mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
25b034ee39
The old 'Bignum' data type is gone completely, and so is sshbn.c. In its place is a new thing called 'mp_int', handled by an entirely new library module mpint.c, with API differences both large and small. The main aim of this change is that the new library should be free of timing- and cache-related side channels. I've written the code so that it _should_ - assuming I haven't made any mistakes - do all of its work without either control flow or memory addressing depending on the data words of the input numbers. (Though, being an _arbitrary_ precision library, it does have to at least depend on the sizes of the numbers - but there's a 'formal' size that can vary separately from the actual magnitude of the represented integer, so if you want to keep it secret that your number is actually small, it should work fine to have a very long mp_int and just happen to store 23 in it.) So I've done all my conditionalisation by means of computing both answers and doing bit-masking to swap the right one into place, and all loops over the words of an mp_int go up to the formal size rather than the actual size. I haven't actually tested the constant-time property in any rigorous way yet (I'm still considering the best way to do it). But this code is surely at the very least a big improvement on the old version, even if I later find a few more things to fix. I've also completely rewritten the low-level elliptic curve arithmetic from sshecc.c; the new ecc.c is closer to being an adjunct of mpint.c than it is to the SSH end of the code. The new elliptic curve code keeps all coordinates in Montgomery-multiplication transformed form to speed up all the multiplications mod the same prime, and only converts them back when you ask for the affine coordinates. Also, I adopted extended coordinates for the Edwards curve implementation. sshecc.c has also had a near-total rewrite in the course of switching it over to the new system. While I was there, I've separated ECDSA and EdDSA more completely - they now have separate vtables, instead of a single vtable in which nearly every function had a big if statement in it - and also made the externally exposed types for an ECDSA key and an ECDH context different. A minor new feature: since the new arithmetic code includes a modular square root function, we can now support the compressed point representation for the NIST curves. We seem to have been getting along fine without that so far, but it seemed a shame not to put it in, since it was suddenly easy. In sshrsa.c, one major change is that I've removed the RSA blinding step in rsa_privkey_op, in which we randomise the ciphertext before doing the decryption. The purpose of that was to avoid timing leaks giving away the plaintext - but the new arithmetic code should take that in its stride in the course of also being careful enough to avoid leaking the _private key_, which RSA blinding had no way to do anything about in any case. Apart from those specific points, most of the rest of the changes are more or less mechanical, just changing type names and translating code into the new API.
300 lines
11 KiB
C
300 lines
11 KiB
C
/*
|
|
* Server side of key exchange for the SSH-2 transport protocol (RFC 4253).
|
|
*/
|
|
|
|
#include <assert.h>
|
|
|
|
#include "putty.h"
|
|
#include "ssh.h"
|
|
#include "sshbpp.h"
|
|
#include "sshppl.h"
|
|
#include "sshcr.h"
|
|
#include "storage.h"
|
|
#include "ssh2transport.h"
|
|
#include "mpint.h"
|
|
|
|
void ssh2_transport_provide_hostkeys(PacketProtocolLayer *ppl,
|
|
ssh_key *const *hostkeys, int nhostkeys)
|
|
{
|
|
struct ssh2_transport_state *s =
|
|
container_of(ppl, struct ssh2_transport_state, ppl);
|
|
|
|
s->hostkeys = hostkeys;
|
|
s->nhostkeys = nhostkeys;
|
|
}
|
|
|
|
static strbuf *finalise_and_sign_exhash(struct ssh2_transport_state *s)
|
|
{
|
|
strbuf *sb;
|
|
ssh2transport_finalise_exhash(s);
|
|
sb = strbuf_new();
|
|
ssh_key_sign(s->hkey, s->exchange_hash, s->kex_alg->hash->hlen, 0,
|
|
BinarySink_UPCAST(sb));
|
|
return sb;
|
|
}
|
|
|
|
static void no_progress(void *param, int action, int phase, int iprogress)
|
|
{
|
|
}
|
|
|
|
void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
|
|
{
|
|
PacketProtocolLayer *ppl = &s->ppl; /* for ppl_logevent */
|
|
PktIn *pktin;
|
|
PktOut *pktout;
|
|
|
|
crBegin(s->crStateKex);
|
|
|
|
{
|
|
int i;
|
|
for (i = 0; i < s->nhostkeys; i++)
|
|
if (ssh_key_alg(s->hostkeys[i]) == s->hostkey_alg) {
|
|
s->hkey = s->hostkeys[i];
|
|
break;
|
|
}
|
|
assert(s->hkey);
|
|
}
|
|
|
|
s->hostkeyblob->len = 0;
|
|
ssh_key_public_blob(s->hkey, BinarySink_UPCAST(s->hostkeyblob));
|
|
s->hostkeydata = ptrlen_from_strbuf(s->hostkeyblob);
|
|
|
|
put_stringpl(s->exhash, s->hostkeydata);
|
|
|
|
if (s->kex_alg->main_type == KEXTYPE_DH) {
|
|
/*
|
|
* If we're doing Diffie-Hellman group exchange, start by
|
|
* waiting for the group request.
