1 /* $OpenBSD: kex.c,v 1.158 2020/03/13 04:01:56 djm Exp $ */
2 /*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26 #include "includes.h"
27
28 #include <sys/types.h>
29 #include <errno.h>
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 #ifdef HAVE_POLL_H
37 #include <poll.h>
38 #endif
39
40 #ifdef WITH_OPENSSL
41 #include <openssl/crypto.h>
42 #include <openssl/dh.h>
43 #endif
44
45 #include "ssh.h"
46 #include "ssh2.h"
47 #include "atomicio.h"
48 #include "version.h"
49 #include "packet.h"
50 #include "compat.h"
51 #include "cipher.h"
52 #include "sshkey.h"
53 #include "kex.h"
54 #include "log.h"
55 #include "mac.h"
56 #include "match.h"
57 #include "misc.h"
58 #include "dispatch.h"
59 #include "monitor.h"
60
61 #include "ssherr.h"
62 #include "sshbuf.h"
63 #include "digest.h"
64
65 /* prototype */
66 static int kex_choose_conf(struct ssh *);
67 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
68
69 static const char *proposal_names[PROPOSAL_MAX] = {
70 "KEX algorithms",
71 "host key algorithms",
72 "ciphers ctos",
73 "ciphers stoc",
74 "MACs ctos",
75 "MACs stoc",
76 "compression ctos",
77 "compression stoc",
78 "languages ctos",
79 "languages stoc",
80 };
81
82 struct kexalg {
83 char *name;
84 u_int type;
85 int ec_nid;
86 int hash_alg;
87 };
88 static const struct kexalg kexalgs[] = {
89 #ifdef WITH_OPENSSL
90 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
91 { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
92 { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
93 { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
94 { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
95 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
96 #ifdef HAVE_EVP_SHA256
97 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
98 #endif /* HAVE_EVP_SHA256 */
99 #ifdef OPENSSL_HAS_ECC
100 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
101 NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
102 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
103 SSH_DIGEST_SHA384 },
104 # ifdef OPENSSL_HAS_NISTP521
105 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
106 SSH_DIGEST_SHA512 },
107 # endif /* OPENSSL_HAS_NISTP521 */
108 #endif /* OPENSSL_HAS_ECC */
109 #endif /* WITH_OPENSSL */
110 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
111 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
112 { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
113 { KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0,
114 SSH_DIGEST_SHA512 },
115 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
116 { NULL, 0, -1, -1},
117 };
118
119 char *
kex_alg_list(char sep)120 kex_alg_list(char sep)
121 {
122 char *ret = NULL, *tmp;
123 size_t nlen, rlen = 0;
124 const struct kexalg *k;
125
126 for (k = kexalgs; k->name != NULL; k++) {
127 if (ret != NULL)
128 ret[rlen++] = sep;
129 nlen = strlen(k->name);
130 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
131 free(ret);
132 return NULL;
133 }
134 ret = tmp;
135 memcpy(ret + rlen, k->name, nlen + 1);
136 rlen += nlen;
137 }
138 return ret;
139 }
140
141 static const struct kexalg *
kex_alg_by_name(const char * name)142 kex_alg_by_name(const char *name)
143 {
144 const struct kexalg *k;
145
146 for (k = kexalgs; k->name != NULL; k++) {
147 if (strcmp(k->name, name) == 0)
148 return k;
149 }
150 return NULL;
151 }
152
153 /* Validate KEX method name list */
154 int
kex_names_valid(const char * names)155 kex_names_valid(const char *names)
156 {
157 char *s, *cp, *p;
158
159 if (names == NULL || strcmp(names, "") == 0)
160 return 0;
161 if ((s = cp = strdup(names)) == NULL)
162 return 0;
163 for ((p = strsep(&cp, ",")); p && *p != '\0';
164 (p = strsep(&cp, ","))) {
165 if (kex_alg_by_name(p) == NULL) {
166 error("Unsupported KEX algorithm \"%.100s\"", p);
167 free(s);
168 return 0;
169 }
170 }
171 debug3("kex names ok: [%s]", names);
172 free(s);
173 return 1;
174 }
175
176 /*
177 * Concatenate algorithm names, avoiding duplicates in the process.
178 * Caller must free returned string.
179 */
180 char *
kex_names_cat(const char * a,const char * b)181 kex_names_cat(const char *a, const char *b)
182 {
183 char *ret = NULL, *tmp = NULL, *cp, *p, *m;
184 size_t len;
185
186 if (a == NULL || *a == '\0')
187 return strdup(b);
188 if (b == NULL || *b == '\0')
189 return strdup(a);
190 if (strlen(b) > 1024*1024)
191 return NULL;
192 len = strlen(a) + strlen(b) + 2;
193 if ((tmp = cp = strdup(b)) == NULL ||
194 (ret = calloc(1, len)) == NULL) {
195 free(tmp);
196 return NULL;
197 }
198 strlcpy(ret, a, len);
199 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
200 if ((m = match_list(ret, p, NULL)) != NULL) {
201 free(m);
202 continue; /* Algorithm already present */
203 }
204 if (strlcat(ret, ",", len) >= len ||
205 strlcat(ret, p, len) >= len) {
206 free(tmp);
207 free(ret);
208 return NULL; /* Shouldn't happen */
209 }
210 }
211 free(tmp);
212 return ret;
213 }
214
215 /*
216 * Assemble a list of algorithms from a default list and a string from a
217 * configuration file. The user-provided string may begin with '+' to
218 * indicate that it should be appended to the default, '-' that the
219 * specified names should be removed, or '^' that they should be placed
220 * at the head.
