est31
/
csrp-gmp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add RFC 5054 test vector tests and SHA-1 algorithm

master
est31 2015-04-24 06:58:24 +02:00
parent f4f75901d5
commit e5a12b1d06
7 changed files with 800 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@ -44,13 +44,16 @@ The call `srp_random_seed` has been removed.
The call `srp_user_new` has a new parameter, `username_for_verifier`,
allowing to use different usernames for verifier and srp login.
Also, `srp_user_start_authentication` and `srp_verifier_new` have new
parameters to specify `a` and `b` values.
Added option for `srp_create_salted_verification_key` call to specify
a salt.
We ship with OpenSSL's implementation of the SHA256 hash algorithm.
Support for other hash algoritms was dropped (but re-introducing is
fairly easy, just copy from an OpenSSL source distribution).
We ship with OpenSSL's implementation of the SHA256 and SHA-1 hash
algorithms. Support for other hash algoritms was dropped (but
re-introducing is fairly easy, just copy from an OpenSSL source
distribution).
Usage Example
-------------

7
sha/sha2.h → sha/sha.h
View File

@ -118,6 +118,13 @@ typedef struct SHAstate_st {
# define SHA256_CBLOCK (SHA_LBLOCK*4)/* SHA-256 treats input data as a
* contiguous array of 32 bit wide
* big-endian values. */
int SHA1_Init(SHA_CTX *c);
int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
int SHA1_Final(unsigned char *md, SHA_CTX *c);
unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md);
void SHA1_Transform(SHA_CTX *c, const unsigned char *data);
# define SHA224_DIGEST_LENGTH 28
# define SHA256_DIGEST_LENGTH 32

521
sha/sha1.c Normal file
View File

@ -0,0 +1,521 @@
/* crypto/sha/sha_locl.h */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <stdlib.h>
#include <string.h>
#include <openssl/sha.h>
#define DATA_ORDER_IS_BIG_ENDIAN
#define SHA_1
#define HASH_LONG SHA_LONG
#define HASH_CTX SHA_CTX
#define HASH_CBLOCK SHA_CBLOCK
#define HASH_MAKE_STRING(c,s) do { \
unsigned long ll; \
ll=(c)->h0; (void)HOST_l2c(ll,(s)); \
ll=(c)->h1; (void)HOST_l2c(ll,(s)); \
ll=(c)->h2; (void)HOST_l2c(ll,(s)); \
ll=(c)->h3; (void)HOST_l2c(ll,(s)); \
ll=(c)->h4; (void)HOST_l2c(ll,(s)); \
} while (0)
#if defined(SHA_0)
# define HASH_UPDATE SHA_Update
# define HASH_TRANSFORM SHA_Transform
# define HASH_FINAL SHA_Final
# define HASH_INIT SHA_Init
# define HASH_BLOCK_DATA_ORDER sha_block_data_order
# define Xupdate(a,ix,ia,ib,ic,id) (ix=(a)=(ia^ib^ic^id))
static void sha_block_data_order(SHA_CTX *c, const void *p, size_t num);
#elif defined(SHA_1)
# define HASH_UPDATE SHA1_Update
# define HASH_TRANSFORM SHA1_Transform
# define HASH_FINAL SHA1_Final
# define HASH_INIT SHA1_Init
# define HASH_BLOCK_DATA_ORDER sha1_block_data_order
# if defined(__MWERKS__) && defined(__MC68K__)
/* Metrowerks for Motorola fails otherwise:-( <appro@fy.chalmers.se> */
# define Xupdate(a,ix,ia,ib,ic,id) do { (a)=(ia^ib^ic^id); \
ix=(a)=ROTATE((a),1); \
} while (0)
# else
# define Xupdate(a,ix,ia,ib,ic,id) ( (a)=(ia^ib^ic^id), \
ix=(a)=ROTATE((a),1) \
)
# endif
# ifndef SHA1_ASM
static
# endif
void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num);
