[openssh.git] / kex.c

/*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: kex.c,v 1.13 2000/11/12 19:50:37 markus Exp $");

#include "ssh.h"
#include "ssh2.h"
#include "xmalloc.h"
#include "buffer.h"
#include "bufaux.h"
#include "packet.h"
#include "compat.h"

#include <openssl/bn.h>
#include <openssl/dh.h>

#include <openssl/crypto.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/pem.h>

#include "kex.h"
#include "key.h"

#define KEX_COOKIE_LEN	16

Buffer *
kex_init(char *myproposal[PROPOSAL_MAX])
{
	int first_kex_packet_follows = 0;
	unsigned char cookie[KEX_COOKIE_LEN];
	u_int32_t rand = 0;
	int i;
	Buffer *ki = xmalloc(sizeof(*ki));
	for (i = 0; i < KEX_COOKIE_LEN; i++) {
		if (i % 4 == 0)
			rand = arc4random();
		cookie[i] = rand & 0xff;
		rand >>= 8;
	}
	buffer_init(ki);
	buffer_append(ki, (char *)cookie, sizeof cookie);
	for (i = 0; i < PROPOSAL_MAX; i++)
		buffer_put_cstring(ki, myproposal[i]);
	buffer_put_char(ki, first_kex_packet_follows);
	buffer_put_int(ki, 0);				/* uint32 reserved */
	return ki;
}

/* send kexinit, parse and save reply */
void
kex_exchange_kexinit(
    Buffer *my_kexinit, Buffer *peer_kexint,
    char *peer_proposal[PROPOSAL_MAX])
{
	int i;
	char *ptr;
	int plen;

	debug("send KEXINIT");
	packet_start(SSH2_MSG_KEXINIT);
	packet_put_raw(buffer_ptr(my_kexinit), buffer_len(my_kexinit));	
	packet_send();
	packet_write_wait();
	debug("done");

	/*
	 * read and save raw KEXINIT payload in buffer. this is used during
	 * computation of the session_id and the session keys.
	 */
	debug("wait KEXINIT");
	packet_read_expect(&plen, SSH2_MSG_KEXINIT);
	ptr = packet_get_raw(&plen);
	buffer_append(peer_kexint, ptr, plen);

	/* parse packet and save algorithm proposal */
	/* skip cookie */
	for (i = 0; i < KEX_COOKIE_LEN; i++)
		packet_get_char();
	/* extract kex init proposal strings */
	for (i = 0; i < PROPOSAL_MAX; i++) {
		peer_proposal[i] = packet_get_string(NULL);
		debug("got kexinit: %s", peer_proposal[i]);
	}
	/* first kex follow / reserved */
	i = packet_get_char();
	debug("first kex follow: %d ", i);
	i = packet_get_int();
	debug("reserved: %d ", i);
	packet_done();
	debug("done");
}

/* diffie-hellman-group1-sha1 */

int
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
{
	int i;
	int n = BN_num_bits(dh_pub);
	int bits_set = 0;

	if (dh_pub->neg) {
		log("invalid public DH value: negativ");
		return 0;
	}
	for (i = 0; i <= n; i++)
		if (BN_is_bit_set(dh_pub, i))
			bits_set++;
	debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p));

	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
		return 1;
	log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	return 0;
}

DH *
dh_gen_key(DH *dh)
{
	int tries = 0;

	do {
		if (DH_generate_key(dh) == 0)
			fatal("DH_generate_key");
		if (tries++ > 10)
			fatal("dh_new_group1: too many bad keys: giving up");
	} while (!dh_pub_is_valid(dh, dh->pub_key));
	return dh;
}

DH *
dh_new_group_asc(const char *gen, const char *modulus)
{
	DH *dh;
	int ret;

	dh = DH_new();
	if (dh == NULL)
		fatal("DH_new");

	if ((ret = BN_hex2bn(&dh->p, modulus)) < 0)
		fatal("BN_hex2bn p");
	if ((ret = BN_hex2bn(&dh->g, gen)) < 0)
		fatal("BN_hex2bn g");

	return (dh_gen_key(dh));
}

DH *
dh_new_group(BIGNUM *gen, BIGNUM *modulus)
{
	DH *dh;

	dh = DH_new();
	if (dh == NULL)
		fatal("DH_new");
	dh->p = modulus;
	dh->g = gen;

	return (dh_gen_key(dh));
}

DH *
dh_new_group1()
{
	static char *gen = "2", *group1 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group1));
}

void
dump_digest(unsigned char *digest, int len)
{
	int i;
	for (i = 0; i< len; i++){
		fprintf(stderr, "%02x", digest[i]);
		if(i%2!=0)
			fprintf(stderr, " ");
	}
	fprintf(stderr, "\n");
}

unsigned char *
kex_hash(
    char *client_version_string,
    char *server_version_string,
    char *ckexinit, int ckexinitlen,
    char *skexinit, int skexinitlen,
    char *serverhostkeyblob, int sbloblen,
    BIGNUM *client_dh_pub,
    BIGNUM *server_dh_pub,
    BIGNUM *shared_secret)
{
	Buffer b;
	static unsigned char digest[EVP_MAX_MD_SIZE];
	EVP_MD *evp_md = EVP_sha1();
	EVP_MD_CTX md;

	buffer_init(&b);
	buffer_put_string(&b, client_version_string, strlen(client_version_string));
	buffer_put_string(&b, server_version_string, strlen(server_version_string));

	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
	buffer_put_int(&b, ckexinitlen+1);
	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	buffer_append(&b, ckexinit, ckexinitlen);
	buffer_put_int(&b, skexinitlen+1);
	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	buffer_append(&b, skexinit, skexinitlen);

	buffer_put_string(&b, serverhostkeyblob, sbloblen);
	buffer_put_bignum2(&b, client_dh_pub);
	buffer_put_bignum2(&b, server_dh_pub);
	buffer_put_bignum2(&b, shared_secret);
	
#ifdef DEBUG_KEX
	buffer_dump(&b);
#endif

	EVP_DigestInit(&md, evp_md);
	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	EVP_DigestFinal(&md, digest, NULL);

	buffer_free(&b);

#ifdef DEBUG_KEX
	dump_digest(digest, evp_md->md_size);
#endif
	return digest;
}

unsigned char *
kex_hash_gex(
    char *client_version_string,
    char *server_version_string,
    char *ckexinit, int ckexinitlen,
    char *skexinit, int skexinitlen,
    char *serverhostkeyblob, int sbloblen,
    int minbits, BIGNUM *prime, BIGNUM *gen,
    BIGNUM *client_dh_pub,
    BIGNUM *server_dh_pub,
    BIGNUM *shared_secret)
{
	Buffer b;
	static unsigned char digest[EVP_MAX_MD_SIZE];
	EVP_MD *evp_md = EVP_sha1();
	EVP_MD_CTX md;

	buffer_init(&b);
	buffer_put_string(&b, client_version_string, strlen(client_version_string));
	buffer_put_string(&b, server_version_string, strlen(server_version_string));

	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
	buffer_put_int(&b, ckexinitlen+1);
	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	buffer_append(&b, ckexinit, ckexinitlen);
	buffer_put_int(&b, skexinitlen+1);
	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	buffer_append(&b, skexinit, skexinitlen);

	buffer_put_string(&b, serverhostkeyblob, sbloblen);
	buffer_put_int(&b, minbits);
	buffer_put_bignum2(&b, prime);
	buffer_put_bignum2(&b, gen);
	buffer_put_bignum2(&b, client_dh_pub);
	buffer_put_bignum2(&b, server_dh_pub);
	buffer_put_bignum2(&b, shared_secret);
	
#ifdef DEBUG_KEX
	buffer_dump(&b);
#endif

	EVP_DigestInit(&md, evp_md);
	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	EVP_DigestFinal(&md, digest, NULL);

	buffer_free(&b);

#ifdef DEBUG_KEX
	dump_digest(digest, evp_md->md_size);
#endif
	return digest;
}

unsigned char *
derive_key(int id, int need, char unsigned *hash, BIGNUM *shared_secret)
{
	Buffer b;
	EVP_MD *evp_md = EVP_sha1();
	EVP_MD_CTX md;
	char c = id;
	int have;
	int mdsz = evp_md->md_size;
	unsigned char *digest = xmalloc(((need+mdsz-1)/mdsz)*mdsz);

	buffer_init(&b);
	buffer_put_bignum2(&b, shared_secret);

