/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif

#include "blapi.h"
#include "secerr.h"
#include "secitem.h"
#include "secmpi.h"

/* Hash an item's length and then its value. Only items smaller than 2^16 bytes
 * are allowed. Lengths are hashed in network byte order. This is designed
 * to match the OpenSSL J-PAKE implementation.
 *
 * hash: a HASHContext whose hashobj and hash_context are set and on which
 *       begin() has already been called (hashPublicParams does this).
 * it:   the item to absorb. it->data is not NULL-checked here; the public
 *       entry points validate their SECItems before reaching this function.
 * Returns MP_BADARG when it->len does not fit the 2-byte length prefix,
 * MP_OKAY otherwise.
 */
static mp_err
hashSECItem(HASHContext * hash, const SECItem * it)
{
    unsigned char length[2];

    if (it->len > 0xffff)
        return MP_BADARG;

    /* Big-endian 16-bit length prefix, then the raw bytes. */
    length[0] = (unsigned char) (it->len >> 8);
    length[1] = (unsigned char) (it->len);
    hash->hashobj->update(hash->hash_context, length, 2);
    hash->hashobj->update(hash->hash_context, it->data, it->len);
    return MP_OKAY;
}

/* Hash all public components of the signature, each prefixed with its
 * length, and then convert the hash to an mp_int.
 *
 * Computes h = H(len(g)||g || len(gv)||gv || len(gx)||gx ||
 * len(signerID)||signerID) with the raw hash object for hashType. The
 * element order is the contract shared by JPAKE_Sign and JPAKE_Verify, which
 * both call this with the same argument order.
 *
 * h: receives the digest interpreted as an unsigned integer via
 *    SECITEM_TO_MPINT.
 * Returns MP_BADARG for an unknown hashType or a digest longer than
 * HASH_LENGTH_MAX, MP_MEM if the hash context cannot be created, otherwise
 * the status of the hashSECItem / SECITEM_TO_MPINT steps (err is assigned by
 * every CHECK_MPI_OK and by SECITEM_TO_MPINT, so it is set on every path
 * that reaches cleanup).
 */
static mp_err
hashPublicParams(HASH_HashType hashType, const SECItem * g,
                 const SECItem * gv, const SECItem * gx,
                 const SECItem * signerID, mp_int * h)
{
    mp_err err;
    unsigned char hBuf[HASH_LENGTH_MAX];
    SECItem hItem;
    HASHContext hash;

    hash.hashobj = HASH_GetRawHashObject(hashType);
    /* Guard the fixed-size output buffer against a digest that would not fit. */
    if (hash.hashobj == NULL || hash.hashobj->length > sizeof hBuf) {
        return MP_BADARG;
    }
    hash.hash_context = hash.hashobj->create();
    if (hash.hash_context == NULL) {
        return MP_MEM;
    }

    hItem.data = hBuf;
    hItem.len = hash.hashobj->length;

    hash.hashobj->begin(hash.hash_context);
    CHECK_MPI_OK( hashSECItem(&hash, g) );
    CHECK_MPI_OK( hashSECItem(&hash, gv) );
    CHECK_MPI_OK( hashSECItem(&hash, gx) );
    CHECK_MPI_OK( hashSECItem(&hash, signerID) );
    /* end() writes the digest into hBuf and updates hItem.len. */
    hash.hashobj->end(hash.hash_context, hItem.data, &hItem.len,
                      sizeof hBuf);
    SECITEM_TO_MPINT(hItem, h);

cleanup:
    /* Defensive: the NULL case already returned above, so this always runs. */
    if (hash.hash_context != NULL) {
        hash.hashobj->destroy(hash.hash_context, PR_TRUE);
    }

    return err;
}

/* Generate a Schnorr signature for round 1 or round 2.
 *
 * Proves knowledge of the exponent x behind gx = g^x (mod p):
 *   v  <- random in [1, q-1]   (or testRandom, when supplied)
 *   gv  = g^v (mod p)
 *   h   = H(g, gv, gx, signerID)
 *   r   = v - x*h (mod q)
 *
 * arena:      every output item is allocated from it; the caller owns it.
 * pqg:        group parameters: prime p, subPrime q, base g.
 * hashType:   hash used for h.
 * signerID:   this party's identity, bound into h.
 * x:          the secret exponent.
 * testRandom: if non-NULL it is used verbatim as v instead of a fresh random
 *             value. Because r = v - x*h (mod q) with h public, a known or
 *             reused v lets anyone solve for x, so only test vectors should
 *             use this path. NOTE(review): the name suggests test-only use;
 *             confirm against the callers.
 * gxIn/gxOut: exactly one is used: pass gxIn (with gxOut == NULL) when g^x is
 *             already known, otherwise pass an empty gxOut to receive it.
 * gv, r:      empty SECItems (data == NULL) that receive the signature.
 * Returns SECSuccess, or SECFailure with SEC_ERROR_INVALID_ARGS, the error set
 * by DSA_NewRandom, or the mpi error mapped by MP_TO_SEC_ERROR.
 */
SECStatus
JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
           const SECItem * signerID, const SECItem * x,
           const SECItem * testRandom, const SECItem * gxIn, SECItem * gxOut,
           SECItem * gv, SECItem * r)
{
    SECStatus rv = SECSuccess;
    mp_err err;
    mp_int p;
    mp_int q;
    mp_int g;
    mp_int X;
    mp_int GX;
    mp_int V;
    mp_int GV;
    mp_int h;
    mp_int tmp;
    mp_int R;
    SECItem v;

    /* Output items must be empty; MPINT_TO_SECITEM allocates into them. */
    if (!arena ||
        !pqg || !pqg->prime.data || pqg->prime.len == 0 ||
        !pqg->subPrime.data || pqg->subPrime.len == 0 ||
        !pqg->base.data || pqg->base.len == 0 ||
        !signerID || !signerID->data || signerID->len == 0 ||
        !x || !x->data || x->len == 0 ||
        (testRandom && (!testRandom->data || testRandom->len == 0)) ||
        (gxIn == NULL && (!gxOut || gxOut->data != NULL)) ||
        (gxIn != NULL && (!gxIn->data || gxIn->len == 0 || gxOut != NULL)) ||
        !gv || gv->data != NULL ||
        !r || r->data != NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    /* Zero the digit pointers first so the mp_clear() calls in cleanup are
     * safe even when an mp_init() below fails part-way through. */
    MP_DIGITS(&p) = 0;
    MP_DIGITS(&q) = 0;
    MP_DIGITS(&g) = 0;
    MP_DIGITS(&X) = 0;
    MP_DIGITS(&GX) = 0;
    MP_DIGITS(&V) = 0;
    MP_DIGITS(&GV) = 0;
    MP_DIGITS(&h) = 0;
    MP_DIGITS(&tmp) = 0;
    MP_DIGITS(&R) = 0;

    CHECK_MPI_OK( mp_init(&p) );
    CHECK_MPI_OK( mp_init(&q) );
    CHECK_MPI_OK( mp_init(&g) );
    CHECK_MPI_OK( mp_init(&X) );
    CHECK_MPI_OK( mp_init(&GX) );
    CHECK_MPI_OK( mp_init(&V) );
    CHECK_MPI_OK( mp_init(&GV) );
    CHECK_MPI_OK( mp_init(&h) );
    CHECK_MPI_OK( mp_init(&tmp) );
    CHECK_MPI_OK( mp_init(&R) );

    SECITEM_TO_MPINT(pqg->prime, &p);
    SECITEM_TO_MPINT(pqg->subPrime, &q);
    SECITEM_TO_MPINT(pqg->base, &g);
    SECITEM_TO_MPINT(*x, &X);

    /* gx = g^x (mod p); either computed here into gxOut or taken from gxIn.
     * After this block gxIn always points at the value that gets hashed. */
    if (gxIn == NULL) {
        CHECK_MPI_OK( mp_exptmod(&g, &X, &p, &GX) );
        MPINT_TO_SECITEM(&GX, gxOut, arena);
        gxIn = gxOut;
    } else {
        SECITEM_TO_MPINT(*gxIn, &GX);
    }

