mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
e08641c912
In the past, I've had a lot of macros which you call with double
parentheses, along the lines of debug(("format string", params)), so
that the inner parens protect the commas and permit the macro to treat
the whole printf-style argument list as one macro argument.
That's all very well, but it's a bit inconvenient (it doesn't leave
you any way to implement such a macro by prepending another argument
to the list), and now this code base's rules allow C99isms, I can
switch all those macros to using a single pair of parens, using the
C99 ability to say '...' in the parameter list of the #define and get
at the corresponding suffix of the arguments as __VA_ARGS__.
So I'm doing it. I've made the following printf-style macros variadic:
bpp_logevent, ppl_logevent, ppl_printf and debug.
While I'm here, I've also fixed up a collection of conditioned-out
calls to debug() in the Windows front end which were clearly expecting
a macro with a different calling syntax, because they had an integer
parameter first. If I ever have a need to condition those back in,
they should actually work now.
290 lines
10 KiB
C
290 lines
10 KiB
C
/*
|
|
* Server side of key exchange for the SSH-2 transport protocol (RFC 4253).
|
|
*/
|
|
|
|
#include <assert.h>
|
|
|
|
#include "putty.h"
|
|
#include "ssh.h"
|
|
#include "sshbpp.h"
|
|
#include "sshppl.h"
|
|
#include "sshcr.h"
|
|
#include "storage.h"
|
|
#include "ssh2transport.h"
|
|
|
|
void ssh2_transport_provide_hostkeys(PacketProtocolLayer *ppl,
|
|
ssh_key *const *hostkeys, int nhostkeys)
|
|
{
|
|
struct ssh2_transport_state *s =
|
|
container_of(ppl, struct ssh2_transport_state, ppl);
|
|
|
|
s->hostkeys = hostkeys;
|
|
s->nhostkeys = nhostkeys;
|
|
}
|
|
|
|
static strbuf *finalise_and_sign_exhash(struct ssh2_transport_state *s)
|
|
{
|
|
strbuf *sb;
|
|
ssh2transport_finalise_exhash(s);
|
|
sb = strbuf_new();
|
|
ssh_key_sign(s->hkey, s->exchange_hash, s->kex_alg->hash->hlen, 0,
|
|
BinarySink_UPCAST(sb));
|
|
return sb;
|
|
}
|
|
|
|
static void no_progress(void *param, int action, int phase, int iprogress)
|
|
{
|
|
}
|
|
|
|
void ssh2kex_coroutine(struct ssh2_transport_state *s)
|
|
{
|
|
PacketProtocolLayer *ppl = &s->ppl; /* for ppl_logevent */
|
|
PktIn *pktin;
|
|
PktOut *pktout;
|
|
|
|
crBegin(s->crStateKex);
|
|
|
|
{
|
|
int i;
|
|
for (i = 0; i < s->nhostkeys; i++)
|
|
if (ssh_key_alg(s->hostkeys[i]) == s->hostkey_alg) {
|
|
s->hkey = s->hostkeys[i];
|
|
break;
|
|
}
|
|
assert(s->hkey);
|
|
}
|
|
|
|
s->hostkeyblob->len = 0;
|
|
ssh_key_public_blob(s->hkey, BinarySink_UPCAST(s->hostkeyblob));
|
|
s->hostkeydata = ptrlen_from_strbuf(s->hostkeyblob);
|
|
|
|
put_stringpl(s->exhash, s->hostkeydata);
|
|
|
|
if (s->kex_alg->main_type == KEXTYPE_DH) {
|
|
/*
|
|
* If we're doing Diffie-Hellman group exchange, start by
|
|
* waiting for the group request.
