search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dropbar: Update to version 2013.60.1.
[tomato.git] / release / src / router / dropbear / common-kex.c
bloba488877fee8abc52633b17c936cdce9c09bc0d84
1 /*
2 * Dropbear SSH
3 *
4 * Copyright (c) 2002-2004 Matt Johnston
5 * Portions Copyright (c) 2004 by Mihnea Stoenescu
6 * All rights reserved.
7 *
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
14 *
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24 * SOFTWARE. */
25
26 #include "includes.h"
27 #include "dbutil.h"
28 #include "algo.h"
29 #include "buffer.h"
30 #include "session.h"
31 #include "kex.h"
32 #include "ssh.h"
33 #include "packet.h"
34 #include "bignum.h"
35 #include "random.h"
36 #include "runopts.h"
37
38 /* diffie-hellman-group1-sha1 value for p */
39 #define DH_P_1_LEN 128
40 static const unsigned char dh_p_1[DH_P_1_LEN] = {
41 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
42 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
43 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
44 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
45 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
46 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
47 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
48 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
49 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
50 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
51 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
52
53 /* diffie-hellman-group14-sha1 value for p */
54 #define DH_P_14_LEN 256
55 static const unsigned char dh_p_14[DH_P_14_LEN] = {
56 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
57 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
58 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
59 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
60 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
61 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
62 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
63 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
64 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
65 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
66 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
67 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
68 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
69 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
70 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
71 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
72 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
73 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
74 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
75 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
76 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF,
77 0xFF, 0xFF, 0xFF, 0xFF};
78
79 /* Same for group1 and group14 */
80 static const int DH_G_VAL = 2;
81
82 static void kexinitialise();
83 static void gen_new_keys();
84 #ifndef DISABLE_ZLIB
85 static void gen_new_zstream_recv();
86 static void gen_new_zstream_trans();
87 #endif
88 static void read_kex_algos();
89 /* helper function for gen_new_keys */
90 static void hashkeys(unsigned char *out, int outlen,
91 const hash_state * hs, unsigned const char X);
92
93
94 /* Send our list of algorithms we can use */
95 void send_msg_kexinit() {
96
97 CHECKCLEARTOWRITE();
98 buf_putbyte(ses.writepayload, SSH_MSG_KEXINIT);
99
100 /* cookie */
101 genrandom(buf_getwriteptr(ses.writepayload, 16), 16);
102 buf_incrwritepos(ses.writepayload, 16);
103
104 /* kex algos */
105 buf_put_algolist(ses.writepayload, sshkex);
106
107 /* server_host_key_algorithms */
108 buf_put_algolist(ses.writepayload, sshhostkey);
109
110 /* encryption_algorithms_client_to_server */
111 buf_put_algolist(ses.writepayload, sshciphers);
112
113 /* encryption_algorithms_server_to_client */
114 buf_put_algolist(ses.writepayload, sshciphers);
115
116 /* mac_algorithms_client_to_server */
117 buf_put_algolist(ses.writepayload, sshhashes);
118
119 /* mac_algorithms_server_to_client */
120 buf_put_algolist(ses.writepayload, sshhashes);
121
122
123 /* compression_algorithms_client_to_server */
124 buf_put_algolist(ses.writepayload, ses.compress_algos);
125
126 /* compression_algorithms_server_to_client */
127 buf_put_algolist(ses.writepayload, ses.compress_algos);
128
129 /* languages_client_to_server */
130 buf_putstring(ses.writepayload, "", 0);
131
132 /* languages_server_to_client */
133 buf_putstring(ses.writepayload, "", 0);
134
135 /* first_kex_packet_follows */
136 buf_putbyte(ses.writepayload, (ses.send_kex_first_guess != NULL));
137
138 /* reserved unit32 */
139 buf_putint(ses.writepayload, 0);
140
141 /* set up transmitted kex packet buffer for hashing.
142 * This is freed after the end of the kex */
143 ses.transkexinit = buf_newcopy(ses.writepayload);
144
145 encrypt_packet();
146 ses.dataallowed = 0; /* don't send other packets during kex */
147
148 ses.kexstate.sentkexinit = 1;
149
150 ses.newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
151
152 if (ses.send_kex_first_guess) {
153 ses.newkeys->algo_kex = sshkex[0].val;
154 ses.newkeys->algo_hostkey = sshhostkey[0].val;
155 ses.send_kex_first_guess();
156 }
157
158 TRACE(("DATAALLOWED=0"))
159 TRACE(("-> KEXINIT"))
160
161 }
162
163 static void switch_keys() {
164 TRACE2(("enter switch_keys"))
165 if (!(ses.kexstate.sentkexinit && ses.kexstate.recvkexinit)) {
166 dropbear_exit("Unexpected newkeys message");
167 }
168
169 if (!ses.keys) {
170 ses.keys = m_malloc(sizeof(*ses.newkeys));
171 }
172 if (ses.kexstate.recvnewkeys && ses.newkeys->recv.valid) {
173 TRACE(("switch_keys recv"))
174 #ifndef DISABLE_ZLIB
175 gen_new_zstream_recv();
176 #endif
177 ses.keys->recv = ses.newkeys->recv;
178 m_burn(&ses.newkeys->recv, sizeof(ses.newkeys->recv));
179 ses.newkeys->recv.valid = 0;
180 }
181 if (ses.kexstate.sentnewkeys && ses.newkeys->trans.valid) {
182 TRACE(("switch_keys trans"))
183 #ifndef DISABLE_ZLIB
184 gen_new_zstream_trans();
185 #endif
186 ses.keys->trans = ses.newkeys->trans;
187 m_burn(&ses.newkeys->trans, sizeof(ses.newkeys->trans));
188 ses.newkeys->trans.valid = 0;
189 }
190 if (ses.kexstate.sentnewkeys && ses.kexstate.recvnewkeys)
191 {
192 TRACE(("switch_keys done"))
193 ses.keys->algo_kex = ses.newkeys->algo_kex;
194 ses.keys->algo_hostkey = ses.newkeys->algo_hostkey;
195 ses.keys->allow_compress = 0;
196 m_free(ses.newkeys);
197 ses.newkeys = NULL;
198 kexinitialise();
199 }
200 TRACE2(("leave switch_keys"))
201 }
202
203 /* Bring new keys into use after a key exchange, and let the client know*/
204 void send_msg_newkeys() {
205
206 TRACE(("enter send_msg_newkeys"))
207
208 /* generate the kexinit request */
209 CHECKCLEARTOWRITE();
210 buf_putbyte(ses.writepayload, SSH_MSG_NEWKEYS);
211 encrypt_packet();
212
213
214 /* set up our state */
215 ses.kexstate.sentnewkeys = 1;
216 ses.kexstate.donefirstkex = 1;
217 ses.dataallowed = 1; /* we can send other packets again now */
218 gen_new_keys();
219 switch_keys();
220
221 TRACE(("leave send_msg_newkeys"))
222 }
223
224 /* Bring the new keys into use after a key exchange */
225 void recv_msg_newkeys() {
226
227 TRACE(("enter recv_msg_newkeys"))
228
229 ses.kexstate.recvnewkeys = 1;
230 switch_keys();
231
232 TRACE(("leave recv_msg_newkeys"))
233 }
234
235
236 /* Set up the kex for the first time */
237 void kexfirstinitialise() {
238 ses.kexstate.donefirstkex = 0;
239
240 #ifndef DISABLE_ZLIB
241 if (opts.enable_compress) {
242 ses.compress_algos = ssh_compress;
243 } else
244 #endif
245 {
246 ses.compress_algos = ssh_nocompress;
247 }
248 kexinitialise();
249 }
250
251 /* Reset the kex state, ready for a new negotiation */
252 static void kexinitialise() {
253
254 TRACE(("kexinitialise()"))
255
256 /* sent/recv'd MSG_KEXINIT */
257 ses.kexstate.sentkexinit = 0;
258 ses.kexstate.recvkexinit = 0;
259
260 /* sent/recv'd MSG_NEWKEYS */
261 ses.kexstate.recvnewkeys = 0;
262 ses.kexstate.sentnewkeys = 0;
263
264 /* first_packet_follows */
265 ses.kexstate.them_firstfollows = 0;
266
267 ses.kexstate.datatrans = 0;
268 ses.kexstate.datarecv = 0;
269
270 ses.kexstate.our_first_follows_matches = 0;
271
272 ses.kexstate.lastkextime = time(NULL);
273
274 }
275
276 /* Helper function for gen_new_keys, creates a hash. It makes a copy of the
277 * already initialised hash_state hs, which should already have processed
278 * the dh_K and hash, since these are common. X is the letter 'A', 'B' etc.
279 * out must have at least min(SHA1_HASH_SIZE, outlen) bytes allocated.
280 *
281 * See Section 7.2 of rfc4253 (ssh transport) for details */
282 static void hashkeys(unsigned char *out, int outlen,
283 const hash_state * hs, const unsigned char X) {
284
285 hash_state hs2;
286 int offset;
287
288 memcpy(&hs2, hs, sizeof(hash_state));
289 sha1_process(&hs2, &X, 1);
290 sha1_process(&hs2, ses.session_id, SHA1_HASH_SIZE);
291 sha1_done(&hs2, out);
292 for (offset = SHA1_HASH_SIZE;
293 offset < outlen;
294 offset += SHA1_HASH_SIZE)
295 {
296 /* need to extend */
297 unsigned char k2[SHA1_HASH_SIZE];
298 memcpy(&hs2, hs, sizeof(hash_state));
299 sha1_process(&hs2, out, offset);
300 sha1_done(&hs2, k2);
301 memcpy(&out[offset], k2, MIN(outlen - offset, SHA1_HASH_SIZE));
302 }
303 }
304
305 /* Generate the actual encryption/integrity keys, using the results of the
306 * key exchange, as specified in section 7.2 of the transport rfc 4253.
307 * This occurs after the DH key-exchange.
308 *
309 * ses.newkeys is the new set of keys which are generated, these are only
310 * taken into use after both sides have sent a newkeys message */
311
312 static void gen_new_keys() {
313
314 unsigned char C2S_IV[MAX_IV_LEN];
315 unsigned char C2S_key[MAX_KEY_LEN];
316 unsigned char S2C_IV[MAX_IV_LEN];
317 unsigned char S2C_key[MAX_KEY_LEN];
318 /* unsigned char key[MAX_KEY_LEN]; */
319 unsigned char *trans_IV, *trans_key, *recv_IV, *recv_key;
320
321 hash_state hs;
322 unsigned int C2S_keysize, S2C_keysize;
323 char mactransletter, macrecvletter; /* Client or server specific */
324
325 TRACE(("enter gen_new_keys"))
326 /* the dh_K and hash are the start of all hashes, we make use of that */
327
328 sha1_init(&hs);
329 sha1_process_mp(&hs, ses.dh_K);
330 mp_clear(ses.dh_K);
331 m_free(ses.dh_K);
332 sha1_process(&hs, ses.hash, SHA1_HASH_SIZE);
333 m_burn(ses.hash, SHA1_HASH_SIZE);
334
335 if (IS_DROPBEAR_CLIENT) {
336 trans_IV = C2S_IV;
337 recv_IV = S2C_IV;
338 trans_key = C2S_key;
339 recv_key = S2C_key;
340 C2S_keysize = ses.newkeys->trans.algo_crypt->keysize;
341 S2C_keysize = ses.newkeys->recv.algo_crypt->keysize;
342 mactransletter = 'E';
343 macrecvletter = 'F';
344 } else {
345 trans_IV = S2C_IV;
346 recv_IV = C2S_IV;
347 trans_key = S2C_key;
348 recv_key = C2S_key;
349 C2S_keysize = ses.newkeys->recv.algo_crypt->keysize;
350 S2C_keysize = ses.newkeys->trans.algo_crypt->keysize;
351 mactransletter = 'F';
352 macrecvletter = 'E';
353 }
354
355 hashkeys(C2S_IV, SHA1_HASH_SIZE, &hs, 'A');
356 hashkeys(S2C_IV, SHA1_HASH_SIZE, &hs, 'B');
357 hashkeys(C2S_key, C2S_keysize, &hs, 'C');
358 hashkeys(S2C_key, S2C_keysize, &hs, 'D');
359
360 if (ses.newkeys->recv.algo_crypt->cipherdesc != NULL) {
361 int recv_cipher = find_cipher(ses.newkeys->recv.algo_crypt->cipherdesc->name);
362 if (recv_cipher < 0)
363 dropbear_exit("Crypto error");
364 if (ses.newkeys->recv.crypt_mode->start(recv_cipher,
365 recv_IV, recv_key,
366 ses.newkeys->recv.algo_crypt->keysize, 0,
367 &ses.newkeys->recv.cipher_state) != CRYPT_OK) {
368 dropbear_exit("Crypto error");
369 }
370 }
371
372 if (ses.newkeys->trans.algo_crypt->cipherdesc != NULL) {
373 int trans_cipher = find_cipher(ses.newkeys->trans.algo_crypt->cipherdesc->name);
374 if (trans_cipher < 0)
375 dropbear_exit("Crypto error");
376 if (ses.newkeys->trans.crypt_mode->start(trans_cipher,
377 trans_IV, trans_key,
378 ses.newkeys->trans.algo_crypt->keysize, 0,
379 &ses.newkeys->trans.cipher_state) != CRYPT_OK) {
380 dropbear_exit("Crypto error");
381 }
382 }
383
384 if (ses.newkeys->trans.algo_mac->hashdesc != NULL) {
385 hashkeys(ses.newkeys->trans.mackey,
386 ses.newkeys->trans.algo_mac->keysize, &hs, mactransletter);
387 ses.newkeys->trans.hash_index = find_hash(ses.newkeys->trans.algo_mac->hashdesc->name);
388 }
389
390 if (ses.newkeys->recv.algo_mac->hashdesc != NULL) {
391 hashkeys(ses.newkeys->recv.mackey,
392 ses.newkeys->recv.algo_mac->keysize, &hs, macrecvletter);
393 ses.newkeys->recv.hash_index = find_hash(ses.newkeys->recv.algo_mac->hashdesc->name);
394 }
395
396 /* Ready to switch over */
397 ses.newkeys->trans.valid = 1;
398 ses.newkeys->recv.valid = 1;
399
400 m_burn(C2S_IV, sizeof(C2S_IV));
401 m_burn(C2S_key, sizeof(C2S_key));
402 m_burn(S2C_IV, sizeof(S2C_IV));
403 m_burn(S2C_key, sizeof(S2C_key));
404
405 TRACE(("leave gen_new_keys"))
406 }
407
408 #ifndef DISABLE_ZLIB
409
410 int is_compress_trans() {
411 return ses.keys->trans.algo_comp == DROPBEAR_COMP_ZLIB
412 || (ses.authstate.authdone
413 && ses.keys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
414 }
415
416 int is_compress_recv() {
417 return ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB
418 || (ses.authstate.authdone
419 && ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
420 }
421
422 /* Set up new zlib compression streams, close the old ones. Only
423 * called from gen_new_keys() */
424 static void gen_new_zstream_recv() {
425
426 /* create new zstreams */
427 if (ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB
428 || ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
429 ses.newkeys->recv.zstream = (z_streamp)m_malloc(sizeof(z_stream));
430 ses.newkeys->recv.zstream->zalloc = Z_NULL;
431 ses.newkeys->recv.zstream->zfree = Z_NULL;
432
433 if (inflateInit(ses.newkeys->recv.zstream) != Z_OK) {
434 dropbear_exit("zlib error");
435 }
436 } else {
437 ses.newkeys->recv.zstream = NULL;
438 }
439 /* clean up old keys */
440 if (ses.keys->recv.zstream != NULL) {
441 if (inflateEnd(ses.keys->recv.zstream) == Z_STREAM_ERROR) {
442 /* Z_DATA_ERROR is ok, just means that stream isn't ended */
443 dropbear_exit("Crypto error");
444 }
445 m_free(ses.keys->recv.zstream);
446 }
447 }
448
449 static void gen_new_zstream_trans() {
450
451 if (ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB
452 || ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
453 ses.newkeys->trans.zstream = (z_streamp)m_malloc(sizeof(z_stream));
454 ses.newkeys->trans.zstream->zalloc = Z_NULL;
455 ses.newkeys->trans.zstream->zfree = Z_NULL;
456
457 if (deflateInit2(ses.newkeys->trans.zstream, Z_DEFAULT_COMPRESSION,
458 Z_DEFLATED, DROPBEAR_ZLIB_WINDOW_BITS,
459 DROPBEAR_ZLIB_MEM_LEVEL, Z_DEFAULT_STRATEGY)
460 != Z_OK) {
461 dropbear_exit("zlib error");
462 }
463 } else {
464 ses.newkeys->trans.zstream = NULL;
465 }
466
467 if (ses.keys->trans.zstream != NULL) {
468 if (deflateEnd(ses.keys->trans.zstream) == Z_STREAM_ERROR) {
469 /* Z_DATA_ERROR is ok, just means that stream isn't ended */
470 dropbear_exit("Crypto error");
471 }
472 m_free(ses.keys->trans.zstream);
473 }
474 }
475 #endif /* DISABLE_ZLIB */
476
477
478 /* Executed upon receiving a kexinit message from the client to initiate
479 * key exchange. If we haven't already done so, we send the list of our
480 * preferred algorithms. The client's requested algorithms are processed,
481 * and we calculate the first portion of the key-exchange-hash for used
482 * later in the key exchange. No response is sent, as the client should
483 * initiate the diffie-hellman key exchange */
484
485 /* Originally from kex.c, generalized for cli/svr mode --mihnea */
486 /* Belongs in common_kex.c where it should be moved after review */
487 void recv_msg_kexinit() {
488
489 unsigned int kexhashbuf_len = 0;
490 unsigned int remote_ident_len = 0;
491 unsigned int local_ident_len = 0;
492
493 TRACE(("<- KEXINIT"))
494 TRACE(("enter recv_msg_kexinit"))
495
496 if (!ses.kexstate.sentkexinit) {
497 /* we need to send a kex packet */
498 send_msg_kexinit();
499 TRACE(("continue recv_msg_kexinit: sent kexinit"))
500 }
501
502 /* start the kex hash */
503 local_ident_len = strlen(LOCAL_IDENT);
504 remote_ident_len = strlen((char*)ses.remoteident);
505
506 kexhashbuf_len = local_ident_len + remote_ident_len
507 + ses.transkexinit->len + ses.payload->len
508 + KEXHASHBUF_MAX_INTS;
509
510 ses.kexhashbuf = buf_new(kexhashbuf_len);
511
512 if (IS_DROPBEAR_CLIENT) {
513
514 /* read the peer's choice of algos */
515 read_kex_algos();
516
517 /* V_C, the client's version string (CR and NL excluded) */
518 buf_putstring(ses.kexhashbuf,
519 (unsigned char*)LOCAL_IDENT, local_ident_len);
520 /* V_S, the server's version string (CR and NL excluded) */
521 buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
522
523 /* I_C, the payload of the client's SSH_MSG_KEXINIT */
524 buf_putstring(ses.kexhashbuf,
525 ses.transkexinit->data, ses.transkexinit->len);
526 /* I_S, the payload of the server's SSH_MSG_KEXINIT */
527 buf_setpos(ses.payload, 0);
528 buf_putstring(ses.kexhashbuf, ses.payload->data, ses.payload->len);
529
530 } else {
531 /* SERVER */
532
533 /* read the peer's choice of algos */
534 read_kex_algos();
535 /* V_C, the client's version string (CR and NL excluded) */
536 buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
537 /* V_S, the server's version string (CR and NL excluded) */
538 buf_putstring(ses.kexhashbuf,
539 (unsigned char*)LOCAL_IDENT, local_ident_len);
540
541 /* I_C, the payload of the client's SSH_MSG_KEXINIT */
542 buf_setpos(ses.payload, 0);
543 buf_putstring(ses.kexhashbuf, ses.payload->data, ses.payload->len);
544
545 /* I_S, the payload of the server's SSH_MSG_KEXINIT */
546 buf_putstring(ses.kexhashbuf,
547 ses.transkexinit->data, ses.transkexinit->len);
548
549 ses.requirenext[0] = SSH_MSG_KEXDH_INIT;
550 }
551
552 buf_free(ses.transkexinit);
553 ses.transkexinit = NULL;
554 /* the rest of ses.kexhashbuf will be done after DH exchange */
555
556 ses.kexstate.recvkexinit = 1;
557
558 TRACE(("leave recv_msg_kexinit"))
559 }
560
561 static void load_dh_p(mp_int * dh_p)
562 {
563 switch (ses.newkeys->algo_kex) {
564 case DROPBEAR_KEX_DH_GROUP1:
565 bytes_to_mp(dh_p, dh_p_1, DH_P_1_LEN);
566 break;
567 case DROPBEAR_KEX_DH_GROUP14:
568 bytes_to_mp(dh_p, dh_p_14, DH_P_14_LEN);
569 break;
570 }
571 }
572
573 /* Initialises and generate one side of the diffie-hellman key exchange values.
574 * See the transport rfc 4253 section 8 for details */
575 /* dh_pub and dh_priv MUST be already initialised */
576 void gen_kexdh_vals(mp_int *dh_pub, mp_int *dh_priv) {
577
578 DEF_MP_INT(dh_p);
579 DEF_MP_INT(dh_q);
580 DEF_MP_INT(dh_g);
581
582 TRACE(("enter gen_kexdh_vals"))
583
584 m_mp_init_multi(&dh_g, &dh_p, &dh_q, NULL);
585
586 /* read the prime and generator*/
587 load_dh_p(&dh_p);
588
589 if (mp_set_int(&dh_g, DH_G_VAL) != MP_OKAY) {
590 dropbear_exit("Diffie-Hellman error");
591 }
592
593 /* calculate q = (p-1)/2 */
594 /* dh_priv is just a temp var here */
595 if (mp_sub_d(&dh_p, 1, dh_priv) != MP_OKAY) {
596 dropbear_exit("Diffie-Hellman error");
597 }
598 if (mp_div_2(dh_priv, &dh_q) != MP_OKAY) {
599 dropbear_exit("Diffie-Hellman error");
600 }
601
602 /* Generate a private portion 0 < dh_priv < dh_q */
603 gen_random_mpint(&dh_q, dh_priv);
604
605 /* f = g^y mod p */
606 if (mp_exptmod(&dh_g, dh_priv, &dh_p, dh_pub) != MP_OKAY) {
607 dropbear_exit("Diffie-Hellman error");
608 }
609 mp_clear_multi(&dh_g, &dh_p, &dh_q, NULL);
610 }
611
612 /* This function is fairly common between client/server, with some substitution
613 * of dh_e/dh_f etc. Hence these arguments:
614 * dh_pub_us is 'e' for the client, 'f' for the server. dh_pub_them is
615 * vice-versa. dh_priv is the x/y value corresponding to dh_pub_us */
616 void kexdh_comb_key(mp_int *dh_pub_us, mp_int *dh_priv, mp_int *dh_pub_them,
617 sign_key *hostkey) {
618
619 mp_int dh_p;
620 mp_int *dh_e = NULL, *dh_f = NULL;
621 hash_state hs;
622
623 /* read the prime and generator*/
624 m_mp_init(&dh_p);
625 load_dh_p(&dh_p);
626
627 /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */
628 if (mp_cmp(dh_pub_them, &dh_p) != MP_LT
629 || mp_cmp_d(dh_pub_them, 0) != MP_GT) {
630 dropbear_exit("Diffie-Hellman error");
631 }
632
633 /* K = e^y mod p = f^x mod p */
634 ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int));
635 m_mp_init(ses.dh_K);
636 if (mp_exptmod(dh_pub_them, dh_priv, &dh_p, ses.dh_K) != MP_OKAY) {
637 dropbear_exit("Diffie-Hellman error");
638 }
639
640 /* clear no longer needed vars */
641 mp_clear_multi(&dh_p, NULL);
642
643 /* From here on, the code needs to work with the _same_ vars on each side,
644 * not vice-versaing for client/server */
645 if (IS_DROPBEAR_CLIENT) {
646 dh_e = dh_pub_us;
647 dh_f = dh_pub_them;
648 } else {
649 dh_e = dh_pub_them;
650 dh_f = dh_pub_us;
651 }
652
653 /* Create the remainder of the hash buffer, to generate the exchange hash */
654 /* K_S, the host key */
655 buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
656 /* e, exchange value sent by the client */
657 buf_putmpint(ses.kexhashbuf, dh_e);
658 /* f, exchange value sent by the server */
659 buf_putmpint(ses.kexhashbuf, dh_f);
660 /* K, the shared secret */
661 buf_putmpint(ses.kexhashbuf, ses.dh_K);
662
663 /* calculate the hash H to sign */
664 sha1_init(&hs);
665 buf_setpos(ses.kexhashbuf, 0);
666 sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
667 ses.kexhashbuf->len);
668 sha1_done(&hs, ses.hash);
669
670 buf_burn(ses.kexhashbuf);
671 buf_free(ses.kexhashbuf);
672 ses.kexhashbuf = NULL;
673
674 /* first time around, we set the session_id to H */
675 if (ses.session_id == NULL) {
676 /* create the session_id, this never needs freeing */
677 ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE);
678 memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE);
679 }
680 }
681
682 /* read the other side's algo list. buf_match_algo is a callback to match
683 * algos for the client or server. */
684 static void read_kex_algos() {
685
686 /* for asymmetry */
687 algo_type * c2s_hash_algo = NULL;
688 algo_type * s2c_hash_algo = NULL;
689 algo_type * c2s_cipher_algo = NULL;
690 algo_type * s2c_cipher_algo = NULL;
691 algo_type * c2s_comp_algo = NULL;
692 algo_type * s2c_comp_algo = NULL;
693 /* the generic one */
694 algo_type * algo = NULL;
695
696 /* which algo couldn't match */
697 char * erralgo = NULL;
698
699 int goodguess = 0;
700 int allgood = 1; /* we AND this with each goodguess and see if its still
701 true after */
702
703 buf_incrpos(ses.payload, 16); /* start after the cookie */
704
705 memset(ses.newkeys, 0x0, sizeof(*ses.newkeys));
706
707 #ifdef USE_KEXGUESS2
708 enum kexguess2_used kexguess2 = KEXGUESS2_LOOK;
709 #else
710 enum kexguess2_used kexguess2 = KEXGUESS2_NO;
711 #endif
712
713 /* kex_algorithms */
714 algo = buf_match_algo(ses.payload, sshkex, &kexguess2, &goodguess);
715 allgood &= goodguess;
716 if (algo == NULL || algo->val == KEXGUESS2_ALGO_ID) {
717 erralgo = "kex";
718 goto error;
719 }
720 TRACE(("kexguess2 %d", kexguess2))
721 TRACE(("kex algo %s", algo->name))
722 ses.newkeys->algo_kex = algo->val;
723
724 /* server_host_key_algorithms */
725 algo = buf_match_algo(ses.payload, sshhostkey, &kexguess2, &goodguess);
726 allgood &= goodguess;
727 if (algo == NULL) {
728 erralgo = "hostkey";
729 goto error;
730 }
731 TRACE(("hostkey algo %s", algo->name))
732 ses.newkeys->algo_hostkey = algo->val;
733
734 /* encryption_algorithms_client_to_server */
735 c2s_cipher_algo = buf_match_algo(ses.payload, sshciphers, NULL, NULL);
736 if (c2s_cipher_algo == NULL) {
737 erralgo = "enc c->s";
738 goto error;
739 }
740 TRACE(("enc c2s is %s", c2s_cipher_algo->name))
741
742 /* encryption_algorithms_server_to_client */
743 s2c_cipher_algo = buf_match_algo(ses.payload, sshciphers, NULL, NULL);
744 if (s2c_cipher_algo == NULL) {
745 erralgo = "enc s->c";
746 goto error;
747 }
748 TRACE(("enc s2c is %s", s2c_cipher_algo->name))
749
750 /* mac_algorithms_client_to_server */
751 c2s_hash_algo = buf_match_algo(ses.payload, sshhashes, NULL, NULL);
752 if (c2s_hash_algo == NULL) {
753 erralgo = "mac c->s";
754 goto error;
755 }
756 TRACE(("hash c2s is %s", c2s_hash_algo->name))
757
758 /* mac_algorithms_server_to_client */
759 s2c_hash_algo = buf_match_algo(ses.payload, sshhashes, NULL, NULL);
760 if (s2c_hash_algo == NULL) {
761 erralgo = "mac s->c";
762 goto error;
763 }
764 TRACE(("hash s2c is %s", s2c_hash_algo->name))
765
766 /* compression_algorithms_client_to_server */
767 c2s_comp_algo = buf_match_algo(ses.payload, ses.compress_algos, NULL, NULL);
768 if (c2s_comp_algo == NULL) {
769 erralgo = "comp c->s";
770 goto error;
771 }
772 TRACE(("hash c2s is %s", c2s_comp_algo->name))
773
774 /* compression_algorithms_server_to_client */
775 s2c_comp_algo = buf_match_algo(ses.payload, ses.compress_algos, NULL, NULL);
776 if (s2c_comp_algo == NULL) {
777 erralgo = "comp s->c";
778 goto error;
779 }
780 TRACE(("hash s2c is %s", s2c_comp_algo->name))
781
782 /* languages_client_to_server */
783 buf_eatstring(ses.payload);
784
785 /* languages_server_to_client */
786 buf_eatstring(ses.payload);
787
788 /* their first_kex_packet_follows */
789 if (buf_getbool(ses.payload)) {
790 TRACE(("them kex firstfollows. allgood %d", allgood))
791 ses.kexstate.them_firstfollows = 1;
792 /* if the guess wasn't good, we ignore the packet sent */
793 if (!allgood) {
794 ses.ignorenext = 1;
795 }
796 }
797
798 /* Handle the asymmetry */
799 if (IS_DROPBEAR_CLIENT) {
800 ses.newkeys->recv.algo_crypt =
801 (struct dropbear_cipher*)s2c_cipher_algo->data;
802 ses.newkeys->trans.algo_crypt =
803 (struct dropbear_cipher*)c2s_cipher_algo->data;
804 ses.newkeys->recv.crypt_mode =
805 (struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
806 ses.newkeys->trans.crypt_mode =
807 (struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
808 ses.newkeys->recv.algo_mac =
809 (struct dropbear_hash*)s2c_hash_algo->data;
810 ses.newkeys->trans.algo_mac =
811 (struct dropbear_hash*)c2s_hash_algo->data;
812 ses.newkeys->recv.algo_comp = s2c_comp_algo->val;
813 ses.newkeys->trans.algo_comp = c2s_comp_algo->val;
814 } else {
815 /* SERVER */
816 ses.newkeys->recv.algo_crypt =
817 (struct dropbear_cipher*)c2s_cipher_algo->data;
818 ses.newkeys->trans.algo_crypt =
819 (struct dropbear_cipher*)s2c_cipher_algo->data;
820 ses.newkeys->recv.crypt_mode =
821 (struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
822 ses.newkeys->trans.crypt_mode =
823 (struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
824 ses.newkeys->recv.algo_mac =
825 (struct dropbear_hash*)c2s_hash_algo->data;
826 ses.newkeys->trans.algo_mac =
827 (struct dropbear_hash*)s2c_hash_algo->data;
828 ses.newkeys->recv.algo_comp = c2s_comp_algo->val;
829 ses.newkeys->trans.algo_comp = s2c_comp_algo->val;
830 }
831
832 /* reserved for future extensions */
833 buf_getint(ses.payload);
834
835 if (ses.send_kex_first_guess && allgood) {
836 TRACE(("our_first_follows_matches 1"))
837 ses.kexstate.our_first_follows_matches = 1;
838 }
839 return;
840
841 error:
842 dropbear_exit("No matching algo %s", erralgo);
843 }
Tomato firmware and modifications.