| 2 |
- |
1 |
// PAK is an encrypted key exchange protocol designed by Philip MacKenzie et al.
|
|
|
2 |
// It is patented and use outside Plan 9 requires you get a license.
|
|
|
3 |
// (All other EKE protocols are patented as well, by Lucent or others.)
|
|
|
4 |
#include <u.h>
|
|
|
5 |
#include <libc.h>
|
|
|
6 |
#include <mp.h>
|
|
|
7 |
#include <libsec.h>
|
|
|
8 |
#include "SConn.h"
|
|
|
9 |
#include "secstore.h"
|
|
|
10 |
|
|
|
11 |
extern int verbose;
|
|
|
12 |
|
|
|
13 |
char VERSION[] = "secstore";
|
|
|
14 |
static char *feedback[] = {"alpha","bravo","charlie","delta","echo","foxtrot","golf","hotel"};
|
|
|
15 |
|
|
|
16 |
typedef struct PAKparams{
|
|
|
17 |
mpint *q, *p, *r, *g;
|
|
|
18 |
} PAKparams;
|
|
|
19 |
|
|
|
20 |
static PAKparams *pak;
|
|
|
21 |
|
|
|
22 |
// from seed EB7B6E35F7CD37B511D96C67D6688CC4DD440E1E
|
|
|
23 |
static void
|
|
|
24 |
initPAKparams(void)
|
|
|
25 |
{
|
|
|
26 |
if(pak)
|
|
|
27 |
return;
|
|
|
28 |
pak = (PAKparams*)emalloc(sizeof(*pak));
|
|
|
29 |
pak->q = strtomp("E0F0EF284E10796C5A2A511E94748BA03C795C13", nil, 16, nil);
|
|
|
30 |
pak->p = strtomp("C41CFBE4D4846F67A3DF7DE9921A49D3B42DC33728427AB159CEC8CBB"
|
|
|
31 |
"DB12B5F0C244F1A734AEB9840804EA3C25036AD1B61AFF3ABBC247CD4B384224567A86"
|
|
|
32 |
"3A6F020E7EE9795554BCD08ABAD7321AF27E1E92E3DB1C6E7E94FAAE590AE9C48F96D9"
|
|
|
33 |
"3D178E809401ABE8A534A1EC44359733475A36A70C7B425125062B1142D",
|
|
|
34 |
nil, 16, nil);
|
|
|
35 |
pak->r = strtomp("DF310F4E54A5FEC5D86D3E14863921E834113E060F90052AD332B3241"
|
|
|
36 |
"CEF2497EFA0303D6344F7C819691A0F9C4A773815AF8EAECFB7EC1D98F039F17A32A7E"
|
|
|
37 |
"887D97251A927D093F44A55577F4D70444AEBD06B9B45695EC23962B175F266895C67D"
|
|
|
38 |
"21C4656848614D888A4", nil, 16, nil);
|
|
|
39 |
pak->g = strtomp("2F1C308DC46B9A44B52DF7DACCE1208CCEF72F69C743ADD4D23271734"
|
|
|
40 |
"44ED6E65E074694246E07F9FD4AE26E0FDDD9F54F813C40CB9BCD4338EA6F242AB94CD"
|
|
|
41 |
"410E676C290368A16B1A3594877437E516C53A6EEE5493A038A017E955E218E7819734"
|
|
|
42 |
"E3E2A6E0BAE08B14258F8C03CC1B30E0DDADFCF7CEDF0727684D3D255F1",
|
|
|
43 |
nil, 16, nil);
|
|
|
44 |
}
|
|
|
45 |
|
|
|
46 |
// H = (sha(ver,C,sha(passphrase)))^r mod p,
|
|
|
47 |
// a hash function expensive to attack by brute force.
|
|
|
48 |
static void
|
|
|
49 |
longhash(char *ver, char *C, uchar *passwd, mpint *H)
|
|
|
50 |
{
|
|
|
51 |
uchar *Cp;
|
|
|
52 |
int i, n, nver, nC;
|
|
|
53 |
uchar buf[140], key[1];
|
|
|
54 |
|
|
|
55 |
nver = strlen(ver);
|
|
|
56 |
nC = strlen(C);
|
|
|
57 |
n = nver + nC + SHA1dlen;
|
|
|
58 |
Cp = (uchar*)emalloc(n);
|
|
|
59 |
memmove(Cp, ver, nver);
|
|
|
60 |
memmove(Cp+nver, C, nC);
|
|
|
61 |
memmove(Cp+nver+nC, passwd, SHA1dlen);
|
|
|
62 |
for(i = 0; i < 7; i++){
|
|
|
63 |
key[0] = 'A'+i;
|
|
|
64 |
hmac_sha1(Cp, n, key, sizeof key, buf+i*SHA1dlen, nil);
|
|
|
65 |
}
|
|
|
66 |
memset(Cp, 0, n);
|
|
|
67 |
free(Cp);
|
|
|
68 |
betomp(buf, sizeof buf, H);
|
|
|
69 |
mpmod(H, pak->p, H);
|
|
|
70 |
mpexp(H, pak->r, pak->p, H);
|
|
|
71 |
}
|
|
|
72 |
|
|
|
73 |
// Hi = H^-1 mod p
|
|
|
74 |
char *
|
|
|
75 |
PAK_Hi(char *C, char *passphrase, mpint *H, mpint *Hi)
|
|
|
76 |
{
|
|
|
77 |
uchar passhash[SHA1dlen];
|
|
|
78 |
|
|
|
79 |
sha1((uchar *)passphrase, strlen(passphrase), passhash, nil);
|
|
|
80 |
initPAKparams();
|
|
|
81 |
longhash(VERSION, C, passhash, H);
|
|
|
82 |
mpinvert(H, pak->p, Hi);
|
|
|
83 |
return mptoa(Hi, 64, nil, 0);
|
|
|
84 |
}
|
|
|
85 |
|
|
|
86 |
// another, faster, hash function for each party to
|
|
|
87 |
// confirm that the other has the right secrets.
|
|
|
88 |
static void
|
|
|
89 |
shorthash(char *mess, char *C, char *S, char *m, char *mu, char *sigma, char *Hi, uchar *digest)
|
|
|
90 |
{
|
|
|
91 |
SHA1state *state;
|
|
|
92 |
|
|
|
93 |
state = sha1((uchar*)mess, strlen(mess), 0, 0);
|
|
|
94 |
state = sha1((uchar*)C, strlen(C), 0, state);
|
|
|
95 |
state = sha1((uchar*)S, strlen(S), 0, state);
|
|
|
96 |
state = sha1((uchar*)m, strlen(m), 0, state);
|
|
|
97 |
state = sha1((uchar*)mu, strlen(mu), 0, state);
|
|
|
98 |
state = sha1((uchar*)sigma, strlen(sigma), 0, state);
|
|
|
99 |
state = sha1((uchar*)Hi, strlen(Hi), 0, state);
|
|
|
100 |
state = sha1((uchar*)mess, strlen(mess), 0, state);
|
|
|
101 |
state = sha1((uchar*)C, strlen(C), 0, state);
|
|
|
102 |
state = sha1((uchar*)S, strlen(S), 0, state);
|
|
|
103 |
state = sha1((uchar*)m, strlen(m), 0, state);
|
|
|
104 |
state = sha1((uchar*)mu, strlen(mu), 0, state);
|
|
|
105 |
state = sha1((uchar*)sigma, strlen(sigma), 0, state);
|
|
|
106 |
sha1((uchar*)Hi, strlen(Hi), digest, state);
|
|
|
107 |
}
|
|
|
108 |
|
|
|
109 |
// On input, conn provides an open channel to the server;
|
|
|
110 |
// C is the name this client calls itself;
|
|
|
111 |
// pass is the user's passphrase
|
|
|
112 |
// On output, session secret has been set in conn
|
|
|
113 |
// (unless return code is negative, which means failure).
|
|
|
114 |
// If pS is not nil, it is set to the (alloc'd) name the server calls itself.
|
|
|
115 |
int
|
|
|
116 |
PAKclient(SConn *conn, char *C, char *pass, char **pS)
|
|
|
117 |
{
|
|
|
118 |
char *mess, *mess2, *eol, *S, *hexmu, *ks, *hexm, *hexsigma = nil, *hexHi;
|
|
|
119 |
char kc[2*SHA1dlen+1];
|
|
|
120 |
uchar digest[SHA1dlen];
|
|
|
121 |
int rc = -1, n;
|
|
|
122 |
mpint *x, *m = mpnew(0), *mu = mpnew(0), *sigma = mpnew(0);
|
|
|
123 |
mpint *H = mpnew(0), *Hi = mpnew(0);
|
|
|
124 |
|
|
|
125 |
hexHi = PAK_Hi(C, pass, H, Hi);
|
|
|
126 |
if(verbose)
|
|
|
127 |
fprint(2, "%s\n", feedback[H->p[0]&0x7]); // provide a clue to catch typos
|
|
|
128 |
|
|
|
129 |
// random 1<=x<=q-1; send C, m=g**x H
|
|
|
130 |
x = mprand(240, genrandom, nil);
|
|
|
131 |
mpmod(x, pak->q, x);
|
|
|
132 |
if(mpcmp(x, mpzero) == 0)
|
|
|
133 |
mpassign(mpone, x);
|
|
|
134 |
mpexp(pak->g, x, pak->p, m);
|
|
|
135 |
mpmul(m, H, m);
|
|
|
136 |
mpmod(m, pak->p, m);
|
|
|
137 |
hexm = mptoa(m, 64, nil, 0);
|
|
|
138 |
mess = (char*)emalloc(2*Maxmsg+2);
|
|
|
139 |
mess2 = mess+Maxmsg+1;
|
|
|
140 |
snprint(mess, Maxmsg, "%s\tPAK\nC=%s\nm=%s\n", VERSION, C, hexm);
|
|
|
141 |
conn->write(conn, (uchar*)mess, strlen(mess));
|
|
|
142 |
|
|
|
143 |
// recv g**y, S, check hash1(g**xy)
|
|
|
144 |
if(readstr(conn, mess) < 0){
|
|
|
145 |
fprint(2, "%s: error: %s\n", argv0, mess);
|
|
|
146 |
writerr(conn, "couldn't read g**y");
|
|
|
147 |
goto done;
|
|
|
148 |
}
|
|
|
149 |
eol = strchr(mess, '\n');
|
|
|
150 |
if(strncmp("mu=", mess, 3) != 0 || !eol || strncmp("\nk=", eol, 3) != 0){
|
|
|
151 |
writerr(conn, "verifier syntax error");
|
|
|
152 |
goto done;
|
|
|
153 |
}
|
|
|
154 |
hexmu = mess+3;
|
|
|
155 |
*eol = 0;
|
|
|
156 |
ks = eol+3;
|
|
|
157 |
eol = strchr(ks, '\n');
|
|
|
158 |
if(!eol || strncmp("\nS=", eol, 3) != 0){
|
|
|
159 |
writerr(conn, "verifier syntax error for secstore 1.0");
|
|
|
160 |
goto done;
|
|
|
161 |
}
|
|
|
162 |
*eol = 0;
|
|
|
163 |
S = eol+3;
|
|
|
164 |
eol = strchr(S, '\n');
|
|
|
165 |
if(!eol){
|
|
|
166 |
writerr(conn, "verifier syntax error for secstore 1.0");
|
|
|
167 |
goto done;
|
|
|
168 |
}
|
|
|
169 |
*eol = 0;
|
|
|
170 |
if(pS)
|
|
|
171 |
*pS = estrdup(S);
|
|
|
172 |
strtomp(hexmu, nil, 64, mu);
|
|
|
173 |
mpexp(mu, x, pak->p, sigma);
|
|
|
174 |
hexsigma = mptoa(sigma, 64, nil, 0);
|
|
|
175 |
shorthash("server", C, S, hexm, hexmu, hexsigma, hexHi, digest);
|
|
|
176 |
enc64(kc, sizeof kc, digest, SHA1dlen);
|
|
|
177 |
if(strcmp(ks, kc) != 0){
|
|
|
178 |
writerr(conn, "verifier didn't match");
|
|
|
179 |
goto done;
|
|
|
180 |
}
|
|
|
181 |
|
|
|
182 |
// send hash2(g**xy)
|
|
|
183 |
shorthash("client", C, S, hexm, hexmu, hexsigma, hexHi, digest);
|
|
|
184 |
enc64(kc, sizeof kc, digest, SHA1dlen);
|
|
|
185 |
snprint(mess2, Maxmsg, "k'=%s\n", kc);
|
|
|
186 |
conn->write(conn, (uchar*)mess2, strlen(mess2));
|
|
|
187 |
|
|
|
188 |
// set session key
|
|
|
189 |
shorthash("session", C, S, hexm, hexmu, hexsigma, hexHi, digest);
|
|
|
190 |
memset(hexsigma, 0, strlen(hexsigma));
|
|
|
191 |
n = conn->secret(conn, digest, 0);
|
|
|
192 |
memset(digest, 0, SHA1dlen);
|
|
|
193 |
if(n < 0){
|
|
|
194 |
writerr(conn, "can't set secret");
|
|
|
195 |
goto done;
|
|
|
196 |
}
|
|
|
197 |
|
|
|
198 |
rc = 0;
|
|
|
199 |
done:
|
|
|
200 |
mpfree(x);
|
|
|
201 |
mpfree(sigma);
|
|
|
202 |
mpfree(mu);
|
|
|
203 |
mpfree(m);
|
|
|
204 |
mpfree(Hi);
|
|
|
205 |
mpfree(H);
|
|
|
206 |
free(hexsigma);
|
|
|
207 |
free(hexHi);
|
|
|
208 |
free(hexm);
|
|
|
209 |
free(mess);
|
|
|
210 |
return rc;
|
|
|
211 |
}
|
|
|
212 |
|
|
|
213 |
// On input,
|
|
|
214 |
// mess contains first message;
|
|
|
215 |
// name is name this server should call itself.
|
|
|
216 |
// On output, session secret has been set in conn;
|
|
|
217 |
// if pw!=nil, then *pw points to PW struct for authenticated user.
|
|
|
218 |
// returns -1 if error
|
|
|
219 |
int
|
|
|
220 |
PAKserver(SConn *conn, char *S, char *mess, PW **pwp)
|
|
|
221 |
{
|
|
|
222 |
int rc = -1, n;
|
|
|
223 |
char mess2[Maxmsg+1], *eol;
|
|
|
224 |
char *C, ks[41], *kc, *hexm, *hexmu = nil, *hexsigma = nil, *hexHi = nil;
|
|
|
225 |
uchar digest[SHA1dlen];
|
|
|
226 |
mpint *H = mpnew(0), *Hi = mpnew(0);
|
|
|
227 |
mpint *y = nil, *m = mpnew(0), *mu = mpnew(0), *sigma = mpnew(0);
|
|
|
228 |
PW *pw = nil;
|
|
|
229 |
|
|
|
230 |
// secstore version and algorithm
|
|
|
231 |
snprint(mess2,Maxmsg,"%s\tPAK\n", VERSION);
|
|
|
232 |
n = strlen(mess2);
|
|
|
233 |
if(strncmp(mess,mess2,n) != 0){
|
|
|
234 |
writerr(conn, "protocol should start with ver alg");
|
|
|
235 |
return -1;
|
|
|
236 |
}
|
|
|
237 |
mess += n;
|
|
|
238 |
initPAKparams();
|
|
|
239 |
|
|
|
240 |
// parse first message into C, m
|
|
|
241 |
eol = strchr(mess, '\n');
|
|
|
242 |
if(strncmp("C=", mess, 2) != 0 || !eol){
|
|
|
243 |
fprint(2, "%s: mess[1]=%s\n", argv0, mess);
|
|
|
244 |
writerr(conn, "PAK version mismatch");
|
|
|
245 |
goto done;
|
|
|
246 |
}
|
|
|
247 |
C = mess+2;
|
|
|
248 |
*eol = 0;
|
|
|
249 |
hexm = eol+3;
|
|
|
250 |
eol = strchr(hexm, '\n');
|
|
|
251 |
if(strncmp("m=", hexm-2, 2) != 0 || !eol){
|
|
|
252 |
writerr(conn, "PAK version mismatch");
|
|
|
253 |
goto done;
|
|
|
254 |
}
|
|
|
255 |
*eol = 0;
|
|
|
256 |
strtomp(hexm, nil, 64, m);
|
|
|
257 |
mpmod(m, pak->p, m);
|
|
|
258 |
|
|
|
259 |
// lookup client
|
|
|
260 |
if((pw = getPW(C,0)) == nil) {
|
|
|
261 |
snprint(mess2, sizeof mess2, "%r");
|
|
|
262 |
writerr(conn, mess2);
|
|
|
263 |
goto done;
|
|
|
264 |
}
|
|
|
265 |
if(mpcmp(m, mpzero) == 0) {
|
|
|
266 |
writerr(conn, "account exists");
|
|
|
267 |
freePW(pw);
|
|
|
268 |
pw = nil;
|
|
|
269 |
goto done;
|
|
|
270 |
}
|
|
|
271 |
hexHi = mptoa(pw->Hi, 64, nil, 0);
|
|
|
272 |
|
|
|
273 |
// random y, mu=g**y, sigma=g**xy
|
|
|
274 |
y = mprand(240, genrandom, nil);
|
|
|
275 |
mpmod(y, pak->q, y);
|
|
|
276 |
if(mpcmp(y, mpzero) == 0){
|
|
|
277 |
mpassign(mpone, y);
|
|
|
278 |
}
|
|
|
279 |
mpexp(pak->g, y, pak->p, mu);
|
|
|
280 |
mpmul(m, pw->Hi, m);
|
|
|
281 |
mpmod(m, pak->p, m);
|
|
|
282 |
mpexp(m, y, pak->p, sigma);
|
|
|
283 |
|
|
|
284 |
// send g**y, hash1(g**xy)
|
|
|
285 |
hexmu = mptoa(mu, 64, nil, 0);
|
|
|
286 |
hexsigma = mptoa(sigma, 64, nil, 0);
|
|
|
287 |
shorthash("server", C, S, hexm, hexmu, hexsigma, hexHi, digest);
|
|
|
288 |
enc64(ks, sizeof ks, digest, SHA1dlen);
|
|
|
289 |
snprint(mess2, sizeof mess2, "mu=%s\nk=%s\nS=%s\n", hexmu, ks, S);
|
|
|
290 |
conn->write(conn, (uchar*)mess2, strlen(mess2));
|
|
|
291 |
|
|
|
292 |
// recv hash2(g**xy)
|
|
|
293 |
if(readstr(conn, mess2) < 0){
|
|
|
294 |
writerr(conn, "couldn't read verifier");
|
|
|
295 |
goto done;
|
|
|
296 |
}
|
|
|
297 |
eol = strchr(mess2, '\n');
|
|
|
298 |
if(strncmp("k'=", mess2, 3) != 0 || !eol){
|
|
|
299 |
writerr(conn, "verifier syntax error");
|
|
|
300 |
goto done;
|
|
|
301 |
}
|
|
|
302 |
kc = mess2+3;
|
|
|
303 |
*eol = 0;
|
|
|
304 |
shorthash("client", C, S, hexm, hexmu, hexsigma, hexHi, digest);
|
|
|
305 |
enc64(ks, sizeof ks, digest, SHA1dlen);
|
|
|
306 |
if(strcmp(ks, kc) != 0) {
|
|
|
307 |
rc = -2;
|
|
|
308 |
goto done;
|
|
|
309 |
}
|
|
|
310 |
|
|
|
311 |
// set session key
|
|
|
312 |
shorthash("session", C, S, hexm, hexmu, hexsigma, hexHi, digest);
|
|
|
313 |
n = conn->secret(conn, digest, 1);
|
|
|
314 |
if(n < 0){
|
|
|
315 |
writerr(conn, "can't set secret");
|
|
|
316 |
goto done;
|
|
|
317 |
}
|
|
|
318 |
|
|
|
319 |
rc = 0;
|
|
|
320 |
done:
|
|
|
321 |
if(rc<0 && pw){
|
|
|
322 |
pw->failed++;
|
|
|
323 |
putPW(pw);
|
|
|
324 |
}
|
|
|
325 |
if(rc==0 && pw && pw->failed>0){
|
|
|
326 |
pw->failed = 0;
|
|
|
327 |
putPW(pw);
|
|
|
328 |
}
|
|
|
329 |
if(pwp)
|
|
|
330 |
*pwp = pw;
|
|
|
331 |
else
|
|
|
332 |
freePW(pw);
|
|
|
333 |
free(hexsigma);
|
|
|
334 |
free(hexHi);
|
|
|
335 |
free(hexmu);
|
|
|
336 |
mpfree(y);
|
|
|
337 |
mpfree(sigma);
|
|
|
338 |
mpfree(mu);
|
|
|
339 |
mpfree(m);
|
|
|
340 |
mpfree(Hi);
|
|
|
341 |
mpfree(H);
|
|
|
342 |
return rc;
|
|
|
343 |
}
|
|
|
344 |
|