jpake.h revision 193645
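/*
 * Implement J-PAKE, as described in
 * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
 *
 * With hints from http://www.cl.cam.ac.uk/~fh240/software/JPAKE2.java.
 *
 * Call sequence implied by the declarations below: each end creates a
 * JPAKE_CTX, exchanges a JPAKE_STEP1 and then a JPAKE_STEP2 message
 * (generate the local one, process the one received from the peer),
 * optionally runs the STEP3A/STEP3B key confirmation, and reads the
 * result with JPAKE_get_shared_key().
 *
 * Every int-returning function here must have its result checked, and a
 * failed *_process call must end the handshake: those calls are where the
 * peer's values and proofs are rejected (see the JPAKE_R_* reason codes).
 * NOTE(review): the return convention is not stated in this header;
 * OpenSSL normally uses 1 for success and 0 for failure -- confirm
 * against the implementation.
 */

#ifndef HEADER_JPAKE_H
#define HEADER_JPAKE_H

#include <openssl/opensslconf.h>

#ifdef OPENSSL_NO_JPAKE
#error JPAKE is disabled.
#endif

#ifdef __cplusplus
extern "C" {
#endif

#include <openssl/bn.h>
#include <openssl/sha.h>

/* Opaque per-handshake state; the layout is private to the implementation. */
typedef struct JPAKE_CTX JPAKE_CTX;

/*
 * Zero-knowledge proof of knowledge of an exponent x (Schnorr-style:
 * a commitment g^r and a response b).
 *
 * Note that "g" in the ZKPs is not necessarily the J-PAKE g.
 */
typedef struct {
    BIGNUM *gr; /* g^r (r random) */
    BIGNUM *b;  /* b = r - x*h, h=hash(g, g^r, g^x, name) */
} JPAKE_ZKP;

/* One public value together with the proof that its exponent is known. */
typedef struct {
    /*
     * g^x in step 1, g^(xa + xc + xd) * xb * s in step 2,
     * i.e. g^((xa + xc + xd) * xb * s) as in the paper.
     */
    BIGNUM *gx;
    JPAKE_ZKP zkpx; /* ZKP(x) or ZKP(xb * s) */
} JPAKE_STEP_PART;

/* Step 1 message: two public values, each with its own proof. */
typedef struct {
    JPAKE_STEP_PART p1; /* g^x3, ZKP(x3) or g^x1, ZKP(x1) */
    JPAKE_STEP_PART p2; /* g^x4, ZKP(x4) or g^x2, ZKP(x2) */
} JPAKE_STEP1;

/* Step 2 message: a single public value with its proof. */
typedef JPAKE_STEP_PART JPAKE_STEP2;

/*
 * Key confirmation messages. SHA_DIGEST_LENGTH comes from <openssl/sha.h>
 * and is the SHA-1 digest size. The field names and the
 * JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH / JPAKE_R_HASH_OF_KEY_MISMATCH
 * reason codes suggest hhk = H(H(key)) and hk = H(key) -- confirm against
 * the implementation.
 */
typedef struct {
    unsigned char hhk[SHA_DIGEST_LENGTH];
} JPAKE_STEP3A;

typedef struct {
    unsigned char hk[SHA_DIGEST_LENGTH];
} JPAKE_STEP3B;

/*
 * Create the context for one end of the exchange.
 *
 *   name, peer_name  identities of this end and of the peer. Per the
 *                    JPAKE_ZKP comment a name is hashed into each proof;
 *                    the two ends should use different names so that a
 *                    proof cannot be reflected back at its sender.
 *                    TODO confirm whether the implementation enforces it.
 *   p, g, q          group parameters (presumably modulus, generator and
 *                    subgroup order as in the paper -- confirm).
 *   secret           the shared secret s. The paper requires s to be
 *                    non-zero mod q; whether that is checked here is not
 *                    visible in this header.
 *
 * Parameters are copied, so the caller keeps ownership of its own
 * BIGNUMs and can wipe its copy of the secret (e.g. BN_clear_free()) as
 * soon as the context exists.
 * NOTE(review): presumably returns NULL on failure, and JPAKE_CTX_free()
 * presumably clears the copied secret -- verify both.
 */
JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
                         const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
                         const BIGNUM *secret);
void JPAKE_CTX_free(JPAKE_CTX *ctx);

/*
 * Step 1: generate fills `send` for transmission, process consumes the
 * peer's message.
 *
 * Note that JPAKE_STEP1 can be used multiple times before release
 * without another init.
 *
 * `received` is built from peer-controlled data. This header exposes
 * JPAKE_R_VERIFY_X3_FAILED, JPAKE_R_VERIFY_X4_FAILED and
 * JPAKE_R_G_TO_THE_X4_IS_ONE, so proofs and one degenerate value are
 * evidently checked somewhere.
 * NOTE(review): confirm in the implementation that every received group
 * element (each gx and each zkp gr) is also range-checked against p and
 * q before it is used.
 */
void JPAKE_STEP1_init(JPAKE_STEP1 *s1);
int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx);
int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received);
void JPAKE_STEP1_release(JPAKE_STEP1 *s1);

/*
 * Step 2: same generate/process pattern as step 1, with one value and
 * one proof (JPAKE_R_VERIFY_B_FAILED is presumably the matching reason
 * code).
 *
 * Note that JPAKE_STEP2 can be used multiple times before release
 * without another init.
 */
void JPAKE_STEP2_init(JPAKE_STEP2 *s2);
int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx);
int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received);
void JPAKE_STEP2_release(JPAKE_STEP2 *s2);

/*
 * Optionally verify the shared key. If the shared secrets do not
 * match, the two ends will disagree about the shared key, but
 * otherwise the protocol will succeed.
 *
 * Consequence for callers: a successful step 2 does NOT show that the
 * peer knows the secret. Treat the peer as authenticated only after
 * this confirmation (or an equivalent check built on the shared key)
 * has succeeded; skipping it leaves a wrong secret undetected until the
 * key is first used.
 */
void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a);
int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx);
int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received);
void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a);

void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b);
int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx);
int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received);
void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b);

/*
 * the return value belongs to the library and will be released when
 * ctx is released, and will change when a new handshake is performed.
 *
 * Callers must therefore not free it, and must copy it (BN_dup()) if it
 * has to outlive ctx or a later handshake; wipe such copies when done.
 * NOTE(review): whether this is the raw group element or an already
 * hashed value is not visible here; if raw, run it through a hash/KDF
 * before using it as a symmetric key.
 */
const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx);

/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
 */
void ERR_load_JPAKE_strings(void);

/* Error codes for the JPAKE functions. */

/* Function codes. */
#define JPAKE_F_JPAKE_STEP1_PROCESS                      101
#define JPAKE_F_JPAKE_STEP2_PROCESS                      102
#define JPAKE_F_JPAKE_STEP3A_PROCESS                     103
#define JPAKE_F_JPAKE_STEP3B_PROCESS                     104
#define JPAKE_F_VERIFY_ZKP                               100

/* Reason codes. */
#define JPAKE_R_G_TO_THE_X4_IS_ONE                       105
#define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH             106
#define JPAKE_R_HASH_OF_KEY_MISMATCH                     107
#define JPAKE_R_VERIFY_B_FAILED                          102
#define JPAKE_R_VERIFY_X3_FAILED                         103
#define JPAKE_R_VERIFY_X4_FAILED                         104
#define JPAKE_R_ZKP_VERIFY_FAILED                        100

#ifdef __cplusplus
}
#endif
#endif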