221 */
222 int
kex_assemble_names(char ** listp,const char * def,const char * all)223 kex_assemble_names(char **listp, const char *def, const char *all)
224 {
225 char *cp, *tmp, *patterns;
226 char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
227 int r = SSH_ERR_INTERNAL_ERROR;
228
229 if (listp == NULL || def == NULL || all == NULL)
230 return SSH_ERR_INVALID_ARGUMENT;
231
232 if (*listp == NULL || **listp == '\0') {
233 if ((*listp = strdup(def)) == NULL)
234 return SSH_ERR_ALLOC_FAIL;
235 return 0;
236 }
237
238 list = *listp;
239 *listp = NULL;
240 if (*list == '+') {
241 /* Append names to default list */
242 if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
243 r = SSH_ERR_ALLOC_FAIL;
244 goto fail;
245 }
246 free(list);
247 list = tmp;
248 } else if (*list == '-') {
249 /* Remove names from default list */
250 if ((*listp = match_filter_blacklist(def, list + 1)) == NULL) {
251 r = SSH_ERR_ALLOC_FAIL;
252 goto fail;
253 }
254 free(list);
255 /* filtering has already been done */
256 return 0;
257 } else if (*list == '^') {
258 /* Place names at head of default list */
259 if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
260 r = SSH_ERR_ALLOC_FAIL;
261 goto fail;
262 }
263 free(list);
264 list = tmp;
265 } else {
266 /* Explicit list, overrides default - just use "list" as is */
267 }
268
269 /*
270 * The supplied names may be a pattern-list. For the -list case,
271 * the patterns are applied above. For the +list and explicit list
272 * cases we need to do it now.
273 */
274 ret = NULL;
275 if ((patterns = opatterns = strdup(list)) == NULL) {
276 r = SSH_ERR_ALLOC_FAIL;
277 goto fail;
278 }
279 /* Apply positive (i.e. non-negated) patterns from the list */
280 while ((cp = strsep(&patterns, ",")) != NULL) {
281 if (*cp == '!') {
282 /* negated matches are not supported here */
283 r = SSH_ERR_INVALID_ARGUMENT;
284 goto fail;
285 }
286 free(matching);
287 if ((matching = match_filter_whitelist(all, cp)) == NULL) {
288 r = SSH_ERR_ALLOC_FAIL;
289 goto fail;
290 }
291 if ((tmp = kex_names_cat(ret, matching)) == NULL) {
292 r = SSH_ERR_ALLOC_FAIL;
293 goto fail;
294 }
295 free(ret);
296 ret = tmp;
297 }
298 if (ret == NULL || *ret == '\0') {
299 /* An empty name-list is an error */
300 /* XXX better error code? */
301 r = SSH_ERR_INVALID_ARGUMENT;
302 goto fail;
303 }
304
305 /* success */
306 *listp = ret;
307 ret = NULL;
308 r = 0;
309
310 fail:
311 free(matching);
312 free(opatterns);
313 free(list);
314 free(ret);
315 return r;
316 }
317
318 /* put algorithm proposal into buffer */
319 int
kex_prop2buf(struct sshbuf * b,char * proposal[PROPOSAL_MAX])320 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
321 {
322 u_int i;
323 int r;
324
325 sshbuf_reset(b);
326
327 /*
328 * add a dummy cookie, the cookie will be overwritten by
329 * kex_send_kexinit(), each time a kexinit is set
330 */
331 for (i = 0; i < KEX_COOKIE_LEN; i++) {
332 if ((r = sshbuf_put_u8(b, 0)) != 0)
333 return r;
334 }
335 for (i = 0; i < PROPOSAL_MAX; i++) {
336 if ((r = sshbuf_put_cstring(b, proposal[i])) != 0)
337 return r;
338 }
339 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* first_kex_packet_follows */
340 (r = sshbuf_put_u32(b, 0)) != 0) /* uint32 reserved */
341 return r;
342 return 0;
343 }
344
345 /* parse buffer and return algorithm proposal */
346 int
kex_buf2prop(struct sshbuf * raw,int * first_kex_follows,char *** propp)347 kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
348 {
349 struct sshbuf *b = NULL;
350 u_char v;
351 u_int i;
352 char **proposal = NULL;
353 int r;
354
355 *propp = NULL;
356 if ((proposal = calloc(PROPOSAL_MAX, sizeof(char *))) == NULL)
357 return SSH_ERR_ALLOC_FAIL;
358 if ((b = sshbuf_fromb(raw)) == NULL) {
359 r = SSH_ERR_ALLOC_FAIL;
360 goto out;
361 }
362 if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */
363 error("%s: consume cookie: %s", __func__, ssh_err(r));
364 goto out;
365 }
366 /* extract kex init proposal strings */
367 for (i = 0; i < PROPOSAL_MAX; i++) {
368 if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) {
369 error("%s: parse proposal %u: %s", __func__,
370 i, ssh_err(r));
371 goto out;
372 }
373 debug2("%s: %s", proposal_names[i], proposal[i]);
374 }
375 /* first kex follows / reserved */
376 if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */
377 (r = sshbuf_get_u32(b, &i)) != 0) { /* reserved */
378 error("%s: parse: %s", __func__, ssh_err(r));
379 goto out;
380 }
381 if (first_kex_follows != NULL)
382 *first_kex_follows = v;
383 debug2("first_kex_follows %d ", v);
384 debug2("reserved %u ", i);
385 r = 0;
386 *propp = proposal;
387 out:
388 if (r != 0 && proposal != NULL)
389 kex_prop_free(proposal);
390 sshbuf_free(b);
391 return r;
392 }
393
394 void
kex_prop_free(char ** proposal)395 kex_prop_free(char **proposal)
396 {
397 u_int i;
398
399 if (proposal == NULL)
400 return;
401 for (i = 0; i < PROPOSAL_MAX; i++)
402 free(proposal[i]);
403 free(proposal);
404 }
405
406 /* ARGSUSED */
407 static int
kex_protocol_error(int type,u_int32_t seq,struct ssh * ssh)408 kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
409 {
410 int r;
411
412 error("kex protocol error: type %d seq %u", type, seq);
413 if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
414 (r = sshpkt_put_u32(ssh, seq)) != 0 ||
415 (r = sshpkt_send(ssh)) != 0)
416 return r;
417 return 0;
418 }
419
420 static void
kex_reset_dispatch(struct ssh * ssh)421 kex_reset_dispatch(struct ssh *ssh)
