1 /* $OpenBSD: kex.c,v 1.150 2019/01/21 12:08:13 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include "includes.h" 27 28 #include <sys/types.h> 29 #include <errno.h> 30 #include <signal.h> 31 #include <stdarg.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 #include <unistd.h> 36 #include <poll.h> 37 38 #ifdef WITH_OPENSSL 39 #include <openssl/crypto.h> 40 #include <openssl/dh.h> 41 #endif 42 43 #include "ssh.h" 44 #include "ssh2.h" 45 #include "atomicio.h" 46 #include "version.h" 47 #include "packet.h" 48 #include "compat.h" 49 #include "cipher.h" 50 #include "sshkey.h" 51 #include "kex.h" 52 #include "log.h" 53 #include "mac.h" 54 #include "match.h" 55 #include "misc.h" 56 #include "dispatch.h" 57 #include "monitor.h" 58 59 #include "ssherr.h" 60 #include "sshbuf.h" 61 #include "digest.h" 62 63 /* prototype */ 64 static int kex_choose_conf(struct ssh *); 65 static int kex_input_newkeys(int, u_int32_t, struct ssh *); 66 67 static const char *proposal_names[PROPOSAL_MAX] = { 68 "KEX algorithms", 69 "host key algorithms", 70 "ciphers ctos", 71 "ciphers stoc", 72 "MACs ctos", 73 "MACs stoc", 74 "compression ctos", 75 "compression stoc", 76 "languages ctos", 77 "languages stoc", 78 }; 79 80 struct kexalg { 81 char *name; 82 u_int type; 83 int ec_nid; 84 int hash_alg; 85 }; 86 static const struct kexalg kexalgs[] = { 87 #ifdef WITH_OPENSSL 88 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, 89 { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, 90 { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, 91 { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, 92 { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, 93 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, 94 #ifdef HAVE_EVP_SHA256 95 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, 96 #endif /* HAVE_EVP_SHA256 */ 97 #ifdef OPENSSL_HAS_ECC 98 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, 99 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 100 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, 101 SSH_DIGEST_SHA384 }, 102 # ifdef OPENSSL_HAS_NISTP521 103 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, 104 SSH_DIGEST_SHA512 }, 105 # endif /* OPENSSL_HAS_NISTP521 */ 106 #endif /* OPENSSL_HAS_ECC */ 107 #endif /* WITH_OPENSSL */ 108 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) 109 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 110 { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 111 { KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0, 112 SSH_DIGEST_SHA512 }, 113 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 114 { NULL, -1, -1, -1}, 115 }; 116 117 char * 118 kex_alg_list(char sep) 119 { 120 char *ret = NULL, *tmp; 121 size_t nlen, rlen = 0; 122 const struct kexalg *k; 123 124 for (k = kexalgs; k->name != NULL; k++) { 125 if (ret != NULL) 126 ret[rlen++] = sep; 127 nlen = strlen(k->name); 128 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 129 free(ret); 130 return NULL; 131 } 132 ret = tmp; 133 memcpy(ret + rlen, k->name, nlen + 1); 134 rlen += nlen; 135 } 136 return ret; 137 } 138 139 static const struct kexalg * 140 kex_alg_by_name(const char *name) 141 { 142 const struct kexalg *k; 143 144 for (k = kexalgs; k->name != NULL; k++) { 145 if (strcmp(k->name, name) == 0) 146 return k; 147 } 148 return NULL; 149 } 150 151 /* Validate KEX method name list */ 152 int 153 kex_names_valid(const char *names) 154 { 155 char *s, *cp, *p; 156 157 if (names == NULL || strcmp(names, "") == 0) 158 return 0; 159 if ((s = cp = strdup(names)) == NULL) 160 return 0; 161 for ((p = strsep(&cp, ",")); p && *p != '\0'; 162 (p = strsep(&cp, ","))) { 163 if (kex_alg_by_name(p) == NULL) { 164 error("Unsupported KEX algorithm \"%.100s\"", p); 165 free(s); 166 return 0; 167 } 168 } 169 debug3("kex names ok: [%s]", names); 170 free(s); 171 return 1; 172 } 173 174 /* 175 * Concatenate algorithm names, avoiding duplicates in the process. 176 * Caller must free returned string. 177 */ 178 char * 179 kex_names_cat(const char *a, const char *b) 180 { 181 char *ret = NULL, *tmp = NULL, *cp, *p, *m; 182 size_t len; 183 184 if (a == NULL || *a == '\0') 185 return strdup(b); 186 if (b == NULL || *b == '\0') 187 return strdup(a); 188 if (strlen(b) > 1024*1024) 189 return NULL; 190 len = strlen(a) + strlen(b) + 2; 191 if ((tmp = cp = strdup(b)) == NULL || 192 (ret = calloc(1, len)) == NULL) { 193 free(tmp); 194 return NULL; 195 } 196 strlcpy(ret, a, len); 197 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { 198 if ((m = match_list(ret, p, NULL)) != NULL) { 199 free(m); 200 continue; /* Algorithm already present */ 201 } 202 if (strlcat(ret, ",", len) >= len || 203 strlcat(ret, p, len) >= len) { 204 free(tmp); 205 free(ret); 206 return NULL; /* Shouldn't happen */ 207 } 208 } 209 free(tmp); 210 return ret; 211 } 212 213 /* 214 * Assemble a list of algorithms from a default list and a string from a 215 * configuration file. The user-provided string may begin with '+' to 216 * indicate that it should be appended to the default or '-' that the 217 * specified names should be removed. 