Annotation of src/usr.bin/ssh/sshconnect1.c, Revision 1.80
1.80 ! dtucker 1: /* $OpenBSD: sshconnect1.c,v 1.79 2016/09/19 07:52:42 natano Exp $ */
1.1 markus 2: /*
3: * Author: Tatu Ylonen <ylo@cs.hut.fi>
4: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: * All rights reserved
6: * Code to connect to a remote host, and to perform the client side of the
7: * login (authentication) dialog.
8: *
1.6 deraadt 9: * As far as I am concerned, the code I have written for this software
10: * can be used freely for any purpose. Any derived versions of this
11: * software must be clearly marked as such, and if the derived work is
12: * incompatible with the protocol description in the RFC file, it must be
13: * called by a name other than "ssh" or "Secure Shell".
1.1 markus 14: */
15:
1.69 deraadt 16: #include <sys/types.h>
17: #include <sys/socket.h>
1.1 markus 18:
19: #include <openssl/bn.h>
1.66 stevesk 20:
1.77 djm 21: #include <errno.h>
1.68 stevesk 22: #include <stdio.h>
1.67 stevesk 23: #include <stdlib.h>
1.66 stevesk 24: #include <string.h>
1.69 deraadt 25: #include <signal.h>
26: #include <pwd.h>
1.1 markus 27:
1.69 deraadt 28: #include "xmalloc.h"
1.18 markus 29: #include "ssh.h"
30: #include "ssh1.h"
1.1 markus 31: #include "rsa.h"
32: #include "buffer.h"
33: #include "packet.h"
1.69 deraadt 34: #include "key.h"
35: #include "cipher.h"
1.58 djm 36: #include "kex.h"
1.1 markus 37: #include "uidswap.h"
1.18 markus 38: #include "log.h"
1.76 millert 39: #include "misc.h"
1.1 markus 40: #include "readconf.h"
1.4 markus 41: #include "authfd.h"
1.1 markus 42: #include "sshconnect.h"
43: #include "authfile.h"
1.18 markus 44: #include "canohost.h"
1.69 deraadt 45: #include "hostfile.h"
1.37 dugsong 46: #include "auth.h"
1.73 markus 47: #include "digest.h"
1.77 djm 48: #include "ssherr.h"
1.1 markus 49:
50: /* Session id for the current session. */
1.13 markus 51: u_char session_id[16];
52: u_int supported_authentications = 0;
1.1 markus 53:
54: extern Options options;
55: extern char *__progname;
56:
57: /*
58: * Checks if the user has an authentication agent, and if so, tries to
59: * authenticate using the agent.
60: */
1.35 itojun 61: static int
1.24 itojun 62: try_agent_authentication(void)
1.1 markus 63: {
1.77 djm 64: int r, type, agent_fd, ret = 0;
1.13 markus 65: u_char response[16];
1.77 djm 66: size_t i;
1.5 markus 67: BIGNUM *challenge;
1.77 djm 68: struct ssh_identitylist *idlist = NULL;
1.1 markus 69:
70: /* Get connection to the agent. */
1.77 djm 71: if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
72: if (r != SSH_ERR_AGENT_NOT_PRESENT)
73: debug("%s: ssh_get_authentication_socket: %s",
74: __func__, ssh_err(r));
1.1 markus 75: return 0;
1.77 djm 76: }
1.1 markus 77:
1.43 markus 78: if ((challenge = BN_new()) == NULL)
79: fatal("try_agent_authentication: BN_new failed");
1.77 djm 80:
1.1 markus 81: /* Loop through identities served by the agent. */
1.77 djm 82: if ((r = ssh_fetch_identitylist(agent_fd, 1, &idlist)) != 0) {
83: if (r != SSH_ERR_AGENT_NO_IDENTITIES)
84: debug("%s: ssh_fetch_identitylist: %s",
85: __func__, ssh_err(r));
86: goto out;
87: }
88: for (i = 0; i < idlist->nkeys; i++) {
1.1 markus 89: /* Try this identity. */
1.77 djm 90: debug("Trying RSA authentication via agent with '%.100s'",
91: idlist->comments[i]);
1.1 markus 92:
93: /* Tell the server that we are willing to authenticate using this key. */
94: packet_start(SSH_CMSG_AUTH_RSA);
1.77 djm 95: packet_put_bignum(idlist->keys[i]->rsa->n);
1.1 markus 96: packet_send();
97: packet_write_wait();
98:
99: /* Wait for server's response. */
1.47 markus 100: type = packet_read();
1.1 markus 101:
1.62 djm 102: /* The server sends failure if it doesn't like our key or
1.1 markus 103: does not support RSA authentication. */
104: if (type == SSH_SMSG_FAILURE) {
105: debug("Server refused our key.");
