xref: /openssh-portable/kex.c (revision 553b90fe)
1 /* $OpenBSD: kex.c,v 1.162 2020/12/04 02:27:57 djm Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 #include <sys/types.h>
29 #include <errno.h>
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #ifdef HAVE_POLL_H
37 #include <poll.h>
38 #endif
39 
40 #ifdef WITH_OPENSSL
41 #include <openssl/crypto.h>
42 #include <openssl/dh.h>
43 #endif
44 
45 #include "ssh.h"
46 #include "ssh2.h"
47 #include "atomicio.h"
48 #include "version.h"
49 #include "packet.h"
50 #include "compat.h"
51 #include "cipher.h"
52 #include "sshkey.h"
53 #include "kex.h"
54 #include "log.h"
55 #include "mac.h"
56 #include "match.h"
57 #include "misc.h"
58 #include "dispatch.h"
59 #include "monitor.h"
60 
61 #include "ssherr.h"
62 #include "sshbuf.h"
63 #include "digest.h"
64 
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
68 
69 static const char *proposal_names[PROPOSAL_MAX] = {
70 	"KEX algorithms",
71 	"host key algorithms",
72 	"ciphers ctos",
73 	"ciphers stoc",
74 	"MACs ctos",
75 	"MACs stoc",
76 	"compression ctos",
77 	"compression stoc",
78 	"languages ctos",
79 	"languages stoc",
80 };
81 
82 struct kexalg {
83 	char *name;
84 	u_int type;
85 	int ec_nid;
86 	int hash_alg;
87 };
88 static const struct kexalg kexalgs[] = {
89 #ifdef WITH_OPENSSL
90 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
91 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
92 	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
93 	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
94 	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
95 	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
96 #ifdef HAVE_EVP_SHA256
97 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
98 #endif /* HAVE_EVP_SHA256 */
99 #ifdef OPENSSL_HAS_ECC
100 	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
101 	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
102 	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
103 	    SSH_DIGEST_SHA384 },
104 # ifdef OPENSSL_HAS_NISTP521
105 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
106 	    SSH_DIGEST_SHA512 },
107 # endif /* OPENSSL_HAS_NISTP521 */
108 #endif /* OPENSSL_HAS_ECC */
109 #endif /* WITH_OPENSSL */
110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
111 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
112 	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
113 	{ KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0,
114 	    SSH_DIGEST_SHA512 },
115 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
116 	{ NULL, 0, -1, -1},
117 };
118 
119 char *
120 kex_alg_list(char sep)
121 {
122 	char *ret = NULL, *tmp;
123 	size_t nlen, rlen = 0;
124 	const struct kexalg *k;
125 
126 	for (k = kexalgs; k->name != NULL; k++) {
127 		if (ret != NULL)
128 			ret[rlen++] = sep;
129 		nlen = strlen(k->name);
130 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
131 			free(ret);
132 			return NULL;
133 		}
134 		ret = tmp;
135 		memcpy(ret + rlen, k->name, nlen + 1);
136 		rlen += nlen;
137 	}
138 	return ret;
139 }
140 
141 static const struct kexalg *
142 kex_alg_by_name(const char *name)
143 {
144 	const struct kexalg *k;
145 
146 	for (k = kexalgs; k->name != NULL; k++) {
147 		if (strcmp(k->name, name) == 0)
148 			return k;
149 	}
150 	return NULL;
151 }
152 
153 /* Validate KEX method name list */
154 int
155 kex_names_valid(const char *names)
156 {
157 	char *s, *cp, *p;
158 
159 	if (names == NULL || strcmp(names, "") == 0)
160 		return 0;
161 	if ((s = cp = strdup(names)) == NULL)
162 		return 0;
163 	for ((p = strsep(&cp, ",")); p && *p != '\0';
164 	    (p = strsep(&cp, ","))) {
165 		if (kex_alg_by_name(p) == NULL) {
166 			error("Unsupported KEX algorithm \"%.100s\"", p);
167 			free(s);
168 			return 0;
169 		}
170 	}
171 	debug3("kex names ok: [%s]", names);
172 	free(s);
173 	return 1;
174 }
175 
176 /*
177  * Concatenate algorithm names, avoiding duplicates in the process.
178  * Caller must free returned string.
179  */
180 char *
181 kex_names_cat(const char *a, const char *b)
182 {
183 	char *ret = NULL, *tmp = NULL, *cp, *p, *m;
184 	size_t len;
185 
186 	if (a == NULL || *a == '\0')
187 		return strdup(b);
188 	if (b == NULL || *b == '\0')
189 		return strdup(a);
190 	if (strlen(b) > 1024*1024)
191 		return NULL;
192 	len = strlen(a) + strlen(b) + 2;
193 	if ((tmp = cp = strdup(b)) == NULL ||
194 	    (ret = calloc(1, len)) == NULL) {
195 		free(tmp);
196 		return NULL;
197 	}
198 	strlcpy(ret, a, len);
199 	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
200 		if ((m = match_list(ret, p, NULL)) != NULL) {
201 			free(m);
202 			continue; /* Algorithm already present */
203 		}
204 		if (strlcat(ret, ",", len) >= len ||
205 		    strlcat(ret, p, len) >= len) {
206 			free(tmp);
207 			free(ret);
208 			return NULL; /* Shouldn't happen */
209 		}
210 	}
211 	free(tmp);
212 	return ret;
213 }
214 
215 /*
216  * Assemble a list of algorithms from a default list and a string from a
217  * configuration file. The user-provided string may begin with '+' to
218  * indicate that it should be appended to the default, '-' that the
219  * specified names should be removed, or '^' that they should be placed
220  * at the head.
221  */
222 int
223 kex_assemble_names(char **listp, const char *def, const char *all)
224 {
225 	char *cp, *tmp, *patterns;
226 	char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
227 	int r = SSH_ERR_INTERNAL_ERROR;
228 
229 	if (listp == NULL || def == NULL || all == NULL)
230 		return SSH_ERR_INVALID_ARGUMENT;
231 
232 	if (*listp == NULL || **listp == '\0') {
233 		if ((*listp = strdup(def)) == NULL)
234 			return SSH_ERR_ALLOC_FAIL;
235 		return 0;
236 	}
237 
238 	list = *listp;
239 	*listp = NULL;
240 	if (*list == '+') {
241 		/* Append names to default list */
242 		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
243 			r = SSH_ERR_ALLOC_FAIL;
244 			goto fail;
245 		}
246 		free(list);
247 		list = tmp;
248 	} else if (*list == '-') {
249 		/* Remove names from default list */
250 		if ((*listp = match_filter_denylist(def, list + 1)) == NULL) {
251 			r = SSH_ERR_ALLOC_FAIL;
252 			goto fail;
253 		}
254 		free(list);
255 		/* filtering has already been done */
256 		return 0;
257 	} else if (*list == '^') {
258 		/* Place names at head of default list */
259 		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
260 			r = SSH_ERR_ALLOC_FAIL;
261 			goto fail;
262 		}
263 		free(list);
264 		list = tmp;
265 	} else {
266 		/* Explicit list, overrides default - just use "list" as is */
267 	}
268 
269 	/*
270 	 * The supplied names may be a pattern-list. For the -list case,
271 	 * the patterns are applied above. For the +list and explicit list
272 	 * cases we need to do it now.
273 	 */
274 	ret = NULL;
275 	if ((patterns = opatterns = strdup(list)) == NULL) {
276 		r = SSH_ERR_ALLOC_FAIL;
277 		goto fail;
278 	}
279 	/* Apply positive (i.e. non-negated) patterns from the list */
280 	while ((cp = strsep(&patterns, ",")) != NULL) {
281 		if (*cp == '!') {
282 			/* negated matches are not supported here */
283 			r = SSH_ERR_INVALID_ARGUMENT;
284 			goto fail;
285 		}
286 		free(matching);
287 		if ((matching = match_filter_allowlist(all, cp)) == NULL) {
288 			r = SSH_ERR_ALLOC_FAIL;
289 			goto fail;
290 		}
291 		if ((tmp = kex_names_cat(ret, matching)) == NULL) {
292 			r = SSH_ERR_ALLOC_FAIL;
293 			goto fail;
294 		}
295 		free(ret);
296 		ret = tmp;
297 	}
298 	if (ret == NULL || *ret == '\0') {
299 		/* An empty name-list is an error */
300 		/* XXX better error code? */
301 		r = SSH_ERR_INVALID_ARGUMENT;
302 		goto fail;
303 	}
304 
305 	/* success */
306 	*listp = ret;
307 	ret = NULL;
308 	r = 0;
309 
310  fail:
311 	free(matching);
312 	free(opatterns);
313 	free(list);
314 	free(ret);
315 	return r;
316 }
317 
318 /* put algorithm proposal into buffer */
319 int
320 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
321 {
322 	u_int i;
323 	int r;
324 
325 	sshbuf_reset(b);
326 
327 	/*
328 	 * add a dummy cookie, the cookie will be overwritten by
329 	 * kex_send_kexinit(), each time a kexinit is set
330 	 */
331 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
332 		if ((r = sshbuf_put_u8(b, 0)) != 0)
333 			return r;
334 	}
335 	for (i = 0; i < PROPOSAL_MAX; i++) {
336 		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
337 			return r;
338 	}
339 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
340 	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
341 		return r;
342 	return 0;
343 }
344 
345 /* parse buffer and return algorithm proposal */
346 int
347 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
348 {
349 	struct sshbuf *b = NULL;
350 	u_char v;
351 	u_int i;
352 	char **proposal = NULL;
353 	int r;
354 
355 	*propp = NULL;
356 	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
357 		return SSH_ERR_ALLOC_FAIL;
358 	if ((b = sshbuf_fromb(raw)) == NULL) {
359 		r = SSH_ERR_ALLOC_FAIL;
360 		goto out;
361 	}
362 	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */
363 		error_fr(r, "consume cookie");
364 		goto out;
365 	}
366 	/* extract kex init proposal strings */
367 	for (i = 0; i < PROPOSAL_MAX; i++) {
368 		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) {
369 			error_fr(r, "parse proposal %u", i);
370 			goto out;
371 		}
372 		debug2("%s: %s", proposal_names[i], proposal[i]);
373 	}
374 	/* first kex follows / reserved */
375 	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
376 	    (r = sshbuf_get_u32(b, &i)) != 0) {	/* reserved */
377 		error_fr(r, "parse");
378 		goto out;
379 	}
380 	if (first_kex_follows != NULL)
381 		*first_kex_follows = v;
382 	debug2("first_kex_follows %d ", v);
383 	debug2("reserved %u ", i);
384 	r = 0;
385 	*propp = proposal;
386  out:
387 	if (r != 0 && proposal != NULL)
388 		kex_prop_free(proposal);
389 	sshbuf_free(b);
390 	return r;
391 }
392 
393 void
394 kex_prop_free(char **proposal)
395 {
396 	u_int i;
397 
398 	if (proposal == NULL)
399 		return;
400 	for (i = 0; i < PROPOSAL_MAX; i++)
401 		free(proposal[i]);
402 	free(proposal);
403 }
404 
405 /* ARGSUSED */
406 static int
407 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
408 {
409 	int r;
410 
411 	error("kex protocol error: type %d seq %u", type, seq);
412 	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
413 	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
414 	    (r = sshpkt_send(ssh)) != 0)
415 		return r;
416 	return 0;
417 }
418 
419 static void
420 kex_reset_dispatch(struct ssh *ssh)
421 {
422 	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
423 	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
424 }
425 
426 static int
427 kex_send_ext_info(struct ssh *ssh)
428 {
429 	int r;
430 	char *algs;
431 
432 	debug("Sending SSH2_MSG_EXT_INFO");
433 	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
434 		return SSH_ERR_ALLOC_FAIL;
435 	/* XXX filter algs list by allowed pubkey/hostbased types */
436 	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
437 	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
438 	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
439 	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
440 	    (r = sshpkt_send(ssh)) != 0) {
441 		error_fr(r, "compose");
442 		goto out;
443 	}
444 	/* success */
445 	r = 0;
446  out:
447 	free(algs);
448 	return r;
449 }
450 
451 int
452 kex_send_newkeys(struct ssh *ssh)
453 {
454 	int r;
455 
456 	kex_reset_dispatch(ssh);
457 	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
458 	    (r = sshpkt_send(ssh)) != 0)
459 		return r;
460 	debug("SSH2_MSG_NEWKEYS sent");
461 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
462 	if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
463 		if ((r = kex_send_ext_info(ssh)) != 0)
464 			return r;
465 	debug("expecting SSH2_MSG_NEWKEYS");
466 	return 0;
467 }
468 
469 int
470 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
471 {
472 	struct kex *kex = ssh->kex;
473 	u_int32_t i, ninfo;
474 	char *name;
475 	u_char *val;
476 	size_t vlen;
477 	int r;
478 
479 	debug("SSH2_MSG_EXT_INFO received");
480 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
481 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
482 		return r;
483 	for (i = 0; i < ninfo; i++) {
484 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
485 			return r;
486 		if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
487 			free(name);
488 			return r;
489 		}
490 		if (strcmp(name, "server-sig-algs") == 0) {
491 			/* Ensure no \0 lurking in value */
492 			if (memchr(val, '\0', vlen) != NULL) {
493 				error_f("nul byte in %s", name);
494 				return SSH_ERR_INVALID_FORMAT;
495 			}
496 			debug_f("%s=<%s>", name, val);
497 			kex->server_sig_algs = val;
498 			val = NULL;
499 		} else
500 			debug_f("%s (unrecognised)", name);
501 		free(name);
502 		free(val);
503 	}
504 	return sshpkt_get_end(ssh);
505 }
506 
507 static int
508 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
509 {
510 	struct kex *kex = ssh->kex;
511 	int r;
512 
513 	debug("SSH2_MSG_NEWKEYS received");
514 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
515 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
516 	if ((r = sshpkt_get_end(ssh)) != 0)
517 		return r;
518 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
519 		return r;
520 	kex->done = 1;
521 	kex->flags &= ~KEX_INITIAL;
522 	sshbuf_reset(kex->peer);
523 	/* sshbuf_reset(kex->my); */
524 	kex->flags &= ~KEX_INIT_SENT;
525 	free(kex->name);
526 	kex->name = NULL;
527 	return 0;
528 }
529 
530 int
531 kex_send_kexinit(struct ssh *ssh)
532 {
533 	u_char *cookie;
534 	struct kex *kex = ssh->kex;
535 	int r;
536 
537 	if (kex == NULL) {
538 		error_f("no kex");
539 		return SSH_ERR_INTERNAL_ERROR;
540 	}
541 	if (kex->flags & KEX_INIT_SENT)
542 		return 0;
543 	kex->done = 0;
544 
545 	/* generate a random cookie */
546 	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) {
547 		error_f("bad kex length: %zu < %d",
548 		    sshbuf_len(kex->my), KEX_COOKIE_LEN);
549 		return SSH_ERR_INVALID_FORMAT;
550 	}
551 	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) {
552 		error_f("buffer error");
553 		return SSH_ERR_INTERNAL_ERROR;
554 	}
555 	arc4random_buf(cookie, KEX_COOKIE_LEN);
556 
557 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
558 	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
559 	    (r = sshpkt_send(ssh)) != 0) {
560 		error_fr(r, "compose reply");
561 		return r;
562 	}
563 	debug("SSH2_MSG_KEXINIT sent");
564 	kex->flags |= KEX_INIT_SENT;
565 	return 0;
566 }
567 
568 /* ARGSUSED */
569 int
570 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
571 {
572 	struct kex *kex = ssh->kex;
573 	const u_char *ptr;
574 	u_int i;
575 	size_t dlen;
576 	int r;
577 
578 	debug("SSH2_MSG_KEXINIT received");
579 	if (kex == NULL) {
580 		error_f("no kex");
581 		return SSH_ERR_INTERNAL_ERROR;
582 	}
583 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
584 	ptr = sshpkt_ptr(ssh, &dlen);
585 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
586 		return r;
587 
588 	/* discard packet */
589 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
590 		if ((r = sshpkt_get_u8(ssh, NULL)) != 0) {
591 			error_fr(r, "discard cookie");
592 			return r;
593 		}
594 	}
595 	for (i = 0; i < PROPOSAL_MAX; i++) {
596 		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
597 			error_fr(r, "discard proposal");
598 			return r;
599 		}
600 	}
601 	/*
602 	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
603 	 * KEX method has the server move first, but a server might be using
604 	 * a custom method or one that we otherwise don't support. We should
605 	 * be prepared to remember first_kex_follows here so we can eat a
606 	 * packet later.
607 	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
608 	 * for cases where the server *doesn't* go first. I guess we should
609 	 * ignore it when it is set for these cases, which is what we do now.
610 	 */
611 	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
612 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
613 	    (r = sshpkt_get_end(ssh)) != 0)
614 			return r;
615 
616 	if (!(kex->flags & KEX_INIT_SENT))
617 		if ((r = kex_send_kexinit(ssh)) != 0)
618 			return r;
619 	if ((r = kex_choose_conf(ssh)) != 0)
620 		return r;
621 
622 	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
623 		return (kex->kex[kex->kex_type])(ssh);
624 
625 	error_f("unknown kex type %u", kex->kex_type);
626 	return SSH_ERR_INTERNAL_ERROR;
627 }
628 
629 struct kex *
630 kex_new(void)
631 {
632 	struct kex *kex;
633 
634 	if ((kex = calloc(1, sizeof(*kex))) == NULL ||
635 	    (kex->peer = sshbuf_new()) == NULL ||
636 	    (kex->my = sshbuf_new()) == NULL ||
637 	    (kex->client_version = sshbuf_new()) == NULL ||
638 	    (kex->server_version = sshbuf_new()) == NULL) {
639 		kex_free(kex);
640 		return NULL;
641 	}
642 	return kex;
643 }
644 
645 void
646 kex_free_newkeys(struct newkeys *newkeys)
647 {
648 	if (newkeys == NULL)
649 		return;
650 	if (newkeys->enc.key) {
651 		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
652 		free(newkeys->enc.key);
653 		newkeys->enc.key = NULL;
654 	}
655 	if (newkeys->enc.iv) {
656 		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
657 		free(newkeys->enc.iv);
658 		newkeys->enc.iv = NULL;
659 	}
660 	free(newkeys->enc.name);
661 	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
662 	free(newkeys->comp.name);
663 	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
664 	mac_clear(&newkeys->mac);
665 	if (newkeys->mac.key) {
666 		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
667 		free(newkeys->mac.key);
668 		newkeys->mac.key = NULL;
669 	}
670 	free(newkeys->mac.name);
671 	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
672 	freezero(newkeys, sizeof(*newkeys));
673 }
674 
675 void
676 kex_free(struct kex *kex)
677 {
678 	u_int mode;
679 
680 	if (kex == NULL)
681 		return;
682 
683 #ifdef WITH_OPENSSL
684 	DH_free(kex->dh);
685 #ifdef OPENSSL_HAS_ECC
686 	EC_KEY_free(kex->ec_client_key);
687 #endif /* OPENSSL_HAS_ECC */
688 #endif /* WITH_OPENSSL */
689 	for (mode = 0; mode < MODE_MAX; mode++) {
690 		kex_free_newkeys(kex->newkeys[mode]);
691 		kex->newkeys[mode] = NULL;
692 	}
693 	sshbuf_free(kex->peer);
694 	sshbuf_free(kex->my);
695 	sshbuf_free(kex->client_version);
696 	sshbuf_free(kex->server_version);
697 	sshbuf_free(kex->client_pub);
698 	free(kex->session_id);
699 	free(kex->failed_choice);
700 	free(kex->hostkey_alg);
701 	free(kex->name);
702 	free(kex);
703 }
704 
705 int
706 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
707 {
708 	int r;
709 
710 	if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
711 		return r;
712 	ssh->kex->flags = KEX_INITIAL;
713 	kex_reset_dispatch(ssh);
714 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
715 	return 0;
716 }
717 
718 int
719 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
720 {
721 	int r;
722 
723 	if ((r = kex_ready(ssh, proposal)) != 0)
724 		return r;
725 	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
726 		kex_free(ssh->kex);
727 		ssh->kex = NULL;
728 		return r;
729 	}
730 	return 0;
731 }
732 
733 /*
734  * Request key re-exchange, returns 0 on success or a ssherr.h error
735  * code otherwise. Must not be called if KEX is incomplete or in-progress.
