djm@openbsd.org | 0e8eeec | 2016-05-02 10:26:04 +0000 | [diff] [blame] | 1 | /* $OpenBSD: kex.c,v 1.118 2016/05/02 10:26:04 djm Exp $ */ |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 2 | /* |
Ben Lindstrom | 4469723 | 2001-07-04 03:32:30 +0000 | [diff] [blame] | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 4 | * |
| 5 | * Redistribution and use in source and binary forms, with or without |
| 6 | * modification, are permitted provided that the following conditions |
| 7 | * are met: |
| 8 | * 1. Redistributions of source code must retain the above copyright |
| 9 | * notice, this list of conditions and the following disclaimer. |
| 10 | * 2. Redistributions in binary form must reproduce the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer in the |
| 12 | * documentation and/or other materials provided with the distribution. |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 13 | * |
| 14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
| 15 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| 16 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
| 17 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
| 18 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 19 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 20 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 21 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 22 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 23 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 24 | */ |
| 25 | |
| 26 | #include "includes.h" |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 27 | |
deraadt@openbsd.org | 087266e | 2015-01-20 23:14:00 +0000 | [diff] [blame] | 28 | #include <sys/param.h> /* MAX roundup */ |
Damien Miller | 8dbffe7 | 2006-08-05 11:02:17 +1000 | [diff] [blame] | 29 | |
Damien Miller | d783435 | 2006-08-05 12:39:39 +1000 | [diff] [blame] | 30 | #include <signal.h> |
Damien Miller | ded319c | 2006-09-01 15:38:36 +1000 | [diff] [blame] | 31 | #include <stdarg.h> |
Damien Miller | a7a73ee | 2006-08-05 11:37:59 +1000 | [diff] [blame] | 32 | #include <stdio.h> |
Damien Miller | e7a1e5c | 2006-08-05 11:34:19 +1000 | [diff] [blame] | 33 | #include <stdlib.h> |
Damien Miller | e3476ed | 2006-07-24 14:13:33 +1000 | [diff] [blame] | 34 | #include <string.h> |
| 35 | |
Damien Miller | 1f0311c | 2014-05-15 14:24:09 +1000 | [diff] [blame] | 36 | #ifdef WITH_OPENSSL |
Damien Miller | d783435 | 2006-08-05 12:39:39 +1000 | [diff] [blame] | 37 | #include <openssl/crypto.h> |
Damien Miller | 1f0311c | 2014-05-15 14:24:09 +1000 | [diff] [blame] | 38 | #endif |
Damien Miller | d783435 | 2006-08-05 12:39:39 +1000 | [diff] [blame] | 39 | |
Damien Miller | d783435 | 2006-08-05 12:39:39 +1000 | [diff] [blame] | 40 | #include "ssh2.h" |
Ben Lindstrom | 226cfa0 | 2001-01-22 05:34:40 +0000 | [diff] [blame] | 41 | #include "packet.h" |
| 42 | #include "compat.h" |
| 43 | #include "cipher.h" |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 44 | #include "sshkey.h" |
Damien Miller | d783435 | 2006-08-05 12:39:39 +1000 | [diff] [blame] | 45 | #include "kex.h" |
Ben Lindstrom | 226cfa0 | 2001-01-22 05:34:40 +0000 | [diff] [blame] | 46 | #include "log.h" |
Ben Lindstrom | 06b33aa | 2001-02-15 03:01:59 +0000 | [diff] [blame] | 47 | #include "mac.h" |
Ben Lindstrom | b9be60a | 2001-03-11 01:49:19 +0000 | [diff] [blame] | 48 | #include "match.h" |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 49 | #include "misc.h" |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 50 | #include "dispatch.h" |
Ben Lindstrom | 7a2073c | 2002-03-22 02:30:41 +0000 | [diff] [blame] | 51 | #include "monitor.h" |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 52 | |
| 53 | #include "ssherr.h" |
| 54 | #include "sshbuf.h" |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 55 | #include "digest.h" |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 56 | |
Damien Miller | b309203 | 2006-03-16 18:22:18 +1100 | [diff] [blame] | 57 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
| 58 | # if defined(HAVE_EVP_SHA256) |
Damien Miller | af87af1 | 2006-03-15 13:02:28 +1100 | [diff] [blame] | 59 | # define evp_ssh_sha256 EVP_sha256 |
Damien Miller | b309203 | 2006-03-16 18:22:18 +1100 | [diff] [blame] | 60 | # else |
Damien Miller | a63128d | 2006-03-15 12:08:28 +1100 | [diff] [blame] | 61 | extern const EVP_MD *evp_ssh_sha256(void); |
Damien Miller | b309203 | 2006-03-16 18:22:18 +1100 | [diff] [blame] | 62 | # endif |
Tim Rice | 425a688 | 2006-03-15 20:17:05 -0800 | [diff] [blame] | 63 | #endif |
Damien Miller | a63128d | 2006-03-15 12:08:28 +1100 | [diff] [blame] | 64 | |
Ben Lindstrom | bba8121 | 2001-06-25 05:01:22 +0000 | [diff] [blame] | 65 | /* prototype */ |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 66 | static int kex_choose_conf(struct ssh *); |
| 67 | static int kex_input_newkeys(int, u_int32_t, void *); |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 68 | |
djm@openbsd.org | 9690b78 | 2015-08-21 23:57:48 +0000 | [diff] [blame] | 69 | static const char *proposal_names[PROPOSAL_MAX] = { |
| 70 | "KEX algorithms", |
| 71 | "host key algorithms", |
| 72 | "ciphers ctos", |
| 73 | "ciphers stoc", |
| 74 | "MACs ctos", |
| 75 | "MACs stoc", |
| 76 | "compression ctos", |
| 77 | "compression stoc", |
| 78 | "languages ctos", |
| 79 | "languages stoc", |
| 80 | }; |
| 81 | |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 82 | struct kexalg { |
| 83 | char *name; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 84 | u_int type; |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 85 | int ec_nid; |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 86 | int hash_alg; |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 87 | }; |
| 88 | static const struct kexalg kexalgs[] = { |
Damien Miller | 1f0311c | 2014-05-15 14:24:09 +1000 | [diff] [blame] | 89 | #ifdef WITH_OPENSSL |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 90 | { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, |
djm@openbsd.org | 0e8eeec | 2016-05-02 10:26:04 +0000 | [diff] [blame] | 91 | { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, |
| 92 | { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, |
| 93 | { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, |
| 94 | { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 95 | { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, |
Darren Tucker | a75d247 | 2013-05-10 18:11:55 +1000 | [diff] [blame] | 96 | #ifdef HAVE_EVP_SHA256 |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 97 | { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, |
Damien Miller | 1f0311c | 2014-05-15 14:24:09 +1000 | [diff] [blame] | 98 | #endif /* HAVE_EVP_SHA256 */ |
Darren Tucker | a75d247 | 2013-05-10 18:11:55 +1000 | [diff] [blame] | 99 | #ifdef OPENSSL_HAS_ECC |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 100 | { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, |
| 101 | NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, |
| 102 | { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, |
| 103 | SSH_DIGEST_SHA384 }, |
Darren Tucker | 37bcef5 | 2013-11-09 18:39:25 +1100 | [diff] [blame] | 104 | # ifdef OPENSSL_HAS_NISTP521 |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 105 | { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, |
| 106 | SSH_DIGEST_SHA512 }, |
Damien Miller | 1f0311c | 2014-05-15 14:24:09 +1000 | [diff] [blame] | 107 | # endif /* OPENSSL_HAS_NISTP521 */ |
| 108 | #endif /* OPENSSL_HAS_ECC */ |
Damien Miller | 1f0311c | 2014-05-15 14:24:09 +1000 | [diff] [blame] | 109 | #endif /* WITH_OPENSSL */ |
Damien Miller | 72ef7c1 | 2015-01-15 02:21:31 +1100 | [diff] [blame] | 110 | #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 111 | { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, |
Damien Miller | 72ef7c1 | 2015-01-15 02:21:31 +1100 | [diff] [blame] | 112 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 113 | { NULL, -1, -1, -1}, |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 114 | }; |
| 115 | |
| 116 | char * |
Damien Miller | 690d989 | 2013-11-08 12:16:49 +1100 | [diff] [blame] | 117 | kex_alg_list(char sep) |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 118 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 119 | char *ret = NULL, *tmp; |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 120 | size_t nlen, rlen = 0; |
| 121 | const struct kexalg *k; |
| 122 | |
| 123 | for (k = kexalgs; k->name != NULL; k++) { |
| 124 | if (ret != NULL) |
Damien Miller | 690d989 | 2013-11-08 12:16:49 +1100 | [diff] [blame] | 125 | ret[rlen++] = sep; |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 126 | nlen = strlen(k->name); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 127 | if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { |
| 128 | free(ret); |
| 129 | return NULL; |
| 130 | } |
| 131 | ret = tmp; |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 132 | memcpy(ret + rlen, k->name, nlen + 1); |
| 133 | rlen += nlen; |
| 134 | } |
| 135 | return ret; |
| 136 | } |
| 137 | |
| 138 | static const struct kexalg * |
| 139 | kex_alg_by_name(const char *name) |
| 140 | { |
| 141 | const struct kexalg *k; |
| 142 | |
| 143 | for (k = kexalgs; k->name != NULL; k++) { |
| 144 | if (strcmp(k->name, name) == 0) |
| 145 | return k; |
| 146 | } |
| 147 | return NULL; |
| 148 | } |
| 149 | |
Damien Miller | d5f62bf | 2010-09-24 22:11:14 +1000 | [diff] [blame] | 150 | /* Validate KEX method name list */ |
| 151 | int |
| 152 | kex_names_valid(const char *names) |
| 153 | { |
| 154 | char *s, *cp, *p; |
| 155 | |
| 156 | if (names == NULL || strcmp(names, "") == 0) |
| 157 | return 0; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 158 | if ((s = cp = strdup(names)) == NULL) |
| 159 | return 0; |
Damien Miller | d5f62bf | 2010-09-24 22:11:14 +1000 | [diff] [blame] | 160 | for ((p = strsep(&cp, ",")); p && *p != '\0'; |
| 161 | (p = strsep(&cp, ","))) { |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 162 | if (kex_alg_by_name(p) == NULL) { |
Damien Miller | d5f62bf | 2010-09-24 22:11:14 +1000 | [diff] [blame] | 163 | error("Unsupported KEX algorithm \"%.100s\"", p); |
Darren Tucker | a627d42 | 2013-06-02 07:31:17 +1000 | [diff] [blame] | 164 | free(s); |
Damien Miller | d5f62bf | 2010-09-24 22:11:14 +1000 | [diff] [blame] | 165 | return 0; |
| 166 | } |
| 167 | } |
| 168 | debug3("kex names ok: [%s]", names); |
Darren Tucker | a627d42 | 2013-06-02 07:31:17 +1000 | [diff] [blame] | 169 | free(s); |
Damien Miller | d5f62bf | 2010-09-24 22:11:14 +1000 | [diff] [blame] | 170 | return 1; |
| 171 | } |
| 172 | |
djm@openbsd.org | f9eca24 | 2015-07-30 00:01:34 +0000 | [diff] [blame] | 173 | /* |
| 174 | * Concatenate algorithm names, avoiding duplicates in the process. |
| 175 | * Caller must free returned string. |
| 176 | */ |
| 177 | char * |
| 178 | kex_names_cat(const char *a, const char *b) |
| 179 | { |
| 180 | char *ret = NULL, *tmp = NULL, *cp, *p; |
| 181 | size_t len; |
| 182 | |
| 183 | if (a == NULL || *a == '\0') |
| 184 | return NULL; |
| 185 | if (b == NULL || *b == '\0') |
| 186 | return strdup(a); |
| 187 | if (strlen(b) > 1024*1024) |
| 188 | return NULL; |
| 189 | len = strlen(a) + strlen(b) + 2; |
| 190 | if ((tmp = cp = strdup(b)) == NULL || |
| 191 | (ret = calloc(1, len)) == NULL) { |
| 192 | free(tmp); |
| 193 | return NULL; |
| 194 | } |
| 195 | strlcpy(ret, a, len); |
| 196 | for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { |
| 197 | if (match_list(ret, p, NULL) != NULL) |
| 198 | continue; /* Algorithm already present */ |
| 199 | if (strlcat(ret, ",", len) >= len || |
| 200 | strlcat(ret, p, len) >= len) { |
| 201 | free(tmp); |
| 202 | free(ret); |
| 203 | return NULL; /* Shouldn't happen */ |
| 204 | } |
| 205 | } |
| 206 | free(tmp); |
| 207 | return ret; |
| 208 | } |
| 209 | |
| 210 | /* |
| 211 | * Assemble a list of algorithms from a default list and a string from a |
| 212 | * configuration file. The user-provided string may begin with '+' to |
| 213 | * indicate that it should be appended to the default. |
| 214 | */ |
| 215 | int |
| 216 | kex_assemble_names(const char *def, char **list) |
| 217 | { |
| 218 | char *ret; |
| 219 | |
| 220 | if (list == NULL || *list == NULL || **list == '\0') { |
| 221 | *list = strdup(def); |
| 222 | return 0; |
| 223 | } |
| 224 | if (**list != '+') { |
| 225 | return 0; |
| 226 | } |
| 227 | |
| 228 | if ((ret = kex_names_cat(def, *list + 1)) == NULL) |
| 229 | return SSH_ERR_ALLOC_FAIL; |
| 230 | free(*list); |
| 231 | *list = ret; |
| 232 | return 0; |
| 233 | } |
| 234 | |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 235 | /* put algorithm proposal into buffer */ |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 236 | int |
| 237 | kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 238 | { |
Damien Miller | eccb9de | 2005-06-17 12:59:34 +1000 | [diff] [blame] | 239 | u_int i; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 240 | int r; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 241 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 242 | sshbuf_reset(b); |
| 243 | |
Ben Lindstrom | 5997172 | 2002-03-27 17:42:57 +0000 | [diff] [blame] | 244 | /* |
| 245 | * add a dummy cookie, the cookie will be overwritten by |
| 246 | * kex_send_kexinit(), each time a kexinit is set |
| 247 | */ |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 248 | for (i = 0; i < KEX_COOKIE_LEN; i++) { |
| 249 | if ((r = sshbuf_put_u8(b, 0)) != 0) |
| 250 | return r; |
| 251 | } |
| 252 | for (i = 0; i < PROPOSAL_MAX; i++) { |
| 253 | if ((r = sshbuf_put_cstring(b, proposal[i])) != 0) |
| 254 | return r; |
| 255 | } |
| 256 | if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */ |
| 257 | (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */ |
| 258 | return r; |
| 259 | return 0; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 260 | } |
| 261 | |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 262 | /* parse buffer and return algorithm proposal */ |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 263 | int |
| 264 | kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) |
Damien Miller | b1715dc | 2000-05-30 13:44:51 +1000 | [diff] [blame] | 265 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 266 | struct sshbuf *b = NULL; |
| 267 | u_char v; |
Darren Tucker | 0d0d195 | 2007-06-05 18:23:28 +1000 | [diff] [blame] | 268 | u_int i; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 269 | char **proposal = NULL; |
| 270 | int r; |
Damien Miller | b1715dc | 2000-05-30 13:44:51 +1000 | [diff] [blame] | 271 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 272 | *propp = NULL; |
| 273 | if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL) |
| 274 | return SSH_ERR_ALLOC_FAIL; |
| 275 | if ((b = sshbuf_fromb(raw)) == NULL) { |
| 276 | r = SSH_ERR_ALLOC_FAIL; |
| 277 | goto out; |
| 278 | } |
| 279 | if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */ |
| 280 | goto out; |
Damien Miller | b1715dc | 2000-05-30 13:44:51 +1000 | [diff] [blame] | 281 | /* extract kex init proposal strings */ |
| 282 | for (i = 0; i < PROPOSAL_MAX; i++) { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 283 | if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) |
| 284 | goto out; |
djm@openbsd.org | 9690b78 | 2015-08-21 23:57:48 +0000 | [diff] [blame] | 285 | debug2("%s: %s", proposal_names[i], proposal[i]); |
Damien Miller | b1715dc | 2000-05-30 13:44:51 +1000 | [diff] [blame] | 286 | } |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 287 | /* first kex follows / reserved */ |
djm@openbsd.org | 271df81 | 2015-12-13 22:42:23 +0000 | [diff] [blame] | 288 | if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ |
| 289 | (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */ |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 290 | goto out; |
Damien Miller | babb47a | 2003-02-24 11:53:32 +1100 | [diff] [blame] | 291 | if (first_kex_follows != NULL) |
djm@openbsd.org | 271df81 | 2015-12-13 22:42:23 +0000 | [diff] [blame] | 292 | *first_kex_follows = v; |
djm@openbsd.org | 9690b78 | 2015-08-21 23:57:48 +0000 | [diff] [blame] | 293 | debug2("first_kex_follows %d ", v); |
| 294 | debug2("reserved %u ", i); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 295 | r = 0; |
| 296 | *propp = proposal; |
| 297 | out: |
| 298 | if (r != 0 && proposal != NULL) |
| 299 | kex_prop_free(proposal); |
| 300 | sshbuf_free(b); |
| 301 | return r; |
Damien Miller | b1715dc | 2000-05-30 13:44:51 +1000 | [diff] [blame] | 302 | } |
| 303 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 304 | void |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 305 | kex_prop_free(char **proposal) |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 306 | { |
Damien Miller | eccb9de | 2005-06-17 12:59:34 +1000 | [diff] [blame] | 307 | u_int i; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 308 | |
djm@openbsd.org | 44a8e7c | 2015-04-17 13:25:52 +0000 | [diff] [blame] | 309 | if (proposal == NULL) |
| 310 | return; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 311 | for (i = 0; i < PROPOSAL_MAX; i++) |
Darren Tucker | a627d42 | 2013-06-02 07:31:17 +1000 | [diff] [blame] | 312 | free(proposal[i]); |
| 313 | free(proposal); |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 314 | } |
| 315 | |
Darren Tucker | 0d0d195 | 2007-06-05 18:23:28 +1000 | [diff] [blame] | 316 | /* ARGSUSED */ |
markus@openbsd.org | 3fdc88a | 2015-01-19 20:07:45 +0000 | [diff] [blame] | 317 | static int |
Damien Miller | 630d6f4 | 2002-01-22 23:17:30 +1100 | [diff] [blame] | 318 | kex_protocol_error(int type, u_int32_t seq, void *ctxt) |
Damien Miller | 874d77b | 2000-10-14 16:23:11 +1100 | [diff] [blame] | 319 | { |
djm@openbsd.org | d87063d | 2015-11-13 04:39:35 +0000 | [diff] [blame] | 320 | struct ssh *ssh = active_state; /* XXX */ |
| 321 | int r; |
| 322 | |
| 323 | error("kex protocol error: type %d seq %u", type, seq); |
| 324 | if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || |
| 325 | (r = sshpkt_put_u32(ssh, seq)) != 0 || |
| 326 | (r = sshpkt_send(ssh)) != 0) |
| 327 | return r; |
markus@openbsd.org | 3fdc88a | 2015-01-19 20:07:45 +0000 | [diff] [blame] | 328 | return 0; |
Damien Miller | 874d77b | 2000-10-14 16:23:11 +1100 | [diff] [blame] | 329 | } |
| 330 | |
Ben Lindstrom | bba8121 | 2001-06-25 05:01:22 +0000 | [diff] [blame] | 331 | static void |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 332 | kex_reset_dispatch(struct ssh *ssh) |
Ben Lindstrom | 8ac9106 | 2001-04-04 17:57:54 +0000 | [diff] [blame] | 333 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 334 | ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN, |
Damien Miller | 7d05339 | 2002-01-22 23:24:13 +1100 | [diff] [blame] | 335 | SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 336 | ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); |
Ben Lindstrom | 8ac9106 | 2001-04-04 17:57:54 +0000 | [diff] [blame] | 337 | } |
| 338 | |
markus@openbsd.org | 76c9fbb | 2015-12-04 16:41:28 +0000 | [diff] [blame] | 339 | static int |
| 340 | kex_send_ext_info(struct ssh *ssh) |
| 341 | { |
| 342 | int r; |
| 343 | |
| 344 | if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || |
| 345 | (r = sshpkt_put_u32(ssh, 1)) != 0 || |
| 346 | (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || |
| 347 | (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 || |
| 348 | (r = sshpkt_send(ssh)) != 0) |
| 349 | return r; |
| 350 | return 0; |
| 351 | } |
| 352 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 353 | int |
| 354 | kex_send_newkeys(struct ssh *ssh) |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 355 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 356 | int r; |
Ben Lindstrom | 238abf6 | 2001-04-04 17:52:53 +0000 | [diff] [blame] | 357 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 358 | kex_reset_dispatch(ssh); |
| 359 | if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 || |
| 360 | (r = sshpkt_send(ssh)) != 0) |
| 361 | return r; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 362 | debug("SSH2_MSG_NEWKEYS sent"); |
Ben Lindstrom | 064496f | 2002-12-23 02:04:22 +0000 | [diff] [blame] | 363 | debug("expecting SSH2_MSG_NEWKEYS"); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 364 | ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); |
markus@openbsd.org | 76c9fbb | 2015-12-04 16:41:28 +0000 | [diff] [blame] | 365 | if (ssh->kex->ext_info_c) |
| 366 | if ((r = kex_send_ext_info(ssh)) != 0) |
| 367 | return r; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 368 | return 0; |
| 369 | } |
Ben Lindstrom | 5ba23b3 | 2001-04-05 02:05:21 +0000 | [diff] [blame] | 370 | |
markus@openbsd.org | 76c9fbb | 2015-12-04 16:41:28 +0000 | [diff] [blame] | 371 | int |
| 372 | kex_input_ext_info(int type, u_int32_t seq, void *ctxt) |
| 373 | { |
| 374 | struct ssh *ssh = ctxt; |
| 375 | struct kex *kex = ssh->kex; |
| 376 | u_int32_t i, ninfo; |
| 377 | char *name, *val, *found; |
| 378 | int r; |
| 379 | |
| 380 | debug("SSH2_MSG_EXT_INFO received"); |
| 381 | ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); |
| 382 | if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) |
| 383 | return r; |
| 384 | for (i = 0; i < ninfo; i++) { |
| 385 | if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) |
| 386 | return r; |
| 387 | if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) { |
| 388 | free(name); |
| 389 | return r; |
| 390 | } |
| 391 | debug("%s: %s=<%s>", __func__, name, val); |
| 392 | if (strcmp(name, "server-sig-algs") == 0) { |
| 393 | found = match_list("rsa-sha2-256", val, NULL); |
| 394 | if (found) { |
| 395 | kex->rsa_sha2 = 256; |
| 396 | free(found); |
| 397 | } |
| 398 | found = match_list("rsa-sha2-512", val, NULL); |
| 399 | if (found) { |
| 400 | kex->rsa_sha2 = 512; |
| 401 | free(found); |
| 402 | } |
| 403 | } |
| 404 | free(name); |
| 405 | free(val); |
| 406 | } |
| 407 | return sshpkt_get_end(ssh); |
| 408 | } |
| 409 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 410 | static int |
