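/*
 * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
/*	$OpenBSD: kex.h,v 1.32 2002/09/09 14:54:14 markus Exp $	*/

#ifndef _KEX_H
#define	_KEX_H

#pragma ident	"%Z%%M% %I% %E% SMI"

#ifdef __cplusplus
extern "C" {
#endif


/*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * kex.h - SSH2 key exchange (KEX) state and entry points.
 *
 * A Kex object describes one key-exchange round: the KEXINIT proposals
 * of both sides, the negotiated method and host-key type, the callbacks
 * the transport layer supplies for host-key handling, and the per
 * direction cipher/MAC/compression parameters (Newkeys) derived from
 * the exchange.  The GSSAPI blocks add a GSS-API based key exchange on
 * top of the two Diffie-Hellman methods.
 */

#include <sys/types.h>		/* u_char, u_int: lets the header stand alone */
#include <openssl/bn.h>		/* BIGNUM, used directly in the prototypes */
#include <openssl/evp.h>	/* EVP_MD */
#include "buffer.h"
#include "cipher.h"
#include "key.h"

/*
 * GSS-API headers for the GSS key exchange.  The Sun build uses the
 * native libgss; other builds pick the Kerberos vendor's header.
 */
#ifdef GSSAPI
#ifdef SUNW_GSSAPI
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>
#else
#ifdef GSS_KRB5
#ifdef HEIMDAL
#include <gssapi.h>
#else
#include <gssapi_generic.h>
#endif /* HEIMDAL */
#endif /* GSS_KRB5 */
#endif /* SUNW_GSSAPI */
#endif /* GSSAPI */

/*
 * Wire names of the Diffie-Hellman key-exchange methods implemented here
 * (RFC 4253 section 8 and the group-exchange draft/RFC 4419).
 *
 * NOTE(review): "group1" is the fixed 1024-bit Oakley Group 2 and both
 * methods use SHA-1 for the exchange hash.  Neither meets current
 * strength guidance; prefer group-exchange with a large modulus where
 * the peer supports it.  The strings themselves are protocol
 * identifiers and must not be altered.
 */
#define	KEX_DH1		"diffie-hellman-group1-sha1"
#define	KEX_DHGEX	"diffie-hellman-group-exchange-sha1"

/*
 * Indices into a proposal[] array.  The order is the order of the
 * name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1); PROPOSAL_MAX is
 * the array length, not a valid index.
 */
enum kex_init_proposals {
	PROPOSAL_KEX_ALGS,
	PROPOSAL_SERVER_HOST_KEY_ALGS,
	PROPOSAL_ENC_ALGS_CTOS,
	PROPOSAL_ENC_ALGS_STOC,
	PROPOSAL_MAC_ALGS_CTOS,
	PROPOSAL_MAC_ALGS_STOC,
	PROPOSAL_COMP_ALGS_CTOS,
	PROPOSAL_COMP_ALGS_STOC,
	PROPOSAL_LANG_CTOS,
	PROPOSAL_LANG_STOC,
	PROPOSAL_MAX
};

/*
 * Traffic direction, used to index Kex.newkeys[].  MODE_MAX is the
 * array length.
 */
enum kex_modes {
	MODE_IN,
	MODE_OUT,
	MODE_MAX
};

/*
 * Key-exchange method identifiers: the value stored in Kex.kex_type and
 * the index into the Kex.kex[] handler table.  KEX_MAX is the table
 * length.  The GSS entry only exists in GSSAPI builds, so KEX_MAX (and
 * the table layout) differs between the two configurations.
 */
enum kex_exchange {
	KEX_DH_GRP1_SHA1,
	KEX_DH_GEX_SHA1,
#ifdef GSSAPI
	KEX_GSS_GRP1_SHA1,
#endif /* GSSAPI */
	KEX_MAX
};


/* Bit in Kex.flags; presumably set once our KEXINIT has been sent. */
#define	KEX_INIT_SENT	0x0001

typedef struct Kex Kex;
typedef struct Mac Mac;
typedef struct Comp Comp;
typedef struct Enc Enc;
typedef struct Newkeys Newkeys;

/*
 * Negotiated cipher for one direction.
 *
 * key and iv point at raw key material and are therefore secret; who
 * allocates, owns and wipes them is not visible in this header --
 * confirm at the use sites that they are zeroed before release.
 */
struct Enc {
	char	*name;		/* negotiated cipher name (wire string) */
	Cipher	*cipher;	/* cipher descriptor, see cipher.h */
	int	enabled;
	u_int	key_len;	/* bytes of key material expected in key */
	u_int	block_size;
	u_char	*key;		/* secret */
	u_char	*iv;		/* secret */
};

/*
 * Negotiated MAC for one direction.
 *
 * NOTE(review): mac_len and key_len are signed here while Enc uses
 * u_int; watch for mixed-sign comparisons at the use sites.
 */
struct Mac {
	char		*name;		/* negotiated MAC name (wire string) */
	int		enabled;
	const EVP_MD	*md;		/* underlying digest */
	int		mac_len;	/* presumably bytes of MAC output on the wire */
	u_char		*key;		/* secret MAC key */
	int		key_len;
};

/* Negotiated compression for one direction. */
struct Comp {
	int	type;
	int	enabled;
	char	*name;		/* negotiated compression name (wire string) */
};

/* The complete parameter set for one direction of traffic. */
struct Newkeys {
	Enc	enc;
	Mac	mac;
	Comp	comp;
};

/* Per-exchange options; gss_deleg_creds presumably requests GSS-API
 * credential delegation and only matters for the GSS key exchange. */
struct KexOptions {
	int	gss_deleg_creds;
};

/*
 * State of one key exchange.
 *
 * Callbacks are filled in by the transport layer.  verify_host_key is
 * the hook on which man-in-the-middle protection of the DH methods
 * rests: whatever it accepts becomes the trusted server identity, so
 * an implementation that accepts unconditionally defeats the exchange.
 * Its return convention (non-zero = accepted?) is not visible here --
 * confirm against the caller.
 */
struct Kex {
	u_char	*session_id;	/* session identifier (RFC 4253 7.2: the
				 * exchange hash of the first KEX, kept
				 * across rekeys) */
	u_int	session_id_len;
	Newkeys	*newkeys[MODE_MAX];	/* derived keys, indexed by kex_modes */
	int	we_need;	/* presumably the largest key length we must
				 * derive; confirm against kex_derive_keys */
	int	server;		/* non-zero when acting as the server side */
	char	*serverhost;
	char	*name;		/* negotiated key-exchange method name */
	int	hostkey_type;
	int	kex_type;	/* a kex_exchange value, selects kex[] */
	Buffer	my;		/* our KEXINIT payload */
	Buffer	peer;		/* the peer's KEXINIT payload */
	int	initial_kex_done;
	int	done;
	int	flags;		/* KEX_INIT_SENT etc. */
	char	*client_version_string;
	char	*server_version_string;
	struct KexOptions options;
	int	(*verify_host_key)(Key *);
	int	(*accept_host_key)(Key *);	/* for GSS keyex */
	Key	*(*load_host_key)(int);
	int	(*host_key_index)(Key *);
	void	(*kex[KEX_MAX])(Kex *);	/* method handlers, indexed by kex_type */
	void	(*kex_hook)(Kex *, char **);	/* for GSS keyex rekeying */
#ifdef GSSAPI
	gss_OID_set	mechs;	/* mechs in my proposal */
#endif /* GSSAPI */
};

typedef void (*Kex_hook_func)(Kex *, char **);	/* for GSS-API rekeying */

/*
 * Create a Kex for the given host with our proposal (PROPOSAL_MAX
 * name-lists) and an optional hook for GSS-API rekeying.
 */
Kex	*kex_setup(const char *host,
	    char *proposal[PROPOSAL_MAX],
	    Kex_hook_func hook);
void	 kex_finish(Kex *kex);

void	 kex_send_kexinit(Kex *kex);
/* Packet-dispatch handler for SSH_MSG_KEXINIT; ctxt is presumably the Kex. */
void	 kex_input_kexinit(int type, u_int32_t seq, void *ctxt);
/* Derive the Newkeys sets from the exchange hash and shared secret. */
void	 kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret);

/* Fetch the derived key set for one direction (a kex_modes value). */
Newkeys	*kex_get_newkeys(int mode);

void	 kexdh_client(Kex *kex);
void	 kexdh_server(Kex *kex);
void	 kexgex_client(Kex *kex);
void	 kexgex_server(Kex *kex);

/*
 * Exchange hash H.  The parameters are named after the hash-input
 * concatenation order of RFC 4253 section 8 (V_C, V_S, I_C, I_S, K_S,
 * e, f, K); confirm the names against the definitions.  The digest
 * length and the storage lifetime of the returned buffer are decided
 * by the implementation and are not visible here.
 *
 * NOTE(review): the length arguments are int; callers holding u_int
 * buffer lengths must not let a negative value reach these functions.
 */
u_char	*kex_dh_hash(char *client_version_string,
	    char *server_version_string,
	    char *ckexinit, int ckexinitlen,
	    char *skexinit, int skexinitlen,
	    u_char *serverhostkeyblob, int sbloblen,
	    BIGNUM *client_dh_pub, BIGNUM *server_dh_pub,
	    BIGNUM *shared_secret);
/*
 * Group-exchange variant: same inputs plus the requested group size
 * (min, n, max) and the group (p, g), in RFC 4419 hash-input order.
 */
u_char	*kexgex_hash(char *client_version_string,
	    char *server_version_string,
	    char *ckexinit, int ckexinitlen,
	    char *skexinit, int skexinitlen,
	    u_char *serverhostkeyblob, int sbloblen,
	    int min, int wantbits, int max,
	    BIGNUM *prime, BIGNUM *gen,
	    BIGNUM *client_dh_pub, BIGNUM *server_dh_pub,
	    BIGNUM *shared_secret);

#ifdef GSSAPI
void	 kexgss_client(Kex *kex);
void	 kexgss_server(Kex *kex);
#endif

/* Debug-build only: print a digest with a label. */
#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH)
void	 dump_digest(char *msg, u_char *digest, int len);
#endif

#ifdef __cplusplus
}
#endif

#endif /* _KEX_H */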