xref: /freebsd/crypto/openssh/kex.c (revision 1323ec571215a77ddd21294f0871979d5ad6b992)
1 /* $OpenBSD: kex.c,v 1.172 2022/02/01 23:32:51 djm Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 #include <sys/types.h>
29 #include <errno.h>
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #ifdef HAVE_POLL_H
37 #include <poll.h>
38 #endif
39 
40 #ifdef WITH_OPENSSL
41 #include <openssl/crypto.h>
42 #include <openssl/dh.h>
43 #endif
44 
45 #include "ssh.h"
46 #include "ssh2.h"
47 #include "atomicio.h"
48 #include "version.h"
49 #include "packet.h"
50 #include "compat.h"
51 #include "cipher.h"
52 #include "sshkey.h"
53 #include "kex.h"
54 #include "log.h"
55 #include "mac.h"
56 #include "match.h"
57 #include "misc.h"
58 #include "dispatch.h"
59 #include "monitor.h"
60 
61 #include "ssherr.h"
62 #include "sshbuf.h"
63 #include "digest.h"
64 
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
68 
69 static const char * const proposal_names[PROPOSAL_MAX] = {
70 	"KEX algorithms",
71 	"host key algorithms",
72 	"ciphers ctos",
73 	"ciphers stoc",
74 	"MACs ctos",
75 	"MACs stoc",
76 	"compression ctos",
77 	"compression stoc",
78 	"languages ctos",
79 	"languages stoc",
80 };
81 
82 struct kexalg {
83 	char *name;
84 	u_int type;
85 	int ec_nid;
86 	int hash_alg;
87 };
88 static const struct kexalg kexalgs[] = {
89 #ifdef WITH_OPENSSL
90 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
91 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
92 	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
93 	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
94 	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
95 	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
96 #ifdef HAVE_EVP_SHA256
97 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
98 #endif /* HAVE_EVP_SHA256 */
99 #ifdef OPENSSL_HAS_ECC
100 	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
101 	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
102 	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
103 	    SSH_DIGEST_SHA384 },
104 # ifdef OPENSSL_HAS_NISTP521
105 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
106 	    SSH_DIGEST_SHA512 },
107 # endif /* OPENSSL_HAS_NISTP521 */
108 #endif /* OPENSSL_HAS_ECC */
109 #endif /* WITH_OPENSSL */
110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
111 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
112 	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
113 #ifdef USE_SNTRUP761X25519
114 	{ KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0,
115 	    SSH_DIGEST_SHA512 },
116 #endif
117 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
118 	{ NULL, 0, -1, -1},
119 };
120 
121 char *
122 kex_alg_list(char sep)
123 {
124 	char *ret = NULL, *tmp;
125 	size_t nlen, rlen = 0;
126 	const struct kexalg *k;
127 
128 	for (k = kexalgs; k->name != NULL; k++) {
129 		if (ret != NULL)
130 			ret[rlen++] = sep;
131 		nlen = strlen(k->name);
132 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
133 			free(ret);
134 			return NULL;
135 		}
136 		ret = tmp;
137 		memcpy(ret + rlen, k->name, nlen + 1);
138 		rlen += nlen;
139 	}
140 	return ret;
141 }
142 
143 static const struct kexalg *
144 kex_alg_by_name(const char *name)
145 {
146 	const struct kexalg *k;
147 
148 	for (k = kexalgs; k->name != NULL; k++) {
149 		if (strcmp(k->name, name) == 0)
150 			return k;
151 	}
152 	return NULL;
153 }
154 
155 /* Validate KEX method name list */
156 int
157 kex_names_valid(const char *names)
158 {
159 	char *s, *cp, *p;
160 
161 	if (names == NULL || strcmp(names, "") == 0)
162 		return 0;
163 	if ((s = cp = strdup(names)) == NULL)
164 		return 0;
165 	for ((p = strsep(&cp, ",")); p && *p != '\0';
166 	    (p = strsep(&cp, ","))) {
167 		if (kex_alg_by_name(p) == NULL) {
168 			error("Unsupported KEX algorithm \"%.100s\"", p);
169 			free(s);
170 			return 0;
171 		}
172 	}
173 	debug3("kex names ok: [%s]", names);
174 	free(s);
175 	return 1;
176 }
177 
178 /*
179  * Concatenate algorithm names, avoiding duplicates in the process.
180  * Caller must free returned string.
181  */
182 char *
183 kex_names_cat(const char *a, const char *b)
184 {
185 	char *ret = NULL, *tmp = NULL, *cp, *p, *m;
186 	size_t len;
187 
188 	if (a == NULL || *a == '\0')
189 		return strdup(b);
190 	if (b == NULL || *b == '\0')
191 		return strdup(a);
192 	if (strlen(b) > 1024*1024)
193 		return NULL;
194 	len = strlen(a) + strlen(b) + 2;
195 	if ((tmp = cp = strdup(b)) == NULL ||
196 	    (ret = calloc(1, len)) == NULL) {
197 		free(tmp);
198 		return NULL;
199 	}
200 	strlcpy(ret, a, len);
201 	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
202 		if ((m = match_list(ret, p, NULL)) != NULL) {
203 			free(m);
204 			continue; /* Algorithm already present */
205 		}
206 		if (strlcat(ret, ",", len) >= len ||
207 		    strlcat(ret, p, len) >= len) {
208 			free(tmp);
209 			free(ret);
210 			return NULL; /* Shouldn't happen */
211 		}
212 	}
213 	free(tmp);
214 	return ret;
215 }
216 
217 /*
218  * Assemble a list of algorithms from a default list and a string from a
219  * configuration file. The user-provided string may begin with '+' to
220  * indicate that it should be appended to the default, '-' that the
221  * specified names should be removed, or '^' that they should be placed
222  * at the head.
223  */
224 int
225 kex_assemble_names(char **listp, const char *def, const char *all)
226 {
227 	char *cp, *tmp, *patterns;
228 	char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
229 	int r = SSH_ERR_INTERNAL_ERROR;
230 
231 	if (listp == NULL || def == NULL || all == NULL)
232 		return SSH_ERR_INVALID_ARGUMENT;
233 
234 	if (*listp == NULL || **listp == '\0') {
235 		if ((*listp = strdup(def)) == NULL)
236 			return SSH_ERR_ALLOC_FAIL;
237 		return 0;
238 	}
239 
240 	list = *listp;
241 	*listp = NULL;
242 	if (*list == '+') {
243 		/* Append names to default list */
244 		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
245 			r = SSH_ERR_ALLOC_FAIL;
246 			goto fail;
247 		}
248 		free(list);
249 		list = tmp;
250 	} else if (*list == '-') {
251 		/* Remove names from default list */
252 		if ((*listp = match_filter_denylist(def, list + 1)) == NULL) {
253 			r = SSH_ERR_ALLOC_FAIL;
254 			goto fail;
255 		}
256 		free(list);
257 		/* filtering has already been done */
258 		return 0;
259 	} else if (*list == '^') {
260 		/* Place names at head of default list */
261 		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
262 			r = SSH_ERR_ALLOC_FAIL;
263 			goto fail;
264 		}
265 		free(list);
266 		list = tmp;
267 	} else {
268 		/* Explicit list, overrides default - just use "list" as is */
269 	}
270 
271 	/*
272 	 * The supplied names may be a pattern-list. For the -list case,
273 	 * the patterns are applied above. For the +list and explicit list
274 	 * cases we need to do it now.
275 	 */
276 	ret = NULL;
277 	if ((patterns = opatterns = strdup(list)) == NULL) {
278 		r = SSH_ERR_ALLOC_FAIL;
279 		goto fail;
280 	}
281 	/* Apply positive (i.e. non-negated) patterns from the list */
282 	while ((cp = strsep(&patterns, ",")) != NULL) {
283 		if (*cp == '!') {
284 			/* negated matches are not supported here */
285 			r = SSH_ERR_INVALID_ARGUMENT;
286 			goto fail;
287 		}
288 		free(matching);
289 		if ((matching = match_filter_allowlist(all, cp)) == NULL) {
290 			r = SSH_ERR_ALLOC_FAIL;
291 			goto fail;
292 		}
293 		if ((tmp = kex_names_cat(ret, matching)) == NULL) {
294 			r = SSH_ERR_ALLOC_FAIL;
295 			goto fail;
296 		}
297 		free(ret);
298 		ret = tmp;
299 	}
300 	if (ret == NULL || *ret == '\0') {
301 		/* An empty name-list is an error */
302 		/* XXX better error code? */
303 		r = SSH_ERR_INVALID_ARGUMENT;
304 		goto fail;
305 	}
306 
307 	/* success */
308 	*listp = ret;
309 	ret = NULL;
310 	r = 0;
311 
312  fail:
313 	free(matching);
314 	free(opatterns);
315 	free(list);
316 	free(ret);
317 	return r;
318 }
319 
320 /* put algorithm proposal into buffer */
321 int
322 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
323 {
324 	u_int i;
325 	int r;
326 
327 	sshbuf_reset(b);
328 
329 	/*
330 	 * add a dummy cookie, the cookie will be overwritten by
331 	 * kex_send_kexinit(), each time a kexinit is set
332 	 */
333 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
334 		if ((r = sshbuf_put_u8(b, 0)) != 0)
335 			return r;
336 	}
337 	for (i = 0; i < PROPOSAL_MAX; i++) {
338 		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
339 			return r;
340 	}
341 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
342 	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
343 		return r;
344 	return 0;
345 }
346 
347 /* parse buffer and return algorithm proposal */
348 int
349 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
350 {
351 	struct sshbuf *b = NULL;
352 	u_char v;
353 	u_int i;
354 	char **proposal = NULL;
355 	int r;
356 
357 	*propp = NULL;
358 	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
359 		return SSH_ERR_ALLOC_FAIL;
360 	if ((b = sshbuf_fromb(raw)) == NULL) {
361 		r = SSH_ERR_ALLOC_FAIL;
362 		goto out;
363 	}
364 	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */
365 		error_fr(r, "consume cookie");
366 		goto out;
367 	}
368 	/* extract kex init proposal strings */
369 	for (i = 0; i < PROPOSAL_MAX; i++) {
370 		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) {
371 			error_fr(r, "parse proposal %u", i);
372 			goto out;
373 		}
374 		debug2("%s: %s", proposal_names[i], proposal[i]);
375 	}
376 	/* first kex follows / reserved */
377 	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
378 	    (r = sshbuf_get_u32(b, &i)) != 0) {	/* reserved */
379 		error_fr(r, "parse");
380 		goto out;
381 	}
382 	if (first_kex_follows != NULL)
383 		*first_kex_follows = v;
384 	debug2("first_kex_follows %d ", v);
385 	debug2("reserved %u ", i);
386 	r = 0;
387 	*propp = proposal;
388  out:
389 	if (r != 0 && proposal != NULL)
390 		kex_prop_free(proposal);
391 	sshbuf_free(b);
392 	return r;
393 }
394 
395 void
396 kex_prop_free(char **proposal)
397 {
398 	u_int i;
399 
400 	if (proposal == NULL)
401 		return;
402 	for (i = 0; i < PROPOSAL_MAX; i++)
403 		free(proposal[i]);
404 	free(proposal);
405 }
406 
407 /* ARGSUSED */
408 int
409 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
410 {
411 	int r;
412 
413 	error("kex protocol error: type %d seq %u", type, seq);
414 	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
415 	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
416 	    (r = sshpkt_send(ssh)) != 0)
417 		return r;
418 	return 0;
419 }
420 
421 static void
422 kex_reset_dispatch(struct ssh *ssh)
423 {
424 	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
425 	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
426 }
427 
428 static int
429 kex_send_ext_info(struct ssh *ssh)
430 {
431 	int r;
432 	char *algs;
433 
434 	debug("Sending SSH2_MSG_EXT_INFO");
435 	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
436 		return SSH_ERR_ALLOC_FAIL;
437 	/* XXX filter algs list by allowed pubkey/hostbased types */
438 	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
439 	    (r = sshpkt_put_u32(ssh, 2)) != 0 ||
440 	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
441 	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
442 	    (r = sshpkt_put_cstring(ssh,
443 	    "publickey-hostbound@openssh.com")) != 0 ||
444 	    (r = sshpkt_put_cstring(ssh, "0")) != 0 ||
445 	    (r = sshpkt_send(ssh)) != 0) {
446 		error_fr(r, "compose");
447 		goto out;
448 	}
449 	/* success */
450 	r = 0;
451  out:
452 	free(algs);
453 	return r;
454 }
455 
456 int
457 kex_send_newkeys(struct ssh *ssh)
458 {
459 	int r;
460 
461 	kex_reset_dispatch(ssh);
462 	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
463 	    (r = sshpkt_send(ssh)) != 0)
464 		return r;
465 	debug("SSH2_MSG_NEWKEYS sent");
466 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
467 	if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
468 		if ((r = kex_send_ext_info(ssh)) != 0)
469 			return r;
470 	debug("expecting SSH2_MSG_NEWKEYS");
471 	return 0;
472 }
473 
474 int
475 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
476 {
477 	struct kex *kex = ssh->kex;
478 	u_int32_t i, ninfo;
479 	char *name;
480 	u_char *val;
481 	size_t vlen;
482 	int r;
483 
484 	debug("SSH2_MSG_EXT_INFO received");
485 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
486 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
487 		return r;
488 	for (i = 0; i < ninfo; i++) {
489 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
490 			return r;
491 		if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
492 			free(name);
493 			return r;
494 		}
495 		if (strcmp(name, "server-sig-algs") == 0) {
496 			/* Ensure no \0 lurking in value */
497 			if (memchr(val, '\0', vlen) != NULL) {
498 				error_f("nul byte in %s", name);
499 				return SSH_ERR_INVALID_FORMAT;
500 			}
501 			debug_f("%s=<%s>", name, val);
502 			kex->server_sig_algs = val;
503 			val = NULL;
504 		} else if (strcmp(name,
505 		    "publickey-hostbound@openssh.com") == 0) {
506 			/* XXX refactor */
507 			/* Ensure no \0 lurking in value */
508 			if (memchr(val, '\0', vlen) != NULL) {
509 				error_f("nul byte in %s", name);
510 				return SSH_ERR_INVALID_FORMAT;
511 			}
512 			debug_f("%s=<%s>", name, val);
513 			if (strcmp(val, "0") == 0)
514 				kex->flags |= KEX_HAS_PUBKEY_HOSTBOUND;
515 			else {
516 				debug_f("unsupported version of %s extension",
517 				    name);
518 			}
519 		} else
520 			debug_f("%s (unrecognised)", name);
521 		free(name);
522 		free(val);
523 	}
524 	return sshpkt_get_end(ssh);
525 }
526 
527 static int
528 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
529 {
530 	struct kex *kex = ssh->kex;
531 	int r;
532 
533 	debug("SSH2_MSG_NEWKEYS received");
534 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
535 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
536 	if ((r = sshpkt_get_end(ssh)) != 0)
537 		return r;
538 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
539 		return r;
540 	kex->done = 1;
541 	kex->flags &= ~KEX_INITIAL;
542 	sshbuf_reset(kex->peer);
543 	/* sshbuf_reset(kex->my); */
544 	kex->flags &= ~KEX_INIT_SENT;
545 	free(kex->name);
546 	kex->name = NULL;
547 	return 0;
548 }
549 
550 int
551 kex_send_kexinit(struct ssh *ssh)
552 {
553 	u_char *cookie;
554 	struct kex *kex = ssh->kex;
555 	int r;
556 
557 	if (kex == NULL) {
558 		error_f("no kex");
559 		return SSH_ERR_INTERNAL_ERROR;
560 	}
561 	if (kex->flags & KEX_INIT_SENT)
562 		return 0;
563 	kex->done = 0;
564 
565 	/* generate a random cookie */
566 	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) {
567 		error_f("bad kex length: %zu < %d",
568 		    sshbuf_len(kex->my), KEX_COOKIE_LEN);
569 		return SSH_ERR_INVALID_FORMAT;
570 	}
571 	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) {
572 		error_f("buffer error");
573 		return SSH_ERR_INTERNAL_ERROR;
574 	}
575 	arc4random_buf(cookie, KEX_COOKIE_LEN);
576 
577 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
578 	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
579 	    (r = sshpkt_send(ssh)) != 0) {
580 		error_fr(r, "compose reply");
581 		return r;
582 	}
583 	debug("SSH2_MSG_KEXINIT sent");
584 	kex->flags |= KEX_INIT_SENT;
585 	return 0;
586 }
587 
588 /* ARGSUSED */
589 int
590 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
591 {
592 	struct kex *kex = ssh->kex;
593 	const u_char *ptr;
594 	u_int i;
595 	size_t dlen;
596 	int r;
597 
598 	debug("SSH2_MSG_KEXINIT received");
599 	if (kex == NULL) {
600 		error_f("no kex");
601 		return SSH_ERR_INTERNAL_ERROR;
602 	}
603 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
604 	ptr = sshpkt_ptr(ssh, &dlen);
605 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
606 		return r;
607 
608 	/* discard packet */
609 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
610 		if ((r = sshpkt_get_u8(ssh, NULL)) != 0) {
611 			error_fr(r, "discard cookie");
612 			return r;
613 		}
614 	}
615 	for (i = 0; i < PROPOSAL_MAX; i++) {
616 		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
617 			error_fr(r, "discard proposal");
618 			return r;
619 		}
620 	}
621 	/*
622 	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
623 	 * KEX method has the server move first, but a server might be using
624 	 * a custom method or one that we otherwise don't support. We should
625 	 * be prepared to remember first_kex_follows here so we can eat a
626 	 * packet later.
627 	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
628 	 * for cases where the server *doesn't* go first. I guess we should
629 	 * ignore it when it is set for these cases, which is what we do now.
630 	 */
631 	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
632 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
633 	    (r = sshpkt_get_end(ssh)) != 0)
634 			return r;
635 
636 	if (!(kex->flags & KEX_INIT_SENT))
637 		if ((r = kex_send_kexinit(ssh)) != 0)
638 			return r;
639 	if ((r = kex_choose_conf(ssh)) != 0)
640 		return r;
641 
642 	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
643 		return (kex->kex[kex->kex_type])(ssh);
644 
645 	error_f("unknown kex type %u", kex->kex_type);
646 	return SSH_ERR_INTERNAL_ERROR;
647 }
648 
649 struct kex *
650 kex_new(void)
651 {
652 	struct kex *kex;
653 
654 	if ((kex = calloc(1, sizeof(*kex))) == NULL ||
655 	    (kex->peer = sshbuf_new()) == NULL ||
656 	    (kex->my = sshbuf_new()) == NULL ||
657 	    (kex->client_version = sshbuf_new()) == NULL ||
658 	    (kex->server_version = sshbuf_new()) == NULL ||
659 	    (kex->session_id = sshbuf_new()) == NULL) {
660 		kex_free(kex);
661 		return NULL;
662 	}
663 	return kex;
664 }
665 
666 void
667 kex_free_newkeys(struct newkeys *newkeys)
668 {
669 	if (newkeys == NULL)
670 		return;
671 	if (newkeys->enc.key) {
672 		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
673 		free(newkeys->enc.key);
674 		newkeys->enc.key = NULL;
675 	}
676 	if (newkeys->enc.iv) {
677 		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
678 		free(newkeys->enc.iv);
679 		newkeys->enc.iv = NULL;
680 	}
681 	free(newkeys->enc.name);
682 	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
683 	free(newkeys->comp.name);
684 	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
685 	mac_clear(&newkeys->mac);
686 	if (newkeys->mac.key) {
687 		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
688 		free(newkeys->mac.key);
689 		newkeys->mac.key = NULL;
690 	}
691 	free(newkeys->mac.name);
692 	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
693 	freezero(newkeys, sizeof(*newkeys));
694 }
695 
696 void
697 kex_free(struct kex *kex)
698 {
699 	u_int mode;
700 
701 	if (kex == NULL)
702 		return;
703 
704 #ifdef WITH_OPENSSL
705 	DH_free(kex->dh);
706 #ifdef OPENSSL_HAS_ECC
707 	EC_KEY_free(kex->ec_client_key);
708 #endif /* OPENSSL_HAS_ECC */
709 #endif /* WITH_OPENSSL */
710 	for (mode = 0; mode < MODE_MAX; mode++) {
711 		kex_free_newkeys(kex->newkeys[mode]);
712 		kex->newkeys[mode] = NULL;
713 	}
714 	sshbuf_free(kex->peer);
715 	sshbuf_free(kex->my);
716 	sshbuf_free(kex->client_version);
717 	sshbuf_free(kex->server_version);
718 	sshbuf_free(kex->client_pub);
719 	sshbuf_free(kex->session_id);
720 	sshbuf_free(kex->initial_sig);
721 	sshkey_free(kex->initial_hostkey);
722 	free(kex->failed_choice);
723 	free(kex->hostkey_alg);
724 	free(kex->name);
725 	free(kex);
726 }
727 
728 int
729 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
730 {
731 	int r;
732 
733 	if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
734 		return r;
735 	ssh->kex->flags = KEX_INITIAL;
736 	kex_reset_dispatch(ssh);
737 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
738 	return 0;
739 }
740 
741 int
742 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
743 {
744 	int r;
745 
746 	if ((r = kex_ready(ssh, proposal)) != 0)
747 		return r;
748 	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
749 		kex_free(ssh->kex);
750 		ssh->kex = NULL;
751 		return r;
752 	}
753 	return 0;
754 }
755 
756 /*
757  * Request key re-exchange, returns 0 on success or a ssherr.h error
758  * code otherwise. Must not be called if KEX is incomplete or in-progress.
759  */
760 int
761 kex_start_rekex(struct ssh *ssh)
762 {
763 	if (ssh->kex == NULL) {
764 		error_f("no kex");
765 		return SSH_ERR_INTERNAL_ERROR;
766 	}
767 	if (ssh->kex->done == 0) {
768 		error_f("requested twice");
769 		return SSH_ERR_INTERNAL_ERROR;
770 	}
771 	ssh->kex->done = 0;
772 	return kex_send_kexinit(ssh);
773 }
774 
775 static int
776 choose_enc(struct sshenc *enc, char *client, char *server)
777 {
778 	char *name = match_list(client, server, NULL);
779 
780 	if (name == NULL)
781 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
782 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
783 		error_f("unsupported cipher %s", name);
784 		free(name);
785 		return SSH_ERR_INTERNAL_ERROR;
786 	}
787 	enc->name = name;
788 	enc->enabled = 0;
789 	enc->iv = NULL;
790 	enc->iv_len = cipher_ivlen(enc->cipher);
791 	enc->key = NULL;
792 	enc->key_len = cipher_keylen(enc->cipher);
793 	enc->block_size = cipher_blocksize(enc->cipher);
794 	return 0;
795 }
796 
797 static int
798 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
799 {
800 	char *name = match_list(client, server, NULL);
801 
802 	if (name == NULL)
803 		return SSH_ERR_NO_MAC_ALG_MATCH;
804 	if (mac_setup(mac, name) < 0) {
805 		error_f("unsupported MAC %s", name);
806 		free(name);
807 		return SSH_ERR_INTERNAL_ERROR;
808 	}
809 	mac->name = name;
810 	mac->key = NULL;
811 	mac->enabled = 0;
812 	return 0;
813 }
814 
815 static int
816 choose_comp(struct sshcomp *comp, char *client, char *server)
817 {
818 	char *name = match_list(client, server, NULL);
819 
820 	if (name == NULL)
821 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
822 #ifdef WITH_ZLIB
823 	if (strcmp(name, "zlib@openssh.com") == 0) {
824 		comp->type = COMP_DELAYED;
825 	} else if (strcmp(name, "zlib") == 0) {
826 		comp->type = COMP_ZLIB;
827 	} else
828 #endif	/* WITH_ZLIB */
829 	if (strcmp(name, "none") == 0) {
830 		comp->type = COMP_NONE;
831 	} else {
832 		error_f("unsupported compression scheme %s", name);
833 		free(name);
834 		return SSH_ERR_INTERNAL_ERROR;
835 	}
836 	comp->name = name;
837 	return 0;
838 }
839 
840 static int
841 choose_kex(struct kex *k, char *client, char *server)
842 {
843 	const struct kexalg *kexalg;
844 
845 	k->name = match_list(client, server, NULL);
846 
847 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
848 	if (k->name == NULL)
849 		return SSH_ERR_NO_KEX_ALG_MATCH;
850 	if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
851 		error_f("unsupported KEX method %s", k->name);
852 		return SSH_ERR_INTERNAL_ERROR;
853 	}
854 	k->kex_type = kexalg->type;
855 	k->hash_alg = kexalg->hash_alg;
856 	k->ec_nid = kexalg->ec_nid;
857 	return 0;
858 }
859 
860 static int
861 choose_hostkeyalg(struct kex *k, char *client, char *server)
862 {
863 	free(k->hostkey_alg);
864 	k->hostkey_alg = match_list(client, server, NULL);
865 
866 	debug("kex: host key algorithm: %s",
867 	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
868 	if (k->hostkey_alg == NULL)
869 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
870 	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
871 	if (k->hostkey_type == KEY_UNSPEC) {
872 		error_f("unsupported hostkey algorithm %s", k->hostkey_alg);
873 		return SSH_ERR_INTERNAL_ERROR;
874 	}
875 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
876 	return 0;
877 }
878 
879 static int
880 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
881 {
882 	static int check[] = {
883 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
884 	};
885 	int *idx;
886 	char *p;
887 
888 	for (idx = &check[0]; *idx != -1; idx++) {
889 		if ((p = strchr(my[*idx], ',')) != NULL)
890 			*p = '\0';
891 		if ((p = strchr(peer[*idx], ',')) != NULL)
892 			*p = '\0';
893 		if (strcmp(my[*idx], peer[*idx]) != 0) {
894 			debug2("proposal mismatch: my %s peer %s",
895 			    my[*idx], peer[*idx]);
896 			return (0);
897 		}
898 	}
899 	debug2("proposals match");
900 	return (1);
901 }
902 
903 /* returns non-zero if proposal contains any algorithm from algs */
904 static int
905 has_any_alg(const char *proposal, const char *algs)
906 {
907 	char *cp;
908 
909 	if ((cp = match_list(proposal, algs, NULL)) == NULL)
910 		return 0;
911 	free(cp);
912 	return 1;
913 }
914 
915 static int
916 kex_choose_conf(struct ssh *ssh)
917 {
918 	struct kex *kex = ssh->kex;
919 	struct newkeys *newkeys;
920 	char **my = NULL, **peer = NULL;
921 	char **cprop, **sprop;
922 	int nenc, nmac, ncomp;
923 	u_int mode, ctos, need, dh_need, authlen;
924 	int r, first_kex_follows;
925 
926 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
927 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
928 		goto out;
929 	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
930 	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
931 		goto out;
932 
933 	if (kex->server) {
934 		cprop=peer;
935 		sprop=my;
936 	} else {
937 		cprop=my;
938 		sprop=peer;
939 	}
940 
941 	/* Check whether client supports ext_info_c */
942 	if (kex->server && (kex->flags & KEX_INITIAL)) {
943 		char *ext;
944 
945 		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
946 		kex->ext_info_c = (ext != NULL);
947 		free(ext);
948 	}
949 
950 	/* Check whether client supports rsa-sha2 algorithms */
951 	if (kex->server && (kex->flags & KEX_INITIAL)) {
952 		if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
953 		    "rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com"))
954 			kex->flags |= KEX_RSA_SHA2_256_SUPPORTED;
955 		if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
956 		    "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com"))
957 			kex->flags |= KEX_RSA_SHA2_512_SUPPORTED;
958 	}
959 
960 	/* Algorithm Negotiation */
961 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
962 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
963 		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
964 		peer[PROPOSAL_KEX_ALGS] = NULL;
965 		goto out;
966 	}
967 	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
968 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
969 		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
970 		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
971 		goto out;
972 	}
973 	for (mode = 0; mode < MODE_MAX; mode++) {
974 		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
975 			r = SSH_ERR_ALLOC_FAIL;
976 			goto out;
977 		}
978 		kex->newkeys[mode] = newkeys;
979 		ctos = (!kex->server && mode == MODE_OUT) ||
980 		    (kex->server && mode == MODE_IN);
981 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
982 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
983 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
984 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
985 		    sprop[nenc])) != 0) {
986 			kex->failed_choice = peer[nenc];
987 			peer[nenc] = NULL;
988 			goto out;
989 		}
990 		authlen = cipher_authlen(newkeys->enc.cipher);
991 		/* ignore mac for authenticated encryption */
992 		if (authlen == 0 &&
993 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
994 		    sprop[nmac])) != 0) {
995 			kex->failed_choice = peer[nmac];
996 			peer[nmac] = NULL;
997 			goto out;
998 		}
999 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
1000 		    sprop[ncomp])) != 0) {
1001 			kex->failed_choice = peer[ncomp];
1002 			peer[ncomp] = NULL;
1003 			goto out;
1004 		}
1005 		debug("kex: %s cipher: %s MAC: %s compression: %s",
1006 		    ctos ? "client->server" : "server->client",
1007 		    newkeys->enc.name,
1008 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
1009 		    newkeys->comp.name);
1010 	}
1011 	need = dh_need = 0;
1012 	for (mode = 0; mode < MODE_MAX; mode++) {
1013 		newkeys = kex->newkeys[mode];
1014 		need = MAXIMUM(need, newkeys->enc.key_len);
1015 		need = MAXIMUM(need, newkeys->enc.block_size);
1016 		need = MAXIMUM(need, newkeys->enc.iv_len);
1017 		need = MAXIMUM(need, newkeys->mac.key_len);
1018 		dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
1019 		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
1020 		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
1021 		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
1022 	}
1023 	/* XXX need runden? */
1024 	kex->we_need = need;
1025 	kex->dh_need = dh_need;
1026 
1027 	/* ignore the next message if the proposals do not match */
1028 	if (first_kex_follows && !proposals_match(my, peer))
1029 		ssh->dispatch_skip_packets = 1;
1030 	r = 0;
1031  out:
1032 	kex_prop_free(my);
1033 	kex_prop_free(peer);
1034 	return r;
1035 }
1036 
1037 static int
1038 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
1039     const struct sshbuf *shared_secret, u_char **keyp)
1040 {
1041 	struct kex *kex = ssh->kex;
1042 	struct ssh_digest_ctx *hashctx = NULL;
1043 	char c = id;
1044 	u_int have;
1045 	size_t mdsz;
1046 	u_char *digest;
1047 	int r;
1048 
1049 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
1050 		return SSH_ERR_INVALID_ARGUMENT;
1051 	if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
1052 		r = SSH_ERR_ALLOC_FAIL;
1053 		goto out;
1054 	}
1055 
1056 	/* K1 = HASH(K || H || "A" || session_id) */
1057 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1058 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1059 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1060 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
1061 	    ssh_digest_update_buffer(hashctx, kex->session_id) != 0 ||
1062 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
1063 		r = SSH_ERR_LIBCRYPTO_ERROR;
1064 		error_f("KEX hash failed");
1065 		goto out;
1066 	}
1067 	ssh_digest_free(hashctx);
1068 	hashctx = NULL;
1069 
1070 	/*
1071 	 * expand key:
1072 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
1073 	 * Key = K1 || K2 || ... || Kn
1074 	 */
1075 	for (have = mdsz; need > have; have += mdsz) {
1076 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1077 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1078 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1079 		    ssh_digest_update(hashctx, digest, have) != 0 ||
1080 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
1081 			error_f("KDF failed");
1082 			r = SSH_ERR_LIBCRYPTO_ERROR;
1083 			goto out;
1084 		}
1085 		ssh_digest_free(hashctx);
1086 		hashctx = NULL;
1087 	}
1088 #ifdef DEBUG_KEX
1089 	fprintf(stderr, "key '%c'== ", c);
1090 	dump_digest("key", digest, need);
1091 #endif
1092 	*keyp = digest;
1093 	digest = NULL;
1094 	r = 0;
1095  out:
1096 	free(digest);
1097 	ssh_digest_free(hashctx);
1098 	return r;
1099 }
1100 
1101 #define NKEYS	6
1102 int
1103 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
1104     const struct sshbuf *shared_secret)
1105 {
1106 	struct kex *kex = ssh->kex;
1107 	u_char *keys[NKEYS];
1108 	u_int i, j, mode, ctos;
1109 	int r;
1110 
1111 	/* save initial hash as session id */
1112 	if ((kex->flags & KEX_INITIAL) != 0) {
1113 		if (sshbuf_len(kex->session_id) != 0) {
1114 			error_f("already have session ID at kex");
1115 			return SSH_ERR_INTERNAL_ERROR;
1116 		}
1117 		if ((r = sshbuf_put(kex->session_id, hash, hashlen)) != 0)
1118 			return r;
1119 	} else if (sshbuf_len(kex->session_id) == 0) {
1120 		error_f("no session ID in rekex");
1121 		return SSH_ERR_INTERNAL_ERROR;
1122 	}
1123 	for (i = 0; i < NKEYS; i++) {
1124 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1125 		    shared_secret, &keys[i])) != 0) {
1126 			for (j = 0; j < i; j++)
1127 				free(keys[j]);
1128 			return r;
1129 		}
1130 	}
1131 	for (mode = 0; mode < MODE_MAX; mode++) {
1132 		ctos = (!kex->server && mode == MODE_OUT) ||
1133 		    (kex->server && mode == MODE_IN);
1134 		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
1135 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1136 		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1137 	}
1138 	return 0;
1139 }
1140 
1141 int
1142 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
1143 {
1144 	struct kex *kex = ssh->kex;
1145 
1146 	*pubp = NULL;
1147 	*prvp = NULL;
1148 	if (kex->load_host_public_key == NULL ||
1149 	    kex->load_host_private_key == NULL) {
1150 		error_f("missing hostkey loader");
1151 		return SSH_ERR_INVALID_ARGUMENT;
1152 	}
1153 	*pubp = kex->load_host_public_key(kex->hostkey_type,
1154 	    kex->hostkey_nid, ssh);
1155 	*prvp = kex->load_host_private_key(kex->hostkey_type,
1156 	    kex->hostkey_nid, ssh);
1157 	if (*pubp == NULL)
1158 		return SSH_ERR_NO_HOSTKEY_LOADED;
1159 	return 0;
1160 }
1161 
1162 int
1163 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
1164 {
1165 	struct kex *kex = ssh->kex;
1166 
1167 	if (kex->verify_host_key == NULL) {
1168 		error_f("missing hostkey verifier");
1169 		return SSH_ERR_INVALID_ARGUMENT;
1170 	}
1171 	if (server_host_key->type != kex->hostkey_type ||
1172 	    (kex->hostkey_type == KEY_ECDSA &&
1173 	    server_host_key->ecdsa_nid != kex->hostkey_nid))
1174 		return SSH_ERR_KEY_TYPE_MISMATCH;
1175 	if (kex->verify_host_key(server_host_key, ssh) == -1)
1176 		return  SSH_ERR_SIGNATURE_INVALID;
1177 	return 0;
1178 }
1179 
1180 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1181 void
1182 dump_digest(const char *msg, const u_char *digest, int len)
1183 {
1184 	fprintf(stderr, "%s\n", msg);
1185 	sshbuf_dump_data(digest, len, stderr);
1186 }
1187 #endif
1188 
1189 /*
1190  * Send a plaintext error message to the peer, suffixed by \r\n.
1191  * Only used during banner exchange, and there only for the server.
1192  */
1193 static void
1194 send_error(struct ssh *ssh, char *msg)
1195 {
1196 	char *crnl = "\r\n";
1197 
1198 	if (!ssh->kex->server)
1199 		return;
1200 
1201 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1202 	    msg, strlen(msg)) != strlen(msg) ||
1203 	    atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1204 	    crnl, strlen(crnl)) != strlen(crnl))
1205 		error_f("write: %.100s", strerror(errno));
1206 }
1207 
1208 /*
1209  * Sends our identification string and waits for the peer's. Will block for
1210  * up to timeout_ms (or indefinitely if timeout_ms <= 0).
1211  * Returns on 0 success or a ssherr.h code on failure.
1212  */
1213 int
1214 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
1215     const char *version_addendum)
1216 {
1217 	int remote_major, remote_minor, mismatch, oerrno = 0;
1218 	size_t len, i, n;
1219 	int r, expect_nl;
1220 	u_char c;
1221 	struct sshbuf *our_version = ssh->kex->server ?
1222 	    ssh->kex->server_version : ssh->kex->client_version;
1223 	struct sshbuf *peer_version = ssh->kex->server ?
1224 	    ssh->kex->client_version : ssh->kex->server_version;
1225 	char *our_version_string = NULL, *peer_version_string = NULL;
1226 	char *cp, *remote_version = NULL;
1227 
1228 	/* Prepare and send our banner */
1229 	sshbuf_reset(our_version);
1230 	if (version_addendum != NULL && *version_addendum == '\0')
1231 		version_addendum = NULL;
1232 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
1233 	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
1234 	    version_addendum == NULL ? "" : " ",
1235 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
1236 		oerrno = errno;
1237 		error_fr(r, "sshbuf_putf");
1238 		goto out;
1239 	}
1240 
1241 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1242 	    sshbuf_mutable_ptr(our_version),
1243 	    sshbuf_len(our_version)) != sshbuf_len(our_version)) {
1244 		oerrno = errno;
1245 		debug_f("write: %.100s", strerror(errno));
1246 		r = SSH_ERR_SYSTEM_ERROR;
1247 		goto out;
1248 	}
1249 	if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
1250 		oerrno = errno;
1251 		error_fr(r, "sshbuf_consume_end");
1252 		goto out;
1253 	}
1254 	our_version_string = sshbuf_dup_string(our_version);
1255 	if (our_version_string == NULL) {
1256 		error_f("sshbuf_dup_string failed");
1257 		r = SSH_ERR_ALLOC_FAIL;
1258 		goto out;
1259 	}
1260 	debug("Local version string %.100s", our_version_string);
1261 
1262 	/* Read other side's version identification. */
1263 	for (n = 0; ; n++) {
1264 		if (n >= SSH_MAX_PRE_BANNER_LINES) {
1265 			send_error(ssh, "No SSH identification string "
1266 			    "received.");
1267 			error_f("No SSH version received in first %u lines "
1268 			    "from server", SSH_MAX_PRE_BANNER_LINES);
1269 			r = SSH_ERR_INVALID_FORMAT;
1270 			goto out;
1271 		}
1272 		sshbuf_reset(peer_version);
1273 		expect_nl = 0;
1274 		for (i = 0; ; i++) {
1275 			if (timeout_ms > 0) {
1276 				r = waitrfd(ssh_packet_get_connection_in(ssh),
1277 				    &timeout_ms);
1278 				if (r == -1 && errno == ETIMEDOUT) {
1279 					send_error(ssh, "Timed out waiting "
1280 					    "for SSH identification string.");
1281 					error("Connection timed out during "
1282 					    "banner exchange");
1283 					r = SSH_ERR_CONN_TIMEOUT;
1284 					goto out;
1285 				} else if (r == -1) {
1286 					oerrno = errno;
1287 					error_f("%s", strerror(errno));
1288 					r = SSH_ERR_SYSTEM_ERROR;
1289 					goto out;
1290 				}
1291 			}
1292 
1293 			len = atomicio(read, ssh_packet_get_connection_in(ssh),
1294 			    &c, 1);
1295 			if (len != 1 && errno == EPIPE) {
1296 				error_f("Connection closed by remote host");
1297 				r = SSH_ERR_CONN_CLOSED;
1298 				goto out;
1299 			} else if (len != 1) {
1300 				oerrno = errno;
1301 				error_f("read: %.100s", strerror(errno));
1302 				r = SSH_ERR_SYSTEM_ERROR;
1303 				goto out;
1304 			}
1305 			if (c == '\r') {
1306 				expect_nl = 1;
1307 				continue;
1308 			}
1309 			if (c == '\n')
1310 				break;
1311 			if (c == '\0' || expect_nl) {
1312 				error_f("banner line contains invalid "
1313 				    "characters");
1314 				goto invalid;
1315 			}
1316 			if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
1317 				oerrno = errno;
1318 				error_fr(r, "sshbuf_put");
1319 				goto out;
1320 			}
1321 			if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
1322 				error_f("banner line too long");
1323 				goto invalid;
1324 			}
1325 		}
1326 		/* Is this an actual protocol banner? */
1327 		if (sshbuf_len(peer_version) > 4 &&
1328 		    memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
1329 			break;
1330 		/* If not, then just log the line and continue */
1331 		if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
1332 			error_f("sshbuf_dup_string failed");
1333 			r = SSH_ERR_ALLOC_FAIL;
1334 			goto out;
1335 		}
1336 		/* Do not accept lines before the SSH ident from a client */
1337 		if (ssh->kex->server) {
1338 			error_f("client sent invalid protocol identifier "
1339 			    "\"%.256s\"", cp);
1340 			free(cp);
1341 			goto invalid;
1342 		}
1343 		debug_f("banner line %zu: %s", n, cp);
1344 		free(cp);
1345 	}
1346 	peer_version_string = sshbuf_dup_string(peer_version);
1347 	if (peer_version_string == NULL)
1348 		error_f("sshbuf_dup_string failed");
1349 	/* XXX must be same size for sscanf */
1350 	if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
1351 		error_f("calloc failed");
1352 		r = SSH_ERR_ALLOC_FAIL;
1353 		goto out;
1354 	}
1355 
1356 	/*
1357 	 * Check that the versions match.  In future this might accept
1358 	 * several versions and set appropriate flags to handle them.
1359 	 */
1360 	if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
1361 	    &remote_major, &remote_minor, remote_version) != 3) {
1362 		error("Bad remote protocol version identification: '%.100s'",
1363 		    peer_version_string);
1364  invalid:
1365 		send_error(ssh, "Invalid SSH identification string.");
1366 		r = SSH_ERR_INVALID_FORMAT;
1367 		goto out;
1368 	}
1369 	debug("Remote protocol version %d.%d, remote software version %.100s",
1370 	    remote_major, remote_minor, remote_version);
1371 	compat_banner(ssh, remote_version);
1372 
1373 	mismatch = 0;
1374 	switch (remote_major) {
1375 	case 2:
1376 		break;
1377 	case 1:
1378 		if (remote_minor != 99)
1379 			mismatch = 1;
1380 		break;
1381 	default:
1382 		mismatch = 1;
1383 		break;
1384 	}
1385 	if (mismatch) {
1386 		error("Protocol major versions differ: %d vs. %d",
1387 		    PROTOCOL_MAJOR_2, remote_major);
1388 		send_error(ssh, "Protocol major versions differ.");
1389 		r = SSH_ERR_NO_PROTOCOL_VERSION;
1390 		goto out;
1391 	}
1392 
1393 	if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
1394 		logit("probed from %s port %d with %s.  Don't panic.",
1395 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1396 		    peer_version_string);
1397 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1398 		goto out;
1399 	}
1400 	if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
1401 		logit("scanned from %s port %d with %s.  Don't panic.",
1402 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1403 		    peer_version_string);
1404 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1405 		goto out;
1406 	}
1407 	if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
1408 		logit("Remote version \"%.100s\" uses unsafe RSA signature "
1409 		    "scheme; disabling use of RSA keys", remote_version);
1410 	}
1411 	/* success */
1412 	r = 0;
1413  out:
1414 	free(our_version_string);
1415 	free(peer_version_string);
1416 	free(remote_version);
1417 	if (r == SSH_ERR_SYSTEM_ERROR)
1418 		errno = oerrno;
1419 	return r;
1420 }
1421 
1422