Home | History | Annotate | Download | only in openssh
      1 /* $OpenBSD: kex.c,v 1.131 2017/03/15 07:07:39 markus Exp $ */
      2 /*
      3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
      4  *
      5  * Redistribution and use in source and binary forms, with or without
      6  * modification, are permitted provided that the following conditions
      7  * are met:
      8  * 1. Redistributions of source code must retain the above copyright
      9  *    notice, this list of conditions and the following disclaimer.
     10  * 2. Redistributions in binary form must reproduce the above copyright
     11  *    notice, this list of conditions and the following disclaimer in the
     12  *    documentation and/or other materials provided with the distribution.
     13  *
     14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     24  */
     25 
     26 #include "includes.h"
     27 
     28 
     29 #include <signal.h>
     30 #include <stdarg.h>
     31 #include <stdio.h>
     32 #include <stdlib.h>
     33 #include <string.h>
     34 
     35 #ifdef WITH_OPENSSL
     36 #include <openssl/crypto.h>
     37 #include <openssl/dh.h>
     38 #endif
     39 
     40 #include "ssh2.h"
     41 #include "packet.h"
     42 #include "compat.h"
     43 #include "cipher.h"
     44 #include "sshkey.h"
     45 #include "kex.h"
     46 #include "log.h"
     47 #include "mac.h"
     48 #include "match.h"
     49 #include "misc.h"
     50 #include "dispatch.h"
     51 #include "monitor.h"
     52 
     53 #include "ssherr.h"
     54 #include "sshbuf.h"
     55 #include "digest.h"
     56 
     57 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
     58 # if defined(HAVE_EVP_SHA256)
     59 # define evp_ssh_sha256 EVP_sha256
     60 # else
     61 extern const EVP_MD *evp_ssh_sha256(void);
     62 # endif
     63 #endif
     64 
     65 /* prototype */
     66 static int kex_choose_conf(struct ssh *);
     67 static int kex_input_newkeys(int, u_int32_t, void *);
     68 
     69 static const char *proposal_names[PROPOSAL_MAX] = {
     70 	"KEX algorithms",
     71 	"host key algorithms",
     72 	"ciphers ctos",
     73 	"ciphers stoc",
     74 	"MACs ctos",
     75 	"MACs stoc",
     76 	"compression ctos",
     77 	"compression stoc",
     78 	"languages ctos",
     79 	"languages stoc",
     80 };
     81 
     82 struct kexalg {
     83 	char *name;
     84 	u_int type;
     85 	int ec_nid;
     86 	int hash_alg;
     87 };
     88 static const struct kexalg kexalgs[] = {
     89 #ifdef WITH_OPENSSL
     90 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
     91 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
     92 	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
     93 	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
     94 	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
     95 	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
     96 #ifdef HAVE_EVP_SHA256
     97 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
     98 #endif /* HAVE_EVP_SHA256 */
     99 #ifdef OPENSSL_HAS_ECC
    100 	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
    101 	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
    102 	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
    103 	    SSH_DIGEST_SHA384 },
    104 # ifdef OPENSSL_HAS_NISTP521
    105 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
    106 	    SSH_DIGEST_SHA512 },
    107 # endif /* OPENSSL_HAS_NISTP521 */
    108 #endif /* OPENSSL_HAS_ECC */
    109 #endif /* WITH_OPENSSL */
    110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
    111 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
    112 	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
    113 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
    114 	{ NULL, -1, -1, -1},
    115 };
    116 
    117 char *
    118 kex_alg_list(char sep)
    119 {
    120 	char *ret = NULL, *tmp;
    121 	size_t nlen, rlen = 0;
    122 	const struct kexalg *k;
    123 
    124 	for (k = kexalgs; k->name != NULL; k++) {
    125 		if (ret != NULL)
    126 			ret[rlen++] = sep;
    127 		nlen = strlen(k->name);
    128 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
    129 			free(ret);
    130 			return NULL;
    131 		}
    132 		ret = tmp;
    133 		memcpy(ret + rlen, k->name, nlen + 1);
    134 		rlen += nlen;
    135 	}
    136 	return ret;
    137 }
    138 
    139 static const struct kexalg *
    140 kex_alg_by_name(const char *name)
    141 {
    142 	const struct kexalg *k;
    143 
    144 	for (k = kexalgs; k->name != NULL; k++) {
    145 		if (strcmp(k->name, name) == 0)
    146 			return k;
    147 	}
    148 	return NULL;
    149 }
    150 
    151 /* Validate KEX method name list */
    152 int
    153 kex_names_valid(const char *names)
    154 {
    155 	char *s, *cp, *p;
    156 
    157 	if (names == NULL || strcmp(names, "") == 0)
    158 		return 0;
    159 	if ((s = cp = strdup(names)) == NULL)
    160 		return 0;
    161 	for ((p = strsep(&cp, ",")); p && *p != '\0';
    162 	    (p = strsep(&cp, ","))) {
    163 		if (kex_alg_by_name(p) == NULL) {
    164 			error("Unsupported KEX algorithm \"%.100s\"", p);
    165 			free(s);
    166 			return 0;
    167 		}
    168 	}
    169 	debug3("kex names ok: [%s]", names);
    170 	free(s);
    171 	return 1;
    172 }
    173 
    174 /*
    175  * Concatenate algorithm names, avoiding duplicates in the process.
