/* Handle requests for a channel. These can be execution requests,
* or x11/authagent forwarding. These are passed to appropriate handlers */
void chansessionrequest(struct Channel *channel) {
unsigned char * type;
unsigned int typelen;
unsigned char wantreply;
int ret = 1;
struct ChanSess *chansess;
TRACE(("enter chansessionrequest"));
assert(channel->type == CHANNEL_ID_SESSION);
type = buf_getstring(ses.payload, &typelen);
wantreply = buf_getbyte(ses.payload);
if (typelen > MAX_NAME_LEN) {
send_msg_channel_failure(channel);
m_free(type);
TRACE(("leave chansessionrequest: type too long")); /* XXX send error?*/
return;
}
chansess = (struct ChanSess*)channel->typedata;
assert(chansess != NULL);
TRACE(("type is %s\n", type));
if (strcmp(type, "window-change") == 0) {
ret = sessionwinchange(chansess);
} else if (strcmp(type, "shell") == 0) {
ret = sessioncommand(channel, chansess, 0);
} else if (strcmp(type, "pty-req") == 0) {
ret = sessionpty(chansess);
} else if (strcmp(type, "exec") == 0) {
ret = sessioncommand(channel, chansess, 1);
#ifndef DISABLE_X11FWD
} else if (strcmp(type, "x11-req") == 0) {
ret = x11req(chansess);
#endif
#ifndef DISABLE_AGENTFWD
} else if (strcmp(type, "*****@*****.**") == 0) {
ret = agentreq(chansess);
#endif
} else if (strcmp(type, "signal") == 0) {
ret = sessionsignal(chansess);
} else {
/* etc, todo "env", "subsystem" */
}
if (wantreply) {
if (ret == 0) {
send_msg_channel_success(channel);
} else {
send_msg_channel_failure(channel);
}
}
m_free(type);
TRACE(("leave chansessionrequest"));
}
/* Get a bool from the buffer and increment the pos */
unsigned char buf_getbool(buffer* buf) {
unsigned char b;
b = buf_getbyte(buf);
if (b != 0)
b = 1;
return b;
}
/* Notification that our channel open request failed */
void recv_msg_channel_open_failure() {
unsigned int chan;
struct Channel * channel;
chan = buf_getbyte(ses.payload);
channel = getchannel(chan);
if (channel == NULL) {
dropbear_exit("Unknown channel");
}
closechannel(channel);
}
/* process a decrypted packet, call the appropriate handler */
void process_packet() {
unsigned char type;
TRACE(("enter process_packet"));
type = buf_getbyte(ses.payload);
TRACE(("process_packet: packet type = %d", type));
/* these packets we can receive at any time, regardless of expecting
* other packets: */
switch(type) {
case SSH_MSG_IGNORE:
case SSH_MSG_DEBUG:
TRACE(("received SSH_MSG_IGNORE or SSH_MSG_DEBUG"));
goto out;
case SSH_MSG_UNIMPLEMENTED:
/* debugging XXX */
TRACE(("SSH_MSG_UNIMPLEMENTED"));
dropbear_exit("received SSH_MSG_UNIMPLEMENTED");
case SSH_MSG_DISCONNECT:
/* TODO cleanup? */
dropbear_close("Disconnect received");
}
/* check that we aren't expecting a particular packet */
if (ses.expecting && ses.expecting != type) {
/* TODO send disconnect? */
dropbear_exit("unexpected packet type %d, expected %d", type,
ses.expecting);
}
/* handle the packet depending on type */
ses.expecting = 0;
switch (type) {
case SSH_MSG_SERVICE_REQUEST:
recv_msg_service_request();
break;
case SSH_MSG_USERAUTH_REQUEST:
recv_msg_userauth_request();
break;
case SSH_MSG_KEXINIT:
recv_msg_kexinit();
break;
case SSH_MSG_KEXDH_INIT:
recv_msg_kexdh_init();
break;
case SSH_MSG_NEWKEYS:
recv_msg_newkeys();
break;
/* this is ugly, need to make a cleaner way to do it */
case SSH_MSG_CHANNEL_DATA:
case SSH_MSG_CHANNEL_WINDOW_ADJUST:
case SSH_MSG_CHANNEL_REQUEST:
case SSH_MSG_CHANNEL_OPEN:
case SSH_MSG_CHANNEL_EOF:
case SSH_MSG_CHANNEL_CLOSE:
case SSH_MSG_CHANNEL_OPEN_CONFIRMATION:
case SSH_MSG_CHANNEL_OPEN_FAILURE:
