/src/botan/src/lib/misc/srp6/srp6.cpp

Source (jump to first uncovered line)
/*
* SRP-6a (RFC 5054 compatatible)
* (C) 2011,2012,2019 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/srp6.h>
#include <botan/hash.h>
#include <botan/dl_group.h>
#include <botan/numthry.h>

namespace Botan {

namespace {

BigInt hash_seq(const std::string& hash_id,
                size_t pad_to,
                const BigInt& in1,
                const BigInt& in2)
   {
   std::unique_ptr<HashFunction> hash_fn(HashFunction::create_or_throw(hash_id));

   hash_fn->update(BigInt::encode_1363(in1, pad_to));
   hash_fn->update(BigInt::encode_1363(in2, pad_to));

   return BigInt::decode(hash_fn->final());
   }

BigInt compute_x(const std::string& hash_id,
                 const std::string& identifier,
                 const std::string& password,
                 const std::vector<uint8_t>& salt)
   {
   std::unique_ptr<HashFunction> hash_fn(HashFunction::create_or_throw(hash_id));

   hash_fn->update(identifier);
   hash_fn->update(":");
   hash_fn->update(password);

   secure_vector<uint8_t> inner_h = hash_fn->final();

   hash_fn->update(salt);
   hash_fn->update(inner_h);

   secure_vector<uint8_t> outer_h = hash_fn->final();

   return BigInt::decode(outer_h);
   }

}

std::string srp6_group_identifier(const BigInt& N, const BigInt& g)
   {
   /*
   This function assumes that only one 'standard' SRP parameter set has
   been defined for a particular bitsize. As of this writing that is the case.
   */
   try
      {
      const std::string group_name = "modp/srp/" + std::to_string(N.bits());

      DL_Group group(group_name);

      if(group.get_p() == N && group.get_g() == g)
         return group_name;
      }
   catch(...)
      {
      }

   // If we didn't return, the group was unknown or did not match
   throw Invalid_Argument("Invalid or unknown SRP group parameters");
   }

std::pair<BigInt, SymmetricKey>
srp6_client_agree(const std::string& identifier,
                  const std::string& password,
                  const std::string& group_id,
                  const std::string& hash_id,
                  const std::vector<uint8_t>& salt,
                  const BigInt& B,
                  RandomNumberGenerator& rng)
   {
   DL_Group group(group_id);
   const size_t a_bits = group.exponent_bits();

   return srp6_client_agree(identifier, password, group, hash_id, salt, B, a_bits, rng);
   }

std::pair<BigInt, SymmetricKey>
srp6_client_agree(const std::string& identifier,
                  const std::string& password,
                  const DL_Group& group,
                  const std::string& hash_id,
                  const std::vector<uint8_t>& salt,
                  const BigInt& B,
                  const size_t a_bits,
                  RandomNumberGenerator& rng)
   {
   const BigInt& g = group.get_g();
   const BigInt& p = group.get_p();

   const size_t p_bytes = group.p_bytes();

   if(B <= 0 || B >= p)
      throw Decoding_Error("Invalid SRP parameter from server");

   const BigInt k = hash_seq(hash_id, p_bytes, p, g);

   const BigInt a(rng, a_bits);

   const BigInt A = group.power_g_p(a, a_bits);

   const BigInt u = hash_seq(hash_id, p_bytes, A, B);

   const BigInt x = compute_x(hash_id, identifier, password, salt);

   const BigInt S = power_mod(group.mod_p(B - (k * power_mod(g, x, p))),
                              group.mod_p(a + (u * x)), p);

   const SymmetricKey Sk(BigInt::encode_1363(S, p_bytes));

   return std::make_pair(A, Sk);
   }

BigInt generate_srp6_verifier(const std::string& identifier,
                              const std::string& password,
                              const std::vector<uint8_t>& salt,
                              const std::string& group_id,
                              const std::string& hash_id)
   {
   DL_Group group(group_id);
   return generate_srp6_verifier(identifier, password, salt, group, hash_id);
   }

BigInt generate_srp6_verifier(const std::string& identifier,
                              const std::string& password,
                              const std::vector<uint8_t>& salt,
                              const DL_Group& group,
                              const std::string& hash_id)
   {
   const BigInt x = compute_x(hash_id, identifier, password, salt);
   // FIXME: x should be size of hash fn so avoid computing x.bits() here
   return group.power_g_p(x, x.bits());
   }

BigInt SRP6_Server_Session::step1(const BigInt& v,
                                  const std::string& group_id,
                                  const std::string& hash_id,
                                  RandomNumberGenerator& rng)
   {
   DL_Group group(group_id);
   const size_t b_bits = group.exponent_bits();

   return this->step1(v, group, hash_id, b_bits, rng);
   }

BigInt SRP6_Server_Session::step1(const BigInt& v,
                                  const DL_Group& group,
                                  const std::string& hash_id,
                                  size_t b_bits,
                                  RandomNumberGenerator& rng)
   {
   const BigInt& g = group.get_g();
   const BigInt& p = group.get_p();

   m_p_bytes = p.bytes();
   m_v = v;
   m_b = BigInt(rng, b_bits);
   m_p = p;
   m_hash_id = hash_id;

   const BigInt k = hash_seq(hash_id, m_p_bytes, p, g);

   m_B = group.mod_p(v*k + group.power_g_p(m_b, b_bits));

   return m_B;
   }

SymmetricKey SRP6_Server_Session::step2(const BigInt& A)
   {
   if(A <= 0 || A >= m_p)
      throw Decoding_Error("Invalid SRP parameter from client");

   const BigInt u = hash_seq(m_hash_id, m_p_bytes, A, m_B);

   const BigInt S = power_mod(A * power_mod(m_v, u, m_p), m_b, m_p);

   return BigInt::encode_1363(S, m_p_bytes);
   }

}

Line	Count	Source (jump to first uncovered line)
1		/*
2		* SRP-6a (RFC 5054 compatatible)
3		* (C) 2011,2012,2019 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/srp6.h>
9		#include <botan/hash.h>
10		#include <botan/dl_group.h>
11		#include <botan/numthry.h>
12
13		namespace Botan {
14
15		namespace {
16
17		BigInt hash_seq(const std::string& hash_id,
18		size_t pad_to,
19		const BigInt& in1,
20		const BigInt& in2)
21	0	{
22	0	std::unique_ptr<HashFunction> hash_fn(HashFunction::create_or_throw(hash_id));
23	0
24	0	hash_fn->update(BigInt::encode_1363(in1, pad_to));
25	0	hash_fn->update(BigInt::encode_1363(in2, pad_to));
26	0
27	0	return BigInt::decode(hash_fn->final());
28	0	}
29
30		BigInt compute_x(const std::string& hash_id,
31		const std::string& identifier,
32		const std::string& password,
33		const std::vector<uint8_t>& salt)
34	0	{
35	0	std::unique_ptr<HashFunction> hash_fn(HashFunction::create_or_throw(hash_id));
36	0
37	0	hash_fn->update(identifier);
38	0	hash_fn->update(":");
39	0	hash_fn->update(password);
40	0
41	0	secure_vector<uint8_t> inner_h = hash_fn->final();
42	0
43	0	hash_fn->update(salt);
44	0	hash_fn->update(inner_h);
45	0
46	0	secure_vector<uint8_t> outer_h = hash_fn->final();
47	0
48	0	return BigInt::decode(outer_h);
49	0	}
50
51		}
52
53		std::string srp6_group_identifier(const BigInt& N, const BigInt& g)
54	0	{
55		/*
56		This function assumes that only one 'standard' SRP parameter set has
57		been defined for a particular bitsize. As of this writing that is the case.
58		*/
59	0	try
60	0	{
61	0	const std::string group_name = "modp/srp/" + std::to_string(N.bits());
62	0
63	0	DL_Group group(group_name);
64	0
65	0	if(group.get_p() == N && group.get_g() == g)
66	0	return group_name;
67	0	}
68	0	catch(...)
69	0	{
70	0	}
71	0
72		// If we didn't return, the group was unknown or did not match
73	0	throw Invalid_Argument("Invalid or unknown SRP group parameters");
74	0	}
75
76		std::pair<BigInt, SymmetricKey>
77		srp6_client_agree(const std::string& identifier,
78		const std::string& password,
79		const std::string& group_id,
80		const std::string& hash_id,
81		const std::vector<uint8_t>& salt,
82		const BigInt& B,
83		RandomNumberGenerator& rng)
84	0	{
85	0	DL_Group group(group_id);
86	0	const size_t a_bits = group.exponent_bits();
87	0
88	0	return srp6_client_agree(identifier, password, group, hash_id, salt, B, a_bits, rng);
89	0	}
90
91		std::pair<BigInt, SymmetricKey>
92		srp6_client_agree(const std::string& identifier,
93		const std::string& password,
94		const DL_Group& group,
95		const std::string& hash_id,
96		const std::vector<uint8_t>& salt,
97		const BigInt& B,
98		const size_t a_bits,
99		RandomNumberGenerator& rng)
100	0	{
101	0	const BigInt& g = group.get_g();
102	0	const BigInt& p = group.get_p();
103	0
104	0	const size_t p_bytes = group.p_bytes();
105	0
106	0	if(B <= 0 \|\| B >= p)
107	0	throw Decoding_Error("Invalid SRP parameter from server");
108	0
109	0	const BigInt k = hash_seq(hash_id, p_bytes, p, g);
110	0
111	0	const BigInt a(rng, a_bits);
112	0
113	0	const BigInt A = group.power_g_p(a, a_bits);
114	0
115	0	const BigInt u = hash_seq(hash_id, p_bytes, A, B);
116	0
117	0	const BigInt x = compute_x(hash_id, identifier, password, salt);
118	0
119	0	const BigInt S = power_mod(group.mod_p(B - (k * power_mod(g, x, p))),
120	0	group.mod_p(a + (u * x)), p);
121	0
122	0	const SymmetricKey Sk(BigInt::encode_1363(S, p_bytes));
123	0
124	0	return std::make_pair(A, Sk);
125	0	}
126
127		BigInt generate_srp6_verifier(const std::string& identifier,
128		const std::string& password,
129		const std::vector<uint8_t>& salt,
130		const std::string& group_id,
131		const std::string& hash_id)
132	0	{
133	0	DL_Group group(group_id);
134	0	return generate_srp6_verifier(identifier, password, salt, group, hash_id);
135	0	}
136
137		BigInt generate_srp6_verifier(const std::string& identifier,
138		const std::string& password,
139		const std::vector<uint8_t>& salt,
140		const DL_Group& group,
141		const std::string& hash_id)
142	0	{
143	0	const BigInt x = compute_x(hash_id, identifier, password, salt);
144		// FIXME: x should be size of hash fn so avoid computing x.bits() here
145	0	return group.power_g_p(x, x.bits());
146	0	}
147
148		BigInt SRP6_Server_Session::step1(const BigInt& v,
149		const std::string& group_id,
150		const std::string& hash_id,
151		RandomNumberGenerator& rng)
152	0	{
153	0	DL_Group group(group_id);
154	0	const size_t b_bits = group.exponent_bits();
155	0
156	0	return this->step1(v, group, hash_id, b_bits, rng);
157	0	}
158
159		BigInt SRP6_Server_Session::step1(const BigInt& v,
160		const DL_Group& group,
161		const std::string& hash_id,
162		size_t b_bits,
163		RandomNumberGenerator& rng)
164	0	{
165	0	const BigInt& g = group.get_g();
166	0	const BigInt& p = group.get_p();
167	0
168	0	m_p_bytes = p.bytes();
169	0	m_v = v;
170	0	m_b = BigInt(rng, b_bits);
171	0	m_p = p;
172	0	m_hash_id = hash_id;
173	0
174	0	const BigInt k = hash_seq(hash_id, m_p_bytes, p, g);
175	0
176	0	m_B = group.mod_p(v*k + group.power_g_p(m_b, b_bits));
177	0
178	0	return m_B;
179	0	}
180
181		SymmetricKey SRP6_Server_Session::step2(const BigInt& A)
182	0	{
183	0	if(A <= 0 \|\| A >= m_p)
184	0	throw Decoding_Error("Invalid SRP parameter from client");
185	0
186	0	const BigInt u = hash_seq(m_hash_id, m_p_bytes, A, m_B);
187	0
188	0	const BigInt S = power_mod(A * power_mod(m_v, u, m_p), m_b, m_p);
189	0
190	0	return BigInt::encode_1363(S, m_p_bytes);
191	0	}
192
193		}

Coverage Report

Created: 2020-09-16 07:52