src/usr.bin/ssh/sshd.c - diff

Return to sshd.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/sshd.c between version 1.132 and 1.132.2.3

version 1.132, 2000/10/13 18:34:46

version 1.132.2.3, 2001/03/21 19:46:31

Line 42

#include "includes.h"

RCSID("$OpenBSD$");

#include <openssl/dh.h>

#include <openssl/bn.h>

#include <openssl/hmac.h>

#include "ssh.h"

#include "ssh1.h"

#include "ssh2.h"

#include "xmalloc.h"

#include "rsa.h"

#include "ssh.h"

#include "sshpty.h"

#include "pty.h"

#include "packet.h"

#include "mpaux.h"

#include "log.h"

#include "servconf.h"

#include "uidswap.h"

#include "compat.h"

#include "buffer.h"

#include "cipher.h"

#include "ssh2.h"

#include <openssl/dh.h>

#include <openssl/bn.h>

#include <openssl/hmac.h>

#include "kex.h"

#include <openssl/dsa.h>

#include <openssl/rsa.h>

#include "key.h"

#include "dsa.h"

#include "dh.h"

#include "auth.h"

#include "myproposal.h"

#include "authfile.h"

#include "pathnames.h"

#include "atomicio.h"

#include "canohost.h"

#include "auth.h"

#include "misc.h"

#ifdef LIBWRAP

#include <tcpd.h>

Line 79

Line 82

#define O_NOCTTY 0

#endif

extern char *__progname;

/* Server configuration options. */

ServerOptions options;

/* Name of the server configuration file. */

char *config_file_name = SERVER_CONFIG_FILE;

char *config_file_name = _PATH_SERVER_CONFIG_FILE;

* Flag indicating whether IPv4 or IPv6. This can be set on the command line.

Line 102

Line 107

/* Flag indicating that the daemon is being started from inetd. */

int inetd_flag = 0;

/* Flag indicating that sshd should not detach and become a daemon. */

int no_daemon_flag = 0;

/* debug goes to stderr unless inetd_flag is set */

int log_stderr = 0;

/* argv[0] without path. */

char *av0;

/* Saved arguments to main(). */

char **saved_argv;

Line 135

Line 140

* not very useful. Currently, memory locking is not implemented.

struct {

RSA *private_key; /* Private part of empheral server key. */

Key *server_key; /* ephemeral server key */

RSA *host_key; /* Private part of host key. */

Key *ssh1_host_key; /* ssh1 host key */

Key *dsa_host_key; /* Private DSA host key. */

Key **host_keys; /* all private host keys */

int have_ssh1_key;

int have_ssh2_key;

u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH];

} sensitive_data;

* Flag indicating whether the current session key has been used. This flag

* Flag indicating whether the RSA server key needs to be regenerated.

* is set whenever the key is used, and cleared when the key is regenerated.

* Is set in the SIGALRM handler and cleared when the key is regenerated.

int key_used = 0;

int key_do_regen = 0;

/* This is set to true when SIGHUP is received. */

int received_sighup = 0;

/* Public side of the server key. This value is regenerated regularly with

the private key. */

RSA *public_key;

/* session identifier, used by RSA-auth */

unsigned char session_id[16];

u_char session_id[16];

/* same for ssh2 */

unsigned char *session_id2 = NULL;

u_char *session_id2 = NULL;

int session_id2_len = 0;

/* record remote hostname or ip */

unsigned int utmp_len = MAXHOSTNAMELEN;

u_int utmp_len = MAXHOSTNAMELEN;

/* Prototypes for various functions defined later in this file. */

void do_ssh1_kex();

void do_ssh1_kex(void);

void do_ssh2_kex();

void do_ssh2_kex(void);

void ssh_dh1_server(Kex *, Buffer *_kexinit, Buffer *);

void ssh_dhgex_server(Kex *, Buffer *_kexinit, Buffer *);

Line 199

Line 203

* Restarts the server.

void

sighup_restart()

sighup_restart(void)

{

log("Received SIGHUP; restarting.");

close_listen_socks();

execv(saved_argv[0], saved_argv);

log("RESTART FAILED: av0='%s', error: %s.", av0, strerror(errno));

log("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], strerror(errno));

exit(1);

}

Line 259

Line 263

* Thus there should be no concurrency control/asynchronous execution

* problems.

/* XXX do we really want this work to be done in a signal handler ? -m */

void

key_regeneration_alarm(int sig)

generate_ephemeral_server_key(void)

{

int save_errno = errno;

u_int32_t rand = 0;

int i;

/* Check if we should generate a new key. */

log("Generating %s%d bit RSA key.", sensitive_data.server_key ? "new " : "",

if (key_used) {

options.server_key_bits);

/* This should really be done in the background. */

if (sensitive_data.server_key != NULL)

log("Generating new %d bit RSA key.", options.server_key_bits);

key_free(sensitive_data.server_key);

sensitive_data.server_key = key_generate(KEY_RSA1, options.server_key_bits);

log("RSA key generation complete.");

if (sensitive_data.private_key != NULL)

for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {

RSA_free(sensitive_data.private_key);

if (i % 4 == 0)

sensitive_data.private_key = RSA_new();

rand = arc4random();

sensitive_data.ssh1_cookie[i] = rand & 0xff;

if (public_key != NULL)

rand >>= 8;

RSA_free(public_key);

public_key = RSA_new();

rsa_generate_key(sensitive_data.private_key, public_key,

options.server_key_bits);

arc4random_stir();

key_used = 0;

log("RSA key generation complete.");

}

/* Reschedule the alarm. */

arc4random_stir();

signal(SIGALRM, key_regeneration_alarm);

}

alarm(options.key_regeneration_time);

void

key_regeneration_alarm(int sig)

{

int save_errno = errno;

signal(SIGALRM, SIG_DFL);

errno = save_errno;

key_do_regen = 1;

}

void

Line 322

Line 326

fatal_cleanup();

}

/* Read other side\'s version identification. */

/* Read other side's version identification. */

memset(buf, 0, sizeof(buf));

for (i = 0; i < sizeof(buf) - 1; i++) {

if (atomicio(read, sock_in, &buf[i], 1) != 1) {

log("Did not receive ident string from %s.", get_remote_ipaddr());

log("Did not receive identification string from %s.",

get_remote_ipaddr());

fatal_cleanup();

}

if (buf[i] == '\r') {

Line 366

Line 372

compat_datafellows(remote_version);

if (datafellows & SSH_BUG_SCANNER) {

log("scanned from %s with %s. Don't panic.",

get_remote_ipaddr(), client_version_string);

fatal_cleanup();

}

mismatch = 0;

switch(remote_major) {

case 1:

Line 417

Line 429

}

/* Destroy the host and server keys. They will no longer be needed. */

void

destroy_sensitive_data(void)

{

/* Destroy the private and public keys. They will no longer be needed. */

int i;

if (public_key)

RSA_free(public_key);

if (sensitive_data.server_key) {

if (sensitive_data.private_key)

key_free(sensitive_data.server_key);

RSA_free(sensitive_data.private_key);

sensitive_data.server_key = NULL;

if (sensitive_data.host_key)

}

RSA_free(sensitive_data.host_key);

for(i = 0; i < options.num_host_key_files; i++) {

if (sensitive_data.dsa_host_key != NULL)

if (sensitive_data.host_keys[i]) {

key_free(sensitive_data.dsa_host_key);

key_free(sensitive_data.host_keys[i]);

sensitive_data.host_keys[i] = NULL;

}

sensitive_data.ssh1_host_key = NULL;

memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);

}

Key *

load_private_key_autodetect(const char *filename)

{

struct stat st;

int type;

Key *public, *private;

if (stat(filename, &st) < 0) {

perror(filename);

return NULL;

}

* try to load the public key. right now this only works for RSA1,

* since SSH2 keys are fully encrypted

type = KEY_RSA1;

public = key_new(type);

if (!load_public_key(filename, public, NULL)) {

/* ok, so we will assume this is 'some' key */

type = KEY_UNSPEC;

}

key_free(public);

/* Ok, try key with empty passphrase */

private = key_new(type);

if (load_private_key(filename, "", private, NULL)) {

debug("load_private_key_autodetect: type %d %s",

private->type, key_type(private));

return private;

}

key_free(private);

return NULL;

}

char *

list_hostkey_types(void)

{

static char buf[1024];

int i;

buf[0] = '\0';

for(i = 0; i < options.num_host_key_files; i++) {

Key *key = sensitive_data.host_keys[i];

if (key == NULL)

continue;

switch(key->type) {

case KEY_RSA:

case KEY_DSA:

strlcat(buf, key_ssh_name(key), sizeof buf);

strlcat(buf, ",", sizeof buf);

break;

}

i = strlen(buf);

if (i > 0 && buf[i-1] == ',')

buf[i-1] = '\0';

debug("list_hostkey_types: %s", buf);

return buf;

}

Key *

get_hostkey_by_type(int type)

{

int i;

for(i = 0; i < options.num_host_key_files; i++) {

Key *key = sensitive_data.host_keys[i];

if (key != NULL && key->type == type)

return key;

}

return NULL;

}

* returns 1 if connection should be dropped, 0 otherwise.

* dropping starts at connection #max_startups_begin with a probability

Line 474

Line 562

int opt, sock_in = 0, sock_out = 0, newsock, j, i, fdsetsz, on = 1;

pid_t pid;

socklen_t fromlen;

int silent = 0;

fd_set *fdset;

struct sockaddr_storage from;

const char *remote_ip;

Line 486

Line 573

int listen_sock, maxfd;

int startup_p[2];

int startups = 0;

int ret, key_used = 0;

/* Save argv[0]. */

/* Save argv. */

saved_argv = av;

if (strchr(av[0], '/'))

av0 = strrchr(av[0], '/') + 1;

else

av0 = av[0];

/* Initialize configuration options to their default values. */

initialize_server_options(&options);

/* Parse command-line arguments. */

while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:diqQ46")) != EOF) {

while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:dDiqQ46")) != -1) {

switch (opt) {

case '4':

IPv4or6 = AF_INET;

Line 520

Line 604

exit(1);

}

break;

case 'D':

no_daemon_flag = 1;

break;

case 'i':

inetd_flag = 1;

break;

case 'Q':

silent = 1;

/* ignored */

break;

case 'q':

options.log_level = SYSLOG_LEVEL_QUIET;

Line 547

Line 634

options.key_regeneration_time = atoi(optarg);

break;

case 'h':

options.host_key_file = optarg;

if (options.num_host_key_files >= MAX_HOSTKEYS) {

fprintf(stderr, "too many host keys.\n");

exit(1);

}

options.host_key_files[options.num_host_key_files++] = optarg;

break;

case 'V':

client_version_string = optarg;

Line 560

Line 651

case '?':

default:

fprintf(stderr, "sshd version %s\n", SSH_VERSION);

fprintf(stderr, "Usage: %s [options]\n", av0);

fprintf(stderr, "Usage: %s [options]\n", __progname);

fprintf(stderr, "Options:\n");

fprintf(stderr, " -f file Configuration file (default %s)\n", SERVER_CONFIG_FILE);

fprintf(stderr, " -f file Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE);

fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n");

fprintf(stderr, " -i Started from inetd\n");

fprintf(stderr, " -D Do not fork into daemon mode\n");

fprintf(stderr, " -q Quiet (no logging)\n");

fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");

fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n");

fprintf(stderr, " -g seconds Grace period for authentication (default: 300)\n");

fprintf(stderr, " -g seconds Grace period for authentication (default: 600)\n");

fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n");

fprintf(stderr, " -h file File from which to read host key (default: %s)\n",

HOST_KEY_FILE);

_PATH_HOST_KEY_FILE);

fprintf(stderr, " -u len Maximum hostname length for utmp recording\n");

fprintf(stderr, " -4 Use IPv4 only\n");

fprintf(stderr, " -6 Use IPv6 only\n");

Line 583

Line 675

* Force logging to stderr until we have loaded the private host

* key (unless started from inetd)

log_init(av0,

log_init(__progname,

options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,

options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,

!silent && !inetd_flag);

!inetd_flag);

/* Read server configuration options from the configuration file. */

read_server_config(&options, config_file_name);

Line 602

Line 694

debug("sshd version %.100s", SSH_VERSION);

sensitive_data.dsa_host_key = NULL;

/* load private host keys */

sensitive_data.host_key = NULL;

sensitive_data.host_keys = xmalloc(options.num_host_key_files*sizeof(Key*));

for(i = 0; i < options.num_host_key_files; i++)

sensitive_data.host_keys[i] = NULL;

sensitive_data.server_key = NULL;

sensitive_data.ssh1_host_key = NULL;

sensitive_data.have_ssh1_key = 0;

sensitive_data.have_ssh2_key = 0;

/* check if RSA support exists */

for(i = 0; i < options.num_host_key_files; i++) {

if ((options.protocol & SSH_PROTO_1) &&

Key *key = load_private_key_autodetect(options.host_key_files[i]);

rsa_alive() == 0) {

if (key == NULL) {

log("no RSA support in libssl and libcrypto. See ssl(8)");

log("Disabling protocol version 1");

options.protocol &= ~SSH_PROTO_1;

}

/* Load the RSA/DSA host key. It must have empty passphrase. */

if (options.protocol & SSH_PROTO_1) {

Key k;

sensitive_data.host_key = RSA_new();

k.type = KEY_RSA;

k.rsa = sensitive_data.host_key;

errno = 0;

if (!load_private_key(options.host_key_file, "", &k, NULL)) {

error("Could not load host key: %.200s: %.100s",

options.host_key_file, strerror(errno));

options.host_key_files[i], strerror(errno));

log("Disabling protocol version 1");

continue;

options.protocol &= ~SSH_PROTO_1;

}

k.rsa = NULL;

switch(key->type){

}

case KEY_RSA1:

if (options.protocol & SSH_PROTO_2) {

sensitive_data.ssh1_host_key = key;

sensitive_data.dsa_host_key = key_new(KEY_DSA);

sensitive_data.have_ssh1_key = 1;

if (!load_private_key(options.host_dsa_key_file, "", sensitive_data.dsa_host_key, NULL)) {

break;

case KEY_RSA:

error("Could not load DSA host key: %.200s", options.host_dsa_key_file);

case KEY_DSA:

log("Disabling protocol version 2");

sensitive_data.have_ssh2_key = 1;

options.protocol &= ~SSH_PROTO_2;

break;

}

sensitive_data.host_keys[i] = key;

}

if (! options.protocol & (SSH_PROTO_1|SSH_PROTO_2)) {

if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {

if (silent == 0)

log("Disabling protocol version 1. Could not load host key");

fprintf(stderr, "sshd: no hostkeys available -- exiting.\n");

options.protocol &= ~SSH_PROTO_1;

log("sshd: no hostkeys available -- exiting.\n");

}

if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {

log("Disabling protocol version 2. Could not load host key");

options.protocol &= ~SSH_PROTO_2;

}

if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {

log("sshd: no hostkeys available -- exiting.");

exit(1);

}

Line 656

Line 748

* hate software patents. I dont know if this can go? Niels

if (options.server_key_bits >

BN_num_bits(sensitive_data.host_key->n) - SSH_KEY_BITS_RESERVED &&

BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) - SSH_KEY_BITS_RESERVED &&

options.server_key_bits <

BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {

BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {

options.server_key_bits =

BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED;

BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED;

debug("Forcing server key to %d bits to make it differ from host key.",

options.server_key_bits);

}

Line 669

Line 761

/* Initialize the log (it is reinitialized below in case we forked). */

if (debug_flag && !inetd_flag)

log_stderr = 1;

log_init(av0, options.log_level, options.log_facility, log_stderr);

log_init(__progname, options.log_level, options.log_facility, log_stderr);

* If not in debugging mode, and not started from inetd, disconnect

* from the controlling terminal, and fork. The original process

* exits.

if (!debug_flag && !inetd_flag) {

if (!(debug_flag || inetd_flag || no_daemon_flag)) {

#ifdef TIOCNOTTY

int fd;

#endif /* TIOCNOTTY */

Line 685

Line 777

/* Disconnect from the controlling tty. */

#ifdef TIOCNOTTY

fd = open("/dev/tty", O_RDWR | O_NOCTTY);

fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);

if (fd >= 0) {

(void) ioctl(fd, TIOCNOTTY, NULL);

close(fd);

Line 693

Line 785

#endif /* TIOCNOTTY */

}

/* Reinitialize the log (because of the fork above). */

log_init(av0, options.log_level, options.log_facility, log_stderr);

log_init(__progname, options.log_level, options.log_facility, log_stderr);

/* Do not display messages to stdout in RSA code. */

rsa_set_verbose(0);

/* Initialize the random number generator. */

arc4random_stir();

Line 719

Line 808

* ttyfd happens to be one of those.

debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);

if (options.protocol & SSH_PROTO_1)

if (options.protocol & SSH_PROTO_1) {

generate_ephemeral_server_key();

public_key = RSA_new();

sensitive_data.private_key = RSA_new();

log("Generating %d bit RSA key.", options.server_key_bits);

rsa_generate_key(sensitive_data.private_key, public_key,

options.server_key_bits);

arc4random_stir();

log("RSA key generation complete.");

}

} else {

for (ai = options.listen_addrs; ai; ai = ai->ai_next) {

if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)

Line 792

Line 873

if (!debug_flag) {

* Record our pid in /etc/sshd_pid to make it easier

* Record our pid in /var/run/sshd.pid to make it

* to kill the correct sshd. We don\'t want to do

* easier to kill the correct sshd. We don't want to

* this before the bind above because the bind will

* do this before the bind above because the bind will

* fail if there already is a daemon, and this will

* overwrite any old pid in the file.

f = fopen(options.pid_file, "w");

if (f) {

fprintf(f, "%u\n", (unsigned int) getpid());

fprintf(f, "%u\n", (u_int) getpid());

fclose(f);

}

if (options.protocol & SSH_PROTO_1) {

if (options.protocol & SSH_PROTO_1)

public_key = RSA_new();

generate_ephemeral_server_key();

sensitive_data.private_key = RSA_new();

log("Generating %d bit RSA key.", options.server_key_bits);

rsa_generate_key(sensitive_data.private_key, public_key,

options.server_key_bits);

arc4random_stir();

log("RSA key generation complete.");

/* Schedule server key regeneration alarm. */

signal(SIGALRM, key_regeneration_alarm);

alarm(options.key_regeneration_time);

}

/* Arrange to restart on SIGHUP. The handler needs listen_sock. */

signal(SIGHUP, sighup_handler);

Line 848

Line 917

sighup_restart();

if (fdset != NULL)

xfree(fdset);

fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask);

fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask);

fdset = (fd_set *)xmalloc(fdsetsz);

memset(fdset, 0, fdsetsz);

Line 859

Line 928

FD_SET(startup_pipes[i], fdset);

/* Wait in select until there is a connection. */

if (select(maxfd + 1, fdset, NULL, NULL, NULL) < 0) {

ret = select(maxfd+1, fdset, NULL, NULL, NULL);

if (errno != EINTR)

if (ret < 0 && errno != EINTR)

error("select: %.100s", strerror(errno));

continue;

if (key_used && key_do_regen) {

generate_ephemeral_server_key();

key_used = 0;

key_do_regen = 0;

}

if (ret < 0)

continue;

for (i = 0; i < options.max_startups; i++)

if (startup_pipes[i] != -1 &&

FD_ISSET(startup_pipes[i], fdset)) {

* the read end of the pipe is ready

* if the child has closed the pipe

* after successfull authentication

* after successful authentication

* or if the child has died

close(startup_pipes[i]);

Line 910

Line 985

startups++;

break;

}

* Got connection. Fork a child to handle it, unless

* we are in debugging mode.

Line 949

Line 1024

close_listen_socks();

sock_in = newsock;

sock_out = newsock;

log_init(av0, options.log_level, options.log_facility, log_stderr);

log_init(__progname, options.log_level, options.log_facility, log_stderr);

break;

}

Line 963

Line 1038

close(startup_p[1]);

/* Mark that the key has been used (it was "given" to the child). */

key_used = 1;

if ((options.protocol & SSH_PROTO_1) &&

key_used == 0) {

/* Schedule server key regeneration alarm. */

signal(SIGALRM, key_regeneration_alarm);

alarm(options.key_regeneration_time);

key_used = 1;

}

arc4random_stir();

Line 1000

Line 1081

linger.l_linger = 5;

setsockopt(sock_in, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));

/* Set keepalives if requested. */

if (options.keepalives &&

setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,

sizeof(on)) < 0)

error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));

* Register our connection. This turns encryption off because we do

* not have a key.

Line 1015

Line 1102

{

struct request_info req;

request_init(&req, RQ_DAEMON, av0, RQ_FILE, sock_in, NULL);

request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, NULL);

fromhost(&req);

if (!hosts_access(&req)) {

Line 1043

Line 1130

sshd_exchange_identification(sock_in, sock_out);

* Check that the connection comes from a privileged port. Rhosts-

* Check that the connection comes from a privileged port.

* and Rhosts-RSA-Authentication only make sense from priviledged

* Rhosts-Authentication only makes sense from priviledged

* programs. Of course, if the intruder has root access on his local

* machine, he can connect from any port. So do not use these

* authentication methods from machines that you do not trust.

if (remote_port >= IPPORT_RESERVED ||

remote_port < IPPORT_RESERVED / 2) {

debug("Rhosts Authentication disabled, "

"originating port not trusted.");

options.rhosts_authentication = 0;

options.rhosts_rsa_authentication = 0;

}

#ifdef KRB4

if (!packet_connection_is_ipv4() &&

Line 1061

Line 1149

options.kerberos_authentication = 0;

}

#endif /* KRB4 */

#ifdef AFS

/* If machine has AFS, set process authentication group. */

if (k_hasafs()) {

k_setpag();

k_unlog();

}

#endif /* AFS */

packet_set_nonblocking();

Line 1090

Line 1185

* SSH1 key exchange

void

do_ssh1_kex()

do_ssh1_kex(void)

{

int i, len;

int plen, slen;

int rsafail = 0;

BIGNUM *session_key_int;

unsigned char session_key[SSH_SESSION_KEY_LENGTH];

u_char session_key[SSH_SESSION_KEY_LENGTH];

unsigned char cookie[8];

u_char cookie[8];

unsigned int cipher_type, auth_mask, protocol_flags;

u_int cipher_type, auth_mask, protocol_flags;

u_int32_t rand = 0;

Line 1126

Line 1222

packet_put_char(cookie[i]);

/* Store our public server RSA key. */

packet_put_int(BN_num_bits(public_key->n));

packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));

packet_put_bignum(public_key->e);

packet_put_bignum(sensitive_data.server_key->rsa->e);

packet_put_bignum(public_key->n);

packet_put_bignum(sensitive_data.server_key->rsa->n);

/* Store our public host RSA key. */

packet_put_int(BN_num_bits(sensitive_data.host_key->n));

packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));

packet_put_bignum(sensitive_data.host_key->e);

packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);

packet_put_bignum(sensitive_data.host_key->n);

packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);

/* Put protocol flags. */

packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);

Line 1159

Line 1255

if (options.afs_token_passing)

auth_mask |= 1 << SSH_PASS_AFS_TOKEN;

#endif

#ifdef SKEY

if (options.challenge_reponse_authentication == 1)

if (options.skey_authentication == 1)

auth_mask |= 1 << SSH_AUTH_TIS;

#endif

if (options.password_authentication)

auth_mask |= 1 << SSH_AUTH_PASSWORD;

packet_put_int(auth_mask);

Line 1171

Line 1265

packet_send();

packet_write_wait();

debug("Sent %d bit public key and %d bit host key.",

debug("Sent %d bit server key and %d bit host key.",

BN_num_bits(public_key->n), BN_num_bits(sensitive_data.host_key->n));

BN_num_bits(sensitive_data.server_key->rsa->n),

BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));

/* Read clients reply (cipher type and session key). */

packet_read_expect(&plen, SSH_CMSG_SESSION_KEY);

Line 1204

Line 1299

* Decrypt it using our private server key and private host key (key

* with larger modulus first).

if (BN_cmp(sensitive_data.private_key->n, sensitive_data.host_key->n) > 0) {

if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) {

/* Private key has bigger modulus. */

/* Server key has bigger modulus. */

if (BN_num_bits(sensitive_data.private_key->n) <

if (BN_num_bits(sensitive_data.server_key->rsa->n) <

BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {

BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {

fatal("do_connection: %s: private_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",

fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",

get_remote_ipaddr(),

BN_num_bits(sensitive_data.private_key->n),

BN_num_bits(sensitive_data.server_key->rsa->n),

BN_num_bits(sensitive_data.host_key->n),

BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),

SSH_KEY_BITS_RESERVED);

}

rsa_private_decrypt(session_key_int, session_key_int,

if (rsa_private_decrypt(session_key_int, session_key_int,

sensitive_data.private_key);

sensitive_data.server_key->rsa) <= 0)

rsa_private_decrypt(session_key_int, session_key_int,

rsafail++;

sensitive_data.host_key);

if (rsa_private_decrypt(session_key_int, session_key_int,

sensitive_data.ssh1_host_key->rsa) <= 0)

rsafail++;

} else {

/* Host key has bigger modulus (or they are equal). */

if (BN_num_bits(sensitive_data.host_key->n) <

if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <

BN_num_bits(sensitive_data.private_key->n) + SSH_KEY_BITS_RESERVED) {

BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {

fatal("do_connection: %s: host_key %d < private_key %d + SSH_KEY_BITS_RESERVED %d",

fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",

get_remote_ipaddr(),

BN_num_bits(sensitive_data.host_key->n),

BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),

BN_num_bits(sensitive_data.private_key->n),

BN_num_bits(sensitive_data.server_key->rsa->n),

SSH_KEY_BITS_RESERVED);

}

rsa_private_decrypt(session_key_int, session_key_int,

if (rsa_private_decrypt(session_key_int, session_key_int,

sensitive_data.host_key);

sensitive_data.ssh1_host_key->rsa) < 0)

rsa_private_decrypt(session_key_int, session_key_int,

rsafail++;

sensitive_data.private_key);

if (rsa_private_decrypt(session_key_int, session_key_int,

sensitive_data.server_key->rsa) < 0)

rsafail++;

}

compute_session_id(session_id, cookie,

sensitive_data.host_key->n,

sensitive_data.private_key->n);

/* Destroy the private and public keys. They will no longer be needed. */

destroy_sensitive_data();

* Extract session key from the decrypted integer. The key is in the

* least significant 256 bits of the integer; the first byte of the

* key is in the highest bits.

BN_mask_bits(session_key_int, sizeof(session_key) * 8);

if (!rsafail) {

len = BN_num_bytes(session_key_int);

BN_mask_bits(session_key_int, sizeof(session_key) * 8);

if (len < 0 || len > sizeof(session_key))

len = BN_num_bytes(session_key_int);

fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d",

if (len < 0 || len > sizeof(session_key)) {

get_remote_ipaddr(),

error("do_connection: bad session key len from %s: "

len, sizeof(session_key));

"session_key_int %d > sizeof(session_key) %lu",

memset(session_key, 0, sizeof(session_key));

get_remote_ipaddr(), len, (u_long)sizeof(session_key));

BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len);

rsafail++;

} else {

memset(session_key, 0, sizeof(session_key));

BN_bn2bin(session_key_int,

session_key + sizeof(session_key) - len);

compute_session_id(session_id, cookie,

sensitive_data.ssh1_host_key->rsa->n,

sensitive_data.server_key->rsa->n);

* Xor the first 16 bytes of the session key with the

* session id.

for (i = 0; i < 16; i++)

session_key[i] ^= session_id[i];

}

if (rsafail) {

int bytes = BN_num_bytes(session_key_int);

char *buf = xmalloc(bytes);

MD5_CTX md;

log("do_connection: generating a fake encryption key");

BN_bn2bin(session_key_int, buf);

MD5_Init(&md);

MD5_Update(&md, buf, bytes);

MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);

MD5_Final(session_key, &md);

MD5_Init(&md);

MD5_Update(&md, session_key, 16);

MD5_Update(&md, buf, bytes);

MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);

MD5_Final(session_key + 16, &md);

memset(buf, 0, bytes);

xfree(buf);

for (i = 0; i < 16; i++)

session_id[i] = session_key[i] ^ session_key[i + 16];

}

/* Destroy the private and public keys. They will no longer be needed. */

destroy_sensitive_data();

/* Destroy the decrypted integer. It is no longer needed. */

BN_clear_free(session_key_int);

/* Xor the first 16 bytes of the session key with the session id. */

for (i = 0; i < 16; i++)

session_key[i] ^= session_id[i];

/* Set the session key. From this on all communications will be encrypted. */

packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);

Line 1280

Line 1406

* SSH2 key exchange: diffie-hellman-group1-sha1

void

do_ssh2_kex()

do_ssh2_kex(void)

{

Buffer *server_kexinit;

Buffer *client_kexinit;

Line 1295

Line 1421

myproposal[PROPOSAL_ENC_ALGS_CTOS] =

myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;

}

if (options.macs != NULL) {

myproposal[PROPOSAL_MAC_ALGS_CTOS] =

myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;

}

myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();

server_kexinit = kex_init(myproposal);

client_kexinit = xmalloc(sizeof(*client_kexinit));

buffer_init(client_kexinit);

Line 1351

Line 1483

#endif

int payload_len, dlen;

int slen;

unsigned char *signature = NULL;

u_char *signature = NULL;

unsigned char *server_host_key_blob = NULL;

u_char *server_host_key_blob = NULL;

unsigned int sbloblen;

u_int sbloblen;

unsigned int klen, kout;

u_int klen, kout;

unsigned char *kbuf;

u_char *kbuf;

unsigned char *hash;

u_char *hash;

BIGNUM *shared_secret = 0;

DH *dh;

BIGNUM *dh_client_pub = 0;

Key *hostkey;

hostkey = get_hostkey_by_type(kex->hostkey_type);

if (hostkey == NULL)

fatal("Unsupported hostkey type %d", kex->hostkey_type);

/* KEXDH */

/* generate DH key */

dh = dh_new_group1(); /* XXX depends on 'kex' */

dh_gen_key(dh, kex->we_need * 8);

debug("Wait SSH2_MSG_KEXDH_INIT.");

packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT);

Line 1378

Line 1519

debug("bits %d", BN_num_bits(dh_client_pub));

#endif

/* generate DH key */

dh = dh_new_group1(); /* XXX depends on 'kex' */

#ifdef DEBUG_KEXDH

fprintf(stderr, "\np= ");

BN_print_fp(stderr, dh->p);

Line 1389

Line 1527

fprintf(stderr, "\npub= ");

BN_print_fp(stderr, dh->pub_key);

fprintf(stderr, "\n");

DHparams_print_fp(stderr, dh);

#endif

if (!dh_pub_is_valid(dh, dh_client_pub))

packet_disconnect("bad client public DH value");

Line 1412

Line 1550

xfree(kbuf);

/* XXX precompute? */

dsa_make_key_blob(sensitive_data.dsa_host_key,

key_to_blob(hostkey, &server_host_key_blob, &sbloblen);

&server_host_key_blob, &sbloblen);

/* calc H */ /* XXX depends on 'kex' */

hash = kex_hash(

Line 1430

Line 1567

buffer_free(server_kexinit);

xfree(client_kexinit);

xfree(server_kexinit);

BN_free(dh_client_pub);

#ifdef DEBUG_KEXDH

fprintf(stderr, "hash == ");

for (i = 0; i< 20; i++)

Line 1444

Line 1582

/* sign H */

/* XXX hashlen depends on KEX */

dsa_sign(sensitive_data.dsa_host_key, &signature, &slen, hash, 20);

key_sign(hostkey, &signature, &slen, hash, 20);

destroy_sensitive_data();

Line 1459

Line 1597

packet_write_wait();

kex_derive_keys(kex, hash, shared_secret);

BN_clear_free(shared_secret);

packet_set_kex(kex);

/* have keys, free DH */

Line 1475

Line 1614

#endif

int payload_len, dlen;

int slen, nbits;

unsigned char *signature = NULL;

u_char *signature = NULL;

unsigned char *server_host_key_blob = NULL;

u_char *server_host_key_blob = NULL;

unsigned int sbloblen;

u_int sbloblen;

unsigned int klen, kout;

u_int klen, kout;

unsigned char *kbuf;

u_char *kbuf;

unsigned char *hash;

u_char *hash;

BIGNUM *shared_secret = 0;

DH *dh;

BIGNUM *dh_client_pub = 0;

Key *hostkey;

hostkey = get_hostkey_by_type(kex->hostkey_type);

if (hostkey == NULL)

fatal("Unsupported hostkey type %d", kex->hostkey_type);

/* KEXDHGEX */

debug("Wait SSH2_MSG_KEX_DH_GEX_REQUEST.");

packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_REQUEST);

Line 1498

Line 1642

packet_send();

packet_write_wait();

/* Compute our exchange value in parallel with the client */

dh_gen_key(dh, kex->we_need * 8);

debug("Wait SSH2_MSG_KEX_DH_GEX_INIT.");

packet_read_expect(&payload_len, SSH2_MSG_KEX_DH_GEX_INIT);

Line 1522

Line 1670

fprintf(stderr, "\npub= ");

BN_print_fp(stderr, dh->pub_key);

fprintf(stderr, "\n");

DHparams_print_fp(stderr, dh);

#endif

if (!dh_pub_is_valid(dh, dh_client_pub))

packet_disconnect("bad client public DH value");

Line 1545

Line 1693

xfree(kbuf);

/* XXX precompute? */

dsa_make_key_blob(sensitive_data.dsa_host_key,

key_to_blob(hostkey, &server_host_key_blob, &sbloblen);

&server_host_key_blob, &sbloblen);

/* calc H */ /* XXX depends on 'kex' */

hash = kex_hash_gex(

Line 1564

Line 1711

buffer_free(server_kexinit);

xfree(client_kexinit);

xfree(server_kexinit);

BN_free(dh_client_pub);

#ifdef DEBUG_KEXDH

fprintf(stderr, "hash == ");

for (i = 0; i< 20; i++)

Line 1578

Line 1726

/* sign H */

/* XXX hashlen depends on KEX */

dsa_sign(sensitive_data.dsa_host_key, &signature, &slen, hash, 20);

key_sign(hostkey, &signature, &slen, hash, 20);

destroy_sensitive_data();

Line 1593

Line 1741

packet_write_wait();

kex_derive_keys(kex, hash, shared_secret);

BN_clear_free(shared_secret);

packet_set_kex(kex);

/* have keys, free DH */

DH_free(dh);

}