1 #include <u.h>
2 #include <libc.h>
3 #include <mp.h>
4 #include <libsec.h>
5 #include <fcall.h>
6 #include <thread.h>
7 #include <9p.h>
8 #include <auth.h>
9 #include <ip.h>
10 #include <pool.h>
11 #include "netssh.h"
12
13 #undef VERIFYKEYS /* TODO until it's fixed */
14
15 enum {
16 Errnokey = -2, /* no key on keyring */
17 Errnoverify, /* factotum found a key, but verification failed */
18 Errfactotum, /* factotum failure (e.g., no key) */
19 Errnone, /* key verified */
20 };
21
22 static int dh_server(Conn *, Packet *, mpint *, int);
23 static int dh_client1(Conn *, mpint *, int, int);
24 static int dh_client2(Conn *, Packet *, mpint *, int);
25 static void genkeys(Conn *, uchar [], mpint *);
26
27 /*
28 * Second Oakley Group from RFC 2409
29 */
30 static char *group1p =
31 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
32 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
33 "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
34 "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
35 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
36 "FFFFFFFFFFFFFFFF";
37
38 /*
39 * 2048-bit MODP group (id 14) from RFC 3526
40 */
41 static char *group14p =
42 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
43 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
44 "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
45 "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
46 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
47 "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
48 "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
49 "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
50 "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
51 "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
52 "15728E5A8AACAA68FFFFFFFFFFFFFFFF";
53
54 mpint *two, *p1, *p14;
55 int nokeyverify;
56
57 static DSApriv mydsskey;
58 static RSApriv myrsakey;
59
60 void
dh_init(PKA * pkas[])61 dh_init(PKA *pkas[])
62 {
63 char *buf, *p, *st, *end;
64 int fd, n, k;
65
66 if(debug > 1)
67 sshdebug(nil, "dh_init");
68 k = 0;
69 pkas[k] = nil;
70 fmtinstall('M', mpfmt);
71 two = strtomp("2", nil, 10, nil);
72 p1 = strtomp(group1p, nil, 16, nil);
73 p14 = strtomp(group14p, nil, 16, nil);
74
75 /*
76 * this really should be done through factotum
77 */
78 p = getenv("rsakey");
79 if (p != nil) {
80 remove("/env/rsakey");
81 st = buf = p;
82 end = buf + strlen(p);
83 } else {
84 /*
85 * it would be better to use bio and rdline here instead of
86 * reading all of factotum's contents into memory at once.
87 */
88 buf = emalloc9p(Maxfactotum);
89 fd = open("rsakey", OREAD);
90 if (fd < 0 && (fd = open("/mnt/factotum/ctl", OREAD)) < 0)
91 goto norsa;
92 n = readn(fd, buf, Maxfactotum - 1);
93 buf[n >= 0? n: 0] = 0;
94 close(fd);
95 assert(n < Maxfactotum - 1);
96
97 st = strstr(buf, "proto=rsa");
98 if (st == nil) {
99 sshlog(nil, "no proto=rsa key in factotum");
100 goto norsa;
101 }
102 end = st;
103 for (; st > buf && *st != '\n'; --st)
104 ;
105 for (; end < buf + Maxfactotum && *end != '\n'; ++end)
106 ;
107 }
108 p = strstr(st, " n=");
109 if (p == nil || p > end) {
110 sshlog(nil, "no key (n) found");
111 free(buf);
112 return;
113 }
114 myrsakey.pub.n = strtomp(p+3, nil, 16, nil);
115 if (debug > 1)
116 sshdebug(nil, "n=%M", myrsakey.pub.n);
117 p = strstr(st, " ek=");
118 if (p == nil || p > end) {
119 sshlog(nil, "no key (ek) found");
120 free(buf);
121 return;
122 }
123 pkas[k++] = &rsa_pka;
124 pkas[k] = nil;
125 myrsakey.pub.ek = strtomp(p+4, nil, 16, nil);
126 if (debug > 1)
127 sshdebug(nil, "ek=%M", myrsakey.pub.ek);
128 p = strstr(st, " !dk=");
129 if (p == nil) {
130 p = strstr(st, "!dk?");
131 if (p == nil || p > end) {
132 // sshlog(nil, "no key (dk) found");
133 free(buf);
134 return;
135 }
136 goto norsa;
137 }
138 myrsakey.dk = strtomp(p+5, nil, 16, nil);
139 if (debug > 1)
140 sshdebug(nil, "dk=%M", myrsakey.dk);
141 norsa:
142 free(buf);
143
144 p = getenv("dsskey");
145 if (p != nil) {
146 remove("/env/dsskey");
147 buf = p;
148 end = buf + strlen(p);
149 } else {
150 /*
151 * it would be better to use bio and rdline here instead of
152 * reading all of factotum's contents into memory at once.
153 */
154 buf = emalloc9p(Maxfactotum);
155 fd = open("dsskey", OREAD);
156 if (fd < 0 && (fd = open("/mnt/factotum/ctl", OREAD)) < 0)
157 return;
158 n = readn(fd, buf, Maxfactotum - 1);
159 buf[n >= 0? n: 0] = 0;
160 close(fd);
161 assert(n < Maxfactotum - 1);
162
163 st = strstr(buf, "proto=dsa");
164 if (st == nil) {
165 sshlog(nil, "no proto=dsa key in factotum");
166 free(buf);
167 return;
168 }
169 end = st;
170 for (; st > buf && *st != '\n'; --st)
171 ;
172 for (; end < buf + Maxfactotum && *end != '\n'; ++end)
173 ;
174 }
175 p = strstr(buf, " p=");
176 if (p == nil || p > end) {
177 sshlog(nil, "no key (p) found");
178 free(buf);
179 return;
180 }
181 mydsskey.pub.p = strtomp(p+3, nil, 16, nil);
182 p = strstr(buf, " q=");
183 if (p == nil || p > end) {
184 sshlog(nil, "no key (q) found");
185 free(buf);
186 return;
187 }
188 mydsskey.pub.q = strtomp(p+3, nil, 16, nil);
189 p = strstr(buf, " alpha=");
190 if (p == nil || p > end) {
191 sshlog(nil, "no key (g) found");
192 free(buf);
193 return;
194 }
195 mydsskey.pub.alpha = strtomp(p+7, nil, 16, nil);
196 p = strstr(buf, " key=");
197 if (p == nil || p > end) {
198 sshlog(nil, "no key (y) found");
199 free(buf);
200 return;
201 }
202 mydsskey.pub.key = strtomp(p+5, nil, 16, nil);
203 pkas[k++] = &dss_pka;
204 pkas[k] = nil;
205 p = strstr(buf, " !secret=");
206 if (p == nil) {
207 p = strstr(buf, "!secret?");
208 if (p == nil || p > end)
209 sshlog(nil, "no key (x) found");
210 free(buf);
211 return;
212 }
213 mydsskey.secret = strtomp(p+9, nil, 16, nil);
214 free(buf);
215 }
216
217 static Packet *
rsa_ks(Conn * c)218 rsa_ks(Conn *c)
219 {
220 Packet *ks;
221
222 if (myrsakey.pub.ek == nil || myrsakey.pub.n == nil) {
223 sshlog(c, "no public RSA key info");
224 return nil;
225 }
226 ks = new_packet(c);
227 add_string(ks, "ssh-rsa");
228 add_mp(ks, myrsakey.pub.ek);
229 add_mp(ks, myrsakey.pub.n);
230 return ks;
231 }
232
233 static void
esma_encode(uchar * h,uchar * em,int nb)234 esma_encode(uchar *h, uchar *em, int nb)
235 {
236 int n, i;
237 uchar hh[SHA1dlen];
238 static uchar sha1der[] = {
239 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
240 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14,
241 };
242
243 sha1(h, SHA1dlen, hh, nil);
244 n = nb - (nelem(sha1der) + SHA1dlen) - 3;
245 i = 0;
246 em[i++] = 0;
247 em[i++] = 1;
248 memset(em + i, 0xff, n);
249 i += n;
250 em[i++] = 0;
251 memmove(em + i, sha1der, sizeof sha1der);
252 i += sizeof sha1der;
253 memmove(em + i, hh, SHA1dlen);
254 }
255
256 static Packet *
rsa_sign(Conn * c,uchar * m,int nm)257 rsa_sign(Conn *c, uchar *m, int nm)
258 {
259 AuthRpc *ar;
260 Packet *sig;
261 mpint *s, *mm;
262 int fd, n, nbit;
263 uchar hh[SHA1dlen];
264 uchar *sstr, *em;
265
266 if (myrsakey.dk) {
267 nbit = mpsignif (myrsakey.pub.n);
268 n = (nbit + 7) / 8;
269 sstr = emalloc9p(n);
270 em = emalloc9p(n);
271 /* Compute s: RFC 3447 */
272 esma_encode(m, em, n);
273 mm = betomp(em, n, nil);
274 s = mpnew(nbit);
275 mpexp(mm, myrsakey.dk, myrsakey.pub.n, s);
276 mptobe(s, sstr, n, nil);
277 mpfree(mm);
278 mpfree(s);
279 free(em);
280 } else {
281 fd = open("/mnt/factotum/rpc", ORDWR);
282 if (fd < 0)
283 return nil;
284 sha1(m, nm, hh, nil);
285 ar = auth_allocrpc(fd);
286 if (ar == nil ||
287 auth_rpc(ar, "start", "role=sign proto=rsa", 19) != ARok ||
288 auth_rpc(ar, "write", hh, SHA1dlen) != ARok ||
289 auth_rpc(ar, "read", nil, 0) != ARok ||
290 ar->arg == nil) {
291 sshdebug(c, "got error in factotum: %r");
292 auth_freerpc(ar);
293 close(fd);
294 return nil;
295 }
296 sstr = emalloc9p(ar->narg);
297 memmove(sstr, ar->arg, ar->narg);
298 n = ar->narg;
299
300 auth_freerpc(ar);
301 close(fd);
302 }
303 sig = new_packet(c);
304 add_string(sig, pkas[c->pkalg]->name);
305 add_block(sig, sstr, n);
306 free(sstr);
307 return sig;
308 }
309
310 /*
311 * 0 - If factotum failed, e.g. no key
312 * 1 - If key is verified
313 * -1 - If factotum found a key, but the verification fails
314 */
315 static int
rsa_verify(Conn * c,uchar * m,int nm,char * user,char * sig,int)316 rsa_verify(Conn *c, uchar *m, int nm, char *user, char *sig, int)
317 {
318 int fd, n, retval, nbit;
319 char *buf, *p, *sigblob;
320 uchar *sstr, *em;
321 uchar hh[SHA1dlen];
322 mpint *s, *mm, *rsa_exponent, *host_modulus;
323 AuthRpc *ar;
324
325 sshdebug(c, "in rsa_verify for connection: %d", c->id);
326 SET(rsa_exponent, host_modulus);
327 USED(rsa_exponent, host_modulus);
328 if (0 && rsa_exponent) {
329 nbit = mpsignif(host_modulus);
330 n = (nbit + 7) / 8;
331 em = emalloc9p(n);
332 /* Compute s: RFC 3447 */
333 esma_encode(m, em, n);
334 mm = betomp(em, n, nil);
335 s = mpnew(1024);
336 mpexp(mm, rsa_exponent, host_modulus, s);
337 sstr = emalloc9p(n);
338 mptobe(s, sstr, n, nil);
339 free(em);
340 mpfree(mm);
341 mpfree(s);
342 retval = memcmp(sig, sstr, n);
343 free(sstr);
344 retval = (retval == 0);
345 } else {
346 retval = 1;
347 fd = open("/mnt/factotum/rpc", ORDWR);
348 if (fd < 0) {
349 sshdebug(c, "could not open factotum RPC: %r");
350 return 0;
351 }
352 buf = emalloc9p(Blobsz / 2);
353 sigblob = emalloc9p(Blobsz);
354 p = (char *)get_string(nil, (uchar *)sig, buf, Blobsz / 2, nil);
355 get_string(nil, (uchar *)p, sigblob, Blobsz, &n);
356 sha1(m, nm, hh, nil);
357 if (user != nil)
358 p = smprint("role=verify proto=rsa user=%s", user);
359 else
360 p = smprint("role=verify proto=rsa sys=%s", c->remote);
361
362 ar = auth_allocrpc(fd);
363 if (ar == nil || auth_rpc(ar, "start", p, strlen(p)) != ARok ||
364 auth_rpc(ar, "write", hh, SHA1dlen) != ARok ||
365 auth_rpc(ar, "write", sigblob, n) != ARok ||
366 auth_rpc(ar, "read", nil, 0) != ARok) {
367 sshdebug(c, "got error in factotum: %r");
368 retval = 0;
369 } else {
370 sshdebug(c, "factotum returned %s", ar->ibuf);
371 if (strstr(ar->ibuf, "does not verify") != nil)
372 retval = -1;
373 }
374 if (ar != nil)
375 auth_freerpc(ar);
376 free(p);
377 close(fd);
378 free(sigblob);
379 free(buf);
380 }
381 return retval;
382 }
383
384 static Packet *
dss_ks(Conn * c)385 dss_ks(Conn *c)
386 {
387 Packet *ks;
388
389 if (mydsskey.pub.p == nil)
390 return nil;
391 ks = new_packet(c);
392 add_string(ks, "ssh-dss");
393 add_mp(ks, mydsskey.pub.p);
394 add_mp(ks, mydsskey.pub.q);
395 add_mp(ks, mydsskey.pub.alpha);
396 add_mp(ks, mydsskey.pub.key);
397 return ks;
398 }
399
400 static Packet *
dss_sign(Conn * c,uchar * m,int nm)401 dss_sign(Conn *c, uchar *m, int nm)
402 {
403 AuthRpc *ar;
404 DSAsig *s;
405 Packet *sig;
406 mpint *mm;
407 int fd;
408 uchar sstr[2*SHA1dlen];
409
410 sha1(m, nm, sstr, nil);
411 sig = new_packet(c);
412 add_string(sig, pkas[c->pkalg]->name);
413 if (mydsskey.secret) {
414 mm = betomp(sstr, SHA1dlen, nil);
415 s = dsasign(&mydsskey, mm);
416 mptobe(s->r, sstr, SHA1dlen, nil);
417 mptobe(s->s, sstr+SHA1dlen, SHA1dlen, nil);
418 dsasigfree(s);
419 mpfree(mm);
420 } else {
421 fd = open("/mnt/factotum/rpc", ORDWR);
422 if (fd < 0)
423 return nil;
424 ar = auth_allocrpc(fd);
425 if (ar == nil ||
426 auth_rpc(ar, "start", "role=sign proto=dsa", 19) != ARok ||
427 auth_rpc(ar, "write", sstr, SHA1dlen) != ARok ||
428 auth_rpc(ar, "read", nil, 0) != ARok) {
429 sshdebug(c, "got error in factotum: %r");
430 auth_freerpc(ar);
431 close(fd);
432 return nil;
433 }
434 memmove(sstr, ar->arg, ar->narg);
435 auth_freerpc(ar);
436 close(fd);
437 }
438 add_block(sig, sstr, 2*SHA1dlen);
439 return sig;
440 }
441
442 static int
dss_verify(Conn * c,uchar * m,int nm,char * user,char * sig,int nsig)443 dss_verify(Conn *c, uchar *m, int nm, char *user, char *sig, int nsig)
444 {
445 sshdebug(c, "in dss_verify for connection: %d", c->id);
446 USED(m, nm, user, sig, nsig);
447 return 0;
448 }
449
450 static int
dh_server1(Conn * c,Packet * pack1)451 dh_server1(Conn *c, Packet *pack1)
452 {
453 return dh_server(c, pack1, p1, 1024);
454 }
455
456 static int
dh_server14(Conn * c,Packet * pack1)457 dh_server14(Conn *c, Packet *pack1)
458 {
459 return dh_server(c, pack1, p14, 2048);
460 }
461
462 static int
dh_server(Conn * c,Packet * pack1,mpint * grp,int nbit)463 dh_server(Conn *c, Packet *pack1, mpint *grp, int nbit)
464 {
465 Packet *pack2, *ks, *sig;
466 mpint *y, *e, *f, *k;
467 int n, ret;
468 uchar h[SHA1dlen];
469
470 ret = -1;
471 qlock(&c->l);
472 f = mpnew(nbit);
473 k = mpnew(nbit);
474
475 /* Compute f: RFC4253 */
476 y = mprand(nbit / 8, genrandom, nil);
477 if (debug > 1)
478 sshdebug(c, "y=%M", y);
479 mpexp(two, y, grp, f);
480 if (debug > 1)
481 sshdebug(c, "f=%M", f);
482
483 /* Compute k: RFC4253 */
484 if (debug > 1)
485 dump_packet(pack1);
486 e = get_mp(pack1->payload+1);
487 if (debug > 1)
488 sshdebug(c, "e=%M", e);
489 mpexp(e, y, grp, k);
490 if (debug > 1)
491 sshdebug(c, "k=%M", k);
492
493 /* Compute H: RFC 4253 */
494 pack2 = new_packet(c);
495 sshdebug(c, "ID strings: %s---%s", c->otherid, MYID);
496 add_string(pack2, c->otherid);
497 add_string(pack2, MYID);
498 if (debug > 1) {
499 fprint(2, "received kexinit:");
500 dump_packet(c->rkexinit);
501 fprint(2, "\nsent kexinit:");
502 dump_packet(c->skexinit);
503 }
504 add_block(pack2, c->rkexinit->payload, c->rkexinit->rlength - 1);
505 add_block(pack2, c->skexinit->payload,
506 c->skexinit->rlength - c->skexinit->pad_len - 1);
507 sig = nil;
508 ks = pkas[c->pkalg]->ks(c);
509 if (ks == nil)
510 goto err;
511 add_block(pack2, ks->payload, ks->rlength - 1);
512 add_mp(pack2, e);
513 add_mp(pack2, f);
514 add_mp(pack2, k);
515 sha1(pack2->payload, pack2->rlength - 1, h, nil);
516
517 if (c->got_sessid == 0) {
518 memmove(c->sessid, h, SHA1dlen);
519 c->got_sessid = 1;
520 }
521 sig = pkas[c->pkalg]->sign(c, h, SHA1dlen);
522 if (sig == nil) {
523 sshlog(c, "failed to generate signature: %r");
524 goto err;
525 }
526
527 /* Send (K_s || f || s) to client: RFC4253 */
528 init_packet(pack2);
529 pack2->c = c;
530 add_byte(pack2, SSH_MSG_KEXDH_REPLY);
531 add_block(pack2, ks->payload, ks->rlength - 1);
532 add_mp(pack2, f);
533 add_block(pack2, sig->payload, sig->rlength - 1);
534 if (debug > 1)
535 dump_packet(pack2);
536 n = finish_packet(pack2);
537 if (debug > 1) {
538 sshdebug(c, "writing %d bytes: len %d", n, nhgetl(pack2->nlength));
539 dump_packet(pack2);
540 }
541 iowrite(c->dio, c->datafd, pack2->nlength, n);
542
543 genkeys(c, h, k);
544
545 /* Send SSH_MSG_NEWKEYS */
546 init_packet(pack2);
547 pack2->c = c;
548 add_byte(pack2, SSH_MSG_NEWKEYS);
549 n = finish_packet(pack2);
550 iowrite(c->dio, c->datafd, pack2->nlength, n);
551 ret = 0;
552 err:
553 mpfree(f);
554 mpfree(e);
555 mpfree(k);
556 mpfree(y);
557 free(sig);
558 free(ks);
559 free(pack2);
560 qunlock(&c->l);
561 return ret;
562 }
563
564 static int
dh_client11(Conn * c,Packet *)565 dh_client11(Conn *c, Packet *)
566 {
567 return dh_client1(c, p1, 128, 1024);
568 }
569
570 static int
dh_client141(Conn * c,Packet *)571 dh_client141(Conn *c, Packet *)
572 {
573 return dh_client1(c, p14, 256, 2014);
574 }
575
576 static int
dh_client1(Conn * c,mpint * grp,int nrand,int nbit)577 dh_client1(Conn *c, mpint *grp, int nrand, int nbit)
578 {
579 Packet *p;
580 int n;
581
582 if (c->e)
583 mpfree(c->e);
584 c->e = mpnew(nbit);
585
586 /* Compute e: RFC4253 */
587 if (c->x)
588 mpfree(c->x);
589 c->x = mprand(nrand, genrandom, nil);
590 mpexp(two, c->x, grp, c->e);
591
592 p = new_packet(c);
593 add_byte(p, SSH_MSG_KEXDH_INIT);
594 add_mp(p, c->e);
595 n = finish_packet(p);
596 iowrite(c->dio, c->datafd, p->nlength, n);
597 free(p);
598 return 0;
599 }
600
601 static int
findkeyinuserring(Conn * c,RSApub * srvkey)602 findkeyinuserring(Conn *c, RSApub *srvkey)
603 {
604 int n;
605 char *home, *newkey, *r;
606
607 home = getenv("home");
608 if (home == nil) {
609 newkey = "No home directory for key file";
610 free(keymbox.msg);
611 keymbox.msg = smprint("b%04ld%s", strlen(newkey), newkey);
612 return -1;
613 }
614
615 r = smprint("%s/lib/keyring", home);
616 free(home);
617 if ((n = findkey(r, c->remote, srvkey)) != KeyOk) {
618 newkey = smprint("ek=%M n=%M", srvkey->ek, srvkey->n);
619 free(keymbox.msg);
620 keymbox.msg = smprint("%c%04ld%s", n == NoKeyFile || n == NoKey?
621 'c': 'b', strlen(newkey), newkey);
622 free(newkey);
623
624 nbsendul(keymbox.mchan, 1);
625 recvul(keymbox.mchan);
626 if (keymbox.msg == nil || keymbox.msg[0] == 'n') {
627 free(keymbox.msg);
628 keymbox.msg = nil;
629 newkey = "Server key reject";
630 keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey);
631 return -1;
632 }
633 sshdebug(c, "adding key");
634 if (keymbox.msg[0] == 'y')
635 appendkey(r, c->remote, srvkey);
636 else if (keymbox.msg[0] == 'r')
637 replacekey(r, c->remote, srvkey);
638 }
639 free(r);
640 return 0;
641 }
642
643 static int
verifyhostkey(Conn * c,RSApub * srvkey,Packet * sig)644 verifyhostkey(Conn *c, RSApub *srvkey, Packet *sig)
645 {
646 int fd, n;
647 char *newkey;
648 uchar h[SHA1dlen];
649
650 sshdebug(c, "verifying server signature");
651 if (findkey("/sys/lib/ssh/keyring", c->remote, srvkey) != KeyOk &&
652 findkeyinuserring(c, srvkey) < 0) {
653 nbsendul(keymbox.mchan, 1);
654 mpfree(srvkey->ek);
655 mpfree(srvkey->n);
656 return Errnokey;
657 }
658
659 newkey = smprint("key proto=rsa role=verify sys=%s size=%d ek=%M n=%M",
660 c->remote, mpsignif(srvkey->n), srvkey->ek, srvkey->n);
661 if (newkey == nil) {
662 sshlog(c, "out of memory");
663 threadexits("out of memory");
664 }
665
666 fd = open("/mnt/factotum/ctl", OWRITE);
667 if (fd >= 0)
668 write(fd, newkey, strlen(newkey));
669 /* leave fd open */
670 else
671 sshdebug(c, "factotum open failed: %r");
672
673 free(newkey);
674 mpfree(srvkey->ek);
675 mpfree(srvkey->n);
676 free(keymbox.msg);
677 keymbox.msg = nil;
678
679 n = pkas[c->pkalg]->verify(c, h, SHA1dlen, nil, (char *)sig->payload,
680 sig->rlength);
681
682 /* fd is perhaps still open */
683 if (fd >= 0) {
684 /* sys here is a dotted-quad ip address */
685 newkey = smprint("delkey proto=rsa role=verify sys=%s",
686 c->remote);
687 if (newkey) {
688 seek(fd, 0, 0);
689 write(fd, newkey, strlen(newkey));
690 free(newkey);
691 }
692 close(fd);
693 }
694 return n;
695 }
696
697 static int
dh_client12(Conn * c,Packet * p)698 dh_client12(Conn *c, Packet *p)
699 {
700 return dh_client2(c, p, p1, 1024);
701 }
702
703 static int
dh_client142(Conn * c,Packet * p)704 dh_client142(Conn *c, Packet *p)
705 {
706 return dh_client2(c, p, p14, 2048);
707 }
708
709 static int
dh_client2(Conn * c,Packet * p,mpint * grp,int nbits)710 dh_client2(Conn *c, Packet *p, mpint *grp, int nbits)
711 {
712 int n, retval;
713 #ifdef VERIFYKEYS
714 char *newkey;
715 #endif
716 char buf[10];
717 uchar *q;
718 uchar h[SHA1dlen];
719 mpint *f, *k;
720 Packet *ks, *sig, *pack2;
721 RSApub *srvkey;
722
723 ks = new_packet(c);
724 sig = new_packet(c);
725 pack2 = new_packet(c);
726
727 q = get_string(p, p->payload+1, (char *)ks->payload, Maxpktpay, &n);
728 ks->rlength = n + 1;
729 f = get_mp(q);
730 q += nhgetl(q) + 4;
731 get_string(p, q, (char *)sig->payload, Maxpktpay, &n);
732 sig->rlength = n;
733 k = mpnew(nbits);
734 mpexp(f, c->x, grp, k);
735
736 /* Compute H: RFC 4253 */
737 init_packet(pack2);
738 pack2->c = c;
739 if (debug > 1)
740 sshdebug(c, "ID strings: %s---%s", c->otherid, MYID);
741 add_string(pack2, MYID);
742 add_string(pack2, c->otherid);
743 if (debug > 1) {
744 fprint(2, "received kexinit:");
745 dump_packet(c->rkexinit);
746 fprint(2, "\nsent kexinit:");
747 dump_packet(c->skexinit);
748 }
749 add_block(pack2, c->skexinit->payload,
750 c->skexinit->rlength - c->skexinit->pad_len - 1);
751 add_block(pack2, c->rkexinit->payload, c->rkexinit->rlength - 1);
752 add_block(pack2, ks->payload, ks->rlength - 1);
753 add_mp(pack2, c->e);
754 add_mp(pack2, f);
755 add_mp(pack2, k);
756 sha1(pack2->payload, pack2->rlength - 1, h, nil);
757 mpfree(f);
758
759 if (c->got_sessid == 0) {
760 memmove(c->sessid, h, SHA1dlen);
761 c->got_sessid = 1;
762 }
763
764 q = get_string(ks, ks->payload, buf, sizeof buf, nil);
765 srvkey = emalloc9p(sizeof (RSApub));
766 srvkey->ek = get_mp(q);
767 q += nhgetl(q) + 4;
768 srvkey->n = get_mp(q);
769
770 /*
771 * key verification is really pretty pedantic and
772 * not doing it lets us talk to ssh v1 implementations.
773 */
774 if (nokeyverify)
775 n = Errnone;
776 else
777 n = verifyhostkey(c, srvkey, sig);
778 retval = -1;
779 USED(retval);
780 switch (n) {
781 #ifdef VERIFYKEYS
782 case Errnokey:
783 goto out;
784 case Errnoverify:
785 newkey = "signature verification failed; try netssh -v";
786 keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey);
787 break;
788 case Errfactotum:
789 newkey = "factotum dialogue failed; try netssh -v";
790 keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey);
791 break;
792 case Errnone:
793 #else
794 default:
795 #endif
796 keymbox.msg = smprint("o0000");
797 retval = 0;
798 break;
799 }
800 nbsendul(keymbox.mchan, 1);
801 if (retval == 0)
802 genkeys(c, h, k);
803 #ifdef VERIFYKEYS
804 out:
805 #endif
806 mpfree(k);
807 free(ks);
808 free(sig);
809 free(pack2);
810 free(srvkey);
811 return retval;
812 }
813
814 static void
initsha1pkt(Packet * pack2,mpint * k,uchar * h)815 initsha1pkt(Packet *pack2, mpint *k, uchar *h)
816 {
817 init_packet(pack2);
818 add_mp(pack2, k);
819 add_packet(pack2, h, SHA1dlen);
820 }
821
822 static void
genkeys(Conn * c,uchar h[],mpint * k)823 genkeys(Conn *c, uchar h[], mpint *k)
824 {
825 Packet *pack2;
826 char buf[82], *bp, *be; /* magic 82 */
827 int n;
828
829 pack2 = new_packet(c);
830 /* Compute 40 bytes (320 bits) of keys: each alg can use what it needs */
831
832 /* Client to server IV */
833 if (debug > 1) {
834 fprint(2, "k=%M\nh=", k);
835 for (n = 0; n < SHA1dlen; ++n)
836 fprint(2, "%02ux", h[n]);
837 fprint(2, "\nsessid=");
838 for (n = 0; n < SHA1dlen; ++n)
839 fprint(2, "%02ux", c->sessid[n]);
840 fprint(2, "\n");
841 }
842 initsha1pkt(pack2, k, h);
843 add_byte(pack2, 'A');
844 add_packet(pack2, c->sessid, SHA1dlen);
845 sha1(pack2->payload, pack2->rlength - 1, c->nc2siv, nil);
846 initsha1pkt(pack2, k, h);
847 add_packet(pack2, c->nc2siv, SHA1dlen);
848 sha1(pack2->payload, pack2->rlength - 1, c->nc2siv + SHA1dlen, nil);
849
850 /* Server to client IV */
851 initsha1pkt(pack2, k, h);
852 add_byte(pack2, 'B');
853 add_packet(pack2, c->sessid, SHA1dlen);
854 sha1(pack2->payload, pack2->rlength - 1, c->ns2civ, nil);
855 initsha1pkt(pack2, k, h);
856 add_packet(pack2, c->ns2civ, SHA1dlen);
857 sha1(pack2->payload, pack2->rlength - 1, c->ns2civ + SHA1dlen, nil);
858
859 /* Client to server encryption key */
860 initsha1pkt(pack2, k, h);
861 add_byte(pack2, 'C');
862 add_packet(pack2, c->sessid, SHA1dlen);
863 sha1(pack2->payload, pack2->rlength - 1, c->nc2sek, nil);
864 initsha1pkt(pack2, k, h);
865 add_packet(pack2, c->nc2sek, SHA1dlen);
866 sha1(pack2->payload, pack2->rlength - 1, c->nc2sek + SHA1dlen, nil);
867
868 /* Server to client encryption key */
869 initsha1pkt(pack2, k, h);
870 add_byte(pack2, 'D');
871 add_packet(pack2, c->sessid, SHA1dlen);
872 sha1(pack2->payload, pack2->rlength - 1, c->ns2cek, nil);
873 initsha1pkt(pack2, k, h);
874 add_packet(pack2, c->ns2cek, SHA1dlen);
875 sha1(pack2->payload, pack2->rlength - 1, c->ns2cek + SHA1dlen, nil);
876
877 /* Client to server integrity key */
878 initsha1pkt(pack2, k, h);
879 add_byte(pack2, 'E');
880 add_packet(pack2, c->sessid, SHA1dlen);
881 sha1(pack2->payload, pack2->rlength - 1, c->nc2sik, nil);
882 initsha1pkt(pack2, k, h);
883 add_packet(pack2, c->nc2sik, SHA1dlen);
884 sha1(pack2->payload, pack2->rlength - 1, c->nc2sik + SHA1dlen, nil);
885
886 /* Server to client integrity key */
887 initsha1pkt(pack2, k, h);
888 add_byte(pack2, 'F');
889 add_packet(pack2, c->sessid, SHA1dlen);
890 sha1(pack2->payload, pack2->rlength - 1, c->ns2cik, nil);
891 initsha1pkt(pack2, k, h);
892 add_packet(pack2, c->ns2cik, SHA1dlen);
893 sha1(pack2->payload, pack2->rlength - 1, c->ns2cik + SHA1dlen, nil);
894
895 if (debug > 1) {
896 be = buf + sizeof buf;
897 fprint(2, "Client to server IV:\n");
898 for (n = 0, bp = buf; n < SHA1dlen*2; ++n)
899 bp = seprint(bp, be, "%02x", c->nc2siv[n]);
900 fprint(2, "%s\n", buf);
901
902 fprint(2, "Server to client IV:\n");
903 for (n = 0, bp = buf; n < SHA1dlen*2; ++n)
904 bp = seprint(bp, be, "%02x", c->ns2civ[n]);
905 fprint(2, "%s\n", buf);
906
907 fprint(2, "Client to server EK:\n");
908 for (n = 0, bp = buf; n < SHA1dlen*2; ++n)
909 bp = seprint(bp, be, "%02x", c->nc2sek[n]);
910 fprint(2, "%s\n", buf);
911
912 fprint(2, "Server to client EK:\n");
913 for (n = 0, bp = buf; n < SHA1dlen*2; ++n)
914 bp = seprint(bp, be, "%02x", c->ns2cek[n]);
915 fprint(2, "%s\n", buf);
916 }
917 free(pack2);
918 }
919
920 Kex dh1sha1 = {
921 "diffie-hellman-group1-sha1",
922 dh_server1,
923 dh_client11,
924 dh_client12
925 };
926
927 Kex dh14sha1 = {
928 "diffie-hellman-group14-sha1",
929 dh_server14,
930 dh_client141,
931 dh_client142
932 };
933
934 PKA rsa_pka = {
935 "ssh-rsa",
936 rsa_ks,
937 rsa_sign,
938 rsa_verify
939 };
940
941 PKA dss_pka = {
942 "ssh-dss",
943 dss_ks,
944 dss_sign,
945 dss_verify
946 };
947