int
auth_rsa_challenge_dialog(Key *key)
{
BIGNUM *challenge, *encrypted_challenge;
u_char response[16];
int i, success;
if ((encrypted_challenge = BN_new()) == NULL)
fatal("auth_rsa_challenge_dialog: BN_new() failed");
challenge = PRIVSEP(auth_rsa_generate_challenge(key));
/* Encrypt the challenge with the public key. */
rsa_public_encrypt(encrypted_challenge, challenge, key->rsa);
/* Send the encrypted challenge to the client. */
packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
packet_put_bignum(encrypted_challenge);
packet_send();
BN_clear_free(encrypted_challenge);
packet_write_wait();
/* Wait for a response. */
packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
for (i = 0; i < 16; i++)
response[i] = packet_get_char();
packet_check_eom();
success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
BN_clear_free(challenge);
return (success);
}
/*
* Performs authentication of an incoming connection. Session key has already
* been exchanged and encryption is enabled.
*/
Authctxt *
do_authentication(void)
{
Authctxt *authctxt;
u_int ulen;
char *user, *style = NULL;
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
/* Get the user name. */
user = packet_get_string(&ulen);
packet_check_eom();
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
authctxt = authctxt_new();
authctxt->user = user;
authctxt->style = style;
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
authctxt->valid = 1;
else {
debug("do_authentication: illegal user %s", user);
authctxt->pw = fakepw();
}
setproctitle("%s%s", authctxt->pw ? user : "******",
use_privsep ? " [net]" : "");
#ifdef USE_PAM
if (options.use_pam)
PRIVSEP(start_pam(user));
#endif
/*
* If we are not running as root, the user must have the same uid as
* the server. (Unless you are running Windows)
*/
#ifndef HAVE_CYGWIN
if (!use_privsep && getuid() != 0 && authctxt->pw &&
authctxt->pw->pw_uid != getuid())
packet_disconnect("Cannot change user when server not running as root.");
#endif
/*
* Loop until the user has been authenticated or the connection is
* closed, do_authloop() returns only if authentication is successful
*/
do_authloop(authctxt);
/* The user has been authenticated and accepted. */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
return (authctxt);
}
void
kex_finish(Kex *kex)
{
kex_reset_dispatch();
packet_start(SSH2_MSG_NEWKEYS);
packet_send();
/* packet_write_wait(); */
debug("SSH2_MSG_NEWKEYS sent");
debug("expecting SSH2_MSG_NEWKEYS");
packet_read_expect(SSH2_MSG_NEWKEYS);
packet_check_eom();
debug("SSH2_MSG_NEWKEYS received");
kex->done = 1;
buffer_clear(&kex->peer);
/* buffer_clear(&kex->my); */
kex->flags &= ~KEX_INIT_SENT;
xfree(kex->name);
kex->name = NULL;
}
void
kexdh_client(Kex *kex)
{
BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
DH *dh;
Key *server_host_key;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
int kout;
/* generate and send 'e', client DH public key */
switch (kex->kex_type) {
case KEX_DH_GRP1_SHA1:
dh = dh_new_group1();
break;
case KEX_DH_GRP14_SHA1:
dh = dh_new_group14();
break;
default:
fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
}
dh_gen_key(dh, kex->we_need * 8);
packet_start(SSH2_MSG_KEXDH_INIT);
packet_put_bignum2(dh->pub_key);
packet_send();
debug("sending SSH2_MSG_KEXDH_INIT");
#ifdef DEBUG_KEXDH
DHparams_print_fp(stderr, dh);
fprintf(stderr, "pub= ");
BN_print_fp(stderr, dh->pub_key);
fprintf(stderr, "\n");
#endif
debug("expecting SSH2_MSG_KEXDH_REPLY");
packet_read_expect(SSH2_MSG_KEXDH_REPLY);
/* key, cert */
server_host_key_blob = packet_get_string(&sbloblen);
server_host_key = key_from_blob(server_host_key_blob, sbloblen);
if (server_host_key == NULL)
fatal("cannot decode server_host_key_blob");
if (server_host_key->type != kex->hostkey_type)
fatal("type mismatch for decoded server_host_key_blob");
if (kex->verify_host_key == NULL)
fatal("cannot verify server_host_key");
if (kex->verify_host_key(server_host_key) == -1)
fatal("server_host_key verification failed");
/* DH parameter f, server public DH key */
if ((dh_server_pub = BN_new()) == NULL)
fatal("dh_server_pub == NULL");
packet_get_bignum2(dh_server_pub);
#ifdef DEBUG_KEXDH
fprintf(stderr, "dh_server_pub= ");
BN_print_fp(stderr, dh_server_pub);
fprintf(stderr, "\n");
debug("bits %d", BN_num_bits(dh_server_pub));
#endif
/* signed H */
signature = packet_get_string(&slen);
packet_check_eom();
if (!dh_pub_is_valid(dh, dh_server_pub))
packet_disconnect("bad server public DH value");
klen = DH_size(dh);
kbuf = xmalloc(klen);
if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0)
fatal("DH_compute_key: failed");
#ifdef DEBUG_KEXDH
dump_digest("shared secret", kbuf, kout);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("kexdh_client: BN_new failed");
if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
fatal("kexdh_client: BN_bin2bn failed");
memset(kbuf, 0, klen);
free(kbuf);
/* calc and verify H */
kex_dh_hash(
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
server_host_key_blob, sbloblen,
dh->pub_key,
dh_server_pub,
shared_secret,
&hash, &hashlen
);
free(server_host_key_blob);
BN_clear_free(dh_server_pub);
DH_free(dh);
if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
free(signature);
/* save session id */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
/*
* Performs authentication of an incoming connection. Session key has already
* been exchanged and encryption is enabled.
*/
void
do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
/* Get the user name. */
user = packet_get_cstring(&ulen);
packet_check_eom();
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
authctxt->user = user;
authctxt->style = style;
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
authctxt->valid = 1;
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
}
/* Configuration may have changed as a result of Match */
if (options.num_auth_methods != 0)
fatal("AuthenticationMethods is not supported with SSH "
"protocol 1");
setproctitle("%s%s", authctxt->valid ? user : "******",
use_privsep ? " [net]" : "");
#ifdef USE_PAM
if (options.use_pam)
PRIVSEP(start_pam(authctxt));
#endif
/*
* If we are not running as root, the user must have the same uid as
* the server.
*/
#ifndef HAVE_CYGWIN
if (!use_privsep && getuid() != 0 && authctxt->pw &&
authctxt->pw->pw_uid != getuid())
packet_disconnect("Cannot change user when server not running as root.");
#endif
/*
* Loop until the user has been authenticated or the connection is
* closed, do_authloop() returns only if authentication is successful
*/
do_authloop(authctxt);
/* The user has been authenticated and accepted. */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
}
void
kexgex_server(Kex *kex)
{
BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
Key *server_host_public, *server_host_private;
DH *dh;
u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
u_int sbloblen, klen, slen, hashlen;
int omin = -1, min = -1, omax = -1, max = -1, onbits = -1, nbits = -1;
int type, kout;
if (kex->load_host_public_key == NULL ||
kex->load_host_private_key == NULL)
fatal("Cannot load hostkey");
server_host_public = kex->load_host_public_key(kex->hostkey_type);
if (server_host_public == NULL)
fatal("Unsupported hostkey type %d", kex->hostkey_type);
server_host_private = kex->load_host_private_key(kex->hostkey_type);
type = packet_read();
switch (type) {
case SSH2_MSG_KEX_DH_GEX_REQUEST:
debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
omin = min = packet_get_int();
onbits = nbits = packet_get_int();
omax = max = packet_get_int();
min = MAX(DH_GRP_MIN, min);
max = MIN(DH_GRP_MAX, max);
nbits = MAX(DH_GRP_MIN, nbits);
nbits = MIN(DH_GRP_MAX, nbits);
break;
case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");
onbits = nbits = packet_get_int();
/* unused for old GEX */
omin = min = DH_GRP_MIN;
omax = max = DH_GRP_MAX;
break;
default:
fatal("protocol error during kex, no DH_GEX_REQUEST: %d", type);
}
packet_check_eom();
if (omax < omin || onbits < omin || omax < onbits)
fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d",
omin, onbits, omax);
/* Contact privileged parent */
dh = PRIVSEP(choose_dh(min, nbits, max));
if (dh == NULL)
packet_disconnect("Protocol error: no matching DH grp found");
debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
packet_start(SSH2_MSG_KEX_DH_GEX_GROUP);
packet_put_bignum2(dh->p);
packet_put_bignum2(dh->g);
packet_send();
/* flush */
packet_write_wait();
/* Compute our exchange value in parallel with the client */
dh_gen_key(dh, kex->we_need * 8);
debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
packet_read_expect(SSH2_MSG_KEX_DH_GEX_INIT);
/* key, cert */
if ((dh_client_pub = BN_new()) == NULL)
fatal("dh_client_pub == NULL");
packet_get_bignum2(dh_client_pub);
packet_check_eom();
#ifdef DEBUG_KEXDH
fprintf(stderr, "dh_client_pub= ");
BN_print_fp(stderr, dh_client_pub);
fprintf(stderr, "\n");
debug("bits %d", BN_num_bits(dh_client_pub));
#endif
#ifdef DEBUG_KEXDH
DHparams_print_fp(stderr, dh);
fprintf(stderr, "pub= ");
BN_print_fp(stderr, dh->pub_key);
fprintf(stderr, "\n");
#endif
if (!dh_pub_is_valid(dh, dh_client_pub))
packet_disconnect("bad client public DH value");
klen = DH_size(dh);
kbuf = xmalloc(klen);
if ((kout = DH_compute_key(kbuf, dh_client_pub, dh)) < 0)
fatal("DH_compute_key: failed");
#ifdef DEBUG_KEXDH
dump_digest("shared secret", kbuf, kout);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("kexgex_server: BN_new failed");
if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
fatal("kexgex_server: BN_bin2bn failed");
memset(kbuf, 0, klen);
free(kbuf);
key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
omin = min = omax = max = -1;
/* calc H */
kexgex_hash(
kex->evp_md,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
buffer_ptr(&kex->my), buffer_len(&kex->my),
server_host_key_blob, sbloblen,
omin, onbits, omax,
dh->p, dh->g,
dh_client_pub,
dh->pub_key,
shared_secret,
&hash, &hashlen
);
BN_clear_free(dh_client_pub);
/* save session id := H */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
kex->sign(server_host_private, server_host_public, &signature, &slen,
hash, hashlen);
/* destroy_sensitive_data(); */
/* send server hostkey, DH pubkey 'f' and singed H */
debug("SSH2_MSG_KEX_DH_GEX_REPLY sent");
packet_start(SSH2_MSG_KEX_DH_GEX_REPLY);
packet_put_string(server_host_key_blob, sbloblen);
packet_put_bignum2(dh->pub_key); /* f */
packet_put_string(signature, slen);
packet_send();
free(signature);
free(server_host_key_blob);
/* have keys, free DH */
DH_free(dh);
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
void
kexgss_server(Kex *kex)
{
OM_uint32 maj_status, min_status;
/*
* Some GSSAPI implementations use the input value of ret_flags (an
* output variable) as a means of triggering mechanism specific
* features. Initializing it to zero avoids inadvertently
* activating this non-standard behaviour.
*/
OM_uint32 ret_flags = 0;
gss_buffer_desc gssbuf, recv_tok, msg_tok;
gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
Gssctxt *ctxt = NULL;
u_int slen, klen, kout, hashlen;
u_char *kbuf, *hash;
DH *dh;
int min = -1, max = -1, nbits = -1;
BIGNUM *shared_secret = NULL;
BIGNUM *dh_client_pub = NULL;
int type = 0;
gss_OID oid;
char *mechs;
/* Initialise GSSAPI */
/* If we're rekeying, privsep means that some of the private structures
* in the GSSAPI code are no longer available. This kludges them back
* into life
*/
if (!ssh_gssapi_oid_table_ok())
if ((mechs = ssh_gssapi_server_mechanisms()))
xfree(mechs);
debug2("%s: Identifying %s", __func__, kex->name);
oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
if (oid == GSS_C_NO_OID)
fatal("Unknown gssapi mechanism");
debug2("%s: Acquiring credentials", __func__);
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
fatal("Unable to acquire credentials for the server");
switch (kex->kex_type) {
case KEX_GSS_GRP1_SHA1:
dh = dh_new_group1();
break;
case KEX_GSS_GRP14_SHA1:
dh = dh_new_group14();
break;
case KEX_GSS_GEX_SHA1:
debug("Doing group exchange");
packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
min = packet_get_int();
nbits = packet_get_int();
max = packet_get_int();
min = MAX(DH_GRP_MIN, min);
max = MIN(DH_GRP_MAX, max);
packet_check_eom();
if (max < min || nbits < min || max < nbits)
fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
min, nbits, max);
dh = PRIVSEP(choose_dh(min, nbits, max));
if (dh == NULL)
packet_disconnect("Protocol error: no matching group found");
packet_start(SSH2_MSG_KEXGSS_GROUP);
packet_put_bignum2(dh->p);
packet_put_bignum2(dh->g);
packet_send();
packet_write_wait();
break;
default:
fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
}
dh_gen_key(dh, kex->we_need * 8);
do {
debug("Wait SSH2_MSG_GSSAPI_INIT");
type = packet_read();
switch(type) {
case SSH2_MSG_KEXGSS_INIT:
if (dh_client_pub != NULL)
fatal("Received KEXGSS_INIT after initialising");
recv_tok.value = packet_get_string(&slen);
recv_tok.length = slen;
if ((dh_client_pub = BN_new()) == NULL)
fatal("dh_client_pub == NULL");
packet_get_bignum2(dh_client_pub);
/* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
break;
case SSH2_MSG_KEXGSS_CONTINUE:
recv_tok.value = packet_get_string(&slen);
recv_tok.length = slen;
break;
default:
packet_disconnect(
"Protocol error: didn't expect packet type %d",
type);
}
maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
&send_tok, &ret_flags));
xfree(recv_tok.value);
if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
fatal("Zero length token output when incomplete");
if (dh_client_pub == NULL)
fatal("No client public key");
if (maj_status & GSS_S_CONTINUE_NEEDED) {
debug("Sending GSSAPI_CONTINUE");
packet_start(SSH2_MSG_KEXGSS_CONTINUE);
packet_put_string(send_tok.value, send_tok.length);
packet_send();
gss_release_buffer(&min_status, &send_tok);
}
} while (maj_status & GSS_S_CONTINUE_NEEDED);
if (GSS_ERROR(maj_status)) {
if (send_tok.length > 0) {
packet_start(SSH2_MSG_KEXGSS_CONTINUE);
packet_put_string(send_tok.value, send_tok.length);
packet_send();
}
fatal("accept_ctx died");
}
if (!(ret_flags & GSS_C_MUTUAL_FLAG))
fatal("Mutual Authentication flag wasn't set");
if (!(ret_flags & GSS_C_INTEG_FLAG))
fatal("Integrity flag wasn't set");
if (!dh_pub_is_valid(dh, dh_client_pub))
packet_disconnect("bad client public DH value");
klen = DH_size(dh);
kbuf = xmalloc(klen);
kout = DH_compute_key(kbuf, dh_client_pub, dh);
if (kout < 0)
fatal("DH_compute_key: failed");
shared_secret = BN_new();
if (shared_secret == NULL)
fatal("kexgss_server: BN_new failed");
if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
fatal("kexgss_server: BN_bin2bn failed");
memset(kbuf, 0, klen);
xfree(kbuf);
switch (kex->kex_type) {
case KEX_GSS_GRP1_SHA1:
case KEX_GSS_GRP14_SHA1:
kex_dh_hash(
kex->client_version_string, kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
buffer_ptr(&kex->my), buffer_len(&kex->my),
NULL, 0, /* Change this if we start sending host keys */
dh_client_pub, dh->pub_key, shared_secret,
&hash, &hashlen
);
break;
case KEX_GSS_GEX_SHA1:
kexgex_hash(
kex->evp_md,
kex->client_version_string, kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
buffer_ptr(&kex->my), buffer_len(&kex->my),
NULL, 0,
min, nbits, max,
dh->p, dh->g,
dh_client_pub,
dh->pub_key,
shared_secret,
&hash, &hashlen
);
break;
default:
fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
}
BN_clear_free(dh_client_pub);
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
gssbuf.value = hash;
gssbuf.length = hashlen;
if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok))))
fatal("Couldn't get MIC");
packet_start(SSH2_MSG_KEXGSS_COMPLETE);
packet_put_bignum2(dh->pub_key);
packet_put_string(msg_tok.value,msg_tok.length);
if (send_tok.length != 0) {
packet_put_char(1); /* true */
packet_put_string(send_tok.value, send_tok.length);
} else {
packet_put_char(0); /* false */
}
packet_send();
gss_release_buffer(&min_status, &send_tok);
gss_release_buffer(&min_status, &msg_tok);
if (gss_kex_context == NULL)
gss_kex_context = ctxt;
else
ssh_gssapi_delete_ctx(&ctxt);
DH_free(dh);
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
/* If this was a rekey, then save out any delegated credentials we
* just exchanged. */
if (options.gss_store_rekey)
ssh_gssapi_rekey_creds();
}
/*
* SSH1 key exchange
*/
void
do_ssh1_kex(void)
{
int i, len;
int rsafail = 0;
BIGNUM *session_key_int;
u_char session_key[SSH_SESSION_KEY_LENGTH];
u_char cookie[8];
u_int cipher_type, auth_mask, protocol_flags;
u_int32_t rnd = 0;
/*
* Generate check bytes that the client must send back in the user
* packet in order for it to be accepted; this is used to defy ip
* spoofing attacks. Note that this only works against somebody
* doing IP spoofing from a remote machine; any machine on the local
* network can still see outgoing packets and catch the random
* cookie. This only affects rhosts authentication, and this is one
* of the reasons why it is inherently insecure.
*/
for (i = 0; i < 8; i++) {
if (i % 4 == 0)
rnd = arc4random();
cookie[i] = rnd & 0xff;
rnd >>= 8;
}
/*
* Send our public key. We include in the packet 64 bits of random
* data that must be matched in the reply in order to prevent IP
* spoofing.
*/
packet_start(SSH_SMSG_PUBLIC_KEY);
for (i = 0; i < 8; i++)
packet_put_char(cookie[i]);
/* Store our public server RSA key. */
packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));
packet_put_bignum(sensitive_data.server_key->rsa->e);
packet_put_bignum(sensitive_data.server_key->rsa->n);
/* Store our public host RSA key. */
packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
/* Put protocol flags. */
packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
/* Declare which ciphers we support. */
packet_put_int(cipher_mask_ssh1(0));
/* Declare supported authentication types. */
auth_mask = 0;
if (options.rhosts_rsa_authentication)
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
if (options.rsa_authentication)
auth_mask |= 1 << SSH_AUTH_RSA;
if (options.challenge_response_authentication == 1)
auth_mask |= 1 << SSH_AUTH_TIS;
if (options.password_authentication)
auth_mask |= 1 << SSH_AUTH_PASSWORD;
packet_put_int(auth_mask);
/* Send the packet and wait for it to be sent. */
packet_send();
packet_write_wait();
debug("Sent %d bit server key and %d bit host key.",
BN_num_bits(sensitive_data.server_key->rsa->n),
BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
/* Read clients reply (cipher type and session key). */
packet_read_expect(SSH_CMSG_SESSION_KEY);
/* Get cipher type and check whether we accept this. */
cipher_type = packet_get_char();
if (!(cipher_mask_ssh1(0) & (1 << cipher_type)))
packet_disconnect("Warning: client selects unsupported cipher.");
/* Get check bytes from the packet. These must match those we
sent earlier with the public key packet. */
for (i = 0; i < 8; i++)
if (cookie[i] != packet_get_char())
packet_disconnect("IP Spoofing check bytes do not match.");
debug("Encryption type: %.200s", cipher_name(cipher_type));
/* Get the encrypted integer. */
if ((session_key_int = BN_new()) == NULL)
fatal("do_ssh1_kex: BN_new failed");
packet_get_bignum(session_key_int);
protocol_flags = packet_get_int();
packet_set_protocol_flags(protocol_flags);
packet_check_eom();
/* Decrypt session_key_int using host/server keys */
rsafail = PRIVSEP(ssh1_session_key(session_key_int));
/*
* Extract session key from the decrypted integer. The key is in the
* least significant 256 bits of the integer; the first byte of the
* key is in the highest bits.
*/
if (!rsafail) {
BN_mask_bits(session_key_int, sizeof(session_key) * 8);
len = BN_num_bytes(session_key_int);
if (len < 0 || len > sizeof(session_key)) {
error("do_connection: bad session key len from %s: "
"session_key_int %d > sizeof(session_key) %lu",
get_remote_ipaddr(), len, (u_long)sizeof(session_key));
rsafail++;
} else {
memset(session_key, 0, sizeof(session_key));
BN_bn2bin(session_key_int,
session_key + sizeof(session_key) - len);
derive_ssh1_session_id(
sensitive_data.ssh1_host_key->rsa->n,
sensitive_data.server_key->rsa->n,
cookie, session_id);
/*
* Xor the first 16 bytes of the session key with the
* session id.
*/
for (i = 0; i < 16; i++)
session_key[i] ^= session_id[i];
}
}
if (rsafail) {
int bytes = BN_num_bytes(session_key_int);
u_char *buf = xmalloc(bytes);
MD5_CTX md;
logit("do_connection: generating a fake encryption key");
BN_bn2bin(session_key_int, buf);
MD5_Init(&md);
MD5_Update(&md, buf, bytes);
MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
MD5_Final(session_key, &md);
MD5_Init(&md);
MD5_Update(&md, session_key, 16);
MD5_Update(&md, buf, bytes);
MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
MD5_Final(session_key + 16, &md);
memset(buf, 0, bytes);
xfree(buf);
for (i = 0; i < 16; i++)
session_id[i] = session_key[i] ^ session_key[i + 16];
}
/* Destroy the private and public keys. No longer. */
destroy_sensitive_data();
if (use_privsep)
mm_ssh1_session_id(session_id);
/* Destroy the decrypted integer. It is no longer needed. */
BN_clear_free(session_key_int);
/* Set the session key. From this on all communications will be encrypted. */
packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
/* Destroy our copy of the session key. It is no longer needed. */
memset(session_key, 0, sizeof(session_key));
debug("Received session key; encryption turned on.");
/* Send an acknowledgment packet. Note that this packet is sent encrypted. */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
}
void
kexecdh_client(Kex *kex)
{
EC_KEY *client_key;
EC_POINT *server_public;
const EC_GROUP *group;
BIGNUM *shared_secret;
Key *server_host_key;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
if (EC_KEY_generate_key(client_key) != 1)
fatal("%s: EC_KEY_generate_key failed", __func__);
group = EC_KEY_get0_group(client_key);
packet_start(SSH2_MSG_KEX_ECDH_INIT);
packet_put_ecpoint(group, EC_KEY_get0_public_key(client_key));
packet_send();
debug("sending SSH2_MSG_KEX_ECDH_INIT");
#ifdef DEBUG_KEXECDH
fputs("client private key:\n", stderr);
key_dump_ec_key(client_key);
#endif
debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY);
/* hostkey */
server_host_key_blob = packet_get_string(&sbloblen);
server_host_key = key_from_blob(server_host_key_blob, sbloblen);
if (server_host_key == NULL)
fatal("cannot decode server_host_key_blob");
if (server_host_key->type != kex->hostkey_type)
fatal("type mismatch for decoded server_host_key_blob");
if (kex->verify_host_key == NULL)
fatal("cannot verify server_host_key");
if (kex->verify_host_key(server_host_key) == -1)
fatal("server_host_key verification failed");
/* Q_S, server public key */
if ((server_public = EC_POINT_new(group)) == NULL)
fatal("%s: EC_POINT_new failed", __func__);
packet_get_ecpoint(group, server_public);
if (key_ec_validate_public(group, server_public) != 0)
fatal("%s: invalid server public key", __func__);
#ifdef DEBUG_KEXECDH
fputs("server public key:\n", stderr);
key_dump_ec_point(group, server_public);
#endif
/* signed H */
signature = packet_get_string(&slen);
packet_check_eom();
klen = (EC_GROUP_get_degree(group) + 7) / 8;
kbuf = xmalloc(klen);
if (ECDH_compute_key(kbuf, klen, server_public,
client_key, NULL) != (int)klen)
fatal("%s: ECDH_compute_key failed", __func__);
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("%s: BN_new failed", __func__);
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
fatal("%s: BN_bin2bn failed", __func__);
memset(kbuf, 0, klen);
free(kbuf);
/* calc and verify H */
kex_ecdh_hash(
kex->evp_md,
group,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
server_host_key_blob, sbloblen,
EC_KEY_get0_public_key(client_key),
server_public,
shared_secret,
&hash, &hashlen
);
free(server_host_key_blob);
EC_POINT_clear_free(server_public);
EC_KEY_free(client_key);
if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
free(signature);
/* save session id */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
void
kexdh_server(Kex *kex)
{
BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
DH *dh;
Key *server_host_key;
u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
u_int sbloblen, klen, kout, hashlen;
u_int slen;
/* generate server DH public key */
switch (kex->kex_type) {
case KEX_DH_GRP1_SHA1:
dh = dh_new_group1();
break;
case KEX_DH_GRP14_SHA1:
dh = dh_new_group14();
break;
default:
fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
}
dh_gen_key(dh, kex->we_need * 8);
debug("expecting SSH2_MSG_KEXDH_INIT");
packet_read_expect(SSH2_MSG_KEXDH_INIT);
if (kex->load_host_key == NULL)
fatal("Cannot load hostkey");
server_host_key = kex->load_host_key(kex->hostkey_type);
if (server_host_key == NULL)
fatal("Unsupported hostkey type %d", kex->hostkey_type);
/* key, cert */
if ((dh_client_pub = BN_new()) == NULL)
fatal("dh_client_pub == NULL");
packet_get_bignum2(dh_client_pub);
packet_check_eom();
#ifdef DEBUG_KEXDH
fprintf(stderr, "dh_client_pub= ");
BN_print_fp(stderr, dh_client_pub);
fprintf(stderr, "\n");
debug("bits %d", BN_num_bits(dh_client_pub));
#endif
#ifdef DEBUG_KEXDH
DHparams_print_fp(stderr, dh);
fprintf(stderr, "pub= ");
BN_print_fp(stderr, dh->pub_key);
fprintf(stderr, "\n");
#endif
if (!dh_pub_is_valid(dh, dh_client_pub))
packet_disconnect("bad client public DH value");
klen = DH_size(dh);
kbuf = xmalloc(klen);
kout = DH_compute_key(kbuf, dh_client_pub, dh);
#ifdef DEBUG_KEXDH
dump_digest("shared secret", kbuf, kout);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("kexdh_server: BN_new failed");
BN_bin2bn(kbuf, kout, shared_secret);
memset(kbuf, 0, klen);
xfree(kbuf);
key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
/* calc H */
kex_dh_hash(
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
buffer_ptr(&kex->my), buffer_len(&kex->my),
server_host_key_blob, sbloblen,
dh_client_pub,
dh->pub_key,
shared_secret,
&hash, &hashlen
);
BN_clear_free(dh_client_pub);
/* save session id := H */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
/* destroy_sensitive_data(); */
/* send server hostkey, DH pubkey 'f' and singed H */
packet_start(SSH2_MSG_KEXDH_REPLY);
packet_put_string(server_host_key_blob, sbloblen);
packet_put_bignum2(dh->pub_key); /* f */
packet_put_string(signature, slen);
packet_send();
xfree(signature);
xfree(server_host_key_blob);
/* have keys, free DH */
DH_free(dh);
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
void
kexgss_client(Kex *kex) {
gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
Gssctxt *ctxt;
OM_uint32 maj_status, min_status, ret_flags;
u_int klen, kout, slen = 0, hashlen, strlen;
DH *dh;
BIGNUM *dh_server_pub = NULL;
BIGNUM *shared_secret = NULL;
BIGNUM *p = NULL;
BIGNUM *g = NULL;
u_char *kbuf, *hash;
u_char *serverhostkey = NULL;
u_char *empty = "";
char *msg;
char *lang;
int type = 0;
int first = 1;
int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
/* Initialise our GSSAPI world */
ssh_gssapi_build_ctx(&ctxt);
if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type)
== GSS_C_NO_OID)
fatal("Couldn't identify host exchange");
if (ssh_gssapi_import_name(ctxt, kex->gss_host))
fatal("Couldn't import hostname");
if (kex->gss_client &&
ssh_gssapi_client_identity(ctxt, kex->gss_client))
fatal("Couldn't acquire client credentials");
switch (kex->kex_type) {
case KEX_GSS_GRP1_SHA1:
dh = dh_new_group1();
break;
case KEX_GSS_GRP14_SHA1:
dh = dh_new_group14();
break;
case KEX_GSS_GEX_SHA1:
debug("Doing group exchange\n");
nbits = dh_estimate(kex->we_need * 8);
packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
packet_put_int(min);
packet_put_int(nbits);
packet_put_int(max);
packet_send();
packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
if ((p = BN_new()) == NULL)
fatal("BN_new() failed");
packet_get_bignum2(p);
if ((g = BN_new()) == NULL)
fatal("BN_new() failed");
packet_get_bignum2(g);
packet_check_eom();
if (BN_num_bits(p) < min || BN_num_bits(p) > max)
fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
min, BN_num_bits(p), max);
dh = dh_new_group(g, p);
break;
default:
fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
}
/* Step 1 - e is dh->pub_key */
dh_gen_key(dh, kex->we_need * 8);
/* This is f, we initialise it now to make life easier */
dh_server_pub = BN_new();
if (dh_server_pub == NULL)
fatal("dh_server_pub == NULL");
token_ptr = GSS_C_NO_BUFFER;
do {
debug("Calling gss_init_sec_context");
maj_status = ssh_gssapi_init_ctx(ctxt,
kex->gss_deleg_creds, token_ptr, &send_tok,
&ret_flags);
if (GSS_ERROR(maj_status)) {
if (send_tok.length != 0) {
packet_start(SSH2_MSG_KEXGSS_CONTINUE);
packet_put_string(send_tok.value,
send_tok.length);
}
fatal("gss_init_context failed");
}
/* If we've got an old receive buffer get rid of it */
if (token_ptr != GSS_C_NO_BUFFER)
xfree(recv_tok.value);
if (maj_status == GSS_S_COMPLETE) {
/* If mutual state flag is not true, kex fails */
if (!(ret_flags & GSS_C_MUTUAL_FLAG))
fatal("Mutual authentication failed");
/* If integ avail flag is not true kex fails */
if (!(ret_flags & GSS_C_INTEG_FLAG))
fatal("Integrity check failed");
}
/*
* If we have data to send, then the last message that we
* received cannot have been a 'complete'.
*/
if (send_tok.length != 0) {
if (first) {
packet_start(SSH2_MSG_KEXGSS_INIT);
packet_put_string(send_tok.value,
send_tok.length);
packet_put_bignum2(dh->pub_key);
first = 0;
} else {
packet_start(SSH2_MSG_KEXGSS_CONTINUE);
packet_put_string(send_tok.value,
send_tok.length);
}
packet_send();
gss_release_buffer(&min_status, &send_tok);
/* If we've sent them data, they should reply */
do {
type = packet_read();
if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
debug("Received KEXGSS_HOSTKEY");
if (serverhostkey)
fatal("Server host key received more than once");
serverhostkey =
packet_get_string(&slen);
}
} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
switch (type) {
case SSH2_MSG_KEXGSS_CONTINUE:
debug("Received GSSAPI_CONTINUE");
if (maj_status == GSS_S_COMPLETE)
fatal("GSSAPI Continue received from server when complete");
recv_tok.value = packet_get_string(&strlen);
recv_tok.length = strlen;
break;
case SSH2_MSG_KEXGSS_COMPLETE:
debug("Received GSSAPI_COMPLETE");
packet_get_bignum2(dh_server_pub);
msg_tok.value = packet_get_string(&strlen);
msg_tok.length = strlen;
/* Is there a token included? */
if (packet_get_char()) {
recv_tok.value=
packet_get_string(&strlen);
recv_tok.length = strlen;
/* If we're already complete - protocol error */
if (maj_status == GSS_S_COMPLETE)
packet_disconnect("Protocol error: received token when complete");
} else {
/* No token included */
if (maj_status != GSS_S_COMPLETE)
packet_disconnect("Protocol error: did not receive final token");
}
break;
case SSH2_MSG_KEXGSS_ERROR:
debug("Received Error");
maj_status = packet_get_int();
min_status = packet_get_int();
msg = packet_get_string(NULL);
lang = packet_get_string(NULL);
fatal("GSSAPI Error: \n%.400s",msg);
default:
packet_disconnect("Protocol error: didn't expect packet type %d",
type);
}
token_ptr = &recv_tok;
} else {
/* No data, and not complete */
if (maj_status != GSS_S_COMPLETE)
fatal("Not complete, and no token output");
}
} while (maj_status & GSS_S_CONTINUE_NEEDED);
/*
* We _must_ have received a COMPLETE message in reply from the
* server, which will have set dh_server_pub and msg_tok
*/
if (type != SSH2_MSG_KEXGSS_COMPLETE)
fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
/* Check f in range [1, p-1] */
if (!dh_pub_is_valid(dh, dh_server_pub))
packet_disconnect("bad server public DH value");
/* compute K=f^x mod p */
klen = DH_size(dh);
kbuf = xmalloc(klen);
kout = DH_compute_key(kbuf, dh_server_pub, dh);
if (kout < 0)
fatal("DH_compute_key: failed");
shared_secret = BN_new();
if (shared_secret == NULL)
fatal("kexgss_client: BN_new failed");
if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
fatal("kexdh_client: BN_bin2bn failed");
memset(kbuf, 0, klen);
xfree(kbuf);
switch (kex->kex_type) {
case KEX_GSS_GRP1_SHA1:
case KEX_GSS_GRP14_SHA1:
kex_dh_hash( kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
(serverhostkey ? serverhostkey : empty), slen,
dh->pub_key, /* e */
dh_server_pub, /* f */
shared_secret, /* K */
&hash, &hashlen
);
break;
case KEX_GSS_GEX_SHA1:
kexgex_hash(
kex->evp_md,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
(serverhostkey ? serverhostkey : empty), slen,
min, nbits, max,
dh->p, dh->g,
dh->pub_key,
dh_server_pub,
shared_secret,
&hash, &hashlen
);
break;
default:
fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
}
gssbuf.value = hash;
gssbuf.length = hashlen;
/* Verify that the hash matches the MIC we just got. */
if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
packet_disconnect("Hash's MIC didn't verify");
xfree(msg_tok.value);
DH_free(dh);
if (serverhostkey)
xfree(serverhostkey);
BN_clear_free(dh_server_pub);
/* save session id */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
if (kex->gss_deleg_creds)
ssh_gssapi_credentials_updated(ctxt);
if (gss_kex_context == NULL)
gss_kex_context = ctxt;
else
ssh_gssapi_delete_ctx(&ctxt);
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
/*
* Performs authentication of an incoming connection. Session key has already
* been exchanged and encryption is enabled.
*/
Authctxt *
do_authentication(void)
{
Authctxt *authctxt;
u_int ulen;
char *user, *style = NULL;
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
/* Get the user name. */
user = packet_get_string(&ulen);
packet_check_eom();
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
#ifdef KRB5
/* XXX - SSH.com Kerberos v5 braindeath. */
if ((datafellows & SSH_BUG_K5USER) &&
options.kerberos_authentication) {
char *p;
if ((p = strchr(user, '@')) != NULL)
*p = '\0';
}
#endif
authctxt = authctxt_new();
authctxt->user = user;
authctxt->style = style;
#ifdef HAVE_BSM
fatal_add_cleanup(audit_failed_login_cleanup, authctxt);
#endif /* HAVE_BSM */
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) {
authctxt->valid = 1;
} else {
authctxt->valid = 0;
debug("do_authentication: illegal user %s", user);
}
setproctitle("%s%s", authctxt->pw ? user : "******",
use_privsep ? " [net]" : "");
#if 0
#ifdef USE_PAM
PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
#endif
#endif
/*
* If we are not running as root, the user must have the same uid as
* the server. (Unless you are running Windows)
*/
#ifndef HAVE_CYGWIN
if (!use_privsep && getuid() != 0 && authctxt->pw &&
authctxt->pw->pw_uid != getuid())
packet_disconnect("Cannot change user when server not running as root.");
#endif
/*
* Loop until the user has been authenticated or the connection is
* closed, do_authloop() returns only if authentication is successful
*/
do_authloop(authctxt);
/* The user has been authenticated and accepted. */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
return (authctxt);
}
void
kexgex_client(Kex *kex)
{
BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
BIGNUM *p = NULL, *g = NULL;
Key *server_host_key;
u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
u_int klen, slen, sbloblen, hashlen;
int kout;
int min, max, nbits;
DH *dh;
nbits = dh_estimate(kex->dh_need * 8);
if (datafellows & SSH_OLD_DHGEX) {
/* Old GEX request */
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
packet_put_int(nbits);
min = DH_GRP_MIN;
max = DH_GRP_MAX;
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
} else {
/* New GEX request */
min = DH_GRP_MIN;
max = DH_GRP_MAX;
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
packet_put_int(min);
packet_put_int(nbits);
packet_put_int(max);
debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent",
min, nbits, max);
}
#ifdef DEBUG_KEXDH
fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n",
min, nbits, max);
#endif
packet_send();
debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP");
packet_read_expect(SSH2_MSG_KEX_DH_GEX_GROUP);
if ((p = BN_new()) == NULL)
fatal("BN_new");
packet_get_bignum2(p);
if ((g = BN_new()) == NULL)
fatal("BN_new");
packet_get_bignum2(g);
packet_check_eom();
if (BN_num_bits(p) < min || BN_num_bits(p) > max)
fatal("DH_GEX group out of range: %d !< %d !< %d",
min, BN_num_bits(p), max);
dh = dh_new_group(g, p);
dh_gen_key(dh, kex->we_need * 8);
#ifdef DEBUG_KEXDH
DHparams_print_fp(stderr, dh);
fprintf(stderr, "pub= ");
BN_print_fp(stderr, dh->pub_key);
fprintf(stderr, "\n");
#endif
debug("SSH2_MSG_KEX_DH_GEX_INIT sent");
/* generate and send 'e', client DH public key */
packet_start(SSH2_MSG_KEX_DH_GEX_INIT);
packet_put_bignum2(dh->pub_key);
packet_send();
debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY");
packet_read_expect(SSH2_MSG_KEX_DH_GEX_REPLY);
/* key, cert */
server_host_key_blob = packet_get_string(&sbloblen);
server_host_key = key_from_blob(server_host_key_blob, sbloblen);
if (server_host_key == NULL)
fatal("cannot decode server_host_key_blob");
if (server_host_key->type != kex->hostkey_type)
fatal("type mismatch for decoded server_host_key_blob");
if (kex->verify_host_key == NULL)
fatal("cannot verify server_host_key");
if (kex->verify_host_key(server_host_key) == -1)
fatal("server_host_key verification failed");
/* DH parameter f, server public DH key */
if ((dh_server_pub = BN_new()) == NULL)
fatal("dh_server_pub == NULL");
packet_get_bignum2(dh_server_pub);
#ifdef DEBUG_KEXDH
fprintf(stderr, "dh_server_pub= ");
BN_print_fp(stderr, dh_server_pub);
fprintf(stderr, "\n");
debug("bits %d", BN_num_bits(dh_server_pub));
#endif
/* signed H */
signature = packet_get_string(&slen);
packet_check_eom();
if (!dh_pub_is_valid(dh, dh_server_pub))
packet_disconnect("bad server public DH value");
klen = DH_size(dh);
kbuf = xmalloc(klen);
if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0)
fatal("DH_compute_key: failed");
#ifdef DEBUG_KEXDH
dump_digest("shared secret", kbuf, kout);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("kexgex_client: BN_new failed");
if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
fatal("kexgex_client: BN_bin2bn failed");
explicit_bzero(kbuf, klen);
free(kbuf);
if (datafellows & SSH_OLD_DHGEX)
min = max = -1;
/* calc and verify H */
kexgex_hash(
kex->hash_alg,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
server_host_key_blob, sbloblen,
min, nbits, max,
dh->p, dh->g,
dh->pub_key,
dh_server_pub,
shared_secret,
&hash, &hashlen
);
/* have keys, free DH */
DH_free(dh);
free(server_host_key_blob);
BN_clear_free(dh_server_pub);
if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
free(signature);
/* save session id */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
void
kexecdh_server(Kex *kex)
{
EC_POINT *client_public;
EC_KEY *server_key;
const EC_GROUP *group;
BIGNUM *shared_secret;
Key *server_host_private, *server_host_public;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
int curve_nid;
if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1)
fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name);
if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL)
fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
if (EC_KEY_generate_key(server_key) != 1)
fatal("%s: EC_KEY_generate_key failed", __func__);
group = EC_KEY_get0_group(server_key);
#ifdef DEBUG_KEXECDH
fputs("server private key:\n", stderr);
key_dump_ec_key(server_key);
#endif
if (kex->load_host_public_key == NULL ||
kex->load_host_private_key == NULL)
fatal("Cannot load hostkey");
server_host_public = kex->load_host_public_key(kex->hostkey_type);
if (server_host_public == NULL)
fatal("Unsupported hostkey type %d", kex->hostkey_type);
server_host_private = kex->load_host_private_key(kex->hostkey_type);
if (server_host_private == NULL)
fatal("Missing private key for hostkey type %d",
kex->hostkey_type);
debug("expecting SSH2_MSG_KEX_ECDH_INIT");
packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
if ((client_public = EC_POINT_new(group)) == NULL)
fatal("%s: EC_POINT_new failed", __func__);
packet_get_ecpoint(group, client_public);
packet_check_eom();
if (key_ec_validate_public(group, client_public) != 0)
fatal("%s: invalid client public key", __func__);
#ifdef DEBUG_KEXECDH
fputs("client public key:\n", stderr);
key_dump_ec_point(group, client_public);
#endif
/* Calculate shared_secret */
klen = (EC_GROUP_get_degree(group) + 7) / 8;
kbuf = xmalloc(klen);
if (ECDH_compute_key(kbuf, klen, client_public,
server_key, NULL) != (int)klen)
fatal("%s: ECDH_compute_key failed", __func__);
#ifdef DEBUG_KEXDH
dump_digest("shared secret", kbuf, klen);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("%s: BN_new failed", __func__);
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
fatal("%s: BN_bin2bn failed", __func__);
memset(kbuf, 0, klen);
xfree(kbuf);
/* calc H */
key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
kex_ecdh_hash(
kex->evp_md,
group,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
buffer_ptr(&kex->my), buffer_len(&kex->my),
server_host_key_blob, sbloblen,
client_public,
EC_KEY_get0_public_key(server_key),
shared_secret,
&hash, &hashlen
);
EC_POINT_clear_free(client_public);
/* save session id := H */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
if (PRIVSEP(key_sign(server_host_private, &signature, &slen,
hash, hashlen)) < 0)
fatal("kexdh_server: key_sign failed");
/* destroy_sensitive_data(); */
/* send server hostkey, ECDH pubkey 'Q_S' and signed H */
packet_start(SSH2_MSG_KEX_ECDH_REPLY);
packet_put_string(server_host_key_blob, sbloblen);
packet_put_ecpoint(group, EC_KEY_get0_public_key(server_key));
packet_put_string(signature, slen);
packet_send();
xfree(signature);
xfree(server_host_key_blob);
/* have keys, free server key */
EC_KEY_free(server_key);
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
void do_connection(int privileged_port)
{
int i;
MP_INT session_key_int;
unsigned char session_key[SSH_SESSION_KEY_LENGTH];
unsigned char check_bytes[8];
char *user;
unsigned int cipher_type, auth_mask, protocol_flags;
/* Generate check bytes that the client must send back in the user packet
in order for it to be accepted; this is used to defy ip spoofing
attacks. Note that this only works against somebody doing IP spoofing
from a remote machine; any machine on the local network can still see
outgoing packets and catch the random cookie. This only affects
rhosts authentication, and this is one of the reasons why it is
inherently insecure. */
for (i = 0; i < 8; i++)
check_bytes[i] = random_get_byte(&sensitive_data.random_state);
/* Send our public key. We include in the packet 64 bits of random
data that must be matched in the reply in order to prevent IP spoofing. */
packet_start(SSH_SMSG_PUBLIC_KEY);
for (i = 0; i < 8; i++)
packet_put_char(check_bytes[i]);
/* Store our public server RSA key. */
packet_put_int(public_key.bits);
packet_put_mp_int(&public_key.e);
packet_put_mp_int(&public_key.n);
/* Store our public host RSA key. */
packet_put_int(sensitive_data.host_key.bits);
packet_put_mp_int(&sensitive_data.host_key.e);
packet_put_mp_int(&sensitive_data.host_key.n);
/* Put protocol flags. */
packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
/* Declare which ciphers we support. */
packet_put_int(cipher_mask());
/* Declare supported authentication types. */
auth_mask = 0;
if (options.rhosts_authentication)
auth_mask |= 1 << SSH_AUTH_RHOSTS;
if (options.rhosts_rsa_authentication)
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
if (options.rsa_authentication)
auth_mask |= 1 << SSH_AUTH_RSA;
if (options.password_authentication)
auth_mask |= 1 << SSH_AUTH_PASSWORD;
packet_put_int(auth_mask);
/* Send the packet and wait for it to be sent. */
packet_send();
packet_write_wait();
debug("Sent %d bit public key and %d bit host key.", public_key.bits, sensitive_data.host_key.bits);
/* Read clients reply (cipher type and session key). */
packet_read_expect(SSH_CMSG_SESSION_KEY);
/* Get cipher type. */
cipher_type = packet_get_char();
/* Get check bytes from the packet. These must match those we sent earlier
with the public key packet. */
for (i = 0; i < 8; i++)
if (check_bytes[i] != packet_get_char())
packet_disconnect("IP Spoofing check bytes do not match.");
debug("Encryption type: %.200s", cipher_name(cipher_type));
/* Get the encrypted integer. */
mpz_init(&session_key_int);
packet_get_mp_int(&session_key_int);
/* Get protocol flags. */
protocol_flags = packet_get_int();
packet_set_protocol_flags(protocol_flags);
/* Decrypt it using our private server key and private host key (key with
larger modulus first). */
if (mpz_cmp(&sensitive_data.private_key.n, &sensitive_data.host_key.n) > 0) {
/* Private key has bigger modulus. */
assert(sensitive_data.private_key.bits >= sensitive_data.host_key.bits + SSH_KEY_BITS_RESERVED);
rsa_private_decrypt(&session_key_int, &session_key_int, &sensitive_data.private_key);
rsa_private_decrypt(&session_key_int, &session_key_int, &sensitive_data.host_key);
} else {
/* Host key has bigger modulus (or they are equal). */
assert(sensitive_data.host_key.bits >= sensitive_data.private_key.bits + SSH_KEY_BITS_RESERVED);
rsa_private_decrypt(&session_key_int, &session_key_int, &sensitive_data.host_key);
rsa_private_decrypt(&session_key_int, &session_key_int, &sensitive_data.private_key);
}
/* Compute session id for this session. */
compute_session_id(session_id, check_bytes, sensitive_data.host_key.bits, &sensitive_data.host_key.n, sensitive_data.private_key.bits, &sensitive_data.private_key.n);
/* Extract session key from the decrypted integer. The key is in the
least significant 256 bits of the integer; the first byte of the
key is in the highest bits. */
mp_linearize_msb_first(session_key, sizeof(session_key), &session_key_int);
/* Xor the first 16 bytes of the session key with the session id. */
for (i = 0; i < 16; i++)
session_key[i] ^= session_id[i];
/* Destroy the decrypted integer. It is no longer needed. */
mpz_clear(&session_key_int);
/* Set the session key. From this on all communications will be
encrypted. */
packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type, 0);
/* Destroy our copy of the session key. It is no longer needed. */
memset(session_key, 0, sizeof(session_key));
debug("Received session key; encryption turned on.");
/* Send an acknowledgement packet. Note that this packet is sent
encrypted. */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
/* Get the user name. */
user = packet_get_string(NULL);
/* Destroy the private and public keys. They will no longer be needed. */
rsa_clear_public_key(&public_key);
rsa_clear_private_key(&sensitive_data.private_key);
rsa_clear_private_key(&sensitive_data.host_key);
/* Do the authentication. */
do_authentication(user, privileged_port, cipher_type);
}
