1 /* $NetBSD: kex.c,v 1.16 2016/08/02 13:45:12 christos Exp $ */ 2 /* $OpenBSD: kex.c,v 1.118 2016/05/02 10:26:04 djm Exp $ */ 3 /* 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include "includes.h" 28 __RCSID("$NetBSD: kex.c,v 1.16 2016/08/02 13:45:12 christos Exp $"); 29 #include <sys/param.h> /* MAX roundup */ 30 31 #include <signal.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 36 #ifdef WITH_OPENSSL 37 #include <openssl/crypto.h> 38 #endif 39 40 #include "ssh2.h" 41 #include "packet.h" 42 #include "compat.h" 43 #include "cipher.h" 44 #include "sshkey.h" 45 #include "kex.h" 46 #include "log.h" 47 #include "mac.h" 48 #include "match.h" 49 #include "misc.h" 50 #include "dispatch.h" 51 #include "packet.h" 52 #include "monitor.h" 53 #include "canohost.h" 54 55 #include "ssherr.h" 56 #include "sshbuf.h" 57 #include "digest.h" 58 59 /* prototype */ 60 static int kex_choose_conf(struct ssh *); 61 static int kex_input_newkeys(int, u_int32_t, void *); 62 63 static const char *proposal_names[PROPOSAL_MAX] = { 64 "KEX algorithms", 65 "host key algorithms", 66 "ciphers ctos", 67 "ciphers stoc", 68 "MACs ctos", 69 "MACs stoc", 70 "compression ctos", 71 "compression stoc", 72 "languages ctos", 73 "languages stoc", 74 }; 75 76 struct kexalg { 77 const char *name; 78 u_int type; 79 int ec_nid; 80 int hash_alg; 81 }; 82 static const struct kexalg kexalgs[] = { 83 #ifdef WITH_OPENSSL 84 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, 85 { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, 86 { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, 87 { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, 88 { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, 89 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, 90 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, 91 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, 92 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 93 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, 94 SSH_DIGEST_SHA384 }, 95 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, 96 SSH_DIGEST_SHA512 }, 97 #endif 98 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 99 { NULL, (u_int)-1, -1, -1}, 100 }; 101 102 char * 103 kex_alg_list(char sep) 104 { 105 char *ret = NULL, *tmp; 106 size_t nlen, rlen = 0; 107 const struct kexalg *k; 108 109 for (k = kexalgs; k->name != NULL; k++) { 110 if (ret != NULL) 111 ret[rlen++] = sep; 112 nlen = strlen(k->name); 113 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 114 free(ret); 115 return NULL; 116 } 117 ret = tmp; 118 memcpy(ret + rlen, k->name, nlen + 1); 119 rlen += nlen; 120 } 121 return ret; 122 } 123 124 static const struct kexalg * 125 kex_alg_by_name(const char *name) 126 { 127 const struct kexalg *k; 128 129 for (k = kexalgs; k->name != NULL; k++) { 130 if (strcmp(k->name, name) == 0) 131 return k; 132 } 133 return NULL; 134 } 135 136 /* Validate KEX method name list */ 137 int 138 kex_names_valid(const char *names) 139 { 140 char *s, *cp, *p; 141 142 if (names == NULL || strcmp(names, "") == 0) 143 return 0; 144 if ((s = cp = strdup(names)) == NULL) 145 return 0; 146 for ((p = strsep(&cp, ",")); p && *p != '\0'; 147 (p = strsep(&cp, ","))) { 148 if (kex_alg_by_name(p) == NULL) { 149 error("Unsupported KEX algorithm \"%.100s\"", p); 150 free(s); 151 return 0; 152 } 153 } 154 debug3("kex names ok: [%s]", names); 155 free(s); 156 return 1; 157 } 158 159 /* 160 * Concatenate algorithm names, avoiding duplicates in the process. 