Annotation of src/usr.bin/ssh/schnorr.c, Revision 1.10
1.10 ! djm 1: /* $OpenBSD: schnorr.c,v 1.9 2014/01/09 23:20:00 djm Exp $ */
1.1 djm 2: /*
3: * Copyright (c) 2008 Damien Miller. All rights reserved.
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: */
17:
18: /*
19: * Implementation of Schnorr signatures / zero-knowledge proofs, based on
20: * description in:
21: *
22: * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
23: * 16th Workshop on Security Protocols, Cambridge, April 2008
24: *
25: * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
26: */
27:
28: #include <sys/types.h>
29:
30: #include <string.h>
31: #include <stdarg.h>
32: #include <stdio.h>
33:
34: #include <openssl/evp.h>
35: #include <openssl/bn.h>
36:
37: #include "xmalloc.h"
38: #include "buffer.h"
39: #include "log.h"
40:
1.3 djm 41: #include "schnorr.h"
1.9 djm 42: #include "digest.h"
1.1 djm 43:
44: /* #define SCHNORR_DEBUG */ /* Privacy-violating debugging */
45: /* #define SCHNORR_MAIN */ /* Include main() selftest */
46:
47: #ifndef SCHNORR_DEBUG
48: # define SCHNORR_DEBUG_BN(a)
49: # define SCHNORR_DEBUG_BUF(a)
50: #else
1.3 djm 51: # define SCHNORR_DEBUG_BN(a) debug3_bn a
52: # define SCHNORR_DEBUG_BUF(a) debug3_buf a
1.1 djm 53: #endif /* SCHNORR_DEBUG */
54:
55: /*
56: * Calculate hash component of Schnorr signature H(g || g^v || g^x || id)
1.9 djm 57: * using the hash function defined by "hash_alg". Returns signature as
1.3 djm 58: * bignum or NULL on error.
1.1 djm 59: */
60: static BIGNUM *
61: schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
1.9 djm 62: int hash_alg, const BIGNUM *g_v, const BIGNUM *g_x,
1.1 djm 63: const u_char *id, u_int idlen)
64: {
65: u_char *digest;
66: u_int digest_len;
67: BIGNUM *h;
68: Buffer b;
69: int success = -1;
70:
71: if ((h = BN_new()) == NULL) {
72: error("%s: BN_new", __func__);
73: return NULL;
74: }
75:
76: buffer_init(&b);
77:
1.2 djm 78: /* h = H(g || p || q || g^v || g^x || id) */
1.1 djm 79: buffer_put_bignum2(&b, g);
1.2 djm 80: buffer_put_bignum2(&b, p);
81: buffer_put_bignum2(&b, q);
1.1 djm 82: buffer_put_bignum2(&b, g_v);
83: buffer_put_bignum2(&b, g_x);
84: buffer_put_string(&b, id, idlen);
85:
86: SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
87: "%s: hashblob", __func__));
1.9 djm 88: if (hash_buffer(buffer_ptr(&b), buffer_len(&b), hash_alg,
1.1 djm 89: &digest, &digest_len) != 0) {
90: error("%s: hash_buffer", __func__);
91: goto out;
92: }
93: if (BN_bin2bn(digest, (int)digest_len, h) == NULL) {
94: error("%s: BN_bin2bn", __func__);
95: goto out;
96: }
97: success = 0;
98: SCHNORR_DEBUG_BN((h, "%s: h = ", __func__));
99: out:
100: buffer_free(&b);
101: bzero(digest, digest_len);
1.7 djm 102: free(digest);
1.1 djm 103: digest_len = 0;
104: if (success == 0)
105: return h;
106: BN_clear_free(h);
107: return NULL;
108: }
109:
110: /*
111: * Generate Schnorr signature to prove knowledge of private value 'x' used
112: * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
1.9 djm 113: * using the hash function "hash_alg".
1.1 djm 114: * 'idlen' bytes from 'id' will be included in the signature hash as an anti-
115: * replay salt.
1.3 djm 116: *
117: * On success, 0 is returned. The signature values are returned as *e_p
118: * (g^v mod p) and *r_p (v - xh mod q). The caller must free these values.
119: * On failure, -1 is returned.