| 411 | kex_input_newkeys(int type, u_int32_t seq, void *ctxt) |
| 412 | { |
| 413 | struct ssh *ssh = ctxt; |
| 414 | struct kex *kex = ssh->kex; |
| 415 | int r; |
| 416 | |
| 417 | debug("SSH2_MSG_NEWKEYS received"); |
| 418 | ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); |
| 419 | if ((r = sshpkt_get_end(ssh)) != 0) |
| 420 | return r; |
Ben Lindstrom | be2cc43 | 2001-04-04 23:46:07 +0000 | [diff] [blame] | 421 | kex->done = 1; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 422 | sshbuf_reset(kex->peer); |
| 423 | /* sshbuf_reset(kex->my); */ |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 424 | kex->flags &= ~KEX_INIT_SENT; |
Darren Tucker | a627d42 | 2013-06-02 07:31:17 +1000 | [diff] [blame] | 425 | free(kex->name); |
Ben Lindstrom | 5ba23b3 | 2001-04-05 02:05:21 +0000 | [diff] [blame] | 426 | kex->name = NULL; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 427 | return 0; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 428 | } |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 429 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 430 | int |
| 431 | kex_send_kexinit(struct ssh *ssh) |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 432 | { |
Ben Lindstrom | 5997172 | 2002-03-27 17:42:57 +0000 | [diff] [blame] | 433 | u_char *cookie; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 434 | struct kex *kex = ssh->kex; |
| 435 | int r; |
Ben Lindstrom | 5997172 | 2002-03-27 17:42:57 +0000 | [diff] [blame] | 436 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 437 | if (kex == NULL) |
| 438 | return SSH_ERR_INTERNAL_ERROR; |
| 439 | if (kex->flags & KEX_INIT_SENT) |
| 440 | return 0; |
Ben Lindstrom | be2cc43 | 2001-04-04 23:46:07 +0000 | [diff] [blame] | 441 | kex->done = 0; |
Ben Lindstrom | 5997172 | 2002-03-27 17:42:57 +0000 | [diff] [blame] | 442 | |
| 443 | /* generate a random cookie */ |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 444 | if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) |
| 445 | return SSH_ERR_INVALID_FORMAT; |
| 446 | if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) |
| 447 | return SSH_ERR_INTERNAL_ERROR; |
| 448 | arc4random_buf(cookie, KEX_COOKIE_LEN); |
| 449 | |
| 450 | if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || |
| 451 | (r = sshpkt_putb(ssh, kex->my)) != 0 || |
| 452 | (r = sshpkt_send(ssh)) != 0) |
| 453 | return r; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 454 | debug("SSH2_MSG_KEXINIT sent"); |
| 455 | kex->flags |= KEX_INIT_SENT; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 456 | return 0; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 457 | } |
| 458 | |
Darren Tucker | 0d0d195 | 2007-06-05 18:23:28 +1000 | [diff] [blame] | 459 | /* ARGSUSED */ |
markus@openbsd.org | 3fdc88a | 2015-01-19 20:07:45 +0000 | [diff] [blame] | 460 | int |
Damien Miller | 630d6f4 | 2002-01-22 23:17:30 +1100 | [diff] [blame] | 461 | kex_input_kexinit(int type, u_int32_t seq, void *ctxt) |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 462 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 463 | struct ssh *ssh = ctxt; |
| 464 | struct kex *kex = ssh->kex; |
| 465 | const u_char *ptr; |
markus@openbsd.org | 091c302 | 2015-01-19 19:52:16 +0000 | [diff] [blame] | 466 | u_int i; |
| 467 | size_t dlen; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 468 | int r; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 469 | |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 470 | debug("SSH2_MSG_KEXINIT received"); |
Ben Lindstrom | 8ac9106 | 2001-04-04 17:57:54 +0000 | [diff] [blame] | 471 | if (kex == NULL) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 472 | return SSH_ERR_INVALID_ARGUMENT; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 473 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 474 | ptr = sshpkt_ptr(ssh, &dlen); |
| 475 | if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) |
| 476 | return r; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 477 | |
Ben Lindstrom | 8e312f3 | 2001-04-04 23:50:21 +0000 | [diff] [blame] | 478 | /* discard packet */ |
| 479 | for (i = 0; i < KEX_COOKIE_LEN; i++) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 480 | if ((r = sshpkt_get_u8(ssh, NULL)) != 0) |
| 481 | return r; |
Ben Lindstrom | 8e312f3 | 2001-04-04 23:50:21 +0000 | [diff] [blame] | 482 | for (i = 0; i < PROPOSAL_MAX; i++) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 483 | if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) |
| 484 | return r; |
Darren Tucker | ae608bd | 2012-09-06 21:19:51 +1000 | [diff] [blame] | 485 | /* |
| 486 | * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported |
| 487 | * KEX method has the server move first, but a server might be using |
| 488 | * a custom method or one that we otherwise don't support. We should |
| 489 | * be prepared to remember first_kex_follows here so we can eat a |
| 490 | * packet later. |
| 491 | * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means |
| 492 | * for cases where the server *doesn't* go first. I guess we should |
| 493 | * ignore it when it is set for these cases, which is what we do now. |
| 494 | */ |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 495 | if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */ |
| 496 | (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */ |
| 497 | (r = sshpkt_get_end(ssh)) != 0) |
| 498 | return r; |
Ben Lindstrom | 8e312f3 | 2001-04-04 23:50:21 +0000 | [diff] [blame] | 499 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 500 | if (!(kex->flags & KEX_INIT_SENT)) |
| 501 | if ((r = kex_send_kexinit(ssh)) != 0) |
| 502 | return r; |
| 503 | if ((r = kex_choose_conf(ssh)) != 0) |
| 504 | return r; |
| 505 | |
| 506 | if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) |
| 507 | return (kex->kex[kex->kex_type])(ssh); |
| 508 | |
| 509 | return SSH_ERR_INTERNAL_ERROR; |
| 510 | } |
| 511 | |
| 512 | int |
| 513 | kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp) |
| 514 | { |
| 515 | struct kex *kex; |
| 516 | int r; |
| 517 | |
| 518 | *kexp = NULL; |
| 519 | if ((kex = calloc(1, sizeof(*kex))) == NULL) |
| 520 | return SSH_ERR_ALLOC_FAIL; |
| 521 | if ((kex->peer = sshbuf_new()) == NULL || |
| 522 | (kex->my = sshbuf_new()) == NULL) { |
| 523 | r = SSH_ERR_ALLOC_FAIL; |
| 524 | goto out; |
| 525 | } |
| 526 | if ((r = kex_prop2buf(kex->my, proposal)) != 0) |
| 527 | goto out; |
| 528 | kex->done = 0; |
| 529 | kex_reset_dispatch(ssh); |
| 530 | r = 0; |
| 531 | *kexp = kex; |
| 532 | out: |
| 533 | if (r != 0) |
| 534 | kex_free(kex); |
| 535 | return r; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 536 | } |
| 537 | |
markus@openbsd.org | 091c302 | 2015-01-19 19:52:16 +0000 | [diff] [blame] | 538 | void |
| 539 | kex_free_newkeys(struct newkeys *newkeys) |
| 540 | { |
| 541 | if (newkeys == NULL) |
| 542 | return; |
| 543 | if (newkeys->enc.key) { |
| 544 | explicit_bzero(newkeys->enc.key, newkeys->enc.key_len); |
| 545 | free(newkeys->enc.key); |
| 546 | newkeys->enc.key = NULL; |
| 547 | } |
| 548 | if (newkeys->enc.iv) { |
djm@openbsd.org | 179c353 | 2015-10-13 00:21:27 +0000 | [diff] [blame] | 549 | explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); |
markus@openbsd.org | 091c302 | 2015-01-19 19:52:16 +0000 | [diff] [blame] | 550 | free(newkeys->enc.iv); |
| 551 | newkeys->enc.iv = NULL; |
| 552 | } |
| 553 | free(newkeys->enc.name); |
| 554 | explicit_bzero(&newkeys->enc, sizeof(newkeys->enc)); |
| 555 | free(newkeys->comp.name); |
| 556 | explicit_bzero(&newkeys->comp, sizeof(newkeys->comp)); |
| 557 | mac_clear(&newkeys->mac); |
| 558 | if (newkeys->mac.key) { |
| 559 | explicit_bzero(newkeys->mac.key, newkeys->mac.key_len); |
| 560 | free(newkeys->mac.key); |
| 561 | newkeys->mac.key = NULL; |
| 562 | } |
| 563 | free(newkeys->mac.name); |
| 564 | explicit_bzero(&newkeys->mac, sizeof(newkeys->mac)); |
| 565 | explicit_bzero(newkeys, sizeof(*newkeys)); |
| 566 | free(newkeys); |
| 567 | } |
| 568 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 569 | void |
| 570 | kex_free(struct kex *kex) |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 571 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 572 | u_int mode; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 573 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 574 | #ifdef WITH_OPENSSL |
| 575 | if (kex->dh) |
| 576 | DH_free(kex->dh); |
Damien Miller | 4df590c | 2015-03-11 10:02:39 +1100 | [diff] [blame] | 577 | #ifdef OPENSSL_HAS_ECC |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 578 | if (kex->ec_client_key) |
| 579 | EC_KEY_free(kex->ec_client_key); |
Damien Miller | 4df590c | 2015-03-11 10:02:39 +1100 | [diff] [blame] | 580 | #endif /* OPENSSL_HAS_ECC */ |
| 581 | #endif /* WITH_OPENSSL */ |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 582 | for (mode = 0; mode < MODE_MAX; mode++) { |
| 583 | kex_free_newkeys(kex->newkeys[mode]); |
| 584 | kex->newkeys[mode] = NULL; |
markus@openbsd.org | 091c302 | 2015-01-19 19:52:16 +0000 | [diff] [blame] | 585 | } |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 586 | sshbuf_free(kex->peer); |
| 587 | sshbuf_free(kex->my); |
| 588 | free(kex->session_id); |
| 589 | free(kex->client_version_string); |
| 590 | free(kex->server_version_string); |
djm@openbsd.org | f319912 | 2015-07-29 04:43:06 +0000 | [diff] [blame] | 591 | free(kex->failed_choice); |
markus@openbsd.org | 76c9fbb | 2015-12-04 16:41:28 +0000 | [diff] [blame] | 592 | free(kex->hostkey_alg); |
| 593 | free(kex->name); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 594 | free(kex); |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 595 | } |
| 596 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 597 | int |
| 598 | kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 599 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 600 | int r; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 601 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 602 | if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0) |
| 603 | return r; |
| 604 | if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */ |
| 605 | kex_free(ssh->kex); |
| 606 | ssh->kex = NULL; |
| 607 | return r; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 608 | } |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 609 | return 0; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 610 | } |
| 611 | |
djm@openbsd.org | 19bcf2e | 2016-02-08 10:57:07 +0000 | [diff] [blame] | 612 | /* |
| 613 | * Request key re-exchange, returns 0 on success or a ssherr.h error |
| 614 | * code otherwise. Must not be called if KEX is incomplete or in-progress. |
| 615 | */ |
| 616 | int |
| 617 | kex_start_rekex(struct ssh *ssh) |
| 618 | { |
| 619 | if (ssh->kex == NULL) { |
| 620 | error("%s: no kex", __func__); |
| 621 | return SSH_ERR_INTERNAL_ERROR; |
| 622 | } |
| 623 | if (ssh->kex->done == 0) { |
| 624 | error("%s: requested twice", __func__); |
| 625 | return SSH_ERR_INTERNAL_ERROR; |
| 626 | } |
| 627 | ssh->kex->done = 0; |
| 628 | return kex_send_kexinit(ssh); |
| 629 | } |
| 630 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 631 | static int |
| 632 | choose_enc(struct sshenc *enc, char *client, char *server) |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 633 | { |
Ben Lindstrom | b9be60a | 2001-03-11 01:49:19 +0000 | [diff] [blame] | 634 | char *name = match_list(client, server, NULL); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 635 | |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 636 | if (name == NULL) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 637 | return SSH_ERR_NO_CIPHER_ALG_MATCH; |
Damien Miller | 963f6b2 | 2002-02-19 15:21:23 +1100 | [diff] [blame] | 638 | if ((enc->cipher = cipher_by_name(name)) == NULL) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 639 | return SSH_ERR_INTERNAL_ERROR; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 640 | enc->name = name; |
| 641 | enc->enabled = 0; |
| 642 | enc->iv = NULL; |
Damien Miller | 1d75abf | 2013-01-09 16:12:19 +1100 | [diff] [blame] | 643 | enc->iv_len = cipher_ivlen(enc->cipher); |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 644 | enc->key = NULL; |
Damien Miller | 963f6b2 | 2002-02-19 15:21:23 +1100 | [diff] [blame] | 645 | enc->key_len = cipher_keylen(enc->cipher); |
| 646 | enc->block_size = cipher_blocksize(enc->cipher); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 647 | return 0; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 648 | } |
Damien Miller | 4f7becb | 2006-03-26 14:10:14 +1100 | [diff] [blame] | 649 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 650 | static int |
| 651 | choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 652 | { |
Ben Lindstrom | b9be60a | 2001-03-11 01:49:19 +0000 | [diff] [blame] | 653 | char *name = match_list(client, server, NULL); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 654 | |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 655 | if (name == NULL) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 656 | return SSH_ERR_NO_MAC_ALG_MATCH; |
Darren Tucker | 5f3d5be | 2007-06-05 18:30:18 +1000 | [diff] [blame] | 657 | if (mac_setup(mac, name) < 0) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 658 | return SSH_ERR_INTERNAL_ERROR; |
Ben Lindstrom | 06b33aa | 2001-02-15 03:01:59 +0000 | [diff] [blame] | 659 | /* truncate the key */ |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 660 | if (ssh->compat & SSH_BUG_HMAC) |
Ben Lindstrom | 06b33aa | 2001-02-15 03:01:59 +0000 | [diff] [blame] | 661 | mac->key_len = 16; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 662 | mac->name = name; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 663 | mac->key = NULL; |
| 664 | mac->enabled = 0; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 665 | return 0; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 666 | } |
Damien Miller | 4f7becb | 2006-03-26 14:10:14 +1100 | [diff] [blame] | 667 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 668 | static int |
| 669 | choose_comp(struct sshcomp *comp, char *client, char *server) |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 670 | { |
Ben Lindstrom | b9be60a | 2001-03-11 01:49:19 +0000 | [diff] [blame] | 671 | char *name = match_list(client, server, NULL); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 672 | |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 673 | if (name == NULL) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 674 | return SSH_ERR_NO_COMPRESS_ALG_MATCH; |
Damien Miller | 9786e6e | 2005-07-26 21:54:56 +1000 | [diff] [blame] | 675 | if (strcmp(name, "zlib@openssh.com") == 0) { |
| 676 | comp->type = COMP_DELAYED; |
| 677 | } else if (strcmp(name, "zlib") == 0) { |
| 678 | comp->type = COMP_ZLIB; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 679 | } else if (strcmp(name, "none") == 0) { |
Damien Miller | 9786e6e | 2005-07-26 21:54:56 +1000 | [diff] [blame] | 680 | comp->type = COMP_NONE; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 681 | } else { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 682 | return SSH_ERR_INTERNAL_ERROR; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 683 | } |
| 684 | comp->name = name; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 685 | return 0; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 686 | } |
Damien Miller | 4f7becb | 2006-03-26 14:10:14 +1100 | [diff] [blame] | 687 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 688 | static int |
| 689 | choose_kex(struct kex *k, char *client, char *server) |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 690 | { |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 691 | const struct kexalg *kexalg; |
| 692 | |
Ben Lindstrom | b9be60a | 2001-03-11 01:49:19 +0000 | [diff] [blame] | 693 | k->name = match_list(client, server, NULL); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 694 | |
djm@openbsd.org | 9690b78 | 2015-08-21 23:57:48 +0000 | [diff] [blame] | 695 | debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 696 | if (k->name == NULL) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 697 | return SSH_ERR_NO_KEX_ALG_MATCH; |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 698 | if ((kexalg = kex_alg_by_name(k->name)) == NULL) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 699 | return SSH_ERR_INTERNAL_ERROR; |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 700 | k->kex_type = kexalg->type; |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 701 | k->hash_alg = kexalg->hash_alg; |
Damien Miller | ea11119 | 2013-04-23 19:24:32 +1000 | [diff] [blame] | 702 | k->ec_nid = kexalg->ec_nid; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 703 | return 0; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 704 | } |
Damien Miller | 19bb3a5 | 2005-11-05 15:19:35 +1100 | [diff] [blame] | 705 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 706 | static int |
| 707 | choose_hostkeyalg(struct kex *k, char *client, char *server) |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 708 | { |
markus@openbsd.org | 76c9fbb | 2015-12-04 16:41:28 +0000 | [diff] [blame] | 709 | k->hostkey_alg = match_list(client, server, NULL); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 710 | |
djm@openbsd.org | 9690b78 | 2015-08-21 23:57:48 +0000 | [diff] [blame] | 711 | debug("kex: host key algorithm: %s", |
markus@openbsd.org | 76c9fbb | 2015-12-04 16:41:28 +0000 | [diff] [blame] | 712 | k->hostkey_alg ? k->hostkey_alg : "(no match)"); |
| 713 | if (k->hostkey_alg == NULL) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 714 | return SSH_ERR_NO_HOSTKEY_ALG_MATCH; |
markus@openbsd.org | 76c9fbb | 2015-12-04 16:41:28 +0000 | [diff] [blame] | 715 | k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); |
Damien Miller | 0bc1bd8 | 2000-11-13 22:57:25 +1100 | [diff] [blame] | 716 | if (k->hostkey_type == KEY_UNSPEC) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 717 | return SSH_ERR_INTERNAL_ERROR; |
markus@openbsd.org | 76c9fbb | 2015-12-04 16:41:28 +0000 | [diff] [blame] | 718 | k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 719 | return 0; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 720 | } |
| 721 | |
Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 722 | static int |
Damien Miller | babb47a | 2003-02-24 11:53:32 +1100 | [diff] [blame] | 723 | proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) |
| 724 | { |
| 725 | static int check[] = { |
| 726 | PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 |
| 727 | }; |
| 728 | int *idx; |
| 729 | char *p; |
| 730 | |
| 731 | for (idx = &check[0]; *idx != -1; idx++) { |
| 732 | if ((p = strchr(my[*idx], ',')) != NULL) |
| 733 | *p = '\0'; |
| 734 | if ((p = strchr(peer[*idx], ',')) != NULL) |
| 735 | *p = '\0'; |
| 736 | if (strcmp(my[*idx], peer[*idx]) != 0) { |
| 737 | debug2("proposal mismatch: my %s peer %s", |
| 738 | my[*idx], peer[*idx]); |
| 739 | return (0); |
| 740 | } |
| 741 | } |
| 742 | debug2("proposals match"); |
| 743 | return (1); |
| 744 | } |
| 745 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 746 | static int |
| 747 | kex_choose_conf(struct ssh *ssh) |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 748 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 749 | struct kex *kex = ssh->kex; |
| 750 | struct newkeys *newkeys; |
| 751 | char **my = NULL, **peer = NULL; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 752 | char **cprop, **sprop; |
Ben Lindstrom | 2d90e00 | 2001-04-04 02:00:54 +0000 | [diff] [blame] | 753 | int nenc, nmac, ncomp; |
Damien Miller | 76eea4a | 2014-01-26 09:37:25 +1100 | [diff] [blame] | 754 | u_int mode, ctos, need, dh_need, authlen; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 755 | int r, first_kex_follows; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 756 | |
djm@openbsd.org | 9690b78 | 2015-08-21 23:57:48 +0000 | [diff] [blame] | 757 | debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); |
| 758 | if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) |
| 759 | goto out; |
| 760 | debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); |
| 761 | if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 762 | goto out; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 763 | |
Ben Lindstrom | 2d90e00 | 2001-04-04 02:00:54 +0000 | [diff] [blame] | 764 | if (kex->server) { |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 765 | cprop=peer; |
| 766 | sprop=my; |
| 767 | } else { |
| 768 | cprop=my; |
| 769 | sprop=peer; |
| 770 | } |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 771 | |
markus@openbsd.org | 76c9fbb | 2015-12-04 16:41:28 +0000 | [diff] [blame] | 772 | /* Check whether client supports ext_info_c */ |
| 773 | if (kex->server) { |
| 774 | char *ext; |
| 775 | |
| 776 | ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); |
| 777 | if (ext) { |
| 778 | kex->ext_info_c = 1; |
| 779 | free(ext); |
| 780 | } |
| 781 | } |
| 782 | |
Ben Lindstrom | be2cc43 | 2001-04-04 23:46:07 +0000 | [diff] [blame] | 783 | /* Algorithm Negotiation */ |
djm@openbsd.org | 9690b78 | 2015-08-21 23:57:48 +0000 | [diff] [blame] | 784 | if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], |
| 785 | sprop[PROPOSAL_KEX_ALGS])) != 0) { |
| 786 | kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; |
| 787 | peer[PROPOSAL_KEX_ALGS] = NULL; |
| 788 | goto out; |
| 789 | } |
| 790 | if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], |
| 791 | sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { |
| 792 | kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; |
| 793 | peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; |
| 794 | goto out; |
| 795 | } |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 796 | for (mode = 0; mode < MODE_MAX; mode++) { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 797 | if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { |
| 798 | r = SSH_ERR_ALLOC_FAIL; |
| 799 | goto out; |
| 800 | } |
Ben Lindstrom | be2cc43 | 2001-04-04 23:46:07 +0000 | [diff] [blame] | 801 | kex->newkeys[mode] = newkeys; |
