2 * Copyright (c) 1997-1999 The Stanford SRP Authentication Project
5 * Permission is hereby granted, free of charge, to any person obtaining
6 * a copy of this software and associated documentation files (the
7 * "Software"), to deal in the Software without restriction, including
8 * without limitation the rights to use, copy, modify, merge, publish,
9 * distribute, sublicense, and/or sell copies of the Software, and to
10 * permit persons to whom the Software is furnished to do so, subject to
11 * the following conditions:
13 * The above copyright notice and this permission notice shall be
14 * included in all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
17 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
18 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
20 * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
21 * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
22 * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
23 * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
24 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
26 * In addition, the following conditions apply:
28 * 1. Any software that incorporates the SRP authentication technology
29 * must display the following acknowlegment:
30 * "This product uses the 'Secure Remote Password' cryptographic
31 * authentication system developed by Tom Wu (tjw@CS.Stanford.EDU)."
33 * 2. Any software that incorporates all or part of the SRP distribution
34 * itself must also display the following acknowledgment:
35 * "This product includes software developed by Tom Wu and Eugene
36 * Jhong for the SRP Distribution (http://srp.stanford.edu/srp/)."
38 * 3. Redistributions in source or binary form must retain an intact copy
39 * of this copyright notice and list of conditions.
43 #include "t_defines.h"
47 _TYPE( struct t_server * )
48 t_serveropenraw(ent, tce)
50 struct t_confent * tce;
53 unsigned char buf1[SHA_DIGESTSIZE], buf2[SHA_DIGESTSIZE];
57 if((ts = malloc(sizeof(struct t_server))) == 0)
60 SHA1Init(&ts->ckhash);
62 ts->index = ent->index;
63 ts->n.len = tce->modulus.len;
64 ts->n.data = ts->nbuf;
65 memcpy(ts->n.data, tce->modulus.data, ts->n.len);
68 SHA1Update(&ctxt, ts->n.data, ts->n.len);
69 SHA1Final(buf1, &ctxt);
71 ts->g.len = tce->generator.len;
72 ts->g.data = ts->gbuf;
73 memcpy(ts->g.data, tce->generator.data, ts->g.len);
76 SHA1Update(&ctxt, ts->g.data, ts->g.len);
77 SHA1Final(buf2, &ctxt);
79 for(i = 0; i < sizeof(buf1); ++i)
82 SHA1Update(&ts->ckhash, buf1, sizeof(buf1));
85 SHA1Update(&ctxt, ent->name, strlen(ent->name));
86 SHA1Final(buf1, &ctxt);
88 SHA1Update(&ts->ckhash, buf1, sizeof(buf1));
90 ts->v.len = ent->password.len;
91 ts->v.data = ts->vbuf;
92 memcpy(ts->v.data, ent->password.data, ts->v.len);
94 ts->s.len = ent->salt.len;
95 ts->s.data = ts->saltbuf;
96 memcpy(ts->s.data, ent->salt.data, ts->s.len);
98 SHA1Update(&ts->ckhash, ts->s.data, ts->s.len);
100 ts->b.data = ts->bbuf;
101 ts->B.data = ts->Bbuf;
104 SHA1Init(&ts->oldhash);
105 SHA1Init(&ts->oldckhash);
110 _TYPE( struct t_num * )
112 struct t_server * ts;
114 BigInteger b, B, v, n, g;
117 ts->b.len = ts->n.len;
121 t_random(ts->b.data, ts->b.len);
122 b = BigIntegerFromBytes(ts->b.data, ts->b.len);
123 n = BigIntegerFromBytes(ts->n.data, ts->n.len);
124 g = BigIntegerFromBytes(ts->g.data, ts->g.len);
125 B = BigIntegerFromInt(0);
126 BigIntegerModExp(B, g, b, n);
128 v = BigIntegerFromBytes(ts->v.data, ts->v.len);
129 BigIntegerAdd(B, B, v);
130 if(BigIntegerCmp(B, n) > 0)
131 BigIntegerSub(B, B, n);
133 ts->B.len = BigIntegerToBytes(B, ts->B.data);
141 SHA1Update(&ts->oldckhash, ts->B.data, ts->B.len);
146 _TYPE( unsigned char * )
147 t_servergetkey(ts, clientval)
148 struct t_server * ts;
149 struct t_num * clientval;
151 BigInteger n, v, A, b, prod, res, S;
153 unsigned char sbuf[MAXPARAMLEN];
154 unsigned char dig[SHA_DIGESTSIZE];
158 SHA1Update(&ts->ckhash, clientval->data, clientval->len);
159 SHA1Update(&ts->ckhash, ts->B.data, ts->B.len);
162 SHA1Update(&ctxt, ts->B.data, ts->B.len);
163 SHA1Final(dig, &ctxt);
164 u = (dig[0] << 24) | (dig[1] << 16) | (dig[2] << 8) | dig[3];
166 SHA1Update(&ts->oldhash, clientval->data, clientval->len);
167 SHA1Update(&ts->hash, clientval->data, clientval->len);
169 n = BigIntegerFromBytes(ts->n.data, ts->n.len);
170 b = BigIntegerFromBytes(ts->b.data, ts->b.len);
171 v = BigIntegerFromBytes(ts->v.data, ts->v.len);
172 A = BigIntegerFromBytes(clientval->data, clientval->len);
174 prod = BigIntegerFromInt(0);
175 BigIntegerModExpInt(prod, v, u, n);
176 res = BigIntegerFromInt(0);
177 BigIntegerModMul(res, prod, A, n);
181 BigIntegerFree(prod);
183 if(BigIntegerCmpInt(res, 1) <= 0) { /* Check for Av^u == 1 (mod n) */
190 S = BigIntegerFromInt(0);
192 BigIntegerAddInt(S, res, 1);
193 if(BigIntegerCmp(S, n) == 0) { /* Check for Av^u == -1 (mod n) */
201 BigIntegerModExp(S, res, b, n);
202 slen = BigIntegerToBytes(S, sbuf);
209 t_sessionkey(ts->session_key, sbuf, slen);
210 memset(sbuf, 0, slen);
212 SHA1Update(&ts->oldhash, ts->session_key, sizeof(ts->session_key));
213 SHA1Update(&ts->oldckhash, ts->session_key, sizeof(ts->session_key));
214 SHA1Update(&ts->ckhash, ts->session_key, sizeof(ts->session_key));
216 return ts->session_key;
220 t_serververify(ts, resp)
221 struct t_server * ts;
222 unsigned char * resp;
224 unsigned char expected[SHA_DIGESTSIZE];
227 SHA1Final(expected, &ts->oldckhash);
228 i = memcmp(expected, resp, sizeof(expected));
230 SHA1Final(ts->session_response, &ts->oldhash);
233 SHA1Final(expected, &ts->ckhash);
234 i = memcmp(expected, resp, sizeof(expected));
236 SHA1Update(&ts->hash, expected, sizeof(expected));
237 SHA1Update(&ts->hash, ts->session_key, sizeof(ts->session_key));
238 SHA1Final(ts->session_response, &ts->hash);
243 _TYPE( unsigned char * )
245 struct t_server * ts;
247 return ts->session_response;
252 struct t_server * ts;
254 memset(ts->bbuf, 0, sizeof(ts->bbuf));
255 memset(ts->vbuf, 0, sizeof(ts->vbuf));
256 memset(ts->saltbuf, 0, sizeof(ts->saltbuf));
257 memset(ts->session_key, 0, sizeof(ts->session_key));