authorDamien Miller <djm@mindrot.org>2000-04-29 23:57:08 +1000
committerDamien Miller <djm@mindrot.org>2000-04-29 23:57:08 +1000
commiteba71bab9bf01c0d688f829a8971f902732558df (patch)
treea9d5b50568bfc10cc50291fd3604debfaf3e3783 /sshd.c
parent8117111a3c1360727e3c54aad31aa045e7a7871b (diff)
- Merge big update to OpenSSH-2.0 from OpenBSD CVS
[README.openssh2] - interop w/ F-secure windows client - sync documentation - ssh_host_dsa_key not ssh_dsa_key [auth-rsa.c] - missing fclose [auth.c authfile.c compat.c dsa.c dsa.h hostfile.c key.c key.h radix.c] [readconf.c readconf.h ssh-add.c ssh-keygen.c ssh.c ssh.h sshconnect.c] [sshd.c uuencode.c uuencode.h authfile.h] - add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol. [auth.c auth.h authfile.c sshconnect.c auth1.c auth2.c sshconnect.h] [sshconnect1.c sshconnect2.c] - split auth/sshconnect in one file per protocol version [sshconnect2.c] - remove debug [uuencode.c] - add trailing = [version.h] - OpenSSH-2.0 [ssh-keygen.1 ssh-keygen.c] - add -R flag: exit code indicates if RSA is alive [sshd.c] - remove unused silent if -Q is specified [ssh.h] - host key becomes /etc/ssh_host_dsa_key [readconf.c servconf.c ] - ssh/sshd default to proto 1 and 2 [uuencode.c] - remove debug [auth2.c ssh-keygen.c sshconnect2.c sshd.c] - xfree DSA blobs [auth2.c serverloop.c session.c] - cleanup logging for sshd/2, respect PasswordAuth no [sshconnect2.c] - less debug, respect .ssh/config [README.openssh2 channels.c channels.h] - clientloop.c session.c ssh.c - support for x11-fwding, client+server
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c221
1 files changed, 139 insertions, 82 deletions
diff --git a/sshd.c b/sshd.c
index c1dcdd8e9..fc2d1d20e 100644
--- a/sshd.c
+++ b/sshd.c
@@ -14,7 +14,7 @@
14 */ 14 */
15 15
16#include "includes.h" 16#include "includes.h"
17RCSID("$OpenBSD: sshd.c,v 1.107 2000/04/19 07:05:50 deraadt Exp $"); 17RCSID("$OpenBSD: sshd.c,v 1.111 2000/04/27 08:01:28 markus Exp $");
18 18
19#include "xmalloc.h" 19#include "xmalloc.h"
20#include "rsa.h" 20#include "rsa.h"
@@ -40,6 +40,7 @@ RCSID("$OpenBSD: sshd.c,v 1.107 2000/04/19 07:05:50 deraadt Exp $");
40 40
41#include "auth.h" 41#include "auth.h"
42#include "myproposal.h" 42#include "myproposal.h"
43#include "authfile.h"
43 44
44#ifdef LIBWRAP 45#ifdef LIBWRAP
45#include <tcpd.h> 46#include <tcpd.h>
@@ -112,8 +113,9 @@ char *server_version_string = NULL;
112 * not very useful. Currently, memory locking is not implemented. 113 * not very useful. Currently, memory locking is not implemented.
113 */ 114 */
114struct { 115struct {
115 RSA *private_key; /* Private part of server key. */ 116 RSA *private_key; /* Private part of empheral server key. */
116 RSA *host_key; /* Private part of host key. */ 117 RSA *host_key; /* Private part of host key. */
118 Key *dsa_host_key; /* Private DSA host key. */
117} sensitive_data; 119} sensitive_data;
118 120
119/* 121/*
@@ -132,6 +134,10 @@ RSA *public_key;
132/* session identifier, used by RSA-auth */ 134/* session identifier, used by RSA-auth */
133unsigned char session_id[16]; 135unsigned char session_id[16];
134 136
137/* same for ssh2 */
138unsigned char *session_id2 = NULL;
139int session_id2_len = 0;
140
135/* Prototypes for various functions defined later in this file. */ 141/* Prototypes for various functions defined later in this file. */
136void do_ssh1_kex(); 142void do_ssh1_kex();
137void do_ssh2_kex(); 143void do_ssh2_kex();
@@ -224,6 +230,7 @@ grace_alarm_handler(int sig)
224 * Thus there should be no concurrency control/asynchronous execution 230 * Thus there should be no concurrency control/asynchronous execution
225 * problems. 231 * problems.
226 */ 232 */
233/* XXX do we really want this work to be done in a signal handler ? -m */
227void 234void
228key_regeneration_alarm(int sig) 235key_regeneration_alarm(int sig)
229{ 236{
@@ -344,6 +351,13 @@ sshd_exchange_identification(int sock_in, int sock_out)
344 mismatch = 0; 351 mismatch = 0;
345 switch(remote_major) { 352 switch(remote_major) {
346 case 1: 353 case 1:
354 if (remote_minor == 99) {
355 if (options.protocol & SSH_PROTO_2)
356 enable_compat20();
357 else
358 mismatch = 1;
359 break;
360 }
347 if (!(options.protocol & SSH_PROTO_1)) { 361 if (!(options.protocol & SSH_PROTO_1)) {
348 mismatch = 1; 362 mismatch = 1;
349 break; 363 break;
@@ -355,12 +369,6 @@ sshd_exchange_identification(int sock_in, int sock_out)
355 /* note that this disables agent-forwarding */ 369 /* note that this disables agent-forwarding */
356 enable_compat13(); 370 enable_compat13();
357 } 371 }
358 if (remote_minor == 99) {
359 if (options.protocol & SSH_PROTO_2)
360 enable_compat20();
361 else
362 mismatch = 1;
363 }
364 break; 372 break;
365 case 2: 373 case 2:
366 if (options.protocol & SSH_PROTO_2) { 374 if (options.protocol & SSH_PROTO_2) {
@@ -386,6 +394,20 @@ sshd_exchange_identification(int sock_in, int sock_out)
386 server_version_string, client_version_string); 394 server_version_string, client_version_string);
387 fatal_cleanup(); 395 fatal_cleanup();
388 } 396 }
397 if (compat20)
398 packet_set_ssh2_format();
399}
400
401
402void
403destroy_sensitive_data(void)
404{
405 /* Destroy the private and public keys. They will no longer be needed. */
406 RSA_free(public_key);
407 RSA_free(sensitive_data.private_key);
408 RSA_free(sensitive_data.host_key);
409 if (sensitive_data.dsa_host_key != NULL)
410 key_free(sensitive_data.dsa_host_key);
389} 411}
390 412
391/* 413/*
@@ -399,12 +421,11 @@ main(int ac, char **av)
399 int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, on = 1; 421 int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, on = 1;
400 pid_t pid; 422 pid_t pid;
401 socklen_t fromlen; 423 socklen_t fromlen;
402 int silentrsa = 0; 424 int silent = 0;
403 fd_set *fdset; 425 fd_set *fdset;
404 struct sockaddr_storage from; 426 struct sockaddr_storage from;
405 const char *remote_ip; 427 const char *remote_ip;
406 int remote_port; 428 int remote_port;
407 char *comment;
408 FILE *f; 429 FILE *f;
409 struct linger linger; 430 struct linger linger;
410 struct addrinfo *ai; 431 struct addrinfo *ai;
@@ -441,7 +462,7 @@ main(int ac, char **av)
441 inetd_flag = 1; 462 inetd_flag = 1;
442 break; 463 break;
443 case 'Q': 464 case 'Q':
444 silentrsa = 1; 465 silent = 1;
445 break; 466 break;
446 case 'q': 467 case 'q':
447 options.log_level = SYSLOG_LEVEL_QUIET; 468 options.log_level = SYSLOG_LEVEL_QUIET;
@@ -497,27 +518,14 @@ main(int ac, char **av)
497 log_init(av0, 518 log_init(av0,
498 options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, 519 options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
499 options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility, 520 options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,
500 !inetd_flag); 521 !silent && !inetd_flag);
501 522
502 /* check if RSA support exists */
503 if (rsa_alive() == 0) {
504 if (silentrsa == 0)
505 printf("sshd: no RSA support in libssl and libcrypto -- exiting. See ssl(8)\n");
506 log("no RSA support in libssl and libcrypto -- exiting. See ssl(8)");
507 exit(1);
508 }
509 /* Read server configuration options from the configuration file. */ 523 /* Read server configuration options from the configuration file. */
510 read_server_config(&options, config_file_name); 524 read_server_config(&options, config_file_name);
511 525
512 /* Fill in default values for those options not explicitly set. */ 526 /* Fill in default values for those options not explicitly set. */
513 fill_default_server_options(&options); 527 fill_default_server_options(&options);
514 528
515 /* Check certain values for sanity. */
516 if (options.server_key_bits < 512 ||
517 options.server_key_bits > 32768) {
518 fprintf(stderr, "Bad server key size.\n");
519 exit(1);
520 }
521 /* Check that there are no remaining arguments. */ 529 /* Check that there are no remaining arguments. */
522 if (optind < ac) { 530 if (optind < ac) {
523 fprintf(stderr, "Extra argument %s.\n", av[optind]); 531 fprintf(stderr, "Extra argument %s.\n", av[optind]);
@@ -526,26 +534,79 @@ main(int ac, char **av)
526 534
527 debug("sshd version %.100s", SSH_VERSION); 535 debug("sshd version %.100s", SSH_VERSION);
528 536
529 sensitive_data.host_key = RSA_new(); 537 sensitive_data.dsa_host_key = NULL;
530 errno = 0; 538 sensitive_data.host_key = NULL;
531 /* Load the host key. It must have empty passphrase. */ 539
532 if (!load_private_key(options.host_key_file, "", 540 /* check if RSA support exists */
533 sensitive_data.host_key, &comment)) { 541 if ((options.protocol & SSH_PROTO_1) &&
534 error("Could not load host key: %.200s: %.100s", 542 rsa_alive() == 0) {
535 options.host_key_file, strerror(errno)); 543 log("no RSA support in libssl and libcrypto. See ssl(8)");
544 log("Disabling protocol version 1");
545 options.protocol &= ~SSH_PROTO_1;
546 }
547 /* Load the RSA/DSA host key. It must have empty passphrase. */
548 if (options.protocol & SSH_PROTO_1) {
549 Key k;
550 sensitive_data.host_key = RSA_new();
551 k.type = KEY_RSA;
552 k.rsa = sensitive_data.host_key;
553 errno = 0;
554 if (!load_private_key(options.host_key_file, "", &k, NULL)) {
555 error("Could not load host key: %.200s: %.100s",
556 options.host_key_file, strerror(errno));
557 log("Disabling protocol version 1");
558 options.protocol &= ~SSH_PROTO_1;
559 }
560 k.rsa = NULL;
561 }
562 if (options.protocol & SSH_PROTO_2) {
563 sensitive_data.dsa_host_key = key_new(KEY_DSA);
564 if (!load_private_key(options.dsa_key_file, "", sensitive_data.dsa_host_key, NULL)) {
565 error("Could not load DSA host key: %.200s", options.dsa_key_file);
566 log("Disabling protocol version 2");
567 options.protocol &= ~SSH_PROTO_2;
568 }
569 }
570 if (! options.protocol & (SSH_PROTO_1|SSH_PROTO_2)) {
571 if (silent == 0)
572 fprintf(stderr, "sshd: no hostkeys available -- exiting.\n");
573 log("sshd: no hostkeys available -- exiting.\n");
536 exit(1); 574 exit(1);
537 } 575 }
538 xfree(comment);
539 576
540 /* Initialize the log (it is reinitialized below in case we 577 /* Check certain values for sanity. */
541 forked). */ 578 if (options.protocol & SSH_PROTO_1) {
579 if (options.server_key_bits < 512 ||
580 options.server_key_bits > 32768) {
581 fprintf(stderr, "Bad server key size.\n");
582 exit(1);
583 }
584 /*
585 * Check that server and host key lengths differ sufficiently. This
586 * is necessary to make double encryption work with rsaref. Oh, I
587 * hate software patents. I dont know if this can go? Niels
588 */
589 if (options.server_key_bits >
590 BN_num_bits(sensitive_data.host_key->n) - SSH_KEY_BITS_RESERVED &&
591 options.server_key_bits <
592 BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {
593 options.server_key_bits =
594 BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED;
595 debug("Forcing server key to %d bits to make it differ from host key.",
596 options.server_key_bits);
597 }
598 }
599
600 /* Initialize the log (it is reinitialized below in case we forked). */
542 if (debug_flag && !inetd_flag) 601 if (debug_flag && !inetd_flag)
543 log_stderr = 1; 602 log_stderr = 1;
544 log_init(av0, options.log_level, options.log_facility, log_stderr); 603 log_init(av0, options.log_level, options.log_facility, log_stderr);
545 604
546 /* If not in debugging mode, and not started from inetd, 605 /*
547 disconnect from the controlling terminal, and fork. The 606 * If not in debugging mode, and not started from inetd, disconnect
548 original process exits. */ 607 * from the controlling terminal, and fork. The original process
608 * exits.
609 */
549 if (!debug_flag && !inetd_flag) { 610 if (!debug_flag && !inetd_flag) {
550#ifdef TIOCNOTTY 611#ifdef TIOCNOTTY
551 int fd; 612 int fd;
@@ -565,18 +626,6 @@ main(int ac, char **av)
565 /* Reinitialize the log (because of the fork above). */ 626 /* Reinitialize the log (because of the fork above). */
566 log_init(av0, options.log_level, options.log_facility, log_stderr); 627 log_init(av0, options.log_level, options.log_facility, log_stderr);
567 628
568 /* Check that server and host key lengths differ sufficiently.
569 This is necessary to make double encryption work with rsaref.
570 Oh, I hate software patents. I dont know if this can go? Niels */
571 if (options.server_key_bits >
572 BN_num_bits(sensitive_data.host_key->n) - SSH_KEY_BITS_RESERVED &&
573 options.server_key_bits <
574 BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {
575 options.server_key_bits =
576 BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED;
577 debug("Forcing server key to %d bits to make it differ from host key.",
578 options.server_key_bits);
579 }
580 /* Do not display messages to stdout in RSA code. */ 629 /* Do not display messages to stdout in RSA code. */
581 rsa_set_verbose(0); 630 rsa_set_verbose(0);
582 631
@@ -594,20 +643,22 @@ main(int ac, char **av)
594 s2 = dup(s1); 643 s2 = dup(s1);
595 sock_in = dup(0); 644 sock_in = dup(0);
596 sock_out = dup(1); 645 sock_out = dup(1);
597 /* We intentionally do not close the descriptors 0, 1, and 2 646 /*
598 as our code for setting the descriptors won\'t work 647 * We intentionally do not close the descriptors 0, 1, and 2
599 if ttyfd happens to be one of those. */ 648 * as our code for setting the descriptors won\'t work if
649 * ttyfd happens to be one of those.
650 */
600 debug("inetd sockets after dupping: %d, %d", sock_in, sock_out); 651 debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
601 652
602 public_key = RSA_new(); 653 if (options.protocol & SSH_PROTO_1) {
603 sensitive_data.private_key = RSA_new(); 654 public_key = RSA_new();
604 655 sensitive_data.private_key = RSA_new();
605 /* XXX check options.protocol */ 656 log("Generating %d bit RSA key.", options.server_key_bits);
606 log("Generating %d bit RSA key.", options.server_key_bits); 657 rsa_generate_key(sensitive_data.private_key, public_key,
607 rsa_generate_key(sensitive_data.private_key, public_key, 658 options.server_key_bits);
608 options.server_key_bits); 659 arc4random_stir();
609 arc4random_stir(); 660 log("RSA key generation complete.");
610 log("RSA key generation complete."); 661 }
611 } else { 662 } else {
612 for (ai = options.listen_addrs; ai; ai = ai->ai_next) { 663 for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
613 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 664 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -684,19 +735,20 @@ main(int ac, char **av)
684 fclose(f); 735 fclose(f);
685 } 736 }
686 } 737 }
738 if (options.protocol & SSH_PROTO_1) {
739 public_key = RSA_new();
740 sensitive_data.private_key = RSA_new();
687 741
688 public_key = RSA_new(); 742 log("Generating %d bit RSA key.", options.server_key_bits);
689 sensitive_data.private_key = RSA_new(); 743 rsa_generate_key(sensitive_data.private_key, public_key,
690 744 options.server_key_bits);
691 log("Generating %d bit RSA key.", options.server_key_bits); 745 arc4random_stir();
692 rsa_generate_key(sensitive_data.private_key, public_key, 746 log("RSA key generation complete.");
693 options.server_key_bits);
694 arc4random_stir();
695 log("RSA key generation complete.");
696 747
697 /* Schedule server key regeneration alarm. */ 748 /* Schedule server key regeneration alarm. */
698 signal(SIGALRM, key_regeneration_alarm); 749 signal(SIGALRM, key_regeneration_alarm);
699 alarm(options.key_regeneration_time); 750 alarm(options.key_regeneration_time);
751 }
700 752
701 /* Arrange to restart on SIGHUP. The handler needs listen_sock. */ 753 /* Arrange to restart on SIGHUP. The handler needs listen_sock. */
702 signal(SIGHUP, sighup_handler); 754 signal(SIGHUP, sighup_handler);
@@ -1069,9 +1121,7 @@ do_ssh1_kex()
1069 sensitive_data.private_key->n); 1121 sensitive_data.private_key->n);
1070 1122
1071 /* Destroy the private and public keys. They will no longer be needed. */ 1123 /* Destroy the private and public keys. They will no longer be needed. */
1072 RSA_free(public_key); 1124 destroy_sensitive_data();
1073 RSA_free(sensitive_data.private_key);
1074 RSA_free(sensitive_data.host_key);
1075 1125
1076 /* 1126 /*
1077 * Extract session key from the decrypted integer. The key is in the 1127 * Extract session key from the decrypted integer. The key is in the
@@ -1130,7 +1180,6 @@ do_ssh2_kex()
1130 unsigned char *kbuf; 1180 unsigned char *kbuf;
1131 unsigned char *hash; 1181 unsigned char *hash;
1132 Kex *kex; 1182 Kex *kex;
1133 Key *server_host_key;
1134 char *cprop[PROPOSAL_MAX]; 1183 char *cprop[PROPOSAL_MAX];
1135 char *sprop[PROPOSAL_MAX]; 1184 char *sprop[PROPOSAL_MAX];
1136 1185
@@ -1231,8 +1280,8 @@ do_ssh2_kex()
1231 memset(kbuf, 0, klen); 1280 memset(kbuf, 0, klen);
1232 xfree(kbuf); 1281 xfree(kbuf);
1233 1282
1234 server_host_key = dsa_get_serverkey(options.dsa_key_file); 1283 /* XXX precompute? */
1235 dsa_make_serverkey_blob(server_host_key, &server_host_key_blob, &sbloblen); 1284 dsa_make_key_blob(sensitive_data.dsa_host_key, &server_host_key_blob, &sbloblen);
1236 1285
1237 /* calc H */ /* XXX depends on 'kex' */ 1286 /* calc H */ /* XXX depends on 'kex' */
1238 hash = kex_hash( 1287 hash = kex_hash(
@@ -1255,10 +1304,17 @@ do_ssh2_kex()
1255 fprintf(stderr, "%02x", (hash[i])&0xff); 1304 fprintf(stderr, "%02x", (hash[i])&0xff);
1256 fprintf(stderr, "\n"); 1305 fprintf(stderr, "\n");
1257#endif 1306#endif
1307 /* save session id := H */
1308 /* XXX hashlen depends on KEX */
1309 session_id2_len = 20;
1310 session_id2 = xmalloc(session_id2_len);
1311 memcpy(session_id2, hash, session_id2_len);
1312
1258 /* sign H */ 1313 /* sign H */
1259 dsa_sign(server_host_key, &signature, &slen, hash, 20); 1314 /* XXX hashlen depends on KEX */
1260 /* hashlen depends on KEX */ 1315 dsa_sign(sensitive_data.dsa_host_key, &signature, &slen, hash, 20);
1261 key_free(server_host_key); 1316
1317 destroy_sensitive_data();
1262 1318
1263 /* send server hostkey, DH pubkey 'f' and singed H */ 1319 /* send server hostkey, DH pubkey 'f' and singed H */
1264 packet_start(SSH2_MSG_KEXDH_REPLY); 1320 packet_start(SSH2_MSG_KEXDH_REPLY);
@@ -1267,6 +1323,7 @@ do_ssh2_kex()
1267 packet_put_string((char *)signature, slen); 1323 packet_put_string((char *)signature, slen);
1268 packet_send(); 1324 packet_send();
1269 xfree(signature); 1325 xfree(signature);
1326 xfree(server_host_key_blob);
1270 packet_write_wait(); 1327 packet_write_wait();
1271 1328
1272 kex_derive_keys(kex, hash, shared_secret); 1329 kex_derive_keys(kex, hash, shared_secret);
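Review bot: The new no-hostkeys guard in main() (new line 570), `if (! options.protocol & (SSH_PROTO_1|SSH_PROTO_2))`, parses as `(!options.protocol) & (...)` because unary `!` binds tighter than `&`, so it tests bit 0 of a 0/1 value rather than whether either protocol bit is still set. It gives the intended answer only if the mask happens to include bit 0 and options.protocol carries no other bits; the SSH_PROTO_* values are not visible in this diff, so that should not be relied on. Since this is the check that stops the daemon from starting after both host-key loads have failed and cleared their protocol bits, it should read `if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2)))`. main() starts and ends outside the hunks shown here.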