xref: /freebsd/crypto/openssh/kexgexc.c (revision b1f9167f94059fd55c630891d359bcff987bd7eb)
1 /* $OpenBSD: kexgexc.c,v 1.17 2014/02/02 03:44:31 djm Exp $ */
2 /*
3  * Copyright (c) 2000 Niels Provos.  All rights reserved.
4  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #include "includes.h"
28 
29 #include <sys/types.h>
30 
31 #include <openssl/dh.h>
32 
33 #include <stdarg.h>
34 #include <stdio.h>
35 #include <string.h>
36 #include <signal.h>
37 
38 #include "xmalloc.h"
39 #include "buffer.h"
40 #include "key.h"
41 #include "cipher.h"
42 #include "kex.h"
43 #include "log.h"
44 #include "packet.h"
45 #include "dh.h"
46 #include "ssh2.h"
47 #include "compat.h"
48 
49 void
50 kexgex_client(Kex *kex)
51 {
52 	BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
53 	BIGNUM *p = NULL, *g = NULL;
54 	Key *server_host_key;
55 	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
56 	u_int klen, slen, sbloblen, hashlen;
57 	int kout;
58 	int min, max, nbits;
59 	DH *dh;
60 
61 	nbits = dh_estimate(kex->dh_need * 8);
62 
63 	if (datafellows & SSH_OLD_DHGEX) {
64 		/* Old GEX request */
65 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
66 		packet_put_int(nbits);
67 		min = DH_GRP_MIN;
68 		max = DH_GRP_MAX;
69 
70 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
71 	} else {
72 		/* New GEX request */
73 		min = DH_GRP_MIN;
74 		max = DH_GRP_MAX;
75 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
76 		packet_put_int(min);
77 		packet_put_int(nbits);
78 		packet_put_int(max);
79 
80 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent",
81 		    min, nbits, max);
82 	}
83 #ifdef DEBUG_KEXDH
84 	fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n",
85 	    min, nbits, max);
86 #endif
87 	packet_send();
88 
89 	debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP");
90 	packet_read_expect(SSH2_MSG_KEX_DH_GEX_GROUP);
91 
92 	if ((p = BN_new()) == NULL)
93 		fatal("BN_new");
94 	packet_get_bignum2(p);
95 	if ((g = BN_new()) == NULL)
96 		fatal("BN_new");
97 	packet_get_bignum2(g);
98 	packet_check_eom();
99 
100 	if (BN_num_bits(p) < min || BN_num_bits(p) > max)
101 		fatal("DH_GEX group out of range: %d !< %d !< %d",
102 		    min, BN_num_bits(p), max);
103 
104 	dh = dh_new_group(g, p);
105 	dh_gen_key(dh, kex->we_need * 8);
106 
107 #ifdef DEBUG_KEXDH
108 	DHparams_print_fp(stderr, dh);
109 	fprintf(stderr, "pub= ");
110 	BN_print_fp(stderr, dh->pub_key);
111 	fprintf(stderr, "\n");
112 #endif
113 
114 	debug("SSH2_MSG_KEX_DH_GEX_INIT sent");
115 	/* generate and send 'e', client DH public key */
116 	packet_start(SSH2_MSG_KEX_DH_GEX_INIT);
117 	packet_put_bignum2(dh->pub_key);
118 	packet_send();
119 
120 	debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY");
121 	packet_read_expect(SSH2_MSG_KEX_DH_GEX_REPLY);
122 
123 	/* key, cert */
124 	server_host_key_blob = packet_get_string(&sbloblen);
125 	server_host_key = key_from_blob(server_host_key_blob, sbloblen);
126 	if (server_host_key == NULL)
127 		fatal("cannot decode server_host_key_blob");
128 	if (server_host_key->type != kex->hostkey_type)
129 		fatal("type mismatch for decoded server_host_key_blob");
130 	if (kex->verify_host_key == NULL)
131 		fatal("cannot verify server_host_key");
132 	if (kex->verify_host_key(server_host_key) == -1)
133 		fatal("server_host_key verification failed");
134 
135 	/* DH parameter f, server public DH key */
136 	if ((dh_server_pub = BN_new()) == NULL)
137 		fatal("dh_server_pub == NULL");
138 	packet_get_bignum2(dh_server_pub);
139 
140 #ifdef DEBUG_KEXDH
141 	fprintf(stderr, "dh_server_pub= ");
142 	BN_print_fp(stderr, dh_server_pub);
143 	fprintf(stderr, "\n");
144 	debug("bits %d", BN_num_bits(dh_server_pub));
145 #endif
146 
147 	/* signed H */
148 	signature = packet_get_string(&slen);
149 	packet_check_eom();
150 
151 	if (!dh_pub_is_valid(dh, dh_server_pub))
152 		packet_disconnect("bad server public DH value");
153 
154 	klen = DH_size(dh);
155 	kbuf = xmalloc(klen);
156 	if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0)
157 		fatal("DH_compute_key: failed");
158 #ifdef DEBUG_KEXDH
159 	dump_digest("shared secret", kbuf, kout);
160 #endif
161 	if ((shared_secret = BN_new()) == NULL)
162 		fatal("kexgex_client: BN_new failed");
163 	if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
164 		fatal("kexgex_client: BN_bin2bn failed");
165 	explicit_bzero(kbuf, klen);
166 	free(kbuf);
167 
168 	if (datafellows & SSH_OLD_DHGEX)
169 		min = max = -1;
170 
171 	/* calc and verify H */
172 	kexgex_hash(
173 	    kex->hash_alg,
174 	    kex->client_version_string,
175 	    kex->server_version_string,
176 	    buffer_ptr(&kex->my), buffer_len(&kex->my),
177 	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
178 	    server_host_key_blob, sbloblen,
179 	    min, nbits, max,
180 	    dh->p, dh->g,
181 	    dh->pub_key,
182 	    dh_server_pub,
183 	    shared_secret,
184 	    &hash, &hashlen
185 	);
186 
187 	/* have keys, free DH */
188 	DH_free(dh);
189 	free(server_host_key_blob);
190 	BN_clear_free(dh_server_pub);
191 
192 	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
193 		fatal("key_verify failed for server_host_key");
194 	key_free(server_host_key);
195 	free(signature);
196 
197 	/* save session id */
198 	if (kex->session_id == NULL) {
199 		kex->session_id_len = hashlen;
200 		kex->session_id = xmalloc(kex->session_id_len);
201 		memcpy(kex->session_id, hash, kex->session_id_len);
202 	}
203 	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
204 	BN_clear_free(shared_secret);
205 
206 	kex_finish(kex);
207 }
208