/src/dropbear/src/svr-kex.c

Source
/*
 * Dropbear - a SSH2 server
 * 
 * Copyright (c) 2002,2003 Matt Johnston
 * Copyright (c) 2004 by Mihnea Stoenescu
 * All rights reserved.
 * 
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 * 
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE. */

#include "includes.h"
#include "dbutil.h"
#include "algo.h"
#include "buffer.h"
#include "session.h"
#include "kex.h"
#include "ssh.h"
#include "packet.h"
#include "bignum.h"
#include "dbrandom.h"
#include "runopts.h"
#include "ecc.h"
#include "gensignkey.h"

static void send_msg_kexdh_reply(mp_int *dh_e, buffer *q_c);
#if DROPBEAR_EXT_INFO
static void send_msg_ext_info(void);
#endif

/* Handle a diffie-hellman key exchange initialisation. This involves
 * calculating a session key reply value, and corresponding hash. These
 * are carried out by send_msg_kexdh_reply(). recv_msg_kexdh_init() calls
 * that function, then brings the new keys into use */
void recv_msg_kexdh_init() {
  DEF_MP_INT(dh_e);
  buffer *q_c = NULL;

  TRACE(("enter recv_msg_kexdh_init"))
  if (!ses.kexstate.recvkexinit) {
    dropbear_exit("Premature kexdh_init message received");
  }

  switch (ses.newkeys->algo_kex->mode) {
#if DROPBEAR_NORMAL_DH
    case DROPBEAR_KEX_NORMAL_DH:
      m_mp_init(&dh_e);
      if (buf_getmpint(ses.payload, &dh_e) != DROPBEAR_SUCCESS) {
        dropbear_exit("Bad kex value");
      }
      break;
#endif
#if DROPBEAR_ECDH
    case DROPBEAR_KEX_ECDH:
#endif
#if DROPBEAR_CURVE25519
    case DROPBEAR_KEX_CURVE25519:
#endif
#if DROPBEAR_PQHYBRID
    case DROPBEAR_KEX_PQHYBRID:
#endif
#if DROPBEAR_ECDH || DROPBEAR_CURVE25519 || DROPBEAR_PQHYBRID
      q_c = buf_getstringbuf(ses.payload);
      break;
#endif
  }
  if (ses.payload->pos != ses.payload->len) {
    dropbear_exit("Bad kex value");
  }

  send_msg_kexdh_reply(&dh_e, q_c);

  mp_clear(&dh_e);
  if (q_c) {
    buf_free(q_c);
    q_c = NULL;
  }

  send_msg_newkeys();

#if DROPBEAR_EXT_INFO
  /* Only send it following the first newkeys */
  if (!ses.kexstate.donesecondkex && ses.allow_ext_info) {
    send_msg_ext_info();
  }
#endif

  if (!ses.kexstate.donesecondkex) {
    /* Disable other signature types.
     * During future rekeying, privileges may have been dropped
     * so other keys won't be loadable.
     * This must occur after send_msg_ext_info() which uses the hostkey list */
    disable_sig_except(ses.newkeys->algo_signature);
  }

  ses.requirenext = SSH_MSG_NEWKEYS;
  TRACE(("leave recv_msg_kexdh_init"))
}


#if DROPBEAR_DELAY_HOSTKEY

static void svr_ensure_hostkey() {

  const char* fn = NULL;
  char *expand_fn = NULL;
  enum signkey_type type = ses.newkeys->algo_hostkey;
  void **hostkey = signkey_key_ptr(svr_opts.hostkey, type);
  int ret = DROPBEAR_FAILURE;

  if (hostkey && *hostkey) {
    return;
  }

  switch (type)
  {
#if DROPBEAR_RSA
    case DROPBEAR_SIGNKEY_RSA:
      fn = RSA_PRIV_FILENAME;
      break;
#endif
#if DROPBEAR_DSS
    case DROPBEAR_SIGNKEY_DSS:
      fn = DSS_PRIV_FILENAME;
      break;
#endif
#if DROPBEAR_ECDSA
    case DROPBEAR_SIGNKEY_ECDSA_NISTP256:
    case DROPBEAR_SIGNKEY_ECDSA_NISTP384:
    case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
      fn = ECDSA_PRIV_FILENAME;
      break;
#endif
#if DROPBEAR_ED25519
    case DROPBEAR_SIGNKEY_ED25519:
      fn = ED25519_PRIV_FILENAME;
      break;
#endif
    default:
      dropbear_assert(0);
  }

  expand_fn = expand_homedir_path(fn);

  ret = readhostkey(expand_fn, svr_opts.hostkey, &type);
  if (ret == DROPBEAR_SUCCESS) {
    goto out;
  }

  if (signkey_generate(type, 0, expand_fn, 1) == DROPBEAR_FAILURE) {
    goto out;
  }
  
  /* Read what we just generated (or another process raced us) */
  ret = readhostkey(expand_fn, svr_opts.hostkey, &type);

  if (ret == DROPBEAR_SUCCESS) {
    char *fp = NULL;
    unsigned int len;
    buffer *key_buf = buf_new(MAX_PUBKEY_SIZE);
    buf_put_pub_key(key_buf, svr_opts.hostkey, type);
    buf_setpos(key_buf, 4);
    len = key_buf->len - key_buf->pos;
    fp = sign_key_fingerprint(buf_getptr(key_buf, len), len);
    dropbear_log(LOG_INFO, "Generated hostkey %s, fingerprint is %s",
      expand_fn, fp);
    m_free(fp);
    buf_free(key_buf);
  }

out:
  if (ret == DROPBEAR_FAILURE) {
    dropbear_exit("Couldn't read or generate hostkey %s", expand_fn);
  }
    m_free(expand_fn);
}
#endif
  
/* Generate our side of the diffie-hellman key exchange value (dh_f), and
 * calculate the session key using the diffie-hellman algorithm. Following
 * that, the session hash is calculated, and signed with RSA or DSS. The
 * result is sent to the client. 
 *
 * See the transport RFC4253 section 8 for details
 * or RFC5656 section 4 for elliptic curve variant. */
static void send_msg_kexdh_reply(mp_int *dh_e, buffer *q_c) {
  TRACE(("enter send_msg_kexdh_reply"))

  /* we can start creating the kexdh_reply packet */
  CHECKCLEARTOWRITE();

#if DROPBEAR_DELAY_HOSTKEY
  if (svr_opts.delay_hostkey)
  {
    svr_ensure_hostkey();
  }
#endif

#if DROPBEAR_FUZZ
  if (fuzz.fuzzing && fuzz.skip_kexmaths) {
    fuzz_fake_send_kexdh_reply();
    return;
  }
#endif

  buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_REPLY);
  buf_put_pub_key(ses.writepayload, svr_opts.hostkey,
      ses.newkeys->algo_hostkey);

  switch (ses.newkeys->algo_kex->mode) {
#if DROPBEAR_NORMAL_DH
    case DROPBEAR_KEX_NORMAL_DH:
      {
      struct kex_dh_param * dh_param = gen_kexdh_param();
      kexdh_comb_key(dh_param, dh_e, svr_opts.hostkey);

      /* put f */
      buf_putmpint(ses.writepayload, &dh_param->pub);
      free_kexdh_param(dh_param);
      }
      break;
#endif
#if DROPBEAR_ECDH
    case DROPBEAR_KEX_ECDH:
      {
      struct kex_ecdh_param *ecdh_param = gen_kexecdh_param();
      kexecdh_comb_key(ecdh_param, q_c, svr_opts.hostkey);

      buf_put_ecc_raw_pubkey_string(ses.writepayload, &ecdh_param->key);
      free_kexecdh_param(ecdh_param);
      }
      break;
#endif
#if DROPBEAR_CURVE25519
    case DROPBEAR_KEX_CURVE25519:
      {
      struct kex_curve25519_param *param = gen_kexcurve25519_param();
      kexcurve25519_comb_key(param, q_c, svr_opts.hostkey);

      buf_putstring(ses.writepayload, param->pub, CURVE25519_LEN);
      free_kexcurve25519_param(param);
      }
      break;
#endif
#if DROPBEAR_PQHYBRID
    case DROPBEAR_KEX_PQHYBRID:
      {
      struct kex_pqhybrid_param *param = gen_kexpqhybrid_param();
      kexpqhybrid_comb_key(param, q_c, svr_opts.hostkey);

      buf_putbufstring(ses.writepayload, param->concat_public);
      free_kexpqhybrid_param(param);
      }
      break;
#endif
  }

  /* calc the signature */
  buf_put_sign(ses.writepayload, svr_opts.hostkey, 
      ses.newkeys->algo_signature, ses.hash);

  /* the SSH_MSG_KEXDH_REPLY is done */
  encrypt_packet();

  TRACE(("leave send_msg_kexdh_reply"))
}

#if DROPBEAR_EXT_INFO
/* Only used for server-sig-algs on the server side */
static void send_msg_ext_info(void) {
  TRACE(("enter send_msg_ext_info"))

  buf_putbyte(ses.writepayload, SSH_MSG_EXT_INFO);
  /* nr-extensions */
  buf_putint(ses.writepayload, 1);

  buf_putstring(ses.writepayload, SSH_SERVER_SIG_ALGS, strlen(SSH_SERVER_SIG_ALGS));
  buf_put_algolist_all(ses.writepayload, sigalgs, 1);
  
  encrypt_packet();

  TRACE(("leave send_msg_ext_info"))
}
#endif

Coverage Report

Created: 2026-01-09 07:11

Line	Count	Source
1		/*
2		* Dropbear - a SSH2 server
3		*
4		* Copyright (c) 2002,2003 Matt Johnston
5		* Copyright (c) 2004 by Mihnea Stoenescu
6		* All rights reserved.
7		*
8		* Permission is hereby granted, free of charge, to any person obtaining a copy
9		* of this software and associated documentation files (the "Software"), to deal
10		* in the Software without restriction, including without limitation the rights
11		* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12		* copies of the Software, and to permit persons to whom the Software is
13		* furnished to do so, subject to the following conditions:
14		*
15		* The above copyright notice and this permission notice shall be included in
16		* all copies or substantial portions of the Software.
17		*
18		* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19		* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20		* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21		* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22		* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23		* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24		* SOFTWARE. */
25
26		#include "includes.h"
27		#include "dbutil.h"
28		#include "algo.h"
29		#include "buffer.h"
30		#include "session.h"
31		#include "kex.h"
32		#include "ssh.h"
33		#include "packet.h"
34		#include "bignum.h"
35		#include "dbrandom.h"
36		#include "runopts.h"
37		#include "ecc.h"
38		#include "gensignkey.h"
39
40		static void send_msg_kexdh_reply(mp_int dh_e, buffer q_c);
41		#if DROPBEAR_EXT_INFO
42		static void send_msg_ext_info(void);
43		#endif
44
45		/* Handle a diffie-hellman key exchange initialisation. This involves
46		* calculating a session key reply value, and corresponding hash. These
47		* are carried out by send_msg_kexdh_reply(). recv_msg_kexdh_init() calls
48		* that function, then brings the new keys into use */
49	0	void recv_msg_kexdh_init() {
50	0	DEF_MP_INT(dh_e);
51	0	buffer *q_c = NULL;
52
53	0	TRACE(("enter recv_msg_kexdh_init"))
54	0	if (!ses.kexstate.recvkexinit) {
55	0	dropbear_exit("Premature kexdh_init message received");
56	0	}
57
58	0	switch (ses.newkeys->algo_kex->mode) {
59	0	#if DROPBEAR_NORMAL_DH
60	0	case DROPBEAR_KEX_NORMAL_DH:
61	0	m_mp_init(&dh_e);
62	0	if (buf_getmpint(ses.payload, &dh_e) != DROPBEAR_SUCCESS) {
63	0	dropbear_exit("Bad kex value");
64	0	}
65	0	break;
66	0	#endif
67	0	#if DROPBEAR_ECDH
68	0	case DROPBEAR_KEX_ECDH:
69	0	#endif
70	0	#if DROPBEAR_CURVE25519
