int ssh_hashbufin_add_cookie(ssh_session session, unsigned char *cookie) { int rc; session->in_hashbuf = ssh_buffer_new(); if (session->in_hashbuf == NULL) { return -1; } rc = ssh_buffer_allocate_size(session->in_hashbuf, sizeof(uint8_t) + 20 + 16); if (rc < 0) { ssh_buffer_reinit(session->in_hashbuf); return -1; } if (ssh_buffer_add_u8(session->in_hashbuf, 20) < 0) { ssh_buffer_reinit(session->in_hashbuf); return -1; } if (ssh_buffer_add_data(session->in_hashbuf,cookie, 16) < 0) { ssh_buffer_reinit(session->in_hashbuf); return -1; } return 0; }
int ssh_auth_reply_success(ssh_session session, int partial) { int r; if (session == NULL) { return SSH_ERROR; } if (partial) { return ssh_auth_reply_default(session, partial); } session->session_state = SSH_SESSION_STATE_AUTHENTICATED; session->flags |= SSH_SESSION_FLAG_AUTHENTICATED; if (ssh_buffer_add_u8(session->out_buffer,SSH2_MSG_USERAUTH_SUCCESS) < 0) { return SSH_ERROR; } r = ssh_packet_send(session); if(session->current_crypto && session->current_crypto->delayed_compress_out){ SSH_LOG(SSH_LOG_PROTOCOL,"Enabling delayed compression OUT"); session->current_crypto->do_compress_out=1; } if(session->current_crypto && session->current_crypto->delayed_compress_in){ SSH_LOG(SSH_LOG_PROTOCOL,"Enabling delayed compression IN"); session->current_crypto->do_compress_in=1; } return r; }
int ssh_message_global_request_reply_success(ssh_message msg, uint16_t bound_port) { int rc; SSH_LOG(SSH_LOG_FUNCTIONS, "Accepting a global request"); if (msg->global_request.want_reply) { if (ssh_buffer_add_u8(msg->session->out_buffer , SSH2_MSG_REQUEST_SUCCESS) < 0) { goto error; } if(msg->global_request.type == SSH_GLOBAL_REQUEST_TCPIP_FORWARD && msg->global_request.bind_port == 0) { rc = ssh_buffer_pack(msg->session->out_buffer, "d", bound_port); if (rc != SSH_OK) { ssh_set_error_oom(msg->session); goto error; } } return ssh_packet_send(msg->session); } if(msg->global_request.type == SSH_GLOBAL_REQUEST_TCPIP_FORWARD && msg->global_request.bind_port == 0) { SSH_LOG(SSH_LOG_PACKET, "The client doesn't want to know the remote port!"); } return SSH_OK; error: return SSH_ERROR; }
/** @internal * @brief Starts ecdh-sha2-nistp256 key exchange */ int ssh_client_ecdh_init(ssh_session session){ EC_KEY *key; const EC_GROUP *group; const EC_POINT *pubkey; ssh_string client_pubkey; int len; int rc; bignum_CTX ctx = BN_CTX_new(); rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT); if (rc < 0) { BN_CTX_free(ctx); return SSH_ERROR; } key = EC_KEY_new_by_curve_name(NISTP256); if (key == NULL) { BN_CTX_free(ctx); return SSH_ERROR; } group = EC_KEY_get0_group(key); EC_KEY_generate_key(key); pubkey=EC_KEY_get0_public_key(key); len = EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED, NULL,0,ctx); client_pubkey = ssh_string_new(len); if (client_pubkey == NULL) { BN_CTX_free(ctx); EC_KEY_free(key); return SSH_ERROR; } EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED, ssh_string_data(client_pubkey),len,ctx); BN_CTX_free(ctx); rc = ssh_buffer_add_ssh_string(session->out_buffer,client_pubkey); if (rc < 0) { EC_KEY_free(key); ssh_string_free(client_pubkey); return SSH_ERROR; } session->next_crypto->ecdh_privkey = key; session->next_crypto->ecdh_client_pubkey = client_pubkey; rc = ssh_packet_send(session); return rc; }
/** @internal * @brief sends a SSH_MSG_USERAUTH_GSSAPI_RESPONSE packet * @param[in] oid the OID that was selected for authentication */ static int ssh_gssapi_send_response(ssh_session session, ssh_string oid){ if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_USERAUTH_GSSAPI_RESPONSE) < 0 || ssh_buffer_add_ssh_string(session->out_buffer,oid) < 0) { ssh_set_error_oom(session); return SSH_ERROR; } session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN; ssh_packet_send(session); SSH_LOG(SSH_LOG_PACKET, "Sent SSH_MSG_USERAUTH_GSSAPI_RESPONSE"); return SSH_OK; }
static int ssh_message_global_request_reply_default(ssh_message msg) { SSH_LOG(SSH_LOG_FUNCTIONS, "Refusing a global request"); if (msg->global_request.want_reply) { if (ssh_buffer_add_u8(msg->session->out_buffer , SSH2_MSG_REQUEST_FAILURE) < 0) { goto error; } return ssh_packet_send(msg->session); } SSH_LOG(SSH_LOG_PACKET, "The client doesn't want to know the request failed!"); return SSH_OK; error: return SSH_ERROR; }
/** @internal * @brief parses a SSH_MSG_KEX_ECDH_REPLY packet and sends back * a SSH_MSG_NEWKEYS */ int ssh_client_ecdh_reply(ssh_session session, ssh_buffer packet){ ssh_string q_s_string = NULL; ssh_string pubkey = NULL; ssh_string signature = NULL; int rc; pubkey = ssh_buffer_get_ssh_string(packet); if (pubkey == NULL){ ssh_set_error(session,SSH_FATAL, "No public key in packet"); goto error; } ecdh_import_pubkey(session, pubkey); q_s_string = ssh_buffer_get_ssh_string(packet); if (q_s_string == NULL) { ssh_set_error(session,SSH_FATAL, "No Q_S ECC point in packet"); goto error; } session->next_crypto->ecdh_server_pubkey = q_s_string; signature = ssh_buffer_get_ssh_string(packet); if (signature == NULL) { ssh_set_error(session, SSH_FATAL, "No signature in packet"); goto error; } session->next_crypto->dh_server_signature = signature; signature=NULL; /* ownership changed */ /* TODO: verify signature now instead of waiting for NEWKEYS */ if (ecdh_build_k(session) < 0) { ssh_set_error(session, SSH_FATAL, "Cannot build k number"); goto error; } /* Send the MSG_NEWKEYS */ if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) { goto error; } rc=ssh_packet_send(session); SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent"); return rc; error: return SSH_ERROR; }
int ssh_auth_reply_success(ssh_session session, int partial) { struct ssh_crypto_struct *crypto = NULL; int r; if (session == NULL) { return SSH_ERROR; } if (partial) { return ssh_auth_reply_default(session, partial); } r = ssh_buffer_add_u8(session->out_buffer,SSH2_MSG_USERAUTH_SUCCESS); if (r < 0) { return SSH_ERROR; } r = ssh_packet_send(session); /* * Consider the session as having been authenticated only after sending * the USERAUTH_SUCCESS message. Setting these flags after ssh_packet_send * ensures that a rekey is not triggered prematurely, causing the message * to be queued. */ session->session_state = SSH_SESSION_STATE_AUTHENTICATED; session->flags |= SSH_SESSION_FLAG_AUTHENTICATED; crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_OUT); if (crypto != NULL && crypto->delayed_compress_out) { SSH_LOG(SSH_LOG_PROTOCOL, "Enabling delayed compression OUT"); crypto->do_compress_out = 1; } crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN); if (crypto != NULL && crypto->delayed_compress_in) { SSH_LOG(SSH_LOG_PROTOCOL, "Enabling delayed compression IN"); crypto->do_compress_in = 1; } return r; }
int ssh_hashbufout_add_cookie(ssh_session session) { int rc; session->out_hashbuf = ssh_buffer_new(); if (session->out_hashbuf == NULL) { return -1; } rc = ssh_buffer_allocate_size(session->out_hashbuf, sizeof(uint8_t) + 16); if (rc < 0) { ssh_buffer_reinit(session->out_hashbuf); return -1; } if (ssh_buffer_add_u8(session->out_hashbuf, 20) < 0) { ssh_buffer_reinit(session->out_hashbuf); return -1; } if (session->server) { if (ssh_buffer_add_data(session->out_hashbuf, session->next_crypto->server_kex.cookie, 16) < 0) { ssh_buffer_reinit(session->out_hashbuf); return -1; } } else { if (ssh_buffer_add_data(session->out_hashbuf, session->next_crypto->client_kex.cookie, 16) < 0) { ssh_buffer_reinit(session->out_hashbuf); return -1; } } return 0; }
int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){ /* ECDH keys */ ssh_string q_c_string; ssh_string q_s_string; EC_KEY *ecdh_key; const EC_GROUP *group; const EC_POINT *ecdh_pubkey; bignum_CTX ctx; /* SSH host keys (rsa,dsa,ecdsa) */ ssh_key privkey; ssh_string sig_blob = NULL; int len; int rc; /* Extract the client pubkey from the init packet */ q_c_string = ssh_buffer_get_ssh_string(packet); if (q_c_string == NULL) { ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet"); return SSH_ERROR; } session->next_crypto->ecdh_client_pubkey = q_c_string; /* Build server's keypair */ ctx = BN_CTX_new(); ecdh_key = EC_KEY_new_by_curve_name(NISTP256); if (ecdh_key == NULL) { ssh_set_error_oom(session); BN_CTX_free(ctx); return SSH_ERROR; } group = EC_KEY_get0_group(ecdh_key); EC_KEY_generate_key(ecdh_key); ecdh_pubkey = EC_KEY_get0_public_key(ecdh_key); len = EC_POINT_point2oct(group, ecdh_pubkey, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, ctx); q_s_string = ssh_string_new(len); if (q_s_string == NULL) { EC_KEY_free(ecdh_key); BN_CTX_free(ctx); return SSH_ERROR; } EC_POINT_point2oct(group, ecdh_pubkey, POINT_CONVERSION_UNCOMPRESSED, ssh_string_data(q_s_string), len, ctx); BN_CTX_free(ctx); session->next_crypto->ecdh_privkey = ecdh_key; session->next_crypto->ecdh_server_pubkey = q_s_string; /* build k and session_id */ rc = ecdh_build_k(session); if (rc < 0) { ssh_set_error(session, SSH_FATAL, "Cannot build k number"); return SSH_ERROR; } /* privkey is not allocated */ rc = ssh_get_key_params(session, &privkey); if (rc == SSH_ERROR) { return SSH_ERROR; } rc = ssh_make_sessionid(session); if (rc != SSH_OK) { ssh_set_error(session, SSH_FATAL, "Could not create a session id"); return SSH_ERROR; } sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey); if (sig_blob == NULL) { ssh_set_error(session, SSH_FATAL, "Could not sign the session id"); return SSH_ERROR; } rc = ssh_buffer_pack(session->out_buffer, "bSSS", SSH2_MSG_KEXDH_REPLY, session->next_crypto->server_pubkey, /* host's pubkey */ q_s_string, /* ecdh public key */ sig_blob); /* signature blob */ ssh_string_free(sig_blob); if (rc != SSH_OK) { ssh_set_error_oom(session); return SSH_ERROR; } SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent"); rc = ssh_packet_send(session); if (rc == SSH_ERROR) { return SSH_ERROR; } /* Send the MSG_NEWKEYS */ rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS); if (rc < 0) { return SSH_ERROR;; } session->dh_handshake_state = DH_STATE_NEWKEYS_SENT; rc = ssh_packet_send(session); SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent"); return rc; }
static int dh_handshake_server(ssh_session session) { ssh_key privkey; ssh_string sig_blob; ssh_string f; ssh_string pubkey_blob = NULL; int rc; if (ssh_dh_generate_y(session) < 0) { ssh_set_error(session, SSH_FATAL, "Could not create y number"); return -1; } if (ssh_dh_generate_f(session) < 0) { ssh_set_error(session, SSH_FATAL, "Could not create f number"); return -1; } f = ssh_dh_get_f(session); if (f == NULL) { ssh_set_error(session, SSH_FATAL, "Could not get the f number"); return -1; } if (ssh_get_key_params(session,&privkey) != SSH_OK){ ssh_string_free(f); return -1; } if (ssh_dh_build_k(session) < 0) { ssh_set_error(session, SSH_FATAL, "Could not import the public key"); ssh_string_free(f); return -1; } if (ssh_make_sessionid(session) != SSH_OK) { ssh_set_error(session, SSH_FATAL, "Could not create a session id"); ssh_string_free(f); return -1; } sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey); if (sig_blob == NULL) { ssh_set_error(session, SSH_FATAL, "Could not sign the session id"); ssh_string_free(f); return -1; } rc = ssh_dh_get_next_server_publickey_blob(session, &pubkey_blob); if (rc != SSH_OK) { ssh_set_error_oom(session); ssh_string_free(f); ssh_string_free(sig_blob); return -1; } rc = ssh_buffer_pack(session->out_buffer, "bSSS", SSH2_MSG_KEXDH_REPLY, pubkey_blob, f, sig_blob); ssh_string_free(f); ssh_string_free(sig_blob); ssh_string_free(pubkey_blob); if(rc != SSH_OK){ ssh_set_error_oom(session); ssh_buffer_reinit(session->out_buffer); return -1; } if (ssh_packet_send(session) == SSH_ERROR) { return -1; } if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) { ssh_buffer_reinit(session->out_buffer); return -1; } if (ssh_packet_send(session) == SSH_ERROR) { return -1; } SSH_LOG(SSH_LOG_PACKET, "SSH_MSG_NEWKEYS sent"); session->dh_handshake_state=DH_STATE_NEWKEYS_SENT; return 0; }
static int send_username(ssh_session session, const char *username) { ssh_string user = NULL; int rc; /* returns SSH_AUTH_SUCCESS or SSH_AUTH_DENIED */ if(session->auth_service_state == SSH_AUTH_SERVICE_USER_SENT) { if(session->auth_state == SSH_AUTH_STATE_FAILED) return SSH_AUTH_DENIED; if(session->auth_state == SSH_AUTH_STATE_SUCCESS) return SSH_AUTH_SUCCESS; return SSH_AUTH_ERROR; } if (session->auth_service_state == SSH_AUTH_SERVICE_SENT) goto pending; if (!username) { if(!(username = session->opts.username)) { if (ssh_options_set(session, SSH_OPTIONS_USER, NULL) < 0) { session->auth_service_state = SSH_AUTH_SERVICE_DENIED; return SSH_ERROR; } else { username = session->opts.username; } } } user = ssh_string_from_char(username); if (user == NULL) { return SSH_AUTH_ERROR; } if (ssh_buffer_add_u8(session->out_buffer, SSH_CMSG_USER) < 0) { ssh_string_free(user); return SSH_AUTH_ERROR; } if (ssh_buffer_add_ssh_string(session->out_buffer, user) < 0) { ssh_string_free(user); return SSH_AUTH_ERROR; } ssh_string_free(user); session->auth_state=SSH_AUTH_STATE_NONE; session->auth_service_state = SSH_AUTH_SERVICE_SENT; if (ssh_packet_send(session) == SSH_ERROR) { return SSH_AUTH_ERROR; } pending: rc = wait_auth1_status(session); switch (rc){ case SSH_AUTH_SUCCESS: session->auth_service_state=SSH_AUTH_SERVICE_USER_SENT; session->auth_state=SSH_AUTH_STATE_SUCCESS; ssh_set_error(session, SSH_NO_ERROR, "Authentication successful"); return SSH_AUTH_SUCCESS; case SSH_AUTH_DENIED: session->auth_service_state=SSH_AUTH_SERVICE_USER_SENT; ssh_set_error(session,SSH_REQUEST_DENIED,"Password authentication necessary for user %s",username); return SSH_AUTH_DENIED; case SSH_AUTH_AGAIN: return SSH_AUTH_AGAIN; default: session->auth_service_state = SSH_AUTH_SERVICE_NONE; session->auth_state=SSH_AUTH_STATE_ERROR; return SSH_AUTH_ERROR; } }
int ssh_userauth1_password(ssh_session session, const char *username, const char *password) { ssh_string pwd = NULL; int rc; rc = send_username(session, username); if (rc != SSH_AUTH_DENIED) { return rc; } if (session->pending_call_state == SSH_PENDING_CALL_AUTH_PASSWORD) goto pending; /* we trick a bit here. A known flaw in SSH1 protocol is that it's * easy to guess password sizes. * not that sure ... */ /* XXX fix me here ! */ /* cisco IOS doesn't like when a password is followed by zeroes and random pad. */ if(1 || strlen(password) >= 128) { /* not risky to disclose the size of such a big password .. */ pwd = ssh_string_from_char(password); if (pwd == NULL) { return SSH_AUTH_ERROR; } } else { char buf[128] = {0}; /* fill the password string from random things. the strcpy * ensure there is at least a nul byte after the password. * most implementation won't see the garbage at end. * why garbage ? because nul bytes will be compressed by * gzip and disclose password len. */ pwd = ssh_string_new(sizeof(buf)); if (pwd == NULL) { return SSH_AUTH_ERROR; } ssh_get_random(buf, sizeof(buf), 0); strcpy(buf, password); ssh_string_fill(pwd, buf, sizeof(buf)); } if (ssh_buffer_add_u8(session->out_buffer, SSH_CMSG_AUTH_PASSWORD) < 0) { ssh_string_burn(pwd); ssh_string_free(pwd); return SSH_AUTH_ERROR; } if (ssh_buffer_add_ssh_string(session->out_buffer, pwd) < 0) { ssh_string_burn(pwd); ssh_string_free(pwd); return SSH_AUTH_ERROR; } ssh_string_burn(pwd); ssh_string_free(pwd); session->auth_state=SSH_AUTH_STATE_NONE; session->pending_call_state = SSH_PENDING_CALL_AUTH_PASSWORD; if (ssh_packet_send(session) == SSH_ERROR) { return SSH_AUTH_ERROR; } pending: rc = wait_auth1_status(session); if (rc != SSH_AUTH_AGAIN) session->pending_call_state = SSH_PENDING_CALL_NONE; return rc; }
int ssh_make_sessionid(ssh_session session) { ssh_string num = NULL; ssh_buffer server_hash = NULL; ssh_buffer client_hash = NULL; ssh_buffer buf = NULL; ssh_string server_pubkey_blob = NULL; const_bignum client_pubkey, server_pubkey; #ifdef WITH_GEX const_bignum modulus, generator; #endif int rc = SSH_ERROR; buf = ssh_buffer_new(); if (buf == NULL) { return rc; } rc = ssh_buffer_pack(buf, "ss", session->clientbanner, session->serverbanner); if (rc == SSH_ERROR) { goto error; } if (session->client) { server_hash = session->in_hashbuf; client_hash = session->out_hashbuf; } else { server_hash = session->out_hashbuf; client_hash = session->in_hashbuf; } /* * Handle the two final fields for the KEXINIT message (RFC 4253 7.1): * * boolean first_kex_packet_follows * uint32 0 (reserved for future extension) */ rc = ssh_buffer_add_u8(server_hash, 0); if (rc < 0) { goto error; } rc = ssh_buffer_add_u32(server_hash, 0); if (rc < 0) { goto error; } /* These fields are handled for the server case in ssh_packet_kexinit. */ if (session->client) { rc = ssh_buffer_add_u8(client_hash, 0); if (rc < 0) { goto error; } rc = ssh_buffer_add_u32(client_hash, 0); if (rc < 0) { goto error; } } rc = ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob); if (rc != SSH_OK) { goto error; } rc = ssh_buffer_pack(buf, "dPdPS", ssh_buffer_get_len(client_hash), ssh_buffer_get_len(client_hash), ssh_buffer_get(client_hash), ssh_buffer_get_len(server_hash), ssh_buffer_get_len(server_hash), ssh_buffer_get(server_hash), server_pubkey_blob); ssh_string_free(server_pubkey_blob); if(rc != SSH_OK){ goto error; } switch(session->next_crypto->kex_type) { case SSH_KEX_DH_GROUP1_SHA1: case SSH_KEX_DH_GROUP14_SHA1: case SSH_KEX_DH_GROUP16_SHA512: case SSH_KEX_DH_GROUP18_SHA512: rc = ssh_dh_keypair_get_keys(session->next_crypto->dh_ctx, DH_CLIENT_KEYPAIR, NULL, &client_pubkey); if (rc != SSH_OK) { goto error; } rc = ssh_dh_keypair_get_keys(session->next_crypto->dh_ctx, DH_SERVER_KEYPAIR, NULL, &server_pubkey); if (rc != SSH_OK) { goto error; } rc = ssh_buffer_pack(buf, "BB", client_pubkey, server_pubkey); if (rc != SSH_OK) { goto error; } break; #ifdef WITH_GEX case SSH_KEX_DH_GEX_SHA1: case SSH_KEX_DH_GEX_SHA256: rc = ssh_dh_keypair_get_keys(session->next_crypto->dh_ctx, DH_CLIENT_KEYPAIR, NULL, &client_pubkey); if (rc != SSH_OK) { goto error; } rc = ssh_dh_keypair_get_keys(session->next_crypto->dh_ctx, DH_SERVER_KEYPAIR, NULL, &server_pubkey); if (rc != SSH_OK) { goto error; } rc = ssh_dh_get_parameters(session->next_crypto->dh_ctx, &modulus, &generator); if (rc != SSH_OK) { goto error; } rc = ssh_buffer_pack(buf, "dddBBBB", session->next_crypto->dh_pmin, session->next_crypto->dh_pn, session->next_crypto->dh_pmax, modulus, generator, client_pubkey, server_pubkey); if (rc != SSH_OK) { goto error; } break; #endif /* WITH_GEX */ #ifdef HAVE_ECDH case SSH_KEX_ECDH_SHA2_NISTP256: case SSH_KEX_ECDH_SHA2_NISTP384: case SSH_KEX_ECDH_SHA2_NISTP521: if (session->next_crypto->ecdh_client_pubkey == NULL || session->next_crypto->ecdh_server_pubkey == NULL) { SSH_LOG(SSH_LOG_WARNING, "ECDH parameted missing"); goto error; } rc = ssh_buffer_pack(buf, "SS", session->next_crypto->ecdh_client_pubkey, session->next_crypto->ecdh_server_pubkey); if (rc != SSH_OK) { goto error; } break; #endif #ifdef HAVE_CURVE25519 case SSH_KEX_CURVE25519_SHA256: case SSH_KEX_CURVE25519_SHA256_LIBSSH_ORG: rc = ssh_buffer_pack(buf, "dPdP", CURVE25519_PUBKEY_SIZE, (size_t)CURVE25519_PUBKEY_SIZE, session->next_crypto->curve25519_client_pubkey, CURVE25519_PUBKEY_SIZE, (size_t)CURVE25519_PUBKEY_SIZE, session->next_crypto->curve25519_server_pubkey); if (rc != SSH_OK) { goto error; } break; #endif } rc = ssh_buffer_pack(buf, "B", session->next_crypto->shared_secret); if (rc != SSH_OK) { goto error; } #ifdef DEBUG_CRYPTO ssh_print_hexa("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf)); #endif switch (session->next_crypto->kex_type) { case SSH_KEX_DH_GROUP1_SHA1: case SSH_KEX_DH_GROUP14_SHA1: #ifdef WITH_GEX case SSH_KEX_DH_GEX_SHA1: #endif /* WITH_GEX */ session->next_crypto->digest_len = SHA_DIGEST_LENGTH; session->next_crypto->digest_type = SSH_KDF_SHA1; session->next_crypto->secret_hash = malloc(session->next_crypto->digest_len); if (session->next_crypto->secret_hash == NULL) { ssh_set_error_oom(session); goto error; } sha1(ssh_buffer_get(buf), ssh_buffer_get_len(buf), session->next_crypto->secret_hash); break; case SSH_KEX_ECDH_SHA2_NISTP256: case SSH_KEX_CURVE25519_SHA256: case SSH_KEX_CURVE25519_SHA256_LIBSSH_ORG: #ifdef WITH_GEX case SSH_KEX_DH_GEX_SHA256: #endif /* WITH_GEX */ session->next_crypto->digest_len = SHA256_DIGEST_LENGTH; session->next_crypto->digest_type = SSH_KDF_SHA256; session->next_crypto->secret_hash = malloc(session->next_crypto->digest_len); if (session->next_crypto->secret_hash == NULL) { ssh_set_error_oom(session); goto error; } sha256(ssh_buffer_get(buf), ssh_buffer_get_len(buf), session->next_crypto->secret_hash); break; case SSH_KEX_ECDH_SHA2_NISTP384: session->next_crypto->digest_len = SHA384_DIGEST_LENGTH; session->next_crypto->digest_type = SSH_KDF_SHA384; session->next_crypto->secret_hash = malloc(session->next_crypto->digest_len); if (session->next_crypto->secret_hash == NULL) { ssh_set_error_oom(session); goto error; } sha384(ssh_buffer_get(buf), ssh_buffer_get_len(buf), session->next_crypto->secret_hash); break; case SSH_KEX_DH_GROUP16_SHA512: case SSH_KEX_DH_GROUP18_SHA512: case SSH_KEX_ECDH_SHA2_NISTP521: session->next_crypto->digest_len = SHA512_DIGEST_LENGTH; session->next_crypto->digest_type = SSH_KDF_SHA512; session->next_crypto->secret_hash = malloc(session->next_crypto->digest_len); if (session->next_crypto->secret_hash == NULL) { ssh_set_error_oom(session); goto error; } sha512(ssh_buffer_get(buf), ssh_buffer_get_len(buf), session->next_crypto->secret_hash); break; } /* During the first kex, secret hash and session ID are equal. However, after * a key re-exchange, a new secret hash is calculated. This hash will not replace * but complement existing session id. */ if (!session->next_crypto->session_id) { session->next_crypto->session_id = malloc(session->next_crypto->digest_len); if (session->next_crypto->session_id == NULL) { ssh_set_error_oom(session); goto error; } memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash, session->next_crypto->digest_len); } #ifdef DEBUG_CRYPTO printf("Session hash: \n"); ssh_print_hexa("secret hash", session->next_crypto->secret_hash, session->next_crypto->digest_len); ssh_print_hexa("session id", session->next_crypto->session_id, session->next_crypto->digest_len); #endif rc = SSH_OK; error: ssh_buffer_free(buf); ssh_buffer_free(client_hash); ssh_buffer_free(server_hash); session->in_hashbuf = NULL; session->out_hashbuf = NULL; ssh_string_free(num); return rc; }