1 /* 2 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 * 24 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 25 * Use is subject to license terms. 26 */ 27 28 #include "includes.h" 29 RCSID("$OpenBSD: kex.c,v 1.51 2002/06/24 14:55:38 markus Exp $"); 30 31 #include <locale.h> 32 33 #include <openssl/crypto.h> 34 35 #include "ssh2.h" 36 #include "xmalloc.h" 37 #include "buffer.h" 38 #include "bufaux.h" 39 #include "packet.h" 40 #include "compat.h" 41 #include "cipher.h" 42 #include "kex.h" 43 #include "key.h" 44 #include "log.h" 45 #include "mac.h" 46 #include "match.h" 47 #include "dispatch.h" 48 #include "g11n.h" 49 50 #ifdef GSSAPI 51 #include "ssh-gss.h" 52 #endif 53 54 #define KEX_COOKIE_LEN 16 55 56 char *session_lang = NULL; 57 58 59 /* prototype */ 60 static void kex_do_hook(Kex *kex); 61 static void kex_kexinit_finish(Kex *); 62 static void kex_choose_conf(Kex *); 63 64 /* put algorithm proposal into buffer */ 65 static 66 void 67 kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) 68 { 69 int i; 70 71 buffer_clear(b); 72 /* 73 * add a dummy cookie, the cookie will be overwritten by 74 * kex_send_kexinit(), each time a kexinit is set 75 */ 76 for (i = 0; i < KEX_COOKIE_LEN; i++) 77 buffer_put_char(b, 0); 78 for (i = 0; i < PROPOSAL_MAX; i++) 79 buffer_put_cstring(b, proposal[i]); 80 buffer_put_char(b, 0); /* first_kex_packet_follows */ 81 buffer_put_int(b, 0); /* uint32 reserved */ 82 } 83 84 /* parse buffer and return algorithm proposal */ 85 static 86 char ** 87 kex_buf2prop(Buffer *raw, int *first_kex_follows) 88 { 89 Buffer b; 90 int i; 91 char **proposal; 92 93 proposal = xmalloc(PROPOSAL_MAX * sizeof(char *)); 94 95 buffer_init(&b); 96 buffer_append(&b, buffer_ptr(raw), buffer_len(raw)); 97 /* skip cookie */ 98 for (i = 0; i < KEX_COOKIE_LEN; i++) 99 buffer_get_char(&b); 100 /* extract kex init proposal strings */ 101 for (i = 0; i < PROPOSAL_MAX; i++) { 102 proposal[i] = buffer_get_string(&b,NULL); 103 debug2("kex_parse_kexinit: %s", proposal[i]); 104 } 105 /* first kex follows / reserved */ 106 i = buffer_get_char(&b); 107 if (first_kex_follows != NULL) 108 *first_kex_follows = i; 109 debug2("kex_parse_kexinit: first_kex_follows %d ", i); 110 i = buffer_get_int(&b); 111 debug2("kex_parse_kexinit: reserved %d ", i); 112 buffer_free(&b); 113 return proposal; 114 } 115 116 static 117 void 118 kex_prop_free(char **proposal) 119 { 120 int i; 121 122 for (i = 0; i < PROPOSAL_MAX; i++) 123 xfree(proposal[i]); 124 xfree(proposal); 125 } 126 127 static void 128 kex_protocol_error(int type, u_int32_t seq, void *ctxt) 129 { 130 error("Hm, kex protocol error: type %d seq %u", type, seq); 131 } 132 133 static void 134 kex_reset_dispatch(void) 135 { 136 #ifdef ALTPRIVSEP 137 /* unprivileged sshd has a kex packet handler that must not be reset */ 138 debug3("kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? %d && !%d", 139 packet_is_server(), packet_is_monitor()); 140 if (packet_is_server() && !packet_is_monitor()) { 141 debug3("kex_reset_dispatch -- skipping dispatch_set(KEXINIT) in unpriv proc"); 142 return; 143 } 144 #endif /* ALTPRIVSEP */ 145 146 dispatch_range(SSH2_MSG_TRANSPORT_MIN, 147 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); 148 dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); 149 } 150 151 void 152 kex_finish(Kex *kex) 153 { 154 kex_reset_dispatch(); 155 156 packet_start(SSH2_MSG_NEWKEYS); 157 packet_send(); 158 /* packet_write_wait(); */ 159 debug("SSH2_MSG_NEWKEYS sent"); 160 161 #ifdef ALTPRIVSEP 162 if (packet_is_monitor()) 163 goto skip_newkeys; 164 #endif /* ALTPRIVSEP */ 165 debug("expecting SSH2_MSG_NEWKEYS"); 166 packet_read_expect(SSH2_MSG_NEWKEYS); 167 packet_check_eom(); 168 debug("SSH2_MSG_NEWKEYS received"); 169 #ifdef ALTPRIVSEP 170 skip_newkeys: 171 #endif /* ALTPRIVSEP */ 172 173 kex->done = 1; 174 kex->initial_kex_done = 1; /* never to be cleared once set */ 175 buffer_clear(&kex->peer); 176 /* buffer_clear(&kex->my); */ 177 kex->flags &= ~KEX_INIT_SENT; 178 xfree(kex->name); 179 kex->name = NULL; 180 } 181 182 void 183 kex_send_kexinit(Kex *kex) 184 { 185 u_int32_t rand = 0; 186 u_char *cookie; 187 int i; 188 189 if (kex == NULL) { 190 error("kex_send_kexinit: no kex, cannot rekey"); 191 return; 192 } 193 if (kex->flags & KEX_INIT_SENT) { 194 debug("KEX_INIT_SENT"); 195 return; 196 } 197 kex->done = 0; 198 199 /* update my proposal -- e.g., add/remove GSS kexalgs */ 200 kex_do_hook(kex); 201 202 /* generate a random cookie */ 203 if (buffer_len(&kex->my) < KEX_COOKIE_LEN) 204 fatal("kex_send_kexinit: kex proposal too short"); 205 cookie = buffer_ptr(&kex->my); 206 for (i = 0; i < KEX_COOKIE_LEN; i++) { 207 if (i % 4 == 0) 208 rand = arc4random(); 209 cookie[i] = rand; 210 rand >>= 8; 211 } 212 packet_start(SSH2_MSG_KEXINIT); 213 packet_put_raw(buffer_ptr(&kex->my), buffer_len(&kex->my)); 214 packet_send(); 215 debug("SSH2_MSG_KEXINIT sent"); 216 kex->flags |= KEX_INIT_SENT; 217 } 218 219 void 220 kex_input_kexinit(int type, u_int32_t seq, void *ctxt) 221 { 222 char *ptr; 223 u_int dlen; 224 int i; 225 Kex *kex = (Kex *)ctxt; 226 227 debug("SSH2_MSG_KEXINIT received"); 228 if (kex == NULL) 229 fatal("kex_input_kexinit: no kex, cannot rekey"); 230 231 ptr = packet_get_raw(&dlen); 232 buffer_append(&kex->peer, ptr, dlen); 233 234 /* discard packet */ 235 for (i = 0; i < KEX_COOKIE_LEN; i++) 236 packet_get_char(); 237 for (i = 0; i < PROPOSAL_MAX; i++) 238 xfree(packet_get_string(NULL)); 239 (void) packet_get_char(); 240 (void) packet_get_int(); 241 packet_check_eom(); 242 243 kex_kexinit_finish(kex); 244 } 245 246 /* 247 * This is for GSS keyex, where actual KEX offer can change at rekey 248 * time due to credential expiration/renewal... 249 */ 250 static 251 void 252 kex_do_hook(Kex *kex) 253 { 254 char **prop; 255 256 if (kex->kex_hook == NULL) 257 return; 258 259 /* Unmarshall my proposal, let the hook modify it, remarshall it */ 260 prop = kex_buf2prop(&kex->my, NULL); 261 buffer_clear(&kex->my); 262 (kex->kex_hook)(kex, prop); 263 kex_prop2buf(&kex->my, prop); 264 kex_prop_free(prop); 265 } 266 267 /* Initiate the key exchange by sending the SSH2_MSG_KEXINIT message. */ 268 void 269 kex_start(Kex *kex) 270 { 271 kex_send_kexinit(kex); 272 kex_reset_dispatch(); 273 } 274 275 /* 276 * Allocate a key exchange structure and populate it with a proposal we are 277 * going to use. This function does not start the actual key exchange. 