#else
# error "Either SHA_0 or SHA_1 must be defined."
#endif
#include "md32_common.h"
#define INIT_DATA_h0 0x67452301UL
#define INIT_DATA_h1 0xefcdab89UL
#define INIT_DATA_h2 0x98badcfeUL
#define INIT_DATA_h3 0x10325476UL
#define INIT_DATA_h4 0xc3d2e1f0UL
# define fips_md_init(alg) fips_md_init_ctx(alg, alg)
# define fips_md_init_ctx(alg, cx) \
int alg##_Init(cx##_CTX *c)
# define fips_cipher_abort(alg) while(0)
unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
{
SHA_CTX c;
static unsigned char m[SHA_DIGEST_LENGTH];
if (md == NULL)
md = m;
if (!SHA1_Init(&c))
return NULL;
SHA1_Update(&c, d, n);
SHA1_Final(md, &c);
OPENSSL_cleanse(&c, sizeof(c));
return (md);
}
#ifdef SHA_0
fips_md_init(SHA)
#else
fips_md_init_ctx(SHA1, SHA)
#endif
{
memset(c, 0, sizeof(*c));
c->h0 = INIT_DATA_h0;
c->h1 = INIT_DATA_h1;
c->h2 = INIT_DATA_h2;
c->h3 = INIT_DATA_h3;
c->h4 = INIT_DATA_h4;
return 1;
}
#define K_00_19 0x5a827999UL
#define K_20_39 0x6ed9eba1UL
#define K_40_59 0x8f1bbcdcUL
#define K_60_79 0xca62c1d6UL
/*
* As pointed out by Wei Dai <weidai@eskimo.com>, F() below can be simplified
* to the code in F_00_19. Wei attributes these optimisations to Peter
* Gutmann's SHS code, and he attributes it to Rich Schroeppel. #define
* F(x,y,z) (((x) & (y)) | ((~(x)) & (z))) I've just become aware of another
* tweak to be made, again from Wei Dai, in F_40_59, (x&a)|(y&a) -> (x|y)&a
*/
#define F_00_19(b,c,d) ((((c) ^ (d)) & (b)) ^ (d))
#define F_20_39(b,c,d) ((b) ^ (c) ^ (d))
#define F_40_59(b,c,d) (((b) & (c)) | (((b)|(c)) & (d)))
#define F_60_79(b,c,d) F_20_39(b,c,d)
#ifndef OPENSSL_SMALL_FOOTPRINT
# define BODY_00_15(i,a,b,c,d,e,f,xi) \
(f)=xi+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
(b)=ROTATE((b),30);
# define BODY_16_19(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \
Xupdate(f,xi,xa,xb,xc,xd); \
(f)+=(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
(b)=ROTATE((b),30);
# define BODY_20_31(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \
Xupdate(f,xi,xa,xb,xc,xd); \
(f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
(b)=ROTATE((b),30);
# define BODY_32_39(i,a,b,c,d,e,f,xa,xb,xc,xd) \
Xupdate(f,xa,xa,xb,xc,xd); \
(f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
(b)=ROTATE((b),30);
# define BODY_40_59(i,a,b,c,d,e,f,xa,xb,xc,xd) \
Xupdate(f,xa,xa,xb,xc,xd); \
(f)+=(e)+K_40_59+ROTATE((a),5)+F_40_59((b),(c),(d)); \
(b)=ROTATE((b),30);
# define BODY_60_79(i,a,b,c,d,e,f,xa,xb,xc,xd) \
Xupdate(f,xa,xa,xb,xc,xd); \
(f)=xa+(e)+K_60_79+ROTATE((a),5)+F_60_79((b),(c),(d)); \
(b)=ROTATE((b),30);
# ifdef X
# undef X
# endif
# ifndef MD32_XARRAY
/*
* Originally X was an array. As it's automatic it's natural
* to expect RISC compiler to accomodate at least part of it in
* the register bank, isn't it? Unfortunately not all compilers
* "find" this expectation reasonable:-( On order to make such
* compilers generate better code I replace X[] with a bunch of
* X0, X1, etc. See the function body below...
* <appro@fy.chalmers.se>
*/
# define X(i) XX##i
# else
/*
* However! Some compilers (most notably HP C) get overwhelmed by
* that many local variables so that we have to have the way to
* fall down to the original behavior.
*/
# define X(i) XX[i]
# endif
# if !defined(SHA_1) || !defined(SHA1_ASM)
static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num)
{
const unsigned char *data = p;
register unsigned MD32_REG_T A, B, C, D, E, T, l;
# ifndef MD32_XARRAY
unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
XX8, XX9, XX10, XX11, XX12, XX13, XX14, XX15;
# else
SHA_LONG XX[16];
