1 files changed, 0 insertions, 456 deletions
diff --git a/jpake.c b/jpake.c
deleted file mode 100644
index 3dd87916a..000000000
--- a/jpake.c
+++ /dev/null
@@ -1,456 +0,0 @@
-/* $OpenBSD: jpake.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */
-/*
- * Copyright (c) 2008 Damien Miller.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-/*
- * Shared components of zero-knowledge password auth using J-PAKE protocol
- * as described in:
- *
- * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
- * 16th Workshop on Security Protocols, Cambridge, April 2008
- *
- * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
- */
-#include "includes.h"
-#include <sys/types.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "buffer.h"
-#include "packet.h"
-#include "dispatch.h"
-#include "log.h"
-#include "misc.h"
-#include "jpake.h"
-#include "schnorr.h"
-#ifdef JPAKE
-/* RFC3526 group 5, 1536 bits */
-#define JPAKE_GROUP_G "2"
-#define JPAKE_GROUP_P \
-        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74" \
-        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437" \
-        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
-        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05" \
-        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \
-        "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
-struct modp_group *
-jpake_default_group(void)
-{
-        return modp_group_from_g_and_safe_p(JPAKE_GROUP_G, JPAKE_GROUP_P);
-}
-struct jpake_ctx *
-jpake_new(void)
-{
-        struct jpake_ctx *ret;
-        ret = xcalloc(1, sizeof(*ret));
-        ret->grp = jpake_default_group();
-        ret->s = ret->k = NULL;
-        ret->x1 = ret->x2 = ret->x3 = ret->x4 = NULL;
-        ret->g_x1 = ret->g_x2 = ret->g_x3 = ret->g_x4 = NULL;
-        ret->a = ret->b = NULL;
-        ret->client_id = ret->server_id = NULL;
-        ret->h_k_cid_sessid = ret->h_k_sid_sessid = NULL;
-        debug3("%s: alloc %p", __func__, ret);
-        return ret;
-}
-void
-jpake_free(struct jpake_ctx *pctx)
-{
-        debug3("%s: free %p", __func__, pctx);
-#define JPAKE_BN_CLEAR_FREE(v)                  \
-        do {                                    \
-                if ((v) != NULL) {              \
-                        BN_clear_free(v);       \
-                        (v) = NULL;             \
-                }                               \
-        } while (0)
-#define JPAKE_BUF_CLEAR_FREE(v, l)              \
-        do {                                    \
-                if ((v) != NULL) {              \
-                        bzero((v), (l));        \
-                        free(v);                \
-                        (v) = NULL;             \
-                        (l) = 0;                \
-                }                               \
-        } while (0)
-        JPAKE_BN_CLEAR_FREE(pctx->s);
-        JPAKE_BN_CLEAR_FREE(pctx->k);
-        JPAKE_BN_CLEAR_FREE(pctx->x1);
-        JPAKE_BN_CLEAR_FREE(pctx->x2);
-        JPAKE_BN_CLEAR_FREE(pctx->x3);
-        JPAKE_BN_CLEAR_FREE(pctx->x4);
-        JPAKE_BN_CLEAR_FREE(pctx->g_x1);
-        JPAKE_BN_CLEAR_FREE(pctx->g_x2);
-        JPAKE_BN_CLEAR_FREE(pctx->g_x3);
-        JPAKE_BN_CLEAR_FREE(pctx->g_x4);
-        JPAKE_BN_CLEAR_FREE(pctx->a);
-        JPAKE_BN_CLEAR_FREE(pctx->b);
-        JPAKE_BUF_CLEAR_FREE(pctx->client_id, pctx->client_id_len);
-        JPAKE_BUF_CLEAR_FREE(pctx->server_id, pctx->server_id_len);
-        JPAKE_BUF_CLEAR_FREE(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
-        JPAKE_BUF_CLEAR_FREE(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
-#undef JPAKE_BN_CLEAR_FREE
-#undef JPAKE_BUF_CLEAR_FREE
-        bzero(pctx, sizeof(*pctx));
-        free(pctx);
-}
-/* dump entire jpake_ctx. NB. includes private values! */
-void
-jpake_dump(struct jpake_ctx *pctx, const char *fmt, ...)
-{
-        char *out;
-        va_list args;
-        out = NULL;
-        va_start(args, fmt);
-        vasprintf(&out, fmt, args);
-        va_end(args);
-        if (out == NULL)
-                fatal("%s: vasprintf failed", __func__);
-        debug3("%s: %s (ctx at %p)", __func__, out, pctx);
-        if (pctx == NULL) {
-                free(out);
-                return;
-        }
-#define JPAKE_DUMP_BN(a)        do { \
-                if ((a) != NULL) \
-                        JPAKE_DEBUG_BN(((a), "%s = ", #a)); \
-        } while (0)
-#define JPAKE_DUMP_BUF(a, b)    do { \
-                if ((a) != NULL) \
-                        JPAKE_DEBUG_BUF((a, b, "%s", #a)); \
-        } while (0)
-        JPAKE_DUMP_BN(pctx->s);
-        JPAKE_DUMP_BN(pctx->k);
-        JPAKE_DUMP_BN(pctx->x1);
-        JPAKE_DUMP_BN(pctx->x2);
-        JPAKE_DUMP_BN(pctx->x3);
-        JPAKE_DUMP_BN(pctx->x4);
-        JPAKE_DUMP_BN(pctx->g_x1);
-        JPAKE_DUMP_BN(pctx->g_x2);
-        JPAKE_DUMP_BN(pctx->g_x3);
-        JPAKE_DUMP_BN(pctx->g_x4);
-        JPAKE_DUMP_BN(pctx->a);
-        JPAKE_DUMP_BN(pctx->b);
-        JPAKE_DUMP_BUF(pctx->client_id, pctx->client_id_len);
-        JPAKE_DUMP_BUF(pctx->server_id, pctx->server_id_len);
-        JPAKE_DUMP_BUF(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
-        JPAKE_DUMP_BUF(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
-        debug3("%s: %s done", __func__, out);
-        free(out);
-}
-/* Shared parts of step 1 exchange calculation */
-void
-jpake_step1(struct modp_group *grp,
-    u_char **id, u_int *id_len,
-    BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
-    u_char **priv1_proof, u_int *priv1_proof_len,
-    u_char **priv2_proof, u_int *priv2_proof_len)
-{
-        BN_CTX *bn_ctx;
-        if ((bn_ctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new", __func__);
-        /* Random nonce to prevent replay */
-        *id = xmalloc(KZP_ID_LEN);
-        *id_len = KZP_ID_LEN;
-        arc4random_buf(*id, *id_len);
-        /*
-         * x1/x3 is a random element of Zq
-         * x2/x4 is a random element of Z*q
-         * We also exclude [1] from x1/x3 candidates and [0, 1] from
-         * x2/x4 candiates to avoid possible degeneracy (i.e. g^0, g^1).
-         */
-        if ((*priv1 = bn_rand_range_gt_one(grp->q)) == NULL ||
-            (*priv2 = bn_rand_range_gt_one(grp->q)) == NULL)
-                fatal("%s: bn_rand_range_gt_one", __func__);
-        /*
-         * client: g_x1 = g^x1 mod p / server: g_x3 = g^x3 mod p
-         * client: g_x2 = g^x2 mod p / server: g_x4 = g^x4 mod p
-         */
-        if ((*g_priv1 = BN_new()) == NULL ||
-            (*g_priv2 = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-        if (BN_mod_exp(*g_priv1, grp->g, *priv1, grp->p, bn_ctx) == -1)
-                fatal("%s: BN_mod_exp", __func__);
-        if (BN_mod_exp(*g_priv2, grp->g, *priv2, grp->p, bn_ctx) == -1)
-                fatal("%s: BN_mod_exp", __func__);
-        /* Generate proofs for holding x1/x3 and x2/x4 */
-        if (schnorr_sign_buf(grp->p, grp->q, grp->g,
-            *priv1, *g_priv1, *id, *id_len,
-            priv1_proof, priv1_proof_len) != 0)
-                fatal("%s: schnorr_sign", __func__);
-        if (schnorr_sign_buf(grp->p, grp->q, grp->g,
-            *priv2, *g_priv2, *id, *id_len,
-            priv2_proof, priv2_proof_len) != 0)
-                fatal("%s: schnorr_sign", __func__);
-        BN_CTX_free(bn_ctx);
-}
-/* Shared parts of step 2 exchange calculation */
-void
-jpake_step2(struct modp_group *grp, BIGNUM *s,
-    BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
-    const u_char *theirid, u_int theirid_len,
-    const u_char *myid, u_int myid_len,
-    const u_char *theirpub1_proof, u_int theirpub1_proof_len,
-    const u_char *theirpub2_proof, u_int theirpub2_proof_len,
-    BIGNUM **newpub,
-    u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len)
-{
-        BN_CTX *bn_ctx;
-        BIGNUM *tmp, *exponent;
-        /* Validate peer's step 1 values */
-        if (BN_cmp(theirpub1, BN_value_one()) <= 0)
-                fatal("%s: theirpub1 <= 1", __func__);
-        if (BN_cmp(theirpub1, grp->p) >= 0)
-                fatal("%s: theirpub1 >= p", __func__);
-        if (BN_cmp(theirpub2, BN_value_one()) <= 0)
-                fatal("%s: theirpub2 <= 1", __func__);
-        if (BN_cmp(theirpub2, grp->p) >= 0)
-                fatal("%s: theirpub2 >= p", __func__);
-        if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1,
-            theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1)
-                fatal("%s: schnorr_verify theirpub1 failed", __func__);
-        if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub2,
-            theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1)
-                fatal("%s: schnorr_verify theirpub2 failed", __func__);
-        if ((bn_ctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new", __func__);
-        if ((*newpub = BN_new()) == NULL ||
-            (tmp = BN_new()) == NULL ||
-            (exponent = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-        /*
-         * client: exponent = x2 * s mod p
-         * server: exponent = x4 * s mod p
-         */
-        if (BN_mod_mul(exponent, mypriv2, s, grp->q, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (exponent = mypriv2 * s mod p)",
-                    __func__);
-        /*
-         * client: tmp = g^(x1 + x3 + x4) mod p
-         * server: tmp = g^(x1 + x2 + x3) mod p
-         */
-        if (BN_mod_mul(tmp, mypub1, theirpub1, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (tmp = mypub1 * theirpub1 mod p)",
-                    __func__);
-        if (BN_mod_mul(tmp, tmp, theirpub2, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (tmp = tmp * theirpub2 mod p)", __func__);
-        /*
-         * client: a = tmp^exponent = g^((x1+x3+x4) * x2 * s) mod p
-         * server: b = tmp^exponent = g^((x1+x2+x3) * x4 * s) mod p
-         */
-        if (BN_mod_exp(*newpub, tmp, exponent, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (newpub = tmp^exponent mod p)", __func__);
-        JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
-        JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__));
-        /* Note the generator here is 'tmp', not g */
-        if (schnorr_sign_buf(grp->p, grp->q, tmp, exponent, *newpub,
-            myid, myid_len,
-            newpub_exponent_proof, newpub_exponent_proof_len) != 0)
-                fatal("%s: schnorr_sign newpub", __func__);
-        BN_clear_free(tmp); /* XXX stash for later use? */
-        BN_clear_free(exponent); /* XXX stash for later use? (yes, in conf) */
-        BN_CTX_free(bn_ctx);
-}
-/* Confirmation hash calculation */
-void
-jpake_confirm_hash(const BIGNUM *k,
-    const u_char *endpoint_id, u_int endpoint_id_len,
-    const u_char *sess_id, u_int sess_id_len,
-    u_char **confirm_hash, u_int *confirm_hash_len)
-{
-        Buffer b;
-        /*
-         * Calculate confirmation proof:
-         *     client: H(k || client_id || session_id)
-         *     server: H(k || server_id || session_id)
-         */
-        buffer_init(&b);
-        buffer_put_bignum2(&b, k);
-        buffer_put_string(&b, endpoint_id, endpoint_id_len);
-        buffer_put_string(&b, sess_id, sess_id_len);
-        if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
-            confirm_hash, confirm_hash_len) != 0)
-                fatal("%s: hash_buffer", __func__);
-        buffer_free(&b);
-}
-/* Shared parts of key derivation and confirmation calculation */
-void
-jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
-    BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
-    BIGNUM *theirpub1, BIGNUM *theirpub2,
-    const u_char *my_id, u_int my_id_len,
-    const u_char *their_id, u_int their_id_len,
-    const u_char *sess_id, u_int sess_id_len,
-    const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len,
-    BIGNUM **k,
-    u_char **confirm_hash, u_int *confirm_hash_len)
-{
-        BN_CTX *bn_ctx;
-        BIGNUM *tmp;
-        if ((bn_ctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new", __func__);
-        if ((tmp = BN_new()) == NULL ||
-            (*k = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-        /* Validate step 2 values */
-        if (BN_cmp(step2_val, BN_value_one()) <= 0)
-                fatal("%s: step2_val <= 1", __func__);
-        if (BN_cmp(step2_val, grp->p) >= 0)
-                fatal("%s: step2_val >= p", __func__);
-        /*
-         * theirpriv2_s_proof is calculated with a different generator:
-         * tmp = g^(mypriv1+mypriv2+theirpub1) = g^mypub1*g^mypub2*g^theirpub1
-         * Calculate it here so we can check the signature.
-         */
-        if (BN_mod_mul(tmp, mypub1, mypub2, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (tmp = mypub1 * mypub2 mod p)", __func__);
-        if (BN_mod_mul(tmp, tmp, theirpub1, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (tmp = tmp * theirpub1 mod p)", __func__);
-        JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
-        if (schnorr_verify_buf(grp->p, grp->q, tmp, step2_val, 
-            their_id, their_id_len,
-            theirpriv2_s_proof, theirpriv2_s_proof_len) != 1)
-                fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__);
-        /*
-         * Derive shared key:
-         *     client: k = (b / g^(x2*x4*s))^x2 = g^((x1+x3)*x2*x4*s)
-         *     server: k = (a / g^(x2*x4*s))^x4 = g^((x1+x3)*x2*x4*s)
-         *
-         * Computed as:
-         *     client: k = (g_x4^(q - (x2 * s)) * b)^x2 mod p
-         *     server: k = (g_x2^(q - (x4 * s)) * b)^x4 mod p
-         */
-        if (BN_mul(tmp, mypriv2, s, bn_ctx) != 1)
-                fatal("%s: BN_mul (tmp = mypriv2 * s)", __func__);
-        if (BN_mod_sub(tmp, grp->q, tmp, grp->q, bn_ctx) != 1)
-                fatal("%s: BN_mod_sub (tmp = q - tmp mod q)", __func__);
-        if (BN_mod_exp(tmp, theirpub2, tmp, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_exp (tmp = theirpub2^tmp) mod p", __func__);
-        if (BN_mod_mul(tmp, tmp, step2_val, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (tmp = tmp * step2_val) mod p", __func__);
-        if (BN_mod_exp(*k, tmp, mypriv2, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_exp (k = tmp^mypriv2) mod p", __func__);
-        
-        BN_CTX_free(bn_ctx);
-        BN_clear_free(tmp);
-        jpake_confirm_hash(*k, my_id, my_id_len, sess_id, sess_id_len,
-            confirm_hash, confirm_hash_len);
-}
-/*
- * Calculate and check confirmation hash from peer. Returns 1 on success
- * 0 on failure/mismatch.
- */
-int
-jpake_check_confirm(const BIGNUM *k,
-    const u_char *peer_id, u_int peer_id_len,
-    const u_char *sess_id, u_int sess_id_len,
-    const u_char *peer_confirm_hash, u_int peer_confirm_hash_len)
-{
-        u_char *expected_confirm_hash;
-        u_int expected_confirm_hash_len;
-        int success = 0;
-        /* Calculate and verify expected confirmation hash */
-        jpake_confirm_hash(k, peer_id, peer_id_len, sess_id, sess_id_len,
-            &expected_confirm_hash, &expected_confirm_hash_len);
-        JPAKE_DEBUG_BUF((expected_confirm_hash, expected_confirm_hash_len,
-            "%s: expected confirm hash", __func__));
-        JPAKE_DEBUG_BUF((peer_confirm_hash, peer_confirm_hash_len,
-            "%s: received confirm hash", __func__));
-        if (peer_confirm_hash_len != expected_confirm_hash_len)
-                error("%s: confirmation length mismatch (my %u them %u)",
-                    __func__, expected_confirm_hash_len, peer_confirm_hash_len);
-        else if (timingsafe_bcmp(peer_confirm_hash, expected_confirm_hash,
-            expected_confirm_hash_len) == 0)
-                success = 1;
-        bzero(expected_confirm_hash, expected_confirm_hash_len);
-        free(expected_confirm_hash);
-        debug3("%s: success = %d", __func__, success);
-        return success;
-}
-/* XXX main() function with tests */
-#endif /* JPAKE */

diff --git a/jpake.c b/jpake.c deleted file mode 100644 index 3dd87916a..000000000 --- a/jpake.c +++ /dev/null
@@ -1,456 +0,0 @@
1	/* $OpenBSD: jpake.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */
2	/*
3	* Copyright (c) 2008 Damien Miller. All rights reserved.
4	*
5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	/*
19	* Shared components of zero-knowledge password auth using J-PAKE protocol
20	* as described in:
21	*
22	* F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
23	* 16th Workshop on Security Protocols, Cambridge, April 2008
24	*
25	* http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
26	*/
27
28	#include "includes.h"
29
30	#include <sys/types.h>
31
32	#include <stdio.h>
33	#include <string.h>
34	#include <stdarg.h>
35
36	#include <openssl/bn.h>
37	#include <openssl/evp.h>
38
39	#include "xmalloc.h"
40	#include "ssh2.h"
41	#include "key.h"
42	#include "hostfile.h"
43	#include "auth.h"
44	#include "buffer.h"
45	#include "packet.h"
46	#include "dispatch.h"
47	#include "log.h"
48	#include "misc.h"
49
50	#include "jpake.h"
51	#include "schnorr.h"
52
53	#ifdef JPAKE
54
55	/* RFC3526 group 5, 1536 bits */
56	#define JPAKE_GROUP_G "2"
57	#define JPAKE_GROUP_P \
58	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74" \
59	"020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437" \
60	"4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
61	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05" \
62	"98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \
63	"9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
64
65	struct modp_group *
66	jpake_default_group(void)
67	{
68	return modp_group_from_g_and_safe_p(JPAKE_GROUP_G, JPAKE_GROUP_P);
69	}
70
71	struct jpake_ctx *
72	jpake_new(void)
73	{
74	struct jpake_ctx *ret;
75
76	ret = xcalloc(1, sizeof(*ret));
77
78	ret->grp = jpake_default_group();
79
80	ret->s = ret->k = NULL;
81	ret->x1 = ret->x2 = ret->x3 = ret->x4 = NULL;
82	ret->g_x1 = ret->g_x2 = ret->g_x3 = ret->g_x4 = NULL;
83	ret->a = ret->b = NULL;
84
85	ret->client_id = ret->server_id = NULL;
86	ret->h_k_cid_sessid = ret->h_k_sid_sessid = NULL;
87
88	debug3("%s: alloc %p", __func__, ret);
89
90	return ret;
91	}
92
93	void
94	jpake_free(struct jpake_ctx *pctx)
95	{
96	debug3("%s: free %p", __func__, pctx);
97
98	#define JPAKE_BN_CLEAR_FREE(v) \
99	do { \
100	if ((v) != NULL) { \
101	BN_clear_free(v); \
102	(v) = NULL; \
103	} \
104	} while (0)
105	#define JPAKE_BUF_CLEAR_FREE(v, l) \
106	do { \
107	if ((v) != NULL) { \
108	bzero((v), (l)); \
109	free(v); \
110	(v) = NULL; \
111	(l) = 0; \
112	} \
113	} while (0)
114
115	JPAKE_BN_CLEAR_FREE(pctx->s);
116	JPAKE_BN_CLEAR_FREE(pctx->k);
117	JPAKE_BN_CLEAR_FREE(pctx->x1);
118	JPAKE_BN_CLEAR_FREE(pctx->x2);
119	JPAKE_BN_CLEAR_FREE(pctx->x3);
120	JPAKE_BN_CLEAR_FREE(pctx->x4);
121	JPAKE_BN_CLEAR_FREE(pctx->g_x1);
122	JPAKE_BN_CLEAR_FREE(pctx->g_x2);
123	JPAKE_BN_CLEAR_FREE(pctx->g_x3);
124	JPAKE_BN_CLEAR_FREE(pctx->g_x4);
125	JPAKE_BN_CLEAR_FREE(pctx->a);
126	JPAKE_BN_CLEAR_FREE(pctx->b);
127
128	JPAKE_BUF_CLEAR_FREE(pctx->client_id, pctx->client_id_len);
129	JPAKE_BUF_CLEAR_FREE(pctx->server_id, pctx->server_id_len);
130	JPAKE_BUF_CLEAR_FREE(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
131	JPAKE_BUF_CLEAR_FREE(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
132
133	#undef JPAKE_BN_CLEAR_FREE
134	#undef JPAKE_BUF_CLEAR_FREE
135
136	bzero(pctx, sizeof(*pctx));
137	free(pctx);
138	}
139
140	/* dump entire jpake_ctx. NB. includes private values! */
141	void
142	jpake_dump(struct jpake_ctx pctx, const char fmt, ...)
143	{
144	char *out;
145	va_list args;
146
147	out = NULL;
148	va_start(args, fmt);
149	vasprintf(&out, fmt, args);
150	va_end(args);
151	if (out == NULL)
152	fatal("%s: vasprintf failed", __func__);
153
154	debug3("%s: %s (ctx at %p)", __func__, out, pctx);
155	if (pctx == NULL) {
156	free(out);
157	return;
158	}
159
160	#define JPAKE_DUMP_BN(a) do { \
161	if ((a) != NULL) \
162	JPAKE_DEBUG_BN(((a), "%s = ", #a)); \
163	} while (0)
164	#define JPAKE_DUMP_BUF(a, b) do { \
165	if ((a) != NULL) \
166	JPAKE_DEBUG_BUF((a, b, "%s", #a)); \
167	} while (0)
168
169	JPAKE_DUMP_BN(pctx->s);
170	JPAKE_DUMP_BN(pctx->k);
171	JPAKE_DUMP_BN(pctx->x1);
172	JPAKE_DUMP_BN(pctx->x2);
173	JPAKE_DUMP_BN(pctx->x3);
174	JPAKE_DUMP_BN(pctx->x4);
175	JPAKE_DUMP_BN(pctx->g_x1);
176	JPAKE_DUMP_BN(pctx->g_x2);
177	JPAKE_DUMP_BN(pctx->g_x3);
178	JPAKE_DUMP_BN(pctx->g_x4);
179	JPAKE_DUMP_BN(pctx->a);
180	JPAKE_DUMP_BN(pctx->b);
181
182	JPAKE_DUMP_BUF(pctx->client_id, pctx->client_id_len);
183	JPAKE_DUMP_BUF(pctx->server_id, pctx->server_id_len);
184	JPAKE_DUMP_BUF(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
185	JPAKE_DUMP_BUF(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
186
187	debug3("%s: %s done", __func__, out);
188	free(out);
189	}
190
191	/* Shared parts of step 1 exchange calculation */
192	void
193	jpake_step1(struct modp_group *grp,
194	u_char *id, u_int id_len,
195	BIGNUM priv1, BIGNUM priv2, BIGNUM g_priv1, BIGNUM g_priv2,
196	u_char *priv1_proof, u_int priv1_proof_len,
197	u_char *priv2_proof, u_int priv2_proof_len)
198	{
199	BN_CTX *bn_ctx;
200
201	if ((bn_ctx = BN_CTX_new()) == NULL)
202	fatal("%s: BN_CTX_new", __func__);
203
204	/* Random nonce to prevent replay */
205	*id = xmalloc(KZP_ID_LEN);
206	*id_len = KZP_ID_LEN;
207	arc4random_buf(id, id_len);
208
209	/*
210	* x1/x3 is a random element of Zq
211	* x2/x4 is a random element of Z*q
212	* We also exclude [1] from x1/x3 candidates and [0, 1] from
213	* x2/x4 candiates to avoid possible degeneracy (i.e. g^0, g^1).
214	*/
215	if ((*priv1 = bn_rand_range_gt_one(grp->q)) == NULL \|\|
216	(*priv2 = bn_rand_range_gt_one(grp->q)) == NULL)
217	fatal("%s: bn_rand_range_gt_one", __func__);
218
219	/*
220	* client: g_x1 = g^x1 mod p / server: g_x3 = g^x3 mod p
221	* client: g_x2 = g^x2 mod p / server: g_x4 = g^x4 mod p
222	*/
223	if ((*g_priv1 = BN_new()) == NULL \|\|
224	(*g_priv2 = BN_new()) == NULL)
225	fatal("%s: BN_new", __func__);
226	if (BN_mod_exp(g_priv1, grp->g, priv1, grp->p, bn_ctx) == -1)
227	fatal("%s: BN_mod_exp", __func__);
228	if (BN_mod_exp(g_priv2, grp->g, priv2, grp->p, bn_ctx) == -1)
229	fatal("%s: BN_mod_exp", __func__);
230
231	/* Generate proofs for holding x1/x3 and x2/x4 */
232	if (schnorr_sign_buf(grp->p, grp->q, grp->g,
233	priv1, g_priv1, id, id_len,
234	priv1_proof, priv1_proof_len) != 0)
235	fatal("%s: schnorr_sign", __func__);
236	if (schnorr_sign_buf(grp->p, grp->q, grp->g,
237	priv2, g_priv2, id, id_len,
238	priv2_proof, priv2_proof_len) != 0)
239	fatal("%s: schnorr_sign", __func__);
240
241	BN_CTX_free(bn_ctx);
242	}
243
244	/* Shared parts of step 2 exchange calculation */
245	void
246	jpake_step2(struct modp_group grp, BIGNUM s,
247	BIGNUM mypub1, BIGNUM theirpub1, BIGNUM theirpub2, BIGNUM mypriv2,
248	const u_char *theirid, u_int theirid_len,
249	const u_char *myid, u_int myid_len,
250	const u_char *theirpub1_proof, u_int theirpub1_proof_len,
251	const u_char *theirpub2_proof, u_int theirpub2_proof_len,
252	BIGNUM **newpub,
253	u_char *newpub_exponent_proof, u_int newpub_exponent_proof_len)
254	{
255	BN_CTX *bn_ctx;
256	BIGNUM tmp, exponent;
257
258	/* Validate peer's step 1 values */
259	if (BN_cmp(theirpub1, BN_value_one()) <= 0)
260	fatal("%s: theirpub1 <= 1", __func__);
261	if (BN_cmp(theirpub1, grp->p) >= 0)
262	fatal("%s: theirpub1 >= p", __func__);
263	if (BN_cmp(theirpub2, BN_value_one()) <= 0)
264	fatal("%s: theirpub2 <= 1", __func__);
265	if (BN_cmp(theirpub2, grp->p) >= 0)
266	fatal("%s: theirpub2 >= p", __func__);
267
268	if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1,
269	theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1)
270	fatal("%s: schnorr_verify theirpub1 failed", __func__);
271	if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub2,
272	theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1)
273	fatal("%s: schnorr_verify theirpub2 failed", __func__);
274
275	if ((bn_ctx = BN_CTX_new()) == NULL)
276	fatal("%s: BN_CTX_new", __func__);
277
278	if ((*newpub = BN_new()) == NULL \|\|
279	(tmp = BN_new()) == NULL \|\|
280	(exponent = BN_new()) == NULL)
281	fatal("%s: BN_new", __func__);
282
283	/*
284	* client: exponent = x2 * s mod p
285	* server: exponent = x4 * s mod p
286	*/
287	if (BN_mod_mul(exponent, mypriv2, s, grp->q, bn_ctx) != 1)
288	fatal("%s: BN_mod_mul (exponent = mypriv2 * s mod p)",
289	__func__);
290
291	/*
292	* client: tmp = g^(x1 + x3 + x4) mod p
293	* server: tmp = g^(x1 + x2 + x3) mod p
294	*/
295	if (BN_mod_mul(tmp, mypub1, theirpub1, grp->p, bn_ctx) != 1)
296	fatal("%s: BN_mod_mul (tmp = mypub1 * theirpub1 mod p)",
297	__func__);
298	if (BN_mod_mul(tmp, tmp, theirpub2, grp->p, bn_ctx) != 1)
299	fatal("%s: BN_mod_mul (tmp = tmp * theirpub2 mod p)", __func__);
300
301	/*
302	* client: a = tmp^exponent = g^((x1+x3+x4) * x2 * s) mod p
303	* server: b = tmp^exponent = g^((x1+x2+x3) * x4 * s) mod p
304	*/
305	if (BN_mod_exp(*newpub, tmp, exponent, grp->p, bn_ctx) != 1)
306	fatal("%s: BN_mod_mul (newpub = tmp^exponent mod p)", __func__);
307
308	JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
309	JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__));
310
311	/* Note the generator here is 'tmp', not g */
312	if (schnorr_sign_buf(grp->p, grp->q, tmp, exponent, *newpub,
313	myid, myid_len,
314	newpub_exponent_proof, newpub_exponent_proof_len) != 0)
315	fatal("%s: schnorr_sign newpub", __func__);
316
317	BN_clear_free(tmp); /* XXX stash for later use? */
318	BN_clear_free(exponent); /* XXX stash for later use? (yes, in conf) */
319
320	BN_CTX_free(bn_ctx);
321	}
322
323	/* Confirmation hash calculation */
324	void
325	jpake_confirm_hash(const BIGNUM *k,
326	const u_char *endpoint_id, u_int endpoint_id_len,
327	const u_char *sess_id, u_int sess_id_len,
328	u_char *confirm_hash, u_int confirm_hash_len)
329	{
330	Buffer b;
331
332	/*
333	* Calculate confirmation proof:
334	* client: H(k \|\| client_id \|\| session_id)
335	* server: H(k \|\| server_id \|\| session_id)
336	*/
337	buffer_init(&b);
338	buffer_put_bignum2(&b, k);
339	buffer_put_string(&b, endpoint_id, endpoint_id_len);
340	buffer_put_string(&b, sess_id, sess_id_len);
341	if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
342	confirm_hash, confirm_hash_len) != 0)
343	fatal("%s: hash_buffer", __func__);
344	buffer_free(&b);
345	}
346
347	/* Shared parts of key derivation and confirmation calculation */
348	void
349	jpake_key_confirm(struct modp_group grp, BIGNUM s, BIGNUM *step2_val,
350	BIGNUM mypriv2, BIGNUM mypub1, BIGNUM *mypub2,
351	BIGNUM theirpub1, BIGNUM theirpub2,
352	const u_char *my_id, u_int my_id_len,
353	const u_char *their_id, u_int their_id_len,
354	const u_char *sess_id, u_int sess_id_len,
355	const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len,
356	BIGNUM **k,
357	u_char *confirm_hash, u_int confirm_hash_len)
358	{
359	BN_CTX *bn_ctx;
360	BIGNUM *tmp;
361
362	if ((bn_ctx = BN_CTX_new()) == NULL)
363	fatal("%s: BN_CTX_new", __func__);
364	if ((tmp = BN_new()) == NULL \|\|
365	(*k = BN_new()) == NULL)
366	fatal("%s: BN_new", __func__);
367
368	/* Validate step 2 values */
369	if (BN_cmp(step2_val, BN_value_one()) <= 0)
370	fatal("%s: step2_val <= 1", __func__);
371	if (BN_cmp(step2_val, grp->p) >= 0)
372	fatal("%s: step2_val >= p", __func__);
373
374	/*
375	* theirpriv2_s_proof is calculated with a different generator:
376	* tmp = g^(mypriv1+mypriv2+theirpub1) = g^mypub1g^mypub2g^theirpub1
377	* Calculate it here so we can check the signature.
378	*/
379	if (BN_mod_mul(tmp, mypub1, mypub2, grp->p, bn_ctx) != 1)
380	fatal("%s: BN_mod_mul (tmp = mypub1 * mypub2 mod p)", __func__);
381	if (BN_mod_mul(tmp, tmp, theirpub1, grp->p, bn_ctx) != 1)
382	fatal("%s: BN_mod_mul (tmp = tmp * theirpub1 mod p)", __func__);
383
384	JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
385
386	if (schnorr_verify_buf(grp->p, grp->q, tmp, step2_val,
387	their_id, their_id_len,
388	theirpriv2_s_proof, theirpriv2_s_proof_len) != 1)
389	fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__);
390
391	/*
392	* Derive shared key:
393	* client: k = (b / g^(x2x4s))^x2 = g^((x1+x3)x2x4*s)
394	* server: k = (a / g^(x2x4s))^x4 = g^((x1+x3)x2x4*s)
395	*
396	* Computed as:
397	* client: k = (g_x4^(q - (x2 * s)) * b)^x2 mod p
398	* server: k = (g_x2^(q - (x4 * s)) * b)^x4 mod p
399	*/
400	if (BN_mul(tmp, mypriv2, s, bn_ctx) != 1)
401	fatal("%s: BN_mul (tmp = mypriv2 * s)", __func__);
402	if (BN_mod_sub(tmp, grp->q, tmp, grp->q, bn_ctx) != 1)
403	fatal("%s: BN_mod_sub (tmp = q - tmp mod q)", __func__);
404	if (BN_mod_exp(tmp, theirpub2, tmp, grp->p, bn_ctx) != 1)
405	fatal("%s: BN_mod_exp (tmp = theirpub2^tmp) mod p", __func__);
406	if (BN_mod_mul(tmp, tmp, step2_val, grp->p, bn_ctx) != 1)
407	fatal("%s: BN_mod_mul (tmp = tmp * step2_val) mod p", __func__);
408	if (BN_mod_exp(*k, tmp, mypriv2, grp->p, bn_ctx) != 1)
409	fatal("%s: BN_mod_exp (k = tmp^mypriv2) mod p", __func__);
410
411	BN_CTX_free(bn_ctx);
412	BN_clear_free(tmp);
413
414	jpake_confirm_hash(*k, my_id, my_id_len, sess_id, sess_id_len,
415	confirm_hash, confirm_hash_len);
416	}
417
418	/*
419	* Calculate and check confirmation hash from peer. Returns 1 on success
420	* 0 on failure/mismatch.
421	*/
422	int
423	jpake_check_confirm(const BIGNUM *k,
424	const u_char *peer_id, u_int peer_id_len,
425	const u_char *sess_id, u_int sess_id_len,
426	const u_char *peer_confirm_hash, u_int peer_confirm_hash_len)
427	{
428	u_char *expected_confirm_hash;
429	u_int expected_confirm_hash_len;
430	int success = 0;
431
432	/* Calculate and verify expected confirmation hash */
433	jpake_confirm_hash(k, peer_id, peer_id_len, sess_id, sess_id_len,
434	&expected_confirm_hash, &expected_confirm_hash_len);
435
436	JPAKE_DEBUG_BUF((expected_confirm_hash, expected_confirm_hash_len,
437	"%s: expected confirm hash", __func__));
438	JPAKE_DEBUG_BUF((peer_confirm_hash, peer_confirm_hash_len,
439	"%s: received confirm hash", __func__));
440
441	if (peer_confirm_hash_len != expected_confirm_hash_len)
442	error("%s: confirmation length mismatch (my %u them %u)",
443	__func__, expected_confirm_hash_len, peer_confirm_hash_len);
444	else if (timingsafe_bcmp(peer_confirm_hash, expected_confirm_hash,
445	expected_confirm_hash_len) == 0)
446	success = 1;
447	bzero(expected_confirm_hash, expected_confirm_hash_len);
448	free(expected_confirm_hash);
449	debug3("%s: success = %d", __func__, success);
450	return success;
451	}
452
453	/* XXX main() function with tests */
454
455	#endif /* JPAKE */
456