From b50dd9f0f8dd451095401901f441dfe1ff1d8bf4 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Tue, 26 Mar 2013 01:35:22 +0800 Subject: refactor kexdh code a bit, start working on ecdh etc --- Makefile.in | 2 +- algo.h | 18 ++++ cli-kex.c | 44 +++++----- common-algo.c | 1 + common-kex.c | 41 ++++++--- configure.ac | 2 +- ecc.c | 17 ++++ kex.h | 24 +++++- libtomcrypt/src/headers/tomcrypt_custom.h | 7 ++ ltc_prng.c | 136 ++++++++++++++++++++++++++++++ options.h | 2 + random.c | 9 ++ random.h | 2 + session.h | 10 +-- svr-kex.c | 54 +++++++----- sysoptions.h | 19 +++-- 16 files changed, 320 insertions(+), 68 deletions(-) create mode 100644 ecc.c create mode 100644 ltc_prng.c diff --git a/Makefile.in b/Makefile.in index cec35f1..4eabd20 100644 --- a/Makefile.in +++ b/Makefile.in @@ -26,7 +26,7 @@ COMMONOBJS=dbutil.o buffer.o \ dss.o bignum.o \ signkey.o rsa.o random.o \ queue.o \ - atomicio.o compat.o fake-rfc2553.o + atomicio.o compat.o fake-rfc2553.o ltc_prng.o ecc.o SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \ svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \ diff --git a/algo.h b/algo.h index ad57037..89d05e3 100644 --- a/algo.h +++ b/algo.h @@ -94,5 +94,23 @@ int check_user_algos(const char* user_algo_list, algo_type * algos, char * algolist_string(algo_type algos[]); #endif +enum { + DROPBEAR_KEX_DH_GROUP1, + DROPBEAR_KEX_DH_GROUP14, + DROPBEAR_KEX_ECDH_SECP256R1, +}; + +#ifdef DROPBEAR_ECDH +#define IS_NORMAL_DH(algo) ((algo) == DROPBEAR_KEX_DH_GROUP1 || (algo) == DROPBEAR_KEX_DH_GROUP14) +#else +#define IS_NORMAL_DH(algo) 1 +#endif + +enum { + DROPBEAR_COMP_NONE, + DROPBEAR_COMP_ZLIB, + DROPBEAR_COMP_ZLIB_DELAY, +}; + #endif /* _ALGO_H_ */ diff --git a/cli-kex.c b/cli-kex.c index 9dadb3c..ddd2efc 100644 --- a/cli-kex.c +++ b/cli-kex.c @@ -42,16 +42,16 @@ static void checkhostkey(unsigned char* keyblob, unsigned int keybloblen); #define MAX_KNOWNHOSTS_LINE 4500 void send_msg_kexdh_init() { - - cli_ses.dh_e = (mp_int*)m_malloc(sizeof(mp_int)); - cli_ses.dh_x = (mp_int*)m_malloc(sizeof(mp_int)); - m_mp_init_multi(cli_ses.dh_e, cli_ses.dh_x, NULL); - - gen_kexdh_vals(cli_ses.dh_e, cli_ses.dh_x); - CHECKCLEARTOWRITE(); buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT); - buf_putmpint(ses.writepayload, cli_ses.dh_e); + if (IS_NORMAL_DH(ses.newkeys->algo_kex)) { + cli_ses.dh_param = gen_kexdh_param(); + buf_putmpint(ses.writepayload, &cli_ses.dh_param->pub); + } else { +#ifdef DROPBEAR_ECDH + cli_ses.ecdh_param = +#endif + } encrypt_packet(); ses.requirenext = SSH_MSG_KEXDH_REPLY; } @@ -59,18 +59,15 @@ void send_msg_kexdh_init() { /* Handle a diffie-hellman key exchange reply. */ void recv_msg_kexdh_reply() { - DEF_MP_INT(dh_f); sign_key *hostkey = NULL; unsigned int type, keybloblen; unsigned char* keyblob = NULL; - TRACE(("enter recv_msg_kexdh_reply")) if (cli_ses.kex_state != KEXDH_INIT_SENT) { dropbear_exit("Received out-of-order kexdhreply"); } - m_mp_init(&dh_f); type = ses.newkeys->algo_hostkey; TRACE(("type is %d", type)) @@ -88,16 +85,23 @@ void recv_msg_kexdh_reply() { dropbear_exit("Bad KEX packet"); } - if (buf_getmpint(ses.payload, &dh_f) != DROPBEAR_SUCCESS) { - TRACE(("failed getting mpint")) - dropbear_exit("Bad KEX packet"); - } + if (IS_NORMAL_DH(ses.newkeys->algo_kex)) { + // Normal diffie-hellman + DEF_MP_INT(dh_f); + m_mp_init(&dh_f); + if (buf_getmpint(ses.payload, &dh_f) != DROPBEAR_SUCCESS) { + TRACE(("failed getting mpint")) + dropbear_exit("Bad KEX packet"); + } - kexdh_comb_key(cli_ses.dh_e, cli_ses.dh_x, &dh_f, hostkey); - mp_clear(&dh_f); - mp_clear_multi(cli_ses.dh_e, cli_ses.dh_x, NULL); - m_free(cli_ses.dh_e); - m_free(cli_ses.dh_x); + kexdh_comb_key(cli_ses.dh_param, &dh_f, hostkey); + mp_clear(&dh_f); + free_kexdh_param(cli_ses.dh_param); + cli_ses.dh_param = NULL; + } else { +#ifdef DROPBEAR_ECDH +#endif + } if (buf_verify(ses.payload, hostkey, ses.hash, SHA1_HASH_SIZE) != DROPBEAR_SUCCESS) { diff --git a/common-algo.c b/common-algo.c index 4a14651..91d27b2 100644 --- a/common-algo.c +++ b/common-algo.c @@ -213,6 +213,7 @@ algo_type sshhostkey[] = { }; algo_type sshkex[] = { +// {"ecdh-sha2-secp256r1", DROPBEAR_KEX_ECDH_SECP256R1, NULL, 1, NULL}, {"diffie-hellman-group1-sha1", DROPBEAR_KEX_DH_GROUP1, NULL, 1, NULL}, {"diffie-hellman-group14-sha1", DROPBEAR_KEX_DH_GROUP14, NULL, 1, NULL}, {NULL, 0, NULL, 0, NULL} diff --git a/common-kex.c b/common-kex.c index 56b206d..c153c8f 100644 --- a/common-kex.c +++ b/common-kex.c @@ -549,15 +549,16 @@ static void load_dh_p(mp_int * dh_p) /* Initialises and generate one side of the diffie-hellman key exchange values. * See the transport rfc 4253 section 8 for details */ /* dh_pub and dh_priv MUST be already initialised */ -void gen_kexdh_vals(mp_int *dh_pub, mp_int *dh_priv) { +struct kex_dh_param *gen_kexdh_param() { DEF_MP_INT(dh_p); DEF_MP_INT(dh_q); DEF_MP_INT(dh_g); TRACE(("enter send_msg_kexdh_reply")) - - m_mp_init_multi(&dh_g, &dh_p, &dh_q, NULL); + + struct kex_dh_param *param = m_malloc(sizeof(*param)); + m_mp_init_multi(¶m->pub, ¶m->priv, NULL); /* read the prime and generator*/ load_dh_p(&dh_p); @@ -568,32 +569,40 @@ void gen_kexdh_vals(mp_int *dh_pub, mp_int *dh_priv) { /* calculate q = (p-1)/2 */ /* dh_priv is just a temp var here */ - if (mp_sub_d(&dh_p, 1, dh_priv) != MP_OKAY) { + if (mp_sub_d(&dh_p, 1, ¶m->priv) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } - if (mp_div_2(dh_priv, &dh_q) != MP_OKAY) { + if (mp_div_2(¶m->priv, &dh_q) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } /* Generate a private portion 0 < dh_priv < dh_q */ - gen_random_mpint(&dh_q, dh_priv); + gen_random_mpint(&dh_q, ¶m->priv); /* f = g^y mod p */ - if (mp_exptmod(&dh_g, dh_priv, &dh_p, dh_pub) != MP_OKAY) { + if (mp_exptmod(&dh_g, ¶m->priv, &dh_p, ¶m->pub) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } mp_clear_multi(&dh_g, &dh_p, &dh_q, NULL); + return param; +} + +void free_kexdh_param(struct kex_dh_param *param) +{ + mp_clear_multi(¶m->pub, ¶m->priv, NULL); + m_free(param); } /* This function is fairly common between client/server, with some substitution * of dh_e/dh_f etc. Hence these arguments: * dh_pub_us is 'e' for the client, 'f' for the server. dh_pub_them is * vice-versa. dh_priv is the x/y value corresponding to dh_pub_us */ -void kexdh_comb_key(mp_int *dh_pub_us, mp_int *dh_priv, mp_int *dh_pub_them, +void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them, sign_key *hostkey) { mp_int dh_p; mp_int *dh_e = NULL, *dh_f = NULL; + hash_state hs; /* read the prime and generator*/ @@ -609,7 +618,7 @@ void kexdh_comb_key(mp_int *dh_pub_us, mp_int *dh_priv, mp_int *dh_pub_them, /* K = e^y mod p = f^x mod p */ ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int)); m_mp_init(ses.dh_K); - if (mp_exptmod(dh_pub_them, dh_priv, &dh_p, ses.dh_K) != MP_OKAY) { + if (mp_exptmod(dh_pub_them, ¶m->priv, &dh_p, ses.dh_K) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } @@ -619,11 +628,11 @@ void kexdh_comb_key(mp_int *dh_pub_us, mp_int *dh_priv, mp_int *dh_pub_them, /* From here on, the code needs to work with the _same_ vars on each side, * not vice-versaing for client/server */ if (IS_DROPBEAR_CLIENT) { - dh_e = dh_pub_us; + dh_e = ¶m->pub; dh_f = dh_pub_them; } else { dh_e = dh_pub_them; - dh_f = dh_pub_us; + dh_f = ¶m->pub; } /* Create the remainder of the hash buffer, to generate the exchange hash */ @@ -655,6 +664,16 @@ void kexdh_comb_key(mp_int *dh_pub_us, mp_int *dh_priv, mp_int *dh_pub_them, } } +#ifdef DROPBEAR_ECDH +struct kex_ecdh_param *gen_kexecdh_param() { + struct kex_ecdh_param *param = m_malloc(sizeof(*param)); + if (ecc_make_key_ex(NULL, dropbear_ltc_prng, ¶m->key +} +void free_kexecdh_param(struct kex_ecdh_param *param); +void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, + sign_key *hostkey); +#endif + /* read the other side's algo list. buf_match_algo is a callback to match * algos for the client or server. */ static void read_kex_algos() { diff --git a/configure.ac b/configure.ac index 3b82bb7..d3d30b4 100644 --- a/configure.ac +++ b/configure.ac @@ -685,7 +685,7 @@ AS_MKDIR_P(libtomcrypt/src/pk/dsa) AS_MKDIR_P(libtomcrypt/src/pk/ecc) AS_MKDIR_P(libtomcrypt/src/pk/pkcs1) AS_MKDIR_P(libtomcrypt/src/pk/rsa) -AS_MKDIR_P(libtomcrypt/src/prng) +AS_MKDIR_P(libtomcrypt/src/prngs) AC_CONFIG_HEADER(config.h) AC_OUTPUT(Makefile) AC_OUTPUT(libtomcrypt/Makefile) diff --git a/ecc.c b/ecc.c new file mode 100644 index 0000000..cf67ec0 --- /dev/null +++ b/ecc.c @@ -0,0 +1,17 @@ +#ifdef DROPBEAR_ECC + +void buf_put_ecc_key_string(buffer *buf, ecc_key *key) { + int len = key->dp->size*2 + 1; + buf_putint(len); + int err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len); + if (err != CRYPT_OK) { + dropbear_exit("ECC error"); + } + buf_incrwritepos(buf, len); +} + +int buf_get_ecc_key_string(buffer *buf, ecc_key *key) { +} + + +#endif diff --git a/kex.h b/kex.h index c89b0a3..f9d70b8 100644 --- a/kex.h +++ b/kex.h @@ -33,10 +33,19 @@ void recv_msg_kexinit(); void send_msg_newkeys(); void recv_msg_newkeys(); void kexfirstinitialise(); -void gen_kexdh_vals(mp_int *dh_pub, mp_int *dh_priv); -void kexdh_comb_key(mp_int *dh_pub_us, mp_int *dh_priv, mp_int *dh_pub_them, + +struct kex_dh_param *gen_kexdh_param(); +void free_kexdh_param(struct kex_dh_param *param); +void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them, sign_key *hostkey); +#ifdef DROPBEAR_ECDH +struct kex_ecdh_param *gen_kexecdh_param(); +void free_kexecdh_param(struct kex_ecdh_param *param); +void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, + sign_key *hostkey); +#endif + #ifndef DISABLE_ZLIB int is_compress_trans(); int is_compress_recv(); @@ -64,6 +73,17 @@ struct KEXState { }; +struct kex_dh_param { + mp_int pub; + mp_int priv; +}; + +#ifdef DROPBEAR_ECDH +struct kex_ecdh_param { + ecc_key key; +}; +#endif + #define MAX_KEXHASHBUF 2000 #endif /* _KEX_H_ */ diff --git a/libtomcrypt/src/headers/tomcrypt_custom.h b/libtomcrypt/src/headers/tomcrypt_custom.h index acc149a..1304ce7 100644 --- a/libtomcrypt/src/headers/tomcrypt_custom.h +++ b/libtomcrypt/src/headers/tomcrypt_custom.h @@ -134,6 +134,13 @@ #define LTC_HMAC +#ifdef DROPBEAR_ECDH +#define MECC +#define ECC256 +#define ECC384 +#define ECC521 +#endif + /* Various tidbits of modern neatoness */ #define BASE64 diff --git a/ltc_prng.c b/ltc_prng.c new file mode 100644 index 0000000..cfd98fc --- /dev/null +++ b/ltc_prng.c @@ -0,0 +1,136 @@ +/* Copied from libtomcrypt/src/prngs/sprng.c and modified to + * use Dropbear's genrandom(). */ + +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com + */ +#include "options.h" +#include "includes.h" +#include "random.h" + +/** + @file sprng.c + Secure PRNG, Tom St Denis +*/ + +/* A secure PRNG using the RNG functions. Basically this is a + * wrapper that allows you to use a secure RNG as a PRNG + * in the various other functions. + */ + +#ifdef DROPBEAR_LTC_PRNG + +/** + Start the PRNG + @param prng [out] The PRNG state to initialize + @return CRYPT_OK if successful +*/ +int dropbear_prng_start(prng_state *prng) +{ + return CRYPT_OK; +} + +/** + Add entropy to the PRNG state + @param in The data to add + @param inlen Length of the data to add + @param prng PRNG state to update + @return CRYPT_OK if successful +*/ +int dropbear_prng_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng) +{ + return CRYPT_OK; +} + +/** + Make the PRNG ready to read from + @param prng The PRNG to make active + @return CRYPT_OK if successful +*/ +int dropbear_prng_ready(prng_state *prng) +{ + return CRYPT_OK; +} + +/** + Read from the PRNG + @param out Destination + @param outlen Length of output + @param prng The active PRNG to read from + @return Number of octets read +*/ +unsigned long dropbear_prng_read(unsigned char *out, unsigned long outlen, prng_state *prng) +{ + LTC_ARGCHK(out != NULL); + genrandom(out, outlen); + return CRYPT_OK; +} + +/** + Terminate the PRNG + @param prng The PRNG to terminate + @return CRYPT_OK if successful +*/ +int dropbear_prng_done(prng_state *prng) +{ + return CRYPT_OK; +} + +/** + Export the PRNG state + @param out [out] Destination + @param outlen [in/out] Max size and resulting size of the state + @param prng The PRNG to export + @return CRYPT_OK if successful +*/ +int dropbear_prng_export(unsigned char *out, unsigned long *outlen, prng_state *prng) +{ + LTC_ARGCHK(outlen != NULL); + + *outlen = 0; + return CRYPT_OK; +} + +/** + Import a PRNG state + @param in The PRNG state + @param inlen Size of the state + @param prng The PRNG to import + @return CRYPT_OK if successful +*/ +int dropbear_prng_import(const unsigned char *in, unsigned long inlen, prng_state *prng) +{ + return CRYPT_OK; +} + +/** + PRNG self-test + @return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled +*/ +int dropbear_prng_test(void) +{ + return CRYPT_OK; +} + +const struct ltc_prng_descriptor dropbear_prng_desc = +{ + "dropbear_prng", 0, + &dropbear_prng_start, + &dropbear_prng_add_entropy, + &dropbear_prng_ready, + &dropbear_prng_read, + &dropbear_prng_done, + &dropbear_prng_export, + &dropbear_prng_import, + &dropbear_prng_test +}; + + +#endif // DROPBEAR_LTC_PRNG diff --git a/options.h b/options.h index c52d6c2..4c42c02 100644 --- a/options.h +++ b/options.h @@ -136,6 +136,8 @@ much traffic. */ #define DROPBEAR_RSA #define DROPBEAR_DSS +#define DROPBEAR_ECDH + /* RSA can be vulnerable to timing attacks which use the time required for * signing to guess the private key. Blinding avoids this attack, though makes * signing operations slightly slower. */ diff --git a/random.c b/random.c index 0378e9a..20095aa 100644 --- a/random.c +++ b/random.c @@ -36,6 +36,8 @@ static uint32_t counter = 0; static unsigned char hashpool[SHA1_HASH_SIZE] = {0}; static int donerandinit = 0; +int dropbear_ltc_prng = -1; + #define INIT_SEED_SIZE 32 /* 256 bits */ /* The basic setup is we read some data from /dev/(u)random or prngd and hash it @@ -231,6 +233,13 @@ void seedrandom() { sha1_done(&hs, hashpool); +#ifdef DROPBEAR_LTC_PRNG + if (dropbear_ltc_prng == -1) { + dropbear_ltc_prng = register_prng(&dropbear_prng_desc); + dropbear_assert(dropbear_ltc_prng != -1); + } +#endif + counter = 0; donerandinit = 1; diff --git a/random.h b/random.h index 544e77e..4042757 100644 --- a/random.h +++ b/random.h @@ -32,4 +32,6 @@ void genrandom(unsigned char* buf, unsigned int len); void addrandom(char * buf, unsigned int len); void gen_random_mpint(mp_int *max, mp_int *rand); +extern int dropbear_ltc_prng; + #endif /* _RANDOM_H_ */ diff --git a/session.h b/session.h index 0719e34..145f695 100644 --- a/session.h +++ b/session.h @@ -67,7 +67,7 @@ struct key_context_directional { const struct dropbear_cipher_mode *crypt_mode; const struct dropbear_hash *algo_mac; int hash_index; /* lookup for libtomcrypt */ - char algo_comp; /* compression */ + int algo_comp; /* compression */ #ifndef DISABLE_ZLIB z_streamp zstream; #endif @@ -86,8 +86,8 @@ struct key_context { struct key_context_directional recv; struct key_context_directional trans; - char algo_kex; - char algo_hostkey; + int algo_kex; + int algo_hostkey; int allow_compress; /* whether compression has started (useful in zlib@openssh.com delayed compression case) */ @@ -244,8 +244,8 @@ typedef enum { } cli_state; struct clientsession { - - mp_int *dh_e, *dh_x; /* Used during KEX */ + struct kex_dh_param *dh_param; + struct kex_ecdh_param *ecdh_param; cli_kex_state kex_state; /* Used for progressing KEX */ cli_state state; /* Used to progress auth/channelsession etc */ unsigned donefirstkex : 1; /* Set when we set sentnewkeys, never reset */ diff --git a/svr-kex.c b/svr-kex.c index abd7986..e30a2d4 100644 --- a/svr-kex.c +++ b/svr-kex.c @@ -36,7 +36,7 @@ #include "runopts.h" -static void send_msg_kexdh_reply(mp_int *dh_e); +static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs); /* Handle a diffie-hellman key exchange initialisation. This involves * calculating a session key reply value, and corresponding hash. These @@ -45,20 +45,29 @@ static void send_msg_kexdh_reply(mp_int *dh_e); void recv_msg_kexdh_init() { DEF_MP_INT(dh_e); + buffer *ecdh_qs = NULL; TRACE(("enter recv_msg_kexdh_init")) if (!ses.kexstate.recvkexinit) { dropbear_exit("Premature kexdh_init message received"); } - m_mp_init(&dh_e); - if (buf_getmpint(ses.payload, &dh_e) != DROPBEAR_SUCCESS) { - dropbear_exit("Failed to get kex value"); + if (IS_NORMAL_DH(ses.newkeys->algo_kex)) { + m_mp_init(&dh_e); + if (buf_getmpint(ses.payload, &dh_e) != DROPBEAR_SUCCESS) { + dropbear_exit("Failed to get kex value"); + } + } else { +#ifdef DROPBEAR_ECDH +#endif } - send_msg_kexdh_reply(&dh_e); + send_msg_kexdh_reply(&dh_e, ecdh_qs); mp_clear(&dh_e); + if (ecdh_qs) { + buf_free(ecdh_qs); + } send_msg_newkeys(); ses.requirenext = SSH_MSG_NEWKEYS; @@ -70,19 +79,10 @@ void recv_msg_kexdh_init() { * that, the session hash is calculated, and signed with RSA or DSS. The * result is sent to the client. * - * See the transport rfc 4253 section 8 for details */ -static void send_msg_kexdh_reply(mp_int *dh_e) { - - DEF_MP_INT(dh_y); - DEF_MP_INT(dh_f); - + * See the transport RFC4253 section 8 for details + * or RFC5656 section 4 for elliptic curve variant. */ +static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) { TRACE(("enter send_msg_kexdh_reply")) - m_mp_init_multi(&dh_y, &dh_f, NULL); - - gen_kexdh_vals(&dh_f, &dh_y); - - kexdh_comb_key(&dh_f, &dh_y, dh_e, svr_opts.hostkey); - mp_clear(&dh_y); /* we can start creating the kexdh_reply packet */ CHECKCLEARTOWRITE(); @@ -90,9 +90,23 @@ static void send_msg_kexdh_reply(mp_int *dh_e) { buf_put_pub_key(ses.writepayload, svr_opts.hostkey, ses.newkeys->algo_hostkey); - /* put f */ - buf_putmpint(ses.writepayload, &dh_f); - mp_clear(&dh_f); + if (IS_NORMAL_DH(ses.newkeys->algo_kex)) { + // Normal diffie-hellman + struct kex_dh_param * dh_param = gen_kexdh_param(); + kexdh_comb_key(dh_param, dh_e, svr_opts.hostkey); + + /* put f */ + buf_putmpint(ses.writepayload, &dh_param->pub); + free_kexdh_param(dh_param); + } else { +#ifdef DROPBEAR_ECDH + struct kex_ecdh_param *ecdh_param = gen_kexecdh_param(); + kexecdh_comb_key(ecdh_param, ecdh_qs, svr_opts.hostkey); + + buf_put_ecc_pub(ses.writepayload, &ecdh_param->key); + free_kexecdh_param(ecdh_param); +#endif + } /* calc the signature */ buf_put_sign(ses.writepayload, svr_opts.hostkey, diff --git a/sysoptions.h b/sysoptions.h index 8c591ea..20c2e57 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -60,24 +60,20 @@ #define DROPBEAR_SUCCESS 0 #define DROPBEAR_FAILURE -1 -/* various algorithm identifiers */ -#define DROPBEAR_KEX_DH_GROUP1 0 -#define DROPBEAR_KEX_DH_GROUP14 1 - #define DROPBEAR_SIGNKEY_ANY 0 #define DROPBEAR_SIGNKEY_RSA 1 #define DROPBEAR_SIGNKEY_DSS 2 #define DROPBEAR_SIGNKEY_NONE 3 -#define DROPBEAR_COMP_NONE 0 -#define DROPBEAR_COMP_ZLIB 1 -#define DROPBEAR_COMP_ZLIB_DELAY 2 - /* Required for pubkey auth */ #if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT) #define DROPBEAR_SIGNKEY_VERIFY #endif +#ifdef DROPBEAR_ECDH +#define DROPBEAR_LTC_PRNG +#endif + #define SHA1_HASH_SIZE 20 #define MD5_HASH_SIZE 16 @@ -93,6 +89,13 @@ #define MAX_MAC_LEN 20 #endif +#if defined(DROPBEAR_ECDH) || defined (DROPBEAR_ECDSA) +#define DROPBEAR_ECC +#endif + +// roughly 2x 521 bits +#define MAX_ECC_SIZE 140 + #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't explicitly specified for all protocols (just for algos) but seems valid */ -- cgit v1.2.1 From 01662a05d87c31680542e4ad1fa8029cf6fa330a Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Wed, 27 Mar 2013 00:38:03 +0800 Subject: more bits on ecc branch --- Makefile.in | 2 +- algo.h | 20 ++++++- cli-kex.c | 2 +- common-algo.c | 32 +++++++++- common-kex.c | 97 ++++++++++++++++++++++++++----- ecc.c | 97 +++++++++++++++++++++++++++++++ ecc.h | 34 +++++++++++ kex.h | 5 ++ libtomcrypt/src/headers/tomcrypt_custom.h | 8 ++- session.h | 2 +- sysoptions.h | 7 +++ 11 files changed, 281 insertions(+), 25 deletions(-) create mode 100644 ecc.h diff --git a/Makefile.in b/Makefile.in index 4eabd20..eef6fbe 100644 --- a/Makefile.in +++ b/Makefile.in @@ -26,7 +26,7 @@ COMMONOBJS=dbutil.o buffer.o \ dss.o bignum.o \ signkey.o rsa.o random.o \ queue.o \ - atomicio.o compat.o fake-rfc2553.o ltc_prng.o ecc.o + atomicio.o compat.o fake-rfc2553.o ltc_prng.o ecc.o SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \ svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \ diff --git a/algo.h b/algo.h index 89d05e3..aeb5641 100644 --- a/algo.h +++ b/algo.h @@ -79,6 +79,20 @@ struct dropbear_hash { unsigned char hashsize; }; +struct dropbear_kex { + // "normal" DH KEX + unsigned char *dh_p_bytes; + int dh_p_len; + + // elliptic curve DH KEX +#ifdef DROPBEAR_ECDH + const struct dropbear_ecc_curve *ecc_curve; +#endif + + // both + const struct ltc_hash_descriptor *hashdesc; +}; + void crypto_init(); int have_algo(char* algo, size_t algolen, algo_type algos[]); void buf_put_algolist(buffer * buf, algo_type localalgos[]); @@ -94,14 +108,16 @@ int check_user_algos(const char* user_algo_list, algo_type * algos, char * algolist_string(algo_type algos[]); #endif -enum { +enum kex_type { DROPBEAR_KEX_DH_GROUP1, DROPBEAR_KEX_DH_GROUP14, DROPBEAR_KEX_ECDH_SECP256R1, + DROPBEAR_KEX_ECDH_SECP384R1, + DROPBEAR_KEX_ECDH_SECP521R1, }; #ifdef DROPBEAR_ECDH -#define IS_NORMAL_DH(algo) ((algo) == DROPBEAR_KEX_DH_GROUP1 || (algo) == DROPBEAR_KEX_DH_GROUP14) +#define IS_NORMAL_DH(algo) ((algo)->dh_p_bytes != NULL) #else #define IS_NORMAL_DH(algo) 1 #endif diff --git a/cli-kex.c b/cli-kex.c index ddd2efc..8090756 100644 --- a/cli-kex.c +++ b/cli-kex.c @@ -49,7 +49,7 @@ void send_msg_kexdh_init() { buf_putmpint(ses.writepayload, &cli_ses.dh_param->pub); } else { #ifdef DROPBEAR_ECDH - cli_ses.ecdh_param = + cli_ses.ecdh_param = gen_kexecdh_param(); #endif } encrypt_packet(); diff --git a/common-algo.c b/common-algo.c index 91d27b2..87592e1 100644 --- a/common-algo.c +++ b/common-algo.c @@ -212,10 +212,36 @@ algo_type sshhostkey[] = { {NULL, 0, NULL, 0, NULL} }; +static struct dropbear_kex kex_dh_group1 {dh_p_1, DH_P_1_LEN, NULL, sha1_desc }; +static struct dropbear_kex kex_dh_group14 {dh_p_14, DH_P_14_LEN, NULL, sha1_desc }; + +#ifdef DROPBEAR_ECC_DH +#ifdef DROPBEAR_ECC_256 +static struct dropbear_kex kex_ecdh_secp256r1 {NULL, 0, &ecc_curve_secp256r1, sha256_desc }; +#endif +#ifdef DROPBEAR_ECC_384 +static struct dropbear_kex kex_ecdh_secp384r1 {NULL, 0, &ecc_curve_secp384r1, sha384_desc }; +#endif +#ifdef DROPBEAR_ECC_521 +static struct dropbear_kex kex_ecdh_secp521r1 {NULL, 0, &ecc_curve_secp521r1, sha512_desc }; +#endif +#endif // DROPBEAR_ECC_DH + + algo_type sshkex[] = { -// {"ecdh-sha2-secp256r1", DROPBEAR_KEX_ECDH_SECP256R1, NULL, 1, NULL}, - {"diffie-hellman-group1-sha1", DROPBEAR_KEX_DH_GROUP1, NULL, 1, NULL}, - {"diffie-hellman-group14-sha1", DROPBEAR_KEX_DH_GROUP14, NULL, 1, NULL}, +#ifdef DROPBEAR_ECC_DH +#ifdef DROPBEAR_ECC_256 + {"ecdh-sha2-secp256r1", 0, &kex_ecdh_descp256r1, 1, NULL}, +#endif +#ifdef DROPBEAR_ECC_384 + {"ecdh-sha2-secp384r1", 0, &kex_ecdh_descp384r1, 1, NULL}, +#endif +#ifdef DROPBEAR_ECC_521 + {"ecdh-sha2-secp521r1", 0, &kex_ecdh_descp521r1, 1, NULL}, +#endif +#endif + {"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL}, + {"diffie-hellman-group14-sha1", 0, &kex_dh_group14, 1, NULL}, {NULL, 0, NULL, 0, NULL} }; diff --git a/common-kex.c b/common-kex.c index c153c8f..5d46f79 100644 --- a/common-kex.c +++ b/common-kex.c @@ -36,8 +36,7 @@ #include "runopts.h" /* diffie-hellman-group1-sha1 value for p */ -#define DH_P_1_LEN 128 -static const unsigned char dh_p_1[DH_P_1_LEN] = { +const unsigned char dh_p_1[DH_P_1_LEN] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, @@ -51,8 +50,7 @@ static const unsigned char dh_p_1[DH_P_1_LEN] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; /* diffie-hellman-group14-sha1 value for p */ -#define DH_P_14_LEN 256 -static const unsigned char dh_p_14[DH_P_14_LEN] = { +const unsigned char dh_p_14[DH_P_14_LEN] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, @@ -536,14 +534,8 @@ void recv_msg_kexinit() { static void load_dh_p(mp_int * dh_p) { - switch (ses.newkeys->algo_kex) { - case DROPBEAR_KEX_DH_GROUP1: - bytes_to_mp(dh_p, dh_p_1, DH_P_1_LEN); - break; - case DROPBEAR_KEX_DH_GROUP14: - bytes_to_mp(dh_p, dh_p_14, DH_P_14_LEN); - break; - } + bytes_to_mp(dh_p, ses.newkeys->algo_kex->dh_p_bytes, + ses.newkeys->algo_kex->dh_p_len); } /* Initialises and generate one side of the diffie-hellman key exchange values. @@ -667,11 +659,84 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them, #ifdef DROPBEAR_ECDH struct kex_ecdh_param *gen_kexecdh_param() { struct kex_ecdh_param *param = m_malloc(sizeof(*param)); - if (ecc_make_key_ex(NULL, dropbear_ltc_prng, ¶m->key + if (ecc_make_key_ex(NULL, dropbear_ltc_prng, + ¶m->key, ses.newkeys->algo_kex->ecc_curve) != CRYPT_OK) { + dropbear_exit("ECC error") + } + return param; +} + +void free_kexecdh_param(struct kex_ecdh_param *param) { + ecc_free(¶m->key); + m_free(param); + } -void free_kexecdh_param(struct kex_ecdh_param *param); void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, - sign_key *hostkey); + sign_key *hostkey) { + + hash_state hs; + // public keys from client and server + ecc_key *Q_C, *Q_S, *Q_them; + + // XXX load Q_them + + ses.dh_K = dropbear_ecc_shared_secret() + + /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */ + if (mp_cmp(dh_pub_them, &dh_p) != MP_LT + || mp_cmp_d(dh_pub_them, 0) != MP_GT) { + dropbear_exit("Diffie-Hellman error"); + } + + /* K = e^y mod p = f^x mod p */ + ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int)); + m_mp_init(ses.dh_K); + if (mp_exptmod(dh_pub_them, ¶m->priv, &dh_p, ses.dh_K) != MP_OKAY) { + dropbear_exit("Diffie-Hellman error"); + } + + /* clear no longer needed vars */ + mp_clear_multi(&dh_p, NULL); + + /* From here on, the code needs to work with the _same_ vars on each side, + * not vice-versaing for client/server */ + if (IS_DROPBEAR_CLIENT) { + dh_e = ¶m->pub; + dh_f = dh_pub_them; + } else { + dh_e = dh_pub_them; + dh_f = ¶m->pub; + } + + /* Create the remainder of the hash buffer, to generate the exchange hash */ + /* K_S, the host key */ + buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey); + /* e, exchange value sent by the client */ + buf_putmpint(ses.kexhashbuf, dh_e); + /* f, exchange value sent by the server */ + buf_putmpint(ses.kexhashbuf, dh_f); + /* K, the shared secret */ + buf_putmpint(ses.kexhashbuf, ses.dh_K); + + /* calculate the hash H to sign */ + sha1_init(&hs); + buf_setpos(ses.kexhashbuf, 0); + sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), + ses.kexhashbuf->len); + sha1_done(&hs, ses.hash); + + buf_burn(ses.kexhashbuf); + buf_free(ses.kexhashbuf); + ses.kexhashbuf = NULL; + + /* first time around, we set the session_id to H */ + if (ses.session_id == NULL) { + /* create the session_id, this never needs freeing */ + ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE); + memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE); + } + +} #endif /* read the other side's algo list. buf_match_algo is a callback to match @@ -707,7 +772,7 @@ static void read_kex_algos() { goto error; } TRACE(("kex algo %s", algo->name)) - ses.newkeys->algo_kex = algo->val; + ses.newkeys->algo_kex = algo->data; /* server_host_key_algorithms */ algo = ses.buf_match_algo(ses.payload, sshhostkey, &goodguess); diff --git a/ecc.c b/ecc.c index cf67ec0..873a92a 100644 --- a/ecc.c +++ b/ecc.c @@ -1,6 +1,37 @@ +#include "includes.h" +#include "options.h" +#include "ecc.h" + #ifdef DROPBEAR_ECC +#ifdef DROPBEAR_ECC_256 +const struct ecc_curve_secp256r1 { + .ltc_set = <c_ecc_sets[0], + .hash_desc = sha256_desc, + .name = "secp256r1" +}; +#endif + + +#ifdef DROPBEAR_ECC_384 +const struct ecc_curve_secp384r1 { + .ltc_set = <c_ecc_sets[1], + .hash_desc = sha384_desc, + .name = "secp384r1" +}; +#endif + +#ifdef DROPBEAR_ECC_256 +const struct ecc_curve_secp256r1 { + .ltc_set = <c_ecc_sets[0], + .hash_desc = sha256_desc, + .name = "secp256r1" +}; +#endif + + void buf_put_ecc_key_string(buffer *buf, ecc_key *key) { + // XXX point compression int len = key->dp->size*2 + 1; buf_putint(len); int err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len); @@ -13,5 +44,71 @@ void buf_put_ecc_key_string(buffer *buf, ecc_key *key) { int buf_get_ecc_key_string(buffer *buf, ecc_key *key) { } +// a modified version of libtomcrypt's "ecc_shared_secret" to output +// a mp_int instead. +mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, ecc_key *private_key) +{ + ecc_point *result = NULL + mp_int *prime = NULL, *shared_secret = NULL; + int ret = DROPBEAR_FAILURE; + + /* type valid? */ + if (private_key->type != PK_PRIVATE) { + goto done; + } + + if (private_key->dp != public_key->dp) { + goto done; + } + +#if 0 + // XXX - possibly not neccessary tests? + if (ltc_ecc_is_valid_idx(private_key->idx) == 0 || ltc_ecc_is_valid_idx(public_key->idx) == 0) { + goto done; + } + + if (XSTRCMP(private_key->dp->name, public_key->dp->name) != 0) { + goto done; + } +#endif + + /* make new point */ + result = ltc_ecc_new_point(); + if (result == NULL) { + goto done; + } + + prime = m_malloc(sizeof(*prime)); + m_mp_init(prime); + + if (mp_read_radix(prime, (char *)private_key->dp->prime, 16) != CRYPT_OK) { + goto done; + } + if (ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1) != CRYPT_OK) { + goto done; + } + + err = DROPBEAR_SUCCESS; +done: + if (err == DROPBEAR_SUCCESS) { + shared_secret = prime; + prime = NULL; + } + + if (prime) { + mp_clear(prime); + m_free(prime); + } + ltc_ecc_del_point(result); + + if (err == DROPBEAR_FAILURE) { + dropbear_exit("ECC error"); + } + + return shared_secret; + return err; +} + +} #endif diff --git a/ecc.h b/ecc.h new file mode 100644 index 0000000..426f698 --- /dev/null +++ b/ecc.h @@ -0,0 +1,34 @@ +#ifndef _DROPBEAR_ECC_H +#define _DROPBEAR_ECC_H + +#include "includes.h" +#include "options.h" + +#include "buffer.h" + +#ifdef DROPBEAR_ECC + +struct dropbear_ecc_curve { + const ltc_ecc_set_type* ltc_set; + const struct ltc_hash_descriptor *hash_desc; + const char *name; +}; + +extern const struct dropbear_ecc_curve ecc_curve_secp256r1; +extern const struct dropbear_ecc_curve ecc_curve_secp384r1; +extern const struct dropbear_ecc_curve ecc_curve_secp521r1; + +// "pubkey" refers to a point, but LTC uses ecc_key structure for both public +// and private keys +void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key); +int buf_get_ecc_pubkey_string(buffer *buf, ecc_key *key); +int buf_get_ecc_privkey_string(buffer *buf, ecc_key *key); + +mp_int * dropbear_ecc_shared_secret(ecc_key *pub_key, ecc_key *priv_key); + + +const ltc_ecc_set_type* get_ecc_curve(enum kex_type type); + +#endif + +#endif // _DROPBEAR_ECC_H \ No newline at end of file diff --git a/kex.h b/kex.h index f9d70b8..57019ff 100644 --- a/kex.h +++ b/kex.h @@ -73,6 +73,11 @@ struct KEXState { }; +#define DH_P_1_LEN 128 +extern const const unsigned char dh_p_1[DH_P_1_LEN]; +#define DH_P_14_LEN 256 +const unsigned char dh_p_14[DH_P_14_LEN] = { + struct kex_dh_param { mp_int pub; mp_int priv; diff --git a/libtomcrypt/src/headers/tomcrypt_custom.h b/libtomcrypt/src/headers/tomcrypt_custom.h index 1304ce7..344835f 100644 --- a/libtomcrypt/src/headers/tomcrypt_custom.h +++ b/libtomcrypt/src/headers/tomcrypt_custom.h @@ -134,12 +134,18 @@ #define LTC_HMAC -#ifdef DROPBEAR_ECDH +#ifdef DROPBEAR_ECC #define MECC +#ifdef DROPBEAR_ECC_256 #define ECC256 +#endif +#ifdef DROPBEAR_ECC_384 #define ECC384 +#endif +#ifdef DROPBEAR_ECC_521 #define ECC521 #endif +#endif /* Various tidbits of modern neatoness */ #define BASE64 diff --git a/session.h b/session.h index 145f695..6939536 100644 --- a/session.h +++ b/session.h @@ -86,7 +86,7 @@ struct key_context { struct key_context_directional recv; struct key_context_directional trans; - int algo_kex; + const struct dropbear_kex *algo_kex; int algo_hostkey; int allow_compress; /* whether compression has started (useful in diff --git a/sysoptions.h b/sysoptions.h index 20c2e57..8fa3ff0 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -93,6 +93,13 @@ #define DROPBEAR_ECC #endif + +#ifdef DROPBEAR_ECC +#define DROPBEAR_ECC_256 +#define DROPBEAR_ECC_384 +#define DROPBEAR_ECC_521 +#endif + // roughly 2x 521 bits #define MAX_ECC_SIZE 140 -- cgit v1.2.1 From eafe3303f91ab444b3dcc87dce08950c401002ea Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Wed, 27 Mar 2013 23:50:52 +0800 Subject: ecc key import function --- common-kex.c | 7 +++--- ecc.