Commit b4bcc606 authored by Matt Johnston's avatar Matt Johnston
Browse files

More changes for KEX and ECDH. Set up hash descriptors, make ECC code work,

ses.hash and ses.session_id are now buffers (doesn't compile)

--HG--
branch : ecc
parent 5139bd42
......@@ -35,8 +35,8 @@
struct Algo_Type {
unsigned char *name; /* identifying name */
char val; /* a value for this cipher, or -1 for invalid */
const unsigned char *name; /* identifying name */
const char val; /* a value for this cipher, or -1 for invalid */
const void *data; /* algorithm specific data */
char usable; /* whether we can use this algorithm */
const void *mode; /* the mode, currently only used for ciphers,
......@@ -59,8 +59,8 @@ extern const struct dropbear_hash dropbear_nohash;
struct dropbear_cipher {
const struct ltc_cipher_descriptor *cipherdesc;
unsigned long keysize;
unsigned char blocksize;
const unsigned long keysize;
const unsigned char blocksize;
};
struct dropbear_cipher_mode {
......@@ -75,14 +75,14 @@ struct dropbear_cipher_mode {
struct dropbear_hash {
const struct ltc_hash_descriptor *hashdesc;
unsigned long keysize;
unsigned char hashsize;
const unsigned long keysize;
const unsigned char hashsize;
};
struct dropbear_kex {
// "normal" DH KEX
unsigned char *dh_p_bytes;
int dh_p_len;
const unsigned char *dh_p_bytes;
const int dh_p_len;
// elliptic curve DH KEX
#ifdef DROPBEAR_ECDH
......@@ -108,14 +108,6 @@ int check_user_algos(const char* user_algo_list, algo_type * algos,
char * algolist_string(algo_type algos[]);
#endif
enum kex_type {
DROPBEAR_KEX_DH_GROUP1,
DROPBEAR_KEX_DH_GROUP14,
DROPBEAR_KEX_ECDH_SECP256R1,
DROPBEAR_KEX_ECDH_SECP384R1,
DROPBEAR_KEX_ECDH_SECP521R1,
};
#ifdef DROPBEAR_ECDH
#define IS_NORMAL_DH(algo) ((algo)->dh_p_bytes != NULL)
#else
......
......@@ -96,12 +96,15 @@ void recv_msg_kexdh_reply() {
kexdh_comb_key(cli_ses.dh_param, &dh_f, hostkey);
mp_clear(&dh_f);
free_kexdh_param(cli_ses.dh_param);
cli_ses.dh_param = NULL;
} else {
#ifdef DROPBEAR_ECDH
buffer *ecdh_qs = buf_getstringbuf(ses.payload);
kexecdh_comb_key(cli_ses.dh_param, ecdh_qs, hostkey);
buf_free(ecdh_qs);
#endif
}
free_kexdh_param(cli_ses.dh_param);
cli_ses.dh_param = NULL;
if (buf_verify(ses.payload, hostkey, ses.hash, SHA1_HASH_SIZE)
!= DROPBEAR_SUCCESS) {
......
......@@ -25,6 +25,7 @@
#include "algo.h"
#include "dbutil.h"
#include "kex.h"
/* This file (algo.c) organises the ciphers which can be used, and is used to
* decide which ciphers/hashes/compression/signing to use during key exchange*/
......@@ -212,18 +213,18 @@ algo_type sshhostkey[] = {
{NULL, 0, NULL, 0, NULL}
};
static struct dropbear_kex kex_dh_group1 {dh_p_1, DH_P_1_LEN, NULL, sha1_desc };
static struct dropbear_kex kex_dh_group14 {dh_p_14, DH_P_14_LEN, NULL, sha1_desc };
static struct dropbear_kex kex_dh_group1 = {dh_p_1, DH_P_1_LEN, NULL, &sha1_desc };
static struct dropbear_kex kex_dh_group14 = {dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
#ifdef DROPBEAR_ECC_DH
#ifdef DROPBEAR_ECC_256
static struct dropbear_kex kex_ecdh_secp256r1 {NULL, 0, &ecc_curve_secp256r1, sha256_desc };
static struct dropbear_kex kex_ecdh_secp256r1 = {NULL, 0, &ecc_curve_secp256r1, &sha256_desc };
#endif
#ifdef DROPBEAR_ECC_384
static struct dropbear_kex kex_ecdh_secp384r1 {NULL, 0, &ecc_curve_secp384r1, sha384_desc };
static struct dropbear_kex kex_ecdh_secp384r1 = {NULL, 0, &ecc_curve_secp384r1, &sha384_desc };
#endif
#ifdef DROPBEAR_ECC_521
static struct dropbear_kex kex_ecdh_secp521r1 {NULL, 0, &ecc_curve_secp521r1, sha512_desc };
static struct dropbear_kex kex_ecdh_secp521r1 = {NULL, 0, &ecc_curve_secp521r1, &sha512_desc };
#endif
#endif // DROPBEAR_ECC_DH
......@@ -272,10 +273,13 @@ void crypto_init() {
#ifdef DROPBEAR_MD5_HMAC
&md5_desc,
#endif
#ifdef DROPBEAR_SHA2_256_HMAC
#ifdef DROPBEAR_SHA256
&sha256_desc,
#endif
#ifdef DROPBEAR_SHA2_512_HMAC
#ifdef DROPBEAR_SHA384
&sha384_desc,
#endif
#ifdef DROPBEAR_SHA512
&sha512_desc,
#endif
NULL
......
......@@ -34,6 +34,7 @@
#include "bignum.h"
#include "random.h"
#include "runopts.h"
#include "ecc.h"
/* diffie-hellman-group1-sha1 value for p */
const unsigned char dh_p_1[DH_P_1_LEN] = {
......@@ -642,6 +643,9 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them,
buf_setpos(ses.kexhashbuf, 0);
sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
ses.kexhashbuf->len);
ses.hash = m_malloc(SHA1_HASH_SIZE);
}
sha1_done(&hs, ses.hash);
buf_burn(ses.kexhashbuf);
......@@ -660,8 +664,8 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them,
struct kex_ecdh_param *gen_kexecdh_param() {
struct kex_ecdh_param *param = m_malloc(sizeof(*param));
if (ecc_make_key_ex(NULL, dropbear_ltc_prng,
&param->key, ses.newkeys->algo_kex->ecc_curve) != CRYPT_OK) {
dropbear_exit("ECC error")
&param->key, ses.newkeys->algo_kex->ecc_curve->dp) != CRYPT_OK) {
dropbear_exit("ECC error");
}
return param;
}
......@@ -673,58 +677,45 @@ void free_kexecdh_param(struct kex_ecdh_param *param) {
}
void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them,
sign_key *hostkey) {
const struct dropbear_kex *algo_kex = ses.newkeys->algo_kex;
hash_state hs;
// public keys from client and server
ecc_key *Q_C, *Q_S, *Q_them;
oj // XXX load Q_them
Q_them = buf_get_ecc_key_string()
// XXX load Q_them
Q_them = buf_get_ecc_pubkey(pub_them, algo_kex->ecc_curve);
ses.dh_K = dropbear_ecc_shared_secret();
/* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */
if (mp_cmp(dh_pub_them, &dh_p) != MP_LT
|| mp_cmp_d(dh_pub_them, 0) != MP_GT) {
dropbear_exit("Diffie-Hellman error");
}
/* K = e^y mod p = f^x mod p */
ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int));
m_mp_init(ses.dh_K);
if (mp_exptmod(dh_pub_them, &param->priv, &dh_p, ses.dh_K) != MP_OKAY) {
dropbear_exit("Diffie-Hellman error");
}
/* clear no longer needed vars */
mp_clear_multi(&dh_p, NULL);
ses.dh_K = dropbear_ecc_shared_secret(Q_them, param->key);
/* From here on, the code needs to work with the _same_ vars on each side,
* not vice-versaing for client/server */
if (IS_DROPBEAR_CLIENT) {
dh_e = &param->pub;
dh_f = dh_pub_them;
Q_C = param->key;
Q_S = Q_them;
} else {
dh_e = dh_pub_them;
dh_f = &param->pub;
Q_C = Q_them;
Q_S = param->key;
}
/* Create the remainder of the hash buffer, to generate the exchange hash */
/* K_S, the host key */
buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
/* e, exchange value sent by the client */
buf_putmpint(ses.kexhashbuf, dh_e);
/* f, exchange value sent by the server */
buf_putmpint(ses.kexhashbuf, dh_f);
/* Q_C, client's ephemeral public key octet string */
buf_put_ecc_pubkey_string(Q_C);
/* Q_S, server's ephemeral public key octet string */
buf_put_ecc_pubkey_string(Q_S);
/* K, the shared secret */
buf_putmpint(ses.kexhashbuf, ses.dh_K);
/* calculate the hash H to sign */
sha1_init(&hs);
algo_kex->hashdesc->init(&hs);
buf_setpos(ses.kexhashbuf, 0);
sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
algo_kex->hashdesc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
ses.kexhashbuf->len);
sha1_done(&hs, ses.hash);
if (!ses.hash) {
ses.hash = m_malloc(algo_kex->hashdesc->hashsize);
}
algo_kex->hashdesc->done(&hs, ses.hash);
buf_burn(ses.kexhashbuf);
buf_free(ses.kexhashbuf);
......@@ -733,8 +724,8 @@ oj // XXX load Q_them
/* first time around, we set the session_id to H */
if (ses.session_id == NULL) {
/* create the session_id, this never needs freeing */
ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE);
memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE);
ses.session_id = m_malloc(algo_kex->hashdesc->hashsize);
memcpy(ses.session_id, ses.hash, algo_kex->hashdesc->hashsize);
}
}
......
#include "includes.h"
#include "options.h"
#include "ecc.h"
#include "dbutil.h"
#include "bignum.h"
#ifdef DROPBEAR_ECC
// TODO: use raw bytes for the dp rather than the hex strings in libtomcrypt's ecc.c
#ifdef DROPBEAR_ECC_256
const struct dropbear_ecc_curve ecc_curve_secp256r1 {
const struct dropbear_ecc_curve ecc_curve_secp256r1 = {
.dp = &ltc_ecc_sets[0],
.hash_desc = sha256_desc,
.hash_desc = &sha256_desc,
.name = "secp256r1"
};
#endif
#ifdef DROPBEAR_ECC_384
const struct dropbear_ecc_curve ecc_curve_secp384r1 {
const struct dropbear_ecc_curve ecc_curve_secp384r1 = {
.dp = &ltc_ecc_sets[1],
.hash_desc = sha384_desc,
.hash_desc = &sha384_desc,
.name = "secp384r1"
};
#endif
#ifdef DROPBEAR_ECC_521
const struct dropbear_ecc_curve ecc_curve_secp521r1 {
const struct dropbear_ecc_curve ecc_curve_secp521r1 = {
.dp = &ltc_ecc_sets[2],
.hash_desc = sha521_desc,
.hash_desc = &sha512_desc,
.name = "secp521r1"
};
#endif
static ecc_key * new_ecc_key(void) {
ecc_key *key = m_malloc(sizeof(*key));
key->pubkey.x = m_malloc(sizeof(mp_int));
key->pubkey.y = m_malloc(sizeof(mp_int));
key->pubkey.z = m_malloc(sizeof(mp_int));
key->k = m_malloc(sizeof(mp_init));
m_mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL);
return key;
}
void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key) {
// XXX point compression
int len = key->dp->size*2 + 1;
buf_putint(len);
unsigned long len = key->dp->size*2 + 1;
buf_putint(buf, len);
int err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len);
if (err != CRYPT_OK) {
dropbear_exit("ECC error");
......@@ -43,38 +50,93 @@ void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key) {
buf_incrwritepos(buf, len);
}
ecc_key * buf_get_ecc_key_string(buffer *buf, const struct dropbear_ecc_curve *curve) {
// Copied from libtomcrypt ecc_import.c (version there is static), modified
// for different mp_int pointer without LTC_SOURCE
static int ecc_is_point(ecc_key *key)
{
mp_int *prime, *b, *t1, *t2;
int err;
prime = m_malloc(sizeof(mp_int));
b = m_malloc(sizeof(mp_int));
t1 = m_malloc(sizeof(mp_int));
t2 = m_malloc(sizeof(mp_int));
m_mp_init_multi(prime, b, t1, t2, NULL);
/* load prime and b */
if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) { goto error; }
if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) { goto error; }
/* compute y^2 */
if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK) { goto error; }
/* compute x^3 */
if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK) { goto error; }
if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK) { goto error; }
if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK) { goto error; }
/* compute y^2 - x^3 */
if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK) { goto error; }
/* compute y^2 - x^3 + 3x */
if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK) { goto error; }
while (mp_cmp_d(t1, 0) == LTC_MP_LT) {
if ((err = mp_add(t1, prime, t1)) != CRYPT_OK) { goto error; }
}
while (mp_cmp(t1, prime) != LTC_MP_LT) {
if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK) { goto error; }
}
/* compare to b */
if (mp_cmp(t1, b) != LTC_MP_EQ) {
err = CRYPT_INVALID_PACKET;
} else {
err = CRYPT_OK;
}
error:
mp_clear_multi(prime, b, t1, t2, NULL);
m_free(prime);
m_free(b);
m_free(t1);
m_free(t2);
return err;
}
ecc_key * buf_get_ecc_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve) {
ecc_key *key = NULL;
int ret = DROPBEAR_FAILURE;
const int size = curve->dp->size;
unsigned int len = buf_get_string(buf);
unsigned char first = buf_get_char(buf);
buf_setpos(buf, 0);
unsigned int len = buf->len;
unsigned char first = buf_getbyte(buf);
if (first == 2 || first == 3) {
dropbear_log("Dropbear doesn't support ECC point compression");
dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression");
return NULL;
}
if (first != 4 || len != 1+2*size) {
return NULL;
}
key = m_malloc(sizeof(*key));
m_mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL);
key = new_ecc_key();
if (mp_read_unsigned_bin(&key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) {
if (mp_read_unsigned_bin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) {
goto out;
}
buf_incrpos(buf, size);
if (mp_read_unsigned_bin(&key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) {
if (mp_read_unsigned_bin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) {
goto out;
}
buf_incrpos(buf, size);
if (mp_set(key->pubkey.z, 1) != MP_OKAY) {
goto out;
}
mp_set(key->pubkey.z, 1);
if (is_point(key) != CRYPT_OK) {
if (ecc_is_point(key) != CRYPT_OK) {
goto out;
}
......@@ -91,7 +153,7 @@ ecc_key * buf_get_ecc_key_string(buffer *buf, const struct dropbear_ecc_curve *c
out:
if (ret == DROPBEAR_FAILURE) {
if (key) {
mp_free_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL);
ecc_free(key);
m_free(key);
key = NULL;
}
......@@ -105,9 +167,9 @@ out:
// a mp_int instead.
mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, ecc_key *private_key)
{
ecc_point *result = NULL
ecc_point *result = NULL;
mp_int *prime = NULL, *shared_secret = NULL;
int ret = DROPBEAR_FAILURE;
int err = DROPBEAR_FAILURE;
/* type valid? */
if (private_key->type != PK_PRIVATE) {
......@@ -163,9 +225,6 @@ done:
}
return shared_secret;
return err;
}
}
#endif
......@@ -21,14 +21,11 @@ extern const struct dropbear_ecc_curve ecc_curve_secp521r1;
// "pubkey" refers to a point, but LTC uses ecc_key structure for both public
// and private keys
void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key);
int buf_get_ecc_pubkey_string(buffer *buf, ecc_key *key);
ecc_key * buf_get_ecc_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve);
int buf_get_ecc_privkey_string(buffer *buf, ecc_key *key);
mp_int * dropbear_ecc_shared_secret(ecc_key *pub_key, ecc_key *priv_key);
const ltc_ecc_set_type* get_ecc_curve(enum kex_type type);
#endif
#endif // _DROPBEAR_ECC_H
\ No newline at end of file
......@@ -27,6 +27,7 @@
#include "includes.h"
#include "algo.h"
#include "signkey.h"
void send_msg_kexinit();
void recv_msg_kexinit();
......@@ -74,9 +75,9 @@ struct KEXState {
};
#define DH_P_1_LEN 128
extern const const unsigned char dh_p_1[DH_P_1_LEN];
extern const unsigned char dh_p_1[DH_P_1_LEN];
#define DH_P_14_LEN 256
const unsigned char dh_p_14[DH_P_14_LEN] = {
extern const unsigned char dh_p_14[DH_P_14_LEN];
struct kex_dh_param {
mp_int pub;
......
......@@ -127,7 +127,9 @@
#ifdef DROPBEAR_SHA256
#define SHA256
#endif
#ifdef DROPBEAR_SHA384
#define SHA384
#endif
#ifdef DROPBEAR_SHA512
#define SHA512
#endif
......
......@@ -14,6 +14,7 @@
#include "options.h"
#include "includes.h"
#include "random.h"
#include "ltc_prng.h"
/**
@file sprng.c
......
#ifndef _LTC_PRNG_H_DROPBEAR
#define _LTC_PRNG_H_DROPBEAR
#include "options.h"
#include "includes.h"
#ifdef DROPBEAR_LTC_PRNG
extern const struct ltc_prng_descriptor dropbear_prng_desc;
#endif // DROPBEAR_LTC_PRNG
#endif // _LTC_PRNG_H_DROPBEAR
\ No newline at end of file
......@@ -27,6 +27,8 @@
#include "dbutil.h"
#include "bignum.h"
#include "random.h"
#include "ltc_prng.h"
/* this is used to generate unique output from the same hashpool */
static uint32_t counter = 0;
......
......@@ -154,10 +154,10 @@ struct sshsession {
struct KEXState kexstate;
struct key_context *keys;
struct key_context *newkeys;
unsigned char *session_id; /* this is the hash from the first kex */
/* The below are used temorarily during kex, are freed after use */
buffer *session_id; /* this is the hash from the first kex */
/* The below are used temporarily during kex, are freed after use */
mp_int * dh_K; /* SSH_MSG_KEXDH_REPLY and sending SSH_MSH_NEWKEYS */
unsigned char hash[SHA1_HASH_SIZE]; /* the hash*/
buffer *hash/* the session hash */
buffer* kexhashbuf; /* session hash buffer calculated from various packets*/
buffer* transkexinit; /* the kexinit packet we send should be kept so we
can add it to the hash when generating keys */
......
......@@ -59,6 +59,7 @@ void recv_msg_kexdh_init() {
}
} else {
#ifdef DROPBEAR_ECDH
buffer *ecdh_qs = buf_getstringbuf(ses.payload);
#endif
}
......
......@@ -93,13 +93,26 @@
#define DROPBEAR_ECC
#endif
#ifdef DROPBEAR_ECC
#define DROPBEAR_ECC_256
#define DROPBEAR_ECC_384
#define DROPBEAR_ECC_521
#endif
// hashes which will be linked and registered
#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256)
#define DROPBEAR_SHA256
#endif
#if defined(DROPBEAR_ECC_384)
#define DROPBEAR_SHA384
#endif
#if defined(DROPBEAR_SHA2_512_HMAC) || defined(DROPBEAR_ECC_521)
#define DROPBEAR_SHA512
#endif
#if defined(DROPBEAR_MD5_HMAC)
#define DROPBEAR_MD5
#endif
// roughly 2x 521 bits
#define MAX_ECC_SIZE 140
......@@ -155,19 +168,6 @@
#define DROPBEAR_TWOFISH
#endif
#ifdef DROPBEAR_MD5_HMAC
#define DROPBEAR_MD5
#endif
#ifdef DROPBEAR_SHA2_256_HMAC
#define DROPBEAR_SHA256
#endif
#if (defined(DROPBEAR_DSS) && defined(DSS_PROTOK)) \
|| defined(DROPBEAR_SHA2_512_HMAC)
#define DROPBEAR_SHA512
#endif
#ifndef ENABLE_X11FWD
#define DISABLE_X11FWD
#endif
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment