wolf SSL
wolfSSL 3.11.1 for TLS1.3 beta
wolfcrypt/src/srp.c@3:6f956bdb3073, 2016-04-28 (annotated)
- Committer:
- wolfSSL
- Date:
- Thu Apr 28 00:56:55 2016 +0000
- Revision:
- 3:6f956bdb3073
wolfSSL 3.9.0
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| wolfSSL | 3:6f956bdb3073 | 1 | /* srp.c |
| wolfSSL | 3:6f956bdb3073 | 2 | * |
| wolfSSL | 3:6f956bdb3073 | 3 | * Copyright (C) 2006-2016 wolfSSL Inc. |
| wolfSSL | 3:6f956bdb3073 | 4 | * |
| wolfSSL | 3:6f956bdb3073 | 5 | * This file is part of wolfSSL. |
| wolfSSL | 3:6f956bdb3073 | 6 | * |
| wolfSSL | 3:6f956bdb3073 | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
| wolfSSL | 3:6f956bdb3073 | 8 | * it under the terms of the GNU General Public License as published by |
| wolfSSL | 3:6f956bdb3073 | 9 | * the Free Software Foundation; either version 2 of the License, or |
| wolfSSL | 3:6f956bdb3073 | 10 | * (at your option) any later version. |
| wolfSSL | 3:6f956bdb3073 | 11 | * |
| wolfSSL | 3:6f956bdb3073 | 12 | * wolfSSL is distributed in the hope that it will be useful, |
| wolfSSL | 3:6f956bdb3073 | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| wolfSSL | 3:6f956bdb3073 | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| wolfSSL | 3:6f956bdb3073 | 15 | * GNU General Public License for more details. |
| wolfSSL | 3:6f956bdb3073 | 16 | * |
| wolfSSL | 3:6f956bdb3073 | 17 | * You should have received a copy of the GNU General Public License |
| wolfSSL | 3:6f956bdb3073 | 18 | * along with this program; if not, write to the Free Software |
| wolfSSL | 3:6f956bdb3073 | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
| wolfSSL | 3:6f956bdb3073 | 20 | */ |
| wolfSSL | 3:6f956bdb3073 | 21 | |
| wolfSSL | 3:6f956bdb3073 | 22 | |
| wolfSSL | 3:6f956bdb3073 | 23 | #ifdef HAVE_CONFIG_H |
| wolfSSL | 3:6f956bdb3073 | 24 | #include <config.h> |
| wolfSSL | 3:6f956bdb3073 | 25 | #endif |
| wolfSSL | 3:6f956bdb3073 | 26 | |
| wolfSSL | 3:6f956bdb3073 | 27 | #include <wolfssl/wolfcrypt/settings.h> |
| wolfSSL | 3:6f956bdb3073 | 28 | |
| wolfSSL | 3:6f956bdb3073 | 29 | #ifdef WOLFCRYPT_HAVE_SRP |
| wolfSSL | 3:6f956bdb3073 | 30 | |
| wolfSSL | 3:6f956bdb3073 | 31 | #include <wolfssl/wolfcrypt/srp.h> |
| wolfSSL | 3:6f956bdb3073 | 32 | #include <wolfssl/wolfcrypt/random.h> |
| wolfSSL | 3:6f956bdb3073 | 33 | #include <wolfssl/wolfcrypt/error-crypt.h> |
| wolfSSL | 3:6f956bdb3073 | 34 | |
| wolfSSL | 3:6f956bdb3073 | 35 | #ifdef NO_INLINE |
| wolfSSL | 3:6f956bdb3073 | 36 | #include <wolfssl/wolfcrypt/misc.h> |
| wolfSSL | 3:6f956bdb3073 | 37 | #else |
| wolfSSL | 3:6f956bdb3073 | 38 | #include <wolfcrypt/src/misc.c> |
| wolfSSL | 3:6f956bdb3073 | 39 | #endif |
| wolfSSL | 3:6f956bdb3073 | 40 | |
| wolfSSL | 3:6f956bdb3073 | 41 | /** Computes the session key using the Mask Generation Function 1. */ |
| wolfSSL | 3:6f956bdb3073 | 42 | static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size); |
| wolfSSL | 3:6f956bdb3073 | 43 | |
| wolfSSL | 3:6f956bdb3073 | 44 | static int SrpHashInit(SrpHash* hash, SrpType type) |
| wolfSSL | 3:6f956bdb3073 | 45 | { |
| wolfSSL | 3:6f956bdb3073 | 46 | hash->type = type; |
| wolfSSL | 3:6f956bdb3073 | 47 | |
| wolfSSL | 3:6f956bdb3073 | 48 | switch (type) { |
| wolfSSL | 3:6f956bdb3073 | 49 | case SRP_TYPE_SHA: |
| wolfSSL | 3:6f956bdb3073 | 50 | #ifndef NO_SHA |
| wolfSSL | 3:6f956bdb3073 | 51 | return wc_InitSha(&hash->data.sha); |
| wolfSSL | 3:6f956bdb3073 | 52 | #else |
| wolfSSL | 3:6f956bdb3073 | 53 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 54 | #endif |
| wolfSSL | 3:6f956bdb3073 | 55 | |
| wolfSSL | 3:6f956bdb3073 | 56 | case SRP_TYPE_SHA256: |
| wolfSSL | 3:6f956bdb3073 | 57 | #ifndef NO_SHA256 |
| wolfSSL | 3:6f956bdb3073 | 58 | return wc_InitSha256(&hash->data.sha256); |
| wolfSSL | 3:6f956bdb3073 | 59 | #else |
| wolfSSL | 3:6f956bdb3073 | 60 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 61 | #endif |
| wolfSSL | 3:6f956bdb3073 | 62 | |
| wolfSSL | 3:6f956bdb3073 | 63 | case SRP_TYPE_SHA384: |
| wolfSSL | 3:6f956bdb3073 | 64 | #ifdef WOLFSSL_SHA384 |
| wolfSSL | 3:6f956bdb3073 | 65 | return wc_InitSha384(&hash->data.sha384); |
| wolfSSL | 3:6f956bdb3073 | 66 | #else |
| wolfSSL | 3:6f956bdb3073 | 67 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 68 | #endif |
| wolfSSL | 3:6f956bdb3073 | 69 | |
| wolfSSL | 3:6f956bdb3073 | 70 | case SRP_TYPE_SHA512: |
| wolfSSL | 3:6f956bdb3073 | 71 | #ifdef WOLFSSL_SHA512 |
| wolfSSL | 3:6f956bdb3073 | 72 | return wc_InitSha512(&hash->data.sha512); |
| wolfSSL | 3:6f956bdb3073 | 73 | #else |
| wolfSSL | 3:6f956bdb3073 | 74 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 75 | #endif |
| wolfSSL | 3:6f956bdb3073 | 76 | |
| wolfSSL | 3:6f956bdb3073 | 77 | default: |
| wolfSSL | 3:6f956bdb3073 | 78 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 79 | } |
| wolfSSL | 3:6f956bdb3073 | 80 | } |
| wolfSSL | 3:6f956bdb3073 | 81 | |
| wolfSSL | 3:6f956bdb3073 | 82 | static int SrpHashUpdate(SrpHash* hash, const byte* data, word32 size) |
| wolfSSL | 3:6f956bdb3073 | 83 | { |
| wolfSSL | 3:6f956bdb3073 | 84 | switch (hash->type) { |
| wolfSSL | 3:6f956bdb3073 | 85 | case SRP_TYPE_SHA: |
| wolfSSL | 3:6f956bdb3073 | 86 | #ifndef NO_SHA |
| wolfSSL | 3:6f956bdb3073 | 87 | return wc_ShaUpdate(&hash->data.sha, data, size); |
| wolfSSL | 3:6f956bdb3073 | 88 | #else |
| wolfSSL | 3:6f956bdb3073 | 89 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 90 | #endif |
| wolfSSL | 3:6f956bdb3073 | 91 | |
| wolfSSL | 3:6f956bdb3073 | 92 | case SRP_TYPE_SHA256: |
| wolfSSL | 3:6f956bdb3073 | 93 | #ifndef NO_SHA256 |
| wolfSSL | 3:6f956bdb3073 | 94 | return wc_Sha256Update(&hash->data.sha256, data, size); |
| wolfSSL | 3:6f956bdb3073 | 95 | #else |
| wolfSSL | 3:6f956bdb3073 | 96 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 97 | #endif |
| wolfSSL | 3:6f956bdb3073 | 98 | |
| wolfSSL | 3:6f956bdb3073 | 99 | case SRP_TYPE_SHA384: |
| wolfSSL | 3:6f956bdb3073 | 100 | #ifdef WOLFSSL_SHA384 |
| wolfSSL | 3:6f956bdb3073 | 101 | return wc_Sha384Update(&hash->data.sha384, data, size); |
| wolfSSL | 3:6f956bdb3073 | 102 | #else |
| wolfSSL | 3:6f956bdb3073 | 103 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 104 | #endif |
| wolfSSL | 3:6f956bdb3073 | 105 | |
| wolfSSL | 3:6f956bdb3073 | 106 | case SRP_TYPE_SHA512: |
| wolfSSL | 3:6f956bdb3073 | 107 | #ifdef WOLFSSL_SHA512 |
| wolfSSL | 3:6f956bdb3073 | 108 | return wc_Sha512Update(&hash->data.sha512, data, size); |
| wolfSSL | 3:6f956bdb3073 | 109 | #else |
| wolfSSL | 3:6f956bdb3073 | 110 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 111 | #endif |
| wolfSSL | 3:6f956bdb3073 | 112 | |
| wolfSSL | 3:6f956bdb3073 | 113 | default: |
| wolfSSL | 3:6f956bdb3073 | 114 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 115 | } |
| wolfSSL | 3:6f956bdb3073 | 116 | } |
| wolfSSL | 3:6f956bdb3073 | 117 | |
| wolfSSL | 3:6f956bdb3073 | 118 | static int SrpHashFinal(SrpHash* hash, byte* digest) |
| wolfSSL | 3:6f956bdb3073 | 119 | { |
| wolfSSL | 3:6f956bdb3073 | 120 | switch (hash->type) { |
| wolfSSL | 3:6f956bdb3073 | 121 | case SRP_TYPE_SHA: |
| wolfSSL | 3:6f956bdb3073 | 122 | #ifndef NO_SHA |
| wolfSSL | 3:6f956bdb3073 | 123 | return wc_ShaFinal(&hash->data.sha, digest); |
| wolfSSL | 3:6f956bdb3073 | 124 | #else |
| wolfSSL | 3:6f956bdb3073 | 125 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 126 | #endif |
| wolfSSL | 3:6f956bdb3073 | 127 | |
| wolfSSL | 3:6f956bdb3073 | 128 | case SRP_TYPE_SHA256: |
| wolfSSL | 3:6f956bdb3073 | 129 | #ifndef NO_SHA256 |
| wolfSSL | 3:6f956bdb3073 | 130 | return wc_Sha256Final(&hash->data.sha256, digest); |
| wolfSSL | 3:6f956bdb3073 | 131 | #else |
| wolfSSL | 3:6f956bdb3073 | 132 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 133 | #endif |
| wolfSSL | 3:6f956bdb3073 | 134 | |
| wolfSSL | 3:6f956bdb3073 | 135 | case SRP_TYPE_SHA384: |
| wolfSSL | 3:6f956bdb3073 | 136 | #ifdef WOLFSSL_SHA384 |
| wolfSSL | 3:6f956bdb3073 | 137 | return wc_Sha384Final(&hash->data.sha384, digest); |
| wolfSSL | 3:6f956bdb3073 | 138 | #else |
| wolfSSL | 3:6f956bdb3073 | 139 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 140 | #endif |
| wolfSSL | 3:6f956bdb3073 | 141 | |
| wolfSSL | 3:6f956bdb3073 | 142 | case SRP_TYPE_SHA512: |
| wolfSSL | 3:6f956bdb3073 | 143 | #ifdef WOLFSSL_SHA512 |
| wolfSSL | 3:6f956bdb3073 | 144 | return wc_Sha512Final(&hash->data.sha512, digest); |
| wolfSSL | 3:6f956bdb3073 | 145 | #else |
| wolfSSL | 3:6f956bdb3073 | 146 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 147 | #endif |
| wolfSSL | 3:6f956bdb3073 | 148 | |
| wolfSSL | 3:6f956bdb3073 | 149 | default: |
| wolfSSL | 3:6f956bdb3073 | 150 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 151 | } |
| wolfSSL | 3:6f956bdb3073 | 152 | } |
| wolfSSL | 3:6f956bdb3073 | 153 | |
| wolfSSL | 3:6f956bdb3073 | 154 | static word32 SrpHashSize(SrpType type) |
| wolfSSL | 3:6f956bdb3073 | 155 | { |
| wolfSSL | 3:6f956bdb3073 | 156 | switch (type) { |
| wolfSSL | 3:6f956bdb3073 | 157 | case SRP_TYPE_SHA: |
| wolfSSL | 3:6f956bdb3073 | 158 | #ifndef NO_SHA |
| wolfSSL | 3:6f956bdb3073 | 159 | return SHA_DIGEST_SIZE; |
| wolfSSL | 3:6f956bdb3073 | 160 | #else |
| wolfSSL | 3:6f956bdb3073 | 161 | return 0; |
| wolfSSL | 3:6f956bdb3073 | 162 | #endif |
| wolfSSL | 3:6f956bdb3073 | 163 | |
| wolfSSL | 3:6f956bdb3073 | 164 | case SRP_TYPE_SHA256: |
| wolfSSL | 3:6f956bdb3073 | 165 | #ifndef NO_SHA256 |
| wolfSSL | 3:6f956bdb3073 | 166 | return SHA256_DIGEST_SIZE; |
| wolfSSL | 3:6f956bdb3073 | 167 | #else |
| wolfSSL | 3:6f956bdb3073 | 168 | return 0; |
| wolfSSL | 3:6f956bdb3073 | 169 | #endif |
| wolfSSL | 3:6f956bdb3073 | 170 | |
| wolfSSL | 3:6f956bdb3073 | 171 | case SRP_TYPE_SHA384: |
| wolfSSL | 3:6f956bdb3073 | 172 | #ifdef WOLFSSL_SHA384 |
| wolfSSL | 3:6f956bdb3073 | 173 | return SHA384_DIGEST_SIZE; |
| wolfSSL | 3:6f956bdb3073 | 174 | #else |
| wolfSSL | 3:6f956bdb3073 | 175 | return 0; |
| wolfSSL | 3:6f956bdb3073 | 176 | #endif |
| wolfSSL | 3:6f956bdb3073 | 177 | |
| wolfSSL | 3:6f956bdb3073 | 178 | case SRP_TYPE_SHA512: |
| wolfSSL | 3:6f956bdb3073 | 179 | #ifdef WOLFSSL_SHA512 |
| wolfSSL | 3:6f956bdb3073 | 180 | return SHA512_DIGEST_SIZE; |
| wolfSSL | 3:6f956bdb3073 | 181 | #else |
| wolfSSL | 3:6f956bdb3073 | 182 | return 0; |
| wolfSSL | 3:6f956bdb3073 | 183 | #endif |
| wolfSSL | 3:6f956bdb3073 | 184 | |
| wolfSSL | 3:6f956bdb3073 | 185 | default: |
| wolfSSL | 3:6f956bdb3073 | 186 | return 0; |
| wolfSSL | 3:6f956bdb3073 | 187 | } |
| wolfSSL | 3:6f956bdb3073 | 188 | } |
| wolfSSL | 3:6f956bdb3073 | 189 | |
| wolfSSL | 3:6f956bdb3073 | 190 | int wc_SrpInit(Srp* srp, SrpType type, SrpSide side) |
| wolfSSL | 3:6f956bdb3073 | 191 | { |
| wolfSSL | 3:6f956bdb3073 | 192 | int r; |
| wolfSSL | 3:6f956bdb3073 | 193 | |
| wolfSSL | 3:6f956bdb3073 | 194 | /* validating params */ |
| wolfSSL | 3:6f956bdb3073 | 195 | |
| wolfSSL | 3:6f956bdb3073 | 196 | if (!srp) |
| wolfSSL | 3:6f956bdb3073 | 197 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 198 | |
| wolfSSL | 3:6f956bdb3073 | 199 | if (side != SRP_CLIENT_SIDE && side != SRP_SERVER_SIDE) |
| wolfSSL | 3:6f956bdb3073 | 200 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 201 | |
| wolfSSL | 3:6f956bdb3073 | 202 | switch (type) { |
| wolfSSL | 3:6f956bdb3073 | 203 | case SRP_TYPE_SHA: |
| wolfSSL | 3:6f956bdb3073 | 204 | #ifdef NO_SHA |
| wolfSSL | 3:6f956bdb3073 | 205 | return NOT_COMPILED_IN; |
| wolfSSL | 3:6f956bdb3073 | 206 | #else |
| wolfSSL | 3:6f956bdb3073 | 207 | break; /* OK */ |
| wolfSSL | 3:6f956bdb3073 | 208 | #endif |
| wolfSSL | 3:6f956bdb3073 | 209 | |
| wolfSSL | 3:6f956bdb3073 | 210 | case SRP_TYPE_SHA256: |
| wolfSSL | 3:6f956bdb3073 | 211 | #ifdef NO_SHA256 |
| wolfSSL | 3:6f956bdb3073 | 212 | return NOT_COMPILED_IN; |
| wolfSSL | 3:6f956bdb3073 | 213 | #else |
| wolfSSL | 3:6f956bdb3073 | 214 | break; /* OK */ |
| wolfSSL | 3:6f956bdb3073 | 215 | #endif |
| wolfSSL | 3:6f956bdb3073 | 216 | |
| wolfSSL | 3:6f956bdb3073 | 217 | case SRP_TYPE_SHA384: |
| wolfSSL | 3:6f956bdb3073 | 218 | #ifndef WOLFSSL_SHA384 |
| wolfSSL | 3:6f956bdb3073 | 219 | return NOT_COMPILED_IN; |
| wolfSSL | 3:6f956bdb3073 | 220 | #else |
| wolfSSL | 3:6f956bdb3073 | 221 | break; /* OK */ |
| wolfSSL | 3:6f956bdb3073 | 222 | #endif |
| wolfSSL | 3:6f956bdb3073 | 223 | |
| wolfSSL | 3:6f956bdb3073 | 224 | case SRP_TYPE_SHA512: |
| wolfSSL | 3:6f956bdb3073 | 225 | #ifndef WOLFSSL_SHA512 |
| wolfSSL | 3:6f956bdb3073 | 226 | return NOT_COMPILED_IN; |
| wolfSSL | 3:6f956bdb3073 | 227 | #else |
| wolfSSL | 3:6f956bdb3073 | 228 | break; /* OK */ |
| wolfSSL | 3:6f956bdb3073 | 229 | #endif |
| wolfSSL | 3:6f956bdb3073 | 230 | |
| wolfSSL | 3:6f956bdb3073 | 231 | default: |
| wolfSSL | 3:6f956bdb3073 | 232 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 233 | } |
| wolfSSL | 3:6f956bdb3073 | 234 | |
| wolfSSL | 3:6f956bdb3073 | 235 | /* initializing variables */ |
| wolfSSL | 3:6f956bdb3073 | 236 | |
| wolfSSL | 3:6f956bdb3073 | 237 | XMEMSET(srp, 0, sizeof(Srp)); |
| wolfSSL | 3:6f956bdb3073 | 238 | |
| wolfSSL | 3:6f956bdb3073 | 239 | if ((r = SrpHashInit(&srp->client_proof, type)) != 0) |
| wolfSSL | 3:6f956bdb3073 | 240 | return r; |
| wolfSSL | 3:6f956bdb3073 | 241 | |
| wolfSSL | 3:6f956bdb3073 | 242 | if ((r = SrpHashInit(&srp->server_proof, type)) != 0) |
| wolfSSL | 3:6f956bdb3073 | 243 | return r; |
| wolfSSL | 3:6f956bdb3073 | 244 | |
| wolfSSL | 3:6f956bdb3073 | 245 | if ((r = mp_init_multi(&srp->N, &srp->g, &srp->auth, |
| wolfSSL | 3:6f956bdb3073 | 246 | &srp->priv, 0, 0)) != 0) |
| wolfSSL | 3:6f956bdb3073 | 247 | return r; |
| wolfSSL | 3:6f956bdb3073 | 248 | |
| wolfSSL | 3:6f956bdb3073 | 249 | srp->side = side; srp->type = type; |
| wolfSSL | 3:6f956bdb3073 | 250 | srp->salt = NULL; srp->saltSz = 0; |
| wolfSSL | 3:6f956bdb3073 | 251 | srp->user = NULL; srp->userSz = 0; |
| wolfSSL | 3:6f956bdb3073 | 252 | srp->key = NULL; srp->keySz = 0; |
| wolfSSL | 3:6f956bdb3073 | 253 | |
| wolfSSL | 3:6f956bdb3073 | 254 | srp->keyGenFunc_cb = wc_SrpSetKey; |
| wolfSSL | 3:6f956bdb3073 | 255 | |
| wolfSSL | 3:6f956bdb3073 | 256 | return 0; |
| wolfSSL | 3:6f956bdb3073 | 257 | } |
| wolfSSL | 3:6f956bdb3073 | 258 | |
| wolfSSL | 3:6f956bdb3073 | 259 | void wc_SrpTerm(Srp* srp) |
| wolfSSL | 3:6f956bdb3073 | 260 | { |
| wolfSSL | 3:6f956bdb3073 | 261 | if (srp) { |
| wolfSSL | 3:6f956bdb3073 | 262 | mp_clear(&srp->N); mp_clear(&srp->g); |
| wolfSSL | 3:6f956bdb3073 | 263 | mp_clear(&srp->auth); mp_clear(&srp->priv); |
| wolfSSL | 3:6f956bdb3073 | 264 | |
| wolfSSL | 3:6f956bdb3073 | 265 | ForceZero(srp->salt, srp->saltSz); |
| wolfSSL | 3:6f956bdb3073 | 266 | XFREE(srp->salt, NULL, DYNAMIC_TYPE_SRP); |
| wolfSSL | 3:6f956bdb3073 | 267 | ForceZero(srp->user, srp->userSz); |
| wolfSSL | 3:6f956bdb3073 | 268 | XFREE(srp->user, NULL, DYNAMIC_TYPE_SRP); |
| wolfSSL | 3:6f956bdb3073 | 269 | ForceZero(srp->key, srp->keySz); |
| wolfSSL | 3:6f956bdb3073 | 270 | XFREE(srp->key, NULL, DYNAMIC_TYPE_SRP); |
| wolfSSL | 3:6f956bdb3073 | 271 | |
| wolfSSL | 3:6f956bdb3073 | 272 | ForceZero(srp, sizeof(Srp)); |
| wolfSSL | 3:6f956bdb3073 | 273 | } |
| wolfSSL | 3:6f956bdb3073 | 274 | } |
| wolfSSL | 3:6f956bdb3073 | 275 | |
| wolfSSL | 3:6f956bdb3073 | 276 | int wc_SrpSetUsername(Srp* srp, const byte* username, word32 size) |
| wolfSSL | 3:6f956bdb3073 | 277 | { |
| wolfSSL | 3:6f956bdb3073 | 278 | if (!srp || !username) |
| wolfSSL | 3:6f956bdb3073 | 279 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 280 | |
| wolfSSL | 3:6f956bdb3073 | 281 | srp->user = (byte*)XMALLOC(size, NULL, DYNAMIC_TYPE_SRP); |
| wolfSSL | 3:6f956bdb3073 | 282 | if (srp->user == NULL) |
| wolfSSL | 3:6f956bdb3073 | 283 | return MEMORY_E; |
| wolfSSL | 3:6f956bdb3073 | 284 | |
| wolfSSL | 3:6f956bdb3073 | 285 | srp->userSz = size; |
| wolfSSL | 3:6f956bdb3073 | 286 | XMEMCPY(srp->user, username, srp->userSz); |
| wolfSSL | 3:6f956bdb3073 | 287 | |
| wolfSSL | 3:6f956bdb3073 | 288 | return 0; |
| wolfSSL | 3:6f956bdb3073 | 289 | } |
| wolfSSL | 3:6f956bdb3073 | 290 | |
| wolfSSL | 3:6f956bdb3073 | 291 | int wc_SrpSetParams(Srp* srp, const byte* N, word32 nSz, |
| wolfSSL | 3:6f956bdb3073 | 292 | const byte* g, word32 gSz, |
| wolfSSL | 3:6f956bdb3073 | 293 | const byte* salt, word32 saltSz) |
| wolfSSL | 3:6f956bdb3073 | 294 | { |
| wolfSSL | 3:6f956bdb3073 | 295 | SrpHash hash; |
| wolfSSL | 3:6f956bdb3073 | 296 | byte digest1[SRP_MAX_DIGEST_SIZE]; |
| wolfSSL | 3:6f956bdb3073 | 297 | byte digest2[SRP_MAX_DIGEST_SIZE]; |
