| 5b01421b |
1 | /* $OpenBSD: jpake.c,v 1.2 2009/03/05 07:18:19 djm Exp $ */ |
| 5adf6b9a |
2 | /* |
| 3 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
| 4 | * |
| 5 | * Permission to use, copy, modify, and distribute this software for any |
| 6 | * purpose with or without fee is hereby granted, provided that the above |
| 7 | * copyright notice and this permission notice appear in all copies. |
| 8 | * |
| 9 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 10 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 11 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| 12 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 13 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| 14 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| 15 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 16 | */ |
| 17 | |
| 18 | /* |
| 19 | * Shared components of zero-knowledge password auth using J-PAKE protocol |
| 20 | * as described in: |
| 21 | * |
| 22 | * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", |
| 23 | * 16th Workshop on Security Protocols, Cambridge, April 2008 |
| 24 | * |
| 25 | * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf |
| 26 | */ |
| 27 | |
| 28 | #include "includes.h" |
| 29 | |
| 30 | #include <sys/types.h> |
| 31 | |
| 32 | #include <stdio.h> |
| 33 | #include <string.h> |
| 34 | #include <stdarg.h> |
| 35 | |
| 36 | #include <openssl/bn.h> |
| 37 | #include <openssl/evp.h> |
| 38 | |
| 39 | #include "xmalloc.h" |
| 40 | #include "ssh2.h" |
| 41 | #include "key.h" |
| 42 | #include "hostfile.h" |
| 43 | #include "auth.h" |
| 44 | #include "buffer.h" |
| 45 | #include "packet.h" |
| 46 | #include "dispatch.h" |
| 47 | #include "log.h" |
| 48 | |
| 49 | #include "jpake.h" |
| 5b01421b |
50 | #include "schnorr.h" |
| 5adf6b9a |
51 | |
| 52 | #ifdef JPAKE |
| 53 | |
| 54 | /* RFC3526 group 5, 1536 bits */ |
| 55 | #define JPAKE_GROUP_G "2" |
| 56 | #define JPAKE_GROUP_P \ |
| 57 | "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74" \ |
| 58 | "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437" \ |
| 59 | "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ |
| 60 | "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05" \ |
| 61 | "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \ |
| 62 | "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" |
| 63 | |
| 5b01421b |
64 | struct modp_group * |
| 5adf6b9a |
65 | jpake_default_group(void) |
| 66 | { |
| 5b01421b |
67 | return modp_group_from_g_and_safe_p(JPAKE_GROUP_G, JPAKE_GROUP_P); |
| 5adf6b9a |
68 | } |
| 69 | |
| 70 | struct jpake_ctx * |
| 71 | jpake_new(void) |
| 72 | { |
| 73 | struct jpake_ctx *ret; |
| 74 | |
| 75 | ret = xcalloc(1, sizeof(*ret)); |
| 76 | |
| 77 | ret->grp = jpake_default_group(); |
| 78 | |
| 79 | ret->s = ret->k = NULL; |
| 80 | ret->x1 = ret->x2 = ret->x3 = ret->x4 = NULL; |
| 81 | ret->g_x1 = ret->g_x2 = ret->g_x3 = ret->g_x4 = NULL; |
