/src/openssh/kexgexs.c

Source (jump to first uncovered line)
/* $OpenBSD: kexgexs.c,v 1.47 2024/05/17 00:30:23 djm Exp $ */
/*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#ifdef WITH_OPENSSL


#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>

#include <openssl/dh.h>

#include "openbsd-compat/openssl-compat.h"

#include "sshkey.h"
#include "cipher.h"
#include "digest.h"
#include "kex.h"
#include "log.h"
#include "packet.h"
#include "dh.h"
#include "ssh2.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "dispatch.h"
#include "ssherr.h"
#include "sshbuf.h"
#include "misc.h"

static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);

int
kexgex_server(struct ssh *ssh)
{
  ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
      &input_kex_dh_gex_request);
  debug("expecting SSH2_MSG_KEX_DH_GEX_REQUEST");
  return 0;
}

static int
input_kex_dh_gex_request(int type, u_int32_t seq, struct ssh *ssh)
{
  struct kex *kex = ssh->kex;
  int r;
  u_int min = 0, max = 0, nbits = 0;
  const BIGNUM *dh_p, *dh_g;

  debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
  ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST, &kex_protocol_error);

  if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
      (r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
      (r = sshpkt_get_u32(ssh, &max)) != 0 ||
      (r = sshpkt_get_end(ssh)) != 0)
    goto out;
  kex->nbits = nbits;
  kex->min = min;
  kex->max = max;
  min = MAXIMUM(DH_GRP_MIN, min);
  max = MINIMUM(DH_GRP_MAX, max);
  nbits = MAXIMUM(DH_GRP_MIN, nbits);
  nbits = MINIMUM(DH_GRP_MAX, nbits);

  if (kex->max < kex->min || kex->nbits < kex->min ||
      kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
    r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
    goto out;
  }

  /* Contact privileged parent */
  kex->dh = mm_choose_dh(min, nbits, max);
  if (kex->dh == NULL) {
    (void)sshpkt_disconnect(ssh, "no matching DH grp found");
    r = SSH_ERR_ALLOC_FAIL;
    goto out;
  }
  debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
  DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
  if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_GROUP)) != 0 ||
      (r = sshpkt_put_bignum2(ssh, dh_p)) != 0 ||
      (r = sshpkt_put_bignum2(ssh, dh_g)) != 0 ||
      (r = sshpkt_send(ssh)) != 0)
    goto out;

  /* Compute our exchange value in parallel with the client */
  if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
    goto out;

  debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
  ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &input_kex_dh_gex_init);
  r = 0;
 out:
  return r;
}

static int
input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
{
  struct kex *kex = ssh->kex;
  BIGNUM *dh_client_pub = NULL;
  const BIGNUM *pub_key, *dh_p, *dh_g;
  struct sshbuf *shared_secret = NULL;
  struct sshbuf *server_host_key_blob = NULL;
  struct sshkey *server_host_public, *server_host_private;
  u_char *signature = NULL;
  u_char hash[SSH_DIGEST_MAX_LENGTH];
  size_t slen, hashlen;
  int r;

  debug("SSH2_MSG_KEX_DH_GEX_INIT received");
  ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &kex_protocol_error);

  if ((r = kex_load_hostkey(ssh, &server_host_private,
      &server_host_public)) != 0)
    goto out;

  /* key, cert */
  if ((r = sshpkt_get_bignum2(ssh, &dh_client_pub)) != 0 ||
      (r = sshpkt_get_end(ssh)) != 0)
    goto out;
  if ((shared_secret = sshbuf_new()) == NULL) {
    r = SSH_ERR_ALLOC_FAIL;
    goto out;
  }
  if ((r = kex_dh_compute_key(kex, dh_client_pub, shared_secret)) != 0)
    goto out;
  if ((server_host_key_blob = sshbuf_new()) == NULL) {
    r = SSH_ERR_ALLOC_FAIL;
    goto out;
  }
  if ((r = sshkey_putb(server_host_public, server_host_key_blob)) != 0)
    goto out;

  /* calc H */
  DH_get0_key(kex->dh, &pub_key, NULL);
  DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
  hashlen = sizeof(hash);
  if ((r = kexgex_hash(
      kex->hash_alg,
      kex->client_version,
      kex->server_version,
      kex->peer,
      kex->my,
      server_host_key_blob,
      kex->min, kex->nbits, kex->max,
      dh_p, dh_g,
      dh_client_pub,
      pub_key,
      sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
      hash, &hashlen)) != 0)
    goto out;

  /* sign H */
  if ((r = kex->sign(ssh, server_host_private, server_host_public,
      &signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
    goto out;

  /* send server hostkey, DH pubkey 'f' and signed H */
  if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REPLY)) != 0 ||
      (r = sshpkt_put_stringb(ssh, server_host_key_blob)) != 0 ||
      (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||     /* f */
      (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
      (r = sshpkt_send(ssh)) != 0)
    goto out;

  if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) != 0 ||
      (r = kex_send_newkeys(ssh)) != 0)
    goto out;

  /* retain copy of hostkey used at initial KEX */
  if (kex->initial_hostkey == NULL &&
      (r = sshkey_from_private(server_host_public,
      &kex->initial_hostkey)) != 0)
    goto out;
  /* success */
 out:
  explicit_bzero(hash, sizeof(hash));
  DH_free(kex->dh);
  kex->dh = NULL;
  BN_clear_free(dh_client_pub);
  sshbuf_free(shared_secret);
  sshbuf_free(server_host_key_blob);
  free(signature);
  return r;
}
#endif /* WITH_OPENSSL */

Coverage Report

Created: 2025-07-01 07:01

Line	Count	Source (jump to first uncovered line)
1		/* $OpenBSD: kexgexs.c,v 1.47 2024/05/17 00:30:23 djm Exp $ */
2		/*
3		* Copyright (c) 2000 Niels Provos. All rights reserved.
4		* Copyright (c) 2001 Markus Friedl. All rights reserved.
5		*
6		* Redistribution and use in source and binary forms, with or without
7		* modification, are permitted provided that the following conditions
8		* are met:
9		* 1. Redistributions of source code must retain the above copyright
10		* notice, this list of conditions and the following disclaimer.
11		* 2. Redistributions in binary form must reproduce the above copyright
12		* notice, this list of conditions and the following disclaimer in the
13		* documentation and/or other materials provided with the distribution.
14		*
15		* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16		* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17		* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18		* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19		* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20		* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21		* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22		* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23		* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24		* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25		*/
26
27		#include "includes.h"
28
29		#ifdef WITH_OPENSSL
30
31
32		#include <stdarg.h>
33		#include <stdio.h>
34		#include <string.h>
35		#include <signal.h>
36
37		#include <openssl/dh.h>
38
39		#include "openbsd-compat/openssl-compat.h"
40
41		#include "sshkey.h"
42		#include "cipher.h"
43		#include "digest.h"
44		#include "kex.h"
45		#include "log.h"
46		#include "packet.h"
47		#include "dh.h"
48		#include "ssh2.h"
49		#ifdef GSSAPI
50		#include "ssh-gss.h"
51		#endif
52		#include "monitor_wrap.h"
53		#include "dispatch.h"
54		#include "ssherr.h"
55		#include "sshbuf.h"
56		#include "misc.h"
57
58		static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
59		static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
60
61		int
62		kexgex_server(struct ssh *ssh)
63	1.35k	{
64	1.35k	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
65	1.35k	&input_kex_dh_gex_request);
66	1.35k	debug("expecting SSH2_MSG_KEX_DH_GEX_REQUEST");
67	1.35k	return 0;
68	1.35k	}
69
70		static int
71		input_kex_dh_gex_request(int type, u_int32_t seq, struct ssh *ssh)
72	332	{
73	332	struct kex *kex = ssh->kex;
74	332	int r;
75	332	u_int min = 0, max = 0, nbits = 0;
76	332	const BIGNUM dh_p, dh_g;
77
78	332	debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
79	332	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST, &kex_protocol_error);
80
81	332	if ((r = sshpkt_get_u32(ssh, &min)) != 0 \|\|
82	332	(r = sshpkt_get_u32(ssh, &nbits)) != 0 \|\|
83	332	(r = sshpkt_get_u32(ssh, &max)) != 0 \|\|
84	332	(r = sshpkt_get_end(ssh)) != 0)
85	4	goto out;
86	328	kex->nbits = nbits;
87	328	kex->min = min;
88	328	kex->max = max;
89	328	min = MAXIMUM(DH_GRP_MIN, min);
90	328	max = MINIMUM(DH_GRP_MAX, max);
91	328	nbits = MAXIMUM(DH_GRP_MIN, nbits);
92	328	nbits = MINIMUM(DH_GRP_MAX, nbits);
93
94	328	if (kex->max < kex->min \|\| kex->nbits < kex->min \|\|
95	328	kex->max < kex->nbits \|\| kex->max < DH_GRP_MIN) {
96	124	r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
97	124	goto out;
98	124	}
99
100		/* Contact privileged parent */
101	204	kex->dh = mm_choose_dh(min, nbits, max);
102	204	if (kex->dh == NULL) {
103	0	(void)sshpkt_disconnect(ssh, "no matching DH grp found");
104	0	r = SSH_ERR_ALLOC_FAIL;
105	0	goto out;
106	0	}
107	204	debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
108	204	DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
109	204	if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_GROUP)) != 0 \|\|
110	204	(r = sshpkt_put_bignum2(ssh, dh_p)) != 0 \|\|
111	204	(r = sshpkt_put_bignum2(ssh, dh_g)) != 0 \|\|
112	204	(r = sshpkt_send(ssh)) != 0)
113	0	goto out;
114
115		/* Compute our exchange value in parallel with the client */
116	204	if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
117	0	goto out;
118
119	204	debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
120	204	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &input_kex_dh_gex_init);
121	204	r = 0;
122	332	out:
123	332	return r;
124	204	}
125
126		static int
127		input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
128	70	{
129	70	struct kex *kex = ssh->kex;
130	70	BIGNUM *dh_client_pub = NULL;
131	70	const BIGNUM pub_key, dh_p, *dh_g;
132	70	struct sshbuf *shared_secret = NULL;
133	70	struct sshbuf *server_host_key_blob = NULL;
134	70	struct sshkey server_host_public, server_host_private;
135	70	u_char *signature = NULL;
136	70	u_char hash[SSH_DIGEST_MAX_LENGTH];
137	70	size_t slen, hashlen;
138	70	int r;
139
140	70	debug("SSH2_MSG_KEX_DH_GEX_INIT received");
141	70	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &kex_protocol_error);
142
143	70	if ((r = kex_load_hostkey(ssh, &server_host_private,
144	70	&server_host_public)) != 0)
145	0	goto out;
146
147		/* key, cert */
148	70	if ((r = sshpkt_get_bignum2(ssh, &dh_client_pub)) != 0 \|\|
149	70	(r = sshpkt_get_end(ssh)) != 0)
150	11	goto out;
151	59	if ((shared_secret = sshbuf_new()) == NULL) {
152	0	r = SSH_ERR_ALLOC_FAIL;
153	0	goto out;
154	0	}
155	59	if ((r = kex_dh_compute_key(kex, dh_client_pub, shared_secret)) != 0)
156	1	goto out;
157	58	if ((server_host_key_blob = sshbuf_new()) == NULL) {
158	0	r = SSH_ERR_ALLOC_FAIL;
159	0	goto out;
160	0	}
161	58	if ((r = sshkey_putb(server_host_public, server_host_key_blob)) != 0)
162	0	goto out;
163
164		/* calc H */
165	58	DH_get0_key(kex->dh, &pub_key, NULL);
166	58	DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
167	58	hashlen = sizeof(hash);
168	58	if ((r = kexgex_hash(
169	58	kex->hash_alg,
170	58	kex->client_version,
171	58	kex->server_version,
172	58	kex->peer,
173	58	kex->my,
174	58	server_host_key_blob,
175	58	kex->min, kex->nbits, kex->max,
176	58	dh_p, dh_g,
177	58	dh_client_pub,
178	58	pub_key,
179	58	sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
180	58	hash, &hashlen)) != 0)
181	0	goto out;
182
183		/* sign H */
184	58	if ((r = kex->sign(ssh, server_host_private, server_host_public,
185	58	&signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
186	0	goto out;
187
188		/* send server hostkey, DH pubkey 'f' and signed H */
189	58	if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REPLY)) != 0 \|\|
190	58	(r = sshpkt_put_stringb(ssh, server_host_key_blob)) != 0 \|\|
191	58	(r = sshpkt_put_bignum2(ssh, pub_key)) != 0 \|\| /* f */
192	58	(r = sshpkt_put_string(ssh, signature, slen)) != 0 \|\|
193	58	(r = sshpkt_send(ssh)) != 0)
194	0	goto out;
195
196	58	if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) != 0 \|\|
197	58	(r = kex_send_newkeys(ssh)) != 0)
198	0	goto out;
199
200		/* retain copy of hostkey used at initial KEX */
201	58	if (kex->initial_hostkey == NULL &&
202	58	(r = sshkey_from_private(server_host_public,
203	58	&kex->initial_hostkey)) != 0)
204	0	goto out;
205		/* success */
206	70	out:
207	70	explicit_bzero(hash, sizeof(hash));
208	70	DH_free(kex->dh);
209	70	kex->dh = NULL;
210	70	BN_clear_free(dh_client_pub);
211	70	sshbuf_free(shared_secret);
212	70	sshbuf_free(server_host_key_blob);
213	70	free(signature);
214	70	return r;
215	58	}
216		#endif /* WITH_OPENSSL */