From e5a12b1d06063570edc0fd04c170cff62dbb99ab Mon Sep 17 00:00:00 2001 From: est31 Date: Fri, 24 Apr 2015 06:58:24 +0200 Subject: [PATCH] Add RFC 5054 test vector tests and SHA-1 algorithm --- README.md | 9 +- sha/{sha2.h => sha.h} | 7 + sha/sha1.c | 521 ++++++++++++++++++++++++++++++++++++++++++ sha/sha256.c | 7 +- srp.c | 58 +++-- srp.h | 11 +- test_srp.c | 216 ++++++++++++++++- 7 files changed, 800 insertions(+), 29 deletions(-) rename sha/{sha2.h => sha.h} (95%) create mode 100644 sha/sha1.c diff --git a/README.md b/README.md index b151529..81d8ce5 100644 --- a/README.md +++ b/README.md @@ -44,13 +44,16 @@ The call `srp_random_seed` has been removed. The call `srp_user_new` has a new parameter, `username_for_verifier`, allowing to use different usernames for verifier and srp login. +Also, `srp_user_start_authentication` and `srp_verifier_new` have new +parameters to specify `a` and `b` values. Added option for `srp_create_salted_verification_key` call to specify a salt. -We ship with OpenSSL's implementation of the SHA256 hash algorithm. -Support for other hash algoritms was dropped (but re-introducing is -fairly easy, just copy from an OpenSSL source distribution). +We ship with OpenSSL's implementation of the SHA256 and SHA-1 hash +algorithms. Support for other hash algoritms was dropped (but +re-introducing is fairly easy, just copy from an OpenSSL source +distribution). Usage Example ------------- diff --git a/sha/sha2.h b/sha/sha.h similarity index 95% rename from sha/sha2.h rename to sha/sha.h index 6ac045f..1cb068f 100644 --- a/sha/sha2.h +++ b/sha/sha.h @@ -118,6 +118,13 @@ typedef struct SHAstate_st { # define SHA256_CBLOCK (SHA_LBLOCK*4)/* SHA-256 treats input data as a * contiguous array of 32 bit wide * big-endian values. */ + +int SHA1_Init(SHA_CTX *c); +int SHA1_Update(SHA_CTX *c, const void *data, size_t len); +int SHA1_Final(unsigned char *md, SHA_CTX *c); +unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md); +void SHA1_Transform(SHA_CTX *c, const unsigned char *data); + # define SHA224_DIGEST_LENGTH 28 # define SHA256_DIGEST_LENGTH 32 diff --git a/sha/sha1.c b/sha/sha1.c new file mode 100644 index 0000000..1a44c35 --- /dev/null +++ b/sha/sha1.c @@ -0,0 +1,521 @@ +/* crypto/sha/sha_locl.h */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#include +#include + +#include + +#define DATA_ORDER_IS_BIG_ENDIAN + +#define SHA_1 + +#define HASH_LONG SHA_LONG +#define HASH_CTX SHA_CTX +#define HASH_CBLOCK SHA_CBLOCK +#define HASH_MAKE_STRING(c,s) do { \ + unsigned long ll; \ + ll=(c)->h0; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h1; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h2; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h3; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h4; (void)HOST_l2c(ll,(s)); \ + } while (0) + +#if defined(SHA_0) + +# define HASH_UPDATE SHA_Update +# define HASH_TRANSFORM SHA_Transform +# define HASH_FINAL SHA_Final +# define HASH_INIT SHA_Init +# define HASH_BLOCK_DATA_ORDER sha_block_data_order +# define Xupdate(a,ix,ia,ib,ic,id) (ix=(a)=(ia^ib^ic^id)) + +static void sha_block_data_order(SHA_CTX *c, const void *p, size_t num); + +#elif defined(SHA_1) + +# define HASH_UPDATE SHA1_Update +# define HASH_TRANSFORM SHA1_Transform +# define HASH_FINAL SHA1_Final +# define HASH_INIT SHA1_Init +# define HASH_BLOCK_DATA_ORDER sha1_block_data_order +# if defined(__MWERKS__) && defined(__MC68K__) + /* Metrowerks for Motorola fails otherwise:-( */ +# define Xupdate(a,ix,ia,ib,ic,id) do { (a)=(ia^ib^ic^id); \ + ix=(a)=ROTATE((a),1); \ + } while (0) +# else +# define Xupdate(a,ix,ia,ib,ic,id) ( (a)=(ia^ib^ic^id), \ + ix=(a)=ROTATE((a),1) \ + ) +# endif + +# ifndef SHA1_ASM +static +# endif +void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num); + +#else +# error "Either SHA_0 or SHA_1 must be defined." +#endif + +#include "md32_common.h" + +#define INIT_DATA_h0 0x67452301UL +#define INIT_DATA_h1 0xefcdab89UL +#define INIT_DATA_h2 0x98badcfeUL +#define INIT_DATA_h3 0x10325476UL +#define INIT_DATA_h4 0xc3d2e1f0UL + +# define fips_md_init(alg) fips_md_init_ctx(alg, alg) +# define fips_md_init_ctx(alg, cx) \ + int alg##_Init(cx##_CTX *c) +# define fips_cipher_abort(alg) while(0) + +unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md) +{ + SHA_CTX c; + static unsigned char m[SHA_DIGEST_LENGTH]; + + if (md == NULL) + md = m; + if (!SHA1_Init(&c)) + return NULL; + SHA1_Update(&c, d, n); + SHA1_Final(md, &c); + OPENSSL_cleanse(&c, sizeof(c)); + return (md); +} + +#ifdef SHA_0 +fips_md_init(SHA) +#else +fips_md_init_ctx(SHA1, SHA) +#endif +{ + memset(c, 0, sizeof(*c)); + c->h0 = INIT_DATA_h0; + c->h1 = INIT_DATA_h1; + c->h2 = INIT_DATA_h2; + c->h3 = INIT_DATA_h3; + c->h4 = INIT_DATA_h4; + return 1; +} + +#define K_00_19 0x5a827999UL +#define K_20_39 0x6ed9eba1UL +#define K_40_59 0x8f1bbcdcUL +#define K_60_79 0xca62c1d6UL + +/* + * As pointed out by Wei Dai , F() below can be simplified + * to the code in F_00_19. Wei attributes these optimisations to Peter + * Gutmann's SHS code, and he attributes it to Rich Schroeppel. #define + * F(x,y,z) (((x) & (y)) | ((~(x)) & (z))) I've just become aware of another + * tweak to be made, again from Wei Dai, in F_40_59, (x&a)|(y&a) -> (x|y)&a + */ +#define F_00_19(b,c,d) ((((c) ^ (d)) & (b)) ^ (d)) +#define F_20_39(b,c,d) ((b) ^ (c) ^ (d)) +#define F_40_59(b,c,d) (((b) & (c)) | (((b)|(c)) & (d))) +#define F_60_79(b,c,d) F_20_39(b,c,d) + +#ifndef OPENSSL_SMALL_FOOTPRINT + +# define BODY_00_15(i,a,b,c,d,e,f,xi) \ + (f)=xi+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \ + (b)=ROTATE((b),30); + +# define BODY_16_19(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \ + Xupdate(f,xi,xa,xb,xc,xd); \ + (f)+=(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \ + (b)=ROTATE((b),30); + +# define BODY_20_31(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \ + Xupdate(f,xi,xa,xb,xc,xd); \ + (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \ + (b)=ROTATE((b),30); + +# define BODY_32_39(i,a,b,c,d,e,f,xa,xb,xc,xd) \ + Xupdate(f,xa,xa,xb,xc,xd); \ + (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \ + (b)=ROTATE((b),30); + +# define BODY_40_59(i,a,b,c,d,e,f,xa,xb,xc,xd) \ + Xupdate(f,xa,xa,xb,xc,xd); \ + (f)+=(e)+K_40_59+ROTATE((a),5)+F_40_59((b),(c),(d)); \ + (b)=ROTATE((b),30); + +# define BODY_60_79(i,a,b,c,d,e,f,xa,xb,xc,xd) \ + Xupdate(f,xa,xa,xb,xc,xd); \ + (f)=xa+(e)+K_60_79+ROTATE((a),5)+F_60_79((b),(c),(d)); \ + (b)=ROTATE((b),30); + +# ifdef X +# undef X +# endif +# ifndef MD32_XARRAY + /* + * Originally X was an array. As it's automatic it's natural + * to expect RISC compiler to accomodate at least part of it in + * the register bank, isn't it? Unfortunately not all compilers + * "find" this expectation reasonable:-( On order to make such + * compilers generate better code I replace X[] with a bunch of + * X0, X1, etc. See the function body below... + * + */ +# define X(i) XX##i +# else + /* + * However! Some compilers (most notably HP C) get overwhelmed by + * that many local variables so that we have to have the way to + * fall down to the original behavior. + */ +# define X(i) XX[i] +# endif + +# if !defined(SHA_1) || !defined(SHA1_ASM) +static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num) +{ + const unsigned char *data = p; + register unsigned MD32_REG_T A, B, C, D, E, T, l; +# ifndef MD32_XARRAY + unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, + XX8, XX9, XX10, XX11, XX12, XX13, XX14, XX15; +# else + SHA_LONG XX[16]; +# endif + + A = c->h0; + B = c->h1; + C = c->h2; + D = c->h3; + E = c->h4; + + for (;;) { + const union { + long one; + char little; + } is_endian = { + 1 + }; + + if (!is_endian.little && sizeof(SHA_LONG) == 4 + && ((size_t)p % 4) == 0) { + const SHA_LONG *W = (const SHA_LONG *)data; + + X(0) = W[0]; + X(1) = W[1]; + BODY_00_15(0, A, B, C, D, E, T, X(0)); + X(2) = W[2]; + BODY_00_15(1, T, A, B, C, D, E, X(1)); + X(3) = W[3]; + BODY_00_15(2, E, T, A, B, C, D, X(2)); + X(4) = W[4]; + BODY_00_15(3, D, E, T, A, B, C, X(3)); + X(5) = W[5]; + BODY_00_15(4, C, D, E, T, A, B, X(4)); + X(6) = W[6]; + BODY_00_15(5, B, C, D, E, T, A, X(5)); + X(7) = W[7]; + BODY_00_15(6, A, B, C, D, E, T, X(6)); + X(8) = W[8]; + BODY_00_15(7, T, A, B, C, D, E, X(7)); + X(9) = W[9]; + BODY_00_15(8, E, T, A, B, C, D, X(8)); + X(10) = W[10]; + BODY_00_15(9, D, E, T, A, B, C, X(9)); + X(11) = W[11]; + BODY_00_15(10, C, D, E, T, A, B, X(10)); + X(12) = W[12]; + BODY_00_15(11, B, C, D, E, T, A, X(11)); + X(13) = W[13]; + BODY_00_15(12, A, B, C, D, E, T, X(12)); + X(14) = W[14]; + BODY_00_15(13, T, A, B, C, D, E, X(13)); + X(15) = W[15]; + BODY_00_15(14, E, T, A, B, C, D, X(14)); + BODY_00_15(15, D, E, T, A, B, C, X(15)); + + data += SHA_CBLOCK; + } else { + (void)HOST_c2l(data, l); + X(0) = l; + (void)HOST_c2l(data, l); + X(1) = l; + BODY_00_15(0, A, B, C, D, E, T, X(0)); + (void)HOST_c2l(data, l); + X(2) = l; + BODY_00_15(1, T, A, B, C, D, E, X(1)); + (void)HOST_c2l(data, l); + X(3) = l; + BODY_00_15(2, E, T, A, B, C, D, X(2)); + (void)HOST_c2l(data, l); + X(4) = l; + BODY_00_15(3, D, E, T, A, B, C, X(3)); + (void)HOST_c2l(data, l); + X(5) = l; + BODY_00_15(4, C, D, E, T, A, B, X(4)); + (void)HOST_c2l(data, l); + X(6) = l; + BODY_00_15(5, B, C, D, E, T, A, X(5)); + (void)HOST_c2l(data, l); + X(7) = l; + BODY_00_15(6, A, B, C, D, E, T, X(6)); + (void)HOST_c2l(data, l); + X(8) = l; + BODY_00_15(7, T, A, B, C, D, E, X(7)); + (void)HOST_c2l(data, l); + X(9) = l; + BODY_00_15(8, E, T, A, B, C, D, X(8)); + (void)HOST_c2l(data, l); + X(10) = l; + BODY_00_15(9, D, E, T, A, B, C, X(9)); + (void)HOST_c2l(data, l); + X(11) = l; + BODY_00_15(10, C, D, E, T, A, B, X(10)); + (void)HOST_c2l(data, l); + X(12) = l; + BODY_00_15(11, B, C, D, E, T, A, X(11)); + (void)HOST_c2l(data, l); + X(13) = l; + BODY_00_15(12, A, B, C, D, E, T, X(12)); + (void)HOST_c2l(data, l); + X(14) = l; + BODY_00_15(13, T, A, B, C, D, E, X(13)); + (void)HOST_c2l(data, l); + X(15) = l; + BODY_00_15(14, E, T, A, B, C, D, X(14)); + BODY_00_15(15, D, E, T, A, B, C, X(15)); + } + + BODY_16_19(16, C, D, E, T, A, B, X(0), X(0), X(2), X(8), X(13)); + BODY_16_19(17, B, C, D, E, T, A, X(1), X(1), X(3), X(9), X(14)); + BODY_16_19(18, A, B, C, D, E, T, X(2), X(2), X(4), X(10), X(15)); + BODY_16_19(19, T, A, B, C, D, E, X(3), X(3), X(5), X(11), X(0)); + + BODY_20_31(20, E, T, A, B, C, D, X(4), X(4), X(6), X(12), X(1)); + BODY_20_31(21, D, E, T, A, B, C, X(5), X(5), X(7), X(13), X(2)); + BODY_20_31(22, C, D, E, T, A, B, X(6), X(6), X(8), X(14), X(3)); + BODY_20_31(23, B, C, D, E, T, A, X(7), X(7), X(9), X(15), X(4)); + BODY_20_31(24, A, B, C, D, E, T, X(8), X(8), X(10), X(0), X(5)); + BODY_20_31(25, T, A, B, C, D, E, X(9), X(9), X(11), X(1), X(6)); + BODY_20_31(26, E, T, A, B, C, D, X(10), X(10), X(12), X(2), X(7)); + BODY_20_31(27, D, E, T, A, B, C, X(11), X(11), X(13), X(3), X(8)); + BODY_20_31(28, C, D, E, T, A, B, X(12), X(12), X(14), X(4), X(9)); + BODY_20_31(29, B, C, D, E, T, A, X(13), X(13), X(15), X(5), X(10)); + BODY_20_31(30, A, B, C, D, E, T, X(14), X(14), X(0), X(6), X(11)); + BODY_20_31(31, T, A, B, C, D, E, X(15), X(15), X(1), X(7), X(12)); + + BODY_32_39(32, E, T, A, B, C, D, X(0), X(2), X(8), X(13)); + BODY_32_39(33, D, E, T, A, B, C, X(1), X(3), X(9), X(14)); + BODY_32_39(34, C, D, E, T, A, B, X(2), X(4), X(10), X(15)); + BODY