diff options
author | markus@openbsd.org <markus@openbsd.org> | 2015-01-19 20:16:15 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-01-20 09:19:39 +1100 |
commit | 57d10cbe861a235dd269c74fb2fe248469ecee9d (patch) | |
tree | c65deed24700490bd3b20300c4829d4d5466ff6d /kexecdhc.c | |
parent | 3fdc88a0def4f86aa88a5846ac079dc964c0546a (diff) |
upstream commit
adapt kex to sshbuf and struct ssh; ok djm@
Diffstat (limited to 'kexecdhc.c')
-rw-r--r-- | kexecdhc.c | 207 |
1 files changed, 137 insertions, 70 deletions
diff --git a/kexecdhc.c b/kexecdhc.c index df811c1c8..3f362c5b1 100644 --- a/kexecdhc.c +++ b/kexecdhc.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kexecdhc.c,v 1.8 2015/01/19 19:52:16 markus Exp $ */ | 1 | /* $OpenBSD: kexecdhc.c,v 1.9 2015/01/19 20:16:15 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2010 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2010 Damien Miller. All rights reserved. |
@@ -34,126 +34,193 @@ | |||
34 | #include <string.h> | 34 | #include <string.h> |
35 | #include <signal.h> | 35 | #include <signal.h> |
36 | 36 | ||
37 | #include "xmalloc.h" | 37 | #include <openssl/ecdh.h> |
38 | #include "buffer.h" | 38 | |
39 | #include "key.h" | 39 | #include "sshkey.h" |
40 | #include "cipher.h" | 40 | #include "cipher.h" |
41 | #include "digest.h" | ||
41 | #include "kex.h" | 42 | #include "kex.h" |
42 | #include "log.h" | 43 | #include "log.h" |
43 | #include "packet.h" | 44 | #include "packet.h" |
44 | #include "dh.h" | 45 | #include "dh.h" |
45 | #include "ssh2.h" | 46 | #include "ssh2.h" |
47 | #include "dispatch.h" | ||
48 | #include "compat.h" | ||
49 | #include "ssherr.h" | ||
50 | #include "sshbuf.h" | ||
46 | 51 | ||
47 | #include <openssl/ecdh.h> | 52 | static int input_kex_ecdh_reply(int, u_int32_t, void *); |
48 | 53 | ||
49 | void | 54 | int |
50 | kexecdh_client(Kex *kex) | 55 | kexecdh_client(struct ssh *ssh) |
51 | { | 56 | { |
52 | EC_KEY *client_key; | 57 | struct kex *kex = ssh->kex; |
53 | EC_POINT *server_public; | 58 | EC_KEY *client_key = NULL; |
54 | const EC_GROUP *group; | 59 | const EC_GROUP *group; |
55 | BIGNUM *shared_secret; | 60 | const EC_POINT *public_key; |
56 | Key *server_host_key; | 61 | int r; |
57 | u_char *server_host_key_blob = NULL, *signature = NULL; | ||
58 | u_char *kbuf, *hash; | ||
59 | u_int klen, slen, sbloblen, hashlen; | ||
60 | 62 | ||
61 | if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) | 63 | if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) { |
62 | fatal("%s: EC_KEY_new_by_curve_name failed", __func__); | 64 | r = SSH_ERR_ALLOC_FAIL; |
63 | if (EC_KEY_generate_key(client_key) != 1) | 65 | goto out; |
64 | fatal("%s: EC_KEY_generate_key failed", __func__); | 66 | } |
67 | if (EC_KEY_generate_key(client_key) != 1) { | ||
68 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
69 | goto out; | ||
70 | } | ||
65 | group = EC_KEY_get0_group(client_key); | 71 | group = EC_KEY_get0_group(client_key); |
72 | public_key = EC_KEY_get0_public_key(client_key); | ||
66 | 73 | ||
67 | packet_start(SSH2_MSG_KEX_ECDH_INIT); | 74 | if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_INIT)) != 0 || |
68 | packet_put_ecpoint(group, EC_KEY_get0_public_key(client_key)); | 75 | (r = sshpkt_put_ec(ssh, public_key, group)) != 0 || |
69 | packet_send(); | 76 | (r = sshpkt_send(ssh)) != 0) |
77 | goto out; | ||
70 | debug("sending SSH2_MSG_KEX_ECDH_INIT"); | 78 | debug("sending SSH2_MSG_KEX_ECDH_INIT"); |
71 | 79 | ||
72 | #ifdef DEBUG_KEXECDH | 80 | #ifdef DEBUG_KEXECDH |
73 | fputs("client private key:\n", stderr); | 81 | fputs("client private key:\n", stderr); |
74 | key_dump_ec_key(client_key); | 82 | sshkey_dump_ec_key(client_key); |
75 | #endif | 83 | #endif |
84 | kex->ec_client_key = client_key; | ||
85 | kex->ec_group = group; | ||
86 | client_key = NULL; /* owned by the kex */ | ||
76 | 87 | ||
77 | debug("expecting SSH2_MSG_KEX_ECDH_REPLY"); | 88 | debug("expecting SSH2_MSG_KEX_ECDH_REPLY"); |
78 | packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY); | 89 | ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_ecdh_reply); |
90 | r = 0; | ||
91 | out: | ||
92 | if (client_key) | ||
93 | EC_KEY_free(client_key); | ||
94 | return r; | ||
95 | } | ||
96 | |||
97 | static int | ||
98 | input_kex_ecdh_reply(int type, u_int32_t seq, void *ctxt) | ||
99 | { | ||
100 | struct ssh *ssh = ctxt; | ||
101 | struct kex *kex = ssh->kex; | ||
102 | const EC_GROUP *group; | ||
103 | EC_POINT *server_public = NULL; | ||
104 | EC_KEY *client_key; | ||
105 | BIGNUM *shared_secret = NULL; | ||
106 | struct sshkey *server_host_key = NULL; | ||
107 | u_char *server_host_key_blob = NULL, *signature = NULL; | ||
108 | u_char *kbuf = NULL; | ||
109 | u_char hash[SSH_DIGEST_MAX_LENGTH]; | ||
110 | size_t slen, sbloblen; | ||
111 | size_t klen = 0, hashlen; | ||
112 | int r; | ||
113 | |||
114 | if (kex->verify_host_key == NULL) { | ||
115 | r = SSH_ERR_INVALID_ARGUMENT; | ||
116 | goto out; | ||
117 | } | ||
118 | group = kex->ec_group; | ||
119 | client_key = kex->ec_client_key; | ||
79 | 120 | ||
80 | /* hostkey */ | 121 | /* hostkey */ |
81 | server_host_key_blob = packet_get_string(&sbloblen); | 122 | if ((r = sshpkt_get_string(ssh, &server_host_key_blob, |
82 | server_host_key = key_from_blob(server_host_key_blob, sbloblen); | 123 | &sbloblen)) != 0 || |
83 | if (server_host_key == NULL) | 124 | (r = sshkey_from_blob(server_host_key_blob, sbloblen, |
84 | fatal("cannot decode server_host_key_blob"); | 125 | &server_host_key)) != 0) |
85 | if (server_host_key->type != kex->hostkey_type) | 126 | goto out; |
86 | fatal("type mismatch for decoded server_host_key_blob"); | 127 | if (server_host_key->type != kex->hostkey_type) { |
87 | if (kex->verify_host_key == NULL) | 128 | r = SSH_ERR_KEY_TYPE_MISMATCH; |
88 | fatal("cannot verify server_host_key"); | 129 | goto out; |
89 | if (kex->verify_host_key(server_host_key) == -1) | 130 | } |
90 | fatal("server_host_key verification failed"); | 131 | if (kex->verify_host_key(server_host_key, ssh) == -1) { |
132 | r = SSH_ERR_SIGNATURE_INVALID; | ||
133 | goto out; | ||
134 | } | ||
91 | 135 | ||
92 | /* Q_S, server public key */ | 136 | /* Q_S, server public key */ |
93 | if ((server_public = EC_POINT_new(group)) == NULL) | 137 | /* signed H */ |
94 | fatal("%s: EC_POINT_new failed", __func__); | 138 | if ((server_public = EC_POINT_new(group)) == NULL) { |
95 | packet_get_ecpoint(group, server_public); | 139 | r = SSH_ERR_ALLOC_FAIL; |
96 | 140 | goto out; | |
97 | if (key_ec_validate_public(group, server_public) != 0) | 141 | } |
98 | fatal("%s: invalid server public key", __func__); | 142 | if ((r = sshpkt_get_ec(ssh, server_public, group)) != 0 || |
143 | (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 || | ||
144 | (r = sshpkt_get_end(ssh)) != 0) | ||
145 | goto out; | ||
99 | 146 | ||
100 | #ifdef DEBUG_KEXECDH | 147 | #ifdef DEBUG_KEXECDH |
101 | fputs("server public key:\n", stderr); | 148 | fputs("server public key:\n", stderr); |
102 | key_dump_ec_point(group, server_public); | 149 | sshkey_dump_ec_point(group, server_public); |
103 | #endif | 150 | #endif |
104 | 151 | if (sshkey_ec_validate_public(group, server_public) != 0) { | |
105 | /* signed H */ | 152 | sshpkt_disconnect(ssh, "invalid server public key"); |
106 | signature = packet_get_string(&slen); | 153 | r = SSH_ERR_MESSAGE_INCOMPLETE; |
107 | packet_check_eom(); | 154 | goto out; |
155 | } | ||
108 | 156 | ||
109 | klen = (EC_GROUP_get_degree(group) + 7) / 8; | 157 | klen = (EC_GROUP_get_degree(group) + 7) / 8; |
110 | kbuf = xmalloc(klen); | 158 | if ((kbuf = malloc(klen)) == NULL || |
159 | (shared_secret = BN_new()) == NULL) { | ||
160 | r = SSH_ERR_ALLOC_FAIL; | ||
161 | goto out; | ||
162 | } | ||
111 | if (ECDH_compute_key(kbuf, klen, server_public, | 163 | if (ECDH_compute_key(kbuf, klen, server_public, |
112 | client_key, NULL) != (int)klen) | 164 | client_key, NULL) != (int)klen || |
113 | fatal("%s: ECDH_compute_key failed", __func__); | 165 | BN_bin2bn(kbuf, klen, shared_secret) == NULL) { |
166 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
167 | goto out; | ||
168 | } | ||
114 | 169 | ||
115 | #ifdef DEBUG_KEXECDH | 170 | #ifdef DEBUG_KEXECDH |
116 | dump_digest("shared secret", kbuf, klen); | 171 | dump_digest("shared secret", kbuf, klen); |
117 | #endif | 172 | #endif |
118 | if ((shared_secret = BN_new()) == NULL) | ||
119 | fatal("%s: BN_new failed", __func__); | ||
120 | if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) | ||
121 | fatal("%s: BN_bin2bn failed", __func__); | ||
122 | explicit_bzero(kbuf, klen); | ||
123 | free(kbuf); | ||
124 | |||
125 | /* calc and verify H */ | 173 | /* calc and verify H */ |
126 | kex_ecdh_hash( | 174 | hashlen = sizeof(hash); |
175 | if ((r = kex_ecdh_hash( | ||
127 | kex->hash_alg, | 176 | kex->hash_alg, |
128 | group, | 177 | group, |
129 | kex->client_version_string, | 178 | kex->client_version_string, |
130 | kex->server_version_string, | 179 | kex->server_version_string, |
131 | buffer_ptr(kex->my), buffer_len(kex->my), | 180 | sshbuf_ptr(kex->my), sshbuf_len(kex->my), |
132 | buffer_ptr(kex->peer), buffer_len(kex->peer), | 181 | sshbuf_ptr(kex->peer), sshbuf_len(kex->peer), |
133 | server_host_key_blob, sbloblen, | 182 | server_host_key_blob, sbloblen, |
134 | EC_KEY_get0_public_key(client_key), | 183 | EC_KEY_get0_public_key(client_key), |
135 | server_public, | 184 | server_public, |
136 | shared_secret, | 185 | shared_secret, |
137 | &hash, &hashlen | 186 | hash, &hashlen)) != 0) |
138 | ); | 187 | goto out; |
139 | free(server_host_key_blob); | ||
140 | EC_POINT_clear_free(server_public); | ||
141 | EC_KEY_free(client_key); | ||
142 | 188 | ||
143 | if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) | 189 | if ((r = sshkey_verify(server_host_key, signature, slen, hash, |
144 | fatal("key_verify failed for server_host_key"); | 190 | hashlen, ssh->compat)) != 0) |
145 | key_free(server_host_key); | 191 | goto out; |
146 | free(signature); | ||
147 | 192 | ||
148 | /* save session id */ | 193 | /* save session id */ |
149 | if (kex->session_id == NULL) { | 194 | if (kex->session_id == NULL) { |
150 | kex->session_id_len = hashlen; | 195 | kex->session_id_len = hashlen; |
151 | kex->session_id = xmalloc(kex->session_id_len); | 196 | kex->session_id = malloc(kex->session_id_len); |
197 | if (kex->session_id == NULL) { | ||
198 | r = SSH_ERR_ALLOC_FAIL; | ||
199 | goto out; | ||
200 | } | ||
152 | memcpy(kex->session_id, hash, kex->session_id_len); | 201 | memcpy(kex->session_id, hash, kex->session_id_len); |
153 | } | 202 | } |
154 | 203 | ||
155 | kex_derive_keys_bn(kex, hash, hashlen, shared_secret); | 204 | if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) |
156 | BN_clear_free(shared_secret); | 205 | r = kex_send_newkeys(ssh); |
157 | kex_finish(kex); | 206 | out: |
207 | explicit_bzero(hash, sizeof(hash)); | ||
208 | if (kex->ec_client_key) { | ||
209 | EC_KEY_free(kex->ec_client_key); | ||
210 | kex->ec_client_key = NULL; | ||
211 | } | ||
212 | if (server_public) | ||
213 | EC_POINT_clear_free(server_public); | ||
214 | if (kbuf) { | ||
215 | explicit_bzero(kbuf, klen); | ||
216 | free(kbuf); | ||
217 | } | ||
218 | if (shared_secret) | ||
219 | BN_clear_free(shared_secret); | ||
220 | sshkey_free(server_host_key); | ||
221 | free(server_host_key_blob); | ||
222 | free(signature); | ||
223 | return r; | ||
158 | } | 224 | } |
159 | #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ | 225 | #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ |
226 | |||