Subversion Repositories planix.SVN

#include <u.h>

#include <libc.h>

#include <mp.h>

#include <libsec.h>

#include <fcall.h>

#include <thread.h>

#include <9p.h>

#include <auth.h>

#include <ip.h>

#include <pool.h>

#include "netssh.h"

#undef VERIFYKEYS		/* TODO until it's fixed */

enum {

	Errnokey = -2,	/* no key on keyring */

	Errnoverify,	/* factotum found a key, but verification failed */

	Errfactotum,	/* factotum failure (e.g., no key) */

	Errnone,	/* key verified */

};

static int dh_server(Conn *, Packet *, mpint *, int);

static void genkeys(Conn *, uchar [], mpint *);

/*

 * Second Oakley Group from RFC 2409

 */

static char *group1p =

         "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"

         "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"

         "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"

         "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"

         "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"

         "FFFFFFFFFFFFFFFF";

/*

 * 2048-bit MODP group (id 14) from RFC 3526

*/

static char *group14p =

      "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"

      "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"

      "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"

      "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"

      "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"

      "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"

      "83655D23DCA3AD961C62F356208552BB9ED529077096966D"

      "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"

      "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"

      "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"

      "15728E5A8AACAA68FFFFFFFFFFFFFFFF";

mpint *two, *p1, *p14;

int nokeyverify;

static DSApriv mydsskey;

static RSApriv myrsakey;

void

dh_init(PKA *pkas[])

{

	char *buf, *p, *st, *end;

	int fd, n, k;

	if(debug > 1)

		sshdebug(nil, "dh_init");

	k = 0;

	pkas[k] = nil;

	fmtinstall('M', mpfmt);

	two = strtomp("2", nil, 10, nil);

	p1 = strtomp(group1p, nil, 16, nil);

	p14 = strtomp(group14p, nil, 16, nil);

	/*

	 * this really should be done through factotum

	 */

	p = getenv("rsakey");

	if (p != nil) {

		remove("/env/rsakey");

		st = buf = p;

		end = buf + strlen(p);

	} else {

		/*

		 * it would be better to use bio and rdline here instead of

		 * reading all of factotum's contents into memory at once.

		 */

		buf = emalloc9p(Maxfactotum);

		fd = open("rsakey", OREAD);

		if (fd < 0 && (fd = open("/mnt/factotum/ctl", OREAD)) < 0)

			goto norsa;

		n = readn(fd, buf, Maxfactotum - 1);

		buf[n >= 0? n: 0] = 0;

		close(fd);

		assert(n < Maxfactotum - 1);

		st = strstr(buf, "proto=rsa");

		if (st == nil) {

			sshlog(nil, "no proto=rsa key in factotum");

			goto norsa;

		}

		end = st;

		for (; st > buf && *st != '\n'; --st)

			;

		for (; end < buf + Maxfactotum && *end != '\n'; ++end)

			;

	}

	p = strstr(st, " n=");

	if (p == nil || p > end) {

		sshlog(nil, "no key (n) found");

		free(buf);

		return;

	}

	myrsakey.pub.n = strtomp(p+3, nil, 16, nil);

	if (debug > 1)

		sshdebug(nil, "n=%M", myrsakey.pub.n);

	p = strstr(st, " ek=");

	if (p == nil || p > end) {

		sshlog(nil, "no key (ek) found");

		free(buf);

		return;

	}

	pkas[k++] = &rsa_pka;

	pkas[k] = nil;

	myrsakey.pub.ek = strtomp(p+4, nil, 16, nil);

	if (debug > 1)

		sshdebug(nil, "ek=%M", myrsakey.pub.ek);

	p = strstr(st, " !dk=");

	if (p == nil) {

		p = strstr(st, "!dk?");

		if (p == nil || p > end) {

			// sshlog(nil, "no key (dk) found");

			free(buf);

			return;

		}

		goto norsa;

	}

	myrsakey.dk = strtomp(p+5, nil, 16, nil);

	if (debug > 1)

		sshdebug(nil, "dk=%M", myrsakey.dk);

norsa:

	free(buf);

	p = getenv("dsskey");

	if (p != nil) {

		remove("/env/dsskey");

		buf = p;

		end = buf + strlen(p);

	} else {

		/*

		 * it would be better to use bio and rdline here instead of

		 * reading all of factotum's contents into memory at once.

		 */

		buf = emalloc9p(Maxfactotum);

		fd = open("dsskey", OREAD);

		if (fd < 0 && (fd = open("/mnt/factotum/ctl", OREAD)) < 0)

			return;

		n = readn(fd, buf, Maxfactotum - 1);

		buf[n >= 0? n: 0] = 0;

		close(fd);

		assert(n < Maxfactotum - 1);

		st = strstr(buf, "proto=dsa");

		if (st == nil) {

			sshlog(nil, "no proto=dsa key in factotum");

			free(buf);

			return;

		}

		end = st;

		for (; st > buf && *st != '\n'; --st)

			;

		for (; end < buf + Maxfactotum && *end != '\n'; ++end)

			;

	}

	p = strstr(buf, " p=");

	if (p == nil || p > end) {

		sshlog(nil, "no key (p) found");

		free(buf);

		return;

	}

	mydsskey.pub.p = strtomp(p+3, nil, 16, nil);

	p = strstr(buf, " q=");

	if (p == nil || p > end) {

		sshlog(nil, "no key (q) found");

		free(buf);

		return;

	}

	mydsskey.pub.q = strtomp(p+3, nil, 16, nil);

	p = strstr(buf, " alpha=");

	if (p == nil || p > end) {

		sshlog(nil, "no key (g) found");

		free(buf);

		return;

	}

	mydsskey.pub.alpha = strtomp(p+7, nil, 16, nil);

	p = strstr(buf, " key=");

	if (p == nil || p > end) {

		sshlog(nil, "no key (y) found");

		free(buf);

		return;

	}

	mydsskey.pub.key = strtomp(p+5, nil, 16, nil);

	pkas[k++] = &dss_pka;

	pkas[k] = nil;

	p = strstr(buf, " !secret=");

	if (p == nil) {

		p = strstr(buf, "!secret?");

		if (p == nil || p > end)

			sshlog(nil, "no key (x) found");

		free(buf);

		return;

	}

	mydsskey.secret = strtomp(p+9, nil, 16, nil);

	free(buf);

}

static Packet *

rsa_ks(Conn *c)

{

	Packet *ks;

	if (myrsakey.pub.ek == nil || myrsakey.pub.n == nil) {

		sshlog(c, "no public RSA key info");

		return nil;

	}

	ks = new_packet(c);

	add_string(ks, "ssh-rsa");

	add_mp(ks, myrsakey.pub.ek);

	add_mp(ks, myrsakey.pub.n);

	return ks;

}

static void

esma_encode(uchar *h, uchar *em, int nb)

{

	int n, i;

	uchar hh[SHA1dlen];

	static uchar sha1der[] = {

		0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,

		0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14,

	};

	sha1(h, SHA1dlen, hh, nil);

	n = nb - (nelem(sha1der) + SHA1dlen) - 3;

	i = 0;

	em[i++] = 0;

	em[i++] = 1;

	memset(em + i, 0xff, n);

	i += n;

	em[i++] = 0;

	memmove(em + i, sha1der, sizeof sha1der);

	i += sizeof sha1der;

	memmove(em + i, hh, SHA1dlen);

}

static Packet *

rsa_sign(Conn *c, uchar *m, int nm)

{

	AuthRpc *ar;

	Packet *sig;

	mpint *s, *mm;

	int fd, n, nbit;

	uchar hh[SHA1dlen];

	uchar *sstr, *em;

	if (myrsakey.dk) {

		nbit = mpsignif (myrsakey.pub.n);

		n = (nbit + 7) / 8;

		sstr = emalloc9p(n);

		em = emalloc9p(n);

		/* Compute s: RFC 3447 */

		esma_encode(m, em, n);

		mm = betomp(em, n, nil);

		s = mpnew(nbit);

		mpexp(mm, myrsakey.dk, myrsakey.pub.n, s);

		mptobe(s, sstr, n, nil);

		mpfree(mm);

		mpfree(s);

		free(em);

	} else {

		fd = open("/mnt/factotum/rpc", ORDWR);

		if (fd < 0)

			return nil;

		sha1(m, nm, hh, nil);

		ar = auth_allocrpc(fd);

		if (ar == nil ||

		    auth_rpc(ar, "start", "role=sign proto=rsa", 19) != ARok ||

		    auth_rpc(ar, "write", hh, SHA1dlen) != ARok ||

		    auth_rpc(ar, "read", nil, 0) != ARok ||

		    ar->arg == nil) {

			sshdebug(c, "got error in factotum: %r");

			auth_freerpc(ar);

			close(fd);

			return nil;

		}

		sstr = emalloc9p(ar->narg);

		memmove(sstr, ar->arg, ar->narg);

		n = ar->narg;

		auth_freerpc(ar);

		close(fd);

	}

	sig = new_packet(c);

	add_string(sig, pkas[c->pkalg]->name);

	add_block(sig, sstr, n);

	free(sstr);

	return sig;

}

/*

 * 0 - If factotum failed, e.g. no key

 * 1 - If key is verified

 * -1 - If factotum found a key, but the verification fails

 */

static int

rsa_verify(Conn *c, uchar *m, int nm, char *user, char *sig, int)

{

	int fd, n, retval, nbit;

	char *buf, *p, *sigblob;

	uchar *sstr, *em;

	uchar hh[SHA1dlen];

	mpint *s, *mm, *rsa_exponent, *host_modulus;

	AuthRpc *ar;

	sshdebug(c, "in rsa_verify for connection: %d", c->id);

	SET(rsa_exponent, host_modulus);

	USED(rsa_exponent, host_modulus);

	if (0 && rsa_exponent) {

		nbit = mpsignif(host_modulus);

		n = (nbit + 7) / 8;

		em = emalloc9p(n);

		/* Compute s: RFC 3447 */

		esma_encode(m, em, n);

		mm = betomp(em, n, nil);

		s = mpnew(1024);

		mpexp(mm, rsa_exponent, host_modulus, s);

		sstr = emalloc9p(n);

		mptobe(s, sstr, n, nil);

		free(em);

		mpfree(mm);

		mpfree(s);

		retval = memcmp(sig, sstr, n);

		free(sstr);

		retval = (retval == 0);

	} else {

		retval = 1;

		fd = open("/mnt/factotum/rpc", ORDWR);

		if (fd < 0) {

			sshdebug(c, "could not open factotum RPC: %r");

			return 0;

		}

		buf = emalloc9p(Blobsz / 2);

		sigblob = emalloc9p(Blobsz);

		p = (char *)get_string(nil, (uchar *)sig, buf, Blobsz / 2, nil);

		get_string(nil, (uchar *)p, sigblob, Blobsz, &n);

		sha1(m, nm, hh, nil);

		if (user != nil)

			p = smprint("role=verify proto=rsa user=%s", user);

		else

			p = smprint("role=verify proto=rsa sys=%s", c->remote);

		ar = auth_allocrpc(fd);

		if (ar == nil || auth_rpc(ar, "start", p, strlen(p)) != ARok ||

		    auth_rpc(ar, "write", hh, SHA1dlen) != ARok ||

		    auth_rpc(ar, "write", sigblob, n) != ARok ||

		    auth_rpc(ar, "read", nil, 0) != ARok) {

			sshdebug(c, "got error in factotum: %r");

			retval = 0;

		} else {

			sshdebug(c, "factotum returned %s", ar->ibuf);

			if (strstr(ar->ibuf, "does not verify") != nil)

				retval = -1;

		}

		if (ar != nil)

			auth_freerpc(ar);

		free(p);

		close(fd);

		free(sigblob);

		free(buf);

	}

	return retval;

}

static Packet *

dss_ks(Conn *c)

{

	Packet *ks;

	if (mydsskey.pub.p == nil)

		return nil;

	ks = new_packet(c);

	add_string(ks, "ssh-dss");

	add_mp(ks, mydsskey.pub.p);

	add_mp(ks, mydsskey.pub.q);

	add_mp(ks, mydsskey.pub.alpha);

	add_mp(ks, mydsskey.pub.key);

	return ks;

}

static Packet *

dss_sign(Conn *c, uchar *m, int nm)

{

	AuthRpc *ar;

	DSAsig *s;

	Packet *sig;

	mpint *mm;

	int fd;

	uchar sstr[2*SHA1dlen];

	sha1(m, nm, sstr, nil);

	sig = new_packet(c);

	add_string(sig, pkas[c->pkalg]->name);

	if (mydsskey.secret) {

		mm = betomp(sstr, SHA1dlen, nil);

		s = dsasign(&mydsskey, mm);

		mptobe(s->r, sstr, SHA1dlen, nil);

		mptobe(s->s, sstr+SHA1dlen, SHA1dlen, nil);

		dsasigfree(s);

		mpfree(mm);

	} else {

		fd = open("/mnt/factotum/rpc", ORDWR);

		if (fd < 0)

			return nil;

		ar = auth_allocrpc(fd);

		if (ar == nil ||

		    auth_rpc(ar, "start", "role=sign proto=dsa", 19) != ARok ||

		    auth_rpc(ar, "write", sstr, SHA1dlen) != ARok ||

		    auth_rpc(ar, "read", nil, 0) != ARok) {

			sshdebug(c, "got error in factotum: %r");

			auth_freerpc(ar);

			close(fd);

			return nil;

		}

		memmove(sstr, ar->arg, ar->narg);

		auth_freerpc(ar);

		close(fd);

	}

	add_block(sig, sstr, 2*SHA1dlen);

	return sig;

}

static int

dss_verify(Conn *c, uchar *m, int nm, char *user, char *sig, int nsig)

{

	sshdebug(c, "in dss_verify for connection: %d", c->id);

	USED(m, nm, user, sig, nsig);

	return 0;

}

static int

dh_server1(Conn *c, Packet *pack1)

{

	return dh_server(c, pack1, p1, 1024);

}

static int

dh_server14(Conn *c, Packet *pack1)

{

	return dh_server(c, pack1, p14, 2048);

}

static int

dh_server(Conn *c, Packet *pack1, mpint *grp, int nbit)

{

	Packet *pack2, *ks, *sig;

	mpint *y, *e, *f, *k;

	int n, ret;

	uchar h[SHA1dlen];

	ret = -1;

	qlock(&c->l);

	f = mpnew(nbit);

	k = mpnew(nbit);

	/* Compute f: RFC4253 */

	y = mprand(nbit / 8, genrandom, nil);

	if (debug > 1)

		sshdebug(c, "y=%M", y);

	mpexp(two, y, grp, f);

	if (debug > 1)

		sshdebug(c, "f=%M", f);

	/* Compute k: RFC4253 */

	if (debug > 1)

		dump_packet(pack1);

	e = get_mp(pack1->payload+1);

	if (debug > 1)

		sshdebug(c, "e=%M", e);

	mpexp(e, y, grp, k);

	if (debug > 1)

		sshdebug(c, "k=%M", k);

	/* Compute H: RFC 4253 */

	pack2 = new_packet(c);

	sshdebug(c, "ID strings: %s---%s", c->otherid, MYID);

	add_string(pack2, c->otherid);

	add_string(pack2, MYID);

	if (debug > 1) {

		fprint(2, "received kexinit:");

		dump_packet(c->rkexinit);

		fprint(2, "\nsent kexinit:");

		dump_packet(c->skexinit);

	}

	add_block(pack2, c->rkexinit->payload, c->rkexinit->rlength - 1);

	add_block(pack2, c->skexinit->payload,

		c->skexinit->rlength - c->skexinit->pad_len - 1);

	sig = nil;

	ks = pkas[c->pkalg]->ks(c);

	if (ks == nil)

		goto err;

	add_block(pack2, ks->payload, ks->rlength - 1);

	add_mp(pack2, e);

	add_mp(pack2, f);

	add_mp(pack2, k);

	sha1(pack2->payload, pack2->rlength - 1, h, nil);

	if (c->got_sessid == 0) {

		memmove(c->sessid, h, SHA1dlen);

		c->got_sessid = 1;

	}

	sig = pkas[c->pkalg]->sign(c, h, SHA1dlen);

	if (sig == nil) {

		sshlog(c, "failed to generate signature: %r");

		goto err;

	}

	/* Send (K_s || f || s) to client: RFC4253 */

	init_packet(pack2);

	pack2->c = c;

	add_byte(pack2, SSH_MSG_KEXDH_REPLY);

	add_block(pack2, ks->payload, ks->rlength - 1);

	add_mp(pack2, f);

	add_block(pack2, sig->payload, sig->rlength - 1);

	if (debug > 1)

		dump_packet(pack2);

	n = finish_packet(pack2);

	if (debug > 1) {

		sshdebug(c, "writing %d bytes: len %d", n, nhgetl(pack2->nlength));

		dump_packet(pack2);

	}

	iowrite(c->dio, c->datafd, pack2->nlength, n);

	genkeys(c, h, k);

	/* Send SSH_MSG_NEWKEYS */

	init_packet(pack2);

	pack2->c = c;

	add_byte(pack2, SSH_MSG_NEWKEYS);

	n = finish_packet(pack2);

	iowrite(c->dio, c->datafd, pack2->nlength, n);

	ret = 0;

err:

	mpfree(f);

	mpfree(e);

	mpfree(k);

	mpfree(y);

	free(sig);

	free(ks);

	free(pack2);

	qunlock(&c->l);

	return ret;

}

static int

dh_client11(Conn *c, Packet *)

{

	Packet *p;

	int n;

	if (c->e)

		mpfree(c->e);

	c->e = mpnew(1024);

	/* Compute e: RFC4253 */

	if (c->x)

		mpfree(c->x);

	c->x = mprand(128, genrandom, nil);

	mpexp(two, c->x, p1, c->e);

	p = new_packet(c);

	add_byte(p, SSH_MSG_KEXDH_INIT);

	add_mp(p, c->e);

	n = finish_packet(p);

	iowrite(c->dio, c->datafd, p->nlength, n);

	free(p);

	return 0;

}

static int

findkeyinuserring(Conn *c, RSApub *srvkey)

{

	int n;

	char *home, *newkey, *r;

	home = getenv("home");

	if (home == nil) {

		newkey = "No home directory for key file";

		free(keymbox.msg);

		keymbox.msg = smprint("b%04ld%s", strlen(newkey), newkey);

		return -1;

	}

	r = smprint("%s/lib/keyring", home);

	free(home);

	if ((n = findkey(r, c->remote, srvkey)) != KeyOk) {

		newkey = smprint("ek=%M n=%M", srvkey->ek, srvkey->n);

		free(keymbox.msg);

		keymbox.msg = smprint("%c%04ld%s", n == NoKeyFile || n == NoKey?

			'c': 'b', strlen(newkey), newkey);

		free(newkey);

		nbsendul(keymbox.mchan, 1);

		recvul(keymbox.mchan);

		if (keymbox.msg == nil || keymbox.msg[0] == 'n') {

			free(keymbox.msg);

			keymbox.msg = nil;

			newkey = "Server key reject";

			keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey);

			return -1;

		}

		sshdebug(c, "adding key");

		if (keymbox.msg[0] == 'y')

			appendkey(r, c->remote, srvkey);

		else if (keymbox.msg[0] == 'r')

			replacekey(r, c->remote, srvkey);

	}

	free(r);

	return 0;

}

static int

verifyhostkey(Conn *c, RSApub *srvkey, Packet *sig)

{

	int fd, n;

	char *newkey;

	uchar h[SHA1dlen];

	sshdebug(c, "verifying server signature");

	if (findkey("/sys/lib/ssh/keyring", c->remote, srvkey) != KeyOk &&

	    findkeyinuserring(c, srvkey) < 0) {

		nbsendul(keymbox.mchan, 1);

		mpfree(srvkey->ek);

		mpfree(srvkey->n);

		return Errnokey;

	}

	newkey = smprint("key proto=rsa role=verify sys=%s size=%d ek=%M n=%M",

		c->remote, mpsignif(srvkey->n), srvkey->ek, srvkey->n);

	if (newkey == nil) {

		sshlog(c, "out of memory");

		threadexits("out of memory");

	}

	fd = open("/mnt/factotum/ctl", OWRITE);

	if (fd >= 0)

		write(fd, newkey, strlen(newkey));

		/* leave fd open */

	else

		sshdebug(c, "factotum open failed: %r");

	free(newkey);

	mpfree(srvkey->ek);

	mpfree(srvkey->n);

	free(keymbox.msg);

	keymbox.msg = nil;

	n = pkas[c->pkalg]->verify(c, h, SHA1dlen, nil, (char *)sig->payload,

		sig->rlength);

	/* fd is perhaps still open */

	if (fd >= 0) {

		/* sys here is a dotted-quad ip address */

		newkey = smprint("delkey proto=rsa role=verify sys=%s",

			c->remote);

		if (newkey) {

			seek(fd, 0, 0);

			write(fd, newkey, strlen(newkey));

			free(newkey);

		}

		close(fd);

	}

	return n;

}

static int

dh_client12(Conn *c, Packet *p)

{

	int n, retval;

#ifdef VERIFYKEYS

	char *newkey;

#endif

	char buf[10];

	uchar *q;

	uchar h[SHA1dlen];

	mpint *f, *k;

	Packet *ks, *sig, *pack2;

	RSApub *srvkey;

	ks = new_packet(c);

	sig = new_packet(c);

	pack2 = new_packet(c);

	q = get_string(p, p->payload+1, (char *)ks->payload, Maxpktpay, &n);

	ks->rlength = n + 1;

	f = get_mp(q);

	q += nhgetl(q) + 4;

	get_string(p, q, (char *)sig->payload, Maxpktpay, &n);

	sig->rlength = n;

	k = mpnew(1024);

	mpexp(f, c->x, p1, k);

	/* Compute H: RFC 4253 */

	init_packet(pack2);

	pack2->c = c;

	if (debug > 1)

		sshdebug(c, "ID strings: %s---%s", c->otherid, MYID);

	add_string(pack2, MYID);

	add_string(pack2, c->otherid);

	if (debug > 1) {

		fprint(2, "received kexinit:");

		dump_packet(c->rkexinit);

		fprint(2, "\nsent kexinit:");

		dump_packet(c->skexinit);

	}

	add_block(pack2, c->skexinit->payload,

		c->skexinit->rlength - c->skexinit->pad_len - 1);

	add_block(pack2, c->rkexinit->payload, c->rkexinit->rlength - 1);

	add_block(pack2, ks->payload, ks->rlength - 1);

	add_mp(pack2, c->e);

	add_mp(pack2, f);

	add_mp(pack2, k);

	sha1(pack2->payload, pack2->rlength - 1, h, nil);

	mpfree(f);

	if (c->got_sessid == 0) {

		memmove(c->sessid, h, SHA1dlen);

		c->got_sessid = 1;

	}

	q = get_string(ks, ks->payload, buf, sizeof buf, nil);

	srvkey = emalloc9p(sizeof (RSApub));

	srvkey->ek = get_mp(q);

	q += nhgetl(q) + 4;

	srvkey->n = get_mp(q);

	/*

	 * key verification is really pretty pedantic and

	 * not doing it lets us talk to ssh v1 implementations.

	 */

	if (nokeyverify)

		n = Errnone;

	else

		n = verifyhostkey(c, srvkey, sig);

	retval = -1;

	USED(retval);

	switch (n) {

#ifdef VERIFYKEYS

	case Errnokey:

		goto out;

	case Errnoverify:

		newkey = "signature verification failed; try netssh -v";

		keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey);

		break;

	case Errfactotum:

		newkey = "factotum dialogue failed; try netssh -v";

		keymbox.msg = smprint("f%04ld%s", strlen(newkey), newkey);

		break;

	case Errnone:

#else

	default:

#endif

		keymbox.msg = smprint("o0000");

		retval = 0;

		break;

	}

	nbsendul(keymbox.mchan, 1);

	if (retval == 0)

		genkeys(c, h, k);

#ifdef VERIFYKEYS

out:

#endif

	mpfree(k);

	free(ks);

	free(sig);

	free(pack2);

	free(srvkey);

	return retval;

}

static int

dh_client141(Conn *c, Packet *)

{

	Packet *p;

	mpint *e, *x;

	int n;

	/* Compute e: RFC4253 */

	e = mpnew(2048);

	x = mprand(256, genrandom, nil);

	mpexp(two, x, p14, e);

	p = new_packet(c);

	add_byte(p, SSH_MSG_KEXDH_INIT);

	add_mp(p, e);

	n = finish_packet(p);

	iowrite(c->dio, c->datafd, p->nlength, n);

	free(p);

	mpfree(e);

	mpfree(x);

	return 0;

}

static int

dh_client142(Conn *, Packet *)

{

	return 0;

}

static void

initsha1pkt(Packet *pack2, mpint *k, uchar *h)

{

	init_packet(pack2);

	add_mp(pack2, k);

	add_packet(pack2, h, SHA1dlen);

}

static void

genkeys(Conn *c, uchar h[], mpint *k)

{

	Packet *pack2;

	char buf[82], *bp, *be;			/* magic 82 */

	int n;

	pack2 = new_packet(c);

	/* Compute 40 bytes (320 bits) of keys: each alg can use what it needs */

	/* Client to server IV */

	if (debug > 1) {

		fprint(2, "k=%M\nh=", k);

		for (n = 0; n < SHA1dlen; ++n)

			fprint(2, "%02ux", h[n]);

		fprint(2, "\nsessid=");

		for (n = 0; n < SHA1dlen; ++n)

			fprint(2, "%02ux", c->sessid[n]);

		fprint(2, "\n");

	}

	initsha1pkt(pack2, k, h);

	add_byte(pack2, 'A');

	add_packet(pack2, c->sessid, SHA1dlen);

	sha1(pack2->payload, pack2->rlength - 1, c->nc2siv, nil);

	initsha1pkt(pack2, k, h);

	add_packet(pack2, c->nc2siv, SHA1dlen);

	sha1(pack2->payload, pack2->rlength - 1, c->nc2siv + SHA1dlen, nil);

	/* Server to client IV */

	initsha1pkt(pack2, k, h);

	add_byte(pack2, 'B');

	add_packet(pack2, c->sessid, SHA1dlen);

	sha1(pack2->payload, pack2->rlength - 1, c->ns2civ, nil);

	initsha1pkt(pack2, k, h);

	add_packet(pack2, c->ns2civ, SHA1dlen);

	sha1(pack2->payload, pack2->rlength - 1, c->ns2civ + SHA1dlen, nil);

	/* Client to server encryption key */

	initsha1pkt(pack2, k, h);

	add_byte(pack2, 'C');

	add_packet(pack2, c->sessid, SHA1dlen);

	sha1(pack2->payload, pack2->rlength - 1, c->nc2sek, nil);

	initsha1pkt(pack2, k, h);

	add_packet(pack2, c->nc2sek, SHA1dlen);

	sha1(pack2->payload, pack2->rlength - 1, c->nc2sek + SHA1dlen, nil);

	/* Server to client encryption key */

	initsha1pkt(pack2, k, h);

	add_byte(pack2, 'D');

	add_packet(pack2, c->sessid, SHA1dlen);

	sha1(pack2->payload, pack2->rlength - 1, c->ns2cek, nil);

	initsha1pkt(pack2, k, h);

	add_packet(pack2, c->ns2cek, SHA1dlen);

	sha1(pack2->payload, pack2->rlength - 1, c->ns2cek + SHA1dlen, nil);

	/* Client to server integrity key */

	initsha1pkt(pack2, k, h);