1 /* $OpenBSD: kex.c,v 1.184 2023/12/18 14:45:49 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include "includes.h" 27 28 #include <sys/types.h> 29 #include <errno.h> 30 #include <signal.h> 31 #include <stdarg.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 #include <unistd.h> 36 #ifdef HAVE_POLL_H 37 #include <poll.h> 38 #endif 39 40 #ifdef WITH_OPENSSL 41 #include <openssl/crypto.h> 42 #include <openssl/dh.h> 43 #endif 44 45 #include "ssh.h" 46 #include "ssh2.h" 47 #include "atomicio.h" 48 #include "version.h" 49 #include "packet.h" 50 #include "compat.h" 51 #include "cipher.h" 52 #include "sshkey.h" 53 #include "kex.h" 54 #include "log.h" 55 #include "mac.h" 56 #include "match.h" 57 #include "misc.h" 58 #include "dispatch.h" 59 #include "monitor.h" 60 #include "myproposal.h" 61 62 #include "ssherr.h" 63 #include "sshbuf.h" 64 #include "digest.h" 65 #include "xmalloc.h" 66 67 /* prototype */ 68 static int kex_choose_conf(struct ssh *, uint32_t seq); 69 static int kex_input_newkeys(int, u_int32_t, struct ssh *); 70 71 static const char * const proposal_names[PROPOSAL_MAX] = { 72 "KEX algorithms", 73 "host key algorithms", 74 "ciphers ctos", 75 "ciphers stoc", 76 "MACs ctos", 77 "MACs stoc", 78 "compression ctos", 79 "compression stoc", 80 "languages ctos", 81 "languages stoc", 82 }; 83 84 struct kexalg { 85 char *name; 86 u_int type; 87 int ec_nid; 88 int hash_alg; 89 }; 90 static const struct kexalg kexalgs[] = { 91 #ifdef WITH_OPENSSL 92 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, 93 { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, 94 { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, 95 { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, 96 { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, 97 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, 98 #ifdef HAVE_EVP_SHA256 99 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, 100 #endif /* HAVE_EVP_SHA256 */ 101 #ifdef OPENSSL_HAS_ECC 102 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, 103 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 104 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, 105 SSH_DIGEST_SHA384 }, 106 # ifdef OPENSSL_HAS_NISTP521 107 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, 108 SSH_DIGEST_SHA512 }, 109 # endif /* OPENSSL_HAS_NISTP521 */ 110 #endif /* OPENSSL_HAS_ECC */ 111 #endif /* WITH_OPENSSL */ 112 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) 113 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 114 { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 115 #ifdef USE_SNTRUP761X25519 116 { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, 117 SSH_DIGEST_SHA512 }, 118 #endif 119 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 120 { NULL, 0, -1, -1}, 121 }; 122 123 char * 124 kex_alg_list(char sep) 125 { 126 char *ret = NULL, *tmp; 127 size_t nlen, rlen = 0; 128 const struct kexalg *k; 129 130 for (k = kexalgs; k->name != NULL; k++) { 131 if (ret != NULL) 132 ret[rlen++] = sep; 133 nlen = strlen(k->name); 134 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 135 free(ret); 136 return NULL; 137 } 138 ret = tmp; 139 memcpy(ret + rlen, k->name, nlen + 1); 140 rlen += nlen; 141 } 142 return ret; 143 } 144 145 static const struct kexalg * 146 kex_alg_by_name(const char *name) 147 { 148 const struct kexalg *k; 149 150 for (k = kexalgs; k->name != NULL; k++) { 151 if (strcmp(k->name, name) == 0) 152 return k; 153 } 154 return NULL; 155 } 156 157 /* Validate KEX method name list */ 158 int 159 kex_names_valid(const char *names) 160 { 161 char *s, *cp, *p; 162 163 if (names == NULL || strcmp(names, "") == 0) 164 return 0; 165 if ((s = cp = strdup(names)) == NULL) 166 return 0; 167 for ((p = strsep(&cp, ",")); p && *p != '\0'; 168 (p = strsep(&cp, ","))) { 169 if (kex_alg_by_name(p) == NULL) { 170 error("Unsupported KEX algorithm \"%.100s\"", p); 171 free(s); 172 return 0; 173 } 174 } 175 debug3("kex names ok: [%s]", names); 176 free(s); 177 return 1; 178 } 179 180 /* returns non-zero if proposal contains any algorithm from algs */ 181 static int 182 has_any_alg(const char *proposal, const char *algs) 183 { 184 char *cp; 185 186 if ((cp = match_list(proposal, algs, NULL)) == NULL) 187 return 0; 188 free(cp); 189 return 1; 190 } 191 192 /* 193 * Concatenate algorithm names, avoiding duplicates in the process. 194 * Caller must free returned string. 195 */ 196 char * 197 kex_names_cat(const char *a, const char *b) 198 { 199 char *ret = NULL, *tmp = NULL, *cp, *p; 200 size_t len; 201 202 if (a == NULL || *a == '\0') 203 return strdup(b); 204 if (b == NULL || *b == '\0') 205 return strdup(a); 206 if (strlen(b) > 1024*1024) 207 return NULL; 208 len = strlen(a) + strlen(b) + 2; 209 if ((tmp = cp = strdup(b)) == NULL || 210 (ret = calloc(1, len)) == NULL) { 211 free(tmp); 212 return NULL; 213 } 214 strlcpy(ret, a, len); 215 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { 216 if (has_any_alg(ret, p)) 217 continue; /* Algorithm already present */ 218 if (strlcat(ret, ",", len) >= len || 219 strlcat(ret, p, len) >= len) { 220 free(tmp); 221 free(ret); 222 return NULL; /* Shouldn't happen */ 223 } 224 } 225 free(tmp); 226 return ret; 227 } 228 229 /* 230 * Assemble a list of algorithms from a default list and a string from a 231 * configuration file. The user-provided string may begin with '+' to 232 * indicate that it should be appended to the default, '-' that the 233 * specified names should be removed, or '^' that they should be placed 234 * at the head. 235 */ 236 int 237 kex_assemble_names(char **listp, const char *def, const char *all) 238 { 239 char *cp, *tmp, *patterns; 240 char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL; 241 int r = SSH_ERR_INTERNAL_ERROR; 242 243 if (listp == NULL || def == NULL || all == NULL) 244 return SSH_ERR_INVALID_ARGUMENT; 245 246 if (*listp == NULL || **listp == '\0') { 247 if ((*listp = strdup(def)) == NULL) 248 return SSH_ERR_ALLOC_FAIL; 249 return 0; 250 } 251 252 list = *listp; 253 *listp = NULL; 254 if (*list == '+') { 255 /* Append names to default list */ 256 if ((tmp = kex_names_cat(def, list + 1)) == NULL) { 257 r = SSH_ERR_ALLOC_FAIL; 258 goto fail; 259 } 260 free(list); 261 list = tmp; 262 } else if (*list == '-') { 263 /* Remove names from default list */ 264 if ((*listp = match_filter_denylist(def, list + 1)) == NULL) { 265 r = SSH_ERR_ALLOC_FAIL; 266 goto fail; 267 } 268 free(list); 269 /* filtering has already been done */ 270 return 0; 271 } else if (*list == '^') { 272 /* Place names at head of default list */ 273 if ((tmp = kex_names_cat(list + 1, def)) == NULL) { 274 r = SSH_ERR_ALLOC_FAIL; 275 goto fail; 276 } 277 free(list); 278 list = tmp; 279 } else { 280 /* Explicit list, overrides default - just use "list" as is */ 281 } 282 283 /* 284 * The supplied names may be a pattern-list. For the -list case, 285 * the patterns are applied above. For the +list and explicit list 286 * cases we need to do it now. 287 */ 288 ret = NULL; 289 if ((patterns = opatterns = strdup(list)) == NULL) { 290 r = SSH_ERR_ALLOC_FAIL; 291 goto fail; 292 } 293 /* Apply positive (i.e. non-negated) patterns from the list */ 294 while ((cp = strsep(&patterns, ",")) != NULL) { 295 if (*cp == '!') { 296 /* negated matches are not supported here */ 297 r = SSH_ERR_INVALID_ARGUMENT; 298 goto fail; 299 } 300 free(matching); 301 if ((matching = match_filter_allowlist(all, cp)) == NULL) { 302 r = SSH_ERR_ALLOC_FAIL; 303 goto fail; 304 } 305 if ((tmp = kex_names_cat(ret, matching)) == NULL) { 306 r = SSH_ERR_ALLOC_FAIL; 307 goto fail; 308 } 309 free(ret); 310 ret = tmp; 311 } 312 if (ret == NULL || *ret == '\0') { 313 /* An empty name-list is an error */ 314 /* XXX better error code? */ 315 r = SSH_ERR_INVALID_ARGUMENT; 316 goto fail; 317 } 318 319 /* success */ 320 *listp = ret; 321 ret = NULL; 322 r = 0; 323 324 fail: 325 free(matching); 326 free(opatterns); 327 free(list); 328 free(ret); 329 return r; 330 } 331 332 /* 333 * Fill out a proposal array with dynamically allocated values, which may 334 * be modified as required for compatibility reasons. 335 * Any of the options may be NULL, in which case the default is used. 336 * Array contents must be freed by calling kex_proposal_free_entries. 337 */ 338 void 339 kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX], 340 const char *kexalgos, const char *ciphers, const char *macs, 341 const char *comp, const char *hkalgs) 342 { 343 const char *defpropserver[PROPOSAL_MAX] = { KEX_SERVER }; 344 const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT }; 345 const char **defprop = ssh->kex->server ? defpropserver : defpropclient; 346 u_int i; 347 char *cp; 348 349 if (prop == NULL) 350 fatal_f("proposal missing"); 351 352 /* Append EXT_INFO signalling to KexAlgorithms */ 353 if (kexalgos == NULL) 354 kexalgos = defprop[PROPOSAL_KEX_ALGS]; 355 if ((cp = kex_names_cat(kexalgos, ssh->kex->server ? 356 "ext-info-s,kex-strict-s-v00@openssh.com" : 357 "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) 358 fatal_f("kex_names_cat"); 359 360 for (i = 0; i < PROPOSAL_MAX; i++) { 361 switch(i) { 362 case PROPOSAL_KEX_ALGS: 363 prop[i] = compat_kex_proposal(ssh, cp); 364 break; 365 case PROPOSAL_ENC_ALGS_CTOS: 366 case PROPOSAL_ENC_ALGS_STOC: 367 prop[i] = xstrdup(ciphers ? ciphers : defprop[i]); 368 break; 369 case PROPOSAL_MAC_ALGS_CTOS: 370 case PROPOSAL_MAC_ALGS_STOC: 371 prop[i] = xstrdup(macs ? macs : defprop[i]); 372 break; 373 case PROPOSAL_COMP_ALGS_CTOS: 374 case PROPOSAL_COMP_ALGS_STOC: 375 prop[i] = xstrdup(comp ? comp : defprop[i]); 376 break; 377 case PROPOSAL_SERVER_HOST_KEY_ALGS: 378 prop[i] = xstrdup(hkalgs ? hkalgs : defprop[i]); 379 break; 380 default: 381 prop[i] = xstrdup(defprop[i]); 382 } 383 } 384 free(cp); 385 } 386 387 void 388 kex_proposal_free_entries(char *prop[PROPOSAL_MAX]) 389 { 390 u_int i; 391 392 for (i = 0; i < PROPOSAL_MAX; i++) 393 free(prop[i]); 394 } 395 396 /* put algorithm proposal into buffer */ 397 int 398 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) 399 { 400 u_int i; 401 int r; 402 403 sshbuf_reset(b); 404 405 /* 406 * add a dummy cookie, the cookie will be overwritten by 407 * kex_send_kexinit(), each time a kexinit is set 408 */ 409 for (i = 0; i < KEX_COOKIE_LEN; i++) { 410 if ((r = sshbuf_put_u8(b, 0)) != 0) 411 return r; 412 } 413 for (i = 0; i < PROPOSAL_MAX; i++) { 414 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0) 415 return r; 416 } 417 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */ 418 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */ 419 return r; 420 return 0; 421 } 422 423 /* parse buffer and return algorithm proposal */ 424 int 425 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) 426 { 427 struct sshbuf *b = NULL; 428 u_char v; 429 u_int i; 430 char **proposal = NULL; 431 int r; 432 433 *propp = NULL; 434 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL) 435 return SSH_ERR_ALLOC_FAIL; 436 if ((b = sshbuf_fromb(raw)) == NULL) { 437 r = SSH_ERR_ALLOC_FAIL; 438 goto out; 439 } 440 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */ 441 error_fr(r, "consume cookie"); 442 goto out; 443 } 444 /* extract kex init proposal strings */ 445 for (i = 0; i < PROPOSAL_MAX; i++) { 446 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) { 447 error_fr(r, "parse proposal %u", i); 448 goto out; 449 } 450 debug2("%s: %s", proposal_names[i], proposal[i]); 451 } 452 /* first kex follows / reserved */ 453 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ 454 (r = sshbuf_get_u32(b, &i)) != 0) { /* reserved */ 455 error_fr(r, "parse"); 456 goto out; 457 } 458 if (first_kex_follows != NULL) 459 *first_kex_follows = v; 460 debug2("first_kex_follows %d ", v); 461 debug2("reserved %u ", i); 462 r = 0; 463 *propp = proposal; 464 out: 465 if (r != 0 && proposal != NULL) 466 kex_prop_free(proposal); 467 sshbuf_free(b); 468 return r; 469 } 470 471 void 472 kex_prop_free(char **proposal) 473 { 474 u_int i; 475 476 if (proposal == NULL) 477 return; 478 for (i = 0; i < PROPOSAL_MAX; i++) 479 free(proposal[i]); 480 free(proposal); 481 } 482 483 int 484 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) 485 { 486 int r; 487 488 /* If in strict mode, any unexpected message is an error */ 489 if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) { 490 ssh_packet_disconnect(ssh, "strict KEX violation: " 491 "unexpected packet type %u (seqnr %u)", type, seq); 492 } 493 error_f("type %u seq %u", type, seq); 494 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || 495 (r = sshpkt_put_u32(ssh, seq)) != 0 || 496 (r = sshpkt_send(ssh)) != 0) 497 return r; 498 return 0; 499 } 500 501 static void 502 kex_reset_dispatch(struct ssh *ssh) 503 { 504 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN, 505 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); 506 } 507 508 void 509 kex_set_server_sig_algs(struct ssh *ssh, const char *allowed_algs) 510 { 511 char *alg, *oalgs, *algs, *sigalgs; 512 const char *sigalg; 513 514 /* 515 * NB. allowed algorithms may contain certificate algorithms that 516 * map to a specific plain signature type, e.g. 517 * rsa-sha2-512-cert-v01@openssh.com => rsa-sha2-512 518 * We need to be careful here to match these, retain the mapping 519 * and only add each signature algorithm once. 520 */ 521 if ((sigalgs = sshkey_alg_list(0, 1, 1, ',')) == NULL) 522 fatal_f("sshkey_alg_list failed"); 523 oalgs = algs = xstrdup(allowed_algs); 524 free(ssh->kex->server_sig_algs); 525 ssh->kex->server_sig_algs = NULL; 526 for ((alg = strsep(&algs, ",")); alg != NULL && *alg != '\0'; 527 (alg = strsep(&algs, ","))) { 528 if ((sigalg = sshkey_sigalg_by_name(alg)) == NULL) 529 continue; 530 if (!has_any_alg(sigalg, sigalgs)) 531 continue; 532 /* Don't add an algorithm twice. */ 533 if (ssh->kex->server_sig_algs != NULL && 534 has_any_alg(sigalg, ssh->kex->server_sig_algs)) 535 continue; 536 xextendf(&ssh->kex->server_sig_algs, ",", "%s", sigalg); 537 } 538 free(oalgs); 539 free(sigalgs); 540 if (ssh->kex->server_sig_algs == NULL) 541 ssh->kex->server_sig_algs = xstrdup(""); 542 } 543 544 static int 545 kex_compose_ext_info_server(struct ssh *ssh, struct sshbuf *m) 546 { 547 int r; 548 549 if (ssh->kex->server_sig_algs == NULL && 550 (ssh->kex->server_sig_algs = sshkey_alg_list(0, 1, 1, ',')) == NULL) 551 return SSH_ERR_ALLOC_FAIL; 552 if ((r = sshbuf_put_u32(m, 3)) != 0 || 553 (r = sshbuf_put_cstring(m, "server-sig-algs")) != 0 || 554 (r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0 || 555 (r = sshbuf_put_cstring(m, 556 "publickey-hostbound@openssh.com")) != 0 || 557 (r = sshbuf_put_cstring(m, "0")) != 0 || 558 (r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 || 559 (r = sshbuf_put_cstring(m, "0")) != 0) { 560 error_fr(r, "compose"); 561 return r; 562 } 563 return 0; 564 } 565 566 static int 567 kex_compose_ext_info_client(struct ssh *ssh, struct sshbuf *m) 568 { 569 int r; 570 571 if ((r = sshbuf_put_u32(m, 1)) != 0 || 572 (r = sshbuf_put_cstring(m, "ext-info-in-auth@openssh.com")) != 0 || 573 (r = sshbuf_put_cstring(m, "0")) != 0) { 574 error_fr(r, "compose"); 575 goto out; 576 } 577 /* success */ 578 r = 0; 579 out: 580 return r; 581 } 582 583 static int 584 kex_maybe_send_ext_info(struct ssh *ssh) 585 { 586 int r; 587 struct sshbuf *m = NULL; 588 589 if ((ssh->kex->flags & KEX_INITIAL) == 0) 590 return 0; 591 if (!ssh->kex->ext_info_c && !ssh->kex->ext_info_s) 592 return 0; 593 594 /* Compose EXT_INFO packet. */ 595 if ((m = sshbuf_new()) == NULL) 596 fatal_f("sshbuf_new failed"); 597 if (ssh->kex->ext_info_c && 598 (r = kex_compose_ext_info_server(ssh, m)) != 0) 599 goto fail; 600 if (ssh->kex->ext_info_s && 601 (r = kex_compose_ext_info_client(ssh, m)) != 0) 602 goto fail; 603 604 /* Send the actual KEX_INFO packet */ 605 debug("Sending SSH2_MSG_EXT_INFO"); 606 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || 607 (r = sshpkt_putb(ssh, m)) != 0 || 608 (r = sshpkt_send(ssh)) != 0) { 609 error_f("send EXT_INFO"); 610 goto fail; 611 } 612 613 r = 0; 614 615 fail: 616 sshbuf_free(m); 617 return r; 618 } 619 620 int 621 kex_server_update_ext_info(struct ssh *ssh) 622 { 623 int r; 624 625 if ((ssh->kex->flags & KEX_HAS_EXT_INFO_IN_AUTH) == 0) 626 return 0; 627 628 debug_f("Sending SSH2_MSG_EXT_INFO"); 629 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || 630 (r = sshpkt_put_u32(ssh, 1)) != 0 || 631 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || 632 (r = sshpkt_put_cstring(ssh, ssh->kex->server_sig_algs)) != 0 || 633 (r = sshpkt_send(ssh)) != 0) { 634 error_f("send EXT_INFO"); 635 return r; 636 } 637 return 0; 638 } 639 640 int 641 kex_send_newkeys(struct ssh *ssh) 642 { 643 int r; 644 645 kex_reset_dispatch(ssh); 646 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 || 647 (r = sshpkt_send(ssh)) != 0) 648 return r; 649 debug("SSH2_MSG_NEWKEYS sent"); 650 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); 651 if ((r = kex_maybe_send_ext_info(ssh)) != 0) 652 return r; 653 debug("expecting SSH2_MSG_NEWKEYS"); 654 return 0; 655 } 656 657 /* Check whether an ext_info value contains the expected version string */ 658 static int 659 kex_ext_info_check_ver(struct kex *kex, const char *name, 660 const u_char *val, size_t len, const char *want_ver, u_int flag) 661 { 662 if (memchr(val, '\0', len) != NULL) { 663 error("SSH2_MSG_EXT_INFO: %s value contains nul byte", name); 664 return SSH_ERR_INVALID_FORMAT; 665 } 666 debug_f("%s=<%s>", name, val); 667 if (strcmp(val, want_ver) == 0) 668 kex->flags |= flag; 669 else 670 debug_f("unsupported version of %s extension", name); 671 return 0; 672 } 673 674 static int 675 kex_ext_info_client_parse(struct ssh *ssh, const char *name, 676 const u_char *value, size_t vlen) 677 { 678 int r; 679 680 /* NB. some messages are only accepted in the initial EXT_INFO */ 681 if (strcmp(name, "server-sig-algs") == 0) { 682 /* Ensure no \0 lurking in value */ 683 if (memchr(value, '\0', vlen) != NULL) { 684 error_f("nul byte in %s", name); 685 return SSH_ERR_INVALID_FORMAT; 686 } 687 debug_f("%s=<%s>", name, value); 688 free(ssh->kex->server_sig_algs); 689 ssh->kex->server_sig_algs = xstrdup((const char *)value); 690 } else if (ssh->kex->ext_info_received == 1 && 691 strcmp(name, "publickey-hostbound@openssh.com") == 0) { 692 if ((r = kex_ext_info_check_ver(ssh->kex, name, value, vlen, 693 "0", KEX_HAS_PUBKEY_HOSTBOUND)) != 0) { 694 return r; 695 } 696 } else if (ssh->kex->ext_info_received == 1 && 697 strcmp(name, "ping@openssh.com") == 0) { 698 if ((r = kex_ext_info_check_ver(ssh->kex, name, value, vlen, 699 "0", KEX_HAS_PING)) != 0) { 700 return r; 701 } 702 } else 703 debug_f("%s (unrecognised)", name); 704 705 return 0; 706 } 707 708 static int 709 kex_ext_info_server_parse(struct ssh *ssh, const char *name, 710 const u_char *value, size_t vlen) 711 { 712 int r; 713 714 if (strcmp(name, "ext-info-in-auth@openssh.com") == 0) { 715 if ((r = kex_ext_info_check_ver(ssh->kex, name, value, vlen, 716 "0", KEX_HAS_EXT_INFO_IN_AUTH)) != 0) { 717 return r; 718 } 719 } else 720 debug_f("%s (unrecognised)", name); 721 return 0; 722 } 723 724 int 725 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) 726 { 727 struct kex *kex = ssh->kex; 728 const int max_ext_info = kex->server ? 1 : 2; 729 u_int32_t i, ninfo; 730 char *name; 731 u_char *val; 732 size_t vlen; 733 int r; 734 735 debug("SSH2_MSG_EXT_INFO received"); 736 if (++kex->ext_info_received > max_ext_info) { 737 error("too many SSH2_MSG_EXT_INFO messages sent by peer"); 738 return dispatch_protocol_error(type, seq, ssh); 739 } 740 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); 741 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) 742 return r; 743 if (ninfo >= 1024) { 744 error("SSH2_MSG_EXT_INFO with too many entries, expected " 745 "<=1024, received %u", ninfo); 746 return dispatch_protocol_error(type, seq, ssh); 747 } 748 for (i = 0; i < ninfo; i++) { 749 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) 750 return r; 751 if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) { 752 free(name); 753 return r; 754 } 755 debug3_f("extension %s", name); 756 if (kex->server) { 757 if ((r = kex_ext_info_server_parse(ssh, name, 758 val, vlen)) != 0) 759 return r; 760 } else { 761 if ((r = kex_ext_info_client_parse(ssh, name, 762 val, vlen)) != 0) 763 return r; 764 } 765 free(name); 766 free(val); 767 } 768 return sshpkt_get_end(ssh); 769 } 770 771 static int 772 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh) 773 { 774 struct kex *kex = ssh->kex; 775 int r; 776 777 debug("SSH2_MSG_NEWKEYS received"); 778 if (kex->ext_info_c && (kex->flags & KEX_INITIAL) != 0) 779 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_input_ext_info); 780 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); 781 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 782 if ((r = sshpkt_get_end(ssh)) != 0) 783 return r; 784 if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) 785 return r; 786 kex->done = 1; 787 kex->flags &= ~KEX_INITIAL; 788 sshbuf_reset(kex->peer); 789 /* sshbuf_reset(kex->my); */ 790 kex->flags &= ~KEX_INIT_SENT; 791 free(kex->name); 792 kex->name = NULL; 793 return 0; 794 } 795 796 int 797 kex_send_kexinit(struct ssh *ssh) 798 { 799 u_char *cookie; 800 struct kex *kex = ssh->kex; 801 int r; 802 803 if (kex == NULL) { 804 error_f("no kex"); 805 return SSH_ERR_INTERNAL_ERROR; 806 } 807 if (kex->flags & KEX_INIT_SENT) 808 return 0; 809 kex->done = 0; 810 811 /* generate a random cookie */ 812 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) { 813 error_f("bad kex length: %zu < %d", 814 sshbuf_len(kex->my), KEX_COOKIE_LEN); 815 return SSH_ERR_INVALID_FORMAT; 816 } 817 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) { 818 error_f("buffer error"); 819 return SSH_ERR_INTERNAL_ERROR; 820 } 821 arc4random_buf(cookie, KEX_COOKIE_LEN); 822 823 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || 824 (r = sshpkt_putb(ssh, kex->my)) != 0 || 825 (r = sshpkt_send(ssh)) != 0) { 826 error_fr(r, "compose reply"); 827 return r; 828 } 829 debug("SSH2_MSG_KEXINIT sent"); 830 kex->flags |= KEX_INIT_SENT; 831 return 0; 832 } 833 834 int 835 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) 836 { 837 struct kex *kex = ssh->kex; 838 const u_char *ptr; 839 u_int i; 840 size_t dlen; 841 int r; 842 843 debug("SSH2_MSG_KEXINIT received"); 844 if (kex == NULL) { 845 error_f("no kex"); 846 return SSH_ERR_INTERNAL_ERROR; 847 } 848 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error); 849 ptr = sshpkt_ptr(ssh, &dlen); 850 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) 851 return r; 852 853 /* discard packet */ 854 for (i = 0; i < KEX_COOKIE_LEN; i++) { 855 if ((r = sshpkt_get_u8(ssh, NULL)) != 0) { 856 error_fr(r, "discard cookie"); 857 return r; 858 } 859 } 860 for (i = 0; i < PROPOSAL_MAX; i++) { 861 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) { 862 error_fr(r, "discard proposal"); 863 return r; 864 } 865 } 866 /* 867 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported 868 * KEX method has the server move first, but a server might be using 869 * a custom method or one that we otherwise don't support. We should 870 * be prepared to remember first_kex_follows here so we can eat a 871 * packet later. 872 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means 873 * for cases where the server *doesn't* go first. I guess we should 874 * ignore it when it is set for these cases, which is what we do now. 875 */ 876 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */ 877 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */ 878 (r = sshpkt_get_end(ssh)) != 0) 879 return r; 880 881 if (!(kex->flags & KEX_INIT_SENT)) 882 if ((r = kex_send_kexinit(ssh)) != 0) 883 return r; 884 if ((r = kex_choose_conf(ssh, seq)) != 0) 885 return r; 886 887 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) 888 return (kex->kex[kex->kex_type])(ssh); 889 890 error_f("unknown kex type %u", kex->kex_type); 891 return SSH_ERR_INTERNAL_ERROR; 892 } 893 894 struct kex * 895 kex_new(void) 896 { 897 struct kex *kex; 898 899 if ((kex = calloc(1, sizeof(*kex))) == NULL || 900 (kex->peer = sshbuf_new()) == NULL || 901 (kex->my = sshbuf_new()) == NULL || 902 (kex->client_version = sshbuf_new()) == NULL || 903 (kex->server_version = sshbuf_new()) == NULL || 904 (kex->session_id = sshbuf_new()) == NULL) { 905 kex_free(kex); 906 return NULL; 907 } 908 return kex; 909 } 910 911 void 912 kex_free_newkeys(struct newkeys *newkeys) 913 { 914 if (newkeys == NULL) 915 return; 916 if (newkeys->enc.key) { 917 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len); 918 free(newkeys->enc.key); 919 newkeys->enc.key = NULL; 920 } 921 if (newkeys->enc.iv) { 922 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); 923 free(newkeys->enc.iv); 924 newkeys->enc.iv = NULL; 925 } 926 free(newkeys->enc.name); 927 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc)); 928 free(newkeys->comp.name); 929 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp)); 930 mac_clear(&newkeys->mac); 931 if (newkeys->mac.key) { 932 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len); 933 free(newkeys->mac.key); 934 newkeys->mac.key = NULL; 935 } 936 free(newkeys->mac.name); 937 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac)); 938 freezero(newkeys, sizeof(*newkeys)); 939 } 940 941 void 942 kex_free(struct kex *kex) 943 { 944 u_int mode; 945 946 if (kex == NULL) 947 return; 948 949 #ifdef WITH_OPENSSL 950 DH_free(kex->dh); 951 #ifdef OPENSSL_HAS_ECC 952 EC_KEY_free(kex->ec_client_key); 953 #endif /* OPENSSL_HAS_ECC */ 954 #endif /* WITH_OPENSSL */ 955 for (mode = 0; mode < MODE_MAX; mode++) { 956 kex_free_newkeys(kex->newkeys[mode]); 957 kex->newkeys[mode] = NULL; 958 } 959 sshbuf_free(kex->peer); 960 sshbuf_free(kex->my); 961 sshbuf_free(kex->client_version); 962 sshbuf_free(kex->server_version); 963 sshbuf_free(kex->client_pub); 964 sshbuf_free(kex->session_id); 965 sshbuf_free(kex->initial_sig); 966 sshkey_free(kex->initial_hostkey); 967 free(kex->failed_choice); 968 free(kex->hostkey_alg); 969 free(kex->name); 970 free(kex); 971 } 972 973 int 974 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) 975 { 976 int r; 977 978 if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0) 979 return r; 980 ssh->kex->flags = KEX_INITIAL; 981 kex_reset_dispatch(ssh); 982 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 983 return 0; 984 } 985 986 int 987 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) 988 { 989 int r; 990 991 if ((r = kex_ready(ssh, proposal)) != 0) 992 return r; 993 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */ 994 kex_free(ssh->kex); 995 ssh->kex = NULL; 996 return r; 997 } 998 return 0; 999 } 1000 1001 /* 1002 * Request key re-exchange, returns 0 on success or a ssherr.h error 1003 * code otherwise. Must not be called if KEX is incomplete or in-progress. 1004 */ 1005 int 1006 kex_start_rekex(struct ssh *ssh) 1007 { 1008 if (ssh->kex == NULL) { 1009 error_f("no kex"); 1010 return SSH_ERR_INTERNAL_ERROR; 1011 } 1012 if (ssh->kex->done == 0) { 1013 error_f("requested twice"); 1014 return SSH_ERR_INTERNAL_ERROR; 1015 } 1016 ssh->kex->done = 0; 1017 return kex_send_kexinit(ssh); 1018 } 1019 1020 static int 1021 choose_enc(struct sshenc *enc, char *client, char *server) 1022 { 1023 char *name = match_list(client, server, NULL); 1024 1025 if (name == NULL) 1026 return SSH_ERR_NO_CIPHER_ALG_MATCH; 1027 if ((enc->cipher = cipher_by_name(name)) == NULL) { 1028 error_f("unsupported cipher %s", name); 1029 free(name); 1030 return SSH_ERR_INTERNAL_ERROR; 1031 } 1032 enc->name = name; 1033 enc->enabled = 0; 1034 enc->iv = NULL; 1035 enc->iv_len = cipher_ivlen(enc->cipher); 1036 enc->key = NULL; 1037 enc->key_len = cipher_keylen(enc->cipher); 1038 enc->block_size = cipher_blocksize(enc->cipher); 1039 return 0; 1040 } 1041 1042 static int 1043 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) 1044 { 1045 char *name = match_list(client, server, NULL); 1046 1047 if (name == NULL) 1048 return SSH_ERR_NO_MAC_ALG_MATCH; 1049 if (mac_setup(mac, name) < 0) { 1050 error_f("unsupported MAC %s", name); 1051 free(name); 1052 return SSH_ERR_INTERNAL_ERROR; 1053 } 1054 mac->name = name; 1055 mac->key = NULL; 1056 mac->enabled = 0; 1057 return 0; 1058 } 1059 1060 static int 1061 choose_comp(struct sshcomp *comp, char *client, char *server) 1062 { 1063 char *name = match_list(client, server, NULL); 1064 1065 if (name == NULL) 1066 return SSH_ERR_NO_COMPRESS_ALG_MATCH; 1067 #ifdef WITH_ZLIB 1068 if (strcmp(name, "zlib@openssh.com") == 0) { 1069 comp->type = COMP_DELAYED; 1070 } else if (strcmp(name, "zlib") == 0) { 1071 comp->type = COMP_ZLIB; 1072 } else 1073 #endif /* WITH_ZLIB */ 1074 if (strcmp(name, "none") == 0) { 1075 comp->type = COMP_NONE; 1076 } else { 1077 error_f("unsupported compression scheme %s", name); 1078 free(name); 1079 return SSH_ERR_INTERNAL_ERROR; 1080 } 1081 comp->name = name; 1082 return 0; 1083 } 1084 1085 static int 1086 choose_kex(struct kex *k, char *client, char *server) 1087 { 1088 const struct kexalg *kexalg; 1089 1090 k->name = match_list(client, server, NULL); 1091 1092 debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); 1093 if (k->name == NULL) 1094 return SSH_ERR_NO_KEX_ALG_MATCH; 1095 if ((kexalg = kex_alg_by_name(k->name)) == NULL) { 1096 error_f("unsupported KEX method %s", k->name); 1097 return SSH_ERR_INTERNAL_ERROR; 1098 } 1099 k->kex_type = kexalg->type; 1100 k->hash_alg = kexalg->hash_alg; 1101 k->ec_nid = kexalg->ec_nid; 1102 return 0; 1103 } 1104 1105 static int 1106 choose_hostkeyalg(struct kex *k, char *client, char *server) 1107 { 1108 free(k->hostkey_alg); 1109 k->hostkey_alg = match_list(client, server, NULL); 1110 1111 debug("kex: host key algorithm: %s", 1112 k->hostkey_alg ? k->hostkey_alg : "(no match)"); 1113 if (k->hostkey_alg == NULL) 1114 return SSH_ERR_NO_HOSTKEY_ALG_MATCH; 1115 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); 1116 if (k->hostkey_type == KEY_UNSPEC) { 1117 error_f("unsupported hostkey algorithm %s", k->hostkey_alg); 1118 return SSH_ERR_INTERNAL_ERROR; 1119 } 1120 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); 1121 return 0; 1122 } 1123 1124 static int 1125 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) 1126 { 1127 static int check[] = { 1128 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 1129 }; 1130 int *idx; 1131 char *p; 1132 1133 for (idx = &check[0]; *idx != -1; idx++) { 1134 if ((p = strchr(my[*idx], ',')) != NULL) 1135 *p = '\0'; 1136 if ((p = strchr(peer[*idx], ',')) != NULL) 1137 *p = '\0'; 1138 if (strcmp(my[*idx], peer[*idx]) != 0) { 1139 debug2("proposal mismatch: my %s peer %s", 1140 my[*idx], peer[*idx]); 1141 return (0); 1142 } 1143 } 1144 debug2("proposals match"); 1145 return (1); 1146 } 1147 1148 static int 1149 kexalgs_contains(char **peer, const char *ext) 1150 { 1151 return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext); 1152 } 1153 1154 static int 1155 kex_choose_conf(struct ssh *ssh, uint32_t seq) 1156 { 1157 struct kex *kex = ssh->kex; 1158 struct newkeys *newkeys; 1159 char **my = NULL, **peer = NULL; 1160 char **cprop, **sprop; 1161 int nenc, nmac, ncomp; 1162 u_int mode, ctos, need, dh_need, authlen; 1163 int r, first_kex_follows; 1164 1165 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); 1166 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) 1167 goto out; 1168 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); 1169 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) 1170 goto out; 1171 1172 if (kex->server) { 1173 cprop=peer; 1174 sprop=my; 1175 } else { 1176 cprop=my; 1177 sprop=peer; 1178 } 1179 1180 /* Check whether peer supports ext_info/kex_strict */ 1181 if ((kex->flags & KEX_INITIAL) != 0) { 1182 if (kex->server) { 1183 kex->ext_info_c = kexalgs_contains(peer, "ext-info-c"); 1184 kex->kex_strict = kexalgs_contains(peer, 1185 "kex-strict-c-v00@openssh.com"); 1186 } else { 1187 kex->ext_info_s = kexalgs_contains(peer, "ext-info-s"); 1188 kex->kex_strict = kexalgs_contains(peer, 1189 "kex-strict-s-v00@openssh.com"); 1190 } 1191 if (kex->kex_strict) { 1192 debug3_f("will use strict KEX ordering"); 1193 if (seq != 0) 1194 ssh_packet_disconnect(ssh, 1195 "strict KEX violation: " 1196 "KEXINIT was not the first packet"); 1197 } 1198 } 1199 1200 /* Check whether client supports rsa-sha2 algorithms */ 1201 if (kex->server && (kex->flags & KEX_INITIAL)) { 1202 if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS], 1203 "rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com")) 1204 kex->flags |= KEX_RSA_SHA2_256_SUPPORTED; 1205 if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS], 1206 "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com")) 1207 kex->flags |= KEX_RSA_SHA2_512_SUPPORTED; 1208 } 1209 1210 /* Algorithm Negotiation */ 1211 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], 1212 sprop[PROPOSAL_KEX_ALGS])) != 0) { 1213 kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; 1214 peer[PROPOSAL_KEX_ALGS] = NULL; 1215 goto out; 1216 } 1217 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], 1218 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { 1219 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; 1220 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; 1221 goto out; 1222 } 1223 for (mode = 0; mode < MODE_MAX; mode++) { 1224 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { 1225 r = SSH_ERR_ALLOC_FAIL; 1226 goto out; 1227 } 1228 kex->newkeys[mode] = newkeys; 1229 ctos = (!kex->server && mode == MODE_OUT) || 1230 (kex->server && mode == MODE_IN); 1231 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 1232 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 1233 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 1234 if ((r = choose_enc(&newkeys->enc, cprop[nenc], 1235 sprop[nenc])) != 0) { 1236 kex->failed_choice = peer[nenc]; 1237 peer[nenc] = NULL; 1238 goto out; 1239 } 1240 authlen = cipher_authlen(newkeys->enc.cipher); 1241 /* ignore mac for authenticated encryption */ 1242 if (authlen == 0 && 1243 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], 1244 sprop[nmac])) != 0) { 1245 kex->failed_choice = peer[nmac]; 1246 peer[nmac] = NULL; 1247 goto out; 1248 } 1249 if ((r = choose_comp(&newkeys->comp, cprop[ncomp], 1250 sprop[ncomp])) != 0) { 1251 kex->failed_choice = peer[ncomp]; 1252 peer[ncomp] = NULL; 1253 goto out; 1254 } 1255 debug("kex: %s cipher: %s MAC: %s compression: %s", 1256 ctos ? "client->server" : "server->client", 1257 newkeys->enc.name, 1258 authlen == 0 ? newkeys->mac.name : "<implicit>", 1259 newkeys->comp.name); 1260 } 1261 need = dh_need = 0; 1262 for (mode = 0; mode < MODE_MAX; mode++) { 1263 newkeys = kex->newkeys[mode]; 1264 need = MAXIMUM(need, newkeys->enc.key_len); 1265 need = MAXIMUM(need, newkeys->enc.block_size); 1266 need = MAXIMUM(need, newkeys->enc.iv_len); 1267 need = MAXIMUM(need, newkeys->mac.key_len); 1268 dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher)); 1269 dh_need = MAXIMUM(dh_need, newkeys->enc.block_size); 1270 dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len); 1271 dh_need = MAXIMUM(dh_need, newkeys->mac.key_len); 1272 } 1273 /* XXX need runden? */ 1274 kex->we_need = need; 1275 kex->dh_need = dh_need; 1276 1277 /* ignore the next message if the proposals do not match */ 1278 if (first_kex_follows && !proposals_match(my, peer)) 1279 ssh->dispatch_skip_packets = 1; 1280 r = 0; 1281 out: 1282 kex_prop_free(my); 1283 kex_prop_free(peer); 1284 return r; 1285 } 1286 1287 static int 1288 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, 1289 const struct sshbuf *shared_secret, u_char **keyp) 1290 { 1291 struct kex *kex = ssh->kex; 1292 struct ssh_digest_ctx *hashctx = NULL; 1293 char c = id; 1294 u_int have; 1295 size_t mdsz; 1296 u_char *digest; 1297 int r; 1298 1299 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) 1300 return SSH_ERR_INVALID_ARGUMENT; 1301 if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) { 1302 r = SSH_ERR_ALLOC_FAIL; 1303 goto out; 1304 } 1305 1306 /* K1 = HASH(K || H || "A" || session_id) */ 1307 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 1308 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 1309 ssh_digest_update(hashctx, hash, hashlen) != 0 || 1310 ssh_digest_update(hashctx, &c, 1) != 0 || 1311 ssh_digest_update_buffer(hashctx, kex->session_id) != 0 || 1312 ssh_digest_final(hashctx, digest, mdsz) != 0) { 1313 r = SSH_ERR_LIBCRYPTO_ERROR; 1314 error_f("KEX hash failed"); 1315 goto out; 1316 } 1317 ssh_digest_free(hashctx); 1318 hashctx = NULL; 1319 1320 /* 1321 * expand key: 1322 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) 1323 * Key = K1 || K2 || ... || Kn 1324 */ 1325 for (have = mdsz; need > have; have += mdsz) { 1326 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 1327 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 1328 ssh_digest_update(hashctx, hash, hashlen) != 0 || 1329 ssh_digest_update(hashctx, digest, have) != 0 || 1330 ssh_digest_final(hashctx, digest + have, mdsz) != 0) { 1331 error_f("KDF failed"); 1332 r = SSH_ERR_LIBCRYPTO_ERROR; 1333 goto out; 1334 } 1335 ssh_digest_free(hashctx); 1336 hashctx = NULL; 1337 } 1338 #ifdef DEBUG_KEX 1339 fprintf(stderr, "key '%c'== ", c); 1340 dump_digest("key", digest, need); 1341 #endif 1342 *keyp = digest; 1343 digest = NULL; 1344 r = 0; 1345 out: 1346 free(digest); 1347 ssh_digest_free(hashctx); 1348 return r; 1349 } 1350 1351 #define NKEYS 6 1352 int 1353 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen, 1354 const struct sshbuf *shared_secret) 1355 { 1356 struct kex *kex = ssh->kex; 1357 u_char *keys[NKEYS]; 1358 u_int i, j, mode, ctos; 1359 int r; 1360 1361 /* save initial hash as session id */ 1362 if ((kex->flags & KEX_INITIAL) != 0) { 1363 if (sshbuf_len(kex->session_id) != 0) { 1364 error_f("already have session ID at kex"); 1365 return SSH_ERR_INTERNAL_ERROR; 1366 } 1367 if ((r = sshbuf_put(kex->session_id, hash, hashlen)) != 0) 1368 return r; 1369 } else if (sshbuf_len(kex->session_id) == 0) { 1370 error_f("no session ID in rekex"); 1371 return SSH_ERR_INTERNAL_ERROR; 1372 } 1373 for (i = 0; i < NKEYS; i++) { 1374 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, 1375 shared_secret, &keys[i])) != 0) { 1376 for (j = 0; j < i; j++) 1377 free(keys[j]); 1378 return r; 1379 } 1380 } 1381 for (mode = 0; mode < MODE_MAX; mode++) { 1382 ctos = (!kex->server && mode == MODE_OUT) || 1383 (kex->server && mode == MODE_IN); 1384 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1]; 1385 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3]; 1386 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5]; 1387 } 1388 return 0; 1389 } 1390 1391 int 1392 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp) 1393 { 1394 struct kex *kex = ssh->kex; 1395 1396 *pubp = NULL; 1397 *prvp = NULL; 1398 if (kex->load_host_public_key == NULL || 1399 kex->load_host_private_key == NULL) { 1400 error_f("missing hostkey loader"); 1401 return SSH_ERR_INVALID_ARGUMENT; 1402 } 1403 *pubp = kex->load_host_public_key(kex->hostkey_type, 1404 kex->hostkey_nid, ssh); 1405 *prvp = kex->load_host_private_key(kex->hostkey_type, 1406 kex->hostkey_nid, ssh); 1407 if (*pubp == NULL) 1408 return SSH_ERR_NO_HOSTKEY_LOADED; 1409 return 0; 1410 } 1411 1412 int 1413 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key) 1414 { 1415 struct kex *kex = ssh->kex; 1416 1417 if (kex->verify_host_key == NULL) { 1418 error_f("missing hostkey verifier"); 1419 return SSH_ERR_INVALID_ARGUMENT; 1420 } 1421 if (server_host_key->type != kex->hostkey_type || 1422 (kex->hostkey_type == KEY_ECDSA && 1423 server_host_key->ecdsa_nid != kex->hostkey_nid)) 1424 return SSH_ERR_KEY_TYPE_MISMATCH; 1425 if (kex->verify_host_key(server_host_key, ssh) == -1) 1426 return SSH_ERR_SIGNATURE_INVALID; 1427 return 0; 1428 } 1429 1430 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) 1431 void 1432 dump_digest(const char *msg, const u_char *digest, int len) 1433 { 1434 fprintf(stderr, "%s\n", msg); 1435 sshbuf_dump_data(digest, len, stderr); 1436 } 1437 #endif 1438 1439 /* 1440 * Send a plaintext error message to the peer, suffixed by \r\n. 1441 * Only used during banner exchange, and there only for the server. 1442 */ 1443 static void 1444 send_error(struct ssh *ssh, char *msg) 1445 { 1446 char *crnl = "\r\n"; 1447 1448 if (!ssh->kex->server) 1449 return; 1450 1451 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1452 msg, strlen(msg)) != strlen(msg) || 1453 atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1454 crnl, strlen(crnl)) != strlen(crnl)) 1455 error_f("write: %.100s", strerror(errno)); 1456 } 1457 1458 /* 1459 * Sends our identification string and waits for the peer's. Will block for 1460 * up to timeout_ms (or indefinitely if timeout_ms <= 0). 1461 * Returns on 0 success or a ssherr.h code on failure. 1462 */ 1463 int 1464 kex_exchange_identification(struct ssh *ssh, int timeout_ms, 1465 const char *version_addendum) 1466 { 1467 int remote_major, remote_minor, mismatch, oerrno = 0; 1468 size_t len, n; 1469 int r, expect_nl; 1470 u_char c; 1471 struct sshbuf *our_version = ssh->kex->server ? 1472 ssh->kex->server_version : ssh->kex->client_version; 1473 struct sshbuf *peer_version = ssh->kex->server ? 1474 ssh->kex->client_version : ssh->kex->server_version; 1475 char *our_version_string = NULL, *peer_version_string = NULL; 1476 char *cp, *remote_version = NULL; 1477 1478 /* Prepare and send our banner */ 1479 sshbuf_reset(our_version); 1480 if (version_addendum != NULL && *version_addendum == '\0') 1481 version_addendum = NULL; 1482 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n", 1483 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, 1484 version_addendum == NULL ? "" : " ", 1485 version_addendum == NULL ? "" : version_addendum)) != 0) { 1486 oerrno = errno; 1487 error_fr(r, "sshbuf_putf"); 1488 goto out; 1489 } 1490 1491 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1492 sshbuf_mutable_ptr(our_version), 1493 sshbuf_len(our_version)) != sshbuf_len(our_version)) { 1494 oerrno = errno; 1495 debug_f("write: %.100s", strerror(errno)); 1496 r = SSH_ERR_SYSTEM_ERROR; 1497 goto out; 1498 } 1499 if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */ 1500 oerrno = errno; 1501 error_fr(r, "sshbuf_consume_end"); 1502 goto out; 1503 } 1504 our_version_string = sshbuf_dup_string(our_version); 1505 if (our_version_string == NULL) { 1506 error_f("sshbuf_dup_string failed"); 1507 r = SSH_ERR_ALLOC_FAIL; 1508 goto out; 1509 } 1510 debug("Local version string %.100s", our_version_string); 1511 1512 /* Read other side's version identification. */ 1513 for (n = 0; ; n++) { 1514 if (n >= SSH_MAX_PRE_BANNER_LINES) { 1515 send_error(ssh, "No SSH identification string " 1516 "received."); 1517 error_f("No SSH version received in first %u lines " 1518 "from server", SSH_MAX_PRE_BANNER_LINES); 1519 r = SSH_ERR_INVALID_FORMAT; 1520 goto out; 1521 } 1522 sshbuf_reset(peer_version); 1523 expect_nl = 0; 1524 for (;;) { 1525 if (timeout_ms > 0) { 1526 r = waitrfd(ssh_packet_get_connection_in(ssh), 1527 &timeout_ms, NULL); 1528 if (r == -1 && errno == ETIMEDOUT) { 1529 send_error(ssh, "Timed out waiting " 1530 "for SSH identification string."); 1531 error("Connection timed out during " 1532 "banner exchange"); 1533 r = SSH_ERR_CONN_TIMEOUT; 1534 goto out; 1535 } else if (r == -1) { 1536 oerrno = errno; 1537 error_f("%s", strerror(errno)); 1538 r = SSH_ERR_SYSTEM_ERROR; 1539 goto out; 1540 } 1541 } 1542 1543 len = atomicio(read, ssh_packet_get_connection_in(ssh), 1544 &c, 1); 1545 if (len != 1 && errno == EPIPE) { 1546 verbose_f("Connection closed by remote host"); 1547 r = SSH_ERR_CONN_CLOSED; 1548 goto out; 1549 } else if (len != 1) { 1550 oerrno = errno; 1551 error_f("read: %.100s", strerror(errno)); 1552 r = SSH_ERR_SYSTEM_ERROR; 1553 goto out; 1554 } 1555 if (c == '\r') { 1556 expect_nl = 1; 1557 continue; 1558 } 1559 if (c == '\n') 1560 break; 1561 if (c == '\0' || expect_nl) { 1562 verbose_f("banner line contains invalid " 1563 "characters"); 1564 goto invalid; 1565 } 1566 if ((r = sshbuf_put_u8(peer_version, c)) != 0) { 1567 oerrno = errno; 1568 error_fr(r, "sshbuf_put"); 1569 goto out; 1570 } 1571 if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) { 1572 verbose_f("banner line too long"); 1573 goto invalid; 1574 } 1575 } 1576 /* Is this an actual protocol banner? */ 1577 if (sshbuf_len(peer_version) > 4 && 1578 memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0) 1579 break; 1580 /* If not, then just log the line and continue */ 1581 if ((cp = sshbuf_dup_string(peer_version)) == NULL) { 1582 error_f("sshbuf_dup_string failed"); 1583 r = SSH_ERR_ALLOC_FAIL; 1584 goto out; 1585 } 1586 /* Do not accept lines before the SSH ident from a client */ 1587 if (ssh->kex->server) { 1588 verbose_f("client sent invalid protocol identifier " 1589 "\"%.256s\"", cp); 1590 free(cp); 1591 goto invalid; 1592 } 1593 debug_f("banner line %zu: %s", n, cp); 1594 free(cp); 1595 } 1596 peer_version_string = sshbuf_dup_string(peer_version); 1597 if (peer_version_string == NULL) 1598 fatal_f("sshbuf_dup_string failed"); 1599 /* XXX must be same size for sscanf */ 1600 if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) { 1601 error_f("calloc failed"); 1602 r = SSH_ERR_ALLOC_FAIL; 1603 goto out; 1604 } 1605 1606 /* 1607 * Check that the versions match. In future this might accept 1608 * several versions and set appropriate flags to handle them. 1609 */ 1610 if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n", 1611 &remote_major, &remote_minor, remote_version) != 3) { 1612 error("Bad remote protocol version identification: '%.100s'", 1613 peer_version_string); 1614 invalid: 1615 send_error(ssh, "Invalid SSH identification string."); 1616 r = SSH_ERR_INVALID_FORMAT; 1617 goto out; 1618 } 1619 debug("Remote protocol version %d.%d, remote software version %.100s", 1620 remote_major, remote_minor, remote_version); 1621 compat_banner(ssh, remote_version); 1622 1623 mismatch = 0; 1624 switch (remote_major) { 1625 case 2: 1626 break; 1627 case 1: 1628 if (remote_minor != 99) 1629 mismatch = 1; 1630 break; 1631 default: 1632 mismatch = 1; 1633 break; 1634 } 1635 if (mismatch) { 1636 error("Protocol major versions differ: %d vs. %d", 1637 PROTOCOL_MAJOR_2, remote_major); 1638 send_error(ssh, "Protocol major versions differ."); 1639 r = SSH_ERR_NO_PROTOCOL_VERSION; 1640 goto out; 1641 } 1642 1643 if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) { 1644 logit("probed from %s port %d with %s. Don't panic.", 1645 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 1646 peer_version_string); 1647 r = SSH_ERR_CONN_CLOSED; /* XXX */ 1648 goto out; 1649 } 1650 if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) { 1651 logit("scanned from %s port %d with %s. Don't panic.", 1652 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 1653 peer_version_string); 1654 r = SSH_ERR_CONN_CLOSED; /* XXX */ 1655 goto out; 1656 } 1657 /* success */ 1658 r = 0; 1659 out: 1660 free(our_version_string); 1661 free(peer_version_string); 1662 free(remote_version); 1663 if (r == SSH_ERR_SYSTEM_ERROR) 1664 errno = oerrno; 1665 return r; 1666 } 1667 1668