1 /* $NetBSD: kex.c,v 1.15 2016/03/16 21:06:06 christos Exp $ */ 2 /* $OpenBSD: kex.c,v 1.117 2016/02/08 10:57:07 djm Exp $ */ 3 4 /* 5 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include "includes.h" 29 __RCSID("$NetBSD: kex.c,v 1.15 2016/03/16 21:06:06 christos Exp $"); 30 #include <sys/param.h> /* MAX roundup */ 31 32 #include <signal.h> 33 #include <stdio.h> 34 #include <stdlib.h> 35 #include <string.h> 36 37 #ifdef WITH_OPENSSL 38 #include <openssl/crypto.h> 39 #endif 40 41 #include "ssh2.h" 42 #include "packet.h" 43 #include "compat.h" 44 #include "cipher.h" 45 #include "sshkey.h" 46 #include "kex.h" 47 #include "log.h" 48 #include "mac.h" 49 #include "match.h" 50 #include "misc.h" 51 #include "dispatch.h" 52 #include "monitor.h" 53 #include "canohost.h" 54 55 #include "ssherr.h" 56 #include "sshbuf.h" 57 #include "digest.h" 58 59 /* prototype */ 60 static int kex_choose_conf(struct ssh *); 61 static int kex_input_newkeys(int, u_int32_t, void *); 62 63 static const char *proposal_names[PROPOSAL_MAX] = { 64 "KEX algorithms", 65 "host key algorithms", 66 "ciphers ctos", 67 "ciphers stoc", 68 "MACs ctos", 69 "MACs stoc", 70 "compression ctos", 71 "compression stoc", 72 "languages ctos", 73 "languages stoc", 74 }; 75 76 struct kexalg { 77 const char *name; 78 u_int type; 79 int ec_nid; 80 int hash_alg; 81 }; 82 static const struct kexalg kexalgs[] = { 83 #ifdef WITH_OPENSSL 84 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, 85 { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, 86 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, 87 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, 88 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, 89 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 90 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, 91 SSH_DIGEST_SHA384 }, 92 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, 93 SSH_DIGEST_SHA512 }, 94 #endif 95 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 96 { NULL, (u_int)-1, -1, -1}, 97 }; 98 99 char * 100 kex_alg_list(char sep) 101 { 102 char *ret = NULL, *tmp; 103 size_t nlen, rlen = 0; 104 const struct kexalg *k; 105 106 for (k = kexalgs; k->name != NULL; k++) { 107 if (ret != NULL) 108 ret[rlen++] = sep; 109 nlen = strlen(k->name); 110 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 111 free(ret); 112 return NULL; 113 } 114 ret = tmp; 115 memcpy(ret + rlen, k->name, nlen + 1); 116 rlen += nlen; 117 } 118 return ret; 119 } 120 121 static const struct kexalg * 122 kex_alg_by_name(const char *name) 123 { 124 const struct kexalg *k; 125 126 for (k = kexalgs; k->name != NULL; k++) { 127 if (strcmp(k->name, name) == 0) 128 return k; 129 } 130 return NULL; 131 } 132 133 /* Validate KEX method name list */ 134 int 135 kex_names_valid(const char *names) 136 { 137 char *s, *cp, *p; 138 139 if (names == NULL || strcmp(names, "") == 0) 140 return 0; 141 if ((s = cp = strdup(names)) == NULL) 142 return 0; 143 for ((p = strsep(&cp, ",")); p && *p != '\0'; 144 (p = strsep(&cp, ","))) { 145 if (kex_alg_by_name(p) == NULL) { 146 error("Unsupported KEX algorithm \"%.100s\"", p); 147 free(s); 148 return 0; 149 } 150 } 151 debug3("kex names ok: [%s]", names); 152 free(s); 153 return 1; 154 } 155 156 /* 157 * Concatenate algorithm names, avoiding duplicates in the process. 158 * Caller must free returned string. 159 */ 160 char * 161 kex_names_cat(const char *a, const char *b) 162 { 163 char *ret = NULL, *tmp = NULL, *cp, *p; 164 size_t len; 165 166 if (a == NULL || *a == '\0') 167 return NULL; 168 if (b == NULL || *b == '\0') 169 return strdup(a); 170 if (strlen(b) > 1024*1024) 171 return NULL; 172 len = strlen(a) + strlen(b) + 2; 173 if ((tmp = cp = strdup(b)) == NULL || 174 (ret = calloc(1, len)) == NULL) { 175 free(tmp); 176 return NULL; 177 } 178 strlcpy(ret, a, len); 179 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { 180 if (match_list(ret, p, NULL) != NULL) 181 continue; /* Algorithm already present */ 182 if (strlcat(ret, ",", len) >= len || 183 strlcat(ret, p, len) >= len) { 184 free(tmp); 185 free(ret); 186 return NULL; /* Shouldn't happen */ 187 } 188 } 189 free(tmp); 190 return ret; 191 } 192 193 /* 194 * Assemble a list of algorithms from a default list and a string from a 195 * configuration file. The user-provided string may begin with '+' to 196 * indicate that it should be appended to the default. 197 */ 198 int 199 kex_assemble_names(const char *def, char **list) 200 { 201 char *ret; 202 203 if (list == NULL || *list == NULL || **list == '\0') { 204 *list = strdup(def); 205 return 0; 206 } 207 if (**list != '+') { 208 return 0; 209 } 210 211 if ((ret = kex_names_cat(def, *list + 1)) == NULL) 212 return SSH_ERR_ALLOC_FAIL; 213 free(*list); 214 *list = ret; 215 return 0; 216 } 217 218 /* put algorithm proposal into buffer */ 219 int 220 kex_prop2buf(struct sshbuf *b, const char *proposal[PROPOSAL_MAX]) 221 { 222 u_int i; 223 int r; 224 225 sshbuf_reset(b); 226 227 /* 228 * add a dummy cookie, the cookie will be overwritten by 229 * kex_send_kexinit(), each time a kexinit is set 230 */ 231 for (i = 0; i < KEX_COOKIE_LEN; i++) { 232 if ((r = sshbuf_put_u8(b, 0)) != 0) 233 return r; 234 } 235 for (i = 0; i < PROPOSAL_MAX; i++) { 236 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0) 237 return r; 238 } 239 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */ 240 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */ 241 return r; 242 return 0; 243 } 244 245 /* parse buffer and return algorithm proposal */ 246 int 247 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) 248 { 249 struct sshbuf *b = NULL; 250 u_char v; 251 u_int i; 252 char **proposal = NULL; 253 int r; 254 255 *propp = NULL; 256 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL) 257 return SSH_ERR_ALLOC_FAIL; 258 if ((b = sshbuf_fromb(raw)) == NULL) { 259 r = SSH_ERR_ALLOC_FAIL; 260 goto out; 261 } 262 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */ 263 goto out; 264 /* extract kex init proposal strings */ 265 for (i = 0; i < PROPOSAL_MAX; i++) { 266 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) 267 goto out; 268 debug2("%s: %s", proposal_names[i], proposal[i]); 269 } 270 /* first kex follows / reserved */ 271 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ 272 (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */ 273 goto out; 274 if (first_kex_follows != NULL) 275 *first_kex_follows = v; 276 debug2("first_kex_follows %d ", v); 277 debug2("reserved %u ", i); 278 r = 0; 279 *propp = proposal; 280 out: 281 if (r != 0 && proposal != NULL) 282 kex_prop_free(proposal); 283 sshbuf_free(b); 284 return r; 285 } 286 287 void 288 kex_prop_free(char **proposal) 289 { 290 u_int i; 291 292 if (proposal == NULL) 293 return; 294 for (i = 0; i < PROPOSAL_MAX; i++) 295 free(proposal[i]); 296 free(proposal); 297 } 298 299 /* ARGSUSED */ 300 static int 301 kex_protocol_error(int type, u_int32_t seq, void *ctxt) 302 { 303 struct ssh *ssh = active_state; /* XXX */ 304 int r; 305 306 error("kex protocol error: type %d seq %u", type, seq); 307 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || 308 (r = sshpkt_put_u32(ssh, seq)) != 0 || 309 (r = sshpkt_send(ssh)) != 0) 310 return r; 311 return 0; 312 } 313 314 static void 315 kex_reset_dispatch(struct ssh *ssh) 316 { 317 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN, 318 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); 319 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 320 } 321 322 static int 323 kex_send_ext_info(struct ssh *ssh) 324 { 325 int r; 326 327 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || 328 (r = sshpkt_put_u32(ssh, 1)) != 0 || 329 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || 330 (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 || 331 (r = sshpkt_send(ssh)) != 0) 332 return r; 333 return 0; 334 } 335 336 int 337 kex_send_newkeys(struct ssh *ssh) 338 { 339 int r; 340 341 kex_reset_dispatch(ssh); 342 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 || 343 (r = sshpkt_send(ssh)) != 0) 344 return r; 345 debug("SSH2_MSG_NEWKEYS sent"); 346 debug("expecting SSH2_MSG_NEWKEYS"); 347 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); 348 if (ssh->kex->ext_info_c) 349 if ((r = kex_send_ext_info(ssh)) != 0) 350 return r; 351 return 0; 352 } 353 354 int 355 kex_input_ext_info(int type, u_int32_t seq, void *ctxt) 356 { 357 struct ssh *ssh = ctxt; 358 struct kex *kex = ssh->kex; 359 u_int32_t i, ninfo; 360 char *name, *val, *found; 361 int r; 362 363 debug("SSH2_MSG_EXT_INFO received"); 364 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); 365 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) 366 return r; 367 if (ninfo > 1024) { 368 fatal("%s: too many %u fields", __func__, ninfo); 369 return SSH_ERR_INTERNAL_ERROR; 370 } 371 for (i = 0; i < ninfo; i++) { 372 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) 373 return r; 374 if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) { 375 free(name); 376 return r; 377 } 378 debug("%s: %s=<%s>", __func__, name, val); 379 if (strcmp(name, "server-sig-algs") == 0) { 380 found = match_list("rsa-sha2-256", val, NULL); 381 if (found) { 382 kex->rsa_sha2 = 256; 383 free(found); 384 } 385 found = match_list("rsa-sha2-512", val, NULL); 386 if (found) { 387 kex->rsa_sha2 = 512; 388 free(found); 389 } 390 } 391 free(name); 392 free(val); 393 } 394 return sshpkt_get_end(ssh); 395 } 396 397 static int 398 kex_input_newkeys(int type, u_int32_t seq, void *ctxt) 399 { 400 struct ssh *ssh = ctxt; 401 struct kex *kex = ssh->kex; 402 int r; 403 404 debug("SSH2_MSG_NEWKEYS received"); 405 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); 406 if ((r = sshpkt_get_end(ssh)) != 0) 407 return r; 408 kex->done = 1; 409 sshbuf_reset(kex->peer); 410 /* sshbuf_reset(kex->my); */ 411 kex->flags &= ~KEX_INIT_SENT; 412 free(kex->name); 413 kex->name = NULL; 414 return 0; 415 } 416 417 int 418 kex_send_kexinit(struct ssh *ssh) 419 { 420 u_char *cookie; 421 struct kex *kex = ssh->kex; 422 int r; 423 424 if (kex == NULL) 425 return SSH_ERR_INTERNAL_ERROR; 426 if (kex->flags & KEX_INIT_SENT) 427 return 0; 428 kex->done = 0; 429 430 /* generate a random cookie */ 431 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) 432 return SSH_ERR_INVALID_FORMAT; 433 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) 434 return SSH_ERR_INTERNAL_ERROR; 435 arc4random_buf(cookie, KEX_COOKIE_LEN); 436 437 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || 438 (r = sshpkt_putb(ssh, kex->my)) != 0 || 439 (r = sshpkt_send(ssh)) != 0) 440 return r; 441 debug("SSH2_MSG_KEXINIT sent"); 442 kex->flags |= KEX_INIT_SENT; 443 return 0; 444 } 445 446 /* ARGSUSED */ 447 int 448 kex_input_kexinit(int type, u_int32_t seq, void *ctxt) 449 { 450 struct ssh *ssh = ctxt; 451 struct kex *kex = ssh->kex; 452 const u_char *ptr; 453 u_int i; 454 size_t dlen; 455 int r; 456 457 debug("SSH2_MSG_KEXINIT received"); 458 if (kex == NULL) 459 return SSH_ERR_INVALID_ARGUMENT; 460 461 ptr = sshpkt_ptr(ssh, &dlen); 462 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) 463 return r; 464 465 /* discard packet */ 466 for (i = 0; i < KEX_COOKIE_LEN; i++) 467 if ((r = sshpkt_get_u8(ssh, NULL)) != 0) 468 return r; 469 for (i = 0; i < PROPOSAL_MAX; i++) 470 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) 471 return r; 472 /* 473 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported 474 * KEX method has the server move first, but a server might be using 475 * a custom method or one that we otherwise don't support. We should 476 * be prepared to remember first_kex_follows here so we can eat a 477 * packet later. 478 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means 479 * for cases where the server *doesn't* go first. I guess we should 480 * ignore it when it is set for these cases, which is what we do now. 481 */ 482 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */ 483 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */ 484 (r = sshpkt_get_end(ssh)) != 0) 485 return r; 486 487 if (!(kex->flags & KEX_INIT_SENT)) 488 if ((r = kex_send_kexinit(ssh)) != 0) 489 return r; 490 if ((r = kex_choose_conf(ssh)) != 0) 491 return r; 492 493 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) 494 return (kex->kex[kex->kex_type])(ssh); 495 496 return SSH_ERR_INTERNAL_ERROR; 497 } 498 499 int 500 kex_new(struct ssh *ssh, const char *proposal[PROPOSAL_MAX], struct kex **kexp) 501 { 502 struct kex *kex; 503 int r; 504 505 *kexp = NULL; 506 if ((kex = calloc(1, sizeof(*kex))) == NULL) 507 return SSH_ERR_ALLOC_FAIL; 508 if ((kex->peer = sshbuf_new()) == NULL || 509 (kex->my = sshbuf_new()) == NULL) { 510 r = SSH_ERR_ALLOC_FAIL; 511 goto out; 512 } 513 if ((r = kex_prop2buf(kex->my, proposal)) != 0) 514 goto out; 515 kex->done = 0; 516 kex_reset_dispatch(ssh); 517 r = 0; 518 *kexp = kex; 519 out: 520 if (r != 0) 521 kex_free(kex); 522 return r; 523 } 524 525 void 526 kex_free_newkeys(struct newkeys *newkeys) 527 { 528 if (newkeys == NULL) 529 return; 530 if (newkeys->enc.key) { 531 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len); 532 free(newkeys->enc.key); 533 newkeys->enc.key = NULL; 534 } 535 if (newkeys->enc.iv) { 536 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); 537 free(newkeys->enc.iv); 538 newkeys->enc.iv = NULL; 539 } 540 free(newkeys->enc.name); 541 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc)); 542 free(newkeys->comp.name); 543 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp)); 544 mac_clear(&newkeys->mac); 545 if (newkeys->mac.key) { 546 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len); 547 free(newkeys->mac.key); 548 newkeys->mac.key = NULL; 549 } 550 free(newkeys->mac.name); 551 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac)); 552 explicit_bzero(newkeys, sizeof(*newkeys)); 553 free(newkeys); 554 } 555 556 void 557 kex_free(struct kex *kex) 558 { 559 u_int mode; 560 561 #ifdef WITH_OPENSSL 562 if (kex->dh) 563 DH_free(kex->dh); 564 if (kex->ec_client_key) 565 EC_KEY_free(kex->ec_client_key); 566 #endif 567 for (mode = 0; mode < MODE_MAX; mode++) { 568 kex_free_newkeys(kex->newkeys[mode]); 569 kex->newkeys[mode] = NULL; 570 } 571 sshbuf_free(kex->peer); 572 sshbuf_free(kex->my); 573 free(kex->session_id); 574 free(kex->client_version_string); 575 free(kex->server_version_string); 576 free(kex->failed_choice); 577 free(kex->hostkey_alg); 578 free(kex->name); 579 free(kex); 580 } 581 582 int 583 kex_setup(struct ssh *ssh, const char *proposal[PROPOSAL_MAX]) 584 { 585 int r; 586 587 if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0) 588 return r; 589 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */ 590 kex_free(ssh->kex); 591 ssh->kex = NULL; 592 return r; 593 } 594 return 0; 595 } 596 597 /* 598 * Request key re-exchange, returns 0 on success or a ssherr.h error 599 * code otherwise. Must not be called if KEX is incomplete or in-progress. 600 */ 601 int 602 kex_start_rekex(struct ssh *ssh) 603 { 604 if (ssh->kex == NULL) { 605 error("%s: no kex", __func__); 606 return SSH_ERR_INTERNAL_ERROR; 607 } 608 if (ssh->kex->done == 0) { 609 error("%s: requested twice", __func__); 610 return SSH_ERR_INTERNAL_ERROR; 611 } 612 ssh->kex->done = 0; 613 return kex_send_kexinit(ssh); 614 } 615 616 static int 617 choose_enc(struct sshenc *enc, char *client, char *server) 618 { 619 char *name = match_list(client, server, NULL); 620 621 if (name == NULL) 622 return SSH_ERR_NO_CIPHER_ALG_MATCH; 623 624 if ((enc->cipher = cipher_by_name(name)) == NULL) 625 return SSH_ERR_INTERNAL_ERROR; 626 enc->name = name; 627 enc->enabled = 0; 628 enc->iv = NULL; 629 enc->iv_len = cipher_ivlen(enc->cipher); 630 enc->key = NULL; 631 enc->key_len = cipher_keylen(enc->cipher); 632 enc->block_size = cipher_blocksize(enc->cipher); 633 return 0; 634 } 635 636 static int 637 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) 638 { 639 char *name = match_list(client, server, NULL); 640 641 if (name == NULL) 642 return SSH_ERR_NO_MAC_ALG_MATCH; 643 if (mac_setup(mac, name) < 0) 644 return SSH_ERR_INTERNAL_ERROR; 645 /* truncate the key */ 646 if (ssh->compat & SSH_BUG_HMAC) 647 mac->key_len = 16; 648 mac->name = name; 649 mac->key = NULL; 650 mac->enabled = 0; 651 return 0; 652 } 653 654 static int 655 choose_comp(struct sshcomp *comp, char *client, char *server) 656 { 657 char *name = match_list(client, server, NULL); 658 659 if (name == NULL) 660 return SSH_ERR_NO_COMPRESS_ALG_MATCH; 661 if (strcmp(name, "zlib@openssh.com") == 0) { 662 comp->type = COMP_DELAYED; 663 } else if (strcmp(name, "zlib") == 0) { 664 comp->type = COMP_ZLIB; 665 } else if (strcmp(name, "none") == 0) { 666 comp->type = COMP_NONE; 667 } else { 668 return SSH_ERR_INTERNAL_ERROR; 669 } 670 comp->name = name; 671 return 0; 672 } 673 674 static int 675 choose_kex(struct kex *k, char *client, char *server) 676 { 677 const struct kexalg *kexalg; 678 679 k->name = match_list(client, server, NULL); 680 681 debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); 682 if (k->name == NULL) 683 return SSH_ERR_NO_KEX_ALG_MATCH; 684 if ((kexalg = kex_alg_by_name(k->name)) == NULL) 685 return SSH_ERR_INTERNAL_ERROR; 686 k->kex_type = kexalg->type; 687 k->hash_alg = kexalg->hash_alg; 688 k->ec_nid = kexalg->ec_nid; 689 return 0; 690 } 691 692 static int 693 choose_hostkeyalg(struct kex *k, char *client, char *server) 694 { 695 k->hostkey_alg = match_list(client, server, NULL); 696 697 debug("kex: host key algorithm: %s", 698 k->hostkey_alg ? k->hostkey_alg : "(no match)"); 699 if (k->hostkey_alg == NULL) 700 return SSH_ERR_NO_HOSTKEY_ALG_MATCH; 701 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); 702 if (k->hostkey_type == KEY_UNSPEC) 703 return SSH_ERR_INTERNAL_ERROR; 704 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); 705 return 0; 706 } 707 708 static int 709 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) 710 { 711 static int check[] = { 712 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 713 }; 714 int *idx; 715 char *p; 716 717 for (idx = &check[0]; *idx != -1; idx++) { 718 if ((p = strchr(my[*idx], ',')) != NULL) 719 *p = '\0'; 720 if ((p = strchr(peer[*idx], ',')) != NULL) 721 *p = '\0'; 722 if (strcmp(my[*idx], peer[*idx]) != 0) { 723 debug2("proposal mismatch: my %s peer %s", 724 my[*idx], peer[*idx]); 725 return (0); 726 } 727 } 728 debug2("proposals match"); 729 return (1); 730 } 731 732 static int 733 kex_choose_conf(struct ssh *ssh) 734 { 735 struct kex *kex = ssh->kex; 736 struct newkeys *newkeys; 737 char **my = NULL, **peer = NULL; 738 char **cprop, **sprop; 739 int nenc, nmac, ncomp; 740 u_int mode, ctos, need, dh_need, authlen; 741 int log_flag = 0; 742 int r, first_kex_follows; 743 744 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); 745 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) 746 goto out; 747 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); 748 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) 749 goto out; 750 751 if (kex->server) { 752 cprop=peer; 753 sprop=my; 754 } else { 755 cprop=my; 756 sprop=peer; 757 } 758 759 /* Check whether client supports ext_info_c */ 760 if (kex->server) { 761 char *ext; 762 763 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); 764 if (ext) { 765 kex->ext_info_c = 1; 766 free(ext); 767 } 768 } 769 770 /* Algorithm Negotiation */ 771 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], 772 sprop[PROPOSAL_KEX_ALGS])) != 0) { 773 kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; 774 peer[PROPOSAL_KEX_ALGS] = NULL; 775 goto out; 776 } 777 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], 778 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { 779 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; 780 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; 781 goto out; 782 } 783 for (mode = 0; mode < MODE_MAX; mode++) { 784 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { 785 r = SSH_ERR_ALLOC_FAIL; 786 goto out; 787 } 788 kex->newkeys[mode] = newkeys; 789 ctos = (!kex->server && mode == MODE_OUT) || 790 (kex->server && mode == MODE_IN); 791 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 792 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 793 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 794 if ((r = choose_enc(&newkeys->enc, cprop[nenc], 795 sprop[nenc])) != 0) { 796 kex->failed_choice = peer[nenc]; 797 peer[nenc] = NULL; 798 goto out; 799 } 800 authlen = cipher_authlen(newkeys->enc.cipher); 801 /* ignore mac for authenticated encryption */ 802 if (authlen == 0 && 803 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], 804 sprop[nmac])) != 0) { 805 kex->failed_choice = peer[nmac]; 806 peer[nmac] = NULL; 807 goto out; 808 } 809 if ((r = choose_comp(&newkeys->comp, cprop[ncomp], 810 sprop[ncomp])) != 0) { 811 kex->failed_choice = peer[ncomp]; 812 peer[ncomp] = NULL; 813 goto out; 814 } 815 debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); 816 if (strcmp(newkeys->enc.name, "none") == 0) { 817 int auth_flag; 818 819 auth_flag = ssh_packet_authentication_state(); 820 debug("Requesting NONE. Authflag is %d", auth_flag); 821 if (auth_flag == 1) { 822 debug("None requested post authentication."); 823 } else { 824 fatal("Pre-authentication none cipher requests are not allowed."); 825 } 826 } 827 debug("kex: %s cipher: %s MAC: %s compression: %s", 828 ctos ? "client->server" : "server->client", 829 newkeys->enc.name, 830 authlen == 0 ? newkeys->mac.name : "<implicit>", 831 newkeys->comp.name); 832 /* client starts withctos = 0 && log flag = 0 and no log*/ 833 /* 2nd client pass ctos=1 and flag = 1 so no log*/ 834 /* server starts with ctos =1 && log_flag = 0 so log */ 835 /* 2nd sever pass ctos = 1 && log flag = 1 so no log*/ 836 /* -cjr*/ 837 if (ctos && !log_flag) { 838 logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s", 839 get_remote_ipaddr(), 840 get_remote_port(), 841 newkeys->enc.name, 842 newkeys->mac.name, 843 newkeys->comp.name); 844 } 845 log_flag = 1; 846 } 847 need = dh_need = 0; 848 for (mode = 0; mode < MODE_MAX; mode++) { 849 newkeys = kex->newkeys[mode]; 850 need = MAX(need, newkeys->enc.key_len); 851 need = MAX(need, newkeys->enc.block_size); 852 need = MAX(need, newkeys->enc.iv_len); 853 need = MAX(need, newkeys->mac.key_len); 854 dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher)); 855 dh_need = MAX(dh_need, newkeys->enc.block_size); 856 dh_need = MAX(dh_need, newkeys->enc.iv_len); 857 dh_need = MAX(dh_need, newkeys->mac.key_len); 858 } 859 /* XXX need runden? */ 860 kex->we_need = need; 861 kex->dh_need = dh_need; 862 863 /* ignore the next message if the proposals do not match */ 864 if (first_kex_follows && !proposals_match(my, peer) && 865 !(ssh->compat & SSH_BUG_FIRSTKEX)) 866 ssh->dispatch_skip_packets = 1; 867 r = 0; 868 out: 869 kex_prop_free(my); 870 kex_prop_free(peer); 871 return r; 872 } 873 874 static int 875 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, 876 const struct sshbuf *shared_secret, u_char **keyp) 877 { 878 struct kex *kex = ssh->kex; 879 struct ssh_digest_ctx *hashctx = NULL; 880 char c = id; 881 u_int have; 882 size_t mdsz; 883 u_char *digest; 884 int r; 885 886 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) 887 return SSH_ERR_INVALID_ARGUMENT; 888 if ((digest = calloc(1, roundup(need, mdsz))) == NULL) { 889 r = SSH_ERR_ALLOC_FAIL; 890 goto out; 891 } 892 893 /* K1 = HASH(K || H || "A" || session_id) */ 894 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 895 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 896 ssh_digest_update(hashctx, hash, hashlen) != 0 || 897 ssh_digest_update(hashctx, &c, 1) != 0 || 898 ssh_digest_update(hashctx, kex->session_id, 899 kex->session_id_len) != 0 || 900 ssh_digest_final(hashctx, digest, mdsz) != 0) { 901 r = SSH_ERR_LIBCRYPTO_ERROR; 902 goto out; 903 } 904 ssh_digest_free(hashctx); 905 hashctx = NULL; 906 907 /* 908 * expand key: 909 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) 910 * Key = K1 || K2 || ... || Kn 911 */ 912 for (have = mdsz; need > have; have += mdsz) { 913 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 914 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 915 ssh_digest_update(hashctx, hash, hashlen) != 0 || 916 ssh_digest_update(hashctx, digest, have) != 0 || 917 ssh_digest_final(hashctx, digest + have, mdsz) != 0) { 918 r = SSH_ERR_LIBCRYPTO_ERROR; 919 goto out; 920 } 921 ssh_digest_free(hashctx); 922 hashctx = NULL; 923 } 924 #ifdef DEBUG_KEX 925 fprintf(stderr, "key '%c'== ", c); 926 dump_digest("key", digest, need); 927 #endif 928 *keyp = digest; 929 digest = NULL; 930 r = 0; 931 out: 932 free(digest); 933 ssh_digest_free(hashctx); 934 return r; 935 } 936 937 #define NKEYS 6 938 int 939 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen, 940 const struct sshbuf *shared_secret) 941 { 942 struct kex *kex = ssh->kex; 943 u_char *keys[NKEYS]; 944 u_int i, j, mode, ctos; 945 int r; 946 947 for (i = 0; i < NKEYS; i++) { 948 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, 949 shared_secret, &keys[i])) != 0) { 950 for (j = 0; j < i; j++) 951 free(keys[j]); 952 return r; 953 } 954 } 955 for (mode = 0; mode < MODE_MAX; mode++) { 956 ctos = (!kex->server && mode == MODE_OUT) || 957 (kex->server && mode == MODE_IN); 958 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1]; 959 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3]; 960 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5]; 961 } 962 return 0; 963 } 964 965 #ifdef WITH_OPENSSL 966 int 967 kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen, 968 const BIGNUM *secret) 969 { 970 struct sshbuf *shared_secret; 971 int r; 972 973 if ((shared_secret = sshbuf_new()) == NULL) 974 return SSH_ERR_ALLOC_FAIL; 975 if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0) 976 r = kex_derive_keys(ssh, hash, hashlen, shared_secret); 977 sshbuf_free(shared_secret); 978 return r; 979 } 980 #endif 981 982 #ifdef WITH_SSH1 983 int 984 derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, 985 u_int8_t cookie[8], u_int8_t id[16]) 986 { 987 u_int8_t hbuf[2048], sbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH]; 988 struct ssh_digest_ctx *hashctx = NULL; 989 size_t hlen, slen; 990 int r; 991 992 hlen = BN_num_bytes(host_modulus); 993 slen = BN_num_bytes(server_modulus); 994 if (hlen < (512 / 8) || (u_int)hlen > sizeof(hbuf) || 995 slen < (512 / 8) || (u_int)slen > sizeof(sbuf)) 996 return SSH_ERR_KEY_BITS_MISMATCH; 997 if (BN_bn2bin(host_modulus, hbuf) <= 0 || 998 BN_bn2bin(server_modulus, sbuf) <= 0) { 999 r = SSH_ERR_LIBCRYPTO_ERROR; 1000 goto out; 1001 } 1002 if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) { 1003 r = SSH_ERR_ALLOC_FAIL; 1004 goto out; 1005 } 1006 if (ssh_digest_update(hashctx, hbuf, hlen) != 0 || 1007 ssh_digest_update(hashctx, sbuf, slen) != 0 || 1008 ssh_digest_update(hashctx, cookie, 8) != 0 || 1009 ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) { 1010 r = SSH_ERR_LIBCRYPTO_ERROR; 1011 goto out; 1012 } 1013 memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5)); 1014 r = 0; 1015 out: 1016 ssh_digest_free(hashctx); 1017 explicit_bzero(hbuf, sizeof(hbuf)); 1018 explicit_bzero(sbuf, sizeof(sbuf)); 1019 explicit_bzero(obuf, sizeof(obuf)); 1020 return r; 1021 } 1022 #endif 1023 1024 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) 1025 void 1026 dump_digest(char *msg, u_char *digest, int len) 1027 { 1028 fprintf(stderr, "%s\n", msg); 1029 sshbuf_dump_data(digest, len, stderr); 1030 } 1031 #endif 1032