| wolfSSL | 3:6f956bdb3073 | 298 | byte pad = 0; |
| wolfSSL | 3:6f956bdb3073 | 299 | int i, j, r; |
| wolfSSL | 3:6f956bdb3073 | 300 | |
| wolfSSL | 3:6f956bdb3073 | 301 | if (!srp || !N || !g || !salt || nSz < gSz) |
| wolfSSL | 3:6f956bdb3073 | 302 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 303 | |
| wolfSSL | 3:6f956bdb3073 | 304 | if (!srp->user) |
| wolfSSL | 3:6f956bdb3073 | 305 | return SRP_CALL_ORDER_E; |
| wolfSSL | 3:6f956bdb3073 | 306 | |
| wolfSSL | 3:6f956bdb3073 | 307 | /* Set N */ |
| wolfSSL | 3:6f956bdb3073 | 308 | if (mp_read_unsigned_bin(&srp->N, N, nSz) != MP_OKAY) |
| wolfSSL | 3:6f956bdb3073 | 309 | return MP_READ_E; |
| wolfSSL | 3:6f956bdb3073 | 310 | |
| wolfSSL | 3:6f956bdb3073 | 311 | if (mp_count_bits(&srp->N) < SRP_DEFAULT_MIN_BITS) |
| wolfSSL | 3:6f956bdb3073 | 312 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 313 | |
| wolfSSL | 3:6f956bdb3073 | 314 | /* Set g */ |
| wolfSSL | 3:6f956bdb3073 | 315 | if (mp_read_unsigned_bin(&srp->g, g, gSz) != MP_OKAY) |
| wolfSSL | 3:6f956bdb3073 | 316 | return MP_READ_E; |
| wolfSSL | 3:6f956bdb3073 | 317 | |
| wolfSSL | 3:6f956bdb3073 | 318 | if (mp_cmp(&srp->N, &srp->g) != MP_GT) |
| wolfSSL | 3:6f956bdb3073 | 319 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 320 | |
| wolfSSL | 3:6f956bdb3073 | 321 | /* Set salt */ |
| wolfSSL | 3:6f956bdb3073 | 322 | if (srp->salt) { |
| wolfSSL | 3:6f956bdb3073 | 323 | ForceZero(srp->salt, srp->saltSz); |
| wolfSSL | 3:6f956bdb3073 | 324 | XFREE(srp->salt, NULL, DYNAMIC_TYPE_SRP); |
| wolfSSL | 3:6f956bdb3073 | 325 | } |
| wolfSSL | 3:6f956bdb3073 | 326 | |
| wolfSSL | 3:6f956bdb3073 | 327 | srp->salt = (byte*)XMALLOC(saltSz, NULL, DYNAMIC_TYPE_SRP); |
| wolfSSL | 3:6f956bdb3073 | 328 | if (srp->salt == NULL) |
| wolfSSL | 3:6f956bdb3073 | 329 | return MEMORY_E; |
| wolfSSL | 3:6f956bdb3073 | 330 | |
| wolfSSL | 3:6f956bdb3073 | 331 | XMEMCPY(srp->salt, salt, saltSz); |
| wolfSSL | 3:6f956bdb3073 | 332 | srp->saltSz = saltSz; |
| wolfSSL | 3:6f956bdb3073 | 333 | |
| wolfSSL | 3:6f956bdb3073 | 334 | /* Set k = H(N, g) */ |
| wolfSSL | 3:6f956bdb3073 | 335 | r = SrpHashInit(&hash, srp->type); |
| wolfSSL | 3:6f956bdb3073 | 336 | if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz); |
| wolfSSL | 3:6f956bdb3073 | 337 | for (i = 0; (word32)i < nSz - gSz; i++) |
| wolfSSL | 3:6f956bdb3073 | 338 | SrpHashUpdate(&hash, &pad, 1); |
| wolfSSL | 3:6f956bdb3073 | 339 | if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz); |
| wolfSSL | 3:6f956bdb3073 | 340 | if (!r) r = SrpHashFinal(&hash, srp->k); |
| wolfSSL | 3:6f956bdb3073 | 341 | |
| wolfSSL | 3:6f956bdb3073 | 342 | /* update client proof */ |
| wolfSSL | 3:6f956bdb3073 | 343 | |
| wolfSSL | 3:6f956bdb3073 | 344 | /* digest1 = H(N) */ |
| wolfSSL | 3:6f956bdb3073 | 345 | if (!r) r = SrpHashInit(&hash, srp->type); |
| wolfSSL | 3:6f956bdb3073 | 346 | if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz); |
| wolfSSL | 3:6f956bdb3073 | 347 | if (!r) r = SrpHashFinal(&hash, digest1); |
| wolfSSL | 3:6f956bdb3073 | 348 | |
| wolfSSL | 3:6f956bdb3073 | 349 | /* digest2 = H(g) */ |
| wolfSSL | 3:6f956bdb3073 | 350 | if (!r) r = SrpHashInit(&hash, srp->type); |
| wolfSSL | 3:6f956bdb3073 | 351 | if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz); |
| wolfSSL | 3:6f956bdb3073 | 352 | if (!r) r = SrpHashFinal(&hash, digest2); |
| wolfSSL | 3:6f956bdb3073 | 353 | |
| wolfSSL | 3:6f956bdb3073 | 354 | /* digest1 = H(N) ^ H(g) */ |
| wolfSSL | 3:6f956bdb3073 | 355 | if (r == 0) { |
| wolfSSL | 3:6f956bdb3073 | 356 | for (i = 0, j = SrpHashSize(srp->type); i < j; i++) |
| wolfSSL | 3:6f956bdb3073 | 357 | digest1[i] ^= digest2[i]; |
| wolfSSL | 3:6f956bdb3073 | 358 | } |
| wolfSSL | 3:6f956bdb3073 | 359 | |
| wolfSSL | 3:6f956bdb3073 | 360 | /* digest2 = H(user) */ |
| wolfSSL | 3:6f956bdb3073 | 361 | if (!r) r = SrpHashInit(&hash, srp->type); |
| wolfSSL | 3:6f956bdb3073 | 362 | if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz); |
| wolfSSL | 3:6f956bdb3073 | 363 | if (!r) r = SrpHashFinal(&hash, digest2); |
| wolfSSL | 3:6f956bdb3073 | 364 | |
| wolfSSL | 3:6f956bdb3073 | 365 | /* client proof = H( H(N) ^ H(g) | H(user) | salt) */ |
| wolfSSL | 3:6f956bdb3073 | 366 | if (!r) r = SrpHashUpdate(&srp->client_proof, digest1, j); |
| wolfSSL | 3:6f956bdb3073 | 367 | if (!r) r = SrpHashUpdate(&srp->client_proof, digest2, j); |
| wolfSSL | 3:6f956bdb3073 | 368 | if (!r) r = SrpHashUpdate(&srp->client_proof, salt, saltSz); |
| wolfSSL | 3:6f956bdb3073 | 369 | |
| wolfSSL | 3:6f956bdb3073 | 370 | return r; |
| wolfSSL | 3:6f956bdb3073 | 371 | } |
| wolfSSL | 3:6f956bdb3073 | 372 | |
| wolfSSL | 3:6f956bdb3073 | 373 | int wc_SrpSetPassword(Srp* srp, const byte* password, word32 size) |
| wolfSSL | 3:6f956bdb3073 | 374 | { |
| wolfSSL | 3:6f956bdb3073 | 375 | SrpHash hash; |
| wolfSSL | 3:6f956bdb3073 | 376 | byte digest[SRP_MAX_DIGEST_SIZE]; |
| wolfSSL | 3:6f956bdb3073 | 377 | word32 digestSz; |
| wolfSSL | 3:6f956bdb3073 | 378 | int r; |
| wolfSSL | 3:6f956bdb3073 | 379 | |
| wolfSSL | 3:6f956bdb3073 | 380 | if (!srp || !password || srp->side != SRP_CLIENT_SIDE) |
| wolfSSL | 3:6f956bdb3073 | 381 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 382 | |
| wolfSSL | 3:6f956bdb3073 | 383 | if (!srp->salt) |
| wolfSSL | 3:6f956bdb3073 | 384 | return SRP_CALL_ORDER_E; |
| wolfSSL | 3:6f956bdb3073 | 385 | |
| wolfSSL | 3:6f956bdb3073 | 386 | digestSz = SrpHashSize(srp->type); |
| wolfSSL | 3:6f956bdb3073 | 387 | |
