• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* $OpenBSD: kex.c,v 1.158 2020/03/13 04:01:56 djm Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 #include <sys/types.h>
29 #include <errno.h>
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #ifdef HAVE_POLL_H
37 #include <poll.h>
38 #endif
39 
40 #ifdef WITH_OPENSSL
41 #include <openssl/crypto.h>
42 #include <openssl/dh.h>
43 #endif
44 
45 #include "ssh.h"
46 #include "ssh2.h"
47 #include "atomicio.h"
48 #include "version.h"
49 #include "packet.h"
50 #include "compat.h"
51 #include "cipher.h"
52 #include "sshkey.h"
53 #include "kex.h"
54 #include "log.h"
55 #include "mac.h"
56 #include "match.h"
57 #include "misc.h"
58 #include "dispatch.h"
59 #include "monitor.h"
60 
61 #include "ssherr.h"
62 #include "sshbuf.h"
63 #include "digest.h"
64 
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
68 
69 static const char *proposal_names[PROPOSAL_MAX] = {
70 	"KEX algorithms",
71 	"host key algorithms",
72 	"ciphers ctos",
73 	"ciphers stoc",
74 	"MACs ctos",
75 	"MACs stoc",
76 	"compression ctos",
77 	"compression stoc",
78 	"languages ctos",
79 	"languages stoc",
80 };
81 
82 struct kexalg {
83 	char *name;
84 	u_int type;
85 	int ec_nid;
86 	int hash_alg;
87 };
88 static const struct kexalg kexalgs[] = {
89 #ifdef WITH_OPENSSL
90 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
91 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
92 	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
93 	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
94 	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
95 	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
96 #ifdef HAVE_EVP_SHA256
97 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
98 #endif /* HAVE_EVP_SHA256 */
99 #ifdef OPENSSL_HAS_ECC
100 	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
101 	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
102 	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
103 	    SSH_DIGEST_SHA384 },
104 # ifdef OPENSSL_HAS_NISTP521
105 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
106 	    SSH_DIGEST_SHA512 },
107 # endif /* OPENSSL_HAS_NISTP521 */
108 #endif /* OPENSSL_HAS_ECC */
109 #endif /* WITH_OPENSSL */
110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
111 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
112 	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
113 	{ KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0,
114 	    SSH_DIGEST_SHA512 },
115 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
116 	{ NULL, 0, -1, -1},
117 };
118 
119 char *
kex_alg_list(char sep)120 kex_alg_list(char sep)
121 {
122 	char *ret = NULL, *tmp;
123 	size_t nlen, rlen = 0;
124 	const struct kexalg *k;
125 
126 	for (k = kexalgs; k->name != NULL; k++) {
127 		if (ret != NULL)
128 			ret[rlen++] = sep;
129 		nlen = strlen(k->name);
130 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
131 			free(ret);
132 			return NULL;
133 		}
134 		ret = tmp;
135 		memcpy(ret + rlen, k->name, nlen + 1);
136 		rlen += nlen;
137 	}
138 	return ret;
139 }
140 
141 static const struct kexalg *
kex_alg_by_name(const char * name)142 kex_alg_by_name(const char *name)
143 {
144 	const struct kexalg *k;
145 
146 	for (k = kexalgs; k->name != NULL; k++) {
147 		if (strcmp(k->name, name) == 0)
148 			return k;
149 	}
150 	return NULL;
151 }
152 
153 /* Validate KEX method name list */
154 int
kex_names_valid(const char * names)155 kex_names_valid(const char *names)
156 {
157 	char *s, *cp, *p;
158 
159 	if (names == NULL || strcmp(names, "") == 0)
160 		return 0;
161 	if ((s = cp = strdup(names)) == NULL)
162 		return 0;
163 	for ((p = strsep(&cp, ",")); p && *p != '\0';
164 	    (p = strsep(&cp, ","))) {
165 		if (kex_alg_by_name(p) == NULL) {
166 			error("Unsupported KEX algorithm \"%.100s\"", p);
167 			free(s);
168 			return 0;
169 		}
170 	}
171 	debug3("kex names ok: [%s]", names);
172 	free(s);
173 	return 1;
174 }
175 
176 /*
177  * Concatenate algorithm names, avoiding duplicates in the process.
178  * Caller must free returned string.
179  */
180 char *
kex_names_cat(const char * a,const char * b)181 kex_names_cat(const char *a, const char *b)
182 {
183 	char *ret = NULL, *tmp = NULL, *cp, *p, *m;
184 	size_t len;
185 
186 	if (a == NULL || *a == '\0')
187 		return strdup(b);
188 	if (b == NULL || *b == '\0')
189 		return strdup(a);
190 	if (strlen(b) > 1024*1024)
191 		return NULL;
192 	len = strlen(a) + strlen(b) + 2;
193 	if ((tmp = cp = strdup(b)) == NULL ||
194 	    (ret = calloc(1, len)) == NULL) {
195 		free(tmp);
196 		return NULL;
197 	}
198 	strlcpy(ret, a, len);
199 	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
200 		if ((m = match_list(ret, p, NULL)) != NULL) {
201 			free(m);
202 			continue; /* Algorithm already present */
203 		}
204 		if (strlcat(ret, ",", len) >= len ||
205 		    strlcat(ret, p, len) >= len) {
206 			free(tmp);
207 			free(ret);
208 			return NULL; /* Shouldn't happen */
209 		}
210 	}
211 	free(tmp);
212 	return ret;
213 }
214 
215 /*
216  * Assemble a list of algorithms from a default list and a string from a
217  * configuration file. The user-provided string may begin with '+' to
218  * indicate that it should be appended to the default, '-' that the
219  * specified names should be removed, or '^' that they should be placed
220  * at the head.
