From 4778081866249903c0d66a02fcae247059ab950c Mon Sep 17 00:00:00 2001
From: Warren <warren@momentry.ddns.net>
Date: Sun, 14 Jun 2026 23:14:14 +0800
Subject: [PATCH] Critical fix: KEXINIT exchange hash encoding (prepend
 SSH_MSG_KEXINIT byte)

OpenSSH kexgex.c source code analysis:
- KEXINIT payload stored without SSH_MSG_KEXINIT type byte
- Exchange hash prepends SSH_MSG_KEXINIT byte (20) with adjusted length

Before fix:
- client_kexinit_payload included SSH_MSG_KEXINIT byte
- Direct use without prepending

After fix:
- Remove SSH_MSG_KEXINIT byte from payload
- Prepend byte (20) in exchange hash with length+1
- Both kex_exchange.rs and kex_complete.rs updated

Testing result: MAC still fails, indicating additional encoding issues
Next: Detailed comparison of all exchange hash components
---
 data/auth.sqlite                             | Bin 73728 -> 73728 bytes
 markbase-core/src/ssh_server/kex_complete.rs |  16 ++++++++++----
 markbase-core/src/ssh_server/kex_exchange.rs |  22 +++++++++++++++----
 3 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/data/auth.sqlite b/data/auth.sqlite
index 41ae3dc63b5810950b6a2dbb710c448e90456d86..8dfdb1072de1764e1f13ad3266e367816da992a6 100644
GIT binary patch
delta 171
zcmZoTz|wGlWr8&0)QK|Aj8iuzw97CmPd+H6FquR44%^|@CXQa!&97wH7=i4@x?YvZ
z-{k%<9d6zHMgBRz<Pu(HS*G0l+|<01qDr=<oXnz3DXF>nY>PL4(f`0Nu!NPFlZkC9
q0|N_~0Ti{zD(dgOo>70Y!~acSga7~MXVl;Rg`e?1Kd(Lm5&!@|5;wE}

delta 171
zcmZoTz|wGlWr8&0#ECM_j1xB|w97CmOg<>3FquR44%_w>O&q;Sn_tPYF#_3*b-jv{
zzsdb!+P-4*7y0M>k_&m6WtnpGb5rw5iYnO_aWacCrKINOvn|;CMgIf8z(Q7LPA0ZR
q3=Aw_22j)<tEj*CdPcp;4*xfS4gUY1pHXl77k<Y7{JeS$NB{s+H8<e^

diff --git a/markbase-core/src/ssh_server/kex_complete.rs b/markbase-core/src/ssh_server/kex_complete.rs
index 16a972e..2355403 100644
--- a/markbase-core/src/ssh_server/kex_complete.rs
+++ b/markbase-core/src/ssh_server/kex_complete.rs
@@ -71,11 +71,19 @@ impl KexState {
         // V_S: 服务器版本字符串（SSH string格式）
         write_ssh_string_to_hash(&mut hasher, &self.server_version)?;
         
-        // I_C: 客户端KEXINIT payload（SSH string格式）
-        write_ssh_string_to_hash(&mut hasher, &String::from_utf8_lossy(&self.client_kexinit_payload))?;
+        // OpenSSH kexgex.c: "kexinit messages: fake header: len+SSH2_MSG_KEXINIT"
+        // Remove SSH_MSG_KEXINIT type byte from payloads and prepend it in exchange hash
         
-        // I_S: 服务器KEXINIT payload（SSH string格式）
-        write_ssh_string_to_hash(&mut hasher, &String::from_utf8_lossy(&self.server_kexinit_payload))?;
+        let client_kexinit_without_type = &self.client_kexinit_payload[1..];
+        let server_kexinit_without_type = &self.server_kexinit_payload[1..];
+        
+        hasher.update(&((client_kexinit_without_type.len() + 1) as u32).to_be_bytes());
+        hasher.update(&[20]);  // SSH_MSG_KEXINIT type byte
+        hasher.update(client_kexinit_without_type);
+        
+        hasher.update(&((server_kexinit_without_type.len() + 1) as u32).to_be_bytes());
+        hasher.update(&[20]);  // SSH_MSG_KEXINIT type byte
+        hasher.update(server_kexinit_without_type);
         
         // K_S: 服务器主机密钥blob（SSH string格式）
         hasher.update(server_host_key_blob);
diff --git a/markbase-core/src/ssh_server/kex_exchange.rs b/markbase-core/src/ssh_server/kex_exchange.rs
index a5963bf..47fe19f 100644
--- a/markbase-core/src/ssh_server/kex_exchange.rs
+++ b/markbase-core/src/ssh_server/kex_exchange.rs
@@ -215,11 +215,25 @@ impl KexExchangeHandler {
         hasher.update(&(server_version.len() as u32).to_be_bytes());
         hasher.update(server_version.as_bytes());
         
-        hasher.update(&(client_kexinit_payload.len() as u32).to_be_bytes());
-        hasher.update(client_kexinit_payload);
+        // OpenSSH kexgex.c: "kexinit messages: fake header: len+SSH2_MSG_KEXINIT"
+        // KEXINIT payload should NOT include SSH_MSG_KEXINIT type byte
+        // OpenSSH stores payload starting from cookie, prepends SSH_MSG_KEXINIT in exchange hash
         
-        hasher.update(&(server_kexinit_payload.len() as u32).to_be_bytes());
-        hasher.update(server_kexinit_payload);
+        // Remove SSH_MSG_KEXINIT type byte from payloads (our payload includes it)
+        let client_kexinit_without_type = &client_kexinit_payload[1..];
+        let server_kexinit_without_type = &server_kexinit_payload[1..];
+        
+        info!("I_C (client KEXINIT without type byte): {} bytes (first byte should be cookie)", client_kexinit_without_type.len());
+        info!("I_S (server KEXINIT without type byte): {} bytes", server_kexinit_without_type.len());
+        
+        // Exchange hash: uint32(len+1) + uint8(SSH_MSG_KEXINIT) + payload_without_type
+        hasher.update(&((client_kexinit_without_type.len() + 1) as u32).to_be_bytes());
+        hasher.update(&[20]);  // SSH_MSG_KEXINIT type byte
+        hasher.update(client_kexinit_without_type);
+        
+        hasher.update(&((server_kexinit_without_type.len() + 1) as u32).to_be_bytes());
+        hasher.update(&[20]);  // SSH_MSG_KEXINIT type byte
+        hasher.update(server_kexinit_without_type);
         
         hasher.update(&(host_key_blob.len() as u32).to_be_bytes());
         hasher.update(host_key_blob);