jehanne/sys/src/lib/authsrv/authpak.c

#include <u.h>
#include <lib9.h>
#include <mp.h>
#include <libsec.h>
#include <authsrv.h>

#include "msqrt.mpc"
#include "decaf.mpc"
#include "edwards.mpc"
#include "elligator2.mpc"
#include "spake2ee.mpc"
#include "ed448.mpc"

typedef struct PAKcurve PAKcurve;
struct PAKcurve
{
	Lock;
	mpint	*P;
	mpint	*A;
	mpint	*D;
	mpint	*X;
	mpint	*Y;
};

static PAKcurve*
authpak_curve(void)
{
	static PAKcurve a;

	jehanne_lock(&a);
	if(a.P == nil){
		a.P = mpnew(0);
		a.A = mpnew(0);
		a.D = mpnew(0);
		a.X = mpnew(0);
		a.Y = mpnew(0);
		ed448_curve(a.P, a.A, a.D, a.X, a.Y);
		a.P = mpfield(a.P);
	}
	jehanne_unlock(&a);
	return &a;
}

void
authpak_hash(Authkey *k, char *u)
{
	static char info[] = "Plan 9 AuthPAK hash";
	uint8_t *bp, salt[SHA2_256dlen], h[2*PAKSLEN];
	mpint *H, *PX,*PY,*PZ,*PT;
	PAKcurve *c;

	H = mpnew(0);
	PX = mpnew(0);
	PY = mpnew(0);
	PZ = mpnew(0);
	PT = mpnew(0);

	sha2_256((uint8_t*)u, strlen(u), salt, nil);

	hkdf_x(	salt, SHA2_256dlen,
		(uint8_t*)info, sizeof(info)-1,
		k->aes, AESKEYLEN,
		h, sizeof(h),
		hmac_sha2_256, SHA2_256dlen);

	c = authpak_curve();

	betomp(h + 0*PAKSLEN, PAKSLEN, H);		/* HM */
	spake2ee_h2P(c->P,c->A,c->D, H, PX,PY,PZ,PT);	/* PM */

	bp = k->pakhash;
	mptober(PX, bp, PAKSLEN), bp += PAKSLEN;
	mptober(PY, bp, PAKSLEN), bp += PAKSLEN;
	mptober(PZ, bp, PAKSLEN), bp += PAKSLEN;
	mptober(PT, bp, PAKSLEN), bp += PAKSLEN;

	betomp(h + 1*PAKSLEN, PAKSLEN, H);		/* HN */
	spake2ee_h2P(c->P,c->A,c->D, H, PX,PY,PZ,PT);	/* PN */

	mptober(PX, bp, PAKSLEN), bp += PAKSLEN;
	mptober(PY, bp, PAKSLEN), bp += PAKSLEN;
	mptober(PZ, bp, PAKSLEN), bp += PAKSLEN;
	mptober(PT, bp, PAKSLEN);

	mpfree(PX);
	mpfree(PY);
	mpfree(PZ);
	mpfree(PT);
	mpfree(H);
}

void
authpak_new(PAKpriv *p, Authkey *k, uint8_t y[PAKYLEN], int isclient)
{
	mpint *PX,*PY,*PZ,*PT, *X, *Y;
	PAKcurve *c;
	uint8_t *bp;

	memset(p, 0, sizeof(PAKpriv));
	p->isclient = isclient != 0;

	X = mpnew(0);
	Y = mpnew(0);

	PX = mpnew(0);
	PY = mpnew(0);
	PZ = mpnew(0);
	PT = mpnew(0);

	PX->flags |= MPtimesafe;
	PY->flags |= MPtimesafe;
	PZ->flags |= MPtimesafe;
	PT->flags |= MPtimesafe;

	bp = k->pakhash + PAKPLEN*(p->isclient == 0);
	betomp(bp, PAKSLEN, PX), bp += PAKSLEN;
	betomp(bp, PAKSLEN, PY), bp += PAKSLEN;
	betomp(bp, PAKSLEN, PZ), bp += PAKSLEN;
	betomp(bp, PAKSLEN, PT);

	c = authpak_curve();

	X->flags |= MPtimesafe;
	mpnrand(c->P, genrandom, X);

	spake2ee_1(c->P,c->A,c->D, X, c->X,c->Y, PX,PY,PZ,PT, Y);

	mptober(X, p->x, PAKXLEN);
	mptober(Y, p->y, PAKYLEN);

	memmove(y, p->y, PAKYLEN);

	mpfree(PX);
	mpfree(PY);
	mpfree(PZ);
	mpfree(PT);

	mpfree(X);
	mpfree(Y);
}

int
authpak_finish(PAKpriv *p, Authkey *k, uint8_t y[PAKYLEN])
{
	static char info[] = "Plan 9 AuthPAK key";
	uint8_t *bp, z[PAKSLEN], salt[SHA2_256dlen];
	mpint *PX,*PY,*PZ,*PT, *X, *Y, *Z, *ok;
	DigestState *s;
	PAKcurve *c;
	int ret;

	X = mpnew(0);
	Y = mpnew(0);
	Z = mpnew(0);
	ok = mpnew(0);

	PX = mpnew(0);
	PY = mpnew(0);
	PZ = mpnew(0);
	PT = mpnew(0);

	PX->flags |= MPtimesafe;
	PY->flags |= MPtimesafe;
	PZ->flags |= MPtimesafe;
	PT->flags |= MPtimesafe;

	bp = k->pakhash + PAKPLEN*(p->isclient != 0);
	betomp(bp, PAKSLEN, PX), bp += PAKSLEN;
	betomp(bp, PAKSLEN, PY), bp += PAKSLEN;
	betomp(bp, PAKSLEN, PZ), bp += PAKSLEN;
	betomp(bp, PAKSLEN, PT);

	Z->flags |= MPtimesafe;
	X->flags |= MPtimesafe;
	betomp(p->x, PAKXLEN, X);

	betomp(y, PAKYLEN, Y);

	c = authpak_curve();
	spake2ee_2(c->P,c->A,c->D, PX,PY,PZ,PT, X, Y, ok, Z);

	if(mpcmp(ok, mpzero) == 0){
		ret = -1;
		goto out;
	}

	mptober(Z, z, sizeof(z));

	s = sha2_256(p->isclient ? p->y : y, PAKYLEN, nil, nil);
	sha2_256(p->isclient ? y : p->y, PAKYLEN, salt, s);

	hkdf_x(	salt, SHA2_256dlen,
		(uint8_t*)info, sizeof(info)-1,
		z, sizeof(z),
		k->pakkey, PAKKEYLEN,
		hmac_sha2_256, SHA2_256dlen);

	ret = 0;
out:
	memset(z, 0, sizeof(z));
	memset(p, 0, sizeof(PAKpriv));

	mpfree(PX);
	mpfree(PY);
	mpfree(PZ);
	mpfree(PT);

	mpfree(X);
	mpfree(Y);
	mpfree(Z);
	mpfree(ok);

	return ret;
}
first usable version of kernel and commands After an year of hard work, this is a first "usable" version of Jehanne. 2016-11-25 17:18:40 +01:00			`#include <u.h>`
libc: introduce "jehanne_" namespace With this commit all functions declared in libc.h have been renamed with the "jehanne_" prefix. This is done for several reason: - it removes conflicts during symbol resolution when linking standard C libraries like newlib or musl - it allows programs depending on a standard C library to directly link to a library depending on our non standard libc (eg libsec). To ease transiction two files are provided: - sys/include/lib9.h that can be included instead of <libc.h> to use the old names (via a simple set of macros) - sys/src/lib/c/lib9.c that can be compiled with a program where the macro provided by lib9.h are too dumb (see for example rc or grep). In the kernel port/lib.h has been modified accordingly and some of the functions it directly provides has been renamed too (eg malloc in qmalloc.c and print in devcons.c). 2017-04-19 23:33:14 +02:00			`#include <lib9.h>`
first usable version of kernel and commands After an year of hard work, this is a first "usable" version of Jehanne. 2016-11-25 17:18:40 +01:00			`#include <mp.h>`
			`#include <libsec.h>`
			`#include <authsrv.h>`

			`#include "msqrt.mpc"`
			`#include "decaf.mpc"`
			`#include "edwards.mpc"`
			`#include "elligator2.mpc"`
			`#include "spake2ee.mpc"`
			`#include "ed448.mpc"`

			`typedef struct PAKcurve PAKcurve;`
			`struct PAKcurve`
			`{`
			`Lock;`
			`mpint *P;`
			`mpint *A;`
			`mpint *D;`
			`mpint *X;`
			`mpint *Y;`
			`};`

			`static PAKcurve*`
			`authpak_curve(void)`
			`{`
			`static PAKcurve a;`

libc: introduce "jehanne_" namespace With this commit all functions declared in libc.h have been renamed with the "jehanne_" prefix. This is done for several reason: - it removes conflicts during symbol resolution when linking standard C libraries like newlib or musl - it allows programs depending on a standard C library to directly link to a library depending on our non standard libc (eg libsec). To ease transiction two files are provided: - sys/include/lib9.h that can be included instead of <libc.h> to use the old names (via a simple set of macros) - sys/src/lib/c/lib9.c that can be compiled with a program where the macro provided by lib9.h are too dumb (see for example rc or grep). In the kernel port/lib.h has been modified accordingly and some of the functions it directly provides has been renamed too (eg malloc in qmalloc.c and print in devcons.c). 2017-04-19 23:33:14 +02:00			`jehanne_lock(&a);`
first usable version of kernel and commands After an year of hard work, this is a first "usable" version of Jehanne. 2016-11-25 17:18:40 +01:00			`if(a.P == nil){`
			`a.P = mpnew(0);`
			`a.A = mpnew(0);`
			`a.D = mpnew(0);`
			`a.X = mpnew(0);`
			`a.Y = mpnew(0);`
			`ed448_curve(a.P, a.A, a.D, a.X, a.Y);`
			`a.P = mpfield(a.P);`
			`}`
libc: introduce "jehanne_" namespace With this commit all functions declared in libc.h have been renamed with the "jehanne_" prefix. This is done for several reason: - it removes conflicts during symbol resolution when linking standard C libraries like newlib or musl - it allows programs depending on a standard C library to directly link to a library depending on our non standard libc (eg libsec). To ease transiction two files are provided: - sys/include/lib9.h that can be included instead of <libc.h> to use the old names (via a simple set of macros) - sys/src/lib/c/lib9.c that can be compiled with a program where the macro provided by lib9.h are too dumb (see for example rc or grep). In the kernel port/lib.h has been modified accordingly and some of the functions it directly provides has been renamed too (eg malloc in qmalloc.c and print in devcons.c). 2017-04-19 23:33:14 +02:00			`jehanne_unlock(&a);`
first usable version of kernel and commands After an year of hard work, this is a first "usable" version of Jehanne. 2016-11-25 17:18:40 +01:00			`return &a;`
			`}`

			`void`
			`authpak_hash(Authkey k, char u)`
			`{`
			`static char info[] = "Plan 9 AuthPAK hash";`
			`uint8_t bp, salt[SHA2_256dlen], h[2PAKSLEN];`
			`mpint H, PX,PY,PZ,*PT;`
			`PAKcurve *c;`

			`H = mpnew(0);`
			`PX = mpnew(0);`
			`PY = mpnew(0);`
			`PZ = mpnew(0);`
			`PT = mpnew(0);`

			`sha2_256((uint8_t*)u, strlen(u), salt, nil);`

			`hkdf_x( salt, SHA2_256dlen,`
			`(uint8_t*)info, sizeof(info)-1,`
			`k->aes, AESKEYLEN,`
			`h, sizeof(h),`
			`hmac_sha2_256, SHA2_256dlen);`

			`c = authpak_curve();`

			`betomp(h + 0PAKSLEN, PAKSLEN, H); / HM */`
			`spake2ee_h2P(c->P,c->A,c->D, H, PX,PY,PZ,PT); /* PM */`

			`bp = k->pakhash;`
			`mptober(PX, bp, PAKSLEN), bp += PAKSLEN;`
			`mptober(PY, bp, PAKSLEN), bp += PAKSLEN;`
			`mptober(PZ, bp, PAKSLEN), bp += PAKSLEN;`
			`mptober(PT, bp, PAKSLEN), bp += PAKSLEN;`

			`betomp(h + 1PAKSLEN, PAKSLEN, H); / HN */`
			`spake2ee_h2P(c->P,c->A,c->D, H, PX,PY,PZ,PT); /* PN */`

			`mptober(PX, bp, PAKSLEN), bp += PAKSLEN;`
			`mptober(PY, bp, PAKSLEN), bp += PAKSLEN;`
			`mptober(PZ, bp, PAKSLEN), bp += PAKSLEN;`
			`mptober(PT, bp, PAKSLEN);`

			`mpfree(PX);`
			`mpfree(PY);`
			`mpfree(PZ);`
			`mpfree(PT);`
			`mpfree(H);`
			`}`

			`void`
			`authpak_new(PAKpriv p, Authkey k, uint8_t y[PAKYLEN], int isclient)`
			`{`
			`mpint PX,PY,PZ,PT, X, Y;`
			`PAKcurve *c;`
			`uint8_t *bp;`

			`memset(p, 0, sizeof(PAKpriv));`
			`p->isclient = isclient != 0;`

			`X = mpnew(0);`
			`Y = mpnew(0);`

			`PX = mpnew(0);`
			`PY = mpnew(0);`
			`PZ = mpnew(0);`
			`PT = mpnew(0);`

			`PX->flags \|= MPtimesafe;`
			`PY->flags \|= MPtimesafe;`
			`PZ->flags \|= MPtimesafe;`
			`PT->flags \|= MPtimesafe;`

			`bp = k->pakhash + PAKPLEN*(p->isclient == 0);`
			`betomp(bp, PAKSLEN, PX), bp += PAKSLEN;`
			`betomp(bp, PAKSLEN, PY), bp += PAKSLEN;`
			`betomp(bp, PAKSLEN, PZ), bp += PAKSLEN;`
			`betomp(bp, PAKSLEN, PT);`

			`c = authpak_curve();`

			`X->flags \|= MPtimesafe;`
			`mpnrand(c->P, genrandom, X);`

			`spake2ee_1(c->P,c->A,c->D, X, c->X,c->Y, PX,PY,PZ,PT, Y);`

			`mptober(X, p->x, PAKXLEN);`
			`mptober(Y, p->y, PAKYLEN);`

			`memmove(y, p->y, PAKYLEN);`

			`mpfree(PX);`
			`mpfree(PY);`
			`mpfree(PZ);`
			`mpfree(PT);`

			`mpfree(X);`
			`mpfree(Y);`
			`}`

			`int`
			`authpak_finish(PAKpriv p, Authkey k, uint8_t y[PAKYLEN])`
			`{`
			`static char info[] = "Plan 9 AuthPAK key";`
			`uint8_t *bp, z[PAKSLEN], salt[SHA2_256dlen];`
			`mpint PX,PY,PZ,PT, X, Y, Z, ok;`
			`DigestState *s;`
			`PAKcurve *c;`
			`int ret;`

			`X = mpnew(0);`
			`Y = mpnew(0);`
			`Z = mpnew(0);`
			`ok = mpnew(0);`

			`PX = mpnew(0);`
			`PY = mpnew(0);`
			`PZ = mpnew(0);`
			`PT = mpnew(0);`

			`PX->flags \|= MPtimesafe;`
			`PY->flags \|= MPtimesafe;`
			`PZ->flags \|= MPtimesafe;`
			`PT->flags \|= MPtimesafe;`

			`bp = k->pakhash + PAKPLEN*(p->isclient != 0);`
			`betomp(bp, PAKSLEN, PX), bp += PAKSLEN;`
			`betomp(bp, PAKSLEN, PY), bp += PAKSLEN;`
			`betomp(bp, PAKSLEN, PZ), bp += PAKSLEN;`
			`betomp(bp, PAKSLEN, PT);`

			`Z->flags \|= MPtimesafe;`
			`X->flags \|= MPtimesafe;`
			`betomp(p->x, PAKXLEN, X);`

			`betomp(y, PAKYLEN, Y);`

			`c = authpak_curve();`
			`spake2ee_2(c->P,c->A,c->D, PX,PY,PZ,PT, X, Y, ok, Z);`

			`if(mpcmp(ok, mpzero) == 0){`
			`ret = -1;`
			`goto out;`
			`}`

			`mptober(Z, z, sizeof(z));`

			`s = sha2_256(p->isclient ? p->y : y, PAKYLEN, nil, nil);`
			`sha2_256(p->isclient ? y : p->y, PAKYLEN, salt, s);`

			`hkdf_x( salt, SHA2_256dlen,`
			`(uint8_t*)info, sizeof(info)-1,`
			`z, sizeof(z),`
			`k->pakkey, PAKKEYLEN,`
			`hmac_sha2_256, SHA2_256dlen);`

			`ret = 0;`
			`out:`
			`memset(z, 0, sizeof(z));`
			`memset(p, 0, sizeof(PAKpriv));`

			`mpfree(PX);`
			`mpfree(PY);`
			`mpfree(PZ);`
			`mpfree(PT);`

			`mpfree(X);`
			`mpfree(Y);`
			`mpfree(Z);`
			`mpfree(ok);`

			`return ret;`
			`}`