1 /* $NetBSD: kexgexc.c,v 1.19 2026/04/08 18:58:40 christos Exp $ */ 2 /* $OpenBSD: kexgexc.c,v 1.42 2026/03/03 09:57:25 dtucker Exp $ */ 3 4 /* 5 * Copyright (c) 2000 Niels Provos. All rights reserved. 6 * Copyright (c) 2001 Markus Friedl. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 #include "includes.h" 30 __RCSID("$NetBSD: kexgexc.c,v 1.19 2026/04/08 18:58:40 christos Exp $"); 31 32 #include <sys/param.h> 33 #include <sys/types.h> 34 35 #include <openssl/bn.h> 36 #include <openssl/dh.h> 37 38 #include <stdarg.h> 39 #include <stdio.h> 40 #include <string.h> 41 #include <signal.h> 42 43 #include "sshkey.h" 44 #include "digest.h" 45 #include "kex.h" 46 #include "log.h" 47 #include "packet.h" 48 #include "dh.h" 49 #include "ssh2.h" 50 #include "compat.h" 51 #include "dispatch.h" 52 #include "ssherr.h" 53 #include "sshbuf.h" 54 #include "misc.h" 55 56 static int input_kex_dh_gex_group(int, uint32_t, struct ssh *); 57 static int input_kex_dh_gex_reply(int, uint32_t, struct ssh *); 58 59 int 60 kexgex_client(struct ssh *ssh) 61 { 62 struct kex *kex = ssh->kex; 63 int r; 64 u_int nbits; 65 66 nbits = dh_estimate(kex->dh_need * 8); 67 68 kex->min = DH_GRP_MIN; 69 kex->max = DH_GRP_MAX; 70 kex->nbits = nbits; 71 if (ssh->compat & SSH_BUG_DHGEX_LARGE) 72 kex->nbits = MINIMUM(kex->nbits, 4096); 73 /* New GEX request */ 74 if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 || 75 (r = sshpkt_put_u32(ssh, kex->min)) != 0 || 76 (r = sshpkt_put_u32(ssh, kex->nbits)) != 0 || 77 (r = sshpkt_put_u32(ssh, kex->max)) != 0 || 78 (r = sshpkt_send(ssh)) != 0) 79 goto out; 80 debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent", 81 kex->min, kex->nbits, kex->max); 82 #ifdef DEBUG_KEXDH 83 fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n", 84 kex->min, kex->nbits, kex->max); 85 #endif 86 debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP"); 87 ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_GROUP, 88 &input_kex_dh_gex_group); 89 r = 0; 90 out: 91 return r; 92 } 93 94 static int 95 input_kex_dh_gex_group(int type, uint32_t seq, struct ssh *ssh) 96 { 97 struct kex *kex = ssh->kex; 98 BIGNUM *p = NULL, *g = NULL; 99 const BIGNUM *pub_key; 100 int r, bits; 101 102 debug("SSH2_MSG_KEX_DH_GEX_GROUP received"); 103 ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_GROUP, &kex_protocol_error); 104 105 if ((r = sshpkt_get_bignum2(ssh, &p)) != 0 || 106 (r = sshpkt_get_bignum2(ssh, &g)) != 0 || 107 (r = sshpkt_get_end(ssh)) != 0) 108 goto out; 109 if ((bits = BN_num_bits(p)) < 0 || 110 (u_int)bits < kex->min || (u_int)bits > kex->max) { 111 r = SSH_ERR_DH_GEX_OUT_OF_RANGE; 112 goto out; 113 } 114 if ((kex->dh = dh_new_group(g, p)) == NULL) { 115 r = SSH_ERR_ALLOC_FAIL; 116 goto out; 117 } 118 p = g = NULL; /* belong to kex->dh now */ 119 120 /* generate and send 'e', client DH public key */ 121 if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0) 122 goto out; 123 DH_get0_key(kex->dh, &pub_key, NULL); 124 if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_INIT)) != 0 || 125 (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 || 126 (r = sshpkt_send(ssh)) != 0) 127 goto out; 128 debug("SSH2_MSG_KEX_DH_GEX_INIT sent"); 129 #ifdef DEBUG_KEXDH 130 DHparams_print_fp(stderr, kex->dh); 131 fprintf(stderr, "pub= "); 132 BN_print_fp(stderr, pub_key); 133 fprintf(stderr, "\n"); 134 #endif 135 debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY"); 136 ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &input_kex_dh_gex_reply); 137 r = 0; 138 out: 139 BN_clear_free(p); 140 BN_clear_free(g); 141 return r; 142 } 143 144 static int 145 input_kex_dh_gex_reply(int type, uint32_t seq, struct ssh *ssh) 146 { 147 struct kex *kex = ssh->kex; 148 BIGNUM *dh_server_pub = NULL; 149 const BIGNUM *pub_key, *dh_p, *dh_g; 150 struct sshbuf *shared_secret = NULL; 151 struct sshbuf *tmp = NULL, *server_host_key_blob = NULL; 152 struct sshkey *server_host_key = NULL; 153 u_char *signature = NULL; 154 u_char hash[SSH_DIGEST_MAX_LENGTH]; 155 size_t slen, hashlen; 156 int r; 157 158 debug("SSH2_MSG_KEX_DH_GEX_REPLY received"); 159 ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &kex_protocol_error); 160 161 /* key, cert */ 162 if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0) 163 goto out; 164 /* sshkey_fromb() consumes its buffer, so make a copy */ 165 if ((tmp = sshbuf_fromb(server_host_key_blob)) == NULL) { 166 r = SSH_ERR_ALLOC_FAIL; 167 goto out; 168 } 169 if ((r = sshkey_fromb(tmp, &server_host_key)) != 0 || 170 (r = kex_verify_host_key(ssh, server_host_key)) != 0) 171 goto out; 172 /* DH parameter f, server public DH key, signed H */ 173 if ((r = sshpkt_get_bignum2(ssh, &dh_server_pub)) != 0 || 174 (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 || 175 (r = sshpkt_get_end(ssh)) != 0) 176 goto out; 177 if ((shared_secret = sshbuf_new()) == NULL) { 178 r = SSH_ERR_ALLOC_FAIL; 179 goto out; 180 } 181 if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0) 182 goto out; 183 if (ssh->compat & SSH_OLD_DHGEX) 184 kex->min = kex->max = -1; 185 186 /* calc and verify H */ 187 DH_get0_key(kex->dh, &pub_key, NULL); 188 DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g); 189 hashlen = sizeof(hash); 190 if ((r = kexgex_hash( 191 kex->hash_alg, 192 kex->client_version, 193 kex->server_version, 194 kex->my, 195 kex->peer, 196 server_host_key_blob, 197 kex->min, kex->nbits, kex->max, 198 dh_p, dh_g, 199 pub_key, 200 dh_server_pub, 201 sshbuf_ptr(shared_secret), sshbuf_len(shared_secret), 202 hash, &hashlen)) != 0) 203 goto out; 204 205 if ((r = sshkey_verify(server_host_key, signature, slen, hash, 206 hashlen, kex->hostkey_alg, ssh->compat, NULL)) != 0) 207 goto out; 208 209 if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) != 0 || 210 (r = kex_send_newkeys(ssh)) != 0) 211 goto out; 212 213 /* save initial signature and hostkey */ 214 if ((kex->flags & KEX_INITIAL) != 0) { 215 if (kex->initial_hostkey != NULL || kex->initial_sig != NULL) { 216 r = SSH_ERR_INTERNAL_ERROR; 217 goto out; 218 } 219 if ((kex->initial_sig = sshbuf_new()) == NULL) { 220 r = SSH_ERR_ALLOC_FAIL; 221 goto out; 222 } 223 if ((r = sshbuf_put(kex->initial_sig, signature, slen)) != 0) 224 goto out; 225 kex->initial_hostkey = server_host_key; 226 server_host_key = NULL; 227 } 228 /* success */ 229 out: 230 explicit_bzero(hash, sizeof(hash)); 231 DH_free(kex->dh); 232 kex->dh = NULL; 233 BN_clear_free(dh_server_pub); 234 sshbuf_free(shared_secret); 235 sshkey_free(server_host_key); 236 sshbuf_free(tmp); 237 sshbuf_free(server_host_key_blob); 238 free(signature); 239 return r; 240 } 241
Indexes created Tue Jun 23 00:25:03 UTC 2026