diff options
Diffstat (limited to 'sshd.c')
-rw-r--r-- | sshd.c | 479 |
1 files changed, 17 insertions, 462 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.471 2016/08/03 04:23:55 dtucker Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.472 2016/08/13 17:47:41 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -87,7 +87,6 @@ | |||
87 | 87 | ||
88 | #include "xmalloc.h" | 88 | #include "xmalloc.h" |
89 | #include "ssh.h" | 89 | #include "ssh.h" |
90 | #include "ssh1.h" | ||
91 | #include "ssh2.h" | 90 | #include "ssh2.h" |
92 | #include "rsa.h" | 91 | #include "rsa.h" |
93 | #include "sshpty.h" | 92 | #include "sshpty.h" |
@@ -201,22 +200,12 @@ int have_agent = 0; | |||
201 | * not very useful. Currently, memory locking is not implemented. | 200 | * not very useful. Currently, memory locking is not implemented. |
202 | */ | 201 | */ |
203 | struct { | 202 | struct { |
204 | Key *server_key; /* ephemeral server key */ | ||
205 | Key *ssh1_host_key; /* ssh1 host key */ | ||
206 | Key **host_keys; /* all private host keys */ | 203 | Key **host_keys; /* all private host keys */ |
207 | Key **host_pubkeys; /* all public host keys */ | 204 | Key **host_pubkeys; /* all public host keys */ |
208 | Key **host_certificates; /* all public host certificates */ | 205 | Key **host_certificates; /* all public host certificates */ |
209 | int have_ssh1_key; | ||
210 | int have_ssh2_key; | 206 | int have_ssh2_key; |
211 | u_char ssh1_cookie[SSH_SESSION_KEY_LENGTH]; | ||
212 | } sensitive_data; | 207 | } sensitive_data; |
213 | 208 | ||
214 | /* | ||
215 | * Flag indicating whether the RSA server key needs to be regenerated. | ||
216 | * Is set in the SIGALRM handler and cleared when the key is regenerated. | ||
217 | */ | ||
218 | static volatile sig_atomic_t key_do_regen = 0; | ||
219 | |||
220 | /* This is set to true when a signal is received. */ | 209 | /* This is set to true when a signal is received. */ |
221 | static volatile sig_atomic_t received_sighup = 0; | 210 | static volatile sig_atomic_t received_sighup = 0; |
222 | static volatile sig_atomic_t received_sigterm = 0; | 211 | static volatile sig_atomic_t received_sigterm = 0; |
@@ -255,10 +244,6 @@ struct passwd *privsep_pw = NULL; | |||
255 | /* Prototypes for various functions defined later in this file. */ | 244 | /* Prototypes for various functions defined later in this file. */ |
256 | void destroy_sensitive_data(void); | 245 | void destroy_sensitive_data(void); |
257 | void demote_sensitive_data(void); | 246 | void demote_sensitive_data(void); |
258 | |||
259 | #ifdef WITH_SSH1 | ||
260 | static void do_ssh1_kex(void); | ||
261 | #endif | ||
262 | static void do_ssh2_kex(void); | 247 | static void do_ssh2_kex(void); |
263 | 248 | ||
264 | /* | 249 | /* |
@@ -375,43 +360,10 @@ grace_alarm_handler(int sig) | |||
375 | ssh_remote_ipaddr(active_state), ssh_remote_port(active_state)); | 360 | ssh_remote_ipaddr(active_state), ssh_remote_port(active_state)); |
376 | } | 361 | } |
377 | 362 | ||
378 | /* | ||
379 | * Signal handler for the key regeneration alarm. Note that this | ||
380 | * alarm only occurs in the daemon waiting for connections, and it does not | ||
381 | * do anything with the private key or random state before forking. | ||
382 | * Thus there should be no concurrency control/asynchronous execution | ||
383 | * problems. | ||
384 | */ | ||
385 | static void | ||
386 | generate_ephemeral_server_key(void) | ||
387 | { | ||
388 | verbose("Generating %s%d bit RSA key.", | ||
389 | sensitive_data.server_key ? "new " : "", options.server_key_bits); | ||
390 | if (sensitive_data.server_key != NULL) | ||
391 | key_free(sensitive_data.server_key); | ||
392 | sensitive_data.server_key = key_generate(KEY_RSA1, | ||
393 | options.server_key_bits); | ||
394 | verbose("RSA key generation complete."); | ||
395 | |||
396 | arc4random_buf(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); | ||
397 | } | ||
398 | |||
399 | /*ARGSUSED*/ | ||
400 | static void | ||
401 | key_regeneration_alarm(int sig) | ||
402 | { | ||
403 | int save_errno = errno; | ||
404 | |||
405 | signal(SIGALRM, SIG_DFL); | ||
406 | errno = save_errno; | ||
407 | key_do_regen = 1; | ||
408 | } | ||
409 | |||
410 | static void | 363 | static void |
411 | sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) | 364 | sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) |
412 | { | 365 | { |
413 | u_int i; | 366 | u_int i; |
414 | int mismatch; | ||
415 | int remote_major, remote_minor; | 367 | int remote_major, remote_minor; |
416 | int major, minor; | 368 | int major, minor; |
417 | char *s, *newline = "\n"; | 369 | char *s, *newline = "\n"; |
@@ -511,42 +463,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) | |||
511 | "refusing connection", remote_version); | 463 | "refusing connection", remote_version); |
512 | } | 464 | } |
513 | 465 | ||
514 | mismatch = 0; | ||
515 | switch (remote_major) { | ||
516 | case 1: | ||
517 | if (remote_minor == 99) { | ||
518 | if (options.protocol & SSH_PROTO_2) | ||
519 | enable_compat20(); | ||
520 | else | ||
521 | mismatch = 1; | ||
522 | break; | ||
523 | } | ||
524 | if (!(options.protocol & SSH_PROTO_1)) { | ||
525 | mismatch = 1; | ||
526 | break; | ||
527 | } | ||
528 | if (remote_minor < 3) { | ||
529 | packet_disconnect("Your ssh version is too old and " | ||
530 | "is no longer supported. Please install a newer version."); | ||
531 | } else if (remote_minor == 3) { | ||
532 | /* note that this disables agent-forwarding */ | ||
533 | enable_compat13(); | ||
534 | } | ||
535 | break; | ||
536 | case 2: | ||
537 | if (options.protocol & SSH_PROTO_2) { | ||
538 | enable_compat20(); | ||
539 | break; | ||
540 | } | ||
541 | /* FALLTHROUGH */ | ||
542 | default: | ||
543 | mismatch = 1; | ||
544 | break; | ||
545 | } | ||
546 | chop(server_version_string); | 466 | chop(server_version_string); |
547 | debug("Local version string %.200s", server_version_string); | 467 | debug("Local version string %.200s", server_version_string); |
548 | 468 | ||
549 | if (mismatch) { | 469 | if (remote_major == 2 || |
470 | (remote_major == 1 && remote_minor == 99)) { | ||
471 | enable_compat20(); | ||
472 | } else { | ||
550 | s = "Protocol major versions differ.\n"; | 473 | s = "Protocol major versions differ.\n"; |
551 | (void) atomicio(vwrite, sock_out, s, strlen(s)); | 474 | (void) atomicio(vwrite, sock_out, s, strlen(s)); |
552 | close(sock_in); | 475 | close(sock_in); |
@@ -565,10 +488,6 @@ destroy_sensitive_data(void) | |||
565 | { | 488 | { |
566 | int i; | 489 | int i; |
567 | 490 | ||
568 | if (sensitive_data.server_key) { | ||
569 | key_free(sensitive_data.server_key); | ||
570 | sensitive_data.server_key = NULL; | ||
571 | } | ||
572 | for (i = 0; i < options.num_host_key_files; i++) { | 491 | for (i = 0; i < options.num_host_key_files; i++) { |
573 | if (sensitive_data.host_keys[i]) { | 492 | if (sensitive_data.host_keys[i]) { |
574 | key_free(sensitive_data.host_keys[i]); | 493 | key_free(sensitive_data.host_keys[i]); |
@@ -579,8 +498,6 @@ destroy_sensitive_data(void) | |||
579 | sensitive_data.host_certificates[i] = NULL; | 498 | sensitive_data.host_certificates[i] = NULL; |
580 | } | 499 | } |
581 | } | 500 | } |
582 | sensitive_data.ssh1_host_key = NULL; | ||
583 | explicit_bzero(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); | ||
584 | } | 501 | } |
585 | 502 | ||
586 | /* Demote private to public keys for network child */ | 503 | /* Demote private to public keys for network child */ |
@@ -590,24 +507,14 @@ demote_sensitive_data(void) | |||
590 | Key *tmp; | 507 | Key *tmp; |
591 | int i; | 508 | int i; |
592 | 509 | ||
593 | if (sensitive_data.server_key) { | ||
594 | tmp = key_demote(sensitive_data.server_key); | ||
595 | key_free(sensitive_data.server_key); | ||
596 | sensitive_data.server_key = tmp; | ||
597 | } | ||
598 | |||
599 | for (i = 0; i < options.num_host_key_files; i++) { | 510 | for (i = 0; i < options.num_host_key_files; i++) { |
600 | if (sensitive_data.host_keys[i]) { | 511 | if (sensitive_data.host_keys[i]) { |
601 | tmp = key_demote(sensitive_data.host_keys[i]); | 512 | tmp = key_demote(sensitive_data.host_keys[i]); |
602 | key_free(sensitive_data.host_keys[i]); | 513 | key_free(sensitive_data.host_keys[i]); |
603 | sensitive_data.host_keys[i] = tmp; | 514 | sensitive_data.host_keys[i] = tmp; |
604 | if (tmp->type == KEY_RSA1) | ||
605 | sensitive_data.ssh1_host_key = tmp; | ||
606 | } | 515 | } |
607 | /* Certs do not need demotion */ | 516 | /* Certs do not need demotion */ |
