xref: /openssh-portable/kex.c (revision ac0364b8)
1 /* $OpenBSD: kex.c,v 1.161 2020/12/04 02:27:08 djm Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 #include <sys/types.h>
29 #include <errno.h>
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #ifdef HAVE_POLL_H
37 #include <poll.h>
38 #endif
39 
40 #ifdef WITH_OPENSSL
41 #include <openssl/crypto.h>
42 #include <openssl/dh.h>
43 #endif
44 
45 #include "ssh.h"
46 #include "ssh2.h"
47 #include "atomicio.h"
48 #include "version.h"
49 #include "packet.h"
50 #include "compat.h"
51 #include "cipher.h"
52 #include "sshkey.h"
53 #include "kex.h"
54 #include "log.h"
55 #include "mac.h"
56 #include "match.h"
57 #include "misc.h"
58 #include "dispatch.h"
59 #include "monitor.h"
60 
61 #include "ssherr.h"
62 #include "sshbuf.h"
63 #include "digest.h"
64 
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
68 
69 static const char *proposal_names[PROPOSAL_MAX] = {
70 	"KEX algorithms",
71 	"host key algorithms",
72 	"ciphers ctos",
73 	"ciphers stoc",
74 	"MACs ctos",
75 	"MACs stoc",
76 	"compression ctos",
77 	"compression stoc",
78 	"languages ctos",
79 	"languages stoc",
80 };
81 
82 struct kexalg {
83 	char *name;
84 	u_int type;
85 	int ec_nid;
86 	int hash_alg;
87 };
88 static const struct kexalg kexalgs[] = {
89 #ifdef WITH_OPENSSL
90 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
91 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
92 	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
93 	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
94 	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
95 	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
96 #ifdef HAVE_EVP_SHA256
97 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
98 #endif /* HAVE_EVP_SHA256 */
99 #ifdef OPENSSL_HAS_ECC
100 	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
101 	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
102 	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
103 	    SSH_DIGEST_SHA384 },
104 # ifdef OPENSSL_HAS_NISTP521
105 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
106 	    SSH_DIGEST_SHA512 },
107 # endif /* OPENSSL_HAS_NISTP521 */
108 #endif /* OPENSSL_HAS_ECC */
109 #endif /* WITH_OPENSSL */
110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
111 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
112 	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
113 	{ KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0,
114 	    SSH_DIGEST_SHA512 },
115 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
116 	{ NULL, 0, -1, -1},
117 };
118 
119 char *
120 kex_alg_list(char sep)
121 {
122 	char *ret = NULL, *tmp;
123 	size_t nlen, rlen = 0;
124 	const struct kexalg *k;
125 
126 	for (k = kexalgs; k->name != NULL; k++) {
127 		if (ret != NULL)
128 			ret[rlen++] = sep;
129 		nlen = strlen(k->name);
130 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
131 			free(ret);
132 			return NULL;
133 		}
134 		ret = tmp;
135 		memcpy(ret + rlen, k->name, nlen + 1);
136 		rlen += nlen;
137 	}
138 	return ret;
139 }
140 
141 static const struct kexalg *
142 kex_alg_by_name(const char *name)
143 {
144 	const struct kexalg *k;
145 
146 	for (k = kexalgs; k->name != NULL; k++) {
147 		if (strcmp(k->name, name) == 0)
148 			return k;
149 	}
150 	return NULL;
151 }
152 
153 /* Validate KEX method name list */
154 int
155 kex_names_valid(const char *names)
156 {
157 	char *s, *cp, *p;
158 
159 	if (names == NULL || strcmp(names, "") == 0)
160 		return 0;
161 	if ((s = cp = strdup(names)) == NULL)
162 		return 0;
163 	for ((p = strsep(&cp, ",")); p && *p != '\0';
164 	    (p = strsep(&cp, ","))) {
165 		if (kex_alg_by_name(p) == NULL) {
166 			error("Unsupported KEX algorithm \"%.100s\"", p);
167 			free(s);
168 			return 0;
169 		}
170 	}
171 	debug3("kex names ok: [%s]", names);
172 	free(s);
173 	return 1;
174 }
175 
176 /*
177  * Concatenate algorithm names, avoiding duplicates in the process.
178  * Caller must free returned string.
179  */
180 char *
181 kex_names_cat(const char *a, const char *b)
182 {
183 	char *ret = NULL, *tmp = NULL, *cp, *p, *m;
184 	size_t len;
185 
186 	if (a == NULL || *a == '\0')
187 		return strdup(b);
188 	if (b == NULL || *b == '\0')
189 		return strdup(a);
190 	if (strlen(b) > 1024*1024)
191 		return NULL;
192 	len = strlen(a) + strlen(b) + 2;
193 	if ((tmp = cp = strdup(b)) == NULL ||
194 	    (ret = calloc(1, len)) == NULL) {
195 		free(tmp);
196 		return NULL;
197 	}
198 	strlcpy(ret, a, len);
199 	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
200 		if ((m = match_list(ret, p, NULL)) != NULL) {
201 			free(m);
202 			continue; /* Algorithm already present */
203 		}
204 		if (strlcat(ret, ",", len) >= len ||
205 		    strlcat(ret, p, len) >= len) {
206 			free(tmp);
207 			free(ret);
208 			return NULL; /* Shouldn't happen */
209 		}
210 	}
211 	free(tmp);
212 	return ret;
213 }
214 
215 /*
216  * Assemble a list of algorithms from a default list and a string from a
217  * configuration file. The user-provided string may begin with '+' to
218  * indicate that it should be appended to the default, '-' that the
219  * specified names should be removed, or '^' that they should be placed
220  * at the head.
221  */
222 int
223 kex_assemble_names(char **listp, const char *def, const char *all)
224 {
225 	char *cp, *tmp, *patterns;
226 	char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
227 	int r = SSH_ERR_INTERNAL_ERROR;
228 
229 	if (listp == NULL || def == NULL || all == NULL)
230 		return SSH_ERR_INVALID_ARGUMENT;
231 
232 	if (*listp == NULL || **listp == '\0') {
233 		if ((*listp = strdup(def)) == NULL)
234 			return SSH_ERR_ALLOC_FAIL;
235 		return 0;
236 	}
237 
238 	list = *listp;
239 	*listp = NULL;
240 	if (*list == '+') {
241 		/* Append names to default list */
242 		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
243 			r = SSH_ERR_ALLOC_FAIL;
244 			goto fail;
245 		}
246 		free(list);
247 		list = tmp;
248 	} else if (*list == '-') {
249 		/* Remove names from default list */
250 		if ((*listp = match_filter_denylist(def, list + 1)) == NULL) {
251 			r = SSH_ERR_ALLOC_FAIL;
252 			goto fail;
253 		}
254 		free(list);
255 		/* filtering has already been done */
256 		return 0;
257 	} else if (*list == '^') {
258 		/* Place names at head of default list */
259 		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
260 			r = SSH_ERR_ALLOC_FAIL;
261 			goto fail;
262 		}
263 		free(list);
264 		list = tmp;
265 	} else {
266 		/* Explicit list, overrides default - just use "list" as is */
267 	}
268 
269 	/*
270 	 * The supplied names may be a pattern-list. For the -list case,
271 	 * the patterns are applied above. For the +list and explicit list
272 	 * cases we need to do it now.
273 	 */
274 	ret = NULL;
275 	if ((patterns = opatterns = strdup(list)) == NULL) {
276 		r = SSH_ERR_ALLOC_FAIL;
277 		goto fail;
278 	}
279 	/* Apply positive (i.e. non-negated) patterns from the list */
280 	while ((cp = strsep(&patterns, ",")) != NULL) {
281 		if (*cp == '!') {
282 			/* negated matches are not supported here */
283 			r = SSH_ERR_INVALID_ARGUMENT;
284 			goto fail;
285 		}
286 		free(matching);
287 		if ((matching = match_filter_allowlist(all, cp)) == NULL) {
288 			r = SSH_ERR_ALLOC_FAIL;
289 			goto fail;
290 		}
291 		if ((tmp = kex_names_cat(ret, matching)) == NULL) {
292 			r = SSH_ERR_ALLOC_FAIL;
293 			goto fail;
294 		}
295 		free(ret);
296 		ret = tmp;
297 	}
298 	if (ret == NULL || *ret == '\0') {
299 		/* An empty name-list is an error */
300 		/* XXX better error code? */
301 		r = SSH_ERR_INVALID_ARGUMENT;
302 		goto fail;
303 	}
304 
305 	/* success */
306 	*listp = ret;
307 	ret = NULL;
308 	r = 0;
309 
310  fail:
311 	free(matching);
312 	free(opatterns);
313 	free(list);
314 	free(ret);
315 	return r;
316 }
317 
318 /* put algorithm proposal into buffer */
319 int
320 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
321 {
322 	u_int i;
323 	int r;
324 
325 	sshbuf_reset(b);
326 
327 	/*
328 	 * add a dummy cookie, the cookie will be overwritten by
329 	 * kex_send_kexinit(), each time a kexinit is set
330 	 */
331 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
332 		if ((r = sshbuf_put_u8(b, 0)) != 0)
333 			return r;
334 	}
335 	for (i = 0; i < PROPOSAL_MAX; i++) {
336 		if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
337 			return r;
338 	}
339 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* first_kex_packet_follows */
340 	    (r = sshbuf_put_u32(b, 0)) != 0)	/* uint32 reserved */
341 		return r;
342 	return 0;
343 }
344 
345 /* parse buffer and return algorithm proposal */
346 int
347 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
348 {
349 	struct sshbuf *b = NULL;
350 	u_char v;
351 	u_int i;
352 	char **proposal = NULL;
353 	int r;
354 
355 	*propp = NULL;
356 	if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
357 		return SSH_ERR_ALLOC_FAIL;
358 	if ((b = sshbuf_fromb(raw)) == NULL) {
359 		r = SSH_ERR_ALLOC_FAIL;
360 		goto out;
361 	}
362 	if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */
363 		error_fr(r, "consume cookie");
364 		goto out;
365 	}
366 	/* extract kex init proposal strings */
367 	for (i = 0; i < PROPOSAL_MAX; i++) {
368 		if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) {
369 			error_fr(r, "parse proposal %u", i);
370 			goto out;
371 		}
372 		debug2("%s: %s", proposal_names[i], proposal[i]);
373 	}
374 	/* first kex follows / reserved */
375 	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
376 	    (r = sshbuf_get_u32(b, &i)) != 0) {	/* reserved */
377 		error_fr(r, "parse");
378 		goto out;
379 	}
380 	if (first_kex_follows != NULL)
381 		*first_kex_follows = v;
382 	debug2("first_kex_follows %d ", v);
383 	debug2("reserved %u ", i);
384 	r = 0;
385 	*propp = proposal;
386  out:
387 	if (r != 0 && proposal != NULL)
388 		kex_prop_free(proposal);
389 	sshbuf_free(b);
390 	return r;
391 }
392 
393 void
394 kex_prop_free(char **proposal)
395 {
396 	u_int i;
397 
398 	if (proposal == NULL)
399 		return;
400 	for (i = 0; i < PROPOSAL_MAX; i++)
401 		free(proposal[i]);
402 	free(proposal);
403 }
404 
405 /* ARGSUSED */
406 static int
407 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
408 {
409 	int r;
410 
411 	error("kex protocol error: type %d seq %u", type, seq);
412 	if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
413 	    (r = sshpkt_put_u32(ssh, seq)) != 0 ||
414 	    (r = sshpkt_send(ssh)) != 0)
415 		return r;
416 	return 0;
417 }
418 
419 static void
420 kex_reset_dispatch(struct ssh *ssh)
421 {
422 	ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
423 	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
424 }
425 
426 static int
427 kex_send_ext_info(struct ssh *ssh)
428 {
429 	int r;
430 	char *algs;
431 
432 	debug("Sending SSH2_MSG_EXT_INFO");
433 	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
434 		return SSH_ERR_ALLOC_FAIL;
435 	/* XXX filter algs list by allowed pubkey/hostbased types */
436 	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
437 	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
438 	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
439 	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
440 	    (r = sshpkt_send(ssh)) != 0) {
441 		error_fr(r, "compose");
442 		goto out;
443 	}
444 	/* success */
445 	r = 0;
446  out:
447 	free(algs);
448 	return r;
449 }
450 
451 int
452 kex_send_newkeys(struct ssh *ssh)
453 {
454 	int r;
455 
456 	kex_reset_dispatch(ssh);
457 	if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
458 	    (r = sshpkt_send(ssh)) != 0)
459 		return r;
460 	debug("SSH2_MSG_NEWKEYS sent");
461 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
462 	if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
463 		if ((r = kex_send_ext_info(ssh)) != 0)
464 			return r;
465 	debug("expecting SSH2_MSG_NEWKEYS");
466 	return 0;
467 }
468 
469 int
470 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
471 {
472 	struct kex *kex = ssh->kex;
473 	u_int32_t i, ninfo;
474 	char *name;
475 	u_char *val;
476 	size_t vlen;
477 	int r;
478 
479 	debug("SSH2_MSG_EXT_INFO received");
480 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
481 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
482 		return r;
483 	for (i = 0; i < ninfo; i++) {
484 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
485 			return r;
486 		if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
487 			free(name);
488 			return r;
489 		}
490 		if (strcmp(name, "server-sig-algs") == 0) {
491 			/* Ensure no \0 lurking in value */
492 			if (memchr(val, '\0', vlen) != NULL) {
493 				error_f("nul byte in %s", name);
494 				return SSH_ERR_INVALID_FORMAT;
495 			}
496 			debug_f("%s=<%s>", name, val);
497 			kex->server_sig_algs = val;
498 			val = NULL;
499 		} else
500 			debug_f("%s (unrecognised)", name);
501 		free(name);
502 		free(val);
503 	}
504 	return sshpkt_get_end(ssh);
505 }
506 
507 static int
508 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
509 {
510 	struct kex *kex = ssh->kex;
511 	int r;
512 
513 	debug("SSH2_MSG_NEWKEYS received");
514 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
515 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
516 	if ((r = sshpkt_get_end(ssh)) != 0)
517 		return r;
518 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
519 		return r;
520 	kex->done = 1;
521 	kex->flags &= ~KEX_INITIAL;
522 	sshbuf_reset(kex->peer);
523 	/* sshbuf_reset(kex->my); */
524 	kex->flags &= ~KEX_INIT_SENT;
525 	free(kex->name);
526 	kex->name = NULL;
527 	return 0;
528 }
529 
530 int
531 kex_send_kexinit(struct ssh *ssh)
532 {
533 	u_char *cookie;
534 	struct kex *kex = ssh->kex;
535 	int r;
536 
537 	if (kex == NULL) {
538 		error_f("no kex");
539 		return SSH_ERR_INTERNAL_ERROR;
540 	}
541 	if (kex->flags & KEX_INIT_SENT)
542 		return 0;
543 	kex->done = 0;
544 
545 	/* generate a random cookie */
546 	if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) {
547 		error_f("bad kex length: %zu < %d",
548 		    sshbuf_len(kex->my), KEX_COOKIE_LEN);
549 		return SSH_ERR_INVALID_FORMAT;
550 	}
551 	if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) {
552 		error_f("buffer error");
553 		return SSH_ERR_INTERNAL_ERROR;
554 	}
555 	arc4random_buf(cookie, KEX_COOKIE_LEN);
556 
557 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
558 	    (r = sshpkt_putb(ssh, kex->my)) != 0 ||
559 	    (r = sshpkt_send(ssh)) != 0) {
560 		error_fr(r, "compose reply");
561 		return r;
562 	}
563 	debug("SSH2_MSG_KEXINIT sent");
564 	kex->flags |= KEX_INIT_SENT;
565 	return 0;
566 }
567 
568 /* ARGSUSED */
569 int
570 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
571 {
572 	struct kex *kex = ssh->kex;
573 	const u_char *ptr;
574 	u_int i;
575 	size_t dlen;
576 	int r;
577 
578 	debug("SSH2_MSG_KEXINIT received");
579 	if (kex == NULL) {
580 		error_f("no kex");
581 		return SSH_ERR_INTERNAL_ERROR;
582 	}
583 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
584 	ptr = sshpkt_ptr(ssh, &dlen);
585 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
586 		return r;
587 
588 	/* discard packet */
589 	for (i = 0; i < KEX_COOKIE_LEN; i++) {
590 		if ((r = sshpkt_get_u8(ssh, NULL)) != 0) {
591 			error_fr(r, "discard cookie");
592 			return r;
593 		}
594 	}
595 	for (i = 0; i < PROPOSAL_MAX; i++) {
596 		if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
597 			error_fr(r, "discard proposal");
598 			return r;
599 		}
600 	}
601 	/*
602 	 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
603 	 * KEX method has the server move first, but a server might be using
604 	 * a custom method or one that we otherwise don't support. We should
605 	 * be prepared to remember first_kex_follows here so we can eat a
606 	 * packet later.