| 82 | ret->a = ret->b = NULL; |
| 83 | |
| 84 | ret->client_id = ret->server_id = NULL; |
| 85 | ret->h_k_cid_sessid = ret->h_k_sid_sessid = NULL; |
| 86 | |
| 87 | debug3("%s: alloc %p", __func__, ret); |
| 88 | |
| 89 | return ret; |
| 90 | } |
| 91 | |
| 5adf6b9a |
92 | void |
| 93 | jpake_free(struct jpake_ctx *pctx) |
| 94 | { |
| 95 | debug3("%s: free %p", __func__, pctx); |
| 96 | |
| 97 | #define JPAKE_BN_CLEAR_FREE(v) \ |
| 98 | do { \ |
| 99 | if ((v) != NULL) { \ |
| 100 | BN_clear_free(v); \ |
| 101 | (v) = NULL; \ |
| 102 | } \ |
| 103 | } while (0) |
| 104 | #define JPAKE_BUF_CLEAR_FREE(v, l) \ |
| 105 | do { \ |
| 106 | if ((v) != NULL) { \ |
| 107 | bzero((v), (l)); \ |
| 108 | xfree(v); \ |
| 109 | (v) = NULL; \ |
| 110 | (l) = 0; \ |
| 111 | } \ |
| 112 | } while (0) |
| 113 | |
| 114 | JPAKE_BN_CLEAR_FREE(pctx->s); |
| 115 | JPAKE_BN_CLEAR_FREE(pctx->k); |
| 116 | JPAKE_BN_CLEAR_FREE(pctx->x1); |
| 117 | JPAKE_BN_CLEAR_FREE(pctx->x2); |
| 118 | JPAKE_BN_CLEAR_FREE(pctx->x3); |
| 119 | JPAKE_BN_CLEAR_FREE(pctx->x4); |
| 120 | JPAKE_BN_CLEAR_FREE(pctx->g_x1); |
| 121 | JPAKE_BN_CLEAR_FREE(pctx->g_x2); |
| 122 | JPAKE_BN_CLEAR_FREE(pctx->g_x3); |
| 123 | JPAKE_BN_CLEAR_FREE(pctx->g_x4); |
| 124 | JPAKE_BN_CLEAR_FREE(pctx->a); |
| 125 | JPAKE_BN_CLEAR_FREE(pctx->b); |
| 126 | |
| 127 | JPAKE_BUF_CLEAR_FREE(pctx->client_id, pctx->client_id_len); |
| 128 | JPAKE_BUF_CLEAR_FREE(pctx->server_id, pctx->server_id_len); |
| 129 | JPAKE_BUF_CLEAR_FREE(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len); |
| 130 | JPAKE_BUF_CLEAR_FREE(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len); |
| 131 | |
| 132 | #undef JPAKE_BN_CLEAR_FREE |
| 133 | #undef JPAKE_BUF_CLEAR_FREE |
| 134 | |
| 135 | bzero(pctx, sizeof(pctx)); |
| 136 | xfree(pctx); |
| 137 | } |
| 138 | |
| 139 | /* dump entire jpake_ctx. NB. includes private values! */ |
| 140 | void |
| 141 | jpake_dump(struct jpake_ctx *pctx, const char *fmt, ...) |
| 142 | { |
| 143 | char *out; |
| 144 | va_list args; |
| 145 | |
| 146 | out = NULL; |
| 147 | va_start(args, fmt); |
| 148 | vasprintf(&out, fmt, args); |
| 149 | va_end(args); |
| 150 | if (out == NULL) |
| 151 | fatal("%s: vasprintf failed", __func__); |
| 152 | |
| 153 | debug3("%s: %s (ctx at %p)", __func__, out, pctx); |
| 154 | if (pctx == NULL) { |
| 155 | free(out); |
| 156 | return; |
| 157 | } |
| 158 | |
| 159 | #define JPAKE_DUMP_BN(a) do { \ |
| 160 | if ((a) != NULL) \ |
| 161 | JPAKE_DEBUG_BN(((a), "%s = ", #a)); \ |
| 162 | } while (0) |
| 163 | #define JPAKE_DUMP_BUF(a, b) do { \ |
| 164 | if ((a) != NULL) \ |
| 165 | JPAKE_DEBUG_BUF((a, b, "%s", #a)); \ |
| 166 | } while (0) |
| 167 | |
| 168 | JPAKE_DUMP_BN(pctx->s); |
| 169 | JPAKE_DUMP_BN(pctx->k); |
| 170 | JPAKE_DUMP_BN(pctx->x1); |
| 171 | JPAKE_DUMP_BN(pctx->x2); |
| 172 | JPAKE_DUMP_BN(pctx->x3); |
| 173 | JPAKE_DUMP_BN(pctx->x4); |
| 174 | JPAKE_DUMP_BN(pctx->g_x1); |
| 175 | JPAKE_DUMP_BN(pctx->g_x2); |