278 */ 279 Kex * 280 kex_setup(const char *host, char *proposal[PROPOSAL_MAX], Kex_hook_func hook) 281 { 282 Kex *kex; 283 284 kex = xmalloc(sizeof(*kex)); 285 memset(kex, 0, sizeof(*kex)); 286 buffer_init(&kex->peer); 287 buffer_init(&kex->my); 288 289 kex->kex_hook = hook; /* called by kex_send_kexinit() */ 290 291 if (host != NULL && *host != '\0') 292 kex->serverhost = xstrdup(host); 293 else 294 kex->server = 1; 295 296 kex_prop2buf(&kex->my, proposal); 297 298 return kex; 299 } 300 301 static void 302 kex_kexinit_finish(Kex *kex) 303 { 304 if (!(kex->flags & KEX_INIT_SENT)) 305 kex_send_kexinit(kex); 306 307 kex_choose_conf(kex); 308 309 if (kex->kex_type >= 0 && kex->kex_type < KEX_MAX && 310 kex->kex[kex->kex_type] != NULL) 311 (kex->kex[kex->kex_type])(kex); 312 else 313 fatal("Unsupported key exchange %d", kex->kex_type); 314 } 315 316 static void 317 choose_lang(char **lang, char *client, char *server) 318 { 319 if (datafellows & SSH_BUG_LOCALES_NOT_LANGTAGS) 320 *lang = match_list(client, server, NULL); 321 else 322 *lang = g11n_srvr_locale_negotiate(client, NULL); 323 } 324 325 /* 326 * Make the message clear enough so that if this happens the user can figure out 327 * the workaround of changing the Ciphers option. 328 */ 329 #define CLIENT_ERR_MSG \ 330 "Client and server could not agree on a common cipher:\n" \ 331 " client: %s\n" \ 332 " server: %s\n" \ 333 "\n" \ 334 "The client cipher list can be controlled using the \"Ciphers\" option, \n" \ 335 "see ssh_config(4) for more information. The \"-o Ciphers=<cipher-list>\"\n" \ 336 "option may be used to temporarily override the ciphers the client\n" \ 337 "offers." 338 339 /* 340 * The server side message goes to syslogd and we do not want to send multiline 341 * messages there. What's more, the server side notification may be shorter 342 * since we expect that an administrator will deal with that, not the user. 343 */ 344 #define SERVER_ERR_MSG \ 345 "Client and server could not agree on a common cipher: client \"%s\", " \ 346 "server \"%s\". The server cipher list can be controlled using the " \ 347 "\"Ciphers\" option, see sshd_config(4) for more information." 348 349 static void 350 choose_enc(int is_server, Enc *enc, char *client, char *server) 351 { 352 char *name = match_list(client, server, NULL); 353 354 if (name == NULL) { 355 if (is_server == 1) 356 fatal(SERVER_ERR_MSG, client, server); 357 else 358 fatal(CLIENT_ERR_MSG, client, server); 359 } 360 361 if ((enc->cipher = cipher_by_name(name)) == NULL) 362 fatal("matching cipher is not supported: %s", name); 363 364 enc->name = name; 365 enc->enabled = 0; 366 enc->iv = NULL; 367 enc->key = NULL; 368 enc->key_len = cipher_keylen(enc->cipher); 369 enc->block_size = cipher_blocksize(enc->cipher); 370 } 371 372 static void 373 choose_mac(Mac *mac, char *client, char *server) 374 { 375 char *name = match_list(client, server, NULL); 376 if (name == NULL) 377 fatal("no matching mac found: client %s server %s", 378 client, server); 379 if (mac_setup(mac, name) < 0) 380 fatal("unsupported mac %s", name); 381 /* truncate the key */ 382 if (datafellows & SSH_BUG_HMAC) 383 mac->key_len = 16; 384 mac->name = name; 385 mac->key = NULL; 386 mac->enabled = 0; 387 } 388 389 static