1 /* $OpenBSD: kex.c,v 1.168 2021/04/03 06:18:40 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 27 #include <sys/types.h> 28 #include <errno.h> 29 #include <signal.h> 30 #include <stdio.h> 31 #include <stdlib.h> 32 #include <string.h> 33 #include <unistd.h> 34 #include <poll.h> 35 36 #ifdef WITH_OPENSSL 37 #include <openssl/crypto.h> 38 #endif 39 40 #include "ssh.h" 41 #include "ssh2.h" 42 #include "atomicio.h" 43 #include "version.h" 44 #include "packet.h" 45 #include "compat.h" 46 #include "cipher.h" 47 #include "sshkey.h" 48 #include "kex.h" 49 #include "log.h" 50 #include "mac.h" 51 #include "match.h" 52 #include "misc.h" 53 #include "dispatch.h" 54 #include "monitor.h" 55 56 #include "ssherr.h" 57 #include "sshbuf.h" 58 #include "digest.h" 59 60 /* prototype */ 61 static int kex_choose_conf(struct ssh *); 62 static int kex_input_newkeys(int, u_int32_t, struct ssh *); 63 64 static const char *proposal_names[PROPOSAL_MAX] = { 65 "KEX algorithms", 66 "host key algorithms", 67 "ciphers ctos", 68 "ciphers stoc", 69 "MACs ctos", 70 "MACs stoc", 71 "compression ctos", 72 "compression stoc", 73 "languages ctos", 74 "languages stoc", 75 }; 76 77 struct kexalg { 78 char *name; 79 u_int type; 80 int ec_nid; 81 int hash_alg; 82 }; 83 static const struct kexalg kexalgs[] = { 84 #ifdef WITH_OPENSSL 85 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, 86 { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, 87 { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, 88 { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, 89 { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, 90 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, 91 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, 92 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, 93 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 94 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, 95 SSH_DIGEST_SHA384 }, 96 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, 97 SSH_DIGEST_SHA512 }, 98 #endif 99 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 100 { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 101 { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, 102 SSH_DIGEST_SHA512 }, 103 { NULL, 0, -1, -1}, 104 }; 105 106 char * 107 kex_alg_list(char sep) 108 { 109 char *ret = NULL, *tmp; 110 size_t nlen, rlen = 0; 111 const struct kexalg *k; 112 113 for (k = kexalgs; k->name != NULL; k++) { 114 if (ret != NULL) 115 ret[rlen++] = sep; 116 nlen = strlen(k->name); 117 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 118 free(ret); 119 return NULL; 120 } 121 ret = tmp; 122 memcpy(ret + rlen, k->name, nlen + 1); 123 rlen += nlen; 124 } 125 return ret; 126 } 127 128 static const struct kexalg * 129 kex_alg_by_name(const char *name) 130 { 131 const struct kexalg *k; 132 133 for (k = kexalgs; k->name != NULL; k++) { 134 if (strcmp(k->name, name) == 0) 135 return k; 136 } 137 return NULL; 138 } 139 140 /* Validate KEX method name list */ 141 int 142 kex_names_valid(const char *names) 143 { 144 char *s, *cp, *p; 145 146 if (names == NULL || strcmp(names, "") == 0) 147 return 0; 148 if ((s = cp = strdup(names)) == NULL) 149 return 0; 150 for ((p = strsep(&cp, ",")); p && *p != '\0'; 151 (p = strsep(&cp, ","))) { 152 if (kex_alg_by_name(p) == NULL) { 153 error("Unsupported KEX algorithm \"%.100s\"", p); 154 free(s); 155 return 0; 156 } 157 } 158 debug3("kex names ok: [%s]", names); 159 free(s); 160 return 1; 161 } 162 163 /* 164 * Concatenate algorithm names, avoiding duplicates in the process. 165 * Caller must free returned string. 166 */ 167 char * 168 kex_names_cat(const char *a, const char *b) 169 { 170 char *ret = NULL, *tmp = NULL, *cp, *p, *m; 171 size_t len; 172 173 if (a == NULL || *a == '\0') 174 return strdup(b); 175 if (b == NULL || *b == '\0') 176 return strdup(a); 177 if (strlen(b) > 1024*1024) 178 return NULL; 179 len = strlen(a) + strlen(b) + 2; 180 if ((tmp = cp = strdup(b)) == NULL || 181 (ret = calloc(1, len)) == NULL) { 182 free(tmp); 183 return NULL; 184 } 185 strlcpy(ret, a, len); 186 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { 187 if ((m = match_list(ret, p, NULL)) != NULL) { 188 free(m); 189 continue; /* Algorithm already present */ 190 } 191 if (strlcat(ret, ",", len) >= len || 192 strlcat(ret, p, len) >= len) { 193 free(tmp); 194 free(ret); 195 return NULL; /* Shouldn't happen */ 196 } 197 } 198 free(tmp); 199 return ret; 200 } 201 202 /* 203 * Assemble a list of algorithms from a default list and a string from a 204 * configuration file. The user-provided string may begin with '+' to 205 * indicate that it should be appended to the default, '-' that the 206 * specified