From eb8b60e320cdade9f4c07e2abacfb92c52e01348 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 31 Aug 2010 22:41:14 +1000 Subject: - djm@cvs.openbsd.org 2010/08/31 11:54:45 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c] [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c] [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c] [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c] [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h] [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5] [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@ --- kexecdh.c | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 kexecdh.c (limited to 'kexecdh.c') diff --git a/kexecdh.c b/kexecdh.c new file mode 100644 index 000000000..a5a14f4bd --- /dev/null +++ b/kexecdh.c @@ -0,0 +1,108 @@ +/* $OpenBSD: kexecdh.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. + * Copyright (c) 2010 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include + +#include +#include + +#include +#include +#include +#include + +#include "buffer.h" +#include "ssh2.h" +#include "key.h" +#include "cipher.h" +#include "kex.h" +#include "log.h" + +int +kex_ecdh_name_to_nid(const char *kexname) +{ + int ret; + + if (strlen(kexname) < sizeof(KEX_ECDH_SHA256) - 1) + fatal("%s: kexname too short \"%s\"", __func__, kexname); + ret = key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA256) - 1); + if (ret == -1) + fatal("%s: unsupported curve negotiated \"%s\"", __func__, + kexname); + return ret; +} + +void +kex_ecdh_hash( + const EVP_MD *evp_md, + const EC_GROUP *ec_group, + char *client_version_string, + char *server_version_string, + char *ckexinit, int ckexinitlen, + char *skexinit, int skexinitlen, + u_char *serverhostkeyblob, int sbloblen, + const EC_POINT *client_dh_pub, + const EC_POINT *server_dh_pub, + const BIGNUM *shared_secret, + u_char **hash, u_int *hashlen) +{ + Buffer b; + EVP_MD_CTX md; + static u_char digest[EVP_MAX_MD_SIZE]; + + buffer_init(&b); + buffer_put_cstring(&b, client_version_string); + buffer_put_cstring(&b, server_version_string); + + /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ + buffer_put_int(&b, ckexinitlen+1); + buffer_put_char(&b, SSH2_MSG_KEXINIT); + buffer_append(&b, ckexinit, ckexinitlen); + buffer_put_int(&b, skexinitlen+1); + buffer_put_char(&b, SSH2_MSG_KEXINIT); + buffer_append(&b, skexinit, skexinitlen); + + buffer_put_string(&b, serverhostkeyblob, sbloblen); + buffer_put_ecpoint(&b, ec_group, client_dh_pub); + buffer_put_ecpoint(&b, ec_group, server_dh_pub); + buffer_put_bignum2(&b, shared_secret); + +#ifdef DEBUG_KEX + buffer_dump(&b); +#endif + EVP_DigestInit(&md, evp_md); + EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); + EVP_DigestFinal(&md, digest, NULL); + + buffer_free(&b); + +#ifdef DEBUG_KEX + dump_digest("hash", digest, EVP_MD_size(evp_md)); +#endif + *hash = digest; + *hashlen = EVP_MD_size(evp_md); +} + -- cgit v1.2.3 From c79ff0770e0ac1e0d9acc2741190cf7599bb6bd8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 31 Aug 2010 22:50:48 +1000 Subject: - (djm) [bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] include includes.h --- ChangeLog | 2 ++ bufec.c | 3 +++ kexecdh.c | 2 ++ kexecdhc.c | 2 ++ kexecdhs.c | 2 ++ ssh-ecdsa.c | 2 ++ 6 files changed, 13 insertions(+) (limited to 'kexecdh.c') diff --git a/ChangeLog b/ChangeLog index 3488c8215..a71eab347 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,8 @@ feedback and ok markus@ - (djm) [Makefile.in] Add new ECC files + - (djm) [bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] include + includes.h 20100827 - (dtucker) [contrib/redhat/sshd.init] Bug #1810: initlog is deprecated, diff --git a/bufec.c b/bufec.c index dff9c69c9..c77d1ecb9 100644 --- a/bufec.c +++ b/bufec.c @@ -14,6 +14,9 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include "includes.h" + #include #include diff --git a/kexecdh.c b/kexecdh.c index a5a14f4bd..bd5718136 100644 --- a/kexecdh.c +++ b/kexecdh.c @@ -24,6 +24,8 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include "includes.h" + #include #include diff --git a/kexecdhc.c b/kexecdhc.c index f6d9977c5..7ac7b1ee2 100644 --- a/kexecdhc.c +++ b/kexecdhc.c @@ -24,6 +24,8 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include "includes.h" + #include #include diff --git a/kexecdhs.c b/kexecdhs.c index d73333893..e49a0ef37 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -24,6 +24,8 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include "includes.h" + #include #include #include diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index a1c1bdb60..3069ca5bc 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c @@ -24,6 +24,8 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include "includes.h" + #include #include -- cgit v1.2.3 From 041ab7c1e7d6514ed84a539a767f79ffb356e807 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 10 Sep 2010 11:23:34 +1000 Subject: - djm@cvs.openbsd.org 2010/09/09 10:45:45 [kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c] ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases. This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client. ok naddy@ --- ChangeLog | 13 +++++++++++++ kex.c | 10 +++++----- kex.h | 5 +++-- kexecdh.c | 14 +++++++++++--- key.c | 47 +++++++++++++++++++++++++++++++++++------------ key.h | 4 +++- monitor.c | 8 ++++---- ssh-ecdsa.c | 10 ++++++---- 8 files changed, 80 insertions(+), 31 deletions(-) (limited to 'kexecdh.c') diff --git a/ChangeLog b/ChangeLog index 32f82369d..87fee3bf0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,19 @@ gcc, at least in earlier versions, but this does not forgive your current transgressions) seen between zlib and openssl ok djm + - djm@cvs.openbsd.org 2010/09/09 10:45:45 + [kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c] + ECDH/ECDSA compliance fix: these methods vary the hash function they use + (SHA256/384/512) depending on the length of the curve in use. The previous + code incorrectly used SHA256 in all cases. + + This fix will cause authentication failure when using 384 or 521-bit curve + keys if one peer hasn't been upgraded and the other has. (256-bit curve + keys work ok). In particular you may need to specify HostkeyAlgorithms + when connecting to a server that has not been upgraded from an upgraded + client. + + ok naddy@ 20100831 - OpenBSD CVS Sync diff --git a/kex.c b/kex.c index abe9b9f5d..7c8763191 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.84 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.85 2010/09/09 10:45:45 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -325,10 +325,10 @@ choose_kex(Kex *k, char *client, char *server) } else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) { k->kex_type = KEX_DH_GEX_SHA256; k->evp_md = evp_ssh_sha256(); - } else if (strncmp(k->name, KEX_ECDH_SHA256, - sizeof(KEX_ECDH_SHA256) - 1) == 0) { - k->kex_type = KEX_ECDH_SHA2; - k->evp_md = evp_ssh_sha256(); + } else if (strncmp(k->name, KEX_ECDH_SHA2_STEM, + sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) { + k->kex_type = KEX_ECDH_SHA2; + k->evp_md = kex_ecdh_name_to_evpmd(k->name); #endif } else fatal("bad kex alg %s", k->name); diff --git a/kex.h b/kex.h index a183ffda2..f5dcc8791 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.50 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.51 2010/09/09 10:45:45 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -39,7 +39,7 @@ #define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256" #define KEX_RESUME "resume@appgate.com" /* The following represents the family of ECDH methods */ -#define KEX_ECDH_SHA256 "ecdh-sha2-" +#define KEX_ECDH_SHA2_STEM "ecdh-sha2-" #define COMP_NONE 0 #define COMP_ZLIB 1 @@ -165,6 +165,7 @@ kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int, const BIGNUM *, u_char **, u_int *); int kex_ecdh_name_to_nid(const char *); +const EVP_MD *kex_ecdh_name_to_evpmd(const char *); void derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]); diff --git a/kexecdh.c b/kexecdh.c index bd5718136..f59d7b903 100644 --- a/kexecdh.c +++ b/kexecdh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdh.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: kexecdh.c,v 1.2 2010/09/09 10:45:45 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -48,15 +48,23 @@ kex_ecdh_name_to_nid(const char *kexname) { int ret; - if (strlen(kexname) < sizeof(KEX_ECDH_SHA256) - 1) + if (strlen(kexname) < sizeof(KEX_ECDH_SHA2_STEM) - 1) fatal("%s: kexname too short \"%s\"", __func__, kexname); - ret = key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA256) - 1); + ret = key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1); if (ret == -1) fatal("%s: unsupported curve negotiated \"%s\"", __func__, kexname); return ret; } +const EVP_MD * +kex_ecdh_name_to_evpmd(const char *kexname) +{ + int nid = kex_ecdh_name_to_nid(kexname); + + return key_ec_nid_to_evpmd(nid); +} + void kex_ecdh_hash( const EVP_MD *evp_md, diff --git a/key.c b/key.c index 842280a9f..b9dc2355b 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.92 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: key.c,v 1.93 2010/09/09 10:45:45 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -978,17 +978,7 @@ key_size(const Key *k) return BN_num_bits(k->dsa->p); case KEY_ECDSA: case KEY_ECDSA_CERT: - switch (k->ecdsa_nid) { - case NID_X9_62_prime256v1: - return 256; - case NID_secp384r1: - return 384; - case NID_secp521r1: - return 521; - default: - break; - } - break; + return key_curve_nid_to_bits(k->ecdsa_nid); } return 0; } @@ -1961,6 +1951,7 @@ key_cert_is_legacy(Key *k) } } +/* XXX: these are really begging for a table-driven approach */ int key_curve_name_to_nid(const char *name) { @@ -1975,6 +1966,22 @@ key_curve_name_to_nid(const char *name) return -1; } +u_int +key_curve_nid_to_bits(int nid) +{ + switch (nid) { + case NID_X9_62_prime256v1: + return 256; + case NID_secp384r1: + return 384; + case NID_secp521r1: + return 521; + default: + error("%s: unsupported EC curve nid %d", __func__, nid); + return 0; + } +} + const char * key_curve_nid_to_name(int nid) { @@ -1989,6 +1996,22 @@ key_curve_nid_to_name(int nid) return NULL; } +const EVP_MD * +key_ec_nid_to_evpmd(int nid) +{ + int kbits = key_curve_nid_to_bits(nid); + + if (kbits == 0) + fatal("%s: invalid nid %d", __func__, nid); + /* RFC5656 section 6.2.1 */ + if (kbits <= 256) + return EVP_sha256(); + else if (kbits <= 384) + return EVP_sha384(); + else + return EVP_sha512(); +} + int key_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) { diff --git a/key.h b/key.h index 2eb124364..ba1a20c07 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.31 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: key.h,v 1.32 2010/09/09 10:45:45 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -112,8 +112,10 @@ int key_cert_is_legacy(Key *); int key_ecdsa_nid_from_name(const char *); int key_curve_name_to_nid(const char *); const char * key_curve_nid_to_name(int); +u_int key_curve_nid_to_bits(int); int key_ecdsa_bits_to_nid(int); int key_ecdsa_group_to_nid(const EC_GROUP *); +const EVP_MD * key_ec_nid_to_evpmd(int nid); int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); int key_ec_validate_private(const EC_KEY *); diff --git a/monitor.c b/monitor.c index 32395ee44..29d987c70 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.109 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.110 2010/09/09 10:45:45 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -590,10 +590,10 @@ mm_answer_sign(int sock, Buffer *m) p = buffer_get_string(m, &datlen); /* - * Supported KEX types will only return SHA1 (20 byte) or - * SHA256 (32 byte) hashes + * Supported KEX types use SHA1 (20 bytes), SHA256 (32 bytes), + * SHA384 (48 bytes) and SHA512 (64 bytes). */ - if (datlen != 20 && datlen != 32) + if (datlen != 20 && datlen != 32 && datlen != 48 && datlen != 64) fatal("%s: data length incorrect: %u", __func__, datlen); /* save session id, it will be passed on the first call */ diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index 0627ee5c0..5c4ce2311 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD$ */ +/* $OpenBSD: ssh-ecdsa.c,v 1.4 2010/09/10 01:04:10 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -46,7 +46,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, const u_char *data, u_int datalen) { ECDSA_SIG *sig; - const EVP_MD *evp_md = EVP_sha256(); + const EVP_MD *evp_md; EVP_MD_CTX md; u_char digest[EVP_MAX_MD_SIZE]; u_int len, dlen; @@ -57,6 +57,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, error("%s: no ECDSA key", __func__); return -1; } + evp_md = key_ec_nid_to_evpmd(key->ecdsa_nid); EVP_DigestInit(&md, evp_md); EVP_DigestUpdate(&md, data, datalen); EVP_DigestFinal(&md, digest, &dlen); @@ -94,21 +95,22 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, const u_char *data, u_int datalen) { ECDSA_SIG *sig; - const EVP_MD *evp_md = EVP_sha256(); + const EVP_MD *evp_md; EVP_MD_CTX md; u_char digest[EVP_MAX_MD_SIZE], *sigblob; u_int len, dlen; int rlen, ret; Buffer b, bb; + char *ktype; if (key == NULL || key->ecdsa == NULL || (key->type != KEY_ECDSA && key->type != KEY_ECDSA_CERT)) { error("%s: no ECDSA key", __func__); return -1; } + evp_md = key_ec_nid_to_evpmd(key->ecdsa_nid); /* fetch signature */ - char *ktype; buffer_init(&b); buffer_append(&b, signature, signaturelen); ktype = buffer_get_string(&b, NULL); -- cgit v1.2.3 From 6af914a15c0c33e8b5bab5ca61919b8562ff1db9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 10 Sep 2010 11:39:26 +1000 Subject: - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c] [kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c] [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on platforms that don't have the requisite OpenSSL support. ok dtucker@ --- ChangeLog | 4 ++++ authfd.c | 2 ++ authfile.c | 4 ++++ bufec.c | 3 +++ buffer.h | 2 ++ configure.ac | 26 +++++++++++++++++++++-- kex.h | 5 ++++- kexecdh.c | 3 +++ kexecdhc.c | 13 ++++++++++-- kexecdhs.c | 13 ++++++++++-- key.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- key.h | 10 ++++++++- myproposal.h | 53 +++++++++++++++++++++++++---------------------- packet.c | 4 ++++ readconf.c | 3 ++- ssh-agent.c | 4 ++++ ssh-ecdsa.c | 4 ++++ ssh-keygen.c | 6 ++++++ ssh.c | 10 +++++++++ 19 files changed, 200 insertions(+), 36 deletions(-) (limited to 'kexecdh.c') diff --git a/ChangeLog b/ChangeLog index 87fee3bf0..742e966c5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -62,6 +62,10 @@ client. ok naddy@ + - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c] + [kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c] + [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on + platforms that don't have the requisite OpenSSL support. ok dtucker@ 20100831 - OpenBSD CVS Sync diff --git a/authfd.c b/authfd.c index ec537d2e9..c11c3f5a8 100644 --- a/authfd.c +++ b/authfd.c @@ -509,6 +509,7 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) buffer_len(&key->cert->certblob)); buffer_put_bignum2(b, key->dsa->priv_key); break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid)); buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa), @@ -522,6 +523,7 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) buffer_len(&key->cert->certblob)); buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); break; +#endif } buffer_put_cstring(b, comment); } diff --git a/authfile.c b/authfile.c index 20ac8c76d..b1e3eda5c 100644 --- a/authfile.c +++ b/authfile.c @@ -213,10 +213,12 @@ key_save_private_pem(Key *key, const char *filename, const char *_passphrase, success = PEM_write_DSAPrivateKey(fp, key->dsa, cipher, passphrase, len, NULL, NULL); break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: success = PEM_write_ECPrivateKey(fp, key->ecdsa, cipher, passphrase, len, NULL, NULL); break; +#endif case KEY_RSA: success = PEM_write_RSAPrivateKey(fp, key->rsa, cipher, passphrase, len, NULL, NULL); @@ -515,6 +517,7 @@ key_load_private_pem(int fd, int type, const char *passphrase, #ifdef DEBUG_PK DSA_print_fp(stderr, prv->dsa, 8); #endif +#ifdef OPENSSL_HAS_ECC } else if (pk->type == EVP_PKEY_EC && (type == KEY_UNSPEC||type==KEY_ECDSA)) { prv = key_new(KEY_UNSPEC); @@ -538,6 +541,7 @@ key_load_private_pem(int fd, int type, const char *passphrase, if (prv->ecdsa != NULL) key_dump_ec_key(prv->ecdsa); #endif +#endif /* OPENSSL_HAS_ECC */ } else { error("PEM_read_PrivateKey: mismatch or " "unknown EVP_PKEY save_type %d", pk->save_type); diff --git a/bufec.c b/bufec.c index c77d1ecb9..3dcb49477 100644 --- a/bufec.c +++ b/bufec.c @@ -17,6 +17,8 @@ #include "includes.h" +#ifdef OPENSSL_HAS_ECC + #include #include @@ -141,3 +143,4 @@ buffer_get_ecpoint(Buffer *buffer, const EC_GROUP *curve, fatal("%s: buffer error", __func__); } +#endif /* OPENSSL_HAS_ECC */ diff --git a/buffer.h b/buffer.h index 1fb3f1666..e2a9dd100 100644 --- a/buffer.h +++ b/buffer.h @@ -86,11 +86,13 @@ char *buffer_get_cstring_ret(Buffer *, u_int *); void *buffer_get_string_ptr_ret(Buffer *, u_int *); int buffer_get_char_ret(char *, Buffer *); +#ifdef OPENSSL_HAS_ECC #include int buffer_put_ecpoint_ret(Buffer *, const EC_GROUP *, const EC_POINT *); void buffer_put_ecpoint(Buffer *, const EC_GROUP *, const EC_POINT *); int buffer_get_ecpoint_ret(Buffer *, const EC_GROUP *, EC_POINT *); void buffer_get_ecpoint(Buffer *, const EC_GROUP *, EC_POINT *); +#endif #endif /* BUFFER_H */ diff --git a/configure.ac b/configure.ac index 637e7b536..d267ba2b1 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.451 2010/08/16 03:15:23 dtucker Exp $ +# $Id: configure.ac,v 1.452 2010/09/10 01:39:27 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.451 $) +AC_REVISION($Revision: 1.452 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) @@ -2158,6 +2158,28 @@ fi # Search for SHA256 support in libc and/or OpenSSL AC_CHECK_FUNCS(SHA256_Update EVP_sha256) +# Check complete ECC support in OpenSSL +AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) +AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include +int main(void) { + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); + const EVP_MD *m = EVP_sha512(); /* We need this too */ +} + ]])], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(OPENSSL_HAS_ECC, 1, + [libcrypto includes complete ECC support]) + ], + [ + AC_MSG_RESULT(no) + ] +) + saved_LIBS="$LIBS" AC_CHECK_LIB(iaf, ia_openinfo, [ LIBS="$LIBS -liaf" diff --git a/kex.h b/kex.h index f5dcc8791..06914756a 100644 --- a/kex.h +++ b/kex.h @@ -159,13 +159,16 @@ void kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *, int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); +#ifdef OPENSSL_HAS_ECC void kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int, char *, int, u_char *, int, const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char **, u_int *); - int kex_ecdh_name_to_nid(const char *); const EVP_MD *kex_ecdh_name_to_evpmd(const char *); +#else +# define kex_ecdh_name_to_evpmd(x) NULL +#endif void derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]); diff --git a/kexecdh.c b/kexecdh.c index f59d7b903..4c58a5122 100644 --- a/kexecdh.c +++ b/kexecdh.c @@ -26,6 +26,8 @@ #include "includes.h" +#ifdef OPENSSL_HAS_ECC + #include #include @@ -116,3 +118,4 @@ kex_ecdh_hash( *hashlen = EVP_MD_size(evp_md); } +#endif /* OPENSSL_HAS_ECC */ diff --git a/kexecdhc.c b/kexecdhc.c index 7ac7b1ee2..297a0e5a9 100644 --- a/kexecdhc.c +++ b/kexecdhc.c @@ -32,8 +32,6 @@ #include #include -#include - #include "xmalloc.h" #include "buffer.h" #include "key.h" @@ -44,6 +42,10 @@ #include "dh.h" #include "ssh2.h" +#ifdef OPENSSL_HAS_ECC + +#include + void kexecdh_client(Kex *kex) { @@ -156,3 +158,10 @@ kexecdh_client(Kex *kex) BN_clear_free(shared_secret); kex_finish(kex); } +#else /* OPENSSL_HAS_ECC */ +void +kexecdh_client(Kex *kex) +{ + fatal("ECC support is not enabled"); +} +#endif /* OPENSSL_HAS_ECC */ diff --git a/kexecdhs.c b/kexecdhs.c index e49a0ef37..d2c3feb09 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -30,8 +30,6 @@ #include #include -#include - #include "xmalloc.h" #include "buffer.h" #include "key.h" @@ -46,6 +44,10 @@ #endif #include "monitor_wrap.h" +#ifdef OPENSSL_HAS_ECC + +#include + void kexecdh_server(Kex *kex) { @@ -161,3 +163,10 @@ kexecdh_server(Kex *kex) BN_clear_free(shared_secret); kex_finish(kex); } +#else /* OPENSSL_HAS_ECC */ +void +kexecdh_server(Kex *kex) +{ + fatal("ECC support is not enabled"); +} +#endif /* OPENSSL_HAS_ECC */ diff --git a/key.c b/key.c index b9dc2355b..3cda8f2cb 100644 --- a/key.c +++ b/key.c @@ -111,10 +111,12 @@ key_new(int type) fatal("key_new: BN_new failed"); k->dsa = dsa; break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: case KEY_ECDSA_CERT: /* Cannot do anything until we know the group */ break; +#endif case KEY_UNSPEC: break; default: @@ -214,12 +216,14 @@ key_free(Key *k) DSA_free(k->dsa); k->dsa = NULL; break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: case KEY_ECDSA_CERT: if (k->ecdsa != NULL) EC_KEY_free(k->ecdsa); k->ecdsa = NULL; break; +#endif case KEY_UNSPEC: break; default: @@ -279,6 +283,7 @@ key_equal_public(const Key *a, const Key *b) BN_cmp(a->dsa->q, b->dsa->q) == 0 && BN_cmp(a->dsa->g, b->dsa->g) == 0 && BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: case KEY_ECDSA: if (a->ecdsa == NULL || b->ecdsa == NULL || @@ -297,6 +302,7 @@ key_equal_public(const Key *a, const Key *b) } BN_CTX_free(bnctx); return 1; +#endif /* OPENSSL_HAS_ECC */ default: fatal("key_equal: bad key type %d", a->type); } @@ -695,11 +701,13 @@ key_read(Key *ret, char **cpp) } *space = '\0'; type = key_type_from_name(cp); +#ifdef OPENSSL_HAS_ECC if (key_type_plain(type) == KEY_ECDSA && (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) { debug("key_read: invalid curve"); return -1; } +#endif *space = ' '; if (type == KEY_UNSPEC) { debug3("key_read: missing keytype"); @@ -736,12 +744,14 @@ key_read(Key *ret, char **cpp) key_free(k); return -1; } +#ifdef OPENSSL_HAS_ECC if (key_type_plain(type) == KEY_ECDSA && curve_nid != k->ecdsa_nid) { error("key_read: type mismatch: EC curve mismatch"); key_free(k); return -1; } +#endif /*XXXX*/ if (key_is_cert(ret)) { if (!key_is_cert(k)) { @@ -772,6 +782,7 @@ key_read(Key *ret, char **cpp) DSA_print_fp(stderr, ret->dsa, 8); #endif } +#ifdef OPENSSL_HAS_ECC if (key_type_plain(ret->type) == KEY_ECDSA) { if (ret->ecdsa != NULL) EC_KEY_free(ret->ecdsa); @@ -783,6 +794,7 @@ key_read(Key *ret, char **cpp) key_dump_ec_key(ret->ecdsa); #endif } +#endif success = 1; /*XXXX*/ key_free(k); @@ -839,11 +851,13 @@ key_write(const Key *key, FILE *f) if (key->dsa == NULL) return 0; break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: case KEY_ECDSA_CERT: if (key->ecdsa == NULL) return 0; break; +#endif case KEY_RSA: case KEY_RSA_CERT_V00: case KEY_RSA_CERT: @@ -877,8 +891,10 @@ key_type(const Key *k) return "RSA"; case KEY_DSA: return "DSA"; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: return "ECDSA"; +#endif case KEY_RSA_CERT_V00: return "RSA-CERT-V00"; case KEY_DSA_CERT_V00: @@ -887,8 +903,10 @@ key_type(const Key *k) return "RSA-CERT"; case KEY_DSA_CERT: return "DSA-CERT"; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: return "ECDSA-CERT"; +#endif } return "unknown"; } @@ -922,6 +940,7 @@ key_ssh_name_from_type_nid(int type, int nid) return "ssh-rsa-cert-v01@openssh.com"; case KEY_DSA_CERT: return "ssh-dss-cert-v01@openssh.com"; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: switch (nid) { case NID_X9_62_prime256v1: @@ -946,6 +965,7 @@ key_ssh_name_from_type_nid(int type, int nid) break; } break; +#endif /* OPENSSL_HAS_ECC */ } return "ssh-unknown"; } @@ -976,9 +996,11 @@ key_size(const Key *k) case KEY_DSA_CERT_V00: case KEY_DSA_CERT: return BN_num_bits(k->dsa->p); +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: case KEY_ECDSA_CERT: return key_curve_nid_to_bits(k->ecdsa_nid); +#endif } return 0; } @@ -1012,17 +1034,20 @@ int key_ecdsa_bits_to_nid(int bits) { switch (bits) { +#ifdef OPENSSL_HAS_ECC case 256: return NID_X9_62_prime256v1; case 384: return NID_secp384r1; case 521: return NID_secp521r1; +#endif default: return -1; } } +#ifdef OPENSSL_HAS_ECC /* * This is horrid, but OpenSSL's PEM_read_PrivateKey seems not to restore * the EC_GROUP nid when loading a key... @@ -1070,6 +1095,7 @@ ecdsa_generate_private_key(u_int bits, int *nid) fatal("%s: EC_KEY_generate_key failed", __func__); return private; } +#endif /* OPENSSL_HAS_ECC */ Key * key_generate(int type, u_int bits) @@ -1079,9 +1105,11 @@ key_generate(int type, u_int bits) case KEY_DSA: k->dsa = dsa_generate_private_key(bits); break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid); break; +#endif case KEY_RSA: case KEY_RSA1: k->rsa = rsa_generate_private_key(bits); @@ -1158,6 +1186,7 @@ key_from_private(const Key *k) (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) fatal("key_from_private: BN_copy failed"); break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: case KEY_ECDSA_CERT: n = key_new(k->type); @@ -1168,6 +1197,7 @@ key_from_private(const Key *k) EC_KEY_get0_public_key(k->ecdsa)) != 1) fatal("%s: EC_KEY_set_public_key failed", __func__); break; +#endif case KEY_RSA: case KEY_RSA1: case KEY_RSA_CERT_V00: @@ -1199,11 +1229,13 @@ key_type_from_name(char *name) return KEY_RSA; } else if (strcmp(name, "ssh-dss") == 0) { return KEY_DSA; +#ifdef OPENSSL_HAS_ECC } else if (strcmp(name, "ecdsa") == 0 || strcmp(name, "ecdsa-sha2-nistp256") == 0 || strcmp(name, "ecdsa-sha2-nistp384") == 0 || strcmp(name, "ecdsa-sha2-nistp521") == 0) { return KEY_ECDSA; +#endif } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) { return KEY_RSA_CERT_V00; } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { @@ -1212,10 +1244,13 @@ key_type_from_name(char *name) return KEY_RSA_CERT; } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { return KEY_DSA_CERT; +#ifdef OPENSSL_HAS_ECC } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 || strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 || - strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) + strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { return KEY_ECDSA_CERT; +#endif + } debug2("key_type_from_name: unknown key type '%s'", name); return KEY_UNSPEC; @@ -1224,6 +1259,7 @@ key_type_from_name(char *name) int key_ecdsa_nid_from_name(const char *name) { +#ifdef OPENSSL_HAS_ECC if (strcmp(name, "ecdsa-sha2-nistp256") == 0 || strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0) return NID_X9_62_prime256v1; @@ -1233,6 +1269,7 @@ key_ecdsa_nid_from_name(const char *name) if (strcmp(name, "ecdsa-sha2-nistp521") == 0 || strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) return NID_secp521r1; +#endif /* OPENSSL_HAS_ECC */ debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name); return -1; @@ -1403,7 +1440,9 @@ key_from_blob(const u_char *blob, u_int blen) int rlen, type, nid = -1; char *ktype = NULL, *curve = NULL; Key *key = NULL; +#ifdef OPENSSL_HAS_ECC EC_POINT *q = NULL; +#endif #ifdef DEBUG_PK dump_base64(stderr, blob, blen); @@ -1416,8 +1455,10 @@ key_from_blob(const u_char *blob, u_int blen) } type = key_type_from_name(ktype); +#ifdef OPENSSL_HAS_ECC if (key_type_plain(type) == KEY_ECDSA) nid = key_ecdsa_nid_from_name(ktype); +#endif switch (type) { case KEY_RSA_CERT: @@ -1455,6 +1496,7 @@ key_from_blob(const u_char *blob, u_int blen) DSA_print_fp(stderr, key->dsa, 8); #endif break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ /* FALLTHROUGH */ @@ -1490,6 +1532,7 @@ key_from_blob(const u_char *blob, u_int blen) key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); #endif break; +#endif /* OPENSSL_HAS_ECC */ case KEY_UNSPEC: key = key_new(type); break; @@ -1509,8 +1552,10 @@ key_from_blob(const u_char *blob, u_int blen) xfree(ktype); if (curve != NULL) xfree(curve); +#ifdef OPENSSL_HAS_ECC if (q != NULL) EC_POINT_free(q); +#endif buffer_free(&b); return key; } @@ -1543,12 +1588,14 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp) buffer_put_bignum2(&b, key->dsa->g); buffer_put_bignum2(&b, key->dsa->pub_key); break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: buffer_put_cstring(&b, key_ssh_name(key)); buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid)); buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa), EC_KEY_get0_public_key(key->ecdsa)); break; +#endif case KEY_RSA: buffer_put_cstring(&b, key_ssh_name(key)); buffer_put_bignum2(&b, key->rsa->e); @@ -1582,9 +1629,11 @@ key_sign( case KEY_DSA_CERT: case KEY_DSA: return ssh_dss_sign(key, sigp, lenp, data, datalen); +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: case KEY_ECDSA: return ssh_ecdsa_sign(key, sigp, lenp, data, datalen); +#endif case KEY_RSA_CERT_V00: case KEY_RSA_CERT: case KEY_RSA: @@ -1613,9 +1662,11 @@ key_verify( case KEY_DSA_CERT: case KEY_DSA: return ssh_dss_verify(key, signature, signaturelen, data, datalen); +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: case KEY_ECDSA: return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen); +#endif case KEY_RSA_CERT_V00: case KEY_RSA_CERT: case KEY_RSA: @@ -1670,6 +1721,7 @@ key_demote(const Key *k) if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) fatal("key_demote: BN_dup failed"); break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: key_cert_copy(k, pk); /* FALLTHROUGH */ @@ -1680,6 +1732,7 @@ key_demote(const Key *k) EC_KEY_get0_public_key(k->ecdsa)) != 1) fatal("key_demote: EC_KEY_set_public_key failed"); break; +#endif default: fatal("key_free: bad key type %d", k->type); break; @@ -1819,6 +1872,7 @@ key_certify(Key *k, Key *ca) buffer_put_bignum2(&k->cert->certblob, k->dsa->g); buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key); break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: buffer_put_cstring(&k->cert->certblob, key_curve_nid_to_name(k->ecdsa_nid)); @@ -1826,6 +1880,7 @@ key_certify(Key *k, Key *ca) EC_KEY_get0_group(k->ecdsa), EC_KEY_get0_public_key(k->ecdsa)); break; +#endif case KEY_RSA_CERT_V00: case KEY_RSA_CERT: buffer_put_bignum2(&k->cert->certblob, k->rsa->e); @@ -1955,12 +2010,14 @@ key_cert_is_legacy(Key *k) int key_curve_name_to_nid(const char *name) { +#ifdef OPENSSL_HAS_ECC if (strcmp(name, "nistp256") == 0) return NID_X9_62_prime256v1; else if (strcmp(name, "nistp384") == 0) return NID_secp384r1; else if (strcmp(name, "nistp521") == 0) return NID_secp521r1; +#endif debug("%s: unsupported EC curve name \"%.100s\"", __func__, name); return -1; @@ -1970,12 +2027,14 @@ u_int key_curve_nid_to_bits(int nid) { switch (nid) { +#ifdef OPENSSL_HAS_ECC case NID_X9_62_prime256v1: return 256; case NID_secp384r1: return 384; case NID_secp521r1: return 521; +#endif default: error("%s: unsupported EC curve nid %d", __func__, nid); return 0; @@ -1985,17 +2044,19 @@ key_curve_nid_to_bits(int nid) const char * key_curve_nid_to_name(int nid) { +#ifdef OPENSSL_HAS_ECC if (nid == NID_X9_62_prime256v1) return "nistp256"; else if (nid == NID_secp384r1) return "nistp384"; else if (nid == NID_secp521r1) return "nistp521"; - +#endif error("%s: unsupported EC curve nid %d", __func__, nid); return NULL; } +#ifdef OPENSSL_HAS_ECC const EVP_MD * key_ec_nid_to_evpmd(int nid) { @@ -2180,4 +2241,4 @@ key_dump_ec_key(const EC_KEY *key) fputs("\n", stderr); } #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */ - +#endif /* OPENSSL_HAS_ECC */ diff --git a/key.h b/key.h index ba1a20c07..86a1d889c 100644 --- a/key.h +++ b/key.h @@ -29,7 +29,9 @@ #include "buffer.h" #include #include +#ifdef OPENSSL_HAS_ECC #include +#endif typedef struct Key Key; enum types { @@ -77,7 +79,11 @@ struct Key { RSA *rsa; DSA *dsa; int ecdsa_nid; /* NID of curve */ +#ifdef OPENSSL_HAS_ECC EC_KEY *ecdsa; +#else + void *ecdsa; +#endif struct KeyCert *cert; }; @@ -114,10 +120,12 @@ int key_curve_name_to_nid(const char *); const char * key_curve_nid_to_name(int); u_int key_curve_nid_to_bits(int); int key_ecdsa_bits_to_nid(int); +#ifdef OPENSSL_HAS_ECC int key_ecdsa_group_to_nid(const EC_GROUP *); const EVP_MD * key_ec_nid_to_evpmd(int nid); int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); int key_ec_validate_private(const EC_KEY *); +#endif Key *key_from_blob(const u_char *, u_int); int key_to_blob(const Key *, u_char **, u_int *); @@ -135,7 +143,7 @@ int ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int) int ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int); int ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int); -#if defined(DEBUG_KEXECDH) || defined(DEBUG_PK) +#if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK)) void key_dump_ec_point(const EC_GROUP *, const EC_POINT *); void key_dump_ec_key(const EC_KEY *); #endif diff --git a/myproposal.h b/myproposal.h index 5daca533b..893190788 100644 --- a/myproposal.h +++ b/myproposal.h @@ -26,44 +26,49 @@ #include +#ifdef OPENSSL_HAS_ECC +# define KEX_ECDH_METHODS \ + "ecdh-sha2-nistp256," \ + "ecdh-sha2-nistp384," \ + "ecdh-sha2-nistp521," +# define