1/* $NetBSD: jpake.c,v 1.6 2011/07/25 03:03:10 christos Exp $ */ 2/* $OpenBSD: jpake.c,v 1.6 2010/09/20 04:54:07 djm Exp $ */ 3/* 4 * Copyright (c) 2008 Damien Miller. All rights reserved. 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19/* 20 * Shared components of zero-knowledge password auth using J-PAKE protocol 21 * as described in: 22 * 23 * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 24 * 16th Workshop on Security Protocols, Cambridge, April 2008 25 * 26 * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf 27 */ 28#include "includes.h" 29__RCSID("$NetBSD: jpake.c,v 1.6 2011/07/25 03:03:10 christos Exp $"); 30 31#include <sys/types.h> 32 33#include <stdio.h> 34#include <string.h> 35#include <stdarg.h> 36 37#include <openssl/bn.h> 38#include <openssl/evp.h> 39 40#include "xmalloc.h" 41#include "ssh2.h" 42#include "key.h" 43#include "hostfile.h" 44#include "auth.h" 45#include "buffer.h" 46#include "packet.h" 47#include "dispatch.h" 48#include "log.h" 49#include "misc.h" 50 51#include "jpake.h" 52#include "schnorr.h" 53 54#ifdef JPAKE 55 56/* RFC3526 group 5, 1536 bits */ 57#define JPAKE_GROUP_G "2" 58#define JPAKE_GROUP_P \ 59 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74" \ 60 "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437" \ 61 "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ 62 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05" \ 63 "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \ 64 "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" 65 66struct modp_group * 67jpake_default_group(void) 68{ 69 return modp_group_from_g_and_safe_p(JPAKE_GROUP_G, JPAKE_GROUP_P); 70} 71 72struct jpake_ctx * 73jpake_new(void) 74{ 75 struct jpake_ctx *ret; 76 77 ret = xcalloc(1, sizeof(*ret)); 78 79 ret->grp = jpake_default_group(); 80 81 ret->s = ret->k = NULL; 82 ret->x1 = ret->x2 = ret->x3 = ret->x4 = NULL; 83 ret->g_x1 = ret->g_x2 = ret->g_x3 = ret->g_x4 = NULL; 84 ret->a = ret->b = NULL; 85 86 ret->client_id = ret->server_id = NULL; 87 ret->h_k_cid_sessid = ret->h_k_sid_sessid = NULL; 88 89 debug3("%s: alloc %p", __func__, ret); 90 91 return ret; 92} 93 94void 95jpake_free(struct jpake_ctx *pctx) 96{ 97 debug3("%s: free %p", __func__, pctx); 98 99#define JPAKE_BN_CLEAR_FREE(v) \ 100 do { \ 101 if ((v) != NULL) { \ 102 BN_clear_free(v); \ 103 (v) = NULL; \ 104 } \ 105 } while (0) 106#define JPAKE_BUF_CLEAR_FREE(v, l) \ 107 do { \ 108 if ((v) != NULL) { \ 109 bzero((v), (l)); \ 110 xfree(v); \ 111 (v) = NULL; \ 112 (l) = 0; \ 113 } \ 114 } while (0) 115 116 JPAKE_BN_CLEAR_FREE(pctx->s); 117 JPAKE_BN_CLEAR_FREE(pctx->k); 118 JPAKE_BN_CLEAR_FREE(pctx->x1); 119 JPAKE_BN_CLEAR_FREE(pctx->x2); 120 JPAKE_BN_CLEAR_FREE(pctx->x3); 121 JPAKE_BN_CLEAR_FREE(pctx->x4); 122 JPAKE_BN_CLEAR_FREE(pctx->g_x1); 123 JPAKE_BN_CLEAR_FREE(pctx->g_x2); 124 JPAKE_BN_CLEAR_FREE(pctx->g_x3); 125 JPAKE_BN_CLEAR_FREE(pctx->g_x4); 126 JPAKE_BN_CLEAR_FREE(pctx->a); 127 JPAKE_BN_CLEAR_FREE(pctx->b); 128 129 JPAKE_BUF_CLEAR_FREE(pctx->client_id, pctx->client_id_len); 130 JPAKE_BUF_CLEAR_FREE(pctx->server_id, pctx->server_id_len); 131 JPAKE_BUF_CLEAR_FREE(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len); 132 JPAKE_BUF_CLEAR_FREE(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len); 133 134#undef JPAKE_BN_CLEAR_FREE 135#undef JPAKE_BUF_CLEAR_FREE 136 137 bzero(pctx, sizeof(pctx)); 138 xfree(pctx); 139} 140 141/* dump entire jpake_ctx. NB. includes private values! */ 142void 143jpake_dump(struct jpake_ctx *pctx, const char *fmt, ...) 144{ 145 char *out; 146 va_list args; 147 148 out = NULL; 149 va_start(args, fmt); 150 vasprintf(&out, fmt, args); 151 va_end(args); 152 if (out == NULL) 153 fatal("%s: vasprintf failed", __func__); 154 155 debug3("%s: %s (ctx at %p)", __func__, out, pctx); 156 if (pctx == NULL) { 157 free(out); 158 return; 159 } 160 161#define JPAKE_DUMP_BN(a) do { \ 162 if ((a) != NULL) \ 163 JPAKE_DEBUG_BN(((a), "%s = ", #a)); \ 164 } while (0) 165#define JPAKE_DUMP_BUF(a, b) do { \ 166 if ((a) != NULL) \ 167 JPAKE_DEBUG_BUF((a, b, "%s", #a)); \ 168 } while (0) 169 170 JPAKE_DUMP_BN(pctx->s); 171 JPAKE_DUMP_BN(pctx->k); 172 JPAKE_DUMP_BN(pctx->x1); 173 JPAKE_DUMP_BN(pctx->x2); 174 JPAKE_DUMP_BN(pctx->x3); 175 JPAKE_DUMP_BN(pctx->x4); 176 JPAKE_DUMP_BN(pctx->g_x1); 177 JPAKE_DUMP_BN(pctx->g_x2); 178 JPAKE_DUMP_BN(pctx->g_x3); 179 JPAKE_DUMP_BN(pctx->g_x4); 180 JPAKE_DUMP_BN(pctx->a); 181 JPAKE_DUMP_BN(pctx->b); 182 183 JPAKE_DUMP_BUF(pctx->client_id, pctx->client_id_len); 184 JPAKE_DUMP_BUF(pctx->server_id, pctx->server_id_len); 185 JPAKE_DUMP_BUF(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len); 186 JPAKE_DUMP_BUF(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len); 187 188 debug3("%s: %s done", __func__, out); 189 free(out); 190} 191 192/* Shared parts of step 1 exchange calculation */ 193void 194jpake_step1(struct modp_group *grp, 195 u_char **id, u_int *id_len, 196 BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2, 197 u_char **priv1_proof, u_int *priv1_proof_len, 198 u_char **priv2_proof, u_int *priv2_proof_len) 199{ 200 BN_CTX *bn_ctx; 201 202 if ((bn_ctx = BN_CTX_new()) == NULL) 203 fatal("%s: BN_CTX_new", __func__); 204 205 /* Random nonce to prevent replay */ 206 *id = xmalloc(KZP_ID_LEN); 207 *id_len = KZP_ID_LEN; 208 arc4random_buf(*id, *id_len); 209 210 /* 211 * x1/x3 is a random element of Zq 212 * x2/x4 is a random element of Z*q 213 * We also exclude [1] from x1/x3 candidates and [0, 1] from 214 * x2/x4 candiates to avoid possible degeneracy (i.e. g^0, g^1). 215 */ 216 if ((*priv1 = bn_rand_range_gt_one(grp->q)) == NULL || 217 (*priv2 = bn_rand_range_gt_one(grp->q)) == NULL) 218 fatal("%s: bn_rand_range_gt_one", __func__); 219 220 /* 221 * client: g_x1 = g^x1 mod p / server: g_x3 = g^x3 mod p 222 * client: g_x2 = g^x2 mod p / server: g_x4 = g^x4 mod p 223 */ 224 if ((*g_priv1 = BN_new()) == NULL || 225 (*g_priv2 = BN_new()) == NULL) 226 fatal("%s: BN_new", __func__); 227 if (BN_mod_exp(*g_priv1, grp->g, *priv1, grp->p, bn_ctx) == -1) 228 fatal("%s: BN_mod_exp", __func__); 229 if (BN_mod_exp(*g_priv2, grp->g, *priv2, grp->p, bn_ctx) == -1) 230 fatal("%s: BN_mod_exp", __func__); 231 232 /* Generate proofs for holding x1/x3 and x2/x4 */ 233 if (schnorr_sign_buf(grp->p, grp->q, grp->g, 234 *priv1, *g_priv1, *id, *id_len, 235 priv1_proof, priv1_proof_len) != 0) 236 fatal("%s: schnorr_sign", __func__); 237 if (schnorr_sign_buf(grp->p, grp->q, grp->g, 238 *priv2, *g_priv2, *id, *id_len, 239 priv2_proof, priv2_proof_len) != 0) 240 fatal("%s: schnorr_sign", __func__); 241 242 BN_CTX_free(bn_ctx); 243} 244 245/* Shared parts of step 2 exchange calculation */ 246void 247jpake_step2(struct modp_group *grp, BIGNUM *s, 248 BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2, 249 const u_char *theirid, u_int theirid_len, 250 const u_char *myid, u_int myid_len, 251 const u_char *theirpub1_proof, u_int theirpub1_proof_len, 252 const u_char *theirpub2_proof, u_int theirpub2_proof_len, 253 BIGNUM **newpub, 254 u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len) 255{ 256 BN_CTX *bn_ctx; 257 BIGNUM *tmp, *exponent; 258 259 /* Validate peer's step 1 values */ 260 if (BN_cmp(theirpub1, BN_value_one()) <= 0) 261 fatal("%s: theirpub1 <= 1", __func__); 262 if (BN_cmp(theirpub1, grp->p) >= 0) 263 fatal("%s: theirpub1 >= p", __func__); 264 if (BN_cmp(theirpub2, BN_value_one()) <= 0) 265 fatal("%s: theirpub2 <= 1", __func__); 266 if (BN_cmp(theirpub2, grp->p) >= 0) 267 fatal("%s: theirpub2 >= p", __func__); 268 269 if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1, 270 theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1) 271 fatal("%s: schnorr_verify theirpub1 failed", __func__); 272 if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub2, 273 theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1) 274 fatal("%s: schnorr_verify theirpub2 failed", __func__); 275 276 if ((bn_ctx = BN_CTX_new()) == NULL) 277 fatal("%s: BN_CTX_new", __func__); 278 279 if ((*newpub = BN_new()) == NULL || 280 (tmp = BN_new()) == NULL || 281 (exponent = BN_new()) == NULL) 282 fatal("%s: BN_new", __func__); 283 284 /* 285 * client: exponent = x2 * s mod p 286 * server: exponent = x4 * s mod p 287 */ 288 if (BN_mod_mul(exponent, mypriv2, s, grp->q, bn_ctx) != 1) 289 fatal("%s: BN_mod_mul (exponent = mypriv2 * s mod p)", 290 __func__); 291 292 /* 293 * client: tmp = g^(x1 + x3 + x4) mod p 294 * server: tmp = g^(x1 + x2 + x3) mod p 295 */ 296 if (BN_mod_mul(tmp, mypub1, theirpub1, grp->p, bn_ctx) != 1) 297 fatal("%s: BN_mod_mul (tmp = mypub1 * theirpub1 mod p)", 298 __func__); 299 if (BN_mod_mul(tmp, tmp, theirpub2, grp->p, bn_ctx) != 1) 300 fatal("%s: BN_mod_mul (tmp = tmp * theirpub2 mod p)", __func__); 301 302 /* 303 * client: a = tmp^exponent = g^((x1+x3+x4) * x2 * s) mod p 304 * server: b = tmp^exponent = g^((x1+x2+x3) * x4 * s) mod p 305 */ 306 if (BN_mod_exp(*newpub, tmp, exponent, grp->p, bn_ctx) != 1) 307 fatal("%s: BN_mod_mul (newpub = tmp^exponent mod p)", __func__); 308 309 JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__)); 310 JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__)); 311 312 /* Note the generator here is 'tmp', not g */ 313 if (schnorr_sign_buf(grp->p, grp->q, tmp, exponent, *newpub, 314 myid, myid_len, 315 newpub_exponent_proof, newpub_exponent_proof_len) != 0) 316 fatal("%s: schnorr_sign newpub", __func__); 317 318 BN_clear_free(tmp); /* XXX stash for later use? */ 319 BN_clear_free(exponent); /* XXX stash for later use? (yes, in conf) */ 320 321 BN_CTX_free(bn_ctx); 322} 323 324/* Confirmation hash calculation */ 325void 326jpake_confirm_hash(const BIGNUM *k, 327 const u_char *endpoint_id, u_int endpoint_id_len, 328 const u_char *sess_id, u_int sess_id_len, 329 u_char **confirm_hash, u_int *confirm_hash_len) 330{ 331 Buffer b; 332 333 /* 334 * Calculate confirmation proof: 335 * client: H(k || client_id || session_id) 336 * server: H(k || server_id || session_id) 337 */ 338 buffer_init(&b); 339 buffer_put_bignum2(&b, k); 340 buffer_put_string(&b, endpoint_id, endpoint_id_len); 341 buffer_put_string(&b, sess_id, sess_id_len); 342 if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(), 343 confirm_hash, confirm_hash_len) != 0) 344 fatal("%s: hash_buffer", __func__); 345 buffer_free(&b); 346} 347 348/* Shared parts of key derivation and confirmation calculation */ 349void 350jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val, 351 BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2, 352 BIGNUM *theirpub1, BIGNUM *theirpub2, 353 const u_char *my_id, u_int my_id_len, 354 const u_char *their_id, u_int their_id_len, 355 const u_char *sess_id, u_int sess_id_len, 356 const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len, 357 BIGNUM **k, 358 u_char **confirm_hash, u_int *confirm_hash_len) 359{ 360 BN_CTX *bn_ctx; 361 BIGNUM *tmp; 362 363 if ((bn_ctx = BN_CTX_new()) == NULL) 364 fatal("%s: BN_CTX_new", __func__); 365 if ((tmp = BN_new()) == NULL || 366 (*k = BN_new()) == NULL) 367 fatal("%s: BN_new", __func__); 368 369 /* Validate step 2 values */ 370 if (BN_cmp(step2_val, BN_value_one()) <= 0) 371 fatal("%s: step2_val <= 1", __func__); 372 if (BN_cmp(step2_val, grp->p) >= 0) 373 fatal("%s: step2_val >= p", __func__); 374 375 /* 376 * theirpriv2_s_proof is calculated with a different generator: 377 * tmp = g^(mypriv1+mypriv2+theirpub1) = g^mypub1*g^mypub2*g^theirpub1 378 * Calculate it here so we can check the signature. 379 */ 380 if (BN_mod_mul(tmp, mypub1, mypub2, grp->p, bn_ctx) != 1) 381 fatal("%s: BN_mod_mul (tmp = mypub1 * mypub2 mod p)", __func__); 382 if (BN_mod_mul(tmp, tmp, theirpub1, grp->p, bn_ctx) != 1) 383 fatal("%s: BN_mod_mul (tmp = tmp * theirpub1 mod p)", __func__); 384 385 JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__)); 386 387 if (schnorr_verify_buf(grp->p, grp->q, tmp, step2_val, 388 their_id, their_id_len, 389 theirpriv2_s_proof, theirpriv2_s_proof_len) != 1) 390 fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__); 391 392 /* 393 * Derive shared key: 394 * client: k = (b / g^(x2*x4*s))^x2 = g^((x1+x3)*x2*x4*s) 395 * server: k = (a / g^(x2*x4*s))^x4 = g^((x1+x3)*x2*x4*s) 396 * 397 * Computed as: 398 * client: k = (g_x4^(q - (x2 * s)) * b)^x2 mod p 399 * server: k = (g_x2^(q - (x4 * s)) * b)^x4 mod p 400 */ 401 if (BN_mul(tmp, mypriv2, s, bn_ctx) != 1) 402 fatal("%s: BN_mul (tmp = mypriv2 * s)", __func__); 403 if (BN_mod_sub(tmp, grp->q, tmp, grp->q, bn_ctx) != 1) 404 fatal("%s: BN_mod_sub (tmp = q - tmp mod q)", __func__); 405 if (BN_mod_exp(tmp, theirpub2, tmp, grp->p, bn_ctx) != 1) 406 fatal("%s: BN_mod_exp (tmp = theirpub2^tmp) mod p", __func__); 407 if (BN_mod_mul(tmp, tmp, step2_val, grp->p, bn_ctx) != 1) 408 fatal("%s: BN_mod_mul (tmp = tmp * step2_val) mod p", __func__); 409 if (BN_mod_exp(*k, tmp, mypriv2, grp->p, bn_ctx) != 1) 410 fatal("%s: BN_mod_exp (k = tmp^mypriv2) mod p", __func__); 411 412 BN_CTX_free(bn_ctx); 413 BN_clear_free(tmp); 414 415 jpake_confirm_hash(*k, my_id, my_id_len, sess_id, sess_id_len, 416 confirm_hash, confirm_hash_len); 417} 418 419/* 420 * Calculate and check confirmation hash from peer. Returns 1 on success 421 * 0 on failure/mismatch. 422 */ 423int 424jpake_check_confirm(const BIGNUM *k, 425 const u_char *peer_id, u_int peer_id_len, 426 const u_char *sess_id, u_int sess_id_len, 427 const u_char *peer_confirm_hash, u_int peer_confirm_hash_len) 428{ 429 u_char *expected_confirm_hash; 430 u_int expected_confirm_hash_len; 431 int success = 0; 432 433 /* Calculate and verify expected confirmation hash */ 434 jpake_confirm_hash(k, peer_id, peer_id_len, sess_id, sess_id_len, 435 &expected_confirm_hash, &expected_confirm_hash_len); 436 437 JPAKE_DEBUG_BUF((expected_confirm_hash, expected_confirm_hash_len, 438 "%s: expected confirm hash", __func__)); 439 JPAKE_DEBUG_BUF((peer_confirm_hash, peer_confirm_hash_len, 440 "%s: received confirm hash", __func__)); 441 442 if (peer_confirm_hash_len != expected_confirm_hash_len) 443 error("%s: confirmation length mismatch (my %u them %u)", 444 __func__, expected_confirm_hash_len, peer_confirm_hash_len); 445 else if (timingsafe_bcmp(peer_confirm_hash, expected_confirm_hash, 446 expected_confirm_hash_len) == 0) 447 success = 1; 448 bzero(expected_confirm_hash, expected_confirm_hash_len); 449 xfree(expected_confirm_hash); 450 debug3("%s: success = %d", __func__, success); 451 return success; 452} 453 454/* XXX main() function with tests */ 455 456#endif /* JPAKE */ 457 458