wolf SSL
wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
Diff: wolfcrypt/src/srp.c
- Revision:
- 13:f67a6c6013ca
- Parent:
- 11:cee25a834751
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/wolfcrypt/src/srp.c Tue Aug 22 10:48:22 2017 +0000
@@ -0,0 +1,758 @@
+/* srp.c
+ *
+ * Copyright (C) 2006-2016 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+#ifdef HAVE_CONFIG_H
+ #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef WOLFCRYPT_HAVE_SRP
+
+#include <wolfssl/wolfcrypt/srp.h>
+#include <wolfssl/wolfcrypt/random.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+
+#ifdef NO_INLINE
+ #include <wolfssl/wolfcrypt/misc.h>
+#else
+ #define WOLFSSL_MISC_INCLUDED
+ #include <wolfcrypt/src/misc.c>
+#endif
+
+/** Computes the session key using the Mask Generation Function 1. */
+static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size);
+
+static int SrpHashInit(SrpHash* hash, SrpType type)
+{
+ hash->type = type;
+
+ switch (type) {
+ case SRP_TYPE_SHA:
+ #ifndef NO_SHA
+ return wc_InitSha(&hash->data.sha);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ case SRP_TYPE_SHA256:
+ #ifndef NO_SHA256
+ return wc_InitSha256(&hash->data.sha256);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ case SRP_TYPE_SHA384:
+ #ifdef WOLFSSL_SHA384
+ return wc_InitSha384(&hash->data.sha384);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ case SRP_TYPE_SHA512:
+ #ifdef WOLFSSL_SHA512
+ return wc_InitSha512(&hash->data.sha512);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ default:
+ return BAD_FUNC_ARG;
+ }
+}
+
+static int SrpHashUpdate(SrpHash* hash, const byte* data, word32 size)
+{
+ switch (hash->type) {
+ case SRP_TYPE_SHA:
+ #ifndef NO_SHA
+ return wc_ShaUpdate(&hash->data.sha, data, size);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ case SRP_TYPE_SHA256:
+ #ifndef NO_SHA256
+ return wc_Sha256Update(&hash->data.sha256, data, size);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ case SRP_TYPE_SHA384:
+ #ifdef WOLFSSL_SHA384
+ return wc_Sha384Update(&hash->data.sha384, data, size);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ case SRP_TYPE_SHA512:
+ #ifdef WOLFSSL_SHA512
+ return wc_Sha512Update(&hash->data.sha512, data, size);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ default:
+ return BAD_FUNC_ARG;
+ }
+}
+
+static int SrpHashFinal(SrpHash* hash, byte* digest)
+{
+ switch (hash->type) {
+ case SRP_TYPE_SHA:
+ #ifndef NO_SHA
+ return wc_ShaFinal(&hash->data.sha, digest);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ case SRP_TYPE_SHA256:
+ #ifndef NO_SHA256
+ return wc_Sha256Final(&hash->data.sha256, digest);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ case SRP_TYPE_SHA384:
+ #ifdef WOLFSSL_SHA384
+ return wc_Sha384Final(&hash->data.sha384, digest);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ case SRP_TYPE_SHA512:
+ #ifdef WOLFSSL_SHA512
+ return wc_Sha512Final(&hash->data.sha512, digest);
+ #else
+ return BAD_FUNC_ARG;
+ #endif
+
+ default:
+ return BAD_FUNC_ARG;
+ }
+}
+
+static word32 SrpHashSize(SrpType type)
+{
+ switch (type) {
+ case SRP_TYPE_SHA:
+ #ifndef NO_SHA
+ return SHA_DIGEST_SIZE;
+ #else
+ return 0;
+ #endif
+
+ case SRP_TYPE_SHA256:
+ #ifndef NO_SHA256
+ return SHA256_DIGEST_SIZE;
+ #else
+ return 0;
+ #endif
+
+ case SRP_TYPE_SHA384:
+ #ifdef WOLFSSL_SHA384
+ return SHA384_DIGEST_SIZE;
+ #else
+ return 0;
+ #endif
+
+ case SRP_TYPE_SHA512:
+ #ifdef WOLFSSL_SHA512
+ return SHA512_DIGEST_SIZE;
+ #else
+ return 0;
+ #endif
+
+ default:
+ return 0;
+ }
+}
+
+int wc_SrpInit(Srp* srp, SrpType type, SrpSide side)
+{
+ int r;
+
+ /* validating params */
+
+ if (!srp)
+ return BAD_FUNC_ARG;
+
+ if (side != SRP_CLIENT_SIDE && side != SRP_SERVER_SIDE)
+ return BAD_FUNC_ARG;
+
+ switch (type) {
+ case SRP_TYPE_SHA:
+ #ifdef NO_SHA
+ return NOT_COMPILED_IN;
+ #else
+ break; /* OK */
+ #endif
+
+ case SRP_TYPE_SHA256:
+ #ifdef NO_SHA256
+ return NOT_COMPILED_IN;
+ #else
+ break; /* OK */
+ #endif
+
+ case SRP_TYPE_SHA384:
+ #ifndef WOLFSSL_SHA384
+ return NOT_COMPILED_IN;
+ #else
+ break; /* OK */
+ #endif
+
+ case SRP_TYPE_SHA512:
+ #ifndef WOLFSSL_SHA512
+ return NOT_COMPILED_IN;
+ #else
+ break; /* OK */
+ #endif
+
+ default:
+ return BAD_FUNC_ARG;
+ }
+
+ /* initializing variables */
+
+ XMEMSET(srp, 0, sizeof(Srp));
+
+ if ((r = SrpHashInit(&srp->client_proof, type)) != 0)
+ return r;
+
+ if ((r = SrpHashInit(&srp->server_proof, type)) != 0)
+ return r;
+
+ if ((r = mp_init_multi(&srp->N, &srp->g, &srp->auth,
+ &srp->priv, 0, 0)) != 0)
+ return r;
+
+ srp->side = side; srp->type = type;
+ srp->salt = NULL; srp->saltSz = 0;
+ srp->user = NULL; srp->userSz = 0;
+ srp->key = NULL; srp->keySz = 0;
+
+ srp->keyGenFunc_cb = wc_SrpSetKey;
+
+ /* default heap hint to NULL or test value */
+#ifdef WOLFSSL_HEAP_TEST
+ srp->heap = (void*)WOLFSSL_HEAP_TEST;
+#else
+ srp->heap = NULL;
+#endif
+
+ return 0;
+}
+
+void wc_SrpTerm(Srp* srp)
+{
+ if (srp) {
+ mp_clear(&srp->N); mp_clear(&srp->g);
+ mp_clear(&srp->auth); mp_clear(&srp->priv);
+
+ if (srp->salt) {
+ ForceZero(srp->salt, srp->saltSz);
+ XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
+ }
+ if (srp->user) {
+ ForceZero(srp->user, srp->userSz);
+ XFREE(srp->user, srp->heap, DYNAMIC_TYPE_SRP);
+ }
+ if (srp->key) {
+ ForceZero(srp->key, srp->keySz);
+ XFREE(srp->key, srp->heap, DYNAMIC_TYPE_SRP);
+ }
+
+ ForceZero(srp, sizeof(Srp));
+ }
+}
+
+int wc_SrpSetUsername(Srp* srp, const byte* username, word32 size)
+{
+ if (!srp || !username)
+ return BAD_FUNC_ARG;
+
+ srp->user = (byte*)XMALLOC(size, srp->heap, DYNAMIC_TYPE_SRP);
+ if (srp->user == NULL)
+ return MEMORY_E;
+
+ srp->userSz = size;
+ XMEMCPY(srp->user, username, srp->userSz);
+
+ return 0;
+}
+
+int wc_SrpSetParams(Srp* srp, const byte* N, word32 nSz,
+ const byte* g, word32 gSz,
+ const byte* salt, word32 saltSz)
+{
+ SrpHash hash;
+ byte digest1[SRP_MAX_DIGEST_SIZE];
+ byte digest2[SRP_MAX_DIGEST_SIZE];
+ byte pad = 0;
+ int i, r;
+ int j = 0;
+
+ if (!srp || !N || !g || !salt || nSz < gSz)
+ return BAD_FUNC_ARG;
+
+ if (!srp->user)
+ return SRP_CALL_ORDER_E;
+
+ /* Set N */
+ if (mp_read_unsigned_bin(&srp->N, N, nSz) != MP_OKAY)
+ return MP_READ_E;
+
+ if (mp_count_bits(&srp->N) < SRP_MODULUS_MIN_BITS)
+ return BAD_FUNC_ARG;
+
+ /* Set g */
+ if (mp_read_unsigned_bin(&srp->g, g, gSz) != MP_OKAY)
+ return MP_READ_E;
+
+ if (mp_cmp(&srp->N, &srp->g) != MP_GT)
+ return BAD_FUNC_ARG;
+
+ /* Set salt */
+ if (srp->salt) {
+ ForceZero(srp->salt, srp->saltSz);
+ XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
+ }
+
+ srp->salt = (byte*)XMALLOC(saltSz, srp->heap, DYNAMIC_TYPE_SRP);
+ if (srp->salt == NULL)
+ return MEMORY_E;
+
+ XMEMCPY(srp->salt, salt, saltSz);
+ srp->saltSz = saltSz;
+
+ /* Set k = H(N, g) */
+ r = SrpHashInit(&hash, srp->type);
+ if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz);
+ for (i = 0; (word32)i < nSz - gSz; i++) {
+ if (!r) r = SrpHashUpdate(&hash, &pad, 1);
+ }
+ if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz);
+ if (!r) r = SrpHashFinal(&hash, srp->k);
+
+ /* update client proof */
+
+ /* digest1 = H(N) */
+ if (!r) r = SrpHashInit(&hash, srp->type);
+ if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz);
+ if (!r) r = SrpHashFinal(&hash, digest1);
+
+ /* digest2 = H(g) */
+ if (!r) r = SrpHashInit(&hash, srp->type);
+ if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz);
+ if (!r) r = SrpHashFinal(&hash, digest2);
+
+ /* digest1 = H(N) ^ H(g) */
+ if (r == 0) {
+ for (i = 0, j = SrpHashSize(srp->type); i < j; i++)
+ digest1[i] ^= digest2[i];
+ }
+
+ /* digest2 = H(user) */
+ if (!r) r = SrpHashInit(&hash, srp->type);
+ if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz);
+ if (!r) r = SrpHashFinal(&hash, digest2);
+
+ /* client proof = H( H(N) ^ H(g) | H(user) | salt) */
+ if (!r) r = SrpHashUpdate(&srp->client_proof, digest1, j);
+ if (!r) r = SrpHashUpdate(&srp->client_proof, digest2, j);
+ if (!r) r = SrpHashUpdate(&srp->client_proof, salt, saltSz);
+
+ return r;
+}
+
+int wc_SrpSetPassword(Srp* srp, const byte* password, word32 size)
+{
+ SrpHash hash;
+ byte digest[SRP_MAX_DIGEST_SIZE];
+ word32 digestSz;
+ int r;
+
+ if (!srp || !password || srp->side != SRP_CLIENT_SIDE)
+ return BAD_FUNC_ARG;
+
+ if (!srp->salt)
+ return SRP_CALL_ORDER_E;
+
+ digestSz = SrpHashSize(srp->type);
+
+ /* digest = H(username | ':' | password) */
+ r = SrpHashInit(&hash, srp->type);
+ if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz);
+ if (!r) r = SrpHashUpdate(&hash, (const byte*) ":", 1);
+ if (!r) r = SrpHashUpdate(&hash, password, size);
+ if (!r) r = SrpHashFinal(&hash, digest);
+
+ /* digest = H(salt | H(username | ':' | password)) */
+ if (!r) r = SrpHashInit(&hash, srp->type);
+ if (!r) r = SrpHashUpdate(&hash, srp->salt, srp->saltSz);
+ if (!r) r = SrpHashUpdate(&hash, digest, digestSz);
+ if (!r) r = SrpHashFinal(&hash, digest);
+
+ /* Set x (private key) */
+ if (!r) r = mp_read_unsigned_bin(&srp->auth, digest, digestSz);
+
+ ForceZero(digest, SRP_MAX_DIGEST_SIZE);
+
+ return r;
+}
+
+int wc_SrpGetVerifier(Srp* srp, byte* verifier, word32* size)
+{
+ mp_int v;
+ int r;
+
+ if (!srp || !verifier || !size || srp->side != SRP_CLIENT_SIDE)
+ return BAD_FUNC_ARG;
+
+ if (mp_iszero(&srp->auth) == MP_YES)
+ return SRP_CALL_ORDER_E;
+
+ r = mp_init(&v);
+ if (r != MP_OKAY)
+ return MP_INIT_E;
+
+ /* v = g ^ x % N */
+ if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &v);
+ if (!r) r = *size < (word32)mp_unsigned_bin_size(&v) ? BUFFER_E : MP_OKAY;
+ if (!r) r = mp_to_unsigned_bin(&v, verifier);
+ if (!r) *size = mp_unsigned_bin_size(&v);
+
+ mp_clear(&v);
+
+ return r;
+}
+
+int wc_SrpSetVerifier(Srp* srp, const byte* verifier, word32 size)
+{
+ if (!srp || !verifier || srp->side != SRP_SERVER_SIDE)
+ return BAD_FUNC_ARG;
+
+ return mp_read_unsigned_bin(&srp->auth, verifier, size);
+}
+
+int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size)
+{
+ mp_int p;
+ int r;
+
+ if (!srp || !priv || !size)
+ return BAD_FUNC_ARG;
+
+ if (mp_iszero(&srp->auth) == MP_YES)
+ return SRP_CALL_ORDER_E;
+
+ r = mp_init(&p);
+ if (r != MP_OKAY)
+ return MP_INIT_E;
+ if (!r) r = mp_read_unsigned_bin(&p, priv, size);
+ if (!r) r = mp_mod(&p, &srp->N, &srp->priv);
+ if (!r) r = mp_iszero(&srp->priv) == MP_YES ? SRP_BAD_KEY_E : 0;
+
+ mp_clear(&p);
+
+ return r;
+}
+
+/** Generates random data using wolfcrypt RNG. */
+static int wc_SrpGenPrivate(Srp* srp, byte* priv, word32 size)
+{
+ WC_RNG rng;
+ int r = wc_InitRng(&rng);
+
+ if (!r) r = wc_RNG_GenerateBlock(&rng, priv, size);
+ if (!r) r = wc_SrpSetPrivate(srp, priv, size);
+ if (!r) wc_FreeRng(&rng);
+
+ return r;
+}
+
+int wc_SrpGetPublic(Srp* srp, byte* pub, word32* size)
+{
+ mp_int pubkey;
+ word32 modulusSz;
+ int r;
+
+ if (!srp || !pub || !size)
+ return BAD_FUNC_ARG;
+
+ if (mp_iszero(&srp->auth) == MP_YES)
+ return SRP_CALL_ORDER_E;
+
+ modulusSz = mp_unsigned_bin_size(&srp->N);
+ if (*size < modulusSz)
+ return BUFFER_E;
+
+ r = mp_init(&pubkey);
+ if (r != MP_OKAY)
+ return MP_INIT_E;
+
+ /* priv = random() */
+ if (mp_iszero(&srp->priv) == MP_YES)
+ r = wc_SrpGenPrivate(srp, pub, SRP_PRIVATE_KEY_MIN_BITS / 8);
+
+ /* client side: A = g ^ a % N */
+ if (srp->side == SRP_CLIENT_SIDE) {
+ if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, &pubkey);
+
+ /* server side: B = (k * v + (g ^ b % N)) % N */
+ } else {
+ mp_int i, j;
+
+ if (mp_init_multi(&i, &j, 0, 0, 0, 0) == MP_OKAY) {
+ if (!r) r = mp_read_unsigned_bin(&i, srp->k,SrpHashSize(srp->type));
+ if (!r) r = mp_iszero(&i) == MP_YES ? SRP_BAD_KEY_E : 0;
+ if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, &pubkey);
+ if (!r) r = mp_mulmod(&i, &srp->auth, &srp->N, &j);
+ if (!r) r = mp_add(&j, &pubkey, &i);
+ if (!r) r = mp_mod(&i, &srp->N, &pubkey);
+
+ mp_clear(&i); mp_clear(&j);
+ }
+ }
+
+ /* extract public key to buffer */
+ XMEMSET(pub, 0, modulusSz);
+ if (!r) r = mp_to_unsigned_bin(&pubkey, pub);
+ if (!r) *size = mp_unsigned_bin_size(&pubkey);
+ mp_clear(&pubkey);
+
+ return r;
+}
+
+static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size)
+{
+ SrpHash hash;
+ byte digest[SRP_MAX_DIGEST_SIZE];
+ word32 i, j, digestSz = SrpHashSize(srp->type);
+ byte counter[4];
+ int r = BAD_FUNC_ARG;
+
+ XMEMSET(digest, 0, SRP_MAX_DIGEST_SIZE);
+
+ srp->key = (byte*)XMALLOC(2 * digestSz, srp->heap, DYNAMIC_TYPE_SRP);
+ if (srp->key == NULL)
+ return MEMORY_E;
+
+ srp->keySz = 2 * digestSz;
+
+ for (i = j = 0; j < srp->keySz; i++) {
+ counter[0] = (i >> 24) & 0xFF;
+ counter[1] = (i >> 16) & 0xFF;
+ counter[2] = (i >> 8) & 0xFF;
+ counter[3] = i & 0xFF;
+
+ r = SrpHashInit(&hash, srp->type);
+ if (!r) r = SrpHashUpdate(&hash, secret, size);
+ if (!r) r = SrpHashUpdate(&hash, counter, 4);
+
+ if (j + digestSz > srp->keySz) {
+ if (!r) r = SrpHashFinal(&hash, digest);
+ XMEMCPY(srp->key + j, digest, srp->keySz - j);
+ j = srp->keySz;
+ }
+ else {
+ if (!r) r = SrpHashFinal(&hash, srp->key + j);
+ j += digestSz;
+ }
+ }
+
+ ForceZero(digest, sizeof(digest));
+ ForceZero(&hash, sizeof(SrpHash));
+
+ return r;
+}
+
+int wc_SrpComputeKey(Srp* srp, byte* clientPubKey, word32 clientPubKeySz,
+ byte* serverPubKey, word32 serverPubKeySz)
+{
+ SrpHash hash;
+ byte *secret;
+ byte digest[SRP_MAX_DIGEST_SIZE];
+ word32 i, secretSz, digestSz;
+ mp_int u, s, temp1, temp2;
+ byte pad = 0;
+ int r;
+
+ /* validating params */
+
+ if (!srp || !clientPubKey || clientPubKeySz == 0
+ || !serverPubKey || serverPubKeySz == 0)
+ return BAD_FUNC_ARG;
+
+ if (mp_iszero(&srp->priv) == MP_YES)
+ return SRP_CALL_ORDER_E;
+
+ /* initializing variables */
+
+ if ((r = SrpHashInit(&hash, srp->type)) != 0)
+ return r;
+
+ digestSz = SrpHashSize(srp->type);
+ secretSz = mp_unsigned_bin_size(&srp->N);
+
+ if ((secret = (byte*)XMALLOC(secretSz, srp->heap, DYNAMIC_TYPE_SRP)) ==NULL)
+ return MEMORY_E;
+
+ if ((r = mp_init_multi(&u, &s, &temp1, &temp2, 0, 0)) != MP_OKAY) {
+ XFREE(secret, srp->heap, DYNAMIC_TYPE_SRP);
+ return r;
+ }
+
+ /* building u (random scrambling parameter) */
+
+ /* H(A) */
+ for (i = 0; !r && i < secretSz - clientPubKeySz; i++)
+ r = SrpHashUpdate(&hash, &pad, 1);
+ if (!r) r = SrpHashUpdate(&hash, clientPubKey, clientPubKeySz);
+
+ /* H(A | B) */
+ for (i = 0; !r && i < secretSz - serverPubKeySz; i++)
+ r = SrpHashUpdate(&hash, &pad, 1);
+ if (!r) r = SrpHashUpdate(&hash, serverPubKey, serverPubKeySz);
+
+ /* set u */
+ if (!r) r = SrpHashFinal(&hash, digest);
+ if (!r) r = mp_read_unsigned_bin(&u, digest, SrpHashSize(srp->type));
+
+ /* building s (secret) */
+
+ if (!r && srp->side == SRP_CLIENT_SIDE) {
+
+ /* temp1 = B - k * v; rejects k == 0, B == 0 and B >= N. */
+ r = mp_read_unsigned_bin(&temp1, srp->k, digestSz);
+ if (!r) r = mp_iszero(&temp1) == MP_YES ? SRP_BAD_KEY_E : 0;
+ if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &temp2);
+ if (!r) r = mp_mulmod(&temp1, &temp2, &srp->N, &s);
+ if (!r) r = mp_read_unsigned_bin(&temp2, serverPubKey, serverPubKeySz);
+ if (!r) r = mp_iszero(&temp2) == MP_YES ? SRP_BAD_KEY_E : 0;
+ if (!r) r = mp_cmp(&temp2, &srp->N) != MP_LT ? SRP_BAD_KEY_E : 0;
+ if (!r) r = mp_sub(&temp2, &s, &temp1);
+
+ /* temp2 = a + u * x */
+ if (!r) r = mp_mulmod(&u, &srp->auth, &srp->N, &s);
+ if (!r) r = mp_add(&srp->priv, &s, &temp2);
+
+ /* secret = temp1 ^ temp2 % N */
+ if (!r) r = mp_exptmod(&temp1, &temp2, &srp->N, &s);
+
+ } else if (!r && srp->side == SRP_SERVER_SIDE) {
+ /* temp1 = v ^ u % N */
+ r = mp_exptmod(&srp->auth, &u, &srp->N, &temp1);
+
+ /* temp2 = A * temp1 % N; rejects A == 0, A >= N */
+ if (!r) r = mp_read_unsigned_bin(&s, clientPubKey, clientPubKeySz);
+ if (!r) r = mp_iszero(&s) == MP_YES ? SRP_BAD_KEY_E : 0;
+ if (!r) r = mp_cmp(&s, &srp->N) != MP_LT ? SRP_BAD_KEY_E : 0;
+ if (!r) r = mp_mulmod(&s, &temp1, &srp->N, &temp2);
+
+ /* rejects A * v ^ u % N >= 1, A * v ^ u % N == -1 % N */
+ if (!r) r = mp_read_unsigned_bin(&temp1, (const byte*)"\001", 1);
+ if (!r) r = mp_cmp(&temp2, &temp1) != MP_GT ? SRP_BAD_KEY_E : 0;
+ if (!r) r = mp_sub(&srp->N, &temp1, &s);
+ if (!r) r = mp_cmp(&temp2, &s) == MP_EQ ? SRP_BAD_KEY_E : 0;
+
+ /* secret = temp2 * b % N */
+ if (!r) r = mp_exptmod(&temp2, &srp->priv, &srp->N, &s);
+ }
+
+ /* building session key from secret */
+
+ if (!r) r = mp_to_unsigned_bin(&s, secret);
+ if (!r) r = srp->keyGenFunc_cb(srp, secret, mp_unsigned_bin_size(&s));
+
+ /* updating client proof = H( H(N) ^ H(g) | H(user) | salt | A | B | K) */
+
+ if (!r) r = SrpHashUpdate(&srp->client_proof, clientPubKey, clientPubKeySz);
+ if (!r) r = SrpHashUpdate(&srp->client_proof, serverPubKey, serverPubKeySz);
+ if (!r) r = SrpHashUpdate(&srp->client_proof, srp->key, srp->keySz);
+
+ /* updating server proof = H(A) */
+
+ if (!r) r = SrpHashUpdate(&srp->server_proof, clientPubKey, clientPubKeySz);
+
+ XFREE(secret, srp->heap, DYNAMIC_TYPE_SRP);
+ mp_clear(&u); mp_clear(&s); mp_clear(&temp1); mp_clear(&temp2);
+
+ return r;
+}
+
+int wc_SrpGetProof(Srp* srp, byte* proof, word32* size)
+{
+ int r;
+
+ if (!srp || !proof || !size)
+ return BAD_FUNC_ARG;
+
+ if (*size < SrpHashSize(srp->type))
+ return BUFFER_E;
+
+ if ((r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE
+ ? &srp->client_proof
+ : &srp->server_proof, proof)) != 0)
+ return r;
+
+ *size = SrpHashSize(srp->type);
+
+ if (srp->side == SRP_CLIENT_SIDE) {
+ /* server proof = H( A | client proof | K) */
+ if (!r) r = SrpHashUpdate(&srp->server_proof, proof, *size);
+ if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
+ }
+
+ return r;
+}
+
+int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size)
+{
+ byte digest[SRP_MAX_DIGEST_SIZE];
+ int r;
+
+ if (!srp || !proof)
+ return BAD_FUNC_ARG;
+
+ if (size != SrpHashSize(srp->type))
+ return BUFFER_E;
+
+ r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE ? &srp->server_proof
+ : &srp->client_proof, digest);
+
+ if (srp->side == SRP_SERVER_SIDE) {
+ /* server proof = H( A | client proof | K) */
+ if (!r) r = SrpHashUpdate(&srp->server_proof, proof, size);
+ if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
+ }
+
+ if (!r && XMEMCMP(proof, digest, size) != 0)
+ r = SRP_VERIFY_E;
+
+ return r;
+}
+
+#endif /* WOLFCRYPT_HAVE_SRP */
+