sonic-openssh/kexgex.c

/* $OpenBSD: kexgex.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */
/*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include <sys/types.h>

#include <openssl/evp.h>
#include <signal.h>

#include "buffer.h"
#include "key.h"
#include "cipher.h"
#include "kex.h"
#include "ssh2.h"

void
kexgex_hash(
    const EVP_MD *evp_md,
    char *client_version_string,
    char *server_version_string,
    char *ckexinit, int ckexinitlen,
    char *skexinit, int skexinitlen,
    u_char *serverhostkeyblob, int sbloblen,
    int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
    BIGNUM *client_dh_pub,
    BIGNUM *server_dh_pub,
    BIGNUM *shared_secret,
    u_char **hash, u_int *hashlen)
{
	Buffer b;
	static u_char digest[EVP_MAX_MD_SIZE];
	EVP_MD_CTX md;

	buffer_init(&b);
	buffer_put_cstring(&b, client_version_string);
	buffer_put_cstring(&b, server_version_string);

	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
	buffer_put_int(&b, ckexinitlen+1);
	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	buffer_append(&b, ckexinit, ckexinitlen);
	buffer_put_int(&b, skexinitlen+1);
	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	buffer_append(&b, skexinit, skexinitlen);

	buffer_put_string(&b, serverhostkeyblob, sbloblen);
	if (min == -1 || max == -1)
		buffer_put_int(&b, wantbits);
	else {
		buffer_put_int(&b, min);
		buffer_put_int(&b, wantbits);
		buffer_put_int(&b, max);
	}
	buffer_put_bignum2(&b, prime);
	buffer_put_bignum2(&b, gen);
	buffer_put_bignum2(&b, client_dh_pub);
	buffer_put_bignum2(&b, server_dh_pub);
	buffer_put_bignum2(&b, shared_secret);

#ifdef DEBUG_KEXDH
	buffer_dump(&b);
#endif

	EVP_DigestInit(&md, evp_md);
	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	EVP_DigestFinal(&md, digest, NULL);

	buffer_free(&b);
	*hash = digest;
	*hashlen = EVP_MD_size(evp_md);
#ifdef DEBUG_KEXDH
	dump_digest("hash", digest, *hashlen);
#endif
}
- deraadt@cvs.openbsd.org 2006/08/03 03:34:42 [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything except removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy") 2006-08-05 06:39:39 +04:00			`/* $OpenBSD: kexgex.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00			`/*`
			`* Copyright (c) 2000 Niels Provos. All rights reserved.`
			`* Copyright (c) 2001 Markus Friedl. All rights reserved.`
			`*`
			`* Redistribution and use in source and binary forms, with or without`
			`* modification, are permitted provided that the following conditions`
			`* are met:`
			`* 1. Redistributions of source code must retain the above copyright`
			`* notice, this list of conditions and the following disclaimer.`
			`* 2. Redistributions in binary form must reproduce the above copyright`
			`* notice, this list of conditions and the following disclaimer in the`
			`* documentation and/or other materials provided with the distribution.`
			`*`
			* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
			`* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES`
			`* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.`
			`* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,`
			`* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT`
			`* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,`
			`* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY`
			`* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT`
			`* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF`
			`* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`
			`*/`

			`#include "includes.h"`

- deraadt@cvs.openbsd.org 2006/08/03 03:34:42 [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything except removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy") 2006-08-05 06:39:39 +04:00			`#include <sys/types.h>`

- markus@cvs.openbsd.org 2003/02/16 17:09:57 [kex.c kexdh.c kexgex.c kex.h sshconnect2.c sshd.c ssh-keyscan.c] split kex into client and server code, no need to link server code into the client; ok provos@ 2003-02-24 04:03:03 +03:00			`#include <openssl/evp.h>`
- deraadt@cvs.openbsd.org 2006/08/03 03:34:42 [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything except removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy") 2006-08-05 06:39:39 +04:00			`#include <signal.h>`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00
			`#include "buffer.h"`
- deraadt@cvs.openbsd.org 2006/08/03 03:34:42 [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything except removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy") 2006-08-05 06:39:39 +04:00			`#include "key.h"`
			`#include "cipher.h"`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00			`#include "kex.h"`
			`#include "ssh2.h"`

- djm@cvs.openbsd.org 2005/11/04 05:15:59 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c] remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@ 2005-11-05 07:19:35 +03:00			`void`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00			`kexgex_hash(`
- djm@cvs.openbsd.org 2005/11/04 05:15:59 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c] remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@ 2005-11-05 07:19:35 +03:00			`const EVP_MD *evp_md,`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00			`char *client_version_string,`
			`char *server_version_string,`
			`char *ckexinit, int ckexinitlen,`
			`char *skexinit, int skexinitlen,`
- stevesk@cvs.openbsd.org 2001/09/17 19:27:15 [kexdh.c kexgex.c key.c key.h ssh-dss.c ssh-keygen.c ssh-rsa.c] u_char/char cleanup; ok markus 2001-09-18 09:41:19 +04:00			`u_char *serverhostkeyblob, int sbloblen,`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00			`int min, int wantbits, int max, BIGNUM prime, BIGNUM gen,`
			`BIGNUM *client_dh_pub,`
			`BIGNUM *server_dh_pub,`
- djm@cvs.openbsd.org 2005/11/04 05:15:59 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c] remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@ 2005-11-05 07:19:35 +03:00			`BIGNUM *shared_secret,`
			`u_char *hash, u_int hashlen)`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00			`{`
			`Buffer b;`
			`static u_char digest[EVP_MAX_MD_SIZE];`
			`EVP_MD_CTX md;`

			`buffer_init(&b);`
- markus@cvs.openbsd.org 2001/06/07 20:23:05 [authfd.c authfile.c channels.c kexdh.c kexgex.c packet.c ssh.c sshconnect.c sshconnect1.c] use xxx_put_cstring() 2001-06-09 05:42:01 +04:00			`buffer_put_cstring(&b, client_version_string);`
			`buffer_put_cstring(&b, server_version_string);`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00
			`/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */`
			`buffer_put_int(&b, ckexinitlen+1);`
			`buffer_put_char(&b, SSH2_MSG_KEXINIT);`
			`buffer_append(&b, ckexinit, ckexinitlen);`
			`buffer_put_int(&b, skexinitlen+1);`
			`buffer_put_char(&b, SSH2_MSG_KEXINIT);`
			`buffer_append(&b, skexinit, skexinitlen);`

			`buffer_put_string(&b, serverhostkeyblob, sbloblen);`
- markus@cvs.openbsd.org 2001/04/05 10:42:57 [auth-chall.c authfd.c channels.c clientloop.c kex.c kexgex.c key.c mac.c packet.c serverloop.c sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c sftp-server.c sftp.c ssh-keygen.c sshconnect.c sshconnect2.c sshd.c] fix whitespace: unexpand + trailing spaces. 2001-04-06 03:26:32 +04:00			`if (min == -1 \|\| max == -1)`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00			`buffer_put_int(&b, wantbits);`
			`else {`
			`buffer_put_int(&b, min);`
			`buffer_put_int(&b, wantbits);`
			`buffer_put_int(&b, max);`
			`}`
			`buffer_put_bignum2(&b, prime);`
			`buffer_put_bignum2(&b, gen);`
			`buffer_put_bignum2(&b, client_dh_pub);`
			`buffer_put_bignum2(&b, server_dh_pub);`
			`buffer_put_bignum2(&b, shared_secret);`

			`#ifdef DEBUG_KEXDH`
			`buffer_dump(&b);`
			`#endif`
- djm@cvs.openbsd.org 2005/11/04 05:15:59 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c] remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@ 2005-11-05 07:19:35 +03:00
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00			`EVP_DigestInit(&md, evp_md);`
			`EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));`
			`EVP_DigestFinal(&md, digest, NULL);`

			`buffer_free(&b);`
- djm@cvs.openbsd.org 2005/11/04 05:15:59 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c] remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@ 2005-11-05 07:19:35 +03:00			`*hash = digest;`
			`*hashlen = EVP_MD_size(evp_md);`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00			`#ifdef DEBUG_KEXDH`
- djm@cvs.openbsd.org 2005/11/04 05:15:59 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c] remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@ 2005-11-05 07:19:35 +03:00			`dump_digest("hash", digest, *hashlen);`
- (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. 2001-04-04 21:39:19 +04:00			`#endif`
			`}`