xref: /freebsd/crypto/openssh/kex.c (revision 2284664ef9fcb0baaf59f1ef7df877c0b0f2b187)
1 /* $OpenBSD: kex.c,v 1.141 2018/07/09 13:37:10 sf Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 
29 #include <signal.h>
30 #include <stdarg.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 
35 #ifdef WITH_OPENSSL
36 #include <openssl/crypto.h>
37 #include <openssl/dh.h>
38 #endif
39 
40 #include "ssh2.h"
41 #include "packet.h"
42 #include "compat.h"
43 #include "cipher.h"
44 #include "sshkey.h"
45 #include "kex.h"
46 #include "log.h"
47 #include "mac.h"
48 #include "match.h"
49 #include "misc.h"
50 #include "dispatch.h"
51 #include "monitor.h"
52 
53 #include "ssherr.h"
54 #include "sshbuf.h"
55 #include "digest.h"
56 
57 /* prototype */
58 static int kex_choose_conf(struct ssh *);
59 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
60 
61 static const char *proposal_names[PROPOSAL_MAX] = {
62 	"KEX algorithms",
63 	"host key algorithms",
64 	"ciphers ctos",
65 	"ciphers stoc",
66 	"MACs ctos",
67 	"MACs stoc",
68 	"compression ctos",
69 	"compression stoc",
70 	"languages ctos",
71 	"languages stoc",
72 };
73 
74 struct kexalg {
75 	char *name;
76 	u_int type;
77 	int ec_nid;
78 	int hash_alg;
79 };
80 static const struct kexalg kexalgs[] = {
81 #ifdef WITH_OPENSSL
82 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
83 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
84 	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
85 	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
86 	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
87 	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
88 #ifdef HAVE_EVP_SHA256
89 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
90 #endif /* HAVE_EVP_SHA256 */
91 #ifdef OPENSSL_HAS_ECC
92 	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
93 	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
94 	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
95 	    SSH_DIGEST_SHA384 },
96 # ifdef OPENSSL_HAS_NISTP521
97 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
98 	    SSH_DIGEST_SHA512 },
99 # endif /* OPENSSL_HAS_NISTP521 */
100 #endif /* OPENSSL_HAS_ECC */
101 #endif /* WITH_OPENSSL */
102 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
103 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
104 	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
105 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
106 	{ NULL, -1, -1, -1},
107 };
108 
109 char *
110 kex_alg_list(char sep)
111 {
112 	char *ret = NULL, *tmp;
113 	size_t nlen, rlen = 0;
114 	const struct kexalg *k;
115 
116 	for (k = kexalgs; k->name != NULL; k++) {
117 		if (ret != NULL)
118 			ret[rlen++] = sep;
119 		nlen = strlen(k->name);
120 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
121 			free(ret);
122 			return NULL;
123 		}
124 		ret = tmp;
125 		memcpy(ret + rlen, k->name, nlen + 1);
126 		rlen += nlen;
127 	}
128 	return ret;
129 }
130 
131 static const struct kexalg *
132 kex_alg_by_name(const char *name)
133 {
134 	const struct kexalg *k;
135 
136 	for (k = kexalgs; k->name != NULL; k++) {
137 		if (strcmp(k->name, name) == 0)
138 			return k;
139 	}
140 	return NULL;
141 }
142 
143 /* Validate KEX method name list */
144 int
145 kex_names_valid(const char *names)
146 {
147 	char *s, *cp, *p;
148 
149 	if (names == NULL || strcmp(names, "") == 0)
150 		return 0;
151 	if ((s = cp = strdup(names)) == NULL)
152 		return 0;
153 	for ((p = strsep(&cp, ",")); p && *p != '\0';
154 	    (p = strsep(&cp, ","))) {
155 		if (kex_alg_by_name(p) == NULL) {
156 			error("Unsupported KEX algorithm \"%.100s\"", p);
157 			free(s);
158 			return 0;
159 		}
160 	}
161 	debug3("kex names ok: [%s]", names);
162 	free(s);
163 	return 1;
164 }
165 
166 /*
167  * Concatenate algorithm names, avoiding duplicates in the process.
168  * Caller must free returned string.
169  */
170 char *
171 kex_names_cat(const char *a, const char *b)
172 {
173 	char *ret = NULL, *tmp = NULL, *cp, *p, *m;
174 	size_t len;
175 
176 	if (a == NULL || *a == '\0')
177 		return strdup(b);
178 	if (b == NULL || *b == '\0')
179 		return strdup(a);
180 	if (strlen(b) > 1024*1024)
181 		return NULL;
182 	len = strlen(a) + strlen(b) + 2;
183 	if ((tmp = cp = strdup(b)) == NULL ||
184 	    (ret = calloc(1, len)) == NULL) {
185 		free(tmp);
186 		return NULL;
187 	}
188 	strlcpy(ret, a, len);
189 	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
190 		if ((m = match_list(ret, p, NULL)) != NULL) {
191 			free(m);
192 			continue; /* Algorithm already present */
193 		}
194 		if (strlcat(ret, ",", len) >= len ||
195 		    strlcat(ret, p, len) >= len) {
196 			free(tmp);
197 			free(ret);
198 			return NULL; /* Shouldn't happen */
199 		}
200 	}
201 	free(tmp);
202 	return ret;
203 }
204 
205 /*
206  * Assemble a list of algorithms from a default list and a string from a
207  * configuration file. The user-provided string may begin with '+' to
208  * indicate that it should be appended to the default or '-' that the
209  * specified names should be removed.
210  */
211 int
212 kex_assemble_names(char **listp, const char *def, const char *all)
213 {
214 	char *cp, *tmp, *patterns;
215 	char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
216 	int r = SSH_ERR_INTERNAL_ERROR;
217 
218 	if (listp == NULL || *listp == NULL || **listp == '\0') {
219 		if ((*listp = strdup(def)) == NULL)
220 			return SSH_ERR_ALLOC_FAIL;
221 		return 0;
222 	}
223 
224 	list = *listp;
225 	*listp = NULL;
226 	if (*list == '+') {
227 		/* Append names to default list */
228 		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
229 			r = SSH_ERR_ALLOC_FAIL;
230 			goto fail;
231 		}
232 		free(list);
233 		list = tmp;
234 	} else if (*list == '-') {
235 		/* Remove names from default list */
236 		if ((*listp = match_filter_blacklist(def, list + 1)) == NULL) {
237 			r = SSH_ERR_ALLOC_FAIL;
238 			goto fail;
239 		}
240 		free(list);
241 		/* filtering has already been done */
242 		return 0;
243 	} else {
244 		/* Explicit list, overrides default - just use "list" as is */
245 	}
246 
247 	/*
248 	 * The supplied names may be a pattern-list. For the -list case,
249 	 * the patterns are applied above. For the +list and explicit list
250 	 * cases we need to do it now.
251 	 */
252 	ret = NULL;
253 	if ((patterns = opatterns = strdup(list)) == NULL) {
254 		r = SSH_ERR_ALLOC_FAIL;
255 		goto fail;
256 	}
257 	/* Apply positive (i.e. non-negated) patterns from the list */
258 	while ((cp = strsep(&patterns, ",")) != NULL) {
259 		if (*cp == '!') {
260 			/* negated matches are not supported here */
261 			r = SSH_ERR_INVALID_ARGUMENT;
262 			goto fail;
263 		}
264 		free(matching);
265 		if ((matching = match_filter_whitelist(all, cp)) == NULL) {
266 			r = SSH_ERR_ALLOC_FAIL;
267 			goto fail;
268 		}
269 		if ((tmp = kex_names_cat(ret, matching)) == NULL) {
270 			r = SSH_ERR_ALLOC_FAIL;
271 			goto fail;
272 		}
273 		free(ret);
274 		ret = tmp;
275 	}
276 	if (ret == NULL || *ret == '\0') {
277 		/* An empty name-list is an error */
278 		/* XXX better error code? */
279 		r = SSH_ERR_INVALID_ARGUMENT;
280 		goto fail;
281 	}
282 
283 	/* success */
284 	*listp = ret;
285 	ret = NULL;
286 	r = 0;
287 
288  fail:
289 	free(matching);
290 	free(opatterns);
291 	free(list);
292 	free(ret);
293 	return r;
294 }
295 
296 /* put algorithm proposal into buffer */
297 int
298 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
299 {
300 	u_int i;
301 	int r;
302 
303 	sshbuf_reset(b);
304 
305 	/*
306 	 * add a dummy cookie, the cookie will be overwritten by
307 	 * kex_send_kexinit(), each time a kexinit is set
308 	 */
309 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
310 		if ((r = sshbuf_put_u8(b, 0)) != 0)
311 			return r;
312 	}
313 	for (i = 0; i < PROPOSAL_MAX; i++) {
314 		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
315 			return r;
316 	}
317 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
318 	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
319 		return r;
320 	return 0;
321 }
322 
323 /* parse buffer and return algorithm proposal */
324 int
325 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
326 {
327 	struct sshbuf *b = NULL;
328 	u_char v;
329 	u_int i;
330 	char **proposal = NULL;
331 	int r;
332 
333 	*propp = NULL;
334 	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
335 		return SSH_ERR_ALLOC_FAIL;
336 	if ((b = sshbuf_fromb(raw)) == NULL) {
337 		r = SSH_ERR_ALLOC_FAIL;
338 		goto out;
339 	}
340 	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */
341 		goto out;
342 	/* extract kex init proposal strings */
343 	for (i = 0; i < PROPOSAL_MAX; i++) {
344 		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0)
345 			goto out;
346 		debug2("%s: %s", proposal_names[i], proposal[i]);
347 	}
348 	/* first kex follows / reserved */
349 	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
350 	    (r = sshbuf_get_u32(b, &i)) != 0)	/* reserved */
351 		goto out;
352 	if (first_kex_follows != NULL)
353 		*first_kex_follows = v;
354 	debug2("first_kex_follows %d ", v);
355 	debug2("reserved %u ", i);
356 	r = 0;
357 	*propp = proposal;
358  out:
359 	if (r != 0 && proposal != NULL)
360 		kex_prop_free(proposal);
361 	sshbuf_free(b);
362 	return r;
363 }
364 
365 void
366 kex_prop_free(char **proposal)
367 {
368 	u_int i;
369 
370 	if (proposal == NULL)
371 		return;
372 	for (i = 0; i < PROPOSAL_MAX; i++)
373 		free(proposal[i]);
374 	free(proposal);
375 }
376 
377 /* ARGSUSED */
378 static int
379 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
380 {
381 	int r;
382 
383 	error("kex protocol error: type %d seq %u", type, seq);
384 	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
385 	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
386 	    (r = sshpkt_send(ssh)) != 0)
387 		return r;
388 	return 0;
389 }
390 
391 static void
392 kex_reset_dispatch(struct ssh *ssh)
393 {
394 	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
395 	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
396 }
397 
398 static int
399 kex_send_ext_info(struct ssh *ssh)
400 {
401 	int r;
402 	char *algs;
403 
404 	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
405 		return SSH_ERR_ALLOC_FAIL;
406 	/* XXX filter algs list by allowed pubkey/hostbased types */
407 	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
408 	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
409 	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
410 	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
411 	    (r = sshpkt_send(ssh)) != 0)
412 		goto out;
413 	/* success */
414 	r = 0;
415  out:
416 	free(algs);
417 	return r;
418 }
419 
420 int
421 kex_send_newkeys(struct ssh *ssh)
422 {
423 	int r;
424 
425 	kex_reset_dispatch(ssh);
426 	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
427 	    (r = sshpkt_send(ssh)) != 0)
428 		return r;
429 	debug("SSH2_MSG_NEWKEYS sent");
430 	debug("expecting SSH2_MSG_NEWKEYS");
431 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
432 	if (ssh->kex->ext_info_c)
433 		if ((r = kex_send_ext_info(ssh)) != 0)
434 			return r;
435 	return 0;
436 }
437 
438 int
439 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
440 {
441 	struct kex *kex = ssh->kex;
442 	u_int32_t i, ninfo;
443 	char *name;
444 	u_char *val;
445 	size_t vlen;
446 	int r;
447 
448 	debug("SSH2_MSG_EXT_INFO received");
449 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
450 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
451 		return r;
452 	for (i = 0; i < ninfo; i++) {
453 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
454 			return r;
455 		if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
456 			free(name);
457 			return r;
458 		}
459 		if (strcmp(name, "server-sig-algs") == 0) {
460 			/* Ensure no \0 lurking in value */
461 			if (memchr(val, '\0', vlen) != NULL) {
462 				error("%s: nul byte in %s", __func__, name);
463 				return SSH_ERR_INVALID_FORMAT;
464 			}
465 			debug("%s: %s=<%s>", __func__, name, val);
466 			kex->server_sig_algs = val;
467 			val = NULL;
468 		} else
469 			debug("%s: %s (unrecognised)", __func__, name);
470 		free(name);
471 		free(val);
472 	}
473 	return sshpkt_get_end(ssh);
474 }
475 
476 static int
477 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
478 {
479 	struct kex *kex = ssh->kex;
480 	int r;
481 
482 	debug("SSH2_MSG_NEWKEYS received");
483 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
484 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
485 	if ((r = sshpkt_get_end(ssh)) != 0)
486 		return r;
487 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
488 		return r;
489 	kex->done = 1;
490 	sshbuf_reset(kex->peer);
491 	/* sshbuf_reset(kex->my); */
492 	kex->flags &= ~KEX_INIT_SENT;
493 	free(kex->name);
494 	kex->name = NULL;
495 	return 0;
496 }
497 
498 int
499 kex_send_kexinit(struct ssh *ssh)
500 {
501 	u_char *cookie;
502 	struct kex *kex = ssh->kex;
503 	int r;
504 
505 	if (kex == NULL)
506 		return SSH_ERR_INTERNAL_ERROR;
507 	if (kex->flags & KEX_INIT_SENT)
508 		return 0;
509 	kex->done = 0;
510 
511 	/* generate a random cookie */
512 	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN)
513 		return SSH_ERR_INVALID_FORMAT;
514 	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL)
515 		return SSH_ERR_INTERNAL_ERROR;
516 	arc4random_buf(cookie, KEX_COOKIE_LEN);
517 
518 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
519 	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
520 	    (r = sshpkt_send(ssh)) != 0)
521 		return r;
522 	debug("SSH2_MSG_KEXINIT sent");
523 	kex->flags |= KEX_INIT_SENT;
524 	return 0;
525 }
526 
527 /* ARGSUSED */
528 int
529 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
530 {
531 	struct kex *kex = ssh->kex;
532 	const u_char *ptr;
533 	u_int i;
534 	size_t dlen;
535 	int r;
536 
537 	debug("SSH2_MSG_KEXINIT received");
538 	if (kex == NULL)
539 		return SSH_ERR_INVALID_ARGUMENT;
540 
541 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
542 	ptr = sshpkt_ptr(ssh, &dlen);
543 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
544 		return r;
545 
546 	/* discard packet */
547 	for (i = 0; i < KEX_COOKIE_LEN; i++)
548 		if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
549 			return r;
550 	for (i = 0; i < PROPOSAL_MAX; i++)
551 		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0)
552 			return r;
553 	/*
554 	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
555 	 * KEX method has the server move first, but a server might be using
556 	 * a custom method or one that we otherwise don't support. We should
557 	 * be prepared to remember first_kex_follows here so we can eat a
558 	 * packet later.
559 	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
560 	 * for cases where the server *doesn't* go first. I guess we should
561 	 * ignore it when it is set for these cases, which is what we do now.
562 	 */
563 	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
564 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
565 	    (r = sshpkt_get_end(ssh)) != 0)
566 			return r;
567 
568 	if (!(kex->flags & KEX_INIT_SENT))
569 		if ((r = kex_send_kexinit(ssh)) != 0)
570 			return r;
571 	if ((r = kex_choose_conf(ssh)) != 0)
572 		return r;
573 
574 	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
575 		return (kex->kex[kex->kex_type])(ssh);
576 
577 	return SSH_ERR_INTERNAL_ERROR;
578 }
579 
580 int
581 kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp)
582 {
583 	struct kex *kex;
584 	int r;
585 
586 	*kexp = NULL;
587 	if ((kex = calloc(1, sizeof(*kex))) == NULL)
588 		return SSH_ERR_ALLOC_FAIL;
589 	if ((kex->peer = sshbuf_new()) == NULL ||
590 	    (kex->my = sshbuf_new()) == NULL) {
591 		r = SSH_ERR_ALLOC_FAIL;
592 		goto out;
593 	}
594 	if ((r = kex_prop2buf(kex->my, proposal)) != 0)
595 		goto out;
596 	kex->done = 0;
597 	kex_reset_dispatch(ssh);
598 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
599 	r = 0;
600 	*kexp = kex;
601  out:
602 	if (r != 0)
603 		kex_free(kex);
604 	return r;
605 }
606 
607 void
608 kex_free_newkeys(struct newkeys *newkeys)
609 {
610 	if (newkeys == NULL)
611 		return;
612 	if (newkeys->enc.key) {
613 		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
614 		free(newkeys->enc.key);
615 		newkeys->enc.key = NULL;
616 	}
617 	if (newkeys->enc.iv) {
618 		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
619 		free(newkeys->enc.iv);
620 		newkeys->enc.iv = NULL;
621 	}
622 	free(newkeys->enc.name);
623 	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
624 	free(newkeys->comp.name);
625 	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
626 	mac_clear(&newkeys->mac);
627 	if (newkeys->mac.key) {
628 		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
629 		free(newkeys->mac.key);
630 		newkeys->mac.key = NULL;
631 	}
632 	free(newkeys->mac.name);
633 	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
634 	explicit_bzero(newkeys, sizeof(*newkeys));
635 	free(newkeys);
636 }
637 
638 void
639 kex_free(struct kex *kex)
640 {
641 	u_int mode;
642 
643 #ifdef WITH_OPENSSL
644 	DH_free(kex->dh);
645 #ifdef OPENSSL_HAS_ECC
646 	EC_KEY_free(kex->ec_client_key);
647 #endif /* OPENSSL_HAS_ECC */
648 #endif /* WITH_OPENSSL */
649 	for (mode = 0; mode < MODE_MAX; mode++) {
650 		kex_free_newkeys(kex->newkeys[mode]);
651 		kex->newkeys[mode] = NULL;
652 	}
653 	sshbuf_free(kex->peer);
654 	sshbuf_free(kex->my);
655 	free(kex->session_id);
656 	free(kex->client_version_string);
657 	free(kex->server_version_string);
658 	free(kex->failed_choice);
659 	free(kex->hostkey_alg);
660 	free(kex->name);
661 	free(kex);
662 }
663 
664 int
665 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
666 {
667 	int r;
668 
669 	if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0)
670 		return r;
671 	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
672 		kex_free(ssh->kex);
673 		ssh->kex = NULL;
674 		return r;
675 	}
676 	return 0;
677 }
678 
679 /*
680  * Request key re-exchange, returns 0 on success or a ssherr.h error
681  * code otherwise. Must not be called if KEX is incomplete or in-progress.
682  */
683 int
684 kex_start_rekex(struct ssh *ssh)
685 {
686 	if (ssh->kex == NULL) {
687 		error("%s: no kex", __func__);
688 		return SSH_ERR_INTERNAL_ERROR;
689 	}
690 	if (ssh->kex->done == 0) {
691 		error("%s: requested twice", __func__);
692 		return SSH_ERR_INTERNAL_ERROR;
693 	}
694 	ssh->kex->done = 0;
695 	return kex_send_kexinit(ssh);
696 }
697 
698 static int
699 choose_enc(struct sshenc *enc, char *client, char *server)
700 {
701 	char *name = match_list(client, server, NULL);
702 
703 	if (name == NULL)
704 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
705 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
706 		free(name);
707 		return SSH_ERR_INTERNAL_ERROR;
708 	}
709 	enc->name = name;
710 	enc->enabled = 0;
711 	enc->iv = NULL;
712 	enc->iv_len = cipher_ivlen(enc->cipher);
713 	enc->key = NULL;
714 	enc->key_len = cipher_keylen(enc->cipher);
715 	enc->block_size = cipher_blocksize(enc->cipher);
716 	return 0;
717 }
718 
719 static int
720 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
721 {
722 	char *name = match_list(client, server, NULL);
723 
724 	if (name == NULL)
725 		return SSH_ERR_NO_MAC_ALG_MATCH;
726 	if (mac_setup(mac, name) < 0) {
727 		free(name);
728 		return SSH_ERR_INTERNAL_ERROR;
729 	}
730 	mac->name = name;
731 	mac->key = NULL;
732 	mac->enabled = 0;
733 	return 0;
734 }
735 
736 static int
737 choose_comp(struct sshcomp *comp, char *client, char *server)
738 {
739 	char *name = match_list(client, server, NULL);
740 
741 	if (name == NULL)
742 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
743 	if (strcmp(name, "zlib@openssh.com") == 0) {
744 		comp->type = COMP_DELAYED;
745 	} else if (strcmp(name, "zlib") == 0) {
746 		comp->type = COMP_ZLIB;
747 	} else if (strcmp(name, "none") == 0) {
748 		comp->type = COMP_NONE;
749 	} else {
750 		free(name);
751 		return SSH_ERR_INTERNAL_ERROR;
752 	}
753 	comp->name = name;
754 	return 0;
755 }
756 
757 static int
758 choose_kex(struct kex *k, char *client, char *server)
759 {
760 	const struct kexalg *kexalg;
761 
762 	k->name = match_list(client, server, NULL);
763 
764 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
765 	if (k->name == NULL)
766 		return SSH_ERR_NO_KEX_ALG_MATCH;
767 	if ((kexalg = kex_alg_by_name(k->name)) == NULL)
768 		return SSH_ERR_INTERNAL_ERROR;
769 	k->kex_type = kexalg->type;
770 	k->hash_alg = kexalg->hash_alg;
771 	k->ec_nid = kexalg->ec_nid;
772 	return 0;
773 }
774 
775 static int
776 choose_hostkeyalg(struct kex *k, char *client, char *server)
777 {
778 	k->hostkey_alg = match_list(client, server, NULL);
779 
780 	debug("kex: host key algorithm: %s",
781 	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
782 	if (k->hostkey_alg == NULL)
783 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
784 	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
785 	if (k->hostkey_type == KEY_UNSPEC)
786 		return SSH_ERR_INTERNAL_ERROR;
787 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
788 	return 0;
789 }
790 
791 static int
792 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
793 {
794 	static int check[] = {
795 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
796 	};
797 	int *idx;
798 	char *p;
799 
800 	for (idx = &check[0]; *idx != -1; idx++) {
801 		if ((p = strchr(my[*idx], ',')) != NULL)
802 			*p = '\0';
803 		if ((p = strchr(peer[*idx], ',')) != NULL)
804 			*p = '\0';
805 		if (strcmp(my[*idx], peer[*idx]) != 0) {
806 			debug2("proposal mismatch: my %s peer %s",
807 			    my[*idx], peer[*idx]);
808 			return (0);
809 		}
810 	}
811 	debug2("proposals match");
812 	return (1);
813 }
814 
815 static int
816 kex_choose_conf(struct ssh *ssh)
817 {
818 	struct kex *kex = ssh->kex;
819 	struct newkeys *newkeys;
820 	char **my = NULL, **peer = NULL;
821 	char **cprop, **sprop;
822 	int nenc, nmac, ncomp;
823 	u_int mode, ctos, need, dh_need, authlen;
824 	int r, first_kex_follows;
825 
826 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
827 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
828 		goto out;
829 	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
830 	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
831 		goto out;
832 
833 	if (kex->server) {
834 		cprop=peer;
835 		sprop=my;
836 	} else {
837 		cprop=my;
838 		sprop=peer;
839 	}
840 
841 	/* Check whether client supports ext_info_c */
842 	if (kex->server) {
843 		char *ext;
844 
845 		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
846 		kex->ext_info_c = (ext != NULL);
847 		free(ext);
848 	}
849 
850 	/* Algorithm Negotiation */
851 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
852 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
853 		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
854 		peer[PROPOSAL_KEX_ALGS] = NULL;
855 		goto out;
856 	}
857 	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
858 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
859 		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
860 		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
861 		goto out;
862 	}
863 	for (mode = 0; mode < MODE_MAX; mode++) {
864 		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
865 			r = SSH_ERR_ALLOC_FAIL;
866 			goto out;
867 		}
868 		kex->newkeys[mode] = newkeys;
869 		ctos = (!kex->server && mode == MODE_OUT) ||
870 		    (kex->server && mode == MODE_IN);
871 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
872 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
873 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
874 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
875 		    sprop[nenc])) != 0) {
876 			kex->failed_choice = peer[nenc];
877 			peer[nenc] = NULL;
878 			goto out;
879 		}
880 		authlen = cipher_authlen(newkeys->enc.cipher);
881 		/* ignore mac for authenticated encryption */
882 		if (authlen == 0 &&
883 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
884 		    sprop[nmac])) != 0) {
885 			kex->failed_choice = peer[nmac];
886 			peer[nmac] = NULL;
887 			goto out;
888 		}
889 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
890 		    sprop[ncomp])) != 0) {
891 			kex->failed_choice = peer[ncomp];
892 			peer[ncomp] = NULL;
893 			goto out;
894 		}
895 		debug("kex: %s cipher: %s MAC: %s compression: %s",
896 		    ctos ? "client->server" : "server->client",
897 		    newkeys->enc.name,
898 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
899 		    newkeys->comp.name);
900 	}
901 	need = dh_need = 0;
902 	for (mode = 0; mode < MODE_MAX; mode++) {
903 		newkeys = kex->newkeys[mode];
904 		need = MAXIMUM(need, newkeys->enc.key_len);
905 		need = MAXIMUM(need, newkeys->enc.block_size);
906 		need = MAXIMUM(need, newkeys->enc.iv_len);
907 		need = MAXIMUM(need, newkeys->mac.key_len);
908 		dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
909 		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
910 		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
911 		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
912 	}
913 	/* XXX need runden? */
914 	kex->we_need = need;
915 	kex->dh_need = dh_need;
916 
917 	/* ignore the next message if the proposals do not match */
918 	if (first_kex_follows && !proposals_match(my, peer))
919 		ssh->dispatch_skip_packets = 1;
920 	r = 0;
921  out:
922 	kex_prop_free(my);
923 	kex_prop_free(peer);
924 	return r;
925 }
926 
927 static int
928 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
929     const struct sshbuf *shared_secret, u_char **keyp)
930 {
931 	struct kex *kex = ssh->kex;
932 	struct ssh_digest_ctx *hashctx = NULL;
933 	char c = id;
934 	u_int have;
935 	size_t mdsz;
936 	u_char *digest;
937 	int r;
938 
939 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
940 		return SSH_ERR_INVALID_ARGUMENT;
941 	if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
942 		r = SSH_ERR_ALLOC_FAIL;
943 		goto out;
944 	}
945 
946 	/* K1 = HASH(K || H || "A" || session_id) */
947 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
948 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
949 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
950 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
951 	    ssh_digest_update(hashctx, kex->session_id,
952 	    kex->session_id_len) != 0 ||
953 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
954 		r = SSH_ERR_LIBCRYPTO_ERROR;
955 		goto out;
956 	}
957 	ssh_digest_free(hashctx);
958 	hashctx = NULL;
959 
960 	/*
961 	 * expand key:
962 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
963 	 * Key = K1 || K2 || ... || Kn
964 	 */
965 	for (have = mdsz; need > have; have += mdsz) {
966 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
967 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
968 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
969 		    ssh_digest_update(hashctx, digest, have) != 0 ||
970 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
971 			r = SSH_ERR_LIBCRYPTO_ERROR;
972 			goto out;
973 		}
974 		ssh_digest_free(hashctx);
975 		hashctx = NULL;
976 	}
977 #ifdef DEBUG_KEX
978 	fprintf(stderr, "key '%c'== ", c);
979 	dump_digest("key", digest, need);
980 #endif
981 	*keyp = digest;
982 	digest = NULL;
983 	r = 0;
984  out:
985 	free(digest);
986 	ssh_digest_free(hashctx);
987 	return r;
988 }
989 
990 #define NKEYS	6
991 int
992 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
993     const struct sshbuf *shared_secret)
994 {
995 	struct kex *kex = ssh->kex;
996 	u_char *keys[NKEYS];
997 	u_int i, j, mode, ctos;
998 	int r;
999 
1000 	for (i = 0; i < NKEYS; i++) {
1001 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1002 		    shared_secret, &keys[i])) != 0) {
1003 			for (j = 0; j < i; j++)
1004 				free(keys[j]);
1005 			return r;
1006 		}
1007 	}
1008 	for (mode = 0; mode < MODE_MAX; mode++) {
1009 		ctos = (!kex->server && mode == MODE_OUT) ||
1010 		    (kex->server && mode == MODE_IN);
1011 		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
1012 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1013 		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1014 	}
1015 	return 0;
1016 }
1017 
1018 #ifdef WITH_OPENSSL
1019 int
1020 kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
1021     const BIGNUM *secret)
1022 {
1023 	struct sshbuf *shared_secret;
1024 	int r;
1025 
1026 	if ((shared_secret = sshbuf_new()) == NULL)
1027 		return SSH_ERR_ALLOC_FAIL;
1028 	if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
1029 		r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
1030 	sshbuf_free(shared_secret);
1031 	return r;
1032 }
1033 #endif
1034 
1035 
1036 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1037 void
1038 dump_digest(char *msg, u_char *digest, int len)
1039 {
1040 	fprintf(stderr, "%s\n", msg);
1041 	sshbuf_dump_data(digest, len, stderr);
1042 }
1043 #endif
1044