607 	 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
608 	 * for cases where the server *doesn't* go first. I guess we should
609 	 * ignore it when it is set for these cases, which is what we do now.
610 	 */
611 	if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||	/* first_kex_follows */
612 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* reserved */
613 	    (r = sshpkt_get_end(ssh)) != 0)
614 			return r;
615 
616 	if (!(kex->flags & KEX_INIT_SENT))
617 		if ((r = kex_send_kexinit(ssh)) != 0)
618 			return r;
619 	if ((r = kex_choose_conf(ssh)) != 0)
620 		return r;
621 
622 	if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
623 		return (kex->kex[kex->kex_type])(ssh);
624 
625 	error_f("unknown kex type %u", kex->kex_type);
626 	return SSH_ERR_INTERNAL_ERROR;
627 }
628 
629 struct kex *
630 kex_new(void)
631 {
632 	struct kex *kex;
633 
634 	if ((kex = calloc(1, sizeof(*kex))) == NULL ||
635 	    (kex->peer = sshbuf_new()) == NULL ||
636 	    (kex->my = sshbuf_new()) == NULL ||
637 	    (kex->client_version = sshbuf_new()) == NULL ||
638 	    (kex->server_version = sshbuf_new()) == NULL) {
639 		kex_free(kex);
640 		return NULL;
641 	}
642 	return kex;
643 }
644 
645 void
646 kex_free_newkeys(struct newkeys *newkeys)
647 {
648 	if (newkeys == NULL)
649 		return;
650 	if (newkeys->enc.key) {
651 		explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
652 		free(newkeys->enc.key);
653 		newkeys->enc.key = NULL;
654 	}
655 	if (newkeys->enc.iv) {
656 		explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
657 		free(newkeys->enc.iv);
658 		newkeys->enc.iv = NULL;
659 	}
660 	free(newkeys->enc.name);
661 	explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
662 	free(newkeys->comp.name);
663 	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
664 	mac_clear(&newkeys->mac);
665 	if (newkeys->mac.key) {
666 		explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
667 		free(newkeys->mac.key);
668 		newkeys->mac.key = NULL;
669 	}
670 	free(newkeys->mac.name);
671 	explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
672 	freezero(newkeys, sizeof(*newkeys));
673 }
674 
675 void
676 kex_free(struct kex *kex)
677 {
678 	u_int mode;
679 
680 	if (kex == NULL)
681 		return;
682 
683 #ifdef WITH_OPENSSL
684 	DH_free(kex->dh);
685 #ifdef OPENSSL_HAS_ECC
686 	EC_KEY_free(kex->ec_client_key);
687 #endif /* OPENSSL_HAS_ECC */
688 #endif /* WITH_OPENSSL */
689 	for (mode = 0; mode < MODE_MAX; mode++) {
690 		kex_free_newkeys(kex->newkeys[mode]);
691 		kex->newkeys[mode] = NULL;
692 	}
693 	sshbuf_free(kex->peer);
694 	sshbuf_free(kex->my);
695 	sshbuf_free(kex->client_version);
696 	sshbuf_free(kex->server_version);
697 	sshbuf_free(kex->client_pub);
698 	free(kex->session_id);
699 	free(kex->failed_choice);
700 	free(kex->hostkey_alg);
701 	free(kex->name);
702 	free(kex);
703 }
704 
705 int
706 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
707 {
708 	int r;
709 
710 	if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
711 		return r;
712 	ssh->kex->flags = KEX_INITIAL;
713 	kex_reset_dispatch(ssh);
714 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
715 	return 0;
716 }
717 
718 int
719 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
720 {
721 	int r;
722 
723 	if ((r = kex_ready(ssh, proposal)) != 0)
724 		return r;
725 	if ((r = kex_send_kexinit(ssh)) != 0) {		/* we start */
726 		kex_free(ssh->kex);
727 		ssh->kex = NULL;
728 		return r;
729 	}
730 	return 0;
731 }
732 
733 /*
734  * Request key re-exchange, returns 0 on success or a ssherr.h error
735  * code otherwise. Must not be called if KEX is incomplete or in-progress.
736  */
737 int
738 kex_start_rekex(struct ssh *ssh)
739 {
740 	if (ssh->kex == NULL) {
741 		error_f("no kex");
742 		return SSH_ERR_INTERNAL_ERROR;
743 	}
744 	if (ssh->kex->done == 0) {
745 		error_f("requested twice");
746 		return SSH_ERR_INTERNAL_ERROR;
747 	}
748 	ssh->kex->done = 0;
749 	return kex_send_kexinit(ssh);
750 }
751 
752 static int
753 choose_enc(struct sshenc *enc, char *client, char *server)
754 {
755 	char *name = match_list(client, server, NULL);
756 
757 	if (name == NULL)
758 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
759 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
760 		error_f("unsupported cipher %s", name);
761 		free(name);
762 		return SSH_ERR_INTERNAL_ERROR;
763 	}
764 	enc->name = name;
765 	enc->enabled = 0;
766 	enc->iv = NULL;
767 	enc->iv_len = cipher_ivlen(enc->cipher);
768 	enc->key = NULL;
769 	enc->key_len = cipher_keylen(enc->cipher);
770 	enc->block_size = cipher_blocksize(enc->cipher);
771 	return 0;
772 }
773 
774 static int
775 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
776 {
777 	char *name = match_list(client, server, NULL);
778 
779 	if (name == NULL)
780 		return SSH_ERR_NO_MAC_ALG_MATCH;
781 	if (mac_setup(mac, name) < 0) {
782 		error_f("unsupported MAC %s", name);
783 		free(name);
784 		return SSH_ERR_INTERNAL_ERROR;
785 	}
786 	mac->name = name;
787 	mac->key = NULL;
788 	mac->enabled = 0;
789 	return 0;
790 }
791 
792 static int
793 choose_comp(struct sshcomp *comp, char *client, char *server)
794 {
795 	char *name = match_list(client, server, NULL);
796 
797 	if (name == NULL)
798 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
799 #ifdef WITH_ZLIB
800 	if (strcmp(name, "zlib@openssh.com") == 0) {
801 		comp->type = COMP_DELAYED;
802 	} else if (strcmp(name, "zlib") == 0) {
803 		comp->type = COMP_ZLIB;
804 	} else
805 #endif	/* WITH_ZLIB */
806 	if (strcmp(name, "none") == 0) {
807 		comp->type = COMP_NONE;
808 	} else {
809 		error_f("unsupported compression scheme %s", name);
810 		free(name);
811 		return SSH_ERR_INTERNAL_ERROR;
812 	}
813 	comp->name = name;
814 	return 0;
815 }
816 
817 static int
818 choose_kex(struct kex *k, char *client, char *server)
819 {
820 	const struct kexalg *kexalg;
821 
822 	k->name = match_list(client, server, NULL);
823 
824 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
825 	if (k->name == NULL)
826 		return SSH_ERR_NO_KEX_ALG_MATCH;
827 	if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
828 		error_f("unsupported KEX method %s", k->name);
829 		return SSH_ERR_INTERNAL_ERROR;
830 	}
831 	k->kex_type = kexalg->type;
832 	k->hash_alg = kexalg->hash_alg;
833 	k->ec_nid = kexalg->ec_nid;
834 	return 0;
835 }
836 
837 static int
838 choose_hostkeyalg(struct kex *k, char *client, char *server)
839 {
840 	k->hostkey_alg = match_list(client, server, NULL);
841 
842 	debug("kex: host key algorithm: %s",
843 	    k->hostkey_alg ? k->hostkey_alg : "(no match)");
844 	if (k->hostkey_alg == NULL)
845 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
846 	k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
847 	if (k->hostkey_type == KEY_UNSPEC) {
848 		error_f("unsupported hostkey algorithm %s", k->hostkey_alg);
849 		return SSH_ERR_INTERNAL_ERROR;
850 	}
851 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
852 	return 0;
853 }
854 
855 static int
856 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
857 {
858 	static int check[] = {
859 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
860 	};
861 	int *idx;
862 	char *p;
863 
864 	for (idx = &check[0]; *idx != -1; idx++) {
865 		if ((p = strchr(my[*idx], ',')) != NULL)
866 			*p = '\0';
867 		if ((p = strchr(peer[*idx], ',')) != NULL)
868 			*p = '\0';
869 		if (strcmp(my[*idx], peer[*idx]) != 0) {
870 			debug2("proposal mismatch: my %s peer %s",
871 			    my[*idx], peer[*idx]);
872 			return (0);
873 		}
874 	}
875 	debug2("proposals match");
876 	return (1);
877 }
878 
879 static int
880 kex_choose_conf(struct ssh *ssh)
881 {
882 	struct kex *kex = ssh->kex;
883 	struct newkeys *newkeys;
884 	char **my = NULL, **peer = NULL;
885 	char **cprop, **sprop;
886 	int nenc, nmac, ncomp;
887 	u_int mode, ctos, need, dh_need, authlen;
888 	int r, first_kex_follows;
889 
890 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
891 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
892 		goto out;
893 	debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
894 	if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
895 		goto out;
896 
897 	if (kex->server) {
898 		cprop=peer;
899 		sprop=my;
900 	} else {
901 		cprop=my;
902 		sprop=peer;
903 	}
904 
905 	/* Check whether client supports ext_info_c */
906 	if (kex->server && (kex->flags & KEX_INITIAL)) {
907 		char *ext;
908 
909 		ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
910 		kex->ext_info_c = (ext != NULL);
911 		free(ext);
912 	}
913 
914 	/* Algorithm Negotiation */
915 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
916 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
917 		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
918 		peer[PROPOSAL_KEX_ALGS] = NULL;
919 		goto out;
920 	}
921 	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
922 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
923 		kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
924 		peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
925 		goto out;
926 	}
927 	for (mode = 0; mode < MODE_MAX; mode++) {
928 		if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
929 			r = SSH_ERR_ALLOC_FAIL;
930 			goto out;
931 		}
932 		kex->newkeys[mode] = newkeys;
933 		ctos = (!kex->server && mode == MODE_OUT) ||
934 		    (kex->server && mode == MODE_IN);
935 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
936 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
937 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
938 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
939 		    sprop[nenc])) != 0) {
940 			kex->failed_choice = peer[nenc];
941 			peer[nenc] = NULL;
942 			goto out;
943 		}
944 		authlen = cipher_authlen(newkeys->enc.cipher);
945 		/* ignore mac for authenticated encryption */
946 		if (authlen == 0 &&
947 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
948 		    sprop[nmac])) != 0) {
949 			kex->failed_choice = peer[nmac];
950 			peer[nmac] = NULL;
951 			goto out;
952 		}
953 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
954 		    sprop[ncomp])) != 0) {
955 			kex->failed_choice = peer[ncomp];
956 			peer[ncomp] = NULL;
957 			goto out;
958 		}
959 		debug("kex: %s cipher: %s MAC: %s compression: %s",
960 		    ctos ? "client->server" : "server->client",
961 		    newkeys->enc.name,
962 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
963 		    newkeys->comp.name);
964 	}
965 	need = dh_need = 0;
966 	for (mode = 0; mode < MODE_MAX; mode++) {
967 		newkeys = kex->newkeys[mode];
968 		need = MAXIMUM(need, newkeys->enc.key_len);
969 		need = MAXIMUM(need, newkeys->enc.block_size);
970 		need = MAXIMUM(need, newkeys->enc.iv_len);
971 		need = MAXIMUM(need, newkeys->mac.key_len);
972 		dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
973 		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
974 		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
975 		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
976 	}
977 	/* XXX need runden? */
978 	kex->we_need = need;
979 	kex->dh_need = dh_need;
980 
981 	/* ignore the next message if the proposals do not match */
982 	if (first_kex_follows && !proposals_match(my, peer))
983 		ssh->dispatch_skip_packets = 1;
984 	r = 0;
985  out:
986 	kex_prop_free(my);
987 	kex_prop_free(peer);
988 	return r;
989 }
990 
991 static int
992 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
993     const struct sshbuf *shared_secret, u_char **keyp)
994 {
995 	struct kex *kex = ssh->kex;
996 	struct ssh_digest_ctx *hashctx = NULL;
997 	char c = id;
998 	u_int have;
999 	size_t mdsz;
1000 	u_char *digest;
1001 	int r;
1002 
1003 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
1004 		return SSH_ERR_INVALID_ARGUMENT;
1005 	if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
1006 		r = SSH_ERR_ALLOC_FAIL;
1007 		goto out;
1008 	}
1009 
1010 	/* K1 = HASH(K || H || "A" || session_id) */
1011 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1012 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1013 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1014 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
1015 	    ssh_digest_update(hashctx, kex->session_id,
1016 	    kex->session_id_len) != 0 ||
1017 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
1018 		r = SSH_ERR_LIBCRYPTO_ERROR;
1019 		error_f("KEX hash failed");
1020 		goto out;
1021 	}
1022 	ssh_digest_free(hashctx);
1023 	hashctx = NULL;
1024 
1025 	/*
1026 	 * expand key:
1027 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
1028 	 * Key = K1 || K2 || ... || Kn
1029 	 */
1030 	for (have = mdsz; need > have; have += mdsz) {
1031 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1032 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1033 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1034 		    ssh_digest_update(hashctx, digest, have) != 0 ||
1035 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
1036 			error_f("KDF failed");
1037 			r = SSH_ERR_LIBCRYPTO_ERROR;
1038 			goto out;
1039 		}
1040 		ssh_digest_free(hashctx);
1041 		hashctx = NULL;
1042 	}
1043 #ifdef DEBUG_KEX
1044 	fprintf(stderr, "key '%c'== ", c);
1045 	dump_digest("key", digest, need);
1046 #endif
1047 	*keyp = digest;
1048 	digest = NULL;
1049 	r = 0;
1050  out:
1051 	free(digest);
1052 	ssh_digest_free(hashctx);
1053 	return r;
1054 }
1055 
1056 #define NKEYS	6
1057 int
1058 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
1059     const struct sshbuf *shared_secret)
1060 {
1061 	struct kex *kex = ssh->kex;
1062 	u_char *keys[NKEYS];
1063 	u_int i, j, mode, ctos;
1064 	int r;
1065 
1066 	/* save initial hash as session id */
1067 	if (kex->session_id == NULL) {
1068 		kex->session_id_len = hashlen;
1069 		kex->session_id = malloc(kex->session_id_len);
1070 		if (kex->session_id == NULL)
1071 			return SSH_ERR_ALLOC_FAIL;
1072 		memcpy(kex->session_id, hash, kex->session_id_len);
1073 	}
1074 	for (i = 0; i < NKEYS; i++) {
1075 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1076 		    shared_secret, &keys[i])) != 0) {
1077 			for (j = 0; j < i; j++)
1078 				free(keys[j]);
1079 			return r;
1080 		}
1081 	}
1082 	for (mode = 0; mode < MODE_MAX; mode++) {
1083 		ctos = (!kex->server && mode == MODE_OUT) ||
1084 		    (kex->server && mode == MODE_IN);
1085 		kex->newkeys[mode]->enc.iv  = keys[ctos ? 0 : 1];
1086 		kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1087 		kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1088 	}
1089 	return 0;
1090 }
1091 
1092 int
1093 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
1094 {
1095 	struct kex *kex = ssh->kex;
1096 
1097 	*pubp = NULL;
1098 	*prvp = NULL;
1099 	if (kex->load_host_public_key == NULL ||
1100 	    kex->load_host_private_key == NULL) {
1101 		error_f("missing hostkey loader");
1102 		return SSH_ERR_INVALID_ARGUMENT;
1103 	}
1104 	*pubp = kex->load_host_public_key(kex->hostkey_type,
1105 	    kex->hostkey_nid, ssh);
1106 	*prvp = kex->load_host_private_key(kex->hostkey_type,
1107 	    kex->hostkey_nid, ssh);
1108 	if (*pubp == NULL)
1109 		return SSH_ERR_NO_HOSTKEY_LOADED;
1110 	return 0;
1111 }
1112 
1113 int
1114 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
1115 {
1116 	struct kex *kex = ssh->kex;
1117 
1118 	if (kex->verify_host_key == NULL) {
1119 		error_f("missing hostkey verifier");
1120 		return SSH_ERR_INVALID_ARGUMENT;
1121 	}
1122 	if (server_host_key->type != kex->hostkey_type ||
1123 	    (kex->hostkey_type == KEY_ECDSA &&
1124 	    server_host_key->ecdsa_nid != kex->hostkey_nid))
1125 		return SSH_ERR_KEY_TYPE_MISMATCH;
1126 	if (kex->verify_host_key(server_host_key, ssh) == -1)
1127 		return  SSH_ERR_SIGNATURE_INVALID;
1128 	return 0;
1129 }
1130 
1131 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1132 void
1133 dump_digest(const char *msg, const u_char *digest, int len)
1134 {
1135 	fprintf(stderr, "%s\n", msg);
1136 	sshbuf_dump_data(digest, len, stderr);
1137 }
1138 #endif
1139 
1140 /*
1141  * Send a plaintext error message to the peer, suffixed by \r\n.
1142  * Only used during banner exchange, and there only for the server.
1143  */
1144 static void
1145 send_error(struct ssh *ssh, char *msg)
1146 {
1147 	char *crnl = "\r\n";
1148 
1149 	if (!ssh->kex->server)
1150 		return;
1151 
1152 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1153 	    msg, strlen(msg)) != strlen(msg) ||
1154 	    atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1155 	    crnl, strlen(crnl)) != strlen(crnl))
1156 		error_f("write: %.100s", strerror(errno));
1157 }
1158 
1159 /*
1160  * Sends our identification string and waits for the peer's. Will block for
1161  * up to timeout_ms (or indefinitely if timeout_ms <= 0).
1162  * Returns on 0 success or a ssherr.h code on failure.
1163  */
1164 int
1165 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
1166     const char *version_addendum)
1167 {
1168 	int remote_major, remote_minor, mismatch, oerrno = 0;
1169 	size_t len, i, n;
1170 	int r, expect_nl;
1171 	u_char c;
1172 	struct sshbuf *our_version = ssh->kex->server ?
1173 	    ssh->kex->server_version : ssh->kex->client_version;
1174 	struct sshbuf *peer_version = ssh->kex->server ?
1175 	    ssh->kex->client_version : ssh->kex->server_version;
1176 	char *our_version_string = NULL, *peer_version_string = NULL;
1177 	char *cp, *remote_version = NULL;
1178 
1179 	/* Prepare and send our banner */
1180 	sshbuf_reset(our_version);
1181 	if (version_addendum != NULL && *version_addendum == '\0')
1182 		version_addendum = NULL;
1183 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
1184 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
1185 	    version_addendum == NULL ? "" : " ",
1186 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
1187 		oerrno = errno;
1188 		error_fr(r, "sshbuf_putf");
1189 		goto out;
1190 	}
1191 
1192 	if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1193 	    sshbuf_mutable_ptr(our_version),
1194 	    sshbuf_len(our_version)) != sshbuf_len(our_version)) {
1195 		oerrno = errno;
1196 		debug_f("write: %.100s", strerror(errno));
1197 		r = SSH_ERR_SYSTEM_ERROR;
1198 		goto out;
1199 	}
1200 	if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
1201 		oerrno = errno;
1202 		error_fr(r, "sshbuf_consume_end");
1203 		goto out;
1204 	}
1205 	our_version_string = sshbuf_dup_string(our_version);
1206 	if (our_version_string == NULL) {
1207 		error_f("sshbuf_dup_string failed");
1208 		r = SSH_ERR_ALLOC_FAIL;
1209 		goto out;
1210 	}
1211 	debug("Local version string %.100s", our_version_string);
1212 
1213 	/* Read other side's version identification. */
1214 	for (n = 0; ; n++) {
1215 		if (n >= SSH_MAX_PRE_BANNER_LINES) {
1216 			send_error(ssh, "No SSH identification string "
1217 			    "received.");
1218 			error_f("No SSH version received in first %u lines "
1219 			    "from server", SSH_MAX_PRE_BANNER_LINES);
1220 			r = SSH_ERR_INVALID_FORMAT;
1221 			goto out;
1222 		}
1223 		sshbuf_reset(peer_version);
1224 		expect_nl = 0;
1225 		for (i = 0; ; i++) {
1226 			if (timeout_ms > 0) {
1227 				r = waitrfd(ssh_packet_get_connection_in(ssh),
1228 				    &timeout_ms);
1229 				if (r == -1 && errno == ETIMEDOUT) {
1230 					send_error(ssh, "Timed out waiting "
1231 					    "for SSH identification string.");
1232 					error("Connection timed out during "
1233 					    "banner exchange");
1234 					r = SSH_ERR_CONN_TIMEOUT;
1235 					goto out;
1236 				} else if (r == -1) {
1237 					oerrno = errno;
1238 					error_f("%s", strerror(errno));
1239 					r = SSH_ERR_SYSTEM_ERROR;
1240 					goto out;
1241 				}
1242 			}
1243 
1244 			len = atomicio(read, ssh_packet_get_connection_in(ssh),
1245 			    &c, 1);
1246 			if (len != 1 && errno == EPIPE) {
1247 				error_f("Connection closed by remote host");
1248 				r = SSH_ERR_CONN_CLOSED;
1249 				goto out;
1250 			} else if (len != 1) {
1251 				oerrno = errno;
1252 				error_f("read: %.100s", strerror(errno));
1253 				r = SSH_ERR_SYSTEM_ERROR;
1254 				goto out;
1255 			}
1256 			if (c == '\r') {
1257 				expect_nl = 1;
1258 				continue;
1259 			}
1260 			if (c == '\n')
1261 				break;
1262 			if (c == '\0' || expect_nl) {
1263 				error_f("banner line contains invalid "
1264 				    "characters");
1265 				goto invalid;
1266 			}
1267 			if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
1268 				oerrno = errno;
1269 				error_fr(r, "sshbuf_put");
1270 				goto out;
1271 			}
1272 			if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
1273 				error_f("banner line too long");
1274 				goto invalid;
1275 			}
1276 		}
1277 		/* Is this an actual protocol banner? */
1278 		if (sshbuf_len(peer_version) > 4 &&
1279 		    memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
1280 			break;
1281 		/* If not, then just log the line and continue */
1282 		if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
1283 			error_f("sshbuf_dup_string failed");
1284 			r = SSH_ERR_ALLOC_FAIL;
1285 			goto out;
1286 		}
1287 		/* Do not accept lines before the SSH ident from a client */
1288 		if (ssh->kex->server) {
1289 			error_f("client sent invalid protocol identifier "
1290 			    "\"%.256s\"", cp);
1291 			free(cp);
1292 			goto invalid;
1293 		}
1294 		debug_f("banner line %zu: %s", n, cp);
1295 		free(cp);
1296 	}
1297 	peer_version_string = sshbuf_dup_string(peer_version);
1298 	if (peer_version_string == NULL)
1299 		error_f("sshbuf_dup_string failed");
1300 	/* XXX must be same size for sscanf */
1301 	if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
1302 		error_f("calloc failed");
1303 		r = SSH_ERR_ALLOC_FAIL;
1304 		goto out;
1305 	}
1306 
1307 	/*
1308 	 * Check that the versions match.  In future this might accept
1309 	 * several versions and set appropriate flags to handle them.
1310 	 */
1311 	if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
1312 	    &remote_major, &remote_minor, remote_version) != 3) {
1313 		error("Bad remote protocol version identification: '%.100s'",
1314 		    peer_version_string);
1315  invalid:
1316 		send_error(ssh, "Invalid SSH identification string.");
1317 		r = SSH_ERR_INVALID_FORMAT;
1318 		goto out;
1319 	}
1320 	debug("Remote protocol version %d.%d, remote software version %.100s",
1321 	    remote_major, remote_minor, remote_version);
1322 	ssh->compat = compat_datafellows(remote_version);
1323 
1324 	mismatch = 0;
1325 	switch (remote_major) {
1326 	case 2:
1327 		break;
1328 	case 1:
1329 		if (remote_minor != 99)
1330 			mismatch = 1;
1331 		break;
1332 	default:
1333 		mismatch = 1;
1334 		break;
1335 	}
1336 	if (mismatch) {
1337 		error("Protocol major versions differ: %d vs. %d",
1338 		    PROTOCOL_MAJOR_2, remote_major);
1339 		send_error(ssh, "Protocol major versions differ.");
1340 		r = SSH_ERR_NO_PROTOCOL_VERSION;
1341 		goto out;
1342 	}
1343 
1344 	if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
1345 		logit("probed from %s port %d with %s.  Don't panic.",
1346 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1347 		    peer_version_string);
1348 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1349 		goto out;
1350 	}
1351 	if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
1352 		logit("scanned from %s port %d with %s.  Don't panic.",
1353 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1354 		    peer_version_string);
1355 		r = SSH_ERR_CONN_CLOSED; /* XXX */
1356 		goto out;
1357 	}
1358 	if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
1359 		logit("Remote version \"%.100s\" uses unsafe RSA signature "
1360 		    "scheme; disabling use of RSA keys", remote_version);
1361 	}
1362 	/* success */
1363 	r = 0;
1364  out:
1365 	free(our_version_string);
1366 	free(peer_version_string);
1367 	free(remote_version);
1368 	if (r == SSH_ERR_SYSTEM_ERROR)
1369 		errno = oerrno;
1370 	return r;
1371 }
1372 
1373