    176  * Caller must free returned string.
    177  */
    178 char *
    179 kex_names_cat(const char *a, const char *b)
    180 {
    181 	char *ret = NULL, *tmp = NULL, *cp, *p, *m;
    182 	size_t len;
    183 
    184 	if (a == NULL || *a == '\0')
    185 		return NULL;
    186 	if (b == NULL || *b == '\0')
    187 		return strdup(a);
    188 	if (strlen(b) > 1024*1024)
    189 		return NULL;
    190 	len = strlen(a) + strlen(b) + 2;
    191 	if ((tmp = cp = strdup(b)) == NULL ||
    192 	    (ret = calloc(1, len)) == NULL) {
    193 		free(tmp);
    194 		return NULL;
    195 	}
    196 	strlcpy(ret, a, len);
    197 	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
    198 		if ((m = match_list(ret, p, NULL)) != NULL) {
    199 			free(m);
    200 			continue; /* Algorithm already present */
    201 		}
    202 		if (strlcat(ret, ",", len) >= len ||
    203 		    strlcat(ret, p, len) >= len) {
    204 			free(tmp);
    205 			free(ret);
    206 			return NULL; /* Shouldn't happen */
    207 		}
    208 	}
    209 	free(tmp);
    210 	return ret;
    211 }
    212 
    213 /*
    214  * Assemble a list of algorithms from a default list and a string from a
    215  * configuration file. The user-provided string may begin with '+' to
    216  * indicate that it should be appended to the default or '-' that the
    217  * specified names should be removed.
    218  */
    219 int
    220 kex_assemble_names(const char *def, char **list)
    221 {
    222 	char *ret;
    223 
    224 	if (list == NULL || *list == NULL || **list == '\0') {
    225 		*list = strdup(def);
    226 		return 0;
    227 	}
    228 	if (**list == '+') {
    229 		if ((ret = kex_names_cat(def, *list + 1)) == NULL)
    230 			return SSH_ERR_ALLOC_FAIL;
    231 		free(*list);
    232 		*list = ret;
    233 	} else if (**list == '-') {
    234 		if ((ret = match_filter_list(def, *list + 1)) == NULL)
    235 			return SSH_ERR_ALLOC_FAIL;
    236 		free(*list);
    237 		*list = ret;
    238 	}
    239 
    240 	return 0;
    241 }
    242 
    243 /* put algorithm proposal into buffer */
    244 int
    245 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
    246 {
    247 	u_int i;
    248 	int r;
    249 
    250 	sshbuf_reset(b);
    251 
    252 	/*
    253 	 * add a dummy cookie, the cookie will be overwritten by
    254 	 * kex_send_kexinit(), each time a kexinit is set
    255 	 */
    256 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
    257 		if ((r = sshbuf_put_u8(b, 0)) != 0)
    258 			return r;
    259 	}
    260 	for (i = 0; i < PROPOSAL_MAX; i++) {
    261 		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
    262 			return r;
    263 	}
    264 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
    265 	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
    266 		return r;
    267 	return 0;
    268 }
    269 
    270 /* parse buffer and return algorithm proposal */
    271 int
    272 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
    273 {
    274 	struct sshbuf *b = NULL;
    275 	u_char v;
    276 	u_int i;
    277 	char **proposal = NULL;
    278 	int r;
    279 
    280 	*propp = NULL;
    281 	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
    282 		return SSH_ERR_ALLOC_FAIL;
    283 	if ((b = sshbuf_fromb(raw)) == NULL) {
    284 		r = SSH_ERR_ALLOC_FAIL;
    285 		goto out;
    286 	}
    287 	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */
    288 		goto out;
    289 	/* extract kex init proposal strings */
    290 	for (i = 0; i < PROPOSAL_MAX; i++) {
    291 		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0)
    292 			goto out;
    293 		debug2("%s: %s", proposal_names[i], proposal[i]);
    294 	}
    295 	/* first kex follows / reserved */
    296 	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
    297 	    (r = sshbuf_get_u32(b, &i)) != 0)	/* reserved */
    298 		goto out;
    299 	if (first_kex_follows != NULL)
    300 		*first_kex_follows = v;
    301 	debug2("first_kex_follows %d ", v);
    302 	debug2("reserved %u ", i);
    303 	r = 0;
    304 	*propp = proposal;
    305  out:
    306 	if (r != 0 && proposal != NULL)
    307 		kex_prop_free(proposal);
    308 	sshbuf_free(b);
    309 	return r;
    310 }
    311 
    312 void
    313 kex_prop_free(char **proposal)
    314 {
    315 	u_int i;
    316 
    317 	if (proposal == NULL)
    318 		return;
    319 	for (i = 0; i < PROPOSAL_MAX; i++)
    320 		free(proposal[i]);
    321 	free(proposal);
    322 }
    323 
    324 /* ARGSUSED */
    325 static int
    326 kex_protocol_error(int type, u_int32_t seq, void *ctxt)
    327 {
    328 	struct ssh *ssh = active_state; /* XXX */
    329 	int r;
    330 
    331 	error("kex protocol error: type %d seq %u", type, seq);
    332 	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
    333 	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
    334 	    (r = sshpkt_send(ssh)) != 0)
    335 		return r;
    336 	return 0;
    337 }
    338 
    339 static void
    340 kex_reset_dispatch(struct ssh *ssh)
    341 {
    342 	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
    343 	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
    344 }
    345 
    346 static int
    347 kex_send_ext_info(struct ssh *ssh)
    348 {
    349 	int r;
    350 	char *algs;
    351 
    352 	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
    353 		return SSH_ERR_ALLOC_FAIL;
    354 	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
    355 	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
    356 	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
    357 	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
    358 	    (r = sshpkt_send(ssh)) != 0)
    359 		goto out;
    360 	/* success */
    361 	r = 0;
    362  out:
    363 	free(algs);
    364 	return r;
    365 }
    366 
    367 int
    368 kex_send_newkeys(struct ssh *ssh)
    369 {
    370 	int r;
    371 
    372 	kex_reset_dispatch(ssh);
    373 	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
    374 	    (r = sshpkt_send(ssh)) != 0)
    375 		return r;
    376 	debug("SSH2_MSG_NEWKEYS sent");
    377 	debug("expecting SSH2_MSG_NEWKEYS");
    378 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
    379 	if (ssh->kex->ext_info_c)
    380 		if ((r = kex_send_ext_info(ssh)) != 0)
    381 			return r;
    382 	return 0;
    383 }
    384 
    385 int
    386 kex_input_ext_info(int type, u_int32_t seq, void *ctxt)
    387 {
    388 	struct ssh *ssh = ctxt;
    389 	struct kex *kex = ssh->kex;
    390 	u_int32_t i, ninfo;
    391 	char *name, *val, *found;
    392 	int r;
    393 
    394 	debug("SSH2_MSG_EXT_INFO received");
    395 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
    396 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
    397 		return r;
    398 	for (i = 0; i < ninfo; i++) {
    399 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
    400 			return r;
    401 		if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) {
    402 			free(name);
    403 			return r;
    404 		}
    405 		debug("%s: %s=<%s>", __func__, name, val);
    406 		if (strcmp(name, "server-sig-algs") == 0) {
    407 			found = match_list("rsa-sha2-256", val, NULL);
    408 			if (found) {
    409 				kex->rsa_sha2 = 256;
    410 				free(found);
    411 			}
    412 			found = match_list("rsa-sha2-512", val, NULL);
    413 			if (found) {
    414 				kex->rsa_sha2 = 512;
    415 				free(found);
    416 			}
    417 		}
    418 		free(name);
    419 		free(val);
    420 	}
    421 	return sshpkt_get_end(ssh);
    422 }
    423 
    424 static int
    425 kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
    426 {
    427 	struct ssh *ssh = ctxt;
    428 	struct kex *kex = ssh->kex;
    429 	int r;
    430 
    431 	debug("SSH2_MSG_NEWKEYS received");
    432 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
    433 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
    434 	if ((r = sshpkt_get_end(ssh)) != 0)
    435 		return r;
    436 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
    437 		return r;
    438 	kex->done = 1;
    439 	sshbuf_reset(kex->peer);
    440 	/* sshbuf_reset(kex->my); */
    441 	kex->flags &= ~KEX_INIT_SENT;
    442 	free(kex->name);
    443 	kex->name = NULL;
    444 	return 0;
    445 }
    446 
    447 int
    448 kex_send_kexinit(struct ssh *ssh)
    449 {
    450 	u_char *cookie;
    451 	struct kex *kex = ssh->kex;
    452 	int r;
    453 
    454 	if (kex == NULL)
    455 		return SSH_ERR_INTERNAL_ERROR;
    456 	if (kex->flags & KEX_INIT_SENT)
    457 		return 0;
    458 	kex->done = 0;
    459 
    460 	/* generate a random cookie */
    461 	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN)
    462 		return SSH_ERR_INVALID_FORMAT;
    463 	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL)
    464 		return SSH_ERR_INTERNAL_ERROR;
    465 	arc4random_buf(cookie, KEX_COOKIE_LEN);
    466 
    467 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
    468 	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
    469 	    (r = sshpkt_send(ssh)) != 0)
    470 		return r;
    471 	debug("SSH2_MSG_KEXINIT sent");
    472 	kex->flags |= KEX_INIT_SENT;
    473 	return 0;
    474 }
    475 
    476 /* ARGSUSED */
    477 int
    478 kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
    479 {
    480 	struct ssh *ssh = ctxt;
    481 	struct kex *kex = ssh->kex;
    482 	const u_char *ptr;
    483 	u_int i;
    484 	size_t dlen;
    485 	int r;
    486 
    487 	debug("SSH2_MSG_KEXINIT received");
    488 	if (kex == NULL)
    489 		return SSH_ERR_INVALID_ARGUMENT;
    490 
    491 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
    492 	ptr = sshpkt_ptr(ssh, &dlen);
    493 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
    494 		return r;
    495 
    496 	/* discard packet */
    497 	for (i = 0; i < KEX_COOKIE_LEN; i++)
    498 		if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
    499 			return r;
    500 	for (i = 0; i < PROPOSAL_MAX; i++)
    501 		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0)
    502 			return r;
    503 	/*
    504 	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
    505 	 * KEX method has the server move first, but a server might be using
    506 	 * a custom method or one that we otherwise don't support. We should
    507 	 * be prepared to remember first_kex_follows here so we can eat a
    508 	 * packet later.
    509 	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
    510 	 * for cases where the server *doesn't* go first. I guess we should
    511 	 * ignore it when it is set for these cases, which is what we do now.
