Merge pull request #1 from openweave/initial-version
Initial version of stand-alone OpenSSL EC J-PAKE implementation.
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2491c6d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,15 @@
+*.a
+*.o
+*.in
+autom4te.cache
+configure
+aclocal.m4
+compile
+depcomp
+install-sh
+missing
+config.status
+config.log
+Makefile
+ecjpaketest
+openssl-ecjpake-*.tar.gz
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..af92d84
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,190 @@
+Contributing to OpenWeave
+========================
+
+Want to contribute? Great! First, read this page (including the small
+print at the end).
+
+## Bugs
+
+If you find a bug in the source code, you can help us by [submitting a GitHub Issue](https://github.com/openweave/openweave-core/issues/new). The best bug reports provide a detailed description of the issue and step-by-step instructions for predictably reproducing the issue. Even better, you can [submit a Pull Request](#submitting-a-pull-request) with a fix.
+
+## New Features
+
+You can request a new feature by [submitting a GitHub Issue](https://github.com/openweave/openweave-core/issues/new).
+
+If you would like to implement a new feature, please consider the scope of the new feature:
+
+* *Large feature*: first [submit a GitHub
+ Issue](https://github.com/openweave/openweave-core/issues/new) and communicate
+ your proposal so that the community can review and provide feedback. Getting
+ early feedback will help ensure your implementation work is accepted by the
+ community. This will also allow us to better coordinate our efforts and
+ minimize duplicated effort.
+
+* *Small feature*: can be implemented and directly [submitted as a Pull
+ Request](#submitting-a-pull-request).
+
+## Contributing Code
+
+The OpenWeave-Core follows the "Fork-and-Pull" model for accepting contributions.
+
+### Initial Setup
+
+Setup your GitHub fork and continuous-integration services:
+
+1. Fork the [OpenWeave-Core
+ repository](https://github.com/openweave/openweave-core) by clicking "Fork"
+ on the web UI.
+
+2. Enable [Travis CI](https://travis-ci.org/) by logging in with your GitHub
+ account and enabling your newly created fork. We use Travis CI for
+ Linux-based continuous integration checks. All contributions must pass these
+ checks to be accepted.
+
+Setup your local development environment:
+
+```bash
+# Clone your fork
+git clone git@github.com:<username>/openweave-core.git
+
+# Configure upstream alias
+git remote add upstream git@github.com:openweave/openweave-core.git
+```
+
+### Before you contribute
+
+Before we can use your code, you must sign the [Google Individual
+Contributor License Agreement][CLA-INDI] (CLA), which you can do
+online. The CLA is necessary mainly because you own the copyright to
+your changes, even after your contribution becomes part of our
+codebase, so we need your permission to use and distribute your code.
+We also need to be sure of various other things—for instance that
+you'll tell us if you know that your code infringes on other people's
+patents. You don't have to sign the CLA until after you've submitted
+your code for review and a member has approved it, but you must do it
+before we can put your code into our codebase. Before you start
+working on a larger contribution, you should get in touch with us
+first through the issue tracker with your idea so that we can help out
+and possibly guide you. Coordinating up front makes it much easier to
+avoid frustration later on.
+
+[CLA-INDI]: https://cla.developers.google.com/about/google-individual
+
+### Submitting a Pull Request
+
+#### Branch
+
+For each new feature, create a working branch:
+
+```bash
+# Create a working branch for your new feature
+git branch --track <branch-name> origin/master
+
+# Checkout the branch
+git checkout <branch-name>
+```
+
+#### Create Commits
+
+```bash
+# Add each modified file you'd like to include in the commit
+git add <file1> <file2>
+
+# Create a commit
+git commit
+```
+
+This will open up a text editor where you can craft your commit message.
+
+#### Upstream Sync and Clean Up
+
+Prior to submitting your pull request, you might want to do a few things to
+clean up your branch and make it as simple as possible for the original
+repository's maintainer to test, accept, and merge your work.
+
+If any commits have been made to the upstream master branch, you should rebase
+your development branch so that merging it will be a simple fast-forward that
+won't require any conflict resolution work.
+
+```bash
+# Fetch upstream master and merge with your repository's master branch
+git checkout master
+git pull upstream master
+
+# If there were any new commits, rebase your development branch
+git checkout <branch-name>
+git rebase master
+```
+
+Now, it may be desirable to squash some of your smaller commits down into a
+small number of larger more cohesive commits. You can do this with an
+interactive rebase:
+
+```bash
+# Rebase all commits on your development branch
+git checkout
+git rebase -i master
+```
+
+This will open up a text editor where you can specify which commits to squash.
+
+#### Coding Conventions and Style
+
+OpenWeave Core runs a style check on every pull request as part of the
+continuous integration and pull request validation. In order to validate that
+the submitted code meets the guidelines, you may run:
+
+```bash
+make -f Makefile-Standalone pretty-check
+```
+
+If you wish to use automated formatting tools, we have provided a `clang-format`
+style. In order to automatically format the file, you'd run:
+
+```bash
+clang-format -i -style=file <src-filename>
+```
+
+#### Push and Test
+
+```bash
+# Checkout your branch
+git checkout <branch-name>
+
+# Push to your GitHub fork:
+git push origin <branch-name>
+```
+
+This will trigger the Travis CI continuous-integration checks. You
+can view the results in the respective services. Note that the integration
+checks will report failures on occasion. If a failure occurs, you may try
+rerunning the test via the Travis web UI.
+
+#### Submit Pull Request
+
+Once you've validated the Travis CI results, go to the page for
+your fork on GitHub, select your development branch, and click the pull request
+button. If you need to make any adjustments to your pull request, just push the
+updates to GitHub. Your pull request will automatically track the changes on
+your development branch and update.
+
+#### Code reviews
+
+All submissions, including submissions by project members, require review.
+
+### Documentation
+
+Documentation undergoes the same review process as code and
+contributions may be mirrored on our [openweave.io][ow-io] website.
+See the [Documentation Style Guide][doc-style] for more information on
+how to author and format documentation for contribution.
+
+### The small print
+
+Contributions made by corporations are covered by a different
+agreement than the one above, the [Software Grant and Corporate
+Contributor License Agreement][CLA-CORP].
+
+[CLA-CORP]: https://cla.developers.google.com/about/google-corporate
+[doc-style]: /doc/STYLE_GUIDE.md
+[ow-io]: https://openweave.io
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d645695
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..3af278f
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,35 @@
+#
+# Copyright (c) 2020 Google LLC.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Build rules for library
+
+lib_LIBRARIES = libopenssl-ecjpake.a
+
+libopenssl_ecjpake_a_SOURCES = ecjpake.c ecjpake_err.c
+
+libopenssl_ecjpake_a_CFLAGS = -I$(srcdir)/openssl
+
+EXTRA_DIST = openssl
+
+
+# Build rules for test application
+
+bin_PROGRAMS = ecjpaketest
+
+ecjpaketest_SOURCES = ecjpaketest.c
+
+ecjpaketest_LDADD = libopenssl-ecjpake.a -lcrypto
diff --git a/README.md b/README.md
index b155ea7..eda66c5 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,18 @@
# openssl-ecjpake
+
+An implementation of the [J-PAKE](https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling) cryptographic protocol based on elliptic curves. J-PAKE is a key agreement protocol that allows parties to establish secure communications by means of a shared, low-entropy password/secret.
+
+This implementation is built for use with [OpenSSL](https://www.openssl.org/), and makes use of OpenSSL's public EC crypto APIs. It can also be with Google's [BoringSSL](https://boringssl.googlesource.com/boringssl/).
