/src/openssh/kexgexs.c

Source
/* $OpenBSD: kexgexs.c,v 1.49 2025/10/03 00:09:26 djm Exp $ */
/*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#ifdef WITH_OPENSSL

#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>

#include "openbsd-compat/openssl-compat.h"
#include <openssl/bn.h>
#include <openssl/dh.h>

#include "sshkey.h"
#include "cipher.h"
#include "digest.h"
#include "kex.h"
#include "log.h"
#include "packet.h"
#include "dh.h"
#include "ssh2.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "dispatch.h"
#include "ssherr.h"
#include "sshbuf.h"
#include "misc.h"

static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);

int
kexgex_server(struct ssh *ssh)
{
  ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
      &input_kex_dh_gex_request);
  debug("expecting SSH2_MSG_KEX_DH_GEX_REQUEST");
  return 0;
}

static int
input_kex_dh_gex_request(int type, u_int32_t seq, struct ssh *ssh)
{
  struct kex *kex = ssh->kex;
  int r;
  u_int min = 0, max = 0, nbits = 0;
  const BIGNUM *dh_p, *dh_g;

  debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
  ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST, &kex_protocol_error);

  if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
      (r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
      (r = sshpkt_get_u32(ssh, &max)) != 0 ||
      (r = sshpkt_get_end(ssh)) != 0)
    goto out;
  kex->nbits = nbits;
  kex->min = min;
  kex->max = max;
  min = MAXIMUM(DH_GRP_MIN, min);
  max = MINIMUM(DH_GRP_MAX, max);
  nbits = MAXIMUM(DH_GRP_MIN, nbits);
  nbits = MINIMUM(DH_GRP_MAX, nbits);

  if (kex->max < kex->min || kex->nbits < kex->min ||
      kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
    r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
    goto out;
  }

  /* Contact privileged parent */
  kex->dh = mm_choose_dh(min, nbits, max);
  if (kex->dh == NULL) {
    (void)sshpkt_disconnect(ssh, "no matching DH grp found");
    r = SSH_ERR_ALLOC_FAIL;
    goto out;
  }
  debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
  DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
  if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_GROUP)) != 0 ||
      (r = sshpkt_put_bignum2(ssh, dh_p)) != 0 ||
      (r = sshpkt_put_bignum2(ssh, dh_g)) != 0 ||
      (r = sshpkt_send(ssh)) != 0)
    goto out;

  /* Compute our exchange value in parallel with the client */
  if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
    goto out;

  debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
  ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &input_kex_dh_gex_init);
  r = 0;
 out:
  return r;
}

static int
input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
{
  struct kex *kex = ssh->kex;
  BIGNUM *dh_client_pub = NULL;
  const BIGNUM *pub_key, *dh_p, *dh_g;
  struct sshbuf *shared_secret = NULL;
  struct sshbuf *server_host_key_blob = NULL;
  struct sshkey *server_host_public, *server_host_private;
  u_char *signature = NULL;
  u_char hash[SSH_DIGEST_MAX_LENGTH];
  size_t slen, hashlen;
  int r;

  debug("SSH2_MSG_KEX_DH_GEX_INIT received");
  ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &kex_protocol_error);

  if ((r = kex_load_hostkey(ssh, &server_host_private,
      &server_host_public)) != 0)
    goto out;

  /* key, cert */
  if ((r = sshpkt_get_bignum2(ssh, &dh_client_pub)) != 0 ||
      (r = sshpkt_get_end(ssh)) != 0)
    goto out;
  if ((shared_secret = sshbuf_new()) == NULL) {
    r = SSH_ERR_ALLOC_FAIL;
    goto out;
  }
  if ((r = kex_dh_compute_key(kex, dh_client_pub, shared_secret)) != 0)
    goto out;
  if ((server_host_key_blob = sshbuf_new()) == NULL) {
    r = SSH_ERR_ALLOC_FAIL;
    goto out;
  }
  if ((r = sshkey_putb(server_host_public, server_host_key_blob)) != 0)
    goto out;

  /* calc H */
  DH_get0_key(kex->dh, &pub_key, NULL);
  DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
  hashlen = sizeof(hash);
  if ((r = kexgex_hash(
      kex->hash_alg,
      kex->client_version,
      kex->server_version,
      kex->peer,
      kex->my,
      server_host_key_blob,
      kex->min, kex->nbits, kex->max,
      dh_p, dh_g,
      dh_client_pub,
      pub_key,
      sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
      hash, &hashlen)) != 0)
    goto out;

  /* sign H */
  if ((r = kex->sign(ssh, server_host_private, server_host_public,
      &signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
    goto out;

