Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 1 | /* $OpenBSD: kex.c,v 1.131 2017/03/15 07:07:39 markus Exp $ */ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2 | /* |
| 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
| 4 | * |
| 5 | * Redistribution and use in source and binary forms, with or without |
| 6 | * modification, are permitted provided that the following conditions |
| 7 | * are met: |
| 8 | * 1. Redistributions of source code must retain the above copyright |
| 9 | * notice, this list of conditions and the following disclaimer. |
| 10 | * 2. Redistributions in binary form must reproduce the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer in the |
| 12 | * documentation and/or other materials provided with the distribution. |
| 13 | * |
| 14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
| 15 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| 16 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
| 17 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
| 18 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 19 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 20 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 21 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 22 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 23 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 24 | */ |
| 25 | |
| 26 | #include "includes.h" |
| 27 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 28 | |
| 29 | #include <signal.h> |
| 30 | #include <stdarg.h> |
| 31 | #include <stdio.h> |
| 32 | #include <stdlib.h> |
| 33 | #include <string.h> |
| 34 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 35 | #ifdef WITH_OPENSSL |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 36 | #include <openssl/crypto.h> |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 37 | #include <openssl/dh.h> |
| 38 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 39 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 40 | #include "ssh2.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 41 | #include "packet.h" |
| 42 | #include "compat.h" |
| 43 | #include "cipher.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 44 | #include "sshkey.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 45 | #include "kex.h" |
| 46 | #include "log.h" |
| 47 | #include "mac.h" |
| 48 | #include "match.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 49 | #include "misc.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 50 | #include "dispatch.h" |
| 51 | #include "monitor.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 52 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 53 | #include "ssherr.h" |
| 54 | #include "sshbuf.h" |
| 55 | #include "digest.h" |
| 56 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 57 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
| 58 | # if defined(HAVE_EVP_SHA256) |
| 59 | # define evp_ssh_sha256 EVP_sha256 |
| 60 | # else |
| 61 | extern const EVP_MD *evp_ssh_sha256(void); |
| 62 | # endif |
| 63 | #endif |
| 64 | |
| 65 | /* prototype */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 66 | static int kex_choose_conf(struct ssh *); |
| 67 | static int kex_input_newkeys(int, u_int32_t, void *); |
| 68 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 69 | static const char *proposal_names[PROPOSAL_MAX] = { |
| 70 | "KEX algorithms", |
| 71 | "host key algorithms", |
| 72 | "ciphers ctos", |
| 73 | "ciphers stoc", |
| 74 | "MACs ctos", |
| 75 | "MACs stoc", |
| 76 | "compression ctos", |
| 77 | "compression stoc", |
| 78 | "languages ctos", |
| 79 | "languages stoc", |
| 80 | }; |
| 81 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 82 | struct kexalg { |
| 83 | char *name; |
| 84 | u_int type; |
| 85 | int ec_nid; |
| 86 | int hash_alg; |
| 87 | }; |
| 88 | static const struct kexalg kexalgs[] = { |
| 89 | #ifdef WITH_OPENSSL |
| 90 | { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 91 | { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, |
| 92 | { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, |
| 93 | { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, |
| 94 | { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 95 | { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, |
| 96 | #ifdef HAVE_EVP_SHA256 |
| 97 | { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, |
| 98 | #endif /* HAVE_EVP_SHA256 */ |
| 99 | #ifdef OPENSSL_HAS_ECC |
| 100 | { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, |
| 101 | NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, |
| 102 | { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, |
| 103 | SSH_DIGEST_SHA384 }, |
| 104 | # ifdef OPENSSL_HAS_NISTP521 |
| 105 | { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, |
| 106 | SSH_DIGEST_SHA512 }, |
| 107 | # endif /* OPENSSL_HAS_NISTP521 */ |
| 108 | #endif /* OPENSSL_HAS_ECC */ |
| 109 | #endif /* WITH_OPENSSL */ |
| 110 | #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) |
| 111 | { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 112 | { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 113 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
| 114 | { NULL, -1, -1, -1}, |
| 115 | }; |
| 116 | |
| 117 | char * |
| 118 | kex_alg_list(char sep) |
| 119 | { |
| 120 | char *ret = NULL, *tmp; |
| 121 | size_t nlen, rlen = 0; |
| 122 | const struct kexalg *k; |
| 123 | |
| 124 | for (k = kexalgs; k->name != NULL; k++) { |
| 125 | if (ret != NULL) |
| 126 | ret[rlen++] = sep; |
| 127 | nlen = strlen(k->name); |
| 128 | if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { |
| 129 | free(ret); |
| 130 | return NULL; |
| 131 | } |
| 132 | ret = tmp; |
| 133 | memcpy(ret + rlen, k->name, nlen + 1); |
| 134 | rlen += nlen; |
| 135 | } |
| 136 | return ret; |
| 137 | } |
| 138 | |
| 139 | static const struct kexalg * |
| 140 | kex_alg_by_name(const char *name) |
| 141 | { |
| 142 | const struct kexalg *k; |
| 143 | |
| 144 | for (k = kexalgs; k->name != NULL; k++) { |
| 145 | if (strcmp(k->name, name) == 0) |
| 146 | return k; |
| 147 | } |
| 148 | return NULL; |
| 149 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 150 | |
| 151 | /* Validate KEX method name list */ |
| 152 | int |
| 153 | kex_names_valid(const char *names) |
| 154 | { |
| 155 | char *s, *cp, *p; |
| 156 | |
| 157 | if (names == NULL || strcmp(names, "") == 0) |
| 158 | return 0; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 159 | if ((s = cp = strdup(names)) == NULL) |
| 160 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 161 | for ((p = strsep(&cp, ",")); p && *p != '\0'; |
| 162 | (p = strsep(&cp, ","))) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 163 | if (kex_alg_by_name(p) == NULL) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 164 | error("Unsupported KEX algorithm \"%.100s\"", p); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 165 | free(s); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 166 | return 0; |
| 167 | } |
| 168 | } |
| 169 | debug3("kex names ok: [%s]", names); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 170 | free(s); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 171 | return 1; |
| 172 | } |
| 173 | |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 174 | /* |
| 175 | * Concatenate algorithm names, avoiding duplicates in the process. |
| 176 | * Caller must free returned string. |
| 177 | */ |
| 178 | char * |
| 179 | kex_names_cat(const char *a, const char *b) |
| 180 | { |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 181 | char *ret = NULL, *tmp = NULL, *cp, *p, *m; |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 182 | size_t len; |
| 183 | |
| 184 | if (a == NULL || *a == '\0') |
| 185 | return NULL; |
| 186 | if (b == NULL || *b == '\0') |
| 187 | return strdup(a); |
| 188 | if (strlen(b) > 1024*1024) |
| 189 | return NULL; |
| 190 | len = strlen(a) + strlen(b) + 2; |
| 191 | if ((tmp = cp = strdup(b)) == NULL || |
| 192 | (ret = calloc(1, len)) == NULL) { |
| 193 | free(tmp); |
| 194 | return NULL; |
| 195 | } |
| 196 | strlcpy(ret, a, len); |
| 197 | for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 198 | if ((m = match_list(ret, p, NULL)) != NULL) { |
| 199 | free(m); |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 200 | continue; /* Algorithm already present */ |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 201 | } |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 202 | if (strlcat(ret, ",", len) >= len || |
| 203 | strlcat(ret, p, len) >= len) { |
| 204 | free(tmp); |
| 205 | free(ret); |
| 206 | return NULL; /* Shouldn't happen */ |
| 207 | } |
| 208 | } |
| 209 | free(tmp); |
| 210 | return ret; |
| 211 | } |
| 212 | |
| 213 | /* |
| 214 | * Assemble a list of algorithms from a default list and a string from a |
| 215 | * configuration file. The user-provided string may begin with '+' to |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 216 | * indicate that it should be appended to the default or '-' that the |
| 217 | * specified names should be removed. |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 218 | */ |
| 219 | int |
| 220 | kex_assemble_names(const char *def, char **list) |
| 221 | { |
| 222 | char *ret; |
| 223 | |
| 224 | if (list == NULL || *list == NULL || **list == '\0') { |
| 225 | *list = strdup(def); |
| 226 | return 0; |
| 227 | } |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 228 | if (**list == '+') { |
| 229 | if ((ret = kex_names_cat(def, *list + 1)) == NULL) |
| 230 | return SSH_ERR_ALLOC_FAIL; |
| 231 | free(*list); |
| 232 | *list = ret; |
| 233 | } else if (**list == '-') { |
| 234 | if ((ret = match_filter_list(def, *list + 1)) == NULL) |
| 235 | return SSH_ERR_ALLOC_FAIL; |
| 236 | free(*list); |
| 237 | *list = ret; |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 238 | } |
| 239 | |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 240 | return 0; |
| 241 | } |
| 242 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 243 | /* put algorithm proposal into buffer */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 244 | int |
| 245 | kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 246 | { |
| 247 | u_int i; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 248 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 249 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 250 | sshbuf_reset(b); |
| 251 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 252 | /* |
| 253 | * add a dummy cookie, the cookie will be overwritten by |
| 254 | * kex_send_kexinit(), each time a kexinit is set |
| 255 | */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 256 | for (i = 0; i < KEX_COOKIE_LEN; i++) { |
| 257 | if ((r = sshbuf_put_u8(b, 0)) != 0) |
| 258 | return r; |
| 259 | } |
| 260 | for (i = 0; i < PROPOSAL_MAX; i++) { |
| 261 | if ((r = sshbuf_put_cstring(b, proposal[i])) != 0) |
| 262 | return r; |
| 263 | } |
| 264 | if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */ |
| 265 | (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */ |
| 266 | return r; |
| 267 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 268 | } |
| 269 | |
| 270 | /* parse buffer and return algorithm proposal */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 271 | int |
| 272 | kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 273 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 274 | struct sshbuf *b = NULL; |
| 275 | u_char v; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 276 | u_int i; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 277 | char **proposal = NULL; |
| 278 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 279 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 280 | *propp = NULL; |
| 281 | if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL) |
| 282 | return SSH_ERR_ALLOC_FAIL; |
| 283 | if ((b = sshbuf_fromb(raw)) == NULL) { |
| 284 | r = SSH_ERR_ALLOC_FAIL; |
| 285 | goto out; |
| 286 | } |