| wolfSSL | 3:6f956bdb3073 | 388 | /* digest = H(username | ':' | password) */ |
| wolfSSL | 3:6f956bdb3073 | 389 | r = SrpHashInit(&hash, srp->type); |
| wolfSSL | 3:6f956bdb3073 | 390 | if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz); |
| wolfSSL | 3:6f956bdb3073 | 391 | if (!r) r = SrpHashUpdate(&hash, (const byte*) ":", 1); |
| wolfSSL | 3:6f956bdb3073 | 392 | if (!r) r = SrpHashUpdate(&hash, password, size); |
| wolfSSL | 3:6f956bdb3073 | 393 | if (!r) r = SrpHashFinal(&hash, digest); |
| wolfSSL | 3:6f956bdb3073 | 394 | |
| wolfSSL | 3:6f956bdb3073 | 395 | /* digest = H(salt | H(username | ':' | password)) */ |
| wolfSSL | 3:6f956bdb3073 | 396 | if (!r) r = SrpHashInit(&hash, srp->type); |
| wolfSSL | 3:6f956bdb3073 | 397 | if (!r) r = SrpHashUpdate(&hash, srp->salt, srp->saltSz); |
| wolfSSL | 3:6f956bdb3073 | 398 | if (!r) r = SrpHashUpdate(&hash, digest, digestSz); |
| wolfSSL | 3:6f956bdb3073 | 399 | if (!r) r = SrpHashFinal(&hash, digest); |
| wolfSSL | 3:6f956bdb3073 | 400 | |
| wolfSSL | 3:6f956bdb3073 | 401 | /* Set x (private key) */ |
| wolfSSL | 3:6f956bdb3073 | 402 | if (!r) r = mp_read_unsigned_bin(&srp->auth, digest, digestSz); |
| wolfSSL | 3:6f956bdb3073 | 403 | |
| wolfSSL | 3:6f956bdb3073 | 404 | ForceZero(digest, SRP_MAX_DIGEST_SIZE); |
| wolfSSL | 3:6f956bdb3073 | 405 | |
| wolfSSL | 3:6f956bdb3073 | 406 | return r; |
| wolfSSL | 3:6f956bdb3073 | 407 | } |
| wolfSSL | 3:6f956bdb3073 | 408 | |
| wolfSSL | 3:6f956bdb3073 | 409 | int wc_SrpGetVerifier(Srp* srp, byte* verifier, word32* size) |
| wolfSSL | 3:6f956bdb3073 | 410 | { |
| wolfSSL | 3:6f956bdb3073 | 411 | mp_int v; |
| wolfSSL | 3:6f956bdb3073 | 412 | int r; |
| wolfSSL | 3:6f956bdb3073 | 413 | |
| wolfSSL | 3:6f956bdb3073 | 414 | if (!srp || !verifier || !size || srp->side != SRP_CLIENT_SIDE) |
| wolfSSL | 3:6f956bdb3073 | 415 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 416 | |
| wolfSSL | 3:6f956bdb3073 | 417 | if (mp_iszero(&srp->auth)) |
| wolfSSL | 3:6f956bdb3073 | 418 | return SRP_CALL_ORDER_E; |
| wolfSSL | 3:6f956bdb3073 | 419 | |
| wolfSSL | 3:6f956bdb3073 | 420 | r = mp_init(&v); |
| wolfSSL | 3:6f956bdb3073 | 421 | if (r != MP_OKAY) |
| wolfSSL | 3:6f956bdb3073 | 422 | return MP_INIT_E; |
| wolfSSL | 3:6f956bdb3073 | 423 | |
| wolfSSL | 3:6f956bdb3073 | 424 | /* v = g ^ x % N */ |
| wolfSSL | 3:6f956bdb3073 | 425 | if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &v); |
| wolfSSL | 3:6f956bdb3073 | 426 | if (!r) r = *size < (word32)mp_unsigned_bin_size(&v) ? BUFFER_E : MP_OKAY; |
| wolfSSL | 3:6f956bdb3073 | 427 | if (!r) r = mp_to_unsigned_bin(&v, verifier); |
| wolfSSL | 3:6f956bdb3073 | 428 | if (!r) *size = mp_unsigned_bin_size(&v); |
| wolfSSL | 3:6f956bdb3073 | 429 | |
| wolfSSL | 3:6f956bdb3073 | 430 | mp_clear(&v); |
| wolfSSL | 3:6f956bdb3073 | 431 | |
| wolfSSL | 3:6f956bdb3073 | 432 | return r; |
| wolfSSL | 3:6f956bdb3073 | 433 | } |
| wolfSSL | 3:6f956bdb3073 | 434 | |
| wolfSSL | 3:6f956bdb3073 | 435 | int wc_SrpSetVerifier(Srp* srp, const byte* verifier, word32 size) |
| wolfSSL | 3:6f956bdb3073 | 436 | { |
| wolfSSL | 3:6f956bdb3073 | 437 | if (!srp || !verifier || srp->side != SRP_SERVER_SIDE) |
| wolfSSL | 3:6f956bdb3073 | 438 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 439 | |
| wolfSSL | 3:6f956bdb3073 | 440 | return mp_read_unsigned_bin(&srp->auth, verifier, size); |
| wolfSSL | 3:6f956bdb3073 | 441 | } |
| wolfSSL | 3:6f956bdb3073 | 442 | |
| wolfSSL | 3:6f956bdb3073 | 443 | int wc_SrpSetPrivate(Srp* srp, const byte* private, word32 size) |
| wolfSSL | 3:6f956bdb3073 | 444 | { |
| wolfSSL | 3:6f956bdb3073 | 445 | mp_int p; |
| wolfSSL | 3:6f956bdb3073 | 446 | int r; |
| wolfSSL | 3:6f956bdb3073 | 447 | |
| wolfSSL | 3:6f956bdb3073 | 448 | if (!srp || !private || !size) |
| wolfSSL | 3:6f956bdb3073 | 449 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 450 | |
| wolfSSL | 3:6f956bdb3073 | 451 | if (mp_iszero(&srp->auth)) |
| wolfSSL | 3:6f956bdb3073 | 452 | return SRP_CALL_ORDER_E; |
| wolfSSL | 3:6f956bdb3073 | 453 | |
| wolfSSL | 3:6f956bdb3073 | 454 | r = mp_init(&p); |
| wolfSSL | 3:6f956bdb3073 | 455 | if (r != MP_OKAY) |
| wolfSSL | 3:6f956bdb3073 | 456 | return MP_INIT_E; |
| wolfSSL | 3:6f956bdb3073 | 457 | if (!r) r = mp_read_unsigned_bin(&p, private, size); |
| wolfSSL | 3:6f956bdb3073 | 458 | if (!r) r = mp_mod(&p, &srp->N, &srp->priv); |
| wolfSSL | 3:6f956bdb3073 | 459 | if (!r) r = mp_iszero(&srp->priv) ? SRP_BAD_KEY_E : 0; |
| wolfSSL | 3:6f956bdb3073 | 460 | |
| wolfSSL | 3:6f956bdb3073 | 461 | mp_clear(&p); |
| wolfSSL | 3:6f956bdb3073 | 462 | |
| wolfSSL | 3:6f956bdb3073 | 463 | return r; |
| wolfSSL | 3:6f956bdb3073 | 464 | } |
| wolfSSL | 3:6f956bdb3073 | 465 | |
| wolfSSL | 3:6f956bdb3073 | 466 | /** Generates random data using wolfcrypt RNG. */ |
| wolfSSL | 3:6f956bdb3073 | 467 | static int wc_SrpGenPrivate(Srp* srp, byte* priv, word32 size) |
| wolfSSL | 3:6f956bdb3073 | 468 | { |
| wolfSSL | 3:6f956bdb3073 | 469 | WC_RNG rng; |
| wolfSSL | 3:6f956bdb3073 | 470 | int r = wc_InitRng(&rng); |
| wolfSSL | 3:6f956bdb3073 | 471 | |
| wolfSSL | 3:6f956bdb3073 | 472 | if (!r) r = wc_RNG_GenerateBlock(&rng, priv, size); |
| wolfSSL | 3:6f956bdb3073 | 473 | if (!r) r = wc_SrpSetPrivate(srp, priv, size); |
| wolfSSL | 3:6f956bdb3073 | 474 | if (!r) wc_FreeRng(&rng); |
| wolfSSL | 3:6f956bdb3073 | 475 | |
| wolfSSL | 3:6f956bdb3073 | 476 | return r; |
| wolfSSL | 3:6f956bdb3073 | 477 | } |
| wolfSSL | 3:6f956bdb3073 | 478 | |