221  */
222 int
kex_assemble_names(char ** listp,const char * def,const char * all)223 kex_assemble_names(char **listp, const char *def, const char *all)
224 {
225 	char *cp, *tmp, *patterns;
226 	char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
227 	int r = SSH_ERR_INTERNAL_ERROR;
228 
229 	if (listp == NULL || def == NULL || all == NULL)
230 		return SSH_ERR_INVALID_ARGUMENT;
231 
232 	if (*listp == NULL || **listp == '\0') {
233 		if ((*listp = strdup(def)) == NULL)
234 			return SSH_ERR_ALLOC_FAIL;
235 		return 0;
236 	}
237 
238 	list = *listp;
239 	*listp = NULL;
240 	if (*list == '+') {
241 		/* Append names to default list */
242 		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
243 			r = SSH_ERR_ALLOC_FAIL;
244 			goto fail;
245 		}
246 		free(list);
247 		list = tmp;
248 	} else if (*list == '-') {
249 		/* Remove names from default list */
250 		if ((*listp = match_filter_blacklist(def, list + 1)) == NULL) {
251 			r = SSH_ERR_ALLOC_FAIL;
252 			goto fail;
253 		}
254 		free(list);
255 		/* filtering has already been done */
256 		return 0;
257 	} else if (*list == '^') {
258 		/* Place names at head of default list */
259 		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
260 			r = SSH_ERR_ALLOC_FAIL;
261 			goto fail;
262 		}
263 		free(list);
264 		list = tmp;
265 	} else {
266 		/* Explicit list, overrides default - just use "list" as is */
267 	}
268 
269 	/*
270 	 * The supplied names may be a pattern-list. For the -list case,
271 	 * the patterns are applied above. For the +list and explicit list
272 	 * cases we need to do it now.
273 	 */
274 	ret = NULL;
275 	if ((patterns = opatterns = strdup(list)) == NULL) {
276 		r = SSH_ERR_ALLOC_FAIL;
277 		goto fail;
278 	}
279 	/* Apply positive (i.e. non-negated) patterns from the list */
280 	while ((cp = strsep(&patterns, ",")) != NULL) {
281 		if (*cp == '!') {
282 			/* negated matches are not supported here */
283 			r = SSH_ERR_INVALID_ARGUMENT;
284 			goto fail;
285 		}
286 		free(matching);
287 		if ((matching = match_filter_whitelist(all, cp)) == NULL) {
288 			r = SSH_ERR_ALLOC_FAIL;
289 			goto fail;
290 		}
291 		if ((tmp = kex_names_cat(ret, matching)) == NULL) {
292 			r = SSH_ERR_ALLOC_FAIL;
293 			goto fail;
294 		}
295 		free(ret);
296 		ret = tmp;
297 	}
298 	if (ret == NULL || *ret == '\0') {
299 		/* An empty name-list is an error */
300 		/* XXX better error code? */
301 		r = SSH_ERR_INVALID_ARGUMENT;
302 		goto fail;
303 	}
304 
305 	/* success */
306 	*listp = ret;
307 	ret = NULL;
308 	r = 0;
309 
310  fail:
311 	free(matching);
312 	free(opatterns);
313 	free(list);
314 	free(ret);
315 	return r;
316 }
317 
318 /* put algorithm proposal into buffer */
319 int
kex_prop2buf(struct sshbuf * b,char * proposal[PROPOSAL_MAX])320 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
321 {
322 	u_int i;
323 	int r;
324 
325 	sshbuf_reset(b);
326 
327 	/*
328 	 * add a dummy cookie, the cookie will be overwritten by
329 	 * kex_send_kexinit(), each time a kexinit is set
330 	 */
331 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
332 		if ((r = sshbuf_put_u8(b, 0)) != 0)
333 			return r;
334 	}
335 	for (i = 0; i < PROPOSAL_MAX; i++) {
336 		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
337 			return r;
338 	}
339 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
340 	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
341 		return r;
342 	return 0;
343 }
344 
345 /* parse buffer and return algorithm proposal */
346 int
kex_buf2prop(struct sshbuf * raw,int * first_kex_follows,char *** propp)347 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
348 {
349 	struct sshbuf *b = NULL;
350 	u_char v;
351 	u_int i;
352 	char **proposal = NULL;
353 	int r;
354 
355 	*propp = NULL;
356 	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
357 		return SSH_ERR_ALLOC_FAIL;
358 	if ((b = sshbuf_fromb(raw)) == NULL) {
359 		r = SSH_ERR_ALLOC_FAIL;
360 		goto out;
361 	}
362 	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */
363 		error("%s: consume cookie: %s", __func__, ssh_err(r));
364 		goto out;
365 	}
366 	/* extract kex init proposal strings */
367 	for (i = 0; i < PROPOSAL_MAX; i++) {
368 		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) {
369 			error("%s: parse proposal %u: %s", __func__,
370 			    i, ssh_err(r));
371 			goto out;
372 		}
373 		debug2("%s: %s", proposal_names[i], proposal[i]);
374 	}
375 	/* first kex follows / reserved */
376 	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
377 	    (r = sshbuf_get_u32(b, &i)) != 0) {	/* reserved */
378 		error("%s: parse: %s", __func__, ssh_err(r));
379 		goto out;
380 	}
381 	if (first_kex_follows != NULL)
382 		*first_kex_follows = v;
383 	debug2("first_kex_follows %d ", v);
384 	debug2("reserved %u ", i);
385 	r = 0;
386 	*propp = proposal;
387  out:
388 	if (r != 0 && proposal != NULL)
389 		kex_prop_free(proposal);
390 	sshbuf_free(b);
391 	return r;
392 }
393 
394 void
kex_prop_free(char ** proposal)395 kex_prop_free(char **proposal)
396 {
397 	u_int i;
398 
399 	if (proposal == NULL)
400 		return;
401 	for (i = 0; i < PROPOSAL_MAX; i++)
402 		free(proposal[i]);
403 	free(proposal);
404 }
405 
406 /* ARGSUSED */
407 static int
kex_protocol_error(int type,u_int32_t seq,struct ssh * ssh)408 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
409 {
410 	int r;
411 
412 	error("kex protocol error: type %d seq %u", type, seq);
413 	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
414 	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
415 	    (r = sshpkt_send(ssh)) != 0)
416 		return r;
417 	return 0;
418 }
419 
420 static void
kex_reset_dispatch(struct ssh * ssh)421 kex_reset_dispatch(struct ssh *ssh)
422 {
423 	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
424 	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
425 }
426 
427 static int
kex_send_ext_info(struct ssh * ssh)428 kex_send_ext_info(struct ssh *ssh)
429 {
430 	int r;
431 	char *algs;
432 
433 	debug("Sending SSH2_MSG_EXT_INFO");
434 	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
435 		return SSH_ERR_ALLOC_FAIL;
436 	/* XXX filter algs list by allowed pubkey/hostbased types */
437 	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
438 	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
439 	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
440 	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
441 	    (r = sshpkt_send(ssh)) != 0) {
442 		error("%s: compose: %s", __func__, ssh_err(r));
443 		goto out;
444 	}
445 	/* success */
446 	r = 0;
447  out:
448 	free(algs);
449 	return r;
450 }
451 
452 int
kex_send_newkeys(struct ssh * ssh)453 kex_send_newkeys(struct ssh *ssh)
454 {
455 	int r;
456 
457 	kex_reset_dispatch(ssh);
458 	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
459 	    (r = sshpkt_send(ssh)) != 0)
460 		return r;
461 	debug("SSH2_MSG_NEWKEYS sent");
462 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
463 	if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
464 		if ((r = kex_send_ext_info(ssh)) != 0)
465 			return r;
466 	debug("expecting SSH2_MSG_NEWKEYS");
467 	return 0;
468 }
469 
470 int
kex_input_ext_info(int type,u_int32_t seq,struct ssh * ssh)471 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
472 {
473 	struct kex *kex = ssh->kex;
474 	u_int32_t i, ninfo;
475 	char *name;
476 	u_char *val;
477 	size_t vlen;
478 	int r;
479 
480 	debug("SSH2_MSG_EXT_INFO received");
481 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
482 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
483 		return r;
484 	for (i = 0; i < ninfo; i++) {
485 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
486 			return r;
487 		if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
488 			free(name);
489 			return r;
490 		}
491 		if (strcmp(name, "server-sig-algs") == 0) {
492 			/* Ensure no \0 lurking in value */
493 			if (memchr(val, '\0', vlen) != NULL) {
494 				error("%s: nul byte in %s", __func__, name);
495 				return SSH_ERR_INVALID_FORMAT;
496 			}
497 			debug("%s: %s=<%s>", __func__, name, val);
498 			kex->server_sig_algs = val;
499 			val = NULL;
500 		} else
501 			debug("%s: %s (unrecognised)", __func__, name);
502 		free(name);
503 		free(val);
504 	}
505 	return sshpkt_get_end(ssh);
506 }
507 
508 static int
kex_input_newkeys(int type,u_int32_t seq,struct ssh * ssh)509 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
510 {
511 	struct kex *kex = ssh->kex;
512 	int r;
513 
514 	debug("SSH2_MSG_NEWKEYS received");
515 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
516 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
517 	if ((r = sshpkt_get_end(ssh)) != 0)
518 		return r;
519 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
520 		return r;
521 	kex->done = 1;
522 	kex->flags &= ~KEX_INITIAL;
523 	sshbuf_reset(kex->peer);
524 	/* sshbuf_reset(kex->my); */
525 	kex->flags &= ~KEX_INIT_SENT;
526 	free(kex->name);
527 	kex->name = NULL;
528 	return 0;
529 }
530 
531 int
kex_send_kexinit(struct ssh * ssh)532 kex_send_kexinit(struct ssh *ssh)
533 {
534 	u_char *cookie;
535 	struct kex *kex = ssh->kex;
536 	int r;
537 
538 	if (kex == NULL) {
539 		error("%s: no hex", __func__);
540 		return SSH_ERR_INTERNAL_ERROR;
541 	}
542 	if (kex->flags & KEX_INIT_SENT)
543 		return 0;
544 	kex->done = 0;
545 
546 	/* generate a random cookie */
547 	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) {
548 		error("%s: bad kex length: %zu < %d", __func__,
549 		    sshbuf_len(kex->my), KEX_COOKIE_LEN);
550 		return SSH_ERR_INVALID_FORMAT;
551 	}
552 	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) {
553 		error("%s: buffer error", __func__);
554 		return SSH_ERR_INTERNAL_ERROR;
555 	}
556 	arc4random_buf(cookie, KEX_COOKIE_LEN);
557 
558 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
559 	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
560 	    (r = sshpkt_send(ssh)) != 0) {
561 		error("%s: compose reply: %s", __func__, ssh_err(r));
562 		return r;
563 	}
564 	debug("SSH2_MSG_KEXINIT sent");
565 	kex->flags |= KEX_INIT_SENT;
566 	return 0;
567 }
568 
569 /* ARGSUSED */
570 int
kex_input_kexinit(int type,u_int32_t seq,struct ssh * ssh)571 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
572 {
573 	struct kex *kex = ssh->kex;
574 	const u_char *ptr;
575 	u_int i;
576 	size_t dlen;
577 	int r;
578 
579 	debug("SSH2_MSG_KEXINIT received");
580 	if (kex == NULL) {
581 		error("%s: no hex", __func__);
582 		return SSH_ERR_INTERNAL_ERROR;
583 	}
584 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
585 	ptr = sshpkt_ptr(ssh, &dlen);
586 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
587 		return r;
588 
589 	/* discard packet */
590 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
591 		if ((r = sshpkt_get_u8(ssh, NULL)) != 0) {
592 			error("%s: discard cookie: %s", __func__, ssh_err(r));
593 			return r;
594 		}
595 	}
596 	for (i = 0; i < PROPOSAL_MAX; i++) {
597 		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
598 			error("%s: discard proposal: %s", __func__, ssh_err(r));
599 			return r;
600 		}
601 	}
602 	/*
603 	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
604 	 * KEX method has the server move first, but a server might be using
605 	 * a custom method or one that we otherwise don't support. We should
606 	 * be prepared to remember first_kex_follows here so we can eat a
607 	 * packet later.
608 	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
609 	 * for cases where the server *doesn't* go first. I guess we should
610 	 * ignore it when it is set for these cases, which is what we do now.
611 	 */
612 	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
613 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
614 	    (r = sshpkt_get_end(ssh)) != 0)
615 			return r;
616 
617 	if (!(kex->flags & KEX_INIT_SENT))
618 		if ((r = kex_send_kexinit(ssh)) != 0)
619 			return r;
620 	if ((r = kex_choose_conf(ssh)) != 0)
621 		return r;
622 
623 	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
624 		return (kex->kex[kex->kex_type])(ssh);
625 
626 	error("%s: unknown kex type %u", __func__, kex->kex_type);
627 	return SSH_ERR_INTERNAL_ERROR;
628 }
629 
630 struct kex *
kex_new(void)631 kex_new(void)
632 {
633 	struct kex *kex;
634 
635 	if ((kex = calloc(1, sizeof(*kex))) == NULL ||
636 	    (kex->peer = sshbuf_new()) == NULL ||
637 	    (kex->my = sshbuf_new()) == NULL ||
638 	    (kex->client_version = sshbuf_new()) == NULL ||
639 	    (kex->server_version = sshbuf_new()) == NULL) {
640 		kex_free(kex);
641 		return NULL;
642 	}
643 	return kex;
644 }
645 
646 void
kex_free_newkeys(struct newkeys * newkeys)647 kex_free_newkeys(struct newkeys *newkeys)
648 {
649 	if (newkeys == NULL)
650 		return;
651 	if (newkeys->enc.key) {
652 		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
653 		free(newkeys->enc.key);
654 		newkeys->enc.key = NULL;
655 	}
656 	if (newkeys->enc.iv) {
657 		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
658 		free(newkeys->enc.iv);
659 		newkeys->enc.iv = NULL;
660 	}
661 	free(newkeys->enc.name);
662 	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
663 	free(newkeys->comp.name);
664 	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
665 	mac_clear(&newkeys->mac);
666 	if (newkeys->mac.key) {
667 		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
668 		free(newkeys->mac.key);
669 		newkeys->mac.key = NULL;
670 	}
671 	free(newkeys->mac.name);
672 	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
673 	freezero(newkeys, sizeof(*newkeys));
674 }
675 
676 void
kex_free(struct kex * kex)677 kex_free(struct kex *kex)
678 {
679 	u_int mode;
680 
681 	if (kex == NULL)
682 		return;
683 
684 #ifdef WITH_OPENSSL
685 	DH_free(kex->dh);
686 #ifdef OPENSSL_HAS_ECC
687 	EC_KEY_free(kex->ec_client_key);
688 #endif /* OPENSSL_HAS_ECC */
689 #endif /* WITH_OPENSSL */
690 	for (mode = 0; mode < MODE_MAX; mode++) {
691 		kex_free_newkeys(kex->newkeys[mode]);
692 		kex->newkeys[mode] = NULL;
693 	}
694 	sshbuf_free(kex->peer);
695 	sshbuf_free(kex->my);
696 	sshbuf_free(kex->client_version);
697 	sshbuf_free(kex->server_version);
698 	sshbuf_free(kex->client_pub);
699 	free(kex->session_id);
700 	free(kex->failed_choice);
701 	free(kex->hostkey_alg);
702 	free(kex->name);
703 	free(kex);
704 }
705 
706 int
kex_ready(struct ssh * ssh,char * proposal[PROPOSAL_MAX])707 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
708 {
709 	int r;
710 
711 	if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
712 		return r;
713 	ssh->kex->flags = KEX_INITIAL;
714 	kex_reset_dispatch(ssh);
715 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
716 	return 0;
717 }
718 
719 int
kex_setup(struct ssh * ssh,char * proposal[PROPOSAL_MAX])720 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
721 {
722 	int r;
723 
724 	if ((r = kex_ready(ssh, proposal)) != 0)
725 		return r;
726 	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
727 		kex_free(ssh->kex);
728 		ssh->kex = NULL;
729 		return r;
730 	}
731 	return 0;
732 }
733 
734 /*
735  * Request key re-exchange, returns 0 on success or a ssherr.h error
736  * code otherwise. Must not be called if KEX is incomplete or in-progress.
737  */
738 int
kex_start_rekex(struct ssh * ssh)739 kex_start_rekex(struct ssh *ssh)
740 {
741 	if (ssh->kex == NULL) {
742 		error("%s: no kex", __func__);
743 		return SSH_ERR_INTERNAL_ERROR;
744 	}
745 	if (ssh->kex->done == 0) {
746 		error("%s: requested twice", __func__);
747 		return SSH_ERR_INTERNAL_ERROR;
748 	}
749 	ssh->kex->done = 0;
750 	return kex_send_kexinit(ssh);
751 }
752 
753 static int
choose_enc(struct sshenc * enc,char * client,char * server)754 choose_enc(struct sshenc *enc, char *client, char *server)
755 {
756 	char *name = match_list(client, server, NULL);
757 
758 	if (name == NULL)
759 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
760 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
761 		error("%s: unsupported cipher %s", __func__, name);
762 		free(name);
763 		return SSH_ERR_INTERNAL_ERROR;
764 	}
765 	enc->name = name;
766 	enc->enabled = 0;
767 	enc->iv = NULL;
768 	enc->iv_len = cipher_ivlen(enc->cipher);
769 	enc->key = NULL;
770 	enc->key_len = cipher_keylen(enc->cipher);
771 	enc->block_size = cipher_blocksize(enc->cipher);
772 	return 0;
773 }
774 
775 static int
choose_mac(struct ssh * ssh,struct sshmac * mac,char * client,char * server)776 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
777 {
778 	char *name = match_list(client, server, NULL);
779 
780 	if (name == NULL)
781 		return SSH_ERR_NO_MAC_ALG_MATCH;
782 	if (mac_setup(mac, name) < 0) {
783 		error("%s: unsupported MAC %s", __func__, name);
784 		free(name);
785 		return SSH_ERR_INTERNAL_ERROR;
786 	}
787 	mac->name = name;
788 	mac->key = NULL;
789 	mac->enabled = 0;
790 	return 0;
791 }
792 
793 static int
choose_comp(struct sshcomp * comp,char * client,char * server)794 choose_comp(struct sshcomp *comp, char *client, char *server)
795 {
796 	char *name = match_list(client, server, NULL);
797 
798 	if (name == NULL)
799 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
800 #ifdef WITH_ZLIB
801 	if (strcmp(name, "zlib@openssh.com") == 0) {
802 		comp->type = COMP_DELAYED;
803 	} else if (strcmp(name, "zlib") == 0) {
804 		comp->type = COMP_ZLIB;
805 	} else
806 #endif	/* WITH_ZLIB */
807 	if (strcmp(name, "none") == 0) {
808 		comp->type = COMP_NONE;
809 	} else {
810 		error("%s: unsupported compression scheme %s", __func__, name);
811 		free(name);
812 		return SSH_ERR_INTERNAL_ERROR;
813 	}
814 	comp->name = name;
815 	return 0;
816 }
817 
818 static int
choose_kex(struct kex * k,char * client,char * server)819 choose_kex(struct kex *k, char *client, char *server)
820 {
821 	const struct kexalg *kexalg;
822 
823 	k->name = match_list(client, server, NULL);
824 
825 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
826 	if (k->name == NULL)
827 		return SSH_ERR_NO_KEX_ALG_MATCH;
828 	if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
829 		error("%s: unsupported KEX method %s", __func__, k->name);
830 		return SSH_ERR_INTERNAL_ERROR;
831 	}
832 	k->kex_type = kexalg->type;
833 	k->hash_alg = kexalg->hash_alg;
834 	k->ec_nid = kexalg->ec_nid;
835 	return 0;
836 }
837 
838 static int
choose_hostkeyalg(struct kex * k,char * client,char * server)839 choose_hostkeyalg(struct kex *k, char *client, char *server)
840 {
841 	k->hostkey_alg = match_list(client, server, NULL);
842 
843 	debug("kex: host key algorithm: %s",
844 	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
845 	if (k->hostkey_alg == NULL)
846 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
847 	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
848 	if (k->hostkey_type == KEY_UNSPEC) {
849 		error("%s: unsupported hostkey algorithm %s", __func__,
850 		    k->hostkey_alg);
851 		return SSH_ERR_INTERNAL_ERROR;
852 	}
853 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
854 	return 0;
855 }
856 
857 static int
proposals_match(char * my[PROPOSAL_MAX],char * peer[PROPOSAL_MAX])858 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
859 {
860 	static int check[] = {
861 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
862 	};
863 	int *idx;
864 	char *p;
865 
866 	for (idx = &check[0]; *idx != -1; idx++) {
867 		if ((p = strchr(my[*idx], ',')) != NULL)
868 			*p = '\0';
869 		if ((p = strchr(peer[*idx], ',')) != NULL)
870 			*p = '\0';
871 		if (strcmp(my[*idx], peer[*idx]) != 0) {
872 			debug2("proposal mismatch: my %s peer %s",
873 			    my[*idx], peer[*idx]);
874 			return (0);
875 		}
876 	}
877 	debug2("proposals match");
878 	return (1);
879 }
880 
881 static int
kex_choose_conf(struct ssh * ssh)882 kex_choose_conf(struct ssh *ssh)
883 {
884 	struct kex *kex = ssh->kex;
885 	struct newkeys *newkeys;
886 	char **my = NULL, **peer = NULL;
887 	char **cprop, **sprop;
888 	int nenc, nmac, ncomp;
889 	u_int mode, ctos, need, dh_need, authlen;
890 	int r, first_kex_follows;
891 
892 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
893 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
894 		goto out;
895 	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
896 	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
897 		goto out;
898 
899 	if (kex->server) {
900 		cprop=peer;
901 		sprop=my;
902 	} else {
903 		cprop=my;
904 		sprop=peer;
905 	}
906 
907 	/* Check whether client supports ext_info_c */
908 	if (kex->server && (kex->flags & KEX_INITIAL)) {
909 		char *ext;
910 
911 		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
912 		kex->ext_info_c = (ext != NULL);
913 		free(ext);
914 	}
915 
916 	/* Algorithm Negotiation */
917 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
918 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
919 		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
920 		peer[PROPOSAL_KEX_ALGS] = NULL;
921 		goto out;
922 	}
923 	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
924 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
925 		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
926 		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
927 		goto out;
928 	}
929 	for (mode = 0; mode < MODE_MAX; mode++) {
930 		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
931 			r = SSH_ERR_ALLOC_FAIL;
932 			goto out;
933 		}
934 		kex->newkeys[mode] = newkeys;
935 		ctos = (!kex->server && mode == MODE_OUT) ||
936 		    (kex->server && mode == MODE_IN);
937 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
938 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
939 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
940 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
941 		    sprop[nenc])) != 0) {
942 			kex->failed_choice = peer[nenc];
943 			peer[nenc] = NULL;
944 			goto out;
945 		}
946 		authlen = cipher_authlen(newkeys->enc.cipher);
947 		/* ignore mac for authenticated encryption */
948 		if (authlen == 0 &&
949 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
950 		    sprop[nmac])) != 0) {
951 			kex->failed_choice = peer[nmac];
952 			peer[nmac] = NULL;
953 			goto out;
954 		}
955 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
956 		    sprop[ncomp])) != 0) {
957 			kex->failed_choice = peer[ncomp];
958 			peer[ncomp] = NULL;
959 			goto out;
960 		}
961 		debug("kex: %s cipher: %s MAC: %s compression: %s",
962 		    ctos ? "client->server" : "server->client",
963 		    newkeys->enc.name,
964 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
965 		    newkeys->comp.name);
966 	}
967 	need = dh_need = 0;
968 	for (mode = 0; mode < MODE_MAX; mode++) {
969 		newkeys = kex->newkeys[mode];
970 		need = MAXIMUM(need, newkeys->enc.key_len);
971 		need = MAXIMUM(need, newkeys->enc.block_size);
972 		need = MAXIMUM(need, newkeys->enc.iv_len);
973 		need = MAXIMUM(need, newkeys->mac.key_len);
974 		dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
975 		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
976 		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
977 		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
978 	}
979 	/* XXX need runden? */
980 	kex->we_need = need;
981 	kex->dh_need = dh_need;
982 
983 	/* ignore the next message if the proposals do not match */
984 	if (first_kex_follows && !proposals_match(my, peer))
985 		ssh->dispatch_skip_packets = 1;
986 	r = 0;
987  out:
988 	kex_prop_free(my);
989 	kex_prop_free(peer);
990 	return r;
991 }
992 
993 static int
derive_key(struct ssh * ssh,int id,u_int need,u_char * hash,u_int hashlen,const struct sshbuf * shared_secret,u_char ** keyp)994 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
995     const struct sshbuf *shared_secret, u_char **keyp)
996 {
997 	struct kex *kex = ssh->kex;
998 	struct ssh_digest_ctx *hashctx = NULL;
999 	char c = id;
1000 	u_int have;
1001 	size_t mdsz;
1002 	u_char *digest;
1003 	int r;
1004 
1005 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
1006 		return SSH_ERR_INVALID_ARGUMENT;
1007 	if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
1008 		r = SSH_ERR_ALLOC_FAIL;
1009 		goto out;
1010 	}
1011 
1012 	/* K1 = HASH(K || H || "A" || session_id) */
1013 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1014 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1015 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1016 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
1017 	    ssh_digest_update(hashctx, kex->session_id,
1018 	    kex->session_id_len) != 0 ||
1019 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
1020 		r = SSH_ERR_LIBCRYPTO_ERROR;
1021 		error("%s: KEX hash failed", __func__);
1022 		goto out;
1023 	}
1024 	ssh_digest_free(hashctx);
1025 	hashctx = NULL;
1026 
1027 	/*
1028 	 * expand key:
1029 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
1030 	 * Key = K1 || K2 || ... || Kn
1031 	 */
1032 	for (have = mdsz; need > have; have += mdsz) {
1033 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1034 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1035 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1036 		    ssh_digest_update(hashctx, digest, have) != 0 ||
1037 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
1038 			error("%s: KDF failed", __func__);
1039 			r = SSH_ERR_LIBCRYPTO_ERROR;
1040 			goto out;
1041 		}
1042 		ssh_digest_free(hashctx);
1043 		hashctx = NULL;
1044 	}
1045 #ifdef DEBUG_KEX
1046 	fprintf(stderr, "key '%c'== ", c);
1047 	dump_digest("key", digest, need);
1048 #endif
1049 	*keyp = digest;
1050 	digest = NULL;
1051 	r = 0;
1052  out:
1053 	free(digest);
1054 	ssh_digest_free(hashctx);
1055 	return r;
1056 }
1057 
1058 #define NKEYS	6
1059 int
kex_derive_keys(struct ssh * ssh,u_char * hash,u_int hashlen,const struct sshbuf * shared_secret)1060 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
1061     const struct sshbuf *shared_secret)
1062 {
1063 	struct kex *kex = ssh->kex;
1064 	u_char *keys[NKEYS];
1065 	u_int i, j, mode, ctos;
1066 	int r;
1067 
1068 	/* save initial hash as session id */
1069 	if (kex->session_id == NULL) {
1070 		kex->session_id_len = hashlen;
1071 		kex->session_id = malloc(kex->session_id_len);
1072 		if (kex->session_id == NULL)
1073 			return SSH_ERR_ALLOC_FAIL;
1074 		memcpy(kex->session_id, hash, kex->session_id_len);
1075 	}
1076 	for (i = 0; i < NKEYS; i++) {
1077 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1078 		    shared_secret, &keys[i])) != 0) {
1079 			for (j = 0; j < i; j++)
1080 				free(keys[j]);
1081 			return r;
1082 		}
1083 	}
1084 	for (mode = 0; mode < MODE_MAX; mode++) {
1085 		ctos = (!kex->server && mode == MODE_OUT) ||
1086 		    (kex->server && mode == MODE_IN);
1087 		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
1088 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1089 		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1090 	}
1091 	return 0;
1092 }
1093 
1094 int
kex_load_hostkey(struct ssh * ssh,struct sshkey ** prvp,struct sshkey ** pubp)1095 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
1096 {
1097 	struct kex *kex = ssh->kex;
1098 
1099 	*pubp = NULL;
1100 	*prvp = NULL;
1101 	if (kex->load_host_public_key == NULL ||
1102 	    kex->load_host_private_key == NULL) {
1103 		error("%s: missing hostkey loader", __func__);
1104 		return SSH_ERR_INVALID_ARGUMENT;
1105 	}
1106 	*pubp = kex->load_host_public_key(kex->hostkey_type,
1107 	    kex->hostkey_nid, ssh);
1108 	*prvp = kex->load_host_private_key(kex->hostkey_type,
1109 	    kex->hostkey_nid, ssh);
1110 	if (*pubp == NULL)
1111 		return SSH_ERR_NO_HOSTKEY_LOADED;
1112 	return 0;
1113 }
1114 
1115 int
kex_verify_host_key(struct ssh * ssh,struct sshkey * server_host_key)1116 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
1117 {
1118 	struct kex *kex = ssh->kex;
1119 
1120 	if (kex->verify_host_key == NULL) {
1121 		error("%s: missing hostkey verifier", __func__);
1122 		return SSH_ERR_INVALID_ARGUMENT;
1123 	}
1124 	if (server_host_key->type != kex->hostkey_type ||
1125 	    (kex->hostkey_type == KEY_ECDSA &&
1126 	    server_host_key->ecdsa_nid != kex->hostkey_nid))
1127 		return SSH_ERR_KEY_TYPE_MISMATCH;
1128 	if (kex->verify_host_key(server_host_key, ssh) == -1)
1129 		return  SSH_ERR_SIGNATURE_INVALID;
1130 	return 0;
1131 }
1132 
1133 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1134 void
dump_digest(const char * msg,const u_char * digest,int len)1135 dump_digest(const char *msg, const u_char *digest, int len)
1136 {
1137 	fprintf(stderr, "%s\n", msg);
1138 	sshbuf_dump_data(digest, len, stderr);
1139 }
1140 #endif
1141 
1142 /*
1143  * Send a plaintext error message to the peer, suffixed by \r\n.
1144  * Only used during banner exchange, and there only for the server.
1145  */
1146 static void
send_error(struct ssh * ssh,char * msg)1147 send_error(struct ssh *ssh, char *msg)
1148 {
1149 	char *crnl = "\r\n";
1150 
1151 	if (!ssh->kex->server)
1152 		return;
1153 
1154 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1155 	    msg, strlen(msg)) != strlen(msg) ||
1156 	    atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1157 	    crnl, strlen(crnl)) != strlen(crnl))
1158 		error("%s: write: %.100s", __func__, strerror(errno));
1159 }
1160 
1161 /*
1162  * Sends our identification string and waits for the peer's. Will block for
1163  * up to timeout_ms (or indefinitely if timeout_ms <= 0).
1164  * Returns on 0 success or a ssherr.h code on failure.
1165  */
1166 int
kex_exchange_identification(struct ssh * ssh,int timeout_ms,const char * version_addendum)1167 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
1168     const char *version_addendum)
1169 {
1170 	int remote_major, remote_minor, mismatch, oerrno = 0;
1171 	size_t len, i, n;
1172 	int r, expect_nl;
1173 	u_char c;
1174 	struct sshbuf *our_version = ssh->kex->server ?
1175 	    ssh->kex->server_version : ssh->kex->client_version;
1176 	struct sshbuf *peer_version = ssh->kex->server ?
1177 	    ssh->kex->client_version : ssh->kex->server_version;
1178 	char *our_version_string = NULL, *peer_version_string = NULL;
1179 	char *cp, *remote_version = NULL;
1180 
1181 	/* Prepare and send our banner */
1182 	sshbuf_reset(our_version);
1183 	if (version_addendum != NULL && *version_addendum == '\0')
1184 		version_addendum = NULL;
1185 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
1186 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
1187 	    version_addendum == NULL ? "" : " ",
1188 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
1189 		oerrno = errno;
1190 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
1191 		goto out;
1192 	}
1193 
1194 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1195 	    sshbuf_mutable_ptr(our_version),
1196 	    sshbuf_len(our_version)) != sshbuf_len(our_version)) {
1197 		oerrno = errno;
1198 		debug("%s: write: %.100s", __func__, strerror(errno));
1199 		r = SSH_ERR_SYSTEM_ERROR;
1200 		goto out;
1201 	}
1202 	if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
1203 		oerrno = errno;
1204 		error("%s: sshbuf_consume_end: %s", __func__, ssh_err(r));
1205 		goto out;
1206 	}
1207 	our_version_string = sshbuf_dup_string(our_version);
1208 	if (our_version_string == NULL) {
1209 		error("%s: sshbuf_dup_string failed", __func__);
1210 		r = SSH_ERR_ALLOC_FAIL;
1211 		goto out;
1212 	}
1213 	debug("Local version string %.100s", our_version_string);
1214 
1215 	/* Read other side's version identification. */
1216 	for (n = 0; ; n++) {
1217 		if (n >= SSH_MAX_PRE_BANNER_LINES) {
1218 			send_error(ssh, "No SSH identification string "
1219 			    "received.");
1220 			error("%s: No SSH version received in first %u lines "
1221 			    "from server", __func__, SSH_MAX_PRE_BANNER_LINES);
1222 			r = SSH_ERR_INVALID_FORMAT;
1223 			goto out;
1224 		}
1225 		sshbuf_reset(peer_version);
1226 		expect_nl = 0;
1227 		for (i = 0; ; i++) {
1228 			if (timeout_ms > 0) {
1229 				r = waitrfd(ssh_packet_get_connection_in(ssh),
1230 				    &timeout_ms);
1231 				if (r == -1 && errno == ETIMEDOUT) {
1232 					send_error(ssh, "Timed out waiting "
1233 					    "for SSH identification string.");
1234 					error("Connection timed out during "
1235 					    "banner exchange");
1236 					r = SSH_ERR_CONN_TIMEOUT;
1237 					goto out;
1238 				} else if (r == -1) {
1239 					oerrno = errno;
1240 					error("%s: %s",
1241 					    __func__, strerror(errno));
1242 					r = SSH_ERR_SYSTEM_ERROR;
1243 					goto out;
1244 				}
1245 			}
1246 
1247 			len = atomicio(read, ssh_packet_get_connection_in(ssh),
1248 			    &c, 1);
1249 			if (len != 1 && errno == EPIPE) {
1250 				error("%s: Connection closed by remote host",
1251 				    __func__);
1252 				r = SSH_ERR_CONN_CLOSED;
1253 				goto out;
1254 			} else if (len != 1) {
1255 				oerrno = errno;
1256 				error("%s: read: %.100s",
1257 				    __func__, strerror(errno));
1258 				r = SSH_ERR_SYSTEM_ERROR;
1259 				goto out;
1260 			}
1261 			if (c == '\r') {
1262 				expect_nl = 1;
1263 				continue;
1264 			}
1265 			if (c == '\n')
1266 				break;
1267 			if (c == '\0' || expect_nl) {
1268 				error("%s: banner line contains invalid "
1269 				    "characters", __func__);
1270 				goto invalid;
1271 			}
1272 			if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
1273 				oerrno = errno;
1274 				error("%s: sshbuf_put: %s",
1275 				    __func__, ssh_err(r));
1276 				goto out;
1277 			}
1278 			if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
1279 				error("%s: banner line too long", __func__);
1280 				goto invalid;
1281 			}
1282 		}
1283 		/* Is this an actual protocol banner? */
1284 		if (sshbuf_len(peer_version) > 4 &&
1285 		    memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
1286 			break;
1287 		/* If not, then just log the line and continue */
1288 		if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
1289 			error("%s: sshbuf_dup_string failed", __func__);
1290 			r = SSH_ERR_ALLOC_FAIL;
1291 			goto out;
1292 		}
1293 		/* Do not accept lines before the SSH ident from a client */
1294 		if (ssh->kex->server) {
1295 			error("%s: client sent invalid protocol identifier "
1296 			    "\"%.256s\"", __func__, cp);
1297 			free(cp);
1298 			goto invalid;
1299 		}
1300 		debug("%s: banner line %zu: %s", __func__, n, cp);
1301 		free(cp);
1302 	}
1303 	peer_version_string = sshbuf_dup_string(peer_version);
1304 	if (peer_version_string == NULL)
1305 		error("%s: sshbuf_dup_string failed", __func__);
1306 	/* XXX must be same size for sscanf */
1307 	if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
1308 		error("%s: calloc failed", __func__);
1309 		r = SSH_ERR_ALLOC_FAIL;
1310 		goto out;
1311 	}
1312 
1313 	/*
1314 	 * Check that the versions match.  In future this might accept
1315 	 * several versions and set appropriate flags to handle them.
1316 	 */
1317 	if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
1318 	    &remote_major, &remote_minor, remote_version) != 3) {
1319 		error("Bad remote protocol version identification: '%.100s'",
1320 		    peer_version_string);
1321  invalid:
1322 		send_error(ssh, "Invalid SSH identification string.");
1323 		r = SSH_ERR_INVALID_FORMAT;
1324 		goto out;
1325 	}
1326 	debug("Remote protocol version %d.%d, remote software version %.100s",
1327 	    remote_major, remote_minor, remote_version);
1328 	ssh->compat = compat_datafellows(remote_version);
1329 
1330 	mismatch = 0;
1331 	switch (remote_major) {
1332 	case 2:
1333 		break;
1334 	case 1:
1335 		if (remote_minor != 99)
1336 			mismatch = 1;
1337 		break;
1338 	default:
1339 		mismatch = 1;
1340 		break;
1341 	}
1342 	if (mismatch) {
1343 		error("Protocol major versions differ: %d vs. %d",
1344 		    PROTOCOL_MAJOR_2, remote_major);
1345 		send_error(ssh, "Protocol major versions differ.");
1346 		r = SSH_ERR_NO_PROTOCOL_VERSION;
1347 		goto out;
1348 	}
1349 
1350 	if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
1351 		logit("probed from %s port %d with %s.  Don't panic.",
1352 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1353 		    peer_version_string);
1354 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1355 		goto out;
1356 	}
1357 	if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
1358 		logit("scanned from %s port %d with %s.  Don't panic.",
1359 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1360 		    peer_version_string);
1361 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1362 		goto out;
1363 	}
1364 	if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
1365 		logit("Remote version \"%.100s\" uses unsafe RSA signature "
1366 		    "scheme; disabling use of RSA keys", remote_version);
1367 	}
1368 	/* success */
1369 	r = 0;
1370  out:
1371 	free(our_version_string);
1372 	free(peer_version_string);
1373 	free(remote_version);
1374 	if (r == SSH_ERR_SYSTEM_ERROR)
1375 		errno = oerrno;
1376 	return r;
1377 }
1378 
1379