ref: fe1eb39db7ae6904924f3ab1f6f9b34416f2eb1b
dir: /sys/src/cmd/auth/factotum/p9sk1.c/
/* * p9sk1, dp9ik - Plan 9 secret (private) key authentication. * dp9ik uses AuthPAK diffie hellman key exchange with the * auth server to protect the password derived key from offline * dictionary attacks. * * Client protocol: * write challenge[challen] * read pakreq[ticketreqlen + pakylen] (dp9ik only) * write paky[pakylen] * read tickreq[tickreqlen] (p9sk1 only) * write ticket + authenticator * read authenticator * * Server protocol: * read challenge[challen] * write pakreq[ticketreqlen + pakylen] (dp9ik only) * read paky[pakylen] * write tickreq[tickreqlen] (p9sk1 only) * read ticket + authenticator * write authenticator * * Login protocol: * write user * write password */ #include "dat.h" struct State { Key *key; Ticket t; Ticketreq tr; Authkey k; PAKpriv p; char cchal[CHALLEN]; uchar y[PAKYLEN], rand[2*NONCELEN]; char tbuf[MAXTICKETLEN + MAXAUTHENTLEN]; int tbuflen; uchar *secret; int speakfor; }; enum { /* client phases */ CHaveChal, CNeedPAKreq, /* dp9ik only */ CHavePAKy, CNeedTreq, /* p9sk1 only */ CHaveTicket, CNeedAuth, /* server phases */ SNeedChal, SHavePAKreq, /* dp9ik only */ SNeedPAKy, SHaveTreq, /* p9sk1 only */ SNeedTicket, SHaveAuth, /* login phases */ SNeedUser, SNeedPass, Maxphase, }; static char *phasenames[Maxphase] = { [CHaveChal] "CHaveChal", [CNeedPAKreq] "CNeedPAKreq", [CHavePAKy] "CHavePAKy", [CNeedTreq] "CNeedTreq", [CHaveTicket] "CHaveTicket", [CNeedAuth] "CNeedAuth", [SNeedChal] "SNeedChal", [SHavePAKreq] "SHavePAKreq", [SNeedPAKy] "SNeedPAKy", [SHaveTreq] "SHaveTreq", [SNeedTicket] "SNeedTicket", [SHaveAuth] "SHaveAuth", [SNeedUser] "SNeedUser", [SNeedPass] "SNeedPass", }; static int gettickets(State*, uchar*, char*, int); static int p9skinit(Proto *p, Fsstate *fss) { State *s; int iscli, ret; Key *k; Keyinfo ki; Attr *attr; char *role; role = _strfindattr(fss->attr, "role"); if(role != nil && strcmp(role, "login") == 0) iscli = 0; else if((iscli = isclient(role)) < 0) return failure(fss, nil); s = emalloc(sizeof *s); fss = fss; fss->phasename = phasenames; fss->maxphase = Maxphase; fss->proto = p; if(iscli){ fss->phase = CHaveChal; genrandom((uchar*)s->cchal, CHALLEN); }else{ fss->phase = SNeedChal; s->tr.type = AuthTreq; attr = setattr(_copyattr(fss->attr), "proto=%q", p->name); if(strcmp(role, "login") == 0){ attr = setattr(attr, "role=server"); fss->phase = SNeedUser; } mkkeyinfo(&ki, fss, attr); ki.user = nil; ret = findkey(&k, &ki, "user? dom?"); _freeattr(attr); if(ret != RpcOk){ free(s); return ret; } safecpy(s->tr.authid, _strfindattr(k->attr, "user"), sizeof(s->tr.authid)); safecpy(s->tr.authdom, _strfindattr(k->attr, "dom"), sizeof(s->tr.authdom)); s->key = k; memmove(&s->k, k->priv, sizeof(Authkey)); genrandom((uchar*)s->tr.chal, sizeof s->tr.chal); } s->tbuflen = 0; s->secret = nil; fss->ps = s; return RpcOk; } static int establish(Fsstate *fss) { AuthInfo *ai; State *s; s = fss->ps; ai = &fss->ai; ai->cuid = s->t.cuid; ai->suid = s->t.suid; if(fss->proto == &dp9ik){ static char info[] = "Plan 9 session secret"; ai->nsecret = 256; ai->secret = emalloc(ai->nsecret); hkdf_x( s->rand, 2*NONCELEN, (uchar*)info, sizeof(info)-1, s->t.key, NONCELEN, ai->secret, ai->nsecret, hmac_sha2_256, SHA2_256dlen); } else { ai->nsecret = 8; ai->secret = emalloc(ai->nsecret); des56to64((uchar*)s->t.key, ai->secret); } s->secret = ai->secret; fss->haveai = 1; fss->phase = Established; return RpcOk; } static int