wolfSSL-TLS13-Beta - wolfSSL 3.11.1 for TLS1.3 beta

Users » wolfSSL » Code » wolfSSL-TLS13-Beta

wolfSSL 3.11.1 for TLS1.3 beta

wolfcrypt/src/srp.c@13:80fb167dafdf, 2017-05-30 (annotated)

Committer:: wolfSSL
Date:: Tue May 30 06:16:19 2017 +0000
Revision:: 13:80fb167dafdf
Parent:: 11:cee25a834751

wolfSSL 3.11.1: TLS1.3 Beta

Who changed what in which revision?

User	Revision	Line number	New contents of line
wolfSSL	11:cee25a834751	1	/* srp.c
wolfSSL	11:cee25a834751	2	*
wolfSSL	11:cee25a834751	3	* Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL	11:cee25a834751	4	*
wolfSSL	11:cee25a834751	5	* This file is part of wolfSSL.
wolfSSL	11:cee25a834751	6	*
wolfSSL	11:cee25a834751	7	* wolfSSL is free software; you can redistribute it and/or modify
wolfSSL	11:cee25a834751	8	* it under the terms of the GNU General Public License as published by
wolfSSL	11:cee25a834751	9	* the Free Software Foundation; either version 2 of the License, or
wolfSSL	11:cee25a834751	10	* (at your option) any later version.
wolfSSL	11:cee25a834751	11	*
wolfSSL	11:cee25a834751	12	* wolfSSL is distributed in the hope that it will be useful,
wolfSSL	11:cee25a834751	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL	11:cee25a834751	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL	11:cee25a834751	15	* GNU General Public License for more details.
wolfSSL	11:cee25a834751	16	*
wolfSSL	11:cee25a834751	17	* You should have received a copy of the GNU General Public License
wolfSSL	11:cee25a834751	18	* along with this program; if not, write to the Free Software
wolfSSL	11:cee25a834751	19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL	11:cee25a834751	20	*/
wolfSSL	11:cee25a834751	21
wolfSSL	11:cee25a834751	22
wolfSSL	11:cee25a834751	23	#ifdef HAVE_CONFIG_H
wolfSSL	11:cee25a834751	24	#include <config.h>
wolfSSL	11:cee25a834751	25	#endif
wolfSSL	11:cee25a834751	26
wolfSSL	11:cee25a834751	27	#include <wolfssl/wolfcrypt/settings.h>
wolfSSL	11:cee25a834751	28
wolfSSL	11:cee25a834751	29	#ifdef WOLFCRYPT_HAVE_SRP
wolfSSL	11:cee25a834751	30
wolfSSL	11:cee25a834751	31	#include <wolfssl/wolfcrypt/srp.h>
wolfSSL	11:cee25a834751	32	#include <wolfssl/wolfcrypt/random.h>
wolfSSL	11:cee25a834751	33	#include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL	11:cee25a834751	34
wolfSSL	11:cee25a834751	35	#ifdef NO_INLINE
wolfSSL	11:cee25a834751	36	#include <wolfssl/wolfcrypt/misc.h>
wolfSSL	11:cee25a834751	37	#else
wolfSSL	11:cee25a834751	38	#define WOLFSSL_MISC_INCLUDED
wolfSSL	11:cee25a834751	39	#include <wolfcrypt/src/misc.c>
wolfSSL	11:cee25a834751	40	#endif
wolfSSL	11:cee25a834751	41
wolfSSL	11:cee25a834751	42	/** Computes the session key using the Mask Generation Function 1. */
wolfSSL	11:cee25a834751	43	static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size);
wolfSSL	11:cee25a834751	44
wolfSSL	11:cee25a834751	45	static int SrpHashInit(SrpHash* hash, SrpType type)
wolfSSL	11:cee25a834751	46	{
wolfSSL	11:cee25a834751	47	hash->type = type;
wolfSSL	11:cee25a834751	48
wolfSSL	11:cee25a834751	49	switch (type) {
wolfSSL	11:cee25a834751	50	case SRP_TYPE_SHA:
wolfSSL	11:cee25a834751	51	#ifndef NO_SHA
wolfSSL	11:cee25a834751	52	return wc_InitSha(&hash->data.sha);
wolfSSL	11:cee25a834751	53	#else
wolfSSL	11:cee25a834751	54	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	55	#endif
wolfSSL	11:cee25a834751	56
wolfSSL	11:cee25a834751	57	case SRP_TYPE_SHA256:
wolfSSL	11:cee25a834751	58	#ifndef NO_SHA256
wolfSSL	11:cee25a834751	59	return wc_InitSha256(&hash->data.sha256);
wolfSSL	11:cee25a834751	60	#else
wolfSSL	11:cee25a834751	61	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	62	#endif
wolfSSL	11:cee25a834751	63
wolfSSL	11:cee25a834751	64	case SRP_TYPE_SHA384:
wolfSSL	11:cee25a834751	65	#ifdef WOLFSSL_SHA384
wolfSSL	11:cee25a834751	66	return wc_InitSha384(&hash->data.sha384);
wolfSSL	11:cee25a834751	67	#else
wolfSSL	11:cee25a834751	68	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	69	#endif
wolfSSL	11:cee25a834751	70
wolfSSL	11:cee25a834751	71	case SRP_TYPE_SHA512:
wolfSSL	11:cee25a834751	72	#ifdef WOLFSSL_SHA512
wolfSSL	11:cee25a834751	73	return wc_InitSha512(&hash->data.sha512);
wolfSSL	11:cee25a834751	74	#else
wolfSSL	11:cee25a834751	75	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	76	#endif
wolfSSL	11:cee25a834751	77
wolfSSL	11:cee25a834751	78	default:
wolfSSL	11:cee25a834751	79	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	80	}
wolfSSL	11:cee25a834751	81	}
wolfSSL	11:cee25a834751	82
wolfSSL	11:cee25a834751	83	static int SrpHashUpdate(SrpHash* hash, const byte* data, word32 size)
wolfSSL	11:cee25a834751	84	{
wolfSSL	11:cee25a834751	85	switch (hash->type) {
wolfSSL	11:cee25a834751	86	case SRP_TYPE_SHA:
wolfSSL	11:cee25a834751	87	#ifndef NO_SHA
wolfSSL	11:cee25a834751	88	return wc_ShaUpdate(&hash->data.sha, data, size);
wolfSSL	11:cee25a834751	89	#else
wolfSSL	11:cee25a834751	90	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	91	#endif
