crypto/openssh/kexgexs.c

   1 /* $OpenBSD: kexgexs.c,v 1.29 2016/06/08 02:13:01 dtucker Exp $ */
   2 /*
   3  * Copyright (c) 2000 Niels Provos.  All rights reserved.
   4  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in the
  13  *    documentation and/or other materials provided with the distribution.
  14  *
  15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25  */
  26
  27 #include "includes.h"
  28
  29 #ifdef WITH_OPENSSL
  30
  31 #include <sys/param.h>  /* MIN MAX */
  32
  33 #include <stdarg.h>
  34 #include <stdio.h>
  35 #include <string.h>
  36 #include <signal.h>
  37
  38 #include <openssl/dh.h>
  39
  40 #include "sshkey.h"
  41 #include "cipher.h"
  42 #include "digest.h"
  43 #include "kex.h"
  44 #include "log.h"
  45 #include "packet.h"
  46 #include "dh.h"
  47 #include "ssh2.h"
  48 #include "compat.h"
  49 #ifdef GSSAPI
  50 #include "ssh-gss.h"
  51 #endif
  52 #include "monitor_wrap.h"
  53 #include "dispatch.h"
  54 #include "ssherr.h"
  55 #include "sshbuf.h"
  56
  57 static int input_kex_dh_gex_request(int, u_int32_t, void *);
  58 static int input_kex_dh_gex_init(int, u_int32_t, void *);
  59
  60 int
  61 kexgex_server(struct ssh *ssh)
  62 {
  63         ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
  64             &input_kex_dh_gex_request);
  65         debug("expecting SSH2_MSG_KEX_DH_GEX_REQUEST");
  66         return 0;
  67 }
  68
  69 static int
  70 input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt)
  71 {
  72         struct ssh *ssh = ctxt;
  73         struct kex *kex = ssh->kex;
  74         int r;
  75         u_int min = 0, max = 0, nbits = 0;
  76
  77         debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
  78         if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
  79             (r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
  80             (r = sshpkt_get_u32(ssh, &max)) != 0 ||
  81             (r = sshpkt_get_end(ssh)) != 0)
  82                 goto out;
  83         kex->nbits = nbits;
  84         kex->min = min;
  85         kex->max = max;
  86         min = MAX(DH_GRP_MIN, min);
  87         max = MIN(DH_GRP_MAX, max);
  88         nbits = MAX(DH_GRP_MIN, nbits);
  89         nbits = MIN(DH_GRP_MAX, nbits);
  90
  91         if (kex->max < kex->min || kex->nbits < kex->min ||
  92             kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
  93                 r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
  94                 goto out;
  95         }
  96
  97         /* Contact privileged parent */
  98         kex->dh = PRIVSEP(choose_dh(min, nbits, max));
  99         if (kex->dh == NULL) {
 100                 sshpkt_disconnect(ssh, "no matching DH grp found");
 101                 r = SSH_ERR_ALLOC_FAIL;
 102                 goto out;
 103         }
 104         debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
 105         if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_GROUP)) != 0 ||
 106             (r = sshpkt_put_bignum2(ssh, kex->dh->p)) != 0 ||
 107             (r = sshpkt_put_bignum2(ssh, kex->dh->g)) != 0 ||
 108             (r = sshpkt_send(ssh)) != 0)
 109                 goto out;
 110
 111         /* Compute our exchange value in parallel with the client */
 112         if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
 113                 goto out;
 114
 115         debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
 116         ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &input_kex_dh_gex_init);
 117         r = 0;
 118  out:
 119         return r;
 120 }
 121
 122 static int
 123 input_kex_dh_gex_init(int type, u_int32_t seq, void *ctxt)
 124 {
 125         struct ssh *ssh = ctxt;
 126         struct kex *kex = ssh->kex;
 127         BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
 128         struct sshkey *server_host_public, *server_host_private;
 129         u_char *kbuf = NULL, *signature = NULL, *server_host_key_blob = NULL;
 130         u_char hash[SSH_DIGEST_MAX_LENGTH];
 131         size_t sbloblen, slen;
 132         size_t klen = 0, hashlen;
 133         int kout, r;
 134
 135         if (kex->load_host_public_key == NULL ||
 136             kex->load_host_private_key == NULL) {
 137                 r = SSH_ERR_INVALID_ARGUMENT;
 138                 goto out;
 139         }
 140         server_host_public = kex->load_host_public_key(kex->hostkey_type,
 141             kex->hostkey_nid, ssh);
 142         server_host_private = kex->load_host_private_key(kex->hostkey_type,
 143             kex->hostkey_nid, ssh);
 144         if (server_host_public == NULL) {
 145                 r = SSH_ERR_NO_HOSTKEY_LOADED;
 146                 goto out;
 147         }
 148
 149         /* key, cert */
 150         if ((dh_client_pub = BN_new()) == NULL) {
 151                 r = SSH_ERR_ALLOC_FAIL;
 152                 goto out;
 153         }
 154         if ((r = sshpkt_get_bignum2(ssh, dh_client_pub)) != 0 ||
 155             (r = sshpkt_get_end(ssh)) != 0)
 156                 goto out;
 157
 158 #ifdef DEBUG_KEXDH
 159         fprintf(stderr, "dh_client_pub= ");
 160         BN_print_fp(stderr, dh_client_pub);
 161         fprintf(stderr, "\n");
 162         debug("bits %d", BN_num_bits(dh_client_pub));
 163 #endif
 164
 165 #ifdef DEBUG_KEXDH
 166         DHparams_print_fp(stderr, kex->dh);
 167         fprintf(stderr, "pub= ");
 168         BN_print_fp(stderr, kex->dh->pub_key);
 169         fprintf(stderr, "\n");
 170 #endif
 171         if (!dh_pub_is_valid(kex->dh, dh_client_pub)) {
 172                 sshpkt_disconnect(ssh, "bad client public DH value");
 173                 r = SSH_ERR_MESSAGE_INCOMPLETE;
 174                 goto out;
 175         }
 176
 177         klen = DH_size(kex->dh);
 178         if ((kbuf = malloc(klen)) == NULL ||
 179             (shared_secret = BN_new()) == NULL) {
 180                 r = SSH_ERR_ALLOC_FAIL;
 181                 goto out;
 182         }
 183         if ((kout = DH_compute_key(kbuf, dh_client_pub, kex->dh)) < 0 ||
 184             BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
 185                 r = SSH_ERR_LIBCRYPTO_ERROR;
 186                 goto out;
 187         }
 188 #ifdef DEBUG_KEXDH
 189         dump_digest("shared secret", kbuf, kout);
 190 #endif
 191         if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
 192             &sbloblen)) != 0)
 193                 goto out;
 194         /* calc H */
 195         hashlen = sizeof(hash);
 196         if ((r = kexgex_hash(
 197             kex->hash_alg,
 198             kex->client_version_string,
 199             kex->server_version_string,
 200             sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
 201             sshbuf_ptr(kex->my), sshbuf_len(kex->my),
 202             server_host_key_blob, sbloblen,
 203             kex->min, kex->nbits, kex->max,
 204             kex->dh->p, kex->dh->g,
 205             dh_client_pub,
 206             kex->dh->pub_key,
 207             shared_secret,
 208             hash, &hashlen)) != 0)
 209                 goto out;
 210
 211         /* save session id := H */
 212         if (kex->session_id == NULL) {
 213                 kex->session_id_len = hashlen;
 214                 kex->session_id = malloc(kex->session_id_len);
 215                 if (kex->session_id == NULL) {
 216                         r = SSH_ERR_ALLOC_FAIL;
 217                         goto out;
 218                 }
 219                 memcpy(kex->session_id, hash, kex->session_id_len);
 220         }
 221
 222         /* sign H */
 223         if ((r = kex->sign(server_host_private, server_host_public, &signature,
 224              &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
 225                 goto out;
 226
 227         /* destroy_sensitive_data(); */
 228
 229         /* send server hostkey, DH pubkey 'f' and singed H */
 230         if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REPLY)) != 0 ||
 231             (r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
 232             (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 ||     /* f */
 233             (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
 234             (r = sshpkt_send(ssh)) != 0)
 235                 goto out;
 236
 237         if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
 238                 r = kex_send_newkeys(ssh);
 239  out:
 240         DH_free(kex->dh);
 241         kex->dh = NULL;
 242         if (dh_client_pub)
 243                 BN_clear_free(dh_client_pub);
 244         if (kbuf) {
 245                 explicit_bzero(kbuf, klen);
 246                 free(kbuf);
 247         }
 248         if (shared_secret)
 249                 BN_clear_free(shared_secret);
 250         free(server_host_key_blob);
 251         free(signature);
 252         return r;
 253 }
 254 #endif /* WITH_OPENSSL */