1 |
|
|
/* $OpenBSD: kexecdhs.c,v 1.16 2017/05/30 14:23:52 markus Exp $ */ |
2 |
|
|
/* |
3 |
|
|
* Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 |
|
|
* Copyright (c) 2010 Damien Miller. All rights reserved. |
5 |
|
|
* |
6 |
|
|
* Redistribution and use in source and binary forms, with or without |
7 |
|
|
* modification, are permitted provided that the following conditions |
8 |
|
|
* are met: |
9 |
|
|
* 1. Redistributions of source code must retain the above copyright |
10 |
|
|
* notice, this list of conditions and the following disclaimer. |
11 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
12 |
|
|
* notice, this list of conditions and the following disclaimer in the |
13 |
|
|
* documentation and/or other materials provided with the distribution. |
14 |
|
|
* |
15 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
16 |
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
17 |
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
18 |
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
19 |
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
20 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
21 |
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
22 |
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
23 |
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
24 |
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
25 |
|
|
*/ |
26 |
|
|
|
27 |
|
|
#include <sys/types.h> |
28 |
|
|
#include <string.h> |
29 |
|
|
#include <signal.h> |
30 |
|
|
|
31 |
|
|
#include <openssl/ecdh.h> |
32 |
|
|
|
33 |
|
|
#include "sshkey.h" |
34 |
|
|
#include "cipher.h" |
35 |
|
|
#include "digest.h" |
36 |
|
|
#include "kex.h" |
37 |
|
|
#include "log.h" |
38 |
|
|
#include "packet.h" |
39 |
|
|
#include "ssh2.h" |
40 |
|
|
|
41 |
|
|
#include "dispatch.h" |
42 |
|
|
#include "compat.h" |
43 |
|
|
#include "ssherr.h" |
44 |
|
|
#include "sshbuf.h" |
45 |
|
|
|
46 |
|
|
static int input_kex_ecdh_init(int, u_int32_t, struct ssh *); |
47 |
|
|
|
48 |
|
|
int |
49 |
|
|
kexecdh_server(struct ssh *ssh) |
50 |
|
|
{ |
51 |
|
|
debug("expecting SSH2_MSG_KEX_ECDH_INIT"); |
52 |
|
|
ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_INIT, &input_kex_ecdh_init); |
53 |
|
|
return 0; |
54 |
|
|
} |
55 |
|
|
|
56 |
|
|
static int |
57 |
|
|
input_kex_ecdh_init(int type, u_int32_t seq, struct ssh *ssh) |
58 |
|
|
{ |
59 |
|
|
struct kex *kex = ssh->kex; |
60 |
|
|
EC_POINT *client_public; |
61 |
|
|
EC_KEY *server_key = NULL; |
62 |
|
|
const EC_GROUP *group; |
63 |
|
|
const EC_POINT *public_key; |
64 |
|
|
BIGNUM *shared_secret = NULL; |
65 |
|
|
struct sshkey *server_host_private, *server_host_public; |
66 |
|
|
u_char *server_host_key_blob = NULL, *signature = NULL; |
67 |
|
|
u_char *kbuf = NULL; |
68 |
|
|
u_char hash[SSH_DIGEST_MAX_LENGTH]; |
69 |
|
|
size_t slen, sbloblen; |
70 |
|
|
size_t klen = 0, hashlen; |
71 |
|
|
int r; |
72 |
|
|
|
73 |
|
|
if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) { |
74 |
|
|
r = SSH_ERR_ALLOC_FAIL; |
75 |
|
|
goto out; |
76 |
|
|
} |
77 |
|
|
if (EC_KEY_generate_key(server_key) != 1) { |
78 |
|
|
r = SSH_ERR_LIBCRYPTO_ERROR; |
79 |
|
|
goto out; |
80 |
|
|
} |
81 |
|
|
group = EC_KEY_get0_group(server_key); |
82 |
|
|
|
83 |
|
|
#ifdef DEBUG_KEXECDH |
84 |
|
|
fputs("server private key:\n", stderr); |
85 |
|
|
sshkey_dump_ec_key(server_key); |
86 |
|
|
#endif |
87 |
|
|
|
88 |
|
|
if (kex->load_host_public_key == NULL || |
89 |
|
|
kex->load_host_private_key == NULL) { |
90 |
|
|
r = SSH_ERR_INVALID_ARGUMENT; |
91 |
|
|
goto out; |
92 |
|
|
} |
93 |
|
|
server_host_public = kex->load_host_public_key(kex->hostkey_type, |
94 |
|
|
kex->hostkey_nid, ssh); |
95 |
|
|
server_host_private = kex->load_host_private_key(kex->hostkey_type, |
96 |
|
|
kex->hostkey_nid, ssh); |
97 |
|
|
if (server_host_public == NULL) { |
98 |
|
|
r = SSH_ERR_NO_HOSTKEY_LOADED; |
99 |
|
|
goto out; |
100 |
|
|
} |
101 |
|
|
if ((client_public = EC_POINT_new(group)) == NULL) { |
102 |
|
|
r = SSH_ERR_ALLOC_FAIL; |
103 |
|
|
goto out; |
104 |
|
|
} |
105 |
|
|
if ((r = sshpkt_get_ec(ssh, client_public, group)) != 0 || |
106 |
|
|
(r = sshpkt_get_end(ssh)) != 0) |
107 |
|
|
goto out; |
108 |
|
|
|
109 |
|
|
#ifdef DEBUG_KEXECDH |
110 |
|
|
fputs("client public key:\n", stderr); |
111 |
|
|
sshkey_dump_ec_point(group, client_public); |
112 |
|
|
#endif |
113 |
|
|
if (sshkey_ec_validate_public(group, client_public) != 0) { |
114 |
|
|
sshpkt_disconnect(ssh, "invalid client public key"); |
115 |
|
|
r = SSH_ERR_MESSAGE_INCOMPLETE; |
116 |
|
|
goto out; |
117 |
|
|
} |
118 |
|
|
|
119 |
|
|
/* Calculate shared_secret */ |
120 |
|
|
klen = (EC_GROUP_get_degree(group) + 7) / 8; |
121 |
|
|
if ((kbuf = malloc(klen)) == NULL || |
122 |
|
|
(shared_secret = BN_new()) == NULL) { |
123 |
|
|
r = SSH_ERR_ALLOC_FAIL; |
124 |
|
|
goto out; |
125 |
|
|
} |
126 |
|
|
if (ECDH_compute_key(kbuf, klen, client_public, |
127 |
|
|
server_key, NULL) != (int)klen || |
128 |
|
|
BN_bin2bn(kbuf, klen, shared_secret) == NULL) { |
129 |
|
|
r = SSH_ERR_LIBCRYPTO_ERROR; |
130 |
|
|
goto out; |
131 |
|
|
} |
132 |
|
|
|
133 |
|
|
#ifdef DEBUG_KEXECDH |
134 |
|
|
dump_digest("shared secret", kbuf, klen); |
135 |
|
|
#endif |
136 |
|
|
/* calc H */ |
137 |
|
|
if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob, |
138 |
|
|
&sbloblen)) != 0) |
139 |
|
|
goto out; |
140 |
|
|
hashlen = sizeof(hash); |
141 |
|
|
if ((r = kex_ecdh_hash( |
142 |
|
|
kex->hash_alg, |
143 |
|
|
group, |
144 |
|
|
kex->client_version_string, |
145 |
|
|
kex->server_version_string, |
146 |
|
|
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer), |
147 |
|
|
sshbuf_ptr(kex->my), sshbuf_len(kex->my), |
148 |
|
|
server_host_key_blob, sbloblen, |
149 |
|
|
client_public, |
150 |
|
|
EC_KEY_get0_public_key(server_key), |
151 |
|
|
shared_secret, |
152 |
|
|
hash, &hashlen)) != 0) |
153 |
|
|
goto out; |
154 |
|
|
|
155 |
|
|
/* save session id := H */ |
156 |
|
|
if (kex->session_id == NULL) { |
157 |
|
|
kex->session_id_len = hashlen; |
158 |
|
|
kex->session_id = malloc(kex->session_id_len); |
159 |
|
|
if (kex->session_id == NULL) { |
160 |
|
|
r = SSH_ERR_ALLOC_FAIL; |
161 |
|
|
goto out; |
162 |
|
|
} |
163 |
|
|
memcpy(kex->session_id, hash, kex->session_id_len); |
164 |
|
|
} |
165 |
|
|
|
166 |
|
|
/* sign H */ |
167 |
|
|
if ((r = kex->sign(server_host_private, server_host_public, &signature, |
168 |
|
|
&slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0) |
169 |
|
|
goto out; |
170 |
|
|
|
171 |
|
|
/* destroy_sensitive_data(); */ |
172 |
|
|
|
173 |
|
|
public_key = EC_KEY_get0_public_key(server_key); |
174 |
|
|
/* send server hostkey, ECDH pubkey 'Q_S' and signed H */ |
175 |
|
|
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_REPLY)) != 0 || |
176 |
|
|
(r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 || |
177 |
|
|
(r = sshpkt_put_ec(ssh, public_key, group)) != 0 || |
178 |
|
|
(r = sshpkt_put_string(ssh, signature, slen)) != 0 || |
179 |
|
|
(r = sshpkt_send(ssh)) != 0) |
180 |
|
|
goto out; |
181 |
|
|
|
182 |
|
|
if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) |
183 |
|
|
r = kex_send_newkeys(ssh); |
184 |
|
|
out: |
185 |
|
|
explicit_bzero(hash, sizeof(hash)); |
186 |
|
|
if (kex->ec_client_key) { |
187 |
|
|
EC_KEY_free(kex->ec_client_key); |
188 |
|
|
kex->ec_client_key = NULL; |
189 |
|
|
} |
190 |
|
|
if (server_key) |
191 |
|
|
EC_KEY_free(server_key); |
192 |
|
|
if (kbuf) { |
193 |
|
|
explicit_bzero(kbuf, klen); |
194 |
|
|
free(kbuf); |
195 |
|
|
} |
196 |
|
|
if (shared_secret) |
197 |
|
|
BN_clear_free(shared_secret); |
198 |
|
|
free(server_host_key_blob); |
199 |
|
|
free(signature); |
200 |
|
|
return r; |
201 |
|
|
} |