1 /* $OpenBSD: kex.c,v 1.150 2019/01/21 12:08:13 djm Exp $ */
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/types.h>
39 #include <openssl/crypto.h>
40 #include <openssl/dh.h>
64 static int kex_choose_conf(struct ssh *);
65 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
67 static const char *proposal_names[PROPOSAL_MAX] = {
69 "host key algorithms",
86 static const struct kexalg kexalgs[] = {
88 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
89 { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
90 { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
91 { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
92 { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
93 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
94 #ifdef HAVE_EVP_SHA256
95 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
96 #endif /* HAVE_EVP_SHA256 */
97 #ifdef OPENSSL_HAS_ECC
98 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
99 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
100 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
102 # ifdef OPENSSL_HAS_NISTP521
103 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
105 # endif /* OPENSSL_HAS_NISTP521 */
106 #endif /* OPENSSL_HAS_ECC */
107 #endif /* WITH_OPENSSL */
108 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
109 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
110 { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
111 { KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0,
113 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
118 kex_alg_list(char sep)
120 char *ret = NULL, *tmp;
121 size_t nlen, rlen = 0;
122 const struct kexalg *k;
124 for (k = kexalgs; k->name != NULL; k++) {
127 nlen = strlen(k->name);
128 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
133 memcpy(ret + rlen, k->name, nlen + 1);
139 static const struct kexalg *
140 kex_alg_by_name(const char *name)
142 const struct kexalg *k;
144 for (k = kexalgs; k->name != NULL; k++) {
145 if (strcmp(k->name, name) == 0)
151 /* Validate KEX method name list */
153 kex_names_valid(const char *names)
157 if (names == NULL || strcmp(names, "") == 0)
159 if ((s = cp = strdup(names)) == NULL)
161 for ((p = strsep(&cp, ",")); p && *p != '\0';
162 (p = strsep(&cp, ","))) {
163 if (kex_alg_by_name(p) == NULL) {
164 error("Unsupported KEX algorithm \"%.100s\"", p);
169 debug3("kex names ok: [%s]", names);
175 * Concatenate algorithm names, avoiding duplicates in the process.
176 * Caller must free returned string.
179 kex_names_cat(const char *a, const char *b)
181 char *ret = NULL, *tmp = NULL, *cp, *p, *m;
184 if (a == NULL || *a == '\0')
186 if (b == NULL || *b == '\0')
188 if (strlen(b) > 1024*1024)
190 len = strlen(a) + strlen(b) + 2;
191 if ((tmp = cp = strdup(b)) == NULL ||
192 (ret = calloc(1, len)) == NULL) {
196 strlcpy(ret, a, len);
197 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
198 if ((m = match_list(ret, p, NULL)) != NULL) {
200 continue; /* Algorithm already present */
202 if (strlcat(ret, ",", len) >= len ||
203 strlcat(ret, p, len) >= len) {
206 return NULL; /* Shouldn't happen */
214 * Assemble a list of algorithms from a default list and a string from a
215 * configuration file. The user-provided string may begin with '+' to
216 * indicate that it should be appended to the default or '-' that the
217 * specified names should be removed.
220 kex_assemble_names(char **listp, const char *def, const char *all)
222 char *cp, *tmp, *patterns;
223 char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
224 int r = SSH_ERR_INTERNAL_ERROR;
226 if (listp == NULL || *listp == NULL || **listp == '\0') {
227 if ((*listp = strdup(def)) == NULL)
228 return SSH_ERR_ALLOC_FAIL;
235 /* Append names to default list */
236 if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
237 r = SSH_ERR_ALLOC_FAIL;
242 } else if (*list == '-') {
243 /* Remove names from default list */
244 if ((*listp = match_filter_blacklist(def, list + 1)) == NULL) {
245 r = SSH_ERR_ALLOC_FAIL;
249 /* filtering has already been done */
252 /* Explicit list, overrides default - just use "list" as is */
256 * The supplied names may be a pattern-list. For the -list case,
257 * the patterns are applied above. For the +list and explicit list
258 * cases we need to do it now.
261 if ((patterns = opatterns = strdup(list)) == NULL) {
262 r = SSH_ERR_ALLOC_FAIL;
265 /* Apply positive (i.e. non-negated) patterns from the list */
266 while ((cp = strsep(&patterns, ",")) != NULL) {
268 /* negated matches are not supported here */
269 r = SSH_ERR_INVALID_ARGUMENT;
273 if ((matching = match_filter_whitelist(all, cp)) == NULL) {
274 r = SSH_ERR_ALLOC_FAIL;
277 if ((tmp = kex_names_cat(ret, matching)) == NULL) {
278 r = SSH_ERR_ALLOC_FAIL;
284 if (ret == NULL || *ret == '\0') {
285 /* An empty name-list is an error */
286 /* XXX better error code? */
287 r = SSH_ERR_INVALID_ARGUMENT;
304 /* put algorithm proposal into buffer */
306 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
314 * add a dummy cookie, the cookie will be overwritten by
315 * kex_send_kexinit(), each time a kexinit is set
317 for (i = 0; i < KEX_COOKIE_LEN; i++) {
318 if ((r = sshbuf_put_u8(b, 0)) != 0)
321 for (i = 0; i < PROPOSAL_MAX; i++) {
322 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
325 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */
326 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */
331 /* parse buffer and return algorithm proposal */
333 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
335 struct sshbuf *b = NULL;
338 char **proposal = NULL;
342 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
343 return SSH_ERR_ALLOC_FAIL;
344 if ((b = sshbuf_fromb(raw)) == NULL) {
345 r = SSH_ERR_ALLOC_FAIL;
348 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */
350 /* extract kex init proposal strings */
351 for (i = 0; i < PROPOSAL_MAX; i++) {
352 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0)
354 debug2("%s: %s", proposal_names[i], proposal[i]);
356 /* first kex follows / reserved */
357 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */
358 (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */
360 if (first_kex_follows != NULL)
361 *first_kex_follows = v;
362 debug2("first_kex_follows %d ", v);
363 debug2("reserved %u ", i);
367 if (r != 0 && proposal != NULL)
368 kex_prop_free(proposal);
374 kex_prop_free(char **proposal)
378 if (proposal == NULL)
380 for (i = 0; i < PROPOSAL_MAX; i++)
387 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
391 error("kex protocol error: type %d seq %u", type, seq);
392 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
393 (r = sshpkt_put_u32(ssh, seq)) != 0 ||
394 (r = sshpkt_send(ssh)) != 0)
400 kex_reset_dispatch(struct ssh *ssh)
402 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
403 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
407 kex_send_ext_info(struct ssh *ssh)
412 if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
413 return SSH_ERR_ALLOC_FAIL;
414 /* XXX filter algs list by allowed pubkey/hostbased types */
415 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
416 (r = sshpkt_put_u32(ssh, 1)) != 0 ||
417 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
418 (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
419 (r = sshpkt_send(ssh)) != 0)
429 kex_send_newkeys(struct ssh *ssh)
433 kex_reset_dispatch(ssh);
434 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
435 (r = sshpkt_send(ssh)) != 0)
437 debug("SSH2_MSG_NEWKEYS sent");
438 debug("expecting SSH2_MSG_NEWKEYS");
439 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
440 if (ssh->kex->ext_info_c)
441 if ((r = kex_send_ext_info(ssh)) != 0)
447 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
449 struct kex *kex = ssh->kex;
456 debug("SSH2_MSG_EXT_INFO received");
457 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
458 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
460 for (i = 0; i < ninfo; i++) {
461 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
463 if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
467 if (strcmp(name, "server-sig-algs") == 0) {
468 /* Ensure no \0 lurking in value */
469 if (memchr(val, '\0', vlen) != NULL) {
470 error("%s: nul byte in %s", __func__, name);
471 return SSH_ERR_INVALID_FORMAT;
473 debug("%s: %s=<%s>", __func__, name, val);
474 kex->server_sig_algs = val;
477 debug("%s: %s (unrecognised)", __func__, name);
481 return sshpkt_get_end(ssh);
485 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
487 struct kex *kex = ssh->kex;
490 debug("SSH2_MSG_NEWKEYS received");
491 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
492 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
493 if ((r = sshpkt_get_end(ssh)) != 0)
495 if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
498 kex->flags &= ~KEX_INITIAL;
499 sshbuf_reset(kex->peer);
500 /* sshbuf_reset(kex->my); */
501 kex->flags &= ~KEX_INIT_SENT;
508 kex_send_kexinit(struct ssh *ssh)
511 struct kex *kex = ssh->kex;
515 return SSH_ERR_INTERNAL_ERROR;
516 if (kex->flags & KEX_INIT_SENT)
520 /* generate a random cookie */
521 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN)
522 return SSH_ERR_INVALID_FORMAT;
523 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL)
524 return SSH_ERR_INTERNAL_ERROR;
525 arc4random_buf(cookie, KEX_COOKIE_LEN);
527 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
528 (r = sshpkt_putb(ssh, kex->my)) != 0 ||
529 (r = sshpkt_send(ssh)) != 0)
531 debug("SSH2_MSG_KEXINIT sent");
532 kex->flags |= KEX_INIT_SENT;
538 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
540 struct kex *kex = ssh->kex;
546 debug("SSH2_MSG_KEXINIT received");
548 return SSH_ERR_INVALID_ARGUMENT;
550 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
551 ptr = sshpkt_ptr(ssh, &dlen);
552 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
556 for (i = 0; i < KEX_COOKIE_LEN; i++)
557 if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
559 for (i = 0; i < PROPOSAL_MAX; i++)
560 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0)
563 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
564 * KEX method has the server move first, but a server might be using
565 * a custom method or one that we otherwise don't support. We should
566 * be prepared to remember first_kex_follows here so we can eat a
568 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
569 * for cases where the server *doesn't* go first. I guess we should
570 * ignore it when it is set for these cases, which is what we do now.
572 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */
573 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */
574 (r = sshpkt_get_end(ssh)) != 0)
577 if (!(kex->flags & KEX_INIT_SENT))
578 if ((r = kex_send_kexinit(ssh)) != 0)
580 if ((r = kex_choose_conf(ssh)) != 0)
583 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
584 return (kex->kex[kex->kex_type])(ssh);
586 return SSH_ERR_INTERNAL_ERROR;
594 if ((kex = calloc(1, sizeof(*kex))) == NULL ||
595 (kex->peer = sshbuf_new()) == NULL ||
596 (kex->my = sshbuf_new()) == NULL ||
597 (kex->client_version = sshbuf_new()) == NULL ||
598 (kex->server_version = sshbuf_new()) == NULL) {
606 kex_free_newkeys(struct newkeys *newkeys)
610 if (newkeys->enc.key) {
611 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
612 free(newkeys->enc.key);
613 newkeys->enc.key = NULL;
615 if (newkeys->enc.iv) {
616 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
617 free(newkeys->enc.iv);
618 newkeys->enc.iv = NULL;
620 free(newkeys->enc.name);
621 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
622 free(newkeys->comp.name);
623 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
624 mac_clear(&newkeys->mac);
625 if (newkeys->mac.key) {
626 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
627 free(newkeys->mac.key);
628 newkeys->mac.key = NULL;
630 free(newkeys->mac.name);
631 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
632 explicit_bzero(newkeys, sizeof(*newkeys));
637 kex_free(struct kex *kex)
646 #ifdef OPENSSL_HAS_ECC
647 EC_KEY_free(kex->ec_client_key);
648 #endif /* OPENSSL_HAS_ECC */
649 #endif /* WITH_OPENSSL */
650 for (mode = 0; mode < MODE_MAX; mode++) {
651 kex_free_newkeys(kex->newkeys[mode]);
652 kex->newkeys[mode] = NULL;
654 sshbuf_free(kex->peer);
655 sshbuf_free(kex->my);
656 sshbuf_free(kex->client_version);
657 sshbuf_free(kex->server_version);
658 sshbuf_free(kex->client_pub);
659 free(kex->session_id);
660 free(kex->failed_choice);
661 free(kex->hostkey_alg);
667 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
671 if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
673 ssh->kex->flags = KEX_INITIAL;
674 kex_reset_dispatch(ssh);
675 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
680 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
684 if ((r = kex_ready(ssh, proposal)) != 0)
686 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */
695 * Request key re-exchange, returns 0 on success or a ssherr.h error
696 * code otherwise. Must not be called if KEX is incomplete or in-progress.
699 kex_start_rekex(struct ssh *ssh)
701 if (ssh->kex == NULL) {
702 error("%s: no kex", __func__);
703 return SSH_ERR_INTERNAL_ERROR;
705 if (ssh->kex->done == 0) {
706 error("%s: requested twice", __func__);
707 return SSH_ERR_INTERNAL_ERROR;
710 return kex_send_kexinit(ssh);
714 choose_enc(struct sshenc *enc, char *client, char *server)
716 char *name = match_list(client, server, NULL);
719 return SSH_ERR_NO_CIPHER_ALG_MATCH;
720 if ((enc->cipher = cipher_by_name(name)) == NULL) {
722 return SSH_ERR_INTERNAL_ERROR;
727 enc->iv_len = cipher_ivlen(enc->cipher);
729 enc->key_len = cipher_keylen(enc->cipher);
730 enc->block_size = cipher_blocksize(enc->cipher);
735 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
737 char *name = match_list(client, server, NULL);
740 return SSH_ERR_NO_MAC_ALG_MATCH;
741 if (mac_setup(mac, name) < 0) {
743 return SSH_ERR_INTERNAL_ERROR;
752 choose_comp(struct sshcomp *comp, char *client, char *server)
754 char *name = match_list(client, server, NULL);
757 return SSH_ERR_NO_COMPRESS_ALG_MATCH;
758 if (strcmp(name, "zlib@openssh.com") == 0) {
759 comp->type = COMP_DELAYED;
760 } else if (strcmp(name, "zlib") == 0) {
761 comp->type = COMP_ZLIB;
762 } else if (strcmp(name, "none") == 0) {
763 comp->type = COMP_NONE;
766 return SSH_ERR_INTERNAL_ERROR;
773 choose_kex(struct kex *k, char *client, char *server)
775 const struct kexalg *kexalg;
777 k->name = match_list(client, server, NULL);
779 debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
781 return SSH_ERR_NO_KEX_ALG_MATCH;
782 if ((kexalg = kex_alg_by_name(k->name)) == NULL)
783 return SSH_ERR_INTERNAL_ERROR;
784 k->kex_type = kexalg->type;
785 k->hash_alg = kexalg->hash_alg;
786 k->ec_nid = kexalg->ec_nid;
791 choose_hostkeyalg(struct kex *k, char *client, char *server)
793 k->hostkey_alg = match_list(client, server, NULL);
795 debug("kex: host key algorithm: %s",
796 k->hostkey_alg ? k->hostkey_alg : "(no match)");
797 if (k->hostkey_alg == NULL)
798 return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
799 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
800 if (k->hostkey_type == KEY_UNSPEC)
801 return SSH_ERR_INTERNAL_ERROR;
802 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
807 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
809 static int check[] = {
810 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
815 for (idx = &check[0]; *idx != -1; idx++) {
816 if ((p = strchr(my[*idx], ',')) != NULL)
818 if ((p = strchr(peer[*idx], ',')) != NULL)
820 if (strcmp(my[*idx], peer[*idx]) != 0) {
821 debug2("proposal mismatch: my %s peer %s",
822 my[*idx], peer[*idx]);
826 debug2("proposals match");
831 kex_choose_conf(struct ssh *ssh)
833 struct kex *kex = ssh->kex;
834 struct newkeys *newkeys;
835 char **my = NULL, **peer = NULL;
836 char **cprop, **sprop;
837 int nenc, nmac, ncomp;
838 u_int mode, ctos, need, dh_need, authlen;
839 int r, first_kex_follows;
841 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
842 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
844 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
845 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
856 /* Check whether client supports ext_info_c */
857 if (kex->server && (kex->flags & KEX_INITIAL)) {
860 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
861 kex->ext_info_c = (ext != NULL);
865 /* Algorithm Negotiation */
866 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
867 sprop[PROPOSAL_KEX_ALGS])) != 0) {
868 kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
869 peer[PROPOSAL_KEX_ALGS] = NULL;
872 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
873 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
874 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
875 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
878 for (mode = 0; mode < MODE_MAX; mode++) {
879 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
880 r = SSH_ERR_ALLOC_FAIL;
883 kex->newkeys[mode] = newkeys;
884 ctos = (!kex->server && mode == MODE_OUT) ||
885 (kex->server && mode == MODE_IN);
886 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
887 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
888 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
889 if ((r = choose_enc(&newkeys->enc, cprop[nenc],
890 sprop[nenc])) != 0) {
891 kex->failed_choice = peer[nenc];
895 authlen = cipher_authlen(newkeys->enc.cipher);
896 /* ignore mac for authenticated encryption */
898 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
899 sprop[nmac])) != 0) {
900 kex->failed_choice = peer[nmac];
904 if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
905 sprop[ncomp])) != 0) {
906 kex->failed_choice = peer[ncomp];
910 debug("kex: %s cipher: %s MAC: %s compression: %s",
911 ctos ? "client->server" : "server->client",
913 authlen == 0 ? newkeys->mac.name : "<implicit>",
917 for (mode = 0; mode < MODE_MAX; mode++) {
918 newkeys = kex->newkeys[mode];
919 need = MAXIMUM(need, newkeys->enc.key_len);
920 need = MAXIMUM(need, newkeys->enc.block_size);
921 need = MAXIMUM(need, newkeys->enc.iv_len);
922 need = MAXIMUM(need, newkeys->mac.key_len);
923 dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
924 dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
925 dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
926 dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
928 /* XXX need runden? */
930 kex->dh_need = dh_need;
932 /* ignore the next message if the proposals do not match */
933 if (first_kex_follows && !proposals_match(my, peer))
934 ssh->dispatch_skip_packets = 1;
943 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
944 const struct sshbuf *shared_secret, u_char **keyp)
946 struct kex *kex = ssh->kex;
947 struct ssh_digest_ctx *hashctx = NULL;
954 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
955 return SSH_ERR_INVALID_ARGUMENT;
956 if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
957 r = SSH_ERR_ALLOC_FAIL;
961 /* K1 = HASH(K || H || "A" || session_id) */
962 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
963 ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
964 ssh_digest_update(hashctx, hash, hashlen) != 0 ||
965 ssh_digest_update(hashctx, &c, 1) != 0 ||
966 ssh_digest_update(hashctx, kex->session_id,
967 kex->session_id_len) != 0 ||
968 ssh_digest_final(hashctx, digest, mdsz) != 0) {
969 r = SSH_ERR_LIBCRYPTO_ERROR;
972 ssh_digest_free(hashctx);
977 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
978 * Key = K1 || K2 || ... || Kn
980 for (have = mdsz; need > have; have += mdsz) {
981 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
982 ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
983 ssh_digest_update(hashctx, hash, hashlen) != 0 ||
984 ssh_digest_update(hashctx, digest, have) != 0 ||
985 ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
986 r = SSH_ERR_LIBCRYPTO_ERROR;
989 ssh_digest_free(hashctx);
993 fprintf(stderr, "key '%c'== ", c);
994 dump_digest("key", digest, need);
1001 ssh_digest_free(hashctx);
1007 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
1008 const struct sshbuf *shared_secret)
1010 struct kex *kex = ssh->kex;
1011 u_char *keys[NKEYS];
1012 u_int i, j, mode, ctos;
1015 /* save initial hash as session id */
1016 if (kex->session_id == NULL) {
1017 kex->session_id_len = hashlen;
1018 kex->session_id = malloc(kex->session_id_len);
1019 if (kex->session_id == NULL)
1020 return SSH_ERR_ALLOC_FAIL;
1021 memcpy(kex->session_id, hash, kex->session_id_len);
1023 for (i = 0; i < NKEYS; i++) {
1024 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1025 shared_secret, &keys[i])) != 0) {
1026 for (j = 0; j < i; j++)
1031 for (mode = 0; mode < MODE_MAX; mode++) {
1032 ctos = (!kex->server && mode == MODE_OUT) ||
1033 (kex->server && mode == MODE_IN);
1034 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1];
1035 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1036 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1042 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
1044 struct kex *kex = ssh->kex;
1048 if (kex->load_host_public_key == NULL ||
1049 kex->load_host_private_key == NULL)
1050 return SSH_ERR_INVALID_ARGUMENT;
1051 *pubp = kex->load_host_public_key(kex->hostkey_type,
1052 kex->hostkey_nid, ssh);
1053 *prvp = kex->load_host_private_key(kex->hostkey_type,
1054 kex->hostkey_nid, ssh);
1056 return SSH_ERR_NO_HOSTKEY_LOADED;
1061 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
1063 struct kex *kex = ssh->kex;
1065 if (kex->verify_host_key == NULL)
1066 return SSH_ERR_INVALID_ARGUMENT;
1067 if (server_host_key->type != kex->hostkey_type ||
1068 (kex->hostkey_type == KEY_ECDSA &&
1069 server_host_key->ecdsa_nid != kex->hostkey_nid))
1070 return SSH_ERR_KEY_TYPE_MISMATCH;
1071 if (kex->verify_host_key(server_host_key, ssh) == -1)
1072 return SSH_ERR_SIGNATURE_INVALID;
1076 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1078 dump_digest(const char *msg, const u_char *digest, int len)
1080 fprintf(stderr, "%s\n", msg);
1081 sshbuf_dump_data(digest, len, stderr);
1086 * Send a plaintext error message to the peer, suffixed by \r\n.
1087 * Only used during banner exchange, and there only for the server.
1090 send_error(struct ssh *ssh, char *msg)
1092 char *crnl = "\r\n";
1094 if (!ssh->kex->server)
1097 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1098 msg, strlen(msg)) != strlen(msg) ||
1099 atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1100 crnl, strlen(crnl)) != strlen(crnl))
1101 error("%s: write: %.100s", __func__, strerror(errno));
1105 * Sends our identification string and waits for the peer's. Will block for
1106 * up to timeout_ms (or indefinitely if timeout_ms <= 0).
1107 * Returns on 0 success or a ssherr.h code on failure.
1110 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
1111 const char *version_addendum)
1113 int remote_major, remote_minor, mismatch;
1117 struct sshbuf *our_version = ssh->kex->server ?
1118 ssh->kex->server_version : ssh->kex->client_version;
1119 struct sshbuf *peer_version = ssh->kex->server ?
1120 ssh->kex->client_version : ssh->kex->server_version;
1121 char *our_version_string = NULL, *peer_version_string = NULL;
1122 char *cp, *remote_version = NULL;
1124 /* Prepare and send our banner */
1125 sshbuf_reset(our_version);
1126 if (version_addendum != NULL && *version_addendum == '\0')
1127 version_addendum = NULL;
1128 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
1129 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
1130 version_addendum == NULL ? "" : " ",
1131 version_addendum == NULL ? "" : version_addendum)) != 0) {
1132 error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
1136 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1137 sshbuf_mutable_ptr(our_version),
1138 sshbuf_len(our_version)) != sshbuf_len(our_version)) {
1139 error("%s: write: %.100s", __func__, strerror(errno));
1140 r = SSH_ERR_SYSTEM_ERROR;
1143 if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
1144 error("%s: sshbuf_consume_end: %s", __func__, ssh_err(r));
1147 our_version_string = sshbuf_dup_string(our_version);
1148 if (our_version_string == NULL) {
1149 error("%s: sshbuf_dup_string failed", __func__);
1150 r = SSH_ERR_ALLOC_FAIL;
1153 debug("Local version string %.100s", our_version_string);
1155 /* Read other side's version identification. */
1156 for (n = 0; ; n++) {
1157 if (n >= SSH_MAX_PRE_BANNER_LINES) {
1158 send_error(ssh, "No SSH identification string "
1160 error("%s: No SSH version received in first %u lines "
1161 "from server", __func__, SSH_MAX_PRE_BANNER_LINES);
1162 r = SSH_ERR_INVALID_FORMAT;
1165 sshbuf_reset(peer_version);
1167 for (i = 0; ; i++) {
1168 if (timeout_ms > 0) {
1169 r = waitrfd(ssh_packet_get_connection_in(ssh),
1171 if (r == -1 && errno == ETIMEDOUT) {
1172 send_error(ssh, "Timed out waiting "
1173 "for SSH identification string.");
1174 error("Connection timed out during "
1176 r = SSH_ERR_CONN_TIMEOUT;
1178 } else if (r == -1) {
1180 __func__, strerror(errno));
1181 r = SSH_ERR_SYSTEM_ERROR;
1186 len = atomicio(read, ssh_packet_get_connection_in(ssh),
1188 if (len != 1 && errno == EPIPE) {
1189 error("%s: Connection closed by remote host",
1191 r = SSH_ERR_CONN_CLOSED;
1193 } else if (len != 1) {
1194 error("%s: read: %.100s",
1195 __func__, strerror(errno));
1196 r = SSH_ERR_SYSTEM_ERROR;
1205 if (c == '\0' || expect_nl) {
1206 error("%s: banner line contains invalid "
1207 "characters", __func__);
1210 if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
1211 error("%s: sshbuf_put: %s",
1212 __func__, ssh_err(r));
1215 if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
1216 error("%s: banner line too long", __func__);
1220 /* Is this an actual protocol banner? */
1221 if (sshbuf_len(peer_version) > 4 &&
1222 memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
1224 /* If not, then just log the line and continue */
1225 if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
1226 error("%s: sshbuf_dup_string failed", __func__);
1227 r = SSH_ERR_ALLOC_FAIL;
1230 /* Do not accept lines before the SSH ident from a client */
1231 if (ssh->kex->server) {
1232 error("%s: client sent invalid protocol identifier "
1233 "\"%.256s\"", __func__, cp);
1237 debug("%s: banner line %zu: %s", __func__, n, cp);
1240 peer_version_string = sshbuf_dup_string(peer_version);
1241 if (peer_version_string == NULL)
1242 error("%s: sshbuf_dup_string failed", __func__);
1243 /* XXX must be same size for sscanf */
1244 if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
1245 error("%s: calloc failed", __func__);
1246 r = SSH_ERR_ALLOC_FAIL;
1251 * Check that the versions match. In future this might accept
1252 * several versions and set appropriate flags to handle them.
1254 if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
1255 &remote_major, &remote_minor, remote_version) != 3) {
1256 error("Bad remote protocol version identification: '%.100s'",
1257 peer_version_string);
1259 send_error(ssh, "Invalid SSH identification string.");
1260 r = SSH_ERR_INVALID_FORMAT;
1263 debug("Remote protocol version %d.%d, remote software version %.100s",
1264 remote_major, remote_minor, remote_version);
1265 ssh->compat = compat_datafellows(remote_version);
1268 switch (remote_major) {
1272 if (remote_minor != 99)
1280 error("Protocol major versions differ: %d vs. %d",
1281 PROTOCOL_MAJOR_2, remote_major);
1282 send_error(ssh, "Protocol major versions differ.");
1283 r = SSH_ERR_NO_PROTOCOL_VERSION;
1287 if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
1288 logit("probed from %s port %d with %s. Don't panic.",
1289 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1290 peer_version_string);
1291 r = SSH_ERR_CONN_CLOSED; /* XXX */
1294 if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
1295 logit("scanned from %s port %d with %s. Don't panic.",
1296 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1297 peer_version_string);
1298 r = SSH_ERR_CONN_CLOSED; /* XXX */
1301 if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
1302 logit("Remote version \"%.100s\" uses unsafe RSA signature "
1303 "scheme; disabling use of RSA keys", remote_version);
1308 free(our_version_string);
1309 free(peer_version_string);
1310 free(remote_version);