| 1 | /* |
| 2 | * Copyright (c) 1997-1999 The Stanford SRP Authentication Project |
| 3 | * All Rights Reserved. |
| 4 | * |
| 5 | * Permission is hereby granted, free of charge, to any person obtaining |
| 6 | * a copy of this software and associated documentation files (the |
| 7 | * "Software"), to deal in the Software without restriction, including |
| 8 | * without limitation the rights to use, copy, modify, merge, publish, |
| 9 | * distribute, sublicense, and/or sell copies of the Software, and to |
| 10 | * permit persons to whom the Software is furnished to do so, subject to |
| 11 | * the following conditions: |
| 12 | * |
| 13 | * The above copyright notice and this permission notice shall be |
| 14 | * included in all copies or substantial portions of the Software. |
| 15 | * |
| 16 | * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, |
| 17 | * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY |
| 18 | * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. |
| 19 | * |
| 20 | * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, |
| 21 | * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER |
| 22 | * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF |
| 23 | * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT |
| 24 | * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 25 | * |
| 26 | * In addition, the following conditions apply: |
| 27 | * |
| 28 | * 1. Any software that incorporates the SRP authentication technology |
| 29 | * must display the following acknowlegment: |
| 30 | * "This product uses the 'Secure Remote Password' cryptographic |
| 31 | * authentication system developed by Tom Wu (tjw@CS.Stanford.EDU)." |
| 32 | * |
| 33 | * 2. Any software that incorporates all or part of the SRP distribution |
| 34 | * itself must also display the following acknowledgment: |
| 35 | * "This product includes software developed by Tom Wu and Eugene |
| 36 | * Jhong for the SRP Distribution (http://srp.stanford.edu/srp/)." |
| 37 | * |
| 38 | * 3. Redistributions in source or binary form must retain an intact copy |
| 39 | * of this copyright notice and list of conditions. |
| 40 | */ |
| 41 | |
| 42 | #include <stdio.h> |
| 43 | #include "t_defines.h" |
| 44 | #include "t_pwd.h" |
| 45 | #include "t_client.h" |
| 46 | #include "t_sha.h" |
| 47 | |
| 48 | _TYPE( struct t_client * ) |
| 49 | t_clientopen(u, n, g, s) |
| 50 | const char * u; |
| 51 | struct t_num * n; |
| 52 | struct t_num * g; |
| 53 | struct t_num * s; |
| 54 | { |
| 55 | struct t_client * tc; |
| 56 | unsigned char buf1[SHA_DIGESTSIZE], buf2[SHA_DIGESTSIZE]; |
| 57 | SHA1_CTX ctxt; |
| 58 | int i, validated; |
| 59 | struct t_preconf * tpc; |
| 60 | |
| 61 | BigInteger nn, gg, n12, r; |
| 62 | |
| 63 | validated = 0; |
| 64 | if(n->len < MIN_MOD_BYTES) |
| 65 | return 0; |
| 66 | for(i = 0; i < t_getprecount(); ++i) { |
| 67 | tpc = t_getpreparam(i); |
| 68 | if(tpc->modulus.len == n->len && tpc->generator.len == g->len && |
| 69 | memcmp(tpc->modulus.data, n->data, n->len) == 0 && |
| 70 | memcmp(tpc->generator.data, g->data, g->len) == 0) { |
| 71 | validated = 1; /* Match found, done */ |
| 72 | break; |
| 73 | } |
| 74 | } |
| 75 | |
| 76 | if(validated == 0) |
| 77 | return 0; |
| 78 | |
