1 /* $OpenBSD: kex.c,v 1.168 2021/04/03 06:18:40 djm Exp $ */
2 /*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26 #include "includes.h"
27
28 #include <sys/types.h>
29 #include <errno.h>
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #ifdef HAVE_POLL_H
37 #include <poll.h>
38 #endif
39
40 #ifdef WITH_OPENSSL
41 #include <openssl/crypto.h>
42 #include <openssl/dh.h>
43 #endif
44
45 #include "ssh.h"
46 #include "ssh2.h"
47 #include "atomicio.h"
48 #include "version.h"
49 #include "packet.h"
50 #include "compat.h"
51 #include "cipher.h"
52 #include "sshkey.h"
53 #include "kex.h"
54 #include "log.h"
55 #include "mac.h"
56 #include "match.h"
57 #include "misc.h"
58 #include "dispatch.h"
59 #include "monitor.h"
60
61 #include "ssherr.h"
62 #include "sshbuf.h"
63 #include "digest.h"
64
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
68
69 static const char *proposal_names[PROPOSAL_MAX] = {
70 "KEX algorithms",
71 "host key algorithms",
72 "ciphers ctos",
73 "ciphers stoc",
74 "MACs ctos",
75 "MACs stoc",
76 "compression ctos",
77 "compression stoc",
78 "languages ctos",
79 "languages stoc",
80 };
81
82 struct kexalg {
83 char *name;
84 u_int type;
85 int ec_nid;
86 int hash_alg;
87 };
88 static const struct kexalg kexalgs[] = {
89 #ifdef WITH_OPENSSL
90 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
91 { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
92 { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
93 { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
94 { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
95 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
96 #ifdef HAVE_EVP_SHA256
97 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
98 #endif /* HAVE_EVP_SHA256 */
99 #ifdef OPENSSL_HAS_ECC
100 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
101 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
102 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
103 SSH_DIGEST_SHA384 },
104 # ifdef OPENSSL_HAS_NISTP521
105 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
106 SSH_DIGEST_SHA512 },
107 # endif /* OPENSSL_HAS_NISTP521 */
108 #endif /* OPENSSL_HAS_ECC */
109 #endif /* WITH_OPENSSL */
110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
111 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
112 { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
113 #ifdef USE_SNTRUP761X25519
114 { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0,
115 SSH_DIGEST_SHA512 },
116 #endif
117 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
118 { NULL, 0, -1, -1},
119 };
120
121 char *
kex_alg_list(char sep)122 kex_alg_list(char sep)
123 {
124 char *ret = NULL, *tmp;
125 size_t nlen, rlen = 0;
126 const struct kexalg *k;
127
128 for (k = kexalgs; k->name != NULL; k++) {
129 if (ret != NULL)
130 ret[rlen++] = sep;
131 nlen = strlen(k->name);
132 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
133 free(ret);
134 return NULL;
135 }
136 ret = tmp;
137 memcpy(ret + rlen, k->name, nlen + 1);
138 rlen += nlen;
139 }
140 return ret;
141 }
142
143 static const struct kexalg *
kex_alg_by_name(const char * name)144 kex_alg_by_name(const char *name)
145 {
146 const struct kexalg *k;
147
148 for (k = kexalgs; k->name != NULL; k++) {
149 if (strcmp(k->name, name) == 0)
150 return k;
151 }
152 return NULL;
153 }
154
155 /* Validate KEX method name list */
156 int
kex_names_valid(const char * names)157 kex_names_valid(const char *names)
158 {
159 char *s, *cp, *p;
160
161 if (names == NULL || strcmp(names, "") == 0)
162 return 0;
163 if ((s = cp = strdup(names)) == NULL)
164 return 0;
165 for ((p = strsep(&cp, ",")); p && *p != '\0';
166 (p = strsep(&cp, ","))) {
167 if (kex_alg_by_name(p) == NULL) {
168 error("Unsupported KEX algorithm \"%.100s\"", p);
169 free(s);
170 return 0;
171 }
172 }
173 debug3("kex names ok: [%s]", names);
174 free(s);
175 return 1;
176 }
177
178 /*
179 * Concatenate algorithm names, avoiding duplicates in the process.
180 * Caller must free returned string.
181 */
182 char *
kex_names_cat(const char * a,const char * b)183 kex_names_cat(const char *a, const char *b)
184 {
185 char *ret = NULL, *tmp = NULL, *cp, *p, *m;
186 size_t len;
187
188 if (a == NULL || *a == '\0')
189 return strdup(b);
190 if (b == NULL || *b == '\0')
191 return strdup(a);
192 if (strlen(b) > 1024*1024)
193 return NULL;
194 len = strlen(a) + strlen(b) + 2;
195 if ((tmp = cp = strdup(b)) == NULL ||
196 (ret = calloc(1, len)) == NULL) {
197 free(tmp);
198 return NULL;
199 }
200 strlcpy(ret, a, len);
201 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
202 if ((m = match_list(ret, p, NULL)) != NULL) {
203 free(m);
204 continue; /* Algorithm already present */
205 }
206 if (strlcat(ret, ",", len) >= len ||
207 strlcat(ret, p, len) >= len) {
208 free(tmp);
209 free(ret);
210 return NULL; /* Shouldn't happen */
211 }
212 }
213 free(tmp);
214 return ret;
215 }
216
217 /*
218 * Assemble a list of algorithms from a default list and a string from a
219 * configuration file. The user-provided string may begin with '+' to
220 * indicate that it should be appended to the default, '-' that the
221 * specified names should be removed, or '^' that they should be placed
222 * at the head.
223 */
224 int
kex_assemble_names(char ** listp,const char * def,const char * all)225 kex_assemble_names(char **listp, const char *def, const char *all)
226 {
227 char *cp, *tmp, *patterns;
228 char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
229 int r = SSH_ERR_INTERNAL_ERROR;
230
231 if (listp == NULL || def == NULL || all == NULL)
232 return SSH_ERR_INVALID_ARGUMENT;
233
234 if (*listp == NULL || **listp == '\0') {
235 if ((*listp = strdup(def)) == NULL)
236 return SSH_ERR_ALLOC_FAIL;
237 return 0;
238 }
239
240 list = *listp;
241 *listp = NULL;
242 if (*list == '+') {
243 /* Append names to default list */
244 if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
245 r = SSH_ERR_ALLOC_FAIL;
246 goto fail;
247 }
248 free(list);
249 list = tmp;
250 } else if (*list == '-') {
251 /* Remove names from default list */
252 if ((*listp = match_filter_denylist(def, list + 1)) == NULL) {
253 r = SSH_ERR_ALLOC_FAIL;
254 goto fail;
255 }
256 free(list);
257 /* filtering has already been done */
258 return 0;
259 } else if (*list == '^') {
260 /* Place names at head of default list */
261 if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
262 r = SSH_ERR_ALLOC_FAIL;
263 goto fail;
264 }
265 free(list);
266 list = tmp;
267 } else {
268 /* Explicit list, overrides default - just use "list" as is */
269 }
270
271 /*
272 * The supplied names may be a pattern-list. For the -list case,
273 * the patterns are applied above. For the +list and explicit list
274 * cases we need to do it now.
275 */
276 ret = NULL;
277 if ((patterns = opatterns = strdup(list)) == NULL) {
278 r = SSH_ERR_ALLOC_FAIL;
279 goto fail;
280 }
281 /* Apply positive (i.e. non-negated) patterns from the list */
282 while ((cp = strsep(&patterns, ",")) != NULL) {
283 if (*cp == '!') {
284 /* negated matches are not supported here */
285 r = SSH_ERR_INVALID_ARGUMENT;
286 goto fail;
287 }
288 free(matching);
289 if ((matching = match_filter_allowlist(all, cp)) == NULL) {
290 r = SSH_ERR_ALLOC_FAIL;
291 goto fail;
292 }
293 if ((tmp = kex_names_cat(ret, matching)) == NULL) {
294 r = SSH_ERR_ALLOC_FAIL;
295 goto fail;
296 }
297 free(ret);
298 ret = tmp;
299 }
300 if (ret == NULL || *ret == '\0') {
301 /* An empty name-list is an error */
302 /* XXX better error code? */
303 r = SSH_ERR_INVALID_ARGUMENT;
304 goto fail;
305 }
306
307 /* success */
308 *listp = ret;
309 ret = NULL;
310 r = 0;
311
312 fail:
313 free(matching);
314 free(opatterns);
315 free(list);
316 free(ret);
317 return r;
318 }
319
320 /* put algorithm proposal into buffer */
321 int
kex_prop2buf(struct sshbuf * b,char * proposal[PROPOSAL_MAX])322 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
323 {
324 u_int i;
325 int r;
326
327 sshbuf_reset(b);
328
329 /*
330 * add a dummy cookie, the cookie will be overwritten by
331 * kex_send_kexinit(), each time a kexinit is set
332 */
333 for (i = 0; i < KEX_COOKIE_LEN; i++) {
334 if ((r = sshbuf_put_u8(b, 0)) != 0)
335 return r;
336 }
337 for (i = 0; i < PROPOSAL_MAX; i++) {
338 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
339 return r;
340 }
341 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */
342 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */
343 return r;
344 return 0;
345 }
346
347 /* parse buffer and return algorithm proposal */
348 int
kex_buf2prop(struct sshbuf * raw,int * first_kex_follows,char *** propp)349 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
350 {
351 struct sshbuf *b = NULL;
352 u_char v;
353 u_int i;
354 char **proposal = NULL;
355 int r;
356
357 *propp = NULL;
358 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
359 return SSH_ERR_ALLOC_FAIL;
360 if ((b = sshbuf_fromb(raw)) == NULL) {
361 r = SSH_ERR_ALLOC_FAIL;
362 goto out;
363 }
364 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */
365 error_fr(r, "consume cookie");
366 goto out;
367 }
368 /* extract kex init proposal strings */
369 for (i = 0; i < PROPOSAL_MAX; i++) {
370 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) {
371 error_fr(r, "parse proposal %u", i);
372 goto out;
373 }
374 debug2("%s: %s", proposal_names[i], proposal[i]);
375 }
376 /* first kex follows / reserved */
377 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */
378 (r = sshbuf_get_u32(b, &i)) != 0) { /* reserved */
379 error_fr(r, "parse");
380 goto out;
381 }
382 if (first_kex_follows != NULL)
383 *first_kex_follows = v;
384 debug2("first_kex_follows %d ", v);
385 debug2("reserved %u ", i);
386 r = 0;
387 *propp = proposal;
388 out:
389 if (r != 0 && proposal != NULL)
390 kex_prop_free(proposal);
391 sshbuf_free(b);
392 return r;
393 }
394
395 void
kex_prop_free(char ** proposal)396 kex_prop_free(char **proposal)
397 {
398 u_int i;
399
400 if (proposal == NULL)
401 return;
402 for (i = 0; i < PROPOSAL_MAX; i++)
403 free(proposal[i]);
404 free(proposal);
405 }
406
407 /* ARGSUSED */
408 int
kex_protocol_error(int type,u_int32_t seq,struct ssh * ssh)409 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
410 {
411 int r;
412
413 error("kex protocol error: type %d seq %u", type, seq);
414 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
415 (r = sshpkt_put_u32(ssh, seq)) != 0 ||
416 (r = sshpkt_send(ssh)) != 0)
417 return r;
418 return 0;
419 }
420
421 static void
kex_reset_dispatch(struct ssh * ssh)422 kex_reset_dispatch(struct ssh *ssh)
423 {
424 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
425 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
426 }
427
428 static int
kex_send_ext_info(struct ssh * ssh)429 kex_send_ext_info(struct ssh *ssh)
430 {
431 int r;
432 char *algs;
433
434 debug("Sending SSH2_MSG_EXT_INFO");
435 if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
436 return SSH_ERR_ALLOC_FAIL;
437 /* XXX filter algs list by allowed pubkey/hostbased types */
438 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
439 (r = sshpkt_put_u32(ssh, 1)) != 0 ||
440 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
441 (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
442 (r = sshpkt_send(ssh)) != 0) {
443 error_fr(r, "compose");
444 goto out;
445 }
446 /* success */
447 r = 0;
448 out:
449 free(algs);
450 return r;
451 }
452
453 int
kex_send_newkeys(struct ssh * ssh)454 kex_send_newkeys(struct ssh *ssh)
455 {
456 int r;
457
458 kex_reset_dispatch(ssh);
459 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
460 (r = sshpkt_send(ssh)) != 0)
461 return r;
462 debug("SSH2_MSG_NEWKEYS sent");
463 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
464 if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
465 if ((r = kex_send_ext_info(ssh)) != 0)
466 return r;
467 debug("expecting SSH2_MSG_NEWKEYS");
468 return 0;
469 }
470
471 int
kex_input_ext_info(int type,u_int32_t seq,struct ssh * ssh)472 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
473 {
474 struct kex *kex = ssh->kex;
475 u_int32_t i, ninfo;
476 char *name;
477 u_char *val;
478 size_t vlen;
479 int r;
480
481 debug("SSH2_MSG_EXT_INFO received");
482 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
483 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
484 return r;
485 for (i = 0; i < ninfo; i++) {
486 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
487 return r;
488 if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
489 free(name);
490 return r;
491 }
492 if (strcmp(name, "server-sig-algs") == 0) {
493 /* Ensure no \0 lurking in value */
494 if (memchr(val, '\0', vlen) != NULL) {
495 error_f("nul byte in %s", name);
496 return SSH_ERR_INVALID_FORMAT;
497 }
498 debug_f("%s=<%s>", name, val);
499 kex->server_sig_algs = val;
500 val = NULL;
501 } else
502 debug_f("%s (unrecognised)", name);
503 free(name);
504 free(val);
505 }
506 return sshpkt_get_end(ssh);
507 }
508
509 static int
kex_input_newkeys(int type,u_int32_t seq,struct ssh * ssh)510 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
511 {
512 struct kex *kex = ssh->kex;
513 int r;
514
515 debug("SSH2_MSG_NEWKEYS received");
516 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
517 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
518 if ((r = sshpkt_get_end(ssh)) != 0)
519 return r;
520 if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
521 return r;
522 kex->done = 1;
523 kex->flags &= ~KEX_INITIAL;
524 sshbuf_reset(kex->peer);
525 /* sshbuf_reset(kex->my); */
526 kex->flags &= ~KEX_INIT_SENT;
527 free(kex->name);
528 kex->name = NULL;
529 return 0;
530 }
531
532 int
kex_send_kexinit(struct ssh * ssh)533 kex_send_kexinit(struct ssh *ssh)
534 {
535 u_char *cookie;
536 struct kex *kex = ssh->kex;
537 int r;
538
539 if (kex == NULL) {
540 error_f("no kex");
541 return SSH_ERR_INTERNAL_ERROR;
542 }
543 if (kex->flags & KEX_INIT_SENT)
544 return 0;
545 kex->done = 0;
546
547 /* generate a random cookie */
548 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) {
549 error_f("bad kex length: %zu < %d",
550 sshbuf_len(kex->my), KEX_COOKIE_LEN);
551 return SSH_ERR_INVALID_FORMAT;
552 }
553 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) {
554 error_f("buffer error");
555 return SSH_ERR_INTERNAL_ERROR;
556 }
557 arc4random_buf(cookie, KEX_COOKIE_LEN);
558
559 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
560 (r = sshpkt_putb(ssh, kex->my)) != 0 ||
561 (r = sshpkt_send(ssh)) != 0) {
562 error_fr(r, "compose reply");
563 return r;
564 }
565 debug("SSH2_MSG_KEXINIT sent");
566 kex->flags |= KEX_INIT_SENT;
567 return 0;
568 }
569
570 /* ARGSUSED */
571 int
kex_input_kexinit(int type,u_int32_t seq,struct ssh * ssh)572 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
573 {
574 struct kex *kex = ssh->kex;
575 const u_char *ptr;
576 u_int i;
577 size_t dlen;
578 int r;
579
580 debug("SSH2_MSG_KEXINIT received");
581 if (kex == NULL) {
582 error_f("no kex");
583 return SSH_ERR_INTERNAL_ERROR;
584 }
585 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
586 ptr = sshpkt_ptr(ssh, &dlen);
587 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
588 return r;
589
590 /* discard packet */
591 for (i = 0; i < KEX_COOKIE_LEN; i++) {
592 if ((r = sshpkt_get_u8(ssh, NULL)) != 0) {
593 error_fr(r, "discard cookie");
594 return r;
595 }
596 }
597 for (i = 0; i < PROPOSAL_MAX; i++) {
598 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
599 error_fr(r, "discard proposal");
600 return r;
601 }
602 }
603 /*
604 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
605 * KEX method has the server move first, but a server might be using
606 * a custom method or one that we otherwise don't support. We should
607 * be prepared to remember first_kex_follows here so we can eat a
608 * packet later.
609 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
610 * for cases where the server *doesn't* go first. I guess we should
611 * ignore it when it is set for these cases, which is what we do now.
612 */
613 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */
614 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */
615 (r = sshpkt_get_end(ssh)) != 0)
616 return r;
617
618 if (!(kex->flags & KEX_INIT_SENT))
619 if ((r = kex_send_kexinit(ssh)) != 0)
620 return r;
621 if ((r = kex_choose_conf(ssh)) != 0)
622 return r;
623
624 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
625 return (kex->kex[kex->kex_type])(ssh);
626
627 error_f("unknown kex type %u", kex->kex_type);
628 return SSH_ERR_INTERNAL_ERROR;
629 }
630
631 struct kex *
kex_new(void)632 kex_new(void)
633 {
634 struct kex *kex;
635
636 if ((kex = calloc(1, sizeof(*kex))) == NULL ||
637 (kex->peer = sshbuf_new()) == NULL ||
638 (kex->my = sshbuf_new()) == NULL ||
639 (kex->client_version = sshbuf_new()) == NULL ||
640 (kex->server_version = sshbuf_new()) == NULL ||
641 (kex->session_id = sshbuf_new()) == NULL) {
642 kex_free(kex);
643 return NULL;
644 }
645 return kex;
646 }
647
648 void
kex_free_newkeys(struct newkeys * newkeys)649 kex_free_newkeys(struct newkeys *newkeys)
650 {
651 if (newkeys == NULL)
652 return;
653 if (newkeys->enc.key) {
654 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
655 free(newkeys->enc.key);
656 newkeys->enc.key = NULL;
657 }
658 if (newkeys->enc.iv) {
659 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
660 free(newkeys->enc.iv);
661 newkeys->enc.iv = NULL;
662 }
663 free(newkeys->enc.name);
664 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
665 free(newkeys->comp.name);
666 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
667 mac_clear(&newkeys->mac);
668 if (newkeys->mac.key) {
669 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
670 free(newkeys->mac.key);
671 newkeys->mac.key = NULL;
672 }
673 free(newkeys->mac.name);
674 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
675 freezero(newkeys, sizeof(*newkeys));
676 }
677
678 void
kex_free(struct kex * kex)679 kex_free(struct kex *kex)
680 {
681 u_int mode;
682
683 if (kex == NULL)
684 return;
685
686 #ifdef WITH_OPENSSL
687 DH_free(kex->dh);
688 #ifdef OPENSSL_HAS_ECC
689 EC_KEY_free(kex->ec_client_key);
690 #endif /* OPENSSL_HAS_ECC */
691 #endif /* WITH_OPENSSL */
692 for (mode = 0; mode < MODE_MAX; mode++) {
693 kex_free_newkeys(kex->newkeys[mode]);
694 kex->newkeys[mode] = NULL;
695 }
696 sshbuf_free(kex->peer);
697 sshbuf_free(kex->my);
698 sshbuf_free(kex->client_version);
699 sshbuf_free(kex->server_version);
700 sshbuf_free(kex->client_pub);
701 sshbuf_free(kex->session_id);
702 free(kex->failed_choice);
703 free(kex->hostkey_alg);
704 free(kex->name);
705 free(kex);
706 }
707
708 int
kex_ready(struct ssh * ssh,char * proposal[PROPOSAL_MAX])709 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
710 {
711 int r;
712
713 if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
714 return r;
715 ssh->kex->flags = KEX_INITIAL;
716 kex_reset_dispatch(ssh);
717 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
718 return 0;
719 }
720
721 int
kex_setup(struct ssh * ssh,char * proposal[PROPOSAL_MAX])722 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
723 {
724 int r;
725
726 if ((r = kex_ready(ssh, proposal)) != 0)
727 return r;
728 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */
729 kex_free(ssh->kex);
730 ssh->kex = NULL;
731 return r;
732 }
733 return 0;
734 }
735
736 /*
737 * Request key re-exchange, returns 0 on success or a ssherr.h error
738 * code otherwise. Must not be called if KEX is incomplete or in-progress.
739 */
740 int
kex_start_rekex(struct ssh * ssh)741 kex_start_rekex(struct ssh *ssh)
742 {
743 if (ssh->kex == NULL) {
744 error_f("no kex");
745 return SSH_ERR_INTERNAL_ERROR;
746 }
747 if (ssh->kex->done == 0) {
748 error_f("requested twice");
749 return SSH_ERR_INTERNAL_ERROR;
750 }
751 ssh->kex->done = 0;
752 return kex_send_kexinit(ssh);
753 }
754
755 static int
choose_enc(struct sshenc * enc,char * client,char * server)756 choose_enc(struct sshenc *enc, char *client, char *server)
757 {
758 char *name = match_list(client, server, NULL);
759
760 if (name == NULL)
761 return SSH_ERR_NO_CIPHER_ALG_MATCH;
762 if ((enc->cipher = cipher_by_name(name)) == NULL) {
763 error_f("unsupported cipher %s", name);
764 free(name);
765 return SSH_ERR_INTERNAL_ERROR;
766 }
767 enc->name = name;
768 enc->enabled = 0;
769 enc->iv = NULL;
770 enc->iv_len = cipher_ivlen(enc->cipher);
771 enc->key = NULL;
772 enc->key_len = cipher_keylen(enc->cipher);
773 enc->block_size = cipher_blocksize(enc->cipher);
774 return 0;
775 }
776
777 static int
choose_mac(struct ssh * ssh,struct sshmac * mac,char * client,char * server)778 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
779 {
780 char *name = match_list(client, server, NULL);
781
782 if (name == NULL)
783 return SSH_ERR_NO_MAC_ALG_MATCH;
784 if (mac_setup(mac, name) < 0) {
785 error_f("unsupported MAC %s", name);
786 free(name);
787 return SSH_ERR_INTERNAL_ERROR;
788 }
789 mac->name = name;
790 mac->key = NULL;
791 mac->enabled = 0;
792 return 0;
793 }
794
795 static int
choose_comp(struct sshcomp * comp,char * client,char * server)796 choose_comp(struct sshcomp *comp, char *client, char *server)
797 {
798 char *name = match_list(client, server, NULL);
799
800 if (name == NULL)
801 return SSH_ERR_NO_COMPRESS_ALG_MATCH;
802 #ifdef WITH_ZLIB
803 if (strcmp(name, "zlib@openssh.com") == 0) {
804 comp->type = COMP_DELAYED;
805 } else if (strcmp(name, "zlib") == 0) {
806 comp->type = COMP_ZLIB;
807 } else
808 #endif /* WITH_ZLIB */
809 if (strcmp(name, "none") == 0) {
810 comp->type = COMP_NONE;
811 } else {
812 error_f("unsupported compression scheme %s", name);
813 free(name);
814 return SSH_ERR_INTERNAL_ERROR;
815 }
816 comp->name = name;
817 return 0;
818 }
819
820 static int
choose_kex(struct kex * k,char * client,char * server)821 choose_kex(struct kex *k, char *client, char *server)
822 {
823 const struct kexalg *kexalg;
824
825 k->name = match_list(client, server, NULL);
826
827 debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
828 if (k->name == NULL)
829 return SSH_ERR_NO_KEX_ALG_MATCH;
830 if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
831 error_f("unsupported KEX method %s", k->name);
832 return SSH_ERR_INTERNAL_ERROR;
833 }
834 k->kex_type = kexalg->type;
835 k->hash_alg = kexalg->hash_alg;
836 k->ec_nid = kexalg->ec_nid;
837 return 0;
838 }
839
840 static int
choose_hostkeyalg(struct kex * k,char * client,char * server)841 choose_hostkeyalg(struct kex *k, char *client, char *server)
842 {
843 free(k->hostkey_alg);
844 k->hostkey_alg = match_list(client, server, NULL);
845
846 debug("kex: host key algorithm: %s",
847 k->hostkey_alg ? k->hostkey_alg : "(no match)");
848 if (k->hostkey_alg == NULL)
849 return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
850 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
851 if (k->hostkey_type == KEY_UNSPEC) {
852 error_f("unsupported hostkey algorithm %s", k->hostkey_alg);
853 return SSH_ERR_INTERNAL_ERROR;
854 }
855 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
856 return 0;
857 }
858
859 static int
proposals_match(char * my[PROPOSAL_MAX],char * peer[PROPOSAL_MAX])860 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
861 {
862 static int check[] = {
863 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
864 };
865 int *idx;
866 char *p;
867
868 for (idx = &check[0]; *idx != -1; idx++) {
869 if ((p = strchr(my[*idx], ',')) != NULL)
870 *p = '\0';
871 if ((p = strchr(peer[*idx], ',')) != NULL)
872 *p = '\0';
873 if (strcmp(my[*idx], peer[*idx]) != 0) {
874 debug2("proposal mismatch: my %s peer %s",
875 my[*idx], peer[*idx]);
876 return (0);
877 }
878 }
879 debug2("proposals match");
880 return (1);
881 }
882
883 static int
kex_choose_conf(struct ssh * ssh)884 kex_choose_conf(struct ssh *ssh)
885 {
886 struct kex *kex = ssh->kex;
887 struct newkeys *newkeys;
888 char **my = NULL, **peer = NULL;
889 char **cprop, **sprop;
890 int nenc, nmac, ncomp;
891 u_int mode, ctos, need, dh_need, authlen;
892 int r, first_kex_follows;
893
894 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
895 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
896 goto out;
897 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
898 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
899 goto out;
900
901 if (kex->server) {
902 cprop=peer;
903 sprop=my;
904 } else {
905 cprop=my;
906 sprop=peer;
907 }
908
909 /* Check whether client supports ext_info_c */
910 if (kex->server && (kex->flags & KEX_INITIAL)) {
911 char *ext;
912
913 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
914 kex->ext_info_c = (ext != NULL);
915 free(ext);
916 }
917
918 /* Algorithm Negotiation */
919 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
920 sprop[PROPOSAL_KEX_ALGS])) != 0) {
921 kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
922 peer[PROPOSAL_KEX_ALGS] = NULL;
923 goto out;
924 }
925 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
926 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
927 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
928 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
929 goto out;
930 }
931 for (mode = 0; mode < MODE_MAX; mode++) {
932 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
933 r = SSH_ERR_ALLOC_FAIL;
934 goto out;
935 }
936 kex->newkeys[mode] = newkeys;
937 ctos = (!kex->server && mode == MODE_OUT) ||
938 (kex->server && mode == MODE_IN);
939 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
940 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
941 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
942 if ((r = choose_enc(&newkeys->enc, cprop[nenc],
943 sprop[nenc])) != 0) {
944 kex->failed_choice = peer[nenc];
945 peer[nenc] = NULL;
946 goto out;
947 }
948 authlen = cipher_authlen(newkeys->enc.cipher);
949 /* ignore mac for authenticated encryption */
950 if (authlen == 0 &&
951 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
952 sprop[nmac])) != 0) {
953 kex->failed_choice = peer[nmac];
954 peer[nmac] = NULL;
955 goto out;
956 }
957 if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
958 sprop[ncomp])) != 0) {
959 kex->failed_choice = peer[ncomp];
960 peer[ncomp] = NULL;
961 goto out;
962 }
963 debug("kex: %s cipher: %s MAC: %s compression: %s",
964 ctos ? "client->server" : "server->client",
965 newkeys->enc.name,
966 authlen == 0 ? newkeys->mac.name : "<implicit>",
967 newkeys->comp.name);
968 }
969 need = dh_need = 0;
970 for (mode = 0; mode < MODE_MAX; mode++) {
971 newkeys = kex->newkeys[mode];
972 need = MAXIMUM(need, newkeys->enc.key_len);
973 need = MAXIMUM(need, newkeys->enc.block_size);
974 need = MAXIMUM(need, newkeys->enc.iv_len);
975 need = MAXIMUM(need, newkeys->mac.key_len);
976 dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
977 dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
978 dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
979 dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
980 }
981 /* XXX need runden? */
982 kex->we_need = need;
983 kex->dh_need = dh_need;
984
985 /* ignore the next message if the proposals do not match */
986 if (first_kex_follows && !proposals_match(my, peer))
987 ssh->dispatch_skip_packets = 1;
988 r = 0;
989 out:
990 kex_prop_free(my);
991 kex_prop_free(peer);
992 return r;
993 }
994
995 static int
derive_key(struct ssh * ssh,int id,u_int need,u_char * hash,u_int hashlen,const struct sshbuf * shared_secret,u_char ** keyp)996 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
997 const struct sshbuf *shared_secret, u_char **keyp)
998 {
999 struct kex *kex = ssh->kex;
1000 struct ssh_digest_ctx *hashctx = NULL;
1001 char c = id;
1002 u_int have;
1003 size_t mdsz;
1004 u_char *digest;
1005 int r;
1006
1007 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
1008 return SSH_ERR_INVALID_ARGUMENT;
1009 if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
1010 r = SSH_ERR_ALLOC_FAIL;
1011 goto out;
1012 }
1013
1014 /* K1 = HASH(K || H || "A" || session_id) */
1015 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1016 ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1017 ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1018 ssh_digest_update(hashctx, &c, 1) != 0 ||
1019 ssh_digest_update_buffer(hashctx, kex->session_id) != 0 ||
1020 ssh_digest_final(hashctx, digest, mdsz) != 0) {
1021 r = SSH_ERR_LIBCRYPTO_ERROR;
1022 error_f("KEX hash failed");
1023 goto out;
1024 }
1025 ssh_digest_free(hashctx);
1026 hashctx = NULL;
1027
1028 /*
1029 * expand key:
1030 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
1031 * Key = K1 || K2 || ... || Kn
1032 */
1033 for (have = mdsz; need > have; have += mdsz) {
1034 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1035 ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1036 ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1037 ssh_digest_update(hashctx, digest, have) != 0 ||
1038 ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
1039 error_f("KDF failed");
1040 r = SSH_ERR_LIBCRYPTO_ERROR;
1041 goto out;
1042 }
1043 ssh_digest_free(hashctx);
1044 hashctx = NULL;
1045 }
1046 #ifdef DEBUG_KEX
1047 fprintf(stderr, "key '%c'== ", c);
1048 dump_digest("key", digest, need);
1049 #endif
1050 *keyp = digest;
1051 digest = NULL;
1052 r = 0;
1053 out:
1054 free(digest);
1055 ssh_digest_free(hashctx);
1056 return r;
1057 }
1058
1059 #define NKEYS 6
1060 int
kex_derive_keys(struct ssh * ssh,u_char * hash,u_int hashlen,const struct sshbuf * shared_secret)1061 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
1062 const struct sshbuf *shared_secret)
1063 {
1064 struct kex *kex = ssh->kex;
1065 u_char *keys[NKEYS];
1066 u_int i, j, mode, ctos;
1067 int r;
1068
1069 /* save initial hash as session id */
1070 if ((kex->flags & KEX_INITIAL) != 0) {
1071 if (sshbuf_len(kex->session_id) != 0) {
1072 error_f("already have session ID at kex");
1073 return SSH_ERR_INTERNAL_ERROR;
1074 }
1075 if ((r = sshbuf_put(kex->session_id, hash, hashlen)) != 0)
1076 return r;
1077 } else if (sshbuf_len(kex->session_id) == 0) {
1078 error_f("no session ID in rekex");
1079 return SSH_ERR_INTERNAL_ERROR;
1080 }
1081 for (i = 0; i < NKEYS; i++) {
1082 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1083 shared_secret, &keys[i])) != 0) {
1084 for (j = 0; j < i; j++)
1085 free(keys[j]);
1086 return r;
1087 }
1088 }
1089 for (mode = 0; mode < MODE_MAX; mode++) {
1090 ctos = (!kex->server && mode == MODE_OUT) ||
1091 (kex->server && mode == MODE_IN);
1092 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1];
1093 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1094 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1095 }
1096 return 0;
1097 }
1098
1099 int
kex_load_hostkey(struct ssh * ssh,struct sshkey ** prvp,struct sshkey ** pubp)1100 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
1101 {
1102 struct kex *kex = ssh->kex;
1103
1104 *pubp = NULL;
1105 *prvp = NULL;
1106 if (kex->load_host_public_key == NULL ||
1107 kex->load_host_private_key == NULL) {
1108 error_f("missing hostkey loader");
1109 return SSH_ERR_INVALID_ARGUMENT;
1110 }
1111 *pubp = kex->load_host_public_key(kex->hostkey_type,
1112 kex->hostkey_nid, ssh);
1113 *prvp = kex->load_host_private_key(kex->hostkey_type,
1114 kex->hostkey_nid, ssh);
1115 if (*pubp == NULL)
1116 return SSH_ERR_NO_HOSTKEY_LOADED;
1117 return 0;
1118 }
1119
1120 int
kex_verify_host_key(struct ssh * ssh,struct sshkey * server_host_key)1121 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
1122 {
1123 struct kex *kex = ssh->kex;
1124
1125 if (kex->verify_host_key == NULL) {
1126 error_f("missing hostkey verifier");
1127 return SSH_ERR_INVALID_ARGUMENT;
1128 }
1129 if (server_host_key->type != kex->hostkey_type ||
1130 (kex->hostkey_type == KEY_ECDSA &&
1131 server_host_key->ecdsa_nid != kex->hostkey_nid))
1132 return SSH_ERR_KEY_TYPE_MISMATCH;
1133 if (kex->verify_host_key(server_host_key, ssh) == -1)
1134 return SSH_ERR_SIGNATURE_INVALID;
1135 return 0;
1136 }
1137
1138 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1139 void
dump_digest(const char * msg,const u_char * digest,int len)1140 dump_digest(const char *msg, const u_char *digest, int len)
1141 {
1142 fprintf(stderr, "%s\n", msg);
1143 sshbuf_dump_data(digest, len, stderr);
1144 }
1145 #endif
1146
1147 /*
1148 * Send a plaintext error message to the peer, suffixed by \r\n.
1149 * Only used during banner exchange, and there only for the server.
1150 */
1151 static void
send_error(struct ssh * ssh,char * msg)1152 send_error(struct ssh *ssh, char *msg)
1153 {
1154 char *crnl = "\r\n";
1155
1156 if (!ssh->kex->server)
1157 return;
1158
1159 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1160 msg, strlen(msg)) != strlen(msg) ||
1161 atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1162 crnl, strlen(crnl)) != strlen(crnl))
1163 error_f("write: %.100s", strerror(errno));
1164 }
1165
1166 /*
1167 * Sends our identification string and waits for the peer's. Will block for
1168 * up to timeout_ms (or indefinitely if timeout_ms <= 0).
1169 * Returns on 0 success or a ssherr.h code on failure.
1170 */
1171 int
kex_exchange_identification(struct ssh * ssh,int timeout_ms,const char * version_addendum)1172 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
1173 const char *version_addendum)
1174 {
1175 int remote_major, remote_minor, mismatch, oerrno = 0;
1176 size_t len, i, n;
1177 int r, expect_nl;
1178 u_char c;
1179 struct sshbuf *our_version = ssh->kex->server ?
1180 ssh->kex->server_version : ssh->kex->client_version;
1181 struct sshbuf *peer_version = ssh->kex->server ?
1182 ssh->kex->client_version : ssh->kex->server_version;
1183 char *our_version_string = NULL, *peer_version_string = NULL;
1184 char *cp, *remote_version = NULL;
1185
1186 /* Prepare and send our banner */
1187 sshbuf_reset(our_version);
1188 if (version_addendum != NULL && *version_addendum == '\0')
1189 version_addendum = NULL;
1190 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
1191 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
1192 version_addendum == NULL ? "" : " ",
1193 version_addendum == NULL ? "" : version_addendum)) != 0) {
1194 oerrno = errno;
1195 error_fr(r, "sshbuf_putf");
1196 goto out;
1197 }
1198
1199 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1200 sshbuf_mutable_ptr(our_version),
1201 sshbuf_len(our_version)) != sshbuf_len(our_version)) {
1202 oerrno = errno;
1203 debug_f("write: %.100s", strerror(errno));
1204 r = SSH_ERR_SYSTEM_ERROR;
1205 goto out;
1206 }
1207 if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
1208 oerrno = errno;
1209 error_fr(r, "sshbuf_consume_end");
1210 goto out;
1211 }
1212 our_version_string = sshbuf_dup_string(our_version);
1213 if (our_version_string == NULL) {
1214 error_f("sshbuf_dup_string failed");
1215 r = SSH_ERR_ALLOC_FAIL;
1216 goto out;
1217 }
1218 debug("Local version string %.100s", our_version_string);
1219
1220 /* Read other side's version identification. */
1221 for (n = 0; ; n++) {
1222 if (n >= SSH_MAX_PRE_BANNER_LINES) {
1223 send_error(ssh, "No SSH identification string "
1224 "received.");
1225 error_f("No SSH version received in first %u lines "
1226 "from server", SSH_MAX_PRE_BANNER_LINES);
1227 r = SSH_ERR_INVALID_FORMAT;
1228 goto out;
1229 }
1230 sshbuf_reset(peer_version);
1231 expect_nl = 0;
1232 for (i = 0; ; i++) {
1233 if (timeout_ms > 0) {
1234 r = waitrfd(ssh_packet_get_connection_in(ssh),
1235 &timeout_ms);
1236 if (r == -1 && errno == ETIMEDOUT) {
1237 send_error(ssh, "Timed out waiting "
1238 "for SSH identification string.");
1239 error("Connection timed out during "
1240 "banner exchange");
1241 r = SSH_ERR_CONN_TIMEOUT;
1242 goto out;
1243 } else if (r == -1) {
1244 oerrno = errno;
1245 error_f("%s", strerror(errno));
1246 r = SSH_ERR_SYSTEM_ERROR;
1247 goto out;
1248 }
1249 }
1250
1251 len = atomicio(read, ssh_packet_get_connection_in(ssh),
1252 &c, 1);
1253 if (len != 1 && errno == EPIPE) {
1254 error_f("Connection closed by remote host");
1255 r = SSH_ERR_CONN_CLOSED;
1256 goto out;
1257 } else if (len != 1) {
1258 oerrno = errno;
1259 error_f("read: %.100s", strerror(errno));
1260 r = SSH_ERR_SYSTEM_ERROR;
1261 goto out;
1262 }
1263 if (c == '\r') {
1264 expect_nl = 1;
1265 continue;
1266 }
1267 if (c == '\n')
1268 break;
1269 if (c == '\0' || expect_nl) {
1270 error_f("banner line contains invalid "
1271 "characters");
1272 goto invalid;
1273 }
1274 if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
1275 oerrno = errno;
1276 error_fr(r, "sshbuf_put");
1277 goto out;
1278 }
1279 if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
1280 error_f("banner line too long");
1281 goto invalid;
1282 }
1283 }
1284 /* Is this an actual protocol banner? */
1285 if (sshbuf_len(peer_version) > 4 &&
1286 memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
1287 break;
1288 /* If not, then just log the line and continue */
1289 if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
1290 error_f("sshbuf_dup_string failed");
1291 r = SSH_ERR_ALLOC_FAIL;
1292 goto out;
1293 }
1294 /* Do not accept lines before the SSH ident from a client */
1295 if (ssh->kex->server) {
1296 error_f("client sent invalid protocol identifier "
1297 "\"%.256s\"", cp);
1298 free(cp);
1299 goto invalid;
1300 }
1301 debug_f("banner line %zu: %s", n, cp);
1302 free(cp);
1303 }
1304 peer_version_string = sshbuf_dup_string(peer_version);
1305 if (peer_version_string == NULL)
1306 error_f("sshbuf_dup_string failed");
1307 /* XXX must be same size for sscanf */
1308 if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
1309 error_f("calloc failed");
1310 r = SSH_ERR_ALLOC_FAIL;
1311 goto out;
1312 }
1313
1314 /*
1315 * Check that the versions match. In future this might accept
1316 * several versions and set appropriate flags to handle them.
1317 */
1318 if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
1319 &remote_major, &remote_minor, remote_version) != 3) {
1320 error("Bad remote protocol version identification: '%.100s'",
1321 peer_version_string);
1322 invalid:
1323 send_error(ssh, "Invalid SSH identification string.");
1324 r = SSH_ERR_INVALID_FORMAT;
1325 goto out;
1326 }
1327 debug("Remote protocol version %d.%d, remote software version %.100s",
1328 remote_major, remote_minor, remote_version);
1329 compat_banner(ssh, remote_version);
1330
1331 mismatch = 0;
1332 switch (remote_major) {
1333 case 2:
1334 break;
1335 case 1:
1336 if (remote_minor != 99)
1337 mismatch = 1;
1338 break;
1339 default:
1340 mismatch = 1;
1341 break;
1342 }
1343 if (mismatch) {
1344 error("Protocol major versions differ: %d vs. %d",
1345 PROTOCOL_MAJOR_2, remote_major);
1346 send_error(ssh, "Protocol major versions differ.");
1347 r = SSH_ERR_NO_PROTOCOL_VERSION;
1348 goto out;
1349 }
1350
1351 if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
1352 logit("probed from %s port %d with %s. Don't panic.",
1353 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1354 peer_version_string);
1355 r = SSH_ERR_CONN_CLOSED; /* XXX */
1356 goto out;
1357 }
1358 if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
1359 logit("scanned from %s port %d with %s. Don't panic.",
1360 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1361 peer_version_string);
1362 r = SSH_ERR_CONN_CLOSED; /* XXX */
1363 goto out;
1364 }
1365 if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
1366 logit("Remote version \"%.100s\" uses unsafe RSA signature "
1367 "scheme; disabling use of RSA keys", remote_version);
1368 }
1369 /* success */
1370 r = 0;
1371 out:
1372 free(our_version_string);
1373 free(peer_version_string);
1374 free(remote_version);
1375 if (r == SSH_ERR_SYSTEM_ERROR)
1376 errno = oerrno;
1377 return r;
1378 }
1379
1380