    /* v is a random value in the q subgroup. On DSA_NewRandom failure rv is
     * already SECFailure (and the PORT error is set by it), so the err check
     * at the end is skipped. */
    if (testRandom == NULL) {
        v.data = NULL;
        rv = DSA_NewRandom(arena, &pqg->subPrime, &v);
        if (rv != SECSuccess) {
            goto cleanup;
        }
    } else {
        v.data = testRandom->data;
        v.len = testRandom->len;
    }
    SECITEM_TO_MPINT(v, &V);

    /* gv = g^v (mod p), random v, 1 <= v < q */
    CHECK_MPI_OK( mp_exptmod(&g, &V, &p, &GV) );
    MPINT_TO_SECITEM(&GV, gv, arena);

    /* h = H(g, gv, gx, signerID) */
    CHECK_MPI_OK( hashPublicParams(hashType, &pqg->base, gv, gxIn, signerID,
                                   &h) );

    /* r = v - x*h (mod q) */
    CHECK_MPI_OK( mp_mulmod(&X, &h, &q, &tmp) );
    CHECK_MPI_OK( mp_submod(&V, &tmp, &q, &R) );
    MPINT_TO_SECITEM(&R, r, arena);

cleanup:
    /* Releases every temporary, including the secret X and nonce V. */
    mp_clear(&p);
    mp_clear(&q);
    mp_clear(&g);
    mp_clear(&X);
    mp_clear(&GX);
    mp_clear(&V);
    mp_clear(&GV);
    mp_clear(&h);
    mp_clear(&tmp);
    mp_clear(&R);

    /* Map an mpi failure to an NSS error only if no earlier failure was
     * already recorded in rv. */
    if (rv == SECSuccess && err != MP_OKAY) {
        MP_TO_SEC_ERROR(err);
        rv = SECFailure;
    }
    return rv;
}

/* Verify a Schnorr signature generated by the peer in round 1 or round 2.
*/ andre@0: SECStatus andre@0: JPAKE_Verify(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType, andre@0: const SECItem * signerID, const SECItem * peerID, andre@0: const SECItem * gx, const SECItem * gv, const SECItem * r) andre@0: { andre@0: SECStatus rv = SECSuccess; andre@0: mp_err err; andre@0: mp_int p; andre@0: mp_int q; andre@0: mp_int g; andre@0: mp_int p_minus_1; andre@0: mp_int GX; andre@0: mp_int h; andre@0: mp_int one; andre@0: mp_int R; andre@0: mp_int gr; andre@0: mp_int gxh; andre@0: mp_int gr_gxh; andre@0: SECItem calculated; andre@0: andre@0: if (!arena || andre@0: !pqg || !pqg->prime.data || pqg->prime.len == 0 || andre@0: !pqg->subPrime.data || pqg->subPrime.len == 0 || andre@0: !pqg->base.data || pqg->base.len == 0 || andre@0: !signerID || !signerID->data || signerID->len == 0 || andre@0: !peerID || !peerID->data || peerID->len == 0 || andre@0: !gx || !gx->data || gx->len == 0 || andre@0: !gv || !gv->data || gv->len == 0 || andre@0: !r || !r->data || r->len == 0 || andre@0: SECITEM_CompareItem(signerID, peerID) == SECEqual) { andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); andre@0: return SECFailure; andre@0: } andre@0: andre@0: MP_DIGITS(&p) = 0; andre@0: MP_DIGITS(&q) = 0; andre@0: MP_DIGITS(&g) = 0; andre@0: MP_DIGITS(&p_minus_1) = 0; andre@0: MP_DIGITS(&GX) = 0; andre@0: MP_DIGITS(&h) = 0; andre@0: MP_DIGITS(&one) = 0; andre@0: MP_DIGITS(&R) = 0; andre@0: MP_DIGITS(&gr) = 0; andre@0: MP_DIGITS(&gxh) = 0; andre@0: MP_DIGITS(&gr_gxh) = 0; andre@0: calculated.data = NULL; andre@0: andre@0: CHECK_MPI_OK( mp_init(&p) ); andre@0: CHECK_MPI_OK( mp_init(&q) ); andre@0: CHECK_MPI_OK( mp_init(&g) ); andre@0: CHECK_MPI_OK( mp_init(&p_minus_1) ); andre@0: CHECK_MPI_OK( mp_init(&GX) ); andre@0: CHECK_MPI_OK( mp_init(&h) ); andre@0: CHECK_MPI_OK( mp_init(&one) ); andre@0: CHECK_MPI_OK( mp_init(&R) ); andre@0: CHECK_MPI_OK( mp_init(&gr) ); andre@0: CHECK_MPI_OK( mp_init(&gxh) ); andre@0: CHECK_MPI_OK( mp_init(&gr_gxh) ); andre@0: andre@0: 
SECITEM_TO_MPINT(pqg->prime, &p); andre@0: SECITEM_TO_MPINT(pqg->subPrime, &q); andre@0: SECITEM_TO_MPINT(pqg->base, &g); andre@0: SECITEM_TO_MPINT(*gx, &GX); andre@0: SECITEM_TO_MPINT(*r, &R); andre@0: andre@0: CHECK_MPI_OK( mp_sub_d(&p, 1, &p_minus_1) ); andre@0: CHECK_MPI_OK( mp_exptmod(&GX, &q, &p, &one) ); andre@0: /* Check g^x is in [1, p-2], R is in [0, q-1], and (g^x)^q mod p == 1 */ andre@0: if (!(mp_cmp_z(&GX) > 0 && andre@0: mp_cmp(&GX, &p_minus_1) < 0 && andre@0: mp_cmp(&R, &q) < 0 && andre@0: mp_cmp_d(&one, 1) == 0)) { andre@0: goto badSig; andre@0: } andre@0: andre@0: CHECK_MPI_OK( hashPublicParams(hashType, &pqg->base, gv, gx, peerID, andre@0: &h) ); andre@0: andre@0: /* Calculate g^v = g^r * g^x^h */ andre@0: CHECK_MPI_OK( mp_exptmod(&g, &R, &p, &gr) ); andre@0: CHECK_MPI_OK( mp_exptmod(&GX, &h, &p, &gxh) ); andre@0: CHECK_MPI_OK( mp_mulmod(&gr, &gxh, &p, &gr_gxh) ); andre@0: andre@0: /* Compare calculated g^v to given g^v */ andre@0: MPINT_TO_SECITEM(&gr_gxh, &calculated, arena); andre@0: if (calculated.len == gv->len && andre@0: NSS_SecureMemcmp(calculated.data, gv->data, calculated.len) == 0) { andre@0: rv = SECSuccess; andre@0: } else { andre@0: badSig: PORT_SetError(SEC_ERROR_BAD_SIGNATURE); andre@0: rv = SECFailure; andre@0: } andre@0: andre@0: cleanup: andre@0: mp_clear(&p); andre@0: mp_clear(&q); andre@0: mp_clear(&g); andre@0: mp_clear(&p_minus_1); andre@0: mp_clear(&GX); andre@0: mp_clear(&h); andre@0: mp_clear(&one); andre@0: mp_clear(&R); andre@0: mp_clear(&gr); andre@0: mp_clear(&gxh); andre@0: mp_clear(&gr_gxh); andre@0: andre@0: if (rv == SECSuccess && err != MP_OKAY) { andre@0: MP_TO_SEC_ERROR(err); andre@0: rv = SECFailure; andre@0: } andre@0: return rv; andre@0: } andre@0: andre@0: /* Calculate base = gx1*gx3*gx4 (mod p), i.e. 
g^(x1+x3+x4) (mod p) */ andre@0: static mp_err andre@0: jpake_Round2Base(const SECItem * gx1, const SECItem * gx3, andre@0: const SECItem * gx4, const mp_int * p, mp_int * base) andre@0: { andre@0: mp_err err; andre@0: mp_int GX1; andre@0: mp_int GX3; andre@0: mp_int GX4; andre@0: mp_int tmp; andre@0: andre@0: MP_DIGITS(&GX1) = 0; andre@0: MP_DIGITS(&GX3) = 0; andre@0: MP_DIGITS(&GX4) = 0; andre@0: MP_DIGITS(&tmp) = 0; andre@0: andre@0: CHECK_MPI_OK( mp_init(&GX1) ); andre@0: CHECK_MPI_OK( mp_init(&GX3) ); andre@0: CHECK_MPI_OK( mp_init(&GX4) ); andre@0: CHECK_MPI_OK( mp_init(&tmp) ); andre@0: andre@0: SECITEM_TO_MPINT(*gx1, &GX1); andre@0: SECITEM_TO_MPINT(*gx3, &GX3); andre@0: SECITEM_TO_MPINT(*gx4, &GX4); andre@0: andre@0: /* In round 2, the peer/attacker sends us g^x3 and g^x4 and the protocol andre@0: requires that these values are distinct. */ andre@0: if (mp_cmp(&GX3, &GX4) == 0) { andre@0: return MP_BADARG; andre@0: } andre@0: andre@0: CHECK_MPI_OK( mp_mul(&GX1, &GX3, &tmp) ); andre@0: CHECK_MPI_OK( mp_mul(&tmp, &GX4, &tmp) ); andre@0: CHECK_MPI_OK( mp_mod(&tmp, p, base) ); andre@0: andre@0: cleanup: andre@0: mp_clear(&GX1); andre@0: mp_clear(&GX3); andre@0: mp_clear(&GX4); andre@0: mp_clear(&tmp); andre@0: return err; andre@0: } andre@0: andre@0: SECStatus andre@0: JPAKE_Round2(PLArenaPool * arena, andre@0: const SECItem * p, const SECItem *q, const SECItem * gx1, andre@0: const SECItem * gx3, const SECItem * gx4, SECItem * base, andre@0: const SECItem * x2, const SECItem * s, SECItem * x2s) andre@0: { andre@0: mp_err err; andre@0: mp_int P; andre@0: mp_int Q; andre@0: mp_int X2; andre@0: mp_int S; andre@0: mp_int result; andre@0: andre@0: if (!arena || andre@0: !p || !p->data || p->len == 0 || andre@0: !q || !q->data || q->len == 0 || andre@0: !gx1 || !gx1->data || gx1->len == 0 || andre@0: !gx3 || !gx3->data || gx3->len == 0 || andre@0: !gx4 || !gx4->data || gx4->len == 0 || andre@0: !base || base->data != NULL || andre@0: (x2s != NULL && (x2s->data != 
NULL || andre@0: !x2 || !x2->data || x2->len == 0 || andre@0: !s || !s->data || s->len == 0))) { andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); andre@0: return SECFailure; andre@0: } andre@0: andre@0: MP_DIGITS(&P) = 0; andre@0: MP_DIGITS(&Q) = 0; andre@0: MP_DIGITS(&X2) = 0; andre@0: MP_DIGITS(&S) = 0; andre@0: MP_DIGITS(&result) = 0; andre@0: andre@0: CHECK_MPI_OK( mp_init(&P) ); andre@0: CHECK_MPI_OK( mp_init(&Q) ); andre@0: CHECK_MPI_OK( mp_init(&result) ); andre@0: andre@0: if (x2s != NULL) { andre@0: CHECK_MPI_OK( mp_init(&X2) ); andre@0: CHECK_MPI_OK( mp_init(&S) ); andre@0: andre@0: SECITEM_TO_MPINT(*q, &Q); andre@0: SECITEM_TO_MPINT(*x2, &X2); andre@0: andre@0: SECITEM_TO_MPINT(*s, &S); andre@0: /* S must be in [1, Q-1] */ andre@0: if (mp_cmp_z(&S) <= 0 || mp_cmp(&S, &Q) >= 0) { andre@0: err = MP_BADARG; andre@0: goto cleanup; andre@0: } andre@0: andre@0: CHECK_MPI_OK( mp_mulmod(&X2, &S, &Q, &result) ); andre@0: MPINT_TO_SECITEM(&result, x2s, arena); andre@0: } andre@0: andre@0: SECITEM_TO_MPINT(*p, &P); andre@0: CHECK_MPI_OK( jpake_Round2Base(gx1, gx3, gx4, &P, &result) ); andre@0: MPINT_TO_SECITEM(&result, base, arena); andre@0: andre@0: cleanup: andre@0: mp_clear(&P); andre@0: mp_clear(&Q); andre@0: mp_clear(&X2); andre@0: mp_clear(&S); andre@0: mp_clear(&result); andre@0: andre@0: if (err != MP_OKAY) { andre@0: MP_TO_SEC_ERROR(err); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: SECStatus andre@0: JPAKE_Final(PLArenaPool * arena, const SECItem * p, const SECItem * q, andre@0: const SECItem * x2, const SECItem * gx4, const SECItem * x2s, andre@0: const SECItem * B, SECItem * K) andre@0: { andre@0: mp_err err; andre@0: mp_int P; andre@0: mp_int Q; andre@0: mp_int tmp; andre@0: mp_int exponent; andre@0: mp_int divisor; andre@0: mp_int base; andre@0: andre@0: if (!arena || andre@0: !p || !p->data || p->len == 0 || andre@0: !q || !q->data || q->len == 0 || andre@0: !x2 || !x2->data || x2->len == 0 || 
andre@0: !gx4 || !gx4->data || gx4->len == 0 || andre@0: !x2s || !x2s->data || x2s->len == 0 || andre@0: !B || !B->data || B->len == 0 || andre@0: !K || K->data != NULL) { andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); andre@0: return SECFailure; andre@0: } andre@0: andre@0: MP_DIGITS(&P) = 0; andre@0: MP_DIGITS(&Q) = 0; andre@0: MP_DIGITS(&tmp) = 0; andre@0: MP_DIGITS(&exponent) = 0; andre@0: MP_DIGITS(&divisor) = 0; andre@0: MP_DIGITS(&base) = 0; andre@0: andre@0: CHECK_MPI_OK( mp_init(&P) ); andre@0: CHECK_MPI_OK( mp_init(&Q) ); andre@0: CHECK_MPI_OK( mp_init(&tmp) ); andre@0: CHECK_MPI_OK( mp_init(&exponent) ); andre@0: CHECK_MPI_OK( mp_init(&divisor) ); andre@0: CHECK_MPI_OK( mp_init(&base) ); andre@0: andre@0: /* exponent = -x2s (mod q) */ andre@0: SECITEM_TO_MPINT(*q, &Q); andre@0: SECITEM_TO_MPINT(*x2s, &tmp); andre@0: /* q == 0 (mod q), so q - x2s == -x2s (mod q) */ andre@0: CHECK_MPI_OK( mp_sub(&Q, &tmp, &exponent) ); andre@0: andre@0: /* divisor = gx4^-x2s = 1/(gx4^x2s) (mod p) */ andre@0: SECITEM_TO_MPINT(*p, &P); andre@0: SECITEM_TO_MPINT(*gx4, &tmp); andre@0: CHECK_MPI_OK( mp_exptmod(&tmp, &exponent, &P, &divisor) ); andre@0: andre@0: /* base = B*divisor = B/(gx4^x2s) (mod p) */ andre@0: SECITEM_TO_MPINT(*B, &tmp); andre@0: CHECK_MPI_OK( mp_mulmod(&divisor, &tmp, &P, &base) ); andre@0: andre@0: /* tmp = base^x2 (mod p) */ andre@0: SECITEM_TO_MPINT(*x2, &exponent); andre@0: CHECK_MPI_OK( mp_exptmod(&base, &exponent, &P, &tmp) ); andre@0: andre@0: MPINT_TO_SECITEM(&tmp, K, arena); andre@0: andre@0: cleanup: andre@0: mp_clear(&P); andre@0: mp_clear(&Q); andre@0: mp_clear(&tmp); andre@0: mp_clear(&exponent); andre@0: mp_clear(&divisor); andre@0: mp_clear(&base); andre@0: andre@0: if (err != MP_OKAY) { andre@0: MP_TO_SEC_ERROR(err); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: }