Grid Community Toolkit  6.2.1705709074 (tag: v6.2.20240202)
 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
kex.h
1 /* $OpenBSD: kex.h,v 1.118 2023/03/06 12:14:48 dtucker Exp $ */
2 
3 /*
4  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  * notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  * notice, this list of conditions and the following disclaimer in the
13  * documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 #ifndef KEX_H
27 #define KEX_H
28 
29 #include "mac.h"
30 #include "crypto_api.h"
31 
32 #ifdef WITH_OPENSSL
33 # include <openssl/bn.h>
34 # include <openssl/dh.h>
35 # include <openssl/ecdsa.h>
36 # include <openssl/evp.h>
37 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
38 # include <openssl/core_names.h>
39 # include <openssl/param_build.h>
40 # endif
41 # ifdef OPENSSL_HAS_ECC
42 # include <openssl/ec.h>
43 # else /* OPENSSL_HAS_ECC */
44 # define EC_KEY void
45 # define EC_GROUP void
46 # define EC_POINT void
47 # endif /* OPENSSL_HAS_ECC */
48 #else /* WITH_OPENSSL */
49 # define DH void
50 # define BIGNUM void
51 # define EC_KEY void
52 # define EC_GROUP void
53 # define EC_POINT void
54 #endif /* WITH_OPENSSL */
55 
56 #define KEX_COOKIE_LEN 16
57 
58 #define KEX_DH1 "diffie-hellman-group1-sha1"
59 #define KEX_DH14_SHA1 "diffie-hellman-group14-sha1"
60 #define KEX_DH14_SHA256 "diffie-hellman-group14-sha256"
61 #define KEX_DH16_SHA512 "diffie-hellman-group16-sha512"
62 #define KEX_DH18_SHA512 "diffie-hellman-group18-sha512"
63 #define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
64 #define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"
65 #define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256"
66 #define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384"
67 #define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
68 #define KEX_CURVE25519_SHA256 "curve25519-sha256"
69 #define KEX_CURVE25519_SHA256_OLD "[email protected]"
70 #define KEX_SNTRUP761X25519_SHA512 "[email protected]"
71 
72 #define COMP_NONE 0
73 /* pre-auth compression (COMP_ZLIB) is only supported in the client */
74 #define COMP_ZLIB 1
75 #define COMP_DELAYED 2
76 
77 #define CURVE25519_SIZE 32
78 
79 enum kex_init_proposals {
80  PROPOSAL_KEX_ALGS,
81  PROPOSAL_SERVER_HOST_KEY_ALGS,
82  PROPOSAL_ENC_ALGS_CTOS,
83  PROPOSAL_ENC_ALGS_STOC,
84  PROPOSAL_MAC_ALGS_CTOS,
85  PROPOSAL_MAC_ALGS_STOC,
86  PROPOSAL_COMP_ALGS_CTOS,
87  PROPOSAL_COMP_ALGS_STOC,
88  PROPOSAL_LANG_CTOS,
89  PROPOSAL_LANG_STOC,
90  PROPOSAL_MAX
91 };
92 
93 enum kex_modes {
94  MODE_IN,
95  MODE_OUT,
96  MODE_MAX
97 };
98 
99 enum kex_exchange {
100  KEX_DH_GRP1_SHA1,
101  KEX_DH_GRP14_SHA1,
102  KEX_DH_GRP14_SHA256,
103  KEX_DH_GRP16_SHA512,
104  KEX_DH_GRP18_SHA512,
105  KEX_DH_GEX_SHA1,
106  KEX_DH_GEX_SHA256,
107  KEX_ECDH_SHA2,
108  KEX_C25519_SHA256,
109  KEX_KEM_SNTRUP761X25519_SHA512,
110 #ifdef GSSAPI
111  KEX_GSS_GRP1_SHA1,
112  KEX_GSS_GRP14_SHA1,
113  KEX_GSS_GRP14_SHA256,
114  KEX_GSS_GRP16_SHA512,
115  KEX_GSS_GEX_SHA1,
116  KEX_GSS_NISTP256_SHA256,
117  KEX_GSS_C25519_SHA256,
118 #endif
119  KEX_MAX
120 };
121 
122 /* kex->flags */
123 #define KEX_INIT_SENT 0x0001
124 #define KEX_INITIAL 0x0002
125 #define KEX_HAS_PUBKEY_HOSTBOUND 0x0004
126 #define KEX_RSA_SHA2_256_SUPPORTED 0x0008 /* only set in server for now */
127 #define KEX_RSA_SHA2_512_SUPPORTED 0x0010 /* only set in server for now */
128 
129 struct sshenc {
130  char *name;
131  const struct sshcipher *cipher;
132  int enabled;
133  u_int key_len;
134  u_int iv_len;
135  u_int block_size;
136  u_char *key;
137  u_char *iv;
138 };
139 struct sshcomp {
140  u_int type;
141  int enabled;
142  char *name;
143 };
144 struct newkeys {
145  struct sshenc enc;
146  struct sshmac mac;
147  struct sshcomp comp;
148 };
149 
150 struct ssh;
151 struct sshbuf;
152 
153 struct kex {
154  struct newkeys *newkeys[MODE_MAX];
155  u_int we_need;
156  u_int dh_need;
157  int server;
158  char *name;
159  char *hostkey_alg;
160  int hostkey_type;
161  int hostkey_nid;
162  u_int kex_type;
163  char *server_sig_algs;
164  int ext_info_c;
165  struct sshbuf *my;
166  struct sshbuf *peer;
167  struct sshbuf *client_version;
168  struct sshbuf *server_version;
169  struct sshbuf *session_id;
170  struct sshbuf *initial_sig;
171  struct sshkey *initial_hostkey;
172  sig_atomic_t done;
173  u_int flags;
174  int hash_alg;
175  int ec_nid;
176 #ifdef GSSAPI
177  int gss_deleg_creds;
178  int gss_trust_dns;
179  char *gss_host;
180  char *gss_client;
181 #endif
182  char *failed_choice;
183  int (*verify_host_key)(struct sshkey *, struct ssh *);
184  struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
185  struct sshkey *(*load_host_private_key)(int, int, struct ssh *);
186  int (*host_key_index)(struct sshkey *, int, struct ssh *);
187  int (*sign)(struct ssh *, struct sshkey *, struct sshkey *,
188  u_char **, size_t *, const u_char *, size_t, const char *);
189  int (*kex[KEX_MAX])(struct ssh *);
190  /* kex specific state */
191  DH *dh; /* DH */
192  u_int min, max, nbits; /* GEX */
193  EC_KEY *ec_client_key; /* ECDH */
194  const EC_GROUP *ec_group; /* ECDH */
195  u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 + KEM */
196  u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */
197  u_char sntrup761_client_key[crypto_kem_sntrup761_SECRETKEYBYTES]; /* KEM */
198  struct sshbuf *client_pub;
199 };
200 
201 int kex_names_valid(const char *);
202 char *kex_alg_list(char);
203 char *kex_gss_alg_list(char);
204 char *kex_names_cat(const char *, const char *);
205 int kex_assemble_names(char **, const char *, const char *);
206 int kex_gss_names_valid(const char *);
207 void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
208  const char *, const char *, const char *, const char *, const char *);
209 void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
210 
211 int kex_exchange_identification(struct ssh *, int, const char *);
212 
213 struct kex *kex_new(void);
214 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
215 int kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
216 void kex_free_newkeys(struct newkeys *);
217 void kex_free(struct kex *);
218 
219 int kex_buf2prop(struct sshbuf *, int *, char ***);
220 int kex_prop2buf(struct sshbuf *, char *proposal[PROPOSAL_MAX]);
221 void kex_prop_free(char **);
222 int kex_load_hostkey(struct ssh *, struct sshkey **, struct sshkey **);
223 int kex_verify_host_key(struct ssh *, struct sshkey *);
224 
225 int kex_send_kexinit(struct ssh *);
226 int kex_input_kexinit(int, u_int32_t, struct ssh *);
227 int kex_input_ext_info(int, u_int32_t, struct ssh *);
228 int kex_protocol_error(int, u_int32_t, struct ssh *);
229 int kex_derive_keys(struct ssh *, u_char *, u_int, const struct sshbuf *);
230 int kex_send_newkeys(struct ssh *);
231 int kex_start_rekex(struct ssh *);
232 
233 int kexgex_client(struct ssh *);
234 int kexgex_server(struct ssh *);
235 int kex_gen_client(struct ssh *);
236 int kex_gen_server(struct ssh *);
237 #if defined(GSSAPI) && defined(WITH_OPENSSL)
238 int kexgssgex_client(struct ssh *);
239 int kexgssgex_server(struct ssh *);
240 int kexgss_client(struct ssh *);
241 int kexgss_server(struct ssh *);
242 #endif
243 
244 void newkeys_destroy(struct newkeys *newkeys);
245 
246 int kex_dh_keypair(struct kex *);
247 int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
248  struct sshbuf **);
249 int kex_dh_dec(struct kex *, const struct sshbuf *, struct sshbuf **);
250 
251 int kex_ecdh_keypair(struct kex *);
252 int kex_ecdh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
253  struct sshbuf **);
254 int kex_ecdh_dec(struct kex *, const struct sshbuf *, struct sshbuf **);
255 
256 int kex_c25519_keypair(struct kex *);
257 int kex_c25519_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
258  struct sshbuf **);
259 int kex_c25519_dec(struct kex *, const struct sshbuf *, struct sshbuf **);
260 
261 int kex_kem_sntrup761x25519_keypair(struct kex *);
262 int kex_kem_sntrup761x25519_enc(struct kex *, const struct sshbuf *,
263  struct sshbuf **, struct sshbuf **);
264 int kex_kem_sntrup761x25519_dec(struct kex *, const struct sshbuf *,
265  struct sshbuf **);
266 
267 int kex_dh_keygen(struct kex *);
268 int kex_dh_compute_key(struct kex *, BIGNUM *, struct sshbuf *);
269 
270 int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
271  const struct sshbuf *, const struct sshbuf *, const struct sshbuf *,
272  int, int, int,
273  const BIGNUM *, const BIGNUM *, const BIGNUM *,
274  const BIGNUM *, const u_char *, size_t,
275  u_char *, size_t *);
276 
277 int kex_gen_hash(int hash_alg, const struct sshbuf *client_version,
278  const struct sshbuf *server_version, const struct sshbuf *client_kexinit,
279  const struct sshbuf *server_kexinit, const struct sshbuf *server_host_key_blob,
280  const struct sshbuf *client_pub, const struct sshbuf *server_pub,
281  const struct sshbuf *shared_secret, u_char *hash, size_t *hashlen);
282 
283 void kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
284  __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
285  __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
286 int kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
287  const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
288  __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
289  __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
290 int kexc25519_shared_key_ext(const u_char key[CURVE25519_SIZE],
291  const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int)
292  __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
293  __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
294 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
295 int kex_create_evp_dh(EVP_PKEY **, const BIGNUM *, const BIGNUM *,
296  const BIGNUM *, const BIGNUM *, const BIGNUM *);
297 # endif
298 
299 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
300 void dump_digest(const char *, const u_char *, int);
301 #endif
302 
303 #if !defined(WITH_OPENSSL) || !defined(OPENSSL_HAS_ECC)
304 # undef EC_KEY
305 # undef EC_GROUP
306 # undef EC_POINT
307 #endif
308 
309 #endif