Home Verkennen Help
Inloggen
8516
/
Test
1
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Aftakking: master
Aftakkingen Labels
Test
/
EVSE
/
GPL
/
dropbear-2017.75
/
common-kex.c

common-kex.c 28 KB
Permalink Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957 
  1. /*
    2. 

  2.  * Dropbear SSH
    3. 

  3.  * 
    4. 

  4.  * Copyright (c) 2002-2004 Matt Johnston
    5. 

  5.  * Portions Copyright (c) 2004 by Mihnea Stoenescu
    6. 

  6.  * All rights reserved.
    7. 

  7.  * 
    8. 

  8.  * Permission is hereby granted, free of charge, to any person obtaining a copy
    9. 

  9.  * of this software and associated documentation files (the "Software"), to deal
    10. 

  10.  * in the Software without restriction, including without limitation the rights
    11. 

  11.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    12. 

  12.  * copies of the Software, and to permit persons to whom the Software is
    13. 

  13.  * furnished to do so, subject to the following conditions:
    14. 

  14.  * 
    15. 

  15.  * The above copyright notice and this permission notice shall be included in
    16. 

  16.  * all copies or substantial portions of the Software.
    17. 

  17.  * 
    18. 

  18.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    19. 

  19.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    20. 

  20.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    21. 

  21.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    22. 

  22.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    23. 

  23.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    24. 

  24.  * SOFTWARE. */
    25. 

  25. 

  26. #include "includes.h"
    27. 

  27. #include "dbutil.h"
    28. 

  28. #include "algo.h"
    29. 

  29. #include "buffer.h"
    30. 

  30. #include "session.h"
    31. 

  31. #include "kex.h"
    32. 

  32. #include "dh_groups.h"
    33. 

  33. #include "ssh.h"
    34. 

  34. #include "packet.h"
    35. 

  35. #include "bignum.h"
    36. 

  36. #include "dbrandom.h"
    37. 

  37. #include "runopts.h"
    38. 

  38. #include "ecc.h"
    39. 

  39. #include "crypto_desc.h"
    40. 

  40. 

  41. static void kexinitialise(void);
    42. 

  42. static void gen_new_keys(void);
    43. 

  43. #ifndef DISABLE_ZLIB
    44. 

  44. static void gen_new_zstream_recv(void);
    45. 

  45. static void gen_new_zstream_trans(void);
    46. 

  46. #endif
    47. 

  47. static void read_kex_algos(void);
    48. 

  48. /* helper function for gen_new_keys */
    49. 

  49. static void hashkeys(unsigned char *out, unsigned int outlen, 
    50. 

  50. 		const hash_state * hs, const unsigned char X);
    51. 

  51. static void finish_kexhashbuf(void);
    52. 

  52. 

  53. 

  54. /* Send our list of algorithms we can use */
    55. 

  55. void send_msg_kexinit() {
    56. 

  56. 

  57. 	CHECKCLEARTOWRITE();
    58. 

  58. 	buf_putbyte(ses.writepayload, SSH_MSG_KEXINIT);
    59. 

  59. 

  60. 	/* cookie */
    61. 

  61. 	genrandom(buf_getwriteptr(ses.writepayload, 16), 16);
    62. 

  62. 	buf_incrwritepos(ses.writepayload, 16);
    63. 

  63. 

  64. 	/* kex algos */
    65. 

  65. 	buf_put_algolist(ses.writepayload, sshkex);
    66. 

  66. 

  67. 	/* server_host_key_algorithms */
    68. 

  68. 	buf_put_algolist(ses.writepayload, sshhostkey);
    69. 

  69. 

  70. 	/* encryption_algorithms_client_to_server */
    71. 

  71. 	buf_put_algolist(ses.writepayload, sshciphers);
    72. 

  72. 

  73. 	/* encryption_algorithms_server_to_client */
    74. 

  74. 	buf_put_algolist(ses.writepayload, sshciphers);
    75. 

  75. 

  76. 	/* mac_algorithms_client_to_server */
    77. 

  77. 	buf_put_algolist(ses.writepayload, sshhashes);
    78. 

  78. 

  79. 	/* mac_algorithms_server_to_client */
    80. 

  80. 	buf_put_algolist(ses.writepayload, sshhashes);
    81. 

  81. 

  82. 

  83. 	/* compression_algorithms_client_to_server */
    84. 

  84. 	buf_put_algolist(ses.writepayload, ses.compress_algos);
    85. 

  85. 

  86. 	/* compression_algorithms_server_to_client */
    87. 

  87. 	buf_put_algolist(ses.writepayload, ses.compress_algos);
    88. 

  88. 

  89. 	/* languages_client_to_server */
    90. 

  90. 	buf_putstring(ses.writepayload, "", 0);
    91. 

  91. 

  92. 	/* languages_server_to_client */
    93. 

  93. 	buf_putstring(ses.writepayload, "", 0);
    94. 

  94. 

  95. 	/* first_kex_packet_follows */
    96. 

  96. 	buf_putbyte(ses.writepayload, (ses.send_kex_first_guess != NULL));
    97. 

  97. 

  98. 	/* reserved unit32 */
    99. 

  99. 	buf_putint(ses.writepayload, 0);
    100. 

  100. 

  101. 	/* set up transmitted kex packet buffer for hashing. 
    102. 

  102. 	 * This is freed after the end of the kex */
    103. 

  103. 	ses.transkexinit = buf_newcopy(ses.writepayload);
    104. 

  104. 

  105. 	encrypt_packet();
    106. 

  106. 	ses.dataallowed = 0; /* don't send other packets during kex */
    107. 

  107. 

  108. 	ses.kexstate.sentkexinit = 1;
    109. 

  109. 

  110. 	ses.newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
    111. 

  111. 

  112. 	if (ses.send_kex_first_guess) {
    113. 

  113. 		ses.newkeys->algo_kex = sshkex[0].data;
    114. 

  114. 		ses.newkeys->algo_hostkey = sshhostkey[0].val;
    115. 

  115. 		ses.send_kex_first_guess();
    116. 

  116. 	}
    117. 

  117. 

  118. 	TRACE(("DATAALLOWED=0"))
    119. 

  119. 	TRACE(("-> KEXINIT"))
    120. 

  120. 

  121. }
    122. 

  122. 

  123. static void switch_keys() {
    124. 

  124. 	TRACE2(("enter switch_keys"))
    125. 

  125. 	if (!(ses.kexstate.sentkexinit && ses.kexstate.recvkexinit)) {
    126. 

  126. 		dropbear_exit("Unexpected newkeys message");
    127. 

  127. 	}
    128. 

  128. 

  129. 	if (!ses.keys) {
    130. 

  130. 		ses.keys = m_malloc(sizeof(*ses.newkeys));
    131. 

  131. 	}
    132. 

  132. 	if (ses.kexstate.recvnewkeys && ses.newkeys->recv.valid) {
    133. 

