File: packet_kexdh.c

package info (click to toggle)
tinyssh 20250501-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 3,388 kB
  • sloc: ansic: 20,245; sh: 1,582; python: 1,449; makefile: 913
file content (140 lines) | stat: -rw-r--r-- 5,043 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
/*
20141025
Jan Mojzis
Public domain.
*/

#include "buf.h"
#include "ssh.h"
#include "e.h"
#include "crypto_uint32.h"
#include "byte.h"
#include "sshcrypto.h"
#include "packetparser.h"
#include "bug.h"
#include "log.h"
#include "purge.h"
#include "subprocess.h"
#include "packet.h"

int packet_kexdh(const char *keydir, struct buf *b1, struct buf *b2) {

    unsigned char clientpk[sshcrypto_kem_PUBLICKEYMAX];
    unsigned char serverpk[sshcrypto_kem_CIPHERTEXTMAX];
    unsigned char sharedsecret[sshcrypto_kem_MAX];
    unsigned char sm[sshcrypto_sign_MAX];
    unsigned char key[sshcrypto_cipher_KEYMAX];
    unsigned char hash[sshcrypto_hash_MAX];
    long long pos = 0;
    crypto_uint8 ch;
    crypto_uint32 len;
    long long i;

    if (packet.kex_packet_follows && !packet.kex_guess) {
        buf_purge(b1);
        if (!packet_getall(b1, SSH_MSG_KEXDH_INIT)) return 0;
    }

    buf_purge(b1);
    if (!packet_getall(b1, SSH_MSG_KEXDH_INIT)) return 0;
    pos = packetparser_uint8(b1->buf, b1->len, pos,
                             &ch); /* byte      SSH_MSG_KEXDH_INIT */
    if (ch != SSH_MSG_KEXDH_INIT) bug_proto();
    pos = packetparser_uint32(b1->buf, b1->len, pos,
                              &len); /* string    client's public key */
    if (len != sshcrypto_kem_publickeybytes) bug_proto();
    pos = packetparser_copy(b1->buf, b1->len, pos, clientpk, len);
    pos = packetparser_end(b1->buf, b1->len, pos);
    buf_purge(b1);

    /* generate key and compute shared secret */
    do {
        /* XXX - workaroud for bug in OpenSSH 6.5 - 6.6 */
        if (sshcrypto_enc(serverpk, sharedsecret, clientpk) != 0) bug_proto();
    } while (sharedsecret[0] == 0 && sshcrypto_kem_publickeybytes == 32);

    /* create hash */
    buf_purge(&packet.hashbuf);
    buf_putstringlen(&packet.hashbuf, packet.helloreceive.buf,
                     packet.helloreceive.len);
    buf_putstringlen(&packet.hashbuf, packet.hellosend.buf,
                     packet.hellosend.len);
    buf_putstringlen(&packet.hashbuf, packet.kexrecv.buf, packet.kexrecv.len);
    buf_putstringlen(&packet.hashbuf, packet.kexsend.buf, packet.kexsend.len);
    sshcrypto_buf_putsignpk(&packet.hashbuf, sshcrypto_sign_publickey);
    buf_putstringlen(&packet.hashbuf, clientpk, sshcrypto_kem_publickeybytes);
    buf_putstringlen(&packet.hashbuf, serverpk, sshcrypto_kem_ciphertextbytes);
    sshcrypto_buf_putkemkey(&packet.hashbuf, sharedsecret);
    sshcrypto_hash(hash, packet.hashbuf.buf, packet.hashbuf.len);

    /* session id */
    if (!packet.flagrekeying)
        byte_copy(packet.sessionid, sshcrypto_hash_bytes, hash);
    packet.flagrekeying = 1;

    /* signature */
    if (subprocess_sign(sm, sshcrypto_sign_bytes, keydir, hash,
                        sshcrypto_hash_bytes) != 0)
        return 0;
    buf_purge(b1);
    buf_purge(b2);

    /* send server kex_ecdh_reply */
    buf_putnum8(b2, SSH_MSG_KEXDH_REPLY); /* SSH_MSG_KEXDH_REPLY */
    sshcrypto_buf_putsignpk(b2, sshcrypto_sign_publickey); /* public key */
    buf_putstringlen(b2, serverpk,
                     sshcrypto_kem_ciphertextbytes); /* servers's public key */
    sshcrypto_buf_putsignature(b2, sm);              /* signature */
    packet_put(b2);

    /* send server newkeys */
    buf_purge(b2);
    buf_putnum8(b2, SSH_MSG_NEWKEYS);
    packet_put(b2);
    if (!packet_sendall()) return 0;

    /* receive new keys */
    for (;;) {
        buf_purge(b2);
        if (!packet_getall(b2, 0)) return 0;
        if (b2->buf[0] == SSH_MSG_NEWKEYS) break;
        if (sshcrypto_kex_flags & sshcrypto_FLAGSTRICTKEX) {
            log_f1("strict KEX mode: rejecting non-SSH_MSG_NEWKEYS packet");
            return 0;
        }
    }

    /* key derivation */
    for (i = 0; i < 6; ++i) {
        buf_purge(b1);
        sshcrypto_buf_putkemkey(b1, sharedsecret);
        buf_put(b1, hash, sshcrypto_hash_bytes);
        buf_putnum8(b1, 'A' + i);
        buf_put(b1, packet.sessionid, sshcrypto_hash_bytes);
        sshcrypto_hash(key, b1->buf, b1->len);

        /* one extend */
        buf_purge(b1);
        sshcrypto_buf_putkemkey(b1, sharedsecret);
        buf_put(b1, hash, sshcrypto_hash_bytes);
        buf_put(b1, key, sshcrypto_hash_bytes);
        sshcrypto_hash(key + sshcrypto_hash_bytes, b1->buf, b1->len);

        if (i == 0) byte_copy(packet.clientnonce, sshcrypto_cipher_KEYMAX, key);
        if (i == 1) byte_copy(packet.servernonce, sshcrypto_cipher_KEYMAX, key);
        if (i == 2) byte_copy(packet.clientkey, sshcrypto_cipher_KEYMAX, key);
        if (i == 3) byte_copy(packet.serverkey, sshcrypto_cipher_KEYMAX, key);
        if (i == 4)
            byte_copy(packet.clientmackey, sshcrypto_cipher_KEYMAX, key);
        if (i == 5)
            byte_copy(packet.servermackey, sshcrypto_cipher_KEYMAX, key);
    }

    purge(clientpk, sizeof clientpk);
    purge(serverpk, sizeof serverpk);
    purge(sharedsecret, sizeof sharedsecret);
    purge(sm, sizeof sm);
    purge(key, sizeof key);
    purge(hash, sizeof hash);
    return 1;
}