wolfSSL	11:cee25a834751	92
wolfSSL	11:cee25a834751	93	case SRP_TYPE_SHA256:
wolfSSL	11:cee25a834751	94	#ifndef NO_SHA256
wolfSSL	11:cee25a834751	95	return wc_Sha256Update(&hash->data.sha256, data, size);
wolfSSL	11:cee25a834751	96	#else
wolfSSL	11:cee25a834751	97	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	98	#endif
wolfSSL	11:cee25a834751	99
wolfSSL	11:cee25a834751	100	case SRP_TYPE_SHA384:
wolfSSL	11:cee25a834751	101	#ifdef WOLFSSL_SHA384
wolfSSL	11:cee25a834751	102	return wc_Sha384Update(&hash->data.sha384, data, size);
wolfSSL	11:cee25a834751	103	#else
wolfSSL	11:cee25a834751	104	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	105	#endif
wolfSSL	11:cee25a834751	106
wolfSSL	11:cee25a834751	107	case SRP_TYPE_SHA512:
wolfSSL	11:cee25a834751	108	#ifdef WOLFSSL_SHA512
wolfSSL	11:cee25a834751	109	return wc_Sha512Update(&hash->data.sha512, data, size);
wolfSSL	11:cee25a834751	110	#else
wolfSSL	11:cee25a834751	111	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	112	#endif
wolfSSL	11:cee25a834751	113
wolfSSL	11:cee25a834751	114	default:
wolfSSL	11:cee25a834751	115	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	116	}
wolfSSL	11:cee25a834751	117	}
wolfSSL	11:cee25a834751	118
wolfSSL	11:cee25a834751	119	static int SrpHashFinal(SrpHash* hash, byte* digest)
wolfSSL	11:cee25a834751	120	{
wolfSSL	11:cee25a834751	121	switch (hash->type) {
wolfSSL	11:cee25a834751	122	case SRP_TYPE_SHA:
wolfSSL	11:cee25a834751	123	#ifndef NO_SHA
wolfSSL	11:cee25a834751	124	return wc_ShaFinal(&hash->data.sha, digest);
wolfSSL	11:cee25a834751	125	#else
wolfSSL	11:cee25a834751	126	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	127	#endif
wolfSSL	11:cee25a834751	128
wolfSSL	11:cee25a834751	129	case SRP_TYPE_SHA256:
wolfSSL	11:cee25a834751	130	#ifndef NO_SHA256
wolfSSL	11:cee25a834751	131	return wc_Sha256Final(&hash->data.sha256, digest);
wolfSSL	11:cee25a834751	132	#else
wolfSSL	11:cee25a834751	133	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	134	#endif
wolfSSL	11:cee25a834751	135
wolfSSL	11:cee25a834751	136	case SRP_TYPE_SHA384:
wolfSSL	11:cee25a834751	137	#ifdef WOLFSSL_SHA384
wolfSSL	11:cee25a834751	138	return wc_Sha384Final(&hash->data.sha384, digest);
wolfSSL	11:cee25a834751	139	#else
wolfSSL	11:cee25a834751	140	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	141	#endif
wolfSSL	11:cee25a834751	142
wolfSSL	11:cee25a834751	143	case SRP_TYPE_SHA512:
wolfSSL	11:cee25a834751	144	#ifdef WOLFSSL_SHA512
wolfSSL	11:cee25a834751	145	return wc_Sha512Final(&hash->data.sha512, digest);
wolfSSL	11:cee25a834751	146	#else
wolfSSL	11:cee25a834751	147	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	148	#endif
wolfSSL	11:cee25a834751	149
wolfSSL	11:cee25a834751	150	default:
wolfSSL	11:cee25a834751	151	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	152	}
wolfSSL	11:cee25a834751	153	}
wolfSSL	11:cee25a834751	154
wolfSSL	11:cee25a834751	155	static word32 SrpHashSize(SrpType type)
wolfSSL	11:cee25a834751	156	{
wolfSSL	11:cee25a834751	157	switch (type) {
wolfSSL	11:cee25a834751	158	case SRP_TYPE_SHA:
wolfSSL	11:cee25a834751	159	#ifndef NO_SHA
wolfSSL	11:cee25a834751	160	return SHA_DIGEST_SIZE;
wolfSSL	11:cee25a834751	161	#else
wolfSSL	11:cee25a834751	162	return 0;
wolfSSL	11:cee25a834751	163	#endif
wolfSSL	11:cee25a834751	164
wolfSSL	11:cee25a834751	165	case SRP_TYPE_SHA256:
wolfSSL	11:cee25a834751	166	#ifndef NO_SHA256
wolfSSL	11:cee25a834751	167	return SHA256_DIGEST_SIZE;
wolfSSL	11:cee25a834751	168	#else
wolfSSL	11:cee25a834751	169	return 0;
wolfSSL	11:cee25a834751	170	#endif
wolfSSL	11:cee25a834751	171
wolfSSL	11:cee25a834751	172	case SRP_TYPE_SHA384:
wolfSSL	11:cee25a834751	173	#ifdef WOLFSSL_SHA384
wolfSSL	11:cee25a834751	174	return SHA384_DIGEST_SIZE;
wolfSSL	11:cee25a834751	175	#else
wolfSSL	11:cee25a834751	176	return 0;
wolfSSL	11:cee25a834751	177	#endif
wolfSSL	11:cee25a834751	178
wolfSSL	11:cee25a834751	179	case SRP_TYPE_SHA512:
wolfSSL	11:cee25a834751	180	#ifdef WOLFSSL_SHA512
wolfSSL	11:cee25a834751	181	return SHA512_DIGEST_SIZE;
wolfSSL	11:cee25a834751	182	#else
wolfSSL	11:cee25a834751	183	return 0;
wolfSSL	11:cee25a834751	184	#endif
wolfSSL	11:cee25a834751	185
wolfSSL	11:cee25a834751	186	default:
wolfSSL	11:cee25a834751	187	return 0;
wolfSSL	11:cee25a834751	188	}
wolfSSL	11:cee25a834751	189	}
wolfSSL	11:cee25a834751	190
wolfSSL	11:cee25a834751	191	int wc_SrpInit(Srp* srp, SrpType type, SrpSide side)
wolfSSL	11:cee25a834751	192	{
wolfSSL	11:cee25a834751	193	int r;
wolfSSL	11:cee25a834751	194
wolfSSL	11:cee25a834751	195	/* validating params */
wolfSSL	11:cee25a834751	196
wolfSSL	11:cee25a834751	197	if (!srp)
wolfSSL	11:cee25a834751	198	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	199
wolfSSL	11:cee25a834751	200	if (side != SRP_CLIENT_SIDE && side != SRP_SERVER_SIDE)
wolfSSL	11:cee25a834751	201	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	202
