Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: kexgen.c,v 1.10 2024/09/09 02:39:57 djm Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2019 Markus Friedl. All rights reserved. |
4 | | * |
5 | | * Redistribution and use in source and binary forms, with or without |
6 | | * modification, are permitted provided that the following conditions |
7 | | * are met: |
8 | | * 1. Redistributions of source code must retain the above copyright |
9 | | * notice, this list of conditions and the following disclaimer. |
10 | | * 2. Redistributions in binary form must reproduce the above copyright |
11 | | * notice, this list of conditions and the following disclaimer in the |
12 | | * documentation and/or other materials provided with the distribution. |
13 | | * |
14 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
15 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
16 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
17 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
18 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
19 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
20 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
21 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
22 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
23 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | | */ |
25 | | |
26 | | #include "includes.h" |
27 | | |
28 | | #include <sys/types.h> |
29 | | |
30 | | #include <stdarg.h> |
31 | | #include <stdio.h> |
32 | | #include <string.h> |
33 | | #include <signal.h> |
34 | | |
35 | | #include "sshkey.h" |
36 | | #include "kex.h" |
37 | | #include "log.h" |
38 | | #include "packet.h" |
39 | | #include "ssh2.h" |
40 | | #include "sshbuf.h" |
41 | | #include "digest.h" |
42 | | #include "ssherr.h" |
43 | | |
44 | | static int input_kex_gen_init(int, u_int32_t, struct ssh *); |
45 | | static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh); |
46 | | |
47 | | static int |
48 | | kex_gen_hash( |
49 | | int hash_alg, |
50 | | const struct sshbuf *client_version, |
51 | | const struct sshbuf *server_version, |
52 | | const struct sshbuf *client_kexinit, |
53 | | const struct sshbuf *server_kexinit, |
54 | | const struct sshbuf *server_host_key_blob, |
55 | | const struct sshbuf *client_pub, |
56 | | const struct sshbuf *server_pub, |
57 | | const struct sshbuf *shared_secret, |
58 | | u_char *hash, size_t *hashlen) |
59 | 1.17k | { |
60 | 1.17k | struct sshbuf *b; |
61 | 1.17k | int r; |
62 | | |
63 | 1.17k | if (*hashlen < ssh_digest_bytes(hash_alg)) |
64 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
65 | 1.17k | if ((b = sshbuf_new()) == NULL) |
66 | 0 | return SSH_ERR_ALLOC_FAIL; |
67 | 1.17k | if ((r = sshbuf_put_stringb(b, client_version)) != 0 || |
68 | 1.17k | (r = sshbuf_put_stringb(b, server_version)) != 0 || |
69 | | /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ |
70 | 1.17k | (r = sshbuf_put_u32(b, sshbuf_len(client_kexinit) + 1)) != 0 || |
