kex.c revision 197679
1/* $OpenBSD: kex.c,v 1.81 2009/05/27 06:34:36 andreas Exp $ */ 2/* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include "includes.h" 27 28#include <sys/param.h> 29 30#include <signal.h> 31#include <stdarg.h> 32#include <stdio.h> 33#include <stdlib.h> 34#include <string.h> 35 36#include <openssl/crypto.h> 37 38#include "xmalloc.h" 39#include "ssh2.h" 40#include "buffer.h" 41#include "packet.h" 42#include "compat.h" 43#include "cipher.h" 44#include "key.h" 45#include "kex.h" 46#include "log.h" 47#include "mac.h" 48#include "match.h" 49#include "dispatch.h" 50#include "monitor.h" 51 52#if OPENSSL_VERSION_NUMBER >= 0x00907000L 53# if defined(HAVE_EVP_SHA256) 54# define evp_ssh_sha256 EVP_sha256 55# else 56extern const EVP_MD *evp_ssh_sha256(void); 57# endif 58#endif 59 60/* prototype */ 61static void kex_kexinit_finish(Kex *); 62static void kex_choose_conf(Kex *); 63 64/* put algorithm proposal into buffer */ 65static void 66kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) 67{ 68 u_int i; 69 70 buffer_clear(b); 71 /* 72 * add a dummy cookie, the cookie will be overwritten by 73 * kex_send_kexinit(), each time a kexinit is set 74 */ 75 for (i = 0; i < KEX_COOKIE_LEN; i++) 76 buffer_put_char(b, 0); 77 for (i = 0; i < PROPOSAL_MAX; i++) 78 buffer_put_cstring(b, proposal[i]); 79 buffer_put_char(b, 0); /* first_kex_packet_follows */ 80 buffer_put_int(b, 0); /* uint32 reserved */ 81} 82 83/* parse buffer and return algorithm proposal */ 84static char ** 85kex_buf2prop(Buffer *raw, int *first_kex_follows) 86{ 87 Buffer b; 88 u_int i; 89 char **proposal; 90 91 proposal = xcalloc(PROPOSAL_MAX, sizeof(char *)); 92 93 buffer_init(&b); 94 buffer_append(&b, buffer_ptr(raw), buffer_len(raw)); 95 /* skip cookie */ 96 for (i = 0; i < KEX_COOKIE_LEN; i++) 97 buffer_get_char(&b); 98 /* extract kex init proposal strings */ 99 for (i = 0; i < PROPOSAL_MAX; i++) { 100 proposal[i] = buffer_get_string(&b,NULL); 101 debug2("kex_parse_kexinit: %s", proposal[i]); 102 } 103 /* first kex follows / reserved */ 104 i = buffer_get_char(&b); 105 if (first_kex_follows != NULL) 106 *first_kex_follows = i; 107 debug2("kex_parse_kexinit: first_kex_follows %d ", i); 108 i = buffer_get_int(&b); 109 debug2("kex_parse_kexinit: reserved %u ", i); 110 buffer_free(&b); 111 return proposal; 112} 113 114static void 115kex_prop_free(char **proposal) 116{ 117 u_int i; 118 119 for (i = 0; i < PROPOSAL_MAX; i++) 120 xfree(proposal[i]); 121 xfree(proposal); 122} 123 124/* ARGSUSED */ 125static void 126kex_protocol_error(int type, u_int32_t seq, void *ctxt) 127{ 128 error("Hm, kex protocol error: type %d seq %u", type, seq); 129} 130 131static void 132kex_reset_dispatch(void) 133{ 134 dispatch_range(SSH2_MSG_TRANSPORT_MIN, 135 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); 136 dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); 137} 138 139void 140kex_finish(Kex *kex) 141{ 142 kex_reset_dispatch(); 143 144 packet_start(SSH2_MSG_NEWKEYS); 145 packet_send(); 146 /* packet_write_wait(); */ 147 debug("SSH2_MSG_NEWKEYS sent"); 148 149 debug("expecting SSH2_MSG_NEWKEYS"); 150 packet_read_expect(SSH2_MSG_NEWKEYS); 151 packet_check_eom(); 152 debug("SSH2_MSG_NEWKEYS received"); 153 154 kex->done = 1; 155 buffer_clear(&kex->peer); 156 /* buffer_clear(&kex->my); */ 157 kex->flags &= ~KEX_INIT_SENT; 158 xfree(kex->name); 159 kex->name = NULL; 160} 161 162void 163kex_send_kexinit(Kex *kex) 164{ 165 u_int32_t rnd = 0; 166 u_char *cookie; 167 u_int i; 168 169 if (kex == NULL) { 170 error("kex_send_kexinit: no kex, cannot rekey"); 171 return; 172 } 173 if (kex->flags & KEX_INIT_SENT) { 174 debug("KEX_INIT_SENT"); 175 return; 176 } 177 kex->done = 0; 178 179 /* generate a random cookie */ 180 if (buffer_len(&kex->my) < KEX_COOKIE_LEN) 181 fatal("kex_send_kexinit: kex proposal too short"); 182 cookie = buffer_ptr(&kex->my); 183 for (i = 0; i < KEX_COOKIE_LEN; i++) { 184 if (i % 4 == 0) 185 rnd = arc4random(); 186 cookie[i] = rnd; 187 rnd >>= 8; 188 } 189 packet_start(SSH2_MSG_KEXINIT); 190 packet_put_raw(buffer_ptr(&kex->my), buffer_len(&kex->my)); 191 packet_send(); 192 debug("SSH2_MSG_KEXINIT sent"); 193 kex->flags |= KEX_INIT_SENT; 194} 195 196/* ARGSUSED */ 197void 198kex_input_kexinit(int type, u_int32_t seq, void *ctxt) 199{ 200 char *ptr; 201 u_int i, dlen; 202 Kex *kex = (Kex *)ctxt; 203 204 debug("SSH2_MSG_KEXINIT received"); 205 if (kex == NULL) 206 fatal("kex_input_kexinit: no kex, cannot rekey"); 207 208 ptr = packet_get_raw(&dlen); 209 buffer_append(&kex->peer, ptr, dlen); 210 211 /* discard packet */ 212 for (i = 0; i < KEX_COOKIE_LEN; i++) 213 packet_get_char(); 214 for (i = 0; i < PROPOSAL_MAX; i++) 215 xfree(packet_get_string(NULL)); 216 (void) packet_get_char(); 217 (void) packet_get_int(); 218 packet_check_eom(); 219 220 kex_kexinit_finish(kex); 221} 222 223Kex * 224kex_setup(char *proposal[PROPOSAL_MAX]) 225{ 226 Kex *kex; 227 228 kex = xcalloc(1, sizeof(*kex)); 229 buffer_init(&kex->peer); 230 buffer_init(&kex->my); 231 kex_prop2buf(&kex->my, proposal); 232 kex->done = 0; 233 234 kex_send_kexinit(kex); /* we start */ 235 kex_reset_dispatch(); 236 237 return kex; 238} 239 240static void 241kex_kexinit_finish(Kex *kex) 242{ 243 if (!(kex->flags & KEX_INIT_SENT)) 244 kex_send_kexinit(kex); 245 246 kex_choose_conf(kex); 247 248 if (kex->kex_type >= 0 && kex->kex_type < KEX_MAX && 249 kex->kex[kex->kex_type] != NULL) { 250 (kex->kex[kex->kex_type])(kex); 251 } else { 252 fatal("Unsupported key exchange %d", kex->kex_type); 253 } 254} 255 256static void 257choose_enc(Enc *enc, char *client, char *server) 258{ 259 char *name = match_list(client, server, NULL); 260 if (name == NULL) 261 fatal("no matching cipher found: client %s server %s", 262 client, server); 263 if ((enc->cipher = cipher_by_name(name)) == NULL) 264 fatal("matching cipher is not supported: %s", name); 265 enc->name = name; 266 enc->enabled = 0; 267 enc->iv = NULL; 268 enc->key = NULL; 269 enc->key_len = cipher_keylen(enc->cipher); 270 enc->block_size = cipher_blocksize(enc->cipher); 271} 272 273static void 274choose_mac(Mac *mac, char *client, char *server) 275{ 276 char *name = match_list(client, server, NULL); 277 if (name == NULL) 278 fatal("no matching mac found: client %s server %s", 279 client, server); 280 if (mac_setup(mac, name) < 0) 281 fatal("unsupported mac %s", name); 282 /* truncate the key */ 283 if (datafellows & SSH_BUG_HMAC) 284 mac->key_len = 16; 285 mac->name = name; 286 mac->key = NULL; 287 mac->enabled = 0; 288} 289 290static void 291choose_comp(Comp *comp, char *client, char *server) 292{ 293 char *name = match_list(client, server, NULL); 294 if (name == NULL) 295 fatal("no matching comp found: client %s server %s", client, server); 296 if (strcmp(name, "zlib@openssh.com") == 0) { 297 comp->type = COMP_DELAYED; 298 } else if (strcmp(name, "zlib") == 0) { 299 comp->type = COMP_ZLIB; 300 } else if (strcmp(name, "none") == 0) { 301 comp->type = COMP_NONE; 302 } else { 303 fatal("unsupported comp %s", name); 304 } 305 comp->name = name; 306} 307 308static void 309choose_kex(Kex *k, char *client, char *server) 310{ 311 k->name = match_list(client, server, NULL); 312 if (k->name == NULL) 313 fatal("Unable to negotiate a key exchange method"); 314 if (strcmp(k->name, KEX_DH1) == 0) { 315 k->kex_type = KEX_DH_GRP1_SHA1; 316 k->evp_md = EVP_sha1(); 317 } else if (strcmp(k->name, KEX_DH14) == 0) { 318 k->kex_type = KEX_DH_GRP14_SHA1; 319 k->evp_md = EVP_sha1(); 320 } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) { 321 k->kex_type = KEX_DH_GEX_SHA1; 322 k->evp_md = EVP_sha1(); 323#if OPENSSL_VERSION_NUMBER >= 0x00907000L 324 } else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) { 325 k->kex_type = KEX_DH_GEX_SHA256; 326 k->evp_md = evp_ssh_sha256(); 327#endif 328 } else 329 fatal("bad kex alg %s", k->name); 330} 331 332static void 333choose_hostkeyalg(Kex *k, char *client, char *server) 334{ 335 char *hostkeyalg = match_list(client, server, NULL); 336 if (hostkeyalg == NULL) 337 fatal("no hostkey alg"); 338 k->hostkey_type = key_type_from_name(hostkeyalg); 339 if (k->hostkey_type == KEY_UNSPEC) 340 fatal("bad hostkey alg '%s'", hostkeyalg); 341 xfree(hostkeyalg); 342} 343 344static int 345proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) 346{ 347 static int check[] = { 348 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 349 }; 350 int *idx; 351 char *p; 352 353 for (idx = &check[0]; *idx != -1; idx++) { 354 if ((p = strchr(my[*idx], ',')) != NULL) 355 *p = '\0'; 356 if ((p = strchr(peer[*idx], ',')) != NULL) 357 *p = '\0'; 358 if (strcmp(my[*idx], peer[*idx]) != 0) { 359 debug2("proposal mismatch: my %s peer %s", 360 my[*idx], peer[*idx]); 361 return (0); 362 } 363 } 364 debug2("proposals match"); 365 return (1); 366} 367 368static void 369kex_choose_conf(Kex *kex) 370{ 371 Newkeys *newkeys; 372 char **my, **peer; 373 char **cprop, **sprop; 374 int nenc, nmac, ncomp; 375 u_int mode, ctos, need; 376 int first_kex_follows, type; 377 378 my = kex_buf2prop(&kex->my, NULL); 379 peer = kex_buf2prop(&kex->peer, &first_kex_follows); 380 381 if (kex->server) { 382 cprop=peer; 383 sprop=my; 384 } else { 385 cprop=my; 386 sprop=peer; 387 } 388 389 /* Algorithm Negotiation */ 390 for (mode = 0; mode < MODE_MAX; mode++) { 391 newkeys = xcalloc(1, sizeof(*newkeys)); 392 kex->newkeys[mode] = newkeys; 393 ctos = (!kex->server && mode == MODE_OUT) || 394 (kex->server && mode == MODE_IN); 395 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 396 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 397 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 398 choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]); 399 choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]); 400 choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); 401 debug("kex: %s %s %s %s", 402 ctos ? "client->server" : "server->client", 403 newkeys->enc.name, 404 newkeys->mac.name, 405 newkeys->comp.name); 406 } 407 choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); 408 choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], 409 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); 410 need = 0; 411 for (mode = 0; mode < MODE_MAX; mode++) { 412 newkeys = kex->newkeys[mode]; 413 if (need < newkeys->enc.key_len) 414 need = newkeys->enc.key_len; 415 if (need < newkeys->enc.block_size) 416 need = newkeys->enc.block_size; 417 if (need < newkeys->mac.key_len) 418 need = newkeys->mac.key_len; 419 } 420 /* XXX need runden? */ 421 kex->we_need = need; 422 423 /* ignore the next message if the proposals do not match */ 424 if (first_kex_follows && !proposals_match(my, peer) && 425 !(datafellows & SSH_BUG_FIRSTKEX)) { 426 type = packet_read(); 427 debug2("skipping next packet (type %u)", type); 428 } 429 430 kex_prop_free(my); 431 kex_prop_free(peer); 432} 433 434static u_char * 435derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen, 436 BIGNUM *shared_secret) 437{ 438 Buffer b; 439 EVP_MD_CTX md; 440 char c = id; 441 u_int have; 442 int mdsz; 443 u_char *digest; 444 445 if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0) 446 fatal("bad kex md size %d", mdsz); 447 digest = xmalloc(roundup(need, mdsz)); 448 449 buffer_init(&b); 450 buffer_put_bignum2(&b, shared_secret); 451 452 /* K1 = HASH(K || H || "A" || session_id) */ 453 EVP_DigestInit(&md, kex->evp_md); 454 if (!(datafellows & SSH_BUG_DERIVEKEY)) 455 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); 456 EVP_DigestUpdate(&md, hash, hashlen); 457 EVP_DigestUpdate(&md, &c, 1); 458 EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len); 459 EVP_DigestFinal(&md, digest, NULL); 460 461 /* 462 * expand key: 463 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) 464 * Key = K1 || K2 || ... || Kn 465 */ 466 for (have = mdsz; need > have; have += mdsz) { 467 EVP_DigestInit(&md, kex->evp_md); 468 if (!(datafellows & SSH_BUG_DERIVEKEY)) 469 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); 470 EVP_DigestUpdate(&md, hash, hashlen); 471 EVP_DigestUpdate(&md, digest, have); 472 EVP_DigestFinal(&md, digest + have, NULL); 473 } 474 buffer_free(&b); 475#ifdef DEBUG_KEX 476 fprintf(stderr, "key '%c'== ", c); 477 dump_digest("key", digest, need); 478#endif 479 return digest; 480} 481 482Newkeys *current_keys[MODE_MAX]; 483 484#define NKEYS 6 485void 486kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret) 487{ 488 u_char *keys[NKEYS]; 489 u_int i, mode, ctos; 490 491 for (i = 0; i < NKEYS; i++) { 492 keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen, 493 shared_secret); 494 } 495 496 debug2("kex_derive_keys"); 497 for (mode = 0; mode < MODE_MAX; mode++) { 498 current_keys[mode] = kex->newkeys[mode]; 499 kex->newkeys[mode] = NULL; 500 ctos = (!kex->server && mode == MODE_OUT) || 501 (kex->server && mode == MODE_IN); 502 current_keys[mode]->enc.iv = keys[ctos ? 0 : 1]; 503 current_keys[mode]->enc.key = keys[ctos ? 2 : 3]; 504 current_keys[mode]->mac.key = keys[ctos ? 4 : 5]; 505 } 506} 507 508Newkeys * 509kex_get_newkeys(int mode) 510{ 511 Newkeys *ret; 512 513 ret = current_keys[mode]; 514 current_keys[mode] = NULL; 515 return ret; 516} 517 518void 519derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, 520 u_int8_t cookie[8], u_int8_t id[16]) 521{ 522 const EVP_MD *evp_md = EVP_md5(); 523 EVP_MD_CTX md; 524 u_int8_t nbuf[2048], obuf[EVP_MAX_MD_SIZE]; 525 int len; 526 527 EVP_DigestInit(&md, evp_md); 528 529 len = BN_num_bytes(host_modulus); 530 if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) 531 fatal("%s: bad host modulus (len %d)", __func__, len); 532 BN_bn2bin(host_modulus, nbuf); 533 EVP_DigestUpdate(&md, nbuf, len); 534 535 len = BN_num_bytes(server_modulus); 536 if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) 537 fatal("%s: bad server modulus (len %d)", __func__, len); 538 BN_bn2bin(server_modulus, nbuf); 539 EVP_DigestUpdate(&md, nbuf, len); 540 541 EVP_DigestUpdate(&md, cookie, 8); 542 543 EVP_DigestFinal(&md, obuf, NULL); 544 memcpy(id, obuf, 16); 545 546 memset(nbuf, 0, sizeof(nbuf)); 547 memset(obuf, 0, sizeof(obuf)); 548 memset(&md, 0, sizeof(md)); 549} 550 551#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) 552void 553dump_digest(char *msg, u_char *digest, int len) 554{ 555 u_int i; 556 557 fprintf(stderr, "%s\n", msg); 558 for (i = 0; i < len; i++) { 559 fprintf(stderr, "%02x", digest[i]); 560 if (i%32 == 31) 561 fprintf(stderr, "\n"); 562 else if (i%8 == 7) 563 fprintf(stderr, " "); 564 } 565 fprintf(stderr, "\n"); 566} 567#endif 568