71	0	case DROPBEAR_KEX_CURVE25519:
72	0	#endif
73	0	#if DROPBEAR_PQHYBRID
74	0	case DROPBEAR_KEX_PQHYBRID:
75	0	#endif
76	0	#if DROPBEAR_ECDH \|\| DROPBEAR_CURVE25519 \|\| DROPBEAR_PQHYBRID
77	0	q_c = buf_getstringbuf(ses.payload);
78	0	break;
79	0	#endif
80	0	}
81	0	if (ses.payload->pos != ses.payload->len) {
82	0	dropbear_exit("Bad kex value");
83	0	}
84
85	0	send_msg_kexdh_reply(&dh_e, q_c);
86
87	0	mp_clear(&dh_e);
88	0	if (q_c) {
89	0	buf_free(q_c);
90	0	q_c = NULL;
91	0	}
92
93	0	send_msg_newkeys();
94
95	0	#if DROPBEAR_EXT_INFO
96		/* Only send it following the first newkeys */
97	0	if (!ses.kexstate.donesecondkex && ses.allow_ext_info) {
98	0	send_msg_ext_info();
99	0	}
100	0	#endif
101
102	0	if (!ses.kexstate.donesecondkex) {
103		/* Disable other signature types.
104		* During future rekeying, privileges may have been dropped
105		* so other keys won't be loadable.
106		* This must occur after send_msg_ext_info() which uses the hostkey list */
107	0	disable_sig_except(ses.newkeys->algo_signature);
108	0	}
109
110	0	ses.requirenext = SSH_MSG_NEWKEYS;
111	0	TRACE(("leave recv_msg_kexdh_init"))
112	0	}
113
114
115		#if DROPBEAR_DELAY_HOSTKEY
116
117	0	static void svr_ensure_hostkey() {
118
119	0	const char* fn = NULL;
120	0	char *expand_fn = NULL;
121	0	enum signkey_type type = ses.newkeys->algo_hostkey;
122	0	void **hostkey = signkey_key_ptr(svr_opts.hostkey, type);
123	0	int ret = DROPBEAR_FAILURE;
124
125	0	if (hostkey && *hostkey) {
126	0	return;
127	0	}
128
129	0	switch (type)
130	0	{
131	0	#if DROPBEAR_RSA
132	0	case DROPBEAR_SIGNKEY_RSA:
133	0	fn = RSA_PRIV_FILENAME;
134	0	break;
135	0	#endif
136	0	#if DROPBEAR_DSS
137	0	case DROPBEAR_SIGNKEY_DSS:
138	0	fn = DSS_PRIV_FILENAME;
139	0	break;
140	0	#endif
141	0	#if DROPBEAR_ECDSA
142	0	case DROPBEAR_SIGNKEY_ECDSA_NISTP256:
143	0	case DROPBEAR_SIGNKEY_ECDSA_NISTP384:
144	0	case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
145	0	fn = ECDSA_PRIV_FILENAME;
146	0	break;
147	0	#endif
148	0	#if DROPBEAR_ED25519
149	0	case DROPBEAR_SIGNKEY_ED25519:
150	0	fn = ED25519_PRIV_FILENAME;
151	0	break;
152	0	#endif
153	0	default:
154	0	dropbear_assert(0);
155	0	}
156
157	0	expand_fn = expand_homedir_path(fn);
158
159	0	ret = readhostkey(expand_fn, svr_opts.hostkey, &type);
160	0	if (ret == DROPBEAR_SUCCESS) {
161	0	goto out;
162	0	}
163
164	0	if (signkey_generate(type, 0, expand_fn, 1) == DROPBEAR_FAILURE) {
165	0	goto out;
166	0	}
167
168		/* Read what we just generated (or another process raced us) */
169	0	ret = readhostkey(expand_fn, svr_opts.hostkey, &type);
170
171	0	if (ret == DROPBEAR_SUCCESS) {
172	0	char *fp = NULL;
173	0	unsigned int len;
174	0	buffer *key_buf = buf_new(MAX_PUBKEY_SIZE);
175	0	buf_put_pub_key(key_buf, svr_opts.hostkey, type);
176	0	buf_setpos(key_buf, 4);
177	0	len = key_buf->len - key_buf->pos;
178	0	fp = sign_key_fingerprint(buf_getptr(key_buf, len), len);
179	0	dropbear_log(LOG_INFO, "Generated hostkey %s, fingerprint is %s",
180	0	expand_fn, fp);
181	0	m_free(fp);
182	0	buf_free(key_buf);
183	0	}
184
185	0	out:
186	0	if (ret == DROPBEAR_FAILURE) {
187	0	dropbear_exit("Couldn't read or generate hostkey %s", expand_fn);
188	0	}
189	0	m_free(expand_fn);
190	0	}
191		#endif
192
193		/* Generate our side of the diffie-hellman key exchange value (dh_f), and
194		* calculate the session key using the diffie-hellman algorithm. Following
195		* that, the session hash is calculated, and signed with RSA or DSS. The
196		* result is sent to the client.
197		*
198		* See the transport RFC4253 section 8 for details
199		* or RFC5656 section 4 for elliptic curve variant. */
200	0	static void send_msg_kexdh_reply(mp_int dh_e, buffer q_c) {
201	0	TRACE(("enter send_msg_kexdh_reply"))
202
203		/* we can start creating the kexdh_reply packet */
204	0	CHECKCLEARTOWRITE();
205
206	0	#if DROPBEAR_DELAY_HOSTKEY
207	0	if (svr_opts.delay_hostkey)
208	0	{
209	0	svr_ensure_hostkey();
210	0	}
211	0	#endif
212
213	0	#if DROPBEAR_FUZZ
214	0	if (fuzz.fuzzing && fuzz.skip_kexmaths) {
215	0	fuzz_fake_send_kexdh_reply();
216	0	return;
217	0	}
218	0	#endif
219
220	0	buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_REPLY);
221	0	buf_put_pub_key(ses.writepayload, svr_opts.hostkey,
222	0	ses.newkeys->algo_hostkey);
223
224	0	switch (ses.newkeys->algo_kex->mode) {
225	0	#if DROPBEAR_NORMAL_DH
226	0	case DROPBEAR_KEX_NORMAL_DH:
227	0	{
228	0	struct kex_dh_param * dh_param = gen_kexdh_param();
229	0	kexdh_comb_key(dh_param, dh_e, svr_opts.hostkey);
230
231		/* put f */
232	0	buf_putmpint(ses.writepayload, &dh_param->pub);
233	0	free_kexdh_param(dh_param);
234	0	}
235	0	break;
236	0	#endif
237	0	#if DROPBEAR_ECDH
238	0	case DROPBEAR_KEX_ECDH:
239	0	{
240	0	struct kex_ecdh_param *ecdh_param = gen_kexecdh_param();
241	0	kexecdh_comb_key(ecdh_param, q_c, svr_opts.hostkey);
242
243	0	buf_put_ecc_raw_pubkey_string(ses.writepayload, &ecdh_param->key);
244	0	free_kexecdh_param(ecdh_param);
245	0	}
246	0	break;
247	0	#endif
248	0	#if DROPBEAR_CURVE25519
249	0	case DROPBEAR_KEX_CURVE25519:
250	0	{
251	0	struct kex_curve25519_param *param = gen_kexcurve25519_param();
252	0	kexcurve25519_comb_key(param, q_c, svr_opts.hostkey);
253
254	0	buf_putstring(ses.writepayload, param->pub, CURVE25519_LEN);
255	0	free_kexcurve25519_param(param);
256	0	}
257	0	break;
258	0	#endif
259	0	#if DROPBEAR_PQHYBRID
260	0	case DROPBEAR_KEX_PQHYBRID:
261	0	{
262	0	struct kex_pqhybrid_param *param = gen_kexpqhybrid_param();
263	0	kexpqhybrid_comb_key(param, q_c, svr_opts.hostkey);
264
265	0	buf_putbufstring(ses.writepayload, param->concat_public);
266	0	free_kexpqhybrid_param(param);
267	0	}
268	0	break;
269	0	#endif
270	0	}
271
272		/* calc the signature */
273	0	buf_put_sign(ses.writepayload, svr_opts.hostkey,
274	0	ses.newkeys->algo_signature, ses.hash);
275
276		/* the SSH_MSG_KEXDH_REPLY is done */
277	0	encrypt_packet();
278
279	0	TRACE(("leave send_msg_kexdh_reply"))
280	0	}
281
282		#if DROPBEAR_EXT_INFO
283		/* Only used for server-sig-algs on the server side */
284	0	static void send_msg_ext_info(void) {
285	0	TRACE(("enter send_msg_ext_info"))
286
287	0	buf_putbyte(ses.writepayload, SSH_MSG_EXT_INFO);
288		/* nr-extensions */
289	0	buf_putint(ses.writepayload, 1);
290
291	0	buf_putstring(ses.writepayload, SSH_SERVER_SIG_ALGS, strlen(SSH_SERVER_SIG_ALGS));
292	0	buf_put_algolist_all(ses.writepayload, sigalgs, 1);
293
294	0	encrypt_packet();
295
296	0	TRACE(("leave send_msg_ext_info"))
297	0	}
298		#endif