# endif
A = c->h0;
B = c->h1;
C = c->h2;
D = c->h3;
E = c->h4;
for (;;) {
const union {
long one;
char little;
} is_endian = {
1
};
if (!is_endian.little && sizeof(SHA_LONG) == 4
&& ((size_t)p % 4) == 0) {
const SHA_LONG *W = (const SHA_LONG *)data;
X(0) = W[0];
X(1) = W[1];
BODY_00_15(0, A, B, C, D, E, T, X(0));
X(2) = W[2];
BODY_00_15(1, T, A, B, C, D, E, X(1));
X(3) = W[3];
BODY_00_15(2, E, T, A, B, C, D, X(2));
X(4) = W[4];
BODY_00_15(3, D, E, T, A, B, C, X(3));
X(5) = W[5];
BODY_00_15(4, C, D, E, T, A, B, X(4));
X(6) = W[6];
BODY_00_15(5, B, C, D, E, T, A, X(5));
X(7) = W[7];
BODY_00_15(6, A, B, C, D, E, T, X(6));
X(8) = W[8];
BODY_00_15(7, T, A, B, C, D, E, X(7));
X(9) = W[9];
BODY_00_15(8, E, T, A, B, C, D, X(8));
X(10) = W[10];
BODY_00_15(9, D, E, T, A, B, C, X(9));
X(11) = W[11];
BODY_00_15(10, C, D, E, T, A, B, X(10));
X(12) = W[12];
BODY_00_15(11, B, C, D, E, T, A, X(11));
X(13) = W[13];
BODY_00_15(12, A, B, C, D, E, T, X(12));
X(14) = W[14];
BODY_00_15(13, T, A, B, C, D, E, X(13));
X(15) = W[15];
BODY_00_15(14, E, T, A, B, C, D, X(14));
BODY_00_15(15, D, E, T, A, B, C, X(15));
data += SHA_CBLOCK;
} else {
(void)HOST_c2l(data, l);
X(0) = l;
(void)HOST_c2l(data, l);
X(1) = l;
BODY_00_15(0, A, B, C, D, E, T, X(0));
(void)HOST_c2l(data, l);
X(2) = l;
BODY_00_15(1, T, A, B, C, D, E, X(1));
(void)HOST_c2l(data, l);
X(3) = l;
BODY_00_15(2, E, T, A, B, C, D, X(2));
(void)HOST_c2l(data, l);
X(4) = l;
BODY_00_15(3, D, E, T, A, B, C, X(3));
(void)HOST_c2l(data, l);
X(5) = l;
BODY_00_15(4, C, D, E, T, A, B, X(4));
(void)HOST_c2l(data, l);
X(6) = l;
BODY_00_15(5, B, C, D, E, T, A, X(5));
(void)HOST_c2l(data, l);
X(7) = l;
BODY_00_15(6, A, B, C, D, E, T, X(6));
(void)HOST_c2l(data, l);
X(8) = l;
BODY_00_15(7, T, A, B, C, D, E, X(7));
(void)HOST_c2l(data, l);
X(9) = l;
BODY_00_15(8, E, T, A, B, C, D, X(8));
(void)HOST_c2l(data, l);
X(10) = l;
BODY_00_15(9, D, E, T, A, B, C, X(9));
(void)HOST_c2l(data, l);
X(11) = l;
BODY_00_15(10, C, D, E, T, A, B, X(10));
(void)HOST_c2l(data, l);
X(12) = l;
BODY_00_15(11, B, C, D, E, T, A, X(11));
(void)HOST_c2l(data, l);
X(13) = l;
BODY_00_15(12, A, B, C, D, E, T, X(12));
(void)HOST_c2l(data, l);
X(14) = l;
BODY_00_15(13, T, A, B, C, D, E, X(13));
(void)HOST_c2l(data, l);
X(15) = l;
BODY_00_15(14, E, T, A, B, C, D, X(14));
BODY_00_15(15, D, E, T, A, B, C, X(15));
}
BODY_16_19(16, C, D, E, T, A, B, X(0), X(0), X(2), X(8), X(13));
BODY_16_19(17, B, C, D, E, T, A, X(1), X(1), X(3), X(9), X(14));
BODY_16_19(18, A, B, C, D, E, T, X(2), X(2), X(4), X(10), X(15));
BODY_16_19(19, T, A, B, C, D, E, X(3), X(3), X(5), X(11), X(0));
BODY_20_31(20, E, T, A, B, C, D, X(4), X(4), X(6), X(12), X(1));
BODY_20_31(21, D, E, T, A, B, C, X(5), X(5), X(7), X(13), X(2));
BODY_20_31(22, C, D, E, T, A, B, X(6), X(6), X(8), X(14), X(3));
BODY_20_31(23, B, C, D, E, T, A, X(7), X(7), X(9), X(15), X(4));
BODY_20_31(24, A, B, C, D, E, T, X(8), X(8), X(10), X(0), X(5));
BODY_20_31(25, T, A, B, C, D, E, X(9), X(9), X(11), X(1), X(6));
BODY_20_31(26, E, T, A, B, C, D, X(10), X(10), X(12), X(2), X(7));
BODY_20_31(27, D, E, T, A, B, C, X(11), X(11), X(13), X(3), X(8));
BODY_20_31(28, C, D, E, T, A, B, X(12), X(12), X(14), X(4), X(9));
BODY_20_31(29, B, C, D, E, T, A, X(13), X(13), X(15), X(5), X(10));
BODY_20_31(30, A, B, C, D, E, T, X(14), X(14), X(0), X(6), X(11));
BODY_20_31(31, T, A, B, C, D, E, X(15), X(15), X(1), X(7), X(12));
BODY_32_39(32, E, T, A, B, C, D, X(0), X(2), X(8), X(13));
BODY_32_39(33, D, E, T, A, B, C, X(1), X(3), X(9), X(14));
BODY_32_39(34, C, D, E, T, A, B, X(2), X(4), X(10), X(15));
BODY_32_39(35, B, C, D, E, T, A, X(3), X(5), X(11), X(0));
BODY_32_39(36, A, B, C, D, E, T, X(4), X(6), X(12), X(1));
BODY_32_39(37, T, A, B, C, D, E, X(5), X(7), X(13), X(2));
BODY_32_39(38, E, T, A, B, C, D, X(6), X(8), X(14), X(3));
BODY_32_39(39, D, E, T, A, B, C, X(7), X(9), X(15), X(4));
BODY_40_59(40, C, D, E, T, A, B, X(8), X(10), X(0), X(5));
BODY_40_59(41, B, C, D, E, T, A, X(9), X(11), X(1), X(6));
BODY_40_59(42, A, B, C, D, E, T, X(10), X(12), X(2), X(7));
BODY_40_59(43, T, A, B, C, D, E, X(11), X(13), X(3), X(8));
BODY_40_59(44, E, T, A, B, C, D, X(12), X(14), X(4), X(9));
BODY_40_59(45, D, E, T, A, B, C, X(13), X(15), X(5), X(10));
BODY_40_59(46, C, D, E, T, A, B, X(14), X(0), X(6), X(11));
BODY_40_59(47, B, C, D, E, T, A, X(15), X(1), X(7), X(12));
BODY_40_59(48, A, B, C, D, E, T, X(0), X(2), X(8), X(13));
BODY_40_59(49, T, A, B, C, D, E, X(1), X(3), X(9), X(14));
BODY_40_59(50, E, T, A, B, C, D, X(2), X(4), X(10), X(15));
BODY_40_59(51, D, E, T, A, B, C, X(3), X(5), X(11), X(0));
BODY_40_59(52, C, D, E, T, A, B, X(4), X(6), X(12), X(1));
BODY_40_59(53, B, C, D, E, T, A, X(5), X(7), X(13), X(2));
BODY_40_59(54, A, B, C, D, E, T, X(6), X(8), X(14), X(3));
BODY_40_59(55, T, A, B, C, D, E, X(7), X(9), X(15), X(4));
BODY_40_59(56, E, T, A, B, C, D, X(8), X(10), X(0), X(5));
BODY_40_59(57, D, E, T, A, B, C, X(9), X(11), X(1), X(6));
BODY_40_59(58, C, D, E, T, A, B, X(10), X(12), X(2), X(7));
BODY_40_59(59, B, C, D, E, T, A, X(11), X(13), X(3), X(8));
BODY_60_79(60, A, B, C, D, E, T, X(12), X(14), X(4), X(9));
BODY_60_79(61, T, A, B, C, D, E, X(13), X(15), X(5), X(10));
BODY_60_79(62, E, T, A, B, C, D, X(14), X(0), X(6), X(11));
BODY_60_79(63, D, E, T, A, B, C, X(15), X(1), X(7), X(12));
BODY_60_79(64, C, D, E, T, A, B, X(0), X(2), X(8), X(13));
BODY_60_79(65, B, C, D, E, T, A, X(1), X(3), X(9), X(14));
BODY_60_79(66, A, B, C, D, E, T, X(2), X(4), X(10), X(15));
BODY_60_79(67, T, A, B, C, D, E, X(3), X(5), X(11), X(0));
BODY_60_79(68, E, T, A, B, C, D, X(4), X(6), X(12), X(1));
BODY_60_79(69, D, E, T, A, B, C, X(5), X(7), X(13), X(2));
BODY_60_79(70, C, D, E, T, A, B, X(6), X(8), X(14), X(3));
BODY_60_79(71, B, C, D, E, T, A, X(7), X(9), X(15), X(4));
BODY_60_79(72, A, B, C, D, E, T, X(8), X(10), X(0), X(5));
BODY_60_79(73, T, A, B, C, D, E, X(9), X(11), X(1), X(6));
BODY_60_79(74, E, T, A, B, C, D, X(10), X(12), X(2), X(7));
BODY_60_79(75, D, E, T, A, B, C, X(11), X(13), X(3), X(8));
BODY_60_79(76, C, D, E, T, A, B, X(12), X(14), X(4), X(9));
BODY_60_79(77, B, C, D, E, T, A, X(13), X(15), X(5), X(10));
BODY_60_79(78, A, B, C, D, E, T, X(14), X(0), X(6), X(11));
BODY_60_79(79, T, A, B, C, D, E, X(15), X(1), X(7), X(12));
c->h0 = (c->h0 + E) & 0xffffffffL;
c->h1 = (c->h1 + T) & 0xffffffffL;
c->h2 = (c->h2 + A) & 0xffffffffL;
c->h3 = (c->h3 + B) & 0xffffffffL;
c->h4 = (c->h4 + C) & 0xffffffffL;
if (--num == 0)
break;
A = c->h0;
B = c->h1;
C = c->h2;
D = c->h3;
E = c->h4;
}
}
# endif
#else /* OPENSSL_SMALL_FOOTPRINT */
# define BODY_00_15(xi) do { \
T=E+K_00_19+F_00_19(B,C,D); \
E=D, D=C, C=ROTATE(B,30), B=A; \
A=ROTATE(A,5)+T+xi; } while(0)
# define BODY_16_19(xa,xb,xc,xd) do { \
Xupdate(T,xa,xa,xb,xc,xd); \
T+=E+K_00_19+F_00_19(B,C,D); \
E=D, D=C, C=ROTATE(B,30), B=A; \
A=ROTATE(A,5)+T; } while(0)
# define BODY_20_39(xa,xb,xc,xd) do { \
Xupdate(T,xa,xa,xb,xc,xd); \
T+=E+K_20_39+F_20_39(B,C,D); \
E=D, D=C, C=ROTATE(B,30), B=A; \
A=ROTATE(A,5)+T; } while(0)
# define BODY_40_59(xa,xb,xc,xd) do { \
Xupdate(T,xa,xa,xb,xc,xd); \
T+=E+K_40_59+F_40_59(B,C,D); \
E=D, D=C, C=ROTATE(B,30), B=A; \