422 {
423 ssh_dispatch_range(ssh, SSH2_MSG_TRANSPORT_MIN,
424 SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
425 }
426
427 static int
kex_send_ext_info(struct ssh * ssh)428 kex_send_ext_info(struct ssh *ssh)
429 {
430 int r;
431 char *algs;
432
433 debug("Sending SSH2_MSG_EXT_INFO");
434 if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
435 return SSH_ERR_ALLOC_FAIL;
436 /* XXX filter algs list by allowed pubkey/hostbased types */
437 if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
438 (r = sshpkt_put_u32(ssh, 1)) != 0 ||
439 (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
440 (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
441 (r = sshpkt_send(ssh)) != 0) {
442 error("%s: compose: %s", __func__, ssh_err(r));
443 goto out;
444 }
445 /* success */
446 r = 0;
447 out:
448 free(algs);
449 return r;
450 }
451
452 int
kex_send_newkeys(struct ssh * ssh)453 kex_send_newkeys(struct ssh *ssh)
454 {
455 int r;
456
457 kex_reset_dispatch(ssh);
458 if ((r = sshpkt_start(ssh, SSH2_MSG_NEWKEYS)) != 0 ||
459 (r = sshpkt_send(ssh)) != 0)
460 return r;
461 debug("SSH2_MSG_NEWKEYS sent");
462 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
463 if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
464 if ((r = kex_send_ext_info(ssh)) != 0)
465 return r;
466 debug("expecting SSH2_MSG_NEWKEYS");
467 return 0;
468 }
469
470 int
kex_input_ext_info(int type,u_int32_t seq,struct ssh * ssh)471 kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
472 {
473 struct kex *kex = ssh->kex;
474 u_int32_t i, ninfo;
475 char *name;
476 u_char *val;
477 size_t vlen;
478 int r;
479
480 debug("SSH2_MSG_EXT_INFO received");
481 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
482 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
483 return r;
484 for (i = 0; i < ninfo; i++) {
485 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
486 return r;
487 if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) {
488 free(name);
489 return r;
490 }
491 if (strcmp(name, "server-sig-algs") == 0) {
492 /* Ensure no \0 lurking in value */
493 if (memchr(val, '\0', vlen) != NULL) {
494 error("%s: nul byte in %s", __func__, name);
495 return SSH_ERR_INVALID_FORMAT;
496 }
497 debug("%s: %s=<%s>", __func__, name, val);
498 kex->server_sig_algs = val;
499 val = NULL;
500 } else
501 debug("%s: %s (unrecognised)", __func__, name);
502 free(name);
503 free(val);
504 }
505 return sshpkt_get_end(ssh);
506 }
507
508 static int
kex_input_newkeys(int type,u_int32_t seq,struct ssh * ssh)509 kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
510 {
511 struct kex *kex = ssh->kex;
512 int r;
513
514 debug("SSH2_MSG_NEWKEYS received");
515 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
516 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
517 if ((r = sshpkt_get_end(ssh)) != 0)
518 return r;
519 if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
520 return r;
521 kex->done = 1;
522 kex->flags &= ~KEX_INITIAL;
523 sshbuf_reset(kex->peer);
524 /* sshbuf_reset(kex->my); */
525 kex->flags &= ~KEX_INIT_SENT;
526 free(kex->name);
527 kex->name = NULL;
528 return 0;
529 }
530
531 int
kex_send_kexinit(struct ssh * ssh)532 kex_send_kexinit(struct ssh *ssh)
533 {
534 u_char *cookie;
535 struct kex *kex = ssh->kex;
536 int r;
537
538 if (kex == NULL) {
539 error("%s: no hex", __func__);
540 return SSH_ERR_INTERNAL_ERROR;
541 }
542 if (kex->flags & KEX_INIT_SENT)
543 return 0;
544 kex->done = 0;
545
546 /* generate a random cookie */
547 if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) {
548 error("%s: bad kex length: %zu < %d", __func__,
549 sshbuf_len(kex->my), KEX_COOKIE_LEN);
550 return SSH_ERR_INVALID_FORMAT;
551 }
552 if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) {
553 error("%s: buffer error", __func__);
554 return SSH_ERR_INTERNAL_ERROR;
555 }
556 arc4random_buf(cookie, KEX_COOKIE_LEN);
557
558 if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 ||
559 (r = sshpkt_putb(ssh, kex->my)) != 0 ||
560 (r = sshpkt_send(ssh)) != 0) {
561 error("%s: compose reply: %s", __func__, ssh_err(r));
562 return r;
563 }
564 debug("SSH2_MSG_KEXINIT sent");
565 kex->flags |= KEX_INIT_SENT;
566 return 0;
567 }
568
569 /* ARGSUSED */
570 int
kex_input_kexinit(int type,u_int32_t seq,struct ssh * ssh)571 kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
572 {
573 struct kex *kex = ssh->kex;
574 const u_char *ptr;
575 u_int i;
576 size_t dlen;
577 int r;
578
579 debug("SSH2_MSG_KEXINIT received");
580 if (kex == NULL) {
581 error("%s: no hex", __func__);
582 return SSH_ERR_INTERNAL_ERROR;
583 }
584 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
585 ptr = sshpkt_ptr(ssh, &dlen);
586 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
587 return r;
588
589 /* discard packet */
590 for (i = 0; i < KEX_COOKIE_LEN; i++) {
591 if ((r = sshpkt_get_u8(ssh, NULL)) != 0) {
592 error("%s: discard cookie: %s", __func__, ssh_err(r));
593 return r;
594 }
595 }
596 for (i = 0; i < PROPOSAL_MAX; i++) {
597 if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
598 error("%s: discard proposal: %s", __func__, ssh_err(r));
599 return r;
600 }
601 }
602 /*
603 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
604 * KEX method has the server move first, but a server might be using
605 * a custom method or one that we otherwise don't support. We should
606 * be prepared to remember first_kex_follows here so we can eat a
607 * packet later.
608 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
609 * for cases where the server *doesn't* go first. I guess we should
610 * ignore it when it is set for these cases, which is what we do now.
611 */
612 if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || /* first_kex_follows */
613 (r = sshpkt_get_u32(ssh, NULL)) != 0 || /* reserved */
614 (r = sshpkt_get_end(ssh)) != 0)
615 return r;
616
617 if (!(kex->flags & KEX_INIT_SENT))
618 if ((r = kex_send_kexinit(ssh)) != 0)
619 return r;
620 if ((r = kex_choose_conf(ssh)) != 0)
621 return r;
622
623 if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
624 return (kex->kex[kex->kex_type])(ssh);
625
626 error("%s: unknown kex type %u", __func__, kex->kex_type);
627 return SSH_ERR_INTERNAL_ERROR;
628 }
629
630 struct kex *
kex_new(void)631 kex_new(void)
632 {
633 struct kex *kex;
634
635 if ((kex = calloc(1, sizeof(*kex))) == NULL ||
636 (kex->peer = sshbuf_new()) == NULL ||
637 (kex->my = sshbuf_new()) == NULL ||
638 (kex->client_version = sshbuf_new()) == NULL ||
639 (kex->server_version = sshbuf_new()) == NULL) {
640 kex_free(kex);
641 return NULL;
642 }
643 return kex;
644 }
645
646 void
kex_free_newkeys(struct newkeys * newkeys)647 kex_free_newkeys(struct newkeys *newkeys)
648 {
649 if (newkeys == NULL)
650 return;
651 if (newkeys->enc.key) {
652 explicit_bzero(newkeys->enc.key, newkeys->enc.key_len);
653 free(newkeys->enc.key);
654 newkeys->enc.key = NULL;
655 }
656 if (newkeys->enc.iv) {
657 explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len);
658 free(newkeys->enc.iv);
659 newkeys->enc.iv = NULL;
660 }
661 free(newkeys->enc.name);
662 explicit_bzero(&newkeys->enc, sizeof(newkeys->enc));
663 free(newkeys->comp.name);
664 explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
665 mac_clear(&newkeys->mac);
666 if (newkeys->mac.key) {
667 explicit_bzero(newkeys->mac.key, newkeys->mac.key_len);
668 free(newkeys->mac.key);
669 newkeys->mac.key = NULL;
670 }
671 free(newkeys->mac.name);
672 explicit_bzero(&newkeys->mac, sizeof(newkeys->mac));
673 freezero(newkeys, sizeof(*newkeys));
674 }
675
676 void
kex_free(struct kex * kex)677 kex_free(struct kex *kex)
678 {
679 u_int mode;
680
681 if (kex == NULL)
682 return;
683
684 #ifdef WITH_OPENSSL
685 DH_free(kex->dh);
686 #ifdef OPENSSL_HAS_ECC
687 EC_KEY_free(kex->ec_client_key);
688 #endif /* OPENSSL_HAS_ECC */
689 #endif /* WITH_OPENSSL */
690 for (mode = 0; mode < MODE_MAX; mode++) {
691 kex_free_newkeys(kex->newkeys[mode]);
692 kex->newkeys[mode] = NULL;
693 }
694 sshbuf_free(kex->peer);
695 sshbuf_free(kex->my);
696 sshbuf_free(kex->client_version);
697 sshbuf_free(kex->server_version);
698 sshbuf_free(kex->client_pub);
699 free(kex->session_id);
700 free(kex->failed_choice);
701 free(kex->hostkey_alg);
702 free(kex->name);
703 free(kex);
704 }
705
706 int
kex_ready(struct ssh * ssh,char * proposal[PROPOSAL_MAX])707 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
708 {
709 int r;
710
711 if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
712 return r;
713 ssh->kex->flags = KEX_INITIAL;
714 kex_reset_dispatch(ssh);
715 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
716 return 0;
717 }
718
719 int
kex_setup(struct ssh * ssh,char * proposal[PROPOSAL_MAX])720 kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
721 {
722 int r;
723
724 if ((r = kex_ready(ssh, proposal)) != 0)
725 return r;
726 if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */
727 kex_free(ssh->kex);
728 ssh->kex = NULL;
729 return r;
730 }
731 return 0;
732 }
733
734 /*
735 * Request key re-exchange, returns 0 on success or a ssherr.h error
736 * code otherwise. Must not be called if KEX is incomplete or in-progress.
