ref: c50e30b59e81227198b3188183e55ae143498d71
dir: /secstore.c/
/* * Various files from /sys/src/cmd/auth/secstore, just enough * to download a file at boot time. */ #include <u.h> #include <libc.h> #include <mp.h> #include <libsec.h> #include "drawterm.h" static void* emalloc(ulong n) { return mallocz(n, 1); } enum{ CHK = 16}; enum{ MAXFILESIZE = 10*1024*1024 }; enum{// PW status bits Enabled = (1<<0), STA = (1<<1), // extra SecurID step }; static char testmess[] = "__secstore\tPAK\nC=%s\nm=0\n"; int secdial(char *secstore) { char *p, buf[80], *f[3]; int fd, nf; p = secstore; /* take it from writehostowner, if set there */ if(*p == 0) /* else use the authserver */ p = "$auth"; /* translate $auth ourselves. * authaddr is something like il!host!566 or tcp!host!567. * extract host, accounting for a change of format to something * like il!host or tcp!host or host. */ if(strcmp(p, "$auth")==0){ if(authserver == nil) return -1; strecpy(buf, buf+sizeof buf, authserver); nf = getfields(buf, f, nelem(f), 0, "!"); switch(nf){ default: return -1; case 1: p = f[0]; break; case 2: case 3: p = f[1]; break; } } fd = dial(netmkaddr(p, "tcp", "5356"), 0, 0, 0); if(fd >= 0) return fd; return -1; } int havesecstore(char *addr, char *owner) { int m, n, fd; uchar buf[500]; n = snprint((char*)buf, sizeof buf, testmess, owner); hnputs(buf, 0x8000+n-2); fd = secdial(addr); if(fd < 0) return 0; if(write(fd, buf, n) != n || readn(fd, buf, 2) != 2){ close(fd); return 0; } n = ((buf[0]&0x7f)<<8) + buf[1]; if(n+1 > sizeof buf){ werrstr("implausibly large count %d", n); close(fd); return 0; } m = readn(fd, buf, n); close(fd); if(m != n){ if(m >= 0) werrstr("short read from secstore"); return 0; } buf[n] = 0; if(strcmp((char*)buf, "!account expired") == 0){ werrstr("account expired"); return 0; } return strcmp((char*)buf, "!account exists") == 0; } // delimited, authenticated, encrypted connection enum{ Maxmsg=4096 }; // messages > Maxmsg bytes are truncated typedef struct SConn SConn; extern SConn* newSConn(int); // arg is open file descriptor struct SConn{ void *chan; int secretlen; int (*secret)(SConn*, uchar*, int);// int (*read)(SConn*, uchar*, int); // <0 if error; errmess in buffer int (*write)(SConn*, uchar*, int); void (*free)(SConn*); // also closes file descriptor }; // secret(s,b,dir) sets secret for digest, encrypt, using the secretlen // bytes in b to form keys for the two directions; // set dir=0 in client, dir=1 in server // error convention: write !message in-band #define readstr secstore_readstr static void writerr(SConn*, char*); static int readstr(SConn*, char*); // call with buf of size Maxmsg+1 // returns -1 upon error, with error message in buf typedef struct ConnState { uchar secret[SHA1dlen]; ulong seqno; RC4state rc4; } ConnState; typedef struct SS{ int fd; // file descriptor for read/write of encrypted data int alg; // if nonzero, "alg sha rc4_128" ConnState in, out; } SS; static int SC_secret(SConn *conn, uchar *sigma, int direction) { SS *ss = (SS*)(conn->chan); int nsigma = conn->secretlen; if(direction != 0){ hmac_sha1(sigma, nsigma, (uchar*)"one", 3, ss->out.secret, nil); hmac_sha1(sigma, nsigma, (uchar*)"two", 3, ss->in.secret, nil); }else{ hmac_sha1(sigma, nsigma, (uchar*)"two", 3, ss->out.secret, nil); hmac_sha1(sigma, nsigma, (uchar*)"one", 3, ss->in.secret, nil); } setupRC4state(&ss->in.rc4, ss->in.secret, 16); // restrict to 128 bits setupRC4state(&ss->out.rc4, ss->out.secret, 16); ss->alg = 1; return 0; } static void hash(uchar secret[SHA1dlen], uchar *data, int len, int seqno, uchar d[SHA1dlen]) { DigestState sha; uchar seq[4]; seq[0] = seqno>>24; seq[1] = seqno>>16; seq[2] = seqno>>8; seq[3] = seqno; memset(&sha, 0, sizeof sha); sha1(secret, SHA1dlen, nil, &sha); sha1(data, len, nil, &sha); sha1(seq, 4, d, &sha); } static int verify(uchar secret[SHA1dlen], uchar *data, int len, int seqno, uchar d[SHA1dlen]) { DigestState sha; uchar seq[4]; uchar digest[SHA1dlen]; seq[0] = seqno>>24; seq[1] = seqno>>16; seq[2] = seqno>>8; seq[3] = seqno; memset(&sha, 0, sizeof sha); sha1(secret, SHA1dlen, nil, &sha); sha1(data, len, nil, &sha); sha1(seq, 4, digest, &sha); return memcmp(d, digest, SHA1dlen); } static int SC_read(SConn *conn, uchar *buf, int n) { SS *ss = (SS*)(conn->chan); uchar count[2], digest[SHA1dlen]; int len, nr; if(read(ss->fd, count, 2) != 2 || (count[0]&0x80) == 0){ werrstr("!SC_read invalid count"); return -1; } len = (count[0]&0x7f)<<8 | count[1]; // SSL-style count; no pad if(ss->alg){ len -= SHA1dlen; if(len <= 0 || readn(ss->fd, digest, SHA1dlen) != SHA1dlen){ werrstr("!SC_read missing sha1"); return -1; } if(len > n || readn(ss->fd, buf, len) != len){ werrstr("!SC_read missing data"); return -1; } rc4(&ss->in.rc4, digest, SHA1dlen); rc4(&ss->in.rc4, buf, len); if(verify(ss->in.secret, buf, len, ss->in.seqno, digest) != 0){ werrstr("!SC_read integrity check failed"); return -1; } }else{ if(len <= 0 || len > n){ werrstr("!SC_read implausible record length"); return -1; } if( (nr = readn(ss->fd, buf, len)) != len){ werrstr("!SC_read expected %d bytes, but got %d", len, nr); return -1; } } ss->in.seqno++; return len; } static int SC_write(SConn *conn, uchar *buf, int n) { SS *ss = (SS*)(conn->chan); uchar count[2], digest[SHA1dlen]; int len; if(n <= 0 || n > Maxmsg+1){ werrstr("!SC_write invalid n %d", n); return -1; } len = n; if(ss->alg) len += SHA1dlen; count[0] = 0x80 | len>>8; count[1] = len; if(write(ss->fd, count, 2) != 2){ werrstr("!SC_write invalid count"); return -1; } if(ss->alg){ hash(ss->out.secret, buf, n, ss->out.seqno, digest); rc4(&ss->out.rc4, digest, SHA1dlen); rc4(&ss->out.rc4, buf, n); if(write(ss->fd, digest, SHA1dlen) != SHA1dlen || write(ss->fd, buf, n) != n){ werrstr("!SC_write error on send"); return -1; } }else{ if(write(ss->fd, buf, n) != n){ werrstr("!SC_write error on send"); return -1; } } ss->out.seqno++; return n; } static void SC_free(SConn *conn) { SS *ss = (SS*)(conn->chan); close(ss->fd); free(ss); free(conn); } SConn* newSConn(int fd) { SS *ss; SConn *conn; if(fd < 0) return nil; ss = (SS*)emalloc(sizeof(*ss)); conn = (SConn*)emalloc(sizeof(*conn)); ss->fd = fd; ss->alg = 0; conn->chan = (void*)ss; conn->secretlen = SHA1dlen; conn->free = SC_free; conn->secret = SC_secret; conn->read = SC_read; conn->write = SC_write; return conn; } static void writerr(SConn *conn, char *s) { char buf[Maxmsg]; snprint(buf, Maxmsg, "!%s", s); conn->write(conn, (uchar*)buf, strlen(buf)); } static int readstr(SConn *conn, char *s) { int n; n = conn->read(conn, (uchar*)s, Maxmsg); if(n >= 0){ s[n] = 0; if(s[0] == '!'){ memmove(s, s+1, n); n = -1; } }else{ strcpy(s, "read error"); } return n; } static char* getfile(SConn *conn, uchar *key, int nkey) { char *buf; int nbuf, n, nr, len; char s[Maxmsg+1], *gf; uchar skey[SHA1dlen], ib[Maxmsg+CHK], *ibr, *ibw; AESstate aes; DigestState *sha; gf = "factotum"; memset(&aes, 0, sizeof aes); snprint(s, Maxmsg, "GET %s\n", gf); conn->write(conn, (uchar*)s, strlen(s)); /* get file size */ s[0] = '\0'; if(readstr(conn, s) < 0){ werrstr("secstore: %r"); return nil; } if((len = atoi(s)) < 0){ werrstr("secstore: remote file %s does not exist", gf); return nil; }else if(len > MAXFILESIZE){//assert werrstr("secstore: implausible file size %d for %s", len, gf); return nil; } ibr = ibw = ib; buf = nil; nbuf = 0; for(nr=0; nr < len;){ if((n = conn->read(conn, ibw, Maxmsg)) <= 0){ werrstr("secstore: empty file chunk n=%d nr=%d len=%d: %r", n, nr, len); return nil; } nr += n; ibw += n; if(!aes.setup){ /* first time, read 16 byte IV */ if(n < 16){ werrstr("secstore: no IV in file"); return nil; } sha = sha1((uchar*)"aescbc file", 11, nil, nil); sha1(key, nkey, skey, sha); setupAESstate(&aes, skey, AESbsize, ibr); memset(skey, 0, sizeof skey); ibr += AESbsize; n -= AESbsize; } aesCBCdecrypt(ibw-n, n, &aes); n = ibw-ibr-CHK; if(n > 0){ buf = realloc(buf, nbuf+n+1); if(buf == nil) sysfatal("out of memory"); memmove(buf+nbuf, ibr, n); nbuf += n; ibr += n; } memmove(ib, ibr, ibw-ibr); ibw = ib + (ibw-ibr); ibr = ib; } n = ibw-ibr; if((n != CHK) || (memcmp(ib, "XXXXXXXXXXXXXXXX", CHK) != 0)){ werrstr("secstore: decrypted file failed to authenticate!"); free(buf); return nil; } if(nbuf == 0){ werrstr("secstore got empty file"); return nil; } buf[nbuf] = '\0'; return buf; } static char VERSION[] = "secstore"; typedef struct PAKparams{ mpint *q, *p, *r, *g; } PAKparams; static PAKparams *pak; // This group was generated by the seed EB7B6E35F7CD37B511D96C67D6688CC4DD440E1E. static void initPAKparams(void) { if(pak) return; pak = (PAKparams*)emalloc(sizeof(*pak)); pak->q = strtomp("E0F0EF284E10796C5A2A511E94748BA03C795C13", nil, 16, nil); pak->p = strtomp("C41CFBE4D4846F67A3DF7DE9921A49D3B42DC33728427AB159CEC8CBBD" "B12B5F0C244F1A734AEB9840804EA3C25036AD1B61AFF3ABBC247CD4B384224567A86" "3A6F020E7EE9795554BCD08ABAD7321AF27E1E92E3DB1C6E7E94FAAE590AE9C48F96D9" "3D178E809401ABE8A534A1EC44359733475A36A70C7B425125062B1142D", nil, 16, nil); pak->r = strtomp("DF310F4E54A5FEC5D86D3E14863921E834113E060F90052AD332B3241CEF" "2497EFA0303D6344F7C819691A0F9C4A773815AF8EAECFB7EC1D98F039F17A32A7E887" "D97251A927D093F44A55577F4D70444AEBD06B9B45695EC23962B175F266895C67D21" "C4656848614D888A4", nil, 16, nil); pak->g = strtomp("2F1C308DC46B9A44B52DF7DACCE1208CCEF72F69C743ADD4D2327173444" "ED6E65E074694246E07F9FD4AE26E0FDDD9F54F813C40CB9BCD4338EA6F242AB94CD41" "0E676C290368A16B1A3594877437E516C53A6EEE5493A038A017E955E218E7819734E3E" "2A6E0BAE08B14258F8C03CC1B30E0DDADFCF7CEDF0727684D3D255F1", nil, 16, nil); } // H = (sha(ver,C,sha(passphrase)))^r mod p, // a hash function expensive to attack by brute force. static void longhash(char *ver, char *C, uchar *passwd, mpint *H) { uchar *Cp; int i, n, nver, nC; uchar buf[140], key[1]; nver = strlen(ver); nC = strlen(C); n = nver + nC + SHA1dlen; Cp = (uchar*)emalloc(n); memmove(Cp, ver, nver); memmove(Cp+nver, C, nC); memmove(Cp+nver+nC, passwd, SHA1dlen); for(i = 0; i < 7; i++){ key[0] = 'A'+i; hmac_sha1(Cp, n, key, sizeof key, buf+i*SHA1dlen, nil); } memset(Cp, 0, n); free(Cp); betomp(buf, sizeof buf, H); mpmod(H, pak->p, H); mpexp(H, pak->r, pak->p, H); } // Hi = H^-1 mod p static char * PAK_Hi(char *C, char *passphrase, mpint *H, mpint *Hi) { uchar passhash[SHA1dlen]; sha1((uchar *)passphrase, strlen(passphrase), passhash, nil); initPAKparams(); longhash(VERSION, C, passhash, H); mpinvert(H, pak->p, Hi); return mptoa(Hi, 64, nil, 0); } // another, faster, hash function for each party to // confirm that the other has the right secrets. static void shorthash(char *mess, char *C, char *S, char *m, char *mu, char *sigma, char *Hi, uchar *digest) { SHA1state *state; state = sha1((uchar*)mess, strlen(mess), 0, 0); state = sha1((uchar*)C, strlen(C), 0, state); state = sha1((uchar*)S, strlen(S), 0, state); state = sha1((uchar*)m, strlen(m), 0, state); state = sha1((uchar*)mu, strlen(mu), 0, state); state = sha1((uchar*)sigma, strlen(sigma), 0, state); state = sha1((uchar*)Hi, strlen(Hi), 0, state); state = sha1((uchar*)mess, strlen(mess), 0, state); state = sha1((uchar*)C, strlen(C), 0, state); state = sha1((uchar*)S, strlen(S), 0, state); state = sha1((uchar*)m, strlen(m), 0, state); state = sha1((uchar*)mu, strlen(mu), 0, state); state = sha1((uchar*)sigma, strlen(sigma), 0, state); sha1((uchar*)Hi, strlen(Hi), digest, state); } // On input, conn provides an open channel to the server; // C is the name this client calls itself; // pass is the user's passphrase // On output, session secret has been set in conn // (unless return code is negative, which means failure). // If pS is not nil, it is set to the (alloc'd) name the server calls itself. static int PAKclient(SConn *conn, char *C, char *pass, char **pS) { char *mess, *mess2, *eol, *S, *hexmu, *ks, *hexm, *hexsigma = nil, *hexHi; char kc[2*SHA1dlen+1]; uchar digest[SHA1dlen]; int rc = -1, n; mpint *x, *m = mpnew(0), *mu = mpnew(0), *sigma = mpnew(0); mpint *H = mpnew(0), *Hi = mpnew(0); hexHi = PAK_Hi(C, pass, H, Hi); // random 1<=x<=q-1; send C, m=g**x H x = mprand(164, genrandom, nil); mpmod(x, pak->q, x); if(mpcmp(x, mpzero) == 0) mpassign(mpone, x); mpexp(pak->g, x, pak->p, m); mpmul(m, H, m); mpmod(m, pak->p, m); hexm = mptoa(m, 64, nil, 0); mess = (char*)emalloc(2*Maxmsg+2); mess2 = mess+Maxmsg+1; snprint(mess, Maxmsg, "%s\tPAK\nC=%s\nm=%s\n", VERSION, C, hexm); conn->write(conn, (uchar*)mess, strlen(mess)); // recv g**y, S, check hash1(g**xy) if(readstr(conn, mess) < 0){ fprint(2, "error: %s\n", mess); writerr(conn, "couldn't read g**y"); goto done; } eol = strchr(mess, '\n'); if(strncmp("mu=", mess, 3) != 0 || !eol || strncmp("\nk=", eol, 3) != 0){ writerr(conn, "verifier syntax error"); goto done; } hexmu = mess+3; *eol = 0; ks = eol+3; eol = strchr(ks, '\n'); if(!eol || strncmp("\nS=", eol, 3) != 0){ writerr(conn, "verifier syntax error for secstore 1.0"); goto done; } *eol = 0; S = eol+3; eol = strchr(S, '\n'); if(!eol){ writerr(conn, "verifier syntax error for secstore 1.0"); goto done; } *eol = 0; if(pS) *pS = strdup(S); strtomp(hexmu, nil, 64, mu); mpexp(mu, x, pak->p, sigma); hexsigma = mptoa(sigma, 64, nil, 0); shorthash("server", C, S, hexm, hexmu, hexsigma, hexHi, digest); enc64(kc, sizeof kc, digest, SHA1dlen); if(strcmp(ks, kc) != 0){ writerr(conn, "verifier didn't match"); goto done; } // send hash2(g**xy) shorthash("client", C, S, hexm, hexmu, hexsigma, hexHi, digest); enc64(kc, sizeof kc, digest, SHA1dlen); snprint(mess2, Maxmsg, "k'=%s\n", kc); conn->write(conn, (uchar*)mess2, strlen(mess2)); // set session key shorthash("session", C, S, hexm, hexmu, hexsigma, hexHi, digest); memset(hexsigma, 0, strlen(hexsigma)); n = conn->secret(conn, digest, 0); memset(digest, 0, SHA1dlen); if(n < 0){//assert writerr(conn, "can't set secret"); goto done; } rc = 0; done: mpfree(x); mpfree(sigma); mpfree(mu); mpfree(m); mpfree(Hi); mpfree(H); free(hexsigma); free(hexHi); free(hexm); free(mess); return rc; } char* secstorefetch(char *addr, char *owner, char *password) { int fd; char *rv; char s[Maxmsg+1], bye[10]; SConn *conn; char *pass, *sta; sta = nil; conn = nil; rv = nil; if(password != nil && *password) pass = strdup(password); else pass = readcons("secstore password", nil, 1); if(pass==nil || strlen(pass)==0){ werrstr("cancel"); goto Out; } if((fd = secdial(addr)) < 0) goto Out; if((conn = newSConn(fd)) == nil) goto Out; if(PAKclient(conn, owner, pass, nil) < 0){ werrstr("password mistyped?"); goto Out; } if(readstr(conn, s) < 0) goto Out; if(strcmp(s, "STA") == 0){ sta = readcons("STA PIN+SecureID", nil, 1); if(sta==nil || strlen(sta)==0){ werrstr("cancel"); goto Out; } if(strlen(sta) >= sizeof s - 3){ werrstr("STA response too long"); goto Out; } strcpy(s+3, sta); conn->write(conn, (uchar*)s, strlen(s)); readstr(conn, s); } if(strcmp(s, "OK") !=0){ werrstr("%s", s); goto Out; } if((rv = getfile(conn, (uchar*)pass, strlen(pass))) == nil) goto Out; strcpy(bye, "BYE"); conn->write(conn, (uchar*)bye, 3); Out: if(conn) conn->free(conn); if(pass) free(pass); if(sta) free(sta); return rv; }