4 * Copyright (c) 2002-2004 Matt Johnston
5 * Portions Copyright (c) 2004 by Mihnea Stoenescu
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
38 /* diffie-hellman-group1-sha1 value for p */
39 static const unsigned char dh_p_val
[] = {
40 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
41 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
42 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
43 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
44 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
45 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
46 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
47 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
48 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
49 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
50 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
51 #define DH_P_LEN sizeof(dh_p_val)
53 static const int DH_G_VAL
= 2;
55 static void kexinitialise();
58 static void gen_new_zstreams();
60 static void read_kex_algos();
61 /* helper function for gen_new_keys */
62 static void hashkeys(unsigned char *out
, int outlen
,
63 const hash_state
* hs
, unsigned const char X
);
66 /* Send our list of algorithms we can use */
67 void send_msg_kexinit() {
70 buf_putbyte(ses
.writepayload
, SSH_MSG_KEXINIT
);
73 genrandom(buf_getwriteptr(ses
.writepayload
, 16), 16);
74 buf_incrwritepos(ses
.writepayload
, 16);
77 buf_put_algolist(ses
.writepayload
, sshkex
);
79 /* server_host_key_algorithms */
80 buf_put_algolist(ses
.writepayload
, sshhostkey
);
82 /* encryption_algorithms_client_to_server */
83 buf_put_algolist(ses
.writepayload
, sshciphers
);
85 /* encryption_algorithms_server_to_client */
86 buf_put_algolist(ses
.writepayload
, sshciphers
);
88 /* mac_algorithms_client_to_server */
89 buf_put_algolist(ses
.writepayload
, sshhashes
);
91 /* mac_algorithms_server_to_client */
92 buf_put_algolist(ses
.writepayload
, sshhashes
);
94 /* compression_algorithms_client_to_server */
95 buf_put_algolist(ses
.writepayload
, ses
.compress_algos
);
97 /* compression_algorithms_server_to_client */
98 buf_put_algolist(ses
.writepayload
, ses
.compress_algos
);
100 /* languages_client_to_server */
101 buf_putstring(ses
.writepayload
, "", 0);
103 /* languages_server_to_client */
104 buf_putstring(ses
.writepayload
, "", 0);
106 /* first_kex_packet_follows - unimplemented for now */
107 buf_putbyte(ses
.writepayload
, 0x00);
109 /* reserved unit32 */
110 buf_putint(ses
.writepayload
, 0);
112 /* set up transmitted kex packet buffer for hashing.
113 * This is freed after the end of the kex */
114 ses
.transkexinit
= buf_newcopy(ses
.writepayload
);
117 ses
.dataallowed
= 0; /* don't send other packets during kex */
119 TRACE(("DATAALLOWED=0"))
120 TRACE(("-> KEXINIT"))
121 ses
.kexstate
.sentkexinit
= 1;
124 /* *** NOTE regarding (send|recv)_msg_newkeys ***
125 * Changed by mihnea from the original kex.c to set dataallowed after a
126 * completed key exchange, no matter the order in which it was performed.
127 * This enables client mode without affecting server functionality.
130 /* Bring new keys into use after a key exchange, and let the client know*/
131 void send_msg_newkeys() {
133 TRACE(("enter send_msg_newkeys"))
135 /* generate the kexinit request */
137 buf_putbyte(ses
.writepayload
, SSH_MSG_NEWKEYS
);
141 /* set up our state */
142 if (ses
.kexstate
.recvnewkeys
) {
143 TRACE(("while RECVNEWKEYS=1"))
145 kexinitialise(); /* we've finished with this kex */
146 TRACE((" -> DATAALLOWED=1"))
147 ses
.dataallowed
= 1; /* we can send other packets again now */
148 ses
.kexstate
.donefirstkex
= 1;
150 ses
.kexstate
.sentnewkeys
= 1;
151 TRACE(("SENTNEWKEYS=1"))
154 TRACE(("-> MSG_NEWKEYS"))
155 TRACE(("leave send_msg_newkeys"))
158 /* Bring the new keys into use after a key exchange */
159 void recv_msg_newkeys() {
161 TRACE(("<- MSG_NEWKEYS"))
162 TRACE(("enter recv_msg_newkeys"))
164 /* simply check if we've sent SSH_MSG_NEWKEYS, and if so,
165 * switch to the new keys */
166 if (ses
.kexstate
.sentnewkeys
) {
167 TRACE(("while SENTNEWKEYS=1"))
169 kexinitialise(); /* we've finished with this kex */
170 TRACE((" -> DATAALLOWED=1"))
171 ses
.dataallowed
= 1; /* we can send other packets again now */
172 ses
.kexstate
.donefirstkex
= 1;
174 TRACE(("RECVNEWKEYS=1"))
175 ses
.kexstate
.recvnewkeys
= 1;
178 TRACE(("leave recv_msg_newkeys"))
182 /* Set up the kex for the first time */
183 void kexfirstinitialise() {
184 ses
.kexstate
.donefirstkex
= 0;
187 if (opts
.enable_compress
) {
188 ses
.compress_algos
= ssh_compress
;
192 ses
.compress_algos
= ssh_nocompress
;
197 /* Reset the kex state, ready for a new negotiation */
198 static void kexinitialise() {
200 TRACE(("kexinitialise()"))
202 /* sent/recv'd MSG_KEXINIT */
203 ses
.kexstate
.sentkexinit
= 0;
204 ses
.kexstate
.recvkexinit
= 0;
206 /* sent/recv'd MSG_NEWKEYS */
207 ses
.kexstate
.recvnewkeys
= 0;
208 ses
.kexstate
.sentnewkeys
= 0;
210 /* first_packet_follows */
211 ses
.kexstate
.firstfollows
= 0;
213 ses
.kexstate
.datatrans
= 0;
214 ses
.kexstate
.datarecv
= 0;
216 ses
.kexstate
.lastkextime
= time(NULL
);
220 /* Helper function for gen_new_keys, creates a hash. It makes a copy of the
221 * already initialised hash_state hs, which should already have processed
222 * the dh_K and hash, since these are common. X is the letter 'A', 'B' etc.
223 * out must have at least min(SHA1_HASH_SIZE, outlen) bytes allocated.
224 * The output will only be expanded once, as we are assured that
225 * outlen <= 2*SHA1_HASH_SIZE for all known hashes.
227 * See Section 7.2 of rfc4253 (ssh transport) for details */
228 static void hashkeys(unsigned char *out
, int outlen
,
229 const hash_state
* hs
, const unsigned char X
) {
232 unsigned char k2
[SHA1_HASH_SIZE
]; /* used to extending */
234 memcpy(&hs2
, hs
, sizeof(hash_state
));
235 sha1_process(&hs2
, &X
, 1);
236 sha1_process(&hs2
, ses
.session_id
, SHA1_HASH_SIZE
);
237 sha1_done(&hs2
, out
);
238 if (SHA1_HASH_SIZE
< outlen
) {
240 memcpy(&hs2
, hs
, sizeof(hash_state
));
241 sha1_process(&hs2
, out
, SHA1_HASH_SIZE
);
243 memcpy(&out
[SHA1_HASH_SIZE
], k2
, outlen
- SHA1_HASH_SIZE
);
247 /* Generate the actual encryption/integrity keys, using the results of the
248 * key exchange, as specified in section 5.2 of the IETF secsh-transport
249 * draft. This occurs after the DH key-exchange.
251 * ses.newkeys is the new set of keys which are generated, these are only
252 * taken into use after both sides have sent a newkeys message */
254 /* Originally from kex.c, generalized for cli/svr mode --mihnea */
255 void gen_new_keys() {
257 unsigned char C2S_IV
[MAX_IV_LEN
];
258 unsigned char C2S_key
[MAX_KEY_LEN
];
259 unsigned char S2C_IV
[MAX_IV_LEN
];
260 unsigned char S2C_key
[MAX_KEY_LEN
];
261 /* unsigned char key[MAX_KEY_LEN]; */
262 unsigned char *trans_IV
, *trans_key
, *recv_IV
, *recv_key
;
265 unsigned int C2S_keysize
, S2C_keysize
;
266 char mactransletter
, macrecvletter
; /* Client or server specific */
267 int recv_cipher
= 0, trans_cipher
= 0;
269 TRACE(("enter gen_new_keys"))
270 /* the dh_K and hash are the start of all hashes, we make use of that */
273 sha1_process_mp(&hs
, ses
.dh_K
);
276 sha1_process(&hs
, ses
.hash
, SHA1_HASH_SIZE
);
277 m_burn(ses
.hash
, SHA1_HASH_SIZE
);
279 if (IS_DROPBEAR_CLIENT
) {
284 C2S_keysize
= ses
.newkeys
->trans
.algo_crypt
->keysize
;
285 S2C_keysize
= ses
.newkeys
->recv
.algo_crypt
->keysize
;
286 mactransletter
= 'E';
293 C2S_keysize
= ses
.newkeys
->recv
.algo_crypt
->keysize
;
294 S2C_keysize
= ses
.newkeys
->trans
.algo_crypt
->keysize
;
295 mactransletter
= 'F';
299 hashkeys(C2S_IV
, SHA1_HASH_SIZE
, &hs
, 'A');
300 hashkeys(S2C_IV
, SHA1_HASH_SIZE
, &hs
, 'B');
301 hashkeys(C2S_key
, C2S_keysize
, &hs
, 'C');
302 hashkeys(S2C_key
, S2C_keysize
, &hs
, 'D');
304 recv_cipher
= find_cipher(ses
.newkeys
->recv
.algo_crypt
->cipherdesc
->name
);
306 dropbear_exit("crypto error");
307 if (ses
.newkeys
->recv
.crypt_mode
->start(recv_cipher
,
309 ses
.newkeys
->recv
.algo_crypt
->keysize
, 0,
310 &ses
.newkeys
->recv
.cipher_state
) != CRYPT_OK
) {
311 dropbear_exit("crypto error");
314 trans_cipher
= find_cipher(ses
.newkeys
->trans
.algo_crypt
->cipherdesc
->name
);
315 if (trans_cipher
< 0)
316 dropbear_exit("crypto error");
317 if (ses
.newkeys
->trans
.crypt_mode
->start(trans_cipher
,
319 ses
.newkeys
->trans
.algo_crypt
->keysize
, 0,
320 &ses
.newkeys
->trans
.cipher_state
) != CRYPT_OK
) {
321 dropbear_exit("crypto error");
325 hashkeys(ses
.newkeys
->trans
.mackey
,
326 ses
.newkeys
->trans
.algo_mac
->keysize
, &hs
, mactransletter
);
327 hashkeys(ses
.newkeys
->recv
.mackey
,
328 ses
.newkeys
->recv
.algo_mac
->keysize
, &hs
, macrecvletter
);
329 ses
.newkeys
->trans
.hash_index
= find_hash(ses
.newkeys
->trans
.algo_mac
->hashdesc
->name
),
330 ses
.newkeys
->recv
.hash_index
= find_hash(ses
.newkeys
->recv
.algo_mac
->hashdesc
->name
),
336 /* Switch over to the new keys */
337 m_burn(ses
.keys
, sizeof(struct key_context
));
339 ses
.keys
= ses
.newkeys
;
342 TRACE(("leave gen_new_keys"))
347 int is_compress_trans() {
348 return ses
.keys
->trans
.algo_comp
== DROPBEAR_COMP_ZLIB
349 || (ses
.authstate
.authdone
350 && ses
.keys
->trans
.algo_comp
== DROPBEAR_COMP_ZLIB_DELAY
);
353 int is_compress_recv() {
354 return ses
.keys
->recv
.algo_comp
== DROPBEAR_COMP_ZLIB
355 || (ses
.authstate
.authdone
356 && ses
.keys
->recv
.algo_comp
== DROPBEAR_COMP_ZLIB_DELAY
);
359 /* Set up new zlib compression streams, close the old ones. Only
360 * called from gen_new_keys() */
361 static void gen_new_zstreams() {
363 /* create new zstreams */
364 if (ses
.newkeys
->recv
.algo_comp
== DROPBEAR_COMP_ZLIB
365 || ses
.newkeys
->recv
.algo_comp
== DROPBEAR_COMP_ZLIB_DELAY
) {
366 ses
.newkeys
->recv
.zstream
= (z_streamp
)m_malloc(sizeof(z_stream
));
367 ses
.newkeys
->recv
.zstream
->zalloc
= Z_NULL
;
368 ses
.newkeys
->recv
.zstream
->zfree
= Z_NULL
;
370 if (inflateInit(ses
.newkeys
->recv
.zstream
) != Z_OK
) {
371 dropbear_exit("zlib error");
374 ses
.newkeys
->recv
.zstream
= NULL
;
377 if (ses
.newkeys
->trans
.algo_comp
== DROPBEAR_COMP_ZLIB
378 || ses
.newkeys
->trans
.algo_comp
== DROPBEAR_COMP_ZLIB_DELAY
) {
379 ses
.newkeys
->trans
.zstream
= (z_streamp
)m_malloc(sizeof(z_stream
));
380 ses
.newkeys
->trans
.zstream
->zalloc
= Z_NULL
;
381 ses
.newkeys
->trans
.zstream
->zfree
= Z_NULL
;
383 if (deflateInit2(ses
.newkeys
->trans
.zstream
, Z_DEFAULT_COMPRESSION
,
384 Z_DEFLATED
, DROPBEAR_ZLIB_WINDOW_BITS
,
385 DROPBEAR_ZLIB_MEM_LEVEL
, Z_DEFAULT_STRATEGY
)
387 dropbear_exit("zlib error");
390 ses
.newkeys
->trans
.zstream
= NULL
;
393 /* clean up old keys */
394 if (ses
.keys
->recv
.zstream
!= NULL
) {
395 if (inflateEnd(ses
.keys
->recv
.zstream
) == Z_STREAM_ERROR
) {
396 /* Z_DATA_ERROR is ok, just means that stream isn't ended */
397 dropbear_exit("crypto error");
399 m_free(ses
.keys
->recv
.zstream
);
401 if (ses
.keys
->trans
.zstream
!= NULL
) {
402 if (deflateEnd(ses
.keys
->trans
.zstream
) == Z_STREAM_ERROR
) {
403 /* Z_DATA_ERROR is ok, just means that stream isn't ended */
404 dropbear_exit("crypto error");
406 m_free(ses
.keys
->trans
.zstream
);
409 #endif /* DISABLE_ZLIB */
412 /* Executed upon receiving a kexinit message from the client to initiate
413 * key exchange. If we haven't already done so, we send the list of our
414 * preferred algorithms. The client's requested algorithms are processed,
415 * and we calculate the first portion of the key-exchange-hash for used
416 * later in the key exchange. No response is sent, as the client should
417 * initiate the diffie-hellman key exchange */
419 /* Originally from kex.c, generalized for cli/svr mode --mihnea */
420 /* Belongs in common_kex.c where it should be moved after review */
421 void recv_msg_kexinit() {
423 unsigned int kexhashbuf_len
= 0;
424 unsigned int remote_ident_len
= 0;
425 unsigned int local_ident_len
= 0;
427 TRACE(("<- KEXINIT"))
428 TRACE(("enter recv_msg_kexinit"))
430 if (!ses
.kexstate
.sentkexinit
) {
431 /* we need to send a kex packet */
433 TRACE(("continue recv_msg_kexinit: sent kexinit"))
436 /* start the kex hash */
437 local_ident_len
= strlen(LOCAL_IDENT
);
438 remote_ident_len
= strlen((char*)ses
.remoteident
);
440 kexhashbuf_len
= local_ident_len
+ remote_ident_len
441 + ses
.transkexinit
->len
+ ses
.payload
->len
442 + KEXHASHBUF_MAX_INTS
;
444 ses
.kexhashbuf
= buf_new(kexhashbuf_len
);
446 if (IS_DROPBEAR_CLIENT
) {
448 /* read the peer's choice of algos */
451 /* V_C, the client's version string (CR and NL excluded) */
452 buf_putstring(ses
.kexhashbuf
,
453 (unsigned char*)LOCAL_IDENT
, local_ident_len
);
454 /* V_S, the server's version string (CR and NL excluded) */
455 buf_putstring(ses
.kexhashbuf
, ses
.remoteident
, remote_ident_len
);
457 /* I_C, the payload of the client's SSH_MSG_KEXINIT */
458 buf_putstring(ses
.kexhashbuf
,
459 ses
.transkexinit
->data
, ses
.transkexinit
->len
);
460 /* I_S, the payload of the server's SSH_MSG_KEXINIT */
461 buf_setpos(ses
.payload
, 0);
462 buf_putstring(ses
.kexhashbuf
, ses
.payload
->data
, ses
.payload
->len
);
467 /* read the peer's choice of algos */
469 /* V_C, the client's version string (CR and NL excluded) */
470 buf_putstring(ses
.kexhashbuf
, ses
.remoteident
, remote_ident_len
);
471 /* V_S, the server's version string (CR and NL excluded) */
472 buf_putstring(ses
.kexhashbuf
,
473 (unsigned char*)LOCAL_IDENT
, local_ident_len
);
475 /* I_C, the payload of the client's SSH_MSG_KEXINIT */
476 buf_setpos(ses
.payload
, 0);
477 buf_putstring(ses
.kexhashbuf
, ses
.payload
->data
, ses
.payload
->len
);
479 /* I_S, the payload of the server's SSH_MSG_KEXINIT */
480 buf_putstring(ses
.kexhashbuf
,
481 ses
.transkexinit
->data
, ses
.transkexinit
->len
);
483 ses
.requirenext
= SSH_MSG_KEXDH_INIT
;
486 buf_free(ses
.transkexinit
);
487 ses
.transkexinit
= NULL
;
488 /* the rest of ses.kexhashbuf will be done after DH exchange */
490 ses
.kexstate
.recvkexinit
= 1;
492 TRACE(("leave recv_msg_kexinit"))
495 /* Initialises and generate one side of the diffie-hellman key exchange values.
496 * See the ietf-secsh-transport draft, section 6, for details */
497 /* dh_pub and dh_priv MUST be already initialised */
498 void gen_kexdh_vals(mp_int
*dh_pub
, mp_int
*dh_priv
) {
504 TRACE(("enter send_msg_kexdh_reply"))
506 m_mp_init_multi(&dh_g
, &dh_p
, &dh_q
, NULL
);
508 /* read the prime and generator*/
509 bytes_to_mp(&dh_p
, (unsigned char*)dh_p_val
, DH_P_LEN
);
511 if (mp_set_int(&dh_g
, DH_G_VAL
) != MP_OKAY
) {
512 dropbear_exit("Diffie-Hellman error");
515 /* calculate q = (p-1)/2 */
516 /* dh_priv is just a temp var here */
517 if (mp_sub_d(&dh_p
, 1, dh_priv
) != MP_OKAY
) {
518 dropbear_exit("Diffie-Hellman error");
520 if (mp_div_2(dh_priv
, &dh_q
) != MP_OKAY
) {
521 dropbear_exit("Diffie-Hellman error");
524 /* Generate a private portion 0 < dh_priv < dh_q */
525 gen_random_mpint(&dh_q
, dh_priv
);
528 if (mp_exptmod(&dh_g
, dh_priv
, &dh_p
, dh_pub
) != MP_OKAY
) {
529 dropbear_exit("Diffie-Hellman error");
531 mp_clear_multi(&dh_g
, &dh_p
, &dh_q
, NULL
);
534 /* This function is fairly common between client/server, with some substitution
535 * of dh_e/dh_f etc. Hence these arguments:
536 * dh_pub_us is 'e' for the client, 'f' for the server. dh_pub_them is
537 * vice-versa. dh_priv is the x/y value corresponding to dh_pub_us */
538 void kexdh_comb_key(mp_int
*dh_pub_us
, mp_int
*dh_priv
, mp_int
*dh_pub_them
,
542 mp_int
*dh_e
= NULL
, *dh_f
= NULL
;
545 /* read the prime and generator*/
547 bytes_to_mp(&dh_p
, dh_p_val
, DH_P_LEN
);
549 /* Check that dh_pub_them (dh_e or dh_f) is in the range [1, p-1] */
550 if (mp_cmp(dh_pub_them
, &dh_p
) != MP_LT
551 || mp_cmp_d(dh_pub_them
, 0) != MP_GT
) {
552 dropbear_exit("Diffie-Hellman error");
555 /* K = e^y mod p = f^x mod p */
556 ses
.dh_K
= (mp_int
*)m_malloc(sizeof(mp_int
));
558 if (mp_exptmod(dh_pub_them
, dh_priv
, &dh_p
, ses
.dh_K
) != MP_OKAY
) {
559 dropbear_exit("Diffie-Hellman error");
562 /* clear no longer needed vars */
563 mp_clear_multi(&dh_p
, NULL
);
565 /* From here on, the code needs to work with the _same_ vars on each side,
566 * not vice-versaing for client/server */
567 if (IS_DROPBEAR_CLIENT
) {
575 /* Create the remainder of the hash buffer, to generate the exchange hash */
576 /* K_S, the host key */
577 buf_put_pub_key(ses
.kexhashbuf
, hostkey
, ses
.newkeys
->algo_hostkey
);
578 /* e, exchange value sent by the client */
579 buf_putmpint(ses
.kexhashbuf
, dh_e
);
580 /* f, exchange value sent by the server */
581 buf_putmpint(ses
.kexhashbuf
, dh_f
);
582 /* K, the shared secret */
583 buf_putmpint(ses
.kexhashbuf
, ses
.dh_K
);
585 /* calculate the hash H to sign */
587 buf_setpos(ses
.kexhashbuf
, 0);
588 sha1_process(&hs
, buf_getptr(ses
.kexhashbuf
, ses
.kexhashbuf
->len
),
589 ses
.kexhashbuf
->len
);
590 sha1_done(&hs
, ses
.hash
);
592 buf_burn(ses
.kexhashbuf
);
593 buf_free(ses
.kexhashbuf
);
594 ses
.kexhashbuf
= NULL
;
596 /* first time around, we set the session_id to H */
597 if (ses
.session_id
== NULL
) {
598 /* create the session_id, this never needs freeing */
599 ses
.session_id
= (unsigned char*)m_malloc(SHA1_HASH_SIZE
);
600 memcpy(ses
.session_id
, ses
.hash
, SHA1_HASH_SIZE
);
604 /* read the other side's algo list. buf_match_algo is a callback to match
605 * algos for the client or server. */
606 static void read_kex_algos() {
609 algo_type
* c2s_hash_algo
= NULL
;
610 algo_type
* s2c_hash_algo
= NULL
;
611 algo_type
* c2s_cipher_algo
= NULL
;
612 algo_type
* s2c_cipher_algo
= NULL
;
613 algo_type
* c2s_comp_algo
= NULL
;
614 algo_type
* s2c_comp_algo
= NULL
;
615 /* the generic one */
616 algo_type
* algo
= NULL
;
618 /* which algo couldn't match */
619 char * erralgo
= NULL
;
622 int allgood
= 1; /* we AND this with each goodguess and see if its still
625 buf_incrpos(ses
.payload
, 16); /* start after the cookie */
627 ses
.newkeys
= (struct key_context
*)m_malloc(sizeof(struct key_context
));
630 algo
= ses
.buf_match_algo(ses
.payload
, sshkex
, &goodguess
);
631 allgood
&= goodguess
;
636 TRACE(("kex algo %s", algo
->name
))
637 ses
.newkeys
->algo_kex
= algo
->val
;
639 /* server_host_key_algorithms */
640 algo
= ses
.buf_match_algo(ses
.payload
, sshhostkey
, &goodguess
);
641 allgood
&= goodguess
;
646 TRACE(("hostkey algo %s", algo
->name
))
647 ses
.newkeys
->algo_hostkey
= algo
->val
;
649 /* encryption_algorithms_client_to_server */
650 c2s_cipher_algo
= ses
.buf_match_algo(ses
.payload
, sshciphers
, &goodguess
);
651 if (c2s_cipher_algo
== NULL
) {
652 erralgo
= "enc c->s";
655 TRACE(("enc c2s is %s", c2s_cipher_algo
->name
))
657 /* encryption_algorithms_server_to_client */
658 s2c_cipher_algo
= ses
.buf_match_algo(ses
.payload
, sshciphers
, &goodguess
);
659 if (s2c_cipher_algo
== NULL
) {
660 erralgo
= "enc s->c";
663 TRACE(("enc s2c is %s", s2c_cipher_algo
->name
))
665 /* mac_algorithms_client_to_server */
666 c2s_hash_algo
= ses
.buf_match_algo(ses
.payload
, sshhashes
, &goodguess
);
667 if (c2s_hash_algo
== NULL
) {
668 erralgo
= "mac c->s";
671 TRACE(("hash c2s is %s", c2s_hash_algo
->name
))
673 /* mac_algorithms_server_to_client */
674 s2c_hash_algo
= ses
.buf_match_algo(ses
.payload
, sshhashes
, &goodguess
);
675 if (s2c_hash_algo
== NULL
) {
676 erralgo
= "mac s->c";
679 TRACE(("hash s2c is %s", s2c_hash_algo
->name
))
681 /* compression_algorithms_client_to_server */
682 c2s_comp_algo
= ses
.buf_match_algo(ses
.payload
, ses
.compress_algos
, &goodguess
);
683 if (c2s_comp_algo
== NULL
) {
684 erralgo
= "comp c->s";
687 TRACE(("hash c2s is %s", c2s_comp_algo
->name
))
689 /* compression_algorithms_server_to_client */
690 s2c_comp_algo
= ses
.buf_match_algo(ses
.payload
, ses
.compress_algos
, &goodguess
);
691 if (s2c_comp_algo
== NULL
) {
692 erralgo
= "comp s->c";
695 TRACE(("hash s2c is %s", s2c_comp_algo
->name
))
697 /* languages_client_to_server */
698 buf_eatstring(ses
.payload
);
700 /* languages_server_to_client */
701 buf_eatstring(ses
.payload
);
703 /* first_kex_packet_follows */
704 if (buf_getbool(ses
.payload
)) {
705 ses
.kexstate
.firstfollows
= 1;
706 /* if the guess wasn't good, we ignore the packet sent */
712 /* Handle the asymmetry */
713 if (IS_DROPBEAR_CLIENT
) {
714 ses
.newkeys
->recv
.algo_crypt
=
715 (struct dropbear_cipher
*)s2c_cipher_algo
->data
;
716 ses
.newkeys
->trans
.algo_crypt
=
717 (struct dropbear_cipher
*)c2s_cipher_algo
->data
;
718 ses
.newkeys
->recv
.crypt_mode
=
719 (struct dropbear_cipher_mode
*)s2c_cipher_algo
->mode
;
720 ses
.newkeys
->trans
.crypt_mode
=
721 (struct dropbear_cipher_mode
*)c2s_cipher_algo
->mode
;
722 ses
.newkeys
->recv
.algo_mac
=
723 (struct dropbear_hash
*)s2c_hash_algo
->data
;
724 ses
.newkeys
->trans
.algo_mac
=
725 (struct dropbear_hash
*)c2s_hash_algo
->data
;
726 ses
.newkeys
->recv
.algo_comp
= s2c_comp_algo
->val
;
727 ses
.newkeys
->trans
.algo_comp
= c2s_comp_algo
->val
;
730 ses
.newkeys
->recv
.algo_crypt
=
731 (struct dropbear_cipher
*)c2s_cipher_algo
->data
;
732 ses
.newkeys
->trans
.algo_crypt
=
733 (struct dropbear_cipher
*)s2c_cipher_algo
->data
;
734 ses
.newkeys
->recv
.crypt_mode
=
735 (struct dropbear_cipher_mode
*)c2s_cipher_algo
->mode
;
736 ses
.newkeys
->trans
.crypt_mode
=
737 (struct dropbear_cipher_mode
*)s2c_cipher_algo
->mode
;
738 ses
.newkeys
->recv
.algo_mac
=
739 (struct dropbear_hash
*)c2s_hash_algo
->data
;
740 ses
.newkeys
->trans
.algo_mac
=
741 (struct dropbear_hash
*)s2c_hash_algo
->data
;
742 ses
.newkeys
->recv
.algo_comp
= c2s_comp_algo
->val
;
743 ses
.newkeys
->trans
.algo_comp
= s2c_comp_algo
->val
;
746 /* reserved for future extensions */
747 buf_getint(ses
.payload
);
751 dropbear_exit("no matching algo %s", erralgo
);