1 /* $OpenBSD: kex.c,v 1.161 2020/12/04 02:27:08 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include "includes.h" 27 28 #include <sys/types.h> 29 #include <errno.h> 30 #include <signal.h> 31 #include <stdarg.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 #include <unistd.h> 36 #ifdef HAVE_POLL_H 37 #include <poll.h> 38 #endif 39 40 #ifdef WITH_OPENSSL 41 #include <openssl/crypto.h> 42 #include <openssl/dh.h> 43 #endif 44 45 #include "ssh.h" 46 #include "ssh2.h" 47 #include "atomicio.h" 48 #include "version.h" 49 #include "packet.h" 50 #include "compat.h" 51 #include "cipher.h" 52 #include "sshkey.h" 53 #include "kex.h" 54 #include "log.h" 55 #include "mac.h" 56 #include "match.h" 57 #include "misc.h" 58 #include "dispatch.h" 59 #include "monitor.h" 60 61 #include "ssherr.h" 62 #include "sshbuf.h" 63 #include "digest.h" 64 65 /* prototype */ 66 static int kex_choose_conf(struct ssh *); 67 static int kex_input_newkeys(int, u_int32_t, struct ssh *); 68 69 static const char *proposal_names[PROPOSAL_MAX] = { 70 "KEX algorithms", 71 "host key algorithms", 72 "ciphers ctos", 73 "ciphers stoc", 74 "MACs ctos", 75 "MACs stoc", 76 "compression ctos", 77 "compression stoc", 78 "languages ctos", 79 "languages stoc", 80 }; 81 82 struct kexalg { 83 char *name; 84 u_int type; 85 int ec_nid; 86 int hash_alg; 87 }; 88 static const struct kexalg kexalgs[] = { 89 #ifdef WITH_OPENSSL 90 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, 91 { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, 92 { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, 93 { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, 94 { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, 95 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, 96 #ifdef HAVE_EVP_SHA256 97 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, 98 #endif /* HAVE_EVP_SHA256 */ 99 #ifdef OPENSSL_HAS_ECC 100 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, 101 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 102 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, 103 SSH_DIGEST_SHA384 }, 104 # ifdef OPENSSL_HAS_NISTP521 105 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, 106 SSH_DIGEST_SHA512 }, 107 # endif /* OPENSSL_HAS_NISTP521 */ 108 #endif /* OPENSSL_HAS_ECC */ 109 #endif /* WITH_OPENSSL */ 110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) 111 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 112 { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 113 { KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0, 114 SSH_DIGEST_SHA512 }, 115 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 116 { NULL, 0, -1, -1}, 117 }; 118 119 char * 120 kex_alg_list(char sep) 121 { 122 char *ret = NULL, *tmp; 123 size_t nlen, rlen = 0; 124 const struct kexalg *k; 125 126 for (k = kexalgs; k->name != NULL; k++) { 127 if (ret != NULL) 128 ret[rlen++] = sep; 129 nlen = strlen(k->name); 130 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 131 free(ret); 132 return NULL; 133 } 134 ret = tmp; 135 memcpy(ret + rlen, k->name, nlen + 1); 136 rlen += nlen; 137 } 138 return ret; 139 } 140 141 static const struct kexalg * 142 kex_alg_by_name(const char *name) 143 { 144 const struct kexalg *k; 145 146 for (k = kexalgs; k->name != NULL; k++) { 147 if (strcmp(k->name, name) == 0) 148 return k; 149 } 150 return NULL; 151 } 152 153 /* Validate KEX method name list */ 154 int 155 kex_names_valid(const char *names) 156 { 157 char *s, *cp, *p; 158 159 if (names == NULL || strcmp(names, "") == 0) 160 return 0; 161 if ((s = cp = strdup(names)) == NULL) 162 return 0; 163 for ((p = strsep(&cp, ",")); p && *p != '\0'; 164 (p = strsep(&cp, ","))) { 165 if (kex_alg_by_name(p) == NULL) { 166 error("Unsupported KEX algorithm \"%.100s\"", p); 167 free(s); 168 return 0; 169 } 170 } 171 debug3("kex names ok: [%s]", names); 172 free(s); 173 return 1; 174 } 175 176 /* 177 * Concatenate algorithm names, avoiding duplicates in the process. 178 * Caller must free returned string. 179 */ 180 char * 181 kex_names_cat(const char *a, const char *b) 182 { 183 char *ret = NULL, *tmp = NULL, *cp, *p, *m; 184 size_t len; 185 186 if (a == NULL || *a == '\0') 187 return strdup(b); 188 if (b == NULL || *b == '\0') 189 return strdup(a); 190 if (strlen(b) > 1024*1024) 191 return NULL; 192 len = strlen(a) + strlen(b) + 2; 193 if ((tmp = cp = strdup(b)) == NULL || 194 (ret = calloc(1, len)) == NULL) { 195 free(tmp); 196 return NULL; 197 } 198 strlcpy(ret, a, len); 199 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { 200 if ((m = match_list(ret, p, NULL)) != NULL) { 201 free(m); 202 continue; /* Algorithm already present */ 203 } 204 if (strlcat(ret, ",", len) >= len || 205 strlcat(ret, p, len) >= len) { 206 free(tmp); 207 free(ret); 208 return NULL; /* Shouldn't happen */ 209 } 210 } 211 free(tmp); 212 return ret; 213 } 214 215 /* 216 * Assemble a list of algorithms from a default list and a string from a 217 * configuration file. The user-provided string may begin with '+' to 218 * indicate that it should be appended to the default, '-' that the 219 * specified names should be removed, or '^' that they should be placed 220 * at the head. 221 */ 222 int 223 kex_assemble_names(char **listp, const char *def, const char *all) 224 { 225 char *cp, *tmp, *patterns; 226 char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL; 227 int r = SSH_ERR_INTERNAL_ERROR; 228 229 if (listp == NULL || def == NULL || all == NULL) 230 return SSH_ERR_INVALID_ARGUMENT; 231 232 if (*listp == NULL || **listp == '\0') { 233 if ((*listp = strdup(def)) == NULL) 234 return SSH_ERR_ALLOC_FAIL; 235 return 0; 236 } 237 238 list = *listp; 239 *listp = NULL; 240 if (*list == '+') { 241 /* Append names to default list */ 242 if ((tmp = kex_names_cat(def, list + 1)) == NULL) { 243 r = SSH_ERR_ALLOC_FAIL; 244 goto fail; 245 } 246 free(list); 247 list = tmp; 248 } else if (*list == '-') { 249 /* Remove names from default list */ 250 if ((*listp = match_filter_denylist(def, list + 1)) == NULL) { 251 r = SSH_ERR_ALLOC_FAIL; 252 goto fail; 253 } 254 free(list); 255 /* filtering has already been done */ 256 return 0; 257 } else if (*list == '^') { 258 /* Place names at head of default list */ 259 if ((tmp = kex_names_cat(list + 1, def)) == NULL) { 260 r = SSH_ERR_ALLOC_FAIL; 261 goto fail; 262 } 263 free(list); 264 list = tmp; 265 } else { 266 /* Explicit list, overrides default - just use "list" as is */ 267 } 268 269 /* 270 * The supplied names may be a pattern-list. For the -list case, 271 * the patterns are applied above. For the +list and explicit list 272 * cases we need to do it now. 273 */ 274 ret = NULL; 275 if ((patterns = opatterns = strdup(list)) == NULL) { 276 r = SSH_ERR_ALLOC_FAIL; 277 goto fail; 278 } 279 /* Apply positive (i.e. non-negated) patterns from the list */ 280 while ((cp = strsep(&patterns, ",")) != NULL) { 281 if (*cp == '!') { 282 /* negated matches are not supported here */ 283 r = SSH_ERR_INVALID_ARGUMENT; 284 goto fail; 285 } 286 free(matching); 287 if ((matching = match_filter_allowlist(all, cp)) == NULL) { 288 r = SSH_ERR_ALLOC_FAIL; 289 goto fail; 290 } 291 if ((tmp = kex_names_cat(ret, matching)) == NULL) { 292 r = SSH_ERR_ALLOC_FAIL; 293 goto fail; 294 } 295 free(ret); 296 ret = tmp; 297 } 298 if (ret == NULL || *ret == '\0') { 299 /* An empty name-list is an error */ 300 /* XXX better error code? */ 301 r = SSH_ERR_INVALID_ARGUMENT; 302 goto fail; 303 } 304 305 /* success */ 306 *listp = ret; 307 ret = NULL; 308 r = 0; 309 310 fail: 311 free(matching); 312 free(opatterns); 313 free(list); 314 free(ret); 315 return r; 316 } 317 318 /* put algorithm proposal into buffer */ 319 int 320 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) 321 { 322 u_int i; 323 int r; 324 325 sshbuf_reset(b); 326 327 /* 328 * add a dummy cookie, the cookie will be overwritten by 329 * kex_send_kexinit(), each time a kexinit is set 330 */ 331 for (i = 0; i < KEX_COOKIE_LEN; i++) { 332 if ((r = sshbuf_put_u8(b, 0)) != 0) 333 return r; 334 } 335 for (i = 0; i < PROPOSAL_MAX; i++) { 336 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0) 337 return r; 338 } 339 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */ 340 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */ 341 return r; 342 return 0; 343 } 344 345 /* parse buffer and return algorithm proposal */ 346 int 347 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) 348 { 349 struct sshbuf *b = NULL; 350 u_char v; 351 u_int i; 352 char **proposal = NULL; 353 int r; 354 355 *propp = NULL; 356 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL) 357 return SSH_ERR_ALLOC_FAIL; 358 if ((b = sshbuf_fromb(raw)) == NULL) { 359 r = SSH_ERR_ALLOC_FAIL; 360 goto out; 361 } 362 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */ 363 error_fr(r, "consume cookie"); 364 goto out; 365 } 366 /* extract kex init proposal strings */ 367 for (i = 0; i < PROPOSAL_MAX; i++) { 368 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) { 369 error_fr(r, "parse proposal %u", i); 370 goto out; 371 } 372 debug2("%s: %s", proposal_names[i], proposal[i]); 373 } 374 /* first kex follows / reserved */ 375 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ 376 (r = sshbuf_get_u32(b, &i)) != 0) { /* reserved */ 377 error_fr(r, "parse"); 378 goto out; 379 } 380 if (first_kex_follows != NULL) 381 *first_kex_follows = v; 382 debug2("first_kex_follows %d ", v); 383 debug2("reserved %u ", i); 384 r = 0; 385 *propp = proposal; 386 out: 387 if (r != 0 && proposal != NULL) 388 kex_prop_free(proposal); 389 sshbuf_free(b); 390 return r; 391 } 392 393 void 394 kex_prop_free(char **proposal) 395 { 396 u_int i; 397 398 if (proposal == NULL) 399 return; 400 for (i = 0; i < PROPOSAL_MAX; i++) 401 free(proposal[i]); 402 free(proposal); 403 } 404 405 /* ARGSUSED */ 406 static int 407 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) 408 { 409 int r; 410 411 error("kex protocol error: type %d seq %u", type, seq); 412 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || 413 (r = sshpkt_put_u32(ssh, seq)) != 0 || 414 (r = sshpkt_send(ssh)) != 0) 415 return r; 416 return 0; 417 } 418 419 static void 420 kex_reset_dispatch(struct ssh *ssh) 421 { 422 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN, 423 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); 424 } 425 426 static int 427 kex_send_ext_info(struct ssh *ssh) 428 { 429 int r; 430 char *algs; 431 432 debug("Sending SSH2_MSG_EXT_INFO"); 433 if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL) 434 return SSH_ERR_ALLOC_FAIL; 435 /* XXX filter algs list by allowed pubkey/hostbased types */ 436 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || 437 (r = sshpkt_put_u32(ssh, 1)) != 0 || 438 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || 439 (r = sshpkt_put_cstring(ssh, algs)) != 0 || 440 (r = sshpkt_send(ssh)) != 0) { 441 error_fr(r, "compose"); 442 goto out; 443 } 444 /* success */ 445 r = 0; 446 out: 447 free(algs); 448 return r; 449 } 450 451 int 452 kex_send_newkeys(struct ssh *ssh) 453 { 454 int r; 455 456 kex_reset_dispatch(ssh); 457 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 || 458 (r = sshpkt_send(ssh)) != 0) 459 return r; 460 debug("SSH2_MSG_NEWKEYS sent"); 461 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); 462 if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0) 463 if ((r = kex_send_ext_info(ssh)) != 0) 464 return r; 465 debug("expecting SSH2_MSG_NEWKEYS"); 466 return 0; 467 } 468 469 int 470 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) 471 { 472 struct kex *kex = ssh->kex; 473 u_int32_t i, ninfo; 474 char *name; 475 u_char *val; 476 size_t vlen; 477 int r; 478 479 debug("SSH2_MSG_EXT_INFO received"); 480 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); 481 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) 482 return r; 483 for (i = 0; i < ninfo; i++) { 484 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) 485 return r; 486 if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) { 487 free(name); 488 return r; 489 } 490 if (strcmp(name, "server-sig-algs") == 0) { 491 /* Ensure no \0 lurking in value */ 492 if (memchr(val, '\0', vlen) != NULL) { 493 error_f("nul byte in %s", name); 494 return SSH_ERR_INVALID_FORMAT; 495 } 496 debug_f("%s=<%s>", name, val); 497 kex->server_sig_algs = val; 498 val = NULL; 499 } else 500 debug_f("%s (unrecognised)", name); 501 free(name); 502 free(val); 503 } 504 return sshpkt_get_end(ssh); 505 } 506 507 static int 508 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh) 509 { 510 struct kex *kex = ssh->kex; 511 int r; 512 513 debug("SSH2_MSG_NEWKEYS received"); 514 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); 515 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 516 if ((r = sshpkt_get_end(ssh)) != 0) 517 return r; 518 if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) 519 return r; 520 kex->done = 1; 521 kex->flags &= ~KEX_INITIAL; 522 sshbuf_reset(kex->peer); 523 /* sshbuf_reset(kex->my); */ 524 kex->flags &= ~KEX_INIT_SENT; 525 free(kex->name); 526 kex->name = NULL; 527 return 0; 528 } 529 530 int 531 kex_send_kexinit(struct ssh *ssh) 532 { 533 u_char *cookie; 534 struct kex *kex = ssh->kex; 535 int r; 536 537 if (kex == NULL) { 538 error_f("no kex"); 539 return SSH_ERR_INTERNAL_ERROR; 540 } 541 if (kex->flags & KEX_INIT_SENT) 542 return 0; 543 kex->done = 0; 544 545 /* generate a random cookie */ 546 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) { 547 error_f("bad kex length: %zu < %d", 548 sshbuf_len(kex->my), KEX_COOKIE_LEN); 549 return SSH_ERR_INVALID_FORMAT; 550 } 551 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) { 552 error_f("buffer error"); 553 return SSH_ERR_INTERNAL_ERROR; 554 } 555 arc4random_buf(cookie, KEX_COOKIE_LEN); 556 557 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || 558 (r = sshpkt_putb(ssh, kex->my)) != 0 || 559 (r = sshpkt_send(ssh)) != 0) { 560 error_fr(r, "compose reply"); 561 return r; 562 } 563 debug("SSH2_MSG_KEXINIT sent"); 564 kex->flags |= KEX_INIT_SENT; 565 return 0; 566 } 567 568 /* ARGSUSED */ 569 int 570 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) 571 { 572 struct kex *kex = ssh->kex; 573 const u_char *ptr; 574 u_int i; 575 size_t dlen; 576 int r; 577 578 debug("SSH2_MSG_KEXINIT received"); 579 if (kex == NULL) { 580 error_f("no kex"); 581 return SSH_ERR_INTERNAL_ERROR; 582 } 583 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); 584 ptr = sshpkt_ptr(ssh, &dlen); 585 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) 586 return r; 587 588 /* discard packet */ 589 for (i = 0; i < KEX_COOKIE_LEN; i++) { 590 if ((r = sshpkt_get_u8(ssh, NULL)) != 0) { 591 error_fr(r, "discard cookie"); 592 return r; 593 } 594 } 595 for (i = 0; i < PROPOSAL_MAX; i++) { 596 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) { 597 error_fr(r, "discard proposal"); 598 return r; 599 } 600 } 601 /* 602 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported 603 * KEX method has the server move first, but a server might be using 604 * a custom method or one that we otherwise don't support. We should 605 * be prepared to remember first_kex_follows here so we can eat a 606 * packet later. 607 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means 608 * for cases where the server *doesn't* go first. I guess we should 609 * ignore it when it is set for these cases, which is what we do now. 610 */ 611 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */ 612 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */ 613 (r = sshpkt_get_end(ssh)) != 0) 614 return r; 615 616 if (!(kex->flags & KEX_INIT_SENT)) 617 if ((r = kex_send_kexinit(ssh)) != 0) 618 return r; 619 if ((r = kex_choose_conf(ssh)) != 0) 620 return r; 621 622 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) 623 return (kex->kex[kex->kex_type])(ssh); 624 625 error_f("unknown kex type %u", kex->kex_type); 626 return SSH_ERR_INTERNAL_ERROR; 627 } 628 629 struct kex * 630 kex_new(void) 631 { 632 struct kex *kex; 633 634 if ((kex = calloc(1, sizeof(*kex))) == NULL || 635 (kex->peer = sshbuf_new()) == NULL || 636 (kex->my = sshbuf_new()) == NULL || 637 (kex->client_version = sshbuf_new()) == NULL || 638 (kex->server_version = sshbuf_new()) == NULL) { 639 kex_free(kex); 640 return NULL; 641 } 642 return kex; 643 } 644 645 void 646 kex_free_newkeys(struct newkeys *newkeys) 647 { 648 if (newkeys == NULL) 649 return; 650 if (newkeys->enc.key) { 651 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len); 652 free(newkeys->enc.key); 653 newkeys->enc.key = NULL; 654 } 655 if (newkeys->enc.iv) { 656 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); 657 free(newkeys->enc.iv); 658 newkeys->enc.iv = NULL; 659 } 660 free(newkeys->enc.name); 661 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc)); 662 free(newkeys->comp.name); 663 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp)); 664 mac_clear(&newkeys->mac); 665 if (newkeys->mac.key) { 666 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len); 667 free(newkeys->mac.key); 668 newkeys->mac.key = NULL; 669 } 670 free(newkeys->mac.name); 671 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac)); 672 freezero(newkeys, sizeof(*newkeys)); 673 } 674 675 void 676 kex_free(struct kex *kex) 677 { 678 u_int mode; 679 680 if (kex == NULL) 681 return; 682 683 #ifdef WITH_OPENSSL 684 DH_free(kex->dh); 685 #ifdef OPENSSL_HAS_ECC 686 EC_KEY_free(kex->ec_client_key); 687 #endif /* OPENSSL_HAS_ECC */ 688 #endif /* WITH_OPENSSL */ 689 for (mode = 0; mode < MODE_MAX; mode++) { 690 kex_free_newkeys(kex->newkeys[mode]); 691 kex->newkeys[mode] = NULL; 692 } 693 sshbuf_free(kex->peer); 694 sshbuf_free(kex->my); 695 sshbuf_free(kex->client_version); 696 sshbuf_free(kex->server_version); 697 sshbuf_free(kex->client_pub); 698 free(kex->session_id); 699 free(kex->failed_choice); 700 free(kex->hostkey_alg); 701 free(kex->name); 702 free(kex); 703 } 704 705 int 706 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) 707 { 708 int r; 709 710 if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0) 711 return r; 712 ssh->kex->flags = KEX_INITIAL; 713 kex_reset_dispatch(ssh); 714 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 715 return 0; 716 } 717 718 int 719 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) 720 { 721 int r; 722 723 if ((r = kex_ready(ssh, proposal)) != 0) 724 return r; 725 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */ 726 kex_free(ssh->kex); 727 ssh->kex = NULL; 728 return r; 729 } 730 return 0; 731 } 732 733 /* 734 * Request key re-exchange, returns 0 on success or a ssherr.h error 735 * code otherwise. Must not be called if KEX is incomplete or in-progress. 736 */ 737 int 738 kex_start_rekex(struct ssh *ssh) 739 { 740 if (ssh->kex == NULL) { 741 error_f("no kex"); 742 return SSH_ERR_INTERNAL_ERROR; 743 } 744 if (ssh->kex->done == 0) { 745 error_f("requested twice"); 746 return SSH_ERR_INTERNAL_ERROR; 747 } 748 ssh->kex->done = 0; 749 return kex_send_kexinit(ssh); 750 } 751 752 static int 753 choose_enc(struct sshenc *enc, char *client, char *server) 754 { 755 char *name = match_list(client, server, NULL); 756 757 if (name == NULL) 758 return SSH_ERR_NO_CIPHER_ALG_MATCH; 759 if ((enc->cipher = cipher_by_name(name)) == NULL) { 760 error_f("unsupported cipher %s", name); 761 free(name); 762 return SSH_ERR_INTERNAL_ERROR; 763 } 764 enc->name = name; 765 enc->enabled = 0; 766 enc->iv = NULL; 767 enc->iv_len = cipher_ivlen(enc->cipher); 768 enc->key = NULL; 769 enc->key_len = cipher_keylen(enc->cipher); 770 enc->block_size = cipher_blocksize(enc->cipher); 771 return 0; 772 } 773 774 static int 775 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) 776 { 777 char *name = match_list(client, server, NULL); 778 779 if (name == NULL) 780 return SSH_ERR_NO_MAC_ALG_MATCH; 781 if (mac_setup(mac, name) < 0) { 782 error_f("unsupported MAC %s", name); 783 free(name); 784 return SSH_ERR_INTERNAL_ERROR; 785 } 786 mac->name = name; 787 mac->key = NULL; 788 mac->enabled = 0; 789 return 0; 790 } 791 792 static int 793 choose_comp(struct sshcomp *comp, char *client, char *server) 794 { 795 char *name = match_list(client, server, NULL); 796 797 if (name == NULL) 798 return SSH_ERR_NO_COMPRESS_ALG_MATCH; 799 #ifdef WITH_ZLIB 800 if (strcmp(name, "zlib@openssh.com") == 0) { 801 comp->type = COMP_DELAYED; 802 } else if (strcmp(name, "zlib") == 0) { 803 comp->type = COMP_ZLIB; 804 } else 805 #endif /* WITH_ZLIB */ 806 if (strcmp(name, "none") == 0) { 807 comp->type = COMP_NONE; 808 } else { 809 error_f("unsupported compression scheme %s", name); 810 free(name); 811 return SSH_ERR_INTERNAL_ERROR; 812 } 813 comp->name = name; 814 return 0; 815 } 816 817 static int 818 choose_kex(struct kex *k, char *client, char *server) 819 { 820 const struct kexalg *kexalg; 821 822 k->name = match_list(client, server, NULL); 823 824 debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); 825 if (k->name == NULL) 826 return SSH_ERR_NO_KEX_ALG_MATCH; 827 if ((kexalg = kex_alg_by_name(k->name)) == NULL) { 828 error_f("unsupported KEX method %s", k->name); 829 return SSH_ERR_INTERNAL_ERROR; 830 } 831 k->kex_type = kexalg->type; 832 k->hash_alg = kexalg->hash_alg; 833 k->ec_nid = kexalg->ec_nid; 834 return 0; 835 } 836 837 static int 838 choose_hostkeyalg(struct kex *k, char *client, char *server) 839 { 840 k->hostkey_alg = match_list(client, server, NULL); 841 842 debug("kex: host key algorithm: %s", 843 k->hostkey_alg ? k->hostkey_alg : "(no match)"); 844 if (k->hostkey_alg == NULL) 845 return SSH_ERR_NO_HOSTKEY_ALG_MATCH; 846 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); 847 if (k->hostkey_type == KEY_UNSPEC) { 848 error_f("unsupported hostkey algorithm %s", k->hostkey_alg); 849 return SSH_ERR_INTERNAL_ERROR; 850 } 851 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); 852 return 0; 853 } 854 855 static int 856 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) 857 { 858 static int check[] = { 859 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 860 }; 861 int *idx; 862 char *p; 863 864 for (idx = &check[0]; *idx != -1; idx++) { 865 if ((p = strchr(my[*idx], ',')) != NULL) 866 *p = '\0'; 867 if ((p = strchr(peer[*idx], ',')) != NULL) 868 *p = '\0'; 869 if (strcmp(my[*idx], peer[*idx]) != 0) { 870 debug2("proposal mismatch: my %s peer %s", 871 my[*idx], peer[*idx]); 872 return (0); 873 } 874 } 875 debug2("proposals match"); 876 return (1); 877 } 878 879 static int 880 kex_choose_conf(struct ssh *ssh) 881 { 882 struct kex *kex = ssh->kex; 883 struct newkeys *newkeys; 884 char **my = NULL, **peer = NULL; 885 char **cprop, **sprop; 886 int nenc, nmac, ncomp; 887 u_int mode, ctos, need, dh_need, authlen; 888 int r, first_kex_follows; 889 890 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); 891 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) 892 goto out; 893 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); 894 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) 895 goto out; 896 897 if (kex->server) { 898 cprop=peer; 899 sprop=my; 900 } else { 901 cprop=my; 902 sprop=peer; 903 } 904 905 /* Check whether client supports ext_info_c */ 906 if (kex->server && (kex->flags & KEX_INITIAL)) { 907 char *ext; 908 909 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); 910 kex->ext_info_c = (ext != NULL); 911 free(ext); 912 } 913 914 /* Algorithm Negotiation */ 915 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], 916 sprop[PROPOSAL_KEX_ALGS])) != 0) { 917 kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; 918 peer[PROPOSAL_KEX_ALGS] = NULL; 919 goto out; 920 } 921 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], 922 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { 923 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; 924 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; 925 goto out; 926 } 927 for (mode = 0; mode < MODE_MAX; mode++) { 928 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { 929 r = SSH_ERR_ALLOC_FAIL; 930 goto out; 931 } 932 kex->newkeys[mode] = newkeys; 933 ctos = (!kex->server && mode == MODE_OUT) || 934 (kex->server && mode == MODE_IN); 935 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 936 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 937 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 938 if ((r = choose_enc(&newkeys->enc, cprop[nenc], 939 sprop[nenc])) != 0) { 940 kex->failed_choice = peer[nenc]; 941 peer[nenc] = NULL; 942 goto out; 943 } 944 authlen = cipher_authlen(newkeys->enc.cipher); 945 /* ignore mac for authenticated encryption */ 946 if (authlen == 0 && 947 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], 948 sprop[nmac])) != 0) { 949 kex->failed_choice = peer[nmac]; 950 peer[nmac] = NULL; 951 goto out; 952 } 953 if ((r = choose_comp(&newkeys->comp, cprop[ncomp], 954 sprop[ncomp])) != 0) { 955 kex->failed_choice = peer[ncomp]; 956 peer[ncomp] = NULL; 957 goto out; 958 } 959 debug("kex: %s cipher: %s MAC: %s compression: %s", 960 ctos ? "client->server" : "server->client", 961 newkeys->enc.name, 962 authlen == 0 ? newkeys->mac.name : "<implicit>", 963 newkeys->comp.name); 964 } 965 need = dh_need = 0; 966 for (mode = 0; mode < MODE_MAX; mode++) { 967 newkeys = kex->newkeys[mode]; 968 need = MAXIMUM(need, newkeys->enc.key_len); 969 need = MAXIMUM(need, newkeys->enc.block_size); 970 need = MAXIMUM(need, newkeys->enc.iv_len); 971 need = MAXIMUM(need, newkeys->mac.key_len); 972 dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher)); 973 dh_need = MAXIMUM(dh_need, newkeys->enc.block_size); 974 dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len); 975 dh_need = MAXIMUM(dh_need, newkeys->mac.key_len); 976 } 977 /* XXX need runden? */ 978 kex->we_need = need; 979 kex->dh_need = dh_need; 980 981 /* ignore the next message if the proposals do not match */ 982 if (first_kex_follows && !proposals_match(my, peer)) 983 ssh->dispatch_skip_packets = 1; 984 r = 0; 985 out: 986 kex_prop_free(my); 987 kex_prop_free(peer); 988 return r; 989 } 990 991 static int 992 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, 993 const struct sshbuf *shared_secret, u_char **keyp) 994 { 995 struct kex *kex = ssh->kex; 996 struct ssh_digest_ctx *hashctx = NULL; 997 char c = id; 998 u_int have; 999 size_t mdsz; 1000 u_char *digest; 1001 int r; 1002 1003 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) 1004 return SSH_ERR_INVALID_ARGUMENT; 1005 if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) { 1006 r = SSH_ERR_ALLOC_FAIL; 1007 goto out; 1008 } 1009 1010 /* K1 = HASH(K || H || "A" || session_id) */ 1011 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 1012 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 1013 ssh_digest_update(hashctx, hash, hashlen) != 0 || 1014 ssh_digest_update(hashctx, &c, 1) != 0 || 1015 ssh_digest_update(hashctx, kex->session_id, 1016 kex->session_id_len) != 0 || 1017 ssh_digest_final(hashctx, digest, mdsz) != 0) { 1018 r = SSH_ERR_LIBCRYPTO_ERROR; 1019 error_f("KEX hash failed"); 1020 goto out; 1021 } 1022 ssh_digest_free(hashctx); 1023 hashctx = NULL; 1024 1025 /* 1026 * expand key: 1027 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) 1028 * Key = K1 || K2 || ... || Kn 1029 */ 1030 for (have = mdsz; need > have; have += mdsz) { 1031 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 1032 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 1033 ssh_digest_update(hashctx, hash, hashlen) != 0 || 1034 ssh_digest_update(hashctx, digest, have) != 0 || 1035 ssh_digest_final(hashctx, digest + have, mdsz) != 0) { 1036 error_f("KDF failed"); 1037 r = SSH_ERR_LIBCRYPTO_ERROR; 1038 goto out; 1039 } 1040 ssh_digest_free(hashctx); 1041 hashctx = NULL; 1042 } 1043 #ifdef DEBUG_KEX 1044 fprintf(stderr, "key '%c'== ", c); 1045 dump_digest("key", digest, need); 1046 #endif 1047 *keyp = digest; 1048 digest = NULL; 1049 r = 0; 1050 out: 1051 free(digest); 1052 ssh_digest_free(hashctx); 1053 return r; 1054 } 1055 1056 #define NKEYS 6 1057 int 1058 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen, 1059 const struct sshbuf *shared_secret) 1060 { 1061 struct kex *kex = ssh->kex; 1062 u_char *keys[NKEYS]; 1063 u_int i, j, mode, ctos; 1064 int r; 1065 1066 /* save initial hash as session id */ 1067 if (kex->session_id == NULL) { 1068 kex->session_id_len = hashlen; 1069 kex->session_id = malloc(kex->session_id_len); 1070 if (kex->session_id == NULL) 1071 return SSH_ERR_ALLOC_FAIL; 1072 memcpy(kex->session_id, hash, kex->session_id_len); 1073 } 1074 for (i = 0; i < NKEYS; i++) { 1075 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, 1076 shared_secret, &keys[i])) != 0) { 1077 for (j = 0; j < i; j++) 1078 free(keys[j]); 1079 return r; 1080 } 1081 } 1082 for (mode = 0; mode < MODE_MAX; mode++) { 1083 ctos = (!kex->server && mode == MODE_OUT) || 1084 (kex->server && mode == MODE_IN); 1085 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1]; 1086 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3]; 1087 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5]; 1088 } 1089 return 0; 1090 } 1091 1092 int 1093 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp) 1094 { 1095 struct kex *kex = ssh->kex; 1096 1097 *pubp = NULL; 1098 *prvp = NULL; 1099 if (kex->load_host_public_key == NULL || 1100 kex->load_host_private_key == NULL) { 1101 error_f("missing hostkey loader"); 1102 return SSH_ERR_INVALID_ARGUMENT; 1103 } 1104 *pubp = kex->load_host_public_key(kex->hostkey_type, 1105 kex->hostkey_nid, ssh); 1106 *prvp = kex->load_host_private_key(kex->hostkey_type, 1107 kex->hostkey_nid, ssh); 1108 if (*pubp == NULL) 1109 return SSH_ERR_NO_HOSTKEY_LOADED; 1110 return 0; 1111 } 1112 1113 int 1114 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key) 1115 { 1116 struct kex *kex = ssh->kex; 1117 1118 if (kex->verify_host_key == NULL) { 1119 error_f("missing hostkey verifier"); 1120 return SSH_ERR_INVALID_ARGUMENT; 1121 } 1122 if (server_host_key->type != kex->hostkey_type || 1123 (kex->hostkey_type == KEY_ECDSA && 1124 server_host_key->ecdsa_nid != kex->hostkey_nid)) 1125 return SSH_ERR_KEY_TYPE_MISMATCH; 1126 if (kex->verify_host_key(server_host_key, ssh) == -1) 1127 return SSH_ERR_SIGNATURE_INVALID; 1128 return 0; 1129 } 1130 1131 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) 1132 void 1133 dump_digest(const char *msg, const u_char *digest, int len) 1134 { 1135 fprintf(stderr, "%s\n", msg); 1136 sshbuf_dump_data(digest, len, stderr); 1137 } 1138 #endif 1139 1140 /* 1141 * Send a plaintext error message to the peer, suffixed by \r\n. 1142 * Only used during banner exchange, and there only for the server. 1143 */ 1144 static void 1145 send_error(struct ssh *ssh, char *msg) 1146 { 1147 char *crnl = "\r\n"; 1148 1149 if (!ssh->kex->server) 1150 return; 1151 1152 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1153 msg, strlen(msg)) != strlen(msg) || 1154 atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1155 crnl, strlen(crnl)) != strlen(crnl)) 1156 error_f("write: %.100s", strerror(errno)); 1157 } 1158 1159 /* 1160 * Sends our identification string and waits for the peer's. Will block for 1161 * up to timeout_ms (or indefinitely if timeout_ms <= 0). 1162 * Returns on 0 success or a ssherr.h code on failure. 1163 */ 1164 int 1165 kex_exchange_identification(struct ssh *ssh, int timeout_ms, 1166 const char *version_addendum) 1167 { 1168 int remote_major, remote_minor, mismatch, oerrno = 0; 1169 size_t len, i, n; 1170 int r, expect_nl; 1171 u_char c; 1172 struct sshbuf *our_version = ssh->kex->server ? 1173 ssh->kex->server_version : ssh->kex->client_version; 1174 struct sshbuf *peer_version = ssh->kex->server ? 1175 ssh->kex->client_version : ssh->kex->server_version; 1176 char *our_version_string = NULL, *peer_version_string = NULL; 1177 char *cp, *remote_version = NULL; 1178 1179 /* Prepare and send our banner */ 1180 sshbuf_reset(our_version); 1181 if (version_addendum != NULL && *version_addendum == '\0') 1182 version_addendum = NULL; 1183 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", 1184 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, 1185 version_addendum == NULL ? "" : " ", 1186 version_addendum == NULL ? "" : version_addendum)) != 0) { 1187 oerrno = errno; 1188 error_fr(r, "sshbuf_putf"); 1189 goto out; 1190 } 1191 1192 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1193 sshbuf_mutable_ptr(our_version), 1194 sshbuf_len(our_version)) != sshbuf_len(our_version)) { 1195 oerrno = errno; 1196 debug_f("write: %.100s", strerror(errno)); 1197 r = SSH_ERR_SYSTEM_ERROR; 1198 goto out; 1199 } 1200 if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */ 1201 oerrno = errno; 1202 error_fr(r, "sshbuf_consume_end"); 1203 goto out; 1204 } 1205 our_version_string = sshbuf_dup_string(our_version); 1206 if (our_version_string == NULL) { 1207 error_f("sshbuf_dup_string failed"); 1208 r = SSH_ERR_ALLOC_FAIL; 1209 goto out; 1210 } 1211 debug("Local version string %.100s", our_version_string); 1212 1213 /* Read other side's version identification. */ 1214 for (n = 0; ; n++) { 1215 if (n >= SSH_MAX_PRE_BANNER_LINES) { 1216 send_error(ssh, "No SSH identification string " 1217 "received."); 1218 error_f("No SSH version received in first %u lines " 1219 "from server", SSH_MAX_PRE_BANNER_LINES); 1220 r = SSH_ERR_INVALID_FORMAT; 1221 goto out; 1222 } 1223 sshbuf_reset(peer_version); 1224 expect_nl = 0; 1225 for (i = 0; ; i++) { 1226 if (timeout_ms > 0) { 1227 r = waitrfd(ssh_packet_get_connection_in(ssh), 1228 &timeout_ms); 1229 if (r == -1 && errno == ETIMEDOUT) { 1230 send_error(ssh, "Timed out waiting " 1231 "for SSH identification string."); 1232 error("Connection timed out during " 1233 "banner exchange"); 1234 r = SSH_ERR_CONN_TIMEOUT; 1235 goto out; 1236 } else if (r == -1) { 1237 oerrno = errno; 1238 error_f("%s", strerror(errno)); 1239 r = SSH_ERR_SYSTEM_ERROR; 1240 goto out; 1241 } 1242 } 1243 1244 len = atomicio(read, ssh_packet_get_connection_in(ssh), 1245 &c, 1); 1246 if (len != 1 && errno == EPIPE) { 1247 error_f("Connection closed by remote host"); 1248 r = SSH_ERR_CONN_CLOSED; 1249 goto out; 1250 } else if (len != 1) { 1251 oerrno = errno; 1252 error_f("read: %.100s", strerror(errno)); 1253 r = SSH_ERR_SYSTEM_ERROR; 1254 goto out; 1255 } 1256 if (c == '\r') { 1257 expect_nl = 1; 1258 continue; 1259 } 1260 if (c == '\n') 1261 break; 1262 if (c == '\0' || expect_nl) { 1263 error_f("banner line contains invalid " 1264 "characters"); 1265 goto invalid; 1266 } 1267 if ((r = sshbuf_put_u8(peer_version, c)) != 0) { 1268 oerrno = errno; 1269 error_fr(r, "sshbuf_put"); 1270 goto out; 1271 } 1272 if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) { 1273 error_f("banner line too long"); 1274 goto invalid; 1275 } 1276 } 1277 /* Is this an actual protocol banner? */ 1278 if (sshbuf_len(peer_version) > 4 && 1279 memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0) 1280 break; 1281 /* If not, then just log the line and continue */ 1282 if ((cp = sshbuf_dup_string(peer_version)) == NULL) { 1283 error_f("sshbuf_dup_string failed"); 1284 r = SSH_ERR_ALLOC_FAIL; 1285 goto out; 1286 } 1287 /* Do not accept lines before the SSH ident from a client */ 1288 if (ssh->kex->server) { 1289 error_f("client sent invalid protocol identifier " 1290 "\"%.256s\"", cp); 1291 free(cp); 1292 goto invalid; 1293 } 1294 debug_f("banner line %zu: %s", n, cp); 1295 free(cp); 1296 } 1297 peer_version_string = sshbuf_dup_string(peer_version); 1298 if (peer_version_string == NULL) 1299 error_f("sshbuf_dup_string failed"); 1300 /* XXX must be same size for sscanf */ 1301 if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) { 1302 error_f("calloc failed"); 1303 r = SSH_ERR_ALLOC_FAIL; 1304 goto out; 1305 } 1306 1307 /* 1308 * Check that the versions match. In future this might accept 1309 * several versions and set appropriate flags to handle them. 1310 */ 1311 if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n", 1312 &remote_major, &remote_minor, remote_version) != 3) { 1313 error("Bad remote protocol version identification: '%.100s'", 1314 peer_version_string); 1315 invalid: 1316 send_error(ssh, "Invalid SSH identification string."); 1317 r = SSH_ERR_INVALID_FORMAT; 1318 goto out; 1319 } 1320 debug("Remote protocol version %d.%d, remote software version %.100s", 1321 remote_major, remote_minor, remote_version); 1322 ssh->compat = compat_datafellows(remote_version); 1323 1324 mismatch = 0; 1325 switch (remote_major) { 1326 case 2: 1327 break; 1328 case 1: 1329 if (remote_minor != 99) 1330 mismatch = 1; 1331 break; 1332 default: 1333 mismatch = 1; 1334 break; 1335 } 1336 if (mismatch) { 1337 error("Protocol major versions differ: %d vs. %d", 1338 PROTOCOL_MAJOR_2, remote_major); 1339 send_error(ssh, "Protocol major versions differ."); 1340 r = SSH_ERR_NO_PROTOCOL_VERSION; 1341 goto out; 1342 } 1343 1344 if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) { 1345 logit("probed from %s port %d with %s. Don't panic.", 1346 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 1347 peer_version_string); 1348 r = SSH_ERR_CONN_CLOSED; /* XXX */ 1349 goto out; 1350 } 1351 if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) { 1352 logit("scanned from %s port %d with %s. Don't panic.", 1353 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 1354 peer_version_string); 1355 r = SSH_ERR_CONN_CLOSED; /* XXX */ 1356 goto out; 1357 } 1358 if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) { 1359 logit("Remote version \"%.100s\" uses unsafe RSA signature " 1360 "scheme; disabling use of RSA keys", remote_version); 1361 } 1362 /* success */ 1363 r = 0; 1364 out: 1365 free(our_version_string); 1366 free(peer_version_string); 1367 free(remote_version); 1368 if (r == SSH_ERR_SYSTEM_ERROR) 1369 errno = oerrno; 1370 return r; 1371 } 1372 1373