2006-04-23 18:26:03 +00:00
|
|
|
/*
|
|
|
|
|
* Diffie-Hellman implementation for PuTTY.
|
|
|
|
|
*/
|
|
|
|
|
|
2000-09-05 14:28:17 +00:00
|
|
|
#include "ssh.h"
|
|
|
|
|
|
|
|
|
|
/*
|
2004-12-22 10:53:58 +00:00
|
|
|
* The primes used in the group1 and group14 key exchange.
|
2000-09-05 14:28:17 +00:00
|
|
|
*/
|
2004-12-22 10:53:58 +00:00
|
|
|
static const unsigned char P1[] = {
|
2001-03-01 17:41:26 +00:00
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
|
|
|
|
|
0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
|
|
|
|
|
0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
|
|
|
|
|
0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
|
|
|
|
|
0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
|
|
|
|
|
0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
|
|
|
|
|
0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
|
|
|
|
|
0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
|
|
|
|
|
0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
|
|
|
|
|
0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
|
2000-09-05 14:28:17 +00:00
|
|
|
};
|
2004-12-22 10:53:58 +00:00
|
|
|
static const unsigned char P14[] = {
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
|
|
|
|
|
0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
|
|
|
|
|
0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
|
|
|
|
|
0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
|
|
|
|
|
0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
|
|
|
|
|
0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
|
|
|
|
|
0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
|
|
|
|
|
0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
|
|
|
|
|
0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
|
|
|
|
|
0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
|
|
|
|
|
0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
|
|
|
|
|
0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
|
|
|
|
|
0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
|
|
|
|
|
0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
|
|
|
|
|
0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
|
|
|
|
|
0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
|
|
|
|
|
0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
|
|
|
|
|
0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
|
|
|
|
|
0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
|
|
|
|
|
0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
|
|
|
|
|
0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
|
|
|
0xFF, 0xFF, 0xFF, 0xFF
|
|
|
|
|
};
|
2000-09-05 14:28:17 +00:00
|
|
|
|
|
|
|
|
/*
|
2004-12-22 10:53:58 +00:00
|
|
|
* The generator g = 2 (used for both group1 and group14).
|
2000-09-05 14:28:17 +00:00
|
|
|
*/
|
2002-10-25 13:08:01 +00:00
|
|
|
static const unsigned char G[] = { 2 };
|
2000-09-05 14:28:17 +00:00
|
|
|
|
2015-05-15 09:12:08 +00:00
|
|
|
struct dh_extra {
|
|
|
|
|
const unsigned char *pdata, *gdata; /* NULL means group exchange */
|
|
|
|
|
int plen, glen;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const struct dh_extra extra_group1 = {
|
|
|
|
|
P1, G, lenof(P1), lenof(G),
|
|
|
|
|
};
|
|
|
|
|
|
2005-09-03 13:41:43 +00:00
|
|
|
static const struct ssh_kex ssh_diffiehellman_group1_sha1 = {
|
2004-12-22 10:53:58 +00:00
|
|
|
"diffie-hellman-group1-sha1", "group1",
|
2015-05-15 09:12:08 +00:00
|
|
|
KEXTYPE_DH, &ssh_sha1, &extra_group1,
|
2004-12-22 10:53:58 +00:00
|
|
|
};
|
|
|
|
|
|
2005-09-03 13:41:43 +00:00
|
|
|
static const struct ssh_kex *const group1_list[] = {
|
|
|
|
|
&ssh_diffiehellman_group1_sha1
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const struct ssh_kexes ssh_diffiehellman_group1 = {
|
|
|
|
|
sizeof(group1_list) / sizeof(*group1_list),
|
|
|
|
|
group1_list
|
|
|
|
|
};
|
|
|
|
|
|
2015-05-15 09:12:08 +00:00
|
|
|
static const struct dh_extra extra_group14 = {
|
|
|
|
|
P14, G, lenof(P14), lenof(G),
|
|
|
|
|
};
|
|
|
|
|
|
2018-03-08 07:00:54 +00:00
|
|
|
static const struct ssh_kex ssh_diffiehellman_group14_sha256 = {
|
|
|
|
|
"diffie-hellman-group14-sha256", "group14",
|
|
|
|
|
KEXTYPE_DH, &ssh_sha256, &extra_group14,
|
|
|
|
|
};
|
|
|
|
|
|
2005-09-03 13:41:43 +00:00
|
|
|
static const struct ssh_kex ssh_diffiehellman_group14_sha1 = {
|
2004-12-22 10:53:58 +00:00
|
|
|
"diffie-hellman-group14-sha1", "group14",
|
2015-05-15 09:12:08 +00:00
|
|
|
KEXTYPE_DH, &ssh_sha1, &extra_group14,
|
2004-12-22 10:53:58 +00:00
|
|
|
};
|
|
|
|
|
|
2005-09-03 13:41:43 +00:00
|
|
|
static const struct ssh_kex *const group14_list[] = {
|
2018-03-08 07:00:54 +00:00
|
|
|
&ssh_diffiehellman_group14_sha256,
|
2005-09-03 13:41:43 +00:00
|
|
|
&ssh_diffiehellman_group14_sha1
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const struct ssh_kexes ssh_diffiehellman_group14 = {
|
|
|
|
|
sizeof(group14_list) / sizeof(*group14_list),
|
|
|
|
|
group14_list
|
|
|
|
|
};
|
|
|
|
|
|
2015-05-15 09:12:08 +00:00
|
|
|
static const struct dh_extra extra_gex = {
|
|
|
|
|
NULL, NULL, 0, 0,
|
|
|
|
|
};
|
|
|
|
|
|
2005-09-04 14:53:39 +00:00
|
|
|
static const struct ssh_kex ssh_diffiehellman_gex_sha256 = {
|
|
|
|
|
"diffie-hellman-group-exchange-sha256", NULL,
|
2015-05-15 09:12:08 +00:00
|
|
|
KEXTYPE_DH, &ssh_sha256, &extra_gex,
|
2005-09-04 14:53:39 +00:00
|
|
|
};
|
|
|
|
|
|
2005-09-03 13:41:43 +00:00
|
|
|
static const struct ssh_kex ssh_diffiehellman_gex_sha1 = {
|
2004-12-22 10:53:58 +00:00
|
|
|
"diffie-hellman-group-exchange-sha1", NULL,
|
2015-05-15 09:12:08 +00:00
|
|
|
KEXTYPE_DH, &ssh_sha1, &extra_gex,
|
2004-12-22 10:53:58 +00:00
|
|
|
};
|
|
|
|
|
|
2005-09-03 13:41:43 +00:00
|
|
|
static const struct ssh_kex *const gex_list[] = {
|
2005-09-04 14:53:39 +00:00
|
|
|
&ssh_diffiehellman_gex_sha256,
|
2005-09-03 13:41:43 +00:00
|
|
|
&ssh_diffiehellman_gex_sha1
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const struct ssh_kexes ssh_diffiehellman_gex = {
|
|
|
|
|
sizeof(gex_list) / sizeof(*gex_list),
|
|
|
|
|
gex_list
|
|
|
|
|
};
|
|
|
|
|
|
Support GSS key exchange, for Kerberos 5 only.
This is a heavily edited (by me) version of a patch originally due to
Nico Williams and Viktor Dukhovni. Their comments:
* Don't delegate credentials when rekeying unless there's a new TGT
or the old service ticket is nearly expired.
* Check for the above conditions more frequently (every two minutes
by default) and rekey when we would delegate credentials.
* Do not rekey with very short service ticket lifetimes; some GSSAPI
libraries may lose the race to use an almost expired ticket. Adjust
the timing of rekey checks to try to avoid this possibility.
My further comments:
The most interesting thing about this patch to me is that the use of
GSS key exchange causes a switch over to a completely different model
of what host keys are for. This comes from RFC 4462 section 2.1: the
basic idea is that when your session is mostly bidirectionally
authenticated by the GSSAPI exchanges happening in initial kex and
every rekey, host keys become more or less vestigial, and their
remaining purpose is to allow a rekey to happen if the requirements of
the SSH protocol demand it at an awkward moment when the GSS
credentials are not currently available (e.g. timed out and haven't
been renewed yet). As such, there's no need for host keys to be
_permanent_ or to be a reliable identifier of a particular host, and
RFC 4462 allows for the possibility that they might be purely
transient and only for this kind of emergency fallback purpose.
Therefore, once PuTTY has done a GSS key exchange, it disconnects
itself completely from the permanent host key cache functions in
storage.h, and instead switches to a _transient_ host key cache stored
in memory with the lifetime of just that SSH session. That cache is
populated with keys received from the server as a side effect of GSS
kex (via the optional SSH2_MSG_KEXGSS_HOSTKEY message), and used if
later in the session we have to fall back to a non-GSS key exchange.
However, in practice servers we've tested against do not send a host
key in that way, so we also have a fallback method of populating the
transient cache by triggering an immediate non-GSS rekey straight
after userauth (reusing the code path we also use to turn on OpenSSH
delayed encryption without the race condition).
2018-04-26 06:18:59 +00:00
|
|
|
/*
|
|
|
|
|
* Suffix on GSSAPI SSH protocol identifiers that indicates Kerberos 5
|
|
|
|
|
* as the mechanism.
|
|
|
|
|
*
|
|
|
|
|
* This suffix is the base64-encoded MD5 hash of the byte sequence
|
|
|
|
|
* 06 09 2A 86 48 86 F7 12 01 02 02, which in turn is the ASN.1 DER
|
|
|
|
|
* encoding of the object ID 1.2.840.113554.1.2.2 which designates
|
|
|
|
|
* Kerberos v5.
|
|
|
|
|
*
|
|
|
|
|
* (The same encoded OID, minus the two-byte DER header, is defined in
|
|
|
|
|
* pgssapi.c as GSS_MECH_KRB5.)
|
|
|
|
|
*/
|
|
|
|
|
#define GSS_KRB5_OID_HASH "toWM5Slw5Ew8Mqkay+al2g=="
|
|
|
|
|
|
|
|
|
|
static const struct ssh_kex ssh_gssk5_diffiehellman_gex_sha1 = {
|
|
|
|
|
"gss-gex-sha1-" GSS_KRB5_OID_HASH, NULL,
|
|
|
|
|
KEXTYPE_GSS, &ssh_sha1, &extra_gex,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const struct ssh_kex ssh_gssk5_diffiehellman_group14_sha1 = {
|
|
|
|
|
"gss-group14-sha1-" GSS_KRB5_OID_HASH, "group14",
|
|
|
|
|
KEXTYPE_GSS, &ssh_sha1, &extra_group14,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const struct ssh_kex ssh_gssk5_diffiehellman_group1_sha1 = {
|
|
|
|
|
"gss-group1-sha1-" GSS_KRB5_OID_HASH, "group1",
|
|
|
|
|
KEXTYPE_GSS, &ssh_sha1, &extra_group1,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const struct ssh_kex *const gssk5_sha1_kex_list[] = {
|
|
|
|
|
&ssh_gssk5_diffiehellman_gex_sha1,
|
|
|
|
|
&ssh_gssk5_diffiehellman_group14_sha1,
|
|
|
|
|
&ssh_gssk5_diffiehellman_group1_sha1
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const struct ssh_kexes ssh_gssk5_sha1_kex = {
|
|
|
|
|
sizeof(gssk5_sha1_kex_list) / sizeof(*gssk5_sha1_kex_list),
|
|
|
|
|
gssk5_sha1_kex_list
|
|
|
|
|
};
|
|
|
|
|
|
2000-09-05 14:28:17 +00:00
|
|
|
/*
|
2001-03-01 17:41:26 +00:00
|
|
|
* Variables.
|
2000-09-05 14:28:17 +00:00
|
|
|
*/
|
2002-10-25 13:08:01 +00:00
|
|
|
struct dh_ctx {
|
|
|
|
|
Bignum x, e, p, q, qmask, g;
|
|
|
|
|
};
|
2000-09-05 14:28:17 +00:00
|
|
|
|
|
|
|
|
/*
|
2001-03-01 17:41:26 +00:00
|
|
|
* Common DH initialisation.
|
2000-09-05 14:28:17 +00:00
|
|
|
*/
|
2002-10-25 13:08:01 +00:00
|
|
|
static void dh_init(struct dh_ctx *ctx)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2002-10-25 13:08:01 +00:00
|
|
|
ctx->q = bignum_rshift(ctx->p, 1);
|
|
|
|
|
ctx->qmask = bignum_bitmask(ctx->q);
|
|
|
|
|
ctx->x = ctx->e = NULL;
|
2001-03-01 17:41:26 +00:00
|
|
|
}
|
2000-09-05 14:28:17 +00:00
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool dh_is_gex(const struct ssh_kex *kex)
|
2015-05-15 09:12:08 +00:00
|
|
|
{
|
|
|
|
|
const struct dh_extra *extra = (const struct dh_extra *)kex->extra;
|
|
|
|
|
return extra->pdata == NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2000-09-05 14:28:17 +00:00
|
|
|
/*
|
2004-12-22 10:53:58 +00:00
|
|
|
* Initialise DH for a standard group.
|
2000-09-05 14:28:17 +00:00
|
|
|
*/
|
2018-09-14 07:48:54 +00:00
|
|
|
struct dh_ctx *dh_setup_group(const struct ssh_kex *kex)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2015-05-15 09:12:08 +00:00
|
|
|
const struct dh_extra *extra = (const struct dh_extra *)kex->extra;
|
2003-03-29 16:14:26 +00:00
|
|
|
struct dh_ctx *ctx = snew(struct dh_ctx);
|
2015-05-15 09:12:08 +00:00
|
|
|
ctx->p = bignum_from_bytes(extra->pdata, extra->plen);
|
|
|
|
|
ctx->g = bignum_from_bytes(extra->gdata, extra->glen);
|
2002-10-25 13:08:01 +00:00
|
|
|
dh_init(ctx);
|
|
|
|
|
return ctx;
|
2001-03-01 17:41:26 +00:00
|
|
|
}
|
|
|
|
|
|
2001-03-01 17:55:40 +00:00
|
|
|
/*
|
2004-12-22 10:53:58 +00:00
|
|
|
* Initialise DH for a server-supplied group.
|
2001-03-01 17:55:40 +00:00
|
|
|
*/
|
2018-09-14 07:48:54 +00:00
|
|
|
struct dh_ctx *dh_setup_gex(Bignum pval, Bignum gval)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2003-03-29 16:14:26 +00:00
|
|
|
struct dh_ctx *ctx = snew(struct dh_ctx);
|
2002-10-25 13:08:01 +00:00
|
|
|
ctx->p = copybn(pval);
|
|
|
|
|
ctx->g = copybn(gval);
|
|
|
|
|
dh_init(ctx);
|
|
|
|
|
return ctx;
|
2001-03-01 17:55:40 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-18 13:39:46 +00:00
|
|
|
/*
|
|
|
|
|
* Return size of DH modulus p.
|
|
|
|
|
*/
|
|
|
|
|
int dh_modulus_bit_size(const struct dh_ctx *ctx)
|
|
|
|
|
{
|
|
|
|
|
return bignum_bitcount(ctx->p);
|
|
|
|
|
}
|
|
|
|
|
|
2001-03-01 17:41:26 +00:00
|
|
|
/*
|
2002-10-25 13:08:01 +00:00
|
|
|
* Clean up and free a context.
|
2001-03-01 17:41:26 +00:00
|
|
|
*/
|
2018-09-14 07:48:54 +00:00
|
|
|
void dh_cleanup(struct dh_ctx *ctx)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2002-10-25 13:08:01 +00:00
|
|
|
freebn(ctx->x);
|
|
|
|
|
freebn(ctx->e);
|
|
|
|
|
freebn(ctx->p);
|
|
|
|
|
freebn(ctx->g);
|
|
|
|
|
freebn(ctx->q);
|
|
|
|
|
freebn(ctx->qmask);
|
|
|
|
|
sfree(ctx);
|
2001-03-01 17:41:26 +00:00
|
|
|
}
|
2000-09-05 14:28:17 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* DH stage 1: invent a number x between 1 and q, and compute e =
|
|
|
|
|
* g^x mod p. Return e.
|
2001-03-10 11:04:07 +00:00
|
|
|
*
|
|
|
|
|
* If `nbits' is greater than zero, it is used as an upper limit
|
|
|
|
|
* for the number of bits in x. This is safe provided that (a) you
|
|
|
|
|
* use twice as many bits in x as the number of bits you expect to
|
|
|
|
|
* use in your session key, and (b) the DH group is a safe prime
|
|
|
|
|
* (which SSH demands that it must be).
|
|
|
|
|
*
|
|
|
|
|
* P. C. van Oorschot, M. J. Wiener
|
|
|
|
|
* "On Diffie-Hellman Key Agreement with Short Exponents".
|
|
|
|
|
* Advances in Cryptology: Proceedings of Eurocrypt '96
|
|
|
|
|
* Springer-Verlag, May 1996.
|
2000-09-05 14:28:17 +00:00
|
|
|
*/
|
2018-09-14 07:48:54 +00:00
|
|
|
Bignum dh_create_e(struct dh_ctx *ctx, int nbits)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2000-09-05 14:28:17 +00:00
|
|
|
int i;
|
|
|
|
|
|
2001-03-01 17:41:26 +00:00
|
|
|
int nbytes;
|
|
|
|
|
unsigned char *buf;
|
|
|
|
|
|
2018-05-29 19:36:21 +00:00
|
|
|
nbytes = (bignum_bitcount(ctx->qmask) + 7) / 8;
|
2003-03-29 16:14:26 +00:00
|
|
|
buf = snewn(nbytes, unsigned char);
|
2000-09-05 14:28:17 +00:00
|
|
|
|
2000-10-25 06:57:36 +00:00
|
|
|
do {
|
|
|
|
|
/*
|
|
|
|
|
* Create a potential x, by ANDing a string of random bytes
|
2001-03-01 17:41:26 +00:00
|
|
|
* with qmask.
|
2000-10-25 06:57:36 +00:00
|
|
|
*/
|
2002-10-25 13:08:01 +00:00
|
|
|
if (ctx->x)
|
|
|
|
|
freebn(ctx->x);
|
|
|
|
|
if (nbits == 0 || nbits > bignum_bitcount(ctx->qmask)) {
|
2018-05-29 19:36:21 +00:00
|
|
|
for (i = 0; i < nbytes; i++)
|
|
|
|
|
buf[i] = bignum_byte(ctx->qmask, i) & random_byte();
|
|
|
|
|
ctx->x = bignum_from_bytes(buf, nbytes);
|
2001-03-10 11:04:07 +00:00
|
|
|
} else {
|
|
|
|
|
int b, nb;
|
2002-10-25 13:08:01 +00:00
|
|
|
ctx->x = bn_power_2(nbits);
|
2001-05-13 14:02:28 +00:00
|
|
|
b = nb = 0;
|
2001-03-10 11:04:07 +00:00
|
|
|
for (i = 0; i < nbits; i++) {
|
|
|
|
|
if (nb == 0) {
|
|
|
|
|
nb = 8;
|
|
|
|
|
b = random_byte();
|
|
|
|
|
}
|
2002-10-25 13:08:01 +00:00
|
|
|
bignum_set_bit(ctx->x, i, b & 1);
|
2001-03-10 11:04:07 +00:00
|
|
|
b >>= 1;
|
|
|
|
|
nb--;
|
|
|
|
|
}
|
|
|
|
|
}
|
2002-10-25 13:08:01 +00:00
|
|
|
} while (bignum_cmp(ctx->x, One) <= 0 || bignum_cmp(ctx->x, ctx->q) >= 0);
|
2000-09-05 14:28:17 +00:00
|
|
|
|
2003-06-14 18:27:10 +00:00
|
|
|
sfree(buf);
|
|
|
|
|
|
2000-09-05 14:28:17 +00:00
|
|
|
/*
|
|
|
|
|
* Done. Now compute e = g^x mod p.
|
|
|
|
|
*/
|
2002-10-25 13:08:01 +00:00
|
|
|
ctx->e = modpow(ctx->g, ctx->x, ctx->p);
|
2000-09-05 14:28:17 +00:00
|
|
|
|
2002-10-25 13:08:01 +00:00
|
|
|
return ctx->e;
|
2000-09-05 14:28:17 +00:00
|
|
|
}
|
|
|
|
|
|
2015-02-05 19:39:17 +00:00
|
|
|
/*
|
|
|
|
|
* DH stage 2-epsilon: given a number f, validate it to ensure it's in
|
|
|
|
|
* range. (RFC 4253 section 8: "Values of 'e' or 'f' that are not in
|
|
|
|
|
* the range [1, p-1] MUST NOT be sent or accepted by either side."
|
|
|
|
|
* Also, we rule out 1 and p-1 too, since that's easy to do and since
|
|
|
|
|
* they lead to obviously weak keys that even a passive eavesdropper
|
|
|
|
|
* can figure out.)
|
|
|
|
|
*/
|
2018-09-14 07:48:54 +00:00
|
|
|
const char *dh_validate_f(struct dh_ctx *ctx, Bignum f)
|
2015-02-05 19:39:17 +00:00
|
|
|
{
|
|
|
|
|
if (bignum_cmp(f, One) <= 0) {
|
|
|
|
|
return "f value received is too small";
|
|
|
|
|
} else {
|
|
|
|
|
Bignum pm1 = bigsub(ctx->p, One);
|
|
|
|
|
int cmp = bignum_cmp(f, pm1);
|
|
|
|
|
freebn(pm1);
|
|
|
|
|
if (cmp >= 0)
|
|
|
|
|
return "f value received is too large";
|
|
|
|
|
}
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2000-09-05 14:28:17 +00:00
|
|
|
/*
|
|
|
|
|
* DH stage 2: given a number f, compute K = f^x mod p.
|
|
|
|
|
*/
|
2018-09-14 07:48:54 +00:00
|
|
|
Bignum dh_find_K(struct dh_ctx *ctx, Bignum f)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2001-03-10 11:04:07 +00:00
|
|
|
Bignum ret;
|
2002-10-25 13:08:01 +00:00
|
|
|
ret = modpow(f, ctx->x, ctx->p);
|
2001-03-10 11:04:07 +00:00
|
|
|
return ret;
|
2000-09-05 14:28:17 +00:00
|
|
|
}
|