/* these should be checked for authdone below */
process_postauth_packet(type);
break;
default:
/* TODO this possibly should be handled */
TRACE(("unknown packet"));
recv_unimplemented();
break;
}
out:
buf_free(ses.payload);
ses.payload = NULL;
TRACE(("leave process_packet"));
}
/* handle the received packet */
void decrypt_packet() {
unsigned char blocksize;
unsigned char macsize;
unsigned int padlen;
unsigned int len;
TRACE(("enter decrypt_packet"));
blocksize = ses.keys->recv_algo_crypt->blocksize;
macsize = ses.keys->recv_algo_mac->hashsize;
ses.kexstate.datarecv += ses.readbuf->len;
/* we've already decrypted the first blocksize in read_packet_init */
buf_setpos(ses.readbuf, blocksize);
buf_resize(ses.decryptreadbuf, ses.readbuf->len - macsize);
buf_setlen(ses.decryptreadbuf, ses.decryptreadbuf->size);
buf_setpos(ses.decryptreadbuf, blocksize);
/* decrypt if encryption is set, memcpy otherwise */
if (ses.keys->recv_algo_crypt->cipherdesc == NULL) {
/* copy it */
len = ses.readbuf->len - macsize - blocksize;
memcpy(buf_getwriteptr(ses.decryptreadbuf, len),
buf_getptr(ses.readbuf, len), len);
} else {
/* decrypt */
while (ses.readbuf->pos < ses.readbuf->len - macsize) {
if (cbc_decrypt(buf_getptr(ses.readbuf, blocksize),
buf_getwriteptr(ses.decryptreadbuf, blocksize),
&ses.keys->recv_symmetric_struct) != CRYPT_OK) {
dropbear_exit("error decrypting");
}
buf_incrpos(ses.readbuf, blocksize);
buf_incrwritepos(ses.decryptreadbuf, blocksize);
}
}
/* check the hmac */
buf_setpos(ses.readbuf, ses.readbuf->len - macsize);
if (checkmac(ses.readbuf, ses.decryptreadbuf) != DROPBEAR_SUCCESS) {
dropbear_exit("Integrity error");
}
/* readbuf no longer required */
buf_free(ses.readbuf);
ses.readbuf = NULL;
/* get padding length */
buf_setpos(ses.decryptreadbuf, PACKET_PADDING_OFF);
padlen = buf_getbyte(ses.decryptreadbuf);
/* payload length */
/* - 4 - 1 is for LEN and PADLEN values */
len = ses.decryptreadbuf->len - padlen - 4 - 1;
if ((len > MAX_PAYLOAD_LEN) || (len < 1)) {
dropbear_exit("bad packet size");
}
buf_setpos(ses.decryptreadbuf, PACKET_PAYLOAD_OFF);
#ifndef DISABLE_ZLIB
if (ses.keys->recv_algo_comp == DROPBEAR_COMP_ZLIB) {
/* decompress */
ses.payload = buf_decompress(ses.decryptreadbuf, len);
} else
#endif
{
/* copy payload */
ses.payload = buf_new(len);
memcpy(ses.payload->data, buf_getptr(ses.decryptreadbuf, len), len);
buf_incrlen(ses.payload, len);
}
buf_free(ses.decryptreadbuf);
ses.decryptreadbuf = NULL;
buf_setpos(ses.payload, 0);
ses.recvseq++;
TRACE(("leave decrypt_packet"));
}
/* process a decrypted packet, call the appropriate handler */
void process_packet() {
unsigned char type;
unsigned int i;
TRACE2(("enter process_packet"))
type = buf_getbyte(ses.payload);
TRACE(("process_packet: packet type = %d, len %d", type, ses.payload->len))
ses.lastpacket = type;
ses.last_packet_time = time(NULL);
/* These packets we can receive at any time */
switch(type) {
case SSH_MSG_IGNORE:
goto out;
case SSH_MSG_DEBUG:
goto out;
case SSH_MSG_UNIMPLEMENTED:
/* debugging XXX */
TRACE(("SSH_MSG_UNIMPLEMENTED"))
dropbear_exit("Received SSH_MSG_UNIMPLEMENTED");
case SSH_MSG_DISCONNECT:
/* TODO cleanup? */
dropbear_close("Disconnect received");
}
/* This applies for KEX, where the spec says the next packet MUST be
* NEWKEYS */
if (ses.requirenext != 0) {
if (ses.requirenext == type)
{
/* Got what we expected */
TRACE(("got expected packet %d during kexinit", type))
}
else
{
/* RFC4253 7.1 - various messages are allowed at this point.
The only ones we know about have already been handled though,
so just return "unimplemented" */
if (type >= 1 && type <= 49
&& type != SSH_MSG_SERVICE_REQUEST
&& type != SSH_MSG_SERVICE_ACCEPT
&& type != SSH_MSG_KEXINIT)
{
TRACE(("unknown allowed packet during kexinit"))
recv_unimplemented();
goto out;
}
else
{
TRACE(("disallowed packet during kexinit"))
dropbear_exit("Unexpected packet type %d, expected %d", type,
ses.requirenext);
}
}
}
/* Check if we should ignore this packet. Used currently only for
* KEX code, with first_kex_packet_follows */
if (ses.ignorenext) {
TRACE(("Ignoring packet, type = %d", type))
ses.ignorenext = 0;
goto out;
}
/* Only clear the flag after we have checked ignorenext */
if (ses.requirenext != 0 && ses.requirenext == type)
{
ses.requirenext = 0;
}
/* Kindly the protocol authors gave all the preauth packets type values
* less-than-or-equal-to 60 ( == MAX_UNAUTH_PACKET_TYPE ).
* NOTE: if the protocol changes and new types are added, revisit this
* assumption */
if ( !ses.authstate.authdone && type > MAX_UNAUTH_PACKET_TYPE ) {
dropbear_exit("Received message %d before userauth", type);
}
for (i = 0; ; i++) {
if (ses.packettypes[i].type == 0) {
/* end of list */
break;
}
if (ses.packettypes[i].type == type) {
ses.packettypes[i].handler();
goto out;
}
}
/* TODO do something more here? */
TRACE(("preauth unknown packet"))
recv_unimplemented();
out:
buf_free(ses.payload);
ses.payload = NULL;
TRACE2(("leave process_packet"))
}
/* read the client's choice of algorithms */
static void read_kex() {
algo_type * algo;
unsigned char* str;
char * erralgo = NULL;
buf_incrpos(ses.payload, 16); /* start after the cookie */
ses.newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
/* kex_algorithms */
algo = buf_match_algo(ses.payload, sshkex);
if (algo == NULL) {
erralgo = "kex";
goto error;
}
ses.newkeys->algo_kex = algo->val;
/* server_host_key_algorithms */
algo = buf_match_algo(ses.payload, sshhostkey);
if (algo == NULL) {
erralgo = "hostkey";
goto error;
}
ses.newkeys->algo_hostkey = algo->val;
/* encryption_algorithms_client_to_server */
algo = buf_match_algo(ses.payload, sshciphers);
if (algo == NULL) {
erralgo = "enc c->s";
goto error;
}
ses.newkeys->recv_algo_crypt = (struct dropbear_cipher*)algo->data;
/* encryption_algorithms_server_to_client */
algo = buf_match_algo(ses.payload, sshciphers);
if (algo == NULL) {
erralgo = "enc s->c";
goto error;
}
ses.newkeys->trans_algo_crypt = (struct dropbear_cipher*)algo->data;
/* mac_algorithms_client_to_server */
algo = buf_match_algo(ses.payload, sshhashes);
if (algo == NULL) {
erralgo = "mac c->s";
goto error;
}
ses.newkeys->recv_algo_mac = (struct dropbear_hash*)algo->data;
/* mac_algorithms_server_to_client */
algo = buf_match_algo(ses.payload, sshhashes);
if (algo == NULL) {
erralgo = "mac s->c";
goto error;
}
ses.newkeys->trans_algo_mac = (struct dropbear_hash*)algo->data;
/* compression_algorithms_client_to_server */
algo = buf_match_algo(ses.payload, sshcompress);
if (algo == NULL) {
erralgo = "comp c->s";
goto error;
}
ses.newkeys->recv_algo_comp = algo->val;
/* compression_algorithms_server_to_client */
algo = buf_match_algo(ses.payload, sshcompress);
if (algo == NULL) {
erralgo = "comp s->c";
goto error;
}
ses.newkeys->trans_algo_comp = algo->val;
/* languages_client_to_server */
str = buf_getstring(ses.payload, NULL);
m_free(str);
/* languages_server_to_client */
str = buf_getstring(ses.payload, NULL);
m_free(str);
/* first_kex_packet_follows */
if (buf_getbyte(ses.payload)) {
ses.kexstate.firstfollows = 1;
/* XXX currently not handled */
}
/* reserved for future extensions */
buf_getint(ses.payload);
return;
error:
dropbear_exit("no matching algo %s", erralgo);
}
/* process a decrypted packet, call the appropriate handler */
void process_packet() {
unsigned char type;
unsigned int i;
TRACE(("enter process_packet"))
type = buf_getbyte(ses.payload);
TRACE(("process_packet: packet type = %d", type))
ses.lastpacket = type;
/* These packets we can receive at any time */
switch(type) {
case SSH_MSG_IGNORE:
case SSH_MSG_DEBUG:
TRACE(("received SSH_MSG_IGNORE or SSH_MSG_DEBUG"))
goto out;
case SSH_MSG_UNIMPLEMENTED:
/* debugging XXX */
TRACE(("SSH_MSG_UNIMPLEMENTED"))
dropbear_exit("received SSH_MSG_UNIMPLEMENTED");
case SSH_MSG_DISCONNECT:
/* TODO cleanup? */
dropbear_close("Disconnect received");
}
/* This applies for KEX, where the spec says the next packet MUST be
* NEWKEYS */
if (ses.requirenext != 0) {
if (ses.requirenext != type) {
/* TODO send disconnect? */
dropbear_exit("unexpected packet type %d, expected %d", type,
ses.requirenext);
} else {
/* Got what we expected */
ses.requirenext = 0;
}
}
/* Check if we should ignore this packet. Used currently only for
* KEX code, with first_kex_packet_follows */
if (ses.ignorenext) {
TRACE(("Ignoring packet, type = %d", type))
ses.ignorenext = 0;
goto out;
}
/* Kindly the protocol authors gave all the preauth packets type values
* less-than-or-equal-to 60 ( == MAX_UNAUTH_PACKET_TYPE ).
* NOTE: if the protocol changes and new types are added, revisit this
* assumption */
if ( !ses.authstate.authdone && type > MAX_UNAUTH_PACKET_TYPE ) {
dropbear_exit("received message %d before userauth", type);
}
for (i = 0; ; i++) {
if (ses.packettypes[i].type == 0) {
/* end of list */
break;
}
if (ses.packettypes[i].type == type) {
ses.packettypes[i].handler();
goto out;
}
}
/* TODO do something more here? */
TRACE(("preauth unknown packet"))
recv_unimplemented();
out:
buf_free(ses.payload);
ses.payload = NULL;
TRACE(("leave process_packet"))
}
/* Parse pubkey options and set ses.authstate.pubkey_options accordingly.
* Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */
int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filename) {
int ret = DROPBEAR_FAILURE;
TRACE(("enter addpubkeyoptions"))
ses.authstate.pubkey_options = (struct PubKeyOptions*)m_malloc(sizeof( struct PubKeyOptions ));
buf_setpos(options_buf, 0);
while (options_buf->pos < options_buf->len) {
if (match_option(options_buf, "no-port-forwarding") == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Port forwarding disabled.");
ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
goto next_option;
}
#ifdef ENABLE_SVR_AGENTFWD
if (match_option(options_buf, "no-agent-forwarding") == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Agent forwarding disabled.");
ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
goto next_option;
}
#endif
#ifdef ENABLE_X11FWD
if (match_option(options_buf, "no-X11-forwarding") == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "X11 forwarding disabled.");
ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
goto next_option;
}
#endif
if (match_option(options_buf, "no-pty") == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Pty allocation disabled.");
ses.authstate.pubkey_options->no_pty_flag = 1;
goto next_option;
}
if (match_option(options_buf, "command=\"") == DROPBEAR_SUCCESS) {
int escaped = 0;
const unsigned char* command_start = buf_getptr(options_buf, 0);
while (options_buf->pos < options_buf->len) {
const char c = buf_getbyte(options_buf);
if (!escaped && c == '"') {
const int command_len = buf_getptr(options_buf, 0) - command_start;
ses.authstate.pubkey_options->forced_command = m_malloc(command_len);
memcpy(ses.authstate.pubkey_options->forced_command,
command_start, command_len-1);
ses.authstate.pubkey_options->forced_command[command_len-1] = '\0';
dropbear_log(LOG_WARNING, "Forced command '%s'",
ses.authstate.pubkey_options->forced_command);
goto next_option;
}
escaped = (!escaped && c == '\\');
}
dropbear_log(LOG_WARNING, "Badly formatted command= authorized_keys option");
goto bad_option;
}
next_option:
/*
* Skip the comma, and move to the next option
* (or break out if there are no more).
*/
if (options_buf->pos < options_buf->len
&& buf_getbyte(options_buf) != ',') {
goto bad_option;
}
/* Process the next option. */
}
/* parsed all options with no problem */
ret = DROPBEAR_SUCCESS;
goto end;
bad_option:
ret = DROPBEAR_FAILURE;
m_free(ses.authstate.pubkey_options);
ses.authstate.pubkey_options = NULL;
dropbear_log(LOG_WARNING, "Bad public key options at %s:%d", filename, line_num);
end:
TRACE(("leave addpubkeyoptions"))
return ret;
}
/* Set up a session pty which will be used to execute the shell or program.
* The pty is allocated now, and kept for when the shell/program executes.
* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
static int sessionpty(struct ChanSess * chansess) {
unsigned int termlen;
unsigned char namebuf[65];
struct termios termio;
TRACE(("enter sessionpty"));
chansess->term = buf_getstring(ses.payload, &termlen);
if (termlen > MAX_TERM_LEN) {
/* TODO send disconnect ? */
TRACE(("leave sessionpty: term len too long"));
return DROPBEAR_FAILURE;
}
chansess->termc = buf_getint(ses.payload);
chansess->termr = buf_getint(ses.payload);
chansess->termw = buf_getint(ses.payload);
chansess->termh = buf_getint(ses.payload);
/* allocate the pty */
assert(chansess->master == -1); /* haven't already got one */
if (pty_allocate(&chansess->master, &chansess->slave, namebuf, 64) == 0) {
TRACE(("leave sessionpty: failed to allocate pty"));
return DROPBEAR_FAILURE;
}
chansess->tty = (char*)strdup(namebuf);
if (!chansess->tty) {
dropbear_exit("out of memory"); /* TODO disconnect */
}
pty_setowner(ses.authstate.pw, chansess->tty);
pty_change_window_size(chansess->master, chansess->termr, chansess->termc,
chansess->termw, chansess->termh);
/* Term modes */
/* We'll ignore errors and continue if we can't set modes.
* We're ignoring baud rates since they seem evil */
if (tcgetattr(chansess->master, &termio) == 0) {
unsigned char opcode;
unsigned int value;
const struct TermCode * termcode;
while (((opcode = buf_getbyte(ses.payload)) != 0x00) &&
opcode <= 159) {
/* handle types of code */
if (opcode > MAX_TERMCODE) {
continue;
}
termcode = &termcodes[(unsigned int)opcode];
value = buf_getint(ses.payload);
switch (termcode->type) {
case TERMCODE_NONE:
break;
case TERMCODE_CONTROLCHAR:
termio.c_cc[termcode->mapcode] = value;
break;
case TERMCODE_INPUT:
if (value) {
termio.c_iflag |= termcode->mapcode;
} else {
termio.c_iflag &= ~(termcode->mapcode);
}
break;
case TERMCODE_OUTPUT:
if (value) {
termio.c_oflag |= termcode->mapcode;
} else {
termio.c_oflag &= ~(termcode->mapcode);
}
break;
case TERMCODE_LOCAL:
if (value) {
termio.c_lflag |= termcode->mapcode;
} else {
termio.c_lflag &= ~(termcode->mapcode);
}
break;
case TERMCODE_CONTROL:
if (value) {
termio.c_cflag |= termcode->mapcode;
} else {
termio.c_cflag &= ~(termcode->mapcode);
}
break;
}
}
if (tcsetattr(chansess->master, TCSANOW, &termio) < 0) {
dropbear_log(LOG_INFO, "error setting terminal attributes");
}
}
TRACE(("leave sessionpty"));
return DROPBEAR_SUCCESS;
}
/* Process a password auth request, sending success or failure messages as
* appropriate */
void passwordauth() {
#ifdef HAVE_SHADOW_H
struct spwd *spasswd;
#endif
char * passwdcrypt; /* the crypt from /etc/passwd or /etc/shadow */
char * testcrypt; /* crypt generated from the user's password sent */
unsigned char * password;
unsigned int passwordlen;
unsigned char changepw;
passwdcrypt = ses.authstate.pw->pw_passwd;
#ifdef HAVE_SHADOW_H
/* get the shadow password if possible */
spasswd = getspnam(ses.authstate.pw->pw_name);
if (spasswd != NULL && spasswd->sp_pwdp != NULL) {
passwdcrypt = spasswd->sp_pwdp;
}
#endif
#ifdef DEBUG_HACKCRYPT
/* debugging crypt for non-root testing with shadows */
passwdcrypt = DEBUG_HACKCRYPT;
#endif
/* check for empty password - need to do this again here
* since the shadow password may differ to that tested
* in auth.c */
if (passwdcrypt[0] == '\0') {
dropbear_log(LOG_WARNING,
"disallowed login with empty password for '%s' from %s",
ses.authstate.printableuser, ses.addrstring);
send_msg_userauth_failure(0, 1);
return;
}
/* check if client wants to change password */
changepw = buf_getbyte(ses.payload);
if (changepw) {
/* not implemented by this server */
send_msg_userauth_failure(0, 1);
return;
}
password = buf_getstring(ses.payload, &passwordlen);
/* clear the buffer containing the password */
buf_incrpos(ses.payload, -passwordlen - 4);
m_burn(buf_getptr(ses.payload, passwordlen + 4), passwordlen + 4);
/* the first bytes of passwdcrypt are the salt */
testcrypt = crypt((char*)password, passwdcrypt);
if (strcmp(testcrypt, passwdcrypt) == 0) {
/* successful authentication */
dropbear_log(LOG_NOTICE,
"password auth succeeded for '%s' from %s",
ses.authstate.printableuser, ses.addrstring);
send_msg_userauth_success();
} else {
dropbear_log(LOG_WARNING,
"bad password attempt for '%s' from %s",
ses.authstate.printableuser, ses.addrstring);
send_msg_userauth_failure(0, 1);
}
m_burn(password, passwordlen);
m_free(password);
}