4 files changed, 380 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index e7b773de8..1d3e74671 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,8 @@
     [roaming_common.c]
     fix a couple of function definitions foo() -> foo(void)
     (-Wold-style-definition)
+ - (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from
+   KEX/curve25519 change
 20131103
 - (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.
diff --git a/kexc25519.c b/kexc25519.c
new file mode 100644
index 000000000..348a7d50d
--- /dev/null
+++ b/kexc25519.c
@@ -0,0 +1,127 @@
+/* $OpenBSD: kexc25519.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */
+/*
+ * Copyright (c) 2001, 2013 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2010 Damien Miller.  All rights reserved.
+ * Copyright (c) 2013 Aris Adamantiadis.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#include <sys/types.h>
+#include <signal.h>
+#include <string.h>
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include "buffer.h"
+#include "ssh2.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "log.h"
+extern int crypto_scalarmult_curve25519(u_char a[CURVE25519_SIZE],
+    const u_char b[CURVE25519_SIZE], const u_char c[CURVE25519_SIZE])
+        __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
+        __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)))
+        __attribute__((__bounded__(__minbytes__, 3, CURVE25519_SIZE)));
+void
+kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
+{
+        static const u_char basepoint[CURVE25519_SIZE] = {9};
+        arc4random_buf(key, CURVE25519_SIZE);
+        crypto_scalarmult_curve25519(pub, key, basepoint);
+}
+BIGNUM *
+kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
+    const u_char pub[CURVE25519_SIZE])
+{
+        u_char shared_key[CURVE25519_SIZE];
+        BIGNUM *shared_secret;
+        crypto_scalarmult_curve25519(shared_key, key, pub);
+#ifdef DEBUG_KEXECDH
+        dump_digest("shared secret", shared_key, CURVE25519_SIZE);
+#endif
+        if ((shared_secret = BN_new()) == NULL)
+                fatal("%s: BN_new failed", __func__);
+        if (BN_bin2bn(shared_key, sizeof(shared_key), shared_secret) == NULL)
+                fatal("%s: BN_bin2bn failed", __func__);
+        memset(shared_key, 0, CURVE25519_SIZE); /* XXX explicit_bzero() */
+        return (shared_secret);
+}
+void
+kex_c25519_hash(
+    const EVP_MD *evp_md,
+    char *client_version_string,
+    char *server_version_string,
+    char *ckexinit, int ckexinitlen,
+    char *skexinit, int skexinitlen,
+    u_char *serverhostkeyblob, int sbloblen,
+    const u_char client_dh_pub[CURVE25519_SIZE],
+    const u_char server_dh_pub[CURVE25519_SIZE],
+    const BIGNUM *shared_secret,
+    u_char **hash, u_int *hashlen)
+{
+        Buffer b;
+        EVP_MD_CTX md;
+        static u_char digest[EVP_MAX_MD_SIZE];
+        buffer_init(&b);
+        buffer_put_cstring(&b, client_version_string);
+        buffer_put_cstring(&b, server_version_string);
+        /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
+        buffer_put_int(&b, ckexinitlen+1);
+        buffer_put_char(&b, SSH2_MSG_KEXINIT);
+        buffer_append(&b, ckexinit, ckexinitlen);
+        buffer_put_int(&b, skexinitlen+1);
+        buffer_put_char(&b, SSH2_MSG_KEXINIT);
+        buffer_append(&b, skexinit, skexinitlen);
+        buffer_put_string(&b, serverhostkeyblob, sbloblen);
+        buffer_put_string(&b, client_dh_pub, CURVE25519_SIZE);
+        buffer_put_string(&b, server_dh_pub, CURVE25519_SIZE);
+        buffer_put_bignum2(&b, shared_secret);
+#ifdef DEBUG_KEX
+        buffer_dump(&b);
+#endif
+        EVP_DigestInit(&md, evp_md);
+        EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
+        EVP_DigestFinal(&md, digest, NULL);
+        buffer_free(&b);
+#ifdef DEBUG_KEX
+        dump_digest("hash", digest, EVP_MD_size(evp_md));
+#endif
+        *hash = digest;
+        *hashlen = EVP_MD_size(evp_md);
+}
diff --git a/kexc25519c.c b/kexc25519c.c
new file mode 100644
index 000000000..f741566cc
--- /dev/null
+++ b/kexc25519c.c
@@ -0,0 +1,128 @@
+/* $OpenBSD: kexc25519c.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2010 Damien Miller.  All rights reserved.
+ * Copyright (c) 2013 Aris Adamantiadis.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#include <sys/types.h>
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "ssh2.h"
+void
+kexc25519_client(Kex *kex)
+{
+        BIGNUM *shared_secret;
+        Key *server_host_key;
+        u_char client_key[CURVE25519_SIZE];
+        u_char client_pubkey[CURVE25519_SIZE];
+        u_char *server_pubkey = NULL;
+        u_char *server_host_key_blob = NULL, *signature = NULL;
+        u_char *hash;
+        u_int slen, sbloblen, hashlen;
+        kexc25519_keygen(client_key, client_pubkey);
+        packet_start(SSH2_MSG_KEX_ECDH_INIT);
+        packet_put_string(client_pubkey, sizeof(client_pubkey));
+        packet_send();
+        debug("sending SSH2_MSG_KEX_ECDH_INIT");
+#ifdef DEBUG_KEXECDH
+        dump_digest("client private key:", client_key, sizeof(client_key));
+#endif
+        debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
+        packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY);
+        /* hostkey */
+        server_host_key_blob = packet_get_string(&sbloblen);
+        server_host_key = key_from_blob(server_host_key_blob, sbloblen);
+        if (server_host_key == NULL)
+                fatal("cannot decode server_host_key_blob");
+        if (server_host_key->type != kex->hostkey_type)
+                fatal("type mismatch for decoded server_host_key_blob");
+        if (kex->verify_host_key == NULL)
+                fatal("cannot verify server_host_key");
+        if (kex->verify_host_key(server_host_key) == -1)
+                fatal("server_host_key verification failed");
+        /* Q_S, server public key */
+        server_pubkey = packet_get_string(&slen);
+        if (slen != CURVE25519_SIZE)
+                fatal("Incorrect size for server Curve25519 pubkey: %d", slen);
+#ifdef DEBUG_KEXECDH
+        dump_digest("server public key:", server_pubkey, CURVE25519_SIZE);
+#endif
+        /* signed H */
+        signature = packet_get_string(&slen);
+        packet_check_eom();
+        shared_secret = kexc25519_shared_key(client_key, server_pubkey);
+        /* calc and verify H */
+        kex_c25519_hash(
+            kex->evp_md,
+            kex->client_version_string,
+            kex->server_version_string,
+            buffer_ptr(&kex->my), buffer_len(&kex->my),
+            buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+            server_host_key_blob, sbloblen,
+            client_pubkey,
+            server_pubkey,
+            shared_secret,
+            &hash, &hashlen
+        );
+        free(server_host_key_blob);
+        free(server_pubkey);
+        if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
+                fatal("key_verify failed for server_host_key");
+        key_free(server_host_key);
+        free(signature);
+        /* save session id */
+        if (kex->session_id == NULL) {
+                kex->session_id_len = hashlen;
+                kex->session_id = xmalloc(kex->session_id_len);
+                memcpy(kex->session_id, hash, kex->session_id_len);
+        }
+        kex_derive_keys(kex, hash, hashlen, shared_secret);
+        BN_clear_free(shared_secret);
+        kex_finish(kex);
+}
diff --git a/kexc25519s.c b/kexc25519s.c
new file mode 100644
index 000000000..784841b82
--- /dev/null
+++ b/kexc25519s.c
@@ -0,0 +1,123 @@
+/* $OpenBSD: kexc25519s.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2010 Damien Miller.  All rights reserved.
+ * Copyright (c) 2013 Aris Adamantiadis.  All rights reserved.
+ *
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#include <sys/types.h>
+#include <string.h>
+#include <signal.h>
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "ssh2.h"
+void
+kexc25519_server(Kex *kex)
+{
+        BIGNUM *shared_secret;
+        Key *server_host_private, *server_host_public;
+        u_char *server_host_key_blob = NULL, *signature = NULL;
+        u_char server_key[CURVE25519_SIZE];
+        u_char *client_pubkey = NULL;
+        u_char server_pubkey[CURVE25519_SIZE];
+        u_char *hash;
+        u_int slen, sbloblen, hashlen;
+        /* generate private key */
+        kexc25519_keygen(server_key, server_pubkey);
+#ifdef DEBUG_KEXECDH
+        dump_digest("server private key:", server_key, sizeof(server_key));
+#endif
+        if (kex->load_host_public_key == NULL ||
+            kex->load_host_private_key == NULL)
+                fatal("Cannot load hostkey");
+        server_host_public = kex->load_host_public_key(kex->hostkey_type);
+        if (server_host_public == NULL)
+                fatal("Unsupported hostkey type %d", kex->hostkey_type);
+        server_host_private = kex->load_host_private_key(kex->hostkey_type);
+        debug("expecting SSH2_MSG_KEX_ECDH_INIT");
+        packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
+        client_pubkey = packet_get_string(&slen);
+        if (slen != CURVE25519_SIZE)
+                fatal("Incorrect size for server Curve25519 pubkey: %d", slen);
+        packet_check_eom();
+#ifdef DEBUG_KEXECDH
+        dump_digest("client public key:", client_pubkey, CURVE25519_SIZE);
+#endif
+        shared_secret = kexc25519_shared_key(server_key, client_pubkey);
+        /* calc H */
+        key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
+        kex_c25519_hash(
+            kex->evp_md,
+            kex->client_version_string,
+            kex->server_version_string,
+            buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+            buffer_ptr(&kex->my), buffer_len(&kex->my),
+            server_host_key_blob, sbloblen,
+            client_pubkey,
+            server_pubkey,
+            shared_secret,
+            &hash, &hashlen
+        );
+        /* save session id := H */
+        if (kex->session_id == NULL) {
+                kex->session_id_len = hashlen;
+                kex->session_id = xmalloc(kex->session_id_len);
+                memcpy(kex->session_id, hash, kex->session_id_len);
+        }
+        /* sign H */
+        kex->sign(server_host_private, server_host_public, &signature, &slen,
+            hash, hashlen);
+        /* destroy_sensitive_data(); */
+        /* send server hostkey, ECDH pubkey 'Q_S' and signed H */
+        packet_start(SSH2_MSG_KEX_ECDH_REPLY);
+        packet_put_string(server_host_key_blob, sbloblen);
+        packet_put_string(server_pubkey, sizeof(server_pubkey));
+        packet_put_string(signature, slen);
+        packet_send();
+        free(signature);
+        free(server_host_key_blob);
+        /* have keys, free server key */
+        free(client_pubkey);
+        kex_derive_keys(kex, hash, hashlen, shared_secret);
+        BN_clear_free(shared_secret);
+        kex_finish(kex);
+}

diff --git a/ChangeLog b/ChangeLog index e7b773de8..1d3e74671 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -24,6 +24,8 @@
24	[roaming_common.c]	24	[roaming_common.c]
25	fix a couple of function definitions foo() -> foo(void)	25	fix a couple of function definitions foo() -> foo(void)
26	(-Wold-style-definition)	26	(-Wold-style-definition)
		27	- (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from
		28	KEX/curve25519 change
27		29
28	20131103	30	20131103
29	- (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.	31	- (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.


diff --git a/kexc25519.c b/kexc25519.c new file mode 100644 index 000000000..348a7d50d --- /dev/null +++ b/kexc25519.c
@@ -0,0 +1,127 @@
		1	/* $OpenBSD: kexc25519.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */
		2	/*
		3	* Copyright (c) 2001, 2013 Markus Friedl. All rights reserved.
		4	* Copyright (c) 2010 Damien Miller. All rights reserved.
		5	* Copyright (c) 2013 Aris Adamantiadis. All rights reserved.
		6	*
		7	* Redistribution and use in source and binary forms, with or without
		8	* modification, are permitted provided that the following conditions
		9	* are met:
		10	* 1. Redistributions of source code must retain the above copyright
		11	* notice, this list of conditions and the following disclaimer.
		12	* 2. Redistributions in binary form must reproduce the above copyright
		13	* notice, this list of conditions and the following disclaimer in the
		14	* documentation and/or other materials provided with the distribution.
		15	*
		16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
		17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
		18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
		19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
		20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
		22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
		23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
		24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
		25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
		26	*/
		27
		28	#include "includes.h"
		29
		30	#include <sys/types.h>
		31
		32	#include <signal.h>
		33	#include <string.h>
		34
		35	#include <openssl/bn.h>
		36	#include <openssl/evp.h>
		37
		38	#include "buffer.h"
		39	#include "ssh2.h"
		40	#include "key.h"
		41	#include "cipher.h"
		42	#include "kex.h"
		43	#include "log.h"
		44
		45	extern int crypto_scalarmult_curve25519(u_char a[CURVE25519_SIZE],
		46	const u_char b[CURVE25519_SIZE], const u_char c[CURVE25519_SIZE])
		47	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
		48	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)))
		49	__attribute__((__bounded__(__minbytes__, 3, CURVE25519_SIZE)));
		50
		51	void
		52	kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
		53	{
		54	static const u_char basepoint[CURVE25519_SIZE] = {9};
		55
		56	arc4random_buf(key, CURVE25519_SIZE);
		57	crypto_scalarmult_curve25519(pub, key, basepoint);
		58	}
		59
		60	BIGNUM *
		61	kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
		62	const u_char pub[CURVE25519_SIZE])
		63	{
		64	u_char shared_key[CURVE25519_SIZE];
		65	BIGNUM *shared_secret;
		66
		67	crypto_scalarmult_curve25519(shared_key, key, pub);
		68	#ifdef DEBUG_KEXECDH
		69	dump_digest("shared secret", shared_key, CURVE25519_SIZE);
		70	#endif
		71	if ((shared_secret = BN_new()) == NULL)
		72	fatal("%s: BN_new failed", __func__);
		73	if (BN_bin2bn(shared_key, sizeof(shared_key), shared_secret) == NULL)
		74	fatal("%s: BN_bin2bn failed", __func__);
		75	memset(shared_key, 0, CURVE25519_SIZE); /* XXX explicit_bzero() */
		76	return (shared_secret);
		77	}
		78
		79	void
		80	kex_c25519_hash(
		81	const EVP_MD *evp_md,
		82	char *client_version_string,
		83	char *server_version_string,
		84	char *ckexinit, int ckexinitlen,
		85	char *skexinit, int skexinitlen,
		86	u_char *serverhostkeyblob, int sbloblen,
		87	const u_char client_dh_pub[CURVE25519_SIZE],
		88	const u_char server_dh_pub[CURVE25519_SIZE],
		89	const BIGNUM *shared_secret,
		90	u_char *hash, u_int hashlen)
		91	{
		92	Buffer b;
		93	EVP_MD_CTX md;
		94	static u_char digest[EVP_MAX_MD_SIZE];
		95
		96	buffer_init(&b);
		97	buffer_put_cstring(&b, client_version_string);
		98	buffer_put_cstring(&b, server_version_string);
		99
		100	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
		101	buffer_put_int(&b, ckexinitlen+1);
		102	buffer_put_char(&b, SSH2_MSG_KEXINIT);
		103	buffer_append(&b, ckexinit, ckexinitlen);
		104	buffer_put_int(&b, skexinitlen+1);
		105	buffer_put_char(&b, SSH2_MSG_KEXINIT);
		106	buffer_append(&b, skexinit, skexinitlen);
		107
		108	buffer_put_string(&b, serverhostkeyblob, sbloblen);
		109	buffer_put_string(&b, client_dh_pub, CURVE25519_SIZE);
		110	buffer_put_string(&b, server_dh_pub, CURVE25519_SIZE);
		111	buffer_put_bignum2(&b, shared_secret);
		112
		113	#ifdef DEBUG_KEX
		114	buffer_dump(&b);
		115	#endif
		116	EVP_DigestInit(&md, evp_md);
		117	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
		118	EVP_DigestFinal(&md, digest, NULL);
		119
		120	buffer_free(&b);
		121
		122	#ifdef DEBUG_KEX
		123	dump_digest("hash", digest, EVP_MD_size(evp_md));
		124	#endif
		125	*hash = digest;
		126	*hashlen = EVP_MD_size(evp_md);
		127	}


diff --git a/kexc25519c.c b/kexc25519c.c new file mode 100644 index 000000000..f741566cc --- /dev/null +++ b/kexc25519c.c
@@ -0,0 +1,128 @@
		1	/* $OpenBSD: kexc25519c.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */
		2	/*
		3	* Copyright (c) 2001 Markus Friedl. All rights reserved.
		4	* Copyright (c) 2010 Damien Miller. All rights reserved.
		5	* Copyright (c) 2013 Aris Adamantiadis. All rights reserved.
		6	*
		7	* Redistribution and use in source and binary forms, with or without
		8	* modification, are permitted provided that the following conditions
		9	* are met:
		10	* 1. Redistributions of source code must retain the above copyright
		11	* notice, this list of conditions and the following disclaimer.
		12	* 2. Redistributions in binary form must reproduce the above copyright
		13	* notice, this list of conditions and the following disclaimer in the
		14	* documentation and/or other materials provided with the distribution.
		15	*
		16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
		17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
		18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
		19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
		20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
		22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
		23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
		24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
		25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
		26	*/
		27
		28	#include "includes.h"
		29
		30	#include <sys/types.h>
		31
		32	#include <stdio.h>
		33	#include <string.h>
		34	#include <signal.h>
		35
		36	#include "xmalloc.h"
		37	#include "buffer.h"
		38	#include "key.h"
		39	#include "cipher.h"
		40	#include "kex.h"
		41	#include "log.h"
		42	#include "packet.h"
		43	#include "ssh2.h"
		44
		45	void
		46	kexc25519_client(Kex *kex)
		47	{
		48	BIGNUM *shared_secret;
		49	Key *server_host_key;
		50	u_char client_key[CURVE25519_SIZE];
		51	u_char client_pubkey[CURVE25519_SIZE];
		52	u_char *server_pubkey = NULL;
		53	u_char server_host_key_blob = NULL, signature = NULL;
		54	u_char *hash;
		55	u_int slen, sbloblen, hashlen;
		56
		57	kexc25519_keygen(client_key, client_pubkey);
		58
		59	packet_start(SSH2_MSG_KEX_ECDH_INIT);
		60	packet_put_string(client_pubkey, sizeof(client_pubkey));
		61	packet_send();
		62	debug("sending SSH2_MSG_KEX_ECDH_INIT");
		63
		64	#ifdef DEBUG_KEXECDH
		65	dump_digest("client private key:", client_key, sizeof(client_key));
		66	#endif
		67
		68	debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
		69	packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY);
		70
		71	/* hostkey */
		72	server_host_key_blob = packet_get_string(&sbloblen);
		73	server_host_key = key_from_blob(server_host_key_blob, sbloblen);
		74	if (server_host_key == NULL)
		75	fatal("cannot decode server_host_key_blob");
		76	if (server_host_key->type != kex->hostkey_type)
		77	fatal("type mismatch for decoded server_host_key_blob");
		78	if (kex->verify_host_key == NULL)
		79	fatal("cannot verify server_host_key");
		80	if (kex->verify_host_key(server_host_key) == -1)
		81	fatal("server_host_key verification failed");
		82
		83	/* Q_S, server public key */
		84	server_pubkey = packet_get_string(&slen);
		85	if (slen != CURVE25519_SIZE)
		86	fatal("Incorrect size for server Curve25519 pubkey: %d", slen);
		87
		88	#ifdef DEBUG_KEXECDH
		89	dump_digest("server public key:", server_pubkey, CURVE25519_SIZE);
		90	#endif
		91
		92	/* signed H */
		93	signature = packet_get_string(&slen);
		94	packet_check_eom();
		95
		96	shared_secret = kexc25519_shared_key(client_key, server_pubkey);
		97
		98	/* calc and verify H */
		99	kex_c25519_hash(
		100	kex->evp_md,
		101	kex->client_version_string,
		102	kex->server_version_string,
		103	buffer_ptr(&kex->my), buffer_len(&kex->my),
		104	buffer_ptr(&kex->peer), buffer_len(&kex->peer),
		105	server_host_key_blob, sbloblen,
		106	client_pubkey,
		107	server_pubkey,
		108	shared_secret,
		109	&hash, &hashlen
		110	);
		111	free(server_host_key_blob);
		112	free(server_pubkey);
		113	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
		114	fatal("key_verify failed for server_host_key");
		115	key_free(server_host_key);
		116	free(signature);
		117
		118	/* save session id */
		119	if (kex->session_id == NULL) {
		120	kex->session_id_len = hashlen;
		121	kex->session_id = xmalloc(kex->session_id_len);
		122	memcpy(kex->session_id, hash, kex->session_id_len);
		123	}
		124
		125	kex_derive_keys(kex, hash, hashlen, shared_secret);
		126	BN_clear_free(shared_secret);
		127	kex_finish(kex);
		128	}


diff --git a/kexc25519s.c b/kexc25519s.c new file mode 100644 index 000000000..784841b82 --- /dev/null +++ b/kexc25519s.c
@@ -0,0 +1,123 @@
		1	/* $OpenBSD: kexc25519s.c,v 1.2 2013/11/02 22:02:14 markus Exp $ */
		2	/*
		3	* Copyright (c) 2001 Markus Friedl. All rights reserved.
		4	* Copyright (c) 2010 Damien Miller. All rights reserved.