|
|
*/
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
ppl_logevent("Doing Diffie-Hellman group exchange");
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_DHGEX;
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
if (pktin->type != SSH2_MSG_KEX_DH_GEX_REQUEST &&
|
|
pktin->type != SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
"expecting Diffie-Hellman group exchange "
|
|
"request, type %d (%s)", pktin->type,
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
s->ppl.bpp->pls->actx,
|
|
pktin->type));
|
|
*aborted = true;
|
|
return;
|
|
}
|
|
|
|
if (pktin->type != SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) {
|
|
s->dh_got_size_bounds = true;
|
|
s->dh_min_size = get_uint32(pktin);
|
|
s->pbits = get_uint32(pktin);
|
|
s->dh_max_size = get_uint32(pktin);
|
|
} else {
|
|
s->dh_got_size_bounds = false;
|
|
s->pbits = get_uint32(pktin);
|
|
}
|
|
|
|
/*
|
|
* This is a hopeless strategy for making a secure DH
|
|
* group! It's good enough for testing a client against,
|
|
* but not for serious use.
|
|
*/
|
|
s->p = primegen(s->pbits, 2, 2, NULL, 1, no_progress, NULL, 1);
|
|
s->g = mp_from_integer(2);
|
|
s->dh_ctx = dh_setup_gex(s->p, s->g);
|
|
s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
|
|
s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEX_DH_GEX_GROUP);
|
|
put_mp_ssh2(pktout, s->p);
|
|
put_mp_ssh2(pktout, s->g);
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
} else {
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_DHGROUP;
|
|
s->dh_ctx = dh_setup_group(s->kex_alg);
|
|
s->kex_init_value = SSH2_MSG_KEXDH_INIT;
|
|
s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
|
|
ppl_logevent("Using Diffie-Hellman with standard group \"%s\"",
|
|
s->kex_alg->groupname);
|
|
}
|
|
|
|
ppl_logevent("Doing Diffie-Hellman key exchange with hash %s",
|
|
s->kex_alg->hash->text_name);
|
|
|
|
/*
|
|
* Generate e for Diffie-Hellman.
|
|
*/
|
|
s->e = dh_create_e(s->dh_ctx, s->nbits * 2);
|
|
|
|
/*
|
|
* Wait to receive f.
|
|
*/
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
if (pktin->type != s->kex_init_value) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
"expecting Diffie-Hellman initial packet, "
|
|
"type %d (%s)", pktin->type,
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
s->ppl.bpp->pls->actx,
|
|
pktin->type));
|
|
*aborted = true;
|
|
return;
|
|
}
|
|
s->f = get_mp_ssh2(pktin);
|
|
if (get_err(pktin)) {
|
|
ssh_proto_error(s->ppl.ssh,
|
|
"Unable to parse Diffie-Hellman initial packet");
|
|
*aborted = true;
|
|
return;
|
|
}
|
|
|
|
{
|
|
const char *err = dh_validate_f(s->dh_ctx, s->f);
|
|
if (err) {
|
|
ssh_proto_error(s->ppl.ssh, "Diffie-Hellman initial packet "
|
|
"failed validation: %s", err);
|
|
*aborted = true;
|
|
return;
|
|
}
|
|
}
|
|
s->K = dh_find_K(s->dh_ctx, s->f);
|
|
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
if (s->dh_got_size_bounds)
|
|
put_uint32(s->exhash, s->dh_min_size);
|
|
put_uint32(s->exhash, s->pbits);
|
|
if (s->dh_got_size_bounds)
|
|
put_uint32(s->exhash, s->dh_max_size);
|
|
put_mp_ssh2(s->exhash, s->p);
|
|
put_mp_ssh2(s->exhash, s->g);
|
|
}
|
|
put_mp_ssh2(s->exhash, s->f);
|
|
put_mp_ssh2(s->exhash, s->e);
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, s->kex_reply_value);
|
|
put_stringpl(pktout, s->hostkeydata);
|
|
put_mp_ssh2(pktout, s->e);
|
|
put_stringsb(pktout, finalise_and_sign_exhash(s));
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
dh_cleanup(s->dh_ctx);
|
|
s->dh_ctx = NULL;
|
|
mp_free(s->f); s->f = NULL;
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
