1 /* $OpenBSD: kexgexc.c,v 1.17 2014/02/02 03:44:31 djm Exp $ */ 2 /* 3 * Copyright (c) 2000 Niels Provos. All rights reserved. 4 * Copyright (c) 2001 Markus Friedl. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include "includes.h" 28 29 #include <sys/types.h> 30 31 #include <openssl/dh.h> 32 33 #include <stdarg.h> 34 #include <stdio.h> 35 #include <string.h> 36 #include <signal.h> 37 38 #include "xmalloc.h" 39 #include "buffer.h" 40 #include "key.h" 41 #include "cipher.h" 42 #include "kex.h" 43 #include "log.h" 44 #include "packet.h" 45 #include "dh.h" 46 #include "ssh2.h" 47 #include "compat.h" 48 49 void 50 kexgex_client(Kex *kex) 51 { 52 BIGNUM *dh_server_pub = NULL, *shared_secret = NULL; 53 BIGNUM *p = NULL, *g = NULL; 54 Key *server_host_key; 55 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; 56 u_int klen, slen, sbloblen, hashlen; 57 int kout; 58 int min, max, nbits; 59 DH *dh; 60 61 nbits = dh_estimate(kex->dh_need * 8); 62 63 if (datafellows & SSH_OLD_DHGEX) { 64 /* Old GEX request */ 65 packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD); 66 packet_put_int(nbits); 67 min = DH_GRP_MIN; 68 max = DH_GRP_MAX; 69 70 debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits); 71 } else { 72 /* New GEX request */ 73 min = DH_GRP_MIN; 74 max = DH_GRP_MAX; 75 packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); 76 packet_put_int(min); 77 packet_put_int(nbits); 78 packet_put_int(max); 79 80 debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent", 81 min, nbits, max); 82 } 83 #ifdef DEBUG_KEXDH 84 fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n", 85 min, nbits, max); 86 #endif 87 packet_send(); 88 89 debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP"); 90 packet_read_expect(SSH2_MSG_KEX_DH_GEX_GROUP); 91 92 if ((p = BN_new()) == NULL) 93 fatal("BN_new"); 94 packet_get_bignum2(p); 95 if ((g = BN_new()) == NULL) 96 fatal("BN_new"); 97 packet_get_bignum2(g); 98 packet_check_eom(); 99 100 if (BN_num_bits(p) < min || BN_num_bits(p) > max) 101 fatal("DH_GEX group out of range: %d !< %d !< %d", 102 min, BN_num_bits(p), max); 103 104 dh = dh_new_group(g, p); 105 dh_gen_key(dh, kex->we_need * 8); 106 107 #ifdef DEBUG_KEXDH 108 DHparams_print_fp(stderr, dh); 109 fprintf(stderr, "pub= "); 110 BN_print_fp(stderr, dh->pub_key); 111 fprintf(stderr, "\n"); 112 #endif 113 114 debug("SSH2_MSG_KEX_DH_GEX_INIT sent"); 115 /* generate and send 'e', client DH public key */ 116 packet_start(SSH2_MSG_KEX_DH_GEX_INIT); 117 packet_put_bignum2(dh->pub_key); 118 packet_send(); 119 120 debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY"); 121 packet_read_expect(SSH2_MSG_KEX_DH_GEX_REPLY); 122 123 /* key, cert */ 124 server_host_key_blob = packet_get_string(&sbloblen); 125 server_host_key = key_from_blob(server_host_key_blob, sbloblen); 126 if (server_host_key == NULL) 127 fatal("cannot decode server_host_key_blob"); 128 if (server_host_key->type != kex->hostkey_type) 129 fatal("type mismatch for decoded server_host_key_blob"); 130 if (kex->verify_host_key == NULL) 131 fatal("cannot verify server_host_key"); 132 if (kex->verify_host_key(server_host_key) == -1) 133 fatal("server_host_key verification failed"); 134 135 /* DH parameter f, server public DH key */ 136 if ((dh_server_pub = BN_new()) == NULL) 137 fatal("dh_server_pub == NULL"); 138 packet_get_bignum2(dh_server_pub); 139 140 #ifdef DEBUG_KEXDH 141 fprintf(stderr, "dh_server_pub= "); 142 BN_print_fp(stderr, dh_server_pub); 143 fprintf(stderr, "\n"); 144 debug("bits %d", BN_num_bits(dh_server_pub)); 145 #endif 146 147 /* signed H */ 148 signature = packet_get_string(&slen); 149 packet_check_eom(); 150 151 if (!dh_pub_is_valid(dh, dh_server_pub)) 152 packet_disconnect("bad server public DH value"); 153 154 klen = DH_size(dh); 155 kbuf = xmalloc(klen); 156 if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0) 157 fatal("DH_compute_key: failed"); 158 #ifdef DEBUG_KEXDH 159 dump_digest("shared secret", kbuf, kout); 160 #endif 161 if ((shared_secret = BN_new()) == NULL) 162 fatal("kexgex_client: BN_new failed"); 163 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) 164 fatal("kexgex_client: BN_bin2bn failed"); 165 explicit_bzero(kbuf, klen); 166 free(kbuf); 167 168 if (datafellows & SSH_OLD_DHGEX) 169 min = max = -1; 170 171 /* calc and verify H */ 172 kexgex_hash( 173 kex->hash_alg, 174 kex->client_version_string, 175 kex->server_version_string, 176 buffer_ptr(&kex->my), buffer_len(&kex->my), 177 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 178 server_host_key_blob, sbloblen, 179 min, nbits, max, 180 dh->p, dh->g, 181 dh->pub_key, 182 dh_server_pub, 183 shared_secret, 184 &hash, &hashlen 185 ); 186 187 /* have keys, free DH */ 188 DH_free(dh); 189 free(server_host_key_blob); 190 BN_clear_free(dh_server_pub); 191 192 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) 193 fatal("key_verify failed for server_host_key"); 194 key_free(server_host_key); 195 free(signature); 196 197 /* save session id */ 198 if (kex->session_id == NULL) { 199 kex->session_id_len = hashlen; 200 kex->session_id = xmalloc(kex->session_id_len); 201 memcpy(kex->session_id, hash, kex->session_id_len); 202 } 203 kex_derive_keys_bn(kex, hash, hashlen, shared_secret); 204 BN_clear_free(shared_secret); 205 206 kex_finish(kex); 207 } 208