161 * Caller must free returned string. 162 */ 163 char * 164 kex_names_cat(const char *a, const char *b) 165 { 166 char *ret = NULL, *tmp = NULL, *cp, *p; 167 size_t len; 168 169 if (a == NULL || *a == '\0') 170 return NULL; 171 if (b == NULL || *b == '\0') 172 return strdup(a); 173 if (strlen(b) > 1024*1024) 174 return NULL; 175 len = strlen(a) + strlen(b) + 2; 176 if ((tmp = cp = strdup(b)) == NULL || 177 (ret = calloc(1, len)) == NULL) { 178 free(tmp); 179 return NULL; 180 } 181 strlcpy(ret, a, len); 182 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { 183 if (match_list(ret, p, NULL) != NULL) 184 continue; /* Algorithm already present */ 185 if (strlcat(ret, ",", len) >= len || 186 strlcat(ret, p, len) >= len) { 187 free(tmp); 188 free(ret); 189 return NULL; /* Shouldn't happen */ 190 } 191 } 192 free(tmp); 193 return ret; 194 } 195 196 /* 197 * Assemble a list of algorithms from a default list and a string from a 198 * configuration file. The user-provided string may begin with '+' to 199 * indicate that it should be appended to the default. 200 */ 201 int 202 kex_assemble_names(const char *def, char **list) 203 { 204 char *ret; 205 206 if (list == NULL || *list == NULL || **list == '\0') { 207 *list = strdup(def); 208 return 0; 209 } 210 if (**list != '+') { 211 return 0; 212 } 213 214 if ((ret = kex_names_cat(def, *list + 1)) == NULL) 215 return SSH_ERR_ALLOC_FAIL; 216 free(*list); 217 *list = ret; 218 return 0; 219 } 220 221 /* put algorithm proposal into buffer */ 222 int 223 kex_prop2buf(struct sshbuf *b, const char *proposal[PROPOSAL_MAX]) 224 { 225 u_int i; 226 int r; 227 228 sshbuf_reset(b); 229 230 /* 231 * add a dummy cookie, the cookie will be overwritten by 232 * kex_send_kexinit(), each time a kexinit is set 233 */ 234 for (i = 0; i < KEX_COOKIE_LEN; i++) { 235 if ((r = sshbuf_put_u8(b, 0)) != 0) 236 return r; 237 } 238 for (i = 0; i < PROPOSAL_MAX; i++) { 239 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0) 240 return r; 241 } 242 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */ 243 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */ 244 return r; 245 return 0; 246 } 247 248 /* parse buffer and return algorithm proposal */ 249 int 250 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) 251 { 252 struct sshbuf *b = NULL; 253 u_char v; 254 u_int i; 255 char **proposal = NULL; 256 int r; 257 258 *propp = NULL; 259 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL) 260 return SSH_ERR_ALLOC_FAIL; 261 if ((b = sshbuf_fromb(raw)) == NULL) { 262 r = SSH_ERR_ALLOC_FAIL; 263 goto out; 264 } 265 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */ 266 goto out; 267 /* extract kex init proposal strings */ 268 for (i = 0; i < PROPOSAL_MAX; i++) { 269 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) 270 goto out; 271 debug2("%s: %s", proposal_names[i], proposal[i]); 272 } 273 /* first kex follows / reserved */ 274 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ 275 (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */ 276 goto out; 277 if (first_kex_follows != NULL) 278 *first_kex_follows = v; 279 debug2("first_kex_follows %d ", v); 280 debug2("reserved %u ", i); 281 r = 0; 282 *propp = proposal; 283 out: 284 if (r != 0 && proposal != NULL) 285 kex_prop_free(proposal); 286 sshbuf_free(b); 287 return r; 288 } 289 290 void 291 kex_prop_free(char **proposal) 292 { 293 u_int i; 294 295 if (proposal == NULL) 296 return; 297 for (i = 0; i < PROPOSAL_MAX; i++) 298 free(proposal[i]); 299 free(proposal); 300 } 301 302 /* ARGSUSED */ 303 static int 304 kex_protocol_error(int type, u_int32_t seq, void *ctxt) 305 { 306 struct ssh *ssh = active_state; /* XXX */ 307 int r; 308 309 error("kex protocol error: type %d seq %u", type, seq); 310 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || 311 (r = sshpkt_put_u32(ssh, seq)) != 0 || 312 (r = sshpkt_send(ssh)) != 0) 313 return r; 314 return 0; 315 } 316 317 static void 318 kex_reset_dispatch(struct ssh *ssh) 319 { 320 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN, 321 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); 322 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 323 } 324 325 static int 326 kex_send_ext_info(struct ssh *ssh) 327 { 328 int r; 329 330 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || 331 (r = sshpkt_put_u32(ssh, 1)) != 0 || 332 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || 333 (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 || 334 (r = sshpkt_send(ssh)) != 0) 335 return r; 336 return 0; 337 } 338 339 int 340 kex_send_newkeys(struct ssh *ssh) 341 { 342 int r; 343 344 kex_reset_dispatch(ssh); 345 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 || 346 (r = sshpkt_send(ssh)) != 0) 347 return r; 348 debug("SSH2_MSG_NEWKEYS sent"); 349 debug("expecting SSH2_MSG_NEWKEYS"); 350 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); 351 if (ssh->kex->ext_info_c) 352 if ((r = kex_send_ext_info(ssh)) != 0) 353 return r; 354 return 0; 355 } 356 357 int 358 kex_input_ext_info(int type, u_int32_t seq, void *ctxt) 359 { 360 struct ssh *ssh = ctxt; 361 struct kex *kex = ssh->kex; 362 u_int32_t i, ninfo; 363 char *name, *val, *found; 364 int r; 365 366 debug("SSH2_MSG_EXT_INFO received"); 367 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); 368 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) 369 return r; 370 if (ninfo > 1024) { 371 fatal("%s: too many %u fields", __func__, ninfo); 372 return SSH_ERR_INTERNAL_ERROR; 373 } 374 for (i = 0; i < ninfo; i++) { 375 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) 376 return r; 377 if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) { 378 free(name); 379 return r; 380 } 381 debug("%s: %s=<%s>", __func__, name, val); 382 if (strcmp(name, "server-sig-algs") == 0) { 383 found = match_list("rsa-sha2-256", val, NULL); 384 if (found) { 385 kex->rsa_sha2 = 256; 386 free(found); 387 } 388 found = match_list("rsa-sha2-512", val, NULL); 389 if (found) { 390 kex->rsa_sha2 = 512; 391 free(found); 392 } 393 } 394 free(name); 395 free(val); 396 } 397 return sshpkt_get_end(ssh); 398 } 399 400 static int 401 kex_input_newkeys(int type, u_int32_t seq, void *ctxt) 402 { 403 struct ssh *ssh = ctxt; 404 struct kex *kex = ssh->kex; 405 int r; 406 407 debug("SSH2_MSG_NEWKEYS received"); 408 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); 409 if ((r = sshpkt_get_end(ssh)) != 0) 410 return r; 411 kex->done = 1; 412 sshbuf_reset(kex->peer); 413 /* sshbuf_reset(kex->my); */ 414 kex->flags &= ~KEX_INIT_SENT; 415 free(kex->name); 416 kex->name = NULL; 417 return 0; 418 } 419 420 int 421 kex_send_kexinit(struct ssh *ssh) 422 { 423 u_char *cookie; 424 struct kex *kex = ssh->kex; 425 int r; 426 427 if (kex == NULL) 428 return SSH_ERR_INTERNAL_ERROR; 429 if (kex->flags & KEX_INIT_SENT) 430 return 0; 431 kex->done = 0; 432 433 /* generate a random cookie */ 434 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) 435 return SSH_ERR_INVALID_FORMAT; 436 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) 437 return SSH_ERR_INTERNAL_ERROR; 438 arc4random_buf(cookie, KEX_COOKIE_LEN); 439 440 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || 441 (r = sshpkt_putb(ssh, kex->my)) != 0 || 442 (r = sshpkt_send(ssh)) != 0) 443 return r; 444 debug("SSH2_MSG_KEXINIT sent"); 445 kex->flags |= KEX_INIT_SENT; 446 return 0; 447 } 448 449 /* ARGSUSED */ 450 int 451 kex_input_kexinit(int type, u_int32_t seq, void *ctxt) 452 { 453 struct ssh *ssh = ctxt; 454 struct kex *kex = ssh->kex; 455 const u_char *ptr; 456 u_int i; 457 size_t dlen; 458 int r; 459 460 debug("SSH2_MSG_KEXINIT received"); 461 if (kex == NULL) 462 return SSH_ERR_INVALID_ARGUMENT; 463 464 ptr = sshpkt_ptr(ssh, &dlen); 465 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) 466 return r; 467 468 /* discard packet */ 469 for (i = 0; i < KEX_COOKIE_LEN; i++) 470 if ((r = sshpkt_get_u8(ssh, NULL)) != 0) 471 return r; 472 for (i = 0; i < PROPOSAL_MAX; i++) 473 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) 474 return r; 475 /* 476 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported 477 * KEX method has the server move first, but a server might be using 478 * a custom method or one that we otherwise don't support. We should 479 * be prepared to remember first_kex_follows here so we can eat a 480 * packet later. 481 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means 482 * for cases where the server *doesn't* go first. I guess we should 483 * ignore it when it is set for these cases, which is what we do now. 484 */ 485 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */ 486 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */ 487 (r = sshpkt_get_end(ssh)) != 0) 488 return r; 489 490 if (!(kex->flags & KEX_INIT_SENT)) 491 if ((r = kex_send_kexinit(ssh)) != 0) 492 return r; 493 if ((r = kex_choose_conf(ssh)) != 0) 494 return r; 495 496 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) 497 return (kex->kex[kex->kex_type])(ssh); 498 499 return SSH_ERR_INTERNAL_ERROR; 500 } 501 502 int 503 kex_new(struct ssh *ssh, const char *proposal[PROPOSAL_MAX], struct kex **kexp) 504 { 505 struct kex *kex; 506 int r; 507 508 *kexp = NULL; 509 if ((kex = calloc(1, sizeof(*kex))) == NULL) 510 return SSH_ERR_ALLOC_FAIL; 511 if ((kex->peer = sshbuf_new()) == NULL || 512 (kex->my = sshbuf_new()) == NULL) { 513 r = SSH_ERR_ALLOC_FAIL; 514 goto out; 515 } 516 if ((r = kex_prop2buf(kex->my, proposal)) != 0) 517 goto out; 518 kex->done = 0; 519 kex_reset_dispatch(ssh); 520 r = 0; 521 *kexp = kex; 522 out: 523 if (r != 0) 524 kex_free(kex); 525 return r; 526 } 527 528 void 529 kex_free_newkeys(struct newkeys *newkeys) 530 { 531 if (newkeys == NULL) 532 return; 533 if (newkeys->enc.key) { 534 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len); 535 free(newkeys->enc.key); 536 newkeys->enc.key = NULL; 537 } 538 if (newkeys->enc.iv) { 539 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); 540 free(newkeys->enc.iv); 541 newkeys->enc.iv = NULL; 542 } 543 free(newkeys->enc.name); 544 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc)); 545 free(newkeys->comp.name); 546 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp)); 547 mac_clear(&newkeys->mac); 548 if (newkeys->mac.key) { 549 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len); 550 free(newkeys->mac.key); 551 newkeys->mac.key = NULL; 552 } 553 free(newkeys->mac.name); 554 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac)); 555 explicit_bzero(newkeys, sizeof(*newkeys)); 556 free(newkeys); 557 } 558 559 void 560 kex_free(struct kex *kex) 561 { 562 u_int mode; 563 564 #ifdef WITH_OPENSSL 565 if (kex->dh) 566 DH_free(kex->dh); 567 if (kex->ec_client_key) 568 EC_KEY_free(kex->ec_client_key); 569 #endif 570 for (mode = 0; mode < MODE_MAX; mode++) { 571 kex_free_newkeys(kex->newkeys[mode]); 572 kex->newkeys[mode] = NULL; 573 } 574 sshbuf_free(kex->peer); 575 sshbuf_free(kex->my); 576 free(kex->session_id); 577 free(kex->client_version_string); 578 free(kex->server_version_string); 579 free(kex->failed_choice); 580 free(kex->hostkey_alg); 581 free(kex->name); 582 free(kex); 583 } 584 585 int 586 kex_setup(struct ssh *ssh, const char *proposal[PROPOSAL_MAX]) 587 { 588 int r; 589 590 if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0) 591 return r; 592 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */ 593 kex_free(ssh->kex); 594 ssh->kex = NULL; 595 return r; 596 } 597 return 0; 598 } 599 600 /* 601 * Request key re-exchange, returns 0 on success or a ssherr.h error 602 * code otherwise. Must not be called if KEX is incomplete or in-progress. 603 */ 604 int 605 kex_start_rekex(struct ssh *ssh) 606 { 607 if (ssh->kex == NULL) { 608 error("%s: no kex", __func__); 609 return SSH_ERR_INTERNAL_ERROR; 610 } 611 if (ssh->kex->done == 0) { 612 error("%s: requested twice", __func__); 613 return SSH_ERR_INTERNAL_ERROR; 614 } 615 ssh->kex->done = 0; 616 return kex_send_kexinit(ssh); 617 } 618 619 static int 620 choose_enc(struct sshenc *enc, char *client, char *server) 621 { 622 char *name = match_list(client, server, NULL); 623 624 if (name == NULL) 625 return SSH_ERR_NO_CIPHER_ALG_MATCH; 626 627 if ((enc->cipher = cipher_by_name(name)) == NULL) 628 return SSH_ERR_INTERNAL_ERROR; 629 enc->name = name; 630 enc->enabled = 0; 631 enc->iv = NULL; 632 enc->iv_len = cipher_ivlen(enc->cipher); 633 enc->key = NULL; 634 enc->key_len = cipher_keylen(enc->cipher); 635 enc->block_size = cipher_blocksize(enc->cipher); 636 return 0; 637 } 638 639 static int 640 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) 641 { 642 char *name = match_list(client, server, NULL); 643 644 if (name == NULL) 645 return SSH_ERR_NO_MAC_ALG_MATCH; 646 if (mac_setup(mac, name) < 0) 647 return SSH_ERR_INTERNAL_ERROR; 648 /* truncate the key */ 649 if (ssh->compat & SSH_BUG_HMAC) 650 mac->key_len = 16; 651 mac->name = name; 652 mac->key = NULL; 653 mac->enabled = 0; 654 return 0; 655 } 656 657 static int 658 choose_comp(struct sshcomp *comp, char *client, char *server) 659 { 660 char *name = match_list(client, server, NULL); 661 662 if (name == NULL) 663 return SSH_ERR_NO_COMPRESS_ALG_MATCH; 664 if (strcmp(name, "zlib@openssh.com") == 0) { 665 comp->type = COMP_DELAYED; 666 } else if (strcmp(name, "zlib") == 0) { 667 comp->type = COMP_ZLIB; 668 } else if (strcmp(name, "none") == 0) { 669 comp->type = COMP_NONE; 670 } else { 671 return SSH_ERR_INTERNAL_ERROR; 672 } 673 comp->name = name; 674 return 0; 675 } 676 677 static int 678 choose_kex(struct kex *k, char *client, char *server) 679 { 680 const struct kexalg *kexalg; 681 682 k->name = match_list(client, server, NULL); 683 684 debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); 685 if (k->name == NULL) 686 return SSH_ERR_NO_KEX_ALG_MATCH; 687 if ((kexalg = kex_alg_by_name(k->name)) == NULL) 688 return SSH_ERR_INTERNAL_ERROR; 689 k->kex_type = kexalg->type; 690 k->hash_alg = kexalg->hash_alg; 691 k->ec_nid = kexalg->ec_nid; 692 return 0; 693 } 694 695 static int 696 choose_hostkeyalg(struct kex *k, char *client, char *server) 697 { 698 k->hostkey_alg = match_list(client, server, NULL); 699 700 debug("kex: host key algorithm: %s", 701 k->hostkey_alg ? k->hostkey_alg : "(no match)"); 702 if (k->hostkey_alg == NULL) 703 return SSH_ERR_NO_HOSTKEY_ALG_MATCH; 704 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); 705 if (k->hostkey_type == KEY_UNSPEC) 706 return SSH_ERR_INTERNAL_ERROR; 707 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); 708 return 0; 709 } 710 711 static int 712 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) 713 { 714 static int check[] = { 715 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 716 }; 717 int *idx; 718 char *p; 719 720 for (idx = &check[0]; *idx != -1; idx++) { 721 if ((p = strchr(my[*idx], ',')) != NULL) 722 *p = '\0'; 723 if ((p = strchr(peer[*idx], ',')) != NULL) 724 *p = '\0'; 725 if (strcmp(my[*idx], peer[*idx]) != 0) { 726 debug2("proposal mismatch: my %s peer %s", 727 my[*idx], peer[*idx]); 728 return (0); 729 } 730 } 731 debug2("proposals match"); 732 return (1); 733 } 734 735 static int 736 kex_choose_conf(struct ssh *ssh) 737 { 738 struct kex *kex = ssh->kex; 739 struct newkeys *newkeys; 740 char **my = NULL, **peer = NULL; 741 char **cprop, **sprop; 742 int nenc, nmac, ncomp; 743 u_int mode, ctos, need, dh_need, authlen; 744 int log_flag = 0; 745 int r, first_kex_follows; 746 747 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); 748 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) 749 goto out; 750 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); 751 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) 752 goto out; 753 754 if (kex->server) { 755 cprop=peer; 756 sprop=my; 757 } else { 758 cprop=my; 759 sprop=peer; 760 } 761 762 /* Check whether client supports ext_info_c */ 763 if (kex->server) { 764 char *ext; 765 766 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); 767 if (ext) { 768 kex->ext_info_c = 1; 769 free(ext); 770 } 771 } 772 773 /* Algorithm Negotiation */ 774 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], 775 sprop[PROPOSAL_KEX_ALGS])) != 0) { 776 kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; 777 peer[PROPOSAL_KEX_ALGS] = NULL; 778 goto out; 779 } 780 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], 781 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { 782 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; 783 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; 784 goto out; 785 } 786 for (mode = 0; mode < MODE_MAX; mode++) { 787 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { 788 r = SSH_ERR_ALLOC_FAIL; 789 goto out; 790 } 791 kex->newkeys[mode] = newkeys; 792 ctos = (!kex->server && mode == MODE_OUT) || 793 (kex->server && mode == MODE_IN); 794 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 795 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 796 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 797 if ((r = choose_enc(&newkeys->enc, cprop[nenc], 798 sprop[nenc])) != 0) { 799 kex->failed_choice = peer[nenc]; 800 peer[nenc] = NULL; 801 goto out; 802 } 803 authlen = cipher_authlen(newkeys->enc.cipher); 804 /* ignore mac for authenticated encryption */ 805 if (authlen == 0 && 806 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], 807 sprop[nmac])) != 0) { 808 kex->failed_choice = peer[nmac]; 809 peer[nmac] = NULL; 810 goto out; 811 } 812 if ((r = choose_comp(&newkeys->comp, cprop[ncomp], 813 sprop[ncomp])) != 0) { 814 kex->failed_choice = peer[ncomp]; 815 peer[ncomp] = NULL; 816 goto out; 817 } 818 debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); 819 if (strcmp(newkeys->enc.name, "none") == 0) { 820 int auth_flag; 821 822 auth_flag = ssh_packet_authentication_state(); 823 debug("Requesting NONE. Authflag is %d", auth_flag); 824 if (auth_flag == 1) { 825 debug("None requested post authentication."); 826 } else { 827 fatal("Pre-authentication none cipher requests are not allowed."); 828 } 829 } 830 debug("kex: %s cipher: %s MAC: %s compression: %s", 831 ctos ? "client->server" : "server->client", 832 newkeys->enc.name, 833 authlen == 0 ? newkeys->mac.name : "<implicit>", 834 newkeys->comp.name); 835 /* client starts withctos = 0 && log flag = 0 and no log*/ 836 /* 2nd client pass ctos=1 and flag = 1 so no log*/ 837 /* server starts with ctos =1 && log_flag = 0 so log */ 838 /* 2nd sever pass ctos = 1 && log flag = 1 so no log*/ 839 /* -cjr*/ 840 if (ctos && !log_flag) { 841 logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s", 842 ssh_remote_ipaddr(ssh), 843 ssh_remote_port(ssh), 844 newkeys->enc.name, 845 newkeys->mac.name, 846 newkeys->comp.name); 847 } 848 log_flag = 1; 849 } 850 need = dh_need = 0; 851 for (mode = 0; mode < MODE_MAX; mode++) { 852 newkeys = kex->newkeys[mode]; 853 need = MAX(need, newkeys->enc.key_len); 854 need = MAX(need, newkeys->enc.block_size); 855 need = MAX(need, newkeys->enc.iv_len); 856 need = MAX(need, newkeys->mac.key_len); 857 dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher)); 858 dh_need = MAX(dh_need, newkeys->enc.block_size); 859 dh_need = MAX(dh_need, newkeys->enc.iv_len); 860 dh_need = MAX(dh_need, newkeys->mac.key_len); 861 } 862 /* XXX need runden? */ 863 kex->we_need = need; 864 kex->dh_need = dh_need; 865 866 /* ignore the next message if the proposals do not match */ 867 if (first_kex_follows && !proposals_match(my, peer) && 868 !(ssh->compat & SSH_BUG_FIRSTKEX)) 869 ssh->dispatch_skip_packets = 1; 870 r = 0; 871 out: 872 kex_prop_free(my); 873 kex_prop_free(peer); 874 return r; 875 } 876 877 static int 878 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, 879 const struct sshbuf *shared_secret, u_char **keyp) 880 { 881 struct kex *kex = ssh->kex; 882 struct ssh_digest_ctx *hashctx = NULL; 883 char c = id; 884 u_int have; 885 size_t mdsz; 886 u_char *digest; 887 int r; 888 889 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) 890 return SSH_ERR_INVALID_ARGUMENT; 891 if ((digest = calloc(1, roundup(need, mdsz))) == NULL) { 892 r = SSH_ERR_ALLOC_FAIL; 893 goto out; 894 } 895 896 /* K1 = HASH(K || H || "A" || session_id) */ 897 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 898 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 899 ssh_digest_update(hashctx, hash, hashlen) != 0 || 900 ssh_digest_update(hashctx, &c, 1) != 0 || 901 ssh_digest_update(hashctx, kex->session_id, 902 kex->session_id_len) != 0 || 903 ssh_digest_final(hashctx, digest, mdsz) != 0) { 904 r = SSH_ERR_LIBCRYPTO_ERROR; 905 goto out; 906 } 907 ssh_digest_free(hashctx); 908 hashctx = NULL; 909 910 /* 911 * expand key: 912 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) 913 * Key = K1 || K2 || ... || Kn 914 */ 915 for (have = mdsz; need > have; have += mdsz) { 916 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 917 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 918 ssh_digest_update(hashctx, hash, hashlen) != 0 || 919 ssh_digest_update(hashctx, digest, have) != 0 || 920 ssh_digest_final(hashctx, digest + have, mdsz) != 0) { 921 r = SSH_ERR_LIBCRYPTO_ERROR; 922 goto out; 923 } 924 ssh_digest_free(hashctx); 925 hashctx = NULL; 926 } 927 #ifdef DEBUG_KEX 928 fprintf(stderr, "key '%c'== ", c); 929 dump_digest("key", digest, need); 930 #endif 931 *keyp = digest; 932 digest = NULL; 933 r = 0; 934 out: 935 free(digest); 936 ssh_digest_free(hashctx); 937 return r; 938 } 939 940 #define NKEYS 6 941 int 942 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen, 943 const struct sshbuf *shared_secret) 944 { 945 struct kex *kex = ssh->kex; 946 u_char *keys[NKEYS]; 947 u_int i, j, mode, ctos; 948 int r; 949 950 for (i = 0; i < NKEYS; i++) { 951 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, 952 shared_secret, &keys[i])) != 0) { 953 for (j = 0; j < i; j++) 954 free(keys[j]); 955 return r; 956 } 957 } 958 for (mode = 0; mode < MODE_MAX; mode++) { 959 ctos = (!kex->server && mode == MODE_OUT) || 960 (kex->server && mode == MODE_IN); 961 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1]; 962 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3]; 963 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5]; 964 } 965 return 0; 966 } 967 968 #ifdef WITH_OPENSSL 969 int 970 kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen, 971 const BIGNUM *secret) 972 { 973 struct sshbuf *shared_secret; 974 int r; 975 976 if ((shared_secret = sshbuf_new()) == NULL) 977 return SSH_ERR_ALLOC_FAIL; 978 if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0) 979 r = kex_derive_keys(ssh, hash, hashlen, shared_secret); 980 sshbuf_free(shared_secret); 981 return r; 982 } 983 #endif 984 985 #ifdef WITH_SSH1 986 int 987 derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, 988 u_int8_t cookie[8], u_int8_t id[16]) 989 { 990 u_int8_t hbuf[2048], sbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH]; 991 struct ssh_digest_ctx *hashctx = NULL; 992 size_t hlen, slen; 993 int r; 994 995 hlen = BN_num_bytes(host_modulus); 996 slen = BN_num_bytes(server_modulus); 997 if (hlen < (512 / 8) || (u_int)hlen > sizeof(hbuf) || 998 slen < (512 / 8) || (u_int)slen > sizeof(sbuf)) 999 return SSH_ERR_KEY_BITS_MISMATCH; 1000 if (BN_bn2bin(host_modulus, hbuf) <= 0 || 1001 BN_bn2bin(server_modulus, sbuf) <= 0) { 1002 r = SSH_ERR_LIBCRYPTO_ERROR; 1003 goto out; 1004 } 1005 if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) { 1006 r = SSH_ERR_ALLOC_FAIL; 1007 goto out; 1008 } 1009 if (ssh_digest_update(hashctx, hbuf, hlen) != 0 || 1010 ssh_digest_update(hashctx, sbuf, slen) != 0 || 1011 ssh_digest_update(hashctx, cookie, 8) != 0 || 1012 ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) { 1013 r = SSH_ERR_LIBCRYPTO_ERROR; 1014 goto out; 1015 } 1016 memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5)); 1017 r = 0; 1018 out: 1019 ssh_digest_free(hashctx); 1020 explicit_bzero(hbuf, sizeof(hbuf)); 1021 explicit_bzero(sbuf, sizeof(sbuf)); 1022 explicit_bzero(obuf, sizeof(obuf)); 1023 return r; 1024 } 1025 #endif 1026 1027 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) 1028 void 1029 dump_digest(char *msg, u_char *digest, int len) 1030 { 1031 fprintf(stderr, "%s\n", msg); 1032 sshbuf_dump_data(digest, len, stderr); 1033 } 1034 #endif 1035