xref: /openssh-portable/kex.c (revision 4ca6a1fa)
1 /* $OpenBSD: kex.c,v 1.164 2021/01/27 09:26:54 djm Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 #include <sys/types.h>
29 #include <errno.h>
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #ifdef HAVE_POLL_H
37 #include <poll.h>
38 #endif
39 
40 #ifdef WITH_OPENSSL
41 #include <openssl/crypto.h>
42 #include <openssl/dh.h>
43 #endif
44 
45 #include "ssh.h"
46 #include "ssh2.h"
47 #include "atomicio.h"
48 #include "version.h"
49 #include "packet.h"
50 #include "compat.h"
51 #include "cipher.h"
52 #include "sshkey.h"
53 #include "kex.h"
54 #include "log.h"
55 #include "mac.h"
56 #include "match.h"
57 #include "misc.h"
58 #include "dispatch.h"
59 #include "monitor.h"
60 
61 #include "ssherr.h"
62 #include "sshbuf.h"
63 #include "digest.h"
64 
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
68 
69 static const char *proposal_names[PROPOSAL_MAX] = {
70 	"KEX algorithms",
71 	"host key algorithms",
72 	"ciphers ctos",
73 	"ciphers stoc",
74 	"MACs ctos",
75 	"MACs stoc",
76 	"compression ctos",
77 	"compression stoc",
78 	"languages ctos",
79 	"languages stoc",
80 };
81 
82 struct kexalg {
83 	char *name;
84 	u_int type;
85 	int ec_nid;
86 	int hash_alg;
87 };
88 static const struct kexalg kexalgs[] = {
89 #ifdef WITH_OPENSSL
90 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
91 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
92 	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
93 	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
94 	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
95 	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
96 #ifdef HAVE_EVP_SHA256
97 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
98 #endif /* HAVE_EVP_SHA256 */
99 #ifdef OPENSSL_HAS_ECC
100 	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
101 	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
102 	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
103 	    SSH_DIGEST_SHA384 },
104 # ifdef OPENSSL_HAS_NISTP521
105 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
106 	    SSH_DIGEST_SHA512 },
107 # endif /* OPENSSL_HAS_NISTP521 */
108 #endif /* OPENSSL_HAS_ECC */
109 #endif /* WITH_OPENSSL */
110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
111 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
112 	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
113 #ifdef USE_SNTRUP761X25519
114 	{ KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0,
115 	    SSH_DIGEST_SHA512 },
116 #endif
117 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
118 	{ NULL, 0, -1, -1},
119 };
120 
121 char *
122 kex_alg_list(char sep)
123 {
124 	char *ret = NULL, *tmp;
125 	size_t nlen, rlen = 0;
126 	const struct kexalg *k;
127 
128 	for (k = kexalgs; k->name != NULL; k++) {
129 		if (ret != NULL)
130 			ret[rlen++] = sep;
131 		nlen = strlen(k->name);
132 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
133 			free(ret);
134 			return NULL;
135 		}
136 		ret = tmp;
137 		memcpy(ret + rlen, k->name, nlen + 1);
138 		rlen += nlen;
139 	}
140 	return ret;
141 }
142 
143 static const struct kexalg *
144 kex_alg_by_name(const char *name)
145 {
146 	const struct kexalg *k;
147 
148 	for (k = kexalgs; k->name != NULL; k++) {
149 		if (strcmp(k->name, name) == 0)
150 			return k;
151 	}
152 	return NULL;
153 }
154 
155 /* Validate KEX method name list */
156 int
157 kex_names_valid(const char *names)
158 {
159 	char *s, *cp, *p;
160 
161 	if (names == NULL || strcmp(names, "") == 0)
162 		return 0;
163 	if ((s = cp = strdup(names)) == NULL)
164 		return 0;
165 	for ((p = strsep(&cp, ",")); p && *p != '\0';
166 	    (p = strsep(&cp, ","))) {
167 		if (kex_alg_by_name(p) == NULL) {
168 			error("Unsupported KEX algorithm \"%.100s\"", p);
169 			free(s);
170 			return 0;
171 		}
172 	}
173 	debug3("kex names ok: [%s]", names);
174 	free(s);
175 	return 1;
176 }
177 
178 /*
179  * Concatenate algorithm names, avoiding duplicates in the process.
180  * Caller must free returned string.
181  */
182 char *
183 kex_names_cat(const char *a, const char *b)
184 {
185 	char *ret = NULL, *tmp = NULL, *cp, *p, *m;
186 	size_t len;
187 
188 	if (a == NULL || *a == '\0')
189 		return strdup(b);
190 	if (b == NULL || *b == '\0')
191 		return strdup(a);
192 	if (strlen(b) > 1024*1024)
193 		return NULL;
194 	len = strlen(a) + strlen(b) + 2;
195 	if ((tmp = cp = strdup(b)) == NULL ||
196 	    (ret = calloc(1, len)) == NULL) {
197 		free(tmp);
198 		return NULL;
199 	}
200 	strlcpy(ret, a, len);
201 	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
202 		if ((m = match_list(ret, p, NULL)) != NULL) {
203 			free(m);
204 			continue; /* Algorithm already present */
205 		}
206 		if (strlcat(ret, ",", len) >= len ||
207 		    strlcat(ret, p, len) >= len) {
208 			free(tmp);
209 			free(ret);
210 			return NULL; /* Shouldn't happen */
211 		}
212 	}
213 	free(tmp);
214 	return ret;
215 }
216 
217 /*
218  * Assemble a list of algorithms from a default list and a string from a
219  * configuration file. The user-provided string may begin with '+' to
220  * indicate that it should be appended to the default, '-' that the
221  * specified names should be removed, or '^' that they should be placed
222  * at the head.
223  */
224 int
225 kex_assemble_names(char **listp, const char *def, const char *all)
226 {
227 	char *cp, *tmp, *patterns;
228 	char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
229 	int r = SSH_ERR_INTERNAL_ERROR;
230 
231 	if (listp == NULL || def == NULL || all == NULL)
232 		return SSH_ERR_INVALID_ARGUMENT;
233 
234 	if (*listp == NULL || **listp == '\0') {
235 		if ((*listp = strdup(def)) == NULL)
236 			return SSH_ERR_ALLOC_FAIL;
237 		return 0;
238 	}
239 
240 	list = *listp;
241 	*listp = NULL;
242 	if (*list == '+') {
243 		/* Append names to default list */
244 		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
245 			r = SSH_ERR_ALLOC_FAIL;
246 			goto fail;
247 		}
248 		free(list);
249 		list = tmp;
250 	} else if (*list == '-') {
251 		/* Remove names from default list */
252 		if ((*listp = match_filter_denylist(def, list + 1)) == NULL) {
253 			r = SSH_ERR_ALLOC_FAIL;
254 			goto fail;
255 		}
256 		free(list);
257 		/* filtering has already been done */
258 		return 0;
259 	} else if (*list == '^') {
260 		/* Place names at head of default list */
261 		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
262 			r = SSH_ERR_ALLOC_FAIL;
263 			goto fail;
264 		}
265 		free(list);
266 		list = tmp;
267 	} else {
268 		/* Explicit list, overrides default - just use "list" as is */
269 	}
270 
271 	/*
272 	 * The supplied names may be a pattern-list. For the -list case,
273 	 * the patterns are applied above. For the +list and explicit list
274 	 * cases we need to do it now.
275 	 */
276 	ret = NULL;
277 	if ((patterns = opatterns = strdup(list)) == NULL) {
278 		r = SSH_ERR_ALLOC_FAIL;
279 		goto fail;
280 	}
281 	/* Apply positive (i.e. non-negated) patterns from the list */
282 	while ((cp = strsep(&patterns, ",")) != NULL) {
283 		if (*cp == '!') {
284 			/* negated matches are not supported here */
285 			r = SSH_ERR_INVALID_ARGUMENT;
286 			goto fail;
287 		}
288 		free(matching);
289 		if ((matching = match_filter_allowlist(all, cp)) == NULL) {
290 			r = SSH_ERR_ALLOC_FAIL;
291 			goto fail;
292 		}
293 		if ((tmp = kex_names_cat(ret, matching)) == NULL) {
294 			r = SSH_ERR_ALLOC_FAIL;
295 			goto fail;
296 		}
297 		free(ret);
298 		ret = tmp;
299 	}
300 	if (ret == NULL || *ret == '\0') {
301 		/* An empty name-list is an error */
302 		/* XXX better error code? */
303 		r = SSH_ERR_INVALID_ARGUMENT;
304 		goto fail;
305 	}
306 
307 	/* success */
308 	*listp = ret;
309 	ret = NULL;
310 	r = 0;
311 
312  fail:
313 	free(matching);
314 	free(opatterns);
315 	free(list);
316 	free(ret);
317 	return r;
318 }
319 
320 /* put algorithm proposal into buffer */
321 int
322 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
323 {
324 	u_int i;
325 	int r;
326 
327 	sshbuf_reset(b);
328 
329 	/*
330 	 * add a dummy cookie, the cookie will be overwritten by
331 	 * kex_send_kexinit(), each time a kexinit is set
332 	 */
333 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
334 		if ((r = sshbuf_put_u8(b, 0)) != 0)
335 			return r;
336 	}
337 	for (i = 0; i < PROPOSAL_MAX; i++) {
338 		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
339 			return r;
340 	}
341 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
342 	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
343 		return r;
344 	return 0;
345 }
346 
347 /* parse buffer and return algorithm proposal */
348 int
349 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
350 {
351 	struct sshbuf *b = NULL;
352 	u_char v;
353 	u_int i;
354 	char **proposal = NULL;
355 	int r;
356 
357 	*propp = NULL;
358 	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
359 		return SSH_ERR_ALLOC_FAIL;
360 	if ((b = sshbuf_fromb(raw)) == NULL) {
361 		r = SSH_ERR_ALLOC_FAIL;
362 		goto out;
363 	}
364 	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */
365 		error_fr(r, "consume cookie");
366 		goto out;
367 	}
368 	/* extract kex init proposal strings */
369 	for (i = 0; i < PROPOSAL_MAX; i++) {
370 		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) {
371 			error_fr(r, "parse proposal %u", i);
372 			goto out;
373 		}
374 		debug2("%s: %s", proposal_names[i], proposal[i]);
375 	}
376 	/* first kex follows / reserved */
377 	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
378 	    (r = sshbuf_get_u32(b, &i)) != 0) {	/* reserved */
379 		error_fr(r, "parse");
380 		goto out;
381 	}
382 	if (first_kex_follows != NULL)
383 		*first_kex_follows = v;
384 	debug2("first_kex_follows %d ", v);
385 	debug2("reserved %u ", i);
386 	r = 0;
387 	*propp = proposal;
388  out:
389 	if (r != 0 && proposal != NULL)
390 		kex_prop_free(proposal);
391 	sshbuf_free(b);
392 	return r;
393 }
394 
395 void
396 kex_prop_free(char **proposal)
397 {
398 	u_int i;
399 
400 	if (proposal == NULL)
401 		return;
402 	for (i = 0; i < PROPOSAL_MAX; i++)
403 		free(proposal[i]);
404 	free(proposal);
405 }
406 
407 /* ARGSUSED */
408 static int
409 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
410 {
411 	int r;
412 
413 	error("kex protocol error: type %d seq %u", type, seq);
414 	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
415 	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
416 	    (r = sshpkt_send(ssh)) != 0)
417 		return r;
418 	return 0;
419 }
420 
421 static void
