Attachment #939 for bug #1023

Lines 3-9 Link Here

(-)Makefile.inc (-1 / +1 lines)
3	CFLAGS+= -I${.CURDIR}/..	3	CFLAGS+= -I${.CURDIR}/..
4		4
5	CDIAGFLAGS= -Wall	5	CDIAGFLAGS= -Wall
6	#CDIAGFLAGS+= -Werror	6	CDIAGFLAGS+= -Werror
7	CDIAGFLAGS+= -Wpointer-arith	7	CDIAGFLAGS+= -Wpointer-arith
8	CDIAGFLAGS+= -Wno-uninitialized	8	CDIAGFLAGS+= -Wno-uninitialized
9	CDIAGFLAGS+= -Wstrict-prototypes	9	CDIAGFLAGS+= -Wstrict-prototypes

Lines 44-49 RCSID("$OpenBSD: kex.c,v 1.63 2005/07/17 Link Here

(-)kex.c (-11 / +38 lines)
44		44
45	#define KEX_COOKIE_LEN 16	45	#define KEX_COOKIE_LEN 16
46		46
		47	extern const EVP_MD *evp_ssh_sha256(void);
		48
47	/* prototype */	49	/* prototype */
48	static void kex_kexinit_finish(Kex *);	50	static void kex_kexinit_finish(Kex *);
49	static void kex_choose_conf(Kex *);	51	static void kex_choose_conf(Kex *);
Lines 294-301 choose_kex(Kex k, char client, char *s Link Here
294	k->kex_type = KEX_DH_GRP1_SHA1;	296	k->kex_type = KEX_DH_GRP1_SHA1;
295	} else if (strcmp(k->name, KEX_DH14) == 0) {	297	} else if (strcmp(k->name, KEX_DH14) == 0) {
296	k->kex_type = KEX_DH_GRP14_SHA1;	298	k->kex_type = KEX_DH_GRP14_SHA1;
297	} else if (strcmp(k->name, KEX_DHGEX) == 0) {	299	} else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
298	k->kex_type = KEX_DH_GEX_SHA1;	300	k->kex_type = KEX_DH_GEX_SHA1;
		301	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
		302	k->kex_type = KEX_DH_GEX_SHA256;
299	} else	303	} else
300	fatal("bad kex alg %s", k->name);	304	fatal("bad kex alg %s", k->name);
301	}	305	}
Lines 402-429 kex_choose_conf(Kex *kex) Link Here
402	}	406	}
403		407
404	static u_char *	408	static u_char *
405	derive_key(Kex kex, int id, u_int need, u_char hash, BIGNUM *shared_secret)	409	derive_key(Kex kex, int id, u_int need, u_char hash, u_int hashlen,
		410	BIGNUM *shared_secret)
406	{	411	{
407	Buffer b;	412	Buffer b;
408	const EVP_MD *evp_md = EVP_sha1();	413	const EVP_MD *evp_md;
409	EVP_MD_CTX md;	414	EVP_MD_CTX md;
410	char c = id;	415	char c = id;
411	u_int have;	416	u_int have;
412	int mdsz = EVP_MD_size(evp_md);	417	int mdsz;
413	u_char *digest;	418	u_char *digest;
414		419
		420	buffer_init(&b);
		421	buffer_put_bignum2(&b, shared_secret);
		422
		423	switch (kex->kex_type) {
		424	case KEX_DH_GRP1_SHA1:
		425	case KEX_DH_GRP14_SHA1:
		426	case KEX_DH_GEX_SHA1:
		427	evp_md = EVP_sha1();
		428	break;
		429	case KEX_DH_GEX_SHA256:
		430	evp_md = evp_ssh_sha256();
		431	break;
		432	default:
		433	fatal("derive_key: unknown kex_type %d", kex->kex_type);
		434	}
		435
		436	mdsz = EVP_MD_size(evp_md);
415	if (mdsz < 0)	437	if (mdsz < 0)
416	fatal("derive_key: mdsz < 0");	438	fatal("derive_key: mdsz < 0");
417	digest = xmalloc(roundup(need, mdsz));	439	digest = xmalloc(roundup(need, mdsz));
418		440
419	buffer_init(&b);
420	buffer_put_bignum2(&b, shared_secret);
421
422	/* K1 = HASH(K \|\| H \|\| "A" \|\| session_id) */	441	/* K1 = HASH(K \|\| H \|\| "A" \|\| session_id) */
423	EVP_DigestInit(&md, evp_md);	442	EVP_DigestInit(&md, evp_md);
424	if (!(datafellows & SSH_BUG_DERIVEKEY))	443	if (!(datafellows & SSH_BUG_DERIVEKEY))
425	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));	444	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
426	EVP_DigestUpdate(&md, hash, mdsz);	445	EVP_DigestUpdate(&md, hash, hashlen);
427	EVP_DigestUpdate(&md, &c, 1);	446	EVP_DigestUpdate(&md, &c, 1);
428	EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);	447	EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);
429	EVP_DigestFinal(&md, digest, NULL);	448	EVP_DigestFinal(&md, digest, NULL);
Lines 433-439 derive_key(Kex *kex, int id, u_int need, Link Here
433	* Kn = HASH(K \|\| H \|\| K1 \|\| K2 \|\| ... \|\| Kn-1)	452	* Kn = HASH(K \|\| H \|\| K1 \|\| K2 \|\| ... \|\| Kn-1)
434	* Key = K1 \|\| K2 \|\| ... \|\| Kn	453	* Key = K1 \|\| K2 \|\| ... \|\| Kn
435	*/	454	*/
		455	#ifdef DEBUG_KEX
		456	fprintf(stderr, "expand key: mdsz %d need %d\n", mdsz, need);
		457	#endif
436	for (have = mdsz; need > have; have += mdsz) {	458	for (have = mdsz; need > have; have += mdsz) {
		459	#ifdef DEBUG_KEX
		460	fprintf(stderr, "expand key: have %d\n", have);
		461	#endif
437	EVP_DigestInit(&md, evp_md);	462	EVP_DigestInit(&md, evp_md);
438	if (!(datafellows & SSH_BUG_DERIVEKEY))	463	if (!(datafellows & SSH_BUG_DERIVEKEY))
439	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));	464	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
Lines 453-465 Newkeys *current_keys[MODE_MAX]; Link Here
453		478
454	#define NKEYS 6	479	#define NKEYS 6
455	void	480	void
456	kex_derive_keys(Kex kex, u_char hash, BIGNUM *shared_secret)	481	kex_derive_keys(Kex kex, u_char hash, u_int hashlen, BIGNUM *shared_secret)
457	{	482	{
458	u_char *keys[NKEYS];	483	u_char *keys[NKEYS];
459	u_int i, mode, ctos;	484	u_int i, mode, ctos;
460		485
461	for (i = 0; i < NKEYS; i++)	486	for (i = 0; i < NKEYS; i++) {
462	keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret);	487	keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen,
		488	shared_secret);
		489	}
463		490
464	debug2("kex_derive_keys");	491	debug2("kex_derive_keys");
465	for (mode = 0; mode < MODE_MAX; mode++) {	492	for (mode = 0; mode < MODE_MAX; mode++) {