218 */ 219 int 220 kex_assemble_names(char **listp, const char *def, const char *all) 221 { 222 char *cp, *tmp, *patterns; 223 char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL; 224 int r = SSH_ERR_INTERNAL_ERROR; 225 226 if (listp == NULL || *listp == NULL || **listp == '\0') { 227 if ((*listp = strdup(def)) == NULL) 228 return SSH_ERR_ALLOC_FAIL; 229 return 0; 230 } 231 232 list = *listp; 233 *listp = NULL; 234 if (*list == '+') { 235 /* Append names to default list */ 236 if ((tmp = kex_names_cat(def, list + 1)) == NULL) { 237 r = SSH_ERR_ALLOC_FAIL; 238 goto fail; 239 } 240 free(list); 241 list = tmp; 242 } else if (*list == '-') { 243 /* Remove names from default list */ 244 if ((*listp = match_filter_blacklist(def, list + 1)) == NULL) { 245 r = SSH_ERR_ALLOC_FAIL; 246 goto fail; 247 } 248 free(list); 249 /* filtering has already been done */ 250 return 0; 251 } else { 252 /* Explicit list, overrides default - just use "list" as is */ 253 } 254 255 /* 256 * The supplied names may be a pattern-list. For the -list case, 257 * the patterns are applied above. For the +list and explicit list 258 * cases we need to do it now. 259 */ 260 ret = NULL; 261 if ((patterns = opatterns = strdup(list)) == NULL) { 262 r = SSH_ERR_ALLOC_FAIL; 263 goto fail; 264 } 265 /* Apply positive (i.e. non-negated) patterns from the list */ 266 while ((cp = strsep(&patterns, ",")) != NULL) { 267 if (*cp == '!') { 268 /* negated matches are not supported here */ 269 r = SSH_ERR_INVALID_ARGUMENT; 270 goto fail; 271 } 272 free(matching); 273 if ((matching = match_filter_whitelist(all, cp)) == NULL) { 274 r = SSH_ERR_ALLOC_FAIL; 275 goto fail; 276 } 277 if ((tmp = kex_names_cat(ret, matching)) == NULL) { 278 r = SSH_ERR_ALLOC_FAIL; 279 goto fail; 280 } 281 free(ret); 282 ret = tmp; 283 } 284 if (ret == NULL || *ret == '\0') { 285 /* An empty name-list is an error */ 286 /* XXX better error code? */ 287 r = SSH_ERR_INVALID_ARGUMENT; 288 goto fail; 289 } 290 291 /* success */ 292 *listp = ret; 293 ret = NULL; 294 r = 0; 295 296 fail: 297 free(matching); 298 free(opatterns); 299 free(list); 300 free(ret); 301 return r; 302 } 303 304 /* put algorithm proposal into buffer */ 305 int 306 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) 307 { 308 u_int i; 309 int r; 310 311 sshbuf_reset(b); 312 313 /* 314 * add a dummy cookie, the cookie will be overwritten by 315 * kex_send_kexinit(), each time a kexinit is set 316 */ 317 for (i = 0; i < KEX_COOKIE_LEN; i++) { 318 if ((r = sshbuf_put_u8(b, 0)) != 0) 319 return r; 320 } 321 for (i = 0; i < PROPOSAL_MAX; i++) { 322 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0) 323 return r; 324 } 325 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */ 326 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */ 327 return r; 328 return 0; 329 } 330 331 /* parse buffer and return algorithm proposal */ 332 int 333 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) 334 { 335 struct sshbuf *b = NULL; 336 u_char v; 337 u_int i; 338 char **proposal = NULL; 339 int r; 340 341 *propp = NULL; 342 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL) 343 return SSH_ERR_ALLOC_FAIL; 344 if ((b = sshbuf_fromb(raw)) == NULL) { 345 r = SSH_ERR_ALLOC_FAIL; 346 goto out; 347 } 348 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */ 349 goto out; 350 /* extract kex init proposal strings */ 351 for (i = 0; i < PROPOSAL_MAX; i++) { 352 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) 353 goto out; 354 debug2("%s: %s", proposal_names[i], proposal[i]); 355 } 356 /* first kex follows / reserved */ 357 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ 358 (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */ 359 goto out; 360 if (first_kex_follows != NULL) 361 *first_kex_follows = v; 362 debug2("first_kex_follows %d ", v); 363 debug2("reserved %u ", i); 364 r = 0; 365 *propp = proposal; 366 out: 367 if (r != 0 && proposal != NULL) 368 kex_prop_free(proposal); 369 sshbuf_free(b); 370 return r; 371 } 372 