- djm@cvs.openbsd.org 2008/11/04 08:22:13

     [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
     [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
     [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
     [Makefile.in]
     Add support for an experimental zero-knowledge password authentication
     method using the J-PAKE protocol described in F. Hao, P. Ryan,
     "Password Authenticated Key Exchange by Juggling", 16th Workshop on
     Security Protocols, Cambridge, April 2008.

     This method allows password-based authentication without exposing
     the password to the server. Instead, the client and server exchange
     cryptographic proofs to demonstrate of knowledge of the password while
     revealing nothing useful to an attacker or compromised endpoint.

     This is experimental, work-in-progress code and is presently
     compiled-time disabled (turn on -DJPAKE in Makefile.inc).

     "just commit it.  It isn't too intrusive." deraadt@

1 files changed, 5 insertions, 1 deletions

diff --git a/auth.h b/auth.h
index 6a70f0eb6..3a70f4421 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.61 2008/07/02 12:03:51 dtucker Exp $ */
+/* $OpenBSD: auth.h,v 1.62 2008/11/04 08:22:12 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -59,6 +59,7 @@ struct Authctxt {
         struct passwd   *pw;            /* set if 'valid' */
         char            *style;
         void            *kbdintctxt;
+        void            *jpake_ctx;
 #ifdef BSD_AUTH
         auth_session_t  *as;
 #endif
@@ -156,6 +157,9 @@ int	bsdauth_respond(void *, u_int, char **);
 int     skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int     skey_respond(void *, u_int, char **);
 
+void    auth2_jpake_get_pwdata(Authctxt *, BIGNUM **, char **, char **);
+void    auth2_jpake_stop(Authctxt *);
+
 int     allowed_user(struct passwd *);
 struct passwd * getpwnamallow(const char *user);