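--- /dev/null
+++ b/security/nss/lib/freebl/jpake.c
@@ -0,0 +1,495 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifdef FREEBL_NO_DEPEND
+#include "stubs.h"
+#endif
+
+#include "blapi.h"
+#include "secerr.h"
+#include "secitem.h"
+#include "secmpi.h"
+
+/* Hash an item's length and then its value. Only items smaller than 2^16 bytes
+ * are allowed. Lengths are hashed in network byte order. This is designed
+ * to match the OpenSSL J-PAKE implementation.
+ */
+static mp_err
+hashSECItem(HASHContext * hash, const SECItem * it)
+{
+    unsigned char length[2];
+
+    if (it->len > 0xffff)
+        return MP_BADARG;
+
+    length[0] = (unsigned char) (it->len >> 8);
+    length[1] = (unsigned char) (it->len);
+    hash->hashobj->update(hash->hash_context, length, 2);
+    hash->hashobj->update(hash->hash_context, it->data, it->len);
+    return MP_OKAY;
+}
+
+/* Hash all public components of the signature, each prefixed with its
+   length, and then convert the hash to an mp_int. */
+static mp_err
+hashPublicParams(HASH_HashType hashType, const SECItem * g,
+                 const SECItem * gv, const SECItem * gx,
+                 const SECItem * signerID, mp_int * h)
+{
+    mp_err err;
+    unsigned char hBuf[HASH_LENGTH_MAX];
+    SECItem hItem;
+    HASHContext hash;
+
+    hash.hashobj = HASH_GetRawHashObject(hashType);
+    if (hash.hashobj == NULL || hash.hashobj->length > sizeof hBuf) {
+        return MP_BADARG;
+    }
+    hash.hash_context = hash.hashobj->create();
+    if (hash.hash_context == NULL) {
+        return MP_MEM;
+    }
+
+    hItem.data = hBuf;
+    hItem.len = hash.hashobj->length;
+
+    hash.hashobj->begin(hash.hash_context);
+    CHECK_MPI_OK( hashSECItem(&hash, g) );
+    CHECK_MPI_OK( hashSECItem(&hash, gv) );
+    CHECK_MPI_OK( hashSECItem(&hash, gx) );
+    CHECK_MPI_OK( hashSECItem(&hash, signerID) );
+    hash.hashobj->end(hash.hash_context, hItem.data, &hItem.len,
+                      sizeof hBuf);
+    SECITEM_TO_MPINT(hItem, h);
+
+cleanup:
+    if (hash.hash_context != NULL) {
+        hash.hashobj->destroy(hash.hash_context, PR_TRUE);
+    }
+
+    return err;
+}
+
+/* Generate a Schnorr signature for round 1 or round 2 */
+SECStatus
+JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
+           const SECItem * signerID, const SECItem * x,
+           const SECItem * testRandom, const SECItem * gxIn, SECItem * gxOut,
+           SECItem * gv, SECItem * r)
+{
+    SECStatus rv = SECSuccess;
+    mp_err err;
+    mp_int p;
+    mp_int q;
+    mp_int g;
+    mp_int X;
+    mp_int GX;
+    mp_int V;
+    mp_int GV;
+    mp_int h;
+    mp_int tmp;
+    mp_int R;
+    SECItem v;
+
+    if (!arena ||
+        !pqg || !pqg->prime.data || pqg->prime.len == 0 ||
+        !pqg->subPrime.data || pqg->subPrime.len == 0 ||
+        !pqg->base.data || pqg->base.len == 0 ||
+        !signerID || !signerID->data || signerID->len == 0 ||
+        !x || !x->data || x->len == 0 ||
+        (testRandom && (!testRandom->data || testRandom->len == 0)) ||
+        (gxIn == NULL && (!gxOut || gxOut->data != NULL)) ||
+        (gxIn != NULL && (!gxIn->data || gxIn->len == 0 || gxOut != NULL)) ||
+        !gv || gv->data != NULL ||
+        !r || r->data != NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&q) = 0;
+    MP_DIGITS(&g) = 0;
+    MP_DIGITS(&X) = 0;
+    MP_DIGITS(&GX) = 0;
+    MP_DIGITS(&V) = 0;
+    MP_DIGITS(&GV) = 0;
+    MP_DIGITS(&h) = 0;
+    MP_DIGITS(&tmp) = 0;
+    MP_DIGITS(&R) = 0;
+
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&q) );
+    CHECK_MPI_OK( mp_init(&g) );
+    CHECK_MPI_OK( mp_init(&X) );
+    CHECK_MPI_OK( mp_init(&GX) );
+    CHECK_MPI_OK( mp_init(&V) );
+    CHECK_MPI_OK( mp_init(&GV) );
+    CHECK_MPI_OK( mp_init(&h) );
+    CHECK_MPI_OK( mp_init(&tmp) );
+    CHECK_MPI_OK( mp_init(&R) );
+
+    SECITEM_TO_MPINT(pqg->prime, &p);
+    SECITEM_TO_MPINT(pqg->subPrime, &q);
+    SECITEM_TO_MPINT(pqg->base, &g);
+    SECITEM_TO_MPINT(*x, &X);
+
+    /* gx = g^x */
+    if (gxIn == NULL) {
+        CHECK_MPI_OK( mp_exptmod(&g, &X, &p, &GX) );
+        MPINT_TO_SECITEM(&GX, gxOut, arena);
+        gxIn = gxOut;
+    } else {
+        SECITEM_TO_MPINT(*gxIn, &GX);
+    }
+
+    /* v is a random value in the q subgroup */
+    if (testRandom == NULL) {
+        v.data = NULL;
+        rv = DSA_NewRandom(arena, &pqg->subPrime, &v);
+        if (rv != SECSuccess) {
+            goto cleanup;
+        }
+    } else {
+        v.data = testRandom->data;
+        v.len = testRandom->len;
+    }
+    SECITEM_TO_MPINT(v, &V);
+
+    /* gv = g^v (mod q), random v, 1 <= v < q */
+    CHECK_MPI_OK( mp_exptmod(&g, &V, &p, &GV) );
+    MPINT_TO_SECITEM(&GV, gv, arena);
+
+    /* h = H(g, gv, gx, signerID) */
+    CHECK_MPI_OK( hashPublicParams(hashType, &pqg->base, gv, gxIn, signerID,
+                                   &h) );
+
+    /* r = v - x*h (mod q) */
+    CHECK_MPI_OK( mp_mulmod(&X, &h, &q, &tmp) );
+    CHECK_MPI_OK( mp_submod(&V, &tmp, &q, &R) );
+    MPINT_TO_SECITEM(&R, r, arena);
+
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&g);
+    mp_clear(&X);
+    mp_clear(&GX);
+    mp_clear(&V);
+    mp_clear(&GV);
+    mp_clear(&h);
+    mp_clear(&tmp);
+    mp_clear(&R);
+
+    if (rv == SECSuccess && err != MP_OKAY) {
+        MP_TO_SEC_ERROR(err);
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+/* Verify a Schnorr signature generated by the peer in round 1 or round 2. */
+SECStatus
+JPAKE_Verify(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
+             const SECItem * signerID, const SECItem * peerID,
+             const SECItem * gx, const SECItem * gv, const SECItem * r)
+{
+    SECStatus rv = SECSuccess;
+    mp_err err;
+    mp_int p;
+    mp_int q;
+    mp_int g;
+    mp_int p_minus_1;
+    mp_int GX;
+    mp_int h;
+    mp_int one;
+    mp_int R;
+    mp_int gr;
+    mp_int gxh;
+    mp_int gr_gxh;
+    SECItem calculated;
+
+    if (!arena ||
+        !pqg || !pqg->prime.data || pqg->prime.len == 0 ||
+        !pqg->subPrime.data || pqg->subPrime.len == 0 ||
+        !pqg->base.data || pqg->base.len == 0 ||
+        !signerID || !signerID->data || signerID->len == 0 ||
+        !peerID || !peerID->data || peerID->len == 0 ||
+        !gx || !gx->data || gx->len == 0 ||
+        !gv || !gv->data || gv->len == 0 ||
+        !r || !r->data || r->len == 0 ||
+        SECITEM_CompareItem(signerID, peerID) == SECEqual) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&q) = 0;
+    MP_DIGITS(&g) = 0;
+    MP_DIGITS(&p_minus_1) = 0;
+    MP_DIGITS(&GX) = 0;
+    MP_DIGITS(&h) = 0;
+    MP_DIGITS(&one) = 0;
+    MP_DIGITS(&R) = 0;
+    MP_DIGITS(&gr) = 0;
+    MP_DIGITS(&gxh) = 0;
+    MP_DIGITS(&gr_gxh) = 0;
+    calculated.data = NULL;
+
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&q) );
+    CHECK_MPI_OK( mp_init(&g) );
+    CHECK_MPI_OK( mp_init(&p_minus_1) );
+    CHECK_MPI_OK( mp_init(&GX) );
+    CHECK_MPI_OK( mp_init(&h) );
+    CHECK_MPI_OK( mp_init(&one) );
+    CHECK_MPI_OK( mp_init(&R) );
+    CHECK_MPI_OK( mp_init(&gr) );
+    CHECK_MPI_OK( mp_init(&gxh) );
+    CHECK_MPI_OK( mp_init(&gr_gxh) );
+
+    SECITEM_TO_MPINT(pqg->prime, &p);
+    SECITEM_TO_MPINT(pqg->subPrime, &q);
+    SECITEM_TO_MPINT(pqg->base, &g);
+    SECITEM_TO_MPINT(*gx, &GX);
+    SECITEM_TO_MPINT(*r, &R);
+
+    CHECK_MPI_OK( mp_sub_d(&p, 1, &p_minus_1) );
+    CHECK_MPI_OK( mp_exptmod(&GX, &q, &p, &one) );
+    /* Check g^x is in [1, p-2], R is in [0, q-1], and (g^x)^q mod p == 1 */
+    if (!(mp_cmp_z(&GX) > 0 &&
+          mp_cmp(&GX, &p_minus_1) < 0 &&
+          mp_cmp(&R, &q) < 0 &&
+          mp_cmp_d(&one, 1) == 0)) {
+        goto badSig;
+    }
+
+    CHECK_MPI_OK( hashPublicParams(hashType, &pqg->base, gv, gx, peerID,
+                                   &h) );
+
+    /* Calculate g^v = g^r * g^x^h */
+    CHECK_MPI_OK( mp_exptmod(&g, &R, &p, &gr) );
+    CHECK_MPI_OK( mp_exptmod(&GX, &h, &p, &gxh) );
+    CHECK_MPI_OK( mp_mulmod(&gr, &gxh, &p, &gr_gxh) );
+
+    /* Compare calculated g^v to given g^v */
+    MPINT_TO_SECITEM(&gr_gxh, &calculated, arena);
+    if (calculated.len == gv->len &&
+        NSS_SecureMemcmp(calculated.data, gv->data, calculated.len) == 0) {
+        rv = SECSuccess;
+    } else {
+badSig: PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        rv = SECFailure;
+    }
+
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&g);
+    mp_clear(&p_minus_1);
+    mp_clear(&GX);
+    mp_clear(&h);
+    mp_clear(&one);
+    mp_clear(&R);
+    mp_clear(&gr);
+    mp_clear(&gxh);
+    mp_clear(&gr_gxh);
+
+    if (rv == SECSuccess && err != MP_OKAY) {
+        MP_TO_SEC_ERROR(err);
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+/* Calculate base = gx1*gx3*gx4 (mod p), i.e. g^(x1+x3+x4) (mod p) */
+static mp_err
+jpake_Round2Base(const SECItem * gx1, const SECItem * gx3,
+                 const SECItem * gx4, const mp_int * p, mp_int * base)
+{
+    mp_err err;
+    mp_int GX1;
+    mp_int GX3;
+    mp_int GX4;
+    mp_int tmp;
+
+    MP_DIGITS(&GX1) = 0;
+    MP_DIGITS(&GX3) = 0;
+    MP_DIGITS(&GX4) = 0;
+    MP_DIGITS(&tmp) = 0;
+
+    CHECK_MPI_OK( mp_init(&GX1) );
+    CHECK_MPI_OK( mp_init(&GX3) );
+    CHECK_MPI_OK( mp_init(&GX4) );
+    CHECK_MPI_OK( mp_init(&tmp) );
+
+    SECITEM_TO_MPINT(*gx1, &GX1);
+    SECITEM_TO_MPINT(*gx3, &GX3);
+    SECITEM_TO_MPINT(*gx4, &GX4);
+
+    /* In round 2, the peer/attacker sends us g^x3 and g^x4 and the protocol
+       requires that these values are distinct. */
+    if (mp_cmp(&GX3, &GX4) == 0) {
+        return MP_BADARG;
+    }
+
+    CHECK_MPI_OK( mp_mul(&GX1, &GX3, &tmp) );
+    CHECK_MPI_OK( mp_mul(&tmp, &GX4, &tmp) );
+    CHECK_MPI_OK( mp_mod(&tmp, p, base) );
+
+cleanup:
+    mp_clear(&GX1);
+    mp_clear(&GX3);
+    mp_clear(&GX4);
+    mp_clear(&tmp);
+    return err;
+}
+
+SECStatus
+JPAKE_Round2(PLArenaPool * arena,
+             const SECItem * p, const SECItem *q, const SECItem * gx1,
+             const SECItem * gx3, const SECItem * gx4, SECItem * base,
+             const SECItem * x2, const SECItem * s, SECItem * x2s)
+{
+    mp_err err;
+    mp_int P;
+    mp_int Q;
+    mp_int X2;
+    mp_int S;
+    mp_int result;
+
+    if (!arena ||
+        !p || !p->data || p->len == 0 ||
+        !q || !q->data || q->len == 0 ||
+        !gx1 || !gx1->data || gx1->len == 0 ||
+        !gx3 || !gx3->data || gx3->len == 0 ||
+        !gx4 || !gx4->data || gx4->len == 0 ||
+        !base || base->data != NULL ||
+        (x2s != NULL && (x2s->data != NULL ||
+                         !x2 || !x2->data || x2->len == 0 ||
+                         !s || !s->data || s->len == 0))) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    MP_DIGITS(&P) = 0;
+    MP_DIGITS(&Q) = 0;
+    MP_DIGITS(&X2) = 0;
+    MP_DIGITS(&S) = 0;
+    MP_DIGITS(&result) = 0;
+
+    CHECK_MPI_OK( mp_init(&P) );
+    CHECK_MPI_OK( mp_init(&Q) );
+    CHECK_MPI_OK( mp_init(&result) );
+
+    if (x2s != NULL) {
+        CHECK_MPI_OK( mp_init(&X2) );
+        CHECK_MPI_OK( mp_init(&S) );
+
+        SECITEM_TO_MPINT(*q, &Q);
+        SECITEM_TO_MPINT(*x2, &X2);
+
+        SECITEM_TO_MPINT(*s, &S);
+        /* S must be in [1, Q-1] */
+        if (mp_cmp_z(&S) <= 0 || mp_cmp(&S, &Q) >= 0) {
+            err = MP_BADARG;
+            goto cleanup;
+        }
+
+        CHECK_MPI_OK( mp_mulmod(&X2, &S, &Q, &result) );
+        MPINT_TO_SECITEM(&result, x2s, arena);
+    }
+
+    SECITEM_TO_MPINT(*p, &P);
+    CHECK_MPI_OK( jpake_Round2Base(gx1, gx3, gx4, &P, &result) );
+    MPINT_TO_SECITEM(&result, base, arena);
+
+cleanup:
+    mp_clear(&P);
+    mp_clear(&Q);
+    mp_clear(&X2);
+    mp_clear(&S);
+    mp_clear(&result);
+
+    if (err != MP_OKAY) {
+        MP_TO_SEC_ERROR(err);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+JPAKE_Final(PLArenaPool * arena, const SECItem * p, const SECItem * q,
+            const SECItem * x2, const SECItem * gx4, const SECItem * x2s,
+            const SECItem * B, SECItem * K)
+{
+    mp_err err;
+    mp_int P;
+    mp_int Q;
+    mp_int tmp;
+    mp_int exponent;
+    mp_int divisor;
+    mp_int base;
+
+    if (!arena ||
+        !p || !p->data || p->len == 0 ||
+        !q || !q->data || q->len == 0 ||
+        !x2 || !x2->data || x2->len == 0 ||
+        !gx4 || !gx4->data || gx4->len == 0 ||
+        !x2s || !x2s->data || x2s->len == 0 ||
+        !B || !B->data || B->len == 0 ||
+        !K || K->data != NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    MP_DIGITS(&P) = 0;
+    MP_DIGITS(&Q) = 0;
+    MP_DIGITS(&tmp) = 0;
+    MP_DIGITS(&exponent) = 0;
+    MP_DIGITS(&divisor) = 0;
+    MP_DIGITS(&base) = 0;
+
+    CHECK_MPI_OK( mp_init(&P) );
+    CHECK_MPI_OK( mp_init(&Q) );
+    CHECK_MPI_OK( mp_init(&tmp) );
+    CHECK_MPI_OK( mp_init(&exponent) );
+    CHECK_MPI_OK( mp_init(&divisor) );
+    CHECK_MPI_OK( mp_init(&base) );
+
+    /* exponent = -x2s (mod q) */
+    SECITEM_TO_MPINT(*q, &Q);
+    SECITEM_TO_MPINT(*x2s, &tmp);
+    /* q == 0 (mod q), so q - x2s == -x2s (mod q) */
+    CHECK_MPI_OK( mp_sub(&Q, &tmp, &exponent) );
+
+    /* divisor = gx4^-x2s = 1/(gx4^x2s) (mod p) */
+    SECITEM_TO_MPINT(*p, &P);
+    SECITEM_TO_MPINT(*gx4, &tmp);
+    CHECK_MPI_OK( mp_exptmod(&tmp, &exponent, &P, &divisor) );
+
+    /* base = B*divisor = B/(gx4^x2s) (mod p) */
+    SECITEM_TO_MPINT(*B, &tmp);
+    CHECK_MPI_OK( mp_mulmod(&divisor, &tmp, &P, &base) );
+
+    /* tmp = base^x2 (mod p) */
+    SECITEM_TO_MPINT(*x2, &exponent);
+    CHECK_MPI_OK( mp_exptmod(&base, &exponent, &P, &tmp) );
+
+    MPINT_TO_SECITEM(&tmp, K, arena);
+
+cleanup:
+    mp_clear(&P);
+    mp_clear(&Q);
+    mp_clear(&tmp);
+    mp_clear(&exponent);
+    mp_clear(&divisor);
+    mp_clear(&base);
+
+    if (err != MP_OKAY) {
+        MP_TO_SEC_ERROR(err);
+        return SECFailure;
+    }
+    return SECSuccess;
+}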
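Review bot: In jpake_Round2Base the `if (mp_cmp(&GX3, &GX4) == 0) { return MP_BADARG; }` branch returns without reaching the `cleanup:` label, so the four mp_ints already set up by mp_init (GX1, GX3, GX4, tmp) are never passed to mp_clear; since gx3 and gx4 are the peer-supplied round 2 values this leak is triggerable by the remote party on every such call. It should follow the pattern the same file uses in JPAKE_Round2 for the S range check: `err = MP_BADARG;` then `goto cleanup;`, which also keeps the error flowing through the caller's `MP_TO_SEC_ERROR(err)` path. Separately, the comment above the mp_exptmod call in JPAKE_Sign reads `/* gv = g^v (mod q), random v, 1 <= v < q */` while the call reduces modulo p; it should say `/* gv = g^v (mod p), random v, 1 <= v < q */` so the documented group matches the computation.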