/*
 * Implement J-PAKE, as described in
 * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
 *
 * With hints from http://www.cl.cam.ac.uk/~fh240/software/JPAKE2.java.
 */
7e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
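#ifndef HEADER_JPAKE_H
#define HEADER_JPAKE_H

#include <openssl/opensslconf.h>

/* Fail the build early when the library was configured without J-PAKE. */
#ifdef OPENSSL_NO_JPAKE
#error JPAKE is disabled.
#endif

#ifdef  __cplusplus
extern "C" {
#endif

/* BIGNUM comes from bn.h, SHA_DIGEST_LENGTH from sha.h. */
#include <openssl/bn.h>
#include <openssl/sha.h>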
23e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
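/*
 * Opaque J-PAKE context. Only the forward declaration is visible in this
 * header, so callers hold it by pointer and go through the JPAKE_*
 * functions; the secret copied in by JPAKE_CTX_new() is not reachable
 * through any field declared here.
 */
typedef struct JPAKE_CTX JPAKE_CTX;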
25e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
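/*
 * Zero-knowledge proof of knowledge of an exponent x.
 *
 * Note that "g" in the ZKPs is not necessarily the J-PAKE g.
 *
 * The proof only protects x if r is fresh and unpredictable for every
 * proof: two proofs that share r but differ in h let anyone solve
 * b = r - x*h for x. The hash also covers a name, which ties the proof
 * to a party identity.
 * NOTE(review): which name is hashed, and how the inputs are encoded,
 * is decided by the implementation - confirm there.
 */
typedef struct
    {
    BIGNUM *gr; /* g^r (r random) */
    BIGNUM *b;  /* b = r - x*h, h=hash(g, g^r, g^x, name) */
    } JPAKE_ZKP;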
32e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
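/*
 * One public value together with the proof that the sender knows its
 * exponent. When this structure is received, both members are chosen
 * by the peer and carry no guarantee until the matching *_process()
 * call has accepted them.
 */
typedef struct
    {
    BIGNUM *gx;       /* g^x in step 1, g^(xa + xc + xd) * xb * s in step 2 */
    JPAKE_ZKP zkpx;   /* ZKP(x) or ZKP(xb * s) */
    } JPAKE_STEP_PART;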
38e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
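/*
 * Step 1 message: two public values, each with its own proof. Which
 * pair (x1/x2 or x3/x4) it holds depends on which side sent it.
 */
typedef struct
    {
    JPAKE_STEP_PART p1;   /* g^x3, ZKP(x3) or g^x1, ZKP(x1) */
    JPAKE_STEP_PART p2;   /* g^x4, ZKP(x4) or g^x2, ZKP(x2) */
    } JPAKE_STEP1;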
44e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
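/*
 * Step 2 message: a single value/proof pair, so it reuses
 * JPAKE_STEP_PART (see the "step 2" halves of that struct's comments).
 */
typedef JPAKE_STEP_PART JPAKE_STEP2;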
46e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
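/*
 * Step 3A message (optional key confirmation), sized by
 * SHA_DIGEST_LENGTH from <openssl/sha.h>.
 * NOTE(review): hhk is presumably the hash of the hash of the shared
 * key, matching JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH - confirm against
 * the implementation.
 */
typedef struct
    {
    unsigned char hhk[SHA_DIGEST_LENGTH];
    } JPAKE_STEP3A;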
51e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
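/*
 * Step 3B message (optional key confirmation), sized by
 * SHA_DIGEST_LENGTH from <openssl/sha.h>.
 * NOTE(review): hk is presumably the hash of the shared key, matching
 * JPAKE_R_HASH_OF_KEY_MISMATCH - confirm against the implementation.
 */
typedef struct
    {
    unsigned char hk[SHA_DIGEST_LENGTH];
    } JPAKE_STEP3B;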
56e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
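/*
 * Create and destroy a J-PAKE context.
 *
 * Parameters are copied, so the caller keeps ownership of everything it
 * passes in. That includes the secret: the caller's own BIGNUM still
 * has to be cleared by the caller, and the copy lives until
 * JPAKE_CTX_free().
 *
 * p, g and q are the group parameters; name and peer_name identify the
 * two parties.
 * NOTE(review): the J-PAKE paper requires the secret to be non-zero
 * and the two party names to differ; whether JPAKE_CTX_new() rejects
 * violations, and whether JPAKE_CTX_free() zeroizes its copy of the
 * secret, cannot be seen from this header - confirm in the
 * implementation or check in the caller.
 */
JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
			 const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
			 const BIGNUM *secret);
void JPAKE_CTX_free(JPAKE_CTX *ctx);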
62e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
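/*
 * Step 1: init a message, fill it from ctx to send, or feed a received
 * one into ctx; release it when done.
 *
 * Note that JPAKE_STEP1 can be used multiple times before release
 * without another init.
 *
 * JPAKE_STEP1_process() consumes values chosen by the peer. Its int
 * result must be checked and the handshake abandoned on failure; the
 * JPAKE_R_* reason codes in this header name the individual rejections.
 * NOTE(review): the return convention is not stated here (presumably
 * the usual OpenSSL 1 = success, 0 = failure) - confirm against the
 * implementation.
 */
void JPAKE_STEP1_init(JPAKE_STEP1 *s1);
int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx);
int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received);
void JPAKE_STEP1_release(JPAKE_STEP1 *s1);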
71e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
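/*
 * Step 2: same init / generate / process / release life cycle as
 * step 1, on the single value/proof pair of JPAKE_STEP2.
 *
 * Note that JPAKE_STEP2 can be used multiple times before release
 * without another init.
 *
 * As with step 1, the message handed to JPAKE_STEP2_process() is
 * peer-controlled, so a failing result has to end the handshake.
 * NOTE(review): the return convention is not stated here (presumably
 * 1 = success, 0 = failure) - confirm against the implementation.
 */
void JPAKE_STEP2_init(JPAKE_STEP2 *s2);
int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx);
int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received);
void JPAKE_STEP2_release(JPAKE_STEP2 *s2);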
80e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
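/*
 * Optionally verify the shared key. If the shared secrets do not
 * match, the two ends will disagree about the shared key, but
 * otherwise the protocol will succeed.
 *
 * In other words, steps 1 and 2 completing without error does not show
 * that the peer knew the secret. A caller that skips step 3 learns
 * about a mismatch only when something keyed with the shared key fails
 * later, so it must not treat the peer as authenticated before then.
 *
 * Step 3A carries JPAKE_STEP3A.hhk and step 3B carries JPAKE_STEP3B.hk;
 * the *_process() results must be checked like those of steps 1 and 2.
 * NOTE(review): whether the digest comparison inside *_process() is
 * constant-time is not visible from this header.
 */
void JPAKE_STEP3A_init(JPAKE_STEP3A *s3a);
int JPAKE_STEP3A_generate(JPAKE_STEP3A *send, JPAKE_CTX *ctx);
int JPAKE_STEP3A_process(JPAKE_CTX *ctx, const JPAKE_STEP3A *received);
void JPAKE_STEP3A_release(JPAKE_STEP3A *s3a);

void JPAKE_STEP3B_init(JPAKE_STEP3B *s3b);
int JPAKE_STEP3B_generate(JPAKE_STEP3B *send, JPAKE_CTX *ctx);
int JPAKE_STEP3B_process(JPAKE_CTX *ctx, const JPAKE_STEP3B *received);
void JPAKE_STEP3B_release(JPAKE_STEP3B *s3b);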
95e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
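/*
 * The return value belongs to the library and will be released when
 * ctx is released, and will change when a new handshake is performed.
 *
 * The caller must therefore not free it, and must not keep the pointer
 * across JPAKE_CTX_free() or another handshake on the same ctx. If the
 * key is needed for longer, take a copy (e.g. BN_dup()) and clear that
 * copy when finished (e.g. BN_clear_free()).
 * NOTE(review): this header does not say what is returned before the
 * handshake has completed, nor whether the value is a raw group element
 * that still needs a hash/KDF before use as a symmetric key - confirm
 * against the implementation.
 */
const BIGNUM *JPAKE_get_shared_key(JPAKE_CTX *ctx);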
101e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
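/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
 */
void ERR_load_JPAKE_strings(void);

/* Error codes for the JPAKE functions. */

/* Function codes. */
#define JPAKE_F_JPAKE_STEP1_PROCESS			 101
#define JPAKE_F_JPAKE_STEP2_PROCESS			 102
#define JPAKE_F_JPAKE_STEP3A_PROCESS			 103
#define JPAKE_F_JPAKE_STEP3B_PROCESS			 104
#define JPAKE_F_VERIFY_ZKP				 100

/* Reason codes. */
#define JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL		 108
#define JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL		 109
#define JPAKE_R_G_TO_THE_X4_IS_ONE			 105
#define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH		 106
#define JPAKE_R_HASH_OF_KEY_MISMATCH			 107
#define JPAKE_R_VERIFY_B_FAILED				 102
#define JPAKE_R_VERIFY_X3_FAILED			 103
#define JPAKE_R_VERIFY_X4_FAILED			 104
#define JPAKE_R_ZKP_VERIFY_FAILED			 100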
127e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu
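#ifdef  __cplusplus
}
#endif
#endif /* HEADER_JPAKE_H */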
132