A=ROTATE(A,5)+T; } while(0)
# define BODY_60_79(xa,xb,xc,xd) do { \
Xupdate(T,xa,xa,xb,xc,xd); \
T=E+K_60_79+F_60_79(B,C,D); \
E=D, D=C, C=ROTATE(B,30), B=A; \
A=ROTATE(A,5)+T+xa; } while(0)
# if !defined(SHA_1) || !defined(SHA1_ASM)
static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num)
{
const unsigned char *data = p;
register unsigned MD32_REG_T A, B, C, D, E, T, l;
int i;
SHA_LONG X[16];
A = c->h0;
B = c->h1;
C = c->h2;
D = c->h3;
E = c->h4;
for (;;) {
for (i = 0; i < 16; i++) {
HOST_c2l(data, l);
X[i] = l;
BODY_00_15(X[i]);
}
for (i = 0; i < 4; i++) {
BODY_16_19(X[i], X[i + 2], X[i + 8], X[(i + 13) & 15]);
}
for (; i < 24; i++) {
BODY_20_39(X[i & 15], X[(i + 2) & 15], X[(i + 8) & 15],
X[(i + 13) & 15]);
}
for (i = 0; i < 20; i++) {
BODY_40_59(X[(i + 8) & 15], X[(i + 10) & 15], X[i & 15],
X[(i + 5) & 15]);
}
for (i = 4; i < 24; i++) {
BODY_60_79(X[(i + 8) & 15], X[(i + 10) & 15], X[i & 15],
X[(i + 5) & 15]);
}
c->h0 = (c->h0 + A) & 0xffffffffL;
c->h1 = (c->h1 + B) & 0xffffffffL;
c->h2 = (c->h2 + C) & 0xffffffffL;
c->h3 = (c->h3 + D) & 0xffffffffL;
c->h4 = (c->h4 + E) & 0xffffffffL;
if (--num == 0)
break;
A = c->h0;
B = c->h1;
C = c->h2;
D = c->h3;
E = c->h4;
}
}
# endif
#endif

7
sha/sha256.c
View File

@ -7,12 +7,7 @@
# include <stdlib.h>
# include <string.h>
# include "sha2.h"
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2a 19 Mar 2015"
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
# include "sha.h"
/* mem_clr.c */
unsigned char cleanse_ctr = 0;

58
srp.c
View File

@ -37,11 +37,21 @@
#include <stdio.h>
#include <gmp.h>
#include <sha/sha2.h>
#include <sha/sha.h>
#include "srp.h"
#define srp_dbg_data(data, datalen, prevtext) ;
/*void srp_dbg_data(unsigned char * data, int datalen, char * prevtext)
{
printf(prevtext);
int i;
for (i = 0; i < datalen; i++)
{
printf("%02X", data[i]);
}
printf("\n");
}*/
static int g_initialized = 0;
@ -229,8 +239,8 @@ static int hash_init( SRP_HashAlgorithm alg, HashCTX *c )
{
switch (alg)
{
/*case SRP_SHA1 : return SHA1_Init( &c->sha );
case SRP_SHA224: return SHA224_Init( &c->sha256 );*/
case SRP_SHA1 : return SHA1_Init( &c->sha );
/*case SRP_SHA224: return SHA224_Init( &c->sha256 );*/
case SRP_SHA256: return SHA256_Init( &c->sha256 );
/*case SRP_SHA384: return SHA384_Init( &c->sha512 );
case SRP_SHA512: return SHA512_Init( &c->sha512 );*/
@ -242,8 +252,8 @@ static int hash_update( SRP_HashAlgorithm alg, HashCTX *c, const void *data, siz
{
switch (alg)
{
/*case SRP_SHA1 : return SHA1_Update( &c->sha, data, len );
case SRP_SHA224: return SHA224_Update( &c->sha256, data, len );*/
case SRP_SHA1 : return SHA1_Update( &c->sha, data, len );
/*case SRP_SHA224: return SHA224_Update( &c->sha256, data, len );*/
case SRP_SHA256: return SHA256_Update( &c->sha256, data, len );
/*case SRP_SHA384: return SHA384_Update( &c->sha512, data, len );
case SRP_SHA512: return SHA512_Update( &c->sha512, data, len );*/
@ -255,8 +265,8 @@ static int hash_final( SRP_HashAlgorithm alg, HashCTX *c, unsigned char *md )
{
switch (alg)
{
/*case SRP_SHA1 : return SHA1_Final( md, &c->sha );
case SRP_SHA224: return SHA224_Final( md, &c->sha256 );*/
case SRP_SHA1 : return SHA1_Final( md, &c->sha );
/*case SRP_SHA224: return SHA224_Final( md, &c->sha256 );*/
case SRP_SHA256: return SHA256_Final( md, &c->sha256 );
/*case SRP_SHA384: return SHA384_Final( md, &c->sha512 );
case SRP_SHA512: return SHA512_Final( md, &c->sha512 );*/
@ -268,8 +278,8 @@ static unsigned char * hash( SRP_HashAlgorithm alg, const unsigned char *d, size
{
switch (alg)
{
/*case SRP_SHA1 : return SHA1( d, n, md );