|
|
*/
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
ppl_logevent("Doing Diffie-Hellman group exchange");
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_DHGEX;
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
if (pktin->type != SSH2_MSG_KEX_DH_GEX_REQUEST &&
|
|
pktin->type != SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
"expecting Diffie-Hellman group exchange "
|
|
"request, type %d (%s)", pktin->type,
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
s->ppl.bpp->pls->actx,
|
|
pktin->type));
|
|
return;
|
|
}
|
|
|
|
if (pktin->type != SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) {
|
|
s->dh_got_size_bounds = true;
|
|
s->dh_min_size = get_uint32(pktin);
|
|
s->pbits = get_uint32(pktin);
|
|
s->dh_max_size = get_uint32(pktin);
|
|
} else {
|
|
s->dh_got_size_bounds = false;
|
|
s->pbits = get_uint32(pktin);
|
|
}
|
|
|
|
/*
|
|
* This is a hopeless strategy for making a secure DH
|
|
* group! It's good enough for testing a client against,
|
|
* but not for serious use.
|
|
*/
|
|
s->p = primegen(s->pbits, 2, 2, NULL, 1, no_progress, NULL, 1);
|
|
s->g = bignum_from_long(2);
|
|
s->dh_ctx = dh_setup_gex(s->p, s->g);
|
|
s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
|
|
s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEX_DH_GEX_GROUP);
|
|
put_mp_ssh2(pktout, s->p);
|
|
put_mp_ssh2(pktout, s->g);
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
} else {
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_DHGROUP;
|
|
s->dh_ctx = dh_setup_group(s->kex_alg);
|
|
s->kex_init_value = SSH2_MSG_KEXDH_INIT;
|
|
s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
|
|
ppl_logevent("Using Diffie-Hellman with standard group \"%s\"",
|
|
s->kex_alg->groupname);
|
|
}
|
|
|
|
ppl_logevent("Doing Diffie-Hellman key exchange with hash %s",
|
|
s->kex_alg->hash->text_name);
|
|
|
|
/*
|
|
* Generate e for Diffie-Hellman.
|
|
*/
|
|
s->e = dh_create_e(s->dh_ctx, s->nbits * 2);
|
|
|
|
/*
|
|
* Wait to receive f.
|
|
*/
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
if (pktin->type != s->kex_init_value) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
"expecting Diffie-Hellman initial packet, "
|
|
"type %d (%s)", pktin->type,
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
s->ppl.bpp->pls->actx,
|
|
pktin->type));
|
|
return;
|
|
}
|
|
s->f = get_mp_ssh2(pktin);
|
|
if (get_err(pktin)) {
|
|
ssh_proto_error(s->ppl.ssh,
|
|
"Unable to parse Diffie-Hellman initial packet");
|
|
return;
|
|
}
|
|
|
|
{
|
|
const char *err = dh_validate_f(s->dh_ctx, s->f);
|
|
if (err) {
|
|
ssh_proto_error(s->ppl.ssh, "Diffie-Hellman initial packet "
|
|
"failed validation: %s", err);
|
|
return;
|
|
}
|
|
}
|
|
s->K = dh_find_K(s->dh_ctx, s->f);
|
|
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
if (s->dh_got_size_bounds)
|
|
put_uint32(s->exhash, s->dh_min_size);
|
|
put_uint32(s->exhash, s->pbits);
|
|
if (s->dh_got_size_bounds)
|
|
put_uint32(s->exhash, s->dh_max_size);
|
|
put_mp_ssh2(s->exhash, s->p);
|
|
put_mp_ssh2(s->exhash, s->g);
|
|
}
|
|
put_mp_ssh2(s->exhash, s->f);
|
|
put_mp_ssh2(s->exhash, s->e);
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, s->kex_reply_value);
|
|
put_stringpl(pktout, s->hostkeydata);
|
|
put_mp_ssh2(pktout, s->e);
|
|
put_stringsb(pktout, finalise_and_sign_exhash(s));
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
dh_cleanup(s->dh_ctx);
|
|
s->dh_ctx = NULL;
|
|
freebn(s->f); s->f = NULL;
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
freebn(s->g); s->g = NULL;
|
|
freebn(s->p); s->p = NULL;
|
|
}
|
|
} else if (s->kex_alg->main_type == KEXTYPE_ECDH) {
|
|
ppl_logevent("Doing ECDH key exchange with curve %s and hash %s",
|
|
ssh_ecdhkex_curve_textname(s->kex_alg),
|
|
s->kex_alg->hash->text_name);
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_ECDHKEX;
|
|
|
|
s->ecdh_key = ssh_ecdhkex_newkey(s->kex_alg);
|
|
if (!s->ecdh_key) {
|
|
ssh_sw_abort(s->ppl.ssh, "Unable to generate key for ECDH");
|
|
return;
|
|
}
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
if (pktin->type != SSH2_MSG_KEX_ECDH_INIT) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
"expecting ECDH initial packet, type %d (%s)",
|
|
pktin->type,
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
s->ppl.bpp->pls->actx,
|
|
pktin->type));
|
|
return;
|
|
}
|
|
|
|
{
|
|
ptrlen keydata = get_string(pktin);
|
|
put_stringpl(s->exhash, keydata);
|
|
|
|
s->K = ssh_ecdhkex_getkey(s->ecdh_key, keydata.ptr, keydata.len);
|
|
if (!get_err(pktin) && !s->K) {
|
|
ssh_proto_error(s->ppl.ssh, "Received invalid elliptic curve "
|
|
"point in ECDH initial packet");
|
|
return;
|
|
}
|
|
}
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEX_ECDH_REPLY);
|
|
put_stringpl(pktout, s->hostkeydata);
|
|
{
|
|
strbuf *pubpoint = strbuf_new();
|
|
ssh_ecdhkex_getpublic(s->ecdh_key, BinarySink_UPCAST(pubpoint));
|
|
put_string(s->exhash, pubpoint->u, pubpoint->len);
|
|
put_stringsb(pktout, pubpoint);
|
|
}
|
|
put_stringsb(pktout, finalise_and_sign_exhash(s));
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
ssh_ecdhkex_freekey(s->ecdh_key);
|
|
s->ecdh_key = NULL;
|
|
} else if (s->kex_alg->main_type == KEXTYPE_GSS) {
|
|
ssh_sw_abort(s->ppl.ssh, "GSS key exchange not supported in server");
|
|
} else {
|
|
assert(s->kex_alg->main_type == KEXTYPE_RSA);
|
|
ppl_logevent("Doing RSA key exchange with hash %s",
|
|
s->kex_alg->hash->text_name);
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_RSAKEX;
|
|
|
|
{
|
|
const struct ssh_rsa_kex_extra *extra =
|
|
(const struct ssh_rsa_kex_extra *)s->kex_alg->extra;
|
|
|
|
s->rsa_kex_key = snew(struct RSAKey);
|
|
rsa_generate(s->rsa_kex_key, extra->minklen, no_progress, NULL);
|
|
s->rsa_kex_key->comment = NULL;
|
|
}
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXRSA_PUBKEY);
|
|
put_stringpl(pktout, s->hostkeydata);
|
|
{
|
|
strbuf *pubblob = strbuf_new();
|
|
ssh_key_public_blob(&s->rsa_kex_key->sshk,
|
|
BinarySink_UPCAST(pubblob));
|
|
put_string(s->exhash, pubblob->u, pubblob->len);
|
|
put_stringsb(pktout, pubblob);
|
|
}
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
if (pktin->type != SSH2_MSG_KEXRSA_SECRET) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
"expecting RSA kex secret, type %d (%s)",
|
|
pktin->type,
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
s->ppl.bpp->pls->actx,
|
|
pktin->type));
|
|
return;
|
|
}
|
|
|
|
{
|
|
ptrlen encrypted_secret = get_string(pktin);
|
|
put_stringpl(s->exhash, encrypted_secret);
|
|
s->K = ssh_rsakex_decrypt(
|
|
s->kex_alg->hash, encrypted_secret, s->rsa_kex_key);
|
|
}
|
|
|
|
if (!s->K) {
|
|
ssh_proto_error(s->ppl.ssh, "Unable to decrypt RSA kex secret");
|
|
return;
|
|
}
|
|
|
|
ssh_rsakex_freekey(s->rsa_kex_key);
|
|
s->rsa_kex_key = NULL;
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXRSA_DONE);
|
|
put_stringsb(pktout, finalise_and_sign_exhash(s));
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
}
|
|
|
|
crFinishV;
|
|
}
|