kexc25519c.c revision 262566 
1/* $OpenBSD: kexc25519c.c,v 1.4 2014/01/12 08:13:13 djm Exp $ */
2/*
3 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
4 * Copyright (c) 2010 Damien Miller.  All rights reserved.
5 * Copyright (c) 2013 Aris Adamantiadis.  All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28#include "includes.h"
29
30#include <sys/types.h>
31
32#include <stdio.h>
33#include <string.h>
34#include <signal.h>
35
36#include "xmalloc.h"
37#include "buffer.h"
38#include "key.h"
39#include "cipher.h"
40#include "kex.h"
41#include "log.h"
42#include "packet.h"
43#include "ssh2.h"
44
45void
46kexc25519_client(Kex *kex)
47{
48	Key *server_host_key;
49	u_char client_key[CURVE25519_SIZE];
50	u_char client_pubkey[CURVE25519_SIZE];
51	u_char *server_pubkey = NULL;
52	u_char *server_host_key_blob = NULL, *signature = NULL;
53	u_char *hash;
54	u_int slen, sbloblen, hashlen;
55	Buffer shared_secret;
56
57	kexc25519_keygen(client_key, client_pubkey);
58
59	packet_start(SSH2_MSG_KEX_ECDH_INIT);
60	packet_put_string(client_pubkey, sizeof(client_pubkey));
61	packet_send();
62	debug("sending SSH2_MSG_KEX_ECDH_INIT");
63
64#ifdef DEBUG_KEXECDH
65	dump_digest("client private key:", client_key, sizeof(client_key));
66#endif
67
68	debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
69	packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY);
70
71	/* hostkey */
72	server_host_key_blob = packet_get_string(&sbloblen);
73	server_host_key = key_from_blob(server_host_key_blob, sbloblen);
74	if (server_host_key == NULL)
75		fatal("cannot decode server_host_key_blob");
76	if (server_host_key->type != kex->hostkey_type)
77		fatal("type mismatch for decoded server_host_key_blob");
78	if (kex->verify_host_key == NULL)
79		fatal("cannot verify server_host_key");
80	if (kex->verify_host_key(server_host_key) == -1)
81		fatal("server_host_key verification failed");
82
83	/* Q_S, server public key */
84	server_pubkey = packet_get_string(&slen);
85	if (slen != CURVE25519_SIZE)
86		fatal("Incorrect size for server Curve25519 pubkey: %d", slen);
87
88#ifdef DEBUG_KEXECDH
89	dump_digest("server public key:", server_pubkey, CURVE25519_SIZE);
90#endif
91
92	/* signed H */
93	signature = packet_get_string(&slen);
94	packet_check_eom();
95
96	buffer_init(&shared_secret);
97	kexc25519_shared_key(client_key, server_pubkey, &shared_secret);
98
99	/* calc and verify H */
100	kex_c25519_hash(
101	    kex->hash_alg,
102	    kex->client_version_string,
103	    kex->server_version_string,
104	    buffer_ptr(&kex->my), buffer_len(&kex->my),
105	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
106	    server_host_key_blob, sbloblen,
107	    client_pubkey,
108	    server_pubkey,
109	    buffer_ptr(&shared_secret), buffer_len(&shared_secret),
110	    &hash, &hashlen
111	);
112	free(server_host_key_blob);
113	free(server_pubkey);
114	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
115		fatal("key_verify failed for server_host_key");
116	key_free(server_host_key);
117	free(signature);
118
119	/* save session id */
120	if (kex->session_id == NULL) {
121		kex->session_id_len = hashlen;
122		kex->session_id = xmalloc(kex->session_id_len);
123		memcpy(kex->session_id, hash, kex->session_id_len);
124	}
125	kex_derive_keys(kex, hash, hashlen,
126	    buffer_ptr(&shared_secret), buffer_len(&shared_secret));
127	buffer_free(&shared_secret);
128	kex_finish(kex);
129}
130