Annotation of src/usr.bin/ssh/jpake.c, Revision 1.7
1.7 ! dtucker 1: /* $OpenBSD: jpake.c,v 1.6 2010/09/20 04:54:07 djm Exp $ */
1.1 djm 2: /*
3: * Copyright (c) 2008 Damien Miller. All rights reserved.
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: */
17:
18: /*
19: * Shared components of zero-knowledge password auth using J-PAKE protocol
20: * as described in:
21: *
22: * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
23: * 16th Workshop on Security Protocols, Cambridge, April 2008
24: *
25: * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
26: */
27:
28: #include <sys/types.h>
29:
30: #include <stdio.h>
31: #include <string.h>
32: #include <stdarg.h>
33:
34: #include <openssl/bn.h>
35: #include <openssl/evp.h>
36:
37: #include "xmalloc.h"
38: #include "ssh2.h"
39: #include "key.h"
40: #include "hostfile.h"
41: #include "auth.h"
42: #include "buffer.h"
43: #include "packet.h"
44: #include "dispatch.h"
45: #include "log.h"
1.6 djm 46: #include "misc.h"
1.1 djm 47:
48: #include "jpake.h"
1.2 djm 49: #include "schnorr.h"
1.1 djm 50:
51: #ifdef JPAKE
52:
53: /* RFC3526 group 5, 1536 bits */
54: #define JPAKE_GROUP_G "2"
55: #define JPAKE_GROUP_P \
56: "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74" \
57: "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437" \
58: "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
59: "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05" \
60: "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \
61: "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
62:
1.2 djm 63: struct modp_group *
1.1 djm 64: jpake_default_group(void)
65: {
1.2 djm 66: return modp_group_from_g_and_safe_p(JPAKE_GROUP_G, JPAKE_GROUP_P);
1.1 djm 67: }
68:
69: struct jpake_ctx *
70: jpake_new(void)
71: {
72: struct jpake_ctx *ret;
73:
74: ret = xcalloc(1, sizeof(*ret));
75:
76: ret->grp = jpake_default_group();
77:
78: ret->s = ret->k = NULL;
79: ret->x1 = ret->x2 = ret->x3 = ret->x4 = NULL;
80: ret->g_x1 = ret->g_x2 = ret->g_x3 = ret->g_x4 = NULL;
81: ret->a = ret->b = NULL;
82:
83: ret->client_id = ret->server_id = NULL;
84: ret->h_k_cid_sessid = ret->h_k_sid_sessid = NULL;
85:
86: debug3("%s: alloc %p", __func__, ret);
87:
88: return ret;
89: }
90:
91: void
92: jpake_free(struct jpake_ctx *pctx)
93: {
94: debug3("%s: free %p", __func__, pctx);
95:
96: #define JPAKE_BN_CLEAR_FREE(v) \
97: do { \
98: if ((v) != NULL) { \
99: BN_clear_free(v); \
100: (v) = NULL; \
101: } \
102: } while (0)
103: #define JPAKE_BUF_CLEAR_FREE(v, l) \
104: do { \
105: if ((v) != NULL) { \
106: bzero((v), (l)); \
107: xfree(v); \
108: (v) = NULL; \
109: (l) = 0; \
110: } \
111: } while (0)
112:
113: JPAKE_BN_CLEAR_FREE(pctx->s);
114: JPAKE_BN_CLEAR_FREE(pctx->k);
115: JPAKE_BN_CLEAR_FREE(pctx->x1);
116: JPAKE_BN_CLEAR_FREE(pctx->x2);
117: JPAKE_BN_CLEAR_FREE(pctx->x3);
118: JPAKE_BN_CLEAR_FREE(pctx->x4);
119: JPAKE_BN_CLEAR_FREE(pctx->g_x1);
120: JPAKE_BN_CLEAR_FREE(pctx->g_x2);
121: JPAKE_BN_CLEAR_FREE(pctx->g_x3);
122: JPAKE_BN_CLEAR_FREE(pctx->g_x4);
123: JPAKE_BN_CLEAR_FREE(pctx->a);
124: JPAKE_BN_CLEAR_FREE(pctx->b);
125:
126: JPAKE_BUF_CLEAR_FREE(pctx->client_id, pctx->client_id_len);
127: JPAKE_BUF_CLEAR_FREE(pctx->server_id, pctx->server_id_len);
128: JPAKE_BUF_CLEAR_FREE(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
129: JPAKE_BUF_CLEAR_FREE(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
130:
131: #undef JPAKE_BN_CLEAR_FREE
132: #undef JPAKE_BUF_CLEAR_FREE
133:
1.7 ! dtucker 134: bzero(pctx, sizeof(*pctx));
1.1 djm 135: xfree(pctx);
136: }
137:
138: /* dump entire jpake_ctx. NB. includes private values! */
139: void
140: jpake_dump(struct jpake_ctx *pctx, const char *fmt, ...)
141: {
142: char *out;
143: va_list args;
144:
145: out = NULL;
146: va_start(args, fmt);
147: vasprintf(&out, fmt, args);
148: va_end(args);
149: if (out == NULL)
150: fatal("%s: vasprintf failed", __func__);
151:
152: debug3("%s: %s (ctx at %p)", __func__, out, pctx);
153: if (pctx == NULL) {
154: free(out);
155: return;
156: }
157:
158: #define JPAKE_DUMP_BN(a) do { \
159: if ((a) != NULL) \
160: JPAKE_DEBUG_BN(((a), "%s = ", #a)); \
161: } while (0)
162: #define JPAKE_DUMP_BUF(a, b) do { \
163: if ((a) != NULL) \
164: JPAKE_DEBUG_BUF((a, b, "%s", #a)); \
165: } while (0)
166:
167: JPAKE_DUMP_BN(pctx->s);
168: JPAKE_DUMP_BN(pctx->k);
169: JPAKE_DUMP_BN(pctx->x1);
170: JPAKE_DUMP_BN(pctx->x2);
171: JPAKE_DUMP_BN(pctx->x3);
172: JPAKE_DUMP_BN(pctx->x4);
173: JPAKE_DUMP_BN(pctx->g_x1);
174: JPAKE_DUMP_BN(pctx->g_x2);
175: JPAKE_DUMP_BN(pctx->g_x3);
176: JPAKE_DUMP_BN(pctx->g_x4);
177: JPAKE_DUMP_BN(pctx->a);
178: JPAKE_DUMP_BN(pctx->b);
179:
180: JPAKE_DUMP_BUF(pctx->client_id, pctx->client_id_len);
181: JPAKE_DUMP_BUF(pctx->server_id, pctx->server_id_len);
182: JPAKE_DUMP_BUF(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
183: JPAKE_DUMP_BUF(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
184:
185: debug3("%s: %s done", __func__, out);
186: free(out);
187: }
188:
189: /* Shared parts of step 1 exchange calculation */
190: void
1.2 djm 191: jpake_step1(struct modp_group *grp,
1.1 djm 192: u_char **id, u_int *id_len,
193: BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
194: u_char **priv1_proof, u_int *priv1_proof_len,
195: u_char **priv2_proof, u_int *priv2_proof_len)
196: {
197: BN_CTX *bn_ctx;
198:
199: if ((bn_ctx = BN_CTX_new()) == NULL)
200: fatal("%s: BN_CTX_new", __func__);
201:
202: /* Random nonce to prevent replay */
203: *id = xmalloc(KZP_ID_LEN);
204: *id_len = KZP_ID_LEN;
205: arc4random_buf(*id, *id_len);
206:
207: /*
208: * x1/x3 is a random element of Zq
209: * x2/x4 is a random element of Z*q
210: * We also exclude [1] from x1/x3 candidates and [0, 1] from
211: * x2/x4 candiates to avoid possible degeneracy (i.e. g^0, g^1).
212: */
213: if ((*priv1 = bn_rand_range_gt_one(grp->q)) == NULL ||
214: (*priv2 = bn_rand_range_gt_one(grp->q)) == NULL)
215: fatal("%s: bn_rand_range_gt_one", __func__);
216:
217: /*
218: * client: g_x1 = g^x1 mod p / server: g_x3 = g^x3 mod p
219: * client: g_x2 = g^x2 mod p / server: g_x4 = g^x4 mod p
220: */
221: if ((*g_priv1 = BN_new()) == NULL ||
222: (*g_priv2 = BN_new()) == NULL)
223: fatal("%s: BN_new", __func__);
224: if (BN_mod_exp(*g_priv1, grp->g, *priv1, grp->p, bn_ctx) == -1)
225: fatal("%s: BN_mod_exp", __func__);
226: if (BN_mod_exp(*g_priv2, grp->g, *priv2, grp->p, bn_ctx) == -1)
227: fatal("%s: BN_mod_exp", __func__);
228:
229: /* Generate proofs for holding x1/x3 and x2/x4 */
1.2 djm 230: if (schnorr_sign_buf(grp->p, grp->q, grp->g,
1.1 djm 231: *priv1, *g_priv1, *id, *id_len,
232: priv1_proof, priv1_proof_len) != 0)
233: fatal("%s: schnorr_sign", __func__);
1.2 djm 234: if (schnorr_sign_buf(grp->p, grp->q, grp->g,
1.1 djm 235: *priv2, *g_priv2, *id, *id_len,
236: priv2_proof, priv2_proof_len) != 0)
237: fatal("%s: schnorr_sign", __func__);
238:
239: BN_CTX_free(bn_ctx);
240: }
241:
242: /* Shared parts of step 2 exchange calculation */
243: void
1.2 djm 244: jpake_step2(struct modp_group *grp, BIGNUM *s,
1.1 djm 245: BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
246: const u_char *theirid, u_int theirid_len,
247: const u_char *myid, u_int myid_len,
248: const u_char *theirpub1_proof, u_int theirpub1_proof_len,
249: const u_char *theirpub2_proof, u_int theirpub2_proof_len,
250: BIGNUM **newpub,
251: u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len)
252: {
253: BN_CTX *bn_ctx;
254: BIGNUM *tmp, *exponent;
255:
256: /* Validate peer's step 1 values */
257: if (BN_cmp(theirpub1, BN_value_one()) <= 0)
258: fatal("%s: theirpub1 <= 1", __func__);
1.5 djm 259: if (BN_cmp(theirpub1, grp->p) >= 0)
260: fatal("%s: theirpub1 >= p", __func__);
1.1 djm 261: if (BN_cmp(theirpub2, BN_value_one()) <= 0)
262: fatal("%s: theirpub2 <= 1", __func__);
1.5 djm 263: if (BN_cmp(theirpub2, grp->p) >= 0)
264: fatal("%s: theirpub2 >= p", __func__);
1.1 djm 265:
1.2 djm 266: if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1,
1.1 djm 267: theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1)
268: fatal("%s: schnorr_verify theirpub1 failed", __func__);
1.2 djm 269: if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub2,
1.1 djm 270: theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1)
271: fatal("%s: schnorr_verify theirpub2 failed", __func__);
272:
273: if ((bn_ctx = BN_CTX_new()) == NULL)
274: fatal("%s: BN_CTX_new", __func__);
275:
276: if ((*newpub = BN_new()) == NULL ||
277: (tmp = BN_new()) == NULL ||
278: (exponent = BN_new()) == NULL)
279: fatal("%s: BN_new", __func__);
280:
281: /*
282: * client: exponent = x2 * s mod p
283: * server: exponent = x4 * s mod p
284: */
285: if (BN_mod_mul(exponent, mypriv2, s, grp->q, bn_ctx) != 1)
286: fatal("%s: BN_mod_mul (exponent = mypriv2 * s mod p)",
287: __func__);
288:
289: /*
290: * client: tmp = g^(x1 + x3 + x4) mod p
291: * server: tmp = g^(x1 + x2 + x3) mod p
292: */
293: if (BN_mod_mul(tmp, mypub1, theirpub1, grp->p, bn_ctx) != 1)
294: fatal("%s: BN_mod_mul (tmp = mypub1 * theirpub1 mod p)",
295: __func__);
296: if (BN_mod_mul(tmp, tmp, theirpub2, grp->p, bn_ctx) != 1)
297: fatal("%s: BN_mod_mul (tmp = tmp * theirpub2 mod p)", __func__);
298:
299: /*
300: * client: a = tmp^exponent = g^((x1+x3+x4) * x2 * s) mod p
301: * server: b = tmp^exponent = g^((x1+x2+x3) * x4 * s) mod p
302: */
303: if (BN_mod_exp(*newpub, tmp, exponent, grp->p, bn_ctx) != 1)
304: fatal("%s: BN_mod_mul (newpub = tmp^exponent mod p)", __func__);
305:
306: JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
307: JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__));
308:
309: /* Note the generator here is 'tmp', not g */
1.2 djm 310: if (schnorr_sign_buf(grp->p, grp->q, tmp, exponent, *newpub,
1.1 djm 311: myid, myid_len,
312: newpub_exponent_proof, newpub_exponent_proof_len) != 0)
313: fatal("%s: schnorr_sign newpub", __func__);
314:
315: BN_clear_free(tmp); /* XXX stash for later use? */
316: BN_clear_free(exponent); /* XXX stash for later use? (yes, in conf) */
317:
318: BN_CTX_free(bn_ctx);
319: }
320:
321: /* Confirmation hash calculation */
322: void
323: jpake_confirm_hash(const BIGNUM *k,
324: const u_char *endpoint_id, u_int endpoint_id_len,
325: const u_char *sess_id, u_int sess_id_len,
326: u_char **confirm_hash, u_int *confirm_hash_len)
327: {
328: Buffer b;
329:
330: /*
331: * Calculate confirmation proof:
332: * client: H(k || client_id || session_id)
333: * server: H(k || server_id || session_id)
334: */
335: buffer_init(&b);
336: buffer_put_bignum2(&b, k);
337: buffer_put_string(&b, endpoint_id, endpoint_id_len);
338: buffer_put_string(&b, sess_id, sess_id_len);
339: if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
340: confirm_hash, confirm_hash_len) != 0)
341: fatal("%s: hash_buffer", __func__);
342: buffer_free(&b);
343: }
344:
345: /* Shared parts of key derivation and confirmation calculation */
346: void
1.2 djm 347: jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
1.1 djm 348: BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
349: BIGNUM *theirpub1, BIGNUM *theirpub2,
350: const u_char *my_id, u_int my_id_len,
351: const u_char *their_id, u_int their_id_len,
352: const u_char *sess_id, u_int sess_id_len,
353: const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len,
354: BIGNUM **k,
355: u_char **confirm_hash, u_int *confirm_hash_len)
356: {
357: BN_CTX *bn_ctx;
358: BIGNUM *tmp;
359:
360: if ((bn_ctx = BN_CTX_new()) == NULL)
361: fatal("%s: BN_CTX_new", __func__);
362: if ((tmp = BN_new()) == NULL ||
363: (*k = BN_new()) == NULL)
364: fatal("%s: BN_new", __func__);
365:
366: /* Validate step 2 values */
367: if (BN_cmp(step2_val, BN_value_one()) <= 0)
368: fatal("%s: step2_val <= 1", __func__);
1.5 djm 369: if (BN_cmp(step2_val, grp->p) >= 0)
370: fatal("%s: step2_val >= p", __func__);
1.1 djm 371:
372: /*
373: * theirpriv2_s_proof is calculated with a different generator:
374: * tmp = g^(mypriv1+mypriv2+theirpub1) = g^mypub1*g^mypub2*g^theirpub1
375: * Calculate it here so we can check the signature.
376: */
377: if (BN_mod_mul(tmp, mypub1, mypub2, grp->p, bn_ctx) != 1)
378: fatal("%s: BN_mod_mul (tmp = mypub1 * mypub2 mod p)", __func__);
379: if (BN_mod_mul(tmp, tmp, theirpub1, grp->p, bn_ctx) != 1)
380: fatal("%s: BN_mod_mul (tmp = tmp * theirpub1 mod p)", __func__);
381:
382: JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
383:
1.2 djm 384: if (schnorr_verify_buf(grp->p, grp->q, tmp, step2_val,
1.1 djm 385: their_id, their_id_len,
386: theirpriv2_s_proof, theirpriv2_s_proof_len) != 1)
387: fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__);
388:
389: /*
390: * Derive shared key:
391: * client: k = (b / g^(x2*x4*s))^x2 = g^((x1+x3)*x2*x4*s)
392: * server: k = (a / g^(x2*x4*s))^x4 = g^((x1+x3)*x2*x4*s)
393: *
394: * Computed as:
395: * client: k = (g_x4^(q - (x2 * s)) * b)^x2 mod p
396: * server: k = (g_x2^(q - (x4 * s)) * b)^x4 mod p
397: */
398: if (BN_mul(tmp, mypriv2, s, bn_ctx) != 1)
399: fatal("%s: BN_mul (tmp = mypriv2 * s)", __func__);
400: if (BN_mod_sub(tmp, grp->q, tmp, grp->q, bn_ctx) != 1)
401: fatal("%s: BN_mod_sub (tmp = q - tmp mod q)", __func__);
402: if (BN_mod_exp(tmp, theirpub2, tmp, grp->p, bn_ctx) != 1)
403: fatal("%s: BN_mod_exp (tmp = theirpub2^tmp) mod p", __func__);
404: if (BN_mod_mul(tmp, tmp, step2_val, grp->p, bn_ctx) != 1)
405: fatal("%s: BN_mod_mul (tmp = tmp * step2_val) mod p", __func__);
406: if (BN_mod_exp(*k, tmp, mypriv2, grp->p, bn_ctx) != 1)
407: fatal("%s: BN_mod_exp (k = tmp^mypriv2) mod p", __func__);
408:
409: BN_CTX_free(bn_ctx);
410: BN_clear_free(tmp);
411:
412: jpake_confirm_hash(*k, my_id, my_id_len, sess_id, sess_id_len,
413: confirm_hash, confirm_hash_len);
414: }
415:
416: /*
417: * Calculate and check confirmation hash from peer. Returns 1 on success
418: * 0 on failure/mismatch.
419: */
420: int
421: jpake_check_confirm(const BIGNUM *k,
422: const u_char *peer_id, u_int peer_id_len,
423: const u_char *sess_id, u_int sess_id_len,
424: const u_char *peer_confirm_hash, u_int peer_confirm_hash_len)
425: {
426: u_char *expected_confirm_hash;
427: u_int expected_confirm_hash_len;
428: int success = 0;
429:
430: /* Calculate and verify expected confirmation hash */
431: jpake_confirm_hash(k, peer_id, peer_id_len, sess_id, sess_id_len,
432: &expected_confirm_hash, &expected_confirm_hash_len);
433:
434: JPAKE_DEBUG_BUF((expected_confirm_hash, expected_confirm_hash_len,
435: "%s: expected confirm hash", __func__));
436: JPAKE_DEBUG_BUF((peer_confirm_hash, peer_confirm_hash_len,
437: "%s: received confirm hash", __func__));
438:
439: if (peer_confirm_hash_len != expected_confirm_hash_len)
440: error("%s: confirmation length mismatch (my %u them %u)",
441: __func__, expected_confirm_hash_len, peer_confirm_hash_len);
1.4 djm 442: else if (timingsafe_bcmp(peer_confirm_hash, expected_confirm_hash,
1.1 djm 443: expected_confirm_hash_len) == 0)
444: success = 1;
445: bzero(expected_confirm_hash, expected_confirm_hash_len);
446: xfree(expected_confirm_hash);
447: debug3("%s: success = %d", __func__, success);
448: return success;
449: }
450:
451: /* XXX main() function with tests */
452:
453: #endif /* JPAKE */
454: