search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
remove unused variable
[dropbear.git] / common-kex.c
blob8c47a48cb392cb790a6525a19b85c2deeed5ecac
1 /*
2 * Dropbear SSH
3 *
4 * Copyright (c) 2002-2004 Matt Johnston
5 * Portions Copyright (c) 2004 by Mihnea Stoenescu
6 * All rights reserved.
7 *
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
14 *
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24 * SOFTWARE. */
25
26 #include "includes.h"
27 #include "dbutil.h"
28 #include "algo.h"
29 #include "buffer.h"
30 #include "session.h"
31 #include "kex.h"
32 #include "ssh.h"
33 #include "packet.h"
34 #include "bignum.h"
35 #include "random.h"
36 #include "runopts.h"
37
38 /* diffie-hellman-group1-sha1 value for p */
39 static const unsigned char dh_p_val[] = {
40 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
41 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
42 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
43 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
44 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
45 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
46 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
47 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
48 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
49 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
50 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
51 #define DH_P_LEN sizeof(dh_p_val)
52
53 static const int DH_G_VAL = 2;
54
55 static void kexinitialise();
56 void gen_new_keys();
57 #ifndef DISABLE_ZLIB
58 static void gen_new_zstreams();
59 #endif
60 static void read_kex_algos();
61 /* helper function for gen_new_keys */
62 static void hashkeys(unsigned char *out, int outlen,
63 const hash_state * hs, unsigned const char X);
64
65
66 /* Send our list of algorithms we can use */
67 void send_msg_kexinit() {
68
69 CHECKCLEARTOWRITE();
70 buf_putbyte(ses.writepayload, SSH_MSG_KEXINIT);
71
72 /* cookie */
73 genrandom(buf_getwriteptr(ses.writepayload, 16), 16);
74 buf_incrwritepos(ses.writepayload, 16);
75
76 /* kex algos */
77 buf_put_algolist(ses.writepayload, sshkex);
78
79 /* server_host_key_algorithms */
80 buf_put_algolist(ses.writepayload, sshhostkey);
81
82 /* encryption_algorithms_client_to_server */
83 buf_put_algolist(ses.writepayload, sshciphers);
84
85 /* encryption_algorithms_server_to_client */
86 buf_put_algolist(ses.writepayload, sshciphers);
87
88 /* mac_algorithms_client_to_server */
89 buf_put_algolist(ses.writepayload, sshhashes);
90
91 /* mac_algorithms_server_to_client */
92 buf_put_algolist(ses.writepayload, sshhashes);
93
94 /* compression_algorithms_client_to_server */
95 buf_put_algolist(ses.writepayload, ses.compress_algos);
96
97 /* compression_algorithms_server_to_client */
98 buf_put_algolist(ses.writepayload, ses.compress_algos);
99
100 /* languages_client_to_server */
101 buf_putstring(ses.writepayload, "", 0);
102
103 /* languages_server_to_client */
104 buf_putstring(ses.writepayload, "", 0);
105
106 /* first_kex_packet_follows - unimplemented for now */
107 buf_putbyte(ses.writepayload, 0x00);
108
109 /* reserved unit32 */
110 buf_putint(ses.writepayload, 0);
111
112 /* set up transmitted kex packet buffer for hashing.
113 * This is freed after the end of the kex */
114 ses.transkexinit = buf_newcopy(ses.writepayload);
115
116 encrypt_packet();
117 ses.dataallowed = 0; /* don't send other packets during kex */
118
119 TRACE(("DATAALLOWED=0"))
120 TRACE(("-> KEXINIT"))
121 ses.kexstate.sentkexinit = 1;
122 }
123
124 /* *** NOTE regarding (send|recv)_msg_newkeys ***
125 * Changed by mihnea from the original kex.c to set dataallowed after a
126 * completed key exchange, no matter the order in which it was performed.
127 * This enables client mode without affecting server functionality.
128 */
129
130 /* Bring new keys into use after a key exchange, and let the client know*/
131 void send_msg_newkeys() {
132
133 TRACE(("enter send_msg_newkeys"))
134
135 /* generate the kexinit request */
136 CHECKCLEARTOWRITE();
137 buf_putbyte(ses.writepayload, SSH_MSG_NEWKEYS);
138 encrypt_packet();
139
140
141 /* set up our state */
142 if (ses.kexstate.recvnewkeys) {
143 TRACE(("while RECVNEWKEYS=1"))
144 gen_new_keys();
145 kexinitialise(); /* we've finished with this kex */
146 TRACE((" -> DATAALLOWED=1"))
147 ses.dataallowed = 1; /* we can send other packets again now */
148 ses.kexstate.donefirstkex = 1;
149 } else {
150 ses.kexstate.sentnewkeys = 1;
151 TRACE(("SENTNEWKEYS=1"))
152 }
153
154 TRACE(("-> MSG_NEWKEYS"))
155 TRACE(("leave send_msg_newkeys"))
156 }
157
158 /* Bring the new keys into use after a key exchange */
159 void recv_msg_newkeys() {
160
161 TRACE(("<- MSG_NEWKEYS"))
162 TRACE(("enter recv_msg_newkeys"))
163
164 /* simply check if we've sent SSH_MSG_NEWKEYS, and if so,
165 * switch to the new keys */
166 if (ses.kexstate.sentnewkeys) {
167 TRACE(("while SENTNEWKEYS=1"))
168 gen_new_keys();
169 kexinitialise(); /* we've finished with this kex */
170 TRACE((" -> DATAALLOWED=1"))
171 ses.dataallowed = 1; /* we can send other packets again now */
172 ses.kexstate.donefirstkex = 1;
173 } else {
174 TRACE(("RECVNEWKEYS=1"))
175 ses.kexstate.recvnewkeys = 1;
176 }
177
178 TRACE(("leave recv_msg_newkeys"))
179 }
180
181
182 /* Set up the kex for the first time */
183 void kexfirstinitialise() {
184 ses.kexstate.donefirstkex = 0;
185
186 #ifndef DISABLE_ZLIB
187 if (opts.enable_compress) {
188 ses.compress_algos = ssh_compress;
189 } else
190 #endif
191 {
192 ses.compress_algos = ssh_nocompress;
193 }
194 kexinitialise();
195 }
196
197 /* Reset the kex state, ready for a new negotiation */
198 static void kexinitialise() {
199
200 TRACE(("kexinitialise()"))
201
202 /* sent/recv'd MSG_KEXINIT */
203 ses.kexstate.sentkexinit = 0;
204 ses.kexstate.recvkexinit = 0;
205
206 /* sent/recv'd MSG_NEWKEYS */
207 ses.kexstate.recvnewkeys = 0;
208 ses.kexstate.sentnewkeys = 0;
209
210 /* first_packet_follows */
211 ses.kexstate.firstfollows = 0;
212
213 ses.kexstate.datatrans = 0;
214 ses.kexstate.datarecv = 0;
215
216 ses.kexstate.lastkextime = time(NULL);
217
218 }
219
220 /* Helper function for gen_new_keys, creates a hash. It makes a copy of the
221 * already initialised hash_state hs, which should already have processed
222 * the dh_K and hash, since these are common. X is the letter 'A', 'B' etc.
223 * out must have at least min(SHA1_HASH_SIZE, outlen) bytes allocated.
224 * The output will only be expanded once, as we are assured that
225 * outlen <= 2*SHA1_HASH_SIZE for all known hashes.
226 *
227 * See Section 7.2 of rfc4253 (ssh transport) for details */
228 static void hashkeys(unsigned char *out, int outlen,
229 const hash_state * hs, const unsigned char X) {
230
231 hash_state hs2;
232 unsigned char k2[SHA1_HASH_SIZE]; /* used to extending */
233
234 memcpy(&hs2, hs, sizeof(hash_state));
235 sha1_process(&hs2, &X, 1);
236 sha1_process(&hs2, ses.session_id, SHA1_HASH_SIZE);
237 sha1_done(&hs2, out);
238 if (SHA1_HASH_SIZE < outlen) {
239 /* need to extend */
240 memcpy(&hs2, hs, sizeof(hash_state));
241 sha1_process(&hs2, out, SHA1_HASH_SIZE);
242 sha1_done(&hs2, k2);
243 memcpy(&out[SHA1_HASH_SIZE], k2, outlen - SHA1_HASH_SIZE);
244 }
245 }
246
247 /* Generate the actual encryption/integrity keys, using the results of the
248 * key exchange, as specified in section 5.2 of the IETF secsh-transport
249 * draft. This occurs after the DH key-exchange.
250 *
251 * ses.newkeys is the new set of keys which are generated, these are only
252 * taken into use after both sides have sent a newkeys message */
253
254 /* Originally from kex.c, generalized for cli/svr mode --mihnea */
255 void gen_new_keys() {
256
257 unsigned char C2S_IV[MAX_IV_LEN];
258 unsigned char C2S_key[MAX_KEY_LEN];
259 unsigned char S2C_IV[MAX_IV_LEN];
260 unsigned char S2C_key[MAX_KEY_LEN];
261 /* unsigned char key[MAX_KEY_LEN]; */
262 unsigned char *trans_IV, *trans_key, *recv_IV, *recv_key;
263
264 hash_state hs;
265 unsigned int C2S_keysize, S2C_keysize;
266 char mactransletter, macrecvletter; /* Client or server specific */
267 int recv_cipher = 0, trans_cipher = 0;
268
269 TRACE(("enter gen_new_keys"))
270 /* the dh_K and hash are the start of all hashes, we make use of that */
271
272 sha1_init(&hs);
273 sha1_process_mp(&hs, ses.dh_K);
274 mp_clear(ses.dh_K);
275 m_free(ses.dh_K);
276 sha1_process(&hs, ses.hash, SHA1_HASH_SIZE);
277 m_burn(ses.hash, SHA1_HASH_SIZE);
278
279 if (IS_DROPBEAR_CLIENT) {
280 trans_IV = C2S_IV;
281 recv_IV = S2C_IV;
282 trans_key = C2S_key;
283 recv_key = S2C_key;
284 C2S_keysize = ses.newkeys->trans.algo_crypt->keysize;
285 S2C_keysize = ses.newkeys->recv.algo_crypt->keysize;
286 mactransletter = 'E';
287 macrecvletter = 'F';
288 } else {
289 trans_IV = S2C_IV;
290 recv_IV = C2S_IV;
291 trans_key = S2C_key;
292 recv_key = C2S_key;
293 C2S_keysize = ses.newkeys->recv.algo_crypt->keysize;
294 S2C_keysize = ses.newkeys->trans.algo_crypt->keysize;
295 mactransletter = 'F';
296 macrecvletter = 'E';
297 }
298
299 hashkeys(C2S_IV, SHA1_HASH_SIZE, &hs, 'A');
300 hashkeys(S2C_IV, SHA1_HASH_SIZE, &hs, 'B');
301 hashkeys(C2S_key, C2S_keysize, &hs, 'C');
302 hashkeys(S2C_key, S2C_keysize, &hs, 'D');
303
304 recv_cipher = find_cipher(ses.newkeys->recv.algo_crypt->cipherdesc->name);
305 if (recv_cipher < 0)
306 dropbear_exit("crypto error");
307 if (ses.newkeys->recv.crypt_mode->start(recv_cipher,
308 recv_IV, recv_key,
309 ses.newkeys->recv.algo_crypt->keysize, 0,
310 &ses.newkeys->recv.cipher_state) != CRYPT_OK) {
311 dropbear_exit("crypto error");
312 }
313
314 trans_cipher = find_cipher(ses.newkeys->trans.algo_crypt->cipherdesc->name);
315 if (trans_cipher < 0)
316 dropbear_exit("crypto error");
317 if (ses.newkeys->trans.crypt_mode->start(trans_cipher,
318 trans_IV, trans_key,
319 ses.newkeys->trans.algo_crypt->keysize, 0,
320 &ses.newkeys->trans.cipher_state) != CRYPT_OK) {
321 dropbear_exit("crypto error");
322 }
323
324 /* MAC keys */
325 hashkeys(ses.newkeys->trans.mackey,
326 ses.newkeys->trans.algo_mac->keysize, &hs, mactransletter);
327 hashkeys(ses.newkeys->recv.mackey,
328 ses.newkeys->recv.algo_mac->keysize, &hs, macrecvletter);
329 ses.newkeys->trans.hash_index = find_hash(ses.newkeys->trans.algo_mac->hashdesc->name),
330 ses.newkeys->recv.hash_index = find_hash(ses.newkeys->recv.algo_mac->hashdesc->name),
331
332 #ifndef DISABLE_ZLIB
333 gen_new_zstreams();
334 #endif
335
336 /* Switch over to the new keys */
337 m_burn(ses.keys, sizeof(struct key_context));
338 m_free(ses.keys);
339 ses.keys = ses.newkeys;
340 ses.newkeys = NULL;
341
342 TRACE(("leave gen_new_keys"))
343 }
344
345 #ifndef DISABLE_ZLIB
346
347 int is_compress_trans() {
348 return ses.keys->trans.algo_comp == DROPBEAR_COMP_ZLIB
349 || (ses.authstate.authdone
350 && ses.keys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
351 }
352
353 int is_compress_recv() {
354 return ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB
355 || (ses.authstate.authdone
356 && ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
357 }
358
359 /* Set up new zlib compression streams, close the old ones. Only
360 * called from gen_new_keys() */
361 static void gen_new_zstreams() {
362
363 /* create new zstreams */
364 if (ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB
365 || ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
366 ses.newkeys->recv.zstream = (z_streamp)m_malloc(sizeof(z_stream));
367 ses.newkeys->recv.zstream->zalloc = Z_NULL;
368 ses.newkeys->recv.zstream->zfree = Z_NULL;
369
370 if (inflateInit(ses.newkeys->recv.zstream) != Z_OK) {
371 dropbear_exit("zlib error");
372 }
373 } else {
374 ses.newkeys->recv.zstream = NULL;
375 }
376
377 if (ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB
378 || ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
379 ses.newkeys->trans.zstream = (z_streamp)m_malloc(sizeof(z_stream));
380 ses.newkeys->trans.zstream->zalloc = Z_NULL;
381 ses.newkeys->trans.zstream->zfree = Z_NULL;
382
383 if (deflateInit2(ses.newkeys->trans.zstream, Z_DEFAULT_COMPRESSION,
384 Z_DEFLATED, DROPBEAR_ZLIB_WINDOW_BITS,
385 DROPBEAR_ZLIB_MEM_LEVEL, Z_DEFAULT_STRATEGY)
386 != Z_OK) {
387 dropbear_exit("zlib error");
388 }
389 } else {
390 ses.newkeys->trans.zstream = NULL;
391 }
392
393 /* clean up old keys */
394 if (ses.keys->recv.zstream != NULL) {
395 if (inflateEnd(ses.keys->recv.zstream) == Z_STREAM_ERROR) {
396 /* Z_DATA_ERROR is ok, just means that stream isn't ended */
397 dropbear_exit("crypto error");
398 }
399 m_free(ses.keys->recv.zstream);
400 }
401 if (ses.keys->trans.zstream != NULL) {
402 if (deflateEnd(ses.keys->trans.zstream) == Z_STREAM_ERROR) {
403 /* Z_DATA_ERROR is ok, just means that stream isn't ended */
404 dropbear_exit("crypto error");
405 }
406 m_free(ses.keys->trans.zstream);
407 }
408 }
409 #endif /* DISABLE_ZLIB */
410
411
412 /* Executed upon receiving a kexinit message from the client to initiate
413 * key exchange. If we haven't already done so, we send the list of our
414 * preferred algorithms. The client's requested algorithms are processed,
415 * and we calculate the first portion of the key-exchange-hash for used
416 * later in the key exchange. No response is sent, as the client should
417 * initiate the diffie-hellman key exchange */
418
419 /* Originally from kex.c, generalized for cli/svr mode --mihnea */
420 /* Belongs in common_kex.c where it should be moved after review */
421 void recv_msg_kexinit() {
422
423 unsigned int kexhashbuf_len = 0;
424 unsigned int remote_ident_len = 0;
425 unsigned int local_ident_len = 0;
426
427 TRACE(("<- KEXINIT"))
428 TRACE(("enter recv_msg_kexinit"))
429
430 if (!ses.kexstate.sentkexinit) {
431 /* we need to send a kex packet */
432 send_msg_kexinit();
433 TRACE(("continue recv_msg_kexinit: sent kexinit"))
434 }
435
436 /* start the kex hash */
437 local_ident_len = strlen(LOCAL_IDENT);
438 remote_ident_len = strlen((char*)ses.remoteident);
439
440 kexhashbuf_len = local_ident_len + remote_ident_len
441 + ses.transkexinit->len + ses.payload->len
442 + KEXHASHBUF_MAX_INTS;
443
444 ses.kexhashbuf = buf_new(kexhashbuf_len);
445
446 if (IS_DROPBEAR_CLIENT) {
447
448 /* read the peer's choice of algos */
449 read_kex_algos();
450
451 /* V_C, the client's version string (CR and NL excluded) */
452 buf_putstring(ses.kexhashbuf,
453 (unsigned char*)LOCAL_IDENT, local_ident_len);
454 /* V_S, the server's version string (CR and NL excluded) */
455 buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
456
457 /* I_C, the payload of the client's SSH_MSG_KEXINIT */
458 buf_putstring(ses.kexhashbuf,
459 ses.transkexinit->data, ses.transkexinit->len);
460 /* I_S, the payload of the server's SSH_MSG_KEXINIT */
461 buf_setpos(ses.payload, 0);
462 buf_putstring(ses.kexhashbuf, ses.payload->data, ses.payload->len);
463
464 } else {
465 /* SERVER */
466
467 /* read the peer's choice of algos */
468 read_kex_algos();
469 /* V_C, the client's version string (CR and NL excluded) */
470 buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
471 /* V_S, the server's version string (CR and NL excluded) */
472 buf_putstring(ses.kexhashbuf,
473 (unsigned char*)LOCAL_IDENT, local_ident_len);
474
475 /* I_C, the payload of the client's SSH_MSG_KEXINIT */
476 buf_setpos(ses.payload, 0);
477 buf_putstring(ses.kexhashbuf, ses.payload->data, ses.payload->len);
478
479 /* I_S, the payload of the server's SSH_MSG_KEXINIT */
480 buf_putstring(ses.kexhashbuf,
481 ses.transkexinit->data, ses.transkexinit->len);
482
483 ses.requirenext = SSH_MSG_KEXDH_INIT;
484 }
485
486 buf_free(ses.transkexinit);
487 ses.transkexinit = NULL;
488 /* the rest of ses.kexhashbuf will be done after DH exchange */
489
490 ses.kexstate.recvkexinit = 1;
491
492 TRACE(("leave recv_msg_kexinit"))
493 }
494
495 /* Initialises and generate one side of the diffie-hellman key exchange values.
496 * See the ietf-secsh-transport draft, section 6, for details */
497 /* dh_pub and dh_priv MUST be already initialised */
498 void gen_kexdh_vals(mp_int *dh_pub, mp_int *dh_priv) {
499
500 DEF_MP_INT(dh_p);
501 DEF_MP_INT(dh_q);
502 DEF_MP_INT(dh_g);
503
504 TRACE(("enter send_msg_kexdh_reply"))
505
506 m_mp_init_multi(&dh_g, &dh_p, &dh_q, NULL);
507
508 /* read the prime and generator*/
509 bytes_to_mp(&dh_p, (unsigned char*)dh_p_val, DH_P_LEN);
510
511 if (mp_set_int(&dh_g, DH_G_VAL) != MP_OKAY) {
512 dropbear_exit("Diffie-Hellman error");
513 }
514
515 /* calculate q = (p-1)/2 */
516 /* dh_priv is just a temp var here */
517 if (mp_sub_d(&dh_p, 1, dh_priv) != MP_OKAY) {
518 dropbear_exit("Diffie-Hellman error");
519 }
520 if (mp_div_2(dh_priv, &dh_q) != MP_OKAY) {
521 dropbear_exit("Diffie-Hellman error");
522 }
523
524 /* Generate a private portion 0 < dh_priv < dh_q */
525 gen_random_mpint(&dh_q, dh_priv);
526
527 /* f = g^y mod p */
528 if (mp_exptmod(&dh_g, dh_priv, &dh_p, dh_pub) != MP_OKAY) {
529 dropbear_exit("Diffie-Hellman error");
530 }
531 mp_clear_multi(&dh_g, &dh_p, &dh_q, NULL);
532 }
533
534 /* This function is fairly common between client/server, with some substitution
535 * of dh_e/dh_f etc. Hence these arguments:
536 * dh_pub_us is 'e' for the client, 'f' for the server. dh_pub_them is
537 * vice-versa. dh_priv is the x/y value corresponding to dh_pub_us */
538 void kexdh_comb_key(mp_int *dh_pub_us, mp_int *dh_priv, mp_int *dh_pub_them,
539 sign_key *hostkey) {
540
541 mp_int dh_p;
542 mp_int *dh_e = NULL, *dh_f = NULL;
543 hash_state hs;
544
545 /* read the prime and generator*/
546 m_mp_init(&dh_p);
547 bytes_to_mp(&dh_p, dh_p_val, DH_P_LEN);