106: continue;
107: }
108: /* Otherwise it should have sent a challenge. */
109: if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
110: packet_disconnect("Protocol error during RSA authentication: %d",
111: type);
112:
1.46 markus 113: packet_get_bignum(challenge);
1.45 markus 114: packet_check_eom();
1.1 markus 115:
116: debug("Received RSA challenge from server.");
117:
118: /* Ask the agent to decrypt the challenge. */
1.77 djm 119: if ((r = ssh_decrypt_challenge(agent_fd, idlist->keys[i],
120: challenge, session_id, response)) != 0) {
1.5 markus 121: /*
122: * The agent failed to authenticate this identifier
123: * although it advertised it supports this. Just
124: * return a wrong value.
125: */
1.77 djm 126: logit("Authentication agent failed to decrypt "
127: "challenge: %s", ssh_err(r));
1.74 djm 128: explicit_bzero(response, sizeof(response));
1.1 markus 129: }
130: debug("Sending response to RSA challenge.");
131:
132: /* Send the decrypted challenge back to the server. */
133: packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
134: for (i = 0; i < 16; i++)
135: packet_put_char(response[i]);
136: packet_send();
137: packet_write_wait();
138:
139: /* Wait for response from the server. */
1.47 markus 140: type = packet_read();
1.1 markus 141:
1.77 djm 142: /*
143: * The server returns success if it accepted the
144: * authentication.
145: */
1.1 markus 146: if (type == SSH_SMSG_SUCCESS) {
147: debug("RSA authentication accepted by server.");
1.77 djm 148: ret = 1;
149: break;
150: } else if (type != SSH_SMSG_FAILURE)
151: packet_disconnect("Protocol error waiting RSA auth "
152: "response: %d", type);
1.1 markus 153: }
1.77 djm 154: if (ret != 1)
155: debug("RSA authentication using agent refused.");
156: out:
157: ssh_free_identitylist(idlist);
158: ssh_close_authentication_socket(agent_fd);
1.1 markus 159: BN_clear_free(challenge);
1.77 djm 160: return ret;
1.1 markus 161: }
162:
163: /*
164: * Computes the proper response to a RSA challenge, and sends the response to
165: * the server.
166: */
1.35 itojun 167: static void
1.1 markus 168: respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
169: {
1.13 markus 170: u_char buf[32], response[16];
1.73 markus 171: struct ssh_digest_ctx *md;
1.1 markus 172: int i, len;
173:
174: /* Decrypt the challenge using the private key. */
1.21 markus 175: /* XXX think about Bleichenbacher, too */
1.75 djm 176: if (rsa_private_decrypt(challenge, challenge, prv) != 0)
1.21 markus 177: packet_disconnect(
178: "respond_to_rsa_challenge: rsa_private_decrypt failed");
1.1 markus 179:
180: /* Compute the response. */
181: /* The response is MD5 of decrypted challenge plus session id. */
182: len = BN_num_bytes(challenge);
1.61 djm 183: if (len <= 0 || (u_int)len > sizeof(buf))
1.21 markus 184: packet_disconnect(
185: "respond_to_rsa_challenge: bad challenge length %d", len);
1.1 markus 186:
187: memset(buf, 0, sizeof(buf));
188: BN_bn2bin(challenge, buf + sizeof(buf) - len);
1.73 markus 189: if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
190: ssh_digest_update(md, buf, 32) < 0 ||
191: ssh_digest_update(md, session_id, 16) < 0 ||
192: ssh_digest_final(md, response, sizeof(response)) < 0)
193: fatal("%s: md5 failed", __func__);
194: ssh_digest_free(md);
1.1 markus 195:
196: debug("Sending response to host key RSA challenge.");
197:
198: /* Send the response back to the server. */
199: packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
200: for (i = 0; i < 16; i++)
201: packet_put_char(response[i]);
202: packet_send();
203: packet_write_wait();
204:
1.74 djm 205: explicit_bzero(buf, sizeof(buf));
206: explicit_bzero(response, sizeof(response));
207: explicit_bzero(&md, sizeof(md));
1.1 markus 208: }
209:
210: /*
211: * Checks if the user has authentication file, and if so, tries to authenticate
212: * the user using it.
213: */
1.35 itojun 214: static int
1.38 markus 215: try_rsa_authentication(int idx)
1.1 markus 216: {
217: BIGNUM *challenge;
1.36 markus 218: Key *public, *private;
1.78 jcs 219: char buf[300], *passphrase = NULL, *comment, *authfile;
1.65 dtucker 220: int i, perm_ok = 1, type, quit;
1.1 markus 221:
1.38 markus 222: public = options.identity_keys[idx];
223: authfile = options.identity_files[idx];
224: comment = xstrdup(authfile);
225:
1.1 markus 226: debug("Trying RSA authentication with key '%.100s'", comment);
227:
228: /* Tell the server that we are willing to authenticate using this key. */
229: packet_start(SSH_CMSG_AUTH_RSA);
230: packet_put_bignum(public->rsa->n);
231: packet_send();
232: packet_write_wait();
233:
234: /* Wait for server's response. */
1.47 markus 235: type = packet_read();
1.1 markus 236:
237: /*
1.62 djm 238: * The server responds with failure if it doesn't like our key or
239: * doesn't support RSA authentication.
1.1 markus 240: */
241: if (type == SSH_SMSG_FAILURE) {
242: debug("Server refused our key.");
1.71 djm 243: free(comment);
1.1 markus 244: return 0;
245: }
246: /* Otherwise, the server should respond with a challenge. */
247: if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
248: packet_disconnect("Protocol error during RSA authentication: %d", type);
249:
250: /* Get the challenge from the packet. */
1.43 markus 251: if ((challenge = BN_new()) == NULL)
252: fatal("try_rsa_authentication: BN_new failed");
1.46 markus 253: packet_get_bignum(challenge);
1.45 markus 254: packet_check_eom();
1.1 markus 255:
256: debug("Received RSA challenge from server.");
257:
258: /*
1.38 markus 259: * If the key is not stored in external hardware, we have to
260: * load the private key. Try first with empty passphrase; if it
1.1 markus 261: * fails, ask for a passphrase.
262: */
1.75 djm 263: if (public->flags & SSHKEY_FLAG_EXT)
1.38 markus 264: private = public;
265: else
1.65 dtucker 266: private = key_load_private_type(KEY_RSA1, authfile, "", NULL,
267: &perm_ok);
268: if (private == NULL && !options.batch_mode && perm_ok) {
1.36 markus 269: snprintf(buf, sizeof(buf),
270: "Enter passphrase for RSA key '%.100s': ", comment);
271: for (i = 0; i < options.number_of_password_prompts; i++) {
1.1 markus 272: passphrase = read_passphrase(buf, 0);
1.36 markus 273: if (strcmp(passphrase, "") != 0) {
274: private = key_load_private_type(KEY_RSA1,
1.65 dtucker 275: authfile, passphrase, NULL, NULL);
1.36 markus 276: quit = 0;
277: } else {
278: debug2("no passphrase given, try next key");
279: quit = 1;
280: }
281: if (private != NULL || quit)
282: break;
283: debug2("bad passphrase given, try again...");
1.1 markus 284: }
285: }
1.78 jcs 286:
287: if (private != NULL)
288: maybe_add_key_to_agent(authfile, private, comment, passphrase);
289:
290: if (passphrase != NULL) {
291: explicit_bzero(passphrase, strlen(passphrase));
292: free(passphrase);
293: }
294:
1.1 markus 295: /* We no longer need the comment. */
1.71 djm 296: free(comment);
1.36 markus 297:
298: if (private == NULL) {
1.65 dtucker 299: if (!options.batch_mode && perm_ok)
1.36 markus 300: error("Bad passphrase.");
301:
302: /* Send a dummy response packet to avoid protocol error. */
303: packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
304: for (i = 0; i < 16; i++)
305: packet_put_char(0);
306: packet_send();
307: packet_write_wait();
308:
309: /* Expect the server to reject it... */
1.47 markus 310: packet_read_expect(SSH_SMSG_FAILURE);
1.36 markus 311: BN_clear_free(challenge);
312: return 0;
313: }
1.1 markus 314:
315: /* Compute and send a response to the challenge. */
316: respond_to_rsa_challenge(challenge, private->rsa);
317:
1.38 markus 318: /* Destroy the private key unless it in external hardware. */
1.75 djm 319: if (!(private->flags & SSHKEY_FLAG_EXT))
1.38 markus 320: key_free(private);
1.1 markus 321:
322: /* We no longer need the challenge. */
323: BN_clear_free(challenge);
324:
325: /* Wait for response from the server. */
1.47 markus 326: type = packet_read();
1.1 markus 327: if (type == SSH_SMSG_SUCCESS) {
328: debug("RSA authentication accepted by server.");
329: return 1;
330: }
331: if (type != SSH_SMSG_FAILURE)
332: packet_disconnect("Protocol error waiting RSA auth response: %d", type);
333: debug("RSA authentication refused.");
334: return 0;
335: }
336:
337: /*
338: * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
339: * authentication and RSA host authentication.
340: */
1.35 itojun 341: static int
1.29 markus 342: try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
1.1 markus 343: {
344: int type;
345: BIGNUM *challenge;
346:
347: debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
348:
349: /* Tell the server that we are willing to authenticate using this key. */
350: packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
1.33 markus 351: packet_put_cstring(local_user);
1.29 markus 352: packet_put_int(BN_num_bits(host_key->rsa->n));
353: packet_put_bignum(host_key->rsa->e);
354: packet_put_bignum(host_key->rsa->n);
1.1 markus 355: packet_send();
356: packet_write_wait();
357:
358: /* Wait for server's response. */
1.47 markus 359: type = packet_read();
1.1 markus 360:
361: /* The server responds with failure if it doesn't admit our
362: .rhosts authentication or doesn't know our host key. */
363: if (type == SSH_SMSG_FAILURE) {
364: debug("Server refused our rhosts authentication or host key.");
365: return 0;
366: }
367: /* Otherwise, the server should respond with a challenge. */
368: if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
369: packet_disconnect("Protocol error during RSA authentication: %d", type);
370:
371: /* Get the challenge from the packet. */
1.43 markus 372: if ((challenge = BN_new()) == NULL)
373: fatal("try_rhosts_rsa_authentication: BN_new failed");
1.46 markus 374: packet_get_bignum(challenge);
1.45 markus 375: packet_check_eom();
1.1 markus 376:
377: debug("Received RSA challenge for host key from server.");
378:
379: /* Compute a response to the challenge. */
1.29 markus 380: respond_to_rsa_challenge(challenge, host_key->rsa);
1.1 markus 381:
382: /* We no longer need the challenge. */
383: BN_clear_free(challenge);
384:
385: /* Wait for response from the server. */
1.47 markus 386: type = packet_read();
1.1 markus 387: if (type == SSH_SMSG_SUCCESS) {
388: debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
389: return 1;
390: }
391: if (type != SSH_SMSG_FAILURE)
392: packet_disconnect("Protocol error waiting RSA auth response: %d", type);
393: debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
394: return 0;
395: }
396:
397: /*
398: * Tries to authenticate with any string-based challenge/response system.
399: * Note that the client code is not tied to s/key or TIS.
400: */
1.35 itojun 401: static int
1.32 markus 402: try_challenge_response_authentication(void)
1.1 markus 403: {
404: int type, i;
1.13 markus 405: u_int clen;
1.12 markus 406: char prompt[1024];
1.1 markus 407: char *challenge, *response;
1.40 markus 408:
409: debug("Doing challenge response authentication.");
410:
1.12 markus 411: for (i = 0; i < options.number_of_password_prompts; i++) {
412: /* request a challenge */
413: packet_start(SSH_CMSG_AUTH_TIS);
414: packet_send();
415: packet_write_wait();
1.1 markus 416:
1.47 markus 417: type = packet_read();
1.12 markus 418: if (type != SSH_SMSG_FAILURE &&
419: type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
420: packet_disconnect("Protocol error: got %d in response "
1.20 markus 421: "to SSH_CMSG_AUTH_TIS", type);
1.12 markus 422: }
423: if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
1.20 markus 424: debug("No challenge.");
1.12 markus 425: return 0;
426: }
427: challenge = packet_get_string(&clen);
1.45 markus 428: packet_check_eom();
1.16 markus 429: snprintf(prompt, sizeof prompt, "%s%s", challenge,
1.42 deraadt 430: strchr(challenge, '\n') ? "" : "\nResponse: ");
1.71 djm 431: free(challenge);
1.1 markus 432: if (i != 0)
433: error("Permission denied, please try again.");
1.12 markus 434: if (options.cipher == SSH_CIPHER_NONE)
1.53 itojun 435: logit("WARNING: Encryption is disabled! "
1.50 stevesk 436: "Response will be transmitted in clear text.");
1.12 markus 437: response = read_passphrase(prompt, 0);
438: if (strcmp(response, "") == 0) {
1.71 djm 439: free(response);
1.12 markus 440: break;
441: }
1.1 markus 442: packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
1.27 markus 443: ssh_put_password(response);
1.74 djm 444: explicit_bzero(response, strlen(response));
1.71 djm 445: free(response);
1.1 markus 446: packet_send();
447: packet_write_wait();
1.47 markus 448: type = packet_read();
1.1 markus 449: if (type == SSH_SMSG_SUCCESS)
450: return 1;
451: if (type != SSH_SMSG_FAILURE)
452: packet_disconnect("Protocol error: got %d in response "
1.20 markus 453: "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
1.1 markus 454: }
455: /* failure */
456: return 0;
457: }
458:
459: /*
460: * Tries to authenticate with plain passwd authentication.
461: */
1.35 itojun 462: static int
1.1 markus 463: try_password_authentication(char *prompt)
464: {
1.47 markus 465: int type, i;
1.1 markus 466: char *password;
467:
468: debug("Doing password authentication.");
469: if (options.cipher == SSH_CIPHER_NONE)
1.53 itojun 470: logit("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
1.1 markus 471: for (i = 0; i < options.number_of_password_prompts; i++) {
472: if (i != 0)
473: error("Permission denied, please try again.");
474: password = read_passphrase(prompt, 0);
475: packet_start(SSH_CMSG_AUTH_PASSWORD);
1.27 markus 476: ssh_put_password(password);
1.74 djm 477: explicit_bzero(password, strlen(password));
1.71 djm 478: free(password);
1.1 markus 479: packet_send();
480: packet_write_wait();
481:
1.47 markus 482: type = packet_read();
1.1 markus 483: if (type == SSH_SMSG_SUCCESS)
484: return 1;
485: if (type != SSH_SMSG_FAILURE)
486: packet_disconnect("Protocol error: got %d in response to passwd auth", type);
487: }
488: /* failure */
489: return 0;
490: }
491:
492: /*
493: * SSH1 key exchange
494: */
495: void
496: ssh_kex(char *host, struct sockaddr *hostaddr)
497: {
498: int i;
499: BIGNUM *key;
1.43 markus 500: Key *host_key, *server_key;
1.1 markus 501: int bits, rbits;
502: int ssh_cipher_default = SSH_CIPHER_3DES;
1.13 markus 503: u_char session_key[SSH_SESSION_KEY_LENGTH];
504: u_char cookie[8];
505: u_int supported_ciphers;
506: u_int server_flags, client_flags;
1.1 markus 507:
508: debug("Waiting for server public key.");
509:
510: /* Wait for a public key packet from the server. */
1.47 markus 511: packet_read_expect(SSH_SMSG_PUBLIC_KEY);
1.1 markus 512:
513: /* Get cookie from the packet. */
514: for (i = 0; i < 8; i++)
515: cookie[i] = packet_get_char();
516:
517: /* Get the public key. */
1.80 ! dtucker 518: if ((server_key = key_new(KEY_RSA1)) == NULL)
! 519: fatal("%s: key_new(KEY_RSA1) failed", __func__);
1.43 markus 520: bits = packet_get_int();
1.46 markus 521: packet_get_bignum(server_key->rsa->e);
522: packet_get_bignum(server_key->rsa->n);
1.1 markus 523:
1.43 markus 524: rbits = BN_num_bits(server_key->rsa->n);
1.1 markus 525: if (bits != rbits) {
1.53 itojun 526: logit("Warning: Server lies about size of server public key: "
1.1 markus 527: "actual size is %d bits vs. announced %d.", rbits, bits);
1.53 itojun 528: logit("Warning: This may be due to an old implementation of ssh.");
1.1 markus 529: }
530: /* Get the host key. */
1.80 ! dtucker 531: if ((host_key = key_new(KEY_RSA1)) == NULL)
! 532: fatal("%s: key_new(KEY_RSA1) failed", __func__);
1.43 markus 533: bits = packet_get_int();
1.46 markus 534: packet_get_bignum(host_key->rsa->e);
535: packet_get_bignum(host_key->rsa->n);
1.1 markus 536:
1.43 markus 537: rbits = BN_num_bits(host_key->rsa->n);
1.1 markus 538: if (bits != rbits) {
1.53 itojun 539: logit("Warning: Server lies about size of server host key: "
1.1 markus 540: "actual size is %d bits vs. announced %d.", rbits, bits);
1.53 itojun 541: logit("Warning: This may be due to an old implementation of ssh.");
1.1 markus 542: }
543:
544: /* Get protocol flags. */
545: server_flags = packet_get_int();
546: packet_set_protocol_flags(server_flags);
547:
548: supported_ciphers = packet_get_int();
549: supported_authentications = packet_get_int();
1.45 markus 550: packet_check_eom();
1.1 markus 551:
552: debug("Received server public key (%d bits) and host key (%d bits).",
1.43 markus 553: BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n));
1.1 markus 554:
1.43 markus 555: if (verify_host_key(host, hostaddr, host_key) == -1)
1.41 markus 556: fatal("Host key verification failed.");
1.1 markus 557:
558: client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
559:
1.58 djm 560: derive_ssh1_session_id(host_key->rsa->n, server_key->rsa->n, cookie, session_id);
1.1 markus 561:
562: /*
563: * Generate an encryption key for the session. The key is a 256 bit
564: * random number, interpreted as a 32-byte key, with the least
565: * significant 8 bits being the first byte of the key.
566: */
1.79 natano 567: arc4random_buf(session_key, sizeof(session_key));
1.1 markus 568:
569: /*
570: * According to the protocol spec, the first byte of the session key
571: * is the highest byte of the integer. The session key is xored with
572: * the first 16 bytes of the session id.
573: */
1.43 markus 574: if ((key = BN_new()) == NULL)
1.70 markus 575: fatal("ssh_kex: BN_new failed");
576: if (BN_set_word(key, 0) == 0)
577: fatal("ssh_kex: BN_set_word failed");
1.1 markus 578: for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
1.70 markus 579: if (BN_lshift(key, key, 8) == 0)
580: fatal("ssh_kex: BN_lshift failed");
581: if (i < 16) {
582: if (BN_add_word(key, session_key[i] ^ session_id[i])
583: == 0)
584: fatal("ssh_kex: BN_add_word failed");
585: } else {
586: if (BN_add_word(key, session_key[i]) == 0)
587: fatal("ssh_kex: BN_add_word failed");
588: }
1.1 markus 589: }
590:
591: /*
592: * Encrypt the integer using the public key and host key of the
593: * server (key with smaller modulus first).
594: */
1.43 markus 595: if (BN_cmp(server_key->rsa->n, host_key->rsa->n) < 0) {
1.1 markus 596: /* Public key has smaller modulus. */
1.43 markus 597: if (BN_num_bits(host_key->rsa->n) <
598: BN_num_bits(server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
599: fatal("respond_to_rsa_challenge: host_key %d < server_key %d + "
1.42 deraadt 600: "SSH_KEY_BITS_RESERVED %d",
1.43 markus 601: BN_num_bits(host_key->rsa->n),
602: BN_num_bits(server_key->rsa->n),
1.42 deraadt 603: SSH_KEY_BITS_RESERVED);
1.1 markus 604: }
1.75 djm 605: if (rsa_public_encrypt(key, key, server_key->rsa) != 0 ||
606: rsa_public_encrypt(key, key, host_key->rsa) != 0)
607: fatal("%s: rsa_public_encrypt failed", __func__);
1.1 markus 608: } else {
609: /* Host key has smaller modulus (or they are equal). */
1.43 markus 610: if (BN_num_bits(server_key->rsa->n) <
611: BN_num_bits(host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
612: fatal("respond_to_rsa_challenge: server_key %d < host_key %d + "
1.42 deraadt 613: "SSH_KEY_BITS_RESERVED %d",
1.43 markus 614: BN_num_bits(server_key->rsa->n),
615: BN_num_bits(host_key->rsa->n),
1.42 deraadt 616: SSH_KEY_BITS_RESERVED);
1.1 markus 617: }
1.75 djm 618: if (rsa_public_encrypt(key, key, host_key->rsa) != 0 ||
619: rsa_public_encrypt(key, key, server_key->rsa) != 0)
620: fatal("%s: rsa_public_encrypt failed", __func__);
1.1 markus 621: }
622:
623: /* Destroy the public keys since we no longer need them. */
1.43 markus 624: key_free(server_key);
625: key_free(host_key);
1.1 markus 626:
1.11 markus 627: if (options.cipher == SSH_CIPHER_NOT_SET) {
628: if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
629: options.cipher = ssh_cipher_default;
1.60 markus 630: } else if (options.cipher == SSH_CIPHER_INVALID ||
1.10 markus 631: !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
1.53 itojun 632: logit("No valid SSH1 cipher, using %.100s instead.",
1.7 markus 633: cipher_name(ssh_cipher_default));
634: options.cipher = ssh_cipher_default;
1.1 markus 635: }
636: /* Check that the selected cipher is supported. */
637: if (!(supported_ciphers & (1 << options.cipher)))
638: fatal("Selected cipher type %.100s not supported by server.",
1.42 deraadt 639: cipher_name(options.cipher));
1.1 markus 640:
641: debug("Encryption type: %.100s", cipher_name(options.cipher));
642:
643: /* Send the encrypted session key to the server. */
644: packet_start(SSH_CMSG_SESSION_KEY);
645: packet_put_char(options.cipher);
646:
647: /* Send the cookie back to the server. */
648: for (i = 0; i < 8; i++)
649: packet_put_char(cookie[i]);
650:
651: /* Send and destroy the encrypted encryption key integer. */
652: packet_put_bignum(key);
653: BN_clear_free(key);
654:
655: /* Send protocol flags. */
656: packet_put_int(client_flags);
657:
658: /* Send the packet now. */
659: packet_send();
660: packet_write_wait();
661:
662: debug("Sent encrypted session key.");
663:
664: /* Set the encryption key. */
665: packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
666:
1.74 djm 667: /*
668: * We will no longer need the session key here.
669: * Destroy any extra copies.
670: */
671: explicit_bzero(session_key, sizeof(session_key));
1.1 markus 672:
673: /*
674: * Expect a success message from the server. Note that this message
675: * will be received in encrypted form.
676: */
1.47 markus 677: packet_read_expect(SSH_SMSG_SUCCESS);
1.1 markus 678:
679: debug("Received encrypted confirmation.");
680: }
681:
682: /*
683: * Authenticate user
684: */
685: void
1.30 markus 686: ssh_userauth1(const char *local_user, const char *server_user, char *host,
1.51 markus 687: Sensitive *sensitive)
1.1 markus 688: {
689: int i, type;
1.42 deraadt 690:
1.1 markus 691: if (supported_authentications == 0)
1.30 markus 692: fatal("ssh_userauth1: server supports no auth methods");
1.1 markus 693:
694: /* Send the name of the user to log in as on the server. */
695: packet_start(SSH_CMSG_USER);
1.33 markus 696: packet_put_cstring(server_user);
1.1 markus 697: packet_send();
698: packet_write_wait();
699:
700: /*
701: * The server should respond with success if no authentication is
702: * needed (the user has no password). Otherwise the server responds
703: * with failure.
704: */
1.47 markus 705: type = packet_read();
1.1 markus 706:
707: /* check whether the connection was accepted without authentication. */
708: if (type == SSH_SMSG_SUCCESS)
1.37 dugsong 709: goto success;
1.1 markus 710: if (type != SSH_SMSG_FAILURE)
1.37 dugsong 711: packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
1.42 deraadt 712:
1.1 markus 713: /*
714: * Try .rhosts or /etc/hosts.equiv authentication with RSA host
715: * authentication.
716: */
717: if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
1.30 markus 718: options.rhosts_rsa_authentication) {
1.51 markus 719: for (i = 0; i < sensitive->nkeys; i++) {
720: if (sensitive->keys[i] != NULL &&
721: sensitive->keys[i]->type == KEY_RSA1 &&
722: try_rhosts_rsa_authentication(local_user,
723: sensitive->keys[i]))
1.37 dugsong 724: goto success;
1.30 markus 725: }
1.1 markus 726: }
727: /* Try RSA authentication if the server supports it. */
728: if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
729: options.rsa_authentication) {
730: /*
731: * Try RSA authentication using the authentication agent. The
732: * agent is tried first because no passphrase is needed for
733: * it, whereas identity files may require passphrases.
734: */
735: if (try_agent_authentication())
1.37 dugsong 736: goto success;
1.1 markus 737:
738: /* Try RSA authentication for each identity. */
739: for (i = 0; i < options.num_identity_files; i++)
1.28 markus 740: if (options.identity_keys[i] != NULL &&
741: options.identity_keys[i]->type == KEY_RSA1 &&
1.38 markus 742: try_rsa_authentication(i))
1.37 dugsong 743: goto success;
1.1 markus 744: }
1.20 markus 745: /* Try challenge response authentication if the server supports it. */
1.1 markus 746: if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
1.32 markus 747: options.challenge_response_authentication && !options.batch_mode) {
748: if (try_challenge_response_authentication())
1.37 dugsong 749: goto success;
1.1 markus 750: }
751: /* Try password authentication if the server supports it. */
752: if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
753: options.password_authentication && !options.batch_mode) {
754: char prompt[80];
755:
1.23 itojun 756: snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
1.1 markus 757: server_user, host);
758: if (try_password_authentication(prompt))
1.37 dugsong 759: goto success;
1.1 markus 760: }
761: /* All authentication methods have failed. Exit with an error message. */
762: fatal("Permission denied.");
763: /* NOTREACHED */
1.37 dugsong 764:
765: success:
1.39 stevesk 766: return; /* need statement after label */
1.1 markus 767: }