names should be removed, or '^' that they should be placed 207 * at the head. 208 */ 209 int 210 kex_assemble_names(char **listp, const char *def, const char *all) 211 { 212 char *cp, *tmp, *patterns; 213 char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL; 214 int r = SSH_ERR_INTERNAL_ERROR; 215 216 if (listp == NULL || def == NULL || all == NULL) 217 return SSH_ERR_INVALID_ARGUMENT; 218 219 if (*listp == NULL || **listp == '\0') { 220 if ((*listp = strdup(def)) == NULL) 221 return SSH_ERR_ALLOC_FAIL; 222 return 0; 223 } 224 225 list = *listp; 226 *listp = NULL; 227 if (*list == '+') { 228 /* Append names to default list */ 229 if ((tmp = kex_names_cat(def, list + 1)) == NULL) { 230 r = SSH_ERR_ALLOC_FAIL; 231 goto fail; 232 } 233 free(list); 234 list = tmp; 235 } else if (*list == '-') { 236 /* Remove names from default list */ 237 if ((*listp = match_filter_denylist(def, list + 1)) == NULL) { 238 r = SSH_ERR_ALLOC_FAIL; 239 goto fail; 240 } 241 free(list); 242 /* filtering has already been done */ 243 return 0; 244 } else if (*list == '^') { 245 /* Place names at head of default list */ 246 if ((tmp = kex_names_cat(list + 1, def)) == NULL) { 247 r = SSH_ERR_ALLOC_FAIL; 248 goto fail; 249 } 250 free(list); 251 list = tmp; 252 } else { 253 /* Explicit list, overrides default - just use "list" as is */ 254 } 255 256 /* 257 * The supplied names may be a pattern-list. For the -list case, 258 * the patterns are applied above. For the +list and explicit list 259 * cases we need to do it now. 260 */ 261 ret = NULL; 262 if ((patterns = opatterns = strdup(list)) == NULL) { 263 r = SSH_ERR_ALLOC_FAIL; 264 goto fail; 265 } 266 /* Apply positive (i.e. non-negated) patterns from the list */ 267 while ((cp = strsep(&patterns, ",")) != NULL) { 268 if (*cp == '!') { 269 /* negated matches are not supported here */ 270 r = SSH_ERR_INVALID_ARGUMENT; 271 goto fail; 272 } 273 free(matching); 274 if ((matching = match_filter_allowlist(all, cp)) == NULL) { 275 r = SSH_ERR_ALLOC_FAIL; 276 goto fail; 277 } 278 if ((tmp = kex_names_cat(ret, matching)) == NULL) { 279 r = SSH_ERR_ALLOC_FAIL; 280 goto fail; 281 } 282 free(ret); 283 ret = tmp; 284 } 285 if (ret == NULL || *ret == '\0') { 286 /* An empty name-list is an error */ 287 /* XXX better error code? */ 288 r = SSH_ERR_INVALID_ARGUMENT; 289 goto fail; 290 } 291 292 /* success */ 293 *listp = ret; 294 ret = NULL; 295 r = 0; 296 297 fail: 298 free(matching); 299 free(opatterns); 300 free(list); 301 free(ret); 302 return r; 303 } 304 305 /* put algorithm proposal into buffer */ 306 int 307 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) 308 { 309 u_int i; 310 int r; 311 312 sshbuf_reset(b); 313 314 /* 315 * add a dummy cookie, the cookie will be overwritten by 316 * kex_send_kexinit(), each time a kexinit is set 317 */ 318 for (i = 0; i < KEX_COOKIE_LEN; i++) { 319 if ((r = sshbuf_put_u8(b, 0)) != 0) 320 return r; 321 } 322 for (i = 0; i < PROPOSAL_MAX; i++) { 323 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0) 324 return r; 325 } 326 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */ 327 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */ 328 return r; 329 return 0; 330 } 331 332 /* parse buffer and return algorithm proposal */ 333 int 334 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) 335 { 336 struct sshbuf *b = NULL; 337 u_char v; 338 u_int i; 339 char **proposal = NULL; 340 int r; 341 342 *propp = NULL; 343 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL) 344 return SSH_ERR_ALLOC_FAIL; 345 if ((b = sshbuf_fromb(raw)) == NULL) { 346 r = SSH_ERR_ALLOC_FAIL; 347 goto out; 348 } 349 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */ 350 error_fr(r, "consume cookie"); 351 goto out; 352 } 353 /* extract kex init proposal strings */ 354 for (i = 0; i < PROPOSAL_MAX; i++) { 355 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) { 356 error_fr(r, "parse proposal %u", i); 357 goto out; 358 } 359 debug2("%s: %s", proposal_names[i], proposal[i]); 360 } 361 /* first kex follows / reserved */ 362 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ 363 (r = sshbuf_get_u32(b, &i)) != 0) { /* reserved */ 364 error_fr(r, "parse"); 365 goto out; 366 } 367 if (first_kex_follows != NULL) 368 *first_kex_follows = v; 369 debug2("first_kex_follows %d ", v); 370 debug2("reserved %u ", i); 371 r = 0; 372 *propp = proposal; 373 out: 374 if (r != 0 && proposal != NULL) 375 kex_prop_free(proposal); 376 sshbuf_free(b); 377 return r; 378 } 379 380 void 381 kex_prop_free(char **proposal) 382 { 383 u_int i; 384 385 if (proposal == NULL) 386 return; 387 for (i = 0; i < PROPOSAL_MAX; i++) 388 free(proposal[i]); 389 free(proposal); 390 } 391 392 /* ARGSUSED */ 393 int 394 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) 395 { 396 int r; 397 398 error("kex protocol error: type %d seq %u", type, seq); 399 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || 400 (r = sshpkt_put_u32(ssh, seq)) != 0 || 401 (r = sshpkt_send(ssh)) != 0) 402 return r; 403 return 0; 404 } 405 406 static void 407 kex_reset_dispatch(struct ssh *ssh) 408 { 409 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN, 410 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error); 411 } 412 413 static int 414 kex_send_ext_info(struct ssh *ssh) 415 { 416 int r; 417 char *algs; 418 419 debug("Sending SSH2_MSG_EXT_INFO"); 420 if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL) 421 return SSH_ERR_ALLOC_FAIL; 422 /* XXX filter algs list by allowed pubkey/hostbased types */ 423 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || 424 (r = sshpkt_put_u32(ssh, 1)) != 0 || 425 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || 426 (r = sshpkt_put_cstring(ssh, algs)) != 0 || 427 (r = sshpkt_send(ssh)) != 0) { 428 error_fr(r, "compose"); 429 goto out; 430 } 431 /* success */ 432 r = 0; 433 out: 434 free(algs); 435 return r; 436 } 437 438 int 439 kex_send_newkeys(struct ssh *ssh) 440 { 441 int r; 442 443 kex_reset_dispatch(ssh); 444 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 || 445 (r = sshpkt_send(ssh)) != 0) 446 return r; 447 debug("SSH2_MSG_NEWKEYS sent"); 448 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); 449 if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0) 450 if ((r = kex_send_ext_info(ssh)) != 0) 451 return r; 452 debug("expecting SSH2_MSG_NEWKEYS"); 453 return 0; 454 } 455 456 int 457 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) 458 { 459 struct kex *kex = ssh->kex; 460 u_int32_t i, ninfo; 461 char *name; 462 u_char *val; 463 size_t vlen; 464 int r; 465 466 debug("SSH2_MSG_EXT_INFO received"); 467 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); 468 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) 469 return r; 470 for (i = 0; i < ninfo; i++) { 471 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) 472 return r; 473 if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) { 474 free(name); 475 return r; 476 } 477 if (strcmp(name, "server-sig-algs") == 0) { 478 /* Ensure no \0 lurking in value */ 479 if (memchr(val, '\0', vlen) != NULL) { 480 error_f("nul byte in %s", name); 481 return SSH_ERR_INVALID_FORMAT; 482 } 483 debug_f("%s=<%s>", name, val); 484 kex->server_sig_algs = val; 485 val = NULL; 486 } else 487 debug_f("%s (unrecognised)", name); 488 free(name); 489 free(val); 490 } 491 return sshpkt_get_end(ssh); 492 } 493 494 static int 495 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh) 496 { 497 struct kex *kex = ssh->kex; 498 int r; 499 500 debug("SSH2_MSG_NEWKEYS received"); 501 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); 502 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 503 if ((r = sshpkt_get_end(ssh)) != 0) 504 return r; 505 if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) 506 return r; 507 kex->done = 1; 508 kex->flags &= ~KEX_INITIAL; 509 sshbuf_reset(kex->peer); 510 /* sshbuf_reset(kex->my); */ 511 kex->flags &= ~KEX_INIT_SENT; 512 free(kex->name); 513 kex->name = NULL; 514 return 0; 515 } 516 517 int 518 kex_send_kexinit(struct ssh *ssh) 519 { 520 u_char *cookie; 521 struct kex *kex = ssh->kex; 522 int r; 523 524 if (kex == NULL) { 525 error_f("no kex"); 526 return SSH_ERR_INTERNAL_ERROR; 527 } 528 if (kex->flags & KEX_INIT_SENT) 529 return 0; 530 kex->done = 0; 531 532 /* generate a random cookie */ 533 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) { 534 error_f("bad kex length: %zu < %d", 535 sshbuf_len(kex->my), KEX_COOKIE_LEN); 536 return SSH_ERR_INVALID_FORMAT; 537 } 538 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) { 539 error_f("buffer error"); 540 return SSH_ERR_INTERNAL_ERROR; 541 } 542 arc4random_buf(cookie, KEX_COOKIE_LEN); 543 544 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || 545 (r = sshpkt_putb(ssh, kex->my)) != 0 || 546 (r = sshpkt_send(ssh)) != 0) { 547 error_fr(r, "compose reply"); 548 return r; 549 } 550 debug("SSH2_MSG_KEXINIT sent"); 551 kex->flags |= KEX_INIT_SENT; 552 return 0; 553 } 554 555 /* ARGSUSED */ 556 int 557 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) 558 { 559 struct kex *kex = ssh->kex; 560 const u_char *ptr; 561 u_int i; 562 size_t dlen; 563 int r; 564 565 debug("SSH2_MSG_KEXINIT received"); 566 if (kex == NULL) { 567 error_f("no kex"); 568 return SSH_ERR_INTERNAL_ERROR; 569 } 570 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); 571 ptr = sshpkt_ptr(ssh, &dlen); 572 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) 573 return r; 574 575 /* discard packet */ 576 for (i = 0; i < KEX_COOKIE_LEN; i++) { 577 if ((r = sshpkt_get_u8(ssh, NULL)) != 0) { 578 error_fr(r, "discard cookie"); 579 return r; 580 } 581 } 582 for (i = 0; i < PROPOSAL_MAX; i++) { 583 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) { 584 error_fr(r, "discard proposal"); 585 return r; 586 } 587 } 588 /* 589 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported 590 * KEX method has the server move first, but a server might be using 591 * a custom method or one that we otherwise don't support. We should 592 * be prepared to remember first_kex_follows here so we can eat a 593 * packet later. 594 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means 595 * for cases where the server *doesn't* go first. I guess we should 596 * ignore it when it is set for these cases, which is what we do now. 597 */ 598 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */ 599 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */ 600 (r = sshpkt_get_end(ssh)) != 0) 601 return r; 602 603 if (!(kex->flags & KEX_INIT_SENT)) 604 if ((r = kex_send_kexinit(ssh)) != 0) 605 return r; 606 if ((r = kex_choose_conf(ssh)) != 0) 607 return r; 608 609 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) 610 return (kex->kex[kex->kex_type])(ssh); 611 612 error_f("unknown kex type %u", kex->kex_type); 613 return SSH_ERR_INTERNAL_ERROR; 614 } 615 616 struct kex * 617 kex_new(void) 618 { 619 struct kex *kex; 620 621 if ((kex = calloc(1, sizeof(*kex))) == NULL || 622 (kex->peer = sshbuf_new()) == NULL || 623 (kex->my = sshbuf_new()) == NULL || 624 (kex->client_version = sshbuf_new()) == NULL || 625 (kex->server_version = sshbuf_new()) == NULL || 626 (kex->session_id = sshbuf_new()) == NULL) { 627 kex_free(kex); 628 return NULL; 629 } 630 return kex; 631 } 632 633 void 634 kex_free_newkeys(struct newkeys *newkeys) 635 { 636 if (newkeys == NULL) 637 return; 638 if (newkeys->enc.key) { 639 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len); 640 free(newkeys->enc.key); 641 newkeys->enc.key = NULL; 642 } 643 if (newkeys->enc.iv) { 644 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); 645 free(newkeys->enc.iv); 646 newkeys->enc.iv = NULL; 647 } 648 free(newkeys->enc.name); 649 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc)); 650 free(newkeys->comp.name); 651 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp)); 652 mac_clear(&newkeys->mac); 653 if (newkeys->mac.key) { 654 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len); 655 free(newkeys->mac.key); 656 newkeys->mac.key = NULL; 657 } 658 free(newkeys->mac.name); 659 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac)); 660 freezero(newkeys, sizeof(*newkeys)); 661 } 662 663 void 664 kex_free(struct kex *kex) 665 { 666 u_int mode; 667 668 if (kex == NULL) 669 return; 670 671 #ifdef WITH_OPENSSL 672 DH_free(kex->dh); 673 EC_KEY_free(kex->ec_client_key); 674 #endif 675 for (mode = 0; mode < MODE_MAX; mode++) { 676 kex_free_newkeys(kex->newkeys[mode]); 677 kex->newkeys[mode] = NULL; 678 } 679 sshbuf_free(kex->peer); 680 sshbuf_free(kex->my); 681 sshbuf_free(kex->client_version); 682 sshbuf_free(kex->server_version); 683 sshbuf_free(kex->client_pub); 684 sshbuf_free(kex->session_id); 685 free(kex->failed_choice); 686 free(kex->hostkey_alg); 687 free(kex->name); 688 free(kex); 689 } 690 691 int 692 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) 693 { 694 int r; 695 696 if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0) 697 return r; 698 ssh->kex->flags = KEX_INITIAL; 699 kex_reset_dispatch(ssh); 700 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); 701 return 0; 702 } 703 704 int 705 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) 706 { 707 int r; 708 709 if ((r = kex_ready(ssh, proposal)) != 0) 710 return r; 711 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */ 712 kex_free(ssh->kex); 713 ssh->kex = NULL; 714 return r; 715 } 716 return 0; 717 } 718 719 /* 720 * Request key re-exchange, returns 0 on success or a ssherr.h error 721 * code otherwise. Must not be called if KEX is incomplete or in-progress. 722 */ 723 int 724 kex_start_rekex(struct ssh *ssh) 725 { 726 if (ssh->kex == NULL) { 727 error_f("no kex"); 728 return SSH_ERR_INTERNAL_ERROR; 729 } 730 if (ssh->kex->done == 0) { 731 error_f("requested twice"); 732 return SSH_ERR_INTERNAL_ERROR; 733 } 734 ssh->kex->done = 0; 735 return kex_send_kexinit(ssh); 736 } 737 738 static int 739 choose_enc(struct sshenc *enc, char *client, char *server) 740 { 741 char *name = match_list(client, server, NULL); 742 743 if (name == NULL) 744 return SSH_ERR_NO_CIPHER_ALG_MATCH; 745 if ((enc->cipher = cipher_by_name(name)) == NULL) { 746 error_f("unsupported cipher %s", name); 747 free(name); 748 return SSH_ERR_INTERNAL_ERROR; 749 } 750 enc->name = name; 751 enc->enabled = 0; 752 enc->iv = NULL; 753 enc->iv_len = cipher_ivlen(enc->cipher); 754 enc->key = NULL; 755 enc->key_len = cipher_keylen(enc->cipher); 756 enc->block_size = cipher_blocksize(enc->cipher); 757 return 0; 758 } 759 760 static int 761 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) 762 { 763 char *name = match_list(client, server, NULL); 764 765 if (name == NULL) 766 return SSH_ERR_NO_MAC_ALG_MATCH; 767 if (mac_setup(mac, name) < 0) { 768 error_f("unsupported MAC %s", name); 769 free(name); 770 return SSH_ERR_INTERNAL_ERROR; 771 } 772 mac->name = name; 773 mac->key = NULL; 774 mac->enabled = 0; 775 return 0; 776 } 777 778 static int 779 choose_comp(struct sshcomp *comp, char *client, char *server) 780 { 781 char *name = match_list(client, server, NULL); 782 783 if (name == NULL) 784 return SSH_ERR_NO_COMPRESS_ALG_MATCH; 785 #ifdef WITH_ZLIB 786 if (strcmp(name, "zlib@openssh.com") == 0) { 787 comp->type = COMP_DELAYED; 788 } else if (strcmp(name, "zlib") == 0) { 789 comp->type = COMP_ZLIB; 790 } else 791 #endif /* WITH_ZLIB */ 792 if (strcmp(name, "none") == 0) { 793 comp->type = COMP_NONE; 794 } else { 795 error_f("unsupported compression scheme %s", name); 796 free(name); 797 return SSH_ERR_INTERNAL_ERROR; 798 } 799 comp->name = name; 800 return 0; 801 } 802 803 static int 804 choose_kex(struct kex *k, char *client, char *server) 805 { 806 const struct kexalg *kexalg; 807 808 k->name = match_list(client, server, NULL); 809 810 debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); 811 if (k->name == NULL) 812 return SSH_ERR_NO_KEX_ALG_MATCH; 813 if ((kexalg = kex_alg_by_name(k->name)) == NULL) { 814 error_f("unsupported KEX method %s", k->name); 815 return SSH_ERR_INTERNAL_ERROR; 816 } 817 k->kex_type = kexalg->type; 818 k->hash_alg = kexalg->hash_alg; 819 k->ec_nid = kexalg->ec_nid; 820 return 0; 821 } 822 823 static int 824 choose_hostkeyalg(struct kex *k, char *client, char *server) 825 { 826 free(k->hostkey_alg); 827 k->hostkey_alg = match_list(client, server, NULL); 828 829 debug("kex: host key algorithm: %s", 830 k->hostkey_alg ? k->hostkey_alg : "(no match)"); 831 if (k->hostkey_alg == NULL) 832 return SSH_ERR_NO_HOSTKEY_ALG_MATCH; 833 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); 834 if (k->hostkey_type == KEY_UNSPEC) { 835 error_f("unsupported hostkey algorithm %s", k->hostkey_alg); 836 return SSH_ERR_INTERNAL_ERROR; 837 } 838 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); 839 return 0; 840 } 841 842 static int 843 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) 844 { 845 static int check[] = { 846 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 847 }; 848 int *idx; 849 char *p; 850 851 for (idx = &check[0]; *idx != -1; idx++) { 852 if ((p = strchr(my[*idx], ',')) != NULL) 853 *p = '\0'; 854 if ((p = strchr(peer[*idx], ',')) != NULL) 855 *p = '\0'; 856 if (strcmp(my[*idx], peer[*idx]) != 0) { 857 debug2("proposal mismatch: my %s peer %s", 858 my[*idx], peer[*idx]); 859 return (0); 860 } 861 } 862 debug2("proposals match"); 863 return (1); 864 } 865 866 static int 867 kex_choose_conf(struct ssh *ssh) 868 { 869 struct kex *kex = ssh->kex; 870 struct newkeys *newkeys; 871 char **my = NULL, **peer = NULL; 872 char **cprop, **sprop; 873 int nenc, nmac, ncomp; 874 u_int mode, ctos, need, dh_need, authlen; 875 int r, first_kex_follows; 876 877 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); 878 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) 879 goto out; 880 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); 881 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) 882 goto out; 883 884 if (kex->server) { 885 cprop=peer; 886 sprop=my; 887 } else { 888 cprop=my; 889 sprop=peer; 890 } 891 892 /* Check whether client supports ext_info_c */ 893 if (kex->server && (kex->flags & KEX_INITIAL)) { 894 char *ext; 895 896 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); 897 kex->ext_info_c = (ext != NULL); 898 free(ext); 899 } 900 901 /* Algorithm Negotiation */ 902 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], 903 sprop[PROPOSAL_KEX_ALGS])) != 0) { 904 kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; 905 peer[PROPOSAL_KEX_ALGS] = NULL; 906 goto out; 907 } 908 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], 909 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { 910 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; 911 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; 912 goto out; 913 } 914 for (mode = 0; mode < MODE_MAX; mode++) { 915 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { 916 r = SSH_ERR_ALLOC_FAIL; 917 goto out; 918 } 919 kex->newkeys[mode] = newkeys; 920 ctos = (!kex->server && mode == MODE_OUT) || 921 (kex->server && mode == MODE_IN); 922 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 923 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 924 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 925 if ((r = choose_enc(&newkeys->enc, cprop[nenc], 926 sprop[nenc])) != 0) { 927 kex->failed_choice = peer[nenc]; 928 peer[nenc] = NULL; 929 goto out; 930 } 931 authlen = cipher_authlen(newkeys->enc.cipher); 932 /* ignore mac for authenticated encryption */ 933 if (authlen == 0 && 934 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], 935 sprop[nmac])) != 0) { 936 kex->failed_choice = peer[nmac]; 937 peer[nmac] = NULL; 938 goto out; 939 } 940 if ((r = choose_comp(&newkeys->comp, cprop[ncomp], 941 sprop[ncomp])) != 0) { 942 kex->failed_choice = peer[ncomp]; 943 peer[ncomp] = NULL; 944 goto out; 945 } 946 debug("kex: %s cipher: %s MAC: %s compression: %s", 947 ctos ? "client->server" : "server->client", 948 newkeys->enc.name, 949 authlen == 0 ? newkeys->mac.name : "<implicit>", 950 newkeys->comp.name); 951 } 952 need = dh_need = 0; 953 for (mode = 0; mode < MODE_MAX; mode++) { 954 newkeys = kex->newkeys[mode]; 955 need = MAXIMUM(need, newkeys->enc.key_len); 956 need = MAXIMUM(need, newkeys->enc.block_size); 957 need = MAXIMUM(need, newkeys->enc.iv_len); 958 need = MAXIMUM(need, newkeys->mac.key_len); 959 dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher)); 960 dh_need = MAXIMUM(dh_need, newkeys->enc.block_size); 961 dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len); 962 dh_need = MAXIMUM(dh_need, newkeys->mac.key_len); 963 } 964 /* XXX need runden? */ 965 kex->we_need = need; 966 kex->dh_need = dh_need; 967 968 /* ignore the next message if the proposals do not match */ 969 if (first_kex_follows && !proposals_match(my, peer)) 970 ssh->dispatch_skip_packets = 1; 971 r = 0; 972 out: 973 kex_prop_free(my); 974 kex_prop_free(peer); 975 return r; 976 } 977 978 static int 979 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, 980 const struct sshbuf *shared_secret, u_char **keyp) 981 { 982 struct kex *kex = ssh->kex; 983 struct ssh_digest_ctx *hashctx = NULL; 984 char c = id; 985 u_int have; 986 size_t mdsz; 987 u_char *digest; 988 int r; 989 990 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) 991 return SSH_ERR_INVALID_ARGUMENT; 992 if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) { 993 r = SSH_ERR_ALLOC_FAIL; 994 goto out; 995 } 996 997 /* K1 = HASH(K || H || "A" || session_id) */ 998 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 999 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 1000 ssh_digest_update(hashctx, hash, hashlen) != 0 || 1001 ssh_digest_update(hashctx, &c, 1) != 0 || 1002 ssh_digest_update_buffer(hashctx, kex->session_id) != 0 || 1003 ssh_digest_final(hashctx, digest, mdsz) != 0) { 1004 r = SSH_ERR_LIBCRYPTO_ERROR; 1005 error_f("KEX hash failed"); 1006 goto out; 1007 } 1008 ssh_digest_free(hashctx); 1009 hashctx = NULL; 1010 1011 /* 1012 * expand key: 1013 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) 1014 * Key = K1 || K2 || ... || Kn 1015 */ 1016 for (have = mdsz; need > have; have += mdsz) { 1017 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || 1018 ssh_digest_update_buffer(hashctx, shared_secret) != 0 || 1019 ssh_digest_update(hashctx, hash, hashlen) != 0 || 1020 ssh_digest_update(hashctx, digest, have) != 0 || 1021 ssh_digest_final(hashctx, digest + have, mdsz) != 0) { 1022 error_f("KDF failed"); 1023 r = SSH_ERR_LIBCRYPTO_ERROR; 1024 goto out; 1025 } 1026 ssh_digest_free(hashctx); 1027 hashctx = NULL; 1028 } 1029 #ifdef DEBUG_KEX 1030 fprintf(stderr, "key '%c'== ", c); 1031 dump_digest("key", digest, need); 1032 #endif 1033 *keyp = digest; 1034 digest = NULL; 1035 r = 0; 1036 out: 1037 free(digest); 1038 ssh_digest_free(hashctx); 1039 return r; 1040 } 1041 1042 #define NKEYS 6 1043 int 1044 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen, 1045 const struct sshbuf *shared_secret) 1046 { 1047 struct kex *kex = ssh->kex; 1048 u_char *keys[NKEYS]; 1049 u_int i, j, mode, ctos; 1050 int r; 1051 1052 /* save initial hash as session id */ 1053 if ((kex->flags & KEX_INITIAL) != 0) { 1054 if (sshbuf_len(kex->session_id) != 0) { 1055 error_f("already have session ID at kex"); 1056 return SSH_ERR_INTERNAL_ERROR; 1057 } 1058 if ((r = sshbuf_put(kex->session_id, hash, hashlen)) != 0) 1059 return r; 1060 } else if (sshbuf_len(kex->session_id) == 0) { 1061 error_f("no session ID in rekex"); 1062 return SSH_ERR_INTERNAL_ERROR; 1063 } 1064 for (i = 0; i < NKEYS; i++) { 1065 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, 1066 shared_secret, &keys[i])) != 0) { 1067 for (j = 0; j < i; j++) 1068 free(keys[j]); 1069 return r; 1070 } 1071 } 1072 for (mode = 0; mode < MODE_MAX; mode++) { 1073 ctos = (!kex->server && mode == MODE_OUT) || 1074 (kex->server && mode == MODE_IN); 1075 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1]; 1076 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3]; 1077 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5]; 1078 } 1079 return 0; 1080 } 1081 1082 int 1083 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp) 1084 { 1085 struct kex *kex = ssh->kex; 1086 1087 *pubp = NULL; 1088 *prvp = NULL; 1089 if (kex->load_host_public_key == NULL || 1090 kex->load_host_private_key == NULL) { 1091 error_f("missing hostkey loader"); 1092 return SSH_ERR_INVALID_ARGUMENT; 1093 } 1094 *pubp = kex->load_host_public_key(kex->hostkey_type, 1095 kex->hostkey_nid, ssh); 1096 *prvp = kex->load_host_private_key(kex->hostkey_type, 1097 kex->hostkey_nid, ssh); 1098 if (*pubp == NULL) 1099 return SSH_ERR_NO_HOSTKEY_LOADED; 1100 return 0; 1101 } 1102 1103 int 1104 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key) 1105 { 1106 struct kex *kex = ssh->kex; 1107 1108 if (kex->verify_host_key == NULL) { 1109 error_f("missing hostkey verifier"); 1110 return SSH_ERR_INVALID_ARGUMENT; 1111 } 1112 if (server_host_key->type != kex->hostkey_type || 1113 (kex->hostkey_type == KEY_ECDSA && 1114 server_host_key->ecdsa_nid != kex->hostkey_nid)) 1115 return SSH_ERR_KEY_TYPE_MISMATCH; 1116 if (kex->verify_host_key(server_host_key, ssh) == -1) 1117 return SSH_ERR_SIGNATURE_INVALID; 1118 return 0; 1119 } 1120 1121 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) 1122 void 1123 dump_digest(const char *msg, const u_char *digest, int len) 1124 { 1125 fprintf(stderr, "%s\n", msg); 1126 sshbuf_dump_data(digest, len, stderr); 1127 } 1128 #endif 1129 1130 /* 1131 * Send a plaintext error message to the peer, suffixed by \r\n. 1132 * Only used during banner exchange, and there only for the server. 1133 */ 1134 static void 1135 send_error(struct ssh *ssh, char *msg) 1136 { 1137 char *crnl = "\r\n"; 1138 1139 if (!ssh->kex->server) 1140 return; 1141 1142 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1143 msg, strlen(msg)) != strlen(msg) || 1144 atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1145 crnl, strlen(crnl)) != strlen(crnl)) 1146 error_f("write: %.100s", strerror(errno)); 1147 } 1148 1149 /* 1150 * Sends our identification string and waits for the peer's. Will block for 1151 * up to timeout_ms (or indefinitely if timeout_ms <= 0). 1152 * Returns on 0 success or a ssherr.h code on failure. 1153 */ 1154 int 1155 kex_exchange_identification(struct ssh *ssh, int timeout_ms, 1156 const char *version_addendum) 1157 { 1158 int remote_major, remote_minor, mismatch, oerrno = 0; 1159 size_t len, i, n; 1160 int r, expect_nl; 1161 u_char c; 1162 struct sshbuf *our_version = ssh->kex->server ? 1163 ssh->kex->server_version : ssh->kex->client_version; 1164 struct sshbuf *peer_version = ssh->kex->server ? 1165 ssh->kex->client_version : ssh->kex->server_version; 1166 char *our_version_string = NULL, *peer_version_string = NULL; 1167 char *cp, *remote_version = NULL; 1168 1169 /* Prepare and send our banner */ 1170 sshbuf_reset(our_version); 1171 if (version_addendum != NULL && *version_addendum == '\0') 1172 version_addendum = NULL; 1173 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", 1174 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, 1175 version_addendum == NULL ? "" : " ", 1176 version_addendum == NULL ? "" : version_addendum)) != 0) { 1177 oerrno = errno; 1178 error_fr(r, "sshbuf_putf"); 1179 goto out; 1180 } 1181 1182 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh), 1183 sshbuf_mutable_ptr(our_version), 1184 sshbuf_len(our_version)) != sshbuf_len(our_version)) { 1185 oerrno = errno; 1186 debug_f("write: %.100s", strerror(errno)); 1187 r = SSH_ERR_SYSTEM_ERROR; 1188 goto out; 1189 } 1190 if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */ 1191 oerrno = errno; 1192 error_fr(r, "sshbuf_consume_end"); 1193 goto out; 1194 } 1195 our_version_string = sshbuf_dup_string(our_version); 1196 if (our_version_string == NULL) { 1197 error_f("sshbuf_dup_string failed"); 1198 r = SSH_ERR_ALLOC_FAIL; 1199 goto out; 1200 } 1201 debug("Local version string %.100s", our_version_string); 1202 1203 /* Read other side's version identification. */ 1204 for (n = 0; ; n++) { 1205 if (n >= SSH_MAX_PRE_BANNER_LINES) { 1206 send_error(ssh, "No SSH identification string " 1207 "received."); 1208 error_f("No SSH version received in first %u lines " 1209 "from server", SSH_MAX_PRE_BANNER_LINES); 1210 r = SSH_ERR_INVALID_FORMAT; 1211 goto out; 1212 } 1213 sshbuf_reset(peer_version); 1214 expect_nl = 0; 1215 for (i = 0; ; i++) { 1216 if (timeout_ms > 0) { 1217 r = waitrfd(ssh_packet_get_connection_in(ssh), 1218 &timeout_ms); 1219 if (r == -1 && errno == ETIMEDOUT) { 1220 send_error(ssh, "Timed out waiting " 1221 "for SSH identification string."); 1222 error("Connection timed out during " 1223 "banner exchange"); 1224 r = SSH_ERR_CONN_TIMEOUT; 1225 goto out; 1226 } else if (r == -1) { 1227 oerrno = errno; 1228 error_f("%s", strerror(errno)); 1229 r = SSH_ERR_SYSTEM_ERROR; 1230 goto out; 1231 } 1232 } 1233 1234 len = atomicio(read, ssh_packet_get_connection_in(ssh), 1235 &c, 1); 1236 if (len != 1 && errno == EPIPE) { 1237 error_f("Connection closed by remote host"); 1238 r = SSH_ERR_CONN_CLOSED; 1239 goto out; 1240 } else if (len != 1) { 1241 oerrno = errno; 1242 error_f("read: %.100s", strerror(errno)); 1243 r = SSH_ERR_SYSTEM_ERROR; 1244 goto out; 1245 } 1246 if (c == '\r') { 1247 expect_nl = 1; 1248 continue; 1249 } 1250 if (c == '\n') 1251 break; 1252 if (c == '\0' || expect_nl) { 1253 error_f("banner line contains invalid " 1254 "characters"); 1255 goto invalid; 1256 } 1257 if ((r = sshbuf_put_u8(peer_version, c)) != 0) { 1258 oerrno = errno; 1259 error_fr(r, "sshbuf_put"); 1260 goto out; 1261 } 1262 if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) { 1263 error_f("banner line too long"); 1264 goto invalid; 1265 } 1266 } 1267 /* Is this an actual protocol banner? */ 1268 if (sshbuf_len(peer_version) > 4 && 1269 memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0) 1270 break; 1271 /* If not, then just log the line and continue */ 1272 if ((cp = sshbuf_dup_string(peer_version)) == NULL) { 1273 error_f("sshbuf_dup_string failed"); 1274 r = SSH_ERR_ALLOC_FAIL; 1275 goto out; 1276 } 1277 /* Do not accept lines before the SSH ident from a client */ 1278 if (ssh->kex->server) { 1279 error_f("client sent invalid protocol identifier " 1280 "\"%.256s\"", cp); 1281 free(cp); 1282 goto invalid; 1283 } 1284 debug_f("banner line %zu: %s", n, cp); 1285 free(cp); 1286 } 1287 peer_version_string = sshbuf_dup_string(peer_version); 1288 if (peer_version_string == NULL) 1289 error_f("sshbuf_dup_string failed"); 1290 /* XXX must be same size for sscanf */ 1291 if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) { 1292 error_f("calloc failed"); 1293 r = SSH_ERR_ALLOC_FAIL; 1294 goto out; 1295 } 1296 1297 /* 1298 * Check that the versions match. In future this might accept 1299 * several versions and set appropriate flags to handle them. 1300 */ 1301 if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n", 1302 &remote_major, &remote_minor, remote_version) != 3) { 1303 error("Bad remote protocol version identification: '%.100s'", 1304 peer_version_string); 1305 invalid: 1306 send_error(ssh, "Invalid SSH identification string."); 1307 r = SSH_ERR_INVALID_FORMAT; 1308 goto out; 1309 } 1310 debug("Remote protocol version %d.%d, remote software version %.100s", 1311 remote_major, remote_minor, remote_version); 1312 compat_banner(ssh, remote_version); 1313 1314 mismatch = 0; 1315 switch (remote_major) { 1316 case 2: 1317 break; 1318 case 1: 1319 if (remote_minor != 99) 1320 mismatch = 1; 1321 break; 1322 default: 1323 mismatch = 1; 1324 break; 1325 } 1326 if (mismatch) { 1327 error("Protocol major versions differ: %d vs. %d", 1328 PROTOCOL_MAJOR_2, remote_major); 1329 send_error(ssh, "Protocol major versions differ."); 1330 r = SSH_ERR_NO_PROTOCOL_VERSION; 1331 goto out; 1332 } 1333 1334 if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) { 1335 logit("probed from %s port %d with %s. Don't panic.", 1336 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 1337 peer_version_string); 1338 r = SSH_ERR_CONN_CLOSED; /* XXX */ 1339 goto out; 1340 } 1341 if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) { 1342 logit("scanned from %s port %d with %s. Don't panic.", 1343 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 1344 peer_version_string); 1345 r = SSH_ERR_CONN_CLOSED; /* XXX */ 1346 goto out; 1347 } 1348 if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) { 1349 logit("Remote version \"%.100s\" uses unsafe RSA signature " 1350 "scheme; disabling use of RSA keys", remote_version); 1351 } 1352 /* success */ 1353 r = 0; 1354 out: 1355 free(our_version_string); 1356 free(peer_version_string); 1357 free(remote_version); 1358 if (r == SSH_ERR_SYSTEM_ERROR) 1359 errno = oerrno; 1360 return r; 1361 } 1362 1363