X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=ssh.c;h=c4c4fb9054e2aa7f2f3dbbbd0aa226e4cb7fa9d8;hb=f004bcca17a789356c32527a396b68b71a773db2;hp=a7f5882f7dff2f87319578f8c559a884174e53cc;hpb=f45423544437d117d103a3406550dcd535c614b9;p=PuTTY.git

diff --git a/ssh.c b/ssh.c
index a7f5882f..c4c4fb90 100644
--- a/ssh.c
+++ b/ssh.c
@@ -32,6 +32,7 @@ typedef enum {
     SSH2_PKTCTX_NOKEX,
     SSH2_PKTCTX_DHGROUP,
     SSH2_PKTCTX_DHGEX,
+    SSH2_PKTCTX_ECDHKEX,
     SSH2_PKTCTX_RSAKEX
 } Pkt_KCtx;
 typedef enum {
@@ -254,6 +255,8 @@ static char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type)
     translatek(SSH2_MSG_KEXRSA_PUBKEY, SSH2_PKTCTX_RSAKEX);
     translatek(SSH2_MSG_KEXRSA_SECRET, SSH2_PKTCTX_RSAKEX);
     translatek(SSH2_MSG_KEXRSA_DONE, SSH2_PKTCTX_RSAKEX);
+    translatek(SSH2_MSG_KEX_ECDH_INIT, SSH2_PKTCTX_ECDHKEX);
+    translatek(SSH2_MSG_KEX_ECDH_REPLY, SSH2_PKTCTX_ECDHKEX);
     translate(SSH2_MSG_USERAUTH_REQUEST);
     translate(SSH2_MSG_USERAUTH_FAILURE);
     translate(SSH2_MSG_USERAUTH_SUCCESS);
@@ -397,7 +400,10 @@ static void ssh_channel_destroy(struct ssh_channel *c);
 #define OUR_V2_MAXPKT 0x4000UL
 #define OUR_V2_PACKETLIMIT 0x9000UL
 
-const static struct ssh_signkey *hostkey_algs[] = { &ssh_rsa, &ssh_dss };
+const static struct ssh_signkey *hostkey_algs[] = {
+    &ssh_ecdsa_nistp256, &ssh_ecdsa_nistp384, &ssh_ecdsa_nistp521,
+    &ssh_rsa, &ssh_dss
+};
 
 const static struct ssh_mac *macs[] = {
     &ssh_hmac_sha256, &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
@@ -5826,7 +5832,7 @@ static void do_ssh1_connection(Ssh ssh, unsigned char *in, int inlen,
 	ssh_special(ssh, TS_EOF);
 
     if (ssh->ldisc)
-	ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
+	ldisc_echoedit_update(ssh->ldisc);  /* cause ldisc to notice changes */
     ssh->send_ok = 1;
     ssh->channels = newtree234(ssh_channelcmp);
     while (1) {
@@ -5933,7 +5939,8 @@ static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
 /*
  * Utility routine for decoding comma-separated strings in KEXINIT.
  */
-static int in_commasep_string(char *needle, char *haystack, int haylen)
+static int in_commasep_string(char const *needle, char const *haystack,
+			      int haylen)
 {
     int needlen;
     if (!needle || !haystack)	       /* protect against null pointers */
@@ -5964,7 +5971,8 @@ static int in_commasep_string(char *needle, char *haystack, int haylen)
 /*
  * Similar routine for checking whether we have the first string in a list.
  */
-static int first_in_commasep_string(char *needle, char *haystack, int haylen)
+static int first_in_commasep_string(char const *needle, char const *haystack,
+				    int haylen)
 {
     int needlen;
     if (!needle || !haystack)	       /* protect against null pointers */
@@ -5982,6 +5990,19 @@ static int first_in_commasep_string(char *needle, char *haystack, int haylen)
     return 0;
 }
 
+/*
+ * Add a value to the comma-separated string at the end of the packet.
+ * If the value is already in the string, don't bother adding it again.
+ */
+static void ssh2_pkt_addstring_commasep(struct Packet *pkt, const char *data)
+{
+    if (in_commasep_string(data, (char *)pkt->data + pkt->savedpos,
+			   pkt->length - pkt->savedpos)) return;
+    if (pkt->length - pkt->savedpos > 0)
+	ssh_pkt_addstring_str(pkt, ",");
+    ssh_pkt_addstring_str(pkt, data);
+}
+
 
 /*
  * SSH-2 key creation method.
@@ -6037,6 +6058,7 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
 	int hostkeylen, siglen, rsakeylen;
 	void *hkey;		       /* actual host key */
 	void *rsakey;		       /* for RSA kex */
+        void *eckey;                   /* for ECDH kex */
 	unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
 	int n_preferred_kex;
 	const struct ssh_kexes *preferred_kex[KEX_MAX];
@@ -6076,7 +6098,7 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
   begin_key_exchange:
     ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
     {
-	int i, j, k, commalist_started;
+	int i, j, k;
 
 	/*
 	 * Set up the preferred key exchange. (NULL => warn below here)
@@ -6100,6 +6122,10 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
 		s->preferred_kex[s->n_preferred_kex++] =
 		    &ssh_rsa_kex;
 		break;
+              case KEX_ECDH:
+                s->preferred_kex[s->n_preferred_kex++] =
+                    &ssh_ecdh_kex;
+                break;
 	      case KEX_WARN:
 		/* Flag for later. Don't bother if it's the last in
 		 * the list. */
@@ -6170,16 +6196,11 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
 	    ssh2_pkt_addbyte(s->pktout, (unsigned char) random_byte());
 	/* List key exchange algorithms. */
 	ssh2_pkt_addstring_start(s->pktout);
-	commalist_started = 0;
 	for (i = 0; i < s->n_preferred_kex; i++) {
 	    const struct ssh_kexes *k = s->preferred_kex[i];
 	    if (!k) continue;	       /* warning flag */
-	    for (j = 0; j < k->nkexes; j++) {
-		if (commalist_started)
-		    ssh2_pkt_addstring_str(s->pktout, ",");
-		ssh2_pkt_addstring_str(s->pktout, k->list[j]->name);
-		commalist_started = 1;
-	    }
+	    for (j = 0; j < k->nkexes; j++)
+		ssh2_pkt_addstring_commasep(s->pktout, k->list[j]->name);
 	}
 	/* List server host key algorithms. */
         if (!s->got_session_id) {
@@ -6188,11 +6209,8 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
              * we're prepared to cope with.
              */
             ssh2_pkt_addstring_start(s->pktout);
-            for (i = 0; i < lenof(hostkey_algs); i++) {
-                ssh2_pkt_addstring_str(s->pktout, hostkey_algs[i]->name);
-                if (i < lenof(hostkey_algs) - 1)
-                    ssh2_pkt_addstring_str(s->pktout, ",");
-            }
+            for (i = 0; i < lenof(hostkey_algs); i++)
+                ssh2_pkt_addstring_commasep(s->pktout, hostkey_algs[i]->name);
         } else {
             /*
              * In subsequent key exchanges, we list only the kex
@@ -6207,26 +6225,18 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
 	/* List encryption algorithms (client->server then server->client). */
 	for (k = 0; k < 2; k++) {
 	    ssh2_pkt_addstring_start(s->pktout);
-	    commalist_started = 0;
 	    for (i = 0; i < s->n_preferred_ciphers; i++) {
 		const struct ssh2_ciphers *c = s->preferred_ciphers[i];
 		if (!c) continue;	       /* warning flag */
-		for (j = 0; j < c->nciphers; j++) {
-		    if (commalist_started)
-			ssh2_pkt_addstring_str(s->pktout, ",");
-		    ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
-		    commalist_started = 1;
-		}
+		for (j = 0; j < c->nciphers; j++)
+		    ssh2_pkt_addstring_commasep(s->pktout, c->list[j]->name);
 	    }
 	}
 	/* List MAC algorithms (client->server then server->client). */
 	for (j = 0; j < 2; j++) {
 	    ssh2_pkt_addstring_start(s->pktout);
-	    for (i = 0; i < s->nmacs; i++) {
-		ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
-		if (i < s->nmacs - 1)
-		    ssh2_pkt_addstring_str(s->pktout, ",");
-	    }
+	    for (i = 0; i < s->nmacs; i++)
+		ssh2_pkt_addstring_commasep(s->pktout, s->maclist[i]->name);
 	}
 	/* List client->server compression algorithms,
 	 * then server->client compression algorithms. (We use the
@@ -6235,25 +6245,18 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
 	    ssh2_pkt_addstring_start(s->pktout);
 	    assert(lenof(compressions) > 1);
 	    /* Prefer non-delayed versions */
-	    ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
+	    ssh2_pkt_addstring_commasep(s->pktout, s->preferred_comp->name);
 	    /* We don't even list delayed versions of algorithms until
 	     * they're allowed to be used, to avoid a race. See the end of
 	     * this function. */
-	    if (s->userauth_succeeded && s->preferred_comp->delayed_name) {
-		ssh2_pkt_addstring_str(s->pktout, ",");
-		ssh2_pkt_addstring_str(s->pktout,
-				       s->preferred_comp->delayed_name);
-	    }
+	    if (s->userauth_succeeded && s->preferred_comp->delayed_name)
+		ssh2_pkt_addstring_commasep(s->pktout,
+					    s->preferred_comp->delayed_name);
 	    for (i = 0; i < lenof(compressions); i++) {
 		const struct ssh_compress *c = compressions[i];
-		if (c != s->preferred_comp) {
-		    ssh2_pkt_addstring_str(s->pktout, ",");
-		    ssh2_pkt_addstring_str(s->pktout, c->name);
-		    if (s->userauth_succeeded && c->delayed_name) {
-			ssh2_pkt_addstring_str(s->pktout, ",");
-			ssh2_pkt_addstring_str(s->pktout, c->delayed_name);
-		    }
-		}
+		ssh2_pkt_addstring_commasep(s->pktout, c->name);
+		if (s->userauth_succeeded && c->delayed_name)
+		    ssh2_pkt_addstring_commasep(s->pktout, c->delayed_name);
 	    }
 	}
 	/* List client->server languages. Empty list. */
@@ -6666,6 +6669,83 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
             freebn(s->g);
             freebn(s->p);
         }
+    } else if (ssh->kex->main_type == KEXTYPE_ECDH) {
+
+        logeventf(ssh, "Doing ECDH key exchange with hash %s",
+                  ssh->kex->hash->text_name);
+        ssh->pkt_kctx = SSH2_PKTCTX_ECDHKEX;
+
+        s->eckey = NULL;
+        if (!strcmp(ssh->kex->name, "ecdh-sha2-nistp256")) {
+            s->eckey = ssh_ecdhkex_newkey(ec_p256());
+        } else if (!strcmp(ssh->kex->name, "ecdh-sha2-nistp384")) {
+            s->eckey = ssh_ecdhkex_newkey(ec_p384());
+        } else if (!strcmp(ssh->kex->name, "ecdh-sha2-nistp521")) {
+            s->eckey = ssh_ecdhkex_newkey(ec_p521());
+        }
+        if (!s->eckey) {
+            bombout(("Unable to generate key for ECDH"));
+            crStopV;
+        }
+
+        {
+            char *publicPoint;
+            int publicPointLength;
+            publicPoint = ssh_ecdhkex_getpublic(s->eckey, &publicPointLength);
+            if (!publicPoint) {
+                ssh_ecdhkex_freekey(s->eckey);
+                bombout(("Unable to encode public key for ECDH"));
+                crStopV;
+            }
+            s->pktout = ssh2_pkt_init(SSH2_MSG_KEX_ECDH_INIT);
+            ssh2_pkt_addstring_start(s->pktout);
+            ssh2_pkt_addstring_data(s->pktout, publicPoint, publicPointLength);
+            sfree(publicPoint);
+        }
+
+        ssh2_pkt_send_noqueue(ssh, s->pktout);
+
+        crWaitUntilV(pktin);
+        if (pktin->type != SSH2_MSG_KEX_ECDH_REPLY) {
+            ssh_ecdhkex_freekey(s->eckey);
+            bombout(("expected ECDH reply packet from server"));
+            crStopV;
+        }
+
+        ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
+        hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
+        s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
+
+        {
+            char *publicPoint;
+            int publicPointLength;
+            publicPoint = ssh_ecdhkex_getpublic(s->eckey, &publicPointLength);
+            if (!publicPoint) {
+                ssh_ecdhkex_freekey(s->eckey);
+                bombout(("Unable to encode public key for ECDH hash"));
+                crStopV;
+            }
+            hash_string(ssh->kex->hash, ssh->exhash,
+                        publicPoint, publicPointLength);
+            sfree(publicPoint);
+        }
+
+        {
+            char *keydata;
+            int keylen;
+            ssh_pkt_getstring(pktin, &keydata, &keylen);
+            hash_string(ssh->kex->hash, ssh->exhash, keydata, keylen);
+            s->K = ssh_ecdhkex_getkey(s->eckey, keydata, keylen);
+            if (!s->K) {
+                ssh_ecdhkex_freekey(s->eckey);
+                bombout(("point received in ECDH was not valid"));
+                crStopV;
+            }
+        }
+
+        ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
+
+        ssh_ecdhkex_freekey(s->eckey);
     } else {
 	logeventf(ssh, "Doing RSA key exchange with hash %s",
 		  ssh->kex->hash->text_name);
@@ -10246,7 +10326,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
      * Transfer data!
      */
     if (ssh->ldisc)
-	ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
+	ldisc_echoedit_update(ssh->ldisc);  /* cause ldisc to notice changes */
     if (ssh->mainchan)
 	ssh->send_ok = 1;
     while (1) {