1 /* $OpenBSD: kex.c,v 1.134 2017/06/13 12:13:59 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include "includes.h" 27 28 29 #include <signal.h> 30 #include <stdarg.h> 31 #include <stdio.h> 32 #include <stdlib.h> 33 #include <string.h> 34 35 #ifdef WITH_OPENSSL 36 #include <openssl/crypto.h> 37 #include <openssl/dh.h> 38 #endif 39 40 #include "ssh2.h" 41 #include "packet.h" 42 #include "compat.h" 43 #include "cipher.h" 44 #include "sshkey.h" 45 #include "kex.h" 46 #include "log.h" 47 #include "mac.h" 48 #include "match.h" 49 #include "misc.h" 50 #include "dispatch.h" 51 #include "monitor.h" 52 53 #include "ssherr.h" 54 #include "sshbuf.h" 55 #include "digest.h" 56 57 /* prototype */ 58 static int kex_choose_conf(struct ssh *); 59 static int kex_input_newkeys(int, u_int32_t, struct ssh *); 60 61 static const char *proposal_names[PROPOSAL_MAX] = { 62 "KEX algorithms", 63 "host key algorithms", 64 "ciphers ctos", 65 "ciphers stoc", 66 "MACs ctos", 67 "MACs stoc", 68 "compression ctos", 69 "compression stoc", 70 "languages ctos", 71 "languages stoc", 72 }; 73 74 struct kexalg { 75 char *name; 76 u_int type; 77 int ec_nid; 78 int hash_alg; 79 }; 80 static const struct kexalg kexalgs[] = { 81 #ifdef WITH_OPENSSL 82 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, 83 { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, 84 { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, 85 { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, 86 { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, 87 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, 88 #ifdef HAVE_EVP_SHA256 89 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, 90 #endif /* HAVE_EVP_SHA256 */ 91 #ifdef OPENSSL_HAS_ECC 92 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, 93 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 94 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, 95 SSH_DIGEST_SHA384 }, 96 # ifdef OPENSSL_HAS_NISTP521 97 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, 98 SSH_DIGEST_SHA512 }, 99 # endif /* OPENSSL_HAS_NISTP521 */ 100 #endif /* OPENSSL_HAS_ECC */ 101 #endif /* WITH_OPENSSL */ 102 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) 103 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 104 { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 105 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 106 { NULL, -1, -1, -1}, 107 }; 108 109 char * 110 kex_alg_list(char sep) 111 { 112 char *ret = NULL, *tmp; 113 size_t nlen, rlen = 0; 114 const struct kexalg *k; 115 116 for (k = kexalgs; k->name != NULL; k++) { 117 if (ret != NULL) 118 ret[rlen++] = sep; 119 nlen = strlen(k->name); 120 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 121 free(ret); 122 return NULL; 123 } 124 ret = tmp; 125 memcpy(ret + rlen, k->name, nlen + 1); 126 rlen += nlen; 127 } 128 return ret; 129 } 130 131 static const struct kexalg * 132 kex_alg_by_name(const char *name) 133 { 134 const struct kexalg *k; 135 136 for (k = kexalgs; k->name != NULL; k++) { 137 if (strcmp(k->name, name) == 0) 138 return k; 139 } 140 return NULL; 141 } 142 143 /* Validate KEX method name list */ 144 int 145 kex_names_valid(const char *names) 146 { 147 char *s, *cp, *p; 148 149 if (names == NULL || strcmp(names, "") == 0) 150 return 0; 151 if ((s = cp = strdup(names)) == NULL) 152 return 0; 153 for ((p = strsep(&cp, ",")); p && *p != '\0'; 154 (p = strsep(&cp, ","))) { 155 if (kex_alg_by_name(p) == NULL) { 156 error("Unsupported KEX algorithm \"%.100s\"", p); 157 free(s); 158 return 0; 159 } 160 } 161 debug3("kex names ok: [%s]", names); 162 free(s); 163 return 1; 164 } 165 166 /* 167 * Concatenate algorithm names, avoiding duplicates in the process. 168 * Caller must free returned string. 169 */ 170 char * 171 kex_names_cat(const char *a, const char *b) 172 { 173 char *ret = NULL, *tmp = NULL, *cp, *p, *m; 174 size_t len; 175 176 if (a == NULL || *a == '\0') 177 return NULL; 178 if (b == NULL || *b == '\0') 179 return strdup(a); 180 if (strlen(b) > 1024*1024) 181 return NULL; 182 len = strlen(a) + strlen(b) + 2; 183 if ((tmp = cp = strdup(b)) == NULL || 184 (ret = calloc(1, len)) == NULL) { 185 free(tmp); 186 return NULL; 187 } 188 strlcpy(ret, a, len); 189 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { 190 if ((m = match_list(ret, p, NULL)) != NULL) { 191 free(m); 192 continue; /* Algorithm already present */ 193 } 194 if (strlcat(ret, ",", len) >= len || 195 strlcat(ret, p, len) >= len) { 196 free(tmp); 197 free(ret); 198 return NULL; /* Shouldn't happen */ 199 } 200 } 201 free(tmp); 202 return ret; 203 } 204 205 /* 206 * Assemble a list of algorithms from a default list and a string from a 207 * configuration file. The user-provided string may begin with '+' to 208 * indicate that it should be appended to the default or '-' that the 209 * specified names should be removed. 210 */ 211 int 212 kex_assemble_names(const char *def, char **list) 213 { 214 char *ret; 215 216 if (list == NULL || *list == NULL || **list == '\0') { 217 *list = strdup(def); 218 return 0; 219 } 220 if (**list == '+') { 221 if ((ret = kex_names_cat(def, *list + 1)) == NULL) 222 return SSH_ERR_ALLOC_FAIL; 223 free(*list); 224 *list = ret; 225 } else if (**list == '-') { 226 if ((ret = match_filter_list(def, *list + 1)) == NULL) 227 return SSH_ERR_ALLOC_FAIL; 228 free(*list); 229 *list = ret; 230 } 231 232 return 0; 233 } 234 235 /* put algorithm proposal into buffer */ 236 int 237 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) 238 { 239 u_int i; 240 int r; 241 242 sshbuf_reset(b); 243 244 /* 245 * add a dummy cookie, the cookie will be overwritten by 246 * kex_send_kexinit(), each time a kexinit is set 247 */ 248 for (i = 0; i < KEX_COOKIE_LEN; i++) { 249 if ((r = sshbuf_put_u8(b, 0)) != 0) 250 return r; 251 } 252 for (i = 0; i < PROPOSAL_MAX; i++) { 253 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0) 254 return r; 255 } 256 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */ 257 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */ 258 return r; 259 return 0; 260 } 261 262 /* parse buffer and return algorithm proposal */ 263 int 264 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) 265 { 266 struct sshbuf *b = NULL; 267 u_char v; 268 u_int i; 269 char **proposal = NULL; 270 int r; 271 272 *propp = NULL; 273 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL) 274 return SSH_ERR_ALLOC_FAIL; 275 if ((b = sshbuf_fromb(raw)) == NULL) { 276 r = SSH_ERR_ALLOC_FAIL; 277 goto out; 278 } 279 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */ 280 goto out; 281 /* extract kex init proposal strings */ 282 for (i = 0; i < PROPOSAL_MAX; i++) { 283 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) 284 goto out; 285 debug2("%s: %s", proposal_names[i], proposal[i]); 286 } 287 /* first kex follows / reserved */ 288 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ 289 (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */ 290 goto out; 291 if (first_kex_follows != NULL) 292 *first_kex_follows = v; 293 debug2("first_kex_follows %d ", v); 294 debug2("reserved %u ", i); 295 r = 0; 296 *propp = proposal; 297 out: 298 if (r != 0 && proposal != NULL) 299 kex_prop_free(proposal); 300 sshbuf_free(b); 301 return r; 302 } 303 304 void 305 kex_prop_free(char **proposal) 306 { 307 u_int i; 308 309 if (proposal == NULL) 310 return; 311 for (i = 0; i < PROPOSAL_MAX; i++) 312 free(proposal[i]); 313 free(proposal); 314 } 315 316 /* ARGSUSED */ 317 static int 318 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) 319 { 320 int r; 321 322 error("kex protocol error: type %d seq %u", type, seq); 323 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || 324 (r = sshpkt_put_u32(ssh, seq)) != 0 || 325 (r = sshpkt_send(ssh)) != 0) 326 return r; 327 return 0; 328 } 329 330 static void 331 kex_reset_dispatch(struct ssh *ssh) 332 { 333 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN, 334 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); 335 } 336 337 static int 338 kex_send_ext_info(struct ssh *ssh) 339 { 340 int r; 341 char *algs; 342 343 if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL) 344 return SSH_ERR_ALLOC_FAIL; 345 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || 346 (r = sshpkt_put_u32(ssh, 1)) != 0 || 347 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || 348 (r = sshpkt_put_cstring(ssh, algs)) != 0 || 349 (r = sshpkt_send(ssh)) != 0) 350 goto out; 351 /* success */ 352 r = 0; 353 out: 354 free(algs); 355 return r; 356 } 357 358 int 359 kex_send_newkeys(struct ssh *ssh) 360 { 361 int r; 362 363 kex_reset_dispatch(ssh); 364 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 || 365 (r = sshpkt_send(ssh)) != 0) 366 return r; 367 debug("SSH2_MSG_NEWKEYS sent"); 368 debug("expecting SSH2_MSG_NEWKEYS"); 369 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); 370 if (ssh->kex->ext_info_c) 371 if ((r = kex_send_ext_info(ssh)) != 0) 372 return r; 373 return 0; 374 } 375 376 int 377 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) 378 { 379 struct kex *kex = ssh->kex; 380 u_int32_t i, ninfo; 381 char *name, *found; 382 u_char *val; 383 size_t vlen; 384 int r; 385 386 debug("SSH2_MSG_EXT_INFO received"); 387 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); 388 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) 389 return r; 390 for (i = 0; i < ninfo; i++) { 391 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) 392 return r; 393 if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) { 394 free(name); 395 return r; 396 } 397 if (strcmp(name, "server-sig-algs") == 0) { 398 /* Ensure no \0 lurking in value */ 399 if (memchr(val, '\0', vlen) != NULL) { 400 error("%s: nul byte in %s", __func__, name); 401 return SSH_ERR_INVALID_FORMAT; 402 } 403 debug("%s: %s=<%s>", __func__, name, val); 404 found = match_list("rsa-sha2-256", val, NULL); 405 if (found) { 406 kex->rsa_sha2 = 256; 407 free(found); 408 } 409 found = match_list("rsa-sha2-512", val, NULL); 410 if (found) { 411 kex->rsa_sha2 = 512; 412 free(found); 413 } 414 } else 415 debug("%s: %s (unrecognised)", __func__, name); 416 free(name); 417 free(val); 418 } 419 return sshpkt_get_end(ssh); 420 } 421 422 static int 423 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh) 424 { 425 struct kex *kex = ssh->kex; 426 int r; 427 428 debug("SSH2_MSG_NEWKEYS received"); 429 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); 430 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 431 if ((r = sshpkt_get_end(ssh)) != 0) 432 return r; 433 if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) 434 return r; 435 kex->done = 1; 436 sshbuf_reset(kex->peer); 437 /* sshbuf_reset(kex->my); */ 438 kex->flags &= ~KEX_INIT_SENT; 439 free(kex->name); 440 kex->name = NULL; 441 return 0; 442 } 443 444 int 445 kex_send_kexinit(struct ssh *ssh) 446 { 447 u_char *cookie; 448 struct kex *kex = ssh->kex; 449 int r; 450 451 if (kex == NULL) 452 return SSH_ERR_INTERNAL_ERROR; 453 if (kex->flags & KEX_INIT_SENT) 454 return 0; 455 kex->done = 0; 456 457 /* generate a random cookie */ 458 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) 459 return SSH_ERR_INVALID_FORMAT; 460 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) 461 return SSH_ERR_INTERNAL_ERROR; 462 arc4random_buf(cookie, KEX_COOKIE_LEN); 463 464 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || 465 (r = sshpkt_putb(ssh, kex->my)) != 0 || 466 (r = sshpkt_send(ssh)) != 0) 467 return r; 468 debug("SSH2_MSG_KEXINIT sent"); 469 kex->flags |= KEX_INIT_SENT; 470 return 0; 471 } 472 473 /* ARGSUSED */ 474 int 475 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) 476 { 477 struct kex *kex = ssh->kex; 478 const u_char *ptr; 479 u_int i; 480 size_t dlen; 481 int r; 482 483 debug("SSH2_MSG_KEXINIT received"); 484 if (kex == NULL) 485 return SSH_ERR_INVALID_ARGUMENT; 486 487 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); 488 ptr = sshpkt_ptr(ssh, &dlen); 489 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) 490 return r; 491 492 /* discard packet */ 493 for (i = 0; i < KEX_COOKIE_LEN; i++) 494 if ((r = sshpkt_get_u8(ssh, NULL)) != 0) 495 return r; 496 for (i = 0; i < PROPOSAL_MAX; i++) 497 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) 498 return r; 499 /* 500 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported 501 * KEX method has the server move first, but a server might be using 502 * a custom method or one that we otherwise don't support. We should 503 * be prepared to remember first_kex_follows here so we can eat a 504 * packet later. 505 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means 506 * for cases where the server *doesn't* go first. I guess we should 507 * ignore it when it is set for these cases, which is what we do now. 508 */ 509 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */ 510 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */ 511 (r = sshpkt_get_end(ssh)) != 0) 512 return r; 513 514 if (!(kex->flags & KEX_INIT_SENT)) 515 if ((r = kex_send_kexinit(ssh)) != 0) 516 return r; 517 if ((r = kex_choose_conf(ssh)) != 0) 518 return r; 519 520 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) 521 return (kex->kex[kex->kex_type])(ssh); 522 523 return SSH_ERR_INTERNAL_ERROR; 524 } 525 526 int 527 kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp) 528 { 529 struct kex *kex; 530 int r; 531 532 *kexp = NULL; 533 if ((kex = calloc(1, sizeof(*kex))) == NULL) 534 return SSH_ERR_ALLOC_FAIL; 535 if ((kex->peer = sshbuf_new()) == NULL || 536 (kex->my = sshbuf_new()) == NULL) { 537 r = SSH_ERR_ALLOC_FAIL; 538 goto out; 539 } 540 if ((r = kex_prop2buf(kex->my, proposal)) != 0) 541 goto out; 542 kex->done = 0; 543 kex_reset_dispatch(ssh); 544 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 545 r = 0; 546 *kexp = kex; 547 out: 548 if (r != 0) 549 kex_free(kex); 550 return r; 551 } 552 553 void 554 kex_free_newkeys(struct newkeys *newkeys) 555 { 556 if (newkeys == NULL) 557 return; 558 if (newkeys->enc.key) { 559 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len); 560 free(newkeys->enc.key); 561 newkeys->enc.key = NULL; 562 } 563 if (newkeys->enc.iv) { 564 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); 565 free(newkeys->enc.iv); 566 newkeys->enc.iv = NULL; 567 } 568 free(newkeys->enc.name); 569 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc)); 570 free(newkeys->comp.name); 571 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp)); 572 mac_clear(&newkeys->mac); 573 if (newkeys->mac.key) { 574 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len); 575 free(newkeys->mac.key); 576 newkeys->mac.key = NULL; 577 } 578 free(newkeys->mac.name); 579 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac)); 580 explicit_bzero(newkeys, sizeof(*newkeys)); 581 free(newkeys); 582 } 583 584 void 585 kex_free(struct kex *kex) 586 { 587 u_int mode; 588 589 #ifdef WITH_OPENSSL 590 if (kex->dh) 591 DH_free(kex->dh); 592 #ifdef OPENSSL_HAS_ECC 593 if (kex->ec_client_key) 594 EC_KEY_free(kex->ec_client_key); 595 #endif /* OPENSSL_HAS_ECC */ 596 #endif /* WITH_OPENSSL */ 597 for (mode = 0; mode < MODE_MAX; mode++) { 598 kex_free_newkeys(kex->newkeys[mode]); 599 kex->newkeys[mode] = NULL; 600 } 601 sshbuf_free(kex->peer); 602 sshbuf_free(kex->my); 603 free(kex->session_id); 604 free(kex->client_version_string); 605 free(kex->server_version_string); 606 free(kex->failed_choice); 607 free(kex->hostkey_alg); 608 free(kex->name); 609 free(kex); 610 } 611 612 int 613 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) 614 { 615 int r; 616 617 if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0) 618 return r; 619 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */ 620 kex_free(ssh->kex); 621 ssh->kex = NULL; 622 return r; 623 } 624 return 0; 625 } 626 627 /* 628 * Request key re-exchange, returns 0 on success or a ssherr.h error 629 * code otherwise. Must not be called if KEX is incomplete or in-progress. 630 */ 631 int 632 kex_start_rekex(struct ssh *ssh) 633 { 634 if (ssh->kex == NULL) { 635 error("%s: no kex", __func__); 636 return SSH_ERR_INTERNAL_ERROR; 637 } 638 if (ssh->kex->done == 0) { 639 error("%s: requested twice", __func__); 640 return SSH_ERR_INTERNAL_ERROR; 641 } 642 ssh->kex->done = 0; 643 return kex_send_kexinit(ssh); 644 } 645 646 static int 647 choose_enc(struct sshenc *enc, char *client, char *server) 648 { 649 char *name = match_list(client, server, NULL); 650 651 if (name == NULL) 652 return SSH_ERR_NO_CIPHER_ALG_MATCH; 653 if ((enc->cipher = cipher_by_name(name)) == NULL) { 654 free(name); 655 return SSH_ERR_INTERNAL_ERROR; 656 } 657 enc->name = name; 658 enc->enabled = 0; 659 enc->iv = NULL; 660 enc->iv_len = cipher_ivlen(enc->cipher); 661 enc->key = NULL; 662 enc->key_len = cipher_keylen(enc->cipher); 663 enc->block_size = cipher_blocksize(enc->cipher); 664 return 0; 665 } 666 667 static int 668 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) 669 { 670 char *name = match_list(client, server, NULL); 671 672 if (name == NULL) 673 return SSH_ERR_NO_MAC_ALG_MATCH; 674 if (mac_setup(mac, name) < 0) { 675 free(name); 676 return SSH_ERR_INTERNAL_ERROR; 677 } 678 /* truncate the key */ 679 if (ssh->compat & SSH_BUG_HMAC) 680 mac->key_len = 16; 681 mac->name = name; 682 mac->key = NULL; 683 mac->enabled = 0; 684 return 0; 685 } 686 687 static int 688 choose_comp(struct sshcomp *comp, char *client, char *server) 689 { 690 char *name = match_list(client, server, NULL); 691 692 if (name == NULL) 693 return SSH_ERR_NO_COMPRESS_ALG_MATCH; 694 if (strcmp(name, "zlib@openssh.com") == 0) { 695 comp->type = COMP_DELAYED; 696 } else if (strcmp(name, "zlib") == 0) { 697 comp->type = COMP_ZLIB; 698 } else if (strcmp(name, "none") == 0) { 699 comp->type = COMP_NONE; 700 } else { 701 free(name); 702 return SSH_ERR_INTERNAL_ERROR; 703 } 704 comp->name = name; 705 return 0; 706 } 707 708 static int 709 choose_kex(struct kex *k, char *client, char *server) 710 { 711 const struct kexalg *kexalg; 712 713 k->name = match_list(client, server, NULL); 714 715 debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); 716 if (k->name == NULL) 717 return SSH_ERR_NO_KEX_ALG_MATCH; 718 if ((kexalg = kex_alg_by_name(k->name)) == NULL) 719 return SSH_ERR_INTERNAL_ERROR; 720 k->kex_type = kexalg->type; 721 k->hash_alg = kexalg->hash_alg; 722 k->ec_nid = kexalg->ec_nid; 723 return 0; 724 } 725 726 static int 727 choose_hostkeyalg(struct kex *k, char *client, char *server) 728 { 729 k->hostkey_alg = match_list(client, server, NULL); 730 731 debug("kex: host key algorithm: %s", 732 k->hostkey_alg ? k->hostkey_alg : "(no match)"); 733 if (k->hostkey_alg == NULL) 734 return SSH_ERR_NO_HOSTKEY_ALG_MATCH; 735 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); 736 if (k->hostkey_type == KEY_UNSPEC) 737 return SSH_ERR_INTERNAL_ERROR; 738 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); 739 return 0; 740 } 741 742 static int 743 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) 744 { 745 static int check[] = { 746 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 747 }; 748 int *idx; 749 char *p; 750 751 for (idx = &check[0]; *idx != -1; idx++) { 752 if ((p = strchr(my[*idx], ',')) != NULL) 753 *p = '\0'; 754 if ((p = strchr(peer[*idx], ',')) != NULL) 755 *p = '\0'; 756 if (strcmp(my[*idx], peer[*idx]) != 0) { 757 debug2("proposal mismatch: my %s peer %s", 758 my[*idx], peer[*idx]); 759 return (0); 760 } 761 } 762 debug2("proposals match"); 763 return (1); 764 } 765 766 static int 767 kex_choose_conf(struct ssh *ssh) 768 { 769 struct kex *kex = ssh->kex; 770 struct newkeys *newkeys; 771 char **my = NULL, **peer = NULL; 772 char **cprop, **sprop; 773 int nenc, nmac, ncomp; 774 u_int mode, ctos, need, dh_need, authlen; 775 int r, first_kex_follows; 776 777 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); 778 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) 779 goto out; 780 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); 781 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) 782 goto out; 783 784 if (kex->server) { 785 cprop=peer; 786 sprop=my; 787 } else { 788 cprop=my; 789 sprop=peer; 790 } 791 792 /* Check whether client supports ext_info_c */ 793 if (kex->server) { 794 char *ext; 795 796 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); 797 kex->ext_info_c = (ext != NULL); 798 free(ext); 799 } 800 801 /* Algorithm Negotiation */ 802 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], 803 sprop[PROPOSAL_KEX_ALGS])) != 0) { 804 kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; 805 peer[PROPOSAL_KEX_ALGS] = NULL; 806 goto out; 807 } 808 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], 809 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { 810 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; 811 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; 812 goto out; 813 } 814 for (mode = 0; mode < MODE_MAX; mode++) { 815 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { 816 r = SSH_ERR_ALLOC_FAIL; 817 goto out; 818 } 819 kex->newkeys[mode] = newkeys; 820 ctos = (!kex->server && mode == MODE_OUT) || 821 (kex->server && mode == MODE_IN); 822 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 823 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 824 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 825 if ((r = choose_enc(&newkeys->enc, cprop[nenc], 826 sprop[nenc])) != 0) { 827 kex->failed_choice = peer[nenc]; 828 peer[nenc] = NULL; 829 goto out; 830 } 831 authlen = cipher_authlen(newkeys->enc.cipher); 832 /* ignore mac for authenticated encryption */ 833 if (authlen == 0 && 834 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], 835 sprop[nmac])) != 0) { 836 kex->failed_choice = peer[nmac]; 837 peer[nmac] = NULL; 838 goto out; 839 } 840 if ((r = choose_comp(&newkeys->comp, cprop[ncomp], 841 sprop[ncomp])) != 0) { 842 kex->failed_choice = peer[ncomp]; 843 peer[ncomp] = NULL; 844 goto out; 845 } 846 debug("kex: %s cipher: %s MAC: %s compression: %s", 847 ctos ? "client->server" : "server->client", 848 newkeys->enc.name, 849 authlen == 0 ? newkeys->mac.name : "<implicit>", 850 newkeys->comp.name); 851 } 852 need = dh_need = 0; 853 for (mode = 0; mode < MODE_MAX; mode++) { 854 newkeys = kex->newkeys[mode]; 855 need = MAXIMUM(need, newkeys->enc.key_len); 856 need = MAXIMUM(need, newkeys->enc.block_size); 857 need = MAXIMUM(need, newkeys->enc.iv_len); 858 need = MAXIMUM(need, newkeys->mac.key_len); 859 dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher)); 860 dh_need = MAXIMUM(dh_need, newkeys->enc.block_size); 861 dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len); 862 dh_need = MAXIMUM(dh_need, newkeys->mac.key_len); 863 } 864 /* XXX need runden? */ 865 kex->we_need = need; 866 kex->dh_need = dh_need; 867 868 /* ignore the next message if the proposals do not match */ 869 if (first_kex_follows && !proposals_match(my, peer) && 870 !(ssh->compat & SSH_BUG_FIRSTKEX)) 871 ssh->dispatch_skip_packets = 1; 872 r = 0; 873 out: 874 kex_prop_free(my); 875 kex_prop_free(peer); 876 return r; 877 } 878 879 static int 880 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, 881 const struct sshbuf *shared_secret, u_char **keyp) 882 { 883 struct kex *kex = ssh->kex; 884 struct ssh_digest_ctx *hashctx = NULL; 885 char c = id; 886 u_int have; 887 size_t mdsz; 888 u_char *digest; 889 int r; 890 891 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) 892 return SSH_ERR_INVALID_ARGUMENT; 893 if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) { 894 r = SSH_ERR_ALLOC_FAIL; 895 goto out; 896 } 897 898 /* K1 = HASH(K || H || "A" || session_id) */ 899 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 900 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 901 ssh_digest_update(hashctx, hash, hashlen) != 0 || 902 ssh_digest_update(hashctx, &c, 1) != 0 || 903 ssh_digest_update(hashctx, kex->session_id, 904 kex->session_id_len) != 0 || 905 ssh_digest_final(hashctx, digest, mdsz) != 0) { 906 r = SSH_ERR_LIBCRYPTO_ERROR; 907 goto out; 908 } 909 ssh_digest_free(hashctx); 910 hashctx = NULL; 911 912 /* 913 * expand key: 914 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) 915 * Key = K1 || K2 || ... || Kn 916 */ 917 for (have = mdsz; need > have; have += mdsz) { 918 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 919 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 920 ssh_digest_update(hashctx, hash, hashlen) != 0 || 921 ssh_digest_update(hashctx, digest, have) != 0 || 922 ssh_digest_final(hashctx, digest + have, mdsz) != 0) { 923 r = SSH_ERR_LIBCRYPTO_ERROR; 924 goto out; 925 } 926 ssh_digest_free(hashctx); 927 hashctx = NULL; 928 } 929 #ifdef DEBUG_KEX 930 fprintf(stderr, "key '%c'== ", c); 931 dump_digest("key", digest, need); 932 #endif 933 *keyp = digest; 934 digest = NULL; 935 r = 0; 936 out: 937 free(digest); 938 ssh_digest_free(hashctx); 939 return r; 940 } 941 942 #define NKEYS 6 943 int 944 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen, 945 const struct sshbuf *shared_secret) 946 { 947 struct kex *kex = ssh->kex; 948 u_char *keys[NKEYS]; 949 u_int i, j, mode, ctos; 950 int r; 951 952 for (i = 0; i < NKEYS; i++) { 953 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, 954 shared_secret, &keys[i])) != 0) { 955 for (j = 0; j < i; j++) 956 free(keys[j]); 957 return r; 958 } 959 } 960 for (mode = 0; mode < MODE_MAX; mode++) { 961 ctos = (!kex->server && mode == MODE_OUT) || 962 (kex->server && mode == MODE_IN); 963 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1]; 964 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3]; 965 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5]; 966 } 967 return 0; 968 } 969 970 #ifdef WITH_OPENSSL 971 int 972 kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen, 973 const BIGNUM *secret) 974 { 975 struct sshbuf *shared_secret; 976 int r; 977 978 if ((shared_secret = sshbuf_new()) == NULL) 979 return SSH_ERR_ALLOC_FAIL; 980 if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0) 981 r = kex_derive_keys(ssh, hash, hashlen, shared_secret); 982 sshbuf_free(shared_secret); 983 return r; 984 } 985 #endif 986 987 988 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) 989 void 990 dump_digest(char *msg, u_char *digest, int len) 991 { 992 fprintf(stderr, "%s\n", msg); 993 sshbuf_dump_data(digest, len, stderr); 994 } 995 #endif 996