1 #include <u.h> 2 #include <libc.h> 3 #include <mp.h> 4 #include <libsec.h> 5 #include <fcall.h> 6 #include <thread.h> 7 #include <9p.h> 8 #include <auth.h> 9 #include <ip.h> 10 #include <pool.h> 11 #include "netssh.h" 12 13 static int dh_server(Conn *, Packet *, mpint *, int); 14 static void genkeys(Conn *, uchar [], mpint *); 15 16 /* 17 * Second Oakley Group from RFC 2409 18 */ 19 static char *group1p = 20 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" 21 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" 22 "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" 23 "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" 24 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" 25 "FFFFFFFFFFFFFFFF"; 26 27 /* 28 * 2048-bit MODP group (id 14) from RFC 3526 29 */ 30 static char *group14p = 31 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" 32 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" 33 "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" 34 "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" 35 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" 36 "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" 37 "83655D23DCA3AD961C62F356208552BB9ED529077096966D" 38 "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" 39 "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" 40 "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" 41 "15728E5A8AACAA68FFFFFFFFFFFFFFFF"; 42 43 mpint *two, *p1, *p14; 44 int nokeyverify; 45 46 static DSApriv mydsskey; 47 static RSApriv myrsakey; 48 49 void 50 dh_init(PKA *pkas[]) 51 { 52 char *buf, *p, *st, *end; 53 int fd, n, k; 54 55 if(debug > 1) 56 sshdebug(nil, "dh_init"); 57 k = 0; 58 pkas[k] = nil; 59 fmtinstall('M', mpfmt); 60 two = strtomp("2", nil, 10, nil); 61 p1 = strtomp(group1p, nil, 16, nil); 62 p14 = strtomp(group14p, nil, 16, nil); 63 64 /* 65 * this really should be done through factotum 66 */ 67 p = getenv("rsakey"); 68 if (p != nil) { 69 remove("/env/rsakey"); 70 st = buf = p; 71 end = buf + strlen(p); 72 } else { 73 /* 74 * it would be better to use bio and rdline here instead of 75 * reading all of factotum's contents into memory at once. 76 */ 77 buf = emalloc9p(Maxfactotum); 78 fd = open("rsakey", OREAD); 79 if (fd < 0 && (fd = open("/mnt/factotum/ctl", OREAD)) < 0) 80 goto norsa; 81 n = readn(fd, buf, Maxfactotum - 1); 82 buf[n >= 0? n: 0] = 0; 83 close(fd); 84 assert(n < Maxfactotum - 1); 85 86 st = strstr(buf, "proto=rsa"); 87 if (st == nil) { 88 sshlog(nil, "no proto=rsa key in factotum"); 89 goto norsa; 90 } 91 end = st; 92 for (; st > buf && *st != '\n'; --st) 93 ; 94 for (; end < buf + Maxfactotum && *end != '\n'; ++end) 95 ; 96 } 97 p = strstr(st, " n="); 98 if (p == nil || p > end) { 99 sshlog(nil, "no key (n) found"); 100 free(buf); 101 return; 102 } 103 myrsakey.pub.n = strtomp(p+3, nil, 16, nil); 104 if (debug > 1) 105 sshdebug(nil, "n=%M", myrsakey.pub.n); 106 p = strstr(st, " ek="); 107 if (p == nil || p > end) { 108 sshlog(nil, "no key (ek) found"); 109 free(buf); 110 return; 111 } 112 pkas[k++] = &rsa_pka; 113 pkas[k] = nil; 114 myrsakey.pub.ek = strtomp(p+4, nil, 16, nil); 115 if (debug > 1) 116 sshdebug(nil, "ek=%M", myrsakey.pub.ek); 117 p = strstr(st, " !dk="); 118 if (p == nil) { 119 p = strstr(st, "!dk?"); 120 if (p == nil || p > end) { 121 // sshlog(nil, "no key (dk) found"); 122 free(buf); 123 return; 124 } 125 goto norsa; 126 } 127 myrsakey.dk = strtomp(p+5, nil, 16, nil); 128 if (debug > 1) 129 sshdebug(nil, "dk=%M", myrsakey.dk); 130 norsa: 131 free(buf); 132 133 p = getenv("dsskey"); 134 if (p != nil) { 135 remove("/env/dsskey"); 136 buf = p; 137 end = buf + strlen(p); 138 } else { 139 /* 140 * it would be better to use bio and rdline here instead of 141 * reading all of factotum's contents into memory at once. 142 */ 143 buf = emalloc9p(Maxfactotum); 144 fd = open("dsskey", OREAD); 145 if (fd < 0 && (fd = open("/mnt/factotum/ctl", OREAD)) < 0) 146 return; 147 n = readn(fd, buf, Maxfactotum - 1); 148 buf[n >= 0? n: 0] = 0; 149 close(fd); 150 assert(n < Maxfactotum - 1); 151 152 st = strstr(buf, "proto=dsa"); 153 if (st == nil) { 154 sshlog(nil, "no proto=dsa key in factotum"); 155 free(buf); 156 return; 157 } 158 end = st; 159 for (; st > buf && *st != '\n'; --st) 160 ; 161 for (; end < buf + Maxfactotum && *end != '\n'; ++end) 162 ; 163 } 164 p = strstr(buf, " p="); 165 if (p == nil || p > end) { 166 sshlog(nil, "no key (p) found"); 167 free(buf); 168 return; 169 } 170 mydsskey.pub.p = strtomp(p+3, nil, 16, nil); 171 p = strstr(buf, " q="); 172 if (p == nil || p > end) { 173 sshlog(nil, "no key (q) found"); 174 free(buf); 175 return; 176 } 177 mydsskey.pub.q = strtomp(p+3, nil, 16, nil); 178 p = strstr(buf, " alpha="); 179 if (p == nil || p > end) { 180 sshlog(nil, "no key (g) found"); 181 free(buf); 182 return; 183 } 184 mydsskey.pub.alpha = strtomp(p+7, nil, 16, nil); 185 p = strstr(buf, " key="); 186 if (p == nil || p > end) { 187 sshlog(nil, "no key (y) found"); 188 free(buf); 189 return; 190 } 191 mydsskey.pub.key = strtomp(p+5, nil, 16, nil); 192 pkas[k++] = &dss_pka; 193 pkas[k] = nil; 194 p = strstr(buf, " !secret="); 195 if (p == nil) { 196 p = strstr(buf, "!secret?"); 197 if (p == nil || p > end) 198 sshlog(nil, "no key (x) found"); 199 free(buf); 200 return; 201 } 202 mydsskey.secret = strtomp(p+9, nil, 16, nil); 203 free(buf); 204 } 205 206 static Packet * 207 rsa_ks(Conn *c) 208 { 209 Packet *ks; 210 211 if (myrsakey.pub.ek == nil || myrsakey.pub.n == nil) { 212 sshlog(c, "no public RSA key info"); 213 return nil; 214 } 215 ks = new_packet(c); 216 add_string(ks, "ssh-rsa"); 217 add_mp(ks, myrsakey.pub.ek); 218 add_mp(ks, myrsakey.pub.n); 219 return ks; 220 } 221 222 static void 223 esma_encode(uchar *h, uchar *em, int nb) 224 { 225 int n, i; 226 uchar hh[SHA1dlen]; 227 static uchar sha1der[] = { 228 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 229 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 230 }; 231 232 sha1(h, SHA1dlen, hh, nil); 233 n = nb - (nelem(sha1der) + SHA1dlen) - 3; 234 i = 0; 235 em[i++] = 0; 236 em[i++] = 1; 237 memset(em + i, 0xff, n); 238 i += n; 239 em[i++] = 0; 240 memmove(em + i, sha1der, sizeof sha1der); 241 i += sizeof sha1der; 242 memmove(em + i, hh, SHA1dlen); 243 } 244 245 static Packet * 246 rsa_sign(Conn *c, uchar *m, int nm) 247 { 248 AuthRpc *ar; 249 Packet *sig; 250 mpint *s, *mm; 251 int fd, n, nbit; 252 uchar hh[SHA1dlen]; 253 uchar *sstr, *em; 254 255 if (myrsakey.dk) { 256 nbit = mpsignif (myrsakey.pub.n); 257 n = (nbit + 7) / 8; 258 sstr = emalloc9p(n); 259 em = emalloc9p(n); 260 /* Compute s: RFC 3447 */ 261 esma_encode(m, em, n); 262 mm = betomp(em, n, nil); 263 s = mpnew(nbit); 264 mpexp(mm, myrsakey.dk, myrsakey.pub.n, s); 265 mptobe(s, sstr, n, nil); 266 mpfree(mm); 267 mpfree(s); 268 free(em); 269 } else { 270 fd = open("/mnt/factotum/rpc", ORDWR); 271 if (fd < 0) 272 return nil; 273 sha1(m, nm, hh, nil); 274 ar = auth_allocrpc(fd); 275 if (ar == nil || 276 auth_rpc(ar, "start", "role=sign proto=rsa", 19) != ARok || 277 auth_rpc(ar, "write", hh, SHA1dlen) != ARok || 278 auth_rpc(ar, "read", nil, 0) != ARok || 279 ar->arg == nil) { 280 sshdebug(c, "got error in factotum: %r"); 281 auth_freerpc(ar); 282 close(fd); 283 return nil; 284 } 285 sstr = emalloc9p(ar->narg); 286 memmove(sstr, ar->arg, ar->narg); 287 n = ar->narg; 288 289 auth_freerpc(ar); 290 close(fd); 291 } 292 sig = new_packet(c); 293 add_string(sig, pkas[c->pkalg]->name); 294 add_block(sig, sstr, n); 295 free(sstr); 296 return sig; 297 } 298 299 /* 300 * 0 - If factotum failed, e.g. no key 301 * 1 - If key is verified 302 * -1 - If factotum found a key, but the verification fails 303 */ 304 static int 305 rsa_verify(Conn *c, uchar *m, int nm, char *user, char *sig, int) 306 { 307 int fd, n, retval, nbit; 308 char *buf, *p, *sigblob; 309 uchar *sstr, *em; 310 uchar hh[SHA1dlen]; 311 mpint *s, *mm, *rsa_exponent, *host_modulus; 312 AuthRpc *ar; 313 314 sshdebug(c, "in rsa_verify for connection: %d", c->id); 315 SET(rsa_exponent, host_modulus); 316 USED(rsa_exponent, host_modulus); 317 if (0 && rsa_exponent) { 318 nbit = mpsignif(host_modulus); 319 n = (nbit + 7) / 8; 320 em = emalloc9p(n); 321 /* Compute s: RFC 3447 */ 322 esma_encode(m, em, n); 323 mm = betomp(em, n, nil); 324 s = mpnew(1024); 325 mpexp(mm, rsa_exponent, host_modulus, s); 326 sstr = emalloc9p(n); 327 mptobe(s, sstr, n, nil); 328 free(em); 329 mpfree(mm); 330 mpfree(s); 331 retval = memcmp(sig, sstr, n); 332 free(sstr); 333 retval = (retval == 0); 334 } else { 335 retval = 1; 336 fd = open("/mnt/factotum/rpc", ORDWR); 337 if (fd < 0) { 338 sshdebug(c, "could not open factotum RPC: %r"); 339 return 0; 340 } 341 buf = emalloc9p(Blobsz / 2); 342 sigblob = emalloc9p(Blobsz); 343 p = (char *)get_string(nil, (uchar *)sig, buf, Blobsz / 2, nil); 344 get_string(nil, (uchar *)p, sigblob, Blobsz, &n); 345 sha1(m, nm, hh, nil); 346 if (user != nil) 347 p = smprint("role=verify proto=rsa user=%s", user); 348 else 349 p = smprint("role=verify proto=rsa sys=%s", c->remote); 350 351 ar = auth_allocrpc(fd); 352 if (ar == nil || auth_rpc(ar, "start", p, strlen(p)) != ARok || 353 auth_rpc(ar, "write", hh, SHA1dlen) != ARok || 354 auth_rpc(ar, "write", sigblob, n) != ARok || 355 auth_rpc(ar, "read", nil, 0) != ARok) { 356 sshdebug(c, "got error in factotum: %r"); 357 retval = 0; 358 } else { 359 sshdebug(c, "factotum returned %s", ar->ibuf); 360 if (strstr(ar->ibuf, "does not verify") != nil) 361 retval = -1; 362 } 363 if (ar != nil) 364 auth_freerpc(ar); 365 free(p); 366 close(fd); 367 free(sigblob); 368 free(buf); 369 } 370 return retval; 371 } 372 373 static Packet * 374 dss_ks(Conn *c) 375 { 376 Packet *ks; 377 378 if (mydsskey.pub.p == nil) 379 return nil; 380 ks = new_packet(c); 381 add_string(ks, "ssh-dss"); 382 add_mp(ks, mydsskey.pub.p); 383 add_mp(ks, mydsskey.pub.q); 384 add_mp(ks, mydsskey.pub.alpha); 385 add_mp(ks, mydsskey.pub.key); 386 return ks; 387 } 388 389 static Packet * 390 dss_sign(Conn *c, uchar *m, int nm) 391 { 392 AuthRpc *ar; 393 DSAsig *s; 394 Packet *sig; 395 mpint *mm; 396 int fd; 397 uchar sstr[2*SHA1dlen]; 398 399 sha1(m, nm, sstr, nil); 400 sig = new_packet(c); 401 add_string(sig, pkas[c->pkalg]->name); 402 if (mydsskey.secret) { 403 mm = betomp(sstr, SHA1dlen, nil); 404 s = dsasign(&mydsskey, mm); 405 mptobe(s->r, sstr, SHA1dlen, nil); 406 mptobe(s->s, sstr+SHA1dlen, SHA1dlen, nil); 407 dsasigfree(s); 408 mpfree(mm); 409 } else { 410 fd = open("/mnt/factotum/rpc", ORDWR); 411 if (fd < 0) 412 return nil; 413 ar = auth_allocrpc(fd); 414 if (ar == nil || 415 auth_rpc(ar, "start", "role=sign proto=dsa", 19) != ARok || 416 auth_rpc(ar, "write", sstr, SHA1dlen) != ARok || 417 auth_rpc(ar, "read", nil, 0) != ARok) { 418 sshdebug(c, "got error in factotum: %r"); 419 auth_freerpc(ar); 420 close(fd); 421 return nil; 422 } 423 memmove(sstr, ar->arg, ar->narg); 424 auth_freerpc(ar); 425 close(fd); 426 } 427 add_block(sig, sstr, 2*SHA1dlen); 428 return sig; 429 } 430 431 static int 432 dss_verify(Conn *c, uchar *m, int nm, char *user, char *sig, int nsig) 433 { 434 sshdebug(c, "in dss_verify for connection: %d", c->id); 435 USED(m, nm, user, sig, nsig); 436 return 0; 437 } 438 439 static int 440 dh_server1(Conn *c, Packet *pack1) 441 { 442 return dh_server(c, pack1, p1, 1024); 443 } 444 445 static int 446 dh_server14(Conn *c, Packet *pack1) 447 { 448 return dh_server(c, pack1, p14, 2048); 449 } 450 451 static int 452 dh_server(Conn *c, Packet *pack1, mpint *grp, int nbit) 453 { 454 Packet *pack2, *ks, *sig; 455 mpint *y, *e, *f, *k; 456 int n, ret; 457 uchar h[SHA1dlen]; 458 459 ret = -1; 460 qlock(&c->l); 461 f = mpnew(nbit); 462 k = mpnew(nbit); 463 464 /* Compute f: RFC4253 */ 465 y = mprand(nbit / 8, genrandom, nil); 466 if (debug > 1) 467 sshdebug(c, "y=%M", y); 468 mpexp(two, y, grp, f); 469 if (debug > 1) 470 sshdebug(c, "f=%M", f); 471 472 /* Compute k: RFC4253 */ 473 if (debug > 1) 474 dump_packet(pack1); 475 e = get_mp(pack1->payload+1); 476 if (debug > 1) 477 sshdebug(c, "e=%M", e); 478 mpexp(e, y, grp, k); 479 if (debug > 1) 480 sshdebug(c, "k=%M", k); 481 482 /* Compute H: RFC 4253 */ 483 pack2 = new_packet(c); 484 sshdebug(c, "ID strings: %s---%s", c->otherid, MYID); 485 add_string(pack2, c->otherid); 486 add_string(pack2, MYID); 487 if (debug > 1) { 488 fprint(2, "received kexinit:"); 489 dump_packet(c->rkexinit); 490 fprint(2, "\nsent kexinit:"); 491 dump_packet(c->skexinit); 492 } 493 add_block(pack2, c->rkexinit->payload, c->rkexinit->rlength - 1); 494 add_block(pack2, c->skexinit->payload, 495 c->skexinit->rlength - c->skexinit->pad_len - 1); 496 sig = nil; 497 ks = pkas[c->pkalg]->ks(c); 498 if (ks == nil) 499 goto err; 500 add_block(pack2, ks->payload, ks->rlength - 1); 501 add_mp(pack2, e); 502 add_mp(pack2, f); 503 add_mp(pack2, k); 504 sha1(pack2->payload, pack2->rlength - 1, h, nil); 505 506 if (c->got_sessid == 0) { 507 memmove(c->sessid, h, SHA1dlen); 508 c->got_sessid = 1; 509 } 510 sig = pkas[c->pkalg]->sign(c, h, SHA1dlen); 511 if (sig == nil) { 512 sshlog(c, "failed to generate signature: %r"); 513 goto err; 514 } 515 516 /* Send (K_s || f || s) to client: RFC4253 */ 517 init_packet(pack2); 518 pack2->c = c; 519 add_byte(pack2, SSH_MSG_KEXDH_REPLY); 520 add_block(pack2, ks->payload, ks->rlength - 1); 521 add_mp(pack2, f); 522 add_block(pack2, sig->payload, sig->rlength - 1); 523 if (debug > 1) 524 dump_packet(pack2); 525 n = finish_packet(pack2); 526 if (debug > 1) { 527 sshdebug(c, "writing %d bytes: len %d", n, nhgetl(pack2->nlength)); 528 dump_packet(pack2); 529 } 530 iowrite(c->dio, c->datafd, pack2->nlength, n); 531 532 genkeys(c, h, k); 533 534 /* Send SSH_MSG_NEWKEYS */ 535 init_packet(pack2); 536 pack2->c = c; 537 add_byte(pack2, SSH_MSG_NEWKEYS); 538 n = finish_packet(pack2); 539 iowrite(c->dio, c->datafd, pack2->nlength, n); 540 ret = 0; 541 err: 542 mpfree(f); 543 mpfree(e); 544 mpfree(k); 545 mpfree(y); 546 free(sig); 547 free(ks); 548 free(pack2); 549 qunlock(&c->l); 550 return ret; 551 } 552 553 static int 554 dh_client11(Conn *c, Packet *) 555 { 556 Packet *p; 557 int n; 558 559 if (c->e) 560 mpfree(c->e); 561 c->e = mpnew(1024); 562 563 /* Compute e: RFC4253 */ 564 if (c->x) 565 mpfree(c->x); 566 c->x = mprand(128, genrandom, nil); 567 mpexp(two, c->x, p1, c->e); 568 569 p = new_packet(c); 570 add_byte(p, SSH_MSG_KEXDH_INIT); 571 add_mp(p, c->e); 572 n = finish_packet(p); 573 iowrite(c->dio, c->datafd, p->nlength, n); 574 free(p); 575 return 0; 576 } 577 578 static int 579 findkeyinuserring(Conn *c, RSApub *srvkey) 580 { 581 int n; 582 char *home, *newkey, *r; 583 584 home = getenv("home"); 585 if (home == nil) { 586 newkey = "No home directory for key file"; 587 free(keymbox.msg); 588 keymbox.msg = smprint("b%04ld%s", strlen(newkey), newkey); 589 return -1; 590 } 591 592 r = smprint("%s/lib/keyring", home); 593 free(home); 594 if ((n = findkey(r, c->remote, srvkey)) != KeyOk) { 595 newkey = smprint("ek=%M n=%M", srvkey->ek, srvkey->n); 596 free(keymbox.msg); 597 keymbox.msg = smprint("%c%04ld%s", n == NoKeyFile || n == NoKey? 598 'c': 'b', strlen(newkey), newkey); 599 free(newkey); 600 601 nbsendul(keymbox.mchan, 1); 602 recvul(keymbox.mchan); 603 if (keymbox.msg == nil || keymbox.msg[0] == 'n') { 604 free(keymbox.msg); 605 keymbox.msg = nil; 606 newkey = "Server key reject"; 607 keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey); 608 return -1; 609 } 610 sshdebug(c, "adding key"); 611 if (keymbox.msg[0] == 'y') 612 appendkey(r, c->remote, srvkey); 613 else if (keymbox.msg[0] == 'r') 614 replacekey(r, c->remote, srvkey); 615 } 616 free(r); 617 return 0; 618 } 619 620 static int 621 verifyhostkey(Conn *c, RSApub *srvkey, Packet *sig) 622 { 623 int fd, n; 624 char *newkey; 625 uchar h[SHA1dlen]; 626 627 sshdebug(c, "verifying server signature"); 628 if (findkey("/sys/lib/ssh/keyring", c->remote, srvkey) != KeyOk && 629 findkeyinuserring(c, srvkey) < 0) { 630 nbsendul(keymbox.mchan, 1); 631 mpfree(srvkey->ek); 632 mpfree(srvkey->n); 633 return -2; 634 } 635 636 newkey = smprint("key proto=rsa role=verify sys=%s size=%d ek=%M n=%M", 637 c->remote, mpsignif(srvkey->n), srvkey->ek, srvkey->n); 638 if (newkey == nil) { 639 sshlog(c, "out of memory"); 640 exits("out of memory"); 641 } 642 643 fd = open("/mnt/factotum/ctl", OWRITE); 644 if (fd >= 0) 645 write(fd, newkey, strlen(newkey)); 646 /* leave fd open */ 647 else 648 sshdebug(c, "factotum open failed: %r"); 649 650 free(newkey); 651 mpfree(srvkey->ek); 652 mpfree(srvkey->n); 653 free(keymbox.msg); 654 keymbox.msg = nil; 655 656 n = pkas[c->pkalg]->verify(c, h, SHA1dlen, nil, (char *)sig->payload, 657 sig->rlength); 658 659 /* fd is perhaps still open */ 660 if (fd >= 0) { 661 /* sys here is a dotted-quad ip address */ 662 newkey = smprint("delkey proto=rsa role=verify sys=%s", 663 c->remote); 664 if (newkey) { 665 seek(fd, 0, 0); 666 write(fd, newkey, strlen(newkey)); 667 free(newkey); 668 } 669 close(fd); 670 } 671 return n; 672 } 673 674 static int 675 dh_client12(Conn *c, Packet *p) 676 { 677 int n, retval; 678 char *newkey; 679 char buf[10]; 680 uchar *q; 681 uchar h[SHA1dlen]; 682 mpint *f, *k; 683 Packet *ks, *sig, *pack2; 684 RSApub *srvkey; 685 686 retval = -1; 687 ks = new_packet(c); 688 sig = new_packet(c); 689 pack2 = new_packet(c); 690 691 q = get_string(p, p->payload+1, (char *)ks->payload, Maxpktpay, &n); 692 ks->rlength = n + 1; 693 f = get_mp(q); 694 q += nhgetl(q) + 4; 695 get_string(p, q, (char *)sig->payload, Maxpktpay, &n); 696 sig->rlength = n; 697 k = mpnew(1024); 698 mpexp(f, c->x, p1, k); 699 700 /* Compute H: RFC 4253 */ 701 init_packet(pack2); 702 pack2->c = c; 703 if (debug > 1) 704 sshdebug(c, "ID strings: %s---%s", c->otherid, MYID); 705 add_string(pack2, MYID); 706 add_string(pack2, c->otherid); 707 if (debug > 1) { 708 fprint(2, "received kexinit:"); 709 dump_packet(c->rkexinit); 710 fprint(2, "\nsent kexinit:"); 711 dump_packet(c->skexinit); 712 } 713 add_block(pack2, c->skexinit->payload, 714 c->skexinit->rlength - c->skexinit->pad_len - 1); 715 add_block(pack2, c->rkexinit->payload, c->rkexinit->rlength - 1); 716 add_block(pack2, ks->payload, ks->rlength - 1); 717 add_mp(pack2, c->e); 718 add_mp(pack2, f); 719 add_mp(pack2, k); 720 sha1(pack2->payload, pack2->rlength - 1, h, nil); 721 mpfree(f); 722 723 if (c->got_sessid == 0) { 724 memmove(c->sessid, h, SHA1dlen); 725 c->got_sessid = 1; 726 } 727 728 q = get_string(ks, ks->payload, buf, sizeof buf, nil); 729 srvkey = emalloc9p(sizeof (RSApub)); 730 srvkey->ek = get_mp(q); 731 q += nhgetl(q) + 4; 732 srvkey->n = get_mp(q); 733 734 /* 735 * key verification is really pretty pedantic and 736 * not doing it lets us talk to ssh v1 implementations. 737 */ 738 if (nokeyverify) 739 n = 1; 740 else 741 n = verifyhostkey(c, srvkey, sig); 742 switch (n) { 743 case -2: 744 goto out; 745 case -1: 746 newkey = "Signature verification failed; try ssh -v"; 747 keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey); 748 break; 749 case 0: 750 newkey = "Key verification dialog failed; try ssh -v"; 751 keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey); 752 break; 753 case 1: 754 keymbox.msg = smprint("o0000"); 755 retval = 0; 756 break; 757 } 758 nbsendul(keymbox.mchan, 1); 759 if (retval == 0) 760 genkeys(c, h, k); 761 out: 762 mpfree(k); 763 free(ks); 764 free(sig); 765 free(pack2); 766 free(srvkey); 767 return retval; 768 } 769 770 static int 771 dh_client141(Conn *c, Packet *) 772 { 773 Packet *p; 774 mpint *e, *x; 775 int n; 776 777 /* Compute e: RFC4253 */ 778 e = mpnew(2048); 779 x = mprand(256, genrandom, nil); 780 mpexp(two, x, p14, e); 781 p = new_packet(c); 782 add_byte(p, SSH_MSG_KEXDH_INIT); 783 add_mp(p, e); 784 n = finish_packet(p); 785 iowrite(c->dio, c->datafd, p->nlength, n); 786 free(p); 787 mpfree(e); 788 mpfree(x); 789 return 0; 790 } 791 792 static int 793 dh_client142(Conn *, Packet *) 794 { 795 return 0; 796 } 797 798 static void 799 initsha1pkt(Packet *pack2, mpint *k, uchar *h) 800 { 801 init_packet(pack2); 802 add_mp(pack2, k); 803 add_packet(pack2, h, SHA1dlen); 804 } 805 806 static void 807 genkeys(Conn *c, uchar h[], mpint *k) 808 { 809 Packet *pack2; 810 char buf[82], *bp, *be; /* magic 82 */ 811 int n; 812 813 pack2 = new_packet(c); 814 /* Compute 40 bytes (320 bits) of keys: each alg can use what it needs */ 815 816 /* Client to server IV */ 817 if (debug > 1) { 818 fprint(2, "k=%M\nh=", k); 819 for (n = 0; n < SHA1dlen; ++n) 820 fprint(2, "%02ux", h[n]); 821 fprint(2, "\nsessid="); 822 for (n = 0; n < SHA1dlen; ++n) 823 fprint(2, "%02ux", c->sessid[n]); 824 fprint(2, "\n"); 825 } 826 initsha1pkt(pack2, k, h); 827 add_byte(pack2, 'A'); 828 add_packet(pack2, c->sessid, SHA1dlen); 829 sha1(pack2->payload, pack2->rlength - 1, c->nc2siv, nil); 830 initsha1pkt(pack2, k, h); 831 add_packet(pack2, c->nc2siv, SHA1dlen); 832 sha1(pack2->payload, pack2->rlength - 1, c->nc2siv + SHA1dlen, nil); 833 834 /* Server to client IV */ 835 initsha1pkt(pack2, k, h); 836 add_byte(pack2, 'B'); 837 add_packet(pack2, c->sessid, SHA1dlen); 838 sha1(pack2->payload, pack2->rlength - 1, c->ns2civ, nil); 839 initsha1pkt(pack2, k, h); 840 add_packet(pack2, c->ns2civ, SHA1dlen); 841 sha1(pack2->payload, pack2->rlength - 1, c->ns2civ + SHA1dlen, nil); 842 843 /* Client to server encryption key */ 844 initsha1pkt(pack2, k, h); 845 add_byte(pack2, 'C'); 846 add_packet(pack2, c->sessid, SHA1dlen); 847 sha1(pack2->payload, pack2->rlength - 1, c->nc2sek, nil); 848 initsha1pkt(pack2, k, h); 849 add_packet(pack2, c->nc2sek, SHA1dlen); 850 sha1(pack2->payload, pack2->rlength - 1, c->nc2sek + SHA1dlen, nil); 851 852 /* Server to client encryption key */ 853 initsha1pkt(pack2, k, h); 854 add_byte(pack2, 'D'); 855 add_packet(pack2, c->sessid, SHA1dlen); 856 sha1(pack2->payload, pack2->rlength - 1, c->ns2cek, nil); 857 initsha1pkt(pack2, k, h); 858 add_packet(pack2, c->ns2cek, SHA1dlen); 859 sha1(pack2->payload, pack2->rlength - 1, c->ns2cek + SHA1dlen, nil); 860 861 /* Client to server integrity key */ 862 initsha1pkt(pack2, k, h); 863 add_byte(pack2, 'E'); 864 add_packet(pack2, c->sessid, SHA1dlen); 865 sha1(pack2->payload, pack2->rlength - 1, c->nc2sik, nil); 866 initsha1pkt(pack2, k, h); 867 add_packet(pack2, c->nc2sik, SHA1dlen); 868 sha1(pack2->payload, pack2->rlength - 1, c->nc2sik + SHA1dlen, nil); 869 870 /* Server to client integrity key */ 871 initsha1pkt(pack2, k, h); 872 add_byte(pack2, 'F'); 873 add_packet(pack2, c->sessid, SHA1dlen); 874 sha1(pack2->payload, pack2->rlength - 1, c->ns2cik, nil); 875 initsha1pkt(pack2, k, h); 876 add_packet(pack2, c->ns2cik, SHA1dlen); 877 sha1(pack2->payload, pack2->rlength - 1, c->ns2cik + SHA1dlen, nil); 878 879 if (debug > 1) { 880 be = buf + sizeof buf; 881 fprint(2, "Client to server IV:\n"); 882 for (n = 0, bp = buf; n < SHA1dlen*2; ++n) 883 bp = seprint(bp, be, "%02x", c->nc2siv[n]); 884 fprint(2, "%s\n", buf); 885 886 fprint(2, "Server to client IV:\n"); 887 for (n = 0, bp = buf; n < SHA1dlen*2; ++n) 888 bp = seprint(bp, be, "%02x", c->ns2civ[n]); 889 fprint(2, "%s\n", buf); 890 891 fprint(2, "Client to server EK:\n"); 892 for (n = 0, bp = buf; n < SHA1dlen*2; ++n) 893 bp = seprint(bp, be, "%02x", c->nc2sek[n]); 894 fprint(2, "%s\n", buf); 895 896 fprint(2, "Server to client EK:\n"); 897 for (n = 0, bp = buf; n < SHA1dlen*2; ++n) 898 bp = seprint(bp, be, "%02x", c->ns2cek[n]); 899 fprint(2, "%s\n", buf); 900 } 901 free(pack2); 902 } 903 904 Kex dh1sha1 = { 905 "diffie-hellman-group1-sha1", 906 dh_server1, 907 dh_client11, 908 dh_client12 909 }; 910 911 Kex dh14sha1 = { 912 "diffie-hellman-group14-sha1", 913 dh_server14, 914 dh_client141, 915 dh_client142 916 }; 917 918 PKA rsa_pka = { 919 "ssh-rsa", 920 rsa_ks, 921 rsa_sign, 922 rsa_verify 923 }; 924 925 PKA dss_pka = { 926 "ssh-dss", 927 dss_ks, 928 dss_sign, 929 dss_verify 930 }; 931