+
+## Building
+
+Clone the openssl-ecjpake repo:
+
+ $ git clone https://github.com/openweave/openssl-ecjpake
+ $ cd openssl-ecjpake
+
+Build using the supplied automake makefile:
+
+ $ autoreconf -ivf
+ $ ./configure
+ $ make
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..6f6824b
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,28 @@
+#
+# Copyright (c) 2020 Google LLC.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+AC_INIT([openssl-ecjpake], [1.0])
+AM_INIT_AUTOMAKE([1.14 foreign silent-rules subdir-objects tar-pax no-define])
+
+AC_PROG_CC
+AC_PROG_RANLIB
+
+AC_CONFIG_FILES([
+ Makefile
+])
+
+AC_OUTPUT
diff --git a/ecjpake.c b/ecjpake.c
new file mode 100644
index 0000000..0309498
--- /dev/null
+++ b/ecjpake.c
@@ -0,0 +1,775 @@
+/*
+ *
+ * Copyright (c) 2017 Google LLC.
+ * All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "ecjpake.h"
+
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <string.h>
+
+#ifdef OPENSSL_IS_BORINGSSL
+#include <assert.h>
+#define OPENSSL_assert(TEST) (assert(TEST))
+#endif
+
+/*
+ * In the definition, (xa, xb, xc, xd) are Alice's (x1, x2, x3, x4) or
+ * Bob's (x3, x4, x1, x2).
+ */
+
+typedef struct {
+ unsigned char *num; /* Must be unique */
+ size_t len;
+} ECJPAKE_ID;
+
+struct ECJPAKE_CTX {
+ /* public values */
+ ECJPAKE_ID local_id;
+ ECJPAKE_ID peer_id;
+ const EC_GROUP *group; /* Elliptic Curve Group */
+ EC_POINT *Gxc; /* Alice's G*x3 or Bob's G*x1 */
+ EC_POINT *Gxd; /* Alice's G*x4 or Bob's G*x2 */
+ /* secret values - should not be revealed publicly and
+ should be cleared when released */
+ BIGNUM *secret; /* The shared secret */
+ BN_CTX *ctx;
+ BIGNUM *xa; /* Alice's x1 or Bob's x3 */
+ BIGNUM *xb; /* Alice's x2 or Bob's x4 */
+ unsigned char key[SHA256_DIGEST_LENGTH]; /* The calculated (shared) key */
+};
+
+static int zkp_init(ECJPAKE_ZKP *zkp, const EC_GROUP *group)
+{
+ zkp->Gr = EC_POINT_new(group);
+ if (zkp->Gr == NULL)
+ return 0;
+ zkp->b = BN_new();
+ if (zkp->b == NULL)
+ return 0;
+ return 1;
+}
+
+static void zkp_release(ECJPAKE_ZKP *zkp)
+{
+ if (zkp->b != NULL)
+ BN_free(zkp->b);
+ if (zkp->Gr != NULL)
+ EC_POINT_free(zkp->Gr);
+}
+
+#define step_part_init ECJPAKE_STEP2_init
+#define step_part_release ECJPAKE_STEP2_release
+
+int step_part_init(ECJPAKE_STEP_PART *p, const ECJPAKE_CTX *ctx)
+{
+ memset(p, 0, sizeof(*p));
+ p->Gx = EC_POINT_new(ctx->group);
+ if (p->Gx == NULL)
+ goto err;
+ if (!zkp_init(&p->zkpx, ctx->group))
+ goto err;
+ return 1;
+
+err:
+ ECJPAKEerr(ECJPAKE_F_STEP_PART_INIT, ERR_R_MALLOC_FAILURE);
+ step_part_release(p);
+ return 0;
+}
+
+void step_part_release(ECJPAKE_STEP_PART *p)
+{
+ zkp_release(&p->zkpx);
+ if (p->Gx != NULL)
+ EC_POINT_free(p->Gx);
+}
+
+int ECJPAKE_STEP1_init(ECJPAKE_STEP1 *s1, const ECJPAKE_CTX *ctx)
+{
+ if (!step_part_init(&s1->p1, ctx))
+ return 0;
+ if (!step_part_init(&s1->p2, ctx))
+ return 0;
+ return 1;
+}
+
+void ECJPAKE_STEP1_release(ECJPAKE_STEP1 *s1)
+{
+ step_part_release(&s1->p2);
+ step_part_release(&s1->p1);
+}
+
+ECJPAKE_CTX *ECJPAKE_CTX_new(const EC_GROUP *group, const BIGNUM *secret,
+ const unsigned char *local_id_num,
+ const size_t local_id_len,
+ const unsigned char *peer_id_num,
+ const size_t peer_id_len)
+{
+ ECJPAKE_CTX *ctx = NULL;
+
+ /* init ecjpake context */
+ ctx = OPENSSL_malloc(sizeof(*ctx));
+ if (ctx == NULL)
+ goto err;
+ memset(ctx, 0, sizeof(*ctx));
+
+ /* init elliptic curve group */
+ if (group == NULL)
+ goto err;
+ ctx->group = group;
+
+ /* init local id */
+ ctx->local_id.num = (unsigned char *)OPENSSL_malloc(local_id_len);
+ if (ctx->local_id.num == NULL)
+ goto err;
+ memcpy(ctx->local_id.num, local_id_num, local_id_len);
+ ctx->local_id.len = local_id_len;
+
+ /* init peer id */
+ ctx->peer_id.num = (unsigned char *)OPENSSL_malloc(peer_id_len);
+ if (ctx->peer_id.num == NULL)
+ goto err;
+ memcpy(ctx->peer_id.num, peer_id_num, peer_id_len);
+ ctx->peer_id.len = peer_id_len;
+
+ /* init secret */
+ ctx->secret = BN_dup(secret);
+ if (ctx->secret == NULL)
+ goto err;
+
+ /* init remaining ecjpake context fields */
+ ctx->Gxc = EC_POINT_new(ctx->group);
+ if (ctx->Gxc == NULL)
+ goto err;
+ ctx->Gxd = EC_POINT_new(ctx->group);
+ if (ctx->Gxd == NULL)
+ goto err;
+ ctx->xa = BN_new();
+ if (ctx->xa == NULL)
+ goto err;
+ ctx->xb = BN_new();
+ if (ctx->xb == NULL)
+ goto err;
+ ctx->ctx = BN_CTX_new();
+ if (ctx->ctx == NULL)
+ goto err;
+
+ return ctx;
+
+err:
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_CTX_NEW, ERR_R_MALLOC_FAILURE);
+ ECJPAKE_CTX_free(ctx);
+ return NULL;
+}
+
+void ECJPAKE_CTX_free(ECJPAKE_CTX *ctx)
+{
+ if (ctx != NULL) {
+ if (ctx->ctx != NULL)
+ BN_CTX_free(ctx->ctx);
+ if (ctx->xb != NULL)
+ BN_clear_free(ctx->xb);
+ if (ctx->xa != NULL)
+ BN_clear_free(ctx->xa);
+ if (ctx->Gxd != NULL)
+ EC_POINT_free(ctx->Gxd);
+ if (ctx->Gxc != NULL)
+ EC_POINT_free(ctx->Gxc);
+ if (ctx->secret != NULL)
+ BN_clear_free(ctx->secret);
+ if (ctx->peer_id.num != NULL)
+ OPENSSL_free(ctx->peer_id.num);
+ if (ctx->local_id.num != NULL)
+ OPENSSL_free(ctx->local_id.num);
+ OPENSSL_free(ctx);
+ }
+}
+
+static void hashlength(SHA256_CTX *sha, size_t l)
+{
+ unsigned char b[2];
+
+ OPENSSL_assert(l <= 0xffff);
+ b[0] = l >> 8;
+ b[1] = l & 0xff;
+ SHA256_Update(sha, b, 2);
+}
+
+static int hashpoint_default(ECJPAKE_CTX *ctx, SHA256_CTX *sha,
+ const EC_POINT *point)
+{
+ size_t point_len;
+ unsigned char *point_oct = NULL;
+ int ret = 0;
+
+ point_len = EC_POINT_point2oct(ctx->group, point,
+ POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
+ if (point_len == 0)
+ goto err;
+
+ point_oct = (unsigned char *)OPENSSL_malloc(point_len);
+ if (point_oct == NULL)
+ goto err;
+
+ point_len = EC_POINT_point2oct(ctx->group, point,
+ POINT_CONVERSION_UNCOMPRESSED, point_oct,
+ point_len, ctx->ctx);
+ if (point_len == 0)
+ goto err;
+
+ hashlength(sha, point_len);
+ SHA256_Update(sha, point_oct, point_len);
+ ret = 1;
+
+err:
+ if (point_oct != NULL)
+ OPENSSL_free(point_oct);
+ return ret;
+}
+
+static ECJPAKE_HASHPOINT_FUNC_PTR hashpoint = &hashpoint_default;
+
+void ECJPAKE_Set_HashECPoint(ECJPAKE_HASHPOINT_FUNC_PTR hashpoint_custom)
+{
+ hashpoint = hashpoint_custom;
+}
+
+/* h = hash(G, G*r, G*x, ecjpake_id) */
+static int zkp_hash(ECJPAKE_CTX *ctx, BIGNUM *h, const EC_POINT *zkpG,
+ const ECJPAKE_STEP_PART *p, const int use_local_id)
+{
+ unsigned char md[SHA256_DIGEST_LENGTH];
+ SHA256_CTX sha;
+
+ SHA256_Init(&sha);
+ if (!hashpoint(ctx, &sha, zkpG))
+ goto err;
+ if (!hashpoint(ctx, &sha, p->zkpx.Gr))
+ goto err;
+ if (!hashpoint(ctx, &sha, p->Gx))
+ goto err;
+ if (use_local_id)
+ SHA256_Update(&sha, ctx->local_id.num, ctx->local_id.len);
+ else
+ SHA256_Update(&sha, ctx->peer_id.num, ctx->peer_id.len);
+ SHA256_Final(md, &sha);
+ if (BN_bin2bn(md, SHA256_DIGEST_LENGTH, h) == NULL)
+ goto err;
+ return 1;
+
+err:
+ ECJPAKEerr(ECJPAKE_F_ZKP_HASH, ERR_R_MALLOC_FAILURE);
+ return 0;
+}
+
+/* Generate random number in [1, n - 1] ( i.e. [1, n) ) */
+static int genrand(BIGNUM *rnd, const BIGNUM *n)
+{
+ BIGNUM *nm1 = NULL;
+ int ret = 0;
+
+ nm1 = BN_new();
+ if (nm1 == NULL)
+ goto err;
+ /* n - 1 */
+ if (!BN_copy(nm1, n))
+ goto err;
+ if (!BN_sub_word(nm1, 1))
+ goto err;
+ /* random number in [0, n - 1) */
+ if (!BN_rand_range(rnd, nm1))
+ goto err;
+ /* [1, n) */
+ if (!BN_add_word(rnd, 1))
+ goto err;
+ ret = 1;
+
+err:
+ if (!ret)
+ ECJPAKEerr(ECJPAKE_F_GENRAND, ERR_R_MALLOC_FAILURE);
+ if (nm1 != NULL)
+ BN_free(nm1);
+ return ret;
+}
+
+/* Prove knowledge of x. (Note that p->Gx has already been calculated) */
+static int generate_zkp(ECJPAKE_STEP_PART *p, const BIGNUM *x,
+ const EC_POINT *zkpG, ECJPAKE_CTX *ctx)
+{
+ BIGNUM *order = NULL;
+ BIGNUM *r = NULL;
+ BIGNUM *h = NULL;
+ BIGNUM *t = NULL;
+ int ret = 0;
+
+ order = BN_new();
+ if (order == NULL)
+ goto err;
+ if (!EC_GROUP_get_order(ctx->group, order, ctx->ctx))
+ goto err;
+ /* r in [1,n-1] */
+ r = BN_new();
+ if (r == NULL)
+ goto err;
+ if (!genrand(r, order))
+ goto err;
+ /* G * r */
+ if (!EC_POINT_mul(ctx->group, p->zkpx.Gr, NULL, zkpG, r, ctx->ctx))
+ goto err;
+ /* h = hash(G, G * r, G * x, ecjpake_id) */
+ h = BN_new();
+ if (h == NULL)
+ goto err;
+ if (!zkp_hash(ctx, h, zkpG, p, 1))
+ goto err;
+ /* b = r - x*h */
+ t = BN_new();
+ if (t == NULL)
+ goto err;
+ if (!BN_mod_mul(t, x, h, order, ctx->ctx))
+ goto err;
+ if (!BN_mod_sub(p->zkpx.b, r, t, order, ctx->ctx))
+ goto err;
+ ret = 1;
+
+err:
+ if (!ret)
+ ECJPAKEerr(ECJPAKE_F_GENERATE_ZKP, ERR_R_MALLOC_FAILURE);
+ if (t != NULL)
+ BN_free(t);
+ if (h != NULL)
+ BN_free(h);
+ if (r != NULL)
+ BN_free(r);
+ if (order != NULL)
+ BN_free(order);
+ return ret;
+}
+
+static int verify_zkp(const ECJPAKE_STEP_PART *p, const EC_POINT *zkpG,
+ ECJPAKE_CTX *ctx)
+{
+ BIGNUM *h = NULL;
+ EC_POINT *point1 = NULL;
+ EC_POINT *point2 = NULL;
+ int ret = 0;
+
+ /* h = hash(G, G * r, G * x, ecjpake_id) */
+ h = BN_new();
+ if (h == NULL)
+ goto err;
+ if (!zkp_hash(ctx, h, zkpG, p, 0))
+ goto err;
+ /* point1 = G * b */
+ point1 = EC_POINT_new(ctx->group);
+ if (point1 == NULL)
+ goto err;
+ if (!EC_POINT_mul(ctx->group, point1, NULL, zkpG, p->zkpx.b, ctx->ctx))
+ goto err;
+ /* point2 = (G * x) * h = G * {h * x} */
+ point2 = EC_POINT_new(ctx->group);
+ if (point2 == NULL)
+ goto err;
+ if (!EC_POINT_mul(ctx->group, point2, NULL, p->Gx, h, ctx->ctx))
+ goto err;
+ /* point2 = point1 + point2 = G*{hx} + G*b = G*{hx+b} = G*r (allegedly) */
+ if (!EC_POINT_add(ctx->group, point2, point1, point2, ctx->ctx))
+ goto err;
+ /* verify (point2 == G * r) */
+ if (0 != EC_POINT_cmp(ctx->group, point2, p->zkpx.Gr, ctx->ctx))
+ {
+ ECJPAKEerr(ECJPAKE_F_VERIFY_ZKP, ECJPAKE_R_ZKP_VERIFY_FAILED);
+ goto clean;
+ }
+
+ ret = 1;
+ goto clean;
+
+err:
+ ECJPAKEerr(ECJPAKE_F_VERIFY_ZKP, ERR_R_MALLOC_FAILURE);
+clean:
+ if (point2 != NULL)
+ EC_POINT_free(point2);
+ if (point1 != NULL)
+ EC_POINT_free(point1);
+ if (h != NULL)
+ BN_free(h);
+ return ret;
+}
+
+static int step_part_generate(ECJPAKE_STEP_PART *p, const BIGNUM *x,
+ const EC_POINT *G, ECJPAKE_CTX *ctx)
+{
+ if (!EC_POINT_mul(ctx->group, p->Gx, NULL, G, x, ctx->ctx))
+ goto err;
+ if (!generate_zkp(p, x, G, ctx))
+ goto err;
+ return 1;
+
+err:
+ ECJPAKEerr(ECJPAKE_F_STEP_PART_GENERATE, ERR_R_MALLOC_FAILURE);
+ return 0;
+}
+
+int ECJPAKE_STEP1_generate(ECJPAKE_STEP1 *send, ECJPAKE_CTX *ctx)
+{
+ BIGNUM *order = NULL;
+ const EC_POINT *generator = NULL;
+ int ret = 0;
+
+ order = BN_new();
+ if (order == NULL)
+ goto err;
+ if (!EC_GROUP_get_order(ctx->group, order, ctx->ctx))
+ goto err;
+
+ if (!genrand(ctx->xa, order))
+ goto err;
+ if (!genrand(ctx->xb, order))
+ goto err;
+
+ generator = EC_GROUP_get0_generator(ctx->group);
+ if (!step_part_generate(&send->p1, ctx->xa, generator, ctx))
+ goto err;
+ if (!step_part_generate(&send->p2, ctx->xb, generator, ctx))
+ goto err;
+
+ ret = 1;
+
+err:
+ if (!ret)
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP1_GENERATE, ERR_R_MALLOC_FAILURE);
+ if (order != NULL)
+ BN_free(order);
+ return ret;
+}
+
+/*-
+ * Elliptic Curve Point Validity Check.
+ */
+static int EC_POINT_is_legal(const EC_POINT *point, const EC_GROUP *group)
+{
+ EC_KEY *eckey = NULL;
+ int legal = 0;
+
+ if (point == NULL || group == NULL)
+ {
+ ECJPAKEerr(ECJPAKE_F_EC_POINT_IS_LEGAL, ERR_R_PASSED_NULL_PARAMETER);
+ goto err;
+ }
+ if ((eckey = EC_KEY_new()) == NULL)
+ {
+ ECJPAKEerr(ECJPAKE_F_EC_POINT_IS_LEGAL, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!EC_KEY_set_group(eckey, group))
+ {
+ ECJPAKEerr(ECJPAKE_F_EC_POINT_IS_LEGAL, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!EC_KEY_set_public_key(eckey, point))
+ {
+ ECJPAKEerr(ECJPAKE_F_EC_POINT_IS_LEGAL, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!EC_KEY_check_key(eckey))
+ {
+ ECJPAKEerr(ECJPAKE_F_EC_POINT_IS_LEGAL, ECJPAKE_R_G_IS_NOT_LEGAL);
+ goto err;
+ }
+
+ legal = 1;
+
+err:
+ EC_KEY_free(eckey);
+
+ return legal;
+}
+
+int ECJPAKE_STEP1_process(ECJPAKE_CTX *ctx, const ECJPAKE_STEP1 *received)
+{
+
+ /* check Gxc is a legal point on Elliptic Curve */
+ if (!EC_POINT_is_legal(received->p1.Gx, ctx->group))
+ {
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP1_PROCESS,
+ ECJPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL);
+ return 0;
+ }
+
+ /* check Gxd is a legal point on Elliptic Curve */
+ if (!EC_POINT_is_legal(received->p2.Gx, ctx->group))
+ {
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP1_PROCESS,
+ ECJPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL);
+ return 0;
+ }
+
+ /* verify ZKP(xc) */
+ if (!verify_zkp(&received->p1, EC_GROUP_get0_generator(ctx->group), ctx))
+ {
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP1_PROCESS,
+ ECJPAKE_R_VERIFY_X3_FAILED);
+ return 0;
+ }
+
+ /* verify ZKP(xd) */
+ if (!verify_zkp(&received->p2, EC_GROUP_get0_generator(ctx->group), ctx))
+ {
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP1_PROCESS,
+ ECJPAKE_R_VERIFY_X4_FAILED);
+ return 0;
+ }
+
+ /* Save the points we need for later */
+ if (!EC_POINT_copy(ctx->Gxc, received->p1.Gx) ||
+ !EC_POINT_copy(ctx->Gxd, received->p2.Gx))
+ {
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP1_PROCESS, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ return 1;
+}
+
+int ECJPAKE_STEP2_generate(ECJPAKE_STEP2 *send, ECJPAKE_CTX *ctx)
+{
+ EC_POINT *point = NULL;
+ BIGNUM *order = NULL;
+ BIGNUM *xbs = NULL;
+ int ret = 0;
+
+ /*-
+ * X = G * {(xa + xc + xd) * xb * s}
+ */
+ point = EC_POINT_new(ctx->group);
+ if (point == NULL)
+ goto err;
+ /* point = G * xa */
+ if (!EC_POINT_mul(ctx->group, point, NULL,
+ EC_GROUP_get0_generator(ctx->group), ctx->xa, ctx->ctx))
+ goto err;
+ /* point = G * xa + G * xc = G * {xa + xc} */
+ if (!EC_POINT_add(ctx->group, point, point, ctx->Gxc, ctx->ctx))
+ goto err;
+ /* point = G * {xa + xc} + G * xd = G * {xa + xc + xd} */
+ if (!EC_POINT_add(ctx->group, point, point, ctx->Gxd, ctx->ctx))
+ goto err;
+ /* xbs = xb * s */
+ order = BN_new();
+ if (order == NULL)
+ goto err;
+ xbs = BN_new();
+ if (xbs == NULL)
+ goto err;
+ if (!EC_GROUP_get_order(ctx->group, order, ctx->ctx))
+ goto err;
+ if (!BN_mod_mul(xbs, ctx->xb, ctx->secret, order, ctx->ctx))
+ goto err;
+
+ /*-
+ * ZKP(xb * s)
+ * For STEP2 the generator is:
+ * G' = G * {xa + xc + xd}
+ * which means X is G' * {xb * s}
+ * X = G' * {xb * s} = G * {(xa + xc + xd) * xb * s}
+ */
+ if (!step_part_generate(send, xbs, point, ctx))
+ goto err;
+ ret = 1;
+
+err:
+ if (!ret)
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP2_GENERATE, ERR_R_MALLOC_FAILURE);
+ if (xbs != NULL)
+ BN_clear_free(xbs);
+ if (order != NULL)
+ BN_free(order);
+ if (point != NULL)
+ EC_POINT_free(point);
+ return ret;
+}
+
+/* Gx = G * {(xc + xa + xb) * xd * secret} */
+static int compute_key(ECJPAKE_CTX *ctx, const EC_POINT *Gx)
+{
+ EC_POINT *point = NULL;
+ SHA256_CTX sha;
+ int ret = 0;
+
+ /*-
+ * K = (Gx - G * {xb * xd * secret}) * xb
+ * = (G * {(xc + xa + xb) * xd * secret - xb * xd * secret}) * xb
+ * = (G * {(xc + xa) * xd * secret}) * xb
+ * = G * {(xa + xc) * xb * xd * secret}
+ * [which is the same regardless of who calculates it]
+ */
+
+ /* point = (G * xd) * xb = G * {xb * xd} */
+ point = EC_POINT_new(ctx->group);
+ if (point == NULL)
+ goto err;
+ if (!EC_POINT_mul(ctx->group, point, NULL, ctx->Gxd, ctx->xb, ctx->ctx))
+ goto err;
+ /* point = - G * {xb * xd} */
+ if (!EC_POINT_invert(ctx->group, point, ctx->ctx))
+ goto err;
+ /* point = - G * {xb * xd * secret} */
+ if (!EC_POINT_mul(ctx->group, point, NULL, point, ctx->secret, ctx->ctx))
+ goto err;
+ /* point = Gx - G * {xb * xd * secret} */
+ if (!EC_POINT_add(ctx->group, point, Gx, point, ctx->ctx))
+ goto err;
+ /* point = point * xb */
+ if (!EC_POINT_mul(ctx->group, point, NULL, point, ctx->xb, ctx->ctx))
+ goto err;
+ /* Hash point to generate shared secret key */
+ SHA256_Init(&sha);
+ if (!hashpoint(ctx, &sha, point))
+ goto err;
+ SHA256_Final(ctx->key, &sha);
+ ret = 1;
+
+err:
+ if (!ret)
+ ECJPAKEerr(ECJPAKE_F_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
+ if (point != NULL)
+ EC_POINT_clear_free(point);
+ return ret;
+}
+
+int ECJPAKE_STEP2_process(ECJPAKE_CTX *ctx, const ECJPAKE_STEP2 *received)
+{
+ BIGNUM *order = NULL;
+ BIGNUM *tmp = NULL;
+ EC_POINT *point = NULL;
+ int ret = 0;
+
+ /* Get Order */
+ order = BN_new();
+ if (order == NULL)
+ goto err;
+ if (!EC_GROUP_get_order(ctx->group, order, ctx->ctx))
+ goto err;
+ /* G' = G * {xc + xa + xb} */
+ /* tmp = xa + xb */
+ tmp = BN_new();
+ if (tmp == NULL)
+ goto err;
+ if (!BN_mod_add(tmp, ctx->xa, ctx->xb, order, ctx->ctx))
+ goto err;
+ /* point = G * {xa + xb} */
+ point = EC_POINT_new(ctx->group);
+ if (point == NULL)
+ goto err;
+ if (!EC_POINT_mul(ctx->group, point, NULL,
+ EC_GROUP_get0_generator(ctx->group), tmp, ctx->ctx))
+ goto err;
+ /* point = G * {xc + xa + xb} */
+ if (!EC_POINT_add(ctx->group, point, ctx->Gxc, point, ctx->ctx))
+ goto err;
+ /* Verify ZKP */
+ if (!verify_zkp(received, point, ctx))
+ {
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP2_PROCESS, ECJPAKE_R_VERIFY_X4S_FAILED);
+ goto clean;
+ }
+ /* calculate shared secret (key) */
+ if (!compute_key(ctx, received->Gx))
+ goto err;
+
+ ret = 1;
+ goto clean;
+
+err:
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP2_PROCESS, ERR_R_MALLOC_FAILURE);
+clean:
+ if (point != NULL)
+ EC_POINT_free(point);
+ if (tmp != NULL)
+ BN_free(tmp);
+ if (order != NULL)
+ BN_free(order);
+ return ret;
+}
+
+void ECJPAKE_STEP3A_init(ECJPAKE_STEP3A *s3a)
+{
+}
+
+int ECJPAKE_STEP3A_generate(ECJPAKE_STEP3A *send, ECJPAKE_CTX *ctx)
+{
+ SHA256(ctx->key, sizeof ctx->key, send->hhk);
+ SHA256(send->hhk, sizeof send->hhk, send->hhk);
+
+ return 1;
+}
+
+int ECJPAKE_STEP3A_process(ECJPAKE_CTX *ctx, const ECJPAKE_STEP3A *received)
+{
+ unsigned char hhk[SHA256_DIGEST_LENGTH];
+
+ SHA256(ctx->key, sizeof ctx->key, hhk);
+ SHA256(hhk, sizeof hhk, hhk);
+ if (memcmp(hhk, received->hhk, sizeof hhk)) {
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP3A_PROCESS,
+ ECJPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH);
+ return 0;
+ }
+ return 1;
+}
+
+void ECJPAKE_STEP3A_release(ECJPAKE_STEP3A *s3a)
+{
+}
+
+void ECJPAKE_STEP3B_init(ECJPAKE_STEP3B *s3b)
+{
+}
+
+int ECJPAKE_STEP3B_generate(ECJPAKE_STEP3B *send, ECJPAKE_CTX *ctx)
+{
+ SHA256(ctx->key, sizeof(ctx->key), send->hk);
+ return 1;
+}
+
+int ECJPAKE_STEP3B_process(ECJPAKE_CTX *ctx, const ECJPAKE_STEP3B *received)
+{
+ unsigned char hk[SHA256_DIGEST_LENGTH];
+
+ SHA256(ctx->key, sizeof(ctx->key), hk);
+ if (memcmp(hk, received->hk, sizeof(hk))) {
+ ECJPAKEerr(ECJPAKE_F_ECJPAKE_STEP3B_PROCESS,
+ ECJPAKE_R_HASH_OF_KEY_MISMATCH);
+ return 0;
+ }
+ return 1;
+}
+
+void ECJPAKE_STEP3B_release(ECJPAKE_STEP3B *s3b)
+{
+}
+
+const EC_GROUP *ECJPAKE_get_ecGroup(const ECJPAKE_CTX *ctx)
+{
+ return ctx->group;
+}
+
+const unsigned char *ECJPAKE_get_shared_key(const ECJPAKE_CTX *ctx)
+{
+ return ctx->key;
+}
diff --git a/ecjpake_err.c b/ecjpake_err.c
new file mode 100644
index 0000000..6ec1e0f
--- /dev/null
+++ b/ecjpake_err.c
@@ -0,0 +1,75 @@
+/*
+ *
+ * Copyright (c) 2017 Google LLC.
+ * All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "ecjpake.h"
+
+/* BEGIN ERROR CODES */
+#if !defined(OPENSSL_NO_ERR) && !defined(OPENSSL_IS_BORINGSSL)
+
+# define ERR_FUNC(func) ERR_PACK(ERR_LIB_ECJPAKE,func,0)
+# define ERR_REASON(reason) ERR_PACK(ERR_LIB_ECJPAKE,0,reason)
+
+static ERR_STRING_DATA ECJPAKE_str_functs[] = {
+ {ERR_FUNC(ECJPAKE_F_COMPUTE_KEY), "compute_key"},
+ {ERR_FUNC(ECJPAKE_F_EC_POINT_IS_LEGAL), "EC_POINT_is_legal"},
+ {ERR_FUNC(ECJPAKE_F_ECJPAKE_CTX_NEW), "ECJPAKE_CTX_new"},
+ {ERR_FUNC(ECJPAKE_F_ECJPAKE_STEP1_GENERATE), "ECJPAKE_STEP1_generate"},
+ {ERR_FUNC(ECJPAKE_F_ECJPAKE_STEP1_PROCESS), "ECJPAKE_STEP1_process"},
+ {ERR_FUNC(ECJPAKE_F_ECJPAKE_STEP2_GENERATE), "ECJPAKE_STEP2_generate"},
+ {ERR_FUNC(ECJPAKE_F_ECJPAKE_STEP2_PROCESS), "ECJPAKE_STEP2_process"},
+ {ERR_FUNC(ECJPAKE_F_ECJPAKE_STEP3A_PROCESS), "ECJPAKE_STEP3A_process"},
+ {ERR_FUNC(ECJPAKE_F_ECJPAKE_STEP3B_PROCESS), "ECJPAKE_STEP3B_process"},
+ {ERR_FUNC(ECJPAKE_F_GENERATE_ZKP), "generate_zkp"},
+ {ERR_FUNC(ECJPAKE_F_GENRAND), "genrand"},
+ {ERR_FUNC(ECJPAKE_F_STEP_PART_GENERATE), "step_part_generate"},
+ {ERR_FUNC(ECJPAKE_F_STEP_PART_INIT), "step_part_init"},
+ {ERR_FUNC(ECJPAKE_F_VERIFY_ZKP), "verify_zkp"},
+ {ERR_FUNC(ECJPAKE_F_ZKP_HASH), "zkp_hash"},
+ {0,NULL}
+};
+
+static ERR_STRING_DATA ECJPAKE_str_reasons[] = {
+ {ERR_REASON(ECJPAKE_R_G_IS_NOT_LEGAL), "Gx is not legal"},
+ {ERR_REASON(ECJPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL),
+ "Gx to the x3 is not legal"},
+ {ERR_REASON(ECJPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL),
+ "Gx to the x4 is not legal"},
+ {ERR_REASON(ECJPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH),
+ "hash of hash of key mismatch"},
+ {ERR_REASON(ECJPAKE_R_HASH_OF_KEY_MISMATCH), "hash of key mismatch"},
+ {ERR_REASON(ECJPAKE_R_VERIFY_X3_FAILED), "verify x3 failed"},
+ {ERR_REASON(ECJPAKE_R_VERIFY_X4_FAILED), "verify x4 failed"},
+ {ERR_REASON(ECJPAKE_R_VERIFY_X4S_FAILED), "verify x4*s failed"},
+ {ERR_REASON(ECJPAKE_R_ZKP_VERIFY_FAILED), "zkp verify failed"},
+ {0,NULL}
+};
+
+#endif
+
+void ERR_load_ECJPAKE_strings(void)
+{
+#if !defined(OPENSSL_NO_ERR) && !defined(OPENSSL_IS_BORINGSSL)
+
+ if (ERR_func_error_string(ECJPAKE_str_functs[0].error) == NULL) {
+ ERR_load_strings(0, ECJPAKE_str_functs);
+ ERR_load_strings(0, ECJPAKE_str_reasons);
+ }
+#endif
+}
diff --git a/ecjpaketest.c b/ecjpaketest.c
new file mode 100644
index 0000000..3c0c49e
--- /dev/null
+++ b/ecjpaketest.c
@@ -0,0 +1,328 @@
+/*
+ *
+ * Copyright (c) 2017 Google LLC.
+ * All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_ECJPAKE
+
+# include <stdio.h>
+
+int main(int argc, char *argv[])
+{
+ printf("No EC J-PAKE support\n");
+ return(0);
+}
+
+#else
+
+# include <openssl/ecjpake.h>
+# include <openssl/crypto.h>
+# include <openssl/bio.h>
+# include <openssl/rand.h>
+# include <openssl/obj_mac.h>
+# include <openssl/err.h>
+# include <memory.h>
+
+static void showkey(const char *name, const unsigned char *key)
+{
+ int i;
+
+ fputs(name, stdout);
+ fputs(" = ", stdout);
+ for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
+ fprintf(stdout, "%02X", key[i]);
+ putc('\n', stdout);
+}
+
+static const char rnd_seed[] =
+ "string to make the random number generator think it has entropy";
+
+/* generates random length value in a range [len_bottom, len_top] */
+static int generate_rand_len(size_t *rand_len,
+ unsigned int len_bottom,
+ unsigned int len_top)
+{
+ if (len_top > 0xffff || len_bottom > len_top)
+ return 0;
+
+ if (!RAND_bytes((unsigned char *)(rand_len), sizeof(size_t)))
+ return 0;
+
+ *rand_len = *rand_len % (len_top - len_bottom + 1) + len_bottom;
+
+ return 1;
+}
+
+static int run_ecjpake(ECJPAKE_CTX *alice, ECJPAKE_CTX *bob)
+{
+ ECJPAKE_STEP1 alice_s1;
+ ECJPAKE_STEP1 bob_s1;
+ ECJPAKE_STEP2 alice_s2;
+ ECJPAKE_STEP2 bob_s2;
+ ECJPAKE_STEP3A alice_s3a;
+ ECJPAKE_STEP3B bob_s3b;
+
+ /* Alice --> Bob: Step 1 */
+ fputs("\tAlice --> Bob: Step 1\n", stdout);
+ ECJPAKE_STEP1_init(&alice_s1, alice);
+ ECJPAKE_STEP1_generate(&alice_s1, alice);
+
+ if (!ECJPAKE_STEP1_process(bob, &alice_s1)) {
+ ECJPAKE_STEP1_release(&alice_s1);
+ fprintf(stderr, "Bob fails to process Alice's step 1\n");
+ ERR_print_errors_fp(stdout);
+ return 1;
+ }
+ ECJPAKE_STEP1_release(&alice_s1);
+
+ /* Bob --> Alice: Step 1 */
+ fputs("\tBob --> Alice: Step 1\n", stdout);
+ ECJPAKE_STEP1_init(&bob_s1, bob);
+ ECJPAKE_STEP1_generate(&bob_s1, bob);
+ if (!ECJPAKE_STEP1_process(alice, &bob_s1)) {
+ ECJPAKE_STEP1_release(&bob_s1);
+ fprintf(stderr, "Alice fails to process Bob's step 1\n");
+ ERR_print_errors_fp(stdout);
+ return 2;
+ }
+ ECJPAKE_STEP1_release(&bob_s1);
+
+ /* Alice --> Bob: Step 2 */
+ fputs("\tAlice --> Bob: Step 2\n", stdout);
+ ECJPAKE_STEP2_init(&alice_s2, alice);
+ ECJPAKE_STEP2_generate(&alice_s2, alice);
+ if (!ECJPAKE_STEP2_process(bob, &alice_s2)) {
+ ECJPAKE_STEP2_release(&alice_s2);
+ fprintf(stderr, "Bob fails to process Alice's step 2\n");
+ ERR_print_errors_fp(stdout);
+ return 3;
+ }
+ ECJPAKE_STEP2_release(&alice_s2);
+
+ /* Bob --> Alice: Step 2 */
+ fputs("\tBob --> Alice: Step 2\n", stdout);
+ ECJPAKE_STEP2_init(&bob_s2, bob);
+ ECJPAKE_STEP2_generate(&bob_s2, bob);
+ if (!ECJPAKE_STEP2_process(alice, &bob_s2)) {
+ ECJPAKE_STEP2_release(&bob_s2);
+ fprintf(stderr, "Alice fails to process Bob's step 2\n");
+ ERR_print_errors_fp(stdout);
+ return 4;
+ }
+ ECJPAKE_STEP2_release(&bob_s2);
+
+ showkey("\tAlice's key", ECJPAKE_get_shared_key(alice));
+ showkey("\tBob's key ", ECJPAKE_get_shared_key(bob));
+
+ /* Alice --> Bob: Step 3A */
+ fputs("\tAlice --> Bob: Step 3A\n", stdout);
+ ECJPAKE_STEP3A_init(&alice_s3a);
+ ECJPAKE_STEP3A_generate(&alice_s3a, alice);
+ if (!ECJPAKE_STEP3A_process(bob, &alice_s3a)) {
+ ECJPAKE_STEP3A_release(&alice_s3a);
+ return 5;
+ }
+ ECJPAKE_STEP3A_release(&alice_s3a);
+
+ /* Bob --> Alice: Step 3B */
+ fputs("\tBob --> Alice: Step 3B\n", stdout);
+ ECJPAKE_STEP3B_init(&bob_s3b);
+ ECJPAKE_STEP3B_generate(&bob_s3b, bob);
+ if (!ECJPAKE_STEP3B_process(alice, &bob_s3b)) {
+ ECJPAKE_STEP3B_release(&bob_s3b);
+ return 6;
+ }
+ ECJPAKE_STEP3B_release(&bob_s3b);
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ ECJPAKE_CTX *alice = NULL;
+ ECJPAKE_CTX *bob = NULL;
+ unsigned char *alice_id_num = NULL;
+ unsigned char *bob_id_num = NULL;
+ size_t alice_id_len;
+ size_t bob_id_len;
+ BIGNUM *secret = NULL;;
+ BIGNUM *secret_wrong = NULL;
+ size_t secret_len;
+ EC_GROUP *group = NULL;
+ int i;
+ int ret = 1;
+
+ typedef struct test_curve {
+ int nid;
+ char *name;
+ } test_curve;
+
+ test_curve test_curves[] = {
+ /* SECG PRIME CURVES TESTS */
+ {NID_secp160r1, "SECG Prime-Curve P-160"},
+ /* NIST PRIME CURVES TESTS */
+ {NID_X9_62_prime192v1, "NIST Prime-Curve P-192"},
+ {NID_secp224r1, "NIST Prime-Curve P-224"},
+ {NID_X9_62_prime256v1, "NIST Prime-Curve P-256"},
+ {NID_secp384r1, "NIST Prime-Curve P-384"},
+ {NID_secp521r1, "NIST Prime-Curve P-521"},
+# ifndef OPENSSL_NO_EC2M
+ /* NIST BINARY CURVES TESTS */
+ {NID_sect163k1, "NIST Binary-Curve K-163"},
+ {NID_sect163r2, "NIST Binary-Curve B-163"},
+ {NID_sect233k1, "NIST Binary-Curve K-233"},
+ {NID_sect233r1, "NIST Binary-Curve B-233"},
+ {NID_sect283k1, "NIST Binary-Curve K-283"},
+ {NID_sect283r1, "NIST Binary-Curve B-283"},
+ {NID_sect409k1, "NIST Binary-Curve K-409"},
+ {NID_sect409r1, "NIST Binary-Curve B-409"},
+ {NID_sect571k1, "NIST Binary-Curve K-571"},
+ {NID_sect571r1, "NIST Binary-Curve B-571"},
+# endif
+ };
+
+# ifdef OPENSSL_SYS_WIN32
+ CRYPTO_malloc_init();
+# endif
+
+ RAND_seed(rnd_seed, sizeof rnd_seed);
+
+ for (i = 0; i < sizeof(test_curves)/sizeof(test_curve); i++) {
+
+ fprintf(stdout, "\nTesting ECJPAKE protocol for %s\n",
+ test_curves[i].name);
+
+ group = EC_GROUP_new_by_curve_name(test_curves[i].nid);
+ if (group == NULL)
+ goto err;
+
+ /* randomize length of a secret in a range [32, 1024] bits */
+ if (!generate_rand_len(&secret_len, 32, 512))
+ goto err;
+ /* randomize secret of secret_len bits */
+ secret = BN_new();
+ if (secret == NULL)
+ goto err;
+ if (!BN_rand(secret, secret_len, 0, 0))
+ goto err;
+ /* randomize alice_id_len in a range [4, 128] bytes */
+ if (!generate_rand_len(&alice_id_len, 4, 128))
+ goto err;
+ /* randomize alice_id_num of alice_id_len bytes */
+ alice_id_num = (unsigned char *)OPENSSL_malloc(alice_id_len);
+ if (alice_id_num == NULL)
+ goto err;
+ if (!RAND_bytes(alice_id_num, alice_id_len))
+ goto err;
+ /* randomize bob_id_len in a range [4, 128] bytes */
+ if (!generate_rand_len(&bob_id_len, 4, 128))
+ goto err;
+ /* randomize bob_id_num of bob_id_len bytes */
+ bob_id_num = (unsigned char *)OPENSSL_malloc(bob_id_len);
+ if (bob_id_num == NULL)
+ goto err;
+ if (!RAND_bytes(bob_id_num, bob_id_len))
+ goto err;
+
+ /* Initialize ECJPAKE_CTX for Alice and Bob */
+ alice = ECJPAKE_CTX_new(group, secret, alice_id_num, alice_id_len,
+ bob_id_num, bob_id_len);
+ if (alice == NULL)
+ goto err;
+ bob = ECJPAKE_CTX_new(group, secret, bob_id_num, bob_id_len,
+ alice_id_num, alice_id_len);
+ if (bob == NULL)
+ goto err;
+
+ fprintf(stdout, "Plain EC J-PAKE run\n");
+ if (run_ecjpake(alice, bob) != 0) {
+ fprintf(stderr, "Plain EC J-PAKE run failed\n");
+ goto err;
+ }
+
+ ECJPAKE_CTX_free(bob);
+ bob = NULL;
+ ECJPAKE_CTX_free(alice);
+ alice = NULL;
+
+ /* Now give Alice and Bob different secrets */
+ alice = ECJPAKE_CTX_new(group, secret, alice_id_num, alice_id_len,
+ bob_id_num, bob_id_len);
+ if (alice == NULL)
+ goto err;
+ /* randomize secret_wrong of secret_len bits */
+ secret_wrong = BN_new();
+ if (secret_wrong == NULL)
+ goto err;
+ if (!BN_rand(secret_wrong, secret_len, 0, 0))
+ goto err;
+ if (!BN_add(secret_wrong, secret_wrong, secret))
+ goto err;
+ bob = ECJPAKE_CTX_new(group, secret_wrong, bob_id_num, bob_id_len,
+ alice_id_num, alice_id_len);
+ if (bob == NULL)
+ goto err;
+
+ fprintf(stdout, "Mismatch secret EC J-PAKE run\n");
+ if (run_ecjpake(alice, bob) != 5) {
+ fprintf(stderr, "Mismatched secret EC J-PAKE run failed\n");
+ goto err;
+ }
+
+ ECJPAKE_CTX_free(bob);
+ bob = NULL;
+ ECJPAKE_CTX_free(alice);
+ alice = NULL;
+ BN_free(secret);
+ secret = NULL;
+ BN_free(secret_wrong);
+ secret_wrong = NULL;
+ OPENSSL_free(alice_id_num);
+ alice_id_num = NULL;
+ OPENSSL_free(bob_id_num);
+ bob_id_num = NULL;
+ EC_GROUP_free(group);
+ group = NULL;
+ }
+
+ ret = 0;
+
+err:
+ if (ret)
+ fprintf(stderr, "ecjpaketest completed with error.\n");
+ else
+ fprintf(stderr, "ecjpaketest completed successfully.\n");
+ if (bob != NULL)
+ ECJPAKE_CTX_free(bob);
+ if (alice != NULL)
+ ECJPAKE_CTX_free(alice);
+ if (secret != NULL)
+ BN_free(secret);
+ if (secret_wrong != NULL)
+ BN_free(secret_wrong);
+ if (alice_id_num != NULL)
+ OPENSSL_free(alice_id_num);
+ if (bob_id_num != NULL)
+ OPENSSL_free(bob_id_num);
+ if (group != NULL)
+ EC_GROUP_free(group);
+ CRYPTO_cleanup_all_ex_data();
+ return ret;
+}
+
+#endif
diff --git a/openssl/ecjpake.h b/openssl/ecjpake.h
new file mode 100644
index 0000000..0d75138
--- /dev/null
+++ b/openssl/ecjpake.h
@@ -0,0 +1,184 @@
+/*
+ *
+ * Copyright (c) 2017 Google LLC.
+ * All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef HEADER_ECJPAKE_H
+# define HEADER_ECJPAKE_H
+
+# include <openssl/opensslconf.h>
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# include <openssl/ec.h>
+# include <openssl/bn.h>
+# include <openssl/sha.h>
+
+typedef struct ECJPAKE_CTX ECJPAKE_CTX;
+
+typedef struct {
+ EC_POINT *Gr; /* G * r (r random) */
+ BIGNUM *b; /* b = r - x * h,
+ h = hash(G, G * r, G * x, name) */
+} ECJPAKE_ZKP;
+
+typedef struct {
+ EC_POINT *Gx; /* G * x in step 1,
+ G * ((xa + xc + xd) * xb * s) in step 2 */
+ ECJPAKE_ZKP zkpx; /* ZKP(x) or ZKP(xb * s) */
+} ECJPAKE_STEP_PART;
+
+typedef struct {
+ ECJPAKE_STEP_PART p1; /* {G * x3, ZKP(x3)} or {G * x1, ZKP(x1)} */
+ ECJPAKE_STEP_PART p2; /* {G * x4, ZKP(x4)} or {G * x2, ZKP(x2)} */
+} ECJPAKE_STEP1;
+
+typedef ECJPAKE_STEP_PART ECJPAKE_STEP2;
+
+typedef struct {
+ unsigned char hhk[SHA256_DIGEST_LENGTH];
+} ECJPAKE_STEP3A;
+
+typedef struct {
+ unsigned char hk[SHA256_DIGEST_LENGTH];
+} ECJPAKE_STEP3B;
+
+/*
+ * Defines pointer to the function that calculates SHA256 hash of elliptic curve
+ * point. ECJPAKE implements it's own point hash function.
+ * Use ECJPAKE_Set_HashECPoint() to provide alternative implementation of the
+ * point hash.
+ */
+typedef int(*ECJPAKE_HASHPOINT_FUNC_PTR)(ECJPAKE_CTX *, SHA256_CTX *,
+ const EC_POINT *);
+
+/*
+ * Sets the function that will be used to hash elliptic curve point.
+ * If this function is not called the ecjpake uses it's own (default)
+ * implementation of the point hash function.
+ */
+void ECJPAKE_Set_HashECPoint(ECJPAKE_HASHPOINT_FUNC_PTR hashpoint_custom);
+
+/* Initializes ECJPAKE_CTX with protocol parameters */
+ECJPAKE_CTX *ECJPAKE_CTX_new(const EC_GROUP *group, const BIGNUM *secret,
+ const unsigned char *local_id_num,
+ const size_t local_id_len,
+ const unsigned char *peer_id_num,
+ const size_t peer_id_len);
+
+/* Releases ECJPAKE_CTX */
+void ECJPAKE_CTX_free(ECJPAKE_CTX *ctx);
+
+/*
+ * Functions to initialize, generate, process, and release ECJPAKE_STEP1 data.
+ * Note that ECJPAKE_STEP1 can be used multiple times before release
+ * without another init.
+ */
+int ECJPAKE_STEP1_init(ECJPAKE_STEP1 *s1, const ECJPAKE_CTX *ctx);
+int ECJPAKE_STEP1_generate(ECJPAKE_STEP1 *send, ECJPAKE_CTX *ctx);
+int ECJPAKE_STEP1_process(ECJPAKE_CTX *ctx, const ECJPAKE_STEP1 *received);
+void ECJPAKE_STEP1_release(ECJPAKE_STEP1 *s1);
+
+/*
+ * Functions to initialize, generate, process, and release ECJPAKE_STEP2 data.
+ * Note that ECJPAKE_STEP2 can be used multiple times before release
+ * without another init.
+ */
+int ECJPAKE_STEP2_init(ECJPAKE_STEP2 *s2, const ECJPAKE_CTX *ctx);
+int ECJPAKE_STEP2_generate(ECJPAKE_STEP2 *send, ECJPAKE_CTX *ctx);
+int ECJPAKE_STEP2_process(ECJPAKE_CTX *ctx, const ECJPAKE_STEP2 *received);
+void ECJPAKE_STEP2_release(ECJPAKE_STEP2 *s2);
+
+/*
+ * Optionally verify the shared key. If the shared secrets do not
+ * match, the two ends will disagree about the shared key, but
+ * otherwise the protocol will succeed.
+ */
+void ECJPAKE_STEP3A_init(ECJPAKE_STEP3A *s3a);
+int ECJPAKE_STEP3A_generate(ECJPAKE_STEP3A *send, ECJPAKE_CTX *ctx);
+int ECJPAKE_STEP3A_process(ECJPAKE_CTX *ctx, const ECJPAKE_STEP3A *received);
+void ECJPAKE_STEP3A_release(ECJPAKE_STEP3A *s3a);
+
+void ECJPAKE_STEP3B_init(ECJPAKE_STEP3B *s3b);
+int ECJPAKE_STEP3B_generate(ECJPAKE_STEP3B *send, ECJPAKE_CTX *ctx);
+int ECJPAKE_STEP3B_process(ECJPAKE_CTX *ctx, const ECJPAKE_STEP3B *received);
+void ECJPAKE_STEP3B_release(ECJPAKE_STEP3B *s3b);
+
+/*
+ * Returns shared secret value. The value belongs to the library and will be
+ * released when ctx is released, and will change when a new handshake is
+ * performed.
+ */
+const unsigned char *ECJPAKE_get_shared_key(const ECJPAKE_CTX *ctx);
+
+/* Returns elliptic curve group used in the current ECJPAKE handshake. */
+const EC_GROUP *ECJPAKE_get_ecGroup(const ECJPAKE_CTX *ctx);
+
+/* BEGIN ERROR CODES */
+/*
+ * The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_ECJPAKE_strings(void);
+
+/* Error codes for the ECJPAKE functions. */
+
+/* Function codes. */
+# define ECJPAKE_F_COMPUTE_KEY 100
+# define ECJPAKE_F_EC_POINT_IS_LEGAL 101
+# define ECJPAKE_F_ECJPAKE_CTX_NEW 102
+# define ECJPAKE_F_ECJPAKE_STEP1_GENERATE 103
+# define ECJPAKE_F_ECJPAKE_STEP1_PROCESS 104
+# define ECJPAKE_F_ECJPAKE_STEP2_GENERATE 105
+# define ECJPAKE_F_ECJPAKE_STEP2_PROCESS 106
+# define ECJPAKE_F_ECJPAKE_STEP3A_PROCESS 107
+# define ECJPAKE_F_ECJPAKE_STEP3B_PROCESS 108
+# define ECJPAKE_F_GENERATE_ZKP 109
+# define ECJPAKE_F_GENRAND 110
+# define ECJPAKE_F_STEP_PART_GENERATE 111
+# define ECJPAKE_F_STEP_PART_INIT 112
+# define ECJPAKE_F_VERIFY_ZKP 113
+# define ECJPAKE_F_ZKP_HASH 114
+
+/* Reason codes. */
+# define ECJPAKE_R_G_IS_NOT_LEGAL 100
+# define ECJPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL 101
+# define ECJPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL 102
+# define ECJPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH 103
+# define ECJPAKE_R_HASH_OF_KEY_MISMATCH 104
+# define ECJPAKE_R_VERIFY_X3_FAILED 105
+# define ECJPAKE_R_VERIFY_X4_FAILED 106
+# define ECJPAKE_R_VERIFY_X4S_FAILED 107
+# define ECJPAKE_R_ZKP_VERIFY_FAILED 108
+
+#ifndef ERR_LIB_ECJPAKE
+# define ERR_LIB_ECJPAKE 50
+#endif
+
+#ifndef ECJPAKEerr
+# ifndef OPENSSL_IS_BORINGSSL
+# define ECJPAKEerr(f,r) ERR_PUT_error(ERR_LIB_ECJPAKE,(f),(r),__FILE__,__LINE__)
+# else
+# define ECJPAKEerr(f,r) ERR_put_error(ERR_LIB_ECJPAKE,(f),(r),__FILE__,__LINE__)
+# endif
+#endif
+
+# ifdef __cplusplus
+}
+# endif
+#endif