548
549 /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */
550 if (mp_cmp(dh_pub_them, &dh_p) != MP_LT
551 || mp_cmp_d(dh_pub_them, 0) != MP_GT) {
552 dropbear_exit("Diffie-Hellman error");
553 }
554
555 /* K = e^y mod p = f^x mod p */
556 ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int));
557 m_mp_init(ses.dh_K);
558 if (mp_exptmod(dh_pub_them, dh_priv, &dh_p, ses.dh_K) != MP_OKAY) {
559 dropbear_exit("Diffie-Hellman error");
560 }
561
562 /* clear no longer needed vars */
563 mp_clear_multi(&dh_p, NULL);
564
565 /* From here on, the code needs to work with the _same_ vars on each side,
566 * not vice-versaing for client/server */
567 if (IS_DROPBEAR_CLIENT) {
568 dh_e = dh_pub_us;
569 dh_f = dh_pub_them;
570 } else {
571 dh_e = dh_pub_them;
572 dh_f = dh_pub_us;
573 }
574
575 /* Create the remainder of the hash buffer, to generate the exchange hash */
576 /* K_S, the host key */
577 buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
578 /* e, exchange value sent by the client */
579 buf_putmpint(ses.kexhashbuf, dh_e);
580 /* f, exchange value sent by the server */
581 buf_putmpint(ses.kexhashbuf, dh_f);
582 /* K, the shared secret */
583 buf_putmpint(ses.kexhashbuf, ses.dh_K);
584
585 /* calculate the hash H to sign */
586 sha1_init(&hs);
587 buf_setpos(ses.kexhashbuf, 0);
588 sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
589 ses.kexhashbuf->len);
590 sha1_done(&hs, ses.hash);
591
592 buf_burn(ses.kexhashbuf);
593 buf_free(ses.kexhashbuf);
594 ses.kexhashbuf = NULL;
595
596 /* first time around, we set the session_id to H */
597 if (ses.session_id == NULL) {
598 /* create the session_id, this never needs freeing */
599 ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE);
600 memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE);
601 }
602 }
603
604 /* read the other side's algo list. buf_match_algo is a callback to match
605 * algos for the client or server. */
606 static void read_kex_algos() {
607
608 /* for asymmetry */
609 algo_type * c2s_hash_algo = NULL;
610 algo_type * s2c_hash_algo = NULL;
611 algo_type * c2s_cipher_algo = NULL;
612 algo_type * s2c_cipher_algo = NULL;
613 algo_type * c2s_comp_algo = NULL;
614 algo_type * s2c_comp_algo = NULL;
615 /* the generic one */
616 algo_type * algo = NULL;
617
618 /* which algo couldn't match */
619 char * erralgo = NULL;
620
621 int goodguess = 0;
622 int allgood = 1; /* we AND this with each goodguess and see if its still
623 true after */
624
625 buf_incrpos(ses.payload, 16); /* start after the cookie */
626
627 ses.newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
628
629 /* kex_algorithms */
630 algo = ses.buf_match_algo(ses.payload, sshkex, &goodguess);
631 allgood &= goodguess;
632 if (algo == NULL) {
633 erralgo = "kex";
634 goto error;
635 }
636 TRACE(("kex algo %s", algo->name))
637 ses.newkeys->algo_kex = algo->val;
638
639 /* server_host_key_algorithms */
640 algo = ses.buf_match_algo(ses.payload, sshhostkey, &goodguess);
641 allgood &= goodguess;
642 if (algo == NULL) {
643 erralgo = "hostkey";
644 goto error;
645 }
646 TRACE(("hostkey algo %s", algo->name))
647 ses.newkeys->algo_hostkey = algo->val;
648
649 /* encryption_algorithms_client_to_server */
650 c2s_cipher_algo = ses.buf_match_algo(ses.payload, sshciphers, &goodguess);
651 if (c2s_cipher_algo == NULL) {
652 erralgo = "enc c->s";
653 goto error;
654 }
655 TRACE(("enc c2s is %s", c2s_cipher_algo->name))
656
657 /* encryption_algorithms_server_to_client */
658 s2c_cipher_algo = ses.buf_match_algo(ses.payload, sshciphers, &goodguess);
659 if (s2c_cipher_algo == NULL) {
660 erralgo = "enc s->c";
661 goto error;
662 }
663 TRACE(("enc s2c is %s", s2c_cipher_algo->name))
664
665 /* mac_algorithms_client_to_server */
666 c2s_hash_algo = ses.buf_match_algo(ses.payload, sshhashes, &goodguess);
667 if (c2s_hash_algo == NULL) {
668 erralgo = "mac c->s";
669 goto error;
670 }
671 TRACE(("hash c2s is %s", c2s_hash_algo->name))
672
673 /* mac_algorithms_server_to_client */
674 s2c_hash_algo = ses.buf_match_algo(ses.payload, sshhashes, &goodguess);
675 if (s2c_hash_algo == NULL) {
676 erralgo = "mac s->c";
677 goto error;
678 }
679 TRACE(("hash s2c is %s", s2c_hash_algo->name))
680
681 /* compression_algorithms_client_to_server */
682 c2s_comp_algo = ses.buf_match_algo(ses.payload, ses.compress_algos, &goodguess);
683 if (c2s_comp_algo == NULL) {
684 erralgo = "comp c->s";
685 goto error;
686 }
687 TRACE(("hash c2s is %s", c2s_comp_algo->name))
688
689 /* compression_algorithms_server_to_client */
690 s2c_comp_algo = ses.buf_match_algo(ses.payload, ses.compress_algos, &goodguess);
691 if (s2c_comp_algo == NULL) {
692 erralgo = "comp s->c";
693 goto error;
694 }
695 TRACE(("hash s2c is %s", s2c_comp_algo->name))
696
697 /* languages_client_to_server */
698 buf_eatstring(ses.payload);
699
700 /* languages_server_to_client */
701 buf_eatstring(ses.payload);
702
703 /* first_kex_packet_follows */
704 if (buf_getbool(ses.payload)) {
705 ses.kexstate.firstfollows = 1;
706 /* if the guess wasn't good, we ignore the packet sent */
707 if (!allgood) {
708 ses.ignorenext = 1;
709 }
710 }
711
712 /* Handle the asymmetry */
713 if (IS_DROPBEAR_CLIENT) {
714 ses.newkeys->recv.algo_crypt =
715 (struct dropbear_cipher*)s2c_cipher_algo->data;
716 ses.newkeys->trans.algo_crypt =
717 (struct dropbear_cipher*)c2s_cipher_algo->data;
718 ses.newkeys->recv.crypt_mode =
719 (struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
720 ses.newkeys->trans.crypt_mode =
721 (struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
722 ses.newkeys->recv.algo_mac =
723 (struct dropbear_hash*)s2c_hash_algo->data;
724 ses.newkeys->trans.algo_mac =
725 (struct dropbear_hash*)c2s_hash_algo->data;
726 ses.newkeys->recv.algo_comp = s2c_comp_algo->val;
727 ses.newkeys->trans.algo_comp = c2s_comp_algo->val;
728 } else {
729 /* SERVER */
730 ses.newkeys->recv.algo_crypt =
731 (struct dropbear_cipher*)c2s_cipher_algo->data;
732 ses.newkeys->trans.algo_crypt =
733 (struct dropbear_cipher*)s2c_cipher_algo->data;
734 ses.newkeys->recv.crypt_mode =
735 (struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
736 ses.newkeys->trans.crypt_mode =
737 (struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
738 ses.newkeys->recv.algo_mac =
739 (struct dropbear_hash*)c2s_hash_algo->data;
740 ses.newkeys->trans.algo_mac =
741 (struct dropbear_hash*)s2c_hash_algo->data;
742 ses.newkeys->recv.algo_comp = c2s_comp_algo->val;
743 ses.newkeys->trans.algo_comp = s2c_comp_algo->val;
744 }
745
746 /* reserved for future extensions */
747 buf_getint(ses.payload);
748 return;
749
750 error:
751 dropbear_exit("no matching algo %s", erralgo);
752 }
Unofficial git mirror of Dropbear Monotone repository