| 79 | if((tc = malloc(sizeof(struct t_client))) == 0) |
| 80 | return 0; |
| 81 | |
| 82 | strncpy(tc->username, u, MAXUSERLEN); |
| 83 | |
| 84 | SHA1Init(&tc->hash); |
| 85 | |
| 86 | tc->n.len = n->len; |
| 87 | tc->n.data = tc->nbuf; |
| 88 | memcpy(tc->n.data, n->data, tc->n.len); |
| 89 | |
| 90 | SHA1Init(&ctxt); |
| 91 | SHA1Update(&ctxt, tc->n.data, tc->n.len); |
| 92 | SHA1Final(buf1, &ctxt); |
| 93 | |
| 94 | tc->g.len = g->len; |
| 95 | tc->g.data = tc->gbuf; |
| 96 | memcpy(tc->g.data, g->data, tc->g.len); |
| 97 | |
| 98 | SHA1Init(&ctxt); |
| 99 | SHA1Update(&ctxt, tc->g.data, tc->g.len); |
| 100 | SHA1Final(buf2, &ctxt); |
| 101 | |
| 102 | for(i = 0; i < sizeof(buf1); ++i) |
| 103 | buf1[i] ^= buf2[i]; |
| 104 | |
| 105 | SHA1Update(&tc->hash, buf1, sizeof(buf1)); |
| 106 | |
| 107 | SHA1Init(&ctxt); |
| 108 | SHA1Update(&ctxt, tc->username, strlen(tc->username)); |
| 109 | SHA1Final(buf1, &ctxt); |
| 110 | |
| 111 | SHA1Update(&tc->hash, buf1, sizeof(buf1)); |
| 112 | |
| 113 | tc->s.len = s->len; |
| 114 | tc->s.data = tc->sbuf; |
| 115 | memcpy(tc->s.data, s->data, tc->s.len); |
| 116 | |
| 117 | SHA1Update(&tc->hash, tc->s.data, tc->s.len); |
| 118 | |
| 119 | tc->a.data = tc->abuf; |
| 120 | tc->A.data = tc->Abuf; |
| 121 | tc->p.data = tc->pbuf; |
| 122 | tc->v.data = tc->vbuf; |
| 123 | |
| 124 | SHA1Init(&tc->ckhash); |
| 125 | |
| 126 | return tc; |
| 127 | } |
| 128 | |
| 129 | _TYPE( struct t_num * ) |
| 130 | t_clientgenexp(tc) |
| 131 | struct t_client * tc; |
| 132 | { |
| 133 | BigInteger a, A, n, g; |
| 134 | |
| 135 | if(tc->n.len < ALEN) |
| 136 | tc->a.len = tc->n.len; |
| 137 | else |
| 138 | tc->a.len = ALEN; |
| 139 | |
| 140 | t_random(tc->a.data, tc->a.len); |
| 141 | a = BigIntegerFromBytes(tc->a.data, tc->a.len); |
| 142 | n = BigIntegerFromBytes(tc->n.data, tc->n.len); |
| 143 | g = BigIntegerFromBytes(tc->g.data, tc->g.len); |
| 144 | A = BigIntegerFromInt(0); |
| 145 | BigIntegerModExp(A, g, a, n); |
| 146 | tc->A.len = BigIntegerToBytes(A, tc->A.data); |
| 147 | |
| 148 | BigIntegerFree(A); |
| 149 | BigIntegerFree(a); |
| 150 | BigIntegerFree(g); |
| 151 | BigIntegerFree(n); |
| 152 | |
| 153 | SHA1Update(&tc->hash, tc->A.data, tc->A.len); |
| 154 | SHA1Update(&tc->ckhash, tc->A.data, tc->A.len); |
| 155 | |
| 156 | return &tc->A; |
| 157 | } |
| 158 | |
| 159 | _TYPE( void ) |
| 160 | t_clientpasswd(tc, password) |
| 161 | struct t_client * tc; |
| 162 | char * password; |
| 163 | { |
| 164 | BigInteger n, g, p, v; |
| 165 | SHA1_CTX ctxt; |
| 166 | unsigned char dig[SHA_DIGESTSIZE]; |
| 167 | |
| 168 | n = BigIntegerFromBytes(tc->n.data, tc->n.len); |
| 169 | g = BigIntegerFromBytes(tc->g.data, tc->g.len); |
| 170 | |
| 171 | SHA1Init(&ctxt); |
| 172 | SHA1Update(&ctxt, tc->username, strlen(tc->username)); |
| 173 | SHA1Update(&ctxt, ":", 1); |
| 174 | SHA1Update(&ctxt, password, strlen(password)); |
| 175 | SHA1Final(dig, &ctxt); |
| 176 | |
| 177 | SHA1Init(&ctxt); |
| 178 | SHA1Update(&ctxt, tc->s.data, tc->s.len); |
| 179 | SHA1Update(&ctxt, dig, sizeof(dig)); |
| 180 | SHA1Final(dig, &ctxt); |
| 181 | |
| 182 | p = BigIntegerFromBytes(dig, sizeof(dig)); |
| 183 | |
| 184 | v = BigIntegerFromInt(0); |
| 185 | BigIntegerModExp(v, g, p, n); |
| 186 | |
| 187 | tc->p.len = BigIntegerToBytes(p, tc->p.data); |
| 188 | BigIntegerFree(p); |
| 189 | |
| 190 | tc->v.len = BigIntegerToBytes(v, tc->v.data); |
| 191 | BigIntegerFree(v); |
| 192 | } |
| 193 | |
| 194 | _TYPE( unsigned char * ) |
| 195 | t_clientgetkey(tc, serverval) |
| 196 | struct t_client * tc; |
| 197 | struct t_num * serverval; |
| 198 | { |
| 199 | BigInteger n, B, v, p, a, sum, S; |
| 200 | unsigned char sbuf[MAXPARAMLEN]; |
| 201 | unsigned char dig[SHA_DIGESTSIZE]; |
| 202 | unsigned slen; |
| 203 | unsigned int u; |
| 204 | SHA1_CTX ctxt; |
| 205 | |
| 206 | SHA1Init(&ctxt); |
| 207 | SHA1Update(&ctxt, serverval->data, serverval->len); |
| 208 | SHA1Final(dig, &ctxt); |
| 209 | u = (dig[0] << 24) | (dig[1] << 16) | (dig[2] << 8) | dig[3]; |
| 210 | if(u == 0) |
| 211 | return NULL; |
| 212 | |
| 213 | SHA1Update(&tc->hash, serverval->data, serverval->len); |
| 214 | |
| 215 | B = BigIntegerFromBytes(serverval->data, serverval->len); |
| 216 | n = BigIntegerFromBytes(tc->n.data, tc->n.len); |
| 217 | |
| 218 | if(BigIntegerCmp(B, n) >= 0 || BigIntegerCmpInt(B, 0) == 0) { |
| 219 | BigIntegerFree(B); |
| 220 | BigIntegerFree(n); |
| 221 | return NULL; |
| 222 | } |
| 223 | v = BigIntegerFromBytes(tc->v.data, tc->v.len); |
| 224 | if(BigIntegerCmp(B, v) < 0) |
| 225 | BigIntegerAdd(B, B, n); |
| 226 | BigIntegerSub(B, B, v); |
| 227 | BigIntegerFree(v); |
| 228 | |
| 229 | a = BigIntegerFromBytes(tc->a.data, tc->a.len); |
| 230 | p = BigIntegerFromBytes(tc->p.data, tc->p.len); |
| 231 | |
| 232 | sum = BigIntegerFromInt(0); |
| 233 | BigIntegerMulInt(sum, p, u); |
| 234 | BigIntegerAdd(sum, sum, a); |
| 235 | |
| 236 | BigIntegerFree(p); |
| 237 | BigIntegerFree(a); |
| 238 | |
| 239 | S = BigIntegerFromInt(0); |
| 240 | BigIntegerModExp(S, B, sum, n); |
| 241 | slen = BigIntegerToBytes(S, sbuf); |
| 242 | |
| 243 | BigIntegerFree(S); |
| 244 | BigIntegerFree(sum); |
| 245 | BigIntegerFree(B); |
| 246 | BigIntegerFree(n); |
| 247 | |
| 248 | t_sessionkey(tc->session_key, sbuf, slen); |
| 249 | memset(sbuf, 0, slen); |
| 250 | |
| 251 | SHA1Update(&tc->hash, tc->session_key, sizeof(tc->session_key)); |
| 252 | |
| 253 | SHA1Final(tc->session_response, &tc->hash); |
| 254 | SHA1Update(&tc->ckhash, tc->session_response, sizeof(tc->session_response)); |
| 255 | SHA1Update(&tc->ckhash, tc->session_key, sizeof(tc->session_key)); |
| 256 | |
| 257 | return tc->session_key; |
| 258 | } |
| 259 | |
| 260 | _TYPE( int ) |
| 261 | t_clientverify(tc, resp) |
| 262 | struct t_client * tc; |
| 263 | unsigned char * resp; |
| 264 | { |
| 265 | unsigned char expected[SHA_DIGESTSIZE]; |
| 266 | |
| 267 | SHA1Final(expected, &tc->ckhash); |
| 268 | return memcmp(expected, resp, sizeof(expected)); |
| 269 | } |
| 270 | |
| 271 | _TYPE( unsigned char * ) |
| 272 | t_clientresponse(tc) |
| 273 | struct t_client * tc; |
| 274 | { |
| 275 | return tc->session_response; |
| 276 | } |
| 277 | |
| 278 | _TYPE( void ) |
| 279 | t_clientclose(tc) |
| 280 | struct t_client * tc; |
| 281 | { |
| 282 | memset(tc->abuf, 0, sizeof(tc->abuf)); |
| 283 | memset(tc->pbuf, 0, sizeof(tc->pbuf)); |
| 284 | memset(tc->vbuf, 0, sizeof(tc->vbuf)); |
| 285 | memset(tc->session_key, 0, sizeof(tc->session_key)); |
| 286 | free(tc); |
| 287 | } |
| 288 | |
