kexdh.c

   1 /*
   2  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  * 1. Redistributions of source code must retain the above copyright
   8  *    notice, this list of conditions and the following disclaimer.
   9  * 2. Redistributions in binary form must reproduce the above copyright
  10  *    notice, this list of conditions and the following disclaimer in the
  11  *    documentation and/or other materials provided with the distribution.
  12  *
  13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23  */
  24
  25 #include "includes.h"
  26 RCSID("$OpenBSD: kexdh.c,v 1.17 2002/02/28 15:46:33 markus Exp $");
  27
  28 #include <openssl/crypto.h>
  29 #include <openssl/bn.h>
  30
  31 #include "xmalloc.h"
  32 #include "buffer.h"
  33 #include "bufaux.h"
  34 #include "key.h"
  35 #include "kex.h"
  36 #include "log.h"
  37 #include "packet.h"
  38 #include "dh.h"
  39 #include "ssh2.h"
  40 #include "monitor.h"
  41 #include "monitor_wrap.h"
  42
  43 /* Imports */
  44 extern int use_privsep;
  45 extern int mm_recvfd;
  46
  47 static u_char *
  48 kex_dh_hash(
  49     char *client_version_string,
  50     char *server_version_string,
  51     char *ckexinit, int ckexinitlen,
  52     char *skexinit, int skexinitlen,
  53     u_char *serverhostkeyblob, int sbloblen,
  54     BIGNUM *client_dh_pub,
  55     BIGNUM *server_dh_pub,
  56     BIGNUM *shared_secret)
  57 {
  58         Buffer b;
  59         static u_char digest[EVP_MAX_MD_SIZE];
  60         const EVP_MD *evp_md = EVP_sha1();
  61         EVP_MD_CTX md;
  62
  63         buffer_init(&b);
  64         buffer_put_cstring(&b, client_version_string);
  65         buffer_put_cstring(&b, server_version_string);
  66
  67         /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
  68         buffer_put_int(&b, ckexinitlen+1);
  69         buffer_put_char(&b, SSH2_MSG_KEXINIT);
  70         buffer_append(&b, ckexinit, ckexinitlen);
  71         buffer_put_int(&b, skexinitlen+1);
  72         buffer_put_char(&b, SSH2_MSG_KEXINIT);
  73         buffer_append(&b, skexinit, skexinitlen);
  74
  75         buffer_put_string(&b, serverhostkeyblob, sbloblen);
  76         buffer_put_bignum2(&b, client_dh_pub);
  77         buffer_put_bignum2(&b, server_dh_pub);
  78         buffer_put_bignum2(&b, shared_secret);
  79
  80 #ifdef DEBUG_KEX
  81         buffer_dump(&b);
  82 #endif
  83         EVP_DigestInit(&md, evp_md);
  84         EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
  85         EVP_DigestFinal(&md, digest, NULL);
  86
  87         buffer_free(&b);
  88
  89 #ifdef DEBUG_KEX
  90         dump_digest("hash", digest, EVP_MD_size(evp_md));
  91 #endif
  92         return digest;
  93 }
  94
  95 /* client */
  96
  97 static void
  98 kexdh_client(Kex *kex)
  99 {
 100         BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
 101         DH *dh;
 102         Key *server_host_key;
 103         u_char *server_host_key_blob = NULL, *signature = NULL;
 104         u_char *kbuf, *hash;
 105         u_int klen, kout, slen, sbloblen;
 106
 107         /* generate and send 'e', client DH public key */
 108         dh = dh_new_group1();
 109         dh_gen_key(dh, kex->we_need * 8);
 110         packet_start(SSH2_MSG_KEXDH_INIT);
 111         packet_put_bignum2(dh->pub_key);
 112         packet_send();
 113
 114         debug("sending SSH2_MSG_KEXDH_INIT");
 115 #ifdef DEBUG_KEXDH
 116         DHparams_print_fp(stderr, dh);
 117         fprintf(stderr, "pub= ");
 118         BN_print_fp(stderr, dh->pub_key);
 119         fprintf(stderr, "\n");
 120 #endif
 121
 122         debug("expecting SSH2_MSG_KEXDH_REPLY");
 123         packet_read_expect(SSH2_MSG_KEXDH_REPLY);
 124
 125         /* key, cert */
 126         server_host_key_blob = packet_get_string(&sbloblen);
 127         server_host_key = key_from_blob(server_host_key_blob, sbloblen);
 128         if (server_host_key == NULL)
 129                 fatal("cannot decode server_host_key_blob");
 130         if (server_host_key->type != kex->hostkey_type)
 131                 fatal("type mismatch for decoded server_host_key_blob");
 132         if (kex->verify_host_key == NULL)
 133                 fatal("cannot verify server_host_key");
 134         if (kex->verify_host_key(server_host_key) == -1)
 135                 fatal("server_host_key verification failed");
 136
 137         /* DH paramter f, server public DH key */
 138         if ((dh_server_pub = BN_new()) == NULL)
 139                 fatal("dh_server_pub == NULL");
 140         packet_get_bignum2(dh_server_pub);
 141
 142 #ifdef DEBUG_KEXDH
 143         fprintf(stderr, "dh_server_pub= ");
 144         BN_print_fp(stderr, dh_server_pub);
 145         fprintf(stderr, "\n");
 146         debug("bits %d", BN_num_bits(dh_server_pub));
 147 #endif
 148
 149         /* signed H */
 150         signature = packet_get_string(&slen);
 151         packet_check_eom();
 152
 153         if (!dh_pub_is_valid(dh, dh_server_pub))
 154                 packet_disconnect("bad server public DH value");
 155
 156         klen = DH_size(dh);
 157         kbuf = xmalloc(klen);
 158         kout = DH_compute_key(kbuf, dh_server_pub, dh);
 159 #ifdef DEBUG_KEXDH
 160         dump_digest("shared secret", kbuf, kout);
 161 #endif
 162         if ((shared_secret = BN_new()) == NULL)
 163                 fatal("kexdh_client: BN_new failed");
 164         BN_bin2bn(kbuf, kout, shared_secret);
 165         memset(kbuf, 0, klen);
 166         xfree(kbuf);
 167
 168         /* calc and verify H */
 169         hash = kex_dh_hash(
 170             kex->client_version_string,
 171             kex->server_version_string,
 172             buffer_ptr(&kex->my), buffer_len(&kex->my),
 173             buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 174             server_host_key_blob, sbloblen,
 175             dh->pub_key,
 176             dh_server_pub,
 177             shared_secret
 178         );
 179         xfree(server_host_key_blob);
 180         BN_clear_free(dh_server_pub);
 181         DH_free(dh);
 182
 183         if (key_verify(server_host_key, signature, slen, hash, 20) != 1)
 184                 fatal("key_verify failed for server_host_key");
 185         key_free(server_host_key);
 186         xfree(signature);
 187
 188         /* save session id */
 189         if (kex->session_id == NULL) {
 190                 kex->session_id_len = 20;
 191                 kex->session_id = xmalloc(kex->session_id_len);
 192                 memcpy(kex->session_id, hash, kex->session_id_len);
 193         }
 194
 195         kex_derive_keys(kex, hash, shared_secret);
 196         BN_clear_free(shared_secret);
 197         kex_finish(kex);
 198 }
 199
 200 /* server */
 201
 202 static void
 203 kexdh_server(Kex *kex)
 204 {
 205         BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
 206         DH *dh;
 207         Key *server_host_key;
 208         u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
 209         u_int sbloblen, klen, kout;
 210         u_int slen;
 211
 212         /* generate server DH public key */
 213         dh = dh_new_group1();
 214         dh_gen_key(dh, kex->we_need * 8);
 215
 216         debug("expecting SSH2_MSG_KEXDH_INIT");