  133. 		TRACE(("switch_keys recv"))
    134. 

  134. #ifndef DISABLE_ZLIB
    135. 

  135. 		gen_new_zstream_recv();
    136. 

  136. #endif
    137. 

  137. 		ses.keys->recv = ses.newkeys->recv;
    138. 

  138. 		m_burn(&ses.newkeys->recv, sizeof(ses.newkeys->recv));
    139. 

  139. 		ses.newkeys->recv.valid = 0;
    140. 

  140. 	}
    141. 

  141. 	if (ses.kexstate.sentnewkeys && ses.newkeys->trans.valid) {
    142. 

  142. 		TRACE(("switch_keys trans"))
    143. 

  143. #ifndef DISABLE_ZLIB
    144. 

  144. 		gen_new_zstream_trans();
    145. 

  145. #endif
    146. 

  146. 		ses.keys->trans = ses.newkeys->trans;
    147. 

  147. 		m_burn(&ses.newkeys->trans, sizeof(ses.newkeys->trans));
    148. 

  148. 		ses.newkeys->trans.valid = 0;
    149. 

  149. 	}
    150. 

  150. 	if (ses.kexstate.sentnewkeys && ses.kexstate.recvnewkeys)
    151. 

  151. 	{
    152. 

  152. 		TRACE(("switch_keys done"))
    153. 

  153. 		ses.keys->algo_kex = ses.newkeys->algo_kex;
    154. 

  154. 		ses.keys->algo_hostkey = ses.newkeys->algo_hostkey;
    155. 

  155. 		ses.keys->allow_compress = 0;
    156. 

  156. 		m_free(ses.newkeys);
    157. 

  157. 		ses.newkeys = NULL;
    158. 

  158. 		kexinitialise();
    159. 

  159. 	}
    160. 

  160. 	TRACE2(("leave switch_keys"))
    161. 

  161. }
    162. 

  162. 

  163. /* Bring new keys into use after a key exchange, and let the client know*/
    164. 

  164. void send_msg_newkeys() {
    165. 

  165. 

  166. 	TRACE(("enter send_msg_newkeys"))
    167. 

  167. 

  168. 	/* generate the kexinit request */
    169. 

  169. 	CHECKCLEARTOWRITE();
    170. 

  170. 	buf_putbyte(ses.writepayload, SSH_MSG_NEWKEYS);
    171. 

  171. 	encrypt_packet();
    172. 

  172. 

  173. 	
    174. 

  174. 	/* set up our state */
    175. 

  175. 	ses.kexstate.sentnewkeys = 1;
    176. 

  176. 	ses.kexstate.donefirstkex = 1;
    177. 

  177. 	ses.dataallowed = 1; /* we can send other packets again now */
    178. 

  178. 	gen_new_keys();
    179. 

  179. 	switch_keys();
    180. 

  180. 

  181. 	TRACE(("leave send_msg_newkeys"))
    182. 

  182. }
    183. 

  183. 

  184. /* Bring the new keys into use after a key exchange */
    185. 

  185. void recv_msg_newkeys() {
    186. 

  186. 

  187. 	TRACE(("enter recv_msg_newkeys"))
    188. 

  188. 

  189. 	ses.kexstate.recvnewkeys = 1;
    190. 

  190. 	switch_keys();
    191. 

  191. 	
    192. 

  192. 	TRACE(("leave recv_msg_newkeys"))
    193. 

  193. }
    194. 

  194. 

  195. 

  196. /* Set up the kex for the first time */
    197. 

  197. void kexfirstinitialise() {
    198. 

  198. 	ses.kexstate.donefirstkex = 0;
    199. 

  199. 

  200. #ifdef DISABLE_ZLIB
    201. 

  201. 	ses.compress_algos = ssh_nocompress;
    202. 

  202. #else
    203. 

  203. 	switch (opts.compress_mode)
    204. 

  204. 	{
    205. 

  205. 		case DROPBEAR_COMPRESS_DELAYED:
    206. 

  206. 			ses.compress_algos = ssh_delaycompress;
    207. 

  207. 			break;
    208. 

  208. 

  209. 		case DROPBEAR_COMPRESS_ON:
    210. 

  210. 			ses.compress_algos = ssh_compress;
    211. 

  211. 			break;
    212. 

  212. 

  213. 		case DROPBEAR_COMPRESS_OFF:
    214. 

  214. 			ses.compress_algos = ssh_nocompress;
    215. 

  215. 			break;
    216. 

  216. 	}
    217. 

  217. #endif
    218. 

  218. 	kexinitialise();
    219. 

  219. }
    220. 

  220. 

  221. /* Reset the kex state, ready for a new negotiation */
    222. 

  222. static void kexinitialise() {
    223. 

  223. 

  224. 	TRACE(("kexinitialise()"))
    225. 

  225. 

  226. 	/* sent/recv'd MSG_KEXINIT */
    227. 

  227. 	ses.kexstate.sentkexinit = 0;
    228. 

  228. 	ses.kexstate.recvkexinit = 0;
    229. 

  229. 

  230. 	/* sent/recv'd MSG_NEWKEYS */
    231. 

  231. 	ses.kexstate.recvnewkeys = 0;
    232. 

  232. 	ses.kexstate.sentnewkeys = 0;
    233. 

  233. 

  234. 	/* first_packet_follows */
    235. 

  235. 	ses.kexstate.them_firstfollows = 0;
    236. 

  236. 

  237. 	ses.kexstate.datatrans = 0;
    238. 

  238. 	ses.kexstate.datarecv = 0;
    239. 

  239. 

  240. 	ses.kexstate.our_first_follows_matches = 0;
    241. 

  241. 

  242. 	ses.kexstate.lastkextime = monotonic_now();
    243. 

  243. 

  244. }
    245. 

  245. 

  246. /* Helper function for gen_new_keys, creates a hash. It makes a copy of the
    247. 

  247.  * already initialised hash_state hs, which should already have processed
    248. 

  248.  * the dh_K and hash, since these are common. X is the letter 'A', 'B' etc.
    249. 

  249.  * out must have at least min(SHA1_HASH_SIZE, outlen) bytes allocated.
    250. 

  250.  *
    251. 

  251.  * See Section 7.2 of rfc4253 (ssh transport) for details */
    252. 

  252. static void hashkeys(unsigned char *out, unsigned int outlen, 
    253. 

  253. 		const hash_state * hs, const unsigned char X) {
    254. 

  254. 

  255. 	const struct ltc_hash_descriptor *hash_desc = ses.newkeys->algo_kex->hash_desc;
    256. 

  256. 	hash_state hs2;
    257. 

  257. 	unsigned int offset;
    258. 

  258. 	unsigned char tmpout[MAX_HASH_SIZE];
    259. 

  259. 

  260. 	memcpy(&hs2, hs, sizeof(hash_state));
    261. 

  261. 	hash_desc->process(&hs2, &X, 1);
    262. 

  262. 	hash_desc->process(&hs2, ses.session_id->data, ses.session_id->len);
    263. 

  263. 	hash_desc->done(&hs2, tmpout);
    264. 

  264. 	memcpy(out, tmpout, MIN(hash_desc->hashsize, outlen));
    265. 

  265. 	for (offset = hash_desc->hashsize; 
    266. 

  266. 			offset < outlen; 
    267. 

  267. 			offset += hash_desc->hashsize)
    268. 

  268. 	{
    269. 

  269. 		/* need to extend */
    270. 

  270. 		memcpy(&hs2, hs, sizeof(hash_state));
    271. 

  271. 		hash_desc->process(&hs2, out, offset);
    272. 

  272. 		hash_desc->done(&hs2, tmpout);
    273. 

  273. 		memcpy(&out[offset], tmpout, MIN(outlen - offset, hash_desc->hashsize));
    274. 

  274. 	}
    275. 

  275. 	m_burn(&hs2, sizeof(hash_state));
    276. 

  276. }
    277. 

  277. 

  278. /* Generate the actual encryption/integrity keys, using the results of the
    279. 

  279.  * key exchange, as specified in section 7.2 of the transport rfc 4253.
    280. 

  280.  * This occurs after the DH key-exchange.
    281. 

  281.  *
    282. 

  282.  * ses.newkeys is the new set of keys which are generated, these are only
    283. 

  283.  * taken into use after both sides have sent a newkeys message */
    284. 

  284. 

  285. static void gen_new_keys() {
    286. 

  286. 

  287. 	unsigned char C2S_IV[MAX_IV_LEN];
    288. 

  288. 	unsigned char C2S_key[MAX_KEY_LEN];
    289. 

  289. 	unsigned char S2C_IV[MAX_IV_LEN];
    290. 

  290. 	unsigned char S2C_key[MAX_KEY_LEN];
    291. 

  291. 	/* unsigned char key[MAX_KEY_LEN]; */
    292. 

  292. 	unsigned char *trans_IV, *trans_key, *recv_IV, *recv_key;
    293. 

  293. 

  294. 	hash_state hs;
    295. 

  295. 	const struct ltc_hash_descriptor *hash_desc = ses.newkeys->algo_kex->hash_desc;
    296. 

  296. 	char mactransletter, macrecvletter; /* Client or server specific */
    297. 

  297. 

  298. 	TRACE(("enter gen_new_keys"))
    299. 

  299. 	/* the dh_K and hash are the start of all hashes, we make use of that */
    300. 

  300. 

  301. 	hash_desc->init(&hs);
    302. 

  302. 	hash_process_mp(hash_desc, &hs, ses.dh_K);
    303. 

  303. 	mp_clear(ses.dh_K);
    304. 

  304. 	m_free(ses.dh_K);
    305. 

  305. 	hash_desc->process(&hs, ses.hash->data, ses.hash->len);
    306. 

  306. 	buf_burn(ses.hash);
    307. 

  307. 	buf_free(ses.hash);
    308. 

  308. 	ses.hash = NULL;
    309. 

  309. 

  310. 	if (IS_DROPBEAR_CLIENT) {
    311. 

  311. 		trans_IV	= C2S_IV;
    312. 

  312. 		recv_IV		= S2C_IV;
    313. 

  313. 		trans_key	= C2S_key;
    314. 

  314. 		recv_key	= S2C_key;
    315. 

  315. 		mactransletter = 'E';
    316. 

  316. 		macrecvletter = 'F';
    317. 

  317. 	} else {
    318. 

  318. 		trans_IV	= S2C_IV;
    319. 

  319. 		recv_IV		= C2S_IV;
    320. 

  320. 		trans_key	= S2C_key;
    321. 

  321. 		recv_key	= C2S_key;
    322. 

  322. 		mactransletter = 'F';
    323. 

  323. 		macrecvletter = 'E';
    324. 

  324. 	}
    325. 

  325. 

  326. 	hashkeys(C2S_IV, sizeof(C2S_IV), &hs, 'A');
    327. 

  327. 	hashkeys(S2C_IV, sizeof(S2C_IV), &hs, 'B');
    328. 

  328. 	hashkeys(C2S_key, sizeof(C2S_key), &hs, 'C');
    329. 

  329. 	hashkeys(S2C_key, sizeof(S2C_key), &hs, 'D');
    330. 

  330. 

  331. 	if (ses.newkeys->recv.algo_crypt->cipherdesc != NULL) {
    332. 

  332. 		int recv_cipher = find_cipher(ses.newkeys->recv.algo_crypt->cipherdesc->name);
    333. 

  333. 		if (recv_cipher < 0)
    334. 

  334. 			dropbear_exit("Crypto error");
    335. 

  335. 		if (ses.newkeys->recv.crypt_mode->start(recv_cipher, 
    336. 

  336. 				recv_IV, recv_key, 
    337. 

  337. 				ses.newkeys->recv.algo_crypt->keysize, 0, 
    338. 

  338. 				&ses.newkeys->recv.cipher_state) != CRYPT_OK) {
    339. 

  339. 			dropbear_exit("Crypto error");
    340. 

  340. 		}
    341. 

  341. 	}
    342. 

  342. 

  343. 	if (ses.newkeys->trans.algo_crypt->cipherdesc != NULL) {
    344. 

  344. 		int trans_cipher = find_cipher(ses.newkeys->trans.algo_crypt->cipherdesc->name);
    345. 

  345. 		if (trans_cipher < 0)
    346. 

  346. 			dropbear_exit("Crypto error");
    347. 

  347. 		if (ses.newkeys->trans.crypt_mode->start(trans_cipher, 
    348. 

  348. 				trans_IV, trans_key, 
    349. 

  349. 				ses.newkeys->trans.algo_crypt->keysize, 0, 
    350. 

  350. 				&ses.newkeys->trans.cipher_state) != CRYPT_OK) {
    351. 

  351. 			dropbear_exit("Crypto error");
    352. 

  352. 		}
    353. 

  353. 	}
    354. 

  354. 

  355. 	if (ses.newkeys->trans.algo_mac->hash_desc != NULL) {
    356. 

  356. 		hashkeys(ses.newkeys->trans.mackey, 
    357. 

  357. 				ses.newkeys->trans.algo_mac->keysize, &hs, mactransletter);
    358. 

  358. 		ses.newkeys->trans.hash_index = find_hash(ses.newkeys->trans.algo_mac->hash_desc->name);
    359. 

  359. 	}
    360. 

  360. 

  361. 	if (ses.newkeys->recv.algo_mac->hash_desc != NULL) {
    362. 

  362. 		hashkeys(ses.newkeys->recv.mackey, 
    363. 

  363. 				ses.newkeys->recv.algo_mac->keysize, &hs, macrecvletter);
    364. 

  364. 		ses.newkeys->recv.hash_index = find_hash(ses.newkeys->recv.algo_mac->hash_desc->name);
    365. 

  365. 	}
    366. 

  366. 

  367. 	/* Ready to switch over */
    368. 

  368. 	ses.newkeys->trans.valid = 1;
    369. 

  369. 	ses.newkeys->recv.valid = 1;
    370. 

  370. 

  371. 	m_burn(C2S_IV, sizeof(C2S_IV));
    372. 

  372. 	m_burn(C2S_key, sizeof(C2S_key));
    373. 

  373. 	m_burn(S2C_IV, sizeof(S2C_IV));
    374. 

  374. 	m_burn(S2C_key, sizeof(S2C_key));
    375. 

  375. 	m_burn(&hs, sizeof(hash_state));
    376. 

  376. 

  377. 	TRACE(("leave gen_new_keys"))
    378. 

  378. }
    379. 

  379. 

  380. #ifndef DISABLE_ZLIB
    381. 

  381. 

  382. int is_compress_trans() {
    383. 

  383. 	return ses.keys->trans.algo_comp == DROPBEAR_COMP_ZLIB
    384. 

  384. 		|| (ses.authstate.authdone
    385. 

  385. 			&& ses.keys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
    386. 

  386. }
    387. 

  387. 

  388. int is_compress_recv() {
    389. 

  389. 	return ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB
    390. 

  390. 		|| (ses.authstate.authdone
    391. 

  391. 			&& ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
    392. 

  392. }
    393. 

  393. 

  394. /* Set up new zlib compression streams, close the old ones. Only
    395. 

  395.  * called from gen_new_keys() */
    396. 

  396. static void gen_new_zstream_recv() {
    397. 

  397. 

  398. 	/* create new zstreams */
    399. 

  399. 	if (ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB
    400. 

  400. 			|| ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
    401. 

  401. 		ses.newkeys->recv.zstream = (z_streamp)m_malloc(sizeof(z_stream));
    402. 

  402. 		ses.newkeys->recv.zstream->zalloc = Z_NULL;
    403. 

  403. 		ses.newkeys->recv.zstream->zfree = Z_NULL;
    404. 

  404. 		
    405. 

  405. 		if (inflateInit(ses.newkeys->recv.zstream) != Z_OK) {
    406. 

  406. 			dropbear_exit("zlib error");
    407. 

  407. 		}
    408. 

  408. 	} else {
    409. 

  409. 		ses.newkeys->recv.zstream = NULL;
    410. 

  410. 	}
    411. 

  411. 	/* clean up old keys */
    412. 

  412. 	if (ses.keys->recv.zstream != NULL) {
    413. 

  413. 		if (inflateEnd(ses.keys->recv.zstream) == Z_STREAM_ERROR) {
    414. 

  414. 			/* Z_DATA_ERROR is ok, just means that stream isn't ended */
    415. 

  415. 			dropbear_exit("Crypto error");
    416. 

  416. 		}
    417. 

  417. 		m_free(ses.keys->recv.zstream);
    418. 

  418. 	}
    419. 

  419. }
    420. 

  420. 

  421. static void gen_new_zstream_trans() {
    422. 

  422. 

  423. 	if (ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB
    424. 

  424. 			|| ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
    425. 

  425. 		ses.newkeys->trans.zstream = (z_streamp)m_malloc(sizeof(z_stream));
    426. 

  426. 		ses.newkeys->trans.zstream->zalloc = Z_NULL;
    427. 

  427. 		ses.newkeys->trans.zstream->zfree = Z_NULL;
    428. 

  428. 	
    429. 

  429. 		if (deflateInit2(ses.newkeys->trans.zstream, Z_DEFAULT_COMPRESSION,
    430. 

  430. 					Z_DEFLATED, DROPBEAR_ZLIB_WINDOW_BITS, 
    431. 

  431. 					DROPBEAR_ZLIB_MEM_LEVEL, Z_DEFAULT_STRATEGY)
    432. 

  432. 				!= Z_OK) {
    433. 

  433. 			dropbear_exit("zlib error");
    434. 

  434. 		}
    435. 

  435. 	} else {
    436. 

  436. 		ses.newkeys->trans.zstream = NULL;
    437. 

  437. 	}
    438. 

  438. 

  439. 	if (ses.keys->trans.zstream != NULL) {
    440. 

  440. 		if (deflateEnd(ses.keys->trans.zstream) == Z_STREAM_ERROR) {
    441. 

  441. 			/* Z_DATA_ERROR is ok, just means that stream isn't ended */
    442. 

  442. 			dropbear_exit("Crypto error");
    443. 

  443. 		}
    444. 

  444. 		m_free(ses.keys->trans.zstream);
    445. 

  445. 	}
    446. 

  446. }
    447. 

  447. #endif /* DISABLE_ZLIB */
    448. 

  448. 

  449. 

  450. /* Executed upon receiving a kexinit message from the client to initiate
    451. 

  451.  * key exchange. If we haven't already done so, we send the list of our
    452. 

  452.  * preferred algorithms. The client's requested algorithms are processed,
    453. 

  453.  * and we calculate the first portion of the key-exchange-hash for used
    454. 

  454.  * later in the key exchange. No response is sent, as the client should
    455. 

  455.  * initiate the diffie-hellman key exchange */
    456. 

  456. void recv_msg_kexinit() {
    457. 

  457. 	
    458. 

  458. 	unsigned int kexhashbuf_len = 0;
    459. 

  459. 	unsigned int remote_ident_len = 0;
    460. 

  460. 	unsigned int local_ident_len = 0;
    461. 

  461. 

  462. 	TRACE(("<- KEXINIT"))
    463. 

  463. 	TRACE(("enter recv_msg_kexinit"))
    464. 

  464. 	
    465. 

  465. 	if (!ses.kexstate.sentkexinit) {
    466. 

  466. 		/* we need to send a kex packet */
    467. 

  467. 		send_msg_kexinit();
    468. 

  468. 		TRACE(("continue recv_msg_kexinit: sent kexinit"))
    469. 

  469. 	}
    470. 

  470. 

  471. 	/* start the kex hash */
    472. 

  472. 	local_ident_len = strlen(LOCAL_IDENT);
    473. 

  473. 	remote_ident_len = strlen(ses.remoteident);
    474. 

  474. 

  475. 	kexhashbuf_len = local_ident_len + remote_ident_len
    476. 

  476. 		+ ses.transkexinit->len + ses.payload->len
    477. 

  477. 		+ KEXHASHBUF_MAX_INTS;
    478. 

  478. 

  479. 	ses.kexhashbuf = buf_new(kexhashbuf_len);
    480. 

  480. 

  481. 	if (IS_DROPBEAR_CLIENT) {
    482. 

  482. 

  483. 		/* read the peer's choice of algos */
    484. 

  484. 		read_kex_algos();
    485. 

  485. 

  486. 		/* V_C, the client's version string (CR and NL excluded) */
    487. 

  487. 		buf_putstring(ses.kexhashbuf, LOCAL_IDENT, local_ident_len);
    488. 

  488. 		/* V_S, the server's version string (CR and NL excluded) */
    489. 

  489. 		buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
    490. 

  490. 

  491. 		/* I_C, the payload of the client's SSH_MSG_KEXINIT */
    492. 

  492. 		buf_putstring(ses.kexhashbuf,
    493. 

  493. 			(const char*)ses.transkexinit->data, ses.transkexinit->len);
    494. 

  494. 		/* I_S, the payload of the server's SSH_MSG_KEXINIT */
    495. 

  495. 		buf_setpos(ses.payload, ses.payload_beginning);
    496. 

  496. 		buf_putstring(ses.kexhashbuf,
    497. 

  497. 			(const char*)buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
    498. 

  498. 			ses.payload->len-ses.payload->pos);
    499. 

  499. 		ses.requirenext = SSH_MSG_KEXDH_REPLY;
    500. 

  500. 	} else {
    501. 

  501. 		/* SERVER */
    502. 

  502. 

  503. 		/* read the peer's choice of algos */
    504. 

  504. 		read_kex_algos();
    505. 

  505. 		/* V_C, the client's version string (CR and NL excluded) */
    506. 

  506. 		buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
    507. 

  507. 		/* V_S, the server's version string (CR and NL excluded) */
    508. 

  508. 		buf_putstring(ses.kexhashbuf, LOCAL_IDENT, local_ident_len);
    509. 

  509. 

  510. 		/* I_C, the payload of the client's SSH_MSG_KEXINIT */
    511. 

  511. 		buf_setpos(ses.payload, ses.payload_beginning);
    512. 

  512. 		buf_putstring(ses.kexhashbuf, 
    513. 

  513. 			(const char*)buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
    514. 

  514. 			ses.payload->len-ses.payload->pos);
    515. 

  515. 

  516. 		/* I_S, the payload of the server's SSH_MSG_KEXINIT */
    517. 

  517. 		buf_putstring(ses.kexhashbuf,
    518. 

  518. 			(const char*)ses.transkexinit->data, ses.transkexinit->len);
    519. 

  519. 

  520. 		ses.requirenext = SSH_MSG_KEXDH_INIT;
    521. 

  521. 	}
    522. 

  522. 

  523. 	buf_free(ses.transkexinit);
    524. 

  524. 	ses.transkexinit = NULL;
    525. 

  525. 	/* the rest of ses.kexhashbuf will be done after DH exchange */
    526. 

  526. 

  527. 	ses.kexstate.recvkexinit = 1;
    528. 

  528. 

  529. 	TRACE(("leave recv_msg_kexinit"))
    530. 

  530. }
    531. 

  531. 

  532. static void load_dh_p(mp_int * dh_p)
    533. 

  533. {
    534. 

  534. 	bytes_to_mp(dh_p, ses.newkeys->algo_kex->dh_p_bytes, 
    535. 

  535. 		ses.newkeys->algo_kex->dh_p_len);
    536. 

  536. }
    537. 

  537. 

  538. /* Initialises and generate one side of the diffie-hellman key exchange values.
    539. 

  539.  * See the transport rfc 4253 section 8 for details */
    540. 

  540. /* dh_pub and dh_priv MUST be already initialised */
    541. 

  541. struct kex_dh_param *gen_kexdh_param() {
    542. 

  542. 	struct kex_dh_param *param = NULL;
    543. 

  543. 

  544. 	DEF_MP_INT(dh_p);
    545. 

  545. 	DEF_MP_INT(dh_q);
    546. 

  546. 	DEF_MP_INT(dh_g);
    547. 

  547. 

  548. 	TRACE(("enter gen_kexdh_vals"))
    549. 

  549. 

  550. 	param = m_malloc(sizeof(*param));
    551. 

  551. 	m_mp_init_multi(&param->pub, &param->priv, &dh_g, &dh_p, &dh_q, NULL);
    552. 

  552. 

  553. 	/* read the prime and generator*/
    554. 

  554. 	load_dh_p(&dh_p);
    555. 

  555. 	
    556. 

  556. 	if (mp_set_int(&dh_g, DH_G_VAL) != MP_OKAY) {
    557. 

  557. 		dropbear_exit("Diffie-Hellman error");
    558. 

  558. 	}
    559. 

  559. 

  560. 	/* calculate q = (p-1)/2 */
    561. 

  561. 	/* dh_priv is just a temp var here */
    562. 

  562. 	if (mp_sub_d(&dh_p, 1, &param->priv) != MP_OKAY) { 
    563. 

  563. 		dropbear_exit("Diffie-Hellman error");
    564. 

  564. 	}
    565. 

  565. 	if (mp_div_2(&param->priv, &dh_q) != MP_OKAY) {
    566. 

  566. 		dropbear_exit("Diffie-Hellman error");
    567. 

  567. 	}
    568. 

  568. 

  569. 	/* Generate a private portion 0 < dh_priv < dh_q */
    570. 

  570. 	gen_random_mpint(&dh_q, &param->priv);
    571. 

  571. 

  572. 	/* f = g^y mod p */
    573. 

  573. 	if (mp_exptmod(&dh_g, &param->priv, &dh_p, &param->pub) != MP_OKAY) {
    574. 

  574. 		dropbear_exit("Diffie-Hellman error");
    575. 

  575. 	}
    576. 

  576. 	mp_clear_multi(&dh_g, &dh_p, &dh_q, NULL);
    577. 

  577. 	return param;
    578. 

  578. }
    579. 

  579. 

  580. void free_kexdh_param(struct kex_dh_param *param)
    581. 

  581. {
    582. 

  582. 	mp_clear_multi(&param->pub, &param->priv, NULL);
    583. 

  583. 	m_free(param);
    584. 

  584. }
    585. 

  585. 

  586. /* This function is fairly common between client/server, with some substitution
    587. 

  587.  * of dh_e/dh_f etc. Hence these arguments:
    588. 

  588.  * dh_pub_us is 'e' for the client, 'f' for the server. dh_pub_them is 
    589. 

  589.  * vice-versa. dh_priv is the x/y value corresponding to dh_pub_us */
    590. 

  590. void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them,
    591. 

  591. 		sign_key *hostkey) {
    592. 

  592. 

  593. 	DEF_MP_INT(dh_p);
    594. 

  594. 	DEF_MP_INT(dh_p_min1);
    595. 

  595. 	mp_int *dh_e = NULL, *dh_f = NULL;
    596. 

  596. 

  597. 	m_mp_init_multi(&dh_p, &dh_p_min1, NULL);
    598. 

  598. 	load_dh_p(&dh_p);
    599. 

  599. 

  600. 	if (mp_sub_d(&dh_p, 1, &dh_p_min1) != MP_OKAY) { 
    601. 

  601. 		dropbear_exit("Diffie-Hellman error");
    602. 

  602. 	}
    603. 

  603. 

  604. 	/* Check that dh_pub_them (dh_e or dh_f) is in the range [2, p-2] */
    605. 

  605. 	if (mp_cmp(dh_pub_them, &dh_p_min1) != MP_LT 
    606. 

  606. 			|| mp_cmp_d(dh_pub_them, 1) != MP_GT) {
    607. 

  607. 		dropbear_exit("Diffie-Hellman error");
    608. 

  608. 	}
    609. 

  609. 	
    610. 

  610. 	/* K = e^y mod p = f^x mod p */
    611. 

  611. 	m_mp_alloc_init_multi(&ses.dh_K, NULL);
    612. 

  612. 	if (mp_exptmod(dh_pub_them, &param->priv, &dh_p, ses.dh_K) != MP_OKAY) {
    613. 

  613. 		dropbear_exit("Diffie-Hellman error");
    614. 

  614. 	}
    615. 

  615. 

  616. 	/* clear no longer needed vars */
    617. 

  617. 	mp_clear_multi(&dh_p, &dh_p_min1, NULL);
    618. 

  618. 

  619. 	/* From here on, the code needs to work with the _same_ vars on each side,
    620. 

  620. 	 * not vice-versaing for client/server */
    621. 

  621. 	if (IS_DROPBEAR_CLIENT) {
    622. 

  622. 		dh_e = &param->pub;
    623. 

  623. 		dh_f = dh_pub_them;
    624. 

  624. 	} else {
    625. 

  625. 		dh_e = dh_pub_them;
    626. 

  626. 		dh_f = &param->pub;
    627. 

  627. 	} 
    628. 

  628. 

  629. 	/* Create the remainder of the hash buffer, to generate the exchange hash */
    630. 

  630. 	/* K_S, the host key */
    631. 

  631. 	buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
    632. 

  632. 	/* e, exchange value sent by the client */
    633. 

  633. 	buf_putmpint(ses.kexhashbuf, dh_e);
    634. 

  634. 	/* f, exchange value sent by the server */
    635. 

  635. 	buf_putmpint(ses.kexhashbuf, dh_f);
    636. 

  636. 	/* K, the shared secret */
    637. 

  637. 	buf_putmpint(ses.kexhashbuf, ses.dh_K);
    638. 

  638. 

  639. 	/* calculate the hash H to sign */
    640. 

  640. 	finish_kexhashbuf();
    641. 

  641. }
    642. 

  642. 

  643. #ifdef DROPBEAR_ECDH
    644. 

  644. struct kex_ecdh_param *gen_kexecdh_param() {
    645. 

  645. 	struct kex_ecdh_param *param = m_malloc(sizeof(*param));
    646. 

  646. 	if (ecc_make_key_ex(NULL, dropbear_ltc_prng, 
    647. 

  647. 		&param->key, ses.newkeys->algo_kex->ecc_curve->dp) != CRYPT_OK) {
    648. 

  648. 		dropbear_exit("ECC error");
    649. 

  649. 	}
    650. 

  650. 	return param;
    651. 

  651. }
    652. 

  652. 

  653. void free_kexecdh_param(struct kex_ecdh_param *param) {
    654. 

  654. 	ecc_free(&param->key);
    655. 

  655. 	m_free(param);
    656. 

  656. 

  657. }
    658. 

  658. void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them,
    659. 

  659. 		sign_key *hostkey) {
    660. 

  660. 	const struct dropbear_kex *algo_kex = ses.newkeys->algo_kex;
    661. 

  661. 	/* public keys from client and server */
    662. 

  662. 	ecc_key *Q_C, *Q_S, *Q_them;
    663. 

  663. 

  664. 	Q_them = buf_get_ecc_raw_pubkey(pub_them, algo_kex->ecc_curve);
    665. 

  665. 	if (Q_them == NULL) {
    666. 

  666. 		dropbear_exit("ECC error");
    667. 

  667. 	}
    668. 

  668. 

  669. 	ses.dh_K = dropbear_ecc_shared_secret(Q_them, &param->key);
    670. 

  670. 

  671. 	/* Create the remainder of the hash buffer, to generate the exchange hash
    672. 

  672. 	   See RFC5656 section 4 page 7 */
    673. 

  673. 	if (IS_DROPBEAR_CLIENT) {
    674. 

  674. 		Q_C = &param->key;
    675. 

  675. 		Q_S = Q_them;
    676. 

  676. 	} else {
    677. 

  677. 		Q_C = Q_them;
    678. 

  678. 		Q_S = &param->key;
    679. 

  679. 	} 
    680. 

  680. 

  681. 	/* K_S, the host key */
    682. 

  682. 	buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
    683. 

  683. 	/* Q_C, client's ephemeral public key octet string */
    684. 

  684. 	buf_put_ecc_raw_pubkey_string(ses.kexhashbuf, Q_C);
    685. 

  685. 	/* Q_S, server's ephemeral public key octet string */
    686. 

  686. 	buf_put_ecc_raw_pubkey_string(ses.kexhashbuf, Q_S);
    687. 

  687. 	/* K, the shared secret */
    688. 

  688. 	buf_putmpint(ses.kexhashbuf, ses.dh_K);
    689. 

  689. 

  690. 	/* calculate the hash H to sign */
    691. 

  691. 	finish_kexhashbuf();
    692. 

  692. }
    693. 

  693. #endif /* DROPBEAR_ECDH */
    694. 

  694. 

  695. #ifdef DROPBEAR_CURVE25519
    696. 

  696. struct kex_curve25519_param *gen_kexcurve25519_param () {
    697. 

  697. 	/* Per http://cr.yp.to/ecdh.html */
    698. 

  698. 	struct kex_curve25519_param *param = m_malloc(sizeof(*param));
    699. 

  699. 	const unsigned char basepoint[32] = {9};
    700. 

  700. 

  701. 	genrandom(param->priv, CURVE25519_LEN);
    702. 

  702. 	param->priv[0] &= 248;
    703. 

  703. 	param->priv[31] &= 127;
    704. 

  704. 	param->priv[31] |= 64;
    705. 

  705. 

  706. 	curve25519_donna(param->pub, param->priv, basepoint);
    707. 

  707. 

  708. 	return param;
    709. 

  709. }
    710. 

  710. 

  711. void free_kexcurve25519_param(struct kex_curve25519_param *param)
    712. 

  712. {
    713. 

  713. 	m_burn(param->priv, CURVE25519_LEN);
    714. 

  714. 	m_free(param);
    715. 

  715. }
    716. 

  716. 

  717. void kexcurve25519_comb_key(struct kex_curve25519_param *param, buffer *buf_pub_them,
    718. 

  718. 	sign_key *hostkey) {
    719. 

  719. 	unsigned char out[CURVE25519_LEN];
    720. 

  720. 	const unsigned char* Q_C = NULL;
    721. 

  721. 	const unsigned char* Q_S = NULL;
    722. 

  722. 	char zeroes[CURVE25519_LEN] = {0};
    723. 

  723. 

  724. 	if (buf_pub_them->len != CURVE25519_LEN)
    725. 

  725. 	{
    726. 

  726. 		dropbear_exit("Bad curve25519");
    727. 

  727. 	}
    728. 

  728. 

  729. 	curve25519_donna(out, param->priv, buf_pub_them->data);
    730. 

  730. 

  731. 	if (constant_time_memcmp(zeroes, out, CURVE25519_LEN) == 0) {
    732. 

  732. 		dropbear_exit("Bad curve25519");
    733. 

  733. 	}
    734. 

  734. 

  735. 	m_mp_alloc_init_multi(&ses.dh_K, NULL);
    736. 

  736. 	bytes_to_mp(ses.dh_K, out, CURVE25519_LEN);
    737. 

  737. 	m_burn(out, sizeof(out));
    738. 

  738. 

  739. 	/* Create the remainder of the hash buffer, to generate the exchange hash.
    740. 

  740. 	   See RFC5656 section 4 page 7 */
    741. 

  741. 	if (IS_DROPBEAR_CLIENT) {
    742. 

  742. 		Q_C = param->pub;
    743. 

  743. 		Q_S = buf_pub_them->data;
    744. 

  744. 	} else {
    745. 

  745. 		Q_S = param->pub;
    746. 

  746. 		Q_C = buf_pub_them->data;
    747. 

  747. 	}
    748. 

  748. 

  749. 	/* K_S, the host key */
    750. 

  750. 	buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
    751. 

  751. 	/* Q_C, client's ephemeral public key octet string */
    752. 

  752. 	buf_putstring(ses.kexhashbuf, (const char*)Q_C, CURVE25519_LEN);
    753. 

  753. 	/* Q_S, server's ephemeral public key octet string */
    754. 

  754. 	buf_putstring(ses.kexhashbuf, (const char*)Q_S, CURVE25519_LEN);
    755. 

  755. 	/* K, the shared secret */
    756. 

  756. 	buf_putmpint(ses.kexhashbuf, ses.dh_K);
    757. 

  757. 

  758. 	/* calculate the hash H to sign */
    759. 

  759. 	finish_kexhashbuf();
    760. 

  760. }
    761. 

  761. #endif /* DROPBEAR_CURVE25519 */
    762. 

  762. 

  763. 

  764. 

  765. static void finish_kexhashbuf(void) {
    766. 

  766. 	hash_state hs;
    767. 

  767. 	const struct ltc_hash_descriptor *hash_desc = ses.newkeys->algo_kex->hash_desc;
    768. 

  768. 

  769. 	hash_desc->init(&hs);
    770. 

  770. 	buf_setpos(ses.kexhashbuf, 0);
    771. 

  771. 	hash_desc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
    772. 

  772. 			ses.kexhashbuf->len);
    773. 

  773. 	ses.hash = buf_new(hash_desc->hashsize);
    774. 

  774. 	hash_desc->done(&hs, buf_getwriteptr(ses.hash, hash_desc->hashsize));
    775. 

  775. 	buf_setlen(ses.hash, hash_desc->hashsize);
    776. 

  776. 

  777. #if defined(DEBUG_KEXHASH) && defined(DEBUG_TRACE)
    778. 

  778. 	if (!debug_trace) {
    779. 

  779. 		printhex("kexhashbuf", ses.kexhashbuf->data, ses.kexhashbuf->len);
    780. 

  780. 		printhex("kexhash", ses.hash->data, ses.hash->len);
    781. 

  781. 	}
    782. 

  782. #endif
    783. 

  783. 

  784. 	buf_burn(ses.kexhashbuf);
    785. 

  785. 	buf_free(ses.kexhashbuf);
    786. 

  786. 	m_burn(&hs, sizeof(hash_state));
    787. 

  787. 	ses.kexhashbuf = NULL;
    788. 

  788. 	
    789. 

  789. 	/* first time around, we set the session_id to H */
    790. 

  790. 	if (ses.session_id == NULL) {
    791. 

  791. 		/* create the session_id, this never needs freeing */
    792. 

  792. 		ses.session_id = buf_newcopy(ses.hash);
    793. 

  793. 	}
    794. 

  794. }
    795. 

  795. 

  796. /* read the other side's algo list. buf_match_algo is a callback to match
    797. 

  797.  * algos for the client or server. */
    798. 

  798. static void read_kex_algos() {
    799. 

  799. 

  800. 	/* for asymmetry */
    801. 

  801. 	algo_type * c2s_hash_algo = NULL;
    802. 

  802. 	algo_type * s2c_hash_algo = NULL;
    803. 

  803. 	algo_type * c2s_cipher_algo = NULL;
    804. 

  804. 	algo_type * s2c_cipher_algo = NULL;
    805. 

  805. 	algo_type * c2s_comp_algo = NULL;
    806. 

  806. 	algo_type * s2c_comp_algo = NULL;
    807. 

  807. 	/* the generic one */
    808. 

  808. 	algo_type * algo = NULL;
    809. 

  809. 

  810. 	/* which algo couldn't match */
    811. 

  811. 	char * erralgo = NULL;
    812. 

  812. 

  813. 	int goodguess = 0;
    814. 

  814. 	int allgood = 1; /* we AND this with each goodguess and see if its still
    815. 

  815. 						true after */
    816. 

  816. 

  817. #ifdef USE_KEXGUESS2
    818. 

  818. 	enum kexguess2_used kexguess2 = KEXGUESS2_LOOK;
    819. 

  819. #else
    820. 

  820. 	enum kexguess2_used kexguess2 = KEXGUESS2_NO;
    821. 

  821. #endif
    822. 

  822. 

  823. 	buf_incrpos(ses.payload, 16); /* start after the cookie */
    824. 

  824. 

  825. 	memset(ses.newkeys, 0x0, sizeof(*ses.newkeys));
    826. 

  826. 

  827. 	/* kex_algorithms */
    828. 

  828. 	algo = buf_match_algo(ses.payload, sshkex, &kexguess2, &goodguess);
    829. 

  829. 	allgood &= goodguess;
    830. 

  830. 	if (algo == NULL || algo->val == KEXGUESS2_ALGO_ID) {
    831. 

  831. 		erralgo = "kex";
    832. 

  832. 		goto error;
    833. 

  833. 	}
    834. 

  834. 	TRACE(("kexguess2 %d", kexguess2))
    835. 

  835. 	TRACE(("kex algo %s", algo->name))
    836. 

  836. 	ses.newkeys->algo_kex = algo->data;
    837. 

  837. 

  838. 	/* server_host_key_algorithms */
    839. 

  839. 	algo = buf_match_algo(ses.payload, sshhostkey, &kexguess2, &goodguess);
    840. 

  840. 	allgood &= goodguess;
    841. 

  841. 	if (algo == NULL) {
    842. 

  842. 		erralgo = "hostkey";
    843. 

  843. 		goto error;
    844. 

  844. 	}
    845. 

  845. 	TRACE(("hostkey algo %s", algo->name))
    846. 

  846. 	ses.newkeys->algo_hostkey = algo->val;
    847. 

  847. 

  848. 	/* encryption_algorithms_client_to_server */
    849. 

  849. 	c2s_cipher_algo = buf_match_algo(ses.payload, sshciphers, NULL, NULL);
    850. 

  850. 	if (c2s_cipher_algo == NULL) {
    851. 

  851. 		erralgo = "enc c->s";
    852. 

  852. 		goto error;
    853. 

  853. 	}
    854. 

  854. 	TRACE(("enc c2s is  %s", c2s_cipher_algo->name))
    855. 

  855. 

  856. 	/* encryption_algorithms_server_to_client */
    857. 

  857. 	s2c_cipher_algo = buf_match_algo(ses.payload, sshciphers, NULL, NULL);
    858. 

  858. 	if (s2c_cipher_algo == NULL) {
    859. 

  859. 		erralgo = "enc s->c";
    860. 

  860. 		goto error;
    861. 

  861. 	}
    862. 

  862. 	TRACE(("enc s2c is  %s", s2c_cipher_algo->name))
    863. 

  863. 

  864. 	/* mac_algorithms_client_to_server */
    865. 

  865. 	c2s_hash_algo = buf_match_algo(ses.payload, sshhashes, NULL, NULL);
    866. 

  866. 	if (c2s_hash_algo == NULL) {
    867. 

  867. 		erralgo = "mac c->s";
    868. 

  868. 		goto error;
    869. 

  869. 	}
    870. 

  870. 	TRACE(("hash c2s is  %s", c2s_hash_algo->name))
    871. 

  871. 

  872. 	/* mac_algorithms_server_to_client */
    873. 

  873. 	s2c_hash_algo = buf_match_algo(ses.payload, sshhashes, NULL, NULL);
    874. 

  874. 	if (s2c_hash_algo == NULL) {
    875. 

  875. 		erralgo = "mac s->c";
    876. 

  876. 		goto error;
    877. 

  877. 	}
    878. 

  878. 	TRACE(("hash s2c is  %s", s2c_hash_algo->name))
    879. 

  879. 

  880. 	/* compression_algorithms_client_to_server */
    881. 

  881. 	c2s_comp_algo = buf_match_algo(ses.payload, ses.compress_algos, NULL, NULL);
    882. 

  882. 	if (c2s_comp_algo == NULL) {
    883. 

  883. 		erralgo = "comp c->s";
    884. 

  884. 		goto error;
    885. 

  885. 	}
    886. 

  886. 	TRACE(("hash c2s is  %s", c2s_comp_algo->name))
    887. 

  887. 

  888. 	/* compression_algorithms_server_to_client */
    889. 

  889. 	s2c_comp_algo = buf_match_algo(ses.payload, ses.compress_algos, NULL, NULL);
    890. 

  890. 	if (s2c_comp_algo == NULL) {
    891. 

  891. 		erralgo = "comp s->c";
    892. 

  892. 		goto error;
    893. 

  893. 	}
    894. 

  894. 	TRACE(("hash s2c is  %s", s2c_comp_algo->name))
    895. 

  895. 

  896. 	/* languages_client_to_server */
    897. 

  897. 	buf_eatstring(ses.payload);
    898. 

  898. 

  899. 	/* languages_server_to_client */
    900. 

  900. 	buf_eatstring(ses.payload);
    901. 

  901. 

  902. 	/* their first_kex_packet_follows */
    903. 

  903. 	if (buf_getbool(ses.payload)) {
    904. 

  904. 		TRACE(("them kex firstfollows. allgood %d", allgood))
    905. 

  905. 		ses.kexstate.them_firstfollows = 1;
    906. 

  906. 		/* if the guess wasn't good, we ignore the packet sent */
    907. 

  907. 		if (!allgood) {
    908. 

  908. 			ses.ignorenext = 1;
    909. 

  909. 		}
    910. 

  910. 	}
    911. 

  911. 

  912. 	/* Handle the asymmetry */
    913. 

  913. 	if (IS_DROPBEAR_CLIENT) {
    914. 

  914. 		ses.newkeys->recv.algo_crypt = 
    915. 

  915. 			(struct dropbear_cipher*)s2c_cipher_algo->data;
    916. 

  916. 		ses.newkeys->trans.algo_crypt = 
    917. 

  917. 			(struct dropbear_cipher*)c2s_cipher_algo->data;
    918. 

  918. 		ses.newkeys->recv.crypt_mode = 
    919. 

  919. 			(struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
    920. 

  920. 		ses.newkeys->trans.crypt_mode =
    921. 

  921. 			(struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
    922. 

  922. 		ses.newkeys->recv.algo_mac = 
    923. 

  923. 			(struct dropbear_hash*)s2c_hash_algo->data;
    924. 

  924. 		ses.newkeys->trans.algo_mac = 
    925. 

  925. 			(struct dropbear_hash*)c2s_hash_algo->data;
    926. 

  926. 		ses.newkeys->recv.algo_comp = s2c_comp_algo->val;
    927. 

  927. 		ses.newkeys->trans.algo_comp = c2s_comp_algo->val;
    928. 

  928. 	} else {
    929. 

  929. 		/* SERVER */
    930. 

  930. 		ses.newkeys->recv.algo_crypt = 
    931. 

  931. 			(struct dropbear_cipher*)c2s_cipher_algo->data;
    932. 

  932. 		ses.newkeys->trans.algo_crypt = 
    933. 

  933. 			(struct dropbear_cipher*)s2c_cipher_algo->data;
    934. 

  934. 		ses.newkeys->recv.crypt_mode =
    935. 

  935. 			(struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
    936. 

  936. 		ses.newkeys->trans.crypt_mode =
    937. 

  937. 			(struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
    938. 

  938. 		ses.newkeys->recv.algo_mac = 
    939. 

  939. 			(struct dropbear_hash*)c2s_hash_algo->data;
    940. 

  940. 		ses.newkeys->trans.algo_mac = 
    941. 

  941. 			(struct dropbear_hash*)s2c_hash_algo->data;
    942. 

  942. 		ses.newkeys->recv.algo_comp = c2s_comp_algo->val;
    943. 

  943. 		ses.newkeys->trans.algo_comp = s2c_comp_algo->val;
    944. 

  944. 	}
    945. 

  945. 

  946. 	/* reserved for future extensions */
    947. 

  947. 	buf_getint(ses.payload);
    948. 

  948. 

  949. 	if (ses.send_kex_first_guess && allgood) {
    950. 

  950. 		TRACE(("our_first_follows_matches 1"))
    951. 

  951. 		ses.kexstate.our_first_follows_matches = 1;
    952. 

  952. 	}
    953. 

  953. 	return;
    954. 

  954. 

  955. error:
    956. 

  956. 	dropbear_exit("No matching algo %s", erralgo);
    957. 

  957. }
    958.