPI_OK( mp_init(&X) ); 157 CHECK_MPI_OK( mp_init(&GX) ); 158 CHECK_MPI_OK( mp_init(&V) ); 159 CHECK_MPI_OK( mp_init(&GV) ); 160 CHECK_MPI_OK( mp_init(&h) ); 161 CHECK_MPI_OK( mp_init(&tmp) ); 162 CHECK_MPI_OK( mp_init(&R) ); 163 164 SECITEM_TO_MPINT(pqg->prime, &p); 165 SECITEM_TO_MPINT(pqg->subPrime, &q); 166 SECITEM_TO_MPINT(pqg->base, &g); 167 SECITEM_TO_MPINT(*x, &X); 168 169 /* gx = g^x */ 170 if (gxIn == NULL) { 171 CHECK_MPI_OK( mp_exptmod(&g, &X, &p, &GX) ); 172 MPINT_TO_SECITEM(&GX, gxOut, arena); 173 gxIn = gxOut; 174 } else { 175 SECITEM_TO_MPINT(*gxIn, &GX); 176 } 177 178 /* v is a random value in the q subgroup */ 179 if (testRandom == NULL) { 180 v.data = NULL; 181 rv = DSA_NewRandom(arena, &pqg->subPrime, &v); 182 if (rv != SECSuccess) { 183 goto cleanup; 184 } 185 } else { 186 v.data = testRandom->data; 187 v.len = testRandom->len; 188 } 189 SECITEM_TO_MPINT(v, &V); 190 191 /* gv = g^v (mod q), random v, 1 <= v < q */ 192 CHECK_MPI_OK( mp_exptmod(&g, &V, &p, &GV) ); 193 MPINT_TO_SECITEM(&GV, gv, arena); 194 195 /* h = H(g, gv, gx, signerID) */ 196 CHECK_MPI_OK( hashPublicParams(hashType, &pqg->base, gv, gxIn, signerID, 197 &h) ); 198 199 /* r = v - x*h (mod q) */ 200 CHECK_MPI_OK( mp_mulmod(&X, &h, &q, &tmp) ); 201 CHECK_MPI_OK( mp_submod(&V, &tmp, &q, &R) ); 202 MPINT_TO_SECITEM(&R, r, arena); 203 204cleanup: 205 mp_clear(&p); 206 mp_clear(&q); 207 mp_clear(&g); 208 mp_clear(&X); 209 mp_clear(&GX); 210 mp_clear(&V); 211 mp_clear(&GV); 212 mp_clear(&h); 213 mp_clear(&tmp); 214 mp_clear(&R); 215 216 if (rv == SECSuccess && err != MP_OKAY) { 217 MP_TO_SEC_ERROR(err); 218 rv = SECFailure; 219 } 220 return rv; 221} 222 223/* Verify a Schnorr signature generated by the peer in round 1 or round 2. */ 224SECStatus 225JPAKE_Verify(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType, 226 const SECItem * signerID, const SECItem * peerID, 227 const SECItem * gx, const SECItem * gv, const SECItem * r) 228{ 229 SECStatus rv = SECSuccess; 230 mp_err err; 231 mp_int p; 232 mp_int q; 233 mp_int g; 234 mp_int p_minus_1; 235 mp_int GX; 236 mp_int h; 237 mp_int one; 238 mp_int R; 239 mp_int gr; 240 mp_int gxh; 241 mp_int gr_gxh; 242 SECItem calculated; 243 244 if (!arena || 245 !pqg || !pqg->prime.data || pqg->prime.len == 0 || 246 !pqg->subPrime.data || pqg->subPrime.len == 0 || 247 !pqg->base.data || pqg->base.len == 0 || 248 !signerID || !signerID->data || signerID->len == 0 || 249 !peerID || !peerID->data || peerID->len == 0 || 250 !gx || !gx->data || gx->len == 0 || 251 !gv || !gv->data || gv->len == 0 || 252 !r || !r->data || r->len == 0 || 253 SECITEM_CompareItem(signerID, peerID) == SECEqual) { 254 PORT_SetError(SEC_ERROR_INVALID_ARGS); 255 return SECFailure; 256 } 257 258 MP_DIGITS(&p) = 0; 259 MP_DIGITS(&q) = 0; 260 MP_DIGITS(&g) = 0; 261 MP_DIGITS(&p_minus_1) = 0; 262 MP_DIGITS(&GX) = 0; 263 MP_DIGITS(&h) = 0; 264 MP_DIGITS(&one) = 0; 265 MP_DIGITS(&R) = 0; 266 MP_DIGITS(&gr) = 0; 267 MP_DIGITS(&gxh) = 0; 268 MP_DIGITS(&gr_gxh) = 0; 269 calculated.data = NULL; 270 271 CHECK_MPI_OK( mp_init(&p) ); 272 CHECK_MPI_OK( mp_init(&q) ); 273 CHECK_MPI_OK( mp_init(&g) ); 274 CHECK_MPI_OK( mp_init(&p_minus_1) ); 275 CHECK_MPI_OK( mp_init(&GX) ); 276 CHECK_MPI_OK( mp_init(&h) ); 277 CHECK_MPI_OK( mp_init(&one) ); 278 CHECK_MPI_OK( mp_init(&R) ); 279 CHECK_MPI_OK( mp_init(&gr) ); 280 CHECK_MPI_OK( mp_init(&gxh) ); 281 CHECK_MPI_OK( mp_init(&gr_gxh) ); 282 283 SECITEM_TO_MPINT(pqg->prime, &p); 284 SECITEM_TO_MPINT(pqg->subPrime, &q); 285 SECITEM_TO_MPINT(pqg->base, &g); 286 SECITEM_TO_MPINT(*gx, &GX); 287 SECITEM_TO_MPINT(*r, &R); 288 289 CHECK_MPI_OK( mp_sub_d(&p, 1, &p_minus_1) ); 290 CHECK_MPI_OK( mp_exptmod(&GX, &q, &p, &one) ); 291 /* Check g^x is in [1, p-2], R is in [0, q-1], and (g^x)^q mod p == 1 */ 292 if (!(mp_cmp_z(&GX) > 0 && 293 mp_cmp(&GX, &p_minus_1) < 0 && 294 mp_cmp(&R, &q) < 0 && 295 mp_cmp_d(&one, 1) == 0)) { 296 goto badSig; 297 } 298 299 CHECK_MPI_OK( hashPublicParams(hashType, &pqg->base, gv, gx, peerID, 300 &h) ); 301 302 /* Calculate g^v = g^r * g^x^h */ 303 CHECK_MPI_OK( mp_exptmod(&g, &R, &p, &gr) ); 304 CHECK_MPI_OK( mp_exptmod(&GX, &h, &p, &gxh) ); 305 CHECK_MPI_OK( mp_mulmod(&gr, &gxh, &p, &gr_gxh) ); 306 307 /* Compare calculated g^v to given g^v */ 308 MPINT_TO_SECITEM(&gr_gxh, &calculated, arena); 309 if (calculated.len == gv->len && 310 NSS_SecureMemcmp(calculated.data, gv->data, calculated.len) == 0) { 311 rv = SECSuccess; 312 } else { 313badSig: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); 314 rv = SECFailure; 315 } 316 317cleanup: 318 mp_clear(&p); 319 mp_clear(&q); 320 mp_clear(&g); 321 mp_clear(&p_minus_1); 322 mp_clear(&GX); 323 mp_clear(&h); 324 mp_clear(&one); 325 mp_clear(&R); 326 mp_clear(&gr); 327 mp_clear(&gxh); 328 mp_clear(&gr_gxh); 329 330 if (rv == SECSuccess && err != MP_OKAY) { 331 MP_TO_SEC_ERROR(err); 332 rv = SECFailure; 333 } 334 return rv; 335} 336 337/* Calculate base = gx1*gx3*gx4 (mod p), i.e. g^(x1+x3+x4) (mod p) */ 338static mp_err 339jpake_Round2Base(const SECItem * gx1, const SECItem * gx3, 340 const SECItem * gx4, const mp_int * p, mp_int * base) 341{ 342 mp_err err; 343 mp_int GX1; 344 mp_int GX3; 345 mp_int GX4; 346 mp_int tmp; 347 348 MP_DIGITS(&GX1) = 0; 349 MP_DIGITS(&GX3) = 0; 350 MP_DIGITS(&GX4) = 0; 351 MP_DIGITS(&tmp) = 0; 352 353 CHECK_MPI_OK( mp_init(&GX1) ); 354 CHECK_MPI_OK( mp_init(&GX3) ); 355 CHECK_MPI_OK( mp_init(&GX4) ); 356 CHECK_MPI_OK( mp_init(&tmp) ); 357 358 SECITEM_TO_MPINT(*gx1, &GX1); 359 SECITEM_TO_MPINT(*gx3, &GX3); 360 SECITEM_TO_MPINT(*gx4, &GX4); 361 362 /* In round 2, the peer/attacker sends us g^x3 and g^x4 and the protocol 363 requires that these values are distinct. */ 364 if (mp_cmp(&GX3, &GX4) == 0) { 365 return MP_BADARG; 366 } 367 368 CHECK_MPI_OK( mp_mul(&GX1, &GX3, &tmp) ); 369 CHECK_MPI_OK( mp_mul(&tmp, &GX4, &tmp) ); 370 CHECK_MPI_OK( mp_mod(&tmp, p, base) ); 371 372cleanup: 373 mp_clear(&GX1); 374 mp_clear(&GX3); 375 mp_clear(&GX4); 376 mp_clear(&tmp); 377 return err; 378} 379 380SECStatus 381JPAKE_Round2(PLArenaPool * arena, 382 const SECItem * p, const SECItem *q, const SECItem * gx1, 383 const SECItem * gx3, const SECItem * gx4, SECItem * base, 384 const SECItem * x2, const SECItem * s, SECItem * x2s) 385{ 386 mp_err err; 387 mp_int P; 388 mp_int Q; 389 mp_int X2; 390 mp_int S; 391 mp_int result; 392 393 if (!arena || 394 !p || !p->data || p->len == 0 || 395 !q || !q->data || q->len == 0 || 396 !gx1 || !gx1->data || gx1->len == 0 || 397 !gx3 || !gx3->data || gx3->len == 0 || 398 !gx4 || !gx4->data || gx4->len == 0 || 399 !base || base->data != NULL || 400 (x2s != NULL && (x2s->data != NULL || 401 !x2 || !x2->data || x2->len == 0 || 402 !s || !s->data || s->len == 0))) { 403 PORT_SetError(SEC_ERROR_INVALID_ARGS); 404 return SECFailure; 405 } 406 407 MP_DIGITS(&P) = 0; 408 MP_DIGITS(&Q) = 0; 409 MP_DIGITS(&X2) = 0; 410 MP_DIGITS(&S) = 0; 411 MP_DIGITS(&result) = 0; 412 413 CHECK_MPI_OK( mp_init(&P) ); 414 CHECK_MPI_OK( mp_init(&Q) ); 415 CHECK_MPI_OK( mp_init(&result) ); 416 417 if (x2s != NULL) { 418 CHECK_MPI_OK( mp_init(&X2) ); 419 CHECK_MPI_OK( mp_init(&S) ); 420 421 SECITEM_TO_MPINT(*q, &Q); 422 SECITEM_TO_MPINT(*x2, &X2); 423 424 SECITEM_TO_MPINT(*s, &S); 425 /* S must be in [1, Q-1] */ 426 if (mp_cmp_z(&S) <= 0 || mp_cmp(&S, &Q) >= 0) { 427 err = MP_BADARG; 428 goto cleanup; 429 } 430 431 