2 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 RCSID("$OpenBSD: kex.c,v 1.21 2001/02/11 12:59:24 markus Exp $");
28 #include <openssl/crypto.h>
29 #include <openssl/bio.h>
30 #include <openssl/bn.h>
31 #include <openssl/dh.h>
32 #include <openssl/pem.h>
46 #define KEX_COOKIE_LEN 16
49 kex_init(char *myproposal[PROPOSAL_MAX])
51 int first_kex_packet_follows = 0;
52 u_char cookie[KEX_COOKIE_LEN];
55 Buffer *ki = xmalloc(sizeof(*ki));
56 for (i = 0; i < KEX_COOKIE_LEN; i++) {
59 cookie[i] = rand & 0xff;
63 buffer_append(ki, (char *)cookie, sizeof cookie);
64 for (i = 0; i < PROPOSAL_MAX; i++)
65 buffer_put_cstring(ki, myproposal[i]);
66 buffer_put_char(ki, first_kex_packet_follows);
67 buffer_put_int(ki, 0); /* uint32 reserved */
71 /* send kexinit, parse and save reply */
74 Buffer *my_kexinit, Buffer *peer_kexint,
75 char *peer_proposal[PROPOSAL_MAX])
81 debug("send KEXINIT");
82 packet_start(SSH2_MSG_KEXINIT);
83 packet_put_raw(buffer_ptr(my_kexinit), buffer_len(my_kexinit));
89 * read and save raw KEXINIT payload in buffer. this is used during
90 * computation of the session_id and the session keys.
92 debug("wait KEXINIT");
93 packet_read_expect(&plen, SSH2_MSG_KEXINIT);
94 ptr = packet_get_raw(&plen);
95 buffer_append(peer_kexint, ptr, plen);
97 /* parse packet and save algorithm proposal */
99 for (i = 0; i < KEX_COOKIE_LEN; i++)
101 /* extract kex init proposal strings */
102 for (i = 0; i < PROPOSAL_MAX; i++) {
103 peer_proposal[i] = packet_get_string(NULL);
104 debug("got kexinit: %s", peer_proposal[i]);
106 /* first kex follow / reserved */
107 i = packet_get_char();
108 debug("first kex follow: %d ", i);
109 i = packet_get_int();
110 debug("reserved: %d ", i);
115 /* diffie-hellman-group1-sha1 */
118 dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
121 int n = BN_num_bits(dh_pub);
125 log("invalid public DH value: negativ");
128 for (i = 0; i <= n; i++)
129 if (BN_is_bit_set(dh_pub, i))
131 debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
133 /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
134 if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
136 log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
146 if (DH_generate_key(dh) == 0)
147 fatal("DH_generate_key");
149 fatal("dh_new_group1: too many bad keys: giving up");
150 } while (!dh_pub_is_valid(dh, dh->pub_key));
154 dh_new_group_asc(const char *gen, const char *modulus)
163 if ((ret = BN_hex2bn(&dh->p, modulus)) < 0)
164 fatal("BN_hex2bn p");
165 if ((ret = BN_hex2bn(&dh->g, gen)) < 0)
166 fatal("BN_hex2bn g");
172 * This just returns the group, we still need to generate the exchange
177 dh_new_group(BIGNUM *gen, BIGNUM *modulus)
193 static char *gen = "2", *group1 =
194 "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
195 "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
196 "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
197 "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
198 "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
199 "FFFFFFFF" "FFFFFFFF";
201 return (dh_new_group_asc(gen, group1));
206 dump_digest(u_char *digest, int len)
209 for (i = 0; i< len; i++){
210 fprintf(stderr, "%02x", digest[i]);
212 fprintf(stderr, " ");
214 fprintf(stderr, "\n");
220 char *client_version_string,
221 char *server_version_string,
222 char *ckexinit, int ckexinitlen,
223 char *skexinit, int skexinitlen,
224 char *serverhostkeyblob, int sbloblen,
225 BIGNUM *client_dh_pub,
226 BIGNUM *server_dh_pub,
227 BIGNUM *shared_secret)
230 static u_char digest[EVP_MAX_MD_SIZE];
231 EVP_MD *evp_md = EVP_sha1();
235 buffer_put_string(&b, client_version_string, strlen(client_version_string));
236 buffer_put_string(&b, server_version_string, strlen(server_version_string));
238 /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
239 buffer_put_int(&b, ckexinitlen+1);
240 buffer_put_char(&b, SSH2_MSG_KEXINIT);
241 buffer_append(&b, ckexinit, ckexinitlen);
242 buffer_put_int(&b, skexinitlen+1);
243 buffer_put_char(&b, SSH2_MSG_KEXINIT);
244 buffer_append(&b, skexinit, skexinitlen);
246 buffer_put_string(&b, serverhostkeyblob, sbloblen);
247 buffer_put_bignum2(&b, client_dh_pub);
248 buffer_put_bignum2(&b, server_dh_pub);
249 buffer_put_bignum2(&b, shared_secret);
255 EVP_DigestInit(&md, evp_md);
256 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
257 EVP_DigestFinal(&md, digest, NULL);
262 dump_digest(digest, evp_md->md_size);
269 char *client_version_string,
270 char *server_version_string,
271 char *ckexinit, int ckexinitlen,
272 char *skexinit, int skexinitlen,
273 char *serverhostkeyblob, int sbloblen,
274 int minbits, BIGNUM *prime, BIGNUM *gen,
275 BIGNUM *client_dh_pub,
276 BIGNUM *server_dh_pub,
277 BIGNUM *shared_secret)
280 static u_char digest[EVP_MAX_MD_SIZE];
281 EVP_MD *evp_md = EVP_sha1();
285 buffer_put_string(&b, client_version_string, strlen(client_version_string));
286 buffer_put_string(&b, server_version_string, strlen(server_version_string));
288 /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
289 buffer_put_int(&b, ckexinitlen+1);
290 buffer_put_char(&b, SSH2_MSG_KEXINIT);
291 buffer_append(&b, ckexinit, ckexinitlen);
292 buffer_put_int(&b, skexinitlen+1);
293 buffer_put_char(&b, SSH2_MSG_KEXINIT);
294 buffer_append(&b, skexinit, skexinitlen);
296 buffer_put_string(&b, serverhostkeyblob, sbloblen);
297 buffer_put_int(&b, minbits);
298 buffer_put_bignum2(&b, prime);
299 buffer_put_bignum2(&b, gen);
300 buffer_put_bignum2(&b, client_dh_pub);
301 buffer_put_bignum2(&b, server_dh_pub);
302 buffer_put_bignum2(&b, shared_secret);
308 EVP_DigestInit(&md, evp_md);
309 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
310 EVP_DigestFinal(&md, digest, NULL);
315 dump_digest(digest, evp_md->md_size);
321 derive_key(int id, int need, u_char *hash, BIGNUM *shared_secret)
324 EVP_MD *evp_md = EVP_sha1();
328 int mdsz = evp_md->md_size;
329 u_char *digest = xmalloc(((need+mdsz-1)/mdsz)*mdsz);
332 buffer_put_bignum2(&b, shared_secret);
334 EVP_DigestInit(&md, evp_md);
335 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); /* shared_secret K */
336 EVP_DigestUpdate(&md, hash, mdsz); /* transport-06 */
337 EVP_DigestUpdate(&md, &c, 1); /* key id */
338 EVP_DigestUpdate(&md, hash, mdsz); /* session id */
339 EVP_DigestFinal(&md, digest, NULL);
342 for (have = mdsz; need > have; have += mdsz) {
343 EVP_DigestInit(&md, evp_md);
344 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
345 EVP_DigestUpdate(&md, hash, mdsz);
346 EVP_DigestUpdate(&md, digest, have);
347 EVP_DigestFinal(&md, digest + have, NULL);
351 fprintf(stderr, "Digest '%c'== ", c);
352 dump_digest(digest, need);
363 get_match(char *client, char *server)
365 char *sproposals[MAX_PROP];
366 char *c, *s, *p, *ret, *cp, *sp;
367 int i, j, nproposals;
369 c = cp = xstrdup(client);
370 s = sp = xstrdup(server);
372 for ((p = strsep(&sp, SEP)), i=0; p && *p != '\0';
373 (p = strsep(&sp, SEP)), i++) {
381 for ((p = strsep(&cp, SEP)), i=0; p && *p != '\0';
382 (p = strsep(&cp, SEP)), i++) {
383 for (j = 0; j < nproposals; j++) {
384 if (strcmp(p, sproposals[j]) == 0) {
397 choose_enc(Enc *enc, char *client, char *server)
399 char *name = get_match(client, server);
401 fatal("no matching cipher found: client %s server %s", client, server);
402 enc->cipher = cipher_by_name(name);
403 if (enc->cipher == NULL)
404 fatal("matching cipher is not supported: %s", name);
411 choose_mac(Mac *mac, char *client, char *server)
413 char *name = get_match(client, server);
415 fatal("no matching mac found: client %s server %s", client, server);
416 if (mac_init(mac, name) < 0)
417 fatal("unsupported mac %s", name);
418 /* truncate the key */
419 if (datafellows & SSH_BUG_HMAC)
426 choose_comp(Comp *comp, char *client, char *server)
428 char *name = get_match(client, server);
430 fatal("no matching comp found: client %s server %s", client, server);
431 if (strcmp(name, "zlib") == 0) {
433 } else if (strcmp(name, "none") == 0) {
436 fatal("unsupported comp %s", name);
441 choose_kex(Kex *k, char *client, char *server)
443 k->name = get_match(client, server);
446 if (strcmp(k->name, KEX_DH1) == 0) {
447 k->kex_type = DH_GRP1_SHA1;
448 } else if (strcmp(k->name, KEX_DHGEX) == 0) {
449 k->kex_type = DH_GEX_SHA1;
451 fatal("bad kex alg %s", k->name);
454 choose_hostkeyalg(Kex *k, char *client, char *server)
456 char *hostkeyalg = get_match(client, server);
457 if (hostkeyalg == NULL)
458 fatal("no hostkey alg");
459 k->hostkey_type = key_type_from_name(hostkeyalg);
460 if (k->hostkey_type == KEY_UNSPEC)
461 fatal("bad hostkey alg '%s'", hostkeyalg);
466 kex_choose_conf(char *cprop[PROPOSAL_MAX], char *sprop[PROPOSAL_MAX], int server)
469 int ctos; /* direction: if true client-to-server */
473 k = xmalloc(sizeof(*k));
474 memset(k, 0, sizeof(*k));
477 for (mode = 0; mode < MODE_MAX; mode++) {
478 int nenc, nmac, ncomp;
479 ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN);
480 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
481 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
482 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
483 choose_enc (&k->enc [mode], cprop[nenc], sprop[nenc]);
484 choose_mac (&k->mac [mode], cprop[nmac], sprop[nmac]);
485 choose_comp(&k->comp[mode], cprop[ncomp], sprop[ncomp]);
486 debug("kex: %s %s %s %s",
487 ctos ? "client->server" : "server->client",
492 choose_kex(k, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
493 choose_hostkeyalg(k, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
494 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
496 for (mode = 0; mode < MODE_MAX; mode++) {
497 if (need < k->enc[mode].cipher->key_len)
498 need = k->enc[mode].cipher->key_len;
499 if (need < k->enc[mode].cipher->block_size)
500 need = k->enc[mode].cipher->block_size;
501 if (need < k->mac[mode].key_len)
502 need = k->mac[mode].key_len;
504 /* XXX need runden? */
510 kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret)
517 for (i = 0; i < NKEYS; i++)
518 keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret);
520 for (mode = 0; mode < MODE_MAX; mode++) {
521 ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN);
522 k->enc[mode].iv = keys[ctos ? 0 : 1];
523 k->enc[mode].key = keys[ctos ? 2 : 3];
524 k->mac[mode].key = keys[ctos ? 4 : 5];
andersk / openssh.git / blob