1 /* $OpenBSD: jpake.c,v 1.6 2010/09/20 04:54:07 djm Exp $ */
2 /*
3 * Copyright (c) 2008 Damien Miller. All rights reserved.
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 /*
19 * Shared components of zero-knowledge password auth using J-PAKE protocol
20 * as described in:
21 *
22 * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
23 * 16th Workshop on Security Protocols, Cambridge, April 2008
24 *
25 * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
26 */
27
28 #include "includes.h"
29
30 #include <sys/types.h>
31
32 #include <stdio.h>
33 #include <string.h>
34 #include <stdarg.h>
35
36 #include <openssl/bn.h>
37 #include <openssl/evp.h>
38
39 #include "xmalloc.h"
40 #include "ssh2.h"
41 #include "key.h"
42 #include "hostfile.h"
43 #include "auth.h"
44 #include "buffer.h"
45 #include "packet.h"
46 #include "dispatch.h"
47 #include "log.h"
48 #include "misc.h"
49
50 #include "jpake.h"
51 #include "schnorr.h"
52
53 #ifdef JPAKE
54
55 /* RFC3526 group 5, 1536 bits */
56 #define JPAKE_GROUP_G "2"
57 #define JPAKE_GROUP_P \
58 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74" \
59 "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437" \
60 "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
61 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05" \
62 "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \
63 "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
64
65 struct modp_group *
jpake_default_group(void)66 jpake_default_group(void)
67 {
68 return modp_group_from_g_and_safe_p(JPAKE_GROUP_G, JPAKE_GROUP_P);
69 }
70
71 struct jpake_ctx *
jpake_new(void)72 jpake_new(void)
73 {
74 struct jpake_ctx *ret;
75
76 ret = xcalloc(1, sizeof(*ret));
77
78 ret->grp = jpake_default_group();
79
80 ret->s = ret->k = NULL;
81 ret->x1 = ret->x2 = ret->x3 = ret->x4 = NULL;
82 ret->g_x1 = ret->g_x2 = ret->g_x3 = ret->g_x4 = NULL;
83 ret->a = ret->b = NULL;
84
85 ret->client_id = ret->server_id = NULL;
86 ret->h_k_cid_sessid = ret->h_k_sid_sessid = NULL;
87
88 debug3("%s: alloc %p", __func__, ret);
89
90 return ret;
91 }
92
93 void
jpake_free(struct jpake_ctx * pctx)94 jpake_free(struct jpake_ctx *pctx)
95 {
96 debug3("%s: free %p", __func__, pctx);
97
98 #define JPAKE_BN_CLEAR_FREE(v) \
99 do { \
100 if ((v) != NULL) { \
101 BN_clear_free(v); \
102 (v) = NULL; \
103 } \
104 } while (0)
105 #define JPAKE_BUF_CLEAR_FREE(v, l) \
106 do { \
107 if ((v) != NULL) { \
108 bzero((v), (l)); \
109 xfree(v); \
110 (v) = NULL; \
111 (l) = 0; \
112 } \
113 } while (0)
114
115 JPAKE_BN_CLEAR_FREE(pctx->s);
116 JPAKE_BN_CLEAR_FREE(pctx->k);
117 JPAKE_BN_CLEAR_FREE(pctx->x1);
118 JPAKE_BN_CLEAR_FREE(pctx->x2);
119 JPAKE_BN_CLEAR_FREE(pctx->x3);
120 JPAKE_BN_CLEAR_FREE(pctx->x4);
121 JPAKE_BN_CLEAR_FREE(pctx->g_x1);
122 JPAKE_BN_CLEAR_FREE(pctx->g_x2);
123 JPAKE_BN_CLEAR_FREE(pctx->g_x3);
124 JPAKE_BN_CLEAR_FREE(pctx->g_x4);
125 JPAKE_BN_CLEAR_FREE(pctx->a);
126 JPAKE_BN_CLEAR_FREE(pctx->b);
127
128 JPAKE_BUF_CLEAR_FREE(pctx->client_id, pctx->client_id_len);
129 JPAKE_BUF_CLEAR_FREE(pctx->server_id, pctx->server_id_len);
130 JPAKE_BUF_CLEAR_FREE(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
131 JPAKE_BUF_CLEAR_FREE(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
132
133 #undef JPAKE_BN_CLEAR_FREE
134 #undef JPAKE_BUF_CLEAR_FREE
135
136 bzero(pctx, sizeof(pctx));
137 xfree(pctx);
138 }
139
140 /* dump entire jpake_ctx. NB. includes private values! */
141 void
jpake_dump(struct jpake_ctx * pctx,const char * fmt,...)142 jpake_dump(struct jpake_ctx *pctx, const char *fmt, ...)
143 {
144 char *out;
145 va_list args;
146
147 out = NULL;
148 va_start(args, fmt);
149 vasprintf(&out, fmt, args);
150 va_end(args);
151 if (out == NULL)
152 fatal("%s: vasprintf failed", __func__);
153
154 debug3("%s: %s (ctx at %p)", __func__, out, pctx);
155 if (pctx == NULL) {
156 free(out);
157 return;
158 }
159
160 #define JPAKE_DUMP_BN(a) do { \
161 if ((a) != NULL) \
162 JPAKE_DEBUG_BN(((a), "%s = ", #a)); \
163 } while (0)
164 #define JPAKE_DUMP_BUF(a, b) do { \
165 if ((a) != NULL) \
166 JPAKE_DEBUG_BUF((a, b, "%s", #a)); \
167 } while (0)
168
169 JPAKE_DUMP_BN(pctx->s);
170 JPAKE_DUMP_BN(pctx->k);
171 JPAKE_DUMP_BN(pctx->x1);
172 JPAKE_DUMP_BN(pctx->x2);
173 JPAKE_DUMP_BN(pctx->x3);
174 JPAKE_DUMP_BN(pctx->x4);
175 JPAKE_DUMP_BN(pctx->g_x1);
176 JPAKE_DUMP_BN(pctx->g_x2);
177 JPAKE_DUMP_BN(pctx->g_x3);
178 JPAKE_DUMP_BN(pctx->g_x4);
179 JPAKE_DUMP_BN(pctx->a);
180 JPAKE_DUMP_BN(pctx->b);
181
182 JPAKE_DUMP_BUF(pctx->client_id, pctx->client_id_len);
183 JPAKE_DUMP_BUF(pctx->server_id, pctx->server_id_len);
184 JPAKE_DUMP_BUF(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
185 JPAKE_DUMP_BUF(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
186
187 debug3("%s: %s done", __func__, out);
188 free(out);
189 }
190
191 /* Shared parts of step 1 exchange calculation */
192 void
jpake_step1(struct modp_group * grp,u_char ** id,u_int * id_len,BIGNUM ** priv1,BIGNUM ** priv2,BIGNUM ** g_priv1,BIGNUM ** g_priv2,u_char ** priv1_proof,u_int * priv1_proof_len,u_char ** priv2_proof,u_int * priv2_proof_len)193 jpake_step1(struct modp_group *grp,
194 u_char **id, u_int *id_len,
195 BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
196 u_char **priv1_proof, u_int *priv1_proof_len,
197 u_char **priv2_proof, u_int *priv2_proof_len)
198 {
199 BN_CTX *bn_ctx;
200
201 if ((bn_ctx = BN_CTX_new()) == NULL)
202 fatal("%s: BN_CTX_new", __func__);
203
204 /* Random nonce to prevent replay */
205 *id = xmalloc(KZP_ID_LEN);
206 *id_len = KZP_ID_LEN;
207 arc4random_buf(*id, *id_len);
208
209 /*
210 * x1/x3 is a random element of Zq
211 * x2/x4 is a random element of Z*q
212 * We also exclude [1] from x1/x3 candidates and [0, 1] from
213 * x2/x4 candiates to avoid possible degeneracy (i.e. g^0, g^1).
214 */
215 if ((*priv1 = bn_rand_range_gt_one(grp->q)) == NULL ||
216 (*priv2 = bn_rand_range_gt_one(grp->q)) == NULL)
217 fatal("%s: bn_rand_range_gt_one", __func__);
218
219 /*
220 * client: g_x1 = g^x1 mod p / server: g_x3 = g^x3 mod p
221 * client: g_x2 = g^x2 mod p / server: g_x4 = g^x4 mod p
222 */
223 if ((*g_priv1 = BN_new()) == NULL ||
224 (*g_priv2 = BN_new()) == NULL)
225 fatal("%s: BN_new", __func__);
226 if (BN_mod_exp(*g_priv1, grp->g, *priv1, grp->p, bn_ctx) == -1)
227 fatal("%s: BN_mod_exp", __func__);
228 if (BN_mod_exp(*g_priv2, grp->g, *priv2, grp->p, bn_ctx) == -1)
229 fatal("%s: BN_mod_exp", __func__);
230
231 /* Generate proofs for holding x1/x3 and x2/x4 */
232 if (schnorr_sign_buf(grp->p, grp->q, grp->g,
233 *priv1, *g_priv1, *id, *id_len,
234 priv1_proof, priv1_proof_len) != 0)
235 fatal("%s: schnorr_sign", __func__);
236 if (schnorr_sign_buf(grp->p, grp->q, grp->g,
237 *priv2, *g_priv2, *id, *id_len,
238 priv2_proof, priv2_proof_len) != 0)
239 fatal("%s: schnorr_sign", __func__);
240
241 BN_CTX_free(bn_ctx);
242 }
243
244 /* Shared parts of step 2 exchange calculation */
245 void
jpake_step2(struct modp_group * grp,BIGNUM * s,BIGNUM * mypub1,BIGNUM * theirpub1,BIGNUM * theirpub2,BIGNUM * mypriv2,const u_char * theirid,u_int theirid_len,const u_char * myid,u_int myid_len,const u_char * theirpub1_proof,u_int theirpub1_proof_len,const u_char * theirpub2_proof,u_int theirpub2_proof_len,BIGNUM ** newpub,u_char ** newpub_exponent_proof,u_int * newpub_exponent_proof_len)246 jpake_step2(struct modp_group *grp, BIGNUM *s,
247 BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
248 const u_char *theirid, u_int theirid_len,
249 const u_char *myid, u_int myid_len,
250 const u_char *theirpub1_proof, u_int theirpub1_proof_len,
251 const u_char *theirpub2_proof, u_int theirpub2_proof_len,
252 BIGNUM **newpub,
253 u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len)
254 {
255 BN_CTX *bn_ctx;
256 BIGNUM *tmp, *exponent;
257
258 /* Validate peer's step 1 values */
259 if (BN_cmp(theirpub1, BN_value_one()) <= 0)
260 fatal("%s: theirpub1 <= 1", __func__);
261 if (BN_cmp(theirpub1, grp->p) >= 0)
262 fatal("%s: theirpub1 >= p", __func__);
263 if (BN_cmp(theirpub2, BN_value_one()) <= 0)
264 fatal("%s: theirpub2 <= 1", __func__);
265 if (BN_cmp(theirpub2, grp->p) >= 0)
266 fatal("%s: theirpub2 >= p", __func__);
267
268 if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1,
269 theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1)
270 fatal("%s: schnorr_verify theirpub1 failed", __func__);
271 if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub2,
272 theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1)
273 fatal("%s: schnorr_verify theirpub2 failed", __func__);
274
275 if ((bn_ctx = BN_CTX_new()) == NULL)
276 fatal("%s: BN_CTX_new", __func__);
277
278 if ((*newpub = BN_new()) == NULL ||
279 (tmp = BN_new()) == NULL ||
280 (exponent = BN_new()) == NULL)
281 fatal("%s: BN_new", __func__);
282
283 /*
284 * client: exponent = x2 * s mod p
285 * server: exponent = x4 * s mod p
286 */
287 if (BN_mod_mul(exponent, mypriv2, s, grp->q, bn_ctx) != 1)
288 fatal("%s: BN_mod_mul (exponent = mypriv2 * s mod p)",
289 __func__);
290
291 /*
292 * client: tmp = g^(x1 + x3 + x4) mod p
293 * server: tmp = g^(x1 + x2 + x3) mod p
294 */
295 if (BN_mod_mul(tmp, mypub1, theirpub1, grp->p, bn_ctx) != 1)
296 fatal("%s: BN_mod_mul (tmp = mypub1 * theirpub1 mod p)",
297 __func__);
298 if (BN_mod_mul(tmp, tmp, theirpub2, grp->p, bn_ctx) != 1)
299 fatal("%s: BN_mod_mul (tmp = tmp * theirpub2 mod p)", __func__);
300
301 /*
302 * client: a = tmp^exponent = g^((x1+x3+x4) * x2 * s) mod p
303 * server: b = tmp^exponent = g^((x1+x2+x3) * x4 * s) mod p
304 */
305 if (BN_mod_exp(*newpub, tmp, exponent, grp->p, bn_ctx) != 1)
306 fatal("%s: BN_mod_mul (newpub = tmp^exponent mod p)", __func__);
307
308 JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
309 JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__));
310
311 /* Note the generator here is 'tmp', not g */
312 if (schnorr_sign_buf(grp->p, grp->q, tmp, exponent, *newpub,
313 myid, myid_len,
314 newpub_exponent_proof, newpub_exponent_proof_len) != 0)
315 fatal("%s: schnorr_sign newpub", __func__);
316
317 BN_clear_free(tmp); /* XXX stash for later use? */
318 BN_clear_free(exponent); /* XXX stash for later use? (yes, in conf) */
319
320 BN_CTX_free(bn_ctx);
321 }
322
323 /* Confirmation hash calculation */
324 void
jpake_confirm_hash(const BIGNUM * k,const u_char * endpoint_id,u_int endpoint_id_len,const u_char * sess_id,u_int sess_id_len,u_char ** confirm_hash,u_int * confirm_hash_len)325 jpake_confirm_hash(const BIGNUM *k,
326 const u_char *endpoint_id, u_int endpoint_id_len,
327 const u_char *sess_id, u_int sess_id_len,
328 u_char **confirm_hash, u_int *confirm_hash_len)
329 {
330 Buffer b;
331
332 /*
333 * Calculate confirmation proof:
334 * client: H(k || client_id || session_id)
335 * server: H(k || server_id || session_id)
336 */
337 buffer_init(&b);
338 buffer_put_bignum2(&b, k);
339 buffer_put_string(&b, endpoint_id, endpoint_id_len);
340 buffer_put_string(&b, sess_id, sess_id_len);
341 if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
342 confirm_hash, confirm_hash_len) != 0)
343 fatal("%s: hash_buffer", __func__);
344 buffer_free(&b);
345 }
346
347 /* Shared parts of key derivation and confirmation calculation */
348 void
jpake_key_confirm(struct modp_group * grp,BIGNUM * s,BIGNUM * step2_val,BIGNUM * mypriv2,BIGNUM * mypub1,BIGNUM * mypub2,BIGNUM * theirpub1,BIGNUM * theirpub2,const u_char * my_id,u_int my_id_len,const u_char * their_id,u_int their_id_len,const u_char * sess_id,u_int sess_id_len,const u_char * theirpriv2_s_proof,u_int theirpriv2_s_proof_len,BIGNUM ** k,u_char ** confirm_hash,u_int * confirm_hash_len)349 jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
350 BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
351 BIGNUM *theirpub1, BIGNUM *theirpub2,
352 const u_char *my_id, u_int my_id_len,
353 const u_char *their_id, u_int their_id_len,
354 const u_char *sess_id, u_int sess_id_len,
355 const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len,
356 BIGNUM **k,
357 u_char **confirm_hash, u_int *confirm_hash_len)
358 {
359 BN_CTX *bn_ctx;
360 BIGNUM *tmp;
361
362 if ((bn_ctx = BN_CTX_new()) == NULL)
363 fatal("%s: BN_CTX_new", __func__);
364 if ((tmp = BN_new()) == NULL ||
365 (*k = BN_new()) == NULL)
366 fatal("%s: BN_new", __func__);
367
368 /* Validate step 2 values */
369 if (BN_cmp(step2_val, BN_value_one()) <= 0)
370 fatal("%s: step2_val <= 1", __func__);
371 if (BN_cmp(step2_val, grp->p) >= 0)
372 fatal("%s: step2_val >= p", __func__);
373
374 /*
375 * theirpriv2_s_proof is calculated with a different generator:
376 * tmp = g^(mypriv1+mypriv2+theirpub1) = g^mypub1*g^mypub2*g^theirpub1
377 * Calculate it here so we can check the signature.
378 */
379 if (BN_mod_mul(tmp, mypub1, mypub2, grp->p, bn_ctx) != 1)
380 fatal("%s: BN_mod_mul (tmp = mypub1 * mypub2 mod p)", __func__);
381 if (BN_mod_mul(tmp, tmp, theirpub1, grp->p, bn_ctx) != 1)
382 fatal("%s: BN_mod_mul (tmp = tmp * theirpub1 mod p)", __func__);
383
384 JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
385
386 if (schnorr_verify_buf(grp->p, grp->q, tmp, step2_val,
387 their_id, their_id_len,
388 theirpriv2_s_proof, theirpriv2_s_proof_len) != 1)
389 fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__);
390
391 /*
392 * Derive shared key:
393 * client: k = (b / g^(x2*x4*s))^x2 = g^((x1+x3)*x2*x4*s)
394 * server: k = (a / g^(x2*x4*s))^x4 = g^((x1+x3)*x2*x4*s)
395 *
396 * Computed as:
397 * client: k = (g_x4^(q - (x2 * s)) * b)^x2 mod p
398 * server: k = (g_x2^(q - (x4 * s)) * b)^x4 mod p
399 */
400 if (BN_mul(tmp, mypriv2, s, bn_ctx) != 1)
401 fatal("%s: BN_mul (tmp = mypriv2 * s)", __func__);
402 if (BN_mod_sub(tmp, grp->q, tmp, grp->q, bn_ctx) != 1)
403 fatal("%s: BN_mod_sub (tmp = q - tmp mod q)", __func__);
404 if (BN_mod_exp(tmp, theirpub2, tmp, grp->p, bn_ctx) != 1)
405 fatal("%s: BN_mod_exp (tmp = theirpub2^tmp) mod p", __func__);
406 if (BN_mod_mul(tmp, tmp, step2_val, grp->p, bn_ctx) != 1)
407 fatal("%s: BN_mod_mul (tmp = tmp * step2_val) mod p", __func__);
408 if (BN_mod_exp(*k, tmp, mypriv2, grp->p, bn_ctx) != 1)
409 fatal("%s: BN_mod_exp (k = tmp^mypriv2) mod p", __func__);
410
411 BN_CTX_free(bn_ctx);
412 BN_clear_free(tmp);
413
414 jpake_confirm_hash(*k, my_id, my_id_len, sess_id, sess_id_len,
415 confirm_hash, confirm_hash_len);
416 }
417
418 /*
419 * Calculate and check confirmation hash from peer. Returns 1 on success
420 * 0 on failure/mismatch.
421 */
422 int
jpake_check_confirm(const BIGNUM * k,const u_char * peer_id,u_int peer_id_len,const u_char * sess_id,u_int sess_id_len,const u_char * peer_confirm_hash,u_int peer_confirm_hash_len)423 jpake_check_confirm(const BIGNUM *k,
424 const u_char *peer_id, u_int peer_id_len,
425 const u_char *sess_id, u_int sess_id_len,
426 const u_char *peer_confirm_hash, u_int peer_confirm_hash_len)
427 {
428 u_char *expected_confirm_hash;
429 u_int expected_confirm_hash_len;
430 int success = 0;
431
432 /* Calculate and verify expected confirmation hash */
433 jpake_confirm_hash(k, peer_id, peer_id_len, sess_id, sess_id_len,
434 &expected_confirm_hash, &expected_confirm_hash_len);
435
436 JPAKE_DEBUG_BUF((expected_confirm_hash, expected_confirm_hash_len,
437 "%s: expected confirm hash", __func__));
438 JPAKE_DEBUG_BUF((peer_confirm_hash, peer_confirm_hash_len,
439 "%s: received confirm hash", __func__));
440
441 if (peer_confirm_hash_len != expected_confirm_hash_len)
442 error("%s: confirmation length mismatch (my %u them %u)",
443 __func__, expected_confirm_hash_len, peer_confirm_hash_len);
444 else if (timingsafe_bcmp(peer_confirm_hash, expected_confirm_hash,
445 expected_confirm_hash_len) == 0)
446 success = 1;
447 bzero(expected_confirm_hash, expected_confirm_hash_len);
448 xfree(expected_confirm_hash);
449 debug3("%s: success = %d", __func__, success);
450 return success;
451 }
452
453 /* XXX main() function with tests */
454
455 #endif /* JPAKE */
456
457