736  */
737 int
738 kex_start_rekex(struct ssh *ssh)
739 {
740 	if (ssh->kex == NULL) {
741 		error_f("no kex");
742 		return SSH_ERR_INTERNAL_ERROR;
743 	}
744 	if (ssh->kex->done == 0) {
745 		error_f("requested twice");
746 		return SSH_ERR_INTERNAL_ERROR;
747 	}
748 	ssh->kex->done = 0;
749 	return kex_send_kexinit(ssh);
750 }
751 
752 static int
753 choose_enc(struct sshenc *enc, char *client, char *server)
754 {
755 	char *name = match_list(client, server, NULL);
756 
757 	if (name == NULL)
758 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
759 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
760 		error_f("unsupported cipher %s", name);
761 		free(name);
762 		return SSH_ERR_INTERNAL_ERROR;
763 	}
764 	enc->name = name;
765 	enc->enabled = 0;
766 	enc->iv = NULL;
767 	enc->iv_len = cipher_ivlen(enc->cipher);
768 	enc->key = NULL;
769 	enc->key_len = cipher_keylen(enc->cipher);
770 	enc->block_size = cipher_blocksize(enc->cipher);
771 	return 0;
772 }
773 
774 static int
775 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
776 {
777 	char *name = match_list(client, server, NULL);
778 
779 	if (name == NULL)
780 		return SSH_ERR_NO_MAC_ALG_MATCH;
781 	if (mac_setup(mac, name) < 0) {
782 		error_f("unsupported MAC %s", name);
783 		free(name);
784 		return SSH_ERR_INTERNAL_ERROR;
785 	}
786 	mac->name = name;
787 	mac->key = NULL;
788 	mac->enabled = 0;
789 	return 0;
790 }
791 
792 static int
793 choose_comp(struct sshcomp *comp, char *client, char *server)
794 {
795 	char *name = match_list(client, server, NULL);
796 
797 	if (name == NULL)
798 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
799 #ifdef WITH_ZLIB
800 	if (strcmp(name, "zlib@openssh.com") == 0) {
801 		comp->type = COMP_DELAYED;
802 	} else if (strcmp(name, "zlib") == 0) {
803 		comp->type = COMP_ZLIB;
804 	} else
805 #endif	/* WITH_ZLIB */
806 	if (strcmp(name, "none") == 0) {
807 		comp->type = COMP_NONE;
808 	} else {
809 		error_f("unsupported compression scheme %s", name);
810 		free(name);
811 		return SSH_ERR_INTERNAL_ERROR;
812 	}
813 	comp->name = name;
814 	return 0;
815 }
816 
817 static int
818 choose_kex(struct kex *k, char *client, char *server)
819 {
820 	const struct kexalg *kexalg;
821 
822 	k->name = match_list(client, server, NULL);
823 
824 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
825 	if (k->name == NULL)
826 		return SSH_ERR_NO_KEX_ALG_MATCH;
827 	if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
828 		error_f("unsupported KEX method %s", k->name);
829 		return SSH_ERR_INTERNAL_ERROR;
830 	}
831 	k->kex_type = kexalg->type;
832 	k->hash_alg = kexalg->hash_alg;
833 	k->ec_nid = kexalg->ec_nid;
834 	return 0;
835 }
836 
837 static int
838 choose_hostkeyalg(struct kex *k, char *client, char *server)
839 {
840 	free(k->hostkey_alg);
841 	k->hostkey_alg = match_list(client, server, NULL);
842 
843 	debug("kex: host key algorithm: %s",
844 	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
845 	if (k->hostkey_alg == NULL)
846 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
847 	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
848 	if (k->hostkey_type == KEY_UNSPEC) {
849 		error_f("unsupported hostkey algorithm %s", k->hostkey_alg);
850 		return SSH_ERR_INTERNAL_ERROR;
851 	}
852 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
853 	return 0;
854 }
855 
856 static int
857 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
858 {
859 	static int check[] = {
860 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
861 	};
862 	int *idx;
863 	char *p;
864 
865 	for (idx = &check[0]; *idx != -1; idx++) {
866 		if ((p = strchr(my[*idx], ',')) != NULL)
867 			*p = '\0';
868 		if ((p = strchr(peer[*idx], ',')) != NULL)
869 			*p = '\0';
870 		if (strcmp(my[*idx], peer[*idx]) != 0) {
871 			debug2("proposal mismatch: my %s peer %s",
872 			    my[*idx], peer[*idx]);
873 			return (0);
874 		}
875 	}
876 	debug2("proposals match");
877 	return (1);
878 }
879 
880 static int
881 kex_choose_conf(struct ssh *ssh)
882 {
883 	struct kex *kex = ssh->kex;
884 	struct newkeys *newkeys;
885 	char **my = NULL, **peer = NULL;
886 	char **cprop, **sprop;
887 	int nenc, nmac, ncomp;
888 	u_int mode, ctos, need, dh_need, authlen;
889 	int r, first_kex_follows;
890 
891 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
892 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
893 		goto out;
894 	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
895 	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
896 		goto out;
897 
898 	if (kex->server) {
899 		cprop=peer;
900 		sprop=my;
901 	} else {
902 		cprop=my;
903 		sprop=peer;
904 	}
905 
906 	/* Check whether client supports ext_info_c */
907 	if (kex->server && (kex->flags & KEX_INITIAL)) {
908 		char *ext;
909 
910 		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
911 		kex->ext_info_c = (ext != NULL);
912 		free(ext);
913 	}
914 
915 	/* Algorithm Negotiation */
916 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
917 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
918 		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
919 		peer[PROPOSAL_KEX_ALGS] = NULL;
920 		goto out;
921 	}
922 	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
923 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
924 		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
925 		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
926 		goto out;
927 	}
928 	for (mode = 0; mode < MODE_MAX; mode++) {
929 		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
930 			r = SSH_ERR_ALLOC_FAIL;
931 			goto out;
932 		}
933 		kex->newkeys[mode] = newkeys;
934 		ctos = (!kex->server && mode == MODE_OUT) ||
935 		    (kex->server && mode == MODE_IN);
936 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
937 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
938 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
939 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
940 		    sprop[nenc])) != 0) {
941 			kex->failed_choice = peer[nenc];
942 			peer[nenc] = NULL;
943 			goto out;
944 		}
945 		authlen = cipher_authlen(newkeys->enc.cipher);
946 		/* ignore mac for authenticated encryption */
947 		if (authlen == 0 &&
948 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
949 		    sprop[nmac])) != 0) {
950 			kex->failed_choice = peer[nmac];
951 			peer[nmac] = NULL;
952 			goto out;
953 		}
954 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
955 		    sprop[ncomp])) != 0) {
956 			kex->failed_choice = peer[ncomp];
957 			peer[ncomp] = NULL;
958 			goto out;
959 		}
960 		debug("kex: %s cipher: %s MAC: %s compression: %s",
961 		    ctos ? "client->server" : "server->client",
962 		    newkeys->enc.name,
963 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
964 		    newkeys->comp.name);
965 	}
966 	need = dh_need = 0;
967 	for (mode = 0; mode < MODE_MAX; mode++) {
968 		newkeys = kex->newkeys[mode];
969 		need = MAXIMUM(need, newkeys->enc.key_len);
970 		need = MAXIMUM(need, newkeys->enc.block_size);
971 		need = MAXIMUM(need, newkeys->enc.iv_len);
972 		need = MAXIMUM(need, newkeys->mac.key_len);
973 		dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
974 		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
975 		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
976 		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
977 	}
978 	/* XXX need runden? */
979 	kex->we_need = need;
980 	kex->dh_need = dh_need;
981 
982 	/* ignore the next message if the proposals do not match */
983 	if (first_kex_follows && !proposals_match(my, peer))
984 		ssh->dispatch_skip_packets = 1;
985 	r = 0;
986  out:
987 	kex_prop_free(my);
988 	kex_prop_free(peer);
989 	return r;
990 }
991 
992 static int
993 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
994     const struct sshbuf *shared_secret, u_char **keyp)
995 {
996 	struct kex *kex = ssh->kex;
997 	struct ssh_digest_ctx *hashctx = NULL;
998 	char c = id;
999 	u_int have;
1000 	size_t mdsz;
1001 	u_char *digest;
1002 	int r;
1003 
1004 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
1005 		return SSH_ERR_INVALID_ARGUMENT;
1006 	if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
1007 		r = SSH_ERR_ALLOC_FAIL;
1008 		goto out;
1009 	}
1010 
1011 	/* K1 = HASH(K || H || "A" || session_id) */
1012 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1013 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1014 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1015 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
1016 	    ssh_digest_update(hashctx, kex->session_id,
1017 	    kex->session_id_len) != 0 ||
1018 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
1019 		r = SSH_ERR_LIBCRYPTO_ERROR;
1020 		error_f("KEX hash failed");
1021 		goto out;
1022 	}
1023 	ssh_digest_free(hashctx);
1024 	hashctx = NULL;
1025 
1026 	/*
1027 	 * expand key:
1028 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
1029 	 * Key = K1 || K2 || ... || Kn
1030 	 */
1031 	for (have = mdsz; need > have; have += mdsz) {
1032 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1033 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1034 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1035 		    ssh_digest_update(hashctx, digest, have) != 0 ||
1036 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
1037 			error_f("KDF failed");
1038 			r = SSH_ERR_LIBCRYPTO_ERROR;
1039 			goto out;
1040 		}
1041 		ssh_digest_free(hashctx);
1042 		hashctx = NULL;
1043 	}
1044 #ifdef DEBUG_KEX
1045 	fprintf(stderr, "key '%c'== ", c);
1046 	dump_digest("key", digest, need);
1047 #endif
1048 	*keyp = digest;
1049 	digest = NULL;
1050 	r = 0;
1051  out:
1052 	free(digest);
1053 	ssh_digest_free(hashctx);
1054 	return r;
1055 }
1056 
1057 #define NKEYS	6
1058 int
1059 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
1060     const struct sshbuf *shared_secret)
1061 {
1062 	struct kex *kex = ssh->kex;
1063 	u_char *keys[NKEYS];
1064 	u_int i, j, mode, ctos;
1065 	int r;
1066 
1067 	/* save initial hash as session id */
1068 	if (kex->session_id == NULL) {
1069 		kex->session_id_len = hashlen;
1070 		kex->session_id = malloc(kex->session_id_len);
1071 		if (kex->session_id == NULL)
1072 			return SSH_ERR_ALLOC_FAIL;
1073 		memcpy(kex->session_id, hash, kex->session_id_len);
1074 	}
1075 	for (i = 0; i < NKEYS; i++) {
1076 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1077 		    shared_secret, &keys[i])) != 0) {
1078 			for (j = 0; j < i; j++)
1079 				free(keys[j]);
1080 			return r;
1081 		}
1082 	}
1083 	for (mode = 0; mode < MODE_MAX; mode++) {
1084 		ctos = (!kex->server && mode == MODE_OUT) ||
1085 		    (kex->server && mode == MODE_IN);
1086 		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
1087 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1088 		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1089 	}
1090 	return 0;
1091 }
1092 
1093 int
1094 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
1095 {
1096 	struct kex *kex = ssh->kex;
1097 
1098 	*pubp = NULL;
1099 	*prvp = NULL;
1100 	if (kex->load_host_public_key == NULL ||
1101 	    kex->load_host_private_key == NULL) {
1102 		error_f("missing hostkey loader");
1103 		return SSH_ERR_INVALID_ARGUMENT;
1104 	}
1105 	*pubp = kex->load_host_public_key(kex->hostkey_type,
1106 	    kex->hostkey_nid, ssh);
1107 	*prvp = kex->load_host_private_key(kex->hostkey_type,
1108 	    kex->hostkey_nid, ssh);
1109 	if (*pubp == NULL)
1110 		return SSH_ERR_NO_HOSTKEY_LOADED;
1111 	return 0;
1112 }
1113 
1114 int
1115 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
1116 {
1117 	struct kex *kex = ssh->kex;
1118 
1119 	if (kex->verify_host_key == NULL) {
1120 		error_f("missing hostkey verifier");
1121 		return SSH_ERR_INVALID_ARGUMENT;
1122 	}
1123 	if (server_host_key->type != kex->hostkey_type ||
1124 	    (kex->hostkey_type == KEY_ECDSA &&
1125 	    server_host_key->ecdsa_nid != kex->hostkey_nid))
1126 		return SSH_ERR_KEY_TYPE_MISMATCH;
1127 	if (kex->verify_host_key(server_host_key, ssh) == -1)
1128 		return  SSH_ERR_SIGNATURE_INVALID;
1129 	return 0;
1130 }
1131 
1132 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1133 void
1134 dump_digest(const char *msg, const u_char *digest, int len)
1135 {
1136 	fprintf(stderr, "%s\n", msg);
1137 	sshbuf_dump_data(digest, len, stderr);
1138 }
1139 #endif
1140 
1141 /*
1142  * Send a plaintext error message to the peer, suffixed by \r\n.
1143  * Only used during banner exchange, and there only for the server.
1144  */
1145 static void
1146 send_error(struct ssh *ssh, char *msg)
1147 {
1148 	char *crnl = "\r\n";
1149 
1150 	if (!ssh->kex->server)
1151 		return;
1152 
1153 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1154 	    msg, strlen(msg)) != strlen(msg) ||
1155 	    atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1156 	    crnl, strlen(crnl)) != strlen(crnl))
1157 		error_f("write: %.100s", strerror(errno));
1158 }
1159 
1160 /*
1161  * Sends our identification string and waits for the peer's. Will block for
1162  * up to timeout_ms (or indefinitely if timeout_ms <= 0).
1163  * Returns on 0 success or a ssherr.h code on failure.
1164  */
1165 int
1166 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
1167     const char *version_addendum)
1168 {
1169 	int remote_major, remote_minor, mismatch, oerrno = 0;
1170 	size_t len, i, n;
1171 	int r, expect_nl;
1172 	u_char c;
1173 	struct sshbuf *our_version = ssh->kex->server ?
1174 	    ssh->kex->server_version : ssh->kex->client_version;
1175 	struct sshbuf *peer_version = ssh->kex->server ?
1176 	    ssh->kex->client_version : ssh->kex->server_version;
1177 	char *our_version_string = NULL, *peer_version_string = NULL;
1178 	char *cp, *remote_version = NULL;
1179 
1180 	/* Prepare and send our banner */
1181 	sshbuf_reset(our_version);
1182 	if (version_addendum != NULL && *version_addendum == '\0')
1183 		version_addendum = NULL;
1184 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
1185 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
1186 	    version_addendum == NULL ? "" : " ",
1187 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
1188 		oerrno = errno;
1189 		error_fr(r, "sshbuf_putf");
1190 		goto out;
1191 	}
1192 
1193 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1194 	    sshbuf_mutable_ptr(our_version),
1195 	    sshbuf_len(our_version)) != sshbuf_len(our_version)) {
1196 		oerrno = errno;
1197 		debug_f("write: %.100s", strerror(errno));
1198 		r = SSH_ERR_SYSTEM_ERROR;
1199 		goto out;
1200 	}
1201 	if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
1202 		oerrno = errno;
1203 		error_fr(r, "sshbuf_consume_end");
1204 		goto out;
1205 	}
1206 	our_version_string = sshbuf_dup_string(our_version);
1207 	if (our_version_string == NULL) {
1208 		error_f("sshbuf_dup_string failed");
1209 		r = SSH_ERR_ALLOC_FAIL;
1210 		goto out;
1211 	}
1212 	debug("Local version string %.100s", our_version_string);
1213 
1214 	/* Read other side's version identification. */
1215 	for (n = 0; ; n++) {
1216 		if (n >= SSH_MAX_PRE_BANNER_LINES) {
1217 			send_error(ssh, "No SSH identification string "
1218 			    "received.");
1219 			error_f("No SSH version received in first %u lines "
1220 			    "from server", SSH_MAX_PRE_BANNER_LINES);
1221 			r = SSH_ERR_INVALID_FORMAT;
1222 			goto out;
1223 		}
1224 		sshbuf_reset(peer_version);
1225 		expect_nl = 0;
1226 		for (i = 0; ; i++) {
1227 			if (timeout_ms > 0) {
1228 				r = waitrfd(ssh_packet_get_connection_in(ssh),
1229 				    &timeout_ms);
1230 				if (r == -1 && errno == ETIMEDOUT) {
1231 					send_error(ssh, "Timed out waiting "
1232 					    "for SSH identification string.");
1233 					error("Connection timed out during "
1234 					    "banner exchange");
1235 					r = SSH_ERR_CONN_TIMEOUT;
1236 					goto out;
1237 				} else if (r == -1) {
1238 					oerrno = errno;
1239 					error_f("%s", strerror(errno));
1240 					r = SSH_ERR_SYSTEM_ERROR;
1241 					goto out;
1242 				}
1243 			}
1244 
1245 			len = atomicio(read, ssh_packet_get_connection_in(ssh),
1246 			    &c, 1);
1247 			if (len != 1 && errno == EPIPE) {
1248 				error_f("Connection closed by remote host");
1249 				r = SSH_ERR_CONN_CLOSED;
1250 				goto out;
1251 			} else if (len != 1) {
1252 				oerrno = errno;
1253 				error_f("read: %.100s", strerror(errno));
1254 				r = SSH_ERR_SYSTEM_ERROR;
1255 				goto out;
1256 			}
1257 			if (c == '\r') {
1258 				expect_nl = 1;
1259 				continue;
1260 			}
1261 			if (c == '\n')
1262 				break;
1263 			if (c == '\0' || expect_nl) {
1264 				error_f("banner line contains invalid "
1265 				    "characters");
1266 				goto invalid;
1267 			}
1268 			if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
1269 				oerrno = errno;
1270 				error_fr(r, "sshbuf_put");
1271 				goto out;
1272 			}
1273 			if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
1274 				error_f("banner line too long");
1275 				goto invalid;
1276 			}
1277 		}
1278 		/* Is this an actual protocol banner? */
1279 		if (sshbuf_len(peer_version) > 4 &&
1280 		    memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
1281 			break;
1282 		/* If not, then just log the line and continue */
1283 		if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
1284 			error_f("sshbuf_dup_string failed");
1285 			r = SSH_ERR_ALLOC_FAIL;
1286 			goto out;
1287 		}
1288 		/* Do not accept lines before the SSH ident from a client */
1289 		if (ssh->kex->server) {
1290 			error_f("client sent invalid protocol identifier "
1291 			    "\"%.256s\"", cp);
1292 			free(cp);
1293 			goto invalid;
1294 		}
1295 		debug_f("banner line %zu: %s", n, cp);
1296 		free(cp);
1297 	}
1298 	peer_version_string = sshbuf_dup_string(peer_version);
1299 	if (peer_version_string == NULL)
1300 		error_f("sshbuf_dup_string failed");
1301 	/* XXX must be same size for sscanf */
1302 	if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
1303 		error_f("calloc failed");
1304 		r = SSH_ERR_ALLOC_FAIL;
1305 		goto out;
1306 	}
1307 
1308 	/*
1309 	 * Check that the versions match.  In future this might accept
1310 	 * several versions and set appropriate flags to handle them.
1311 	 */
1312 	if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
1313 	    &remote_major, &remote_minor, remote_version) != 3) {
1314 		error("Bad remote protocol version identification: '%.100s'",
1315 		    peer_version_string);
1316  invalid:
1317 		send_error(ssh, "Invalid SSH identification string.");
1318 		r = SSH_ERR_INVALID_FORMAT;
1319 		goto out;
1320 	}
1321 	debug("Remote protocol version %d.%d, remote software version %.100s",
1322 	    remote_major, remote_minor, remote_version);
1323 	ssh->compat = compat_datafellows(remote_version);
1324 
1325 	mismatch = 0;
1326 	switch (remote_major) {
1327 	case 2:
1328 		break;
1329 	case 1:
1330 		if (remote_minor != 99)
1331 			mismatch = 1;
1332 		break;
1333 	default:
1334 		mismatch = 1;
1335 		break;
1336 	}
1337 	if (mismatch) {
1338 		error("Protocol major versions differ: %d vs. %d",
1339 		    PROTOCOL_MAJOR_2, remote_major);
1340 		send_error(ssh, "Protocol major versions differ.");
1341 		r = SSH_ERR_NO_PROTOCOL_VERSION;
1342 		goto out;
1343 	}
1344 
1345 	if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
1346 		logit("probed from %s port %d with %s.  Don't panic.",
1347 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1348 		    peer_version_string);
1349 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1350 		goto out;
1351 	}
1352 	if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
1353 		logit("scanned from %s port %d with %s.  Don't panic.",
1354 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1355 		    peer_version_string);
1356 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1357 		goto out;
1358 	}
1359 	if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
1360 		logit("Remote version \"%.100s\" uses unsafe RSA signature "
1361 		    "scheme; disabling use of RSA keys", remote_version);
1362 	}
1363 	/* success */
1364 	r = 0;
1365  out:
1366 	free(our_version_string);
1367 	free(peer_version_string);
1368 	free(remote_version);
1369 	if (r == SSH_ERR_SYSTEM_ERROR)
1370 		errno = oerrno;
1371 	return r;
1372 }
1373 
1374