Return to schnorr.c CVS log

Up to [local] / src / usr.bin / ssh

Annotation of src/usr.bin/ssh/schnorr.c, Revision 1.2

1.2     ! djm         1: /* $OpenBSD: schnorr.c,v 1.1 2008/11/04 08:22:13 djm Exp $ */
1.1       djm         2: /*
                      3:  * Copyright (c) 2008 Damien Miller.  All rights reserved.
                      4:  *
                      5:  * Permission to use, copy, modify, and distribute this software for any
                      6:  * purpose with or without fee is hereby granted, provided that the above
                      7:  * copyright notice and this permission notice appear in all copies.
                      8:  *
                      9:  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
                     10:  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
                     11:  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
                     12:  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
                     13:  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
                     14:  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
                     15:  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
                     16:  */
                     17:
                     18: /*
                     19:  * Implementation of Schnorr signatures / zero-knowledge proofs, based on
                     20:  * description in:
                     21:  *
                     22:  * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
                     23:  * 16th Workshop on Security Protocols, Cambridge, April 2008
                     24:  *
                     25:  * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
                     26:  */
                     27:
                     28: #include <sys/types.h>
                     29:
                     30: #include <string.h>
                     31: #include <stdarg.h>
                     32: #include <stdio.h>
                     33:
                     34: #include <openssl/evp.h>
                     35: #include <openssl/bn.h>
                     36:
                     37: #include "xmalloc.h"
                     38: #include "buffer.h"
                     39: #include "log.h"
                     40:
                     41: #include "jpake.h"
                     42:
                     43: /* #define SCHNORR_DEBUG */            /* Privacy-violating debugging */
                     44: /* #define SCHNORR_MAIN */             /* Include main() selftest */
                     45:
                     46: /* XXX */
                     47: /* Parametise signature hash? (sha256, sha1, etc.) */
                     48: /* Signature format - include type name, hash type, group params? */
                     49:
                     50: #ifndef SCHNORR_DEBUG
                     51: # define SCHNORR_DEBUG_BN(a)
                     52: # define SCHNORR_DEBUG_BUF(a)
                     53: #else
                     54: # define SCHNORR_DEBUG_BN(a)   jpake_debug3_bn a
                     55: # define SCHNORR_DEBUG_BUF(a)  jpake_debug3_buf a
                     56: #endif /* SCHNORR_DEBUG */
                     57:
                     58: /*
                     59:  * Calculate hash component of Schnorr signature H(g || g^v || g^x || id)
                     60:  * using SHA1. Returns signature as bignum or NULL on error.
                     61:  */
                     62: static BIGNUM *
                     63: schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
                     64:     const BIGNUM *g_v, const BIGNUM *g_x,
                     65:     const u_char *id, u_int idlen)
                     66: {
                     67:        u_char *digest;
                     68:        u_int digest_len;
                     69:        BIGNUM *h;
                     70:        EVP_MD_CTX evp_md_ctx;
                     71:        Buffer b;
                     72:        int success = -1;
                     73:
                     74:        if ((h = BN_new()) == NULL) {
                     75:                error("%s: BN_new", __func__);
                     76:                return NULL;
                     77:        }
                     78:
                     79:        buffer_init(&b);
                     80:        EVP_MD_CTX_init(&evp_md_ctx);
                     81:
1.2     ! djm        82:        /* h = H(g || p || q || g^v || g^x || id) */
1.1       djm        83:        buffer_put_bignum2(&b, g);
1.2     ! djm        84:        buffer_put_bignum2(&b, p);
        !            85:        buffer_put_bignum2(&b, q);
1.1       djm        86:        buffer_put_bignum2(&b, g_v);
                     87:        buffer_put_bignum2(&b, g_x);
                     88:        buffer_put_string(&b, id, idlen);
                     89:
                     90:        SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
                     91:            "%s: hashblob", __func__));
                     92:        if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
                     93:            &digest, &digest_len) != 0) {
                     94:                error("%s: hash_buffer", __func__);
                     95:                goto out;
                     96:        }
                     97:        if (BN_bin2bn(digest, (int)digest_len, h) == NULL) {
                     98:                error("%s: BN_bin2bn", __func__);
                     99:                goto out;
                    100:        }
                    101:        success = 0;
                    102:        SCHNORR_DEBUG_BN((h, "%s: h = ", __func__));
                    103:  out:
                    104:        buffer_free(&b);
                    105:        EVP_MD_CTX_cleanup(&evp_md_ctx);
                    106:        bzero(digest, digest_len);
                    107:        xfree(digest);
                    108:        digest_len = 0;
                    109:        if (success == 0)
                    110:                return h;
                    111:        BN_clear_free(h);
                    112:        return NULL;
                    113: }
                    114:
                    115: /*
                    116:  * Generate Schnorr signature to prove knowledge of private value 'x' used
                    117:  * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
                    118:  * 'idlen' bytes from 'id' will be included in the signature hash as an anti-
                    119:  * replay salt.
