Annotation of src/usr.bin/ssh/kexc25519.c, Revision 1.15
1.15 ! djm 1: /* $OpenBSD: kexc25519.c,v 1.14 2019/01/21 10:24:09 djm Exp $ */
1.1 markus 2: /*
1.14 djm 3: * Copyright (c) 2019 Markus Friedl. All rights reserved.
1.1 markus 4: * Copyright (c) 2010 Damien Miller. All rights reserved.
5: * Copyright (c) 2013 Aris Adamantiadis. All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
15: *
16: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26: */
27:
28: #include <sys/types.h>
29:
1.14 djm 30: #include <stdio.h>
31: #include <string.h>
1.1 markus 32: #include <signal.h>
33:
1.8 markus 34: #include "sshkey.h"
1.1 markus 35: #include "kex.h"
1.14 djm 36: #include "sshbuf.h"
1.3 djm 37: #include "digest.h"
1.8 markus 38: #include "ssherr.h"
1.14 djm 39: #include "ssh2.h"
1.1 markus 40:
41: extern int crypto_scalarmult_curve25519(u_char a[CURVE25519_SIZE],
42: const u_char b[CURVE25519_SIZE], const u_char c[CURVE25519_SIZE])
1.7 djm 43: __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
44: __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)))
45: __attribute__((__bounded__(__minbytes__, 3, CURVE25519_SIZE)));
1.1 markus 46:
47: void
48: kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
49: {
50: static const u_char basepoint[CURVE25519_SIZE] = {9};
51:
52: arc4random_buf(key, CURVE25519_SIZE);
53: crypto_scalarmult_curve25519(pub, key, basepoint);
54: }
55:
1.8 markus 56: int
1.13 djm 57: kexc25519_shared_key_ext(const u_char key[CURVE25519_SIZE],
58: const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int raw)
1.1 markus 59: {
60: u_char shared_key[CURVE25519_SIZE];
1.12 djm 61: u_char zero[CURVE25519_SIZE];
1.8 markus 62: int r;
1.9 djm 63:
1.12 djm 64: crypto_scalarmult_curve25519(shared_key, key, pub);
65:
66: /* Check for all-zero shared secret */
67: explicit_bzero(zero, CURVE25519_SIZE);
68: if (timingsafe_bcmp(zero, shared_key, CURVE25519_SIZE) == 0)
1.9 djm 69: return SSH_ERR_KEY_INVALID_EC_VALUE;
1.1 markus 70:
71: #ifdef DEBUG_KEXECDH
72: dump_digest("shared secret", shared_key, CURVE25519_SIZE);
73: #endif
1.13 djm 74: if (raw)
75: r = sshbuf_put(out, shared_key, CURVE25519_SIZE);
76: else
77: r = sshbuf_put_bignum2_bytes(out, shared_key, CURVE25519_SIZE);
1.5 tedu 78: explicit_bzero(shared_key, CURVE25519_SIZE);
1.8 markus 79: return r;
1.1 markus 80: }
81:
1.8 markus 82: int
1.13 djm 83: kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
84: const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
85: {
86: return kexc25519_shared_key_ext(key, pub, out, 0);
87: }
88:
89: int
1.1 markus 90: kex_c25519_hash(
1.3 djm 91: int hash_alg,
1.11 djm 92: const struct sshbuf *client_version,
93: const struct sshbuf *server_version,
1.10 djm 94: const u_char *ckexinit, size_t ckexinitlen,
95: const u_char *skexinit, size_t skexinitlen,
1.8 markus 96: const u_char *serverhostkeyblob, size_t sbloblen,
1.15 ! djm 97: const struct sshbuf *client_pub,
! 98: const struct sshbuf *server_pub,
! 99: const struct sshbuf *shared_secret,
1.8 markus 100: u_char *hash, size_t *hashlen)
1.1 markus 101: {
1.8 markus 102: struct sshbuf *b;
103: int r;
1.1 markus 104:
1.8 markus 105: if (*hashlen < ssh_digest_bytes(hash_alg))
106: return SSH_ERR_INVALID_ARGUMENT;
107: if ((b = sshbuf_new()) == NULL)
108: return SSH_ERR_ALLOC_FAIL;
1.13 djm 109: if ((r = sshbuf_put_stringb(b, client_version)) != 0 ||
110: (r = sshbuf_put_stringb(b, server_version)) != 0 ||
1.8 markus 111: /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
1.13 djm 112: (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||
113: (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
114: (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||
115: (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||
116: (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
117: (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||
118: (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
1.15 ! djm 119: (r = sshbuf_put_stringb(b, client_pub)) != 0 ||
! 120: (r = sshbuf_put_stringb(b, server_pub)) != 0 ||
! 121: (r = sshbuf_putb(b, shared_secret)) != 0) {
1.8 markus 122: sshbuf_free(b);
123: return r;
124: }
1.1 markus 125: #ifdef DEBUG_KEX
1.8 markus 126: sshbuf_dump(b, stderr);
1.1 markus 127: #endif
1.8 markus 128: if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
129: sshbuf_free(b);
130: return SSH_ERR_LIBCRYPTO_ERROR;
131: }
132: sshbuf_free(b);
133: *hashlen = ssh_digest_bytes(hash_alg);
1.1 markus 134: #ifdef DEBUG_KEX
1.8 markus 135: dump_digest("hash", hash, *hashlen);
1.1 markus 136: #endif
1.8 markus 137: return 0;
1.14 djm 138: }
139:
140: int
141: kex_c25519_keypair(struct kex *kex)
142: {
143: struct sshbuf *buf = NULL;
144: u_char *cp = NULL;
145: int r;
146:
147: if ((buf = sshbuf_new()) == NULL)
148: return SSH_ERR_ALLOC_FAIL;
149: if ((r = sshbuf_reserve(buf, CURVE25519_SIZE, &cp)) != 0)
150: goto out;
151: kexc25519_keygen(kex->c25519_client_key, cp);
152: #ifdef DEBUG_KEXECDH
153: dump_digest("client public key c25519:", cp, CURVE25519_SIZE);
154: #endif
155: kex->kem_client_pub = buf;
156: buf = NULL;
157: out:
158: sshbuf_free(buf);
159: return r;
160: }
161:
162: int
1.15 ! djm 163: kex_c25519_enc(struct kex *kex, const struct sshbuf *client_blob,
! 164: struct sshbuf **server_blobp, struct sshbuf **shared_secretp)
1.14 djm 165: {
166: struct sshbuf *server_blob = NULL;
167: struct sshbuf *buf = NULL;
1.15 ! djm 168: const u_char *client_pub;
1.14 djm 169: u_char *server_pub;
170: u_char server_key[CURVE25519_SIZE];
171: int r;
172:
173: *server_blobp = NULL;
174: *shared_secretp = NULL;
175:
1.15 ! djm 176: if (sshbuf_len(client_blob) != CURVE25519_SIZE) {
1.14 djm 177: r = SSH_ERR_SIGNATURE_INVALID;
178: goto out;
179: }
1.15 ! djm 180: client_pub = sshbuf_ptr(client_blob);
1.14 djm 181: #ifdef DEBUG_KEXECDH
1.15 ! djm 182: dump_digest("client public key 25519:", client_pub, CURVE25519_SIZE);
1.14 djm 183: #endif
184: /* allocate space for encrypted KEM key and ECDH pub key */
185: if ((server_blob = sshbuf_new()) == NULL) {
186: r = SSH_ERR_ALLOC_FAIL;
187: goto out;
188: }
189: if ((r = sshbuf_reserve(server_blob, CURVE25519_SIZE, &server_pub)) != 0)
190: goto out;
191: kexc25519_keygen(server_key, server_pub);
192: /* allocate shared secret */
193: if ((buf = sshbuf_new()) == NULL) {
194: r = SSH_ERR_ALLOC_FAIL;
195: goto out;
196: }
1.15 ! djm 197: if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 0)) < 0)
1.14 djm 198: goto out;
199: #ifdef DEBUG_KEXECDH
200: dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE);
201: dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
202: #endif
203: *server_blobp = server_blob;
204: *shared_secretp = buf;
205: server_blob = NULL;
206: buf = NULL;
207: out:
208: explicit_bzero(server_key, sizeof(server_key));
209: sshbuf_free(server_blob);
210: sshbuf_free(buf);
211: return r;
212: }
213:
214: int
1.15 ! djm 215: kex_c25519_dec(struct kex *kex, const struct sshbuf *server_blob,
! 216: struct sshbuf **shared_secretp)
1.14 djm 217: {
218: struct sshbuf *buf = NULL;
1.15 ! djm 219: const u_char *server_pub;
1.14 djm 220: int r;
221:
222: *shared_secretp = NULL;
223:
1.15 ! djm 224: if (sshbuf_len(server_blob) != CURVE25519_SIZE) {
1.14 djm 225: r = SSH_ERR_SIGNATURE_INVALID;
226: goto out;
227: }
1.15 ! djm 228: server_pub = sshbuf_ptr(server_blob);
1.14 djm 229: #ifdef DEBUG_KEXECDH
1.15 ! djm 230: dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE);
1.14 djm 231: #endif
232: /* shared secret */
233: if ((buf = sshbuf_new()) == NULL) {
234: r = SSH_ERR_ALLOC_FAIL;
235: goto out;
236: }
1.15 ! djm 237: if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub,
1.14 djm 238: buf, 0)) < 0)
239: goto out;
240: #ifdef DEBUG_KEXECDH
241: dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
242: #endif
243: *shared_secretp = buf;
244: buf = NULL;
245: out:
246: sshbuf_free(buf);
247: return r;
1.1 markus 248: }