| 287 | if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */ |
| 288 | goto out; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 289 | /* extract kex init proposal strings */ |
| 290 | for (i = 0; i < PROPOSAL_MAX; i++) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 291 | if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) |
| 292 | goto out; |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 293 | debug2("%s: %s", proposal_names[i], proposal[i]); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 294 | } |
| 295 | /* first kex follows / reserved */ |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 296 | if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ |
| 297 | (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 298 | goto out; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 299 | if (first_kex_follows != NULL) |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 300 | *first_kex_follows = v; |
| 301 | debug2("first_kex_follows %d ", v); |
| 302 | debug2("reserved %u ", i); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 303 | r = 0; |
| 304 | *propp = proposal; |
| 305 | out: |
| 306 | if (r != 0 && proposal != NULL) |
| 307 | kex_prop_free(proposal); |
| 308 | sshbuf_free(b); |
| 309 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 310 | } |
| 311 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 312 | void |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 313 | kex_prop_free(char **proposal) |
| 314 | { |
| 315 | u_int i; |
| 316 | |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 317 | if (proposal == NULL) |
| 318 | return; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 319 | for (i = 0; i < PROPOSAL_MAX; i++) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 320 | free(proposal[i]); |
| 321 | free(proposal); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 322 | } |
| 323 | |
| 324 | /* ARGSUSED */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 325 | static int |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 326 | kex_protocol_error(int type, u_int32_t seq, void *ctxt) |
| 327 | { |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 328 | struct ssh *ssh = active_state; /* XXX */ |
| 329 | int r; |
| 330 | |
| 331 | error("kex protocol error: type %d seq %u", type, seq); |
| 332 | if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || |
| 333 | (r = sshpkt_put_u32(ssh, seq)) != 0 || |
| 334 | (r = sshpkt_send(ssh)) != 0) |
| 335 | return r; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 336 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 337 | } |
| 338 | |
| 339 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 340 | kex_reset_dispatch(struct ssh *ssh) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 341 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 342 | ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 343 | SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 344 | } |
| 345 | |
| 346 | static int |
| 347 | kex_send_ext_info(struct ssh *ssh) |
| 348 | { |
| 349 | int r; |
| 350 | char *algs; |
| 351 | |
| 352 | if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL) |
| 353 | return SSH_ERR_ALLOC_FAIL; |
| 354 | if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || |
| 355 | (r = sshpkt_put_u32(ssh, 1)) != 0 || |
| 356 | (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || |
| 357 | (r = sshpkt_put_cstring(ssh, algs)) != 0 || |
| 358 | (r = sshpkt_send(ssh)) != 0) |
| 359 | goto out; |
| 360 | /* success */ |
| 361 | r = 0; |
| 362 | out: |
| 363 | free(algs); |
| 364 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 365 | } |
| 366 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 367 | int |
| 368 | kex_send_newkeys(struct ssh *ssh) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 369 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 370 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 371 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 372 | kex_reset_dispatch(ssh); |
| 373 | if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 || |
| 374 | (r = sshpkt_send(ssh)) != 0) |
| 375 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 376 | debug("SSH2_MSG_NEWKEYS sent"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 377 | debug("expecting SSH2_MSG_NEWKEYS"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 378 | ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 379 | if (ssh->kex->ext_info_c) |
| 380 | if ((r = kex_send_ext_info(ssh)) != 0) |
| 381 | return r; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 382 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 383 | } |
| 384 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 385 | int |
| 386 | kex_input_ext_info(int type, u_int32_t seq, void *ctxt) |
| 387 | { |
| 388 | struct ssh *ssh = ctxt; |
| 389 | struct kex *kex = ssh->kex; |
| 390 | u_int32_t i, ninfo; |
| 391 | char *name, *val, *found; |
| 392 | int r; |
| 393 | |
| 394 | debug("SSH2_MSG_EXT_INFO received"); |
| 395 | ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); |
| 396 | if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) |
| 397 | return r; |
| 398 | for (i = 0; i < ninfo; i++) { |
| 399 | if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) |
| 400 | return r; |
| 401 | if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) { |
| 402 | free(name); |
| 403 | return r; |
| 404 | } |
| 405 | debug("%s: %s=<%s>", __func__, name, val); |
| 406 | if (strcmp(name, "server-sig-algs") == 0) { |
| 407 | found = match_list("rsa-sha2-256", val, NULL); |
| 408 | if (found) { |
| 409 | kex->rsa_sha2 = 256; |
| 410 | free(found); |
| 411 | } |
| 412 | found = match_list("rsa-sha2-512", val, NULL); |
| 413 | if (found) { |
| 414 | kex->rsa_sha2 = 512; |
| 415 | free(found); |
| 416 | } |
| 417 | } |
| 418 | free(name); |
| 419 | free(val); |
| 420 | } |
| 421 | return sshpkt_get_end(ssh); |
| 422 | } |
| 423 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 424 | static int |
