- djm@cvs.openbsd.org 2005/11/04 05:15:59

[kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
     remove hardcoded hash lengths in key exchange code, allowing
     implementation of KEX methods with different hashes (e.g. SHA-256);
     ok markus@ dtucker@ stevesk@

ChangeLog

@@ -93,6 +93,11 @@
    - dtucker@cvs.openbsd.org 2005/11/03 13:38:29
      [canohost.c]
      Cache reverse lookups with and without DNS separately; ok markus@
+   - djm@cvs.openbsd.org 2005/11/04 05:15:59
+     [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
+     remove hardcoded hash lengths in key exchange code, allowing
+     implementation of KEX methods with different hashes (e.g. SHA-256);
+     ok markus@ dtucker@ stevesk@
 
 20051102
  - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
@@ -3226,4 +3231,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3950 2005/11/05 04:16:52 djm Exp $
+$Id: ChangeLog,v 1.3951 2005/11/05 04:19:35 djm Exp $

kex.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
 
 #include <openssl/crypto.h>
 
@@ -294,13 +294,17 @@ choose_kex(Kex *k, char *client, char *server)
 		fatal("no kex alg");
 	if (strcmp(k->name, KEX_DH1) == 0) {
 		k->kex_type = KEX_DH_GRP1_SHA1;
+		k->evp_md = EVP_sha1();
 	} else if (strcmp(k->name, KEX_DH14) == 0) {
 		k->kex_type = KEX_DH_GRP14_SHA1;
-	} else if (strcmp(k->name, KEX_DHGEX) == 0) {
+		k->evp_md = EVP_sha1();
+	} else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
 		k->kex_type = KEX_DH_GEX_SHA1;
+		k->evp_md = EVP_sha1();
 	} else
 		fatal("bad kex alg %s", k->name);
 }
+
 static void
 choose_hostkeyalg(Kex *k, char *client, char *server)
 {
@@ -404,28 +408,28 @@ kex_choose_conf(Kex *kex)
 }
 
 static u_char *
-derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
+derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,
+    BIGNUM *shared_secret)
 {
 	Buffer b;
-	const EVP_MD *evp_md = EVP_sha1();
 	EVP_MD_CTX md;
 	char c = id;
 	u_int have;
-	int mdsz = EVP_MD_size(evp_md);
+	int mdsz;
 	u_char *digest;
 
-	if (mdsz < 0)
-		fatal("derive_key: mdsz < 0");
-	digest = xmalloc(roundup(need, mdsz));
+	if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0)
+		fatal("bad kex md size %d", mdsz);
+ 	digest = xmalloc(roundup(need, mdsz));
 
 	buffer_init(&b);
 	buffer_put_bignum2(&b, shared_secret);
 
 	/* K1 = HASH(K || H || "A" || session_id) */
-	EVP_DigestInit(&md, evp_md);
+	EVP_DigestInit(&md, kex->evp_md);
 	if (!(datafellows & SSH_BUG_DERIVEKEY))
 		EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
-	EVP_DigestUpdate(&md, hash, mdsz);
+	EVP_DigestUpdate(&md, hash, hashlen);
 	EVP_DigestUpdate(&md, &c, 1);
 	EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);
 	EVP_DigestFinal(&md, digest, NULL);
@@ -436,10 +440,10 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
 	 * Key = K1 || K2 || ... || Kn
 	 */
 	for (have = mdsz; need > have; have += mdsz) {
-		EVP_DigestInit(&md, evp_md);
+		EVP_DigestInit(&md, kex->evp_md);
 		if (!(datafellows & SSH_BUG_DERIVEKEY))
 			EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
-		EVP_DigestUpdate(&md, hash, mdsz);
+		EVP_DigestUpdate(&md, hash, hashlen);
 		EVP_DigestUpdate(&md, digest, have);
 		EVP_DigestFinal(&md, digest + have, NULL);
 	}
@@ -455,13 +459,15 @@ Newkeys *current_keys[MODE_MAX];
 
 #define NKEYS	6
 void
-kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret)
+kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret)
 {
 	u_char *keys[NKEYS];
 	u_int i, mode, ctos;
 
-	for (i = 0; i < NKEYS; i++)
-		keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret);
+	for (i = 0; i < NKEYS; i++) {
+		keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen,
+		    shared_secret);
+	}
 
 	debug2("kex_derive_keys");
 	for (mode = 0; mode < MODE_MAX; mode++) {

kex.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $	*/
+/*	$OpenBSD: kex.h,v 1.38 2005/11/04 05:15:59 djm Exp $	*/
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -31,9 +31,9 @@
 #include "cipher.h"
 #include "key.h"
 
-#define	KEX_DH1		"diffie-hellman-group1-sha1"
-#define	KEX_DH14	"diffie-hellman-group14-sha1"
-#define	KEX_DHGEX	"diffie-hellman-group-exchange-sha1"
+#define	KEX_DH1			"diffie-hellman-group1-sha1"
+#define	KEX_DH14		"diffie-hellman-group14-sha1"
+#define	KEX_DHGEX_SHA1		"diffie-hellman-group-exchange-sha1"
 
 #define COMP_NONE	0
 #define COMP_ZLIB	1
@@ -114,6 +114,7 @@ struct Kex {
 	Buffer	peer;
 	int	done;
 	int	flags;
+	const EVP_MD *evp_md;
 	char	*client_version_string;
 	char	*server_version_string;
 	int	(*verify_host_key)(Key *);
@@ -127,7 +128,7 @@ void	 kex_finish(Kex *);
 
 void	 kex_send_kexinit(Kex *);
 void	 kex_input_kexinit(int, u_int32_t, void *);
-void	 kex_derive_keys(Kex *, u_char *, BIGNUM *);
+void	 kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *);
 
 Newkeys *kex_get_newkeys(int);
 
@@ -136,12 +137,13 @@ void	 kexdh_server(Kex *);
 void	 kexgex_client(Kex *);
 void	 kexgex_server(Kex *);
 
-u_char *
+void
 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
-    BIGNUM *, BIGNUM *, BIGNUM *);
-u_char *
-kexgex_hash(char *, char *, char *, int, char *, int, u_char *, int,
-    int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *);
+    BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
+void
+kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
+    int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, 
+    BIGNUM *, BIGNUM *, u_char **, u_int *);
 
 void
 derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);

kexdh.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexdh.c,v 1.20 2005/11/04 05:15:59 djm Exp $");
 
 #include <openssl/evp.h>
 
@@ -32,7 +32,7 @@ RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $");
 #include "ssh2.h"
 #include "kex.h"
 
-u_char *
+void
 kex_dh_hash(
     char *client_version_string,
     char *server_version_string,
@@ -41,7 +41,8 @@ kex_dh_hash(
     u_char *serverhostkeyblob, int sbloblen,
     BIGNUM *client_dh_pub,
     BIGNUM *server_dh_pub,
-    BIGNUM *shared_secret)
+    BIGNUM *shared_secret,
+    u_char **hash, u_int *hashlen)
 {
 	Buffer b;
 	static u_char digest[EVP_MAX_MD_SIZE];
@@ -77,5 +78,6 @@ kex_dh_hash(
 #ifdef DEBUG_KEX
 	dump_digest("hash", digest, EVP_MD_size(evp_md));
 #endif
-	return digest;
+	*hash = digest;
+	*hashlen = EVP_MD_size(evp_md);
 }

kexdhc.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexdhc.c,v 1.2 2004/06/13 12:53:24 djm Exp $");
+RCSID("$OpenBSD: kexdhc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
 
 #include "xmalloc.h"
 #include "key.h"
@@ -41,7 +41,7 @@ kexdh_client(Kex *kex)
 	Key *server_host_key;
 	u_char *server_host_key_blob = NULL, *signature = NULL;
 	u_char *kbuf, *hash;
-	u_int klen, kout, slen, sbloblen;
+	u_int klen, kout, slen, sbloblen, hashlen;
 
 	/* generate and send 'e', client DH public key */
 	switch (kex->kex_type) {
@@ -114,7 +114,7 @@ kexdh_client(Kex *kex)
 	xfree(kbuf);
 
 	/* calc and verify H */
-	hash = kex_dh_hash(
+	kex_dh_hash(
 	    kex->client_version_string,
 	    kex->server_version_string,
 	    buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -122,25 +122,26 @@ kexdh_client(Kex *kex)
 	    server_host_key_blob, sbloblen,
 	    dh->pub_key,
 	    dh_server_pub,
-	    shared_secret
+	    shared_secret,
+	    &hash, &hashlen
 	);
 	xfree(server_host_key_blob);
 	BN_clear_free(dh_server_pub);
 	DH_free(dh);
 
-	if (key_verify(server_host_key, signature, slen, hash, 20) != 1)
+	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
 		fatal("key_verify failed for server_host_key");
 	key_free(server_host_key);
 	xfree(signature);
 
 	/* save session id */
 	if (kex->session_id == NULL) {
-		kex->session_id_len = 20;
+		kex->session_id_len = hashlen;
 		kex->session_id = xmalloc(kex->session_id_len);
 		memcpy(kex->session_id, hash, kex->session_id_len);
 	}
 
-	kex_derive_keys(kex, hash, shared_secret);
+	kex_derive_keys(kex, hash, hashlen, shared_secret);
 	BN_clear_free(shared_secret);
 	kex_finish(kex);
 }

kexdhs.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexdhs.c,v 1.2 2004/06/13 12:53:24 djm Exp $");
+RCSID("$OpenBSD: kexdhs.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
 
 #include "xmalloc.h"
 #include "key.h"
@@ -41,7 +41,7 @@ kexdh_server(Kex *kex)
 	DH *dh;
 	Key *server_host_key;
 	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-	u_int sbloblen, klen, kout;
+	u_int sbloblen, klen, kout, hashlen;
 	u_int slen;
 
 	/* generate server DH public key */
@@ -103,7 +103,7 @@ kexdh_server(Kex *kex)
 	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
 
 	/* calc H */
-	hash = kex_dh_hash(
+	kex_dh_hash(
 	    kex->client_version_string,
 	    kex->server_version_string,
 	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@@ -111,21 +111,20 @@ kexdh_server(Kex *kex)
 	    server_host_key_blob, sbloblen,
 	    dh_client_pub,
 	    dh->pub_key,
-	    shared_secret
+	    shared_secret,
+	    &hash, &hashlen
 	);
 	BN_clear_free(dh_client_pub);
 
 	/* save session id := H */
-	/* XXX hashlen depends on KEX */
 	if (kex->session_id == NULL) {
-		kex->session_id_len = 20;
+		kex->session_id_len = hashlen;
 		kex->session_id = xmalloc(kex->session_id_len);
 		memcpy(kex->session_id, hash, kex->session_id_len);
 	}
 
 	/* sign H */
-	/* XXX hashlen depends on KEX */
-	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
+	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
 
 	/* destroy_sensitive_data(); */
 
@@ -141,7 +140,7 @@ kexdh_server(Kex *kex)
 	/* have keys, free DH */
 	DH_free(dh);
 
-	kex_derive_keys(kex, hash, shared_secret);
+	kex_derive_keys(kex, hash, hashlen, shared_secret);
 	BN_clear_free(shared_secret);
 	kex_finish(kex);
 }

kexgex.c

@@ -24,7 +24,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexgex.c,v 1.24 2005/11/04 05:15:59 djm Exp $");
 
 #include <openssl/evp.h>
 
@@ -33,8 +33,9 @@ RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");
 #include "kex.h"
 #include "ssh2.h"
 
-u_char *
+void
 kexgex_hash(
+    const EVP_MD *evp_md,
     char *client_version_string,
     char *server_version_string,
     char *ckexinit, int ckexinitlen,
@@ -43,11 +44,11 @@ kexgex_hash(
     int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
     BIGNUM *client_dh_pub,
     BIGNUM *server_dh_pub,
-    BIGNUM *shared_secret)
+    BIGNUM *shared_secret,
+    u_char **hash, u_int *hashlen)
 {
 	Buffer b;
 	static u_char digest[EVP_MAX_MD_SIZE];
-	const EVP_MD *evp_md = EVP_sha1();
 	EVP_MD_CTX md;
 
 	buffer_init(&b);
@@ -79,14 +80,15 @@ kexgex_hash(
 #ifdef DEBUG_KEXDH
 	buffer_dump(&b);
 #endif
+
 	EVP_DigestInit(&md, evp_md);
 	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
 	EVP_DigestFinal(&md, digest, NULL);
 
 	buffer_free(&b);
-
+	*hash = digest;
+	*hashlen = EVP_MD_size(evp_md);
 #ifdef DEBUG_KEXDH
-	dump_digest("hash", digest, EVP_MD_size(evp_md));
+	dump_digest("hash", digest, *hashlen);
 #endif
-	return digest;
 }

kexgexc.c

@@ -24,7 +24,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexgexc.c,v 1.2 2003/12/08 11:00:47 markus Exp $");
+RCSID("$OpenBSD: kexgexc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
 
 #include "xmalloc.h"
 #include "key.h"
@@ -42,7 +42,7 @@ kexgex_client(Kex *kex)
 	BIGNUM *p = NULL, *g = NULL;
 	Key *server_host_key;
 	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-	u_int klen, kout, slen, sbloblen;
+	u_int klen, kout, slen, sbloblen, hashlen;
 	int min, max, nbits;
 	DH *dh;
 
@@ -155,7 +155,8 @@ kexgex_client(Kex *kex)
 		min = max = -1;
 
 	/* calc and verify H */
-	hash = kexgex_hash(
+	kexgex_hash(
+	    kex->evp_md,
 	    kex->client_version_string,
 	    kex->server_version_string,
 	    buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -165,25 +166,27 @@ kexgex_client(Kex *kex)
 	    dh->p, dh->g,
 	    dh->pub_key,
 	    dh_server_pub,
-	    shared_secret
+	    shared_secret,
+	    &hash, &hashlen
 	);
+
 	/* have keys, free DH */
 	DH_free(dh);
 	xfree(server_host_key_blob);
 	BN_clear_free(dh_server_pub);
 
-	if (key_verify(server_host_key, signature, slen, hash, 20) != 1)
+	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
 		fatal("key_verify failed for server_host_key");
 	key_free(server_host_key);
 	xfree(signature);
 
 	/* save session id */
 	if (kex->session_id == NULL) {
-		kex->session_id_len = 20;
+		kex->session_id_len = hashlen;
 		kex->session_id = xmalloc(kex->session_id_len);
 		memcpy(kex->session_id, hash, kex->session_id_len);
 	}
-	kex_derive_keys(kex, hash, shared_secret);
+	kex_derive_keys(kex, hash, hashlen, shared_secret);
 	BN_clear_free(shared_secret);
 
 	kex_finish(kex);

kexgexs.c

@@ -24,7 +24,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexgexs.c,v 1.1 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexgexs.c,v 1.2 2005/11/04 05:15:59 djm Exp $");
 
 #include "xmalloc.h"
 #include "key.h"
@@ -43,7 +43,7 @@ kexgex_server(Kex *kex)
 	Key *server_host_key;
 	DH *dh;
 	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-	u_int sbloblen, klen, kout, slen;
+	u_int sbloblen, klen, kout, slen, hashlen;
 	int min = -1, max = -1, nbits = -1, type;
 
 	if (kex->load_host_key == NULL)
@@ -137,8 +137,9 @@ kexgex_server(Kex *kex)
 	if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
 		min = max = -1;
 
-	/* calc H */			/* XXX depends on 'kex' */
-	hash = kexgex_hash(
+	/* calc H */
+	kexgex_hash(
+	    kex->evp_md,
 	    kex->client_version_string,
 	    kex->server_version_string,
 	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@@ -148,21 +149,20 @@ kexgex_server(Kex *kex)
 	    dh->p, dh->g,
 	    dh_client_pub,
 	    dh->pub_key,
-	    shared_secret
+	    shared_secret,
+	    &hash, &hashlen
 	);
 	BN_clear_free(dh_client_pub);
 
 	/* save session id := H */
-	/* XXX hashlen depends on KEX */
 	if (kex->session_id == NULL) {
-		kex->session_id_len = 20;
+		kex->session_id_len = hashlen;
 		kex->session_id = xmalloc(kex->session_id_len);
 		memcpy(kex->session_id, hash, kex->session_id_len);
 	}
 
 	/* sign H */
-	/* XXX hashlen depends on KEX */
-	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
+	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
 
 	/* destroy_sensitive_data(); */
 
@@ -179,7 +179,7 @@ kexgex_server(Kex *kex)
 	/* have keys, free DH */
 	DH_free(dh);
 
-	kex_derive_keys(kex, hash, shared_secret);
+	kex_derive_keys(kex, hash, hashlen, shared_secret);
 	BN_clear_free(shared_secret);
 
 	kex_finish(kex);