Key *key_private_deserialize(buffer_t *blob)
{
int success = 0;
char *type_name = NULL;
Key *k = NULL;
unsigned int pklen, sklen;
int type;
type_name = buffer_get_string_msg(blob, NULL);
if (type_name == NULL)
goto error;
type = get_keytype_from_name(type_name);
k = key_new_private(type);
switch (type) {
case KEY_RSA:
buffer_get_bignum2_msg(blob, k->rsa->n);
buffer_get_bignum2_msg(blob, k->rsa->e);
buffer_get_bignum2_msg(blob, k->rsa->d);
buffer_get_bignum2_msg(blob, k->rsa->iqmp);
buffer_get_bignum2_msg(blob, k->rsa->p);
buffer_get_bignum2_msg(blob, k->rsa->q);
/* Generate additional parameters */
rsa_generate_additional_parameters(k->rsa);
break;
case KEY_DSA:
buffer_get_bignum2_msg(blob, k->dsa->p);
buffer_get_bignum2_msg(blob, k->dsa->q);
buffer_get_bignum2_msg(blob, k->dsa->g);
buffer_get_bignum2_msg(blob, k->dsa->pub_key);
buffer_get_bignum2_msg(blob, k->dsa->priv_key);
break;
case KEY_ECDSA256:
case KEY_ECDSA384:
case KEY_ECDSA521:
{
int success = 0;
unsigned int nid;
char *curve = NULL;
ssh_keytype skt;
BIGNUM *exponent = NULL;
EC_POINT *q = NULL;
nid = keytype_to_cipher_nid(type);
curve = buffer_get_string_msg(blob, NULL);
skt = key_curve_name_to_keytype(curve);
if (nid != keytype_to_cipher_nid(skt))
goto ecdsa_error;
k->ecdsa = EC_KEY_new_by_curve_name(nid);
if (k->ecdsa == NULL)
goto ecdsa_error;
q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa));
if (q == NULL)
goto ecdsa_error;
if ((exponent = BN_new()) == NULL)
goto ecdsa_error;
buffer_get_ecpoint_msg(blob,
EC_KEY_get0_group(k->ecdsa), q);
buffer_get_bignum2_msg(blob, exponent);
if (EC_KEY_set_public_key(k->ecdsa, q) != 1)
goto ecdsa_error;
if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1)
goto ecdsa_error;
if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
EC_KEY_get0_public_key(k->ecdsa)) != 0)
goto ecdsa_error;
if (key_ec_validate_private(k->ecdsa) != 0)
goto ecdsa_error;
success = 1;
ecdsa_error:
free(curve);
if (exponent)
BN_clear_free(exponent);
if (q)
EC_POINT_free(q);
if (success == 0)
goto error;
}
break;
case KEY_ED25519:
k->ed25519_pk = buffer_get_string_msg(blob, &pklen);
k->ed25519_sk = buffer_get_string_msg(blob, &sklen);
if (pklen != ED25519_PK_SZ)
goto error;
if (sklen != ED25519_SK_SZ)
goto error;
break;
default:
goto error;
break;
}
/* enable blinding */
switch (k->type) {
case KEY_RSA1:
case KEY_RSA:
if (RSA_blinding_on(k->rsa, NULL) != 1)
goto error;
break;
}
success = 1;
error:
free(type_name);
if (success == 0) {
key_free(k);
k = NULL;
}
return (k);
}
void
kexecdh_client(Kex *kex)
{
EC_KEY *client_key;
EC_POINT *server_public;
const EC_GROUP *group;
BIGNUM *shared_secret;
Key *server_host_key;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
if (EC_KEY_generate_key(client_key) != 1)
fatal("%s: EC_KEY_generate_key failed", __func__);
group = EC_KEY_get0_group(client_key);
packet_start(SSH2_MSG_KEX_ECDH_INIT);
packet_put_ecpoint(group, EC_KEY_get0_public_key(client_key));
packet_send();
debug("sending SSH2_MSG_KEX_ECDH_INIT");
#ifdef DEBUG_KEXECDH
fputs("client private key:\n", stderr);
key_dump_ec_key(client_key);
#endif
debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY);
/* hostkey */
server_host_key_blob = packet_get_string(&sbloblen);
server_host_key = key_from_blob(server_host_key_blob, sbloblen);
if (server_host_key == NULL)
fatal("cannot decode server_host_key_blob");
if (server_host_key->type != kex->hostkey_type)
fatal("type mismatch for decoded server_host_key_blob");
if (kex->verify_host_key == NULL)
fatal("cannot verify server_host_key");
if (kex->verify_host_key(server_host_key) == -1)
fatal("server_host_key verification failed");
/* Q_S, server public key */
if ((server_public = EC_POINT_new(group)) == NULL)
fatal("%s: EC_POINT_new failed", __func__);
packet_get_ecpoint(group, server_public);
if (key_ec_validate_public(group, server_public) != 0)
fatal("%s: invalid server public key", __func__);
#ifdef DEBUG_KEXECDH
fputs("server public key:\n", stderr);
key_dump_ec_point(group, server_public);
#endif
/* signed H */
signature = packet_get_string(&slen);
packet_check_eom();
klen = (EC_GROUP_get_degree(group) + 7) / 8;
kbuf = xmalloc(klen);
if (ECDH_compute_key(kbuf, klen, server_public,
client_key, NULL) != (int)klen)
fatal("%s: ECDH_compute_key failed", __func__);
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("%s: BN_new failed", __func__);
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
fatal("%s: BN_bin2bn failed", __func__);
memset(kbuf, 0, klen);
free(kbuf);
/* calc and verify H */
kex_ecdh_hash(
kex->evp_md,
group,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
server_host_key_blob, sbloblen,
EC_KEY_get0_public_key(client_key),
server_public,
shared_secret,
&hash, &hashlen
);
free(server_host_key_blob);
EC_POINT_clear_free(server_public);
EC_KEY_free(client_key);
if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
free(signature);
/* save session id */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
//
// バッファからキー情報を取り出す(for SSH2)
// NOTE: 返値はアロケート領域になるので、呼び出し側で解放すること。
//
Key *key_from_blob(char *data, int blen)
{
int keynamelen, len;
char key[128];
RSA *rsa = NULL;
DSA *dsa = NULL;
EC_KEY *ecdsa = NULL;
EC_POINT *q = NULL;
char *curve = NULL;
Key *hostkey; // hostkey
ssh_keytype type;
unsigned char *pk = NULL;
hostkey = malloc(sizeof(Key));
if (hostkey == NULL)
goto error;
memset(hostkey, 0, sizeof(Key));
keynamelen = get_uint32_MSBfirst(data);
if (keynamelen >= sizeof(key)) {
goto error;
}
data += 4;
memcpy(key, data, keynamelen);
key[keynamelen] = 0;
data += keynamelen;
type = get_keytype_from_name(key);
switch (type) {
case KEY_RSA: // RSA key
rsa = RSA_new();
if (rsa == NULL) {
goto error;
}
rsa->n = BN_new();
rsa->e = BN_new();
if (rsa->n == NULL || rsa->e == NULL) {
goto error;
}
buffer_get_bignum2(&data, rsa->e);
buffer_get_bignum2(&data, rsa->n);
hostkey->type = type;
hostkey->rsa = rsa;
break;
case KEY_DSA: // DSA key
dsa = DSA_new();
if (dsa == NULL) {
goto error;
}
dsa->p = BN_new();
dsa->q = BN_new();
dsa->g = BN_new();
dsa->pub_key = BN_new();
if (dsa->p == NULL ||
dsa->q == NULL ||
dsa->g == NULL ||
dsa->pub_key == NULL) {
goto error;
}
buffer_get_bignum2(&data, dsa->p);
buffer_get_bignum2(&data, dsa->q);
buffer_get_bignum2(&data, dsa->g);
buffer_get_bignum2(&data, dsa->pub_key);
hostkey->type = type;
hostkey->dsa = dsa;
break;
case KEY_ECDSA256: // ECDSA
case KEY_ECDSA384:
case KEY_ECDSA521:
curve = buffer_get_string(&data, NULL);
if (type != key_curve_name_to_keytype(curve)) {
goto error;
}
ecdsa = EC_KEY_new_by_curve_name(keytype_to_cipher_nid(type));
if (ecdsa == NULL) {
goto error;
}
q = EC_POINT_new(EC_KEY_get0_group(ecdsa));
if (q == NULL) {
goto error;
}
buffer_get_ecpoint(&data, EC_KEY_get0_group(ecdsa), q);
if (key_ec_validate_public(EC_KEY_get0_group(ecdsa), q) == -1) {
goto error;
}
if (EC_KEY_set_public_key(ecdsa, q) != 1) {
goto error;
}
hostkey->type = type;
hostkey->ecdsa = ecdsa;
break;
case KEY_ED25519:
pk = buffer_get_string(&data, &len);
if (pk == NULL)
goto error;
if (len != ED25519_PK_SZ)
goto error;
hostkey->type = type;
hostkey->ed25519_pk = pk;
pk = NULL;
break;
default: // unknown key
goto error;
}
return (hostkey);
error:
if (rsa != NULL)
RSA_free(rsa);
if (dsa != NULL)
DSA_free(dsa);
if (ecdsa != NULL)
EC_KEY_free(ecdsa);
free(hostkey);
return NULL;
}
void
kexecdh_server(Kex *kex)
{
EC_POINT *client_public;
EC_KEY *server_key;
const EC_GROUP *group;
BIGNUM *shared_secret;
Key *server_host_private, *server_host_public;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
int curve_nid;
if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1)
fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name);
if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL)
fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
if (EC_KEY_generate_key(server_key) != 1)
fatal("%s: EC_KEY_generate_key failed", __func__);
group = EC_KEY_get0_group(server_key);
#ifdef DEBUG_KEXECDH
fputs("server private key:\n", stderr);
key_dump_ec_key(server_key);
#endif
if (kex->load_host_public_key == NULL ||
kex->load_host_private_key == NULL)
fatal("Cannot load hostkey");
server_host_public = kex->load_host_public_key(kex->hostkey_type);
if (server_host_public == NULL)
fatal("Unsupported hostkey type %d", kex->hostkey_type);
server_host_private = kex->load_host_private_key(kex->hostkey_type);
if (server_host_private == NULL)
fatal("Missing private key for hostkey type %d",
kex->hostkey_type);
debug("expecting SSH2_MSG_KEX_ECDH_INIT");
packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
if ((client_public = EC_POINT_new(group)) == NULL)
fatal("%s: EC_POINT_new failed", __func__);
packet_get_ecpoint(group, client_public);
packet_check_eom();
if (key_ec_validate_public(group, client_public) != 0)
fatal("%s: invalid client public key", __func__);
#ifdef DEBUG_KEXECDH
fputs("client public key:\n", stderr);
key_dump_ec_point(group, client_public);
#endif
/* Calculate shared_secret */
klen = (EC_GROUP_get_degree(group) + 7) / 8;
kbuf = xmalloc(klen);
if (ECDH_compute_key(kbuf, klen, client_public,
server_key, NULL) != (int)klen)
fatal("%s: ECDH_compute_key failed", __func__);
#ifdef DEBUG_KEXDH
dump_digest("shared secret", kbuf, klen);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("%s: BN_new failed", __func__);
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
fatal("%s: BN_bin2bn failed", __func__);
memset(kbuf, 0, klen);
xfree(kbuf);
/* calc H */
key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
kex_ecdh_hash(
kex->evp_md,
group,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
buffer_ptr(&kex->my), buffer_len(&kex->my),
server_host_key_blob, sbloblen,
client_public,
EC_KEY_get0_public_key(server_key),
shared_secret,
&hash, &hashlen
);
EC_POINT_clear_free(client_public);
/* save session id := H */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
if (PRIVSEP(key_sign(server_host_private, &signature, &slen,
hash, hashlen)) < 0)
fatal("kexdh_server: key_sign failed");
/* destroy_sensitive_data(); */
/* send server hostkey, ECDH pubkey 'Q_S' and signed H */
packet_start(SSH2_MSG_KEX_ECDH_REPLY);
packet_put_string(server_host_key_blob, sbloblen);
packet_put_ecpoint(group, EC_KEY_get0_public_key(server_key));
packet_put_string(signature, slen);
packet_send();
xfree(signature);
xfree(server_host_key_blob);
/* have keys, free server key */
EC_KEY_free(server_key);
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
