xref: /openssh-portable/kex.c (revision 7f8e66fe)
1 /* $OpenBSD: kex.c,v 1.156 2020/01/23 10:24:29 dtucker Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 #include <sys/types.h>
29 #include <errno.h>
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #ifdef HAVE_POLL_H
37 #include <poll.h>
38 #endif
39 
40 #ifdef WITH_OPENSSL
41 #include <openssl/crypto.h>
42 #include <openssl/dh.h>
43 #endif
44 
45 #include "ssh.h"
46 #include "ssh2.h"
47 #include "atomicio.h"
48 #include "version.h"
49 #include "packet.h"
50 #include "compat.h"
51 #include "cipher.h"
52 #include "sshkey.h"
53 #include "kex.h"
54 #include "log.h"
55 #include "mac.h"
56 #include "match.h"
57 #include "misc.h"
58 #include "dispatch.h"
59 #include "monitor.h"
60 
61 #include "ssherr.h"
62 #include "sshbuf.h"
63 #include "digest.h"
64 
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
68 
69 static const char *proposal_names[PROPOSAL_MAX] = {
70 	"KEX algorithms",
71 	"host key algorithms",
72 	"ciphers ctos",
73 	"ciphers stoc",
74 	"MACs ctos",
75 	"MACs stoc",
76 	"compression ctos",
77 	"compression stoc",
78 	"languages ctos",
79 	"languages stoc",
80 };
81 
82 struct kexalg {
83 	char *name;
84 	u_int type;
85 	int ec_nid;
86 	int hash_alg;
87 };
88 static const struct kexalg kexalgs[] = {
89 #ifdef WITH_OPENSSL
90 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
91 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
92 	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
93 	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
94 	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
95 	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
96 #ifdef HAVE_EVP_SHA256
97 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
98 #endif /* HAVE_EVP_SHA256 */
99 #ifdef OPENSSL_HAS_ECC
100 	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
101 	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
102 	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
103 	    SSH_DIGEST_SHA384 },
104 # ifdef OPENSSL_HAS_NISTP521
105 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
106 	    SSH_DIGEST_SHA512 },
107 # endif /* OPENSSL_HAS_NISTP521 */
108 #endif /* OPENSSL_HAS_ECC */
109 #endif /* WITH_OPENSSL */
110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
111 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
112 	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
113 	{ KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0,
114 	    SSH_DIGEST_SHA512 },
115 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
116 	{ NULL, 0, -1, -1},
117 };
118 
119 char *
120 kex_alg_list(char sep)
121 {
122 	char *ret = NULL, *tmp;
123 	size_t nlen, rlen = 0;
124 	const struct kexalg *k;
125 
126 	for (k = kexalgs; k->name != NULL; k++) {
127 		if (ret != NULL)
128 			ret[rlen++] = sep;
129 		nlen = strlen(k->name);
130 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
131 			free(ret);
132 			return NULL;
133 		}
134 		ret = tmp;
135 		memcpy(ret + rlen, k->name, nlen + 1);
136 		rlen += nlen;
137 	}
138 	return ret;
139 }
140 
141 static const struct kexalg *
142 kex_alg_by_name(const char *name)
143 {
144 	const struct kexalg *k;
145 
146 	for (k = kexalgs; k->name != NULL; k++) {
147 		if (strcmp(k->name, name) == 0)
148 			return k;
149 	}
150 	return NULL;
151 }
152 
153 /* Validate KEX method name list */
154 int
155 kex_names_valid(const char *names)
156 {
157 	char *s, *cp, *p;
158 
159 	if (names == NULL || strcmp(names, "") == 0)
160 		return 0;
161 	if ((s = cp = strdup(names)) == NULL)
162 		return 0;
163 	for ((p = strsep(&cp, ",")); p && *p != '\0';
164 	    (p = strsep(&cp, ","))) {
165 		if (kex_alg_by_name(p) == NULL) {
166 			error("Unsupported KEX algorithm \"%.100s\"", p);
167 			free(s);
168 			return 0;
169 		}
170 	}
171 	debug3("kex names ok: [%s]", names);
172 	free(s);
173 	return 1;
174 }
175 
176 /*
177  * Concatenate algorithm names, avoiding duplicates in the process.
178  * Caller must free returned string.
179  */
180 char *
181 kex_names_cat(const char *a, const char *b)
182 {
183 	char *ret = NULL, *tmp = NULL, *cp, *p, *m;
184 	size_t len;
185 
186 	if (a == NULL || *a == '\0')
187 		return strdup(b);
188 	if (b == NULL || *b == '\0')
189 		return strdup(a);
190 	if (strlen(b) > 1024*1024)
191 		return NULL;
192 	len = strlen(a) + strlen(b) + 2;
193 	if ((tmp = cp = strdup(b)) == NULL ||
194 	    (ret = calloc(1, len)) == NULL) {
195 		free(tmp);
196 		return NULL;
197 	}
198 	strlcpy(ret, a, len);
199 	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
200 		if ((m = match_list(ret, p, NULL)) != NULL) {
201 			free(m);
202 			continue; /* Algorithm already present */
203 		}
204 		if (strlcat(ret, ",", len) >= len ||
205 		    strlcat(ret, p, len) >= len) {
206 			free(tmp);
207 			free(ret);
208 			return NULL; /* Shouldn't happen */
209 		}
210 	}
211 	free(tmp);
212 	return ret;
213 }
214 
215 /*
216  * Assemble a list of algorithms from a default list and a string from a
217  * configuration file. The user-provided string may begin with '+' to
218  * indicate that it should be appended to the default, '-' that the
219  * specified names should be removed, or '^' that they should be placed
220  * at the head.