#include "cipher.h"
#include "key.h"

#define	KEX_DH1			"diffie-hellman-group1-sha1"
#define	KEX_DH14		"diffie-hellman-group14-sha1"
#define	KEX_DHGEX_SHA1		"diffie-hellman-group-exchange-sha1"
#define	KEX_DHGEX_SHA256	"diffie-hellman-group-exchange-sha256"

enum kex_init_proposals {
	PROPOSAL_KEX_ALGS,

	KEX_DH_GRP1_SHA1,
	KEX_DH_GRP14_SHA1,
	KEX_DH_GEX_SHA1,
	KEX_DH_GEX_SHA256,
	KEX_MAX
};



void	 kex_send_kexinit(Kex *);
void	 kex_input_kexinit(int, u_int32_t, void *);
void	 kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *);

Newkeys *kex_get_newkeys(int);


void	 kexgex_client(Kex *);
void	 kexgex_server(Kex *);

void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
    BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
void
kexgex_hash(int, char *, char *, char *, int, char *, int, u_char *, int,
    int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
    u_char **, u_int *);

void
derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);




#include "ssh2.h"
#include "kex.h"

void
kex_dh_hash(
    char *client_version_string,
    char *server_version_string,

    u_char *serverhostkeyblob, int sbloblen,
    BIGNUM *client_dh_pub,
    BIGNUM *server_dh_pub,
    BIGNUM *shared_secret,
    u_char **hash, u_int *hashlen)
{
	Buffer b;
	static u_char digest[EVP_MAX_MD_SIZE];

#ifdef DEBUG_KEX
	dump_digest("hash", digest, EVP_MD_size(evp_md));
#endif
	*hash = digest;
	*hashlen = EVP_MD_size(evp_md);
}




	Key *server_host_key;
	u_char *server_host_key_blob = NULL, *signature = NULL;
	u_char *kbuf, *hash;
	u_int klen, kout, slen, sbloblen, hashlen;

	/* generate and send 'e', client DH public key */
	switch (kex->kex_type) {

	xfree(kbuf);

	/* calc and verify H */
	kex_dh_hash(
	    kex->client_version_string,
	    kex->server_version_string,
	    buffer_ptr(&kex->my), buffer_len(&kex->my),

	    server_host_key_blob, sbloblen,
	    dh->pub_key,
	    dh_server_pub,
	    shared_secret,
	    &hash, &hashlen
	);
	xfree(server_host_key_blob);
	BN_clear_free(dh_server_pub);
	DH_free(dh);

