1323136Sdes/* $OpenBSD: sshconnect1.c,v 1.80 2017/03/10 03:53:11 dtucker Exp $ */ 260573Skris/* 360573Skris * Author: Tatu Ylonen <ylo@cs.hut.fi> 460573Skris * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 560573Skris * All rights reserved 660573Skris * Code to connect to a remote host, and to perform the client side of the 760573Skris * login (authentication) dialog. 860573Skris * 965674Skris * As far as I am concerned, the code I have written for this software 1065674Skris * can be used freely for any purpose. Any derived versions of this 1165674Skris * software must be clearly marked as such, and if the derived work is 1265674Skris * incompatible with the protocol description in the RFC file, it must be 1365674Skris * called by a name other than "ssh" or "Secure Shell". 1460573Skris */ 1560573Skris 1660573Skris#include "includes.h" 1760573Skris 18294332Sdes#ifdef WITH_SSH1 19294332Sdes 20162856Sdes#include <sys/types.h> 21162856Sdes#include <sys/socket.h> 22162856Sdes 2360573Skris#include <openssl/bn.h> 2460573Skris 25294332Sdes#include <errno.h> 26162856Sdes#include <stdarg.h> 27162856Sdes#include <stdio.h> 28162856Sdes#include <stdlib.h> 29162856Sdes#include <string.h> 30162856Sdes#include <signal.h> 31162856Sdes#include <pwd.h> 32162856Sdes 33162856Sdes#include "xmalloc.h" 3476262Sgreen#include "ssh.h" 3576262Sgreen#include "ssh1.h" 3660573Skris#include "rsa.h" 3760573Skris#include "buffer.h" 3860573Skris#include "packet.h" 39162856Sdes#include "key.h" 40162856Sdes#include "cipher.h" 41137019Sdes#include "kex.h" 4260573Skris#include "uidswap.h" 4376262Sgreen#include "log.h" 44294328Sdes#include "misc.h" 4560573Skris#include "readconf.h" 4665674Skris#include "authfd.h" 4760573Skris#include "sshconnect.h" 4860573Skris#include "authfile.h" 4976262Sgreen#include "canohost.h" 50162856Sdes#include "hostfile.h" 5176265Sgreen#include "auth.h" 52263712Sdes#include "digest.h" 53294332Sdes#include "ssherr.h" 5460573Skris 5560573Skris/* Session id for the current session. */ 5676262Sgreenu_char session_id[16]; 5776262Sgreenu_int supported_authentications = 0; 5860573Skris 5960573Skrisextern Options options; 6060573Skrisextern char *__progname; 6160573Skris 6260573Skris/* 6360573Skris * Checks if the user has an authentication agent, and if so, tries to 6460573Skris * authenticate using the agent. 6560573Skris */ 6692559Sdesstatic int 6776262Sgreentry_agent_authentication(void) 6860573Skris{ 69294332Sdes int r, type, agent_fd, ret = 0; 7076262Sgreen u_char response[16]; 71294332Sdes size_t i; 7265674Skris BIGNUM *challenge; 73294332Sdes struct ssh_identitylist *idlist = NULL; 7460573Skris 7560573Skris /* Get connection to the agent. */ 76294332Sdes if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) { 77294332Sdes if (r != SSH_ERR_AGENT_NOT_PRESENT) 78294332Sdes debug("%s: ssh_get_authentication_socket: %s", 79294332Sdes __func__, ssh_err(r)); 8060573Skris return 0; 81294332Sdes } 8260573Skris 8392559Sdes if ((challenge = BN_new()) == NULL) 8492559Sdes fatal("try_agent_authentication: BN_new failed"); 85294332Sdes 8660573Skris /* Loop through identities served by the agent. */ 87294332Sdes if ((r = ssh_fetch_identitylist(agent_fd, 1, &idlist)) != 0) { 88294332Sdes if (r != SSH_ERR_AGENT_NO_IDENTITIES) 89294332Sdes debug("%s: ssh_fetch_identitylist: %s", 90294332Sdes __func__, ssh_err(r)); 91294332Sdes goto out; 92294332Sdes } 93294332Sdes for (i = 0; i < idlist->nkeys; i++) { 9460573Skris /* Try this identity. */ 95294332Sdes debug("Trying RSA authentication via agent with '%.100s'", 96294332Sdes idlist->comments[i]); 9760573Skris 9860573Skris /* Tell the server that we are willing to authenticate using this key. */ 9960573Skris packet_start(SSH_CMSG_AUTH_RSA); 100294332Sdes packet_put_bignum(idlist->keys[i]->rsa->n); 10160573Skris packet_send(); 10260573Skris packet_write_wait(); 10360573Skris 10460573Skris /* Wait for server's response. */ 10592559Sdes type = packet_read(); 10660573Skris 107157019Sdes /* The server sends