608 | } | 517 | } |
609 | |||
610 | /* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */ | ||
611 | } | 518 | } |
612 | 519 | ||
613 | static void | 520 | static void |
@@ -803,7 +710,7 @@ list_hostkey_types(void) | |||
803 | key = sensitive_data.host_keys[i]; | 710 | key = sensitive_data.host_keys[i]; |
804 | if (key == NULL) | 711 | if (key == NULL) |
805 | key = sensitive_data.host_pubkeys[i]; | 712 | key = sensitive_data.host_pubkeys[i]; |
806 | if (key == NULL || key->type == KEY_RSA1) | 713 | if (key == NULL) |
807 | continue; | 714 | continue; |
808 | /* Check that the key is accepted in HostkeyAlgorithms */ | 715 | /* Check that the key is accepted in HostkeyAlgorithms */ |
809 | if (match_pattern_list(sshkey_ssh_name(key), | 716 | if (match_pattern_list(sshkey_ssh_name(key), |
@@ -952,7 +859,7 @@ notify_hostkeys(struct ssh *ssh) | |||
952 | for (i = nkeys = 0; i < options.num_host_key_files; i++) { | 859 | for (i = nkeys = 0; i < options.num_host_key_files; i++) { |
953 | key = get_hostkey_public_by_index(i, ssh); | 860 | key = get_hostkey_public_by_index(i, ssh); |
954 | if (key == NULL || key->type == KEY_UNSPEC || | 861 | if (key == NULL || key->type == KEY_UNSPEC || |
955 | key->type == KEY_RSA1 || sshkey_is_cert(key)) | 862 | sshkey_is_cert(key)) |
956 | continue; | 863 | continue; |
957 | fp = sshkey_fingerprint(key, options.fingerprint_hash, | 864 | fp = sshkey_fingerprint(key, options.fingerprint_hash, |
958 | SSH_FP_DEFAULT); | 865 | SSH_FP_DEFAULT); |
@@ -1038,13 +945,6 @@ send_rexec_state(int fd, struct sshbuf *conf) | |||
1038 | /* | 945 | /* |
1039 | * Protocol from reexec master to child: | 946 | * Protocol from reexec master to child: |
1040 | * string configuration | 947 | * string configuration |
1041 | * u_int ephemeral_key_follows | ||
1042 | * bignum e (only if ephemeral_key_follows == 1) | ||
1043 | * bignum n " | ||
1044 | * bignum d " | ||
1045 | * bignum iqmp " | ||
1046 | * bignum p " | ||
1047 | * bignum q " | ||
1048 | * string rngseed (only if OpenSSL is not self-seeded) | 948 | * string rngseed (only if OpenSSL is not self-seeded) |
1049 | */ | 949 | */ |
1050 | if ((m = sshbuf_new()) == NULL) | 950 | if ((m = sshbuf_new()) == NULL) |
@@ -1052,28 +952,6 @@ send_rexec_state(int fd, struct sshbuf *conf) | |||
1052 | if ((r = sshbuf_put_stringb(m, conf)) != 0) | 952 | if ((r = sshbuf_put_stringb(m, conf)) != 0) |
1053 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 953 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
1054 | 954 | ||
1055 | #ifdef WITH_SSH1 | ||
1056 | if (sensitive_data.server_key != NULL && | ||
1057 | sensitive_data.server_key->type == KEY_RSA1) { | ||
1058 | if ((r = sshbuf_put_u32(m, 1)) != 0 || | ||
1059 | (r = sshbuf_put_bignum1(m, | ||
1060 | sensitive_data.server_key->rsa->e)) != 0 || | ||
1061 | (r = sshbuf_put_bignum1(m, | ||
1062 | sensitive_data.server_key->rsa->n)) != 0 || | ||
1063 | (r = sshbuf_put_bignum1(m, | ||
1064 | sensitive_data.server_key->rsa->d)) != 0 || | ||
1065 | (r = sshbuf_put_bignum1(m, | ||
1066 | sensitive_data.server_key->rsa->iqmp)) != 0 || | ||
1067 | (r = sshbuf_put_bignum1(m, | ||
1068 | sensitive_data.server_key->rsa->p)) != 0 || | ||
1069 | (r = sshbuf_put_bignum1(m, | ||
1070 | sensitive_data.server_key->rsa->q)) != 0) | ||
1071 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
1072 | } else | ||
1073 | #endif | ||
1074 | if ((r = sshbuf_put_u32(m, 0)) != 0) | ||
1075 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
1076 | |||
1077 | #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) | 955 | #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) |
1078 | rexec_send_rng_seed(m); | 956 | rexec_send_rng_seed(m); |
1079 | #endif | 957 | #endif |
@@ -1107,24 +985,6 @@ recv_rexec_state(int fd, Buffer *conf) | |||
1107 | buffer_append(conf, cp, len); | 985 | buffer_append(conf, cp, len); |
1108 | free(cp); | 986 | free(cp); |
1109 | 987 | ||
1110 | if (buffer_get_int(&m)) { | ||
1111 | #ifdef WITH_SSH1 | ||
1112 | if (sensitive_data.server_key != NULL) | ||
1113 | key_free(sensitive_data.server_key); | ||
1114 | sensitive_data.server_key = key_new_private(KEY_RSA1); | ||
1115 | buffer_get_bignum(&m, sensitive_data.server_key->rsa->e); | ||
1116 | buffer_get_bignum(&m, sensitive_data.server_key->rsa->n); | ||
1117 | buffer_get_bignum(&m, sensitive_data.server_key->rsa->d); | ||
1118 | buffer_get_bignum(&m, sensitive_data.server_key->rsa->iqmp); | ||
1119 | buffer_get_bignum(&m, sensitive_data.server_key->rsa->p); | ||
1120 | buffer_get_bignum(&m, sensitive_data.server_key->rsa->q); | ||
1121 | if (rsa_generate_additional_parameters( | ||
1122 | sensitive_data.server_key->rsa) != 0) | ||
1123 | fatal("%s: rsa_generate_additional_parameters " | ||
1124 | "error", __func__); | ||
1125 | #endif | ||
1126 | } | ||
1127 | |||
1128 | #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) | 988 | #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) |
1129 | rexec_recv_rng_seed(&m); | 989 | rexec_recv_rng_seed(&m); |
1130 | #endif | 990 | #endif |
@@ -1248,7 +1108,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
1248 | { | 1108 | { |
1249 | fd_set *fdset; | 1109 | fd_set *fdset; |
1250 | int i, j, ret, maxfd; | 1110 | int i, j, ret, maxfd; |
1251 | int key_used = 0, startups = 0; | 1111 | int startups = 0; |
1252 | int startup_p[2] = { -1 , -1 }; | 1112 | int startup_p[2] = { -1 , -1 }; |
1253 | struct sockaddr_storage from; | 1113 | struct sockaddr_storage from; |
1254 | socklen_t fromlen; | 1114 | socklen_t fromlen; |
@@ -1295,11 +1155,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
1295 | unlink(options.pid_file); | 1155 | unlink(options.pid_file); |
1296 | exit(received_sigterm == SIGTERM ? 0 : 255); | 1156 | exit(received_sigterm == SIGTERM ? 0 : 255); |
1297 | } | 1157 | } |
1298 | if (key_used && key_do_regen) { | ||
1299 | generate_ephemeral_server_key(); | ||
1300 | key_used = 0; | ||
1301 | key_do_regen = 0; | ||
1302 | } | ||
1303 | if (ret < 0) | 1158 | if (ret < 0) |
1304 | continue; | 1159 | continue; |
1305 | 1160 | ||
@@ -1434,19 +1289,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
1434 | close(config_s[0]); | 1289 | close(config_s[0]); |
1435 | close(config_s[1]); | 1290 | close(config_s[1]); |
1436 | } | 1291 | } |
1437 | |||
1438 | /* | ||
1439 | * Mark that the key has been used (it | ||
1440 | * was "given" to the child). | ||
1441 | */ | ||
1442 | if ((options.protocol & SSH_PROTO_1) && | ||
1443 | key_used == 0) { | ||
1444 | /* Schedule server key regeneration alarm. */ | ||
1445 | signal(SIGALRM, key_regeneration_alarm); | ||
1446 | alarm(options.key_regeneration_time); | ||
1447 | key_used = 1; | ||
1448 | } | ||
1449 | |||
1450 | close(*newsock); | 1292 | close(*newsock); |
1451 | 1293 | ||
1452 | /* | 1294 | /* |
@@ -1619,8 +1461,7 @@ main(int ac, char **av) | |||
1619 | options.log_level = SYSLOG_LEVEL_QUIET; | 1461 | options.log_level = SYSLOG_LEVEL_QUIET; |
1620 | break; | 1462 | break; |
1621 | case 'b': | 1463 | case 'b': |
1622 | options.server_key_bits = (int)strtonum(optarg, 256, | 1464 | /* ignored */ |
1623 | 32768, NULL); | ||
1624 | break; | 1465 | break; |
1625 | case 'p': | 1466 | case 'p': |
1626 | options.ports_from_cmdline = 1; | 1467 | options.ports_from_cmdline = 1; |
@@ -1726,9 +1567,6 @@ main(int ac, char **av) | |||
1726 | drop_cray_privs(); | 1567 | drop_cray_privs(); |
1727 | #endif | 1568 | #endif |
1728 | 1569 | ||
1729 | sensitive_data.server_key = NULL; | ||
1730 | sensitive_data.ssh1_host_key = NULL; | ||
1731 | sensitive_data.have_ssh1_key = 0; | ||
1732 | sensitive_data.have_ssh2_key = 0; | 1570 | sensitive_data.have_ssh2_key = 0; |
1733 | 1571 | ||
1734 | /* | 1572 | /* |
@@ -1852,8 +1690,7 @@ main(int ac, char **av) | |||
1852 | sensitive_data.host_keys[i] = key; | 1690 | sensitive_data.host_keys[i] = key; |
1853 | sensitive_data.host_pubkeys[i] = pubkey; | 1691 | sensitive_data.host_pubkeys[i] = pubkey; |
1854 | 1692 | ||
1855 | if (key == NULL && pubkey != NULL && pubkey->type != KEY_RSA1 && | 1693 | if (key == NULL && pubkey != NULL && have_agent) { |
1856 | have_agent) { | ||
1857 | debug("will rely on agent for hostkey %s", | 1694 | debug("will rely on agent for hostkey %s", |
1858 | options.host_key_files[i]); | 1695 | options.host_key_files[i]); |
1859 | keytype = pubkey->type; | 1696 | keytype = pubkey->type; |
@@ -1868,10 +1705,6 @@ main(int ac, char **av) | |||
1868 | } | 1705 | } |
1869 | 1706 | ||
1870 | switch (keytype) { | 1707 | switch (keytype) { |
1871 | case KEY_RSA1: | ||
1872 | sensitive_data.ssh1_host_key = key; | ||
1873 | sensitive_data.have_ssh1_key = 1; | ||
1874 | break; | ||
1875 | case KEY_RSA: | 1708 | case KEY_RSA: |
1876 | case KEY_DSA: | 1709 | case KEY_DSA: |
1877 | case KEY_ECDSA: | 1710 | case KEY_ECDSA: |
@@ -1884,19 +1717,10 @@ main(int ac, char **av) | |||
1884 | SSH_FP_DEFAULT)) == NULL) | 1717 | SSH_FP_DEFAULT)) == NULL) |
1885 | fatal("sshkey_fingerprint failed"); | 1718 | fatal("sshkey_fingerprint failed"); |
1886 | debug("%s host key #%d: %s %s", | 1719 | debug("%s host key #%d: %s %s", |
1887 | key ? "private" : "agent", i, keytype == KEY_RSA1 ? | 1720 | key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); |
1888 | sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp); | ||
1889 | free(fp); | 1721 | free(fp); |
1890 | } | 1722 | } |
1891 | if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { | 1723 | if (!sensitive_data.have_ssh2_key) { |
1892 | logit("Disabling protocol version 1. Could not load host key"); | ||
1893 | options.protocol &= ~SSH_PROTO_1; | ||
1894 | } | ||
1895 | if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { | ||
1896 | logit("Disabling protocol version 2. Could not load host key"); | ||
1897 | options.protocol &= ~SSH_PROTO_2; | ||
1898 | } | ||
1899 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | ||
1900 | logit("sshd: no hostkeys available -- exiting."); | 1724 | logit("sshd: no hostkeys available -- exiting."); |
1901 | exit(1); | 1725 | exit(1); |
1902 | } | 1726 | } |
@@ -1944,33 +1768,6 @@ main(int ac, char **av) | |||
1944 | key_type(key)); | 1768 | key_type(key)); |
1945 | } | 1769 | } |
1946 | 1770 | ||
1947 | #ifdef WITH_SSH1 | ||
1948 | /* Check certain values for sanity. */ | ||
1949 | if (options.protocol & SSH_PROTO_1) { | ||
1950 | if (options.server_key_bits < SSH_RSA_MINIMUM_MODULUS_SIZE || | ||
1951 | options.server_key_bits > OPENSSL_RSA_MAX_MODULUS_BITS) { | ||
1952 | fprintf(stderr, "Bad server key size.\n"); | ||
1953 | exit(1); | ||
1954 | } | ||
1955 | /* | ||
1956 | * Check that server and host key lengths differ sufficiently. This | ||
1957 | * is necessary to make double encryption work with rsaref. Oh, I | ||
1958 | * hate software patents. I dont know if this can go? Niels | ||
1959 | */ | ||
1960 | if (options.server_key_bits > | ||
1961 | BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) - | ||
1962 | SSH_KEY_BITS_RESERVED && options.server_key_bits < | ||
1963 | BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + | ||
1964 | SSH_KEY_BITS_RESERVED) { | ||
1965 | options.server_key_bits = | ||
1966 | BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + | ||
1967 | SSH_KEY_BITS_RESERVED; | ||
1968 | debug("Forcing server key to %d bits to make it differ from host key.", | ||
1969 | options.server_key_bits); | ||
1970 | } | ||
1971 | } | ||
1972 | #endif | ||
1973 | |||
1974 | if (use_privsep) { | 1771 | if (use_privsep) { |
1975 | struct stat st; | 1772 | struct stat st; |
1976 | 1773 | ||
@@ -2068,9 +1865,6 @@ main(int ac, char **av) | |||
2068 | platform_pre_listen(); | 1865 | platform_pre_listen(); |
2069 | server_listen(); | 1866 | server_listen(); |
2070 | 1867 | ||
2071 | if (options.protocol & SSH_PROTO_1) | ||
2072 | generate_ephemeral_server_key(); | ||
2073 | |||
2074 | signal(SIGHUP, sighup_handler); | 1868 | signal(SIGHUP, sighup_handler); |
2075 | signal(SIGCHLD, main_sigchld_handler); | 1869 | signal(SIGCHLD, main_sigchld_handler); |
2076 | signal(SIGTERM, sigterm_handler); | 1870 | signal(SIGTERM, sigterm_handler); |
@@ -2220,11 +2014,6 @@ main(int ac, char **av) | |||
2220 | alarm(options.login_grace_time); | 2014 | alarm(options.login_grace_time); |
2221 | 2015 | ||
2222 | sshd_exchange_identification(ssh, sock_in, sock_out); | 2016 | sshd_exchange_identification(ssh, sock_in, sock_out); |
2223 | |||
2224 | /* In inetd mode, generate ephemeral key only for proto 1 connections */ | ||
2225 | if (!compat20 && inetd_flag && sensitive_data.server_key == NULL) | ||
2226 | generate_ephemeral_server_key(); | ||
2227 | |||
2228 | packet_set_nonblocking(); | 2017 | packet_set_nonblocking(); |
2229 | 2018 | ||
2230 | /* allocate authentication context */ | 2019 | /* allocate authentication context */ |
@@ -2242,7 +2031,7 @@ main(int ac, char **av) | |||
2242 | if (use_privsep) { | 2031 | if (use_privsep) { |
2243 | if (privsep_preauth(authctxt) == 1) | 2032 | if (privsep_preauth(authctxt) == 1) |
2244 | goto authenticated; | 2033 | goto authenticated; |
2245 | } else if (compat20 && have_agent) { | 2034 | } else if (have_agent) { |
2246 | if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) { | 2035 | if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) { |
2247 | error("Unable to get agent socket: %s", ssh_err(r)); | 2036 | error("Unable to get agent socket: %s", ssh_err(r)); |
2248 | have_agent = 0; | 2037 | have_agent = 0; |
@@ -2251,17 +2040,9 @@ main(int ac, char **av) | |||
2251 | 2040 | ||
2252 | /* perform the key exchange */ | 2041 | /* perform the key exchange */ |
2253 | /* authenticate user and start session */ | 2042 | /* authenticate user and start session */ |
2254 | if (compat20) { | 2043 | do_ssh2_kex(); |
2255 | do_ssh2_kex(); | 2044 | do_authentication2(authctxt); |
2256 | do_authentication2(authctxt); | 2045 | |
2257 | } else { | ||
2258 | #ifdef WITH_SSH1 | ||
2259 | do_ssh1_kex(); | ||
2260 | do_authentication(authctxt); | ||
2261 | #else | ||
2262 | fatal("ssh1 not supported"); | ||
2263 | #endif | ||
2264 | } | ||
2265 | /* | 2046 | /* |
2266 | * If we use privilege separation, the unprivileged child transfers | 2047 | * If we use privilege separation, the unprivileged child transfers |
2267 | * the current keystate and exits | 2048 | * the current keystate and exits |
@@ -2309,16 +2090,13 @@ main(int ac, char **av) | |||
2309 | if (use_privsep) { | 2090 | if (use_privsep) { |
2310 | privsep_postauth(authctxt); | 2091 | privsep_postauth(authctxt); |
2311 | /* the monitor process [priv] will not return */ | 2092 | /* the monitor process [priv] will not return */ |
2312 | if (!compat20) | ||
2313 | destroy_sensitive_data(); | ||
2314 | } | 2093 | } |
2315 | 2094 | ||
2316 | packet_set_timeout(options.client_alive_interval, | 2095 | packet_set_timeout(options.client_alive_interval, |
2317 | options.client_alive_count_max); | 2096 | options.client_alive_count_max); |
2318 | 2097 | ||
2319 | /* Try to send all our hostkeys to the client */ | 2098 | /* Try to send all our hostkeys to the client */ |
2320 | if (compat20) | 2099 | notify_hostkeys(active_state); |
2321 | notify_hostkeys(active_state); | ||
2322 | 2100 | ||
2323 | /* Start session. */ | 2101 | /* Start session. */ |
2324 | do_authenticated(authctxt); | 2102 | do_authenticated(authctxt); |
@@ -2347,229 +2125,6 @@ main(int ac, char **av) | |||
2347 | exit(0); | 2125 | exit(0); |
2348 | } | 2126 | } |
2349 | 2127 | ||
2350 | #ifdef WITH_SSH1 | ||
2351 | /* | ||
2352 | * Decrypt session_key_int using our private server key and private host key | ||
2353 | * (key with larger modulus first). | ||
2354 | */ | ||
2355 | int | ||
2356 | ssh1_session_key(BIGNUM *session_key_int) | ||
2357 | { | ||
2358 | struct ssh *ssh = active_state; /* XXX */ | ||
2359 | int rsafail = 0; | ||
2360 | |||
2361 | if (BN_cmp(sensitive_data.server_key->rsa->n, | ||
2362 | sensitive_data.ssh1_host_key->rsa->n) > 0) { | ||
2363 | /* Server key has bigger modulus. */ | ||
2364 | if (BN_num_bits(sensitive_data.server_key->rsa->n) < | ||
2365 | BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + | ||
2366 | SSH_KEY_BITS_RESERVED) { | ||
2367 | fatal("do_connection: %s port %d: " | ||
2368 | "server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d", | ||
2369 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), | ||
2370 | BN_num_bits(sensitive_data.server_key->rsa->n), | ||
2371 | BN_num_bits(sensitive_data.ssh1_host_key->rsa->n), | ||
2372 | SSH_KEY_BITS_RESERVED); | ||
2373 | } | ||
2374 | if (rsa_private_decrypt(session_key_int, session_key_int, | ||
2375 | sensitive_data.server_key->rsa) != 0) | ||
2376 | rsafail++; | ||
2377 | if (rsa_private_decrypt(session_key_int, session_key_int, | ||
2378 | sensitive_data.ssh1_host_key->rsa) != 0) | ||
2379 | rsafail++; | ||
2380 | } else { | ||
2381 | /* Host key has bigger modulus (or they are equal). */ | ||
2382 | if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) < | ||
2383 | BN_num_bits(sensitive_data.server_key->rsa->n) + | ||
2384 | SSH_KEY_BITS_RESERVED) { | ||
2385 | fatal("do_connection: %s port %d: " | ||
2386 | "host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d", | ||
2387 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), | ||
2388 | BN_num_bits(sensitive_data.ssh1_host_key->rsa->n), | ||
2389 | BN_num_bits(sensitive_data.server_key->rsa->n), | ||
2390 | SSH_KEY_BITS_RESERVED); | ||
2391 | } | ||
2392 | if (rsa_private_decrypt(session_key_int, session_key_int, | ||
2393 | sensitive_data.ssh1_host_key->rsa) != 0) | ||
2394 | rsafail++; | ||
2395 | if (rsa_private_decrypt(session_key_int, session_key_int, | ||
2396 | sensitive_data.server_key->rsa) != 0) | ||
2397 | rsafail++; | ||
2398 | } | ||
2399 | return (rsafail); | ||
2400 | } | ||
2401 | |||
2402 | /* | ||
2403 | * SSH1 key exchange | ||
2404 | */ | ||
2405 | static void | ||
2406 | do_ssh1_kex(void) | ||
2407 | { | ||
2408 | struct ssh *ssh = active_state; /* XXX */ | ||
2409 | int i, len; | ||
2410 | int rsafail = 0; | ||
2411 | BIGNUM *session_key_int, *fake_key_int, *real_key_int; | ||
2412 | u_char session_key[SSH_SESSION_KEY_LENGTH]; | ||
2413 | u_char fake_key_bytes[4096 / 8]; | ||
2414 | size_t fake_key_len; | ||
2415 | u_char cookie[8]; | ||
2416 | u_int cipher_type, auth_mask, protocol_flags; | ||
2417 | |||
2418 | /* | ||
2419 | * Generate check bytes that the client must send back in the user | ||
2420 | * packet in order for it to be accepted; this is used to defy ip | ||
2421 | * spoofing attacks. Note that this only works against somebody | ||
2422 | * doing IP spoofing from a remote machine; any machine on the local | ||
2423 | * network can still see outgoing packets and catch the random | ||
2424 | * cookie. This only affects rhosts authentication, and this is one | ||
2425 | * of the reasons why it is inherently insecure. | ||
2426 | */ | ||
2427 | arc4random_buf(cookie, sizeof(cookie)); | ||
2428 | |||
2429 | /* | ||
2430 | * Send our public key. We include in the packet 64 bits of random | ||
2431 | * data that must be matched in the reply in order to prevent IP | ||
2432 | * spoofing. | ||
2433 | */ | ||
2434 | packet_start(SSH_SMSG_PUBLIC_KEY); | ||
2435 | for (i = 0; i < 8; i++) | ||
2436 | packet_put_char(cookie[i]); | ||
2437 | |||
2438 | /* Store our public server RSA key. */ | ||
2439 | packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n)); | ||
2440 | packet_put_bignum(sensitive_data.server_key->rsa->e); | ||
2441 | packet_put_bignum(sensitive_data.server_key->rsa->n); | ||
2442 | |||
2443 | /* Store our public host RSA key. */ | ||
2444 | packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n)); | ||
2445 | packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e); | ||
2446 | packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n); | ||
2447 | |||
2448 | /* Put protocol flags. */ | ||
2449 | packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN); | ||
2450 | |||
2451 | /* Declare which ciphers we support. */ | ||
2452 | packet_put_int(cipher_mask_ssh1(0)); | ||
2453 | |||
2454 | /* Declare supported authentication types. */ | ||
2455 | auth_mask = 0; | ||
2456 | if (options.rhosts_rsa_authentication) | ||
2457 | auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; | ||
2458 | if (options.rsa_authentication) | ||
2459 | auth_mask |= 1 << SSH_AUTH_RSA; | ||
2460 | if (options.challenge_response_authentication == 1) | ||
2461 | auth_mask |= 1 << SSH_AUTH_TIS; | ||
2462 | if (options.password_authentication) | ||
2463 | auth_mask |= 1 << SSH_AUTH_PASSWORD; | ||
2464 | packet_put_int(auth_mask); | ||
2465 | |||
2466 | /* Send the packet and wait for it to be sent. */ | ||
2467 | packet_send(); | ||
2468 | packet_write_wait(); | ||
2469 | |||
2470 | debug("Sent %d bit server key and %d bit host key.", | ||
2471 | BN_num_bits(sensitive_data.server_key->rsa->n), | ||
2472 | BN_num_bits(sensitive_data.ssh1_host_key->rsa->n)); | ||
2473 | |||
2474 | /* Read clients reply (cipher type and session key). */ | ||
2475 | packet_read_expect(SSH_CMSG_SESSION_KEY); | ||
2476 | |||
2477 | /* Get cipher type and check whether we accept this. */ | ||
2478 | cipher_type = packet_get_char(); | ||
2479 | |||
2480 | if (!(cipher_mask_ssh1(0) & (1 << cipher_type))) | ||
2481 | packet_disconnect("Warning: client selects unsupported cipher."); | ||
2482 | |||
2483 | /* Get check bytes from the packet. These must match those we | ||
2484 | sent earlier with the public key packet. */ | ||
2485 | for (i = 0; i < 8; i++) | ||
2486 | if (cookie[i] != packet_get_char()) | ||
2487 | packet_disconnect("IP Spoofing check bytes do not match."); | ||
2488 | |||
2489 | debug("Encryption type: %.200s", cipher_name(cipher_type)); | ||
2490 | |||
2491 | /* Get the encrypted integer. */ | ||
2492 | if ((real_key_int = BN_new()) == NULL) | ||
2493 | fatal("do_ssh1_kex: BN_new failed"); | ||
2494 | packet_get_bignum(real_key_int); | ||
2495 | |||
2496 | protocol_flags = packet_get_int(); | ||
2497 | packet_set_protocol_flags(protocol_flags); | ||
2498 | packet_check_eom(); | ||
2499 | |||
2500 | /* Setup a fake key in case RSA decryption fails */ | ||
2501 | if ((fake_key_int = BN_new()) == NULL) | ||
2502 | fatal("do_ssh1_kex: BN_new failed"); | ||
2503 | fake_key_len = BN_num_bytes(real_key_int); | ||
2504 | if (fake_key_len > sizeof(fake_key_bytes)) | ||
2505 | fake_key_len = sizeof(fake_key_bytes); | ||
2506 | arc4random_buf(fake_key_bytes, fake_key_len); | ||
2507 | if (BN_bin2bn(fake_key_bytes, fake_key_len, fake_key_int) == NULL) | ||
2508 | fatal("do_ssh1_kex: BN_bin2bn failed"); | ||
2509 | |||
2510 | /* Decrypt real_key_int using host/server keys */ | ||
2511 | rsafail = PRIVSEP(ssh1_session_key(real_key_int)); | ||
2512 | /* If decryption failed, use the fake key. Else, the real key. */ | ||
2513 | if (rsafail) | ||
2514 | session_key_int = fake_key_int; | ||
2515 | else | ||
2516 | session_key_int = real_key_int; | ||
2517 | |||
2518 | /* | ||
2519 | * Extract session key from the decrypted integer. The key is in the | ||
2520 | * least significant 256 bits of the integer; the first byte of the | ||
2521 | * key is in the highest bits. | ||
2522 | */ | ||
2523 | (void) BN_mask_bits(session_key_int, sizeof(session_key) * 8); | ||
2524 | len = BN_num_bytes(session_key_int); | ||
2525 | if (len < 0 || (u_int)len > sizeof(session_key)) { | ||
2526 | error("%s: bad session key len from %s port %d: " | ||
2527 | "session_key_int %d > sizeof(session_key) %lu", __func__, | ||
2528 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), | ||
2529 | len, (u_long)sizeof(session_key)); | ||
2530 | rsafail++; | ||
2531 | } else { | ||
2532 | explicit_bzero(session_key, sizeof(session_key)); | ||
2533 | BN_bn2bin(session_key_int, | ||
2534 | session_key + sizeof(session_key) - len); | ||
2535 | |||
2536 | derive_ssh1_session_id( | ||
2537 | sensitive_data.ssh1_host_key->rsa->n, | ||
2538 | sensitive_data.server_key->rsa->n, | ||
2539 | cookie, session_id); | ||
2540 | /* | ||
2541 | * Xor the first 16 bytes of the session key with the | ||
2542 | * session id. | ||
2543 | */ | ||
2544 | for (i = 0; i < 16; i++) | ||
2545 | session_key[i] ^= session_id[i]; | ||
2546 | } | ||
2547 | |||
2548 | /* Destroy the private and public keys. No longer. */ | ||
2549 | destroy_sensitive_data(); | ||
2550 | |||
2551 | if (use_privsep) | ||
2552 | mm_ssh1_session_id(session_id); | ||
2553 | |||
2554 | /* Destroy the decrypted integer. It is no longer needed. */ | ||
2555 | BN_clear_free(real_key_int); | ||
2556 | BN_clear_free(fake_key_int); | ||
2557 | |||
2558 | /* Set the session key. From this on all communications will be encrypted. */ | ||
2559 | packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type); | ||
2560 | |||
2561 | /* Destroy our copy of the session key. It is no longer needed. */ | ||
2562 | explicit_bzero(session_key, sizeof(session_key)); | ||
2563 | |||
2564 | debug("Received session key; encryption turned on."); | ||
2565 | |||
2566 | /* Send an acknowledgment packet. Note that this packet is sent encrypted. */ | ||
2567 | packet_start(SSH_SMSG_SUCCESS); | ||
2568 | packet_send(); | ||
2569 | packet_write_wait(); | ||
2570 | } | ||
2571 | #endif | ||
2572 | |||
2573 | int | 2128 | int |
2574 | sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen, | 2129 | sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen, |
2575 | const u_char *data, size_t dlen, const char *alg, u_int flag) | 2130 | const u_char *data, size_t dlen, const char *alg, u_int flag) |