#include <openssl/sha.h>
#include <openssl/err.h>
#include <memory.h>
-#include <assert.h>
+#include <string.h>
/*
* In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or
{
unsigned char b[2];
- assert(l <= 0xffff);
+ OPENSSL_assert(l <= 0xffff);
b[0] = l >> 8;
b[1] = l&0xff;
SHA1_Update(sha, b, 2);
*/
SHA1_Init(&sha);
hashbn(&sha, zkpg);
- assert(!BN_is_zero(p->zkpx.gr));
+ OPENSSL_assert(!BN_is_zero(p->zkpx.gr));
hashbn(&sha, p->zkpx.gr);
hashbn(&sha, p->gx);
hashstring(&sha, proof_name);
BIGNUM *h = BN_new();
BIGNUM *t = BN_new();
- /*
+ /*-
* r in [0,q)
* XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
*/
return 1;
}
+/* g^x is a legal value */
+static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx)
+ {
+ BIGNUM *t;
+ int res;
+
+ if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0)
+ return 0;
+
+ t = BN_new();
+ BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx);
+ res = BN_is_one(t);
+ BN_free(t);
+
+ return res;
+ }
+
int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received)
{
+ if(!is_legal(received->p1.gx, ctx))
+ {
+ JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL);
+ return 0;
+ }
+
+ if(!is_legal(received->p2.gx, ctx))
+ {
+ JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL);
+ return 0;
+ }
+
/* verify their ZKP(xc) */
if(!verify_zkp(&received->p1, ctx->p.g, ctx))
{
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
- /*
+ /*-
* X = g^{(xa + xc + xd) * xb * s}
* t1 = g^xa
*/
/* t2 = xb * s */
BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx);
- /*
+ /*-
* ZKP(xb * s)
* XXX: this is kinda funky, because we're using
*
BIGNUM *t2 = BN_new();
BIGNUM *t3 = BN_new();
- /*
+ /*-
* K = (gx/g^{xb * xd * s})^{xb}
* = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb}
* = (g^{(xa + xc) * xd * s})^{xb}
BIGNUM *t2 = BN_new();
int ret = 0;
- /*
+ /*-
* g' = g^{xc + xa + xb} [from our POV]
* t1 = xa + xb
*/