[openssh.git] / kex.c

/*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by Markus Friedl.
 * 4. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$Id$");

#include "ssh.h"
#include "ssh2.h"
#include "xmalloc.h"
#include "buffer.h"
#include "bufaux.h"
#include "cipher.h"
#include "compat.h"

#if HAVE_OPENSSL
# include <openssl/bn.h>
# include <openssl/dh.h>
# include <openssl/crypto.h>
# include <openssl/bio.h>
# include <openssl/pem.h>
#endif /* HAVE_OPENSSL */
#if HAVE_SSL
# include <ssl/bn.h>
# include <ssl/dh.h>
# include <ssl/crypto.h>
# include <ssl/bio.h>
# include <ssl/pem.h>
#endif /* HAVE_SSL */

#include "kex.h"

Buffer *
kex_init(char *myproposal[PROPOSAL_MAX])
{
	char c = 0;
	unsigned char cookie[16];
	u_int32_t rand = 0;
	int i;
	Buffer *ki = xmalloc(sizeof(*ki));
	for (i = 0; i < 16; i++) {
		if (i % 4 == 0)
			rand = arc4random();
		cookie[i] = rand & 0xff;
		rand >>= 8;
	}
	buffer_init(ki);
	buffer_append(ki, (char *)cookie, sizeof cookie);
	for (i = 0; i < PROPOSAL_MAX; i++)
		buffer_put_cstring(ki, myproposal[i]);
	buffer_append(ki, &c, 1); /* boolean   first_kex_packet_follows */
	buffer_put_int(ki, 0);    /* uint32    0 (reserved for future extension) */
	return ki;
}

/* diffie-hellman-group1-sha1 */

int
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
{
	int i;
	int n = BN_num_bits(dh_pub);
	int bits_set = 0;

	/* we only accept g==2 */
	if (!BN_is_word(dh->g, 2)) {
		log("invalid DH base != 2");
		return 0;
	}
	if (dh_pub->neg) {
		log("invalid public DH value: negativ");
		return 0;
	}
	for (i = 0; i <= n; i++)
		if (BN_is_bit_set(dh_pub, i))
			bits_set++;
	debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p));

	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
		return 1;
	log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	return 0;
}

DH *
dh_new_group1()
{
	static char *group1 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	    "FFFFFFFF" "FFFFFFFF";
	DH *dh;
	int ret, tries = 0;
	dh = DH_new();
	if(dh == NULL)
		fatal("DH_new");
	ret = BN_hex2bn(&dh->p, group1);
	if(ret<0)
		fatal("BN_hex2bn");
	dh->g = BN_new();
	if(dh->g == NULL)
		fatal("DH_new g");
	BN_set_word(dh->g, 2);
	do {
		if (DH_generate_key(dh) == 0)
			fatal("DH_generate_key");
		if (tries++ > 10)
			fatal("dh_new_group1: too many bad keys: giving up");
	} while (!dh_pub_is_valid(dh, dh->pub_key));
	return dh;
}

void
bignum_print(BIGNUM *b)
{
	BN_print_fp(stderr,b);
}

void
dump_digest(unsigned char *digest, int len)
{
	int i;
        for (i = 0; i< len; i++){
                fprintf(stderr, "%02x", digest[i]);
		if(i%2!=0)
			fprintf(stderr, " ");
	}
        fprintf(stderr, "\n");
}

unsigned char *
kex_hash(
    char *client_version_string,
    char *server_version_string,
    char *ckexinit, int ckexinitlen,
    char *skexinit, int skexinitlen,
    char *serverhostkeyblob, int sbloblen,
    BIGNUM *client_dh_pub,
    BIGNUM *server_dh_pub,
    BIGNUM *shared_secret)
{
	Buffer b;
	static unsigned char digest[EVP_MAX_MD_SIZE];
	EVP_MD *evp_md = EVP_sha1();
	EVP_MD_CTX md;

	buffer_init(&b);
	buffer_put_string(&b, client_version_string, strlen(client_version_string));
	buffer_put_string(&b, server_version_string, strlen(server_version_string));

	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
	buffer_put_int(&b, ckexinitlen+1);
	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	buffer_append(&b, ckexinit, ckexinitlen);
	buffer_put_int(&b, skexinitlen+1);
	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	buffer_append(&b, skexinit, skexinitlen);

	buffer_put_string(&b, serverhostkeyblob, sbloblen);
	buffer_put_bignum2(&b, client_dh_pub);
	buffer_put_bignum2(&b, server_dh_pub);
	buffer_put_bignum2(&b, shared_secret);
	
#ifdef DEBUG_KEX
	buffer_dump(&b);
#endif

	EVP_DigestInit(&md, evp_md);
	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	EVP_DigestFinal(&md, digest, NULL);

	buffer_free(&b);

#ifdef DEBUG_KEX
        dump_digest(digest, evp_md->md_size);
#endif
	return digest;
}

unsigned char *
derive_key(int id, int need, char unsigned *hash, BIGNUM *shared_secret)
{
	Buffer b;
	EVP_MD *evp_md = EVP_sha1();
	EVP_MD_CTX md;
	char c = id;
	int have;
	int mdsz = evp_md->md_size;
	unsigned char *digest = xmalloc(((need+mdsz-1)/mdsz)*mdsz);

	buffer_init(&b);
	buffer_put_bignum2(&b, shared_secret);

	EVP_DigestInit(&md, evp_md);
	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));	/* shared_secret K */
	EVP_DigestUpdate(&md, hash, mdsz);		/* transport-06 */
	EVP_DigestUpdate(&md, &c, 1);			/* key id */
	EVP_DigestUpdate(&md, hash, mdsz);		/* session id */
	EVP_DigestFinal(&md, digest, NULL);

	/* expand */
	for (have = mdsz; need > have; have += mdsz) {
		EVP_DigestInit(&md, evp_md);
		EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
		EVP_DigestUpdate(&md, hash, mdsz);
		EVP_DigestUpdate(&md, digest, have);
		EVP_DigestFinal(&md, digest + have, NULL);
	}
	buffer_free(&b);
#ifdef DEBUG_KEX
	fprintf(stderr, "Digest '%c'== ", c);
	dump_digest(digest, need);
#endif
	return digest;
}

#define NKEYS	6

#define	MAX_PROP	20
#define	SEP	","

char *
get_match(char *client, char *server)
{
	char *sproposals[MAX_PROP];
	char *p;
	int i, j, nproposals;

	for ((p = strtok(server, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) {
		if (i < MAX_PROP)
			sproposals[i] = p;
		else
			break;
	}
	nproposals = i;

	for ((p = strtok(client, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) {
		for (j = 0; j < nproposals; j++)
			if (strcmp(p, sproposals[j]) == 0)
				return xstrdup(p);
	}
	return NULL;
}
void
choose_enc(Enc *enc, char *client, char *server)
{
	char *name = get_match(client, server);
	if (name == NULL)
		fatal("no matching cipher found: client %s server %s", client, server);
	enc->type = cipher_number(name);

	switch (enc->type) {
	case SSH_CIPHER_3DES_CBC:
		enc->key_len = 24;
		enc->iv_len = 8;
		enc->block_size = 8;
		break;
	case SSH_CIPHER_BLOWFISH_CBC:
	case SSH_CIPHER_CAST128_CBC:
		enc->key_len = 16;
		enc->iv_len = 8;
		enc->block_size = 8;
		break;
	case SSH_CIPHER_ARCFOUR:
		enc->key_len = 16;
		enc->iv_len = 0;
		enc->block_size = 8;
		break;
	default:
		fatal("unsupported cipher %s", name);
	}
	enc->name = name;
	enc->enabled = 0;
	enc->iv = NULL;
	enc->key = NULL;
}
void
choose_mac(Mac *mac, char *client, char *server)
{
	char *name = get_match(client, server);
	if (name == NULL)
		fatal("no matching mac found: client %s server %s", client, server);
	if (strcmp(name, "hmac-md5") == 0) {
		mac->md = EVP_md5();
	} else if (strcmp(name, "hmac-sha1") == 0) {
		mac->md = EVP_sha1();
	} else if (strcmp(name, "hmac-ripemd160@openssh.com") == 0) {
		mac->md = EVP_ripemd160();
	} else {
		fatal("unsupported mac %s", name);
	}
	mac->name = name;
	mac->mac_len = mac->md->md_size;
	mac->key_len = datafellows ? 16 : mac->mac_len;
	mac->key = NULL;
	mac->enabled = 0;
}
void
choose_comp(Comp *comp, char *client, char *server)
{
	char *name = get_match(client, server);
	if (name == NULL)
		fatal("no matching comp found: client %s server %s", client, server);
	if (strcmp(name, "zlib") == 0) {
		comp->type = 1;
	} else if (strcmp(name, "none") == 0) {
		comp->type = 0;
	} else {
		fatal("unsupported comp %s", name);
	}
	comp->name = name;
}
void
choose_kex(Kex *k, char *client, char *server)
{
	k->name = get_match(client, server);
	if (k->name == NULL)
		fatal("no kex alg");
    	if (strcmp(k->name, KEX_DH1) != 0)
		fatal("bad kex alg %s", k->name);
}
void
choose_hostkeyalg(Kex *k, char *client, char *server)
{
	k->hostkeyalg = get_match(client, server);
	if (k->hostkeyalg == NULL)
		fatal("no hostkey alg");
	if (strcmp(k->hostkeyalg, KEX_DSS) != 0)
		fatal("bad hostkey alg %s", k->hostkeyalg);
}

Kex *
kex_choose_conf(char *cprop[PROPOSAL_MAX], char *sprop[PROPOSAL_MAX], int server)
{
	int i;
	int mode;
	int ctos;				/* direction: if true client-to-server */
	int need;
	Kex *k;

	k = xmalloc(sizeof(*k));
	memset(k, 0, sizeof(*k));
	k->server = server;

	for (mode = 0; mode < MODE_MAX; mode++) {
		int nenc, nmac, ncomp;
		ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN);
		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
		choose_enc (&k->enc [mode], cprop[nenc],  sprop[nenc]);
		choose_mac (&k->mac [mode], cprop[nmac],  sprop[nmac]);
		choose_comp(&k->comp[mode], cprop[ncomp], sprop[ncomp]);
		debug("kex: %s %s %s %s",
		    ctos ? "client->server" : "server->client",
		    k->enc[mode].name,
		    k->mac[mode].name,
		    k->comp[mode].name);
	}
	choose_kex(k, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
	choose_hostkeyalg(k, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
	for (i = 0; i < PROPOSAL_MAX; i++) {
		xfree(cprop[i]);
		xfree(sprop[i]);
	}
	need = 0;
	for (mode = 0; mode < MODE_MAX; mode++) {
	    if (need < k->enc[mode].key_len)
		    need = k->enc[mode].key_len;
	    if (need < k->enc[mode].iv_len)
		    need = k->enc[mode].iv_len;
	    if (need < k->mac[mode].key_len)
		    need = k->mac[mode].key_len;
	}
	/* need runden? */
#define WE_NEED 32
	k->we_need = WE_NEED;
	k->we_need = need;
	return k;
}

int
kex_derive_keys(Kex *k, unsigned char *hash, BIGNUM *shared_secret)
{
	int i;
	int mode;
	int ctos;
	unsigned char *keys[NKEYS];

	for (i = 0; i < NKEYS; i++)
		keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret);

	for (mode = 0; mode < MODE_MAX; mode++) {
		ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN);
		k->enc[mode].iv  = keys[ctos ? 0 : 1];
		k->enc[mode].key = keys[ctos ? 2 : 3];
		k->mac[mode].key = keys[ctos ? 4 : 5];
	}
	return 0;
}
Commit	Line	Data
7e7327a1	1	/*
	2	* Copyright (c) 2000 Markus Friedl. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	* 3. All advertising materials mentioning features or use of this software
	13	* must display the following acknowledgement:
	14	* This product includes software developed by Markus Friedl.
	15	* 4. The name of the author may not be used to endorse or promote products
	16	* derived from this software without specific prior written permission.
	17	*
	18	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	19	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	20	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	21	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	22	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	23	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	24	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	25	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	26	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	27	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	28	*/
	29
	30	#include "includes.h"
	31	RCSID("$Id$");
	32
	33	#include "ssh.h"
	34	#include "ssh2.h"
	35	#include "xmalloc.h"
	36	#include "buffer.h"
	37	#include "bufaux.h"
	38	#include "cipher.h"
	39	#include "compat.h"
	40
	41	#if HAVE_OPENSSL
	42	# include <openssl/bn.h>
	43	# include <openssl/dh.h>
	44	# include <openssl/crypto.h>
	45	# include <openssl/bio.h>
7e7327a1	46	# include <openssl/pem.h>
	47	#endif /* HAVE_OPENSSL */
	48	#if HAVE_SSL
	49	# include <ssl/bn.h>
	50	# include <ssl/dh.h>
	51	# include <ssl/crypto.h>
	52	# include <ssl/bio.h>
7e7327a1	53	# include <ssl/pem.h>
	54	#endif /* HAVE_SSL */
	55
7e7327a1	56	#include "kex.h"
	57
	58	Buffer *
	59	kex_init(char *myproposal[PROPOSAL_MAX])
	60	{
	61	char c = 0;
	62	unsigned char cookie[16];
	63	u_int32_t rand = 0;
	64	int i;
	65	Buffer ki = xmalloc(sizeof(ki));
	66	for (i = 0; i < 16; i++) {
	67	if (i % 4 == 0)
	68	rand = arc4random();
	69	cookie[i] = rand & 0xff;
	70	rand >>= 8;
	71	}
	72	buffer_init(ki);
	73	buffer_append(ki, (char *)cookie, sizeof cookie);
	74	for (i = 0; i < PROPOSAL_MAX; i++)
	75	buffer_put_cstring(ki, myproposal[i]);
	76	buffer_append(ki, &c, 1); /* boolean first_kex_packet_follows */
	77	buffer_put_int(ki, 0); /* uint32 0 (reserved for future extension) */
	78	return ki;
	79	}
	80
	81	/* diffie-hellman-group1-sha1 */
	82
a8be9f80	83	int
	84	dh_pub_is_valid(DH dh, BIGNUM dh_pub)
	85	{
	86	int i;
	87	int n = BN_num_bits(dh_pub);
	88	int bits_set = 0;
	89
	90	/* we only accept g==2 */
	91	if (!BN_is_word(dh->g, 2)) {
	92	log("invalid DH base != 2");
	93	return 0;
	94	}
	95	if (dh_pub->neg) {
	96	log("invalid public DH value: negativ");
	97	return 0;
	98	}
	99	for (i = 0; i <= n; i++)
	100	if (BN_is_bit_set(dh_pub, i))
	101	bits_set++;
	102	debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
	103
	104	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	105	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
	106	return 1;
	107	log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	108	return 0;
	109	}
	110
7e7327a1	111	DH *
a8be9f80	112	dh_new_group1()
7e7327a1	113	{
	114	static char *group1 =
	115	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	116	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	117	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	118	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	119	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	120	"FFFFFFFF" "FFFFFFFF";
	121	DH *dh;
a8be9f80	122	int ret, tries = 0;
7e7327a1	123	dh = DH_new();
	124	if(dh == NULL)
	125	fatal("DH_new");
a8be9f80	126	ret = BN_hex2bn(&dh->p, group1);
7e7327a1	127	if(ret<0)
	128	fatal("BN_hex2bn");
	129	dh->g = BN_new();
	130	if(dh->g == NULL)
	131	fatal("DH_new g");
a8be9f80	132	BN_set_word(dh->g, 2);
	133	do {
	134	if (DH_generate_key(dh) == 0)
	135	fatal("DH_generate_key");
	136	if (tries++ > 10)
	137	fatal("dh_new_group1: too many bad keys: giving up");
	138	} while (!dh_pub_is_valid(dh, dh->pub_key));
7e7327a1	139	return dh;
	140	}
	141
	142	void
	143	bignum_print(BIGNUM *b)
	144	{
	145	BN_print_fp(stderr,b);
	146	}
	147
	148	void
	149	dump_digest(unsigned char *digest, int len)
	150	{
	151	int i;
	152	for (i = 0; i< len; i++){
	153	fprintf(stderr, "%02x", digest[i]);
	154	if(i%2!=0)
	155	fprintf(stderr, " ");
	156	}
	157	fprintf(stderr, "\n");
	158	}
	159
	160	unsigned char *
	161	kex_hash(
	162	char *client_version_string,
	163	char *server_version_string,
	164	char *ckexinit, int ckexinitlen,
	165	char *skexinit, int skexinitlen,
	166	char *serverhostkeyblob, int sbloblen,
	167	BIGNUM *client_dh_pub,
	168	BIGNUM *server_dh_pub,
	169	BIGNUM *shared_secret)
	170	{
	171	Buffer b;
	172	static unsigned char digest[EVP_MAX_MD_SIZE];
	173	EVP_MD *evp_md = EVP_sha1();
	174	EVP_MD_CTX md;
	175
	176	buffer_init(&b);
	177	buffer_put_string(&b, client_version_string, strlen(client_version_string));
	178	buffer_put_string(&b, server_version_string, strlen(server_version_string));
	179
	180	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
	181	buffer_put_int(&b, ckexinitlen+1);
	182	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	183	buffer_append(&b, ckexinit, ckexinitlen);
	184	buffer_put_int(&b, skexinitlen+1);
	185	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	186	buffer_append(&b, skexinit, skexinitlen);
	187
	188	buffer_put_string(&b, serverhostkeyblob, sbloblen);
	189	buffer_put_bignum2(&b, client_dh_pub);
	190	buffer_put_bignum2(&b, server_dh_pub);
	191	buffer_put_bignum2(&b, shared_secret);
	192
	193	#ifdef DEBUG_KEX
	194	buffer_dump(&b);
	195	#endif
	196
	197	EVP_DigestInit(&md, evp_md);
	198	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	199	EVP_DigestFinal(&md, digest, NULL);
	200
	201	buffer_free(&b);
	202
203	#ifdef DEBUG_KEX
204	dump_digest(digest, evp_md->md_size);
205	#endif
206	return digest;
207	}
208
209	unsigned char *
210	derive_key(int id, int need, char unsigned hash, BIGNUM shared_secret)
211	{
212	Buffer b;
213	EVP_MD *evp_md = EVP_sha1();
214	EVP_MD_CTX md;
215	char c = id;
216	int have;
217	int mdsz = evp_md->md_size;
218	unsigned char digest = xmalloc(((need+mdsz-1)/mdsz)mdsz);
219
220	buffer_init(&b);
221	buffer_put_bignum2(&b, shared_secret);
222
223	EVP_DigestInit(&md, evp_md);
224	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); /* shared_secret K */
225	EVP_DigestUpdate(&md, hash, mdsz); /* transport-06 */
226	EVP_DigestUpdate(&md, &c, 1); /* key id */
227	EVP_DigestUpdate(&md, hash, mdsz); /* session id */
228	EVP_DigestFinal(&md, digest, NULL);
229
230	/* expand */
231	for (have = mdsz; need > have; have += mdsz) {
232	EVP_DigestInit(&md, evp_md);
233	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
234	EVP_DigestUpdate(&md, hash, mdsz);
235	EVP_DigestUpdate(&md, digest, have);
236	EVP_DigestFinal(&md, digest + have, NULL);
237	}
238	buffer_free(&b);
239	#ifdef DEBUG_KEX
240	fprintf(stderr, "Digest '%c'== ", c);
241	dump_digest(digest, need);
242	#endif
243	return digest;
244	}
245
246	#define NKEYS 6
247
248	#define MAX_PROP 20
249	#define SEP ","
250
251	char *
252	get_match(char client, char server)
253	{
254	char *sproposals[MAX_PROP];
255	char *p;
256	int i, j, nproposals;
257
258	for ((p = strtok(server, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) {
259	if (i < MAX_PROP)
260	sproposals[i] = p;
261	else
262	break;
263	}
264	nproposals = i;
265
266	for ((p = strtok(client, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) {
267	for (j = 0; j < nproposals; j++)
268	if (strcmp(p, sproposals[j]) == 0)
269	return xstrdup(p);
270	}
271	return NULL;
272	}
273	void
274	choose_enc(Enc enc, char client, char *server)
275	{
276	char *name = get_match(client, server);
277	if (name == NULL)
278	fatal("no matching cipher found: client %s server %s", client, server);
279	enc->type = cipher_number(name);
280
281	switch (enc->type) {
282	case SSH_CIPHER_3DES_CBC:
283	enc->key_len = 24;
284	enc->iv_len = 8;
285	enc->block_size = 8;
286	break;
287	case SSH_CIPHER_BLOWFISH_CBC:
288	case SSH_CIPHER_CAST128_CBC:
289	enc->key_len = 16;
290	enc->iv_len = 8;
291	enc->block_size = 8;
292	break;
293	case SSH_CIPHER_ARCFOUR:
294	enc->key_len = 16;
295	enc->iv_len = 0;
296	enc->block_size = 8;
297	break;
298	default:
299	fatal("unsupported cipher %s", name);
300	}
301	enc->name = name;
302	enc->enabled = 0;
303	enc->iv = NULL;
304	enc->key = NULL;
305	}
306	void
307	choose_mac(Mac mac, char client, char *server)
308	{
309	char *name = get_match(client, server);
310	if (name == NULL)
311	fatal("no matching mac found: client %s server %s", client, server);
312	if (strcmp(name, "hmac-md5") == 0) {
313	mac->md = EVP_md5();
314	} else if (strcmp(name, "hmac-sha1") == 0) {
315	mac->md = EVP_sha1();
316	} else if (strcmp(name, "hmac-ripemd160@openssh.com") == 0) {
317	mac->md = EVP_ripemd160();
318	} else {
319	fatal("unsupported mac %s", name);
320	}
321	mac->name = name;
322	mac->mac_len = mac->md->md_size;
323	mac->key_len = datafellows ? 16 : mac->mac_len;
324	mac->key = NULL;
325	mac->enabled = 0;
326	}
327	void
328	choose_comp(Comp comp, char client, char *server)
329	{
330	char *name = get_match(client, server);
331	if (name == NULL)
332	fatal("no matching comp found: client %s server %s", client, server);
333	if (strcmp(name, "zlib") == 0) {
334	comp->type = 1;
335	} else if (strcmp(name, "none") == 0) {
336	comp->type = 0;
337	} else {
338	fatal("unsupported comp %s", name);
339	}
340	comp->name = name;
341	}
342	void
343	choose_kex(Kex k, char client, char *server)
344	{
345	k->name = get_match(client, server);
346	if (k->name == NULL)
347	fatal("no kex alg");
348	if (strcmp(k->name, KEX_DH1) != 0)
349	fatal("bad kex alg %s", k->name);
350	}
351	void
352	choose_hostkeyalg(Kex k, char client, char *server)
353	{
354	k->hostkeyalg = get_match(client, server);
355	if (k->hostkeyalg == NULL)
356	fatal("no hostkey alg");
357	if (strcmp(k->hostkeyalg, KEX_DSS) != 0)
358	fatal("bad hostkey alg %s", k->hostkeyalg);
359	}
360
361	Kex *
362	kex_choose_conf(char cprop[PROPOSAL_MAX], char sprop[PROPOSAL_MAX], int server)
363	{
364	int i;
365	int mode;
366	int ctos; /* direction: if true client-to-server */
367	int need;
368	Kex *k;
369
370	k = xmalloc(sizeof(*k));
371	memset(k, 0, sizeof(*k));
372	k->server = server;
373
374	for (mode = 0; mode < MODE_MAX; mode++) {
375	int nenc, nmac, ncomp;
376	ctos = (!k->server && mode == MODE_OUT) \|\| (k->server && mode == MODE_IN);
377	nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
378	nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
379	ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
380	choose_enc (&k->enc [mode], cprop[nenc], sprop[nenc]);
381	choose_mac (&k->mac [mode], cprop[nmac], sprop[nmac]);
382	choose_comp(&k->comp[mode], cprop[ncomp], sprop[ncomp]);
a8be9f80	383	debug("kex: %s %s %s %s",
7e7327a1	384	ctos ? "client->server" : "server->client",
	385	k->enc[mode].name,
	386	k->mac[mode].name,
	387	k->comp[mode].name);
	388	}
	389	choose_kex(k, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
	390	choose_hostkeyalg(k, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
	391	sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
	392	for (i = 0; i < PROPOSAL_MAX; i++) {
	393	xfree(cprop[i]);
	394	xfree(sprop[i]);
	395	}
	396	need = 0;
	397	for (mode = 0; mode < MODE_MAX; mode++) {
	398	if (need < k->enc[mode].key_len)
	399	need = k->enc[mode].key_len;
	400	if (need < k->enc[mode].iv_len)
	401	need = k->enc[mode].iv_len;
	402	if (need < k->mac[mode].key_len)
	403	need = k->mac[mode].key_len;
	404	}
	405	/* need runden? */
	406	#define WE_NEED 32
	407	k->we_need = WE_NEED;
	408	k->we_need = need;
	409	return k;
	410	}
	411
	412	int
	413	kex_derive_keys(Kex k, unsigned char hash, BIGNUM *shared_secret)
	414	{
	415	int i;
	416	int mode;
	417	int ctos;
	418	unsigned char *keys[NKEYS];
	419
	420	for (i = 0; i < NKEYS; i++)
	421	keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret);
	422
	423	for (mode = 0; mode < MODE_MAX; mode++) {
	424	ctos = (!k->server && mode == MODE_OUT) \|\| (k->server && mode == MODE_IN);
	425	k->enc[mode].iv = keys[ctos ? 0 : 1];
	426	k->enc[mode].key = keys[ctos ? 2 : 3];
	427	k->mac[mode].key = keys[ctos ? 4 : 5];
	428	}
	429	return 0;
	430	}