1/* $OpenBSD: kexgexc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ 2/* 3 * Copyright (c) 2000 Niels Provos. All rights reserved. 4 * Copyright (c) 2001 Markus Friedl. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27#include "includes.h" 28 29#include <sys/types.h> 30 31#ifdef __APPLE_CRYPTO__ 32#include "ossl-dh.h" 33#else 34#include <openssl/dh.h> 35#endif 36 37#include <stdarg.h> 38#include <stdio.h> 39#include <string.h> 40#include <signal.h> 41 42#include "xmalloc.h" 43#include "buffer.h" 44#include "key.h" 45#include "cipher.h" 46#include "kex.h" 47#include "log.h" 48#include "packet.h" 49#include "dh.h" 50#include "ssh2.h" 51#include "compat.h" 52 53void 54kexgex_client(Kex *kex) 55{ 56 BIGNUM *dh_server_pub = NULL, *shared_secret = NULL; 57 BIGNUM *p = NULL, *g = NULL; 58 Key *server_host_key; 59 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; 60 u_int klen, slen, sbloblen, hashlen; 61 int kout; 62 int min, max, nbits; 63 DH *dh; 64 65 nbits = dh_estimate(kex->we_need * 8); 66 67 if (datafellows & SSH_OLD_DHGEX) { 68 /* Old GEX request */ 69 packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD); 70 packet_put_int(nbits); 71 min = DH_GRP_MIN; 72 max = DH_GRP_MAX; 73 74 debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits); 75 } else { 76 /* New GEX request */ 77 min = DH_GRP_MIN; 78 max = DH_GRP_MAX; 79 packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); 80 packet_put_int(min); 81 packet_put_int(nbits); 82 packet_put_int(max); 83 84 debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent", 85 min, nbits, max); 86 } 87#ifdef DEBUG_KEXDH 88 fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n", 89 min, nbits, max); 90#endif 91 packet_send(); 92 93 debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP"); 94 packet_read_expect(SSH2_MSG_KEX_DH_GEX_GROUP); 95 96 if ((p = BN_new()) == NULL) 97 fatal("BN_new"); 98 packet_get_bignum2(p); 99 if ((g = BN_new()) == NULL) 100 fatal("BN_new"); 101 packet_get_bignum2(g); 102 packet_check_eom(); 103 104 if (BN_num_bits(p) < min || BN_num_bits(p) > max) 105 fatal("DH_GEX group out of range: %d !< %d !< %d", 106 min, BN_num_bits(p), max); 107 108 dh = dh_new_group(g, p); 109 dh_gen_key(dh, kex->we_need * 8); 110 111#ifdef DEBUG_KEXDH 112 DHparams_print_fp(stderr, dh); 113 fprintf(stderr, "pub= "); 114 BN_print_fp(stderr, dh->pub_key); 115 fprintf(stderr, "\n"); 116#endif 117 118 debug("SSH2_MSG_KEX_DH_GEX_INIT sent"); 119 /* generate and send 'e', client DH public key */ 120 packet_start(SSH2_MSG_KEX_DH_GEX_INIT); 121 packet_put_bignum2(dh->pub_key); 122 packet_send(); 123 124 debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY"); 125 packet_read_expect(SSH2_MSG_KEX_DH_GEX_REPLY); 126 127 /* key, cert */ 128 server_host_key_blob = packet_get_string(&sbloblen); 129 server_host_key = key_from_blob(server_host_key_blob, sbloblen); 130 if (server_host_key == NULL) 131 fatal("cannot decode server_host_key_blob"); 132 if (server_host_key->type != kex->hostkey_type) 133 fatal("type mismatch for decoded server_host_key_blob"); 134 if (kex->verify_host_key == NULL) 135 fatal("cannot verify server_host_key"); 136 if (kex->verify_host_key(server_host_key) == -1) 137 fatal("server_host_key verification failed"); 138 139 /* DH parameter f, server public DH key */ 140 if ((dh_server_pub = BN_new()) == NULL) 141 fatal("dh_server_pub == NULL"); 142 packet_get_bignum2(dh_server_pub); 143 144#ifdef DEBUG_KEXDH 145 fprintf(stderr, "dh_server_pub= "); 146 BN_print_fp(stderr, dh_server_pub); 147 fprintf(stderr, "\n"); 148 debug("bits %d", BN_num_bits(dh_server_pub)); 149#endif 150 151 /* signed H */ 152 signature = packet_get_string(&slen); 153 packet_check_eom(); 154 155 if (!dh_pub_is_valid(dh, dh_server_pub)) 156 packet_disconnect("bad server public DH value"); 157 158 klen = DH_size(dh); 159 kbuf = xmalloc(klen); 160 if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0) 161 fatal("DH_compute_key: failed"); 162#ifdef DEBUG_KEXDH 163 dump_digest("shared secret", kbuf, kout); 164#endif 165 if ((shared_secret = BN_new()) == NULL) 166 fatal("kexgex_client: BN_new failed"); 167 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) 168 fatal("kexgex_client: BN_bin2bn failed"); 169 memset(kbuf, 0, klen); 170 xfree(kbuf); 171 172 if (datafellows & SSH_OLD_DHGEX) 173 min = max = -1; 174 175 /* calc and verify H */ 176 kexgex_hash( 177 kex->evp_md, 178 kex->client_version_string, 179 kex->server_version_string, 180 buffer_ptr(&kex->my), buffer_len(&kex->my), 181 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 182 server_host_key_blob, sbloblen, 183 min, nbits, max, 184 dh->p, dh->g, 185 dh->pub_key, 186 dh_server_pub, 187 shared_secret, 188 &hash, &hashlen 189 ); 190 191 /* have keys, free DH */ 192 DH_free(dh); 193 xfree(server_host_key_blob); 194 BN_clear_free(dh_server_pub); 195 196 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) 197 fatal("key_verify failed for server_host_key"); 198 key_free(server_host_key); 199 xfree(signature); 200 201 /* save session id */ 202 if (kex->session_id == NULL) { 203 kex->session_id_len = hashlen; 204 kex->session_id = xmalloc(kex->session_id_len); 205 memcpy(kex->session_id, hash, kex->session_id_len); 206 } 207 kex_derive_keys(kex, hash, hashlen, shared_secret); 208 BN_clear_free(shared_secret); 209 210 kex_finish(kex); 211} 212