1 /* $OpenBSD: kex.c,v 1.122 2016/09/19 19:02:19 markus Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 27 #include <signal.h> 28 #include <stdio.h> 29 #include <stdlib.h> 30 #include <string.h> 31 32 #ifdef WITH_OPENSSL 33 #include <openssl/crypto.h> 34 #endif 35 36 #include "ssh2.h" 37 #include "packet.h" 38 #include "compat.h" 39 #include "cipher.h" 40 #include "sshkey.h" 41 #include "kex.h" 42 #include "log.h" 43 #include "mac.h" 44 #include "match.h" 45 #include "misc.h" 46 #include "dispatch.h" 47 #include "monitor.h" 48 49 #include "ssherr.h" 50 #include "sshbuf.h" 51 #include "digest.h" 52 53 /* prototype */ 54 static int kex_choose_conf(struct ssh *); 55 static int kex_input_newkeys(int, u_int32_t, void *); 56 57 static const char *proposal_names[PROPOSAL_MAX] = { 58 "KEX algorithms", 59 "host key algorithms", 60 "ciphers ctos", 61 "ciphers stoc", 62 "MACs ctos", 63 "MACs stoc", 64 "compression ctos", 65 "compression stoc", 66 "languages ctos", 67 "languages stoc", 68 }; 69 70 struct kexalg { 71 char *name; 72 u_int type; 73 int ec_nid; 74 int hash_alg; 75 }; 76 static const struct kexalg kexalgs[] = { 77 #ifdef WITH_OPENSSL 78 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, 79 { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, 80 { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, 81 { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, 82 { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, 83 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, 84 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, 85 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, 86 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 87 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, 88 SSH_DIGEST_SHA384 }, 89 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, 90 SSH_DIGEST_SHA512 }, 91 #endif 92 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 93 { NULL, -1, -1, -1}, 94 }; 95 96 char * 97 kex_alg_list(char sep) 98 { 99 char *ret = NULL, *tmp; 100 size_t nlen, rlen = 0; 101 const struct kexalg *k; 102 103 for (k = kexalgs; k->name != NULL; k++) { 104 if (ret != NULL) 105 ret[rlen++] = sep; 106 nlen = strlen(k->name); 107 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 108 free(ret); 109 return NULL; 110 } 111 ret = tmp; 112 memcpy(ret + rlen, k->name, nlen + 1); 113 rlen += nlen; 114 } 115 return ret; 116 } 117 118 static const struct kexalg * 119 kex_alg_by_name(const char *name) 120 { 121 const struct kexalg *k; 122 123 for (k = kexalgs; k->name != NULL; k++) { 124 if (strcmp(k->name, name) == 0) 125 return k; 126 } 127 return NULL; 128 } 129 130 /* Validate KEX method name list */ 131 int 132 kex_names_valid(const char *names) 133 { 134 char *s, *cp, *p; 135 136 if (names == NULL || strcmp(names, "") == 0) 137 return 0; 138 if ((s = cp = strdup(names)) == NULL) 139 return 0; 140 for ((p = strsep(&cp, ",")); p && *p != '\0'; 141 (p = strsep(&cp, ","))) { 142 if (kex_alg_by_name(p) == NULL) { 143 error("Unsupported KEX algorithm \"%.100s\"", p); 144 free(s); 145 return 0; 146 } 147 } 148 debug3("kex names ok: [%s]", names); 149 free(s); 150 return 1; 151 } 152 153 /* 154 * Concatenate algorithm names, avoiding duplicates in the process. 155 * Caller must free returned string. 156 */ 157 char * 158 kex_names_cat(const char *a, const char *b) 159 { 160 char *ret = NULL, *tmp = NULL, *cp, *p; 161 size_t len; 162 163 if (a == NULL || *a == '\0') 164 return NULL; 165 if (b == NULL || *b == '\0') 166 return strdup(a); 167 if (strlen(b) > 1024*1024) 168 return NULL; 169 len = strlen(a) + strlen(b) + 2; 170 if ((tmp = cp = strdup(b)) == NULL || 171 (ret = calloc(1, len)) == NULL) { 172 free(tmp); 173 return NULL; 174 } 175 strlcpy(ret, a, len); 176 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { 177 if (match_list(ret, p, NULL) != NULL) 178 continue; /* Algorithm already present */ 179 if (strlcat(ret, ",", len) >= len || 180 strlcat(ret, p, len) >= len) { 181 free(tmp); 182 free(ret); 183 return NULL; /* Shouldn't happen */ 184 } 185 } 186 free(tmp); 187 return ret; 188 } 189 190 /* 191 * Assemble a list of algorithms from a default list and a string from a 192 * configuration file. The user-provided string may begin with '+' to 193 * indicate that it should be appended to the default. 194 */ 195 int 196 kex_assemble_names(const char *def, char **list) 197 { 198 char *ret; 199 200 if (list == NULL || *list == NULL || **list == '\0') { 201 *list = strdup(def); 202 return 0; 203 } 204 if (**list != '+') { 205 return 0; 206 } 207 208 if ((ret = kex_names_cat(def, *list + 1)) == NULL) 209 return SSH_ERR_ALLOC_FAIL; 210 free(*list); 211 *list = ret; 212 return 0; 213 } 214 215 /* put algorithm proposal into buffer */ 216 int 217 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) 218 { 219 u_int i; 220 int r; 221 222 sshbuf_reset(b); 223 224 /* 225 * add a dummy cookie, the cookie will be overwritten by 226 * kex_send_kexinit(), each time a kexinit is set 227 */ 228 for (i = 0; i < KEX_COOKIE_LEN; i++) { 229 if ((r = sshbuf_put_u8(b, 0)) != 0) 230 return r; 231 } 232 for (i = 0; i < PROPOSAL_MAX; i++) { 233 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0) 234 return r; 235 } 236 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */ 237 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */ 238 return r; 239 return 0; 240 } 241 242 /* parse buffer and return algorithm proposal */ 243 int 244 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) 245 { 246 struct sshbuf *b = NULL; 247 u_char v; 248 u_int i; 249 char **proposal = NULL; 250 int r; 251 252 *propp = NULL; 253 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL) 254 return SSH_ERR_ALLOC_FAIL; 255 if ((b = sshbuf_fromb(raw)) == NULL) { 256 r = SSH_ERR_ALLOC_FAIL; 257 goto out; 258 } 259 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */ 260 goto out; 261 /* extract kex init proposal strings */ 262 for (i = 0; i < PROPOSAL_MAX; i++) { 263 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) 264 goto out; 265 debug2("%s: %s", proposal_names[i], proposal[i]); 266 } 267 /* first kex follows / reserved */ 268 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ 269 (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */ 270 goto out; 271 if (first_kex_follows != NULL) 272 *first_kex_follows = v; 273 debug2("first_kex_follows %d ", v); 274 debug2("reserved %u ", i); 275 r = 0; 276 *propp = proposal; 277 out: 278 if (r != 0 && proposal != NULL) 279 kex_prop_free(proposal); 280 sshbuf_free(b); 281 return r; 282 } 283 284 void 285 kex_prop_free(char **proposal) 286 { 287 u_int i; 288 289 if (proposal == NULL) 290 return; 291 for (i = 0; i < PROPOSAL_MAX; i++) 292 free(proposal[i]); 293 free(proposal); 294 } 295 296 /* ARGSUSED */ 297 static int 298 kex_protocol_error(int type, u_int32_t seq, void *ctxt) 299 { 300 struct ssh *ssh = active_state; /* XXX */ 301 int r; 302 303 error("kex protocol error: type %d seq %u", type, seq); 304 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || 305 (r = sshpkt_put_u32(ssh, seq)) != 0 || 306 (r = sshpkt_send(ssh)) != 0) 307 return r; 308 return 0; 309 } 310 311 static void 312 kex_reset_dispatch(struct ssh *ssh) 313 { 314 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN, 315 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); 316 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 317 } 318 319 static int 320 kex_send_ext_info(struct ssh *ssh) 321 { 322 int r; 323 char *algs; 324 325 if ((algs = sshkey_alg_list(0, 1, ',')) == NULL) 326 return SSH_ERR_ALLOC_FAIL; 327 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || 328 (r = sshpkt_put_u32(ssh, 1)) != 0 || 329 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || 330 (r = sshpkt_put_cstring(ssh, algs)) != 0 || 331 (r = sshpkt_send(ssh)) != 0) 332 goto out; 333 /* success */ 334 r = 0; 335 out: 336 free(algs); 337 return 0; 338 } 339 340 int 341 kex_send_newkeys(struct ssh *ssh) 342 { 343 int r; 344 345 kex_reset_dispatch(ssh); 346 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 || 347 (r = sshpkt_send(ssh)) != 0) 348 return r; 349 debug("SSH2_MSG_NEWKEYS sent"); 350 debug("expecting SSH2_MSG_NEWKEYS"); 351 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); 352 if (ssh->kex->ext_info_c) 353 if ((r = kex_send_ext_info(ssh)) != 0) 354 return r; 355 return 0; 356 } 357 358 int 359 kex_input_ext_info(int type, u_int32_t seq, void *ctxt) 360 { 361 struct ssh *ssh = ctxt; 362 struct kex *kex = ssh->kex; 363 u_int32_t i, ninfo; 364 char *name, *val, *found; 365 int r; 366 367 debug("SSH2_MSG_EXT_INFO received"); 368 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); 369 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) 370 return r; 371 for (i = 0; i < ninfo; i++) { 372 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) 373 return r; 374 if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) { 375 free(name); 376 return r; 377 } 378 debug("%s: %s=<%s>", __func__, name, val); 379 if (strcmp(name, "server-sig-algs") == 0) { 380 found = match_list("rsa-sha2-256", val, NULL); 381 if (found) { 382 kex->rsa_sha2 = 256; 383 free(found); 384 } 385 found = match_list("rsa-sha2-512", val, NULL); 386 if (found) { 387 kex->rsa_sha2 = 512; 388 free(found); 389 } 390 } 391 free(name); 392 free(val); 393 } 394 return sshpkt_get_end(ssh); 395 } 396 397 static int 398 kex_input_newkeys(int type, u_int32_t seq, void *ctxt) 399 { 400 struct ssh *ssh = ctxt; 401 struct kex *kex = ssh->kex; 402 int r; 403 404 debug("SSH2_MSG_NEWKEYS received"); 405 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); 406 if ((r = sshpkt_get_end(ssh)) != 0) 407 return r; 408 if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) 409 return r; 410 kex->done = 1; 411 sshbuf_reset(kex->peer); 412 /* sshbuf_reset(kex->my); */ 413 kex->flags &= ~KEX_INIT_SENT; 414 free(kex->name); 415 kex->name = NULL; 416 return 0; 417 } 418 419 int 420 kex_send_kexinit(struct ssh *ssh) 421 { 422 u_char *cookie; 423 struct kex *kex = ssh->kex; 424 int r; 425 426 if (kex == NULL) 427 return SSH_ERR_INTERNAL_ERROR; 428 if (kex->flags & KEX_INIT_SENT) 429 return 0; 430 kex->done = 0; 431 432 /* generate a random cookie */ 433 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) 434 return SSH_ERR_INVALID_FORMAT; 435 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) 436 return SSH_ERR_INTERNAL_ERROR; 437 arc4random_buf(cookie, KEX_COOKIE_LEN); 438 439 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || 440 (r = sshpkt_putb(ssh, kex->my)) != 0 || 441 (r = sshpkt_send(ssh)) != 0) 442 return r; 443 debug("SSH2_MSG_KEXINIT sent"); 444 kex->flags |= KEX_INIT_SENT; 445 return 0; 446 } 447 448 /* ARGSUSED */ 449 int 450 kex_input_kexinit(int type, u_int32_t seq, void *ctxt) 451 { 452 struct ssh *ssh = ctxt; 453 struct kex *kex = ssh->kex; 454 const u_char *ptr; 455 u_int i; 456 size_t dlen; 457 int r; 458 459 debug("SSH2_MSG_KEXINIT received"); 460 if (kex == NULL) 461 return SSH_ERR_INVALID_ARGUMENT; 462 463 ptr = sshpkt_ptr(ssh, &dlen); 464 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) 465 return r; 466 467 /* discard packet */ 468 for (i = 0; i < KEX_COOKIE_LEN; i++) 469 if ((r = sshpkt_get_u8(ssh, NULL)) != 0) 470 return r; 471 for (i = 0; i < PROPOSAL_MAX; i++) 472 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) 473 return r; 474 /* 475 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported 476 * KEX method has the server move first, but a server might be using 477 * a custom method or one that we otherwise don't support. We should 478 * be prepared to remember first_kex_follows here so we can eat a 479 * packet later. 480 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means 481 * for cases where the server *doesn't* go first. I guess we should 482 * ignore it when it is set for these cases, which is what we do now. 483 */ 484 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */ 485 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */ 486 (r = sshpkt_get_end(ssh)) != 0) 487 return r; 488 489 if (!(kex->flags & KEX_INIT_SENT)) 490 if ((r = kex_send_kexinit(ssh)) != 0) 491 return r; 492 if ((r = kex_choose_conf(ssh)) != 0) 493 return r; 494 495 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) 496 return (kex->kex[kex->kex_type])(ssh); 497 498 return SSH_ERR_INTERNAL_ERROR; 499 } 500 501 int 502 kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp) 503 { 504 struct kex *kex; 505 int r; 506 507 *kexp = NULL; 508 if ((kex = calloc(1, sizeof(*kex))) == NULL) 509 return SSH_ERR_ALLOC_FAIL; 510 if ((kex->peer = sshbuf_new()) == NULL || 511 (kex->my = sshbuf_new()) == NULL) { 512 r = SSH_ERR_ALLOC_FAIL; 513 goto out; 514 } 515 if ((r = kex_prop2buf(kex->my, proposal)) != 0) 516 goto out; 517 kex->done = 0; 518 kex_reset_dispatch(ssh); 519 r = 0; 520 *kexp = kex; 521 out: 522 if (r != 0) 523 kex_free(kex); 524 return r; 525 } 526 527 void 528 kex_free_newkeys(struct newkeys *newkeys) 529 { 530 if (newkeys == NULL) 531 return; 532 if (newkeys->enc.key) { 533 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len); 534 free(newkeys->enc.key); 535 newkeys->enc.key = NULL; 536 } 537 if (newkeys->enc.iv) { 538 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); 539 free(newkeys->enc.iv); 540 newkeys->enc.iv = NULL; 541 } 542 free(newkeys->enc.name); 543 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc)); 544 free(newkeys->comp.name); 545 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp)); 546 mac_clear(&newkeys->mac); 547 if (newkeys->mac.key) { 548 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len); 549 free(newkeys->mac.key); 550 newkeys->mac.key = NULL; 551 } 552 free(newkeys->mac.name); 553 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac)); 554 explicit_bzero(newkeys, sizeof(*newkeys)); 555 free(newkeys); 556 } 557 558 void 559 kex_free(struct kex *kex) 560 { 561 u_int mode; 562 563 #ifdef WITH_OPENSSL 564 if (kex->dh) 565 DH_free(kex->dh); 566 if (kex->ec_client_key) 567 EC_KEY_free(kex->ec_client_key); 568 #endif 569 for (mode = 0; mode < MODE_MAX; mode++) { 570 kex_free_newkeys(kex->newkeys[mode]); 571 kex->newkeys[mode] = NULL; 572 } 573 sshbuf_free(kex->peer); 574 sshbuf_free(kex->my); 575 free(kex->session_id); 576 free(kex->client_version_string); 577 free(kex->server_version_string); 578 free(kex->failed_choice); 579 free(kex->hostkey_alg); 580 free(kex->name); 581 free(kex); 582 } 583 584 int 585 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) 586 { 587 int r; 588 589 if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0) 590 return r; 591 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */ 592 kex_free(ssh->kex); 593 ssh->kex = NULL; 594 return r; 595 } 596 return 0; 597 } 598 599 /* 600 * Request key re-exchange, returns 0 on success or a ssherr.h error 601 * code otherwise. Must not be called if KEX is incomplete or in-progress. 602 */ 603 int 604 kex_start_rekex(struct ssh *ssh) 605 { 606 if (ssh->kex == NULL) { 607 error("%s: no kex", __func__); 608 return SSH_ERR_INTERNAL_ERROR; 609 } 610 if (ssh->kex->done == 0) { 611 error("%s: requested twice", __func__); 612 return SSH_ERR_INTERNAL_ERROR; 613 } 614 ssh->kex->done = 0; 615 return kex_send_kexinit(ssh); 616 } 617 618 static int 619 choose_enc(struct sshenc *enc, char *client, char *server) 620 { 621 char *name = match_list(client, server, NULL); 622 623 if (name == NULL) 624 return SSH_ERR_NO_CIPHER_ALG_MATCH; 625 if ((enc->cipher = cipher_by_name(name)) == NULL) 626 return SSH_ERR_INTERNAL_ERROR; 627 enc->name = name; 628 enc->enabled = 0; 629 enc->iv = NULL; 630 enc->iv_len = cipher_ivlen(enc->cipher); 631 enc->key = NULL; 632 enc->key_len = cipher_keylen(enc->cipher); 633 enc->block_size = cipher_blocksize(enc->cipher); 634 return 0; 635 } 636 637 static int 638 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) 639 { 640 char *name = match_list(client, server, NULL); 641 642 if (name == NULL) 643 return SSH_ERR_NO_MAC_ALG_MATCH; 644 if (mac_setup(mac, name) < 0) 645 return SSH_ERR_INTERNAL_ERROR; 646 /* truncate the key */ 647 if (ssh->compat & SSH_BUG_HMAC) 648 mac->key_len = 16; 649 mac->name = name; 650 mac->key = NULL; 651 mac->enabled = 0; 652 return 0; 653 } 654 655 static int 656 choose_comp(struct sshcomp *comp, char *client, char *server) 657 { 658 char *name = match_list(client, server, NULL); 659 660 if (name == NULL) 661 return SSH_ERR_NO_COMPRESS_ALG_MATCH; 662 if (strcmp(name, "zlib@openssh.com") == 0) { 663 comp->type = COMP_DELAYED; 664 } else if (strcmp(name, "zlib") == 0) { 665 comp->type = COMP_ZLIB; 666 } else if (strcmp(name, "none") == 0) { 667 comp->type = COMP_NONE; 668 } else { 669 return SSH_ERR_INTERNAL_ERROR; 670 } 671 comp->name = name; 672 return 0; 673 } 674 675 static int 676 choose_kex(struct kex *k, char *client, char *server) 677 { 678 const struct kexalg *kexalg; 679 680 k->name = match_list(client, server, NULL); 681 682 debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); 683 if (k->name == NULL) 684 return SSH_ERR_NO_KEX_ALG_MATCH; 685 if ((kexalg = kex_alg_by_name(k->name)) == NULL) 686 return SSH_ERR_INTERNAL_ERROR; 687 k->kex_type = kexalg->type; 688 k->hash_alg = kexalg->hash_alg; 689 k->ec_nid = kexalg->ec_nid; 690 return 0; 691 } 692 693 static int 694 choose_hostkeyalg(struct kex *k, char *client, char *server) 695 { 696 k->hostkey_alg = match_list(client, server, NULL); 697 698 debug("kex: host key algorithm: %s", 699 k->hostkey_alg ? k->hostkey_alg : "(no match)"); 700 if (k->hostkey_alg == NULL) 701 return SSH_ERR_NO_HOSTKEY_ALG_MATCH; 702 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); 703 if (k->hostkey_type == KEY_UNSPEC) 704 return SSH_ERR_INTERNAL_ERROR; 705 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); 706 return 0; 707 } 708 709 static int 710 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) 711 { 712 static int check[] = { 713 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 714 }; 715 int *idx; 716 char *p; 717 718 for (idx = &check[0]; *idx != -1; idx++) { 719 if ((p = strchr(my[*idx], ',')) != NULL) 720 *p = '\0'; 721 if ((p = strchr(peer[*idx], ',')) != NULL) 722 *p = '\0'; 723 if (strcmp(my[*idx], peer[*idx]) != 0) { 724 debug2("proposal mismatch: my %s peer %s", 725 my[*idx], peer[*idx]); 726 return (0); 727 } 728 } 729 debug2("proposals match"); 730 return (1); 731 } 732 733 static int 734 kex_choose_conf(struct ssh *ssh) 735 { 736 struct kex *kex = ssh->kex; 737 struct newkeys *newkeys; 738 char **my = NULL, **peer = NULL; 739 char **cprop, **sprop; 740 int nenc, nmac, ncomp; 741 u_int mode, ctos, need, dh_need, authlen; 742 int r, first_kex_follows; 743 744 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); 745 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) 746 goto out; 747 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); 748 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) 749 goto out; 750 751 if (kex->server) { 752 cprop=peer; 753 sprop=my; 754 } else { 755 cprop=my; 756 sprop=peer; 757 } 758 759 /* Check whether client supports ext_info_c */ 760 if (kex->server) { 761 char *ext; 762 763 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); 764 kex->ext_info_c = (ext != NULL); 765 free(ext); 766 } 767 768 /* Algorithm Negotiation */ 769 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], 770 sprop[PROPOSAL_KEX_ALGS])) != 0) { 771 kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; 772 peer[PROPOSAL_KEX_ALGS] = NULL; 773 goto out; 774 } 775 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], 776 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { 777 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; 778 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; 779 goto out; 780 } 781 for (mode = 0; mode < MODE_MAX; mode++) { 782 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { 783 r = SSH_ERR_ALLOC_FAIL; 784 goto out; 785 } 786 kex->newkeys[mode] = newkeys; 787 ctos = (!kex->server && mode == MODE_OUT) || 788 (kex->server && mode == MODE_IN); 789 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 790 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 791 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 792 if ((r = choose_enc(&newkeys->enc, cprop[nenc], 793 sprop[nenc])) != 0) { 794 kex->failed_choice = peer[nenc]; 795 peer[nenc] = NULL; 796 goto out; 797 } 798 authlen = cipher_authlen(newkeys->enc.cipher); 799 /* ignore mac for authenticated encryption */ 800 if (authlen == 0 && 801 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], 802 sprop[nmac])) != 0) { 803 kex->failed_choice = peer[nmac]; 804 peer[nmac] = NULL; 805 goto out; 806 } 807 if ((r = choose_comp(&newkeys->comp, cprop[ncomp], 808 sprop[ncomp])) != 0) { 809 kex->failed_choice = peer[ncomp]; 810 peer[ncomp] = NULL; 811 goto out; 812 } 813 debug("kex: %s cipher: %s MAC: %s compression: %s", 814 ctos ? "client->server" : "server->client", 815 newkeys->enc.name, 816 authlen == 0 ? newkeys->mac.name : "<implicit>", 817 newkeys->comp.name); 818 } 819 need = dh_need = 0; 820 for (mode = 0; mode < MODE_MAX; mode++) { 821 newkeys = kex->newkeys[mode]; 822 need = MAXIMUM(need, newkeys->enc.key_len); 823 need = MAXIMUM(need, newkeys->enc.block_size); 824 need = MAXIMUM(need, newkeys->enc.iv_len); 825 need = MAXIMUM(need, newkeys->mac.key_len); 826 dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher)); 827 dh_need = MAXIMUM(dh_need, newkeys->enc.block_size); 828 dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len); 829 dh_need = MAXIMUM(dh_need, newkeys->mac.key_len); 830 } 831 /* XXX need runden? */ 832 kex->we_need = need; 833 kex->dh_need = dh_need; 834 835 /* ignore the next message if the proposals do not match */ 836 if (first_kex_follows && !proposals_match(my, peer) && 837 !(ssh->compat & SSH_BUG_FIRSTKEX)) 838 ssh->dispatch_skip_packets = 1; 839 r = 0; 840 out: 841 kex_prop_free(my); 842 kex_prop_free(peer); 843 return r; 844 } 845 846 static int 847 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, 848 const struct sshbuf *shared_secret, u_char **keyp) 849 { 850 struct kex *kex = ssh->kex; 851 struct ssh_digest_ctx *hashctx = NULL; 852 char c = id; 853 u_int have; 854 size_t mdsz; 855 u_char *digest; 856 int r; 857 858 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) 859 return SSH_ERR_INVALID_ARGUMENT; 860 if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) { 861 r = SSH_ERR_ALLOC_FAIL; 862 goto out; 863 } 864 865 /* K1 = HASH(K || H || "A" || session_id) */ 866 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 867 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 868 ssh_digest_update(hashctx, hash, hashlen) != 0 || 869 ssh_digest_update(hashctx, &c, 1) != 0 || 870 ssh_digest_update(hashctx, kex->session_id, 871 kex->session_id_len) != 0 || 872 ssh_digest_final(hashctx, digest, mdsz) != 0) { 873 r = SSH_ERR_LIBCRYPTO_ERROR; 874 goto out; 875 } 876 ssh_digest_free(hashctx); 877 hashctx = NULL; 878 879 /* 880 * expand key: 881 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) 882 * Key = K1 || K2 || ... || Kn 883 */ 884 for (have = mdsz; need > have; have += mdsz) { 885 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 886 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 887 ssh_digest_update(hashctx, hash, hashlen) != 0 || 888 ssh_digest_update(hashctx, digest, have) != 0 || 889 ssh_digest_final(hashctx, digest + have, mdsz) != 0) { 890 r = SSH_ERR_LIBCRYPTO_ERROR; 891 goto out; 892 } 893 ssh_digest_free(hashctx); 894 hashctx = NULL; 895 } 896 #ifdef DEBUG_KEX 897 fprintf(stderr, "key '%c'== ", c); 898 dump_digest("key", digest, need); 899 #endif 900 *keyp = digest; 901 digest = NULL; 902 r = 0; 903 out: 904 free(digest); 905 ssh_digest_free(hashctx); 906 return r; 907 } 908 909 #define NKEYS 6 910 int 911 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen, 912 const struct sshbuf *shared_secret) 913 { 914 struct kex *kex = ssh->kex; 915 u_char *keys[NKEYS]; 916 u_int i, j, mode, ctos; 917 int r; 918 919 for (i = 0; i < NKEYS; i++) { 920 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, 921 shared_secret, &keys[i])) != 0) { 922 for (j = 0; j < i; j++) 923 free(keys[j]); 924 return r; 925 } 926 } 927 for (mode = 0; mode < MODE_MAX; mode++) { 928 ctos = (!kex->server && mode == MODE_OUT) || 929 (kex->server && mode == MODE_IN); 930 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1]; 931 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3]; 932 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5]; 933 } 934 return 0; 935 } 936 937 #ifdef WITH_OPENSSL 938 int 939 kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen, 940 const BIGNUM *secret) 941 { 942 struct sshbuf *shared_secret; 943 int r; 944 945 if ((shared_secret = sshbuf_new()) == NULL) 946 return SSH_ERR_ALLOC_FAIL; 947 if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0) 948 r = kex_derive_keys(ssh, hash, hashlen, shared_secret); 949 sshbuf_free(shared_secret); 950 return r; 951 } 952 #endif 953 954 #ifdef WITH_SSH1 955 int 956 derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, 957 u_int8_t cookie[8], u_int8_t id[16]) 958 { 959 u_int8_t hbuf[2048], sbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH]; 960 struct ssh_digest_ctx *hashctx = NULL; 961 size_t hlen, slen; 962 int r; 963 964 hlen = BN_num_bytes(host_modulus); 965 slen = BN_num_bytes(server_modulus); 966 if (hlen < (512 / 8) || (u_int)hlen > sizeof(hbuf) || 967 slen < (512 / 8) || (u_int)slen > sizeof(sbuf)) 968 return SSH_ERR_KEY_BITS_MISMATCH; 969 if (BN_bn2bin(host_modulus, hbuf) <= 0 || 970 BN_bn2bin(server_modulus, sbuf) <= 0) { 971 r = SSH_ERR_LIBCRYPTO_ERROR; 972 goto out; 973 } 974 if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) { 975 r = SSH_ERR_ALLOC_FAIL; 976 goto out; 977 } 978 if (ssh_digest_update(hashctx, hbuf, hlen) != 0 || 979 ssh_digest_update(hashctx, sbuf, slen) != 0 || 980 ssh_digest_update(hashctx, cookie, 8) != 0 || 981 ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) { 982 r = SSH_ERR_LIBCRYPTO_ERROR; 983 goto out; 984 } 985 memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5)); 986 r = 0; 987 out: 988 ssh_digest_free(hashctx); 989 explicit_bzero(hbuf, sizeof(hbuf)); 990 explicit_bzero(sbuf, sizeof(sbuf)); 991 explicit_bzero(obuf, sizeof(obuf)); 992 return r; 993 } 994 #endif 995 996 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) 997 void 998 dump_digest(char *msg, u_char *digest, int len) 999 { 1000 fprintf(stderr, "%s\n", msg); 1001 sshbuf_dump_data(digest, len, stderr); 1002 } 1003 #endif 1004