Darren Tucker | 0d0d195 | 2007-06-05 18:23:28 +1000 | [diff] [blame] | 802 | ctos = (!kex->server && mode == MODE_OUT) || |
| 803 | (kex->server && mode == MODE_IN); |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 804 | nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; |
| 805 | nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; |
| 806 | ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 807 | if ((r = choose_enc(&newkeys->enc, cprop[nenc], |
djm@openbsd.org | f319912 | 2015-07-29 04:43:06 +0000 | [diff] [blame] | 808 | sprop[nenc])) != 0) { |
| 809 | kex->failed_choice = peer[nenc]; |
| 810 | peer[nenc] = NULL; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 811 | goto out; |
djm@openbsd.org | f319912 | 2015-07-29 04:43:06 +0000 | [diff] [blame] | 812 | } |
Damien Miller | 1d75abf | 2013-01-09 16:12:19 +1100 | [diff] [blame] | 813 | authlen = cipher_authlen(newkeys->enc.cipher); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 814 | /* ignore mac for authenticated encryption */ |
| 815 | if (authlen == 0 && |
| 816 | (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], |
djm@openbsd.org | f319912 | 2015-07-29 04:43:06 +0000 | [diff] [blame] | 817 | sprop[nmac])) != 0) { |
| 818 | kex->failed_choice = peer[nmac]; |
| 819 | peer[nmac] = NULL; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 820 | goto out; |
djm@openbsd.org | f319912 | 2015-07-29 04:43:06 +0000 | [diff] [blame] | 821 | } |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 822 | if ((r = choose_comp(&newkeys->comp, cprop[ncomp], |
djm@openbsd.org | f319912 | 2015-07-29 04:43:06 +0000 | [diff] [blame] | 823 | sprop[ncomp])) != 0) { |
| 824 | kex->failed_choice = peer[ncomp]; |
| 825 | peer[ncomp] = NULL; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 826 | goto out; |
djm@openbsd.org | f319912 | 2015-07-29 04:43:06 +0000 | [diff] [blame] | 827 | } |
djm@openbsd.org | 9690b78 | 2015-08-21 23:57:48 +0000 | [diff] [blame] | 828 | debug("kex: %s cipher: %s MAC: %s compression: %s", |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 829 | ctos ? "client->server" : "server->client", |
Ben Lindstrom | 2d90e00 | 2001-04-04 02:00:54 +0000 | [diff] [blame] | 830 | newkeys->enc.name, |
Damien Miller | 1d75abf | 2013-01-09 16:12:19 +1100 | [diff] [blame] | 831 | authlen == 0 ? newkeys->mac.name : "<implicit>", |
Ben Lindstrom | 2d90e00 | 2001-04-04 02:00:54 +0000 | [diff] [blame] | 832 | newkeys->comp.name); |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 833 | } |
Damien Miller | 76eea4a | 2014-01-26 09:37:25 +1100 | [diff] [blame] | 834 | need = dh_need = 0; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 835 | for (mode = 0; mode < MODE_MAX; mode++) { |
Ben Lindstrom | be2cc43 | 2001-04-04 23:46:07 +0000 | [diff] [blame] | 836 | newkeys = kex->newkeys[mode]; |
Damien Miller | a92ac74 | 2014-01-26 09:38:03 +1100 | [diff] [blame] | 837 | need = MAX(need, newkeys->enc.key_len); |
| 838 | need = MAX(need, newkeys->enc.block_size); |
| 839 | need = MAX(need, newkeys->enc.iv_len); |
| 840 | need = MAX(need, newkeys->mac.key_len); |
| 841 | dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher)); |
| 842 | dh_need = MAX(dh_need, newkeys->enc.block_size); |
| 843 | dh_need = MAX(dh_need, newkeys->enc.iv_len); |
| 844 | dh_need = MAX(dh_need, newkeys->mac.key_len); |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 845 | } |
Damien Miller | b1715dc | 2000-05-30 13:44:51 +1000 | [diff] [blame] | 846 | /* XXX need runden? */ |
Ben Lindstrom | 2d90e00 | 2001-04-04 02:00:54 +0000 | [diff] [blame] | 847 | kex->we_need = need; |
Damien Miller | 76eea4a | 2014-01-26 09:37:25 +1100 | [diff] [blame] | 848 | kex->dh_need = dh_need; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 849 | |
Damien Miller | babb47a | 2003-02-24 11:53:32 +1100 | [diff] [blame] | 850 | /* ignore the next message if the proposals do not match */ |
Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 851 | if (first_kex_follows && !proposals_match(my, peer) && |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 852 | !(ssh->compat & SSH_BUG_FIRSTKEX)) |
| 853 | ssh->dispatch_skip_packets = 1; |
| 854 | r = 0; |
| 855 | out: |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 856 | kex_prop_free(my); |
| 857 | kex_prop_free(peer); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 858 | return r; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 859 | } |
| 860 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 861 | static int |
| 862 | derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, |
| 863 | const struct sshbuf *shared_secret, u_char **keyp) |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 864 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 865 | struct kex *kex = ssh->kex; |
| 866 | struct ssh_digest_ctx *hashctx = NULL; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 867 | char c = id; |
Damien Miller | eccb9de | 2005-06-17 12:59:34 +1000 | [diff] [blame] | 868 | u_int have; |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 869 | size_t mdsz; |
Damien Miller | eccb9de | 2005-06-17 12:59:34 +1000 | [diff] [blame] | 870 | u_char *digest; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 871 | int r; |
Damien Miller | 46d38de | 2005-07-17 17:02:09 +1000 | [diff] [blame] | 872 | |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 873 | if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 874 | return SSH_ERR_INVALID_ARGUMENT; |
| 875 | if ((digest = calloc(1, roundup(need, mdsz))) == NULL) { |
| 876 | r = SSH_ERR_ALLOC_FAIL; |
| 877 | goto out; |
| 878 | } |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 879 | |
Ben Lindstrom | be2cc43 | 2001-04-04 23:46:07 +0000 | [diff] [blame] | 880 | /* K1 = HASH(K || H || "A" || session_id) */ |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 881 | if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || |
| 882 | ssh_digest_update_buffer(hashctx, shared_secret) != 0 || |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 883 | ssh_digest_update(hashctx, hash, hashlen) != 0 || |
| 884 | ssh_digest_update(hashctx, &c, 1) != 0 || |
| 885 | ssh_digest_update(hashctx, kex->session_id, |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 886 | kex->session_id_len) != 0 || |
| 887 | ssh_digest_final(hashctx, digest, mdsz) != 0) { |
| 888 | r = SSH_ERR_LIBCRYPTO_ERROR; |
| 889 | goto out; |
| 890 | } |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 891 | ssh_digest_free(hashctx); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 892 | hashctx = NULL; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 893 | |
Ben Lindstrom | be2cc43 | 2001-04-04 23:46:07 +0000 | [diff] [blame] | 894 | /* |
| 895 | * expand key: |
| 896 | * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) |
| 897 | * Key = K1 || K2 || ... || Kn |
| 898 | */ |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 899 | for (have = mdsz; need > have; have += mdsz) { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 900 | if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || |
| 901 | ssh_digest_update_buffer(hashctx, shared_secret) != 0 || |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 902 | ssh_digest_update(hashctx, hash, hashlen) != 0 || |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 903 | ssh_digest_update(hashctx, digest, have) != 0 || |
| 904 | ssh_digest_final(hashctx, digest + have, mdsz) != 0) { |
| 905 | r = SSH_ERR_LIBCRYPTO_ERROR; |
| 906 | goto out; |
| 907 | } |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 908 | ssh_digest_free(hashctx); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 909 | hashctx = NULL; |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 910 | } |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 911 | #ifdef DEBUG_KEX |
| 912 | fprintf(stderr, "key '%c'== ", c); |
| 913 | dump_digest("key", digest, need); |
| 914 | #endif |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 915 | *keyp = digest; |
| 916 | digest = NULL; |
| 917 | r = 0; |
| 918 | out: |
mmcc@openbsd.org | d59ce08 | 2015-12-10 17:08:40 +0000 | [diff] [blame] | 919 | free(digest); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 920 | ssh_digest_free(hashctx); |
| 921 | return r; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 922 | } |
| 923 | |
Ben Lindstrom | b9be60a | 2001-03-11 01:49:19 +0000 | [diff] [blame] | 924 | #define NKEYS 6 |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 925 | int |
| 926 | kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen, |
| 927 | const struct sshbuf *shared_secret) |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 928 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 929 | struct kex *kex = ssh->kex; |
Ben Lindstrom | 46c1622 | 2000-12-22 01:43:59 +0000 | [diff] [blame] | 930 | u_char *keys[NKEYS]; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 931 | u_int i, j, mode, ctos; |
| 932 | int r; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 933 | |
Damien Miller | 19bb3a5 | 2005-11-05 15:19:35 +1100 | [diff] [blame] | 934 | for (i = 0; i < NKEYS; i++) { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 935 | if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, |
| 936 | shared_secret, &keys[i])) != 0) { |
| 937 | for (j = 0; j < i; j++) |
| 938 | free(keys[j]); |
| 939 | return r; |
| 940 | } |
Damien Miller | 19bb3a5 | 2005-11-05 15:19:35 +1100 | [diff] [blame] | 941 | } |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 942 | for (mode = 0; mode < MODE_MAX; mode++) { |
Damien Miller | 4f7becb | 2006-03-26 14:10:14 +1100 | [diff] [blame] | 943 | ctos = (!kex->server && mode == MODE_OUT) || |
| 944 | (kex->server && mode == MODE_IN); |
markus@openbsd.org | 091c302 | 2015-01-19 19:52:16 +0000 | [diff] [blame] | 945 | kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1]; |
| 946 | kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3]; |
| 947 | kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5]; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 948 | } |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 949 | return 0; |
Damien Miller | a664e87 | 2000-04-16 11:52:47 +1000 | [diff] [blame] | 950 | } |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 951 | |
Damien Miller | 1f0311c | 2014-05-15 14:24:09 +1000 | [diff] [blame] | 952 | #ifdef WITH_OPENSSL |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 953 | int |
| 954 | kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen, |
| 955 | const BIGNUM *secret) |
Damien Miller | 91b580e | 2014-01-12 19:21:22 +1100 | [diff] [blame] | 956 | { |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 957 | struct sshbuf *shared_secret; |
| 958 | int r; |
Damien Miller | 91b580e | 2014-01-12 19:21:22 +1100 | [diff] [blame] | 959 | |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 960 | if ((shared_secret = sshbuf_new()) == NULL) |
| 961 | return SSH_ERR_ALLOC_FAIL; |
| 962 | if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0) |
| 963 | r = kex_derive_keys(ssh, hash, hashlen, shared_secret); |
| 964 | sshbuf_free(shared_secret); |
| 965 | return r; |
Damien Miller | 91b580e | 2014-01-12 19:21:22 +1100 | [diff] [blame] | 966 | } |
Damien Miller | 1f0311c | 2014-05-15 14:24:09 +1000 | [diff] [blame] | 967 | #endif |
Damien Miller | 91b580e | 2014-01-12 19:21:22 +1100 | [diff] [blame] | 968 | |
Damien Miller | 1f0311c | 2014-05-15 14:24:09 +1000 | [diff] [blame] | 969 | #ifdef WITH_SSH1 |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 970 | int |
Darren Tucker | e14e005 | 2004-05-13 16:30:44 +1000 | [diff] [blame] | 971 | derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, |
| 972 | u_int8_t cookie[8], u_int8_t id[16]) |
| 973 | { |
djm@openbsd.org | 25f5f78 | 2015-01-30 00:22:25 +0000 | [diff] [blame] | 974 | u_int8_t hbuf[2048], sbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH]; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 975 | struct ssh_digest_ctx *hashctx = NULL; |
djm@openbsd.org | 25f5f78 | 2015-01-30 00:22:25 +0000 | [diff] [blame] | 976 | size_t hlen, slen; |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 977 | int r; |
Darren Tucker | e14e005 | 2004-05-13 16:30:44 +1000 | [diff] [blame] | 978 | |
djm@openbsd.org | 25f5f78 | 2015-01-30 00:22:25 +0000 | [diff] [blame] | 979 | hlen = BN_num_bytes(host_modulus); |
| 980 | slen = BN_num_bytes(server_modulus); |
| 981 | if (hlen < (512 / 8) || (u_int)hlen > sizeof(hbuf) || |
| 982 | slen < (512 / 8) || (u_int)slen > sizeof(sbuf)) |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 983 | return SSH_ERR_KEY_BITS_MISMATCH; |
djm@openbsd.org | 25f5f78 | 2015-01-30 00:22:25 +0000 | [diff] [blame] | 984 | if (BN_bn2bin(host_modulus, hbuf) <= 0 || |
| 985 | BN_bn2bin(server_modulus, sbuf) <= 0) { |
| 986 | r = SSH_ERR_LIBCRYPTO_ERROR; |
| 987 | goto out; |
| 988 | } |
| 989 | if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) { |
| 990 | r = SSH_ERR_ALLOC_FAIL; |
| 991 | goto out; |
| 992 | } |
| 993 | if (ssh_digest_update(hashctx, hbuf, hlen) != 0 || |
| 994 | ssh_digest_update(hashctx, sbuf, slen) != 0 || |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 995 | ssh_digest_update(hashctx, cookie, 8) != 0 || |
| 996 | ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) { |
| 997 | r = SSH_ERR_LIBCRYPTO_ERROR; |
| 998 | goto out; |
| 999 | } |
Damien Miller | b3051d0 | 2014-01-10 10:58:53 +1100 | [diff] [blame] | 1000 | memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5)); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 1001 | r = 0; |
| 1002 | out: |
| 1003 | ssh_digest_free(hashctx); |
djm@openbsd.org | 25f5f78 | 2015-01-30 00:22:25 +0000 | [diff] [blame] | 1004 | explicit_bzero(hbuf, sizeof(hbuf)); |
| 1005 | explicit_bzero(sbuf, sizeof(sbuf)); |
Damien Miller | a5103f4 | 2014-02-04 11:20:14 +1100 | [diff] [blame] | 1006 | explicit_bzero(obuf, sizeof(obuf)); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 1007 | return r; |
Darren Tucker | e14e005 | 2004-05-13 16:30:44 +1000 | [diff] [blame] | 1008 | } |
Damien Miller | 1f0311c | 2014-05-15 14:24:09 +1000 | [diff] [blame] | 1009 | #endif |
Darren Tucker | e14e005 | 2004-05-13 16:30:44 +1000 | [diff] [blame] | 1010 | |
Damien Miller | eb8b60e | 2010-08-31 22:41:14 +1000 | [diff] [blame] | 1011 | #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 1012 | void |
| 1013 | dump_digest(char *msg, u_char *digest, int len) |
| 1014 | { |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 1015 | fprintf(stderr, "%s\n", msg); |
markus@openbsd.org | 57d10cb | 2015-01-19 20:16:15 +0000 | [diff] [blame] | 1016 | sshbuf_dump_data(digest, len, stderr); |
Ben Lindstrom | 20d7c7b | 2001-04-04 01:56:17 +0000 | [diff] [blame] | 1017 | } |
| 1018 | #endif |