| 176 | JPAKE_DUMP_BN(pctx->g_x3); |
| 177 | JPAKE_DUMP_BN(pctx->g_x4); |
| 178 | JPAKE_DUMP_BN(pctx->a); |
| 179 | JPAKE_DUMP_BN(pctx->b); |
| 180 | |
| 181 | JPAKE_DUMP_BUF(pctx->client_id, pctx->client_id_len); |
| 182 | JPAKE_DUMP_BUF(pctx->server_id, pctx->server_id_len); |
| 183 | JPAKE_DUMP_BUF(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len); |
| 184 | JPAKE_DUMP_BUF(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len); |
| 185 | |
| 186 | debug3("%s: %s done", __func__, out); |
| 187 | free(out); |
| 188 | } |
| 189 | |
| 190 | /* Shared parts of step 1 exchange calculation */ |
| 191 | void |
| 5b01421b |
192 | jpake_step1(struct modp_group *grp, |
| 5adf6b9a |
193 | u_char **id, u_int *id_len, |
| 194 | BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2, |
| 195 | u_char **priv1_proof, u_int *priv1_proof_len, |
| 196 | u_char **priv2_proof, u_int *priv2_proof_len) |
| 197 | { |
| 198 | BN_CTX *bn_ctx; |
| 199 | |
| 200 | if ((bn_ctx = BN_CTX_new()) == NULL) |
| 201 | fatal("%s: BN_CTX_new", __func__); |
| 202 | |
| 203 | /* Random nonce to prevent replay */ |
| 204 | *id = xmalloc(KZP_ID_LEN); |
| 205 | *id_len = KZP_ID_LEN; |
| 206 | arc4random_buf(*id, *id_len); |
| 207 | |
| 208 | /* |
| 209 | * x1/x3 is a random element of Zq |
| 210 | * x2/x4 is a random element of Z*q |
| 211 | * We also exclude [1] from x1/x3 candidates and [0, 1] from |
| 212 | * x2/x4 candiates to avoid possible degeneracy (i.e. g^0, g^1). |
| 213 | */ |
| 214 | if ((*priv1 = bn_rand_range_gt_one(grp->q)) == NULL || |
| 215 | (*priv2 = bn_rand_range_gt_one(grp->q)) == NULL) |
| 216 | fatal("%s: bn_rand_range_gt_one", __func__); |
| 217 | |
| 218 | /* |
| 219 | * client: g_x1 = g^x1 mod p / server: g_x3 = g^x3 mod p |
| 220 | * client: g_x2 = g^x2 mod p / server: g_x4 = g^x4 mod p |
| 221 | */ |
| 222 | if ((*g_priv1 = BN_new()) == NULL || |
| 223 | (*g_priv2 = BN_new()) == NULL) |
| 224 | fatal("%s: BN_new", __func__); |
| 225 | if (BN_mod_exp(*g_priv1, grp->g, *priv1, grp->p, bn_ctx) == -1) |
| 226 | fatal("%s: BN_mod_exp", __func__); |
| 227 | if (BN_mod_exp(*g_priv2, grp->g, *priv2, grp->p, bn_ctx) == -1) |
| 228 | fatal("%s: BN_mod_exp", __func__); |
| 229 | |
| 230 | /* Generate proofs for holding x1/x3 and x2/x4 */ |
| 5b01421b |
231 | if (schnorr_sign_buf(grp->p, grp->q, grp->g, |
| 5adf6b9a |
232 | *priv1, *g_priv1, *id, *id_len, |
| 233 | priv1_proof, priv1_proof_len) != 0) |
| 234 | fatal("%s: schnorr_sign", __func__); |
| 5b01421b |
235 | if (schnorr_sign_buf(grp->p, grp->q, grp->g, |
| 5adf6b9a |
236 | *priv2, *g_priv2, *id, *id_len, |
| 237 | priv2_proof, priv2_proof_len) != 0) |
| 238 | fatal("%s: schnorr_sign", __func__); |
| 239 | |
| 240 | BN_CTX_free(bn_ctx); |
| 241 | } |
| 242 | |
| 243 | /* Shared parts of step 2 exchange calculation */ |
| 244 | void |
| 5b01421b |
245 | jpake_step2(struct modp_group *grp, BIGNUM *s, |
| 5adf6b9a |
