- OpenBSD CVS update:

- [packet.h packet.c] ssh2 packet format - [packet.h packet.c nchan2.ms nchan.h compat.h compat.c] [channels.h channels.c] channel layer support for ssh2 - [kex.h kex.c hmac.h hmac.c dsa.c dsa.h] DSA, keyexchange, algorithm agreement for ssh2
author: Damien Miller <djm@mindrot.org> 2000-04-04 14:38:59 +1000
committer: Damien Miller <djm@mindrot.org> 2000-04-04 14:38:59 +1000
commit: 33b13568b520b25990261206e10c941a9270238f (patch)
tree: be9d549ee0c9c7774e3ec1da8d807b2e04b00bec /kex.c
parent: 193ba88dd6e9d6bcd5f476c7f5ddde8fd0b752bf (diff)
1 files changed, 407 insertions, 0 deletions
diff --git a/kex.c b/kex.c
new file mode 100644
index 000000000..e730536ac
--- /dev/null
+++ b/kex.c
@@ -0,0 +1,407 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$Id: kex.c,v 1.1 2000/04/04 04:39:02 damien Exp $");
+#include "ssh.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "cipher.h"
+#include "compat.h"
+#if HAVE_OPENSSL
+# include <openssl/bn.h>
+# include <openssl/dh.h>
+# include <openssl/crypto.h>
+# include <openssl/bio.h>
+# include <openssl/bn.h>
+# include <openssl/dh.h>
+# include <openssl/pem.h>
+#endif /* HAVE_OPENSSL */
+#if HAVE_SSL
+# include <ssl/bn.h>
+# include <ssl/dh.h>
+# include <ssl/crypto.h>
+# include <ssl/bio.h>
+# include <ssl/bn.h>
+# include <ssl/dh.h>
+# include <ssl/pem.h>
+#endif /* HAVE_SSL */
+#include "entropy.h"
+#include "kex.h"
+Buffer *
+kex_init(char *myproposal[PROPOSAL_MAX])
+{
+        char c = 0;
+        unsigned char cookie[16];
+        u_int32_t rand = 0;
+        int i;
+        Buffer *ki = xmalloc(sizeof(*ki));
+        for (i = 0; i < 16; i++) {
+                if (i % 4 == 0)
+                        rand = arc4random();
+                cookie[i] = rand & 0xff;
+                rand >>= 8;
+        }
+        buffer_init(ki);
+        buffer_append(ki, (char *)cookie, sizeof cookie);
+        for (i = 0; i < PROPOSAL_MAX; i++)
+                buffer_put_cstring(ki, myproposal[i]);
+        buffer_append(ki, &c, 1); /* boolean   first_kex_packet_follows */
+        buffer_put_int(ki, 0);    /* uint32    0 (reserved for future extension) */
+        return ki;
+}
+/* diffie-hellman-group1-sha1 */
+DH *
+new_dh_group1()
+{
+        static char *group1 =
+            "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
+            "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
+            "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
+            "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
+            "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
+            "FFFFFFFF" "FFFFFFFF";
+        DH *dh;
+        int ret;
+        dh = DH_new();
+        if(dh == NULL)
+                fatal("DH_new");
+        ret = BN_hex2bn(&dh->p,group1);
+        if(ret<0)
+                fatal("BN_hex2bn");
+        dh->g = BN_new();
+        if(dh->g == NULL)
+                fatal("DH_new g");
+        BN_set_word(dh->g,2);
+        seed_rng();
+        if (DH_generate_key(dh) == 0)
+                fatal("DH_generate_key");
+        seed_rng();
+        return dh;
+}
+void
+bignum_print(BIGNUM *b)
+{
+        BN_print_fp(stderr,b);
+}
+void
+dump_digest(unsigned char *digest, int len)
+{
+        int i;
+        for (i = 0; i< len; i++){
+                fprintf(stderr, "%02x", digest[i]);
+                if(i%2!=0)
+                        fprintf(stderr, " ");
+        }
+        fprintf(stderr, "\n");
+}
+unsigned char *
+kex_hash(
+    char *client_version_string,
+    char *server_version_string,
+    char *ckexinit, int ckexinitlen,
+    char *skexinit, int skexinitlen,
+    char *serverhostkeyblob, int sbloblen,
+    BIGNUM *client_dh_pub,
+    BIGNUM *server_dh_pub,
+    BIGNUM *shared_secret)
+{
+        Buffer b;
+        static unsigned char digest[EVP_MAX_MD_SIZE];
+        EVP_MD *evp_md = EVP_sha1();
+        EVP_MD_CTX md;
+        buffer_init(&b);
+        buffer_put_string(&b, client_version_string, strlen(client_version_string));
+        buffer_put_string(&b, server_version_string, strlen(server_version_string));
+        /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
+        buffer_put_int(&b, ckexinitlen+1);
+        buffer_put_char(&b, SSH2_MSG_KEXINIT);
+        buffer_append(&b, ckexinit, ckexinitlen);
+        buffer_put_int(&b, skexinitlen+1);
+        buffer_put_char(&b, SSH2_MSG_KEXINIT);
+        buffer_append(&b, skexinit, skexinitlen);
+        buffer_put_string(&b, serverhostkeyblob, sbloblen);
+        buffer_put_bignum2(&b, client_dh_pub);
+        buffer_put_bignum2(&b, server_dh_pub);
+        buffer_put_bignum2(&b, shared_secret);
+        
+#ifdef DEBUG_KEX
+        buffer_dump(&b);
+#endif
+        EVP_DigestInit(&md, evp_md);
+        EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
+        EVP_DigestFinal(&md, digest, NULL);
+        buffer_free(&b);
+#ifdef DEBUG_KEX
+        dump_digest(digest, evp_md->md_size);
+#endif
+        return digest;
+}
+unsigned char *
+derive_key(int id, int need, char unsigned *hash, BIGNUM *shared_secret)
+{
+        Buffer b;
+        EVP_MD *evp_md = EVP_sha1();
+        EVP_MD_CTX md;
+        char c = id;
+        int have;
+        int mdsz = evp_md->md_size;
+        unsigned char *digest = xmalloc(((need+mdsz-1)/mdsz)*mdsz);
+        buffer_init(&b);
+        buffer_put_bignum2(&b, shared_secret);
+        EVP_DigestInit(&md, evp_md);
+        EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));  /* shared_secret K */
+        EVP_DigestUpdate(&md, hash, mdsz);              /* transport-06 */
+        EVP_DigestUpdate(&md, &c, 1);                   /* key id */
+        EVP_DigestUpdate(&md, hash, mdsz);              /* session id */
+        EVP_DigestFinal(&md, digest, NULL);
+        /* expand */
+        for (have = mdsz; need > have; have += mdsz) {
+                EVP_DigestInit(&md, evp_md);
+                EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
+                EVP_DigestUpdate(&md, hash, mdsz);
+                EVP_DigestUpdate(&md, digest, have);
+                EVP_DigestFinal(&md, digest + have, NULL);
+        }
+        buffer_free(&b);
+#ifdef DEBUG_KEX
+        fprintf(stderr, "Digest '%c'== ", c);
+        dump_digest(digest, need);
+#endif
+        return digest;
+}
+#define NKEYS   6
+#define MAX_PROP        20
+#define SEP     ","
+char *
+get_match(char *client, char *server)
+{
+        char *sproposals[MAX_PROP];
+        char *p;
+        int i, j, nproposals;
+        for ((p = strtok(server, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) {
+                if (i < MAX_PROP)
+                        sproposals[i] = p;
+                else
+                        break;
+        }
+        nproposals = i;
+        for ((p = strtok(client, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) {
+                for (j = 0; j < nproposals; j++)
+                        if (strcmp(p, sproposals[j]) == 0)
+                                return xstrdup(p);
+        }
+        return NULL;
+}
+void
+choose_enc(Enc *enc, char *client, char *server)
+{
+        char *name = get_match(client, server);
+        if (name == NULL)
+                fatal("no matching cipher found: client %s server %s", client, server);
+        enc->type = cipher_number(name);
+        switch (enc->type) {
+        case SSH_CIPHER_3DES_CBC:
+                enc->key_len = 24;
+                enc->iv_len = 8;
+                enc->block_size = 8;
+                break;
+        case SSH_CIPHER_BLOWFISH_CBC:
+        case SSH_CIPHER_CAST128_CBC:
+                enc->key_len = 16;
+                enc->iv_len = 8;
+                enc->block_size = 8;
+                break;
+        case SSH_CIPHER_ARCFOUR:
+                enc->key_len = 16;
+                enc->iv_len = 0;
+                enc->block_size = 8;
+                break;
+        default:
+                fatal("unsupported cipher %s", name);
+        }
+        enc->name = name;
+        enc->enabled = 0;
+        enc->iv = NULL;
+        enc->key = NULL;
+}
+void
+choose_mac(Mac *mac, char *client, char *server)
+{
+        char *name = get_match(client, server);
+        if (name == NULL)
+                fatal("no matching mac found: client %s server %s", client, server);
+        if (strcmp(name, "hmac-md5") == 0) {
+                mac->md = EVP_md5();
+        } else if (strcmp(name, "hmac-sha1") == 0) {
+                mac->md = EVP_sha1();
+        } else if (strcmp(name, "hmac-ripemd160@openssh.com") == 0) {
+                mac->md = EVP_ripemd160();
+        } else {
+                fatal("unsupported mac %s", name);
+        }
+        mac->name = name;
+        mac->mac_len = mac->md->md_size;
+        mac->key_len = datafellows ? 16 : mac->mac_len;
+        mac->key = NULL;
+        mac->enabled = 0;
+}
+void
+choose_comp(Comp *comp, char *client, char *server)
+{
+        char *name = get_match(client, server);
+        if (name == NULL)
+                fatal("no matching comp found: client %s server %s", client, server);
+        if (strcmp(name, "zlib") == 0) {
+                comp->type = 1;
+        } else if (strcmp(name, "none") == 0) {
+                comp->type = 0;
+        } else {
+                fatal("unsupported comp %s", name);
+        }
+        comp->name = name;
+}
+void
+choose_kex(Kex *k, char *client, char *server)
+{
+        k->name = get_match(client, server);
+        if (k->name == NULL)
+                fatal("no kex alg");
+        if (strcmp(k->name, KEX_DH1) != 0)
+                fatal("bad kex alg %s", k->name);
+}
+void
+choose_hostkeyalg(Kex *k, char *client, char *server)
+{
+        k->hostkeyalg = get_match(client, server);
+        if (k->hostkeyalg == NULL)
+                fatal("no hostkey alg");
+        if (strcmp(k->hostkeyalg, KEX_DSS) != 0)
+                fatal("bad hostkey alg %s", k->hostkeyalg);
+}
+Kex *
+kex_choose_conf(char *cprop[PROPOSAL_MAX], char *sprop[PROPOSAL_MAX], int server)
+{
+        int i;
+        int mode;
+        int ctos;                               /* direction: if true client-to-server */
+        int need;
+        Kex *k;
+        k = xmalloc(sizeof(*k));
+        memset(k, 0, sizeof(*k));
+        k->server = server;
+        for (mode = 0; mode < MODE_MAX; mode++) {
+                int nenc, nmac, ncomp;
+                ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN);
+                nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
+                nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
+                ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
+                choose_enc (&k->enc [mode], cprop[nenc],  sprop[nenc]);
+                choose_mac (&k->mac [mode], cprop[nmac],  sprop[nmac]);
+                choose_comp(&k->comp[mode], cprop[ncomp], sprop[ncomp]);
+                log("kex: %s %s %s %s",
+                    ctos ? "client->server" : "server->client",
+                    k->enc[mode].name,
+                    k->mac[mode].name,
+                    k->comp[mode].name);
+        }
+        choose_kex(k, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
+        choose_hostkeyalg(k, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
+            sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
+        for (i = 0; i < PROPOSAL_MAX; i++) {
+                xfree(cprop[i]);
+                xfree(sprop[i]);
+        }
+        need = 0;
+        for (mode = 0; mode < MODE_MAX; mode++) {
+            if (need < k->enc[mode].key_len)
+                    need = k->enc[mode].key_len;
+            if (need < k->enc[mode].iv_len)
+                    need = k->enc[mode].iv_len;
+            if (need < k->mac[mode].key_len)
+                    need = k->mac[mode].key_len;
+        }
+        /* need runden? */
+#define WE_NEED 32
+        k->we_need = WE_NEED;
+        k->we_need = need;
+        return k;
+}
+int
+kex_derive_keys(Kex *k, unsigned char *hash, BIGNUM *shared_secret)
+{
+        int i;
+        int mode;
+        int ctos;
+        unsigned char *keys[NKEYS];
+        for (i = 0; i < NKEYS; i++)
+                keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret);
+        for (mode = 0; mode < MODE_MAX; mode++) {
+                ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN);
+                k->enc[mode].iv  = keys[ctos ? 0 : 1];
+                k->enc[mode].key = keys[ctos ? 2 : 3];
+                k->mac[mode].key = keys[ctos ? 4 : 5];
+        }
+        return 0;
+}
author	Damien Miller <djm@mindrot.org>	2000-04-04 14:38:59 +1000
committer	Damien Miller <djm@mindrot.org>	2000-04-04 14:38:59 +1000
commit	33b13568b520b25990261206e10c941a9270238f (patch)
tree	be9d549ee0c9c7774e3ec1da8d807b2e04b00bec /kex.c
parent	193ba88dd6e9d6bcd5f476c7f5ddde8fd0b752bf (diff)

diff --git a/kex.c b/kex.c new file mode 100644 index 000000000..e730536ac --- /dev/null +++ b/kex.c
@@ -0,0 +1,407 @@
	1	/*
	2	* Copyright (c) 2000 Markus Friedl. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	* 3. All advertising materials mentioning features or use of this software
	13	* must display the following acknowledgement:
	14	* This product includes software developed by Markus Friedl.
	15	* 4. The name of the author may not be used to endorse or promote products
	16	* derived from this software without specific prior written permission.
	17	*
	18	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	19	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	20	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	21	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	22	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	23	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	24	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	25	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	26	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	27	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	28	*/
	29
	30	#include "includes.h"
	31	RCSID("$Id: kex.c,v 1.1 2000/04/04 04:39:02 damien Exp $");
	32
	33	#include "ssh.h"
	34	#include "ssh2.h"
	35	#include "xmalloc.h"
	36	#include "buffer.h"
	37	#include "bufaux.h"
	38	#include "cipher.h"
	39	#include "compat.h"
	40
	41	#if HAVE_OPENSSL
	42	# include <openssl/bn.h>
	43	# include <openssl/dh.h>
	44	# include <openssl/crypto.h>
	45	# include <openssl/bio.h>
	46	# include <openssl/bn.h>
	47	# include <openssl/dh.h>
	48	# include <openssl/pem.h>
	49	#endif /* HAVE_OPENSSL */
	50	#if HAVE_SSL
	51	# include <ssl/bn.h>
	52	# include <ssl/dh.h>
	53	# include <ssl/crypto.h>
	54	# include <ssl/bio.h>
	55	# include <ssl/bn.h>
	56	# include <ssl/dh.h>
	57	# include <ssl/pem.h>
	58	#endif /* HAVE_SSL */
	59
	60	#include "entropy.h"
	61	#include "kex.h"
	62
	63	Buffer *
	64	kex_init(char *myproposal[PROPOSAL_MAX])
	65	{
	66	char c = 0;
	67	unsigned char cookie[16];
	68	u_int32_t rand = 0;
	69	int i;
	70	Buffer ki = xmalloc(sizeof(ki));
	71	for (i = 0; i < 16; i++) {
	72	if (i % 4 == 0)
	73	rand = arc4random();
	74	cookie[i] = rand & 0xff;
	75	rand >>= 8;
	76	}
	77	buffer_init(ki);
	78	buffer_append(ki, (char *)cookie, sizeof cookie);
	79	for (i = 0; i < PROPOSAL_MAX; i++)
	80	buffer_put_cstring(ki, myproposal[i]);
	81	buffer_append(ki, &c, 1); /* boolean first_kex_packet_follows */
	82	buffer_put_int(ki, 0); /* uint32 0 (reserved for future extension) */
	83	return ki;
	84	}
	85
	86	/* diffie-hellman-group1-sha1 */
	87
	88	DH *
	89	new_dh_group1()
	90	{
	91	static char *group1 =
	92	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	93	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	94	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	95	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	96	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	97	"FFFFFFFF" "FFFFFFFF";
	98	DH *dh;
	99	int ret;
	100	dh = DH_new();
	101	if(dh == NULL)
	102	fatal("DH_new");
	103	ret = BN_hex2bn(&dh->p,group1);
	104	if(ret<0)
	105	fatal("BN_hex2bn");
	106	dh->g = BN_new();
	107	if(dh->g == NULL)
	108	fatal("DH_new g");
	109	BN_set_word(dh->g,2);
	110
	111	seed_rng();
	112	if (DH_generate_key(dh) == 0)
	113	fatal("DH_generate_key");
	114	seed_rng();
	115
	116	return dh;
	117	}
	118
	119	void
	120	bignum_print(BIGNUM *b)
	121	{
	122	BN_print_fp(stderr,b);
	123	}
	124
	125	void
	126	dump_digest(unsigned char *digest, int len)
	127	{
	128	int i;
	129	for (i = 0; i< len; i++){
	130	fprintf(stderr, "%02x", digest[i]);
	131	if(i%2!=0)
	132	fprintf(stderr, " ");
	133	}
	134	fprintf(stderr, "\n");
	135	}
	136
	137	unsigned char *
	138	kex_hash(
	139	char *client_version_string,
	140	char *server_version_string,
	141	char *ckexinit, int ckexinitlen,
	142	char *skexinit, int skexinitlen,
	143	char *serverhostkeyblob, int sbloblen,
	144	BIGNUM *client_dh_pub,
	145	BIGNUM *server_dh_pub,
	146	BIGNUM *shared_secret)
	147	{
	148	Buffer b;
	149	static unsigned char digest[EVP_MAX_MD_SIZE];
	150	EVP_MD *evp_md = EVP_sha1();
	151	EVP_MD_CTX md;
	152
	153	buffer_init(&b);
	154	buffer_put_string(&b, client_version_string, strlen(client_version_string));
	155	buffer_put_string(&b, server_version_string, strlen(server_version_string));
	156
	157	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
	158	buffer_put_int(&b, ckexinitlen+1);
	159	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	160	buffer_append(&b, ckexinit, ckexinitlen);
	161	buffer_put_int(&b, skexinitlen+1);
	162	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	163	buffer_append(&b, skexinit, skexinitlen);
	164
	165	buffer_put_string(&b, serverhostkeyblob, sbloblen);
	166	buffer_put_bignum2(&b, client_dh_pub);
	167	buffer_put_bignum2(&b, server_dh_pub);
	168	buffer_put_bignum2(&b, shared_secret);
	169
	170	#ifdef DEBUG_KEX
	171	buffer_dump(&b);
	172	#endif
	173
	174	EVP_DigestInit(&md, evp_md);
	175	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	176	EVP_DigestFinal(&md, digest, NULL);
	177
	178	buffer_free(&b);
	179
	180	#ifdef DEBUG_KEX
	181	dump_digest(digest, evp_md->md_size);
	182	#endif
	183	return digest;
	184	}
	185
	186	unsigned char *
	187	derive_key(int id, int need, char unsigned hash, BIGNUM shared_secret)
	188	{
	189	Buffer b;
	190	EVP_MD *evp_md = EVP_sha1();
	191	EVP_MD_CTX md;
	192	char c = id;
	193	int have;
	194	int mdsz = evp_md->md_size;
	195	unsigned char digest = xmalloc(((need+mdsz-1)/mdsz)mdsz);
	196
	197	buffer_init(&b);
	198	buffer_put_bignum2(&b, shared_secret);
	199
	200	EVP_DigestInit(&md, evp_md);
	201	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); /* shared_secret K */
	202	EVP_DigestUpdate(&md, hash, mdsz); /* transport-06 */
	203	EVP_DigestUpdate(&md, &c, 1); /* key id */
	204	EVP_DigestUpdate(&md, hash, mdsz); /* session id */
	205	EVP_DigestFinal(&md, digest, NULL);
	206
	207	/* expand */
	208	for (have = mdsz; need > have; have += mdsz) {
	209	EVP_DigestInit(&md, evp_md);
	210	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	211	EVP_DigestUpdate(&md, hash, mdsz);
	212	EVP_DigestUpdate(&md, digest, have);
	213	EVP_DigestFinal(&md, digest + have, NULL);
	214	}
	215	buffer_free(&b);
	216	#ifdef DEBUG_KEX
	217	fprintf(stderr, "Digest '%c'== ", c);
	218	dump_digest(digest, need);
	219	#endif
	220	return digest;
	221	}
	222
	223	#define NKEYS 6
	224
	225	#define MAX_PROP 20
	226	#define SEP ","
	227
	228	char *
	229	get_match(char client, char server)
	230	{
	231	char *sproposals[MAX_PROP];
	232	char *p;
	233	int i, j, nproposals;
	234
	235	for ((p = strtok(server, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) {
	236	if (i < MAX_PROP)
	237	sproposals[i] = p;
	238	else
	239	break;
	240	}
	241	nproposals = i;
	242
	243	for ((p = strtok(client, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) {
	244	for (j = 0; j < nproposals; j++)
	245	if (strcmp(p, sproposals[j]) == 0)
	246	return xstrdup(p);
	247	}
	248	return NULL;
	249	}
	250	void
	251	choose_enc(Enc enc, char client, char *server)
	252	{
	253	char *name = get_match(client, server);
	254	if (name == NULL)
	255	fatal("no matching cipher found: client %s server %s", client, server);
	256	enc->type = cipher_number(name);
	257
	258	switch (enc->type) {
	259	case SSH_CIPHER_3DES_CBC:
	260	enc->key_len = 24;
	261	enc->iv_len = 8;
	262	enc->block_size = 8;
	263	break;
	264	case SSH_CIPHER_BLOWFISH_CBC:
	265	case SSH_CIPHER_CAST128_CBC:
	266	enc->key_len = 16;
	267	enc->iv_len = 8;
	268	enc->block_size = 8;
	269	break;
	270	case SSH_CIPHER_ARCFOUR:
	271	enc->key_len = 16;
	272	enc->iv_len = 0;
	273	enc->block_size = 8;
	274	break;
	275	default:
	276	fatal("unsupported cipher %s", name);
	277	}
	278	enc->name = name;
	279	enc->enabled = 0;
	280	enc->iv = NULL;
	281	enc->key = NULL;
	282	}
	283	void
	284	choose_mac(Mac mac, char client, char *server)
	285	{
	286	char *name = get_match(client, server);
	287	if (name == NULL)
	288	fatal("no matching mac found: client %s server %s", client, server);
	289	if (strcmp(name, "hmac-md5") == 0) {
	290	mac->md = EVP_md5();
	291	} else if (strcmp(name, "hmac-sha1") == 0) {
	292	mac->md = EVP_sha1();
	293	} else if (strcmp(name, "hmac-ripemd160@openssh.com") == 0) {
	294	mac->md = EVP_ripemd160();
	295	} else {
	296	fatal("unsupported mac %s", name);
	297	}
	298	mac->name = name;
	299	mac->mac_len = mac->md->md_size;
	300	mac->key_len = datafellows ? 16 : mac->mac_len;
	301	mac->key = NULL;
	302	mac->enabled = 0;
	303	}
	304	void
	305	choose_comp(Comp comp, char client, char *server)
	306	{
	307	char *name = get_match(client, server);
	308	if (name == NULL)
	309	fatal("no matching comp found: client %s server %s", client, server);
	310	if (strcmp(name, "zlib") == 0) {
	311	comp->type = 1;
	312	} else if (strcmp(name, "none") == 0) {
	313	comp->type = 0;
	314	} else {
	315	fatal("unsupported comp %s", name);
	316	}
	317	comp->name = name;
	318	}
	319	void
	320	choose_kex(Kex k, char client, char *server)
	321	{
	322	k->name = get_match(client, server);
	323	if (k->name == NULL)
	324	fatal("no kex alg");
	325	if (strcmp(k->name, KEX_DH1) != 0)
	326	fatal("bad kex alg %s", k->name);
	327	}
	328	void
	329	choose_hostkeyalg(Kex k, char client, char *server)
	330	{
	331	k->hostkeyalg = get_match(client, server);
	332	if (k->hostkeyalg == NULL)
	333	fatal("no hostkey alg");
	334	if (strcmp(k->hostkeyalg, KEX_DSS) != 0)
	335	fatal("bad hostkey alg %s", k->hostkeyalg);
	336	}
	337
	338	Kex *
	339	kex_choose_conf(char cprop[PROPOSAL_MAX], char sprop[PROPOSAL_MAX], int server)
	340	{
	341	int i;
	342	int mode;
	343	int ctos; /* direction: if true client-to-server */
	344	int need;
	345	Kex *k;
	346
	347	k = xmalloc(sizeof(*k));
	348	memset(k, 0, sizeof(*k));
	349	k->server = server;
	350
	351	for (mode = 0; mode < MODE_MAX; mode++) {
	352	int nenc, nmac, ncomp;
	353	ctos = (!k->server && mode == MODE_OUT) \|\| (k->server && mode == MODE_IN);
	354	nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
	355	nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
	356	ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
	357	choose_enc (&k->enc [mode], cprop[nenc], sprop[nenc]);
	358	choose_mac (&k->mac [mode], cprop[nmac], sprop[nmac]);
	359	choose_comp(&k->comp[mode], cprop[ncomp], sprop[ncomp]);
	360	log("kex: %s %s %s %s",
	361	ctos ? "client->server" : "server->client",
	362	k->enc[mode].name,
	363	k->mac[mode].name,
	364	k->comp[mode].name);
	365	}
	366	choose_kex(k, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
	367	choose_hostkeyalg(k, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
	368	sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
	369	for (i = 0; i < PROPOSAL_MAX; i++) {
	370	xfree(cprop[i]);
	371	xfree(sprop[i]);
	372	}
	373	need = 0;
	374	for (mode = 0; mode < MODE_MAX; mode++) {
	375	if (need < k->enc[mode].key_len)
	376	need = k->enc[mode].key_len;
	377	if (need < k->enc[mode].iv_len)
	378	need = k->enc[mode].iv_len;
	379	if (need < k->mac[mode].key_len)
	380	need = k->mac[mode].key_len;
	381	}
	382	/* need runden? */
	383	#define WE_NEED 32
	384	k->we_need = WE_NEED;
	385	k->we_need = need;
	386	return k;
	387	}
	388
	389	int
	390	kex_derive_keys(Kex k, unsigned char hash, BIGNUM *shared_secret)
	391	{
	392	int i;
	393	int mode;
	394	int ctos;
	395	unsigned char *keys[NKEYS];
	396
	397	for (i = 0; i < NKEYS; i++)
	398	keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret);
	399
	400	for (mode = 0; mode < MODE_MAX; mode++) {
	401	ctos = (!k->server && mode == MODE_OUT) \|\| (k->server && mode == MODE_IN);
	402	k->enc[mode].iv = keys[ctos ? 0 : 1];
	403	k->enc[mode].key = keys[ctos ? 2 : 3];
	404	k->mac[mode].key = keys[ctos ? 4 : 5];
	405	}
	406	return 0;
	407	}