                    120:  * On success, 0 is returned and *siglen bytes of signature are returned in
                    121:  * *sig (caller to free). Returns -1 on failure.
                    122:  */
                    123: int
                    124: schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
                    125:     const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
                    126:     u_char **sig, u_int *siglen)
                    127: {
                    128:        int success = -1;
                    129:        Buffer b;
                    130:        BIGNUM *h, *tmp, *v, *g_v, *r;
                    131:        BN_CTX *bn_ctx;
                    132:
                    133:        SCHNORR_DEBUG_BN((x, "%s: x = ", __func__));
                    134:        SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
                    135:
                    136:        /* Avoid degenerate cases: g^0 yields a spoofable signature */
                    137:        if (BN_cmp(g_x, BN_value_one()) <= 0) {
                    138:                error("%s: g_x < 1", __func__);
                    139:                return -1;
                    140:        }
                    141:
                    142:        h = g_v = r = tmp = v = NULL;
                    143:        if ((bn_ctx = BN_CTX_new()) == NULL) {
                    144:                error("%s: BN_CTX_new", __func__);
                    145:                goto out;
                    146:        }
                    147:        if ((g_v = BN_new()) == NULL ||
                    148:            (r = BN_new()) == NULL ||
                    149:            (tmp = BN_new()) == NULL) {
                    150:                error("%s: BN_new", __func__);
                    151:                goto out;
                    152:        }
                    153:
                    154:        /*
                    155:         * v must be a random element of Zq, so 1 <= v < q
                    156:         * we also exclude v = 1, since g^1 looks dangerous
                    157:         */
                    158:        if ((v = bn_rand_range_gt_one(grp_p)) == NULL) {
                    159:                error("%s: bn_rand_range2", __func__);
                    160:                goto out;
                    161:        }
                    162:        SCHNORR_DEBUG_BN((v, "%s: v = ", __func__));
                    163:
                    164:        /* g_v = g^v mod p */
                    165:        if (BN_mod_exp(g_v, grp_g, v, grp_p, bn_ctx) == -1) {
                    166:                error("%s: BN_mod_exp (g^v mod p)", __func__);
                    167:                goto out;
                    168:        }
                    169:        SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));
                    170:
                    171:        /* h = H(g || g^v || g^x || id) */
                    172:        if ((h = schnorr_hash(grp_p, grp_q, grp_g, g_v, g_x,
                    173:            id, idlen)) == NULL) {
                    174:                error("%s: schnorr_hash failed", __func__);
                    175:                goto out;
                    176:        }
                    177:
                    178:        /* r = v - xh mod q */
                    179:        if (BN_mod_mul(tmp, x, h, grp_q, bn_ctx) == -1) {
                    180:                error("%s: BN_mod_mul (tmp = xv mod q)", __func__);
                    181:                goto out;
                    182:        }
                    183:        if (BN_mod_sub(r, v, tmp, grp_q, bn_ctx) == -1) {
                    184:                error("%s: BN_mod_mul (r = v - tmp)", __func__);
                    185:                goto out;
                    186:        }
                    187:        SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
                    188:
                    189:        /* Signature is (g_v, r) */
                    190:        buffer_init(&b);
                    191:        /* XXX sigtype-hash as string? */
                    192:        buffer_put_bignum2(&b, g_v);
                    193:        buffer_put_bignum2(&b, r);
                    194:        *siglen = buffer_len(&b);
                    195:        *sig = xmalloc(*siglen);
                    196:        memcpy(*sig, buffer_ptr(&b), *siglen);
                    197:        SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
                    198:            "%s: sigblob", __func__));
                    199:        buffer_free(&b);
                    200:        success = 0;
                    201:  out:
                    202:        BN_CTX_free(bn_ctx);
                    203:        if (h != NULL)
                    204:                BN_clear_free(h);
                    205:        if (v != NULL)
                    206:                BN_clear_free(v);
                    207:        BN_clear_free(r);
                    208:        BN_clear_free(g_v);
                    209:        BN_clear_free(tmp);
                    210:
                    211:        return success;
                    212: }
                    213:
                    214: /*
                    215:  * Verify Schnorr signature 'sig' of length 'siglen' against public exponent
                    216:  * g_x (g^x) under group defined by 'grp_p', 'grp_q' and 'grp_g'.
                    217:  * Signature hash will be salted with 'idlen' bytes from 'id'.
                    218:  * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
                    219:  */
                    220: int
                    221: schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
                    222:     const BIGNUM *g_x, const u_char *id, u_int idlen,
                    223:     const u_char *sig, u_int siglen)
                    224: {
                    225:        int success = -1;
                    226:        Buffer b;
                    227:        BIGNUM *g_v, *h, *r, *g_xh, *g_r, *expected;
                    228:        BN_CTX *bn_ctx;
                    229:        u_int rlen;
                    230:
                    231:        SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
                    232:
                    233:        /* Avoid degenerate cases: g^0 yields a spoofable signature */
                    234:        if (BN_cmp(g_x, BN_value_one()) <= 0) {
                    235:                error("%s: g_x < 1", __func__);
                    236:                return -1;
                    237:        }
                    238:
                    239:        g_v = h = r = g_xh = g_r = expected = NULL;
                    240:        if ((bn_ctx = BN_CTX_new()) == NULL) {
                    241:                error("%s: BN_CTX_new", __func__);
                    242:                goto out;
                    243:        }
                    244:        if ((g_v = BN_new()) == NULL ||
                    245:            (r = BN_new()) == NULL ||
                    246:            (g_xh = BN_new()) == NULL ||
                    247:            (g_r = BN_new()) == NULL ||
                    248:            (expected = BN_new()) == NULL) {
                    249:                error("%s: BN_new", __func__);
                    250:                goto out;
                    251:        }
                    252:
                    253:        /* Extract g^v and r from signature blob */
                    254:        buffer_init(&b);
                    255:        buffer_append(&b, sig, siglen);
                    256:        SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
                    257:            "%s: sigblob", __func__));
                    258:        buffer_get_bignum2(&b, g_v);
                    259:        buffer_get_bignum2(&b, r);
                    260:        rlen = buffer_len(&b);
                    261:        buffer_free(&b);
                    262:        if (rlen != 0) {
                    263:                error("%s: remaining bytes in signature %d", __func__, rlen);
                    264:                goto out;
                    265:        }
                    266:        buffer_free(&b);
                    267:        SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));
                    268:        SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
                    269:
                    270:        /* h = H(g || g^v || g^x || id) */
                    271:        if ((h = schnorr_hash(grp_p, grp_q, grp_g, g_v, g_x,
                    272:            id, idlen)) == NULL) {
                    273:                error("%s: schnorr_hash failed", __func__);
                    274:                goto out;
                    275:        }
                    276:
                    277:        /* g_xh = (g^x)^h */
                    278:        if (BN_mod_exp(g_xh, g_x, h, grp_p, bn_ctx) == -1) {
                    279:                error("%s: BN_mod_exp (g_x^h mod p)", __func__);
                    280:                goto out;
                    281:        }
                    282:        SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));
                    283:
                    284:        /* g_r = g^r */
                    285:        if (BN_mod_exp(g_r, grp_g, r, grp_p, bn_ctx) == -1) {
                    286:                error("%s: BN_mod_exp (g_x^h mod p)", __func__);
                    287:                goto out;
                    288:        }
                    289:        SCHNORR_DEBUG_BN((g_r, "%s: g_r = ", __func__));
                    290:
                    291:        /* expected = g^r * g_xh */
                    292:        if (BN_mod_mul(expected, g_r, g_xh, grp_p, bn_ctx) == -1) {
                    293:                error("%s: BN_mod_mul (expected = g_r mod p)", __func__);
                    294:                goto out;
                    295:        }
                    296:        SCHNORR_DEBUG_BN((expected, "%s: expected = ", __func__));
                    297:
                    298:        /* Check g_v == expected */
                    299:        success = BN_cmp(expected, g_v) == 0;
                    300:  out:
                    301:        BN_CTX_free(bn_ctx);
                    302:        if (h != NULL)
                    303:                BN_clear_free(h);
                    304:        BN_clear_free(g_v);
                    305:        BN_clear_free(r);
                    306:        BN_clear_free(g_xh);
                    307:        BN_clear_free(g_r);
                    308:        BN_clear_free(expected);
                    309:        return success;
                    310: }
                    311:
                    312: #ifdef SCHNORR_MAIN
                    313: static void
                    314: schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
                    315:     const BIGNUM *grp_g, const BIGNUM *x)
                    316: {
                    317:        BIGNUM *g_x;
                    318:        u_char *sig;
                    319:        u_int siglen;
                    320:        BN_CTX *bn_ctx;
                    321:
                    322:        if ((bn_ctx = BN_CTX_new()) == NULL)
                    323:                fatal("%s: BN_CTX_new", __func__);
                    324:        if ((g_x = BN_new()) == NULL)
                    325:                fatal("%s: BN_new", __func__);
                    326:
                    327:        if (BN_mod_exp(g_x, grp_g, x, grp_p, bn_ctx) == -1)
                    328:                fatal("%s: g_x", __func__);
                    329:        if (schnorr_sign(grp_p, grp_q, grp_g, x, g_x, "junk", 4, &sig, &siglen))
                    330:                fatal("%s: schnorr_sign", __func__);
                    331:        if (schnorr_verify(grp_p, grp_q, grp_g, g_x, "junk", 4,
                    332:            sig, siglen) != 1)
                    333:                fatal("%s: verify fail", __func__);
                    334:        if (schnorr_verify(grp_p, grp_q, grp_g, g_x, "JUNK", 4,
                    335:            sig, siglen) != 0)
                    336:                fatal("%s: verify should have failed (bad ID)", __func__);
                    337:        sig[4] ^= 1;
                    338:        if (schnorr_verify(grp_p, grp_q, grp_g, g_x, "junk", 4,
                    339:            sig, siglen) != 0)
                    340:                fatal("%s: verify should have failed (bit error)", __func__);
                    341:        xfree(sig);
                    342:        BN_free(g_x);
                    343:        BN_CTX_free(bn_ctx);
                    344: }
                    345:
                    346: static void
                    347: schnorr_selftest(void)
                    348: {
                    349:        BIGNUM *x;
                    350:        struct jpake_group *grp;
                    351:        u_int i;
                    352:        char *hh;
                    353:
                    354:        grp = jpake_default_group();
                    355:        if ((x = BN_new()) == NULL)
                    356:                fatal("%s: BN_new", __func__);
                    357:        SCHNORR_DEBUG_BN((grp->p, "%s: grp->p = ", __func__));
                    358:        SCHNORR_DEBUG_BN((grp->q, "%s: grp->q = ", __func__));
                    359:        SCHNORR_DEBUG_BN((grp->g, "%s: grp->g = ", __func__));
                    360:
                    361:        /* [1, 20) */
                    362:        for (i = 1; i < 20; i++) {
                    363:                printf("x = %u\n", i);
                    364:                fflush(stdout);
                    365:                if (BN_set_word(x, i) != 1)
                    366:                        fatal("%s: set x word", __func__);
                    367:                schnorr_selftest_one(grp->p, grp->q, grp->g, x);
                    368:        }
                    369:
                    370:        /* 100 x random [0, p) */
                    371:        for (i = 0; i < 100; i++) {
                    372:                if (BN_rand_range(x, grp->p) != 1)
                    373:                        fatal("%s: BN_rand_range", __func__);
                    374:                hh = BN_bn2hex(x);
                    375:                printf("x = (random) 0x%s\n", hh);
                    376:                free(hh);
                    377:                fflush(stdout);
                    378:                schnorr_selftest_one(grp->p, grp->q, grp->g, x);
                    379:        }
                    380:
                    381:        /* [q-20, q) */
                    382:        if (BN_set_word(x, 20) != 1)
                    383:                fatal("%s: BN_set_word (x = 20)", __func__);
                    384:        if (BN_sub(x, grp->q, x) != 1)
                    385:                fatal("%s: BN_sub (q - x)", __func__);
                    386:        for (i = 0; i < 19; i++) {
                    387:                hh = BN_bn2hex(x);
                    388:                printf("x = (q - %d) 0x%s\n", 20 - i, hh);
                    389:                free(hh);
                    390:                fflush(stdout);
                    391:                schnorr_selftest_one(grp->p, grp->q, grp->g, x);
                    392:                if (BN_add(x, x, BN_value_one()) != 1)
                    393:                        fatal("%s: BN_add (x + 1)", __func__);
                    394:        }
                    395:        BN_free(x);
                    396: }
                    397:
                    398: int
                    399: main(int argc, char **argv)
                    400: {
                    401:        log_init(argv[0], SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_USER, 1);
                    402:
                    403:        schnorr_selftest();
                    404:        return 0;
                    405: }
                    406: #endif
                    407: