projects / u / mdw / putty / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Sebastian Kuschel reports that pfd_closing can be called for a socket
[u/mdw/putty] / sshdh.c
1 /*
2 * Diffie-Hellman implementation for PuTTY.
3 */
4
5 #include "ssh.h"
6
7 /*
8 * The primes used in the group1 and group14 key exchange.
9 */
10 static const unsigned char P1[] = {
11 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
12 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
13 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
14 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
15 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
16 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
17 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
18 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
19 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
20 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
21 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
22 };
23 static const unsigned char P14[] = {
24 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
25 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
26 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
27 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
28 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
29 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
30 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
31 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
32 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
33 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
34 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
35 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
36 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
37 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
38 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
39 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
40 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
41 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
42 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
43 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
44 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF,
45 0xFF, 0xFF, 0xFF, 0xFF
46 };
47
48 /*
49 * The generator g = 2 (used for both group1 and group14).
50 */
51 static const unsigned char G[] = { 2 };
52
53 static const struct ssh_kex ssh_diffiehellman_group1_sha1 = {
54 "diffie-hellman-group1-sha1", "group1",
55 KEXTYPE_DH, P1, G, lenof(P1), lenof(G), &ssh_sha1
56 };
57
58 static const struct ssh_kex *const group1_list[] = {
59 &ssh_diffiehellman_group1_sha1
60 };
61
62 const struct ssh_kexes ssh_diffiehellman_group1 = {
63 sizeof(group1_list) / sizeof(*group1_list),
64 group1_list
65 };
66
67 static const struct ssh_kex ssh_diffiehellman_group14_sha1 = {
68 "diffie-hellman-group14-sha1", "group14",
69 KEXTYPE_DH, P14, G, lenof(P14), lenof(G), &ssh_sha1
70 };
71
72 static const struct ssh_kex *const group14_list[] = {
73 &ssh_diffiehellman_group14_sha1
74 };
75
76 const struct ssh_kexes ssh_diffiehellman_group14 = {
77 sizeof(group14_list) / sizeof(*group14_list),
78 group14_list
79 };
80
81 static const struct ssh_kex ssh_diffiehellman_gex_sha256 = {
82 "diffie-hellman-group-exchange-sha256", NULL,
83 KEXTYPE_DH, NULL, NULL, 0, 0, &ssh_sha256
84 };
85
86 static const struct ssh_kex ssh_diffiehellman_gex_sha1 = {
87 "diffie-hellman-group-exchange-sha1", NULL,
88 KEXTYPE_DH, NULL, NULL, 0, 0, &ssh_sha1
89 };
90
91 static const struct ssh_kex *const gex_list[] = {
92 &ssh_diffiehellman_gex_sha256,
93 &ssh_diffiehellman_gex_sha1
94 };
95
96 const struct ssh_kexes ssh_diffiehellman_gex = {
97 sizeof(gex_list) / sizeof(*gex_list),
98 gex_list
99 };
100
101 /*
102 * Variables.
103 */
104 struct dh_ctx {
105 Bignum x, e, p, q, qmask, g;
106 };
107
108 /*
109 * Common DH initialisation.
110 */
111 static void dh_init(struct dh_ctx *ctx)
112 {
113 ctx->q = bignum_rshift(ctx->p, 1);
114 ctx->qmask = bignum_bitmask(ctx->q);
115 ctx->x = ctx->e = NULL;
116 }
117
118 /*
119 * Initialise DH for a standard group.
120 */
121 void *dh_setup_group(const struct ssh_kex *kex)
122 {
123 struct dh_ctx *ctx = snew(struct dh_ctx);
124 ctx->p = bignum_from_bytes(kex->pdata, kex->plen);
125 ctx->g = bignum_from_bytes(kex->gdata, kex->glen);
126 dh_init(ctx);
127 return ctx;
128 }
129
130 /*
131 * Initialise DH for a server-supplied group.
132 */
133 void *dh_setup_gex(Bignum pval, Bignum gval)
134 {
135 struct dh_ctx *ctx = snew(struct dh_ctx);
136 ctx->p = copybn(pval);
137 ctx->g = copybn(gval);
138 dh_init(ctx);
139 return ctx;
140 }
141
142 /*
143 * Clean up and free a context.
144 */
145 void dh_cleanup(void *handle)
146 {
147 struct dh_ctx *ctx = (struct dh_ctx *)handle;
148 freebn(ctx->x);
149 freebn(ctx->e);
150 freebn(ctx->p);
151 freebn(ctx->g);
152 freebn(ctx->q);
153 freebn(ctx->qmask);
154 sfree(ctx);
155 }
156
157 /*
158 * DH stage 1: invent a number x between 1 and q, and compute e =
159 * g^x mod p. Return e.
160 *
161 * If `nbits' is greater than zero, it is used as an upper limit
162 * for the number of bits in x. This is safe provided that (a) you
163 * use twice as many bits in x as the number of bits you expect to
164 * use in your session key, and (b) the DH group is a safe prime
165 * (which SSH demands that it must be).
166 *
167 * P. C. van Oorschot, M. J. Wiener
168 * "On Diffie-Hellman Key Agreement with Short Exponents".
169 * Advances in Cryptology: Proceedings of Eurocrypt '96
170 * Springer-Verlag, May 1996.
171 */
172 Bignum dh_create_e(void *handle, int nbits)
173 {
174 struct dh_ctx *ctx = (struct dh_ctx *)handle;
175 int i;
176
177 int nbytes;
178 unsigned char *buf;
179
180 nbytes = ssh1_bignum_length(ctx->qmask);
181 buf = snewn(nbytes, unsigned char);
182
183 do {
184 /*
185 * Create a potential x, by ANDing a string of random bytes
186 * with qmask.
187 */
188 if (ctx->x)
189 freebn(ctx->x);
190 if (nbits == 0 || nbits > bignum_bitcount(ctx->qmask)) {
191 ssh1_write_bignum(buf, ctx->qmask);
192 for (i = 2; i < nbytes; i++)
193 buf[i] &= random_byte();
194 ssh1_read_bignum(buf, nbytes, &ctx->x); /* can't fail */
195 } else {
196 int b, nb;
197 ctx->x = bn_power_2(nbits);
198 b = nb = 0;
199 for (i = 0; i < nbits; i++) {
200 if (nb == 0) {
201 nb = 8;
202 b = random_byte();
203 }
204 bignum_set_bit(ctx->x, i, b & 1);
205 b >>= 1;
206 nb--;
207 }
208 }
209 } while (bignum_cmp(ctx->x, One) <= 0 || bignum_cmp(ctx->x, ctx->q) >= 0);
210
211 sfree(buf);
212
213 /*
214 * Done. Now compute e = g^x mod p.
215 */
216 ctx->e = modpow(ctx->g, ctx->x, ctx->p);
217
218 return ctx->e;
219 }
220
221 /*
222 * DH stage 2: given a number f, compute K = f^x mod p.
223 */
224 Bignum dh_find_K(void *handle, Bignum f)
225 {
226 struct dh_ctx *ctx = (struct dh_ctx *)handle;
227 Bignum ret;
228 ret = modpow(f, ctx->x, ctx->p);
229 return ret;
230 }
Local modifications for Simon Tatham's `PuTTY' SSH client and terminal emulator