wolfSSL	11:cee25a834751	203	switch (type) {
wolfSSL	11:cee25a834751	204	case SRP_TYPE_SHA:
wolfSSL	11:cee25a834751	205	#ifdef NO_SHA
wolfSSL	11:cee25a834751	206	return NOT_COMPILED_IN;
wolfSSL	11:cee25a834751	207	#else
wolfSSL	11:cee25a834751	208	break; /* OK */
wolfSSL	11:cee25a834751	209	#endif
wolfSSL	11:cee25a834751	210
wolfSSL	11:cee25a834751	211	case SRP_TYPE_SHA256:
wolfSSL	11:cee25a834751	212	#ifdef NO_SHA256
wolfSSL	11:cee25a834751	213	return NOT_COMPILED_IN;
wolfSSL	11:cee25a834751	214	#else
wolfSSL	11:cee25a834751	215	break; /* OK */
wolfSSL	11:cee25a834751	216	#endif
wolfSSL	11:cee25a834751	217
wolfSSL	11:cee25a834751	218	case SRP_TYPE_SHA384:
wolfSSL	11:cee25a834751	219	#ifndef WOLFSSL_SHA384
wolfSSL	11:cee25a834751	220	return NOT_COMPILED_IN;
wolfSSL	11:cee25a834751	221	#else
wolfSSL	11:cee25a834751	222	break; /* OK */
wolfSSL	11:cee25a834751	223	#endif
wolfSSL	11:cee25a834751	224
wolfSSL	11:cee25a834751	225	case SRP_TYPE_SHA512:
wolfSSL	11:cee25a834751	226	#ifndef WOLFSSL_SHA512
wolfSSL	11:cee25a834751	227	return NOT_COMPILED_IN;
wolfSSL	11:cee25a834751	228	#else
wolfSSL	11:cee25a834751	229	break; /* OK */
wolfSSL	11:cee25a834751	230	#endif
wolfSSL	11:cee25a834751	231
wolfSSL	11:cee25a834751	232	default:
wolfSSL	11:cee25a834751	233	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	234	}
wolfSSL	11:cee25a834751	235
wolfSSL	11:cee25a834751	236	/* initializing variables */
wolfSSL	11:cee25a834751	237
wolfSSL	11:cee25a834751	238	XMEMSET(srp, 0, sizeof(Srp));
wolfSSL	11:cee25a834751	239
wolfSSL	11:cee25a834751	240	if ((r = SrpHashInit(&srp->client_proof, type)) != 0)
wolfSSL	11:cee25a834751	241	return r;
wolfSSL	11:cee25a834751	242
wolfSSL	11:cee25a834751	243	if ((r = SrpHashInit(&srp->server_proof, type)) != 0)
wolfSSL	11:cee25a834751	244	return r;
wolfSSL	11:cee25a834751	245
wolfSSL	11:cee25a834751	246	if ((r = mp_init_multi(&srp->N, &srp->g, &srp->auth,
wolfSSL	11:cee25a834751	247	&srp->priv, 0, 0)) != 0)
wolfSSL	11:cee25a834751	248	return r;
wolfSSL	11:cee25a834751	249
wolfSSL	11:cee25a834751	250	srp->side = side; srp->type = type;
wolfSSL	11:cee25a834751	251	srp->salt = NULL; srp->saltSz = 0;
wolfSSL	11:cee25a834751	252	srp->user = NULL; srp->userSz = 0;
wolfSSL	11:cee25a834751	253	srp->key = NULL; srp->keySz = 0;
wolfSSL	11:cee25a834751	254
wolfSSL	11:cee25a834751	255	srp->keyGenFunc_cb = wc_SrpSetKey;
wolfSSL	11:cee25a834751	256
wolfSSL	11:cee25a834751	257	/* default heap hint to NULL or test value */
wolfSSL	11:cee25a834751	258	#ifdef WOLFSSL_HEAP_TEST
wolfSSL	11:cee25a834751	259	srp->heap = (void*)WOLFSSL_HEAP_TEST;
wolfSSL	11:cee25a834751	260	#else
wolfSSL	11:cee25a834751	261	srp->heap = NULL;
wolfSSL	11:cee25a834751	262	#endif
wolfSSL	11:cee25a834751	263
wolfSSL	11:cee25a834751	264	return 0;
wolfSSL	11:cee25a834751	265	}
wolfSSL	11:cee25a834751	266
wolfSSL	11:cee25a834751	267	void wc_SrpTerm(Srp* srp)
wolfSSL	11:cee25a834751	268	{
wolfSSL	11:cee25a834751	269	if (srp) {
wolfSSL	11:cee25a834751	270	mp_clear(&srp->N); mp_clear(&srp->g);
wolfSSL	11:cee25a834751	271	mp_clear(&srp->auth); mp_clear(&srp->priv);
wolfSSL	11:cee25a834751	272
wolfSSL	11:cee25a834751	273	if (srp->salt) {
wolfSSL	11:cee25a834751	274	ForceZero(srp->salt, srp->saltSz);
wolfSSL	11:cee25a834751	275	XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
wolfSSL	11:cee25a834751	276	}
wolfSSL	11:cee25a834751	277	if (srp->user) {
wolfSSL	11:cee25a834751	278	ForceZero(srp->user, srp->userSz);
wolfSSL	11:cee25a834751	279	XFREE(srp->user, srp->heap, DYNAMIC_TYPE_SRP);
wolfSSL	11:cee25a834751	280	}
wolfSSL	11:cee25a834751	281	if (srp->key) {
wolfSSL	11:cee25a834751	282	ForceZero(srp->key, srp->keySz);
wolfSSL	11:cee25a834751	283	XFREE(srp->key, srp->heap, DYNAMIC_TYPE_SRP);
wolfSSL	11:cee25a834751	284	}
wolfSSL	11:cee25a834751	285
wolfSSL	11:cee25a834751	286	ForceZero(srp, sizeof(Srp));
wolfSSL	11:cee25a834751	287	}
wolfSSL	11:cee25a834751	288	}
wolfSSL	11:cee25a834751	289
wolfSSL	11:cee25a834751	290	int wc_SrpSetUsername(Srp* srp, const byte* username, word32 size)
wolfSSL	11:cee25a834751	291	{
wolfSSL	11:cee25a834751	292	if (!srp \|\| !username)
wolfSSL	11:cee25a834751	293	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	294
wolfSSL	11:cee25a834751	295	srp->user = (byte*)XMALLOC(size, srp->heap, DYNAMIC_TYPE_SRP);
wolfSSL	11:cee25a834751	296	if (srp->user == NULL)
wolfSSL	11:cee25a834751	297	return MEMORY_E;
wolfSSL	11:cee25a834751	298
wolfSSL	11:cee25a834751	299	srp->userSz = size;
wolfSSL	11:cee25a834751	300	XMEMCPY(srp->user, username, srp->userSz);
wolfSSL	11:cee25a834751	301
wolfSSL	11:cee25a834751	302	return 0;
wolfSSL	11:cee25a834751	303	}
wolfSSL	11:cee25a834751	304
wolfSSL	11:cee25a834751	305	int wc_SrpSetParams(Srp* srp, const byte* N, word32 nSz,
wolfSSL	11:cee25a834751	306	const byte* g, word32 gSz,
wolfSSL	11:cee25a834751	307	const byte* salt, word32 saltSz)
wolfSSL	11:cee25a834751	308	{
