  1. /* $OpenBSD: kexecdh.c,v 1.10 2019/01/21 10:40:11 djm Exp $ */
  2. /*
  3. * Copyright (c) 2010 Damien Miller. All rights reserved.
  4. * Copyright (c) 2019 Markus Friedl. All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without
  7. * modification, are permitted provided that the following conditions
  8. * are met:
  9. * 1. Redistributions of source code must retain the above copyright
  10. * notice, this list of conditions and the following disclaimer.
  11. * 2. Redistributions in binary form must reproduce the above copyright
  12. * notice, this list of conditions and the following disclaimer in the
  13. * documentation and/or other materials provided with the distribution.
  14. *
  15. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  16. * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  17. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  18. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  19. * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  20. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  21. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  22. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  23. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  24. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25. */
  26. #include "includes.h"
  27. #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
  28. #include <sys/types.h>
  29. #include <stdio.h>
  30. #include <string.h>
  31. #include <signal.h>
  32. #include <openssl/ecdh.h>
  33. #include "sshkey.h"
  34. #include "kex.h"
  35. #include "sshbuf.h"
  36. #include "digest.h"
  37. #include "ssherr.h"
/*
 * Forward declaration of the helper shared by kex_ecdh_enc() and
 * kex_ecdh_dec(); the definition appears later in this file.
 */
static int kex_ecdh_dec_key_group(struct kex *kex,
    const struct sshbuf *ec_blob, EC_KEY *key, const EC_GROUP *group,
    struct sshbuf **shared_secretp);
/*
 * Generate the client's ephemeral ECDH key pair on the curve selected by
 * kex->ec_nid and stash it in the kex state.
 *
 * On success kex->ec_client_key owns the new key, kex->ec_group points at
 * that key's group (borrowed via EC_KEY_get0_group(), so it is only valid
 * while the key is alive) and kex->client_pub holds the encoded public
 * point. Returns 0 on success or a negative SSH_ERR_* code; on failure the
 * kex fields are left untouched.
 */
int
kex_ecdh_keypair(struct kex *kex)
{
	struct sshbuf *pub_blob = NULL;
	EC_KEY *eckey = NULL;
	const EC_POINT *pub_point;
	const EC_GROUP *curve;
	int r;

	eckey = EC_KEY_new_by_curve_name(kex->ec_nid);
	if (eckey == NULL) {
		r = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	if (EC_KEY_generate_key(eckey) != 1) {
		debug("(EC_KEY_generate_key(client_key) != 1)");
		r = SSH_ERR_LIBCRYPTO_ERROR;
		goto out;
	}
	curve = EC_KEY_get0_group(eckey);
	pub_point = EC_KEY_get0_public_key(eckey);

	pub_blob = sshbuf_new();
	if (pub_blob == NULL) {
		r = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	r = sshbuf_put_ec(pub_blob, pub_point, curve);
	if (r != 0)
		goto out;
	/*
	 * Drop the leading 32-bit word again (presumably the length prefix
	 * written by sshbuf_put_ec) so only the raw point remains.
	 */
	r = sshbuf_get_u32(pub_blob, NULL);
	if (r != 0)
		goto out;
#ifdef DEBUG_KEXECDH
	/* Writes the private key to stderr: never enable in production. */
	fputs("client private key:\n", stderr);
	sshkey_dump_ec_key(eckey);
#endif
	/* Hand ownership of key and blob to the kex state. */
	kex->ec_client_key = eckey;
	kex->ec_group = curve;
	kex->client_pub = pub_blob;
	eckey = NULL;	/* owned by the kex */
	pub_blob = NULL;
 out:
	/* Both calls are no-ops once ownership has been transferred. */
	EC_KEY_free(eckey);
	sshbuf_free(pub_blob);
	return r;
}
/*
 * Server side of the ECDH exchange: create an ephemeral key pair on the
 * curve kex->ec_nid, encode its public point, and derive the shared secret
 * from the client's public key blob.
 *
 * client_blob is peer-supplied; it is parsed and validated inside
 * kex_ecdh_dec_key_group(). On success *server_blobp and *shared_secretp
 * receive newly allocated buffers that the caller must free. On failure
 * *server_blobp is NULL and a negative SSH_ERR_* code is returned. The
 * ephemeral server key is always freed before returning.
 */
int
kex_ecdh_enc(struct kex *kex, const struct sshbuf *client_blob,
    struct sshbuf **server_blobp, struct sshbuf **shared_secretp)
{
	struct sshbuf *out_blob = NULL;
	EC_KEY *eckey = NULL;
	const EC_POINT *pub_point;
	const EC_GROUP *curve;
	int r;

	/* Make the outputs well-defined on every error path. */
	*server_blobp = NULL;
	*shared_secretp = NULL;

	eckey = EC_KEY_new_by_curve_name(kex->ec_nid);
	if (eckey == NULL) {
		r = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	if (EC_KEY_generate_key(eckey) != 1) {
		debug("(EC_KEY_generate_key(server_key) != 1)");
		r = SSH_ERR_LIBCRYPTO_ERROR;
		goto out;
	}
	curve = EC_KEY_get0_group(eckey);
#ifdef DEBUG_KEXECDH
	/* Writes the private key to stderr: never enable in production. */
	fputs("server private key:\n", stderr);
	sshkey_dump_ec_key(eckey);
#endif
	pub_point = EC_KEY_get0_public_key(eckey);

	out_blob = sshbuf_new();
	if (out_blob == NULL) {
		r = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	r = sshbuf_put_ec(out_blob, pub_point, curve);
	if (r != 0)
		goto out;
	/*
	 * Drop the leading 32-bit word again (presumably the length prefix
	 * written by sshbuf_put_ec) so only the raw point remains.
	 */
	r = sshbuf_get_u32(out_blob, NULL);
	if (r != 0)
		goto out;

	/* Decode and validate the client's point, then derive the secret. */
	r = kex_ecdh_dec_key_group(kex, client_blob, eckey, curve,
	    shared_secretp);
	if (r != 0)
		goto out;

	*server_blobp = out_blob;
	out_blob = NULL;
 out:
	EC_KEY_free(eckey);
	sshbuf_free(out_blob);
	return r;
}
/*
 * Decode the peer's EC public key from ec_blob, validate it against group,
 * and compute the ECDH shared secret with the local private key.
 *
 * ec_blob comes from the remote side and must be treated as untrusted: the
 * decoded point is checked with sshkey_ec_validate_public() before it is
 * passed to ECDH_compute_key(). On success *shared_secretp receives a new
 * buffer holding the secret encoded via sshbuf_put_bignum2(); on failure it
 * is NULL and a negative SSH_ERR_* code is returned. The kex argument is
 * not used by this function.
 */
static int
kex_ecdh_dec_key_group(struct kex *kex, const struct sshbuf *ec_blob,
    EC_KEY *key, const EC_GROUP *group, struct sshbuf **shared_secretp)
{
	struct sshbuf *work = NULL;
	EC_POINT *peer_point = NULL;
	BIGNUM *secret_bn = NULL;
	u_char *kbuf = NULL;
	size_t klen = 0;
	int degree, r;

	*shared_secretp = NULL;

	work = sshbuf_new();
	if (work == NULL) {
		r = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	/* Re-wrap the blob as a string so sshbuf_get_ec() can parse it. */
	r = sshbuf_put_stringb(work, ec_blob);
	if (r != 0)
		goto out;
	peer_point = EC_POINT_new(group);
	if (peer_point == NULL) {
		r = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	r = sshbuf_get_ec(work, peer_point, group);
	if (r != 0)
		goto out;
	/* The same buffer is reused below for the encoded secret. */
	sshbuf_reset(work);

#ifdef DEBUG_KEXECDH
	fputs("public key:\n", stderr);
	sshkey_dump_ec_point(group, peer_point);
#endif
	/* Reject a peer point that fails validation before any ECDH math. */
	if (sshkey_ec_validate_public(group, peer_point) != 0) {
		r = SSH_ERR_MESSAGE_INCOMPLETE;
		goto out;
	}

	/* Size of the raw secret: field degree in bits, rounded up to bytes. */
	degree = EC_GROUP_get_degree(group);
	klen = (degree + 7) / 8;
	kbuf = malloc(klen);
	if (kbuf == NULL) {
		r = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	secret_bn = BN_new();
	if (secret_bn == NULL) {
		r = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	/* A short or failed computation is treated as a libcrypto error. */
	if (ECDH_compute_key(kbuf, klen, peer_point, key, NULL) != (int)klen ||
	    BN_bin2bn(kbuf, klen, secret_bn) == NULL) {
		debug("(ECDH_compute_key(kbuf, klen, dh_pub, key, NULL) != (int)klen || BN_bin2bn(kbuf, klen, shared_secret) == NULL)");
		r = SSH_ERR_LIBCRYPTO_ERROR;
		goto out;
	}
#ifdef DEBUG_KEXECDH
	/* Writes the shared secret to stderr: never enable in production. */
	dump_digest("shared secret", kbuf, klen);
#endif
	r = sshbuf_put_bignum2(work, secret_bn);
	if (r != 0)
		goto out;

	*shared_secretp = work;
	work = NULL;
 out:
	/*
	 * Secret-bearing temporaries are released with the clearing variants
	 * so the raw secret does not linger in freed memory.
	 */
	EC_POINT_clear_free(peer_point);
	BN_clear_free(secret_bn);
	freezero(kbuf, klen);
	sshbuf_free(work);
	return r;
}
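/*
 * Client side of the ECDH exchange: derive the shared secret from the
 * server's public key blob using the ephemeral key created by
 * kex_ecdh_keypair().
 *
 * server_blob is peer-supplied and is validated inside
 * kex_ecdh_dec_key_group(). On success *shared_secretp receives a new
 * buffer the caller must free; on failure it is NULL and a negative
 * SSH_ERR_* code is returned. The ephemeral client key is freed in either
 * case, so this can be called only once per generated key pair.
 */
int
kex_ecdh_dec(struct kex *kex, const struct sshbuf *server_blob,
    struct sshbuf **shared_secretp)
{
	int r;

	r = kex_ecdh_dec_key_group(kex, server_blob, kex->ec_client_key,
	    kex->ec_group, shared_secretp);

	/* The ephemeral private key is single-use; release it right away. */
	EC_KEY_free(kex->ec_client_key);
	kex->ec_client_key = NULL;
	/*
	 * kex->ec_group was taken from the key with EC_KEY_get0_group() in
	 * kex_ecdh_keypair(), i.e. it is borrowed from the key just freed.
	 * Clear it as well so no dangling pointer stays in the kex state.
	 */
	kex->ec_group = NULL;
	return r;
}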
  194. #else
  195. #include "ssherr.h"
  196. struct kex;
  197. struct sshbuf;
  198. struct sshkey;
/*
 * Stub used when the build lacks OpenSSL ECC support: ECDH key exchange
 * is unavailable, so key pair generation always fails.
 */
int
kex_ecdh_keypair(struct kex *kex)
{
	(void)kex;	/* unused in this configuration */

	return SSH_ERR_SIGN_ALG_UNSUPPORTED;
}
/*
 * Stub used when the build lacks OpenSSL ECC support: the server-side
 * ECDH step always fails. The output pointers are not written.
 */
int
kex_ecdh_enc(struct kex *kex, const struct sshbuf *client_blob,
    struct sshbuf **server_blobp, struct sshbuf **shared_secretp)
{
	/* All parameters are unused in this configuration. */
	(void)kex;
	(void)client_blob;
	(void)server_blobp;
	(void)shared_secretp;

	return SSH_ERR_SIGN_ALG_UNSUPPORTED;
}
/*
 * Stub used when the build lacks OpenSSL ECC support: the client-side
 * ECDH step always fails. The output pointer is not written.
 */
int
kex_ecdh_dec(struct kex *kex, const struct sshbuf *server_blob,
    struct sshbuf **shared_secretp)
{
	/* All parameters are unused in this configuration. */
	(void)kex;
	(void)server_blob;
	(void)shared_secretp;

	return SSH_ERR_SIGN_ALG_UNSUPPORTED;
}
  216. #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */