1 /* $OpenBSD: ssh_api.c,v 1.27 2021/04/03 06:18:41 djm Exp $ */
2 /*
3 * Copyright (c) 2012 Markus Friedl. All rights reserved.
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include "includes.h"
19
20 #include <sys/types.h>
21
22 #include <stdio.h>
23 #include <stdlib.h>
24
25 #include "ssh_api.h"
26 #include "compat.h"
27 #include "log.h"
28 #include "authfile.h"
29 #include "sshkey.h"
30 #include "misc.h"
31 #include "ssh2.h"
32 #include "version.h"
33 #include "myproposal.h"
34 #include "ssherr.h"
35 #include "sshbuf.h"
36
37 #include "openbsd-compat/openssl-compat.h"
38
39 #include <string.h>
40
41 int _ssh_exchange_banner(struct ssh *);
42 int _ssh_send_banner(struct ssh *, struct sshbuf *);
43 int _ssh_read_banner(struct ssh *, struct sshbuf *);
44 int _ssh_order_hostkeyalgs(struct ssh *);
45 int _ssh_verify_host_key(struct sshkey *, struct ssh *);
46 struct sshkey *_ssh_host_public_key(int, int, struct ssh *);
47 struct sshkey *_ssh_host_private_key(int, int, struct ssh *);
48 int _ssh_host_key_sign(struct ssh *, struct sshkey *, struct sshkey *,
49 u_char **, size_t *, const u_char *, size_t, const char *);
50
51 /*
52 * stubs for the server side implementation of kex.
53 * disable privsep so our stubs will never be called.
54 */
55 int use_privsep = 0;
56 int mm_sshkey_sign(struct sshkey *, u_char **, u_int *,
57 const u_char *, u_int, const char *, const char *, const char *, u_int);
58
59 #ifdef WITH_OPENSSL
60 DH *mm_choose_dh(int, int, int);
61 #endif
62
63 int
mm_sshkey_sign(struct sshkey * key,u_char ** sigp,u_int * lenp,const u_char * data,u_int datalen,const char * alg,const char * sk_provider,const char * sk_pin,u_int compat)64 mm_sshkey_sign(struct sshkey *key, u_char **sigp, u_int *lenp,
65 const u_char *data, u_int datalen, const char *alg,
66 const char *sk_provider, const char *sk_pin, u_int compat)
67 {
68 return (-1);
69 }
70
71 #ifdef WITH_OPENSSL
72 DH *
mm_choose_dh(int min,int nbits,int max)73 mm_choose_dh(int min, int nbits, int max)
74 {
75 return (NULL);
76 }
77 #endif
78
79 /* API */
80
81 int
ssh_init(struct ssh ** sshp,int is_server,struct kex_params * kex_params)82 ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
83 {
84 char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
85 struct ssh *ssh;
86 char **proposal;
87 static int called;
88 int r;
89
90 if (!called) {
91 seed_rng();
92 called = 1;
93 }
94
95 if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL)
96 return SSH_ERR_ALLOC_FAIL;
97 if (is_server)
98 ssh_packet_set_server(ssh);
99
100 /* Initialize key exchange */
101 proposal = kex_params ? kex_params->proposal : myproposal;
102 if ((r = kex_ready(ssh, proposal)) != 0) {
103 ssh_free(ssh);
104 return r;
105 }
106 ssh->kex->server = is_server;
107 if (is_server) {
108 #ifdef WITH_OPENSSL
109 ssh->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server;
110 ssh->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server;
111 ssh->kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_server;
112 ssh->kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_server;
113 ssh->kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_server;
114 ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
115 ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
116 # ifdef OPENSSL_HAS_ECC
117 ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
118 # endif
119 #endif /* WITH_OPENSSL */
120 ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_server;
121 ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
122 ssh->kex->load_host_public_key=&_ssh_host_public_key;
123 ssh->kex->load_host_private_key=&_ssh_host_private_key;
124 ssh->kex->sign=&_ssh_host_key_sign;
125 } else {
126 #ifdef WITH_OPENSSL
127 ssh->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_client;
128 ssh->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_client;
129 ssh->kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_client;
130 ssh->kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_client;
131 ssh->kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_client;
132 ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
133 ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
134 # ifdef OPENSSL_HAS_ECC
135 ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
136 # endif
137 #endif /* WITH_OPENSSL */
138 ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
139 ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
140 ssh->kex->verify_host_key =&_ssh_verify_host_key;
141 }
142 *sshp = ssh;
143 return 0;
144 }
145
146 void
ssh_free(struct ssh * ssh)147 ssh_free(struct ssh *ssh)
148 {
149 struct key_entry *k;
150
151 if (ssh == NULL)
152 return;
153
154 /*
155 * we've only created the public keys variants in case we
156 * are a acting as a server.
157 */
158 while ((k = TAILQ_FIRST(&ssh->public_keys)) != NULL) {
159 TAILQ_REMOVE(&ssh->public_keys, k, next);
160 if (ssh->kex && ssh->kex->server)
161 sshkey_free(k->key);
162 free(k);
163 }
164 while ((k = TAILQ_FIRST(&ssh->private_keys)) != NULL) {
165 TAILQ_REMOVE(&ssh->private_keys, k, next);
166 free(k);
167 }
168 ssh_packet_close(ssh);
169 free(ssh);
170 }
171
172 void
ssh_set_app_data(struct ssh * ssh,void * app_data)173 ssh_set_app_data(struct ssh *ssh, void *app_data)
174 {
175 ssh->app_data = app_data;
176 }
177
178 void *
ssh_get_app_data(struct ssh * ssh)179 ssh_get_app_data(struct ssh *ssh)
180 {
181 return ssh->app_data;
182 }
183
184 /* Returns < 0 on error, 0 otherwise */
185 int
ssh_add_hostkey(struct ssh * ssh,struct sshkey * key)186 ssh_add_hostkey(struct ssh *ssh, struct sshkey *key)
187 {
188 struct sshkey *pubkey = NULL;
189 struct key_entry *k = NULL, *k_prv = NULL;
190 int r;
191
192 if (ssh->kex->server) {
193 if ((r = sshkey_from_private(key, &pubkey)) != 0)
194 return r;
195 if ((k = malloc(sizeof(*k))) == NULL ||
196 (k_prv = malloc(sizeof(*k_prv))) == NULL) {
197 free(k);
198 sshkey_free(pubkey);
199 return SSH_ERR_ALLOC_FAIL;
200 }
201 k_prv->key = key;
202 TAILQ_INSERT_TAIL(&ssh->private_keys, k_prv, next);
203
204 /* add the public key, too */
205 k->key = pubkey;
206 TAILQ_INSERT_TAIL(&ssh->public_keys, k, next);
207 r = 0;
208 } else {
209 if ((k = malloc(sizeof(*k))) == NULL)
210 return SSH_ERR_ALLOC_FAIL;
211 k->key = key;
212 TAILQ_INSERT_TAIL(&ssh->public_keys, k, next);
213 r = 0;
214 }
215
216 return r;
217 }
218
219 int
ssh_set_verify_host_key_callback(struct ssh * ssh,int (* cb)(struct sshkey *,struct ssh *))220 ssh_set_verify_host_key_callback(struct ssh *ssh,
221 int (*cb)(struct sshkey *, struct ssh *))
222 {
223 if (cb == NULL || ssh->kex == NULL)
224 return SSH_ERR_INVALID_ARGUMENT;
225
226 ssh->kex->verify_host_key = cb;
227
228 return 0;
229 }
230
231 int
ssh_input_append(struct ssh * ssh,const u_char * data,size_t len)232 ssh_input_append(struct ssh *ssh, const u_char *data, size_t len)
233 {
234 return sshbuf_put(ssh_packet_get_input(ssh), data, len);
235 }
236
237 int
ssh_packet_next(struct ssh * ssh,u_char * typep)238 ssh_packet_next(struct ssh *ssh, u_char *typep)
239 {
240 int r;
241 u_int32_t seqnr;
242 u_char type;
243
244 /*
245 * Try to read a packet. Return SSH_MSG_NONE if no packet or not
246 * enough data.
247 */
248 *typep = SSH_MSG_NONE;
249 if (sshbuf_len(ssh->kex->client_version) == 0 ||
250 sshbuf_len(ssh->kex->server_version) == 0)
251 return _ssh_exchange_banner(ssh);
252 /*
253 * If we enough data and a dispatch function then
254 * call the function and get the next packet.
255 * Otherwise return the packet type to the caller so it
256 * can decide how to go on.
257 *
258 * We will only call the dispatch function for:
259 * 20-29 Algorithm negotiation
260 * 30-49 Key exchange method specific (numbers can be reused for
261 * different authentication methods)
262 */
263 for (;;) {
264 if ((r = ssh_packet_read_poll2(ssh, &type, &seqnr)) != 0)
265 return r;
266 if (type > 0 && type < DISPATCH_MAX &&
267 type >= SSH2_MSG_KEXINIT && type <= SSH2_MSG_TRANSPORT_MAX &&
268 ssh->dispatch[type] != NULL) {
269 if ((r = (*ssh->dispatch[type])(type, seqnr, ssh)) != 0)
270 return r;
271 } else {
272 *typep = type;
273 return 0;
274 }
275 }
276 }
277
278 const u_char *
ssh_packet_payload(struct ssh * ssh,size_t * lenp)279 ssh_packet_payload(struct ssh *ssh, size_t *lenp)
280 {
281 return sshpkt_ptr(ssh, lenp);
282 }
283
284 int
ssh_packet_put(struct ssh * ssh,int type,const u_char * data,size_t len)285 ssh_packet_put(struct ssh *ssh, int type, const u_char *data, size_t len)
286 {
287 int r;
288
289 if ((r = sshpkt_start(ssh, type)) != 0 ||
290 (r = sshpkt_put(ssh, data, len)) != 0 ||
291 (r = sshpkt_send(ssh)) != 0)
292 return r;
293 return 0;
294 }
295
296 const u_char *
ssh_output_ptr(struct ssh * ssh,size_t * len)297 ssh_output_ptr(struct ssh *ssh, size_t *len)
298 {
299 struct sshbuf *output = ssh_packet_get_output(ssh);
300
301 *len = sshbuf_len(output);
302 return sshbuf_ptr(output);
303 }
304
305 int
ssh_output_consume(struct ssh * ssh,size_t len)306 ssh_output_consume(struct ssh *ssh, size_t len)
307 {
308 return sshbuf_consume(ssh_packet_get_output(ssh), len);
309 }
310
311 int
ssh_output_space(struct ssh * ssh,size_t len)312 ssh_output_space(struct ssh *ssh, size_t len)
313 {
314 return (0 == sshbuf_check_reserve(ssh_packet_get_output(ssh), len));
315 }
316
317 int
ssh_input_space(struct ssh * ssh,size_t len)318 ssh_input_space(struct ssh *ssh, size_t len)
319 {
320 return (0 == sshbuf_check_reserve(ssh_packet_get_input(ssh), len));
321 }
322
323 /* Read other side's version identification. */
324 int
_ssh_read_banner(struct ssh * ssh,struct sshbuf * banner)325 _ssh_read_banner(struct ssh *ssh, struct sshbuf *banner)
326 {
327 struct sshbuf *input = ssh_packet_get_input(ssh);
328 const char *mismatch = "Protocol mismatch.\r\n";
329 const u_char *s = sshbuf_ptr(input);
330 u_char c;
331 char *cp = NULL, *remote_version = NULL;
332 int r = 0, remote_major, remote_minor, expect_nl;
333 size_t n, j;
334
335 for (j = n = 0;;) {
336 sshbuf_reset(banner);
337 expect_nl = 0;
338 for (;;) {
339 if (j >= sshbuf_len(input))
340 return 0; /* insufficient data in input buf */
341 c = s[j++];
342 if (c == '\r') {
343 expect_nl = 1;
344 continue;
345 }
346 if (c == '\n')
347 break;
348 if (expect_nl)
349 goto bad;
350 if ((r = sshbuf_put_u8(banner, c)) != 0)
351 return r;
352 if (sshbuf_len(banner) > SSH_MAX_BANNER_LEN)
353 goto bad;
354 }
355 if (sshbuf_len(banner) >= 4 &&
356 memcmp(sshbuf_ptr(banner), "SSH-", 4) == 0)
357 break;
358 debug_f("%.*s", (int)sshbuf_len(banner),
359 sshbuf_ptr(banner));
360 /* Accept lines before banner only on client */
361 if (ssh->kex->server || ++n > SSH_MAX_PRE_BANNER_LINES) {
362 bad:
363 if ((r = sshbuf_put(ssh_packet_get_output(ssh),
364 mismatch, strlen(mismatch))) != 0)
365 return r;
366 return SSH_ERR_NO_PROTOCOL_VERSION;
367 }
368 }
369 if ((r = sshbuf_consume(input, j)) != 0)
370 return r;
371
372 /* XXX remote version must be the same size as banner for sscanf */
373 if ((cp = sshbuf_dup_string(banner)) == NULL ||
374 (remote_version = calloc(1, sshbuf_len(banner))) == NULL) {
375 r = SSH_ERR_ALLOC_FAIL;
376 goto out;
377 }
378
379 /*
380 * Check that the versions match. In future this might accept
381 * several versions and set appropriate flags to handle them.
382 */
383 if (sscanf(cp, "SSH-%d.%d-%[^\n]\n",
384 &remote_major, &remote_minor, remote_version) != 3) {
385 r = SSH_ERR_INVALID_FORMAT;
386 goto out;
387 }
388 debug("Remote protocol version %d.%d, remote software version %.100s",
389 remote_major, remote_minor, remote_version);
390
391 compat_banner(ssh, remote_version);
392 if (remote_major == 1 && remote_minor == 99) {
393 remote_major = 2;
394 remote_minor = 0;
395 }
396 if (remote_major != 2)
397 r = SSH_ERR_PROTOCOL_MISMATCH;
398
399 debug("Remote version string %.100s", cp);
400 out:
401 free(cp);
402 free(remote_version);
403 return r;
404 }
405
406 /* Send our own protocol version identification. */
407 int
_ssh_send_banner(struct ssh * ssh,struct sshbuf * banner)408 _ssh_send_banner(struct ssh *ssh, struct sshbuf *banner)
409 {
410 char *cp;
411 int r;
412
413 if ((r = sshbuf_putf(banner, "SSH-2.0-%.100s\r\n", SSH_VERSION)) != 0)
414 return r;
415 if ((r = sshbuf_putb(ssh_packet_get_output(ssh), banner)) != 0)
416 return r;
417 /* Remove trailing \r\n */
418 if ((r = sshbuf_consume_end(banner, 2)) != 0)
419 return r;
420 if ((cp = sshbuf_dup_string(banner)) == NULL)
421 return SSH_ERR_ALLOC_FAIL;
422 debug("Local version string %.100s", cp);
423 free(cp);
424 return 0;
425 }
426
427 int
_ssh_exchange_banner(struct ssh * ssh)428 _ssh_exchange_banner(struct ssh *ssh)
429 {
430 struct kex *kex = ssh->kex;
431 int r;
432
433 /*
434 * if _ssh_read_banner() cannot parse a full version string
435 * it will return NULL and we end up calling it again.
436 */
437
438 r = 0;
439 if (kex->server) {
440 if (sshbuf_len(ssh->kex->server_version) == 0)
441 r = _ssh_send_banner(ssh, ssh->kex->server_version);
442 if (r == 0 &&
443 sshbuf_len(ssh->kex->server_version) != 0 &&
444 sshbuf_len(ssh->kex->client_version) == 0)
445 r = _ssh_read_banner(ssh, ssh->kex->client_version);
446 } else {
447 if (sshbuf_len(ssh->kex->server_version) == 0)
448 r = _ssh_read_banner(ssh, ssh->kex->server_version);
449 if (r == 0 &&
450 sshbuf_len(ssh->kex->server_version) != 0 &&
451 sshbuf_len(ssh->kex->client_version) == 0)
452 r = _ssh_send_banner(ssh, ssh->kex->client_version);
453 }
454 if (r != 0)
455 return r;
456 /* start initial kex as soon as we have exchanged the banners */
457 if (sshbuf_len(ssh->kex->server_version) != 0 &&
458 sshbuf_len(ssh->kex->client_version) != 0) {
459 if ((r = _ssh_order_hostkeyalgs(ssh)) != 0 ||
460 (r = kex_send_kexinit(ssh)) != 0)
461 return r;
462 }
463 return 0;
464 }
465
466 struct sshkey *
_ssh_host_public_key(int type,int nid,struct ssh * ssh)467 _ssh_host_public_key(int type, int nid, struct ssh *ssh)
468 {
469 struct key_entry *k;
470
471 debug3_f("need %d", type);
472 TAILQ_FOREACH(k, &ssh->public_keys, next) {
473 debug3_f("check %s", sshkey_type(k->key));
474 if (k->key->type == type &&
475 (type != KEY_ECDSA || k->key->ecdsa_nid == nid))
476 return (k->key);
477 }
478 return (NULL);
479 }
480
481 struct sshkey *
_ssh_host_private_key(int type,int nid,struct ssh * ssh)482 _ssh_host_private_key(int type, int nid, struct ssh *ssh)
483 {
484 struct key_entry *k;
485
486 debug3_f("need %d", type);
487 TAILQ_FOREACH(k, &ssh->private_keys, next) {
488 debug3_f("check %s", sshkey_type(k->key));
489 if (k->key->type == type &&
490 (type != KEY_ECDSA || k->key->ecdsa_nid == nid))
491 return (k->key);
492 }
493 return (NULL);
494 }
495
496 int
_ssh_verify_host_key(struct sshkey * hostkey,struct ssh * ssh)497 _ssh_verify_host_key(struct sshkey *hostkey, struct ssh *ssh)
498 {
499 struct key_entry *k;
500
501 debug3_f("need %s", sshkey_type(hostkey));
502 TAILQ_FOREACH(k, &ssh->public_keys, next) {
503 debug3_f("check %s", sshkey_type(k->key));
504 if (sshkey_equal_public(hostkey, k->key))
505 return (0); /* ok */
506 }
507 return (-1); /* failed */
508 }
509
510 /* offer hostkey algorithms in kexinit depending on registered keys */
511 int
_ssh_order_hostkeyalgs(struct ssh * ssh)512 _ssh_order_hostkeyalgs(struct ssh *ssh)
513 {
514 struct key_entry *k;
515 char *orig, *avail, *oavail = NULL, *alg, *replace = NULL;
516 char **proposal;
517 size_t maxlen;
518 int ktype, r;
519
520 /* XXX we de-serialize ssh->kex->my, modify it, and change it */
521 if ((r = kex_buf2prop(ssh->kex->my, NULL, &proposal)) != 0)
522 return r;
523 orig = proposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
524 if ((oavail = avail = strdup(orig)) == NULL) {
525 r = SSH_ERR_ALLOC_FAIL;
526 goto out;
527 }
528 maxlen = strlen(avail) + 1;
529 if ((replace = calloc(1, maxlen)) == NULL) {
530 r = SSH_ERR_ALLOC_FAIL;
531 goto out;
532 }
533 *replace = '\0';
534 while ((alg = strsep(&avail, ",")) && *alg != '\0') {
535 if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC)
536 continue;
537 TAILQ_FOREACH(k, &ssh->public_keys, next) {
538 if (k->key->type == ktype ||
539 (sshkey_is_cert(k->key) && k->key->type ==
540 sshkey_type_plain(ktype))) {
541 if (*replace != '\0')
542 strlcat(replace, ",", maxlen);
543 strlcat(replace, alg, maxlen);
544 break;
545 }
546 }
547 }
548 if (*replace != '\0') {
549 debug2_f("orig/%d %s", ssh->kex->server, orig);
550 debug2_f("replace/%d %s", ssh->kex->server, replace);
551 free(orig);
552 proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = replace;
553 replace = NULL; /* owned by proposal */
554 r = kex_prop2buf(ssh->kex->my, proposal);
555 }
556 out:
557 free(oavail);
558 free(replace);
559 kex_prop_free(proposal);
560 return r;
561 }
562
563 int
_ssh_host_key_sign(struct ssh * ssh,struct sshkey * privkey,struct sshkey * pubkey,u_char ** signature,size_t * slen,const u_char * data,size_t dlen,const char * alg)564 _ssh_host_key_sign(struct ssh *ssh, struct sshkey *privkey,
565 struct sshkey *pubkey, u_char **signature, size_t *slen,
566 const u_char *data, size_t dlen, const char *alg)
567 {
568 return sshkey_sign(privkey, signature, slen, data, dlen,
569 alg, NULL, NULL, ssh->compat);
570 }
571