Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: kexgexc.c,v 1.38 2021/12/19 22:08:06 djm Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2000 Niels Provos. All rights reserved. |
4 | | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
5 | | * |
6 | | * Redistribution and use in source and binary forms, with or without |
7 | | * modification, are permitted provided that the following conditions |
8 | | * are met: |
9 | | * 1. Redistributions of source code must retain the above copyright |
10 | | * notice, this list of conditions and the following disclaimer. |
11 | | * 2. Redistributions in binary form must reproduce the above copyright |
12 | | * notice, this list of conditions and the following disclaimer in the |
13 | | * documentation and/or other materials provided with the distribution. |
14 | | * |
15 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
16 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
17 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
18 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
19 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
20 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
21 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
22 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
23 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
24 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
25 | | */ |
26 | | |
27 | | #include "includes.h" |
28 | | |
29 | | #ifdef WITH_OPENSSL |
30 | | |
31 | | #include <sys/types.h> |
32 | | |
33 | | #include <openssl/dh.h> |
34 | | |
35 | | #include <stdarg.h> |
36 | | #include <stdio.h> |
37 | | #include <string.h> |
38 | | #include <signal.h> |
39 | | |
40 | | #include "openbsd-compat/openssl-compat.h" |
41 | | |
42 | | #include "sshkey.h" |
43 | | #include "cipher.h" |
44 | | #include "digest.h" |
45 | | #include "kex.h" |
46 | | #include "log.h" |
47 | | #include "packet.h" |
48 | | #include "dh.h" |
49 | | #include "ssh2.h" |
50 | | #include "compat.h" |
51 | | #include "dispatch.h" |
52 | | #include "ssherr.h" |
53 | | #include "sshbuf.h" |
54 | | #include "misc.h" |
55 | | |
56 | | static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *); |
57 | | static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *); |
58 | | |
59 | | int |
60 | | kexgex_client(struct ssh *ssh) |
61 | 1.20k | { |
62 | 1.20k | struct kex *kex = ssh->kex; |
63 | 1.20k | int r; |
64 | 1.20k | u_int nbits; |
65 | | |
66 | 1.20k | nbits = dh_estimate(kex->dh_need * 8); |
67 | | |
68 | 1.20k | kex->min = DH_GRP_MIN; |
69 | 1.20k | kex->max = DH_GRP_MAX; |
70 | 1.20k | kex->nbits = nbits; |
71 | 1.20k | if (ssh->compat & SSH_BUG_DHGEX_LARGE) |
72 | 0 | kex->nbits = MINIMUM(kex->nbits, 4096); |
73 | | /* New GEX request */ |
74 | 1.20k | if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 || |
75 | 1.20k | (r = sshpkt_put_u32(ssh, kex->min)) != 0 || |
76 | 1.20k | (r = sshpkt_put_u32(ssh, kex->nbits)) != 0 || |
77 | 1.20k | (r = sshpkt_put_u32(ssh, kex->max)) != 0 || |
78 | 1.20k | (r = sshpkt_send(ssh)) != 0) |
79 | 0 | goto out; |
80 | 1.20k | debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent", |
81 | 1.20k | kex->min, kex->nbits, kex->max); |
82 | | #ifdef DEBUG_KEXDH |
83 | | fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n", |
84 | | kex->min, kex->nbits, kex->max); |
85 | | #endif |
86 | 1.20k | debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP"); |
87 | 1.20k | ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_GROUP, |
88 | 1.20k | &input_kex_dh_gex_group); |
89 | 1.20k | r = 0; |
90 | 1.20k | out: |
91 | 1.20k | return r; |
92 | 1.20k | } |
93 | | |
94 | | static int |
95 | | input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh) |
96 | 97 | { |
97 | 97 | struct kex *kex = ssh->kex; |
98 | 97 | BIGNUM *p = NULL, *g = NULL; |
99 | 97 | const BIGNUM *pub_key; |
100 | 97 | int r, bits; |
101 | | |
102 | 97 | debug("SSH2_MSG_KEX_DH_GEX_GROUP received"); |
103 | 97 | ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_GROUP, &kex_protocol_error); |
104 | | |
105 | 97 | if ((r = sshpkt_get_bignum2(ssh, &p)) != 0 || |
106 | 97 | (r = sshpkt_get_bignum2(ssh, &g)) != 0 || |
107 | 97 | (r = sshpkt_get_end(ssh)) != 0) |
108 | 52 | goto out; |
109 | 45 | if ((bits = BN_num_bits(p)) < 0 || |
110 | 45 | (u_int)bits < kex->min || (u_int)bits > kex->max) { |
111 | 1 | r = SSH_ERR_DH_GEX_OUT_OF_RANGE; |
112 | 1 | goto out; |
113 | 1 | } |
114 | 44 | if ((kex->dh = dh_new_group(g, p)) == NULL) { |
115 | 0 | r = SSH_ERR_ALLOC_FAIL; |
116 | 0 | goto out; |
117 | 0 | } |
118 | 44 | p = g = NULL; /* belong to kex->dh now */ |
119 | | |
120 | | /* generate and send 'e', client DH public key */ |
121 | 44 | if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0) |
122 | 10 | goto out; |
123 | 34 | DH_get0_key(kex->dh, &pub_key, NULL); |
124 | 34 | if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_INIT)) != 0 || |
125 | 34 | (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 || |
126 | 34 | (r = sshpkt_send(ssh)) != 0) |
127 | 0 | goto out; |
128 | 34 | debug("SSH2_MSG_KEX_DH_GEX_INIT sent"); |
129 | | #ifdef DEBUG_KEXDH |
130 | | DHparams_print_fp(stderr, kex->dh); |
131 | | fprintf(stderr, "pub= "); |
132 | | BN_print_fp(stderr, pub_key); |
133 | | fprintf(stderr, "\n"); |
134 | | #endif |
135 | 34 | debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY"); |
136 | 34 | ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &input_kex_dh_gex_reply); |
137 | 34 | r = 0; |
138 | 97 | out: |
139 | 97 | BN_clear_free(p); |
140 | 97 | BN_clear_free(g); |
141 | 97 | return r; |
142 | 34 | } |
143 | | |
144 | | static int |
145 | | input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh) |
146 | 21 | { |
147 | 21 | struct kex *kex = ssh->kex; |
148 | 21 | BIGNUM *dh_server_pub = NULL; |
149 | 21 | const BIGNUM *pub_key, *dh_p, *dh_g; |
150 | 21 | struct sshbuf *shared_secret = NULL; |
151 | 21 | struct sshbuf *tmp = NULL, *server_host_key_blob = NULL; |
152 | 21 | struct sshkey *server_host_key = NULL; |
153 | 21 | u_char *signature = NULL; |
154 | 21 | u_char hash[SSH_DIGEST_MAX_LENGTH]; |
155 | 21 | size_t slen, hashlen; |
156 | 21 | int r; |
157 | | |
158 | 21 | debug("SSH2_MSG_KEX_DH_GEX_REPLY received"); |
159 | 21 | ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &kex_protocol_error); |
160 | | |
161 | | /* key, cert */ |
162 | 21 | if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0) |
163 | 2 | goto out; |
164 | | /* sshkey_fromb() consumes its buffer, so make a copy */ |
165 | 19 | if ((tmp = sshbuf_fromb(server_host_key_blob)) == NULL) { |
166 | 0 | r = SSH_ERR_ALLOC_FAIL; |
167 | 0 | goto out; |
168 | 0 | } |
169 | 19 | if ((r = sshkey_fromb(tmp, &server_host_key)) != 0 || |
170 | 19 | (r = kex_verify_host_key(ssh, server_host_key)) != 0) |
171 | 5 | goto out; |
172 | | /* DH parameter f, server public DH key, signed H */ |
173 | 14 | if ((r = sshpkt_get_bignum2(ssh, &dh_server_pub)) != 0 || |
174 | 14 | (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 || |
175 | 14 | (r = sshpkt_get_end(ssh)) != 0) |
176 | 5 | goto out; |
177 | 9 | if ((shared_secret = sshbuf_new()) == NULL) { |
178 | 0 | r = SSH_ERR_ALLOC_FAIL; |
179 | 0 | goto out; |
180 | 0 | } |
181 | 9 | if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0) |
182 | 1 | goto out; |
183 | 8 | if (ssh->compat & SSH_OLD_DHGEX) |
184 | 0 | kex->min = kex->max = -1; |
185 | | |
186 | | /* calc and verify H */ |
187 | 8 | DH_get0_key(kex->dh, &pub_key, NULL); |
188 | 8 | DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g); |
189 | 8 | hashlen = sizeof(hash); |
190 | 8 | if ((r = kexgex_hash( |
191 | 8 | kex->hash_alg, |
192 | 8 | kex->client_version, |
193 | 8 | kex->server_version, |
194 | 8 | kex->my, |
195 | 8 | kex->peer, |
196 | 8 | server_host_key_blob, |
197 | 8 | kex->min, kex->nbits, kex->max, |
198 | 8 | dh_p, dh_g, |
199 | 8 | pub_key, |
200 | 8 | dh_server_pub, |
201 | 8 | sshbuf_ptr(shared_secret), sshbuf_len(shared_secret), |
202 | 8 | hash, &hashlen)) != 0) |
203 | 0 | goto out; |
204 | | |
205 | 8 | if ((r = sshkey_verify(server_host_key, signature, slen, hash, |
206 | 8 | hashlen, kex->hostkey_alg, ssh->compat, NULL)) != 0) |
207 | 8 | goto out; |
208 | | |
209 | 0 | if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) != 0 || |
210 | 0 | (r = kex_send_newkeys(ssh)) != 0) |
211 | 0 | goto out; |
212 | | |
213 | | /* save initial signature and hostkey */ |
214 | 0 | if ((kex->flags & KEX_INITIAL) != 0) { |
215 | 0 | if (kex->initial_hostkey != NULL || kex->initial_sig != NULL) { |
216 | 0 | r = SSH_ERR_INTERNAL_ERROR; |
217 | 0 | goto out; |
218 | 0 | } |
219 | 0 | if ((kex->initial_sig = sshbuf_new()) == NULL) { |
220 | 0 | r = SSH_ERR_ALLOC_FAIL; |
221 | 0 | goto out; |
222 | 0 | } |
223 | 0 | if ((r = sshbuf_put(kex->initial_sig, signature, slen)) != 0) |
224 | 0 | goto out; |
225 | 0 | kex->initial_hostkey = server_host_key; |
226 | 0 | server_host_key = NULL; |
227 | 0 | } |
228 | | /* success */ |
229 | 21 | out: |
230 | 21 | explicit_bzero(hash, sizeof(hash)); |
231 | 21 | DH_free(kex->dh); |
232 | 21 | kex->dh = NULL; |
233 | 21 | BN_clear_free(dh_server_pub); |
234 | 21 | sshbuf_free(shared_secret); |
235 | 21 | sshkey_free(server_host_key); |
236 | 21 | sshbuf_free(tmp); |
237 | 21 | sshbuf_free(server_host_key_blob); |
238 | 21 | free(signature); |
239 | 21 | return r; |
240 | 0 | } |
241 | | #endif /* WITH_OPENSSL */ |