2 * Copyright (c) 1997-1999 The Stanford SRP Authentication Project
5 * Permission is hereby granted, free of charge, to any person obtaining
6 * a copy of this software and associated documentation files (the
7 * "Software"), to deal in the Software without restriction, including
8 * without limitation the rights to use, copy, modify, merge, publish,
9 * distribute, sublicense, and/or sell copies of the Software, and to
10 * permit persons to whom the Software is furnished to do so, subject to
11 * the following conditions:
13 * The above copyright notice and this permission notice shall be
14 * included in all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
17 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
18 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
20 * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
21 * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
22 * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
23 * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
24 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
26 * In addition, the following conditions apply:
28 * 1. Any software that incorporates the SRP authentication technology
29 * must display the following acknowlegment:
30 * "This product uses the 'Secure Remote Password' cryptographic
31 * authentication system developed by Tom Wu (tjw@CS.Stanford.EDU)."
33 * 2. Any software that incorporates all or part of the SRP distribution
34 * itself must also display the following acknowledgment:
35 * "This product includes software developed by Tom Wu and Eugene
36 * Jhong for the SRP Distribution (http://srp.stanford.edu/srp/)."
38 * 3. Redistributions in source or binary form must retain an intact copy
39 * of this copyright notice and list of conditions.
43 #include "t_defines.h"
48 _TYPE( struct t_client * )
49 t_clientopen(u, n, g, s)
56 unsigned char buf1[SHA_DIGESTSIZE], buf2[SHA_DIGESTSIZE];
59 struct t_preconf * tpc;
61 BigInteger nn, gg, n12, r;
64 if(n->len < MIN_MOD_BYTES)
66 for(i = 0; i < t_getprecount(); ++i) {
67 tpc = t_getpreparam(i);
68 if(tpc->modulus.len == n->len && tpc->generator.len == g->len &&
69 memcmp(tpc->modulus.data, n->data, n->len) == 0 &&
70 memcmp(tpc->generator.data, g->data, g->len) == 0) {
71 validated = 1; /* Match found, done */
79 if((tc = malloc(sizeof(struct t_client))) == 0)
82 strncpy(tc->username, u, MAXUSERLEN);
87 tc->n.data = tc->nbuf;
88 memcpy(tc->n.data, n->data, tc->n.len);
91 SHA1Update(&ctxt, tc->n.data, tc->n.len);
92 SHA1Final(buf1, &ctxt);
95 tc->g.data = tc->gbuf;
96 memcpy(tc->g.data, g->data, tc->g.len);
99 SHA1Update(&ctxt, tc->g.data, tc->g.len);
100 SHA1Final(buf2, &ctxt);
102 for(i = 0; i < sizeof(buf1); ++i)
105 SHA1Update(&tc->hash, buf1, sizeof(buf1));
108 SHA1Update(&ctxt, tc->username, strlen(tc->username));
109 SHA1Final(buf1, &ctxt);
111 SHA1Update(&tc->hash, buf1, sizeof(buf1));
114 tc->s.data = tc->sbuf;
115 memcpy(tc->s.data, s->data, tc->s.len);
117 SHA1Update(&tc->hash, tc->s.data, tc->s.len);
119 tc->a.data = tc->abuf;
120 tc->A.data = tc->Abuf;
121 tc->p.data = tc->pbuf;
122 tc->v.data = tc->vbuf;
124 SHA1Init(&tc->ckhash);
129 _TYPE( struct t_num * )
131 struct t_client * tc;
133 BigInteger a, A, n, g;
136 tc->a.len = tc->n.len;
140 t_random(tc->a.data, tc->a.len);
141 a = BigIntegerFromBytes(tc->a.data, tc->a.len);
142 n = BigIntegerFromBytes(tc->n.data, tc->n.len);
143 g = BigIntegerFromBytes(tc->g.data, tc->g.len);
144 A = BigIntegerFromInt(0);
145 BigIntegerModExp(A, g, a, n);
146 tc->A.len = BigIntegerToBytes(A, tc->A.data);
153 SHA1Update(&tc->hash, tc->A.data, tc->A.len);
154 SHA1Update(&tc->ckhash, tc->A.data, tc->A.len);
160 t_clientpasswd(tc, password)
161 struct t_client * tc;
164 BigInteger n, g, p, v;
166 unsigned char dig[SHA_DIGESTSIZE];
168 n = BigIntegerFromBytes(tc->n.data, tc->n.len);
169 g = BigIntegerFromBytes(tc->g.data, tc->g.len);
172 SHA1Update(&ctxt, tc->username, strlen(tc->username));
173 SHA1Update(&ctxt, ":", 1);
174 SHA1Update(&ctxt, password, strlen(password));
175 SHA1Final(dig, &ctxt);
178 SHA1Update(&ctxt, tc->s.data, tc->s.len);
179 SHA1Update(&ctxt, dig, sizeof(dig));
180 SHA1Final(dig, &ctxt);
182 p = BigIntegerFromBytes(dig, sizeof(dig));
184 v = BigIntegerFromInt(0);
185 BigIntegerModExp(v, g, p, n);
187 tc->p.len = BigIntegerToBytes(p, tc->p.data);
190 tc->v.len = BigIntegerToBytes(v, tc->v.data);
194 _TYPE( unsigned char * )
195 t_clientgetkey(tc, serverval)
196 struct t_client * tc;
197 struct t_num * serverval;
199 BigInteger n, B, v, p, a, sum, S;
200 unsigned char sbuf[MAXPARAMLEN];
201 unsigned char dig[SHA_DIGESTSIZE];
207 SHA1Update(&ctxt, serverval->data, serverval->len);
208 SHA1Final(dig, &ctxt);
209 u = (dig[0] << 24) | (dig[1] << 16) | (dig[2] << 8) | dig[3];
213 SHA1Update(&tc->hash, serverval->data, serverval->len);
215 B = BigIntegerFromBytes(serverval->data, serverval->len);
216 n = BigIntegerFromBytes(tc->n.data, tc->n.len);
218 if(BigIntegerCmp(B, n) >= 0 || BigIntegerCmpInt(B, 0) == 0) {
223 v = BigIntegerFromBytes(tc->v.data, tc->v.len);
224 if(BigIntegerCmp(B, v) < 0)
225 BigIntegerAdd(B, B, n);
226 BigIntegerSub(B, B, v);
229 a = BigIntegerFromBytes(tc->a.data, tc->a.len);
230 p = BigIntegerFromBytes(tc->p.data, tc->p.len);
232 sum = BigIntegerFromInt(0);
233 BigIntegerMulInt(sum, p, u);
234 BigIntegerAdd(sum, sum, a);
239 S = BigIntegerFromInt(0);
240 BigIntegerModExp(S, B, sum, n);
241 slen = BigIntegerToBytes(S, sbuf);
248 t_sessionkey(tc->session_key, sbuf, slen);
249 memset(sbuf, 0, slen);
251 SHA1Update(&tc->hash, tc->session_key, sizeof(tc->session_key));
253 SHA1Final(tc->session_response, &tc->hash);
254 SHA1Update(&tc->ckhash, tc->session_response, sizeof(tc->session_response));
255 SHA1Update(&tc->ckhash, tc->session_key, sizeof(tc->session_key));
257 return tc->session_key;
261 t_clientverify(tc, resp)
262 struct t_client * tc;
263 unsigned char * resp;
265 unsigned char expected[SHA_DIGESTSIZE];
267 SHA1Final(expected, &tc->ckhash);
268 return memcmp(expected, resp, sizeof(expected));
271 _TYPE( unsigned char * )
273 struct t_client * tc;
275 return tc->session_response;
280 struct t_client * tc;
282 memset(tc->abuf, 0, sizeof(tc->abuf));
283 memset(tc->pbuf, 0, sizeof(tc->pbuf));
284 memset(tc->vbuf, 0, sizeof(tc->vbuf));
285 memset(tc->session_key, 0, sizeof(tc->session_key));