  /* send server hostkey, DH pubkey 'f' and signed H */
  if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REPLY)) != 0 ||
      (r = sshpkt_put_stringb(ssh, server_host_key_blob)) != 0 ||
      (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||     /* f */
      (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
      (r = sshpkt_send(ssh)) != 0)
    goto out;

  if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) != 0 ||
      (r = kex_send_newkeys(ssh)) != 0)
    goto out;

  /* retain copy of hostkey used at initial KEX */
  if (kex->initial_hostkey == NULL &&
      (r = sshkey_from_private(server_host_public,
      &kex->initial_hostkey)) != 0)
    goto out;
  /* success */
 out:
  explicit_bzero(hash, sizeof(hash));
  DH_free(kex->dh);
  kex->dh = NULL;
  BN_clear_free(dh_client_pub);
  sshbuf_free(shared_secret);
  sshbuf_free(server_host_key_blob);
  free(signature);
  return r;
}
#endif /* WITH_OPENSSL */

Coverage Report

Created: 2025-11-17 06:38

Line	Count	Source
1		/* $OpenBSD: kexgexs.c,v 1.49 2025/10/03 00:09:26 djm Exp $ */
2		/*
3		* Copyright (c) 2000 Niels Provos. All rights reserved.
4		* Copyright (c) 2001 Markus Friedl. All rights reserved.
5		*
6		* Redistribution and use in source and binary forms, with or without
7		* modification, are permitted provided that the following conditions
8		* are met:
9		* 1. Redistributions of source code must retain the above copyright
10		* notice, this list of conditions and the following disclaimer.
11		* 2. Redistributions in binary form must reproduce the above copyright
12		* notice, this list of conditions and the following disclaimer in the
13		* documentation and/or other materials provided with the distribution.
14		*
15		* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16		* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17		* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18		* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19		* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20		* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21		* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22		* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23		* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24		* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25		*/
26
27		#include "includes.h"
28
29		#ifdef WITH_OPENSSL
30
31		#include <stdarg.h>
32		#include <stdio.h>
33		#include <string.h>
34		#include <signal.h>
35
36		#include "openbsd-compat/openssl-compat.h"
37		#include <openssl/bn.h>
38		#include <openssl/dh.h>
39
40		#include "sshkey.h"
41		#include "cipher.h"
42		#include "digest.h"
43		#include "kex.h"
44		#include "log.h"
45		#include "packet.h"
46		#include "dh.h"
47		#include "ssh2.h"
48		#ifdef GSSAPI
49		#include "ssh-gss.h"
50		#endif
51		#include "monitor_wrap.h"
52		#include "dispatch.h"
53		#include "ssherr.h"
54		#include "sshbuf.h"
55		#include "misc.h"
56
57		static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
58		static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
59
60		int
61		kexgex_server(struct ssh *ssh)
62	1.26k	{
63	1.26k	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
64	1.26k	&input_kex_dh_gex_request);
65	1.26k	debug("expecting SSH2_MSG_KEX_DH_GEX_REQUEST");
66	1.26k	return 0;
67	1.26k	}
68
69		static int
70		input_kex_dh_gex_request(int type, u_int32_t seq, struct ssh *ssh)
71	290	{
72	290	struct kex *kex = ssh->kex;
73	290	int r;
74	290	u_int min = 0, max = 0, nbits = 0;
75	290	const BIGNUM dh_p, dh_g;
76
77	290	debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
78	290	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST, &kex_protocol_error);
79
80	290	if ((r = sshpkt_get_u32(ssh, &min)) != 0 \|\|
81	289	(r = sshpkt_get_u32(ssh, &nbits)) != 0 \|\|
82	288	(r = sshpkt_get_u32(ssh, &max)) != 0 \|\|
83	287	(r = sshpkt_get_end(ssh)) != 0)
84	4	goto out;
85	286	kex->nbits = nbits;
86	286	kex->min = min;
87	286	kex->max = max;
88	286	min = MAXIMUM(DH_GRP_MIN, min);
89	286	max = MINIMUM(DH_GRP_MAX, max);
90	286	nbits = MAXIMUM(DH_GRP_MIN, nbits);
91	286	nbits = MINIMUM(DH_GRP_MAX, nbits);
92
93	286	if (kex->max < kex->min \|\| kex->nbits < kex->min \|\|
94	251	kex->max < kex->nbits \|\| kex->max < DH_GRP_MIN) {
95	93	r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
96	93	goto out;
97	93	}
98
99		/* Contact privileged parent */
100	193	kex->dh = mm_choose_dh(min, nbits, max);
101	193	if (kex->dh == NULL) {
102	0	(void)sshpkt_disconnect(ssh, "no matching DH grp found");
103	0	r = SSH_ERR_ALLOC_FAIL;
104	0	goto out;
105	0	}
106	193	debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
107	193	DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
108	193	if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_GROUP)) != 0 \|\|
109	193	(r = sshpkt_put_bignum2(ssh, dh_p)) != 0 \|\|
110	193	(r = sshpkt_put_bignum2(ssh, dh_g)) != 0 \|\|
111	193	(r = sshpkt_send(ssh)) != 0)
112	0	goto out;
113
114		/* Compute our exchange value in parallel with the client */
115	193	if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
116	0	goto out;
117
118	193	debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
119	193	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &input_kex_dh_gex_init);
120	193	r = 0;
121	290	out:
122	290	return r;
123	193	}
124
125		static int
126		input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
127	70	{
128	70	struct kex *kex = ssh->kex;
129	70	BIGNUM *dh_client_pub = NULL;
130	70	const BIGNUM pub_key, dh_p, *dh_g;
131	70	struct sshbuf *shared_secret = NULL;
132	70	struct sshbuf *server_host_key_blob = NULL;
133	70	struct sshkey server_host_public, server_host_private;
134	70	u_char *signature = NULL;
135	70	u_char hash[SSH_DIGEST_MAX_LENGTH];
136	70	size_t slen, hashlen;
137	70	int r;
138
139	70	debug("SSH2_MSG_KEX_DH_GEX_INIT received");
140	70	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &kex_protocol_error);
141
142	70	if ((r = kex_load_hostkey(ssh, &server_host_private,
143	70	&server_host_public)) != 0)
144	0	goto out;
145
146		/* key, cert */
147	70	if ((r = sshpkt_get_bignum2(ssh, &dh_client_pub)) != 0 \|\|
148	66	(r = sshpkt_get_end(ssh)) != 0)
149	10	goto out;
150	60	if ((shared_secret = sshbuf_new()) == NULL) {
151	0	r = SSH_ERR_ALLOC_FAIL;
152	0	goto out;
153	0	}
154	60	if ((r = kex_dh_compute_key(kex, dh_client_pub, shared_secret)) != 0)
155	1	goto out;
156	59	if ((server_host_key_blob = sshbuf_new()) == NULL) {
157	0	r = SSH_ERR_ALLOC_FAIL;
158	0	goto out;
159	0	}
160	59	if ((r = sshkey_putb(server_host_public, server_host_key_blob)) != 0)
161	0	goto out;
162
163		/* calc H */
164	59	DH_get0_key(kex->dh, &pub_key, NULL);
165	59	DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
166	59	hashlen = sizeof(hash);
167	59	if ((r = kexgex_hash(
168	59	kex->hash_alg,
169	59	kex->client_version,
170	59	kex->server_version,
171	59	kex->peer,
172	59	kex->my,
173	59	server_host_key_blob,
174	59	kex->min, kex->nbits, kex->max,
175	59	dh_p, dh_g,
176	59	dh_client_pub,
177	59	pub_key,
178	59	sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
179	59	hash, &hashlen)) != 0)
180	0	goto out;
181
182		/* sign H */
183	59	if ((r = kex->sign(ssh, server_host_private, server_host_public,
184	59	&signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
185	0	goto out;
186
187		/* send server hostkey, DH pubkey 'f' and signed H */
188	59	if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REPLY)) != 0 \|\|
189	59	(r = sshpkt_put_stringb(ssh, server_host_key_blob)) != 0 \|\|
190	59	(r = sshpkt_put_bignum2(ssh, pub_key)) != 0 \|\| /* f */
191	59	(r = sshpkt_put_string(ssh, signature, slen)) != 0 \|\|
192	59	(r = sshpkt_send(ssh)) != 0)
193	0	goto out;
194
195	59	if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) != 0 \|\|
196	59	(r = kex_send_newkeys(ssh)) != 0)
197	0	goto out;
198
199		/* retain copy of hostkey used at initial KEX */
200	59	if (kex->initial_hostkey == NULL &&
201	59	(r = sshkey_from_private(server_host_public,
202	59	&kex->initial_hostkey)) != 0)
203	0	goto out;
204		/* success */
205	70	out:
206	70	explicit_bzero(hash, sizeof(hash));
207	70	DH_free(kex->dh);
208		kex->dh = NULL;
209	70	BN_clear_free(dh_client_pub);
210	70	sshbuf_free(shared_secret);
211	70	sshbuf_free(server_host_key_blob);
212	70	free(signature);
213	70	return r;
214	59	}
215		#endif /* WITH_OPENSSL */