1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Created: Fri Mar 17 17:09:28 1995 ylo 6 * This program is the ssh daemon. It listens for connections from clients, and 7 * performs authentication, executes use commands or shell, and forwards 8 * information to/from the application to the user client over an encrypted 9 * connection. This can also handle forwarding of X11, TCP/IP, and authentication 10 * agent connections. 11 * 12 * SSH2 implementation, 13 * Copyright (c) 2000 Markus Friedl. All rights reserved. 14 * 15 * $FreeBSD$ 16 */ 17 18 #include "includes.h" 19 RCSID("$OpenBSD: sshd.c,v 1.118 2000/05/25 20:45:20 markus Exp $"); 20 21 #include "xmalloc.h" 22 #include "rsa.h" 23 #include "ssh.h" 24 #include "pty.h" 25 #include "packet.h" 26 #include "cipher.h" 27 #include "mpaux.h" 28 #include "servconf.h" 29 #include "uidswap.h" 30 #include "compat.h" 31 #include "buffer.h" 32 #include <poll.h> 33 #include <time.h> 34 35 #include "ssh2.h" 36 #include <openssl/dh.h> 37 #include <openssl/bn.h> 38 #include <openssl/hmac.h> 39 #include "kex.h" 40 #include <openssl/dsa.h> 41 #include <openssl/rsa.h> 42 #include "key.h" 43 #include "dsa.h" 44 45 #include "auth.h" 46 #include "myproposal.h" 47 #include "authfile.h" 48 49 #ifdef LIBWRAP 50 #include <tcpd.h> 51 #include <syslog.h> 52 int allow_severity = LOG_INFO; 53 int deny_severity = LOG_WARNING; 54 #endif /* LIBWRAP */ 55 56 #ifndef O_NOCTTY 57 #define O_NOCTTY 0 58 #endif 59 60 #ifdef KRB5 61 #include <krb5.h> 62 #endif /* KRB5 */ 63 64 /* Server configuration options. */ 65 ServerOptions options; 66 67 /* Name of the server configuration file. */ 68 char *config_file_name = SERVER_CONFIG_FILE; 69 70 /* 71 * Flag indicating whether IPv4 or IPv6. This can be set on the command line. 72 * Default value is AF_UNSPEC means both IPv4 and IPv6. 73 */ 74 int IPv4or6 = AF_UNSPEC; 75 76 /* 77 * Debug mode flag. This can be set on the command line. If debug 78 * mode is enabled, extra debugging output will be sent to the system 79 * log, the daemon will not go to background, and will exit after processing 80 * the first connection. 81 */ 82 int debug_flag = 0; 83 84 /* Flag indicating that the daemon is being started from inetd. */ 85 int inetd_flag = 0; 86 87 /* debug goes to stderr unless inetd_flag is set */ 88 int log_stderr = 0; 89 90 /* argv[0] without path. */ 91 char *av0; 92 93 /* Saved arguments to main(). */ 94 char **saved_argv; 95 96 /* 97 * The sockets that the server is listening; this is used in the SIGHUP 98 * signal handler. 99 */ 100 #define MAX_LISTEN_SOCKS 16 101 int listen_socks[MAX_LISTEN_SOCKS]; 102 int num_listen_socks = 0; 103 104 /* 105 * the client's version string, passed by sshd2 in compat mode. if != NULL, 106 * sshd will skip the version-number exchange 107 */ 108 char *client_version_string = NULL; 109 char *server_version_string = NULL; 110 111 /* 112 * Any really sensitive data in the application is contained in this 113 * structure. The idea is that this structure could be locked into memory so 114 * that the pages do not get written into swap. However, there are some 115 * problems. The private key contains BIGNUMs, and we do not (in principle) 116 * have access to the internals of them, and locking just the structure is 117 * not very useful. Currently, memory locking is not implemented. 118 */ 119 struct { 120 RSA *private_key; /* Private part of empheral server key. */ 121 RSA *host_key; /* Private part of host key. */ 122 Key *dsa_host_key; /* Private DSA host key. */ 123 } sensitive_data; 124 125 /* 126 * Flag indicating whether the current session key has been used. This flag 127 * is set whenever the key is used, and cleared when the key is regenerated. 128 */ 129 int key_used = 0; 130 131 /* This is set to true when SIGHUP is received. */ 132 int received_sighup = 0; 133 134 /* Public side of the server key. This value is regenerated regularly with 135 the private key. */ 136 RSA *public_key; 137 138 /* session identifier, used by RSA-auth */ 139 unsigned char session_id[16]; 140 141 /* same for ssh2 */ 142 unsigned char *session_id2 = NULL; 143 int session_id2_len = 0; 144 145 /* These are used to implement connections_per_period. */ 146 struct magic_connection { 147 struct timeval connections_begin; 148 unsigned int connections_this_period; 149 } *magic_connections; 150 /* Magic number, too! TODO: this doesn't have to be static. */ 151 const size_t MAGIC_CONNECTIONS_SIZE = 1; 152 153 static __inline int 154 magic_hash(struct sockaddr *sa) { 155 156 return 0; 157 } 158 159 static __inline struct timeval 160 timevaldiff(struct timeval *tv1, struct timeval *tv2) { 161 struct timeval diff; 162 int carry; 163 164 carry = tv1->tv_usec > tv2->tv_usec; 165 diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 0 : 1); 166 diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0); 167 168 return diff; 169 } 170 171 /* Prototypes for various functions defined later in this file. */ 172 void do_ssh1_kex(); 173 void do_ssh2_kex(); 174 175 /* 176 * Close all listening sockets 177 */ 178 void 179 close_listen_socks(void) 180 { 181 int i; 182 for (i = 0; i < num_listen_socks; i++) 183 close(listen_socks[i]); 184 num_listen_socks = -1; 185 } 186 187 /* 188 * Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP; 189 * the effect is to reread the configuration file (and to regenerate 190 * the server key). 191 */ 192 void 193 sighup_handler(int sig) 194 { 195 received_sighup = 1; 196 signal(SIGHUP, sighup_handler); 197 } 198 199 /* 200 * Called from the main program after receiving SIGHUP. 201 * Restarts the server. 202 */ 203 void 204 sighup_restart() 205 { 206 log("Received SIGHUP; restarting."); 207 close_listen_socks(); 208 execv(saved_argv[0], saved_argv); 209 log("RESTART FAILED: av0='%s', error: %s.", av0, strerror(errno)); 210 exit(1); 211 } 212 213 /* 214 * Generic signal handler for terminating signals in the master daemon. 215 * These close the listen socket; not closing it seems to cause "Address 216 * already in use" problems on some machines, which is inconvenient. 217 */ 218 void 219 sigterm_handler(int sig) 220 { 221 log("Received signal %d; terminating.", sig); 222 close_listen_socks(); 223 unlink(options.pid_file); 224 exit(255); 225 } 226 227 /* 228 * SIGCHLD handler. This is called whenever a child dies. This will then 229 * reap any zombies left by exited c. 230 */ 231 void 232 main_sigchld_handler(int sig) 233 { 234 int save_errno = errno; 235 int status; 236 237 while (waitpid(-1, &status, WNOHANG) > 0) 238 ; 239 240 signal(SIGCHLD, main_sigchld_handler); 241 errno = save_errno; 242 } 243 244 /* 245 * Signal handler for the alarm after the login grace period has expired. 246 */ 247 void 248 grace_alarm_handler(int sig) 249 { 250 /* Close the connection. */ 251 packet_close(); 252 253 /* Log error and exit. */ 254 fatal("Timeout before authentication for %s.", get_remote_ipaddr()); 255 } 256 257 /* 258 * Signal handler for the key regeneration alarm. Note that this 259 * alarm only occurs in the daemon waiting for connections, and it does not 260 * do anything with the private key or random state before forking. 261 * Thus there should be no concurrency control/asynchronous execution 262 * problems. 263 */ 264 /* XXX do we really want this work to be done in a signal handler ? -m */ 265 void 266 key_regeneration_alarm(int sig) 267 { 268 int save_errno = errno; 269 270 /* Check if we should generate a new key. */ 271 if (key_used) { 272 /* This should really be done in the background. */ 273 log("Generating new %d bit RSA key.", options.server_key_bits); 274 275 if (sensitive_data.private_key != NULL) 276 RSA_free(sensitive_data.private_key); 277 sensitive_data.private_key = RSA_new(); 278 279 if (public_key != NULL) 280 RSA_free(public_key); 281 public_key = RSA_new(); 282 283 rsa_generate_key(sensitive_data.private_key, public_key, 284 options.server_key_bits); 285 arc4random_stir(); 286 key_used = 0; 287 log("RSA key generation complete."); 288 } 289 /* Reschedule the alarm. */ 290 signal(SIGALRM, key_regeneration_alarm); 291 alarm(options.key_regeneration_time); 292 errno = save_errno; 293 } 294 295 void 296 sshd_exchange_identification(int sock_in, int sock_out) 297 { 298 int i, mismatch; 299 int remote_major, remote_minor; 300 int major, minor; 301 char *s; 302 char buf[256]; /* Must not be larger than remote_version. */ 303 char remote_version[256]; /* Must be at least as big as buf. */ 304 305 if ((options.protocol & SSH_PROTO_1) && 306 (options.protocol & SSH_PROTO_2)) { 307 major = PROTOCOL_MAJOR_1; 308 minor = 99; 309 } else if (options.protocol & SSH_PROTO_2) { 310 major = PROTOCOL_MAJOR_2; 311 minor = PROTOCOL_MINOR_2; 312 } else { 313 major = PROTOCOL_MAJOR_1; 314 minor = PROTOCOL_MINOR_1; 315 } 316 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION); 317 server_version_string = xstrdup(buf); 318 319 if (client_version_string == NULL) { 320 /* Send our protocol version identification. */ 321 if (atomicio(write, sock_out, server_version_string, strlen(server_version_string)) 322 != strlen(server_version_string)) { 323 log("Could not write ident string to %s.", get_remote_ipaddr()); 324 fatal_cleanup(); 325 } 326 327 /* Read other side\'s version identification. */ 328 for (i = 0; i < sizeof(buf) - 1; i++) { 329 if (read(sock_in, &buf[i], 1) != 1) { 330 log("Did not receive ident string from %s.", get_remote_ipaddr()); 331 fatal_cleanup(); 332 } 333 if (buf[i] == '\r') { 334 buf[i] = '\n'; 335 buf[i + 1] = 0; 336 continue; 337 } 338 if (buf[i] == '\n') { 339 /* buf[i] == '\n' */ 340 buf[i + 1] = 0; 341 break; 342 } 343 } 344 buf[sizeof(buf) - 1] = 0; 345 client_version_string = xstrdup(buf); 346 } 347 348 /* 349 * Check that the versions match. In future this might accept 350 * several versions and set appropriate flags to handle them. 351 */ 352 if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n", 353 &remote_major, &remote_minor, remote_version) != 3) { 354 s = "Protocol mismatch.\n"; 355 (void) atomicio(write, sock_out, s, strlen(s)); 356 close(sock_in); 357 close(sock_out); 358 log("Bad protocol version identification '%.100s' from %s", 359 client_version_string, get_remote_ipaddr()); 360 fatal_cleanup(); 361 } 362 debug("Client protocol version %d.%d; client software version %.100s", 363 remote_major, remote_minor, remote_version); 364 365 compat_datafellows(remote_version); 366 367 mismatch = 0; 368 switch(remote_major) { 369 case 1: 370 if (remote_minor == 99) { 371 if (options.protocol & SSH_PROTO_2) 372 enable_compat20(); 373 else 374 mismatch = 1; 375 break; 376 } 377 if (!(options.protocol & SSH_PROTO_1)) { 378 mismatch = 1; 379 break; 380 } 381 if (remote_minor < 3) { 382 packet_disconnect("Your ssh version is too old and" 383 "is no longer supported. Please install a newer version."); 384 } else if (remote_minor == 3) { 385 /* note that this disables agent-forwarding */ 386 enable_compat13(); 387 } 388 break; 389 case 2: 390 if (options.protocol & SSH_PROTO_2) { 391 enable_compat20(); 392 break; 393 } 394 /* FALLTHROUGH */ 395 default: 396 mismatch = 1; 397 break; 398 } 399 chop(server_version_string); 400 chop(client_version_string); 401 debug("Local version string %.200s", server_version_string); 402 403 if (mismatch) { 404 s = "Protocol major versions differ.\n"; 405 (void) atomicio(write, sock_out, s, strlen(s)); 406 close(sock_in); 407 close(sock_out); 408 log("Protocol major versions differ for %s: %.200s vs. %.200s", 409 get_remote_ipaddr(), 410 server_version_string, client_version_string); 411 fatal_cleanup(); 412 } 413 if (compat20) 414 packet_set_ssh2_format(); 415 } 416 417 418 void 419 destroy_sensitive_data(void) 420 { 421 /* Destroy the private and public keys. They will no longer be needed. */ 422 if (public_key) 423 RSA_free(public_key); 424 if (sensitive_data.private_key) 425 RSA_free(sensitive_data.private_key); 426 if (sensitive_data.host_key) 427 RSA_free(sensitive_data.host_key); 428 if (sensitive_data.dsa_host_key != NULL) 429 key_free(sensitive_data.dsa_host_key); 430 } 431 432 /* 433 * Main program for the daemon. 434 */ 435 int 436 main(int ac, char **av) 437 { 438 extern char *optarg; 439 extern int optind; 440 int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, on = 1; 441 pid_t pid; 442 socklen_t fromlen; 443 int silent = 0; 444 fd_set *fdset; 445 struct sockaddr_storage from; 446 const char *remote_ip; 447 int remote_port; 448 FILE *f; 449 struct linger linger; 450 struct addrinfo *ai; 451 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 452 int listen_sock, maxfd; 453 int connections_per_period_exceeded = 0; 454 455 /* Save argv[0]. */ 456 saved_argv = av; 457 if (strchr(av[0], '/')) 458 av0 = strrchr(av[0], '/') + 1; 459 else 460 av0 = av[0]; 461 462 /* Initialize configuration options to their default values. */ 463 initialize_server_options(&options); 464 465 /* Parse command-line arguments. */ 466 while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:diqQ46")) != EOF) { 467 switch (opt) { 468 case '4': 469 IPv4or6 = AF_INET; 470 break; 471 case '6': 472 IPv4or6 = AF_INET6; 473 break; 474 case 'f': 475 config_file_name = optarg; 476 break; 477 case 'd': 478 debug_flag = 1; 479 options.log_level = SYSLOG_LEVEL_DEBUG; 480 break; 481 case 'i': 482 inetd_flag = 1; 483 break; 484 case 'Q': 485 silent = 1; 486 break; 487 case 'q': 488 options.log_level = SYSLOG_LEVEL_QUIET; 489 break; 490 case 'b': 491 options.server_key_bits = atoi(optarg); 492 break; 493 case 'p': 494 options.ports_from_cmdline = 1; 495 if (options.num_ports >= MAX_PORTS) 496 fatal("too many ports.\n"); 497 options.ports[options.num_ports++] = atoi(optarg); 498 break; 499 case 'g': 500 options.login_grace_time = atoi(optarg); 501 break; 502 case 'k': 503 options.key_regeneration_time = atoi(optarg); 504 break; 505 case 'h': 506 options.host_key_file = optarg; 507 break; 508 case 'V': 509 client_version_string = optarg; 510 /* only makes sense with inetd_flag, i.e. no listen() */ 511 inetd_flag = 1; 512 break; 513 case '?': 514 default: 515 fprintf(stderr, "sshd version %s\n", SSH_VERSION); 516 fprintf(stderr, "Usage: %s [options]\n", av0); 517 fprintf(stderr, "Options:\n"); 518 fprintf(stderr, " -f file Configuration file (default %s)\n", SERVER_CONFIG_FILE); 519 fprintf(stderr, " -d Debugging mode\n"); 520 fprintf(stderr, " -i Started from inetd\n"); 521 fprintf(stderr, " -q Quiet (no logging)\n"); 522 fprintf(stderr, " -p port Listen on the specified port (default: 22)\n"); 523 fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n"); 524 fprintf(stderr, " -g seconds Grace period for authentication (default: 300)\n"); 525 fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n"); 526 fprintf(stderr, " -h file File from which to read host key (default: %s)\n", 527 HOST_KEY_FILE); 528 fprintf(stderr, " -4 Use IPv4 only\n"); 529 fprintf(stderr, " -6 Use IPv6 only\n"); 530 exit(1); 531 } 532 } 533 534 /* 535 * Force logging to stderr until we have loaded the private host 536 * key (unless started from inetd) 537 */ 538 log_init(av0, 539 options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, 540 options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility, 541 !silent && !inetd_flag); 542 543 /* Read server configuration options from the configuration file. */ 544 read_server_config(&options, config_file_name); 545 546 /* Fill in default values for those options not explicitly set. */ 547 fill_default_server_options(&options); 548 549 /* Check that there are no remaining arguments. */ 550 if (optind < ac) { 551 fprintf(stderr, "Extra argument %s.\n", av[optind]); 552 exit(1); 553 } 554 555 debug("sshd version %.100s", SSH_VERSION); 556 557 sensitive_data.dsa_host_key = NULL; 558 sensitive_data.host_key = NULL; 559 560 /* check if RSA support exists */ 561 if ((options.protocol & SSH_PROTO_1) && 562 rsa_alive() == 0) { 563 log("no RSA support in libssl and libcrypto. See ssl(8)"); 564 log("Disabling protocol version 1"); 565 options.protocol &= ~SSH_PROTO_1; 566 } 567 /* Load the RSA/DSA host key. It must have empty passphrase. */ 568 if (options.protocol & SSH_PROTO_1) { 569 Key k; 570 sensitive_data.host_key = RSA_new(); 571 k.type = KEY_RSA; 572 k.rsa = sensitive_data.host_key; 573 errno = 0; 574 if (!load_private_key(options.host_key_file, "", &k, NULL)) { 575 error("Could not load host key: %.200s: %.100s", 576 options.host_key_file, strerror(errno)); 577 log("Disabling protocol version 1"); 578 options.protocol &= ~SSH_PROTO_1; 579 } 580 k.rsa = NULL; 581 } 582 if (options.protocol & SSH_PROTO_2) { 583 sensitive_data.dsa_host_key = key_new(KEY_DSA); 584 if (!load_private_key(options.host_dsa_key_file, "", sensitive_data.dsa_host_key, NULL)) { 585 586 error("Could not load DSA host key: %.200s", options.host_dsa_key_file); 587 log("Disabling protocol version 2"); 588 options.protocol &= ~SSH_PROTO_2; 589 } 590 } 591 if (! options.protocol & (SSH_PROTO_1|SSH_PROTO_2)) { 592 if (silent == 0) 593 fprintf(stderr, "sshd: no hostkeys available -- exiting.\n"); 594 log("sshd: no hostkeys available -- exiting.\n"); 595 exit(1); 596 } 597 598 /* Check certain values for sanity. */ 599 if (options.protocol & SSH_PROTO_1) { 600 if (options.server_key_bits < 512 || 601 options.server_key_bits > 32768) { 602 fprintf(stderr, "Bad server key size.\n"); 603 exit(1); 604 } 605 /* 606 * Check that server and host key lengths differ sufficiently. This 607 * is necessary to make double encryption work with rsaref. Oh, I 608 * hate software patents. I dont know if this can go? Niels 609 */ 610 if (options.server_key_bits > 611 BN_num_bits(sensitive_data.host_key->n) - SSH_KEY_BITS_RESERVED && 612 options.server_key_bits < 613 BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) { 614 options.server_key_bits = 615 BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED; 616 debug("Forcing server key to %d bits to make it differ from host key.", 617 options.server_key_bits); 618 } 619 } 620 621 /* Initialize the log (it is reinitialized below in case we forked). */ 622 if (debug_flag && !inetd_flag) 623 log_stderr = 1; 624 log_init(av0, options.log_level, options.log_facility, log_stderr); 625 626 /* 627 * If not in debugging mode, and not started from inetd, disconnect 628 * from the controlling terminal, and fork. The original process 629 * exits. 630 */ 631 if (!debug_flag && !inetd_flag) { 632 #ifdef TIOCNOTTY 633 int fd; 634 #endif /* TIOCNOTTY */ 635 if (daemon(0, 0) < 0) 636 fatal("daemon() failed: %.200s", strerror(errno)); 637 638 /* Disconnect from the controlling tty. */ 639 #ifdef TIOCNOTTY 640 fd = open("/dev/tty", O_RDWR | O_NOCTTY); 641 if (fd >= 0) { 642 (void) ioctl(fd, TIOCNOTTY, NULL); 643 close(fd); 644 } 645 #endif /* TIOCNOTTY */ 646 } 647 /* Reinitialize the log (because of the fork above). */ 648 log_init(av0, options.log_level, options.log_facility, log_stderr); 649 650 /* Do not display messages to stdout in RSA code. */ 651 rsa_set_verbose(0); 652 653 /* Initialize the random number generator. */ 654 arc4random_stir(); 655 656 /* Chdir to the root directory so that the current disk can be 657 unmounted if desired. */ 658 chdir("/"); 659 660 /* Start listening for a socket, unless started from inetd. */ 661 if (inetd_flag) { 662 int s1, s2; 663 s1 = dup(0); /* Make sure descriptors 0, 1, and 2 are in use. */ 664 s2 = dup(s1); 665 sock_in = dup(0); 666 sock_out = dup(1); 667 /* 668 * We intentionally do not close the descriptors 0, 1, and 2 669 * as our code for setting the descriptors won\'t work if 670 * ttyfd happens to be one of those. 671 */ 672 debug("inetd sockets after dupping: %d, %d", sock_in, sock_out); 673 674 if (options.protocol & SSH_PROTO_1) { 675 public_key = RSA_new(); 676 sensitive_data.private_key = RSA_new(); 677 log("Generating %d bit RSA key.", options.server_key_bits); 678 rsa_generate_key(sensitive_data.private_key, public_key, 679 options.server_key_bits); 680 arc4random_stir(); 681 log("RSA key generation complete."); 682 } 683 } else { 684 for (ai = options.listen_addrs; ai; ai = ai->ai_next) { 685 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 686 continue; 687 if (num_listen_socks >= MAX_LISTEN_SOCKS) 688 fatal("Too many listen sockets. " 689 "Enlarge MAX_LISTEN_SOCKS"); 690 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, 691 ntop, sizeof(ntop), strport, sizeof(strport), 692 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 693 error("getnameinfo failed"); 694 continue; 695 } 696 /* Create socket for listening. */ 697 listen_sock = socket(ai->ai_family, SOCK_STREAM, 0); 698 if (listen_sock < 0) { 699 /* kernel may not support ipv6 */ 700 verbose("socket: %.100s", strerror(errno)); 701 continue; 702 } 703 if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) { 704 error("listen_sock O_NONBLOCK: %s", strerror(errno)); 705 close(listen_sock); 706 continue; 707 } 708 /* 709 * Set socket options. We try to make the port 710 * reusable and have it close as fast as possible 711 * without waiting in unnecessary wait states on 712 * close. 713 */ 714 setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, 715 (void *) &on, sizeof(on)); 716 linger.l_onoff = 1; 717 linger.l_linger = 5; 718 setsockopt(listen_sock, SOL_SOCKET, SO_LINGER, 719 (void *) &linger, sizeof(linger)); 720 721 debug("Bind to port %s on %s.", strport, ntop); 722 723 /* Bind the socket to the desired port. */ 724 if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { 725 error("Bind to port %s on %s failed: %.200s.", 726 strport, ntop, strerror(errno)); 727 close(listen_sock); 728 continue; 729 } 730 listen_socks[num_listen_socks] = listen_sock; 731 num_listen_socks++; 732 733 /* Start listening on the port. */ 734 log("Server listening on %s port %s.", ntop, strport); 735 if (listen(listen_sock, 5) < 0) 736 fatal("listen: %.100s", strerror(errno)); 737 738 } 739 freeaddrinfo(options.listen_addrs); 740 741 if (!num_listen_socks) 742 fatal("Cannot bind any address."); 743 744 if (!debug_flag) { 745 /* 746 * Record our pid in /etc/sshd_pid to make it easier 747 * to kill the correct sshd. We don\'t want to do 748 * this before the bind above because the bind will 749 * fail if there already is a daemon, and this will 750 * overwrite any old pid in the file. 751 */ 752 f = fopen(options.pid_file, "w"); 753 if (f) { 754 fprintf(f, "%u\n", (unsigned int) getpid()); 755 fclose(f); 756 } 757 } 758 if (options.protocol & SSH_PROTO_1) { 759 public_key = RSA_new(); 760 sensitive_data.private_key = RSA_new(); 761 762 log("Generating %d bit RSA key.", options.server_key_bits); 763 rsa_generate_key(sensitive_data.private_key, public_key, 764 options.server_key_bits); 765 arc4random_stir(); 766 log("RSA key generation complete."); 767 768 /* Schedule server key regeneration alarm. */ 769 signal(SIGALRM, key_regeneration_alarm); 770 alarm(options.key_regeneration_time); 771 } 772 773 /* Arrange to restart on SIGHUP. The handler needs listen_sock. */ 774 signal(SIGHUP, sighup_handler); 775 signal(SIGTERM, sigterm_handler); 776 signal(SIGQUIT, sigterm_handler); 777 778 /* Arrange SIGCHLD to be caught. */ 779 signal(SIGCHLD, main_sigchld_handler); 780 781 /* setup fd set for listen */ 782 maxfd = 0; 783 for (i = 0; i < num_listen_socks; i++) 784 if (listen_socks[i] > maxfd) 785 maxfd = listen_socks[i]; 786 fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask); 787 fdset = (fd_set *)xmalloc(fdsetsz); 788 789 /* Initialize the magic_connections table. It's magical! */ 790 magic_connections = calloc(MAGIC_CONNECTIONS_SIZE, 791 sizeof(struct magic_connection)); 792 if (magic_connections == NULL) 793 fatal("calloc: %s", strerror(errno)); 794 795 /* 796 * Stay listening for connections until the system crashes or 797 * the daemon is killed with a signal. 