71 | 1.17k | (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 || |
72 | 1.17k | (r = sshbuf_putb(b, client_kexinit)) != 0 || |
73 | 1.17k | (r = sshbuf_put_u32(b, sshbuf_len(server_kexinit) + 1)) != 0 || |
74 | 1.17k | (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 || |
75 | 1.17k | (r = sshbuf_putb(b, server_kexinit)) != 0 || |
76 | 1.17k | (r = sshbuf_put_stringb(b, server_host_key_blob)) != 0 || |
77 | 1.17k | (r = sshbuf_put_stringb(b, client_pub)) != 0 || |
78 | 1.17k | (r = sshbuf_put_stringb(b, server_pub)) != 0 || |
79 | 1.17k | (r = sshbuf_putb(b, shared_secret)) != 0) { |
80 | 0 | sshbuf_free(b); |
81 | 0 | return r; |
82 | 0 | } |
83 | | #ifdef DEBUG_KEX |
84 | | sshbuf_dump(b, stderr); |
85 | | #endif |
86 | 1.17k | if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) { |
87 | 0 | sshbuf_free(b); |
88 | 0 | return SSH_ERR_LIBCRYPTO_ERROR; |
89 | 0 | } |
90 | 1.17k | sshbuf_free(b); |
91 | 1.17k | *hashlen = ssh_digest_bytes(hash_alg); |
92 | | #ifdef DEBUG_KEX |
93 | | dump_digest("hash", hash, *hashlen); |
94 | | #endif |
95 | 1.17k | return 0; |
96 | 1.17k | } |
97 | | |
98 | | int |
99 | | kex_gen_client(struct ssh *ssh) |
100 | 4.88k | { |
101 | 4.88k | struct kex *kex = ssh->kex; |
102 | 4.88k | int r; |
103 | | |
104 | 4.88k | switch (kex->kex_type) { |
105 | 0 | #ifdef WITH_OPENSSL |
106 | 1.08k | case KEX_DH_GRP1_SHA1: |
107 | 1.08k | case KEX_DH_GRP14_SHA1: |
108 | 1.08k | case KEX_DH_GRP14_SHA256: |
109 | 1.08k | case KEX_DH_GRP16_SHA512: |
110 | 1.08k | case KEX_DH_GRP18_SHA512: |
111 | 1.08k | r = kex_dh_keypair(kex); |
112 | 1.08k | break; |
113 | 1.23k | case KEX_ECDH_SHA2: |
114 | 1.23k | r = kex_ecdh_keypair(kex); |
115 | 1.23k | break; |
116 | 0 | #endif |
117 | 1.76k | case KEX_C25519_SHA256: |
118 | 1.76k | r = kex_c25519_keypair(kex); |
119 | 1.76k | break; |
120 | 794 | case KEX_KEM_SNTRUP761X25519_SHA512: |
121 | 794 | r = kex_kem_sntrup761x25519_keypair(kex); |
122 | 794 | break; |
123 | 0 | case KEX_KEM_MLKEM768X25519_SHA256: |
124 | 0 | r = kex_kem_mlkem768x25519_keypair(kex); |
125 | 0 | break; |
126 | 0 | default: |
127 | 0 | r = SSH_ERR_INVALID_ARGUMENT; |
128 | 0 | break; |
129 | 4.88k | } |
130 | 4.88k | if (r != 0) |
131 | 0 | return r; |
132 | 4.88k | if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_INIT)) != 0 || |
133 | 4.88k | (r = sshpkt_put_stringb(ssh, kex->client_pub)) != 0 || |
134 | 4.88k | (r = sshpkt_send(ssh)) != 0) |
135 | 0 | return r; |
136 | 4.88k | debug("expecting SSH2_MSG_KEX_ECDH_REPLY"); |
137 | 4.88k | ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_gen_reply); |
138 | 4.88k | return 0; |
139 | 4.88k | } |
140 | | |
141 | | static int |
142 | | input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh) |
143 | 1.09k | { |
144 | 1.09k | struct kex *kex = ssh->kex; |
145 | 1.09k | struct sshkey *server_host_key = NULL; |
146 | 1.09k | struct sshbuf *shared_secret = NULL; |
147 | 1.09k | struct sshbuf *server_blob = NULL; |
148 | 1.09k | struct sshbuf *tmp = NULL, *server_host_key_blob = NULL; |
