===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/kex.c,v
retrieving revision 1.164
retrieving revision 1.165
diff -u -r1.164 -r1.165
--- src/usr.bin/ssh/kex.c	2021/01/27 09:26:54	1.164
+++ src/usr.bin/ssh/kex.c	2021/01/27 10:05:28	1.165
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.164 2021/01/27 09:26:54 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.165 2021/01/27 10:05:28 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -622,7 +622,8 @@
 	    (kex->peer = sshbuf_new()) == NULL ||
 	    (kex->my = sshbuf_new()) == NULL ||
 	    (kex->client_version = sshbuf_new()) == NULL ||
-	    (kex->server_version = sshbuf_new()) == NULL) {
+	    (kex->server_version = sshbuf_new()) == NULL ||
+	    (kex->session_id = sshbuf_new()) == NULL) {
 		kex_free(kex);
 		return NULL;
 	}
@@ -680,7 +681,7 @@
 	sshbuf_free(kex->client_version);
 	sshbuf_free(kex->server_version);
 	sshbuf_free(kex->client_pub);
-	free(kex->session_id);
+	sshbuf_free(kex->session_id);
 	free(kex->failed_choice);
 	free(kex->hostkey_alg);
 	free(kex->name);
@@ -998,8 +999,7 @@
 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
-	    ssh_digest_update(hashctx, kex->session_id,
-	    kex->session_id_len) != 0 ||
+	    ssh_digest_update_buffer(hashctx, kex->session_id) != 0 ||
 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
 		r = SSH_ERR_LIBCRYPTO_ERROR;
 		error_f("KEX hash failed");
@@ -1050,12 +1050,14 @@
 	int r;
 
 	/* save initial hash as session id */
-	if (kex->session_id == NULL) {
-		kex->session_id_len = hashlen;
-		kex->session_id = malloc(kex->session_id_len);
-		if (kex->session_id == NULL)
+	if ((kex->flags & KEX_INITIAL) != 0) {
+		if ((kex->session_id = sshbuf_new()) == NULL)
 			return SSH_ERR_ALLOC_FAIL;
-		memcpy(kex->session_id, hash, kex->session_id_len);
+		if ((r = sshbuf_put(kex->session_id, hash, hashlen)) != 0)
+			return r;
+	} else if (sshbuf_len(kex->session_id) == 0) {
+		error_f("no session ID in rekex");
+			return SSH_ERR_INTERNAL_ERROR;
 	}
 	for (i = 0; i < NKEYS; i++) {
 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,