CHECK_MPI_OK( mp_mulmod(&X2, &S, &Q, &result) ); 432 MPINT_TO_SECITEM(&result, x2s, arena); 433 } 434 435 SECITEM_TO_MPINT(*p, &P); 436 CHECK_MPI_OK( jpake_Round2Base(gx1, gx3, gx4, &P, &result) ); 437 MPINT_TO_SECITEM(&result, base, arena); 438 439cleanup: 440 mp_clear(&P); 441 mp_clear(&Q); 442 mp_clear(&X2); 443 mp_clear(&S); 444 mp_clear(&result); 445 446 if (err != MP_OKAY) { 447 MP_TO_SEC_ERROR(err); 448 return SECFailure; 449 } 450 return SECSuccess; 451} 452 453SECStatus 454JPAKE_Final(PLArenaPool * arena, const SECItem * p, const SECItem * q, 455 const SECItem * x2, const SECItem * gx4, const SECItem * x2s, 456 const SECItem * B, SECItem * K) 457{ 458 mp_err err; 459 mp_int P; 460 mp_int Q; 461 mp_int tmp; 462 mp_int exponent; 463 mp_int divisor; 464 mp_int base; 465 466 if (!arena || 467 !p || !p->data || p->len == 0 || 468 !q || !q->data || q->len == 0 || 469 !x2 || !x2->data || x2->len == 0 || 470 !gx4 || !gx4->data || gx4->len == 0 || 471 !x2s || !x2s->data || x2s->len == 0 || 472 !B || !B->data || B->len == 0 || 473 !K || K->data != NULL) { 474 PORT_SetError(SEC_ERROR_INVALID_ARGS); 475 return SECFailure; 476 } 477 478 MP_DIGITS(&P) = 0; 479 MP_DIGITS(&Q) = 0; 480 MP_DIGITS(&tmp) = 0; 481 MP_DIGITS(&exponent) = 0; 482 MP_DIGITS(&divisor) = 0; 483 MP_DIGITS(&base) = 0; 484 485 CHECK_MPI_OK( mp_init(&P) ); 486 CHECK_MPI_OK( mp_init(&Q) ); 487 CHECK_MPI_OK( mp_init(&tmp) ); 488 CHECK_MPI_OK( mp_init(&exponent) ); 489 CHECK_MPI_OK( mp_init(&divisor) ); 490 CHECK_MPI_OK( mp_init(&base) ); 491 492 /* exponent = -x2s (mod q) */ 493 SECITEM_TO_MPINT(*q, &Q); 494 SECITEM_TO_MPINT(*x2s, &tmp); 495 /* q == 0 (mod q), so q - x2s == -x2s (mod q) */ 496 CHECK_MPI_OK( mp_sub(&Q, &tmp, &exponent) ); 497 498 /* divisor = gx4^-x2s = 1/(gx4^x2s) (mod p) */ 499 SECITEM_TO_MPINT(*p, &P); 500 SECITEM_TO_MPINT(*gx4, &tmp); 501 CHECK_MPI_OK( mp_exptmod(&tmp, &exponent, &P, &divisor) ); 502 503 /* base = B*divisor = B/(gx4^x2s) (mod p) */ 504 SECITEM_TO_MPINT(*B, &tmp); 505 CHECK_MPI_OK( mp_mulmod(&divisor, &tmp, &P, &base) ); 506 507 /* tmp = base^x2 (mod p) */ 508 SECITEM_TO_MPINT(*x2, &exponent); 509 CHECK_MPI_OK( mp_exptmod(&base, &exponent, &P, &tmp) ); 510 511 MPINT_TO_SECITEM(&tmp, K, arena); 512 513cleanup: 514 mp_clear(&P); 515 mp_clear(&Q); 516 mp_clear(&tmp); 517 mp_clear(&exponent); 518 mp_clear(&divisor); 519 mp_clear(&base); 520 521 if (err != MP_OKAY) { 522 MP_TO_SEC_ERROR(err); 523 return SECFailure; 524 } 525 return SECSuccess; 526}