- djm@cvs.openbsd.org 2005/11/04 05:15:59
[kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@
diff --git a/ChangeLog b/ChangeLog
index cefc3e0..6fb0b7d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -93,6 +93,11 @@
- dtucker@cvs.openbsd.org 2005/11/03 13:38:29
[canohost.c]
Cache reverse lookups with and without DNS separately; ok markus@
+ - djm@cvs.openbsd.org 2005/11/04 05:15:59
+ [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
+ remove hardcoded hash lengths in key exchange code, allowing
+ implementation of KEX methods with different hashes (e.g. SHA-256);
+ ok markus@ dtucker@ stevesk@
20051102
- (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
@@ -3226,4 +3231,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3950 2005/11/05 04:16:52 djm Exp $
+$Id: ChangeLog,v 1.3951 2005/11/05 04:19:35 djm Exp $
diff --git a/kex.c b/kex.c
index 5dce335..cd71be9 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
#include <openssl/crypto.h>
@@ -294,13 +294,17 @@
fatal("no kex alg");
if (strcmp(k->name, KEX_DH1) == 0) {
k->kex_type = KEX_DH_GRP1_SHA1;
+ k->evp_md = EVP_sha1();
} else if (strcmp(k->name, KEX_DH14) == 0) {
k->kex_type = KEX_DH_GRP14_SHA1;
- } else if (strcmp(k->name, KEX_DHGEX) == 0) {
+ k->evp_md = EVP_sha1();
+ } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
k->kex_type = KEX_DH_GEX_SHA1;
+ k->evp_md = EVP_sha1();
} else
fatal("bad kex alg %s", k->name);
}
+
static void
choose_hostkeyalg(Kex *k, char *client, char *server)
{
@@ -404,28 +408,28 @@
}
static u_char *
-derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
+derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,
+ BIGNUM *shared_secret)
{
Buffer b;
- const EVP_MD *evp_md = EVP_sha1();
EVP_MD_CTX md;
char c = id;
u_int have;
- int mdsz = EVP_MD_size(evp_md);
+ int mdsz;
u_char *digest;
- if (mdsz < 0)
- fatal("derive_key: mdsz < 0");
- digest = xmalloc(roundup(need, mdsz));
+ if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0)
+ fatal("bad kex md size %d", mdsz);
+ digest = xmalloc(roundup(need, mdsz));
buffer_init(&b);
buffer_put_bignum2(&b, shared_secret);
/* K1 = HASH(K || H || "A" || session_id) */
- EVP_DigestInit(&md, evp_md);
+ EVP_DigestInit(&md, kex->evp_md);
if (!(datafellows & SSH_BUG_DERIVEKEY))
EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
- EVP_DigestUpdate(&md, hash, mdsz);
+ EVP_DigestUpdate(&md, hash, hashlen);
EVP_DigestUpdate(&md, &c, 1);
EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);
EVP_DigestFinal(&md, digest, NULL);
@@ -436,10 +440,10 @@
* Key = K1 || K2 || ... || Kn
*/
for (have = mdsz; need > have; have += mdsz) {
- EVP_DigestInit(&md, evp_md);
+ EVP_DigestInit(&md, kex->evp_md);
if (!(datafellows & SSH_BUG_DERIVEKEY))
EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
- EVP_DigestUpdate(&md, hash, mdsz);
+ EVP_DigestUpdate(&md, hash, hashlen);
EVP_DigestUpdate(&md, digest, have);
EVP_DigestFinal(&md, digest + have, NULL);
}
@@ -455,13 +459,15 @@
#define NKEYS 6
void
-kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret)
+kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret)
{
u_char *keys[NKEYS];
u_int i, mode, ctos;
- for (i = 0; i < NKEYS; i++)
- keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret);
+ for (i = 0; i < NKEYS; i++) {
+ keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen,
+ shared_secret);
+ }
debug2("kex_derive_keys");
for (mode = 0; mode < MODE_MAX; mode++) {
diff --git a/kex.h b/kex.h
index 3024a27..bbd931e 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $ */
+/* $OpenBSD: kex.h,v 1.38 2005/11/04 05:15:59 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -31,9 +31,9 @@
#include "cipher.h"
#include "key.h"
-#define KEX_DH1 "diffie-hellman-group1-sha1"
-#define KEX_DH14 "diffie-hellman-group14-sha1"
-#define KEX_DHGEX "diffie-hellman-group-exchange-sha1"
+#define KEX_DH1 "diffie-hellman-group1-sha1"
+#define KEX_DH14 "diffie-hellman-group14-sha1"
+#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
#define COMP_NONE 0
#define COMP_ZLIB 1
@@ -114,6 +114,7 @@
Buffer peer;
int done;
int flags;
+ const EVP_MD *evp_md;
char *client_version_string;
char *server_version_string;
int (*verify_host_key)(Key *);
@@ -127,7 +128,7 @@
void kex_send_kexinit(Kex *);
void kex_input_kexinit(int, u_int32_t, void *);
-void kex_derive_keys(Kex *, u_char *, BIGNUM *);
+void kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *);
Newkeys *kex_get_newkeys(int);
@@ -136,12 +137,13 @@
void kexgex_client(Kex *);
void kexgex_server(Kex *);
-u_char *
+void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
- BIGNUM *, BIGNUM *, BIGNUM *);
-u_char *
-kexgex_hash(char *, char *, char *, int, char *, int, u_char *, int,
- int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *);
+ BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
+void
+kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
+ int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
+ BIGNUM *, BIGNUM *, u_char **, u_int *);
void
derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
diff --git a/kexdh.c b/kexdh.c
index 4bbb7d1..f79d878 100644
--- a/kexdh.c
+++ b/kexdh.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexdh.c,v 1.20 2005/11/04 05:15:59 djm Exp $");
#include <openssl/evp.h>
@@ -32,7 +32,7 @@
#include "ssh2.h"
#include "kex.h"
-u_char *
+void
kex_dh_hash(
char *client_version_string,
char *server_version_string,
@@ -41,7 +41,8 @@
u_char *serverhostkeyblob, int sbloblen,
BIGNUM *client_dh_pub,
BIGNUM *server_dh_pub,
- BIGNUM *shared_secret)
+ BIGNUM *shared_secret,
+ u_char **hash, u_int *hashlen)
{
Buffer b;
static u_char digest[EVP_MAX_MD_SIZE];
@@ -77,5 +78,6 @@
#ifdef DEBUG_KEX
dump_digest("hash", digest, EVP_MD_size(evp_md));
#endif
- return digest;
+ *hash = digest;
+ *hashlen = EVP_MD_size(evp_md);
}
diff --git a/kexdhc.c b/kexdhc.c
index f48bd46..d8a2fa3 100644
--- a/kexdhc.c
+++ b/kexdhc.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: kexdhc.c,v 1.2 2004/06/13 12:53:24 djm Exp $");
+RCSID("$OpenBSD: kexdhc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
#include "xmalloc.h"
#include "key.h"
@@ -41,7 +41,7 @@
Key *server_host_key;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
- u_int klen, kout, slen, sbloblen;
+ u_int klen, kout, slen, sbloblen, hashlen;
/* generate and send 'e', client DH public key */
switch (kex->kex_type) {
@@ -114,7 +114,7 @@
xfree(kbuf);
/* calc and verify H */
- hash = kex_dh_hash(
+ kex_dh_hash(
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -122,25 +122,26 @@
server_host_key_blob, sbloblen,
dh->pub_key,
dh_server_pub,
- shared_secret
+ shared_secret,
+ &hash, &hashlen
);
xfree(server_host_key_blob);
BN_clear_free(dh_server_pub);
DH_free(dh);
- if (key_verify(server_host_key, signature, slen, hash, 20) != 1)
+ if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
xfree(signature);
/* save session id */
if (kex->session_id == NULL) {
- kex->session_id_len = 20;
+ kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
- kex_derive_keys(kex, hash, shared_secret);
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
diff --git a/kexdhs.c b/kexdhs.c
index 225e655..26c8cdf 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: kexdhs.c,v 1.2 2004/06/13 12:53:24 djm Exp $");
+RCSID("$OpenBSD: kexdhs.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
#include "xmalloc.h"
#include "key.h"
@@ -41,7 +41,7 @@
DH *dh;
Key *server_host_key;
u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
- u_int sbloblen, klen, kout;
+ u_int sbloblen, klen, kout, hashlen;
u_int slen;
/* generate server DH public key */
@@ -103,7 +103,7 @@
key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
/* calc H */
- hash = kex_dh_hash(
+ kex_dh_hash(
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@@ -111,21 +111,20 @@
server_host_key_blob, sbloblen,
dh_client_pub,
dh->pub_key,
- shared_secret
+ shared_secret,
+ &hash, &hashlen
);
BN_clear_free(dh_client_pub);
/* save session id := H */
- /* XXX hashlen depends on KEX */
if (kex->session_id == NULL) {
- kex->session_id_len = 20;
+ kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
- /* XXX hashlen depends on KEX */
- PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
+ PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
/* destroy_sensitive_data(); */
