2 6e527fbc 2005-02-13 devnull * Various files from /sys/src/cmd/auth/secstore, just enough
3 6e527fbc 2005-02-13 devnull * to download a file at boot time.
6 6e527fbc 2005-02-13 devnull #include "std.h"
7 6e527fbc 2005-02-13 devnull #include "dat.h"
8 6e527fbc 2005-02-13 devnull #include <ip.h>
10 6e527fbc 2005-02-13 devnull enum{ CHK = 16};
11 6e527fbc 2005-02-13 devnull enum{ MAXFILESIZE = 10*1024*1024 };
13 cbeb0b26 2006-04-01 devnull enum{/* PW status bits */
14 6e527fbc 2005-02-13 devnull Enabled = (1<<0),
15 cbeb0b26 2006-04-01 devnull STA = (1<<1) /* extra SecurID step */
18 6e527fbc 2005-02-13 devnull static char testmess[] = "__secstore\tPAK\nC=%s\nm=0\n";
19 6e527fbc 2005-02-13 devnull char *secstore;
22 6e527fbc 2005-02-13 devnull secdial(void)
26 6e527fbc 2005-02-13 devnull p = secstore;
27 6e527fbc 2005-02-13 devnull if(p == nil) /* else use the authserver */
28 6e527fbc 2005-02-13 devnull p = getenv("secstore");
29 6e527fbc 2005-02-13 devnull if(p == nil)
30 6e527fbc 2005-02-13 devnull p = getenv("auth");
31 6e527fbc 2005-02-13 devnull if(p == nil)
32 6e527fbc 2005-02-13 devnull p = "secstore";
34 6e527fbc 2005-02-13 devnull return dial(netmkaddr(p, "net", "secstore"), 0, 0, 0);
39 6e527fbc 2005-02-13 devnull havesecstore(void)
41 6e527fbc 2005-02-13 devnull int m, n, fd;
42 6e527fbc 2005-02-13 devnull uchar buf[500];
44 6e527fbc 2005-02-13 devnull n = snprint((char*)buf, sizeof buf, testmess, owner);
45 6e527fbc 2005-02-13 devnull hnputs(buf, 0x8000+n-2);
47 6e527fbc 2005-02-13 devnull fd = secdial();
48 1757e76a 2005-02-13 devnull if(fd < 0){
49 1757e76a 2005-02-13 devnull if(debug)
50 1757e76a 2005-02-13 devnull fprint(2, "secdial: %r\n");
51 5f6612ba 2008-05-31 rsc flog("secdial: %r");
52 6e527fbc 2005-02-13 devnull return 0;
54 6e527fbc 2005-02-13 devnull if(write(fd, buf, n) != n || readn(fd, buf, 2) != 2){
55 5f6612ba 2008-05-31 rsc flog("secstore: no count");
56 6e527fbc 2005-02-13 devnull close(fd);
57 6e527fbc 2005-02-13 devnull return 0;
59 6e527fbc 2005-02-13 devnull n = ((buf[0]&0x7f)<<8) + buf[1];
60 6e527fbc 2005-02-13 devnull if(n+1 > sizeof buf){
61 5f6612ba 2008-05-31 rsc flog("secstore: bad count");
62 6e527fbc 2005-02-13 devnull werrstr("implausibly large count %d", n);
63 6e527fbc 2005-02-13 devnull close(fd);
64 6e527fbc 2005-02-13 devnull return 0;
66 6e527fbc 2005-02-13 devnull m = readn(fd, buf, n);
67 6e527fbc 2005-02-13 devnull close(fd);
68 6e527fbc 2005-02-13 devnull if(m != n){
69 5f6612ba 2008-05-31 rsc flog("secstore: unexpected eof");
70 6e527fbc 2005-02-13 devnull if(m >= 0)
71 6e527fbc 2005-02-13 devnull werrstr("short read from secstore");
72 6e527fbc 2005-02-13 devnull return 0;
74 6e527fbc 2005-02-13 devnull buf[n] = 0;
75 6e527fbc 2005-02-13 devnull if(strcmp((char*)buf, "!account expired") == 0){
76 5f6612ba 2008-05-31 rsc flog("secstore: account expired");
77 6e527fbc 2005-02-13 devnull werrstr("account expired");
78 6e527fbc 2005-02-13 devnull return 0;
80 5f6612ba 2008-05-31 rsc if(strcmp((char*)buf, "!account exists") == 0){
81 5f6612ba 2008-05-31 rsc flog("secstore: account exists");
84 5f6612ba 2008-05-31 rsc flog("secstore: %s", buf);
88 cbeb0b26 2006-04-01 devnull /* delimited, authenticated, encrypted connection */
89 cbeb0b26 2006-04-01 devnull enum{ Maxmsg=4096 }; /* messages > Maxmsg bytes are truncated */
90 6e527fbc 2005-02-13 devnull typedef struct SConn SConn;
92 cbeb0b26 2006-04-01 devnull extern SConn* newSConn(int); /* arg is open file descriptor */
93 6e527fbc 2005-02-13 devnull struct SConn{
94 6e527fbc 2005-02-13 devnull void *chan;
95 6e527fbc 2005-02-13 devnull int secretlen;
96 cbeb0b26 2006-04-01 devnull int (*secret)(SConn*, uchar*, int);/* */
97 cbeb0b26 2006-04-01 devnull int (*read)(SConn*, uchar*, int); /* <0 if error; errmess in buffer */
98 6e527fbc 2005-02-13 devnull int (*write)(SConn*, uchar*, int);
99 cbeb0b26 2006-04-01 devnull void (*free)(SConn*); /* also closes file descriptor */
101 cbeb0b26 2006-04-01 devnull /* secret(s,b,dir) sets secret for digest, encrypt, using the secretlen */
102 cbeb0b26 2006-04-01 devnull /* bytes in b to form keys for the two directions; */
103 cbeb0b26 2006-04-01 devnull /* set dir=0 in client, dir=1 in server */
105 cbeb0b26 2006-04-01 devnull /* error convention: write !message in-band */
106 6e527fbc 2005-02-13 devnull #define readstr secstore_readstr
107 6e527fbc 2005-02-13 devnull static void writerr(SConn*, char*);
108 cbeb0b26 2006-04-01 devnull static int readstr(SConn*, char*); /* call with buf of size Maxmsg+1 */
109 cbeb0b26 2006-04-01 devnull /* returns -1 upon error, with error message in buf */
111 6e527fbc 2005-02-13 devnull typedef struct ConnState {
112 6e527fbc 2005-02-13 devnull uchar secret[SHA1dlen];
113 6e527fbc 2005-02-13 devnull ulong seqno;
114 6e527fbc 2005-02-13 devnull RC4state rc4;
115 6e527fbc 2005-02-13 devnull } ConnState;
118 3aef37ba 2008-12-02 trisk typedef struct SS {
119 cbeb0b26 2006-04-01 devnull int fd; /* file descriptor for read/write of encrypted data */
120 cbeb0b26 2006-04-01 devnull int alg; /* if nonzero, "alg sha rc4_128" */
121 6e527fbc 2005-02-13 devnull ConnState in, out;
124 6e527fbc 2005-02-13 devnull static int
125 6e527fbc 2005-02-13 devnull SC_secret(SConn *conn, uchar *sigma, int direction)
127 6e527fbc 2005-02-13 devnull SS *ss = (SS*)(conn->chan);
128 6e527fbc 2005-02-13 devnull int nsigma = conn->secretlen;
130 6e527fbc 2005-02-13 devnull if(direction != 0){
131 6e527fbc 2005-02-13 devnull hmac_sha1(sigma, nsigma, (uchar*)"one", 3, ss->out.secret, nil);
132 6e527fbc 2005-02-13 devnull hmac_sha1(sigma, nsigma, (uchar*)"two", 3, ss->in.secret, nil);
134 6e527fbc 2005-02-13 devnull hmac_sha1(sigma, nsigma, (uchar*)"two", 3, ss->out.secret, nil);
135 6e527fbc 2005-02-13 devnull hmac_sha1(sigma, nsigma, (uchar*)"one", 3, ss->in.secret, nil);
137 cbeb0b26 2006-04-01 devnull setupRC4state(&ss->in.rc4, ss->in.secret, 16); /* restrict to 128 bits */
138 6e527fbc 2005-02-13 devnull setupRC4state(&ss->out.rc4, ss->out.secret, 16);
139 6e527fbc 2005-02-13 devnull ss->alg = 1;
140 6e527fbc 2005-02-13 devnull return 0;
143 6e527fbc 2005-02-13 devnull static void
144 6e527fbc 2005-02-13 devnull hash(uchar secret[SHA1dlen], uchar *data, int len, int seqno, uchar d[SHA1dlen])
146 6e527fbc 2005-02-13 devnull DigestState sha;
147 6e527fbc 2005-02-13 devnull uchar seq[4];
149 6e527fbc 2005-02-13 devnull seq[0] = seqno>>24;
150 6e527fbc 2005-02-13 devnull seq[1] = seqno>>16;
151 6e527fbc 2005-02-13 devnull seq[2] = seqno>>8;
152 6e527fbc 2005-02-13 devnull seq[3] = seqno;
153 6e527fbc 2005-02-13 devnull memset(&sha, 0, sizeof sha);
154 6e527fbc 2005-02-13 devnull sha1(secret, SHA1dlen, nil, &sha);
155 6e527fbc 2005-02-13 devnull sha1(data, len, nil, &sha);
156 6e527fbc 2005-02-13 devnull sha1(seq, 4, d, &sha);
159 6e527fbc 2005-02-13 devnull static int
160 6e527fbc 2005-02-13 devnull verify(uchar secret[SHA1dlen], uchar *data, int len, int seqno, uchar d[SHA1dlen])
162 6e527fbc 2005-02-13 devnull DigestState sha;
163 6e527fbc 2005-02-13 devnull uchar seq[4];
164 6e527fbc 2005-02-13 devnull uchar digest[SHA1dlen];
166 6e527fbc 2005-02-13 devnull seq[0] = seqno>>24;
167 6e527fbc 2005-02-13 devnull seq[1] = seqno>>16;
168 6e527fbc 2005-02-13 devnull seq[2] = seqno>>8;
169 6e527fbc 2005-02-13 devnull seq[3] = seqno;
170 6e527fbc 2005-02-13 devnull memset(&sha, 0, sizeof sha);
171 6e527fbc 2005-02-13 devnull sha1(secret, SHA1dlen, nil, &sha);
172 6e527fbc 2005-02-13 devnull sha1(data, len, nil, &sha);
173 6e527fbc 2005-02-13 devnull sha1(seq, 4, digest, &sha);
174 6e527fbc 2005-02-13 devnull return memcmp(d, digest, SHA1dlen);
177 6e527fbc 2005-02-13 devnull static int
178 6e527fbc 2005-02-13 devnull SC_read(SConn *conn, uchar *buf, int n)
180 6e527fbc 2005-02-13 devnull SS *ss = (SS*)(conn->chan);
181 6e527fbc 2005-02-13 devnull uchar count[2], digest[SHA1dlen];
182 6e527fbc 2005-02-13 devnull int len, nr;
184 c976381d 2017-05-05 gsoares if(read(ss->fd, count, 2) != 2 || (count[0]&0x80) == 0){
185 6e527fbc 2005-02-13 devnull werrstr("!SC_read invalid count");
186 6e527fbc 2005-02-13 devnull return -1;
188 cbeb0b26 2006-04-01 devnull len = (count[0]&0x7f)<<8 | count[1]; /* SSL-style count; no pad */
189 6e527fbc 2005-02-13 devnull if(ss->alg){
190 6e527fbc 2005-02-13 devnull len -= SHA1dlen;
191 6e527fbc 2005-02-13 devnull if(len <= 0 || readn(ss->fd, digest, SHA1dlen) != SHA1dlen){
192 6e527fbc 2005-02-13 devnull werrstr("!SC_read missing sha1");
193 6e527fbc 2005-02-13 devnull return -1;
195 6e527fbc 2005-02-13 devnull if(len > n || readn(ss->fd, buf, len) != len){
196 6e527fbc 2005-02-13 devnull werrstr("!SC_read missing data");
197 6e527fbc 2005-02-13 devnull return -1;
199 6e527fbc 2005-02-13 devnull rc4(&ss->in.rc4, digest, SHA1dlen);
200 6e527fbc 2005-02-13 devnull rc4(&ss->in.rc4, buf, len);
201 6e527fbc 2005-02-13 devnull if(verify(ss->in.secret, buf, len, ss->in.seqno, digest) != 0){
202 6e527fbc 2005-02-13 devnull werrstr("!SC_read integrity check failed");
203 6e527fbc 2005-02-13 devnull return -1;
206 6e527fbc 2005-02-13 devnull if(len <= 0 || len > n){
207 6e527fbc 2005-02-13 devnull werrstr("!SC_read implausible record length");
208 6e527fbc 2005-02-13 devnull return -1;
210 6e527fbc 2005-02-13 devnull if( (nr = readn(ss->fd, buf, len)) != len){
211 6e527fbc 2005-02-13 devnull werrstr("!SC_read expected %d bytes, but got %d", len, nr);
212 6e527fbc 2005-02-13 devnull return -1;
215 6e527fbc 2005-02-13 devnull ss->in.seqno++;
216 6e527fbc 2005-02-13 devnull return len;
219 6e527fbc 2005-02-13 devnull static int
220 6e527fbc 2005-02-13 devnull SC_write(SConn *conn, uchar *buf, int n)
222 6e527fbc 2005-02-13 devnull SS *ss = (SS*)(conn->chan);
223 6e527fbc 2005-02-13 devnull uchar count[2], digest[SHA1dlen], enc[Maxmsg+1];
224 6e527fbc 2005-02-13 devnull int len;
226 6e527fbc 2005-02-13 devnull if(n <= 0 || n > Maxmsg+1){
227 6e527fbc 2005-02-13 devnull werrstr("!SC_write invalid n %d", n);
228 6e527fbc 2005-02-13 devnull return -1;
230 6e527fbc 2005-02-13 devnull len = n;
231 6e527fbc 2005-02-13 devnull if(ss->alg)
232 6e527fbc 2005-02-13 devnull len += SHA1dlen;
233 6e527fbc 2005-02-13 devnull count[0] = 0x80 | len>>8;
234 6e527fbc 2005-02-13 devnull count[1] = len;
235 6e527fbc 2005-02-13 devnull if(write(ss->fd, count, 2) != 2){
236 6e527fbc 2005-02-13 devnull werrstr("!SC_write invalid count");
237 6e527fbc 2005-02-13 devnull return -1;
239 6e527fbc 2005-02-13 devnull if(ss->alg){
240 6e527fbc 2005-02-13 devnull hash(ss->out.secret, buf, n, ss->out.seqno, digest);
241 6e527fbc 2005-02-13 devnull rc4(&ss->out.rc4, digest, SHA1dlen);
242 6e527fbc 2005-02-13 devnull memcpy(enc, buf, n);
243 6e527fbc 2005-02-13 devnull rc4(&ss->out.rc4, enc, n);
244 6e527fbc 2005-02-13 devnull if(write(ss->fd, digest, SHA1dlen) != SHA1dlen ||
245 6e527fbc 2005-02-13 devnull write(ss->fd, enc, n) != n){
246 6e527fbc 2005-02-13 devnull werrstr("!SC_write error on send");
247 6e527fbc 2005-02-13 devnull return -1;
250 6e527fbc 2005-02-13 devnull if(write(ss->fd, buf, n) != n){
251 6e527fbc 2005-02-13 devnull werrstr("!SC_write error on send");
252 6e527fbc 2005-02-13 devnull return -1;
255 6e527fbc 2005-02-13 devnull ss->out.seqno++;
256 6e527fbc 2005-02-13 devnull return n;
259 6e527fbc 2005-02-13 devnull static void
260 6e527fbc 2005-02-13 devnull SC_free(SConn *conn)
262 6e527fbc 2005-02-13 devnull SS *ss = (SS*)(conn->chan);
264 6e527fbc 2005-02-13 devnull close(ss->fd);
265 6e527fbc 2005-02-13 devnull free(ss);
266 6e527fbc 2005-02-13 devnull free(conn);
270 6e527fbc 2005-02-13 devnull newSConn(int fd)
273 6e527fbc 2005-02-13 devnull SConn *conn;
275 6e527fbc 2005-02-13 devnull if(fd < 0)
276 6e527fbc 2005-02-13 devnull return nil;
277 6e527fbc 2005-02-13 devnull ss = (SS*)emalloc(sizeof(*ss));
278 6e527fbc 2005-02-13 devnull conn = (SConn*)emalloc(sizeof(*conn));
279 6e527fbc 2005-02-13 devnull ss->fd = fd;
280 6e527fbc 2005-02-13 devnull ss->alg = 0;
281 6e527fbc 2005-02-13 devnull conn->chan = (void*)ss;
282 6e527fbc 2005-02-13 devnull conn->secretlen = SHA1dlen;
283 6e527fbc 2005-02-13 devnull conn->free = SC_free;
284 6e527fbc 2005-02-13 devnull conn->secret = SC_secret;
285 6e527fbc 2005-02-13 devnull conn->read = SC_read;
286 6e527fbc 2005-02-13 devnull conn->write = SC_write;
287 6e527fbc 2005-02-13 devnull return conn;
290 6e527fbc 2005-02-13 devnull static void
291 6e527fbc 2005-02-13 devnull writerr(SConn *conn, char *s)
293 6e527fbc 2005-02-13 devnull char buf[Maxmsg];
295 6e527fbc 2005-02-13 devnull snprint(buf, Maxmsg, "!%s", s);
296 6e527fbc 2005-02-13 devnull conn->write(conn, (uchar*)buf, strlen(buf));
299 6e527fbc 2005-02-13 devnull static int
300 6e527fbc 2005-02-13 devnull readstr(SConn *conn, char *s)
304 6e527fbc 2005-02-13 devnull n = conn->read(conn, (uchar*)s, Maxmsg);
305 6e527fbc 2005-02-13 devnull if(n >= 0){
306 6e527fbc 2005-02-13 devnull s[n] = 0;
307 6e527fbc 2005-02-13 devnull if(s[0] == '!'){
308 6e527fbc 2005-02-13 devnull memmove(s, s+1, n);
312 6e527fbc 2005-02-13 devnull strcpy(s, "read error");
314 6e527fbc 2005-02-13 devnull return n;
317 6e527fbc 2005-02-13 devnull static int
318 6e527fbc 2005-02-13 devnull getfile(SConn *conn, uchar *key, int nkey)
320 6e527fbc 2005-02-13 devnull char *buf;
321 6e527fbc 2005-02-13 devnull int nbuf, n, nr, len;
322 6e527fbc 2005-02-13 devnull char s[Maxmsg+1], *gf, *p, *q;
323 6e527fbc 2005-02-13 devnull uchar skey[SHA1dlen], ib[Maxmsg+CHK], *ibr, *ibw;
324 6e527fbc 2005-02-13 devnull AESstate aes;
325 6e527fbc 2005-02-13 devnull DigestState *sha;
327 6e527fbc 2005-02-13 devnull gf = "factotum";
328 6e527fbc 2005-02-13 devnull memset(&aes, 0, sizeof aes);
330 6e527fbc 2005-02-13 devnull snprint(s, Maxmsg, "GET %s\n", gf);
331 6e527fbc 2005-02-13 devnull conn->write(conn, (uchar*)s, strlen(s));
333 6e527fbc 2005-02-13 devnull /* get file size */
334 6e527fbc 2005-02-13 devnull s[0] = '\0';
335 6e527fbc 2005-02-13 devnull if(readstr(conn, s) < 0){
336 6e527fbc 2005-02-13 devnull werrstr("secstore: %r");
337 6e527fbc 2005-02-13 devnull return -1;
339 6e527fbc 2005-02-13 devnull if((len = atoi(s)) < 0){
340 6e527fbc 2005-02-13 devnull werrstr("secstore: remote file %s does not exist", gf);
341 6e527fbc 2005-02-13 devnull return -1;
342 cbeb0b26 2006-04-01 devnull }else if(len > MAXFILESIZE){/*assert */
343 6e527fbc 2005-02-13 devnull werrstr("secstore: implausible file size %d for %s", len, gf);
344 6e527fbc 2005-02-13 devnull return -1;
347 6e527fbc 2005-02-13 devnull ibr = ibw = ib;
348 6e527fbc 2005-02-13 devnull buf = nil;
349 6e527fbc 2005-02-13 devnull nbuf = 0;
350 6e527fbc 2005-02-13 devnull for(nr=0; nr < len;){
351 6e527fbc 2005-02-13 devnull if((n = conn->read(conn, ibw, Maxmsg)) <= 0){
352 6e527fbc 2005-02-13 devnull werrstr("secstore: empty file chunk n=%d nr=%d len=%d: %r", n, nr, len);
353 6e527fbc 2005-02-13 devnull return -1;
355 6e527fbc 2005-02-13 devnull nr += n;
356 6e527fbc 2005-02-13 devnull ibw += n;
357 6e527fbc 2005-02-13 devnull if(!aes.setup){ /* first time, read 16 byte IV */
358 6e527fbc 2005-02-13 devnull if(n < 16){
359 6e527fbc 2005-02-13 devnull werrstr("secstore: no IV in file");
360 6e527fbc 2005-02-13 devnull return -1;
362 6e527fbc 2005-02-13 devnull sha = sha1((uchar*)"aescbc file", 11, nil, nil);
363 6e527fbc 2005-02-13 devnull sha1(key, nkey, skey, sha);
364 6e527fbc 2005-02-13 devnull setupAESstate(&aes, skey, AESbsize, ibr);
365 6e527fbc 2005-02-13 devnull memset(skey, 0, sizeof skey);
366 6e527fbc 2005-02-13 devnull ibr += AESbsize;
367 6e527fbc 2005-02-13 devnull n -= AESbsize;
369 6e527fbc 2005-02-13 devnull aesCBCdecrypt(ibw-n, n, &aes);
370 6e527fbc 2005-02-13 devnull n = ibw-ibr-CHK;
371 6e527fbc 2005-02-13 devnull if(n > 0){
372 6e527fbc 2005-02-13 devnull buf = erealloc(buf, nbuf+n+1);
373 6e527fbc 2005-02-13 devnull memmove(buf+nbuf, ibr, n);
374 6e527fbc 2005-02-13 devnull nbuf += n;
375 6e527fbc 2005-02-13 devnull ibr += n;
377 6e527fbc 2005-02-13 devnull memmove(ib, ibr, ibw-ibr);
378 6e527fbc 2005-02-13 devnull ibw = ib + (ibw-ibr);
379 6e527fbc 2005-02-13 devnull ibr = ib;
381 6e527fbc 2005-02-13 devnull n = ibw-ibr;
382 6e527fbc 2005-02-13 devnull if((n != CHK) || (memcmp(ib, "XXXXXXXXXXXXXXXX", CHK) != 0)){
383 6e527fbc 2005-02-13 devnull werrstr("secstore: decrypted file failed to authenticate!");
384 6e527fbc 2005-02-13 devnull free(buf);
385 6e527fbc 2005-02-13 devnull return -1;
387 6e527fbc 2005-02-13 devnull if(nbuf == 0){
388 6e527fbc 2005-02-13 devnull werrstr("secstore got empty file");
389 6e527fbc 2005-02-13 devnull return -1;
391 6e527fbc 2005-02-13 devnull buf[nbuf] = '\0';
392 6e527fbc 2005-02-13 devnull p = buf;
394 6e527fbc 2005-02-13 devnull while(p){
395 6e527fbc 2005-02-13 devnull if(q = strchr(p, '\n'))
396 6e527fbc 2005-02-13 devnull *q++ = '\0';
398 5f6612ba 2008-05-31 rsc if(ctlwrite(p) < 0){
399 5f6612ba 2008-05-31 rsc flog("secstore %s:%d: %r", gf, n);
400 6e527fbc 2005-02-13 devnull fprint(2, "secstore(%s) line %d: %r\n", gf, n);
404 6e527fbc 2005-02-13 devnull free(buf);
405 6e527fbc 2005-02-13 devnull return 0;
408 6e527fbc 2005-02-13 devnull static char VERSION[] = "secstore";
410 6e527fbc 2005-02-13 devnull typedef struct PAKparams{
411 6e527fbc 2005-02-13 devnull mpint *q, *p, *r, *g;
412 6e527fbc 2005-02-13 devnull } PAKparams;
414 6e527fbc 2005-02-13 devnull static PAKparams *pak;
416 cbeb0b26 2006-04-01 devnull /* This group was generated by the seed EB7B6E35F7CD37B511D96C67D6688CC4DD440E1E. */
417 6e527fbc 2005-02-13 devnull static void
418 6e527fbc 2005-02-13 devnull initPAKparams(void)
422 6e527fbc 2005-02-13 devnull pak = (PAKparams*)emalloc(sizeof(*pak));
423 6e527fbc 2005-02-13 devnull pak->q = strtomp("E0F0EF284E10796C5A2A511E94748BA03C795C13", nil, 16, nil);
424 6e527fbc 2005-02-13 devnull pak->p = strtomp("C41CFBE4D4846F67A3DF7DE9921A49D3B42DC33728427AB159CEC8CBBD"
425 6e527fbc 2005-02-13 devnull "B12B5F0C244F1A734AEB9840804EA3C25036AD1B61AFF3ABBC247CD4B384224567A86"
426 6e527fbc 2005-02-13 devnull "3A6F020E7EE9795554BCD08ABAD7321AF27E1E92E3DB1C6E7E94FAAE590AE9C48F96D9"
427 6e527fbc 2005-02-13 devnull "3D178E809401ABE8A534A1EC44359733475A36A70C7B425125062B1142D", nil, 16, nil);
428 6e527fbc 2005-02-13 devnull pak->r = strtomp("DF310F4E54A5FEC5D86D3E14863921E834113E060F90052AD332B3241CEF"
429 6e527fbc 2005-02-13 devnull "2497EFA0303D6344F7C819691A0F9C4A773815AF8EAECFB7EC1D98F039F17A32A7E887"
430 6e527fbc 2005-02-13 devnull "D97251A927D093F44A55577F4D70444AEBD06B9B45695EC23962B175F266895C67D21"
431 6e527fbc 2005-02-13 devnull "C4656848614D888A4", nil, 16, nil);
432 6e527fbc 2005-02-13 devnull pak->g = strtomp("2F1C308DC46B9A44B52DF7DACCE1208CCEF72F69C743ADD4D2327173444"
433 6e527fbc 2005-02-13 devnull "ED6E65E074694246E07F9FD4AE26E0FDDD9F54F813C40CB9BCD4338EA6F242AB94CD41"
434 6e527fbc 2005-02-13 devnull "0E676C290368A16B1A3594877437E516C53A6EEE5493A038A017E955E218E7819734E3E"
435 6e527fbc 2005-02-13 devnull "2A6E0BAE08B14258F8C03CC1B30E0DDADFCF7CEDF0727684D3D255F1", nil, 16, nil);
438 cbeb0b26 2006-04-01 devnull /* H = (sha(ver,C,sha(passphrase)))^r mod p, */
439 cbeb0b26 2006-04-01 devnull /* a hash function expensive to attack by brute force. */
440 6e527fbc 2005-02-13 devnull static void
441 6e527fbc 2005-02-13 devnull longhash(char *ver, char *C, uchar *passwd, mpint *H)
443 6e527fbc 2005-02-13 devnull uchar *Cp;
444 6e527fbc 2005-02-13 devnull int i, n, nver, nC;
445 6e527fbc 2005-02-13 devnull uchar buf[140], key[1];
447 6e527fbc 2005-02-13 devnull nver = strlen(ver);
448 6e527fbc 2005-02-13 devnull nC = strlen(C);
449 6e527fbc 2005-02-13 devnull n = nver + nC + SHA1dlen;
450 6e527fbc 2005-02-13 devnull Cp = (uchar*)emalloc(n);
451 6e527fbc 2005-02-13 devnull memmove(Cp, ver, nver);
452 6e527fbc 2005-02-13 devnull memmove(Cp+nver, C, nC);
453 6e527fbc 2005-02-13 devnull memmove(Cp+nver+nC, passwd, SHA1dlen);
454 6e527fbc 2005-02-13 devnull for(i = 0; i < 7; i++){
455 6e527fbc 2005-02-13 devnull key[0] = 'A'+i;
456 6e527fbc 2005-02-13 devnull hmac_sha1(Cp, n, key, sizeof key, buf+i*SHA1dlen, nil);
458 6e527fbc 2005-02-13 devnull memset(Cp, 0, n);
459 6e527fbc 2005-02-13 devnull free(Cp);
460 6e527fbc 2005-02-13 devnull betomp(buf, sizeof buf, H);
461 6e527fbc 2005-02-13 devnull mpmod(H, pak->p, H);
462 6e527fbc 2005-02-13 devnull mpexp(H, pak->r, pak->p, H);
465 cbeb0b26 2006-04-01 devnull /* Hi = H^-1 mod p */
466 6e527fbc 2005-02-13 devnull static char *
467 6e527fbc 2005-02-13 devnull PAK_Hi(char *C, char *passphrase, mpint *H, mpint *Hi)
469 6e527fbc 2005-02-13 devnull uchar passhash[SHA1dlen];
471 6e527fbc 2005-02-13 devnull sha1((uchar *)passphrase, strlen(passphrase), passhash, nil);
472 6e527fbc 2005-02-13 devnull initPAKparams();
473 6e527fbc 2005-02-13 devnull longhash(VERSION, C, passhash, H);
474 6e527fbc 2005-02-13 devnull mpinvert(H, pak->p, Hi);
475 6e527fbc 2005-02-13 devnull return mptoa(Hi, 64, nil, 0);
478 cbeb0b26 2006-04-01 devnull /* another, faster, hash function for each party to */
479 cbeb0b26 2006-04-01 devnull /* confirm that the other has the right secrets. */
480 6e527fbc 2005-02-13 devnull static void
481 6e527fbc 2005-02-13 devnull shorthash(char *mess, char *C, char *S, char *m, char *mu, char *sigma, char *Hi, uchar *digest)
483 6e527fbc 2005-02-13 devnull SHA1state *state;
485 6e527fbc 2005-02-13 devnull state = sha1((uchar*)mess, strlen(mess), 0, 0);
486 6e527fbc 2005-02-13 devnull state = sha1((uchar*)C, strlen(C), 0, state);
487 6e527fbc 2005-02-13 devnull state = sha1((uchar*)S, strlen(S), 0, state);
488 6e527fbc 2005-02-13 devnull state = sha1((uchar*)m, strlen(m), 0, state);
489 6e527fbc 2005-02-13 devnull state = sha1((uchar*)mu, strlen(mu), 0, state);
490 6e527fbc 2005-02-13 devnull state = sha1((uchar*)sigma, strlen(sigma), 0, state);
491 6e527fbc 2005-02-13 devnull state = sha1((uchar*)Hi, strlen(Hi), 0, state);
492 6e527fbc 2005-02-13 devnull state = sha1((uchar*)mess, strlen(mess), 0, state);
493 6e527fbc 2005-02-13 devnull state = sha1((uchar*)C, strlen(C), 0, state);
494 6e527fbc 2005-02-13 devnull state = sha1((uchar*)S, strlen(S), 0, state);
495 6e527fbc 2005-02-13 devnull state = sha1((uchar*)m, strlen(m), 0, state);
496 6e527fbc 2005-02-13 devnull state = sha1((uchar*)mu, strlen(mu), 0, state);
497 6e527fbc 2005-02-13 devnull state = sha1((uchar*)sigma, strlen(sigma), 0, state);
498 6e527fbc 2005-02-13 devnull sha1((uchar*)Hi, strlen(Hi), digest, state);
501 cbeb0b26 2006-04-01 devnull /* On input, conn provides an open channel to the server; */
502 cbeb0b26 2006-04-01 devnull /* C is the name this client calls itself; */
503 cbeb0b26 2006-04-01 devnull /* pass is the user's passphrase */
504 cbeb0b26 2006-04-01 devnull /* On output, session secret has been set in conn */
505 cbeb0b26 2006-04-01 devnull /* (unless return code is negative, which means failure). */
506 cbeb0b26 2006-04-01 devnull /* If pS is not nil, it is set to the (alloc'd) name the server calls itself. */
507 6e527fbc 2005-02-13 devnull static int
508 6e527fbc 2005-02-13 devnull PAKclient(SConn *conn, char *C, char *pass, char **pS)
510 6e527fbc 2005-02-13 devnull char *mess, *mess2, *eol, *S, *hexmu, *ks, *hexm, *hexsigma = nil, *hexHi;
511 6e527fbc 2005-02-13 devnull char kc[2*SHA1dlen+1];
512 6e527fbc 2005-02-13 devnull uchar digest[SHA1dlen];
513 6e527fbc 2005-02-13 devnull int rc = -1, n;
514 6e527fbc 2005-02-13 devnull mpint *x, *m = mpnew(0), *mu = mpnew(0), *sigma = mpnew(0);
515 6e527fbc 2005-02-13 devnull mpint *H = mpnew(0), *Hi = mpnew(0);
517 6e527fbc 2005-02-13 devnull hexHi = PAK_Hi(C, pass, H, Hi);
519 cbeb0b26 2006-04-01 devnull /* random 1<=x<=q-1; send C, m=g**x H */
520 6e527fbc 2005-02-13 devnull x = mprand(164, genrandom, nil);
521 6e527fbc 2005-02-13 devnull mpmod(x, pak->q, x);
522 6e527fbc 2005-02-13 devnull if(mpcmp(x, mpzero) == 0)
523 6e527fbc 2005-02-13 devnull mpassign(mpone, x);
524 6e527fbc 2005-02-13 devnull mpexp(pak->g, x, pak->p, m);
525 6e527fbc 2005-02-13 devnull mpmul(m, H, m);
526 6e527fbc 2005-02-13 devnull mpmod(m, pak->p, m);
527 6e527fbc 2005-02-13 devnull hexm = mptoa(m, 64, nil, 0);
528 6e527fbc 2005-02-13 devnull mess = (char*)emalloc(2*Maxmsg+2);
529 6e527fbc 2005-02-13 devnull mess2 = mess+Maxmsg+1;
530 6e527fbc 2005-02-13 devnull snprint(mess, Maxmsg, "%s\tPAK\nC=%s\nm=%s\n", VERSION, C, hexm);
531 6e527fbc 2005-02-13 devnull conn->write(conn, (uchar*)mess, strlen(mess));
533 cbeb0b26 2006-04-01 devnull /* recv g**y, S, check hash1(g**xy) */
534 6e527fbc 2005-02-13 devnull if(readstr(conn, mess) < 0){
535 6e527fbc 2005-02-13 devnull fprint(2, "error: %s\n", mess);
536 6e527fbc 2005-02-13 devnull writerr(conn, "couldn't read g**y");
537 6e527fbc 2005-02-13 devnull goto done;
539 6e527fbc 2005-02-13 devnull eol = strchr(mess, '\n');
540 6e527fbc 2005-02-13 devnull if(strncmp("mu=", mess, 3) != 0 || !eol || strncmp("\nk=", eol, 3) != 0){
541 6e527fbc 2005-02-13 devnull writerr(conn, "verifier syntax error");
542 6e527fbc 2005-02-13 devnull goto done;
544 6e527fbc 2005-02-13 devnull hexmu = mess+3;
545 6e527fbc 2005-02-13 devnull *eol = 0;
546 6e527fbc 2005-02-13 devnull ks = eol+3;
547 6e527fbc 2005-02-13 devnull eol = strchr(ks, '\n');
548 6e527fbc 2005-02-13 devnull if(!eol || strncmp("\nS=", eol, 3) != 0){
549 6e527fbc 2005-02-13 devnull writerr(conn, "verifier syntax error for secstore 1.0");
550 6e527fbc 2005-02-13 devnull goto done;
552 6e527fbc 2005-02-13 devnull *eol = 0;
553 6e527fbc 2005-02-13 devnull S = eol+3;
554 6e527fbc 2005-02-13 devnull eol = strchr(S, '\n');
555 6e527fbc 2005-02-13 devnull if(!eol){
556 6e527fbc 2005-02-13 devnull writerr(conn, "verifier syntax error for secstore 1.0");
557 6e527fbc 2005-02-13 devnull goto done;
559 6e527fbc 2005-02-13 devnull *eol = 0;
561 6e527fbc 2005-02-13 devnull *pS = estrdup(S);
562 6e527fbc 2005-02-13 devnull strtomp(hexmu, nil, 64, mu);
563 6e527fbc 2005-02-13 devnull mpexp(mu, x, pak->p, sigma);
564 6e527fbc 2005-02-13 devnull hexsigma = mptoa(sigma, 64, nil, 0);
565 6e527fbc 2005-02-13 devnull shorthash("server", C, S, hexm, hexmu, hexsigma, hexHi, digest);
566 6e527fbc 2005-02-13 devnull enc64(kc, sizeof kc, digest, SHA1dlen);
567 6e527fbc 2005-02-13 devnull if(strcmp(ks, kc) != 0){
568 6e527fbc 2005-02-13 devnull writerr(conn, "verifier didn't match");
569 6e527fbc 2005-02-13 devnull goto done;
572 cbeb0b26 2006-04-01 devnull /* send hash2(g**xy) */
573 6e527fbc 2005-02-13 devnull shorthash("client", C, S, hexm, hexmu, hexsigma, hexHi, digest);
574 6e527fbc 2005-02-13 devnull enc64(kc, sizeof kc, digest, SHA1dlen);
575 6e527fbc 2005-02-13 devnull snprint(mess2, Maxmsg, "k'=%s\n", kc);
576 6e527fbc 2005-02-13 devnull conn->write(conn, (uchar*)mess2, strlen(mess2));
578 cbeb0b26 2006-04-01 devnull /* set session key */
579 6e527fbc 2005-02-13 devnull shorthash("session", C, S, hexm, hexmu, hexsigma, hexHi, digest);
580 6e527fbc 2005-02-13 devnull memset(hexsigma, 0, strlen(hexsigma));
581 6e527fbc 2005-02-13 devnull n = conn->secret(conn, digest, 0);
582 6e527fbc 2005-02-13 devnull memset(digest, 0, SHA1dlen);
583 cbeb0b26 2006-04-01 devnull if(n < 0){/*assert */
584 6e527fbc 2005-02-13 devnull writerr(conn, "can't set secret");
585 6e527fbc 2005-02-13 devnull goto done;
590 6e527fbc 2005-02-13 devnull mpfree(x);
591 6e527fbc 2005-02-13 devnull mpfree(sigma);
592 6e527fbc 2005-02-13 devnull mpfree(mu);
593 6e527fbc 2005-02-13 devnull mpfree(m);
594 6e527fbc 2005-02-13 devnull mpfree(Hi);
595 6e527fbc 2005-02-13 devnull mpfree(H);
596 6e527fbc 2005-02-13 devnull free(hexsigma);
597 6e527fbc 2005-02-13 devnull free(hexHi);
598 6e527fbc 2005-02-13 devnull free(hexm);
599 6e527fbc 2005-02-13 devnull free(mess);
600 6e527fbc 2005-02-13 devnull return rc;
604 6e527fbc 2005-02-13 devnull secstorefetch(void)
606 6e527fbc 2005-02-13 devnull int rv = -1, fd;
607 6e527fbc 2005-02-13 devnull char s[Maxmsg+1];
608 6e527fbc 2005-02-13 devnull SConn *conn;
609 6e527fbc 2005-02-13 devnull char *pass, *sta;
611 6e527fbc 2005-02-13 devnull sta = nil;
612 6e527fbc 2005-02-13 devnull conn = nil;
613 6e527fbc 2005-02-13 devnull pass = readcons("secstore password", nil, 1);
614 6e527fbc 2005-02-13 devnull if(pass==nil || strlen(pass)==0){
615 6e527fbc 2005-02-13 devnull werrstr("cancel");
616 6e527fbc 2005-02-13 devnull goto Out;
618 6e527fbc 2005-02-13 devnull if((fd = secdial()) < 0)
619 6e527fbc 2005-02-13 devnull goto Out;
620 6e527fbc 2005-02-13 devnull if((conn = newSConn(fd)) == nil)
621 6e527fbc 2005-02-13 devnull goto Out;
622 6e527fbc 2005-02-13 devnull if(PAKclient(conn, owner, pass, nil) < 0){
623 6e527fbc 2005-02-13 devnull werrstr("password mistyped?");
624 6e527fbc 2005-02-13 devnull goto Out;
626 6e527fbc 2005-02-13 devnull if(readstr(conn, s) < 0)
627 6e527fbc 2005-02-13 devnull goto Out;
628 6e527fbc 2005-02-13 devnull if(strcmp(s, "STA") == 0){
629 6e527fbc 2005-02-13 devnull sta = readcons("STA PIN+SecureID", nil, 1);
630 6e527fbc 2005-02-13 devnull if(sta==nil || strlen(sta)==0){
631 6e527fbc 2005-02-13 devnull werrstr("cancel");
632 6e527fbc 2005-02-13 devnull goto Out;
634 6e527fbc 2005-02-13 devnull if(strlen(sta) >= sizeof s - 3){
635 6e527fbc 2005-02-13 devnull werrstr("STA response too long");
636 6e527fbc 2005-02-13 devnull goto Out;
638 6e527fbc 2005-02-13 devnull strcpy(s+3, sta);
639 6e527fbc 2005-02-13 devnull conn->write(conn, (uchar*)s, strlen(s));
640 6e527fbc 2005-02-13 devnull readstr(conn, s);
642 6e527fbc 2005-02-13 devnull if(strcmp(s, "OK") !=0){
643 6e527fbc 2005-02-13 devnull werrstr("%s", s);
644 6e527fbc 2005-02-13 devnull goto Out;
646 6e527fbc 2005-02-13 devnull if(getfile(conn, (uchar*)pass, strlen(pass)) < 0)
647 6e527fbc 2005-02-13 devnull goto Out;
648 6e527fbc 2005-02-13 devnull conn->write(conn, (uchar*)"BYE", 3);
653 5f6612ba 2008-05-31 rsc flog("secstorefetch: %r");
654 6e527fbc 2005-02-13 devnull if(conn)
655 6e527fbc 2005-02-13 devnull conn->free(conn);
656 6e527fbc 2005-02-13 devnull if(pass)
657 6e527fbc 2005-02-13 devnull free(pass);
659 6e527fbc 2005-02-13 devnull free(sta);
660 6e527fbc 2005-02-13 devnull return rv;