1264377Sdes/* $OpenBSD: kexc25519.c,v 1.5 2014/01/31 16:39:19 tedu Exp $ */ 2261287Sdes/* 3261287Sdes * Copyright (c) 2001, 2013 Markus Friedl. All rights reserved. 4261287Sdes * Copyright (c) 2010 Damien Miller. All rights reserved. 5261287Sdes * Copyright (c) 2013 Aris Adamantiadis. All rights reserved. 6261287Sdes * 7261287Sdes * Redistribution and use in source and binary forms, with or without 8261287Sdes * modification, are permitted provided that the following conditions 9261287Sdes * are met: 10261287Sdes * 1. Redistributions of source code must retain the above copyright 11261287Sdes * notice, this list of conditions and the following disclaimer. 12261287Sdes * 2. Redistributions in binary form must reproduce the above copyright 13261287Sdes * notice, this list of conditions and the following disclaimer in the 14261287Sdes * documentation and/or other materials provided with the distribution. 15261287Sdes * 16261287Sdes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17261287Sdes * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18261287Sdes * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19261287Sdes * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20261287Sdes * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21261287Sdes * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22261287Sdes * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23261287Sdes * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24261287Sdes * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25261287Sdes * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26261287Sdes */ 27261287Sdes 28261287Sdes#include "includes.h" 29261287Sdes 30261287Sdes#include <sys/types.h> 31261287Sdes 32261287Sdes#include <signal.h> 33261287Sdes#include <string.h> 34261287Sdes 35261287Sdes#include <openssl/bn.h> 36261287Sdes#include <openssl/evp.h> 37261287Sdes 38261287Sdes#include "buffer.h" 39261287Sdes#include "ssh2.h" 40261287Sdes#include "key.h" 41261287Sdes#include "cipher.h" 42261287Sdes#include "kex.h" 43261287Sdes#include "log.h" 44261287Sdes#include "digest.h" 45261287Sdes 46261287Sdesextern int crypto_scalarmult_curve25519(u_char a[CURVE25519_SIZE], 47261287Sdes const u_char b[CURVE25519_SIZE], const u_char c[CURVE25519_SIZE]) 48261287Sdes __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) 49261287Sdes __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))) 50261287Sdes __attribute__((__bounded__(__minbytes__, 3, CURVE25519_SIZE))); 51261287Sdes 52261287Sdesvoid 53261287Sdeskexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE]) 54261287Sdes{ 55261287Sdes static const u_char basepoint[CURVE25519_SIZE] = {9}; 56261287Sdes 57261287Sdes arc4random_buf(key, CURVE25519_SIZE); 58261287Sdes crypto_scalarmult_curve25519(pub, key, basepoint); 59261287Sdes} 60261287Sdes 61261287Sdesvoid 62261287Sdeskexc25519_shared_key(const u_char key[CURVE25519_SIZE], 63261287Sdes const u_char pub[CURVE25519_SIZE], Buffer *out) 64261287Sdes{ 65261287Sdes u_char shared_key[CURVE25519_SIZE]; 66261287Sdes 67261287Sdes crypto_scalarmult_curve25519(shared_key, key, pub); 68261287Sdes#ifdef DEBUG_KEXECDH 69261287Sdes dump_digest("shared secret", shared_key, CURVE25519_SIZE); 70261287Sdes#endif 71261287Sdes buffer_clear(out); 72261287Sdes buffer_put_bignum2_from_string(out, shared_key, CURVE25519_SIZE); 73264377Sdes explicit_bzero(shared_key, CURVE25519_SIZE); 74261287Sdes} 75261287Sdes 76261287Sdesvoid 77261287Sdeskex_c25519_hash( 78261287Sdes int hash_alg, 79261287Sdes char *client_version_string, 80261287Sdes char *server_version_string, 81261287Sdes char *ckexinit, int ckexinitlen, 82261287Sdes char *skexinit, int skexinitlen, 83261287Sdes u_char *serverhostkeyblob, int sbloblen, 84261287Sdes const u_char client_dh_pub[CURVE25519_SIZE], 85261287Sdes const u_char server_dh_pub[CURVE25519_SIZE], 86261287Sdes const u_char *shared_secret, u_int secretlen, 87261287Sdes u_char **hash, u_int *hashlen) 88261287Sdes{ 89261287Sdes Buffer b; 90261287Sdes static u_char digest[SSH_DIGEST_MAX_LENGTH]; 91261287Sdes 92261287Sdes buffer_init(&b); 93261287Sdes buffer_put_cstring(&b, client_version_string); 94261287Sdes buffer_put_cstring(&b, server_version_string); 95261287Sdes 96261287Sdes /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ 97261287Sdes buffer_put_int(&b, ckexinitlen+1); 98261287Sdes buffer_put_char(&b, SSH2_MSG_KEXINIT); 99261287Sdes buffer_append(&b, ckexinit, ckexinitlen); 100261287Sdes buffer_put_int(&b, skexinitlen+1); 101261287Sdes buffer_put_char(&b, SSH2_MSG_KEXINIT); 102261287Sdes buffer_append(&b, skexinit, skexinitlen); 103261287Sdes 104261287Sdes buffer_put_string(&b, serverhostkeyblob, sbloblen); 105261287Sdes buffer_put_string(&b, client_dh_pub, CURVE25519_SIZE); 106261287Sdes buffer_put_string(&b, server_dh_pub, CURVE25519_SIZE); 107261287Sdes buffer_append(&b, shared_secret, secretlen); 108261287Sdes 109261287Sdes#ifdef DEBUG_KEX 110261287Sdes buffer_dump(&b); 111261287Sdes#endif 112261287Sdes if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0) 113261287Sdes fatal("%s: digest_buffer failed", __func__); 114261287Sdes 115261287Sdes buffer_free(&b); 116261287Sdes 117261287Sdes#ifdef DEBUG_KEX 118261287Sdes dump_digest("hash", digest, ssh_digest_bytes(hash_alg)); 119261287Sdes#endif 120261287Sdes *hash = digest; 121261287Sdes *hashlen = ssh_digest_bytes(hash_alg); 122261287Sdes} 123