@@ -141,7 +140,7 @@
/* have keys, free DH */
DH_free(dh);
- kex_derive_keys(kex, hash, shared_secret);
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
diff --git a/kexgex.c b/kexgex.c
index b0c39c8..705484a 100644
--- a/kexgex.c
+++ b/kexgex.c
@@ -24,7 +24,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexgex.c,v 1.24 2005/11/04 05:15:59 djm Exp $");
#include <openssl/evp.h>
@@ -33,8 +33,9 @@
#include "kex.h"
#include "ssh2.h"
-u_char *
+void
kexgex_hash(
+ const EVP_MD *evp_md,
char *client_version_string,
char *server_version_string,
char *ckexinit, int ckexinitlen,
@@ -43,11 +44,11 @@
int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
BIGNUM *client_dh_pub,
BIGNUM *server_dh_pub,
- BIGNUM *shared_secret)
+ BIGNUM *shared_secret,
+ u_char **hash, u_int *hashlen)
{
Buffer b;
static u_char digest[EVP_MAX_MD_SIZE];
- const EVP_MD *evp_md = EVP_sha1();
EVP_MD_CTX md;
buffer_init(&b);
@@ -79,14 +80,15 @@
#ifdef DEBUG_KEXDH
buffer_dump(&b);
#endif
+
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
EVP_DigestFinal(&md, digest, NULL);
buffer_free(&b);
-
+ *hash = digest;
+ *hashlen = EVP_MD_size(evp_md);
#ifdef DEBUG_KEXDH
- dump_digest("hash", digest, EVP_MD_size(evp_md));
+ dump_digest("hash", digest, *hashlen);
#endif
- return digest;
}
diff --git a/kexgexc.c b/kexgexc.c
index 0193183..a6ff875 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -24,7 +24,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: kexgexc.c,v 1.2 2003/12/08 11:00:47 markus Exp $");
+RCSID("$OpenBSD: kexgexc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
#include "xmalloc.h"
#include "key.h"
@@ -42,7 +42,7 @@
BIGNUM *p = NULL, *g = NULL;
Key *server_host_key;
u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
- u_int klen, kout, slen, sbloblen;
+ u_int klen, kout, slen, sbloblen, hashlen;
int min, max, nbits;
DH *dh;
@@ -155,7 +155,8 @@
min = max = -1;
/* calc and verify H */
- hash = kexgex_hash(
+ kexgex_hash(
+ kex->evp_md,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -165,25 +166,27 @@
dh->p, dh->g,
dh->pub_key,
dh_server_pub,
- shared_secret
+ shared_secret,
+ &hash, &hashlen
);
+
/* have keys, free DH */
DH_free(dh);
xfree(server_host_key_blob);
BN_clear_free(dh_server_pub);
- if (key_verify(server_host_key, signature, slen, hash, 20) != 1)
+ if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
xfree(signature);
/* save session id */
if (kex->session_id == NULL) {
- kex->session_id_len = 20;
+ kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
- kex_derive_keys(kex, hash, shared_secret);
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
diff --git a/kexgexs.c b/kexgexs.c
index baebfcf..c48b27a 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -24,7 +24,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: kexgexs.c,v 1.1 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexgexs.c,v 1.2 2005/11/04 05:15:59 djm Exp $");
#include "xmalloc.h"
#include "key.h"
@@ -43,7 +43,7 @@
Key *server_host_key;
DH *dh;
u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
- u_int sbloblen, klen, kout, slen;
+ u_int sbloblen, klen, kout, slen, hashlen;
int min = -1, max = -1, nbits = -1, type;
if (kex->load_host_key == NULL)
@@ -137,8 +137,9 @@
if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
min = max = -1;
- /* calc H */ /* XXX depends on 'kex' */
- hash = kexgex_hash(
+ /* calc H */
+ kexgex_hash(
+ kex->evp_md,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@@ -148,21 +149,20 @@
dh->p, dh->g,
dh_client_pub,
dh->pub_key,
- shared_secret
+ shared_secret,
+ &hash, &hashlen
);
BN_clear_free(dh_client_pub);
/* save session id := H */
- /* XXX hashlen depends on KEX */
if (kex->session_id == NULL) {
- kex->session_id_len = 20;
+ kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
- /* XXX hashlen depends on KEX */
- PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
+ PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
/* destroy_sensitive_data(); */
@@ -179,7 +179,7 @@
/* have keys, free DH */
DH_free(dh);
- kex_derive_keys(kex, hash, shared_secret);
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);