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++--------- ecc.h | 2 +- 3 files changed, 73 insertions(+), 15 deletions(-) diff --git a/common-kex.c b/common-kex.c index 5d46f79..aa4c3a4 100644 --- a/common-kex.c +++ b/common-kex.c @@ -678,10 +678,11 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, // public keys from client and server ecc_key *Q_C, *Q_S, *Q_them; - // XXX load Q_them +oj // XXX load Q_them + Q_them = buf_get_ecc_key_string() + + ses.dh_K = dropbear_ecc_shared_secret(); - ses.dh_K = dropbear_ecc_shared_secret() - /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */ if (mp_cmp(dh_pub_them, &dh_p) != MP_LT || mp_cmp_d(dh_pub_them, 0) != MP_GT) { diff --git a/ecc.c b/ecc.c index 873a92a..0172516 100644 --- a/ecc.c +++ b/ecc.c @@ -4,9 +4,11 @@ #ifdef DROPBEAR_ECC +// TODO: use raw bytes for the dp rather than the hex strings in libtomcrypt's ecc.c + #ifdef DROPBEAR_ECC_256 -const struct ecc_curve_secp256r1 { - .ltc_set = <c_ecc_sets[0], +const struct dropbear_ecc_curve ecc_curve_secp256r1 { + .dp = <c_ecc_sets[0], .hash_desc = sha256_desc, .name = "secp256r1" }; @@ -14,23 +16,23 @@ const struct ecc_curve_secp256r1 { #ifdef DROPBEAR_ECC_384 -const struct ecc_curve_secp384r1 { - .ltc_set = <c_ecc_sets[1], +const struct dropbear_ecc_curve ecc_curve_secp384r1 { + .dp = <c_ecc_sets[1], .hash_desc = sha384_desc, .name = "secp384r1" }; #endif -#ifdef DROPBEAR_ECC_256 -const struct ecc_curve_secp256r1 { - .ltc_set = <c_ecc_sets[0], - .hash_desc = sha256_desc, - .name = "secp256r1" +#ifdef DROPBEAR_ECC_521 +const struct dropbear_ecc_curve ecc_curve_secp521r1 { + .dp = <c_ecc_sets[2], + .hash_desc = sha521_desc, + .name = "secp521r1" }; #endif -void buf_put_ecc_key_string(buffer *buf, ecc_key *key) { +void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key) { // XXX point compression int len = key->dp->size*2 + 1; buf_putint(len); @@ -41,7 +43,62 @@ void buf_put_ecc_key_string(buffer *buf, ecc_key *key) { buf_incrwritepos(buf, len); } -int buf_get_ecc_key_string(buffer *buf, ecc_key *key) { +ecc_key * buf_get_ecc_key_string(buffer *buf, const struct dropbear_ecc_curve *curve) { + ecc_key *key = NULL; + int ret = DROPBEAR_FAILURE; + const int size = curve->dp->size; + unsigned int len = buf_get_string(buf); + unsigned char first = buf_get_char(buf); + if (first == 2 || first == 3) { + dropbear_log("Dropbear doesn't support ECC point compression"); + return NULL; + } + if (first != 4 || len != 1+2*size) { + return NULL; + } + + key = m_malloc(sizeof(*key)); + m_mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL); + + if (mp_read_unsigned_bin(&key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) { + goto out; + } + buf_incrpos(buf, size); + + if (mp_read_unsigned_bin(&key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) { + goto out; + } + buf_incrpos(buf, size); + + if (mp_set(key->pubkey.z, 1) != MP_OKAY) { + goto out; + } + + if (is_point(key) != CRYPT_OK) { + goto out; + } + + // SEC1 3.2.3.1 Check that Q != 0 + if (mp_cmp_d(key->pubkey.x, 0) == LTC_MP_EQ) { + goto out; + } + if (mp_cmp_d(key->pubkey.y, 0) == LTC_MP_EQ) { + goto out; + } + + ret = DROPBEAR_SUCCESS; + +out: + if (ret == DROPBEAR_FAILURE) { + if (key) { + mp_free_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL); + m_free(key); + key = NULL; + } + } + + return key; + } // a modified version of libtomcrypt's "ecc_shared_secret" to output diff --git a/ecc.h b/ecc.h index 426f698..019282d 100644 --- a/ecc.h +++ b/ecc.h @@ -9,7 +9,7 @@ #ifdef DROPBEAR_ECC struct dropbear_ecc_curve { - const ltc_ecc_set_type* ltc_set; + const ltc_ecc_set_type *dp; // curve domain parameters const struct ltc_hash_descriptor *hash_desc; const char *name; }; -- cgit v1.2.1 From 2e09a5d54328e3573aa62d747dd89e094f382992 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 29 Mar 2013 00:26:46 +0800 Subject: Set LTC_SOURCE for proper ltm_desc etc --- libtomcrypt/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libtomcrypt/Makefile.in b/libtomcrypt/Makefile.in index ecc1ce6..14bce99 100644 --- a/libtomcrypt/Makefile.in +++ b/libtomcrypt/Makefile.in @@ -19,7 +19,7 @@ srcdir=@srcdir@ # Compilation flags. Note the += does not write over the user's CFLAGS! # The rest of the flags come from the parent Dropbear makefile -CFLAGS += -c -I$(srcdir)/src/headers/ -I$(srcdir)/../ +CFLAGS += -c -I$(srcdir)/src/headers/ -I$(srcdir)/../ -DLTC_SOURCE # additional warnings (newer GCC 3.4 and higher) ifdef GCC_34 -- cgit v1.2.1 From 92d78720daabce7e98b73975043179a4ac539755 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 29 Mar 2013 00:28:09 +0800 Subject: More changes for KEX and ECDH. Set up hash descriptors, make ECC code work, ses.hash and ses.session_id are now buffers (doesn't compile) --- algo.h | 24 ++---- cli-kex.c | 7 +- common-algo.c | 18 +++-- common-kex.c | 61 +++++++-------- ecc.c | 119 ++++++++++++++++++++++-------- ecc.h | 5 +- kex.h | 5 +- libtomcrypt/src/headers/tomcrypt_custom.h | 4 +- ltc_prng.c | 1 + ltc_prng.h | 13 ++++ random.c | 2 + session.h | 6 +- svr-kex.c | 1 + sysoptions.h | 28 +++---- 14 files changed, 180 insertions(+), 114 deletions(-) create mode 100644 ltc_prng.h diff --git a/algo.h b/algo.h index aeb5641..bda03dc 100644 --- a/algo.h +++ b/algo.h @@ -35,8 +35,8 @@ struct Algo_Type { - unsigned char *name; /* identifying name */ - char val; /* a value for this cipher, or -1 for invalid */ + const unsigned char *name; /* identifying name */ + const char val; /* a value for this cipher, or -1 for invalid */ const void *data; /* algorithm specific data */ char usable; /* whether we can use this algorithm */ const void *mode; /* the mode, currently only used for ciphers, @@ -59,8 +59,8 @@ extern const struct dropbear_hash dropbear_nohash; struct dropbear_cipher { const struct ltc_cipher_descriptor *cipherdesc; - unsigned long keysize; - unsigned char blocksize; + const unsigned long keysize; + const unsigned char blocksize; }; struct dropbear_cipher_mode { @@ -75,14 +75,14 @@ struct dropbear_cipher_mode { struct dropbear_hash { const struct ltc_hash_descriptor *hashdesc; - unsigned long keysize; - unsigned char hashsize; + const unsigned long keysize; + const unsigned char hashsize; }; struct dropbear_kex { // "normal" DH KEX - unsigned char *dh_p_bytes; - int dh_p_len; + const unsigned char *dh_p_bytes; + const int dh_p_len; // elliptic curve DH KEX #ifdef DROPBEAR_ECDH @@ -108,14 +108,6 @@ int check_user_algos(const char* user_algo_list, algo_type * algos, char * algolist_string(algo_type algos[]); #endif -enum kex_type { - DROPBEAR_KEX_DH_GROUP1, - DROPBEAR_KEX_DH_GROUP14, - DROPBEAR_KEX_ECDH_SECP256R1, - DROPBEAR_KEX_ECDH_SECP384R1, - DROPBEAR_KEX_ECDH_SECP521R1, -}; - #ifdef DROPBEAR_ECDH #define IS_NORMAL_DH(algo) ((algo)->dh_p_bytes != NULL) #else diff --git a/cli-kex.c b/cli-kex.c index 8090756..d6ebaf9 100644 --- a/cli-kex.c +++ b/cli-kex.c @@ -96,12 +96,15 @@ void recv_msg_kexdh_reply() { kexdh_comb_key(cli_ses.dh_param, &dh_f, hostkey); mp_clear(&dh_f); - free_kexdh_param(cli_ses.dh_param); - cli_ses.dh_param = NULL; } else { #ifdef DROPBEAR_ECDH + buffer *ecdh_qs = buf_getstringbuf(ses.payload); + kexecdh_comb_key(cli_ses.dh_param, ecdh_qs, hostkey); + buf_free(ecdh_qs); #endif } + free_kexdh_param(cli_ses.dh_param); + cli_ses.dh_param = NULL; if (buf_verify(ses.payload, hostkey, ses.hash, SHA1_HASH_SIZE) != DROPBEAR_SUCCESS) { diff --git a/common-algo.c b/common-algo.c index 87592e1..7fb1503 100644 --- a/common-algo.c +++ b/common-algo.c @@ -25,6 +25,7 @@ #include "algo.h" #include "dbutil.h" +#include "kex.h" /* This file (algo.c) organises the ciphers which can be used, and is used to * decide which ciphers/hashes/compression/signing to use during key exchange*/ @@ -212,18 +213,18 @@ algo_type sshhostkey[] = { {NULL, 0, NULL, 0, NULL} }; -static struct dropbear_kex kex_dh_group1 {dh_p_1, DH_P_1_LEN, NULL, sha1_desc }; -static struct dropbear_kex kex_dh_group14 {dh_p_14, DH_P_14_LEN, NULL, sha1_desc }; +static struct dropbear_kex kex_dh_group1 = {dh_p_1, DH_P_1_LEN, NULL, &sha1_desc }; +static struct dropbear_kex kex_dh_group14 = {dh_p_14, DH_P_14_LEN, NULL, &sha1_desc }; #ifdef DROPBEAR_ECC_DH #ifdef DROPBEAR_ECC_256 -static struct dropbear_kex kex_ecdh_secp256r1 {NULL, 0, &ecc_curve_secp256r1, sha256_desc }; +static struct dropbear_kex kex_ecdh_secp256r1 = {NULL, 0, &ecc_curve_secp256r1, &sha256_desc }; #endif #ifdef DROPBEAR_ECC_384 -static struct dropbear_kex kex_ecdh_secp384r1 {NULL, 0, &ecc_curve_secp384r1, sha384_desc }; +static struct dropbear_kex kex_ecdh_secp384r1 = {NULL, 0, &ecc_curve_secp384r1, &sha384_desc }; #endif #ifdef DROPBEAR_ECC_521 -static struct dropbear_kex kex_ecdh_secp521r1 {NULL, 0, &ecc_curve_secp521r1, sha512_desc }; +static struct dropbear_kex kex_ecdh_secp521r1 = {NULL, 0, &ecc_curve_secp521r1, &sha512_desc }; #endif #endif // DROPBEAR_ECC_DH @@ -272,10 +273,13 @@ void crypto_init() { #ifdef DROPBEAR_MD5_HMAC &md5_desc, #endif -#ifdef DROPBEAR_SHA2_256_HMAC +#ifdef DROPBEAR_SHA256 &sha256_desc, #endif -#ifdef DROPBEAR_SHA2_512_HMAC +#ifdef DROPBEAR_SHA384 + &sha384_desc, +#endif +#ifdef DROPBEAR_SHA512 &sha512_desc, #endif NULL diff --git a/common-kex.c b/common-kex.c index aa4c3a4..e241101 100644 --- a/common-kex.c +++ b/common-kex.c @@ -34,6 +34,7 @@ #include "bignum.h" #include "random.h" #include "runopts.h" +#include "ecc.h" /* diffie-hellman-group1-sha1 value for p */ const unsigned char dh_p_1[DH_P_1_LEN] = { @@ -642,6 +643,9 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them, buf_setpos(ses.kexhashbuf, 0); sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), ses.kexhashbuf->len); + + ses.hash = m_malloc(SHA1_HASH_SIZE); + } sha1_done(&hs, ses.hash); buf_burn(ses.kexhashbuf); @@ -660,8 +664,8 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them, struct kex_ecdh_param *gen_kexecdh_param() { struct kex_ecdh_param *param = m_malloc(sizeof(*param)); if (ecc_make_key_ex(NULL, dropbear_ltc_prng, - ¶m->key, ses.newkeys->algo_kex->ecc_curve) != CRYPT_OK) { - dropbear_exit("ECC error") + ¶m->key, ses.newkeys->algo_kex->ecc_curve->dp) != CRYPT_OK) { + dropbear_exit("ECC error"); } return param; } @@ -673,58 +677,45 @@ void free_kexecdh_param(struct kex_ecdh_param *param) { } void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, sign_key *hostkey) { - + const struct dropbear_kex *algo_kex = ses.newkeys->algo_kex; hash_state hs; // public keys from client and server ecc_key *Q_C, *Q_S, *Q_them; -oj // XXX load Q_them - Q_them = buf_get_ecc_key_string() + // XXX load Q_them + Q_them = buf_get_ecc_pubkey(pub_them, algo_kex->ecc_curve); - ses.dh_K = dropbear_ecc_shared_secret(); - - /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */ - if (mp_cmp(dh_pub_them, &dh_p) != MP_LT - || mp_cmp_d(dh_pub_them, 0) != MP_GT) { - dropbear_exit("Diffie-Hellman error"); - } - - /* K = e^y mod p = f^x mod p */ - ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int)); - m_mp_init(ses.dh_K); - if (mp_exptmod(dh_pub_them, ¶m->priv, &dh_p, ses.dh_K) != MP_OKAY) { - dropbear_exit("Diffie-Hellman error"); - } - - /* clear no longer needed vars */ - mp_clear_multi(&dh_p, NULL); + ses.dh_K = dropbear_ecc_shared_secret(Q_them, param->key); /* From here on, the code needs to work with the _same_ vars on each side, * not vice-versaing for client/server */ if (IS_DROPBEAR_CLIENT) { - dh_e = ¶m->pub; - dh_f = dh_pub_them; + Q_C = param->key; + Q_S = Q_them; } else { - dh_e = dh_pub_them; - dh_f = ¶m->pub; + Q_C = Q_them; + Q_S = param->key; } /* Create the remainder of the hash buffer, to generate the exchange hash */ /* K_S, the host key */ buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey); - /* e, exchange value sent by the client */ - buf_putmpint(ses.kexhashbuf, dh_e); - /* f, exchange value sent by the server */ - buf_putmpint(ses.kexhashbuf, dh_f); + /* Q_C, client's ephemeral public key octet string */ + buf_put_ecc_pubkey_string(Q_C); + /* Q_S, server's ephemeral public key octet string */ + buf_put_ecc_pubkey_string(Q_S); /* K, the shared secret */ buf_putmpint(ses.kexhashbuf, ses.dh_K); /* calculate the hash H to sign */ - sha1_init(&hs); + algo_kex->hashdesc->init(&hs); buf_setpos(ses.kexhashbuf, 0); - sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), + algo_kex->hashdesc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), ses.kexhashbuf->len); - sha1_done(&hs, ses.hash); + if (!ses.hash) { + ses.hash = m_malloc(algo_kex->hashdesc->hashsize); + } + algo_kex->hashdesc->done(&hs, ses.hash); buf_burn(ses.kexhashbuf); buf_free(ses.kexhashbuf); @@ -733,8 +724,8 @@ oj // XXX load Q_them /* first time around, we set the session_id to H */ if (ses.session_id == NULL) { /* create the session_id, this never needs freeing */ - ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE); - memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE); + ses.session_id = m_malloc(algo_kex->hashdesc->hashsize); + memcpy(ses.session_id, ses.hash, algo_kex->hashdesc->hashsize); } } diff --git a/ecc.c b/ecc.c index 0172516..8b3422c 100644 --- a/ecc.c +++ b/ecc.c @@ -1,41 +1,48 @@ #include "includes.h" #include "options.h" #include "ecc.h" +#include "dbutil.h" +#include "bignum.h" #ifdef DROPBEAR_ECC // TODO: use raw bytes for the dp rather than the hex strings in libtomcrypt's ecc.c #ifdef DROPBEAR_ECC_256 -const struct dropbear_ecc_curve ecc_curve_secp256r1 { +const struct dropbear_ecc_curve ecc_curve_secp256r1 = { .dp = <c_ecc_sets[0], - .hash_desc = sha256_desc, + .hash_desc = &sha256_desc, .name = "secp256r1" }; #endif - - #ifdef DROPBEAR_ECC_384 -const struct dropbear_ecc_curve ecc_curve_secp384r1 { +const struct dropbear_ecc_curve ecc_curve_secp384r1 = { .dp = <c_ecc_sets[1], - .hash_desc = sha384_desc, + .hash_desc = &sha384_desc, .name = "secp384r1" }; #endif - #ifdef DROPBEAR_ECC_521 -const struct dropbear_ecc_curve ecc_curve_secp521r1 { +const struct dropbear_ecc_curve ecc_curve_secp521r1 = { .dp = <c_ecc_sets[2], - .hash_desc = sha521_desc, + .hash_desc = &sha512_desc, .name = "secp521r1" }; #endif +static ecc_key * new_ecc_key(void) { + ecc_key *key = m_malloc(sizeof(*key)); + key->pubkey.x = m_malloc(sizeof(mp_int)); + key->pubkey.y = m_malloc(sizeof(mp_int)); + key->pubkey.z = m_malloc(sizeof(mp_int)); + key->k = m_malloc(sizeof(mp_init)); + m_mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL); + return key; +} void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key) { - // XXX point compression - int len = key->dp->size*2 + 1; - buf_putint(len); + unsigned long len = key->dp->size*2 + 1; + buf_putint(buf, len); int err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len); if (err != CRYPT_OK) { dropbear_exit("ECC error"); @@ -43,38 +50,93 @@ void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key) { buf_incrwritepos(buf, len); } -ecc_key * buf_get_ecc_key_string(buffer *buf, const struct dropbear_ecc_curve *curve) { +// Copied from libtomcrypt ecc_import.c (version there is static), modified +// for different mp_int pointer without LTC_SOURCE +static int ecc_is_point(ecc_key *key) +{ + mp_int *prime, *b, *t1, *t2; + int err; + + prime = m_malloc(sizeof(mp_int)); + b = m_malloc(sizeof(mp_int)); + t1 = m_malloc(sizeof(mp_int)); + t2 = m_malloc(sizeof(mp_int)); + + m_mp_init_multi(prime, b, t1, t2, NULL); + + /* load prime and b */ + if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) { goto error; } + if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) { goto error; } + + /* compute y^2 */ + if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK) { goto error; } + + /* compute x^3 */ + if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK) { goto error; } + if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK) { goto error; } + if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK) { goto error; } + + /* compute y^2 - x^3 */ + if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK) { goto error; } + + /* compute y^2 - x^3 + 3x */ + if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } + if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } + if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } + if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK) { goto error; } + while (mp_cmp_d(t1, 0) == LTC_MP_LT) { + if ((err = mp_add(t1, prime, t1)) != CRYPT_OK) { goto error; } + } + while (mp_cmp(t1, prime) != LTC_MP_LT) { + if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK) { goto error; } + } + + /* compare to b */ + if (mp_cmp(t1, b) != LTC_MP_EQ) { + err = CRYPT_INVALID_PACKET; + } else { + err = CRYPT_OK; + } + +error: + mp_clear_multi(prime, b, t1, t2, NULL); + m_free(prime); + m_free(b); + m_free(t1); + m_free(t2); + return err; +} + +ecc_key * buf_get_ecc_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve) { ecc_key *key = NULL; int ret = DROPBEAR_FAILURE; const int size = curve->dp->size; - unsigned int len = buf_get_string(buf); - unsigned char first = buf_get_char(buf); + buf_setpos(buf, 0); + unsigned int len = buf->len; + unsigned char first = buf_getbyte(buf); if (first == 2 || first == 3) { - dropbear_log("Dropbear doesn't support ECC point compression"); + dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression"); return NULL; } if (first != 4 || len != 1+2*size) { return NULL; } - key = m_malloc(sizeof(*key)); - m_mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL); + key = new_ecc_key(); - if (mp_read_unsigned_bin(&key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) { + if (mp_read_unsigned_bin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) { goto out; } buf_incrpos(buf, size); - if (mp_read_unsigned_bin(&key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) { + if (mp_read_unsigned_bin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) { goto out; } buf_incrpos(buf, size); - if (mp_set(key->pubkey.z, 1) != MP_OKAY) { - goto out; - } + mp_set(key->pubkey.z, 1); - if (is_point(key) != CRYPT_OK) { + if (ecc_is_point(key) != CRYPT_OK) { goto out; } @@ -91,7 +153,7 @@ ecc_key * buf_get_ecc_key_string(buffer *buf, const struct dropbear_ecc_curve *c out: if (ret == DROPBEAR_FAILURE) { if (key) { - mp_free_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL); + ecc_free(key); m_free(key); key = NULL; } @@ -105,9 +167,9 @@ out: // a mp_int instead. mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, ecc_key *private_key) { - ecc_point *result = NULL + ecc_point *result = NULL; mp_int *prime = NULL, *shared_secret = NULL; - int ret = DROPBEAR_FAILURE; + int err = DROPBEAR_FAILURE; /* type valid? */ if (private_key->type != PK_PRIVATE) { @@ -163,9 +225,6 @@ done: } return shared_secret; - return err; -} - } #endif diff --git a/ecc.h b/ecc.h index 019282d..d72fbb1 100644 --- a/ecc.h +++ b/ecc.h @@ -21,14 +21,11 @@ extern const struct dropbear_ecc_curve ecc_curve_secp521r1; // "pubkey" refers to a point, but LTC uses ecc_key structure for both public // and private keys void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key); -int buf_get_ecc_pubkey_string(buffer *buf, ecc_key *key); +ecc_key * buf_get_ecc_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve); int buf_get_ecc_privkey_string(buffer *buf, ecc_key *key); mp_int * dropbear_ecc_shared_secret(ecc_key *pub_key, ecc_key *priv_key); - -const ltc_ecc_set_type* get_ecc_curve(enum kex_type type); - #endif #endif // _DROPBEAR_ECC_H \ No newline at end of file diff --git a/kex.h b/kex.h index 57019ff..10b31c8 100644 --- a/kex.h +++ b/kex.h @@ -27,6 +27,7 @@ #include "includes.h" #include "algo.h" +#include "signkey.h" void send_msg_kexinit(); void recv_msg_kexinit(); @@ -74,9 +75,9 @@ struct KEXState { }; #define DH_P_1_LEN 128 -extern const const unsigned char dh_p_1[DH_P_1_LEN]; +extern const unsigned char dh_p_1[DH_P_1_LEN]; #define DH_P_14_LEN 256 -const unsigned char dh_p_14[DH_P_14_LEN] = { +extern const unsigned char dh_p_14[DH_P_14_LEN]; struct kex_dh_param { mp_int pub; diff --git a/libtomcrypt/src/headers/tomcrypt_custom.h b/libtomcrypt/src/headers/tomcrypt_custom.h index 344835f..d1d86c6 100644 --- a/libtomcrypt/src/headers/tomcrypt_custom.h +++ b/libtomcrypt/src/headers/tomcrypt_custom.h @@ -127,7 +127,9 @@ #ifdef DROPBEAR_SHA256 #define SHA256 #endif - +#ifdef DROPBEAR_SHA384 +#define SHA384 +#endif #ifdef DROPBEAR_SHA512 #define SHA512 #endif diff --git a/ltc_prng.c b/ltc_prng.c index cfd98fc..31a0658 100644 --- a/ltc_prng.c +++ b/ltc_prng.c @@ -14,6 +14,7 @@ #include "options.h" #include "includes.h" #include "random.h" +#include "ltc_prng.h" /** @file sprng.c diff --git a/ltc_prng.h b/ltc_prng.h new file mode 100644 index 0000000..d7ec904 --- /dev/null +++ b/ltc_prng.h @@ -0,0 +1,13 @@ +#ifndef _LTC_PRNG_H_DROPBEAR +#define _LTC_PRNG_H_DROPBEAR + +#include "options.h" +#include "includes.h" + +#ifdef DROPBEAR_LTC_PRNG + +extern const struct ltc_prng_descriptor dropbear_prng_desc; + +#endif // DROPBEAR_LTC_PRNG + +#endif // _LTC_PRNG_H_DROPBEAR \ No newline at end of file diff --git a/random.c b/random.c index 20095aa..8907644 100644 --- a/random.c +++ b/random.c @@ -27,6 +27,8 @@ #include "dbutil.h" #include "bignum.h" #include "random.h" +#include "ltc_prng.h" + /* this is used to generate unique output from the same hashpool */ static uint32_t counter = 0; diff --git a/session.h b/session.h index 6939536..91af1a3 100644 --- a/session.h +++ b/session.h @@ -154,10 +154,10 @@ struct sshsession { struct KEXState kexstate; struct key_context *keys; struct key_context *newkeys; - unsigned char *session_id; /* this is the hash from the first kex */ - /* The below are used temorarily during kex, are freed after use */ + buffer *session_id; /* this is the hash from the first kex */ + /* The below are used temporarily during kex, are freed after use */ mp_int * dh_K; /* SSH_MSG_KEXDH_REPLY and sending SSH_MSH_NEWKEYS */ - unsigned char hash[SHA1_HASH_SIZE]; /* the hash*/ + buffer *hash/* the session hash */ buffer* kexhashbuf; /* session hash buffer calculated from various packets*/ buffer* transkexinit; /* the kexinit packet we send should be kept so we can add it to the hash when generating keys */ diff --git a/svr-kex.c b/svr-kex.c index e30a2d4..d9106a9 100644 --- a/svr-kex.c +++ b/svr-kex.c @@ -59,6 +59,7 @@ void recv_msg_kexdh_init() { } } else { #ifdef DROPBEAR_ECDH + buffer *ecdh_qs = buf_getstringbuf(ses.payload); #endif } diff --git a/sysoptions.h b/sysoptions.h index 8fa3ff0..9b7c15a 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -93,13 +93,26 @@ #define DROPBEAR_ECC #endif - #ifdef DROPBEAR_ECC #define DROPBEAR_ECC_256 #define DROPBEAR_ECC_384 #define DROPBEAR_ECC_521 #endif +// hashes which will be linked and registered +#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) +#define DROPBEAR_SHA256 +#endif +#if defined(DROPBEAR_ECC_384) +#define DROPBEAR_SHA384 +#endif +#if defined(DROPBEAR_SHA2_512_HMAC) || defined(DROPBEAR_ECC_521) +#define DROPBEAR_SHA512 +#endif +#if defined(DROPBEAR_MD5_HMAC) +#define DROPBEAR_MD5 +#endif + // roughly 2x 521 bits #define MAX_ECC_SIZE 140 @@ -155,19 +168,6 @@ #define DROPBEAR_TWOFISH #endif -#ifdef DROPBEAR_MD5_HMAC -#define DROPBEAR_MD5 -#endif - -#ifdef DROPBEAR_SHA2_256_HMAC -#define DROPBEAR_SHA256 -#endif - -#if (defined(DROPBEAR_DSS) && defined(DSS_PROTOK)) \ - || defined(DROPBEAR_SHA2_512_HMAC) -#define DROPBEAR_SHA512 -#endif - #ifndef ENABLE_X11FWD #define DISABLE_X11FWD #endif -- cgit v1.2.1 From c56b3437098b757289eb77b3a02142d3d8fe6681 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sat, 6 Apr 2013 16:00:37 +0800 Subject: Make _sign and _verify functions take a buffer* rather than void* and int --- agentfwd.h | 2 +- buffer.c | 5 +++++ buffer.h | 1 + cli-agentfwd.c | 6 +++--- cli-authpubkey.c | 14 +++++--------- dss.c | 12 ++++-------- dss.h | 6 ++---- rsa.c | 21 +++++++-------------- rsa.h | 6 ++---- signkey.c | 24 ++++++++---------------- signkey.h | 6 ++---- 11 files changed, 40 insertions(+), 63 deletions(-) diff --git a/agentfwd.h b/agentfwd.h index e4a831c..113370c 100644 --- a/agentfwd.h +++ b/agentfwd.h @@ -40,7 +40,7 @@ /* client functions */ void cli_load_agent_keys(m_list * ret_list); void agent_buf_sign(buffer *sigblob, sign_key *key, - const unsigned char *data, unsigned int len); + buffer *data_buf); void cli_setup_agent(struct Channel *channel); #ifdef __hpux diff --git a/buffer.c b/buffer.c index 13fa1ce..d25adab 100644 --- a/buffer.c +++ b/buffer.c @@ -269,6 +269,11 @@ void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len) { } +/* puts an entire buffer as a SSH string. ignore pos of buf_str. */ +void buf_putbufstring(buffer *buf, const buffer* buf_str) { + buf_putstring(buf, buf_str->data, buf_str->len); +} + /* put the set of len bytes into the buffer, incrementing the pos, increasing * len if required */ void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) { diff --git a/buffer.h b/buffer.h index 5964370..b18ccaa 100644 --- a/buffer.h +++ b/buffer.h @@ -59,6 +59,7 @@ buffer * buf_getstringbuf(buffer *buf); void buf_eatstring(buffer *buf); void buf_putint(buffer* buf, unsigned int val); void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len); +void buf_putstringbuf(buffer *buf, const buffer* buf_str); void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len); void buf_putmpint(buffer* buf, mp_int * mp); int buf_getmpint(buffer* buf, mp_int* mp); diff --git a/cli-agentfwd.c b/cli-agentfwd.c index c661455..b7b8da3 100644 --- a/cli-agentfwd.c +++ b/cli-agentfwd.c @@ -254,7 +254,7 @@ void cli_load_agent_keys(m_list *ret_list) { } void agent_buf_sign(buffer *sigblob, sign_key *key, - const unsigned char *data, unsigned int len) { + buffer *data_buf) { buffer *request_data = NULL; buffer *response = NULL; unsigned int siglen; @@ -266,10 +266,10 @@ void agent_buf_sign(buffer *sigblob, sign_key *key, string data uint32 flags */ - request_data = buf_new(MAX_PUBKEY_SIZE + len + 12); + request_data = buf_new(MAX_PUBKEY_SIZE + data_buf>-len + 12); buf_put_pub_key(request_data, key, key->type); - buf_putstring(request_data, data, len); + buf_putbufstring(request_data, data_buf); buf_putint(request_data, 0); response = agent_request(SSH2_AGENTC_SIGN_REQUEST, request_data); diff --git a/cli-authpubkey.c b/cli-authpubkey.c index 49853ed..adcf2a8 100644 --- a/cli-authpubkey.c +++ b/cli-authpubkey.c @@ -121,23 +121,19 @@ void recv_msg_userauth_pk_ok() { } void cli_buf_put_sign(buffer* buf, sign_key *key, int type, - const unsigned char *data, unsigned int len) -{ + buffer *data_buf) { #ifdef ENABLE_CLI_AGENTFWD if (key->source == SIGNKEY_SOURCE_AGENT) { /* Format the agent signature ourselves, as buf_put_sign would. */ buffer *sigblob; sigblob = buf_new(MAX_PUBKEY_SIZE); - agent_buf_sign(sigblob, key, data, len); - buf_setpos(sigblob, 0); - buf_putstring(buf, buf_getptr(sigblob, sigblob->len), - sigblob->len); - + agent_buf_sign(sigblob, key, data_buf); + buf_putbufstring(buf, sigblob); buf_free(sigblob); } else #endif /* ENABLE_CLI_AGENTFWD */ { - buf_put_sign(buf, key, type, data, len); + buf_put_sign(buf, key, type, data_buf); } } @@ -174,7 +170,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) { /* We put the signature as well - this contains string(session id), then * the contents of the write payload to this point */ sigbuf = buf_new(4 + SHA1_HASH_SIZE + ses.writepayload->len); - buf_putstring(sigbuf, ses.session_id, SHA1_HASH_SIZE); + buf_putbufstring(sigbuf, ses.session_id); buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); cli_buf_put_sign(ses.writepayload, key, type, sigbuf->data, sigbuf->len); buf_free(sigbuf); /* Nothing confidential in the buffer */ diff --git a/dss.c b/dss.c index d984669..d19033f 100644 --- a/dss.c +++ b/dss.c @@ -161,9 +161,7 @@ void buf_put_dss_priv_key(buffer* buf, dropbear_dss_key *key) { #ifdef DROPBEAR_SIGNKEY_VERIFY /* Verify a DSS signature (in buf) made on data by the key given. * returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ -int buf_dss_verify(buffer* buf, dropbear_dss_key *key, const unsigned char* data, - unsigned int len) { - +int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf) { unsigned char msghash[SHA1_HASH_SIZE]; hash_state hs; int ret = DROPBEAR_FAILURE; @@ -187,7 +185,7 @@ int buf_dss_verify(buffer* buf, dropbear_dss_key *key, const unsigned char* data /* hash the data */ sha1_init(&hs); - sha1_process(&hs, data, len); + sha1_process(&hs, data_buf->data, data_buf->len); sha1_done(&hs, msghash); /* create the signature - s' and r' are the received signatures in buf */ @@ -260,9 +258,7 @@ out: /* Sign the data presented with key, writing the signature contents * to the buffer */ -void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, const unsigned char* data, - unsigned int len) { - +void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, buffer *data_buf) { unsigned char msghash[SHA1_HASH_SIZE]; unsigned int writelen; unsigned int i; @@ -279,7 +275,7 @@ void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, const unsigned char* d /* hash the data */ sha1_init(&hs); - sha1_process(&hs, data, len); + sha1_process(&hs, data_buf->data, data_buf->len); sha1_done(&hs, msghash); m_mp_init_multi(&dss_k, &dss_temp1, &dss_temp2, &dss_r, &dss_s, diff --git a/dss.h b/dss.h index 4331b9a..57400ad 100644 --- a/dss.h +++ b/dss.h @@ -43,11 +43,9 @@ typedef struct { } dropbear_dss_key; -void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, const unsigned char* data, - unsigned int len); +void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, buffer *data_buf); #ifdef DROPBEAR_SIGNKEY_VERIFY -int buf_dss_verify(buffer* buf, dropbear_dss_key *key, const unsigned char* data, - unsigned int len); +int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf); #endif int buf_get_dss_pub_key(buffer* buf, dropbear_dss_key *key); int buf_get_dss_priv_key(buffer* buf, dropbear_dss_key *key); diff --git a/rsa.c b/rsa.c index 91bf59d..836b9f3 100644 --- a/rsa.c +++ b/rsa.c @@ -39,8 +39,7 @@ #ifdef DROPBEAR_RSA static void rsa_pad_em(dropbear_rsa_key * key, - const unsigned char * data, unsigned int len, - mp_int * rsa_em); + buffer *data_buf, mp_int * rsa_em); /* Load a public rsa key from a buffer, initialising the values. * The key will have the same format as buf_put_rsa_key. @@ -213,9 +212,7 @@ void buf_put_rsa_priv_key(buffer* buf, dropbear_rsa_key *key) { #ifdef DROPBEAR_SIGNKEY_VERIFY /* Verify a signature in buf, made on data by the key given. * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ -int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, const unsigned char* data, - unsigned int len) { - +int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, buffer *data_buf) { unsigned int slen; DEF_MP_INT(rsa_s); DEF_MP_INT(rsa_mdash); @@ -247,7 +244,7 @@ int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, const unsigned char* dat } /* create the magic PKCS padded value */ - rsa_pad_em(key, data, len, &rsa_em); + rsa_pad_em(key, data_buf, &rsa_em); if (mp_exptmod(&rsa_s, key->e, key->n, &rsa_mdash) != MP_OKAY) { TRACE(("failed exptmod rsa_s")) @@ -270,9 +267,7 @@ out: /* Sign the data presented with key, writing the signature contents * to the buffer */ -void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, const unsigned char* data, - unsigned int len) { - +void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf) { unsigned int nsize, ssize; unsigned int i; DEF_MP_INT(rsa_s); @@ -285,7 +280,7 @@ void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, const unsigned char* d m_mp_init_multi(&rsa_s, &rsa_tmp1, &rsa_tmp2, &rsa_tmp3, NULL); - rsa_pad_em(key, data, len, &rsa_tmp1); + rsa_pad_em(key, data_buf, &rsa_tmp1); /* the actual signing of the padded data */ @@ -377,8 +372,7 @@ void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, const unsigned char* d * rsa_em must be a pointer to an initialised mp_int. */ static void rsa_pad_em(dropbear_rsa_key * key, - const unsigned char * data, unsigned int len, - mp_int * rsa_em) { + buffer *data_buf, mp_int * rsa_em) { /* ASN1 designator (including the 0x00 preceding) */ const unsigned char rsa_asn1_magic[] = @@ -391,7 +385,6 @@ static void rsa_pad_em(dropbear_rsa_key * key, unsigned int nsize; dropbear_assert(key != NULL); - dropbear_assert(data != NULL); nsize = mp_unsigned_bin_size(key->n); rsa_EM = buf_new(nsize-1); @@ -408,7 +401,7 @@ static void rsa_pad_em(dropbear_rsa_key * key, /* The hash of the data */ sha1_init(&hs); - sha1_process(&hs, data, len); + sha1_process(&hs, data_buf->data, data_buf->len); sha1_done(&hs, buf_getwriteptr(rsa_EM, SHA1_HASH_SIZE)); buf_incrwritepos(rsa_EM, SHA1_HASH_SIZE); diff --git a/rsa.h b/rsa.h index 716a152..7c99282 100644 --- a/rsa.h +++ b/rsa.h @@ -43,11 +43,9 @@ typedef struct { } dropbear_rsa_key; -void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, const unsigned char* data, - unsigned int len); +void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf); #ifdef DROPBEAR_SIGNKEY_VERIFY -int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, const unsigned char* data, - unsigned int len); +int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, buffer *data_buf); #endif int buf_get_rsa_pub_key(buffer* buf, dropbear_rsa_key *key); int buf_get_rsa_priv_key(buffer* buf, dropbear_rsa_key *key); diff --git a/signkey.c b/signkey.c index 1d908f4..c130adb 100644 --- a/signkey.c +++ b/signkey.c @@ -218,10 +218,7 @@ void buf_put_pub_key(buffer* buf, sign_key *key, int type) { dropbear_exit("Bad key types in buf_put_pub_key"); } - buf_setpos(pubkeys, 0); - buf_putstring(buf, buf_getptr(pubkeys, pubkeys->len), - pubkeys->len); - + buf_putbufstring(buf, pubkeys); buf_free(pubkeys); TRACE(("leave buf_put_pub_key")) } @@ -364,28 +361,24 @@ char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen) { } void buf_put_sign(buffer* buf, sign_key *key, int type, - const unsigned char *data, unsigned int len) { - + buffer *data_buf) { buffer *sigblob; sigblob = buf_new(MAX_PUBKEY_SIZE); #ifdef DROPBEAR_DSS if (type == DROPBEAR_SIGNKEY_DSS) { - buf_put_dss_sign(sigblob, key->dsskey, data, len); + buf_put_dss_sign(sigblob, key->dsskey, data_buf); } #endif #ifdef DROPBEAR_RSA if (type == DROPBEAR_SIGNKEY_RSA) { - buf_put_rsa_sign(sigblob, key->rsakey, data, len); + buf_put_rsa_sign(sigblob, key->rsakey, data_buf); } #endif if (sigblob->len == 0) { dropbear_exit("Non-matching signing type"); } - buf_setpos(sigblob, 0); - buf_putstring(buf, buf_getptr(sigblob, sigblob->len), - sigblob->len); - + buf_putbufstring(buf, sigblob); buf_free(sigblob); } @@ -395,8 +388,7 @@ void buf_put_sign(buffer* buf, sign_key *key, int type, * If FAILURE is returned, the position of * buf is undefined. If SUCCESS is returned, buf will be positioned after the * signature blob */ -int buf_verify(buffer * buf, sign_key *key, const unsigned char *data, - unsigned int len) { +int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) { unsigned int bloblen; unsigned char * ident = NULL; @@ -414,7 +406,7 @@ int buf_verify(buffer * buf, sign_key *key, const unsigned char *data, if (key->dsskey == NULL) { dropbear_exit("No DSS key to verify signature"); } - return buf_dss_verify(buf, key->dsskey, data, len); + return buf_dss_verify(buf, key->dsskey, data_buf); } #endif @@ -424,7 +416,7 @@ int buf_verify(buffer * buf, sign_key *key, const unsigned char *data, if (key->rsakey == NULL) { dropbear_exit("No RSA key to verify signature"); } - return buf_rsa_verify(buf, key->rsakey, data, len); + return buf_rsa_verify(buf, key->rsakey, data_buf); } #endif diff --git a/signkey.h b/signkey.h index 7e4a149..e4dd7ce 100644 --- a/signkey.h +++ b/signkey.h @@ -63,11 +63,9 @@ int buf_get_priv_key(buffer* buf, sign_key *key, int *type); void buf_put_pub_key(buffer* buf, sign_key *key, int type); void buf_put_priv_key(buffer* buf, sign_key *key, int type); void sign_key_free(sign_key *key); -void buf_put_sign(buffer* buf, sign_key *key, int type, - const unsigned char *data, unsigned int len); +void buf_put_sign(buffer* buf, sign_key *key, int type, buffer *data_buf); #ifdef DROPBEAR_SIGNKEY_VERIFY -int buf_verify(buffer * buf, sign_key *key, const unsigned char *data, - unsigned int len); +int buf_verify(buffer * buf, sign_key *key, buffer *data_buf); char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen); #endif int cmp_base64_key(const unsigned char* keyblob, unsigned int keybloblen, -- cgit v1.2.1 From cb5ab7d220319bf69068e3f8ac8c6285b949e681 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sun, 7 Apr 2013 01:36:42 +0800 Subject: ecc kind of works, needs fixing/testing --- Makefile.in | 8 +-- algo.h | 3 +- buffer.h | 2 +- cli-agentfwd.c | 2 +- cli-authpubkey.c | 2 +- cli-chansession.c | 2 +- cli-kex.c | 6 +- common-algo.c | 40 +++++++++---- common-kex.c | 66 ++++++++++------------ common-session.c | 13 ++++- debug.h | 4 +- ecc.c | 3 +- libtomcrypt/Makefile.in | 50 +++++++++++++++- libtomcrypt/src/headers/tomcrypt.h | 2 +- libtomcrypt/src/headers/tomcrypt_custom.h | 2 + libtomcrypt/src/headers/tomcrypt_math.h | 6 -- .../src/misc/crypt/crypt_ltc_mp_descriptor.c | 2 +- libtomcrypt/src/pk/ecc/ecc_decrypt_key.c | 2 +- libtomcrypt/src/pk/ecc/ecc_encrypt_key.c | 2 +- libtomcrypt/src/pk/ecc/ecc_export.c | 2 +- libtomcrypt/src/pk/ecc/ecc_import.c | 2 +- libtomcrypt/src/pk/ecc/ecc_sign_hash.c | 2 +- libtomcrypt/src/pk/ecc/ecc_verify_hash.c | 2 +- ltc_prng.c | 16 +++--- options.h | 8 +-- random.c | 10 ---- random.h | 2 - session.h | 2 +- svr-auth.c | 10 ++-- svr-authpubkey.c | 5 +- svr-kex.c | 8 +-- sysoptions.h | 8 +-- 32 files changed, 174 insertions(+), 120 deletions(-) diff --git a/Makefile.in b/Makefile.in index eef6fbe..f456a72 100644 --- a/Makefile.in +++ b/Makefile.in @@ -17,9 +17,9 @@ LTC=libtomcrypt/libtomcrypt.a LTM=libtommath/libtommath.a ifeq (@BUNDLED_LIBTOM@, 1) -LIBTOM_DEPS=$(LTC) $(LTM) -CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/ -LIBS+=$(LTC) $(LTM) +LIBTOM_DEPS=$(LTM) $(LTC) +CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/ +LIBS+=$(LTM) $(LTC) endif COMMONOBJS=dbutil.o buffer.o \ @@ -185,7 +185,7 @@ link%: -ln -s dropbearmulti$(EXEEXT) $*$(EXEEXT) $(LTC): options.h - cd libtomcrypt && $(MAKE) clean && $(MAKE) + cd libtomcrypt && $(MAKE) $(LTM): options.h cd libtommath && $(MAKE) diff --git a/algo.h b/algo.h index bda03dc..500c449 100644 --- a/algo.h +++ b/algo.h @@ -36,7 +36,7 @@ struct Algo_Type { const unsigned char *name; /* identifying name */ - const char val; /* a value for this cipher, or -1 for invalid */ + char val; /* a value for this cipher, or -1 for invalid */ const void *data; /* algorithm specific data */ char usable; /* whether we can use this algorithm */ const void *mode; /* the mode, currently only used for ciphers, @@ -120,5 +120,6 @@ enum { DROPBEAR_COMP_ZLIB_DELAY, }; +extern int dropbear_ltc_prng; #endif /* _ALGO_H_ */ diff --git a/buffer.h b/buffer.h index b18ccaa..1d83f8e 100644 --- a/buffer.h +++ b/buffer.h @@ -59,7 +59,7 @@ buffer * buf_getstringbuf(buffer *buf); void buf_eatstring(buffer *buf); void buf_putint(buffer* buf, unsigned int val); void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len); -void buf_putstringbuf(buffer *buf, const buffer* buf_str); +void buf_putbufstring(buffer *buf, const buffer* buf_str); void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len); void buf_putmpint(buffer* buf, mp_int * mp); int buf_getmpint(buffer* buf, mp_int* mp); diff --git a/cli-agentfwd.c b/cli-agentfwd.c index b7b8da3..ba07f54 100644 --- a/cli-agentfwd.c +++ b/cli-agentfwd.c @@ -266,7 +266,7 @@ void agent_buf_sign(buffer *sigblob, sign_key *key, string data uint32 flags */ - request_data = buf_new(MAX_PUBKEY_SIZE + data_buf>-len + 12); + request_data = buf_new(MAX_PUBKEY_SIZE + data_buf->len + 12); buf_put_pub_key(request_data, key, key->type); buf_putbufstring(request_data, data_buf); diff --git a/cli-authpubkey.c b/cli-authpubkey.c index adcf2a8..96eee05 100644 --- a/cli-authpubkey.c +++ b/cli-authpubkey.c @@ -172,7 +172,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) { sigbuf = buf_new(4 + SHA1_HASH_SIZE + ses.writepayload->len); buf_putbufstring(sigbuf, ses.session_id); buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); - cli_buf_put_sign(ses.writepayload, key, type, sigbuf->data, sigbuf->len); + cli_buf_put_sign(ses.writepayload, key, type, sigbuf); buf_free(sigbuf); /* Nothing confidential in the buffer */ } diff --git a/cli-chansession.c b/cli-chansession.c index 65d1f4f..d3b14bb 100644 --- a/cli-chansession.c +++ b/cli-chansession.c @@ -455,7 +455,7 @@ do_escape(unsigned char c) { } static -void cli_escape_handler(struct Channel *channel, unsigned char* buf, int *len) { +void cli_escape_handler(struct Channel* UNUSED(channel), unsigned char* buf, int *len) { char c; int skip_char = 0; diff --git a/cli-kex.c b/cli-kex.c index d6ebaf9..23b7308 100644 --- a/cli-kex.c +++ b/cli-kex.c @@ -36,6 +36,7 @@ #include "random.h" #include "runopts.h" #include "signkey.h" +#include "ecc.h" static void checkhostkey(unsigned char* keyblob, unsigned int keybloblen); @@ -50,6 +51,7 @@ void send_msg_kexdh_init() { } else { #ifdef DROPBEAR_ECDH cli_ses.ecdh_param = gen_kexecdh_param(); + buf_put_ecc_pubkey_string(ses.writepayload, &cli_ses.ecdh_param->key); #endif } encrypt_packet(); @@ -99,14 +101,14 @@ void recv_msg_kexdh_reply() { } else { #ifdef DROPBEAR_ECDH buffer *ecdh_qs = buf_getstringbuf(ses.payload); - kexecdh_comb_key(cli_ses.dh_param, ecdh_qs, hostkey); + kexecdh_comb_key(cli_ses.ecdh_param, ecdh_qs, hostkey); buf_free(ecdh_qs); #endif } free_kexdh_param(cli_ses.dh_param); cli_ses.dh_param = NULL; - if (buf_verify(ses.payload, hostkey, ses.hash, SHA1_HASH_SIZE) + if (buf_verify(ses.payload, hostkey, ses.hash) != DROPBEAR_SUCCESS) { dropbear_exit("Bad hostkey signature"); } diff --git a/common-algo.c b/common-algo.c index 7fb1503..04bbd51 100644 --- a/common-algo.c +++ b/common-algo.c @@ -23,24 +23,33 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ +#include "includes.h" #include "algo.h" #include "dbutil.h" #include "kex.h" +#include "ltc_prng.h" +#include "ecc.h" /* This file (algo.c) organises the ciphers which can be used, and is used to * decide which ciphers/hashes/compression/signing to use during key exchange*/ +#ifdef DROPBEAR_LTC_PRNG + int dropbear_ltc_prng = -1; +#endif + + + static int void_cipher(const unsigned char* in, unsigned char* out, - unsigned long len, void *cipher_state) { + unsigned long len, void* UNUSED(cipher_state)) { if (in != out) { memmove(out, in, len); } return CRYPT_OK; } -static int void_start(int cipher, const unsigned char *IV, - const unsigned char *key, - int keylen, int num_rounds, void *cipher_state) { +static int void_start(int UNUSED(cipher), const unsigned char* UNUSED(IV), + const unsigned char* UNUSED(key), + int UNUSED(keylen), int UNUSED(num_rounds), void* UNUSED(cipher_state)) { return CRYPT_OK; } @@ -216,7 +225,7 @@ algo_type sshhostkey[] = { static struct dropbear_kex kex_dh_group1 = {dh_p_1, DH_P_1_LEN, NULL, &sha1_desc }; static struct dropbear_kex kex_dh_group14 = {dh_p_14, DH_P_14_LEN, NULL, &sha1_desc }; -#ifdef DROPBEAR_ECC_DH +#ifdef DROPBEAR_ECDH #ifdef DROPBEAR_ECC_256 static struct dropbear_kex kex_ecdh_secp256r1 = {NULL, 0, &ecc_curve_secp256r1, &sha256_desc }; #endif @@ -226,19 +235,19 @@ static struct dropbear_kex kex_ecdh_secp384r1 = {NULL, 0, &ecc_curve_secp384r1, #ifdef DROPBEAR_ECC_521 static struct dropbear_kex kex_ecdh_secp521r1 = {NULL, 0, &ecc_curve_secp521r1, &sha512_desc }; #endif -#endif // DROPBEAR_ECC_DH +#endif // DROPBEAR_ECDH algo_type sshkex[] = { -#ifdef DROPBEAR_ECC_DH +#ifdef DROPBEAR_ECDH #ifdef DROPBEAR_ECC_256 - {"ecdh-sha2-secp256r1", 0, &kex_ecdh_descp256r1, 1, NULL}, + {"ecdh-sha2-secp256r1", 0, &kex_ecdh_secp256r1, 1, NULL}, #endif #ifdef DROPBEAR_ECC_384 - {"ecdh-sha2-secp384r1", 0, &kex_ecdh_descp384r1, 1, NULL}, + {"ecdh-sha2-secp384r1", 0, &kex_ecdh_secp384r1, 1, NULL}, #endif #ifdef DROPBEAR_ECC_521 - {"ecdh-sha2-secp521r1", 0, &kex_ecdh_descp521r1, 1, NULL}, + {"ecdh-sha2-secp521r1", 0, &kex_ecdh_secp521r1, 1, NULL}, #endif #endif {"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL}, @@ -297,6 +306,17 @@ void crypto_init() { dropbear_exit("Error registering crypto"); } } + +#ifdef DROPBEAR_LTC_PRNG + dropbear_ltc_prng = register_prng(&dropbear_prng_desc); + if (dropbear_ltc_prng == -1) { + dropbear_exit("Error registering crypto"); + } +#endif + +#ifdef DROPBEAR_ECC + ltc_mp = ltm_desc; +#endif } /* algolen specifies the length of algo, algos is our local list to match diff --git a/common-kex.c b/common-kex.c index e241101..48569fe 100644 --- a/common-kex.c +++ b/common-kex.c @@ -87,6 +87,7 @@ static void read_kex_algos(); /* helper function for gen_new_keys */ static void hashkeys(unsigned char *out, int outlen, const hash_state * hs, unsigned const char X); +static void finish_kexhashbuf(void); /* Send our list of algorithms we can use */ @@ -258,7 +259,7 @@ static void hashkeys(unsigned char *out, int outlen, memcpy(&hs2, hs, sizeof(hash_state)); sha1_process(&hs2, &X, 1); - sha1_process(&hs2, ses.session_id, SHA1_HASH_SIZE); + sha1_process(&hs2, ses.session_id->data, ses.session_id->len); sha1_done(&hs2, out); for (offset = SHA1_HASH_SIZE; offset < outlen; @@ -301,8 +302,10 @@ void gen_new_keys() { sha1_process_mp(&hs, ses.dh_K); mp_clear(ses.dh_K); m_free(ses.dh_K); - sha1_process(&hs, ses.hash, SHA1_HASH_SIZE); - m_burn(ses.hash, SHA1_HASH_SIZE); + sha1_process(&hs, ses.hash->data, ses.hash->len); + buf_burn(ses.hash); + buf_free(ses.hash); + ses.hash = NULL; if (IS_DROPBEAR_CLIENT) { trans_IV = C2S_IV; @@ -596,8 +599,6 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them, mp_int dh_p; mp_int *dh_e = NULL, *dh_f = NULL; - hash_state hs; - /* read the prime and generator*/ m_mp_init(&dh_p); load_dh_p(&dh_p); @@ -639,25 +640,7 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them, buf_putmpint(ses.kexhashbuf, ses.dh_K); /* calculate the hash H to sign */ - sha1_init(&hs); - buf_setpos(ses.kexhashbuf, 0); - sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), - ses.kexhashbuf->len); - - ses.hash = m_malloc(SHA1_HASH_SIZE); - } - sha1_done(&hs, ses.hash); - - buf_burn(ses.kexhashbuf); - buf_free(ses.kexhashbuf); - ses.kexhashbuf = NULL; - - /* first time around, we set the session_id to H */ - if (ses.session_id == NULL) { - /* create the session_id, this never needs freeing */ - ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE); - memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE); - } + finish_kexhashbuf(); } #ifdef DROPBEAR_ECDH @@ -685,25 +668,25 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, // XXX load Q_them Q_them = buf_get_ecc_pubkey(pub_them, algo_kex->ecc_curve); - ses.dh_K = dropbear_ecc_shared_secret(Q_them, param->key); + ses.dh_K = dropbear_ecc_shared_secret(Q_them, ¶m->key); /* From here on, the code needs to work with the _same_ vars on each side, * not vice-versaing for client/server */ if (IS_DROPBEAR_CLIENT) { - Q_C = param->key; + Q_C = ¶m->key; Q_S = Q_them; } else { Q_C = Q_them; - Q_S = param->key; + Q_S = ¶m->key; } /* Create the remainder of the hash buffer, to generate the exchange hash */ /* K_S, the host key */ buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey); /* Q_C, client's ephemeral public key octet string */ - buf_put_ecc_pubkey_string(Q_C); + buf_put_ecc_pubkey_string(ses.kexhashbuf, Q_C); /* Q_S, server's ephemeral public key octet string */ - buf_put_ecc_pubkey_string(Q_S); + buf_put_ecc_pubkey_string(ses.kexhashbuf, Q_S); /* K, the shared secret */ buf_putmpint(ses.kexhashbuf, ses.dh_K); @@ -712,10 +695,23 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, buf_setpos(ses.kexhashbuf, 0); algo_kex->hashdesc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), ses.kexhashbuf->len); - if (!ses.hash) { - ses.hash = m_malloc(algo_kex->hashdesc->hashsize); - } - algo_kex->hashdesc->done(&hs, ses.hash); + + /* calculate the hash H to sign */ + finish_kexhashbuf(); +} +#endif + +static void finish_kexhashbuf(void) { + hash_state hs; + const struct ltc_hash_descriptor *hashdesc = ses.newkeys->algo_kex->hashdesc; + + hashdesc->init(&hs); + buf_setpos(ses.kexhashbuf, 0); + hashdesc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), + ses.kexhashbuf->len); + ses.hash = buf_new(hashdesc->hashsize); + hashdesc->done(&hs, buf_getwriteptr(ses.hash, hashdesc->hashsize)); + buf_setlen(ses.hash, hashdesc->hashsize); buf_burn(ses.kexhashbuf); buf_free(ses.kexhashbuf); @@ -724,12 +720,10 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, /* first time around, we set the session_id to H */ if (ses.session_id == NULL) { /* create the session_id, this never needs freeing */ - ses.session_id = m_malloc(algo_kex->hashdesc->hashsize); - memcpy(ses.session_id, ses.hash, algo_kex->hashdesc->hashsize); + ses.session_id = buf_newcopy(ses.hash); } } -#endif /* read the other side's algo list. buf_match_algo is a callback to match * algos for the client or server. */ diff --git a/common-session.c b/common-session.c index f4fa579..ef8e6fa 100644 --- a/common-session.c +++ b/common-session.c @@ -103,7 +103,7 @@ void common_session_init(int sock_in, int sock_out) { ses.keys->recv.algo_mac = &dropbear_nohash; ses.keys->trans.algo_mac = &dropbear_nohash; - ses.keys->algo_kex = -1; + ses.keys->algo_kex = NULL; ses.keys->algo_hostkey = -1; ses.keys->recv.algo_comp = DROPBEAR_COMP_NONE; ses.keys->trans.algo_comp = DROPBEAR_COMP_NONE; @@ -235,7 +235,16 @@ void common_session_cleanup() { return; } - m_free(ses.session_id); + if (ses.session_id) { + buf_burn(ses.session_id); + buf_free(ses.session_id); + ses.session_id = NULL; + } + if (ses.hash) { + buf_burn(ses.hash); + buf_free(ses.hash); + ses.hash = NULL; + } m_burn(ses.keys, sizeof(struct key_context)); m_free(ses.keys); diff --git a/debug.h b/debug.h index b20e685..02c100f 100644 --- a/debug.h +++ b/debug.h @@ -39,7 +39,7 @@ * Caution: Don't use this in an unfriendly environment (ie unfirewalled), * since the printing may not sanitise strings etc. This will add a reasonable * amount to your executable size. */ -/*#define DEBUG_TRACE */ +#define DEBUG_TRACE /* All functions writing to the cleartext payload buffer call * CHECKCLEARTOWRITE() before writing. This is only really useful if you're @@ -69,7 +69,7 @@ /* To debug with GDB it is easier to run with no forking of child processes. You will need to pass "-F" as well. */ -/* #define DEBUG_NOFORK */ +#define DEBUG_NOFORK /* For testing as non-root on shadowed systems, include the crypt of a password diff --git a/ecc.c b/ecc.c index 8b3422c..0f988ac 100644 --- a/ecc.c +++ b/ecc.c @@ -110,7 +110,7 @@ error: ecc_key * buf_get_ecc_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve) { ecc_key *key = NULL; int ret = DROPBEAR_FAILURE; - const int size = curve->dp->size; + const unsigned int size = curve->dp->size; buf_setpos(buf, 0); unsigned int len = buf->len; unsigned char first = buf_getbyte(buf); @@ -123,6 +123,7 @@ ecc_key * buf_get_ecc_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve } key = new_ecc_key(); + key->dp = curve->dp; if (mp_read_unsigned_bin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) { goto out; diff --git a/libtomcrypt/Makefile.in b/libtomcrypt/Makefile.in index 14bce99..3056ef0 100644 --- a/libtomcrypt/Makefile.in +++ b/libtomcrypt/Makefile.in @@ -19,7 +19,7 @@ srcdir=@srcdir@ # Compilation flags. Note the += does not write over the user's CFLAGS! # The rest of the flags come from the parent Dropbear makefile -CFLAGS += -c -I$(srcdir)/src/headers/ -I$(srcdir)/../ -DLTC_SOURCE +CFLAGS += -c -I$(srcdir)/src/headers/ -I$(srcdir)/../ -DLTC_SOURCE -I$(srcdir)/../libtommath/ # additional warnings (newer GCC 3.4 and higher) ifdef GCC_34 @@ -157,7 +157,53 @@ src/modes/lrw/lrw_decrypt.o src/modes/lrw/lrw_done.o src/modes/lrw/lrw_encrypt.o src/modes/lrw/lrw_getiv.o src/modes/lrw/lrw_process.o src/modes/lrw/lrw_setiv.o \ src/modes/lrw/lrw_start.o src/modes/lrw/lrw_test.o src/modes/ofb/ofb_decrypt.o src/modes/ofb/ofb_done.o \ src/modes/ofb/ofb_encrypt.o src/modes/ofb/ofb_getiv.o src/modes/ofb/ofb_setiv.o \ -src/modes/ofb/ofb_start.o +src/modes/ofb/ofb_start.o src/pk/asn1/der/bit/der_decode_bit_string.o \ +src/pk/asn1/der/bit/der_encode_bit_string.o src/pk/asn1/der/bit/der_length_bit_string.o \ +src/pk/asn1/der/boolean/der_decode_boolean.o src/pk/asn1/der/boolean/der_encode_boolean.o \ +src/pk/asn1/der/boolean/der_length_boolean.o src/pk/asn1/der/choice/der_decode_choice.o \ +src/pk/asn1/der/ia5/der_decode_ia5_string.o src/pk/asn1/der/ia5/der_encode_ia5_string.o \ +src/pk/asn1/der/ia5/der_length_ia5_string.o src/pk/asn1/der/integer/der_decode_integer.o \ +src/pk/asn1/der/integer/der_encode_integer.o src/pk/asn1/der/integer/der_length_integer.o \ +src/pk/asn1/der/object_identifier/der_decode_object_identifier.o \ +src/pk/asn1/der/object_identifier/der_encode_object_identifier.o \ +src/pk/asn1/der/object_identifier/der_length_object_identifier.o \ +src/pk/asn1/der/octet/der_decode_octet_string.o src/pk/asn1/der/octet/der_encode_octet_string.o \ +src/pk/asn1/der/octet/der_length_octet_string.o \ +src/pk/asn1/der/printable_string/der_decode_printable_string.o \ +src/pk/asn1/der/printable_string/der_encode_printable_string.o \ +src/pk/asn1/der/printable_string/der_length_printable_string.o \ +src/pk/asn1/der/sequence/der_decode_sequence_ex.o \ +src/pk/asn1/der/sequence/der_decode_sequence_flexi.o \ +src/pk/asn1/der/sequence/der_decode_sequence_multi.o \ +src/pk/asn1/der/sequence/der_encode_sequence_ex.o \ +src/pk/asn1/der/sequence/der_encode_sequence_multi.o src/pk/asn1/der/sequence/der_length_sequence.o \ +src/pk/asn1/der/sequence/der_sequence_free.o src/pk/asn1/der/set/der_encode_set.o \ +src/pk/asn1/der/set/der_encode_setof.o src/pk/asn1/der/short_integer/der_decode_short_integer.o \ +src/pk/asn1/der/short_integer/der_encode_short_integer.o \ +src/pk/asn1/der/short_integer/der_length_short_integer.o src/pk/asn1/der/utctime/der_decode_utctime.o \ +src/pk/asn1/der/utctime/der_encode_utctime.o src/pk/asn1/der/utctime/der_length_utctime.o \ +src/pk/asn1/der/utf8/der_decode_utf8_string.o src/pk/asn1/der/utf8/der_encode_utf8_string.o \ +src/pk/asn1/der/utf8/der_length_utf8_string.o src/pk/dsa/dsa_decrypt_key.o \ +src/pk/dsa/dsa_encrypt_key.o src/pk/dsa/dsa_export.o src/pk/dsa/dsa_free.o src/pk/dsa/dsa_import.o \ +src/pk/dsa/dsa_make_key.o src/pk/dsa/dsa_shared_secret.o src/pk/dsa/dsa_sign_hash.o \ +src/pk/dsa/dsa_verify_hash.o src/pk/dsa/dsa_verify_key.o src/pk/ecc/ecc.o \ +src/pk/ecc/ecc_ansi_x963_export.o src/pk/ecc/ecc_ansi_x963_import.o src/pk/ecc/ecc_decrypt_key.o \ +src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_size.o \ +src/pk/ecc/ecc_import.o src/pk/ecc/ecc_make_key.o src/pk/ecc/ecc_shared_secret.o \ +src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_test.o src/pk/ecc/ecc_verify_hash.o \ +src/pk/ecc/ltc_ecc_is_valid_idx.o src/pk/ecc/ltc_ecc_map.o src/pk/ecc/ltc_ecc_mul2add.o \ +src/pk/ecc/ltc_ecc_mulmod.o src/pk/ecc/ltc_ecc_mulmod_timing.o src/pk/ecc/ltc_ecc_points.o \ +src/pk/ecc/ltc_ecc_projective_add_point.o src/pk/ecc/ltc_ecc_projective_dbl_point.o \ +src/pk/katja/katja_decrypt_key.o src/pk/katja/katja_encrypt_key.o src/pk/katja/katja_export.o \ +src/pk/katja/katja_exptmod.o src/pk/katja/katja_free.o src/pk/katja/katja_import.o \ +src/pk/katja/katja_make_key.o src/pk/pkcs1/pkcs_1_i2osp.o src/pk/pkcs1/pkcs_1_mgf1.o \ +src/pk/pkcs1/pkcs_1_oaep_decode.o src/pk/pkcs1/pkcs_1_oaep_encode.o src/pk/pkcs1/pkcs_1_os2ip.o \ +src/pk/pkcs1/pkcs_1_pss_decode.o src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/pkcs1/pkcs_1_v1_5_decode.o \ +src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_encrypt_key.o \ +src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_import.o \ +src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o \ +src/prngs/rc4.o src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o \ +src/prngs/sprng.o src/prngs/yarrow.o HEADERS=src/headers/tomcrypt_cfg.h src/headers/tomcrypt_mac.h src/headers/tomcrypt_macros.h \ src/headers/tomcrypt_custom.