Trang chủ Khám phá Trợ giúp
Đăng nhập
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Các tập tin Các vấn đề 0 Yêu cầu kéo về 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
dropbear-2022.82
/
common-kex.c

common-kex.c 30 KB
Permalink Lịch sử Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021 
  1. /*
    2. 

  2.  * Dropbear SSH
    3. 

  3.  * 
    4. 

  4.  * Copyright (c) 2002-2004 Matt Johnston
    5. 

  5.  * Portions Copyright (c) 2004 by Mihnea Stoenescu
    6. 

  6.  * All rights reserved.
    7. 

  7.  * 
    8. 

  8.  * Permission is hereby granted, free of charge, to any person obtaining a copy
    9. 

  9.  * of this software and associated documentation files (the "Software"), to deal
    10. 

  10.  * in the Software without restriction, including without limitation the rights
    11. 

  11.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    12. 

  12.  * copies of the Software, and to permit persons to whom the Software is
    13. 

  13.  * furnished to do so, subject to the following conditions:
    14. 

  14.  * 
    15. 

  15.  * The above copyright notice and this permission notice shall be included in
    16. 

  16.  * all copies or substantial portions of the Software.
    17. 

  17.  * 
    18. 

  18.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    19. 

  19.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    20. 

  20.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    21. 

  21.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    22. 

  22.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    23. 

  23.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    24. 

  24.  * SOFTWARE. */
    25. 

  25. 

  26. #include "includes.h"
    27. 

  27. #include "dbutil.h"
    28. 

  28. #include "algo.h"
    29. 

  29. #include "buffer.h"
    30. 

  30. #include "session.h"
    31. 

  31. #include "kex.h"
    32. 

  32. #include "dh_groups.h"
    33. 

  33. #include "ssh.h"
    34. 

  34. #include "packet.h"
    35. 

  35. #include "bignum.h"
    36. 

  36. #include "dbrandom.h"
    37. 

  37. #include "runopts.h"
    38. 

  38. #include "ecc.h"
    39. 

  39. #include "curve25519.h"
    40. 

  40. #include "crypto_desc.h"
    41. 

  41. 

  42. static void kexinitialise(void);
    43. 

  43. static void gen_new_keys(void);
    44. 

  44. #ifndef DISABLE_ZLIB
    45. 

  45. static void gen_new_zstream_recv(void);
    46. 

  46. static void gen_new_zstream_trans(void);
    47. 

  47. #endif
    48. 

  48. static void read_kex_algos(void);
    49. 

  49. /* helper function for gen_new_keys */
    50. 

  50. static void hashkeys(unsigned char *out, unsigned int outlen, 
    51. 

  51. 		const hash_state * hs, const unsigned char X);
    52. 

  52. 

  53. 

  54. /* Send our list of algorithms we can use */
    55. 

  55. void send_msg_kexinit() {
    56. 

  56. 

  57. 	CHECKCLEARTOWRITE();
    58. 

  58. 	buf_putbyte(ses.writepayload, SSH_MSG_KEXINIT);
    59. 

  59. 

  60. 	/* cookie */
    61. 

  61. 	genrandom(buf_getwriteptr(ses.writepayload, 16), 16);
    62. 

  62. 	buf_incrwritepos(ses.writepayload, 16);
    63. 

  63. 

  64. 	/* kex algos */
    65. 

  65. 	buf_put_algolist(ses.writepayload, sshkex);
    66. 

  66. 

  67. 	/* server_host_key_algorithms */
    68. 

  68. 	buf_put_algolist(ses.writepayload, sigalgs);
    69. 

  69. 

  70. 	/* encryption_algorithms_client_to_server */
    71. 

  71. 	buf_put_algolist(ses.writepayload, sshciphers);
    72. 

  72. 

  73. 	/* encryption_algorithms_server_to_client */
    74. 

  74. 	buf_put_algolist(ses.writepayload, sshciphers);
    75. 

  75. 

  76. 	/* mac_algorithms_client_to_server */
    77. 

  77. 	buf_put_algolist(ses.writepayload, sshhashes);
    78. 

  78. 

  79. 	/* mac_algorithms_server_to_client */
    80. 

  80. 	buf_put_algolist(ses.writepayload, sshhashes);
    81. 

  81. 

  82. 

  83. 	/* compression_algorithms_client_to_server */
    84. 

  84. 	buf_put_algolist(ses.writepayload, ses.compress_algos);
    85. 

  85. 

  86. 	/* compression_algorithms_server_to_client */
    87. 

  87. 	buf_put_algolist(ses.writepayload, ses.compress_algos);
    88. 

  88. 

  89. 	/* languages_client_to_server */
    90. 

  90. 	buf_putstring(ses.writepayload, "", 0);
    91. 

  91. 

  92. 	/* languages_server_to_client */
    93. 

  93. 	buf_putstring(ses.writepayload, "", 0);
    94. 

  94. 

  95. 	/* first_kex_packet_follows */
    96. 

  96. 	buf_putbyte(ses.writepayload, (ses.send_kex_first_guess != NULL));
    97. 

  97. 

  98. 	/* reserved unit32 */
    99. 

  99. 	buf_putint(ses.writepayload, 0);
    100. 

  100. 

  101. 	/* set up transmitted kex packet buffer for hashing. 
    102. 

  102. 	 * This is freed after the end of the kex */
    103. 

  103. 	ses.transkexinit = buf_newcopy(ses.writepayload);
    104. 

  104. 

  105. 	encrypt_packet();
    106. 

  106. 	ses.dataallowed = 0; /* don't send other packets during kex */
    107. 

  107. 

  108. 	ses.kexstate.sentkexinit = 1;
    109. 

  109. 

  110. 	ses.newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
    111. 

  111. 

  112. 	if (ses.send_kex_first_guess) {
    113. 

  113. 		ses.newkeys->algo_kex = first_usable_algo(sshkex)->data;
    114. 

  114. 		ses.newkeys->algo_signature = first_usable_algo(sigalgs)->val;
    115. 

  115. 		ses.newkeys->algo_hostkey = signkey_type_from_signature(ses.newkeys->algo_signature);
    116. 

  116. 		ses.send_kex_first_guess();
    117. 

  117. 	}
    118. 

  118. 

  119. 	TRACE(("DATAALLOWED=0"))
    120. 

  120. 	TRACE(("-> KEXINIT"))
    121. 

  121. 

  122. }
    123. 

  123. 

  124. static void switch_keys() {
    125. 

  125. 	TRACE2(("enter switch_keys"))
    126. 

  126. 	if (!(ses.kexstate.sentkexinit && ses.kexstate.recvkexinit)) {
    127. 

  127. 		dropbear_exit("Unexpected newkeys message");
    128. 

  128. 	}
    129. 

  129. 

  130. 	if (!ses.keys) {
    131. 

  131. 		ses.keys = m_malloc(sizeof(*ses.newkeys));
    132. 

  132. 	}
    133. 

  133. 	if (ses.kexstate.recvnewkeys && ses.newkeys->recv.valid) {
    134. 

  134. 		TRACE(("switch_keys recv"))
    135. 

  135. #ifndef DISABLE_ZLIB
    136. 

  136. 		gen_new_zstream_recv();
    137. 

  137. #endif
    138. 

  138. 		ses.keys->recv = ses.newkeys->recv;
    139. 

  139. 		m_burn(&ses.newkeys->recv, sizeof(ses.newkeys->recv));
    140. 

