/* $CoreSDI: auth_srp.c,v 1.30 2001/12/12 20:35:02 claudio Exp $ */ /* * Copyright (c) 2000, 2001, Core SDI S.A., Argentina * All rights reserved * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither name of the Core SDI S.A. nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* * SRP (Secure Remote Password protocol) authentication module * Author: Claudio Castiglia * * Based on the paper from Thomas Wu * SRP Home Page: http://www-cs-students.stanford.edu/~tjw/srp/ */ #ifndef WIN32 /* Unix */ #include #include #ifdef __linux__ #include /* in_addr_t */ #endif #include #include #include #include #include #include #include #include #include #else /* Win32 */ #include #include #include "exits.h" #include "winsyslog.h" #endif /* WIN32 */ #include #include #include #ifdef __OpenBSD__ #include #else #include #define SHA1_DIGESTSIZE SHA_DIGEST_LENGTH #define SHA1_CTX SHA_CTX #define SHA1Init SHA1_Init #define SHA1Update SHA1_Update #define SHA1Final SHA1_Final #endif /* __OpenBSD__ */ #include "sysdep.h" #include "packet.h" #include "resource.h" #include "modtypes.h" #include "commands.h" #include "authargs.h" #include "log.h" #define AUTH_SRP "auth srp: " #ifndef SRP_PASS_RNAME #define SRP_PASS_RNAME "SRPPass" /* Verifier & salt resource */ #endif #ifndef SRP_CIPHER #define SRP_CIPHER "bf-cbc" #endif #define NBITS 2048 #define NBYTES (NBITS >> 3) #define ERR_STRLEN 121 /* See ERR_error_string(3) */ static const unsigned char prime[] = { 0xED, 0x27, 0x7F, 0x57, 0xA3, 0x1A, 0x3F, 0x7C, 0x63, 0xBC, 0xC6, 0x72, 0xE8, 0xE3, 0xF7, 0xA5, 0xD3, 0x03, 0x2E, 0xC2, 0xA6, 0x9E, 0x00, 0x95, 0xFD, 0xA8, 0xA2, 0x32, 0xCD, 0x4C, 0x93, 0x28, 0xC5, 0x96, 0xAE, 0x23, 0xA9, 0xA2, 0x79, 0x81, 0x75, 0x58, 0x5E, 0x88, 0x84, 0x85, 0xAB, 0x2A, 0x6B, 0x39, 0x8A, 0x06, 0x4A, 0x15, 0x13, 0x5D, 0xE2, 0x14, 0xB7, 0x8B, 0xF1, 0x94, 0xF6, 0xC0, 0x01, 0xB5, 0xDF, 0xFE, 0xC1, 0x5A, 0xB7, 0xA1, 0x21, 0x82, 0x5D, 0xF2, 0xCC, 0x11, 0x5A, 0x65, 0x90, 0xE5, 0x19, 0xBD, 0x96, 0x3B, 0xC7, 0x9B, 0xB0, 0x8C, 0x90, 0x90, 0xE5, 0x21, 0x1F, 0xCE, 0x1B, 0x8B, 0x78, 0xE2, 0xD0, 0x02, 0x8B, 0x18, 0x3B, 0x05, 0x75, 0x9A, 0x46, 0x8F, 0xA3, 0xE0, 0xA6, 0xBE, 0x71, 0x4E, 0xB7, 0x75, 0x0D, 0x5E, 0x5D, 0x4B, 0x39, 0x7B, 0xB9, 0x5D, 0x48, 0xA4, 0x57, 0x45, 0x8B, 0x44, 0x13, 0x35, 0xAC, 0xE5, 0xC8, 0xDD, 0x5B, 0x27, 0x10, 0x5B, 0x82, 0xE6, 0xD9, 0xED, 0xFC, 0x7C, 0x5C, 0x74, 0xBB, 0xDF, 0x78, 0x74, 0xF0, 0x6C, 0xC8, 0x12, 0x89, 0xA8, 0xA9, 0x28, 0xC2, 0x66, 0x8A, 0xB7, 0x84, 0x38, 0xF8, 0xE1, 0x04, 0x07, 0xA1, 0xD6, 0xB0, 0x5D, 0x69, 0x03, 0xF8, 0x27, 0xB1, 0x0F, 0xE8, 0xD9, 0x26, 0x31, 0xE9, 0x66, 0xD0, 0x82, 0xF9, 0x53, 0x4D, 0xEB, 0xB3, 0xC5, 0xCF, 0xDB, 0xEF, 0x66, 0xD3, 0x8D, 0xB4, 0x22, 0xAB, 0x6F, 0xF5, 0x48, 0x2A, 0xE6, 0x78, 0x1E, 0x6A, 0x42, 0x8F, 0xA0, 0x15, 0x71, 0x94, 0xF0, 0xA8, 0x6E, 0x47, 0x0E, 0xD8, 0x80, 0x7D, 0x8F, 0xFF, 0x08, 0xAB, 0x7C, 0xB5, 0xA5, 0x27, 0x3D, 0x33, 0x56, 0x10, 0x81, 0x7C, 0x62, 0xAC, 0x11, 0xD4, 0xE2, 0xF2, 0x70, 0xFE, 0xA9, 0x3D, 0x9E, 0x01, 0xB6, 0x45, 0x93 }; static const unsigned char generator[] = { 0x9E, 0x1A, 0x54, 0xE5, 0x17, 0x66, 0xD4, 0xFD, 0x97, 0xD3, 0x2E, 0xF7, 0x45, 0xED, 0x4F, 0xC3, 0xE2, 0x02, 0x1F, 0x2C, 0x6F, 0x14, 0x00, 0x63, 0xFE, 0x70, 0x6C, 0x21, 0xDE, 0x33, 0x0C, 0xC5, 0xD9, 0x0F, 0x1E, 0xC2, 0x71, 0x16, 0xFB, 0xAB, 0xA3, 0x90, 0x3F, 0x05, 0xAD, 0xAE, 0x72, 0x1C, 0x47, 0x7B, 0xB1, 0x59, 0x86, 0xB8, 0xB7, 0x93, 0xEC, 0x0D, 0xCF, 0xB2, 0xA1, 0x0D, 0xF9, 0xD5, 0x56, 0x79, 0x3F, 0xFF, 0x2B, 0x91, 0xCF, 0xC0, 0xC1, 0x01, 0x93, 0xF7, 0x32, 0xB6, 0x3C, 0x43, 0xB5, 0xEE, 0x11, 0x29, 0x0E, 0xD2, 0x85, 0x12, 0x75, 0xB3, 0x0B, 0x0B, 0x43, 0x6B, 0x6A, 0x89, 0x67, 0xB2, 0x50, 0x97, 0x35, 0x57, 0x07, 0x65, 0x7C, 0xAE, 0x4E, 0x66, 0xD9, 0xB5, 0x17, 0xEB, 0x19, 0xD4, 0x4B, 0x89, 0xCF, 0xA3, 0x5E, 0x3E, 0xE8, 0xDC, 0xD0, 0xFD, 0x26, 0x3E, 0x30, 0x6D, 0x8F, 0x83, 0xB2, 0x2D, 0x62, 0x23, 0xC8, 0x99, 0x30, 0x93, 0x92, 0x1A, 0x0A, 0xE7, 0xAC, 0x99, 0xE6, 0x9E, 0xA8, 0x52, 0xE8, 0x4D, 0xD2, 0x94, 0xFA, 0xF8, 0xA0, 0x48, 0x85, 0x61, 0xB1, 0x1B, 0x1B, 0x70, 0x81, 0x99, 0xB1, 0xCF, 0xAD, 0x7B, 0x50, 0x96, 0x02, 0xAF, 0xC1, 0x39, 0xCA, 0xE8, 0xF0, 0xAD, 0x50, 0x1A, 0x76, 0x0A, 0x9B, 0x3B, 0x6E, 0xCB, 0xF0, 0xEF, 0x35, 0xAC, 0xA6, 0x37, 0x89, 0x47, 0xCD, 0x2E, 0x8A, 0x92, 0x9F, 0x99, 0xE2, 0x5E, 0x78, 0x17, 0x1C, 0xF5, 0x4E, 0x30, 0x1C, 0x99, 0xA5, 0x69, 0x9C, 0x2C, 0x5F, 0xC0, 0x0E, 0x4B, 0xB8, 0xA0, 0x70, 0x49, 0x84, 0xB4, 0x90, 0x55, 0xA9, 0x0A, 0xAA, 0x05, 0xC7, 0xA8, 0x79, 0x18, 0xC4, 0xD3, 0x77, 0x8E, 0xB5, 0xAB, 0xA8, 0x41, 0xC8, 0x0B, 0xE3, 0x41, 0xF6, 0xF5, 0xFF, 0x1B, 0x7E, 0x69, 0x56, 0x79, 0x83, 0xB7 }; static BIGNUM p; /* Prime module */ static BIGNUM pm1; /* p - 1 */ static BIGNUM g; /* Generator */ /* * _get_mem(): * Allocate memory in increments of NBYTES for each call. */ static void _get_mem(void **memp, size_t *size) { *size += NBYTES; *memp = realloc(*memp, *size); if (*memp == NULL) fatal(EX_OSERR, AUTH_SRP "%s.", strerror(errno)); } /* * _safe_mem(): * Check memory size, allocate if needed. */ static void _safe_mem(void **memp, size_t *memsiz, size_t needed_size) { while (needed_size > *memsiz) _get_mem(memp, memsiz); } /* * _fatal_bn(): * Log fatal bn (big number) library error and exit(3). */ static void _fatal_bn(const char *cname) { char errb[ERR_STRLEN]; ERR_error_string_n(ERR_get_error(), errb, sizeof(errb)); fatal(EX_SOFTWARE, AUTH_SRP "%s: %s.", cname, errb); } /* * _rand_bn(): * Generate a random big number greater than 1 and less than n - 1. */ static void _rand_bn(BIGNUM *bn, BIGNUM *tmp, BN_CTX *bnctx) { do { if (!BN_rand(tmp, NBITS, 1, 0) || !BN_mod(bn, tmp, &pm1, bnctx)) _fatal_bn("Can't create random big number."); } while (BN_is_zero(bn) || BN_is_one(bn)); } /* * _send_bn(): * Send a big number to the other side coded as: * */ static void _send_bn(PACKET *packet, const BIGNUM *bn, void **buf, size_t *bufsiz) { size_t bnlen; /* Get appropiate buffer size */ bnlen = BN_num_bytes(bn); _safe_mem(buf, bufsiz, bnlen); if (!BN_bn2bin(bn, *buf)) _fatal_bn("_send_bn()"); packet_put_int32(packet, bnlen); packet_put_raw(packet, *buf, bnlen); } /* * _recv_bn(): * Receive a big number from other side coded as: * */ static void _recv_bn(PACKET *packet, BIGNUM *bn, void **buf, size_t *bufsiz) { int32_t bnlen; /* Get appropiate buffer size */ packet_get_int32(packet, &bnlen); if (bnlen < 1 || bnlen > NBYTES) fatal(EX_PROTOCOL, AUTH_SRP "recv_bn(): Protocol violation."); _safe_mem(buf, bufsiz, bnlen); packet_get_raw(packet, *buf, bnlen); if (BN_bin2bn(*buf, bnlen, bn) == NULL) _fatal_bn("_recv_bn()"); } /* * _get_srppass(): * Get salt and verifier from user resource; * return 0 on success and -1 on error (in this case user * or SRP_PASS_RNAME resource does not exists: fake salt * and verifier are generated). */ static int _get_srppass(AUTHCON *ct, BIGNUM *v, BIGNUM *s, unsigned char *bs) { RESOURCE *r; BN_CTX *bnctx = BN_CTX_new(); BIGNUM tmp; if (ct->rlist != NULL) { if ( (r = res_find(ct->rlist, SRP_PASS_RNAME)) != NULL) { if (r->dsize == 2 * NBYTES) { if (BN_bin2bn(r->data, NBYTES, s) == NULL || BN_bin2bn((char *) r->data + NBYTES, NBYTES, v) == NULL) _fatal_bn("_get_srppass()"); memcpy(bs, r->data, NBYTES); return (0); } log_err(AUTH_SRP "Invalid verifier resource size."); } } /* Generate fake verifier and salt (try to avoid timing attack) */ log_debug(AUTH_SRP "Generating fake verifier and salt."); BN_CTX_init(bnctx); BN_init(&tmp); _rand_bn(v, &tmp, bnctx); _rand_bn(s, &tmp, bnctx); BN_free(&tmp); BN_CTX_free(bnctx); BN_bn2bin(s, bs); return (-1); } /* * _hash_bn(): * Generate a hash digest from a modulo n big number. */ static void _hash_bn(unsigned char *dst, const BIGNUM *bn, void **buf, size_t *bufsiz) { SHA1_CTX ctx; _safe_mem(buf, bufsiz, BN_num_bytes(bn)); SHA1Init(&ctx); SHA1Update(&ctx, *buf, BN_bn2bin(bn, *buf)); SHA1Final(dst, &ctx); } /* * _auth_digest1(): * Calculate the first authentication digest as: * HASH(bignum1, bignum2, digest) */ static void _auth_digest1(unsigned char *dst, BIGNUM *bn1, BIGNUM *bn2, unsigned char *dg, void **buf, size_t *bufsiz) { SHA1_CTX hash_ctx; size_t maxsiz; /* Get appropiate buffer size */ maxsiz = (BN_num_bytes(bn1) < BN_num_bytes(bn2)) ? BN_num_bytes(bn2) : BN_num_bytes(bn1); _safe_mem(buf, bufsiz, maxsiz); /* Calculate digest */ SHA1Init(&hash_ctx); SHA1Update(&hash_ctx, *buf, BN_bn2bin(bn1, *buf)); SHA1Update(&hash_ctx, *buf, BN_bn2bin(bn2, *buf)); SHA1Update(&hash_ctx, dg, SHA1_DIGESTSIZE); SHA1Final(dst, &hash_ctx); } /* * _auth_digest2(): * Calculate the second authenticacion digest as: * HASH(bignum, digest1, digest2). */ static void _auth_digest2(unsigned char *dst, BIGNUM *bn, unsigned char *dg1, unsigned char *dg2, void **buf, size_t *bufsiz) { SHA1_CTX hash_ctx; /* Get appropiate buffer size */ _safe_mem(buf, bufsiz, BN_num_bytes(bn)); /* Calculate digest */ SHA1Init(&hash_ctx); SHA1Update(&hash_ctx, *buf, BN_bn2bin(bn, *buf)); SHA1Update(&hash_ctx, dg1, SHA1_DIGESTSIZE); SHA1Update(&hash_ctx, dg2, SHA1_DIGESTSIZE); SHA1Final(dst, &hash_ctx); } /* * _init_encrypt(): * Initialize packet encryption using a SHA1_DIGESTSIZE bytes key. */ static void _init_encrypt(PACKET *packet, unsigned char *key) { if (packet_init_encrypt(packet, EVP_get_cipherbyname(SRP_CIPHER), key, SHA1_DIGESTSIZE) < 0) fatal(EX_SOFTWARE, AUTH_SRP "_init_encrypt(): %s.", strerror(errno)); } /* * _init() * Initialization function, called once by dlopen(3). */ void _init() { BN_init(&g); BN_init(&p); BN_init(&pm1); if (BN_bin2bn(prime, sizeof(prime), &p) == NULL || BN_bin2bn(prime, sizeof(prime), &pm1) == NULL || BN_bin2bn(generator, sizeof(generator), &g) == NULL || !BN_sub_word(&pm1, (BN_ULONG)1)) _fatal_bn("_init()"); } /* * _fini() * Finalization function, called once by last dlclose(3). */ void _fini() { BN_free(&g); BN_free(&p); BN_free(&pm1); } /* * _auth_srvr() * Server side authentication function; returns 0 on success. * 1. Send hostname // XXX: move to engine * 2. Receive username * 3. Lookup user verifier (v) and salt (s) * 4. Send s * 5. Calculate b = rand(); 1 < b < p - 1 * u = rand(); 1 < u < p - 1 * B = g exp b + v * 6. Receive A; A != 1 && A != g * 7. Send B, u * 8. Calculate S = (A * v exp u) exp b * K = HASH(S) * M1 = HASH(A, B, K) * 9. Receive USER_M1 * 10. Verify M1 == USER_M1 ? * 11. Calculate M2 = HASH(A, M1, K) * 12. Send M2 */ static int _auth_srvr(AUTHCON *ct) { int32_t srvr_st, clnt_st; unsigned char K[SHA1_DIGESTSIZE], M1[SHA1_DIGESTSIZE], M2[SHA1_DIGESTSIZE], USER_M1[SHA1_DIGESTSIZE], bs[NBYTES]; BIGNUM A, B, S, b, u, v, s, tmp; BN_CTX *bnctx = BN_CTX_new(); void *buffer; size_t bufsiz; char hostname[MAXHOSTNAMELEN]; /* XXX: move to engine */ /* XXX: move to engine */ /* Send hostname */ gethostname(hostname, sizeof(hostname)); packet_put_string(ct->packet, hostname); /* Receive username */ packet_get_string(ct->packet, ct->peername, sizeof(ct->peername)); bufsiz = 0; buffer = NULL; BN_init(&A); BN_init(&B); BN_init(&S); BN_init(&b); BN_init(&s); BN_init(&u); BN_init(&v); BN_init(&tmp); BN_CTX_init(bnctx); clnt_st = LOGIN_FAILED; /* Get user verifier and salt, send salt */ ct->rlist = res_open_list(ct->peername, RES_FORCEREAD); log_debug(AUTH_SRP "Loading salt and verifier for user '%s'.", ct->peername); srvr_st = (_get_srppass(ct, &v, &s, bs) == 0) ? LOGIN_SUCCESS : LOGIN_FAILED; packet_put_raw(ct->packet, bs, sizeof(bs)); if (srvr_st == LOGIN_FAILED) log_debug(AUTH_SRP "User '%s' does not have a valid srp " "account.", ct->peername); /* * Calculate: * b = rand(); 1 < b < p - 1 * u = rand(); 1 < u < p - 1 * B = (g exp b + v) % p = ((g exp b) % p + v) % p */ _rand_bn(&b, &tmp, bnctx); _rand_bn(&u, &tmp, bnctx); if (!BN_mod_exp(&B, &g, &b, &p, bnctx) || !BN_add(&tmp, &B, &v) || !BN_mod(&B, &tmp, &p, bnctx)) _fatal_bn("srvr_auth()"); /* Receive A, send B and u */ _recv_bn(ct->packet, &A, &buffer, &bufsiz); _send_bn(ct->packet, &B, &buffer, &bufsiz); _send_bn(ct->packet, &u, &buffer, &bufsiz); /* * Calculate: * S = ( (A * v exp u) exp b ) % n * ( (A * (v exp u) % n) exp b ) % n * K = HASH(S) * M1 = HASH(A, B, K) */ if (!BN_mod_exp(&S, &v, &u, &p, bnctx) || !BN_mod_mul(&tmp, &A, &S, &p, bnctx) || !BN_mod_exp(&S, &tmp, &b, &p, bnctx)) _fatal_bn("srvr_auth()"); _hash_bn(K, &S, &buffer, &bufsiz); _auth_digest1(M1, &A, &B, K, &buffer, &bufsiz); /* Receive client authentication digest */ packet_get_raw(ct->packet, USER_M1, sizeof(USER_M1)); /* * Authentication of client fails when: * 1. User does not exists (tested before); or * 2. Received A value is 1 or g; or * 3. USER_M1 != M1 */ /* * Check possible attack playing with the value of A: * A == 1 || A == g <=> a == 0 || a == 1 => S = known */ if (srvr_st == LOGIN_SUCCESS && (BN_is_one(&A) || BN_ucmp(&A, &g) == 0)) { log_err(AUTH_SRP "Attack as user '%s' detected.", ct->peername); srvr_st = LOGIN_FAILED; } /* USER_M1 == HASH(A, B, K) ? */ if (srvr_st == LOGIN_SUCCESS && memcmp(USER_M1, M1, sizeof(M1))) { log_debug(AUTH_SRP "Client authentication failed."); srvr_st = LOGIN_FAILED; } packet_put_int32(ct->packet, srvr_st); /* Server authentication */ if (srvr_st == LOGIN_SUCCESS) { _auth_digest2(M2, &A, M1, K, &buffer, &bufsiz); packet_put_raw(ct->packet, M2, sizeof(M2)); packet_get_int32(ct->packet, &clnt_st); if (clnt_st == LOGIN_FAILED) log_err(AUTH_SRP "Server refused by client."); } BN_clear_free(&A); BN_clear_free(&B); BN_clear_free(&S); BN_clear_free(&b); BN_clear_free(&s); BN_clear_free(&u); BN_clear_free(&v); BN_clear_free(&tmp); BN_CTX_free(bnctx); free(buffer); /* Init encryption */ if (srvr_st == LOGIN_SUCCESS && clnt_st == LOGIN_SUCCESS) { _init_encrypt(ct->packet, K); bzero(K, sizeof(K)); log_debug(AUTH_SRP "Authentication succeed, encryption " "initiated."); return (0); } return (-1); } /* * _auth_clnt() * Client side authentication function; returns 0 on success. * 1. Send username * 2. Receive salt (s) * 3. Calculate x = HASH(s, pass) * 4. Send A = g exp a; a = rand(); 1 < a < p - 1 * 5. Receive B, u * 6. Calculate S = (B - g exp x) exp (a + u * x) * 7. Calcualte K = HASH(S) * M1 = HASH(A, B, K) * M2 = HASH(A, M1, K) * 8. Send M1 * 9. Receive M2 * 10. Verify M2 == HASH(A, M1, K) ? */ static int _auth_clnt(AUTHCON *ct, struct autharg_clnt *args) { int32_t srvr_st, clnt_st; unsigned char xdigest[SHA1_DIGESTSIZE], bs[NBYTES], K[SHA1_DIGESTSIZE], M1[SHA1_DIGESTSIZE], M2[SHA1_DIGESTSIZE], SERVER_M2[SHA1_DIGESTSIZE]; BIGNUM a, u, x, A, B, S, tmp1, tmp2, tmp3; BN_CTX *bnctx = BN_CTX_new(); SHA1_CTX sha1_ctx; void *buffer; size_t bufsiz; /* XXX: move to engine */ packet_get_string(ct->packet, ct->peername, sizeof(ct->peername)); buffer = NULL; bufsiz = 0; BN_init(&a); BN_init(&u); BN_init(&x); BN_init(&A); BN_init(&B); BN_init(&S); BN_init(&tmp1); BN_init(&tmp2); BN_init(&tmp3); BN_CTX_init(bnctx); srvr_st = clnt_st = LOGIN_FAILED; /* Get username and password */ if (args->user[0] == '\0') { int i; fprintf(stderr, "login: "); fgets(args->user, sizeof(args->user), stdin); i = strlen(args->user); if (i >= 1 && args->user[i - 1] == '\n') args->user[i - 1] = '\0'; } if (args->pass[0] == '\0') { char *pass; fprintf(stderr, "password: "); pass = (char *) getpass(""); strlcpy(args->pass, pass, sizeof(args->pass)); bzero(pass, strlen(pass)); } /* Send username, receive salt */ packet_put_string(ct->packet, args->user); packet_get_raw(ct->packet, bs, sizeof(bs)); /* * Calculate: * x = HASH(salt, password) */ SHA1Init(&sha1_ctx); SHA1Update(&sha1_ctx, bs, sizeof(bs)); SHA1Update(&sha1_ctx, args->pass, strlen(args->pass)); SHA1Final(xdigest, &sha1_ctx); bzero(args->pass, sizeof(args->pass)); if (BN_bin2bn(xdigest, sizeof(xdigest), &tmp1) == NULL || !BN_mod(&x, &tmp1, &pm1, bnctx)) _fatal_bn("_auth_clnt()"); /* * Calculate: * a = rand(); 1 < a < n - 1 * A = (g exp a) % n */ _rand_bn(&a, &tmp1, bnctx); if (!BN_mod_exp(&A, &g, &a, &p, bnctx)) _fatal_bn("_auth_clnt()"); /* Send A, receive B and u */ _send_bn(ct->packet, &A, &buffer, &bufsiz); _recv_bn(ct->packet, &B, &buffer, &bufsiz); _recv_bn(ct->packet, &u, &buffer, &bufsiz); /* * Calculate: * S = ( (B - g exp x) exp (a + u * x) ) % n * = ( (B - (g exp x) % n) exp * ((a + ((u * x) % (n - 1))) % (n - 1)) ) % n */ if (!BN_mod_mul(&tmp1, &u, &x, &pm1, bnctx) || !BN_add(&S, &tmp1, &a) || !BN_mod(&tmp1, &S, &pm1, bnctx) || !BN_mod_exp(&tmp2, &g, &x, &p, bnctx) || !BN_add(&tmp3, &B, &p) || /* Workaround for the BN_mod() bug */ !BN_sub(&S, &tmp3, &tmp2) || !BN_mod(&tmp2, &S, &p, bnctx) || !BN_mod_exp(&S, &tmp2, &tmp1, &p, bnctx)) _fatal_bn("_auth_clnt()"); /* * Calculate: * K = HASH(S) * M1 = HASH(A, B, K) * M2 = HASH(A, M1, K) */ _hash_bn(K, &S, &buffer, &bufsiz); _auth_digest1(M1, &A, &B, K, &buffer, &bufsiz); _auth_digest2(M2, &A, M1, K, &buffer, &bufsiz); /* Send M1, receive server authentication status */ packet_put_raw(ct->packet, M1, sizeof(M1)); packet_get_int32(ct->packet, &srvr_st); /* If server authenticated us, authenticate him */ if (srvr_st == LOGIN_SUCCESS) { packet_get_raw(ct->packet, SERVER_M2, sizeof(SERVER_M2)); if (!memcmp(SERVER_M2, M2, sizeof(M2))) clnt_st = LOGIN_SUCCESS; else log_err(AUTH_SRP "Possibly compromised server: %s.", ct->peername); packet_put_int32(ct->packet, clnt_st); } else log_debug(AUTH_SRP "Authentication from server failed."); BN_clear_free(&a); BN_clear_free(&u); BN_clear_free(&x); BN_clear_free(&A); BN_clear_free(&B); BN_clear_free(&S); BN_clear_free(&tmp1); BN_clear_free(&tmp2); BN_CTX_free(bnctx); free(buffer); /* Init encryption */ if (srvr_st == LOGIN_SUCCESS && clnt_st == LOGIN_SUCCESS) { packet_flush(ct->packet); /* We sent the last data */ _init_encrypt(ct->packet, K); bzero(K, sizeof(K)); log_debug(AUTH_SRP "Authentication succeed, encryption " "initiated."); return (0); } return (-1); } /* * filter_resource() * Detect a SRP_PASS_RNAME resource and code its correct value; * return 0 on success and -1 on error and set errno. * On fatal errors program is terminated. */ static int _filter_resource(AUTHCON *ct, struct autharg_filter *args) { SHA1_CTX sha1_ctx; BN_CTX *bnctx = BN_CTX_new(); BIGNUM salt, verifier, x, tmp; unsigned char bsalt[NBYTES], xdigest[SHA1_DIGESTSIZE]; if (args->rname == NULL || args->value == NULL || args->vsize < 1) { errno = EINVAL; return (-1); } /* Just filter srp passwords */ if (!strcmp(args->rname, SRP_PASS_RNAME)) { BN_CTX_init(bnctx); BN_init(&salt); BN_init(&x); BN_init(&verifier); BN_init(&tmp); /* * Calculate: * salt = rand(); 1 < salt < n - 1 * x = HASH(salt, password); 1 < x < n - 1 * verifier = (g exp x) % n */ _rand_bn(&salt, &tmp, bnctx); BN_bn2bin(&salt, bsalt); SHA1Init(&sha1_ctx); SHA1Update(&sha1_ctx, bsalt, sizeof(bsalt)); SHA1Update(&sha1_ctx, args->value, args->vsize); SHA1Final(xdigest, &sha1_ctx); if (BN_bin2bn(xdigest, sizeof(xdigest), &tmp) == NULL || !BN_mod(&x, &tmp, &pm1, bnctx) || !BN_mod_exp(&verifier, &g, &x, &p, bnctx)) _fatal_bn("_filter_resource()"); /* Get memory for the filtered value */ args->fvsize = 2 * NBYTES; args->fvalue = malloc(args->fvsize); if (args->fvalue != NULL) { /* * The resource value is the binary form of * both salt and verifier data concatenated. */ memcpy(args->fvalue, bsalt, sizeof(bsalt)); BN_bn2bin(&verifier, (char *) args->fvalue + sizeof(bsalt)); } BN_clear_free(&tmp); BN_clear_free(&verifier); BN_clear_free(&x); BN_clear_free(&salt); BN_CTX_free(bnctx); if (args->fvalue == NULL) return (-1); } return (0); } /* * init() * SRP module initialization. */ EXPORT AUTHCON * init() { return (malloc(sizeof(AUTHCON))); } /* * proc_entry() */ EXPORT int proc_entry(int opcode, AUTHCON *context, void *args) { switch (opcode) { case AUTH_SERVER: /* Authentication process, server side */ return (_auth_srvr(context)); case AUTH_CLIENT: /* Authentication process, client side */ return (_auth_clnt(context, args)); case AUTH_FILTER_RESOURCE: /* Filter srp resources values */ return (_filter_resource(context, args)); default: errno = EINVAL; } return (-1); } #ifdef WIN32 /* * DllMain(): * Windows _init() and _fini(). */ BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved) { switch (reason) { case DLL_PROCESS_ATTACH: _init(); break; case DLL_PROCESS_DETACH: _fini(); default: ; } return (TRUE); } #endif /* WIN32 */