	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
		fatal("key_verify failed for server_host_key");
	key_free(server_host_key);
	xfree(signature);

	/* save session id */
	if (kex->session_id == NULL) {
		kex->session_id_len = hashlen;
		kex->session_id = xmalloc(kex->session_id_len);
		memcpy(kex->session_id, hash, kex->session_id_len);
	}

	kex_derive_keys(kex, hash, hashlen, shared_secret);
	BN_clear_free(shared_secret);
	kex_finish(kex);
}




	DH *dh;
	Key *server_host_key;
	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
	u_int sbloblen, klen, kout, hashlen;
	u_int slen;

	/* generate server DH public key */

	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);

	/* calc H */
	kex_dh_hash(
	    kex->client_version_string,
	    kex->server_version_string,
	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),

	    server_host_key_blob, sbloblen,
	    dh_client_pub,
	    dh->pub_key,
	    shared_secret,
	    &hash, &hashlen
	);
	BN_clear_free(dh_client_pub);

	/* save session id := H */
	/* XXX hashlen depends on KEX */
	if (kex->session_id == NULL) {
		kex->session_id_len = hashlen;
		kex->session_id = xmalloc(kex->session_id_len);
		memcpy(kex->session_id, hash, kex->session_id_len);
	}

	/* sign H */
	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));

	/* destroy_sensitive_data(); */


	/* have keys, free DH */
	DH_free(dh);

	kex_derive_keys(kex, hash, hashlen, shared_secret);
	BN_clear_free(shared_secret);
	kex_finish(kex);
}




#include "includes.h"
RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");

#include <openssl/sha.h>

#include "buffer.h"
#include "bufaux.h"
#include "kex.h"
#include "ssh2.h"
#include "log.h"

extern const EVP_MD *evp_ssh_sha256(void);

void
kexgex_hash(
    int kex_type,
    char *client_version_string,
    char *server_version_string,
    char *ckexinit, int ckexinitlen,

    int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
    BIGNUM *client_dh_pub,
    BIGNUM *server_dh_pub,
    BIGNUM *shared_secret,
    u_char **hash, u_int *hashlen)
{
	Buffer b;
	static u_char digest[64];
	const EVP_MD *evp_md;
	EVP_MD_CTX md;

	buffer_init(&b);

#ifdef DEBUG_KEXDH
	buffer_dump(&b);
#endif

	switch (kex_type) {
	case KEX_DH_GEX_SHA1:
		evp_md = EVP_sha1();
		break;
	case KEX_DH_GEX_SHA256:
		evp_md = evp_ssh_sha256();
		break;
	default:
		fatal("kexgex_hash: unknown kex_type %d", kex_type);
	}

	EVP_DigestInit(&md, evp_md);
	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	EVP_DigestFinal(&md, digest, NULL);
	
	buffer_free(&b);
	*hash = digest;
	*hashlen = EVP_MD_size(evp_md);
#ifdef DEBUG_KEXDH
	dump_digest("hash", digest, *hashlen);
#endif
	return digest;
}




	BIGNUM *p = NULL, *g = NULL;
	Key *server_host_key;
	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
	u_int klen, kout, slen, sbloblen, hashlen;
	int min, max, nbits;
	DH *dh;


		min = max = -1;

	/* calc and verify H */
	kexgex_hash(
	    kex->kex_type,
	    kex->client_version_string,
	    kex->server_version_string,
	    buffer_ptr(&kex->my), buffer_len(&kex->my),

	    dh->p, dh->g,
	    dh->pub_key,
	    dh_server_pub,
	    shared_secret,
	    &hash, &hashlen
	);

	/* have keys, free DH */
	DH_free(dh);
	xfree(server_host_key_blob);
	BN_clear_free(dh_server_pub);

	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
		fatal("key_verify failed for server_host_key");
	key_free(server_host_key);
	xfree(signature);

	/* save session id */
	if (kex->session_id == NULL) {
		kex->session_id_len = hashlen;
		kex->session_id = xmalloc(kex->session_id_len);
		memcpy(kex->session_id, hash, kex->session_id_len);
	}
	kex_derive_keys(kex, hash, hashlen, shared_secret);
	BN_clear_free(shared_secret);

	kex_finish(kex);




	Key *server_host_key;
	DH *dh;
	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
	u_int sbloblen, klen, kout, slen, hashlen;
	int min = -1, max = -1, nbits = -1, type;

	if (kex->load_host_key == NULL)

		min = max = -1;

	/* calc H */			/* XXX depends on 'kex' */
	kexgex_hash(
	    kex->kex_type,
	    kex->client_version_string,
	    kex->server_version_string,
	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),

	    dh->p, dh->g,
	    dh_client_pub,
	    dh->pub_key,
	    shared_secret,
	    &hash, &hashlen
	);
	BN_clear_free(dh_client_pub);

