Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / c71be375a69af00c2d0a0c24d8752bec12d8fd1b / . / kex.c
blob: d8793b91959d1cd8ffc9934909d5f7051db0b279 [file] [log] [blame]
djm@openbsd.org179c3532015-10-13 00:21:27 +0000[diff] [blame]1/* $OpenBSD: kex.c,v 1.111 2015/10/13 00:21:27 djm Exp $ */
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]2/*
Ben Lindstrom44697232001-07-04 03:32:30 +0000[diff] [blame]3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "includes.h"
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]27
deraadt@openbsd.org087266e2015-01-20 23:14:00 +0000[diff] [blame]28#include <sys/param.h> /* MAX roundup */
Damien Miller8dbffe72006-08-05 11:02:17 +1000[diff] [blame]29
Damien Millerd7834352006-08-05 12:39:39 +1000[diff] [blame]30#include <signal.h>
Damien Millerded319c2006-09-01 15:38:36 +1000[diff] [blame]31#include <stdarg.h>
Damien Millera7a73ee2006-08-05 11:37:59 +1000[diff] [blame]32#include <stdio.h>
Damien Millere7a1e5c2006-08-05 11:34:19 +1000[diff] [blame]33#include <stdlib.h>
Damien Millere3476ed2006-07-24 14:13:33 +1000[diff] [blame]34#include <string.h>
35
Damien Miller1f0311c2014-05-15 14:24:09 +1000[diff] [blame]36#ifdef WITH_OPENSSL
Damien Millerd7834352006-08-05 12:39:39 +1000[diff] [blame]37#include <openssl/crypto.h>
Damien Miller1f0311c2014-05-15 14:24:09 +1000[diff] [blame]38#endif
Damien Millerd7834352006-08-05 12:39:39 +1000[diff] [blame]39
Damien Millerd7834352006-08-05 12:39:39 +1000[diff] [blame]40#include "ssh2.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]41#include "packet.h"
42#include "compat.h"
43#include "cipher.h"
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]44#include "sshkey.h"
Damien Millerd7834352006-08-05 12:39:39 +1000[diff] [blame]45#include "kex.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]46#include "log.h"
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000[diff] [blame]47#include "mac.h"
Ben Lindstromb9be60a2001-03-11 01:49:19 +0000[diff] [blame]48#include "match.h"
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]49#include "misc.h"
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]50#include "dispatch.h"
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000[diff] [blame]51#include "monitor.h"
Darren Tucker36331b52010-01-08 16:50:41 +1100[diff] [blame]52#include "roaming.h"
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]53
54#include "ssherr.h"
55#include "sshbuf.h"
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]56#include "digest.h"
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]57
Damien Millerb3092032006-03-16 18:22:18 +1100[diff] [blame]58#if OPENSSL_VERSION_NUMBER >= 0x00907000L
59# if defined(HAVE_EVP_SHA256)
Damien Milleraf87af12006-03-15 13:02:28 +1100[diff] [blame]60# define evp_ssh_sha256 EVP_sha256
Damien Millerb3092032006-03-16 18:22:18 +1100[diff] [blame]61# else
Damien Millera63128d2006-03-15 12:08:28 +1100[diff] [blame]62extern const EVP_MD *evp_ssh_sha256(void);
Damien Millerb3092032006-03-16 18:22:18 +1100[diff] [blame]63# endif
Tim Rice425a6882006-03-15 20:17:05 -0800[diff] [blame]64#endif
Damien Millera63128d2006-03-15 12:08:28 +1100[diff] [blame]65
Ben Lindstrombba81212001-06-25 05:01:22 +0000[diff] [blame]66/* prototype */
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]67static int kex_choose_conf(struct ssh *);
68static int kex_input_newkeys(int, u_int32_t, void *);
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]69
djm@openbsd.org9690b782015-08-21 23:57:48 +0000[diff] [blame]70static const char *proposal_names[PROPOSAL_MAX] = {
71 "KEX algorithms",
72 "host key algorithms",
73 "ciphers ctos",
74 "ciphers stoc",
75 "MACs ctos",
76 "MACs stoc",
77 "compression ctos",
78 "compression stoc",
79 "languages ctos",
80 "languages stoc",
81};
82
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]83struct kexalg {
84 char *name;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]85 u_int type;
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]86 int ec_nid;
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]87 int hash_alg;
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]88};
89static const struct kexalg kexalgs[] = {
Damien Miller1f0311c2014-05-15 14:24:09 +1000[diff] [blame]90#ifdef WITH_OPENSSL
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]91 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
92 { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
93 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
Darren Tuckera75d2472013-05-10 18:11:55 +1000[diff] [blame]94#ifdef HAVE_EVP_SHA256
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]95 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
Damien Miller1f0311c2014-05-15 14:24:09 +1000[diff] [blame]96#endif /* HAVE_EVP_SHA256 */
Darren Tuckera75d2472013-05-10 18:11:55 +1000[diff] [blame]97#ifdef OPENSSL_HAS_ECC
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]98 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
99 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
100 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
101 SSH_DIGEST_SHA384 },
Darren Tucker37bcef52013-11-09 18:39:25 +1100[diff] [blame]102# ifdef OPENSSL_HAS_NISTP521
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]103 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
104 SSH_DIGEST_SHA512 },
Damien Miller1f0311c2014-05-15 14:24:09 +1000[diff] [blame]105# endif /* OPENSSL_HAS_NISTP521 */
106#endif /* OPENSSL_HAS_ECC */
Damien Miller1f0311c2014-05-15 14:24:09 +1000[diff] [blame]107#endif /* WITH_OPENSSL */
Damien Miller72ef7c12015-01-15 02:21:31 +1100[diff] [blame]108#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]109 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
Damien Miller72ef7c12015-01-15 02:21:31 +1100[diff] [blame]110#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]111 { NULL, -1, -1, -1},
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]112};
113
114char *
Damien Miller690d9892013-11-08 12:16:49 +1100[diff] [blame]115kex_alg_list(char sep)
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]116{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]117 char *ret = NULL, *tmp;
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]118 size_t nlen, rlen = 0;
119 const struct kexalg *k;
120
121 for (k = kexalgs; k->name != NULL; k++) {
122 if (ret != NULL)
Damien Miller690d9892013-11-08 12:16:49 +1100[diff] [blame]123 ret[rlen++] = sep;
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]124 nlen = strlen(k->name);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]125 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
126 free(ret);
127 return NULL;
128 }
129 ret = tmp;
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]130 memcpy(ret + rlen, k->name, nlen + 1);
131 rlen += nlen;
132 }
133 return ret;
134}
135
136static const struct kexalg *
137kex_alg_by_name(const char *name)
138{
139 const struct kexalg *k;
140
141 for (k = kexalgs; k->name != NULL; k++) {
142 if (strcmp(k->name, name) == 0)
143 return k;
144 }
145 return NULL;
146}
147
Damien Millerd5f62bf2010-09-24 22:11:14 +1000[diff] [blame]148/* Validate KEX method name list */
149int
150kex_names_valid(const char *names)
151{
152 char *s, *cp, *p;
153
154 if (names == NULL || strcmp(names, "") == 0)
155 return 0;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]156 if ((s = cp = strdup(names)) == NULL)
157 return 0;
Damien Millerd5f62bf2010-09-24 22:11:14 +1000[diff] [blame]158 for ((p = strsep(&cp, ",")); p && *p != '\0';
159 (p = strsep(&cp, ","))) {
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]160 if (kex_alg_by_name(p) == NULL) {
Damien Millerd5f62bf2010-09-24 22:11:14 +1000[diff] [blame]161 error("Unsupported KEX algorithm \"%.100s\"", p);
Darren Tuckera627d422013-06-02 07:31:17 +1000[diff] [blame]162 free(s);
Damien Millerd5f62bf2010-09-24 22:11:14 +1000[diff] [blame]163 return 0;
164 }
165 }
166 debug3("kex names ok: [%s]", names);
Darren Tuckera627d422013-06-02 07:31:17 +1000[diff] [blame]167 free(s);
Damien Millerd5f62bf2010-09-24 22:11:14 +1000[diff] [blame]168 return 1;
169}
170
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000[diff] [blame]171/*
172 * Concatenate algorithm names, avoiding duplicates in the process.
173 * Caller must free returned string.
174 */
175char *
176kex_names_cat(const char *a, const char *b)
177{
178 char *ret = NULL, *tmp = NULL, *cp, *p;
179 size_t len;
180
181 if (a == NULL || *a == '\0')
182 return NULL;
183 if (b == NULL || *b == '\0')
184 return strdup(a);
185 if (strlen(b) > 1024*1024)
186 return NULL;
187 len = strlen(a) + strlen(b) + 2;
188 if ((tmp = cp = strdup(b)) == NULL ||
189 (ret = calloc(1, len)) == NULL) {
190 free(tmp);
191 return NULL;
192 }
193 strlcpy(ret, a, len);
194 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
195 if (match_list(ret, p, NULL) != NULL)
196 continue; /* Algorithm already present */
197 if (strlcat(ret, ",", len) >= len ||
198 strlcat(ret, p, len) >= len) {
199 free(tmp);
200 free(ret);
201 return NULL; /* Shouldn't happen */
202 }
203 }
204 free(tmp);
205 return ret;
206}
207
208/*
209 * Assemble a list of algorithms from a default list and a string from a
210 * configuration file. The user-provided string may begin with '+' to
211 * indicate that it should be appended to the default.
212 */
213int
214kex_assemble_names(const char *def, char **list)
215{
216 char *ret;
217
218 if (list == NULL || *list == NULL || **list == '\0') {
219 *list = strdup(def);
220 return 0;
221 }
222 if (**list != '+') {
223 return 0;
224 }
225
226 if ((ret = kex_names_cat(def, *list + 1)) == NULL)
227 return SSH_ERR_ALLOC_FAIL;
228 free(*list);
229 *list = ret;
230 return 0;
231}
232
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]233/* put algorithm proposal into buffer */
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]234int
235kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]236{
Damien Millereccb9de2005-06-17 12:59:34 +1000[diff] [blame]237 u_int i;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]238 int r;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]239
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]240 sshbuf_reset(b);
241
Ben Lindstrom59971722002-03-27 17:42:57 +0000[diff] [blame]242 /*
243 * add a dummy cookie, the cookie will be overwritten by
244 * kex_send_kexinit(), each time a kexinit is set
245 */
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]246 for (i = 0; i < KEX_COOKIE_LEN; i++) {
247 if ((r = sshbuf_put_u8(b, 0)) != 0)
248 return r;
249 }
250 for (i = 0; i < PROPOSAL_MAX; i++) {
251 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
252 return r;
253 }
254 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */
255 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */
256 return r;
257 return 0;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]258}
259
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]260/* parse buffer and return algorithm proposal */
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]261int
262kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
Damien Millerb1715dc2000-05-30 13:44:51 +1000[diff] [blame]263{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]264 struct sshbuf *b = NULL;
265 u_char v;
Darren Tucker0d0d1952007-06-05 18:23:28 +1000[diff] [blame]266 u_int i;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]267 char **proposal = NULL;
268 int r;
Damien Millerb1715dc2000-05-30 13:44:51 +1000[diff] [blame]269
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]270 *propp = NULL;
271 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
272 return SSH_ERR_ALLOC_FAIL;
273 if ((b = sshbuf_fromb(raw)) == NULL) {
274 r = SSH_ERR_ALLOC_FAIL;
275 goto out;
276 }
277 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */
278 goto out;
Damien Millerb1715dc2000-05-30 13:44:51 +1000[diff] [blame]279 /* extract kex init proposal strings */
280 for (i = 0; i < PROPOSAL_MAX; i++) {
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]281 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0)
282 goto out;
djm@openbsd.org9690b782015-08-21 23:57:48 +0000[diff] [blame]283 debug2("%s: %s", proposal_names[i], proposal[i]);
Damien Millerb1715dc2000-05-30 13:44:51 +1000[diff] [blame]284 }
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]285 /* first kex follows / reserved */
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]286 if ((r = sshbuf_get_u8(b, &v)) != 0 ||
287 (r = sshbuf_get_u32(b, &i)) != 0)
288 goto out;
Damien Millerbabb47a2003-02-24 11:53:32 +1100[diff] [blame]289 if (first_kex_follows != NULL)
290 *first_kex_follows = i;
djm@openbsd.org9690b782015-08-21 23:57:48 +0000[diff] [blame]291 debug2("first_kex_follows %d ", v);
292 debug2("reserved %u ", i);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]293 r = 0;
294 *propp = proposal;
295 out:
296 if (r != 0 && proposal != NULL)
297 kex_prop_free(proposal);
298 sshbuf_free(b);
299 return r;
Damien Millerb1715dc2000-05-30 13:44:51 +1000[diff] [blame]300}
301
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]302void
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]303kex_prop_free(char **proposal)
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]304{
Damien Millereccb9de2005-06-17 12:59:34 +1000[diff] [blame]305 u_int i;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]306
djm@openbsd.org44a8e7c2015-04-17 13:25:52 +0000[diff] [blame]307 if (proposal == NULL)
308 return;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]309 for (i = 0; i < PROPOSAL_MAX; i++)
Darren Tuckera627d422013-06-02 07:31:17 +1000[diff] [blame]310 free(proposal[i]);
311 free(proposal);
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]312}
313
Darren Tucker0d0d1952007-06-05 18:23:28 +1000[diff] [blame]314/* ARGSUSED */
markus@openbsd.org3fdc88a2015-01-19 20:07:45 +0000[diff] [blame]315static int
Damien Miller630d6f42002-01-22 23:17:30 +1100[diff] [blame]316kex_protocol_error(int type, u_int32_t seq, void *ctxt)
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]317{
Damien Miller630d6f42002-01-22 23:17:30 +1100[diff] [blame]318 error("Hm, kex protocol error: type %d seq %u", type, seq);
markus@openbsd.org3fdc88a2015-01-19 20:07:45 +0000[diff] [blame]319 return 0;
Damien Miller874d77b2000-10-14 16:23:11 +1100[diff] [blame]320}
321
Ben Lindstrombba81212001-06-25 05:01:22 +0000[diff] [blame]322static void
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]323kex_reset_dispatch(struct ssh *ssh)
Ben Lindstrom8ac91062001-04-04 17:57:54 +0000[diff] [blame]324{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]325 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
Damien Miller7d053392002-01-22 23:24:13 +1100[diff] [blame]326 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]327 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
Ben Lindstrom8ac91062001-04-04 17:57:54 +0000[diff] [blame]328}
329
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]330int
331kex_send_newkeys(struct ssh *ssh)
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]332{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]333 int r;
Ben Lindstrom238abf62001-04-04 17:52:53 +0000[diff] [blame]334
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]335 kex_reset_dispatch(ssh);
336 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
337 (r = sshpkt_send(ssh)) != 0)
338 return r;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]339 debug("SSH2_MSG_NEWKEYS sent");
Ben Lindstrom064496f2002-12-23 02:04:22 +0000[diff] [blame]340 debug("expecting SSH2_MSG_NEWKEYS");
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]341 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
342 return 0;
343}
Ben Lindstrom5ba23b32001-04-05 02:05:21 +0000[diff] [blame]344
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]345static int
346kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
347{
348 struct ssh *ssh = ctxt;
349 struct kex *kex = ssh->kex;
350 int r;
351
352 debug("SSH2_MSG_NEWKEYS received");
353 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
354 if ((r = sshpkt_get_end(ssh)) != 0)
355 return r;
Ben Lindstrombe2cc432001-04-04 23:46:07 +0000[diff] [blame]356 kex->done = 1;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]357 sshbuf_reset(kex->peer);
358 /* sshbuf_reset(kex->my); */
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]359 kex->flags &= ~KEX_INIT_SENT;
Darren Tuckera627d422013-06-02 07:31:17 +1000[diff] [blame]360 free(kex->name);
Ben Lindstrom5ba23b32001-04-05 02:05:21 +0000[diff] [blame]361 kex->name = NULL;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]362 return 0;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]363}
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]364
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]365int
366kex_send_kexinit(struct ssh *ssh)
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]367{
Ben Lindstrom59971722002-03-27 17:42:57 +0000[diff] [blame]368 u_char *cookie;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]369 struct kex *kex = ssh->kex;
370 int r;
Ben Lindstrom59971722002-03-27 17:42:57 +0000[diff] [blame]371
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]372 if (kex == NULL)
373 return SSH_ERR_INTERNAL_ERROR;
374 if (kex->flags & KEX_INIT_SENT)
375 return 0;
Ben Lindstrombe2cc432001-04-04 23:46:07 +0000[diff] [blame]376 kex->done = 0;
Ben Lindstrom59971722002-03-27 17:42:57 +0000[diff] [blame]377
378 /* generate a random cookie */
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]379 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN)
380 return SSH_ERR_INVALID_FORMAT;
381 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL)
382 return SSH_ERR_INTERNAL_ERROR;
383 arc4random_buf(cookie, KEX_COOKIE_LEN);
384
385 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
386 (r = sshpkt_putb(ssh, kex->my)) != 0 ||
387 (r = sshpkt_send(ssh)) != 0)
388 return r;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]389 debug("SSH2_MSG_KEXINIT sent");
390 kex->flags |= KEX_INIT_SENT;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]391 return 0;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]392}
393
Darren Tucker0d0d1952007-06-05 18:23:28 +1000[diff] [blame]394/* ARGSUSED */
markus@openbsd.org3fdc88a2015-01-19 20:07:45 +0000[diff] [blame]395int
Damien Miller630d6f42002-01-22 23:17:30 +1100[diff] [blame]396kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]397{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]398 struct ssh *ssh = ctxt;
399 struct kex *kex = ssh->kex;
400 const u_char *ptr;
markus@openbsd.org091c3022015-01-19 19:52:16 +0000[diff] [blame]401 u_int i;
402 size_t dlen;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]403 int r;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]404
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]405 debug("SSH2_MSG_KEXINIT received");
Ben Lindstrom8ac91062001-04-04 17:57:54 +0000[diff] [blame]406 if (kex == NULL)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]407 return SSH_ERR_INVALID_ARGUMENT;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]408
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]409 ptr = sshpkt_ptr(ssh, &dlen);
410 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
411 return r;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]412
Ben Lindstrom8e312f32001-04-04 23:50:21 +0000[diff] [blame]413 /* discard packet */
414 for (i = 0; i < KEX_COOKIE_LEN; i++)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]415 if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
416 return r;
Ben Lindstrom8e312f32001-04-04 23:50:21 +0000[diff] [blame]417 for (i = 0; i < PROPOSAL_MAX; i++)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]418 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0)
419 return r;
Darren Tuckerae608bd2012-09-06 21:19:51 +1000[diff] [blame]420 /*
421 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
422 * KEX method has the server move first, but a server might be using
423 * a custom method or one that we otherwise don't support. We should
424 * be prepared to remember first_kex_follows here so we can eat a
425 * packet later.
426 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
427 * for cases where the server *doesn't* go first. I guess we should
428 * ignore it when it is set for these cases, which is what we do now.
429 */
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]430 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */
431 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */
432 (r = sshpkt_get_end(ssh)) != 0)
433 return r;
Ben Lindstrom8e312f32001-04-04 23:50:21 +0000[diff] [blame]434
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]435 if (!(kex->flags & KEX_INIT_SENT))
436 if ((r = kex_send_kexinit(ssh)) != 0)
437 return r;
438 if ((r = kex_choose_conf(ssh)) != 0)
439 return r;
440
441 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
442 return (kex->kex[kex->kex_type])(ssh);
443
444 return SSH_ERR_INTERNAL_ERROR;
445}
446
447int
448kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp)
449{
450 struct kex *kex;
451 int r;
452
453 *kexp = NULL;
454 if ((kex = calloc(1, sizeof(*kex))) == NULL)
455 return SSH_ERR_ALLOC_FAIL;
456 if ((kex->peer = sshbuf_new()) == NULL ||
457 (kex->my = sshbuf_new()) == NULL) {
458 r = SSH_ERR_ALLOC_FAIL;
459 goto out;
460 }
461 if ((r = kex_prop2buf(kex->my, proposal)) != 0)
462 goto out;
463 kex->done = 0;
464 kex_reset_dispatch(ssh);
465 r = 0;
466 *kexp = kex;
467 out:
468 if (r != 0)
469 kex_free(kex);
470 return r;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]471}
472
markus@openbsd.org091c3022015-01-19 19:52:16 +0000[diff] [blame]473void
474kex_free_newkeys(struct newkeys *newkeys)
475{
476 if (newkeys == NULL)
477 return;
478 if (newkeys->enc.key) {
479 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
480 free(newkeys->enc.key);
481 newkeys->enc.key = NULL;
482 }
483 if (newkeys->enc.iv) {
djm@openbsd.org179c3532015-10-13 00:21:27 +0000[diff] [blame]484 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
markus@openbsd.org091c3022015-01-19 19:52:16 +0000[diff] [blame]485 free(newkeys->enc.iv);
486 newkeys->enc.iv = NULL;
487 }
488 free(newkeys->enc.name);
489 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
490 free(newkeys->comp.name);
491 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
492 mac_clear(&newkeys->mac);
493 if (newkeys->mac.key) {
494 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
495 free(newkeys->mac.key);
496 newkeys->mac.key = NULL;
497 }
498 free(newkeys->mac.name);
499 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
500 explicit_bzero(newkeys, sizeof(*newkeys));
501 free(newkeys);
502}
503
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]504void
505kex_free(struct kex *kex)
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]506{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]507 u_int mode;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]508
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]509#ifdef WITH_OPENSSL
510 if (kex->dh)
511 DH_free(kex->dh);
Damien Miller4df590c2015-03-11 10:02:39 +1100[diff] [blame]512#ifdef OPENSSL_HAS_ECC
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]513 if (kex->ec_client_key)
514 EC_KEY_free(kex->ec_client_key);
Damien Miller4df590c2015-03-11 10:02:39 +1100[diff] [blame]515#endif /* OPENSSL_HAS_ECC */
516#endif /* WITH_OPENSSL */
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]517 for (mode = 0; mode < MODE_MAX; mode++) {
518 kex_free_newkeys(kex->newkeys[mode]);
519 kex->newkeys[mode] = NULL;
markus@openbsd.org091c3022015-01-19 19:52:16 +0000[diff] [blame]520 }
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]521 sshbuf_free(kex->peer);
522 sshbuf_free(kex->my);
523 free(kex->session_id);
524 free(kex->client_version_string);
525 free(kex->server_version_string);
djm@openbsd.orgf3199122015-07-29 04:43:06 +0000[diff] [blame]526 free(kex->failed_choice);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]527 free(kex);
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]528}
529
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]530int
531kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]532{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]533 int r;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]534
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]535 if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0)
536 return r;
537 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */
538 kex_free(ssh->kex);
539 ssh->kex = NULL;
540 return r;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]541 }
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]542 return 0;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]543}
544
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]545static int
546choose_enc(struct sshenc *enc, char *client, char *server)
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]547{
Ben Lindstromb9be60a2001-03-11 01:49:19 +0000[diff] [blame]548 char *name = match_list(client, server, NULL);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]549
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]550 if (name == NULL)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]551 return SSH_ERR_NO_CIPHER_ALG_MATCH;
Damien Miller963f6b22002-02-19 15:21:23 +1100[diff] [blame]552 if ((enc->cipher = cipher_by_name(name)) == NULL)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]553 return SSH_ERR_INTERNAL_ERROR;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]554 enc->name = name;
555 enc->enabled = 0;
556 enc->iv = NULL;
Damien Miller1d75abf2013-01-09 16:12:19 +1100[diff] [blame]557 enc->iv_len = cipher_ivlen(enc->cipher);
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]558 enc->key = NULL;
Damien Miller963f6b22002-02-19 15:21:23 +1100[diff] [blame]559 enc->key_len = cipher_keylen(enc->cipher);
560 enc->block_size = cipher_blocksize(enc->cipher);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]561 return 0;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]562}
Damien Miller4f7becb2006-03-26 14:10:14 +1100[diff] [blame]563
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]564static int
565choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]566{
Ben Lindstromb9be60a2001-03-11 01:49:19 +0000[diff] [blame]567 char *name = match_list(client, server, NULL);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]568
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]569 if (name == NULL)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]570 return SSH_ERR_NO_MAC_ALG_MATCH;
Darren Tucker5f3d5be2007-06-05 18:30:18 +1000[diff] [blame]571 if (mac_setup(mac, name) < 0)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]572 return SSH_ERR_INTERNAL_ERROR;
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000[diff] [blame]573 /* truncate the key */
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]574 if (ssh->compat & SSH_BUG_HMAC)
Ben Lindstrom06b33aa2001-02-15 03:01:59 +0000[diff] [blame]575 mac->key_len = 16;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]576 mac->name = name;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]577 mac->key = NULL;
578 mac->enabled = 0;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]579 return 0;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]580}
Damien Miller4f7becb2006-03-26 14:10:14 +1100[diff] [blame]581
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]582static int
583choose_comp(struct sshcomp *comp, char *client, char *server)
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]584{
Ben Lindstromb9be60a2001-03-11 01:49:19 +0000[diff] [blame]585 char *name = match_list(client, server, NULL);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]586
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]587 if (name == NULL)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]588 return SSH_ERR_NO_COMPRESS_ALG_MATCH;
Damien Miller9786e6e2005-07-26 21:54:56 +1000[diff] [blame]589 if (strcmp(name, "zlib@openssh.com") == 0) {
590 comp->type = COMP_DELAYED;
591 } else if (strcmp(name, "zlib") == 0) {
592 comp->type = COMP_ZLIB;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]593 } else if (strcmp(name, "none") == 0) {
Damien Miller9786e6e2005-07-26 21:54:56 +1000[diff] [blame]594 comp->type = COMP_NONE;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]595 } else {
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]596 return SSH_ERR_INTERNAL_ERROR;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]597 }
598 comp->name = name;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]599 return 0;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]600}
Damien Miller4f7becb2006-03-26 14:10:14 +1100[diff] [blame]601
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]602static int
603choose_kex(struct kex *k, char *client, char *server)
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]604{
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]605 const struct kexalg *kexalg;
606
Ben Lindstromb9be60a2001-03-11 01:49:19 +0000[diff] [blame]607 k->name = match_list(client, server, NULL);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]608
djm@openbsd.org9690b782015-08-21 23:57:48 +0000[diff] [blame]609 debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]610 if (k->name == NULL)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]611 return SSH_ERR_NO_KEX_ALG_MATCH;
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]612 if ((kexalg = kex_alg_by_name(k->name)) == NULL)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]613 return SSH_ERR_INTERNAL_ERROR;
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]614 k->kex_type = kexalg->type;
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]615 k->hash_alg = kexalg->hash_alg;
Damien Millerea111192013-04-23 19:24:32 +1000[diff] [blame]616 k->ec_nid = kexalg->ec_nid;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]617 return 0;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]618}
Damien Miller19bb3a52005-11-05 15:19:35 +1100[diff] [blame]619
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]620static int
621choose_hostkeyalg(struct kex *k, char *client, char *server)
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]622{
Ben Lindstromb9be60a2001-03-11 01:49:19 +0000[diff] [blame]623 char *hostkeyalg = match_list(client, server, NULL);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]624
djm@openbsd.org9690b782015-08-21 23:57:48 +0000[diff] [blame]625 debug("kex: host key algorithm: %s",
626 hostkeyalg ? hostkeyalg : "(no match)");
Damien Miller0bc1bd82000-11-13 22:57:25 +1100[diff] [blame]627 if (hostkeyalg == NULL)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]628 return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
629 k->hostkey_type = sshkey_type_from_name(hostkeyalg);
Damien Miller0bc1bd82000-11-13 22:57:25 +1100[diff] [blame]630 if (k->hostkey_type == KEY_UNSPEC)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]631 return SSH_ERR_INTERNAL_ERROR;
djm@openbsd.org5104db72015-01-26 06:10:03 +0000[diff] [blame]632 k->hostkey_nid = sshkey_ecdsa_nid_from_name(hostkeyalg);
Darren Tuckera627d422013-06-02 07:31:17 +1000[diff] [blame]633 free(hostkeyalg);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]634 return 0;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]635}
636
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]637static int
Damien Millerbabb47a2003-02-24 11:53:32 +1100[diff] [blame]638proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
639{
640 static int check[] = {
641 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
642 };
643 int *idx;
644 char *p;
645
646 for (idx = &check[0]; *idx != -1; idx++) {
647 if ((p = strchr(my[*idx], ',')) != NULL)
648 *p = '\0';
649 if ((p = strchr(peer[*idx], ',')) != NULL)
650 *p = '\0';
651 if (strcmp(my[*idx], peer[*idx]) != 0) {
652 debug2("proposal mismatch: my %s peer %s",
653 my[*idx], peer[*idx]);
654 return (0);
655 }
656 }
657 debug2("proposals match");
658 return (1);
659}
660
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]661static int
662kex_choose_conf(struct ssh *ssh)
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]663{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]664 struct kex *kex = ssh->kex;
665 struct newkeys *newkeys;
666 char **my = NULL, **peer = NULL;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]667 char **cprop, **sprop;
Ben Lindstrom2d90e002001-04-04 02:00:54 +0000[diff] [blame]668 int nenc, nmac, ncomp;
Damien Miller76eea4a2014-01-26 09:37:25 +1100[diff] [blame]669 u_int mode, ctos, need, dh_need, authlen;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]670 int r, first_kex_follows;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]671
djm@openbsd.org9690b782015-08-21 23:57:48 +0000[diff] [blame]672 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
673 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
674 goto out;
675 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
676 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]677 goto out;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]678
Ben Lindstrom2d90e002001-04-04 02:00:54 +0000[diff] [blame]679 if (kex->server) {
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]680 cprop=peer;
681 sprop=my;
682 } else {
683 cprop=my;
684 sprop=peer;
685 }
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]686
Darren Tucker36331b52010-01-08 16:50:41 +1100[diff] [blame]687 /* Check whether server offers roaming */
688 if (!kex->server) {
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]689 char *roaming = match_list(KEX_RESUME,
690 peer[PROPOSAL_KEX_ALGS], NULL);
691
Darren Tucker36331b52010-01-08 16:50:41 +1100[diff] [blame]692 if (roaming) {
693 kex->roaming = 1;
Darren Tuckera627d422013-06-02 07:31:17 +1000[diff] [blame]694 free(roaming);
Darren Tucker36331b52010-01-08 16:50:41 +1100[diff] [blame]695 }
696 }
697
Ben Lindstrombe2cc432001-04-04 23:46:07 +0000[diff] [blame]698 /* Algorithm Negotiation */
djm@openbsd.org9690b782015-08-21 23:57:48 +0000[diff] [blame]699 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
700 sprop[PROPOSAL_KEX_ALGS])) != 0) {
701 kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
702 peer[PROPOSAL_KEX_ALGS] = NULL;
703 goto out;
704 }
705 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
706 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
707 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
708 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
709 goto out;
710 }
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]711 for (mode = 0; mode < MODE_MAX; mode++) {
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]712 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
713 r = SSH_ERR_ALLOC_FAIL;
714 goto out;
715 }
Ben Lindstrombe2cc432001-04-04 23:46:07 +0000[diff] [blame]716 kex->newkeys[mode] = newkeys;
Darren Tucker0d0d1952007-06-05 18:23:28 +1000[diff] [blame]717 ctos = (!kex->server && mode == MODE_OUT) ||
718 (kex->server && mode == MODE_IN);
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]719 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
720 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
721 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]722 if ((r = choose_enc(&newkeys->enc, cprop[nenc],
djm@openbsd.orgf3199122015-07-29 04:43:06 +0000[diff] [blame]723 sprop[nenc])) != 0) {
724 kex->failed_choice = peer[nenc];
725 peer[nenc] = NULL;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]726 goto out;
djm@openbsd.orgf3199122015-07-29 04:43:06 +0000[diff] [blame]727 }
Damien Miller1d75abf2013-01-09 16:12:19 +1100[diff] [blame]728 authlen = cipher_authlen(newkeys->enc.cipher);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]729 /* ignore mac for authenticated encryption */
730 if (authlen == 0 &&
731 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
djm@openbsd.orgf3199122015-07-29 04:43:06 +0000[diff] [blame]732 sprop[nmac])) != 0) {
733 kex->failed_choice = peer[nmac];
734 peer[nmac] = NULL;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]735 goto out;
djm@openbsd.orgf3199122015-07-29 04:43:06 +0000[diff] [blame]736 }
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]737 if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
djm@openbsd.orgf3199122015-07-29 04:43:06 +0000[diff] [blame]738 sprop[ncomp])) != 0) {
739 kex->failed_choice = peer[ncomp];
740 peer[ncomp] = NULL;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]741 goto out;
djm@openbsd.orgf3199122015-07-29 04:43:06 +0000[diff] [blame]742 }
djm@openbsd.org9690b782015-08-21 23:57:48 +0000[diff] [blame]743 debug("kex: %s cipher: %s MAC: %s compression: %s",
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]744 ctos ? "client->server" : "server->client",
Ben Lindstrom2d90e002001-04-04 02:00:54 +0000[diff] [blame]745 newkeys->enc.name,
Damien Miller1d75abf2013-01-09 16:12:19 +1100[diff] [blame]746 authlen == 0 ? newkeys->mac.name : "<implicit>",
Ben Lindstrom2d90e002001-04-04 02:00:54 +0000[diff] [blame]747 newkeys->comp.name);
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]748 }
Damien Miller76eea4a2014-01-26 09:37:25 +1100[diff] [blame]749 need = dh_need = 0;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]750 for (mode = 0; mode < MODE_MAX; mode++) {
Ben Lindstrombe2cc432001-04-04 23:46:07 +0000[diff] [blame]751 newkeys = kex->newkeys[mode];
Damien Millera92ac742014-01-26 09:38:03 +1100[diff] [blame]752 need = MAX(need, newkeys->enc.key_len);
753 need = MAX(need, newkeys->enc.block_size);
754 need = MAX(need, newkeys->enc.iv_len);
755 need = MAX(need, newkeys->mac.key_len);
756 dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));
757 dh_need = MAX(dh_need, newkeys->enc.block_size);
758 dh_need = MAX(dh_need, newkeys->enc.iv_len);
759 dh_need = MAX(dh_need, newkeys->mac.key_len);
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]760 }
Damien Millerb1715dc2000-05-30 13:44:51 +1000[diff] [blame]761 /* XXX need runden? */
Ben Lindstrom2d90e002001-04-04 02:00:54 +0000[diff] [blame]762 kex->we_need = need;
Damien Miller76eea4a2014-01-26 09:37:25 +1100[diff] [blame]763 kex->dh_need = dh_need;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]764
Damien Millerbabb47a2003-02-24 11:53:32 +1100[diff] [blame]765 /* ignore the next message if the proposals do not match */
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]766 if (first_kex_follows && !proposals_match(my, peer) &&
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]767 !(ssh->compat & SSH_BUG_FIRSTKEX))
768 ssh->dispatch_skip_packets = 1;
769 r = 0;
770 out:
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]771 kex_prop_free(my);
772 kex_prop_free(peer);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]773 return r;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]774}
775
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]776static int
777derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
778 const struct sshbuf *shared_secret, u_char **keyp)
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]779{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]780 struct kex *kex = ssh->kex;
781 struct ssh_digest_ctx *hashctx = NULL;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]782 char c = id;
Damien Millereccb9de2005-06-17 12:59:34 +1000[diff] [blame]783 u_int have;
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]784 size_t mdsz;
Damien Millereccb9de2005-06-17 12:59:34 +1000[diff] [blame]785 u_char *digest;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]786 int r;
Damien Miller46d38de2005-07-17 17:02:09 +1000[diff] [blame]787
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]788 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]789 return SSH_ERR_INVALID_ARGUMENT;
790 if ((digest = calloc(1, roundup(need, mdsz))) == NULL) {
791 r = SSH_ERR_ALLOC_FAIL;
792 goto out;
793 }
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]794
Ben Lindstrombe2cc432001-04-04 23:46:07 +0000[diff] [blame]795 /* K1 = HASH(K || H || "A" || session_id) */
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]796 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
797 ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]798 ssh_digest_update(hashctx, hash, hashlen) != 0 ||
799 ssh_digest_update(hashctx, &c, 1) != 0 ||
800 ssh_digest_update(hashctx, kex->session_id,
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]801 kex->session_id_len) != 0 ||
802 ssh_digest_final(hashctx, digest, mdsz) != 0) {
803 r = SSH_ERR_LIBCRYPTO_ERROR;
804 goto out;
805 }
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]806 ssh_digest_free(hashctx);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]807 hashctx = NULL;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]808
Ben Lindstrombe2cc432001-04-04 23:46:07 +0000[diff] [blame]809 /*
810 * expand key:
811 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
812 * Key = K1 || K2 || ... || Kn
813 */
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]814 for (have = mdsz; need > have; have += mdsz) {
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]815 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
816 ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]817 ssh_digest_update(hashctx, hash, hashlen) != 0 ||
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]818 ssh_digest_update(hashctx, digest, have) != 0 ||
819 ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
820 r = SSH_ERR_LIBCRYPTO_ERROR;
821 goto out;
822 }
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]823 ssh_digest_free(hashctx);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]824 hashctx = NULL;
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]825 }
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]826#ifdef DEBUG_KEX
827 fprintf(stderr, "key '%c'== ", c);
828 dump_digest("key", digest, need);
829#endif
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]830 *keyp = digest;
831 digest = NULL;
832 r = 0;
833 out:
834 if (digest)
835 free(digest);
836 ssh_digest_free(hashctx);
837 return r;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]838}
839
Ben Lindstromb9be60a2001-03-11 01:49:19 +0000[diff] [blame]840#define NKEYS 6
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]841int
842kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
843 const struct sshbuf *shared_secret)
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]844{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]845 struct kex *kex = ssh->kex;
Ben Lindstrom46c16222000-12-22 01:43:59 +0000[diff] [blame]846 u_char *keys[NKEYS];
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]847 u_int i, j, mode, ctos;
848 int r;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]849
Damien Miller19bb3a52005-11-05 15:19:35 +1100[diff] [blame]850 for (i = 0; i < NKEYS; i++) {
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]851 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
852 shared_secret, &keys[i])) != 0) {
853 for (j = 0; j < i; j++)
854 free(keys[j]);
855 return r;
856 }
Damien Miller19bb3a52005-11-05 15:19:35 +1100[diff] [blame]857 }
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]858 for (mode = 0; mode < MODE_MAX; mode++) {
Damien Miller4f7becb2006-03-26 14:10:14 +1100[diff] [blame]859 ctos = (!kex->server && mode == MODE_OUT) ||
860 (kex->server && mode == MODE_IN);
markus@openbsd.org091c3022015-01-19 19:52:16 +0000[diff] [blame]861 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1];
862 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
863 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]864 }
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]865 return 0;
Damien Millera664e872000-04-16 11:52:47 +1000[diff] [blame]866}
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]867
Damien Miller1f0311c2014-05-15 14:24:09 +1000[diff] [blame]868#ifdef WITH_OPENSSL
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]869int
870kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
871 const BIGNUM *secret)
Damien Miller91b580e2014-01-12 19:21:22 +1100[diff] [blame]872{
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]873 struct sshbuf *shared_secret;
874 int r;
Damien Miller91b580e2014-01-12 19:21:22 +1100[diff] [blame]875
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]876 if ((shared_secret = sshbuf_new()) == NULL)
877 return SSH_ERR_ALLOC_FAIL;
878 if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
879 r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
880 sshbuf_free(shared_secret);
881 return r;
Damien Miller91b580e2014-01-12 19:21:22 +1100[diff] [blame]882}
Damien Miller1f0311c2014-05-15 14:24:09 +1000[diff] [blame]883#endif
Damien Miller91b580e2014-01-12 19:21:22 +1100[diff] [blame]884
Damien Miller1f0311c2014-05-15 14:24:09 +1000[diff] [blame]885#ifdef WITH_SSH1
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]886int
Darren Tuckere14e0052004-05-13 16:30:44 +1000[diff] [blame]887derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
888 u_int8_t cookie[8], u_int8_t id[16])
889{
djm@openbsd.org25f5f782015-01-30 00:22:25 +0000[diff] [blame]890 u_int8_t hbuf[2048], sbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH];
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]891 struct ssh_digest_ctx *hashctx = NULL;
djm@openbsd.org25f5f782015-01-30 00:22:25 +0000[diff] [blame]892 size_t hlen, slen;
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]893 int r;
Darren Tuckere14e0052004-05-13 16:30:44 +1000[diff] [blame]894
djm@openbsd.org25f5f782015-01-30 00:22:25 +0000[diff] [blame]895 hlen = BN_num_bytes(host_modulus);
896 slen = BN_num_bytes(server_modulus);
897 if (hlen < (512 / 8) || (u_int)hlen > sizeof(hbuf) ||
898 slen < (512 / 8) || (u_int)slen > sizeof(sbuf))
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]899 return SSH_ERR_KEY_BITS_MISMATCH;
djm@openbsd.org25f5f782015-01-30 00:22:25 +0000[diff] [blame]900 if (BN_bn2bin(host_modulus, hbuf) <= 0 ||
901 BN_bn2bin(server_modulus, sbuf) <= 0) {
902 r = SSH_ERR_LIBCRYPTO_ERROR;
903 goto out;
904 }
905 if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) {
906 r = SSH_ERR_ALLOC_FAIL;
907 goto out;
908 }
909 if (ssh_digest_update(hashctx, hbuf, hlen) != 0 ||
910 ssh_digest_update(hashctx, sbuf, slen) != 0 ||
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]911 ssh_digest_update(hashctx, cookie, 8) != 0 ||
912 ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) {
913 r = SSH_ERR_LIBCRYPTO_ERROR;
914 goto out;
915 }
Damien Millerb3051d02014-01-10 10:58:53 +1100[diff] [blame]916 memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5));
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]917 r = 0;
918 out:
919 ssh_digest_free(hashctx);
djm@openbsd.org25f5f782015-01-30 00:22:25 +0000[diff] [blame]920 explicit_bzero(hbuf, sizeof(hbuf));
921 explicit_bzero(sbuf, sizeof(sbuf));
Damien Millera5103f42014-02-04 11:20:14 +1100[diff] [blame]922 explicit_bzero(obuf, sizeof(obuf));
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]923 return r;
Darren Tuckere14e0052004-05-13 16:30:44 +1000[diff] [blame]924}
Damien Miller1f0311c2014-05-15 14:24:09 +1000[diff] [blame]925#endif
Darren Tuckere14e0052004-05-13 16:30:44 +1000[diff] [blame]926
Damien Millereb8b60e2010-08-31 22:41:14 +1000[diff] [blame]927#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]928void
929dump_digest(char *msg, u_char *digest, int len)
930{
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]931 fprintf(stderr, "%s\n", msg);
markus@openbsd.org57d10cb2015-01-19 20:16:15 +0000[diff] [blame]932 sshbuf_dump_data(digest, len, stderr);
Ben Lindstrom20d7c7b2001-04-04 01:56:17 +0000[diff] [blame]933}
934#endif