wolfSSL	11:cee25a834751	309	SrpHash hash;
wolfSSL	11:cee25a834751	310	byte digest1[SRP_MAX_DIGEST_SIZE];
wolfSSL	11:cee25a834751	311	byte digest2[SRP_MAX_DIGEST_SIZE];
wolfSSL	11:cee25a834751	312	byte pad = 0;
wolfSSL	11:cee25a834751	313	int i, r;
wolfSSL	11:cee25a834751	314	int j = 0;
wolfSSL	11:cee25a834751	315
wolfSSL	11:cee25a834751	316	if (!srp \|\| !N \|\| !g \|\| !salt \|\| nSz < gSz)
wolfSSL	11:cee25a834751	317	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	318
wolfSSL	11:cee25a834751	319	if (!srp->user)
wolfSSL	11:cee25a834751	320	return SRP_CALL_ORDER_E;
wolfSSL	11:cee25a834751	321
wolfSSL	11:cee25a834751	322	/* Set N */
wolfSSL	11:cee25a834751	323	if (mp_read_unsigned_bin(&srp->N, N, nSz) != MP_OKAY)
wolfSSL	11:cee25a834751	324	return MP_READ_E;
wolfSSL	11:cee25a834751	325
wolfSSL	11:cee25a834751	326	if (mp_count_bits(&srp->N) < SRP_MODULUS_MIN_BITS)
wolfSSL	11:cee25a834751	327	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	328
wolfSSL	11:cee25a834751	329	/* Set g */
wolfSSL	11:cee25a834751	330	if (mp_read_unsigned_bin(&srp->g, g, gSz) != MP_OKAY)
wolfSSL	11:cee25a834751	331	return MP_READ_E;
wolfSSL	11:cee25a834751	332
wolfSSL	11:cee25a834751	333	if (mp_cmp(&srp->N, &srp->g) != MP_GT)
wolfSSL	11:cee25a834751	334	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	335
wolfSSL	11:cee25a834751	336	/* Set salt */
wolfSSL	11:cee25a834751	337	if (srp->salt) {
wolfSSL	11:cee25a834751	338	ForceZero(srp->salt, srp->saltSz);
wolfSSL	11:cee25a834751	339	XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
wolfSSL	11:cee25a834751	340	}
wolfSSL	11:cee25a834751	341
wolfSSL	11:cee25a834751	342	srp->salt = (byte*)XMALLOC(saltSz, srp->heap, DYNAMIC_TYPE_SRP);
wolfSSL	11:cee25a834751	343	if (srp->salt == NULL)
wolfSSL	11:cee25a834751	344	return MEMORY_E;
wolfSSL	11:cee25a834751	345
wolfSSL	11:cee25a834751	346	XMEMCPY(srp->salt, salt, saltSz);
wolfSSL	11:cee25a834751	347	srp->saltSz = saltSz;
wolfSSL	11:cee25a834751	348
wolfSSL	11:cee25a834751	349	/* Set k = H(N, g) */
wolfSSL	11:cee25a834751	350	r = SrpHashInit(&hash, srp->type);
wolfSSL	11:cee25a834751	351	if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz);
wolfSSL	11:cee25a834751	352	for (i = 0; (word32)i < nSz - gSz; i++) {
wolfSSL	11:cee25a834751	353	if (!r) r = SrpHashUpdate(&hash, &pad, 1);
wolfSSL	11:cee25a834751	354	}
wolfSSL	11:cee25a834751	355	if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz);
wolfSSL	11:cee25a834751	356	if (!r) r = SrpHashFinal(&hash, srp->k);
wolfSSL	11:cee25a834751	357
wolfSSL	11:cee25a834751	358	/* update client proof */
wolfSSL	11:cee25a834751	359
wolfSSL	11:cee25a834751	360	/* digest1 = H(N) */
wolfSSL	11:cee25a834751	361	if (!r) r = SrpHashInit(&hash, srp->type);
wolfSSL	11:cee25a834751	362	if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz);
wolfSSL	11:cee25a834751	363	if (!r) r = SrpHashFinal(&hash, digest1);
wolfSSL	11:cee25a834751	364
wolfSSL	11:cee25a834751	365	/* digest2 = H(g) */
wolfSSL	11:cee25a834751	366	if (!r) r = SrpHashInit(&hash, srp->type);
wolfSSL	11:cee25a834751	367	if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz);
wolfSSL	11:cee25a834751	368	if (!r) r = SrpHashFinal(&hash, digest2);
wolfSSL	11:cee25a834751	369
wolfSSL	11:cee25a834751	370	/* digest1 = H(N) ^ H(g) */
wolfSSL	11:cee25a834751	371	if (r == 0) {
wolfSSL	11:cee25a834751	372	for (i = 0, j = SrpHashSize(srp->type); i < j; i++)
wolfSSL	11:cee25a834751	373	digest1[i] ^= digest2[i];
wolfSSL	11:cee25a834751	374	}
wolfSSL	11:cee25a834751	375
wolfSSL	11:cee25a834751	376	/* digest2 = H(user) */
wolfSSL	11:cee25a834751	377	if (!r) r = SrpHashInit(&hash, srp->type);
wolfSSL	11:cee25a834751	378	if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz);
wolfSSL	11:cee25a834751	379	if (!r) r = SrpHashFinal(&hash, digest2);
wolfSSL	11:cee25a834751	380
wolfSSL	11:cee25a834751	381	/* client proof = H( H(N) ^ H(g) \| H(user) \| salt) */
wolfSSL	11:cee25a834751	382	if (!r) r = SrpHashUpdate(&srp->client_proof, digest1, j);
wolfSSL	11:cee25a834751	383	if (!r) r = SrpHashUpdate(&srp->client_proof, digest2, j);
wolfSSL	11:cee25a834751	384	if (!r) r = SrpHashUpdate(&srp->client_proof, salt, saltSz);
wolfSSL	11:cee25a834751	385
wolfSSL	11:cee25a834751	386	return r;
wolfSSL	11:cee25a834751	387	}
wolfSSL	11:cee25a834751	388
wolfSSL	11:cee25a834751	389	int wc_SrpSetPassword(Srp* srp, const byte* password, word32 size)
wolfSSL	11:cee25a834751	390	{
wolfSSL	11:cee25a834751	391	SrpHash hash;
wolfSSL	11:cee25a834751	392	byte digest[SRP_MAX_DIGEST_SIZE];
wolfSSL	11:cee25a834751	393	word32 digestSz;
wolfSSL	11:cee25a834751	394	int r;
wolfSSL	11:cee25a834751	395
wolfSSL	11:cee25a834751	396	if (!srp \|\| !password \|\| srp->side != SRP_CLIENT_SIDE)
wolfSSL	11:cee25a834751	397	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	398
wolfSSL	11:cee25a834751	399	if (!srp->salt)
wolfSSL	11:cee25a834751	400	return SRP_CALL_ORDER_E;
wolfSSL	11:cee25a834751	401
