New upstream release (8.0p1)

1 files changed, 357 insertions, 45 deletions

diff --git a/kex.c b/kex.c
index fb5bfaea5..bbb7a2340 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.141 2018/07/09 13:37:10 sf Exp $ */
+/* $OpenBSD: kex.c,v 1.150 2019/01/21 12:08:13 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -25,19 +25,25 @@
 
 #include "includes.h"
 
-
+#include <sys/types.h>
+#include <errno.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
+#include <poll.h>
 
 #ifdef WITH_OPENSSL
 #include <openssl/crypto.h>
 #include <openssl/dh.h>
 #endif
 
+#include "ssh.h"
 #include "ssh2.h"
+#include "atomicio.h"
+#include "version.h"
 #include "packet.h"
 #include "compat.h"
 #include "cipher.h"
@@ -49,6 +55,7 @@
 #include "misc.h"
 #include "dispatch.h"
 #include "monitor.h"
+#include "xmalloc.h"
 
 #include "ssherr.h"
 #include "sshbuf.h"
@@ -106,26 +113,33 @@ static const struct kexalg kexalgs[] = {
 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
         { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
         { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
+        { KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0,
+            SSH_DIGEST_SHA512 },
 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
         { NULL, -1, -1, -1},
 };
-static const struct kexalg kexalg_prefixes[] = {
+static const struct kexalg gss_kexalgs[] = {
 #ifdef GSSAPI
         { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
         { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
         { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+        { KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
+        { KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
+        { KEX_GSS_NISTP256_SHA256_ID, KEX_GSS_NISTP256_SHA256,
+            NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
+        { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
 #endif
         { NULL, -1, -1, -1 },
 };
 
-char *
-kex_alg_list(char sep)
+static char *
+kex_alg_list_internal(char sep, const struct kexalg *algs)
 {
         char *ret = NULL, *tmp;
         size_t nlen, rlen = 0;
         const struct kexalg *k;
 
-        for (k = kexalgs; k->name != NULL; k++) {
+        for (k = algs; k->name != NULL; k++) {
                 if (ret != NULL)
                         ret[rlen++] = sep;
                 nlen = strlen(k->name);
@@ -140,6 +154,18 @@ kex_alg_list(char sep)
         return ret;
 }
 
+char *
+kex_alg_list(char sep)
+{
+        return kex_alg_list_internal(sep, kexalgs);
+}
+
+char *
+kex_gss_alg_list(char sep)
+{
+        return kex_alg_list_internal(sep, gss_kexalgs);
+}
+
 static const struct kexalg *
 kex_alg_by_name(const char *name)
 {
@@ -149,7 +175,7 @@ kex_alg_by_name(const char *name)
                 if (strcmp(k->name, name) == 0)
                         return k;
         }
-        for (k = kexalg_prefixes; k->name != NULL; k++) {
+        for (k = gss_kexalgs; k->name != NULL; k++) {
                 if (strncmp(k->name, name, strlen(k->name)) == 0)
                         return k;
         }
@@ -309,6 +335,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
         return r;
 }
 
+/* Validate GSS KEX method name list */
+int
+kex_gss_names_valid(const char *names)
+{
+        char *s, *cp, *p;
+
+        if (names == NULL || *names == '\0')
+                return 0;
+        s = cp = xstrdup(names);
+        for ((p = strsep(&cp, ",")); p && *p != '\0';
+            (p = strsep(&cp, ","))) {
+                if (strncmp(p, "gss-", 4) != 0
+                  || kex_alg_by_name(p) == NULL) {
+                        error("Unsupported KEX algorithm \"%.100s\"", p);
+                        free(s);
+                        return 0;
+                }
+        }
+        debug3("gss kex names ok: [%s]", names);
+        free(s);
+        return 1;
+}
+
 /* put algorithm proposal into buffer */
 int
 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
@@ -503,6 +552,7 @@ kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
         if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
                 return r;
         kex->done = 1;
+        kex->flags &= ~KEX_INITIAL;
         sshbuf_reset(kex->peer);
         /* sshbuf_reset(kex->my); */
         kex->flags &= ~KEX_INIT_SENT;
@@ -593,31 +643,20 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
         return SSH_ERR_INTERNAL_ERROR;
 }
 
-int
-kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp)
+struct kex *
+kex_new(void)
 {
         struct kex *kex;
-        int r;
 
-        *kexp = NULL;
-        if ((kex = calloc(1, sizeof(*kex))) == NULL)
-                return SSH_ERR_ALLOC_FAIL;
-        if ((kex->peer = sshbuf_new()) == NULL ||
-            (kex->my = sshbuf_new()) == NULL) {
-                r = SSH_ERR_ALLOC_FAIL;
-                goto out;
-        }
-        if ((r = kex_prop2buf(kex->my, proposal)) != 0)
-                goto out;
-        kex->done = 0;
-        kex_reset_dispatch(ssh);
-        ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
-        r = 0;
-        *kexp = kex;
- out:
-        if (r != 0)
+        if ((kex = calloc(1, sizeof(*kex))) == NULL ||
+            (kex->peer = sshbuf_new()) == NULL ||
+            (kex->my = sshbuf_new()) == NULL ||
+            (kex->client_version = sshbuf_new()) == NULL ||
+            (kex->server_version = sshbuf_new()) == NULL) {
                 kex_free(kex);
-        return r;
+                return NULL;
+        }
+        return kex;
 }
 
 void
@@ -656,6 +695,9 @@ kex_free(struct kex *kex)
 {
         u_int mode;
 
+        if (kex == NULL)
+                return;
+
 #ifdef WITH_OPENSSL
         DH_free(kex->dh);
 #ifdef OPENSSL_HAS_ECC
@@ -668,12 +710,13 @@ kex_free(struct kex *kex)
         }
         sshbuf_free(kex->peer);
         sshbuf_free(kex->my);
+        sshbuf_free(kex->client_version);
+        sshbuf_free(kex->server_version);
+        sshbuf_free(kex->client_pub);
         free(kex->session_id);
 #ifdef GSSAPI
         free(kex->gss_host);
 #endif /* GSSAPI */
-        free(kex->client_version_string);
-        free(kex->server_version_string);
         free(kex->failed_choice);
         free(kex->hostkey_alg);
         free(kex->name);
@@ -681,11 +724,24 @@ kex_free(struct kex *kex)
 }
 
 int
+kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
+{
+        int r;
+
+        if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
+                return r;
+        ssh->kex->flags = KEX_INITIAL;
+        kex_reset_dispatch(ssh);
+        ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
+        return 0;
+}
+
+int
 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
 {
         int r;
 
-        if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0)
+        if ((r = kex_ready(ssh, proposal)) != 0)
                 return r;
         if ((r = kex_send_kexinit(ssh)) != 0) {         /* we start */
                 kex_free(ssh->kex);
@@ -858,7 +914,7 @@ kex_choose_conf(struct ssh *ssh)
         }
 
         /* Check whether client supports ext_info_c */
-        if (kex->server) {
+        if (kex->server && (kex->flags & KEX_INITIAL)) {
                 char *ext;
 
                 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
@@ -1016,6 +1072,14 @@ kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
         u_int i, j, mode, ctos;
         int r;
 
+        /* save initial hash as session id */
+        if (kex->session_id == NULL) {
+                kex->session_id_len = hashlen;
+                kex->session_id = malloc(kex->session_id_len);
+                if (kex->session_id == NULL)
+                        return SSH_ERR_ALLOC_FAIL;
+                memcpy(kex->session_id, hash, kex->session_id_len);
+        }
         for (i = 0; i < NKEYS; i++) {
                 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
                     shared_secret, &keys[i])) != 0) {
@@ -1034,29 +1098,277 @@ kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
         return 0;
 }
 
-#ifdef WITH_OPENSSL
 int
-kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
-    const BIGNUM *secret)
+kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
 {
-        struct sshbuf *shared_secret;
-        int r;
+        struct kex *kex = ssh->kex;
 
-        if ((shared_secret = sshbuf_new()) == NULL)
-                return SSH_ERR_ALLOC_FAIL;
-        if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
-                r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
-        sshbuf_free(shared_secret);
-        return r;
+        *pubp = NULL;
+        *prvp = NULL;
+        if (kex->load_host_public_key == NULL ||
+            kex->load_host_private_key == NULL)
+                return SSH_ERR_INVALID_ARGUMENT;
+        *pubp = kex->load_host_public_key(kex->hostkey_type,
+            kex->hostkey_nid, ssh);
+        *prvp = kex->load_host_private_key(kex->hostkey_type,
+            kex->hostkey_nid, ssh);
+        if (*pubp == NULL)
+                return SSH_ERR_NO_HOSTKEY_LOADED;
+        return 0;
 }
-#endif
 
+int
+kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
+{
+        struct kex *kex = ssh->kex;
+
+        if (kex->verify_host_key == NULL)
+                return SSH_ERR_INVALID_ARGUMENT;
+        if (server_host_key->type != kex->hostkey_type ||
+            (kex->hostkey_type == KEY_ECDSA &&
+            server_host_key->ecdsa_nid != kex->hostkey_nid))
+                return SSH_ERR_KEY_TYPE_MISMATCH;
+        if (kex->verify_host_key(server_host_key, ssh) == -1)
+                return  SSH_ERR_SIGNATURE_INVALID;
+        return 0;
+}
 
 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
 void
-dump_digest(char *msg, u_char *digest, int len)
+dump_digest(const char *msg, const u_char *digest, int len)
 {
         fprintf(stderr, "%s\n", msg);
         sshbuf_dump_data(digest, len, stderr);
 }
 #endif
+
+/*
+ * Send a plaintext error message to the peer, suffixed by \r\n.
+ * Only used during banner exchange, and there only for the server.
+ */
+static void
+send_error(struct ssh *ssh, char *msg)
+{
+        char *crnl = "\r\n";
+
+        if (!ssh->kex->server)
+                return;
+
+        if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
+            msg, strlen(msg)) != strlen(msg) ||
+            atomicio(vwrite, ssh_packet_get_connection_out(ssh),
+            crnl, strlen(crnl)) != strlen(crnl))
+                error("%s: write: %.100s", __func__, strerror(errno));
+}
+
+/*
+ * Sends our identification string and waits for the peer's. Will block for
+ * up to timeout_ms (or indefinitely if timeout_ms <= 0).
+ * Returns on 0 success or a ssherr.h code on failure.
+ */
+int
+kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+    int debian_banner, const char *version_addendum)
+{
+        int remote_major, remote_minor, mismatch;
+        size_t len, i, n;
+        int r, expect_nl;
+        u_char c;
+        struct sshbuf *our_version = ssh->kex->server ?
+            ssh->kex->server_version : ssh->kex->client_version;
+        struct sshbuf *peer_version = ssh->kex->server ?
+            ssh->kex->client_version : ssh->kex->server_version;
+        char *our_version_string = NULL, *peer_version_string = NULL;
+        char *cp, *remote_version = NULL;
+
+        /* Prepare and send our banner */
+        sshbuf_reset(our_version);
+        if (version_addendum != NULL && *version_addendum == '\0')
+                version_addendum = NULL;
+        if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+           PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+            debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+            version_addendum == NULL ? "" : " ",
+            version_addendum == NULL ? "" : version_addendum)) != 0) {
+                error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
+                goto out;
+        }
+
+        if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
+            sshbuf_mutable_ptr(our_version),
+            sshbuf_len(our_version)) != sshbuf_len(our_version)) {
+                error("%s: write: %.100s", __func__, strerror(errno));
+                r = SSH_ERR_SYSTEM_ERROR;
+                goto out;
+        }
+        if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
+                error("%s: sshbuf_consume_end: %s", __func__, ssh_err(r));
+                goto out;
+        }
+        our_version_string = sshbuf_dup_string(our_version);
+        if (our_version_string == NULL) {
+                error("%s: sshbuf_dup_string failed", __func__);
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        debug("Local version string %.100s", our_version_string);
+
+        /* Read other side's version identification. */
+        for (n = 0; ; n++) {
+                if (n >= SSH_MAX_PRE_BANNER_LINES) {
+                        send_error(ssh, "No SSH identification string "
+                            "received.");
+                        error("%s: No SSH version received in first %u lines "
+                            "from server", __func__, SSH_MAX_PRE_BANNER_LINES);
+                        r = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                sshbuf_reset(peer_version);
+                expect_nl = 0;
+                for (i = 0; ; i++) {
+                        if (timeout_ms > 0) {
+                                r = waitrfd(ssh_packet_get_connection_in(ssh),
+                                    &timeout_ms);
+                                if (r == -1 && errno == ETIMEDOUT) {
+                                        send_error(ssh, "Timed out waiting "
+                                            "for SSH identification string.");
+                                        error("Connection timed out during "
+                                            "banner exchange");
+                                        r = SSH_ERR_CONN_TIMEOUT;
+                                        goto out;
+                                } else if (r == -1) {
+                                        error("%s: %s",
+                                            __func__, strerror(errno));
+                                        r = SSH_ERR_SYSTEM_ERROR;
+                                        goto out;
+                                }
+                        }
+
+                        len = atomicio(read, ssh_packet_get_connection_in(ssh),
+                            &c, 1);
+                        if (len != 1 && errno == EPIPE) {
+                                error("%s: Connection closed by remote host",
+                                    __func__);
+                                r = SSH_ERR_CONN_CLOSED;
+                                goto out;
+                        } else if (len != 1) {
+                                error("%s: read: %.100s",
+                                    __func__, strerror(errno));
+                                r = SSH_ERR_SYSTEM_ERROR;
+                                goto out;
+                        }
+                        if (c == '\r') {
+                                expect_nl = 1;
+                                continue;
+                        }
+                        if (c == '\n')
+                                break;
+                        if (c == '\0' || expect_nl) {
+                                error("%s: banner line contains invalid "
+                                    "characters", __func__);
+                                goto invalid;
+                        }
+                        if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
+                                error("%s: sshbuf_put: %s",
+                                    __func__, ssh_err(r));
+                                goto out;
+                        }
+                        if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
+                                error("%s: banner line too long", __func__);
+                                goto invalid;
+                        }
+                }
+                /* Is this an actual protocol banner? */
+                if (sshbuf_len(peer_version) > 4 &&
+                    memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
+                        break;
+                /* If not, then just log the line and continue */
+                if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
+                        error("%s: sshbuf_dup_string failed", __func__);
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                /* Do not accept lines before the SSH ident from a client */
+                if (ssh->kex->server) {
+                        error("%s: client sent invalid protocol identifier "
+                            "\"%.256s\"", __func__, cp);
+                        free(cp);
+                        goto invalid;
+                }
+                debug("%s: banner line %zu: %s", __func__, n, cp);
+                free(cp);
+        }
+        peer_version_string = sshbuf_dup_string(peer_version);
+        if (peer_version_string == NULL)
+                error("%s: sshbuf_dup_string failed", __func__);
+        /* XXX must be same size for sscanf */
+        if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
+                error("%s: calloc failed", __func__);
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+        /*
+         * Check that the versions match.  In future this might accept
+         * several versions and set appropriate flags to handle them.
+         */
+        if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
+            &remote_major, &remote_minor, remote_version) != 3) {
+                error("Bad remote protocol version identification: '%.100s'",
+                    peer_version_string);
+ invalid:
+                send_error(ssh, "Invalid SSH identification string.");
+                r = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+        debug("Remote protocol version %d.%d, remote software version %.100s",
+            remote_major, remote_minor, remote_version);
+        ssh->compat = compat_datafellows(remote_version);
+
+        mismatch = 0;
+        switch (remote_major) {
+        case 2:
+                break;
+        case 1:
+                if (remote_minor != 99)
+                        mismatch = 1;
+                break;
+        default:
+                mismatch = 1;
+                break;
+        }
+        if (mismatch) {
+                error("Protocol major versions differ: %d vs. %d",
+                    PROTOCOL_MAJOR_2, remote_major);
+                send_error(ssh, "Protocol major versions differ.");
+                r = SSH_ERR_NO_PROTOCOL_VERSION;
+                goto out;
+        }
+
+        if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
+                logit("probed from %s port %d with %s.  Don't panic.",
+                    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+                    peer_version_string);
+                r = SSH_ERR_CONN_CLOSED; /* XXX */
+                goto out;
+        }
+        if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
+                logit("scanned from %s port %d with %s.  Don't panic.",
+                    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+                    peer_version_string);
+                r = SSH_ERR_CONN_CLOSED; /* XXX */
+                goto out;
+        }
+        if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
+                logit("Remote version \"%.100s\" uses unsafe RSA signature "
+                    "scheme; disabling use of RSA keys", remote_version);
+        }
+        /* success */
+        r = 0;
+ out:
+        free(our_version_string);
+        free(peer_version_string);
+        free(remote_version);
+        return r;
+}
+