Annotation of src/usr.bin/ssh/sshconnect1.c, Revision 1.77
1.77 ! djm 1: /* $OpenBSD: sshconnect1.c,v 1.76 2014/07/15 15:54:14 millert Exp $ */
1.1 markus 2: /*
3: * Author: Tatu Ylonen <ylo@cs.hut.fi>
4: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: * All rights reserved
6: * Code to connect to a remote host, and to perform the client side of the
7: * login (authentication) dialog.
8: *
1.6 deraadt 9: * As far as I am concerned, the code I have written for this software
10: * can be used freely for any purpose. Any derived versions of this
11: * software must be clearly marked as such, and if the derived work is
12: * incompatible with the protocol description in the RFC file, it must be
13: * called by a name other than "ssh" or "Secure Shell".
1.1 markus 14: */
15:
1.69 deraadt 16: #include <sys/types.h>
17: #include <sys/socket.h>
1.1 markus 18:
19: #include <openssl/bn.h>
1.66 stevesk 20:
1.77 ! djm 21: #include <errno.h>
1.68 stevesk 22: #include <stdio.h>
1.67 stevesk 23: #include <stdlib.h>
1.66 stevesk 24: #include <string.h>
1.69 deraadt 25: #include <signal.h>
26: #include <pwd.h>
1.1 markus 27:
1.69 deraadt 28: #include "xmalloc.h"
1.18 markus 29: #include "ssh.h"
30: #include "ssh1.h"
1.1 markus 31: #include "rsa.h"
32: #include "buffer.h"
33: #include "packet.h"
1.69 deraadt 34: #include "key.h"
35: #include "cipher.h"
1.58 djm 36: #include "kex.h"
1.1 markus 37: #include "uidswap.h"
1.18 markus 38: #include "log.h"
1.76 millert 39: #include "misc.h"
1.1 markus 40: #include "readconf.h"
1.4 markus 41: #include "authfd.h"
1.1 markus 42: #include "sshconnect.h"
43: #include "authfile.h"
1.18 markus 44: #include "canohost.h"
1.69 deraadt 45: #include "hostfile.h"
1.37 dugsong 46: #include "auth.h"
1.73 markus 47: #include "digest.h"
1.77 ! djm 48: #include "ssherr.h"
1.1 markus 49:
50: /* Session id for the current session. */
1.13 markus 51: u_char session_id[16];
52: u_int supported_authentications = 0;
1.1 markus 53:
54: extern Options options;
55: extern char *__progname;
56:
57: /*
58: * Checks if the user has an authentication agent, and if so, tries to
59: * authenticate using the agent.
60: */
1.35 itojun 61: static int
1.24 itojun 62: try_agent_authentication(void)
1.1 markus 63: {
1.77 ! djm 64: int r, type, agent_fd, ret = 0;
1.13 markus 65: u_char response[16];
1.77 ! djm 66: size_t i;
1.5 markus 67: BIGNUM *challenge;
1.77 ! djm 68: struct ssh_identitylist *idlist = NULL;
1.1 markus 69:
70: /* Get connection to the agent. */
1.77 ! djm 71: if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
! 72: if (r != SSH_ERR_AGENT_NOT_PRESENT)
! 73: debug("%s: ssh_get_authentication_socket: %s",
! 74: __func__, ssh_err(r));
1.1 markus 75: return 0;
1.77 ! djm 76: }
1.1 markus 77:
1.43 markus 78: if ((challenge = BN_new()) == NULL)
79: fatal("try_agent_authentication: BN_new failed");
1.77 ! djm 80:
1.1 markus 81: /* Loop through identities served by the agent. */
1.77 ! djm 82: if ((r = ssh_fetch_identitylist(agent_fd, 1, &idlist)) != 0) {
! 83: if (r != SSH_ERR_AGENT_NO_IDENTITIES)
! 84: debug("%s: ssh_fetch_identitylist: %s",
! 85: __func__, ssh_err(r));
! 86: goto out;
! 87: }
! 88: for (i = 0; i < idlist->nkeys; i++) {
1.1 markus 89: /* Try this identity. */
1.77 ! djm 90: debug("Trying RSA authentication via agent with '%.100s'",
! 91: idlist->comments[i]);
1.1 markus 92:
93: /* Tell the server that we are willing to authenticate using this key. */
94: packet_start(SSH_CMSG_AUTH_RSA);
1.77 ! djm 95: packet_put_bignum(idlist->keys[i]->rsa->n);
1.1 markus 96: packet_send();
97: packet_write_wait();
98:
99: /* Wait for server's response. */
1.47 markus 100: type = packet_read();
1.1 markus 101:
1.62 djm 102: /* The server sends failure if it doesn't like our key or
1.1 markus 103: does not support RSA authentication. */
104: if (type == SSH_SMSG_FAILURE) {
105: debug("Server refused our key.");
106: continue;
107: }
108: /* Otherwise it should have sent a challenge. */
109: if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
110: packet_disconnect("Protocol error during RSA authentication: %d",
111: type);
112:
1.46 markus 113: packet_get_bignum(challenge);
1.45 markus 114: packet_check_eom();
1.1 markus 115:
116: debug("Received RSA challenge from server.");
117:
118: /* Ask the agent to decrypt the challenge. */
1.77 ! djm 119: if ((r = ssh_decrypt_challenge(agent_fd, idlist->keys[i],
! 120: challenge, session_id, response)) != 0) {
1.5 markus 121: /*
122: * The agent failed to authenticate this identifier
123: * although it advertised it supports this. Just
124: * return a wrong value.
125: */
1.77 ! djm 126: logit("Authentication agent failed to decrypt "
! 127: "challenge: %s", ssh_err(r));
1.74 djm 128: explicit_bzero(response, sizeof(response));
1.1 markus 129: }
130: debug("Sending response to RSA challenge.");
131:
132: /* Send the decrypted challenge back to the server. */
133: packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
134: for (i = 0; i < 16; i++)
135: packet_put_char(response[i]);
136: packet_send();
137: packet_write_wait();
138:
139: /* Wait for response from the server. */
1.47 markus 140: type = packet_read();
1.1 markus 141:
1.77 ! djm 142: /*
! 143: * The server returns success if it accepted the
! 144: * authentication.
! 145: */
1.1 markus 146: if (type == SSH_SMSG_SUCCESS) {
147: debug("RSA authentication accepted by server.");
1.77 ! djm 148: ret = 1;
! 149: break;
! 150: } else if (type != SSH_SMSG_FAILURE)
! 151: packet_disconnect("Protocol error waiting RSA auth "
! 152: "response: %d", type);
1.1 markus 153: }
1.77 ! djm 154: if (ret != 1)
! 155: debug("RSA authentication using agent refused.");
! 156: out:
! 157: ssh_free_identitylist(idlist);
! 158: ssh_close_authentication_socket(agent_fd);
1.1 markus 159: BN_clear_free(challenge);
1.77 ! djm 160: return ret;
1.1 markus 161: }
162:
163: /*
164: * Computes the proper response to a RSA challenge, and sends the response to
165: * the server.
