search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Changes to update Tomato RAF.
[tomato.git] / release / src / router / dropbear / common-kex.c
blob2b3472b7d6581728c64903c2dcb2b4e6259827e4
1 /*
2 * Dropbear SSH
3 *
4 * Copyright (c) 2002-2004 Matt Johnston
5 * Portions Copyright (c) 2004 by Mihnea Stoenescu
6 * All rights reserved.
7 *
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
14 *
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24 * SOFTWARE. */
25
26 #include "includes.h"
27 #include "dbutil.h"
28 #include "algo.h"
29 #include "buffer.h"
30 #include "session.h"
31 #include "kex.h"
32 #include "ssh.h"
33 #include "packet.h"
34 #include "bignum.h"
35 #include "random.h"
36 #include "runopts.h"
37
38 /* diffie-hellman-group1-sha1 value for p */
39 #define DH_P_1_LEN 128
40 static const unsigned char dh_p_1[DH_P_1_LEN] = {
41 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
42 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
43 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
44 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
45 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
46 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
47 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
48 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
49 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
50 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
51 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
52
53 /* diffie-hellman-group14-sha1 value for p */
54 #define DH_P_14_LEN 256
55 static const unsigned char dh_p_14[DH_P_14_LEN] = {
56 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
57 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
58 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
59 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
60 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
61 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
62 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
63 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
64 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
65 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
66 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
67 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
68 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
69 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
70 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
71 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
72 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
73 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
74 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
75 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
76 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF,
77 0xFF, 0xFF, 0xFF, 0xFF};
78
79 /* Same for group1 and group14 */
80 static const int DH_G_VAL = 2;
81
82 static void kexinitialise();
83 void gen_new_keys();
84 #ifndef DISABLE_ZLIB
85 static void gen_new_zstreams();
86 #endif
87 static void read_kex_algos();
88 /* helper function for gen_new_keys */
89 static void hashkeys(unsigned char *out, int outlen,
90 const hash_state * hs, unsigned const char X);
91
92
93 /* Send our list of algorithms we can use */
94 void send_msg_kexinit() {
95
96 CHECKCLEARTOWRITE();
97 buf_putbyte(ses.writepayload, SSH_MSG_KEXINIT);
98
99 /* cookie */
100 genrandom(buf_getwriteptr(ses.writepayload, 16), 16);
101 buf_incrwritepos(ses.writepayload, 16);
102
103 /* kex algos */
104 buf_put_algolist(ses.writepayload, sshkex);
105
106 /* server_host_key_algorithms */
107 buf_put_algolist(ses.writepayload, sshhostkey);
108
109 /* encryption_algorithms_client_to_server */
110 buf_put_algolist(ses.writepayload, sshciphers);
111
112 /* encryption_algorithms_server_to_client */
113 buf_put_algolist(ses.writepayload, sshciphers);
114
115 /* mac_algorithms_client_to_server */
116 buf_put_algolist(ses.writepayload, sshhashes);
117
118 /* mac_algorithms_server_to_client */
119 buf_put_algolist(ses.writepayload, sshhashes);
120
121 /* compression_algorithms_client_to_server */
122 buf_put_algolist(ses.writepayload, ses.compress_algos);
123
124 /* compression_algorithms_server_to_client */
125 buf_put_algolist(ses.writepayload, ses.compress_algos);
126
127 /* languages_client_to_server */
128 buf_putstring(ses.writepayload, "", 0);
129
130 /* languages_server_to_client */
131 buf_putstring(ses.writepayload, "", 0);
132
133 /* first_kex_packet_follows - unimplemented for now */
134 buf_putbyte(ses.writepayload, 0x00);
135
136 /* reserved unit32 */
137 buf_putint(ses.writepayload, 0);
138
139 /* set up transmitted kex packet buffer for hashing.
140 * This is freed after the end of the kex */
141 ses.transkexinit = buf_newcopy(ses.writepayload);
142
143 encrypt_packet();
144 ses.dataallowed = 0; /* don't send other packets during kex */
145
146 TRACE(("DATAALLOWED=0"))
147 TRACE(("-> KEXINIT"))
148 ses.kexstate.sentkexinit = 1;
149 }
150
151 /* *** NOTE regarding (send|recv)_msg_newkeys ***
152 * Changed by mihnea from the original kex.c to set dataallowed after a
153 * completed key exchange, no matter the order in which it was performed.
154 * This enables client mode without affecting server functionality.
155 */
156
157 /* Bring new keys into use after a key exchange, and let the client know*/
158 void send_msg_newkeys() {
159
160 TRACE(("enter send_msg_newkeys"))
161
162 /* generate the kexinit request */
163 CHECKCLEARTOWRITE();
164 buf_putbyte(ses.writepayload, SSH_MSG_NEWKEYS);
165 encrypt_packet();
166
167
168 /* set up our state */
169 if (ses.kexstate.recvnewkeys) {
170 TRACE(("while RECVNEWKEYS=1"))
171 gen_new_keys();
172 kexinitialise(); /* we've finished with this kex */
173 TRACE((" -> DATAALLOWED=1"))
174 ses.dataallowed = 1; /* we can send other packets again now */
175 ses.kexstate.donefirstkex = 1;
176 } else {
177 ses.kexstate.sentnewkeys = 1;
178 TRACE(("SENTNEWKEYS=1"))
179 }
180
181 TRACE(("-> MSG_NEWKEYS"))
182 TRACE(("leave send_msg_newkeys"))
183 }
184
185 /* Bring the new keys into use after a key exchange */
186 void recv_msg_newkeys() {
187
188 TRACE(("<- MSG_NEWKEYS"))
189 TRACE(("enter recv_msg_newkeys"))
190
191 /* simply check if we've sent SSH_MSG_NEWKEYS, and if so,
192 * switch to the new keys */
193 if (ses.kexstate.sentnewkeys) {
194 TRACE(("while SENTNEWKEYS=1"))
195 gen_new_keys();
196 kexinitialise(); /* we've finished with this kex */
197 TRACE((" -> DATAALLOWED=1"))
198 ses.dataallowed = 1; /* we can send other packets again now */
199 ses.kexstate.donefirstkex = 1;
200 } else {
201 TRACE(("RECVNEWKEYS=1"))
202 ses.kexstate.recvnewkeys = 1;
203 }
204
205 TRACE(("leave recv_msg_newkeys"))
206 }
207
208
209 /* Set up the kex for the first time */
210 void kexfirstinitialise() {
211 ses.kexstate.donefirstkex = 0;
212
213 #ifndef DISABLE_ZLIB
214 if (opts.enable_compress) {
215 ses.compress_algos = ssh_compress;
216 } else
217 #endif
218 {
219 ses.compress_algos = ssh_nocompress;
220 }
221 kexinitialise();
222 }
223
224 /* Reset the kex state, ready for a new negotiation */
225 static void kexinitialise() {
226
227 TRACE(("kexinitialise()"))
228
229 /* sent/recv'd MSG_KEXINIT */
230 ses.kexstate.sentkexinit = 0;
231 ses.kexstate.recvkexinit = 0;
232
233 /* sent/recv'd MSG_NEWKEYS */
234 ses.kexstate.recvnewkeys = 0;
235 ses.kexstate.sentnewkeys = 0;
236
237 /* first_packet_follows */
238 ses.kexstate.firstfollows = 0;
239
240 ses.kexstate.datatrans = 0;
241 ses.kexstate.datarecv = 0;
242
243 ses.kexstate.lastkextime = time(NULL);
244
245 }
246
247 /* Helper function for gen_new_keys, creates a hash. It makes a copy of the
248 * already initialised hash_state hs, which should already have processed
249 * the dh_K and hash, since these are common. X is the letter 'A', 'B' etc.
250 * out must have at least min(SHA1_HASH_SIZE, outlen) bytes allocated.
251 * The output will only be expanded once, as we are assured that
252 * outlen <= 2*SHA1_HASH_SIZE for all known hashes.
253 *
254 * See Section 7.2 of rfc4253 (ssh transport) for details */
255 static void hashkeys(unsigned char *out, int outlen,
256 const hash_state * hs, const unsigned char X) {
257
258 hash_state hs2;
259 unsigned char k2[SHA1_HASH_SIZE]; /* used to extending */
260
261 memcpy(&hs2, hs, sizeof(hash_state));
262 sha1_process(&hs2, &X, 1);
263 sha1_process(&hs2, ses.session_id, SHA1_HASH_SIZE);
264 sha1_done(&hs2, out);
265 if (SHA1_HASH_SIZE < outlen) {
266 /* need to extend */
267 memcpy(&hs2, hs, sizeof(hash_state));
268 sha1_process(&hs2, out, SHA1_HASH_SIZE);
269 sha1_done(&hs2, k2);
270 memcpy(&out[SHA1_HASH_SIZE], k2, outlen - SHA1_HASH_SIZE);
271 }
272 }
273
274 /* Generate the actual encryption/integrity keys, using the results of the
275 * key exchange, as specified in section 7.2 of the transport rfc 4253.
276 * This occurs after the DH key-exchange.
277 *
278 * ses.newkeys is the new set of keys which are generated, these are only
279 * taken into use after both sides have sent a newkeys message */
280
281 /* Originally from kex.c, generalized for cli/svr mode --mihnea */
282 void gen_new_keys() {
283
284 unsigned char C2S_IV[MAX_IV_LEN];
285 unsigned char C2S_key[MAX_KEY_LEN];
286 unsigned char S2C_IV[MAX_IV_LEN];
287 unsigned char S2C_key[MAX_KEY_LEN];
288 /* unsigned char key[MAX_KEY_LEN]; */
289 unsigned char *trans_IV, *trans_key, *recv_IV, *recv_key;
290
291 hash_state hs;
292 unsigned int C2S_keysize, S2C_keysize;
293 char mactransletter, macrecvletter; /* Client or server specific */
294 int recv_cipher = 0, trans_cipher = 0;
295
296 TRACE(("enter gen_new_keys"))
297 /* the dh_K and hash are the start of all hashes, we make use of that */
298
299 sha1_init(&hs);
300 sha1_process_mp(&hs, ses.dh_K);
301 mp_clear(ses.dh_K);
302 m_free(ses.dh_K);
303 sha1_process(&hs, ses.hash, SHA1_HASH_SIZE);
304 m_burn(ses.hash, SHA1_HASH_SIZE);
305
306 if (IS_DROPBEAR_CLIENT) {
307 trans_IV = C2S_IV;
308 recv_IV = S2C_IV;
309 trans_key = C2S_key;
310 recv_key = S2C_key;
311 C2S_keysize = ses.newkeys->trans.algo_crypt->keysize;
312 S2C_keysize = ses.newkeys->recv.algo_crypt->keysize;
313 mactransletter = 'E';
314 macrecvletter = 'F';
315 } else {
316 trans_IV = S2C_IV;
317 recv_IV = C2S_IV;
318 trans_key = S2C_key;
319 recv_key = C2S_key;
320 C2S_keysize = ses.newkeys->recv.algo_crypt->keysize;
321 S2C_keysize = ses.newkeys->trans.algo_crypt->keysize;
322 mactransletter = 'F';
323 macrecvletter = 'E';
324 }
325
326 hashkeys(C2S_IV, SHA1_HASH_SIZE, &hs, 'A');
327 hashkeys(S2C_IV, SHA1_HASH_SIZE, &hs, 'B');
328 hashkeys(C2S_key, C2S_keysize, &hs, 'C');
329 hashkeys(S2C_key, S2C_keysize, &hs, 'D');
330
331 recv_cipher = find_cipher(ses.newkeys->recv.algo_crypt->cipherdesc->name);
332 if (recv_cipher < 0)
333 dropbear_exit("Crypto error");
334 if (ses.newkeys->recv.crypt_mode->start(recv_cipher,
335 recv_IV, recv_key,
336 ses.newkeys->recv.algo_crypt->keysize, 0,
337 &ses.newkeys->recv.cipher_state) != CRYPT_OK) {
338 dropbear_exit("Crypto error");
339 }
340
341 trans_cipher = find_cipher(ses.newkeys->trans.algo_crypt->cipherdesc->name);
342 if (trans_cipher < 0)
343 dropbear_exit("Crypto error");
344 if (ses.newkeys->trans.crypt_mode->start(trans_cipher,
345 trans_IV, trans_key,
346 ses.newkeys->trans.algo_crypt->keysize, 0,
347 &ses.newkeys->trans.cipher_state) != CRYPT_OK) {
348 dropbear_exit("Crypto error");
349 }
350
351 /* MAC keys */
352 hashkeys(ses.newkeys->trans.mackey,
353 ses.newkeys->trans.algo_mac->keysize, &hs, mactransletter);
354 hashkeys(ses.newkeys->recv.mackey,
355 ses.newkeys->recv.algo_mac->keysize, &hs, macrecvletter);
356 ses.newkeys->trans.hash_index = find_hash(ses.newkeys->trans.algo_mac->hashdesc->name),
357 ses.newkeys->recv.hash_index = find_hash(ses.newkeys->recv.algo_mac->hashdesc->name),
358
359 #ifndef DISABLE_ZLIB
360 gen_new_zstreams();
361 #endif
362
363 /* Switch over to the new keys */
364 m_burn(ses.keys, sizeof(struct key_context));
365 m_free(ses.keys);
366 ses.keys = ses.newkeys;
367 ses.newkeys = NULL;
368
369 m_burn(C2S_IV, sizeof(C2S_IV));
370 m_burn(C2S_key, sizeof(C2S_key));
371 m_burn(S2C_IV, sizeof(S2C_IV));
372 m_burn(S2C_key, sizeof(S2C_key));
373
374 TRACE(("leave gen_new_keys"))
375 }
376
377 #ifndef DISABLE_ZLIB
378
379 int is_compress_trans() {
380 return ses.keys->trans.algo_comp == DROPBEAR_COMP_ZLIB
381 || (ses.authstate.authdone
382 && ses.keys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
383 }
384
385 int is_compress_recv() {
386 return ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB
387 || (ses.authstate.authdone
388 && ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
389 }
390
391 /* Set up new zlib compression streams, close the old ones. Only
392 * called from gen_new_keys() */
393 static void gen_new_zstreams() {
394
395 /* create new zstreams */
396 if (ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB
397 || ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
398 ses.newkeys->recv.zstream = (z_streamp)m_malloc(sizeof(z_stream));
399 ses.newkeys->recv.zstream->zalloc = Z_NULL;
400 ses.newkeys->recv.zstream->zfree = Z_NULL;
401
402 if (inflateInit(ses.newkeys->recv.zstream) != Z_OK) {
403 dropbear_exit("zlib error");
404 }
405 } else {
406 ses.newkeys->recv.zstream = NULL;
407 }
408
409 if (ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB
410 || ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
411 ses.newkeys->trans.zstream = (z_streamp)m_malloc(sizeof(z_stream));
412 ses.newkeys->trans.zstream->zalloc = Z_NULL;
413 ses.newkeys->trans.zstream->zfree = Z_NULL;
414
415 if (deflateInit2(ses.newkeys->trans.zstream, Z_DEFAULT_COMPRESSION,
416 Z_DEFLATED, DROPBEAR_ZLIB_WINDOW_BITS,
417 DROPBEAR_ZLIB_MEM_LEVEL, Z_DEFAULT_STRATEGY)
418 != Z_OK) {
419 dropbear_exit("zlib error");
420 }
421 } else {
422 ses.newkeys->trans.zstream = NULL;
423 }
424
425 /* clean up old keys */
426 if (ses.keys->recv.zstream != NULL) {
427 if (inflateEnd(ses.keys->recv.zstream) == Z_STREAM_ERROR) {
428 /* Z_DATA_ERROR is ok, just means that stream isn't ended */
429 dropbear_exit("Crypto error");
430 }
431 m_free(ses.keys->recv.zstream);
432 }
433 if (ses.keys->trans.zstream != NULL) {
434 if (deflateEnd(ses.keys->trans.zstream) == Z_STREAM_ERROR) {
435 /* Z_DATA_ERROR is ok, just means that stream isn't ended */
436 dropbear_exit("Crypto error");
437 }
438 m_free(ses.keys->trans.zstream);
439 }
440 }
441 #endif /* DISABLE_ZLIB */
442
443
444 /* Executed upon receiving a kexinit message from the client to initiate
445 * key exchange. If we haven't already done so, we send the list of our
446 * preferred algorithms. The client's requested algorithms are processed,
447 * and we calculate the first portion of the key-exchange-hash for used
448 * later in the key exchange. No response is sent, as the client should
449 * initiate the diffie-hellman key exchange */
450
451 /* Originally from kex.c, generalized for cli/svr mode --mihnea */
452 /* Belongs in common_kex.c where it should be moved after review */
453 void recv_msg_kexinit() {
454
455 unsigned int kexhashbuf_len = 0;
456 unsigned int remote_ident_len = 0;
457 unsigned int local_ident_len = 0;
458
459 TRACE(("<- KEXINIT"))
460 TRACE(("enter recv_msg_kexinit"))
461
462 if (!ses.kexstate.sentkexinit) {
463 /* we need to send a kex packet */
464 send_msg_kexinit();
465 TRACE(("continue recv_msg_kexinit: sent kexinit"))
466 }
467
468 /* start the kex hash */
469 local_ident_len = strlen(LOCAL_IDENT);
470 remote_ident_len = strlen((char*)ses.remoteident);
471
472 kexhashbuf_len = local_ident_len + remote_ident_len
473 + ses.transkexinit->len + ses.payload->len
474 + KEXHASHBUF_MAX_INTS;
475
476 ses.kexhashbuf = buf_new(kexhashbuf_len);
477
478 if (IS_DROPBEAR_CLIENT) {
479
480 /* read the peer's choice of algos */
481 read_kex_algos();
482
483 /* V_C, the client's version string (CR and NL excluded) */
484 buf_putstring(ses.kexhashbuf,
485 (unsigned char*)LOCAL_IDENT, local_ident_len);
486 /* V_S, the server's version string (CR and NL excluded) */
487 buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
488
489 /* I_C, the payload of the client's SSH_MSG_KEXINIT */
490 buf_putstring(ses.kexhashbuf,
491 ses.transkexinit->data, ses.transkexinit->len);
492 /* I_S, the payload of the server's SSH_MSG_KEXINIT */
493 buf_setpos(ses.payload, 0);
494 buf_putstring(ses.kexhashbuf, ses.payload->data, ses.payload->len);
495
496 } else {
497 /* SERVER */
498
499 /* read the peer's choice of algos */
500 read_kex_algos();
501 /* V_C, the client's version string (CR and NL excluded) */
502 buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
503 /* V_S, the server's version string (CR and NL excluded) */
504 buf_putstring(ses.kexhashbuf,
505 (unsigned char*)LOCAL_IDENT, local_ident_len);
506
507 /* I_C, the payload of the client's SSH_MSG_KEXINIT */
508 buf_setpos(ses.payload, 0);
509 buf_putstring(ses.kexhashbuf, ses.payload->data, ses.payload->len);
510
511 /* I_S, the payload of the server's SSH_MSG_KEXINIT */
512 buf_putstring(ses.kexhashbuf,
513 ses.transkexinit->data, ses.transkexinit->len);
514
515 ses.requirenext = SSH_MSG_KEXDH_INIT;
516 }
517
518 buf_free(ses.transkexinit);
519 ses.transkexinit = NULL;
520 /* the rest of ses.kexhashbuf will be done after DH exchange */
521
522 ses.kexstate.recvkexinit = 1;
523
524 TRACE(("leave recv_msg_kexinit"))
525 }
526
527 static void load_dh_p(mp_int * dh_p)
528 {
529 switch (ses.newkeys->algo_kex) {
530 case DROPBEAR_KEX_DH_GROUP1:
531 bytes_to_mp(dh_p, dh_p_1, DH_P_1_LEN);
532 break;
533 case DROPBEAR_KEX_DH_GROUP14:
534 bytes_to_mp(dh_p, dh_p_14, DH_P_14_LEN);
535 break;
536 }
537 }
538
539 /* Initialises and generate one side of the diffie-hellman key exchange values.
540 * See the transport rfc 4253 section 8 for details */
541 /* dh_pub and dh_priv MUST be already initialised */
542 void gen_kexdh_vals(mp_int *dh_pub, mp_int *dh_priv) {
543
544 DEF_MP_INT(dh_p);
545 DEF_MP_INT(dh_q);
546 DEF_MP_INT(dh_g);
547
548 TRACE(("enter send_msg_kexdh_reply"))
549
550 m_mp_init_multi(&dh_g, &dh_p, &dh_q, NULL);
551
552 /* read the prime and generator*/
553 load_dh_p(&dh_p);
554
555 if (mp_set_int(&dh_g, DH_G_VAL) != MP_OKAY) {
556 dropbear_exit("Diffie-Hellman error");
557 }
558
559 /* calculate q = (p-1)/2 */
560 /* dh_priv is just a temp var here */
561 if (mp_sub_d(&dh_p, 1, dh_priv) != MP_OKAY) {
562 dropbear_exit("Diffie-Hellman error");
563 }
564 if (mp_div_2(dh_priv, &dh_q) != MP_OKAY) {
565 dropbear_exit("Diffie-Hellman error");
566 }
567
568 /* Generate a private portion 0 < dh_priv < dh_q */
569 gen_random_mpint(&dh_q, dh_priv);
570
571 /* f = g^y mod p */
572 if (mp_exptmod(&dh_g, dh_priv, &dh_p, dh_pub) != MP_OKAY) {
573 dropbear_exit("Diffie-Hellman error");
574 }
575 mp_clear_multi(&dh_g, &dh_p, &dh_q, NULL);
576 }
577
578 /* This function is fairly common between client/server, with some substitution
579 * of dh_e/dh_f etc. Hence these arguments:
580 * dh_pub_us is 'e' for the client, 'f' for the server. dh_pub_them is
581 * vice-versa. dh_priv is the x/y value corresponding to dh_pub_us */
582 void kexdh_comb_key(mp_int *dh_pub_us, mp_int *dh_priv, mp_int *dh_pub_them,
583 sign_key *hostkey) {
584
585 mp_int dh_p;
586 mp_int *dh_e = NULL, *dh_f = NULL;
587 hash_state hs;
588
589 /* read the prime and generator*/
590 m_mp_init(&dh_p);
591 load_dh_p(&dh_p);
592
593 /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */
594 if (mp_cmp(dh_pub_them, &dh_p) != MP_LT
595 || mp_cmp_d(dh_pub_them, 0) != MP_GT) {
596 dropbear_exit("Diffie-Hellman error");
597 }
598
599 /* K = e^y mod p = f^x mod p */
600 ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int));
601 m_mp_init(ses.dh_K);
602 if (mp_exptmod(dh_pub_them, dh_priv, &dh_p, ses.dh_K) != MP_OKAY) {
603 dropbear_exit("Diffie-Hellman error");
604 }
605
606 /* clear no longer needed vars */
607 mp_clear_multi(&dh_p, NULL);
608
609 /* From here on, the code needs to work with the _same_ vars on each side,
610 * not vice-versaing for client/server */
611 if (IS_DROPBEAR_CLIENT) {
612 dh_e = dh_pub_us;
613 dh_f = dh_pub_them;
614 } else {
615 dh_e = dh_pub_them;
616 dh_f = dh_pub_us;
617 }
618
619 /* Create the remainder of the hash buffer, to generate the exchange hash */
620 /* K_S, the host key */
621 buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
622 /* e, exchange value sent by the client */
623 buf_putmpint(ses.kexhashbuf, dh_e);
624 /* f, exchange value sent by the server */
625 buf_putmpint(ses.kexhashbuf, dh_f);
626 /* K, the shared secret */
627 buf_putmpint(ses.kexhashbuf, ses.dh_K);
628
629 /* calculate the hash H to sign */
630 sha1_init(&hs);
631 buf_setpos(ses.kexhashbuf, 0);
632 sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
633 ses.kexhashbuf->len);
634 sha1_done(&hs, ses.hash);
635
636 buf_burn(ses.kexhashbuf);
637 buf_free(ses.kexhashbuf);
638 ses.kexhashbuf = NULL;
639
640 /* first time around, we set the session_id to H */
641 if (ses.session_id == NULL) {
642 /* create the session_id, this never needs freeing */
643 ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE);
644 memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE);
645 }
646 }
647
648 /* read the other side's algo list. buf_match_algo is a callback to match
649 * algos for the client or server. */
650 static void read_kex_algos() {
651
652 /* for asymmetry */
653 algo_type * c2s_hash_algo = NULL;
654 algo_type * s2c_hash_algo = NULL;
655 algo_type * c2s_cipher_algo = NULL;
656 algo_type * s2c_cipher_algo = NULL;
657 algo_type * c2s_comp_algo = NULL;
658 algo_type * s2c_comp_algo = NULL;
659 /* the generic one */
660 algo_type * algo = NULL;
661
662 /* which algo couldn't match */
663 char * erralgo = NULL;
664
665 int goodguess = 0;
666 int allgood = 1; /* we AND this with each goodguess and see if its still
667 true after */
668
669 buf_incrpos(ses.payload, 16); /* start after the cookie */
670
671 ses.newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
672
673 /* kex_algorithms */
674 algo = ses.buf_match_algo(ses.payload, sshkex, &goodguess);
675 allgood &= goodguess;
676 if (algo == NULL) {
677 erralgo = "kex";
678 goto error;
679 }
680 TRACE(("kex algo %s", algo->name))
681 ses.newkeys->algo_kex = algo->val;
682
683 /* server_host_key_algorithms */
684 algo = ses.buf_match_algo(ses.payload, sshhostkey, &goodguess);
685 allgood &= goodguess;
686 if (algo == NULL) {
687 erralgo = "hostkey";
688 goto error;
689 }
690 TRACE(("hostkey algo %s", algo->name))
691 ses.newkeys->algo_hostkey = algo->val;
692
693 /* encryption_algorithms_client_to_server */
694 c2s_cipher_algo = ses.buf_match_algo(ses.payload, sshciphers, &goodguess);
695 if (c2s_cipher_algo == NULL) {
696 erralgo = "enc c->s";
697 goto error;
698 }
699 TRACE(("enc c2s is %s", c2s_cipher_algo->name))
700
701 /* encryption_algorithms_server_to_client */
702 s2c_cipher_algo = ses.buf_match_algo(ses.payload, sshciphers, &goodguess);
703 if (s2c_cipher_algo == NULL) {
704 erralgo = "enc s->c";
705 goto error;
706 }
707 TRACE(("enc s2c is %s", s2c_cipher_algo->name))
708
709 /* mac_algorithms_client_to_server */
710 c2s_hash_algo = ses.buf_match_algo(ses.payload, sshhashes, &goodguess);
711 if (c2s_hash_algo == NULL) {
712 erralgo = "mac c->s";
713 goto error;
714 }
715 TRACE(("hash c2s is %s", c2s_hash_algo->name))
716
717 /* mac_algorithms_server_to_client */
718 s2c_hash_algo = ses.buf_match_algo(ses.payload, sshhashes, &goodguess);
719 if (s2c_hash_algo == NULL) {
720 erralgo = "mac s->c";
721 goto error;
722 }
723 TRACE(("hash s2c is %s", s2c_hash_algo->name))
724
725 /* compression_algorithms_client_to_server */
726 c2s_comp_algo = ses.buf_match_algo(ses.payload, ses.compress_algos, &goodguess);
727 if (c2s_comp_algo == NULL) {
728 erralgo = "comp c->s";
729 goto error;
730 }
731 TRACE(("hash c2s is %s", c2s_comp_algo->name))
732
733 /* compression_algorithms_server_to_client */
734 s2c_comp_algo = ses.buf_match_algo(ses.payload, ses.compress_algos, &goodguess);
735 if (s2c_comp_algo == NULL) {
736 erralgo = "comp s->c";
737 goto error;
738 }
739 TRACE(("hash s2c is %s", s2c_comp_algo->name))
740
741 /* languages_client_to_server */
742 buf_eatstring(ses.payload);
743
744 /* languages_server_to_client */
745 buf_eatstring(ses.payload);
746
747 /* first_kex_packet_follows */
748 if (buf_getbool(ses.payload)) {
749 ses.kexstate.firstfollows = 1;
750 /* if the guess wasn't good, we ignore the packet sent */
751 if (!allgood) {
752 ses.ignorenext = 1;
753 }
754 }
755
756 /* Handle the asymmetry */
757 if (IS_DROPBEAR_CLIENT) {
758 ses.newkeys->recv.algo_crypt =
759 (struct dropbear_cipher*)s2c_cipher_algo->data;
760 ses.newkeys->trans.algo_crypt =
761 (struct dropbear_cipher*)c2s_cipher_algo->data;
762 ses.newkeys->recv.crypt_mode =
763 (struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
764 ses.newkeys->trans.crypt_mode =
765 (struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
766 ses.newkeys->recv.algo_mac =
767 (struct dropbear_hash*)s2c_hash_algo->data;
768 ses.newkeys->trans.algo_mac =
769 (struct dropbear_hash*)c2s_hash_algo->data;
770 ses.newkeys->recv.algo_comp = s2c_comp_algo->val;
771 ses.newkeys->trans.algo_comp = c2s_comp_algo->val;
772 } else {
773 /* SERVER */
774 ses.newkeys->recv.algo_crypt =
775 (struct dropbear_cipher*)c2s_cipher_algo->data;
776 ses.newkeys->trans.algo_crypt =
777 (struct dropbear_cipher*)s2c_cipher_algo->data;
778 ses.newkeys->recv.crypt_mode =
779 (struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
780 ses.newkeys->trans.crypt_mode =
781 (struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
782 ses.newkeys->recv.algo_mac =
783 (struct dropbear_hash*)c2s_hash_algo->data;
784 ses.newkeys->trans.algo_mac =
785 (struct dropbear_hash*)s2c_hash_algo->data;
786 ses.newkeys->recv.algo_comp = c2s_comp_algo->val;
787 ses.newkeys->trans.algo_comp = s2c_comp_algo->val;
788 }
789
790 /* reserved for future extensions */
791 buf_getint(ses.payload);
792 return;
793
794 error:
795 dropbear_exit("No matching algo %s", erralgo);
796 }
Tomato firmware and modifications.