case SRP_SHA224: return SHA224( d, n, md );*/
case SRP_SHA1 : return SHA1( d, n, md );
/*case SRP_SHA224: return SHA224( d, n, md );*/
case SRP_SHA256: return SHA256( d, n, md );
/*case SRP_SHA384: return SHA384( d, n, md );
case SRP_SHA512: return SHA512( d, n, md );*/
@ -281,8 +291,8 @@ static int hash_length( SRP_HashAlgorithm alg )
{
switch (alg)
{
/*case SRP_SHA1 : return SHA_DIGEST_LENGTH;
case SRP_SHA224: return SHA224_DIGEST_LENGTH;*/
case SRP_SHA1 : return SHA_DIGEST_LENGTH;
/*case SRP_SHA224: return SHA224_DIGEST_LENGTH;*/
case SRP_SHA256: return SHA256_DIGEST_LENGTH;
/*case SRP_SHA384: return SHA384_DIGEST_LENGTH;
case SRP_SHA512: return SHA512_DIGEST_LENGTH;*/
@ -502,6 +512,15 @@ static void init_random()
}
#define srp_dbg_num(num, text) ;
/*void srp_dbg_num(mpz_t num, char * prevtext)
{
int len_num = mpz_num_bytes(num);
char *bytes_num = (char*) malloc(len_num);
mpz_to_bin(num, (unsigned char *) bytes_num);
srp_dbg_data(bytes_num, len_num, prevtext);
free(bytes_num);
}*/
/***********************************************************************************************************
*
@ -565,6 +584,7 @@ struct SRPVerifier * srp_verifier_new( SRP_HashAlgorithm alg, SRP_NGType ng_typ
const unsigned char * bytes_s, int len_s,
const unsigned char * bytes_v, int len_v,
const unsigned char * bytes_A, int len_A,
const unsigned char * bytes_b, int len_b,
const unsigned char ** bytes_B, int * len_B,
const char * n_hex, const char * g_hex )
{
@ -614,7 +634,12 @@ struct SRPVerifier * srp_verifier_new( SRP_HashAlgorithm alg, SRP_NGType ng_typ
mpz_mod(tmp1, A, ng->N);
if ( mpz_sgn(tmp1) != 0 )
{
mpz_fill_random(b);
if (bytes_b)
{
mpz_from_bin(bytes_b, len_b, b);
} else {
mpz_fill_random(b);
}
if (!H_nn(k, alg, ng->N, ng->N, ng->g))
{
@ -860,10 +885,15 @@ int srp_user_get_session_key_length( struct SRPUser * usr )
/* Output: username, bytes_A, len_A */
void srp_user_start_authentication( struct SRPUser * usr, const char ** username,
const unsigned char * bytes_a, int len_a,
const unsigned char ** bytes_A, int * len_A )
{
mpz_fill_random(usr->a);
if (bytes_a)
{
mpz_from_bin(bytes_a, len_a, usr->a);
} else {
mpz_fill_random(usr->a);
}
mpz_powm(usr->A, usr->ng->g, usr->a, usr->ng->N);

11
srp.h
View File

@ -71,8 +71,8 @@ typedef enum
typedef enum
{
/*SRP_SHA1,
SRP_SHA224,*/
SRP_SHA1,
/*SRP_SHA224,*/
SRP_SHA256,
/*SRP_SHA384,
SRP_SHA512*/
@ -99,11 +99,14 @@ void srp_create_salted_verification_key( SRP_HashAlgorithm alg,
* On failure, bytes_B will be set to NULL and len_B will be set to 0
*
* The n_hex and g_hex parameters should be 0 unless SRP_NG_CUSTOM is used for ng_type
*
* If bytes_b == NULL, random data is used for b.
*/
struct SRPVerifier * srp_verifier_new( SRP_HashAlgorithm alg, SRP_NGType ng_type, const char * username,
const unsigned char * bytes_s, int len_s,
const unsigned char * bytes_v, int len_v,
const unsigned char * bytes_A, int len_A,
const unsigned char * bytes_b, int len_b,
const unsigned char ** bytes_B, int * len_B,
const char * n_hex, const char * g_hex );
@ -148,8 +151,10 @@ const unsigned char * srp_user_get_session_key( struct SRPUser * usr, int * key_
int srp_user_get_session_key_length( struct SRPUser * usr );
/* Output: username, bytes_A, len_A. If you don't want it get written, set username to NULL */
/* Output: username, bytes_A, len_A. If you don't want it get written, set username to NULL.
* If bytes_a == NULL, random data is used for a. */
void srp_user_start_authentication( struct SRPUser * usr, const char ** username,
const unsigned char * bytes_a, int len_a,
const unsigned char ** bytes_A, int * len_A );
/* Output: bytes_M, len_M (len_M may be null and will always be

216
test_srp.c
View File

@ -18,15 +18,225 @@ unsigned long long get_usec()
return (((unsigned long long)t.tv_sec) * 1000000) + t.tv_usec;
}
// The test vectors from
// https://tools.ietf.org/html/rfc5054#appendix-B
static const char srp_5054_salt[] = {
0xBE, 0xB2, 0x53, 0x79, 0xD1, 0xA8, 0x58, 0x1E,
0xB5, 0xA7, 0x27, 0x67, 0x3A, 0x24, 0x41, 0xEE,
};
static const char srp_5054_v[] = {
0x7E, 0x27, 0x3D, 0xE8, 0x69, 0x6F, 0xFC, 0x4F,
0x4E, 0x33, 0x7D, 0x05, 0xB4, 0xB3, 0x75, 0xBE,
0xB0, 0xDD, 0xE1, 0x56, 0x9E, 0x8F, 0xA0, 0x0A,
0x98, 0x86, 0xD8, 0x12, 0x9B, 0xAD, 0xA1, 0xF1,
0x82, 0x22, 0x23, 0xCA, 0x1A, 0x60, 0x5B, 0x53,
0x0E, 0x37, 0x9B, 0xA4, 0x72, 0x9F, 0xDC, 0x59,
0xF1, 0x05, 0xB4, 0x78, 0x7E, 0x51, 0x86, 0xF5,
0xC6, 0x71, 0x08, 0x5A, 0x14, 0x47, 0xB5, 0x2A,
0x48, 0xCF, 0x19, 0x70, 0xB4, 0xFB, 0x6F, 0x84,
0x00, 0xBB, 0xF4, 0xCE, 0xBF, 0xBB, 0x16, 0x81,
0x52, 0xE0, 0x8A, 0xB5, 0xEA, 0x53, 0xD1, 0x5C,
0x1A, 0xFF, 0x87, 0xB2, 0xB9, 0xDA, 0x6E, 0x04,
0xE0, 0x58, 0xAD, 0x51, 0xCC, 0x72, 0xBF, 0xC9,
0x03, 0x3B, 0x56, 0x4E, 0x26, 0x48, 0x0D, 0x78,
0xE9, 0x55, 0xA5, 0xE2, 0x9E, 0x7A, 0xB2, 0x45,
0xDB, 0x2B, 0xE3, 0x15, 0xE2, 0x09, 0x9A, 0xFB,
};
static const char srp_5054_a[] = {
0x60, 0x97, 0x55, 0x27, 0x03, 0x5C, 0xF2, 0xAD,
0x19, 0x89, 0x80, 0x6F, 0x04, 0x07, 0x21, 0x0B,
0xC8, 0x1E, 0xDC, 0x04, 0xE2, 0x76, 0x2A, 0x56,
0xAF, 0xD5, 0x29, 0xDD, 0xDA, 0x2D, 0x43, 0x93,
};
static const char srp_5054_A[] = {
0x61, 0xD5, 0xE4, 0x90, 0xF6, 0xF1, 0xB7, 0x95,
0x47, 0xB0, 0x70, 0x4C, 0x43, 0x6F, 0x52, 0x3D,
0xD0, 0xE5, 0x60, 0xF0, 0xC6, 0x41, 0x15, 0xBB,
0x72, 0x55, 0x7E, 0xC4, 0x43, 0x52, 0xE8, 0x90,
0x32, 0x11, 0xC0, 0x46, 0x92, 0x27, 0x2D, 0x8B,
0x2D, 0x1A, 0x53, 0x58, 0xA2, 0xCF, 0x1B, 0x6E,
0x0B, 0xFC, 0xF9, 0x9F, 0x92, 0x15, 0x30, 0xEC,
0x8E, 0x39, 0x35, 0x61, 0x79, 0xEA, 0xE4, 0x5E,
0x42, 0xBA, 0x92, 0xAE, 0xAC, 0xED, 0x82, 0x51,
0x71, 0xE1, 0xE8, 0xB9, 0xAF, 0x6D, 0x9C, 0x03,
0xE1, 0x32, 0x7F, 0x44, 0xBE, 0x08, 0x7E, 0xF0,
0x65, 0x30, 0xE6, 0x9F, 0x66, 0x61, 0x52, 0x61,
0xEE, 0xF5, 0x40, 0x73, 0xCA, 0x11, 0xCF, 0x58,
0x58, 0xF0, 0xED, 0xFD, 0xFE, 0x15, 0xEF, 0xEA,
0xB3, 0x49, 0xEF, 0x5D, 0x76, 0x98, 0x8A, 0x36,
0x72, 0xFA, 0xC4, 0x7B, 0x07, 0x69, 0x44, 0x7B,
};
static const char srp_5054_b[] = {
0xE4, 0x87, 0xCB, 0x59, 0xD3, 0x1A, 0xC5, 0x50,
0x47, 0x1E, 0x81, 0xF0, 0x0F, 0x69, 0x28, 0xE0,
0x1D, 0xDA, 0x08, 0xE9, 0x74, 0xA0, 0x04, 0xF4,
0x9E, 0x61, 0xF5, 0xD1, 0x05, 0x28, 0x4D, 0x20,
};
static const char srp_5054_B[] = {
0xBD, 0x0C, 0x61, 0x51, 0x2C, 0x69, 0x2C, 0x0C,
0xB6, 0xD0, 0x41, 0xFA, 0x01, 0xBB, 0x15, 0x2D,
0x49, 0x16, 0xA1, 0xE7, 0x7A, 0xF4, 0x6A, 0xE1,
0x05, 0x39, 0x30, 0x11, 0xBA, 0xF3, 0x89, 0x64,
0xDC, 0x46, 0xA0, 0x67, 0x0D, 0xD1, 0x25, 0xB9,
0x5A, 0x98, 0x16, 0x52, 0x23, 0x6F, 0x99, 0xD9,
0xB6, 0x81, 0xCB, 0xF8, 0x78, 0x37, 0xEC, 0x99,
0x6C, 0x6D, 0xA0, 0x44, 0x53, 0x72, 0x86, 0x10,
0xD0, 0xC6, 0xDD, 0xB5, 0x8B, 0x31, 0x88, 0x85,
0xD7, 0xD8, 0x2C, 0x7F, 0x8D, 0xEB, 0x75, 0xCE,
0x7B, 0xD4, 0xFB, 0xAA, 0x37, 0x08, 0x9E, 0x6F,
0x9C, 0x60, 0x59, 0xF3, 0x88, 0x83, 0x8E, 0x7A,
0x00, 0x03, 0x0B, 0x33, 0x1E, 0xB7, 0x68, 0x40,
0x91, 0x04, 0x40, 0xB1, 0xB2, 0x7A, 0xAE, 0xAE,
0xEB, 0x40, 0x12, 0xB7, 0xD7, 0x66, 0x52, 0x38,
0xA8, 0xE3, 0xFB, 0x00, 0x4B, 0x11, 0x7B, 0x58,
};
// This isn't used (yet)
static const char srp_5054_u[] = {
0xCE, 0x38, 0xB9, 0x59, 0x34, 0x87, 0xDA, 0x98,
0x55, 0x4E, 0xD4, 0x7D, 0x70, 0xA7, 0xAE, 0x5F,
0x46, 0x2E, 0xF0, 0x19,
};
// This is SHA-1(<premaster secret>)
