xref: /openssh-portable/kex.c (revision 6fc7e1c6)
1 /* $OpenBSD: kex.c,v 1.155 2019/10/08 22:40:39 dtucker Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 #include <sys/types.h>
29 #include <errno.h>
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #ifdef HAVE_POLL_H
37 #include <poll.h>
38 #endif
39 
40 #ifdef WITH_OPENSSL
41 #include <openssl/crypto.h>
42 #include <openssl/dh.h>
43 #endif
44 
45 #include "ssh.h"
46 #include "ssh2.h"
47 #include "atomicio.h"
48 #include "version.h"
49 #include "packet.h"
50 #include "compat.h"
51 #include "cipher.h"
52 #include "sshkey.h"
53 #include "kex.h"
54 #include "log.h"
55 #include "mac.h"
56 #include "match.h"
57 #include "misc.h"
58 #include "dispatch.h"
59 #include "monitor.h"
60 
61 #include "ssherr.h"
62 #include "sshbuf.h"
63 #include "digest.h"
64 
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
68 
69 static const char *proposal_names[PROPOSAL_MAX] = {
70 	"KEX algorithms",
71 	"host key algorithms",
72 	"ciphers ctos",
73 	"ciphers stoc",
74 	"MACs ctos",
75 	"MACs stoc",
76 	"compression ctos",
77 	"compression stoc",
78 	"languages ctos",
79 	"languages stoc",
80 };
81 
82 struct kexalg {
83 	char *name;
84 	u_int type;
85 	int ec_nid;
86 	int hash_alg;
87 };
88 static const struct kexalg kexalgs[] = {
89 #ifdef WITH_OPENSSL
90 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
91 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
92 	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
93 	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
94 	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
95 	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
96 #ifdef HAVE_EVP_SHA256
97 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
98 #endif /* HAVE_EVP_SHA256 */
99 #ifdef OPENSSL_HAS_ECC
100 	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
101 	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
102 	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
103 	    SSH_DIGEST_SHA384 },
104 # ifdef OPENSSL_HAS_NISTP521
105 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
106 	    SSH_DIGEST_SHA512 },
107 # endif /* OPENSSL_HAS_NISTP521 */
108 #endif /* OPENSSL_HAS_ECC */
109 #endif /* WITH_OPENSSL */
110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
111 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
112 	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
113 	{ KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0,
114 	    SSH_DIGEST_SHA512 },
115 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
116 	{ NULL, 0, -1, -1},
117 };
118 
119 char *
120 kex_alg_list(char sep)
121 {
122 	char *ret = NULL, *tmp;
123 	size_t nlen, rlen = 0;
124 	const struct kexalg *k;
125 
126 	for (k = kexalgs; k->name != NULL; k++) {
127 		if (ret != NULL)
128 			ret[rlen++] = sep;
129 		nlen = strlen(k->name);
130 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
131 			free(ret);
132 			return NULL;
133 		}
134 		ret = tmp;
135 		memcpy(ret + rlen, k->name, nlen + 1);
136 		rlen += nlen;
137 	}
138 	return ret;
139 }
140 
141 static const struct kexalg *
142 kex_alg_by_name(const char *name)
143 {
144 	const struct kexalg *k;
145 
146 	for (k = kexalgs; k->name != NULL; k++) {
147 		if (strcmp(k->name, name) == 0)
148 			return k;
149 	}
150 	return NULL;
151 }
152 
153 /* Validate KEX method name list */
154 int
155 kex_names_valid(const char *names)
156 {
157 	char *s, *cp, *p;
158 
159 	if (names == NULL || strcmp(names, "") == 0)
160 		return 0;
161 	if ((s = cp = strdup(names)) == NULL)
162 		return 0;
163 	for ((p = strsep(&cp, ",")); p && *p != '\0';
164 	    (p = strsep(&cp, ","))) {
165 		if (kex_alg_by_name(p) == NULL) {
166 			error("Unsupported KEX algorithm \"%.100s\"", p);
167 			free(s);
168 			return 0;
169 		}
170 	}
171 	debug3("kex names ok: [%s]", names);
172 	free(s);
173 	return 1;
174 }
175 
176 /*
177  * Concatenate algorithm names, avoiding duplicates in the process.
178  * Caller must free returned string.
179  */
180 char *
181 kex_names_cat(const char *a, const char *b)
182 {
183 	char *ret = NULL, *tmp = NULL, *cp, *p, *m;
184 	size_t len;
185 
186 	if (a == NULL || *a == '\0')
187 		return strdup(b);
188 	if (b == NULL || *b == '\0')
189 		return strdup(a);
190 	if (strlen(b) > 1024*1024)
191 		return NULL;
192 	len = strlen(a) + strlen(b) + 2;
193 	if ((tmp = cp = strdup(b)) == NULL ||
194 	    (ret = calloc(1, len)) == NULL) {
195 		free(tmp);
196 		return NULL;
197 	}
198 	strlcpy(ret, a, len);
199 	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
200 		if ((m = match_list(ret, p, NULL)) != NULL) {
201 			free(m);
202 			continue; /* Algorithm already present */
203 		}
204 		if (strlcat(ret, ",", len) >= len ||
205 		    strlcat(ret, p, len) >= len) {
206 			free(tmp);
207 			free(ret);
208 			return NULL; /* Shouldn't happen */
209 		}
210 	}
211 	free(tmp);
212 	return ret;
213 }
214 
215 /*
216  * Assemble a list of algorithms from a default list and a string from a
217  * configuration file. The user-provided string may begin with '+' to
218  * indicate that it should be appended to the default, '-' that the
219  * specified names should be removed, or '^' that they should be placed
220  * at the head.
221  */
222 int
223 kex_assemble_names(char **listp, const char *def, const char *all)
224 {
225 	char *cp, *tmp, *patterns;
226 	char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
227 	int r = SSH_ERR_INTERNAL_ERROR;
228 
229 	if (listp == NULL || def == NULL || all == NULL)
230 		return SSH_ERR_INVALID_ARGUMENT;
231 
232 	if (*listp == NULL || **listp == '\0') {
233 		if ((*listp = strdup(def)) == NULL)
234 			return SSH_ERR_ALLOC_FAIL;
235 		return 0;
236 	}
237 
238 	list = *listp;
239 	*listp = NULL;
240 	if (*list == '+') {
241 		/* Append names to default list */
242 		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
243 			r = SSH_ERR_ALLOC_FAIL;
244 			goto fail;
245 		}
246 		free(list);
247 		list = tmp;
248 	} else if (*list == '-') {
249 		/* Remove names from default list */
250 		if ((*listp = match_filter_blacklist(def, list + 1)) == NULL) {
251 			r = SSH_ERR_ALLOC_FAIL;
252 			goto fail;
253 		}
254 		free(list);
255 		/* filtering has already been done */
256 		return 0;
257 	} else if (*list == '^') {
258 		/* Place names at head of default list */
259 		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
260 			r = SSH_ERR_ALLOC_FAIL;
261 			goto fail;
262 		}
263 		free(list);
264 		list = tmp;
265 	} else {
266 		/* Explicit list, overrides default - just use "list" as is */
267 	}
268 
269 	/*
270 	 * The supplied names may be a pattern-list. For the -list case,
271 	 * the patterns are applied above. For the +list and explicit list
272 	 * cases we need to do it now.
273 	 */
274 	ret = NULL;
275 	if ((patterns = opatterns = strdup(list)) == NULL) {
276 		r = SSH_ERR_ALLOC_FAIL;
277 		goto fail;
278 	}
279 	/* Apply positive (i.e. non-negated) patterns from the list */
280 	while ((cp = strsep(&patterns, ",")) != NULL) {
281 		if (*cp == '!') {
282 			/* negated matches are not supported here */
283 			r = SSH_ERR_INVALID_ARGUMENT;
284 			goto fail;
285 		}
286 		free(matching);
287 		if ((matching = match_filter_whitelist(all, cp)) == NULL) {
288 			r = SSH_ERR_ALLOC_FAIL;
289 			goto fail;
290 		}
291 		if ((tmp = kex_names_cat(ret, matching)) == NULL) {
292 			r = SSH_ERR_ALLOC_FAIL;
293 			goto fail;
294 		}
295 		free(ret);
296 		ret = tmp;
297 	}
298 	if (ret == NULL || *ret == '\0') {
299 		/* An empty name-list is an error */
300 		/* XXX better error code? */
301 		r = SSH_ERR_INVALID_ARGUMENT;
302 		goto fail;
303 	}
304 
305 	/* success */
306 	*listp = ret;
307 	ret = NULL;
308 	r = 0;
309 
310  fail:
311 	free(matching);
312 	free(opatterns);
313 	free(list);
314 	free(ret);
315 	return r;
316 }
317 
318 /* put algorithm proposal into buffer */
319 int
320 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
321 {
322 	u_int i;
323 	int r;
324 
325 	sshbuf_reset(b);
326 
327 	/*
328 	 * add a dummy cookie, the cookie will be overwritten by
329 	 * kex_send_kexinit(), each time a kexinit is set
330 	 */
331 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
332 		if ((r = sshbuf_put_u8(b, 0)) != 0)
333 			return r;
334 	}
335 	for (i = 0; i < PROPOSAL_MAX; i++) {
336 		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
337 			return r;
338 	}
339 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
340 	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
341 		return r;
342 	return 0;
343 }
344 
345 /* parse buffer and return algorithm proposal */
346 int
347 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
348 {
349 	struct sshbuf *b = NULL;
350 	u_char v;
351 	u_int i;
352 	char **proposal = NULL;
353 	int r;
354 
355 	*propp = NULL;
356 	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
357 		return SSH_ERR_ALLOC_FAIL;
358 	if ((b = sshbuf_fromb(raw)) == NULL) {
359 		r = SSH_ERR_ALLOC_FAIL;
360 		goto out;
361 	}
362 	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */
363 		error("%s: consume cookie: %s", __func__, ssh_err(r));
364 		goto out;
365 	}
366 	/* extract kex init proposal strings */
367 	for (i = 0; i < PROPOSAL_MAX; i++) {
368 		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) {
369 			error("%s: parse proposal %u: %s", __func__,
370 			    i, ssh_err(r));
371 			goto out;
372 		}
373 		debug2("%s: %s", proposal_names[i], proposal[i]);
374 	}
375 	/* first kex follows / reserved */
376 	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
377 	    (r = sshbuf_get_u32(b, &i)) != 0) {	/* reserved */
378 		error("%s: parse: %s", __func__, ssh_err(r));
379 		goto out;
380 	}
381 	if (first_kex_follows != NULL)
382 		*first_kex_follows = v;
383 	debug2("first_kex_follows %d ", v);
384 	debug2("reserved %u ", i);
385 	r = 0;
386 	*propp = proposal;
387  out:
388 	if (r != 0 && proposal != NULL)
389 		kex_prop_free(proposal);
390 	sshbuf_free(b);
391 	return r;
392 }
393 
394 void
395 kex_prop_free(char **proposal)
396 {
397 	u_int i;
398 
399 	if (proposal == NULL)
400 		return;
401 	for (i = 0; i < PROPOSAL_MAX; i++)
402 		free(proposal[i]);
403 	free(proposal);
404 }
405 
406 /* ARGSUSED */
407 static int
408 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
409 {
410 	int r;
411 
412 	error("kex protocol error: type %d seq %u", type, seq);
413 	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
414 	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
415 	    (r = sshpkt_send(ssh)) != 0)
416 		return r;
417 	return 0;
418 }
419 
420 static void
421 kex_reset_dispatch(struct ssh *ssh)
422 {
423 	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
424 	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
425 }
426 
427 static int
428 kex_send_ext_info(struct ssh *ssh)
429 {
430 	int r;
431 	char *algs;
432 
433 	debug("Sending SSH2_MSG_EXT_INFO");
434 	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
435 		return SSH_ERR_ALLOC_FAIL;
436 	/* XXX filter algs list by allowed pubkey/hostbased types */
437 	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
438 	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
439 	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
440 	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
441 	    (r = sshpkt_send(ssh)) != 0) {
442 		error("%s: compose: %s", __func__, ssh_err(r));
443 		goto out;
444 	}
445 	/* success */
446 	r = 0;
447  out:
448 	free(algs);
449 	return r;
450 }
451 
452 int
453 kex_send_newkeys(struct ssh *ssh)
454 {
455 	int r;
456 
457 	kex_reset_dispatch(ssh);
458 	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
459 	    (r = sshpkt_send(ssh)) != 0)
460 		return r;
461 	debug("SSH2_MSG_NEWKEYS sent");
462 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
463 	if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
464 		if ((r = kex_send_ext_info(ssh)) != 0)
465 			return r;
466 	debug("expecting SSH2_MSG_NEWKEYS");
467 	return 0;
468 }
469 
470 int
471 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
472 {
473 	struct kex *kex = ssh->kex;
474 	u_int32_t i, ninfo;
475 	char *name;
476 	u_char *val;
477 	size_t vlen;
478 	int r;
479 
480 	debug("SSH2_MSG_EXT_INFO received");
481 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
482 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
483 		return r;
484 	for (i = 0; i < ninfo; i++) {
485 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
486 			return r;
487 		if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
488 			free(name);
489 			return r;
490 		}
491 		if (strcmp(name, "server-sig-algs") == 0) {
492 			/* Ensure no \0 lurking in value */
493 			if (memchr(val, '\0', vlen) != NULL) {
494 				error("%s: nul byte in %s", __func__, name);
495 				return SSH_ERR_INVALID_FORMAT;
496 			}
497 			debug("%s: %s=<%s>", __func__, name, val);
498 			kex->server_sig_algs = val;
499 			val = NULL;
500 		} else
501 			debug("%s: %s (unrecognised)", __func__, name);
502 		free(name);
503 		free(val);
504 	}
505 	return sshpkt_get_end(ssh);
506 }
507 
508 static int
509 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
510 {
511 	struct kex *kex = ssh->kex;
512 	int r;
513 
514 	debug("SSH2_MSG_NEWKEYS received");
515 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
516 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
517 	if ((r = sshpkt_get_end(ssh)) != 0)
518 		return r;
519 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
520 		return r;
521 	kex->done = 1;
522 	kex->flags &= ~KEX_INITIAL;
523 	sshbuf_reset(kex->peer);
524 	/* sshbuf_reset(kex->my); */
525 	kex->flags &= ~KEX_INIT_SENT;
526 	free(kex->name);
527 	kex->name = NULL;
528 	return 0;
529 }
530 
531 int
532 kex_send_kexinit(struct ssh *ssh)
533 {
534 	u_char *cookie;
535 	struct kex *kex = ssh->kex;
536 	int r;
537 
538 	if (kex == NULL) {
539 		error("%s: no hex", __func__);
540 		return SSH_ERR_INTERNAL_ERROR;
541 	}
542 	if (kex->flags & KEX_INIT_SENT)
543 		return 0;
544 	kex->done = 0;
545 
546 	/* generate a random cookie */
547 	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) {
548 		error("%s: bad kex length: %zu < %d", __func__,
549 		    sshbuf_len(kex->my), KEX_COOKIE_LEN);
550 		return SSH_ERR_INVALID_FORMAT;
551 	}
552 	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) {
553 		error("%s: buffer error", __func__);
554 		return SSH_ERR_INTERNAL_ERROR;
555 	}
556 	arc4random_buf(cookie, KEX_COOKIE_LEN);
557 
558 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
559 	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
560 	    (r = sshpkt_send(ssh)) != 0) {
561 		error("%s: compose reply: %s", __func__, ssh_err(r));
562 		return r;
563 	}
564 	debug("SSH2_MSG_KEXINIT sent");
565 	kex->flags |= KEX_INIT_SENT;
566 	return 0;
567 }
568 
569 /* ARGSUSED */
570 int
571 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
572 {
573 	struct kex *kex = ssh->kex;
574 	const u_char *ptr;
575 	u_int i;
576 	size_t dlen;
577 	int r;
578 
579 	debug("SSH2_MSG_KEXINIT received");
580 	if (kex == NULL) {
581 		error("%s: no hex", __func__);
582 		return SSH_ERR_INTERNAL_ERROR;
583 	}
584 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
585 	ptr = sshpkt_ptr(ssh, &dlen);
586 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
587 		return r;
588 
589 	/* discard packet */
590 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
591 		if ((r = sshpkt_get_u8(ssh, NULL)) != 0) {
592 			error("%s: discard cookie: %s", __func__, ssh_err(r));
593 			return r;
594 		}
595 	}
596 	for (i = 0; i < PROPOSAL_MAX; i++) {
597 		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
598 			error("%s: discard proposal: %s", __func__, ssh_err(r));
599 			return r;
600 		}
601 	}
602 	/*
603 	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
604 	 * KEX method has the server move first, but a server might be using
605 	 * a custom method or one that we otherwise don't support. We should
606 	 * be prepared to remember first_kex_follows here so we can eat a
607 	 * packet later.
608 	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
609 	 * for cases where the server *doesn't* go first. I guess we should
610 	 * ignore it when it is set for these cases, which is what we do now.
611 	 */
612 	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
613 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
614 	    (r = sshpkt_get_end(ssh)) != 0)
615 			return r;
616 
617 	if (!(kex->flags & KEX_INIT_SENT))
618 		if ((r = kex_send_kexinit(ssh)) != 0)
619 			return r;
620 	if ((r = kex_choose_conf(ssh)) != 0)
621 		return r;
622 
623 	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
624 		return (kex->kex[kex->kex_type])(ssh);
625 
626 	error("%s: unknown kex type %u", __func__, kex->kex_type);
627 	return SSH_ERR_INTERNAL_ERROR;
628 }
629 
630 struct kex *
631 kex_new(void)
632 {
633 	struct kex *kex;
634 
635 	if ((kex = calloc(1, sizeof(*kex))) == NULL ||
636 	    (kex->peer = sshbuf_new()) == NULL ||
637 	    (kex->my = sshbuf_new()) == NULL ||
638 	    (kex->client_version = sshbuf_new()) == NULL ||
639 	    (kex->server_version = sshbuf_new()) == NULL) {
640 		kex_free(kex);
641 		return NULL;
642 	}
643 	return kex;
644 }
645 
646 void
647 kex_free_newkeys(struct newkeys *newkeys)
648 {
649 	if (newkeys == NULL)
650 		return;
651 	if (newkeys->enc.key) {
652 		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
653 		free(newkeys->enc.key);
654 		newkeys->enc.key = NULL;
655 	}
656 	if (newkeys->enc.iv) {
657 		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
658 		free(newkeys->enc.iv);
659 		newkeys->enc.iv = NULL;
660 	}
661 	free(newkeys->enc.name);
662 	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
663 	free(newkeys->comp.name);
664 	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
665 	mac_clear(&newkeys->mac);
666 	if (newkeys->mac.key) {
667 		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
668 		free(newkeys->mac.key);
669 		newkeys->mac.key = NULL;
670 	}
671 	free(newkeys->mac.name);
672 	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
673 	explicit_bzero(newkeys, sizeof(*newkeys));
674 	free(newkeys);
675 }
676 
677 void
678 kex_free(struct kex *kex)
679 {
680 	u_int mode;
681 
682 	if (kex == NULL)
683 		return;
684 
685 #ifdef WITH_OPENSSL
686 	DH_free(kex->dh);
687 #ifdef OPENSSL_HAS_ECC
688 	EC_KEY_free(kex->ec_client_key);
689 #endif /* OPENSSL_HAS_ECC */
690 #endif /* WITH_OPENSSL */
691 	for (mode = 0; mode < MODE_MAX; mode++) {
692 		kex_free_newkeys(kex->newkeys[mode]);
693 		kex->newkeys[mode] = NULL;
694 	}
695 	sshbuf_free(kex->peer);
696 	sshbuf_free(kex->my);
697 	sshbuf_free(kex->client_version);
698 	sshbuf_free(kex->server_version);
699 	sshbuf_free(kex->client_pub);
700 	free(kex->session_id);
701 	free(kex->failed_choice);
702 	free(kex->hostkey_alg);
703 	free(kex->name);
704 	free(kex);
705 }
706 
707 int
708 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
709 {
710 	int r;
711 
712 	if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
713 		return r;
714 	ssh->kex->flags = KEX_INITIAL;
715 	kex_reset_dispatch(ssh);
716 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
717 	return 0;
718 }
719 
720 int
721 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
722 {
723 	int r;
724 
725 	if ((r = kex_ready(ssh, proposal)) != 0)
726 		return r;
727 	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
728 		kex_free(ssh->kex);
729 		ssh->kex = NULL;
730 		return r;
731 	}
732 	return 0;
733 }
734 
735 /*
736  * Request key re-exchange, returns 0 on success or a ssherr.h error
737  * code otherwise. Must not be called if KEX is incomplete or in-progress.
738  */
739 int
740 kex_start_rekex(struct ssh *ssh)
741 {
742 	if (ssh->kex == NULL) {
743 		error("%s: no kex", __func__);
744 		return SSH_ERR_INTERNAL_ERROR;
745 	}
746 	if (ssh->kex->done == 0) {
747 		error("%s: requested twice", __func__);
748 		return SSH_ERR_INTERNAL_ERROR;
749 	}
750 	ssh->kex->done = 0;
751 	return kex_send_kexinit(ssh);
752 }
753 
754 static int
755 choose_enc(struct sshenc *enc, char *client, char *server)
756 {
757 	char *name = match_list(client, server, NULL);
758 
759 	if (name == NULL)
760 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
761 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
762 		error("%s: unsupported cipher %s", __func__, name);
763 		free(name);
764 		return SSH_ERR_INTERNAL_ERROR;
765 	}
766 	enc->name = name;
767 	enc->enabled = 0;
768 	enc->iv = NULL;
769 	enc->iv_len = cipher_ivlen(enc->cipher);
770 	enc->key = NULL;
771 	enc->key_len = cipher_keylen(enc->cipher);
772 	enc->block_size = cipher_blocksize(enc->cipher);
773 	return 0;
774 }
775 
776 static int
777 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
778 {
779 	char *name = match_list(client, server, NULL);
780 
781 	if (name == NULL)
782 		return SSH_ERR_NO_MAC_ALG_MATCH;
783 	if (mac_setup(mac, name) < 0) {
784 		error("%s: unsupported MAC %s", __func__, name);
785 		free(name);
786 		return SSH_ERR_INTERNAL_ERROR;
787 	}
788 	mac->name = name;
789 	mac->key = NULL;
790 	mac->enabled = 0;
791 	return 0;
792 }
793 
794 static int
795 choose_comp(struct sshcomp *comp, char *client, char *server)
796 {
797 	char *name = match_list(client, server, NULL);
798 
799 	if (name == NULL)
800 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
801 	if (strcmp(name, "zlib@openssh.com") == 0) {
802 		comp->type = COMP_DELAYED;
803 	} else if (strcmp(name, "zlib") == 0) {
804 		comp->type = COMP_ZLIB;
805 	} else if (strcmp(name, "none") == 0) {
806 		comp->type = COMP_NONE;
807 	} else {
808 		error("%s: unsupported compression scheme %s", __func__, name);
809 		free(name);
810 		return SSH_ERR_INTERNAL_ERROR;
811 	}
812 	comp->name = name;
813 	return 0;
814 }
815 
816 static int
817 choose_kex(struct kex *k, char *client, char *server)
818 {
819 	const struct kexalg *kexalg;
820 
821 	k->name = match_list(client, server, NULL);
822 
823 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
824 	if (k->name == NULL)
825 		return SSH_ERR_NO_KEX_ALG_MATCH;
826 	if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
827 		error("%s: unsupported KEX method %s", __func__, k->name);
828 		return SSH_ERR_INTERNAL_ERROR;
829 	}
830 	k->kex_type = kexalg->type;
831 	k->hash_alg = kexalg->hash_alg;
832 	k->ec_nid = kexalg->ec_nid;
833 	return 0;
834 }
835 
836 static int
837 choose_hostkeyalg(struct kex *k, char *client, char *server)
838 {
839 	k->hostkey_alg = match_list(client, server, NULL);
840 
841 	debug("kex: host key algorithm: %s",
842 	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
843 	if (k->hostkey_alg == NULL)
844 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
845 	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
846 	if (k->hostkey_type == KEY_UNSPEC) {
847 		error("%s: unsupported hostkey algorithm %s", __func__,
848 		    k->hostkey_alg);
849 		return SSH_ERR_INTERNAL_ERROR;
850 	}
851 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
852 	return 0;
853 }
854 
855 static int
856 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
857 {
858 	static int check[] = {
859 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
860 	};
861 	int *idx;
862 	char *p;
863 
864 	for (idx = &check[0]; *idx != -1; idx++) {
865 		if ((p = strchr(my[*idx], ',')) != NULL)
866 			*p = '\0';
867 		if ((p = strchr(peer[*idx], ',')) != NULL)
868 			*p = '\0';
869 		if (strcmp(my[*idx], peer[*idx]) != 0) {
870 			debug2("proposal mismatch: my %s peer %s",
871 			    my[*idx], peer[*idx]);
872 			return (0);
873 		}
874 	}
875 	debug2("proposals match");
876 	return (1);
877 }
878 
879 static int
880 kex_choose_conf(struct ssh *ssh)
881 {
882 	struct kex *kex = ssh->kex;
883 	struct newkeys *newkeys;
884 	char **my = NULL, **peer = NULL;
885 	char **cprop, **sprop;
886 	int nenc, nmac, ncomp;
887 	u_int mode, ctos, need, dh_need, authlen;
888 	int r, first_kex_follows;
889 
890 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
891 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
892 		goto out;
893 	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
894 	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
895 		goto out;
896 
897 	if (kex->server) {
898 		cprop=peer;
899 		sprop=my;
900 	} else {
901 		cprop=my;
902 		sprop=peer;
903 	}
904 
905 	/* Check whether client supports ext_info_c */
906 	if (kex->server && (kex->flags & KEX_INITIAL)) {
907 		char *ext;
908 
909 		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
910 		kex->ext_info_c = (ext != NULL);
911 		free(ext);
912 	}
913 
914 	/* Algorithm Negotiation */
915 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
916 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
917 		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
918 		peer[PROPOSAL_KEX_ALGS] = NULL;
919 		goto out;
920 	}
921 	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
922 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
923 		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
924 		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
925 		goto out;
926 	}
927 	for (mode = 0; mode < MODE_MAX; mode++) {
928 		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
929 			r = SSH_ERR_ALLOC_FAIL;
930 			goto out;
931 		}
932 		kex->newkeys[mode] = newkeys;
933 		ctos = (!kex->server && mode == MODE_OUT) ||
934 		    (kex->server && mode == MODE_IN);
935 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
936 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
937 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
938 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
939 		    sprop[nenc])) != 0) {
940 			kex->failed_choice = peer[nenc];
941 			peer[nenc] = NULL;
942 			goto out;
943 		}
944 		authlen = cipher_authlen(newkeys->enc.cipher);
945 		/* ignore mac for authenticated encryption */
946 		if (authlen == 0 &&
947 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
948 		    sprop[nmac])) != 0) {
949 			kex->failed_choice = peer[nmac];
950 			peer[nmac] = NULL;
951 			goto out;
952 		}
953 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
954 		    sprop[ncomp])) != 0) {
955 			kex->failed_choice = peer[ncomp];
956 			peer[ncomp] = NULL;
957 			goto out;
958 		}
959 		debug("kex: %s cipher: %s MAC: %s compression: %s",
960 		    ctos ? "client->server" : "server->client",
961 		    newkeys->enc.name,
962 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
963 		    newkeys->comp.name);
964 	}
965 	need = dh_need = 0;
966 	for (mode = 0; mode < MODE_MAX; mode++) {
967 		newkeys = kex->newkeys[mode];
968 		need = MAXIMUM(need, newkeys->enc.key_len);
969 		need = MAXIMUM(need, newkeys->enc.block_size);
970 		need = MAXIMUM(need, newkeys->enc.iv_len);
971 		need = MAXIMUM(need, newkeys->mac.key_len);
972 		dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
973 		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
974 		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
975 		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
976 	}
977 	/* XXX need runden? */
978 	kex->we_need = need;
979 	kex->dh_need = dh_need;
980 
981 	/* ignore the next message if the proposals do not match */
982 	if (first_kex_follows && !proposals_match(my, peer))
983 		ssh->dispatch_skip_packets = 1;
984 	r = 0;
985  out:
986 	kex_prop_free(my);
987 	kex_prop_free(peer);
988 	return r;
989 }
990 
991 static int
992 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
993     const struct sshbuf *shared_secret, u_char **keyp)
994 {
995 	struct kex *kex = ssh->kex;
996 	struct ssh_digest_ctx *hashctx = NULL;
997 	char c = id;
998 	u_int have;
999 	size_t mdsz;
1000 	u_char *digest;
1001 	int r;
1002 
1003 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
1004 		return SSH_ERR_INVALID_ARGUMENT;
1005 	if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
1006 		r = SSH_ERR_ALLOC_FAIL;
1007 		goto out;
1008 	}
1009 
1010 	/* K1 = HASH(K || H || "A" || session_id) */
1011 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1012 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1013 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1014 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
1015 	    ssh_digest_update(hashctx, kex->session_id,
1016 	    kex->session_id_len) != 0 ||
1017 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
1018 		r = SSH_ERR_LIBCRYPTO_ERROR;
1019 		error("%s: KEX hash failed", __func__);
1020 		goto out;
1021 	}
1022 	ssh_digest_free(hashctx);
1023 	hashctx = NULL;
1024 
1025 	/*
1026 	 * expand key:
1027 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
1028 	 * Key = K1 || K2 || ... || Kn
1029 	 */
1030 	for (have = mdsz; need > have; have += mdsz) {
1031 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1032 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1033 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1034 		    ssh_digest_update(hashctx, digest, have) != 0 ||
1035 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
1036 			error("%s: KDF failed", __func__);
1037 			r = SSH_ERR_LIBCRYPTO_ERROR;
1038 			goto out;
1039 		}
1040 		ssh_digest_free(hashctx);
1041 		hashctx = NULL;
1042 	}
1043 #ifdef DEBUG_KEX
1044 	fprintf(stderr, "key '%c'== ", c);
1045 	dump_digest("key", digest, need);
1046 #endif
1047 	*keyp = digest;
1048 	digest = NULL;
1049 	r = 0;
1050  out:
1051 	free(digest);
1052 	ssh_digest_free(hashctx);
1053 	return r;
1054 }
1055 
1056 #define NKEYS	6
1057 int
1058 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
1059     const struct sshbuf *shared_secret)
1060 {
1061 	struct kex *kex = ssh->kex;
1062 	u_char *keys[NKEYS];
1063 	u_int i, j, mode, ctos;
1064 	int r;
1065 
1066 	/* save initial hash as session id */
1067 	if (kex->session_id == NULL) {
1068 		kex->session_id_len = hashlen;
1069 		kex->session_id = malloc(kex->session_id_len);
1070 		if (kex->session_id == NULL)
1071 			return SSH_ERR_ALLOC_FAIL;
1072 		memcpy(kex->session_id, hash, kex->session_id_len);
1073 	}
1074 	for (i = 0; i < NKEYS; i++) {
1075 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1076 		    shared_secret, &keys[i])) != 0) {
1077 			for (j = 0; j < i; j++)
1078 				free(keys[j]);
1079 			return r;
1080 		}
1081 	}
1082 	for (mode = 0; mode < MODE_MAX; mode++) {
1083 		ctos = (!kex->server && mode == MODE_OUT) ||
1084 		    (kex->server && mode == MODE_IN);
1085 		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
1086 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1087 		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1088 	}
1089 	return 0;
1090 }
1091 
1092 int
1093 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
1094 {
1095 	struct kex *kex = ssh->kex;
1096 
1097 	*pubp = NULL;
1098 	*prvp = NULL;
1099 	if (kex->load_host_public_key == NULL ||
1100 	    kex->load_host_private_key == NULL) {
1101 		error("%s: missing hostkey loader", __func__);
1102 		return SSH_ERR_INVALID_ARGUMENT;
1103 	}
1104 	*pubp = kex->load_host_public_key(kex->hostkey_type,
1105 	    kex->hostkey_nid, ssh);
1106 	*prvp = kex->load_host_private_key(kex->hostkey_type,
1107 	    kex->hostkey_nid, ssh);
1108 	if (*pubp == NULL)
1109 		return SSH_ERR_NO_HOSTKEY_LOADED;
1110 	return 0;
1111 }
1112 
1113 int
1114 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
1115 {
1116 	struct kex *kex = ssh->kex;
1117 
1118 	if (kex->verify_host_key == NULL) {
1119 		error("%s: missing hostkey verifier", __func__);
1120 		return SSH_ERR_INVALID_ARGUMENT;
1121 	}
1122 	if (server_host_key->type != kex->hostkey_type ||
1123 	    (kex->hostkey_type == KEY_ECDSA &&
1124 	    server_host_key->ecdsa_nid != kex->hostkey_nid))
1125 		return SSH_ERR_KEY_TYPE_MISMATCH;
1126 	if (kex->verify_host_key(server_host_key, ssh) == -1)
1127 		return  SSH_ERR_SIGNATURE_INVALID;
1128 	return 0;
1129 }
1130 
1131 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1132 void
1133 dump_digest(const char *msg, const u_char *digest, int len)
1134 {
1135 	fprintf(stderr, "%s\n", msg);
1136 	sshbuf_dump_data(digest, len, stderr);
1137 }
1138 #endif
1139 
1140 /*
1141  * Send a plaintext error message to the peer, suffixed by \r\n.
1142  * Only used during banner exchange, and there only for the server.
1143  */
1144 static void
1145 send_error(struct ssh *ssh, char *msg)
1146 {
1147 	char *crnl = "\r\n";
1148 
1149 	if (!ssh->kex->server)
1150 		return;
1151 
1152 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1153 	    msg, strlen(msg)) != strlen(msg) ||
1154 	    atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1155 	    crnl, strlen(crnl)) != strlen(crnl))
1156 		error("%s: write: %.100s", __func__, strerror(errno));
1157 }
1158 
1159 /*
1160  * Sends our identification string and waits for the peer's. Will block for
1161  * up to timeout_ms (or indefinitely if timeout_ms <= 0).
1162  * Returns on 0 success or a ssherr.h code on failure.
1163  */
1164 int
1165 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
1166     const char *version_addendum)
1167 {
1168 	int remote_major, remote_minor, mismatch;
1169 	size_t len, i, n;
1170 	int r, expect_nl;
1171 	u_char c;
1172 	struct sshbuf *our_version = ssh->kex->server ?
1173 	    ssh->kex->server_version : ssh->kex->client_version;
1174 	struct sshbuf *peer_version = ssh->kex->server ?
1175 	    ssh->kex->client_version : ssh->kex->server_version;
1176 	char *our_version_string = NULL, *peer_version_string = NULL;
1177 	char *cp, *remote_version = NULL;
1178 
1179 	/* Prepare and send our banner */
1180 	sshbuf_reset(our_version);
1181 	if (version_addendum != NULL && *version_addendum == '\0')
1182 		version_addendum = NULL;
1183 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
1184 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
1185 	    version_addendum == NULL ? "" : " ",
1186 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
1187 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
1188 		goto out;
1189 	}
1190 
1191 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1192 	    sshbuf_mutable_ptr(our_version),
1193 	    sshbuf_len(our_version)) != sshbuf_len(our_version)) {
1194 		error("%s: write: %.100s", __func__, strerror(errno));
1195 		r = SSH_ERR_SYSTEM_ERROR;
1196 		goto out;
1197 	}
1198 	if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
1199 		error("%s: sshbuf_consume_end: %s", __func__, ssh_err(r));
1200 		goto out;
1201 	}
1202 	our_version_string = sshbuf_dup_string(our_version);
1203 	if (our_version_string == NULL) {
1204 		error("%s: sshbuf_dup_string failed", __func__);
1205 		r = SSH_ERR_ALLOC_FAIL;
1206 		goto out;
1207 	}
1208 	debug("Local version string %.100s", our_version_string);
1209 
1210 	/* Read other side's version identification. */
1211 	for (n = 0; ; n++) {
1212 		if (n >= SSH_MAX_PRE_BANNER_LINES) {
1213 			send_error(ssh, "No SSH identification string "
1214 			    "received.");
1215 			error("%s: No SSH version received in first %u lines "
1216 			    "from server", __func__, SSH_MAX_PRE_BANNER_LINES);
1217 			r = SSH_ERR_INVALID_FORMAT;
1218 			goto out;
1219 		}
1220 		sshbuf_reset(peer_version);
1221 		expect_nl = 0;
1222 		for (i = 0; ; i++) {
1223 			if (timeout_ms > 0) {
1224 				r = waitrfd(ssh_packet_get_connection_in(ssh),
1225 				    &timeout_ms);
1226 				if (r == -1 && errno == ETIMEDOUT) {
1227 					send_error(ssh, "Timed out waiting "
1228 					    "for SSH identification string.");
1229 					error("Connection timed out during "
1230 					    "banner exchange");
1231 					r = SSH_ERR_CONN_TIMEOUT;
1232 					goto out;
1233 				} else if (r == -1) {
1234 					error("%s: %s",
1235 					    __func__, strerror(errno));
1236 					r = SSH_ERR_SYSTEM_ERROR;
1237 					goto out;
1238 				}
1239 			}
1240 
1241 			len = atomicio(read, ssh_packet_get_connection_in(ssh),
1242 			    &c, 1);
1243 			if (len != 1 && errno == EPIPE) {
1244 				error("%s: Connection closed by remote host",
1245 				    __func__);
1246 				r = SSH_ERR_CONN_CLOSED;
1247 				goto out;
1248 			} else if (len != 1) {
1249 				error("%s: read: %.100s",
1250 				    __func__, strerror(errno));
1251 				r = SSH_ERR_SYSTEM_ERROR;
1252 				goto out;
1253 			}
1254 			if (c == '\r') {
1255 				expect_nl = 1;
1256 				continue;
1257 			}
1258 			if (c == '\n')
1259 				break;
1260 			if (c == '\0' || expect_nl) {
1261 				error("%s: banner line contains invalid "
1262 				    "characters", __func__);
1263 				goto invalid;
1264 			}
1265 			if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
1266 				error("%s: sshbuf_put: %s",
1267 				    __func__, ssh_err(r));
1268 				goto out;
1269 			}
1270 			if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
1271 				error("%s: banner line too long", __func__);
1272 				goto invalid;
1273 			}
1274 		}
1275 		/* Is this an actual protocol banner? */
1276 		if (sshbuf_len(peer_version) > 4 &&
1277 		    memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
1278 			break;
1279 		/* If not, then just log the line and continue */
1280 		if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
1281 			error("%s: sshbuf_dup_string failed", __func__);
1282 			r = SSH_ERR_ALLOC_FAIL;
1283 			goto out;
1284 		}
1285 		/* Do not accept lines before the SSH ident from a client */
1286 		if (ssh->kex->server) {
1287 			error("%s: client sent invalid protocol identifier "
1288 			    "\"%.256s\"", __func__, cp);
1289 			free(cp);
1290 			goto invalid;
1291 		}
1292 		debug("%s: banner line %zu: %s", __func__, n, cp);
1293 		free(cp);
1294 	}
1295 	peer_version_string = sshbuf_dup_string(peer_version);
1296 	if (peer_version_string == NULL)
1297 		error("%s: sshbuf_dup_string failed", __func__);
1298 	/* XXX must be same size for sscanf */
1299 	if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
1300 		error("%s: calloc failed", __func__);
1301 		r = SSH_ERR_ALLOC_FAIL;
1302 		goto out;
1303 	}
1304 
1305 	/*
1306 	 * Check that the versions match.  In future this might accept
1307 	 * several versions and set appropriate flags to handle them.
1308 	 */
1309 	if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
1310 	    &remote_major, &remote_minor, remote_version) != 3) {
1311 		error("Bad remote protocol version identification: '%.100s'",
1312 		    peer_version_string);
1313  invalid:
1314 		send_error(ssh, "Invalid SSH identification string.");
1315 		r = SSH_ERR_INVALID_FORMAT;
1316 		goto out;
1317 	}
1318 	debug("Remote protocol version %d.%d, remote software version %.100s",
1319 	    remote_major, remote_minor, remote_version);
1320 	ssh->compat = compat_datafellows(remote_version);
1321 
1322 	mismatch = 0;
1323 	switch (remote_major) {
1324 	case 2:
1325 		break;
1326 	case 1:
1327 		if (remote_minor != 99)
1328 			mismatch = 1;
1329 		break;
1330 	default:
1331 		mismatch = 1;
1332 		break;
1333 	}
1334 	if (mismatch) {
1335 		error("Protocol major versions differ: %d vs. %d",
1336 		    PROTOCOL_MAJOR_2, remote_major);
1337 		send_error(ssh, "Protocol major versions differ.");
1338 		r = SSH_ERR_NO_PROTOCOL_VERSION;
1339 		goto out;
1340 	}
1341 
1342 	if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
1343 		logit("probed from %s port %d with %s.  Don't panic.",
1344 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1345 		    peer_version_string);
1346 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1347 		goto out;
1348 	}
1349 	if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
1350 		logit("scanned from %s port %d with %s.  Don't panic.",
1351 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1352 		    peer_version_string);
1353 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1354 		goto out;
1355 	}
1356 	if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
1357 		logit("Remote version \"%.100s\" uses unsafe RSA signature "
1358 		    "scheme; disabling use of RSA keys", remote_version);
1359 	}
1360 	/* success */
1361 	r = 0;
1362  out:
1363 	free(our_version_string);
1364 	free(peer_version_string);
1365 	free(remote_version);
1366 	return r;
1367 }
1368 
1369