10 #include "elligator2.mpc"
11 #include "spake2ee.mpc"
14 typedef struct PAKcurve PAKcurve;
37 ed448_curve(a.P, a.A, a.D, a.X, a.Y);
/*
 * authpak_hash: build the two SPAKE2EE mask points (labelled PM and PN
 * below) for user name u and serialise their coordinates.
 *
 * k - Authkey the hash belongs to; how it is read or written here is
 *     on lines not shown in this listing.
 * u - user name; it is hashed with SHA2-256 to form the HKDF salt.
 *
 * NOTE(review): the embedded line numbers skip, so this listing omits
 * the declarations of c, the mpnew/mpfree calls, the HKDF input key and
 * output arguments, and where bp is first pointed. Presumably bp starts
 * at k->pakhash, which authpak_new/authpak_finish read back - confirm.
 */
45 authpak_hash(Authkey *k, char *u)
/* Fixed HKDF info label; separates this derivation from the "key" one in authpak_finish. */
47 static char info[] = "Plan 9 AuthPAK hash";
/* h holds 2*PAKSLEN bytes: one PAKSLEN half per mask point (see the betomp calls below). */
48 uchar *bp, salt[SHA2_256dlen], h[2*PAKSLEN];
49 mpint *H, *PX,*PY,*PZ,*PT;
/*
 * salt = SHA2-256(u). strlen() requires u to be a non-nil,
 * NUL-terminated string; no check is visible in this listing.
 */
58 sha2_256((uchar*)u, strlen(u), salt, nil);
/*
 * HKDF over HMAC-SHA2-256. sizeof(info)-1 keeps the terminating NUL
 * out of the label. The input-key and output arguments are on the
 * omitted lines 62-63; presumably the output is h - confirm.
 */
60 hkdf_x( salt, SHA2_256dlen,
61 (uchar*)info, sizeof(info)-1,
64 hmac_sha2_256, SHA2_256dlen);
/* First half of h becomes the integer H, which spake2ee_h2P maps to the point (PX,PY,PZ,PT). */
68 betomp(h + 0*PAKSLEN, PAKSLEN, H); /* HM */
69 spake2ee_h2P(c->P,c->A,c->D, H, PX,PY,PZ,PT); /* PM */
/* Serialise the four coordinates of PM, one PAKSLEN-byte slot each. */
72 mptober(PX, bp, PAKSLEN), bp += PAKSLEN;
73 mptober(PY, bp, PAKSLEN), bp += PAKSLEN;
74 mptober(PZ, bp, PAKSLEN), bp += PAKSLEN;
75 mptober(PT, bp, PAKSLEN), bp += PAKSLEN;
/* Second half of h: same mapping, producing PN, written directly after PM. */
77 betomp(h + 1*PAKSLEN, PAKSLEN, H); /* HN */
78 spake2ee_h2P(c->P,c->A,c->D, H, PX,PY,PZ,PT); /* PN */
80 mptober(PX, bp, PAKSLEN), bp += PAKSLEN;
81 mptober(PY, bp, PAKSLEN), bp += PAKSLEN;
82 mptober(PZ, bp, PAKSLEN), bp += PAKSLEN;
83 mptober(PT, bp, PAKSLEN);
/*
 * NOTE(review): h and H are presumably derived from secret key material.
 * The lines after 83 are not shown: confirm that h is wiped and the
 * mpints are freed there, and whether H and the P* values are flagged
 * MPtimesafe as they are in authpak_new.
 */
/*
 * authpak_new: start one side of the exchange. Resets *p, draws a fresh
 * random scalar X, computes the public value Y with spake2ee_1 using
 * this side's mask point from k->pakhash, stores X and Y in p and
 * copies Y out to the caller's y buffer.
 *
 * p        - private exchange state; fully overwritten.
 * k        - Authkey whose pakhash holds the serialised mask points.
 * y        - out: PAKYLEN bytes of public value to send to the peer.
 * isclient - non-zero for the client role, zero for the server role.
 *
 * NOTE(review): the embedded line numbers skip, so the declarations of
 * bp and c, the mpnew/mpfree calls and any return statement are not
 * visible in this listing.
 */
93 authpak_new(PAKpriv *p, Authkey *k, uchar y[PAKYLEN], int isclient)
95 mpint *PX,*PY,*PZ,*PT, *X, *Y;
/* Clear any previous state, then store the role normalised to 0 or 1. */
99 memset(p, 0, sizeof(PAKpriv));
100 p->isclient = isclient != 0;
/*
 * Flag the mask-point coordinates MPtimesafe (libmp's request for
 * time-invariant computation); they come from k->pakhash, which is
 * presumably secret-derived.
 */
110 PX->flags |= MPtimesafe;
111 PY->flags |= MPtimesafe;
112 PZ->flags |= MPtimesafe;
113 PT->flags |= MPtimesafe;
/*
 * Role selects the point: client reads at offset 0, server at offset
 * PAKPLEN. authpak_finish uses the opposite test, so each side finishes
 * with the other point.
