1 /* 2 * Copyright (c) 2000 Niels Provos. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include "includes.h" 27 RCSID("$OpenBSD: kexgexc.c,v 1.3 2005/11/04 05:15:59 djm Exp $"); 28 29 #include "xmalloc.h" 30 #include "key.h" 31 #include "kex.h" 32 #include "log.h" 33 #include "packet.h" 34 #include "dh.h" 35 #include "ssh2.h" 36 #include "compat.h" 37 38 void 39 kexgex_client(Kex *kex) 40 { 41 BIGNUM *dh_server_pub = NULL, *shared_secret = NULL; 42 BIGNUM *p = NULL, *g = NULL; 43 Key *server_host_key; 44 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; 45 u_int klen, kout, slen, sbloblen, hashlen; 46 int min, max, nbits; 47 DH *dh; 48 49 nbits = dh_estimate(kex->we_need * 8); 50 51 if (datafellows & SSH_OLD_DHGEX) { 52 /* Old GEX request */ 53 packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD); 54 packet_put_int(nbits); 55 min = DH_GRP_MIN; 56 max = DH_GRP_MAX; 57 58 debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits); 59 } else { 60 /* New GEX request */ 61 min = DH_GRP_MIN; 62 max = DH_GRP_MAX; 63 packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); 64 packet_put_int(min); 65 packet_put_int(nbits); 66 packet_put_int(max); 67 68 debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent", 69 min, nbits, max); 70 } 71 #ifdef DEBUG_KEXDH 72 fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n", 73 min, nbits, max); 74 #endif 75 packet_send(); 76 77 debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP"); 78 packet_read_expect(SSH2_MSG_KEX_DH_GEX_GROUP); 79 80 if ((p = BN_new()) == NULL) 81 fatal("BN_new"); 82 packet_get_bignum2(p); 83 if ((g = BN_new()) == NULL) 84 fatal("BN_new"); 85 packet_get_bignum2(g); 86 packet_check_eom(); 87 88 if (BN_num_bits(p) < min || BN_num_bits(p) > max) 89 fatal("DH_GEX group out of range: %d !< %d !< %d", 90 min, BN_num_bits(p), max); 91 92 dh = dh_new_group(g, p); 93 dh_gen_key(dh, kex->we_need * 8); 94 95 #ifdef DEBUG_KEXDH 96 DHparams_print_fp(stderr, dh); 97 fprintf(stderr, "pub= "); 98 BN_print_fp(stderr, dh->pub_key); 99 fprintf(stderr, "\n"); 100 #endif 101 102 debug("SSH2_MSG_KEX_DH_GEX_INIT sent"); 103 /* generate and send 'e', client DH public key */ 104 packet_start(SSH2_MSG_KEX_DH_GEX_INIT); 105 packet_put_bignum2(dh->pub_key); 106 packet_send(); 107 108 debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY"); 109 packet_read_expect(SSH2_MSG_KEX_DH_GEX_REPLY); 110 111 /* key, cert */ 112 server_host_key_blob = packet_get_string(&sbloblen); 113 server_host_key = key_from_blob(server_host_key_blob, sbloblen); 114 if (server_host_key == NULL) 115 fatal("cannot decode server_host_key_blob"); 116 if (server_host_key->type != kex->hostkey_type) 117 fatal("type mismatch for decoded server_host_key_blob"); 118 if (kex->verify_host_key == NULL) 119 fatal("cannot verify server_host_key"); 120 if (kex->verify_host_key(server_host_key) == -1) 121 fatal("server_host_key verification failed"); 122 123 /* DH paramter f, server public DH key */ 124 if ((dh_server_pub = BN_new()) == NULL) 125 fatal("dh_server_pub == NULL"); 126 packet_get_bignum2(dh_server_pub); 127 128 #ifdef DEBUG_KEXDH 129 fprintf(stderr, "dh_server_pub= "); 130 BN_print_fp(stderr, dh_server_pub); 131 fprintf(stderr, "\n"); 132 debug("bits %d", BN_num_bits(dh_server_pub)); 133 #endif 134 135 /* signed H */ 136 signature = packet_get_string(&slen); 137 packet_check_eom(); 138 139 if (!dh_pub_is_valid(dh, dh_server_pub)) 140 packet_disconnect("bad server public DH value"); 141 142 klen = DH_size(dh); 143 kbuf = xmalloc(klen); 144 kout = DH_compute_key(kbuf, dh_server_pub, dh); 145 #ifdef DEBUG_KEXDH 146 dump_digest("shared secret", kbuf, kout); 147 #endif 148 if ((shared_secret = BN_new()) == NULL) 149 fatal("kexgex_client: BN_new failed"); 150 BN_bin2bn(kbuf, kout, shared_secret); 151 memset(kbuf, 0, klen); 152 xfree(kbuf); 153 154 if (datafellows & SSH_OLD_DHGEX) 155 min = max = -1; 156 157 /* calc and verify H */ 158 kexgex_hash( 159 kex->evp_md, 160 kex->client_version_string, 161 kex->server_version_string, 162 buffer_ptr(&kex->my), buffer_len(&kex->my), 163 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 164 server_host_key_blob, sbloblen, 165 min, nbits, max, 166 dh->p, dh->g, 167 dh->pub_key, 168 dh_server_pub, 169 shared_secret, 170 &hash, &hashlen 171 ); 172 173 /* have keys, free DH */ 174 DH_free(dh); 175 xfree(server_host_key_blob); 176 BN_clear_free(dh_server_pub); 177 178 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) 179 fatal("key_verify failed for server_host_key"); 180 key_free(server_host_key); 181 xfree(signature); 182 183 /* save session id */ 184 if (kex->session_id == NULL) { 185 kex->session_id_len = hashlen; 186 kex->session_id = xmalloc(kex->session_id_len); 187 memcpy(kex->session_id, hash, kex->session_id_len); 188 } 189 kex_derive_keys(kex, hash, hashlen, shared_secret); 190 BN_clear_free(shared_secret); 191 192 kex_finish(kex); 193 } 194