	/* save session id := H */
	/* XXX hashlen depends on KEX */
	if (kex->session_id == NULL) {
		kex->session_id_len = hashlen;
		kex->session_id = xmalloc(kex->session_id_len);
		memcpy(kex->session_id, hash, kex->session_id_len);
	}

	/* sign H */
	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));

	/* destroy_sensitive_data(); */


	/* have keys, free DH */
	DH_free(dh);

	kex_derive_keys(kex, hash, hashlen, shared_secret);
	BN_clear_free(shared_secret);

	kex_finish(kex);

Lines 473-479 mm_answer_sign(int sock, Buffer *m) Link Here

(-)monitor.c (-1 / +6 lines)
473	keyid = buffer_get_int(m);	473	keyid = buffer_get_int(m);
474	p = buffer_get_string(m, &datlen);	474	p = buffer_get_string(m, &datlen);
475		475
476	if (datlen != 20)	476	/*
		477	* Supported KEX types will only return SHA1 (20 byte) or
		478	* SHA256 (32 byte) hashes
		479	*/
		480	if (datlen != 20 && datlen != 32)
477	fatal("%s: data length incorrect: %u", __func__, datlen);	481	fatal("%s: data length incorrect: %u", __func__, datlen);
478		482
479	/* save session id, it will be passed on the first call */	483	/* save session id, it will be passed on the first call */
Lines 1375-1380 mm_get_kex(Buffer *m) Link Here
1375	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;	1379	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
1376	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;	1380	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1377	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1381	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
		1382	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
1378	kex->server = 1;	1383	kex->server = 1;
1379	kex->hostkey_type = buffer_get_int(m);	1384	kex->hostkey_type = buffer_get_int(m);
1380	kex->kex_type = buffer_get_int(m);	1385	kex->kex_type = buffer_get_int(m);

Lines 23-31 Link Here

(-)myproposal.h (-3 / +5 lines)
23	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	23	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	24	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25	*/	25	*/
26	#define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1," \	26	#define KEX_DEFAULT_KEX \
27	"diffie-hellman-group14-sha1," \	27	"diffie-hellman-group-exchange-sha256," \
28	"diffie-hellman-group1-sha1"	28	"diffie-hellman-group-exchange-sha1," \
		29	"diffie-hellman-group14-sha1," \
		30	"diffie-hellman-group1-sha1"
29	#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"	31	#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
30	#define KEX_DEFAULT_ENCRYPT \	32	#define KEX_DEFAULT_ENCRYPT \
31	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \	33	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \

Lines 341-346 keygrab_ssh2(con *c) Link Here

(-)ssh-keyscan.c (+1 lines)
341	c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;	341	c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
342	c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;	342	c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
343	c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;	343	c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
		344	c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
344	c->c_kex->verify_host_key = hostjump;	345	c->c_kex->verify_host_key = hostjump;
345		346
346	if (!(j = setjmp(kexjmp))) {	347	if (!(j = setjmp(kexjmp))) {

Lines 120-125 ssh_kex2(char host, struct sockaddr ho Link Here

(-)sshconnect2.c (+1 lines)
120	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;	120	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
121	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;	121	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
122	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;	122	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
		123	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
123	kex->client_version_string=client_version_string;	124	kex->client_version_string=client_version_string;
124	kex->server_version_string=server_version_string;	125	kex->server_version_string=server_version_string;
125	kex->verify_host_key=&verify_host_key_callback;	126	kex->verify_host_key=&verify_host_key_callback;

Lines 1910-1915 do_ssh2_kex(void) Link Here

(-)sshd.c (+1 lines)
1910	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;	1910	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
1911	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;	1911	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1912	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1912	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
		1913	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
1913	kex->server = 1;	1914	kex->server = 1;
1914	kex->client_version_string=client_version_string;	1915	kex->client_version_string=client_version_string;
1915	kex->server_version_string=server_version_string;	1916	kex->server_version_string=server_version_string;

Lines 11-17 SRCS= authfd.c authfile.c bufaux.c buffe Link Here

(-)lib/Makefile (-1 / +1 lines)
11	key.c dispatch.c kex.c mac.c uidswap.c uuencode.c misc.c \	11	key.c dispatch.c kex.c mac.c uidswap.c uuencode.c misc.c \
12	ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \	12	ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \
13	kexdhc.c kexgexc.c scard.c msg.c progressmeter.c dns.c \	13	kexdhc.c kexgexc.c scard.c msg.c progressmeter.c dns.c \
14	monitor_fdpass.c	14	monitor_fdpass.c md-sha256.c
15		15
16	DEBUGLIBS= no	16	DEBUGLIBS= no
17	NOPROFILE= yes	17	NOPROFILE= yes

Return to bug 1023

Lines 31-39 Link Here

(-)kex.h (-9 / +12 lines)
31	#include "cipher.h"	31	#include "cipher.h"
32	#include "key.h"	32	#include "key.h"
33		33
34	#define KEX_DH1 "diffie-hellman-group1-sha1"	34	#define KEX_DH1 "diffie-hellman-group1-sha1"
35	#define KEX_DH14 "diffie-hellman-group14-sha1"	35	#define KEX_DH14 "diffie-hellman-group14-sha1"
36	#define KEX_DHGEX "diffie-hellman-group-exchange-sha1"	36	#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
		37	#define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"
37		38
38	enum kex_init_proposals {	39	enum kex_init_proposals {
39	PROPOSAL_KEX_ALGS,	40	PROPOSAL_KEX_ALGS,
Lines 59-64 enum kex_exchange { Link Here
59	KEX_DH_GRP1_SHA1,	60	KEX_DH_GRP1_SHA1,
60	KEX_DH_GRP14_SHA1,	61	KEX_DH_GRP14_SHA1,
61	KEX_DH_GEX_SHA1,	62	KEX_DH_GEX_SHA1,
		63	KEX_DH_GEX_SHA256,
62	KEX_MAX	64	KEX_MAX
63	};	65	};
64		66
Lines 123-129 void kex_finish(Kex *); Link Here
123		125
124	void kex_send_kexinit(Kex *);	126	void kex_send_kexinit(Kex *);
125	void kex_input_kexinit(int, u_int32_t, void *);	127	void kex_input_kexinit(int, u_int32_t, void *);
126	void kex_derive_keys(Kex , u_char , BIGNUM *);	128	void kex_derive_keys(Kex , u_char , u_int, BIGNUM *);
127		129
128	Newkeys *kex_get_newkeys(int);	130	Newkeys *kex_get_newkeys(int);
129		131
Lines 132-143 void kexdh_server(Kex *); Link Here
132	void kexgex_client(Kex *);	134	void kexgex_client(Kex *);
133	void kexgex_server(Kex *);	135	void kexgex_server(Kex *);
134		136
135	u_char *	137	void
136	kex_dh_hash(char , char , char , int, char , int, u_char *, int,	138	kex_dh_hash(char , char , char , int, char , int, u_char *, int,
137	BIGNUM , BIGNUM , BIGNUM *);	139	BIGNUM , BIGNUM , BIGNUM , u_char , u_int );
138	u_char *	140	void
139	kexgex_hash(char , char , char , int, char , int, u_char *, int,	141	kexgex_hash(int, char , char , char , int, char , int, u_char *, int,
140	int, int, int, BIGNUM , BIGNUM , BIGNUM , BIGNUM , BIGNUM *);	142	int, int, int, BIGNUM , BIGNUM , BIGNUM , BIGNUM , BIGNUM *,
		143	u_char *, u_int );
141		144
142	void	145	void
143	derive_ssh1_session_id(BIGNUM , BIGNUM , u_int8_t[8], u_int8_t[16]);	146	derive_ssh1_session_id(BIGNUM , BIGNUM , u_int8_t[8], u_int8_t[16]);

Lines 32-38 RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/ Link Here

(-)kexdh.c (-3 / +5 lines)
32	#include "ssh2.h"	32	#include "ssh2.h"
33	#include "kex.h"	33	#include "kex.h"
34		34
35	u_char *	35	void
36	kex_dh_hash(	36	kex_dh_hash(
37	char *client_version_string,	37	char *client_version_string,
38	char *server_version_string,	38	char *server_version_string,
Lines 41-47 kex_dh_hash( Link Here
41	u_char *serverhostkeyblob, int sbloblen,	41	u_char *serverhostkeyblob, int sbloblen,
42	BIGNUM *client_dh_pub,	42	BIGNUM *client_dh_pub,
43	BIGNUM *server_dh_pub,	43	BIGNUM *server_dh_pub,
44	BIGNUM *shared_secret)	44	BIGNUM *shared_secret,
		45	u_char *hash, u_int hashlen)
45	{	46	{
46	Buffer b;	47	Buffer b;
47	static u_char digest[EVP_MAX_MD_SIZE];	48	static u_char digest[EVP_MAX_MD_SIZE];
Lines 77-81 kex_dh_hash( Link Here
77	#ifdef DEBUG_KEX	78	#ifdef DEBUG_KEX
78	dump_digest("hash", digest, EVP_MD_size(evp_md));	79	dump_digest("hash", digest, EVP_MD_size(evp_md));
79	#endif	80	#endif
80	return digest;	81	*hash = digest;
		82	*hashlen = EVP_MD_size(evp_md);
81	}	83	}