373 void 374 kex_prop_free(char **proposal) 375 { 376 u_int i; 377 378 if (proposal == NULL) 379 return; 380 for (i = 0; i < PROPOSAL_MAX; i++) 381 free(proposal[i]); 382 free(proposal); 383 } 384 385 /* ARGSUSED */ 386 static int 387 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) 388 { 389 int r; 390 391 error("kex protocol error: type %d seq %u", type, seq); 392 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || 393 (r = sshpkt_put_u32(ssh, seq)) != 0 || 394 (r = sshpkt_send(ssh)) != 0) 395 return r; 396 return 0; 397 } 398 399 static void 400 kex_reset_dispatch(struct ssh *ssh) 401 { 402 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN, 403 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); 404 } 405 406 static int 407 kex_send_ext_info(struct ssh *ssh) 408 { 409 int r; 410 char *algs; 411 412 if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL) 413 return SSH_ERR_ALLOC_FAIL; 414 /* XXX filter algs list by allowed pubkey/hostbased types */ 415 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || 416 (r = sshpkt_put_u32(ssh, 1)) != 0 || 417 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || 418 (r = sshpkt_put_cstring(ssh, algs)) != 0 || 419 (r = sshpkt_send(ssh)) != 0) 420 goto out; 421 /* success */ 422 r = 0; 423 out: 424 free(algs); 425 return r; 426 } 427 428 int 429 kex_send_newkeys(struct ssh *ssh) 430 { 431 int r; 432 433 kex_reset_dispatch(ssh); 434 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 || 435 (r = sshpkt_send(ssh)) != 0) 436 return r; 437 debug("SSH2_MSG_NEWKEYS sent"); 438 debug("expecting SSH2_MSG_NEWKEYS"); 439 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); 440 if (ssh->kex->ext_info_c) 441 if ((r = kex_send_ext_info(ssh)) != 0) 442 return r; 443 return 0; 444 } 445 446 int 447 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) 448 { 449 struct kex *kex = ssh->kex; 450 u_int32_t i, ninfo; 451 char *name; 452 u_char *val; 453 size_t vlen; 454 int r; 455 456 debug("SSH2_MSG_EXT_INFO received"); 457 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); 458 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) 459 return r; 460 for (i = 0; i < ninfo; i++) { 461 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) 462 return r; 463 if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) { 464 free(name); 465 return r; 466 } 467 if (strcmp(name, "server-sig-algs") == 0) { 468 /* Ensure no \0 lurking in value */ 469 if (memchr(val, '\0', vlen) != NULL) { 470 error("%s: nul byte in %s", __func__, name); 471 return SSH_ERR_INVALID_FORMAT; 472 } 473 debug("%s: %s=<%s>", __func__, name, val); 474 kex->server_sig_algs = val; 475 val = NULL; 476 } else 477 debug("%s: %s (unrecognised)", __func__, name); 478 free(name); 479 free(val); 480 } 481 return sshpkt_get_end(ssh); 482 } 483 484 static int 485 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh) 486 { 487 struct kex *kex = ssh->kex; 488 int r; 489 490 debug("SSH2_MSG_NEWKEYS received"); 491 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); 492 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 493 if ((r = sshpkt_get_end(ssh)) != 0) 494 return r; 495 if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) 496 return r; 497 kex->done = 1; 498 kex->flags &= ~KEX_INITIAL; 499 sshbuf_reset(kex->peer); 500 /* sshbuf_reset(kex->my); */ 501 kex->flags &= ~KEX_INIT_SENT; 502 free(kex->name); 503 kex->name = NULL; 504 return 0; 505 } 506 507 int 508 kex_send_kexinit(struct ssh *ssh) 509 { 510 u_char *cookie; 511 struct kex *kex = ssh->kex; 512 int r; 513 514 if (kex == NULL) 515 return SSH_ERR_INTERNAL_ERROR; 516 if (kex->flags & KEX_INIT_SENT) 517 return 0; 518 kex->done = 0; 519 520 /* generate a random cookie */ 521 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) 522 return SSH_ERR_INVALID_FORMAT; 523 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) 524 return SSH_ERR_INTERNAL_ERROR; 525 arc4random_buf(cookie, KEX_COOKIE_LEN); 526 527 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || 528 (r = sshpkt_putb(ssh, kex->my)) != 0 || 529 (r = sshpkt_send(ssh)) != 0) 530 return r; 531 debug("SSH2_MSG_KEXINIT sent"); 532 kex->flags |= KEX_INIT_SENT; 533 return 0; 534 } 535 536 /* ARGSUSED */ 537 int 538 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) 539 { 540 struct kex *kex = ssh->kex; 541 const u_char *ptr; 542 u_int i; 543 size_t dlen; 544 int r; 545 546 debug("SSH2_MSG_KEXINIT received"); 547 if (kex == NULL) 548 return SSH_ERR_INVALID_ARGUMENT; 549 550 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); 551 ptr = sshpkt_ptr(ssh, &dlen); 552 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) 553 return r; 554 555 /* discard packet */ 556 for (i = 0; i < KEX_COOKIE_LEN; i++) 557 if ((r = sshpkt_get_u8(ssh, NULL)) != 0) 558 return r; 559 for (i = 0; i < PROPOSAL_MAX; i++) 560 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) 561 return r; 562 /* 563 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported 564 * KEX method has the server move first, but a server might be using 565 * a custom method or one that we otherwise don't support. We should 566 * be prepared to remember first_kex_follows here so we can eat a 567 * packet later. 568 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means 569 * for cases where the server *doesn't* go first. I guess we should 570 * ignore it when it is set for these cases, which is what we do now. 571 */ 572 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */ 573 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */ 574 (r = sshpkt_get_end(ssh)) != 0) 575 return r; 576 577 if (!(kex->flags & KEX_INIT_SENT)) 578 if ((r = kex_send_kexinit(ssh)) != 0) 579 return r; 580 if ((r = kex_choose_conf(ssh)) != 0) 581 return r; 582 583 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) 584 return (kex->kex[kex->kex_type])(ssh); 585 586 return SSH_ERR_INTERNAL_ERROR; 587 } 588 589 struct kex * 590 kex_new(void) 591 { 592 struct kex *kex; 593 594 if ((kex = calloc(1, sizeof(*kex))) == NULL || 595 (kex->peer = sshbuf_new()) == NULL || 596 (kex->my = sshbuf_new()) == NULL || 597 (kex->client_version = sshbuf_new()) == NULL || 598 (kex->server_version = sshbuf_new()) == NULL) { 599 kex_free(kex); 600 return NULL; 601 } 602 return kex; 603 } 604 605 void 606 kex_free_newkeys(struct newkeys *newkeys) 607 { 608 if (newkeys == NULL) 609 return; 610 if (newkeys->enc.key) { 611 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len); 612 free(newkeys->enc.key); 613 newkeys->enc.key = NULL; 614 } 615 if (newkeys->enc.iv) { 616 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); 617 free(newkeys->enc.iv); 618 newkeys->enc.iv = NULL; 619 } 620 free(newkeys->enc.name); 621 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc)); 622 free(newkeys->comp.name); 623 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp)); 624 mac_clear(&newkeys->mac); 625 if (newkeys->mac.key) { 626 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len); 627 free(newkeys->mac.key); 628 newkeys->mac.key = NULL; 629 } 630 free(newkeys->mac.name); 631 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac)); 632 explicit_bzero(newkeys, sizeof(*newkeys)); 633 free(newkeys); 634 } 635 636 void 637 kex_free(struct kex *kex) 638 { 639 u_int mode; 640 641 if (kex == NULL) 642 return; 643 644 #ifdef WITH_OPENSSL 645 DH_free(kex->dh); 646 #ifdef OPENSSL_HAS_ECC 647 EC_KEY_free(kex->ec_client_key); 648 #endif /* OPENSSL_HAS_ECC */ 649 #endif /* WITH_OPENSSL */ 650 for (mode = 0; mode < MODE_MAX; mode++) { 651 kex_free_newkeys(kex->newkeys[mode]); 652 kex->newkeys[mode] = NULL; 653 } 654 sshbuf_free(kex->peer); 655 sshbuf_free(kex->my); 656 sshbuf_free(kex->client_version); 657 sshbuf_free(kex->server_version); 658 sshbuf_free(kex->client_pub); 659 free(kex->session_id); 660 free(kex->failed_choice); 661 free(kex->hostkey_alg); 662 free(kex->name); 663 free(kex); 664 } 665 666 int 667 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) 668 { 669 int r; 670 671 if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0) 672 return r; 673 ssh->kex->flags = KEX_INITIAL; 674 kex_reset_dispatch(ssh); 675 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 676 return 0; 677 } 678 679 int 680 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) 681 { 682 int r; 683 684 if ((r = kex_ready(ssh, proposal)) != 0) 685 return r; 686 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */ 687 kex_free(ssh->kex); 688 ssh->kex = NULL; 689 return r; 690 } 691 return 0; 692 } 693 694 /* 695 * Request key re-exchange, returns 0 on success or a ssherr.h error 696 * code otherwise. Must not be called if KEX is incomplete or in-progress. 697 */ 698 int 699 kex_start_rekex(struct ssh *ssh) 700 { 701 if (ssh->kex == NULL) { 702 error("%s: no kex", __func__); 703 return SSH_ERR_INTERNAL_ERROR; 704 } 705 if (ssh->kex->done == 0) { 706 error("%s: requested twice", __func__); 707 return SSH_ERR_INTERNAL_ERROR; 708 } 709 ssh->kex->done = 0; 710 return kex_send_kexinit(ssh); 711 } 712 713 static int 714 choose_enc(struct sshenc *enc, char *client, char *server) 715 { 716 char *name = match_list(client, server, NULL); 717 718 if (name == NULL) 719 return SSH_ERR_NO_CIPHER_ALG_MATCH; 720 if ((enc->cipher = cipher_by_name(name)) == NULL) { 721 free(name); 722 return SSH_ERR_INTERNAL_ERROR; 723 } 724 enc->name = name; 725 enc->enabled = 0; 726 enc->iv = NULL; 727 enc->iv_len = cipher_ivlen(enc->cipher); 728 enc->key = NULL; 729 enc->key_len = cipher_keylen(enc->cipher); 730 enc->block_size = cipher_blocksize(enc->cipher); 731 return 0; 732 } 733 734 static int 735 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) 736 { 737 char *name = match_list(client, server, NULL); 738 739 if (name == NULL) 740 return SSH_ERR_NO_MAC_ALG_MATCH; 741 if (mac_setup(mac, name) < 0) { 742 free(name); 743 return SSH_ERR_INTERNAL_ERROR; 744 } 745 mac->name = name; 746 mac->key = NULL; 747 mac->enabled = 0; 748 return 0; 749 } 750 751 static int 752 choose_comp(struct sshcomp *comp, char *client, char *server) 753 { 754 char *name = match_list(client, server, NULL); 755 756 if (name == NULL) 757 return SSH_ERR_NO_COMPRESS_ALG_MATCH; 758 if (strcmp(name, "zlib@openssh.com") == 0) { 759 comp->type = COMP_DELAYED; 760 } else if (strcmp(name, "zlib") == 0) { 761 comp->type = COMP_ZLIB; 762 } else if (strcmp(name, "none") == 0) { 763 comp->type = COMP_NONE; 764 } else { 765 free(name); 766 return SSH_ERR_INTERNAL_ERROR; 767 } 768 comp->name = name; 769 return 0; 770 } 771 772 static int 773 choose_kex(struct kex *k, char *client, char *server) 774 { 775 const struct kexalg *kexalg; 776 777 k->name = match_list(client, server, NULL); 778 779 debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); 780 if (k->name == NULL) 781 return SSH_ERR_NO_KEX_ALG_MATCH; 782 if ((kexalg = kex_alg_by_name(k->name)) == NULL) 783 return SSH_ERR_INTERNAL_ERROR; 784 k->kex_type = kexalg->type; 785 k->hash_alg = kexalg->hash_alg; 786 k->ec_nid = kexalg->ec_nid; 787 return 0; 788 } 789 790 static int 791 choose_hostkeyalg(struct kex *k, char *client, char *server) 792 { 793 k->hostkey_alg = match_list(client, server, NULL); 794 795 debug("kex: host key algorithm: %s", 796 k->hostkey_alg ? k->hostkey_alg : "(no match)"); 797 if (k->hostkey_alg == NULL) 798 return SSH_ERR_NO_HOSTKEY_ALG_MATCH; 799 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); 800 if (k->hostkey_type == KEY_UNSPEC) 801 return SSH_ERR_INTERNAL_ERROR; 802 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); 803 return 0; 804 } 805 806 static int 807 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) 808 { 809 static int check[] = { 810 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 811 }; 812 int *idx; 813 char *p; 814 815 for (idx = &check[0]; *idx != -1; idx++) { 816 if ((p = strchr(my[*idx], ',')) != NULL) 817 *p = '\0'; 818 if ((p = strchr(peer[*idx], ',')) != NULL) 819 *p = '\0'; 820 if (strcmp(my[*idx], peer[*idx]) != 0) { 821 debug2("proposal mismatch: my %s peer %s", 822 my[*idx], peer[*idx]); 823 return (0); 824 } 825 } 826 debug2("proposals match"); 827 return (1); 828 } 829 830 static int 831 kex_choose_conf(struct ssh *ssh) 832 { 833 struct kex *kex = ssh->kex; 834 struct newkeys *newkeys; 835 char **my = NULL, **peer = NULL; 836 char **cprop, **sprop; 837 int nenc, nmac, ncomp; 838 u_int mode, ctos, need, dh_need, authlen; 839 int r, first_kex_follows; 840 841 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); 842 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) 843 goto out; 844 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); 845 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) 846 goto out; 847 848 if (kex->server) { 849 cprop=peer; 850 sprop=my; 851 } else { 852 cprop=my; 853 sprop=peer; 854 } 855 856 /* Check whether client supports ext_info_c */ 857 if (kex->server && (kex->flags & KEX_INITIAL)) { 858 char *ext; 859 860 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); 861 kex->ext_info_c = (ext != NULL); 862 free(ext); 863 } 864 865 /* Algorithm Negotiation */ 866 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], 867 sprop[PROPOSAL_KEX_ALGS])) != 0) { 868 kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; 869 peer[PROPOSAL_KEX_ALGS] = NULL; 870 goto out; 871 } 872 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], 873 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { 874 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; 875 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; 876 goto out; 877 } 878 for (mode = 0; mode < MODE_MAX; mode++) { 879 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { 880 r = SSH_ERR_ALLOC_FAIL; 881 goto out; 882 } 883 kex->newkeys[mode] = newkeys; 884 ctos = (!kex->server && mode == MODE_OUT) || 885 (kex->server && mode == MODE_IN); 886 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 887 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 888 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 889 if ((r = choose_enc(&newkeys->enc, cprop[nenc], 890 sprop[nenc])) != 0) { 891 kex->failed_choice = peer[nenc]; 892 peer[nenc] = NULL; 893 goto out; 894 } 895 authlen = cipher_authlen(newkeys->enc.cipher); 896 /* ignore mac for authenticated encryption */ 897 if (authlen == 0 && 898 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], 899 sprop[nmac])) != 0) { 900 kex->failed_choice = peer[nmac]; 901 peer[nmac] = NULL; 902 goto out; 903 } 904 if ((r = choose_comp(&newkeys->comp, cprop[ncomp], 905 sprop[ncomp])) != 0) { 906 kex->failed_choice = peer[ncomp]; 907 peer[ncomp] = NULL; 908 goto out; 909 } 910 debug("kex: %s cipher: %s MAC: %s compression: %s", 911 ctos ? "client->server" : "server->client", 912 newkeys->enc.name, 913 authlen == 0 ? newkeys->mac.name : "<implicit>", 914 newkeys->comp.name); 915 } 916 need = dh_need = 0; 917 for (mode = 0; mode < MODE_MAX; mode++) { 918 newkeys = kex->newkeys[mode]; 919 need = MAXIMUM(need, newkeys->enc.key_len); 920 need = MAXIMUM(need, newkeys->enc.block_size); 921 need = MAXIMUM(need, newkeys->enc.iv_len); 922 need = MAXIMUM(need, newkeys->mac.key_len); 923 dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher)); 924 dh_need = MAXIMUM(dh_need, newkeys->enc.block_size); 925 dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len); 926 dh_need = MAXIMUM(dh_need, newkeys->mac.key_len); 927 } 928 /* XXX need runden? */ 929 kex->we_need = need; 930 kex->dh_need = dh_need; 931 932 /* ignore the next message if the proposals do not match */ 933 if (first_kex_follows && !proposals_match(my, peer)) 934 ssh->dispatch_skip_packets = 1; 935 r = 0; 936 out: 937 kex_prop_free(my); 938 kex_prop_free(peer); 939 return r; 940 } 941 942 static int 943 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, 944 const struct sshbuf *shared_secret, u_char **keyp) 945 { 946 struct kex *kex = ssh->kex; 947 struct ssh_digest_ctx *hashctx = NULL; 948 char c = id; 949 u_int have; 950 size_t mdsz; 951 u_char *digest; 952 int r; 953 954 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) 955 return SSH_ERR_INVALID_ARGUMENT; 956 if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) { 957 r = SSH_ERR_ALLOC_FAIL; 958 goto out; 959 } 960 961 /* K1 = HASH(K || H || "A" || session_id) */ 962 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 963 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 964 ssh_digest_update(hashctx, hash, hashlen) != 0 || 965 ssh_digest_update(hashctx, &c, 1) != 0 || 966 ssh_digest_update(hashctx, kex->session_id, 967 kex->session_id_len) != 0 || 968 ssh_digest_final(hashctx, digest, mdsz) != 0) { 969 r = SSH_ERR_LIBCRYPTO_ERROR; 970 goto out; 971 } 972 ssh_digest_free(hashctx); 973 hashctx = NULL; 974 975 /* 976 * expand key: 977 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) 978 * Key = K1 || K2 || ... || Kn 979 */ 980 for (have = mdsz; need > have; have += mdsz) { 981 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 982 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 983 ssh_digest_update(hashctx, hash, hashlen) != 0 || 984 ssh_digest_update(hashctx, digest, have) != 0 || 985 ssh_digest_final(hashctx, digest + have, mdsz) != 0) { 986 r = SSH_ERR_LIBCRYPTO_ERROR; 987 goto out; 988 } 989 ssh_digest_free(hashctx); 990 hashctx = NULL; 991 } 992 #ifdef DEBUG_KEX 993 fprintf(stderr, "key '%c'== ", c); 994 dump_digest("key", digest, need); 995 #endif 996 *keyp = digest; 997 digest = NULL; 998 r = 0; 999 out: 1000 free(digest); 1001 ssh_digest_free(hashctx); 1002 return r; 1003 } 1004 1005 #define NKEYS 6 1006 int 1007 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen, 1008 const struct sshbuf *shared_secret) 1009 { 1010 struct kex *kex = ssh->kex; 1011 u_char *keys[NKEYS]; 1012 u_int i, j, mode, ctos; 1013 int r; 1014 1015 /* save initial hash as session id */ 1016 if (kex->session_id == NULL) { 1017 kex->session_id_len = hashlen; 1018 kex->session_id = malloc(kex->session_id_len); 1019 if (kex->session_id == NULL) 1020 return SSH_ERR_ALLOC_FAIL; 1021 memcpy(kex->session_id, hash, kex->session_id_len); 1022 } 1023 for (i = 0; i < NKEYS; i++) { 1024 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, 1025 shared_secret, &keys[i])) != 0) { 1026 for (j = 0; j < i; j++) 1027 free(keys[j]); 1028 return r; 1029 } 1030 } 1031 for (mode = 0; mode < MODE_MAX; mode++) { 1032 ctos = (!kex->server && mode == MODE_OUT) || 1033 (kex->server && mode == MODE_IN); 1034 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1]; 1035 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3]; 1036 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5]; 1037 } 1038 return 0; 1039 } 1040 1041 int 1042 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp) 1043 { 1044 struct kex *kex = ssh->kex; 1045 1046 *pubp = NULL; 1047 *prvp = NULL; 1048 if (kex->load_host_public_key == NULL || 1049 kex->load_host_private_key == NULL) 1050 return SSH_ERR_INVALID_ARGUMENT; 1051 *pubp = kex->load_host_public_key(kex->hostkey_type, 1052 kex->hostkey_nid, ssh); 1053 *prvp = kex->load_host_private_key(kex->hostkey_type, 1054 kex->hostkey_nid, ssh); 1055 if (*pubp == NULL) 1056 return SSH_ERR_NO_HOSTKEY_LOADED; 1057 return 0; 1058 } 1059 1060 int 1061 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key) 1062 { 1063 struct kex *kex = ssh->kex; 1064 1065 if (kex->verify_host_key == NULL) 1066 return SSH_ERR_INVALID_ARGUMENT; 1067 if (server_host_key->type != kex->hostkey_type || 1068 (kex->hostkey_type == KEY_ECDSA && 1069 server_host_key->ecdsa_nid != kex->hostkey_nid)) 1070 return SSH_ERR_KEY_TYPE_MISMATCH; 1071 if (kex->verify_host_key(server_host_key, ssh) == -1) 1072 return SSH_ERR_SIGNATURE_INVALID; 1073 return 0; 1074 } 1075 1076 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) 1077 void 1078 dump_digest(const char *msg, const u_char *digest, int len) 1079 { 1080 fprintf(stderr, "%s\n", msg); 1081 sshbuf_dump_data(digest, len, stderr); 1082 } 1083 #endif 1084 1085 /* 1086 * Send a plaintext error message to the peer, suffixed by \r\n. 1087 * Only used during banner exchange, and there only for the server. 1088 */ 1089 static void 1090 send_error(struct ssh *ssh, char *msg) 1091 { 1092 char *crnl = "\r\n"; 1093 1094 if (!ssh->kex->server) 1095 return; 1096 1097 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1098 msg, strlen(msg)) != strlen(msg) || 1099 atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1100 crnl, strlen(crnl)) != strlen(crnl)) 1101 error("%s: write: %.100s", __func__, strerror(errno)); 1102 } 1103 1104 /* 1105 * Sends our identification string and waits for the peer's. Will block for 1106 * up to timeout_ms (or indefinitely if timeout_ms <= 0). 1107 * Returns on 0 success or a ssherr.h code on failure. 1108 */ 1109 int 1110 kex_exchange_identification(struct ssh *ssh, int timeout_ms, 1111 const char *version_addendum) 1112 { 1113 int remote_major, remote_minor, mismatch; 1114 size_t len, i, n; 1115 int r, expect_nl; 1116 u_char c; 1117 struct sshbuf *our_version = ssh->kex->server ? 1118 ssh->kex->server_version : ssh->kex->client_version; 1119 struct sshbuf *peer_version = ssh->kex->server ? 1120 ssh->kex->client_version : ssh->kex->server_version; 1121 char *our_version_string = NULL, *peer_version_string = NULL; 1122 char *cp, *remote_version = NULL; 1123 1124 /* Prepare and send our banner */ 1125 sshbuf_reset(our_version); 1126 if (version_addendum != NULL && *version_addendum == '\0') 1127 version_addendum = NULL; 1128 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", 1129 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, 1130 version_addendum == NULL ? "" : " ", 1131 version_addendum == NULL ? "" : version_addendum)) != 0) { 1132 error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); 1133 goto out; 1134 } 1135 1136 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1137 sshbuf_mutable_ptr(our_version), 1138 sshbuf_len(our_version)) != sshbuf_len(our_version)) { 1139 error("%s: write: %.100s", __func__, strerror(errno)); 1140 r = SSH_ERR_SYSTEM_ERROR; 1141 goto out; 1142 } 1143 if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */ 1144 error("%s: sshbuf_consume_end: %s", __func__, ssh_err(r)); 1145 goto out; 1146 } 1147 our_version_string = sshbuf_dup_string(our_version); 1148 if (our_version_string == NULL) { 1149 error("%s: sshbuf_dup_string failed", __func__); 1150 r = SSH_ERR_ALLOC_FAIL; 1151 goto out; 1152 } 1153 debug("Local version string %.100s", our_version_string); 1154 1155 /* Read other side's version identification. */ 1156 for (n = 0; ; n++) { 1157 if (n >= SSH_MAX_PRE_BANNER_LINES) { 1158 send_error(ssh, "No SSH identification string " 1159 "received."); 1160 error("%s: No SSH version received in first %u lines " 1161 "from server", __func__, SSH_MAX_PRE_BANNER_LINES); 1162 r = SSH_ERR_INVALID_FORMAT; 1163 goto out; 1164 } 1165 sshbuf_reset(peer_version); 1166 expect_nl = 0; 1167 for (i = 0; ; i++) { 1168 if (timeout_ms > 0) { 1169 r = waitrfd(ssh_packet_get_connection_in(ssh), 1170 &timeout_ms); 1171 if (r == -1 && errno == ETIMEDOUT) { 1172 send_error(ssh, "Timed out waiting " 1173 "for SSH identification string."); 1174 error("Connection timed out during " 1175 "banner exchange"); 1176 r = SSH_ERR_CONN_TIMEOUT; 1177 goto out; 1178 } else if (r == -1) { 1179 error("%s: %s", 1180 __func__, strerror(errno)); 1181 r = SSH_ERR_SYSTEM_ERROR; 1182 goto out; 1183 } 1184 } 1185 1186 len = atomicio(read, ssh_packet_get_connection_in(ssh), 1187 &c, 1); 1188 if (len != 1 && errno == EPIPE) { 1189 error("%s: Connection closed by remote host", 1190 __func__); 1191 r = SSH_ERR_CONN_CLOSED; 1192 goto out; 1193 } else if (len != 1) { 1194 error("%s: read: %.100s", 1195 __func__, strerror(errno)); 1196 r = SSH_ERR_SYSTEM_ERROR; 1197 goto out; 1198 } 1199 if (c == '\r') { 1200 expect_nl = 1; 1201 continue; 1202 } 1203 if (c == '\n') 1204 break; 1205 if (c == '\0' || expect_nl) { 1206 error("%s: banner line contains invalid " 1207 "characters", __func__); 1208 goto invalid; 1209 } 1210 if ((r = sshbuf_put_u8(peer_version, c)) != 0) { 1211 error("%s: sshbuf_put: %s", 1212 __func__, ssh_err(r)); 1213 goto out; 1214 } 1215 if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) { 1216 error("%s: banner line too long", __func__); 1217 goto invalid; 1218 } 1219 } 1220 /* Is this an actual protocol banner? */ 1221 if (sshbuf_len(peer_version) > 4 && 1222 memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0) 1223 break; 1224 /* If not, then just log the line and continue */ 1225 if ((cp = sshbuf_dup_string(peer_version)) == NULL) { 1226 error("%s: sshbuf_dup_string failed", __func__); 1227 r = SSH_ERR_ALLOC_FAIL; 1228 goto out; 1229 } 1230 /* Do not accept lines before the SSH ident from a client */ 1231 if (ssh->kex->server) { 1232 error("%s: client sent invalid protocol identifier " 1233 "\"%.256s\"", __func__, cp); 1234 free(cp); 1235 goto invalid; 1236 } 1237 debug("%s: banner line %zu: %s", __func__, n, cp); 1238 free(cp); 1239 } 1240 peer_version_string = sshbuf_dup_string(peer_version); 1241 if (peer_version_string == NULL) 1242 error("%s: sshbuf_dup_string failed", __func__); 1243 /* XXX must be same size for sscanf */ 1244 if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) { 1245 error("%s: calloc failed", __func__); 1246 r = SSH_ERR_ALLOC_FAIL; 1247 goto out; 1248 } 1249 1250 /* 1251 * Check that the versions match. In future this might accept 1252 * several versions and set appropriate flags to handle them. 1253 */ 1254 if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n", 1255 &remote_major, &remote_minor, remote_version) != 3) { 1256 error("Bad remote protocol version identification: '%.100s'", 1257 peer_version_string); 1258 invalid: 1259 send_error(ssh, "Invalid SSH identification string."); 1260 r = SSH_ERR_INVALID_FORMAT; 1261 goto out; 1262 } 1263 debug("Remote protocol version %d.%d, remote software version %.100s", 1264 remote_major, remote_minor, remote_version); 1265 ssh->compat = compat_datafellows(remote_version); 1266 1267 mismatch = 0; 1268 switch (remote_major) { 1269 case 2: 1270 break; 1271 case 1: 1272 if (remote_minor != 99) 1273 mismatch = 1; 1274 break; 1275 default: 1276 mismatch = 1; 1277 break; 1278 } 1279 if (mismatch) { 1280 error("Protocol major versions differ: %d vs. %d", 1281 PROTOCOL_MAJOR_2, remote_major); 1282 send_error(ssh, "Protocol major versions differ."); 1283 r = SSH_ERR_NO_PROTOCOL_VERSION; 1284 goto out; 1285 } 1286 1287 if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) { 1288 logit("probed from %s port %d with %s. Don't panic.", 1289 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 1290 peer_version_string); 1291 r = SSH_ERR_CONN_CLOSED; /* XXX */ 1292 goto out; 1293 } 1294 if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) { 1295 logit("scanned from %s port %d with %s. Don't panic.", 1296 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 1297 peer_version_string); 1298 r = SSH_ERR_CONN_CLOSED; /* XXX */ 1299 goto out; 1300 } 1301 if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) { 1302 logit("Remote version \"%.100s\" uses unsafe RSA signature " 1303 "scheme; disabling use of RSA keys", remote_version); 1304 } 1305 /* success */ 1306 r = 0; 1307 out: 1308 free(our_version_string); 1309 free(peer_version_string); 1310 free(remote_version); 1311 return r; 1312 } 1313 1314