422 kex_reset_dispatch(struct ssh *ssh)
423 {
424 	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
425 	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
426 }
427 
428 static int
429 kex_send_ext_info(struct ssh *ssh)
430 {
431 	int r;
432 	char *algs;
433 
434 	debug("Sending SSH2_MSG_EXT_INFO");
435 	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
436 		return SSH_ERR_ALLOC_FAIL;
437 	/* XXX filter algs list by allowed pubkey/hostbased types */
438 	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
439 	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
440 	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
441 	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
442 	    (r = sshpkt_send(ssh)) != 0) {
443 		error_fr(r, "compose");
444 		goto out;
445 	}
446 	/* success */
447 	r = 0;
448  out:
449 	free(algs);
450 	return r;
451 }
452 
453 int
454 kex_send_newkeys(struct ssh *ssh)
455 {
456 	int r;
457 
458 	kex_reset_dispatch(ssh);
459 	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
460 	    (r = sshpkt_send(ssh)) != 0)
461 		return r;
462 	debug("SSH2_MSG_NEWKEYS sent");
463 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
464 	if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
465 		if ((r = kex_send_ext_info(ssh)) != 0)
466 			return r;
467 	debug("expecting SSH2_MSG_NEWKEYS");
468 	return 0;
469 }
470 
471 int
472 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
473 {
474 	struct kex *kex = ssh->kex;
475 	u_int32_t i, ninfo;
476 	char *name;
477 	u_char *val;
478 	size_t vlen;
479 	int r;
480 
481 	debug("SSH2_MSG_EXT_INFO received");
482 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
483 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
484 		return r;
485 	for (i = 0; i < ninfo; i++) {
486 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
487 			return r;
488 		if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
489 			free(name);
490 			return r;
491 		}
492 		if (strcmp(name, "server-sig-algs") == 0) {
493 			/* Ensure no \0 lurking in value */
494 			if (memchr(val, '\0', vlen) != NULL) {
495 				error_f("nul byte in %s", name);
496 				return SSH_ERR_INVALID_FORMAT;
497 			}
498 			debug_f("%s=<%s>", name, val);
499 			kex->server_sig_algs = val;
500 			val = NULL;
501 		} else
502 			debug_f("%s (unrecognised)", name);
503 		free(name);
504 		free(val);
505 	}
506 	return sshpkt_get_end(ssh);
507 }
508 
509 static int
510 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
511 {
512 	struct kex *kex = ssh->kex;
513 	int r;
514 
515 	debug("SSH2_MSG_NEWKEYS received");
516 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
517 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
518 	if ((r = sshpkt_get_end(ssh)) != 0)
519 		return r;
520 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
521 		return r;
522 	kex->done = 1;
523 	kex->flags &= ~KEX_INITIAL;
524 	sshbuf_reset(kex->peer);
525 	/* sshbuf_reset(kex->my); */
526 	kex->flags &= ~KEX_INIT_SENT;
527 	free(kex->name);
528 	kex->name = NULL;
529 	return 0;
530 }
531 
532 int
533 kex_send_kexinit(struct ssh *ssh)
534 {
535 	u_char *cookie;
536 	struct kex *kex = ssh->kex;
537 	int r;
538 
539 	if (kex == NULL) {
540 		error_f("no kex");
541 		return SSH_ERR_INTERNAL_ERROR;
542 	}
543 	if (kex->flags & KEX_INIT_SENT)
544 		return 0;
545 	kex->done = 0;
546 
547 	/* generate a random cookie */
548 	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) {
549 		error_f("bad kex length: %zu < %d",
550 		    sshbuf_len(kex->my), KEX_COOKIE_LEN);
551 		return SSH_ERR_INVALID_FORMAT;
552 	}
553 	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) {
554 		error_f("buffer error");
555 		return SSH_ERR_INTERNAL_ERROR;
556 	}
557 	arc4random_buf(cookie, KEX_COOKIE_LEN);
558 
559 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
560 	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
561 	    (r = sshpkt_send(ssh)) != 0) {
562 		error_fr(r, "compose reply");
563 		return r;
564 	}
565 	debug("SSH2_MSG_KEXINIT sent");
566 	kex->flags |= KEX_INIT_SENT;
567 	return 0;
568 }
569 
570 /* ARGSUSED */
571 int
572 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
573 {
574 	struct kex *kex = ssh->kex;
575 	const u_char *ptr;
576 	u_int i;
577 	size_t dlen;
578 	int r;
579 
580 	debug("SSH2_MSG_KEXINIT received");
581 	if (kex == NULL) {
582 		error_f("no kex");
583 		return SSH_ERR_INTERNAL_ERROR;
584 	}
585 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
586 	ptr = sshpkt_ptr(ssh, &dlen);
587 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
588 		return r;
589 
590 	/* discard packet */
591 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
592 		if ((r = sshpkt_get_u8(ssh, NULL)) != 0) {
593 			error_fr(r, "discard cookie");
594 			return r;
595 		}
596 	}
597 	for (i = 0; i < PROPOSAL_MAX; i++) {
598 		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
599 			error_fr(r, "discard proposal");
600 			return r;
601 		}
602 	}
603 	/*
604 	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
605 	 * KEX method has the server move first, but a server might be using
606 	 * a custom method or one that we otherwise don't support. We should
607 	 * be prepared to remember first_kex_follows here so we can eat a
608 	 * packet later.
609 	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
610 	 * for cases where the server *doesn't* go first. I guess we should
611 	 * ignore it when it is set for these cases, which is what we do now.
612 	 */
613 	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
614 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
615 	    (r = sshpkt_get_end(ssh)) != 0)
616 			return r;
617 
618 	if (!(kex->flags & KEX_INIT_SENT))
619 		if ((r = kex_send_kexinit(ssh)) != 0)
620 			return r;
621 	if ((r = kex_choose_conf(ssh)) != 0)
622 		return r;
623 
624 	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
625 		return (kex->kex[kex->kex_type])(ssh);
626 
627 	error_f("unknown kex type %u", kex->kex_type);
628 	return SSH_ERR_INTERNAL_ERROR;
629 }
630 
631 struct kex *
632 kex_new(void)
633 {
634 	struct kex *kex;
635 
636 	if ((kex = calloc(1, sizeof(*kex))) == NULL ||
637 	    (kex->peer = sshbuf_new()) == NULL ||
638 	    (kex->my = sshbuf_new()) == NULL ||
639 	    (kex->client_version = sshbuf_new()) == NULL ||
640 	    (kex->server_version = sshbuf_new()) == NULL) {
641 		kex_free(kex);
642 		return NULL;
643 	}
644 	return kex;
645 }
646 
647 void
648 kex_free_newkeys(struct newkeys *newkeys)
649 {
650 	if (newkeys == NULL)
651 		return;
652 	if (newkeys->enc.key) {
653 		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
654 		free(newkeys->enc.key);
655 		newkeys->enc.key = NULL;
656 	}
657 	if (newkeys->enc.iv) {
658 		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
659 		free(newkeys->enc.iv);
660 		newkeys->enc.iv = NULL;
661 	}
662 	free(newkeys->enc.name);
663 	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
664 	free(newkeys->comp.name);
665 	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
666 	mac_clear(&newkeys->mac);
667 	if (newkeys->mac.key) {
668 		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
669 		free(newkeys->mac.key);
670 		newkeys->mac.key = NULL;
671 	}
672 	free(newkeys->mac.name);
673 	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
674 	freezero(newkeys, sizeof(*newkeys));
675 }
676 
677 void
678 kex_free(struct kex *kex)
679 {
680 	u_int mode;
681 
682 	if (kex == NULL)
683 		return;
684 
685 #ifdef WITH_OPENSSL
686 	DH_free(kex->dh);
687 #ifdef OPENSSL_HAS_ECC
688 	EC_KEY_free(kex->ec_client_key);
689 #endif /* OPENSSL_HAS_ECC */
690 #endif /* WITH_OPENSSL */
691 	for (mode = 0; mode < MODE_MAX; mode++) {
692 		kex_free_newkeys(kex->newkeys[mode]);
693 		kex->newkeys[mode] = NULL;
694 	}
695 	sshbuf_free(kex->peer);
696 	sshbuf_free(kex->my);
697 	sshbuf_free(kex->client_version);
698 	sshbuf_free(kex->server_version);
699 	sshbuf_free(kex->client_pub);
700 	free(kex->session_id);
701 	free(kex->failed_choice);
702 	free(kex->hostkey_alg);
703 	free(kex->name);
704 	free(kex);
705 }
706 
707 int
708 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
709 {
710 	int r;
711 
712 	if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
713 		return r;
714 	ssh->kex->flags = KEX_INITIAL;
715 	kex_reset_dispatch(ssh);
716 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
717 	return 0;
718 }
719 
720 int
721 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
722 {
723 	int r;
724 
725 	if ((r = kex_ready(ssh, proposal)) != 0)
726 		return r;
727 	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
728 		kex_free(ssh->kex);
729 		ssh->kex = NULL;
730 		return r;
731 	}
732 	return 0;
733 }
734 
735 /*
736  * Request key re-exchange, returns 0 on success or a ssherr.h error
737  * code otherwise. Must not be called if KEX is incomplete or in-progress.
738  */
739 int
740 kex_start_rekex(struct ssh *ssh)
741 {
742 	if (ssh->kex == NULL) {
743 		error_f("no kex");
744 		return SSH_ERR_INTERNAL_ERROR;
745 	}
746 	if (ssh->kex->done == 0) {
747 		error_f("requested twice");
748 		return SSH_ERR_INTERNAL_ERROR;
749 	}
750 	ssh->kex->done = 0;
751 	return kex_send_kexinit(ssh);
752 }
753 
754 static int
755 choose_enc(struct sshenc *enc, char *client, char *server)
756 {
757 	char *name = match_list(client, server, NULL);
758 
759 	if (name == NULL)
760 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
761 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
762 		error_f("unsupported cipher %s", name);
763 		free(name);
764 		return SSH_ERR_INTERNAL_ERROR;
765 	}
766 	enc->name = name;
767 	enc->enabled = 0;
768 	enc->iv = NULL;
769 	enc->iv_len = cipher_ivlen(enc->cipher);
770 	enc->key = NULL;
771 	enc->key_len = cipher_keylen(enc->cipher);
772 	enc->block_size = cipher_blocksize(enc->cipher);
773 	return 0;
774 }
775 
776 static int
777 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
778 {
779 	char *name = match_list(client, server, NULL);
780 
781 	if (name == NULL)
782 		return SSH_ERR_NO_MAC_ALG_MATCH;
783 	if (mac_setup(mac, name) < 0) {
784 		error_f("unsupported MAC %s", name);
785 		free(name);
786 		return SSH_ERR_INTERNAL_ERROR;
787 	}
788 	mac->name = name;
789 	mac->key = NULL;
790 	mac->enabled = 0;
791 	return 0;
792 }
793 
794 static int
795 choose_comp(struct sshcomp *comp, char *client, char *server)
796 {
797 	char *name = match_list(client, server, NULL);
798 
799 	if (name == NULL)
800 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
801 #ifdef WITH_ZLIB
802 	if (strcmp(name, "zlib@openssh.com") == 0) {
803 		comp->type = COMP_DELAYED;
804 	} else if (strcmp(name, "zlib") == 0) {
805 		comp->type = COMP_ZLIB;
806 	} else
807 #endif	/* WITH_ZLIB */
808 	if (strcmp(name, "none") == 0) {
809 		comp->type = COMP_NONE;
810 	} else {
811 		error_f("unsupported compression scheme %s", name);
812 		free(name);
813 		return SSH_ERR_INTERNAL_ERROR;
814 	}
815 	comp->name = name;
816 	return 0;
817 }
818 
819 static int
820 choose_kex(struct kex *k, char *client, char *server)
821 {
822 	const struct kexalg *kexalg;
823 
824 	k->name = match_list(client, server, NULL);
825 
826 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
827 	if (k->name == NULL)
828 		return SSH_ERR_NO_KEX_ALG_MATCH;
829 	if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
830 		error_f("unsupported KEX method %s", k->name);
831 		return SSH_ERR_INTERNAL_ERROR;
832 	}
833 	k->kex_type = kexalg->type;
834 	k->hash_alg = kexalg->hash_alg;
835 	k->ec_nid = kexalg->ec_nid;
836 	return 0;
837 }
838 
839 static int
840 choose_hostkeyalg(struct kex *k, char *client, char *server)
841 {
842 	free(k->hostkey_alg);
843 	k->hostkey_alg = match_list(client, server, NULL);
844 
845 	debug("kex: host key algorithm: %s",
846 	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
847 	if (k->hostkey_alg == NULL)
848 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
849 	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
850 	if (k->hostkey_type == KEY_UNSPEC) {
851 		error_f("unsupported hostkey algorithm %s", k->hostkey_alg);
852 		return SSH_ERR_INTERNAL_ERROR;
853 	}
854 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
855 	return 0;
856 }
857 
858 static int
859 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
860 {
861 	static int check[] = {
862 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
863 	};
864 	int *idx;
865 	char *p;
866 
867 	for (idx = &check[0]; *idx != -1; idx++) {
868 		if ((p = strchr(my[*idx], ',')) != NULL)
869 			*p = '\0';
870 		if ((p = strchr(peer[*idx], ',')) != NULL)
871 			*p = '\0';
872 		if (strcmp(my[*idx], peer[*idx]) != 0) {
873 			debug2("proposal mismatch: my %s peer %s",
874 			    my[*idx], peer[*idx]);
875 			return (0);
876 		}
877 	}
878 	debug2("proposals match");
879 	return (1);
880 }
881 
882 static int
883 kex_choose_conf(struct ssh *ssh)
884 {
885 	struct kex *kex = ssh->kex;
886 	struct newkeys *newkeys;
887 	char **my = NULL, **peer = NULL;
888 	char **cprop, **sprop;
889 	int nenc, nmac, ncomp;
890 	u_int mode, ctos, need, dh_need, authlen;
891 	int r, first_kex_follows;
892 
893 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
894 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
895 		goto out;
896 	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
897 	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
898 		goto out;
899 
900 	if (kex->server) {
901 		cprop=peer;
902 		sprop=my;
903 	} else {
904 		cprop=my;
905 		sprop=peer;
906 	}
907 
908 	/* Check whether client supports ext_info_c */
909 	if (kex->server && (kex->flags & KEX_INITIAL)) {
910 		char *ext;
911 
912 		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
913 		kex->ext_info_c = (ext != NULL);
914 		free(ext);
915 	}
916 
917 	/* Algorithm Negotiation */
918 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
919 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
920 		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
921 		peer[PROPOSAL_KEX_ALGS] = NULL;
922 		goto out;
923 	}
924 	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
925 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
926 		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
927 		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
928 		goto out;
929 	}
930 	for (mode = 0; mode < MODE_MAX; mode++) {
931 		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
932 			r = SSH_ERR_ALLOC_FAIL;
933 			goto out;
934 		}
935 		kex->newkeys[mode] = newkeys;
936 		ctos = (!kex->server && mode == MODE_OUT) ||
937 		    (kex->server && mode == MODE_IN);
938 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
939 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
940 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
941 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
942 		    sprop[nenc])) != 0) {
943 			kex->failed_choice = peer[nenc];
944 			peer[nenc] = NULL;
945 			goto out;
946 		}
947 		authlen = cipher_authlen(newkeys->enc.cipher);
948 		/* ignore mac for authenticated encryption */
949 		if (authlen == 0 &&
950 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
951 		    sprop[nmac])) != 0) {
952 			kex->failed_choice = peer[nmac];
953 			peer[nmac] = NULL;
954 			goto out;
955 		}
956 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
957 		    sprop[ncomp])) != 0) {
958 			kex->failed_choice = peer[ncomp];
959 			peer[ncomp] = NULL;
960 			goto out;
961 		}
962 		debug("kex: %s cipher: %s MAC: %s compression: %s",
963 		    ctos ? "client->server" : "server->client",
964 		    newkeys->enc.name,
965 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
966 		    newkeys->comp.name);
967 	}
968 	need = dh_need = 0;
969 	for (mode = 0; mode < MODE_MAX; mode++) {
970 		newkeys = kex->newkeys[mode];
971 		need = MAXIMUM(need, newkeys->enc.key_len);
972 		need = MAXIMUM(need, newkeys->enc.block_size);
973 		need = MAXIMUM(need, newkeys->enc.iv_len);
974 		need = MAXIMUM(need, newkeys->mac.key_len);
975 		dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
976 		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
977 		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
978 		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
979 	}
980 	/* XXX need runden? */
981 	kex->we_need = need;
982 	kex->dh_need = dh_need;
983 
984 	/* ignore the next message if the proposals do not match */
985 	if (first_kex_follows && !proposals_match(my, peer))
986 		ssh->dispatch_skip_packets = 1;
987 	r = 0;
988  out:
989 	kex_prop_free(my);
990 	kex_prop_free(peer);
991 	return r;
992 }
993 
994 static int
995 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
996     const struct sshbuf *shared_secret, u_char **keyp)
997 {
998 	struct kex *kex = ssh->kex;
999 	struct ssh_digest_ctx *hashctx = NULL;
1000 	char c = id;
1001 	u_int have;
1002 	size_t mdsz;
1003 	u_char *digest;
1004 	int r;
1005 
1006 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
1007 		return SSH_ERR_INVALID_ARGUMENT;
1008 	if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
1009 		r = SSH_ERR_ALLOC_FAIL;
1010 		goto out;
1011 	}
1012 
1013 	/* K1 = HASH(K || H || "A" || session_id) */
1014 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1015 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1016 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1017 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
1018 	    ssh_digest_update(hashctx, kex->session_id,
1019 	    kex->session_id_len) != 0 ||
1020 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
1021 		r = SSH_ERR_LIBCRYPTO_ERROR;
1022 		error_f("KEX hash failed");
1023 		goto out;
1024 	}
1025 	ssh_digest_free(hashctx);
1026 	hashctx = NULL;
1027 
1028 	/*
1029 	 * expand key:
1030 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
1031 	 * Key = K1 || K2 || ... || Kn
1032 	 */
1033 	for (have = mdsz; need > have; have += mdsz) {
1034 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1035 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1036 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1037 		    ssh_digest_update(hashctx, digest, have) != 0 ||
1038 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
1039 			error_f("KDF failed");
1040 			r = SSH_ERR_LIBCRYPTO_ERROR;
1041 			goto out;
1042 		}
1043 		ssh_digest_free(hashctx);
1044 		hashctx = NULL;
1045 	}
1046 #ifdef DEBUG_KEX
1047 	fprintf(stderr, "key '%c'== ", c);
1048 	dump_digest("key", digest, need);
1049 #endif
1050 	*keyp = digest;
1051 	digest = NULL;
1052 	r = 0;
1053  out:
1054 	free(digest);
1055 	ssh_digest_free(hashctx);
1056 	return r;
1057 }
1058 
1059 #define NKEYS	6
1060 int
1061 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
1062     const struct sshbuf *shared_secret)
1063 {
1064 	struct kex *kex = ssh->kex;
1065 	u_char *keys[NKEYS];
1066 	u_int i, j, mode, ctos;
1067 	int r;
1068 
1069 	/* save initial hash as session id */
1070 	if (kex->session_id == NULL) {
1071 		kex->session_id_len = hashlen;
1072 		kex->session_id = malloc(kex->session_id_len);
1073 		if (kex->session_id == NULL)
1074 			return SSH_ERR_ALLOC_FAIL;
1075 		memcpy(kex->session_id, hash, kex->session_id_len);
1076 	}
1077 	for (i = 0; i < NKEYS; i++) {
1078 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1079 		    shared_secret, &keys[i])) != 0) {
1080 			for (j = 0; j < i; j++)
1081 				free(keys[j]);
1082 			return r;
1083 		}
1084 	}
1085 	for (mode = 0; mode < MODE_MAX; mode++) {
1086 		ctos = (!kex->server && mode == MODE_OUT) ||
1087 		    (kex->server && mode == MODE_IN);
1088 		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
1089 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1090 		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1091 	}
1092 	return 0;
1093 }
1094 
1095 int
1096 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
1097 {
1098 	struct kex *kex = ssh->kex;
1099 
1100 	*pubp = NULL;
1101 	*prvp = NULL;
1102 	if (kex->load_host_public_key == NULL ||
1103 	    kex->load_host_private_key == NULL) {
1104 		error_f("missing hostkey loader");
1105 		return SSH_ERR_INVALID_ARGUMENT;
1106 	}
1107 	*pubp = kex->load_host_public_key(kex->hostkey_type,
1108 	    kex->hostkey_nid, ssh);
1109 	*prvp = kex->load_host_private_key(kex->hostkey_type,
1110 	    kex->hostkey_nid, ssh);
1111 	if (*pubp == NULL)
1112 		return SSH_ERR_NO_HOSTKEY_LOADED;
1113 	return 0;
1114 }
1115 
1116 int
1117 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
1118 {
1119 	struct kex *kex = ssh->kex;
1120 
1121 	if (kex->verify_host_key == NULL) {
1122 		error_f("missing hostkey verifier");
1123 		return SSH_ERR_INVALID_ARGUMENT;
1124 	}
1125 	if (server_host_key->type != kex->hostkey_type ||
1126 	    (kex->hostkey_type == KEY_ECDSA &&
1127 	    server_host_key->ecdsa_nid != kex->hostkey_nid))
1128 		return SSH_ERR_KEY_TYPE_MISMATCH;
1129 	if (kex->verify_host_key(server_host_key, ssh) == -1)
1130 		return  SSH_ERR_SIGNATURE_INVALID;
1131 	return 0;
1132 }
1133 
1134 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1135 void
1136 dump_digest(const char *msg, const u_char *digest, int len)
1137 {
1138 	fprintf(stderr, "%s\n", msg);
1139 	sshbuf_dump_data(digest, len, stderr);
1140 }
1141 #endif
1142 
1143 /*
1144  * Send a plaintext error message to the peer, suffixed by \r\n.
1145  * Only used during banner exchange, and there only for the server.
1146  */
1147 static void
1148 send_error(struct ssh *ssh, char *msg)
1149 {
1150 	char *crnl = "\r\n";
1151 
1152 	if (!ssh->kex->server)
1153 		return;
1154 
1155 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1156 	    msg, strlen(msg)) != strlen(msg) ||
1157 	    atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1158 	    crnl, strlen(crnl)) != strlen(crnl))
1159 		error_f("write: %.100s", strerror(errno));
1160 }
1161 
1162 /*
1163  * Sends our identification string and waits for the peer's. Will block for
1164  * up to timeout_ms (or indefinitely if timeout_ms <= 0).
1165  * Returns on 0 success or a ssherr.h code on failure.
1166  */
1167 int
1168 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
1169     const char *version_addendum)
1170 {
1171 	int remote_major, remote_minor, mismatch, oerrno = 0;
1172 	size_t len, i, n;
1173 	int r, expect_nl;
1174 	u_char c;
1175 	struct sshbuf *our_version = ssh->kex->server ?
1176 	    ssh->kex->server_version : ssh->kex->client_version;
1177 	struct sshbuf *peer_version = ssh->kex->server ?
1178 	    ssh->kex->client_version : ssh->kex->server_version;
1179 	char *our_version_string = NULL, *peer_version_string = NULL;
1180 	char *cp, *remote_version = NULL;
1181 
1182 	/* Prepare and send our banner */
1183 	sshbuf_reset(our_version);
1184 	if (version_addendum != NULL && *version_addendum == '\0')
1185 		version_addendum = NULL;
1186 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
1187 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
1188 	    version_addendum == NULL ? "" : " ",
1189 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
1190 		oerrno = errno;
1191 		error_fr(r, "sshbuf_putf");
1192 		goto out;
1193 	}
1194 
1195 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1196 	    sshbuf_mutable_ptr(our_version),
1197 	    sshbuf_len(our_version)) != sshbuf_len(our_version)) {
1198 		oerrno = errno;
1199 		debug_f("write: %.100s", strerror(errno));
1200 		r = SSH_ERR_SYSTEM_ERROR;
1201 		goto out;
1202 	}
1203 	if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
1204 		oerrno = errno;
1205 		error_fr(r, "sshbuf_consume_end");
1206 		goto out;
1207 	}
1208 	our_version_string = sshbuf_dup_string(our_version);
1209 	if (our_version_string == NULL) {
1210 		error_f("sshbuf_dup_string failed");
1211 		r = SSH_ERR_ALLOC_FAIL;
1212 		goto out;
1213 	}
1214 	debug("Local version string %.100s", our_version_string);
1215 
1216 	/* Read other side's version identification. */
1217 	for (n = 0; ; n++) {
1218 		if (n >= SSH_MAX_PRE_BANNER_LINES) {
1219 			send_error(ssh, "No SSH identification string "
1220 			    "received.");
1221 			error_f("No SSH version received in first %u lines "
1222 			    "from server", SSH_MAX_PRE_BANNER_LINES);
1223 			r = SSH_ERR_INVALID_FORMAT;
1224 			goto out;
1225 		}
1226 		sshbuf_reset(peer_version);
1227 		expect_nl = 0;
1228 		for (i = 0; ; i++) {
1229 			if (timeout_ms > 0) {
1230 				r = waitrfd(ssh_packet_get_connection_in(ssh),
1231 				    &timeout_ms);
1232 				if (r == -1 && errno == ETIMEDOUT) {
1233 					send_error(ssh, "Timed out waiting "
1234 					    "for SSH identification string.");
1235 					error("Connection timed out during "
1236 					    "banner exchange");
1237 					r = SSH_ERR_CONN_TIMEOUT;
1238 					goto out;
1239 				} else if (r == -1) {
1240 					oerrno = errno;
1241 					error_f("%s", strerror(errno));
1242 					r = SSH_ERR_SYSTEM_ERROR;
1243 					goto out;
1244 				}
1245 			}
1246 
1247 			len = atomicio(read, ssh_packet_get_connection_in(ssh),
1248 			    &c, 1);
1249 			if (len != 1 && errno == EPIPE) {
1250 				error_f("Connection closed by remote host");
1251 				r = SSH_ERR_CONN_CLOSED;
1252 				goto out;
1253 			} else if (len != 1) {
1254 				oerrno = errno;
1255 				error_f("read: %.100s", strerror(errno));
1256 				r = SSH_ERR_SYSTEM_ERROR;
1257 				goto out;
1258 			}
1259 			if (c == '\r') {
1260 				expect_nl = 1;
1261 				continue;
1262 			}
1263 			if (c == '\n')
1264 				break;
1265 			if (c == '\0' || expect_nl) {
1266 				error_f("banner line contains invalid "
1267 				    "characters");
1268 				goto invalid;
1269 			}
1270 			if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
1271 				oerrno = errno;
1272 				error_fr(r, "sshbuf_put");
1273 				goto out;
1274 			}
1275 			if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
1276 				error_f("banner line too long");
1277 				goto invalid;
1278 			}
1279 		}
1280 		/* Is this an actual protocol banner? */
1281 		if (sshbuf_len(peer_version) > 4 &&
1282 		    memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
1283 			break;
1284 		/* If not, then just log the line and continue */
1285 		if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
1286 			error_f("sshbuf_dup_string failed");
1287 			r = SSH_ERR_ALLOC_FAIL;
1288 			goto out;
1289 		}
1290 		/* Do not accept lines before the SSH ident from a client */
1291 		if (ssh->kex->server) {
1292 			error_f("client sent invalid protocol identifier "
1293 			    "\"%.256s\"", cp);
1294 			free(cp);
1295 			goto invalid;
1296 		}
1297 		debug_f("banner line %zu: %s", n, cp);
1298 		free(cp);
1299 	}
1300 	peer_version_string = sshbuf_dup_string(peer_version);
1301 	if (peer_version_string == NULL)
1302 		error_f("sshbuf_dup_string failed");
1303 	/* XXX must be same size for sscanf */
1304 	if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
1305 		error_f("calloc failed");
1306 		r = SSH_ERR_ALLOC_FAIL;
1307 		goto out;
1308 	}
1309 
1310 	/*
1311 	 * Check that the versions match.  In future this might accept
1312 	 * several versions and set appropriate flags to handle them.
1313 	 */
1314 	if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
1315 	    &remote_major, &remote_minor, remote_version) != 3) {
1316 		error("Bad remote protocol version identification: '%.100s'",
1317 		    peer_version_string);
1318  invalid:
1319 		send_error(ssh, "Invalid SSH identification string.");
1320 		r = SSH_ERR_INVALID_FORMAT;
1321 		goto out;
1322 	}
1323 	debug("Remote protocol version %d.%d, remote software version %.100s",
1324 	    remote_major, remote_minor, remote_version);
1325 	compat_banner(ssh, remote_version);
1326 
1327 	mismatch = 0;
1328 	switch (remote_major) {
1329 	case 2:
1330 		break;
1331 	case 1:
1332 		if (remote_minor != 99)
1333 			mismatch = 1;
1334 		break;
1335 	default:
1336 		mismatch = 1;
1337 		break;
1338 	}
1339 	if (mismatch) {
1340 		error("Protocol major versions differ: %d vs. %d",
1341 		    PROTOCOL_MAJOR_2, remote_major);
1342 		send_error(ssh, "Protocol major versions differ.");
1343 		r = SSH_ERR_NO_PROTOCOL_VERSION;
1344 		goto out;
1345 	}
1346 
1347 	if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
1348 		logit("probed from %s port %d with %s.  Don't panic.",
1349 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1350 		    peer_version_string);
1351 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1352 		goto out;
1353 	}
1354 	if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
1355 		logit("scanned from %s port %d with %s.  Don't panic.",
1356 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1357 		    peer_version_string);
1358 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1359 		goto out;
1360 	}
1361 	if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
1362 		logit("Remote version \"%.100s\" uses unsafe RSA signature "
1363 		    "scheme; disabling use of RSA keys", remote_version);
1364 	}
1365 	/* success */
1366 	r = 0;
1367  out:
1368 	free(our_version_string);
1369 	free(peer_version_string);
1370 	free(remote_version);
1371 	if (r == SSH_ERR_SYSTEM_ERROR)
1372 		errno = oerrno;
1373 	return r;
1374 }
1375 
1376