1 |
|
|
/* $OpenBSD: kexc25519c.c,v 1.8 2017/05/31 04:17:12 djm Exp $ */ |
2 |
|
|
/* |
3 |
|
|
* Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 |
|
|
* Copyright (c) 2010 Damien Miller. All rights reserved. |
5 |
|
|
* Copyright (c) 2013 Aris Adamantiadis. All rights reserved. |
6 |
|
|
* |
7 |
|
|
* Redistribution and use in source and binary forms, with or without |
8 |
|
|
* modification, are permitted provided that the following conditions |
9 |
|
|
* are met: |
10 |
|
|
* 1. Redistributions of source code must retain the above copyright |
11 |
|
|
* notice, this list of conditions and the following disclaimer. |
12 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
13 |
|
|
* notice, this list of conditions and the following disclaimer in the |
14 |
|
|
* documentation and/or other materials provided with the distribution. |
15 |
|
|
* |
16 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
17 |
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
18 |
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
19 |
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
20 |
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
21 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
22 |
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
23 |
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
24 |
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
25 |
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
26 |
|
|
*/ |
27 |
|
|
|
28 |
|
|
#include <sys/types.h> |
29 |
|
|
|
30 |
|
|
#include <stdio.h> |
31 |
|
|
#include <string.h> |
32 |
|
|
#include <signal.h> |
33 |
|
|
|
34 |
|
|
#include "sshkey.h" |
35 |
|
|
#include "cipher.h" |
36 |
|
|
#include "kex.h" |
37 |
|
|
#include "log.h" |
38 |
|
|
#include "packet.h" |
39 |
|
|
#include "ssh2.h" |
40 |
|
|
#include "sshbuf.h" |
41 |
|
|
#include "digest.h" |
42 |
|
|
#include "ssherr.h" |
43 |
|
|
|
44 |
|
|
static int |
45 |
|
|
input_kex_c25519_reply(int type, u_int32_t seq, struct ssh *ssh); |
46 |
|
|
|
47 |
|
|
int |
48 |
|
|
kexc25519_client(struct ssh *ssh) |
49 |
|
|
{ |
50 |
|
|
struct kex *kex = ssh->kex; |
51 |
|
|
int r; |
52 |
|
|
|
53 |
|
|
kexc25519_keygen(kex->c25519_client_key, kex->c25519_client_pubkey); |
54 |
|
|
#ifdef DEBUG_KEXECDH |
55 |
|
|
dump_digest("client private key:", kex->c25519_client_key, |
56 |
|
|
sizeof(kex->c25519_client_key)); |
57 |
|
|
#endif |
58 |
|
|
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_INIT)) != 0 || |
59 |
|
|
(r = sshpkt_put_string(ssh, kex->c25519_client_pubkey, |
60 |
|
|
sizeof(kex->c25519_client_pubkey))) != 0 || |
61 |
|
|
(r = sshpkt_send(ssh)) != 0) |
62 |
|
|
return r; |
63 |
|
|
|
64 |
|
|
debug("expecting SSH2_MSG_KEX_ECDH_REPLY"); |
65 |
|
|
ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_c25519_reply); |
66 |
|
|
return 0; |
67 |
|
|
} |
68 |
|
|
|
69 |
|
|
static int |
70 |
|
|
input_kex_c25519_reply(int type, u_int32_t seq, struct ssh *ssh) |
71 |
|
|
{ |
72 |
|
|
struct kex *kex = ssh->kex; |
73 |
|
|
struct sshkey *server_host_key = NULL; |
74 |
|
|
struct sshbuf *shared_secret = NULL; |
75 |
|
|
u_char *server_pubkey = NULL; |
76 |
|
|
u_char *server_host_key_blob = NULL, *signature = NULL; |
77 |
|
|
u_char hash[SSH_DIGEST_MAX_LENGTH]; |
78 |
|
|
size_t slen, pklen, sbloblen, hashlen; |
79 |
|
|
int r; |
80 |
|
|
|
81 |
|
|
if (kex->verify_host_key == NULL) { |
82 |
|
|
r = SSH_ERR_INVALID_ARGUMENT; |
83 |
|
|
goto out; |
84 |
|
|
} |
85 |
|
|
|
86 |
|
|
/* hostkey */ |
87 |
|
|
if ((r = sshpkt_get_string(ssh, &server_host_key_blob, |
88 |
|
|
&sbloblen)) != 0 || |
89 |
|
|
(r = sshkey_from_blob(server_host_key_blob, sbloblen, |
90 |
|
|
&server_host_key)) != 0) |
91 |
|
|
goto out; |
92 |
|
|
if (server_host_key->type != kex->hostkey_type || |
93 |
|
|
(kex->hostkey_type == KEY_ECDSA && |
94 |
|
|
server_host_key->ecdsa_nid != kex->hostkey_nid)) { |
95 |
|
|
r = SSH_ERR_KEY_TYPE_MISMATCH; |
96 |
|
|
goto out; |
97 |
|
|
} |
98 |
|
|
if (kex->verify_host_key(server_host_key, ssh) == -1) { |
99 |
|
|
r = SSH_ERR_SIGNATURE_INVALID; |
100 |
|
|
goto out; |
101 |
|
|
} |
102 |
|
|
|
103 |
|
|
/* Q_S, server public key */ |
104 |
|
|
/* signed H */ |
105 |
|
|
if ((r = sshpkt_get_string(ssh, &server_pubkey, &pklen)) != 0 || |
106 |
|
|
(r = sshpkt_get_string(ssh, &signature, &slen)) != 0 || |
107 |
|
|
(r = sshpkt_get_end(ssh)) != 0) |
108 |
|
|
goto out; |
109 |
|
|
if (pklen != CURVE25519_SIZE) { |
110 |
|
|
r = SSH_ERR_SIGNATURE_INVALID; |
111 |
|
|
goto out; |
112 |
|
|
} |
113 |
|
|
|
114 |
|
|
#ifdef DEBUG_KEXECDH |
115 |
|
|
dump_digest("server public key:", server_pubkey, CURVE25519_SIZE); |
116 |
|
|
#endif |
117 |
|
|
|
118 |
|
|
if ((shared_secret = sshbuf_new()) == NULL) { |
119 |
|
|
r = SSH_ERR_ALLOC_FAIL; |
120 |
|
|
goto out; |
121 |
|
|
} |
122 |
|
|
if ((r = kexc25519_shared_key(kex->c25519_client_key, server_pubkey, |
123 |
|
|
shared_secret)) < 0) |
124 |
|
|
goto out; |
125 |
|
|
|
126 |
|
|
/* calc and verify H */ |
127 |
|
|
hashlen = sizeof(hash); |
128 |
|
|
if ((r = kex_c25519_hash( |
129 |
|
|
kex->hash_alg, |
130 |
|
|
kex->client_version_string, |
131 |
|
|
kex->server_version_string, |
132 |
|
|
sshbuf_ptr(kex->my), sshbuf_len(kex->my), |
133 |
|
|
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer), |
134 |
|
|
server_host_key_blob, sbloblen, |
135 |
|
|
kex->c25519_client_pubkey, |
136 |
|
|
server_pubkey, |
137 |
|
|
sshbuf_ptr(shared_secret), sshbuf_len(shared_secret), |
138 |
|
|
hash, &hashlen)) < 0) |
139 |
|
|
goto out; |
140 |
|
|
|
141 |
|
|
if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen, |
142 |
|
|
ssh->compat)) != 0) |
143 |
|
|
goto out; |
144 |
|
|
|
145 |
|
|
/* save session id */ |
146 |
|
|
if (kex->session_id == NULL) { |
147 |
|
|
kex->session_id_len = hashlen; |
148 |
|
|
kex->session_id = malloc(kex->session_id_len); |
149 |
|
|
if (kex->session_id == NULL) { |
150 |
|
|
r = SSH_ERR_ALLOC_FAIL; |
151 |
|
|
goto out; |
152 |
|
|
} |
153 |
|
|
memcpy(kex->session_id, hash, kex->session_id_len); |
154 |
|
|
} |
155 |
|
|
|
156 |
|
|
if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0) |
157 |
|
|
r = kex_send_newkeys(ssh); |
158 |
|
|
out: |
159 |
|
|
explicit_bzero(hash, sizeof(hash)); |
160 |
|
|
explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key)); |
161 |
|
|
free(server_host_key_blob); |
162 |
|
|
free(server_pubkey); |
163 |
|
|
free(signature); |
164 |
|
|
sshkey_free(server_host_key); |
165 |
|
|
sshbuf_free(shared_secret); |
166 |
|
|
return r; |
167 |
|
|
} |