version 1.8, 2015/01/19 19:52:16 |
version 1.9, 2015/01/19 20:16:15 |
|
|
|
|
#include <openssl/ecdh.h> |
#include <openssl/ecdh.h> |
|
|
#include "xmalloc.h" |
#include "sshkey.h" |
#include "buffer.h" |
|
#include "key.h" |
|
#include "cipher.h" |
#include "cipher.h" |
|
#include "digest.h" |
#include "kex.h" |
#include "kex.h" |
#include "log.h" |
#include "log.h" |
#include "packet.h" |
#include "packet.h" |
#include "dh.h" |
#include "dh.h" |
#include "ssh2.h" |
#include "ssh2.h" |
|
#include "dispatch.h" |
|
#include "compat.h" |
|
#include "ssherr.h" |
|
#include "sshbuf.h" |
|
|
void |
static int input_kex_ecdh_reply(int, u_int32_t, void *); |
kexecdh_client(Kex *kex) |
|
|
int |
|
kexecdh_client(struct ssh *ssh) |
{ |
{ |
EC_KEY *client_key; |
struct kex *kex = ssh->kex; |
EC_POINT *server_public; |
EC_KEY *client_key = NULL; |
const EC_GROUP *group; |
const EC_GROUP *group; |
BIGNUM *shared_secret; |
const EC_POINT *public_key; |
Key *server_host_key; |
int r; |
u_char *server_host_key_blob = NULL, *signature = NULL; |
|
u_char *kbuf, *hash; |
|
u_int klen, slen, sbloblen, hashlen; |
|
|
|
if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) |
if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) { |
fatal("%s: EC_KEY_new_by_curve_name failed", __func__); |
r = SSH_ERR_ALLOC_FAIL; |
if (EC_KEY_generate_key(client_key) != 1) |
goto out; |
fatal("%s: EC_KEY_generate_key failed", __func__); |
} |
|
if (EC_KEY_generate_key(client_key) != 1) { |
|
r = SSH_ERR_LIBCRYPTO_ERROR; |
|
goto out; |
|
} |
group = EC_KEY_get0_group(client_key); |
group = EC_KEY_get0_group(client_key); |
|
public_key = EC_KEY_get0_public_key(client_key); |
|
|
packet_start(SSH2_MSG_KEX_ECDH_INIT); |
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_INIT)) != 0 || |
packet_put_ecpoint(group, EC_KEY_get0_public_key(client_key)); |
(r = sshpkt_put_ec(ssh, public_key, group)) != 0 || |
packet_send(); |
(r = sshpkt_send(ssh)) != 0) |
|
goto out; |
debug("sending SSH2_MSG_KEX_ECDH_INIT"); |
debug("sending SSH2_MSG_KEX_ECDH_INIT"); |
|
|
#ifdef DEBUG_KEXECDH |
#ifdef DEBUG_KEXECDH |
fputs("client private key:\n", stderr); |
fputs("client private key:\n", stderr); |
key_dump_ec_key(client_key); |
sshkey_dump_ec_key(client_key); |
#endif |
#endif |
|
kex->ec_client_key = client_key; |
|
kex->ec_group = group; |
|
client_key = NULL; /* owned by the kex */ |
|
|
debug("expecting SSH2_MSG_KEX_ECDH_REPLY"); |
debug("expecting SSH2_MSG_KEX_ECDH_REPLY"); |
packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY); |
ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_ecdh_reply); |
|
r = 0; |
|
out: |
|
if (client_key) |
|
EC_KEY_free(client_key); |
|
return r; |
|
} |
|
|
|
static int |
|
input_kex_ecdh_reply(int type, u_int32_t seq, void *ctxt) |
|
{ |
|
struct ssh *ssh = ctxt; |
|
struct kex *kex = ssh->kex; |
|
const EC_GROUP *group; |
|
EC_POINT *server_public = NULL; |
|
EC_KEY *client_key; |
|
BIGNUM *shared_secret = NULL; |
|
struct sshkey *server_host_key = NULL; |
|
u_char *server_host_key_blob = NULL, *signature = NULL; |
|
u_char *kbuf = NULL; |
|
u_char hash[SSH_DIGEST_MAX_LENGTH]; |
|
size_t slen, sbloblen; |
|
size_t klen = 0, hashlen; |
|
int r; |
|
|
|
if (kex->verify_host_key == NULL) { |
|
r = SSH_ERR_INVALID_ARGUMENT; |
|
goto out; |
|
} |
|
group = kex->ec_group; |
|
client_key = kex->ec_client_key; |
|
|
/* hostkey */ |
/* hostkey */ |
server_host_key_blob = packet_get_string(&sbloblen); |
if ((r = sshpkt_get_string(ssh, &server_host_key_blob, |
server_host_key = key_from_blob(server_host_key_blob, sbloblen); |
&sbloblen)) != 0 || |
if (server_host_key == NULL) |
(r = sshkey_from_blob(server_host_key_blob, sbloblen, |
fatal("cannot decode server_host_key_blob"); |
&server_host_key)) != 0) |
if (server_host_key->type != kex->hostkey_type) |
goto out; |
fatal("type mismatch for decoded server_host_key_blob"); |
if (server_host_key->type != kex->hostkey_type) { |
if (kex->verify_host_key == NULL) |
r = SSH_ERR_KEY_TYPE_MISMATCH; |
fatal("cannot verify server_host_key"); |
goto out; |
if (kex->verify_host_key(server_host_key) == -1) |
} |
fatal("server_host_key verification failed"); |
if (kex->verify_host_key(server_host_key, ssh) == -1) { |
|
r = SSH_ERR_SIGNATURE_INVALID; |
|
goto out; |
|
} |
|
|
/* Q_S, server public key */ |
/* Q_S, server public key */ |
if ((server_public = EC_POINT_new(group)) == NULL) |
/* signed H */ |
fatal("%s: EC_POINT_new failed", __func__); |
if ((server_public = EC_POINT_new(group)) == NULL) { |
packet_get_ecpoint(group, server_public); |
r = SSH_ERR_ALLOC_FAIL; |
|
goto out; |
|
} |
|
if ((r = sshpkt_get_ec(ssh, server_public, group)) != 0 || |
|
(r = sshpkt_get_string(ssh, &signature, &slen)) != 0 || |
|
(r = sshpkt_get_end(ssh)) != 0) |
|
goto out; |
|
|
if (key_ec_validate_public(group, server_public) != 0) |
|
fatal("%s: invalid server public key", __func__); |
|
|
|
#ifdef DEBUG_KEXECDH |
#ifdef DEBUG_KEXECDH |
fputs("server public key:\n", stderr); |
fputs("server public key:\n", stderr); |
key_dump_ec_point(group, server_public); |
sshkey_dump_ec_point(group, server_public); |
#endif |
#endif |
|
if (sshkey_ec_validate_public(group, server_public) != 0) { |
|
sshpkt_disconnect(ssh, "invalid server public key"); |
|
r = SSH_ERR_MESSAGE_INCOMPLETE; |
|
goto out; |
|
} |
|
|
/* signed H */ |
|
signature = packet_get_string(&slen); |
|
packet_check_eom(); |
|
|
|
klen = (EC_GROUP_get_degree(group) + 7) / 8; |
klen = (EC_GROUP_get_degree(group) + 7) / 8; |
kbuf = xmalloc(klen); |
if ((kbuf = malloc(klen)) == NULL || |
|
(shared_secret = BN_new()) == NULL) { |
|
r = SSH_ERR_ALLOC_FAIL; |
|
goto out; |
|
} |
if (ECDH_compute_key(kbuf, klen, server_public, |
if (ECDH_compute_key(kbuf, klen, server_public, |
client_key, NULL) != (int)klen) |
client_key, NULL) != (int)klen || |
fatal("%s: ECDH_compute_key failed", __func__); |
BN_bin2bn(kbuf, klen, shared_secret) == NULL) { |
|
r = SSH_ERR_LIBCRYPTO_ERROR; |
|
goto out; |
|
} |
|
|
#ifdef DEBUG_KEXECDH |
#ifdef DEBUG_KEXECDH |
dump_digest("shared secret", kbuf, klen); |
dump_digest("shared secret", kbuf, klen); |
#endif |
#endif |
if ((shared_secret = BN_new()) == NULL) |
|
fatal("%s: BN_new failed", __func__); |
|
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) |
|
fatal("%s: BN_bin2bn failed", __func__); |
|
explicit_bzero(kbuf, klen); |
|
free(kbuf); |
|
|
|
/* calc and verify H */ |
/* calc and verify H */ |
kex_ecdh_hash( |
hashlen = sizeof(hash); |
|
if ((r = kex_ecdh_hash( |
kex->hash_alg, |
kex->hash_alg, |
group, |
group, |
kex->client_version_string, |
kex->client_version_string, |
kex->server_version_string, |
kex->server_version_string, |
buffer_ptr(kex->my), buffer_len(kex->my), |
sshbuf_ptr(kex->my), sshbuf_len(kex->my), |
buffer_ptr(kex->peer), buffer_len(kex->peer), |
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer), |
server_host_key_blob, sbloblen, |
server_host_key_blob, sbloblen, |
EC_KEY_get0_public_key(client_key), |
EC_KEY_get0_public_key(client_key), |
server_public, |
server_public, |
shared_secret, |
shared_secret, |
&hash, &hashlen |
hash, &hashlen)) != 0) |
); |
goto out; |
free(server_host_key_blob); |
|
EC_POINT_clear_free(server_public); |
|
EC_KEY_free(client_key); |
|
|
|
if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) |
if ((r = sshkey_verify(server_host_key, signature, slen, hash, |
fatal("key_verify failed for server_host_key"); |
hashlen, ssh->compat)) != 0) |
key_free(server_host_key); |
goto out; |
free(signature); |
|
|
|
/* save session id */ |
/* save session id */ |
if (kex->session_id == NULL) { |
if (kex->session_id == NULL) { |
kex->session_id_len = hashlen; |
kex->session_id_len = hashlen; |
kex->session_id = xmalloc(kex->session_id_len); |
kex->session_id = malloc(kex->session_id_len); |
|
if (kex->session_id == NULL) { |
|
r = SSH_ERR_ALLOC_FAIL; |
|
goto out; |
|
} |
memcpy(kex->session_id, hash, kex->session_id_len); |
memcpy(kex->session_id, hash, kex->session_id_len); |
} |
} |
|
|
kex_derive_keys_bn(kex, hash, hashlen, shared_secret); |
if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) |
BN_clear_free(shared_secret); |
r = kex_send_newkeys(ssh); |
kex_finish(kex); |
out: |
|
explicit_bzero(hash, sizeof(hash)); |
|
if (kex->ec_client_key) { |
|
EC_KEY_free(kex->ec_client_key); |
|
kex->ec_client_key = NULL; |
|
} |
|
if (server_public) |
|
EC_POINT_clear_free(server_public); |
|
if (kbuf) { |
|
explicit_bzero(kbuf, klen); |
|
free(kbuf); |
|
} |
|
if (shared_secret) |
|
BN_clear_free(shared_secret); |
|
sshkey_free(server_host_key); |
|
free(server_host_key_blob); |
|
free(signature); |
|
return r; |
} |
} |