 217         packet_read_expect(SSH2_MSG_KEXDH_INIT);
 218
 219         if (kex->load_host_key == NULL)
 220                 fatal("Cannot load hostkey");
 221         server_host_key = kex->load_host_key(kex->hostkey_type);
 222         if (server_host_key == NULL)
 223                 fatal("Unsupported hostkey type %d", kex->hostkey_type);
 224
 225         /* key, cert */
 226         if ((dh_client_pub = BN_new()) == NULL)
 227                 fatal("dh_client_pub == NULL");
 228         packet_get_bignum2(dh_client_pub);
 229         packet_check_eom();
 230
 231 #ifdef DEBUG_KEXDH
 232         fprintf(stderr, "dh_client_pub= ");
 233         BN_print_fp(stderr, dh_client_pub);
 234         fprintf(stderr, "\n");
 235         debug("bits %d", BN_num_bits(dh_client_pub));
 236 #endif
 237
 238 #ifdef DEBUG_KEXDH
 239         DHparams_print_fp(stderr, dh);
 240         fprintf(stderr, "pub= ");
 241         BN_print_fp(stderr, dh->pub_key);
 242         fprintf(stderr, "\n");
 243 #endif
 244         if (!dh_pub_is_valid(dh, dh_client_pub))
 245                 packet_disconnect("bad client public DH value");
 246
 247         klen = DH_size(dh);
 248         kbuf = xmalloc(klen);
 249         kout = DH_compute_key(kbuf, dh_client_pub, dh);
 250 #ifdef DEBUG_KEXDH
 251         dump_digest("shared secret", kbuf, kout);
 252 #endif
 253         if ((shared_secret = BN_new()) == NULL)
 254                 fatal("kexdh_server: BN_new failed");
 255         BN_bin2bn(kbuf, kout, shared_secret);
 256         memset(kbuf, 0, klen);
 257         xfree(kbuf);
 258
 259         key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
 260
 261         /* calc H */
 262         hash = kex_dh_hash(
 263             kex->client_version_string,
 264             kex->server_version_string,
 265             buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 266             buffer_ptr(&kex->my), buffer_len(&kex->my),
 267             server_host_key_blob, sbloblen,
 268             dh_client_pub,
 269             dh->pub_key,
 270             shared_secret
 271         );
 272         BN_clear_free(dh_client_pub);
 273
 274         /* save session id := H */
 275         /* XXX hashlen depends on KEX */
 276         if (kex->session_id == NULL) {
 277                 kex->session_id_len = 20;
 278                 kex->session_id = xmalloc(kex->session_id_len);
 279                 memcpy(kex->session_id, hash, kex->session_id_len);
 280         }
 281
 282         /* sign H */
 283         /* XXX hashlen depends on KEX */
 284         if (use_privsep)
 285                 mm_key_sign(mm_recvfd,
 286                     kex->host_key_index(server_host_key),
 287                     &signature, &slen, hash, 20);
 288         else
 289                 key_sign(server_host_key, &signature, &slen, hash, 20);
 290
 291         /* destroy_sensitive_data(); */
 292
 293         /* send server hostkey, DH pubkey 'f' and singed H */
 294         packet_start(SSH2_MSG_KEXDH_REPLY);
 295         packet_put_string(server_host_key_blob, sbloblen);
 296         packet_put_bignum2(dh->pub_key);        /* f */
 297         packet_put_string(signature, slen);
 298         packet_send();
 299
 300         xfree(signature);
 301         xfree(server_host_key_blob);
 302         /* have keys, free DH */
 303         DH_free(dh);
 304
 305         kex_derive_keys(kex, hash, shared_secret);
 306         BN_clear_free(shared_secret);
 307         kex_finish(kex);
 308 }
 309
 310 void
 311 kexdh(Kex *kex)
 312 {
 313         if (kex->server)
 314                 kexdh_server(kex);
 315         else
 316                 kexdh_client(kex);
 317 }