=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/kex.c,v retrieving revision 1.6.2.5 retrieving revision 1.7 diff -u -r1.6.2.5 -r1.7 --- src/usr.bin/ssh/kex.c 2001/03/21 18:52:47 1.6.2.5 +++ src/usr.bin/ssh/kex.c 2000/05/25 20:45:20 1.7 @@ -9,6 +9,11 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES @@ -23,26 +28,27 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.6.2.5 2001/03/21 18:52:47 jason Exp $"); +RCSID("$Id: kex.c,v 1.7 2000/05/25 20:45:20 markus Exp $"); -#include -#include -#include -#include -#include - +#include "ssh.h" #include "ssh2.h" #include "xmalloc.h" #include "buffer.h" #include "bufaux.h" #include "packet.h" -#include "compat.h" #include "cipher.h" +#include "compat.h" + +#include +#include + +#include +#include +#include +#include +#include + #include "kex.h" -#include "key.h" -#include "log.h" -#include "mac.h" -#include "match.h" #define KEX_COOKIE_LEN 16 @@ -50,7 +56,7 @@ kex_init(char *myproposal[PROPOSAL_MAX]) { int first_kex_packet_follows = 0; - u_char cookie[KEX_COOKIE_LEN]; + unsigned char cookie[KEX_COOKIE_LEN]; u_int32_t rand = 0; int i; Buffer *ki = xmalloc(sizeof(*ki)); @@ -81,7 +87,7 @@ debug("send KEXINIT"); packet_start(SSH2_MSG_KEXINIT); - packet_put_raw(buffer_ptr(my_kexinit), buffer_len(my_kexinit)); + packet_put_raw(buffer_ptr(my_kexinit), buffer_len(my_kexinit)); packet_send(); packet_write_wait(); debug("done"); @@ -122,6 +128,11 @@ int n = BN_num_bits(dh_pub); int bits_set = 0; + /* we only accept g==2 */ + if (!BN_is_word(dh->g, 2)) { + log("invalid DH base != 2"); + return 0; + } if (dh_pub->neg) { log("invalid public DH value: negativ"); return 0; @@ -138,91 +149,39 @@ return 0; } -void -dh_gen_key(DH *dh, int need) -{ - int i, bits_set = 0, tries = 0; - - if (dh->p == NULL) - fatal("dh_gen_key: dh->p == NULL"); - if (2*need >= BN_num_bits(dh->p)) - fatal("dh_gen_key: group too small: %d (2*need %d)", - BN_num_bits(dh->p), 2*need); - do { - if (dh->priv_key != NULL) - BN_free(dh->priv_key); - dh->priv_key = BN_new(); - if (dh->priv_key == NULL) - fatal("dh_gen_key: BN_new failed"); - /* generate a 2*need bits random private exponent */ - if (!BN_rand(dh->priv_key, 2*need, 0, 0)) - fatal("dh_gen_key: BN_rand failed"); - if (DH_generate_key(dh) == 0) - fatal("DH_generate_key"); - for (i = 0; i <= BN_num_bits(dh->priv_key); i++) - if (BN_is_bit_set(dh->priv_key, i)) - bits_set++; - debug("dh_gen_key: priv key bits set: %d/%d", - bits_set, BN_num_bits(dh->priv_key)); - if (tries++ > 10) - fatal("dh_gen_key: too many bad keys: giving up"); - } while (!dh_pub_is_valid(dh, dh->pub_key)); -} - DH * -dh_new_group_asc(const char *gen, const char *modulus) +dh_new_group1() { - DH *dh; - int ret; - - dh = DH_new(); - if (dh == NULL) - fatal("DH_new"); - - if ((ret = BN_hex2bn(&dh->p, modulus)) < 0) - fatal("BN_hex2bn p"); - if ((ret = BN_hex2bn(&dh->g, gen)) < 0) - fatal("BN_hex2bn g"); - - return (dh); -} - -/* - * This just returns the group, we still need to generate the exchange - * value. - */ - -DH * -dh_new_group(BIGNUM *gen, BIGNUM *modulus) -{ - DH *dh; - - dh = DH_new(); - if (dh == NULL) - fatal("DH_new"); - dh->p = modulus; - dh->g = gen; - - return (dh); -} - -DH * -dh_new_group1(void) -{ - static char *gen = "2", *group1 = + static char *group1 = "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381" "FFFFFFFF" "FFFFFFFF"; - - return (dh_new_group_asc(gen, group1)); + DH *dh; + int ret, tries = 0; + dh = DH_new(); + if(dh == NULL) + fatal("DH_new"); + ret = BN_hex2bn(&dh->p, group1); + if(ret<0) + fatal("BN_hex2bn"); + dh->g = BN_new(); + if(dh->g == NULL) + fatal("DH_new g"); + BN_set_word(dh->g, 2); + do { + if (DH_generate_key(dh) == 0) + fatal("DH_generate_key"); + if (tries++ > 10) + fatal("dh_new_group1: too many bad keys: giving up"); + } while (!dh_pub_is_valid(dh, dh->pub_key)); + return dh; } -#ifdef DEBUG_KEX void -dump_digest(u_char *digest, int len) +dump_digest(unsigned char *digest, int len) { int i; for (i = 0; i< len; i++){ @@ -232,9 +191,8 @@ } fprintf(stderr, "\n"); } -#endif -u_char * +unsigned char * kex_hash( char *client_version_string, char *server_version_string, @@ -246,7 +204,7 @@ BIGNUM *shared_secret) { Buffer b; - static u_char digest[EVP_MAX_MD_SIZE]; + static unsigned char digest[EVP_MAX_MD_SIZE]; EVP_MD *evp_md = EVP_sha1(); EVP_MD_CTX md; @@ -266,7 +224,7 @@ buffer_put_bignum2(&b, client_dh_pub); buffer_put_bignum2(&b, server_dh_pub); buffer_put_bignum2(&b, shared_secret); - + #ifdef DEBUG_KEX buffer_dump(&b); #endif @@ -283,69 +241,16 @@ return digest; } -u_char * -kex_hash_gex( - char *client_version_string, - char *server_version_string, - char *ckexinit, int ckexinitlen, - char *skexinit, int skexinitlen, - char *serverhostkeyblob, int sbloblen, - int minbits, BIGNUM *prime, BIGNUM *gen, - BIGNUM *client_dh_pub, - BIGNUM *server_dh_pub, - BIGNUM *shared_secret) +unsigned char * +derive_key(int id, int need, char unsigned *hash, BIGNUM *shared_secret) { Buffer b; - static u_char digest[EVP_MAX_MD_SIZE]; EVP_MD *evp_md = EVP_sha1(); EVP_MD_CTX md; - - buffer_init(&b); - buffer_put_string(&b, client_version_string, strlen(client_version_string)); - buffer_put_string(&b, server_version_string, strlen(server_version_string)); - - /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ - buffer_put_int(&b, ckexinitlen+1); - buffer_put_char(&b, SSH2_MSG_KEXINIT); - buffer_append(&b, ckexinit, ckexinitlen); - buffer_put_int(&b, skexinitlen+1); - buffer_put_char(&b, SSH2_MSG_KEXINIT); - buffer_append(&b, skexinit, skexinitlen); - - buffer_put_string(&b, serverhostkeyblob, sbloblen); - buffer_put_int(&b, minbits); - buffer_put_bignum2(&b, prime); - buffer_put_bignum2(&b, gen); - buffer_put_bignum2(&b, client_dh_pub); - buffer_put_bignum2(&b, server_dh_pub); - buffer_put_bignum2(&b, shared_secret); - -#ifdef DEBUG_KEX - buffer_dump(&b); -#endif - - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestFinal(&md, digest, NULL); - - buffer_free(&b); - -#ifdef DEBUG_KEX - dump_digest(digest, evp_md->md_size); -#endif - return digest; -} - -u_char * -derive_key(int id, int need, u_char *hash, BIGNUM *shared_secret) -{ - Buffer b; - EVP_MD *evp_md = EVP_sha1(); - EVP_MD_CTX md; char c = id; int have; int mdsz = evp_md->md_size; - u_char *digest = xmalloc(((need+mdsz-1)/mdsz)*mdsz); + unsigned char *digest = xmalloc(((need+mdsz-1)/mdsz)*mdsz); buffer_init(&b); buffer_put_bignum2(&b, shared_secret); @@ -373,15 +278,71 @@ return digest; } +#define NKEYS 6 + +#define MAX_PROP 20 +#define SEP "," + +char * +get_match(char *client, char *server) +{ + char *sproposals[MAX_PROP]; + char *c, *s, *p, *ret; + int i, j, nproposals; + + c = xstrdup(client); + s = xstrdup(server); + + for ((p = strtok(s, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) { + if (i < MAX_PROP) + sproposals[i] = p; + else + break; + } + nproposals = i; + + for ((p = strtok(c, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) { + for (j = 0; j < nproposals; j++) { + if (strcmp(p, sproposals[j]) == 0) { + ret = xstrdup(p); + xfree(c); + xfree(s); + return ret; + } + } + } + xfree(c); + xfree(s); + return NULL; +} void choose_enc(Enc *enc, char *client, char *server) { - char *name = match_list(client, server, NULL); + char *name = get_match(client, server); if (name == NULL) fatal("no matching cipher found: client %s server %s", client, server); - enc->cipher = cipher_by_name(name); - if (enc->cipher == NULL) - fatal("matching cipher is not supported: %s", name); + enc->type = cipher_number(name); + + switch (enc->type) { + case SSH_CIPHER_3DES_CBC: + enc->key_len = 24; + enc->iv_len = 8; + enc->block_size = 8; + break; + case SSH_CIPHER_BLOWFISH_CBC: + case SSH_CIPHER_CAST128_CBC: + enc->key_len = 16; + enc->iv_len = 8; + enc->block_size = 8; + break; + case SSH_CIPHER_ARCFOUR: + enc->key_len = 16; + enc->iv_len = 0; + enc->block_size = 8; + break; + default: + fatal("unsupported cipher %s", name); + } enc->name = name; enc->enabled = 0; enc->iv = NULL; @@ -390,22 +351,28 @@ void choose_mac(Mac *mac, char *client, char *server) { - char *name = match_list(client, server, NULL); + char *name = get_match(client, server); if (name == NULL) fatal("no matching mac found: client %s server %s", client, server); - if (mac_init(mac, name) < 0) + if (strcmp(name, "hmac-md5") == 0) { + mac->md = EVP_md5(); + } else if (strcmp(name, "hmac-sha1") == 0) { + mac->md = EVP_sha1(); + } else if (strcmp(name, "hmac-ripemd160@openssh.com") == 0) { + mac->md = EVP_ripemd160(); + } else { fatal("unsupported mac %s", name); - /* truncate the key */ - if (datafellows & SSH_BUG_HMAC) - mac->key_len = 16; + } mac->name = name; + mac->mac_len = mac->md->md_size; + mac->key_len = (datafellows & SSH_BUG_HMAC) ? 16 : mac->mac_len; mac->key = NULL; mac->enabled = 0; } void choose_comp(Comp *comp, char *client, char *server) { - char *name = match_list(client, server, NULL); + char *name = get_match(client, server); if (name == NULL) fatal("no matching comp found: client %s server %s", client, server); if (strcmp(name, "zlib") == 0) { @@ -420,26 +387,20 @@ void choose_kex(Kex *k, char *client, char *server) { - k->name = match_list(client, server, NULL); + k->name = get_match(client, server); if (k->name == NULL) fatal("no kex alg"); - if (strcmp(k->name, KEX_DH1) == 0) { - k->kex_type = DH_GRP1_SHA1; - } else if (strcmp(k->name, KEX_DHGEX) == 0) { - k->kex_type = DH_GEX_SHA1; - } else + if (strcmp(k->name, KEX_DH1) != 0) fatal("bad kex alg %s", k->name); } void choose_hostkeyalg(Kex *k, char *client, char *server) { - char *hostkeyalg = match_list(client, server, NULL); - if (hostkeyalg == NULL) + k->hostkeyalg = get_match(client, server); + if (k->hostkeyalg == NULL) fatal("no hostkey alg"); - k->hostkey_type = key_type_from_name(hostkeyalg); - if (k->hostkey_type == KEY_UNSPEC) - fatal("bad hostkey alg '%s'", hostkeyalg); - xfree(hostkeyalg); + if (strcmp(k->hostkeyalg, KEX_DSS) != 0) + fatal("bad hostkey alg %s", k->hostkeyalg); } Kex * @@ -474,10 +435,10 @@ sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); need = 0; for (mode = 0; mode < MODE_MAX; mode++) { - if (need < k->enc[mode].cipher->key_len) - need = k->enc[mode].cipher->key_len; - if (need < k->enc[mode].cipher->block_size) - need = k->enc[mode].cipher->block_size; + if (need < k->enc[mode].key_len) + need = k->enc[mode].key_len; + if (need < k->enc[mode].iv_len) + need = k->enc[mode].iv_len; if (need < k->mac[mode].key_len) need = k->mac[mode].key_len; } @@ -486,14 +447,13 @@ return k; } -#define NKEYS 6 int -kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret) +kex_derive_keys(Kex *k, unsigned char *hash, BIGNUM *shared_secret) { int i; int mode; int ctos; - u_char *keys[NKEYS]; + unsigned char *keys[NKEYS]; for (i = 0; i < NKEYS; i++) keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret);