andersk Git - openssh.git/blame_incremental

... / ...

Commit	Line	Data
	1	/*
	2	* Copyright (c) 2000 Markus Friedl. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
	24
	25	#include "includes.h"
	26	RCSID("$OpenBSD: kex.c,v 1.30 2001/04/04 20:25:37 markus Exp $");
	27
	28	#include <openssl/crypto.h>
	29
	30	#include "ssh2.h"
	31	#include "xmalloc.h"
	32	#include "buffer.h"
	33	#include "bufaux.h"
	34	#include "packet.h"
	35	#include "compat.h"
	36	#include "cipher.h"
	37	#include "kex.h"
	38	#include "key.h"
	39	#include "log.h"
	40	#include "mac.h"
	41	#include "match.h"
	42	#include "dispatch.h"
	43
	44	#define KEX_COOKIE_LEN 16
	45
	46	void kex_kexinit_finish(Kex *kex);
	47	void kex_choose_conf(Kex *k);
	48
	49	/* put algorithm proposal into buffer */
	50	void
	51	kex_prop2buf(Buffer b, char proposal[PROPOSAL_MAX])
	52	{
	53	u_int32_t rand = 0;
	54	int i;
	55
	56	buffer_clear(b);
	57	for (i = 0; i < KEX_COOKIE_LEN; i++) {
	58	if (i % 4 == 0)
	59	rand = arc4random();
	60	buffer_put_char(b, rand & 0xff);
	61	rand >>= 8;
	62	}
	63	for (i = 0; i < PROPOSAL_MAX; i++)
	64	buffer_put_cstring(b, proposal[i]);
	65	buffer_put_char(b, 0); /* first_kex_packet_follows */
	66	buffer_put_int(b, 0); /* uint32 reserved */
	67	}
	68
	69	/* parse buffer and return algorithm proposal */
	70	char **
	71	kex_buf2prop(Buffer *raw)
	72	{
	73	Buffer b;
	74	int i;
	75	char **proposal;
	76
	77	proposal = xmalloc(PROPOSAL_MAX * sizeof(char *));
	78
	79	buffer_init(&b);
	80	buffer_append(&b, buffer_ptr(raw), buffer_len(raw));
	81	/* skip cookie */
	82	for (i = 0; i < KEX_COOKIE_LEN; i++)
	83	buffer_get_char(&b);
	84	/* extract kex init proposal strings */
	85	for (i = 0; i < PROPOSAL_MAX; i++) {
	86	proposal[i] = buffer_get_string(&b,NULL);
	87	debug2("kex_parse_kexinit: %s", proposal[i]);
	88	}
	89	/* first kex follows / reserved */
	90	i = buffer_get_char(&b);
	91	debug2("kex_parse_kexinit: first_kex_follows %d ", i);
	92	i = buffer_get_int(&b);
	93	debug2("kex_parse_kexinit: reserved %d ", i);
	94	buffer_free(&b);
	95	return proposal;
	96	}
	97
	98	void
	99	kex_prop_free(char **proposal)
	100	{
	101	int i;
	102
	103	for (i = 0; i < PROPOSAL_MAX; i++)
	104	xfree(proposal[i]);
	105	xfree(proposal);
	106	}
	107
	108	void
	109	kex_protocol_error(int type, int plen, void *ctxt)
	110	{
	111	error("Hm, kex protocol error: type %d plen %d", type, plen);
	112	}
	113
	114	void
	115	kex_clear_dispatch(void)
	116	{
	117	int i;
	118
	119	/* Numbers 30-49 are used for kex packets */
	120	for (i = 30; i <= 49; i++)
	121	dispatch_set(i, &kex_protocol_error);
	122	}
	123
	124	void
	125	kex_finish(Kex *kex)
	126	{
	127	int plen;
	128
	129	kex_clear_dispatch();
	130
	131	packet_start(SSH2_MSG_NEWKEYS);
	132	packet_send();
	133	/* packet_write_wait(); */
	134	debug("SSH2_MSG_NEWKEYS sent");
	135
	136	debug("waiting for SSH2_MSG_NEWKEYS");
	137	packet_read_expect(&plen, SSH2_MSG_NEWKEYS);
	138	debug("SSH2_MSG_NEWKEYS received");
	139	kex->done = 1;
	140	buffer_clear(&kex->peer);
	141	/* buffer_clear(&kex->my); */
	142	kex->flags &= ~KEX_INIT_SENT;
	143	}
	144
	145	void
	146	kex_send_kexinit(Kex *kex)
	147	{
	148	if (kex == NULL) {
	149	error("kex_send_kexinit: no kex, cannot rekey");
	150	return;
	151	}
	152	if (kex->flags & KEX_INIT_SENT) {
	153	debug("KEX_INIT_SENT");
	154	return;
	155	}
	156	kex->done = 0;
	157	packet_start(SSH2_MSG_KEXINIT);
	158	packet_put_raw(buffer_ptr(&kex->my), buffer_len(&kex->my));
	159	packet_send();
	160	debug("SSH2_MSG_KEXINIT sent");
	161	kex->flags \|= KEX_INIT_SENT;
	162	}
	163
	164	void
	165	kex_input_kexinit(int type, int plen, void *ctxt)
	166	{
	167	char *ptr;
	168	int dlen;
	169	Kex kex = (Kex )ctxt;
	170
	171	debug("SSH2_MSG_KEXINIT received");
	172	if (kex == NULL)
	173	fatal("kex_input_kexinit: no kex, cannot rekey");
	174
	175	ptr = packet_get_raw(&dlen);
	176	buffer_append(&kex->peer, ptr, dlen);
	177
	178	kex_kexinit_finish(kex);
	179	}
	180
	181	Kex *
	182	kex_setup(char *proposal[PROPOSAL_MAX])
	183	{
	184	Kex *kex;
	185
	186	kex = xmalloc(sizeof(*kex));
	187	memset(kex, 0, sizeof(*kex));
	188	buffer_init(&kex->peer);
	189	buffer_init(&kex->my);
	190	kex_prop2buf(&kex->my, proposal);
	191	kex->done = 0;
	192
	193	kex_send_kexinit(kex); /* we start */
	194	kex_clear_dispatch();
	195	dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
	196
	197	return kex;
	198	}
	199
	200	void
	201	kex_kexinit_finish(Kex *kex)
	202	{
	203	if (!(kex->flags & KEX_INIT_SENT))
	204	kex_send_kexinit(kex);
	205
	206	kex_choose_conf(kex);
	207
	208	switch(kex->kex_type) {
	209	case DH_GRP1_SHA1:
	210	kexdh(kex);
	211	break;
	212	case DH_GEX_SHA1:
	213	kexgex(kex);
	214	break;
	215	default:
	216	fatal("Unsupported key exchange %d", kex->kex_type);
	217	}
	218	}
	219
	220	void
	221	choose_enc(Enc enc, char client, char *server)
	222	{
	223	char *name = match_list(client, server, NULL);
	224	if (name == NULL)
	225	fatal("no matching cipher found: client %s server %s", client, server);
	226	enc->cipher = cipher_by_name(name);
	227	if (enc->cipher == NULL)
	228	fatal("matching cipher is not supported: %s", name);
	229	enc->name = name;
	230	enc->enabled = 0;
	231	enc->iv = NULL;
	232	enc->key = NULL;
	233	}
	234	void
	235	choose_mac(Mac mac, char client, char *server)
	236	{
	237	char *name = match_list(client, server, NULL);
	238	if (name == NULL)
	239	fatal("no matching mac found: client %s server %s", client, server);
	240	if (mac_init(mac, name) < 0)
	241	fatal("unsupported mac %s", name);
	242	/* truncate the key */
	243	if (datafellows & SSH_BUG_HMAC)
	244	mac->key_len = 16;
	245	mac->name = name;
	246	mac->key = NULL;
	247	mac->enabled = 0;
	248	}
	249	void
	250	choose_comp(Comp comp, char client, char *server)
	251	{
	252	char *name = match_list(client, server, NULL);
	253	if (name == NULL)
	254	fatal("no matching comp found: client %s server %s", client, server);
	255	if (strcmp(name, "zlib") == 0) {
	256	comp->type = 1;
	257	} else if (strcmp(name, "none") == 0) {
	258	comp->type = 0;
	259	} else {
	260	fatal("unsupported comp %s", name);
	261	}
	262	comp->name = name;
	263	}
	264	void
	265	choose_kex(Kex k, char client, char *server)
	266	{
	267	k->name = match_list(client, server, NULL);
	268	if (k->name == NULL)
	269	fatal("no kex alg");
	270	if (strcmp(k->name, KEX_DH1) == 0) {
	271	k->kex_type = DH_GRP1_SHA1;
	272	} else if (strcmp(k->name, KEX_DHGEX) == 0) {
	273	k->kex_type = DH_GEX_SHA1;
	274	} else
	275	fatal("bad kex alg %s", k->name);
	276	}
	277	void
	278	choose_hostkeyalg(Kex k, char client, char *server)
	279	{
	280	char *hostkeyalg = match_list(client, server, NULL);
	281	if (hostkeyalg == NULL)
	282	fatal("no hostkey alg");
	283	k->hostkey_type = key_type_from_name(hostkeyalg);
	284	if (k->hostkey_type == KEY_UNSPEC)
	285	fatal("bad hostkey alg '%s'", hostkeyalg);
	286	xfree(hostkeyalg);
	287	}
	288
	289	void
	290	kex_choose_conf(Kex *kex)
	291	{
	292	Newkeys *newkeys;
	293	char my, peer;
	294	char cprop, sprop;
	295	int nenc, nmac, ncomp;
	296	int mode;
	297	int ctos; /* direction: if true client-to-server */
	298	int need;
	299
	300	my = kex_buf2prop(&kex->my);
	301	peer = kex_buf2prop(&kex->peer);
	302
	303	if (kex->server) {
	304	cprop=peer;
	305	sprop=my;
	306	} else {
	307	cprop=my;
	308	sprop=peer;
	309	}
	310
	311	/* Algorithm Negotiation */
	312	for (mode = 0; mode < MODE_MAX; mode++) {
	313	newkeys = xmalloc(sizeof(*newkeys));
	314	memset(newkeys, 0, sizeof(*newkeys));
	315	kex->newkeys[mode] = newkeys;
	316	ctos = (!kex->server && mode == MODE_OUT) \|\| (kex->server && mode == MODE_IN);
	317	nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
	318	nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
	319	ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
	320	choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]);
	321	choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]);
	322	choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
	323	debug("kex: %s %s %s %s",
	324	ctos ? "client->server" : "server->client",
	325	newkeys->enc.name,
	326	newkeys->mac.name,
	327	newkeys->comp.name);
	328	}
	329	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
	330	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
	331	sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
	332	need = 0;
	333	for (mode = 0; mode < MODE_MAX; mode++) {
	334	newkeys = kex->newkeys[mode];
	335	if (need < newkeys->enc.cipher->key_len)
	336	need = newkeys->enc.cipher->key_len;
	337	if (need < newkeys->enc.cipher->block_size)
	338	need = newkeys->enc.cipher->block_size;
	339	if (need < newkeys->mac.key_len)
	340	need = newkeys->mac.key_len;
	341	}
	342	/* XXX need runden? */
	343	kex->we_need = need;
	344
	345	kex_prop_free(my);
	346	kex_prop_free(peer);
	347	}
	348
	349	u_char *
	350	derive_key(Kex kex, int id, int need, u_char hash, BIGNUM *shared_secret)
	351	{
	352	Buffer b;
	353	EVP_MD *evp_md = EVP_sha1();
	354	EVP_MD_CTX md;
	355	char c = id;
	356	int have;
	357	int mdsz = evp_md->md_size;
	358	u_char *digest = xmalloc(roundup(need, mdsz));
	359
	360	buffer_init(&b);
	361	buffer_put_bignum2(&b, shared_secret);
	362
	363	/* K1 = HASH(K \|\| H \|\| "A" \|\| session_id) */
	364	EVP_DigestInit(&md, evp_md);
	365	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	366	EVP_DigestUpdate(&md, hash, mdsz);
	367	EVP_DigestUpdate(&md, &c, 1);
	368	EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);
	369	EVP_DigestFinal(&md, digest, NULL);
	370
	371	/*
	372	* expand key:
	373	* Kn = HASH(K \|\| H \|\| K1 \|\| K2 \|\| ... \|\| Kn-1)
	374	* Key = K1 \|\| K2 \|\| ... \|\| Kn
	375	*/
	376	for (have = mdsz; need > have; have += mdsz) {
	377	EVP_DigestInit(&md, evp_md);
	378	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	379	EVP_DigestUpdate(&md, hash, mdsz);
	380	EVP_DigestUpdate(&md, digest, have);
	381	EVP_DigestFinal(&md, digest + have, NULL);
	382	}
	383	buffer_free(&b);
	384	#ifdef DEBUG_KEX
	385	fprintf(stderr, "key '%c'== ", c);
	386	dump_digest("key", digest, need);
	387	#endif
	388	return digest;
	389	}
	390
	391	Newkeys *current_keys[MODE_MAX];
	392
	393	#define NKEYS 6
	394	void
	395	kex_derive_keys(Kex kex, u_char hash, BIGNUM *shared_secret)
	396	{
	397	u_char *keys[NKEYS];
	398	int i, mode, ctos;
	399
	400	for (i = 0; i < NKEYS; i++)
	401	keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret);
	402
	403	debug("kex_derive_keys");
	404	for (mode = 0; mode < MODE_MAX; mode++) {
	405	current_keys[mode] = kex->newkeys[mode];
	406	kex->newkeys[mode] = NULL;
	407	ctos = (!kex->server && mode == MODE_OUT) \|\| (kex->server && mode == MODE_IN);
	408	current_keys[mode]->enc.iv = keys[ctos ? 0 : 1];
	409	current_keys[mode]->enc.key = keys[ctos ? 2 : 3];
	410	current_keys[mode]->mac.key = keys[ctos ? 4 : 5];
	411	}
	412	}
	413
	414	Newkeys *
	415	kex_get_newkeys(int mode)
	416	{
	417	Newkeys *ret;
	418
	419	ret = current_keys[mode];
	420	current_keys[mode] = NULL;
	421	return ret;
	422	}
	423
	424	#if defined(DEBUG_KEX) \|\| defined(DEBUG_KEXDH)
	425	void
	426	dump_digest(char msg, u_char digest, int len)
	427	{
	428	int i;
	429
	430	fprintf(stderr, "%s\n", msg);
	431	for (i = 0; i< len; i++){
	432	fprintf(stderr, "%02x", digest[i]);
	433	if (i%32 == 31)
	434	fprintf(stderr, "\n");
	435	else if (i%8 == 7)
	436	fprintf(stderr, " ");
	437	}
	438	fprintf(stderr, "\n");
	439	}
	440	#endif