jpake.h revision 193645 
1193645Ssimon/*
2193645Ssimon * Implement J-PAKE, as described in
3193645Ssimon * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
4193645Ssimon *
5193645Ssimon * With hints from http://www.cl.cam.ac.uk/~fh240/software/JPAKE2.java.
6193645Ssimon */
7193645Ssimon
8193645Ssimon#ifndef HEADER_JPAKE_H
9193645Ssimon#define HEADER_JPAKE_H
10193645Ssimon
11193645Ssimon#include <openssl/opensslconf.h>
12193645Ssimon
13193645Ssimon#ifdef OPENSSL_NO_JPAKE
14193645Ssimon#error JPAKE is disabled.
15193645Ssimon#endif
16193645Ssimon
17193645Ssimon#ifdef  __cplusplus
18193645Ssimonextern "C" {
19193645Ssimon#endif
20193645Ssimon
21193645Ssimon#include <openssl/bn.h>
22193645Ssimon#include <openssl/sha.h>
23193645Ssimon
24193645Ssimontypedef struct JPAKE_CTX JPAKE_CTX;
25193645Ssimon
26193645Ssimon/* Note that "g" in the ZKPs is not necessarily the J-PAKE g. */
27193645Ssimontypedef struct
28193645Ssimon    {
29193645Ssimon    BIGNUM *gr; /* g^r (r random) */
30193645Ssimon    BIGNUM *b;  /* b = r - x*h, h=hash(g, g^r, g^x, name) */
31193645Ssimon    } JPAKE_ZKP;
32193645Ssimon
33193645Ssimontypedef struct
34193645Ssimon    {
35193645Ssimon    BIGNUM *gx;       /* g^x in step 1, g^(xa + xc + xd) * xb * s in step 2 */
36193645Ssimon    JPAKE_ZKP zkpx;   /* ZKP(x) or ZKP(xb * s) */
37193645Ssimon    } JPAKE_STEP_PART;
38193645Ssimon
39193645Ssimontypedef struct
40193645Ssimon    {
41193645Ssimon    JPAKE_STEP_PART p1;   /* g^x3, ZKP(x3) or g^x1, ZKP(x1) */
42193645Ssimon    JPAKE_STEP_PART p2;   /* g^x4, ZKP(x4) or g^x2, ZKP(x2) */
43193645Ssimon    } JPAKE_STEP1;
44193645Ssimon
45193645Ssimontypedef JPAKE_STEP_PART JPAKE_STEP2;
46193645Ssimon
47193645Ssimontypedef struct
48193645Ssimon    {
49193645Ssimon    unsigned char hhk[SHA_DIGEST_LENGTH];
50193645Ssimon    } JPAKE_STEP3A;
51193645Ssimon
52193645Ssimontypedef struct
53193645Ssimon    {
54193645Ssimon    unsigned char hk[SHA_DIGEST_LENGTH];
55193645Ssimon    } JPAKE_STEP3B;
56193645Ssimon
57193645Ssimon/* Parameters are copied */
58193645SsimonJPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
59193645Ssimon			 const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
60193645Ssimon			 const BIGNUM *secret);
61193645Ssimonvoid JPAKE_CTX_free(JPAKE_CTX *ctx);
62193645Ssimon
63193645Ssimon/*
64193645Ssimon * Note that JPAKE_STEP1 can be used multiple times before release
65193645Ssimon * without another init.
66193645Ssimon */
67193645Ssimonvoid JPAKE_STEP1_init(JPAKE_STEP1 *s1);
68193645Ssimonint JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx);
69193645Ssimonint JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received);
70193645Ssimonvoid JPAKE_STEP1_release(JPAKE_STEP1 *s1);
71193645Ssimon
72193645Ssimon/*
73193645Ssimon * Note that JPAKE_STEP2 can be used multiple times before release
74193645Ssimon * without another init.
75193645Ssimon */
76193645Ssimonvoid JPAKE_STEP2_init(JPAKE_STEP2 *s2);
77193645Ssimonint JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx);
78193645Ssimonint JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received);
79193645Ssimonvoid JPAKE_STEP2_release(JPAKE_STEP2 *s2);
80193645Ssimon
81193645Ssimon/*
82193645Ssimon * Optionally verify the shared key. If the shared secrets do not
83193645Ssimon * match, the two ends will disagree about the shared key, but
84193645Ssimon * otherwise the protocol will succeed.
85193645Ssimon */
86193645Ssimonvoid JPAKE_STEP3A_init(JPAKE_STEP3A *s3a);
87193645Ssimonint JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx);
88193645Ssimonint JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received);
89193645Ssimonvoid JPAKE_STEP3A_release(JPAKE_STEP3A *s3a);
90193645Ssimon
91193645Ssimonvoid JPAKE_STEP3B_init(JPAKE_STEP3B *s3b);
92193645Ssimonint JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx);
93193645Ssimonint JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received);
94193645Ssimonvoid JPAKE_STEP3B_release(JPAKE_STEP3B *s3b);
95193645Ssimon
96193645Ssimon/*
97193645Ssimon * the return value belongs to the library and will be released when
98193645Ssimon * ctx is released, and will change when a new handshake is performed.
99193645Ssimon */
100193645Ssimonconst BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx);
101193645Ssimon
102193645Ssimon/* BEGIN ERROR CODES */
103193645Ssimon/* The following lines are auto generated by the script mkerr.pl. Any changes
104193645Ssimon * made after this point may be overwritten when the script is next run.
105193645Ssimon */
106193645Ssimonvoid ERR_load_JPAKE_strings(void);
107193645Ssimon
108193645Ssimon/* Error codes for the JPAKE functions. */
109193645Ssimon
110193645Ssimon/* Function codes. */
111193645Ssimon#define JPAKE_F_JPAKE_STEP1_PROCESS			 101
112193645Ssimon#define JPAKE_F_JPAKE_STEP2_PROCESS			 102
113193645Ssimon#define JPAKE_F_JPAKE_STEP3A_PROCESS			 103
114193645Ssimon#define JPAKE_F_JPAKE_STEP3B_PROCESS			 104
115193645Ssimon#define JPAKE_F_VERIFY_ZKP				 100
116193645Ssimon
117193645Ssimon/* Reason codes. */
118193645Ssimon#define JPAKE_R_G_TO_THE_X4_IS_ONE			 105
119193645Ssimon#define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH		 106
120193645Ssimon#define JPAKE_R_HASH_OF_KEY_MISMATCH			 107
121193645Ssimon#define JPAKE_R_VERIFY_B_FAILED				 102
122193645Ssimon#define JPAKE_R_VERIFY_X3_FAILED			 103
123193645Ssimon#define JPAKE_R_VERIFY_X4_FAILED			 104
124193645Ssimon#define JPAKE_R_ZKP_VERIFY_FAILED			 100
125193645Ssimon
126193645Ssimon#ifdef  __cplusplus
127193645Ssimon}
128193645Ssimon#endif
129193645Ssimon#endif
130