 */
115 bp = k->pakhash + PAKPLEN*(p->isclient == 0);
116 betomp(bp, PAKSLEN, PX), bp += PAKSLEN;
117 betomp(bp, PAKSLEN, PY), bp += PAKSLEN;
118 betomp(bp, PAKSLEN, PZ), bp += PAKSLEN;
119 betomp(bp, PAKSLEN, PT);
/*
 * X is the ephemeral secret scalar: flagged MPtimesafe before it is
 * filled from genrandom with a value bounded by c->P. The strength of
 * the exchange rests on genrandom being a cryptographic generator.
 */
123 X->flags |= MPtimesafe;
124 mpnrand(c->P, genrandom, X);
/* Compute the public value Y from X, the point (c->X,c->Y) and the mask point. */
126 spake2ee_1(c->P,c->A,c->D, X, c->X,c->Y, PX,PY,PZ,PT, Y);
/*
 * Keep X (secret) and Y in p for authpak_finish. p->x stays in memory
 * until authpak_finish wipes p, so callers should not leave a PAKpriv
 * pending longer than the exchange needs.
 */
128 mptober(X, p->x, PAKXLEN);
129 mptober(Y, p->y, PAKYLEN);
/* Hand the public value to the caller. */
131 memmove(y, p->y, PAKYLEN);
/* NOTE(review): freeing of X and the P* mpints is on lines not shown - confirm. */
/*
 * authpak_finish: complete the exchange. Combines the stored scalar
 * p->x with the peer's public value y via spake2ee_2, checks the ok
 * result, then derives k->pakkey with HKDF and wipes the private state.
 *
 * p - private state filled by authpak_new; zeroed before returning on
 *     the path visible here.
 * k - Authkey; pakhash supplies the mask point, pakkey receives
 *     PAKKEYLEN bytes of derived key.
 * y - PAKYLEN bytes received from the peer (untrusted input).
 *
 * NOTE(review): the embedded line numbers skip, so the declarations of
 * s and c, the mpnew/mpfree calls, the body of the failure branch, the
 * HKDF input-key argument and the return statements are not visible in
 * this listing.
 */
143 authpak_finish(PAKpriv *p, Authkey *k, uchar y[PAKYLEN])
/* Fixed HKDF info label, distinct from the "hash" label used in authpak_hash. */
145 static char info[] = "Plan 9 AuthPAK key";
146 uchar *bp, z[PAKSLEN], salt[SHA2_256dlen];
147 mpint *PX,*PY,*PZ,*PT, *X, *Y, *Z, *ok;
/* Flag the mask-point coordinates MPtimesafe, as authpak_new does. */
162 PX->flags |= MPtimesafe;
163 PY->flags |= MPtimesafe;
164 PZ->flags |= MPtimesafe;
165 PT->flags |= MPtimesafe;
/*
 * Opposite selection to authpak_new: client reads at offset PAKPLEN,
 * server at offset 0, i.e. the point the peer used.
 */
167 bp = k->pakhash + PAKPLEN*(p->isclient != 0);
168 betomp(bp, PAKSLEN, PX), bp += PAKSLEN;
169 betomp(bp, PAKSLEN, PY), bp += PAKSLEN;
170 betomp(bp, PAKSLEN, PZ), bp += PAKSLEN;
171 betomp(bp, PAKSLEN, PT);
/* Z (shared secret) and X (our scalar) are secret, so both are flagged MPtimesafe. */
173 Z->flags |= MPtimesafe;
174 X->flags |= MPtimesafe;
175 betomp(p->x, PAKXLEN, X);
/* Y is the peer's public value, taken straight from the wire; it is not flagged in the visible lines. */
177 betomp(y, PAKYLEN, Y);
/* spake2ee_2 produces the shared value Z and sets ok. */
180 spake2ee_2(c->P,c->A,c->D, PX,PY,PZ,PT, X, Y, ok, Z);
/*
 * ok == 0 is the rejection path for the peer's value. Its body is on
 * lines not shown; confirm it wipes state and returns an error, and
 * that callers never use k->pakkey after a failed call.
 */
182 if(mpcmp(ok, mpzero) == 0){
/* Serialise the shared value into the stack buffer z. */
187 mptober(Z, z, sizeof(z));
/*
 * salt = SHA2-256(client's y followed by server's y). The ternaries put
 * the client's value first whichever role we play, so both sides hash
 * the same transcript.
 */
189 s = sha2_256(p->isclient ? p->y : y, PAKYLEN, nil, nil);
190 sha2_256(p->isclient ? y : p->y, PAKYLEN, salt, s);
/*
 * Derive PAKKEYLEN bytes into k->pakkey with HKDF over HMAC-SHA2-256.
 * The input-key argument is on the omitted line 194; presumably it is
 * z - confirm.
 */
192 hkdf_x( salt, SHA2_256dlen,
193 (uchar*)info, sizeof(info)-1,
195 k->pakkey, PAKKEYLEN,
196 hmac_sha2_256, SHA2_256dlen);
/*
 * Wipe the shared secret and the private state (including p->x).
 * NOTE(review): a plain memset() on a local that is dead afterwards may
 * be removed by an optimising compiler; where this file is built with
 * one, verify the wipe survives or use that platform's explicit-zeroing
 * routine. Also confirm Z and X are freed on the lines not shown.
 */
200 memset(z, 0, sizeof(z));
201 memset(p, 0, sizeof(PAKpriv));