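/*
 * Implement J-PAKE, as described in
 * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
 *
 * With hints from http://www.cl.cam.ac.uk/~fh240/software/JPAKE2.java.
 *
 * This header declares the per-step message structures, the
 * init/generate/process/release functions for each step, and the JPAKE
 * error codes.
 *
 * Notes for callers:
 *  - Every *_generate() and *_process() function returns int, and each
 *    *_process() function has a function code plus reason codes below
 *    (failed ZKP verification, illegal g^x value, key-hash mismatch).
 *    Check every return value and abort the handshake on failure.
 *    NOTE(review): the convention is presumably OpenSSL's usual
 *    1 = success, 0 = failure; confirm against the implementation.
 *  - Step 3 (3A/3B) is optional. If it is skipped, a mismatch of the
 *    shared secrets is not reported by this API; the two ends simply hold
 *    different keys.
 */

#ifndef HEADER_JPAKE_H
# define HEADER_JPAKE_H

# include <openssl/opensslconf.h>

# ifdef OPENSSL_NO_JPAKE
#  error JPAKE is disabled.
# endif

/*
 * Dependencies are included before the extern "C" block opens, so that
 * nothing they declare is wrapped in this header's linkage specification.
 */
# include <openssl/bn.h>
# include <openssl/sha.h>

# ifdef __cplusplus
extern "C" {
# endif

/* Opaque handshake state; create with JPAKE_CTX_new(). */
typedef struct JPAKE_CTX JPAKE_CTX;

/*
 * Zero-knowledge proof that the sender knows the exponent x of a value g^x
 * it sends (Schnorr-style: commitment g^r plus response b).
 *
 * Note that "g" in the ZKPs is not necessarily the J-PAKE g.
 */
typedef struct {
    BIGNUM *gr;                 /* g^r (r random) */
    BIGNUM *b;                  /* b = r - x*h, h=hash(g, g^r, g^x, name) */
} JPAKE_ZKP;

/* One public value together with the proof of knowledge of its exponent. */
typedef struct {
    BIGNUM *gx;                 /* g^x in step 1; in step 2,
                                 * g^((xa + xc + xd) * xb * s), i.e. the
                                 * whole product is the exponent */
    JPAKE_ZKP zkpx;             /* ZKP(x) or ZKP(xb * s) */
} JPAKE_STEP_PART;

/* Step 1 message: two public values, each with its own ZKP. */
typedef struct {
    JPAKE_STEP_PART p1;         /* g^x3, ZKP(x3) or g^x1, ZKP(x1) */
    JPAKE_STEP_PART p2;         /* g^x4, ZKP(x4) or g^x2, ZKP(x2) */
} JPAKE_STEP1;

/* Step 2 message: a single public value with its ZKP. */
typedef JPAKE_STEP_PART JPAKE_STEP2;

/*
 * Step 3A message. The buffer is SHA_DIGEST_LENGTH bytes, i.e. sized for a
 * SHA-1 digest. NOTE(review): "hhk" presumably means hash of the hash of
 * the key (cf. JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH); confirm.
 */
typedef struct {
    unsigned char hhk[SHA_DIGEST_LENGTH];
} JPAKE_STEP3A;

/*
 * Step 3B message. The buffer is SHA_DIGEST_LENGTH bytes, i.e. sized for a
 * SHA-1 digest. NOTE(review): "hk" presumably means hash of the key
 * (cf. JPAKE_R_HASH_OF_KEY_MISMATCH); confirm.
 */
typedef struct {
    unsigned char hk[SHA_DIGEST_LENGTH];
} JPAKE_STEP3B;

/*
 * Create a handshake context for the local party "name" talking to
 * "peer_name", over the group (p, g, q), with the shared secret "secret".
 *
 * Parameters are copied, so the caller keeps ownership of its arguments
 * and remains responsible for clearing its own copy of the secret.
 *
 * NOTE(review): this header does not show whether p, g, q or secret are
 * validated, whether name and peer_name must differ, or what is returned
 * on allocation failure. Use group parameters from a trusted source,
 * distinct names for the two parties (the name is bound into the ZKP hash,
 * see JPAKE_ZKP), and check the result for NULL; confirm against the
 * implementation.
 *
 * Release the context with JPAKE_CTX_free().
 */
JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
                         const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
                         const BIGNUM *secret);
void JPAKE_CTX_free(JPAKE_CTX *ctx);

/*
 * Step 1: _generate() fills the message to send, _process() consumes the
 * message received from the peer. A rejected peer message is reported
 * through the return value of _process(); the reason codes below that name
 * x3 and x4 presumably belong to this step (p1 and p2 above).
 *
 * Note that JPAKE_STEP1 can be used multiple times before release
 * without another init.
 */
void JPAKE_STEP1_init(JPAKE_STEP1 *s1);
int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx);
int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received);
void JPAKE_STEP1_release(JPAKE_STEP1 *s1);

/*
 * Step 2: same init/generate/process/release pattern as step 1. Check the
 * return value of _process() before continuing.
 *
 * Note that JPAKE_STEP2 can be used multiple times before release
 * without another init.
 */
void JPAKE_STEP2_init(JPAKE_STEP2 *s2);
int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx);
int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received);
void JPAKE_STEP2_release(JPAKE_STEP2 *s2);

/*
 * Optionally verify the shared key. If the shared secrets do not
 * match, the two ends will disagree about the shared key, but
 * otherwise the protocol will succeed.
 *
 * In other words, steps 1 and 2 succeeding does not show that the peer
 * knew the secret. Run 3A and 3B (and check both _process() results) when
 * the caller needs an explicit confirmation, rather than relying on a
 * later failure when the key is used.
 */
void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a);
int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx);
int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received);
void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a);

void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b);
int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx);
int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received);
void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b);

/*
 * the return value belongs to the library and will be released when
 * ctx is released, and will change when a new handshake is performed.
 *
 * Do not free or modify it; copy it if it must outlive ctx or the next
 * handshake. NOTE(review): the value is a BIGNUM rather than a fixed-size
 * byte string, so callers presumably need to derive their working keys
 * from it (for example through a hash or KDF); confirm the intended use.
 */
const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx);

/* BEGIN ERROR CODES */
/*
 * The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
 */
void ERR_load_JPAKE_strings(void);

/* Error codes for the JPAKE functions. */

/* Function codes. */
# define JPAKE_F_JPAKE_STEP1_PROCESS                      101
# define JPAKE_F_JPAKE_STEP2_PROCESS                      102
# define JPAKE_F_JPAKE_STEP3A_PROCESS                     103
# define JPAKE_F_JPAKE_STEP3B_PROCESS                     104
# define JPAKE_F_VERIFY_ZKP                               100

/* Reason codes. */
# define JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL                 108
# define JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL                 109
# define JPAKE_R_G_TO_THE_X4_IS_ONE                       105
# define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH             106
# define JPAKE_R_HASH_OF_KEY_MISMATCH                     107
# define JPAKE_R_VERIFY_B_FAILED                          102
# define JPAKE_R_VERIFY_X3_FAILED                         103
# define JPAKE_R_VERIFY_X4_FAILED                         104
# define JPAKE_R_ZKP_VERIFY_FAILED                        100

# ifdef __cplusplus
}
# endif
#endif                          /* HEADER_JPAKE_H */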