failure if it doesn't like our key or 10860573Skris does not support RSA authentication. */ 10960573Skris if (type == SSH_SMSG_FAILURE) { 11060573Skris debug("Server refused our key."); 11160573Skris continue; 11260573Skris } 11360573Skris /* Otherwise it should have sent a challenge. */ 11460573Skris if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 11560573Skris packet_disconnect("Protocol error during RSA authentication: %d", 11660573Skris type); 11760573Skris 11892559Sdes packet_get_bignum(challenge); 11992559Sdes packet_check_eom(); 12060573Skris 12160573Skris debug("Received RSA challenge from server."); 12260573Skris 12360573Skris /* Ask the agent to decrypt the challenge. */ 124294332Sdes if ((r = ssh_decrypt_challenge(agent_fd, idlist->keys[i], 125294332Sdes challenge, session_id, response)) != 0) { 12665674Skris /* 12765674Skris * The agent failed to authenticate this identifier 12865674Skris * although it advertised it supports this. Just 12965674Skris * return a wrong value. 13065674Skris */ 131294332Sdes logit("Authentication agent failed to decrypt " 132294332Sdes "challenge: %s", ssh_err(r)); 133263712Sdes explicit_bzero(response, sizeof(response)); 13460573Skris } 13560573Skris debug("Sending response to RSA challenge."); 13660573Skris 13760573Skris /* Send the decrypted challenge back to the server. */ 13860573Skris packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 13960573Skris for (i = 0; i < 16; i++) 14060573Skris packet_put_char(response[i]); 14160573Skris packet_send(); 14260573Skris packet_write_wait(); 14360573Skris 14460573Skris /* Wait for response from the server. */ 14592559Sdes type = packet_read(); 14660573Skris 147294332Sdes /* 148294332Sdes * The server returns success if it accepted the 149294332Sdes * authentication. 150294332Sdes */ 15160573Skris if (type == SSH_SMSG_SUCCESS) { 15260573Skris debug("RSA authentication accepted by server."); 153294332Sdes ret = 1; 154294332Sdes break; 155294332Sdes } else if (type != SSH_SMSG_FAILURE) 156294332Sdes packet_disconnect("Protocol error waiting RSA auth " 157294332Sdes "response: %d", type); 15860573Skris } 159294332Sdes if (ret != 1) 160294332Sdes debug("RSA authentication using agent refused."); 161294332Sdes out: 162294332Sdes ssh_free_identitylist(idlist); 163294332Sdes ssh_close_authentication_socket(agent_fd); 16460573Skris BN_clear_free(challenge); 165294332Sdes return ret; 16660573Skris} 16760573Skris 16860573Skris/* 16960573Skris * Computes the proper response to a RSA challenge, and sends the response to 17060573Skris * the server. 17160573Skris */ 17292559Sdesstatic void 17360573Skrisrespond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) 17460573Skris{ 17576262Sgreen u_char buf[32], response[16]; 176263712Sdes struct ssh_digest_ctx *md; 17760573Skris int i, len; 17860573Skris 17960573Skris /* Decrypt the challenge using the private key. */ 18072397Skris /* XXX think about Bleichenbacher, too */ 181294328Sdes if (rsa_private_decrypt(challenge, challenge, prv) != 0) 18272397Skris packet_disconnect( 18372397Skris "respond_to_rsa_challenge: rsa_private_decrypt failed"); 18460573Skris 18560573Skris /* Compute the response. */ 18660573Skris /* The response is MD5 of decrypted challenge plus session id. */ 18760573Skris len = BN_num_bytes(challenge); 188149753Sdes if (len <= 0 || (u_int)len > sizeof(buf)) 18972397Skris packet_disconnect( 19072397Skris "respond_to_rsa_challenge: bad challenge length %d", len); 19160573Skris 19260573Skris memset(buf, 0, sizeof(buf)); 19360573Skris BN_bn2bin(challenge, buf + sizeof(buf) - len); 194263712Sdes if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || 195263712Sdes ssh_digest_update(md, buf, 32) < 0 || 196263712Sdes ssh_digest_update(md, session_id, 16) < 0 || 197263712Sdes ssh_digest_final(md, response, sizeof(response)) < 0) 198263712Sdes fatal("%s: md5 failed", __func__); 199263712Sdes ssh_digest_free(md); 20060573Skris 20160573Skris debug("Sending response to host key RSA challenge."); 20260573Skris 20360573Skris /* Send the response back to the server. */ 20460573Skris packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 20560573Skris for (i = 0; i < 16; i++) 20660573Skris packet_put_char(response[i]); 20760573Skris packet_send(); 20860573Skris packet_write_wait(); 20960573Skris 210263712Sdes explicit_bzero(buf, sizeof(buf)); 211263712Sdes explicit_bzero(response, sizeof(response)); 212263712Sdes explicit_bzero(&md, sizeof(md)); 21360573Skris} 21460573Skris 21560573Skris/* 21660573Skris * Checks if the user has authentication file, and if so, tries to authenticate 21760573Skris * the user using it. 21860573Skris */ 21992559Sdesstatic int 22092559Sdestry_rsa_authentication(int idx) 22160573Skris{ 22260573Skris BIGNUM *challenge; 22392559Sdes Key *public, *private; 224296633Sdes char buf[300], *passphrase = NULL, *comment, *authfile; 225162856Sdes int i, perm_ok = 1, type, quit; 22660573Skris 22792559Sdes public = options.identity_keys[idx]; 22892559Sdes authfile = options.identity_files[idx]; 22992559Sdes comment = xstrdup(authfile); 23092559Sdes 23160573Skris debug("Trying RSA authentication with key '%.100s'", comment); 23260573Skris 23360573Skris /* Tell the server that we are willing to authenticate using this key. */ 23460573Skris packet_start(SSH_CMSG_AUTH_RSA); 23560573Skris packet_put_bignum(public->rsa->n); 23660573Skris packet_send(); 23760573Skris packet_write_wait(); 23860573Skris 23960573Skris /* Wait for server's response. */ 24092559Sdes type = packet_read(); 24160573Skris 24260573Skris /* 243157019Sdes * The server responds with failure if it doesn't like our key or 244157019Sdes * doesn't support RSA authentication. 24560573Skris */ 24660573Skris if (type == SSH_SMSG_FAILURE) { 24760573Skris debug("Server refused our key."); 248255767Sdes free(comment); 24960573Skris return 0; 25060573Skris } 25160573Skris /* Otherwise, the server should respond with a challenge. */ 25260573Skris if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 25360573Skris packet_disconnect("Protocol error during RSA authentication: %d", type); 25460573Skris 25560573Skris /* Get the challenge from the packet. */ 25692559Sdes if ((challenge = BN_new()) == NULL) 25792559Sdes fatal("try_rsa_authentication: BN_new failed"); 25892559Sdes packet_get_bignum(challenge); 25992559Sdes packet_check_eom(); 26060573Skris 26160573Skris debug("Received RSA challenge from server."); 26260573Skris 26360573Skris /* 26492559Sdes * If the key is not stored in external hardware, we have to 26592559Sdes * load the private key. Try first with empty passphrase; if it 26660573Skris * fails, ask for a passphrase. 26760573Skris */ 268294328Sdes if (public->flags & SSHKEY_FLAG_EXT) 26992559Sdes private = public; 27092559Sdes else 271162856Sdes private = key_load_private_type(KEY_RSA1, authfile, "", NULL, 272162856Sdes &perm_ok); 273162856Sdes if (private == NULL && !options.batch_mode && perm_ok) { 27492559Sdes snprintf(buf, sizeof(buf), 27592559Sdes "Enter passphrase for RSA key '%.100s': ", comment); 27692559Sdes for (i = 0; i < options.number_of_password_prompts; i++) { 27760573Skris passphrase = read_passphrase(buf, 0); 27892559Sdes if (strcmp(passphrase, "") != 0) { 27992559Sdes private = key_load_private_type(KEY_RSA1, 280162856Sdes authfile, passphrase, NULL, NULL); 28192559Sdes quit = 0; 28292559Sdes } else { 28392559Sdes debug2("no passphrase given, try next key"); 28492559Sdes quit = 1; 28592559Sdes } 28692559Sdes if (private != NULL || quit) 28792559Sdes break; 28892559Sdes debug2("bad passphrase given, try again..."); 28960573Skris } 29060573Skris } 291296633Sdes 292296633Sdes if (private != NULL) 293296633Sdes maybe_add_key_to_agent(authfile, private, comment, passphrase); 294296633Sdes 295296633Sdes if (passphrase != NULL) { 296296633Sdes explicit_bzero(passphrase, strlen(passphrase)); 297296633Sdes free(passphrase); 298296633Sdes } 299296633Sdes 30060573Skris /* We no longer need the comment. */ 301255767Sdes free(comment); 30260573Skris 30392559Sdes if (private == NULL) { 304162856Sdes if (!options.batch_mode && perm_ok) 30592559Sdes error("Bad passphrase."); 30692559Sdes 30792559Sdes /* Send a dummy response packet to avoid protocol error. */ 30892559Sdes packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 30992559Sdes for (i = 0; i < 16; i++) 31092559Sdes packet_put_char(0); 31192559Sdes packet_send(); 31292559Sdes packet_write_wait(); 31392559Sdes 31492559Sdes /* Expect the server to reject it... */ 31592559Sdes packet_read_expect(SSH_SMSG_FAILURE); 31692559Sdes BN_clear_free(challenge); 31792559Sdes return 0; 31892559Sdes } 31992559Sdes 32060573Skris /* Compute and send a response to the challenge. */ 32160573Skris respond_to_rsa_challenge(challenge, private->rsa); 32260573Skris 32392559Sdes /* Destroy the private key unless it in external hardware. */ 324294328Sdes if (!(private->flags & SSHKEY_FLAG_EXT)) 32592559Sdes key_free(private); 32660573Skris 32760573Skris /* We no longer need the challenge. */ 32860573Skris BN_clear_free(challenge); 32960573Skris 33060573Skris /* Wait for response from the server. */ 33192559Sdes type = packet_read(); 33260573Skris if (type == SSH_SMSG_SUCCESS) { 33360573Skris debug("RSA authentication accepted by server."); 33460573Skris return 1; 33560573Skris } 33660573Skris if (type != SSH_SMSG_FAILURE) 33760573Skris packet_disconnect("Protocol error waiting RSA auth response: %d", type); 33860573Skris debug("RSA authentication refused."); 33960573Skris return 0; 34060573Skris} 34160573Skris 34260573Skris/* 34360573Skris * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv 34460573Skris * authentication and RSA host authentication. 34560573Skris */ 34692559Sdesstatic int 34776262Sgreentry_rhosts_rsa_authentication(const char *local_user, Key * host_key) 34860573Skris{ 34960573Skris int type; 35060573Skris BIGNUM *challenge; 35160573Skris 35260573Skris debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication."); 35360573Skris 35460573Skris /* Tell the server that we are willing to authenticate using this key. */ 35560573Skris packet_start(SSH_CMSG_AUTH_RHOSTS_RSA); 35692559Sdes packet_put_cstring(local_user); 35776262Sgreen packet_put_int(BN_num_bits(host_key->rsa->n)); 35876262Sgreen packet_put_bignum(host_key->rsa->e); 35976262Sgreen packet_put_bignum(host_key->rsa->n); 36060573Skris packet_send(); 36160573Skris packet_write_wait(); 36260573Skris 36360573Skris /* Wait for server's response. */ 36492559Sdes type = packet_read(); 36560573Skris 36660573Skris /* The server responds with failure if it doesn't admit our 36760573Skris .rhosts authentication or doesn't know our host key. */ 36860573Skris if (type == SSH_SMSG_FAILURE) { 36960573Skris debug("Server refused our rhosts authentication or host key."); 37060573Skris return 0; 37160573Skris } 37260573Skris /* Otherwise, the server should respond with a challenge. */ 37360573Skris if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 37460573Skris packet_disconnect("Protocol error during RSA authentication: %d", type); 37560573Skris 37660573Skris /* Get the challenge from the packet. */ 37792559Sdes if ((challenge = BN_new()) == NULL) 37892559Sdes fatal("try_rhosts_rsa_authentication: BN_new failed"); 37992559Sdes packet_get_bignum(challenge); 38092559Sdes packet_check_eom(); 38160573Skris 38260573Skris debug("Received RSA challenge for host key from server."); 38360573Skris 38460573Skris /* Compute a response to the challenge. */ 38576262Sgreen respond_to_rsa_challenge(challenge, host_key->rsa); 38660573Skris 38760573Skris /* We no longer need the challenge. */ 38860573Skris BN_clear_free(challenge); 38960573Skris 39060573Skris /* Wait for response from the server. */ 39192559Sdes type = packet_read(); 39260573Skris if (type == SSH_SMSG_SUCCESS) { 39360573Skris debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server."); 39460573Skris return 1; 39560573Skris } 39660573Skris if (type != SSH_SMSG_FAILURE) 39760573Skris packet_disconnect("Protocol error waiting RSA auth response: %d", type); 39860573Skris debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused."); 39960573Skris return 0; 40060573Skris} 40160573Skris 40260573Skris/* 40360573Skris * Tries to authenticate with any string-based challenge/response system. 40460573Skris * Note that the client code is not tied to s/key or TIS. 40560573Skris */ 40692559Sdesstatic int 40792559Sdestry_challenge_response_authentication(void) 40860573Skris{ 40960573Skris int type, i; 41076262Sgreen u_int clen; 41176262Sgreen char prompt[1024]; 41260573Skris char *challenge, *response; 41360573Skris 41492559Sdes debug("Doing challenge response authentication."); 41560573Skris 41692559Sdes for (i = 0; i < options.number_of_password_prompts; i++) { 41792559Sdes /* request a challenge */ 41892559Sdes packet_start(SSH_CMSG_AUTH_TIS); 41992559Sdes packet_send(); 42092559Sdes packet_write_wait(); 42160573Skris 42292559Sdes type = packet_read(); 42392559Sdes if (type != SSH_SMSG_FAILURE && 42492559Sdes type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 42592559Sdes packet_disconnect("Protocol error: got %d in response " 42692559Sdes "to SSH_CMSG_AUTH_TIS", type); 42792559Sdes } 42892559Sdes if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 42992559Sdes debug("No challenge."); 43092559Sdes return 0; 43192559Sdes } 43292559Sdes challenge = packet_get_string(&clen); 43392559Sdes packet_check_eom(); 43492559Sdes snprintf(prompt, sizeof prompt, "%s%s", challenge, 43592559Sdes strchr(challenge, '\n') ? "" : "\nResponse: "); 436255767Sdes free(challenge); 43760573Skris if (i != 0) 43860573Skris error("Permission denied, please try again."); 43976262Sgreen if (options.cipher == SSH_CIPHER_NONE) 440124211Sdes logit("WARNING: Encryption is disabled! " 44198684Sdes "Response will be transmitted in clear text."); 44276262Sgreen response = read_passphrase(prompt, 0); 44376262Sgreen if (strcmp(response, "") == 0) { 444255767Sdes free(response); 44576262Sgreen break; 44676262Sgreen } 44760573Skris packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); 44874500Sgreen ssh_put_password(response); 449263712Sdes explicit_bzero(response, strlen(response)); 450255767Sdes free(response); 45160573Skris packet_send(); 45260573Skris packet_write_wait(); 45392559Sdes type = packet_read(); 45460573Skris if (type == SSH_SMSG_SUCCESS) 45560573Skris return 1; 45660573Skris if (type != SSH_SMSG_FAILURE) 45760573Skris packet_disconnect("Protocol error: got %d in response " 45876262Sgreen "to SSH_CMSG_AUTH_TIS_RESPONSE", type); 45960573Skris } 46060573Skris /* failure */ 46160573Skris return 0; 46260573Skris} 46360573Skris 46460573Skris/* 46560573Skris * Tries to authenticate with plain passwd authentication. 46660573Skris */ 46792559Sdesstatic int 46860573Skristry_password_authentication(char *prompt) 46960573Skris{ 47092559Sdes int type, i; 47160573Skris char *password; 47260573Skris 47360573Skris debug("Doing password authentication."); 47460573Skris if (options.cipher == SSH_CIPHER_NONE) 475124211Sdes logit("WARNING: Encryption is disabled! Password will be transmitted in clear text."); 47660573Skris for (i = 0; i < options.number_of_password_prompts; i++) { 47760573Skris if (i != 0) 47860573Skris error("Permission denied, please try again."); 47960573Skris password = read_passphrase(prompt, 0); 48060573Skris packet_start(SSH_CMSG_AUTH_PASSWORD); 48174500Sgreen ssh_put_password(password); 482263712Sdes explicit_bzero(password, strlen(password)); 483255767Sdes free(password); 48460573Skris packet_send(); 48560573Skris packet_write_wait(); 48660573Skris 48792559Sdes type = packet_read(); 48860573Skris if (type == SSH_SMSG_SUCCESS) 48960573Skris return 1; 49060573Skris if (type != SSH_SMSG_FAILURE) 49160573Skris packet_disconnect("Protocol error: got %d in response to passwd auth", type); 49260573Skris } 49360573Skris /* failure */ 49460573Skris return 0; 49560573Skris} 49660573Skris 49760573Skris/* 49860573Skris * SSH1 key exchange 49960573Skris */ 50060573Skrisvoid 50160573Skrisssh_kex(char *host, struct sockaddr *hostaddr) 50260573Skris{ 50360573Skris int i; 50460573Skris BIGNUM *key; 50592559Sdes Key *host_key, *server_key; 50660573Skris int bits, rbits; 50760573Skris int ssh_cipher_default = SSH_CIPHER_3DES; 50876262Sgreen u_char session_key[SSH_SESSION_KEY_LENGTH]; 50976262Sgreen u_char cookie[8]; 51076262Sgreen u_int supported_ciphers; 51176262Sgreen u_int server_flags, client_flags; 51260573Skris 51360573Skris debug("Waiting for server public key."); 51460573Skris 51560573Skris /* Wait for a public key packet from the server. */ 51692559Sdes packet_read_expect(SSH_SMSG_PUBLIC_KEY); 51760573Skris 51860573Skris /* Get cookie from the packet. */ 51960573Skris for (i = 0; i < 8; i++) 52060573Skris cookie[i] = packet_get_char(); 52160573Skris 52260573Skris /* Get the public key. */ 523323136Sdes if ((server_key = key_new(KEY_RSA1)) == NULL) 524323136Sdes fatal("%s: key_new(KEY_RSA1) failed", __func__); 52592559Sdes bits = packet_get_int(); 52692559Sdes packet_get_bignum(server_key->rsa->e); 52792559Sdes packet_get_bignum(server_key->rsa->n); 52860573Skris 52992559Sdes rbits = BN_num_bits(server_key->rsa->n); 53060573Skris if (bits != rbits) { 531124211Sdes logit("Warning: Server lies about size of server public key: " 53260573Skris "actual size is %d bits vs. announced %d.", rbits, bits); 533124211Sdes logit("Warning: This may be due to an old implementation of ssh."); 53460573Skris } 53560573Skris /* Get the host key. */ 536323136Sdes if ((host_key = key_new(KEY_RSA1)) == NULL) 537323136Sdes fatal("%s: key_new(KEY_RSA1) failed", __func__); 53892559Sdes bits = packet_get_int(); 53992559Sdes packet_get_bignum(host_key->rsa->e); 54092559Sdes packet_get_bignum(host_key->rsa->n); 54160573Skris 54292559Sdes rbits = BN_num_bits(host_key->rsa->n); 54360573Skris if (bits != rbits) { 544124211Sdes logit("Warning: Server lies about size of server host key: " 54560573Skris "actual size is %d bits vs. announced %d.", rbits, bits); 546124211Sdes logit("Warning: This may be due to an old implementation of ssh."); 54760573Skris } 54860573Skris 54960573Skris /* Get protocol flags. */ 55060573Skris server_flags = packet_get_int(); 55160573Skris packet_set_protocol_flags(server_flags); 55260573Skris 55360573Skris supported_ciphers = packet_get_int(); 55460573Skris supported_authentications = packet_get_int(); 55592559Sdes packet_check_eom(); 55660573Skris 55760573Skris debug("Received server public key (%d bits) and host key (%d bits).", 55892559Sdes BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n)); 55960573Skris 56092559Sdes if (verify_host_key(host, hostaddr, host_key) == -1) 56192559Sdes fatal("Host key verification failed."); 56260573Skris 56360573Skris client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN; 56460573Skris 565137019Sdes derive_ssh1_session_id(host_key->rsa->n, server_key->rsa->n, cookie, session_id); 56660573Skris 56760573Skris /* 56860573Skris * Generate an encryption key for the session. The key is a 256 bit 56960573Skris * random number, interpreted as a 32-byte key, with the least 57060573Skris * significant 8 bits being the first byte of the key. 57160573Skris */ 572323134Sdes arc4random_buf(session_key, sizeof(session_key)); 57360573Skris 57460573Skris /* 57560573Skris * According to the protocol spec, the first byte of the session key 57660573Skris * is the highest byte of the integer. The session key is xored with 57760573Skris * the first 16 bytes of the session id. 57860573Skris */ 57992559Sdes if ((key = BN_new()) == NULL) 580164149Sdes fatal("ssh_kex: BN_new failed"); 581164149Sdes if (BN_set_word(key, 0) == 0) 582164149Sdes fatal("ssh_kex: BN_set_word failed"); 58360573Skris for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { 584164149Sdes if (BN_lshift(key, key, 8) == 0) 585164149Sdes fatal("ssh_kex: BN_lshift failed"); 586164149Sdes if (i < 16) { 587164149Sdes if (BN_add_word(key, session_key[i] ^ session_id[i]) 588164149Sdes == 0) 589164149Sdes fatal("ssh_kex: BN_add_word failed"); 590164149Sdes } else { 591164149Sdes if (BN_add_word(key, session_key[i]) == 0) 592164149Sdes fatal("ssh_kex: BN_add_word failed"); 593164149Sdes } 59460573Skris } 59560573Skris 59660573Skris /* 59760573Skris * Encrypt the integer using the public key and host key of the 59860573Skris * server (key with smaller modulus first). 