| wolfSSL | 3:6f956bdb3073 | 479 | int wc_SrpGetPublic(Srp* srp, byte* pub, word32* size) |
| wolfSSL | 3:6f956bdb3073 | 480 | { |
| wolfSSL | 3:6f956bdb3073 | 481 | mp_int pubkey; |
| wolfSSL | 3:6f956bdb3073 | 482 | word32 modulusSz; |
| wolfSSL | 3:6f956bdb3073 | 483 | int r; |
| wolfSSL | 3:6f956bdb3073 | 484 | |
| wolfSSL | 3:6f956bdb3073 | 485 | if (!srp || !pub || !size) |
| wolfSSL | 3:6f956bdb3073 | 486 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 487 | |
| wolfSSL | 3:6f956bdb3073 | 488 | if (mp_iszero(&srp->auth)) |
| wolfSSL | 3:6f956bdb3073 | 489 | return SRP_CALL_ORDER_E; |
| wolfSSL | 3:6f956bdb3073 | 490 | |
| wolfSSL | 3:6f956bdb3073 | 491 | modulusSz = mp_unsigned_bin_size(&srp->N); |
| wolfSSL | 3:6f956bdb3073 | 492 | if (*size < modulusSz) |
| wolfSSL | 3:6f956bdb3073 | 493 | return BUFFER_E; |
| wolfSSL | 3:6f956bdb3073 | 494 | |
| wolfSSL | 3:6f956bdb3073 | 495 | r = mp_init(&pubkey); |
| wolfSSL | 3:6f956bdb3073 | 496 | if (r != MP_OKAY) |
| wolfSSL | 3:6f956bdb3073 | 497 | return MP_INIT_E; |
| wolfSSL | 3:6f956bdb3073 | 498 | |
| wolfSSL | 3:6f956bdb3073 | 499 | /* priv = random() */ |
| wolfSSL | 3:6f956bdb3073 | 500 | if (mp_iszero(&srp->priv)) |
| wolfSSL | 3:6f956bdb3073 | 501 | r = wc_SrpGenPrivate(srp, pub, modulusSz); |
| wolfSSL | 3:6f956bdb3073 | 502 | |
| wolfSSL | 3:6f956bdb3073 | 503 | /* client side: A = g ^ a % N */ |
| wolfSSL | 3:6f956bdb3073 | 504 | if (srp->side == SRP_CLIENT_SIDE) { |
| wolfSSL | 3:6f956bdb3073 | 505 | if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, &pubkey); |
| wolfSSL | 3:6f956bdb3073 | 506 | |
| wolfSSL | 3:6f956bdb3073 | 507 | /* server side: B = (k * v + (g ^ b % N)) % N */ |
| wolfSSL | 3:6f956bdb3073 | 508 | } else { |
| wolfSSL | 3:6f956bdb3073 | 509 | mp_int i, j; |
| wolfSSL | 3:6f956bdb3073 | 510 | |
| wolfSSL | 3:6f956bdb3073 | 511 | if (mp_init_multi(&i, &j, 0, 0, 0, 0) == MP_OKAY) { |
| wolfSSL | 3:6f956bdb3073 | 512 | if (!r) r = mp_read_unsigned_bin(&i, srp->k,SrpHashSize(srp->type)); |
| wolfSSL | 3:6f956bdb3073 | 513 | if (!r) r = mp_iszero(&i) ? SRP_BAD_KEY_E : 0; |
| wolfSSL | 3:6f956bdb3073 | 514 | if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, &pubkey); |
| wolfSSL | 3:6f956bdb3073 | 515 | if (!r) r = mp_mulmod(&i, &srp->auth, &srp->N, &j); |
| wolfSSL | 3:6f956bdb3073 | 516 | if (!r) r = mp_add(&j, &pubkey, &i); |
| wolfSSL | 3:6f956bdb3073 | 517 | if (!r) r = mp_mod(&i, &srp->N, &pubkey); |
| wolfSSL | 3:6f956bdb3073 | 518 | |
| wolfSSL | 3:6f956bdb3073 | 519 | mp_clear(&i); mp_clear(&j); |
| wolfSSL | 3:6f956bdb3073 | 520 | } |
| wolfSSL | 3:6f956bdb3073 | 521 | } |
| wolfSSL | 3:6f956bdb3073 | 522 | |
| wolfSSL | 3:6f956bdb3073 | 523 | /* extract public key to buffer */ |
| wolfSSL | 3:6f956bdb3073 | 524 | XMEMSET(pub, 0, modulusSz); |
| wolfSSL | 3:6f956bdb3073 | 525 | if (!r) r = mp_to_unsigned_bin(&pubkey, pub); |
| wolfSSL | 3:6f956bdb3073 | 526 | if (!r) *size = mp_unsigned_bin_size(&pubkey); |
| wolfSSL | 3:6f956bdb3073 | 527 | mp_clear(&pubkey); |
| wolfSSL | 3:6f956bdb3073 | 528 | |
| wolfSSL | 3:6f956bdb3073 | 529 | return r; |
| wolfSSL | 3:6f956bdb3073 | 530 | } |
| wolfSSL | 3:6f956bdb3073 | 531 | |
| wolfSSL | 3:6f956bdb3073 | 532 | static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size) |
| wolfSSL | 3:6f956bdb3073 | 533 | { |
| wolfSSL | 3:6f956bdb3073 | 534 | SrpHash hash; |
| wolfSSL | 3:6f956bdb3073 | 535 | byte digest[SRP_MAX_DIGEST_SIZE]; |
| wolfSSL | 3:6f956bdb3073 | 536 | word32 i, j, digestSz = SrpHashSize(srp->type); |
| wolfSSL | 3:6f956bdb3073 | 537 | byte counter[4]; |
| wolfSSL | 3:6f956bdb3073 | 538 | int r = BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 539 | |
| wolfSSL | 3:6f956bdb3073 | 540 | srp->key = (byte*)XMALLOC(2 * digestSz, NULL, DYNAMIC_TYPE_SRP); |
| wolfSSL | 3:6f956bdb3073 | 541 | if (srp->key == NULL) |
| wolfSSL | 3:6f956bdb3073 | 542 | return MEMORY_E; |
| wolfSSL | 3:6f956bdb3073 | 543 | |
| wolfSSL | 3:6f956bdb3073 | 544 | srp->keySz = 2 * digestSz; |
| wolfSSL | 3:6f956bdb3073 | 545 | |
| wolfSSL | 3:6f956bdb3073 | 546 | for (i = j = 0; j < srp->keySz; i++) { |
| wolfSSL | 3:6f956bdb3073 | 547 | counter[0] = (i >> 24) & 0xFF; |
| wolfSSL | 3:6f956bdb3073 | 548 | counter[1] = (i >> 16) & 0xFF; |
| wolfSSL | 3:6f956bdb3073 | 549 | counter[2] = (i >> 8) & 0xFF; |
| wolfSSL | 3:6f956bdb3073 | 550 | counter[3] = i & 0xFF; |
| wolfSSL | 3:6f956bdb3073 | 551 | |
| wolfSSL | 3:6f956bdb3073 | 552 | r = SrpHashInit(&hash, srp->type); |
| wolfSSL | 3:6f956bdb3073 | 553 | if (!r) r = SrpHashUpdate(&hash, secret, size); |
| wolfSSL | 3:6f956bdb3073 | 554 | if (!r) r = SrpHashUpdate(&hash, counter, 4); |
| wolfSSL | 3:6f956bdb3073 | 555 | |
| wolfSSL | 3:6f956bdb3073 | 556 | if(j + digestSz > srp->keySz) { |
| wolfSSL | 3:6f956bdb3073 | 557 | if (!r) r = SrpHashFinal(&hash, digest); |
| wolfSSL | 3:6f956bdb3073 | 558 | XMEMCPY(srp->key + j, digest, srp->keySz - j); |
| wolfSSL | 3:6f956bdb3073 | 559 | j = srp->keySz; |
| wolfSSL | 3:6f956bdb3073 | 560 | } |
| wolfSSL | 3:6f956bdb3073 | 561 | else { |
| wolfSSL | 3:6f956bdb3073 | 562 | if (!r) r = SrpHashFinal(&hash, srp->key + j); |
| wolfSSL | 3:6f956bdb3073 | 563 | j += digestSz; |
| wolfSSL | 3:6f956bdb3073 | 564 | } |
| wolfSSL | 3:6f956bdb3073 | 565 | } |
| wolfSSL | 3:6f956bdb3073 | 566 | |
| wolfSSL | 3:6f956bdb3073 | 567 | ForceZero(digest, sizeof(digest)); |
| wolfSSL | 3:6f956bdb3073 | 568 | ForceZero(&hash, sizeof(SrpHash)); |
| wolfSSL | 3:6f956bdb3073 | 569 | |
| wolfSSL | 3:6f956bdb3073 | 570 | return r; |
