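/*
 * Implement J-PAKE, as described in
 * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
 *
 * With hints from http://www.cl.cam.ac.uk/~fh240/software/JPAKE2.java.
 *
 * Call order, as laid out by the declarations in this header: create a
 * context with JPAKE_CTX_new(), exchange STEP1 and then STEP2 messages
 * (generate the local message, process the one received from the peer),
 * optionally confirm the key with STEP3A/STEP3B, and read the result with
 * JPAKE_get_shared_key().
 */

#ifndef HEADER_JPAKE_H
# define HEADER_JPAKE_H

# include <openssl/opensslconf.h>

/* Refuse to compile against a build that has J-PAKE disabled. */
# ifdef OPENSSL_NO_JPAKE
#  error JPAKE is disabled.
# endif

#ifdef  __cplusplus
extern "C" {
#endif

# include <openssl/bn.h>
# include <openssl/sha.h>
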
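/*
 * Opaque handshake state. Created by JPAKE_CTX_new() and destroyed by
 * JPAKE_CTX_free(); the layout is not visible through this header.
 */
typedef struct JPAKE_CTX JPAKE_CTX;

/*
 * Proof of knowledge of an exponent x, sent alongside g^x.
 *
 * Note that "g" in the ZKPs is not necessarily the J-PAKE g: the base a
 * proof is made over can differ from the generator given to
 * JPAKE_CTX_new().
 *
 * Two properties follow from the formula for b below:
 *  - the prover's name is part of the hash input, so a proof is bound to
 *    the party that produced it;
 *  - r has to be fresh for every proof, since two proofs that share r but
 *    differ in h are enough to solve for x.
 */
typedef struct {
    BIGNUM *gr;                 /* g^r (r random) */
    BIGNUM *b;                  /* b = r - x*h, h=hash(g, g^r, g^x, name) */
} JPAKE_ZKP;

/*
 * One public value together with the proof that the sender knows its
 * exponent. The BIGNUMs are presumably allocated by the matching *_init()
 * and freed by *_release() - TODO confirm in the implementation.
 */
typedef struct {
    BIGNUM *gx;                 /* g^x in step 1,
                                 * g^((xa + xc + xd) * xb * s) in step 2 */
    JPAKE_ZKP zkpx;             /* ZKP(x) or ZKP(xb * s) */
} JPAKE_STEP_PART;

/*
 * Step 1 message: two public values, each with its own proof. Which pair
 * of exponents it carries depends on which party sent it.
 */
typedef struct {
    JPAKE_STEP_PART p1;         /* g^x3, ZKP(x3) or g^x1, ZKP(x1) */
    JPAKE_STEP_PART p2;         /* g^x4, ZKP(x4) or g^x2, ZKP(x2) */
} JPAKE_STEP1;

/* Step 2 message: a single public value and its proof. */
typedef JPAKE_STEP_PART JPAKE_STEP2;
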
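/*
 * Key-confirmation messages. Both carry a digest of SHA_DIGEST_LENGTH
 * bytes. Judging by the field names and by the reason codes
 * JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH / JPAKE_R_HASH_OF_KEY_MISMATCH,
 * STEP3A carries hash(hash(key)) and STEP3B carries hash(key), so the
 * STEP3B value is only disclosed after the STEP3A check - TODO confirm
 * the exact construction in the implementation.
 */
typedef struct {
    unsigned char hhk[SHA_DIGEST_LENGTH];   /* hash of hash of key */
} JPAKE_STEP3A;

typedef struct {
    unsigned char hk[SHA_DIGEST_LENGTH];    /* hash of key */
} JPAKE_STEP3B;
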
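/*
 * Create the state for one party of a J-PAKE handshake.
 *
 * Parameters are copied, so the caller keeps ownership of everything it
 * passes in and stays responsible for clearing its own copy of secret.
 *
 * name, peer_name: identities of the local and the remote party. The ZKP
 *     hash includes a name (see JPAKE_ZKP), so the two should differ;
 *     NOTE(review): whether the library enforces that is not visible in
 *     this header.
 * p, g, q: group parameters. Presumably g generates the order-q subgroup
 *     modulo p - TODO confirm. Nothing in this header shows them being
 *     validated, so take them from a trusted source.
 * secret: the shared secret as a BIGNUM; both parties must supply the
 *     same value.
 *
 * The failure return is not documented here; presumably NULL - TODO
 * confirm.
 */
JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
                         const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
                         const BIGNUM *secret);

/* Release a context created by JPAKE_CTX_new(), including the shared key. */
void JPAKE_CTX_free(JPAKE_CTX *ctx);
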
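/*
 * Step 1: each side sends two public values with proofs.
 *
 * Note that JPAKE_STEP1 can be used multiple times before release
 * without another init.
 *
 * generate fills "send" from ctx; process checks what the peer sent and
 * updates ctx. The int results presumably follow the OpenSSL convention
 * (1 on success, 0 on failure) - TODO confirm. A failed process call means
 * the peer's message was rejected (see the JPAKE_R_* reason codes) and the
 * handshake must not continue.
 */
void JPAKE_STEP1_init(JPAKE_STEP1 *s1);
int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx);
int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received);
void JPAKE_STEP1_release(JPAKE_STEP1 *s1);

/*
 * Step 2: each side sends one public value with its proof.
 *
 * Note that JPAKE_STEP2 can be used multiple times before release
 * without another init.
 *
 * Same calling pattern and return handling as step 1: check the result of
 * process and stop on failure.
 */
void JPAKE_STEP2_init(JPAKE_STEP2 *s2);
int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx);
int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received);
void JPAKE_STEP2_release(JPAKE_STEP2 *s2);
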
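/*
 * Optionally verify the shared key. If the shared secrets do not
 * match, the two ends will disagree about the shared key, but
 * otherwise the protocol will succeed.
 *
 * In other words, steps 1 and 2 completing without error says nothing
 * about whether the peer knew the secret. Until STEP3A/STEP3B (or an
 * equivalent key-confirmation exchange in the application protocol) has
 * succeeded, the peer is not authenticated and the key from
 * JPAKE_get_shared_key() must not be trusted.
 */
void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a);
int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx);
int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received);
void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a);

void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b);
int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx);
int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received);
void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b);
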
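/*
 * The return value belongs to the library and will be released when
 * ctx is released, and will change when a new handshake is performed.
 *
 * Callers must not free it, and must copy it if it is needed beyond the
 * lifetime of ctx or across another handshake. The result is a BIGNUM
 * rather than a fixed-length key; NOTE(review): callers presumably need to
 * hash it or run it through a KDF before using it as a symmetric key -
 * confirm against the implementation.
 */
const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx);
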
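/*
 * Reading the codes below: every function code names a *_process routine
 * or the ZKP verifier, i.e. errors are raised while checking data received
 * from the peer. Going by the names, the reason codes cover a failed proof
 * (ZKP_VERIFY_FAILED, VERIFY_X3/X4/B_FAILED), a received public value that
 * is unacceptable (G_TO_THE_X3/X4_IS_NOT_LEGAL, G_TO_THE_X4_IS_ONE) and a
 * key-confirmation mismatch (HASH_OF_*_MISMATCH). Any of them should end
 * the handshake.
 */
/* BEGIN ERROR CODES */
/*
 * The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
 */
void ERR_load_JPAKE_strings(void);

/* Error codes for the JPAKE functions. */

/* Function codes. */
# define JPAKE_F_JPAKE_STEP1_PROCESS                      101
# define JPAKE_F_JPAKE_STEP2_PROCESS                      102
# define JPAKE_F_JPAKE_STEP3A_PROCESS                     103
# define JPAKE_F_JPAKE_STEP3B_PROCESS                     104
# define JPAKE_F_VERIFY_ZKP                               100

/* Reason codes. */
# define JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL                 108
# define JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL                 109
# define JPAKE_R_G_TO_THE_X4_IS_ONE                       105
# define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH             106
# define JPAKE_R_HASH_OF_KEY_MISMATCH                     107
# define JPAKE_R_VERIFY_B_FAILED                          102
# define JPAKE_R_VERIFY_X3_FAILED                         103
# define JPAKE_R_VERIFY_X4_FAILED                         104
# define JPAKE_R_ZKP_VERIFY_FAILED                        100
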
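#ifdef  __cplusplus
}
#endif
#endif                          /* HEADER_JPAKE_H */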
129