Mercurial > dropbear

comparison common-kex.c @ 756:bf9dc2d9c2b1 ecc

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
more bits on ecc branch
author Matt Johnston <matt@ucc.asn.au>
date Wed, 27 Mar 2013 00:38:03 +0800
parents b07eb3dc23ec
children 230666086711
comparison
equal deleted inserted replaced
755:b07eb3dc23ec 756:bf9dc2d9c2b1
34 #include "bignum.h" 34 #include "bignum.h"
35 #include "random.h" 35 #include "random.h"
36 #include "runopts.h" 36 #include "runopts.h"
37 37
38 /* diffie-hellman-group1-sha1 value for p */ 38 /* diffie-hellman-group1-sha1 value for p */
39 #define DH_P_1_LEN 128 39 const unsigned char dh_p_1[DH_P_1_LEN] = {
40 static const unsigned char dh_p_1[DH_P_1_LEN] = {
41 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 40 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
42 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 41 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
43 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, 42 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
44 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 43 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
45 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 44 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
49 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, 48 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
50 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81, 49 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
51 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; 50 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
52 51
53 /* diffie-hellman-group14-sha1 value for p */ 52 /* diffie-hellman-group14-sha1 value for p */
54 #define DH_P_14_LEN 256 53 const unsigned char dh_p_14[DH_P_14_LEN] = {
55 static const unsigned char dh_p_14[DH_P_14_LEN] = {
56 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 54 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
57 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 55 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
58 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, 56 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
59 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 57 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
60 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 58 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
534 TRACE(("leave recv_msg_kexinit")) 532 TRACE(("leave recv_msg_kexinit"))
535 } 533 }
536 534
537 static void load_dh_p(mp_int * dh_p) 535 static void load_dh_p(mp_int * dh_p)
538 { 536 {
539 switch (ses.newkeys->algo_kex) { 537 bytes_to_mp(dh_p, ses.newkeys->algo_kex->dh_p_bytes,
540 case DROPBEAR_KEX_DH_GROUP1: 538 ses.newkeys->algo_kex->dh_p_len);
541 bytes_to_mp(dh_p, dh_p_1, DH_P_1_LEN);
542 break;
543 case DROPBEAR_KEX_DH_GROUP14:
544 bytes_to_mp(dh_p, dh_p_14, DH_P_14_LEN);
545 break;
546 }
547 } 539 }
548 540
549 /* Initialises and generate one side of the diffie-hellman key exchange values. 541 /* Initialises and generate one side of the diffie-hellman key exchange values.
550 * See the transport rfc 4253 section 8 for details */ 542 * See the transport rfc 4253 section 8 for details */
551 /* dh_pub and dh_priv MUST be already initialised */ 543 /* dh_pub and dh_priv MUST be already initialised */
665 } 657 }
666 658
667 #ifdef DROPBEAR_ECDH 659 #ifdef DROPBEAR_ECDH
668 struct kex_ecdh_param *gen_kexecdh_param() { 660 struct kex_ecdh_param *gen_kexecdh_param() {
669 struct kex_ecdh_param *param = m_malloc(sizeof(*param)); 661 struct kex_ecdh_param *param = m_malloc(sizeof(*param));
670 if (ecc_make_key_ex(NULL, dropbear_ltc_prng, &param->key 662 if (ecc_make_key_ex(NULL, dropbear_ltc_prng,
671 } 663 &param->key, ses.newkeys->algo_kex->ecc_curve) != CRYPT_OK) {
672 void free_kexecdh_param(struct kex_ecdh_param *param); 664 dropbear_exit("ECC error")
665 }
666 return param;
667 }
668
669 void free_kexecdh_param(struct kex_ecdh_param *param) {
670 ecc_free(&param->key);
671 m_free(param);
672
673 }
673 void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, 674 void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them,
674 sign_key *hostkey); 675 sign_key *hostkey) {
676
677 hash_state hs;
678 // public keys from client and server
679 ecc_key *Q_C, *Q_S, *Q_them;
680
681 // XXX load Q_them
682
683 ses.dh_K = dropbear_ecc_shared_secret()
684
685 /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */
686 if (mp_cmp(dh_pub_them, &dh_p) != MP_LT
687 || mp_cmp_d(dh_pub_them, 0) != MP_GT) {
688 dropbear_exit("Diffie-Hellman error");
689 }
690
691 /* K = e^y mod p = f^x mod p */
692 ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int));
693 m_mp_init(ses.dh_K);
694 if (mp_exptmod(dh_pub_them, &param->priv, &dh_p, ses.dh_K) != MP_OKAY) {
695 dropbear_exit("Diffie-Hellman error");
696 }
697
698 /* clear no longer needed vars */
699 mp_clear_multi(&dh_p, NULL);
700
701 /* From here on, the code needs to work with the _same_ vars on each side,
702 * not vice-versaing for client/server */
703 if (IS_DROPBEAR_CLIENT) {
704 dh_e = &param->pub;
705 dh_f = dh_pub_them;
706 } else {
707 dh_e = dh_pub_them;
708 dh_f = &param->pub;
709 }
710
711 /* Create the remainder of the hash buffer, to generate the exchange hash */
712 /* K_S, the host key */
713 buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
714 /* e, exchange value sent by the client */
715 buf_putmpint(ses.kexhashbuf, dh_e);
716 /* f, exchange value sent by the server */
717 buf_putmpint(ses.kexhashbuf, dh_f);
718 /* K, the shared secret */
719 buf_putmpint(ses.kexhashbuf, ses.dh_K);
720
721 /* calculate the hash H to sign */
722 sha1_init(&hs);
723 buf_setpos(ses.kexhashbuf, 0);
724 sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
725 ses.kexhashbuf->len);
726 sha1_done(&hs, ses.hash);
727
728 buf_burn(ses.kexhashbuf);
729 buf_free(ses.kexhashbuf);
730 ses.kexhashbuf = NULL;
731
732 /* first time around, we set the session_id to H */
733 if (ses.session_id == NULL) {
734 /* create the session_id, this never needs freeing */
735 ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE);
736 memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE);
737 }
738
739 }
675 #endif 740 #endif
676 741
677 /* read the other side's algo list. buf_match_algo is a callback to match 742 /* read the other side's algo list. buf_match_algo is a callback to match
678 * algos for the client or server. */ 743 * algos for the client or server. */
679 static void read_kex_algos() { 744 static void read_kex_algos() {
705 if (algo == NULL) { 770 if (algo == NULL) {
706 erralgo = "kex"; 771 erralgo = "kex";
707 goto error; 772 goto error;
708 } 773 }
709 TRACE(("kex algo %s", algo->name)) 774 TRACE(("kex algo %s", algo->name))
710 ses.newkeys->algo_kex = algo->val; 775 ses.newkeys->algo_kex = algo->data;
711 776
712 /* server_host_key_algorithms */ 777 /* server_host_key_algorithms */
713 algo = ses.buf_match_algo(ses.payload, sshhostkey, &goodguess); 778 algo = ses.buf_match_algo(ses.payload, sshhostkey, &goodguess);
714 allgood &= goodguess; 779 allgood &= goodguess;
715 if (algo == NULL) { 780 if (algo == NULL) {