summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
authormarkus@openbsd.org <markus@openbsd.org>2016-08-13 17:47:40 +0000
committerDamien Miller <djm@mindrot.org>2016-08-14 11:19:14 +1000
commit6cb6dcffe1a2204ba9006de20f73255c268fcb6b (patch)
tree235267a1264f9363c39c4c0b11b59384e9acbdcf /sshd.c
parent42d47adc5ad1187f22c726cbc52e71d6b1767ca2 (diff)
upstream commit
remove ssh1 server code; ok djm@ Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c479
1 files changed, 17 insertions, 462 deletions
diff --git a/sshd.c b/sshd.c
index 9fc829a91..b50ea1d99 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.471 2016/08/03 04:23:55 dtucker Exp $ */ 1/* $OpenBSD: sshd.c,v 1.472 2016/08/13 17:47:41 markus Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -87,7 +87,6 @@
87 87
88#include "xmalloc.h" 88#include "xmalloc.h"
89#include "ssh.h" 89#include "ssh.h"
90#include "ssh1.h"
91#include "ssh2.h" 90#include "ssh2.h"
92#include "rsa.h" 91#include "rsa.h"
93#include "sshpty.h" 92#include "sshpty.h"
@@ -201,22 +200,12 @@ int have_agent = 0;
201 * not very useful. Currently, memory locking is not implemented. 200 * not very useful. Currently, memory locking is not implemented.
202 */ 201 */
203struct { 202struct {
204 Key *server_key; /* ephemeral server key */
205 Key *ssh1_host_key; /* ssh1 host key */
206 Key **host_keys; /* all private host keys */ 203 Key **host_keys; /* all private host keys */
207 Key **host_pubkeys; /* all public host keys */ 204 Key **host_pubkeys; /* all public host keys */
208 Key **host_certificates; /* all public host certificates */ 205 Key **host_certificates; /* all public host certificates */
209 int have_ssh1_key;
210 int have_ssh2_key; 206 int have_ssh2_key;
211 u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH];
212} sensitive_data; 207} sensitive_data;
213 208
214/*
215 * Flag indicating whether the RSA server key needs to be regenerated.
216 * Is set in the SIGALRM handler and cleared when the key is regenerated.
217 */
218static volatile sig_atomic_t key_do_regen = 0;
219
220/* This is set to true when a signal is received. */ 209/* This is set to true when a signal is received. */
221static volatile sig_atomic_t received_sighup = 0; 210static volatile sig_atomic_t received_sighup = 0;
222static volatile sig_atomic_t received_sigterm = 0; 211static volatile sig_atomic_t received_sigterm = 0;
@@ -255,10 +244,6 @@ struct passwd *privsep_pw = NULL;
255/* Prototypes for various functions defined later in this file. */ 244/* Prototypes for various functions defined later in this file. */
256void destroy_sensitive_data(void); 245void destroy_sensitive_data(void);
257void demote_sensitive_data(void); 246void demote_sensitive_data(void);
258
259#ifdef WITH_SSH1
260static void do_ssh1_kex(void);
261#endif
262static void do_ssh2_kex(void); 247static void do_ssh2_kex(void);
263 248
264/* 249/*
@@ -375,43 +360,10 @@ grace_alarm_handler(int sig)
375 ssh_remote_ipaddr(active_state), ssh_remote_port(active_state)); 360 ssh_remote_ipaddr(active_state), ssh_remote_port(active_state));
376} 361}
377 362
378/*
379 * Signal handler for the key regeneration alarm. Note that this
380 * alarm only occurs in the daemon waiting for connections, and it does not
381 * do anything with the private key or random state before forking.
382 * Thus there should be no concurrency control/asynchronous execution
383 * problems.
384 */
385static void
386generate_ephemeral_server_key(void)
387{
388 verbose("Generating %s%d bit RSA key.",
389 sensitive_data.server_key ? "new " : "", options.server_key_bits);
390 if (sensitive_data.server_key != NULL)
391 key_free(sensitive_data.server_key);
392 sensitive_data.server_key = key_generate(KEY_RSA1,
393 options.server_key_bits);
394 verbose("RSA key generation complete.");
395
396 arc4random_buf(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
397}
398
399/*ARGSUSED*/
400static void
401key_regeneration_alarm(int sig)
402{
403 int save_errno = errno;
404
405 signal(SIGALRM, SIG_DFL);
406 errno = save_errno;
407 key_do_regen = 1;
408}
409
410static void 363static void
411sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 364sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
412{ 365{
413 u_int i; 366 u_int i;
414 int mismatch;
415 int remote_major, remote_minor; 367 int remote_major, remote_minor;
416 int major, minor; 368 int major, minor;
417 char *s, *newline = "\n"; 369 char *s, *newline = "\n";
@@ -511,42 +463,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
511 "refusing connection", remote_version); 463 "refusing connection", remote_version);
512 } 464 }
513 465
514 mismatch = 0;
515 switch (remote_major) {
516 case 1:
517 if (remote_minor == 99) {
518 if (options.protocol & SSH_PROTO_2)
519 enable_compat20();
520 else
521 mismatch = 1;
522 break;
523 }
524 if (!(options.protocol & SSH_PROTO_1)) {
525 mismatch = 1;
526 break;
527 }
528 if (remote_minor < 3) {
529 packet_disconnect("Your ssh version is too old and "
530 "is no longer supported. Please install a newer version.");
531 } else if (remote_minor == 3) {
532 /* note that this disables agent-forwarding */
533 enable_compat13();
534 }
535 break;
536 case 2:
537 if (options.protocol & SSH_PROTO_2) {
538 enable_compat20();
539 break;
540 }
541 /* FALLTHROUGH */
542 default:
543 mismatch = 1;
544 break;
545 }
546 chop(server_version_string); 466 chop(server_version_string);
547 debug("Local version string %.200s", server_version_string); 467 debug("Local version string %.200s", server_version_string);
548 468
549 if (mismatch) { 469 if (remote_major == 2 ||
470 (remote_major == 1 && remote_minor == 99)) {
471 enable_compat20();
472 } else {
550 s = "Protocol major versions differ.\n"; 473 s = "Protocol major versions differ.\n";
551 (void) atomicio(vwrite, sock_out, s, strlen(s)); 474 (void) atomicio(vwrite, sock_out, s, strlen(s));
552 close(sock_in); 475 close(sock_in);
@@ -565,10 +488,6 @@ destroy_sensitive_data(void)
565{ 488{
566 int i; 489 int i;
567 490
568 if (sensitive_data.server_key) {
569 key_free(sensitive_data.server_key);
570 sensitive_data.server_key = NULL;
571 }
572 for (i = 0; i < options.num_host_key_files; i++) { 491 for (i = 0; i < options.num_host_key_files; i++) {
573 if (sensitive_data.host_keys[i]) { 492 if (sensitive_data.host_keys[i]) {
574 key_free(sensitive_data.host_keys[i]); 493 key_free(sensitive_data.host_keys[i]);
@@ -579,8 +498,6 @@ destroy_sensitive_data(void)
579 sensitive_data.host_certificates[i] = NULL; 498 sensitive_data.host_certificates[i] = NULL;
580 } 499 }
581 } 500 }
582 sensitive_data.ssh1_host_key = NULL;
583 explicit_bzero(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
584} 501}
585 502
586/* Demote private to public keys for network child */ 503/* Demote private to public keys for network child */
@@ -590,24 +507,14 @@ demote_sensitive_data(void)
590 Key *tmp; 507 Key *tmp;
591 int i; 508 int i;
592 509
593 if (sensitive_data.server_key) {
594 tmp = key_demote(sensitive_data.server_key);
595 key_free(sensitive_data.server_key);
596 sensitive_data.server_key = tmp;
597 }
598
599 for (i = 0; i < options.num_host_key_files; i++) { 510 for (i = 0; i < options.num_host_key_files; i++) {
600 if (sensitive_data.host_keys[i]) { 511 if (sensitive_data.host_keys[i]) {
601 tmp = key_demote(sensitive_data.host_keys[i]); 512 tmp = key_demote(sensitive_data.host_keys[i]);
602 key_free(sensitive_data.host_keys[i]); 513 key_free(sensitive_data.host_keys[i]);
603 sensitive_data.host_keys[i] = tmp; 514 sensitive_data.host_keys[i] = tmp;
604 if (tmp->type == KEY_RSA1)
605 sensitive_data.ssh1_host_key = tmp;
606 } 515 }
607 /* Certs do not need demotion */ 516 /* Certs do not need demotion */
608 } 517 }
609
610 /* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */
611} 518}
612 519
613static void 520static void
@@ -803,7 +710,7 @@ list_hostkey_types(void)
803 key = sensitive_data.host_keys[i]; 710 key = sensitive_data.host_keys[i];
804 if (key == NULL) 711 if (key == NULL)
805 key = sensitive_data.host_pubkeys[i]; 712 key = sensitive_data.host_pubkeys[i];
806 if (key == NULL || key->type == KEY_RSA1) 713 if (key == NULL)
807 continue; 714 continue;
808 /* Check that the key is accepted in HostkeyAlgorithms */ 715 /* Check that the key is accepted in HostkeyAlgorithms */
809 if (match_pattern_list(sshkey_ssh_name(key), 716 if (match_pattern_list(sshkey_ssh_name(key),
@@ -952,7 +859,7 @@ notify_hostkeys(struct ssh *ssh)
952 for (i = nkeys = 0; i < options.num_host_key_files; i++) { 859 for (i = nkeys = 0; i < options.num_host_key_files; i++) {
953 key = get_hostkey_public_by_index(i, ssh); 860 key = get_hostkey_public_by_index(i, ssh);
954 if (key == NULL || key->type == KEY_UNSPEC || 861 if (key == NULL || key->type == KEY_UNSPEC ||
955 key->type == KEY_RSA1 || sshkey_is_cert(key)) 862 sshkey_is_cert(key))
956 continue; 863 continue;
957 fp = sshkey_fingerprint(key, options.fingerprint_hash, 864 fp = sshkey_fingerprint(key, options.fingerprint_hash,
958 SSH_FP_DEFAULT); 865 SSH_FP_DEFAULT);
@@ -1038,13 +945,6 @@ send_rexec_state(int fd, struct sshbuf *conf)
1038 /* 945 /*
1039 * Protocol from reexec master to child: 946 * Protocol from reexec master to child:
1040 * string configuration 947 * string configuration
1041 * u_int ephemeral_key_follows
1042 * bignum e (only if ephemeral_key_follows == 1)
1043 * bignum n "
1044 * bignum d "
1045 * bignum iqmp "
1046 * bignum p "
1047 * bignum q "
1048 * string rngseed (only if OpenSSL is not self-seeded) 948 * string rngseed (only if OpenSSL is not self-seeded)
1049 */ 949 */
1050 if ((m = sshbuf_new()) == NULL) 950 if ((m = sshbuf_new()) == NULL)
@@ -1052,28 +952,6 @@ send_rexec_state(int fd, struct sshbuf *conf)
1052 if ((r = sshbuf_put_stringb(m, conf)) != 0) 952 if ((r = sshbuf_put_stringb(m, conf)) != 0)
1053 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 953 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1054 954
1055#ifdef WITH_SSH1
1056 if (sensitive_data.server_key != NULL &&
1057 sensitive_data.server_key->type == KEY_RSA1) {
1058 if ((r = sshbuf_put_u32(m, 1)) != 0 ||
1059 (r = sshbuf_put_bignum1(m,
1060 sensitive_data.server_key->rsa->e)) != 0 ||
1061 (r = sshbuf_put_bignum1(m,
1062 sensitive_data.server_key->rsa->n)) != 0 ||
1063 (r = sshbuf_put_bignum1(m,
1064 sensitive_data.server_key->rsa->d)) != 0 ||
1065 (r = sshbuf_put_bignum1(m,
1066 sensitive_data.server_key->rsa->iqmp)) != 0 ||
1067 (r = sshbuf_put_bignum1(m,
1068 sensitive_data.server_key->rsa->p)) != 0 ||
1069 (r = sshbuf_put_bignum1(m,
1070 sensitive_data.server_key->rsa->q)) != 0)
1071 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1072 } else
1073#endif
1074 if ((r = sshbuf_put_u32(m, 0)) != 0)
1075 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1076
1077#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) 955#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
1078 rexec_send_rng_seed(m); 956 rexec_send_rng_seed(m);
1079#endif 957#endif
@@ -1107,24 +985,6 @@ recv_rexec_state(int fd, Buffer *conf)
1107 buffer_append(conf, cp, len); 985 buffer_append(conf, cp, len);
1108 free(cp); 986 free(cp);
1109 987
1110 if (buffer_get_int(&m)) {
1111#ifdef WITH_SSH1
1112 if (sensitive_data.server_key != NULL)
1113 key_free(sensitive_data.server_key);
1114 sensitive_data.server_key = key_new_private(KEY_RSA1);
1115 buffer_get_bignum(&m, sensitive_data.server_key->rsa->e);
1116 buffer_get_bignum(&m, sensitive_data.server_key->rsa->n);
1117 buffer_get_bignum(&m, sensitive_data.server_key->rsa->d);
1118 buffer_get_bignum(&m, sensitive_data.server_key->rsa->iqmp);
1119 buffer_get_bignum(&m, sensitive_data.server_key->rsa->p);
1120 buffer_get_bignum(&m, sensitive_data.server_key->rsa->q);
1121 if (rsa_generate_additional_parameters(
1122 sensitive_data.server_key->rsa) != 0)
1123 fatal("%s: rsa_generate_additional_parameters "
1124 "error", __func__);
1125#endif
1126 }
1127
1128#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) 988#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
1129 rexec_recv_rng_seed(&m); 989 rexec_recv_rng_seed(&m);
1130#endif 990#endif
@@ -1248,7 +1108,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1248{ 1108{
1249 fd_set *fdset; 1109 fd_set *fdset;
1250 int i, j, ret, maxfd; 1110 int i, j, ret, maxfd;
1251 int key_used = 0, startups = 0; 1111 int startups = 0;
1252 int startup_p[2] = { -1 , -1 }; 1112 int startup_p[2] = { -1 , -1 };
1253 struct sockaddr_storage from; 1113 struct sockaddr_storage from;
1254 socklen_t fromlen; 1114 socklen_t fromlen;
@@ -1295,11 +1155,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1295 unlink(options.pid_file); 1155 unlink(options.pid_file);
1296 exit(received_sigterm == SIGTERM ? 0 : 255); 1156 exit(received_sigterm == SIGTERM ? 0 : 255);
1297 } 1157 }
1298 if (key_used && key_do_regen) {
1299 generate_ephemeral_server_key();
1300 key_used = 0;
1301 key_do_regen = 0;
1302 }
1303 if (ret < 0) 1158 if (ret < 0)
1304 continue; 1159 continue;
1305 1160
@@ -1434,19 +1289,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1434 close(config_s[0]); 1289 close(config_s[0]);
1435 close(config_s[1]); 1290 close(config_s[1]);
1436 } 1291 }
1437
1438 /*
1439 * Mark that the key has been used (it
1440 * was "given" to the child).
1441 */
1442 if ((options.protocol & SSH_PROTO_1) &&
1443 key_used == 0) {
1444 /* Schedule server key regeneration alarm. */
1445 signal(SIGALRM, key_regeneration_alarm);
1446 alarm(options.key_regeneration_time);
1447 key_used = 1;
1448 }
1449
1450 close(*newsock); 1292 close(*newsock);
1451 1293
1452 /* 1294 /*
@@ -1619,8 +1461,7 @@ main(int ac, char **av)
1619 options.log_level = SYSLOG_LEVEL_QUIET; 1461 options.log_level = SYSLOG_LEVEL_QUIET;
1620 break; 1462 break;
1621 case 'b': 1463 case 'b':
1622 options.server_key_bits = (int)strtonum(optarg, 256, 1464 /* ignored */
1623 32768, NULL);
1624 break; 1465 break;
1625 case 'p': 1466 case 'p':
1626 options.ports_from_cmdline = 1; 1467 options.ports_from_cmdline = 1;
@@ -1726,9 +1567,6 @@ main(int ac, char **av)
1726 drop_cray_privs(); 1567 drop_cray_privs();
1727#endif 1568#endif
1728 1569
1729 sensitive_data.server_key = NULL;
1730 sensitive_data.ssh1_host_key = NULL;
1731 sensitive_data.have_ssh1_key = 0;
1732 sensitive_data.have_ssh2_key = 0; 1570 sensitive_data.have_ssh2_key = 0;
1733 1571
1734 /* 1572 /*
@@ -1852,8 +1690,7 @@ main(int ac, char **av)
1852 sensitive_data.host_keys[i] = key; 1690 sensitive_data.host_keys[i] = key;
1853 sensitive_data.host_pubkeys[i] = pubkey; 1691 sensitive_data.host_pubkeys[i] = pubkey;
1854 1692
1855 if (key == NULL && pubkey != NULL && pubkey->type != KEY_RSA1 && 1693 if (key == NULL && pubkey != NULL && have_agent) {
1856 have_agent) {
1857 debug("will rely on agent for hostkey %s", 1694 debug("will rely on agent for hostkey %s",
1858 options.host_key_files[i]); 1695 options.host_key_files[i]);
1859 keytype = pubkey->type; 1696 keytype = pubkey->type;
@@ -1868,10 +1705,6 @@ main(int ac, char **av)
1868 } 1705 }
1869 1706
1870 switch (keytype) { 1707 switch (keytype) {
1871 case KEY_RSA1:
1872 sensitive_data.ssh1_host_key = key;
1873 sensitive_data.have_ssh1_key = 1;
1874 break;
1875 case KEY_RSA: 1708 case KEY_RSA:
1876 case KEY_DSA: 1709 case KEY_DSA:
1877 case KEY_ECDSA: 1710 case KEY_ECDSA:
@@ -1884,19 +1717,10 @@ main(int ac, char **av)
1884 SSH_FP_DEFAULT)) == NULL) 1717 SSH_FP_DEFAULT)) == NULL)
1885 fatal("sshkey_fingerprint failed"); 1718 fatal("sshkey_fingerprint failed");
1886 debug("%s host key #%d: %s %s", 1719 debug("%s host key #%d: %s %s",
1887 key ? "private" : "agent", i, keytype == KEY_RSA1 ? 1720 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
1888 sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
1889 free(fp); 1721 free(fp);
1890 } 1722 }
1891 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { 1723 if (!sensitive_data.have_ssh2_key) {
1892 logit("Disabling protocol version 1. Could not load host key");
1893 options.protocol &= ~SSH_PROTO_1;
1894 }
1895 if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
1896 logit("Disabling protocol version 2. Could not load host key");
1897 options.protocol &= ~SSH_PROTO_2;
1898 }
1899 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
1900 logit("sshd: no hostkeys available -- exiting."); 1724 logit("sshd: no hostkeys available -- exiting.");
1901 exit(1); 1725 exit(1);
1902 } 1726 }
@@ -1944,33 +1768,6 @@ main(int ac, char **av)
1944 key_type(key)); 1768 key_type(key));
1945 } 1769 }
1946 1770
1947#ifdef WITH_SSH1
1948 /* Check certain values for sanity. */
1949 if (options.protocol & SSH_PROTO_1) {
1950 if (options.server_key_bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
1951 options.server_key_bits > OPENSSL_RSA_MAX_MODULUS_BITS) {
1952 fprintf(stderr, "Bad server key size.\n");
1953 exit(1);
1954 }
1955 /*
1956 * Check that server and host key lengths differ sufficiently. This
1957 * is necessary to make double encryption work with rsaref. Oh, I
1958 * hate software patents. I dont know if this can go? Niels
1959 */
1960 if (options.server_key_bits >
1961 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) -
1962 SSH_KEY_BITS_RESERVED && options.server_key_bits <
1963 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1964 SSH_KEY_BITS_RESERVED) {
1965 options.server_key_bits =
1966 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1967 SSH_KEY_BITS_RESERVED;
1968 debug("Forcing server key to %d bits to make it differ from host key.",
1969 options.server_key_bits);
1970 }
1971 }
1972#endif
1973
1974 if (use_privsep) { 1771 if (use_privsep) {
1975 struct stat st; 1772 struct stat st;
1976 1773
@@ -2068,9 +1865,6 @@ main(int ac, char **av)
2068 platform_pre_listen(); 1865 platform_pre_listen();
2069 server_listen(); 1866 server_listen();
2070 1867
2071 if (options.protocol & SSH_PROTO_1)
2072 generate_ephemeral_server_key();
2073
2074 signal(SIGHUP, sighup_handler); 1868 signal(SIGHUP, sighup_handler);
2075 signal(SIGCHLD, main_sigchld_handler); 1869 signal(SIGCHLD, main_sigchld_handler);
2076 signal(SIGTERM, sigterm_handler); 1870 signal(SIGTERM, sigterm_handler);
@@ -2220,11 +2014,6 @@ main(int ac, char **av)
2220 alarm(options.login_grace_time); 2014 alarm(options.login_grace_time);
2221 2015
2222 sshd_exchange_identification(ssh, sock_in, sock_out); 2016 sshd_exchange_identification(ssh, sock_in, sock_out);
2223
2224 /* In inetd mode, generate ephemeral key only for proto 1 connections */
2225 if (!compat20 && inetd_flag && sensitive_data.server_key == NULL)
2226 generate_ephemeral_server_key();
2227
2228 packet_set_nonblocking(); 2017 packet_set_nonblocking();
2229 2018
2230 /* allocate authentication context */ 2019 /* allocate authentication context */
@@ -2242,7 +2031,7 @@ main(int ac, char **av)
2242 if (use_privsep) { 2031 if (use_privsep) {
2243 if (privsep_preauth(authctxt) == 1) 2032 if (privsep_preauth(authctxt) == 1)
2244 goto authenticated; 2033 goto authenticated;
2245 } else if (compat20 && have_agent) { 2034 } else if (have_agent) {
2246 if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) { 2035 if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) {
2247 error("Unable to get agent socket: %s", ssh_err(r)); 2036 error("Unable to get agent socket: %s", ssh_err(r));
2248 have_agent = 0; 2037 have_agent = 0;
@@ -2251,17 +2040,9 @@ main(int ac, char **av)
2251 2040
2252 /* perform the key exchange */ 2041 /* perform the key exchange */
2253 /* authenticate user and start session */ 2042 /* authenticate user and start session */
2254 if (compat20) { 2043 do_ssh2_kex();
2255 do_ssh2_kex(); 2044 do_authentication2(authctxt);
2256 do_authentication2(authctxt); 2045
2257 } else {
2258#ifdef WITH_SSH1
2259 do_ssh1_kex();
2260 do_authentication(authctxt);
2261#else
2262 fatal("ssh1 not supported");
2263#endif
2264 }
2265 /* 2046 /*
2266 * If we use privilege separation, the unprivileged child transfers 2047 * If we use privilege separation, the unprivileged child transfers
2267 * the current keystate and exits 2048 * the current keystate and exits
@@ -2309,16 +2090,13 @@ main(int ac, char **av)
2309 if (use_privsep) { 2090 if (use_privsep) {
2310 privsep_postauth(authctxt); 2091 privsep_postauth(authctxt);
2311 /* the monitor process [priv] will not return */ 2092 /* the monitor process [priv] will not return */
2312 if (!compat20)
2313 destroy_sensitive_data();
2314 } 2093 }
2315 2094
2316 packet_set_timeout(options.client_alive_interval, 2095 packet_set_timeout(options.client_alive_interval,
2317 options.client_alive_count_max); 2096 options.client_alive_count_max);
2318 2097
2319 /* Try to send all our hostkeys to the client */ 2098 /* Try to send all our hostkeys to the client */
2320 if (compat20) 2099 notify_hostkeys(active_state);
2321 notify_hostkeys(active_state);
2322 2100
2323 /* Start session. */ 2101 /* Start session. */
2324 do_authenticated(authctxt); 2102 do_authenticated(authctxt);
@@ -2347,229 +2125,6 @@ main(int ac, char **av)
2347 exit(0); 2125 exit(0);
2348} 2126}
2349 2127
2350#ifdef WITH_SSH1
2351/*
2352 * Decrypt session_key_int using our private server key and private host key
2353 * (key with larger modulus first).
2354 */
2355int
2356ssh1_session_key(BIGNUM *session_key_int)
2357{
2358 struct ssh *ssh = active_state; /* XXX */
2359 int rsafail = 0;
2360
2361 if (BN_cmp(sensitive_data.server_key->rsa->n,
2362 sensitive_data.ssh1_host_key->rsa->n) > 0) {
2363 /* Server key has bigger modulus. */
2364 if (BN_num_bits(sensitive_data.server_key->rsa->n) <
2365 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
2366 SSH_KEY_BITS_RESERVED) {
2367 fatal("do_connection: %s port %d: "
2368 "server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
2369 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
2370 BN_num_bits(sensitive_data.server_key->rsa->n),
2371 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
2372 SSH_KEY_BITS_RESERVED);
2373 }
2374 if (rsa_private_decrypt(session_key_int, session_key_int,
2375 sensitive_data.server_key->rsa) != 0)
2376 rsafail++;
2377 if (rsa_private_decrypt(session_key_int, session_key_int,
2378 sensitive_data.ssh1_host_key->rsa) != 0)
2379 rsafail++;
2380 } else {
2381 /* Host key has bigger modulus (or they are equal). */
2382 if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
2383 BN_num_bits(sensitive_data.server_key->rsa->n) +
2384 SSH_KEY_BITS_RESERVED) {
2385 fatal("do_connection: %s port %d: "
2386 "host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
2387 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
2388 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
2389 BN_num_bits(sensitive_data.server_key->rsa->n),
2390 SSH_KEY_BITS_RESERVED);
2391 }
2392 if (rsa_private_decrypt(session_key_int, session_key_int,
2393 sensitive_data.ssh1_host_key->rsa) != 0)
2394 rsafail++;
2395 if (rsa_private_decrypt(session_key_int, session_key_int,
2396 sensitive_data.server_key->rsa) != 0)
2397 rsafail++;
2398 }
2399 return (rsafail);
2400}
2401
2402/*
2403 * SSH1 key exchange
2404 */
2405static void
2406do_ssh1_kex(void)
2407{
2408 struct ssh *ssh = active_state; /* XXX */
2409 int i, len;
2410 int rsafail = 0;
2411 BIGNUM *session_key_int, *fake_key_int, *real_key_int;
2412 u_char session_key[SSH_SESSION_KEY_LENGTH];
2413 u_char fake_key_bytes[4096 / 8];
2414 size_t fake_key_len;
2415 u_char cookie[8];
2416 u_int cipher_type, auth_mask, protocol_flags;
2417
2418 /*
2419 * Generate check bytes that the client must send back in the user
2420 * packet in order for it to be accepted; this is used to defy ip
2421 * spoofing attacks. Note that this only works against somebody
2422 * doing IP spoofing from a remote machine; any machine on the local
2423 * network can still see outgoing packets and catch the random
2424 * cookie. This only affects rhosts authentication, and this is one
2425 * of the reasons why it is inherently insecure.
2426 */
2427 arc4random_buf(cookie, sizeof(cookie));
2428
2429 /*
2430 * Send our public key. We include in the packet 64 bits of random
2431 * data that must be matched in the reply in order to prevent IP
2432 * spoofing.
2433 */
2434 packet_start(SSH_SMSG_PUBLIC_KEY);
2435 for (i = 0; i < 8; i++)
2436 packet_put_char(cookie[i]);
2437
2438 /* Store our public server RSA key. */
2439 packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));
2440 packet_put_bignum(sensitive_data.server_key->rsa->e);
2441 packet_put_bignum(sensitive_data.server_key->rsa->n);
2442
2443 /* Store our public host RSA key. */
2444 packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
2445 packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
2446 packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
2447
2448 /* Put protocol flags. */
2449 packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
2450
2451 /* Declare which ciphers we support. */
2452 packet_put_int(cipher_mask_ssh1(0));
2453
2454 /* Declare supported authentication types. */
2455 auth_mask = 0;
2456 if (options.rhosts_rsa_authentication)
2457 auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
2458 if (options.rsa_authentication)
2459 auth_mask |= 1 << SSH_AUTH_RSA;
2460 if (options.challenge_response_authentication == 1)
2461 auth_mask |= 1 << SSH_AUTH_TIS;
2462 if (options.password_authentication)
2463 auth_mask |= 1 << SSH_AUTH_PASSWORD;
2464 packet_put_int(auth_mask);
2465
2466 /* Send the packet and wait for it to be sent. */
2467 packet_send();
2468 packet_write_wait();
2469
2470 debug("Sent %d bit server key and %d bit host key.",
2471 BN_num_bits(sensitive_data.server_key->rsa->n),
2472 BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
2473
2474 /* Read clients reply (cipher type and session key). */
2475 packet_read_expect(SSH_CMSG_SESSION_KEY);
2476
2477 /* Get cipher type and check whether we accept this. */
2478 cipher_type = packet_get_char();
2479
2480 if (!(cipher_mask_ssh1(0) & (1 << cipher_type)))
2481 packet_disconnect("Warning: client selects unsupported cipher.");
2482
2483 /* Get check bytes from the packet. These must match those we
2484 sent earlier with the public key packet. */
2485 for (i = 0; i < 8; i++)
2486 if (cookie[i] != packet_get_char())
2487 packet_disconnect("IP Spoofing check bytes do not match.");
2488
2489 debug("Encryption type: %.200s", cipher_name(cipher_type));
2490
2491 /* Get the encrypted integer. */
2492 if ((real_key_int = BN_new()) == NULL)
2493 fatal("do_ssh1_kex: BN_new failed");
2494 packet_get_bignum(real_key_int);
2495
2496 protocol_flags = packet_get_int();
2497 packet_set_protocol_flags(protocol_flags);
2498 packet_check_eom();
2499
2500 /* Setup a fake key in case RSA decryption fails */
2501 if ((fake_key_int = BN_new()) == NULL)
2502 fatal("do_ssh1_kex: BN_new failed");
2503 fake_key_len = BN_num_bytes(real_key_int);
2504 if (fake_key_len > sizeof(fake_key_bytes))
2505 fake_key_len = sizeof(fake_key_bytes);
2506 arc4random_buf(fake_key_bytes, fake_key_len);
2507 if (BN_bin2bn(fake_key_bytes, fake_key_len, fake_key_int) == NULL)
2508 fatal("do_ssh1_kex: BN_bin2bn failed");
2509
2510 /* Decrypt real_key_int using host/server keys */
2511 rsafail = PRIVSEP(ssh1_session_key(real_key_int));
2512 /* If decryption failed, use the fake key. Else, the real key. */
2513 if (rsafail)
2514 session_key_int = fake_key_int;
2515 else
2516 session_key_int = real_key_int;
2517
2518 /*
2519 * Extract session key from the decrypted integer. The key is in the
2520 * least significant 256 bits of the integer; the first byte of the
2521 * key is in the highest bits.
2522 */
2523 (void) BN_mask_bits(session_key_int, sizeof(session_key) * 8);
2524 len = BN_num_bytes(session_key_int);
2525 if (len < 0 || (u_int)len > sizeof(session_key)) {
2526 error("%s: bad session key len from %s port %d: "
2527 "session_key_int %d > sizeof(session_key) %lu", __func__,
2528 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
2529 len, (u_long)sizeof(session_key));
2530 rsafail++;
2531 } else {
2532 explicit_bzero(session_key, sizeof(session_key));
2533 BN_bn2bin(session_key_int,
2534 session_key + sizeof(session_key) - len);
2535
2536 derive_ssh1_session_id(
2537 sensitive_data.ssh1_host_key->rsa->n,
2538 sensitive_data.server_key->rsa->n,
2539 cookie, session_id);
2540 /*
2541 * Xor the first 16 bytes of the session key with the
2542 * session id.
2543 */
2544 for (i = 0; i < 16; i++)
2545 session_key[i] ^= session_id[i];
2546 }
2547
2548 /* Destroy the private and public keys. No longer. */
2549 destroy_sensitive_data();
2550
2551 if (use_privsep)
2552 mm_ssh1_session_id(session_id);
2553
2554 /* Destroy the decrypted integer. It is no longer needed. */
2555 BN_clear_free(real_key_int);
2556 BN_clear_free(fake_key_int);
2557
2558 /* Set the session key. From this on all communications will be encrypted. */
2559 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
2560
2561 /* Destroy our copy of the session key. It is no longer needed. */
2562 explicit_bzero(session_key, sizeof(session_key));
2563
2564 debug("Received session key; encryption turned on.");
2565
2566 /* Send an acknowledgment packet. Note that this packet is sent encrypted. */
2567 packet_start(SSH_SMSG_SUCCESS);
2568 packet_send();
2569 packet_write_wait();
2570}
2571#endif
2572
2573int 2128int
2574sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen, 2129sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen,
2575 const u_char *data, size_t dlen, const char *alg, u_int flag) 2130 const u_char *data, size_t dlen, const char *alg, u_int flag)
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 16:12:45 +0000