p9skread(Fsstate *fss, void *a, uint *n) { int m; State *s; s = fss->ps; switch(fss->phase){ default: return phaseerror(fss, "read"); case CHaveChal: m = CHALLEN; if(*n < m) return toosmall(fss, m); *n = m; memmove(a, s->cchal, m); if(fss->proto == &dp9ik) fss->phase = CNeedPAKreq; else fss->phase = CNeedTreq; return RpcOk; case SHavePAKreq: m = TICKREQLEN + PAKYLEN; if(*n < m) return toosmall(fss, m); s->tr.type = AuthPAK; *n = convTR2M(&s->tr, a, *n); authpak_new(&s->p, &s->k, (uchar*)a + *n, 1); *n += PAKYLEN; fss->phase = SNeedPAKy; return RpcOk; case CHavePAKy: m = PAKYLEN; if(*n < m) return toosmall(fss, m); *n = m; memmove(a, s->y, m); fss->phase = CHaveTicket; return RpcOk; case SHaveTreq: m = TICKREQLEN; if(*n < m) return toosmall(fss, m); s->tr.type = AuthTreq; *n = convTR2M(&s->tr, a, *n); fss->phase = SNeedTicket; return RpcOk; case CHaveTicket: m = s->tbuflen; if(*n < m) return toosmall(fss, m); *n = m; memmove(a, s->tbuf, m); fss->phase = CNeedAuth; return RpcOk; case SHaveAuth: m = s->tbuflen; if(*n < m) return toosmall(fss, m); *n = m; memmove(a, s->tbuf, m); return establish(fss); } } static int p9skwrite(Fsstate *fss, void *a, uint n) { int m, ret, sret; char tbuf[2*PAKYLEN+2*MAXTICKETLEN], *user; Attr *attr; State *s; Key *srvkey; Keyinfo ki; Authenticator auth; s = fss->ps; switch(fss->phase){ default: return phaseerror(fss, "write"); case SNeedChal: m = CHALLEN; if(n < m) return toosmall(fss, m); memmove(s->cchal, a, m); if(fss->proto == &dp9ik) fss->phase = SHavePAKreq; else fss->phase = SHaveTreq; return RpcOk; case CNeedPAKreq: m = TICKREQLEN+PAKYLEN; if(n < m) return toosmall(fss, m); case CNeedTreq: m = TICKREQLEN; if(n < m) return toosmall(fss, m); m = convM2TR(a, n, &s->tr); if(m <= 0 || s->tr.type != (fss->phase==CNeedPAKreq ? AuthPAK : AuthTreq)) return failure(fss, Easproto); if(s->key != nil) closekey(s->key); attr = _delattr(_delattr(_copyattr(fss->attr), "role"), "user"); attr = setattr(attr, "proto=%q", fss->proto->name); user = _strfindattr(fss->attr, "user"); /* * If our client is the user who started factotum (client==owner), then * he can use whatever keys we have to speak as whoever he pleases. * If, on the other hand, we're speaking on behalf of someone else, * we will only vouch for their name on the local system. * * We do the sysuser findkey second so that if we return RpcNeedkey, * the correct key information gets asked for. */ srvkey = nil; s->speakfor = 0; sret = RpcFailure; if(user==nil || strcmp(user, fss->sysuser) == 0){ mkkeyinfo(&ki, fss, attr); ki.user = nil; sret = findkey(&srvkey, &ki, "role=speakfor dom=%q user?", s->tr.authdom); } if(user != nil) attr = setattr(attr, "user=%q", user); mkkeyinfo(&ki, fss, attr); ret = findkey(&s->key, &ki, "role=client dom=%q %s", s->tr.authdom, fss->proto->keyprompt); if(ret == RpcOk) closekey(srvkey); else if(sret == RpcOk){ s->key = srvkey; s->speakfor = 1; }else if(ret == RpcConfirm || sret == RpcConfirm){ _freeattr(attr); return RpcConfirm; }else{ _freeattr(attr); return ret; } /* fill in the rest of the request */ safecpy(s->tr.hostid, _strfindattr(s->key->attr, "user"), sizeof s->tr.hostid); if(s->speakfor) safecpy(s->tr.uid, fss->sysuser, sizeof s->tr.uid); else safecpy(s->tr.uid, s->tr.hostid, sizeof s->tr.uid); /* get tickets from authserver or invent if we can */ memmove(&s->k, s->key->priv, sizeof(Authkey)); if(fss->phase == CNeedPAKreq) ret = gettickets(s, (uchar*)a + m, tbuf, sizeof(tbuf)); else ret = gettickets(s, nil, tbuf, sizeof(tbuf)); if(ret <= 0){ _freeattr(attr); return failure(fss, nil); } m = convM2T(tbuf, ret, &s->t, &s->k); if(m <= 0 || (fss->proto == &dp9ik && s->t.form == 0)){ _freeattr(attr); return failure(fss, Easproto); } if(s->t.num != AuthTc){ if(s->key->successes == 0 && !s->speakfor) disablekey(s->key); if(askforkeys && !s->speakfor){ snprint(fss->keyinfo, sizeof fss->keyinfo, "%A %s", attr, fss->proto->keyprompt); _freeattr(attr); return RpcNeedkey; }else{ _freeattr(attr); return failure(fss, Ebadkey); } } s->key->successes++; _freeattr(attr); ret -= m; memmove(s->tbuf, tbuf+m, ret); genrandom(s->rand, NONCELEN); auth.num = AuthAc; memmove(auth.chal, s->tr.chal, CHALLEN); memmove(auth.rand, s->rand, NONCELEN); ret += convA2M(&auth, s->tbuf+ret, sizeof(s->tbuf)-ret, &s->t); s->tbuflen = ret; if(fss->phase == CNeedPAKreq) fss->phase = CHavePAKy; else fss->phase = CHaveTicket; return RpcOk; case SNeedPAKy: m = PAKYLEN; if(n < m) return toosmall(fss, m); if(authpak_finish(&s->p, &s->k, (uchar*)a)) return failure(fss, Easproto); fss->phase = SNeedTicket; return RpcOk; case SNeedTicket: m = convM2T(a, n, &s->t, &s->k); if(m <= 0 || convM2A((char*)a+m, n-m, &auth, &s->t) <= 0) return toosmall(fss, MAXTICKETLEN + MAXAUTHENTLEN); if(fss->proto == &dp9ik && s->t.form == 0) return failure(fss, Easproto); if(s->t.num != AuthTs || tsmemcmp(s->t.chal, s->tr.chal, CHALLEN) != 0) return failure(fss, Easproto); if(auth.num != AuthAc || tsmemcmp(auth.chal, s->tr.chal, CHALLEN) != 0) return failure(fss, Easproto); memmove(s->rand, auth.rand, NONCELEN); genrandom(s->rand + NONCELEN, NONCELEN); auth.num = AuthAs; memmove(auth.chal, s->cchal, CHALLEN); memmove(auth.rand, s->rand + NONCELEN, NONCELEN); s->tbuflen = convA2M(&auth, s->tbuf, sizeof(s->tbuf), &s->t); fss->phase = SHaveAuth; return RpcOk; case CNeedAuth: m = convM2A(a, n, &auth, &s->t); if(m <= 0) return toosmall(fss, -m); if(auth.num != AuthAs || tsmemcmp(auth.chal, s->cchal, CHALLEN) != 0) return failure(fss, Easproto); memmove(s->rand+NONCELEN, auth.rand, NONCELEN); return establish(fss); case SNeedUser: if(n >= sizeof(s->tr.hostid)) return failure(fss, "user id too long"); strncpy(s->tr.hostid, a, n); s->tr.hostid[n] = 0; strncpy(s->tr.uid, a, n); s->tr.uid[n] = 0; fss->phase = SNeedPass; return RpcOk; case SNeedPass: { Authkey ks; uchar tk[NONCELEN]; char pass[PASSWDLEN]; if(n >= sizeof(pass)) return failure(fss, "password too long"); /* save server key */ memmove(&ks, &s->k, sizeof(ks)); /* derive client key */ strncpy(pass, a, n); pass[n] = 0; passtokey(&s->k, pass); memset(pass, 0, sizeof(pass)); if(fss->proto == &dp9ik){ uchar ys[PAKYLEN]; PAKpriv ps; authpak_hash(&s->k, s->tr.hostid); authpak_new(&ps, &ks, ys, 1); ret = gettickets(s, ys, tbuf, sizeof(tbuf)); if(ret > 0 && authpak_finish(&ps, &ks, s->y)) return failure(fss, Easproto); } else { ret = gettickets(s, nil, tbuf, sizeof(tbuf)); } if(ret <= 0) return failure(fss, nil); /* verify client ticket */ m = convM2T(tbuf, ret, &s->t, &s->k); if(m <= 0 || (fss->proto == &dp9ik && s->t.form == 0)) return failure(fss, Easproto); if(s->t.num != AuthTc || tsmemcmp(s->t.chal, s->tr.chal, CHALLEN) != 0) return failure(fss, Ebadkey); memmove(tk, s->t.key, sizeof(tk)); /* restore sever key */ memmove(&s->k, &ks, sizeof(ks)); /* verify server ticket */ m = convM2T(tbuf+m, ret-m, &s->t, &s->k); if(m <= 0 || (fss->proto == &dp9ik && s->t.form == 0)) return failure(fss, Easproto); if(s->t.num != AuthTs || tsmemcmp(s->t.chal, s->tr.chal, CHALLEN) != 0 || tsmemcmp(tk, s->t.key, sizeof(tk)) != 0) return failure(fss, Ebadkey); } genrandom(s->rand, 2*NONCELEN); return establish(fss); } } static void p9skclose(Fsstate *fss) { State *s; s = fss->ps; if(s->secret != nil){ free(s->secret); s->secret = nil; } if(s->key != nil){ closekey(s->key); s->key = nil; } memset(s, 0, sizeof(State)); free(s); } static int p9skaddkey(Key *k, int before) { Authkey *akey; char *s, *u; u = _strfindattr(k->attr, "user"); if(u == nil){ werrstr("no user attribute"); return -1; } akey = emalloc(sizeof(Authkey)); if(s = _strfindattr(k->privattr, "!hex")){ if(k->proto == &dp9ik){ if(dec16(akey->aes, AESKEYLEN, s, strlen(s)) != AESKEYLEN){ free(akey); werrstr("malformed key data"); return -1; } } else { if(dec16((uchar*)akey->des, DESKEYLEN, s, strlen(s)) != DESKEYLEN){ free(akey); werrstr("malformed key data"); return -1; } } }else if(s = _strfindattr(k->privattr, "!password")){ passtokey(akey, s); }else{ werrstr("no key data"); free(akey); return -1; } if(k->proto == &dp9ik) authpak_hash(akey, u); else memset(akey->aes, 0, AESKEYLEN); /* don't attempt AuthPAK for p9sk1 key */ k->priv = akey; return replacekey(k, before); } static void p9skclosekey(Key *k) { if(k->priv == nil) return; memset(k->priv, 0, sizeof(Authkey)); free(k->priv); } static int mkservertickets(State *s, uchar *y, char *tbuf, int tbuflen) { Ticketreq *tr = &s->tr; Ticket t; int ret; if(strcmp(tr->authid, tr->hostid) != 0) return -1; /* this keeps creating accounts on martha from working. -- presotto if(strcmp(tr->uid, "none") == 0) return -1; */ memset(&t, 0, sizeof(t)); ret = 0; if(y != nil){ t.form = 1; authpak_new(&s->p, &s->k, s->y, 0); authpak_finish(&s->p, &s->k, y); } memmove(t.chal, tr->chal, CHALLEN); strcpy(t.cuid, tr->uid); strcpy(t.suid, tr->uid); genrandom((uchar*)t.key, sizeof(t.key)); t.num = AuthTc; ret += convT2M(&t, tbuf+ret, tbuflen-ret, &s->k); t.num = AuthTs; ret += convT2M(&t, tbuf+ret, tbuflen-ret, &s->k); memset(&t, 0, sizeof(t)); return ret; } static int getastickets(State *s, uchar *y, char *tbuf, int tbuflen) { Ticketreq *tr = &s->tr; int asfd, rv; char *dom; if((dom = _strfindattr(s->key->attr, "dom")) == nil){ werrstr("auth key has no domain"); return -1; } asfd = _authdial(dom); if(asfd < 0) return -1; alarm(30*1000); if(y != nil){ rv = -1; s->tr.type = AuthPAK; if(_asrequest(asfd, tr) != 0 || write(asfd, y, PAKYLEN) != PAKYLEN) goto Out; authpak_new(&s->p, &s->k, (uchar*)tbuf, 1); if(write(asfd, tbuf, PAKYLEN) != PAKYLEN) goto Out; if(_asrdresp(asfd, tbuf, 2*PAKYLEN) != 2*PAKYLEN) goto Out; memmove(s->y, tbuf, PAKYLEN); if(authpak_finish(&s->p, &s->k, (uchar*)tbuf+PAKYLEN)) goto Out; } s->tr.type = AuthTreq; rv = _asgetticket(asfd, tr, tbuf, tbuflen); Out: alarm(0); close(asfd); return rv; } static int gettickets(State *s, uchar *y, char *tbuf, int tbuflen) { int ret; if(s->tr.authdom[0] == 0 || s->tr.authid[0] == 0 || s->tr.hostid[0] == 0 || s->tr.uid[0] == 0){ werrstr("bad ticket request"); return -1; } ret = getastickets(s, y, tbuf, tbuflen); if(ret > 0) return ret; return mkservertickets(s, y, tbuf, tbuflen); } Proto p9sk1 = { .name= "p9sk1", .init= p9skinit, .write= p9skwrite, .read= p9skread, .close= p9skclose, .addkey= p9skaddkey, .closekey= p9skclosekey, .keyprompt= "user? !password?" }; Proto dp9ik = { .name= "dp9ik", .init= p9skinit, .write= p9skwrite, .read= p9skread, .close= p9skclose, .addkey= p9skaddkey, .closekey= p9skclosekey, .keyprompt= "user? !password?" };