HOSTKEY_ECDSA_CERT_METHODS \ + "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp521-cert-v01@openssh.com," +# define HOSTKEY_ECDSA_METHODS \ + "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp521," +#else +# define KEX_ECDH_METHODS +# define HOSTKEY_ECDSA_CERT_METHODS +# define HOSTKEY_ECDSA_METHODS +#endif + /* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ #if OPENSSL_VERSION_NUMBER < 0x00907000L -# define KEX_DEFAULT_KEX \ - "diffie-hellman-group-exchange-sha1," \ - "diffie-hellman-group14-sha1," \ - "diffie-hellman-group1-sha1" - -#define KEX_DEFAULT_PK_ALG \ - "ssh-rsa-cert-v01@openssh.com," \ - "ssh-dss-cert-v01@openssh.com," \ - "ssh-rsa-cert-v00@openssh.com," \ - "ssh-dss-cert-v00@openssh.com," \ - "ssh-rsa," \ - "ssh-dss" +# define KEX_SHA256_METHODS \ + "diffie-hellman-group-exchange-sha1," #else -# define KEX_DEFAULT_KEX \ - "ecdh-sha2-nistp256," \ - "ecdh-sha2-nistp384," \ - "ecdh-sha2-nistp521," \ - "diffie-hellman-group-exchange-sha256," \ +# define KEX_SHA256_METHODS +#endif + +# define KEX_DEFAULT_KEX \ + KEX_ECDH_METHODS \ + KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha1," \ "diffie-hellman-group14-sha1," \ "diffie-hellman-group1-sha1" #define KEX_DEFAULT_PK_ALG \ - "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ - "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ - "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ + HOSTKEY_ECDSA_CERT_METHODS \ "ssh-rsa-cert-v01@openssh.com," \ "ssh-dss-cert-v01@openssh.com," \ "ssh-rsa-cert-v00@openssh.com," \ "ssh-dss-cert-v00@openssh.com," \ - "ecdsa-sha2-nistp256," \ - "ecdsa-sha2-nistp384," \ - "ecdsa-sha2-nistp521," \ + HOSTKEY_ECDSA_METHODS \ "ssh-rsa," \ "ssh-dss" -#endif #define KEX_DEFAULT_ENCRYPT \ "aes128-ctr,aes192-ctr,aes256-ctr," \ diff --git a/packet.c b/packet.c index a06c5e3ef..0018d5839 100644 --- a/packet.c +++ b/packet.c @@ -641,11 +641,13 @@ packet_put_bignum2(BIGNUM * value) buffer_put_bignum2(&active_state->outgoing_packet, value); } +#ifdef OPENSSL_HAS_ECC void packet_put_ecpoint(const EC_GROUP *curve, const EC_POINT *point) { buffer_put_ecpoint(&active_state->outgoing_packet, curve, point); } +#endif /* * Finalizes and sends the packet. If the encryption key has been set, @@ -1517,11 +1519,13 @@ packet_get_bignum2(BIGNUM * value) buffer_get_bignum2(&active_state->incoming_packet, value); } +#ifdef OPENSSL_HAS_ECC void packet_get_ecpoint(const EC_GROUP *curve, EC_POINT *point) { buffer_get_ecpoint(&active_state->incoming_packet, curve, point); } +#endif void * packet_get_raw(u_int *length_ptr) diff --git a/readconf.c b/readconf.c index 98ce3017f..586422930 100644 --- a/readconf.c +++ b/readconf.c @@ -1214,12 +1214,13 @@ fill_default_options(Options * options) xmalloc(len); snprintf(options->identity_files[options->num_identity_files++], len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA); - +#ifdef OPENSSL_HAS_ECC len = 2 + strlen(_PATH_SSH_CLIENT_ID_ECDSA) + 1; options->identity_files[options->num_identity_files] = xmalloc(len); snprintf(options->identity_files[options->num_identity_files++], len, "~/%.100s", _PATH_SSH_CLIENT_ID_ECDSA); +#endif } } if (options->escape_char == -1) diff --git a/ssh-agent.c b/ssh-agent.c index 87939b2b6..8f19fb157 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -468,8 +468,10 @@ process_add_identity(SocketEntry *e, int version) int type, success = 0, death = 0, confirm = 0; char *type_name, *comment, *curve; Key *k = NULL; +#ifdef OPENSSL_HAS_ECC BIGNUM *exponent; EC_POINT *q; +#endif u_char *cert; u_int len; @@ -510,6 +512,7 @@ process_add_identity(SocketEntry *e, int version) key_add_private(k); buffer_get_bignum2(&e->request, k->dsa->priv_key); break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: k = key_new_private(type); k->ecdsa_nid = key_ecdsa_nid_from_name(type_name); @@ -561,6 +564,7 @@ process_add_identity(SocketEntry *e, int version) fatal("%s: bad ECDSA key", __func__); BN_clear_free(exponent); break; +#endif /* OPENSSL_HAS_ECC */ case KEY_RSA: k = key_new_private(type); buffer_get_bignum2(&e->request, k->rsa->n); diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index 5c4ce2311..c8276b460 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c @@ -26,6 +26,8 @@ #include "includes.h" +#ifdef OPENSSL_HAS_ECC + #include #include @@ -162,3 +164,5 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error"); return ret; } + +#endif /* OPENSSL_HAS_ECC */ diff --git a/ssh-keygen.c b/ssh-keygen.c index 43b8c7f97..bbd434b0b 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -265,10 +265,12 @@ do_convert_to_pkcs8(Key *k) if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) fatal("PEM_write_DSA_PUBKEY failed"); break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) fatal("PEM_write_EC_PUBKEY failed"); break; +#endif default: fatal("%s: unsupported key type %s", __func__, key_type(k)); } @@ -549,6 +551,7 @@ do_convert_from_pkcs8(Key **k, int *private) (*k)->type = KEY_DSA; (*k)->dsa = EVP_PKEY_get1_DSA(pubkey); break; +#ifdef OPENSSL_HAS_ECC case EVP_PKEY_EC: *k = key_new(KEY_UNSPEC); (*k)->type = KEY_ECDSA; @@ -556,6 +559,7 @@ do_convert_from_pkcs8(Key **k, int *private) (*k)->ecdsa_nid = key_ecdsa_group_to_nid( EC_KEY_get0_group((*k)->ecdsa)); break; +#endif default: fatal("%s: unsupported pubkey type %d", __func__, EVP_PKEY_type(pubkey->type)); @@ -632,10 +636,12 @@ do_convert_from(struct passwd *pw) ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL); break; +#ifdef OPENSSL_HAS_ECC case KEY_ECDSA: ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL, NULL, 0, NULL, NULL); break; +#endif case KEY_RSA: ok = PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, NULL, 0, NULL, NULL); diff --git a/ssh.c b/ssh.c index 51c68d7da..3ade744b6 100644 --- a/ssh.c +++ b/ssh.c @@ -783,20 +783,26 @@ main(int ac, char **av) sensitive_data.nkeys = 7; sensitive_data.keys = xcalloc(sensitive_data.nkeys, sizeof(Key)); + for (i = 0; i < sensitive_data.nkeys; i++) + sensitive_data.keys[i] = NULL; PRIV_START; sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, _PATH_HOST_KEY_FILE, "", NULL, NULL); sensitive_data.keys[1] = key_load_private_cert(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, "", NULL); +#ifdef OPENSSL_HAS_ECC sensitive_data.keys[2] = key_load_private_cert(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, "", NULL); +#endif sensitive_data.keys[3] = key_load_private_cert(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, "", NULL); sensitive_data.keys[4] = key_load_private_type(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL); +#ifdef OPENSSL_HAS_ECC sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL); +#endif sensitive_data.keys[6] = key_load_private_type(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL); PRIV_END; @@ -808,14 +814,18 @@ main(int ac, char **av) sensitive_data.keys[6] == NULL) { sensitive_data.keys[1] = key_load_cert( _PATH_HOST_DSA_KEY_FILE); +#ifdef OPENSSL_HAS_ECC sensitive_data.keys[2] = key_load_cert( _PATH_HOST_ECDSA_KEY_FILE); +#endif sensitive_data.keys[3] = key_load_cert( _PATH_HOST_RSA_KEY_FILE); sensitive_data.keys[4] = key_load_public( _PATH_HOST_DSA_KEY_FILE, NULL); +#ifdef OPENSSL_HAS_ECC sensitive_data.keys[5] = key_load_public( _PATH_HOST_ECDSA_KEY_FILE, NULL); +#endif sensitive_data.keys[6] = key_load_public( _PATH_HOST_RSA_KEY_FILE, NULL); sensitive_data.external_keysign = 1; -- cgit v1.2.3 From d5f62bf280b0798d7009d4424594a648a4e887fb Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 24 Sep 2010 22:11:14 +1000 Subject: - djm@cvs.openbsd.org 2010/09/22 05:01:30 [kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@ --- ChangeLog | 7 +++++++ kex.c | 30 +++++++++++++++++++++++++++++- kex.h | 7 +++++-- kexecdh.c | 12 ++++-------- kexecdhc.c | 5 +++-- kexecdhs.c | 5 +++-- readconf.c | 18 +++++++++++++++++- readconf.h | 3 ++- servconf.c | 17 ++++++++++++++++- servconf.h | 3 ++- ssh_config.5 | 15 +++++++++++++-- sshconnect2.c | 4 +++- sshd.c | 4 +++- sshd_config.5 | 15 +++++++++++++-- 14 files changed, 120 insertions(+), 25 deletions(-) (limited to 'kexecdh.c') diff --git a/ChangeLog b/ChangeLog index 7d9e994d1..5cb4c880d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,13 @@ either ready or stale without races. stale server sockets are now automatically removed ok deraadt + - djm@cvs.openbsd.org 2010/09/22 05:01:30 + [kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] + [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] + add a KexAlgorithms knob to the client and server configuration to allow + selection of which key exchange methods are used by ssh(1) and sshd(8) + and their order of preference. + ok markus@ 20100910 - (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exact diff --git a/kex.c b/kex.c index 7c8763191..c65e28f94 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.85 2010/09/09 10:45:45 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.86 2010/09/22 05:01:29 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -62,6 +62,34 @@ extern const EVP_MD *evp_ssh_sha256(void); static void kex_kexinit_finish(Kex *); static void kex_choose_conf(Kex *); +/* Validate KEX method name list */ +int +kex_names_valid(const char *names) +{ + char *s, *cp, *p; + + if (names == NULL || strcmp(names, "") == 0) + return 0; + s = cp = xstrdup(names); + for ((p = strsep(&cp, ",")); p && *p != '\0'; + (p = strsep(&cp, ","))) { + if (strcmp(p, KEX_DHGEX_SHA256) != 0 && + strcmp(p, KEX_DHGEX_SHA1) != 0 && + strcmp(p, KEX_DH14) != 0 && + strcmp(p, KEX_DH1) != 0 && + (strncmp(p, KEX_ECDH_SHA2_STEM, + sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 || + kex_ecdh_name_to_nid(p) == -1)) { + error("Unsupported KEX algorithm \"%.100s\"", p); + xfree(s); + return 0; + } + } + debug3("kex names ok: [%s]", names); + xfree(s); + return 1; +} + /* put algorithm proposal into buffer */ static void kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) diff --git a/kex.h b/kex.h index 3e312fb44..7373d3c78 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.51 2010/09/09 10:45:45 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.52 2010/09/22 05:01:29 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -138,6 +138,8 @@ struct Kex { void (*kex[KEX_MAX])(Kex *); }; +int kex_names_valid(const char *); + Kex *kex_setup(char *[PROPOSAL_MAX]); void kex_finish(Kex *); @@ -169,7 +171,8 @@ kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int, int kex_ecdh_name_to_nid(const char *); const EVP_MD *kex_ecdh_name_to_evpmd(const char *); #else -# define kex_ecdh_name_to_evpmd(x) NULL +# define kex_ecdh_name_to_nid(x) (-1) +# define kex_ecdh_name_to_evpmd(x) (NULL) #endif void diff --git a/kexecdh.c b/kexecdh.c index 4c58a5122..f13f69d3b 100644 --- a/kexecdh.c +++ b/kexecdh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdh.c,v 1.2 2010/09/09 10:45:45 djm Exp $ */ +/* $OpenBSD: kexecdh.c,v 1.3 2010/09/22 05:01:29 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -48,15 +48,9 @@ int kex_ecdh_name_to_nid(const char *kexname) { - int ret; - if (strlen(kexname) < sizeof(KEX_ECDH_SHA2_STEM) - 1) fatal("%s: kexname too short \"%s\"", __func__, kexname); - ret = key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1); - if (ret == -1) - fatal("%s: unsupported curve negotiated \"%s\"", __func__, - kexname); - return ret; + return key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1); } const EVP_MD * @@ -64,6 +58,8 @@ kex_ecdh_name_to_evpmd(const char *kexname) { int nid = kex_ecdh_name_to_nid(kexname); + if (nid == -1) + fatal("%s: unsupported ECDH curve \"%s\"", __func__, kexname); return key_ec_nid_to_evpmd(nid); } diff --git a/kexecdhc.c b/kexecdhc.c index 297a0e5a9..115d4bf83 100644 --- a/kexecdhc.c +++ b/kexecdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhc.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: kexecdhc.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -59,7 +59,8 @@ kexecdh_client(Kex *kex) u_int klen, slen, sbloblen, hashlen; int curve_nid; - curve_nid = kex_ecdh_name_to_nid(kex->name); + if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) + fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); if ((client_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", __func__); if (EC_KEY_generate_key(client_key) != 1) diff --git a/kexecdhs.c b/kexecdhs.c index d2c3feb09..8c515dfa6 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -61,7 +61,8 @@ kexecdh_server(Kex *kex) u_int klen, slen, sbloblen, hashlen; int curve_nid; - curve_nid = kex_ecdh_name_to_nid(kex->name); + if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) + fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", __func__); if (EC_KEY_generate_key(server_key) != 1) diff --git a/readconf.c b/readconf.c index 586422930..da7efd193 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.188 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.189 2010/09/22 05:01:29 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -132,6 +132,7 @@ typedef enum { oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, + oKexAlgorithms, oDeprecated, oUnsupported } OpCodes; @@ -240,6 +241,7 @@ static struct { #else { "zeroknowledgepasswordauthentication", oUnsupported }, #endif + { "kexalgorithms", oKexAlgorithms }, { NULL, oBadOption } }; @@ -699,6 +701,18 @@ parse_int: options->macs = xstrdup(arg); break; + case oKexAlgorithms: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", + filename, linenum); + if (!kex_names_valid(arg)) + fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", + filename, linenum, arg ? arg : ""); + if (*activep && options->kex_algorithms == NULL) + options->kex_algorithms = xstrdup(arg); + break; + case oHostKeyAlgorithms: arg = strdelim(&s); if (!arg || *arg == '\0') @@ -1078,6 +1092,7 @@ initialize_options(Options * options) options->cipher = -1; options->ciphers = NULL; options->macs = NULL; + options->kex_algorithms = NULL; options->hostkeyalgorithms = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->num_identity_files = 0; @@ -1191,6 +1206,7 @@ fill_default_options(Options * options) options->cipher = SSH_CIPHER_NOT_SET; /* options->ciphers, default set in myproposals.h */ /* options->macs, default set in myproposals.h */ + /* options->kex_algorithms, default set in myproposals.h */ /* options->hostkeyalgorithms, default set in myproposals.h */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_2; diff --git a/readconf.h b/readconf.h index 95d104674..ae61466df 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.86 2010/07/19 09:15:12 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.87 2010/09/22 05:01:29 djm Exp $ */ /* * Author: Tatu Ylonen @@ -73,6 +73,7 @@ typedef struct { char *ciphers; /* SSH2 ciphers in order of preference. */ char *macs; /* SSH2 macs in order of preference. */ char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ + char *kex_algorithms; /* SSH2 kex methods in order of preference. */ int protocol; /* Protocol in order of preference. */ char *hostname; /* Real host to connect. */ char *host_key_alias; /* hostname alias for .ssh/known_hosts */ diff --git a/servconf.c b/servconf.c index def6b716a..d26a7db05 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.210 2010/09/01 15:21:35 naddy Exp $ */ +/* $OpenBSD: servconf.c,v 1.211 2010/09/22 05:01:29 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -109,6 +109,7 @@ initialize_server_options(ServerOptions *options) options->num_deny_groups = 0; options->ciphers = NULL; options->macs = NULL; + options->kex_algorithms = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->gateway_ports = -1; options->num_subsystems = 0; @@ -314,6 +315,7 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, + sKexAlgorithms, sDeprecated, sUnsupported } ServerOpCodes; @@ -436,6 +438,7 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, + { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; @@ -1131,6 +1134,18 @@ process_server_config_line(ServerOptions *options, char *line, options->macs = xstrdup(arg); break; + case sKexAlgorithms: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", + filename, linenum); + if (!kex_names_valid(arg)) + fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", + filename, linenum, arg ? arg : ""); + if (options->kex_algorithms == NULL) + options->kex_algorithms = xstrdup(arg); + break; + case sProtocol: intptr = &options->protocol; arg = strdelim(&cp); diff --git a/servconf.h b/servconf.h index 45d2a2ae3..ad13f2edd 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.93 2010/05/07 11:30:30 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.94 2010/09/22 05:01:29 djm Exp $ */ /* * Author: Tatu Ylonen @@ -72,6 +72,7 @@ typedef struct { int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */ char *ciphers; /* Supported SSH2 ciphers. */ char *macs; /* Supported SSH2 macs. */ + char *kex_algorithms; /* SSH2 kex methods in order of preference. */ int protocol; /* Supported protocol versions. */ int gateway_ports; /* If true, allow remote connects to forwarded ports. */ SyslogFacility log_facility; /* Facility for system logging. */ diff --git a/ssh_config.5 b/ssh_config.5 index 33038ffcf..6e49842a7 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.139 2010/08/31 11:54:45 djm Exp $ -.Dd $Mdocdate: August 31 2010 $ +.\" $OpenBSD: ssh_config.5,v 1.140 2010/09/22 05:01:29 djm Exp $ +.Dd $Mdocdate: September 22 2010 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -646,6 +646,17 @@ it may be zero or more of: .Dq pam , and .Dq skey . +.It Cm KexAlgorithms +Specifies the available KEX (Key Exchange) algorithms. +Multiple algorithms must be comma-separated. +The default is +.Dq ecdh-sha2-nistp256 , +.Dq ecdh-sha2-nistp384 , +.Dq ecdh-sha2-nistp521 , +.Dq diffie-hellman-group-exchange-sha256 , +.Dq diffie-hellman-group-exchange-sha1 , +.Dq diffie-hellman-group14-sha1 , +.Dq diffie-hellman-group1-sha1 . .It Cm LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. diff --git a/sshconnect2.c b/sshconnect2.c index a31a663d4..6fe356cca 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.184 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.185 2010/09/22 05:01:29 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -135,6 +135,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = options.hostkeyalgorithms; + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; if (options.rekey_limit) packet_set_rekey_limit((u_int32_t)options.rekey_limit); diff --git a/sshd.c b/sshd.c index 7995f5a1d..5d4d14ae2 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.379 2010/08/31 12:33:38 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.380 2010/09/22 05:01:29 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2297,6 +2297,8 @@ do_ssh2_kex(void) myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; } + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); diff --git a/sshd_config.5 b/sshd_config.5 index af3d89b80..d87f60246 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.126 2010/08/31 11:54:45 djm Exp $ -.Dd $Mdocdate: August 31 2010 $ +.\" $OpenBSD: sshd_config.5,v 1.127 2010/09/22 05:01:30 djm Exp $ +.Dd $Mdocdate: September 22 2010 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -538,6 +538,17 @@ Specifies whether to automatically destroy the user's ticket cache file on logout. The default is .Dq yes . +.It Cm KexAlgorithms +Specifies the available KEX (Key Exchange) algorithms. +Multiple algorithms must be comma-separated. +The default is +.Dq ecdh-sha2-nistp256 , +.Dq ecdh-sha2-nistp384 , +.Dq ecdh-sha2-nistp521 , +.Dq diffie-hellman-group-exchange-sha256 , +.Dq diffie-hellman-group-exchange-sha1 , +.Dq diffie-hellman-group14-sha1 , +.Dq diffie-hellman-group1-sha1 . .It Cm KeyRegenerationInterval In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). -- cgit v1.2.3