1.1 djm 120: */
121: int
122: schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
1.9 djm 123: int hash_alg, const BIGNUM *x, const BIGNUM *g_x,
1.3 djm 124: const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p)
1.1 djm 125: {
126: int success = -1;
127: BIGNUM *h, *tmp, *v, *g_v, *r;
128: BN_CTX *bn_ctx;
129:
130: SCHNORR_DEBUG_BN((x, "%s: x = ", __func__));
131: SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
132:
133: /* Avoid degenerate cases: g^0 yields a spoofable signature */
134: if (BN_cmp(g_x, BN_value_one()) <= 0) {
135: error("%s: g_x < 1", __func__);
136: return -1;
137: }
1.4 djm 138: if (BN_cmp(g_x, grp_p) >= 0) {
139: error("%s: g_x > g", __func__);
140: return -1;
141: }
1.1 djm 142:
143: h = g_v = r = tmp = v = NULL;
144: if ((bn_ctx = BN_CTX_new()) == NULL) {
145: error("%s: BN_CTX_new", __func__);
146: goto out;
147: }
148: if ((g_v = BN_new()) == NULL ||
149: (r = BN_new()) == NULL ||
150: (tmp = BN_new()) == NULL) {
151: error("%s: BN_new", __func__);
152: goto out;
153: }
154:
155: /*
156: * v must be a random element of Zq, so 1 <= v < q
157: * we also exclude v = 1, since g^1 looks dangerous
158: */
159: if ((v = bn_rand_range_gt_one(grp_p)) == NULL) {
160: error("%s: bn_rand_range2", __func__);
161: goto out;
162: }
163: SCHNORR_DEBUG_BN((v, "%s: v = ", __func__));
164:
165: /* g_v = g^v mod p */
166: if (BN_mod_exp(g_v, grp_g, v, grp_p, bn_ctx) == -1) {
167: error("%s: BN_mod_exp (g^v mod p)", __func__);
168: goto out;
169: }
170: SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));
171:
172: /* h = H(g || g^v || g^x || id) */
1.9 djm 173: if ((h = schnorr_hash(grp_p, grp_q, grp_g, hash_alg, g_v, g_x,
1.1 djm 174: id, idlen)) == NULL) {
175: error("%s: schnorr_hash failed", __func__);
176: goto out;
177: }
178:
179: /* r = v - xh mod q */
180: if (BN_mod_mul(tmp, x, h, grp_q, bn_ctx) == -1) {
181: error("%s: BN_mod_mul (tmp = xv mod q)", __func__);
182: goto out;
183: }
184: if (BN_mod_sub(r, v, tmp, grp_q, bn_ctx) == -1) {
185: error("%s: BN_mod_mul (r = v - tmp)", __func__);
186: goto out;
187: }
1.3 djm 188: SCHNORR_DEBUG_BN((g_v, "%s: e = ", __func__));
1.1 djm 189: SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
190:
1.3 djm 191: *e_p = g_v;
192: *r_p = r;
193:
194: success = 0;
195: out:
196: BN_CTX_free(bn_ctx);
197: if (h != NULL)
198: BN_clear_free(h);
199: if (v != NULL)
200: BN_clear_free(v);
201: BN_clear_free(tmp);
202:
203: return success;
204: }
205:
206: /*
207: * Generate Schnorr signature to prove knowledge of private value 'x' used
208: * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
209: * using a SHA256 hash.
210: * 'idlen' bytes from 'id' will be included in the signature hash as an anti-
211: * replay salt.
212: * On success, 0 is returned and *siglen bytes of signature are returned in
213: * *sig (caller to free). Returns -1 on failure.
