xref: /freebsd/crypto/openssh/kex.c (revision 23f6875a43f7ce365f2d52cf857da010c47fb03b)
1 /* $OpenBSD: kex.c,v 1.117 2016/02/08 10:57:07 djm Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 #include <sys/param.h>	/* MAX roundup */
29 
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 
36 #ifdef WITH_OPENSSL
37 #include <openssl/crypto.h>
38 #endif
39 
40 #include "ssh2.h"
41 #include "packet.h"
42 #include "compat.h"
43 #include "cipher.h"
44 #include "sshkey.h"
45 #include "kex.h"
46 #include "log.h"
47 #include "mac.h"
48 #include "match.h"
49 #include "misc.h"
50 #include "dispatch.h"
51 #include "monitor.h"
52 
53 #include "ssherr.h"
54 #include "sshbuf.h"
55 #include "digest.h"
56 
57 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
58 # if defined(HAVE_EVP_SHA256)
59 # define evp_ssh_sha256 EVP_sha256
60 # else
61 extern const EVP_MD *evp_ssh_sha256(void);
62 # endif
63 #endif
64 
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, void *);
68 
69 static const char *proposal_names[PROPOSAL_MAX] = {
70 	"KEX algorithms",
71 	"host key algorithms",
72 	"ciphers ctos",
73 	"ciphers stoc",
74 	"MACs ctos",
75 	"MACs stoc",
76 	"compression ctos",
77 	"compression stoc",
78 	"languages ctos",
79 	"languages stoc",
80 };
81 
82 struct kexalg {
83 	char *name;
84 	u_int type;
85 	int ec_nid;
86 	int hash_alg;
87 };
88 static const struct kexalg kexalgs[] = {
89 #ifdef WITH_OPENSSL
90 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
91 	{ KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
92 	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
93 #ifdef HAVE_EVP_SHA256
94 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
95 #endif /* HAVE_EVP_SHA256 */
96 #ifdef OPENSSL_HAS_ECC
97 	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
98 	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
99 	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
100 	    SSH_DIGEST_SHA384 },
101 # ifdef OPENSSL_HAS_NISTP521
102 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
103 	    SSH_DIGEST_SHA512 },
104 # endif /* OPENSSL_HAS_NISTP521 */
105 #endif /* OPENSSL_HAS_ECC */
106 #endif /* WITH_OPENSSL */
107 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
108 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
109 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
110 	{ NULL, -1, -1, -1},
111 };
112 
113 char *
114 kex_alg_list(char sep)
115 {
116 	char *ret = NULL, *tmp;
117 	size_t nlen, rlen = 0;
118 	const struct kexalg *k;
119 
120 	for (k = kexalgs; k->name != NULL; k++) {
121 		if (ret != NULL)
122 			ret[rlen++] = sep;
123 		nlen = strlen(k->name);
124 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
125 			free(ret);
126 			return NULL;
127 		}
128 		ret = tmp;
129 		memcpy(ret + rlen, k->name, nlen + 1);
130 		rlen += nlen;
131 	}
132 	return ret;
133 }
134 
135 static const struct kexalg *
136 kex_alg_by_name(const char *name)
137 {
138 	const struct kexalg *k;
139 
140 	for (k = kexalgs; k->name != NULL; k++) {
141 		if (strcmp(k->name, name) == 0)
142 			return k;
143 	}
144 	return NULL;
145 }
146 
147 /* Validate KEX method name list */
148 int
149 kex_names_valid(const char *names)
150 {
151 	char *s, *cp, *p;
152 
153 	if (names == NULL || strcmp(names, "") == 0)
154 		return 0;
155 	if ((s = cp = strdup(names)) == NULL)
156 		return 0;
157 	for ((p = strsep(&cp, ",")); p && *p != '\0';
158 	    (p = strsep(&cp, ","))) {
159 		if (kex_alg_by_name(p) == NULL) {
160 			error("Unsupported KEX algorithm \"%.100s\"", p);
161 			free(s);
162 			return 0;
163 		}
164 	}
165 	debug3("kex names ok: [%s]", names);
166 	free(s);
167 	return 1;
168 }
169 
170 /*
171  * Concatenate algorithm names, avoiding duplicates in the process.
172  * Caller must free returned string.
173  */
174 char *
175 kex_names_cat(const char *a, const char *b)
176 {
177 	char *ret = NULL, *tmp = NULL, *cp, *p;
178 	size_t len;
179 
180 	if (a == NULL || *a == '\0')
181 		return NULL;
182 	if (b == NULL || *b == '\0')
183 		return strdup(a);
184 	if (strlen(b) > 1024*1024)
185 		return NULL;
186 	len = strlen(a) + strlen(b) + 2;
187 	if ((tmp = cp = strdup(b)) == NULL ||
188 	    (ret = calloc(1, len)) == NULL) {
189 		free(tmp);
190 		return NULL;
191 	}
192 	strlcpy(ret, a, len);
193 	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
194 		if (match_list(ret, p, NULL) != NULL)
195 			continue; /* Algorithm already present */
196 		if (strlcat(ret, ",", len) >= len ||
197 		    strlcat(ret, p, len) >= len) {
198 			free(tmp);
199 			free(ret);
200 			return NULL; /* Shouldn't happen */
201 		}
202 	}
203 	free(tmp);
204 	return ret;
205 }
206 
207 /*
208  * Assemble a list of algorithms from a default list and a string from a
209  * configuration file. The user-provided string may begin with '+' to
210  * indicate that it should be appended to the default.
211  */
212 int
213 kex_assemble_names(const char *def, char **list)
214 {
215 	char *ret;
216 
217 	if (list == NULL || *list == NULL || **list == '\0') {
218 		*list = strdup(def);
219 		return 0;
220 	}
221 	if (**list != '+') {
222 		return 0;
223 	}
224 
225 	if ((ret = kex_names_cat(def, *list + 1)) == NULL)
226 		return SSH_ERR_ALLOC_FAIL;
227 	free(*list);
228 	*list = ret;
229 	return 0;
230 }
231 
232 /* put algorithm proposal into buffer */
233 int
234 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
235 {
236 	u_int i;
237 	int r;
238 
239 	sshbuf_reset(b);
240 
241 	/*
242 	 * add a dummy cookie, the cookie will be overwritten by
243 	 * kex_send_kexinit(), each time a kexinit is set
244 	 */
245 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
246 		if ((r = sshbuf_put_u8(b, 0)) != 0)
247 			return r;
248 	}
249 	for (i = 0; i < PROPOSAL_MAX; i++) {
250 		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
251 			return r;
252 	}
253 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
254 	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
255 		return r;
256 	return 0;
257 }
258 
259 /* parse buffer and return algorithm proposal */
260 int
261 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
262 {
263 	struct sshbuf *b = NULL;
264 	u_char v;
265 	u_int i;
266 	char **proposal = NULL;
267 	int r;
268 
269 	*propp = NULL;
270 	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
271 		return SSH_ERR_ALLOC_FAIL;
272 	if ((b = sshbuf_fromb(raw)) == NULL) {
273 		r = SSH_ERR_ALLOC_FAIL;
274 		goto out;
275 	}
276 	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */
277 		goto out;
278 	/* extract kex init proposal strings */
279 	for (i = 0; i < PROPOSAL_MAX; i++) {
280 		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0)
281 			goto out;
282 		debug2("%s: %s", proposal_names[i], proposal[i]);
283 	}
284 	/* first kex follows / reserved */
285 	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
286 	    (r = sshbuf_get_u32(b, &i)) != 0)	/* reserved */
287 		goto out;
288 	if (first_kex_follows != NULL)
289 		*first_kex_follows = v;
290 	debug2("first_kex_follows %d ", v);
291 	debug2("reserved %u ", i);
292 	r = 0;
293 	*propp = proposal;
294  out:
295 	if (r != 0 && proposal != NULL)
296 		kex_prop_free(proposal);
297 	sshbuf_free(b);
298 	return r;
299 }
300 
301 void
302 kex_prop_free(char **proposal)
303 {
304 	u_int i;
305 
306 	if (proposal == NULL)
307 		return;
308 	for (i = 0; i < PROPOSAL_MAX; i++)
309 		free(proposal[i]);
310 	free(proposal);
311 }
312 
313 /* ARGSUSED */
314 static int
315 kex_protocol_error(int type, u_int32_t seq, void *ctxt)
316 {
317 	struct ssh *ssh = active_state; /* XXX */
318 	int r;
319 
320 	error("kex protocol error: type %d seq %u", type, seq);
321 	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
322 	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
323 	    (r = sshpkt_send(ssh)) != 0)
324 		return r;
325 	return 0;
326 }
327 
328 static void
329 kex_reset_dispatch(struct ssh *ssh)
330 {
331 	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
332 	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
333 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
334 }
335 
336 static int
337 kex_send_ext_info(struct ssh *ssh)
338 {
339 	int r;
340 
341 	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
342 	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
343 	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
344 	    (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 ||
345 	    (r = sshpkt_send(ssh)) != 0)
346 		return r;
347 	return 0;
348 }
349 
350 int
351 kex_send_newkeys(struct ssh *ssh)
352 {
353 	int r;
354 
355 	kex_reset_dispatch(ssh);
356 	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
357 	    (r = sshpkt_send(ssh)) != 0)
358 		return r;
359 	debug("SSH2_MSG_NEWKEYS sent");
360 	debug("expecting SSH2_MSG_NEWKEYS");
361 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
362 	if (ssh->kex->ext_info_c)
363 		if ((r = kex_send_ext_info(ssh)) != 0)
364 			return r;
365 	return 0;
366 }
367 
368 int
369 kex_input_ext_info(int type, u_int32_t seq, void *ctxt)
370 {
371 	struct ssh *ssh = ctxt;
372 	struct kex *kex = ssh->kex;
373 	u_int32_t i, ninfo;
374 	char *name, *val, *found;
375 	int r;
376 
377 	debug("SSH2_MSG_EXT_INFO received");
378 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
379 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
380 		return r;
381 	for (i = 0; i < ninfo; i++) {
382 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
383 			return r;
384 		if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) {
385 			free(name);
386 			return r;
387 		}
388 		debug("%s: %s=<%s>", __func__, name, val);
389 		if (strcmp(name, "server-sig-algs") == 0) {
390 			found = match_list("rsa-sha2-256", val, NULL);
391 			if (found) {
392 				kex->rsa_sha2 = 256;
393 				free(found);
394 			}
395 			found = match_list("rsa-sha2-512", val, NULL);
396 			if (found) {
397 				kex->rsa_sha2 = 512;
398 				free(found);
399 			}
400 		}
401 		free(name);
402 		free(val);
403 	}
404 	return sshpkt_get_end(ssh);
405 }
406 
407 static int
408 kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
409 {
410 	struct ssh *ssh = ctxt;
411 	struct kex *kex = ssh->kex;
412 	int r;
413 
414 	debug("SSH2_MSG_NEWKEYS received");
415 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
416 	if ((r = sshpkt_get_end(ssh)) != 0)
417 		return r;
418 	kex->done = 1;
419 	sshbuf_reset(kex->peer);
420 	/* sshbuf_reset(kex->my); */
421 	kex->flags &= ~KEX_INIT_SENT;
422 	free(kex->name);
423 	kex->name = NULL;
424 	return 0;
425 }
426 
427 int
428 kex_send_kexinit(struct ssh *ssh)
429 {
430 	u_char *cookie;
431 	struct kex *kex = ssh->kex;
432 	int r;
433 
434 	if (kex == NULL)
435 		return SSH_ERR_INTERNAL_ERROR;
436 	if (kex->flags & KEX_INIT_SENT)
437 		return 0;
438 	kex->done = 0;
439 
440 	/* generate a random cookie */
441 	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN)
442 		return SSH_ERR_INVALID_FORMAT;
443 	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL)
444 		return SSH_ERR_INTERNAL_ERROR;
445 	arc4random_buf(cookie, KEX_COOKIE_LEN);
446 
447 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
448 	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
449 	    (r = sshpkt_send(ssh)) != 0)
450 		return r;
451 	debug("SSH2_MSG_KEXINIT sent");
452 	kex->flags |= KEX_INIT_SENT;
453 	return 0;
454 }
455 
456 /* ARGSUSED */
457 int
458 kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
459 {
460 	struct ssh *ssh = ctxt;
461 	struct kex *kex = ssh->kex;
462 	const u_char *ptr;
463 	u_int i;
464 	size_t dlen;
465 	int r;
466 
467 	debug("SSH2_MSG_KEXINIT received");
468 	if (kex == NULL)
469 		return SSH_ERR_INVALID_ARGUMENT;
470 
471 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
472 	ptr = sshpkt_ptr(ssh, &dlen);
473 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
474 		return r;
475 
476 	/* discard packet */
477 	for (i = 0; i < KEX_COOKIE_LEN; i++)
478 		if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
479 			return r;
480 	for (i = 0; i < PROPOSAL_MAX; i++)
481 		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0)
482 			return r;
483 	/*
484 	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
485 	 * KEX method has the server move first, but a server might be using
486 	 * a custom method or one that we otherwise don't support. We should
487 	 * be prepared to remember first_kex_follows here so we can eat a
488 	 * packet later.
489 	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
490 	 * for cases where the server *doesn't* go first. I guess we should
491 	 * ignore it when it is set for these cases, which is what we do now.
492 	 */
493 	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
494 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
495 	    (r = sshpkt_get_end(ssh)) != 0)
496 			return r;
497 
498 	if (!(kex->flags & KEX_INIT_SENT))
499 		if ((r = kex_send_kexinit(ssh)) != 0)
500 			return r;
501 	if ((r = kex_choose_conf(ssh)) != 0)
502 		return r;
503 
504 	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
505 		return (kex->kex[kex->kex_type])(ssh);
506 
507 	return SSH_ERR_INTERNAL_ERROR;
508 }
509 
510 int
511 kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp)
512 {
513 	struct kex *kex;
514 	int r;
515 
516 	*kexp = NULL;
517 	if ((kex = calloc(1, sizeof(*kex))) == NULL)
518 		return SSH_ERR_ALLOC_FAIL;
519 	if ((kex->peer = sshbuf_new()) == NULL ||
520 	    (kex->my = sshbuf_new()) == NULL) {
521 		r = SSH_ERR_ALLOC_FAIL;
522 		goto out;
523 	}
524 	if ((r = kex_prop2buf(kex->my, proposal)) != 0)
525 		goto out;
526 	kex->done = 0;
527 	kex_reset_dispatch(ssh);
528 	r = 0;
529 	*kexp = kex;
530  out:
531 	if (r != 0)
532 		kex_free(kex);
533 	return r;
534 }
535 
536 void
537 kex_free_newkeys(struct newkeys *newkeys)
538 {
539 	if (newkeys == NULL)
540 		return;
541 	if (newkeys->enc.key) {
542 		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
543 		free(newkeys->enc.key);
544 		newkeys->enc.key = NULL;
545 	}
546 	if (newkeys->enc.iv) {
547 		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
548 		free(newkeys->enc.iv);
549 		newkeys->enc.iv = NULL;
550 	}
551 	free(newkeys->enc.name);
552 	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
553 	free(newkeys->comp.name);
554 	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
555 	mac_clear(&newkeys->mac);
556 	if (newkeys->mac.key) {
557 		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
558 		free(newkeys->mac.key);
559 		newkeys->mac.key = NULL;
560 	}
561 	free(newkeys->mac.name);
562 	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
563 	explicit_bzero(newkeys, sizeof(*newkeys));
564 	free(newkeys);
565 }
566 
567 void
568 kex_free(struct kex *kex)
569 {
570 	u_int mode;
571 
572 #ifdef WITH_OPENSSL
573 	if (kex->dh)
574 		DH_free(kex->dh);
575 #ifdef OPENSSL_HAS_ECC
576 	if (kex->ec_client_key)
577 		EC_KEY_free(kex->ec_client_key);
578 #endif /* OPENSSL_HAS_ECC */
579 #endif /* WITH_OPENSSL */
580 	for (mode = 0; mode < MODE_MAX; mode++) {
581 		kex_free_newkeys(kex->newkeys[mode]);
582 		kex->newkeys[mode] = NULL;
583 	}
584 	sshbuf_free(kex->peer);
585 	sshbuf_free(kex->my);
586 	free(kex->session_id);
587 	free(kex->client_version_string);
588 	free(kex->server_version_string);
589 	free(kex->failed_choice);
590 	free(kex->hostkey_alg);
591 	free(kex->name);
592 	free(kex);
593 }
594 
595 int
596 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
597 {
598 	int r;
599 
600 	if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0)
601 		return r;
602 	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
603 		kex_free(ssh->kex);
604 		ssh->kex = NULL;
605 		return r;
606 	}
607 	return 0;
608 }
609 
610 /*
611  * Request key re-exchange, returns 0 on success or a ssherr.h error
612  * code otherwise. Must not be called if KEX is incomplete or in-progress.
613  */
614 int
615 kex_start_rekex(struct ssh *ssh)
616 {
617 	if (ssh->kex == NULL) {
618 		error("%s: no kex", __func__);
619 		return SSH_ERR_INTERNAL_ERROR;
620 	}
621 	if (ssh->kex->done == 0) {
622 		error("%s: requested twice", __func__);
623 		return SSH_ERR_INTERNAL_ERROR;
624 	}
625 	ssh->kex->done = 0;
626 	return kex_send_kexinit(ssh);
627 }
628 
629 static int
630 choose_enc(struct sshenc *enc, char *client, char *server)
631 {
632 	char *name = match_list(client, server, NULL);
633 
634 	if (name == NULL)
635 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
636 	if ((enc->cipher = cipher_by_name(name)) == NULL)
637 		return SSH_ERR_INTERNAL_ERROR;
638 	enc->name = name;
639 	enc->enabled = 0;
640 	enc->iv = NULL;
641 	enc->iv_len = cipher_ivlen(enc->cipher);
642 	enc->key = NULL;
643 	enc->key_len = cipher_keylen(enc->cipher);
644 	enc->block_size = cipher_blocksize(enc->cipher);
645 	return 0;
646 }
647 
648 static int
649 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
650 {
651 	char *name = match_list(client, server, NULL);
652 
653 	if (name == NULL)
654 		return SSH_ERR_NO_MAC_ALG_MATCH;
655 	if (mac_setup(mac, name) < 0)
656 		return SSH_ERR_INTERNAL_ERROR;
657 	/* truncate the key */
658 	if (ssh->compat & SSH_BUG_HMAC)
659 		mac->key_len = 16;
660 	mac->name = name;
661 	mac->key = NULL;
662 	mac->enabled = 0;
663 	return 0;
664 }
665 
666 static int
667 choose_comp(struct sshcomp *comp, char *client, char *server)
668 {
669 	char *name = match_list(client, server, NULL);
670 
671 	if (name == NULL)
672 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
673 	if (strcmp(name, "zlib@openssh.com") == 0) {
674 		comp->type = COMP_DELAYED;
675 	} else if (strcmp(name, "zlib") == 0) {
676 		comp->type = COMP_ZLIB;
677 	} else if (strcmp(name, "none") == 0) {
678 		comp->type = COMP_NONE;
679 	} else {
680 		return SSH_ERR_INTERNAL_ERROR;
681 	}
682 	comp->name = name;
683 	return 0;
684 }
685 
686 static int
687 choose_kex(struct kex *k, char *client, char *server)
688 {
689 	const struct kexalg *kexalg;
690 
691 	k->name = match_list(client, server, NULL);
692 
693 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
694 	if (k->name == NULL)
695 		return SSH_ERR_NO_KEX_ALG_MATCH;
696 	if ((kexalg = kex_alg_by_name(k->name)) == NULL)
697 		return SSH_ERR_INTERNAL_ERROR;
698 	k->kex_type = kexalg->type;
699 	k->hash_alg = kexalg->hash_alg;
700 	k->ec_nid = kexalg->ec_nid;
701 	return 0;
702 }
703 
704 static int
705 choose_hostkeyalg(struct kex *k, char *client, char *server)
706 {
707 	k->hostkey_alg = match_list(client, server, NULL);
708 
709 	debug("kex: host key algorithm: %s",
710 	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
711 	if (k->hostkey_alg == NULL)
712 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
713 	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
714 	if (k->hostkey_type == KEY_UNSPEC)
715 		return SSH_ERR_INTERNAL_ERROR;
716 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
717 	return 0;
718 }
719 
720 static int
721 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
722 {
723 	static int check[] = {
724 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
725 	};
726 	int *idx;
727 	char *p;
728 
729 	for (idx = &check[0]; *idx != -1; idx++) {
730 		if ((p = strchr(my[*idx], ',')) != NULL)
731 			*p = '\0';
732 		if ((p = strchr(peer[*idx], ',')) != NULL)
733 			*p = '\0';
734 		if (strcmp(my[*idx], peer[*idx]) != 0) {
735 			debug2("proposal mismatch: my %s peer %s",
736 			    my[*idx], peer[*idx]);
737 			return (0);
738 		}
739 	}
740 	debug2("proposals match");
741 	return (1);
742 }
743 
744 static int
745 kex_choose_conf(struct ssh *ssh)
746 {
747 	struct kex *kex = ssh->kex;
748 	struct newkeys *newkeys;
749 	char **my = NULL, **peer = NULL;
750 	char **cprop, **sprop;
751 	int nenc, nmac, ncomp;
752 	u_int mode, ctos, need, dh_need, authlen;
753 	int r, first_kex_follows;
754 
755 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
756 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
757 		goto out;
758 	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
759 	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
760 		goto out;
761 
762 	if (kex->server) {
763 		cprop=peer;
764 		sprop=my;
765 	} else {
766 		cprop=my;
767 		sprop=peer;
768 	}
769 
770 	/* Check whether client supports ext_info_c */
771 	if (kex->server) {
772 		char *ext;
773 
774 		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
775 		if (ext) {
776 			kex->ext_info_c = 1;
777 			free(ext);
778 		}
779 	}
780 
781 	/* Algorithm Negotiation */
782 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
783 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
784 		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
785 		peer[PROPOSAL_KEX_ALGS] = NULL;
786 		goto out;
787 	}
788 	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
789 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
790 		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
791 		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
792 		goto out;
793 	}
794 	for (mode = 0; mode < MODE_MAX; mode++) {
795 		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
796 			r = SSH_ERR_ALLOC_FAIL;
797 			goto out;
798 		}
799 		kex->newkeys[mode] = newkeys;
800 		ctos = (!kex->server && mode == MODE_OUT) ||
801 		    (kex->server && mode == MODE_IN);
802 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
803 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
804 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
805 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
806 		    sprop[nenc])) != 0) {
807 			kex->failed_choice = peer[nenc];
808 			peer[nenc] = NULL;
809 			goto out;
810 		}
811 		authlen = cipher_authlen(newkeys->enc.cipher);
812 		/* ignore mac for authenticated encryption */
813 		if (authlen == 0 &&
814 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
815 		    sprop[nmac])) != 0) {
816 			kex->failed_choice = peer[nmac];
817 			peer[nmac] = NULL;
818 			goto out;
819 		}
820 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
821 		    sprop[ncomp])) != 0) {
822 			kex->failed_choice = peer[ncomp];
823 			peer[ncomp] = NULL;
824 			goto out;
825 		}
826 		debug("kex: %s cipher: %s MAC: %s compression: %s",
827 		    ctos ? "client->server" : "server->client",
828 		    newkeys->enc.name,
829 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
830 		    newkeys->comp.name);
831 	}
832 	need = dh_need = 0;
833 	for (mode = 0; mode < MODE_MAX; mode++) {
834 		newkeys = kex->newkeys[mode];
835 		need = MAX(need, newkeys->enc.key_len);
836 		need = MAX(need, newkeys->enc.block_size);
837 		need = MAX(need, newkeys->enc.iv_len);
838 		need = MAX(need, newkeys->mac.key_len);
839 		dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));
840 		dh_need = MAX(dh_need, newkeys->enc.block_size);
841 		dh_need = MAX(dh_need, newkeys->enc.iv_len);
842 		dh_need = MAX(dh_need, newkeys->mac.key_len);
843 	}
844 	/* XXX need runden? */
845 	kex->we_need = need;
846 	kex->dh_need = dh_need;
847 
848 	/* ignore the next message if the proposals do not match */
849 	if (first_kex_follows && !proposals_match(my, peer) &&
850 	    !(ssh->compat & SSH_BUG_FIRSTKEX))
851 		ssh->dispatch_skip_packets = 1;
852 	r = 0;
853  out:
854 	kex_prop_free(my);
855 	kex_prop_free(peer);
856 	return r;
857 }
858 
859 static int
860 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
861     const struct sshbuf *shared_secret, u_char **keyp)
862 {
863 	struct kex *kex = ssh->kex;
864 	struct ssh_digest_ctx *hashctx = NULL;
865 	char c = id;
866 	u_int have;
867 	size_t mdsz;
868 	u_char *digest;
869 	int r;
870 
871 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
872 		return SSH_ERR_INVALID_ARGUMENT;
873 	if ((digest = calloc(1, roundup(need, mdsz))) == NULL) {
874 		r = SSH_ERR_ALLOC_FAIL;
875 		goto out;
876 	}
877 
878 	/* K1 = HASH(K || H || "A" || session_id) */
879 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
880 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
881 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
882 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
883 	    ssh_digest_update(hashctx, kex->session_id,
884 	    kex->session_id_len) != 0 ||
885 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
886 		r = SSH_ERR_LIBCRYPTO_ERROR;
887 		goto out;
888 	}
889 	ssh_digest_free(hashctx);
890 	hashctx = NULL;
891 
892 	/*
893 	 * expand key:
894 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
895 	 * Key = K1 || K2 || ... || Kn
896 	 */
897 	for (have = mdsz; need > have; have += mdsz) {
898 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
899 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
900 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
901 		    ssh_digest_update(hashctx, digest, have) != 0 ||
902 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
903 			r = SSH_ERR_LIBCRYPTO_ERROR;
904 			goto out;
905 		}
906 		ssh_digest_free(hashctx);
907 		hashctx = NULL;
908 	}
909 #ifdef DEBUG_KEX
910 	fprintf(stderr, "key '%c'== ", c);
911 	dump_digest("key", digest, need);
912 #endif
913 	*keyp = digest;
914 	digest = NULL;
915 	r = 0;
916  out:
917 	free(digest);
918 	ssh_digest_free(hashctx);
919 	return r;
920 }
921 
922 #define NKEYS	6
923 int
924 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
925     const struct sshbuf *shared_secret)
926 {
927 	struct kex *kex = ssh->kex;
928 	u_char *keys[NKEYS];
929 	u_int i, j, mode, ctos;
930 	int r;
931 
932 	for (i = 0; i < NKEYS; i++) {
933 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
934 		    shared_secret, &keys[i])) != 0) {
935 			for (j = 0; j < i; j++)
936 				free(keys[j]);
937 			return r;
938 		}
939 	}
940 	for (mode = 0; mode < MODE_MAX; mode++) {
941 		ctos = (!kex->server && mode == MODE_OUT) ||
942 		    (kex->server && mode == MODE_IN);
943 		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
944 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
945 		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
946 	}
947 	return 0;
948 }
949 
950 #ifdef WITH_OPENSSL
951 int
952 kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
953     const BIGNUM *secret)
954 {
955 	struct sshbuf *shared_secret;
956 	int r;
957 
958 	if ((shared_secret = sshbuf_new()) == NULL)
959 		return SSH_ERR_ALLOC_FAIL;
960 	if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
961 		r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
962 	sshbuf_free(shared_secret);
963 	return r;
964 }
965 #endif
966 
967 #ifdef WITH_SSH1
968 int
969 derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
970     u_int8_t cookie[8], u_int8_t id[16])
971 {
972 	u_int8_t hbuf[2048], sbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH];
973 	struct ssh_digest_ctx *hashctx = NULL;
974 	size_t hlen, slen;
975 	int r;
976 
977 	hlen = BN_num_bytes(host_modulus);
978 	slen = BN_num_bytes(server_modulus);
979 	if (hlen < (512 / 8) || (u_int)hlen > sizeof(hbuf) ||
980 	    slen < (512 / 8) || (u_int)slen > sizeof(sbuf))
981 		return SSH_ERR_KEY_BITS_MISMATCH;
982 	if (BN_bn2bin(host_modulus, hbuf) <= 0 ||
983 	    BN_bn2bin(server_modulus, sbuf) <= 0) {
984 		r = SSH_ERR_LIBCRYPTO_ERROR;
985 		goto out;
986 	}
987 	if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) {
988 		r = SSH_ERR_ALLOC_FAIL;
989 		goto out;
990 	}
991 	if (ssh_digest_update(hashctx, hbuf, hlen) != 0 ||
992 	    ssh_digest_update(hashctx, sbuf, slen) != 0 ||
993 	    ssh_digest_update(hashctx, cookie, 8) != 0 ||
994 	    ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) {
995 		r = SSH_ERR_LIBCRYPTO_ERROR;
996 		goto out;
997 	}
998 	memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5));
999 	r = 0;
1000  out:
1001 	ssh_digest_free(hashctx);
1002 	explicit_bzero(hbuf, sizeof(hbuf));
1003 	explicit_bzero(sbuf, sizeof(sbuf));
1004 	explicit_bzero(obuf, sizeof(obuf));
1005 	return r;
1006 }
1007 #endif
1008 
1009 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1010 void
1011 dump_digest(char *msg, u_char *digest, int len)
1012 {
1013 	fprintf(stderr, "%s\n", msg);
1014 	sshbuf_dump_data(digest, len, stderr);
1015 }
1016 #endif
1017