		5	* Copyright (c) 2013 Aris Adamantiadis. All rights reserved.
		6	*
		7	* modification, are permitted provided that the following conditions
		8	* are met:
		9	* 1. Redistributions of source code must retain the above copyright
		10	* notice, this list of conditions and the following disclaimer.
		11	* 2. Redistributions in binary form must reproduce the above copyright
		12	* notice, this list of conditions and the following disclaimer in the
		13	* documentation and/or other materials provided with the distribution.
		14	*
		15	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
		16	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
		17	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
		18	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
		19	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		20	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
		21	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
		22	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
		23	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
		24	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
		25	*/
		26
		27	#include "includes.h"
		28
		29	#include <sys/types.h>
		30	#include <string.h>
		31	#include <signal.h>
		32
		33	#include "xmalloc.h"
		34	#include "buffer.h"
		35	#include "key.h"
		36	#include "cipher.h"
		37	#include "kex.h"
		38	#include "log.h"
		39	#include "packet.h"
		40	#include "ssh2.h"
		41
		42	void
		43	kexc25519_server(Kex *kex)
		44	{
		45	BIGNUM *shared_secret;
		46	Key server_host_private, server_host_public;
		47	u_char server_host_key_blob = NULL, signature = NULL;
		48	u_char server_key[CURVE25519_SIZE];
		49	u_char *client_pubkey = NULL;
		50	u_char server_pubkey[CURVE25519_SIZE];
		51	u_char *hash;
		52	u_int slen, sbloblen, hashlen;
		53
		54	/* generate private key */
		55	kexc25519_keygen(server_key, server_pubkey);
		56	#ifdef DEBUG_KEXECDH
		57	dump_digest("server private key:", server_key, sizeof(server_key));
		58	#endif
		59
		60	if (kex->load_host_public_key == NULL \|\|
		61	kex->load_host_private_key == NULL)
		62	fatal("Cannot load hostkey");
		63	server_host_public = kex->load_host_public_key(kex->hostkey_type);
		64	if (server_host_public == NULL)
		65	fatal("Unsupported hostkey type %d", kex->hostkey_type);
		66	server_host_private = kex->load_host_private_key(kex->hostkey_type);
		67
		68	debug("expecting SSH2_MSG_KEX_ECDH_INIT");
		69	packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
		70	client_pubkey = packet_get_string(&slen);
		71	if (slen != CURVE25519_SIZE)
		72	fatal("Incorrect size for server Curve25519 pubkey: %d", slen);
		73	packet_check_eom();
		74
		75	#ifdef DEBUG_KEXECDH
		76	dump_digest("client public key:", client_pubkey, CURVE25519_SIZE);
		77	#endif
		78
		79	shared_secret = kexc25519_shared_key(server_key, client_pubkey);
		80
		81	/* calc H */
		82	key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
		83	kex_c25519_hash(
		84	kex->evp_md,
		85	kex->client_version_string,
		86	kex->server_version_string,
		87	buffer_ptr(&kex->peer), buffer_len(&kex->peer),
		88	buffer_ptr(&kex->my), buffer_len(&kex->my),
		89	server_host_key_blob, sbloblen,
		90	client_pubkey,
		91	server_pubkey,
		92	shared_secret,
		93	&hash, &hashlen
		94	);
		95
		96	/* save session id := H */
		97	if (kex->session_id == NULL) {
		98	kex->session_id_len = hashlen;
		99	kex->session_id = xmalloc(kex->session_id_len);
		100	memcpy(kex->session_id, hash, kex->session_id_len);
		101	}
		102
		103	/* sign H */
		104	kex->sign(server_host_private, server_host_public, &signature, &slen,
		105	hash, hashlen);
		106
		107	/* destroy_sensitive_data(); */
		108
		109	/* send server hostkey, ECDH pubkey 'Q_S' and signed H */
		110	packet_start(SSH2_MSG_KEX_ECDH_REPLY);
		111	packet_put_string(server_host_key_blob, sbloblen);
		112	packet_put_string(server_pubkey, sizeof(server_pubkey));
		113	packet_put_string(signature, slen);
		114	packet_send();
		115
		116	free(signature);
		117	free(server_host_key_blob);
		118	/* have keys, free server key */
		119	free(client_pubkey);
		120	kex_derive_keys(kex, hash, hashlen, shared_secret);
		121	BN_clear_free(shared_secret);
		122	kex_finish(kex);
		123	}