void 390 choose_comp(Comp *comp, char *client, char *server) 391 { 392 char *name = match_list(client, server, NULL); 393 if (name == NULL) 394 fatal("no matching comp found: client %s server %s", client, server); 395 if (strcmp(name, "zlib") == 0) { 396 comp->type = 1; 397 } else if (strcmp(name, "none") == 0) { 398 comp->type = 0; 399 } else { 400 fatal("unsupported comp %s", name); 401 } 402 comp->name = name; 403 } 404 405 static void 406 choose_kex(Kex *k, char *client, char *server) 407 { 408 k->name = match_list(client, server, NULL); 409 if (k->name == NULL) 410 fatal("no common kex alg: client '%s', server '%s'", client, 411 server); 412 /* XXX Finish 3.6/7 merge of kex stuff -- choose_kex() done */ 413 if (strcmp(k->name, KEX_DH1) == 0) { 414 k->kex_type = KEX_DH_GRP1_SHA1; 415 } else if (strcmp(k->name, KEX_DHGEX) == 0) { 416 k->kex_type = KEX_DH_GEX_SHA1; 417 #ifdef GSSAPI 418 } else if (strncmp(k->name, KEX_GSS_SHA1, sizeof(KEX_GSS_SHA1)-1) == 0) { 419 k->kex_type = KEX_GSS_GRP1_SHA1; 420 #endif 421 } else 422 fatal("bad kex alg %s", k->name); 423 } 424 425 static void 426 choose_hostkeyalg(Kex *k, char *client, char *server) 427 { 428 char *hostkeyalg = match_list(client, server, NULL); 429 if (hostkeyalg == NULL) 430 fatal("no hostkey alg"); 431 k->hostkey_type = key_type_from_name(hostkeyalg); 432 if (k->hostkey_type == KEY_UNSPEC) 433 fatal("bad hostkey alg '%s'", hostkeyalg); 434 xfree(hostkeyalg); 435 } 436 437 static int 438 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) 439 { 440 static int check[] = { 441 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 442 }; 443 int *idx; 444 char *p; 445 446 for (idx = &check[0]; *idx != -1; idx++) { 447 if ((p = strchr(my[*idx], ',')) != NULL) 448 *p = '\0'; 449 if ((p = strchr(peer[*idx], ',')) != NULL) 450 *p = '\0'; 451 if (strcmp(my[*idx], peer[*idx]) != 0) { 452 debug2("proposal mismatch: my %s peer %s", 453 my[*idx], peer[*idx]); 454 return (0); 455 } 456 } 457 debug2("proposals match"); 458 return (1); 459 } 460 461 static void 462 kex_choose_conf(Kex *kex) 463 { 464 Newkeys *newkeys; 465 char **my, **peer; 466 char **cprop, **sprop; 467 char *p_langs_c2s, *p_langs_s2c; /* peer's langs */ 468 char *plangs = NULL; /* peer's langs*/ 469 char *mlangs = NULL; /* my langs */ 470 int nenc, nmac, ncomp; 471 int mode; 472 int ctos; /* direction: if true client-to-server */ 473 int need; 474 int first_kex_follows, type; 475 476 my = kex_buf2prop(&kex->my, NULL); 477 peer = kex_buf2prop(&kex->peer, &first_kex_follows); 478 479 if (kex->server) { 480 cprop=peer; 481 sprop=my; 482 } else { 483 cprop=my; 484 sprop=peer; 485 } 486 487 /* Algorithm Negotiation */ 488 for (mode = 0; mode < MODE_MAX; mode++) { 489 newkeys = xmalloc(sizeof(*newkeys)); 490 memset(newkeys, 0, sizeof(*newkeys)); 491 kex->newkeys[mode] = newkeys; 492 ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN); 493 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 494 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 495 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 496 choose_enc(kex->server, &newkeys->enc, cprop[nenc], sprop[nenc]); 497 choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]); 498 choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); 499 debug("kex: %s %s %s %s", 500 ctos ? "client->server" : "server->client", 501 newkeys->enc.name, 502 newkeys->mac.name, 503 newkeys->comp.name); 504 } 505 choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); 506 choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], 507 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); 508 need = 0; 509 for (mode = 0; mode < MODE_MAX; mode++) { 510 newkeys = kex->newkeys[mode]; 511 if (need < newkeys->enc.key_len) 512 need = newkeys->enc.key_len; 513 if (need < newkeys->enc.block_size) 514 need = newkeys->enc.block_size; 515 if (need < newkeys->mac.key_len) 516 need = newkeys->mac.key_len; 517 } 518 /* XXX need runden? */ 519 kex->we_need = need; 520 521 /* ignore the next message if the proposals do not match */ 522 if (first_kex_follows && !proposals_match(my, peer) && 523 !(datafellows & SSH_BUG_FIRSTKEX)) { 524 type = packet_read(); 525 debug2("skipping next packet (type %u)", type); 526 } 527 528 /* Language/locale negotiation -- not worth doing on re-key */ 529 530 if (!kex->initial_kex_done) { 531 p_langs_c2s = peer[PROPOSAL_LANG_CTOS]; 532 p_langs_s2c = peer[PROPOSAL_LANG_STOC]; 533 debug("Peer sent proposed langtags, ctos: %s", p_langs_c2s); 534 debug("Peer sent proposed langtags, stoc: %s", p_langs_s2c); 535 plangs = NULL; 536 537 /* We propose the same langs for each protocol direction */ 538 mlangs = my[PROPOSAL_LANG_STOC]; 539 debug("We proposed langtags, ctos: %s", my[PROPOSAL_LANG_CTOS]); 540 debug("We proposed langtags, stoc: %s", mlangs); 541 542 /* 543 * Why oh why did they bother with negotiating langs for 544 * each protocol direction?! 545 * 546 * The semantics of this are vaguely specified, but one can 547 * imagine using one language (locale) for the whole session and 548 * a different one for message localization (e.g., 'en_US.UTF-8' 549 * overall and 'fr' for messages). Weird? Maybe. But lang 550 * tags don't include codeset info, like locales do... 551 * 552 * So, server-side we want: 553 * - setlocale(LC_ALL, c2s_locale); 554 * and 555 * - setlocale(LC_MESSAGES, s2c_locale); 556 * 557 * Client-side we don't really care. But we could do: 558 * 559 * - when very verbose, tell the use what lang the server's 560 * messages are in, if left out in the protocol 561 * - when sending messages to the server, and if applicable, we 562 * can localize them according to the language negotiated for 563 * that direction. 564 * 565 * But for now we do nothing on the client side. 566 */ 567 if ((p_langs_c2s && *p_langs_c2s) && !(p_langs_s2c && *p_langs_s2c)) 568 plangs = p_langs_c2s; 569 else if ((p_langs_s2c && *p_langs_s2c) && !(p_langs_c2s && *p_langs_c2s)) 570 plangs = p_langs_s2c; 571 else 572 plangs = p_langs_c2s; 573 574 if (kex->server) { 575 if (plangs && mlangs && *plangs && *mlangs) { 576 char *locale; 577 578 g11n_test_langtag(plangs, 1); 579 580 choose_lang(&locale, plangs, mlangs); 581 if (locale) { 582 g11n_setlocale(LC_ALL, locale); 583 debug("Negotiated main locale: %s", locale); 584 packet_send_debug("Negotiated main locale: %s", locale); 585 xfree(locale); 586 } 587 if (plangs != p_langs_s2c && 588 p_langs_s2c && *p_langs_s2c) { 589 choose_lang(&locale, p_langs_s2c, mlangs); 590 if (locale) { 591 g11n_setlocale(LC_MESSAGES, locale); 592 debug("Negotiated messages locale: %s", locale); 593 packet_send_debug("Negotiated " 594 "messages locale: %s", locale); 595 xfree(locale); 596 } 597 } 598 } 599 } 600 else { 601 if (plangs && mlangs && *plangs && *mlangs && 602 !