    512 	 */
    513 	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
    514 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
    515 	    (r = sshpkt_get_end(ssh)) != 0)
    516 			return r;
    517 
    518 	if (!(kex->flags & KEX_INIT_SENT))
    519 		if ((r = kex_send_kexinit(ssh)) != 0)
    520 			return r;
    521 	if ((r = kex_choose_conf(ssh)) != 0)
    522 		return r;
    523 
    524 	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
    525 		return (kex->kex[kex->kex_type])(ssh);
    526 
    527 	return SSH_ERR_INTERNAL_ERROR;
    528 }
    529 
    530 int
    531 kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp)
    532 {
    533 	struct kex *kex;
    534 	int r;
    535 
    536 	*kexp = NULL;
    537 	if ((kex = calloc(1, sizeof(*kex))) == NULL)
    538 		return SSH_ERR_ALLOC_FAIL;
    539 	if ((kex->peer = sshbuf_new()) == NULL ||
    540 	    (kex->my = sshbuf_new()) == NULL) {
    541 		r = SSH_ERR_ALLOC_FAIL;
    542 		goto out;
    543 	}
    544 	if ((r = kex_prop2buf(kex->my, proposal)) != 0)
    545 		goto out;
    546 	kex->done = 0;
    547 	kex_reset_dispatch(ssh);
    548 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
    549 	r = 0;
    550 	*kexp = kex;
    551  out:
    552 	if (r != 0)
    553 		kex_free(kex);
    554 	return r;
    555 }
    556 
    557 void
    558 kex_free_newkeys(struct newkeys *newkeys)
    559 {
    560 	if (newkeys == NULL)
    561 		return;
    562 	if (newkeys->enc.key) {
    563 		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
    564 		free(newkeys->enc.key);
    565 		newkeys->enc.key = NULL;
    566 	}
    567 	if (newkeys->enc.iv) {
    568 		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
    569 		free(newkeys->enc.iv);
    570 		newkeys->enc.iv = NULL;
    571 	}
    572 	free(newkeys->enc.name);
    573 	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
    574 	free(newkeys->comp.name);
    575 	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
    576 	mac_clear(&newkeys->mac);
    577 	if (newkeys->mac.key) {
    578 		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
    579 		free(newkeys->mac.key);
    580 		newkeys->mac.key = NULL;
    581 	}
    582 	free(newkeys->mac.name);
    583 	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
    584 	explicit_bzero(newkeys, sizeof(*newkeys));
    585 	free(newkeys);
    586 }
    587 
    588 void
    589 kex_free(struct kex *kex)
    590 {
    591 	u_int mode;
    592 
    593 #ifdef WITH_OPENSSL
    594 	if (kex->dh)
    595 		DH_free(kex->dh);
    596 #ifdef OPENSSL_HAS_ECC
    597 	if (kex->ec_client_key)
    598 		EC_KEY_free(kex->ec_client_key);
    599 #endif /* OPENSSL_HAS_ECC */
    600 #endif /* WITH_OPENSSL */
    601 	for (mode = 0; mode < MODE_MAX; mode++) {
    602 		kex_free_newkeys(kex->newkeys[mode]);
    603 		kex->newkeys[mode] = NULL;
    604 	}
    605 	sshbuf_free(kex->peer);
    606 	sshbuf_free(kex->my);
    607 	free(kex->session_id);
    608 	free(kex->client_version_string);
    609 	free(kex->server_version_string);
    610 	free(kex->failed_choice);
    611 	free(kex->hostkey_alg);
    612 	free(kex->name);
    613 	free(kex);
    614 }
    615 
    616 int
    617 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
    618 {
    619 	int r;
    620 
    621 	if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0)
    622 		return r;
    623 	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
    624 		kex_free(ssh->kex);
    625 		ssh->kex = NULL;
    626 		return r;
    627 	}
    628 	return 0;
    629 }
    630 
    631 /*
    632  * Request key re-exchange, returns 0 on success or a ssherr.h error
    633  * code otherwise. Must not be called if KEX is incomplete or in-progress.
    634  */
    635 int
    636 kex_start_rekex(struct ssh *ssh)
    637 {
    638 	if (ssh->kex == NULL) {
    639 		error("%s: no kex", __func__);
    640 		return SSH_ERR_INTERNAL_ERROR;
    641 	}
    642 	if (ssh->kex->done == 0) {
    643 		error("%s: requested twice", __func__);
    644 		return SSH_ERR_INTERNAL_ERROR;
    645 	}
    646 	ssh->kex->done = 0;
    647 	return kex_send_kexinit(ssh);
    648 }
    649 
    650 static int
    651 choose_enc(struct sshenc *enc, char *client, char *server)
    652 {
    653 	char *name = match_list(client, server, NULL);
    654 
    655 	if (name == NULL)
    656 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
    657 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
    658 		free(name);
    659 		return SSH_ERR_INTERNAL_ERROR;
    660 	}
    661 	enc->name = name;
    662 	enc->enabled = 0;
    663 	enc->iv = NULL;
    664 	enc->iv_len = cipher_ivlen(enc->cipher);
    665 	enc->key = NULL;
    666 	enc->key_len = cipher_keylen(enc->cipher);
    667 	enc->block_size = cipher_blocksize(enc->cipher);
    668 	return 0;
    669 }
    670 
    671 static int
    672 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
    673 {
    674 	char *name = match_list(client, server, NULL);
    675 
    676 	if (name == NULL)
    677 		return SSH_ERR_NO_MAC_ALG_MATCH;
    678 	if (mac_setup(mac, name) < 0) {
    679 		free(name);
    680 		return SSH_ERR_INTERNAL_ERROR;
    681 	}
    682 	/* truncate the key */
    683 	if (ssh->compat & SSH_BUG_HMAC)
    684 		mac->key_len = 16;
    685 	mac->name = name;
    686 	mac->key = NULL;
    687 	mac->enabled = 0;
    688 	return 0;
    689 }
    690 
    691 static int
    692 choose_comp(struct sshcomp *comp, char *client, char *server)
    693 {
    694 	char *name = match_list(client, server, NULL);
    695 
    696 	if (name == NULL)
    697 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
    698 	if (strcmp(name, "zlib (at) openssh.com") == 0) {
    699 		comp->type = COMP_DELAYED;
    700 	} else if (strcmp(name, "zlib") == 0) {
    701 		comp->type = COMP_ZLIB;
    702 	} else if (strcmp(name, "none") == 0) {
    703 		comp->type = COMP_NONE;
    704 	} else {
    705 		free(name);
    706 		return SSH_ERR_INTERNAL_ERROR;
    707 	}
    708 	comp->name = name;
    709 	return 0;
    710 }
    711 
    712 static int
    713 choose_kex(struct kex *k, char *client, char *server)
    714 {
    715 	const struct kexalg *kexalg;
    716 
    717 	k->name = match_list(client, server, NULL);
    718 
    719 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
    720 	if (k->name == NULL)
    721 		return SSH_ERR_NO_KEX_ALG_MATCH;
    722 	if ((kexalg = kex_alg_by_name(k->name)) == NULL)
    723 		return SSH_ERR_INTERNAL_ERROR;
    724 	k->kex_type = kexalg->type;
    725 	k->hash_alg = kexalg->hash_alg;
    726 	k->ec_nid = kexalg->ec_nid;
    727 	return 0;
    728 }
    729 
    730 static int
    731 choose_hostkeyalg(struct kex *k, char *client, char *server)
    732 {
    733 	k->hostkey_alg = match_list(client, server, NULL);
    734 
    735 	debug("kex: host key algorithm: %s",
    736 	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
    737 	if (k->hostkey_alg == NULL)
    738 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
    739 	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
    740 	if (k->hostkey_type == KEY_UNSPEC)
    741 		return SSH_ERR_INTERNAL_ERROR;
    742 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
    743 	return 0;
    744 }
    745 
    746 static int
    747 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
    748 {
    749 	static int check[] = {
    750 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
    751 	};
    752 	int *idx;
    753 	char *p;
    754 
    755 	for (idx = &check[0]; *idx != -1; idx++) {
    756 		if ((p = strchr(my[*idx], ',')) != NULL)
    757 			*p = '\0';
    758 		if ((p = strchr(peer[*idx], ',')) != NULL)
    759 			*p = '\0';
    760 		if (strcmp(my[*idx], peer[*idx]) != 0) {
    761 			debug2("proposal mismatch: my %s peer %s",
    762 			    my[*idx], peer[*idx]);
    763 			return (0);
    764 		}
    765 	}
    766 	debug2("proposals match");
    767 	return (1);
    768 }
    769 
    770 static int
    771 kex_choose_conf(struct ssh *ssh)
    772 {
    773 	struct kex *kex = ssh->kex;
    774 	struct newkeys *newkeys;
    775 	char **my = NULL, **peer = NULL;
    776 	char **cprop, **sprop;
    777 	int nenc, nmac, ncomp;
    778 	u_int mode, ctos, need, dh_need, authlen;
    779 	int r, first_kex_follows;
    780 
    781 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
    782 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
    783 		goto out;
    784 	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
    785 	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
    786 		goto out;
    787 
    788 	if (kex->server) {
    789 		cprop=peer;
    790 		sprop=my;
    791 	} else {
    792 		cprop=my;
    793 		sprop=peer;
    794 	}
    795 
    796 	/* Check whether client supports ext_info_c */
    797 	if (kex->server) {
    798 		char *ext;
    799 
    800 		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
    801 		kex->ext_info_c = (ext != NULL);
    802 		free(ext);
    803 	}
    804 
    805 	/* Algorithm Negotiation */
    806 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
    807 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
    808 		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
    809 		peer[PROPOSAL_KEX_ALGS] = NULL;
    810 		goto out;
    811 	}
    812 	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
    813 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
    814 		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
    815 		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
    816 		goto out;
    817 	}
    818 	for (mode = 0; mode < MODE_MAX; mode++) {
    819 		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
    820 			r = SSH_ERR_ALLOC_FAIL;
    821 			goto out;
    822 		}
    823 		kex->newkeys[mode] = newkeys;
    824 		ctos = (!kex->server && mode == MODE_OUT) ||
    825 		    (kex->server && mode == MODE_IN);
    826 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
    827 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
    828 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
    829 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
    830 		    sprop[nenc])) != 0) {
    831 			kex->failed_choice = peer[nenc];
    832 			peer[nenc] = NULL;
    833 			goto out;
    834 		}
    835 		authlen = cipher_authlen(newkeys->enc.cipher);
    836 		/* ignore mac for authenticated encryption */
    837 		if (authlen == 0 &&
    838 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
    839 		    sprop[nmac])) != 0) {
    840 			kex->failed_choice = peer[nmac];
    841 			peer[nmac] = NULL;
    842 			goto out;
    843 		}
    844 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
    845 		    sprop[ncomp])) != 0) {
    846 			kex->failed_choice = peer[ncomp];
    847 			peer[ncomp] = NULL;
    848 			goto out;
    849 		}
    850 		debug("kex: %s cipher: %s MAC: %s compression: %s",
    851 		    ctos ? "client->server" : "server->client",
    852 		    newkeys->enc.name,
    853 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
    854 		    newkeys->comp.name);
    855 	}
    856 	need = dh_need = 0;
    857 	for (mode = 0; mode < MODE_MAX; mode++) {
    858 		newkeys = kex->newkeys[mode];
    859 		need = MAXIMUM(need, newkeys->enc.key_len);
    860 		need = MAXIMUM(need, newkeys->enc.block_size);
    861 		need = MAXIMUM(need, newkeys->enc.iv_len);
    862 		need = MAXIMUM(need, newkeys->mac.key_len);
    863 		dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
    864 		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
    865 		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
    866 		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
    867 	}
    868 	/* XXX need runden? */
    869 	kex->we_need = need;
    870 	kex->dh_need = dh_need;
    871 
    872 	/* ignore the next message if the proposals do not match */
    873 	if (first_kex_follows && !proposals_match(my, peer) &&
    874 	    !(ssh->compat & SSH_BUG_FIRSTKEX))
    875 		ssh->dispatch_skip_packets = 1;
    876 	r = 0;
    877  out:
    878 	kex_prop_free(my);
    879 	kex_prop_free(peer);
    880 	return r;
    881 }
    882 
    883 static int
    884 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
    885     const struct sshbuf *shared_secret, u_char **keyp)
    886 {
    887 	struct kex *kex = ssh->kex;
    888 	struct ssh_digest_ctx *hashctx = NULL;
    889 	char c = id;
    890 	u_int have;
    891 	size_t mdsz;
    892 	u_char *digest;
    893 	int r;
    894 
    895 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
    896 		return SSH_ERR_INVALID_ARGUMENT;
    897 	if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
    898 		r = SSH_ERR_ALLOC_FAIL;
    899 		goto out;
    900 	}
    901 
    902 	/* K1 = HASH(K || H || "A" || session_id) */
    903 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
    904 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
    905 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
    906 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
    907 	    ssh_digest_update(hashctx, kex->session_id,
    908 	    kex->session_id_len) != 0 ||
    909 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
    910 		r = SSH_ERR_LIBCRYPTO_ERROR;
    911 		goto out;
    912 	}
    913 	ssh_digest_free(hashctx);
    914 	hashctx = NULL;
    915 
    916 	/*
    917 	 * expand key:
    918 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
    919 	 * Key = K1 || K2 || ... || Kn
    920 	 */
    921 	for (have = mdsz; need > have; have += mdsz) {
    922 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
    923 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
    924 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
    925 		    ssh_digest_update(hashctx, digest, have) != 0 ||
    926 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
    927 			r = SSH_ERR_LIBCRYPTO_ERROR;
    928 			goto out;
    929 		}
    930 		ssh_digest_free(hashctx);
    931 		hashctx = NULL;
    932 	}
    933 #ifdef DEBUG_KEX
    934 	fprintf(stderr, "key '%c'== ", c);
    935 	dump_digest("key", digest, need);
    936 #endif
    937 	*keyp = digest;
    938 	digest = NULL;
    939 	r = 0;
    940  out:
    941 	free(digest);
    942 	ssh_digest_free(hashctx);
    943 	return r;
    944 }
    945 
    946 #define NKEYS	6
    947 int
    948 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
    949     const struct sshbuf *shared_secret)
    950 {
    951 	struct kex *kex = ssh->kex;
    952 	u_char *keys[NKEYS];
    953 	u_int i, j, mode, ctos;
    954 	int r;
    955 
    956 	for (i = 0; i < NKEYS; i++) {
    957 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
    958 		    shared_secret, &keys[i])) != 0) {
    959 			for (j = 0; j < i; j++)
    960 				free(keys[j]);
    961 			return r;
    962 		}
    963 	}
    964 	for (mode = 0; mode < MODE_MAX; mode++) {
    965 		ctos = (!kex->server && mode == MODE_OUT) ||
    966 		    (kex->server && mode == MODE_IN);
    967 		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
    968 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
    969 		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
    970 	}
    971 	return 0;
    972 }
    973 
    974 #ifdef WITH_OPENSSL
    975 int
    976 kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
    977     const BIGNUM *secret)
    978 {
    979 	struct sshbuf *shared_secret;
    980 	int r;
    981 
    982 	if ((shared_secret = sshbuf_new()) == NULL)
    983 		return SSH_ERR_ALLOC_FAIL;
    984 	if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
    985 		r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
    986 	sshbuf_free(shared_secret);
    987 	return r;
    988 }
    989 #endif
    990 
    991 #ifdef WITH_SSH1
    992 int
    993 derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
    994     u_int8_t cookie[8], u_int8_t id[16])
    995 {
    996 	u_int8_t hbuf[2048], sbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH];
    997 	struct ssh_digest_ctx *hashctx = NULL;
    998 	size_t hlen, slen;
    999 	int r;
   1000 
   1001 	hlen = BN_num_bytes(host_modulus);
   1002 	slen = BN_num_bytes(server_modulus);
   1003 	if (hlen < (512 / 8) || (u_int)hlen > sizeof(hbuf) ||
   1004 	    slen < (512 / 8) || (u_int)slen > sizeof(sbuf))
   1005 		return SSH_ERR_KEY_BITS_MISMATCH;
   1006 	if (BN_bn2bin(host_modulus, hbuf) <= 0 ||
   1007 	    BN_bn2bin(server_modulus, sbuf) <= 0) {
   1008 		r = SSH_ERR_LIBCRYPTO_ERROR;
   1009 		goto out;
   1010 	}
   1011 	if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) {
   1012 		r = SSH_ERR_ALLOC_FAIL;
   1013 		goto out;
   1014 	}
   1015 	if (ssh_digest_update(hashctx, hbuf, hlen) != 0 ||
   1016 	    ssh_digest_update(hashctx, sbuf, slen) != 0 ||
   1017 	    ssh_digest_update(hashctx, cookie, 8) != 0 ||
   1018 	    ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) {
   1019 		r = SSH_ERR_LIBCRYPTO_ERROR;
   1020 		goto out;
   1021 	}
   1022 	memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5));
   1023 	r = 0;
   1024  out:
   1025 	ssh_digest_free(hashctx);
   1026 	explicit_bzero(hbuf, sizeof(hbuf));
   1027 	explicit_bzero(sbuf, sizeof(sbuf));
   1028 	explicit_bzero(obuf, sizeof(obuf));
   1029 	return r;
   1030 }
   1031 #endif
   1032 
   1033 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
   1034 void
   1035 dump_digest(char *msg, u_char *digest, int len)
   1036 {
   1037 	fprintf(stderr, "%s\n", msg);
   1038 	sshbuf_dump_data(digest, len, stderr);
   1039 }
   1040 #endif
   1041