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cipher.h \ diff --git a/libtomcrypt/src/headers/tomcrypt.h b/libtomcrypt/src/headers/tomcrypt.h index 15ccd04..ba9f181 100644 --- a/libtomcrypt/src/headers/tomcrypt.h +++ b/libtomcrypt/src/headers/tomcrypt.h @@ -24,7 +24,7 @@ extern "C" { /* descriptor table size */ /* Dropbear change - this should be smaller, saves some size */ -#define TAB_SIZE 4 +#define TAB_SIZE 5 /* error codes [will be expanded in future releases] */ enum { diff --git a/libtomcrypt/src/headers/tomcrypt_custom.h b/libtomcrypt/src/headers/tomcrypt_custom.h index d1d86c6..91a2ccb 100644 --- a/libtomcrypt/src/headers/tomcrypt_custom.h +++ b/libtomcrypt/src/headers/tomcrypt_custom.h @@ -138,6 +138,8 @@ #ifdef DROPBEAR_ECC #define MECC +#define MPI +#define LTM_DESC #ifdef DROPBEAR_ECC_256 #define ECC256 #endif diff --git a/libtomcrypt/src/headers/tomcrypt_math.h b/libtomcrypt/src/headers/tomcrypt_math.h index 8bf544f..c996e41 100644 --- a/libtomcrypt/src/headers/tomcrypt_math.h +++ b/libtomcrypt/src/headers/tomcrypt_math.h @@ -11,12 +11,9 @@ typedef void ecc_point; #endif -/* Dropbear has its own rsa_key. We just comment this out. */ -#if 0 #ifndef MRSA typedef void rsa_key; #endif -#endif /** math descriptor */ typedef struct { @@ -389,8 +386,6 @@ typedef struct { ecc_point *C, void *modulus); -/* Dropbear has its own rsa code */ -#if 0 /* ---- (optional) rsa optimized math (for internal CRT) ---- */ /** RSA Key Generation @@ -416,7 +411,6 @@ typedef struct { int (*rsa_me)(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen, int which, rsa_key *key); -#endif } ltc_math_descriptor; extern ltc_math_descriptor ltc_mp; diff --git a/libtomcrypt/src/misc/crypt/crypt_ltc_mp_descriptor.c b/libtomcrypt/src/misc/crypt/crypt_ltc_mp_descriptor.c index 907862f..e042910 100644 --- a/libtomcrypt/src/misc/crypt/crypt_ltc_mp_descriptor.c +++ b/libtomcrypt/src/misc/crypt/crypt_ltc_mp_descriptor.c @@ -10,4 +10,4 @@ */ #include "tomcrypt.h" -ltc_math_descriptor ltc_mp; +ltc_math_descriptor ltc_mp = {0}; diff --git a/libtomcrypt/src/pk/ecc/ecc_decrypt_key.c b/libtomcrypt/src/pk/ecc/ecc_decrypt_key.c index bb56208..97039d0 100644 --- a/libtomcrypt/src/pk/ecc/ecc_decrypt_key.c +++ b/libtomcrypt/src/pk/ecc/ecc_decrypt_key.c @@ -21,7 +21,7 @@ ECC Crypto, Tom St Denis */ -#ifdef MECC +#if defined(MECC) && defined(LTC_DER) /** Decrypt an ECC encrypted key diff --git a/libtomcrypt/src/pk/ecc/ecc_encrypt_key.c b/libtomcrypt/src/pk/ecc/ecc_encrypt_key.c index dd9bab0..d11ffe4 100644 --- a/libtomcrypt/src/pk/ecc/ecc_encrypt_key.c +++ b/libtomcrypt/src/pk/ecc/ecc_encrypt_key.c @@ -21,7 +21,7 @@ ECC Crypto, Tom St Denis */ -#ifdef MECC +#if defined(MECC) && defined(LTC_DER) /** Encrypt a symmetric key with ECC diff --git a/libtomcrypt/src/pk/ecc/ecc_export.c b/libtomcrypt/src/pk/ecc/ecc_export.c index 1919849..08c8d31 100644 --- a/libtomcrypt/src/pk/ecc/ecc_export.c +++ b/libtomcrypt/src/pk/ecc/ecc_export.c @@ -21,7 +21,7 @@ ECC Crypto, Tom St Denis */ -#ifdef MECC +#if defined(MECC) && defined(LTC_DER) /** Export an ECC key as a binary packet diff --git a/libtomcrypt/src/pk/ecc/ecc_import.c b/libtomcrypt/src/pk/ecc/ecc_import.c index 4adb28e..97eaa7d 100644 --- a/libtomcrypt/src/pk/ecc/ecc_import.c +++ b/libtomcrypt/src/pk/ecc/ecc_import.c @@ -21,7 +21,7 @@ ECC Crypto, Tom St Denis */ -#ifdef MECC +#if defined(MECC) && defined(LTC_DER) static int is_point(ecc_key *key) { diff --git a/libtomcrypt/src/pk/ecc/ecc_sign_hash.c b/libtomcrypt/src/pk/ecc/ecc_sign_hash.c index 44f949e..34c5893 100644 --- a/libtomcrypt/src/pk/ecc/ecc_sign_hash.c +++ b/libtomcrypt/src/pk/ecc/ecc_sign_hash.c @@ -21,7 +21,7 @@ ECC Crypto, Tom St Denis */ -#ifdef MECC +#if defined(MECC) && defined(LTC_DER) /** Sign a message digest diff --git a/libtomcrypt/src/pk/ecc/ecc_verify_hash.c b/libtomcrypt/src/pk/ecc/ecc_verify_hash.c index bd8a840..65a96e6 100644 --- a/libtomcrypt/src/pk/ecc/ecc_verify_hash.c +++ b/libtomcrypt/src/pk/ecc/ecc_verify_hash.c @@ -21,7 +21,7 @@ ECC Crypto, Tom St Denis */ -#ifdef MECC +#if defined(MECC) && defined(LTC_DER) /* verify * diff --git a/ltc_prng.c b/ltc_prng.c index 31a0658..11e95d6 100644 --- a/ltc_prng.c +++ b/ltc_prng.c @@ -33,7 +33,7 @@ @param prng [out] The PRNG state to initialize @return CRYPT_OK if successful */ -int dropbear_prng_start(prng_state *prng) +int dropbear_prng_start(prng_state* UNUSED(prng)) { return CRYPT_OK; } @@ -45,7 +45,7 @@ int dropbear_prng_start(prng_state *prng) @param prng PRNG state to update @return CRYPT_OK if successful */ -int dropbear_prng_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng) +int dropbear_prng_add_entropy(const unsigned char* UNUSED(in), unsigned long UNUSED(inlen), prng_state* UNUSED(prng)) { return CRYPT_OK; } @@ -55,7 +55,7 @@ int dropbear_prng_add_entropy(const unsigned char *in, unsigned long inlen, prng @param prng The PRNG to make active @return CRYPT_OK if successful */ -int dropbear_prng_ready(prng_state *prng) +int dropbear_prng_ready(prng_state* UNUSED(prng)) { return CRYPT_OK; } @@ -67,11 +67,11 @@ int dropbear_prng_ready(prng_state *prng) @param prng The active PRNG to read from @return Number of octets read */ -unsigned long dropbear_prng_read(unsigned char *out, unsigned long outlen, prng_state *prng) +unsigned long dropbear_prng_read(unsigned char* out, unsigned long outlen, prng_state* UNUSED(prng)) { LTC_ARGCHK(out != NULL); genrandom(out, outlen); - return CRYPT_OK; + return outlen; } /** @@ -79,7 +79,7 @@ unsigned long dropbear_prng_read(unsigned char *out, unsigned long outlen, prng_ @param prng The PRNG to terminate @return CRYPT_OK if successful */ -int dropbear_prng_done(prng_state *prng) +int dropbear_prng_done(prng_state* UNUSED(prng)) { return CRYPT_OK; } @@ -91,7 +91,7 @@ int dropbear_prng_done(prng_state *prng) @param prng The PRNG to export @return CRYPT_OK if successful */ -int dropbear_prng_export(unsigned char *out, unsigned long *outlen, prng_state *prng) +int dropbear_prng_export(unsigned char* UNUSED(out), unsigned long* outlen, prng_state* UNUSED(prng)) { LTC_ARGCHK(outlen != NULL); @@ -106,7 +106,7 @@ int dropbear_prng_export(unsigned char *out, unsigned long *outlen, prng_state * @param prng The PRNG to import @return CRYPT_OK if successful */ -int dropbear_prng_import(const unsigned char *in, unsigned long inlen, prng_state *prng) +int dropbear_prng_import(const unsigned char* UNUSED(in), unsigned long UNUSED(inlen), prng_state* UNUSED(prng)) { return CRYPT_OK; } diff --git a/options.h b/options.h index 4c42c02..4f0dc12 100644 --- a/options.h +++ b/options.h @@ -5,10 +5,10 @@ #ifndef _OPTIONS_H_ #define _OPTIONS_H_ -/****************************************************************** - * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" - * parts are to allow for commandline -DDROPBEAR_XXX options etc. - ******************************************************************/ +/* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" + * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ + +// XXX XXX You should probably run "make clean" after changing most options */ #ifndef DROPBEAR_DEFPORT #define DROPBEAR_DEFPORT "22" diff --git a/random.c b/random.c index 8907644..c5a522e 100644 --- a/random.c +++ b/random.c @@ -27,7 +27,6 @@ #include "dbutil.h" #include "bignum.h" #include "random.h" -#include "ltc_prng.h" /* this is used to generate unique output from the same hashpool */ @@ -38,8 +37,6 @@ static uint32_t counter = 0; static unsigned char hashpool[SHA1_HASH_SIZE] = {0}; static int donerandinit = 0; -int dropbear_ltc_prng = -1; - #define INIT_SEED_SIZE 32 /* 256 bits */ /* The basic setup is we read some data from /dev/(u)random or prngd and hash it @@ -235,13 +232,6 @@ void seedrandom() { sha1_done(&hs, hashpool); -#ifdef DROPBEAR_LTC_PRNG - if (dropbear_ltc_prng == -1) { - dropbear_ltc_prng = register_prng(&dropbear_prng_desc); - dropbear_assert(dropbear_ltc_prng != -1); - } -#endif - counter = 0; donerandinit = 1; diff --git a/random.h b/random.h index 4042757..544e77e 100644 --- a/random.h +++ b/random.h @@ -32,6 +32,4 @@ void genrandom(unsigned char* buf, unsigned int len); void addrandom(char * buf, unsigned int len); void gen_random_mpint(mp_int *max, mp_int *rand); -extern int dropbear_ltc_prng; - #endif /* _RANDOM_H_ */ diff --git a/session.h b/session.h index 91af1a3..be789b3 100644 --- a/session.h +++ b/session.h @@ -157,7 +157,7 @@ struct sshsession { buffer *session_id; /* this is the hash from the first kex */ /* The below are used temporarily during kex, are freed after use */ mp_int * dh_K; /* SSH_MSG_KEXDH_REPLY and sending SSH_MSH_NEWKEYS */ - buffer *hash/* the session hash */ + buffer *hash; /* the session hash */ buffer* kexhashbuf; /* session hash buffer calculated from various packets*/ buffer* transkexinit; /* the kexinit packet we send should be kept so we can add it to the hash when generating keys */ diff --git a/svr-auth.c b/svr-auth.c index 404232e..dca95f5 100644 --- a/svr-auth.c +++ b/svr-auth.c @@ -93,8 +93,7 @@ static void send_msg_userauth_banner() { CHECKCLEARTOWRITE(); buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER); - buf_putstring(ses.writepayload, buf_getptr(svr_opts.banner, - svr_opts.banner->len), svr_opts.banner->len); + buf_putbufstring(ses.writepayload, svr_opts.banner); buf_putstring(ses.writepayload, "en", 2); encrypt_packet(); @@ -330,11 +329,10 @@ void send_msg_userauth_failure(int partial, int incrfail) { buf_putbytes(typebuf, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN); } - buf_setpos(typebuf, 0); - buf_putstring(ses.writepayload, buf_getptr(typebuf, typebuf->len), - typebuf->len); + buf_putbufstring(ses.writepayload, typebuf); - TRACE(("auth fail: methods %d, '%s'", ses.authstate.authtypes, + TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes, + typebuf->len, buf_getptr(typebuf, typebuf->len))); buf_free(typebuf); diff --git a/svr-authpubkey.c b/svr-authpubkey.c index d483e9d..1c5f9d6 100644 --- a/svr-authpubkey.c +++ b/svr-authpubkey.c @@ -126,14 +126,13 @@ void svr_auth_pubkey() { /* create the data which has been signed - this a string containing * session_id, concatenated with the payload packet up to the signature */ signbuf = buf_new(ses.payload->pos + 4 + SHA1_HASH_SIZE); - buf_putstring(signbuf, ses.session_id, SHA1_HASH_SIZE); + buf_putbufstring(signbuf, ses.session_id); buf_putbytes(signbuf, ses.payload->data, ses.payload->pos); buf_setpos(signbuf, 0); /* ... and finally verify the signature */ fp = sign_key_fingerprint(keyblob, keybloblen); - if (buf_verify(ses.payload, key, buf_getptr(signbuf, signbuf->len), - signbuf->len) == DROPBEAR_SUCCESS) { + if (buf_verify(ses.payload, key, signbuf) == DROPBEAR_SUCCESS) { dropbear_log(LOG_NOTICE, "Pubkey auth succeeded for '%s' with key %s from %s", ses.authstate.pw_name, fp, svr_ses.addrstring); diff --git a/svr-kex.c b/svr-kex.c index d9106a9..a4376df 100644 --- a/svr-kex.c +++ b/svr-kex.c @@ -34,7 +34,7 @@ #include "bignum.h" #include "random.h" #include "runopts.h" - +#include "ecc.h" static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs); @@ -59,7 +59,7 @@ void recv_msg_kexdh_init() { } } else { #ifdef DROPBEAR_ECDH - buffer *ecdh_qs = buf_getstringbuf(ses.payload); + ecdh_qs = buf_getstringbuf(ses.payload); #endif } @@ -104,14 +104,14 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) { struct kex_ecdh_param *ecdh_param = gen_kexecdh_param(); kexecdh_comb_key(ecdh_param, ecdh_qs, svr_opts.hostkey); - buf_put_ecc_pub(ses.writepayload, &ecdh_param->key); + buf_put_ecc_pubkey_string(ses.writepayload, &ecdh_param->key); free_kexecdh_param(ecdh_param); #endif } /* calc the signature */ buf_put_sign(ses.writepayload, svr_opts.hostkey, - ses.newkeys->algo_hostkey, ses.hash, SHA1_HASH_SIZE); + ses.newkeys->algo_hostkey, ses.hash); /* the SSH_MSG_KEXDH_REPLY is done */ encrypt_packet(); diff --git a/sysoptions.h b/sysoptions.h index 9b7c15a..d31b56f 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -70,10 +70,6 @@ #define DROPBEAR_SIGNKEY_VERIFY #endif -#ifdef DROPBEAR_ECDH -#define DROPBEAR_LTC_PRNG -#endif - #define SHA1_HASH_SIZE 20 #define MD5_HASH_SIZE 16 @@ -99,6 +95,10 @@ #define DROPBEAR_ECC_521 #endif +#ifdef DROPBEAR_ECC +#define DROPBEAR_LTC_PRNG +#endif + // hashes which will be linked and registered #if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) #define DROPBEAR_SHA256 -- cgit v1.2.1 From 8dd2f70401bb7a6dfc92396e6398a44640d06245 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Mon, 8 Apr 2013 00:10:57 +0800 Subject: - Fix various hardcoded uses of SHA1 - rename curves to nistp256 etc - fix svr-auth.c TRACE problem --- bignum.c | 7 +++---- bignum.h | 3 ++- cli-authpubkey.c | 2 +- common-algo.c | 12 ++++++------ common-kex.c | 46 ++++++++++++++++++++++------------------------ ecc.c | 14 +++++++------- ecc.h | 6 +++--- svr-auth.c | 3 +-- svr-authpubkey.c | 2 +- sysoptions.h | 3 +-- 10 files changed, 47 insertions(+), 51 deletions(-) diff --git a/bignum.c b/bignum.c index cf50ddc..886568d 100644 --- a/bignum.c +++ b/bignum.c @@ -60,7 +60,8 @@ void bytes_to_mp(mp_int *mp, const unsigned char* bytes, unsigned int len) { } /* hash the ssh representation of the mp_int mp */ -void sha1_process_mp(hash_state *hs, mp_int *mp) { +void hash_process_mp(const struct ltc_hash_descriptor *hash_desc, + hash_state *hs, mp_int *mp) { int i; buffer * buf; @@ -68,8 +69,6 @@ void sha1_process_mp(hash_state *hs, mp_int *mp) { buf = buf_new(512 + 20); /* max buffer is a 4096 bit key, plus header + some leeway*/ buf_putmpint(buf, mp); - i = buf->pos; - buf_setpos(buf, 0); - sha1_process(hs, buf_getptr(buf, i), i); + hash_desc->process(hs, buf->data, buf->len); buf_free(buf); } diff --git a/bignum.h b/bignum.h index 042f811..f7abc7d 100644 --- a/bignum.h +++ b/bignum.h @@ -30,6 +30,7 @@ void m_mp_init(mp_int *mp); void m_mp_init_multi(mp_int *mp, ...); void bytes_to_mp(mp_int *mp, const unsigned char* bytes, unsigned int len); -void sha1_process_mp(hash_state *hs, mp_int *mp); +void hash_process_mp(const struct ltc_hash_descriptor *hash_desc, + hash_state *hs, mp_int *mp); #endif /* _BIGNUM_H_ */ diff --git a/cli-authpubkey.c b/cli-authpubkey.c index 96eee05..9fcc256 100644 --- a/cli-authpubkey.c +++ b/cli-authpubkey.c @@ -169,7 +169,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) { TRACE(("realsign")) /* We put the signature as well - this contains string(session id), then * the contents of the write payload to this point */ - sigbuf = buf_new(4 + SHA1_HASH_SIZE + ses.writepayload->len); + sigbuf = buf_new(4 + ses.session_id->len + ses.writepayload->len); buf_putbufstring(sigbuf, ses.session_id); buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); cli_buf_put_sign(ses.writepayload, key, type, sigbuf); diff --git a/common-algo.c b/common-algo.c index 04bbd51..025faae 100644 --- a/common-algo.c +++ b/common-algo.c @@ -227,13 +227,13 @@ static struct dropbear_kex kex_dh_group14 = {dh_p_14, DH_P_14_LEN, NULL, &sha1_d #ifdef DROPBEAR_ECDH #ifdef DROPBEAR_ECC_256 -static struct dropbear_kex kex_ecdh_secp256r1 = {NULL, 0, &ecc_curve_secp256r1, &sha256_desc }; +static struct dropbear_kex kex_ecdh_nistp256 = {NULL, 0, &ecc_curve_nistp256, &sha256_desc }; #endif #ifdef DROPBEAR_ECC_384 -static struct dropbear_kex kex_ecdh_secp384r1 = {NULL, 0, &ecc_curve_secp384r1, &sha384_desc }; +static struct dropbear_kex kex_ecdh_nistp384 = {NULL, 0, &ecc_curve_nistp384, &sha384_desc }; #endif #ifdef DROPBEAR_ECC_521 -static struct dropbear_kex kex_ecdh_secp521r1 = {NULL, 0, &ecc_curve_secp521r1, &sha512_desc }; +static struct dropbear_kex kex_ecdh_nistp521 = {NULL, 0, &ecc_curve_nistp521, &sha512_desc }; #endif #endif // DROPBEAR_ECDH @@ -241,13 +241,13 @@ static struct dropbear_kex kex_ecdh_secp521r1 = {NULL, 0, &ecc_curve_secp521r1, algo_type sshkex[] = { #ifdef DROPBEAR_ECDH #ifdef DROPBEAR_ECC_256 - {"ecdh-sha2-secp256r1", 0, &kex_ecdh_secp256r1, 1, NULL}, + {"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL}, #endif #ifdef DROPBEAR_ECC_384 - {"ecdh-sha2-secp384r1", 0, &kex_ecdh_secp384r1, 1, NULL}, + {"ecdh-sha2-nistp384", 0, &kex_ecdh_nistp384, 1, NULL}, #endif #ifdef DROPBEAR_ECC_521 - {"ecdh-sha2-secp521r1", 0, &kex_ecdh_secp521r1, 1, NULL}, + {"ecdh-sha2-nistp521", 0, &kex_ecdh_nistp521, 1, NULL}, #endif #endif {"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL}, diff --git a/common-kex.c b/common-kex.c index 48569fe..1543fb8 100644 --- a/common-kex.c +++ b/common-kex.c @@ -85,8 +85,8 @@ static void gen_new_zstreams(); #endif static void read_kex_algos(); /* helper function for gen_new_keys */ -static void hashkeys(unsigned char *out, int outlen, - const hash_state * hs, unsigned const char X); +static void hashkeys(unsigned char *out, unsigned int outlen, + const hash_state * hs, const unsigned char X); static void finish_kexhashbuf(void); @@ -251,26 +251,28 @@ static void kexinitialise() { * out must have at least min(SHA1_HASH_SIZE, outlen) bytes allocated. * * See Section 7.2 of rfc4253 (ssh transport) for details */ -static void hashkeys(unsigned char *out, int outlen, +static void hashkeys(unsigned char *out, unsigned int outlen, const hash_state * hs, const unsigned char X) { + const struct ltc_hash_descriptor *hashdesc = ses.newkeys->algo_kex->hashdesc; hash_state hs2; - int offset; + unsigned int offset; + unsigned char tmpout[hashdesc->hashsize]; memcpy(&hs2, hs, sizeof(hash_state)); - sha1_process(&hs2, &X, 1); - sha1_process(&hs2, ses.session_id->data, ses.session_id->len); - sha1_done(&hs2, out); - for (offset = SHA1_HASH_SIZE; + hashdesc->process(&hs2, &X, 1); + hashdesc->process(&hs2, ses.session_id->data, ses.session_id->len); + hashdesc->done(&hs2, tmpout); + memcpy(out, tmpout, MIN(hashdesc->hashsize, outlen)); + for (offset = hashdesc->hashsize; offset < outlen; - offset += SHA1_HASH_SIZE) + offset += hashdesc->hashsize) { /* need to extend */ - unsigned char k2[SHA1_HASH_SIZE]; memcpy(&hs2, hs, sizeof(hash_state)); - sha1_process(&hs2, out, offset); - sha1_done(&hs2, k2); - memcpy(&out[offset], k2, MIN(outlen - offset, SHA1_HASH_SIZE)); + hashdesc->process(&hs2, out, offset); + hashdesc->done(&hs2, tmpout); + memcpy(&out[offset], tmpout, MIN(outlen - offset, hashdesc->hashsize)); } } @@ -292,14 +294,14 @@ void gen_new_keys() { unsigned char *trans_IV, *trans_key, *recv_IV, *recv_key; hash_state hs; - unsigned int C2S_keysize, S2C_keysize; + const struct ltc_hash_descriptor *hashdesc = ses.newkeys->algo_kex->hashdesc; char mactransletter, macrecvletter; /* Client or server specific */ TRACE(("enter gen_new_keys")) /* the dh_K and hash are the start of all hashes, we make use of that */ - sha1_init(&hs); - sha1_process_mp(&hs, ses.dh_K); + hashdesc->init(&hs); + hash_process_mp(hashdesc, &hs, ses.dh_K); mp_clear(ses.dh_K); m_free(ses.dh_K); sha1_process(&hs, ses.hash->data, ses.hash->len); @@ -312,8 +314,6 @@ void gen_new_keys() { recv_IV = S2C_IV; trans_key = C2S_key; recv_key = S2C_key; - C2S_keysize = ses.newkeys->trans.algo_crypt->keysize; - S2C_keysize = ses.newkeys->recv.algo_crypt->keysize; mactransletter = 'E'; macrecvletter = 'F'; } else { @@ -321,16 +321,14 @@ void gen_new_keys() { recv_IV = C2S_IV; trans_key = S2C_key; recv_key = C2S_key; - C2S_keysize = ses.newkeys->recv.algo_crypt->keysize; - S2C_keysize = ses.newkeys->trans.algo_crypt->keysize; mactransletter = 'F'; macrecvletter = 'E'; } - hashkeys(C2S_IV, SHA1_HASH_SIZE, &hs, 'A'); - hashkeys(S2C_IV, SHA1_HASH_SIZE, &hs, 'B'); - hashkeys(C2S_key, C2S_keysize, &hs, 'C'); - hashkeys(S2C_key, S2C_keysize, &hs, 'D'); + hashkeys(C2S_IV, sizeof(C2S_IV), &hs, 'A'); + hashkeys(S2C_IV, sizeof(S2C_IV), &hs, 'B'); + hashkeys(C2S_key, sizeof(C2S_key), &hs, 'C'); + hashkeys(S2C_key, sizeof(S2C_key), &hs, 'D'); if (ses.newkeys->recv.algo_crypt->cipherdesc != NULL) { int recv_cipher = find_cipher(ses.newkeys->recv.algo_crypt->cipherdesc->name); diff --git a/ecc.c b/ecc.c index 0f988ac..fc5ea9d 100644 --- a/ecc.c +++ b/ecc.c @@ -9,24 +9,24 @@ // TODO: use raw bytes for the dp rather than the hex strings in libtomcrypt's ecc.c #ifdef DROPBEAR_ECC_256 -const struct dropbear_ecc_curve ecc_curve_secp256r1 = { +const struct dropbear_ecc_curve ecc_curve_nistp256 = { .dp = <c_ecc_sets[0], .hash_desc = &sha256_desc, - .name = "secp256r1" + .name = "nistp256" }; #endif #ifdef DROPBEAR_ECC_384 -const struct dropbear_ecc_curve ecc_curve_secp384r1 = { +const struct dropbear_ecc_curve ecc_curve_nistp384 = { .dp = <c_ecc_sets[1], .hash_desc = &sha384_desc, - .name = "secp384r1" + .name = "nistp384" }; #endif #ifdef DROPBEAR_ECC_521 -const struct dropbear_ecc_curve ecc_curve_secp521r1 = { +const struct dropbear_ecc_curve ecc_curve_nistp521 = { .dp = <c_ecc_sets[2], .hash_desc = &sha512_desc, - .name = "secp521r1" + .name = "nistp521" }; #endif @@ -35,7 +35,7 @@ static ecc_key * new_ecc_key(void) { key->pubkey.x = m_malloc(sizeof(mp_int)); key->pubkey.y = m_malloc(sizeof(mp_int)); key->pubkey.z = m_malloc(sizeof(mp_int)); - key->k = m_malloc(sizeof(mp_init)); + key->k = m_malloc(sizeof(mp_int)); m_mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL); return key; } diff --git a/ecc.h b/ecc.h index d72fbb1..dcf190e 100644 --- a/ecc.h +++ b/ecc.h @@ -14,9 +14,9 @@ struct dropbear_ecc_curve { const char *name; }; -extern const struct dropbear_ecc_curve ecc_curve_secp256r1; -extern const struct dropbear_ecc_curve ecc_curve_secp384r1; -extern const struct dropbear_ecc_curve ecc_curve_secp521r1; +extern const struct dropbear_ecc_curve ecc_curve_nistp256; +extern const struct dropbear_ecc_curve ecc_curve_nistp384; +extern const struct dropbear_ecc_curve ecc_curve_nistp521; // "pubkey" refers to a point, but LTC uses ecc_key structure for both public // and private keys diff --git a/svr-auth.c b/svr-auth.c index dca95f5..eb518fc 100644 --- a/svr-auth.c +++ b/svr-auth.c @@ -332,8 +332,7 @@ void send_msg_userauth_failure(int partial, int incrfail) { buf_putbufstring(ses.writepayload, typebuf); TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes, - typebuf->len, - buf_getptr(typebuf, typebuf->len))); + typebuf->len, typebuf->data)) buf_free(typebuf); diff --git a/svr-authpubkey.c b/svr-authpubkey.c index 1c5f9d6..e0727de 100644 --- a/svr-authpubkey.c +++ b/svr-authpubkey.c @@ -125,7 +125,7 @@ void svr_auth_pubkey() { /* create the data which has been signed - this a string containing * session_id, concatenated with the payload packet up to the signature */ - signbuf = buf_new(ses.payload->pos + 4 + SHA1_HASH_SIZE); + signbuf = buf_new(ses.payload->pos + 4 + ses.session_id->len); buf_putbufstring(signbuf, ses.session_id); buf_putbytes(signbuf, ses.payload->data, ses.payload->pos); buf_setpos(signbuf, 0); diff --git a/sysoptions.h b/sysoptions.h index d31b56f..a6b1364 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -74,8 +74,7 @@ #define MD5_HASH_SIZE 16 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */ -#define MAX_IV_LEN 20 /* must be same as max blocksize, - and >= SHA1_HASH_SIZE */ +#define MAX_IV_LEN 20 /* must be same as max blocksize, */ #if defined(DROPBEAR_SHA2_512_HMAC) #define MAX_MAC_LEN 64 -- cgit v1.2.1 From bceb7433b81737a3a205a6432e8f2ea7b53a5a26 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Mon, 8 Apr 2013 23:12:20 +0800 Subject: ecdh works against OpenSSH --- common-kex.c | 10 +--------- ecc.c | 22 +++++++--------------- 2 files changed, 8 insertions(+), 24 deletions(-) diff --git a/common-kex.c b/common-kex.c index 1543fb8..729b5d8 100644 --- a/common-kex.c +++ b/common-kex.c @@ -304,7 +304,7 @@ void gen_new_keys() { hash_process_mp(hashdesc, &hs, ses.dh_K); mp_clear(ses.dh_K); m_free(ses.dh_K); - sha1_process(&hs, ses.hash->data, ses.hash->len); + hashdesc->process(&hs, ses.hash->data, ses.hash->len); buf_burn(ses.hash); buf_free(ses.hash); ses.hash = NULL; @@ -659,11 +659,9 @@ void free_kexecdh_param(struct kex_ecdh_param *param) { void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, sign_key *hostkey) { const struct dropbear_kex *algo_kex = ses.newkeys->algo_kex; - hash_state hs; // public keys from client and server ecc_key *Q_C, *Q_S, *Q_them; - // XXX load Q_them Q_them = buf_get_ecc_pubkey(pub_them, algo_kex->ecc_curve); ses.dh_K = dropbear_ecc_shared_secret(Q_them, ¶m->key); @@ -688,12 +686,6 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, /* K, the shared secret */ buf_putmpint(ses.kexhashbuf, ses.dh_K); - /* calculate the hash H to sign */ - algo_kex->hashdesc->init(&hs); - buf_setpos(ses.kexhashbuf, 0); - algo_kex->hashdesc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), - ses.kexhashbuf->len); - /* calculate the hash H to sign */ finish_kexhashbuf(); } diff --git a/ecc.c b/ecc.c index fc5ea9d..de893f2 100644 --- a/ecc.c +++ b/ecc.c @@ -181,17 +181,6 @@ mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, ecc_key *private_key) goto done; } -#if 0 - // XXX - possibly not neccessary tests? - if (ltc_ecc_is_valid_idx(private_key->idx) == 0 || ltc_ecc_is_valid_idx(public_key->idx) == 0) { - goto done; - } - - if (XSTRCMP(private_key->dp->name, public_key->dp->name) != 0) { - goto done; - } -#endif - /* make new point */ result = ltc_ecc_new_point(); if (result == NULL) { @@ -211,20 +200,23 @@ mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, ecc_key *private_key) err = DROPBEAR_SUCCESS; done: if (err == DROPBEAR_SUCCESS) { - shared_secret = prime; - prime = NULL; + shared_secret = m_malloc(sizeof(*shared_secret)); + m_mp_init(shared_secret); + mp_copy(result->x, shared_secret); } if (prime) { mp_clear(prime); m_free(prime); } - ltc_ecc_del_point(result); + if (result) + { + ltc_ecc_del_point(result); + } if (err == DROPBEAR_FAILURE) { dropbear_exit("ECC error"); } - return shared_secret; } -- cgit v1.2.1 From c60df7d1a35acf7b1f25be488cbc09e7c24e0f4b Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Mon, 8 Apr 2013 23:12:35 +0800 Subject: add printmpint() for debugging --- dbutil.c | 8 ++++++++ dbutil.h | 1 + 2 files changed, 9 insertions(+) diff --git a/dbutil.c b/dbutil.c index 044388a..f2fe5b9 100644 --- a/dbutil.c +++ b/dbutil.c @@ -651,6 +651,14 @@ void printhex(const char * label, const unsigned char * buf, int len) { } fprintf(stderr, "\n"); } + +void printmpint(const char *label, mp_int *mp) { + buffer *buf = buf_new(1000); + buf_putmpint(buf, mp); + printhex(label, buf->data, buf->len); + buf_free(buf); + +} #endif /* Strip all control characters from text (a null-terminated string), except diff --git a/dbutil.h b/dbutil.h index 0f16bf3..5be3465 100644 --- a/dbutil.h +++ b/dbutil.h @@ -58,6 +58,7 @@ void fail_assert(const char* expr, const char* file, int line) ATTRIB_NORETURN; #ifdef DEBUG_TRACE void dropbear_trace(const char* format, ...) ATTRIB_PRINTF(1,2); void printhex(const char * label, const unsigned char * buf, int len); +void printmpint(const char *label, mp_int *mp); extern int debug_trace; #endif -- cgit v1.2.1 From 8a479734d84a64315bc0ade6b2831f6a549e0dba Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Mon, 8 Apr 2013 23:56:31 +0800 Subject: - Rename buf_put_ecc_pubkey_string() to buf_put_ecc_raw_pubkey_string() - Reindent ecc.c properly --- cli-kex.c | 2 +- common-kex.c | 6 +- ecc.c | 310 ++++++++++++++++++++++++++++++----------------------------- ecc.h | 4 +- svr-kex.c | 2 +- 5 files changed, 163 insertions(+), 161 deletions(-) diff --git a/cli-kex.c b/cli-kex.c index 23b7308..f1bf67c 100644 --- a/cli-kex.c +++ b/cli-kex.c @@ -51,7 +51,7 @@ void send_msg_kexdh_init() { } else { #ifdef DROPBEAR_ECDH cli_ses.ecdh_param = gen_kexecdh_param(); - buf_put_ecc_pubkey_string(ses.writepayload, &cli_ses.ecdh_param->key); + buf_put_ecc_raw_pubkey_string(ses.writepayload, &cli_ses.ecdh_param->key); #endif } encrypt_packet(); diff --git a/common-kex.c b/common-kex.c index 729b5d8..99d0859 100644 --- a/common-kex.c +++ b/common-kex.c @@ -662,7 +662,7 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, // public keys from client and server ecc_key *Q_C, *Q_S, *Q_them; - Q_them = buf_get_ecc_pubkey(pub_them, algo_kex->ecc_curve); + Q_them = buf_get_ecc_raw_pubkey(pub_them, algo_kex->ecc_curve); ses.dh_K = dropbear_ecc_shared_secret(Q_them, ¶m->key); @@ -680,9 +680,9 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, /* K_S, the host key */ buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey); /* Q_C, client's ephemeral public key octet string */ - buf_put_ecc_pubkey_string(ses.kexhashbuf, Q_C); + buf_put_ecc_raw_pubkey_string(ses.kexhashbuf, Q_C); /* Q_S, server's ephemeral public key octet string */ - buf_put_ecc_pubkey_string(ses.kexhashbuf, Q_S); + buf_put_ecc_raw_pubkey_string(ses.kexhashbuf, Q_S); /* K, the shared secret */ buf_putmpint(ses.kexhashbuf, ses.dh_K); diff --git a/ecc.c b/ecc.c index de893f2..56ab47a 100644 --- a/ecc.c +++ b/ecc.c @@ -31,136 +31,138 @@ const struct dropbear_ecc_curve ecc_curve_nistp521 = { #endif static ecc_key * new_ecc_key(void) { - ecc_key *key = m_malloc(sizeof(*key)); - key->pubkey.x = m_malloc(sizeof(mp_int)); - key->pubkey.y = m_malloc(sizeof(mp_int)); - key->pubkey.z = m_malloc(sizeof(mp_int)); - key->k = m_malloc(sizeof(mp_int)); - m_mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL); - return key; -} - -void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key) { - unsigned long len = key->dp->size*2 + 1; - buf_putint(buf, len); - int err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len); - if (err != CRYPT_OK) { - dropbear_exit("ECC error"); - } - buf_incrwritepos(buf, len); + ecc_key *key = m_malloc(sizeof(*key)); + key->pubkey.x = m_malloc(sizeof(mp_int)); + key->pubkey.y = m_malloc(sizeof(mp_int)); + key->pubkey.z = m_malloc(sizeof(mp_int)); + key->k = m_malloc(sizeof(mp_int)); + m_mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL); + return key; } // Copied from libtomcrypt ecc_import.c (version there is static), modified // for different mp_int pointer without LTC_SOURCE static int ecc_is_point(ecc_key *key) { - mp_int *prime, *b, *t1, *t2; - int err; - - prime = m_malloc(sizeof(mp_int)); - b = m_malloc(sizeof(mp_int)); - t1 = m_malloc(sizeof(mp_int)); - t2 = m_malloc(sizeof(mp_int)); - - m_mp_init_multi(prime, b, t1, t2, NULL); - + mp_int *prime, *b, *t1, *t2; + int err; + + prime = m_malloc(sizeof(mp_int)); + b = m_malloc(sizeof(mp_int)); + t1 = m_malloc(sizeof(mp_int)); + t2 = m_malloc(sizeof(mp_int)); + + m_mp_init_multi(prime, b, t1, t2, NULL); + /* load prime and b */ - if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) { goto error; } - if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) { goto error; } - + if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) { goto error; } + if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) { goto error; } + /* compute y^2 */ - if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK) { goto error; } - + if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK) { goto error; } + /* compute x^3 */ - if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK) { goto error; } - if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK) { goto error; } - if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK) { goto error; } - + if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK) { goto error; } + if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK) { goto error; } + if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK) { goto error; } + /* compute y^2 - x^3 */ - if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK) { goto error; } - + if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK) { goto error; } + /* compute y^2 - x^3 + 3x */ - if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } - if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } - if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } - if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK) { goto error; } - while (mp_cmp_d(t1, 0) == LTC_MP_LT) { - if ((err = mp_add(t1, prime, t1)) != CRYPT_OK) { goto error; } - } - while (mp_cmp(t1, prime) != LTC_MP_LT) { - if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK) { goto error; } - } - + if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } + if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } + if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; } + if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK) { goto error; } + while (mp_cmp_d(t1, 0) == LTC_MP_LT) { + if ((err = mp_add(t1, prime, t1)) != CRYPT_OK) { goto error; } + } + while (mp_cmp(t1, prime) != LTC_MP_LT) { + if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK) { goto error; } + } + /* compare to b */ - if (mp_cmp(t1, b) != LTC_MP_EQ) { - err = CRYPT_INVALID_PACKET; - } else { - err = CRYPT_OK; - } - -error: - mp_clear_multi(prime, b, t1, t2, NULL); - m_free(prime); - m_free(b); - m_free(t1); - m_free(t2); - return err; + if (mp_cmp(t1, b) != LTC_MP_EQ) { + err = CRYPT_INVALID_PACKET; + } else { + err = CRYPT_OK; + } + + error: + mp_clear_multi(prime, b, t1, t2, NULL); + m_free(prime); + m_free(b); + m_free(t1); + m_free(t2); + return err; } -ecc_key * buf_get_ecc_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve) { - ecc_key *key = NULL; - int ret = DROPBEAR_FAILURE; - const unsigned int size = curve->dp->size; - buf_setpos(buf, 0); - unsigned int len = buf->len; - unsigned char first = buf_getbyte(buf); - if (first == 2 || first == 3) { - dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression"); - return NULL; - } - if (first != 4 || len != 1+2*size) { - return NULL; - } - - key = new_ecc_key(); - key->dp = curve->dp; - - if (mp_read_unsigned_bin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) { - goto out; - } - buf_incrpos(buf, size); - - if (mp_read_unsigned_bin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) { - goto out; - } - buf_incrpos(buf, size); - - mp_set(key->pubkey.z, 1); - - if (ecc_is_point(key) != CRYPT_OK) { - goto out; - } +/* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */ +void buf_put_ecc_raw_pubkey_string(buffer *buf, ecc_key *key) { + unsigned long len = key->dp->size*2 + 1; + buf_putint(buf, len); + int err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len); + if (err != CRYPT_OK) { + dropbear_exit("ECC error"); + } + buf_incrwritepos(buf, len); +} + +/* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */ +ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve) { + ecc_key *key = NULL; + int ret = DROPBEAR_FAILURE; + const unsigned int size = curve->dp->size; + buf_setpos(buf, 0); + unsigned int len = buf->len; + unsigned char first = buf_getbyte(buf); + if (first == 2 || first == 3) { + dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression"); + return NULL; + } + if (first != 4 || len != 1+2*size) { + return NULL; + } + + key = new_ecc_key(); + key->dp = curve->dp; + + if (mp_read_unsigned_bin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) { + goto out; + } + buf_incrpos(buf, size); + + if (mp_read_unsigned_bin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) { + goto out; + } + buf_incrpos(buf, size); + + mp_set(key->pubkey.z, 1); + + if (ecc_is_point(key) != CRYPT_OK) { + goto out; + } // SEC1 3.2.3.1 Check that Q != 0 - if (mp_cmp_d(key->pubkey.x, 0) == LTC_MP_EQ) { - goto out; - } - if (mp_cmp_d(key->pubkey.y, 0) == LTC_MP_EQ) { - goto out; - } - - ret = DROPBEAR_SUCCESS; - -out: - if (ret == DROPBEAR_FAILURE) { - if (key) { - ecc_free(key); - m_free(key); - key = NULL; - } - } - - return key; + if (mp_cmp_d(key->pubkey.x, 0) == LTC_MP_EQ) { + goto out; + } + if (mp_cmp_d(key->pubkey.y, 0) == LTC_MP_EQ) { + goto out; + } + + ret = DROPBEAR_SUCCESS; + + out: + if (ret == DROPBEAR_FAILURE) { + if (key) { + ecc_free(key); + m_free(key); + key = NULL; + } + } + + return key; } @@ -168,56 +170,56 @@ out: // a mp_int instead. mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, ecc_key *private_key) { - ecc_point *result = NULL; - mp_int *prime = NULL, *shared_secret = NULL; - int err = DROPBEAR_FAILURE; + ecc_point *result = NULL; + mp_int *prime = NULL, *shared_secret = NULL; + int err = DROPBEAR_FAILURE; /* type valid? */ - if (private_key->type != PK_PRIVATE) { - goto done; - } + if (private_key->type != PK_PRIVATE) { + goto done; + } - if (private_key->dp != public_key->dp) { - goto done; - } + if (private_key->dp != public_key->dp) { + goto done; + } /* make new point */ - result = ltc_ecc_new_point(); - if (result == NULL) { - goto done; - } - - prime = m_malloc(sizeof(*prime)); - m_mp_init(prime); - - if (mp_read_radix(prime, (char *)private_key->dp->prime, 16) != CRYPT_OK) { - goto done; - } - if (ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1) != CRYPT_OK) { - goto done; - } - - err = DROPBEAR_SUCCESS; -done: + result = ltc_ecc_new_point(); + if (result == NULL) { + goto done; + } + + prime = m_malloc(sizeof(*prime)); + m_mp_init(prime); + + if (mp_read_radix(prime, (char *)private_key->dp->prime, 16) != CRYPT_OK) { + goto done; + } + if (ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1) != CRYPT_OK) { + goto done; + } + + err = DROPBEAR_SUCCESS; + done: if (err == DROPBEAR_SUCCESS) { shared_secret = m_malloc(sizeof(*shared_secret)); - m_mp_init(shared_secret); - mp_copy(result->x, shared_secret); + m_mp_init(shared_secret); + mp_copy(result->x, shared_secret); } if (prime) { - mp_clear(prime); - m_free(prime); - } - if (result) - { - ltc_ecc_del_point(result); - } - - if (err == DROPBEAR_FAILURE) { - dropbear_exit("ECC error"); - } - return shared_secret; + mp_clear(prime); + m_free(prime); + } + if (result) + { + ltc_ecc_del_point(result); + } + + if (err == DROPBEAR_FAILURE) { + dropbear_exit("ECC error"); + } + return shared_secret; } #endif diff --git a/ecc.h b/ecc.h index dcf190e..9457ebe 100644 --- a/ecc.h +++ b/ecc.h @@ -20,8 +20,8 @@ extern const struct dropbear_ecc_curve ecc_curve_nistp521; // "pubkey" refers to a point, but LTC uses ecc_key structure for both public // and private keys -void buf_put_ecc_pubkey_string(buffer *buf, ecc_key *key); -ecc_key * buf_get_ecc_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve); +void buf_put_ecc_raw_pubkey_string(buffer *buf, ecc_key *key); +ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve); int buf_get_ecc_privkey_string(buffer *buf, ecc_key *key); mp_int * dropbear_ecc_shared_secret(ecc_key *pub_key, ecc_key *priv_key); diff --git a/svr-kex.c b/svr-kex.c index a4376df..2d2cdb1 100644 --- a/svr-kex.c +++ b/svr-kex.c @@ -104,7 +104,7 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) { struct kex_ecdh_param *ecdh_param = gen_kexecdh_param(); kexecdh_comb_key(ecdh_param, ecdh_qs, svr_opts.hostkey); - buf_put_ecc_pubkey_string(ses.writepayload, &ecdh_param->key); + buf_put_ecc_raw_pubkey_string(ses.writepayload, &ecdh_param->key); free_kexecdh_param(ecdh_param); #endif } -- cgit v1.2.1 From da9eb9946aa0ef4bcfdb2cee5da56cb2db518d3d Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Tue, 9 Apr 2013 00:36:04 +0800 Subject: start on ecdsa keys --- Makefile.in | 5 ++-- algo.h | 3 --- cli-session.c | 1 + common-algo.c | 70 -------------------------------------------------------- common-kex.c | 1 + crypto_desc.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ crypto_desc.h | 9 ++++++++ dropbearkey.c | 1 + ecc.c | 7 +++--- ecc.h | 2 +- ecdsa.c | 53 +++++++++++++++++++++++++++++++++++++++++++ ecdsa.h | 0 options.h | 1 + signkey.h | 3 +++ svr-session.c | 1 + sysoptions.h | 11 +++++---- 16 files changed, 157 insertions(+), 84 deletions(-) create mode 100644 crypto_desc.c create mode 100644 crypto_desc.h create mode 100644 ecdsa.c create mode 100644 ecdsa.h diff --git a/Makefile.in b/Makefile.in index f456a72..13d8e83 100644 --- a/Makefile.in +++ b/Makefile.in @@ -26,7 +26,8 @@ COMMONOBJS=dbutil.o buffer.o \ dss.o bignum.o \ signkey.o rsa.o random.o \ queue.o \ - atomicio.o compat.o fake-rfc2553.o ltc_prng.o ecc.o + atomicio.o compat.o fake-rfc2553.o \ + ltc_prng.o ecc.o ecdsa.o crypto_desc.o SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \ svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \ @@ -54,7 +55,7 @@ HEADERS=options.h dbutil.h session.h packet.h algo.h ssh.h buffer.h kex.h \ debug.h channel.h chansession.h config.h queue.h sshpty.h \ termcodes.h gendss.h genrsa.h runopts.h includes.h \ loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \ - listener.h fake-rfc2553.h + listener.h fake-rfc2553.h ecc.h ecdsa.h dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS) diff --git a/algo.h b/algo.h index 500c449..4be7cf3 100644 --- a/algo.h +++ b/algo.h @@ -93,7 +93,6 @@ struct dropbear_kex { const struct ltc_hash_descriptor *hashdesc; }; -void crypto_init(); int have_algo(char* algo, size_t algolen, algo_type algos[]); void buf_put_algolist(buffer * buf, algo_type localalgos[]); @@ -120,6 +119,4 @@ enum { DROPBEAR_COMP_ZLIB_DELAY, }; -extern int dropbear_ltc_prng; - #endif /* _ALGO_H_ */ diff --git a/cli-session.c b/cli-session.c index e58fdbd..2905389 100644 --- a/cli-session.c +++ b/cli-session.c @@ -36,6 +36,7 @@ #include "runopts.h" #include "chansession.h" #include "agentfwd.h" +#include "crypto_desc.h" static void cli_remoteclosed(); static void cli_sessionloop(); diff --git a/common-algo.c b/common-algo.c index 025faae..9915ce6 100644 --- a/common-algo.c +++ b/common-algo.c @@ -33,12 +33,6 @@ /* This file (algo.c) organises the ciphers which can be used, and is used to * decide which ciphers/hashes/compression/signing to use during key exchange*/ -#ifdef DROPBEAR_LTC_PRNG - int dropbear_ltc_prng = -1; -#endif - - - static int void_cipher(const unsigned char* in, unsigned char* out, unsigned long len, void* UNUSED(cipher_state)) { if (in != out) { @@ -255,70 +249,6 @@ algo_type sshkex[] = { {NULL, 0, NULL, 0, NULL} }; - -/* Register the compiled in ciphers. - * This should be run before using any of the ciphers/hashes */ -void crypto_init() { - - const struct ltc_cipher_descriptor *regciphers[] = { -#ifdef DROPBEAR_AES - &aes_desc, -#endif -#ifdef DROPBEAR_BLOWFISH - &blowfish_desc, -#endif -#ifdef DROPBEAR_TWOFISH - &twofish_desc, -#endif -#ifdef DROPBEAR_3DES - &des3_desc, -#endif - NULL - }; - - const struct ltc_hash_descriptor *reghashes[] = { - /* we need sha1 for hostkey stuff regardless */ - &sha1_desc, -#ifdef DROPBEAR_MD5_HMAC - &md5_desc, -#endif -#ifdef DROPBEAR_SHA256 - &sha256_desc, -#endif -#ifdef DROPBEAR_SHA384 - &sha384_desc, -#endif -#ifdef DROPBEAR_SHA512 - &sha512_desc, -#endif - NULL - }; - int i; - - for (i = 0; regciphers[i] != NULL; i++) { - if (register_cipher(regciphers[i]) == -1) { - dropbear_exit("Error registering crypto"); - } - } - - for (i = 0; reghashes[i] != NULL; i++) { - if (register_hash(reghashes[i]) == -1) { - dropbear_exit("Error registering crypto"); - } - } - -#ifdef DROPBEAR_LTC_PRNG - dropbear_ltc_prng = register_prng(&dropbear_prng_desc); - if (dropbear_ltc_prng == -1) { - dropbear_exit("Error registering crypto"); - } -#endif - -#ifdef DROPBEAR_ECC - ltc_mp = ltm_desc; -#endif -} - /* algolen specifies the length of algo, algos is our local list to match * against. * Returns DROPBEAR_SUCCESS if we have a match for algo, DROPBEAR_FAILURE diff --git a/common-kex.c b/common-kex.c index 99d0859..c68b227 100644 --- a/common-kex.c +++ b/common-kex.c @@ -35,6 +35,7 @@ #include "random.h" #include "runopts.h" #include "ecc.h" +#include "crypto_desc.h" /* diffie-hellman-group1-sha1 value for p */ const unsigned char dh_p_1[DH_P_1_LEN] = { diff --git a/crypto_desc.c b/crypto_desc.c new file mode 100644 index 0000000..403e085 --- /dev/null +++ b/crypto_desc.c @@ -0,0 +1,73 @@ +#include "includes.h" +#include "dbutil.h" +#include "crypto_desc.h" +#include "ltc_prng.h" + +#ifdef DROPBEAR_LTC_PRNG + int dropbear_ltc_prng = -1; +#endif + + +/* Register the compiled in ciphers. + * This should be run before using any of the ciphers/hashes */ +void crypto_init() { + + const struct ltc_cipher_descriptor *regciphers[] = { +#ifdef DROPBEAR_AES + &aes_desc, +#endif +#ifdef DROPBEAR_BLOWFISH + &blowfish_desc, +#endif +#ifdef DROPBEAR_TWOFISH + &twofish_desc, +#endif +#ifdef DROPBEAR_3DES + &des3_desc, +#endif + NULL + }; + + const struct ltc_hash_descriptor *reghashes[] = { + /* we need sha1 for hostkey stuff regardless */ + &sha1_desc, +#ifdef DROPBEAR_MD5_HMAC + &md5_desc, +#endif +#ifdef DROPBEAR_SHA256 + &sha256_desc, +#endif +#ifdef DROPBEAR_SHA384 + &sha384_desc, +#endif +#ifdef DROPBEAR_SHA512 + &sha512_desc, +#endif + NULL + }; + int i; + + for (i = 0; regciphers[i] != NULL; i++) { + if (register_cipher(regciphers[i]) == -1) { + dropbear_exit("Error registering crypto"); + } + } + + for (i = 0; reghashes[i] != NULL; i++) { + if (register_hash(reghashes[i]) == -1) { + dropbear_exit("Error registering crypto"); + } + } + +#ifdef DROPBEAR_LTC_PRNG + dropbear_ltc_prng = register_prng(&dropbear_prng_desc); + if (dropbear_ltc_prng == -1) { + dropbear_exit("Error registering crypto"); + } +#endif + +#ifdef DROPBEAR_ECC + ltc_mp = ltm_desc; +#endif +} + diff --git a/crypto_desc.h b/crypto_desc.h new file mode 100644 index 0000000..ff04066 --- /dev/null +++ b/crypto_desc.h @@ -0,0 +1,9 @@ +#ifndef _CRYPTO_DESC_H +#define _CRYPTO_DESC_H + +void crypto_init(); + +extern int dropbear_ltc_prng; + +#endif // _CRYPTO_DESC_H + diff --git a/dropbearkey.c b/dropbearkey.c index 9b82a77..a9d80fd 100644 --- a/dropbearkey.c +++ b/dropbearkey.c @@ -188,6 +188,7 @@ int main(int argc, char ** argv) { exit(EXIT_FAILURE); } + // TODO: put RSA and DSS size checks into genrsa.c etc if (keytype == DROPBEAR_SIGNKEY_DSS && bits != 1024) { fprintf(stderr, "DSS keys have a fixed size of 1024 bits\n"); exit(EXIT_FAILURE); diff --git a/ecc.c b/ecc.c index 56ab47a..10ae322 100644 --- a/ecc.c +++ b/ecc.c @@ -7,25 +7,24 @@ #ifdef DROPBEAR_ECC // TODO: use raw bytes for the dp rather than the hex strings in libtomcrypt's ecc.c - #ifdef DROPBEAR_ECC_256 const struct dropbear_ecc_curve ecc_curve_nistp256 = { .dp = <c_ecc_sets[0], - .hash_desc = &sha256_desc, + .hashdesc = &sha256_desc, .name = "nistp256" }; #endif #ifdef DROPBEAR_ECC_384 const struct dropbear_ecc_curve ecc_curve_nistp384 = { .dp = <c_ecc_sets[1], - .hash_desc = &sha384_desc, + .hashdesc = &sha384_desc, .name = "nistp384" }; #endif #ifdef DROPBEAR_ECC_521 const struct dropbear_ecc_curve ecc_curve_nistp521 = { .dp = <c_ecc_sets[2], - .hash_desc = &sha512_desc, + .hashdesc = &sha512_desc, .name = "nistp521" }; #endif diff --git a/ecc.h b/ecc.h index 9457ebe..35775d8 100644 --- a/ecc.h +++ b/ecc.h @@ -10,7 +10,7 @@ struct dropbear_ecc_curve { const ltc_ecc_set_type *dp; // curve domain parameters - const struct ltc_hash_descriptor *hash_desc; + const struct ltc_hash_descriptor *hashdesc; const char *name; }; diff --git a/ecdsa.c b/ecdsa.c new file mode 100644 index 0000000..b29ef1f --- /dev/null +++ b/ecdsa.c @@ -0,0 +1,53 @@ +#include "includes.h" +#include "dbutil.h" +#include "crypto_desc.h" + +#ifdef DROPBEAR_ECDSA + +ecc_key *gen_ecdsa_priv_key(unsigned int bit_size) { + const ltc_ecc_set_type *dp = NULL; // curve domain parameters + // TODO: use raw bytes for the dp rather than the hex strings in libtomcrypt's ecc.c + switch (bit_size) { +#ifdef DROPBEAR_ECC_256 + case 256: + dp = <c_ecc_sets[0]; + break; +#endif +#ifdef DROPBEAR_ECC_384 + case 384: + dp = <c_ecc_sets[0]; + break; +#endif +#ifdef DROPBEAR_ECC_521 + case 521: + dp = <c_ecc_sets[0]; + break; +#endif + } + if (!dp) { + dropbear_exit("Key size %d isn't valid. Try " +#ifdef DROPBEAR_ECC_256 + "256 " +#endif +#ifdef DROPBEAR_ECC_384 + "384 " +#endif +#ifdef DROPBEAR_ECC_521 + "521 " +#endif + , bit_size); + } + + ecc_key *new_key = m_malloc(sizeof(*new_key)); + if (ecc_make_key_ex(NULL, dropbear_ltc_prng, new_key, dp) != CRYPT_OK) { + dropbear_exit("ECC error"); + } + return new_key; +} + +int buf_get_ecdsa_pub_key(buffer* buf, ecc_key *key) { + +} + + +#endif // DROPBEAR_ECDSA diff --git a/ecdsa.h b/ecdsa.h new file mode 100644 index 0000000..e69de29 diff --git a/options.h b/options.h index 4f0dc12..2547c99 100644 --- a/options.h +++ b/options.h @@ -137,6 +137,7 @@ much traffic. */ #define DROPBEAR_DSS #define DROPBEAR_ECDH +#define DROPBEAR_ECDSA /* RSA can be vulnerable to timing attacks which use the time required for * signing to guess the private key. Blinding avoids this attack, though makes diff --git a/signkey.h b/signkey.h index e4dd7ce..316ca49 100644 --- a/signkey.h +++ b/signkey.h @@ -51,6 +51,9 @@ struct SIGN_key { #ifdef DROPBEAR_RSA dropbear_rsa_key * rsakey; #endif +#ifdef DROPBEAR_ECDSA + ecc_key *ecckey; +#endif }; typedef struct SIGN_key sign_key; diff --git a/svr-session.c b/svr-session.c index cf82289..b3b8d5e 100644 --- a/svr-session.c +++ b/svr-session.c @@ -39,6 +39,7 @@ #include "service.h" #include "auth.h" #include "runopts.h" +#include "crypto_desc.h" static void svr_remoteclosed(); diff --git a/sysoptions.h b/sysoptions.h index a6b1364..af3efe4 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -60,10 +60,13 @@ #define DROPBEAR_SUCCESS 0 #define DROPBEAR_FAILURE -1 -#define DROPBEAR_SIGNKEY_ANY 0 -#define DROPBEAR_SIGNKEY_RSA 1 -#define DROPBEAR_SIGNKEY_DSS 2 -#define DROPBEAR_SIGNKEY_NONE 3 +enum { + DROPBEAR_SIGNKEY_ANY, + DROPBEAR_SIGNKEY_RSA, + DROPBEAR_SIGNKEY_DSS, + DROPBEAR_SIGNKEY_ECDSA, + DROPBEAR_SIGNKEY_NONE, +}; /* Required for pubkey auth */ #if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT) -- cgit v1.2.1 From 6efaae829993371789dd8bb851f9043319553d9a Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Tue, 9 Apr 2013 22:44:19 +0800 Subject: Be safer with how we handle ltc_ecc_sets[] (particularly with system libtomcrypt) A bit of progress with ecdsa code --- crypto_desc.c | 2 ++ debug.h | 4 ++-- ecc.c | 46 ++++++++++++++++++++++++++++++++++++++-------- ecc.h | 10 +++++++--- ecdsa.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++---- 5 files changed, 100 insertions(+), 17 deletions(-) diff --git a/crypto_desc.c b/crypto_desc.c index 403e085..ed4de30 100644 --- a/crypto_desc.c +++ b/crypto_desc.c @@ -2,6 +2,7 @@ #include "dbutil.h" #include "crypto_desc.h" #include "ltc_prng.h" +#include "ecc.h" #ifdef DROPBEAR_LTC_PRNG int dropbear_ltc_prng = -1; @@ -68,6 +69,7 @@ void crypto_init() { #ifdef DROPBEAR_ECC ltc_mp = ltm_desc; + dropbear_ecc_fill_dp(); #endif } diff --git a/debug.h b/debug.h index 02c100f..200c004 100644 --- a/debug.h +++ b/debug.h @@ -39,7 +39,7 @@ * Caution: Don't use this in an unfriendly environment (ie unfirewalled), * since the printing may not sanitise strings etc. This will add a reasonable * amount to your executable size. */ -#define DEBUG_TRACE +/*#define DEBUG_TRACE*/ /* All functions writing to the cleartext payload buffer call * CHECKCLEARTOWRITE() before writing. This is only really useful if you're @@ -69,7 +69,7 @@ /* To debug with GDB it is easier to run with no forking of child processes. You will need to pass "-F" as well. */ -#define DEBUG_NOFORK +/*#define DEBUG_NOFORK*/ /* For testing as non-root on shadowed systems, include the crypt of a password diff --git a/ecc.c b/ecc.c index 10ae322..9e013bf 100644 --- a/ecc.c +++ b/ecc.c @@ -6,30 +6,60 @@ #ifdef DROPBEAR_ECC -// TODO: use raw bytes for the dp rather than the hex strings in libtomcrypt's ecc.c +// .dp members are filled out by dropbear_ecc_fill_dp() at startup #ifdef DROPBEAR_ECC_256 -const struct dropbear_ecc_curve ecc_curve_nistp256 = { - .dp = <c_ecc_sets[0], +struct dropbear_ecc_curve ecc_curve_nistp256 = { + .ltc_size = 32, .hashdesc = &sha256_desc, .name = "nistp256" }; #endif #ifdef DROPBEAR_ECC_384 -const struct dropbear_ecc_curve ecc_curve_nistp384 = { - .dp = <c_ecc_sets[1], +struct dropbear_ecc_curve ecc_curve_nistp384 = { + .ltc_size = 48, .hashdesc = &sha384_desc, .name = "nistp384" }; #endif #ifdef DROPBEAR_ECC_521 -const struct dropbear_ecc_curve ecc_curve_nistp521 = { - .dp = <c_ecc_sets[2], +struct dropbear_ecc_curve ecc_curve_nistp521 = { + .ltc_size = 66, .hashdesc = &sha512_desc, .name = "nistp521" }; #endif -static ecc_key * new_ecc_key(void) { +struct dropbear_ecc_curve *dropbear_ecc_curves[] = { +#ifdef DROPBEAR_ECC_256 + &ecc_curve_nistp256, +#endif +#ifdef DROPBEAR_ECC_384 + &ecc_curve_nistp384, +#endif +#ifdef DROPBEAR_ECC_521 + &ecc_curve_nistp521, +#endif + NULL +}; + +void dropbear_ecc_fill_dp() { + struct dropbear_ecc_curve **curve; + // libtomcrypt guarantees they're ordered by size + const ltc_ecc_set_type *dp = ltc_ecc_sets; + for (curve = dropbear_ecc_curves; *curve; curve++) { + for (;dp->size > 0; dp++) { + if (dp->size == (*curve)->ltc_size) { + (*curve)->dp = dp; + break; + } + } + if (!(*curve)->dp) { + dropbear_exit("Missing ECC params %s", (*curve)->name); + } + } +} + +ecc_key * new_ecc_key(void) { ecc_key *key = m_malloc(sizeof(*key)); key->pubkey.x = m_malloc(sizeof(mp_int)); key->pubkey.y = m_malloc(sizeof(mp_int)); diff --git a/ecc.h b/ecc.h index 35775d8..7791a70 100644 --- a/ecc.h +++ b/ecc.h @@ -9,14 +9,18 @@ #ifdef DROPBEAR_ECC struct dropbear_ecc_curve { + int ltc_size; // to match the byte sizes in ltc_ecc_sets[] const ltc_ecc_set_type *dp; // curve domain parameters const struct ltc_hash_descriptor *hashdesc; const char *name; }; -extern const struct dropbear_ecc_curve ecc_curve_nistp256; -extern const struct dropbear_ecc_curve ecc_curve_nistp384; -extern const struct dropbear_ecc_curve ecc_curve_nistp521; +extern struct dropbear_ecc_curve ecc_curve_nistp256; +extern struct dropbear_ecc_curve ecc_curve_nistp384; +extern struct dropbear_ecc_curve ecc_curve_nistp521; +extern struct dropbear_ecc_curve *dropbear_ecc_curves[]; + +void dropbear_ecc_fill_dp(); // "pubkey" refers to a point, but LTC uses ecc_key structure for both public // and private keys diff --git a/ecdsa.c b/ecdsa.c index b29ef1f..9784c97 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -1,6 +1,7 @@ #include "includes.h" #include "dbutil.h" #include "crypto_desc.h" +#include "ecc.h" #ifdef DROPBEAR_ECDSA @@ -10,17 +11,17 @@ ecc_key *gen_ecdsa_priv_key(unsigned int bit_size) { switch (bit_size) { #ifdef DROPBEAR_ECC_256 case 256: - dp = <c_ecc_sets[0]; + dp = ecc_curve_nistp256.dp; break; #endif #ifdef DROPBEAR_ECC_384 case 384: - dp = <c_ecc_sets[0]; + dp = ecc_curve_nistp384.dp; break; #endif #ifdef DROPBEAR_ECC_521 case 521: - dp = <c_ecc_sets[0]; + dp = ecc_curve_nistp521.dp; break; #endif } @@ -45,8 +46,54 @@ ecc_key *gen_ecdsa_priv_key(unsigned int bit_size) { return new_key; } -int buf_get_ecdsa_pub_key(buffer* buf, ecc_key *key) { +ecc_key *buf_get_ecdsa_pub_key(buffer* buf) { + unsigned char *key_ident = NULL, *identifier = NULL; + unsigned int key_ident_len, identifier_len; + buffer *q_buf = NULL; + struct dropbear_ecc_curve **curve; + ecc_key *new_key = NULL; + // string "ecdsa-sha2-[identifier]" + key_ident = buf_getstring(buf, &key_ident_len); + // string "ecdsa-sha2-[identifier]" + identifier = buf_getstring(buf, &identifier_len); + + if (key_ident_len != identifier_len + strlen("ecdsa-sha2-")) { + TRACE(("Bad identifier lengths")) + goto out; + } + if (memcmp(&key_ident[strlen("ecdsa-sha2-")], identifier, identifier_len) != 0) { + TRACE(("mismatching identifiers")) + goto out; + } + + for (curve = dropbear_ecc_curves; *curve; curve++) { + if (memcmp(identifier, (*curve)->name, strlen((*curve)->name)) == 0) { + break; + } + } + if (!*curve) { + TRACE(("couldn't match ecc curve")) + goto out; + } + + // string Q + q_buf = buf_getstringbuf(buf); + new_key = buf_get_ecc_raw_pubkey(q_buf, *curve); + +out: + if (key_ident) { + m_free(key_ident); + } + if (identifier) { + m_free(identifier); + } + if (q_buf) { + buf_free(q_buf); + q_buf = NULL; + } + TRACE(("leave buf_get_ecdsa_pub_key")) + return new_key; } -- cgit v1.2.1 From c5bc294d96f5f736d7664fad38ac5ddd242242f3 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Tue, 9 Apr 2013 22:47:03 +0800 Subject: A bit of debugging output --- ecc.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/ecc.c b/ecc.c index 9e013bf..d67d3b2 100644 --- a/ecc.c +++ b/ecc.c @@ -142,14 +142,18 @@ ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *c ecc_key *key = NULL; int ret = DROPBEAR_FAILURE; const unsigned int size = curve->dp->size; + unsigned char first; + + TRACE(("enter buf_get_ecc_raw_pubkey")) + buf_setpos(buf, 0); - unsigned int len = buf->len; - unsigned char first = buf_getbyte(buf); + first = buf_getbyte(buf); if (first == 2 || first == 3) { dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression"); return NULL; } - if (first != 4 || len != 1+2*size) { + if (first != 4 || buf->len != 1+2*size) { + TRACE(("leave, wrong size")) return NULL; } @@ -157,11 +161,13 @@ ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *c key->dp = curve->dp; if (mp_read_unsigned_bin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) { + TRACE(("failed to read x")) goto out; } buf_incrpos(buf, size); if (mp_read_unsigned_bin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) { + TRACE(("failed to read y")) goto out; } buf_incrpos(buf, size); @@ -169,14 +175,17 @@ ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *c mp_set(key->pubkey.z, 1); if (ecc_is_point(key) != CRYPT_OK) { + TRACE(("failed, not a point")) goto out; } // SEC1 3.2.3.1 Check that Q != 0 if (mp_cmp_d(key->pubkey.x, 0) == LTC_MP_EQ) { + TRACE(("failed, x == 0")) goto out; } if (mp_cmp_d(key->pubkey.y, 0) == LTC_MP_EQ) { + TRACE(("failed, y == 0")) goto out; } -- cgit v1.2.1 From 45149ad7965fbcb3e3774b62c9f2574fd0129af6 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sun, 14 Apr 2013 00:50:03 +0800 Subject: A bit of work on ecdsa for host/auth keys --- algo.h | 6 +- common-kex.c | 50 ++--- ecc.c | 17 +- ecc.h | 5 +- ecdsa.c | 320 +++++++++++++++++++++++++++++- ecdsa.h | 16 ++ keyimport.c | 4 +- libtomcrypt/src/headers/tomcrypt_custom.h | 2 + signkey.c | 7 - 9 files changed, 379 insertions(+), 48 deletions(-) diff --git a/algo.h b/algo.h index 4be7cf3..8c41eac 100644 --- a/algo.h +++ b/algo.h @@ -74,8 +74,10 @@ struct dropbear_cipher_mode { }; struct dropbear_hash { - const struct ltc_hash_descriptor *hashdesc; + const struct ltc_hash_descriptor *hash_desc; const unsigned long keysize; + // hashsize may be truncated from the size returned by hash_desc, + // eg sha1-96 const unsigned char hashsize; }; @@ -90,7 +92,7 @@ struct dropbear_kex { #endif // both - const struct ltc_hash_descriptor *hashdesc; + const struct ltc_hash_descriptor *hash_desc; }; int have_algo(char* algo, size_t algolen, algo_type algos[]); diff --git a/common-kex.c b/common-kex.c index c68b227..8e1b6e0 100644 --- a/common-kex.c +++ b/common-kex.c @@ -255,25 +255,25 @@ static void kexinitialise() { static void hashkeys(unsigned char *out, unsigned int outlen, const hash_state * hs, const unsigned char X) { - const struct ltc_hash_descriptor *hashdesc = ses.newkeys->algo_kex->hashdesc; + const struct ltc_hash_descriptor *hash_desc = ses.newkeys->algo_kex->hash_desc; hash_state hs2; unsigned int offset; - unsigned char tmpout[hashdesc->hashsize]; + unsigned char tmpout[hash_desc->hashsize]; memcpy(&hs2, hs, sizeof(hash_state)); - hashdesc->process(&hs2, &X, 1); - hashdesc->process(&hs2, ses.session_id->data, ses.session_id->len); - hashdesc->done(&hs2, tmpout); - memcpy(out, tmpout, MIN(hashdesc->hashsize, outlen)); - for (offset = hashdesc->hashsize; + hash_desc->process(&hs2, &X, 1); + hash_desc->process(&hs2, ses.session_id->data, ses.session_id->len); + hash_desc->done(&hs2, tmpout); + memcpy(out, tmpout, MIN(hash_desc->hashsize, outlen)); + for (offset = hash_desc->hashsize; offset < outlen; - offset += hashdesc->hashsize) + offset += hash_desc->hashsize) { /* need to extend */ memcpy(&hs2, hs, sizeof(hash_state)); - hashdesc->process(&hs2, out, offset); - hashdesc->done(&hs2, tmpout); - memcpy(&out[offset], tmpout, MIN(outlen - offset, hashdesc->hashsize)); + hash_desc->process(&hs2, out, offset); + hash_desc->done(&hs2, tmpout); + memcpy(&out[offset], tmpout, MIN(outlen - offset, hash_desc->hashsize)); } } @@ -295,17 +295,17 @@ void gen_new_keys() { unsigned char *trans_IV, *trans_key, *recv_IV, *recv_key; hash_state hs; - const struct ltc_hash_descriptor *hashdesc = ses.newkeys->algo_kex->hashdesc; + const struct ltc_hash_descriptor *hash_desc = ses.newkeys->algo_kex->hash_desc; char mactransletter, macrecvletter; /* Client or server specific */ TRACE(("enter gen_new_keys")) /* the dh_K and hash are the start of all hashes, we make use of that */ - hashdesc->init(&hs); - hash_process_mp(hashdesc, &hs, ses.dh_K); + hash_desc->init(&hs); + hash_process_mp(hash_desc, &hs, ses.dh_K); mp_clear(ses.dh_K); m_free(ses.dh_K); - hashdesc->process(&hs, ses.hash->data, ses.hash->len); + hash_desc->process(&hs, ses.hash->data, ses.hash->len); buf_burn(ses.hash); buf_free(ses.hash); ses.hash = NULL; @@ -355,16 +355,16 @@ void gen_new_keys() { } } - if (ses.newkeys->trans.algo_mac->hashdesc != NULL) { + if (ses.newkeys->trans.algo_mac->hash_desc != NULL) { hashkeys(ses.newkeys->trans.mackey, ses.newkeys->trans.algo_mac->keysize, &hs, mactransletter); - ses.newkeys->trans.hash_index = find_hash(ses.newkeys->trans.algo_mac->hashdesc->name); + ses.newkeys->trans.hash_index = find_hash(ses.newkeys->trans.algo_mac->hash_desc->name); } - if (ses.newkeys->recv.algo_mac->hashdesc != NULL) { + if (ses.newkeys->recv.algo_mac->hash_desc != NULL) { hashkeys(ses.newkeys->recv.mackey, ses.newkeys->recv.algo_mac->keysize, &hs, macrecvletter); - ses.newkeys->recv.hash_index = find_hash(ses.newkeys->recv.algo_mac->hashdesc->name); + ses.newkeys->recv.hash_index = find_hash(ses.newkeys->recv.algo_mac->hash_desc->name); } #ifndef DISABLE_ZLIB @@ -694,15 +694,15 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, static void finish_kexhashbuf(void) { hash_state hs; - const struct ltc_hash_descriptor *hashdesc = ses.newkeys->algo_kex->hashdesc; + const struct ltc_hash_descriptor *hash_desc = ses.newkeys->algo_kex->hash_desc; - hashdesc->init(&hs); + hash_desc->init(&hs); buf_setpos(ses.kexhashbuf, 0); - hashdesc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), + hash_desc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), ses.kexhashbuf->len); - ses.hash = buf_new(hashdesc->hashsize); - hashdesc->done(&hs, buf_getwriteptr(ses.hash, hashdesc->hashsize)); - buf_setlen(ses.hash, hashdesc->hashsize); + ses.hash = buf_new(hash_desc->hashsize); + hash_desc->done(&hs, buf_getwriteptr(ses.hash, hash_desc->hashsize)); + buf_setlen(ses.hash, hash_desc->hashsize); buf_burn(ses.kexhashbuf); buf_free(ses.kexhashbuf); diff --git a/ecc.c b/ecc.c index d67d3b2..03f8864 100644 --- a/ecc.c +++ b/ecc.c @@ -10,21 +10,21 @@ #ifdef DROPBEAR_ECC_256 struct dropbear_ecc_curve ecc_curve_nistp256 = { .ltc_size = 32, - .hashdesc = &sha256_desc, + .hash_desc = &sha256_desc, .name = "nistp256" }; #endif #ifdef DROPBEAR_ECC_384 struct dropbear_ecc_curve ecc_curve_nistp384 = { .ltc_size = 48, - .hashdesc = &sha384_desc, + .hash_desc = &sha384_desc, .name = "nistp384" }; #endif #ifdef DROPBEAR_ECC_521 struct dropbear_ecc_curve ecc_curve_nistp521 = { .ltc_size = 66, - .hashdesc = &sha512_desc, + .hash_desc = &sha512_desc, .name = "nistp521" }; #endif @@ -59,6 +59,17 @@ void dropbear_ecc_fill_dp() { } } +struct dropbear_ecc_curve* curve_for_dp(const ltc_ecc_set_type *dp) { + struct dropbear_ecc_curve **curve = NULL; + for (curve = dropbear_ecc_curves; *curve; curve++) { + if ((*curve)->dp == dp) { + break; + } + } + assert(*curve); + return *curve; +} + ecc_key * new_ecc_key(void) { ecc_key *key = m_malloc(sizeof(*key)); key->pubkey.x = m_malloc(sizeof(mp_int)); diff --git a/ecc.h b/ecc.h index 7791a70..9744de2 100644 --- a/ecc.h +++ b/ecc.h @@ -11,8 +11,8 @@ struct dropbear_ecc_curve { int ltc_size; // to match the byte sizes in ltc_ecc_sets[] const ltc_ecc_set_type *dp; // curve domain parameters - const struct ltc_hash_descriptor *hashdesc; - const char *name; + const struct ltc_hash_descriptor *hash_desc; + const unsigned char *name; }; extern struct dropbear_ecc_curve ecc_curve_nistp256; @@ -21,6 +21,7 @@ extern struct dropbear_ecc_curve ecc_curve_nistp521; extern struct dropbear_ecc_curve *dropbear_ecc_curves[]; void dropbear_ecc_fill_dp(); +struct dropbear_ecc_curve* curve_for_dp(const ltc_ecc_set_type *dp); // "pubkey" refers to a point, but LTC uses ecc_key structure for both public // and private keys diff --git a/ecdsa.c b/ecdsa.c index 9784c97..2f92b12 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -2,6 +2,7 @@ #include "dbutil.h" #include "crypto_desc.h" #include "ecc.h" +#include "ecdsa.h" #ifdef DROPBEAR_ECDSA @@ -55,7 +56,7 @@ ecc_key *buf_get_ecdsa_pub_key(buffer* buf) { // string "ecdsa-sha2-[identifier]" key_ident = buf_getstring(buf, &key_ident_len); - // string "ecdsa-sha2-[identifier]" + // string "[identifier]" identifier = buf_getstring(buf, &identifier_len); if (key_ident_len != identifier_len + strlen("ecdsa-sha2-")) { @@ -68,7 +69,7 @@ ecc_key *buf_get_ecdsa_pub_key(buffer* buf) { } for (curve = dropbear_ecc_curves; *curve; curve++) { - if (memcmp(identifier, (*curve)->name, strlen((*curve)->name)) == 0) { + if (memcmp(identifier, (char*)(*curve)->name, strlen((char*)(*curve)->name)) == 0) { break; } } @@ -82,12 +83,8 @@ ecc_key *buf_get_ecdsa_pub_key(buffer* buf) { new_key = buf_get_ecc_raw_pubkey(q_buf, *curve); out: - if (key_ident) { - m_free(key_ident); - } - if (identifier) { - m_free(identifier); - } + m_free(key_ident); + m_free(identifier); if (q_buf) { buf_free(q_buf); q_buf = NULL; @@ -96,5 +93,312 @@ out: return new_key; } +ecc_key *buf_get_ecdsa_priv_key(buffer *buf) { + ecc_key *new_key = NULL; + TRACE(("enter buf_get_ecdsa_priv_key")) + new_key = buf_get_ecdsa_pub_key(buf); + if (!new_key) { + return NULL; + } + + if (buf_getmpint(buf, new_key->k) != DROPBEAR_SUCCESS) { + ecc_free(new_key); + return NULL; + } + + return new_key; +} + +void buf_put_ecdsa_pub_key(buffer *buf, ecc_key *key) { + struct dropbear_ecc_curve *curve = NULL; + unsigned char key_ident[30]; + + curve = curve_for_dp(key->dp); + snprintf((char*)key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name); + buf_putstring(buf, key_ident, strlen(key_ident)); + buf_putstring(buf, curve->name, strlen(curve->name)); + buf_put_ecc_raw_pubkey_string(buf, key); +} + +void buf_put_ecdsa_priv_key(buffer *buf, ecc_key *key) { + buf_put_ecdsa_pub_key(buf, key); + buf_putmpint(buf, key->k); +} + +void buf_put_ecdsa_sign(buffer *buf, ecc_key *key, buffer *data_buf) { + /* Based on libtomcrypt's ecc_sign_hash but without the asn1 */ + int err = DROPBEAR_FAILURE; + struct dropbear_ecc_curve *curve = NULL; + hash_state hs; + unsigned char hash[64]; + void *e = NULL, *p = NULL, *s = NULL, *r; + unsigned char key_ident[30]; + buffer *sigbuf = NULL; + + TRACE(("buf_put_ecdsa_sign")) + curve = curve_for_dp(key->dp); + + if (ltc_init_multi(&r, &s, &p, &e, NULL) != CRYPT_OK) { + goto out; + } + + curve->hash_desc->init(&hs); + curve->hash_desc->process(&hs, data_buf->data, data_buf->len); + curve->hash_desc->done(&hs, hash); + + if (ltc_mp.unsigned_read(e, hash, curve->hash_desc->hashsize) != CRYPT_OK) { + goto out; + } + + if (ltc_mp.read_radix(p, (char *)key->dp->order, 16) != CRYPT_OK) { + goto out; + } + + for (;;) { + ecc_key R_key; // ephemeral key + if (ecc_make_key_ex(NULL, dropbear_ltc_prng, &R_key, key->dp) != CRYPT_OK) { + goto out; + } + if (ltc_mp.mpdiv(R_key.pubkey.x, p, NULL, r) != CRYPT_OK) { + goto out; + } + if (ltc_mp.compare_d(r, 0) == LTC_MP_EQ) { + // try again + ecc_free(&R_key); + continue; + } + /* k = 1/k */ + if (ltc_mp.invmod(R_key.k, p, R_key.k) != CRYPT_OK) { + goto out; + } + /* s = xr */ + if (ltc_mp.mulmod(key->k, r, p, s) != CRYPT_OK) { + goto out; + } + /* s = e + xr */ + if (ltc_mp.add(e, s, s) != CRYPT_OK) { + goto out; + } + if (ltc_mp.mpdiv(s, p, NULL, s) != CRYPT_OK) { + goto out; + } + /* s = (e + xr)/k */ + if (ltc_mp.mulmod(s, R_key.k, p, s) != CRYPT_OK) { + goto out; + } + ecc_free(&R_key); + + if (ltc_mp.compare_d(s, 0) != LTC_MP_EQ) { + break; + } + } + + snprintf((char*)key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name); + buf_putstring(buf, key_ident, strlen(key_ident)); + // enough for nistp521 + sigbuf = buf_new(200); + buf_putmpint(sigbuf, (mp_int*)r); + buf_putmpint(sigbuf, (mp_int*)s); + buf_putbufstring(buf, sigbuf); + + err = DROPBEAR_SUCCESS; + +out: + if (r && s && p && e) { + ltc_deinit_multi(r, s, p, e, NULL); + } + + if (sigbuf) { + buf_free(sigbuf); + } + + if (err == DROPBEAR_FAILURE) { + dropbear_exit("ECC error"); + } +} + +// returns values in s and r +// returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE +static int buf_get_ecdsa_verify_params(buffer *buf, struct dropbear_ecc_curve *curve, + void *r, void* s) { + int ret = DROPBEAR_FAILURE; + unsigned char* ident = NULL; + unsigned int ident_len; + unsigned int sig_len; + unsigned int sig_pos; + unsigned char key_ident[30]; + + ident = buf_getstring(buf, &ident_len); + snprintf((char*)key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name); + if (strlen((char*)key_ident) != ident_len) { + goto out; + } + if (memcmp(key_ident, ident, ident_len) != 0) { + goto out; + } + sig_len = buf_getint(buf); + sig_pos = buf->pos; + if (buf_getmpint(buf, r) != DROPBEAR_SUCCESS) { + goto out; + } + if (buf_getmpint(buf, s) != DROPBEAR_SUCCESS) { + goto out; + } + if (buf->pos - sig_pos != sig_len) { + goto out; + } + ret = DROPBEAR_SUCCESS; + +out: + m_free(ident); + return ret; +} + + +int buf_ecdsa_verify(buffer *buf, ecc_key *key, buffer *data_buf) { + /* Based on libtomcrypt's ecc_verify_hash but without the asn1 */ + int ret = DROPBEAR_FAILURE; + hash_state hs; + struct dropbear_ecc_curve *curve = NULL; + unsigned char hash[64]; + ecc_point *mG = NULL, *mQ = NULL; + void *r = NULL, *s = NULL, *v = NULL, *w = NULL, *u1 = NULL, *u2 = NULL, + *e = NULL, *p = NULL, *m = NULL; + void *mp = NULL; + + /* verify + * + * w = s^-1 mod n + * u1 = xw + * u2 = rw + * X = u1*G + u2*Q + * v = X_x1 mod n + * accept if v == r + */ + + TRACE(("buf_ecdsa_verify")) + curve = curve_for_dp(key->dp); + + mG = ltc_ecc_new_point(); + mQ = ltc_ecc_new_point(); + if (ltc_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL) != CRYPT_OK + || !mG + || !mQ) { + dropbear_exit("ECC error"); + } + + if (buf_get_ecdsa_verify_params(buf, curve, r, s) != DROPBEAR_SUCCESS) { + goto out; + } + + curve->hash_desc->init(&hs); + curve->hash_desc->process(&hs, data_buf->data, data_buf->len); + curve->hash_desc->done(&hs, hash); + + if (ltc_mp.unsigned_read(e, hash, curve->hash_desc->hashsize) != CRYPT_OK) { + goto out; + } + + /* get the order */ + if (ltc_mp.read_radix(p, (char *)key->dp->order, 16) != CRYPT_OK) { + goto out; + } + + /* get the modulus */ + if (ltc_mp.read_radix(m, (char *)key->dp->prime, 16) != CRYPT_OK) { + goto out; + } + + /* check for zero */ + if (ltc_mp.compare_d(r, 0) == LTC_MP_EQ + || ltc_mp.compare_d(s, 0) == LTC_MP_EQ + || ltc_mp.compare(r, p) != LTC_MP_LT + || ltc_mp.compare(s, p) != LTC_MP_LT) { + goto out; + } + + /* w = s^-1 mod n */ + if (ltc_mp.invmod(s, p, w) != CRYPT_OK) { + goto out; + } + + /* u1 = ew */ + if (ltc_mp.mulmod(e, w, p, u1) != CRYPT_OK) { + goto out; + } + + /* u2 = rw */ + if (ltc_mp.mulmod(r, w, p, u2) != CRYPT_OK) { + goto out; + } + + /* find mG and mQ */ + if (ltc_mp.read_radix(mG->x, (char *)key->dp->Gx, 16) != CRYPT_OK) { + goto out; + } + if (ltc_mp.read_radix(mG->y, (char *)key->dp->Gy, 16) != CRYPT_OK) { + goto out; + } + if (ltc_mp.set_int(mG->z, 1) != CRYPT_OK) { + goto out; + } + + if (ltc_mp.copy(key->pubkey.x, mQ->x) != CRYPT_OK + || ltc_mp.copy(key->pubkey.y, mQ->y) != CRYPT_OK + || ltc_mp.copy(key->pubkey.z, mQ->z) != CRYPT_OK) { + goto out; + } + + /* compute u1*mG + u2*mQ = mG */ + if (ltc_mp.ecc_mul2add == NULL) { + if (ltc_mp.ecc_ptmul(u1, mG, mG, m, 0) != CRYPT_OK) { + goto out; + } + if (ltc_mp.ecc_ptmul(u2, mQ, mQ, m, 0) != CRYPT_OK) { + goto out; + } + + /* find the montgomery mp */ + if (ltc_mp.montgomery_setup(m, &mp) != CRYPT_OK) { + goto out; + } + + /* add them */ + if (ltc_mp.ecc_ptadd(mQ, mG, mG, m, mp) != CRYPT_OK) { + goto out; + } + + /* reduce */ + if (ltc_mp.ecc_map(mG, m, mp) != CRYPT_OK) { + goto out; + } + } else { + /* use Shamir's trick to compute u1*mG + u2*mQ using half of the doubles */ + if (ltc_mp.ecc_mul2add(mG, u1, mQ, u2, mG, m) != CRYPT_OK) { + goto out; + } + } + + /* v = X_x1 mod n */ + if (ltc_mp.mpdiv(mG->x, p, NULL, v) != CRYPT_OK) { + goto out; + } + + /* does v == r */ + if (ltc_mp.compare(v, r) == LTC_MP_EQ) { + ret = DROPBEAR_SUCCESS; + } + +out: + ltc_ecc_del_point(mG); + ltc_ecc_del_point(mQ); + mp_clear_multi(r, s, v, w, u1, u2, p, e, m, NULL); + if (mp != NULL) { + ltc_mp.montgomery_deinit(mp); + } + return ret; +} + + #endif // DROPBEAR_ECDSA diff --git a/ecdsa.h b/ecdsa.h index e69de29..592d0c5 100644 --- a/ecdsa.h +++ b/ecdsa.h @@ -0,0 +1,16 @@ +#ifndef _ECDSA_H_ +#define _ECDSA_H_ + +#include "includes.h" +#include "buffer.h" + +ecc_key *gen_ecdsa_priv_key(unsigned int bit_size); +ecc_key *buf_get_ecdsa_pub_key(buffer* buf); +ecc_key *buf_get_ecdsa_priv_key(buffer *buf); +void buf_put_ecdsa_pub_key(buffer *buf, ecc_key *key); +void buf_put_ecdsa_priv_key(buffer *buf, ecc_key *key); + +void buf_put_ecdsa_sign(buffer *buf, ecc_key *key, buffer *data_buf); +int buf_ecdsa_verify(buffer *buf, ecc_key *key, buffer *data_buf); + +#endif // _ECDSA_H_ \ No newline at end of file diff --git a/keyimport.c b/keyimport.c index 76b92f1..e8fded7 100644 --- a/keyimport.c +++ b/keyimport.c @@ -349,7 +349,7 @@ struct mpint_pos { void *start; int bytes; }; * Code to read and write OpenSSH private keys. */ -enum { OSSH_DSA, OSSH_RSA }; +enum { OSSH_DSA, OSSH_RSA, OSSH_EC }; struct openssh_key { int type; int encrypted; @@ -392,6 +392,8 @@ static struct openssh_key *load_openssh_key(const char *filename) ret->type = OSSH_RSA; else if (!strcmp(buffer, "-----BEGIN DSA PRIVATE KEY-----\n")) ret->type = OSSH_DSA; + else if (!strcmp(buffer, "-----BEGIN EC PRIVATE KEY-----\n")) + ret->type = OSSH_EC; else { errmsg = "Unrecognised key type"; goto error; diff --git a/libtomcrypt/src/headers/tomcrypt_custom.h b/libtomcrypt/src/headers/tomcrypt_custom.h index 91a2ccb..cbfaeb3 100644 --- a/libtomcrypt/src/headers/tomcrypt_custom.h +++ b/libtomcrypt/src/headers/tomcrypt_custom.h @@ -138,6 +138,8 @@ #ifdef DROPBEAR_ECC #define MECC +#define LTC_ECC_SHAMIR +#define LTC_ECC_TIMING_RESISTANT #define MPI #define LTM_DESC #ifdef DROPBEAR_ECC_256 diff --git a/signkey.c b/signkey.c index c130adb..ae70337 100644 --- a/signkey.c +++ b/signkey.c @@ -34,13 +34,6 @@ sign_key * new_sign_key() { sign_key * ret; ret = (sign_key*)m_malloc(sizeof(sign_key)); -#ifdef DROPBEAR_DSS - ret->dsskey = NULL; -#endif -#ifdef DROPBEAR_RSA - ret->rsakey = NULL; -#endif - ret->filename = NULL; ret->type = DROPBEAR_SIGNKEY_NONE; ret->source = SIGNKEY_SOURCE_INVALID; return ret; -- cgit v1.2.1 From 140e57260018dfb014f828e18dff429b2530ef37 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sun, 28 Apr 2013 23:17:43 +0800 Subject: more ecdsa signkey work, not correct --- dropbearkey.c | 72 ++++++++++++++++----------- dss.h | 2 - ecdsa.c | 2 +- ecdsa.h | 10 ++++ gendss.c | 8 +-- genrsa.c | 23 +++++---- signkey.c | 155 +++++++++++++++++++++++++++++++++++++++++----------------- signkey.h | 28 ++++++++++- sysoptions.h | 8 --- 9 files changed, 210 insertions(+), 98 deletions(-) diff --git a/dropbearkey.c b/dropbearkey.c index a9d80fd..fb8461e 100644 --- a/dropbearkey.c +++ b/dropbearkey.c @@ -51,11 +51,13 @@ #include "genrsa.h" #include "gendss.h" +#include "ecdsa.h" +#include "crypto_desc.h" static void printhelp(char * progname); -#define RSA_SIZE (1024/8) /* 1024 bit */ -#define DSS_SIZE (1024/8) /* 1024 bit */ +#define RSA_DEFAULT_SIZE 1024 +#define DSS_DEFAULT_SIZE 1024 static void buf_writefile(buffer * buf, const char * filename); static void printpubkey(sign_key * key, int keytype); @@ -71,10 +73,28 @@ static void printhelp(char * progname) { #endif #ifdef DROPBEAR_DSS " dss\n" +#endif +#ifdef DROPBEAR_ECDSA + " ecdsa\n" #endif "-f filename Use filename for the secret key\n" "-s bits Key size in bits, should be a multiple of 8 (optional)\n" - " (DSS has a fixed size of 1024 bits)\n" +#ifdef DROPBEAR_DSS + " DSS has a fixed size of 1024 bits\n" +#endif +#ifdef DROPBEAR_ECDSA + " ECDSA has sizes " +#ifdef DROPBEAR_ECC_256 + "256 " +#endif +#ifdef DROPBEAR_ECC_384 + "384 " +#endif +#ifdef DROPBEAR_ECC_521 + "521 " +#endif + "\n" +#endif "-y Just print the publickey and fingerprint for the\n private key in .\n" #ifdef DEBUG_TRACE "-v verbose\n" @@ -94,11 +114,10 @@ int main(int argc, char ** argv) { sign_key *key = NULL; buffer *buf = NULL; char * filename = NULL; - int keytype = -1; + enum signkey_type keytype = DROPBEAR_SIGNKEY_NONE; char * typetext = NULL; char * sizetext = NULL; unsigned int bits; - unsigned int keysize; int printpub = 0; /* get the commandline options */ @@ -162,21 +181,9 @@ int main(int argc, char ** argv) { exit(EXIT_FAILURE); } - if (strlen(typetext) == 3) { -#ifdef DROPBEAR_RSA - if (strncmp(typetext, "rsa", 3) == 0) { - keytype = DROPBEAR_SIGNKEY_RSA; - TRACE(("type is rsa")) - } -#endif -#ifdef DROPBEAR_DSS - if (strncmp(typetext, "dss", 3) == 0) { - keytype = DROPBEAR_SIGNKEY_DSS; - TRACE(("type is dss")) - } -#endif - } - if (keytype == -1) { + keytype = signkey_type_from_name(typetext, strlen(typetext)); + + if (keytype == DROPBEAR_SIGNKEY_NONE) { fprintf(stderr, "Unknown key type '%s'\n", typetext); printhelp(argv[0]); exit(EXIT_FAILURE); @@ -197,25 +204,29 @@ int main(int argc, char ** argv) { " multiple of 8\n"); exit(EXIT_FAILURE); } - - keysize = bits / 8; } else { if (keytype == DROPBEAR_SIGNKEY_DSS) { - keysize = DSS_SIZE; + bits = DSS_DEFAULT_SIZE; } else if (keytype == DROPBEAR_SIGNKEY_RSA) { - keysize = RSA_SIZE; + bits = RSA_DEFAULT_SIZE; + } else if (keytype == DROPBEAR_SIGNKEY_ECDSA_KEYGEN) { + bits = ECDSA_DEFAULT_SIZE; } else { exit(EXIT_FAILURE); /* not reached */ } } - fprintf(stderr, "Will output %d bit %s secret key to '%s'\n", keysize*8, + fprintf(stderr, "Will output %d bit %s secret key to '%s'\n", bits, typetext, filename); /* don't want the file readable by others */ umask(077); + crypto_init(); + seedrandom(); + + /* now we can generate the key */ key = new_sign_key(); @@ -223,12 +234,17 @@ int main(int argc, char ** argv) { switch(keytype) { #ifdef DROPBEAR_RSA case DROPBEAR_SIGNKEY_RSA: - key->rsakey = gen_rsa_priv_key(keysize); /* 128 bytes = 1024 bit */ + key->rsakey = gen_rsa_priv_key(bits); break; #endif #ifdef DROPBEAR_DSS case DROPBEAR_SIGNKEY_DSS: - key->dsskey = gen_dss_priv_key(keysize); /* 128 bytes = 1024 bit */ + key->dsskey = gen_dss_priv_key(bits); + break; +#endif +#ifdef DROPBEAR_ECDSA + case DROPBEAR_SIGNKEY_ECDSA_KEYGEN: + key->ecckey = gen_ecdsa_priv_key(bits); break; #endif default: @@ -320,7 +336,7 @@ static void printpubkey(sign_key * key, int keytype) { fprintf(stderr, "base64 failed"); } - typestring = signkey_name_from_type(keytype, &err); + typestring = signkey_name_from_type(keytype, NULL); fp = sign_key_fingerprint(buf_getptr(buf, len), len); diff --git a/dss.h b/dss.h index 57400ad..f921ae4 100644 --- a/dss.h +++ b/dss.h @@ -30,8 +30,6 @@ #ifdef DROPBEAR_DSS -#define DSS_SIGNATURE_SIZE 4+SSH_SIGNKEY_DSS_LEN+4+2*SHA1_HASH_SIZE - typedef struct { mp_int* p; diff --git a/ecdsa.c b/ecdsa.c index 2f92b12..360f988 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -1,3 +1,4 @@ +#include "options.h" #include "includes.h" #include "dbutil.h" #include "crypto_desc.h" @@ -8,7 +9,6 @@ ecc_key *gen_ecdsa_priv_key(unsigned int bit_size) { const ltc_ecc_set_type *dp = NULL; // curve domain parameters - // TODO: use raw bytes for the dp rather than the hex strings in libtomcrypt's ecc.c switch (bit_size) { #ifdef DROPBEAR_ECC_256 case 256: diff --git a/ecdsa.h b/ecdsa.h index 592d0c5..312b7cf 100644 --- a/ecdsa.h +++ b/ecdsa.h @@ -4,6 +4,16 @@ #include "includes.h" #include "buffer.h" +#ifdef DROPBEAR_ECC_256 +#define ECDSA_DEFAULT_SIZE 256 +#elif DROPBEAR_ECC_384 +#define ECDSA_DEFAULT_SIZE 384 +#elif DROPBEAR_ECC_521 +#define ECDSA_DEFAULT_SIZE 521 +#else +#define ECDSA_DEFAULT_SIZE 0 +#endif + ecc_key *gen_ecdsa_priv_key(unsigned int bit_size); ecc_key *buf_get_ecdsa_pub_key(buffer* buf); ecc_key *buf_get_ecdsa_priv_key(buffer *buf); diff --git a/gendss.c b/gendss.c index 5abb4d8..be8f89f 100644 --- a/gendss.c +++ b/gendss.c @@ -47,6 +47,10 @@ dropbear_dss_key * gen_dss_priv_key(unsigned int size) { dropbear_dss_key *key; + if (size != 1024) { + dropbear_exit("DSS keys have a fixed size of 1024 bits"); + } + key = m_malloc(sizeof(*key)); key->p = (mp_int*)m_malloc(sizeof(mp_int)); @@ -56,10 +60,8 @@ dropbear_dss_key * gen_dss_priv_key(unsigned int size) { key->x = (mp_int*)m_malloc(sizeof(mp_int)); m_mp_init_multi(key->p, key->q, key->g, key->y, key->x, NULL); - seedrandom(); - getq(key); - getp(key, size); + getp(key, size/8); getg(key); getx(key); gety(key); diff --git a/genrsa.c b/genrsa.c index b0867e2..465502b 100644 --- a/genrsa.c +++ b/genrsa.c @@ -34,7 +34,7 @@ #ifdef DROPBEAR_RSA static void getrsaprime(mp_int* prime, mp_int *primeminus, - mp_int* rsa_e, unsigned int size); + mp_int* rsa_e, unsigned int size_bytes); /* mostly taken from libtomcrypt's rsa key generation routine */ dropbear_rsa_key * gen_rsa_priv_key(unsigned int size) { @@ -44,6 +44,11 @@ dropbear_rsa_key * gen_rsa_priv_key(unsigned int size) { DEF_MP_INT(qminus); DEF_MP_INT(lcm); + if (size < 512 || size > 4096 || (size % 8 != 0)) { + dropbear_exit("Bits must satisfy 512 <= bits <= 4096, and be a" + " multiple of 8"); + } + key = m_malloc(sizeof(*key)); key->e = (mp_int*)m_malloc(sizeof(mp_int)); @@ -55,15 +60,13 @@ dropbear_rsa_key * gen_rsa_priv_key(unsigned int size) { m_mp_init_multi(key->e, key->n, key->d, key->p, key->q, &pminus, &lcm, &qminus, NULL); - seedrandom(); - if (mp_set_int(key->e, RSA_E) != MP_OKAY) { fprintf(stderr, "RSA generation failed\n"); exit(1); } - getrsaprime(key->p, &pminus, key->e, size/2); - getrsaprime(key->q, &qminus, key->e, size/2); + getrsaprime(key->p, &pminus, key->e, size/16); + getrsaprime(key->q, &qminus, key->e, size/16); if (mp_mul(key->p, key->q, key->n) != MP_OKAY) { fprintf(stderr, "RSA generation failed\n"); @@ -90,21 +93,21 @@ dropbear_rsa_key * gen_rsa_priv_key(unsigned int size) { /* return a prime suitable for p or q */ static void getrsaprime(mp_int* prime, mp_int *primeminus, - mp_int* rsa_e, unsigned int size) { + mp_int* rsa_e, unsigned int size_bytes) { unsigned char *buf; DEF_MP_INT(temp_gcd); - buf = (unsigned char*)m_malloc(size+1); + buf = (unsigned char*)m_malloc(size_bytes+1); m_mp_init(&temp_gcd); do { /* generate a random odd number with MSB set, then find the the next prime above it */ - genrandom(buf, size+1); + genrandom(buf, size_bytes+1); buf[0] |= 0x80; /* MSB set */ - bytes_to_mp(prime, buf, size+1); + bytes_to_mp(prime, buf, size_bytes+1); /* find the next integer which is prime, 8 round of miller-rabin */ if (mp_prime_next_prime(prime, 8, 0) != MP_OKAY) { @@ -126,7 +129,7 @@ static void getrsaprime(mp_int* prime, mp_int *primeminus, /* now we have a good value for result */ mp_clear(&temp_gcd); - m_burn(buf, size+1); + m_burn(buf, size_bytes+1); m_free(buf); } diff --git a/signkey.c b/signkey.c index ae70337..40b5378 100644 --- a/signkey.c +++ b/signkey.c @@ -27,6 +27,28 @@ #include "signkey.h" #include "buffer.h" #include "ssh.h" +#include "ecdsa.h" + +static const char *signkey_names[DROPBEAR_SIGNKEY_NUM_NAMED] = { +#ifdef DROPBEAR_RSA + "ssh-rsa", +#endif +#ifdef DROPBEAR_DSS + "ssh-dss", +#endif +#ifdef DROPBEAR_ECDSA +#ifdef DROPBEAR_ECC_256 + "ecdsa-sha2-nistp256", +#endif +#ifdef DROPBEAR_ECC_384 + "ecdsa-sha2-nistp384", +#endif +#ifdef DROPBEAR_ECC_521 + "ecdsa-sha2-nistp521", +#endif + "ecdsa" // for keygen +#endif // DROPBEAR_ECDSA +}; /* malloc a new sign_key and set the dss and rsa keys to NULL */ sign_key * new_sign_key() { @@ -39,42 +61,29 @@ sign_key * new_sign_key() { return ret; } -/* Returns "ssh-dss" or "ssh-rsa" corresponding to the type. Exits fatally +/* Returns key name corresponding to the type. Exits fatally * if the type is invalid */ -const char* signkey_name_from_type(int type, int *namelen) { - -#ifdef DROPBEAR_RSA - if (type == DROPBEAR_SIGNKEY_RSA) { - *namelen = SSH_SIGNKEY_RSA_LEN; - return SSH_SIGNKEY_RSA; +const char* signkey_name_from_type(enum signkey_type type, unsigned int *namelen) { + if (type >= DROPBEAR_SIGNKEY_NUM_NAMED) { + dropbear_exit("Bad key type %d", type); } -#endif -#ifdef DROPBEAR_DSS - if (type == DROPBEAR_SIGNKEY_DSS) { - *namelen = SSH_SIGNKEY_DSS_LEN; - return SSH_SIGNKEY_DSS; + + if (namelen) { + *namelen = strlen(signkey_names[type]); } -#endif - dropbear_exit("Bad key type %d", type); - return NULL; /* notreached */ + return signkey_names[type]; } -/* Returns DROPBEAR_SIGNKEY_RSA, DROPBEAR_SIGNKEY_DSS, - * or DROPBEAR_SIGNKEY_NONE */ -int signkey_type_from_name(const char* name, int namelen) { - -#ifdef DROPBEAR_RSA - if (namelen == SSH_SIGNKEY_RSA_LEN - && memcmp(name, SSH_SIGNKEY_RSA, SSH_SIGNKEY_RSA_LEN) == 0) { - return DROPBEAR_SIGNKEY_RSA; - } -#endif -#ifdef DROPBEAR_DSS - if (namelen == SSH_SIGNKEY_DSS_LEN - && memcmp(name, SSH_SIGNKEY_DSS, SSH_SIGNKEY_DSS_LEN) == 0) { - return DROPBEAR_SIGNKEY_DSS; +/* Returns DROPBEAR_SIGNKEY_NONE if none match */ +enum signkey_type signkey_type_from_name(const char* name, unsigned int namelen) { + int i; + for (i = 0; i < DROPBEAR_SIGNKEY_NUM_NAMED; i++) { + const char *fixed_name = signkey_names[i]; + if (namelen == strlen(fixed_name) + && memcmp(fixed_name, name, namelen) == 0) { + return i; + } } -#endif TRACE(("signkey_type_from_name unexpected key type.")) @@ -129,6 +138,19 @@ int buf_get_pub_key(buffer *buf, sign_key *key, int *type) { } } #endif +#ifdef DROPBEAR_ECDSA + if (keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP256 + || keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP384 + || keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + if (key->ecckey) { + ecc_free(key->ecckey); + } + key->ecckey = buf_get_ecdsa_pub_key(buf); + if (key->ecckey) { + ret = DROPBEAR_SUCCESS; + } + } +#endif TRACE(("leave buf_get_pub_key")) @@ -182,6 +204,19 @@ int buf_get_priv_key(buffer *buf, sign_key *key, int *type) { } } #endif +#ifdef DROPBEAR_ECDSA + if (keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP256 + || keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP384 + || keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + if (key->ecckey) { + ecc_free(key->ecckey); + } + key->ecckey = buf_get_ecdsa_priv_key(buf); + if (key->ecckey) { + ret = DROPBEAR_SUCCESS; + } + } +#endif TRACE(("leave buf_get_priv_key")) @@ -206,6 +241,13 @@ void buf_put_pub_key(buffer* buf, sign_key *key, int type) { if (type == DROPBEAR_SIGNKEY_RSA) { buf_put_rsa_pub_key(pubkeys, key->rsakey); } +#endif +#ifdef DROPBEAR_ECDSA + if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256 + || type == DROPBEAR_SIGNKEY_ECDSA_NISTP384 + || type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + buf_put_ecdsa_pub_key(pubkeys, key->ecckey); + } #endif if (pubkeys->len == 0) { dropbear_exit("Bad key types in buf_put_pub_key"); @@ -235,6 +277,14 @@ void buf_put_priv_key(buffer* buf, sign_key *key, int type) { TRACE(("leave buf_put_priv_key: rsa done")) return; } +#endif +#ifdef DROPBEAR_ECDSA + if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256 + || type == DROPBEAR_SIGNKEY_ECDSA_NISTP384 + || type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + buf_put_ecdsa_pub_key(buf, key->ecckey); + return; + } #endif dropbear_exit("Bad key types in put pub key"); } @@ -251,6 +301,12 @@ void sign_key_free(sign_key *key) { rsa_key_free(key->rsakey); key->rsakey = NULL; #endif +#ifdef DROPBEAR_ECDSA + if (key->ecckey) { + ecc_free(key->ecckey); + key->ecckey = NULL; + } +#endif m_free(key->filename); @@ -259,7 +315,6 @@ void sign_key_free(sign_key *key) { } static char hexdig(unsigned char x) { - if (x > 0xf) return 'X'; @@ -323,14 +378,14 @@ static char * sign_key_sha1_fingerprint(unsigned char* keyblob, sha1_done(&hs, hash); - /* "sha1 hexfingerprinthere\0", each hex digit is "AB:" etc */ - buflen = 5 + 3*SHA1_HASH_SIZE; + /* "sha1!! hexfingerprinthere\0", each hex digit is "AB:" etc */ + buflen = 7 + 3*SHA1_HASH_SIZE; ret = (char*)m_malloc(buflen); - strcpy(ret, "sha1 "); + strcpy(ret, "sha1!! "); for (i = 0; i < SHA1_HASH_SIZE; i++) { - unsigned int pos = 5 + 3*i; + unsigned int pos = 7 + 3*i; ret[pos] = hexdig(hash[i] >> 4); ret[pos+1] = hexdig(hash[i] & 0x0f); ret[pos+2] = ':'; @@ -367,6 +422,13 @@ void buf_put_sign(buffer* buf, sign_key *key, int type, if (type == DROPBEAR_SIGNKEY_RSA) { buf_put_rsa_sign(sigblob, key->rsakey, data_buf); } +#endif +#ifdef DROPBEAR_ECDSA + if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256 + || type == DROPBEAR_SIGNKEY_ECDSA_NISTP384 + || type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + buf_put_ecdsa_sign(sigblob, key->ecckey, data_buf); + } #endif if (sigblob->len == 0) { dropbear_exit("Non-matching signing type"); @@ -384,18 +446,18 @@ void buf_put_sign(buffer* buf, sign_key *key, int type, int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) { unsigned int bloblen; - unsigned char * ident = NULL; - unsigned int identlen = 0; + unsigned char * type_name = NULL; + unsigned int type_name_len = 0; TRACE(("enter buf_verify")) bloblen = buf_getint(buf); - ident = buf_getstring(buf, &identlen); + type_name = buf_getstring(buf, &type_name_len); + enum signkey_type type = signkey_type_from_name(type_name, type_name_len); + m_free(type_name); #ifdef DROPBEAR_DSS - if (bloblen == DSS_SIGNATURE_SIZE && - memcmp(ident, SSH_SIGNKEY_DSS, identlen) == 0) { - m_free(ident); + if (type == DROPBEAR_SIGNKEY_DSS) { if (key->dsskey == NULL) { dropbear_exit("No DSS key to verify signature"); } @@ -404,16 +466,21 @@ int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) { #endif #ifdef DROPBEAR_RSA - if (memcmp(ident, SSH_SIGNKEY_RSA, identlen) == 0) { - m_free(ident); + if (type == DROPBEAR_SIGNKEY_RSA) { if (key->rsakey == NULL) { dropbear_exit("No RSA key to verify signature"); } return buf_rsa_verify(buf, key->rsakey, data_buf); } #endif +#ifdef DROPBEAR_ECDSA + if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256 + || type == DROPBEAR_SIGNKEY_ECDSA_NISTP384 + || type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + return buf_ecdsa_verify(buf, key->ecckey, data_buf); + } +#endif - m_free(ident); dropbear_exit("Non-matching signing type"); return DROPBEAR_FAILURE; } diff --git a/signkey.h b/signkey.h index 316ca49..7758d45 100644 --- a/signkey.h +++ b/signkey.h @@ -29,6 +29,30 @@ #include "dss.h" #include "rsa.h" +enum signkey_type { +#ifdef DROPBEAR_RSA + DROPBEAR_SIGNKEY_RSA, +#endif +#ifdef DROPBEAR_DSS + DROPBEAR_SIGNKEY_DSS, +#endif +#ifdef DROPBEAR_ECDSA +#ifdef DROPBEAR_ECC_256 + DROPBEAR_SIGNKEY_ECDSA_NISTP256, +#endif +#ifdef DROPBEAR_ECC_384 + DROPBEAR_SIGNKEY_ECDSA_NISTP384, +#endif +#ifdef DROPBEAR_ECC_521 + DROPBEAR_SIGNKEY_ECDSA_NISTP521, +#endif + DROPBEAR_SIGNKEY_ECDSA_KEYGEN, // just "ecdsa" for keygen +#endif // DROPBEAR_ECDSA + DROPBEAR_SIGNKEY_NUM_NAMED, + DROPBEAR_SIGNKEY_ANY = 80, + DROPBEAR_SIGNKEY_NONE = 90, +}; + /* Sources for signing keys */ typedef enum { @@ -59,8 +83,8 @@ struct SIGN_key { typedef struct SIGN_key sign_key; sign_key * new_sign_key(); -const char* signkey_name_from_type(int type, int *namelen); -int signkey_type_from_name(const char* name, int namelen); +const char* signkey_name_from_type(enum signkey_type type, unsigned int *namelen); +enum signkey_type signkey_type_from_name(const char* name, unsigned int namelen); int buf_get_pub_key(buffer *buf, sign_key *key, int *type); int buf_get_priv_key(buffer* buf, sign_key *key, int *type); void buf_put_pub_key(buffer* buf, sign_key *key, int type); diff --git a/sysoptions.h b/sysoptions.h index af3efe4..0619cf1 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -60,14 +60,6 @@ #define DROPBEAR_SUCCESS 0 #define DROPBEAR_FAILURE -1 -enum { - DROPBEAR_SIGNKEY_ANY, - DROPBEAR_SIGNKEY_RSA, - DROPBEAR_SIGNKEY_DSS, - DROPBEAR_SIGNKEY_ECDSA, - DROPBEAR_SIGNKEY_NONE, -}; - /* Required for pubkey auth */ #if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT) #define DROPBEAR_SIGNKEY_VERIFY -- cgit v1.2.1 From 5123549bfccccaa43871481c300ea4d627dcfbda Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 3 May 2013 23:07:48 +0800 Subject: ecdsa is working --- cli-main.c | 5 ++ cli-session.c | 4 -- common-algo.c | 11 +++++ dropbearkey.c | 9 ++-- ecdsa.c | 20 ++++++++ ecdsa.h | 2 + options.h | 5 +- runopts.h | 7 ++- signkey.c | 51 +++++++++---------- signkey.h | 20 ++++---- svr-main.c | 5 +- svr-runopts.c | 154 +++++++++++++++++++++++++++++++++++++++++----------------- svr-session.c | 1 - sysoptions.h | 2 + 14 files changed, 203 insertions(+), 93 deletions(-) diff --git a/cli-main.c b/cli-main.c index 5f72969..2d4905e 100644 --- a/cli-main.c +++ b/cli-main.c @@ -28,6 +28,8 @@ #include "dbutil.h" #include "runopts.h" #include "session.h" +#include "random.h" +#include "crypto_desc.h" static void cli_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_NORETURN; static void cli_dropbear_log(int priority, const char* format, va_list param); @@ -51,6 +53,9 @@ int main(int argc, char ** argv) { disallow_core(); + seedrandom(); + crypto_init(); + cli_getopts(argc, argv); TRACE(("user='%s' host='%s' port='%s'", cli_opts.username, diff --git a/cli-session.c b/cli-session.c index 2905389..55040af 100644 --- a/cli-session.c +++ b/cli-session.c @@ -85,10 +85,6 @@ static const struct ChanType *cli_chantypes[] = { void cli_session(int sock_in, int sock_out) { - seedrandom(); - - crypto_init(); - common_session_init(sock_in, sock_out); chaninitialise(cli_chantypes); diff --git a/common-algo.c b/common-algo.c index 9915ce6..5d5de01 100644 --- a/common-algo.c +++ b/common-algo.c @@ -207,6 +207,17 @@ algo_type ssh_nocompress[] = { }; algo_type sshhostkey[] = { +#ifdef DROPBEAR_ECDSA +#ifdef DROPBEAR_ECC_256 + {"ecdsa-sha2-nistp256", DROPBEAR_SIGNKEY_ECDSA_NISTP256, NULL, 1, NULL}, +#endif +#ifdef DROPBEAR_ECC_384 + {"ecdsa-sha2-nistp384", DROPBEAR_SIGNKEY_ECDSA_NISTP384, NULL, 1, NULL}, +#endif +#ifdef DROPBEAR_ECC_521 + {"ecdsa-sha2-nistp521", DROPBEAR_SIGNKEY_ECDSA_NISTP521, NULL, 1, NULL}, +#endif +#endif #ifdef DROPBEAR_RSA {"ssh-rsa", DROPBEAR_SIGNKEY_RSA, NULL, 1, NULL}, #endif diff --git a/dropbearkey.c b/dropbearkey.c index fb8461e..8bc114c 100644 --- a/dropbearkey.c +++ b/dropbearkey.c @@ -53,6 +53,7 @@ #include "gendss.h" #include "ecdsa.h" #include "crypto_desc.h" +#include "random.h" static void printhelp(char * progname); @@ -120,6 +121,9 @@ int main(int argc, char ** argv) { unsigned int bits; int printpub = 0; + crypto_init(); + seedrandom(); + /* get the commandline options */ for (i = 1; i < argc; i++) { if (argv[i] == NULL) { @@ -223,10 +227,6 @@ int main(int argc, char ** argv) { /* don't want the file readable by others */ umask(077); - crypto_init(); - seedrandom(); - - /* now we can generate the key */ key = new_sign_key(); @@ -245,6 +245,7 @@ int main(int argc, char ** argv) { #ifdef DROPBEAR_ECDSA case DROPBEAR_SIGNKEY_ECDSA_KEYGEN: key->ecckey = gen_ecdsa_priv_key(bits); + keytype = ecdsa_signkey_type(key->ecckey); break; #endif default: diff --git a/ecdsa.c b/ecdsa.c index 360f988..03b51a2 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -4,9 +4,29 @@ #include "crypto_desc.h" #include "ecc.h" #include "ecdsa.h" +#include "signkey.h" #ifdef DROPBEAR_ECDSA +enum signkey_type ecdsa_signkey_type(ecc_key * key) { +#ifdef DROPBEAR_ECC_256 + if (key->dp == ecc_curve_nistp256.dp) { + return DROPBEAR_SIGNKEY_ECDSA_NISTP256; + } +#endif +#ifdef DROPBEAR_ECC_384 + if (key->dp == ecc_curve_nistp384.dp) { + return DROPBEAR_SIGNKEY_ECDSA_NISTP384; + } +#endif +#ifdef DROPBEAR_ECC_521 + if (key->dp == ecc_curve_nistp521.dp) { + return DROPBEAR_SIGNKEY_ECDSA_NISTP521; + } +#endif + return DROPBEAR_SIGNKEY_NONE; +} + ecc_key *gen_ecdsa_priv_key(unsigned int bit_size) { const ltc_ecc_set_type *dp = NULL; // curve domain parameters switch (bit_size) { diff --git a/ecdsa.h b/ecdsa.h index 312b7cf..db4ae18 100644 --- a/ecdsa.h +++ b/ecdsa.h @@ -3,6 +3,7 @@ #include "includes.h" #include "buffer.h" +#include "signkey.h" #ifdef DROPBEAR_ECC_256 #define ECDSA_DEFAULT_SIZE 256 @@ -19,6 +20,7 @@ ecc_key *buf_get_ecdsa_pub_key(buffer* buf); ecc_key *buf_get_ecdsa_priv_key(buffer *buf); void buf_put_ecdsa_pub_key(buffer *buf, ecc_key *key); void buf_put_ecdsa_priv_key(buffer *buf, ecc_key *key); +enum signkey_type ecdsa_signkey_type(ecc_key * key); void buf_put_ecdsa_sign(buffer *buf, ecc_key *key, buffer *data_buf); int buf_ecdsa_verify(buffer *buf, ecc_key *key, buffer *data_buf); diff --git a/options.h b/options.h index 2547c99..0d30282 100644 --- a/options.h +++ b/options.h @@ -8,7 +8,7 @@ /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ -// XXX XXX You should probably run "make clean" after changing most options */ +/* Important: Many options will require "make clean" after changes */ #ifndef DROPBEAR_DEFPORT #define DROPBEAR_DEFPORT "22" @@ -26,6 +26,9 @@ #ifndef RSA_PRIV_FILENAME #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" #endif +#ifndef ECDSA_PRIV_FILENAME +#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" +#endif /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens * on chosen ports and keeps accepting connections. This is the default. diff --git a/runopts.h b/runopts.h index 9cd84d0..d5dcc9d 100644 --- a/runopts.h +++ b/runopts.h @@ -57,11 +57,10 @@ typedef struct runopts { extern runopts opts; int readhostkey(const char * filename, sign_key * hostkey, int *type); +void load_all_hostkeys(); typedef struct svr_runopts { - char * rsakeyfile; - char * dsskeyfile; char * bannerfile; int forkbg; @@ -99,6 +98,10 @@ typedef struct svr_runopts { #endif sign_key *hostkey; + + char *hostkey_files[MAX_HOSTKEYS]; + int num_hostkey_files; + buffer * banner; char * pidfile; diff --git a/signkey.c b/signkey.c index 40b5378..ef7556e 100644 --- a/signkey.c +++ b/signkey.c @@ -37,15 +37,9 @@ static const char *signkey_names[DROPBEAR_SIGNKEY_NUM_NAMED] = { "ssh-dss", #endif #ifdef DROPBEAR_ECDSA -#ifdef DROPBEAR_ECC_256 "ecdsa-sha2-nistp256", -#endif -#ifdef DROPBEAR_ECC_384 "ecdsa-sha2-nistp384", -#endif -#ifdef DROPBEAR_ECC_521 "ecdsa-sha2-nistp521", -#endif "ecdsa" // for keygen #endif // DROPBEAR_ECDSA }; @@ -81,6 +75,25 @@ enum signkey_type signkey_type_from_name(const char* name, unsigned int namelen) const char *fixed_name = signkey_names[i]; if (namelen == strlen(fixed_name) && memcmp(fixed_name, name, namelen) == 0) { + +#ifdef DROPBEAR_ECDSA + /* Some of the ECDSA key sizes are defined even if they're not compiled in */ + if (0 +#ifndef DROPBEAR_ECC_256 + || i == DROPBEAR_SIGNKEY_ECDSA_NISTP256 +#endif +#ifndef DROPBEAR_ECC_384 + || i == DROPBEAR_SIGNKEY_ECDSA_NISTP384 +#endif +#ifndef DROPBEAR_ECC_521 + || i == DROPBEAR_SIGNKEY_ECDSA_NISTP521 +#endif + ) { + TRACE(("attempt to use ecdsa type %d not compiled in", i)) + return DROPBEAR_SIGNKEY_NONE; + } +#endif + return i; } } @@ -139,9 +152,7 @@ int buf_get_pub_key(buffer *buf, sign_key *key, int *type) { } #endif #ifdef DROPBEAR_ECDSA - if (keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP256 - || keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP384 - || keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + if (IS_ECDSA_KEY(keytype)) { if (key->ecckey) { ecc_free(key->ecckey); } @@ -205,9 +216,7 @@ int buf_get_priv_key(buffer *buf, sign_key *key, int *type) { } #endif #ifdef DROPBEAR_ECDSA - if (keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP256 - || keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP384 - || keytype == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + if (IS_ECDSA_KEY(keytype)) { if (key->ecckey) { ecc_free(key->ecckey); } @@ -243,9 +252,7 @@ void buf_put_pub_key(buffer* buf, sign_key *key, int type) { } #endif #ifdef DROPBEAR_ECDSA - if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256 - || type == DROPBEAR_SIGNKEY_ECDSA_NISTP384 - || type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + if (IS_ECDSA_KEY(type)) { buf_put_ecdsa_pub_key(pubkeys, key->ecckey); } #endif @@ -279,10 +286,8 @@ void buf_put_priv_key(buffer* buf, sign_key *key, int type) { } #endif #ifdef DROPBEAR_ECDSA - if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256 - || type == DROPBEAR_SIGNKEY_ECDSA_NISTP384 - || type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { - buf_put_ecdsa_pub_key(buf, key->ecckey); + if (IS_ECDSA_KEY(type)) { + buf_put_ecdsa_priv_key(buf, key->ecckey); return; } #endif @@ -424,9 +429,7 @@ void buf_put_sign(buffer* buf, sign_key *key, int type, } #endif #ifdef DROPBEAR_ECDSA - if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256 - || type == DROPBEAR_SIGNKEY_ECDSA_NISTP384 - || type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + if (IS_ECDSA_KEY(type)) { buf_put_ecdsa_sign(sigblob, key->ecckey, data_buf); } #endif @@ -474,9 +477,7 @@ int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) { } #endif #ifdef DROPBEAR_ECDSA - if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256 - || type == DROPBEAR_SIGNKEY_ECDSA_NISTP384 - || type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + if (IS_ECDSA_KEY(type)) { return buf_ecdsa_verify(buf, key->ecckey, data_buf); } #endif diff --git a/signkey.h b/signkey.h index 7758d45..61095c7 100644 --- a/signkey.h +++ b/signkey.h @@ -37,15 +37,9 @@ enum signkey_type { DROPBEAR_SIGNKEY_DSS, #endif #ifdef DROPBEAR_ECDSA -#ifdef DROPBEAR_ECC_256 DROPBEAR_SIGNKEY_ECDSA_NISTP256, -#endif -#ifdef DROPBEAR_ECC_384 DROPBEAR_SIGNKEY_ECDSA_NISTP384, -#endif -#ifdef DROPBEAR_ECC_521 DROPBEAR_SIGNKEY_ECDSA_NISTP521, -#endif DROPBEAR_SIGNKEY_ECDSA_KEYGEN, // just "ecdsa" for keygen #endif // DROPBEAR_ECDSA DROPBEAR_SIGNKEY_NUM_NAMED, @@ -63,11 +57,9 @@ typedef enum { struct SIGN_key { - int type; /* The type of key (dss or rsa) */ + enum signkey_type type; signkey_source source; char *filename; - /* the buffer? for encrypted keys, so we can later get - * the private key portion */ #ifdef DROPBEAR_DSS dropbear_dss_key * dsskey; @@ -76,7 +68,7 @@ struct SIGN_key { dropbear_rsa_key * rsakey; #endif #ifdef DROPBEAR_ECDSA - ecc_key *ecckey; + ecc_key * ecckey; #endif }; @@ -99,4 +91,12 @@ int cmp_base64_key(const unsigned char* keyblob, unsigned int keybloblen, const unsigned char* algoname, unsigned int algolen, buffer * line, char ** fingerprint); +#ifdef DROPBEAR_ECDSA +#define IS_ECDSA_KEY(type) \ + ((type) == DROPBEAR_SIGNKEY_ECDSA_NISTP256 \ + || (type) == DROPBEAR_SIGNKEY_ECDSA_NISTP384 \ + || (type) == DROPBEAR_SIGNKEY_ECDSA_NISTP521 \ + || (type) == DROPBEAR_SIGNKEY_ECDSA_KEYGEN) +#endif + #endif /* _SIGNKEY_H_ */ diff --git a/svr-main.c b/svr-main.c index 461aeaf..5e4150a 100644 --- a/svr-main.c +++ b/svr-main.c @@ -29,6 +29,7 @@ #include "signkey.h" #include "runopts.h" #include "random.h" +#include "crypto_desc.h" static size_t listensockets(int *sock, size_t sockcount, int *maxfd); static void sigchld_handler(int dummy); @@ -383,9 +384,11 @@ static void commonsetup() { dropbear_exit("signal() error"); } + crypto_init(); + /* Now we can setup the hostkeys - needs to be after logging is on, * otherwise we might end up blatting error messages to the socket */ - loadhostkeys(); + load_all_hostkeys(); seedrandom(); } diff --git a/svr-runopts.c b/svr-runopts.c index f6ce86c..a775ea3 100644 --- a/svr-runopts.c +++ b/svr-runopts.c @@ -28,11 +28,14 @@ #include "buffer.h" #include "dbutil.h" #include "algo.h" +#include "ecdsa.h" svr_runopts svr_opts; /* GLOBAL */ static void printhelp(const char * progname); static void addportandaddress(char* spec); +static void loadhostkey(const char *keyfile, int fatal_duplicate); +static void addhostkey(const char *keyfile); static void printhelp(const char * progname) { @@ -105,10 +108,10 @@ void svr_getopts(int argc, char ** argv) { char* recv_window_arg = NULL; char* keepalive_arg = NULL; char* idle_timeout_arg = NULL; + char* keyfile = NULL; + /* see printhelp() for options */ - svr_opts.rsakeyfile = NULL; - svr_opts.dsskeyfile = NULL; svr_opts.bannerfile = NULL; svr_opts.banner = NULL; svr_opts.forkbg = 1; @@ -160,6 +163,11 @@ void svr_getopts(int argc, char ** argv) { dropbear_exit("Invalid null argument"); } next = 0x00; + + if (keyfile) { + addhostkey(keyfile); + keyfile = NULL; + } continue; } @@ -168,16 +176,10 @@ void svr_getopts(int argc, char ** argv) { case 'b': next = &svr_opts.bannerfile; break; -#ifdef DROPBEAR_DSS case 'd': - next = &svr_opts.dsskeyfile; - break; -#endif -#ifdef DROPBEAR_RSA case 'r': - next = &svr_opts.rsakeyfile; + next = &keyfile; break; -#endif case 'F': svr_opts.forkbg = 0; break; @@ -267,13 +269,6 @@ void svr_getopts(int argc, char ** argv) { svr_opts.portcount = 1; } - if (svr_opts.dsskeyfile == NULL) { - svr_opts.dsskeyfile = DSS_PRIV_FILENAME; - } - if (svr_opts.rsakeyfile == NULL) { - svr_opts.rsakeyfile = RSA_PRIV_FILENAME; - } - if (svr_opts.bannerfile) { struct stat buf; if (stat(svr_opts.bannerfile, &buf) != 0) { @@ -292,7 +287,6 @@ void svr_getopts(int argc, char ** argv) { svr_opts.bannerfile); } buf_setpos(svr_opts.banner, 0); - } if (recv_window_arg) { @@ -370,55 +364,125 @@ static void addportandaddress(char* spec) { } } -static void disablekey(int type, const char* filename) { - +static void disablekey(int type) { int i; - for (i = 0; sshhostkey[i].name != NULL; i++) { if (sshhostkey[i].val == type) { - sshhostkey[i].usable = 0; + sshhostkey[i].usable = 1; break; } } - dropbear_log(LOG_WARNING, "Failed reading '%s', disabling %s", filename, - type == DROPBEAR_SIGNKEY_DSS ? "DSS" : "RSA"); } /* Must be called after syslog/etc is working */ -void loadhostkeys() { +static void loadhostkey(const char *keyfile, int fatal_duplicate) { + sign_key * read_key = new_sign_key(); + int type = DROPBEAR_SIGNKEY_ANY; + if (readhostkey(keyfile, read_key, &type) == DROPBEAR_FAILURE) { + dropbear_log(LOG_WARNING, "Failed loading %s", keyfile); + } - int ret; - int type; +#ifdef DROPBEAR_RSA + if (type == DROPBEAR_SIGNKEY_RSA) { + if (svr_opts.hostkey->rsakey) { + if (fatal_duplicate) { + dropbear_exit("Only one RSA key can be specified"); + } + } else { + svr_opts.hostkey->rsakey = read_key->rsakey; + read_key->rsakey = NULL; + } + } +#endif - TRACE(("enter loadhostkeys")) +#ifdef DROPBEAR_DSS + if (type == DROPBEAR_SIGNKEY_DSS) { + if (svr_opts.hostkey->dsskey) { + if (fatal_duplicate) { + dropbear_exit("Only one DSS key can be specified"); + } + } else { + svr_opts.hostkey->dsskey = read_key->dsskey; + read_key->dsskey = NULL; + } + } +#endif + +#ifdef DROPBEAR_ECDSA + if (IS_ECDSA_KEY(type)) { + if (svr_opts.hostkey->ecckey) { + if (fatal_duplicate) { + dropbear_exit("Only one ECDSA key can be specified"); + } + } else { + svr_opts.hostkey->ecckey = read_key->ecckey; + read_key->ecckey = NULL; + } + } +#endif + sign_key_free(read_key); + TRACE(("leave loadhostkey")) +} + +static void addhostkey(const char *keyfile) { + if (svr_opts.num_hostkey_files >= MAX_HOSTKEYS) { + dropbear_exit("Too many hostkeys"); + } + svr_opts.hostkey_files[svr_opts.num_hostkey_files] = m_strdup(keyfile); + svr_opts.num_hostkey_files++; +} + +void load_all_hostkeys() { + int i; svr_opts.hostkey = new_sign_key(); -#ifdef DROPBEAR_RSA - type = DROPBEAR_SIGNKEY_RSA; - ret = readhostkey(svr_opts.rsakeyfile, svr_opts.hostkey, &type); - if (ret == DROPBEAR_FAILURE) { - disablekey(DROPBEAR_SIGNKEY_RSA, svr_opts.rsakeyfile); + for (i = 0; i < svr_opts.num_hostkey_files; i++) { + char *hostkey_file = svr_opts.hostkey_files[i]; + loadhostkey(hostkey_file, 1); + m_free(hostkey_file); } + +#ifdef DROPBEAR_RSA + loadhostkey(RSA_PRIV_FILENAME, 0); #endif + #ifdef DROPBEAR_DSS - type = DROPBEAR_SIGNKEY_DSS; - ret = readhostkey(svr_opts.dsskeyfile, svr_opts.hostkey, &type); - if (ret == DROPBEAR_FAILURE) { - disablekey(DROPBEAR_SIGNKEY_DSS, svr_opts.dsskeyfile); - } + loadhostkey(DSS_PRIV_FILENAME, 0); #endif - if ( 1 -#ifdef DROPBEAR_DSS - && svr_opts.hostkey->dsskey == NULL +#ifdef DROPBEAR_ECDSA + loadhostkey(ECDSA_PRIV_FILENAME, 0); #endif + #ifdef DROPBEAR_RSA - && svr_opts.hostkey->rsakey == NULL + if (!svr_opts.hostkey->rsakey) { + disablekey(DROPBEAR_SIGNKEY_RSA); + } #endif - ) { - dropbear_exit("No hostkeys available"); +#ifdef DROPBEAR_DSS + if (!svr_opts.hostkey->dsskey) { + disablekey(DROPBEAR_SIGNKEY_RSA); } - - TRACE(("leave loadhostkeys")) +#endif +#ifdef DROPBEAR_ECDSA +#ifdef DROPBEAR_ECC_256 + if (!svr_opts.hostkey->ecckey + || ecdsa_signkey_type(svr_opts.hostkey->ecckey) != DROPBEAR_SIGNKEY_ECDSA_NISTP256) { + disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256); + } +#endif +#ifdef DROPBEAR_ECC_384 + if (!svr_opts.hostkey->ecckey + || ecdsa_signkey_type(svr_opts.hostkey->ecckey) != DROPBEAR_SIGNKEY_ECDSA_NISTP384) { + disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384); + } +#endif +#ifdef DROPBEAR_ECC_521 + if (!svr_opts.hostkey->ecckey + || ecdsa_signkey_type(svr_opts.hostkey->ecckey) != DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521); + } +#endif +#endif } diff --git a/svr-session.c b/svr-session.c index b3b8d5e..a207d78 100644 --- a/svr-session.c +++ b/svr-session.c @@ -77,7 +77,6 @@ void svr_session(int sock, int childpipe) { char *host, *port; size_t len; - crypto_init(); common_session_init(sock, sock); /* Initialise server specific parts of the session */ diff --git a/sysoptions.h b/sysoptions.h index 0619cf1..d2ef0ab 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -141,6 +141,8 @@ /* For a 4096 bit DSS key, empirically determined */ #define MAX_PRIVKEY_SIZE 1700 +#define MAX_HOSTKEYS 3 + /* The maximum size of the bignum portion of the kexhash buffer */ /* Sect. 8 of the transport rfc 4253, K_S + e + f + K */ #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130) -- cgit v1.2.1 From 1a4f945bb6f4fd1d9234db1e20a171c929934a7b Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 9 May 2013 23:24:05 +0800 Subject: Fix ecdsa verification --- ecdsa.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/ecdsa.c b/ecdsa.c index 03b51a2..9ff89b3 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -248,14 +248,6 @@ static int buf_get_ecdsa_verify_params(buffer *buf, struct dropbear_ecc_curve *c unsigned int sig_pos; unsigned char key_ident[30]; - ident = buf_getstring(buf, &ident_len); - snprintf((char*)key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name); - if (strlen((char*)key_ident) != ident_len) { - goto out; - } - if (memcmp(key_ident, ident, ident_len) != 0) { - goto out; - } sig_len = buf_getint(buf); sig_pos = buf->pos; if (buf_getmpint(buf, r) != DROPBEAR_SUCCESS) { -- cgit v1.2.1 From 74489acc85000972a5ac88c0487e5e7a0302eb33 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 9 May 2013 23:24:58 +0800 Subject: Fix build for dropbearkey and ecdsa with certain options --- dropbearkey.c | 57 +++++++++++++++++++++++++++++++++++++++------------------ ecdsa.h | 6 +++++- 2 files changed, 44 insertions(+), 19 deletions(-) diff --git a/dropbearkey.c b/dropbearkey.c index 8bc114c..1d3dfe7 100644 --- a/dropbearkey.c +++ b/dropbearkey.c @@ -76,7 +76,7 @@ static void printhelp(char * progname) { " dss\n" #endif #ifdef DROPBEAR_ECDSA - " ecdsa\n" + " ecdsa\n" #endif "-f filename Use filename for the secret key\n" "-s bits Key size in bits, should be a multiple of 8 (optional)\n" @@ -200,23 +200,44 @@ int main(int argc, char ** argv) { } // TODO: put RSA and DSS size checks into genrsa.c etc - if (keytype == DROPBEAR_SIGNKEY_DSS && bits != 1024) { - fprintf(stderr, "DSS keys have a fixed size of 1024 bits\n"); - exit(EXIT_FAILURE); - } else if (bits < 512 || bits > 4096 || (bits % 8 != 0)) { - fprintf(stderr, "Bits must satisfy 512 <= bits <= 4096, and be a" - " multiple of 8\n"); - exit(EXIT_FAILURE); - } - } else { - if (keytype == DROPBEAR_SIGNKEY_DSS) { - bits = DSS_DEFAULT_SIZE; - } else if (keytype == DROPBEAR_SIGNKEY_RSA) { - bits = RSA_DEFAULT_SIZE; - } else if (keytype == DROPBEAR_SIGNKEY_ECDSA_KEYGEN) { - bits = ECDSA_DEFAULT_SIZE; - } else { - exit(EXIT_FAILURE); /* not reached */ + switch (keytype) { +#ifdef DROPBEAR_RSA + case DROPBEAR_SIGNKEY_RSA: + if (bits < 512 || bits > 4096 || (bits % 8 != 0)) { + fprintf(stderr, "Bits must satisfy 512 <= bits <= 4096, and be a" + " multiple of 8\n"); + exit(EXIT_FAILURE); + } + break; +#endif +#ifdef DROPEAR_DSS + case DROPBEAR_SIGNKEY_DSS: + if (bits != 1024) { + fprintf(stderr, "DSS keys have a fixed size of 1024 bits\n"); + exit(EXIT_FAILURE); + } +#endif + // pass. ecdsa handles checks itself + } + + switch (keytype) { +#ifdef DROPBEAR_RSA + case DROPBEAR_SIGNKEY_RSA: + bits = RSA_DEFAULT_SIZE; + break; +#endif +#ifdef DROPBEAR_DSS + case DROPBEAR_SIGNKEY_DSS: + bits = DSS_DEFAULT_SIZE; + break; +#endif +#ifdef DROPBEAR_ECDSA + case DROPBEAR_SIGNKEY_ECDSA_KEYGEN: + bits = ECDSA_DEFAULT_SIZE; + break; +#endif + default: + exit(EXIT_FAILURE); /* not reached */ } } diff --git a/ecdsa.h b/ecdsa.h index db4ae18..84e4000 100644 --- a/ecdsa.h +++ b/ecdsa.h @@ -5,6 +5,8 @@ #include "buffer.h" #include "signkey.h" +#ifdef DROPBEAR_ECDSA + #ifdef DROPBEAR_ECC_256 #define ECDSA_DEFAULT_SIZE 256 #elif DROPBEAR_ECC_384 @@ -25,4 +27,6 @@ enum signkey_type ecdsa_signkey_type(ecc_key * key); void buf_put_ecdsa_sign(buffer *buf, ecc_key *key, buffer *data_buf); int buf_ecdsa_verify(buffer *buf, ecc_key *key, buffer *data_buf); -#endif // _ECDSA_H_ \ No newline at end of file +#endif + +#endif // _ECDSA_H_ -- cgit v1.2.1 From 7eac89cbd9b2e2da5bb6bf9e8f1686059cdcf7b6 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 9 May 2013 23:27:23 +0800 Subject: quieten the compiler --- dropbearkey.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dropbearkey.c b/dropbearkey.c index 1d3dfe7..cf7048e 100644 --- a/dropbearkey.c +++ b/dropbearkey.c @@ -217,7 +217,8 @@ int main(int argc, char ** argv) { exit(EXIT_FAILURE); } #endif - // pass. ecdsa handles checks itself + default: + (void)0; /* quiet, compiler. ecdsa handles checks itself */ } switch (keytype) { -- cgit v1.2.1 From cbc0f5cc730359faaf8f7c2d404993acf78720f6 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Tue, 21 May 2013 12:15:48 +0800 Subject: Fix broken disablekey() --- svr-runopts.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/svr-runopts.c b/svr-runopts.c index a775ea3..07da95c 100644 --- a/svr-runopts.c +++ b/svr-runopts.c @@ -366,9 +366,10 @@ static void addportandaddress(char* spec) { static void disablekey(int type) { int i; + TRACE(("Disabling key type %d", type)) for (i = 0; sshhostkey[i].name != NULL; i++) { if (sshhostkey[i].val == type) { - sshhostkey[i].usable = 1; + sshhostkey[i].usable = 0; break; } } -- cgit v1.2.1 From 5122cdb1ee92dbdea18dc4d5bbbb180ecf1f3240 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Tue, 21 May 2013 13:20:02 +0800 Subject: Fix static library order, libtomcrypt depends on libtommath --- Makefile.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile.in b/Makefile.in index 8d8d279..4f13d1d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -17,9 +17,9 @@ LTC=libtomcrypt/libtomcrypt.a LTM=libtommath/libtommath.a ifeq (@BUNDLED_LIBTOM@, 1) -LIBTOM_DEPS=$(LTM) $(LTC) +LIBTOM_DEPS=$(LTC) $(LTM) CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/ -LIBS+=$(LTM) $(LTC) +LIBS+=$(LTC) $(LTM) endif COMMONOBJS=dbutil.o buffer.o \ -- cgit v1.2.1 From 215d321736ffc1f3782d2d006bf05768e05d4ef2 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Tue, 21 May 2013 13:44:48 +0800 Subject: Enable SMALL_CODE by default --- options.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/options.h b/options.h index 6199fb6..8109dd3 100644 --- a/options.h +++ b/options.h @@ -52,7 +52,7 @@ several kB in binary size however will make the symmetrical ciphers and hashes slower, perhaps by 50%. Recommended for small systems that aren't doing much traffic. */ -/*#define DROPBEAR_SMALL_CODE*/ +#define DROPBEAR_SMALL_CODE /* Enable X11 Forwarding - server only */ #define ENABLE_X11FWD -- cgit v1.2.1 From 3e02e807552eb48e2eb22fc0dc51af072a54717f Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 23 May 2013 22:18:16 +0800 Subject: Add m_mp_alloc_init_multi() helper --- bignum.c | 16 ++++++++++++++++ bignum.h | 1 + common-kex.c | 3 +-- dss.c | 9 ++------- ecc.c | 9 +++------ gendss.c | 7 +------ genrsa.c | 11 ++--------- rsa.c | 11 +++-------- 8 files changed, 29 insertions(+), 38 deletions(-) diff --git a/bignum.c b/bignum.c index 886568d..e9810b3 100644 --- a/bignum.c +++ b/bignum.c @@ -52,6 +52,22 @@ void m_mp_init_multi(mp_int *mp, ...) va_end(args); } +void m_mp_alloc_init_multi(mp_int **mp, ...) +{ + mp_int** cur_arg = mp; + va_list args; + + va_start(args, mp); /* init args to next argument from caller */ + while (cur_arg != NULL) { + *cur_arg = m_malloc(sizeof(mp_int)); + if (mp_init(*cur_arg) != MP_OKAY) { + dropbear_exit("Mem alloc error"); + } + cur_arg = va_arg(args, mp_int**); + } + va_end(args); +} + void bytes_to_mp(mp_int *mp, const unsigned char* bytes, unsigned int len) { if (mp_read_unsigned_bin(mp, (unsigned char*)bytes, len) != MP_OKAY) { diff --git a/bignum.h b/bignum.h index 11353c6..f9710d7 100644 --- a/bignum.h +++ b/bignum.h @@ -30,6 +30,7 @@ void m_mp_init(mp_int *mp); void m_mp_init_multi(mp_int *mp, ...) ATTRIB_SENTINEL; +void m_mp_alloc_init_multi(mp_int **mp, ...) ATTRIB_SENTINEL; void bytes_to_mp(mp_int *mp, const unsigned char* bytes, unsigned int len); void hash_process_mp(const struct ltc_hash_descriptor *hash_desc, hash_state *hs, mp_int *mp); diff --git a/common-kex.c b/common-kex.c index 0cd3db3..a32ca6d 100644 --- a/common-kex.c +++ b/common-kex.c @@ -633,8 +633,7 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them, } /* K = e^y mod p = f^x mod p */ - ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int)); - m_mp_init(ses.dh_K); + m_mp_alloc_init_multi(&ses.dh_K, NULL); if (mp_exptmod(dh_pub_them, ¶m->priv, &dh_p, ses.dh_K) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } diff --git a/dss.c b/dss.c index 9817392..b3b2bb1 100644 --- a/dss.c +++ b/dss.c @@ -47,11 +47,7 @@ int buf_get_dss_pub_key(buffer* buf, dropbear_dss_key *key) { TRACE(("enter buf_get_dss_pub_key")) dropbear_assert(key != NULL); - key->p = m_malloc(sizeof(mp_int)); - key->q = m_malloc(sizeof(mp_int)); - key->g = m_malloc(sizeof(mp_int)); - key->y = m_malloc(sizeof(mp_int)); - m_mp_init_multi(key->p, key->q, key->g, key->y, NULL); + m_mp_alloc_init_multi(&key->p, &key->q, &key->g, &key->y, NULL); key->x = NULL; buf_incrpos(buf, 4+SSH_SIGNKEY_DSS_LEN); /* int + "ssh-dss" */ @@ -87,8 +83,7 @@ int buf_get_dss_priv_key(buffer* buf, dropbear_dss_key *key) { return DROPBEAR_FAILURE; } - key->x = m_malloc(sizeof(mp_int)); - m_mp_init(key->x); + m_mp_alloc_init_multi(&key->x, NULL); ret = buf_getmpint(buf, key->x); if (ret == DROPBEAR_FAILURE) { m_free(key->x); diff --git a/ecc.c b/ecc.c index 03f8864..3e0763c 100644 --- a/ecc.c +++ b/ecc.c @@ -72,11 +72,8 @@ struct dropbear_ecc_curve* curve_for_dp(const ltc_ecc_set_type *dp) { ecc_key * new_ecc_key(void) { ecc_key *key = m_malloc(sizeof(*key)); - key->pubkey.x = m_malloc(sizeof(mp_int)); - key->pubkey.y = m_malloc(sizeof(mp_int)); - key->pubkey.z = m_malloc(sizeof(mp_int)); - key->k = m_malloc(sizeof(mp_int)); - m_mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL); + m_mp_alloc_init_multi(&key->pubkey.x, &key->pubkey.y, + &key->pubkey.z, &key->k, NULL); return key; } @@ -92,7 +89,7 @@ static int ecc_is_point(ecc_key *key) t1 = m_malloc(sizeof(mp_int)); t2 = m_malloc(sizeof(mp_int)); - m_mp_init_multi(prime, b, t1, t2, NULL); + m_mp_alloc_init_multi(&prime, &b, &t1, &t2, NULL); /* load prime and b */ if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) { goto error; } diff --git a/gendss.c b/gendss.c index be8f89f..2785aec 100644 --- a/gendss.c +++ b/gendss.c @@ -53,12 +53,7 @@ dropbear_dss_key * gen_dss_priv_key(unsigned int size) { key = m_malloc(sizeof(*key)); - key->p = (mp_int*)m_malloc(sizeof(mp_int)); - key->q = (mp_int*)m_malloc(sizeof(mp_int)); - key->g = (mp_int*)m_malloc(sizeof(mp_int)); - key->y = (mp_int*)m_malloc(sizeof(mp_int)); - key->x = (mp_int*)m_malloc(sizeof(mp_int)); - m_mp_init_multi(key->p, key->q, key->g, key->y, key->x, NULL); + m_mp_alloc_init_multi(&key->p, &key->q, &key->g, &key->y, &key->x, NULL); getq(key); getp(key, size/8); diff --git a/genrsa.c b/genrsa.c index 465502b..5df191e 100644 --- a/genrsa.c +++ b/genrsa.c @@ -50,15 +50,8 @@ dropbear_rsa_key * gen_rsa_priv_key(unsigned int size) { } key = m_malloc(sizeof(*key)); - - key->e = (mp_int*)m_malloc(sizeof(mp_int)); - key->n = (mp_int*)m_malloc(sizeof(mp_int)); - key->d = (mp_int*)m_malloc(sizeof(mp_int)); - key->p = (mp_int*)m_malloc(sizeof(mp_int)); - key->q = (mp_int*)m_malloc(sizeof(mp_int)); - - m_mp_init_multi(key->e, key->n, key->d, key->p, key->q, - &pminus, &lcm, &qminus, NULL); + m_mp_alloc_init_multi(&key->e, &key->n, &key->d, &key->p, &key->q, NULL); + m_mp_init_multi(&pminus, &lcm, &qminus, NULL); if (mp_set_int(key->e, RSA_E) != MP_OKAY) { fprintf(stderr, "RSA generation failed\n"); diff --git a/rsa.c b/rsa.c index 6fd30b8..92adee4 100644 --- a/rsa.c +++ b/rsa.c @@ -50,9 +50,7 @@ int buf_get_rsa_pub_key(buffer* buf, dropbear_rsa_key *key) { int ret = DROPBEAR_FAILURE; TRACE(("enter buf_get_rsa_pub_key")) dropbear_assert(key != NULL); - key->e = m_malloc(sizeof(mp_int)); - key->n = m_malloc(sizeof(mp_int)); - m_mp_init_multi(key->e, key->n, NULL); + m_mp_alloc_init_multi(&key->e, &key->n, NULL); key->d = NULL; key->p = NULL; key->q = NULL; @@ -98,8 +96,7 @@ int buf_get_rsa_priv_key(buffer* buf, dropbear_rsa_key *key) { key->p = NULL; key->q = NULL; - key->d = m_malloc(sizeof(mp_int)); - m_mp_init(key->d); + m_mp_alloc_init_multi(&key->d); if (buf_getmpint(buf, key->d) == DROPBEAR_FAILURE) { TRACE(("leave buf_get_rsa_priv_key: d: ret == DROPBEAR_FAILURE")) goto out; @@ -108,9 +105,7 @@ int buf_get_rsa_priv_key(buffer* buf, dropbear_rsa_key *key) { if (buf->pos == buf->len) { /* old Dropbear private keys didn't keep p and q, so we will ignore them*/ } else { - key->p = m_malloc(sizeof(mp_int)); - key->q = m_malloc(sizeof(mp_int)); - m_mp_init_multi(key->p, key->q, NULL); + m_mp_alloc_init_multi(&key->p, &key->q, NULL); if (buf_getmpint(buf, key->p) == DROPBEAR_FAILURE) { TRACE(("leave buf_get_rsa_priv_key: p: ret == DROPBEAR_FAILURE")) -- cgit v1.2.1 From 20b4ac2f61f89fc08b492ab5e4ef1250778635f1 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 23 May 2013 22:18:33 +0800 Subject: hackish ECC import code from OpenSSH --- dropbearconvert.c | 3 ++ keyimport.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 140 insertions(+), 15 deletions(-) diff --git a/dropbearconvert.c b/dropbearconvert.c index 9e16fe7..01fe373 100644 --- a/dropbearconvert.c +++ b/dropbearconvert.c @@ -62,6 +62,9 @@ int main(int argc, char ** argv) { const char* infile; const char* outfile; + crypto_init(); + seedrandom(); + #ifdef DEBUG_TRACE /* It's hard for it to get in the way _too_ much */ debug_trace = 1; diff --git a/keyimport.c b/keyimport.c index e8fded7..d0469de 100644 --- a/keyimport.c +++ b/keyimport.c @@ -36,6 +36,11 @@ #include "bignum.h" #include "buffer.h" #include "dbutil.h" +#include "ecc.h" + +const unsigned char OID_SEC256R1_BLOB[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07}; +const unsigned char OID_SEC384R1_BLOB[] = {0x2b, 0x81, 0x04, 0x00, 0x22}; +const unsigned char OID_SEC521R1_BLOB[] = {0x2b, 0x81, 0x04, 0x00, 0x23}; #define PUT_32BIT(cp, value) do { \ (cp)[3] = (unsigned char)(value); \ @@ -158,7 +163,7 @@ static int dropbear_write(const char*filename, sign_key * key) { #endif buf = buf_new(MAX_PRIVKEY_SIZE); - buf_put_priv_key(buf, key, keytype); + buf_put_priv_key(buf, key, key->type); fp = fopen(filename, "w"); if (!fp) { @@ -523,6 +528,8 @@ static sign_key *openssh_read(const char *filename, char *passphrase) sign_key *retkey; buffer * blobbuf = NULL; + retkey = new_sign_key(); + key = load_openssh_key(filename); if (!key) @@ -599,6 +606,8 @@ static sign_key *openssh_read(const char *filename, char *passphrase) num_integers = 9; else if (key->type == OSSH_DSA) num_integers = 6; + else if (key->type == OSSH_EC) + num_integers = 1; /* * Space to create key blob in. @@ -622,11 +631,18 @@ static sign_key *openssh_read(const char *filename, char *passphrase) } if (i == 0) { - /* - * The first integer should be zero always (I think - * this is some sort of version indication). - */ - if (len != 1 || p[0] != 0) { + /* First integer is a version indicator */ + int expected; + switch (key->type) { + case OSSH_RSA: + case OSSH_DSA: + expected = 0; + break; + case OSSH_EC: + expected = 1; + break; + } + if (len != 1 || p[0] != expected) { errmsg = "Version number mismatch"; goto error; } @@ -657,21 +673,127 @@ static sign_key *openssh_read(const char *filename, char *passphrase) p += len; } +#ifdef DROPBEAR_ECDSA + if (key->type == OSSH_EC) { + const char* ecdsa_name; + unsigned char* private_key_bytes = NULL; + int private_key_len = 0; + unsigned char* public_key_bytes = NULL; + int public_key_len = 0; + ecc_key *ecc; + const struct dropbear_ecc_curve *curve = NULL; + + // See SEC1 v2, Appendix C.4 + // OpenSSL (so OpenSSH) seems to include the optional parts. + + // privateKey OCTET STRING, + ret = ber_read_id_len(p, key->keyblob+key->keyblob_len-p, + &id, &len, &flags); + p += ret; + // id==4 for octet string + if (ret < 0 || id != 4 || + key->keyblob+key->keyblob_len-p < len) { + errmsg = "ASN.1 decoding failure"; + goto error; + } + private_key_bytes = p; + private_key_len = len; + p += len; + + // parameters [0] ECDomainParameters {{ SECGCurveNames }} OPTIONAL, + ret = ber_read_id_len(p, key->keyblob+key->keyblob_len-p, + &id, &len, &flags); + p += ret; + // id==0 + if (ret < 0 || id != 0) { + errmsg = "ASN.1 decoding failure"; + goto error; + } + + ret = ber_read_id_len(p, key->keyblob+key->keyblob_len-p, + &id, &len, &flags); + p += ret; + // id==6 for object + if (ret < 0 || id != 6 || + key->keyblob+key->keyblob_len-p < len) { + errmsg = "ASN.1 decoding failure"; + goto error; + } + + if (len == sizeof(OID_SEC256R1_BLOB) + && memcmp(p, OID_SEC256R1_BLOB, len) == 0) { + retkey->type = DROPBEAR_SIGNKEY_ECDSA_NISTP256; + curve = &ecc_curve_nistp256; + } else if (len == sizeof(OID_SEC384R1_BLOB) + && memcmp(p, OID_SEC384R1_BLOB, len) == 0) { + retkey->type = DROPBEAR_SIGNKEY_ECDSA_NISTP384; + curve = &ecc_curve_nistp384; + } else if (len == sizeof(OID_SEC521R1_BLOB) + && memcmp(p, OID_SEC521R1_BLOB, len) == 0) { + retkey->type = DROPBEAR_SIGNKEY_ECDSA_NISTP521; + curve = &ecc_curve_nistp521; + } else { + errmsg = "Unknown ECC key type"; + goto error; + } + p += len; + + // publicKey [1] BIT STRING OPTIONAL + ret = ber_read_id_len(p, key->keyblob+key->keyblob_len-p, + &id, &len, &flags); + p += ret; + // id==1 + if (ret < 0 || id != 1) { + errmsg = "ASN.1 decoding failure"; + goto error; + } + + ret = ber_read_id_len(p, key->keyblob+key->keyblob_len-p, + &id, &len, &flags); + p += ret; + // id==3 for bit string + if (ret < 0 || id != 3 || + key->keyblob+key->keyblob_len-p < len) { + errmsg = "ASN.1 decoding failure"; + goto error; + } + public_key_bytes = p+1; + public_key_len = len-1; + p += len; + + buf_putbytes(blobbuf, public_key_bytes, public_key_len); + ecc = buf_get_ecc_raw_pubkey(blobbuf, curve); + if (!ecc) { + errmsg = "Error parsing ECC key"; + goto error; + } + m_mp_alloc_init_multi((mp_int**)&ecc->k, NULL); + if (mp_read_unsigned_bin(ecc->k, private_key_bytes, private_key_len) + != MP_OKAY) { + errmsg = "Error parsing ECC key"; + goto error; + } + + retkey->ecckey = ecc; + } +#endif // DROPBEAR_ECDSA + /* * Now put together the actual key. Simplest way to do this is * to assemble our own key blobs and feed them to the createkey * functions; this is a bit faffy but it does mean we get all * the sanity checks for free. */ - retkey = new_sign_key(); - buf_setpos(blobbuf, 0); - type = DROPBEAR_SIGNKEY_ANY; - if (buf_get_priv_key(blobbuf, retkey, &type) - != DROPBEAR_SUCCESS) { - errmsg = "unable to create key structure"; - sign_key_free(retkey); - retkey = NULL; - goto error; + if (key->type == OSSH_RSA || key->type == OSSH_DSA) { + buf_setpos(blobbuf, 0); + type = DROPBEAR_SIGNKEY_ANY; + if (buf_get_priv_key(blobbuf, retkey, &type) + != DROPBEAR_SUCCESS) { + errmsg = "unable to create key structure"; + sign_key_free(retkey); + retkey = NULL; + goto error; + } } errmsg = NULL; /* no error */ -- cgit v1.2.1 From 87fee462c0eeac9e1199bfb85dd7a3e93b3e1676 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sat, 25 May 2013 00:54:19 +0800 Subject: have separate ecdsa keys for each size fix crash from the mp_alloc_init_multi change in RSA --- dropbearkey.c | 7 +++-- keyimport.c | 4 +-- rsa.c | 2 +- signkey.c | 97 +++++++++++++++++++++++++++++++++++++++++++---------------- signkey.h | 16 ++++++---- svr-runopts.c | 62 +++++++++++++++++++------------------- 6 files changed, 120 insertions(+), 68 deletions(-) diff --git a/dropbearkey.c b/dropbearkey.c index cf7048e..eecfbcc 100644 --- a/dropbearkey.c +++ b/dropbearkey.c @@ -266,8 +266,11 @@ int main(int argc, char ** argv) { #endif #ifdef DROPBEAR_ECDSA case DROPBEAR_SIGNKEY_ECDSA_KEYGEN: - key->ecckey = gen_ecdsa_priv_key(bits); - keytype = ecdsa_signkey_type(key->ecckey); + { + ecc_key *ecckey = gen_ecdsa_priv_key(bits); + keytype = ecdsa_signkey_type(ecckey); + *signkey_ecc_key_ptr(key, keytype) = ecckey; + } break; #endif default: diff --git a/keyimport.c b/keyimport.c index d0469de..05bf800 100644 --- a/keyimport.c +++ b/keyimport.c @@ -680,7 +680,7 @@ static sign_key *openssh_read(const char *filename, char *passphrase) int private_key_len = 0; unsigned char* public_key_bytes = NULL; int public_key_len = 0; - ecc_key *ecc; + ecc_key *ecc = NULL; const struct dropbear_ecc_curve *curve = NULL; // See SEC1 v2, Appendix C.4 @@ -774,7 +774,7 @@ static sign_key *openssh_read(const char *filename, char *passphrase) goto error; } - retkey->ecckey = ecc; + *signkey_ecc_key_ptr(retkey, retkey->type) = ecc; } #endif // DROPBEAR_ECDSA diff --git a/rsa.c b/rsa.c index 92adee4..e2abab1 100644 --- a/rsa.c +++ b/rsa.c @@ -96,7 +96,7 @@ int buf_get_rsa_priv_key(buffer* buf, dropbear_rsa_key *key) { key->p = NULL; key->q = NULL; - m_mp_alloc_init_multi(&key->d); + m_mp_alloc_init_multi(&key->d, NULL); if (buf_getmpint(buf, key->d) == DROPBEAR_FAILURE) { TRACE(("leave buf_get_rsa_priv_key: d: ret == DROPBEAR_FAILURE")) goto out; diff --git a/signkey.c b/signkey.c index 194c145..65c22c2 100644 --- a/signkey.c +++ b/signkey.c @@ -103,6 +103,22 @@ enum signkey_type signkey_type_from_name(const char* name, unsigned int namelen) return DROPBEAR_SIGNKEY_NONE; } +#ifdef DROPBEAR_ECDSA +ecc_key ** +signkey_ecc_key_ptr(sign_key *key, enum signkey_type ecc_type) { + switch (ecc_type) { + case DROPBEAR_SIGNKEY_ECDSA_NISTP256: + return &key->ecckey256; + case DROPBEAR_SIGNKEY_ECDSA_NISTP384: + return &key->ecckey384; + case DROPBEAR_SIGNKEY_ECDSA_NISTP521: + return &key->ecckey521; + default: + return NULL; + } +} +#endif + /* returns DROPBEAR_SUCCESS on success, DROPBEAR_FAILURE on fail. * type should be set by the caller to specify the type to read, and * on return is set to the type read (useful when type = _ANY) */ @@ -152,13 +168,17 @@ int buf_get_pub_key(buffer *buf, sign_key *key, int *type) { } #endif #ifdef DROPBEAR_ECDSA - if (IS_ECDSA_KEY(keytype)) { - if (key->ecckey) { - ecc_free(key->ecckey); - } - key->ecckey = buf_get_ecdsa_pub_key(buf); - if (key->ecckey) { - ret = DROPBEAR_SUCCESS; + { + ecc_key **eck = signkey_ecc_key_ptr(key, keytype); + if (eck) { + if (*eck) { + ecc_free(*eck); + *eck = NULL; + } + *eck = buf_get_ecdsa_pub_key(buf); + if (*eck) { + ret = DROPBEAR_SUCCESS; + } } } #endif @@ -216,13 +236,17 @@ int buf_get_priv_key(buffer *buf, sign_key *key, int *type) { } #endif #ifdef DROPBEAR_ECDSA - if (IS_ECDSA_KEY(keytype)) { - if (key->ecckey) { - ecc_free(key->ecckey); - } - key->ecckey = buf_get_ecdsa_priv_key(buf); - if (key->ecckey) { - ret = DROPBEAR_SUCCESS; + { + ecc_key **eck = signkey_ecc_key_ptr(key, keytype); + if (eck) { + if (*eck) { + ecc_free(*eck); + *eck = NULL; + } + *eck = buf_get_ecdsa_priv_key(buf); + if (*eck) { + ret = DROPBEAR_SUCCESS; + } } } #endif @@ -252,8 +276,11 @@ void buf_put_pub_key(buffer* buf, sign_key *key, int type) { } #endif #ifdef DROPBEAR_ECDSA - if (IS_ECDSA_KEY(type)) { - buf_put_ecdsa_pub_key(pubkeys, key->ecckey); + { + ecc_key **eck = signkey_ecc_key_ptr(key, type); + if (eck) { + buf_put_ecdsa_pub_key(pubkeys, *eck); + } } #endif if (pubkeys->len == 0) { @@ -286,9 +313,13 @@ void buf_put_priv_key(buffer* buf, sign_key *key, int type) { } #endif #ifdef DROPBEAR_ECDSA - if (IS_ECDSA_KEY(type)) { - buf_put_ecdsa_priv_key(buf, key->ecckey); - return; + { + ecc_key **eck = signkey_ecc_key_ptr(key, type); + if (eck) { + buf_put_ecdsa_priv_key(buf, *eck); + TRACE(("leave buf_put_priv_key: ecdsa done")) + return; + } } #endif dropbear_exit("Bad key types in put pub key"); @@ -307,9 +338,17 @@ void sign_key_free(sign_key *key) { key->rsakey = NULL; #endif #ifdef DROPBEAR_ECDSA - if (key->ecckey) { - ecc_free(key->ecckey); - key->ecckey = NULL; + if (key->ecckey256) { + ecc_free(key->ecckey256); + key->ecckey256 = NULL; + } + if (key->ecckey384) { + ecc_free(key->ecckey384); + key->ecckey384 = NULL; + } + if (key->ecckey521) { + ecc_free(key->ecckey521); + key->ecckey521 = NULL; } #endif @@ -429,8 +468,11 @@ void buf_put_sign(buffer* buf, sign_key *key, int type, } #endif #ifdef DROPBEAR_ECDSA - if (IS_ECDSA_KEY(type)) { - buf_put_ecdsa_sign(sigblob, key->ecckey, data_buf); + { + ecc_key **eck = signkey_ecc_key_ptr(key, type); + if (eck) { + buf_put_ecdsa_sign(sigblob, *eck, data_buf); + } } #endif if (sigblob->len == 0) { @@ -477,8 +519,11 @@ int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) { } #endif #ifdef DROPBEAR_ECDSA - if (IS_ECDSA_KEY(type)) { - return buf_ecdsa_verify(buf, key->ecckey, data_buf); + { + ecc_key **eck = signkey_ecc_key_ptr(key, type); + if (eck) { + return buf_ecdsa_verify(buf, *eck, data_buf); + } } #endif diff --git a/signkey.h b/signkey.h index 61095c7..6400d47 100644 --- a/signkey.h +++ b/signkey.h @@ -68,7 +68,15 @@ struct SIGN_key { dropbear_rsa_key * rsakey; #endif #ifdef DROPBEAR_ECDSA - ecc_key * ecckey; +#ifdef DROPBEAR_ECC_256 + ecc_key * ecckey256; +#endif +#ifdef DROPBEAR_ECC_384 + ecc_key * ecckey384; +#endif +#ifdef DROPBEAR_ECC_521 + ecc_key * ecckey521; +#endif #endif }; @@ -92,11 +100,7 @@ int cmp_base64_key(const unsigned char* keyblob, unsigned int keybloblen, buffer * line, char ** fingerprint); #ifdef DROPBEAR_ECDSA -#define IS_ECDSA_KEY(type) \ - ((type) == DROPBEAR_SIGNKEY_ECDSA_NISTP256 \ - || (type) == DROPBEAR_SIGNKEY_ECDSA_NISTP384 \ - || (type) == DROPBEAR_SIGNKEY_ECDSA_NISTP521 \ - || (type) == DROPBEAR_SIGNKEY_ECDSA_KEYGEN) +ecc_key ** signkey_ecc_key_ptr(sign_key *key, enum signkey_type ecc_type); #endif #endif /* _SIGNKEY_H_ */ diff --git a/svr-runopts.c b/svr-runopts.c index 07da95c..2db88c2 100644 --- a/svr-runopts.c +++ b/svr-runopts.c @@ -375,6 +375,18 @@ static void disablekey(int type) { } } +static void loadhostkey_helper(const char *name, void** src, void** dst, int fatal_duplicate) { + if (*dst) { + if (fatal_duplicate) { + dropbear_exit("Only one %s key can be specified", name); + } + } else { + *dst = *src; + *src = NULL; + } + +} + /* Must be called after syslog/etc is working */ static void loadhostkey(const char *keyfile, int fatal_duplicate) { sign_key * read_key = new_sign_key(); @@ -385,42 +397,33 @@ static void loadhostkey(const char *keyfile, int fatal_duplicate) { #ifdef DROPBEAR_RSA if (type == DROPBEAR_SIGNKEY_RSA) { - if (svr_opts.hostkey->rsakey) { - if (fatal_duplicate) { - dropbear_exit("Only one RSA key can be specified"); - } - } else { - svr_opts.hostkey->rsakey = read_key->rsakey; - read_key->rsakey = NULL; - } + loadhostkey_helper("RSA", &read_key->rsakey, &svr_opts.hostkey->rsakey, fatal_duplicate); } #endif #ifdef DROPBEAR_DSS if (type == DROPBEAR_SIGNKEY_DSS) { - if (svr_opts.hostkey->dsskey) { - if (fatal_duplicate) { - dropbear_exit("Only one DSS key can be specified"); - } - } else { - svr_opts.hostkey->dsskey = read_key->dsskey; - read_key->dsskey = NULL; - } + loadhostkey_helper("DSS", &read_key->dsskey, &svr_opts.hostkey->dsskey, fatal_duplicate); } #endif #ifdef DROPBEAR_ECDSA - if (IS_ECDSA_KEY(type)) { - if (svr_opts.hostkey->ecckey) { - if (fatal_duplicate) { - dropbear_exit("Only one ECDSA key can be specified"); - } - } else { - svr_opts.hostkey->ecckey = read_key->ecckey; - read_key->ecckey = NULL; - } +#ifdef DROPBEAR_ECC_256 + if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256) { + loadhostkey_helper("ECDSA256", &read_key->ecckey256, &svr_opts.hostkey->ecckey256, fatal_duplicate); + } +#endif +#ifdef DROPBEAR_ECC_384 + if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP384) { + loadhostkey_helper("ECDSA384", &read_key->ecckey384, &svr_opts.hostkey->ecckey384, fatal_duplicate); + } +#endif +#ifdef DROPBEAR_ECC_521 + if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + loadhostkey_helper("ECDSA521", &read_key->ecckey521, &svr_opts.hostkey->ecckey521, fatal_duplicate); } #endif +#endif // DROPBEAR_ECDSA sign_key_free(read_key); TRACE(("leave loadhostkey")) } @@ -468,20 +471,17 @@ void load_all_hostkeys() { #endif #ifdef DROPBEAR_ECDSA #ifdef DROPBEAR_ECC_256 - if (!svr_opts.hostkey->ecckey - || ecdsa_signkey_type(svr_opts.hostkey->ecckey) != DROPBEAR_SIGNKEY_ECDSA_NISTP256) { + if (!svr_opts.hostkey->ecckey256) { disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256); } #endif #ifdef DROPBEAR_ECC_384 - if (!svr_opts.hostkey->ecckey - || ecdsa_signkey_type(svr_opts.hostkey->ecckey) != DROPBEAR_SIGNKEY_ECDSA_NISTP384) { + if (!svr_opts.hostkey->ecckey384) { disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384); } #endif #ifdef DROPBEAR_ECC_521 - if (!svr_opts.hostkey->ecckey - || ecdsa_signkey_type(svr_opts.hostkey->ecckey) != DROPBEAR_SIGNKEY_ECDSA_NISTP521) { + if (!svr_opts.hostkey->ecckey521) { disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521); } #endif -- cgit v1.2.1