59960573Skris */ 60092559Sdes if (BN_cmp(server_key->rsa->n, host_key->rsa->n) < 0) { 60160573Skris /* Public key has smaller modulus. */ 60292559Sdes if (BN_num_bits(host_key->rsa->n) < 60392559Sdes BN_num_bits(server_key->rsa->n) + SSH_KEY_BITS_RESERVED) { 60492559Sdes fatal("respond_to_rsa_challenge: host_key %d < server_key %d + " 60592559Sdes "SSH_KEY_BITS_RESERVED %d", 60692559Sdes BN_num_bits(host_key->rsa->n), 60792559Sdes BN_num_bits(server_key->rsa->n), 60892559Sdes SSH_KEY_BITS_RESERVED); 60960573Skris } 610294328Sdes if (rsa_public_encrypt(key, key, server_key->rsa) != 0 || 611294328Sdes rsa_public_encrypt(key, key, host_key->rsa) != 0) 612294328Sdes fatal("%s: rsa_public_encrypt failed", __func__); 61360573Skris } else { 61460573Skris /* Host key has smaller modulus (or they are equal). */ 61592559Sdes if (BN_num_bits(server_key->rsa->n) < 61692559Sdes BN_num_bits(host_key->rsa->n) + SSH_KEY_BITS_RESERVED) { 61792559Sdes fatal("respond_to_rsa_challenge: server_key %d < host_key %d + " 61892559Sdes "SSH_KEY_BITS_RESERVED %d", 61992559Sdes BN_num_bits(server_key->rsa->n), 62092559Sdes BN_num_bits(host_key->rsa->n), 62192559Sdes SSH_KEY_BITS_RESERVED); 62260573Skris } 623294328Sdes if (rsa_public_encrypt(key, key, host_key->rsa) != 0 || 624294328Sdes rsa_public_encrypt(key, key, server_key->rsa) != 0) 625294328Sdes fatal("%s: rsa_public_encrypt failed", __func__); 62660573Skris } 62760573Skris 62860573Skris /* Destroy the public keys since we no longer need them. */ 62992559Sdes key_free(server_key); 63092559Sdes key_free(host_key); 63160573Skris 63276262Sgreen if (options.cipher == SSH_CIPHER_NOT_SET) { 63376262Sgreen if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) 63476262Sgreen options.cipher = ssh_cipher_default; 635137019Sdes } else if (options.cipher == SSH_CIPHER_INVALID || 63676262Sgreen !(cipher_mask_ssh1(1) & (1 << options.cipher))) { 637124211Sdes logit("No valid SSH1 cipher, using %.100s instead.", 63869591Sgreen cipher_name(ssh_cipher_default)); 63969591Sgreen options.cipher = ssh_cipher_default; 64060573Skris } 64160573Skris /* Check that the selected cipher is supported. */ 64260573Skris if (!(supported_ciphers & (1 << options.cipher))) 64360573Skris fatal("Selected cipher type %.100s not supported by server.", 64492559Sdes cipher_name(options.cipher)); 64560573Skris 64660573Skris debug("Encryption type: %.100s", cipher_name(options.cipher)); 64760573Skris 64860573Skris /* Send the encrypted session key to the server. */ 64960573Skris packet_start(SSH_CMSG_SESSION_KEY); 65060573Skris packet_put_char(options.cipher); 65160573Skris 65260573Skris /* Send the cookie back to the server. */ 65360573Skris for (i = 0; i < 8; i++) 65460573Skris packet_put_char(cookie[i]); 65560573Skris 65660573Skris /* Send and destroy the encrypted encryption key integer. */ 65760573Skris packet_put_bignum(key); 65860573Skris BN_clear_free(key); 65960573Skris 66060573Skris /* Send protocol flags. */ 66160573Skris packet_put_int(client_flags); 66260573Skris 66360573Skris /* Send the packet now. */ 66460573Skris packet_send(); 66560573Skris packet_write_wait(); 66660573Skris 66760573Skris debug("Sent encrypted session key."); 66860573Skris 66960573Skris /* Set the encryption key. */ 67060573Skris packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher); 67160573Skris 672263712Sdes /* 673263712Sdes * We will no longer need the session key here. 674263712Sdes * Destroy any extra copies. 675263712Sdes */ 676263712Sdes explicit_bzero(session_key, sizeof(session_key)); 67760573Skris 67860573Skris /* 67960573Skris * Expect a success message from the server. Note that this message 68060573Skris * will be received in encrypted form. 68160573Skris */ 68292559Sdes packet_read_expect(SSH_SMSG_SUCCESS); 68360573Skris 68460573Skris debug("Received encrypted confirmation."); 68560573Skris} 68660573Skris 68760573Skris/* 68860573Skris * Authenticate user 68960573Skris */ 69060573Skrisvoid 69176262Sgreenssh_userauth1(const char *local_user, const char *server_user, char *host, 69298684Sdes Sensitive *sensitive) 69360573Skris{ 69460573Skris int i, type; 69560573Skris 69660573Skris if (supported_authentications == 0) 69776262Sgreen fatal("ssh_userauth1: server supports no auth methods"); 69860573Skris 69960573Skris /* Send the name of the user to log in as on the server. */ 70060573Skris packet_start(SSH_CMSG_USER); 70192559Sdes packet_put_cstring(server_user); 70260573Skris packet_send(); 70360573Skris packet_write_wait(); 70460573Skris 70560573Skris /* 70660573Skris * The server should respond with success if no authentication is 70760573Skris * needed (the user has no password). Otherwise the server responds 70860573Skris * with failure. 70960573Skris */ 71092559Sdes type = packet_read(); 71160573Skris 71260573Skris /* check whether the connection was accepted without authentication. */ 71360573Skris if (type == SSH_SMSG_SUCCESS) 71492559Sdes goto success; 71560573Skris if (type != SSH_SMSG_FAILURE) 71692559Sdes packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type); 71760573Skris 71860573Skris /* 71960573Skris * Try .rhosts or /etc/hosts.equiv authentication with RSA host 72060573Skris * authentication. 72160573Skris */ 72260573Skris if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) && 72376262Sgreen options.rhosts_rsa_authentication) { 72498684Sdes for (i = 0; i < sensitive->nkeys; i++) { 72598684Sdes if (sensitive->keys[i] != NULL && 72698684Sdes sensitive->keys[i]->type == KEY_RSA1 && 72798684Sdes try_rhosts_rsa_authentication(local_user, 72898684Sdes sensitive->keys[i])) 72992559Sdes goto success; 73076262Sgreen } 73160573Skris } 73260573Skris /* Try RSA authentication if the server supports it. */ 73360573Skris if ((supported_authentications & (1 << SSH_AUTH_RSA)) && 73460573Skris options.rsa_authentication) { 73560573Skris /* 73660573Skris * Try RSA authentication using the authentication agent. The 73760573Skris * agent is tried first because no passphrase is needed for 73860573Skris * it, whereas identity files may require passphrases. 73960573Skris */ 74060573Skris if (try_agent_authentication()) 74192559Sdes goto success; 74260573Skris 74360573Skris /* Try RSA authentication for each identity. */ 74460573Skris for (i = 0; i < options.num_identity_files; i++) 74576262Sgreen if (options.identity_keys[i] != NULL && 74676262Sgreen options.identity_keys[i]->type == KEY_RSA1 && 74792559Sdes try_rsa_authentication(i)) 74892559Sdes goto success; 74960573Skris } 75076262Sgreen /* Try challenge response authentication if the server supports it. */ 75160573Skris if ((supported_authentications & (1 << SSH_AUTH_TIS)) && 75292559Sdes options.challenge_response_authentication && !options.batch_mode) { 75392559Sdes if (try_challenge_response_authentication()) 75492559Sdes goto success; 75560573Skris } 75660573Skris /* Try password authentication if the server supports it. */ 75760573Skris if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && 75860573Skris options.password_authentication && !options.batch_mode) { 75960573Skris char prompt[80]; 76060573Skris 76176262Sgreen snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ", 76260573Skris server_user, host); 76360573Skris if (try_password_authentication(prompt)) 76492559Sdes goto success; 76560573Skris } 76660573Skris /* All authentication methods have failed. Exit with an error message. */ 76760573Skris fatal("Permission denied."); 76860573Skris /* NOTREACHED */ 76992559Sdes 77092559Sdes success: 77192559Sdes return; /* need statement after label */ 77260573Skris} 773294332Sdes 774294332Sdes#endif /* WITH_SSH1 */ 775