	EVP_DigestInit(&md, evp_md);
	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));	/* shared_secret K */
	EVP_DigestUpdate(&md, hash, mdsz);		/* transport-06 */
	EVP_DigestUpdate(&md, &c, 1);			/* key id */
	EVP_DigestUpdate(&md, hash, mdsz);		/* session id */
	EVP_DigestFinal(&md, digest, NULL);

	/* expand */
	for (have = mdsz; need > have; have += mdsz) {
		EVP_DigestInit(&md, evp_md);
		EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
		EVP_DigestUpdate(&md, hash, mdsz);
		EVP_DigestUpdate(&md, digest, have);
		EVP_DigestFinal(&md, digest + have, NULL);
	}
	buffer_free(&b);
#ifdef DEBUG_KEX
	fprintf(stderr, "Digest '%c'== ", c);
	dump_digest(digest, need);
#endif
	return digest;
}

#define NKEYS	6

#define	MAX_PROP	20
#define	SEP	","

char *
get_match(char *client, char *server)
{
	char *sproposals[MAX_PROP];
	char *c, *s, *p, *ret, *cp, *sp;
	int i, j, nproposals;

	c = cp = xstrdup(client);
	s = sp = xstrdup(server);

	for ((p = strsep(&sp, SEP)), i=0; p && *p != '\0'; 
	     (p = strsep(&sp, SEP)), i++) {
		if (i < MAX_PROP)
			sproposals[i] = p;
		else
			break;
	}
	nproposals = i;

	for ((p = strsep(&cp, SEP)), i=0; p && *p != '\0'; 
	     (p = strsep(&cp, SEP)), i++) {
		for (j = 0; j < nproposals; j++) {
			if (strcmp(p, sproposals[j]) == 0) {
				ret = xstrdup(p);
				xfree(c);
				xfree(s);
				return ret;
			}
		}
	}
	xfree(c);
	xfree(s);
	return NULL;
}
void
choose_enc(Enc *enc, char *client, char *server)
{
	char *name = get_match(client, server);
	if (name == NULL)
		fatal("no matching cipher found: client %s server %s", client, server);
	enc->cipher = cipher_by_name(name);
	if (enc->cipher == NULL)
		fatal("matching cipher is not supported: %s", name);
	enc->name = name;
	enc->enabled = 0;
	enc->iv = NULL;
	enc->key = NULL;
}
void
choose_mac(Mac *mac, char *client, char *server)
{
	char *name = get_match(client, server);
	if (name == NULL)
		fatal("no matching mac found: client %s server %s", client, server);
	if (strcmp(name, "hmac-md5") == 0) {
		mac->md = EVP_md5();
	} else if (strcmp(name, "hmac-sha1") == 0) {
		mac->md = EVP_sha1();
	} else if (strcmp(name, "hmac-ripemd160@openssh.com") == 0) {
		mac->md = EVP_ripemd160();
	} else {
		fatal("unsupported mac %s", name);
	}
	mac->name = name;
	mac->mac_len = mac->md->md_size;
	mac->key_len = (datafellows & SSH_BUG_HMAC) ? 16 : mac->mac_len;
	mac->key = NULL;
	mac->enabled = 0;
}
void
choose_comp(Comp *comp, char *client, char *server)
{
	char *name = get_match(client, server);
	if (name == NULL)
		fatal("no matching comp found: client %s server %s", client, server);
	if (strcmp(name, "zlib") == 0) {
		comp->type = 1;
	} else if (strcmp(name, "none") == 0) {
		comp->type = 0;
	} else {
		fatal("unsupported comp %s", name);
	}
	comp->name = name;
}
void
choose_kex(Kex *k, char *client, char *server)
{
	k->name = get_match(client, server);
	if (k->name == NULL)
		fatal("no kex alg");
	if (strcmp(k->name, KEX_DH1) == 0) {
		k->kex_type = DH_GRP1_SHA1;
	} else if (strcmp(k->name, KEX_DHGEX) == 0) {
		k->kex_type = DH_GEX_SHA1;
	} else
		fatal("bad kex alg %s", k->name);
}
void
choose_hostkeyalg(Kex *k, char *client, char *server)
{
	char *hostkeyalg = get_match(client, server);
	if (hostkeyalg == NULL)
		fatal("no hostkey alg");
	k->hostkey_type = key_type_from_name(hostkeyalg);
	if (k->hostkey_type == KEY_UNSPEC)
		fatal("bad hostkey alg '%s'", hostkeyalg);
}

Kex *
kex_choose_conf(char *cprop[PROPOSAL_MAX], char *sprop[PROPOSAL_MAX], int server)
{
	int mode;
	int ctos;				/* direction: if true client-to-server */
	int need;
	Kex *k;

	k = xmalloc(sizeof(*k));
	memset(k, 0, sizeof(*k));
	k->server = server;

	for (mode = 0; mode < MODE_MAX; mode++) {
		int nenc, nmac, ncomp;
		ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN);
		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
		choose_enc (&k->enc [mode], cprop[nenc],  sprop[nenc]);
		choose_mac (&k->mac [mode], cprop[nmac],  sprop[nmac]);
		choose_comp(&k->comp[mode], cprop[ncomp], sprop[ncomp]);
		debug("kex: %s %s %s %s",
		    ctos ? "client->server" : "server->client",
		    k->enc[mode].name,
		    k->mac[mode].name,
		    k->comp[mode].name);
	}
	choose_kex(k, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
	choose_hostkeyalg(k, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
	need = 0;
	for (mode = 0; mode < MODE_MAX; mode++) {
	    if (need < k->enc[mode].cipher->key_len)
		    need = k->enc[mode].cipher->key_len;
	    if (need < k->enc[mode].cipher->block_size)
		    need = k->enc[mode].cipher->block_size;
	    if (need < k->mac[mode].key_len)
		    need = k->mac[mode].key_len;
	}
	/* XXX need runden? */
	k->we_need = need;
	return k;
}

int
kex_derive_keys(Kex *k, unsigned char *hash, BIGNUM *shared_secret)
{
	int i;
	int mode;
	int ctos;
	unsigned char *keys[NKEYS];

	for (i = 0; i < NKEYS; i++)
		keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret);

	for (mode = 0; mode < MODE_MAX; mode++) {
		ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN);
		k->enc[mode].iv  = keys[ctos ? 0 : 1];
		k->enc[mode].key = keys[ctos ? 2 : 3];
		k->mac[mode].key = keys[ctos ? 4 : 5];
	}
	return 0;
}
Commit	Line	Data
4f8c6159	1	/*
	2	* Copyright (c) 2000 Markus Friedl. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
4f8c6159	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
	24
	25	#include "includes.h"
fa08c86b	26	RCSID("$OpenBSD: kex.c,v 1.13 2000/11/12 19:50:37 markus Exp $");
4f8c6159	27
	28	#include "ssh.h"
	29	#include "ssh2.h"
	30	#include "xmalloc.h"
	31	#include "buffer.h"
	32	#include "bufaux.h"
71276795	33	#include "packet.h"
4f8c6159	34	#include "compat.h"
	35
	36	#include <openssl/bn.h>
	37	#include <openssl/dh.h>
	38
	39	#include <openssl/crypto.h>
	40	#include <openssl/bio.h>
	41	#include <openssl/bn.h>
	42	#include <openssl/dh.h>
	43	#include <openssl/pem.h>
	44
	45	#include "kex.h"
fa08c86b	46	#include "key.h"
4f8c6159	47
71276795	48	#define KEX_COOKIE_LEN 16
71276795	49
4f8c6159	50	Buffer *
	51	kex_init(char *myproposal[PROPOSAL_MAX])
	52	{
71276795	53	int first_kex_packet_follows = 0;
71276795	54	unsigned char cookie[KEX_COOKIE_LEN];
4f8c6159	55	u_int32_t rand = 0;
	56	int i;
	57	Buffer ki = xmalloc(sizeof(ki));
71276795	58	for (i = 0; i < KEX_COOKIE_LEN; i++) {
4f8c6159	59	if (i % 4 == 0)
	60	rand = arc4random();
	61	cookie[i] = rand & 0xff;
	62	rand >>= 8;
	63	}
	64	buffer_init(ki);
	65	buffer_append(ki, (char *)cookie, sizeof cookie);
	66	for (i = 0; i < PROPOSAL_MAX; i++)
	67	buffer_put_cstring(ki, myproposal[i]);
71276795	68	buffer_put_char(ki, first_kex_packet_follows);
71276795	69	buffer_put_int(ki, 0); /* uint32 reserved */
4f8c6159	70	return ki;
	71	}
	72
71276795	73	/* send kexinit, parse and save reply */
	74	void
	75	kex_exchange_kexinit(
	76	Buffer my_kexinit, Buffer peer_kexint,
	77	char *peer_proposal[PROPOSAL_MAX])
	78	{
	79	int i;
	80	char *ptr;
	81	int plen;
	82
	83	debug("send KEXINIT");
	84	packet_start(SSH2_MSG_KEXINIT);
	85	packet_put_raw(buffer_ptr(my_kexinit), buffer_len(my_kexinit));
	86	packet_send();
	87	packet_write_wait();
	88	debug("done");
	89
	90	/*
	91	* read and save raw KEXINIT payload in buffer. this is used during
	92	* computation of the session_id and the session keys.
	93	*/
	94	debug("wait KEXINIT");
	95	packet_read_expect(&plen, SSH2_MSG_KEXINIT);
	96	ptr = packet_get_raw(&plen);
	97	buffer_append(peer_kexint, ptr, plen);
	98
	99	/* parse packet and save algorithm proposal */
	100	/* skip cookie */
	101	for (i = 0; i < KEX_COOKIE_LEN; i++)
	102	packet_get_char();
	103	/* extract kex init proposal strings */
	104	for (i = 0; i < PROPOSAL_MAX; i++) {
	105	peer_proposal[i] = packet_get_string(NULL);
	106	debug("got kexinit: %s", peer_proposal[i]);
	107	}
	108	/* first kex follow / reserved */
	109	i = packet_get_char();
	110	debug("first kex follow: %d ", i);
	111	i = packet_get_int();
	112	debug("reserved: %d ", i);
	113	packet_done();
	114	debug("done");
	115	}
	116
4f8c6159	117	/* diffie-hellman-group1-sha1 */
	118
	119	int
	120	dh_pub_is_valid(DH dh, BIGNUM dh_pub)
	121	{
	122	int i;
	123	int n = BN_num_bits(dh_pub);
	124	int bits_set = 0;
	125
4f8c6159	126	if (dh_pub->neg) {
	127	log("invalid public DH value: negativ");
	128	return 0;
	129	}
	130	for (i = 0; i <= n; i++)
	131	if (BN_is_bit_set(dh_pub, i))
	132	bits_set++;
	133	debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
	134
	135	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	136	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
	137	return 1;
	138	log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	139	return 0;
	140	}
	141
	142	DH *
94ec8c6b	143	dh_gen_key(DH *dh)
4f8c6159	144	{
94ec8c6b	145	int tries = 0;
94ec8c6b	146
4f8c6159	147	do {
	148	if (DH_generate_key(dh) == 0)
	149	fatal("DH_generate_key");
	150	if (tries++ > 10)
	151	fatal("dh_new_group1: too many bad keys: giving up");
	152	} while (!dh_pub_is_valid(dh, dh->pub_key));
	153	return dh;
	154	}
	155
94ec8c6b	156	DH *
	157	dh_new_group_asc(const char gen, const char modulus)
	158	{
	159	DH *dh;
	160	int ret;
	161
	162	dh = DH_new();
	163	if (dh == NULL)
	164	fatal("DH_new");
	165
	166	if ((ret = BN_hex2bn(&dh->p, modulus)) < 0)
	167	fatal("BN_hex2bn p");
	168	if ((ret = BN_hex2bn(&dh->g, gen)) < 0)
	169	fatal("BN_hex2bn g");
	170
	171	return (dh_gen_key(dh));
	172	}
	173
	174	DH *
	175	dh_new_group(BIGNUM gen, BIGNUM modulus)
	176	{
	177	DH *dh;
	178
	179	dh = DH_new();
	180	if (dh == NULL)
	181	fatal("DH_new");
	182	dh->p = modulus;
	183	dh->g = gen;
	184
	185	return (dh_gen_key(dh));
	186	}
	187
	188	DH *
	189	dh_new_group1()
	190	{
	191	static char gen = "2", group1 =
	192	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	193	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	194	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	195	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	196	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	197	"FFFFFFFF" "FFFFFFFF";
	198
	199	return (dh_new_group_asc(gen, group1));
	200	}
	201
4f8c6159	202	void
	203	dump_digest(unsigned char *digest, int len)
	204	{
	205	int i;
	206	for (i = 0; i< len; i++){
	207	fprintf(stderr, "%02x", digest[i]);
	208	if(i%2!=0)
	209	fprintf(stderr, " ");
	210	}
	211	fprintf(stderr, "\n");
	212	}
	213
	214	unsigned char *
	215	kex_hash(
	216	char *client_version_string,
	217	char *server_version_string,
	218	char *ckexinit, int ckexinitlen,
	219	char *skexinit, int skexinitlen,
	220	char *serverhostkeyblob, int sbloblen,
	221	BIGNUM *client_dh_pub,
	222	BIGNUM *server_dh_pub,
	223	BIGNUM *shared_secret)
	224	{
	225	Buffer b;
	226	static unsigned char digest[EVP_MAX_MD_SIZE];
	227	EVP_MD *evp_md = EVP_sha1();
	228	EVP_MD_CTX md;
	229
	230	buffer_init(&b);
	231	buffer_put_string(&b, client_version_string, strlen(client_version_string));
	232	buffer_put_string(&b, server_version_string, strlen(server_version_string));
	233
	234	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
	235	buffer_put_int(&b, ckexinitlen+1);
	236	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	237	buffer_append(&b, ckexinit, ckexinitlen);
	238	buffer_put_int(&b, skexinitlen+1);
	239	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	240	buffer_append(&b, skexinit, skexinitlen);
	241
	242	buffer_put_string(&b, serverhostkeyblob, sbloblen);
	243	buffer_put_bignum2(&b, client_dh_pub);
	244	buffer_put_bignum2(&b, server_dh_pub);
	245	buffer_put_bignum2(&b, shared_secret);
	246
	247	#ifdef DEBUG_KEX
	248	buffer_dump(&b);
	249	#endif
	250
	251	EVP_DigestInit(&md, evp_md);
	252	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	253	EVP_DigestFinal(&md, digest, NULL);
	254
	255	buffer_free(&b);
	256
	257	#ifdef DEBUG_KEX
	258	dump_digest(digest, evp_md->md_size);
	259	#endif
	260	return digest;
	261	}
	262
94ec8c6b	263	unsigned char *
	264	kex_hash_gex(
	265	char *client_version_string,
	266	char *server_version_string,
	267	char *ckexinit, int ckexinitlen,
	268	char *skexinit, int skexinitlen,
	269	char *serverhostkeyblob, int sbloblen,
	270	int minbits, BIGNUM prime, BIGNUM gen,
	271	BIGNUM *client_dh_pub,
	272	BIGNUM *server_dh_pub,
	273	BIGNUM *shared_secret)
	274	{
	275	Buffer b;
	276	static unsigned char digest[EVP_MAX_MD_SIZE];
	277	EVP_MD *evp_md = EVP_sha1();
	278	EVP_MD_CTX md;
	279
	280	buffer_init(&b);
	281	buffer_put_string(&b, client_version_string, strlen(client_version_string));
	282	buffer_put_string(&b, server_version_string, strlen(server_version_string));
	283
	284	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
	285	buffer_put_int(&b, ckexinitlen+1);
	286	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	287	buffer_append(&b, ckexinit, ckexinitlen);
	288	buffer_put_int(&b, skexinitlen+1);
	289	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	290	buffer_append(&b, skexinit, skexinitlen);
	291
	292	buffer_put_string(&b, serverhostkeyblob, sbloblen);
	293	buffer_put_int(&b, minbits);
	294	buffer_put_bignum2(&b, prime);
	295	buffer_put_bignum2(&b, gen);
	296	buffer_put_bignum2(&b, client_dh_pub);
	297	buffer_put_bignum2(&b, server_dh_pub);
	298	buffer_put_bignum2(&b, shared_secret);
	299
	300	#ifdef DEBUG_KEX
	301	buffer_dump(&b);
	302	#endif
	303
	304	EVP_DigestInit(&md, evp_md);
	305	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	306	EVP_DigestFinal(&md, digest, NULL);
	307
	308	buffer_free(&b);
	309
	310	#ifdef DEBUG_KEX
	311	dump_digest(digest, evp_md->md_size);
	312	#endif
	313	return digest;
	314	}
	315
4f8c6159	316	unsigned char *
	317	derive_key(int id, int need, char unsigned hash, BIGNUM shared_secret)
	318	{
	319	Buffer b;
	320	EVP_MD *evp_md = EVP_sha1();
	321	EVP_MD_CTX md;
	322	char c = id;
	323	int have;
	324	int mdsz = evp_md->md_size;
	325	unsigned char digest = xmalloc(((need+mdsz-1)/mdsz)mdsz);
	326
	327	buffer_init(&b);
	328	buffer_put_bignum2(&b, shared_secret);
	329
	330	EVP_DigestInit(&md, evp_md);
	331	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); /* shared_secret K */
	332	EVP_DigestUpdate(&md, hash, mdsz); /* transport-06 */
	333	EVP_DigestUpdate(&md, &c, 1); /* key id */
	334	EVP_DigestUpdate(&md, hash, mdsz); /* session id */
	335	EVP_DigestFinal(&md, digest, NULL);
	336
	337	/* expand */
	338	for (have = mdsz; need > have; have += mdsz) {
	339	EVP_DigestInit(&md, evp_md);
	340	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	341	EVP_DigestUpdate(&md, hash, mdsz);
	342	EVP_DigestUpdate(&md, digest, have);
	343	EVP_DigestFinal(&md, digest + have, NULL);
	344	}
	345	buffer_free(&b);
	346	#ifdef DEBUG_KEX
	347	fprintf(stderr, "Digest '%c'== ", c);
	348	dump_digest(digest, need);
	349	#endif
	350	return digest;
	351	}
	352
	353	#define NKEYS 6
	354
	355	#define MAX_PROP 20
	356	#define SEP ","
	357
	358	char *
	359	get_match(char client, char server)
	360	{
	361	char *sproposals[MAX_PROP];
089fbbd2	362	char c, s, p, ret, cp, sp;
4f8c6159	363	int i, j, nproposals;
4f8c6159	364
089fbbd2	365	c = cp = xstrdup(client);
089fbbd2	366	s = sp = xstrdup(server);
71276795	367
089fbbd2	368	for ((p = strsep(&sp, SEP)), i=0; p && *p != '\0';
089fbbd2	369	(p = strsep(&sp, SEP)), i++) {
4f8c6159	370	if (i < MAX_PROP)
	371	sproposals[i] = p;
	372	else
	373	break;
	374	}
	375	nproposals = i;
	376
089fbbd2	377	for ((p = strsep(&cp, SEP)), i=0; p && *p != '\0';
089fbbd2	378	(p = strsep(&cp, SEP)), i++) {
71276795	379	for (j = 0; j < nproposals; j++) {
	380	if (strcmp(p, sproposals[j]) == 0) {
	381	ret = xstrdup(p);
	382	xfree(c);
	383	xfree(s);
	384	return ret;
	385	}
	386	}
4f8c6159	387	}
71276795	388	xfree(c);
71276795	389	xfree(s);
4f8c6159	390	return NULL;
	391	}
	392	void
	393	choose_enc(Enc enc, char client, char *server)
	394	{
	395	char *name = get_match(client, server);
	396	if (name == NULL)
	397	fatal("no matching cipher found: client %s server %s", client, server);
94ec8c6b	398	enc->cipher = cipher_by_name(name);
	399	if (enc->cipher == NULL)
	400	fatal("matching cipher is not supported: %s", name);
4f8c6159	401	enc->name = name;
	402	enc->enabled = 0;
	403	enc->iv = NULL;
	404	enc->key = NULL;
	405	}
	406	void
	407	choose_mac(Mac mac, char client, char *server)
	408	{
	409	char *name = get_match(client, server);
	410	if (name == NULL)
	411	fatal("no matching mac found: client %s server %s", client, server);
	412	if (strcmp(name, "hmac-md5") == 0) {
	413	mac->md = EVP_md5();
	414	} else if (strcmp(name, "hmac-sha1") == 0) {
	415	mac->md = EVP_sha1();
	416	} else if (strcmp(name, "hmac-ripemd160@openssh.com") == 0) {
	417	mac->md = EVP_ripemd160();
	418	} else {
	419	fatal("unsupported mac %s", name);
	420	}
	421	mac->name = name;
	422	mac->mac_len = mac->md->md_size;
d0c832f3	423	mac->key_len = (datafellows & SSH_BUG_HMAC) ? 16 : mac->mac_len;
4f8c6159	424	mac->key = NULL;
	425	mac->enabled = 0;
	426	}
	427	void
	428	choose_comp(Comp comp, char client, char *server)
	429	{
	430	char *name = get_match(client, server);
	431	if (name == NULL)
	432	fatal("no matching comp found: client %s server %s", client, server);
	433	if (strcmp(name, "zlib") == 0) {
	434	comp->type = 1;
	435	} else if (strcmp(name, "none") == 0) {
	436	comp->type = 0;
	437	} else {
	438	fatal("unsupported comp %s", name);
	439	}
	440	comp->name = name;
	441	}
	442	void
	443	choose_kex(Kex k, char client, char *server)
	444	{
	445	k->name = get_match(client, server);
	446	if (k->name == NULL)
	447	fatal("no kex alg");
94ec8c6b	448	if (strcmp(k->name, KEX_DH1) == 0) {
	449	k->kex_type = DH_GRP1_SHA1;
	450	} else if (strcmp(k->name, KEX_DHGEX) == 0) {
	451	k->kex_type = DH_GEX_SHA1;
	452	} else
4f8c6159	453	fatal("bad kex alg %s", k->name);
	454	}
	455	void
	456	choose_hostkeyalg(Kex k, char client, char *server)
	457	{
fa08c86b	458	char *hostkeyalg = get_match(client, server);
fa08c86b	459	if (hostkeyalg == NULL)
4f8c6159	460	fatal("no hostkey alg");
fa08c86b	461	k->hostkey_type = key_type_from_name(hostkeyalg);
	462	if (k->hostkey_type == KEY_UNSPEC)
	463	fatal("bad hostkey alg '%s'", hostkeyalg);
4f8c6159	464	}
	465
	466	Kex *
	467	kex_choose_conf(char cprop[PROPOSAL_MAX], char sprop[PROPOSAL_MAX], int server)
	468	{
4f8c6159	469	int mode;
	470	int ctos; /* direction: if true client-to-server */
	471	int need;
	472	Kex *k;
	473
	474	k = xmalloc(sizeof(*k));
	475	memset(k, 0, sizeof(*k));
	476	k->server = server;
	477
	478	for (mode = 0; mode < MODE_MAX; mode++) {
	479	int nenc, nmac, ncomp;
	480	ctos = (!k->server && mode == MODE_OUT) \|\| (k->server && mode == MODE_IN);
	481	nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
	482	nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
	483	ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
	484	choose_enc (&k->enc [mode], cprop[nenc], sprop[nenc]);
	485	choose_mac (&k->mac [mode], cprop[nmac], sprop[nmac]);
	486	choose_comp(&k->comp[mode], cprop[ncomp], sprop[ncomp]);
	487	debug("kex: %s %s %s %s",
	488	ctos ? "client->server" : "server->client",
	489	k->enc[mode].name,
	490	k->mac[mode].name,
	491	k->comp[mode].name);
	492	}
	493	choose_kex(k, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
	494	choose_hostkeyalg(k, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
	495	sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
4f8c6159	496	need = 0;
4f8c6159	497	for (mode = 0; mode < MODE_MAX; mode++) {
94ec8c6b	498	if (need < k->enc[mode].cipher->key_len)
	499	need = k->enc[mode].cipher->key_len;
	500	if (need < k->enc[mode].cipher->block_size)
	501	need = k->enc[mode].cipher->block_size;
4f8c6159	502	if (need < k->mac[mode].key_len)
	503	need = k->mac[mode].key_len;
	504	}
71276795	505	/* XXX need runden? */
4f8c6159	506	k->we_need = need;
	507	return k;
	508	}
	509
	510	int
	511	kex_derive_keys(Kex k, unsigned char hash, BIGNUM *shared_secret)
	512	{
	513	int i;
	514	int mode;
	515	int ctos;
	516	unsigned char *keys[NKEYS];
	517
	518	for (i = 0; i < NKEYS; i++)
	519	keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret);
	520
	521	for (mode = 0; mode < MODE_MAX; mode++) {
	522	ctos = (!k->server && mode == MODE_OUT) \|\| (k->server && mode == MODE_IN);
	523	k->enc[mode].iv = keys[ctos ? 0 : 1];
	524	k->enc[mode].key = keys[ctos ? 2 : 3];
	525	k->mac[mode].key = keys[ctos ? 4 : 5];
	526	}
	527	return 0;
	528	}