Lines 41-47 kexdh_client(Kex *kex) Link Here

(-)kexdhc.c (-6 / +7 lines)
41	Key *server_host_key;	41	Key *server_host_key;
42	u_char server_host_key_blob = NULL, signature = NULL;	42	u_char server_host_key_blob = NULL, signature = NULL;
43	u_char kbuf, hash;	43	u_char kbuf, hash;
44	u_int klen, kout, slen, sbloblen;	44	u_int klen, kout, slen, sbloblen, hashlen;
45		45
46	/* generate and send 'e', client DH public key */	46	/* generate and send 'e', client DH public key */
47	switch (kex->kex_type) {	47	switch (kex->kex_type) {
Lines 114-120 kexdh_client(Kex *kex) Link Here
114	xfree(kbuf);	114	xfree(kbuf);
115		115
116	/* calc and verify H */	116	/* calc and verify H */
117	hash = kex_dh_hash(	117	kex_dh_hash(
118	kex->client_version_string,	118	kex->client_version_string,
119	kex->server_version_string,	119	kex->server_version_string,
120	buffer_ptr(&kex->my), buffer_len(&kex->my),	120	buffer_ptr(&kex->my), buffer_len(&kex->my),
Lines 122-146 kexdh_client(Kex *kex) Link Here
122	server_host_key_blob, sbloblen,	122	server_host_key_blob, sbloblen,
123	dh->pub_key,	123	dh->pub_key,
124	dh_server_pub,	124	dh_server_pub,
125	shared_secret	125	shared_secret,
		126	&hash, &hashlen
126	);	127	);
127	xfree(server_host_key_blob);	128	xfree(server_host_key_blob);
128	BN_clear_free(dh_server_pub);	129	BN_clear_free(dh_server_pub);
129	DH_free(dh);	130	DH_free(dh);
130		131
131	if (key_verify(server_host_key, signature, slen, hash, 20) != 1)	132	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
132	fatal("key_verify failed for server_host_key");	133	fatal("key_verify failed for server_host_key");
133	key_free(server_host_key);	134	key_free(server_host_key);
134	xfree(signature);	135	xfree(signature);
135		136
136	/* save session id */	137	/* save session id */
137	if (kex->session_id == NULL) {	138	if (kex->session_id == NULL) {
138	kex->session_id_len = 20;	139	kex->session_id_len = hashlen;
139	kex->session_id = xmalloc(kex->session_id_len);	140	kex->session_id = xmalloc(kex->session_id_len);
140	memcpy(kex->session_id, hash, kex->session_id_len);	141	memcpy(kex->session_id, hash, kex->session_id_len);
141	}	142	}
142		143
143	kex_derive_keys(kex, hash, shared_secret);	144	kex_derive_keys(kex, hash, hashlen, shared_secret);
144	BN_clear_free(shared_secret);	145	BN_clear_free(shared_secret);
145	kex_finish(kex);	146	kex_finish(kex);
146	}	147	}

Lines 41-47 kexdh_server(Kex *kex) Link Here

(-)kexdhs.c (-8 / +7 lines)
41	DH *dh;	41	DH *dh;
42	Key *server_host_key;	42	Key *server_host_key;
43	u_char kbuf, hash, signature = NULL, server_host_key_blob = NULL;	43	u_char kbuf, hash, signature = NULL, server_host_key_blob = NULL;
44	u_int sbloblen, klen, kout;	44	u_int sbloblen, klen, kout, hashlen;
45	u_int slen;	45	u_int slen;
46		46
47	/* generate server DH public key */	47	/* generate server DH public key */
Lines 103-109 kexdh_server(Kex *kex) Link Here
103	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);	103	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
104		104
105	/* calc H */	105	/* calc H */
106	hash = kex_dh_hash(	106	kex_dh_hash(
107	kex->client_version_string,	107	kex->client_version_string,
108	kex->server_version_string,	108	kex->server_version_string,
109	buffer_ptr(&kex->peer), buffer_len(&kex->peer),	109	buffer_ptr(&kex->peer), buffer_len(&kex->peer),
Lines 111-131 kexdh_server(Kex *kex) Link Here
111	server_host_key_blob, sbloblen,	111	server_host_key_blob, sbloblen,
112	dh_client_pub,	112	dh_client_pub,
113	dh->pub_key,	113	dh->pub_key,
114	shared_secret	114	shared_secret,
		115	&hash, &hashlen
115	);	116	);
116	BN_clear_free(dh_client_pub);	117	BN_clear_free(dh_client_pub);
117		118
118	/* save session id := H */	119	/* save session id := H */
119	/* XXX hashlen depends on KEX */
120	if (kex->session_id == NULL) {	120	if (kex->session_id == NULL) {
121	kex->session_id_len = 20;	121	kex->session_id_len = hashlen;
122	kex->session_id = xmalloc(kex->session_id_len);	122	kex->session_id = xmalloc(kex->session_id_len);
123	memcpy(kex->session_id, hash, kex->session_id_len);	123	memcpy(kex->session_id, hash, kex->session_id_len);
124	}	124	}
125		125
126	/* sign H */	126	/* sign H */
127	/* XXX hashlen depends on KEX */	127	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
128	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
129		128
130	/* destroy_sensitive_data(); */	129	/* destroy_sensitive_data(); */
131		130
Lines 141-147 kexdh_server(Kex *kex) Link Here
141	/* have keys, free DH */	140	/* have keys, free DH */
142	DH_free(dh);	141	DH_free(dh);
143		142
144	kex_derive_keys(kex, hash, shared_secret);	143	kex_derive_keys(kex, hash, hashlen, shared_secret);
145	BN_clear_free(shared_secret);	144	BN_clear_free(shared_secret);
146	kex_finish(kex);	145	kex_finish(kex);
147	}	146	}

Lines 26-40 Link Here

(-)kexgex.c (-9 / +26 lines)
26	#include "includes.h"	26	#include "includes.h"
27	RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");	27	RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");
28		28
29	#include <openssl/evp.h>	29	#include <openssl/sha.h>
30		30
31	#include "buffer.h"	31	#include "buffer.h"
32	#include "bufaux.h"	32	#include "bufaux.h"
33	#include "kex.h"	33	#include "kex.h"
34	#include "ssh2.h"	34	#include "ssh2.h"
		35	#include "log.h"
35		36
36	u_char *	37	extern const EVP_MD *evp_ssh_sha256(void);
		38
		39	void
37	kexgex_hash(	40	kexgex_hash(
		41	int kex_type,
38	char *client_version_string,	42	char *client_version_string,
39	char *server_version_string,	43	char *server_version_string,
40	char *ckexinit, int ckexinitlen,	44	char *ckexinit, int ckexinitlen,
Lines 43-53 kexgex_hash( Link Here
43	int min, int wantbits, int max, BIGNUM prime, BIGNUM gen,	47	int min, int wantbits, int max, BIGNUM prime, BIGNUM gen,
44	BIGNUM *client_dh_pub,	48	BIGNUM *client_dh_pub,
45	BIGNUM *server_dh_pub,	49	BIGNUM *server_dh_pub,
46	BIGNUM *shared_secret)	50	BIGNUM *shared_secret,
		51	u_char *hash, u_int hashlen)
47	{	52	{
48	Buffer b;	53	Buffer b;
49	static u_char digest[EVP_MAX_MD_SIZE];	54	static u_char digest[64];
50	const EVP_MD *evp_md = EVP_sha1();	55	const EVP_MD *evp_md;
51	EVP_MD_CTX md;	56	EVP_MD_CTX md;
52		57
53	buffer_init(&b);	58	buffer_init(&b);
Lines 79-92 kexgex_hash( Link Here
79	#ifdef DEBUG_KEXDH	84	#ifdef DEBUG_KEXDH
80	buffer_dump(&b);	85	buffer_dump(&b);
81	#endif	86	#endif
		87
		88	switch (kex_type) {
		89	case KEX_DH_GEX_SHA1:
		90	evp_md = EVP_sha1();
		91	break;
		92	case KEX_DH_GEX_SHA256:
		93	evp_md = evp_ssh_sha256();
		94	break;
		95	default:
		96	fatal("kexgex_hash: unknown kex_type %d", kex_type);
		97	}
		98
82	EVP_DigestInit(&md, evp_md);	99	EVP_DigestInit(&md, evp_md);
83	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));	100	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
84	EVP_DigestFinal(&md, digest, NULL);	101	EVP_DigestFinal(&md, digest, NULL);
85		102
86	buffer_free(&b);	103	buffer_free(&b);
87		104	*hash = digest;
		105	*hashlen = EVP_MD_size(evp_md);
88	#ifdef DEBUG_KEXDH	106	#ifdef DEBUG_KEXDH
89	dump_digest("hash", digest, EVP_MD_size(evp_md));	107	dump_digest("hash", digest, *hashlen);
90	#endif	108	#endif
91	return digest;
92	}	109	}