static const char srp_5054_S[] = {
0x01, 0x7e, 0xef, 0xa1, 0xce, 0xfc, 0x5c, 0x2e,
0x62, 0x6e, 0x21, 0x59, 0x89, 0x87, 0xf3, 0x1e,
0x0f, 0x1b, 0x11, 0xbb,
};
int test_rfc_5054_compat()
{
struct SRPVerifier * ver;
struct SRPUser * usr;
const unsigned char * bytes_s = (const unsigned char *) srp_5054_salt;
const unsigned char * bytes_v = 0;
const unsigned char * bytes_A = 0;
const unsigned char * bytes_B = 0;
const unsigned char * bytes_M = 0;
const unsigned char * bytes_HAMK = 0;
const unsigned char * bytes_S = 0;
int len_s = 16;
int len_v = 0;
int len_A = 0;
int len_B = 0;
int len_M = 0;
int len_S = 0;
int i;
const char * username = "alice";
const char * password = "password123";
SRP_HashAlgorithm alg = SRP_SHA1;
SRP_NGType ng_type = SRP_NG_1024; //TEST_NG;
printf("Testing RFC 5054 test vectors...");
srp_create_salted_verification_key( alg, ng_type, username,
(const unsigned char *)password,
strlen(password), &bytes_s, &len_s, &bytes_v, &len_v, NULL, NULL );
if (len_v != 128 || memcmp(&srp_5054_v, bytes_v, len_v) != 0)
{
printf(" computed v doesn't match!\n");
return 1;
}
usr = srp_user_new( alg, ng_type, username, username,
(const unsigned char *)password,
strlen(password), NULL, NULL );
srp_user_start_authentication( usr, NULL, srp_5054_a, 32, &bytes_A, &len_A );
if (memcmp(&srp_5054_A, bytes_A, len_A) != 0)
{
printf(" computed A doesn't match!\n");
return 1;
}
/* User -> Host: (username, bytes_A) */
ver = srp_verifier_new( alg, ng_type, username, (const unsigned char *) srp_5054_salt,
len_s, bytes_v, len_v, bytes_A, len_A, srp_5054_b, 32, &bytes_B,
&len_B, NULL, NULL );
if ( !bytes_B )
{
printf(" SRP-6a safety check violated for B!\n");
return 1;
}
if (memcmp(&srp_5054_B, bytes_B, len_B) != 0)
{
printf(" computed B doesn't match!\n");
return 1;
}
/* Host -> User: (bytes_s, bytes_B) */
srp_user_process_challenge( usr, (const unsigned char *) srp_5054_salt, len_s, bytes_B, len_B, &bytes_M, &len_M );
if ( !bytes_M )
{
printf(" SRP-6a safety check violated for M!\n");
goto cleanup;
}
/* User -> Host: (bytes_M) */
srp_verifier_verify_session( ver, bytes_M, &bytes_HAMK );
if ( !bytes_HAMK )
{
printf(" user authentication failed!\n");
goto cleanup;
}
/* Host -> User: (HAMK) */
srp_user_verify_session( usr, bytes_HAMK );
if ( !srp_user_is_authenticated(usr) )
{
printf(" server authentication failed!\n");
}
bytes_S = srp_verifier_get_session_key(ver, &len_S);
if (memcmp(&srp_5054_S, bytes_S, len_S) != 0)
{
printf(" computed session key doesn't match!\n");
return 1;
}
printf(" success.\n");
cleanup:
srp_verifier_delete( ver );
srp_user_delete( usr );
free( (char *)bytes_v );
return 0;
}
const char * test_n_hex = "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496"
"EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8E"
"F4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA"
"9AFD5138FE8376435B9FC61D2FC0EB06E3";
const char * test_g_hex = "2";
int main( int argc, char * argv[] )
{
test_rfc_5054_compat();
printf("Performing the speedtest.\n");
struct SRPVerifier * ver;
struct SRPUser * usr;
@ -80,11 +290,11 @@ int main( int argc, char * argv[] )
(const unsigned char *)password,
strlen(password), n_hex, g_hex );
srp_user_start_authentication( usr, NULL, &bytes_A, &len_A );
srp_user_start_authentication( usr, NULL, NULL, 0, &bytes_A, &len_A );
/* User -> Host: (username, bytes_A) */
ver = srp_verifier_new( alg, ng_type, username, bytes_s, len_s, bytes_v, len_v,
bytes_A, len_A, & bytes_B, &len_B, n_hex, g_hex );
bytes_A, len_A, NULL, 0, & bytes_B, &len_B, n_hex, g_hex );
if ( !bytes_B )
{