mp_free(s->g); s->g = NULL;
|
|
mp_free(s->p); s->p = NULL;
|
|
}
|
|
} else if (s->kex_alg->main_type == KEXTYPE_ECDH) {
|
|
ppl_logevent("Doing ECDH key exchange with curve %s and hash %s",
|
|
ssh_ecdhkex_curve_textname(s->kex_alg),
|
|
s->kex_alg->hash->text_name);
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_ECDHKEX;
|
|
|
|
s->ecdh_key = ssh_ecdhkex_newkey(s->kex_alg);
|
|
if (!s->ecdh_key) {
|
|
ssh_sw_abort(s->ppl.ssh, "Unable to generate key for ECDH");
|
|
*aborted = true;
|
|
return;
|
|
}
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
if (pktin->type != SSH2_MSG_KEX_ECDH_INIT) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
"expecting ECDH initial packet, type %d (%s)",
|
|
pktin->type,
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
s->ppl.bpp->pls->actx,
|
|
pktin->type));
|
|
*aborted = true;
|
|
return;
|
|
}
|
|
|
|
{
|
|
ptrlen keydata = get_string(pktin);
|
|
put_stringpl(s->exhash, keydata);
|
|
|
|
s->K = ssh_ecdhkex_getkey(s->ecdh_key, keydata);
|
|
if (!get_err(pktin) && !s->K) {
|
|
ssh_proto_error(s->ppl.ssh, "Received invalid elliptic curve "
|
|
"point in ECDH initial packet");
|
|
*aborted = true;
|
|
return;
|
|
}
|
|
}
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEX_ECDH_REPLY);
|
|
put_stringpl(pktout, s->hostkeydata);
|
|
{
|
|
strbuf *pubpoint = strbuf_new();
|
|
ssh_ecdhkex_getpublic(s->ecdh_key, BinarySink_UPCAST(pubpoint));
|
|
put_string(s->exhash, pubpoint->u, pubpoint->len);
|
|
put_stringsb(pktout, pubpoint);
|
|
}
|
|
put_stringsb(pktout, finalise_and_sign_exhash(s));
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
ssh_ecdhkex_freekey(s->ecdh_key);
|
|
s->ecdh_key = NULL;
|
|
} else if (s->kex_alg->main_type == KEXTYPE_GSS) {
|
|
ssh_sw_abort(s->ppl.ssh, "GSS key exchange not supported in server");
|
|
} else {
|
|
assert(s->kex_alg->main_type == KEXTYPE_RSA);
|
|
ppl_logevent("Doing RSA key exchange with hash %s",
|
|
s->kex_alg->hash->text_name);
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_RSAKEX;
|
|
|
|
{
|
|
const struct ssh_rsa_kex_extra *extra =
|
|
(const struct ssh_rsa_kex_extra *)s->kex_alg->extra;
|
|
|
|
s->rsa_kex_key = snew(struct RSAKey);
|
|
rsa_generate(s->rsa_kex_key, extra->minklen, no_progress, NULL);
|
|
s->rsa_kex_key->comment = NULL;
|
|
}
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXRSA_PUBKEY);
|
|
put_stringpl(pktout, s->hostkeydata);
|
|
{
|
|
strbuf *pubblob = strbuf_new();
|
|
ssh_key_public_blob(&s->rsa_kex_key->sshk,
|
|
BinarySink_UPCAST(pubblob));
|
|
put_string(s->exhash, pubblob->u, pubblob->len);
|
|
put_stringsb(pktout, pubblob);
|
|
}
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
if (pktin->type != SSH2_MSG_KEXRSA_SECRET) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
"expecting RSA kex secret, type %d (%s)",
|
|
pktin->type,
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
s->ppl.bpp->pls->actx,
|
|
pktin->type));
|
|
*aborted = true;
|
|
return;
|
|
}
|
|
|
|
{
|
|
ptrlen encrypted_secret = get_string(pktin);
|
|
put_stringpl(s->exhash, encrypted_secret);
|
|
s->K = ssh_rsakex_decrypt(
|
|
s->kex_alg->hash, encrypted_secret, s->rsa_kex_key);
|
|
}
|
|
|
|
if (!s->K) {
|
|
ssh_proto_error(s->ppl.ssh, "Unable to decrypt RSA kex secret");
|
|
*aborted = true;
|
|
return;
|
|
}
|
|
|
|
ssh_rsakex_freekey(s->rsa_kex_key);
|
|
s->rsa_kex_key = NULL;
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXRSA_DONE);
|
|
put_stringsb(pktout, finalise_and_sign_exhash(s));
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
}
|
|
|
|
crFinishV;
|
|
}
|