737 */
738 int
kex_start_rekex(struct ssh * ssh)739 kex_start_rekex(struct ssh *ssh)
740 {
741 if (ssh->kex == NULL) {
742 error("%s: no kex", __func__);
743 return SSH_ERR_INTERNAL_ERROR;
744 }
745 if (ssh->kex->done == 0) {
746 error("%s: requested twice", __func__);
747 return SSH_ERR_INTERNAL_ERROR;
748 }
749 ssh->kex->done = 0;
750 return kex_send_kexinit(ssh);
751 }
752
753 static int
choose_enc(struct sshenc * enc,char * client,char * server)754 choose_enc(struct sshenc *enc, char *client, char *server)
755 {
756 char *name = match_list(client, server, NULL);
757
758 if (name == NULL)
759 return SSH_ERR_NO_CIPHER_ALG_MATCH;
760 if ((enc->cipher = cipher_by_name(name)) == NULL) {
761 error("%s: unsupported cipher %s", __func__, name);
762 free(name);
763 return SSH_ERR_INTERNAL_ERROR;
764 }
765 enc->name = name;
766 enc->enabled = 0;
767 enc->iv = NULL;
768 enc->iv_len = cipher_ivlen(enc->cipher);
769 enc->key = NULL;
770 enc->key_len = cipher_keylen(enc->cipher);
771 enc->block_size = cipher_blocksize(enc->cipher);
772 return 0;
773 }
774
775 static int
choose_mac(struct ssh * ssh,struct sshmac * mac,char * client,char * server)776 choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
777 {
778 char *name = match_list(client, server, NULL);
779
780 if (name == NULL)
781 return SSH_ERR_NO_MAC_ALG_MATCH;
782 if (mac_setup(mac, name) < 0) {
783 error("%s: unsupported MAC %s", __func__, name);
784 free(name);
785 return SSH_ERR_INTERNAL_ERROR;
786 }
787 mac->name = name;
788 mac->key = NULL;
789 mac->enabled = 0;
790 return 0;
791 }
792
793 static int
choose_comp(struct sshcomp * comp,char * client,char * server)794 choose_comp(struct sshcomp *comp, char *client, char *server)
795 {
796 char *name = match_list(client, server, NULL);
797
798 if (name == NULL)
799 return SSH_ERR_NO_COMPRESS_ALG_MATCH;
800 #ifdef WITH_ZLIB
801 if (strcmp(name, "zlib@openssh.com") == 0) {
802 comp->type = COMP_DELAYED;
803 } else if (strcmp(name, "zlib") == 0) {
804 comp->type = COMP_ZLIB;
805 } else
806 #endif /* WITH_ZLIB */
807 if (strcmp(name, "none") == 0) {
808 comp->type = COMP_NONE;
809 } else {
810 error("%s: unsupported compression scheme %s", __func__, name);
811 free(name);
812 return SSH_ERR_INTERNAL_ERROR;
813 }
814 comp->name = name;
815 return 0;
816 }
817
818 static int
choose_kex(struct kex * k,char * client,char * server)819 choose_kex(struct kex *k, char *client, char *server)
820 {
821 const struct kexalg *kexalg;
822
823 k->name = match_list(client, server, NULL);
824
825 debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
826 if (k->name == NULL)
827 return SSH_ERR_NO_KEX_ALG_MATCH;
828 if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
829 error("%s: unsupported KEX method %s", __func__, k->name);
830 return SSH_ERR_INTERNAL_ERROR;
831 }
832 k->kex_type = kexalg->type;
833 k->hash_alg = kexalg->hash_alg;
834 k->ec_nid = kexalg->ec_nid;
835 return 0;
836 }
837
838 static int
choose_hostkeyalg(struct kex * k,char * client,char * server)839 choose_hostkeyalg(struct kex *k, char *client, char *server)
840 {
841 k->hostkey_alg = match_list(client, server, NULL);
842
843 debug("kex: host key algorithm: %s",
844 k->hostkey_alg ? k->hostkey_alg : "(no match)");
845 if (k->hostkey_alg == NULL)
846 return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
847 k->hostkey_type = sshkey_type_from_name(k->hostkey_alg);
848 if (k->hostkey_type == KEY_UNSPEC) {
849 error("%s: unsupported hostkey algorithm %s", __func__,
850 k->hostkey_alg);
851 return SSH_ERR_INTERNAL_ERROR;
852 }
853 k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg);
854 return 0;
855 }
856
857 static int
proposals_match(char * my[PROPOSAL_MAX],char * peer[PROPOSAL_MAX])858 proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
859 {
860 static int check[] = {
861 PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
862 };
863 int *idx;
864 char *p;
865
866 for (idx = &check[0]; *idx != -1; idx++) {
867 if ((p = strchr(my[*idx], ',')) != NULL)
868 *p = '\0';
869 if ((p = strchr(peer[*idx], ',')) != NULL)
870 *p = '\0';
871 if (strcmp(my[*idx], peer[*idx]) != 0) {
872 debug2("proposal mismatch: my %s peer %s",
873 my[*idx], peer[*idx]);
874 return (0);
875 }
876 }
877 debug2("proposals match");
878 return (1);
879 }
880
881 static int
kex_choose_conf(struct ssh * ssh)882 kex_choose_conf(struct ssh *ssh)
883 {
884 struct kex *kex = ssh->kex;
885 struct newkeys *newkeys;
886 char **my = NULL, **peer = NULL;
887 char **cprop, **sprop;
888 int nenc, nmac, ncomp;
889 u_int mode, ctos, need, dh_need, authlen;
890 int r, first_kex_follows;
891
892 debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
893 if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
894 goto out;
895 debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server");
896 if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
897 goto out;
898
899 if (kex->server) {
900 cprop=peer;
901 sprop=my;
902 } else {
903 cprop=my;
904 sprop=peer;
905 }
906
907 /* Check whether client supports ext_info_c */
908 if (kex->server && (kex->flags & KEX_INITIAL)) {
909 char *ext;
910
911 ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
912 kex->ext_info_c = (ext != NULL);
913 free(ext);
914 }
915
916 /* Algorithm Negotiation */
917 if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
918 sprop[PROPOSAL_KEX_ALGS])) != 0) {
919 kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
920 peer[PROPOSAL_KEX_ALGS] = NULL;
921 goto out;
922 }
923 if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
924 sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
925 kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS];
926 peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
927 goto out;
928 }
929 for (mode = 0; mode < MODE_MAX; mode++) {
930 if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) {
931 r = SSH_ERR_ALLOC_FAIL;
932 goto out;
933 }
934 kex->newkeys[mode] = newkeys;
935 ctos = (!kex->server && mode == MODE_OUT) ||
936 (kex->server && mode == MODE_IN);
937 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
938 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
939 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
940 if ((r = choose_enc(&newkeys->enc, cprop[nenc],
941 sprop[nenc])) != 0) {
942 kex->failed_choice = peer[nenc];
943 peer[nenc] = NULL;
944 goto out;
945 }
946 authlen = cipher_authlen(newkeys->enc.cipher);
947 /* ignore mac for authenticated encryption */
948 if (authlen == 0 &&
949 (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
950 sprop[nmac])) != 0) {
951 kex->failed_choice = peer[nmac];
952 peer[nmac] = NULL;
953 goto out;
954 }
955 if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
956 sprop[ncomp])) != 0) {
957 kex->failed_choice = peer[ncomp];
958 peer[ncomp] = NULL;
959 goto out;
960 }
961 debug("kex: %s cipher: %s MAC: %s compression: %s",
962 ctos ? "client->server" : "server->client",
963 newkeys->enc.name,
964 authlen == 0 ? newkeys->mac.name : "<implicit>",
965 newkeys->comp.name);
966 }
967 need = dh_need = 0;
968 for (mode = 0; mode < MODE_MAX; mode++) {
969 newkeys = kex->newkeys[mode];
970 need = MAXIMUM(need, newkeys->enc.key_len);
971 need = MAXIMUM(need, newkeys->enc.block_size);
972 need = MAXIMUM(need, newkeys->enc.iv_len);
973 need = MAXIMUM(need, newkeys->mac.key_len);
974 dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
975 dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
976 dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
977 dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
978 }
979 /* XXX need runden? */
980 kex->we_need = need;
981 kex->dh_need = dh_need;
982
983 /* ignore the next message if the proposals do not match */
984 if (first_kex_follows && !proposals_match(my, peer))
985 ssh->dispatch_skip_packets = 1;
986 r = 0;
987 out:
988 kex_prop_free(my);
989 kex_prop_free(peer);
990 return r;
991 }
992
993 static int
derive_key(struct ssh * ssh,int id,u_int need,u_char * hash,u_int hashlen,const struct sshbuf * shared_secret,u_char ** keyp)994 derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
995 const struct sshbuf *shared_secret, u_char **keyp)
996 {
997 struct kex *kex = ssh->kex;
998 struct ssh_digest_ctx *hashctx = NULL;
999 char c = id;
1000 u_int have;
1001 size_t mdsz;
1002 u_char *digest;
1003 int r;
1004
1005 if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
1006 return SSH_ERR_INVALID_ARGUMENT;
1007 if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
1008 r = SSH_ERR_ALLOC_FAIL;
1009 goto out;
1010 }
1011
1012 /* K1 = HASH(K || H || "A" || session_id) */
1013 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1014 ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1015 ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1016 ssh_digest_update(hashctx, &c, 1) != 0 ||
1017 ssh_digest_update(hashctx, kex->session_id,
1018 kex->session_id_len) != 0 ||
1019 ssh_digest_final(hashctx, digest, mdsz) != 0) {
1020 r = SSH_ERR_LIBCRYPTO_ERROR;
1021 error("%s: KEX hash failed", __func__);
1022 goto out;
1023 }
1024 ssh_digest_free(hashctx);
1025 hashctx = NULL;
1026
1027 /*
1028 * expand key:
1029 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
1030 * Key = K1 || K2 || ... || Kn
1031 */
1032 for (have = mdsz; need > have; have += mdsz) {
1033 if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
1034 ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
1035 ssh_digest_update(hashctx, hash, hashlen) != 0 ||
1036 ssh_digest_update(hashctx, digest, have) != 0 ||
1037 ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
1038 error("%s: KDF failed", __func__);
1039 r = SSH_ERR_LIBCRYPTO_ERROR;
1040 goto out;
1041 }
1042 ssh_digest_free(hashctx);
1043 hashctx = NULL;
1044 }
1045 #ifdef DEBUG_KEX
1046 fprintf(stderr, "key '%c'== ", c);
1047 dump_digest("key", digest, need);
1048 #endif
1049 *keyp = digest;
1050 digest = NULL;
1051 r = 0;
1052 out:
1053 free(digest);
1054 ssh_digest_free(hashctx);
1055 return r;
1056 }
1057
1058 #define NKEYS 6
1059 int
kex_derive_keys(struct ssh * ssh,u_char * hash,u_int hashlen,const struct sshbuf * shared_secret)1060 kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
1061 const struct sshbuf *shared_secret)
1062 {
1063 struct kex *kex = ssh->kex;
1064 u_char *keys[NKEYS];
1065 u_int i, j, mode, ctos;
1066 int r;
1067
1068 /* save initial hash as session id */
1069 if (kex->session_id == NULL) {
1070 kex->session_id_len = hashlen;
1071 kex->session_id = malloc(kex->session_id_len);
1072 if (kex->session_id == NULL)
1073 return SSH_ERR_ALLOC_FAIL;
1074 memcpy(kex->session_id, hash, kex->session_id_len);
1075 }
1076 for (i = 0; i < NKEYS; i++) {
1077 if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
1078 shared_secret, &keys[i])) != 0) {
1079 for (j = 0; j < i; j++)
1080 free(keys[j]);
1081 return r;
1082 }
1083 }
1084 for (mode = 0; mode < MODE_MAX; mode++) {
1085 ctos = (!kex->server && mode == MODE_OUT) ||
1086 (kex->server && mode == MODE_IN);
1087 kex->newkeys[mode]->enc.iv = keys[ctos ? 0 : 1];
1088 kex->newkeys[mode]->enc.key = keys[ctos ? 2 : 3];
1089 kex->newkeys[mode]->mac.key = keys[ctos ? 4 : 5];
1090 }
1091 return 0;
1092 }
1093
1094 int
kex_load_hostkey(struct ssh * ssh,struct sshkey ** prvp,struct sshkey ** pubp)1095 kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
1096 {
1097 struct kex *kex = ssh->kex;
1098
1099 *pubp = NULL;
1100 *prvp = NULL;
1101 if (kex->load_host_public_key == NULL ||
1102 kex->load_host_private_key == NULL) {
1103 error("%s: missing hostkey loader", __func__);
1104 return SSH_ERR_INVALID_ARGUMENT;
1105 }
1106 *pubp = kex->load_host_public_key(kex->hostkey_type,
1107 kex->hostkey_nid, ssh);
1108 *prvp = kex->load_host_private_key(kex->hostkey_type,
1109 kex->hostkey_nid, ssh);
1110 if (*pubp == NULL)
1111 return SSH_ERR_NO_HOSTKEY_LOADED;
1112 return 0;
1113 }
1114
1115 int
kex_verify_host_key(struct ssh * ssh,struct sshkey * server_host_key)1116 kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
1117 {
1118 struct kex *kex = ssh->kex;
1119
1120 if (kex->verify_host_key == NULL) {
1121 error("%s: missing hostkey verifier", __func__);
1122 return SSH_ERR_INVALID_ARGUMENT;
1123 }
1124 if (server_host_key->type != kex->hostkey_type ||
1125 (kex->hostkey_type == KEY_ECDSA &&
1126 server_host_key->ecdsa_nid != kex->hostkey_nid))
1127 return SSH_ERR_KEY_TYPE_MISMATCH;
1128 if (kex->verify_host_key(server_host_key, ssh) == -1)
1129 return SSH_ERR_SIGNATURE_INVALID;
1130 return 0;
1131 }
1132
1133 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
1134 void
dump_digest(const char * msg,const u_char * digest,int len)1135 dump_digest(const char *msg, const u_char *digest, int len)
1136 {
1137 fprintf(stderr, "%s\n", msg);
1138 sshbuf_dump_data(digest, len, stderr);
1139 }
1140 #endif
1141
1142 /*
1143 * Send a plaintext error message to the peer, suffixed by \r\n.
1144 * Only used during banner exchange, and there only for the server.
1145 */
1146 static void
send_error(struct ssh * ssh,char * msg)1147 send_error(struct ssh *ssh, char *msg)
1148 {
1149 char *crnl = "\r\n";
1150
1151 if (!ssh->kex->server)
1152 return;
1153
1154 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1155 msg, strlen(msg)) != strlen(msg) ||
1156 atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1157 crnl, strlen(crnl)) != strlen(crnl))
1158 error("%s: write: %.100s", __func__, strerror(errno));
1159 }
1160
1161 /*
1162 * Sends our identification string and waits for the peer's. Will block for
1163 * up to timeout_ms (or indefinitely if timeout_ms <= 0).
1164 * Returns on 0 success or a ssherr.h code on failure.
1165 */
1166 int
kex_exchange_identification(struct ssh * ssh,int timeout_ms,const char * version_addendum)1167 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
1168 const char *version_addendum)
1169 {
1170 int remote_major, remote_minor, mismatch, oerrno = 0;
1171 size_t len, i, n;
1172 int r, expect_nl;
1173 u_char c;
1174 struct sshbuf *our_version = ssh->kex->server ?
1175 ssh->kex->server_version : ssh->kex->client_version;
1176 struct sshbuf *peer_version = ssh->kex->server ?
1177 ssh->kex->client_version : ssh->kex->server_version;
1178 char *our_version_string = NULL, *peer_version_string = NULL;
1179 char *cp, *remote_version = NULL;
1180
1181 /* Prepare and send our banner */
1182 sshbuf_reset(our_version);
1183 if (version_addendum != NULL && *version_addendum == '\0')
1184 version_addendum = NULL;
1185 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
1186 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
1187 version_addendum == NULL ? "" : " ",
1188 version_addendum == NULL ? "" : version_addendum)) != 0) {
1189 oerrno = errno;
1190 error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
1191 goto out;
1192 }
1193
1194 if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
1195 sshbuf_mutable_ptr(our_version),
1196 sshbuf_len(our_version)) != sshbuf_len(our_version)) {
1197 oerrno = errno;
1198 debug("%s: write: %.100s", __func__, strerror(errno));
1199 r = SSH_ERR_SYSTEM_ERROR;
1200 goto out;
1201 }
1202 if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
1203 oerrno = errno;
1204 error("%s: sshbuf_consume_end: %s", __func__, ssh_err(r));
1205 goto out;
1206 }
1207 our_version_string = sshbuf_dup_string(our_version);
1208 if (our_version_string == NULL) {
1209 error("%s: sshbuf_dup_string failed", __func__);
1210 r = SSH_ERR_ALLOC_FAIL;
1211 goto out;
1212 }
1213 debug("Local version string %.100s", our_version_string);
1214
1215 /* Read other side's version identification. */
1216 for (n = 0; ; n++) {
1217 if (n >= SSH_MAX_PRE_BANNER_LINES) {
1218 send_error(ssh, "No SSH identification string "
1219 "received.");
1220 error("%s: No SSH version received in first %u lines "
1221 "from server", __func__, SSH_MAX_PRE_BANNER_LINES);
1222 r = SSH_ERR_INVALID_FORMAT;
1223 goto out;
1224 }
1225 sshbuf_reset(peer_version);
1226 expect_nl = 0;
1227 for (i = 0; ; i++) {
1228 if (timeout_ms > 0) {
1229 r = waitrfd(ssh_packet_get_connection_in(ssh),
1230 &timeout_ms);
1231 if (r == -1 && errno == ETIMEDOUT) {
1232 send_error(ssh, "Timed out waiting "
1233 "for SSH identification string.");
1234 error("Connection timed out during "
1235 "banner exchange");
1236 r = SSH_ERR_CONN_TIMEOUT;
1237 goto out;
1238 } else if (r == -1) {
1239 oerrno = errno;
1240 error("%s: %s",
1241 __func__, strerror(errno));
1242 r = SSH_ERR_SYSTEM_ERROR;
1243 goto out;
1244 }
1245 }
1246
1247 len = atomicio(read, ssh_packet_get_connection_in(ssh),
1248 &c, 1);
1249 if (len != 1 && errno == EPIPE) {
1250 error("%s: Connection closed by remote host",
1251 __func__);
1252 r = SSH_ERR_CONN_CLOSED;
1253 goto out;
1254 } else if (len != 1) {
1255 oerrno = errno;
1256 error("%s: read: %.100s",
1257 __func__, strerror(errno));
1258 r = SSH_ERR_SYSTEM_ERROR;
1259 goto out;
1260 }
1261 if (c == '\r') {
1262 expect_nl = 1;
1263 continue;
1264 }
1265 if (c == '\n')
1266 break;
1267 if (c == '\0' || expect_nl) {
1268 error("%s: banner line contains invalid "
1269 "characters", __func__);
1270 goto invalid;
1271 }
1272 if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
1273 oerrno = errno;
1274 error("%s: sshbuf_put: %s",
1275 __func__, ssh_err(r));
1276 goto out;
1277 }
1278 if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
1279 error("%s: banner line too long", __func__);
1280 goto invalid;
1281 }
1282 }
1283 /* Is this an actual protocol banner? */
1284 if (sshbuf_len(peer_version) > 4 &&
1285 memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
1286 break;
1287 /* If not, then just log the line and continue */
1288 if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
1289 error("%s: sshbuf_dup_string failed", __func__);
1290 r = SSH_ERR_ALLOC_FAIL;
1291 goto out;
1292 }
1293 /* Do not accept lines before the SSH ident from a client */
1294 if (ssh->kex->server) {
1295 error("%s: client sent invalid protocol identifier "
1296 "\"%.256s\"", __func__, cp);
1297 free(cp);
1298 goto invalid;
1299 }
1300 debug("%s: banner line %zu: %s", __func__, n, cp);
1301 free(cp);
1302 }
1303 peer_version_string = sshbuf_dup_string(peer_version);
1304 if (peer_version_string == NULL)
1305 error("%s: sshbuf_dup_string failed", __func__);
1306 /* XXX must be same size for sscanf */
1307 if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
1308 error("%s: calloc failed", __func__);
1309 r = SSH_ERR_ALLOC_FAIL;
1310 goto out;
1311 }
1312
1313 /*
1314 * Check that the versions match. In future this might accept
1315 * several versions and set appropriate flags to handle them.
1316 */
1317 if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
1318 &remote_major, &remote_minor, remote_version) != 3) {
1319 error("Bad remote protocol version identification: '%.100s'",
1320 peer_version_string);
1321 invalid:
1322 send_error(ssh, "Invalid SSH identification string.");
1323 r = SSH_ERR_INVALID_FORMAT;
1324 goto out;
1325 }
1326 debug("Remote protocol version %d.%d, remote software version %.100s",
1327 remote_major, remote_minor, remote_version);
1328 ssh->compat = compat_datafellows(remote_version);
1329
1330 mismatch = 0;
1331 switch (remote_major) {
1332 case 2:
1333 break;
1334 case 1:
1335 if (remote_minor != 99)
1336 mismatch = 1;
1337 break;
1338 default:
1339 mismatch = 1;
1340 break;
1341 }
1342 if (mismatch) {
1343 error("Protocol major versions differ: %d vs. %d",
1344 PROTOCOL_MAJOR_2, remote_major);
1345 send_error(ssh, "Protocol major versions differ.");
1346 r = SSH_ERR_NO_PROTOCOL_VERSION;
1347 goto out;
1348 }
1349
1350 if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
1351 logit("probed from %s port %d with %s. Don't panic.",
1352 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1353 peer_version_string);
1354 r = SSH_ERR_CONN_CLOSED; /* XXX */
1355 goto out;
1356 }
1357 if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
1358 logit("scanned from %s port %d with %s. Don't panic.",
1359 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
1360 peer_version_string);
1361 r = SSH_ERR_CONN_CLOSED; /* XXX */
1362 goto out;
1363 }
1364 if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
1365 logit("Remote version \"%.100s\" uses unsafe RSA signature "
1366 "scheme; disabling use of RSA keys", remote_version);
1367 }
1368 /* success */
1369 r = 0;
1370 out:
1371 free(our_version_string);
1372 free(peer_version_string);
1373 free(remote_version);
1374 if (r == SSH_ERR_SYSTEM_ERROR)
1375 errno = oerrno;
1376 return r;
1377 }
1378
1379