1 /* $OpenBSD: kexecdhs.c,v 1.15 2015/12/04 16:41:28 markus Exp $ */
3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2010 Damien Miller. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
31 #include <sys/types.h>
35 #include <openssl/ecdh.h>
50 static int input_kex_ecdh_init(int, u_int32_t
, void *);
53 kexecdh_server(struct ssh
*ssh
)
55 debug("expecting SSH2_MSG_KEX_ECDH_INIT");
56 ssh_dispatch_set(ssh
, SSH2_MSG_KEX_ECDH_INIT
, &input_kex_ecdh_init
);
61 input_kex_ecdh_init(int type
, u_int32_t seq
, void *ctxt
)
63 struct ssh
*ssh
= ctxt
;
64 struct kex
*kex
= ssh
->kex
;
65 EC_POINT
*client_public
;
66 EC_KEY
*server_key
= NULL
;
67 const EC_GROUP
*group
;
68 const EC_POINT
*public_key
;
69 BIGNUM
*shared_secret
= NULL
;
70 struct sshkey
*server_host_private
, *server_host_public
;
71 u_char
*server_host_key_blob
= NULL
, *signature
= NULL
;
73 u_char hash
[SSH_DIGEST_MAX_LENGTH
];
74 size_t slen
, sbloblen
;
75 size_t klen
= 0, hashlen
;
78 if ((server_key
= EC_KEY_new_by_curve_name(kex
->ec_nid
)) == NULL
) {
79 r
= SSH_ERR_ALLOC_FAIL
;
82 if (EC_KEY_generate_key(server_key
) != 1) {
83 r
= SSH_ERR_LIBCRYPTO_ERROR
;
86 group
= EC_KEY_get0_group(server_key
);
89 fputs("server private key:\n", stderr
);
90 sshkey_dump_ec_key(server_key
);
93 if (kex
->load_host_public_key
== NULL
||
94 kex
->load_host_private_key
== NULL
) {
95 r
= SSH_ERR_INVALID_ARGUMENT
;
98 server_host_public
= kex
->load_host_public_key(kex
->hostkey_type
,
99 kex
->hostkey_nid
, ssh
);
100 server_host_private
= kex
->load_host_private_key(kex
->hostkey_type
,
101 kex
->hostkey_nid
, ssh
);
102 if (server_host_public
== NULL
) {
103 r
= SSH_ERR_NO_HOSTKEY_LOADED
;
106 if ((client_public
= EC_POINT_new(group
)) == NULL
) {
107 r
= SSH_ERR_ALLOC_FAIL
;
110 if ((r
= sshpkt_get_ec(ssh
, client_public
, group
)) != 0 ||
111 (r
= sshpkt_get_end(ssh
)) != 0)
115 fputs("client public key:\n", stderr
);
116 sshkey_dump_ec_point(group
, client_public
);
118 if (sshkey_ec_validate_public(group
, client_public
) != 0) {
119 sshpkt_disconnect(ssh
, "invalid client public key");
120 r
= SSH_ERR_MESSAGE_INCOMPLETE
;
124 /* Calculate shared_secret */
125 klen
= (EC_GROUP_get_degree(group
) + 7) / 8;
126 if ((kbuf
= malloc(klen
)) == NULL
||
127 (shared_secret
= BN_new()) == NULL
) {
128 r
= SSH_ERR_ALLOC_FAIL
;
131 if (ECDH_compute_key(kbuf
, klen
, client_public
,
132 server_key
, NULL
) != (int)klen
||
133 BN_bin2bn(kbuf
, klen
, shared_secret
) == NULL
) {
134 r
= SSH_ERR_LIBCRYPTO_ERROR
;
139 dump_digest("shared secret", kbuf
, klen
);
142 if ((r
= sshkey_to_blob(server_host_public
, &server_host_key_blob
,
145 hashlen
= sizeof(hash
);
146 if ((r
= kex_ecdh_hash(
149 kex
->client_version_string
,
150 kex
->server_version_string
,
151 sshbuf_ptr(kex
->peer
), sshbuf_len(kex
->peer
),
152 sshbuf_ptr(kex
->my
), sshbuf_len(kex
->my
),
153 server_host_key_blob
, sbloblen
,
155 EC_KEY_get0_public_key(server_key
),
157 hash
, &hashlen
)) != 0)
160 /* save session id := H */
161 if (kex
->session_id
== NULL
) {
162 kex
->session_id_len
= hashlen
;
163 kex
->session_id
= malloc(kex
->session_id_len
);
164 if (kex
->session_id
== NULL
) {
165 r
= SSH_ERR_ALLOC_FAIL
;
168 memcpy(kex
->session_id
, hash
, kex
->session_id_len
);
172 if ((r
= kex
->sign(server_host_private
, server_host_public
, &signature
,
173 &slen
, hash
, hashlen
, kex
->hostkey_alg
, ssh
->compat
)) < 0)
176 /* destroy_sensitive_data(); */
178 public_key
= EC_KEY_get0_public_key(server_key
);
179 /* send server hostkey, ECDH pubkey 'Q_S' and signed H */
180 if ((r
= sshpkt_start(ssh
, SSH2_MSG_KEX_ECDH_REPLY
)) != 0 ||
181 (r
= sshpkt_put_string(ssh
, server_host_key_blob
, sbloblen
)) != 0 ||
182 (r
= sshpkt_put_ec(ssh
, public_key
, group
)) != 0 ||
183 (r
= sshpkt_put_string(ssh
, signature
, slen
)) != 0 ||
184 (r
= sshpkt_send(ssh
)) != 0)
187 if ((r
= kex_derive_keys_bn(ssh
, hash
, hashlen
, shared_secret
)) == 0)
188 r
= kex_send_newkeys(ssh
);
190 explicit_bzero(hash
, sizeof(hash
));
191 if (kex
->ec_client_key
) {
192 EC_KEY_free(kex
->ec_client_key
);
193 kex
->ec_client_key
= NULL
;
196 EC_KEY_free(server_key
);
198 explicit_bzero(kbuf
, klen
);
202 BN_clear_free(shared_secret
);
203 free(server_host_key_blob
);
207 #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */