- djm@cvs.openbsd.org 2010/12/04 00:18:01
[openssh-git.git] / kexgexc.c
blob79552d70983a965f7ad5dbc393ceccd21abe0988
1 /* $OpenBSD: kexgexc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */
2 /*
3 * Copyright (c) 2000 Niels Provos. All rights reserved.
4 * Copyright (c) 2001 Markus Friedl. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 #include "includes.h"
29 #include <sys/types.h>
31 #include <openssl/dh.h>
33 #include <stdarg.h>
34 #include <stdio.h>
35 #include <string.h>
36 #include <signal.h>
38 #include "xmalloc.h"
39 #include "buffer.h"
40 #include "key.h"
41 #include "cipher.h"
42 #include "kex.h"
43 #include "log.h"
44 #include "packet.h"
45 #include "dh.h"
46 #include "ssh2.h"
47 #include "compat.h"
49 void
50 kexgex_client(Kex *kex)
52 BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
53 BIGNUM *p = NULL, *g = NULL;
54 Key *server_host_key;
55 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
56 u_int klen, slen, sbloblen, hashlen;
57 int kout;
58 int min, max, nbits;
59 DH *dh;
61 nbits = dh_estimate(kex->we_need * 8);
63 if (datafellows & SSH_OLD_DHGEX) {
64 /* Old GEX request */
65 packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
66 packet_put_int(nbits);
67 min = DH_GRP_MIN;
68 max = DH_GRP_MAX;
70 debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
71 } else {
72 /* New GEX request */
73 min = DH_GRP_MIN;
74 max = DH_GRP_MAX;
75 packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
76 packet_put_int(min);
77 packet_put_int(nbits);
78 packet_put_int(max);
80 debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent",
81 min, nbits, max);
83 #ifdef DEBUG_KEXDH
84 fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n",
85 min, nbits, max);
86 #endif
87 packet_send();
89 debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP");
90 packet_read_expect(SSH2_MSG_KEX_DH_GEX_GROUP);
92 if ((p = BN_new()) == NULL)
93 fatal("BN_new");
94 packet_get_bignum2(p);
95 if ((g = BN_new()) == NULL)
96 fatal("BN_new");
97 packet_get_bignum2(g);
98 packet_check_eom();
100 if (BN_num_bits(p) < min || BN_num_bits(p) > max)
101 fatal("DH_GEX group out of range: %d !< %d !< %d",
102 min, BN_num_bits(p), max);
104 dh = dh_new_group(g, p);
105 dh_gen_key(dh, kex->we_need * 8);
107 #ifdef DEBUG_KEXDH
108 DHparams_print_fp(stderr, dh);
109 fprintf(stderr, "pub= ");
110 BN_print_fp(stderr, dh->pub_key);
111 fprintf(stderr, "\n");
112 #endif
114 debug("SSH2_MSG_KEX_DH_GEX_INIT sent");
115 /* generate and send 'e', client DH public key */
116 packet_start(SSH2_MSG_KEX_DH_GEX_INIT);
117 packet_put_bignum2(dh->pub_key);
118 packet_send();
120 debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY");
121 packet_read_expect(SSH2_MSG_KEX_DH_GEX_REPLY);
123 /* key, cert */
124 server_host_key_blob = packet_get_string(&sbloblen);
125 server_host_key = key_from_blob(server_host_key_blob, sbloblen);
126 if (server_host_key == NULL)
127 fatal("cannot decode server_host_key_blob");
128 if (server_host_key->type != kex->hostkey_type)
129 fatal("type mismatch for decoded server_host_key_blob");
130 if (kex->verify_host_key == NULL)
131 fatal("cannot verify server_host_key");
132 if (kex->verify_host_key(server_host_key) == -1)
133 fatal("server_host_key verification failed");
135 /* DH parameter f, server public DH key */
136 if ((dh_server_pub = BN_new()) == NULL)
137 fatal("dh_server_pub == NULL");
138 packet_get_bignum2(dh_server_pub);
140 #ifdef DEBUG_KEXDH
141 fprintf(stderr, "dh_server_pub= ");
142 BN_print_fp(stderr, dh_server_pub);
143 fprintf(stderr, "\n");
144 debug("bits %d", BN_num_bits(dh_server_pub));
145 #endif
147 /* signed H */
148 signature = packet_get_string(&slen);
149 packet_check_eom();
151 if (!dh_pub_is_valid(dh, dh_server_pub))
152 packet_disconnect("bad server public DH value");
154 klen = DH_size(dh);
155 kbuf = xmalloc(klen);
156 if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0)
157 fatal("DH_compute_key: failed");
158 #ifdef DEBUG_KEXDH
159 dump_digest("shared secret", kbuf, kout);
160 #endif
161 if ((shared_secret = BN_new()) == NULL)
162 fatal("kexgex_client: BN_new failed");
163 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
164 fatal("kexgex_client: BN_bin2bn failed");
165 memset(kbuf, 0, klen);
166 xfree(kbuf);
168 if (datafellows & SSH_OLD_DHGEX)
169 min = max = -1;
171 /* calc and verify H */
172 kexgex_hash(
173 kex->evp_md,
174 kex->client_version_string,
175 kex->server_version_string,
176 buffer_ptr(&kex->my), buffer_len(&kex->my),
177 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
178 server_host_key_blob, sbloblen,
179 min, nbits, max,
180 dh->p, dh->g,
181 dh->pub_key,
182 dh_server_pub,
183 shared_secret,
184 &hash, &hashlen
187 /* have keys, free DH */
188 DH_free(dh);
189 xfree(server_host_key_blob);
190 BN_clear_free(dh_server_pub);
192 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
193 fatal("key_verify failed for server_host_key");
194 key_free(server_host_key);
195 xfree(signature);
197 /* save session id */
198 if (kex->session_id == NULL) {
199 kex->session_id_len = hashlen;
200 kex->session_id = xmalloc(kex->session_id_len);
201 memcpy(kex->session_id, hash, kex->session_id_len);
203 kex_derive_keys(kex, hash, hashlen, shared_secret);
204 BN_clear_free(shared_secret);
206 kex_finish(kex);