|
Packit |
6c0a39 |
/*
|
|
Packit |
6c0a39 |
* This file is part of the SSH Library
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* Copyright (c) 2019 by Simo Sorce - Red Hat, Inc.
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* The SSH Library is free software; you can redistribute it and/or modify
|
|
Packit |
6c0a39 |
* it under the terms of the GNU Lesser General Public License as published by
|
|
Packit |
6c0a39 |
* the Free Software Foundation; either version 2.1 of the License, or (at your
|
|
Packit |
6c0a39 |
* option) any later version.
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* The SSH Library is distributed in the hope that it will be useful, but
|
|
Packit |
6c0a39 |
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
Packit |
6c0a39 |
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
|
|
Packit |
6c0a39 |
* License for more details.
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit |
6c0a39 |
* along with the SSH Library; see the file COPYING. If not, write to
|
|
Packit |
6c0a39 |
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
|
|
Packit |
6c0a39 |
* MA 02111-1307, USA.
|
|
Packit |
6c0a39 |
*/
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
#include "config.h"
|
|
Packit |
6c0a39 |
#include "libssh/session.h"
|
|
Packit |
6c0a39 |
#include "libssh/dh.h"
|
|
Packit |
6c0a39 |
#include "libssh/buffer.h"
|
|
Packit |
6c0a39 |
#include "libssh/ssh2.h"
|
|
Packit |
6c0a39 |
#include "libssh/pki.h"
|
|
Packit |
6c0a39 |
#include "libssh/bignum.h"
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
#include "openssl/crypto.h"
|
|
Packit |
6c0a39 |
#include "openssl/dh.h"
|
|
Packit |
6c0a39 |
#include "libcrypto-compat.h"
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
extern bignum ssh_dh_generator;
|
|
Packit |
6c0a39 |
extern bignum ssh_dh_group1;
|
|
Packit |
6c0a39 |
extern bignum ssh_dh_group14;
|
|
Packit |
6c0a39 |
extern bignum ssh_dh_group16;
|
|
Packit |
6c0a39 |
extern bignum ssh_dh_group18;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
struct dh_ctx {
|
|
Packit |
6c0a39 |
DH *keypair[2];
|
|
Packit |
6c0a39 |
};
|
|
Packit |
6c0a39 |
|
|
Packit Service |
fcc0d2 |
void ssh_dh_debug_crypto(struct ssh_crypto_struct *c)
|
|
Packit Service |
fcc0d2 |
{
|
|
Packit Service |
fcc0d2 |
#ifdef DEBUG_CRYPTO
|
|
Packit Service |
fcc0d2 |
const_bignum x = NULL, y = NULL, e = NULL, f = NULL;
|
|
Packit Service |
fcc0d2 |
|
|
Packit Service |
fcc0d2 |
ssh_dh_keypair_get_keys(c->dh_ctx, DH_CLIENT_KEYPAIR, &x, &e);
|
|
Packit Service |
fcc0d2 |
ssh_dh_keypair_get_keys(c->dh_ctx, DH_SERVER_KEYPAIR, &y, &f);
|
|
Packit Service |
fcc0d2 |
ssh_print_bignum("x", x);
|
|
Packit Service |
fcc0d2 |
ssh_print_bignum("y", y);
|
|
Packit Service |
fcc0d2 |
ssh_print_bignum("e", e);
|
|
Packit Service |
fcc0d2 |
ssh_print_bignum("f", f);
|
|
Packit Service |
fcc0d2 |
|
|
Packit Service |
fcc0d2 |
ssh_log_hexdump("Session server cookie", c->server_kex.cookie, 16);
|
|
Packit Service |
fcc0d2 |
ssh_log_hexdump("Session client cookie", c->client_kex.cookie, 16);
|
|
Packit Service |
fcc0d2 |
ssh_print_bignum("k", c->shared_secret);
|
|
Packit Service |
fcc0d2 |
|
|
Packit Service |
fcc0d2 |
#else
|
|
Packit Service |
fcc0d2 |
(void)c; /* UNUSED_PARAM */
|
|
Packit Service |
fcc0d2 |
#endif
|
|
Packit Service |
fcc0d2 |
}
|
|
Packit Service |
fcc0d2 |
|
|
Packit |
6c0a39 |
int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
|
|
Packit |
6c0a39 |
const_bignum *priv, const_bignum *pub)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
if (((peer != DH_CLIENT_KEYPAIR) && (peer != DH_SERVER_KEYPAIR)) ||
|
|
Packit |
6c0a39 |
((priv == NULL) && (pub == NULL)) || (ctx == NULL) ||
|
|
Packit |
6c0a39 |
(ctx->keypair[peer] == NULL)) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
DH_get0_key(ctx->keypair[peer], pub, priv);
|
|
Packit |
6c0a39 |
if (priv && (*priv == NULL || bignum_num_bits(*priv) == 0)) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
if (pub && (*pub == NULL || bignum_num_bits(*pub) == 0)) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
return SSH_OK;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
|
Packit |
6c0a39 |
const bignum priv, const bignum pub)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
bignum priv_key = NULL;
|
|
Packit |
6c0a39 |
bignum pub_key = NULL;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if (((peer != DH_CLIENT_KEYPAIR) && (peer != DH_SERVER_KEYPAIR)) ||
|
|
Packit |
6c0a39 |
((priv == NULL) && (pub == NULL)) || (ctx == NULL) ||
|
|
Packit |
6c0a39 |
(ctx->keypair[peer] == NULL)) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if (priv) {
|
|
Packit |
6c0a39 |
priv_key = priv;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
if (pub) {
|
|
Packit |
6c0a39 |
pub_key = pub;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
(void)DH_set0_key(ctx->keypair[peer], pub_key, priv_key);
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
return SSH_OK;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
int ssh_dh_get_parameters(struct dh_ctx *ctx,
|
|
Packit |
6c0a39 |
const_bignum *modulus, const_bignum *generator)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
if (ctx == NULL || ctx->keypair[0] == NULL) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
DH_get0_pqg(ctx->keypair[0], modulus, NULL, generator);
|
|
Packit |
6c0a39 |
return SSH_OK;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
int ssh_dh_set_parameters(struct dh_ctx *ctx,
|
|
Packit |
6c0a39 |
const bignum modulus, const bignum generator)
|
|
Packit |
6c0a39 |
{
|
|
Packit Service |
fcc0d2 |
size_t i;
|
|
Packit |
6c0a39 |
int rc;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if ((ctx == NULL) || (modulus == NULL) || (generator == NULL)) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit Service |
fcc0d2 |
|
|
Packit Service |
fcc0d2 |
for (i = 0; i < 2; i++) {
|
|
Packit |
6c0a39 |
bignum p = NULL;
|
|
Packit |
6c0a39 |
bignum g = NULL;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
/* when setting modulus or generator,
|
|
Packit |
6c0a39 |
* make sure to invalidate existing keys */
|
|
Packit |
6c0a39 |
DH_free(ctx->keypair[i]);
|
|
Packit |
6c0a39 |
ctx->keypair[i] = DH_new();
|
|
Packit |
6c0a39 |
if (ctx->keypair[i] == NULL) {
|
|
Packit |
6c0a39 |
rc = SSH_ERROR;
|
|
Packit |
6c0a39 |
goto done;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
p = BN_dup(modulus);
|
|
Packit |
6c0a39 |
g = BN_dup(generator);
|
|
Packit |
6c0a39 |
rc = DH_set0_pqg(ctx->keypair[i], p, NULL, g);
|
|
Packit |
6c0a39 |
if (rc != 1) {
|
|
Packit |
6c0a39 |
BN_free(p);
|
|
Packit |
6c0a39 |
BN_free(g);
|
|
Packit |
6c0a39 |
rc = SSH_ERROR;
|
|
Packit |
6c0a39 |
goto done;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
rc = SSH_OK;
|
|
Packit |
6c0a39 |
done:
|
|
Packit |
6c0a39 |
if (rc != SSH_OK) {
|
|
Packit |
6c0a39 |
DH_free(ctx->keypair[0]);
|
|
Packit |
6c0a39 |
DH_free(ctx->keypair[1]);
|
|
Packit |
6c0a39 |
ctx->keypair[0] = NULL;
|
|
Packit |
6c0a39 |
ctx->keypair[1] = NULL;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
return rc;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
/**
|
|
Packit |
6c0a39 |
* @internal
|
|
Packit |
6c0a39 |
* @brief allocate and initialize ephemeral values used in dh kex
|
|
Packit |
6c0a39 |
*/
|
|
Packit |
6c0a39 |
int ssh_dh_init_common(struct ssh_crypto_struct *crypto)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
struct dh_ctx *ctx;
|
|
Packit |
6c0a39 |
int rc;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
ctx = calloc(1, sizeof(*ctx));
|
|
Packit |
6c0a39 |
if (ctx == NULL) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
crypto->dh_ctx = ctx;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
switch (crypto->kex_type) {
|
|
Packit |
6c0a39 |
case SSH_KEX_DH_GROUP1_SHA1:
|
|
Packit |
6c0a39 |
rc = ssh_dh_set_parameters(ctx, ssh_dh_group1, ssh_dh_generator);
|
|
Packit |
6c0a39 |
break;
|
|
Packit |
6c0a39 |
case SSH_KEX_DH_GROUP14_SHA1:
|
|
Packit Service |
fcc0d2 |
case SSH_KEX_DH_GROUP14_SHA256:
|
|
Packit |
6c0a39 |
rc = ssh_dh_set_parameters(ctx, ssh_dh_group14, ssh_dh_generator);
|
|
Packit |
6c0a39 |
break;
|
|
Packit |
6c0a39 |
case SSH_KEX_DH_GROUP16_SHA512:
|
|
Packit |
6c0a39 |
rc = ssh_dh_set_parameters(ctx, ssh_dh_group16, ssh_dh_generator);
|
|
Packit |
6c0a39 |
break;
|
|
Packit |
6c0a39 |
case SSH_KEX_DH_GROUP18_SHA512:
|
|
Packit |
6c0a39 |
rc = ssh_dh_set_parameters(ctx, ssh_dh_group18, ssh_dh_generator);
|
|
Packit |
6c0a39 |
break;
|
|
Packit |
6c0a39 |
default:
|
|
Packit |
6c0a39 |
rc = SSH_OK;
|
|
Packit |
6c0a39 |
break;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if (rc != SSH_OK) {
|
|
Packit |
6c0a39 |
ssh_dh_cleanup(crypto);
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
return rc;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
void ssh_dh_cleanup(struct ssh_crypto_struct *crypto)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
if (crypto->dh_ctx != NULL) {
|
|
Packit |
6c0a39 |
DH_free(crypto->dh_ctx->keypair[0]);
|
|
Packit |
6c0a39 |
DH_free(crypto->dh_ctx->keypair[1]);
|
|
Packit |
6c0a39 |
free(crypto->dh_ctx);
|
|
Packit |
6c0a39 |
crypto->dh_ctx = NULL;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
/** @internal
|
|
Packit |
6c0a39 |
* @brief generates a secret DH parameter of at least DH_SECURITY_BITS
|
|
Packit |
6c0a39 |
* security as well as the corresponding public key.
|
|
Packit |
6c0a39 |
* @param[out] parms a dh_ctx that will hold the new keys.
|
|
Packit |
6c0a39 |
* @param peer Select either client or server key storage. Valid values are:
|
|
Packit |
6c0a39 |
* DH_CLIENT_KEYPAIR or DH_SERVER_KEYPAIR
|
|
Packit |
6c0a39 |
*
|
|
Packit |
6c0a39 |
* @return SSH_OK on success, SSH_ERROR on error
|
|
Packit |
6c0a39 |
*/
|
|
Packit |
6c0a39 |
int ssh_dh_keypair_gen_keys(struct dh_ctx *dh_ctx, int peer)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
int rc;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if ((dh_ctx == NULL) || (dh_ctx->keypair[peer] == NULL)) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
rc = DH_generate_key(dh_ctx->keypair[peer]);
|
|
Packit |
6c0a39 |
if (rc != 1) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
return SSH_OK;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
/** @internal
|
|
Packit |
6c0a39 |
* @brief generates a shared secret between the local peer and the remote
|
|
Packit |
6c0a39 |
* peer. The local peer must have been initialized using either the
|
|
Packit |
6c0a39 |
* ssh_dh_keypair_gen_keys() function or by seetting manually both
|
|
Packit |
6c0a39 |
* the private and public keys. The remote peer only needs to have
|
|
Packit |
6c0a39 |
* the remote's peer public key set.
|
|
Packit |
6c0a39 |
* @param[in] local peer identifier (DH_CLIENT_KEYPAIR or DH_SERVER_KEYPAIR)
|
|
Packit |
6c0a39 |
* @param[in] remote peer identifier (DH_CLIENT_KEYPAIR or DH_SERVER_KEYPAIR)
|
|
Packit |
6c0a39 |
* @param[out] dest a new bignum with the shared secret value is returned.
|
|
Packit |
6c0a39 |
* @return SSH_OK on success, SSH_ERROR on error
|
|
Packit |
6c0a39 |
*/
|
|
Packit |
6c0a39 |
int ssh_dh_compute_shared_secret(struct dh_ctx *dh_ctx, int local, int remote,
|
|
Packit |
6c0a39 |
bignum *dest)
|
|
Packit |
6c0a39 |
{
|
|
Packit |
6c0a39 |
unsigned char *kstring = NULL;
|
|
Packit |
6c0a39 |
const_bignum pub_key = NULL;
|
|
Packit |
6c0a39 |
int klen, rc;
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
if ((dh_ctx == NULL) ||
|
|
Packit |
6c0a39 |
(dh_ctx->keypair[local] == NULL) ||
|
|
Packit |
6c0a39 |
(dh_ctx->keypair[remote] == NULL)) {
|
|
Packit |
6c0a39 |
return SSH_ERROR;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
kstring = malloc(DH_size(dh_ctx->keypair[local]));
|
|
Packit |
6c0a39 |
if (kstring == NULL) {
|
|
Packit |
6c0a39 |
rc = SSH_ERROR;
|
|
Packit |
6c0a39 |
goto done;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
rc = ssh_dh_keypair_get_keys(dh_ctx, remote, NULL, &pub_key);
|
|
Packit |
6c0a39 |
if (rc != SSH_OK) {
|
|
Packit |
6c0a39 |
rc = SSH_ERROR;
|
|
Packit |
6c0a39 |
goto done;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
klen = DH_compute_key(kstring, pub_key, dh_ctx->keypair[local]);
|
|
Packit |
6c0a39 |
if (klen == -1) {
|
|
Packit |
6c0a39 |
rc = SSH_ERROR;
|
|
Packit |
6c0a39 |
goto done;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
*dest = BN_bin2bn(kstring, klen, NULL);
|
|
Packit |
6c0a39 |
if (*dest == NULL) {
|
|
Packit |
6c0a39 |
rc = SSH_ERROR;
|
|
Packit |
6c0a39 |
goto done;
|
|
Packit |
6c0a39 |
}
|
|
Packit |
6c0a39 |
|
|
Packit |
6c0a39 |
rc = SSH_OK;
|
|
Packit |
6c0a39 |
done:
|
|
Packit |
6c0a39 |
free(kstring);
|
|
Packit |
6c0a39 |
return rc;
|
|
Packit |
6c0a39 |
}
|