| 425 | kex_input_newkeys(int type, u_int32_t seq, void *ctxt) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 426 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 427 | struct ssh *ssh = ctxt; |
| 428 | struct kex *kex = ssh->kex; |
| 429 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 430 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 431 | debug("SSH2_MSG_NEWKEYS received"); |
| 432 | ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 433 | ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 434 | if ((r = sshpkt_get_end(ssh)) != 0) |
| 435 | return r; |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 436 | if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) |
| 437 | return r; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 438 | kex->done = 1; |
| 439 | sshbuf_reset(kex->peer); |
| 440 | /* sshbuf_reset(kex->my); */ |
| 441 | kex->flags &= ~KEX_INIT_SENT; |
| 442 | free(kex->name); |
| 443 | kex->name = NULL; |
| 444 | return 0; |
| 445 | } |
| 446 | |
| 447 | int |
| 448 | kex_send_kexinit(struct ssh *ssh) |
| 449 | { |
| 450 | u_char *cookie; |
| 451 | struct kex *kex = ssh->kex; |
| 452 | int r; |
| 453 | |
| 454 | if (kex == NULL) |
| 455 | return SSH_ERR_INTERNAL_ERROR; |
| 456 | if (kex->flags & KEX_INIT_SENT) |
| 457 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 458 | kex->done = 0; |
| 459 | |
| 460 | /* generate a random cookie */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 461 | if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) |
| 462 | return SSH_ERR_INVALID_FORMAT; |
| 463 | if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) |
| 464 | return SSH_ERR_INTERNAL_ERROR; |
| 465 | arc4random_buf(cookie, KEX_COOKIE_LEN); |
| 466 | |
| 467 | if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || |
| 468 | (r = sshpkt_putb(ssh, kex->my)) != 0 || |
| 469 | (r = sshpkt_send(ssh)) != 0) |
| 470 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 471 | debug("SSH2_MSG_KEXINIT sent"); |
| 472 | kex->flags |= KEX_INIT_SENT; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 473 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 474 | } |
| 475 | |
| 476 | /* ARGSUSED */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 477 | int |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 478 | kex_input_kexinit(int type, u_int32_t seq, void *ctxt) |
| 479 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 480 | struct ssh *ssh = ctxt; |
| 481 | struct kex *kex = ssh->kex; |
| 482 | const u_char *ptr; |
| 483 | u_int i; |
| 484 | size_t dlen; |
| 485 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 486 | |
| 487 | debug("SSH2_MSG_KEXINIT received"); |
| 488 | if (kex == NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 489 | return SSH_ERR_INVALID_ARGUMENT; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 490 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 491 | ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 492 | ptr = sshpkt_ptr(ssh, &dlen); |
| 493 | if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) |
| 494 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 495 | |
| 496 | /* discard packet */ |
| 497 | for (i = 0; i < KEX_COOKIE_LEN; i++) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 498 | if ((r = sshpkt_get_u8(ssh, NULL)) != 0) |
| 499 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 500 | for (i = 0; i < PROPOSAL_MAX; i++) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 501 | if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) |
| 502 | return r; |
| 503 | /* |
| 504 | * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported |
| 505 | * KEX method has the server move first, but a server might be using |
| 506 | * a custom method or one that we otherwise don't support. We should |
| 507 | * be prepared to remember first_kex_follows here so we can eat a |
| 508 | * packet later. |
| 509 | * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means |
| 510 | * for cases where the server *doesn't* go first. I guess we should |
| 511 | * ignore it when it is set for these cases, which is what we do now. |
| 512 | */ |
| 513 | if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */ |
| 514 | (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */ |
| 515 | (r = sshpkt_get_end(ssh)) != 0) |
| 516 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 517 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 518 | if (!(kex->flags & KEX_INIT_SENT)) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 519 | if ((r = kex_send_kexinit(ssh)) != 0) |
| 520 | return r; |
| 521 | if ((r = kex_choose_conf(ssh)) != 0) |
| 522 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 523 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 524 | if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) |
| 525 | return (kex->kex[kex->kex_type])(ssh); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 526 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 527 | return SSH_ERR_INTERNAL_ERROR; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 528 | } |
| 529 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 530 | int |
| 531 | kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp) |
| 532 | { |
| 533 | struct kex *kex; |
| 534 | int r; |
| 535 | |
| 536 | *kexp = NULL; |
| 537 | if ((kex = calloc(1, sizeof(*kex))) == NULL) |
| 538 | return SSH_ERR_ALLOC_FAIL; |
| 539 | if ((kex->peer = sshbuf_new()) == NULL || |
| 540 | (kex->my = sshbuf_new()) == NULL) { |
| 541 | r = SSH_ERR_ALLOC_FAIL; |
| 542 | goto out; |
| 543 | } |
| 544 | if ((r = kex_prop2buf(kex->my, proposal)) != 0) |
| 545 | goto out; |
| 546 | kex->done = 0; |
| 547 | kex_reset_dispatch(ssh); |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 548 | ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 549 | r = 0; |
| 550 | *kexp = kex; |
| 551 | out: |
| 552 | if (r != 0) |
| 553 | kex_free(kex); |
| 554 | return r; |
| 555 | } |
| 556 | |
| 557 | void |
| 558 | kex_free_newkeys(struct newkeys *newkeys) |
| 559 | { |
| 560 | if (newkeys == NULL) |
| 561 | return; |
| 562 | if (newkeys->enc.key) { |
| 563 | explicit_bzero(newkeys->enc.key, newkeys->enc.key_len); |
| 564 | free(newkeys->enc.key); |
| 565 | newkeys->enc.key = NULL; |
| 566 | } |
| 567 | if (newkeys->enc.iv) { |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 568 | explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 569 | free(newkeys->enc.iv); |
| 570 | newkeys->enc.iv = NULL; |
| 571 | } |
| 572 | free(newkeys->enc.name); |
| 573 | explicit_bzero(&newkeys->enc, sizeof(newkeys->enc)); |
| 574 | free(newkeys->comp.name); |
| 575 | explicit_bzero(&newkeys->comp, sizeof(newkeys->comp)); |
| 576 | mac_clear(&newkeys->mac); |
| 577 | if (newkeys->mac.key) { |
| 578 | explicit_bzero(newkeys->mac.key, newkeys->mac.key_len); |
| 579 | free(newkeys->mac.key); |
| 580 | newkeys->mac.key = NULL; |
| 581 | } |
| 582 | free(newkeys->mac.name); |
| 583 | explicit_bzero(&newkeys->mac, sizeof(newkeys->mac)); |
| 584 | explicit_bzero(newkeys, sizeof(*newkeys)); |
| 585 | free(newkeys); |
| 586 | } |
| 587 | |
| 588 | void |
| 589 | kex_free(struct kex *kex) |
| 590 | { |
| 591 | u_int mode; |
| 592 | |
| 593 | #ifdef WITH_OPENSSL |
| 594 | if (kex->dh) |
| 595 | DH_free(kex->dh); |
| 596 | #ifdef OPENSSL_HAS_ECC |
| 597 | if (kex->ec_client_key) |
| 598 | EC_KEY_free(kex->ec_client_key); |
| 599 | #endif /* OPENSSL_HAS_ECC */ |
| 600 | #endif /* WITH_OPENSSL */ |
| 601 | for (mode = 0; mode < MODE_MAX; mode++) { |
| 602 | kex_free_newkeys(kex->newkeys[mode]); |
| 603 | kex->newkeys[mode] = NULL; |
| 604 | } |
| 605 | sshbuf_free(kex->peer); |
| 606 | sshbuf_free(kex->my); |
| 607 | free(kex->session_id); |
| 608 | free(kex->client_version_string); |
| 609 | free(kex->server_version_string); |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 610 | free(kex->failed_choice); |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 611 | free(kex->hostkey_alg); |
| 612 | free(kex->name); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 613 | free(kex); |
| 614 | } |
| 615 | |
| 616 | int |
| 617 | kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) |
| 618 | { |
| 619 | int r; |
| 620 | |
| 621 | if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0) |
| 622 | return r; |
| 623 | if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */ |
| 624 | kex_free(ssh->kex); |
| 625 | ssh->kex = NULL; |
| 626 | return r; |
| 627 | } |
| 628 | return 0; |
| 629 | } |
| 630 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 631 | /* |
| 632 | * Request key re-exchange, returns 0 on success or a ssherr.h error |
| 633 | * code otherwise. Must not be called if KEX is incomplete or in-progress. |
| 634 | */ |
| 635 | int |
| 636 | kex_start_rekex(struct ssh *ssh) |
| 637 | { |
| 638 | if (ssh->kex == NULL) { |
| 639 | error("%s: no kex", __func__); |
| 640 | return SSH_ERR_INTERNAL_ERROR; |
| 641 | } |
| 642 | if (ssh->kex->done == 0) { |
| 643 | error("%s: requested twice", __func__); |
| 644 | return SSH_ERR_INTERNAL_ERROR; |
| 645 | } |
| 646 | ssh->kex->done = 0; |
| 647 | return kex_send_kexinit(ssh); |
| 648 | } |
| 649 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 650 | static int |
| 651 | choose_enc(struct sshenc *enc, char *client, char *server) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 652 | { |
| 653 | char *name = match_list(client, server, NULL); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 654 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 655 | if (name == NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 656 | return SSH_ERR_NO_CIPHER_ALG_MATCH; |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 657 | if ((enc->cipher = cipher_by_name(name)) == NULL) { |
| 658 | free(name); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 659 | return SSH_ERR_INTERNAL_ERROR; |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 660 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 661 | enc->name = name; |
| 662 | enc->enabled = 0; |
| 663 | enc->iv = NULL; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 664 | enc->iv_len = cipher_ivlen(enc->cipher); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 665 | enc->key = NULL; |
| 666 | enc->key_len = cipher_keylen(enc->cipher); |
| 667 | enc->block_size = cipher_blocksize(enc->cipher); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 668 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 669 | } |
| 670 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 671 | static int |
| 672 | choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 673 | { |
| 674 | char *name = match_list(client, server, NULL); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 675 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 676 | if (name == NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 677 | return SSH_ERR_NO_MAC_ALG_MATCH; |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 678 | if (mac_setup(mac, name) < 0) { |
| 679 | free(name); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 680 | return SSH_ERR_INTERNAL_ERROR; |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 681 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 682 | /* truncate the key */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 683 | if (ssh->compat & SSH_BUG_HMAC) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 684 | mac->key_len = 16; |
| 685 | mac->name = name; |
| 686 | mac->key = NULL; |
| 687 | mac->enabled = 0; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 688 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 689 | } |
| 690 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 691 | static int |
| 692 | choose_comp(struct sshcomp *comp, char *client, char *server) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 693 | { |
| 694 | char *name = match_list(client, server, NULL); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 695 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 696 | if (name == NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 697 | return SSH_ERR_NO_COMPRESS_ALG_MATCH; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 698 | if (strcmp(name, "zlib@openssh.com") == 0) { |
| 699 | comp->type = COMP_DELAYED; |
| 700 | } else if (strcmp(name, "zlib") == 0) { |
| 701 | comp->type = COMP_ZLIB; |
| 702 | } else if (strcmp(name, "none") == 0) { |
| 703 | comp->type = COMP_NONE; |
| 704 | } else { |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 705 | free(name); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 706 | return SSH_ERR_INTERNAL_ERROR; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 707 | } |
| 708 | comp->name = name; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 709 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 710 | } |
| 711 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 712 | static int |
| 713 | choose_kex(struct kex *k, char *client, char *server) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 714 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 715 | const struct kexalg *kexalg; |
| 716 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 717 | k->name = match_list(client, server, NULL); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 718 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 719 | debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 720 | if (k->name == NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 721 | return SSH_ERR_NO_KEX_ALG_MATCH; |
| 722 | if ((kexalg = kex_alg_by_name(k->name)) == NULL) |
| 723 | return SSH_ERR_INTERNAL_ERROR; |
| 724 | k->kex_type = kexalg->type; |
| 725 | k->hash_alg = kexalg->hash_alg; |
| 726 | k->ec_nid = kexalg->ec_nid; |
| 727 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 728 | } |
| 729 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 730 | static int |
| 731 | choose_hostkeyalg(struct kex *k, char *client, char *server) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 732 | { |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 733 | k->hostkey_alg = match_list(client, server, NULL); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 734 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 735 | debug("kex: host key algorithm: %s", |
| 736 | k->hostkey_alg ? k->hostkey_alg : "(no match)"); |
| 737 | if (k->hostkey_alg == NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 738 | return SSH_ERR_NO_HOSTKEY_ALG_MATCH; |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 739 | k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 740 | if (k->hostkey_type == KEY_UNSPEC) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 741 | return SSH_ERR_INTERNAL_ERROR; |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 742 | k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 743 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 744 | } |
| 745 | |
| 746 | static int |
| 747 | proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) |
| 748 | { |
| 749 | static int check[] = { |
| 750 | PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 |
| 751 | }; |
| 752 | int *idx; |
| 753 | char *p; |
| 754 | |
| 755 | for (idx = &check[0]; *idx != -1; idx++) { |
| 756 | if ((p = strchr(my[*idx], ',')) != NULL) |
| 757 | *p = '\0'; |
| 758 | if ((p = strchr(peer[*idx], ',')) != NULL) |
| 759 | *p = '\0'; |
| 760 | if (strcmp(my[*idx], peer[*idx]) != 0) { |
| 761 | debug2("proposal mismatch: my %s peer %s", |
| 762 | my[*idx], peer[*idx]); |
| 763 | return (0); |
| 764 | } |
| 765 | } |
| 766 | debug2("proposals match"); |
| 767 | return (1); |
| 768 | } |
| 769 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 770 | static int |
| 771 | kex_choose_conf(struct ssh *ssh) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 772 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 773 | struct kex *kex = ssh->kex; |
| 774 | struct newkeys *newkeys; |
| 775 | char **my = NULL, **peer = NULL; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 776 | char **cprop, **sprop; |
| 777 | int nenc, nmac, ncomp; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 778 | u_int mode, ctos, need, dh_need, authlen; |
| 779 | int r, first_kex_follows; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 780 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 781 | debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); |
| 782 | if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) |
| 783 | goto out; |
| 784 | debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); |
| 785 | if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 786 | goto out; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 787 | |
| 788 | if (kex->server) { |
| 789 | cprop=peer; |
| 790 | sprop=my; |
| 791 | } else { |
| 792 | cprop=my; |
| 793 | sprop=peer; |
| 794 | } |
| 795 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 796 | /* Check whether client supports ext_info_c */ |
| 797 | if (kex->server) { |
| 798 | char *ext; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 799 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 800 | ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); |
| 801 | kex->ext_info_c = (ext != NULL); |
| 802 | free(ext); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 803 | } |
| 804 | |
| 805 | /* Algorithm Negotiation */ |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 806 | if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], |
| 807 | sprop[PROPOSAL_KEX_ALGS])) != 0) { |
| 808 | kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; |
| 809 | peer[PROPOSAL_KEX_ALGS] = NULL; |
| 810 | goto out; |
| 811 | } |
| 812 | if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], |
| 813 | sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { |
| 814 | kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; |
| 815 | peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; |
| 816 | goto out; |
