1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
|
/* PAK is an encrypted key exchange protocol designed by Philip MacKenzie et al. */
/* It is patented and use outside Plan 9 requires you get a license. */
/* (All other EKE protocols are patented as well, by Lucent or others.) */
#include <u.h>
#include <libc.h>
#include <mp.h>
#include <libsec.h>
#include "SConn.h"
#include "secstore.h"
extern int verbose;
char VERSION[] = "secstore";
static char *feedback[] = {"alpha","bravo","charlie","delta","echo","foxtrot","golf","hotel"};
typedef struct PAKparams{
mpint *q, *p, *r, *g;
} PAKparams;
static PAKparams *pak;
/* from seed EB7B6E35F7CD37B511D96C67D6688CC4DD440E1E */
static void
initPAKparams(void)
{
if(pak)
return;
pak = (PAKparams*)emalloc(sizeof(*pak));
pak->q = strtomp("E0F0EF284E10796C5A2A511E94748BA03C795C13", nil, 16, nil);
pak->p = strtomp("C41CFBE4D4846F67A3DF7DE9921A49D3B42DC33728427AB159CEC8CBB"
"DB12B5F0C244F1A734AEB9840804EA3C25036AD1B61AFF3ABBC247CD4B384224567A86"
"3A6F020E7EE9795554BCD08ABAD7321AF27E1E92E3DB1C6E7E94FAAE590AE9C48F96D9"
"3D178E809401ABE8A534A1EC44359733475A36A70C7B425125062B1142D",
nil, 16, nil);
pak->r = strtomp("DF310F4E54A5FEC5D86D3E14863921E834113E060F90052AD332B3241"
"CEF2497EFA0303D6344F7C819691A0F9C4A773815AF8EAECFB7EC1D98F039F17A32A7E"
"887D97251A927D093F44A55577F4D70444AEBD06B9B45695EC23962B175F266895C67D"
"21C4656848614D888A4", nil, 16, nil);
pak->g = strtomp("2F1C308DC46B9A44B52DF7DACCE1208CCEF72F69C743ADD4D23271734"
"44ED6E65E074694246E07F9FD4AE26E0FDDD9F54F813C40CB9BCD4338EA6F242AB94CD"
"410E676C290368A16B1A3594877437E516C53A6EEE5493A038A017E955E218E7819734"
"E3E2A6E0BAE08B14258F8C03CC1B30E0DDADFCF7CEDF0727684D3D255F1",
nil, 16, nil);
}
/* H = (sha(ver,C,sha(passphrase)))^r mod p, */
/* a hash function expensive to attack by brute force. */
static void
longhash(char *ver, char *C, uchar *passwd, mpint *H)
{
uchar *Cp;
int i, n, nver, nC;
uchar buf[140], key[1];
nver = strlen(ver);
nC = strlen(C);
n = nver + nC + SHA1dlen;
Cp = (uchar*)emalloc(n);
memmove(Cp, ver, nver);
memmove(Cp+nver, C, nC);
memmove(Cp+nver+nC, passwd, SHA1dlen);
for(i = 0; i < 7; i++){
key[0] = 'A'+i;
hmac_sha1(Cp, n, key, sizeof key, buf+i*SHA1dlen, nil);
}
memset(Cp, 0, n);
free(Cp);
betomp(buf, sizeof buf, H);
mpmod(H, pak->p, H);
mpexp(H, pak->r, pak->p, H);
}
/* Hi = H^-1 mod p */
char *
PAK_Hi(char *C, char *passphrase, mpint *H, mpint *Hi)
{
uchar passhash[SHA1dlen];
sha1((uchar *)passphrase, strlen(passphrase), passhash, nil);
initPAKparams();
longhash(VERSION, C, passhash, H);
mpinvert(H, pak->p, Hi);
return mptoa(Hi, 64, nil, 0);
}
/* another, faster, hash function for each party to */
/* confirm that the other has the right secrets. */
static void
shorthash(char *mess, char *C, char *S, char *m, char *mu, char *sigma, char *Hi, uchar *digest)
{
SHA1state *state;
state = sha1((uchar*)mess, strlen(mess), 0, 0);
state = sha1((uchar*)C, strlen(C), 0, state);
state = sha1((uchar*)S, strlen(S), 0, state);
state = sha1((uchar*)m, strlen(m), 0, state);
state = sha1((uchar*)mu, strlen(mu), 0, state);
state = sha1((uchar*)sigma, strlen(sigma), 0, state);
state = sha1((uchar*)Hi, strlen(Hi), 0, state);
state = sha1((uchar*)mess, strlen(mess), 0, state);
state = sha1((uchar*)C, strlen(C), 0, state);
state = sha1((uchar*)S, strlen(S), 0, state);
state = sha1((uchar*)m, strlen(m), 0, state);
state = sha1((uchar*)mu, strlen(mu), 0, state);
state = sha1((uchar*)sigma, strlen(sigma), 0, state);
sha1((uchar*)Hi, strlen(Hi), digest, state);
}
/* On input, conn provides an open channel to the server; */
/* C is the name this client calls itself; */
/* pass is the user's passphrase */
/* On output, session secret has been set in conn */
/* (unless return code is negative, which means failure). */
/* If pS is not nil, it is set to the (alloc'd) name the server calls itself. */
int
PAKclient(SConn *conn, char *C, char *pass, char **pS)
{
char *mess, *mess2, *eol, *S, *hexmu, *ks, *hexm, *hexsigma = nil, *hexHi;
char kc[2*SHA1dlen+1];
uchar digest[SHA1dlen];
int rc = -1, n;
mpint *x, *m = mpnew(0), *mu = mpnew(0), *sigma = mpnew(0);
mpint *H = mpnew(0), *Hi = mpnew(0);
hexHi = PAK_Hi(C, pass, H, Hi);
if(verbose)
fprint(2,"%s\n", feedback[H->p[0]&0x7]); /* provide a clue to catch typos */
/* random 1<=x<=q-1; send C, m=g**x H */
x = mprand(240, genrandom, nil);
mpmod(x, pak->q, x);
if(mpcmp(x, mpzero) == 0)
mpassign(mpone, x);
mpexp(pak->g, x, pak->p, m);
mpmul(m, H, m);
mpmod(m, pak->p, m);
hexm = mptoa(m, 64, nil, 0);
mess = (char*)emalloc(2*Maxmsg+2);
mess2 = mess+Maxmsg+1;
snprint(mess, Maxmsg, "%s\tPAK\nC=%s\nm=%s\n", VERSION, C, hexm);
conn->write(conn, (uchar*)mess, strlen(mess));
/* recv g**y, S, check hash1(g**xy) */
if(readstr(conn, mess) < 0){
fprint(2, "error: %s\n", mess);
writerr(conn, "couldn't read g**y");
goto done;
}
eol = strchr(mess, '\n');
if(strncmp("mu=", mess, 3) != 0 || !eol || strncmp("\nk=", eol, 3) != 0){
writerr(conn, "verifier syntax error");
goto done;
}
hexmu = mess+3;
*eol = 0;
ks = eol+3;
eol = strchr(ks, '\n');
if(!eol || strncmp("\nS=", eol, 3) != 0){
writerr(conn, "verifier syntax error for secstore 1.0");
goto done;
}
*eol = 0;
S = eol+3;
eol = strchr(S, '\n');
if(!eol){
writerr(conn, "verifier syntax error for secstore 1.0");
goto done;
}
*eol = 0;
if(pS)
*pS = estrdup(S);
strtomp(hexmu, nil, 64, mu);
mpexp(mu, x, pak->p, sigma);
hexsigma = mptoa(sigma, 64, nil, 0);
shorthash("server", C, S, hexm, hexmu, hexsigma, hexHi, digest);
enc64(kc, sizeof kc, digest, SHA1dlen);
if(strcmp(ks, kc) != 0){
writerr(conn, "verifier didn't match");
goto done;
}
/* send hash2(g**xy) */
shorthash("client", C, S, hexm, hexmu, hexsigma, hexHi, digest);
enc64(kc, sizeof kc, digest, SHA1dlen);
snprint(mess2, Maxmsg, "k'=%s\n", kc);
conn->write(conn, (uchar*)mess2, strlen(mess2));
/* set session key */
shorthash("session", C, S, hexm, hexmu, hexsigma, hexHi, digest);
memset(hexsigma, 0, strlen(hexsigma));
n = conn->secret(conn, digest, 0);
memset(digest, 0, SHA1dlen);
if(n < 0){
writerr(conn, "can't set secret");
goto done;
}
rc = 0;
done:
mpfree(x);
mpfree(sigma);
mpfree(mu);
mpfree(m);
mpfree(Hi);
mpfree(H);
free(hexsigma);
free(hexHi);
free(hexm);
free(mess);
return rc;
}
/* On input, */
/* mess contains first message; */
/* name is name this server should call itself. */
/* On output, session secret has been set in conn; */
/* if pw!=nil, then *pw points to PW struct for authenticated user. */
/* returns -1 if error */
int
PAKserver(SConn *conn, char *S, char *mess, PW **pwp)
{
int rc = -1, n;
char mess2[Maxmsg+1], *eol;
char *C, ks[41], *kc, *hexm, *hexmu = nil, *hexsigma = nil, *hexHi = nil;
uchar digest[SHA1dlen];
mpint *H = mpnew(0), *Hi = mpnew(0);
mpint *y = nil, *m = mpnew(0), *mu = mpnew(0), *sigma = mpnew(0);
PW *pw = nil;
/* secstore version and algorithm */
snprint(mess2,Maxmsg,"%s\tPAK\n", VERSION);
n = strlen(mess2);
if(strncmp(mess,mess2,n) != 0){
writerr(conn, "protocol should start with ver alg");
return -1;
}
mess += n;
initPAKparams();
/* parse first message into C, m */
eol = strchr(mess, '\n');
if(strncmp("C=", mess, 2) != 0 || !eol){
fprint(2,"mess[1]=%s\n", mess);
writerr(conn, "PAK version mismatch");
goto done;
}
C = mess+2;
*eol = 0;
hexm = eol+3;
eol = strchr(hexm, '\n');
if(strncmp("m=", hexm-2, 2) != 0 || !eol){
writerr(conn, "PAK version mismatch");
goto done;
}
*eol = 0;
strtomp(hexm, nil, 64, m);
mpmod(m, pak->p, m);
/* lookup client */
if((pw = getPW(C,0)) == nil) {
snprint(mess2, sizeof mess2, "%r");
writerr(conn, mess2);
goto done;
}
if(mpcmp(m, mpzero) == 0) {
writerr(conn, "account exists");
freePW(pw);
pw = nil;
goto done;
}
hexHi = mptoa(pw->Hi, 64, nil, 0);
/* random y, mu=g**y, sigma=g**xy */
y = mprand(240, genrandom, nil);
mpmod(y, pak->q, y);
if(mpcmp(y, mpzero) == 0){
mpassign(mpone, y);
}
mpexp(pak->g, y, pak->p, mu);
mpmul(m, pw->Hi, m);
mpmod(m, pak->p, m);
mpexp(m, y, pak->p, sigma);
/* send g**y, hash1(g**xy) */
hexmu = mptoa(mu, 64, nil, 0);
hexsigma = mptoa(sigma, 64, nil, 0);
shorthash("server", C, S, hexm, hexmu, hexsigma, hexHi, digest);
enc64(ks, sizeof ks, digest, SHA1dlen);
snprint(mess2, sizeof mess2, "mu=%s\nk=%s\nS=%s\n", hexmu, ks, S);
conn->write(conn, (uchar*)mess2, strlen(mess2));
/* recv hash2(g**xy) */
if(readstr(conn, mess2) < 0){
writerr(conn, "couldn't read verifier");
goto done;
}
eol = strchr(mess2, '\n');
if(strncmp("k'=", mess2, 3) != 0 || !eol){
writerr(conn, "verifier syntax error");
goto done;
}
kc = mess2+3;
*eol = 0;
shorthash("client", C, S, hexm, hexmu, hexsigma, hexHi, digest);
enc64(ks, sizeof ks, digest, SHA1dlen);
if(strcmp(ks, kc) != 0) {
rc = -2;
goto done;
}
/* set session key */
shorthash("session", C, S, hexm, hexmu, hexsigma, hexHi, digest);
n = conn->secret(conn, digest, 1);
if(n < 0){
writerr(conn, "can't set secret");
goto done;
}
rc = 0;
done:
if(rc<0 && pw){
pw->failed++;
putPW(pw);
}
if(rc==0 && pw && pw->failed>0){
pw->failed = 0;
putPW(pw);
}
if(pwp)
*pwp = pw;
else
freePW(pw);
free(hexsigma);
free(hexHi);
free(hexmu);
mpfree(y);
mpfree(sigma);
mpfree(mu);
mpfree(m);
mpfree(Hi);
mpfree(H);
return rc;
}
|