  140. 		ses.newkeys->recv.valid = 0;
    141. 

  141. 	}
    142. 

  142. 	if (ses.kexstate.sentnewkeys && ses.newkeys->trans.valid) {
    143. 

  143. 		TRACE(("switch_keys trans"))
    144. 

  144. #ifndef DISABLE_ZLIB
    145. 

  145. 		gen_new_zstream_trans();
    146. 

  146. #endif
    147. 

  147. 		ses.keys->trans = ses.newkeys->trans;
    148. 

  148. 		m_burn(&ses.newkeys->trans, sizeof(ses.newkeys->trans));
    149. 

  149. 		ses.newkeys->trans.valid = 0;
    150. 

  150. 	}
    151. 

  151. 	if (ses.kexstate.sentnewkeys && ses.kexstate.recvnewkeys)
    152. 

  152. 	{
    153. 

  153. 		TRACE(("switch_keys done"))
    154. 

  154. 		ses.keys->algo_kex = ses.newkeys->algo_kex;
    155. 

  155. 		ses.keys->algo_hostkey = ses.newkeys->algo_hostkey;
    156. 

  156. 		ses.keys->algo_signature = ses.newkeys->algo_signature;
    157. 

  157. 		ses.keys->allow_compress = 0;
    158. 

  158. 		m_free(ses.newkeys);
    159. 

  159. 		ses.newkeys = NULL;
    160. 

  160. 		kexinitialise();
    161. 

  161. 	}
    162. 

  162. 	TRACE2(("leave switch_keys"))
    163. 

  163. }
    164. 

  164. 

  165. /* Bring new keys into use after a key exchange, and let the client know*/
    166. 

  166. void send_msg_newkeys() {
    167. 

  167. 

  168. 	TRACE(("enter send_msg_newkeys"))
    169. 

  169. 

  170. 	/* generate the kexinit request */
    171. 

  171. 	CHECKCLEARTOWRITE();
    172. 

  172. 	buf_putbyte(ses.writepayload, SSH_MSG_NEWKEYS);
    173. 

  173. 	encrypt_packet();
    174. 

  174. 

  175. 	
    176. 

  176. 	/* set up our state */
    177. 

  177. 	ses.kexstate.sentnewkeys = 1;
    178. 

  178. 	if (ses.kexstate.donefirstkex) {
    179. 

  179. 		ses.kexstate.donesecondkex = 1;
    180. 

  180. 	}
    181. 

  181. 	ses.kexstate.donefirstkex = 1;
    182. 

  182. 	ses.dataallowed = 1; /* we can send other packets again now */
    183. 

  183. 	gen_new_keys();
    184. 

  184. 	switch_keys();
    185. 

  185. 

  186. 	TRACE(("leave send_msg_newkeys"))
    187. 

  187. }
    188. 

  188. 

  189. /* Bring the new keys into use after a key exchange */
    190. 

  190. void recv_msg_newkeys() {
    191. 

  191. 

  192. 	TRACE(("enter recv_msg_newkeys"))
    193. 

  193. 

  194. 	ses.kexstate.recvnewkeys = 1;
    195. 

  195. 	switch_keys();
    196. 

  196. 	
    197. 

  197. 	TRACE(("leave recv_msg_newkeys"))
    198. 

  198. }
    199. 

  199. 

  200. 

  201. /* Set up the kex for the first time */
    202. 

  202. void kexfirstinitialise() {
    203. 

  203. #ifdef DISABLE_ZLIB
    204. 

  204. 	ses.compress_algos = ssh_nocompress;
    205. 

  205. #else
    206. 

  206. 	switch (opts.compress_mode)
    207. 

  207. 	{
    208. 

  208. 		case DROPBEAR_COMPRESS_DELAYED:
    209. 

  209. 			ses.compress_algos = ssh_delaycompress;
    210. 

  210. 			break;
    211. 

  211. 

  212. 		case DROPBEAR_COMPRESS_ON:
    213. 

  213. 			ses.compress_algos = ssh_compress;
    214. 

  214. 			break;
    215. 

  215. 

  216. 		case DROPBEAR_COMPRESS_OFF:
    217. 

  217. 			ses.compress_algos = ssh_nocompress;
    218. 

  218. 			break;
    219. 

  219. 	}
    220. 

  220. #endif
    221. 

  221. 	kexinitialise();
    222. 

  222. }
    223. 

  223. 

  224. /* Reset the kex state, ready for a new negotiation */
    225. 

  225. static void kexinitialise() {
    226. 

  226. 

  227. 	TRACE(("kexinitialise()"))
    228. 

  228. 

  229. 	/* sent/recv'd MSG_KEXINIT */
    230. 

  230. 	ses.kexstate.sentkexinit = 0;
    231. 

  231. 	ses.kexstate.recvkexinit = 0;
    232. 

  232. 

  233. 	/* sent/recv'd MSG_NEWKEYS */
    234. 

  234. 	ses.kexstate.recvnewkeys = 0;
    235. 

  235. 	ses.kexstate.sentnewkeys = 0;
    236. 

  236. 

  237. 	/* first_packet_follows */
    238. 

  238. 	ses.kexstate.them_firstfollows = 0;
    239. 

  239. 

  240. 	ses.kexstate.datatrans = 0;
    241. 

  241. 	ses.kexstate.datarecv = 0;
    242. 

  242. 

  243. 	ses.kexstate.our_first_follows_matches = 0;
    244. 

  244. 

  245. 	ses.kexstate.lastkextime = monotonic_now();
    246. 

  246. 

  247. }
    248. 

  248. 

  249. /* Helper function for gen_new_keys, creates a hash. It makes a copy of the
    250. 

  250.  * already initialised hash_state hs, which should already have processed
    251. 

  251.  * the dh_K and hash, since these are common. X is the letter 'A', 'B' etc.
    252. 

  252.  * out must have at least min(hash_size, outlen) bytes allocated.
    253. 

  253.  *
    254. 

  254.  * See Section 7.2 of rfc4253 (ssh transport) for details */
    255. 

  255. static void hashkeys(unsigned char *out, unsigned int outlen, 
    256. 

  256. 		const hash_state * hs, const unsigned char X) {
    257. 

  257. 

  258. 	const struct ltc_hash_descriptor *hash_desc = ses.newkeys->algo_kex->hash_desc;
    259. 

  259. 	hash_state hs2;
    260. 

  260. 	unsigned int offset;
    261. 

  261. 	unsigned char tmpout[MAX_HASH_SIZE];
    262. 

  262. 

  263. 	memcpy(&hs2, hs, sizeof(hash_state));
    264. 

  264. 	hash_desc->process(&hs2, &X, 1);
    265. 

  265. 	hash_desc->process(&hs2, ses.session_id->data, ses.session_id->len);
    266. 

  266. 	hash_desc->done(&hs2, tmpout);
    267. 

  267. 	memcpy(out, tmpout, MIN(hash_desc->hashsize, outlen));
    268. 

  268. 	for (offset = hash_desc->hashsize; 
    269. 

  269. 			offset < outlen; 
    270. 

  270. 			offset += hash_desc->hashsize)
    271. 

  271. 	{
    272. 

  272. 		/* need to extend */
    273. 

  273. 		memcpy(&hs2, hs, sizeof(hash_state));
    274. 

  274. 		hash_desc->process(&hs2, out, offset);
    275. 

  275. 		hash_desc->done(&hs2, tmpout);
    276. 

  276. 		memcpy(&out[offset], tmpout, MIN(outlen - offset, hash_desc->hashsize));
    277. 

  277. 	}
    278. 

  278. 	m_burn(&hs2, sizeof(hash_state));
    279. 

  279. }
    280. 

  280. 

  281. /* Generate the actual encryption/integrity keys, using the results of the
    282. 

  282.  * key exchange, as specified in section 7.2 of the transport rfc 4253.
    283. 

  283.  * This occurs after the DH key-exchange.
    284. 

  284.  *
    285. 

  285.  * ses.newkeys is the new set of keys which are generated, these are only
    286. 

  286.  * taken into use after both sides have sent a newkeys message */
    287. 

  287. 

  288. static void gen_new_keys() {
    289. 

  289. 

  290. 	unsigned char C2S_IV[MAX_IV_LEN];
    291. 

  291. 	unsigned char C2S_key[MAX_KEY_LEN];
    292. 

  292. 	unsigned char S2C_IV[MAX_IV_LEN];
    293. 

  293. 	unsigned char S2C_key[MAX_KEY_LEN];
    294. 

  294. 	/* unsigned char key[MAX_KEY_LEN]; */
    295. 

  295. 	unsigned char *trans_IV, *trans_key, *recv_IV, *recv_key;
    296. 

  296. 

  297. 	hash_state hs;
    298. 

  298. 	const struct ltc_hash_descriptor *hash_desc = ses.newkeys->algo_kex->hash_desc;
    299. 

  299. 	char mactransletter, macrecvletter; /* Client or server specific */
    300. 

  300. 

  301. 	TRACE(("enter gen_new_keys"))
    302. 

  302. 	/* the dh_K and hash are the start of all hashes, we make use of that */
    303. 

  303. 

  304. 	hash_desc->init(&hs);
    305. 

  305. 	hash_process_mp(hash_desc, &hs, ses.dh_K);
    306. 

  306. 	mp_clear(ses.dh_K);
    307. 

  307. 	m_free(ses.dh_K);
    308. 

  308. 	hash_desc->process(&hs, ses.hash->data, ses.hash->len);
    309. 

  309. 	buf_burn_free(ses.hash);
    310. 

  310. 	ses.hash = NULL;
    311. 

  311. 

  312. 	if (IS_DROPBEAR_CLIENT) {
    313. 

  313. 		trans_IV	= C2S_IV;
    314. 

  314. 		recv_IV		= S2C_IV;
    315. 

  315. 		trans_key	= C2S_key;
    316. 

  316. 		recv_key	= S2C_key;
    317. 

  317. 		mactransletter = 'E';
    318. 

  318. 		macrecvletter = 'F';
    319. 

  319. 	} else {
    320. 

  320. 		trans_IV	= S2C_IV;
    321. 

  321. 		recv_IV		= C2S_IV;
    322. 

  322. 		trans_key	= S2C_key;
    323. 

  323. 		recv_key	= C2S_key;
    324. 

  324. 		mactransletter = 'F';
    325. 

  325. 		macrecvletter = 'E';
    326. 

  326. 	}
    327. 

  327. 

  328. 	hashkeys(C2S_IV, sizeof(C2S_IV), &hs, 'A');
    329. 

  329. 	hashkeys(S2C_IV, sizeof(S2C_IV), &hs, 'B');
    330. 

  330. 	hashkeys(C2S_key, sizeof(C2S_key), &hs, 'C');
    331. 

  331. 	hashkeys(S2C_key, sizeof(S2C_key), &hs, 'D');
    332. 

  332. 

  333. 	if (ses.newkeys->recv.algo_crypt->cipherdesc != NULL) {
    334. 

  334. 		int recv_cipher = -1;
    335. 

  335. 		if (ses.newkeys->recv.algo_crypt->cipherdesc->name != NULL) {
    336. 

  336. 			recv_cipher = find_cipher(ses.newkeys->recv.algo_crypt->cipherdesc->name);
    337. 

  337. 			if (recv_cipher < 0) {
    338. 

  338. 				dropbear_exit("Crypto error");
    339. 

  339. 			}
    340. 

  340. 		}
    341. 

  341. 		if (ses.newkeys->recv.crypt_mode->start(recv_cipher, 
    342. 

  342. 				recv_IV, recv_key, 
    343. 

  343. 				ses.newkeys->recv.algo_crypt->keysize, 0, 
    344. 

  344. 				&ses.newkeys->recv.cipher_state) != CRYPT_OK) {
    345. 

  345. 			dropbear_exit("Crypto error");
    346. 

  346. 		}
    347. 

  347. 	}
    348. 

  348. 

  349. 	if (ses.newkeys->trans.algo_crypt->cipherdesc != NULL) {
    350. 

  350. 		int trans_cipher = -1;
    351. 

  351. 		if (ses.newkeys->trans.algo_crypt->cipherdesc->name != NULL) {
    352. 

  352. 			trans_cipher = find_cipher(ses.newkeys->trans.algo_crypt->cipherdesc->name);
    353. 

  353. 			if (trans_cipher < 0) {
    354. 

  354. 				dropbear_exit("Crypto error");
    355. 

  355. 			}
    356. 

  356. 		}
    357. 

  357. 		if (ses.newkeys->trans.crypt_mode->start(trans_cipher, 
    358. 

  358. 				trans_IV, trans_key, 
    359. 

  359. 				ses.newkeys->trans.algo_crypt->keysize, 0, 
    360. 

  360. 				&ses.newkeys->trans.cipher_state) != CRYPT_OK) {
    361. 

  361. 			dropbear_exit("Crypto error");
    362. 

  362. 		}
    363. 

  363. 	}
    364. 

  364. 

  365. 	if (ses.newkeys->trans.algo_mac->hash_desc != NULL) {
    366. 

  366. 		hashkeys(ses.newkeys->trans.mackey, 
    367. 

  367. 				ses.newkeys->trans.algo_mac->keysize, &hs, mactransletter);
    368. 

  368. 		ses.newkeys->trans.hash_index = find_hash(ses.newkeys->trans.algo_mac->hash_desc->name);
    369. 

  369. 	}
    370. 

  370. 

  371. 	if (ses.newkeys->recv.algo_mac->hash_desc != NULL) {
    372. 

  372. 		hashkeys(ses.newkeys->recv.mackey, 
    373. 

  373. 				ses.newkeys->recv.algo_mac->keysize, &hs, macrecvletter);
    374. 

  374. 		ses.newkeys->recv.hash_index = find_hash(ses.newkeys->recv.algo_mac->hash_desc->name);
    375. 

  375. 	}
    376. 

  376. 

  377. 	/* Ready to switch over */
    378. 

  378. 	ses.newkeys->trans.valid = 1;
    379. 

  379. 	ses.newkeys->recv.valid = 1;
    380. 

  380. 

  381. 	m_burn(C2S_IV, sizeof(C2S_IV));
    382. 

  382. 	m_burn(C2S_key, sizeof(C2S_key));
    383. 

  383. 	m_burn(S2C_IV, sizeof(S2C_IV));
    384. 

  384. 	m_burn(S2C_key, sizeof(S2C_key));
    385. 

  385. 	m_burn(&hs, sizeof(hash_state));
    386. 

  386. 

  387. 	TRACE(("leave gen_new_keys"))
    388. 

  388. }
    389. 

  389. 

  390. #ifndef DISABLE_ZLIB
    391. 

  391. 

  392. int is_compress_trans() {
    393. 

  393. 	return ses.keys->trans.algo_comp == DROPBEAR_COMP_ZLIB
    394. 

  394. 		|| (ses.authstate.authdone
    395. 

  395. 			&& ses.keys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
    396. 

  396. }
    397. 

  397. 

  398. int is_compress_recv() {
    399. 

  399. 	return ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB
    400. 

  400. 		|| (ses.authstate.authdone
    401. 

  401. 			&& ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
    402. 

  402. }
    403. 

  403. 

  404. static void* dropbear_zalloc(void* UNUSED(opaque), uInt items, uInt size) {
    405. 

  405. 	return m_calloc(items, size);
    406. 

  406. }
    407. 

  407. 

  408. static void dropbear_zfree(void* UNUSED(opaque), void* ptr) {
    409. 

  409. 	m_free(ptr);
    410. 

  410. }
    411. 

  411. 

  412. /* Set up new zlib compression streams, close the old ones. Only
    413. 

  413.  * called from gen_new_keys() */
    414. 

  414. static void gen_new_zstream_recv() {
    415. 

  415. 

  416. 	/* create new zstreams */
    417. 

  417. 	if (ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB
    418. 

  418. 			|| ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
    419. 

  419. 		ses.newkeys->recv.zstream = (z_streamp)m_malloc(sizeof(z_stream));
    420. 

  420. 		ses.newkeys->recv.zstream->zalloc = dropbear_zalloc;
    421. 

  421. 		ses.newkeys->recv.zstream->zfree = dropbear_zfree;
    422. 

  422. 		
    423. 

  423. 		if (inflateInit(ses.newkeys->recv.zstream) != Z_OK) {
    424. 

  424. 			dropbear_exit("zlib error");
    425. 

  425. 		}
    426. 

  426. 	} else {
    427. 

  427. 		ses.newkeys->recv.zstream = NULL;
    428. 

  428. 	}
    429. 

  429. 	/* clean up old keys */
    430. 

  430. 	if (ses.keys->recv.zstream != NULL) {
    431. 

  431. 		if (inflateEnd(ses.keys->recv.zstream) == Z_STREAM_ERROR) {
    432. 

  432. 			/* Z_DATA_ERROR is ok, just means that stream isn't ended */
    433. 

  433. 			dropbear_exit("Crypto error");
    434. 

  434. 		}
    435. 

  435. 		m_free(ses.keys->recv.zstream);
    436. 

  436. 	}
    437. 

  437. }
    438. 

  438. 

  439. static void gen_new_zstream_trans() {
    440. 

  440. 

  441. 	if (ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB
    442. 

  442. 			|| ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
    443. 

  443. 		ses.newkeys->trans.zstream = (z_streamp)m_malloc(sizeof(z_stream));
    444. 

  444. 		ses.newkeys->trans.zstream->zalloc = dropbear_zalloc;
    445. 

  445. 		ses.newkeys->trans.zstream->zfree = dropbear_zfree;
    446. 

  446. 	
    447. 

  447. 		if (deflateInit2(ses.newkeys->trans.zstream, Z_DEFAULT_COMPRESSION,
    448. 

  448. 					Z_DEFLATED, DROPBEAR_ZLIB_WINDOW_BITS, 
    449. 

  449. 					DROPBEAR_ZLIB_MEM_LEVEL, Z_DEFAULT_STRATEGY)
    450. 

  450. 				!= Z_OK) {
    451. 

  451. 			dropbear_exit("zlib error");
    452. 

  452. 		}
    453. 

  453. 	} else {
    454. 

  454. 		ses.newkeys->trans.zstream = NULL;
    455. 

  455. 	}
    456. 

  456. 

  457. 	if (ses.keys->trans.zstream != NULL) {
    458. 

  458. 		if (deflateEnd(ses.keys->trans.zstream) == Z_STREAM_ERROR) {
    459. 

  459. 			/* Z_DATA_ERROR is ok, just means that stream isn't ended */
    460. 

  460. 			dropbear_exit("Crypto error");
    461. 

  461. 		}
    462. 

  462. 		m_free(ses.keys->trans.zstream);
    463. 

  463. 	}
    464. 

  464. }
    465. 

  465. #endif /* DISABLE_ZLIB */
    466. 

  466. 

  467. 

  468. /* Executed upon receiving a kexinit message from the client to initiate
    469. 

  469.  * key exchange. If we haven't already done so, we send the list of our
    470. 

  470.  * preferred algorithms. The client's requested algorithms are processed,
    471. 

  471.  * and we calculate the first portion of the key-exchange-hash for used
    472. 

  472.  * later in the key exchange. No response is sent, as the client should
    473. 

  473.  * initiate the diffie-hellman key exchange */
    474. 

  474. void recv_msg_kexinit() {
    475. 

  475. 	
    476. 

  476. 	unsigned int kexhashbuf_len = 0;
    477. 

  477. 	unsigned int remote_ident_len = 0;
    478. 

  478. 	unsigned int local_ident_len = 0;
    479. 

  479. 

  480. 	TRACE(("<- KEXINIT"))
    481. 

  481. 	TRACE(("enter recv_msg_kexinit"))
    482. 

  482. 	
    483. 

  483. 	if (!ses.kexstate.sentkexinit) {
    484. 

  484. 		/* we need to send a kex packet */
    485. 

  485. 		send_msg_kexinit();
    486. 

  486. 		TRACE(("continue recv_msg_kexinit: sent kexinit"))
    487. 

  487. 	}
    488. 

  488. 

  489. 	/* "Once a party has sent a SSH_MSG_KEXINIT message ...
    490. 

  490. 	further SSH_MSG_KEXINIT messages MUST NOT be sent" */
    491. 

  491. 	if (ses.kexstate.recvkexinit) {
    492. 

  492. 		dropbear_exit("Unexpected KEXINIT");
    493. 

  493. 	}
    494. 

  494. 

  495. 	/* start the kex hash */
    496. 

  496. 	local_ident_len = strlen(LOCAL_IDENT);
    497. 

  497. 	remote_ident_len = strlen(ses.remoteident);
    498. 

  498. 

  499. 	kexhashbuf_len = local_ident_len + remote_ident_len
    500. 

  500. 		+ ses.transkexinit->len + ses.payload->len
    501. 

  501. 		+ KEXHASHBUF_MAX_INTS;
    502. 

  502. 

  503. 	ses.kexhashbuf = buf_new(kexhashbuf_len);
    504. 

  504. 

  505. 	if (IS_DROPBEAR_CLIENT) {
    506. 

  506. 

  507. 		/* read the peer's choice of algos */
    508. 

  508. 		read_kex_algos();
    509. 

  509. 

  510. 		/* V_C, the client's version string (CR and NL excluded) */
    511. 

  511. 		buf_putstring(ses.kexhashbuf, LOCAL_IDENT, local_ident_len);
    512. 

  512. 		/* V_S, the server's version string (CR and NL excluded) */
    513. 

  513. 		buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
    514. 

  514. 

  515. 		/* I_C, the payload of the client's SSH_MSG_KEXINIT */
    516. 

  516. 		buf_putstring(ses.kexhashbuf,
    517. 

  517. 			(const char*)ses.transkexinit->data, ses.transkexinit->len);
    518. 

  518. 		/* I_S, the payload of the server's SSH_MSG_KEXINIT */
    519. 

  519. 		buf_setpos(ses.payload, ses.payload_beginning);
    520. 

  520. 		buf_putstring(ses.kexhashbuf,
    521. 

  521. 			(const char*)buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
    522. 

  522. 			ses.payload->len-ses.payload->pos);
    523. 

  523. 		ses.requirenext = SSH_MSG_KEXDH_REPLY;
    524. 

  524. 	} else {
    525. 

  525. 		/* SERVER */
    526. 

  526. 

  527. 		/* read the peer's choice of algos */
    528. 

  528. 		read_kex_algos();
    529. 

  529. 		/* V_C, the client's version string (CR and NL excluded) */
    530. 

  530. 		buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
    531. 

  531. 		/* V_S, the server's version string (CR and NL excluded) */
    532. 

  532. 		buf_putstring(ses.kexhashbuf, LOCAL_IDENT, local_ident_len);
    533. 

  533. 

  534. 		/* I_C, the payload of the client's SSH_MSG_KEXINIT */
    535. 

  535. 		buf_setpos(ses.payload, ses.payload_beginning);
    536. 

  536. 		buf_putstring(ses.kexhashbuf, 
    537. 

  537. 			(const char*)buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
    538. 

  538. 			ses.payload->len-ses.payload->pos);
    539. 

  539. 

  540. 		/* I_S, the payload of the server's SSH_MSG_KEXINIT */
    541. 

  541. 		buf_putstring(ses.kexhashbuf,
    542. 

  542. 			(const char*)ses.transkexinit->data, ses.transkexinit->len);
    543. 

  543. 

  544. 		ses.requirenext = SSH_MSG_KEXDH_INIT;
    545. 

  545. 	}
    546. 

  546. 

  547. 	buf_free(ses.transkexinit);
    548. 

  548. 	ses.transkexinit = NULL;
    549. 

  549. 	/* the rest of ses.kexhashbuf will be done after DH exchange */
    550. 

  550. 

  551. 	ses.kexstate.recvkexinit = 1;
    552. 

  552. 

  553. 	TRACE(("leave recv_msg_kexinit"))
    554. 

  554. }
    555. 

  555. 

  556. #if DROPBEAR_NORMAL_DH
    557. 

  557. static void load_dh_p(mp_int * dh_p)
    558. 

  558. {
    559. 

  559. 	bytes_to_mp(dh_p, ses.newkeys->algo_kex->dh_p_bytes, 
    560. 

  560. 		ses.newkeys->algo_kex->dh_p_len);
    561. 

  561. }
    562. 

  562. 

  563. /* Initialises and generate one side of the diffie-hellman key exchange values.
    564. 

  564.  * See the transport rfc 4253 section 8 for details */
    565. 

  565. /* dh_pub and dh_priv MUST be already initialised */
    566. 

  566. struct kex_dh_param *gen_kexdh_param() {
    567. 

  567. 	struct kex_dh_param *param = NULL;
    568. 

  568. 

  569. 	DEF_MP_INT(dh_p);
    570. 

  570. 	DEF_MP_INT(dh_q);
    571. 

  571. 	DEF_MP_INT(dh_g);
    572. 

  572. 

  573. 	TRACE(("enter gen_kexdh_vals"))
    574. 

  574. 

  575. 	param = m_malloc(sizeof(*param));
    576. 

  576. 	m_mp_init_multi(&param->pub, &param->priv, &dh_g, &dh_p, &dh_q, NULL);
    577. 

  577. 

  578. 	/* read the prime and generator*/
    579. 

  579. 	load_dh_p(&dh_p);
    580. 

  580. 	
    581. 

  581. 	mp_set_ul(&dh_g, DH_G_VAL);
    582. 

  582. 

  583. 	/* calculate q = (p-1)/2 */
    584. 

  584. 	/* dh_priv is just a temp var here */
    585. 

  585. 	if (mp_sub_d(&dh_p, 1, &param->priv) != MP_OKAY) { 
    586. 

  586. 		dropbear_exit("Diffie-Hellman error");
    587. 

  587. 	}
    588. 

  588. 	if (mp_div_2(&param->priv, &dh_q) != MP_OKAY) {
    589. 

  589. 		dropbear_exit("Diffie-Hellman error");
    590. 

  590. 	}
    591. 

  591. 

  592. 	/* Generate a private portion 0 < dh_priv < dh_q */
    593. 

  593. 	gen_random_mpint(&dh_q, &param->priv);
    594. 

  594. 

  595. 	/* f = g^y mod p */
    596. 

  596. 	if (mp_exptmod(&dh_g, &param->priv, &dh_p, &param->pub) != MP_OKAY) {
    597. 

  597. 		dropbear_exit("Diffie-Hellman error");
    598. 

  598. 	}
    599. 

  599. 	mp_clear_multi(&dh_g, &dh_p, &dh_q, NULL);
    600. 

  600. 	return param;
    601. 

  601. }
    602. 

  602. 

  603. void free_kexdh_param(struct kex_dh_param *param)
    604. 

  604. {
    605. 

  605. 	mp_clear_multi(&param->pub, &param->priv, NULL);
    606. 

  606. 	m_free(param);
    607. 

  607. }
    608. 

  608. 

  609. /* This function is fairly common between client/server, with some substitution
    610. 

  610.  * of dh_e/dh_f etc. Hence these arguments:
    611. 

  611.  * dh_pub_us is 'e' for the client, 'f' for the server. dh_pub_them is 
    612. 

  612.  * vice-versa. dh_priv is the x/y value corresponding to dh_pub_us */
    613. 

  613. void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them,
    614. 

  614. 		sign_key *hostkey) {
    615. 

  615. 

  616. 	DEF_MP_INT(dh_p);
    617. 

  617. 	DEF_MP_INT(dh_p_min1);
    618. 

  618. 	mp_int *dh_e = NULL, *dh_f = NULL;
    619. 

  619. 

  620. 	m_mp_init_multi(&dh_p, &dh_p_min1, NULL);
    621. 

  621. 	load_dh_p(&dh_p);
    622. 

  622. 

  623. 	if (mp_sub_d(&dh_p, 1, &dh_p_min1) != MP_OKAY) { 
    624. 

  624. 		dropbear_exit("Diffie-Hellman error");
    625. 

  625. 	}
    626. 

  626. 

  627. 	/* Check that dh_pub_them (dh_e or dh_f) is in the range [2, p-2] */
    628. 

  628. 	if (mp_cmp(dh_pub_them, &dh_p_min1) != MP_LT 
    629. 

  629. 			|| mp_cmp_d(dh_pub_them, 1) != MP_GT) {
    630. 

  630. 		dropbear_exit("Diffie-Hellman error");
    631. 

  631. 	}
    632. 

  632. 	
    633. 

  633. 	/* K = e^y mod p = f^x mod p */
    634. 

  634. 	m_mp_alloc_init_multi(&ses.dh_K, NULL);
    635. 

  635. 	if (mp_exptmod(dh_pub_them, &param->priv, &dh_p, ses.dh_K) != MP_OKAY) {
    636. 

  636. 		dropbear_exit("Diffie-Hellman error");
    637. 

  637. 	}
    638. 

  638. 

  639. 	/* clear no longer needed vars */
    640. 

  640. 	mp_clear_multi(&dh_p, &dh_p_min1, NULL);
    641. 

  641. 

  642. 	/* From here on, the code needs to work with the _same_ vars on each side,
    643. 

  643. 	 * not vice-versaing for client/server */
    644. 

  644. 	if (IS_DROPBEAR_CLIENT) {
    645. 

  645. 		dh_e = &param->pub;
    646. 

  646. 		dh_f = dh_pub_them;
    647. 

  647. 	} else {
    648. 

  648. 		dh_e = dh_pub_them;
    649. 

  649. 		dh_f = &param->pub;
    650. 

  650. 	} 
    651. 

  651. 

  652. 	/* Create the remainder of the hash buffer, to generate the exchange hash */
    653. 

  653. 	/* K_S, the host key */
    654. 

  654. 	buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
    655. 

  655. 	/* e, exchange value sent by the client */
    656. 

  656. 	buf_putmpint(ses.kexhashbuf, dh_e);
    657. 

  657. 	/* f, exchange value sent by the server */
    658. 

  658. 	buf_putmpint(ses.kexhashbuf, dh_f);
    659. 

  659. 	/* K, the shared secret */
    660. 

  660. 	buf_putmpint(ses.kexhashbuf, ses.dh_K);
    661. 

  661. 

  662. 	/* calculate the hash H to sign */
    663. 

  663. 	finish_kexhashbuf();
    664. 

  664. }
    665. 

  665. #endif
    666. 

  666. 

  667. #if DROPBEAR_ECDH
    668. 

  668. struct kex_ecdh_param *gen_kexecdh_param() {
    669. 

  669. 	struct kex_ecdh_param *param = m_malloc(sizeof(*param));
    670. 

  670. 	if (ecc_make_key_ex(NULL, dropbear_ltc_prng, 
    671. 

  671. 		&param->key, ses.newkeys->algo_kex->ecc_curve->dp) != CRYPT_OK) {
    672. 

  672. 		dropbear_exit("ECC error");
    673. 

  673. 	}
    674. 

  674. 	return param;
    675. 

  675. }
    676. 

  676. 

  677. void free_kexecdh_param(struct kex_ecdh_param *param) {
    678. 

  678. 	ecc_free(&param->key);
    679. 

  679. 	m_free(param);
    680. 

  680. 

  681. }
    682. 

  682. void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them,
    683. 

  683. 		sign_key *hostkey) {
    684. 

  684. 	const struct dropbear_kex *algo_kex = ses.newkeys->algo_kex;
    685. 

  685. 	/* public keys from client and server */
    686. 

  686. 	ecc_key *Q_C, *Q_S, *Q_them;
    687. 

  687. 

  688. 	Q_them = buf_get_ecc_raw_pubkey(pub_them, algo_kex->ecc_curve);
    689. 

  689. 	if (Q_them == NULL) {
    690. 

  690. 		dropbear_exit("ECC error");
    691. 

  691. 	}
    692. 

  692. 

  693. 	ses.dh_K = dropbear_ecc_shared_secret(Q_them, &param->key);
    694. 

  694. 

  695. 	/* Create the remainder of the hash buffer, to generate the exchange hash
    696. 

  696. 	   See RFC5656 section 4 page 7 */
    697. 

  697. 	if (IS_DROPBEAR_CLIENT) {
    698. 

  698. 		Q_C = &param->key;
    699. 

  699. 		Q_S = Q_them;
    700. 

  700. 	} else {
    701. 

  701. 		Q_C = Q_them;
    702. 

  702. 		Q_S = &param->key;
    703. 

  703. 	} 
    704. 

  704. 

  705. 	/* K_S, the host key */
    706. 

  706. 	buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
    707. 

  707. 	/* Q_C, client's ephemeral public key octet string */
    708. 

  708. 	buf_put_ecc_raw_pubkey_string(ses.kexhashbuf, Q_C);
    709. 

  709. 	/* Q_S, server's ephemeral public key octet string */
    710. 

  710. 	buf_put_ecc_raw_pubkey_string(ses.kexhashbuf, Q_S);
    711. 

  711. 	/* K, the shared secret */
    712. 

  712. 	buf_putmpint(ses.kexhashbuf, ses.dh_K);
    713. 

  713. 

  714. 	ecc_free(Q_them);
    715. 

  715. 	m_free(Q_them);
    716. 

  716. 

  717. 	/* calculate the hash H to sign */
    718. 

  718. 	finish_kexhashbuf();
    719. 

  719. }
    720. 

  720. #endif /* DROPBEAR_ECDH */
    721. 

  721. 

  722. #if DROPBEAR_CURVE25519
    723. 

  723. struct kex_curve25519_param *gen_kexcurve25519_param() {
    724. 

  724. 	/* Per http://cr.yp.to/ecdh.html */
    725. 

  725. 	struct kex_curve25519_param *param = m_malloc(sizeof(*param));
    726. 

  726. 	const unsigned char basepoint[32] = {9};
    727. 

  727. 

  728. 	genrandom(param->priv, CURVE25519_LEN);
    729. 

  729. 	dropbear_curve25519_scalarmult(param->pub, param->priv, basepoint);
    730. 

  730. 

  731. 	return param;
    732. 

  732. }
    733. 

  733. 

  734. void free_kexcurve25519_param(struct kex_curve25519_param *param) {
    735. 

  735. 	m_burn(param->priv, CURVE25519_LEN);
    736. 

  736. 	m_free(param);
    737. 

  737. }
    738. 

  738. 

  739. void kexcurve25519_comb_key(const struct kex_curve25519_param *param, const buffer *buf_pub_them,
    740. 

  740. 	sign_key *hostkey) {
    741. 

  741. 	unsigned char out[CURVE25519_LEN];
    742. 

  742. 	const unsigned char* Q_C = NULL;
    743. 

  743. 	const unsigned char* Q_S = NULL;
    744. 

  744. 	char zeroes[CURVE25519_LEN] = {0};
    745. 

  745. 

  746. 	if (buf_pub_them->len != CURVE25519_LEN)
    747. 

  747. 	{
    748. 

  748. 		dropbear_exit("Bad curve25519");
    749. 

  749. 	}
    750. 

  750. 

  751. 	dropbear_curve25519_scalarmult(out, param->priv, buf_pub_them->data);
    752. 

  752. 

  753. 	if (constant_time_memcmp(zeroes, out, CURVE25519_LEN) == 0) {
    754. 

  754. 		dropbear_exit("Bad curve25519");
    755. 

  755. 	}
    756. 

  756. 

  757. 	m_mp_alloc_init_multi(&ses.dh_K, NULL);
    758. 

  758. 	bytes_to_mp(ses.dh_K, out, CURVE25519_LEN);
    759. 

  759. 	m_burn(out, sizeof(out));
    760. 

  760. 

  761. 	/* Create the remainder of the hash buffer, to generate the exchange hash.
    762. 

  762. 	   See RFC5656 section 4 page 7 */
    763. 

  763. 	if (IS_DROPBEAR_CLIENT) {
    764. 

  764. 		Q_C = param->pub;
    765. 

  765. 		Q_S = buf_pub_them->data;
    766. 

  766. 	} else {
    767. 

  767. 		Q_S = param->pub;
    768. 

  768. 		Q_C = buf_pub_them->data;
    769. 

  769. 	}
    770. 

  770. 

  771. 	/* K_S, the host key */
    772. 

  772. 	buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
    773. 

  773. 	/* Q_C, client's ephemeral public key octet string */
    774. 

  774. 	buf_putstring(ses.kexhashbuf, (const char*)Q_C, CURVE25519_LEN);
    775. 

  775. 	/* Q_S, server's ephemeral public key octet string */
    776. 

  776. 	buf_putstring(ses.kexhashbuf, (const char*)Q_S, CURVE25519_LEN);
    777. 

  777. 	/* K, the shared secret */
    778. 

  778. 	buf_putmpint(ses.kexhashbuf, ses.dh_K);
    779. 

  779. 

  780. 	/* calculate the hash H to sign */
    781. 

  781. 	finish_kexhashbuf();
    782. 

  782. }
    783. 

  783. #endif /* DROPBEAR_CURVE25519 */
    784. 

  784. 

  785. 

  786. void finish_kexhashbuf(void) {
    787. 

  787. 	hash_state hs;
    788. 

  788. 	const struct ltc_hash_descriptor *hash_desc = ses.newkeys->algo_kex->hash_desc;
    789. 

  789. 

  790. 	hash_desc->init(&hs);
    791. 

  791. 	buf_setpos(ses.kexhashbuf, 0);
    792. 

  792. 	hash_desc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
    793. 

  793. 			ses.kexhashbuf->len);
    794. 

  794. 	ses.hash = buf_new(hash_desc->hashsize);
    795. 

  795. 	hash_desc->done(&hs, buf_getwriteptr(ses.hash, hash_desc->hashsize));
    796. 

  796. 	buf_setlen(ses.hash, hash_desc->hashsize);
    797. 

  797. 

  798. #if defined(DEBUG_KEXHASH) && DEBUG_TRACE
    799. 

  799. 	if (!debug_trace) {
    800. 

  800. 		printhex("kexhashbuf", ses.kexhashbuf->data, ses.kexhashbuf->len);
    801. 

  801. 		printhex("kexhash", ses.hash->data, ses.hash->len);
    802. 

  802. 	}
    803. 

  803. #endif
    804. 

  804. 

  805. 	buf_burn_free(ses.kexhashbuf);
    806. 

  806. 	m_burn(&hs, sizeof(hash_state));
    807. 

  807. 	ses.kexhashbuf = NULL;
    808. 

  808. 	
    809. 

  809. 	/* first time around, we set the session_id to H */
    810. 

  810. 	if (ses.session_id == NULL) {
    811. 

  811. 		/* create the session_id, this never needs freeing */
    812. 

  812. 		ses.session_id = buf_newcopy(ses.hash);
    813. 

  813. 	}
    814. 

  814. }
    815. 

  815. 

  816. /* read the other side's algo list. buf_match_algo is a callback to match
    817. 

  817.  * algos for the client or server. */
    818. 

  818. static void read_kex_algos() {
    819. 

  819. 

  820. 	/* for asymmetry */
    821. 

  821. 	algo_type * c2s_hash_algo = NULL;
    822. 

  822. 	algo_type * s2c_hash_algo = NULL;
    823. 

  823. 	algo_type * c2s_cipher_algo = NULL;
    824. 

  824. 	algo_type * s2c_cipher_algo = NULL;
    825. 

  825. 	algo_type * c2s_comp_algo = NULL;
    826. 

  826. 	algo_type * s2c_comp_algo = NULL;
    827. 

  827. 	/* the generic one */
    828. 

  828. 	algo_type * algo = NULL;
    829. 

  829. 

  830. 	/* which algo couldn't match */
    831. 

  831. 	char * erralgo = NULL;
    832. 

  832. 

  833. 	int goodguess = 0;
    834. 

  834. 	int allgood = 1; /* we AND this with each goodguess and see if its still
    835. 

  835. 						true after */
    836. 

  836. 	int kexguess2 = 0;
    837. 

  837. 

  838. 	buf_incrpos(ses.payload, 16); /* start after the cookie */
    839. 

  839. 

  840. 	memset(ses.newkeys, 0x0, sizeof(*ses.newkeys));
    841. 

  841. 

  842. 	/* kex_algorithms */
    843. 

  843. #if DROPBEAR_KEXGUESS2
    844. 

  844. 	if (buf_has_algo(ses.payload, KEXGUESS2_ALGO_NAME) == DROPBEAR_SUCCESS) {
    845. 

  845. 		kexguess2 = 1;
    846. 

  846. 	}
    847. 

  847. #endif
    848. 

  848. 

  849. #if DROPBEAR_EXT_INFO
    850. 

  850. 	/* Determine if SSH_MSG_EXT_INFO messages should be sent.
    851. 

  851. 	Should be done for the first key exchange. Only required on server side
    852. 

  852.     for server-sig-algs */
    853. 

  853. 	if (IS_DROPBEAR_SERVER) {
    854. 

  854. 		if (!ses.kexstate.donefirstkex) {
    855. 

  855. 			if (buf_has_algo(ses.payload, SSH_EXT_INFO_C) == DROPBEAR_SUCCESS) {
    856. 

  856. 				ses.allow_ext_info = 1;
    857. 

  857. 			}
    858. 

  858. 		}
    859. 

  859. 	}
    860. 

  860. #endif
    861. 

  861. 

  862. 	algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess);
    863. 

  863. 	allgood &= goodguess;
    864. 

  864. 	if (algo == NULL || algo->data == NULL) {
    865. 

  865. 		/* kexguess2, ext-info-c, ext-info-s should not match negotiation */
    866. 

  866. 		erralgo = "kex";
    867. 

  867. 		goto error;
    868. 

  868. 	}
    869. 

  869. 	TRACE(("kexguess2 %d", kexguess2))
    870. 

  870. 	DEBUG3(("kex algo %s", algo->name))
    871. 

  871. 	ses.newkeys->algo_kex = algo->data;
    872. 

  872. 

  873. 	/* server_host_key_algorithms */
    874. 

  874. 	algo = buf_match_algo(ses.payload, sigalgs, kexguess2, &goodguess);
    875. 

  875. 	allgood &= goodguess;
    876. 

  876. 	if (algo == NULL) {
    877. 

  877. 		erralgo = "hostkey";
    878. 

  878. 		goto error;
    879. 

  879. 	}
    880. 

  880. 	DEBUG2(("hostkey algo %s", algo->name))
    881. 

  881. 	ses.newkeys->algo_signature = algo->val;
    882. 

  882. 	ses.newkeys->algo_hostkey = signkey_type_from_signature(ses.newkeys->algo_signature);
    883. 

  883. 

  884. 	/* encryption_algorithms_client_to_server */
    885. 

  885. 	c2s_cipher_algo = buf_match_algo(ses.payload, sshciphers, 0, NULL);
    886. 

  886. 	if (c2s_cipher_algo == NULL) {
    887. 

  887. 		erralgo = "enc c->s";
    888. 

  888. 		goto error;
    889. 

  889. 	}
    890. 

  890. 	DEBUG2(("enc  c2s is %s", c2s_cipher_algo->name))
    891. 

  891. 

  892. 	/* encryption_algorithms_server_to_client */
    893. 

  893. 	s2c_cipher_algo = buf_match_algo(ses.payload, sshciphers, 0, NULL);
    894. 

  894. 	if (s2c_cipher_algo == NULL) {
    895. 

  895. 		erralgo = "enc s->c";
    896. 

  896. 		goto error;
    897. 

  897. 	}
    898. 

  898. 	DEBUG2(("enc  s2c is %s", s2c_cipher_algo->name))
    899. 

  899. 

  900. 	/* mac_algorithms_client_to_server */
    901. 

  901. 	c2s_hash_algo = buf_match_algo(ses.payload, sshhashes, 0, NULL);
    902. 

  902. #if DROPBEAR_AEAD_MODE
    903. 

  903. 	if (((struct dropbear_cipher_mode*)c2s_cipher_algo->mode)->aead_crypt != NULL) {
    904. 

  904. 		c2s_hash_algo = NULL;
    905. 

  905. 	} else
    906. 

  906. #endif
    907. 

  907. 	if (c2s_hash_algo == NULL) {
    908. 

  908. 		erralgo = "mac c->s";
    909. 

  909. 		goto error;
    910. 

  910. 	}
    911. 

  911. 	DEBUG2(("hmac c2s is %s", c2s_hash_algo ? c2s_hash_algo->name : "<implicit>"))
    912. 

  912. 

  913. 	/* mac_algorithms_server_to_client */
    914. 

  914. 	s2c_hash_algo = buf_match_algo(ses.payload, sshhashes, 0, NULL);
    915. 

  915. #if DROPBEAR_AEAD_MODE
    916. 

  916. 	if (((struct dropbear_cipher_mode*)s2c_cipher_algo->mode)->aead_crypt != NULL) {
    917. 

  917. 		s2c_hash_algo = NULL;
    918. 

  918. 	} else
    919. 

  919. #endif
    920. 

  920. 	if (s2c_hash_algo == NULL) {
    921. 

  921. 		erralgo = "mac s->c";
    922. 

  922. 		goto error;
    923. 

  923. 	}
    924. 

  924. 	DEBUG2(("hmac s2c is %s", s2c_hash_algo ? s2c_hash_algo->name : "<implicit>"))
    925. 

  925. 

  926. 	/* compression_algorithms_client_to_server */
    927. 

  927. 	c2s_comp_algo = buf_match_algo(ses.payload, ses.compress_algos, 0, NULL);
    928. 

  928. 	if (c2s_comp_algo == NULL) {
    929. 

  929. 		erralgo = "comp c->s";
    930. 

  930. 		goto error;
    931. 

  931. 	}
    932. 

  932. 	DEBUG2(("comp c2s is %s", c2s_comp_algo->name))
    933. 

  933. 

  934. 	/* compression_algorithms_server_to_client */
    935. 

  935. 	s2c_comp_algo = buf_match_algo(ses.payload, ses.compress_algos, 0, NULL);
    936. 

  936. 	if (s2c_comp_algo == NULL) {
    937. 

  937. 		erralgo = "comp s->c";
    938. 

  938. 		goto error;
    939. 

  939. 	}
    940. 

  940. 	DEBUG2(("comp s2c is %s", s2c_comp_algo->name))
    941. 

  941. 

  942. 	/* languages_client_to_server */
    943. 

  943. 	buf_eatstring(ses.payload);
    944. 

  944. 

  945. 	/* languages_server_to_client */
    946. 

  946. 	buf_eatstring(ses.payload);
    947. 

  947. 

  948. 	/* their first_kex_packet_follows */
    949. 

  949. 	if (buf_getbool(ses.payload)) {
    950. 

  950. 		TRACE(("them kex firstfollows. allgood %d", allgood))
    951. 

  951. 		ses.kexstate.them_firstfollows = 1;
    952. 

  952. 		/* if the guess wasn't good, we ignore the packet sent */
    953. 

  953. 		if (!allgood) {
    954. 

  954. 			ses.ignorenext = 1;
    955. 

  955. 		}
    956. 

  956. 	}
    957. 

  957. 

  958. 	/* Handle the asymmetry */
    959. 

  959. 	if (IS_DROPBEAR_CLIENT) {
    960. 

  960. 		ses.newkeys->recv.algo_crypt = 
    961. 

  961. 			(struct dropbear_cipher*)s2c_cipher_algo->data;
    962. 

  962. 		ses.newkeys->trans.algo_crypt = 
    963. 

  963. 			(struct dropbear_cipher*)c2s_cipher_algo->data;
    964. 

  964. 		ses.newkeys->recv.crypt_mode = 
    965. 

  965. 			(struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
    966. 

  966. 		ses.newkeys->trans.crypt_mode =
    967. 

  967. 			(struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
    968. 

  968. 		ses.newkeys->recv.algo_mac = 
    969. 

  969. #if DROPBEAR_AEAD_MODE
    970. 

  970. 			s2c_hash_algo == NULL ? ses.newkeys->recv.crypt_mode->aead_mac :
    971. 

  971. #endif
    972. 

  972. 			(struct dropbear_hash*)s2c_hash_algo->data;
    973. 

  973. 		ses.newkeys->trans.algo_mac = 
    974. 

  974. #if DROPBEAR_AEAD_MODE
    975. 

  975. 			c2s_hash_algo == NULL ? ses.newkeys->trans.crypt_mode->aead_mac :
    976. 

  976. #endif
    977. 

  977. 			(struct dropbear_hash*)c2s_hash_algo->data;
    978. 

  978. 		ses.newkeys->recv.algo_comp = s2c_comp_algo->val;
    979. 

  979. 		ses.newkeys->trans.algo_comp = c2s_comp_algo->val;
    980. 

  980. 	} else {
    981. 

  981. 		/* SERVER */
    982. 

  982. 		ses.newkeys->recv.algo_crypt = 
    983. 

  983. 			(struct dropbear_cipher*)c2s_cipher_algo->data;
    984. 

  984. 		ses.newkeys->trans.algo_crypt = 
    985. 

  985. 			(struct dropbear_cipher*)s2c_cipher_algo->data;
    986. 

  986. 		ses.newkeys->recv.crypt_mode =
    987. 

  987. 			(struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
    988. 

  988. 		ses.newkeys->trans.crypt_mode =
    989. 

  989. 			(struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
    990. 

  990. 		ses.newkeys->recv.algo_mac = 
    991. 

  991. #if DROPBEAR_AEAD_MODE
    992. 

  992. 			c2s_hash_algo == NULL ? ses.newkeys->recv.crypt_mode->aead_mac :
    993. 

  993. #endif
    994. 

  994. 			(struct dropbear_hash*)c2s_hash_algo->data;
    995. 

  995. 		ses.newkeys->trans.algo_mac = 
    996. 

  996. #if DROPBEAR_AEAD_MODE
    997. 

  997. 			s2c_hash_algo == NULL ? ses.newkeys->trans.crypt_mode->aead_mac :
    998. 

  998. #endif
    999. 

  999. 			(struct dropbear_hash*)s2c_hash_algo->data;
    1000. 

  1000. 		ses.newkeys->recv.algo_comp = c2s_comp_algo->val;
    1001. 

  1001. 		ses.newkeys->trans.algo_comp = s2c_comp_algo->val;
    1002. 

  1002. 	}
    1003. 

  1003. 

  1004. #if DROPBEAR_FUZZ
    1005. 

  1005. 	if (fuzz.fuzzing) {
    1006. 

  1006. 		fuzz_kex_fakealgos();
    1007. 

  1007. 	}
    1008. 

  1008. #endif
    1009. 

  1009. 

  1010. 	/* reserved for future extensions */
    1011. 

  1011. 	buf_getint(ses.payload);
    1012. 

  1012. 

  1013. 	if (ses.send_kex_first_guess && allgood) {
    1014. 

  1014. 		TRACE(("our_first_follows_matches 1"))
    1015. 

  1015. 		ses.kexstate.our_first_follows_matches = 1;
    1016. 

  1016. 	}
    1017. 

  1017. 	return;
    1018. 

  1018. 

  1019. error:
    1020. 

  1020. 	dropbear_exit("No matching algo %s", erralgo);
    1021. 

  1021. }
    1022.