(datafellows & SSH_BUG_LOCALES_NOT_LANGTAGS)) { 603 char *lang; 604 lang = g11n_clnt_langtag_negotiate(mlangs, plangs); 605 if (lang) { 606 session_lang = lang; 607 debug("Negotiated lang: %s", lang); 608 g11n_test_langtag(lang, 0); 609 } 610 } 611 } 612 } 613 614 kex_prop_free(my); 615 kex_prop_free(peer); 616 } 617 618 static u_char * 619 derive_key(Kex *kex, int id, int need, u_char *hash, BIGNUM *shared_secret) 620 { 621 Buffer b; 622 const EVP_MD *evp_md = EVP_sha1(); 623 EVP_MD_CTX md; 624 char c = id; 625 int have; 626 int mdsz = EVP_MD_size(evp_md); 627 u_char *digest = xmalloc(roundup(need, mdsz)); 628 629 buffer_init(&b); 630 buffer_put_bignum2(&b, shared_secret); 631 632 /* K1 = HASH(K || H || "A" || session_id) */ 633 EVP_DigestInit(&md, evp_md); 634 if (!(datafellows & SSH_BUG_DERIVEKEY)) 635 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); 636 EVP_DigestUpdate(&md, hash, mdsz); 637 EVP_DigestUpdate(&md, &c, 1); 638 EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len); 639 EVP_DigestFinal(&md, digest, NULL); 640 641 /* 642 * expand key: 643 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) 644 * Key = K1 || K2 || ... || Kn 645 */ 646 for (have = mdsz; need > have; have += mdsz) { 647 EVP_DigestInit(&md, evp_md); 648 if (!(datafellows & SSH_BUG_DERIVEKEY)) 649 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); 650 EVP_DigestUpdate(&md, hash, mdsz); 651 EVP_DigestUpdate(&md, digest, have); 652 EVP_DigestFinal(&md, digest + have, NULL); 653 } 654 buffer_free(&b); 655 #ifdef DEBUG_KEX 656 fprintf(stderr, "key '%c'== ", c); 657 dump_digest("key", digest, need); 658 #endif 659 return digest; 660 } 661 662 Newkeys *current_keys[MODE_MAX]; 663 664 #define NKEYS 6 665 void 666 kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret) 667 { 668 u_char *keys[NKEYS]; 669 int i, mode, ctos; 670 671 for (i = 0; i < NKEYS; i++) 672 keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret); 673 674 debug2("kex_derive_keys"); 675 for (mode = 0; mode < MODE_MAX; mode++) { 676 current_keys[mode] = kex->newkeys[mode]; 677 kex->newkeys[mode] = NULL; 678 ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN); 679 current_keys[mode]->enc.iv = keys[ctos ? 0 : 1]; 680 current_keys[mode]->enc.key = keys[ctos ? 2 : 3]; 681 current_keys[mode]->mac.key = keys[ctos ? 4 : 5]; 682 } 683 } 684 685 Newkeys * 686 kex_get_newkeys(int mode) 687 { 688 Newkeys *ret; 689 690 ret = current_keys[mode]; 691 current_keys[mode] = NULL; 692 return ret; 693 } 694 695 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) 696 void 697 dump_digest(char *msg, u_char *digest, int len) 698 { 699 int i; 700 701 fprintf(stderr, "%s\n", msg); 702 for (i = 0; i< len; i++) { 703 fprintf(stderr, "%02x", digest[i]); 704 if (i%32 == 31) 705 fprintf(stderr, "\n"); 706 else if (i%8 == 7) 707 fprintf(stderr, " "); 708 } 709 fprintf(stderr, "\n"); 710 } 711 #endif 712