_32_39(35, B, C, D, E, T, A, X(3), X(5), X(11), X(0)); + BODY_32_39(36, A, B, C, D, E, T, X(4), X(6), X(12), X(1)); + BODY_32_39(37, T, A, B, C, D, E, X(5), X(7), X(13), X(2)); + BODY_32_39(38, E, T, A, B, C, D, X(6), X(8), X(14), X(3)); + BODY_32_39(39, D, E, T, A, B, C, X(7), X(9), X(15), X(4)); + + BODY_40_59(40, C, D, E, T, A, B, X(8), X(10), X(0), X(5)); + BODY_40_59(41, B, C, D, E, T, A, X(9), X(11), X(1), X(6)); + BODY_40_59(42, A, B, C, D, E, T, X(10), X(12), X(2), X(7)); + BODY_40_59(43, T, A, B, C, D, E, X(11), X(13), X(3), X(8)); + BODY_40_59(44, E, T, A, B, C, D, X(12), X(14), X(4), X(9)); + BODY_40_59(45, D, E, T, A, B, C, X(13), X(15), X(5), X(10)); + BODY_40_59(46, C, D, E, T, A, B, X(14), X(0), X(6), X(11)); + BODY_40_59(47, B, C, D, E, T, A, X(15), X(1), X(7), X(12)); + BODY_40_59(48, A, B, C, D, E, T, X(0), X(2), X(8), X(13)); + BODY_40_59(49, T, A, B, C, D, E, X(1), X(3), X(9), X(14)); + BODY_40_59(50, E, T, A, B, C, D, X(2), X(4), X(10), X(15)); + BODY_40_59(51, D, E, T, A, B, C, X(3), X(5), X(11), X(0)); + BODY_40_59(52, C, D, E, T, A, B, X(4), X(6), X(12), X(1)); + BODY_40_59(53, B, C, D, E, T, A, X(5), X(7), X(13), X(2)); + BODY_40_59(54, A, B, C, D, E, T, X(6), X(8), X(14), X(3)); + BODY_40_59(55, T, A, B, C, D, E, X(7), X(9), X(15), X(4)); + BODY_40_59(56, E, T, A, B, C, D, X(8), X(10), X(0), X(5)); + BODY_40_59(57, D, E, T, A, B, C, X(9), X(11), X(1), X(6)); + BODY_40_59(58, C, D, E, T, A, B, X(10), X(12), X(2), X(7)); + BODY_40_59(59, B, C, D, E, T, A, X(11), X(13), X(3), X(8)); + + BODY_60_79(60, A, B, C, D, E, T, X(12), X(14), X(4), X(9)); + BODY_60_79(61, T, A, B, C, D, E, X(13), X(15), X(5), X(10)); + BODY_60_79(62, E, T, A, B, C, D, X(14), X(0), X(6), X(11)); + BODY_60_79(63, D, E, T, A, B, C, X(15), X(1), X(7), X(12)); + BODY_60_79(64, C, D, E, T, A, B, X(0), X(2), X(8), X(13)); + BODY_60_79(65, B, C, D, E, T, A, X(1), X(3), X(9), X(14)); + BODY_60_79(66, A, B, C, D, E, T, X(2), X(4), X(10), X(15)); + BODY_60_79(67, T, A, B, C, D, E, X(3), X(5), X(11), X(0)); + BODY_60_79(68, E, T, A, B, C, D, X(4), X(6), X(12), X(1)); + BODY_60_79(69, D, E, T, A, B, C, X(5), X(7), X(13), X(2)); + BODY_60_79(70, C, D, E, T, A, B, X(6), X(8), X(14), X(3)); + BODY_60_79(71, B, C, D, E, T, A, X(7), X(9), X(15), X(4)); + BODY_60_79(72, A, B, C, D, E, T, X(8), X(10), X(0), X(5)); + BODY_60_79(73, T, A, B, C, D, E, X(9), X(11), X(1), X(6)); + BODY_60_79(74, E, T, A, B, C, D, X(10), X(12), X(2), X(7)); + BODY_60_79(75, D, E, T, A, B, C, X(11), X(13), X(3), X(8)); + BODY_60_79(76, C, D, E, T, A, B, X(12), X(14), X(4), X(9)); + BODY_60_79(77, B, C, D, E, T, A, X(13), X(15), X(5), X(10)); + BODY_60_79(78, A, B, C, D, E, T, X(14), X(0), X(6), X(11)); + BODY_60_79(79, T, A, B, C, D, E, X(15), X(1), X(7), X(12)); + + c->h0 = (c->h0 + E) & 0xffffffffL; + c->h1 = (c->h1 + T) & 0xffffffffL; + c->h2 = (c->h2 + A) & 0xffffffffL; + c->h3 = (c->h3 + B) & 0xffffffffL; + c->h4 = (c->h4 + C) & 0xffffffffL; + + if (--num == 0) + break; + + A = c->h0; + B = c->h1; + C = c->h2; + D = c->h3; + E = c->h4; + + } +} +# endif + +#else /* OPENSSL_SMALL_FOOTPRINT */ + +# define BODY_00_15(xi) do { \ + T=E+K_00_19+F_00_19(B,C,D); \ + E=D, D=C, C=ROTATE(B,30), B=A; \ + A=ROTATE(A,5)+T+xi; } while(0) + +# define BODY_16_19(xa,xb,xc,xd) do { \ + Xupdate(T,xa,xa,xb,xc,xd); \ + T+=E+K_00_19+F_00_19(B,C,D); \ + E=D, D=C, C=ROTATE(B,30), B=A; \ + A=ROTATE(A,5)+T; } while(0) + +# define BODY_20_39(xa,xb,xc,xd) do { \ + Xupdate(T,xa,xa,xb,xc,xd); \ + T+=E+K_20_39+F_20_39(B,C,D); \ + E=D, D=C, C=ROTATE(B,30), B=A; \ + A=ROTATE(A,5)+T; } while(0) + +# define BODY_40_59(xa,xb,xc,xd) do { \ + Xupdate(T,xa,xa,xb,xc,xd); \ + T+=E+K_40_59+F_40_59(B,C,D); \ + E=D, D=C, C=ROTATE(B,30), B=A; \ + A=ROTATE(A,5)+T; } while(0) + +# define