149 | 1.09k | u_char *signature = NULL; |
150 | 1.09k | u_char hash[SSH_DIGEST_MAX_LENGTH]; |
151 | 1.09k | size_t slen, hashlen; |
152 | 1.09k | int r; |
153 | | |
154 | 1.09k | debug("SSH2_MSG_KEX_ECDH_REPLY received"); |
155 | 1.09k | ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &kex_protocol_error); |
156 | | |
157 | | /* hostkey */ |
158 | 1.09k | if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0) |
159 | 60 | goto out; |
160 | | /* sshkey_fromb() consumes its buffer, so make a copy */ |
161 | 1.03k | if ((tmp = sshbuf_fromb(server_host_key_blob)) == NULL) { |
162 | 0 | r = SSH_ERR_ALLOC_FAIL; |
163 | 0 | goto out; |
164 | 0 | } |
165 | 1.03k | if ((r = sshkey_fromb(tmp, &server_host_key)) != 0) |
166 | 409 | goto out; |
167 | 622 | if ((r = kex_verify_host_key(ssh, server_host_key)) != 0) |
168 | 122 | goto out; |
169 | | |
170 | | /* Q_S, server public key */ |
171 | | /* signed H */ |
172 | 500 | if ((r = sshpkt_getb_froms(ssh, &server_blob)) != 0 || |
173 | 500 | (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 || |
174 | 500 | (r = sshpkt_get_end(ssh)) != 0) |
175 | 14 | goto out; |
176 | | |
177 | | /* compute shared secret */ |
178 | 486 | switch (kex->kex_type) { |
179 | 0 | #ifdef WITH_OPENSSL |
180 | 41 | case KEX_DH_GRP1_SHA1: |
181 | 41 | case KEX_DH_GRP14_SHA1: |
182 | 41 | case KEX_DH_GRP14_SHA256: |
183 | 41 | case KEX_DH_GRP16_SHA512: |
184 | 41 | case KEX_DH_GRP18_SHA512: |
185 | 41 | r = kex_dh_dec(kex, server_blob, &shared_secret); |
186 | 41 | break; |
187 | 8 | case KEX_ECDH_SHA2: |
188 | 8 | r = kex_ecdh_dec(kex, server_blob, &shared_secret); |
189 | 8 | break; |
190 | 0 | #endif |
191 | 428 | case KEX_C25519_SHA256: |
192 | 428 | r = kex_c25519_dec(kex, server_blob, &shared_secret); |
193 | 428 | break; |
194 | 9 | case KEX_KEM_SNTRUP761X25519_SHA512: |
195 | 9 | r = kex_kem_sntrup761x25519_dec(kex, server_blob, |
196 | 9 | &shared_secret); |
197 | 9 | break; |
198 | 0 | case KEX_KEM_MLKEM768X25519_SHA256: |
199 | 0 | r = kex_kem_mlkem768x25519_dec(kex, server_blob, |
200 | 0 | &shared_secret); |
201 | 0 | break; |
202 | 0 | default: |
203 | 0 | r = SSH_ERR_INVALID_ARGUMENT; |
204 | 0 | break; |
205 | 486 | } |
206 | 486 | if (r !=0 ) |
207 | 9 | goto out; |
208 | | |
209 | | /* calc and verify H */ |
210 | 477 | hashlen = sizeof(hash); |
211 | 477 | if ((r = kex_gen_hash( |
212 | 477 | kex->hash_alg, |
213 | 477 | kex->client_version, |
214 | 477 | kex->server_version, |
215 | 477 | kex->my, |
216 | 477 | kex->peer, |
217 | 477 | server_host_key_blob, |
218 | 477 | kex->client_pub, |
219 | 477 | server_blob, |
220 | 477 | shared_secret, |
221 | 477 | hash, &hashlen)) != 0) |
222 | 0 | goto out; |
223 | | |
224 | 477 | if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen, |
225 | 477 | kex->hostkey_alg, ssh->compat, NULL)) != 0) |
226 | 477 | goto out; |
227 | | |
228 | 0 | if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) != 0 || |
229 | 0 | (r = kex_send_newkeys(ssh)) != 0) |
230 | 0 | goto out; |
231 | | |
232 | | /* save initial signature and hostkey */ |
233 | 0 | if ((kex->flags & KEX_INITIAL) != 0) { |
234 | 0 | if (kex->initial_hostkey != NULL || kex->initial_sig != NULL) { |
235 | 0 | r = SSH_ERR_INTERNAL_ERROR; |
236 | 0 | goto out; |
237 | 0 | } |
238 | 0 | if ((kex->initial_sig = sshbuf_new()) == NULL) { |
239 | 0 | r = SSH_ERR_ALLOC_FAIL; |
240 | 0 | goto out; |
241 | 0 | } |
242 | 0 | if ((r = sshbuf_put(kex->initial_sig, signature, slen)) != 0) |
243 | 0 | goto out; |
244 | 0 | kex->initial_hostkey = server_host_key; |
245 | 0 | server_host_key = NULL; |
246 | 0 | } |
247 | | /* success */ |
248 | 1.09k | out: |
249 | 1.09k | explicit_bzero(hash, sizeof(hash)); |
250 | 1.09k | explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key)); |
251 | 1.09k | explicit_bzero(kex->sntrup761_client_key, |
252 | 1.09k | sizeof(kex->sntrup761_client_key)); |
253 | 1.09k | explicit_bzero(kex->mlkem768_client_key, |
254 | 1.09k | sizeof(kex->mlkem768_client_key)); |
255 | 1.09k | sshbuf_free(server_host_key_blob); |
256 | 1.09k | free(signature); |
257 | 1.09k | sshbuf_free(tmp); |
258 | 1.09k | sshkey_free(server_host_key); |
259 | 1.09k | sshbuf_free(server_blob); |
260 | 1.09k | sshbuf_free(shared_secret); |
261 | 1.09k | sshbuf_free(kex->client_pub); |
262 | 1.09k | kex->client_pub = NULL; |
263 | 1.09k | return r; |
264 | 0 | } |
265 | | |
266 | | int |
267 | | kex_gen_server(struct ssh *ssh) |
268 | 5.50k | { |
269 | 5.50k | debug("expecting SSH2_MSG_KEX_ECDH_INIT"); |
270 | 5.50k | ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_INIT, &input_kex_gen_init); |
271 | 5.50k | return 0; |
272 | 5.50k | } |
273 | | |
274 | | static int |
275 | | input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh) |
276 | 747 | { |
277 | 747 | struct kex *kex = ssh->kex; |
278 | 747 | struct sshkey *server_host_private, *server_host_public; |
279 | 747 | struct sshbuf *shared_secret = NULL; |
280 | 747 | struct sshbuf *server_pubkey = NULL; |
281 | 747 | struct sshbuf *client_pubkey = NULL; |
282 | 747 | struct sshbuf *server_host_key_blob = NULL; |
283 | 747 | u_char *signature = NULL, hash[SSH_DIGEST_MAX_LENGTH]; |
284 | 747 | size_t slen, hashlen; |
285 | 747 | int r; |
286 | | |
287 | 747 | debug("SSH2_MSG_KEX_ECDH_INIT received"); |
288 | 747 | ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_INIT, &kex_protocol_error); |
289 | | |
290 | 747 | if ((r = kex_load_hostkey(ssh, &server_host_private, |
291 | 747 | &server_host_public)) != 0) |
292 | 0 | goto out; |
293 | | |
294 | 747 | if ((r = sshpkt_getb_froms(ssh, &client_pubkey)) != 0 || |
295 | 747 | (r = sshpkt_get_end(ssh)) != 0) |
296 | 25 | goto out; |
297 | | |
298 | | /* compute shared secret */ |
299 | 722 | switch (kex->kex_type) { |
300 | 0 | #ifdef WITH_OPENSSL |
301 | 253 | case KEX_DH_GRP1_SHA1: |
302 | 253 | case KEX_DH_GRP14_SHA1: |
303 | 253 | case KEX_DH_GRP14_SHA256: |
304 | 253 | case KEX_DH_GRP16_SHA512: |
305 | 253 | case KEX_DH_GRP18_SHA512: |
306 | 253 | r = kex_dh_enc(kex, client_pubkey, &server_pubkey, |
307 | 253 | &shared_secret); |
308 | 253 | break; |
309 | 51 | case KEX_ECDH_SHA2: |
310 | 51 | r = kex_ecdh_enc(kex, client_pubkey, &server_pubkey, |
311 | 51 | &shared_secret); |
312 | 51 | break; |
313 | 0 | #endif |
314 | 384 | case KEX_C25519_SHA256: |
315 | 384 | r = kex_c25519_enc(kex, client_pubkey, &server_pubkey, |
316 | 384 | &shared_secret); |
317 | 384 | break; |
318 | 34 | case KEX_KEM_SNTRUP761X25519_SHA512: |
319 | 34 | r = kex_kem_sntrup761x25519_enc(kex, client_pubkey, |
320 | 34 | &server_pubkey, &shared_secret); |
321 | 34 | break; |
322 | 0 | case KEX_KEM_MLKEM768X25519_SHA256: |
323 | 0 | r = kex_kem_mlkem768x25519_enc(kex, client_pubkey, |
324 | 0 | &server_pubkey, &shared_secret); |
325 | 0 | break; |
326 | 0 | default: |
327 | 0 | r = SSH_ERR_INVALID_ARGUMENT; |
328 | 0 | break; |
329 | 722 | } |
330 | 722 | if (r !=0 ) |
331 | 28 | goto out; |
332 | | |
333 | | /* calc H */ |
334 | 694 | if ((server_host_key_blob = sshbuf_new()) == NULL) { |
335 | 0 | r = SSH_ERR_ALLOC_FAIL; |
336 | 0 | goto out; |
337 | 0 | } |
338 | 694 | if ((r = sshkey_putb(server_host_public, server_host_key_blob)) != 0) |
339 | 0 | goto out; |
340 | 694 | hashlen = sizeof(hash); |
341 | 694 | if ((r = kex_gen_hash( |
342 | 694 | kex->hash_alg, |
343 | 694 | kex->client_version, |
344 | 694 | kex->server_version, |
345 | 694 | kex->peer, |
346 | 694 | kex->my, |
347 | 694 | server_host_key_blob, |
348 | 694 | client_pubkey, |
349 | 694 | server_pubkey, |
350 | 694 | shared_secret, |
351 | 694 | hash, &hashlen)) != 0) |
352 | 0 | goto out; |
353 | | |
354 | | /* sign H */ |
355 | 694 | if ((r = kex->sign(ssh, server_host_private, server_host_public, |
356 | 694 | &signature, &slen, hash, hashlen, kex->hostkey_alg)) != 0) |
357 | 0 | goto out; |
358 | | |
359 | | /* send server hostkey, ECDH pubkey 'Q_S' and signed H */ |
360 | 694 | if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_REPLY)) != 0 || |
361 | 694 | (r = sshpkt_put_stringb(ssh, server_host_key_blob)) != 0 || |
362 | 694 | (r = sshpkt_put_stringb(ssh, server_pubkey)) != 0 || |
363 | 694 | (r = sshpkt_put_string(ssh, signature, slen)) != 0 || |
364 | 694 | (r = sshpkt_send(ssh)) != 0) |
365 | 0 | goto out; |
366 | | |
367 | 694 | if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) != 0 || |
368 | 694 | (r = kex_send_newkeys(ssh)) != 0) |
369 | 0 | goto out; |
370 | | /* retain copy of hostkey used at initial KEX */ |
371 | 694 | if (kex->initial_hostkey == NULL && |
372 | 694 | (r = sshkey_from_private(server_host_public, |
373 | 694 | &kex->initial_hostkey)) != 0) |
374 | 0 | goto out; |
375 | | /* success */ |
376 | 747 | out: |
377 | 747 | explicit_bzero(hash, sizeof(hash)); |
378 | 747 | sshbuf_free(server_host_key_blob); |
379 | 747 | free(signature); |
380 | 747 | sshbuf_free(shared_secret); |
381 | 747 | sshbuf_free(client_pubkey); |
382 | 747 | sshbuf_free(server_pubkey); |
383 | 747 | return r; |
384 | 694 | } |