Lines 42-48 kexgex_client(Kex *kex) Link Here

(-)kexgexc.c (-6 / +9 lines)
42	BIGNUM p = NULL, g = NULL;	42	BIGNUM p = NULL, g = NULL;
43	Key *server_host_key;	43	Key *server_host_key;
44	u_char kbuf, hash, signature = NULL, server_host_key_blob = NULL;	44	u_char kbuf, hash, signature = NULL, server_host_key_blob = NULL;
45	u_int klen, kout, slen, sbloblen;	45	u_int klen, kout, slen, sbloblen, hashlen;
46	int min, max, nbits;	46	int min, max, nbits;
47	DH *dh;	47	DH *dh;
48		48
Lines 155-161 kexgex_client(Kex *kex) Link Here
155	min = max = -1;	155	min = max = -1;
156		156
157	/* calc and verify H */	157	/* calc and verify H */
158	hash = kexgex_hash(	158	kexgex_hash(
		159	kex->kex_type,
159	kex->client_version_string,	160	kex->client_version_string,
160	kex->server_version_string,	161	kex->server_version_string,
161	buffer_ptr(&kex->my), buffer_len(&kex->my),	162	buffer_ptr(&kex->my), buffer_len(&kex->my),
Lines 165-189 kexgex_client(Kex *kex) Link Here
165	dh->p, dh->g,	166	dh->p, dh->g,
166	dh->pub_key,	167	dh->pub_key,
167	dh_server_pub,	168	dh_server_pub,
168	shared_secret	169	shared_secret,
		170	&hash, &hashlen
169	);	171	);
		172
170	/* have keys, free DH */	173	/* have keys, free DH */
171	DH_free(dh);	174	DH_free(dh);
172	xfree(server_host_key_blob);	175	xfree(server_host_key_blob);
173	BN_clear_free(dh_server_pub);	176	BN_clear_free(dh_server_pub);
174		177
175	if (key_verify(server_host_key, signature, slen, hash, 20) != 1)	178	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
176	fatal("key_verify failed for server_host_key");	179	fatal("key_verify failed for server_host_key");
177	key_free(server_host_key);	180	key_free(server_host_key);
178	xfree(signature);	181	xfree(signature);
179		182
180	/* save session id */	183	/* save session id */
181	if (kex->session_id == NULL) {	184	if (kex->session_id == NULL) {
182	kex->session_id_len = 20;	185	kex->session_id_len = hashlen;
183	kex->session_id = xmalloc(kex->session_id_len);	186	kex->session_id = xmalloc(kex->session_id_len);
184	memcpy(kex->session_id, hash, kex->session_id_len);	187	memcpy(kex->session_id, hash, kex->session_id_len);
185	}	188	}
186	kex_derive_keys(kex, hash, shared_secret);	189	kex_derive_keys(kex, hash, hashlen, shared_secret);
187	BN_clear_free(shared_secret);	190	BN_clear_free(shared_secret);
188		191
189	kex_finish(kex);	192	kex_finish(kex);

Lines 43-49 kexgex_server(Kex *kex) Link Here

(-)kexgexs.c (-8 / +8 lines)
43	Key *server_host_key;	43	Key *server_host_key;
44	DH *dh;	44	DH *dh;
45	u_char kbuf, hash, signature = NULL, server_host_key_blob = NULL;	45	u_char kbuf, hash, signature = NULL, server_host_key_blob = NULL;
46	u_int sbloblen, klen, kout, slen;	46	u_int sbloblen, klen, kout, slen, hashlen;
47	int min = -1, max = -1, nbits = -1, type;	47	int min = -1, max = -1, nbits = -1, type;
48		48
49	if (kex->load_host_key == NULL)	49	if (kex->load_host_key == NULL)
Lines 138-144 kexgex_server(Kex *kex) Link Here
138	min = max = -1;	138	min = max = -1;
139		139
140	/* calc H / / XXX depends on 'kex' */	140	/* calc H / / XXX depends on 'kex' */
141	hash = kexgex_hash(	141	kexgex_hash(
		142	kex->kex_type,
142	kex->client_version_string,	143	kex->client_version_string,
143	kex->server_version_string,	144	kex->server_version_string,
144	buffer_ptr(&kex->peer), buffer_len(&kex->peer),	145	buffer_ptr(&kex->peer), buffer_len(&kex->peer),
Lines 148-168 kexgex_server(Kex *kex) Link Here
148	dh->p, dh->g,	149	dh->p, dh->g,
149	dh_client_pub,	150	dh_client_pub,
150	dh->pub_key,	151	dh->pub_key,
151	shared_secret	152	shared_secret,
		153	&hash, &hashlen
152	);	154	);
153	BN_clear_free(dh_client_pub);	155	BN_clear_free(dh_client_pub);
154		156
155	/* save session id := H */	157	/* save session id := H */
156	/* XXX hashlen depends on KEX */
157	if (kex->session_id == NULL) {	158	if (kex->session_id == NULL) {
158	kex->session_id_len = 20;	159	kex->session_id_len = hashlen;
159	kex->session_id = xmalloc(kex->session_id_len);	160	kex->session_id = xmalloc(kex->session_id_len);
160	memcpy(kex->session_id, hash, kex->session_id_len);	161	memcpy(kex->session_id, hash, kex->session_id_len);
161	}	162	}
162		163
163	/* sign H */	164	/* sign H */
164	/* XXX hashlen depends on KEX */	165	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
165	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
166		166
167	/* destroy_sensitive_data(); */	167	/* destroy_sensitive_data(); */
168		168
Lines 179-185 kexgex_server(Kex *kex) Link Here
179	/* have keys, free DH */	179	/* have keys, free DH */
180	DH_free(dh);	180	DH_free(dh);
181		181
182	kex_derive_keys(kex, hash, shared_secret);	182	kex_derive_keys(kex, hash, hashlen, shared_secret);
183	BN_clear_free(shared_secret);	183	BN_clear_free(shared_secret);
184		184
185	kex_finish(kex);	185	kex_finish(kex);