221  */
222 int
223 kex_assemble_names(char **listp, const char *def, const char *all)
224 {
225 	char *cp, *tmp, *patterns;
226 	char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
227 	int r = SSH_ERR_INTERNAL_ERROR;
228 
229 	if (listp == NULL || def == NULL || all == NULL)
230 		return SSH_ERR_INVALID_ARGUMENT;
231 
232 	if (*listp == NULL || **listp == '\0') {
233 		if ((*listp = strdup(def)) == NULL)
234 			return SSH_ERR_ALLOC_FAIL;
235 		return 0;
236 	}
237 
238 	list = *listp;
239 	*listp = NULL;
240 	if (*list == '+') {
241 		/* Append names to default list */
242 		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
243 			r = SSH_ERR_ALLOC_FAIL;
244 			goto fail;
245 		}
246 		free(list);
247 		list = tmp;
248 	} else if (*list == '-') {
249 		/* Remove names from default list */
250 		if ((*listp = match_filter_blacklist(def, list + 1)) == NULL) {
251 			r = SSH_ERR_ALLOC_FAIL;
252 			goto fail;
253 		}
254 		free(list);
255 		/* filtering has already been done */
256 		return 0;
257 	} else if (*list == '^') {
258 		/* Place names at head of default list */
259 		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
260 			r = SSH_ERR_ALLOC_FAIL;
261 			goto fail;
262 		}
263 		free(list);
264 		list = tmp;
265 	} else {
266 		/* Explicit list, overrides default - just use "list" as is */
267 	}
268 
269 	/*
270 	 * The supplied names may be a pattern-list. For the -list case,
271 	 * the patterns are applied above. For the +list and explicit list
272 	 * cases we need to do it now.
273 	 */
274 	ret = NULL;
275 	if ((patterns = opatterns = strdup(list)) == NULL) {
276 		r = SSH_ERR_ALLOC_FAIL;
277 		goto fail;
278 	}
279 	/* Apply positive (i.e. non-negated) patterns from the list */
280 	while ((cp = strsep(&patterns, ",")) != NULL) {
281 		if (*cp == '!') {
282 			/* negated matches are not supported here */
283 			r = SSH_ERR_INVALID_ARGUMENT;
284 			goto fail;
285 		}
286 		free(matching);
287 		if ((matching = match_filter_whitelist(all, cp)) == NULL) {
288 			r = SSH_ERR_ALLOC_FAIL;
289 			goto fail;
290 		}
291 		if ((tmp = kex_names_cat(ret, matching)) == NULL) {
292 			r = SSH_ERR_ALLOC_FAIL;
293 			goto fail;
294 		}
295 		free(ret);
296 		ret = tmp;
297 	}
298 	if (ret == NULL || *ret == '\0') {
299 		/* An empty name-list is an error */
300 		/* XXX better error code? */
301 		r = SSH_ERR_INVALID_ARGUMENT;
302 		goto fail;
303 	}
304 
305 	/* success */
306 	*listp = ret;
307 	ret = NULL;
308 	r = 0;
309 
310  fail:
311 	free(matching);
312 	free(opatterns);
313 	free(list);
314 	free(ret);
315 	return r;
316 }
317 
318 /* put algorithm proposal into buffer */
319 int
320 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
321 {
322 	u_int i;
323 	int r;
324 
325 	sshbuf_reset(b);
326 
327 	/*
328 	 * add a dummy cookie, the cookie will be overwritten by
329 	 * kex_send_kexinit(), each time a kexinit is set
330 	 */
331 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
332 		if ((r = sshbuf_put_u8(b, 0)) != 0)
333 			return r;
334 	}
335 	for (i = 0; i < PROPOSAL_MAX; i++) {
336 		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
337 			return r;
338 	}
339 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
340 	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
341 		return r;
342 	return 0;
343 }
344 
345 /* parse buffer and return algorithm proposal */
346 int
347 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
348 {
349 	struct sshbuf *b = NULL;
350 	u_char v;
351 	u_int i;
352 	char **proposal = NULL;
353 	int r;
354 
355 	*propp = NULL;
356 	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
357 		return SSH_ERR_ALLOC_FAIL;
358 	if ((b = sshbuf_fromb(raw)) == NULL) {
359 		r = SSH_ERR_ALLOC_FAIL;
360 		goto out;
361 	}
362 	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */
363 		error("%s: consume cookie: %s", __func__, ssh_err(r));
364 		goto out;
365 	}
366 	/* extract kex init proposal strings */
367 	for (i = 0; i < PROPOSAL_MAX; i++) {
368 		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) {
369 			error("%s: parse proposal %u: %s", __func__,
370 			    i, ssh_err(r));
371 			goto out;
372 		}
373 		debug2("%s: %s", proposal_names[i], proposal[i]);
374 	}
375 	/* first kex follows / reserved */
376 	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
377 	    (r = sshbuf_get_u32(b, &i)) != 0) {	/* reserved */
378 		error("%s: parse: %s", __func__, ssh_err(r));
379 		goto out;
380 	}
381 	if (first_kex_follows != NULL)
382 		*first_kex_follows = v;
383 	debug2("first_kex_follows %d ", v);
384 	debug2("reserved %u ", i);
385 	r = 0;
386 	*propp = proposal;
387  out:
388 	if (r != 0 && proposal != NULL)
389 		kex_prop_free(proposal);
390 	sshbuf_free(b);
391 	return r;
392 }
393 
394 void
395 kex_prop_free(char **proposal)
396 {
397 	u_int i;
398 
399 	if (proposal == NULL)
400 		return;
401 	for (i = 0; i < PROPOSAL_MAX; i++)
402 		free(proposal[i]);
403 	free(proposal);
404 }
405 
406 /* ARGSUSED */
407 static int
408 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
409 {
410 	int r;
411 
412 	error("kex protocol error: type %d seq %u", type, seq);
413 	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
414 	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
415 	    (r = sshpkt_send(ssh)) != 0)
416 		return r;
417 	return 0;
418 }
419 
420 static void
421 kex_reset_dispatch(struct ssh *ssh)
422 {
423 	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
424 	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
425 }
426 
427 static int
428 kex_send_ext_info(struct ssh *ssh)
429 {
430 	int r;
431 	char *algs;
432 
433 	debug("Sending SSH2_MSG_EXT_INFO");
434 	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
435 		return SSH_ERR_ALLOC_FAIL;
436 	/* XXX filter algs list by allowed pubkey/hostbased types */
437 	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
438 	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
439 	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
440 	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
441 	    (r = sshpkt_send(ssh)) != 0) {
442 		error("%s: compose: %s", __func__, ssh_err(r));
443 		goto out;
444 	}
445 	/* success */
446 	r = 0;
447  out:
448 	free(algs);
449 	return r;
450 }
451 
452 int
453 kex_send_newkeys(struct ssh *ssh)
454 {
455 	int r;
456 
457 	kex_reset_dispatch(ssh);
458 	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
459 	    (r = sshpkt_send(ssh)) != 0)
460 		return r;
461 	debug("SSH2_MSG_NEWKEYS sent");
462 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
463 	if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
464 		if ((r = kex_send_ext_info(ssh)) != 0)
465 			return r;
466 	debug("expecting SSH2_MSG_NEWKEYS");
467 	return 0;
468 }
469 
470 int
471 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
472 {
473 	struct kex *kex = ssh->kex;
474 	u_int32_t i, ninfo;
475 	char *name;
476 	u_char *val;
477 	size_t vlen;
478 	int r;
479 
480 	debug("SSH2_MSG_EXT_INFO received");
481 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
482 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
483 		return r;
484 	for (i = 0; i < ninfo; i++) {
485 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
486 			return r;
487 		if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
488 			free(name);
489 			return r;
490 		}
491 		if (strcmp(name, "server-sig-algs") == 0) {
492 			/* Ensure no \0 lurking in value */
493 			if (memchr(val, '\0', vlen) != NULL) {
494 				error("%s: nul byte in %s", __func__, name);
495 				return SSH_ERR_INVALID_FORMAT;
496 			}
497 			debug("%s: %s=<%s>", __func__, name, val);
498 			kex->server_sig_algs = val;
499 			val = NULL;
500 		} else
501 			debug("%s: %s (unrecognised)", __func__, name);
502 		free(name);
503 		free(val);
504 	}
505 	return sshpkt_get_end(ssh);
506 }
507 
508 static int
509 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
510 {
511 	struct kex *kex = ssh->kex;
512 	int r;
513 
514 	debug("SSH2_MSG_NEWKEYS received");
515 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
516 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
517 	if ((r = sshpkt_get_end(ssh)) != 0)
518 		return r;
519 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
520 		return r;
521 	kex->done = 1;
522 	kex->flags &= ~KEX_INITIAL;
523 	sshbuf_reset(kex->peer);
524 	/* sshbuf_reset(kex->my); */
525 	kex->flags &= ~KEX_INIT_SENT;
526 	free(kex->name);
527 	kex->name = NULL;
528 	return 0;
529 }
530 
531 int
532 kex_send_kexinit(struct ssh *ssh)
533 {
534 	u_char *cookie;
535 	struct kex *kex = ssh->kex;
536 	int r;
537 
538 	if (kex == NULL) {
539 		error("%s: no hex", __func__);
540 		return SSH_ERR_INTERNAL_ERROR;
541 	}
542 	if (kex->flags & KEX_INIT_SENT)
543 		return 0;
544 	kex->done = 0;
545 
546 	/* generate a random cookie */
547 	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) {
548 		error("%s: bad kex length: %zu < %d", __func__,
549 		    sshbuf_len(kex->my), KEX_COOKIE_LEN);
550 		return SSH_ERR_INVALID_FORMAT;
551 	}
552 	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) {
553 		error("%s: buffer error", __func__);
554 		return SSH_ERR_INTERNAL_ERROR;
555 	}
556 	arc4random_buf(cookie, KEX_COOKIE_LEN);
557 
558 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
559 	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
560 	    (r = sshpkt_send(ssh)) != 0) {
561 		error("%s: compose reply: %s", __func__, ssh_err(r));
562 		return r;
563 	}
564 	debug("SSH2_MSG_KEXINIT sent");
565 	kex->flags |= KEX_INIT_SENT;
566 	return 0;
567 }
568 
569 /* ARGSUSED */
570 int
571 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
572 {
573 	struct kex *kex = ssh->kex;
574 	const u_char *ptr;
575 	u_int i;
576 	size_t dlen;
577 	int r;
578 
579 	debug("SSH2_MSG_KEXINIT received");
580 	if (kex == NULL) {
581 		error("%s: no hex", __func__);
582 		return SSH_ERR_INTERNAL_ERROR;
583 	}
584 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
585 	ptr = sshpkt_ptr(ssh, &dlen);
586 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
587 		return r;
588 
589 	/* discard packet */
590 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
591 		if ((r = sshpkt_get_u8(ssh, NULL)) != 0) {
592 			error("%s: discard cookie: %s", __func__, ssh_err(r));
593 			return r;
594 		}
595 	}
596 	for (i = 0; i < PROPOSAL_MAX; i++) {
597 		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
598 			error("%s: discard proposal: %s", __func__, ssh_err(r));
599 			return r;
600 		}
601 	}
602 	/*
603 	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
604 	 * KEX method has the server move first, but a server might be using
605 	 * a custom method or one that we otherwise don't support. We should
606 	 * be prepared to remember first_kex_follows here so we can eat a
607 	 * packet later.
608 	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
609 	 * for cases where the server *doesn't* go first. I guess we should
610 	 * ignore it when it is set for these cases, which is what we do now.
611 	 */
612 	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
613 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
614 	    (r = sshpkt_get_end(ssh)) != 0)
615 			return r;
616 
617 	if (!(kex->flags & KEX_INIT_SENT))
618 		if ((r = kex_send_kexinit(ssh)) != 0)
619 			return r;
620 	if ((r = kex_choose_conf(ssh)) != 0)
621 		return r;
622 
623 	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
624 		return (kex->kex[kex->kex_type])(ssh);
625 
626 	error("%s: unknown kex type %u", __func__, kex->kex_type);
627 	return SSH_ERR_INTERNAL_ERROR;
628 }
629 
630 struct kex *
631 kex_new(void)
632 {
633 	struct kex *kex;
634 
635 	if ((kex = calloc(1, sizeof(*kex))) == NULL ||
636 	    (kex->peer = sshbuf_new()) == NULL ||
637 	    (kex->my = sshbuf_new()) == NULL ||
638 	    (kex->client_version = sshbuf_new()) == NULL ||
639 	    (kex->server_version = sshbuf_new()) == NULL) {
640 		kex_free(kex);
641 		return NULL;
642 	}
643 	return kex;
644 }
645 
646 void
647 kex_free_newkeys(struct newkeys *newkeys)
648 {
649 	if (newkeys == NULL)
650 		return;
651 	if (newkeys->enc.key) {
652 		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
653 		free(newkeys->enc.key);
654 		newkeys->enc.key = NULL;
655 	}
656 	if (newkeys->enc.iv) {
657 		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
658 		free(newkeys->enc.iv);
659 		newkeys->enc.iv = NULL;
660 	}
661 	free(newkeys->enc.name);
662 	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
663 	free(newkeys->comp.name);
664 	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
665 	mac_clear(&newkeys->mac);
666 	if (newkeys->mac.key) {
667 		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
668 		free(newkeys->mac.key);
669 		newkeys->mac.key = NULL;
670 	}
671 	free(newkeys->mac.name);
672 	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
673 	explicit_bzero(newkeys, sizeof(*newkeys));
674 	free(newkeys);
675 }
676 
677 void
678 kex_free(struct kex *kex)
679 {
680 	u_int mode;
681 
682 	if (kex == NULL)
683 		return;
684 
685 #ifdef WITH_OPENSSL
686 	DH_free(kex->dh);
687 #ifdef OPENSSL_HAS_ECC
688 	EC_KEY_free(kex->ec_client_key);
689 #endif /* OPENSSL_HAS_ECC */
690 #endif /* WITH_OPENSSL */
691 	for (mode = 0; mode < MODE_MAX; mode++) {
692 		kex_free_newkeys(kex->newkeys[mode]);
693 		kex->newkeys[mode] = NULL;
694 	}
695 	sshbuf_free(kex->peer);
696 	sshbuf_free(kex->my);
697 	sshbuf_free(kex->client_version);
698 	sshbuf_free(kex->server_version);
699 	sshbuf_free(kex->client_pub);
700 	free(kex->session_id);
701 	free(kex->failed_choice);
702 	free(kex->hostkey_alg);
703 	free(kex->name);
704 	free(kex);
705 }
706 
707 int
708 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
709 {
710 	int r;
711 
712 	if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
713 		return r;
714 	ssh->kex->flags = KEX_INITIAL;
715 	kex_reset_dispatch(ssh);
716 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
717 	return 0;
718 }
719 
720 int
721 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
722 {
723 	int r;
724 
725 	if ((r = kex_ready(ssh, proposal)) != 0)
726 		return r;
727 	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
728 		kex_free(ssh->kex);
729 		ssh->kex = NULL;
730 		return r;
731 	}
732 	return 0;
733 }
734 
735 /*
736  * Request key re-exchange, returns 0 on success or a ssherr.h error
737  * code otherwise. Must not be called if KEX is incomplete or in-progress.
738  */
739 int
740 kex_start_rekex(struct ssh *ssh)
741 {
742 	if (ssh->kex == NULL) {
743 		error("%s: no kex", __func__);
744 		return SSH_ERR_INTERNAL_ERROR;
745 	}
746 	if (ssh->kex->done == 0) {
747 		error("%s: requested twice", __func__);
748 		return SSH_ERR_INTERNAL_ERROR;
749 	}
750 	ssh->kex->done = 0;
751 	return kex_send_kexinit(ssh);
752 }
753 
754 static int
755 choose_enc(struct sshenc *enc, char *client, char *server)
756 {
757 	char *name = match_list(client, server, NULL);
758 
759 	if (name == NULL)
760 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
761 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
762 		error("%s: unsupported cipher %s", __func__, name);
763 		free(name);
764 		return SSH_ERR_INTERNAL_ERROR;
765 	}
766 	enc->name = name;
767 	enc->enabled = 0;
768 	enc->iv = NULL;
769 	enc->iv_len = cipher_ivlen(enc->cipher);
770 	enc->key = NULL;
771 	enc->key_len = cipher_keylen(enc->cipher);
772 	enc->block_size = cipher_blocksize(enc->cipher);
773 	return 0;
774 }
775 
776 static int
777 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
778 {
779 	char *name = match_list(client, server, NULL);
780 
781 	if (name == NULL)
782 		return SSH_ERR_NO_MAC_ALG_MATCH;
783 	if (mac_setup(mac, name) < 0) {
784 		error("%s: unsupported MAC %s", __func__, name);
785 		free(name);
786 		return SSH_ERR_INTERNAL_ERROR;
787 	}
788 	mac->name = name;
789 	mac->key = NULL;
790 	mac->enabled = 0;
791 	return 0;
792 }
793 
794 static int
795 choose_comp(struct sshcomp *comp, char *client, char *server)
796 {
797 	char *name = match_list(client, server, NULL);
798 
799 	if (name == NULL)
800 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
801 #ifdef WITH_ZLIB
802 	if (strcmp(name, "zlib@openssh.com") == 0) {
803 		comp->type = COMP_DELAYED;
804 	} else if (strcmp(name, "zlib") == 0) {
805 		comp->type = COMP_ZLIB;
806 	} else
807 #endif	/* WITH_ZLIB */
808 	if (strcmp(name, "none") == 0) {
809 		comp->type = COMP_NONE;
810 	} else {
811 		error("%s: unsupported compression scheme %s", __func__, name);
812 		free(name);
813 		return SSH_ERR_INTERNAL_ERROR;
814 	}
815 	comp->name = name;
816 	return 0;
817 }
818 
819 static int
820 choose_kex(struct kex *k, char *client, char *server)
821 {
822 	const struct kexalg *kexalg;
823 
824 	k->name = match_list(client, server, NULL);
825 
826 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
827 	if (k->name == NULL)
828 		return SSH_ERR_NO_KEX_ALG_MATCH;
829 	if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
830 		error("%s: unsupported KEX method %s", __func__, k->name);
831 		return SSH_ERR_INTERNAL_ERROR;
832 	}
833 	k->kex_type = kexalg->type;
834 	k->hash_alg = kexalg->hash_alg;
835 	k->ec_nid = kexalg->ec_nid;
836 	return 0;
837 }
838 
839 static int
840 choose_hostkeyalg(struct kex *k, char *client, char *server)
841 {
842 	k->hostkey_alg = match_list(client, server, NULL);
843 
844 	debug("kex: host key algorithm: %s",
845 	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
846 	if (k->hostkey_alg == NULL)
847 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
848 	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
849 	if (k->hostkey_type == KEY_UNSPEC) {
850 		error("%s: unsupported hostkey algorithm %s", __func__,
851 		    k->hostkey_alg);
852 		return SSH_ERR_INTERNAL_ERROR;
853 	}
854 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
855 	return 0;
856 }
857 
858 static int
859 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
860 {
861 	static int check[] = {
862 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
863 	};
864 	int *idx;
865 	char *p;
866 
867 	for (idx = &check[0]; *idx != -1; idx++) {
868 		if ((p = strchr(my[*idx], ',')) != NULL)
869 			*p = '\0';
870 		if ((p = strchr(peer[*idx], ',')) != NULL)
871 			*p = '\0';
872 		if (strcmp(my[*idx], peer[*idx]) != 0) {
873 			debug2("proposal mismatch: my %s peer %s",
874 			    my[*idx], peer[*idx]);
875 			return (0);
876 		}
877 	}
878 	debug2("proposals match");
879 	return (1);
880 }
881 
882 static int
883 kex_choose_conf(struct ssh *ssh)
884 {
885 	struct kex *kex = ssh->kex;
886 	struct newkeys *newkeys;
887 	char **my = NULL, **peer = NULL;
888 	char **cprop, **sprop;
889 	int nenc, nmac, ncomp;
890 	u_int mode, ctos, need, dh_need, authlen;
891 	int r, first_kex_follows;
892 
893 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
894 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
895 		goto out;
896 	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
897 	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
898 		goto out;
899 
900 	if (kex->server) {
901 		cprop=peer;
902 		sprop=my;
903 	} else {
904 		cprop=my;
905 		sprop=peer;
906 	}
907 
908 	/* Check whether client supports ext_info_c */
909 	if (kex->server && (kex->flags & KEX_INITIAL)) {
910 		char *ext;
911 
912 		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
913 		kex->ext_info_c = (ext != NULL);
914 		free(ext);
915 	}
916 
917 	/* Algorithm Negotiation */
918 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
919 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
920 		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
921 		peer[PROPOSAL_KEX_ALGS] = NULL;
922 		goto out;
923 	}
924 	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
925 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
926 		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
927 		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
928 		goto out;
929 	}
930 	for (mode = 0; mode < MODE_MAX; mode++) {
931 		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
932 			r = SSH_ERR_ALLOC_FAIL;
933 			goto out;
934 		}
935 		kex->newkeys[mode] = newkeys;
936 		ctos = (!kex->server && mode == MODE_OUT) ||
937 		    (kex->server && mode == MODE_IN);
938 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
939 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
940 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
941 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
942 		    sprop[nenc])) != 0) {
943 			kex->failed_choice = peer[nenc];
944 			peer[nenc] = NULL;
945 			goto out;
946 		}
947 		authlen = cipher_authlen(newkeys->enc.cipher);
948 		/* ignore mac for authenticated encryption */
949 		if (authlen == 0 &&
950 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
951 		    sprop[nmac])) != 0) {
952 			kex->failed_choice = peer[nmac];
953 			peer[nmac] = NULL;
954 			goto out;
955 		}
956 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
957 		    sprop[ncomp])) != 0) {
958 			kex->failed_choice = peer[ncomp];
959 			peer[ncomp] = NULL;
960 			goto out;
961 		}
962 		debug("kex: %s cipher: %s MAC: %s compression: %s",
963 		    ctos ? "client->server" : "server->client",
964 		    newkeys->enc.name,
965 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
966 		    newkeys->comp.name);
967 	}
968 	need = dh_need = 0;
969 	for (mode = 0; mode < MODE_MAX; mode++) {
970 		newkeys = kex->newkeys[mode];
971 		need = MAXIMUM(need, newkeys->enc.key_len);
972 		need = MAXIMUM(need, newkeys->enc.block_size);
973 		need = MAXIMUM(need, newkeys->enc.iv_len);
974 		need = MAXIMUM(need, newkeys->mac.key_len);
975 		dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
976 		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
977 		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
978 		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
979 	}
980 	/* XXX need runden? */
981 	kex->we_need = need;
982 	kex->dh_need = dh_need;
983 
984 	/* ignore the next message if the proposals do not match */
985 	if (first_kex_follows && !proposals_match(my, peer))
986 		ssh->dispatch_skip_packets = 1;
987 	r = 0;
988  out:
989 	kex_prop_free(my);
990 	kex_prop_free(peer);
991 	return r;
992 }
993 
994 static int
995 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
996     const struct sshbuf *shared_secret, u_char **keyp)
997 {
998 	struct kex *kex = ssh->kex;
999 	struct ssh_digest_ctx *hashctx = NULL;
1000 	char c = id;
1001 	u_int have;
1002 	size_t mdsz;
1003 	u_char *digest;
1004 	int r;
1005 
1006 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
1007 		return SSH_ERR_INVALID_ARGUMENT;
1008 	if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
1009 		r = SSH_ERR_ALLOC_FAIL;
1010 		goto out;
1011 	}
1012 
1013 	/* K1 = HASH(K || H || "A" || session_id) */
1014 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1015 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1016 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1017 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
1018 	    ssh_digest_update(hashctx, kex->session_id,
1019 	    kex->session_id_len) != 0 ||
1020 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
1021 		r = SSH_ERR_LIBCRYPTO_ERROR;
1022 		error("%s: KEX hash failed", __func__);
1023 		goto out;
1024 	}
1025 	ssh_digest_free(hashctx);
1026 	hashctx = NULL;
1027 
1028 	/*
1029 	 * expand key:
1030 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
1031 	 * Key = K1 || K2 || ... || Kn
1032 	 */
1033 	for (have = mdsz; need > have; have += mdsz) {
1034 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1035 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1036 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1037 		    ssh_digest_update(hashctx, digest, have) != 0 ||
1038 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
1039 			error("%s: KDF failed", __func__);
1040 			r = SSH_ERR_LIBCRYPTO_ERROR;
1041 			goto out;
1042 		}
1043 		ssh_digest_free(hashctx);
1044 		hashctx = NULL;
1045 	}
1046 #ifdef DEBUG_KEX
1047 	fprintf(stderr, "key '%c'== ", c);
1048 	dump_digest("key", digest, need);
1049 #endif
1050 	*keyp = digest;
1051 	digest = NULL;
1052 	r = 0;
1053  out:
1054 	free(digest);
1055 	ssh_digest_free(hashctx);
1056 	return r;
1057 }
1058 
1059 #define NKEYS	6
1060 int
1061 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
1062     const struct sshbuf *shared_secret)
1063 {
1064 	struct kex *kex = ssh->kex;
1065 	u_char *keys[NKEYS];
1066 	u_int i, j, mode, ctos;
1067 	int r;
1068 
1069 	/* save initial hash as session id */
1070 	if (kex->session_id == NULL) {
1071 		kex->session_id_len = hashlen;
1072 		kex->session_id = malloc(kex->session_id_len);
1073 		if (kex->session_id == NULL)
1074 			return SSH_ERR_ALLOC_FAIL;
1075 		memcpy(kex->session_id, hash, kex->session_id_len);
1076 	}
1077 	for (i = 0; i < NKEYS; i++) {
1078 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1079 		    shared_secret, &keys[i])) != 0) {
1080 			for (j = 0; j < i; j++)
1081 				free(keys[j]);
1082 			return r;
1083 		}
1084 	}
1085 	for (mode = 0; mode < MODE_MAX; mode++) {
1086 		ctos = (!kex->server && mode == MODE_OUT) ||
1087 		    (kex->server && mode == MODE_IN);
1088 		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
1089 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1090 		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1091 	}
1092 	return 0;
1093 }
1094 
1095 int
1096 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
1097 {
1098 	struct kex *kex = ssh->kex;
1099 
1100 	*pubp = NULL;
1101 	*prvp = NULL;
1102 	if (kex->load_host_public_key == NULL ||
1103 	    kex->load_host_private_key == NULL) {
1104 		error("%s: missing hostkey loader", __func__);
1105 		return SSH_ERR_INVALID_ARGUMENT;
1106 	}
1107 	*pubp = kex->load_host_public_key(kex->hostkey_type,
1108 	    kex->hostkey_nid, ssh);
1109 	*prvp = kex->load_host_private_key(kex->hostkey_type,
1110 	    kex->hostkey_nid, ssh);
1111 	if (*pubp == NULL)
1112 		return SSH_ERR_NO_HOSTKEY_LOADED;
1113 	return 0;
1114 }
1115 
1116 int
1117 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
1118 {
1119 	struct kex *kex = ssh->kex;
1120 
1121 	if (kex->verify_host_key == NULL) {
1122 		error("%s: missing hostkey verifier", __func__);
1123 		return SSH_ERR_INVALID_ARGUMENT;
1124 	}
1125 	if (server_host_key->type != kex->hostkey_type ||
1126 	    (kex->hostkey_type == KEY_ECDSA &&
1127 	    server_host_key->ecdsa_nid != kex->hostkey_nid))
1128 		return SSH_ERR_KEY_TYPE_MISMATCH;
1129 	if (kex->verify_host_key(server_host_key, ssh) == -1)
1130 		return  SSH_ERR_SIGNATURE_INVALID;
1131 	return 0;
1132 }
1133 
1134 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1135 void
1136 dump_digest(const char *msg, const u_char *digest, int len)
1137 {
1138 	fprintf(stderr, "%s\n", msg);
1139 	sshbuf_dump_data(digest, len, stderr);
1140 }
1141 #endif
1142 
1143 /*
1144  * Send a plaintext error message to the peer, suffixed by \r\n.
1145  * Only used during banner exchange, and there only for the server.
1146  */
1147 static void
1148 send_error(struct ssh *ssh, char *msg)
1149 {
1150 	char *crnl = "\r\n";
1151 
1152 	if (!ssh->kex->server)
1153 		return;
1154 
1155 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1156 	    msg, strlen(msg)) != strlen(msg) ||
1157 	    atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1158 	    crnl, strlen(crnl)) != strlen(crnl))
1159 		error("%s: write: %.100s", __func__, strerror(errno));
1160 }
1161 
1162 /*
1163  * Sends our identification string and waits for the peer's. Will block for
1164  * up to timeout_ms (or indefinitely if timeout_ms <= 0).
1165  * Returns on 0 success or a ssherr.h code on failure.
1166  */
1167 int
1168 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
1169     const char *version_addendum)
1170 {
1171 	int remote_major, remote_minor, mismatch;
1172 	size_t len, i, n;
1173 	int r, expect_nl;
1174 	u_char c;
1175 	struct sshbuf *our_version = ssh->kex->server ?
1176 	    ssh->kex->server_version : ssh->kex->client_version;
1177 	struct sshbuf *peer_version = ssh->kex->server ?
1178 	    ssh->kex->client_version : ssh->kex->server_version;
1179 	char *our_version_string = NULL, *peer_version_string = NULL;
1180 	char *cp, *remote_version = NULL;
1181 
1182 	/* Prepare and send our banner */
1183 	sshbuf_reset(our_version);
1184 	if (version_addendum != NULL && *version_addendum == '\0')
1185 		version_addendum = NULL;
1186 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
1187 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
1188 	    version_addendum == NULL ? "" : " ",
1189 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
1190 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
1191 		goto out;
1192 	}
1193 
1194 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1195 	    sshbuf_mutable_ptr(our_version),
1196 	    sshbuf_len(our_version)) != sshbuf_len(our_version)) {
1197 		error("%s: write: %.100s", __func__, strerror(errno));
1198 		r = SSH_ERR_SYSTEM_ERROR;
1199 		goto out;
1200 	}
1201 	if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
1202 		error("%s: sshbuf_consume_end: %s", __func__, ssh_err(r));
1203 		goto out;
1204 	}
1205 	our_version_string = sshbuf_dup_string(our_version);
1206 	if (our_version_string == NULL) {
1207 		error("%s: sshbuf_dup_string failed", __func__);
1208 		r = SSH_ERR_ALLOC_FAIL;
1209 		goto out;
1210 	}
1211 	debug("Local version string %.100s", our_version_string);
1212 
1213 	/* Read other side's version identification. */
1214 	for (n = 0; ; n++) {
1215 		if (n >= SSH_MAX_PRE_BANNER_LINES) {
1216 			send_error(ssh, "No SSH identification string "
1217 			    "received.");
1218 			error("%s: No SSH version received in first %u lines "
1219 			    "from server", __func__, SSH_MAX_PRE_BANNER_LINES);
1220 			r = SSH_ERR_INVALID_FORMAT;
1221 			goto out;
1222 		}
1223 		sshbuf_reset(peer_version);
1224 		expect_nl = 0;
1225 		for (i = 0; ; i++) {
1226 			if (timeout_ms > 0) {
1227 				r = waitrfd(ssh_packet_get_connection_in(ssh),
1228 				    &timeout_ms);
1229 				if (r == -1 && errno == ETIMEDOUT) {
1230 					send_error(ssh, "Timed out waiting "
1231 					    "for SSH identification string.");
1232 					error("Connection timed out during "
1233 					    "banner exchange");
1234 					r = SSH_ERR_CONN_TIMEOUT;
1235 					goto out;
1236 				} else if (r == -1) {
1237 					error("%s: %s",
1238 					    __func__, strerror(errno));
1239 					r = SSH_ERR_SYSTEM_ERROR;
1240 					goto out;
1241 				}
1242 			}
1243 
1244 			len = atomicio(read, ssh_packet_get_connection_in(ssh),
1245 			    &c, 1);
1246 			if (len != 1 && errno == EPIPE) {
1247 				error("%s: Connection closed by remote host",
1248 				    __func__);
1249 				r = SSH_ERR_CONN_CLOSED;
1250 				goto out;
1251 			} else if (len != 1) {
1252 				error("%s: read: %.100s",
1253 				    __func__, strerror(errno));
1254 				r = SSH_ERR_SYSTEM_ERROR;
1255 				goto out;
1256 			}
1257 			if (c == '\r') {
1258 				expect_nl = 1;
1259 				continue;
1260 			}
1261 			if (c == '\n')
1262 				break;
1263 			if (c == '\0' || expect_nl) {
1264 				error("%s: banner line contains invalid "
1265 				    "characters", __func__);
1266 				goto invalid;
1267 			}
1268 			if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
1269 				error("%s: sshbuf_put: %s",
1270 				    __func__, ssh_err(r));
1271 				goto out;
1272 			}
1273 			if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
1274 				error("%s: banner line too long", __func__);
1275 				goto invalid;
1276 			}
1277 		}
1278 		/* Is this an actual protocol banner? */
1279 		if (sshbuf_len(peer_version) > 4 &&
1280 		    memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
1281 			break;
1282 		/* If not, then just log the line and continue */
1283 		if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
1284 			error("%s: sshbuf_dup_string failed", __func__);
1285 			r = SSH_ERR_ALLOC_FAIL;
1286 			goto out;
1287 		}
1288 		/* Do not accept lines before the SSH ident from a client */
1289 		if (ssh->kex->server) {
1290 			error("%s: client sent invalid protocol identifier "
1291 			    "\"%.256s\"", __func__, cp);
1292 			free(cp);
1293 			goto invalid;
1294 		}
1295 		debug("%s: banner line %zu: %s", __func__, n, cp);
1296 		free(cp);
1297 	}
1298 	peer_version_string = sshbuf_dup_string(peer_version);
1299 	if (peer_version_string == NULL)
1300 		error("%s: sshbuf_dup_string failed", __func__);
1301 	/* XXX must be same size for sscanf */
1302 	if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
1303 		error("%s: calloc failed", __func__);
1304 		r = SSH_ERR_ALLOC_FAIL;
1305 		goto out;
1306 	}
1307 
1308 	/*
1309 	 * Check that the versions match.  In future this might accept
1310 	 * several versions and set appropriate flags to handle them.
1311 	 */
1312 	if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
1313 	    &remote_major, &remote_minor, remote_version) != 3) {
1314 		error("Bad remote protocol version identification: '%.100s'",
1315 		    peer_version_string);
1316  invalid:
1317 		send_error(ssh, "Invalid SSH identification string.");
1318 		r = SSH_ERR_INVALID_FORMAT;
1319 		goto out;
1320 	}
1321 	debug("Remote protocol version %d.%d, remote software version %.100s",
1322 	    remote_major, remote_minor, remote_version);
1323 	ssh->compat = compat_datafellows(remote_version);
1324 
1325 	mismatch = 0;
1326 	switch (remote_major) {
1327 	case 2:
1328 		break;
1329 	case 1:
1330 		if (remote_minor != 99)
1331 			mismatch = 1;
1332 		break;
1333 	default:
1334 		mismatch = 1;
1335 		break;
1336 	}
1337 	if (mismatch) {
1338 		error("Protocol major versions differ: %d vs. %d",
1339 		    PROTOCOL_MAJOR_2, remote_major);
1340 		send_error(ssh, "Protocol major versions differ.");
1341 		r = SSH_ERR_NO_PROTOCOL_VERSION;
1342 		goto out;
1343 	}
1344 
1345 	if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
1346 		logit("probed from %s port %d with %s.  Don't panic.",
1347 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1348 		    peer_version_string);
1349 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1350 		goto out;
1351 	}
1352 	if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
1353 		logit("scanned from %s port %d with %s.  Don't panic.",
1354 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1355 		    peer_version_string);
1356 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1357 		goto out;
1358 	}
1359 	if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
1360 		logit("Remote version \"%.100s\" uses unsafe RSA signature "
1361 		    "scheme; disabling use of RSA keys", remote_version);
1362 	}
1363 	/* success */
1364 	r = 0;
1365  out:
1366 	free(our_version_string);
1367 	free(peer_version_string);
1368 	free(remote_version);
1369 	return r;
1370 }
1371 
1372