| 817 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 818 | for (mode = 0; mode < MODE_MAX; mode++) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 819 | if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { |
| 820 | r = SSH_ERR_ALLOC_FAIL; |
| 821 | goto out; |
| 822 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 823 | kex->newkeys[mode] = newkeys; |
| 824 | ctos = (!kex->server && mode == MODE_OUT) || |
| 825 | (kex->server && mode == MODE_IN); |
| 826 | nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; |
| 827 | nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; |
| 828 | ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 829 | if ((r = choose_enc(&newkeys->enc, cprop[nenc], |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 830 | sprop[nenc])) != 0) { |
| 831 | kex->failed_choice = peer[nenc]; |
| 832 | peer[nenc] = NULL; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 833 | goto out; |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 834 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 835 | authlen = cipher_authlen(newkeys->enc.cipher); |
| 836 | /* ignore mac for authenticated encryption */ |
| 837 | if (authlen == 0 && |
| 838 | (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 839 | sprop[nmac])) != 0) { |
| 840 | kex->failed_choice = peer[nmac]; |
| 841 | peer[nmac] = NULL; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 842 | goto out; |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 843 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 844 | if ((r = choose_comp(&newkeys->comp, cprop[ncomp], |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 845 | sprop[ncomp])) != 0) { |
| 846 | kex->failed_choice = peer[ncomp]; |
| 847 | peer[ncomp] = NULL; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 848 | goto out; |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 849 | } |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 850 | debug("kex: %s cipher: %s MAC: %s compression: %s", |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 851 | ctos ? "client->server" : "server->client", |
| 852 | newkeys->enc.name, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 853 | authlen == 0 ? newkeys->mac.name : "<implicit>", |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 854 | newkeys->comp.name); |
| 855 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 856 | need = dh_need = 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 857 | for (mode = 0; mode < MODE_MAX; mode++) { |
| 858 | newkeys = kex->newkeys[mode]; |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 859 | need = MAXIMUM(need, newkeys->enc.key_len); |
| 860 | need = MAXIMUM(need, newkeys->enc.block_size); |
| 861 | need = MAXIMUM(need, newkeys->enc.iv_len); |
| 862 | need = MAXIMUM(need, newkeys->mac.key_len); |
| 863 | dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher)); |
| 864 | dh_need = MAXIMUM(dh_need, newkeys->enc.block_size); |
| 865 | dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len); |
| 866 | dh_need = MAXIMUM(dh_need, newkeys->mac.key_len); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 867 | } |
| 868 | /* XXX need runden? */ |
| 869 | kex->we_need = need; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 870 | kex->dh_need = dh_need; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 871 | |
| 872 | /* ignore the next message if the proposals do not match */ |
| 873 | if (first_kex_follows && !proposals_match(my, peer) && |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 874 | !(ssh->compat & SSH_BUG_FIRSTKEX)) |
| 875 | ssh->dispatch_skip_packets = 1; |
| 876 | r = 0; |
| 877 | out: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 878 | kex_prop_free(my); |
| 879 | kex_prop_free(peer); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 880 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 881 | } |
| 882 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 883 | static int |
| 884 | derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, |
| 885 | const struct sshbuf *shared_secret, u_char **keyp) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 886 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 887 | struct kex *kex = ssh->kex; |
| 888 | struct ssh_digest_ctx *hashctx = NULL; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 889 | char c = id; |
| 890 | u_int have; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 891 | size_t mdsz; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 892 | u_char *digest; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 893 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 894 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 895 | if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) |
| 896 | return SSH_ERR_INVALID_ARGUMENT; |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 897 | if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 898 | r = SSH_ERR_ALLOC_FAIL; |
| 899 | goto out; |
| 900 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 901 | |
| 902 | /* K1 = HASH(K || H || "A" || session_id) */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 903 | if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || |
| 904 | ssh_digest_update_buffer(hashctx, shared_secret) != 0 || |
| 905 | ssh_digest_update(hashctx, hash, hashlen) != 0 || |
| 906 | ssh_digest_update(hashctx, &c, 1) != 0 || |
| 907 | ssh_digest_update(hashctx, kex->session_id, |
| 908 | kex->session_id_len) != 0 || |
| 909 | ssh_digest_final(hashctx, digest, mdsz) != 0) { |
| 910 | r = SSH_ERR_LIBCRYPTO_ERROR; |
| 911 | goto out; |
| 912 | } |
| 913 | ssh_digest_free(hashctx); |
| 914 | hashctx = NULL; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 915 | |
| 916 | /* |
| 917 | * expand key: |
| 918 | * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) |
| 919 | * Key = K1 || K2 || ... || Kn |
| 920 | */ |
| 921 | for (have = mdsz; need > have; have += mdsz) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 922 | if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || |
| 923 | ssh_digest_update_buffer(hashctx, shared_secret) != 0 || |
| 924 | ssh_digest_update(hashctx, hash, hashlen) != 0 || |
| 925 | ssh_digest_update(hashctx, digest, have) != 0 || |
| 926 | ssh_digest_final(hashctx, digest + have, mdsz) != 0) { |
| 927 | r = SSH_ERR_LIBCRYPTO_ERROR; |
| 928 | goto out; |
| 929 | } |
| 930 | ssh_digest_free(hashctx); |
| 931 | hashctx = NULL; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 932 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 933 | #ifdef DEBUG_KEX |
| 934 | fprintf(stderr, "key '%c'== ", c); |
| 935 | dump_digest("key", digest, need); |
| 936 | #endif |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 937 | *keyp = digest; |
| 938 | digest = NULL; |
| 939 | r = 0; |
| 940 | out: |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 941 | free(digest); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 942 | ssh_digest_free(hashctx); |
| 943 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 944 | } |
| 945 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 946 | #define NKEYS 6 |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 947 | int |
| 948 | kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen, |
| 949 | const struct sshbuf *shared_secret) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 950 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 951 | struct kex *kex = ssh->kex; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 952 | u_char *keys[NKEYS]; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 953 | u_int i, j, mode, ctos; |
| 954 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 955 | |
| 956 | for (i = 0; i < NKEYS; i++) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 957 | if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, |
| 958 | shared_secret, &keys[i])) != 0) { |
| 959 | for (j = 0; j < i; j++) |
| 960 | free(keys[j]); |
| 961 | return r; |
| 962 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 963 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 964 | for (mode = 0; mode < MODE_MAX; mode++) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 965 | ctos = (!kex->server && mode == MODE_OUT) || |
| 966 | (kex->server && mode == MODE_IN); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 967 | kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1]; |
| 968 | kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3]; |
| 969 | kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5]; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 970 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 971 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 972 | } |
| 973 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 974 | #ifdef WITH_OPENSSL |
| 975 | int |
| 976 | kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen, |
| 977 | const BIGNUM *secret) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 978 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 979 | struct sshbuf *shared_secret; |
| 980 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 981 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 982 | if ((shared_secret = sshbuf_new()) == NULL) |
| 983 | return SSH_ERR_ALLOC_FAIL; |
| 984 | if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0) |
| 985 | r = kex_derive_keys(ssh, hash, hashlen, shared_secret); |
| 986 | sshbuf_free(shared_secret); |
| 987 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 988 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 989 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 990 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 991 | #ifdef WITH_SSH1 |
| 992 | int |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 993 | derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, |
| 994 | u_int8_t cookie[8], u_int8_t id[16]) |
| 995 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 996 | u_int8_t hbuf[2048], sbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH]; |
| 997 | struct ssh_digest_ctx *hashctx = NULL; |
| 998 | size_t hlen, slen; |
| 999 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1000 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1001 | hlen = BN_num_bytes(host_modulus); |
| 1002 | slen = BN_num_bytes(server_modulus); |
| 1003 | if (hlen < (512 / 8) || (u_int)hlen > sizeof(hbuf) || |
| 1004 | slen < (512 / 8) || (u_int)slen > sizeof(sbuf)) |
| 1005 | return SSH_ERR_KEY_BITS_MISMATCH; |
| 1006 | if (BN_bn2bin(host_modulus, hbuf) <= 0 || |
| 1007 | BN_bn2bin(server_modulus, sbuf) <= 0) { |
| 1008 | r = SSH_ERR_LIBCRYPTO_ERROR; |
| 1009 | goto out; |
| 1010 | } |
| 1011 | if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) { |
| 1012 | r = SSH_ERR_ALLOC_FAIL; |
| 1013 | goto out; |
| 1014 | } |
| 1015 | if (ssh_digest_update(hashctx, hbuf, hlen) != 0 || |
| 1016 | ssh_digest_update(hashctx, sbuf, slen) != 0 || |
| 1017 | ssh_digest_update(hashctx, cookie, 8) != 0 || |
| 1018 | ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) { |
| 1019 | r = SSH_ERR_LIBCRYPTO_ERROR; |
| 1020 | goto out; |
| 1021 | } |
| 1022 | memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5)); |
| 1023 | r = 0; |
| 1024 | out: |
| 1025 | ssh_digest_free(hashctx); |
| 1026 | explicit_bzero(hbuf, sizeof(hbuf)); |
| 1027 | explicit_bzero(sbuf, sizeof(sbuf)); |
| 1028 | explicit_bzero(obuf, sizeof(obuf)); |
| 1029 | return r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1030 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1031 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1032 | |
| 1033 | #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) |
| 1034 | void |
| 1035 | dump_digest(char *msg, u_char *digest, int len) |
| 1036 | { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1037 | fprintf(stderr, "%s\n", msg); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1038 | sshbuf_dump_data(digest, len, stderr); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1039 | } |
| 1040 | #endif |