1 /* $OpenBSD: ssh_api.c,v 1.19 2019/10/31 21:23:19 djm Exp $ */ 2 /* 3 * Copyright (c) 2012 Markus Friedl. All rights reserved. 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <sys/types.h> 19 20 #include <stdio.h> 21 #include <stdlib.h> 22 23 #include "ssh_api.h" 24 #include "compat.h" 25 #include "log.h" 26 #include "authfile.h" 27 #include "sshkey.h" 28 #include "misc.h" 29 #include "ssh2.h" 30 #include "version.h" 31 #include "myproposal.h" 32 #include "ssherr.h" 33 #include "sshbuf.h" 34 35 #include <string.h> 36 37 int _ssh_exchange_banner(struct ssh *); 38 int _ssh_send_banner(struct ssh *, struct sshbuf *); 39 int _ssh_read_banner(struct ssh *, struct sshbuf *); 40 int _ssh_order_hostkeyalgs(struct ssh *); 41 int _ssh_verify_host_key(struct sshkey *, struct ssh *); 42 struct sshkey *_ssh_host_public_key(int, int, struct ssh *); 43 struct sshkey *_ssh_host_private_key(int, int, struct ssh *); 44 int _ssh_host_key_sign(struct ssh *, struct sshkey *, struct sshkey *, 45 u_char **, size_t *, const u_char *, size_t, const char *); 46 47 /* 48 * stubs for the server side implementation of kex. 49 * disable privsep so our stubs will never be called. 50 */ 51 int use_privsep = 0; 52 int mm_sshkey_sign(struct sshkey *, u_char **, u_int *, 53 const u_char *, u_int, const char *, const char *, u_int); 54 55 #ifdef WITH_OPENSSL 56 DH *mm_choose_dh(int, int, int); 57 #endif 58 59 /* Define these two variables here so that they are part of the library */ 60 u_char *session_id2 = NULL; 61 u_int session_id2_len = 0; 62 63 int 64 mm_sshkey_sign(struct sshkey *key, u_char **sigp, u_int *lenp, 65 const u_char *data, u_int datalen, const char *alg, const char *sk_provider, 66 u_int compat) 67 { 68 return (-1); 69 } 70 71 #ifdef WITH_OPENSSL 72 DH * 73 mm_choose_dh(int min, int nbits, int max) 74 { 75 return (NULL); 76 } 77 #endif 78 79 /* API */ 80 81 int 82 ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params) 83 { 84 char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; 85 struct ssh *ssh; 86 char **proposal; 87 static int called; 88 int r; 89 90 if (!called) { 91 #ifdef WITH_OPENSSL 92 OpenSSL_add_all_algorithms(); 93 #endif 94 called = 1; 95 } 96 97 if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL) 98 return SSH_ERR_ALLOC_FAIL; 99 if (is_server) 100 ssh_packet_set_server(ssh); 101 102 /* Initialize key exchange */ 103 proposal = kex_params ? kex_params->proposal : myproposal; 104 if ((r = kex_ready(ssh, proposal)) != 0) { 105 ssh_free(ssh); 106 return r; 107 } 108 ssh->kex->server = is_server; 109 if (is_server) { 110 #ifdef WITH_OPENSSL 111 ssh->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server; 112 ssh->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server; 113 ssh->kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_server; 114 ssh->kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_server; 115 ssh->kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_server; 116 ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 117 ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 118 ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_server; 119 #endif /* WITH_OPENSSL */ 120 ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_server; 121 ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; 122 ssh->kex->load_host_public_key=&_ssh_host_public_key; 123 ssh->kex->load_host_private_key=&_ssh_host_private_key; 124 ssh->kex->sign=&_ssh_host_key_sign; 125 } else { 126 #ifdef WITH_OPENSSL 127 ssh->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_client; 128 ssh->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_client; 129 ssh->kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_client; 130 ssh->kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_client; 131 ssh->kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_client; 132 ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 133 ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 134 ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; 135 #endif /* WITH_OPENSSL */ 136 ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; 137 ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client; 138 ssh->kex->verify_host_key =&_ssh_verify_host_key; 139 } 140 *sshp = ssh; 141 return 0; 142 } 143 144 void 145 ssh_free(struct ssh *ssh) 146 { 147 struct key_entry *k; 148 149 ssh_packet_close(ssh); 150 /* 151 * we've only created the public keys variants in case we 152 * are a acting as a server. 153 */ 154 while ((k = TAILQ_FIRST(&ssh->public_keys)) != NULL) { 155 TAILQ_REMOVE(&ssh->public_keys, k, next); 156 if (ssh->kex && ssh->kex->server) 157 sshkey_free(k->key); 158 free(k); 159 } 160 while ((k = TAILQ_FIRST(&ssh->private_keys)) != NULL) { 161 TAILQ_REMOVE(&ssh->private_keys, k, next); 162 free(k); 163 } 164 if (ssh->kex) 165 kex_free(ssh->kex); 166 free(ssh); 167 } 168 169 void 170 ssh_set_app_data(struct ssh *ssh, void *app_data) 171 { 172 ssh->app_data = app_data; 173 } 174 175 void * 176 ssh_get_app_data(struct ssh *ssh) 177 { 178 return ssh->app_data; 179 } 180 181 /* Returns < 0 on error, 0 otherwise */ 182 int 183 ssh_add_hostkey(struct ssh *ssh, struct sshkey *key) 184 { 185 struct sshkey *pubkey = NULL; 186 struct key_entry *k = NULL, *k_prv = NULL; 187 int r; 188 189 if (ssh->kex->server) { 190 if ((r = sshkey_from_private(key, &pubkey)) != 0) 191 return r; 192 if ((k = malloc(sizeof(*k))) == NULL || 193 (k_prv = malloc(sizeof(*k_prv))) == NULL) { 194 free(k); 195 sshkey_free(pubkey); 196 return SSH_ERR_ALLOC_FAIL; 197 } 198 k_prv->key = key; 199 TAILQ_INSERT_TAIL(&ssh->private_keys, k_prv, next); 200 201 /* add the public key, too */ 202 k->key = pubkey; 203 TAILQ_INSERT_TAIL(&ssh->public_keys, k, next); 204 r = 0; 205 } else { 206 if ((k = malloc(sizeof(*k))) == NULL) 207 return SSH_ERR_ALLOC_FAIL; 208 k->key = key; 209 TAILQ_INSERT_TAIL(&ssh->public_keys, k, next); 210 r = 0; 211 } 212 213 return r; 214 } 215 216 int 217 ssh_set_verify_host_key_callback(struct ssh *ssh, 218 int (*cb)(struct sshkey *, struct ssh *)) 219 { 220 if (cb == NULL || ssh->kex == NULL) 221 return SSH_ERR_INVALID_ARGUMENT; 222 223 ssh->kex->verify_host_key = cb; 224 225 return 0; 226 } 227 228 int 229 ssh_input_append(struct ssh *ssh, const u_char *data, size_t len) 230 { 231 return sshbuf_put(ssh_packet_get_input(ssh), data, len); 232 } 233 234 int 235 ssh_packet_next(struct ssh *ssh, u_char *typep) 236 { 237 int r; 238 u_int32_t seqnr; 239 u_char type; 240 241 /* 242 * Try to read a packet. Return SSH_MSG_NONE if no packet or not 243 * enough data. 244 */ 245 *typep = SSH_MSG_NONE; 246 if (sshbuf_len(ssh->kex->client_version) == 0 || 247 sshbuf_len(ssh->kex->server_version) == 0) 248 return _ssh_exchange_banner(ssh); 249 /* 250 * If we enough data and a dispatch function then 251 * call the function and get the next packet. 252 * Otherwise return the packet type to the caller so it 253 * can decide how to go on. 254 * 255 * We will only call the dispatch function for: 256 * 20-29 Algorithm negotiation 257 * 30-49 Key exchange method specific (numbers can be reused for 258 * different authentication methods) 259 */ 260 for (;;) { 261 if ((r = ssh_packet_read_poll2(ssh, &type, &seqnr)) != 0) 262 return r; 263 if (type > 0 && type < DISPATCH_MAX && 264 type >= SSH2_MSG_KEXINIT && type <= SSH2_MSG_TRANSPORT_MAX && 265 ssh->dispatch[type] != NULL) { 266 if ((r = (*ssh->dispatch[type])(type, seqnr, ssh)) != 0) 267 return r; 268 } else { 269 *typep = type; 270 return 0; 271 } 272 } 273 } 274 275 const u_char * 276 ssh_packet_payload(struct ssh *ssh, size_t *lenp) 277 { 278 return sshpkt_ptr(ssh, lenp); 279 } 280 281 int 282 ssh_packet_put(struct ssh *ssh, int type, const u_char *data, size_t len) 283 { 284 int r; 285 286 if ((r = sshpkt_start(ssh, type)) != 0 || 287 (r = sshpkt_put(ssh, data, len)) != 0 || 288 (r = sshpkt_send(ssh)) != 0) 289 return r; 290 return 0; 291 } 292 293 const u_char * 294 ssh_output_ptr(struct ssh *ssh, size_t *len) 295 { 296 struct sshbuf *output = ssh_packet_get_output(ssh); 297 298 *len = sshbuf_len(output); 299 return sshbuf_ptr(output); 300 } 301 302 int 303 ssh_output_consume(struct ssh *ssh, size_t len) 304 { 305 return sshbuf_consume(ssh_packet_get_output(ssh), len); 306 } 307 308 int 309 ssh_output_space(struct ssh *ssh, size_t len) 310 { 311 return (0 == sshbuf_check_reserve(ssh_packet_get_output(ssh), len)); 312 } 313 314 int 315 ssh_input_space(struct ssh *ssh, size_t len) 316 { 317 return (0 == sshbuf_check_reserve(ssh_packet_get_input(ssh), len)); 318 } 319 320 /* Read other side's version identification. */ 321 int 322 _ssh_read_banner(struct ssh *ssh, struct sshbuf *banner) 323 { 324 struct sshbuf *input = ssh_packet_get_input(ssh); 325 const char *mismatch = "Protocol mismatch.\r\n"; 326 const u_char *s = sshbuf_ptr(input); 327 u_char c; 328 char *cp = NULL, *remote_version = NULL; 329 int r = 0, remote_major, remote_minor, expect_nl; 330 size_t n, j; 331 332 for (j = n = 0;;) { 333 sshbuf_reset(banner); 334 expect_nl = 0; 335 for (;;) { 336 if (j >= sshbuf_len(input)) 337 return 0; /* insufficient data in input buf */ 338 c = s[j++]; 339 if (c == '\r') { 340 expect_nl = 1; 341 continue; 342 } 343 if (c == '\n') 344 break; 345 if (expect_nl) 346 goto bad; 347 if ((r = sshbuf_put_u8(banner, c)) != 0) 348 return r; 349 if (sshbuf_len(banner) > SSH_MAX_BANNER_LEN) 350 goto bad; 351 } 352 if (sshbuf_len(banner) >= 4 && 353 memcmp(sshbuf_ptr(banner), "SSH-", 4) == 0) 354 break; 355 debug("%s: %.*s", __func__, (int)sshbuf_len(banner), 356 sshbuf_ptr(banner)); 357 /* Accept lines before banner only on client */ 358 if (ssh->kex->server || ++n > SSH_MAX_PRE_BANNER_LINES) { 359 bad: 360 if ((r = sshbuf_put(ssh_packet_get_output(ssh), 361 mismatch, strlen(mismatch))) != 0) 362 return r; 363 return SSH_ERR_NO_PROTOCOL_VERSION; 364 } 365 } 366 if ((r = sshbuf_consume(input, j)) != 0) 367 return r; 368 369 /* XXX remote version must be the same size as banner for sscanf */ 370 if ((cp = sshbuf_dup_string(banner)) == NULL || 371 (remote_version = calloc(1, sshbuf_len(banner))) == NULL) { 372 r = SSH_ERR_ALLOC_FAIL; 373 goto out; 374 } 375 376 /* 377 * Check that the versions match. In future this might accept 378 * several versions and set appropriate flags to handle them. 379 */ 380 if (sscanf(cp, "SSH-%d.%d-%[^\n]\n", 381 &remote_major, &remote_minor, remote_version) != 3) { 382 r = SSH_ERR_INVALID_FORMAT; 383 goto out; 384 } 385 debug("Remote protocol version %d.%d, remote software version %.100s", 386 remote_major, remote_minor, remote_version); 387 388 ssh->compat = compat_datafellows(remote_version); 389 if (remote_major == 1 && remote_minor == 99) { 390 remote_major = 2; 391 remote_minor = 0; 392 } 393 if (remote_major != 2) 394 r = SSH_ERR_PROTOCOL_MISMATCH; 395 396 debug("Remote version string %.100s", cp); 397 out: 398 free(cp); 399 free(remote_version); 400 return r; 401 } 402 403 /* Send our own protocol version identification. */ 404 int 405 _ssh_send_banner(struct ssh *ssh, struct sshbuf *banner) 406 { 407 char *cp; 408 int r; 409 410 if ((r = sshbuf_putf(banner, "SSH-2.0-%.100s\r\n", SSH_VERSION)) != 0) 411 return r; 412 if ((r = sshbuf_putb(ssh_packet_get_output(ssh), banner)) != 0) 413 return r; 414 /* Remove trailing \r\n */ 415 if ((r = sshbuf_consume_end(banner, 2)) != 0) 416 return r; 417 if ((cp = sshbuf_dup_string(banner)) == NULL) 418 return SSH_ERR_ALLOC_FAIL; 419 debug("Local version string %.100s", cp); 420 free(cp); 421 return 0; 422 } 423 424 int 425 _ssh_exchange_banner(struct ssh *ssh) 426 { 427 struct kex *kex = ssh->kex; 428 int r; 429 430 /* 431 * if _ssh_read_banner() cannot parse a full version string 432 * it will return NULL and we end up calling it again. 433 */ 434 435 r = 0; 436 if (kex->server) { 437 if (sshbuf_len(ssh->kex->server_version) == 0) 438 r = _ssh_send_banner(ssh, ssh->kex->server_version); 439 if (r == 0 && 440 sshbuf_len(ssh->kex->server_version) != 0 && 441 sshbuf_len(ssh->kex->client_version) == 0) 442 r = _ssh_read_banner(ssh, ssh->kex->client_version); 443 } else { 444 if (sshbuf_len(ssh->kex->server_version) == 0) 445 r = _ssh_read_banner(ssh, ssh->kex->server_version); 446 if (r == 0 && 447 sshbuf_len(ssh->kex->server_version) != 0 && 448 sshbuf_len(ssh->kex->client_version) == 0) 449 r = _ssh_send_banner(ssh, ssh->kex->client_version); 450 } 451 if (r != 0) 452 return r; 453 /* start initial kex as soon as we have exchanged the banners */ 454 if (sshbuf_len(ssh->kex->server_version) != 0 && 455 sshbuf_len(ssh->kex->client_version) != 0) { 456 if ((r = _ssh_order_hostkeyalgs(ssh)) != 0 || 457 (r = kex_send_kexinit(ssh)) != 0) 458 return r; 459 } 460 return 0; 461 } 462 463 struct sshkey * 464 _ssh_host_public_key(int type, int nid, struct ssh *ssh) 465 { 466 struct key_entry *k; 467 468 debug3("%s: need %d", __func__, type); 469 TAILQ_FOREACH(k, &ssh->public_keys, next) { 470 debug3("%s: check %s", __func__, sshkey_type(k->key)); 471 if (k->key->type == type && 472 (type != KEY_ECDSA || k->key->ecdsa_nid == nid)) 473 return (k->key); 474 } 475 return (NULL); 476 } 477 478 struct sshkey * 479 _ssh_host_private_key(int type, int nid, struct ssh *ssh) 480 { 481 struct key_entry *k; 482 483 debug3("%s: need %d", __func__, type); 484 TAILQ_FOREACH(k, &ssh->private_keys, next) { 485 debug3("%s: check %s", __func__, sshkey_type(k->key)); 486 if (k->key->type == type && 487 (type != KEY_ECDSA || k->key->ecdsa_nid == nid)) 488 return (k->key); 489 } 490 return (NULL); 491 } 492 493 int 494 _ssh_verify_host_key(struct sshkey *hostkey, struct ssh *ssh) 495 { 496 struct key_entry *k; 497 498 debug3("%s: need %s", __func__, sshkey_type(hostkey)); 499 TAILQ_FOREACH(k, &ssh->public_keys, next) { 500 debug3("%s: check %s", __func__, sshkey_type(k->key)); 501 if (sshkey_equal_public(hostkey, k->key)) 502 return (0); /* ok */ 503 } 504 return (-1); /* failed */ 505 } 506 507 /* offer hostkey algorithms in kexinit depending on registered keys */ 508 int 509 _ssh_order_hostkeyalgs(struct ssh *ssh) 510 { 511 struct key_entry *k; 512 char *orig, *avail, *oavail = NULL, *alg, *replace = NULL; 513 char **proposal; 514 size_t maxlen; 515 int ktype, r; 516 517 /* XXX we de-serialize ssh->kex->my, modify it, and change it */ 518 if ((r = kex_buf2prop(ssh->kex->my, NULL, &proposal)) != 0) 519 return r; 520 orig = proposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; 521 if ((oavail = avail = strdup(orig)) == NULL) { 522 r = SSH_ERR_ALLOC_FAIL; 523 goto out; 524 } 525 maxlen = strlen(avail) + 1; 526 if ((replace = calloc(1, maxlen)) == NULL) { 527 r = SSH_ERR_ALLOC_FAIL; 528 goto out; 529 } 530 *replace = '\0'; 531 while ((alg = strsep(&avail, ",")) && *alg != '\0') { 532 if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC) 533 continue; 534 TAILQ_FOREACH(k, &ssh->public_keys, next) { 535 if (k->key->type == ktype || 536 (sshkey_is_cert(k->key) && k->key->type == 537 sshkey_type_plain(ktype))) { 538 if (*replace != '\0') 539 strlcat(replace, ",", maxlen); 540 strlcat(replace, alg, maxlen); 541 break; 542 } 543 } 544 } 545 if (*replace != '\0') { 546 debug2("%s: orig/%d %s", __func__, ssh->kex->server, orig); 547 debug2("%s: replace/%d %s", __func__, ssh->kex->server, replace); 548 free(orig); 549 proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = replace; 550 replace = NULL; /* owned by proposal */ 551 r = kex_prop2buf(ssh->kex->my, proposal); 552 } 553 out: 554 free(oavail); 555 free(replace); 556 kex_prop_free(proposal); 557 return r; 558 } 559 560 int 561 _ssh_host_key_sign(struct ssh *ssh, struct sshkey *privkey, 562 struct sshkey *pubkey, u_char **signature, size_t *slen, 563 const u_char *data, size_t dlen, const char *alg) 564 { 565 return sshkey_sign(privkey, signature, slen, data, dlen, 566 alg, NULL, ssh->compat); 567 } 568