Annotation of src/usr.bin/ssh/schnorr.c, Revision 1.7.2.1
1.7.2.1 ! djm 1: /* $OpenBSD: schnorr.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */
1.1 djm 2: /*
3: * Copyright (c) 2008 Damien Miller. All rights reserved.
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: */
17:
18: /*
19: * Implementation of Schnorr signatures / zero-knowledge proofs, based on
20: * description in:
21: *
22: * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
23: * 16th Workshop on Security Protocols, Cambridge, April 2008
24: *
25: * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
26: */
27:
28: #include <sys/types.h>
29:
30: #include <string.h>
31: #include <stdarg.h>
32: #include <stdio.h>
33:
34: #include <openssl/evp.h>
35: #include <openssl/bn.h>
36:
37: #include "xmalloc.h"
38: #include "buffer.h"
39: #include "log.h"
40:
1.3 djm 41: #include "schnorr.h"
1.1 djm 42:
43: /* #define SCHNORR_DEBUG */ /* Privacy-violating debugging */
44: /* #define SCHNORR_MAIN */ /* Include main() selftest */
45:
46: #ifndef SCHNORR_DEBUG
47: # define SCHNORR_DEBUG_BN(a)
48: # define SCHNORR_DEBUG_BUF(a)
49: #else
1.3 djm 50: # define SCHNORR_DEBUG_BN(a) debug3_bn a
51: # define SCHNORR_DEBUG_BUF(a) debug3_buf a
1.1 djm 52: #endif /* SCHNORR_DEBUG */
53:
54: /*
55: * Calculate hash component of Schnorr signature H(g || g^v || g^x || id)
1.3 djm 56: * using the hash function defined by "evp_md". Returns signature as
57: * bignum or NULL on error.
1.1 djm 58: */
59: static BIGNUM *
60: schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
1.3 djm 61: const EVP_MD *evp_md, const BIGNUM *g_v, const BIGNUM *g_x,
1.1 djm 62: const u_char *id, u_int idlen)
63: {
64: u_char *digest;
65: u_int digest_len;
66: BIGNUM *h;
67: Buffer b;
68: int success = -1;
69:
70: if ((h = BN_new()) == NULL) {
71: error("%s: BN_new", __func__);
72: return NULL;
73: }
74:
75: buffer_init(&b);
76:
1.2 djm 77: /* h = H(g || p || q || g^v || g^x || id) */
1.1 djm 78: buffer_put_bignum2(&b, g);
1.2 djm 79: buffer_put_bignum2(&b, p);
80: buffer_put_bignum2(&b, q);
1.1 djm 81: buffer_put_bignum2(&b, g_v);
82: buffer_put_bignum2(&b, g_x);
83: buffer_put_string(&b, id, idlen);
84:
85: SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
86: "%s: hashblob", __func__));
1.3 djm 87: if (hash_buffer(buffer_ptr(&b), buffer_len(&b), evp_md,
1.1 djm 88: &digest, &digest_len) != 0) {
89: error("%s: hash_buffer", __func__);
90: goto out;
91: }
92: if (BN_bin2bn(digest, (int)digest_len, h) == NULL) {
93: error("%s: BN_bin2bn", __func__);
94: goto out;
95: }
96: success = 0;
97: SCHNORR_DEBUG_BN((h, "%s: h = ", __func__));
98: out:
99: buffer_free(&b);
100: bzero(digest, digest_len);
1.7 djm 101: free(digest);
1.1 djm 102: digest_len = 0;
103: if (success == 0)
104: return h;
105: BN_clear_free(h);
106: return NULL;
107: }
108:
109: /*
110: * Generate Schnorr signature to prove knowledge of private value 'x' used
111: * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
1.3 djm 112: * using the hash function "evp_md".
1.1 djm 113: * 'idlen' bytes from 'id' will be included in the signature hash as an anti-
114: * replay salt.
1.3 djm 115: *
116: * On success, 0 is returned. The signature values are returned as *e_p
117: * (g^v mod p) and *r_p (v - xh mod q). The caller must free these values.
118: * On failure, -1 is returned.
1.1 djm 119: */
120: int
121: schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
1.3 djm 122: const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x,
123: const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p)
1.1 djm 124: {
125: int success = -1;
126: BIGNUM *h, *tmp, *v, *g_v, *r;
127: BN_CTX *bn_ctx;
128:
129: SCHNORR_DEBUG_BN((x, "%s: x = ", __func__));
130: SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
131:
132: /* Avoid degenerate cases: g^0 yields a spoofable signature */
133: if (BN_cmp(g_x, BN_value_one()) <= 0) {
134: error("%s: g_x < 1", __func__);
135: return -1;
136: }
1.4 djm 137: if (BN_cmp(g_x, grp_p) >= 0) {
138: error("%s: g_x > g", __func__);
139: return -1;
140: }
1.1 djm 141:
142: h = g_v = r = tmp = v = NULL;
143: if ((bn_ctx = BN_CTX_new()) == NULL) {
144: error("%s: BN_CTX_new", __func__);
145: goto out;
146: }
147: if ((g_v = BN_new()) == NULL ||
148: (r = BN_new()) == NULL ||
149: (tmp = BN_new()) == NULL) {
150: error("%s: BN_new", __func__);
151: goto out;
152: }
153:
154: /*
155: * v must be a random element of Zq, so 1 <= v < q
156: * we also exclude v = 1, since g^1 looks dangerous
157: */
158: if ((v = bn_rand_range_gt_one(grp_p)) == NULL) {
159: error("%s: bn_rand_range2", __func__);
160: goto out;
161: }
162: SCHNORR_DEBUG_BN((v, "%s: v = ", __func__));
163:
164: /* g_v = g^v mod p */
165: if (BN_mod_exp(g_v, grp_g, v, grp_p, bn_ctx) == -1) {
166: error("%s: BN_mod_exp (g^v mod p)", __func__);
167: goto out;
168: }
169: SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));
170:
171: /* h = H(g || g^v || g^x || id) */
1.3 djm 172: if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, g_v, g_x,
1.1 djm 173: id, idlen)) == NULL) {
174: error("%s: schnorr_hash failed", __func__);
175: goto out;
176: }
177:
178: /* r = v - xh mod q */
179: if (BN_mod_mul(tmp, x, h, grp_q, bn_ctx) == -1) {
180: error("%s: BN_mod_mul (tmp = xv mod q)", __func__);
181: goto out;
182: }
183: if (BN_mod_sub(r, v, tmp, grp_q, bn_ctx) == -1) {
184: error("%s: BN_mod_mul (r = v - tmp)", __func__);
185: goto out;
186: }
1.3 djm 187: SCHNORR_DEBUG_BN((g_v, "%s: e = ", __func__));
1.1 djm 188: SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
189:
1.3 djm 190: *e_p = g_v;
191: *r_p = r;
192:
193: success = 0;
194: out:
195: BN_CTX_free(bn_ctx);
196: if (h != NULL)
197: BN_clear_free(h);
198: if (v != NULL)
199: BN_clear_free(v);
200: BN_clear_free(tmp);
201:
202: return success;
203: }
204:
205: /*
206: * Generate Schnorr signature to prove knowledge of private value 'x' used
207: * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
208: * using a SHA256 hash.
209: * 'idlen' bytes from 'id' will be included in the signature hash as an anti-
210: * replay salt.
211: * On success, 0 is returned and *siglen bytes of signature are returned in
212: * *sig (caller to free). Returns -1 on failure.
213: */
214: int
215: schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
216: const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
217: u_char **sig, u_int *siglen)
218: {
219: Buffer b;
220: BIGNUM *r, *e;
221:
222: if (schnorr_sign(grp_p, grp_q, grp_g, EVP_sha256(),
223: x, g_x, id, idlen, &r, &e) != 0)
224: return -1;
225:
226: /* Signature is (e, r) */
1.1 djm 227: buffer_init(&b);
228: /* XXX sigtype-hash as string? */
1.3 djm 229: buffer_put_bignum2(&b, e);
1.1 djm 230: buffer_put_bignum2(&b, r);
231: *siglen = buffer_len(&b);
232: *sig = xmalloc(*siglen);
233: memcpy(*sig, buffer_ptr(&b), *siglen);
234: SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
235: "%s: sigblob", __func__));
236: buffer_free(&b);
1.3 djm 237:
1.1 djm 238: BN_clear_free(r);
1.3 djm 239: BN_clear_free(e);
1.1 djm 240:
1.3 djm 241: return 0;
1.1 djm 242: }
243:
244: /*
1.3 djm 245: * Verify Schnorr signature { r (v - xh mod q), e (g^v mod p) } against
246: * public exponent g_x (g^x) under group defined by 'grp_p', 'grp_q' and
247: * 'grp_g' using hash "evp_md".
1.1 djm 248: * Signature hash will be salted with 'idlen' bytes from 'id'.
249: * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
250: */
251: int
252: schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
1.3 djm 253: const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen,
254: const BIGNUM *r, const BIGNUM *e)
1.1 djm 255: {
256: int success = -1;
1.5 djm 257: BIGNUM *h = NULL, *g_xh = NULL, *g_r = NULL, *gx_q = NULL;
258: BIGNUM *expected = NULL;
1.1 djm 259: BN_CTX *bn_ctx;
260:
261: SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
262:
263: /* Avoid degenerate cases: g^0 yields a spoofable signature */
264: if (BN_cmp(g_x, BN_value_one()) <= 0) {
1.5 djm 265: error("%s: g_x <= 1", __func__);
1.4 djm 266: return -1;
267: }
268: if (BN_cmp(g_x, grp_p) >= 0) {
269: error("%s: g_x >= p", __func__);
1.1 djm 270: return -1;
271: }
272:
1.3 djm 273: h = g_xh = g_r = expected = NULL;
1.1 djm 274: if ((bn_ctx = BN_CTX_new()) == NULL) {
275: error("%s: BN_CTX_new", __func__);
276: goto out;
277: }
1.3 djm 278: if ((g_xh = BN_new()) == NULL ||
1.1 djm 279: (g_r = BN_new()) == NULL ||
1.5 djm 280: (gx_q = BN_new()) == NULL ||
1.1 djm 281: (expected = BN_new()) == NULL) {
282: error("%s: BN_new", __func__);
283: goto out;
284: }
285:
1.3 djm 286: SCHNORR_DEBUG_BN((e, "%s: e = ", __func__));
1.1 djm 287: SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
288:
1.5 djm 289: /* gx_q = (g^x)^q must === 1 mod p */
290: if (BN_mod_exp(gx_q, g_x, grp_q, grp_p, bn_ctx) == -1) {
291: error("%s: BN_mod_exp (g_x^q mod p)", __func__);
292: goto out;
293: }
294: if (BN_cmp(gx_q, BN_value_one()) != 0) {
295: error("%s: Invalid signature (g^x)^q != 1 mod p", __func__);
296: goto out;
297: }
298:
299: SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));
1.1 djm 300: /* h = H(g || g^v || g^x || id) */
1.3 djm 301: if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, e, g_x,
1.1 djm 302: id, idlen)) == NULL) {
303: error("%s: schnorr_hash failed", __func__);
304: goto out;
305: }
306:
307: /* g_xh = (g^x)^h */
308: if (BN_mod_exp(g_xh, g_x, h, grp_p, bn_ctx) == -1) {
309: error("%s: BN_mod_exp (g_x^h mod p)", __func__);
310: goto out;
311: }
312: SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));
313:
314: /* g_r = g^r */
315: if (BN_mod_exp(g_r, grp_g, r, grp_p, bn_ctx) == -1) {
316: error("%s: BN_mod_exp (g_x^h mod p)", __func__);
317: goto out;
318: }
319: SCHNORR_DEBUG_BN((g_r, "%s: g_r = ", __func__));
320:
321: /* expected = g^r * g_xh */
322: if (BN_mod_mul(expected, g_r, g_xh, grp_p, bn_ctx) == -1) {
323: error("%s: BN_mod_mul (expected = g_r mod p)", __func__);
324: goto out;
325: }
326: SCHNORR_DEBUG_BN((expected, "%s: expected = ", __func__));
327:
1.3 djm 328: /* Check e == expected */
329: success = BN_cmp(expected, e) == 0;
1.1 djm 330: out:
331: BN_CTX_free(bn_ctx);
332: if (h != NULL)
333: BN_clear_free(h);
1.5 djm 334: if (gx_q != NULL)
335: BN_clear_free(gx_q);
336: if (g_xh != NULL)
337: BN_clear_free(g_xh);
338: if (g_r != NULL)
339: BN_clear_free(g_r);
340: if (expected != NULL)
341: BN_clear_free(expected);
1.1 djm 342: return success;
343: }
344:
1.3 djm 345: /*
346: * Verify Schnorr signature 'sig' of length 'siglen' against public exponent
347: * g_x (g^x) under group defined by 'grp_p', 'grp_q' and 'grp_g' using a
348: * SHA256 hash.
349: * Signature hash will be salted with 'idlen' bytes from 'id'.
350: * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
351: */
352: int
353: schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q,
354: const BIGNUM *grp_g,
355: const BIGNUM *g_x, const u_char *id, u_int idlen,
356: const u_char *sig, u_int siglen)
357: {
358: Buffer b;
359: int ret = -1;
360: u_int rlen;
361: BIGNUM *r, *e;
362:
363: e = r = NULL;
364: if ((e = BN_new()) == NULL ||
365: (r = BN_new()) == NULL) {
366: error("%s: BN_new", __func__);
367: goto out;
368: }
369:
370: /* Extract g^v and r from signature blob */
371: buffer_init(&b);
372: buffer_append(&b, sig, siglen);
373: SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
374: "%s: sigblob", __func__));
375: buffer_get_bignum2(&b, e);
376: buffer_get_bignum2(&b, r);
377: rlen = buffer_len(&b);
378: buffer_free(&b);
379: if (rlen != 0) {
380: error("%s: remaining bytes in signature %d", __func__, rlen);
381: goto out;
382: }
383:
384: ret = schnorr_verify(grp_p, grp_q, grp_g, EVP_sha256(),
385: g_x, id, idlen, r, e);
386: out:
387: BN_clear_free(e);
388: BN_clear_free(r);
389:
390: return ret;
391: }
392:
393: /* Helper functions */
394:
395: /*
396: * Generate uniformly distributed random number in range (1, high).
397: * Return number on success, NULL on failure.
398: */
399: BIGNUM *
400: bn_rand_range_gt_one(const BIGNUM *high)
401: {
402: BIGNUM *r, *tmp;
403: int success = -1;
404:
405: if ((tmp = BN_new()) == NULL) {
406: error("%s: BN_new", __func__);
407: return NULL;
408: }
409: if ((r = BN_new()) == NULL) {
410: error("%s: BN_new failed", __func__);
411: goto out;
412: }
413: if (BN_set_word(tmp, 2) != 1) {
414: error("%s: BN_set_word(tmp, 2)", __func__);
415: goto out;
416: }
417: if (BN_sub(tmp, high, tmp) == -1) {
418: error("%s: BN_sub failed (tmp = high - 2)", __func__);
419: goto out;
420: }
421: if (BN_rand_range(r, tmp) == -1) {
422: error("%s: BN_rand_range failed", __func__);
423: goto out;
424: }
425: if (BN_set_word(tmp, 2) != 1) {
426: error("%s: BN_set_word(tmp, 2)", __func__);
427: goto out;
428: }
429: if (BN_add(r, r, tmp) == -1) {
430: error("%s: BN_add failed (r = r + 2)", __func__);
431: goto out;
432: }
433: success = 0;
434: out:
435: BN_clear_free(tmp);
436: if (success == 0)
437: return r;
438: BN_clear_free(r);
439: return NULL;
440: }
441:
442: /*
443: * Hash contents of buffer 'b' with hash 'md'. Returns 0 on success,
444: * with digest via 'digestp' (caller to free) and length via 'lenp'.
445: * Returns -1 on failure.
446: */
447: int
448: hash_buffer(const u_char *buf, u_int len, const EVP_MD *md,
449: u_char **digestp, u_int *lenp)
450: {
451: u_char digest[EVP_MAX_MD_SIZE];
452: u_int digest_len;
453: EVP_MD_CTX evp_md_ctx;
454: int success = -1;
455:
456: EVP_MD_CTX_init(&evp_md_ctx);
457:
458: if (EVP_DigestInit_ex(&evp_md_ctx, md, NULL) != 1) {
459: error("%s: EVP_DigestInit_ex", __func__);
460: goto out;
461: }
462: if (EVP_DigestUpdate(&evp_md_ctx, buf, len) != 1) {
463: error("%s: EVP_DigestUpdate", __func__);
464: goto out;
465: }
466: if (EVP_DigestFinal_ex(&evp_md_ctx, digest, &digest_len) != 1) {
467: error("%s: EVP_DigestFinal_ex", __func__);
468: goto out;
469: }
470: *digestp = xmalloc(digest_len);
471: *lenp = digest_len;
472: memcpy(*digestp, digest, *lenp);
473: success = 0;
474: out:
475: EVP_MD_CTX_cleanup(&evp_md_ctx);
476: bzero(digest, sizeof(digest));
477: digest_len = 0;
478: return success;
479: }
480:
481: /* print formatted string followed by bignum */
482: void
483: debug3_bn(const BIGNUM *n, const char *fmt, ...)
484: {
485: char *out, *h;
486: va_list args;
1.6 dtucker 487: int ret;
1.3 djm 488:
489: out = NULL;
490: va_start(args, fmt);
1.6 dtucker 491: ret = vasprintf(&out, fmt, args);
1.3 djm 492: va_end(args);
1.6 dtucker 493: if (ret == -1 || out == NULL)
1.3 djm 494: fatal("%s: vasprintf failed", __func__);
495:
496: if (n == NULL)
497: debug3("%s(null)", out);
498: else {
499: h = BN_bn2hex(n);
500: debug3("%s0x%s", out, h);
501: free(h);
502: }
503: free(out);
504: }
505:
506: /* print formatted string followed by buffer contents in hex */
507: void
508: debug3_buf(const u_char *buf, u_int len, const char *fmt, ...)
509: {
510: char *out, h[65];
511: u_int i, j;
512: va_list args;
1.6 dtucker 513: int ret;
1.3 djm 514:
515: out = NULL;
516: va_start(args, fmt);
1.6 dtucker 517: ret = vasprintf(&out, fmt, args);
1.3 djm 518: va_end(args);
1.6 dtucker 519: if (ret == -1 || out == NULL)
1.3 djm 520: fatal("%s: vasprintf failed", __func__);
521:
522: debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : "");
523: free(out);
524: if (buf == NULL)
525: return;
526:
527: *h = '\0';
528: for (i = j = 0; i < len; i++) {
529: snprintf(h + j, sizeof(h) - j, "%02x", buf[i]);
530: j += 2;
531: if (j >= sizeof(h) - 1 || i == len - 1) {
532: debug3(" %s", h);
533: *h = '\0';
534: j = 0;
535: }
536: }
537: }
538:
539: /*
540: * Construct a MODP group from hex strings p (which must be a safe
541: * prime) and g, automatically calculating subgroup q as (p / 2)
542: */
543: struct modp_group *
544: modp_group_from_g_and_safe_p(const char *grp_g, const char *grp_p)
545: {
546: struct modp_group *ret;
547:
1.7.2.1 ! djm 548: ret = xcalloc(1, sizeof(*ret));
1.3 djm 549: ret->p = ret->q = ret->g = NULL;
550: if (BN_hex2bn(&ret->p, grp_p) == 0 ||
551: BN_hex2bn(&ret->g, grp_g) == 0)
552: fatal("%s: BN_hex2bn", __func__);
553: /* Subgroup order is p/2 (p is a safe prime) */
554: if ((ret->q = BN_new()) == NULL)
555: fatal("%s: BN_new", __func__);
556: if (BN_rshift1(ret->q, ret->p) != 1)
557: fatal("%s: BN_rshift1", __func__);
558:
559: return ret;
560: }
561:
562: void
563: modp_group_free(struct modp_group *grp)
564: {
565: if (grp->g != NULL)
566: BN_clear_free(grp->g);
567: if (grp->p != NULL)
568: BN_clear_free(grp->p);
569: if (grp->q != NULL)
570: BN_clear_free(grp->q);
571: bzero(grp, sizeof(*grp));
1.7 djm 572: free(grp);
1.3 djm 573: }
574:
575: /* main() function for self-test */
576:
1.1 djm 577: #ifdef SCHNORR_MAIN
578: static void
579: schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
580: const BIGNUM *grp_g, const BIGNUM *x)
581: {
582: BIGNUM *g_x;
583: u_char *sig;
584: u_int siglen;
585: BN_CTX *bn_ctx;
586:
587: if ((bn_ctx = BN_CTX_new()) == NULL)
588: fatal("%s: BN_CTX_new", __func__);
589: if ((g_x = BN_new()) == NULL)
590: fatal("%s: BN_new", __func__);
591:
592: if (BN_mod_exp(g_x, grp_g, x, grp_p, bn_ctx) == -1)
593: fatal("%s: g_x", __func__);
1.3 djm 594: if (schnorr_sign_buf(grp_p, grp_q, grp_g, x, g_x, "junk", 4,
595: &sig, &siglen))
1.1 djm 596: fatal("%s: schnorr_sign", __func__);
1.3 djm 597: if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
1.1 djm 598: sig, siglen) != 1)
599: fatal("%s: verify fail", __func__);
1.3 djm 600: if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "JUNK", 4,
1.1 djm 601: sig, siglen) != 0)
602: fatal("%s: verify should have failed (bad ID)", __func__);
603: sig[4] ^= 1;
1.3 djm 604: if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
1.1 djm 605: sig, siglen) != 0)
606: fatal("%s: verify should have failed (bit error)", __func__);
1.7 djm 607: free(sig);
1.1 djm 608: BN_free(g_x);
609: BN_CTX_free(bn_ctx);
610: }
611:
612: static void
613: schnorr_selftest(void)
614: {
615: BIGNUM *x;
1.3 djm 616: struct modp_group *grp;
1.1 djm 617: u_int i;
618: char *hh;
619:
620: grp = jpake_default_group();
621: if ((x = BN_new()) == NULL)
622: fatal("%s: BN_new", __func__);
623: SCHNORR_DEBUG_BN((grp->p, "%s: grp->p = ", __func__));
624: SCHNORR_DEBUG_BN((grp->q, "%s: grp->q = ", __func__));
625: SCHNORR_DEBUG_BN((grp->g, "%s: grp->g = ", __func__));
626:
627: /* [1, 20) */
628: for (i = 1; i < 20; i++) {
629: printf("x = %u\n", i);
630: fflush(stdout);
631: if (BN_set_word(x, i) != 1)
632: fatal("%s: set x word", __func__);
633: schnorr_selftest_one(grp->p, grp->q, grp->g, x);
634: }
635:
636: /* 100 x random [0, p) */
637: for (i = 0; i < 100; i++) {
638: if (BN_rand_range(x, grp->p) != 1)
639: fatal("%s: BN_rand_range", __func__);
640: hh = BN_bn2hex(x);
641: printf("x = (random) 0x%s\n", hh);
642: free(hh);
643: fflush(stdout);
644: schnorr_selftest_one(grp->p, grp->q, grp->g, x);
645: }
646:
647: /* [q-20, q) */
648: if (BN_set_word(x, 20) != 1)
649: fatal("%s: BN_set_word (x = 20)", __func__);
650: if (BN_sub(x, grp->q, x) != 1)
651: fatal("%s: BN_sub (q - x)", __func__);
652: for (i = 0; i < 19; i++) {
653: hh = BN_bn2hex(x);
654: printf("x = (q - %d) 0x%s\n", 20 - i, hh);
655: free(hh);
656: fflush(stdout);
657: schnorr_selftest_one(grp->p, grp->q, grp->g, x);
658: if (BN_add(x, x, BN_value_one()) != 1)
659: fatal("%s: BN_add (x + 1)", __func__);
660: }
661: BN_free(x);
662: }
663:
664: int
665: main(int argc, char **argv)
666: {
667: log_init(argv[0], SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_USER, 1);
668:
669: schnorr_selftest();
670: return 0;
671: }
672: #endif
673: