#include #include #include #include #include #include #include <9p.h> #include #include #include #include "netssh.h" #undef VERIFYKEYS /* TODO until it's fixed */ enum { Errnokey = -2, /* no key on keyring */ Errnoverify, /* factotum found a key, but verification failed */ Errfactotum, /* factotum failure (e.g., no key) */ Errnone, /* key verified */ }; static int dh_server(Conn *, Packet *, mpint *, int); static void genkeys(Conn *, uchar [], mpint *); /* * Second Oakley Group from RFC 2409 */ static char *group1p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" "FFFFFFFFFFFFFFFF"; /* * 2048-bit MODP group (id 14) from RFC 3526 */ static char *group14p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" "83655D23DCA3AD961C62F356208552BB9ED529077096966D" "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" "15728E5A8AACAA68FFFFFFFFFFFFFFFF"; mpint *two, *p1, *p14; int nokeyverify; static DSApriv mydsskey; static RSApriv myrsakey; void dh_init(PKA *pkas[]) { char *buf, *p, *st, *end; int fd, n, k; if(debug > 1) sshdebug(nil, "dh_init"); k = 0; pkas[k] = nil; fmtinstall('M', mpfmt); two = strtomp("2", nil, 10, nil); p1 = strtomp(group1p, nil, 16, nil); p14 = strtomp(group14p, nil, 16, nil); /* * this really should be done through factotum */ p = getenv("rsakey"); if (p != nil) { remove("/env/rsakey"); st = buf = p; end = buf + strlen(p); } else { /* * it would be better to use bio and rdline here instead of * reading all of factotum's contents into memory at once. */ buf = emalloc9p(Maxfactotum); fd = open("rsakey", OREAD); if (fd < 0 && (fd = open("/mnt/factotum/ctl", OREAD)) < 0) goto norsa; n = readn(fd, buf, Maxfactotum - 1); buf[n >= 0? n: 0] = 0; close(fd); assert(n < Maxfactotum - 1); st = strstr(buf, "proto=rsa"); if (st == nil) { sshlog(nil, "no proto=rsa key in factotum"); goto norsa; } end = st; for (; st > buf && *st != '\n'; --st) ; for (; end < buf + Maxfactotum && *end != '\n'; ++end) ; } p = strstr(st, " n="); if (p == nil || p > end) { sshlog(nil, "no key (n) found"); free(buf); return; } myrsakey.pub.n = strtomp(p+3, nil, 16, nil); if (debug > 1) sshdebug(nil, "n=%M", myrsakey.pub.n); p = strstr(st, " ek="); if (p == nil || p > end) { sshlog(nil, "no key (ek) found"); free(buf); return; } pkas[k++] = &rsa_pka; pkas[k] = nil; myrsakey.pub.ek = strtomp(p+4, nil, 16, nil); if (debug > 1) sshdebug(nil, "ek=%M", myrsakey.pub.ek); p = strstr(st, " !dk="); if (p == nil) { p = strstr(st, "!dk?"); if (p == nil || p > end) { // sshlog(nil, "no key (dk) found"); free(buf); return; } goto norsa; } myrsakey.dk = strtomp(p+5, nil, 16, nil); if (debug > 1) sshdebug(nil, "dk=%M", myrsakey.dk); norsa: free(buf); p = getenv("dsskey"); if (p != nil) { remove("/env/dsskey"); buf = p; end = buf + strlen(p); } else { /* * it would be better to use bio and rdline here instead of * reading all of factotum's contents into memory at once. */ buf = emalloc9p(Maxfactotum); fd = open("dsskey", OREAD); if (fd < 0 && (fd = open("/mnt/factotum/ctl", OREAD)) < 0) return; n = readn(fd, buf, Maxfactotum - 1); buf[n >= 0? n: 0] = 0; close(fd); assert(n < Maxfactotum - 1); st = strstr(buf, "proto=dsa"); if (st == nil) { sshlog(nil, "no proto=dsa key in factotum"); free(buf); return; } end = st; for (; st > buf && *st != '\n'; --st) ; for (; end < buf + Maxfactotum && *end != '\n'; ++end) ; } p = strstr(buf, " p="); if (p == nil || p > end) { sshlog(nil, "no key (p) found"); free(buf); return; } mydsskey.pub.p = strtomp(p+3, nil, 16, nil); p = strstr(buf, " q="); if (p == nil || p > end) { sshlog(nil, "no key (q) found"); free(buf); return; } mydsskey.pub.q = strtomp(p+3, nil, 16, nil); p = strstr(buf, " alpha="); if (p == nil || p > end) { sshlog(nil, "no key (g) found"); free(buf); return; } mydsskey.pub.alpha = strtomp(p+7, nil, 16, nil); p = strstr(buf, " key="); if (p == nil || p > end) { sshlog(nil, "no key (y) found"); free(buf); return; } mydsskey.pub.key = strtomp(p+5, nil, 16, nil); pkas[k++] = &dss_pka; pkas[k] = nil; p = strstr(buf, " !secret="); if (p == nil) { p = strstr(buf, "!secret?"); if (p == nil || p > end) sshlog(nil, "no key (x) found"); free(buf); return; } mydsskey.secret = strtomp(p+9, nil, 16, nil); free(buf); } static Packet * rsa_ks(Conn *c) { Packet *ks; if (myrsakey.pub.ek == nil || myrsakey.pub.n == nil) { sshlog(c, "no public RSA key info"); return nil; } ks = new_packet(c); add_string(ks, "ssh-rsa"); add_mp(ks, myrsakey.pub.ek); add_mp(ks, myrsakey.pub.n); return ks; } static void esma_encode(uchar *h, uchar *em, int nb) { int n, i; uchar hh[SHA1dlen]; static uchar sha1der[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, }; sha1(h, SHA1dlen, hh, nil); n = nb - (nelem(sha1der) + SHA1dlen) - 3; i = 0; em[i++] = 0; em[i++] = 1; memset(em + i, 0xff, n); i += n; em[i++] = 0; memmove(em + i, sha1der, sizeof sha1der); i += sizeof sha1der; memmove(em + i, hh, SHA1dlen); } static Packet * rsa_sign(Conn *c, uchar *m, int nm) { AuthRpc *ar; Packet *sig; mpint *s, *mm; int fd, n, nbit; uchar hh[SHA1dlen]; uchar *sstr, *em; if (myrsakey.dk) { nbit = mpsignif (myrsakey.pub.n); n = (nbit + 7) / 8; sstr = emalloc9p(n); em = emalloc9p(n); /* Compute s: RFC 3447 */ esma_encode(m, em, n); mm = betomp(em, n, nil); s = mpnew(nbit); mpexp(mm, myrsakey.dk, myrsakey.pub.n, s); mptobe(s, sstr, n, nil); mpfree(mm); mpfree(s); free(em); } else { fd = open("/mnt/factotum/rpc", ORDWR); if (fd < 0) return nil; sha1(m, nm, hh, nil); ar = auth_allocrpc(fd); if (ar == nil || auth_rpc(ar, "start", "role=sign proto=rsa", 19) != ARok || auth_rpc(ar, "write", hh, SHA1dlen) != ARok || auth_rpc(ar, "read", nil, 0) != ARok || ar->arg == nil) { sshdebug(c, "got error in factotum: %r"); auth_freerpc(ar); close(fd); return nil; } sstr = emalloc9p(ar->narg); memmove(sstr, ar->arg, ar->narg); n = ar->narg; auth_freerpc(ar); close(fd); } sig = new_packet(c); add_string(sig, pkas[c->pkalg]->name); add_block(sig, sstr, n); free(sstr); return sig; } /* * 0 - If factotum failed, e.g. no key * 1 - If key is verified * -1 - If factotum found a key, but the verification fails */ static int rsa_verify(Conn *c, uchar *m, int nm, char *user, char *sig, int) { int fd, n, retval, nbit; char *buf, *p, *sigblob; uchar *sstr, *em; uchar hh[SHA1dlen]; mpint *s, *mm, *rsa_exponent, *host_modulus; AuthRpc *ar; sshdebug(c, "in rsa_verify for connection: %d", c->id); SET(rsa_exponent, host_modulus); USED(rsa_exponent, host_modulus); if (0 && rsa_exponent) { nbit = mpsignif(host_modulus); n = (nbit + 7) / 8; em = emalloc9p(n); /* Compute s: RFC 3447 */ esma_encode(m, em, n); mm = betomp(em, n, nil); s = mpnew(1024); mpexp(mm, rsa_exponent, host_modulus, s); sstr = emalloc9p(n); mptobe(s, sstr, n, nil); free(em); mpfree(mm); mpfree(s); retval = memcmp(sig, sstr, n); free(sstr); retval = (retval == 0); } else { retval = 1; fd = open("/mnt/factotum/rpc", ORDWR); if (fd < 0) { sshdebug(c, "could not open factotum RPC: %r"); return 0; } buf = emalloc9p(Blobsz / 2); sigblob = emalloc9p(Blobsz); p = (char *)get_string(nil, (uchar *)sig, buf, Blobsz / 2, nil); get_string(nil, (uchar *)p, sigblob, Blobsz, &n); sha1(m, nm, hh, nil); if (user != nil) p = smprint("role=verify proto=rsa user=%s", user); else p = smprint("role=verify proto=rsa sys=%s", c->remote); ar = auth_allocrpc(fd); if (ar == nil || auth_rpc(ar, "start", p, strlen(p)) != ARok || auth_rpc(ar, "write", hh, SHA1dlen) != ARok || auth_rpc(ar, "write", sigblob, n) != ARok || auth_rpc(ar, "read", nil, 0) != ARok) { sshdebug(c, "got error in factotum: %r"); retval = 0; } else { sshdebug(c, "factotum returned %s", ar->ibuf); if (strstr(ar->ibuf, "does not verify") != nil) retval = -1; } if (ar != nil) auth_freerpc(ar); free(p); close(fd); free(sigblob); free(buf); } return retval; } static Packet * dss_ks(Conn *c) { Packet *ks; if (mydsskey.pub.p == nil) return nil; ks = new_packet(c); add_string(ks, "ssh-dss"); add_mp(ks, mydsskey.pub.p); add_mp(ks, mydsskey.pub.q); add_mp(ks, mydsskey.pub.alpha); add_mp(ks, mydsskey.pub.key); return ks; } static Packet * dss_sign(Conn *c, uchar *m, int nm) { AuthRpc *ar; DSAsig *s; Packet *sig; mpint *mm; int fd; uchar sstr[2*SHA1dlen]; sha1(m, nm, sstr, nil); sig = new_packet(c); add_string(sig, pkas[c->pkalg]->name); if (mydsskey.secret) { mm = betomp(sstr, SHA1dlen, nil); s = dsasign(&mydsskey, mm); mptobe(s->r, sstr, SHA1dlen, nil); mptobe(s->s, sstr+SHA1dlen, SHA1dlen, nil); dsasigfree(s); mpfree(mm); } else { fd = open("/mnt/factotum/rpc", ORDWR); if (fd < 0) return nil; ar = auth_allocrpc(fd); if (ar == nil || auth_rpc(ar, "start", "role=sign proto=dsa", 19) != ARok || auth_rpc(ar, "write", sstr, SHA1dlen) != ARok || auth_rpc(ar, "read", nil, 0) != ARok) { sshdebug(c, "got error in factotum: %r"); auth_freerpc(ar); close(fd); return nil; } memmove(sstr, ar->arg, ar->narg); auth_freerpc(ar); close(fd); } add_block(sig, sstr, 2*SHA1dlen); return sig; } static int dss_verify(Conn *c, uchar *m, int nm, char *user, char *sig, int nsig) { sshdebug(c, "in dss_verify for connection: %d", c->id); USED(m, nm, user, sig, nsig); return 0; } static int dh_server1(Conn *c, Packet *pack1) { return dh_server(c, pack1, p1, 1024); } static int dh_server14(Conn *c, Packet *pack1) { return dh_server(c, pack1, p14, 2048); } static int dh_server(Conn *c, Packet *pack1, mpint *grp, int nbit) { Packet *pack2, *ks, *sig; mpint *y, *e, *f, *k; int n, ret; uchar h[SHA1dlen]; ret = -1; qlock(&c->l); f = mpnew(nbit); k = mpnew(nbit); /* Compute f: RFC4253 */ y = mprand(nbit / 8, genrandom, nil); if (debug > 1) sshdebug(c, "y=%M", y); mpexp(two, y, grp, f); if (debug > 1) sshdebug(c, "f=%M", f); /* Compute k: RFC4253 */ if (debug > 1) dump_packet(pack1); e = get_mp(pack1->payload+1); if (debug > 1) sshdebug(c, "e=%M", e); mpexp(e, y, grp, k); if (debug > 1) sshdebug(c, "k=%M", k); /* Compute H: RFC 4253 */ pack2 = new_packet(c); sshdebug(c, "ID strings: %s---%s", c->otherid, MYID); add_string(pack2, c->otherid); add_string(pack2, MYID); if (debug > 1) { fprint(2, "received kexinit:"); dump_packet(c->rkexinit); fprint(2, "\nsent kexinit:"); dump_packet(c->skexinit); } add_block(pack2, c->rkexinit->payload, c->rkexinit->rlength - 1); add_block(pack2, c->skexinit->payload, c->skexinit->rlength - c->skexinit->pad_len - 1); sig = nil; ks = pkas[c->pkalg]->ks(c); if (ks == nil) goto err; add_block(pack2, ks->payload, ks->rlength - 1); add_mp(pack2, e); add_mp(pack2, f); add_mp(pack2, k); sha1(pack2->payload, pack2->rlength - 1, h, nil); if (c->got_sessid == 0) { memmove(c->sessid, h, SHA1dlen); c->got_sessid = 1; } sig = pkas[c->pkalg]->sign(c, h, SHA1dlen); if (sig == nil) { sshlog(c, "failed to generate signature: %r"); goto err; } /* Send (K_s || f || s) to client: RFC4253 */ init_packet(pack2); pack2->c = c; add_byte(pack2, SSH_MSG_KEXDH_REPLY); add_block(pack2, ks->payload, ks->rlength - 1); add_mp(pack2, f); add_block(pack2, sig->payload, sig->rlength - 1); if (debug > 1) dump_packet(pack2); n = finish_packet(pack2); if (debug > 1) { sshdebug(c, "writing %d bytes: len %d", n, nhgetl(pack2->nlength)); dump_packet(pack2); } iowrite(c->dio, c->datafd, pack2->nlength, n); genkeys(c, h, k); /* Send SSH_MSG_NEWKEYS */ init_packet(pack2); pack2->c = c; add_byte(pack2, SSH_MSG_NEWKEYS); n = finish_packet(pack2); iowrite(c->dio, c->datafd, pack2->nlength, n); ret = 0; err: mpfree(f); mpfree(e); mpfree(k); mpfree(y); free(sig); free(ks); free(pack2); qunlock(&c->l); return ret; } static int dh_client11(Conn *c, Packet *) { Packet *p; int n; if (c->e) mpfree(c->e); c->e = mpnew(1024); /* Compute e: RFC4253 */ if (c->x) mpfree(c->x); c->x = mprand(128, genrandom, nil); mpexp(two, c->x, p1, c->e); p = new_packet(c); add_byte(p, SSH_MSG_KEXDH_INIT); add_mp(p, c->e); n = finish_packet(p); iowrite(c->dio, c->datafd, p->nlength, n); free(p); return 0; } static int findkeyinuserring(Conn *c, RSApub *srvkey) { int n; char *home, *newkey, *r; home = getenv("home"); if (home == nil) { newkey = "No home directory for key file"; free(keymbox.msg); keymbox.msg = smprint("b%04ld%s", strlen(newkey), newkey); return -1; } r = smprint("%s/lib/keyring", home); free(home); if ((n = findkey(r, c->remote, srvkey)) != KeyOk) { newkey = smprint("ek=%M n=%M", srvkey->ek, srvkey->n); free(keymbox.msg); keymbox.msg = smprint("%c%04ld%s", n == NoKeyFile || n == NoKey? 'c': 'b', strlen(newkey), newkey); free(newkey); nbsendul(keymbox.mchan, 1); recvul(keymbox.mchan); if (keymbox.msg == nil || keymbox.msg[0] == 'n') { free(keymbox.msg); keymbox.msg = nil; newkey = "Server key reject"; keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey); return -1; } sshdebug(c, "adding key"); if (keymbox.msg[0] == 'y') appendkey(r, c->remote, srvkey); else if (keymbox.msg[0] == 'r') replacekey(r, c->remote, srvkey); } free(r); return 0; } static int verifyhostkey(Conn *c, RSApub *srvkey, Packet *sig) { int fd, n; char *newkey; uchar h[SHA1dlen]; sshdebug(c, "verifying server signature"); if (findkey("/sys/lib/ssh/keyring", c->remote, srvkey) != KeyOk && findkeyinuserring(c, srvkey) < 0) { nbsendul(keymbox.mchan, 1); mpfree(srvkey->ek); mpfree(srvkey->n); return Errnokey; } newkey = smprint("key proto=rsa role=verify sys=%s size=%d ek=%M n=%M", c->remote, mpsignif(srvkey->n), srvkey->ek, srvkey->n); if (newkey == nil) { sshlog(c, "out of memory"); threadexits("out of memory"); } fd = open("/mnt/factotum/ctl", OWRITE); if (fd >= 0) write(fd, newkey, strlen(newkey)); /* leave fd open */ else sshdebug(c, "factotum open failed: %r"); free(newkey); mpfree(srvkey->ek); mpfree(srvkey->n); free(keymbox.msg); keymbox.msg = nil; n = pkas[c->pkalg]->verify(c, h, SHA1dlen, nil, (char *)sig->payload, sig->rlength); /* fd is perhaps still open */ if (fd >= 0) { /* sys here is a dotted-quad ip address */ newkey = smprint("delkey proto=rsa role=verify sys=%s", c->remote); if (newkey) { seek(fd, 0, 0); write(fd, newkey, strlen(newkey)); free(newkey); } close(fd); } return n; } static int dh_client12(Conn *c, Packet *p) { int n, retval; #ifdef VERIFYKEYS char *newkey; #endif char buf[10]; uchar *q; uchar h[SHA1dlen]; mpint *f, *k; Packet *ks, *sig, *pack2; RSApub *srvkey; ks = new_packet(c); sig = new_packet(c); pack2 = new_packet(c); q = get_string(p, p->payload+1, (char *)ks->payload, Maxpktpay, &n); ks->rlength = n + 1; f = get_mp(q); q += nhgetl(q) + 4; get_string(p, q, (char *)sig->payload, Maxpktpay, &n); sig->rlength = n; k = mpnew(1024); mpexp(f, c->x, p1, k); /* Compute H: RFC 4253 */ init_packet(pack2); pack2->c = c; if (debug > 1) sshdebug(c, "ID strings: %s---%s", c->otherid, MYID); add_string(pack2, MYID); add_string(pack2, c->otherid); if (debug > 1) { fprint(2, "received kexinit:"); dump_packet(c->rkexinit); fprint(2, "\nsent kexinit:"); dump_packet(c->skexinit); } add_block(pack2, c->skexinit->payload, c->skexinit->rlength - c->skexinit->pad_len - 1); add_block(pack2, c->rkexinit->payload, c->rkexinit->rlength - 1); add_block(pack2, ks->payload, ks->rlength - 1); add_mp(pack2, c->e); add_mp(pack2, f); add_mp(pack2, k); sha1(pack2->payload, pack2->rlength - 1, h, nil); mpfree(f); if (c->got_sessid == 0) { memmove(c->sessid, h, SHA1dlen); c->got_sessid = 1; } q = get_string(ks, ks->payload, buf, sizeof buf, nil); srvkey = emalloc9p(sizeof (RSApub)); srvkey->ek = get_mp(q); q += nhgetl(q) + 4; srvkey->n = get_mp(q); /* * key verification is really pretty pedantic and * not doing it lets us talk to ssh v1 implementations. */ if (nokeyverify) n = Errnone; else n = verifyhostkey(c, srvkey, sig); retval = -1; USED(retval); switch (n) { #ifdef VERIFYKEYS case Errnokey: goto out; case Errnoverify: newkey = "signature verification failed; try netssh -v"; keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey); break; case Errfactotum: newkey = "factotum dialogue failed; try netssh -v"; keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey); break; case Errnone: #else default: #endif keymbox.msg = smprint("o0000"); retval = 0; break; } nbsendul(keymbox.mchan, 1); if (retval == 0) genkeys(c, h, k); #ifdef VERIFYKEYS out: #endif mpfree(k); free(ks); free(sig); free(pack2); free(srvkey); return retval; } static int dh_client141(Conn *c, Packet *) { Packet *p; mpint *e, *x; int n; /* Compute e: RFC4253 */ e = mpnew(2048); x = mprand(256, genrandom, nil); mpexp(two, x, p14, e); p = new_packet(c); add_byte(p, SSH_MSG_KEXDH_INIT); add_mp(p, e); n = finish_packet(p); iowrite(c->dio, c->datafd, p->nlength, n); free(p); mpfree(e); mpfree(x); return 0; } static int dh_client142(Conn *, Packet *) { return 0; } static void initsha1pkt(Packet *pack2, mpint *k, uchar *h) { init_packet(pack2); add_mp(pack2, k); add_packet(pack2, h, SHA1dlen); } static void genkeys(Conn *c, uchar h[], mpint *k) { Packet *pack2; char buf[82], *bp, *be; /* magic 82 */ int n; pack2 = new_packet(c); /* Compute 40 bytes (320 bits) of keys: each alg can use what it needs */ /* Client to server IV */ if (debug > 1) { fprint(2, "k=%M\nh=", k); for (n = 0; n < SHA1dlen; ++n) fprint(2, "%02ux", h[n]); fprint(2, "\nsessid="); for (n = 0; n < SHA1dlen; ++n) fprint(2, "%02ux", c->sessid[n]); fprint(2, "\n"); } initsha1pkt(pack2, k, h); add_byte(pack2, 'A'); add_packet(pack2, c->sessid, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->nc2siv, nil); initsha1pkt(pack2, k, h); add_packet(pack2, c->nc2siv, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->nc2siv + SHA1dlen, nil); /* Server to client IV */ initsha1pkt(pack2, k, h); add_byte(pack2, 'B'); add_packet(pack2, c->sessid, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->ns2civ, nil); initsha1pkt(pack2, k, h); add_packet(pack2, c->ns2civ, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->ns2civ + SHA1dlen, nil); /* Client to server encryption key */ initsha1pkt(pack2, k, h); add_byte(pack2, 'C'); add_packet(pack2, c->sessid, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->nc2sek, nil); initsha1pkt(pack2, k, h); add_packet(pack2, c->nc2sek, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->nc2sek + SHA1dlen, nil); /* Server to client encryption key */ initsha1pkt(pack2, k, h); add_byte(pack2, 'D'); add_packet(pack2, c->sessid, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->ns2cek, nil); initsha1pkt(pack2, k, h); add_packet(pack2, c->ns2cek, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->ns2cek + SHA1dlen, nil); /* Client to server integrity key */ initsha1pkt(pack2, k, h); add_byte(pack2, 'E'); add_packet(pack2, c->sessid, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->nc2sik, nil); initsha1pkt(pack2, k, h); add_packet(pack2, c->nc2sik, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->nc2sik + SHA1dlen, nil); /* Server to client integrity key */ initsha1pkt(pack2, k, h); add_byte(pack2, 'F'); add_packet(pack2, c->sessid, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->ns2cik, nil); initsha1pkt(pack2, k, h); add_packet(pack2, c->ns2cik, SHA1dlen); sha1(pack2->payload, pack2->rlength - 1, c->ns2cik + SHA1dlen, nil); if (debug > 1) { be = buf + sizeof buf; fprint(2, "Client to server IV:\n"); for (n = 0, bp = buf; n < SHA1dlen*2; ++n) bp = seprint(bp, be, "%02x", c->nc2siv[n]); fprint(2, "%s\n", buf); fprint(2, "Server to client IV:\n"); for (n = 0, bp = buf; n < SHA1dlen*2; ++n) bp = seprint(bp, be, "%02x", c->ns2civ[n]); fprint(2, "%s\n", buf); fprint(2, "Client to server EK:\n"); for (n = 0, bp = buf; n < SHA1dlen*2; ++n) bp = seprint(bp, be, "%02x", c->nc2sek[n]); fprint(2, "%s\n", buf); fprint(2, "Server to client EK:\n"); for (n = 0, bp = buf; n < SHA1dlen*2; ++n) bp = seprint(bp, be, "%02x", c->ns2cek[n]); fprint(2, "%s\n", buf); } free(pack2); } Kex dh1sha1 = { "diffie-hellman-group1-sha1", dh_server1, dh_client11, dh_client12 }; Kex dh14sha1 = { "diffie-hellman-group14-sha1", dh_server14, dh_client141, dh_client142 }; PKA rsa_pka = { "ssh-rsa", rsa_ks, rsa_sign, rsa_verify }; PKA dss_pka = { "ssh-dss", dss_ks, dss_sign, dss_verify };