246 | BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2, |
| 247 | const u_char *theirid, u_int theirid_len, |
| 248 | const u_char *myid, u_int myid_len, |
| 249 | const u_char *theirpub1_proof, u_int theirpub1_proof_len, |
| 250 | const u_char *theirpub2_proof, u_int theirpub2_proof_len, |
| 251 | BIGNUM **newpub, |
| 252 | u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len) |
| 253 | { |
| 254 | BN_CTX *bn_ctx; |
| 255 | BIGNUM *tmp, *exponent; |
| 256 | |
| 257 | /* Validate peer's step 1 values */ |
| 258 | if (BN_cmp(theirpub1, BN_value_one()) <= 0) |
| 259 | fatal("%s: theirpub1 <= 1", __func__); |
| 260 | if (BN_cmp(theirpub2, BN_value_one()) <= 0) |
| 261 | fatal("%s: theirpub2 <= 1", __func__); |
| 262 | |
| 5b01421b |
263 | if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1, |
| 5adf6b9a |
264 | theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1) |
| 265 | fatal("%s: schnorr_verify theirpub1 failed", __func__); |
| 5b01421b |
266 | if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub2, |
| 5adf6b9a |
267 | theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1) |
| 268 | fatal("%s: schnorr_verify theirpub2 failed", __func__); |
| 269 | |
| 270 | if ((bn_ctx = BN_CTX_new()) == NULL) |
| 271 | fatal("%s: BN_CTX_new", __func__); |
| 272 | |
| 273 | if ((*newpub = BN_new()) == NULL || |
| 274 | (tmp = BN_new()) == NULL || |
| 275 | (exponent = BN_new()) == NULL) |
| 276 | fatal("%s: BN_new", __func__); |
| 277 | |
| 278 | /* |
| 279 | * client: exponent = x2 * s mod p |
| 280 | * server: exponent = x4 * s mod p |
| 281 | */ |
| 282 | if (BN_mod_mul(exponent, mypriv2, s, grp->q, bn_ctx) != 1) |
| 283 | fatal("%s: BN_mod_mul (exponent = mypriv2 * s mod p)", |
| 284 | __func__); |
| 285 | |
| 286 | /* |
| 287 | * client: tmp = g^(x1 + x3 + x4) mod p |
| 288 | * server: tmp = g^(x1 + x2 + x3) mod p |
| 289 | */ |
| 290 | if (BN_mod_mul(tmp, mypub1, theirpub1, grp->p, bn_ctx) != 1) |
| 291 | fatal("%s: BN_mod_mul (tmp = mypub1 * theirpub1 mod p)", |
| 292 | __func__); |
| 293 | if (BN_mod_mul(tmp, tmp, theirpub2, grp->p, bn_ctx) != 1) |
| 294 | fatal("%s: BN_mod_mul (tmp = tmp * theirpub2 mod p)", __func__); |
| 295 | |
| 296 | /* |
| 297 | * client: a = tmp^exponent = g^((x1+x3+x4) * x2 * s) mod p |
| 298 | * server: b = tmp^exponent = g^((x1+x2+x3) * x4 * s) mod p |
| 299 | */ |
| 300 | if (BN_mod_exp(*newpub, tmp, exponent, grp->p, bn_ctx) != 1) |
| 301 | fatal("%s: BN_mod_mul (newpub = tmp^exponent mod p)", __func__); |
| 302 | |
| 303 | JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__)); |
| 304 | JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__)); |
| 305 | |
| 306 | /* Note the generator here is 'tmp', not g */ |
| 5b01421b |
307 | if (schnorr_sign_buf(grp->p, grp->q, tmp, exponent, *newpub, |
| 5adf6b9a |
308 | myid, myid_len, |
| 309 | newpub_exponent_proof, newpub_exponent_proof_len) != 0) |
| 310 | fatal("%s: schnorr_sign newpub", __func__); |
| 311 | |
| 312 | BN_clear_free(tmp); /* XXX stash for later use? */ |
| 313 | BN_clear_free(exponent); /* XXX stash for later use? (yes, in conf) */ |
| 314 | |
| 315 | BN_CTX_free(bn_ctx); |
| 316 | } |
| 317 | |
| 318 | /* Confirmation hash calculation */ |
| 319 | void |
| 320 | jpake_confirm_hash(const BIGNUM *k, |
| 321 | const u_char *endpoint_id, u_int endpoint_id_len, |
| 322 | const u_char *sess_id, u_int sess_id_len, |
| 323 | u_char **confirm_hash, u_int *confirm_hash_len) |
| 324 | { |
| 325 | Buffer b; |
| 326 | |
| 327 | /* |
| 328 | * Calculate confirmation proof: |
| 329 | * client: H(k || client_id || session_id) |
| 330 | * server: H(k || server_id || session_id) |
| 331 | */ |
| 332 | buffer_init(&b); |
| 333 | buffer_put_bignum2(&b, k); |
| 334 | buffer_put_string(&b, endpoint_id, endpoint_id_len); |
| 335 | buffer_put_string(&b, sess_id, sess_id_len); |
| 336 | if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(), |
| 337 | confirm_hash, confirm_hash_len) != 0) |
| 338 | fatal("%s: hash_buffer", __func__); |
| 339 | buffer_free(&b); |
| 340 | } |
| 341 | |
| 342 | /* Shared parts of key derivation and confirmation calculation */ |
| 343 | void |
| 5b01421b |
344 | jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val, |
| 5adf6b9a |
345 | BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2, |
| 346 | BIGNUM *theirpub1, BIGNUM *theirpub2, |
| 347 | const u_char *my_id, u_int my_id_len, |
| 348 | const u_char *their_id, u_int their_id_len, |
| 349 | const u_char *sess_id, u_int sess_id_len, |
| 350 | const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len, |
| 351 | BIGNUM **k, |
| 352 | u_char **confirm_hash, u_int *confirm_hash_len) |
| 353 | { |
| 354 | BN_CTX *bn_ctx; |
| 355 | BIGNUM *tmp; |
| 356 | |
| 357 | if ((bn_ctx = BN_CTX_new()) == NULL) |
| 358 | fatal("%s: BN_CTX_new", __func__); |
| 359 | if ((tmp = BN_new()) == NULL || |
| 360 | (*k = BN_new()) == NULL) |
| 361 | fatal("%s: BN_new", __func__); |
| 362 | |
| 363 | /* Validate step 2 values */ |
| 364 | if (BN_cmp(step2_val, BN_value_one()) <= 0) |
| 365 | fatal("%s: step2_val <= 1", __func__); |
| 366 | |
| 367 | /* |
| 368 | * theirpriv2_s_proof is calculated with a different generator: |
| 369 | * tmp = g^(mypriv1+mypriv2+theirpub1) = g^mypub1*g^mypub2*g^theirpub1 |
| 370 | * Calculate it here so we can check the signature. |
| 371 | */ |
| 372 | if (BN_mod_mul(tmp, mypub1, mypub2, grp->p, bn_ctx) != 1) |
| 373 | fatal("%s: BN_mod_mul (tmp = mypub1 * mypub2 mod p)", __func__); |
| 374 | if (BN_mod_mul(tmp, tmp, theirpub1, grp->p, bn_ctx) != 1) |
| 375 | fatal("%s: BN_mod_mul (tmp = tmp * theirpub1 mod p)", __func__); |
| 376 | |
| 377 | JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__)); |
| 378 | |
| 5b01421b |
379 | if (schnorr_verify_buf(grp->p, grp->q, tmp, step2_val, |
| 5adf6b9a |
380 | their_id, their_id_len, |
| 381 | theirpriv2_s_proof, theirpriv2_s_proof_len) != 1) |
| 382 | fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__); |
| 383 | |
| 384 | /* |
| 385 | * Derive shared key: |
| 386 | * client: k = (b / g^(x2*x4*s))^x2 = g^((x1+x3)*x2*x4*s) |
| 387 | * server: k = (a / g^(x2*x4*s))^x4 = g^((x1+x3)*x2*x4*s) |
| 388 | * |
| 389 | * Computed as: |
| 390 | * client: k = (g_x4^(q - (x2 * s)) * b)^x2 mod p |
| 391 | * server: k = (g_x2^(q - (x4 * s)) * b)^x4 mod p |
| 392 | */ |
| 393 | if (BN_mul(tmp, mypriv2, s, bn_ctx) != 1) |
| 394 | fatal("%s: BN_mul (tmp = mypriv2 * s)", __func__); |
| 395 | if (BN_mod_sub(tmp, grp->q, tmp, grp->q, bn_ctx) != 1) |
| 396 | fatal("%s: BN_mod_sub (tmp = q - tmp mod q)", __func__); |
| 397 | if (BN_mod_exp(tmp, theirpub2, tmp, grp->p, bn_ctx) != 1) |
| 398 | fatal("%s: BN_mod_exp (tmp = theirpub2^tmp) mod p", __func__); |
| 399 | if (BN_mod_mul(tmp, tmp, step2_val, grp->p, bn_ctx) != 1) |
| 400 | fatal("%s: BN_mod_mul (tmp = tmp * step2_val) mod p", __func__); |
| 401 | if (BN_mod_exp(*k, tmp, mypriv2, grp->p, bn_ctx) != 1) |
| 402 | fatal("%s: BN_mod_exp (k = tmp^mypriv2) mod p", __func__); |
| 403 | |
| 404 | BN_CTX_free(bn_ctx); |
| 405 | BN_clear_free(tmp); |
| 406 | |
| 407 | jpake_confirm_hash(*k, my_id, my_id_len, sess_id, sess_id_len, |
| 408 | confirm_hash, confirm_hash_len); |
| 409 | } |
| 410 | |
| 411 | /* |
| 412 | * Calculate and check confirmation hash from peer. Returns 1 on success |
| 413 | * 0 on failure/mismatch. |
| 414 | */ |
| 415 | int |
| 416 | jpake_check_confirm(const BIGNUM *k, |
| 417 | const u_char *peer_id, u_int peer_id_len, |
| 418 | const u_char *sess_id, u_int sess_id_len, |
| 419 | const u_char *peer_confirm_hash, u_int peer_confirm_hash_len) |
| 420 | { |
| 421 | u_char *expected_confirm_hash; |
| 422 | u_int expected_confirm_hash_len; |
| 423 | int success = 0; |
| 424 | |
| 425 | /* Calculate and verify expected confirmation hash */ |
| 426 | jpake_confirm_hash(k, peer_id, peer_id_len, sess_id, sess_id_len, |
| 427 | &expected_confirm_hash, &expected_confirm_hash_len); |
| 428 | |
| 429 | JPAKE_DEBUG_BUF((expected_confirm_hash, expected_confirm_hash_len, |
| 430 | "%s: expected confirm hash", __func__)); |
| 431 | JPAKE_DEBUG_BUF((peer_confirm_hash, peer_confirm_hash_len, |
| 432 | "%s: received confirm hash", __func__)); |
| 433 | |
| 434 | if (peer_confirm_hash_len != expected_confirm_hash_len) |
| 435 | error("%s: confirmation length mismatch (my %u them %u)", |
| 436 | __func__, expected_confirm_hash_len, peer_confirm_hash_len); |
| 437 | else if (memcmp(peer_confirm_hash, expected_confirm_hash, |
| 438 | expected_confirm_hash_len) == 0) |
| 439 | success = 1; |
| 440 | bzero(expected_confirm_hash, expected_confirm_hash_len); |
| 441 | xfree(expected_confirm_hash); |
| 442 | debug3("%s: success = %d", __func__, success); |
| 443 | return success; |
| 444 | } |
| 445 | |
| 446 | /* XXX main() function with tests */ |
| 447 | |
| 448 | #endif /* JPAKE */ |
| 449 | |
andersk / openssh.git / blame