
/security/nss/lib/freebl/jpake.c

  1/* ***** BEGIN LICENSE BLOCK *****
  2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3 *
  4 * The contents of this file are subject to the Mozilla Public License Version
  5 * 1.1 (the "License"); you may not use this file except in compliance with
  6 * the License. You may obtain a copy of the License at
  7 * http://www.mozilla.org/MPL/
  8 *
  9 * Software distributed under the License is distributed on an "AS IS" basis,
 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 11 * for the specific language governing rights and limitations under the
 12 * License.
 13 *
 14 * The Original Code is the Netscape security libraries.
 15 *
 16 * The Initial Developer of the Original Code is Mozilla Foundation.
 17 * Portions created by the Initial Developer are Copyright (C) 2010
 18 * the Initial Developer. All Rights Reserved.
 19 *
 20 * Contributor(s):
 21 *
 22 * Alternatively, the contents of this file may be used under the terms of
 23 * either the GNU General Public License Version 2 or later (the "GPL"), or
 24 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 25 * in which case the provisions of the GPL or the LGPL are applicable instead
 26 * of those above. If you wish to allow use of your version of this file only
 27 * under the terms of either the GPL or the LGPL, and not to allow others to
 28 * use your version of this file under the terms of the MPL, indicate your
 29 * decision by deleting the provisions above and replace them with the notice
 30 * and other provisions required by the GPL or the LGPL. If you do not delete
 31 * the provisions above, a recipient may use your version of this file under
 32 * the terms of any one of the MPL, the GPL or the LGPL.
 33 *
 34 * ***** END LICENSE BLOCK ***** */
 35
 36#ifdef FREEBL_NO_DEPEND
 37#include "stubs.h"
 38#endif
 39
 40#include "blapi.h"
 41#include "secerr.h"
 42#include "secitem.h"
 43#include "secmpi.h"
 44
/* Feed one SECItem into a running hash as a 16-bit big-endian length
 * followed by the item's bytes. Items of 0x10000 bytes or more are
 * rejected with MP_BADARG. The length framing mirrors OpenSSL's J-PAKE
 * implementation so both sides derive the same challenge hash.
 *
 * hash: an open HASHContext (begin() already called).
 * it:   the item to absorb; its data pointer is not validated here.
 * Returns MP_OKAY, or MP_BADARG when the item is too long to frame.
 */
static mp_err
hashSECItem(HASHContext * hash, const SECItem * it)
{
    unsigned char lenPrefix[2];
    const unsigned int itemLen = it->len;

    if (itemLen > 0xffff) {
        return MP_BADARG;
    }

    /* Network byte order: high byte first. */
    lenPrefix[0] = (unsigned char) (itemLen >> 8);
    lenPrefix[1] = (unsigned char) (itemLen & 0xff);
    hash->hashobj->update(hash->hash_context, lenPrefix, sizeof lenPrefix);
    hash->hashobj->update(hash->hash_context, it->data, itemLen);
    return MP_OKAY;
}
 63
/* Hash all public components of the signature, each prefixed with its
   length, and then convert the hash to an mp_int.

   Computes h = H(g || gv || gx || signerID), each item framed by
   hashSECItem (2-byte big-endian length, then the bytes), and reads the
   digest as an unsigned big-endian integer into *h.

   hashType: selects the hash; MP_BADARG if it is unknown or its output
             would not fit hBuf.
   g, gv, gx, signerID: the public values bound into the challenge.
   h:        receives the digest; callers in this file mp_init it first.
   Returns MP_OKAY, MP_BADARG, MP_MEM, or the first mpi error.

   The CHECK_MPI_OK / SECITEM_TO_MPINT macros (from secmpi.h) store the
   error in err and jump to cleanup on failure, so err is always set by
   the time cleanup runs. */
static mp_err
hashPublicParams(HASH_HashType hashType, const SECItem * g,
                 const SECItem * gv, const SECItem * gx,
                 const SECItem * signerID, mp_int * h)
{
    mp_err err;
    unsigned char hBuf[HASH_LENGTH_MAX];
    SECItem hItem;
    HASHContext hash;

    hash.hashobj = HASH_GetRawHashObject(hashType);
    /* Guard the stack buffer: the digest must fit in hBuf. */
    if (hash.hashobj == NULL || hash.hashobj->length > sizeof hBuf) {
        return MP_BADARG;
    }
    hash.hash_context = hash.hashobj->create();
    if (hash.hash_context == NULL) {
        return MP_MEM;
    }

    hItem.data = hBuf;
    hItem.len = hash.hashobj->length;

    hash.hashobj->begin(hash.hash_context);
    /* Order matters: the peer must hash the same items in the same order. */
    CHECK_MPI_OK( hashSECItem(&hash, g) );
    CHECK_MPI_OK( hashSECItem(&hash, gv) );
    CHECK_MPI_OK( hashSECItem(&hash, gx) );
    CHECK_MPI_OK( hashSECItem(&hash, signerID) );
    /* end() writes the digest into hBuf and the actual length into hItem.len. */
    hash.hashobj->end(hash.hash_context, hItem.data, &hItem.len,
                      sizeof hBuf);
    SECITEM_TO_MPINT(hItem, h);

cleanup:
    /* hash_context is never NULL here (checked above); the test is
       defensive only. The digest is public, so hBuf is not wiped. */
    if (hash.hash_context != NULL) {
        hash.hashobj->destroy(hash.hash_context, PR_TRUE);
    }

    return err;
}
104
/* Generate a Schnorr signature for round 1 or round 2.
 *
 * Computes gx = g^x (mod p) unless the caller supplies it, picks a random
 * v (or uses testRandom verbatim), and produces the proof of knowledge of x:
 *   gv = g^v (mod p)
 *   h  = H(g, gv, gx, signerID)
 *   r  = v - x*h (mod q)
 *
 * arena:      gxOut, gv, r (and the random v) are allocated from here.
 * pqg:        group parameters p (prime), q (subPrime) and g (base).
 * hashType:   hash used for the challenge h.
 * signerID:   identity bound into the challenge hash.
 * x:          the secret exponent being proven.
 * testRandom: optional fixed v; NULL selects a fresh random value.
 * gxIn/gxOut: exactly one is used. With gxIn == NULL, g^x is computed and
 *             written to gxOut (whose data must be NULL on entry); with
 *             gxIn supplied, gxOut must be NULL.
 * gv, r:      outputs; data must be NULL on entry.
 * Returns SECFailure with SEC_ERROR_INVALID_ARGS for bad arguments, the
 * DSA_NewRandom failure, or the translated mpi error; SECSuccess otherwise.
 */
SECStatus
JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
           const SECItem * signerID, const SECItem * x,
           const SECItem * testRandom, const SECItem * gxIn, SECItem * gxOut,
           SECItem * gv, SECItem * r)
{
    SECStatus rv = SECSuccess;
    mp_err err;   /* assigned by the CHECK_MPI_OK family before any goto cleanup */
    mp_int p;
    mp_int q;
    mp_int g;
    mp_int X;     /* secret exponent */
    mp_int GX;
    mp_int V;     /* secret nonce */
    mp_int GV;
    mp_int h;
    mp_int tmp;   /* x*h (mod q) */
    mp_int R;
    SECItem v;    /* the nonce bytes: fresh random or testRandom */

    /* Output items must be empty so the arena allocations below cannot
       clobber caller-owned data; gxIn and gxOut are mutually exclusive. */
    if (!arena    ||
        !pqg      || !pqg->prime.data     || pqg->prime.len == 0 ||
                     !pqg->subPrime.data  || pqg->subPrime.len == 0 ||
                     !pqg->base.data      || pqg->base.len == 0 ||
        !signerID || !signerID->data      || signerID->len == 0 ||
        !x        || !x->data             || x->len == 0 ||
        (testRandom && (!testRandom->data || testRandom->len == 0)) ||
        (gxIn == NULL && (!gxOut || gxOut->data != NULL)) ||
        (gxIn != NULL && (!gxIn->data || gxIn->len == 0 || gxOut != NULL)) ||
        !gv       || gv->data != NULL ||
        !r        || r->data != NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }


    /* Zero the digit pointers first, presumably so the unconditional
       mp_clear calls at cleanup are harmless for any mp_int whose mp_init
       never ran. */
    MP_DIGITS(&p) = 0;
    MP_DIGITS(&q) = 0;
    MP_DIGITS(&g) = 0;
    MP_DIGITS(&X) = 0;
    MP_DIGITS(&GX) = 0;
    MP_DIGITS(&V) = 0;
    MP_DIGITS(&GV) = 0;
    MP_DIGITS(&h) = 0;
    MP_DIGITS(&tmp) = 0;
    MP_DIGITS(&R) = 0;

    CHECK_MPI_OK( mp_init(&p) );
    CHECK_MPI_OK( mp_init(&q) );
    CHECK_MPI_OK( mp_init(&g) );
    CHECK_MPI_OK( mp_init(&X) );
    CHECK_MPI_OK( mp_init(&GX) );
    CHECK_MPI_OK( mp_init(&V) );
    CHECK_MPI_OK( mp_init(&GV) );
    CHECK_MPI_OK( mp_init(&h) );
    CHECK_MPI_OK( mp_init(&tmp) );
    CHECK_MPI_OK( mp_init(&R) );

    SECITEM_TO_MPINT(pqg->prime, &p);
    SECITEM_TO_MPINT(pqg->subPrime, &q);
    SECITEM_TO_MPINT(pqg->base, &g);
    SECITEM_TO_MPINT(*x,  &X);

    /* gx = g^x */
    if (gxIn == NULL) {
        CHECK_MPI_OK( mp_exptmod(&g, &X, &p, &GX) );
        MPINT_TO_SECITEM(&GX, gxOut, arena);
        /* From here on gxIn always points at the encoded g^x for hashing. */
        gxIn = gxOut;
    } else {
        SECITEM_TO_MPINT(*gxIn, &GX);
    }

    /* v is a random value in the q subgroup */
    if (testRandom == NULL) {
        v.data = NULL;
        rv = DSA_NewRandom(arena, &pqg->subPrime, &v);
        if (rv != SECSuccess) {
            goto cleanup;
        }
    } else {
        /* testRandom bypasses the RNG. Since r = v - x*h (mod q), a fixed
           or repeated v exposes x, so this path is only for known-answer
           tests. */
        v.data = testRandom->data;
        v.len = testRandom->len;
    }
    SECITEM_TO_MPINT(v, &V);

    /* gv = g^v (mod p), random v, 1 <= v < q */
    CHECK_MPI_OK( mp_exptmod(&g, &V, &p, &GV) );
    MPINT_TO_SECITEM(&GV, gv, arena);

    /* h = H(g, gv, gx, signerID) */
    CHECK_MPI_OK( hashPublicParams(hashType, &pqg->base, gv, gxIn, signerID,
                                   &h) );

    /* r = v - x*h (mod q) */
    CHECK_MPI_OK( mp_mulmod(&X, &h, &q, &tmp) );
    CHECK_MPI_OK( mp_submod(&V, &tmp, &q, &R) );
    MPINT_TO_SECITEM(&R, r, arena);

cleanup:
    /* NOTE(review): X, V and tmp hold secrets; whether mp_clear wipes the
       digits before freeing is a property of the mpi library — confirm.
       The random v bytes live in the caller's arena and are not wiped here. */
    mp_clear(&p);
    mp_clear(&q);
    mp_clear(&g);
    mp_clear(&X);
    mp_clear(&GX);
    mp_clear(&V);
    mp_clear(&GV);
    mp_clear(&h);
    mp_clear(&tmp);
    mp_clear(&R);

    /* rv already records a DSA_NewRandom failure; otherwise translate the
       mpi error (err was set by the first CHECK_MPI_OK before any goto). */
    if (rv == SECSuccess && err != MP_OKAY) {
        MP_TO_SEC_ERROR(err);
        rv = SECFailure;
    }
    return rv;
}
222
/* Verify a Schnorr signature generated by the peer in round 1 or round 2.
 *
 * Recomputes h = H(g, gv, gx, peerID) and checks
 *   g^r * (g^x)^h == gv (mod p)
 * after rejecting out-of-range public values.
 *
 * arena:    scratch allocation for the recomputed g^v.
 * pqg:      group parameters p, q, g.
 * hashType: hash used for the challenge h.
 * signerID: our own identity; peerID: the prover's identity. The two must
 *           differ — presumably so a proof cannot be reflected back to its
 *           author.
 * gx, gv, r: the peer's public value, commitment and response.
 * Returns SECSuccess only when the proof verifies. Otherwise SECFailure
 * with SEC_ERROR_BAD_SIGNATURE (range check or comparison failed),
 * SEC_ERROR_INVALID_ARGS, or the translated mpi error.
 */
SECStatus
JPAKE_Verify(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
             const SECItem * signerID, const SECItem * peerID,
             const SECItem * gx, const SECItem * gv, const SECItem * r)
{
    SECStatus rv = SECSuccess;
    mp_err err;          /* assigned by CHECK_MPI_OK before any goto cleanup */
    mp_int p;
    mp_int q;
    mp_int g;
    mp_int p_minus_1;
    mp_int GX;
    mp_int h;
    mp_int one;          /* (g^x)^q mod p, expected to be 1 */
    mp_int R;
    mp_int gr;           /* g^r */
    mp_int gxh;          /* (g^x)^h */
    mp_int gr_gxh;       /* recomputed g^v */
    SECItem calculated;  /* gr_gxh encoded for comparison against gv */

    if (!arena    ||
        !pqg      || !pqg->prime.data    || pqg->prime.len == 0 ||
                     !pqg->subPrime.data || pqg->subPrime.len == 0 ||
                     !pqg->base.data     || pqg->base.len == 0 ||
        !signerID || !signerID->data  || signerID->len == 0 ||
        !peerID   || !peerID->data    || peerID->len == 0 ||
        !gx       || !gx->data        || gx->len == 0 ||
        !gv       || !gv->data        || gv->len == 0 ||
        !r        || !r->data         || r->len == 0 ||
        SECITEM_CompareItem(signerID, peerID) == SECEqual) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    /* Zeroed digit pointers presumably keep the unconditional mp_clear
       calls at cleanup safe if an early CHECK_MPI_OK fails. */
    MP_DIGITS(&p) = 0;
    MP_DIGITS(&q) = 0;
    MP_DIGITS(&g) = 0;
    MP_DIGITS(&p_minus_1) = 0;
    MP_DIGITS(&GX) = 0;
    MP_DIGITS(&h) = 0;
    MP_DIGITS(&one) = 0;
    MP_DIGITS(&R) = 0;
    MP_DIGITS(&gr) = 0;
    MP_DIGITS(&gxh) = 0;
    MP_DIGITS(&gr_gxh) = 0;
    calculated.data = NULL;

    CHECK_MPI_OK( mp_init(&p) );
    CHECK_MPI_OK( mp_init(&q) );
    CHECK_MPI_OK( mp_init(&g) );
    CHECK_MPI_OK( mp_init(&p_minus_1) );
    CHECK_MPI_OK( mp_init(&GX) );
    CHECK_MPI_OK( mp_init(&h) );
    CHECK_MPI_OK( mp_init(&one) );
    CHECK_MPI_OK( mp_init(&R) );
    CHECK_MPI_OK( mp_init(&gr) );
    CHECK_MPI_OK( mp_init(&gxh) );
    CHECK_MPI_OK( mp_init(&gr_gxh) );

    SECITEM_TO_MPINT(pqg->prime, &p);
    SECITEM_TO_MPINT(pqg->subPrime, &q);
    SECITEM_TO_MPINT(pqg->base, &g);
    SECITEM_TO_MPINT(*gx, &GX);
    SECITEM_TO_MPINT(*r, &R);

    CHECK_MPI_OK( mp_sub_d(&p, 1, &p_minus_1) );
    CHECK_MPI_OK( mp_exptmod(&GX, &q, &p, &one) );
    /* Check g^x is in [1, p-2], R is in [0, q-1], and (g^x)^q mod p == 1.
       The last test confirms g^x lies in the order-q subgroup, so an
       attacker cannot substitute a small-order element. R was read as an
       unsigned integer, so only the upper bound needs checking. */
    if (!(mp_cmp_z(&GX) > 0 &&
          mp_cmp(&GX, &p_minus_1) < 0 &&
          mp_cmp(&R, &q) < 0 &&
          mp_cmp_d(&one, 1) == 0)) {
        goto badSig;
    }

    /* The peer's ID, not ours, is what the prover hashed. */
    CHECK_MPI_OK( hashPublicParams(hashType, &pqg->base, gv, gx, peerID,
                                   &h) );

    /* Calculate g^v = g^r * g^x^h */
    CHECK_MPI_OK( mp_exptmod(&g, &R, &p, &gr) );
    CHECK_MPI_OK( mp_exptmod(&GX, &h, &p, &gxh) );
    CHECK_MPI_OK( mp_mulmod(&gr, &gxh, &p, &gr_gxh) );

    /* Compare calculated g^v to given g^v.
       NOTE(review): requiring equal lengths means gv must be the minimal
       big-endian encoding that MPINT_TO_SECITEM produces; a gv with a
       leading zero byte fails verification even if numerically equal.
       NSS_SecureMemcmp is, per its name, a constant-time compare. */
    MPINT_TO_SECITEM(&gr_gxh, &calculated, arena);
    if (calculated.len == gv->len &&
        NSS_SecureMemcmp(calculated.data, gv->data, calculated.len) == 0) {
        rv = SECSuccess;
    } else {
/* Also reached by goto from the range check; err is MP_OKAY on that path,
   so only rv changes. */
badSig: PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
        rv = SECFailure;
    }

cleanup:
    mp_clear(&p);
    mp_clear(&q);
    mp_clear(&g);
    mp_clear(&p_minus_1);
    mp_clear(&GX);
    mp_clear(&h);
    mp_clear(&one);
    mp_clear(&R);
    mp_clear(&gr);
    mp_clear(&gxh);
    mp_clear(&gr_gxh);

    /* A bad signature already set rv; otherwise translate the mpi error. */
    if (rv == SECSuccess && err != MP_OKAY) {
        MP_TO_SEC_ERROR(err);
        rv = SECFailure;
    }
    return rv;
}
336
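/* Calculate base = gx1*gx3*gx4 (mod p), i.e. g^(x1+x3+x4) (mod p).
 *
 * gx1:  our own round-1 public value.
 * gx3, gx4: the peer's round-1 public values; they must be distinct.
 * p:    the group modulus.
 * base: receives the product reduced mod p (caller-initialised mp_int).
 * Returns MP_OKAY, MP_BADARG when gx3 == gx4, or the first mpi error.
 *
 * Every failure path goes through cleanup so the four temporaries are
 * always released; the CHECK_MPI_OK / SECITEM_TO_MPINT macros assign err
 * and jump there themselves.
 */
static mp_err
jpake_Round2Base(const SECItem * gx1, const SECItem * gx3,
                 const SECItem * gx4, const mp_int * p, mp_int * base)
{
    mp_err err;
    mp_int GX1;
    mp_int GX3;
    mp_int GX4;
    mp_int tmp;

    /* Zeroed digit pointers keep mp_clear at cleanup safe even if an
       mp_init below fails part-way. */
    MP_DIGITS(&GX1) = 0;
    MP_DIGITS(&GX3) = 0;
    MP_DIGITS(&GX4) = 0;
    MP_DIGITS(&tmp) = 0;

    CHECK_MPI_OK( mp_init(&GX1) );
    CHECK_MPI_OK( mp_init(&GX3) );
    CHECK_MPI_OK( mp_init(&GX4) );
    CHECK_MPI_OK( mp_init(&tmp) );

    SECITEM_TO_MPINT(*gx1, &GX1);
    SECITEM_TO_MPINT(*gx3, &GX3);
    SECITEM_TO_MPINT(*gx4, &GX4);

    /* In round 2, the peer/attacker sends us g^x3 and g^x4 and the protocol
       requires that these values are distinct. Fail via cleanup rather
       than returning directly, otherwise the mp_ints initialised above
       would leak. */
    if (mp_cmp(&GX3, &GX4) == 0) {
        err = MP_BADARG;
        goto cleanup;
    }

    /* Multiply unreduced, then take a single mod p. mpi permits tmp as
       both operand and destination. */
    CHECK_MPI_OK( mp_mul(&GX1, &GX3, &tmp) );
    CHECK_MPI_OK( mp_mul(&tmp, &GX4, &tmp) );
    CHECK_MPI_OK( mp_mod(&tmp, p, base) );

cleanup:
    mp_clear(&GX1);
    mp_clear(&GX3);
    mp_clear(&GX4);
    mp_clear(&tmp);
    return err;
}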
379
/* Round 2: derive this party's new base and, optionally, its exponent.
 *
 *   base = gx1 * gx3 * gx4 (mod p)   (via jpake_Round2Base)
 *   x2s  = x2 * s (mod q)            (only when x2s != NULL)
 *
 * arena: base and x2s are allocated from here.
 * p, q:  group modulus and subgroup order; q is only parsed when x2s is
 *        requested.
 * gx1:   our own round-1 value; gx3, gx4: the peer's (must be distinct).
 * base:  output; data must be NULL on entry.
 * x2, s: our round-1 secret and the shared secret s (presumably
 *        password-derived); required only when x2s is requested.
 *        s must be in [1, q-1].
 * x2s:   optional output; data must be NULL on entry.
 * Returns SECSuccess, or SECFailure with SEC_ERROR_INVALID_ARGS or the
 * translated mpi error (MP_BADARG for s out of range or gx3 == gx4).
 */
SECStatus
JPAKE_Round2(PLArenaPool * arena,
             const SECItem * p, const SECItem  *q, const SECItem * gx1,
             const SECItem * gx3, const SECItem * gx4, SECItem * base,
             const SECItem * x2, const SECItem * s, SECItem * x2s)
{
    mp_err err;      /* assigned by CHECK_MPI_OK before any goto cleanup */
    mp_int P;
    mp_int Q;
    mp_int X2;       /* secret */
    mp_int S;        /* secret */
    mp_int result;   /* reused: first x2*s, then the base */

    /* x2 and s are only validated when x2s is actually requested. */
    if (!arena ||
        !p     || !p->data    || p->len == 0   ||
        !q     || !q->data    || q->len == 0   ||
        !gx1   || !gx1->data  || gx1->len == 0 ||
        !gx3   || !gx3->data  || gx3->len == 0 ||
        !gx4   || !gx4->data  || gx4->len == 0 ||
        !base  || base->data != NULL ||
        (x2s != NULL && (x2s->data != NULL ||
           !x2 || !x2->data   || x2->len == 0 ||
           !s  || !s->data    || s->len == 0))) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    /* X2 and S are only mp_init'd on the x2s path; zeroed digit pointers
       presumably keep the unconditional mp_clear at cleanup safe. */
    MP_DIGITS(&P) = 0;
    MP_DIGITS(&Q) = 0;
    MP_DIGITS(&X2) = 0;
    MP_DIGITS(&S) = 0;
    MP_DIGITS(&result) = 0;

    CHECK_MPI_OK( mp_init(&P) );
    CHECK_MPI_OK( mp_init(&Q) );
    CHECK_MPI_OK( mp_init(&result) );

    if (x2s != NULL) {
        CHECK_MPI_OK( mp_init(&X2) );
        CHECK_MPI_OK( mp_init(&S) );

        SECITEM_TO_MPINT(*q, &Q);
        SECITEM_TO_MPINT(*x2, &X2);

        SECITEM_TO_MPINT(*s, &S);
        /* S must be in [1, Q-1]: s == 0 would make x2s zero and the
           final key independent of the secret. */
        if (mp_cmp_z(&S) <= 0 || mp_cmp(&S, &Q) >= 0) {
            err = MP_BADARG;
            goto cleanup;
        }

        CHECK_MPI_OK( mp_mulmod(&X2, &S, &Q, &result) );
        MPINT_TO_SECITEM(&result, x2s, arena);
    }

    /* result is overwritten here; x2s has already been copied out. */
    SECITEM_TO_MPINT(*p, &P);
    CHECK_MPI_OK( jpake_Round2Base(gx1, gx3, gx4, &P, &result) );
    MPINT_TO_SECITEM(&result, base, arena);

cleanup:
    /* NOTE(review): X2, S and result carry secrets; whether mp_clear wipes
       digits before freeing is a property of the mpi library — confirm. */
    mp_clear(&P);
    mp_clear(&Q);
    mp_clear(&X2);
    mp_clear(&S);
    mp_clear(&result);

    if (err != MP_OKAY) {
        MP_TO_SEC_ERROR(err);
        return SECFailure;
    }
    return SECSuccess;
}
452
/* Final step: derive the raw shared key material K.
 *
 *   K = (B / gx4^x2s)^x2 (mod p)
 * computed as
 *   exponent = q - x2s            (== -x2s mod q)
 *   divisor  = gx4^exponent (mod p)
 *   base     = B * divisor (mod p)
 *   K        = base^x2 (mod p)
 *
 * arena: K is allocated from here.
 * p, q:  group modulus and subgroup order.
 * x2:    our round-1 secret; x2s: x2*s as produced by JPAKE_Round2.
 * gx4:   the peer's round-1 value; B: the peer's round-2 value.
 * K:     output; data must be NULL on entry. K is a raw group element;
 *        presumably callers hash it before using it as a key — confirm.
 * Returns SECSuccess, or SECFailure with SEC_ERROR_INVALID_ARGS or the
 * translated mpi error.
 */
SECStatus
JPAKE_Final(PLArenaPool * arena, const SECItem * p, const SECItem * q,
            const SECItem * x2, const SECItem * gx4, const SECItem * x2s,
            const SECItem * B, SECItem * K)
{
    mp_err err;        /* assigned by CHECK_MPI_OK before any goto cleanup */
    mp_int P;
    mp_int Q;
    mp_int tmp;        /* reused: x2s, then gx4, then B, then K */
    mp_int exponent;   /* reused: -x2s (mod q), then x2 */
    mp_int divisor;
    mp_int base;

    if (!arena ||
        !p     || !p->data    || p->len == 0   ||
        !q     || !q->data    || q->len == 0   ||
        !x2    || !x2->data   || x2->len == 0  ||
        !gx4   || !gx4->data  || gx4->len == 0 ||
        !x2s   || !x2s->data  || x2s->len == 0 ||
        !B     || !B->data    || B->len == 0 ||
        !K     || K->data != NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    /* Zeroed digit pointers presumably keep mp_clear at cleanup safe if an
       mp_init fails part-way. */
    MP_DIGITS(&P) = 0;
    MP_DIGITS(&Q) = 0;
    MP_DIGITS(&tmp) = 0;
    MP_DIGITS(&exponent) = 0;
    MP_DIGITS(&divisor) = 0;
    MP_DIGITS(&base) = 0;

    CHECK_MPI_OK( mp_init(&P) );
    CHECK_MPI_OK( mp_init(&Q) );
    CHECK_MPI_OK( mp_init(&tmp) );
    CHECK_MPI_OK( mp_init(&exponent) );
    CHECK_MPI_OK( mp_init(&divisor) );
    CHECK_MPI_OK( mp_init(&base) );

    /* exponent = -x2s (mod q) */
    SECITEM_TO_MPINT(*q, &Q);
    SECITEM_TO_MPINT(*x2s, &tmp);
    /*  q == 0 (mod q), so q - x2s == -x2s (mod q)
        NOTE(review): this is a plain mp_sub, not mp_submod, so it relies on
        0 <= x2s < q (true for x2s from JPAKE_Round2); a larger x2s gives a
        negative exponent and whatever mp_exptmod does with it — confirm. */
    CHECK_MPI_OK( mp_sub(&Q, &tmp, &exponent) );

    /* divisor = gx4^-x2s = 1/(gx4^x2s) (mod p) */
    SECITEM_TO_MPINT(*p, &P);
    SECITEM_TO_MPINT(*gx4, &tmp);
    CHECK_MPI_OK( mp_exptmod(&tmp, &exponent, &P, &divisor) );

    /* base = B*divisor = B/(gx4^x2s) (mod p) */
    SECITEM_TO_MPINT(*B, &tmp);
    CHECK_MPI_OK( mp_mulmod(&divisor, &tmp, &P, &base) );

    /* tmp = base^x2 (mod p) */
    SECITEM_TO_MPINT(*x2, &exponent);
    CHECK_MPI_OK( mp_exptmod(&base, &exponent, &P, &tmp) );

    MPINT_TO_SECITEM(&tmp, K, arena);

cleanup:
    /* NOTE(review): tmp, exponent, divisor and base all hold secret
       intermediates; whether mp_clear wipes digits before freeing is a
       property of the mpi library — confirm. */
    mp_clear(&P);
    mp_clear(&Q);
    mp_clear(&tmp);
    mp_clear(&exponent);
    mp_clear(&divisor);
    mp_clear(&base);

    if (err != MP_OKAY) {
        MP_TO_SEC_ERROR(err);
        return SECFailure;
    }
    return SECSuccess;
}