/* * Verify Schnorr signature 'sig' of length 'siglen' against public exponent * g_x (g^x) under group defined by 'grp_p', 'grp_q' and 'grp_g' using a * SHA256 hash. * Signature hash will be salted with 'idlen' bytes from 'id'. * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature. */ int schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g, const BIGNUM *g_x, const u_char *id, u_int idlen, const u_char *sig, u_int siglen) { Buffer b; int ret = -1; u_int rlen; BIGNUM *r, *e; e = r = NULL; if ((e = BN_new()) == NULL || (r = BN_new()) == NULL) { error("%s: BN_new", __func__); goto out; } /* Extract g^v and r from signature blob */ buffer_init(&b); buffer_append(&b, sig, siglen); SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b), "%s: sigblob", __func__)); buffer_get_bignum2(&b, e); buffer_get_bignum2(&b, r); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { error("%s: remaining bytes in signature %d", __func__, rlen); goto out; } ret = schnorr_verify(grp_p, grp_q, grp_g, SSH_DIGEST_SHA256, g_x, id, idlen, r, e); out: BN_clear_free(e); BN_clear_free(r); return ret; }
/* Shared parts of key derivation and confirmation calculation */ void jpake_key_confirm(struct jpake_group *grp, BIGNUM *s, BIGNUM *step2_val, BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2, BIGNUM *theirpub1, BIGNUM *theirpub2, const u_char *my_id, u_int my_id_len, const u_char *their_id, u_int their_id_len, const u_char *sess_id, u_int sess_id_len, const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len, BIGNUM **k, u_char **confirm_hash, u_int *confirm_hash_len) { BN_CTX *bn_ctx; BIGNUM *tmp; if ((bn_ctx = BN_CTX_new()) == NULL) fatal("%s: BN_CTX_new", __func__); if ((tmp = BN_new()) == NULL || (*k = BN_new()) == NULL) fatal("%s: BN_new", __func__); /* Validate step 2 values */ if (BN_cmp(step2_val, BN_value_one()) <= 0) fatal("%s: step2_val <= 1", __func__); /* * theirpriv2_s_proof is calculated with a different generator: * tmp = g^(mypriv1+mypriv2+theirpub1) = g^mypub1*g^mypub2*g^theirpub1 * Calculate it here so we can check the signature. */ if (BN_mod_mul(tmp, mypub1, mypub2, grp->p, bn_ctx) != 1) fatal("%s: BN_mod_mul (tmp = mypub1 * mypub2 mod p)", __func__); if (BN_mod_mul(tmp, tmp, theirpub1, grp->p, bn_ctx) != 1) fatal("%s: BN_mod_mul (tmp = tmp * theirpub1 mod p)", __func__); JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__)); if (schnorr_verify(grp->p, grp->q, tmp, step2_val, their_id, their_id_len, theirpriv2_s_proof, theirpriv2_s_proof_len) != 1) fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__); /* * Derive shared key: * client: k = (b / g^(x2*x4*s))^x2 = g^((x1+x3)*x2*x4*s) * server: k = (a / g^(x2*x4*s))^x4 = g^((x1+x3)*x2*x4*s) * * Computed as: * client: k = (g_x4^(q - (x2 * s)) * b)^x2 mod p * server: k = (g_x2^(q - (x4 * s)) * b)^x4 mod p */ if (BN_mul(tmp, mypriv2, s, bn_ctx) != 1) fatal("%s: BN_mul (tmp = mypriv2 * s)", __func__); if (BN_mod_sub(tmp, grp->q, tmp, grp->q, bn_ctx) != 1) fatal("%s: BN_mod_sub (tmp = q - tmp mod q)", __func__); if (BN_mod_exp(tmp, theirpub2, tmp, grp->p, bn_ctx) != 1) fatal("%s: BN_mod_exp (tmp = theirpub2^tmp) mod p", __func__); if (BN_mod_mul(tmp, tmp, step2_val, grp->p, bn_ctx) != 1) fatal("%s: BN_mod_mul (tmp = tmp * step2_val) mod p", __func__); if (BN_mod_exp(*k, tmp, mypriv2, grp->p, bn_ctx) != 1) fatal("%s: BN_mod_exp (k = tmp^mypriv2) mod p", __func__); BN_CTX_free(bn_ctx); BN_clear_free(tmp); jpake_confirm_hash(*k, my_id, my_id_len, sess_id, sess_id_len, confirm_hash, confirm_hash_len); }
/* Shared parts of step 2 exchange calculation */ void jpake_step2(struct jpake_group *grp, BIGNUM *s, BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2, const u_char *theirid, u_int theirid_len, const u_char *myid, u_int myid_len, const u_char *theirpub1_proof, u_int theirpub1_proof_len, const u_char *theirpub2_proof, u_int theirpub2_proof_len, BIGNUM **newpub, u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len) { BN_CTX *bn_ctx; BIGNUM *tmp, *exponent; /* Validate peer's step 1 values */ if (BN_cmp(theirpub1, BN_value_one()) <= 0) fatal("%s: theirpub1 <= 1", __func__); if (BN_cmp(theirpub2, BN_value_one()) <= 0) fatal("%s: theirpub2 <= 1", __func__); if (schnorr_verify(grp->p, grp->q, grp->g, theirpub1, theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1) fatal("%s: schnorr_verify theirpub1 failed", __func__); if (schnorr_verify(grp->p, grp->q, grp->g, theirpub2, theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1) fatal("%s: schnorr_verify theirpub2 failed", __func__); if ((bn_ctx = BN_CTX_new()) == NULL) fatal("%s: BN_CTX_new", __func__); if ((*newpub = BN_new()) == NULL || (tmp = BN_new()) == NULL || (exponent = BN_new()) == NULL) fatal("%s: BN_new", __func__); /* * client: exponent = x2 * s mod p * server: exponent = x4 * s mod p */ if (BN_mod_mul(exponent, mypriv2, s, grp->q, bn_ctx) != 1) fatal("%s: BN_mod_mul (exponent = mypriv2 * s mod p)", __func__); /* * client: tmp = g^(x1 + x3 + x4) mod p * server: tmp = g^(x1 + x2 + x3) mod p */ if (BN_mod_mul(tmp, mypub1, theirpub1, grp->p, bn_ctx) != 1) fatal("%s: BN_mod_mul (tmp = mypub1 * theirpub1 mod p)", __func__); if (BN_mod_mul(tmp, tmp, theirpub2, grp->p, bn_ctx) != 1) fatal("%s: BN_mod_mul (tmp = tmp * theirpub2 mod p)", __func__); /* * client: a = tmp^exponent = g^((x1+x3+x4) * x2 * s) mod p * server: b = tmp^exponent = g^((x1+x2+x3) * x4 * s) mod p */ if (BN_mod_exp(*newpub, tmp, exponent, grp->p, bn_ctx) != 1) fatal("%s: BN_mod_mul (newpub = tmp^exponent mod p)", __func__); JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__)); JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__)); /* Note the generator here is 'tmp', not g */ if (schnorr_sign(grp->p, grp->q, tmp, exponent, *newpub, myid, myid_len, newpub_exponent_proof, newpub_exponent_proof_len) != 0) fatal("%s: schnorr_sign newpub", __func__); BN_clear_free(tmp); /* XXX stash for later use? */ BN_clear_free(exponent); /* XXX stash for later use? (yes, in conf) */ BN_CTX_free(bn_ctx); }