xref: /plan9/sys/src/cmd/ssh2/dh.c (revision 48207d97b4e803eefbe4064a810e27dec2c3d9bb)

#include <u.h>
#include <libc.h>
#include <mp.h>
#include <libsec.h>
#include <fcall.h>
#include <thread.h>
#include <9p.h>
#include <auth.h>
#include <ip.h>
#include <pool.h>
#include "netssh.h"

#undef VERIFYKEYS		/* TODO until it's fixed */

enum {
	Errnokey = -2,	/* no key on keyring */
	Errnoverify,	/* factotum found a key, but verification failed */
	Errfactotum,	/* factotum failure (e.g., no key) */
	Errnone,	/* key verified */
};

static int dh_server(Conn *, Packet *, mpint *, int);
static void genkeys(Conn *, uchar [], mpint *);

/*
 * Second Oakley Group from RFC 2409
 */
static char *group1p =
         "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
         "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
         "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
         "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
         "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
         "FFFFFFFFFFFFFFFF";

/*
 * 2048-bit MODP group (id 14) from RFC 3526
*/
static char *group14p =
      "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
      "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
      "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
      "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
      "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
      "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
      "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
      "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
      "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
      "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
      "15728E5A8AACAA68FFFFFFFFFFFFFFFF";

mpint *two, *p1, *p14;
int nokeyverify;

static DSApriv mydsskey;
static RSApriv myrsakey;

void
dh_init(PKA *pkas[])
{
	char *buf, *p, *st, *end;
	int fd, n, k;

	if(debug > 1)
		sshdebug(nil, "dh_init");
	k = 0;
	pkas[k] = nil;
	fmtinstall('M', mpfmt);
	two = strtomp("2", nil, 10, nil);
	p1 = strtomp(group1p, nil, 16, nil);
	p14 = strtomp(group14p, nil, 16, nil);

	/*
	 * this really should be done through factotum
	 */
	p = getenv("rsakey");
	if (p != nil) {
		remove("/env/rsakey");
		st = buf = p;
		end = buf + strlen(p);
	} else {
		/*
		 * it would be better to use bio and rdline here instead of
		 * reading all of factotum's contents into memory at once.
		 */
		buf = emalloc9p(Maxfactotum);
		fd = open("rsakey", OREAD);
		if (fd < 0 && (fd = open("/mnt/factotum/ctl", OREAD)) < 0)
			goto norsa;
		n = readn(fd, buf, Maxfactotum - 1);
		buf[n >= 0? n: 0] = 0;
		close(fd);
		assert(n < Maxfactotum - 1);

		st = strstr(buf, "proto=rsa");
		if (st == nil) {
			sshlog(nil, "no proto=rsa key in factotum");
			goto norsa;
		}
		end = st;
		for (; st > buf && *st != '\n'; --st)
			;
		for (; end < buf + Maxfactotum && *end != '\n'; ++end)
			;
	}
	p = strstr(st, " n=");
	if (p == nil || p > end) {
		sshlog(nil, "no key (n) found");
		free(buf);
		return;
	}
	myrsakey.pub.n = strtomp(p+3, nil, 16, nil);
	if (debug > 1)
		sshdebug(nil, "n=%M", myrsakey.pub.n);
	p = strstr(st, " ek=");
	if (p == nil || p > end) {
		sshlog(nil, "no key (ek) found");
		free(buf);
		return;
	}
	pkas[k++] = &rsa_pka;
	pkas[k] = nil;
	myrsakey.pub.ek = strtomp(p+4, nil, 16, nil);
	if (debug > 1)
		sshdebug(nil, "ek=%M", myrsakey.pub.ek);
	p = strstr(st, " !dk=");
	if (p == nil) {
		p = strstr(st, "!dk?");
		if (p == nil || p > end) {
			// sshlog(nil, "no key (dk) found");
			free(buf);
			return;
		}
		goto norsa;
	}
	myrsakey.dk = strtomp(p+5, nil, 16, nil);
	if (debug > 1)
		sshdebug(nil, "dk=%M", myrsakey.dk);
norsa:
	free(buf);

	p = getenv("dsskey");
	if (p != nil) {
		remove("/env/dsskey");
		buf = p;
		end = buf + strlen(p);
	} else {
		/*
		 * it would be better to use bio and rdline here instead of
		 * reading all of factotum's contents into memory at once.
		 */
		buf = emalloc9p(Maxfactotum);
		fd = open("dsskey", OREAD);
		if (fd < 0 && (fd = open("/mnt/factotum/ctl", OREAD)) < 0)
			return;
		n = readn(fd, buf, Maxfactotum - 1);
		buf[n >= 0? n: 0] = 0;
		close(fd);
		assert(n < Maxfactotum - 1);

		st = strstr(buf, "proto=dsa");
		if (st == nil) {
			sshlog(nil, "no proto=dsa key in factotum");
			free(buf);
			return;
		}
		end = st;
		for (; st > buf && *st != '\n'; --st)
			;
		for (; end < buf + Maxfactotum && *end != '\n'; ++end)
			;
	}
	p = strstr(buf, " p=");
	if (p == nil || p > end) {
		sshlog(nil, "no key (p) found");
		free(buf);
		return;
	}
	mydsskey.pub.p = strtomp(p+3, nil, 16, nil);
	p = strstr(buf, " q=");
	if (p == nil || p > end) {
		sshlog(nil, "no key (q) found");
		free(buf);
		return;
	}
	mydsskey.pub.q = strtomp(p+3, nil, 16, nil);
	p = strstr(buf, " alpha=");
	if (p == nil || p > end) {
		sshlog(nil, "no key (g) found");
		free(buf);
		return;
	}
	mydsskey.pub.alpha = strtomp(p+7, nil, 16, nil);
	p = strstr(buf, " key=");
	if (p == nil || p > end) {
		sshlog(nil, "no key (y) found");
		free(buf);
		return;
	}
	mydsskey.pub.key = strtomp(p+5, nil, 16, nil);
	pkas[k++] = &dss_pka;
	pkas[k] = nil;
	p = strstr(buf, " !secret=");
	if (p == nil) {
		p = strstr(buf, "!secret?");
		if (p == nil || p > end)
			sshlog(nil, "no key (x) found");
		free(buf);
		return;
	}
	mydsskey.secret = strtomp(p+9, nil, 16, nil);
	free(buf);
}

static Packet *
rsa_ks(Conn *c)
{
	Packet *ks;

	if (myrsakey.pub.ek == nil || myrsakey.pub.n == nil) {
		sshlog(c, "no public RSA key info");
		return nil;
	}
	ks = new_packet(c);
	add_string(ks, "ssh-rsa");
	add_mp(ks, myrsakey.pub.ek);
	add_mp(ks, myrsakey.pub.n);
	return ks;
}

static void
esma_encode(uchar *h, uchar *em, int nb)
{
	int n, i;
	uchar hh[SHA1dlen];
	static uchar sha1der[] = {
		0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
		0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14,
	};

	sha1(h, SHA1dlen, hh, nil);
	n = nb - (nelem(sha1der) + SHA1dlen) - 3;
	i = 0;
	em[i++] = 0;
	em[i++] = 1;
	memset(em + i, 0xff, n);
	i += n;
	em[i++] = 0;
	memmove(em + i, sha1der, sizeof sha1der);
	i += sizeof sha1der;
	memmove(em + i, hh, SHA1dlen);
}

static Packet *
rsa_sign(Conn *c, uchar *m, int nm)
{
	AuthRpc *ar;
	Packet *sig;
	mpint *s, *mm;
	int fd, n, nbit;
	uchar hh[SHA1dlen];
	uchar *sstr, *em;

	if (myrsakey.dk) {
		nbit = mpsignif (myrsakey.pub.n);
		n = (nbit + 7) / 8;
		sstr = emalloc9p(n);
		em = emalloc9p(n);
		/* Compute s: RFC 3447 */
		esma_encode(m, em, n);
		mm = betomp(em, n, nil);
		s = mpnew(nbit);
		mpexp(mm, myrsakey.dk, myrsakey.pub.n, s);
		mptobe(s, sstr, n, nil);
		mpfree(mm);
		mpfree(s);
		free(em);
	} else {
		fd = open("/mnt/factotum/rpc", ORDWR);
		if (fd < 0)
			return nil;
		sha1(m, nm, hh, nil);
		ar = auth_allocrpc(fd);
		if (ar == nil ||
		    auth_rpc(ar, "start", "role=sign proto=rsa", 19) != ARok ||
		    auth_rpc(ar, "write", hh, SHA1dlen) != ARok ||
		    auth_rpc(ar, "read", nil, 0) != ARok ||
		    ar->arg == nil) {
			sshdebug(c, "got error in factotum: %r");
			auth_freerpc(ar);
			close(fd);
			return nil;
		}
		sstr = emalloc9p(ar->narg);
		memmove(sstr, ar->arg, ar->narg);
		n = ar->narg;

		auth_freerpc(ar);
		close(fd);
	}
	sig = new_packet(c);
	add_string(sig, pkas[c->pkalg]->name);
	add_block(sig, sstr, n);
	free(sstr);
	return sig;
}

/*
 * 0 - If factotum failed, e.g. no key
 * 1 - If key is verified
 * -1 - If factotum found a key, but the verification fails
 */
static int
rsa_verify(Conn *c, uchar *m, int nm, char *user, char *sig, int)
{
	int fd, n, retval, nbit;
	char *buf, *p, *sigblob;
	uchar *sstr, *em;
	uchar hh[SHA1dlen];
	mpint *s, *mm, *rsa_exponent, *host_modulus;
	AuthRpc *ar;

	sshdebug(c, "in rsa_verify for connection: %d", c->id);
	SET(rsa_exponent, host_modulus);
	USED(rsa_exponent, host_modulus);
	if (0 && rsa_exponent) {
		nbit = mpsignif(host_modulus);
		n = (nbit + 7) / 8;
		em = emalloc9p(n);
		/* Compute s: RFC 3447 */
		esma_encode(m, em, n);
		mm = betomp(em, n, nil);
		s = mpnew(1024);
		mpexp(mm, rsa_exponent, host_modulus, s);
		sstr = emalloc9p(n);
		mptobe(s, sstr, n, nil);
		free(em);
		mpfree(mm);
		mpfree(s);
		retval = memcmp(sig, sstr, n);
		free(sstr);
		retval = (retval == 0);
	} else {
		retval = 1;
		fd = open("/mnt/factotum/rpc", ORDWR);
		if (fd < 0) {
			sshdebug(c, "could not open factotum RPC: %r");
			return 0;
		}
		buf = emalloc9p(Blobsz / 2);
		sigblob = emalloc9p(Blobsz);
		p = (char *)get_string(nil, (uchar *)sig, buf, Blobsz / 2, nil);
		get_string(nil, (uchar *)p, sigblob, Blobsz, &n);
		sha1(m, nm, hh, nil);
		if (user != nil)
			p = smprint("role=verify proto=rsa user=%s", user);
		else
			p = smprint("role=verify proto=rsa sys=%s", c->remote);

		ar = auth_allocrpc(fd);
		if (ar == nil || auth_rpc(ar, "start", p, strlen(p)) != ARok ||
		    auth_rpc(ar, "write", hh, SHA1dlen) != ARok ||
		    auth_rpc(ar, "write", sigblob, n) != ARok ||
		    auth_rpc(ar, "read", nil, 0) != ARok) {
			sshdebug(c, "got error in factotum: %r");
			retval = 0;
		} else {
			sshdebug(c, "factotum returned %s", ar->ibuf);
			if (strstr(ar->ibuf, "does not verify") != nil)
				retval = -1;
		}
		if (ar != nil)
			auth_freerpc(ar);
		free(p);
		close(fd);
		free(sigblob);
		free(buf);
	}
	return retval;
}

static Packet *
dss_ks(Conn *c)
{
	Packet *ks;

	if (mydsskey.pub.p == nil)
		return nil;
	ks = new_packet(c);
	add_string(ks, "ssh-dss");
	add_mp(ks, mydsskey.pub.p);
	add_mp(ks, mydsskey.pub.q);
	add_mp(ks, mydsskey.pub.alpha);
	add_mp(ks, mydsskey.pub.key);
	return ks;
}

static Packet *
dss_sign(Conn *c, uchar *m, int nm)
{
	AuthRpc *ar;
	DSAsig *s;
	Packet *sig;
	mpint *mm;
	int fd;
	uchar sstr[2*SHA1dlen];

	sha1(m, nm, sstr, nil);
	sig = new_packet(c);
	add_string(sig, pkas[c->pkalg]->name);
	if (mydsskey.secret) {
		mm = betomp(sstr, SHA1dlen, nil);
		s = dsasign(&mydsskey, mm);
		mptobe(s->r, sstr, SHA1dlen, nil);
		mptobe(s->s, sstr+SHA1dlen, SHA1dlen, nil);
		dsasigfree(s);
		mpfree(mm);
	} else {
		fd = open("/mnt/factotum/rpc", ORDWR);
		if (fd < 0)
			return nil;
		ar = auth_allocrpc(fd);
		if (ar == nil ||
		    auth_rpc(ar, "start", "role=sign proto=dsa", 19) != ARok ||
		    auth_rpc(ar, "write", sstr, SHA1dlen) != ARok ||
		    auth_rpc(ar, "read", nil, 0) != ARok) {
			sshdebug(c, "got error in factotum: %r");
			auth_freerpc(ar);
			close(fd);
			return nil;
		}
		memmove(sstr, ar->arg, ar->narg);
		auth_freerpc(ar);
		close(fd);
	}
	add_block(sig, sstr, 2*SHA1dlen);
	return sig;
}

static int
dss_verify(Conn *c, uchar *m, int nm, char *user, char *sig, int nsig)
{
	sshdebug(c, "in dss_verify for connection: %d", c->id);
	USED(m, nm, user, sig, nsig);
	return 0;
}

static int
dh_server1(Conn *c, Packet *pack1)
{
	return dh_server(c, pack1, p1, 1024);
}

static int
dh_server14(Conn *c, Packet *pack1)
{
	return dh_server(c, pack1, p14, 2048);
}

static int
dh_server(Conn *c, Packet *pack1, mpint *grp, int nbit)
{
	Packet *pack2, *ks, *sig;
	mpint *y, *e, *f, *k;
	int n, ret;
	uchar h[SHA1dlen];

	ret = -1;
	qlock(&c->l);
	f = mpnew(nbit);
	k = mpnew(nbit);

	/* Compute f: RFC4253 */
	y = mprand(nbit / 8, genrandom, nil);
	if (debug > 1)
		sshdebug(c, "y=%M", y);
	mpexp(two, y, grp, f);
	if (debug > 1)
		sshdebug(c, "f=%M", f);

	/* Compute k: RFC4253 */
	if (debug > 1)
		dump_packet(pack1);
	e = get_mp(pack1->payload+1);
	if (debug > 1)
		sshdebug(c, "e=%M", e);
	mpexp(e, y, grp, k);
	if (debug > 1)
		sshdebug(c, "k=%M", k);

	/* Compute H: RFC 4253 */
	pack2 = new_packet(c);
	sshdebug(c, "ID strings: %s---%s", c->otherid, MYID);
	add_string(pack2, c->otherid);
	add_string(pack2, MYID);
	if (debug > 1) {
		fprint(2, "received kexinit:");
		dump_packet(c->rkexinit);
		fprint(2, "\nsent kexinit:");
		dump_packet(c->skexinit);
	}
	add_block(pack2, c->rkexinit->payload, c->rkexinit->rlength - 1);
	add_block(pack2, c->skexinit->payload,
		c->skexinit->rlength - c->skexinit->pad_len - 1);
	sig = nil;
	ks = pkas[c->pkalg]->ks(c);
	if (ks == nil)
		goto err;
	add_block(pack2, ks->payload, ks->rlength - 1);
	add_mp(pack2, e);
	add_mp(pack2, f);
	add_mp(pack2, k);
	sha1(pack2->payload, pack2->rlength - 1, h, nil);

	if (c->got_sessid == 0) {
		memmove(c->sessid, h, SHA1dlen);
		c->got_sessid = 1;
	}
	sig = pkas[c->pkalg]->sign(c, h, SHA1dlen);
	if (sig == nil) {
		sshlog(c, "failed to generate signature: %r");
		goto err;
	}

	/* Send (K_s || f || s) to client: RFC4253 */
	init_packet(pack2);
	pack2->c = c;
	add_byte(pack2, SSH_MSG_KEXDH_REPLY);
	add_block(pack2, ks->payload, ks->rlength - 1);
	add_mp(pack2, f);
	add_block(pack2, sig->payload, sig->rlength - 1);
	if (debug > 1)
		dump_packet(pack2);
	n = finish_packet(pack2);
	if (debug > 1) {
		sshdebug(c, "writing %d bytes: len %d", n, nhgetl(pack2->nlength));
		dump_packet(pack2);
	}
	iowrite(c->dio, c->datafd, pack2->nlength, n);

	genkeys(c, h, k);

	/* Send SSH_MSG_NEWKEYS */
	init_packet(pack2);
	pack2->c = c;
	add_byte(pack2, SSH_MSG_NEWKEYS);
	n = finish_packet(pack2);
	iowrite(c->dio, c->datafd, pack2->nlength, n);
	ret = 0;
err:
	mpfree(f);
	mpfree(e);
	mpfree(k);
	mpfree(y);
	free(sig);
	free(ks);
	free(pack2);
	qunlock(&c->l);
	return ret;
}

static int
dh_client11(Conn *c, Packet *)
{
	Packet *p;
	int n;

	if (c->e)
		mpfree(c->e);
	c->e = mpnew(1024);

	/* Compute e: RFC4253 */
	if (c->x)
		mpfree(c->x);
	c->x = mprand(128, genrandom, nil);
	mpexp(two, c->x, p1, c->e);

	p = new_packet(c);
	add_byte(p, SSH_MSG_KEXDH_INIT);
	add_mp(p, c->e);
	n = finish_packet(p);
	iowrite(c->dio, c->datafd, p->nlength, n);
	free(p);
	return 0;
}

static int
findkeyinuserring(Conn *c, RSApub *srvkey)
{
	int n;
	char *home, *newkey, *r;

	home = getenv("home");
	if (home == nil) {
		newkey = "No home directory for key file";
		free(keymbox.msg);
		keymbox.msg = smprint("b%04ld%s", strlen(newkey), newkey);
		return -1;
	}

	r = smprint("%s/lib/keyring", home);
	free(home);
	if ((n = findkey(r, c->remote, srvkey)) != KeyOk) {
		newkey = smprint("ek=%M n=%M", srvkey->ek, srvkey->n);
		free(keymbox.msg);
		keymbox.msg = smprint("%c%04ld%s", n == NoKeyFile || n == NoKey?
			'c': 'b', strlen(newkey), newkey);
		free(newkey);

		nbsendul(keymbox.mchan, 1);
		recvul(keymbox.mchan);
		if (keymbox.msg == nil || keymbox.msg[0] == 'n') {
			free(keymbox.msg);
			keymbox.msg = nil;
			newkey = "Server key reject";
			keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey);
			return -1;
		}
		sshdebug(c, "adding key");
		if (keymbox.msg[0] == 'y')
			appendkey(r, c->remote, srvkey);
		else if (keymbox.msg[0] == 'r')
			replacekey(r, c->remote, srvkey);
	}
	free(r);
	return 0;
}

static int
verifyhostkey(Conn *c, RSApub *srvkey, Packet *sig)
{
	int fd, n;
	char *newkey;
	uchar h[SHA1dlen];

	sshdebug(c, "verifying server signature");
	if (findkey("/sys/lib/ssh/keyring", c->remote, srvkey) != KeyOk &&
	    findkeyinuserring(c, srvkey) < 0) {
		nbsendul(keymbox.mchan, 1);
		mpfree(srvkey->ek);
		mpfree(srvkey->n);
		return Errnokey;
	}

	newkey = smprint("key proto=rsa role=verify sys=%s size=%d ek=%M n=%M",
		c->remote, mpsignif(srvkey->n), srvkey->ek, srvkey->n);
	if (newkey == nil) {
		sshlog(c, "out of memory");
		threadexits("out of memory");
	}

	fd = open("/mnt/factotum/ctl", OWRITE);
	if (fd >= 0)
		write(fd, newkey, strlen(newkey));
		/* leave fd open */
	else
		sshdebug(c, "factotum open failed: %r");

	free(newkey);
	mpfree(srvkey->ek);
	mpfree(srvkey->n);
	free(keymbox.msg);
	keymbox.msg = nil;

	n = pkas[c->pkalg]->verify(c, h, SHA1dlen, nil, (char *)sig->payload,
		sig->rlength);

	/* fd is perhaps still open */
	if (fd >= 0) {
		/* sys here is a dotted-quad ip address */
		newkey = smprint("delkey proto=rsa role=verify sys=%s",
			c->remote);
		if (newkey) {
			seek(fd, 0, 0);
			write(fd, newkey, strlen(newkey));
			free(newkey);
		}
		close(fd);
	}
	return n;
}

static int
dh_client12(Conn *c, Packet *p)
{
	int n, retval;
#ifdef VERIFYKEYS
	char *newkey;
#endif
	char buf[10];
	uchar *q;
	uchar h[SHA1dlen];
	mpint *f, *k;
	Packet *ks, *sig, *pack2;
	RSApub *srvkey;

	ks = new_packet(c);
	sig = new_packet(c);
	pack2 = new_packet(c);

	q = get_string(p, p->payload+1, (char *)ks->payload, Maxpktpay, &n);
	ks->rlength = n + 1;
	f = get_mp(q);
	q += nhgetl(q) + 4;
	get_string(p, q, (char *)sig->payload, Maxpktpay, &n);
	sig->rlength = n;
	k = mpnew(1024);
	mpexp(f, c->x, p1, k);

	/* Compute H: RFC 4253 */
	init_packet(pack2);
	pack2->c = c;
	if (debug > 1)
		sshdebug(c, "ID strings: %s---%s", c->otherid, MYID);
	add_string(pack2, MYID);
	add_string(pack2, c->otherid);
	if (debug > 1) {
		fprint(2, "received kexinit:");
		dump_packet(c->rkexinit);
		fprint(2, "\nsent kexinit:");
		dump_packet(c->skexinit);
	}
	add_block(pack2, c->skexinit->payload,
		c->skexinit->rlength - c->skexinit->pad_len - 1);
	add_block(pack2, c->rkexinit->payload, c->rkexinit->rlength - 1);
	add_block(pack2, ks->payload, ks->rlength - 1);
	add_mp(pack2, c->e);
	add_mp(pack2, f);
	add_mp(pack2, k);
	sha1(pack2->payload, pack2->rlength - 1, h, nil);
	mpfree(f);

	if (c->got_sessid == 0) {
		memmove(c->sessid, h, SHA1dlen);
		c->got_sessid = 1;
	}

	q = get_string(ks, ks->payload, buf, sizeof buf, nil);
	srvkey = emalloc9p(sizeof (RSApub));
	srvkey->ek = get_mp(q);
	q += nhgetl(q) + 4;
	srvkey->n = get_mp(q);

	/*
	 * key verification is really pretty pedantic and
	 * not doing it lets us talk to ssh v1 implementations.
	 */
	if (nokeyverify)
		n = Errnone;
	else
		n = verifyhostkey(c, srvkey, sig);
	retval = -1;
	USED(retval);
	switch (n) {
#ifdef VERIFYKEYS
	case Errnokey:
		goto out;
	case Errnoverify:
		newkey = "signature verification failed; try netssh -v";
		keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey);
		break;
	case Errfactotum:
		newkey = "factotum dialogue failed; try netssh -v";
		keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey);
		break;
	case Errnone:
#else
	default:
#endif
		keymbox.msg = smprint("o0000");
		retval = 0;
		break;
	}
	nbsendul(keymbox.mchan, 1);
	if (retval == 0)
		genkeys(c, h, k);
#ifdef VERIFYKEYS
out:
#endif
	mpfree(k);
	free(ks);
	free(sig);
	free(pack2);
	free(srvkey);
	return retval;
}

static int
dh_client141(Conn *c, Packet *)
{
	Packet *p;
	mpint *e, *x;
	int n;

	/* Compute e: RFC4253 */
	e = mpnew(2048);
	x = mprand(256, genrandom, nil);
	mpexp(two, x, p14, e);
	p = new_packet(c);
	add_byte(p, SSH_MSG_KEXDH_INIT);
	add_mp(p, e);
	n = finish_packet(p);
	iowrite(c->dio, c->datafd, p->nlength, n);
	free(p);
	mpfree(e);
	mpfree(x);
	return 0;
}

static int
dh_client142(Conn *, Packet *)
{
	return 0;
}

static void
initsha1pkt(Packet *pack2, mpint *k, uchar *h)
{
	init_packet(pack2);
	add_mp(pack2, k);
	add_packet(pack2, h, SHA1dlen);
}

static void
genkeys(Conn *c, uchar h[], mpint *k)
{
	Packet *pack2;
	char buf[82], *bp, *be;			/* magic 82 */
	int n;

	pack2 = new_packet(c);
	/* Compute 40 bytes (320 bits) of keys: each alg can use what it needs */

	/* Client to server IV */
	if (debug > 1) {
		fprint(2, "k=%M\nh=", k);
		for (n = 0; n < SHA1dlen; ++n)
			fprint(2, "%02ux", h[n]);
		fprint(2, "\nsessid=");
		for (n = 0; n < SHA1dlen; ++n)
			fprint(2, "%02ux", c->sessid[n]);
		fprint(2, "\n");
	}
	initsha1pkt(pack2, k, h);
	add_byte(pack2, 'A');
	add_packet(pack2, c->sessid, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->nc2siv, nil);
	initsha1pkt(pack2, k, h);
	add_packet(pack2, c->nc2siv, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->nc2siv + SHA1dlen, nil);

	/* Server to client IV */
	initsha1pkt(pack2, k, h);
	add_byte(pack2, 'B');
	add_packet(pack2, c->sessid, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->ns2civ, nil);
	initsha1pkt(pack2, k, h);
	add_packet(pack2, c->ns2civ, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->ns2civ + SHA1dlen, nil);

	/* Client to server encryption key */
	initsha1pkt(pack2, k, h);
	add_byte(pack2, 'C');
	add_packet(pack2, c->sessid, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->nc2sek, nil);
	initsha1pkt(pack2, k, h);
	add_packet(pack2, c->nc2sek, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->nc2sek + SHA1dlen, nil);

	/* Server to client encryption key */
	initsha1pkt(pack2, k, h);
	add_byte(pack2, 'D');
	add_packet(pack2, c->sessid, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->ns2cek, nil);
	initsha1pkt(pack2, k, h);
	add_packet(pack2, c->ns2cek, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->ns2cek + SHA1dlen, nil);

	/* Client to server integrity key */
	initsha1pkt(pack2, k, h);
	add_byte(pack2, 'E');
	add_packet(pack2, c->sessid, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->nc2sik, nil);
	initsha1pkt(pack2, k, h);
	add_packet(pack2, c->nc2sik, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->nc2sik + SHA1dlen, nil);

	/* Server to client integrity key */
	initsha1pkt(pack2, k, h);
	add_byte(pack2, 'F');
	add_packet(pack2, c->sessid, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->ns2cik, nil);
	initsha1pkt(pack2, k, h);
	add_packet(pack2, c->ns2cik, SHA1dlen);
	sha1(pack2->payload, pack2->rlength - 1, c->ns2cik + SHA1dlen, nil);

	if (debug > 1) {
		be = buf + sizeof buf;
		fprint(2, "Client to server IV:\n");
		for (n = 0, bp = buf; n < SHA1dlen*2; ++n)
			bp = seprint(bp, be, "%02x", c->nc2siv[n]);
		fprint(2, "%s\n", buf);

		fprint(2, "Server to client IV:\n");
		for (n = 0, bp = buf; n < SHA1dlen*2; ++n)
			bp = seprint(bp, be, "%02x", c->ns2civ[n]);
		fprint(2, "%s\n", buf);

		fprint(2, "Client to server EK:\n");
		for (n = 0, bp = buf; n < SHA1dlen*2; ++n)
			bp = seprint(bp, be, "%02x", c->nc2sek[n]);
		fprint(2, "%s\n", buf);

		fprint(2, "Server to client EK:\n");
		for (n = 0, bp = buf; n < SHA1dlen*2; ++n)
			bp = seprint(bp, be, "%02x", c->ns2cek[n]);
		fprint(2, "%s\n", buf);
	}
	free(pack2);
}

Kex dh1sha1 = {
	"diffie-hellman-group1-sha1",
	dh_server1,
	dh_client11,
	dh_client12
};

Kex dh14sha1 = {
	"diffie-hellman-group14-sha1",
	dh_server14,
	dh_client141,
	dh_client142
};

PKA rsa_pka = {
	"ssh-rsa",
	rsa_ks,
	rsa_sign,
	rsa_verify
};

PKA dss_pka = {
	"ssh-dss",
	dss_ks,
	dss_sign,
	dss_verify
};