214: */
215: int
216: schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
217: const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
218: u_char **sig, u_int *siglen)
219: {
220: Buffer b;
221: BIGNUM *r, *e;
222:
1.9 djm 223: if (schnorr_sign(grp_p, grp_q, grp_g, SSH_DIGEST_SHA256,
1.3 djm 224: x, g_x, id, idlen, &r, &e) != 0)
225: return -1;
226:
227: /* Signature is (e, r) */
1.1 djm 228: buffer_init(&b);
229: /* XXX sigtype-hash as string? */
1.3 djm 230: buffer_put_bignum2(&b, e);
1.1 djm 231: buffer_put_bignum2(&b, r);
232: *siglen = buffer_len(&b);
233: *sig = xmalloc(*siglen);
234: memcpy(*sig, buffer_ptr(&b), *siglen);
235: SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
236: "%s: sigblob", __func__));
237: buffer_free(&b);
1.3 djm 238:
1.1 djm 239: BN_clear_free(r);
1.3 djm 240: BN_clear_free(e);
1.1 djm 241:
1.3 djm 242: return 0;
1.1 djm 243: }
244:
245: /*
1.3 djm 246: * Verify Schnorr signature { r (v - xh mod q), e (g^v mod p) } against
247: * public exponent g_x (g^x) under group defined by 'grp_p', 'grp_q' and
1.9 djm 248: * 'grp_g' using hash "hash_alg".
1.1 djm 249: * Signature hash will be salted with 'idlen' bytes from 'id'.
250: * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
251: */
252: int
253: schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
1.9 djm 254: int hash_alg, const BIGNUM *g_x, const u_char *id, u_int idlen,
1.3 djm 255: const BIGNUM *r, const BIGNUM *e)
1.1 djm 256: {
257: int success = -1;
1.5 djm 258: BIGNUM *h = NULL, *g_xh = NULL, *g_r = NULL, *gx_q = NULL;
259: BIGNUM *expected = NULL;
1.1 djm 260: BN_CTX *bn_ctx;
261:
262: SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
263:
264: /* Avoid degenerate cases: g^0 yields a spoofable signature */
265: if (BN_cmp(g_x, BN_value_one()) <= 0) {
1.5 djm 266: error("%s: g_x <= 1", __func__);
1.4 djm 267: return -1;
268: }
269: if (BN_cmp(g_x, grp_p) >= 0) {
270: error("%s: g_x >= p", __func__);
1.1 djm 271: return -1;
272: }
273:
1.3 djm 274: h = g_xh = g_r = expected = NULL;
1.1 djm 275: if ((bn_ctx = BN_CTX_new()) == NULL) {
276: error("%s: BN_CTX_new", __func__);
277: goto out;
278: }
1.3 djm 279: if ((g_xh = BN_new()) == NULL ||
1.1 djm 280: (g_r = BN_new()) == NULL ||
1.5 djm 281: (gx_q = BN_new()) == NULL ||
1.1 djm 282: (expected = BN_new()) == NULL) {
283: error("%s: BN_new", __func__);
284: goto out;
285: }
286:
1.3 djm 287: SCHNORR_DEBUG_BN((e, "%s: e = ", __func__));
1.1 djm 288: SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
289:
1.5 djm 290: /* gx_q = (g^x)^q must === 1 mod p */
291: if (BN_mod_exp(gx_q, g_x, grp_q, grp_p, bn_ctx) == -1) {
292: error("%s: BN_mod_exp (g_x^q mod p)", __func__);
293: goto out;
294: }
295: if (BN_cmp(gx_q, BN_value_one()) != 0) {
296: error("%s: Invalid signature (g^x)^q != 1 mod p", __func__);
297: goto out;
298: }
299:
300: SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));
1.1 djm 301: /* h = H(g || g^v || g^x || id) */
1.9 djm 302: if ((h = schnorr_hash(grp_p, grp_q, grp_g, hash_alg, e, g_x,
1.1 djm 303: id, idlen)) == NULL) {
304: error("%s: schnorr_hash failed", __func__);
305: goto out;
306: }
307:
308: /* g_xh = (g^x)^h */
309: if (BN_mod_exp(g_xh, g_x, h, grp_p, bn_ctx) == -1) {
310: error("%s: BN_mod_exp (g_x^h mod p)", __func__);
311: goto out;
312: }
313: SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));
314:
315: /* g_r = g^r */
316: if (BN_mod_exp(g_r, grp_g, r, grp_p, bn_ctx) == -1) {
317: error("%s: BN_mod_exp (g_x^h mod p)", __func__);
318: goto out;
319: }
320: SCHNORR_DEBUG_BN((g_r, "%s: g_r = ", __func__));
321:
322: /* expected = g^r * g_xh */
323: if (BN_mod_mul(expected, g_r, g_xh, grp_p, bn_ctx) == -1) {
324: error("%s: BN_mod_mul (expected = g_r mod p)", __func__);
325: goto out;
326: }
327: SCHNORR_DEBUG_BN((expected, "%s: expected = ", __func__));
328:
1.3 djm 329: /* Check e == expected */
330: success = BN_cmp(expected, e) == 0;
1.1 djm 331: out:
332: BN_CTX_free(bn_ctx);
333: if (h != NULL)
334: BN_clear_free(h);
1.5 djm 335: if (gx_q != NULL)
336: BN_clear_free(gx_q);
337: if (g_xh != NULL)
338: BN_clear_free(g_xh);
339: if (g_r != NULL)
340: BN_clear_free(g_r);
341: if (expected != NULL)
342: BN_clear_free(expected);
1.1 djm 343: return success;
344: }
345:
1.3 djm 346: /*
347: * Verify Schnorr signature 'sig' of length 'siglen' against public exponent
348: * g_x (g^x) under group defined by 'grp_p', 'grp_q' and 'grp_g' using a
349: * SHA256 hash.
350: * Signature hash will be salted with 'idlen' bytes from 'id'.
351: * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
352: */
353: int
354: schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q,
355: const BIGNUM *grp_g,
356: const BIGNUM *g_x, const u_char *id, u_int idlen,
357: const u_char *sig, u_int siglen)
358: {
359: Buffer b;
360: int ret = -1;
361: u_int rlen;
362: BIGNUM *r, *e;
363:
364: e = r = NULL;
365: if ((e = BN_new()) == NULL ||
366: (r = BN_new()) == NULL) {
367: error("%s: BN_new", __func__);
368: goto out;
369: }
370:
371: /* Extract g^v and r from signature blob */
372: buffer_init(&b);
373: buffer_append(&b, sig, siglen);
374: SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
375: "%s: sigblob", __func__));
376: buffer_get_bignum2(&b, e);
377: buffer_get_bignum2(&b, r);
378: rlen = buffer_len(&b);
379: buffer_free(&b);
380: if (rlen != 0) {
381: error("%s: remaining bytes in signature %d", __func__, rlen);
382: goto out;
383: }
384:
1.9 djm 385: ret = schnorr_verify(grp_p, grp_q, grp_g, SSH_DIGEST_SHA256,
1.3 djm 386: g_x, id, idlen, r, e);
387: out:
388: BN_clear_free(e);
389: BN_clear_free(r);
390:
391: return ret;
392: }
393:
394: /* Helper functions */
395:
396: /*
397: * Generate uniformly distributed random number in range (1, high).
398: * Return number on success, NULL on failure.
399: */
400: BIGNUM *
401: bn_rand_range_gt_one(const BIGNUM *high)
402: {
403: BIGNUM *r, *tmp;
404: int success = -1;
405:
406: if ((tmp = BN_new()) == NULL) {
407: error("%s: BN_new", __func__);
408: return NULL;
409: }
410: if ((r = BN_new()) == NULL) {
411: error("%s: BN_new failed", __func__);
412: goto out;
413: }
414: if (BN_set_word(tmp, 2) != 1) {
415: error("%s: BN_set_word(tmp, 2)", __func__);
416: goto out;
417: }
418: if (BN_sub(tmp, high, tmp) == -1) {
419: error("%s: BN_sub failed (tmp = high - 2)", __func__);
420: goto out;
421: }
422: if (BN_rand_range(r, tmp) == -1) {
423: error("%s: BN_rand_range failed", __func__);
424: goto out;
425: }
426: if (BN_set_word(tmp, 2) != 1) {
427: error("%s: BN_set_word(tmp, 2)", __func__);
428: goto out;
429: }
430: if (BN_add(r, r, tmp) == -1) {
431: error("%s: BN_add failed (r = r + 2)", __func__);
432: goto out;
433: }
434: success = 0;
435: out:
436: BN_clear_free(tmp);
437: if (success == 0)
438: return r;
439: BN_clear_free(r);
440: return NULL;
441: }
442:
1.9 djm 443: /* XXX convert all callers of this to use ssh_digest_memory() directly */
1.3 djm 444: /*
445: * Hash contents of buffer 'b' with hash 'md'. Returns 0 on success,
446: * with digest via 'digestp' (caller to free) and length via 'lenp'.
447: * Returns -1 on failure.
448: */
449: int
1.9 djm 450: hash_buffer(const u_char *buf, u_int len, int hash_alg,
1.3 djm 451: u_char **digestp, u_int *lenp)
452: {
1.9 djm 453: u_char digest[SSH_DIGEST_MAX_LENGTH];
454: u_int digest_len = ssh_digest_bytes(hash_alg);
1.10 ! djm 455:
! 456: *digestp = NULL;
! 457: *lenp = 0;
1.3 djm 458:
1.9 djm 459: if (digest_len == 0) {
460: error("%s: invalid hash", __func__);
461: return -1;
1.3 djm 462: }
1.9 djm 463: if (ssh_digest_memory(hash_alg, buf, len, digest, digest_len) != 0) {
464: error("%s: digest_memory failed", __func__);
465: return -1;
1.3 djm 466: }
467: *digestp = xmalloc(digest_len);
468: *lenp = digest_len;
469: memcpy(*digestp, digest, *lenp);
470: bzero(digest, sizeof(digest));
471: digest_len = 0;
1.9 djm 472: return 0;
1.3 djm 473: }
474:
475: /* print formatted string followed by bignum */
476: void
477: debug3_bn(const BIGNUM *n, const char *fmt, ...)
478: {
479: char *out, *h;
480: va_list args;
1.6 dtucker 481: int ret;
1.3 djm 482:
483: out = NULL;
484: va_start(args, fmt);
1.6 dtucker 485: ret = vasprintf(&out, fmt, args);
1.3 djm 486: va_end(args);
1.6 dtucker 487: if (ret == -1 || out == NULL)
1.3 djm 488: fatal("%s: vasprintf failed", __func__);
489:
490: if (n == NULL)
491: debug3("%s(null)", out);
492: else {
493: h = BN_bn2hex(n);
494: debug3("%s0x%s", out, h);
495: free(h);
496: }
497: free(out);
498: }
499:
500: /* print formatted string followed by buffer contents in hex */
501: void
502: debug3_buf(const u_char *buf, u_int len, const char *fmt, ...)
503: {
504: char *out, h[65];
505: u_int i, j;
506: va_list args;
1.6 dtucker 507: int ret;
1.3 djm 508:
509: out = NULL;
510: va_start(args, fmt);
1.6 dtucker 511: ret = vasprintf(&out, fmt, args);
1.3 djm 512: va_end(args);
1.6 dtucker 513: if (ret == -1 || out == NULL)
1.3 djm 514: fatal("%s: vasprintf failed", __func__);
515:
516: debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : "");
517: free(out);
518: if (buf == NULL)
519: return;
520:
521: *h = '\0';
522: for (i = j = 0; i < len; i++) {
523: snprintf(h + j, sizeof(h) - j, "%02x", buf[i]);
524: j += 2;
525: if (j >= sizeof(h) - 1 || i == len - 1) {
526: debug3(" %s", h);
527: *h = '\0';
528: j = 0;
529: }
530: }
531: }
532:
533: /*
534: * Construct a MODP group from hex strings p (which must be a safe
535: * prime) and g, automatically calculating subgroup q as (p / 2)
536: */
537: struct modp_group *
538: modp_group_from_g_and_safe_p(const char *grp_g, const char *grp_p)
539: {
540: struct modp_group *ret;
541:
1.8 djm 542: ret = xcalloc(1, sizeof(*ret));
1.3 djm 543: ret->p = ret->q = ret->g = NULL;
544: if (BN_hex2bn(&ret->p, grp_p) == 0 ||
545: BN_hex2bn(&ret->g, grp_g) == 0)
546: fatal("%s: BN_hex2bn", __func__);
547: /* Subgroup order is p/2 (p is a safe prime) */
548: if ((ret->q = BN_new()) == NULL)
549: fatal("%s: BN_new", __func__);
550: if (BN_rshift1(ret->q, ret->p) != 1)
551: fatal("%s: BN_rshift1", __func__);
552:
553: return ret;
554: }
555:
556: void
557: modp_group_free(struct modp_group *grp)
558: {
559: if (grp->g != NULL)
560: BN_clear_free(grp->g);
561: if (grp->p != NULL)
562: BN_clear_free(grp->p);
563: if (grp->q != NULL)
564: BN_clear_free(grp->q);
565: bzero(grp, sizeof(*grp));
1.7 djm 566: free(grp);
1.3 djm 567: }
568:
569: /* main() function for self-test */
570:
1.1 djm 571: #ifdef SCHNORR_MAIN
572: static void
573: schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
574: const BIGNUM *grp_g, const BIGNUM *x)
575: {
576: BIGNUM *g_x;
577: u_char *sig;
578: u_int siglen;
579: BN_CTX *bn_ctx;
580:
581: if ((bn_ctx = BN_CTX_new()) == NULL)
582: fatal("%s: BN_CTX_new", __func__);
583: if ((g_x = BN_new()) == NULL)
584: fatal("%s: BN_new", __func__);
585:
586: if (BN_mod_exp(g_x, grp_g, x, grp_p, bn_ctx) == -1)
587: fatal("%s: g_x", __func__);
1.3 djm 588: if (schnorr_sign_buf(grp_p, grp_q, grp_g, x, g_x, "junk", 4,
589: &sig, &siglen))
1.1 djm 590: fatal("%s: schnorr_sign", __func__);
1.3 djm 591: if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
1.1 djm 592: sig, siglen) != 1)
593: fatal("%s: verify fail", __func__);
1.3 djm 594: if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "JUNK", 4,
1.1 djm 595: sig, siglen) != 0)
596: fatal("%s: verify should have failed (bad ID)", __func__);
597: sig[4] ^= 1;
1.3 djm 598: if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
1.1 djm 599: sig, siglen) != 0)
600: fatal("%s: verify should have failed (bit error)", __func__);
1.7 djm 601: free(sig);
1.1 djm 602: BN_free(g_x);
603: BN_CTX_free(bn_ctx);
604: }
605:
606: static void
607: schnorr_selftest(void)
608: {
609: BIGNUM *x;
1.3 djm 610: struct modp_group *grp;
1.1 djm 611: u_int i;
612: char *hh;
613:
614: grp = jpake_default_group();
615: if ((x = BN_new()) == NULL)
616: fatal("%s: BN_new", __func__);
617: SCHNORR_DEBUG_BN((grp->p, "%s: grp->p = ", __func__));
618: SCHNORR_DEBUG_BN((grp->q, "%s: grp->q = ", __func__));
619: SCHNORR_DEBUG_BN((grp->g, "%s: grp->g = ", __func__));
620:
621: /* [1, 20) */
622: for (i = 1; i < 20; i++) {
623: printf("x = %u\n", i);
624: fflush(stdout);
625: if (BN_set_word(x, i) != 1)
626: fatal("%s: set x word", __func__);
627: schnorr_selftest_one(grp->p, grp->q, grp->g, x);
628: }
629:
630: /* 100 x random [0, p) */
631: for (i = 0; i < 100; i++) {
632: if (BN_rand_range(x, grp->p) != 1)
633: fatal("%s: BN_rand_range", __func__);
634: hh = BN_bn2hex(x);
635: printf("x = (random) 0x%s\n", hh);
636: free(hh);
637: fflush(stdout);
638: schnorr_selftest_one(grp->p, grp->q, grp->g, x);
639: }
640:
641: /* [q-20, q) */
642: if (BN_set_word(x, 20) != 1)
643: fatal("%s: BN_set_word (x = 20)", __func__);
644: if (BN_sub(x, grp->q, x) != 1)
645: fatal("%s: BN_sub (q - x)", __func__);
646: for (i = 0; i < 19; i++) {
647: hh = BN_bn2hex(x);
648: printf("x = (q - %d) 0x%s\n", 20 - i, hh);
649: free(hh);
650: fflush(stdout);
651: schnorr_selftest_one(grp->p, grp->q, grp->g, x);
652: if (BN_add(x, x, BN_value_one()) != 1)
653: fatal("%s: BN_add (x + 1)", __func__);
654: }
655: BN_free(x);
656: }
657:
658: int
659: main(int argc, char **argv)
660: {
661: log_init(argv[0], SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_USER, 1);
662:
663: schnorr_selftest();
664: return 0;
665: }
666: #endif
667: