kexdh.c

   1 /*
   2  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  * 1. Redistributions of source code must retain the above copyright
   8  *    notice, this list of conditions and the following disclaimer.
   9  * 2. Redistributions in binary form must reproduce the above copyright
  10  *    notice, this list of conditions and the following disclaimer in the
  11  *    documentation and/or other materials provided with the distribution.
  12  *
  13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23  */
  24
  25 #include "includes.h"
  26 RCSID("$OpenBSD: kexdh.c,v 1.17 2002/02/28 15:46:33 markus Exp $");
  27
  28 #include <openssl/crypto.h>
  29 #include <openssl/bn.h>
  30
  31 #include "xmalloc.h"
  32 #include "buffer.h"
  33 #include "bufaux.h"
  34 #include "key.h"
  35 #include "kex.h"
  36 #include "log.h"
  37 #include "packet.h"
  38 #include "dh.h"
  39 #include "ssh2.h"
  40
  41 static u_char *
  42 kex_dh_hash(
  43     char *client_version_string,
  44     char *server_version_string,
  45     char *ckexinit, int ckexinitlen,
  46     char *skexinit, int skexinitlen,
  47     u_char *serverhostkeyblob, int sbloblen,
  48     BIGNUM *client_dh_pub,
  49     BIGNUM *server_dh_pub,
  50     BIGNUM *shared_secret)
  51 {
  52         Buffer b;
  53         static u_char digest[EVP_MAX_MD_SIZE];
  54         const EVP_MD *evp_md = EVP_sha1();
  55         EVP_MD_CTX md;
  56
  57         buffer_init(&b);
  58         buffer_put_cstring(&b, client_version_string);
  59         buffer_put_cstring(&b, server_version_string);
  60
  61         /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
  62         buffer_put_int(&b, ckexinitlen+1);
  63         buffer_put_char(&b, SSH2_MSG_KEXINIT);
  64         buffer_append(&b, ckexinit, ckexinitlen);
  65         buffer_put_int(&b, skexinitlen+1);
  66         buffer_put_char(&b, SSH2_MSG_KEXINIT);
  67         buffer_append(&b, skexinit, skexinitlen);
  68
  69         buffer_put_string(&b, serverhostkeyblob, sbloblen);
  70         buffer_put_bignum2(&b, client_dh_pub);
  71         buffer_put_bignum2(&b, server_dh_pub);
  72         buffer_put_bignum2(&b, shared_secret);
  73
  74 #ifdef DEBUG_KEX
  75         buffer_dump(&b);
  76 #endif
  77         EVP_DigestInit(&md, evp_md);
  78         EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
  79         EVP_DigestFinal(&md, digest, NULL);
  80
  81         buffer_free(&b);
  82
  83 #ifdef DEBUG_KEX
  84         dump_digest("hash", digest, EVP_MD_size(evp_md));
  85 #endif
  86         return digest;
  87 }
  88
  89 /* client */
  90
  91 static void
  92 kexdh_client(Kex *kex)
  93 {
  94         BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
  95         DH *dh;
  96         Key *server_host_key;
  97         u_char *server_host_key_blob = NULL, *signature = NULL;
  98         u_char *kbuf, *hash;
  99         u_int klen, kout, slen, sbloblen;
 100
 101         /* generate and send 'e', client DH public key */
 102         dh = dh_new_group1();
 103         dh_gen_key(dh, kex->we_need * 8);
 104         packet_start(SSH2_MSG_KEXDH_INIT);
 105         packet_put_bignum2(dh->pub_key);
 106         packet_send();
 107
 108         debug("sending SSH2_MSG_KEXDH_INIT");
 109 #ifdef DEBUG_KEXDH
 110         DHparams_print_fp(stderr, dh);
 111         fprintf(stderr, "pub= ");
 112         BN_print_fp(stderr, dh->pub_key);
 113         fprintf(stderr, "\n");
 114 #endif
 115
 116         debug("expecting SSH2_MSG_KEXDH_REPLY");
 117         packet_read_expect(SSH2_MSG_KEXDH_REPLY);
 118
 119         /* key, cert */
 120         server_host_key_blob = packet_get_string(&sbloblen);
 121         server_host_key = key_from_blob(server_host_key_blob, sbloblen);
 122         if (server_host_key == NULL)
 123                 fatal("cannot decode server_host_key_blob");
 124         if (server_host_key->type != kex->hostkey_type)
 125                 fatal("type mismatch for decoded server_host_key_blob");
 126         if (kex->verify_host_key == NULL)
 127                 fatal("cannot verify server_host_key");
 128         if (kex->verify_host_key(server_host_key) == -1)
 129                 fatal("server_host_key verification failed");
 130
 131         /* DH paramter f, server public DH key */
 132         if ((dh_server_pub = BN_new()) == NULL)
 133                 fatal("dh_server_pub == NULL");
 134         packet_get_bignum2(dh_server_pub);
 135
 136 #ifdef DEBUG_KEXDH
 137         fprintf(stderr, "dh_server_pub= ");
 138         BN_print_fp(stderr, dh_server_pub);
 139         fprintf(stderr, "\n");
 140         debug("bits %d", BN_num_bits(dh_server_pub));
 141 #endif
 142
 143         /* signed H */
 144         signature = packet_get_string(&slen);
 145         packet_check_eom();
 146
 147         if (!dh_pub_is_valid(dh, dh_server_pub))
 148                 packet_disconnect("bad server public DH value");
 149
 150         klen = DH_size(dh);
 151         kbuf = xmalloc(klen);
 152         kout = DH_compute_key(kbuf, dh_server_pub, dh);
 153 #ifdef DEBUG_KEXDH
 154         dump_digest("shared secret", kbuf, kout);
 155 #endif
 156         if ((shared_secret = BN_new()) == NULL)
 157                 fatal("kexdh_client: BN_new failed");
 158         BN_bin2bn(kbuf, kout, shared_secret);
 159         memset(kbuf, 0, klen);
 160         xfree(kbuf);
 161
 162         /* calc and verify H */
 163         hash = kex_dh_hash(
 164             kex->client_version_string,
 165             kex->server_version_string,
 166             buffer_ptr(&kex->my), buffer_len(&kex->my),
 167             buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 168             server_host_key_blob, sbloblen,
 169             dh->pub_key,
 170             dh_server_pub,
 171             shared_secret
 172         );
 173         xfree(server_host_key_blob);
 174         BN_clear_free(dh_server_pub);
 175         DH_free(dh);
 176
 177         if (key_verify(server_host_key, signature, slen, hash, 20) != 1)
 178                 fatal("key_verify failed for server_host_key");
 179         key_free(server_host_key);
 180         xfree(signature);
 181
 182         /* save session id */
 183         if (kex->session_id == NULL) {
 184                 kex->session_id_len = 20;
 185                 kex->session_id = xmalloc(kex->session_id_len);
 186                 memcpy(kex->session_id, hash, kex->session_id_len);
 187         }
 188
 189         kex_derive_keys(kex, hash, shared_secret);
 190         BN_clear_free(shared_secret);
 191         kex_finish(kex);
 192 }
 193
 194 /* server */
 195
 196 static void
 197 kexdh_server(Kex *kex)
 198 {
 199         BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
 200         DH *dh;
 201         Key *server_host_key;
 202         u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
 203         u_int sbloblen, klen, kout;
 204         u_int slen;
 205
 206         /* generate server DH public key */
 207         dh = dh_new_group1();
 208         dh_gen_key(dh, kex->we_need * 8);
 209
 210         debug("expecting SSH2_MSG_KEXDH_INIT");
 211         packet_read_expect(SSH2_MSG_KEXDH_INIT);
 212
 213         if (kex->load_host_key == NULL)
 214                 fatal("Cannot load hostkey");
 215         server_host_key = kex->load_host_key(kex->hostkey_type);
 216         if (server_host_key == NULL)
 217                 fatal("Unsupported hostkey type %d", kex->hostkey_type);
 218
 219         /* key, cert */
 220         if ((dh_client_pub = BN_new()) == NULL)
 221                 fatal("dh_client_pub == NULL");
 222         packet_get_bignum2(dh_client_pub);
 223         packet_check_eom();
 224
 225 #ifdef DEBUG_KEXDH
 226         fprintf(stderr, "dh_client_pub= ");
 227         BN_print_fp(stderr, dh_client_pub);
 228         fprintf(stderr, "\n");
 229         debug("bits %d", BN_num_bits(dh_client_pub));
 230 #endif
 231
 232 #ifdef DEBUG_KEXDH
 233         DHparams_print_fp(stderr, dh);
 234         fprintf(stderr, "pub= ");
 235         BN_print_fp(stderr, dh->pub_key);
 236         fprintf(stderr, "\n");
 237 #endif
 238         if (!dh_pub_is_valid(dh, dh_client_pub))
 239                 packet_disconnect("bad client public DH value");
 240
 241         klen = DH_size(dh);
 242         kbuf = xmalloc(klen);
 243         kout = DH_compute_key(kbuf, dh_client_pub, dh);
 244 #ifdef DEBUG_KEXDH
 245         dump_digest("shared secret", kbuf, kout);
 246 #endif
 247         if ((shared_secret = BN_new()) == NULL)
 248                 fatal("kexdh_server: BN_new failed");
 249         BN_bin2bn(kbuf, kout, shared_secret);
 250         memset(kbuf, 0, klen);
 251         xfree(kbuf);
 252
 253         key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
 254
 255         /* calc H */
 256         hash = kex_dh_hash(
 257             kex->client_version_string,
 258             kex->server_version_string,
 259             buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 260             buffer_ptr(&kex->my), buffer_len(&kex->my),
 261             server_host_key_blob, sbloblen,
 262             dh_client_pub,
 263             dh->pub_key,
 264             shared_secret
 265         );
 266         BN_clear_free(dh_client_pub);
 267
 268         /* save session id := H */
 269         /* XXX hashlen depends on KEX */
 270         if (kex->session_id == NULL) {
 271                 kex->session_id_len = 20;
 272                 kex->session_id = xmalloc(kex->session_id_len);
 273                 memcpy(kex->session_id, hash, kex->session_id_len);
 274         }
 275
 276         /* sign H */
 277         /* XXX hashlen depends on KEX */
 278         key_sign(server_host_key, &signature, &slen, hash, 20);
 279
 280         /* destroy_sensitive_data(); */
 281
 282         /* send server hostkey, DH pubkey 'f' and singed H */
 283         packet_start(SSH2_MSG_KEXDH_REPLY);
 284         packet_put_string(server_host_key_blob, sbloblen);
 285         packet_put_bignum2(dh->pub_key);        /* f */
 286         packet_put_string(signature, slen);
 287         packet_send();
 288
 289         xfree(signature);
 290         xfree(server_host_key_blob);
 291         /* have keys, free DH */
 292         DH_free(dh);
 293
 294         kex_derive_keys(kex, hash, shared_secret);
 295         BN_clear_free(shared_secret);
 296         kex_finish(kex);
 297 }
 298
 299 void
 300 kexdh(Kex *kex)
 301 {
 302         if (kex->server)
 303                 kexdh_server(kex);
 304         else
 305                 kexdh_client(kex);
 306 }