| 2 |
- |
1 |
/*
|
|
|
2 |
* Various files from /sys/src/cmd/auth/secstore, just enough
|
|
|
3 |
* to download a file at boot time.
|
|
|
4 |
*/
|
|
|
5 |
|
|
|
6 |
#include "dat.h"
|
|
|
7 |
#include <ip.h>
|
|
|
8 |
|
|
|
9 |
enum{ CHK = 16};
|
|
|
10 |
enum{ MAXFILESIZE = 10*1024*1024 };
|
|
|
11 |
|
|
|
12 |
enum{// PW status bits
|
|
|
13 |
Enabled = (1<<0),
|
|
|
14 |
STA = (1<<1), // extra SecurID step
|
|
|
15 |
};
|
|
|
16 |
|
|
|
17 |
static char testmess[] = "__secstore\tPAK\nC=%s\nm=0\n";
|
|
|
18 |
|
|
|
19 |
int
|
|
|
20 |
havesecstore(void)
|
|
|
21 |
{
|
|
|
22 |
int m, n, fd;
|
|
|
23 |
uchar buf[500];
|
|
|
24 |
|
|
|
25 |
n = snprint((char*)buf, sizeof buf, testmess, owner);
|
|
|
26 |
hnputs(buf, 0x8000+n-2);
|
|
|
27 |
|
|
|
28 |
fd = secdial();
|
|
|
29 |
if(fd < 0)
|
|
|
30 |
return 0;
|
|
|
31 |
if(write(fd, buf, n) != n || readn(fd, buf, 2) != 2){
|
|
|
32 |
close(fd);
|
|
|
33 |
return 0;
|
|
|
34 |
}
|
|
|
35 |
n = ((buf[0]&0x7f)<<8) + buf[1];
|
|
|
36 |
if(n+1 > sizeof buf){
|
|
|
37 |
werrstr("implausibly large count %d", n);
|
|
|
38 |
close(fd);
|
|
|
39 |
return 0;
|
|
|
40 |
}
|
|
|
41 |
m = readn(fd, buf, n);
|
|
|
42 |
close(fd);
|
|
|
43 |
if(m != n){
|
|
|
44 |
if(m >= 0)
|
|
|
45 |
werrstr("short read from secstore");
|
|
|
46 |
return 0;
|
|
|
47 |
}
|
|
|
48 |
buf[n] = 0;
|
|
|
49 |
if(strcmp((char*)buf, "!account expired") == 0){
|
|
|
50 |
werrstr("account expired");
|
|
|
51 |
return 0;
|
|
|
52 |
}
|
|
|
53 |
return strcmp((char*)buf, "!account exists") == 0;
|
|
|
54 |
}
|
|
|
55 |
|
|
|
56 |
// delimited, authenticated, encrypted connection
|
|
|
57 |
enum{ Maxmsg=4096 }; // messages > Maxmsg bytes are truncated
|
|
|
58 |
typedef struct SConn SConn;
|
|
|
59 |
|
|
|
60 |
extern SConn* newSConn(int); // arg is open file descriptor
|
|
|
61 |
struct SConn{
|
|
|
62 |
void *chan;
|
|
|
63 |
int secretlen;
|
|
|
64 |
int (*secret)(SConn*, uchar*, int);//
|
|
|
65 |
int (*read)(SConn*, uchar*, int); // <0 if error; errmess in buffer
|
|
|
66 |
int (*write)(SConn*, uchar*, int);
|
|
|
67 |
void (*free)(SConn*); // also closes file descriptor
|
|
|
68 |
};
|
|
|
69 |
// secret(s,b,dir) sets secret for digest, encrypt, using the secretlen
|
|
|
70 |
// bytes in b to form keys for the two directions;
|
|
|
71 |
// set dir=0 in client, dir=1 in server
|
|
|
72 |
|
|
|
73 |
// error convention: write !message in-band
|
|
|
74 |
#define readstr secstore_readstr
|
|
|
75 |
static void writerr(SConn*, char*);
|
|
|
76 |
static int readstr(SConn*, char*); // call with buf of size Maxmsg+1
|
|
|
77 |
// returns -1 upon error, with error message in buf
|
|
|
78 |
|
|
|
79 |
typedef struct ConnState {
|
|
|
80 |
uchar secret[SHA1dlen];
|
|
|
81 |
ulong seqno;
|
|
|
82 |
RC4state rc4;
|
|
|
83 |
} ConnState;
|
|
|
84 |
|
|
|
85 |
typedef struct SS{
|
|
|
86 |
int fd; // file descriptor for read/write of encrypted data
|
|
|
87 |
int alg; // if nonzero, "alg sha rc4_128"
|
|
|
88 |
ConnState in, out;
|
|
|
89 |
} SS;
|
|
|
90 |
|
|
|
91 |
static int
|
|
|
92 |
SC_secret(SConn *conn, uchar *sigma, int direction)
|
|
|
93 |
{
|
|
|
94 |
SS *ss = (SS*)(conn->chan);
|
|
|
95 |
int nsigma = conn->secretlen;
|
|
|
96 |
|
|
|
97 |
if(direction != 0){
|
|
|
98 |
hmac_sha1(sigma, nsigma, (uchar*)"one", 3, ss->out.secret, nil);
|
|
|
99 |
hmac_sha1(sigma, nsigma, (uchar*)"two", 3, ss->in.secret, nil);
|
|
|
100 |
}else{
|
|
|
101 |
hmac_sha1(sigma, nsigma, (uchar*)"two", 3, ss->out.secret, nil);
|
|
|
102 |
hmac_sha1(sigma, nsigma, (uchar*)"one", 3, ss->in.secret, nil);
|
|
|
103 |
}
|
|
|
104 |
setupRC4state(&ss->in.rc4, ss->in.secret, 16); // restrict to 128 bits
|
|
|
105 |
setupRC4state(&ss->out.rc4, ss->out.secret, 16);
|
|
|
106 |
ss->alg = 1;
|
|
|
107 |
return 0;
|
|
|
108 |
}
|
|
|
109 |
|
|
|
110 |
static void
|
|
|
111 |
hash(uchar secret[SHA1dlen], uchar *data, int len, int seqno, uchar d[SHA1dlen])
|
|
|
112 |
{
|
|
|
113 |
DigestState sha;
|
|
|
114 |
uchar seq[4];
|
|
|
115 |
|
|
|
116 |
seq[0] = seqno>>24;
|
|
|
117 |
seq[1] = seqno>>16;
|
|
|
118 |
seq[2] = seqno>>8;
|
|
|
119 |
seq[3] = seqno;
|
|
|
120 |
memset(&sha, 0, sizeof sha);
|
|
|
121 |
sha1(secret, SHA1dlen, nil, &sha);
|
|
|
122 |
sha1(data, len, nil, &sha);
|
|
|
123 |
sha1(seq, 4, d, &sha);
|
|
|
124 |
}
|
|
|
125 |
|
|
|
126 |
static int
|
|
|
127 |
verify(uchar secret[SHA1dlen], uchar *data, int len, int seqno, uchar d[SHA1dlen])
|
|
|
128 |
{
|
|
|
129 |
DigestState sha;
|
|
|
130 |
uchar seq[4];
|
|
|
131 |
uchar digest[SHA1dlen];
|
|
|
132 |
|
|
|
133 |
seq[0] = seqno>>24;
|
|
|
134 |
seq[1] = seqno>>16;
|
|
|
135 |
seq[2] = seqno>>8;
|
|
|
136 |
seq[3] = seqno;
|
|
|
137 |
memset(&sha, 0, sizeof sha);
|
|
|
138 |
sha1(secret, SHA1dlen, nil, &sha);
|
|
|
139 |
sha1(data, len, nil, &sha);
|
|
|
140 |
sha1(seq, 4, digest, &sha);
|
|
|
141 |
return memcmp(d, digest, SHA1dlen);
|
|
|
142 |
}
|
|
|
143 |
|
|
|
144 |
static int
|
|
|
145 |
SC_read(SConn *conn, uchar *buf, int n)
|
|
|
146 |
{
|
|
|
147 |
SS *ss = (SS*)(conn->chan);
|
|
|
148 |
uchar count[2], digest[SHA1dlen];
|
|
|
149 |
int len, nr;
|
|
|
150 |
|
|
|
151 |
if(read(ss->fd, count, 2) != 2 || count[0]&0x80 == 0){
|
|
|
152 |
werrstr("!SC_read invalid count");
|
|
|
153 |
return -1;
|
|
|
154 |
}
|
|
|
155 |
len = (count[0]&0x7f)<<8 | count[1]; // SSL-style count; no pad
|
|
|
156 |
if(ss->alg){
|
|
|
157 |
len -= SHA1dlen;
|
|
|
158 |
if(len <= 0 || readn(ss->fd, digest, SHA1dlen) != SHA1dlen){
|
|
|
159 |
werrstr("!SC_read missing sha1");
|
|
|
160 |
return -1;
|
|
|
161 |
}
|
|
|
162 |
if(len > n || readn(ss->fd, buf, len) != len){
|
|
|
163 |
werrstr("!SC_read missing data");
|
|
|
164 |
return -1;
|
|
|
165 |
}
|
|
|
166 |
rc4(&ss->in.rc4, digest, SHA1dlen);
|
|
|
167 |
rc4(&ss->in.rc4, buf, len);
|
|
|
168 |
if(verify(ss->in.secret, buf, len, ss->in.seqno, digest) != 0){
|
|
|
169 |
werrstr("!SC_read integrity check failed");
|
|
|
170 |
return -1;
|
|
|
171 |
}
|
|
|
172 |
}else{
|
|
|
173 |
if(len <= 0 || len > n){
|
|
|
174 |
werrstr("!SC_read implausible record length");
|
|
|
175 |
return -1;
|
|
|
176 |
}
|
|
|
177 |
if( (nr = readn(ss->fd, buf, len)) != len){
|
|
|
178 |
werrstr("!SC_read expected %d bytes, but got %d", len, nr);
|
|
|
179 |
return -1;
|
|
|
180 |
}
|
|
|
181 |
}
|
|
|
182 |
ss->in.seqno++;
|
|
|
183 |
return len;
|
|
|
184 |
}
|
|
|
185 |
|
|
|
186 |
static int
|
|
|
187 |
SC_write(SConn *conn, uchar *buf, int n)
|
|
|
188 |
{
|
|
|
189 |
SS *ss = (SS*)(conn->chan);
|
|
|
190 |
uchar count[2], digest[SHA1dlen], enc[Maxmsg+1];
|
|
|
191 |
int len;
|
|
|
192 |
|
|
|
193 |
if(n <= 0 || n > Maxmsg+1){
|
|
|
194 |
werrstr("!SC_write invalid n %d", n);
|
|
|
195 |
return -1;
|
|
|
196 |
}
|
|
|
197 |
len = n;
|
|
|
198 |
if(ss->alg)
|
|
|
199 |
len += SHA1dlen;
|
|
|
200 |
count[0] = 0x80 | len>>8;
|
|
|
201 |
count[1] = len;
|
|
|
202 |
if(write(ss->fd, count, 2) != 2){
|
|
|
203 |
werrstr("!SC_write invalid count");
|
|
|
204 |
return -1;
|
|
|
205 |
}
|
|
|
206 |
if(ss->alg){
|
|
|
207 |
hash(ss->out.secret, buf, n, ss->out.seqno, digest);
|
|
|
208 |
rc4(&ss->out.rc4, digest, SHA1dlen);
|
|
|
209 |
memcpy(enc, buf, n);
|
|
|
210 |
rc4(&ss->out.rc4, enc, n);
|
|
|
211 |
if(write(ss->fd, digest, SHA1dlen) != SHA1dlen ||
|
|
|
212 |
write(ss->fd, enc, n) != n){
|
|
|
213 |
werrstr("!SC_write error on send");
|
|
|
214 |
return -1;
|
|
|
215 |
}
|
|
|
216 |
}else{
|
|
|
217 |
if(write(ss->fd, buf, n) != n){
|
|
|
218 |
werrstr("!SC_write error on send");
|
|
|
219 |
return -1;
|
|
|
220 |
}
|
|
|
221 |
}
|
|
|
222 |
ss->out.seqno++;
|
|
|
223 |
return n;
|
|
|
224 |
}
|
|
|
225 |
|
|
|
226 |
static void
|
|
|
227 |
SC_free(SConn *conn)
|
|
|
228 |
{
|
|
|
229 |
SS *ss = (SS*)(conn->chan);
|
|
|
230 |
|
|
|
231 |
close(ss->fd);
|
|
|
232 |
free(ss);
|
|
|
233 |
free(conn);
|
|
|
234 |
}
|
|
|
235 |
|
|
|
236 |
SConn*
|
|
|
237 |
newSConn(int fd)
|
|
|
238 |
{
|
|
|
239 |
SS *ss;
|
|
|
240 |
SConn *conn;
|
|
|
241 |
|
|
|
242 |
if(fd < 0)
|
|
|
243 |
return nil;
|
|
|
244 |
ss = (SS*)emalloc(sizeof(*ss));
|
|
|
245 |
conn = (SConn*)emalloc(sizeof(*conn));
|
|
|
246 |
ss->fd = fd;
|
|
|
247 |
ss->alg = 0;
|
|
|
248 |
conn->chan = (void*)ss;
|
|
|
249 |
conn->secretlen = SHA1dlen;
|
|
|
250 |
conn->free = SC_free;
|
|
|
251 |
conn->secret = SC_secret;
|
|
|
252 |
conn->read = SC_read;
|
|
|
253 |
conn->write = SC_write;
|
|
|
254 |
return conn;
|
|
|
255 |
}
|
|
|
256 |
|
|
|
257 |
static void
|
|
|
258 |
writerr(SConn *conn, char *s)
|
|
|
259 |
{
|
|
|
260 |
char buf[Maxmsg];
|
|
|
261 |
|
|
|
262 |
snprint(buf, Maxmsg, "!%s", s);
|
|
|
263 |
conn->write(conn, (uchar*)buf, strlen(buf));
|
|
|
264 |
}
|
|
|
265 |
|
|
|
266 |
static int
|
|
|
267 |
readstr(SConn *conn, char *s)
|
|
|
268 |
{
|
|
|
269 |
int n;
|
|
|
270 |
|
|
|
271 |
n = conn->read(conn, (uchar*)s, Maxmsg);
|
|
|
272 |
if(n >= 0){
|
|
|
273 |
s[n] = 0;
|
|
|
274 |
if(s[0] == '!'){
|
|
|
275 |
memmove(s, s+1, n);
|
|
|
276 |
n = -1;
|
|
|
277 |
}
|
|
|
278 |
}else{
|
|
|
279 |
strcpy(s, "read error");
|
|
|
280 |
}
|
|
|
281 |
return n;
|
|
|
282 |
}
|
|
|
283 |
|
|
|
284 |
static int
|
|
|
285 |
getfile(SConn *conn, uchar *key, int nkey)
|
|
|
286 |
{
|
|
|
287 |
char *buf;
|
|
|
288 |
int nbuf, n, nr, len;
|
|
|
289 |
char s[Maxmsg+1], *gf, *p, *q;
|
|
|
290 |
uchar skey[SHA1dlen], ib[Maxmsg+CHK], *ibr, *ibw;
|
|
|
291 |
AESstate aes;
|
|
|
292 |
DigestState *sha;
|
|
|
293 |
|
|
|
294 |
gf = "factotum";
|
|
|
295 |
memset(&aes, 0, sizeof aes);
|
|
|
296 |
|
|
|
297 |
snprint(s, Maxmsg, "GET %s\n", gf);
|
|
|
298 |
conn->write(conn, (uchar*)s, strlen(s));
|
|
|
299 |
|
|
|
300 |
/* get file size */
|
|
|
301 |
s[0] = '\0';
|
|
|
302 |
if(readstr(conn, s) < 0){
|
|
|
303 |
werrstr("secstore: %r");
|
|
|
304 |
return -1;
|
|
|
305 |
}
|
|
|
306 |
if((len = atoi(s)) < 0){
|
|
|
307 |
werrstr("secstore: remote file %s does not exist", gf);
|
|
|
308 |
return -1;
|
|
|
309 |
}else if(len > MAXFILESIZE){//assert
|
|
|
310 |
werrstr("secstore: implausible file size %d for %s", len, gf);
|
|
|
311 |
return -1;
|
|
|
312 |
}
|
|
|
313 |
|
|
|
314 |
ibr = ibw = ib;
|
|
|
315 |
buf = nil;
|
|
|
316 |
nbuf = 0;
|
|
|
317 |
for(nr=0; nr < len;){
|
|
|
318 |
if((n = conn->read(conn, ibw, Maxmsg)) <= 0){
|
|
|
319 |
werrstr("secstore: empty file chunk n=%d nr=%d len=%d: %r", n, nr, len);
|
|
|
320 |
return -1;
|
|
|
321 |
}
|
|
|
322 |
nr += n;
|
|
|
323 |
ibw += n;
|
|
|
324 |
if(!aes.setup){ /* first time, read 16 byte IV */
|
|
|
325 |
if(n < 16){
|
|
|
326 |
werrstr("secstore: no IV in file");
|
|
|
327 |
return -1;
|
|
|
328 |
}
|
|
|
329 |
sha = sha1((uchar*)"aescbc file", 11, nil, nil);
|
|
|
330 |
sha1(key, nkey, skey, sha);
|
|
|
331 |
setupAESstate(&aes, skey, AESbsize, ibr);
|
|
|
332 |
memset(skey, 0, sizeof skey);
|
|
|
333 |
ibr += AESbsize;
|
|
|
334 |
n -= AESbsize;
|
|
|
335 |
}
|
|
|
336 |
aesCBCdecrypt(ibw-n, n, &aes);
|
|
|
337 |
n = ibw-ibr-CHK;
|
|
|
338 |
if(n > 0){
|
|
|
339 |
buf = erealloc(buf, nbuf+n+1);
|
|
|
340 |
memmove(buf+nbuf, ibr, n);
|
|
|
341 |
nbuf += n;
|
|
|
342 |
ibr += n;
|
|
|
343 |
}
|
|
|
344 |
memmove(ib, ibr, ibw-ibr);
|
|
|
345 |
ibw = ib + (ibw-ibr);
|
|
|
346 |
ibr = ib;
|
|
|
347 |
}
|
|
|
348 |
n = ibw-ibr;
|
|
|
349 |
if((n != CHK) || (memcmp(ib, "XXXXXXXXXXXXXXXX", CHK) != 0)){
|
|
|
350 |
werrstr("secstore: decrypted file failed to authenticate!");
|
|
|
351 |
free(buf);
|
|
|
352 |
return -1;
|
|
|
353 |
}
|
|
|
354 |
if(nbuf == 0){
|
|
|
355 |
werrstr("secstore got empty file");
|
|
|
356 |
return -1;
|
|
|
357 |
}
|
|
|
358 |
buf[nbuf] = '\0';
|
|
|
359 |
p = buf;
|
|
|
360 |
n = 0;
|
|
|
361 |
while(p){
|
|
|
362 |
if(q = strchr(p, '\n'))
|
|
|
363 |
*q++ = '\0';
|
|
|
364 |
n++;
|
|
|
365 |
if(ctlwrite(p, 0) < 0)
|
|
|
366 |
fprint(2, "factotum: secstore(%s) line %d: %r\n", gf, n);
|
|
|
367 |
p = q;
|
|
|
368 |
}
|
|
|
369 |
free(buf);
|
|
|
370 |
return 0;
|
|
|
371 |
}
|
|
|
372 |
|
|
|
373 |
static char VERSION[] = "secstore";
|
|
|
374 |
|
|
|
375 |
typedef struct PAKparams{
|
|
|
376 |
mpint *q, *p, *r, *g;
|
|
|
377 |
} PAKparams;
|
|
|
378 |
|
|
|
379 |
static PAKparams *pak;
|
|
|
380 |
|
|
|
381 |
// This group was generated by the seed EB7B6E35F7CD37B511D96C67D6688CC4DD440E1E.
|
|
|
382 |
static void
|
|
|
383 |
initPAKparams(void)
|
|
|
384 |
{
|
|
|
385 |
if(pak)
|
|
|
386 |
return;
|
|
|
387 |
pak = (PAKparams*)emalloc(sizeof(*pak));
|
|
|
388 |
pak->q = strtomp("E0F0EF284E10796C5A2A511E94748BA03C795C13", nil, 16, nil);
|
|
|
389 |
pak->p = strtomp("C41CFBE4D4846F67A3DF7DE9921A49D3B42DC33728427AB159CEC8CBBD"
|
|
|
390 |
"B12B5F0C244F1A734AEB9840804EA3C25036AD1B61AFF3ABBC247CD4B384224567A86"
|
|
|
391 |
"3A6F020E7EE9795554BCD08ABAD7321AF27E1E92E3DB1C6E7E94FAAE590AE9C48F96D9"
|
|
|
392 |
"3D178E809401ABE8A534A1EC44359733475A36A70C7B425125062B1142D", nil, 16, nil);
|
|
|
393 |
pak->r = strtomp("DF310F4E54A5FEC5D86D3E14863921E834113E060F90052AD332B3241CEF"
|
|
|
394 |
"2497EFA0303D6344F7C819691A0F9C4A773815AF8EAECFB7EC1D98F039F17A32A7E887"
|
|
|
395 |
"D97251A927D093F44A55577F4D70444AEBD06B9B45695EC23962B175F266895C67D21"
|
|
|
396 |
"C4656848614D888A4", nil, 16, nil);
|
|
|
397 |
pak->g = strtomp("2F1C308DC46B9A44B52DF7DACCE1208CCEF72F69C743ADD4D2327173444"
|
|
|
398 |
"ED6E65E074694246E07F9FD4AE26E0FDDD9F54F813C40CB9BCD4338EA6F242AB94CD41"
|
|
|
399 |
"0E676C290368A16B1A3594877437E516C53A6EEE5493A038A017E955E218E7819734E3E"
|
|
|
400 |
"2A6E0BAE08B14258F8C03CC1B30E0DDADFCF7CEDF0727684D3D255F1", nil, 16, nil);
|
|
|
401 |
}
|
|
|
402 |
|
|
|
403 |
// H = (sha(ver,C,sha(passphrase)))^r mod p,
|
|
|
404 |
// a hash function expensive to attack by brute force.
|
|
|
405 |
static void
|
|
|
406 |
longhash(char *ver, char *C, uchar *passwd, mpint *H)
|
|
|
407 |
{
|
|
|
408 |
uchar *Cp;
|
|
|
409 |
int i, n, nver, nC;
|
|
|
410 |
uchar buf[140], key[1];
|
|
|
411 |
|
|
|
412 |
nver = strlen(ver);
|
|
|
413 |
nC = strlen(C);
|
|
|
414 |
n = nver + nC + SHA1dlen;
|
|
|
415 |
Cp = (uchar*)emalloc(n);
|
|
|
416 |
memmove(Cp, ver, nver);
|
|
|
417 |
memmove(Cp+nver, C, nC);
|
|
|
418 |
memmove(Cp+nver+nC, passwd, SHA1dlen);
|
|
|
419 |
for(i = 0; i < 7; i++){
|
|
|
420 |
key[0] = 'A'+i;
|
|
|
421 |
hmac_sha1(Cp, n, key, sizeof key, buf+i*SHA1dlen, nil);
|
|
|
422 |
}
|
|
|
423 |
memset(Cp, 0, n);
|
|
|
424 |
free(Cp);
|
|
|
425 |
betomp(buf, sizeof buf, H);
|
|
|
426 |
mpmod(H, pak->p, H);
|
|
|
427 |
mpexp(H, pak->r, pak->p, H);
|
|
|
428 |
}
|
|
|
429 |
|
|
|
430 |
// Hi = H^-1 mod p
|
|
|
431 |
static char *
|
|
|
432 |
PAK_Hi(char *C, char *passphrase, mpint *H, mpint *Hi)
|
|
|
433 |
{
|
|
|
434 |
uchar passhash[SHA1dlen];
|
|
|
435 |
|
|
|
436 |
sha1((uchar *)passphrase, strlen(passphrase), passhash, nil);
|
|
|
437 |
initPAKparams();
|
|
|
438 |
longhash(VERSION, C, passhash, H);
|
|
|
439 |
mpinvert(H, pak->p, Hi);
|
|
|
440 |
return mptoa(Hi, 64, nil, 0);
|
|
|
441 |
}
|
|
|
442 |
|
|
|
443 |
// another, faster, hash function for each party to
|
|
|
444 |
// confirm that the other has the right secrets.
|
|
|
445 |
static void
|
|
|
446 |
shorthash(char *mess, char *C, char *S, char *m, char *mu, char *sigma, char *Hi, uchar *digest)
|
|
|
447 |
{
|
|
|
448 |
SHA1state *state;
|
|
|
449 |
|
|
|
450 |
state = sha1((uchar*)mess, strlen(mess), 0, 0);
|
|
|
451 |
state = sha1((uchar*)C, strlen(C), 0, state);
|
|
|
452 |
state = sha1((uchar*)S, strlen(S), 0, state);
|
|
|
453 |
state = sha1((uchar*)m, strlen(m), 0, state);
|
|
|
454 |
state = sha1((uchar*)mu, strlen(mu), 0, state);
|
|
|
455 |
state = sha1((uchar*)sigma, strlen(sigma), 0, state);
|
|
|
456 |
state = sha1((uchar*)Hi, strlen(Hi), 0, state);
|
|
|
457 |
state = sha1((uchar*)mess, strlen(mess), 0, state);
|
|
|
458 |
state = sha1((uchar*)C, strlen(C), 0, state);
|
|
|
459 |
state = sha1((uchar*)S, strlen(S), 0, state);
|
|
|
460 |
state = sha1((uchar*)m, strlen(m), 0, state);
|
|
|
461 |
state = sha1((uchar*)mu, strlen(mu), 0, state);
|
|
|
462 |
state = sha1((uchar*)sigma, strlen(sigma), 0, state);
|
|
|
463 |
sha1((uchar*)Hi, strlen(Hi), digest, state);
|
|
|
464 |
}
|
|
|
465 |
|
|
|
466 |
// On input, conn provides an open channel to the server;
|
|
|
467 |
// C is the name this client calls itself;
|
|
|
468 |
// pass is the user's passphrase
|
|
|
469 |
// On output, session secret has been set in conn
|
|
|
470 |
// (unless return code is negative, which means failure).
|
|
|
471 |
// If pS is not nil, it is set to the (alloc'd) name the server calls itself.
|
|
|
472 |
static int
|
|
|
473 |
PAKclient(SConn *conn, char *C, char *pass, char **pS)
|
|
|
474 |
{
|
|
|
475 |
char *mess, *mess2, *eol, *S, *hexmu, *ks, *hexm, *hexsigma = nil, *hexHi;
|
|
|
476 |
char kc[2*SHA1dlen+1];
|
|
|
477 |
uchar digest[SHA1dlen];
|
|
|
478 |
int rc = -1, n;
|
|
|
479 |
mpint *x, *m = mpnew(0), *mu = mpnew(0), *sigma = mpnew(0);
|
|
|
480 |
mpint *H = mpnew(0), *Hi = mpnew(0);
|
|
|
481 |
|
|
|
482 |
hexHi = PAK_Hi(C, pass, H, Hi);
|
|
|
483 |
|
|
|
484 |
// random 1<=x<=q-1; send C, m=g**x H
|
|
|
485 |
x = mprand(164, genrandom, nil);
|
|
|
486 |
mpmod(x, pak->q, x);
|
|
|
487 |
if(mpcmp(x, mpzero) == 0)
|
|
|
488 |
mpassign(mpone, x);
|
|
|
489 |
mpexp(pak->g, x, pak->p, m);
|
|
|
490 |
mpmul(m, H, m);
|
|
|
491 |
mpmod(m, pak->p, m);
|
|
|
492 |
hexm = mptoa(m, 64, nil, 0);
|
|
|
493 |
mess = (char*)emalloc(2*Maxmsg+2);
|
|
|
494 |
mess2 = mess+Maxmsg+1;
|
|
|
495 |
snprint(mess, Maxmsg, "%s\tPAK\nC=%s\nm=%s\n", VERSION, C, hexm);
|
|
|
496 |
conn->write(conn, (uchar*)mess, strlen(mess));
|
|
|
497 |
|
|
|
498 |
// recv g**y, S, check hash1(g**xy)
|
|
|
499 |
if(readstr(conn, mess) < 0){
|
|
|
500 |
fprint(2, "factotum: error: %s\n", mess);
|
|
|
501 |
writerr(conn, "couldn't read g**y");
|
|
|
502 |
goto done;
|
|
|
503 |
}
|
|
|
504 |
eol = strchr(mess, '\n');
|
|
|
505 |
if(strncmp("mu=", mess, 3) != 0 || !eol || strncmp("\nk=", eol, 3) != 0){
|
|
|
506 |
writerr(conn, "verifier syntax error");
|
|
|
507 |
goto done;
|
|
|
508 |
}
|
|
|
509 |
hexmu = mess+3;
|
|
|
510 |
*eol = 0;
|
|
|
511 |
ks = eol+3;
|
|
|
512 |
eol = strchr(ks, '\n');
|
|
|
513 |
if(!eol || strncmp("\nS=", eol, 3) != 0){
|
|
|
514 |
writerr(conn, "verifier syntax error for secstore 1.0");
|
|
|
515 |
goto done;
|
|
|
516 |
}
|
|
|
517 |
*eol = 0;
|
|
|
518 |
S = eol+3;
|
|
|
519 |
eol = strchr(S, '\n');
|
|
|
520 |
if(!eol){
|
|
|
521 |
writerr(conn, "verifier syntax error for secstore 1.0");
|
|
|
522 |
goto done;
|
|
|
523 |
}
|
|
|
524 |
*eol = 0;
|
|
|
525 |
if(pS)
|
|
|
526 |
*pS = estrdup(S);
|
|
|
527 |
strtomp(hexmu, nil, 64, mu);
|
|
|
528 |
mpexp(mu, x, pak->p, sigma);
|
|
|
529 |
hexsigma = mptoa(sigma, 64, nil, 0);
|
|
|
530 |
shorthash("server", C, S, hexm, hexmu, hexsigma, hexHi, digest);
|
|
|
531 |
enc64(kc, sizeof kc, digest, SHA1dlen);
|
|
|
532 |
if(strcmp(ks, kc) != 0){
|
|
|
533 |
writerr(conn, "verifier didn't match");
|
|
|
534 |
goto done;
|
|
|
535 |
}
|
|
|
536 |
|
|
|
537 |
// send hash2(g**xy)
|
|
|
538 |
shorthash("client", C, S, hexm, hexmu, hexsigma, hexHi, digest);
|
|
|
539 |
enc64(kc, sizeof kc, digest, SHA1dlen);
|
|
|
540 |
snprint(mess2, Maxmsg, "k'=%s\n", kc);
|
|
|
541 |
conn->write(conn, (uchar*)mess2, strlen(mess2));
|
|
|
542 |
|
|
|
543 |
// set session key
|
|
|
544 |
shorthash("session", C, S, hexm, hexmu, hexsigma, hexHi, digest);
|
|
|
545 |
memset(hexsigma, 0, strlen(hexsigma));
|
|
|
546 |
n = conn->secret(conn, digest, 0);
|
|
|
547 |
memset(digest, 0, SHA1dlen);
|
|
|
548 |
if(n < 0){//assert
|
|
|
549 |
writerr(conn, "can't set secret");
|
|
|
550 |
goto done;
|
|
|
551 |
}
|
|
|
552 |
|
|
|
553 |
rc = 0;
|
|
|
554 |
done:
|
|
|
555 |
mpfree(x);
|
|
|
556 |
mpfree(sigma);
|
|
|
557 |
mpfree(mu);
|
|
|
558 |
mpfree(m);
|
|
|
559 |
mpfree(Hi);
|
|
|
560 |
mpfree(H);
|
|
|
561 |
free(hexsigma);
|
|
|
562 |
free(hexHi);
|
|
|
563 |
free(hexm);
|
|
|
564 |
free(mess);
|
|
|
565 |
return rc;
|
|
|
566 |
}
|
|
|
567 |
|
|
|
568 |
int
|
|
|
569 |
secstorefetch(char *password)
|
|
|
570 |
{
|
|
|
571 |
int rv = -1, fd;
|
|
|
572 |
char s[Maxmsg+1];
|
|
|
573 |
SConn *conn;
|
|
|
574 |
char *pass, *sta;
|
|
|
575 |
|
|
|
576 |
sta = nil;
|
|
|
577 |
conn = nil;
|
|
|
578 |
if(password != nil && *password)
|
|
|
579 |
pass = estrdup(password);
|
|
|
580 |
else
|
|
|
581 |
pass = readcons("secstore password", nil, 1);
|
|
|
582 |
if(pass==nil || strlen(pass)==0){
|
|
|
583 |
werrstr("cancel");
|
|
|
584 |
goto Out;
|
|
|
585 |
}
|
|
|
586 |
if((fd = secdial()) < 0)
|
|
|
587 |
goto Out;
|
|
|
588 |
if((conn = newSConn(fd)) == nil)
|
|
|
589 |
goto Out;
|
|
|
590 |
if(PAKclient(conn, owner, pass, nil) < 0){
|
|
|
591 |
werrstr("password mistyped?");
|
|
|
592 |
goto Out;
|
|
|
593 |
}
|
|
|
594 |
if(readstr(conn, s) < 0)
|
|
|
595 |
goto Out;
|
|
|
596 |
if(strcmp(s, "STA") == 0){
|
|
|
597 |
sta = readcons("STA PIN+SecureID", nil, 1);
|
|
|
598 |
if(sta==nil || strlen(sta)==0){
|
|
|
599 |
werrstr("cancel");
|
|
|
600 |
goto Out;
|
|
|
601 |
}
|
|
|
602 |
if(strlen(sta) >= sizeof s - 3){
|
|
|
603 |
werrstr("STA response too long");
|
|
|
604 |
goto Out;
|
|
|
605 |
}
|
|
|
606 |
strcpy(s+3, sta);
|
|
|
607 |
conn->write(conn, (uchar*)s, strlen(s));
|
|
|
608 |
readstr(conn, s);
|
|
|
609 |
}
|
|
|
610 |
if(strcmp(s, "OK") !=0){
|
|
|
611 |
werrstr("%s", s);
|
|
|
612 |
goto Out;
|
|
|
613 |
}
|
|
|
614 |
if(getfile(conn, (uchar*)pass, strlen(pass)) < 0)
|
|
|
615 |
goto Out;
|
|
|
616 |
conn->write(conn, (uchar*)"BYE", 3);
|
|
|
617 |
rv = 0;
|
|
|
618 |
|
|
|
619 |
Out:
|
|
|
620 |
if(conn)
|
|
|
621 |
conn->free(conn);
|
|
|
622 |
if(pass)
|
|
|
623 |
free(pass);
|
|
|
624 |
if(sta)
|
|
|
625 |
free(sta);
|
|
|
626 |
return rv;
|
|
|
627 |
}
|
|
|
628 |
|