RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2025-01-03 16:22:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

- (dtucker) OpenBSD CVS Sync

Browse Source 
- djm@cvs.openbsd.org 2010/12/03 23:49:26
     [schnorr.c]
     check that g^x^q === 1 mod p; recommended by JPAKE author Feng Hao
     (this code is still disabled, but apprently people are treating it as
     a reference implementation)
This commit is contained in:
Darren Tucker 2010-12-05 09:00:30 +11:00
parent 37bb7568ab
commit 7336b904ff
2 changed files with 30 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog
View File

@ -1,6 +1,12 @@
20101205 20101205
- (dtucker) openbsd-compat/openssl-compat.c] remove sleep leftover from - (dtucker) openbsd-compat/openssl-compat.c] remove sleep leftover from
debugging. Spotted by djm. debugging. Spotted by djm.
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/12/03 23:49:26
[schnorr.c]
check that g^x^q === 1 mod p; recommended by JPAKE author Feng Hao
(this code is still disabled, but apprently people are treating it as
a reference implementation)
20101204 20101204
- (djm) [openbsd-compat/bindresvport.c] Use arc4random_uniform(range) - (djm) [openbsd-compat/bindresvport.c] Use arc4random_uniform(range)

30
schnorr.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: schnorr.c,v 1.4 2010/09/20 04:50:53 djm Exp $ */ /* $OpenBSD: schnorr.c,v 1.5 2010/12/03 23:49:26 djm Exp $ */
/* /*
* Copyright (c) 2008 Damien Miller. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved.
* *
@ -258,14 +258,15 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
const BIGNUM *r, const BIGNUM *e) const BIGNUM *r, const BIGNUM *e)
{ {
int success = -1; int success = -1;
BIGNUM *h, *g_xh, *g_r, *expected; BIGNUM *h = NULL, *g_xh = NULL, *g_r = NULL, *gx_q = NULL;
BIGNUM *expected = NULL;
BN_CTX *bn_ctx; BN_CTX *bn_ctx;
SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__)); SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
/* Avoid degenerate cases: g^0 yields a spoofable signature */ /* Avoid degenerate cases: g^0 yields a spoofable signature */
if (BN_cmp(g_x, BN_value_one()) <= 0) { if (BN_cmp(g_x, BN_value_one()) <= 0) {
error("%s: g_x < 1", __func__); error("%s: g_x <= 1", __func__);
return -1; return -1;
} }
if (BN_cmp(g_x, grp_p) >= 0) { if (BN_cmp(g_x, grp_p) >= 0) {
@ -280,6 +281,7 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
} }
if ((g_xh = BN_new()) == NULL || if ((g_xh = BN_new()) == NULL ||
(g_r = BN_new()) == NULL || (g_r = BN_new()) == NULL ||
(gx_q = BN_new()) == NULL ||
(expected = BN_new()) == NULL) { (expected = BN_new()) == NULL) {
error("%s: BN_new", __func__); error("%s: BN_new", __func__);
goto out; goto out;
@ -288,6 +290,17 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
SCHNORR_DEBUG_BN((e, "%s: e = ", __func__)); SCHNORR_DEBUG_BN((e, "%s: e = ", __func__));
SCHNORR_DEBUG_BN((r, "%s: r = ", __func__)); SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
/* gx_q = (g^x)^q must === 1 mod p */
if (BN_mod_exp(gx_q, g_x, grp_q, grp_p, bn_ctx) == -1) {
error("%s: BN_mod_exp (g_x^q mod p)", __func__);
goto out;
}
if (BN_cmp(gx_q, BN_value_one()) != 0) {
error("%s: Invalid signature (g^x)^q != 1 mod p", __func__);
goto out;
}
SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));
/* h = H(g || g^v || g^x || id) */ /* h = H(g || g^v || g^x || id) */
if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, e, g_x, if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, e, g_x,
id, idlen)) == NULL) { id, idlen)) == NULL) {
@ -322,9 +335,14 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
BN_CTX_free(bn_ctx); BN_CTX_free(bn_ctx);
if (h != NULL) if (h != NULL)
BN_clear_free(h); BN_clear_free(h);
BN_clear_free(g_xh); if (gx_q != NULL)
BN_clear_free(g_r); BN_clear_free(gx_q);
BN_clear_free(expected); if (g_xh != NULL)
BN_clear_free(g_xh);
if (g_r != NULL)
BN_clear_free(g_r);
if (expected != NULL)
BN_clear_free(expected);
return success; return success;
} }