crypto/openssh/kex.c

323124Sdes/* $OpenBSD: kex.c,v 1.118 2016/05/02 10:26:04 djm Exp $ */
60573Skris/*
92555Sdes * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
60573Skris *
60573Skris * Redistribution and use in source and binary forms, with or without
60573Skris * modification, are permitted provided that the following conditions
60573Skris * are met:
60573Skris * 1. Redistributions of source code must retain the above copyright
60573Skris *    notice, this list of conditions and the following disclaimer.
60573Skris * 2. Redistributions in binary form must reproduce the above copyright
60573Skris *    notice, this list of conditions and the following disclaimer in the
60573Skris *    documentation and/or other materials provided with the distribution.
60573Skris *
60573Skris * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
60573Skris * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
60573Skris * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
60573Skris * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
60573Skris * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
60573Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
60573Skris * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
60573Skris * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
60573Skris * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
60573Skris * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
60573Skris */
60573Skris
60573Skris#include "includes.h"
60573Skris
295367Sdes#include <sys/param.h>	/* MAX roundup */
162852Sdes
162852Sdes#include <signal.h>
162852Sdes#include <stdarg.h>
162852Sdes#include <stdio.h>
162852Sdes#include <stdlib.h>
162852Sdes#include <string.h>
162852Sdes
295367Sdes#ifdef WITH_OPENSSL
76259Sgreen#include <openssl/crypto.h>
323124Sdes#include <openssl/dh.h>
295367Sdes#endif
76259Sgreen
60573Skris#include "ssh2.h"
61209Skris#include "packet.h"
60573Skris#include "compat.h"
76259Sgreen#include "cipher.h"
295367Sdes#include "sshkey.h"
60573Skris#include "kex.h"
76259Sgreen#include "log.h"
76259Sgreen#include "mac.h"
76259Sgreen#include "match.h"
295367Sdes#include "misc.h"
76259Sgreen#include "dispatch.h"
98675Sdes#include "monitor.h"
295367Sdes
295367Sdes#include "ssherr.h"
295367Sdes#include "sshbuf.h"
262566Sdes#include "digest.h"
60573Skris
162852Sdes#if OPENSSL_VERSION_NUMBER >= 0x00907000L
162852Sdes# if defined(HAVE_EVP_SHA256)
162852Sdes# define evp_ssh_sha256 EVP_sha256
162852Sdes# else
162852Sdesextern const EVP_MD *evp_ssh_sha256(void);
162852Sdes# endif
162852Sdes#endif
162852Sdes
92555Sdes/* prototype */
295367Sdesstatic int kex_choose_conf(struct ssh *);
295367Sdesstatic int kex_input_newkeys(int, u_int32_t, void *);
76259Sgreen
296781Sdesstatic const char *proposal_names[PROPOSAL_MAX] = {
296781Sdes	"KEX algorithms",
296781Sdes	"host key algorithms",
296781Sdes	"ciphers ctos",
296781Sdes	"ciphers stoc",
296781Sdes	"MACs ctos",
296781Sdes	"MACs stoc",
296781Sdes	"compression ctos",
296781Sdes	"compression stoc",
296781Sdes	"languages ctos",
296781Sdes	"languages stoc",
296781Sdes};
296781Sdes
255767Sdesstruct kexalg {
255767Sdes	char *name;
295367Sdes	u_int type;
255767Sdes	int ec_nid;
262566Sdes	int hash_alg;
255767Sdes};
255767Sdesstatic const struct kexalg kexalgs[] = {
295367Sdes#ifdef WITH_OPENSSL
262566Sdes	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
323124Sdes	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
323124Sdes	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
323124Sdes	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
323124Sdes	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
262566Sdes	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
255767Sdes#ifdef HAVE_EVP_SHA256
262566Sdes	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
295367Sdes#endif /* HAVE_EVP_SHA256 */
255767Sdes#ifdef OPENSSL_HAS_ECC
262566Sdes	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
262566Sdes	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
262566Sdes	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
262566Sdes	    SSH_DIGEST_SHA384 },
262566Sdes# ifdef OPENSSL_HAS_NISTP521
262566Sdes	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
262566Sdes	    SSH_DIGEST_SHA512 },
295367Sdes# endif /* OPENSSL_HAS_NISTP521 */
295367Sdes#endif /* OPENSSL_HAS_ECC */
295367Sdes#endif /* WITH_OPENSSL */
295367Sdes#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
262566Sdes	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
295367Sdes#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
262566Sdes	{ NULL, -1, -1, -1},
255767Sdes};
255767Sdes
255767Sdeschar *
262566Sdeskex_alg_list(char sep)
255767Sdes{
295367Sdes	char *ret = NULL, *tmp;
255767Sdes	size_t nlen, rlen = 0;
255767Sdes	const struct kexalg *k;
255767Sdes
255767Sdes	for (k = kexalgs; k->name != NULL; k++) {
255767Sdes		if (ret != NULL)
262566Sdes			ret[rlen++] = sep;
255767Sdes		nlen = strlen(k->name);
295367Sdes		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
295367Sdes			free(ret);
295367Sdes			return NULL;
295367Sdes		}
295367Sdes		ret = tmp;
255767Sdes		memcpy(ret + rlen, k->name, nlen + 1);
255767Sdes		rlen += nlen;
255767Sdes	}
255767Sdes	return ret;
255767Sdes}
255767Sdes
255767Sdesstatic const struct kexalg *
255767Sdeskex_alg_by_name(const char *name)
255767Sdes{
255767Sdes	const struct kexalg *k;
255767Sdes
255767Sdes	for (k = kexalgs; k->name != NULL; k++) {
255767Sdes		if (strcmp(k->name, name) == 0)
255767Sdes			return k;
255767Sdes	}
255767Sdes	return NULL;
255767Sdes}
255767Sdes
221420Sdes/* Validate KEX method name list */
221420Sdesint
221420Sdeskex_names_valid(const char *names)
221420Sdes{
221420Sdes	char *s, *cp, *p;
221420Sdes
221420Sdes	if (names == NULL || strcmp(names, "") == 0)
221420Sdes		return 0;
295367Sdes	if ((s = cp = strdup(names)) == NULL)
295367Sdes		return 0;
221420Sdes	for ((p = strsep(&cp, ",")); p && *p != '\0';
221420Sdes	    (p = strsep(&cp, ","))) {
255767Sdes		if (kex_alg_by_name(p) == NULL) {
221420Sdes			error("Unsupported KEX algorithm \"%.100s\"", p);
255767Sdes			free(s);
221420Sdes			return 0;
221420Sdes		}
221420Sdes	}
221420Sdes	debug3("kex names ok: [%s]", names);
255767Sdes	free(s);
221420Sdes	return 1;
221420Sdes}
221420Sdes
295367Sdes/*
295367Sdes * Concatenate algorithm names, avoiding duplicates in the process.
295367Sdes * Caller must free returned string.
295367Sdes */
295367Sdeschar *
295367Sdeskex_names_cat(const char *a, const char *b)
295367Sdes{
295367Sdes	char *ret = NULL, *tmp = NULL, *cp, *p;
295367Sdes	size_t len;
295367Sdes
295367Sdes	if (a == NULL || *a == '\0')
295367Sdes		return NULL;
295367Sdes	if (b == NULL || *b == '\0')
295367Sdes		return strdup(a);
295367Sdes	if (strlen(b) > 1024*1024)
295367Sdes		return NULL;
295367Sdes	len = strlen(a) + strlen(b) + 2;
295367Sdes	if ((tmp = cp = strdup(b)) == NULL ||
295367Sdes	    (ret = calloc(1, len)) == NULL) {
295367Sdes		free(tmp);
295367Sdes		return NULL;
295367Sdes	}
295367Sdes	strlcpy(ret, a, len);
295367Sdes	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
295367Sdes		if (match_list(ret, p, NULL) != NULL)
295367Sdes			continue; /* Algorithm already present */
295367Sdes		if (strlcat(ret, ",", len) >= len ||
295367Sdes		    strlcat(ret, p, len) >= len) {
295367Sdes			free(tmp);
295367Sdes			free(ret);
295367Sdes			return NULL; /* Shouldn't happen */
295367Sdes		}
295367Sdes	}
295367Sdes	free(tmp);
295367Sdes	return ret;
295367Sdes}
295367Sdes
295367Sdes/*
295367Sdes * Assemble a list of algorithms from a default list and a string from a
295367Sdes * configuration file. The user-provided string may begin with '+' to
295367Sdes * indicate that it should be appended to the default.
295367Sdes */
295367Sdesint
295367Sdeskex_assemble_names(const char *def, char **list)
295367Sdes{
295367Sdes	char *ret;
295367Sdes
295367Sdes	if (list == NULL || *list == NULL || **list == '\0') {
295367Sdes		*list = strdup(def);
295367Sdes		return 0;
295367Sdes	}
295367Sdes	if (**list != '+') {
295367Sdes		return 0;
295367Sdes	}
295367Sdes
295367Sdes	if ((ret = kex_names_cat(def, *list + 1)) == NULL)
295367Sdes		return SSH_ERR_ALLOC_FAIL;
295367Sdes	free(*list);
295367Sdes	*list = ret;
295367Sdes	return 0;
295367Sdes}
295367Sdes
294693Sdes/* put algorithm proposal into buffer */
295367Sdesint
295367Sdeskex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
60573Skris{
149749Sdes	u_int i;
295367Sdes	int r;
76259Sgreen
295367Sdes	sshbuf_reset(b);
295367Sdes
98675Sdes	/*
98675Sdes	 * add a dummy cookie, the cookie will be overwritten by
98675Sdes	 * kex_send_kexinit(), each time a kexinit is set
98675Sdes	 */
295367Sdes	for (i = 0; i < KEX_COOKIE_LEN; i++) {
295367Sdes		if ((r = sshbuf_put_u8(b, 0)) != 0)
295367Sdes			return r;
295367Sdes	}
295367Sdes	for (i = 0; i < PROPOSAL_MAX; i++) {
295367Sdes		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
295367Sdes			return r;
295367Sdes	}
295367Sdes	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
295367Sdes	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
295367Sdes		return r;
295367Sdes	return 0;
60573Skris}
60573Skris
76259Sgreen/* parse buffer and return algorithm proposal */
295367Sdesint
295367Sdeskex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
61209Skris{
295367Sdes	struct sshbuf *b = NULL;
295367Sdes	u_char v;
181111Sdes	u_int i;
295367Sdes	char **proposal = NULL;
295367Sdes	int r;
61209Skris
295367Sdes	*propp = NULL;
295367Sdes	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
295367Sdes		return SSH_ERR_ALLOC_FAIL;
295367Sdes	if ((b = sshbuf_fromb(raw)) == NULL) {
295367Sdes		r = SSH_ERR_ALLOC_FAIL;
295367Sdes		goto out;
295367Sdes	}
295367Sdes	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */
295367Sdes		goto out;
61209Skris	/* extract kex init proposal strings */
61209Skris	for (i = 0; i < PROPOSAL_MAX; i++) {
295367Sdes		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0)
295367Sdes			goto out;
296781Sdes		debug2("%s: %s", proposal_names[i], proposal[i]);
61209Skris	}
76259Sgreen	/* first kex follows / reserved */
295367Sdes	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
295367Sdes	    (r = sshbuf_get_u32(b, &i)) != 0)	/* reserved */
295367Sdes		goto out;
113908Sdes	if (first_kex_follows != NULL)
295367Sdes		*first_kex_follows = v;
295367Sdes	debug2("first_kex_follows %d ", v);
295367Sdes	debug2("reserved %u ", i);
295367Sdes	r = 0;
295367Sdes	*propp = proposal;
295367Sdes out:
295367Sdes	if (r != 0 && proposal != NULL)
295367Sdes		kex_prop_free(proposal);
295367Sdes	sshbuf_free(b);
295367Sdes	return r;
61209Skris}
61209Skris
295367Sdesvoid
76259Sgreenkex_prop_free(char **proposal)
60573Skris{
149749Sdes	u_int i;
60573Skris
295367Sdes	if (proposal == NULL)
295367Sdes		return;
76259Sgreen	for (i = 0; i < PROPOSAL_MAX; i++)
255767Sdes		free(proposal[i]);
255767Sdes	free(proposal);
60573Skris}
60573Skris
181111Sdes/* ARGSUSED */
295367Sdesstatic int
92555Sdeskex_protocol_error(int type, u_int32_t seq, void *ctxt)
60573Skris{
296781Sdes	struct ssh *ssh = active_state; /* XXX */
296781Sdes	int r;
296781Sdes
296781Sdes	error("kex protocol error: type %d seq %u", type, seq);
296781Sdes	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
296781Sdes	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
296781Sdes	    (r = sshpkt_send(ssh)) != 0)
296781Sdes		return r;
295367Sdes	return 0;
60573Skris}
60573Skris
92555Sdesstatic void
295367Sdeskex_reset_dispatch(struct ssh *ssh)
69587Sgreen{
295367Sdes	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
92555Sdes	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
295367Sdes	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
69587Sgreen}
69587Sgreen
296781Sdesstatic int
296781Sdeskex_send_ext_info(struct ssh *ssh)
296781Sdes{
296781Sdes	int r;
296781Sdes
296781Sdes	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
296781Sdes	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
296781Sdes	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
296781Sdes	    (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 ||
296781Sdes	    (r = sshpkt_send(ssh)) != 0)
296781Sdes		return r;
296781Sdes	return 0;
296781Sdes}
296781Sdes
295367Sdesint
295367Sdeskex_send_newkeys(struct ssh *ssh)
69587Sgreen{
295367Sdes	int r;
69587Sgreen
295367Sdes	kex_reset_dispatch(ssh);
295367Sdes	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
295367Sdes	    (r = sshpkt_send(ssh)) != 0)
295367Sdes		return r;
76259Sgreen	debug("SSH2_MSG_NEWKEYS sent");
295367Sdes	debug("expecting SSH2_MSG_NEWKEYS");
295367Sdes	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
296781Sdes	if (ssh->kex->ext_info_c)
296781Sdes		if ((r = kex_send_ext_info(ssh)) != 0)
296781Sdes			return r;
295367Sdes	return 0;
295367Sdes}
69587Sgreen
296781Sdesint
296781Sdeskex_input_ext_info(int type, u_int32_t seq, void *ctxt)
296781Sdes{
296781Sdes	struct ssh *ssh = ctxt;
296781Sdes	struct kex *kex = ssh->kex;
296781Sdes	u_int32_t i, ninfo;
296781Sdes	char *name, *val, *found;
296781Sdes	int r;
296781Sdes
296781Sdes	debug("SSH2_MSG_EXT_INFO received");
296781Sdes	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
296781Sdes	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
296781Sdes		return r;
296781Sdes	for (i = 0; i < ninfo; i++) {
296781Sdes		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
296781Sdes			return r;
296781Sdes		if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) {
296781Sdes			free(name);
296781Sdes			return r;
296781Sdes		}
296781Sdes		debug("%s: %s=<%s>", __func__, name, val);
296781Sdes		if (strcmp(name, "server-sig-algs") == 0) {
296781Sdes			found = match_list("rsa-sha2-256", val, NULL);
296781Sdes			if (found) {
296781Sdes				kex->rsa_sha2 = 256;
296781Sdes				free(found);
296781Sdes			}
296781Sdes			found = match_list("rsa-sha2-512", val, NULL);
296781Sdes			if (found) {
296781Sdes				kex->rsa_sha2 = 512;
296781Sdes				free(found);
296781Sdes			}
296781Sdes		}
296781Sdes		free(name);
296781Sdes		free(val);
296781Sdes	}
296781Sdes	return sshpkt_get_end(ssh);
296781Sdes}
296781Sdes
295367Sdesstatic int
295367Sdeskex_input_newkeys(int type, u_int32_t seq, void *ctxt)
295367Sdes{
295367Sdes	struct ssh *ssh = ctxt;
295367Sdes	struct kex *kex = ssh->kex;
295367Sdes	int r;
295367Sdes
76259Sgreen	debug("SSH2_MSG_NEWKEYS received");
295367Sdes	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
295367Sdes	if ((r = sshpkt_get_end(ssh)) != 0)
295367Sdes		return r;
76259Sgreen	kex->done = 1;
295367Sdes	sshbuf_reset(kex->peer);
295367Sdes	/* sshbuf_reset(kex->my); */
76259Sgreen	kex->flags &= ~KEX_INIT_SENT;
255767Sdes	free(kex->name);
76259Sgreen	kex->name = NULL;
295367Sdes	return 0;
69587Sgreen}
69587Sgreen
295367Sdesint
295367Sdeskex_send_kexinit(struct ssh *ssh)
60573Skris{
98675Sdes	u_char *cookie;
295367Sdes	struct kex *kex = ssh->kex;
295367Sdes	int r;
98675Sdes
295367Sdes	if (kex == NULL)
295367Sdes		return SSH_ERR_INTERNAL_ERROR;
295367Sdes	if (kex->flags & KEX_INIT_SENT)
295367Sdes		return 0;
76259Sgreen	kex->done = 0;
98675Sdes
98675Sdes	/* generate a random cookie */
295367Sdes	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN)
295367Sdes		return SSH_ERR_INVALID_FORMAT;
295367Sdes	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL)
295367Sdes		return SSH_ERR_INTERNAL_ERROR;
295367Sdes	arc4random_buf(cookie, KEX_COOKIE_LEN);
295367Sdes
295367Sdes	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
295367Sdes	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
295367Sdes	    (r = sshpkt_send(ssh)) != 0)
295367Sdes		return r;
76259Sgreen	debug("SSH2_MSG_KEXINIT sent");
76259Sgreen	kex->flags |= KEX_INIT_SENT;
295367Sdes	return 0;
60573Skris}
60573Skris
181111Sdes/* ARGSUSED */
295367Sdesint
92555Sdeskex_input_kexinit(int type, u_int32_t seq, void *ctxt)
60573Skris{
295367Sdes	struct ssh *ssh = ctxt;
295367Sdes	struct kex *kex = ssh->kex;
295367Sdes	const u_char *ptr;
295367Sdes	u_int i;
295367Sdes	size_t dlen;
295367Sdes	int r;
60573Skris
76259Sgreen	debug("SSH2_MSG_KEXINIT received");
76259Sgreen	if (kex == NULL)
295367Sdes		return SSH_ERR_INVALID_ARGUMENT;
60573Skris
295367Sdes	ptr = sshpkt_ptr(ssh, &dlen);
295367Sdes	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
295367Sdes		return r;
60573Skris
76259Sgreen	/* discard packet */
76259Sgreen	for (i = 0; i < KEX_COOKIE_LEN; i++)
295367Sdes		if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
295367Sdes			return r;
76259Sgreen	for (i = 0; i < PROPOSAL_MAX; i++)
295367Sdes		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0)
295367Sdes			return r;
248619Sdes	/*
248619Sdes	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
248619Sdes	 * KEX method has the server move first, but a server might be using
248619Sdes	 * a custom method or one that we otherwise don't support. We should
248619Sdes	 * be prepared to remember first_kex_follows here so we can eat a
248619Sdes	 * packet later.
248619Sdes	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
248619Sdes	 * for cases where the server *doesn't* go first. I guess we should
248619Sdes	 * ignore it when it is set for these cases, which is what we do now.
248619Sdes	 */
295367Sdes	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
295367Sdes	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
295367Sdes	    (r = sshpkt_get_end(ssh)) != 0)
295367Sdes			return r;
60573Skris
295367Sdes	if (!(kex->flags & KEX_INIT_SENT))
295367Sdes		if ((r = kex_send_kexinit(ssh)) != 0)
295367Sdes			return r;
295367Sdes	if ((r = kex_choose_conf(ssh)) != 0)
295367Sdes		return r;
295367Sdes
295367Sdes	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
295367Sdes		return (kex->kex[kex->kex_type])(ssh);
295367Sdes
295367Sdes	return SSH_ERR_INTERNAL_ERROR;
60573Skris}
60573Skris
295367Sdesint
295367Sdeskex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp)
69587Sgreen{
295367Sdes	struct kex *kex;
295367Sdes	int r;
69587Sgreen
295367Sdes	*kexp = NULL;
295367Sdes	if ((kex = calloc(1, sizeof(*kex))) == NULL)
295367Sdes		return SSH_ERR_ALLOC_FAIL;
295367Sdes	if ((kex->peer = sshbuf_new()) == NULL ||
295367Sdes	    (kex->my = sshbuf_new()) == NULL) {
295367Sdes		r = SSH_ERR_ALLOC_FAIL;
295367Sdes		goto out;
295367Sdes	}
295367Sdes	if ((r = kex_prop2buf(kex->my, proposal)) != 0)
295367Sdes		goto out;
76259Sgreen	kex->done = 0;
295367Sdes	kex_reset_dispatch(ssh);
295367Sdes	r = 0;
295367Sdes	*kexp = kex;
295367Sdes out:
295367Sdes	if (r != 0)
295367Sdes		kex_free(kex);
295367Sdes	return r;
295367Sdes}
69587Sgreen
295367Sdesvoid
295367Sdeskex_free_newkeys(struct newkeys *newkeys)
295367Sdes{
295367Sdes	if (newkeys == NULL)
295367Sdes		return;
295367Sdes	if (newkeys->enc.key) {
295367Sdes		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
295367Sdes		free(newkeys->enc.key);
295367Sdes		newkeys->enc.key = NULL;
295367Sdes	}
295367Sdes	if (newkeys->enc.iv) {
296781Sdes		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
295367Sdes		free(newkeys->enc.iv);
295367Sdes		newkeys->enc.iv = NULL;
295367Sdes	}
295367Sdes	free(newkeys->enc.name);
295367Sdes	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
295367Sdes	free(newkeys->comp.name);
295367Sdes	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
295367Sdes	mac_clear(&newkeys->mac);
295367Sdes	if (newkeys->mac.key) {
295367Sdes		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
295367Sdes		free(newkeys->mac.key);
295367Sdes		newkeys->mac.key = NULL;
295367Sdes	}
295367Sdes	free(newkeys->mac.name);
295367Sdes	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
295367Sdes	explicit_bzero(newkeys, sizeof(*newkeys));
295367Sdes	free(newkeys);
295367Sdes}
69587Sgreen
295367Sdesvoid
295367Sdeskex_free(struct kex *kex)
295367Sdes{
295367Sdes	u_int mode;
295367Sdes
295367Sdes#ifdef WITH_OPENSSL
295367Sdes	if (kex->dh)
295367Sdes		DH_free(kex->dh);
295367Sdes#ifdef OPENSSL_HAS_ECC
295367Sdes	if (kex->ec_client_key)
295367Sdes		EC_KEY_free(kex->ec_client_key);
295367Sdes#endif /* OPENSSL_HAS_ECC */
295367Sdes#endif /* WITH_OPENSSL */
295367Sdes	for (mode = 0; mode < MODE_MAX; mode++) {
295367Sdes		kex_free_newkeys(kex->newkeys[mode]);
295367Sdes		kex->newkeys[mode] = NULL;
295367Sdes	}
295367Sdes	sshbuf_free(kex->peer);
295367Sdes	sshbuf_free(kex->my);
295367Sdes	free(kex->session_id);
295367Sdes	free(kex->client_version_string);
295367Sdes	free(kex->server_version_string);
295367Sdes	free(kex->failed_choice);
296781Sdes	free(kex->hostkey_alg);
296781Sdes	free(kex->name);
295367Sdes	free(kex);
69587Sgreen}
69587Sgreen
295367Sdesint
295367Sdeskex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
60573Skris{
295367Sdes	int r;
60573Skris
295367Sdes	if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0)
295367Sdes		return r;
295367Sdes	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
295367Sdes		kex_free(ssh->kex);
295367Sdes		ssh->kex = NULL;
295367Sdes		return r;
60573Skris	}
295367Sdes	return 0;
60573Skris}
60573Skris
296781Sdes/*
296781Sdes * Request key re-exchange, returns 0 on success or a ssherr.h error
296781Sdes * code otherwise. Must not be called if KEX is incomplete or in-progress.
296781Sdes */
296781Sdesint
296781Sdeskex_start_rekex(struct ssh *ssh)
296781Sdes{
296781Sdes	if (ssh->kex == NULL) {
296781Sdes		error("%s: no kex", __func__);
296781Sdes		return SSH_ERR_INTERNAL_ERROR;
296781Sdes	}
296781Sdes	if (ssh->kex->done == 0) {
296781Sdes		error("%s: requested twice", __func__);
296781Sdes		return SSH_ERR_INTERNAL_ERROR;
296781Sdes	}
296781Sdes	ssh->kex->done = 0;
296781Sdes	return kex_send_kexinit(ssh);
296781Sdes}
296781Sdes
295367Sdesstatic int
295367Sdeschoose_enc(struct sshenc *enc, char *client, char *server)
60573Skris{
76259Sgreen	char *name = match_list(client, server, NULL);
295367Sdes
60573Skris	if (name == NULL)
295367Sdes		return SSH_ERR_NO_CIPHER_ALG_MATCH;
92555Sdes	if ((enc->cipher = cipher_by_name(name)) == NULL)
295367Sdes		return SSH_ERR_INTERNAL_ERROR;
60573Skris	enc->name = name;
60573Skris	enc->enabled = 0;
60573Skris	enc->iv = NULL;
248619Sdes	enc->iv_len = cipher_ivlen(enc->cipher);
60573Skris	enc->key = NULL;
92555Sdes	enc->key_len = cipher_keylen(enc->cipher);
92555Sdes	enc->block_size = cipher_blocksize(enc->cipher);
295367Sdes	return 0;
60573Skris}
162852Sdes
295367Sdesstatic int
295367Sdeschoose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
60573Skris{
76259Sgreen	char *name = match_list(client, server, NULL);
295367Sdes
60573Skris	if (name == NULL)
295367Sdes		return SSH_ERR_NO_MAC_ALG_MATCH;
181111Sdes	if (mac_setup(mac, name) < 0)
295367Sdes		return SSH_ERR_INTERNAL_ERROR;
76259Sgreen	/* truncate the key */
295367Sdes	if (ssh->compat & SSH_BUG_HMAC)
76259Sgreen		mac->key_len = 16;
60573Skris	mac->name = name;
60573Skris	mac->key = NULL;
60573Skris	mac->enabled = 0;
295367Sdes	return 0;
60573Skris}
162852Sdes
295367Sdesstatic int
295367Sdeschoose_comp(struct sshcomp *comp, char *client, char *server)
60573Skris{
76259Sgreen	char *name = match_list(client, server, NULL);
295367Sdes
60573Skris	if (name == NULL)
295367Sdes		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
149749Sdes	if (strcmp(name, "zlib@openssh.com") == 0) {
149749Sdes		comp->type = COMP_DELAYED;
149749Sdes	} else if (strcmp(name, "zlib") == 0) {
149749Sdes		comp->type = COMP_ZLIB;
60573Skris	} else if (strcmp(name, "none") == 0) {
149749Sdes		comp->type = COMP_NONE;
60573Skris	} else {
295367Sdes		return SSH_ERR_INTERNAL_ERROR;
60573Skris	}
60573Skris	comp->name = name;
295367Sdes	return 0;
60573Skris}
162852Sdes
295367Sdesstatic int
295367Sdeschoose_kex(struct kex *k, char *client, char *server)
60573Skris{
255767Sdes	const struct kexalg *kexalg;
255767Sdes
76259Sgreen	k->name = match_list(client, server, NULL);
295367Sdes
296781Sdes	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
60573Skris	if (k->name == NULL)
295367Sdes		return SSH_ERR_NO_KEX_ALG_MATCH;
255767Sdes	if ((kexalg = kex_alg_by_name(k->name)) == NULL)
295367Sdes		return SSH_ERR_INTERNAL_ERROR;
255767Sdes	k->kex_type = kexalg->type;
262566Sdes	k->hash_alg = kexalg->hash_alg;
255767Sdes	k->ec_nid = kexalg->ec_nid;
295367Sdes	return 0;
60573Skris}
157016Sdes
295367Sdesstatic int
295367Sdeschoose_hostkeyalg(struct kex *k, char *client, char *server)
60573Skris{
296781Sdes	k->hostkey_alg = match_list(client, server, NULL);
295367Sdes
296781Sdes	debug("kex: host key algorithm: %s",
296781Sdes	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
296781Sdes	if (k->hostkey_alg == NULL)
295367Sdes		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
296781Sdes	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
76259Sgreen	if (k->hostkey_type == KEY_UNSPEC)
295367Sdes		return SSH_ERR_INTERNAL_ERROR;
296781Sdes	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
295367Sdes	return 0;
60573Skris}
60573Skris
126274Sdesstatic int
113908Sdesproposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
113908Sdes{
113908Sdes	static int check[] = {
113908Sdes		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
113908Sdes	};
113908Sdes	int *idx;
113908Sdes	char *p;
113908Sdes
113908Sdes	for (idx = &check[0]; *idx != -1; idx++) {
113908Sdes		if ((p = strchr(my[*idx], ',')) != NULL)
113908Sdes			*p = '\0';
113908Sdes		if ((p = strchr(peer[*idx], ',')) != NULL)
113908Sdes			*p = '\0';
113908Sdes		if (strcmp(my[*idx], peer[*idx]) != 0) {
113908Sdes			debug2("proposal mismatch: my %s peer %s",
113908Sdes			    my[*idx], peer[*idx]);
113908Sdes			return (0);
113908Sdes		}
113908Sdes	}
113908Sdes	debug2("proposals match");
113908Sdes	return (1);
113908Sdes}
113908Sdes
295367Sdesstatic int
295367Sdeskex_choose_conf(struct ssh *ssh)
60573Skris{
295367Sdes	struct kex *kex = ssh->kex;
295367Sdes	struct newkeys *newkeys;
295367Sdes	char **my = NULL, **peer = NULL;
76259Sgreen	char **cprop, **sprop;
76259Sgreen	int nenc, nmac, ncomp;
262566Sdes	u_int mode, ctos, need, dh_need, authlen;
295367Sdes	int r, first_kex_follows;
60573Skris
296781Sdes	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
296781Sdes	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
295367Sdes		goto out;
296781Sdes	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
296781Sdes	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
296781Sdes		goto out;
60573Skris
76259Sgreen	if (kex->server) {
76259Sgreen		cprop=peer;
76259Sgreen		sprop=my;
76259Sgreen	} else {
76259Sgreen		cprop=my;
76259Sgreen		sprop=peer;
76259Sgreen	}
76259Sgreen
296781Sdes	/* Check whether client supports ext_info_c */
296781Sdes	if (kex->server) {
296781Sdes		char *ext;
295367Sdes
296781Sdes		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
296781Sdes		if (ext) {
296781Sdes			kex->ext_info_c = 1;
296781Sdes			free(ext);
204917Sdes		}
204917Sdes	}
204917Sdes
76259Sgreen	/* Algorithm Negotiation */
296781Sdes	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
296781Sdes	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
296781Sdes		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
296781Sdes		peer[PROPOSAL_KEX_ALGS] = NULL;
296781Sdes		goto out;
296781Sdes	}
296781Sdes	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
296781Sdes	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
296781Sdes		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
296781Sdes		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
296781Sdes		goto out;
296781Sdes	}
60573Skris	for (mode = 0; mode < MODE_MAX; mode++) {
295367Sdes		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
295367Sdes			r = SSH_ERR_ALLOC_FAIL;
295367Sdes			goto out;
295367Sdes		}
76259Sgreen		kex->newkeys[mode] = newkeys;
181111Sdes		ctos = (!kex->server && mode == MODE_OUT) ||
181111Sdes		    (kex->server && mode == MODE_IN);
60573Skris		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
60573Skris		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
60573Skris		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
295367Sdes		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
295367Sdes		    sprop[nenc])) != 0) {
295367Sdes			kex->failed_choice = peer[nenc];
295367Sdes			peer[nenc] = NULL;
295367Sdes			goto out;
295367Sdes		}
295367Sdes		authlen = cipher_authlen(newkeys->enc.cipher);
248619Sdes		/* ignore mac for authenticated encryption */
295367Sdes		if (authlen == 0 &&
295367Sdes		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
295367Sdes		    sprop[nmac])) != 0) {
295367Sdes			kex->failed_choice = peer[nmac];
295367Sdes			peer[nmac] = NULL;
295367Sdes			goto out;
295367Sdes		}
295367Sdes		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
295367Sdes		    sprop[ncomp])) != 0) {
295367Sdes			kex->failed_choice = peer[ncomp];
295367Sdes			peer[ncomp] = NULL;
295367Sdes			goto out;
295367Sdes		}
296781Sdes		debug("kex: %s cipher: %s MAC: %s compression: %s",
60573Skris		    ctos ? "client->server" : "server->client",
76259Sgreen		    newkeys->enc.name,
248619Sdes		    authlen == 0 ? newkeys->mac.name : "<implicit>",
76259Sgreen		    newkeys->comp.name);
60573Skris	}
262566Sdes	need = dh_need = 0;
60573Skris	for (mode = 0; mode < MODE_MAX; mode++) {
76259Sgreen		newkeys = kex->newkeys[mode];
262566Sdes		need = MAX(need, newkeys->enc.key_len);
262566Sdes		need = MAX(need, newkeys->enc.block_size);
262566Sdes		need = MAX(need, newkeys->enc.iv_len);
262566Sdes		need = MAX(need, newkeys->mac.key_len);
262566Sdes		dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));
262566Sdes		dh_need = MAX(dh_need, newkeys->enc.block_size);
262566Sdes		dh_need = MAX(dh_need, newkeys->enc.iv_len);
262566Sdes		dh_need = MAX(dh_need, newkeys->mac.key_len);
60573Skris	}
61209Skris	/* XXX need runden? */
76259Sgreen	kex->we_need = need;
262566Sdes	kex->dh_need = dh_need;
76259Sgreen
113908Sdes	/* ignore the next message if the proposals do not match */
126274Sdes	if (first_kex_follows && !proposals_match(my, peer) &&
295367Sdes	    !(ssh->compat & SSH_BUG_FIRSTKEX))
295367Sdes		ssh->dispatch_skip_packets = 1;
295367Sdes	r = 0;
295367Sdes out:
76259Sgreen	kex_prop_free(my);
76259Sgreen	kex_prop_free(peer);
295367Sdes	return r;
60573Skris}
60573Skris
295367Sdesstatic int
295367Sdesderive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
295367Sdes    const struct sshbuf *shared_secret, u_char **keyp)
60573Skris{
295367Sdes	struct kex *kex = ssh->kex;
295367Sdes	struct ssh_digest_ctx *hashctx = NULL;
76259Sgreen	char c = id;
149749Sdes	u_int have;
262566Sdes	size_t mdsz;
149749Sdes	u_char *digest;
295367Sdes	int r;
60573Skris
262566Sdes	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
295367Sdes		return SSH_ERR_INVALID_ARGUMENT;
295367Sdes	if ((digest = calloc(1, roundup(need, mdsz))) == NULL) {
295367Sdes		r = SSH_ERR_ALLOC_FAIL;
295367Sdes		goto out;
295367Sdes	}
149749Sdes
76259Sgreen	/* K1 = HASH(K || H || "A" || session_id) */
295367Sdes	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
295367Sdes	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
262566Sdes	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
262566Sdes	    ssh_digest_update(hashctx, &c, 1) != 0 ||
262566Sdes	    ssh_digest_update(hashctx, kex->session_id,
295367Sdes	    kex->session_id_len) != 0 ||
295367Sdes	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
295367Sdes		r = SSH_ERR_LIBCRYPTO_ERROR;
295367Sdes		goto out;
295367Sdes	}
262566Sdes	ssh_digest_free(hashctx);
295367Sdes	hashctx = NULL;
76259Sgreen
76259Sgreen	/*
76259Sgreen	 * expand key:
76259Sgreen	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
76259Sgreen	 * Key = K1 || K2 || ... || Kn
76259Sgreen	 */
76259Sgreen	for (have = mdsz; need > have; have += mdsz) {
295367Sdes		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
295367Sdes		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
262566Sdes		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
295367Sdes		    ssh_digest_update(hashctx, digest, have) != 0 ||
295367Sdes		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
295367Sdes			r = SSH_ERR_LIBCRYPTO_ERROR;
295367Sdes			goto out;
295367Sdes		}
262566Sdes		ssh_digest_free(hashctx);
295367Sdes		hashctx = NULL;
76259Sgreen	}
76259Sgreen#ifdef DEBUG_KEX
76259Sgreen	fprintf(stderr, "key '%c'== ", c);
76259Sgreen	dump_digest("key", digest, need);
76259Sgreen#endif
295367Sdes	*keyp = digest;
295367Sdes	digest = NULL;
295367Sdes	r = 0;
295367Sdes out:
296781Sdes	free(digest);
295367Sdes	ssh_digest_free(hashctx);
295367Sdes	return r;
76259Sgreen}
76259Sgreen
76259Sgreen#define NKEYS	6
295367Sdesint
295367Sdeskex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
295367Sdes    const struct sshbuf *shared_secret)
76259Sgreen{
295367Sdes	struct kex *kex = ssh->kex;
76259Sgreen	u_char *keys[NKEYS];
295367Sdes	u_int i, j, mode, ctos;
295367Sdes	int r;
76259Sgreen
157016Sdes	for (i = 0; i < NKEYS; i++) {
295367Sdes		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
295367Sdes		    shared_secret, &keys[i])) != 0) {
295367Sdes			for (j = 0; j < i; j++)
295367Sdes				free(keys[j]);
295367Sdes			return r;
295367Sdes		}
157016Sdes	}
60573Skris	for (mode = 0; mode < MODE_MAX; mode++) {
162852Sdes		ctos = (!kex->server && mode == MODE_OUT) ||
162852Sdes		    (kex->server && mode == MODE_IN);
295367Sdes		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
295367Sdes		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
295367Sdes		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
60573Skris	}
295367Sdes	return 0;
60573Skris}
76259Sgreen
295367Sdes#ifdef WITH_OPENSSL
295367Sdesint
295367Sdeskex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
295367Sdes    const BIGNUM *secret)
262566Sdes{
295367Sdes	struct sshbuf *shared_secret;
295367Sdes	int r;
262566Sdes
295367Sdes	if ((shared_secret = sshbuf_new()) == NULL)
295367Sdes		return SSH_ERR_ALLOC_FAIL;
295367Sdes	if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
295367Sdes		r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
295367Sdes	sshbuf_free(shared_secret);
295367Sdes	return r;
262566Sdes}
295367Sdes#endif
262566Sdes
295367Sdes#ifdef WITH_SSH1
295367Sdesint
137015Sdesderive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
137015Sdes    u_int8_t cookie[8], u_int8_t id[16])
137015Sdes{
295367Sdes	u_int8_t hbuf[2048], sbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH];
295367Sdes	struct ssh_digest_ctx *hashctx = NULL;
295367Sdes	size_t hlen, slen;
295367Sdes	int r;
137015Sdes
295367Sdes	hlen = BN_num_bytes(host_modulus);
295367Sdes	slen = BN_num_bytes(server_modulus);
295367Sdes	if (hlen < (512 / 8) || (u_int)hlen > sizeof(hbuf) ||
295367Sdes	    slen < (512 / 8) || (u_int)slen > sizeof(sbuf))
295367Sdes		return SSH_ERR_KEY_BITS_MISMATCH;
295367Sdes	if (BN_bn2bin(host_modulus, hbuf) <= 0 ||
295367Sdes	    BN_bn2bin(server_modulus, sbuf) <= 0) {
295367Sdes		r = SSH_ERR_LIBCRYPTO_ERROR;
295367Sdes		goto out;
295367Sdes	}
295367Sdes	if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) {
295367Sdes		r = SSH_ERR_ALLOC_FAIL;
295367Sdes		goto out;
295367Sdes	}
295367Sdes	if (ssh_digest_update(hashctx, hbuf, hlen) != 0 ||
295367Sdes	    ssh_digest_update(hashctx, sbuf, slen) != 0 ||
295367Sdes	    ssh_digest_update(hashctx, cookie, 8) != 0 ||
295367Sdes	    ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) {
295367Sdes		r = SSH_ERR_LIBCRYPTO_ERROR;
295367Sdes		goto out;
295367Sdes	}
262566Sdes	memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5));
295367Sdes	r = 0;
295367Sdes out:
295367Sdes	ssh_digest_free(hashctx);
295367Sdes	explicit_bzero(hbuf, sizeof(hbuf));
295367Sdes	explicit_bzero(sbuf, sizeof(sbuf));
264377Sdes	explicit_bzero(obuf, sizeof(obuf));
295367Sdes	return r;
137015Sdes}
295367Sdes#endif
137015Sdes
221420Sdes#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
76259Sgreenvoid
76259Sgreendump_digest(char *msg, u_char *digest, int len)
76259Sgreen{
76259Sgreen	fprintf(stderr, "%s\n", msg);
295367Sdes	sshbuf_dump_data(digest, len, stderr);
76259Sgreen}
76259Sgreen#endif