diff options
| author | est31 <MTest31@outlook.com> | 2015-04-12 04:49:13 +0200 |
|---|---|---|
| committer | est31 <MTest31@outlook.com> | 2015-05-11 18:40:27 +0200 |
| commit | 82e35edff52d88dcd64a9bfc9d2c4c93f1341b78 (patch) | |
| tree | bf55839e296c6d1cb9b7f81b8f5cf69e0492b4c0 /src/util | |
| parent | 181f7baa453c58d4070de7196fd74663110946a8 (diff) | |
| download | minetest-82e35edff52d88dcd64a9bfc9d2c4c93f1341b78.tar.gz minetest-82e35edff52d88dcd64a9bfc9d2c4c93f1341b78.tar.bz2 minetest-82e35edff52d88dcd64a9bfc9d2c4c93f1341b78.zip | |
Make early protocol auth mechanism generic, and add SRP
Adds everything needed for SRP (and everything works too),
but still deactivated, as protocol v25 init packets aren't final yet.
Can be activated by changing the LATEST_PROTOCOL_VERSION header to 25
inside networkprotocol.h.
Diffstat (limited to 'src/util')
| -rw-r--r-- | src/util/CMakeLists.txt | 3 | ||||
| -rw-r--r-- | src/util/auth.cpp | 126 | ||||
| -rw-r--r-- | src/util/auth.h | 37 | ||||
| -rw-r--r-- | src/util/md32_common.h | 428 | ||||
| -rw-r--r-- | src/util/sha2.h | 154 | ||||
| -rw-r--r-- | src/util/sha256.c | 404 | ||||
| -rw-r--r-- | src/util/srp.cpp | 1029 | ||||
| -rw-r--r-- | src/util/srp.h | 171 | ||||
| -rw-r--r-- | src/util/string.cpp | 23 | ||||
| -rw-r--r-- | src/util/string.h | 3 |
10 files changed, 2353 insertions, 25 deletions
diff --git a/src/util/CMakeLists.txt b/src/util/CMakeLists.txt index 112f09bb9..33900a43a 100644 --- a/src/util/CMakeLists.txt +++ b/src/util/CMakeLists.txt @@ -1,11 +1,14 @@ set(UTIL_SRCS + ${CMAKE_CURRENT_SOURCE_DIR}/auth.cpp ${CMAKE_CURRENT_SOURCE_DIR}/base64.cpp ${CMAKE_CURRENT_SOURCE_DIR}/directiontables.cpp ${CMAKE_CURRENT_SOURCE_DIR}/numeric.cpp ${CMAKE_CURRENT_SOURCE_DIR}/pointedthing.cpp ${CMAKE_CURRENT_SOURCE_DIR}/serialize.cpp ${CMAKE_CURRENT_SOURCE_DIR}/sha1.cpp + ${CMAKE_CURRENT_SOURCE_DIR}/sha256.c ${CMAKE_CURRENT_SOURCE_DIR}/string.cpp + ${CMAKE_CURRENT_SOURCE_DIR}/srp.cpp ${CMAKE_CURRENT_SOURCE_DIR}/timetaker.cpp PARENT_SCOPE) diff --git a/src/util/auth.cpp b/src/util/auth.cpp new file mode 100644 index 000000000..ac5139535 --- /dev/null +++ b/src/util/auth.cpp @@ -0,0 +1,126 @@ +/* +Minetest +Copyright (C) 2015 est31 <MTest31@outlook.com> + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU Lesser General Public License as published by +the Free Software Foundation; either version 2.1 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Lesser General Public License for more details. + +You should have received a copy of the GNU Lesser General Public License along +with this program; if not, write to the Free Software Foundation, Inc., +51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +#include <algorithm> +#include <string> +#include "auth.h" +#include "base64.h" +#include "sha1.h" +#include "srp.h" +#include "string.h" + +// Get an sha-1 hash of the player's name combined with +// the password entered. That's what the server uses as +// their password. (Exception : if the password field is +// blank, we send a blank password - this is for backwards +// compatibility with password-less players). +std::string translatePassword(const std::string &name, + const std::string &password) +{ + if (password.length() == 0) + return ""; + + std::string slt = name + password; + SHA1 sha1; + sha1.addBytes(slt.c_str(), slt.length()); + unsigned char *digest = sha1.getDigest(); + std::string pwd = base64_encode(digest, 20); + free(digest); + return pwd; +} + +void getSRPVerifier(const std::string &name, + const std::string &password, char **salt, size_t *salt_len, + char **bytes_v, size_t *len_v) +{ + std::string n_name = lowercase(name); + srp_create_salted_verification_key(SRP_SHA256, SRP_NG_2048, + n_name.c_str(), (const unsigned char *)password.c_str(), + password.size(), (unsigned char **)salt, salt_len, + (unsigned char **)bytes_v, len_v, NULL, NULL); +} + +// Get a db-ready SRP verifier +// The salt param is only modifyable by this method so that you can free it +// if it was allocated. You shouldn't use it for other purposes, as you will +// need the contents of salt_len too. +inline static std::string getSRPVerifier(const std::string &name, + const std::string &password, char ** salt, size_t salt_len) +{ + char * bytes_v = NULL; + size_t len_v; + getSRPVerifier(name, password, salt, &salt_len, + &bytes_v, &len_v); + std::string ret_val = encodeSRPVerifier(std::string(bytes_v, len_v), + std::string(*salt, salt_len)); + free(bytes_v); + return ret_val; +} + +// Get a db-ready SRP verifier +std::string getSRPVerifier(const std::string &name, + const std::string &password) +{ + char * salt = NULL; + std::string ret_val = getSRPVerifier(name, + password, &salt, 0); + free(salt); + return ret_val; +} + +// Get a db-ready SRP verifier +std::string getSRPVerifier(const std::string &name, + const std::string &password, const std::string &salt) +{ + // The implementation won't change the salt if its set, + // therefore we can cast. + char *salt_cstr = (char *)salt.c_str(); + return getSRPVerifier(name, password, + &salt_cstr, salt.size()); +} + +// Make a SRP verifier db-ready +std::string encodeSRPVerifier(const std::string &verifier, + const std::string &salt) +{ + std::ostringstream ret_str; + ret_str << "#1#" + << base64_encode((unsigned char*) salt.c_str(), salt.size()) << "#" + << base64_encode((unsigned char*) verifier.c_str(), verifier.size()); + return ret_str.str(); +} + +bool decodeSRPVerifier(const std::string &enc_pwd, + std::string *salt, std::string *bytes_v) +{ + std::vector<std::string> pwd_components = str_split(enc_pwd, '#'); + + if ((pwd_components.size() != 4) + || (pwd_components[1] != "1") // 1 means srp + || !base64_is_valid(pwd_components[2]) + || !base64_is_valid(pwd_components[3])) + return false; + + std::string salt_str = base64_decode(pwd_components[2]); + std::string bytes_v_str = base64_decode(pwd_components[3]); + *salt = salt_str; + *bytes_v = bytes_v_str; + return true; + +} diff --git a/src/util/auth.h b/src/util/auth.h new file mode 100644 index 000000000..36d8c20a4 --- /dev/null +++ b/src/util/auth.h @@ -0,0 +1,37 @@ +/* +Minetest +Copyright (C) 2015 est31 <MTest31@outlook.com> + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU Lesser General Public License as published by +the Free Software Foundation; either version 2.1 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Lesser General Public License for more details. + +You should have received a copy of the GNU Lesser General Public License along +with this program; if not, write to the Free Software Foundation, Inc., +51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +#ifndef AUTH_H +#define AUTH_H + +std::string translatePassword(const std::string &name, + const std::string &password); +void getSRPVerifier(const std::string &name, + const std::string &password, char **salt, size_t *salt_len, + char **bytes_v, size_t *len_v); +std::string getSRPVerifier(const std::string &name, + const std::string &password); +std::string getSRPVerifier(const std::string &name, + const std::string &password, const std::string &salt); +std::string encodeSRPVerifier(const std::string &verifier, + const std::string &salt); +bool decodeSRPVerifier(const std::string &enc_pwd, + std::string *salt, std::string *bytes_v); + +#endif
\ No newline at end of file diff --git a/src/util/md32_common.h b/src/util/md32_common.h new file mode 100644 index 000000000..085d1d7a5 --- /dev/null +++ b/src/util/md32_common.h @@ -0,0 +1,428 @@ +/* md32_common.h file used by sha256 implementation */ +/* ==================================================================== + * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + */ + +/*- + * This is a generic 32 bit "collector" for message digest algorithms. + * Whenever needed it collects input character stream into chunks of + * 32 bit values and invokes a block function that performs actual hash + * calculations. + * + * Porting guide. + * + * Obligatory macros: + * + * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN + * this macro defines byte order of input stream. + * HASH_CBLOCK + * size of a unit chunk HASH_BLOCK operates on. + * HASH_LONG + * has to be at lest 32 bit wide, if it's wider, then + * HASH_LONG_LOG2 *has to* be defined along + * HASH_CTX + * context structure that at least contains following + * members: + * typedef struct { + * ... + * HASH_LONG Nl,Nh; + * either { + * HASH_LONG data[HASH_LBLOCK]; + * unsigned char data[HASH_CBLOCK]; + * }; + * unsigned int num; + * ... + * } HASH_CTX; + * data[] vector is expected to be zeroed upon first call to + * HASH_UPDATE. + * HASH_UPDATE + * name of "Update" function, implemented here. + * HASH_TRANSFORM + * name of "Transform" function, implemented here. + * HASH_FINAL + * name of "Final" function, implemented here. + * HASH_BLOCK_DATA_ORDER + * name of "block" function capable of treating *unaligned* input + * message in original (data) byte order, implemented externally. + * HASH_MAKE_STRING + * macro convering context variables to an ASCII hash string. + * + * MD5 example: + * + * #define DATA_ORDER_IS_LITTLE_ENDIAN + * + * #define HASH_LONG MD5_LONG + * #define HASH_LONG_LOG2 MD5_LONG_LOG2 + * #define HASH_CTX MD5_CTX + * #define HASH_CBLOCK MD5_CBLOCK + * #define HASH_UPDATE MD5_Update + * #define HASH_TRANSFORM MD5_Transform + * #define HASH_FINAL MD5_Final + * #define HASH_BLOCK_DATA_ORDER md5_block_data_order + * + * <appro@fy.chalmers.se> + */ + +#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN) +# error "DATA_ORDER must be defined!" +#endif + +#ifndef HASH_CBLOCK +# error "HASH_CBLOCK must be defined!" +#endif +#ifndef HASH_LONG +# error "HASH_LONG must be defined!" +#endif +#ifndef HASH_CTX +# error "HASH_CTX must be defined!" +#endif + +#ifndef HASH_UPDATE +# error "HASH_UPDATE must be defined!" +#endif +#ifndef HASH_TRANSFORM +# error "HASH_TRANSFORM must be defined!" +#endif +#ifndef HASH_FINAL +# error "HASH_FINAL must be defined!" +#endif + +#ifndef HASH_BLOCK_DATA_ORDER +# error "HASH_BLOCK_DATA_ORDER must be defined!" +#endif + +/* + * Engage compiler specific rotate intrinsic function if available. + */ +#undef ROTATE +#ifndef PEDANTIC +# if defined(_MSC_VER) +# define ROTATE(a,n) _lrotl(a,n) +# elif defined(__ICC) +# define ROTATE(a,n) _rotl(a,n) +# elif defined(__MWERKS__) +# if defined(__POWERPC__) +# define ROTATE(a,n) __rlwinm(a,n,0,31) +# elif defined(__MC68K__) + /* Motorola specific tweak. <appro@fy.chalmers.se> */ +# define ROTATE(a,n) ( n<24 ? __rol(a,n) : __ror(a,32-n) ) +# else +# define ROTATE(a,n) __rol(a,n) +# endif +# elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) + /* + * Some GNU C inline assembler templates. Note that these are + * rotates by *constant* number of bits! But that's exactly + * what we need here... + * <appro@fy.chalmers.se> + */ +# if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__) +# define ROTATE(a,n) ({ register unsigned int ret; \ + asm ( \ + "roll %1,%0" \ + : "=r"(ret) \ + : "I"(n), "0"((unsigned int)(a)) \ + : "cc"); \ + ret; \ + }) +# elif defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \ + defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__) +# define ROTATE(a,n) ({ register unsigned int ret; \ + asm ( \ + "rlwinm %0,%1,%2,0,31" \ + : "=r"(ret) \ + : "r"(a), "I"(n)); \ + ret; \ + }) +# elif defined(__s390x__) +# define ROTATE(a,n) ({ register unsigned int ret; \ + asm ("rll %0,%1,%2" \ + : "=r"(ret) \ + : "r"(a), "I"(n)); \ + ret; \ + }) +# endif +# endif +#endif /* PEDANTIC */ + +#ifndef ROTATE +# define ROTATE(a,n) (((a)<<(n))|(((a)&0xffffffff)>>(32-(n)))) +#endif + +#if defined(DATA_ORDER_IS_BIG_ENDIAN) + +# ifndef PEDANTIC +# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) +# if ((defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)) || \ + (defined(__x86_64) || defined(__x86_64__)) +# if !defined(B_ENDIAN) + /* + * This gives ~30-40% performance improvement in SHA-256 compiled + * with gcc [on P4]. Well, first macro to be frank. We can pull + * this trick on x86* platforms only, because these CPUs can fetch + * unaligned data without raising an exception. + */ +# define HOST_c2l(c,l) ({ unsigned int r=*((const unsigned int *)(c)); \ + asm ("bswapl %0":"=r"(r):"0"(r)); \ + (c)+=4; (l)=r; }) +# define HOST_l2c(l,c) ({ unsigned int r=(l); \ + asm ("bswapl %0":"=r"(r):"0"(r)); \ + *((unsigned int *)(c))=r; (c)+=4; r; }) +# endif +# elif defined(__aarch64__) +# if defined(__BYTE_ORDER__) +# if defined(__ORDER_LITTLE_ENDIAN__) && __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__ +# define HOST_c2l(c,l) ({ unsigned int r; \ + asm ("rev %w0,%w1" \ + :"=r"(r) \ + :"r"(*((const unsigned int *)(c))));\ + (c)+=4; (l)=r; }) +# define HOST_l2c(l,c) ({ unsigned int r; \ + asm ("rev %w0,%w1" \ + :"=r"(r) \ + :"r"((unsigned int)(l)));\ + *((unsigned int *)(c))=r; (c)+=4; r; }) +# elif defined(__ORDER_BIG_ENDIAN__) && __BYTE_ORDER__==__ORDER_BIG_ENDIAN__ +# define HOST_c2l(c,l) ((l)=*((const unsigned int *)(c)), (c)+=4, (l)) +# define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4, (l)) +# endif +# endif +# endif +# endif +# if defined(__s390__) || defined(__s390x__) +# define HOST_c2l(c,l) ((l)=*((const unsigned int *)(c)), (c)+=4, (l)) +# define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4, (l)) +# endif +# endif + +# ifndef HOST_c2l +# define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++)))<<24), \ + l|=(((unsigned long)(*((c)++)))<<16), \ + l|=(((unsigned long)(*((c)++)))<< 8), \ + l|=(((unsigned long)(*((c)++))) ) ) +# endif +# ifndef HOST_l2c +# define HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \ + *((c)++)=(unsigned char)(((l)>>16)&0xff), \ + *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ + *((c)++)=(unsigned char)(((l) )&0xff), \ + l) +# endif + +#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN) + +# ifndef PEDANTIC +# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) +# if defined(__s390x__) +# define HOST_c2l(c,l) ({ asm ("lrv %0,%1" \ + :"=d"(l) :"m"(*(const unsigned int *)(c)));\ + (c)+=4; (l); }) +# define HOST_l2c(l,c) ({ asm ("strv %1,%0" \ + :"=m"(*(unsigned int *)(c)) :"d"(l));\ + (c)+=4; (l); }) +# endif +# endif +# if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__) +# ifndef B_ENDIAN + /* See comment in DATA_ORDER_IS_BIG_ENDIAN section. */ +# define HOST_c2l(c,l) ((l)=*((const unsigned int *)(c)), (c)+=4, l) +# define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4, l) +# endif +# endif +# endif + +# ifndef HOST_c2l +# define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++))) ), \ + l|=(((unsigned long)(*((c)++)))<< 8), \ + l|=(((unsigned long)(*((c)++)))<<16), \ + l|=(((unsigned long)(*((c)++)))<<24) ) +# endif +# ifndef HOST_l2c +# define HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \ + *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ + *((c)++)=(unsigned char)(((l)>>16)&0xff), \ + *((c)++)=(unsigned char)(((l)>>24)&0xff), \ + l) +# endif + +#endif + +/* + * Time for some action:-) + */ + +int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) +{ + const unsigned char *data = data_; + unsigned char *p; + HASH_LONG l; + size_t n; + + if (len == 0) + return 1; + + l = (c->Nl + (((HASH_LONG) len) << 3)) & 0xffffffffUL; + /* + * 95-05-24 eay Fixed a bug with the overflow handling, thanks to Wei Dai + * <weidai@eskimo.com> for pointing it out. + */ + if (l < c->Nl) /* overflow */ + c->Nh++; + c->Nh += (HASH_LONG) (len >> 29); /* might cause compiler warning on + * 16-bit */ + c->Nl = l; + + n = c->num; + if (n != 0) { + p = (unsigned char *)c->data; + + if (len >= HASH_CBLOCK || len + n >= HASH_CBLOCK) { + memcpy(p + n, data, HASH_CBLOCK - n); + HASH_BLOCK_DATA_ORDER(c, p, 1); + n = HASH_CBLOCK - n; + data += n; + len -= n; + c->num = 0; + memset(p, 0, HASH_CBLOCK); /* keep it zeroed */ + } else { + memcpy(p + n, data, len); + c->num += (unsigned int)len; + return 1; + } + } + + n = len / HASH_CBLOCK; + if (n > 0) { + HASH_BLOCK_DATA_ORDER(c, data, n); + n *= HASH_CBLOCK; + data += n; + len -= n; + } + + if (len != 0) { + p = (unsigned char *)c->data; + c->num = (unsigned int)len; + memcpy(p, data, len); + } + return 1; +} + +void HASH_TRANSFORM(HASH_CTX *c, const unsigned char *data) +{ + HASH_BLOCK_DATA_ORDER(c, data, 1); +} + +int HASH_FINAL(unsigned char *md, HASH_CTX *c) +{ + unsigned char *p = (unsigned char *)c->data; + size_t n = c->num; + + p[n] = 0x80; /* there is always room for one */ + n++; + + if (n > (HASH_CBLOCK - 8)) { + memset(p + n, 0, HASH_CBLOCK - n); + n = 0; + HASH_BLOCK_DATA_ORDER(c, p, 1); + } + memset(p + n, 0, HASH_CBLOCK - 8 - n); + + p += HASH_CBLOCK - 8; +#if defined(DATA_ORDER_IS_BIG_ENDIAN) + (void)HOST_l2c(c->Nh, p); + (void)HOST_l2c(c->Nl, p); +#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN) + (void)HOST_l2c(c->Nl, p); + (void)HOST_l2c(c->Nh, p); +#endif + p -= HASH_CBLOCK; + HASH_BLOCK_DATA_ORDER(c, p, 1); + c->num = 0; + memset(p, 0, HASH_CBLOCK); + +#ifndef HASH_MAKE_STRING +# error "HASH_MAKE_STRING must be defined!" +#else + HASH_MAKE_STRING(c, md); +#endif + + return 1; +} + +#ifndef MD32_REG_T +# if defined(__alpha) || defined(__sparcv9) || defined(__mips) +# define MD32_REG_T long +/* + * This comment was originaly written for MD5, which is why it + * discusses A-D. But it basically applies to all 32-bit digests, + * which is why it was moved to common header file. + * + * In case you wonder why A-D are declared as long and not + * as MD5_LONG. Doing so results in slight performance + * boost on LP64 architectures. The catch is we don't + * really care if 32 MSBs of a 64-bit register get polluted + * with eventual overflows as we *save* only 32 LSBs in + * *either* case. Now declaring 'em long excuses the compiler + * from keeping 32 MSBs zeroed resulting in 13% performance + * improvement under SPARC Solaris7/64 and 5% under AlphaLinux. + * Well, to be honest it should say that this *prevents* + * performance degradation. + * <appro@fy.chalmers.se> + */ +# else +/* + * Above is not absolute and there are LP64 compilers that + * generate better code if MD32_REG_T is defined int. The above + * pre-processor condition reflects the circumstances under which + * the conclusion was made and is subject to further extension. + * <appro@fy.chalmers.se> + */ +# define MD32_REG_T int +# endif +#endif diff --git a/src/util/sha2.h b/src/util/sha2.h new file mode 100644 index 000000000..6ac045feb --- /dev/null +++ b/src/util/sha2.h @@ -0,0 +1,154 @@ +/* crypto/sha/sha.h */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#ifndef HEADER_SHA_H +# define HEADER_SHA_H + +# include <stddef.h> + +#ifdef __cplusplus +extern "C" { +#endif + +# if defined(OPENSSL_NO_SHA) || (defined(OPENSSL_NO_SHA0) && defined(OPENSSL_NO_SHA1)) +# error SHA is disabled. +# endif + +# if defined(OPENSSL_FIPS) +# define FIPS_SHA_SIZE_T size_t +# endif + +/* + Compat stuff from OpenSSL land + */ + +/* crypto.h */ + +# define fips_md_init(alg) fips_md_init_ctx(alg, alg) + +# define fips_md_init_ctx(alg, cx) \ + int alg##_Init(cx##_CTX *c) +# define fips_cipher_abort(alg) while(0) + +/*- + * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then ! + * ! SHA_LONG_LOG2 has to be defined along. ! + * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + */ + +# if defined(__LP32__) +# define SHA_LONG unsigned long +# elif defined(__ILP64__) +# define SHA_LONG unsigned long +# define SHA_LONG_LOG2 3 +# else +# define SHA_LONG unsigned int +# endif + +# define SHA_LBLOCK 16 +# define SHA_CBLOCK (SHA_LBLOCK*4)/* SHA treats input data as a + * contiguous array of 32 bit wide + * big-endian values. */ +# define SHA_LAST_BLOCK (SHA_CBLOCK-8) +# define SHA_DIGEST_LENGTH 20 + +typedef struct SHAstate_st { + SHA_LONG h0, h1, h2, h3, h4; + SHA_LONG Nl, Nh; + SHA_LONG data[SHA_LBLOCK]; + unsigned int num; +} SHA_CTX; + +# define SHA256_CBLOCK (SHA_LBLOCK*4)/* SHA-256 treats input data as a + * contiguous array of 32 bit wide + * big-endian values. */ +# define SHA224_DIGEST_LENGTH 28 +# define SHA256_DIGEST_LENGTH 32 + +typedef struct SHA256state_st { + SHA_LONG h[8]; + SHA_LONG Nl, Nh; + SHA_LONG data[SHA_LBLOCK]; + unsigned int num, md_len; +} SHA256_CTX; + +# ifndef OPENSSL_NO_SHA256 +# ifdef OPENSSL_FIPS +int private_SHA224_Init(SHA256_CTX *c); +int private_SHA256_Init(SHA256_CTX *c); +# endif +int SHA224_Init(SHA256_CTX *c); +int SHA224_Update(SHA256_CTX *c, const void *data, size_t len); +int SHA224_Final(unsigned char *md, SHA256_CTX *c); +unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md); +int SHA256_Init(SHA256_CTX *c); +int SHA256_Update(SHA256_CTX *c, const void *data, size_t len); +int SHA256_Final(unsigned char *md, SHA256_CTX *c); +unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md); +void SHA256_Transform(SHA256_CTX *c, const unsigned char *data); +# endif + +# define SHA384_DIGEST_LENGTH 48 +# define SHA512_DIGEST_LENGTH 64 + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/src/util/sha256.c b/src/util/sha256.c new file mode 100644 index 000000000..311aac4a8 --- /dev/null +++ b/src/util/sha256.c @@ -0,0 +1,404 @@ +/* crypto/sha/sha256.c */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved + * according to the OpenSSL license [found in ../../LICENSE]. + * ==================================================================== + */ +# include <stdlib.h> +# include <string.h> + +# include <util/sha2.h> + +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2a 19 Mar 2015" +# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT + +const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT; + +/* mem_clr.c */ +unsigned char cleanse_ctr = 0; +void OPENSSL_cleanse(void *ptr, size_t len) +{ + unsigned char *p = ptr; + size_t loop = len, ctr = cleanse_ctr; + while (loop--) { + *(p++) = (unsigned char)ctr; + ctr += (17 + ((size_t)p & 0xF)); + } + p = memchr(ptr, (unsigned char)ctr, len); + if (p) + ctr += (63 + (size_t)p); + cleanse_ctr = (unsigned char)ctr; +} + +# define fips_md_init(alg) fips_md_init_ctx(alg, alg) +# define fips_md_init_ctx(alg, cx) \ + int alg##_Init(cx##_CTX *c) +# define fips_cipher_abort(alg) while(0) + +fips_md_init_ctx(SHA224, SHA256) +{ + memset(c, 0, sizeof(*c)); + c->h[0] = 0xc1059ed8UL; + c->h[1] = 0x367cd507UL; + c->h[2] = 0x3070dd17UL; + c->h[3] = 0xf70e5939UL; + c->h[4] = 0xffc00b31UL; + c->h[5] = 0x68581511UL; + c->h[6] = 0x64f98fa7UL; + c->h[7] = 0xbefa4fa4UL; + c->md_len = SHA224_DIGEST_LENGTH; + return 1; +} + +fips_md_init(SHA256) +{ + memset(c, 0, sizeof(*c)); + c->h[0] = 0x6a09e667UL; + c->h[1] = 0xbb67ae85UL; + c->h[2] = 0x3c6ef372UL; + c->h[3] = 0xa54ff53aUL; + c->h[4] = 0x510e527fUL; + c->h[5] = 0x9b05688cUL; + c->h[6] = 0x1f83d9abUL; + c->h[7] = 0x5be0cd19UL; + c->md_len = SHA256_DIGEST_LENGTH; + return 1; +} + +unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md) +{ + SHA256_CTX c; + static unsigned char m[SHA224_DIGEST_LENGTH]; + + if (md == NULL) + md = m; + SHA224_Init(&c); + SHA256_Update(&c, d, n); + SHA256_Final(md, &c); + OPENSSL_cleanse(&c, sizeof(c)); + return (md); +} + +unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md) +{ + SHA256_CTX c; + static unsigned char m[SHA256_DIGEST_LENGTH]; + + if (md == NULL) + md = m; + SHA256_Init(&c); + SHA256_Update(&c, d, n); + SHA256_Final(md, &c); + OPENSSL_cleanse(&c, sizeof(c)); + return (md); +} + +int SHA224_Update(SHA256_CTX *c, const void *data, size_t len) +{ + return SHA256_Update(c, data, len); +} + +int SHA224_Final(unsigned char *md, SHA256_CTX *c) +{ + return SHA256_Final(md, c); +} + +# define DATA_ORDER_IS_BIG_ENDIAN + +# define HASH_LONG SHA_LONG +# define HASH_CTX SHA256_CTX +# define HASH_CBLOCK SHA_CBLOCK +/* + * Note that FIPS180-2 discusses "Truncation of the Hash Function Output." + * default: case below covers for it. It's not clear however if it's + * permitted to truncate to amount of bytes not divisible by 4. I bet not, + * but if it is, then default: case shall be extended. For reference. + * Idea behind separate cases for pre-defined lenghts is to let the + * compiler decide if it's appropriate to unroll small loops. + */ +# define HASH_MAKE_STRING(c,s) do { \ + unsigned long ll; \ + unsigned int nn; \ + switch ((c)->md_len) \ + { case SHA224_DIGEST_LENGTH: \ + for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \ + { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ + break; \ + case SHA256_DIGEST_LENGTH: \ + for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \ + { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ + break; \ + default: \ + if ((c)->md_len > SHA256_DIGEST_LENGTH) \ + return 0; \ + for (nn=0;nn<(c)->md_len/4;nn++) \ + { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ + break; \ + } \ + } while (0) + +# define HASH_UPDATE SHA256_Update +# define HASH_TRANSFORM SHA256_Transform +# define HASH_FINAL SHA256_Final +# define HASH_BLOCK_DATA_ORDER sha256_block_data_order +# ifndef SHA256_ASM +static +# endif +void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num); + +# include "md32_common.h" + +# ifndef SHA256_ASM +static const SHA_LONG K256[64] = { + 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, + 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, + 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, + 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, + 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, + 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, + 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, + 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, + 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, + 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, + 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, + 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, + 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, + 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, + 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, + 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL +}; + +/* + * FIPS specification refers to right rotations, while our ROTATE macro + * is left one. This is why you might notice that rotation coefficients + * differ from those observed in FIPS document by 32-N... + */ +# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10)) +# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7)) +# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3)) +# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10)) + +# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) + +# ifdef OPENSSL_SMALL_FOOTPRINT + +static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, + size_t num) +{ + unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2; + SHA_LONG X[16], l; + int i; + const unsigned char *data = in; + + while (num--) { + + a = ctx->h[0]; + b = ctx->h[1]; + c = ctx->h[2]; + d = ctx->h[3]; + e = ctx->h[4]; + f = ctx->h[5]; + g = ctx->h[6]; + h = ctx->h[7]; + + for (i = 0; i < 16; i++) { + HOST_c2l(data, l); + T1 = X[i] = l; + T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; + T2 = Sigma0(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + } + + for (; i < 64; i++) { + s0 = X[(i + 1) & 0x0f]; + s0 = sigma0(s0); + s1 = X[(i + 14) & 0x0f]; + s1 = sigma1(s1); + + T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf]; + T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; + T2 = Sigma0(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + } + + ctx->h[0] += a; + ctx->h[1] += b; + ctx->h[2] += c; + ctx->h[3] += d; + ctx->h[4] += e; + ctx->h[5] += f; + ctx->h[6] += g; + ctx->h[7] += h; + + } +} + +# else + +# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \ + T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \ + h = Sigma0(a) + Maj(a,b,c); \ + d += T1; h += T1; } while (0) + +# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \ + s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \ + s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \ + T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \ + ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0) + +static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, + size_t num) +{ + unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1; + SHA_LONG X[16]; + int i; + const unsigned char *data = in; + const union { + long one; + char little; + } is_endian = { + 1 + }; + + while (num--) { + + a = ctx->h[0]; + b = ctx->h[1]; + c = ctx->h[2]; + d = ctx->h[3]; + e = ctx->h[4]; + f = ctx->h[5]; + g = ctx->h[6]; + h = ctx->h[7]; + + if (!is_endian.little && sizeof(SHA_LONG) == 4 + && ((size_t)in % 4) == 0) { + const SHA_LONG *W = (const SHA_LONG *)data; + + T1 = X[0] = W[0]; + ROUND_00_15(0, a, b, c, d, e, f, g, h); + T1 = X[1] = W[1]; + ROUND_00_15(1, h, a, b, c, d, e, f, g); + T1 = X[2] = W[2]; + ROUND_00_15(2, g, h, a, b, c, d, e, f); + T1 = X[3] = W[3]; + ROUND_00_15(3, f, g, h, a, b, c, d, e); + T1 = X[4] = W[4]; + ROUND_00_15(4, e, f, g, h, a, b, c, d); + T1 = X[5] = W[5]; + ROUND_00_15(5, d, e, f, g, h, a, b, c); + T1 = X[6] = W[6]; + ROUND_00_15(6, c, d, e, f, g, h, a, b); + T1 = X[7] = W[7]; + ROUND_00_15(7, b, c, d, e, f, g, h, a); + T1 = X[8] = W[8]; + ROUND_00_15(8, a, b, c, d, e, f, g, h); + T1 = X[9] = W[9]; + ROUND_00_15(9, h, a, b, c, d, e, f, g); + T1 = X[10] = W[10]; + ROUND_00_15(10, g, h, a, b, c, d, e, f); + T1 = X[11] = W[11]; + ROUND_00_15(11, f, g, h, a, b, c, d, e); + T1 = X[12] = W[12]; + ROUND_00_15(12, e, f, g, h, a, b, c, d); + T1 = X[13] = W[13]; + ROUND_00_15(13, d, e, f, g, h, a, b, c); + T1 = X[14] = W[14]; + ROUND_00_15(14, c, d, e, f, g, h, a, b); + T1 = X[15] = W[15]; + ROUND_00_15(15, b, c, d, e, f, g, h, a); + + data += SHA256_CBLOCK; + } else { + SHA_LONG l; + + HOST_c2l(data, l); + T1 = X[0] = l; + ROUND_00_15(0, a, b, c, d, e, f, g, h); + HOST_c2l(data, l); + T1 = X[1] = l; + ROUND_00_15(1, h, a, b, c, d, e, f, g); + HOST_c2l(data, l); + T1 = X[2] = l; + ROUND_00_15(2, g, h, a, b, c, d, e, f); + HOST_c2l(data, l); + T1 = X[3] = l; + ROUND_00_15(3, f, g, h, a, b, c, d, e); + HOST_c2l(data, l); + T1 = X[4] = l; + ROUND_00_15(4, e, f, g, h, a, b, c, d); + HOST_c2l(data, l); + T1 = X[5] = l; + ROUND_00_15(5, d, e, f, g, h, a, b, c); + HOST_c2l(data, l); + T1 = X[6] = l; + ROUND_00_15(6, c, d, e, f, g, h, a, b); + HOST_c2l(data, l); + T1 = X[7] = l; + ROUND_00_15(7, b, c, d, e, f, g, h, a); + HOST_c2l(data, l); + T1 = X[8] = l; + ROUND_00_15(8, a, b, c, d, e, f, g, h); + HOST_c2l(data, l); + T1 = X[9] = l; + ROUND_00_15(9, h, a, b, c, d, e, f, g); + HOST_c2l(data, l); + T1 = X[10] = l; + ROUND_00_15(10, g, h, a, b, c, d, e, f); + HOST_c2l(data, l); + T1 = X[11] = l; + ROUND_00_15(11, f, g, h, a, b, c, d, e); + HOST_c2l(data, l); + T1 = X[12] = l; + ROUND_00_15(12, e, f, g, h, a, b, c, d); + HOST_c2l(data, l); + T1 = X[13] = l; + ROUND_00_15(13, d, e, f, g, h, a, b, c); + HOST_c2l(data, l); + T1 = X[14] = l; + ROUND_00_15(14, c, d, e, f, g, h, a, b); + HOST_c2l(data, l); + T1 = X[15] = l; + ROUND_00_15(15, b, c, d, e, f, g, h, a); + } + + for (i = 16; i < 64; i += 8) { + ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); + ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); + ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); + ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); + ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); + ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); + ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); + ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); + } + + ctx->h[0] += a; + ctx->h[1] += b; + ctx->h[2] += c; + ctx->h[3] += d; + ctx->h[4] += e; + ctx->h[5] += f; + ctx->h[6] += g; + ctx->h[7] += h; + + } +} + +# endif +# endif /* SHA256_ASM */ diff --git a/src/util/srp.cpp b/src/util/srp.cpp new file mode 100644 index 000000000..cc8bac6bb --- /dev/null +++ b/src/util/srp.cpp @@ -0,0 +1,1029 @@ +/* + * Secure Remote Password 6a implementation + * https://github.com/est31/csrp-gmp + * + * The MIT License (MIT) + * + * Copyright (c) 2010, 2013 Tom Cocagne, 2015 est31 <MTest31@outlook.com> + * + * Permission is hereby granted, free of charge, to any person obtaining a copy of + * this software and associated documentation files (the "Software"), to deal in + * the Software without restriction, including without limitation the rights to + * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is furnished to do + * so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + * + */ + +#ifdef WIN32 + #include <windows.h> + #include <wincrypt.h> +#else + #include <time.h> +#endif + +#include <stdlib.h> +#include <string.h> +#include <stdio.h> + +#include <config.h> + +#if USE_SYSTEM_GMP || defined (__ANDROID__) || defined (ANDROID) + #include <gmp.h> +#else + #include <gmp/mini-gmp.h> +#endif + +#include <util/sha2.h> + +#include "srp.h" +//#define CSRP_USE_SHA1 +#define CSRP_USE_SHA256 + +#define srp_dbg_data(data, datalen, prevtext) ; +/*void srp_dbg_data(unsigned char * data, size_t datalen, char * prevtext) +{ + printf(prevtext); + size_t i; + for (i = 0; i < datalen; i++) + { + printf("%02X", data[i]); + } + printf("\n"); +}*/ + +static int g_initialized = 0; + +#define RAND_BUFF_MAX 128 +static unsigned int g_rand_idx; +static unsigned char g_rand_buff[RAND_BUFF_MAX]; + +typedef struct +{ + mpz_t N; + mpz_t g; +} NGConstant; + +struct NGHex +{ + const char* n_hex; + const char* g_hex; +}; + +/* All constants here were pulled from Appendix A of RFC 5054 */ +static struct NGHex global_Ng_constants[] = { + { /* 1024 */ + "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496" + "EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8E" + "F4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA" + "9AFD5138FE8376435B9FC61D2FC0EB06E3", + "2" + }, + { /* 2048 */ + "AC6BDB41324A9A9BF166DE5E1389582FAF72B6651987EE07FC3192943DB56050A37329CBB4" + "A099ED8193E0757767A13DD52312AB4B03310DCD7F48A9DA04FD50E8083969EDB767B0CF60" + "95179A163AB3661A05FBD5FAAAE82918A9962F0B93B855F97993EC975EEAA80D740ADBF4FF" + "747359D041D5C33EA71D281E446B14773BCA97B43A23FB801676BD207A436C6481F1D2B907" + "8717461A5B9D32E688F87748544523B524B0D57D5EA77A2775D2ECFA032CFBDBF52FB37861" + "60279004E57AE6AF874E7303CE53299CCC041C7BC308D82A5698F3A8D0C38271AE35F8E9DB" + "FBB694B5C803D89F7AE435DE236D525F54759B65E372FCD68EF20FA7111F9E4AFF73", + "2" + }, + { /* 4096 */ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" + "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B" + "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9" + "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6" + "49286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8" + "FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D" + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C" + "180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718" + "3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D" + "04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7D" + "B3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D226" + "1AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200C" + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFC" + "E0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B26" + "99C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB" + "04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2" + "233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127" + "D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" + "FFFFFFFFFFFFFFFF", + "5" + }, + { /* 8192 */ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" + "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B" + "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9" + "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6" + "49286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8" + "FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D" + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C" + "180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718" + "3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D" + "04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7D" + "B3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D226" + "1AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200C" + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFC" + "E0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B26" + "99C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB" + "04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2" + "233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127" + "D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492" + "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406" + "AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918" + "DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B33205151" + "2BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03" + "F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97F" + "BEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA" + "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58B" + "B7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632" + "387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E" + "6DBE115974A3926F12FEE5E438777CB6A932DF8CD8BEC4D073B931BA" + "3BC832B68D9DD300741FA7BF8AFC47ED2576F6936BA424663AAB639C" + "5AE4F5683423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD9" + "22222E04A4037C0713EB57A81A23F0C73473FC646CEA306B4BCBC886" + "2F8385DDFA9D4B7FA2C087E879683303ED5BDD3A062B3CF5B3A278A6" + "6D2A13F83F44F82DDF310EE074AB6A364597E899A0255DC164F31CC5" + "0846851DF9AB48195DED7EA1B1D510BD7EE74D73FAF36BC31ECFA268" + "359046F4EB879F924009438B481C6CD7889A002ED5EE382BC9190DA6" + "FC026E479558E4475677E9AA9E3050E2765694DFC81F56E880B96E71" + "60C980DD98EDD3DFFFFFFFFFFFFFFFFF", + "13" + }, + {0,0} /* null sentinel */ +}; + + +static NGConstant *new_ng( SRP_NGType ng_type, const char *n_hex, const char *g_hex ) +{ + NGConstant *ng = (NGConstant *) malloc(sizeof(NGConstant)); + mpz_init(ng->N); + mpz_init(ng->g); + + if (!ng || !ng->N || !ng->g) + return 0; + + if (ng_type != SRP_NG_CUSTOM) { + n_hex = global_Ng_constants[ ng_type ].n_hex; + g_hex = global_Ng_constants[ ng_type ].g_hex; + } + + mpz_set_str(ng->N, n_hex, 16); + mpz_set_str(ng->g, g_hex, 16); + + return ng; +} + +static void delete_ng( NGConstant *ng ) +{ + if (ng) { + mpz_clear(ng->N); + mpz_clear(ng->g); + free(ng); + } +} + + + +typedef union +{ + SHA_CTX sha; + SHA256_CTX sha256; + //SHA512_CTX sha512; +} HashCTX; + + +struct SRPVerifier +{ + SRP_HashAlgorithm hash_alg; + NGConstant *ng; + + char *username; + unsigned char *bytes_B; + int authenticated; + + unsigned char M[SHA512_DIGEST_LENGTH]; + unsigned char H_AMK[SHA512_DIGEST_LENGTH]; + unsigned char session_key[SHA512_DIGEST_LENGTH]; +}; + + +struct SRPUser +{ + SRP_HashAlgorithm hash_alg; + NGConstant *ng; + + mpz_t a; + mpz_t A; + mpz_t S; + + unsigned char *bytes_A; + int authenticated; + + char *username; + char *username_verifier; + unsigned char *password; + size_t password_len; + + unsigned char M[SHA512_DIGEST_LENGTH]; + unsigned char H_AMK[SHA512_DIGEST_LENGTH]; + unsigned char session_key[SHA512_DIGEST_LENGTH]; +}; + + +static int hash_init(SRP_HashAlgorithm alg, HashCTX *c) +{ + switch (alg) { +#ifdef CSRP_USE_SHA1 + case SRP_SHA1: return SHA1_Init(&c->sha); +#endif + /*case SRP_SHA224: return SHA224_Init(&c->sha256);*/ +#ifdef CSRP_USE_SHA256 + case SRP_SHA256: return SHA256_Init(&c->sha256); +#endif + /*case SRP_SHA384: return SHA384_Init(&c->sha512); + case SRP_SHA512: return SHA512_Init(&c->sha512);*/ + default: return -1; + }; +} +static int hash_update( SRP_HashAlgorithm alg, HashCTX *c, const void *data, size_t len ) +{ + switch (alg) { +#ifdef CSRP_USE_SHA1 + case SRP_SHA1: return SHA1_Update(&c->sha, data, len); +#endif + /*case SRP_SHA224: return SHA224_Update(&c->sha256, data, len);*/ +#ifdef CSRP_USE_SHA256 + case SRP_SHA256: return SHA256_Update(&c->sha256, data, len); +#endif + /*case SRP_SHA384: return SHA384_Update( &c->sha512, data, len ); + case SRP_SHA512: return SHA512_Update( &c->sha512, data, len );*/ + default: return -1; + }; +} +static int hash_final( SRP_HashAlgorithm alg, HashCTX *c, unsigned char *md ) +{ + switch (alg) { +#ifdef CSRP_USE_SHA1 + case SRP_SHA1: return SHA1_Final(md, &c->sha); +#endif + /*case SRP_SHA224: return SHA224_Final(md, &c->sha256);*/ +#ifdef CSRP_USE_SHA256 + case SRP_SHA256: return SHA256_Final(md, &c->sha256); +#endif + /*case SRP_SHA384: return SHA384_Final(md, &c->sha512); + case SRP_SHA512: return SHA512_Final(md, &c->sha512);*/ + default: return -1; + }; +} +static unsigned char *hash(SRP_HashAlgorithm alg, const unsigned char *d, size_t n, unsigned char *md) +{ + switch (alg) { +#ifdef CSRP_USE_SHA1 + case SRP_SHA1: return SHA1(d, n, md); +#endif + /*case SRP_SHA224: return SHA224( d, n, md );*/ +#ifdef CSRP_USE_SHA256 + case SRP_SHA256: return SHA256(d, n, md); +#endif + /*case SRP_SHA384: return SHA384( d, n, md ); + case SRP_SHA512: return SHA512( d, n, md );*/ + default: return 0; + }; +} +static size_t hash_length(SRP_HashAlgorithm alg) +{ + switch (alg) { +#ifdef CSRP_USE_SHA1 + case SRP_SHA1: return SHA_DIGEST_LENGTH; +#endif + /*case SRP_SHA224: return SHA224_DIGEST_LENGTH;*/ +#ifdef CSRP_USE_SHA256 + case SRP_SHA256: return SHA256_DIGEST_LENGTH; +#endif + /*case SRP_SHA384: return SHA384_DIGEST_LENGTH; + case SRP_SHA512: return SHA512_DIGEST_LENGTH;*/ + default: return -1; + }; +} + +inline static int mpz_num_bytes(const mpz_t op) +{ + return (mpz_sizeinbase (op, 2) + 7) / 8; +} + +inline static void mpz_to_bin(const mpz_t op, unsigned char *to) +{ + mpz_export(to, NULL, 1, 1, 1, 0, op); +} + +inline static void mpz_from_bin(const unsigned char *s, size_t len, mpz_t ret) +{ + mpz_import(ret, len, 1, 1, 1, 0, s); +} + +// set op to (op1 * op2) mod d, using tmp for the calculation +inline static void mpz_mulm(mpz_t op, const mpz_t op1, const mpz_t op2, const mpz_t d, mpz_t tmp) +{ + mpz_mul(tmp, op1, op2); + mpz_mod(op, tmp, d); +} + +// set op to (op1 + op2) mod d, using tmp for the calculation +inline static void mpz_addm( mpz_t op, const mpz_t op1, const mpz_t op2, const mpz_t d, mpz_t tmp ) +{ + mpz_add(tmp, op1, op2); + mpz_mod(op, tmp, d); +} + +// set op to (op1 - op2) mod d, using tmp for the calculation +inline static void mpz_subm(mpz_t op, const mpz_t op1, const mpz_t op2, const mpz_t d, mpz_t tmp) +{ + mpz_sub(tmp, op1, op2); + mpz_mod(op, tmp, d); +} + +static int H_nn(mpz_t result, SRP_HashAlgorithm alg, const mpz_t N, const mpz_t n1, const mpz_t n2) +{ + unsigned char buff[SHA512_DIGEST_LENGTH]; + size_t len_N = mpz_num_bytes(N); + size_t len_n1 = mpz_num_bytes(n1); + size_t len_n2 = mpz_num_bytes(n2); + size_t nbytes = len_N + len_N; + unsigned char *bin = (unsigned char *) malloc(nbytes); + if (!bin) + return 0; + if (len_n1 > len_N || len_n2 > len_N) { + free(bin); + return 0; + } + memset(bin, 0, nbytes); + mpz_to_bin(n1, bin + (len_N - len_n1)); + mpz_to_bin(n2, bin + (len_N + len_N - len_n2)); + hash( alg, bin, nbytes, buff ); + free(bin); + mpz_from_bin(buff, hash_length(alg), result); + return 1; +} + +static int H_ns(mpz_t result, SRP_HashAlgorithm alg, const unsigned char *n, size_t len_n, const unsigned char *bytes, size_t len_bytes) +{ + unsigned char buff[SHA512_DIGEST_LENGTH]; + size_t nbytes = len_n + len_bytes; + unsigned char *bin = (unsigned char *) malloc(nbytes); + if (!bin) + return 0; + memcpy(bin, n, len_n); + memcpy(bin + len_n, bytes, len_bytes); + hash(alg, bin, nbytes, buff); + free(bin); + mpz_from_bin(buff, hash_length(alg), result); + return 1; +} + +static int calculate_x(mpz_t result, SRP_HashAlgorithm alg, const unsigned char *salt, size_t salt_len, const char *username, const unsigned char *password, size_t password_len) +{ + unsigned char ucp_hash[SHA512_DIGEST_LENGTH]; + HashCTX ctx; + hash_init(alg, &ctx); + + srp_dbg_data((char*) username, strlen(username), "Username for x: "); + srp_dbg_data((char*) password, password_len, "Password for x: "); + hash_update(alg, &ctx, username, strlen(username)); + hash_update(alg, &ctx, ":", 1); + hash_update(alg, &ctx, password, password_len); + + hash_final(alg, &ctx, ucp_hash); + + return H_ns(result, alg, salt, salt_len, ucp_hash, hash_length(alg)); +} + +static void update_hash_n(SRP_HashAlgorithm alg, HashCTX *ctx, const mpz_t n) +{ + size_t len = mpz_num_bytes(n); + unsigned char* n_bytes = (unsigned char *) malloc(len); + if (!n_bytes) + return; + mpz_to_bin(n, n_bytes); + hash_update(alg, ctx, n_bytes, len); + free(n_bytes); +} + +static void hash_num( SRP_HashAlgorithm alg, const mpz_t n, unsigned char *dest ) +{ + int nbytes = mpz_num_bytes(n); + unsigned char *bin = (unsigned char *) malloc(nbytes); + if(!bin) + return; + mpz_to_bin(n, bin); + hash(alg, bin, nbytes, dest); + free(bin); +} + +static void calculate_M(SRP_HashAlgorithm alg, NGConstant *ng, unsigned char *dest, + const char *I, const unsigned char *s_bytes, size_t s_len, + const mpz_t A, const mpz_t B, const unsigned char *K) +{ + unsigned char H_N[SHA512_DIGEST_LENGTH]; + unsigned char H_g[SHA512_DIGEST_LENGTH]; + unsigned char H_I[SHA512_DIGEST_LENGTH]; + unsigned char H_xor[SHA512_DIGEST_LENGTH]; + HashCTX ctx; + size_t i = 0; + size_t hash_len = hash_length(alg); + + hash_num(alg, ng->N, H_N); + hash_num(alg, ng->g, H_g); + + hash(alg, (const unsigned char *)I, strlen(I), H_I); + + + for (i = 0; i < hash_len; i++ ) + H_xor[i] = H_N[i] ^ H_g[i]; + + hash_init(alg, &ctx); + + hash_update(alg, &ctx, H_xor, hash_len); + hash_update(alg, &ctx, H_I, hash_len); + hash_update(alg, &ctx, s_bytes, s_len); + update_hash_n(alg, &ctx, A); + update_hash_n(alg, &ctx, B); + hash_update(alg, &ctx, K, hash_len); + + hash_final(alg, &ctx, dest); +} + +static void calculate_H_AMK(SRP_HashAlgorithm alg, unsigned char *dest, const mpz_t A, const unsigned char *M, const unsigned char *K) +{ + HashCTX ctx; + + hash_init(alg, &ctx); + + update_hash_n(alg, &ctx, A); + hash_update(alg, &ctx, M, hash_length(alg)); + hash_update(alg, &ctx, K, hash_length(alg)); + + hash_final(alg, &ctx, dest); +} + + +struct srp_pcgrandom { + unsigned long long int m_state; + unsigned long long int m_inc; +}; typedef struct srp_pcgrandom srp_pcgrandom; + +static unsigned long int srp_pcgrandom_next(srp_pcgrandom *r) +{ + unsigned long long int oldstate = r->m_state; + r->m_state = oldstate * 6364136223846793005ULL + r->m_inc; + + unsigned long int xorshifted = ((oldstate >> 18u) ^ oldstate) >> 27u; + unsigned long int rot = oldstate >> 59u; + return (xorshifted >> rot) | (xorshifted << ((-rot) & 31)); +} + +static void srp_pcgrandom_seed(srp_pcgrandom *r, unsigned long long int state, + unsigned long long int seq) +{ + r->m_state = 0U; + r->m_inc = (seq << 1u) | 1u; + srp_pcgrandom_next(r); + r->m_state += state; + srp_pcgrandom_next(r); +} + + +static int fill_buff() +{ + g_rand_idx = 0; + +#ifdef WIN32 + HCRYPTPROV wctx; +#else + FILE *fp = 0; +#endif + +#ifdef WIN32 + + CryptAcquireContext(&wctx, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT); + CryptGenRandom(wctx, sizeof(g_rand_buff), (BYTE*) g_rand_buff); + CryptReleaseContext(wctx, 0); + + return 1; + +#else + fp = fopen("/dev/urandom", "r"); + + if (fp) { + fread(g_rand_buff, sizeof(g_rand_buff), 1, fp); + fclose(fp); + } else { + srp_pcgrandom *r = (srp_pcgrandom *) malloc(sizeof(srp_pcgrandom)); + srp_pcgrandom_seed(r, time(NULL) ^ clock(), 0xda3e39cb94b95bdbULL); + size_t i = 0; + for (i = 0; i < RAND_BUFF_MAX; i++) { + g_rand_buff[i] = srp_pcgrandom_next(r); + } + } +#endif + return 1; +} + +static void mpz_fill_random(mpz_t num) +{ + // was call: BN_rand(num, 256, -1, 0); + if (RAND_BUFF_MAX - g_rand_idx < 32) + fill_buff(); + mpz_from_bin((const unsigned char *) (&g_rand_buff[g_rand_idx]), 32, num); + g_rand_idx += 32; +} + +static void init_random() +{ + if (g_initialized) + return; + g_initialized = fill_buff(); +} + +#define srp_dbg_num(num, text) ; +/*void srp_dbg_num(mpz_t num, char * prevtext) +{ + int len_num = mpz_num_bytes(num); + char *bytes_num = (char*) malloc(len_num); + mpz_to_bin(num, (unsigned char *) bytes_num); + srp_dbg_data(bytes_num, len_num, prevtext); + free(bytes_num); + +}*/ + +/*********************************************************************************************************** + * + * Exported Functions + * + ***********************************************************************************************************/ + +void srp_create_salted_verification_key( SRP_HashAlgorithm alg, + SRP_NGType ng_type, const char *username_for_verifier, + const unsigned char *password, size_t len_password, + unsigned char **bytes_s, size_t *len_s, + unsigned char **bytes_v, size_t *len_v, + const char *n_hex, const char *g_hex ) +{ + mpz_t v; mpz_init(v); + mpz_t x; mpz_init(x); + NGConstant *ng = new_ng(ng_type, n_hex, g_hex); + + if(!ng) + goto cleanup_and_exit; + + if (*bytes_s == NULL) { + *len_s = 16; + if (RAND_BUFF_MAX - g_rand_idx < 16) + fill_buff(); + *bytes_s = (unsigned char*)malloc(sizeof(char) * 16); + memcpy(*bytes_s, &g_rand_buff + g_rand_idx, sizeof(char) * 16); + g_rand_idx += 16; + } + + + if (!calculate_x(x, alg, *bytes_s, *len_s, username_for_verifier, + password, len_password)) + goto cleanup_and_exit; + + srp_dbg_num(x, "Server calculated x: "); + + mpz_powm(v, ng->g, x, ng->N); + + *len_v = mpz_num_bytes(v); + + *bytes_v = (unsigned char*)malloc(*len_v); + + if (!bytes_v) + goto cleanup_and_exit; + + mpz_to_bin(v, *bytes_v); + +cleanup_and_exit: + delete_ng( ng ); + mpz_clear(v); + mpz_clear(x); +} + + + +/* Out: bytes_B, len_B. + * + * On failure, bytes_B will be set to NULL and len_B will be set to 0 + */ +struct SRPVerifier *srp_verifier_new(SRP_HashAlgorithm alg, + SRP_NGType ng_type, const char *username, + const unsigned char *bytes_s, size_t len_s, + const unsigned char *bytes_v, size_t len_v, + const unsigned char *bytes_A, size_t len_A, + const unsigned char *bytes_b, size_t len_b, + unsigned char **bytes_B, size_t *len_B, + const char *n_hex, const char *g_hex ) +{ + mpz_t v; mpz_init(v); mpz_from_bin(bytes_v, len_v, v); + mpz_t A; mpz_init(A); mpz_from_bin(bytes_A, len_A, A); + mpz_t u; mpz_init(u); + mpz_t B; mpz_init(B); + mpz_t S; mpz_init(S); + mpz_t b; mpz_init(b); + mpz_t k; mpz_init(k); + mpz_t tmp1; mpz_init(tmp1); + mpz_t tmp2; mpz_init(tmp2); + mpz_t tmp3; mpz_init(tmp3); + size_t ulen = strlen(username) + 1; + NGConstant *ng = new_ng(ng_type, n_hex, g_hex); + struct SRPVerifier *ver = 0; + + *len_B = 0; + *bytes_B = 0; + + if (!ng) + goto cleanup_and_exit; + + ver = (struct SRPVerifier *) malloc( sizeof(struct SRPVerifier) ); + + if (!ver) + goto cleanup_and_exit; + + init_random(); /* Only happens once */ + + ver->username = (char *) malloc(ulen); + ver->hash_alg = alg; + ver->ng = ng; + + if (!ver->username) { + free(ver); + ver = 0; + goto cleanup_and_exit; + } + + memcpy((char*)ver->username, username, ulen); + + ver->authenticated = 0; + + /* SRP-6a safety check */ + mpz_mod(tmp1, A, ng->N); + if (mpz_sgn(tmp1) != 0) { + if (bytes_b) { + mpz_from_bin(bytes_b, len_b, b); + } else { + mpz_fill_random(b); + } + + if (!H_nn(k, alg, ng->N, ng->N, ng->g)) { + free(ver); + ver = 0; + goto cleanup_and_exit; + } + + /* B = kv + g^b */ + mpz_mulm(tmp1, k, v, ng->N, tmp3); + mpz_powm(tmp2, ng->g, b, ng->N); + mpz_addm(B, tmp1, tmp2, ng->N, tmp3); + + if (!H_nn(u, alg, ng->N, A, B)) { + free(ver); + ver = 0; + goto cleanup_and_exit; + } + + srp_dbg_num(u, "Server calculated u: "); + + /* S = (A *(v^u)) ^ b */ + mpz_powm(tmp1, v, u, ng->N); + mpz_mulm(tmp2, A, tmp1, ng->N, tmp3); + mpz_powm(S, tmp2, b, ng->N); + + hash_num(alg, S, ver->session_key); + + calculate_M(alg, ng, ver->M, username, bytes_s, len_s, A, B, ver->session_key); + calculate_H_AMK(alg, ver->H_AMK, A, ver->M, ver->session_key); + + *len_B = mpz_num_bytes(B); + *bytes_B = (unsigned char*)malloc(*len_B); + + if (!*bytes_B) { + free(ver->username); + free(ver); + ver = 0; + *len_B = 0; + goto cleanup_and_exit; + } + + mpz_to_bin(B, *bytes_B); + + ver->bytes_B = *bytes_B; + } else { + free(ver); + ver = 0; + } + +cleanup_and_exit: + mpz_clear(v); + mpz_clear(A); + mpz_clear(u); + mpz_clear(k); + mpz_clear(B); + mpz_clear(S); + mpz_clear(b); + mpz_clear(tmp1); + mpz_clear(tmp2); + mpz_clear(tmp3); + return ver; +} + + + + +void srp_verifier_delete(struct SRPVerifier *ver) +{ + if (ver) { + delete_ng(ver->ng); + free(ver->username); + free(ver->bytes_B); + memset(ver, 0, sizeof(*ver)); + free(ver); + } +} + + + +int srp_verifier_is_authenticated(struct SRPVerifier *ver) +{ + return ver->authenticated; +} + + +const char *srp_verifier_get_username(struct SRPVerifier *ver) +{ + return ver->username; +} + + +const unsigned char *srp_verifier_get_session_key(struct SRPVerifier *ver, size_t *key_length) +{ + if (key_length) + *key_length = hash_length(ver->hash_alg); + return ver->session_key; +} + + +size_t srp_verifier_get_session_key_length(struct SRPVerifier *ver) +{ + return hash_length(ver->hash_alg); +} + + +/* user_M must be exactly SHA512_DIGEST_LENGTH bytes in size */ +void srp_verifier_verify_session(struct SRPVerifier *ver, const unsigned char *user_M, unsigned char **bytes_HAMK) +{ + if (memcmp(ver->M, user_M, hash_length(ver->hash_alg)) == 0) { + ver->authenticated = 1; + *bytes_HAMK = ver->H_AMK; + } else + *bytes_HAMK = NULL; +} + +/*******************************************************************************/ + +struct SRPUser *srp_user_new(SRP_HashAlgorithm alg, SRP_NGType ng_type, + const char *username, const char *username_for_verifier, + const unsigned char *bytes_password, size_t len_password, + const char *n_hex, const char *g_hex) +{ + struct SRPUser *usr = (struct SRPUser *) malloc(sizeof(struct SRPUser)); + size_t ulen = strlen(username) + 1; + size_t uvlen = strlen(username_for_verifier) + 1; + + if (!usr) + goto err_exit; + + init_random(); /* Only happens once */ + + usr->hash_alg = alg; + usr->ng = new_ng(ng_type, n_hex, g_hex); + + mpz_init(usr->a); + mpz_init(usr->A); + mpz_init(usr->S); + + if (!usr->ng || !usr->a || !usr->A || !usr->S) + goto err_exit; + + usr->username = (char*)malloc(ulen); + usr->username_verifier = (char*)malloc(uvlen); + usr->password = (unsigned char*)malloc(len_password); + usr->password_len = len_password; + + if (!usr->username || !usr->password) + goto err_exit; + + memcpy(usr->username, username, ulen); + memcpy(usr->username_verifier, username_for_verifier, uvlen); + memcpy(usr->password, bytes_password, len_password); + + usr->authenticated = 0; + + usr->bytes_A = 0; + + return usr; + +err_exit: + if (usr) { + mpz_clear(usr->a); + mpz_clear(usr->A); + mpz_clear(usr->S); + if (usr->username) + free(usr->username); + if (usr->username_verifier) + free(usr->username_verifier); + if (usr->password) { + memset(usr->password, 0, usr->password_len); + free(usr->password); + } + free(usr); + } + + return 0; +} + + + +void srp_user_delete(struct SRPUser *usr) +{ + if(usr) { + mpz_clear(usr->a); + mpz_clear(usr->A); + mpz_clear(usr->S); + + delete_ng(usr->ng); + + memset(usr->password, 0, usr->password_len); + + free(usr->username); + free(usr->username_verifier); + free(usr->password); + + if (usr->bytes_A) + free(usr->bytes_A); + + memset(usr, 0, sizeof(*usr)); + free(usr); + } +} + + + +int srp_user_is_authenticated(struct SRPUser *usr) +{ + return usr->authenticated; +} + + +const char *srp_user_get_username(struct SRPUser *usr) +{ + return usr->username; +} + + +const unsigned char* srp_user_get_session_key(struct SRPUser* usr, size_t* key_length) +{ + if (key_length) + *key_length = hash_length(usr->hash_alg); + return usr->session_key; +} + + +size_t srp_user_get_session_key_length(struct SRPUser *usr) +{ + return hash_length(usr->hash_alg); +} + + +/* Output: username, bytes_A, len_A */ +void srp_user_start_authentication(struct SRPUser *usr, char **username, + const unsigned char *bytes_a, size_t len_a, + unsigned char **bytes_A, size_t *len_A) +{ + if (bytes_a) { + mpz_from_bin(bytes_a, len_a, usr->a); + } else { + mpz_fill_random(usr->a); + } + + mpz_powm(usr->A, usr->ng->g, usr->a, usr->ng->N); + + *len_A = mpz_num_bytes(usr->A); + *bytes_A = (unsigned char*)malloc(*len_A); + + if (!*bytes_A) { + *len_A = 0; + *bytes_A = 0; + *username = 0; + return; + } + + mpz_to_bin(usr->A, *bytes_A); + + usr->bytes_A = *bytes_A; + if (username) + *username = usr->username; +} + + +/* Output: bytes_M. Buffer length is SHA512_DIGEST_LENGTH */ +void srp_user_process_challenge(struct SRPUser *usr, + const unsigned char *bytes_s, size_t len_s, + const unsigned char *bytes_B, size_t len_B, + unsigned char **bytes_M, size_t *len_M) +{ + mpz_t B; mpz_init(B); mpz_from_bin(bytes_B, len_B, B); + mpz_t u; mpz_init(u); + mpz_t x; mpz_init(x); + mpz_t k; mpz_init(k); + mpz_t v; mpz_init(v); + mpz_t tmp1; mpz_init(tmp1); + mpz_t tmp2; mpz_init(tmp2); + mpz_t tmp3; mpz_init(tmp3); + mpz_t tmp4; mpz_init(tmp4); + + *len_M = 0; + *bytes_M = 0; + + if (!H_nn(u, usr->hash_alg, usr->ng->N, usr->A, B)) + goto cleanup_and_exit; + + srp_dbg_num(u, "Client calculated u: "); + + if (!calculate_x(x, usr->hash_alg, bytes_s, len_s, + usr->username_verifier, usr->password, usr->password_len)) + goto cleanup_and_exit; + + srp_dbg_num(x, "Client calculated x: "); + + if (!H_nn(k, usr->hash_alg, usr->ng->N, usr->ng->N, usr->ng->g)) + goto cleanup_and_exit; + + /* SRP-6a safety check */ + if ( mpz_sgn(B) != 0 && mpz_sgn(u) != 0 ) { + mpz_powm(v, usr->ng->g, x, usr->ng->N); + + srp_dbg_num(v, "Client calculated v: "); + + /* S = (B - k*(g^x)) ^ (a + ux) */ + mpz_mul(tmp1, u, x); + mpz_add(tmp2, usr->a, tmp1); /* tmp2 = (a + ux) */ + mpz_powm(tmp1, usr->ng->g, x, usr->ng->N); /* tmp1 = g^x */ + mpz_mulm(tmp3, k, tmp1, usr->ng->N, tmp4); /* tmp3 = k*(g^x) */ + mpz_subm(tmp1, B, tmp3, usr->ng->N, tmp4); /* tmp1 = (B - K*(g^x)) */ + mpz_powm(usr->S, tmp1, tmp2, usr->ng->N); + + hash_num(usr->hash_alg, usr->S, usr->session_key); + + calculate_M( usr->hash_alg, usr->ng, usr->M, usr->username, bytes_s, len_s, usr->A,B, usr->session_key ); + calculate_H_AMK( usr->hash_alg, usr->H_AMK, usr->A, usr->M, usr->session_key ); + + *bytes_M = usr->M; + if (len_M) + *len_M = hash_length( usr->hash_alg ); + } else { + *bytes_M = NULL; + if (len_M) + *len_M = 0; + } + +cleanup_and_exit: + + mpz_clear(B); + mpz_clear(u); + mpz_clear(x); + mpz_clear(k); + mpz_clear(v); + mpz_clear(tmp1); + mpz_clear(tmp2); + mpz_clear(tmp3); + mpz_clear(tmp4); +} + + +void srp_user_verify_session(struct SRPUser *usr, const unsigned char *bytes_HAMK) +{ + if (memcmp(usr->H_AMK, bytes_HAMK, hash_length(usr->hash_alg)) == 0) + usr->authenticated = 1; +} diff --git a/src/util/srp.h b/src/util/srp.h new file mode 100644 index 000000000..15a2b8a68 --- /dev/null +++ b/src/util/srp.h @@ -0,0 +1,171 @@ +/* + * Secure Remote Password 6a implementation + * https://github.com/est31/csrp-gmp + * + * The MIT License (MIT) + * + * Copyright (c) 2010, 2013 Tom Cocagne, 2015 est31 <MTest31@outlook.com> + * + * Permission is hereby granted, free of charge, to any person obtaining a copy of + * this software and associated documentation files (the "Software"), to deal in + * the Software without restriction, including without limitation the rights to + * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is furnished to do + * so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + * + */ + +/* + * + * Purpose: This is a direct implementation of the Secure Remote Password + * Protocol version 6a as described by + * http://srp.stanford.edu/design.html + * + * Author: tom.cocagne@gmail.com (Tom Cocagne) + * + * Dependencies: LibGMP + * + * Usage: Refer to test_srp.c for a demonstration + * + * Notes: + * This library allows multiple combinations of hashing algorithms and + * prime number constants. For authentication to succeed, the hash and + * prime number constants must match between + * srp_create_salted_verification_key(), srp_user_new(), + * and srp_verifier_new(). A recommended approach is to determine the + * desired level of security for an application and globally define the + * hash and prime number constants to the predetermined values. + * + * As one might suspect, more bits means more security. As one might also + * suspect, more bits also means more processing time. The test_srp.c + * program can be easily modified to profile various combinations of + * hash & prime number pairings. + */ + +#ifndef SRP_H +#define SRP_H + + +struct SRPVerifier; +struct SRPUser; + +typedef enum +{ + SRP_NG_1024, + SRP_NG_2048, + SRP_NG_4096, + SRP_NG_8192, + SRP_NG_CUSTOM +} SRP_NGType; + +typedef enum +{ + /*SRP_SHA1,*/ + /*SRP_SHA224,*/ + SRP_SHA256, + /*SRP_SHA384, + SRP_SHA512*/ +} SRP_HashAlgorithm; + +/* Out: bytes_v, len_v + * + * The caller is responsible for freeing the memory allocated for bytes_v + * + * The n_hex and g_hex parameters should be 0 unless SRP_NG_CUSTOM is used for ng_type. + * If provided, they must contain ASCII text of the hexidecimal notation. + * + * If bytes_s == NULL, it is filled with random data. The caller is responsible for freeing. + */ +void srp_create_salted_verification_key( SRP_HashAlgorithm alg, + SRP_NGType ng_type, const char *username_for_verifier, + const unsigned char *password, size_t len_password, + unsigned char **bytes_s, size_t *len_s, + unsigned char **bytes_v, size_t *len_v, + const char * n_hex, const char *g_hex ); + +/* Out: bytes_B, len_B. + * + * On failure, bytes_B will be set to NULL and len_B will be set to 0 + * + * The n_hex and g_hex parameters should be 0 unless SRP_NG_CUSTOM is used for ng_type + * + * If bytes_b == NULL, random data is used for b. + */ +struct SRPVerifier* srp_verifier_new(SRP_HashAlgorithm alg, SRP_NGType ng_type, + const char *username, + const unsigned char *bytes_s, size_t len_s, + const unsigned char *bytes_v, size_t len_v, + const unsigned char *bytes_A, size_t len_A, + const unsigned char *bytes_b, size_t len_b, + unsigned char** bytes_B, size_t *len_B, + const char* n_hex, const char* g_hex); + + +void srp_verifier_delete( struct SRPVerifier* ver ); + + +int srp_verifier_is_authenticated( struct SRPVerifier* ver ); + + +const char * srp_verifier_get_username( struct SRPVerifier* ver ); + +/* key_length may be null */ +const unsigned char* srp_verifier_get_session_key( struct SRPVerifier* ver, + size_t *key_length ); + + +size_t srp_verifier_get_session_key_length(struct SRPVerifier* ver); + + +/* user_M must be exactly srp_verifier_get_session_key_length() bytes in size */ +void srp_verifier_verify_session( struct SRPVerifier* ver, + const unsigned char* user_M, unsigned char** bytes_HAMK ); + +/*******************************************************************************/ + +/* The n_hex and g_hex parameters should be 0 unless SRP_NG_CUSTOM is used for ng_type */ +struct SRPUser *srp_user_new(SRP_HashAlgorithm alg, SRP_NGType ng_type, + const char *username, const char *username_for_verifier, + const unsigned char *bytes_password, size_t len_password, + const char *n_hex, const char *g_hex); + +void srp_user_delete(struct SRPUser * usr); + +int srp_user_is_authenticated(struct SRPUser * usr); + + +const char* srp_user_get_username(struct SRPUser * usr); + +/* key_length may be null */ +const unsigned char* srp_user_get_session_key(struct SRPUser* usr, size_t* key_length); + +size_t srp_user_get_session_key_length(struct SRPUser* usr); + +/* Output: username, bytes_A, len_A. If you don't want it get written, set username to NULL. + * If bytes_a == NULL, random data is used for a. */ +void srp_user_start_authentication(struct SRPUser* usr, char** username, + const unsigned char* bytes_a, size_t len_a, + unsigned char** bytes_A, size_t* len_A); + +/* Output: bytes_M, len_M (len_M may be null and will always be + * srp_user_get_session_key_length() bytes in size) */ +void srp_user_process_challenge(struct SRPUser *usr, + const unsigned char *bytes_s, size_t len_s, + const unsigned char *bytes_B, size_t len_B, + unsigned char **bytes_M, size_t *len_M); + +/* bytes_HAMK must be exactly srp_user_get_session_key_length() bytes in size */ +void srp_user_verify_session(struct SRPUser* usr, const unsigned char* bytes_HAMK); + +#endif /* Include Guard */ diff --git a/src/util/string.cpp b/src/util/string.cpp index c0f0e97fd..231eaf6be 100644 --- a/src/util/string.cpp +++ b/src/util/string.cpp @@ -22,12 +22,9 @@ with this program; if not, write to the Free Software Foundation, Inc., #include "numeric.h" #include "log.h" -#include "sha1.h" -#include "base64.h" #include "hex.h" #include "../porting.h" -#include <algorithm> #include <sstream> #include <iomanip> #include <map> @@ -176,26 +173,6 @@ std::string wide_to_narrow(const std::wstring &wcs) #endif -// Get an sha-1 hash of the player's name combined with -// the password entered. That's what the server uses as -// their password. (Exception : if the password field is -// blank, we send a blank password - this is for backwards -// compatibility with password-less players). -std::string translatePassword(const std::string &playername, - const std::string &password) -{ - if (password.length() == 0) - return ""; - - std::string slt = playername + password; - SHA1 sha1; - sha1.addBytes(slt.c_str(), slt.length()); - unsigned char *digest = sha1.getDigest(); - std::string pwd = base64_encode(digest, 20); - free(digest); - return pwd; -} - std::string urlencode(std::string str) { // Encodes non-unreserved URI characters by a percent sign diff --git a/src/util/string.h b/src/util/string.h index f2d9af570..4ab5cf3f7 100644 --- a/src/util/string.h +++ b/src/util/string.h @@ -43,8 +43,7 @@ wchar_t *narrow_to_wide_c(const char *str); std::wstring narrow_to_wide(const std::string &mbs); std::string wide_to_narrow(const std::wstring &wcs); -std::string translatePassword(const std::string &playername, - const std::string &password); + std::string urlencode(std::string str); std::string urldecode(std::string str); u32 readFlagString(std::string str, const FlagDesc *flagdesc, u32 *flagmask); |