wolfSSL	11:cee25a834751	402	digestSz = SrpHashSize(srp->type);
wolfSSL	11:cee25a834751	403
wolfSSL	11:cee25a834751	404	/* digest = H(username \| ':' \| password) */
wolfSSL	11:cee25a834751	405	r = SrpHashInit(&hash, srp->type);
wolfSSL	11:cee25a834751	406	if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz);
wolfSSL	11:cee25a834751	407	if (!r) r = SrpHashUpdate(&hash, (const byte*) ":", 1);
wolfSSL	11:cee25a834751	408	if (!r) r = SrpHashUpdate(&hash, password, size);
wolfSSL	11:cee25a834751	409	if (!r) r = SrpHashFinal(&hash, digest);
wolfSSL	11:cee25a834751	410
wolfSSL	11:cee25a834751	411	/* digest = H(salt \| H(username \| ':' \| password)) */
wolfSSL	11:cee25a834751	412	if (!r) r = SrpHashInit(&hash, srp->type);
wolfSSL	11:cee25a834751	413	if (!r) r = SrpHashUpdate(&hash, srp->salt, srp->saltSz);
wolfSSL	11:cee25a834751	414	if (!r) r = SrpHashUpdate(&hash, digest, digestSz);
wolfSSL	11:cee25a834751	415	if (!r) r = SrpHashFinal(&hash, digest);
wolfSSL	11:cee25a834751	416
wolfSSL	11:cee25a834751	417	/* Set x (private key) */
wolfSSL	11:cee25a834751	418	if (!r) r = mp_read_unsigned_bin(&srp->auth, digest, digestSz);
wolfSSL	11:cee25a834751	419
wolfSSL	11:cee25a834751	420	ForceZero(digest, SRP_MAX_DIGEST_SIZE);
wolfSSL	11:cee25a834751	421
wolfSSL	11:cee25a834751	422	return r;
wolfSSL	11:cee25a834751	423	}
wolfSSL	11:cee25a834751	424
wolfSSL	11:cee25a834751	425	int wc_SrpGetVerifier(Srp* srp, byte* verifier, word32* size)
wolfSSL	11:cee25a834751	426	{
wolfSSL	11:cee25a834751	427	mp_int v;
wolfSSL	11:cee25a834751	428	int r;
wolfSSL	11:cee25a834751	429
wolfSSL	11:cee25a834751	430	if (!srp \|\| !verifier \|\| !size \|\| srp->side != SRP_CLIENT_SIDE)
wolfSSL	11:cee25a834751	431	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	432
wolfSSL	11:cee25a834751	433	if (mp_iszero(&srp->auth) == MP_YES)
wolfSSL	11:cee25a834751	434	return SRP_CALL_ORDER_E;
wolfSSL	11:cee25a834751	435
wolfSSL	11:cee25a834751	436	r = mp_init(&v);
wolfSSL	11:cee25a834751	437	if (r != MP_OKAY)
wolfSSL	11:cee25a834751	438	return MP_INIT_E;
wolfSSL	11:cee25a834751	439
wolfSSL	11:cee25a834751	440	/* v = g ^ x % N */
wolfSSL	11:cee25a834751	441	if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &v);
wolfSSL	11:cee25a834751	442	if (!r) r = *size < (word32)mp_unsigned_bin_size(&v) ? BUFFER_E : MP_OKAY;
wolfSSL	11:cee25a834751	443	if (!r) r = mp_to_unsigned_bin(&v, verifier);
wolfSSL	11:cee25a834751	444	if (!r) *size = mp_unsigned_bin_size(&v);
wolfSSL	11:cee25a834751	445
wolfSSL	11:cee25a834751	446	mp_clear(&v);
wolfSSL	11:cee25a834751	447
wolfSSL	11:cee25a834751	448	return r;
wolfSSL	11:cee25a834751	449	}
wolfSSL	11:cee25a834751	450
wolfSSL	11:cee25a834751	451	int wc_SrpSetVerifier(Srp* srp, const byte* verifier, word32 size)
wolfSSL	11:cee25a834751	452	{
wolfSSL	11:cee25a834751	453	if (!srp \|\| !verifier \|\| srp->side != SRP_SERVER_SIDE)
wolfSSL	11:cee25a834751	454	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	455
wolfSSL	11:cee25a834751	456	return mp_read_unsigned_bin(&srp->auth, verifier, size);
wolfSSL	11:cee25a834751	457	}
wolfSSL	11:cee25a834751	458
wolfSSL	11:cee25a834751	459	int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size)
wolfSSL	11:cee25a834751	460	{
wolfSSL	11:cee25a834751	461	mp_int p;
wolfSSL	11:cee25a834751	462	int r;
wolfSSL	11:cee25a834751	463
wolfSSL	11:cee25a834751	464	if (!srp \|\| !priv \|\| !size)
wolfSSL	11:cee25a834751	465	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	466
wolfSSL	11:cee25a834751	467	if (mp_iszero(&srp->auth) == MP_YES)
wolfSSL	11:cee25a834751	468	return SRP_CALL_ORDER_E;
wolfSSL	11:cee25a834751	469
wolfSSL	11:cee25a834751	470	r = mp_init(&p);
wolfSSL	11:cee25a834751	471	if (r != MP_OKAY)
wolfSSL	11:cee25a834751	472	return MP_INIT_E;
wolfSSL	11:cee25a834751	473	if (!r) r = mp_read_unsigned_bin(&p, priv, size);
wolfSSL	11:cee25a834751	474	if (!r) r = mp_mod(&p, &srp->N, &srp->priv);
wolfSSL	11:cee25a834751	475	if (!r) r = mp_iszero(&srp->priv) == MP_YES ? SRP_BAD_KEY_E : 0;
wolfSSL	11:cee25a834751	476
wolfSSL	11:cee25a834751	477	mp_clear(&p);
wolfSSL	11:cee25a834751	478
wolfSSL	11:cee25a834751	479	return r;
wolfSSL	11:cee25a834751	480	}
wolfSSL	11:cee25a834751	481
wolfSSL	11:cee25a834751	482	/** Generates random data using wolfcrypt RNG. */
wolfSSL	11:cee25a834751	483	static int wc_SrpGenPrivate(Srp* srp, byte* priv, word32 size)
wolfSSL	11:cee25a834751	484	{
wolfSSL	11:cee25a834751	485	WC_RNG rng;
wolfSSL	11:cee25a834751	486	int r = wc_InitRng(&rng);
wolfSSL	11:cee25a834751	487
wolfSSL	11:cee25a834751	488	if (!r) r = wc_RNG_GenerateBlock(&rng, priv, size);
wolfSSL	11:cee25a834751	489	if (!r) r = wc_SrpSetPrivate(srp, priv, size);
wolfSSL	11:cee25a834751	490	if (!r) wc_FreeRng(&rng);
wolfSSL	11:cee25a834751	491
wolfSSL	11:cee25a834751	492	return r;
wolfSSL	11:cee25a834751	493	}
wolfSSL	11:cee25a834751	494
wolfSSL	11:cee25a834751	495	int wc_SrpGetPublic(Srp* srp, byte* pub, word32* size)
wolfSSL	11:cee25a834751	496	{
wolfSSL	11:cee25a834751	497	mp_int pubkey;
wolfSSL	11:cee25a834751	498	word32 modulusSz;
wolfSSL	11:cee25a834751	499	int r;
wolfSSL	11:cee25a834751	500
wolfSSL	11:cee25a834751	501	if (!srp \|\| !pub \|\| !size)
wolfSSL	11:cee25a834751	502	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	503
wolfSSL	11:cee25a834751	504	if (mp_iszero(&srp->auth) == MP_YES)
wolfSSL	11:cee25a834751	505	return SRP_CALL_ORDER_E;
wolfSSL	11:cee25a834751	506
wolfSSL	11:cee25a834751	507	modulusSz = mp_unsigned_bin_size(&srp->N);
wolfSSL	11:cee25a834751	508	if (*size < modulusSz)
wolfSSL	11:cee25a834751	509	return BUFFER_E;
wolfSSL	11:cee25a834751	510
wolfSSL	11:cee25a834751	511	r = mp_init(&pubkey);
wolfSSL	11:cee25a834751	512	if (r != MP_OKAY)
wolfSSL	11:cee25a834751	513	return MP_INIT_E;
wolfSSL	11:cee25a834751	514
wolfSSL	11:cee25a834751	515	/* priv = random() */
wolfSSL	11:cee25a834751	516	if (mp_iszero(&srp->priv) == MP_YES)
wolfSSL	11:cee25a834751	517	r = wc_SrpGenPrivate(srp, pub, SRP_PRIVATE_KEY_MIN_BITS / 8);
wolfSSL	11:cee25a834751	518
wolfSSL	11:cee25a834751	519	/* client side: A = g ^ a % N */
wolfSSL	11:cee25a834751	520	if (srp->side == SRP_CLIENT_SIDE) {
wolfSSL	11:cee25a834751	521	if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, &pubkey);
wolfSSL	11:cee25a834751	522
wolfSSL	11:cee25a834751	523	/* server side: B = (k * v + (g ^ b % N)) % N */
wolfSSL	11:cee25a834751	524	} else {
wolfSSL	11:cee25a834751	525	mp_int i, j;
wolfSSL	11:cee25a834751	526
wolfSSL	11:cee25a834751	527	if (mp_init_multi(&i, &j, 0, 0, 0, 0) == MP_OKAY) {
wolfSSL	11:cee25a834751	528	if (!r) r = mp_read_unsigned_bin(&i, srp->k,SrpHashSize(srp->type));
wolfSSL	11:cee25a834751	529	if (!r) r = mp_iszero(&i) == MP_YES ? SRP_BAD_KEY_E : 0;
wolfSSL	11:cee25a834751	530	if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, &pubkey);
wolfSSL	11:cee25a834751	531	if (!r) r = mp_mulmod(&i, &srp->auth, &srp->N, &j);
wolfSSL	11:cee25a834751	532	if (!r) r = mp_add(&j, &pubkey, &i);
wolfSSL	11:cee25a834751	533	if (!r) r = mp_mod(&i, &srp->N, &pubkey);
wolfSSL	11:cee25a834751	534
wolfSSL	11:cee25a834751	535	mp_clear(&i); mp_clear(&j);
wolfSSL	11:cee25a834751	536	}
wolfSSL	11:cee25a834751	537	}
wolfSSL	11:cee25a834751	538
wolfSSL	11:cee25a834751	539	/* extract public key to buffer */
wolfSSL	11:cee25a834751	540	XMEMSET(pub, 0, modulusSz);
wolfSSL	11:cee25a834751	541	if (!r) r = mp_to_unsigned_bin(&pubkey, pub);
wolfSSL	11:cee25a834751	542	if (!r) *size = mp_unsigned_bin_size(&pubkey);
wolfSSL	11:cee25a834751	543	mp_clear(&pubkey);
wolfSSL	11:cee25a834751	544
wolfSSL	11:cee25a834751	545	return r;
wolfSSL	11:cee25a834751	546	}
wolfSSL	11:cee25a834751	547
wolfSSL	11:cee25a834751	548	static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size)
wolfSSL	11:cee25a834751	549	{
wolfSSL	11:cee25a834751	550	SrpHash hash;
wolfSSL	11:cee25a834751	551	byte digest[SRP_MAX_DIGEST_SIZE];
wolfSSL	11:cee25a834751	552	word32 i, j, digestSz = SrpHashSize(srp->type);
wolfSSL	11:cee25a834751	553	byte counter[4];
wolfSSL	11:cee25a834751	554	int r = BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	555
wolfSSL	11:cee25a834751	556	XMEMSET(digest, 0, SRP_MAX_DIGEST_SIZE);
wolfSSL	11:cee25a834751	557
wolfSSL	11:cee25a834751	558	srp->key = (byte)XMALLOC(2 digestSz, srp->heap, DYNAMIC_TYPE_SRP);
wolfSSL	11:cee25a834751	559	if (srp->key == NULL)
wolfSSL	11:cee25a834751	560	return MEMORY_E;
wolfSSL	11:cee25a834751	561
wolfSSL	11:cee25a834751	562	srp->keySz = 2 * digestSz;
wolfSSL	11:cee25a834751	563
wolfSSL	11:cee25a834751	564	for (i = j = 0; j < srp->keySz; i++) {
wolfSSL	11:cee25a834751	565	counter[0] = (i >> 24) & 0xFF;
wolfSSL	11:cee25a834751	566	counter[1] = (i >> 16) & 0xFF;
wolfSSL	11:cee25a834751	567	counter[2] = (i >> 8) & 0xFF;
wolfSSL	11:cee25a834751	568	counter[3] = i & 0xFF;
wolfSSL	11:cee25a834751	569
wolfSSL	11:cee25a834751	570	r = SrpHashInit(&hash, srp->type);
wolfSSL	11:cee25a834751	571	if (!r) r = SrpHashUpdate(&hash, secret, size);
wolfSSL	11:cee25a834751	572	if (!r) r = SrpHashUpdate(&hash, counter, 4);
wolfSSL	11:cee25a834751	573
wolfSSL	11:cee25a834751	574	if (j + digestSz > srp->keySz) {
wolfSSL	11:cee25a834751	575	if (!r) r = SrpHashFinal(&hash, digest);
wolfSSL	11:cee25a834751	576	XMEMCPY(srp->key + j, digest, srp->keySz - j);
wolfSSL	11:cee25a834751	577	j = srp->keySz;
wolfSSL	11:cee25a834751	578	}
wolfSSL	11:cee25a834751	579	else {
wolfSSL	11:cee25a834751	580	if (!r) r = SrpHashFinal(&hash, srp->key + j);
wolfSSL	11:cee25a834751	581	j += digestSz;
wolfSSL	11:cee25a834751	582	}
wolfSSL	11:cee25a834751	583	}
wolfSSL	11:cee25a834751	584
wolfSSL	11:cee25a834751	585	ForceZero(digest, sizeof(digest));
wolfSSL	11:cee25a834751	586	ForceZero(&hash, sizeof(SrpHash));
wolfSSL	11:cee25a834751	587
wolfSSL	11:cee25a834751	588	return r;
wolfSSL	11:cee25a834751	589	}
wolfSSL	11:cee25a834751	590
wolfSSL	11:cee25a834751	591	int wc_SrpComputeKey(Srp* srp, byte* clientPubKey, word32 clientPubKeySz,
wolfSSL	11:cee25a834751	592	byte* serverPubKey, word32 serverPubKeySz)
wolfSSL	11:cee25a834751	593	{
wolfSSL	11:cee25a834751	594	SrpHash hash;
wolfSSL	11:cee25a834751	595	byte *secret;
wolfSSL	11:cee25a834751	596	byte digest[SRP_MAX_DIGEST_SIZE];
wolfSSL	11:cee25a834751	597	word32 i, secretSz, digestSz;
wolfSSL	11:cee25a834751	598	mp_int u, s, temp1, temp2;
wolfSSL	11:cee25a834751	599	byte pad = 0;
wolfSSL	11:cee25a834751	600	int r;
wolfSSL	11:cee25a834751	601
wolfSSL	11:cee25a834751	602	/* validating params */
wolfSSL	11:cee25a834751	603
wolfSSL	11:cee25a834751	604	if (!srp \|\| !clientPubKey \|\| clientPubKeySz == 0
wolfSSL	11:cee25a834751	605	\|\| !serverPubKey \|\| serverPubKeySz == 0)
wolfSSL	11:cee25a834751	606	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	607
wolfSSL	11:cee25a834751	608	if (mp_iszero(&srp->priv) == MP_YES)
wolfSSL	11:cee25a834751	609	return SRP_CALL_ORDER_E;
wolfSSL	11:cee25a834751	610
wolfSSL	11:cee25a834751	611	/* initializing variables */
wolfSSL	11:cee25a834751	612
wolfSSL	11:cee25a834751	613	if ((r = SrpHashInit(&hash, srp->type)) != 0)
wolfSSL	11:cee25a834751	614	return r;
wolfSSL	11:cee25a834751	615
wolfSSL	11:cee25a834751	616	digestSz = SrpHashSize(srp->type);
wolfSSL	11:cee25a834751	617	secretSz = mp_unsigned_bin_size(&srp->N);
wolfSSL	11:cee25a834751	618
wolfSSL	11:cee25a834751	619	if ((secret = (byte*)XMALLOC(secretSz, srp->heap, DYNAMIC_TYPE_SRP)) ==NULL)
wolfSSL	11:cee25a834751	620	return MEMORY_E;
wolfSSL	11:cee25a834751	621
wolfSSL	11:cee25a834751	622	if ((r = mp_init_multi(&u, &s, &temp1, &temp2, 0, 0)) != MP_OKAY) {
wolfSSL	11:cee25a834751	623	XFREE(secret, srp->heap, DYNAMIC_TYPE_SRP);
wolfSSL	11:cee25a834751	624	return r;
wolfSSL	11:cee25a834751	625	}
wolfSSL	11:cee25a834751	626
wolfSSL	11:cee25a834751	627	/* building u (random scrambling parameter) */
wolfSSL	11:cee25a834751	628
wolfSSL	11:cee25a834751	629	/* H(A) */
wolfSSL	11:cee25a834751	630	for (i = 0; !r && i < secretSz - clientPubKeySz; i++)
wolfSSL	11:cee25a834751	631	r = SrpHashUpdate(&hash, &pad, 1);
wolfSSL	11:cee25a834751	632	if (!r) r = SrpHashUpdate(&hash, clientPubKey, clientPubKeySz);
wolfSSL	11:cee25a834751	633
wolfSSL	11:cee25a834751	634	/* H(A \| B) */
wolfSSL	11:cee25a834751	635	for (i = 0; !r && i < secretSz - serverPubKeySz; i++)
wolfSSL	11:cee25a834751	636	r = SrpHashUpdate(&hash, &pad, 1);
wolfSSL	11:cee25a834751	637	if (!r) r = SrpHashUpdate(&hash, serverPubKey, serverPubKeySz);
wolfSSL	11:cee25a834751	638
wolfSSL	11:cee25a834751	639	/* set u */
wolfSSL	11:cee25a834751	640	if (!r) r = SrpHashFinal(&hash, digest);
wolfSSL	11:cee25a834751	641	if (!r) r = mp_read_unsigned_bin(&u, digest, SrpHashSize(srp->type));
wolfSSL	11:cee25a834751	642
wolfSSL	11:cee25a834751	643	/* building s (secret) */
wolfSSL	11:cee25a834751	644
wolfSSL	11:cee25a834751	645	if (!r && srp->side == SRP_CLIENT_SIDE) {
wolfSSL	11:cee25a834751	646
wolfSSL	11:cee25a834751	647	/* temp1 = B - k * v; rejects k == 0, B == 0 and B >= N. */
wolfSSL	11:cee25a834751	648	r = mp_read_unsigned_bin(&temp1, srp->k, digestSz);
wolfSSL	11:cee25a834751	649	if (!r) r = mp_iszero(&temp1) == MP_YES ? SRP_BAD_KEY_E : 0;
wolfSSL	11:cee25a834751	650	if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &temp2);
wolfSSL	11:cee25a834751	651	if (!r) r = mp_mulmod(&temp1, &temp2, &srp->N, &s);
wolfSSL	11:cee25a834751	652	if (!r) r = mp_read_unsigned_bin(&temp2, serverPubKey, serverPubKeySz);
wolfSSL	11:cee25a834751	653	if (!r) r = mp_iszero(&temp2) == MP_YES ? SRP_BAD_KEY_E : 0;
wolfSSL	11:cee25a834751	654	if (!r) r = mp_cmp(&temp2, &srp->N) != MP_LT ? SRP_BAD_KEY_E : 0;
wolfSSL	11:cee25a834751	655	if (!r) r = mp_sub(&temp2, &s, &temp1);
wolfSSL	11:cee25a834751	656
wolfSSL	11:cee25a834751	657	/* temp2 = a + u * x */
wolfSSL	11:cee25a834751	658	if (!r) r = mp_mulmod(&u, &srp->auth, &srp->N, &s);
wolfSSL	11:cee25a834751	659	if (!r) r = mp_add(&srp->priv, &s, &temp2);
wolfSSL	11:cee25a834751	660
wolfSSL	11:cee25a834751	661	/* secret = temp1 ^ temp2 % N */
wolfSSL	11:cee25a834751	662	if (!r) r = mp_exptmod(&temp1, &temp2, &srp->N, &s);
wolfSSL	11:cee25a834751	663
wolfSSL	11:cee25a834751	664	} else if (!r && srp->side == SRP_SERVER_SIDE) {
wolfSSL	11:cee25a834751	665	/* temp1 = v ^ u % N */
wolfSSL	11:cee25a834751	666	r = mp_exptmod(&srp->auth, &u, &srp->N, &temp1);
wolfSSL	11:cee25a834751	667
wolfSSL	11:cee25a834751	668	/* temp2 = A * temp1 % N; rejects A == 0, A >= N */
wolfSSL	11:cee25a834751	669	if (!r) r = mp_read_unsigned_bin(&s, clientPubKey, clientPubKeySz);
wolfSSL	11:cee25a834751	670	if (!r) r = mp_iszero(&s) == MP_YES ? SRP_BAD_KEY_E : 0;
wolfSSL	11:cee25a834751	671	if (!r) r = mp_cmp(&s, &srp->N) != MP_LT ? SRP_BAD_KEY_E : 0;
wolfSSL	11:cee25a834751	672	if (!r) r = mp_mulmod(&s, &temp1, &srp->N, &temp2);
wolfSSL	11:cee25a834751	673