| wolfSSL | 3:6f956bdb3073 | 571 | } |
| wolfSSL | 3:6f956bdb3073 | 572 | |
| wolfSSL | 3:6f956bdb3073 | 573 | int wc_SrpComputeKey(Srp* srp, byte* clientPubKey, word32 clientPubKeySz, |
| wolfSSL | 3:6f956bdb3073 | 574 | byte* serverPubKey, word32 serverPubKeySz) |
| wolfSSL | 3:6f956bdb3073 | 575 | { |
| wolfSSL | 3:6f956bdb3073 | 576 | SrpHash hash; |
| wolfSSL | 3:6f956bdb3073 | 577 | byte *secret; |
| wolfSSL | 3:6f956bdb3073 | 578 | byte digest[SRP_MAX_DIGEST_SIZE]; |
| wolfSSL | 3:6f956bdb3073 | 579 | word32 i, secretSz, digestSz; |
| wolfSSL | 3:6f956bdb3073 | 580 | mp_int u, s, temp1, temp2; |
| wolfSSL | 3:6f956bdb3073 | 581 | byte pad = 0; |
| wolfSSL | 3:6f956bdb3073 | 582 | int r; |
| wolfSSL | 3:6f956bdb3073 | 583 | |
| wolfSSL | 3:6f956bdb3073 | 584 | /* validating params */ |
| wolfSSL | 3:6f956bdb3073 | 585 | |
| wolfSSL | 3:6f956bdb3073 | 586 | if (!srp || !clientPubKey || clientPubKeySz == 0 |
| wolfSSL | 3:6f956bdb3073 | 587 | || !serverPubKey || serverPubKeySz == 0) |
| wolfSSL | 3:6f956bdb3073 | 588 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 589 | |
| wolfSSL | 3:6f956bdb3073 | 590 | if (mp_iszero(&srp->priv)) |
| wolfSSL | 3:6f956bdb3073 | 591 | return SRP_CALL_ORDER_E; |
| wolfSSL | 3:6f956bdb3073 | 592 | |
| wolfSSL | 3:6f956bdb3073 | 593 | /* initializing variables */ |
| wolfSSL | 3:6f956bdb3073 | 594 | |
| wolfSSL | 3:6f956bdb3073 | 595 | if ((r = SrpHashInit(&hash, srp->type)) != 0) |
| wolfSSL | 3:6f956bdb3073 | 596 | return r; |
| wolfSSL | 3:6f956bdb3073 | 597 | |
| wolfSSL | 3:6f956bdb3073 | 598 | digestSz = SrpHashSize(srp->type); |
| wolfSSL | 3:6f956bdb3073 | 599 | secretSz = mp_unsigned_bin_size(&srp->N); |
| wolfSSL | 3:6f956bdb3073 | 600 | |
| wolfSSL | 3:6f956bdb3073 | 601 | if ((secret = (byte*)XMALLOC(secretSz, NULL, DYNAMIC_TYPE_SRP)) == NULL) |
| wolfSSL | 3:6f956bdb3073 | 602 | return MEMORY_E; |
| wolfSSL | 3:6f956bdb3073 | 603 | |
| wolfSSL | 3:6f956bdb3073 | 604 | if ((r = mp_init_multi(&u, &s, &temp1, &temp2, 0, 0)) != MP_OKAY) { |
| wolfSSL | 3:6f956bdb3073 | 605 | XFREE(secret, NULL, DYNAMIC_TYPE_SRP); |
| wolfSSL | 3:6f956bdb3073 | 606 | return r; |
| wolfSSL | 3:6f956bdb3073 | 607 | } |
| wolfSSL | 3:6f956bdb3073 | 608 | |
| wolfSSL | 3:6f956bdb3073 | 609 | /* building u (random scrambling parameter) */ |
| wolfSSL | 3:6f956bdb3073 | 610 | |
| wolfSSL | 3:6f956bdb3073 | 611 | /* H(A) */ |
| wolfSSL | 3:6f956bdb3073 | 612 | for (i = 0; !r && i < secretSz - clientPubKeySz; i++) |
| wolfSSL | 3:6f956bdb3073 | 613 | r = SrpHashUpdate(&hash, &pad, 1); |
| wolfSSL | 3:6f956bdb3073 | 614 | if (!r) r = SrpHashUpdate(&hash, clientPubKey, clientPubKeySz); |
| wolfSSL | 3:6f956bdb3073 | 615 | |
| wolfSSL | 3:6f956bdb3073 | 616 | /* H(A | B) */ |
| wolfSSL | 3:6f956bdb3073 | 617 | for (i = 0; !r && i < secretSz - serverPubKeySz; i++) |
| wolfSSL | 3:6f956bdb3073 | 618 | r = SrpHashUpdate(&hash, &pad, 1); |
| wolfSSL | 3:6f956bdb3073 | 619 | if (!r) r = SrpHashUpdate(&hash, serverPubKey, serverPubKeySz); |
| wolfSSL | 3:6f956bdb3073 | 620 | |
| wolfSSL | 3:6f956bdb3073 | 621 | /* set u */ |
| wolfSSL | 3:6f956bdb3073 | 622 | if (!r) r = SrpHashFinal(&hash, digest); |
| wolfSSL | 3:6f956bdb3073 | 623 | if (!r) r = mp_read_unsigned_bin(&u, digest, SrpHashSize(srp->type)); |
| wolfSSL | 3:6f956bdb3073 | 624 | |
| wolfSSL | 3:6f956bdb3073 | 625 | /* building s (secret) */ |
| wolfSSL | 3:6f956bdb3073 | 626 | |
| wolfSSL | 3:6f956bdb3073 | 627 | if (!r && srp->side == SRP_CLIENT_SIDE) { |
| wolfSSL | 3:6f956bdb3073 | 628 | |
| wolfSSL | 3:6f956bdb3073 | 629 | /* temp1 = B - k * v; rejects k == 0, B == 0 and B >= N. */ |
| wolfSSL | 3:6f956bdb3073 | 630 | r = mp_read_unsigned_bin(&temp1, srp->k, digestSz); |
| wolfSSL | 3:6f956bdb3073 | 631 | if (!r) r = mp_iszero(&temp1) ? SRP_BAD_KEY_E : 0; |
| wolfSSL | 3:6f956bdb3073 | 632 | if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &temp2); |
| wolfSSL | 3:6f956bdb3073 | 633 | if (!r) r = mp_mulmod(&temp1, &temp2, &srp->N, &s); |
| wolfSSL | 3:6f956bdb3073 | 634 | if (!r) r = mp_read_unsigned_bin(&temp2, serverPubKey, serverPubKeySz); |
| wolfSSL | 3:6f956bdb3073 | 635 | if (!r) r = mp_iszero(&temp2) ? SRP_BAD_KEY_E : 0; |
| wolfSSL | 3:6f956bdb3073 | 636 | if (!r) r = mp_cmp(&temp2, &srp->N) != MP_LT ? SRP_BAD_KEY_E : 0; |
| wolfSSL | 3:6f956bdb3073 | 637 | if (!r) r = mp_sub(&temp2, &s, &temp1); |
| wolfSSL | 3:6f956bdb3073 | 638 | |
| wolfSSL | 3:6f956bdb3073 | 639 | /* temp2 = a + u * x */ |
| wolfSSL | 3:6f956bdb3073 | 640 | if (!r) r = mp_mulmod(&u, &srp->auth, &srp->N, &s); |
| wolfSSL | 3:6f956bdb3073 | 641 | if (!r) r = mp_add(&srp->priv, &s, &temp2); |
| wolfSSL | 3:6f956bdb3073 | 642 | |
| wolfSSL | 3:6f956bdb3073 | 643 | /* secret = temp1 ^ temp2 % N */ |
| wolfSSL | 3:6f956bdb3073 | 644 | if (!r) r = mp_exptmod(&temp1, &temp2, &srp->N, &s); |
| wolfSSL | 3:6f956bdb3073 | 645 | |
| wolfSSL | 3:6f956bdb3073 | 646 | } else if (!r && srp->side == SRP_SERVER_SIDE) { |
| wolfSSL | 3:6f956bdb3073 | 647 | /* temp1 = v ^ u % N */ |
| wolfSSL | 3:6f956bdb3073 | 648 | r = mp_exptmod(&srp->auth, &u, &srp->N, &temp1); |
| wolfSSL | 3:6f956bdb3073 | 649 | |
| wolfSSL | 3:6f956bdb3073 | 650 | /* temp2 = A * temp1 % N; rejects A == 0, A >= N */ |
| wolfSSL | 3:6f956bdb3073 | 651 | if (!r) r = mp_read_unsigned_bin(&s, clientPubKey, clientPubKeySz); |
| wolfSSL | 3:6f956bdb3073 | 652 | if (!r) r = mp_iszero(&s) ? SRP_BAD_KEY_E : 0; |
| wolfSSL | 3:6f956bdb3073 | 653 | if (!r) r = mp_cmp(&s, &srp->N) != MP_LT ? SRP_BAD_KEY_E : 0; |
| wolfSSL | 3:6f956bdb3073 | 654 | if (!r) r = mp_mulmod(&s, &temp1, &srp->N, &temp2); |
| wolfSSL | 3:6f956bdb3073 | 655 | |
| wolfSSL | 3:6f956bdb3073 | 656 | /* rejects A * v ^ u % N >= 1, A * v ^ u % N == -1 % N */ |
| wolfSSL | 3:6f956bdb3073 | 657 | if (!r) r = mp_read_unsigned_bin(&temp1, (const byte*)"\001", 1); |
| wolfSSL | 3:6f956bdb3073 | 658 | if (!r) r = mp_cmp(&temp2, &temp1) != MP_GT ? SRP_BAD_KEY_E : 0; |
| wolfSSL | 3:6f956bdb3073 | 659 | if (!r) r = mp_sub(&srp->N, &temp1, &s); |
| wolfSSL | 3:6f956bdb3073 | 660 | if (!r) r = mp_cmp(&temp2, &s) == MP_EQ ? SRP_BAD_KEY_E : 0; |
| wolfSSL | 3:6f956bdb3073 | 661 | |
| wolfSSL | 3:6f956bdb3073 | 662 | /* secret = temp2 * b % N */ |
| wolfSSL | 3:6f956bdb3073 | 663 | if (!r) r = mp_exptmod(&temp2, &srp->priv, &srp->N, &s); |
| wolfSSL | 3:6f956bdb3073 | 664 | } |
| wolfSSL | 3:6f956bdb3073 | 665 | |
| wolfSSL | 3:6f956bdb3073 | 666 | /* building session key from secret */ |
| wolfSSL | 3:6f956bdb3073 | 667 | |
| wolfSSL | 3:6f956bdb3073 | 668 | if (!r) r = mp_to_unsigned_bin(&s, secret); |
| wolfSSL | 3:6f956bdb3073 | 669 | if (!r) r = srp->keyGenFunc_cb(srp, secret, mp_unsigned_bin_size(&s)); |
| wolfSSL | 3:6f956bdb3073 | 670 | |
| wolfSSL | 3:6f956bdb3073 | 671 | /* updating client proof = H( H(N) ^ H(g) | H(user) | salt | A | B | K) */ |
| wolfSSL | 3:6f956bdb3073 | 672 | |
| wolfSSL | 3:6f956bdb3073 | 673 | if (!r) r = SrpHashUpdate(&srp->client_proof, clientPubKey, clientPubKeySz); |
| wolfSSL | 3:6f956bdb3073 | 674 | if (!r) r = SrpHashUpdate(&srp->client_proof, serverPubKey, serverPubKeySz); |
| wolfSSL | 3:6f956bdb3073 | 675 | if (!r) r = SrpHashUpdate(&srp->client_proof, srp->key, srp->keySz); |
| wolfSSL | 3:6f956bdb3073 | 676 | |
| wolfSSL | 3:6f956bdb3073 | 677 | /* updating server proof = H(A) */ |
| wolfSSL | 3:6f956bdb3073 | 678 | |
| wolfSSL | 3:6f956bdb3073 | 679 | if (!r) r = SrpHashUpdate(&srp->server_proof, clientPubKey, clientPubKeySz); |
| wolfSSL | 3:6f956bdb3073 | 680 | |
| wolfSSL | 3:6f956bdb3073 | 681 | XFREE(secret, NULL, DYNAMIC_TYPE_SRP); |
| wolfSSL | 3:6f956bdb3073 | 682 | mp_clear(&u); mp_clear(&s); mp_clear(&temp1); mp_clear(&temp2); |
| wolfSSL | 3:6f956bdb3073 | 683 | |
| wolfSSL | 3:6f956bdb3073 | 684 | return r; |
| wolfSSL | 3:6f956bdb3073 | 685 | } |
| wolfSSL | 3:6f956bdb3073 | 686 | |
| wolfSSL | 3:6f956bdb3073 | 687 | int wc_SrpGetProof(Srp* srp, byte* proof, word32* size) |
| wolfSSL | 3:6f956bdb3073 | 688 | { |
| wolfSSL | 3:6f956bdb3073 | 689 | int r; |
| wolfSSL | 3:6f956bdb3073 | 690 | |
| wolfSSL | 3:6f956bdb3073 | 691 | if (!srp || !proof || !size) |
| wolfSSL | 3:6f956bdb3073 | 692 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 693 | |
| wolfSSL | 3:6f956bdb3073 | 694 | if (*size < SrpHashSize(srp->type)) |
| wolfSSL | 3:6f956bdb3073 | 695 | return BUFFER_E; |
| wolfSSL | 3:6f956bdb3073 | 696 | |
| wolfSSL | 3:6f956bdb3073 | 697 | if ((r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE |
| wolfSSL | 3:6f956bdb3073 | 698 | ? &srp->client_proof |
| wolfSSL | 3:6f956bdb3073 | 699 | : &srp->server_proof, proof)) != 0) |
| wolfSSL | 3:6f956bdb3073 | 700 | return r; |
| wolfSSL | 3:6f956bdb3073 | 701 | |
| wolfSSL | 3:6f956bdb3073 | 702 | *size = SrpHashSize(srp->type); |
| wolfSSL | 3:6f956bdb3073 | 703 | |
| wolfSSL | 3:6f956bdb3073 | 704 | if (srp->side == SRP_CLIENT_SIDE) { |
| wolfSSL | 3:6f956bdb3073 | 705 | /* server proof = H( A | client proof | K) */ |
| wolfSSL | 3:6f956bdb3073 | 706 | if (!r) r = SrpHashUpdate(&srp->server_proof, proof, *size); |
| wolfSSL | 3:6f956bdb3073 | 707 | if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz); |
| wolfSSL | 3:6f956bdb3073 | 708 | } |
| wolfSSL | 3:6f956bdb3073 | 709 | |
| wolfSSL | 3:6f956bdb3073 | 710 | return r; |
| wolfSSL | 3:6f956bdb3073 | 711 | } |
| wolfSSL | 3:6f956bdb3073 | 712 | |
| wolfSSL | 3:6f956bdb3073 | 713 | int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size) |
| wolfSSL | 3:6f956bdb3073 | 714 | { |
| wolfSSL | 3:6f956bdb3073 | 715 | byte digest[SRP_MAX_DIGEST_SIZE]; |
| wolfSSL | 3:6f956bdb3073 | 716 | int r; |
| wolfSSL | 3:6f956bdb3073 | 717 | |
| wolfSSL | 3:6f956bdb3073 | 718 | if (!srp || !proof) |
| wolfSSL | 3:6f956bdb3073 | 719 | return BAD_FUNC_ARG; |
| wolfSSL | 3:6f956bdb3073 | 720 | |
| wolfSSL | 3:6f956bdb3073 | 721 | if (size != SrpHashSize(srp->type)) |
| wolfSSL | 3:6f956bdb3073 | 722 | return BUFFER_E; |
| wolfSSL | 3:6f956bdb3073 | 723 | |
| wolfSSL | 3:6f956bdb3073 | 724 | r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE ? &srp->server_proof |
| wolfSSL | 3:6f956bdb3073 | 725 | : &srp->client_proof, digest); |
| wolfSSL | 3:6f956bdb3073 | 726 | |
| wolfSSL | 3:6f956bdb3073 | 727 | if (srp->side == SRP_SERVER_SIDE) { |
| wolfSSL | 3:6f956bdb3073 | 728 | /* server proof = H( A | client proof | K) */ |
| wolfSSL | 3:6f956bdb3073 | 729 | if (!r) r = SrpHashUpdate(&srp->server_proof, proof, size); |
| wolfSSL | 3:6f956bdb3073 | 730 | if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz); |
| wolfSSL | 3:6f956bdb3073 | 731 | } |
| wolfSSL | 3:6f956bdb3073 | 732 | |
| wolfSSL | 3:6f956bdb3073 | 733 | if (!r && XMEMCMP(proof, digest, size) != 0) |
| wolfSSL | 3:6f956bdb3073 | 734 | r = SRP_VERIFY_E; |
| wolfSSL | 3:6f956bdb3073 | 735 | |
| wolfSSL | 3:6f956bdb3073 | 736 | return r; |
| wolfSSL | 3:6f956bdb3073 | 737 | } |
| wolfSSL | 3:6f956bdb3073 | 738 | |
| wolfSSL | 3:6f956bdb3073 | 739 | #endif /* WOLFCRYPT_HAVE_SRP */ |
| wolfSSL | 3:6f956bdb3073 | 740 |