BODY_60_79(xa,xb,xc,xd) do { \ + Xupdate(T,xa,xa,xb,xc,xd); \ + T=E+K_60_79+F_60_79(B,C,D); \ + E=D, D=C, C=ROTATE(B,30), B=A; \ + A=ROTATE(A,5)+T+xa; } while(0) + +# if !defined(SHA_1) || !defined(SHA1_ASM) +static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num) +{ + const unsigned char *data = p; + register unsigned MD32_REG_T A, B, C, D, E, T, l; + int i; + SHA_LONG X[16]; + + A = c->h0; + B = c->h1; + C = c->h2; + D = c->h3; + E = c->h4; + + for (;;) { + for (i = 0; i < 16; i++) { + HOST_c2l(data, l); + X[i] = l; + BODY_00_15(X[i]); + } + for (i = 0; i < 4; i++) { + BODY_16_19(X[i], X[i + 2], X[i + 8], X[(i + 13) & 15]); + } + for (; i < 24; i++) { + BODY_20_39(X[i & 15], X[(i + 2) & 15], X[(i + 8) & 15], + X[(i + 13) & 15]); + } + for (i = 0; i < 20; i++) { + BODY_40_59(X[(i + 8) & 15], X[(i + 10) & 15], X[i & 15], + X[(i + 5) & 15]); + } + for (i = 4; i < 24; i++) { + BODY_60_79(X[(i + 8) & 15], X[(i + 10) & 15], X[i & 15], + X[(i + 5) & 15]); + } + + c->h0 = (c->h0 + A) & 0xffffffffL; + c->h1 = (c->h1 + B) & 0xffffffffL; + c->h2 = (c->h2 + C) & 0xffffffffL; + c->h3 = (c->h3 + D) & 0xffffffffL; + c->h4 = (c->h4 + E) & 0xffffffffL; + + if (--num == 0) + break; + + A = c->h0; + B = c->h1; + C = c->h2; + D = c->h3; + E = c->h4; + + } +} +# endif + +#endif diff --git a/sha/sha256.c b/sha/sha256.c index a1491b3..73a6355 100644 --- a/sha/sha256.c +++ b/sha/sha256.c @@ -7,12 +7,7 @@ # include # include -# include "sha2.h" - -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2a 19 Mar 2015" -# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT - -const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT; +# include "sha.h" /* mem_clr.c */ unsigned char cleanse_ctr = 0; diff --git a/srp.c b/srp.c index 0cd4627..55de675 100644 --- a/srp.c +++ b/srp.c @@ -37,11 +37,21 @@ #include #include -#include +#include #include "srp.h" #define srp_dbg_data(data, datalen, prevtext) ; +/*void srp_dbg_data(unsigned char * data, int datalen, char * prevtext) +{ + printf(prevtext); + int i; + for (i = 0; i < datalen; i++) + { + printf("%02X", data[i]); + } + printf("\n"); +}*/ static int g_initialized = 0; @@ -229,8 +239,8 @@ static int hash_init( SRP_HashAlgorithm alg, HashCTX *c ) { switch (alg) { - /*case SRP_SHA1 : return SHA1_Init( &c->sha ); - case SRP_SHA224: return SHA224_Init( &c->sha256 );*/ + case SRP_SHA1 : return SHA1_Init( &c->sha ); + /*case SRP_SHA224: return SHA224_Init( &c->sha256 );*/ case SRP_SHA256: return SHA256_Init( &c->sha256 ); /*case SRP_SHA384: return SHA384_Init( &c->sha512 ); case SRP_SHA512: return SHA512_Init( &c->sha512 );*/ @@ -242,8 +252,8 @@ static int hash_update( SRP_HashAlgorithm alg, HashCTX *c, const void *data, siz { switch (alg) { - /*case SRP_SHA1 : return SHA1_Update( &c->sha, data, len ); - case SRP_SHA224: return SHA224_Update( &c->sha256, data, len );*/ + case SRP_SHA1 : return SHA1_Update( &c->sha, data, len ); + /*case SRP_SHA224: return SHA224_Update( &c->sha256, data, len );*/ case SRP_SHA256: return SHA256_Update( &c->sha256, data, len ); /*case SRP_SHA384: return SHA384_Update( &c->sha512, data, len ); case SRP_SHA512: return SHA512_Update( &c->sha512, data, len );*/ @@ -255,8 +265,8 @@ static int hash_final( SRP_HashAlgorithm alg, HashCTX *c, unsigned char *md ) { switch (alg) { - /*case SRP_SHA1 : return SHA1_Final( md, &c->sha ); - case SRP_SHA224: return SHA224_Final( md, &c->sha256 );*/ + case SRP_SHA1 : return SHA1_Final( md, &c->sha ); + /*case SRP_SHA224: return SHA224_Final( md, &c->sha256 );*/ case SRP_SHA256: return SHA256_Final( md, &c->sha256 ); /*case SRP_SHA384: return SHA384_Final( md, &c->sha512 ); case SRP_SHA512: return SHA512_Final( md, &c->sha512 );*/ @@ -268,8 +278,8 @@ static unsigned char * hash( SRP_HashAlgorithm alg, const unsigned char *d, size { switch (alg) { - /*case SRP_SHA1 : return SHA1( d, n, md ); - case SRP_SHA224: return SHA224( d, n, md );*/ + case SRP_SHA1 : return SHA1( d, n, md ); + /*case SRP_SHA224: return SHA224( d, n, md );*/ case SRP_SHA256: return SHA256( d, n, md ); /*case SRP_SHA384: return SHA384( d, n, md ); case SRP_SHA512: return SHA512( d, n, md );*/ @@ -281,8 +291,8 @@ static int hash_length( SRP_HashAlgorithm alg ) { switch (alg) { - /*case SRP_SHA1 : return SHA_DIGEST_LENGTH; - case SRP_SHA224: return SHA224_DIGEST_LENGTH;*/ + case SRP_SHA1 : return SHA_DIGEST_LENGTH; + /*case SRP_SHA224: return SHA224_DIGEST_LENGTH;*/ case SRP_SHA256: return SHA256_DIGEST_LENGTH; /*case SRP_SHA384: return SHA384_DIGEST_LENGTH; case SRP_SHA512: return SHA512_DIGEST_LENGTH;*/ @@ -502,6 +512,15 @@ static void init_random() } #define srp_dbg_num(num, text) ; +/*void srp_dbg_num(mpz_t num, char * prevtext) +{ + int len_num = mpz_num_bytes(num); + char *bytes_num = (char*) malloc(len_num); + mpz_to_bin(num, (unsigned char *) bytes_num); + srp_dbg_data(bytes_num, len_num, prevtext); + free(bytes_num); + +}*/ /*********************************************************************************************************** * @@ -565,6 +584,7 @@ struct SRPVerifier * srp_verifier_new( SRP_HashAlgorithm alg, SRP_NGType ng_typ const unsigned char * bytes_s, int len_s, const unsigned char * bytes_v, int len_v, const unsigned char * bytes_A, int len_A, + const unsigned char * bytes_b, int len_b, const unsigned char ** bytes_B, int * len_B, const char * n_hex, const char * g_hex ) { @@ -614,7 +634,12 @@ struct SRPVerifier * srp_verifier_new( SRP_HashAlgorithm alg, SRP_NGType ng_typ mpz_mod(tmp1, A, ng->N); if ( mpz_sgn(tmp1) != 0 ) { - mpz_fill_random(b); + if (bytes_b) + { + mpz_from_bin(bytes_b, len_b, b); + } else { + mpz_fill_random(b); + } if (!H_nn(k, alg, ng->N, ng->N, ng->g)) { @@ -860,10 +885,15 @@ int srp_user_get_session_key_length( struct SRPUser * usr ) /* Output: username, bytes_A, len_A */ void srp_user_start_authentication( struct SRPUser * usr, const char ** username, + const unsigned char * bytes_a, int len_a, const unsigned char ** bytes_A, int * len_A ) { - - mpz_fill_random(usr->a); + if (bytes_a) + { + mpz_from_bin(bytes_a, len_a, usr->a); + } else { + mpz_fill_random(usr->a); + } mpz_powm(usr->A, usr->ng->g, usr->a, usr->ng->N); diff --git a/srp.h b/srp.h index d4af4bc..0929647 100644 --- a/srp.h +++ b/srp.h @@ -71,8 +71,8 @@ typedef enum typedef enum { - /*SRP_SHA1, - SRP_SHA224,*/ + SRP_SHA1, + /*SRP_SHA224,*/ SRP_SHA256, /*SRP_SHA384, SRP_SHA512*/ @@ -99,11 +99,14 @@ void srp_create_salted_verification_key( SRP_HashAlgorithm alg, * On failure, bytes_B will be set to NULL and len_B will be set to 0 * * The n_hex and g_hex parameters should be 0 unless SRP_NG_CUSTOM is used for ng_type + * + * If bytes_b == NULL, random data is used for b. */ struct SRPVerifier * srp_verifier_new( SRP_HashAlgorithm alg, SRP_NGType ng_type, const char * username, const unsigned char * bytes_s, int len_s, const unsigned char * bytes_v, int len_v, const unsigned char * bytes_A, int len_A, + const unsigned char * bytes_b, int len_b, const unsigned char ** bytes_B, int * len_B, const char * n_hex, const char * g_hex ); @@ -148,8 +151,10 @@ const unsigned char * srp_user_get_session_key( struct SRPUser * usr, int * key_ int srp_user_get_session_key_length( struct SRPUser * usr ); -/* Output: username, bytes_A, len_A. If you don't want it get written, set username to NULL */ +/* Output: username, bytes_A, len_A. If you don't want it get written, set username to NULL. + * If bytes_a == NULL, random data is used for a. */ void srp_user_start_authentication( struct SRPUser * usr, const char ** username, + const unsigned char * bytes_a, int len_a, const unsigned char ** bytes_A, int * len_A ); /* Output: bytes_M, len_M (len_M may be null and will always be diff --git a/test_srp.c b/test_srp.c index 9c9bf67..92b22b7 100644 --- a/test_srp.c +++ b/test_srp.c @@ -18,15 +18,225 @@ unsigned long long get_usec() return (((unsigned long long)t.tv_sec) * 1000000) + t.tv_usec; } +// The test vectors from +// https://tools.ietf.org/html/rfc5054#appendix-B + +static const char srp_5054_salt[] = { + 0xBE, 0xB2, 0x53, 0x79, 0xD1, 0xA8, 0x58, 0x1E, + 0xB5, 0xA7, 0x27, 0x67, 0x3A, 0x24, 0x41, 0xEE, +}; + +static const char srp_5054_v[] = { + 0x7E, 0x27, 0x3D, 0xE8, 0x69, 0x6F, 0xFC, 0x4F, + 0x4E, 0x33, 0x7D, 0x05, 0xB4, 0xB3, 0x75, 0xBE, + 0xB0, 0xDD, 0xE1, 0x56, 0x9E, 0x8F, 0xA0, 0x0A, + 0x98, 0x86, 0xD8, 0x12, 0x9B, 0xAD, 0xA1, 0xF1, + 0x82, 0x22, 0x23, 0xCA, 0x1A, 0x60, 0x5B, 0x53, + 0x0E, 0x37, 0x9B, 0xA4, 0x72, 0x9F, 0xDC, 0x59, + 0xF1, 0x05, 0xB4, 0x78, 0x7E, 0x51, 0x86, 0xF5, + 0xC6, 0x71, 0x08, 0x5A, 0x14, 0x47, 0xB5, 0x2A, + 0x48, 0xCF, 0x19, 0x70, 0xB4, 0xFB, 0x6F, 0x84, + 0x00, 0xBB, 0xF4, 0xCE, 0xBF, 0xBB, 0x16, 0x81, + 0x52, 0xE0, 0x8A, 0xB5, 0xEA, 0x53, 0xD1, 0x5C, + 0x1A, 0xFF, 0x87, 0xB2, 0xB9, 0xDA, 0x6E, 0x04, + 0xE0, 0x58, 0xAD, 0x51, 0xCC, 0x72, 0xBF, 0xC9, + 0x03, 0x3B, 0x56, 0x4E, 0x26, 0x48, 0x0D, 0x78, + 0xE9, 0x55, 0xA5, 0xE2, 0x9E, 0x7A, 0xB2, 0x45, + 0xDB, 0x2B, 0xE3, 0x15, 0xE2, 0x09, 0x9A, 0xFB, +}; + +static const char srp_5054_a[] = { + 0x60, 0x97, 0x55, 0x27, 0x03, 0x5C, 0xF2, 0xAD, + 0x19, 0x89, 0x80, 0x6F, 0x04, 0x07, 0x21, 0x0B, + 0xC8, 0x1E, 0xDC, 0x04, 0xE2, 0x76, 0x2A, 0x56, + 0xAF, 0xD5, 0x29, 0xDD, 0xDA, 0x2D, 0x43, 0x93, +}; + +static const char srp_5054_A[] = { + 0x61, 0xD5, 0xE4, 0x90, 0xF6, 0xF1, 0xB7, 0x95, + 0x47, 0xB0, 0x70, 0x4C, 0x43, 0x6F, 0x52, 0x3D, + 0xD0, 0xE5, 0x60, 0xF0, 0xC6, 0x41, 0x15, 0xBB, + 0x72, 0x55, 0x7E, 0xC4, 0x43, 0x52, 0xE8, 0x90, + 0x32, 0x11, 0xC0, 0x46, 0x92, 0x27, 0x2D, 0x8B, + 0x2D, 0x1A, 0x53, 0x58, 0xA2, 0xCF, 0x1B, 0x6E, + 0x0B, 0xFC, 0xF9, 0x9F, 0x92, 0x15, 0x30, 0xEC, + 0x8E, 0x39, 0x35, 0x61, 0x79, 0xEA, 0xE4, 0x5E, + 0x42, 0xBA, 0x92, 0xAE, 0xAC, 0xED, 0x82, 0x51, + 0x71, 0xE1, 0xE8, 0xB9, 0xAF, 0x6D, 0x9C, 0x03, + 0xE1, 0x32, 0x7F, 0x44, 0xBE, 0x08, 0x7E, 0xF0, + 0x65, 0x30, 0xE6, 0x9F, 0x66, 0x61, 0x52, 0x61, + 0xEE, 0xF5, 0x40, 0x73, 0xCA, 0x11, 0xCF, 0x58, + 0x58, 0xF0, 0xED, 0xFD, 0xFE, 0x15, 0xEF, 0xEA, + 0xB3, 0x49, 0xEF, 0x5D, 0x76, 0x98, 0x8A, 0x36, + 0x72, 0xFA, 0xC4, 0x7B, 0x07, 0x69, 0x44, 0x7B, +}; + +static const char srp_5054_b[] = { + 0xE4, 0x87, 0xCB, 0x59, 0xD3, 0x1A, 0xC5, 0x50, + 0x47, 0x1E, 0x81, 0xF0, 0x0F, 0x69, 0x28, 0xE0, + 0x1D, 0xDA, 0x08, 0xE9, 0x74, 0xA0, 0x04, 0xF4, + 0x9E, 0x61, 0xF5, 0xD1, 0x05, 0x28, 0x4D, 0x20, +}; + +static const char srp_5054_B[] = { + 0xBD, 0x0C, 0x61, 0x51, 0x2C, 0x69, 0x2C, 0x0C, + 0xB6, 0xD0, 0x41, 0xFA, 0x01, 0xBB, 0x15, 0x2D, + 0x49, 0x16, 0xA1, 0xE7, 0x7A, 0xF4, 0x6A, 0xE1, + 0x05, 0x39, 0x30, 0x11, 0xBA, 0xF3, 0x89, 0x64, + 0xDC, 0x46, 0xA0, 0x67, 0x0D, 0xD1, 0x25, 0xB9, + 0x5A, 0x98, 0x16, 0x52, 0x23, 0x6F, 0x99, 0xD9, + 0xB6, 0x81, 0xCB, 0xF8, 0x78, 0x37, 0xEC, 0x99, + 0x6C, 0x6D, 0xA0, 0x44, 0x53, 0x72, 0x86, 0x10, + 0xD0, 0xC6, 0xDD, 0xB5, 0x8B, 0x31, 0x88, 0x85, + 0xD7, 0xD8, 0x2C, 0x7F, 0x8D, 0xEB, 0x75, 0xCE, + 0x7B, 0xD4, 0xFB, 0xAA, 0x37, 0x08, 0x9E, 0x6F, + 0x9C, 0x60, 0x59, 0xF3, 0x88, 0x83, 0x8E, 0x7A, + 0x00, 0x03, 0x0B, 0x33, 0x1E, 0xB7, 0x68, 0x40, + 0x91, 0x04, 0x40, 0xB1, 0xB2, 0x7A, 0xAE, 0xAE, + 0xEB, 0x40, 0x12, 0xB7, 0xD7, 0x66, 0x52, 0x38, + 0xA8, 0xE3, 0xFB, 0x00, 0x4B, 0x11, 0x7B, 0x58, +}; + +// This isn't used (yet) +static const char srp_5054_u[] = { + 0xCE, 0x38, 0xB9, 0x59, 0x34, 0x87, 0xDA, 0x98, + 0x55, 0x4E, 0xD4, 0x7D, 0x70, 0xA7, 0xAE, 0x5F, + 0x46, 0x2E, 0xF0, 0x19, +}; + +// This is SHA-1() +static const char srp_5054_S[] = { + 0x01, 0x7e, 0xef, 0xa1, 0xce, 0xfc, 0x5c, 0x2e, + 0x62, 0x6e, 0x21, 0x59, 0x89, 0x87, 0xf3, 0x1e, + 0x0f, 0x1b, 0x11, 0xbb, +}; + +int test_rfc_5054_compat() +{ + struct SRPVerifier * ver; + struct SRPUser * usr; + + const unsigned char * bytes_s = (const unsigned char *) srp_5054_salt; + const unsigned char * bytes_v = 0; + const unsigned char * bytes_A = 0; + const unsigned char * bytes_B = 0; + + const unsigned char * bytes_M = 0; + const unsigned char * bytes_HAMK = 0; + const unsigned char * bytes_S = 0; + + int len_s = 16; + int len_v = 0; + int len_A = 0; + int len_B = 0; + int len_M = 0; + int len_S = 0; + int i; + + const char * username = "alice"; + const char * password = "password123"; + + SRP_HashAlgorithm alg = SRP_SHA1; + SRP_NGType ng_type = SRP_NG_1024; //TEST_NG; + + printf("Testing RFC 5054 test vectors..."); + + srp_create_salted_verification_key( alg, ng_type, username, + (const unsigned char *)password, + strlen(password), &bytes_s, &len_s, &bytes_v, &len_v, NULL, NULL ); + + if (len_v != 128 || memcmp(&srp_5054_v, bytes_v, len_v) != 0) + { + printf(" computed v doesn't match!\n"); + return 1; + } + + usr = srp_user_new( alg, ng_type, username, username, + (const unsigned char *)password, + strlen(password), NULL, NULL ); + + srp_user_start_authentication( usr, NULL, srp_5054_a, 32, &bytes_A, &len_A ); + + if (memcmp(&srp_5054_A, bytes_A, len_A) != 0) + { + printf(" computed A doesn't match!\n"); + return 1; + } + + /* User -> Host: (username, bytes_A) */ + ver = srp_verifier_new( alg, ng_type, username, (const unsigned char *) srp_5054_salt, + len_s, bytes_v, len_v, bytes_A, len_A, srp_5054_b, 32, &bytes_B, + &len_B, NULL, NULL ); + + if ( !bytes_B ) + { + printf(" SRP-6a safety check violated for B!\n"); + return 1; + } + + if (memcmp(&srp_5054_B, bytes_B, len_B) != 0) + { + printf(" computed B doesn't match!\n"); + return 1; + } + + + /* Host -> User: (bytes_s, bytes_B) */ + srp_user_process_challenge( usr, (const unsigned char *) srp_5054_salt, len_s, bytes_B, len_B, &bytes_M, &len_M ); + + if ( !bytes_M ) + { + printf(" SRP-6a safety check violated for M!\n"); + goto cleanup; + } + + /* User -> Host: (bytes_M) */ + srp_verifier_verify_session( ver, bytes_M, &bytes_HAMK ); + + if ( !bytes_HAMK ) + { + printf(" user authentication failed!\n"); + goto cleanup; + } + + /* Host -> User: (HAMK) */ + srp_user_verify_session( usr, bytes_HAMK ); + + if ( !srp_user_is_authenticated(usr) ) + { + printf(" server authentication failed!\n"); + } + + bytes_S = srp_verifier_get_session_key(ver, &len_S); + + if (memcmp(&srp_5054_S, bytes_S, len_S) != 0) + { + printf(" computed session key doesn't match!\n"); + return 1; + } + + printf(" success.\n"); + + cleanup: + srp_verifier_delete( ver ); + srp_user_delete( usr ); + + free( (char *)bytes_v ); + + return 0; +} + const char * test_n_hex = "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496" "EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8E" "F4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA" "9AFD5138FE8376435B9FC61D2FC0EB06E3"; const char * test_g_hex = "2"; - int main( int argc, char * argv[] ) { + test_rfc_5054_compat(); + printf("Performing the speedtest.\n"); + struct SRPVerifier * ver; struct SRPUser * usr; @@ -80,11 +290,11 @@ int main( int argc, char * argv[] ) (const unsigned char *)password, strlen(password), n_hex, g_hex ); - srp_user_start_authentication( usr, NULL, &bytes_A, &len_A ); + srp_user_start_authentication( usr, NULL, NULL, 0, &bytes_A, &len_A ); /* User -> Host: (username, bytes_A) */ ver = srp_verifier_new( alg, ng_type, username, bytes_s, len_s, bytes_v, len_v, - bytes_A, len_A, & bytes_B, &len_B, n_hex, g_hex ); + bytes_A, len_A, NULL, 0, & bytes_B, &len_B, n_hex, g_hex ); if ( !bytes_B ) {