wolfSSL	11:cee25a834751	674	/* rejects A * v ^ u % N >= 1, A * v ^ u % N == -1 % N */
wolfSSL	11:cee25a834751	675	if (!r) r = mp_read_unsigned_bin(&temp1, (const byte*)"\001", 1);
wolfSSL	11:cee25a834751	676	if (!r) r = mp_cmp(&temp2, &temp1) != MP_GT ? SRP_BAD_KEY_E : 0;
wolfSSL	11:cee25a834751	677	if (!r) r = mp_sub(&srp->N, &temp1, &s);
wolfSSL	11:cee25a834751	678	if (!r) r = mp_cmp(&temp2, &s) == MP_EQ ? SRP_BAD_KEY_E : 0;
wolfSSL	11:cee25a834751	679
wolfSSL	11:cee25a834751	680	/* secret = temp2 * b % N */
wolfSSL	11:cee25a834751	681	if (!r) r = mp_exptmod(&temp2, &srp->priv, &srp->N, &s);
wolfSSL	11:cee25a834751	682	}
wolfSSL	11:cee25a834751	683
wolfSSL	11:cee25a834751	684	/* building session key from secret */
wolfSSL	11:cee25a834751	685
wolfSSL	11:cee25a834751	686	if (!r) r = mp_to_unsigned_bin(&s, secret);
wolfSSL	11:cee25a834751	687	if (!r) r = srp->keyGenFunc_cb(srp, secret, mp_unsigned_bin_size(&s));
wolfSSL	11:cee25a834751	688
wolfSSL	11:cee25a834751	689	/* updating client proof = H( H(N) ^ H(g) \| H(user) \| salt \| A \| B \| K) */
wolfSSL	11:cee25a834751	690
wolfSSL	11:cee25a834751	691	if (!r) r = SrpHashUpdate(&srp->client_proof, clientPubKey, clientPubKeySz);
wolfSSL	11:cee25a834751	692	if (!r) r = SrpHashUpdate(&srp->client_proof, serverPubKey, serverPubKeySz);
wolfSSL	11:cee25a834751	693	if (!r) r = SrpHashUpdate(&srp->client_proof, srp->key, srp->keySz);
wolfSSL	11:cee25a834751	694
wolfSSL	11:cee25a834751	695	/* updating server proof = H(A) */
wolfSSL	11:cee25a834751	696
wolfSSL	11:cee25a834751	697	if (!r) r = SrpHashUpdate(&srp->server_proof, clientPubKey, clientPubKeySz);
wolfSSL	11:cee25a834751	698
wolfSSL	11:cee25a834751	699	XFREE(secret, srp->heap, DYNAMIC_TYPE_SRP);
wolfSSL	11:cee25a834751	700	mp_clear(&u); mp_clear(&s); mp_clear(&temp1); mp_clear(&temp2);
wolfSSL	11:cee25a834751	701
wolfSSL	11:cee25a834751	702	return r;
wolfSSL	11:cee25a834751	703	}
wolfSSL	11:cee25a834751	704
wolfSSL	11:cee25a834751	705	int wc_SrpGetProof(Srp* srp, byte* proof, word32* size)
wolfSSL	11:cee25a834751	706	{
wolfSSL	11:cee25a834751	707	int r;
wolfSSL	11:cee25a834751	708
wolfSSL	11:cee25a834751	709	if (!srp \|\| !proof \|\| !size)
wolfSSL	11:cee25a834751	710	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	711
wolfSSL	11:cee25a834751	712	if (*size < SrpHashSize(srp->type))
wolfSSL	11:cee25a834751	713	return BUFFER_E;
wolfSSL	11:cee25a834751	714
wolfSSL	11:cee25a834751	715	if ((r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE
wolfSSL	11:cee25a834751	716	? &srp->client_proof
wolfSSL	11:cee25a834751	717	: &srp->server_proof, proof)) != 0)
wolfSSL	11:cee25a834751	718	return r;
wolfSSL	11:cee25a834751	719
wolfSSL	11:cee25a834751	720	*size = SrpHashSize(srp->type);
wolfSSL	11:cee25a834751	721
wolfSSL	11:cee25a834751	722	if (srp->side == SRP_CLIENT_SIDE) {
wolfSSL	11:cee25a834751	723	/* server proof = H( A \| client proof \| K) */
wolfSSL	11:cee25a834751	724	if (!r) r = SrpHashUpdate(&srp->server_proof, proof, *size);
wolfSSL	11:cee25a834751	725	if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
wolfSSL	11:cee25a834751	726	}
wolfSSL	11:cee25a834751	727
wolfSSL	11:cee25a834751	728	return r;
wolfSSL	11:cee25a834751	729	}
wolfSSL	11:cee25a834751	730
wolfSSL	11:cee25a834751	731	int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size)
wolfSSL	11:cee25a834751	732	{
wolfSSL	11:cee25a834751	733	byte digest[SRP_MAX_DIGEST_SIZE];
wolfSSL	11:cee25a834751	734	int r;
wolfSSL	11:cee25a834751	735
wolfSSL	11:cee25a834751	736	if (!srp \|\| !proof)
wolfSSL	11:cee25a834751	737	return BAD_FUNC_ARG;
wolfSSL	11:cee25a834751	738
wolfSSL	11:cee25a834751	739	if (size != SrpHashSize(srp->type))
wolfSSL	11:cee25a834751	740	return BUFFER_E;
wolfSSL	11:cee25a834751	741
wolfSSL	11:cee25a834751	742	r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE ? &srp->server_proof
wolfSSL	11:cee25a834751	743	: &srp->client_proof, digest);
wolfSSL	11:cee25a834751	744
wolfSSL	11:cee25a834751	745	if (srp->side == SRP_SERVER_SIDE) {
wolfSSL	11:cee25a834751	746	/* server proof = H( A \| client proof \| K) */
wolfSSL	11:cee25a834751	747	if (!r) r = SrpHashUpdate(&srp->server_proof, proof, size);
wolfSSL	11:cee25a834751	748	if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
wolfSSL	11:cee25a834751	749	}
wolfSSL	11:cee25a834751	750
wolfSSL	11:cee25a834751	751	if (!r && XMEMCMP(proof, digest, size) != 0)
wolfSSL	11:cee25a834751	752	r = SRP_VERIFY_E;
wolfSSL	11:cee25a834751	753
wolfSSL	11:cee25a834751	754	return r;
wolfSSL	11:cee25a834751	755	}
wolfSSL	11:cee25a834751	756
wolfSSL	11:cee25a834751	757	#endif /* WOLFCRYPT_HAVE_SRP */
wolfSSL	11:cee25a834751	758

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	30 May 2017
Imports:	0
Forks:	0
Commits:	14
Dependents:	0
Dependencies:	0
Followers:	1

This repository is Public (Unlisted).

wolfcrypt/src/srp.c@13:80fb167dafdf, 2017-05-30 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning