1 /* $OpenBSD: kex.c,v 1.131 2017/03/15 07:07:39 markus Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 
29 #include <signal.h>
30 #include <stdarg.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 
35 #ifdef WITH_OPENSSL
36 #include <openssl/crypto.h>
37 #include <openssl/dh.h>
38 #endif
39 
40 #include "ssh2.h"
41 #include "packet.h"
42 #include "compat.h"
43 #include "cipher.h"
44 #include "sshkey.h"
45 #include "kex.h"
46 #include "log.h"
47 #include "mac.h"
48 #include "match.h"
49 #include "misc.h"
50 #include "dispatch.h"
51 #include "monitor.h"
52 
53 #include "ssherr.h"
54 #include "sshbuf.h"
55 #include "digest.h"
56 
57 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
58 # if defined(HAVE_EVP_SHA256)
59 # define evp_ssh_sha256 EVP_sha256
60 # else
61 extern const EVP_MD *evp_ssh_sha256(void);
62 # endif
63 #endif
64 
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, void *);
68 
/*
 * Human-readable label for each KEXINIT proposal slot, indexed by the
 * PROPOSAL_* values; used by kex_buf2prop() for debug output only.
 */
static const char *proposal_names[PROPOSAL_MAX] = {
	"KEX algorithms",
	"host key algorithms",
	"ciphers ctos",
	"ciphers stoc",
	"MACs ctos",
	"MACs stoc",
	"compression ctos",
	"compression stoc",
	"languages ctos",
	"languages stoc",
};
81 
/* One entry of the supported key-exchange method table (kexalgs[]). */
struct kexalg {
	char *name;	/* method name as sent on the wire (a KEX_* string) */
	u_int type;	/* KEX_* method id; indexes kex->kex[] in kex_input_kexinit() */
	int ec_nid;	/* OpenSSL curve NID for ECDH methods, 0 otherwise */
	int hash_alg;	/* SSH_DIGEST_* used for the exchange hash and key derivation */
};
/*
 * Supported key exchange methods. Entries are compiled in only when the
 * underlying crypto is available (WITH_OPENSSL, HAVE_EVP_SHA256, ECC and
 * NIST P-521 support). The table ends with a NULL-name sentinel, which
 * kex_alg_list() and kex_alg_by_name() use as the end marker.
 */
static const struct kexalg kexalgs[] = {
#ifdef WITH_OPENSSL
	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
#ifdef HAVE_EVP_SHA256
	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 */
#ifdef OPENSSL_HAS_ECC
	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
	    SSH_DIGEST_SHA384 },
# ifdef OPENSSL_HAS_NISTP521
	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
	    SSH_DIGEST_SHA512 },
# endif /* OPENSSL_HAS_NISTP521 */
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
	{ NULL, -1, -1, -1},	/* sentinel */
};
116 
/*
 * Build a 'sep'-separated list of every method name in kexalgs[].
 * Returns a newly allocated string the caller must free(), or NULL when
 * the table is empty or an allocation fails.
 */
char *
kex_alg_list(char sep)
{
	const struct kexalg *entry;
	char *list = NULL, *grown;
	size_t used = 0, namelen;

	for (entry = kexalgs; entry->name != NULL; entry++) {
		/*
		 * The separator overwrites the NUL left by the previous
		 * iteration; the "+ 2" below reserves room for the new NUL
		 * and for the next separator.
		 */
		if (list != NULL)
			list[used++] = sep;
		namelen = strlen(entry->name);
		grown = realloc(list, used + namelen + 2);
		if (grown == NULL) {
			free(list);
			return NULL;
		}
		list = grown;
		memcpy(list + used, entry->name, namelen + 1); /* incl. NUL */
		used += namelen;
	}
	return list;
}
138 
/* Find the kexalgs[] entry whose wire name equals 'name'; NULL if unknown. */
static const struct kexalg *
kex_alg_by_name(const char *name)
{
	const struct kexalg *entry = kexalgs;

	while (entry->name != NULL) {
		if (strcmp(entry->name, name) == 0)
			break;
		entry++;
	}
	return entry->name != NULL ? entry : NULL;
}
150 
/*
 * Validate a comma-separated KEX method list: every element must be a
 * name in kexalgs[]. Returns 1 when valid and 0 when 'names' is NULL or
 * empty, contains an unknown method, or a copy cannot be allocated.
 * Scanning stops at the first empty element (e.g. a trailing comma).
 */
int
kex_names_valid(const char *names)
{
	char *copy, *cursor, *tok;
	int ok = 1;

	if (names == NULL || *names == '\0')
		return 0;
	if ((copy = strdup(names)) == NULL)
		return 0;
	cursor = copy;
	while ((tok = strsep(&cursor, ",")) != NULL && *tok != '\0') {
		if (kex_alg_by_name(tok) != NULL)
			continue;
		error("Unsupported KEX algorithm \"%.100s\"", tok);
		ok = 0;
		break;
	}
	if (ok)
		debug3("kex names ok: [%s]", names);
	free(copy);
	return ok;
}
173 
/*
 * Concatenate algorithm list 'a' with the elements of 'b' that are not
 * already present in 'a'. Returns a newly allocated string the caller
 * must free(); NULL when 'a' is NULL/empty, 'b' exceeds 1 MiB, or an
 * allocation fails. An empty 'b' yields a copy of 'a'.
 */
char *
kex_names_cat(const char *a, const char *b)
{
	char *out, *bcopy, *cursor, *tok, *dup;
	size_t cap;

	if (a == NULL || *a == '\0')
		return NULL;
	if (b == NULL || *b == '\0')
		return strdup(a);
	/* bound the configuration string before sizing the result */
	if (strlen(b) > 1024*1024)
		return NULL;
	cap = strlen(a) + strlen(b) + 2;
	if ((bcopy = strdup(b)) == NULL)
		return NULL;
	if ((out = calloc(1, cap)) == NULL) {
		free(bcopy);
		return NULL;
	}
	strlcpy(out, a, cap);
	cursor = bcopy;
	while ((tok = strsep(&cursor, ",")) != NULL && *tok != '\0') {
		dup = match_list(out, tok, NULL);
		if (dup != NULL) {
			free(dup);	/* already in the list */
			continue;
		}
		if (strlcat(out, ",", cap) >= cap ||
		    strlcat(out, tok, cap) >= cap) {
			free(bcopy);
			free(out);
			return NULL;	/* cannot happen: cap covers a and b */
		}
	}
	free(bcopy);
	return out;
}
212 
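/*
 * Assemble a list of algorithms from a default list and a string from a
 * configuration file. The user-provided string may begin with '+' to
 * indicate that it should be appended to the default or '-' that the
 * specified names should be removed.
 *
 * On success *list holds a heap string owned by the caller: a copy of
 * 'def' when *list was NULL/empty, the merged or filtered list for
 * '+'/'-', or the original *list untouched (an explicit list replaces
 * the default). Returns 0, SSH_ERR_INVALID_ARGUMENT when 'def' or 'list'
 * is NULL, or SSH_ERR_ALLOC_FAIL.
 */
int
kex_assemble_names(const char *def, char **list)
{
	char *ret;

	/*
	 * Previously a NULL 'list' was dereferenced and a failed strdup()
	 * was reported as success with *list left NULL.
	 */
	if (def == NULL || list == NULL)
		return SSH_ERR_INVALID_ARGUMENT;
	if (*list == NULL || **list == '\0') {
		/*
		 * NOTE(review): an existing empty *list is replaced without
		 * free(); the '+'/'-' branches below do free(*list), so it is
		 * presumably heap-owned — confirm with callers before changing.
		 */
		if ((*list = strdup(def)) == NULL)
			return SSH_ERR_ALLOC_FAIL;
		return 0;
	}
	switch (**list) {
	case '+':
		/* kex_names_cat() skips names already present in 'def' */
		if ((ret = kex_names_cat(def, *list + 1)) == NULL)
			return SSH_ERR_ALLOC_FAIL;
		break;
	case '-':
		if ((ret = match_filter_list(def, *list + 1)) == NULL)
			return SSH_ERR_ALLOC_FAIL;
		break;
	default:
		return 0;	/* explicit list: keep as given */
	}
	free(*list);
	*list = ret;
	return 0;
}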
242 
/*
 * Serialise our algorithm proposal into 'b' in SSH2_MSG_KEXINIT payload
 * layout: KEX_COOKIE_LEN placeholder cookie bytes, PROPOSAL_MAX name
 * lists, first_kex_packet_follows (0) and the reserved uint32 (0). The
 * cookie is filled with randomness by kex_send_kexinit() each time the
 * message is sent. Returns 0 or the first sshbuf error.
 */
int
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
{
	u_int slot;
	int r = 0;

	sshbuf_reset(b);
	for (slot = 0; slot < KEX_COOKIE_LEN && r == 0; slot++)
		r = sshbuf_put_u8(b, 0);		/* cookie placeholder */
	for (slot = 0; slot < PROPOSAL_MAX && r == 0; slot++)
		r = sshbuf_put_cstring(b, proposal[slot]);
	if (r == 0)
		r = sshbuf_put_u8(b, 0);		/* first_kex_packet_follows */
	if (r == 0)
		r = sshbuf_put_u32(b, 0);		/* uint32 reserved */
	return r;
}
269 
/*
 * Parse a KEXINIT payload held in 'raw' into a freshly allocated array of
 * PROPOSAL_MAX strings, returned via *propp (free with kex_prop_free()).
 * The cookie is skipped; first_kex_packet_follows is stored through
 * 'first_kex_follows' when that pointer is non-NULL. 'raw' itself is not
 * consumed — a read-only view is taken with sshbuf_fromb(). Returns 0 or
 * an ssherr.h code, in which case *propp is NULL.
 */
int
kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
{
	struct sshbuf *view = NULL;
	char **prop;
	u_char follows;
	u_int slot, reserved;
	int r = SSH_ERR_ALLOC_FAIL;

	*propp = NULL;
	if ((prop = calloc(PROPOSAL_MAX, sizeof(*prop))) == NULL)
		return SSH_ERR_ALLOC_FAIL;
	if ((view = sshbuf_fromb(raw)) == NULL)
		goto fail;
	if ((r = sshbuf_consume(view, KEX_COOKIE_LEN)) != 0)	/* cookie */
		goto fail;
	for (slot = 0; slot < PROPOSAL_MAX; slot++) {
		if ((r = sshbuf_get_cstring(view, &prop[slot], NULL)) != 0)
			goto fail;
		debug2("%s: %s", proposal_names[slot], prop[slot]);
	}
	if ((r = sshbuf_get_u8(view, &follows)) != 0 ||
	    (r = sshbuf_get_u32(view, &reserved)) != 0)
		goto fail;
	if (first_kex_follows != NULL)
		*first_kex_follows = follows;
	debug2("first_kex_follows %d ", follows);
	debug2("reserved %u ", reserved);
	sshbuf_free(view);
	*propp = prop;
	return 0;
 fail:
	kex_prop_free(prop);
	sshbuf_free(view);
	return r;
}
311 
/* Free a proposal array produced by kex_buf2prop(); NULL is accepted. */
void
kex_prop_free(char **proposal)
{
	char **slot;

	if (proposal == NULL)
		return;
	for (slot = proposal; slot < proposal + PROPOSAL_MAX; slot++)
		free(*slot);
	free(proposal);
}
323 
/*
 * Catch-all dispatch handler for transport messages that are not expected
 * in the current KEX state: logs the offending type and replies with
 * SSH2_MSG_UNIMPLEMENTED carrying the sequence number. Uses the global
 * active_state rather than 'ctxt' (XXX in the original); 'type' and 'seq'
 * come from the dispatcher. Returns 0 or the sshpkt error.
 */
/* ARGSUSED */
static int
kex_protocol_error(int type, u_int32_t seq, void *ctxt)
{
	struct ssh *ssh = active_state; /* XXX */
	int r;

	error("kex protocol error: type %d seq %u", type, seq);
	r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED);
	if (r == 0)
		r = sshpkt_put_u32(ssh, seq);
	if (r == 0)
		r = sshpkt_send(ssh);
	return r;
}
338 
/*
 * Route every transport-layer message type (SSH2_MSG_TRANSPORT_MIN..MAX)
 * to kex_protocol_error(), so that during key exchange anything without
 * an explicitly registered handler is answered with UNIMPLEMENTED.
 */
static void
kex_reset_dispatch(struct ssh *ssh)
{
	ssh_dispatch_range(ssh,
	    SSH2_MSG_TRANSPORT_MIN, SSH2_MSG_TRANSPORT_MAX,
	    &kex_protocol_error);
}
345 
/*
 * Send SSH2_MSG_EXT_INFO with a single "server-sig-algs" extension
 * listing the signature algorithms from sshkey_alg_list(). Returns 0,
 * SSH_ERR_ALLOC_FAIL, or the first sshpkt error.
 */
static int
kex_send_ext_info(struct ssh *ssh)
{
	char *algs = sshkey_alg_list(0, 1, 1, ',');
	int r;

	if (algs == NULL)
		return SSH_ERR_ALLOC_FAIL;
	r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO);
	if (r == 0)
		r = sshpkt_put_u32(ssh, 1);	/* one extension follows */
	if (r == 0)
		r = sshpkt_put_cstring(ssh, "server-sig-algs");
	if (r == 0)
		r = sshpkt_put_cstring(ssh, algs);
	if (r == 0)
		r = sshpkt_send(ssh);
	free(algs);
	return r;
}
366 
/*
 * Send SSH2_MSG_NEWKEYS and arrange to receive the peer's: the dispatch
 * table is reset to kex_protocol_error() for all transport messages and
 * then kex_input_newkeys() is registered for NEWKEYS. When the client
 * advertised ext-info-c, EXT_INFO is sent immediately afterwards.
 * Returns 0 or an ssherr.h code.
 */
int
kex_send_newkeys(struct ssh *ssh)
{
	int r;

	kex_reset_dispatch(ssh);
	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0)
		return r;
	if ((r = sshpkt_send(ssh)) != 0)
		return r;
	debug("SSH2_MSG_NEWKEYS sent");
	debug("expecting SSH2_MSG_NEWKEYS");
	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
	if (!ssh->kex->ext_info_c)
		return 0;
	return kex_send_ext_info(ssh);
}
384 
/*
 * Dispatch handler for SSH2_MSG_EXT_INFO. Only "server-sig-algs" is
 * acted on: if it lists rsa-sha2-256 and/or rsa-sha2-512, kex->rsa_sha2
 * is set to the strongest of the two (512 wins when both appear). Other
 * extensions are logged and ignored. The handler deregisters itself so a
 * second EXT_INFO is treated as a protocol error. The extension count is
 * peer-supplied; each iteration must read two strings from the packet,
 * so a count larger than the payload fails out of sshpkt_get_cstring().
 * Returns 0 or an ssherr.h code.
 */
int
kex_input_ext_info(int type, u_int32_t seq, void *ctxt)
{
	struct ssh *ssh = ctxt;
	struct kex *kex = ssh->kex;
	u_int32_t remaining;
	char *ext_name, *ext_val, *hit;
	int r;

	debug("SSH2_MSG_EXT_INFO received");
	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
	if ((r = sshpkt_get_u32(ssh, &remaining)) != 0)
		return r;
	while (remaining-- > 0) {
		if ((r = sshpkt_get_cstring(ssh, &ext_name, NULL)) != 0)
			return r;
		if ((r = sshpkt_get_cstring(ssh, &ext_val, NULL)) != 0) {
			free(ext_name);
			return r;
		}
		debug("%s: %s=<%s>", __func__, ext_name, ext_val);
		if (strcmp(ext_name, "server-sig-algs") == 0) {
			/* later match overrides: 512 preferred over 256 */
			hit = match_list("rsa-sha2-256", ext_val, NULL);
			if (hit != NULL) {
				kex->rsa_sha2 = 256;
				free(hit);
			}
			hit = match_list("rsa-sha2-512", ext_val, NULL);
			if (hit != NULL) {
				kex->rsa_sha2 = 512;
				free(hit);
			}
		}
		free(ext_name);
		free(ext_val);
	}
	return sshpkt_get_end(ssh);
}
423 
/*
 * Dispatch handler for the peer's SSH2_MSG_NEWKEYS: activates the newly
 * negotiated inbound keys (ssh_set_newkeys(MODE_IN)), marks the exchange
 * complete and re-arms kex_input_kexinit() so the peer can start a rekex.
 * kex->peer is cleared for the next exchange; kex->my is kept because
 * kex_send_kexinit() re-sends it on rekex. Returns 0 or an ssherr.h code.
 */
static int
kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
{
	struct ssh *ssh = ctxt;
	struct kex *kex = ssh->kex;
	int r;

	debug("SSH2_MSG_NEWKEYS received");
	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
	if ((r = sshpkt_get_end(ssh)) != 0 ||
	    (r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
		return r;
	kex->done = 1;
	sshbuf_reset(kex->peer);
	kex->flags &= ~KEX_INIT_SENT;
	free(kex->name);
	kex->name = NULL;
	return 0;
}
446 
/*
 * Send our SSH2_MSG_KEXINIT (the pre-built kex->my buffer) unless one is
 * already outstanding (KEX_INIT_SENT). The KEX_COOKIE_LEN placeholder at
 * the front of kex->my is overwritten with fresh random bytes on every
 * send. Returns 0 or an ssherr.h code.
 */
int
kex_send_kexinit(struct ssh *ssh)
{
	struct kex *kex = ssh->kex;
	u_char *cookie;
	int r;

	if (kex == NULL)
		return SSH_ERR_INTERNAL_ERROR;
	if (kex->flags & KEX_INIT_SENT)
		return 0;	/* already in flight */
	kex->done = 0;

	/* fresh cookie in place of the zero placeholder from kex_prop2buf() */
	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN)
		return SSH_ERR_INVALID_FORMAT;
	cookie = sshbuf_mutable_ptr(kex->my);
	if (cookie == NULL)
		return SSH_ERR_INTERNAL_ERROR;
	arc4random_buf(cookie, KEX_COOKIE_LEN);

	r = sshpkt_start(ssh, SSH2_MSG_KEXINIT);
	if (r == 0)
		r = sshpkt_putb(ssh, kex->my);
	if (r == 0)
		r = sshpkt_send(ssh);
	if (r != 0)
		return r;
	debug("SSH2_MSG_KEXINIT sent");
	kex->flags |= KEX_INIT_SENT;
	return 0;
}
475 
/*
 * Dispatch handler for the peer's SSH2_MSG_KEXINIT. Saves the raw payload
 * into kex->peer for kex_choose_conf() and the method handlers, walks the
 * packet to validate its framing, sends our own KEXINIT if it has not
 * gone out yet (the peer may be initiating a rekex), negotiates the
 * algorithms and finally hands control to the selected method's handler
 * in kex->kex[kex_type]. Returns 0 or an ssherr.h code.
 */
/* ARGSUSED */
int
kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
{
	struct ssh *ssh = ctxt;
	struct kex *kex = ssh->kex;
	const u_char *ptr;
	u_int i;
	size_t dlen;
	int r;

	debug("SSH2_MSG_KEXINIT received");
	if (kex == NULL)
		return SSH_ERR_INVALID_ARGUMENT;

	/* no handler for a second KEXINIT until kex_input_newkeys() re-arms it */
	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
	/* keep the whole payload; kex->peer was reset by the previous NEWKEYS */
	ptr = sshpkt_ptr(ssh, &dlen);
	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
		return r;

	/* discard packet */
	for (i = 0; i < KEX_COOKIE_LEN; i++)
		if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
			return r;
	for (i = 0; i < PROPOSAL_MAX; i++)
		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0)
			return r;
	/*
	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
	 * KEX method has the server move first, but a server might be using
	 * a custom method or one that we otherwise don't support. We should
	 * be prepared to remember first_kex_follows here so we can eat a
	 * packet later.
	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
	 * for cases where the server *doesn't* go first. I guess we should
	 * ignore it when it is set for these cases, which is what we do now.
	 */
	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
	    (r = sshpkt_get_end(ssh)) != 0)
			return r;

	/* peer-initiated (re)exchange: answer with our KEXINIT first */
	if (!(kex->flags & KEX_INIT_SENT))
		if ((r = kex_send_kexinit(ssh)) != 0)
			return r;
	if ((r = kex_choose_conf(ssh)) != 0)
		return r;

	/* kex_type was set by choose_kex(); bounds-check before indexing */
	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
		return (kex->kex[kex->kex_type])(ssh);

	return SSH_ERR_INTERNAL_ERROR;
}
529 
/*
 * Allocate and initialise a struct kex for 'ssh': creates the my/peer
 * proposal buffers, serialises 'proposal' into kex->my and installs the
 * KEXINIT dispatch handler. On success *kexp owns the new object (release
 * with kex_free()); on failure *kexp is NULL and nothing is leaked.
 * Returns 0 or an ssherr.h code.
 */
int
kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp)
{
	struct kex *kex;
	int r = SSH_ERR_ALLOC_FAIL;

	*kexp = NULL;
	if ((kex = calloc(1, sizeof(*kex))) == NULL)
		return SSH_ERR_ALLOC_FAIL;
	if ((kex->peer = sshbuf_new()) == NULL ||
	    (kex->my = sshbuf_new()) == NULL)
		goto fail;
	if ((r = kex_prop2buf(kex->my, proposal)) != 0)
		goto fail;
	kex->done = 0;
	kex_reset_dispatch(ssh);
	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
	*kexp = kex;
	return 0;
 fail:
	kex_free(kex);
	return r;
}
556 
/* explicit_bzero() then free() a secret buffer; 'buf' must be non-NULL. */
static void
wipe_and_free(void *buf, size_t len)
{
	explicit_bzero(buf, len);
	free(buf);
}

/*
 * Destroy one direction's negotiated keys. Cipher key and IV and the MAC
 * key are zeroized before release, and every substructure plus the
 * struct itself is cleared so neither key material nor stale pointers
 * survive in freed memory. NULL is accepted.
 */
void
kex_free_newkeys(struct newkeys *newkeys)
{
	if (newkeys == NULL)
		return;

	if (newkeys->enc.key != NULL) {
		wipe_and_free(newkeys->enc.key, newkeys->enc.key_len);
		newkeys->enc.key = NULL;
	}
	if (newkeys->enc.iv != NULL) {
		wipe_and_free(newkeys->enc.iv, newkeys->enc.iv_len);
		newkeys->enc.iv = NULL;
	}
	free(newkeys->enc.name);
	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));

	free(newkeys->comp.name);
	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));

	/* mac state first; key and name are released below */
	mac_clear(&newkeys->mac);
	if (newkeys->mac.key != NULL) {
		wipe_and_free(newkeys->mac.key, newkeys->mac.key_len);
		newkeys->mac.key = NULL;
	}
	free(newkeys->mac.name);
	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));

	explicit_bzero(newkeys, sizeof(*newkeys));
	free(newkeys);
}
587 
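/*
 * Release a struct kex and everything it owns: the per-direction newkeys
 * (kex_free_newkeys() zeroizes key material), the my/peer proposal
 * buffers, session id and negotiated-name strings, and any OpenSSL DH/EC
 * state. Safe to call with NULL, which lets error paths free
 * unconditionally.
 */
void
kex_free(struct kex *kex)
{
	u_int mode;

	if (kex == NULL)
		return;
#ifdef WITH_OPENSSL
	if (kex->dh)
		DH_free(kex->dh);
#ifdef OPENSSL_HAS_ECC
	if (kex->ec_client_key)
		EC_KEY_free(kex->ec_client_key);
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
	for (mode = 0; mode < MODE_MAX; mode++) {
		kex_free_newkeys(kex->newkeys[mode]);
		kex->newkeys[mode] = NULL;
	}
	sshbuf_free(kex->peer);
	sshbuf_free(kex->my);
	free(kex->session_id);
	free(kex->client_version_string);
	free(kex->server_version_string);
	free(kex->failed_choice);
	free(kex->hostkey_alg);
	free(kex->name);
	free(kex);
}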
615 
/*
 * Create ssh->kex from 'proposal' and send the first KEXINIT (we initiate
 * the exchange). On any failure ssh->kex is freed and reset to NULL.
 * Returns 0 or an ssherr.h code.
 */
int
kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
{
	int r = kex_new(ssh, proposal, &ssh->kex);

	if (r != 0)
		return r;
	r = kex_send_kexinit(ssh);		/* we start */
	if (r == 0)
		return 0;
	kex_free(ssh->kex);
	ssh->kex = NULL;
	return r;
}
630 
/*
 * Request key re-exchange, returns 0 on success or a ssherr.h error
 * code otherwise. Must not be called if KEX is incomplete or in-progress:
 * an exchange that is still running (kex->done == 0) is reported as
 * SSH_ERR_INTERNAL_ERROR rather than started twice.
 */
int
kex_start_rekex(struct ssh *ssh)
{
	struct kex *kex = ssh->kex;

	if (kex == NULL) {
		error("%s: no kex", __func__);
		return SSH_ERR_INTERNAL_ERROR;
	}
	if (!kex->done) {
		error("%s: requested twice", __func__);
		return SSH_ERR_INTERNAL_ERROR;
	}
	kex->done = 0;
	return kex_send_kexinit(ssh);
}
649 
/*
 * Negotiate the cipher for one direction: the first entry of 'client'
 * also present in 'server' (match_list()) wins. On success 'enc' is
 * filled with the cipher and its key/IV/block sizes, key and IV left
 * NULL for kex_derive_keys(), and 'enc' takes ownership of the name.
 * Returns 0, SSH_ERR_NO_CIPHER_ALG_MATCH, or SSH_ERR_INTERNAL_ERROR
 * when the matched name is unknown to cipher_by_name().
 */
static int
choose_enc(struct sshenc *enc, char *client, char *server)
{
	char *chosen = match_list(client, server, NULL);

	if (chosen == NULL)
		return SSH_ERR_NO_CIPHER_ALG_MATCH;
	if ((enc->cipher = cipher_by_name(chosen)) == NULL) {
		free(chosen);
		return SSH_ERR_INTERNAL_ERROR;
	}
	enc->name = chosen;
	enc->enabled = 0;
	enc->key = NULL;
	enc->iv = NULL;
	enc->key_len = cipher_keylen(enc->cipher);
	enc->iv_len = cipher_ivlen(enc->cipher);
	enc->block_size = cipher_blocksize(enc->cipher);
	return 0;
}
670 
/*
 * Negotiate the MAC for one direction via match_list() and initialise
 * 'mac' with mac_setup(). Peers flagged SSH_BUG_HMAC get the key length
 * truncated to 16 bytes for interoperability. 'mac' takes ownership of
 * the name; the key stays NULL until kex_derive_keys(). Returns 0,
 * SSH_ERR_NO_MAC_ALG_MATCH, or SSH_ERR_INTERNAL_ERROR if mac_setup()
 * rejects the matched name.
 */
static int
choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
{
	char *chosen = match_list(client, server, NULL);

	if (chosen == NULL)
		return SSH_ERR_NO_MAC_ALG_MATCH;
	if (mac_setup(mac, chosen) < 0) {
		free(chosen);
		return SSH_ERR_INTERNAL_ERROR;
	}
	mac->name = chosen;
	mac->key = NULL;
	mac->enabled = 0;
	/* compat quirk: truncate the key */
	if (ssh->compat & SSH_BUG_HMAC)
		mac->key_len = 16;
	return 0;
}
690 
/*
 * Negotiate compression for one direction. Only the three known names
 * are accepted; any other match_list() result is an internal error since
 * our own proposal should never contain it. 'comp' takes ownership of
 * the name on success. Returns 0, SSH_ERR_NO_COMPRESS_ALG_MATCH, or
 * SSH_ERR_INTERNAL_ERROR.
 */
static int
choose_comp(struct sshcomp *comp, char *client, char *server)
{
	static const struct {
		const char *name;
		int type;
	} table[] = {
		{ "zlib@openssh.com", COMP_DELAYED },
		{ "zlib", COMP_ZLIB },
		{ "none", COMP_NONE },
	};
	char *chosen = match_list(client, server, NULL);
	size_t i;

	if (chosen == NULL)
		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
	for (i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
		if (strcmp(chosen, table[i].name) != 0)
			continue;
		comp->type = table[i].type;
		comp->name = chosen;
		return 0;
	}
	free(chosen);
	return SSH_ERR_INTERNAL_ERROR;
}
711 
/*
 * Negotiate the key exchange method: the match_list() result is stored
 * in k->name (owned by 'k', freed by kex_free()) and resolved against
 * kexalgs[] to set kex_type, hash_alg and ec_nid. Returns 0,
 * SSH_ERR_NO_KEX_ALG_MATCH, or SSH_ERR_INTERNAL_ERROR if the matched
 * name is not in our table.
 */
static int
choose_kex(struct kex *k, char *client, char *server)
{
	const struct kexalg *alg;
	char *chosen = match_list(client, server, NULL);

	k->name = chosen;
	debug("kex: algorithm: %s", chosen != NULL ? chosen : "(no match)");
	if (chosen == NULL)
		return SSH_ERR_NO_KEX_ALG_MATCH;
	alg = kex_alg_by_name(chosen);
	if (alg == NULL)
		return SSH_ERR_INTERNAL_ERROR;
	k->kex_type = alg->type;
	k->ec_nid = alg->ec_nid;
	k->hash_alg = alg->hash_alg;
	return 0;
}
729 
/*
 * Negotiate the host key algorithm. The match_list() result is stored in
 * k->hostkey_alg (owned by 'k') and mapped to a key type and, for ECDSA,
 * a curve NID. Returns 0, SSH_ERR_NO_HOSTKEY_ALG_MATCH, or
 * SSH_ERR_INTERNAL_ERROR when sshkey_type_from_name() yields KEY_UNSPEC.
 */
static int
choose_hostkeyalg(struct kex *k, char *client, char *server)
{
	char *chosen = match_list(client, server, NULL);

	k->hostkey_alg = chosen;
	debug("kex: host key algorithm: %s",
	    chosen != NULL ? chosen : "(no match)");
	if (chosen == NULL)
		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
	k->hostkey_type = sshkey_type_from_name(chosen);
	if (k->hostkey_type == KEY_UNSPEC)
		return SSH_ERR_INTERNAL_ERROR;
	k->hostkey_nid = sshkey_ecdsa_nid_from_name(chosen);
	return 0;
}
745 
/*
 * Decide whether a peer's guessed first KEX packet can be valid: the
 * first-listed KEX and host key algorithms must be identical on both
 * sides. NB: both proposal strings are truncated in place at their first
 * comma, so callers must not reuse 'my'/'peer' afterwards. Returns 1 on
 * match, 0 otherwise.
 */
static int
proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
{
	static const int slots[] = {
		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS
	};
	size_t n;
	int idx;
	char *comma;

	for (n = 0; n < sizeof(slots) / sizeof(slots[0]); n++) {
		idx = slots[n];
		if ((comma = strchr(my[idx], ',')) != NULL)
			*comma = '\0';
		if ((comma = strchr(peer[idx], ',')) != NULL)
			*comma = '\0';
		if (strcmp(my[idx], peer[idx]) != 0) {
			debug2("proposal mismatch: my %s peer %s",
			    my[idx], peer[idx]);
			return 0;
		}
	}
	debug2("proposals match");
	return 1;
}
769 
/*
 * Run algorithm negotiation once both KEXINITs are in hand (called from
 * kex_input_kexinit()). Parses kex->my and kex->peer, orients them as
 * client/server proposals, picks the KEX method and host key algorithm,
 * then for each direction (MODE_IN/MODE_OUT) a cipher, a MAC (skipped
 * when the cipher is authenticated) and a compression method, storing
 * the result in kex->newkeys[mode]. Also computes kex->we_need/dh_need
 * and, when the peer sent first_kex_follows with a non-matching guess,
 * arranges for the next packet to be skipped. On a negotiation failure
 * the peer's list for the failing slot is moved into kex->failed_choice
 * for error reporting. Returns 0 or an ssherr.h code.
 */
static int
kex_choose_conf(struct ssh *ssh)
{
	struct kex *kex = ssh->kex;
	struct newkeys *newkeys;
	char **my = NULL, **peer = NULL;
	char **cprop, **sprop;
	int nenc, nmac, ncomp;
	u_int mode, ctos, need, dh_need, authlen;
	int r, first_kex_follows;

	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
		goto out;
	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
		goto out;

	/* cprop/sprop: the client's and server's proposal regardless of role */
	if (kex->server) {
		cprop=peer;
		sprop=my;
	} else {
		cprop=my;
		sprop=peer;
	}

	/* Check whether client supports ext_info_c */
	if (kex->server) {
		char *ext;

		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
		kex->ext_info_c = (ext != NULL);
		free(ext);
	}

	/* Algorithm Negotiation */
	/*
	 * On failure the peer's list is handed to kex->failed_choice and the
	 * slot NULLed so kex_prop_free() below does not free it.
	 */
	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
		peer[PROPOSAL_KEX_ALGS] = NULL;
		goto out;
	}
	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
		goto out;
	}
	for (mode = 0; mode < MODE_MAX; mode++) {
		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
			r = SSH_ERR_ALLOC_FAIL;
			goto out;
		}
		kex->newkeys[mode] = newkeys;
		/* ctos: is this mode the client->server direction for us? */
		ctos = (!kex->server && mode == MODE_OUT) ||
		    (kex->server && mode == MODE_IN);
		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
		    sprop[nenc])) != 0) {
			kex->failed_choice = peer[nenc];
			peer[nenc] = NULL;
			goto out;
		}
		authlen = cipher_authlen(newkeys->enc.cipher);
		/* ignore mac for authenticated encryption */
		if (authlen == 0 &&
		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
		    sprop[nmac])) != 0) {
			kex->failed_choice = peer[nmac];
			peer[nmac] = NULL;
			goto out;
		}
		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
		    sprop[ncomp])) != 0) {
			kex->failed_choice = peer[ncomp];
			peer[ncomp] = NULL;
			goto out;
		}
		debug("kex: %s cipher: %s MAC: %s compression: %s",
		    ctos ? "client->server" : "server->client",
		    newkeys->enc.name,
		    authlen == 0 ? newkeys->mac.name : "<implicit>",
		    newkeys->comp.name);
	}
	/*
	 * we_need: longest key/IV/block across both directions, i.e. how much
	 * keying material derive_key() must produce per key. dh_need uses
	 * cipher_seclen() instead of the key length; it is consumed by the
	 * DH-GEX method when sizing its group request.
	 */
	need = dh_need = 0;
	for (mode = 0; mode < MODE_MAX; mode++) {
		newkeys = kex->newkeys[mode];
		need = MAXIMUM(need, newkeys->enc.key_len);
		need = MAXIMUM(need, newkeys->enc.block_size);
		need = MAXIMUM(need, newkeys->enc.iv_len);
		need = MAXIMUM(need, newkeys->mac.key_len);
		dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
	}
	/* XXX should 'need' be rounded up? (original: "need runden?") */
	kex->we_need = need;
	kex->dh_need = dh_need;

	/*
	 * ignore the next message if the proposals do not match
	 * (proposals_match() truncates my/peer in place; both are freed
	 * right below so that is harmless here)
	 */
	if (first_kex_follows && !proposals_match(my, peer) &&
	    !(ssh->compat & SSH_BUG_FIRSTKEX))
		ssh->dispatch_skip_packets = 1;
	r = 0;
 out:
	kex_prop_free(my);
	kex_prop_free(peer);
	return r;
}
882 
/*
 * Derive one key of at least 'need' bytes from the shared secret K, the
 * exchange hash H and the session id, using the digest selected by
 * kex->hash_alg (RFC 4253 section 7.2). 'id' is the key letter ('A'..'F',
 * see kex_derive_keys()). 'shared_secret' is K as already encoded by the
 * caller (kex_derive_keys_bn() uses sshbuf_put_bignum2()). On success
 * *keyp receives a newly allocated buffer of ROUNDUP(need, mdsz) bytes
 * that the caller owns. Returns 0, SSH_ERR_INVALID_ARGUMENT for an unknown
 * digest, SSH_ERR_ALLOC_FAIL, or SSH_ERR_LIBCRYPTO_ERROR.
 *
 * NOTE(review): on the error path the partially derived 'digest' buffer
 * is free()d without explicit_bzero(); whether that matters depends on
 * the allocator — worth confirming.
 */
static int
derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
    const struct sshbuf *shared_secret, u_char **keyp)
{
	struct kex *kex = ssh->kex;
	struct ssh_digest_ctx *hashctx = NULL;
	char c = id;
	u_int have;
	size_t mdsz;
	u_char *digest;
	int r;

	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
		return SSH_ERR_INVALID_ARGUMENT;
	/* whole digest blocks, so the expansion loop can always write mdsz bytes */
	if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
		r = SSH_ERR_ALLOC_FAIL;
		goto out;
	}

	/* K1 = HASH(K || H || "A" || session_id) */
	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
	    ssh_digest_update(hashctx, &c, 1) != 0 ||
	    ssh_digest_update(hashctx, kex->session_id,
	    kex->session_id_len) != 0 ||
	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
		r = SSH_ERR_LIBCRYPTO_ERROR;
		goto out;
	}
	ssh_digest_free(hashctx);
	hashctx = NULL;

	/*
	 * expand key:
	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
	 * Key = K1 || K2 || ... || Kn
	 */
	for (have = mdsz; need > have; have += mdsz) {
		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
		    ssh_digest_update(hashctx, digest, have) != 0 ||
		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
			r = SSH_ERR_LIBCRYPTO_ERROR;
			goto out;
		}
		ssh_digest_free(hashctx);
		hashctx = NULL;
	}
#ifdef DEBUG_KEX
	fprintf(stderr, "key '%c'== ", c);
	dump_digest("key", digest, need);
#endif
	/* ownership of the key buffer passes to the caller */
	*keyp = digest;
	digest = NULL;
	r = 0;
 out:
	free(digest);
	ssh_digest_free(hashctx);
	return r;
}
945 
#define NKEYS	6
/*
 * Derive the six session keys ('A'..'F': IV, encryption key and MAC key
 * for each direction) from the exchange hash and shared secret, each
 * kex->we_need bytes long, and attach them to kex->newkeys[mode]. Keys
 * 0/2/4 are the client->server set and 1/3/5 the server->client set;
 * which set is MODE_IN vs MODE_OUT depends on kex->server. The buffers
 * are thereafter owned by the newkeys structs and released by
 * kex_free_newkeys(). If any derivation fails the keys produced so far
 * are free()d (without zeroization, as in the original) and the error
 * returned. Returns 0 or an ssherr.h code.
 */
int
kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
    const struct sshbuf *shared_secret)
{
	struct kex *kex = ssh->kex;
	struct newkeys *nk;
	u_char *keys[NKEYS];
	u_int i, mode, ctos;
	int r;

	for (i = 0; i < NKEYS; i++) {
		r = derive_key(ssh, 'A' + i, kex->we_need, hash, hashlen,
		    shared_secret, &keys[i]);
		if (r != 0) {
			while (i > 0)
				free(keys[--i]);
			return r;
		}
	}
	for (mode = 0; mode < MODE_MAX; mode++) {
		nk = kex->newkeys[mode];
		ctos = (!kex->server && mode == MODE_OUT) ||
		    (kex->server && mode == MODE_IN);
		nk->enc.iv  = keys[ctos ? 0 : 1];
		nk->enc.key = keys[ctos ? 2 : 3];
		nk->mac.key = keys[ctos ? 4 : 5];
	}
	return 0;
}
973 
974 #ifdef WITH_OPENSSL
/*
 * kex_derive_keys() for DH-style methods whose shared secret is a BIGNUM:
 * encodes 'secret' as an SSH mpint into a temporary sshbuf and derives
 * from that. The temporary is released with sshbuf_free() on every path.
 * Returns 0, SSH_ERR_ALLOC_FAIL, or the encoding/derivation error.
 */
int
kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
    const BIGNUM *secret)
{
	struct sshbuf *k = sshbuf_new();
	int r;

	if (k == NULL)
		return SSH_ERR_ALLOC_FAIL;
	r = sshbuf_put_bignum2(k, secret);
	if (r == 0)
		r = kex_derive_keys(ssh, hash, hashlen, k);
	sshbuf_free(k);
	return r;
}
989 #endif
990 
991 #ifdef WITH_SSH1
/*
 * Legacy protocol 1 (built only under WITH_SSH1): compute the 16-byte
 * session id as MD5(host_modulus || server_modulus || cookie), with the
 * moduli in big-endian binary form. Moduli shorter than 512 bits or
 * larger than the 2048-byte stack buffers are rejected with
 * SSH_ERR_KEY_BITS_MISMATCH. The modulus and digest buffers are
 * zeroized before return. Returns 0 or an ssherr.h code.
 */
int
derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
    u_int8_t cookie[8], u_int8_t id[16])
{
	u_int8_t hbuf[2048], sbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH];
	struct ssh_digest_ctx *md5 = NULL;
	size_t hlen = BN_num_bytes(host_modulus);
	size_t slen = BN_num_bytes(server_modulus);
	int r = SSH_ERR_LIBCRYPTO_ERROR;

	if (hlen < (512 / 8) || (u_int)hlen > sizeof(hbuf) ||
	    slen < (512 / 8) || (u_int)slen > sizeof(sbuf))
		return SSH_ERR_KEY_BITS_MISMATCH;
	if (BN_bn2bin(host_modulus, hbuf) <= 0 ||
	    BN_bn2bin(server_modulus, sbuf) <= 0)
		goto out;
	if ((md5 = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) {
		r = SSH_ERR_ALLOC_FAIL;
		goto out;
	}
	if (ssh_digest_update(md5, hbuf, hlen) != 0 ||
	    ssh_digest_update(md5, sbuf, slen) != 0 ||
	    ssh_digest_update(md5, cookie, 8) != 0 ||
	    ssh_digest_final(md5, obuf, sizeof(obuf)) != 0)
		goto out;
	memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5));
	r = 0;
 out:
	ssh_digest_free(md5);
	explicit_bzero(hbuf, sizeof(hbuf));
	explicit_bzero(sbuf, sizeof(sbuf));
	explicit_bzero(obuf, sizeof(obuf));
	return r;
}
1031 #endif
1032 
1033 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
/*
 * Debug helper (DEBUG_KEX* builds only): print 'msg' on its own line,
 * then a hex dump of 'len' bytes of 'digest', both to stderr.
 */
void
dump_digest(char *msg, u_char *digest, int len)
{
	fputs(msg, stderr);
	fputc('\n', stderr);
	sshbuf_dump_data(digest, len, stderr);
}
1040 #endif
1041