Mercurial > dropbear
changeset 759:76fba0856749 ecc
More changes for KEX and ECDH. Set up hash descriptors, make ECC code work,
ses.hash and ses.session_id are now buffers (doesn't compile)
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Fri, 29 Mar 2013 00:28:09 +0800 |
parents | 1c607a62d235 |
children | f336d232fc63 |
files | algo.h cli-kex.c common-algo.c common-kex.c ecc.c ecc.h kex.h libtomcrypt/src/headers/tomcrypt_custom.h ltc_prng.c ltc_prng.h random.c session.h svr-kex.c sysoptions.h |
diffstat | 14 files changed, 180 insertions(+), 114 deletions(-) [+] |
line wrap: on
line diff
--- a/algo.h Fri Mar 29 00:26:46 2013 +0800 +++ b/algo.h Fri Mar 29 00:28:09 2013 +0800 @@ -35,8 +35,8 @@ struct Algo_Type { - unsigned char *name; /* identifying name */ - char val; /* a value for this cipher, or -1 for invalid */ + const unsigned char *name; /* identifying name */ + const char val; /* a value for this cipher, or -1 for invalid */ const void *data; /* algorithm specific data */ char usable; /* whether we can use this algorithm */ const void *mode; /* the mode, currently only used for ciphers, @@ -59,8 +59,8 @@ struct dropbear_cipher { const struct ltc_cipher_descriptor *cipherdesc; - unsigned long keysize; - unsigned char blocksize; + const unsigned long keysize; + const unsigned char blocksize; }; struct dropbear_cipher_mode { @@ -75,14 +75,14 @@ struct dropbear_hash { const struct ltc_hash_descriptor *hashdesc; - unsigned long keysize; - unsigned char hashsize; + const unsigned long keysize; + const unsigned char hashsize; }; struct dropbear_kex { // "normal" DH KEX - unsigned char *dh_p_bytes; - int dh_p_len; + const unsigned char *dh_p_bytes; + const int dh_p_len; // elliptic curve DH KEX #ifdef DROPBEAR_ECDH @@ -108,14 +108,6 @@ char * algolist_string(algo_type algos[]); #endif -enum kex_type { - DROPBEAR_KEX_DH_GROUP1, - DROPBEAR_KEX_DH_GROUP14, - DROPBEAR_KEX_ECDH_SECP256R1, - DROPBEAR_KEX_ECDH_SECP384R1, - DROPBEAR_KEX_ECDH_SECP521R1, -}; - #ifdef DROPBEAR_ECDH #define IS_NORMAL_DH(algo) ((algo)->dh_p_bytes != NULL) #else
--- a/cli-kex.c Fri Mar 29 00:26:46 2013 +0800 +++ b/cli-kex.c Fri Mar 29 00:28:09 2013 +0800 @@ -96,12 +96,15 @@ kexdh_comb_key(cli_ses.dh_param, &dh_f, hostkey); mp_clear(&dh_f); - free_kexdh_param(cli_ses.dh_param); - cli_ses.dh_param = NULL; } else { #ifdef DROPBEAR_ECDH + buffer *ecdh_qs = buf_getstringbuf(ses.payload); + kexecdh_comb_key(cli_ses.dh_param, ecdh_qs, hostkey); + buf_free(ecdh_qs); #endif } + free_kexdh_param(cli_ses.dh_param); + cli_ses.dh_param = NULL; if (buf_verify(ses.payload, hostkey, ses.hash, SHA1_HASH_SIZE) != DROPBEAR_SUCCESS) {
--- a/common-algo.c Fri Mar 29 00:26:46 2013 +0800 +++ b/common-algo.c Fri Mar 29 00:28:09 2013 +0800 @@ -25,6 +25,7 @@ #include "algo.h" #include "dbutil.h" +#include "kex.h" /* This file (algo.c) organises the ciphers which can be used, and is used to * decide which ciphers/hashes/compression/signing to use during key exchange*/ @@ -212,18 +213,18 @@ {NULL, 0, NULL, 0, NULL} }; -static struct dropbear_kex kex_dh_group1 {dh_p_1, DH_P_1_LEN, NULL, sha1_desc }; -static struct dropbear_kex kex_dh_group14 {dh_p_14, DH_P_14_LEN, NULL, sha1_desc }; +static struct dropbear_kex kex_dh_group1 = {dh_p_1, DH_P_1_LEN, NULL, &sha1_desc }; +static struct dropbear_kex kex_dh_group14 = {dh_p_14, DH_P_14_LEN, NULL, &sha1_desc }; #ifdef DROPBEAR_ECC_DH #ifdef DROPBEAR_ECC_256 -static struct dropbear_kex kex_ecdh_secp256r1 {NULL, 0, &ecc_curve_secp256r1, sha256_desc }; +static struct dropbear_kex kex_ecdh_secp256r1 = {NULL, 0, &ecc_curve_secp256r1, &sha256_desc }; #endif #ifdef DROPBEAR_ECC_384 -static struct dropbear_kex kex_ecdh_secp384r1 {NULL, 0, &ecc_curve_secp384r1, sha384_desc }; +static struct dropbear_kex kex_ecdh_secp384r1 = {NULL, 0, &ecc_curve_secp384r1, &sha384_desc }; #endif #ifdef DROPBEAR_ECC_521 -static struct dropbear_kex kex_ecdh_secp521r1 {NULL, 0, &ecc_curve_secp521r1, sha512_desc }; +static struct dropbear_kex kex_ecdh_secp521r1 = {NULL, 0, &ecc_curve_secp521r1, &sha512_desc }; #endif #endif // DROPBEAR_ECC_DH @@ -272,10 +273,13 @@ #ifdef DROPBEAR_MD5_HMAC &md5_desc, #endif -#ifdef DROPBEAR_SHA2_256_HMAC +#ifdef DROPBEAR_SHA256 &sha256_desc, #endif -#ifdef DROPBEAR_SHA2_512_HMAC +#ifdef DROPBEAR_SHA384 + &sha384_desc, +#endif +#ifdef DROPBEAR_SHA512 &sha512_desc, #endif NULL
--- a/common-kex.c Fri Mar 29 00:26:46 2013 +0800 +++ b/common-kex.c Fri Mar 29 00:28:09 2013 +0800 @@ -34,6 +34,7 @@ #include "bignum.h" #include "random.h" #include "runopts.h" +#include "ecc.h" /* diffie-hellman-group1-sha1 value for p */ const unsigned char dh_p_1[DH_P_1_LEN] = { @@ -642,6 +643,9 @@ buf_setpos(ses.kexhashbuf, 0); sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), ses.kexhashbuf->len); + + ses.hash = m_malloc(SHA1_HASH_SIZE); + } sha1_done(&hs, ses.hash); buf_burn(ses.kexhashbuf); @@ -660,8 +664,8 @@ struct kex_ecdh_param *gen_kexecdh_param() { struct kex_ecdh_param *param = m_malloc(sizeof(*param)); if (ecc_make_key_ex(NULL, dropbear_ltc_prng, - ¶m->key, ses.newkeys->algo_kex->ecc_curve) != CRYPT_OK) { - dropbear_exit("ECC error") + ¶m->key, ses.newkeys->algo_kex->ecc_curve->dp) != CRYPT_OK) { + dropbear_exit("ECC error"); } return param; } @@ -673,58 +677,45 @@ } void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, sign_key *hostkey) { - + const struct dropbear_kex *algo_kex = ses.newkeys->algo_kex; hash_state hs; // public keys from client and server ecc_key *Q_C, *Q_S, *Q_them; -oj // XXX load Q_them - Q_them = buf_get_ecc_key_string() - - ses.dh_K = dropbear_ecc_shared_secret(); + // XXX load Q_them + Q_them = buf_get_ecc_pubkey(pub_them, algo_kex->ecc_curve); - /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */ - if (mp_cmp(dh_pub_them, &dh_p) != MP_LT - || mp_cmp_d(dh_pub_them, 0) != MP_GT) { - dropbear_exit("Diffie-Hellman error"); - } - - /* K = e^y mod p = f^x mod p */ - ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int)); - m_mp_init(ses.dh_K); - if (mp_exptmod(dh_pub_them, ¶m->priv, &dh_p, ses.dh_K) != MP_OKAY) { - dropbear_exit("Diffie-Hellman error"); - } - - /* clear no longer needed vars */ - mp_clear_multi(&dh_p, NULL); + ses.dh_K = dropbear_ecc_shared_secret(Q_them, param->key); /* From here on, the code needs to work with the _same_ vars on each side, * not vice-versaing for client/server */ if (IS_DROPBEAR_CLIENT) { - dh_e = ¶m->pub; - dh_f = dh_pub_them; + Q_C = param->key; + Q_S = Q_them; } else { - dh_e = dh_pub_them; - dh_f = ¶m->pub; + Q_C = Q_them; + Q_S = param->key; } /* Create the remainder of the hash buffer, to generate the exchange hash */ /* K_S, the host key */ buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey); - /* e, exchange value sent by the client */ - buf_putmpint(ses.kexhashbuf, dh_e); - /* f, exchange value sent by the server */ - buf_putmpint(ses.kexhashbuf, dh_f); + /* Q_C, client's ephemeral public key octet string */ + buf_put_ecc_pubkey_string(Q_C); + /* Q_S, server's ephemeral public key octet string */ + buf_put_ecc_pubkey_string(Q_S); /* K, the shared secret */ buf_putmpint(ses.kexhashbuf, ses.dh_K); /* calculate the hash H to sign */ - sha1_init(&hs); + algo_kex->hashdesc->init(&hs); buf_setpos(ses.kexhashbuf, 0); - sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), + algo_kex->hashdesc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), ses.kexhashbuf->len); - sha1_done(&hs, ses.hash); + if (!ses.hash) { + ses.hash = m_malloc(algo_kex->hashdesc->hashsize); + } + algo_kex->hashdesc->done(&hs, ses.hash); buf_burn(ses.kexhashbuf); buf_free(ses.kexhashbuf); @@ -733,8 +724,8 @@ /* first time around, we set the session_id to H */ if (ses.session_id == NULL) { /* create the session_id, this never needs freeing */ - ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE); - memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE); + ses.session_id = m_malloc(algo_kex->hashdesc->hashsize); + memcpy(ses.session_id, ses.hash, algo_kex->hashdesc->hashsize); } }
--- a/ecc.c Fri Mar 29 00:26:46 2013 +0800 +++ b/ecc.c Fri Mar 29 00:28:09 2013 +0800 @@ -1,41 +1,48 @@ #include "includes.h" #include "options.h" #include "ecc.h" +#include "dbutil.h" +#include "bignum.h" #ifdef DROPBEAR_ECC // TODO: use raw bytes for the dp rather than the hex strings in libtomcrypt's ecc.c #ifdef DROPBEAR_ECC_256 -const struct dropbear_ecc_curve ecc_curve_secp256r1 { +const struct dropbear_ecc_curve ecc_curve_secp256r1 = { .dp = <c_ecc_sets[0], - .hash_desc = sha256_desc, + .hash_desc = &sha256_desc, .name = "secp256r1" }; #endif - - #ifdef DROPBEAR_ECC_384 -const struct dropbear_ecc_curve ecc_curve_secp384r1 { +const struct dropbear_ecc_curve ecc_curve_secp384r1 = { .dp = <c_ecc_sets[1], - .hash_desc = sha384_desc, + .hash_desc = &sha384_desc, .name = "secp384r1" }; #endif - #ifdef DROPBEAR_ECC_521 -const struct dropbear_ecc_curve ecc_curve_secp521r1 { +const struct dropbear_ecc_curve ecc_curve_secp521r1 = { .dp = <c_ecc_sets[2], - .hash_desc = sha521_desc, + .hash_desc = &sha512_desc, .name = "secp521r1" }; #endif +static ecc_key * new_ecc_key(void) { + ecc_key *key = m_malloc(sizeof(*key)); + key->pubkey.x = m_malloc(sizeof(mp_int)); + key->pubkey.y = m_malloc(sizeof(mp_int)); + key->pubkey.z = m_malloc(sizeof(mp_int)); + key->k = m_malloc(sizeof(mp_init)); + m_mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL); + return key; +} void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key) { - // XXX point compression - int len = key->dp->size*2 + 1; - buf_putint(len); + unsigned long len = key->dp->size*2 + 1; + buf_putint(buf, len); int err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len); if (err != CRYPT_OK) { dropbear_exit("ECC error"); @@ -43,38 +50,93 @@ buf_incrwritepos(buf, len); } -ecc_key * buf_get_ecc_key_string(buffer *buf, const struct dropbear_ecc_curve *curve) { +// Copied from libtomcrypt ecc_import.c (version there is static), modified +// for different mp_int pointer without LTC_SOURCE +static int ecc_is_point(ecc_key *key) +{ + mp_int *prime, *b, *t1, *t2; + int err; + + prime = m_malloc(sizeof(mp_int)); + b = m_malloc(sizeof(mp_int)); + t1 = m_malloc(sizeof(mp_int)); + t2 = m_malloc(sizeof(mp_int)); + + m_mp_init_multi(prime, b, t1, t2, NULL); + + /* load prime and b */ + if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) { goto error; } + if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) { goto error; } + + /* compute y^2 */ + if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK) { goto error; } + + /* compute x^3 */ + if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK) { goto error; } + if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK) { goto error; } + if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK) { goto error; } + + /* compute y^2 - x^3 */ + if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK) { goto error; } + + /* compute y^2 - x^3 + 3x */ + if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } + if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } + if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } + if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK) { goto error; } + while (mp_cmp_d(t1, 0) == LTC_MP_LT) { + if ((err = mp_add(t1, prime, t1)) != CRYPT_OK) { goto error; } + } + while (mp_cmp(t1, prime) != LTC_MP_LT) { + if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK) { goto error; } + } + + /* compare to b */ + if (mp_cmp(t1, b) != LTC_MP_EQ) { + err = CRYPT_INVALID_PACKET; + } else { + err = CRYPT_OK; + } + +error: + mp_clear_multi(prime, b, t1, t2, NULL); + m_free(prime); + m_free(b); + m_free(t1); + m_free(t2); + return err; +} + +ecc_key * buf_get_ecc_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve) { ecc_key *key = NULL; int ret = DROPBEAR_FAILURE; const int size = curve->dp->size; - unsigned int len = buf_get_string(buf); - unsigned char first = buf_get_char(buf); + buf_setpos(buf, 0); + unsigned int len = buf->len; + unsigned char first = buf_getbyte(buf); if (first == 2 || first == 3) { - dropbear_log("Dropbear doesn't support ECC point compression"); + dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression"); return NULL; } if (first != 4 || len != 1+2*size) { return NULL; } - key = m_malloc(sizeof(*key)); - m_mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL); + key = new_ecc_key(); - if (mp_read_unsigned_bin(&key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) { + if (mp_read_unsigned_bin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) { goto out; } buf_incrpos(buf, size); - if (mp_read_unsigned_bin(&key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) { + if (mp_read_unsigned_bin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) { goto out; } buf_incrpos(buf, size); - if (mp_set(key->pubkey.z, 1) != MP_OKAY) { - goto out; - } + mp_set(key->pubkey.z, 1); - if (is_point(key) != CRYPT_OK) { + if (ecc_is_point(key) != CRYPT_OK) { goto out; } @@ -91,7 +153,7 @@ out: if (ret == DROPBEAR_FAILURE) { if (key) { - mp_free_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL); + ecc_free(key); m_free(key); key = NULL; } @@ -105,9 +167,9 @@ // a mp_int instead. mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, ecc_key *private_key) { - ecc_point *result = NULL + ecc_point *result = NULL; mp_int *prime = NULL, *shared_secret = NULL; - int ret = DROPBEAR_FAILURE; + int err = DROPBEAR_FAILURE; /* type valid? */ if (private_key->type != PK_PRIVATE) { @@ -163,9 +225,6 @@ } return shared_secret; - return err; -} - } #endif
--- a/ecc.h Fri Mar 29 00:26:46 2013 +0800 +++ b/ecc.h Fri Mar 29 00:28:09 2013 +0800 @@ -21,14 +21,11 @@ // "pubkey" refers to a point, but LTC uses ecc_key structure for both public // and private keys void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key); -int buf_get_ecc_pubkey_string(buffer *buf, ecc_key *key); +ecc_key * buf_get_ecc_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve); int buf_get_ecc_privkey_string(buffer *buf, ecc_key *key); mp_int * dropbear_ecc_shared_secret(ecc_key *pub_key, ecc_key *priv_key); - -const ltc_ecc_set_type* get_ecc_curve(enum kex_type type); - #endif #endif // _DROPBEAR_ECC_H \ No newline at end of file
--- a/kex.h Fri Mar 29 00:26:46 2013 +0800 +++ b/kex.h Fri Mar 29 00:28:09 2013 +0800 @@ -27,6 +27,7 @@ #include "includes.h" #include "algo.h" +#include "signkey.h" void send_msg_kexinit(); void recv_msg_kexinit(); @@ -74,9 +75,9 @@ }; #define DH_P_1_LEN 128 -extern const const unsigned char dh_p_1[DH_P_1_LEN]; +extern const unsigned char dh_p_1[DH_P_1_LEN]; #define DH_P_14_LEN 256 -const unsigned char dh_p_14[DH_P_14_LEN] = { +extern const unsigned char dh_p_14[DH_P_14_LEN]; struct kex_dh_param { mp_int pub;
--- a/libtomcrypt/src/headers/tomcrypt_custom.h Fri Mar 29 00:26:46 2013 +0800 +++ b/libtomcrypt/src/headers/tomcrypt_custom.h Fri Mar 29 00:28:09 2013 +0800 @@ -127,7 +127,9 @@ #ifdef DROPBEAR_SHA256 #define SHA256 #endif - +#ifdef DROPBEAR_SHA384 +#define SHA384 +#endif #ifdef DROPBEAR_SHA512 #define SHA512 #endif
--- a/ltc_prng.c Fri Mar 29 00:26:46 2013 +0800 +++ b/ltc_prng.c Fri Mar 29 00:28:09 2013 +0800 @@ -14,6 +14,7 @@ #include "options.h" #include "includes.h" #include "random.h" +#include "ltc_prng.h" /** @file sprng.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ltc_prng.h Fri Mar 29 00:28:09 2013 +0800 @@ -0,0 +1,13 @@ +#ifndef _LTC_PRNG_H_DROPBEAR +#define _LTC_PRNG_H_DROPBEAR + +#include "options.h" +#include "includes.h" + +#ifdef DROPBEAR_LTC_PRNG + +extern const struct ltc_prng_descriptor dropbear_prng_desc; + +#endif // DROPBEAR_LTC_PRNG + +#endif // _LTC_PRNG_H_DROPBEAR \ No newline at end of file
--- a/random.c Fri Mar 29 00:26:46 2013 +0800 +++ b/random.c Fri Mar 29 00:28:09 2013 +0800 @@ -27,6 +27,8 @@ #include "dbutil.h" #include "bignum.h" #include "random.h" +#include "ltc_prng.h" + /* this is used to generate unique output from the same hashpool */ static uint32_t counter = 0;
--- a/session.h Fri Mar 29 00:26:46 2013 +0800 +++ b/session.h Fri Mar 29 00:28:09 2013 +0800 @@ -154,10 +154,10 @@ struct KEXState kexstate; struct key_context *keys; struct key_context *newkeys; - unsigned char *session_id; /* this is the hash from the first kex */ - /* The below are used temorarily during kex, are freed after use */ + buffer *session_id; /* this is the hash from the first kex */ + /* The below are used temporarily during kex, are freed after use */ mp_int * dh_K; /* SSH_MSG_KEXDH_REPLY and sending SSH_MSH_NEWKEYS */ - unsigned char hash[SHA1_HASH_SIZE]; /* the hash*/ + buffer *hash/* the session hash */ buffer* kexhashbuf; /* session hash buffer calculated from various packets*/ buffer* transkexinit; /* the kexinit packet we send should be kept so we can add it to the hash when generating keys */
--- a/svr-kex.c Fri Mar 29 00:26:46 2013 +0800 +++ b/svr-kex.c Fri Mar 29 00:28:09 2013 +0800 @@ -59,6 +59,7 @@ } } else { #ifdef DROPBEAR_ECDH + buffer *ecdh_qs = buf_getstringbuf(ses.payload); #endif }
--- a/sysoptions.h Fri Mar 29 00:26:46 2013 +0800 +++ b/sysoptions.h Fri Mar 29 00:28:09 2013 +0800 @@ -93,13 +93,26 @@ #define DROPBEAR_ECC #endif - #ifdef DROPBEAR_ECC #define DROPBEAR_ECC_256 #define DROPBEAR_ECC_384 #define DROPBEAR_ECC_521 #endif +// hashes which will be linked and registered +#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) +#define DROPBEAR_SHA256 +#endif +#if defined(DROPBEAR_ECC_384) +#define DROPBEAR_SHA384 +#endif +#if defined(DROPBEAR_SHA2_512_HMAC) || defined(DROPBEAR_ECC_521) +#define DROPBEAR_SHA512 +#endif +#if defined(DROPBEAR_MD5_HMAC) +#define DROPBEAR_MD5 +#endif + // roughly 2x 521 bits #define MAX_ECC_SIZE 140 @@ -155,19 +168,6 @@ #define DROPBEAR_TWOFISH #endif -#ifdef DROPBEAR_MD5_HMAC -#define DROPBEAR_MD5 -#endif - -#ifdef DROPBEAR_SHA2_256_HMAC -#define DROPBEAR_SHA256 -#endif - -#if (defined(DROPBEAR_DSS) && defined(DSS_PROTOK)) \ - || defined(DROPBEAR_SHA2_512_HMAC) -#define DROPBEAR_SHA512 -#endif - #ifndef ENABLE_X11FWD #define DISABLE_X11FWD #endif