upstream commit

adapt kex to sshbuf and struct ssh; ok djm@
author: markus@openbsd.org <markus@openbsd.org> 2015-01-19 20:16:15 +0000
committer: Damien Miller <djm@mindrot.org> 2015-01-20 09:19:39 +1100
commit: 57d10cbe861a235dd269c74fb2fe248469ecee9d (patch)
tree: c65deed24700490bd3b20300c4829d4d5466ff6d /kexgexs.c
parent: 3fdc88a0def4f86aa88a5846ac079dc964c0546a (diff)
1 files changed, 161 insertions, 96 deletions
diff --git a/kexgexs.c b/kexgexs.c
index 1021e0bf6..6e2b009b5 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.20 2015/01/19 19:52:16 markus Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.21 2015/01/19 20:16:15 markus Exp $ */
 /*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -37,10 +37,9 @@
 #include <openssl/dh.h>
-#include "xmalloc.h"
+#include "sshkey.h"
-#include "buffer.h"
-#include "key.h"
 #include "cipher.h"
+#include "digest.h"
 #include "kex.h"
 #include "log.h"
 #include "packet.h"
@@ -51,33 +50,43 @@
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
+#include "dispatch.h"
+#include "ssherr.h"
+#include "sshbuf.h"
-void
+static int input_kex_dh_gex_request(int, u_int32_t, void *);
-kexgex_server(Kex *kex)
+static int input_kex_dh_gex_init(int, u_int32_t, void *);
+int
+kexgex_server(struct ssh *ssh)
 {
-        BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
+        ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD,
-        Key *server_host_public, *server_host_private;
+            &input_kex_dh_gex_request);
-        DH *dh;
+        ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
-        u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
+            &input_kex_dh_gex_request);
-        u_int sbloblen, klen, slen, hashlen;
+        debug("expecting SSH2_MSG_KEX_DH_GEX_REQUEST");
-        int omin = -1, min = -1, omax = -1, max = -1, onbits = -1, nbits = -1;
+        return 0;
-        int type, kout;
+}
+static int
+input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt)
+{
+        struct ssh *ssh = ctxt;
+        struct kex *kex = ssh->kex;
+        int r;
+        u_int min = 0, max = 0, nbits = 0;
-        if (kex->load_host_public_key == NULL ||
-            kex->load_host_private_key == NULL)
-                fatal("Cannot load hostkey");
-        server_host_public = kex->load_host_public_key(kex->hostkey_type);
-        if (server_host_public == NULL)
-                fatal("Unsupported hostkey type %d", kex->hostkey_type);
-        server_host_private = kex->load_host_private_key(kex->hostkey_type);
-        type = packet_read();
        switch (type) {
        case SSH2_MSG_KEX_DH_GEX_REQUEST:
                debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
-                omin = min = packet_get_int();
+                if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
-                onbits = nbits = packet_get_int();
+                    (r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
-                omax = max = packet_get_int();
+                    (r = sshpkt_get_u32(ssh, &max)) != 0 ||
+                    (r = sshpkt_get_end(ssh)) != 0)
+                        goto out;
+                kex->nbits = nbits;
+                kex->min = min;
+                kex->max = max;
                min = MAX(DH_GRP_MIN, min);
                max = MIN(DH_GRP_MAX, max);
                nbits = MAX(DH_GRP_MIN, nbits);
@@ -85,45 +94,88 @@ kexgex_server(Kex *kex)
                break;
        case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
                debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");
-                onbits = nbits = packet_get_int();
+                if ((r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
+                    (r = sshpkt_get_end(ssh)) != 0)
+                        goto out;
+                kex->nbits = nbits;
                /* unused for old GEX */
-                omin = min = DH_GRP_MIN;
+                kex->min = min = DH_GRP_MIN;
-                omax = max = DH_GRP_MAX;
+                kex->max = max = DH_GRP_MAX;
                break;
        default:
-                fatal("protocol error during kex, no DH_GEX_REQUEST: %d", type);
+                r = SSH_ERR_INVALID_ARGUMENT;
+                goto out;
        }
-        packet_check_eom();
-        if (omax < omin || onbits < omin || omax < onbits)
+        if (kex->max < kex->min || kex->nbits < kex->min ||
-                fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d",
