From 2ff8003af3d0ccda9b7df5a8a58189917418b659 Mon Sep 17 00:00:00 2001
From: djm <djm>
Date: Wed, 15 Mar 2006 01:08:28 +0000
Subject: [PATCH]    - djm@cvs.openbsd.org 2006/03/07 09:07:40      [kex.c
 kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]     
 Implement the diffie-hellman-group-exchange-sha256 key exchange method     
 using the SHA256 code in libc (and wrapper to make it into an OpenSSL     
 EVP), interop tested against CVS PuTTY      NB. no portability bits committed
 yet

---
 ChangeLog     |  6 +++++
 kex.c         |  7 ++++-
 kex.h         |  4 ++-
 md-sha256.c   | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++
 monitor.c     |  9 +++++--
 myproposal.h  | 10 +++++---
 ssh-keyscan.c |  3 ++-
 sshconnect2.c |  3 ++-
 sshd.c        |  1 +
 9 files changed, 104 insertions(+), 10 deletions(-)
 create mode 100644 md-sha256.c

diff --git a/ChangeLog b/ChangeLog
index e2c6b895..20823b0f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -236,6 +236,12 @@
    - markus@cvs.openbsd.org 2006/03/14 16:32:48
      [ssh_config.5 sshd_config.5]
      *AliveCountMax applies to protcol v2 only; ok dtucker, djm
+   - djm@cvs.openbsd.org 2006/03/07 09:07:40
+     [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
+     Implement the diffie-hellman-group-exchange-sha256 key exchange method
+     using the SHA256 code in libc (and wrapper to make it into an OpenSSL
+     EVP), interop tested against CVS PuTTY
+     NB. no portability bits committed yet
 
 20060313
  - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
diff --git a/kex.c b/kex.c
index cd71be9c..175613b4 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
+RCSID("$OpenBSD: kex.c,v 1.66 2006/03/07 09:07:40 djm Exp $");
 
 #include <openssl/crypto.h>
 
@@ -44,6 +44,8 @@ RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
 
 #define KEX_COOKIE_LEN	16
 
+extern const EVP_MD *evp_ssh_sha256(void);
+
 /* prototype */
 static void kex_kexinit_finish(Kex *);
 static void kex_choose_conf(Kex *);
@@ -301,6 +303,9 @@ choose_kex(Kex *k, char *client, char *server)
 	} else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
 		k->kex_type = KEX_DH_GEX_SHA1;
 		k->evp_md = EVP_sha1();
+	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
+		k->kex_type = KEX_DH_GEX_SHA256;
+		k->evp_md = evp_ssh_sha256();
 	} else
 		fatal("bad kex alg %s", k->name);
 }
diff --git a/kex.h b/kex.h
index bbd931e0..e2ba0a98 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kex.h,v 1.38 2005/11/04 05:15:59 djm Exp $	*/
+/*	$OpenBSD: kex.h,v 1.39 2006/03/07 09:07:40 djm Exp $	*/
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -34,6 +34,7 @@
 #define	KEX_DH1			"diffie-hellman-group1-sha1"
 #define	KEX_DH14		"diffie-hellman-group14-sha1"
 #define	KEX_DHGEX_SHA1		"diffie-hellman-group-exchange-sha1"
+#define	KEX_DHGEX_SHA256	"diffie-hellman-group-exchange-sha256"
 
 #define COMP_NONE	0
 #define COMP_ZLIB	1
@@ -63,6 +64,7 @@ enum kex_exchange {
 	KEX_DH_GRP1_SHA1,
 	KEX_DH_GRP14_SHA1,
 	KEX_DH_GEX_SHA1,
+	KEX_DH_GEX_SHA256,
 	KEX_MAX
 };
 
diff --git a/md-sha256.c b/md-sha256.c
new file mode 100644
index 00000000..08848f84
--- /dev/null
+++ b/md-sha256.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2005 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* EVP wrapper for SHA256 */
+
+#include "includes.h"
+#include <openssl/evp.h>
+#include <sha2.h>
+
+RCSID("$OpenBSD: md-sha256.c,v 1.1 2006/03/07 09:07:40 djm Exp $");
+
+const EVP_MD *evp_ssh_sha256(void);
+
+static int
+ssh_sha256_init(EVP_MD_CTX *ctxt)
+{
+	SHA256_Init(ctxt->md_data);
+	return (1);
+}
+
+static int
+ssh_sha256_update(EVP_MD_CTX *ctxt, const void *data, unsigned long len)
+{
+	SHA256_Update(ctxt->md_data, data, len);
+	return (1);
+}
+
+static int
+ssh_sha256_final(EVP_MD_CTX *ctxt, unsigned char *digest)
+{
+	SHA256_Final(digest, ctxt->md_data);
+	return (1);
+}
+
+static int
+ssh_sha256_cleanup(EVP_MD_CTX *ctxt)
+{
+	memset(ctxt->md_data, 0, sizeof(SHA256_CTX));
+	return (1);
+}
+
+const EVP_MD *
+evp_ssh_sha256(void)
+{
+	static EVP_MD ssh_sha256;
+
+	memset(&ssh_sha256, 0, sizeof(ssh_sha256));
+	ssh_sha256.type = NID_undef;
+	ssh_sha256.md_size = SHA256_DIGEST_LENGTH;
+	ssh_sha256.init = ssh_sha256_init;
+	ssh_sha256.update = ssh_sha256_update;
+	ssh_sha256.final = ssh_sha256_final;
+	ssh_sha256.cleanup = ssh_sha256_cleanup;
+	ssh_sha256.block_size = SHA256_BLOCK_LENGTH;
+	ssh_sha256.ctx_size = sizeof(SHA256_CTX);
+
+	return (&ssh_sha256);
+}
diff --git a/monitor.c b/monitor.c
index 3260d473..30849a37 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.68 2006/02/20 17:02:44 stevesk Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.69 2006/03/07 09:07:40 djm Exp $");
 
 #include <sys/types.h>
 #include <sys/wait.h>
@@ -543,7 +543,11 @@ mm_answer_sign(int sock, Buffer *m)
 	keyid = buffer_get_int(m);
 	p = buffer_get_string(m, &datlen);
 
-	if (datlen != 20)
+	/*
+	 * Supported KEX types will only return SHA1 (20 byte) or 
+	 * SHA256 (32 byte) hashes
+	 */
+	if (datlen != 20 && datlen != 32)
 		fatal("%s: data length incorrect: %u", __func__, datlen);
 
 	/* save session id, it will be passed on the first call */
@@ -1627,6 +1631,7 @@ mm_get_kex(Buffer *m)
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->server = 1;
 	kex->hostkey_type = buffer_get_int(m);
 	kex->kex_type = buffer_get_int(m);
diff --git a/myproposal.h b/myproposal.h
index d8cba1ca..cc94a8ed 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: myproposal.h,v 1.18 2005/07/25 11:59:39 markus Exp $	*/
+/*	$OpenBSD: myproposal.h,v 1.19 2006/03/07 09:07:40 djm Exp $	*/
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -23,9 +23,11 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-#define KEX_DEFAULT_KEX		"diffie-hellman-group-exchange-sha1," \
-	"diffie-hellman-group14-sha1," \
-	"diffie-hellman-group1-sha1"
+#define KEX_DEFAULT_KEX		\
+	"diffie-hellman-group-exchange-sha256," \
+	"diffie-hellman-group-exchange-sha1," \
+ 	"diffie-hellman-group14-sha1," \
+ 	"diffie-hellman-group1-sha1"
 #define	KEX_DEFAULT_PK_ALG	"ssh-rsa,ssh-dss"
 #define	KEX_DEFAULT_ENCRYPT \
 	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 13e7c721..f05c4697 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -7,7 +7,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.59 2006/02/08 14:31:30 stevesk Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.60 2006/03/07 09:07:40 djm Exp $");
  
 #include "openbsd-compat/sys-queue.h"
 #include <sys/resource.h>
@@ -351,6 +351,7 @@ keygrab_ssh2(con *c)
 	c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
 	c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
 	c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+	c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 	c->c_kex->verify_host_key = hostjump;
 
 	if (!(j = setjmp(kexjmp))) {
diff --git a/sshconnect2.c b/sshconnect2.c
index f2776edb..b01a3ca5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.146 2006/02/20 17:19:54 stevesk Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.147 2006/03/07 09:07:40 djm Exp $");
 
 #include <sys/types.h>
 #include <sys/wait.h>
@@ -127,6 +127,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
 	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
 	kex->verify_host_key=&verify_host_key_callback;
diff --git a/sshd.c b/sshd.c
index 19c2d96a..6f458eb3 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2042,6 +2042,7 @@ do_ssh2_kex(void)
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->server = 1;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
-- 
2.45.1