166: */
1.35 itojun 167: static void
1.1 markus 168: respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
169: {
1.13 markus 170: u_char buf[32], response[16];
1.73 markus 171: struct ssh_digest_ctx *md;
1.1 markus 172: int i, len;
173:
174: /* Decrypt the challenge using the private key. */
1.21 markus 175: /* XXX think about Bleichenbacher, too */
1.75 djm 176: if (rsa_private_decrypt(challenge, challenge, prv) != 0)
1.21 markus 177: packet_disconnect(
178: "respond_to_rsa_challenge: rsa_private_decrypt failed");
1.1 markus 179:
180: /* Compute the response. */
181: /* The response is MD5 of decrypted challenge plus session id. */
182: len = BN_num_bytes(challenge);
1.61 djm 183: if (len <= 0 || (u_int)len > sizeof(buf))
1.21 markus 184: packet_disconnect(
185: "respond_to_rsa_challenge: bad challenge length %d", len);
1.1 markus 186:
187: memset(buf, 0, sizeof(buf));
188: BN_bn2bin(challenge, buf + sizeof(buf) - len);
1.73 markus 189: if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
190: ssh_digest_update(md, buf, 32) < 0 ||
191: ssh_digest_update(md, session_id, 16) < 0 ||
192: ssh_digest_final(md, response, sizeof(response)) < 0)
193: fatal("%s: md5 failed", __func__);
194: ssh_digest_free(md);
1.1 markus 195:
196: debug("Sending response to host key RSA challenge.");
197:
198: /* Send the response back to the server. */
199: packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
200: for (i = 0; i < 16; i++)
201: packet_put_char(response[i]);
202: packet_send();
203: packet_write_wait();
204:
1.74 djm 205: explicit_bzero(buf, sizeof(buf));
206: explicit_bzero(response, sizeof(response));
207: explicit_bzero(&md, sizeof(md));
1.1 markus 208: }
209:
210: /*
211: * Checks if the user has authentication file, and if so, tries to authenticate
212: * the user using it.
213: */
1.35 itojun 214: static int
1.38 markus 215: try_rsa_authentication(int idx)
1.1 markus 216: {
217: BIGNUM *challenge;
1.36 markus 218: Key *public, *private;
1.38 markus 219: char buf[300], *passphrase, *comment, *authfile;
1.65 dtucker 220: int i, perm_ok = 1, type, quit;
1.1 markus 221:
1.38 markus 222: public = options.identity_keys[idx];
223: authfile = options.identity_files[idx];
224: comment = xstrdup(authfile);
225:
1.1 markus 226: debug("Trying RSA authentication with key '%.100s'", comment);
227:
228: /* Tell the server that we are willing to authenticate using this key. */
229: packet_start(SSH_CMSG_AUTH_RSA);
230: packet_put_bignum(public->rsa->n);
231: packet_send();
232: packet_write_wait();
233:
234: /* Wait for server's response. */
1.47 markus 235: type = packet_read();
1.1 markus 236:
237: /*
1.62 djm 238: * The server responds with failure if it doesn't like our key or
239: * doesn't support RSA authentication.
1.1 markus 240: */
241: if (type == SSH_SMSG_FAILURE) {
242: debug("Server refused our key.");
1.71 djm 243: free(comment);
1.1 markus 244: return 0;
245: }
246: /* Otherwise, the server should respond with a challenge. */
247: if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
248: packet_disconnect("Protocol error during RSA authentication: %d", type);
249:
250: /* Get the challenge from the packet. */
1.43 markus 251: if ((challenge = BN_new()) == NULL)
252: fatal("try_rsa_authentication: BN_new failed");
1.46 markus 253: packet_get_bignum(challenge);
1.45 markus 254: packet_check_eom();
1.1 markus 255:
256: debug("Received RSA challenge from server.");
257:
258: /*
1.38 markus 259: * If the key is not stored in external hardware, we have to
260: * load the private key. Try first with empty passphrase; if it
1.1 markus 261: * fails, ask for a passphrase.
262: */
1.75 djm 263: if (public->flags & SSHKEY_FLAG_EXT)
1.38 markus 264: private = public;
265: else
1.65 dtucker 266: private = key_load_private_type(KEY_RSA1, authfile, "", NULL,
267: &perm_ok);
268: if (private == NULL && !options.batch_mode && perm_ok) {
1.36 markus 269: snprintf(buf, sizeof(buf),
270: "Enter passphrase for RSA key '%.100s': ", comment);
271: for (i = 0; i < options.number_of_password_prompts; i++) {
1.1 markus 272: passphrase = read_passphrase(buf, 0);
1.36 markus 273: if (strcmp(passphrase, "") != 0) {
274: private = key_load_private_type(KEY_RSA1,
1.65 dtucker 275: authfile, passphrase, NULL, NULL);
1.36 markus 276: quit = 0;
277: } else {
278: debug2("no passphrase given, try next key");
279: quit = 1;
280: }
1.74 djm 281: explicit_bzero(passphrase, strlen(passphrase));
1.71 djm 282: free(passphrase);
1.36 markus 283: if (private != NULL || quit)
284: break;
285: debug2("bad passphrase given, try again...");
1.1 markus 286: }
287: }
288: /* We no longer need the comment. */
1.71 djm 289: free(comment);
1.36 markus 290:
291: if (private == NULL) {
1.65 dtucker 292: if (!options.batch_mode && perm_ok)
1.36 markus 293: error("Bad passphrase.");
294:
295: /* Send a dummy response packet to avoid protocol error. */
296: packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
297: for (i = 0; i < 16; i++)
298: packet_put_char(0);
299: packet_send();
300: packet_write_wait();
301:
302: /* Expect the server to reject it... */
1.47 markus 303: packet_read_expect(SSH_SMSG_FAILURE);
1.36 markus 304: BN_clear_free(challenge);
305: return 0;
306: }
1.1 markus 307:
308: /* Compute and send a response to the challenge. */
309: respond_to_rsa_challenge(challenge, private->rsa);
310:
1.38 markus 311: /* Destroy the private key unless it in external hardware. */
1.75 djm 312: if (!(private->flags & SSHKEY_FLAG_EXT))
1.38 markus 313: key_free(private);
1.1 markus 314:
315: /* We no longer need the challenge. */
316: BN_clear_free(challenge);
317:
318: /* Wait for response from the server. */
1.47 markus 319: type = packet_read();
1.1 markus 320: if (type == SSH_SMSG_SUCCESS) {
321: debug("RSA authentication accepted by server.");
322: return 1;
323: }
324: if (type != SSH_SMSG_FAILURE)
325: packet_disconnect("Protocol error waiting RSA auth response: %d", type);
326: debug("RSA authentication refused.");
327: return 0;
328: }
329:
330: /*
331: * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
332: * authentication and RSA host authentication.
333: */
1.35 itojun 334: static int
1.29 markus 335: try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
1.1 markus 336: {
337: int type;
338: BIGNUM *challenge;
339:
340: debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
341:
342: /* Tell the server that we are willing to authenticate using this key. */
343: packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
1.33 markus 344: packet_put_cstring(local_user);
1.29 markus 345: packet_put_int(BN_num_bits(host_key->rsa->n));
346: packet_put_bignum(host_key->rsa->e);
347: packet_put_bignum(host_key->rsa->n);
1.1 markus 348: packet_send();
349: packet_write_wait();
350:
351: /* Wait for server's response. */
1.47 markus 352: type = packet_read();
1.1 markus 353:
354: /* The server responds with failure if it doesn't admit our
355: .rhosts authentication or doesn't know our host key. */
356: if (type == SSH_SMSG_FAILURE) {
357: debug("Server refused our rhosts authentication or host key.");
358: return 0;
359: }
360: /* Otherwise, the server should respond with a challenge. */
361: if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
362: packet_disconnect("Protocol error during RSA authentication: %d", type);
363:
364: /* Get the challenge from the packet. */
1.43 markus 365: if ((challenge = BN_new()) == NULL)
366: fatal("try_rhosts_rsa_authentication: BN_new failed");
1.46 markus 367: packet_get_bignum(challenge);
1.45 markus 368: packet_check_eom();
1.1 markus 369:
370: debug("Received RSA challenge for host key from server.");
371:
372: /* Compute a response to the challenge. */
1.29 markus 373: respond_to_rsa_challenge(challenge, host_key->rsa);
1.1 markus 374:
375: /* We no longer need the challenge. */
376: BN_clear_free(challenge);
377:
378: /* Wait for response from the server. */
1.47 markus 379: type = packet_read();
1.1 markus 380: if (type == SSH_SMSG_SUCCESS) {
381: debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
382: return 1;
383: }
384: if (type != SSH_SMSG_FAILURE)
385: packet_disconnect("Protocol error waiting RSA auth response: %d", type);
386: debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
387: return 0;
388: }
389:
390: /*
391: * Tries to authenticate with any string-based challenge/response system.
392: * Note that the client code is not tied to s/key or TIS.
393: */
1.35 itojun 394: static int
1.32 markus 395: try_challenge_response_authentication(void)
1.1 markus 396: {
397: int type, i;
1.13 markus 398: u_int clen;
1.12 markus 399: char prompt[1024];
1.1 markus 400: char *challenge, *response;
1.40 markus 401:
402: debug("Doing challenge response authentication.");
403:
1.12 markus 404: for (i = 0; i < options.number_of_password_prompts; i++) {
405: /* request a challenge */
406: packet_start(SSH_CMSG_AUTH_TIS);
407: packet_send();
408: packet_write_wait();
1.1 markus 409:
1.47 markus 410: type = packet_read();
1.12 markus 411: if (type != SSH_SMSG_FAILURE &&
412: type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
413: packet_disconnect("Protocol error: got %d in response "
1.20 markus 414: "to SSH_CMSG_AUTH_TIS", type);
1.12 markus 415: }
416: if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
1.20 markus 417: debug("No challenge.");
1.12 markus 418: return 0;
419: }
420: challenge = packet_get_string(&clen);
1.45 markus 421: packet_check_eom();
1.16 markus 422: snprintf(prompt, sizeof prompt, "%s%s", challenge,
1.42 deraadt 423: strchr(challenge, '\n') ? "" : "\nResponse: ");
1.71 djm 424: free(challenge);
1.1 markus 425: if (i != 0)
426: error("Permission denied, please try again.");
1.12 markus 427: if (options.cipher == SSH_CIPHER_NONE)
1.53 itojun 428: logit("WARNING: Encryption is disabled! "
1.50 stevesk 429: "Response will be transmitted in clear text.");
1.12 markus 430: response = read_passphrase(prompt, 0);
431: if (strcmp(response, "") == 0) {
1.71 djm 432: free(response);
1.12 markus 433: break;
434: }
1.1 markus 435: packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
1.27 markus 436: ssh_put_password(response);
1.74 djm 437: explicit_bzero(response, strlen(response));
1.71 djm 438: free(response);
1.1 markus 439: packet_send();
440: packet_write_wait();
1.47 markus 441: type = packet_read();
1.1 markus 442: if (type == SSH_SMSG_SUCCESS)
443: return 1;
444: if (type != SSH_SMSG_FAILURE)
445: packet_disconnect("Protocol error: got %d in response "
1.20 markus 446: "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
1.1 markus 447: }
448: /* failure */
449: return 0;
450: }
451:
452: /*
453: * Tries to authenticate with plain passwd authentication.
454: */
1.35 itojun 455: static int
1.1 markus 456: try_password_authentication(char *prompt)
457: {
1.47 markus 458: int type, i;
1.1 markus 459: char *password;
460:
461: debug("Doing password authentication.");
462: if (options.cipher == SSH_CIPHER_NONE)
1.53 itojun 463: logit("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
1.1 markus 464: for (i = 0; i < options.number_of_password_prompts; i++) {
465: if (i != 0)
466: error("Permission denied, please try again.");
467: password = read_passphrase(prompt, 0);
468: packet_start(SSH_CMSG_AUTH_PASSWORD);
1.27 markus 469: ssh_put_password(password);
1.74 djm 470: explicit_bzero(password, strlen(password));
1.71 djm 471: free(password);
1.1 markus 472: packet_send();
473: packet_write_wait();
474:
1.47 markus 475: type = packet_read();
1.1 markus 476: if (type == SSH_SMSG_SUCCESS)
477: return 1;
478: if (type != SSH_SMSG_FAILURE)
479: packet_disconnect("Protocol error: got %d in response to passwd auth", type);
480: }
481: /* failure */
482: return 0;
483: }
484:
485: /*
486: * SSH1 key exchange
487: */
488: void
489: ssh_kex(char *host, struct sockaddr *hostaddr)
490: {
491: int i;
492: BIGNUM *key;
1.43 markus 493: Key *host_key, *server_key;
1.1 markus 494: int bits, rbits;
495: int ssh_cipher_default = SSH_CIPHER_3DES;
1.13 markus 496: u_char session_key[SSH_SESSION_KEY_LENGTH];
497: u_char cookie[8];
498: u_int supported_ciphers;
499: u_int server_flags, client_flags;
1.59 avsm 500: u_int32_t rnd = 0;
1.1 markus 501:
502: debug("Waiting for server public key.");
503:
504: /* Wait for a public key packet from the server. */
1.47 markus 505: packet_read_expect(SSH_SMSG_PUBLIC_KEY);
1.1 markus 506:
507: /* Get cookie from the packet. */
508: for (i = 0; i < 8; i++)
509: cookie[i] = packet_get_char();
510:
511: /* Get the public key. */
1.43 markus 512: server_key = key_new(KEY_RSA1);
513: bits = packet_get_int();
1.46 markus 514: packet_get_bignum(server_key->rsa->e);
515: packet_get_bignum(server_key->rsa->n);
1.1 markus 516:
1.43 markus 517: rbits = BN_num_bits(server_key->rsa->n);
1.1 markus 518: if (bits != rbits) {
1.53 itojun 519: logit("Warning: Server lies about size of server public key: "
1.1 markus 520: "actual size is %d bits vs. announced %d.", rbits, bits);
1.53 itojun 521: logit("Warning: This may be due to an old implementation of ssh.");
1.1 markus 522: }
523: /* Get the host key. */
1.43 markus 524: host_key = key_new(KEY_RSA1);
525: bits = packet_get_int();
1.46 markus 526: packet_get_bignum(host_key->rsa->e);
527: packet_get_bignum(host_key->rsa->n);
1.1 markus 528:
1.43 markus 529: rbits = BN_num_bits(host_key->rsa->n);
1.1 markus 530: if (bits != rbits) {
1.53 itojun 531: logit("Warning: Server lies about size of server host key: "
1.1 markus 532: "actual size is %d bits vs. announced %d.", rbits, bits);
1.53 itojun 533: logit("Warning: This may be due to an old implementation of ssh.");
1.1 markus 534: }
535:
536: /* Get protocol flags. */
537: server_flags = packet_get_int();
538: packet_set_protocol_flags(server_flags);
539:
540: supported_ciphers = packet_get_int();
541: supported_authentications = packet_get_int();
1.45 markus 542: packet_check_eom();
1.1 markus 543:
544: debug("Received server public key (%d bits) and host key (%d bits).",
1.43 markus 545: BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n));
1.1 markus 546:
1.43 markus 547: if (verify_host_key(host, hostaddr, host_key) == -1)
1.41 markus 548: fatal("Host key verification failed.");
1.1 markus 549:
550: client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
551:
1.58 djm 552: derive_ssh1_session_id(host_key->rsa->n, server_key->rsa->n, cookie, session_id);
1.1 markus 553:
554: /*
555: * Generate an encryption key for the session. The key is a 256 bit
556: * random number, interpreted as a 32-byte key, with the least
557: * significant 8 bits being the first byte of the key.
558: */
559: for (i = 0; i < 32; i++) {
560: if (i % 4 == 0)
1.59 avsm 561: rnd = arc4random();
562: session_key[i] = rnd & 0xff;
563: rnd >>= 8;
1.1 markus 564: }
565:
566: /*
567: * According to the protocol spec, the first byte of the session key
568: * is the highest byte of the integer. The session key is xored with
569: * the first 16 bytes of the session id.
570: */
1.43 markus 571: if ((key = BN_new()) == NULL)
1.70 markus 572: fatal("ssh_kex: BN_new failed");
573: if (BN_set_word(key, 0) == 0)
574: fatal("ssh_kex: BN_set_word failed");
1.1 markus 575: for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
1.70 markus 576: if (BN_lshift(key, key, 8) == 0)
577: fatal("ssh_kex: BN_lshift failed");
578: if (i < 16) {
579: if (BN_add_word(key, session_key[i] ^ session_id[i])
580: == 0)
581: fatal("ssh_kex: BN_add_word failed");
582: } else {
583: if (BN_add_word(key, session_key[i]) == 0)
584: fatal("ssh_kex: BN_add_word failed");
585: }
1.1 markus 586: }
587:
588: /*
589: * Encrypt the integer using the public key and host key of the
590: * server (key with smaller modulus first).
591: */
1.43 markus 592: if (BN_cmp(server_key->rsa->n, host_key->rsa->n) < 0) {
1.1 markus 593: /* Public key has smaller modulus. */
1.43 markus 594: if (BN_num_bits(host_key->rsa->n) <
595: BN_num_bits(server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
596: fatal("respond_to_rsa_challenge: host_key %d < server_key %d + "
1.42 deraadt 597: "SSH_KEY_BITS_RESERVED %d",
1.43 markus 598: BN_num_bits(host_key->rsa->n),
599: BN_num_bits(server_key->rsa->n),
1.42 deraadt 600: SSH_KEY_BITS_RESERVED);
1.1 markus 601: }
1.75 djm 602: if (rsa_public_encrypt(key, key, server_key->rsa) != 0 ||
603: rsa_public_encrypt(key, key, host_key->rsa) != 0)
604: fatal("%s: rsa_public_encrypt failed", __func__);
1.1 markus 605: } else {
606: /* Host key has smaller modulus (or they are equal). */
1.43 markus 607: if (BN_num_bits(server_key->rsa->n) <
608: BN_num_bits(host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
609: fatal("respond_to_rsa_challenge: server_key %d < host_key %d + "
1.42 deraadt 610: "SSH_KEY_BITS_RESERVED %d",
1.43 markus 611: BN_num_bits(server_key->rsa->n),
612: BN_num_bits(host_key->rsa->n),
1.42 deraadt 613: SSH_KEY_BITS_RESERVED);
1.1 markus 614: }
1.75 djm 615: if (rsa_public_encrypt(key, key, host_key->rsa) != 0 ||
616: rsa_public_encrypt(key, key, server_key->rsa) != 0)
617: fatal("%s: rsa_public_encrypt failed", __func__);
1.1 markus 618: }
619:
620: /* Destroy the public keys since we no longer need them. */
1.43 markus 621: key_free(server_key);
622: key_free(host_key);
1.1 markus 623:
1.11 markus 624: if (options.cipher == SSH_CIPHER_NOT_SET) {
625: if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
626: options.cipher = ssh_cipher_default;
1.60 markus 627: } else if (options.cipher == SSH_CIPHER_INVALID ||
1.10 markus 628: !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
1.53 itojun 629: logit("No valid SSH1 cipher, using %.100s instead.",
1.7 markus 630: cipher_name(ssh_cipher_default));
631: options.cipher = ssh_cipher_default;
1.1 markus 632: }
633: /* Check that the selected cipher is supported. */
634: if (!(supported_ciphers & (1 << options.cipher)))
635: fatal("Selected cipher type %.100s not supported by server.",
1.42 deraadt 636: cipher_name(options.cipher));
1.1 markus 637:
638: debug("Encryption type: %.100s", cipher_name(options.cipher));
639:
640: /* Send the encrypted session key to the server. */
641: packet_start(SSH_CMSG_SESSION_KEY);
642: packet_put_char(options.cipher);
643:
644: /* Send the cookie back to the server. */
645: for (i = 0; i < 8; i++)
646: packet_put_char(cookie[i]);
647:
648: /* Send and destroy the encrypted encryption key integer. */
649: packet_put_bignum(key);
650: BN_clear_free(key);
651:
652: /* Send protocol flags. */
653: packet_put_int(client_flags);
654:
655: /* Send the packet now. */
656: packet_send();
657: packet_write_wait();
658:
659: debug("Sent encrypted session key.");
660:
661: /* Set the encryption key. */
662: packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
663:
1.74 djm 664: /*
665: * We will no longer need the session key here.
666: * Destroy any extra copies.
667: */
668: explicit_bzero(session_key, sizeof(session_key));
1.1 markus 669:
670: /*
671: * Expect a success message from the server. Note that this message
672: * will be received in encrypted form.
673: */
1.47 markus 674: packet_read_expect(SSH_SMSG_SUCCESS);
1.1 markus 675:
676: debug("Received encrypted confirmation.");
677: }
678:
679: /*
680: * Authenticate user
681: */
682: void
1.30 markus 683: ssh_userauth1(const char *local_user, const char *server_user, char *host,
1.51 markus 684: Sensitive *sensitive)
1.1 markus 685: {
686: int i, type;
1.42 deraadt 687:
1.1 markus 688: if (supported_authentications == 0)
1.30 markus 689: fatal("ssh_userauth1: server supports no auth methods");
1.1 markus 690:
691: /* Send the name of the user to log in as on the server. */
692: packet_start(SSH_CMSG_USER);
1.33 markus 693: packet_put_cstring(server_user);
1.1 markus 694: packet_send();
695: packet_write_wait();
696:
697: /*
698: * The server should respond with success if no authentication is
699: * needed (the user has no password). Otherwise the server responds
700: * with failure.
701: */
1.47 markus 702: type = packet_read();
1.1 markus 703:
704: /* check whether the connection was accepted without authentication. */
705: if (type == SSH_SMSG_SUCCESS)
1.37 dugsong 706: goto success;
1.1 markus 707: if (type != SSH_SMSG_FAILURE)
1.37 dugsong 708: packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
1.42 deraadt 709:
1.1 markus 710: /*
711: * Try .rhosts or /etc/hosts.equiv authentication with RSA host
712: * authentication.
713: */
714: if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
1.30 markus 715: options.rhosts_rsa_authentication) {
1.51 markus 716: for (i = 0; i < sensitive->nkeys; i++) {
717: if (sensitive->keys[i] != NULL &&
718: sensitive->keys[i]->type == KEY_RSA1 &&
719: try_rhosts_rsa_authentication(local_user,
720: sensitive->keys[i]))
1.37 dugsong 721: goto success;
1.30 markus 722: }
1.1 markus 723: }
724: /* Try RSA authentication if the server supports it. */
725: if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
726: options.rsa_authentication) {
727: /*
728: * Try RSA authentication using the authentication agent. The
729: * agent is tried first because no passphrase is needed for
730: * it, whereas identity files may require passphrases.
731: */
732: if (try_agent_authentication())
1.37 dugsong 733: goto success;
1.1 markus 734:
735: /* Try RSA authentication for each identity. */
736: for (i = 0; i < options.num_identity_files; i++)
1.28 markus 737: if (options.identity_keys[i] != NULL &&
738: options.identity_keys[i]->type == KEY_RSA1 &&
1.38 markus 739: try_rsa_authentication(i))
1.37 dugsong 740: goto success;
1.1 markus 741: }
1.20 markus 742: /* Try challenge response authentication if the server supports it. */
1.1 markus 743: if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
1.32 markus 744: options.challenge_response_authentication && !options.batch_mode) {
745: if (try_challenge_response_authentication())
1.37 dugsong 746: goto success;
1.1 markus 747: }
748: /* Try password authentication if the server supports it. */
749: if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
750: options.password_authentication && !options.batch_mode) {
751: char prompt[80];
752:
1.23 itojun 753: snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
1.1 markus 754: server_user, host);
755: if (try_password_authentication(prompt))
1.37 dugsong 756: goto success;
1.1 markus 757: }
758: /* All authentication methods have failed. Exit with an error message. */
759: fatal("Permission denied.");
760: /* NOTREACHED */
1.37 dugsong 761:
762: success:
1.39 stevesk 763: return; /* need statement after label */
1.1 markus 764: }