+            kex->max < kex->nbits) {
-                    omin, onbits, omax);
+                r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
+                goto out;
+        }
        /* Contact privileged parent */
-        dh = PRIVSEP(choose_dh(min, nbits, max));
+        kex->dh = PRIVSEP(choose_dh(min, nbits, max));
-        if (dh == NULL)
+        if (kex->dh == NULL) {
-                packet_disconnect("Protocol error: no matching DH grp found");
+                sshpkt_disconnect(ssh, "no matching DH grp found");
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
        debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
-        packet_start(SSH2_MSG_KEX_DH_GEX_GROUP);
+        if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_GROUP)) != 0 ||
-        packet_put_bignum2(dh->p);
+            (r = sshpkt_put_bignum2(ssh, kex->dh->p)) != 0 ||
-        packet_put_bignum2(dh->g);
+            (r = sshpkt_put_bignum2(ssh, kex->dh->g)) != 0 ||
-        packet_send();
+            (r = sshpkt_send(ssh)) != 0)
+                goto out;
-        /* flush */
-        packet_write_wait();
        /* Compute our exchange value in parallel with the client */
-        dh_gen_key(dh, kex->we_need * 8);
+        if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
+                goto out;
+        /* old KEX does not use min/max in kexgex_hash() */
+        if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
+                kex->min = kex->max = -1;
        debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
-        packet_read_expect(SSH2_MSG_KEX_DH_GEX_INIT);
+        ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &input_kex_dh_gex_init);
+        r = 0;
+ out:
+        return r;
+}
+static int
+input_kex_dh_gex_init(int type, u_int32_t seq, void *ctxt)
+{
+        struct ssh *ssh = ctxt;
+        struct kex *kex = ssh->kex;
+        BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
+        struct sshkey *server_host_public, *server_host_private;
+        u_char *kbuf = NULL, *signature = NULL, *server_host_key_blob = NULL;
+        u_char hash[SSH_DIGEST_MAX_LENGTH];
+        size_t sbloblen, slen;
+        size_t klen = 0, hashlen;
+        int kout, r;
+        if (kex->load_host_public_key == NULL ||
+            kex->load_host_private_key == NULL) {
+                r = SSH_ERR_INVALID_ARGUMENT;
+                goto out;
+        }
+        if ((server_host_public = kex->load_host_public_key(kex->hostkey_type,
+            ssh)) == NULL ||
+            (server_host_private = kex->load_host_private_key(kex->hostkey_type,
+            ssh)) == NULL) {
+                r = SSH_ERR_NO_HOSTKEY_LOADED;
+                goto out;
+        }
        /* key, cert */
-        if ((dh_client_pub = BN_new()) == NULL)
+        if ((dh_client_pub = BN_new()) == NULL) {
-                fatal("dh_client_pub == NULL");
+                r = SSH_ERR_ALLOC_FAIL;
-        packet_get_bignum2(dh_client_pub);
+                goto out;
-        packet_check_eom();
+        }
+        if ((r = sshpkt_get_bignum2(ssh, dh_client_pub)) != 0 ||
+            (r = sshpkt_get_end(ssh)) != 0)
+                goto out;
 #ifdef DEBUG_KEXDH
        fprintf(stderr, "dh_client_pub= ");
@@ -133,79 +185,92 @@ kexgex_server(Kex *kex)
 #endif
 #ifdef DEBUG_KEXDH
-        DHparams_print_fp(stderr, dh);
+        DHparams_print_fp(stderr, kex->dh);
        fprintf(stderr, "pub= ");
-        BN_print_fp(stderr, dh->pub_key);
+        BN_print_fp(stderr, kex->dh->pub_key);
        fprintf(stderr, "\n");
 #endif
-        if (!dh_pub_is_valid(dh, dh_client_pub))
+        if (!dh_pub_is_valid(kex->dh, dh_client_pub)) {
-                packet_disconnect("bad client public DH value");
+                sshpkt_disconnect(ssh, "bad client public DH value");
+                r = SSH_ERR_MESSAGE_INCOMPLETE;
+                goto out;
+        }
-        klen = DH_size(dh);
+        klen = DH_size(kex->dh);
-        kbuf = xmalloc(klen);
+        if ((kbuf = malloc(klen)) == NULL ||
-        if ((kout = DH_compute_key(kbuf, dh_client_pub, dh)) < 0)
+            (shared_secret = BN_new()) == NULL) {
-                fatal("DH_compute_key: failed");
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if ((kout = DH_compute_key(kbuf, dh_client_pub, kex->dh)) < 0 ||
+            BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
 #ifdef DEBUG_KEXDH
        dump_digest("shared secret", kbuf, kout);
 #endif
-        if ((shared_secret = BN_new()) == NULL)
+        if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
-                fatal("kexgex_server: BN_new failed");
+            &sbloblen)) != 0)
-        if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
+                goto out;
-                fatal("kexgex_server: BN_bin2bn failed");
-        explicit_bzero(kbuf, klen);
-        free(kbuf);
-        key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
-        if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
-                omin = min = omax = max = -1;
        /* calc H */
-        kexgex_hash(
+        hashlen = sizeof(hash);
+        if ((r = kexgex_hash(
            kex->hash_alg,
            kex->client_version_string,
            kex->server_version_string,
-            buffer_ptr(kex->peer), buffer_len(kex->peer),
+            sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
-            buffer_ptr(kex->my), buffer_len(kex->my),
+            sshbuf_ptr(kex->my), sshbuf_len(kex->my),
            server_host_key_blob, sbloblen,
-            omin, onbits, omax,
+            kex->min, kex->nbits, kex->max,
-            dh->p, dh->g,
+            kex->dh->p, kex->dh->g,
            dh_client_pub,
-            dh->pub_key,
+            kex->dh->pub_key,
            shared_secret,
-            &hash, &hashlen
+            hash, &hashlen)) != 0)
-        );
+                goto out;
-        BN_clear_free(dh_client_pub);
        /* save session id := H */
        if (kex->session_id == NULL) {
                kex->session_id_len = hashlen;
-                kex->session_id = xmalloc(kex->session_id_len);
+                kex->session_id = malloc(kex->session_id_len);
+                if (kex->session_id == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
                memcpy(kex->session_id, hash, kex->session_id_len);
        }
        /* sign H */
-        kex->sign(server_host_private, server_host_public, &signature, &slen,
+        if ((r = kex->sign(server_host_private, server_host_public,
-            hash, hashlen);
+            &signature, &slen, hash, hashlen, ssh->compat)) < 0)
+                goto out;
        /* destroy_sensitive_data(); */
        /* send server hostkey, DH pubkey 'f' and singed H */
-        debug("SSH2_MSG_KEX_DH_GEX_REPLY sent");
+        if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REPLY)) != 0 ||
-        packet_start(SSH2_MSG_KEX_DH_GEX_REPLY);
+            (r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
-        packet_put_string(server_host_key_blob, sbloblen);
+            (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 ||     /* f */
-        packet_put_bignum2(dh->pub_key);        /* f */
+            (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
-        packet_put_string(signature, slen);
+            (r = sshpkt_send(ssh)) != 0)
-        packet_send();
+                goto out;
-        free(signature);
+        if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
+                r = kex_send_newkeys(ssh);
+ out:
+        DH_free(kex->dh);
+        kex->dh = NULL;
+        if (dh_client_pub)
+                BN_clear_free(dh_client_pub);
+        if (kbuf) {
+                explicit_bzero(kbuf, klen);
+                free(kbuf);
+        }
+        if (shared_secret)
+                BN_clear_free(shared_secret);
        free(server_host_key_blob);
-        /* have keys, free DH */
+        free(signature);
-        DH_free(dh);
+        return r;
-        kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
-        BN_clear_free(shared_secret);
-        kex_finish(kex);
 }
 #endif /* WITH_OPENSSL */
author	markus@openbsd.org <markus@openbsd.org>	2015-01-19 20:16:15 +0000
committer	Damien Miller <djm@mindrot.org>	2015-01-20 09:19:39 +1100
commit	57d10cbe861a235dd269c74fb2fe248469ecee9d (patch)
tree	c65deed24700490bd3b20300c4829d4d5466ff6d /kexgexs.c
parent	3fdc88a0def4f86aa88a5846ac079dc964c0546a (diff)

diff --git a/kexgexs.c b/kexgexs.c index 1021e0bf6..6e2b009b5 100644 --- a/kexgexs.c +++ b/kexgexs.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: kexgexs.c,v 1.20 2015/01/19 19:52:16 markus Exp $ */	1	/* $OpenBSD: kexgexs.c,v 1.21 2015/01/19 20:16:15 markus Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Niels Provos. All rights reserved.	3	* Copyright (c) 2000 Niels Provos. All rights reserved.
4	* Copyright (c) 2001 Markus Friedl. All rights reserved.	4	* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -37,10 +37,9 @@
37		37
38	#include <openssl/dh.h>	38	#include <openssl/dh.h>
39		39
40	#include "xmalloc.h"	40	#include "sshkey.h"
41	#include "buffer.h"
42	#include "key.h"
43	#include "cipher.h"	41	#include "cipher.h"
		42	#include "digest.h"
44	#include "kex.h"	43	#include "kex.h"
45	#include "log.h"	44	#include "log.h"
46	#include "packet.h"	45	#include "packet.h"
@@ -51,33 +50,43 @@
51	#include "ssh-gss.h"	50	#include "ssh-gss.h"
52	#endif	51	#endif
53	#include "monitor_wrap.h"	52	#include "monitor_wrap.h"
		53	#include "dispatch.h"
		54	#include "ssherr.h"
		55	#include "sshbuf.h"
54		56
55	void	57	static int input_kex_dh_gex_request(int, u_int32_t, void *);
56	kexgex_server(Kex *kex)	58	static int input_kex_dh_gex_init(int, u_int32_t, void *);
		59
		60	int
		61	kexgex_server(struct ssh *ssh)
57	{	62	{
58	BIGNUM shared_secret = NULL, dh_client_pub = NULL;	63	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD,
59	Key server_host_public, server_host_private;	64	&input_kex_dh_gex_request);
60	DH *dh;	65	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
61	u_char kbuf, hash, signature = NULL, server_host_key_blob = NULL;	66	&input_kex_dh_gex_request);
62	u_int sbloblen, klen, slen, hashlen;	67	debug("expecting SSH2_MSG_KEX_DH_GEX_REQUEST");
63	int omin = -1, min = -1, omax = -1, max = -1, onbits = -1, nbits = -1;	68	return 0;
64	int type, kout;	69	}
		70
		71	static int
		72	input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt)
		73	{
		74	struct ssh *ssh = ctxt;
		75	struct kex *kex = ssh->kex;
		76	int r;
		77	u_int min = 0, max = 0, nbits = 0;
65		78
66	if (kex->load_host_public_key == NULL \|\|
67	kex->load_host_private_key == NULL)
68	fatal("Cannot load hostkey");
69	server_host_public = kex->load_host_public_key(kex->hostkey_type);
70	if (server_host_public == NULL)
71	fatal("Unsupported hostkey type %d", kex->hostkey_type);
72	server_host_private = kex->load_host_private_key(kex->hostkey_type);
73
74	type = packet_read();
75	switch (type) {	79	switch (type) {
76	case SSH2_MSG_KEX_DH_GEX_REQUEST:	80	case SSH2_MSG_KEX_DH_GEX_REQUEST:
77	debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");	81	debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
78	omin = min = packet_get_int();	82	if ((r = sshpkt_get_u32(ssh, &min)) != 0 \|\|
79	onbits = nbits = packet_get_int();	83	(r = sshpkt_get_u32(ssh, &nbits)) != 0 \|\|
80	omax = max = packet_get_int();	84	(r = sshpkt_get_u32(ssh, &max)) != 0 \|\|
		85	(r = sshpkt_get_end(ssh)) != 0)
		86	goto out;
		87	kex->nbits = nbits;
		88	kex->min = min;
		89	kex->max = max;
81	min = MAX(DH_GRP_MIN, min);	90	min = MAX(DH_GRP_MIN, min);
82	max = MIN(DH_GRP_MAX, max);	91	max = MIN(DH_GRP_MAX, max);
83	nbits = MAX(DH_GRP_MIN, nbits);	92	nbits = MAX(DH_GRP_MIN, nbits);
@@ -85,45 +94,88 @@ kexgex_server(Kex *kex)
85	break;	94	break;
86	case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:	95	case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
87	debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");	96	debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");
88	onbits = nbits = packet_get_int();	97	if ((r = sshpkt_get_u32(ssh, &nbits)) != 0 \|\|
		98	(r = sshpkt_get_end(ssh)) != 0)
		99	goto out;
		100	kex->nbits = nbits;
89	/* unused for old GEX */	101	/* unused for old GEX */
90	omin = min = DH_GRP_MIN;	102	kex->min = min = DH_GRP_MIN;
91	omax = max = DH_GRP_MAX;	103	kex->max = max = DH_GRP_MAX;
92	break;	104	break;
93	default:	105	default:
94	fatal("protocol error during kex, no DH_GEX_REQUEST: %d", type);	106	r = SSH_ERR_INVALID_ARGUMENT;
		107	goto out;
95	}	108	}
96	packet_check_eom();
97		109
98	if (omax < omin \|\| onbits < omin \|\| omax < onbits)	110	if (kex->max < kex->min \|\| kex->nbits < kex->min \|\|
99	fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d",	111	kex->max < kex->nbits) {
100	omin, onbits, omax);	112	r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
		113	goto out;
		114	}
101		115
102	/* Contact privileged parent */	116	/* Contact privileged parent */
103	dh = PRIVSEP(choose_dh(min, nbits, max));	117	kex->dh = PRIVSEP(choose_dh(min, nbits, max));
104	if (dh == NULL)	118	if (kex->dh == NULL) {
105	packet_disconnect("Protocol error: no matching DH grp found");	119	sshpkt_disconnect(ssh, "no matching DH grp found");
106		120	r = SSH_ERR_ALLOC_FAIL;
		121	goto out;
		122	}
107	debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");	123	debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
108	packet_start(SSH2_MSG_KEX_DH_GEX_GROUP);	124	if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_GROUP)) != 0 \|\|
109	packet_put_bignum2(dh->p);	125	(r = sshpkt_put_bignum2(ssh, kex->dh->p)) != 0 \|\|
110	packet_put_bignum2(dh->g);	126	(r = sshpkt_put_bignum2(ssh, kex->dh->g)) != 0 \|\|
111	packet_send();	127	(r = sshpkt_send(ssh)) != 0)
112		128	goto out;
113	/* flush */
114	packet_write_wait();
115		129
116	/* Compute our exchange value in parallel with the client */	130	/* Compute our exchange value in parallel with the client */
117	dh_gen_key(dh, kex->we_need * 8);	131	if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
		132	goto out;
		133
		134	/* old KEX does not use min/max in kexgex_hash() */
		135	if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
		136	kex->min = kex->max = -1;
118		137
119	debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");	138	debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
120	packet_read_expect(SSH2_MSG_KEX_DH_GEX_INIT);	139	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &input_kex_dh_gex_init);
		140	r = 0;
		141	out:
		142	return r;
		143	}
		144
		145	static int
		146	input_kex_dh_gex_init(int type, u_int32_t seq, void *ctxt)
		147	{
		148	struct ssh *ssh = ctxt;
		149	struct kex *kex = ssh->kex;
		150	BIGNUM shared_secret = NULL, dh_client_pub = NULL;
		151	struct sshkey server_host_public, server_host_private;
		152	u_char kbuf = NULL, signature = NULL, *server_host_key_blob = NULL;
		153	u_char hash[SSH_DIGEST_MAX_LENGTH];
		154	size_t sbloblen, slen;
		155	size_t klen = 0, hashlen;
		156	int kout, r;
		157
		158	if (kex->load_host_public_key == NULL \|\|
		159	kex->load_host_private_key == NULL) {
		160	r = SSH_ERR_INVALID_ARGUMENT;
		161	goto out;
		162	}
		163	if ((server_host_public = kex->load_host_public_key(kex->hostkey_type,
		164	ssh)) == NULL \|\|
		165	(server_host_private = kex->load_host_private_key(kex->hostkey_type,
		166	ssh)) == NULL) {
		167	r = SSH_ERR_NO_HOSTKEY_LOADED;
		168	goto out;
		169	}
121		170
122	/* key, cert */	171	/* key, cert */
123	if ((dh_client_pub = BN_new()) == NULL)	172	if ((dh_client_pub = BN_new()) == NULL) {
124	fatal("dh_client_pub == NULL");	173	r = SSH_ERR_ALLOC_FAIL;
125	packet_get_bignum2(dh_client_pub);	174	goto out;
126	packet_check_eom();	175	}
		176	if ((r = sshpkt_get_bignum2(ssh, dh_client_pub)) != 0 \|\|
		177	(r = sshpkt_get_end(ssh)) != 0)
		178	goto out;
127		179
128	#ifdef DEBUG_KEXDH	180	#ifdef DEBUG_KEXDH
129	fprintf(stderr, "dh_client_pub= ");	181	fprintf(stderr, "dh_client_pub= ");
@@ -133,79 +185,92 @@ kexgex_server(Kex *kex)
133	#endif	185	#endif
134		186
135	#ifdef DEBUG_KEXDH	187	#ifdef DEBUG_KEXDH
136	DHparams_print_fp(stderr, dh);	188	DHparams_print_fp(stderr, kex->dh);
137	fprintf(stderr, "pub= ");	189	fprintf(stderr, "pub= ");
138	BN_print_fp(stderr, dh->pub_key);	190	BN_print_fp(stderr, kex->dh->pub_key);
139	fprintf(stderr, "\n");	191	fprintf(stderr, "\n");
140	#endif	192	#endif
141	if (!dh_pub_is_valid(dh, dh_client_pub))	193	if (!dh_pub_is_valid(kex->dh, dh_client_pub)) {
142	packet_disconnect("bad client public DH value");	194	sshpkt_disconnect(ssh, "bad client public DH value");
		195	r = SSH_ERR_MESSAGE_INCOMPLETE;
		196	goto out;
		197	}
143		198
144	klen = DH_size(dh);	199	klen = DH_size(kex->dh);
145	kbuf = xmalloc(klen);	200	if ((kbuf = malloc(klen)) == NULL \|\|
146	if ((kout = DH_compute_key(kbuf, dh_client_pub, dh)) < 0)	201	(shared_secret = BN_new()) == NULL) {
147	fatal("DH_compute_key: failed");	202	r = SSH_ERR_ALLOC_FAIL;
		203	goto out;
		204	}
		205	if ((kout = DH_compute_key(kbuf, dh_client_pub, kex->dh)) < 0 \|\|
		206	BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
		207	r = SSH_ERR_LIBCRYPTO_ERROR;
		208	goto out;
		209	}
148	#ifdef DEBUG_KEXDH	210	#ifdef DEBUG_KEXDH
149	dump_digest("shared secret", kbuf, kout);	211	dump_digest("shared secret", kbuf, kout);
150	#endif	212	#endif
151	if ((shared_secret = BN_new()) == NULL)	213	if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
152	fatal("kexgex_server: BN_new failed");	214	&sbloblen)) != 0)
153	if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)	215	goto out;
154	fatal("kexgex_server: BN_bin2bn failed");
155	explicit_bzero(kbuf, klen);
156	free(kbuf);
157
158	key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
159
160	if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
161	omin = min = omax = max = -1;
162
163	/* calc H */	216	/* calc H */
164	kexgex_hash(	217	hashlen = sizeof(hash);
		218	if ((r = kexgex_hash(
165	kex->hash_alg,	219	kex->hash_alg,
166	kex->client_version_string,	220	kex->client_version_string,
167	kex->server_version_string,	221	kex->server_version_string,
168	buffer_ptr(kex->peer), buffer_len(kex->peer),	222	sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
169	buffer_ptr(kex->my), buffer_len(kex->my),	223	sshbuf_ptr(kex->my), sshbuf_len(kex->my),
170	server_host_key_blob, sbloblen,	224	server_host_key_blob, sbloblen,
171	omin, onbits, omax,	225	kex->min, kex->nbits, kex->max,
172	dh->p, dh->g,	226	kex->dh->p, kex->dh->g,
173	dh_client_pub,	227	dh_client_pub,
174	dh->pub_key,	228	kex->dh->pub_key,
175	shared_secret,	229	shared_secret,
176	&hash, &hashlen	230	hash, &hashlen)) != 0)
177	);	231	goto out;
178	BN_clear_free(dh_client_pub);
179		232
180	/* save session id := H */	233	/* save session id := H */
181	if (kex->session_id == NULL) {	234	if (kex->session_id == NULL) {
182	kex->session_id_len = hashlen;	235	kex->session_id_len = hashlen;
183	kex->session_id = xmalloc(kex->session_id_len);	236	kex->session_id = malloc(kex->session_id_len);
		237	if (kex->session_id == NULL) {
		238	r = SSH_ERR_ALLOC_FAIL;
		239	goto out;
		240	}
184	memcpy(kex->session_id, hash, kex->session_id_len);	241	memcpy(kex->session_id, hash, kex->session_id_len);
185	}	242	}
186		243
187	/* sign H */	244	/* sign H */
188	kex->sign(server_host_private, server_host_public, &signature, &slen,	245	if ((r = kex->sign(server_host_private, server_host_public,
189	hash, hashlen);	246	&signature, &slen, hash, hashlen, ssh->compat)) < 0)
		247	goto out;
190		248
191	/* destroy_sensitive_data(); */	249	/* destroy_sensitive_data(); */
192		250
193	/* send server hostkey, DH pubkey 'f' and singed H */	251	/* send server hostkey, DH pubkey 'f' and singed H */
194	debug("SSH2_MSG_KEX_DH_GEX_REPLY sent");	252	if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REPLY)) != 0 \|\|
195	packet_start(SSH2_MSG_KEX_DH_GEX_REPLY);	253	(r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 \|\|
196	packet_put_string(server_host_key_blob, sbloblen);	254	(r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 \|\| /* f */
197	packet_put_bignum2(dh->pub_key); /* f */	255	(r = sshpkt_put_string(ssh, signature, slen)) != 0 \|\|
198	packet_put_string(signature, slen);	256	(r = sshpkt_send(ssh)) != 0)
199	packet_send();	257	goto out;
200		258
201	free(signature);	259	if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
		260	r = kex_send_newkeys(ssh);
		261	out:
		262	DH_free(kex->dh);
		263	kex->dh = NULL;
		264	if (dh_client_pub)
		265	BN_clear_free(dh_client_pub);
		266	if (kbuf) {
		267	explicit_bzero(kbuf, klen);
		268	free(kbuf);
		269	}
		270	if (shared_secret)
		271	BN_clear_free(shared_secret);
202	free(server_host_key_blob);	272	free(server_host_key_blob);
203	/* have keys, free DH */	273	free(signature);
204	DH_free(dh);	274	return r;
205
206	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
207	BN_clear_free(shared_secret);
208
209	kex_finish(kex);
210	}	275	}
211	#endif /* WITH_OPENSSL */	276	#endif /* WITH_OPENSSL */