798 */ 799 for (;;) { 800 if (received_sighup) 801 sighup_restart(); 802 /* Wait in select until there is a connection. */ 803 memset(fdset, 0, fdsetsz); 804 for (i = 0; i < num_listen_socks; i++) 805 FD_SET(listen_socks[i], fdset); 806 if (select(maxfd + 1, fdset, NULL, NULL, NULL) < 0) { 807 if (errno != EINTR) 808 error("select: %.100s", strerror(errno)); 809 continue; 810 } 811 for (i = 0; i < num_listen_socks; i++) { 812 if (!FD_ISSET(listen_socks[i], fdset)) 813 continue; 814 fromlen = sizeof(from); 815 newsock = accept(listen_socks[i], (struct sockaddr *)&from, 816 &fromlen); 817 if (newsock < 0) { 818 if (errno != EINTR && errno != EWOULDBLOCK) 819 error("accept: %.100s", strerror(errno)); 820 continue; 821 } 822 if (fcntl(newsock, F_SETFL, 0) < 0) { 823 error("newsock del O_NONBLOCK: %s", strerror(errno)); 824 continue; 825 } 826 if (options.connections_per_period != 0) { 827 struct timeval diff, connections_end; 828 struct magic_connection *mc; 829 830 (void)gettimeofday(&connections_end, NULL); 831 mc = &magic_connections[magic_hash((struct sockaddr *)0)]; 832 diff = timevaldiff(&mc->connections_begin, &connections_end); 833 if (diff.tv_sec >= options.connections_period) { 834 /* 835 * Slide the window forward only after completely 836 * leaving it. 837 */ 838 mc->connections_begin = connections_end; 839 mc->connections_this_period = 1; 840 } else { 841 if (++mc->connections_this_period > 842 options.connections_per_period) 843 connections_per_period_exceeded = 1; 844 } 845 } 846 847 /* 848 * Got connection. Fork a child to handle it unless 849 * we are in debugging mode or the maximum number of 850 * connections per period has been exceeded. 851 */ 852 if (debug_flag) { 853 /* 854 * In debugging mode. Close the listening 855 * socket, and start processing the 856 * connection without forking. 857 */ 858 debug("Server will not fork when running in debugging mode."); 859 close_listen_socks(); 860 sock_in = newsock; 861 sock_out = newsock; 862 pid = getpid(); 863 break; 864 } else if (connections_per_period_exceeded) { 865 log("Connection rate limit of %u/%us has been exceeded; " 866 "dropping connection from %s.", 867 options.connections_per_period, options.connections_period, 868 ntop); 869 connections_per_period_exceeded = 0; 870 } else { 871 /* 872 * Normal production daemon. Fork, and have 873 * the child process the connection. The 874 * parent continues listening. 875 */ 876 if ((pid = fork()) == 0) { 877 /* 878 * Child. Close the listening socket, and start using the 879 * accepted socket. Reinitialize logging (since our pid has 880 * changed). We break out of the loop to handle the connection. 881 */ 882 close_listen_socks(); 883 sock_in = newsock; 884 sock_out = newsock; 885 log_init(av0, options.log_level, options.log_facility, log_stderr); 886 break; 887 } 888 } 889 890 /* Parent. Stay in the loop. */ 891 if (pid < 0) 892 error("fork: %.100s", strerror(errno)); 893 else 894 debug("Forked child %d.", pid); 895 896 /* Mark that the key has been used (it was "given" to the child). */ 897 key_used = 1; 898 899 arc4random_stir(); 900 901 /* Close the new socket (the child is now taking care of it). */ 902 close(newsock); 903 } /* for (i = 0; i < num_listen_socks; i++) */ 904 /* child process check (or debug mode) */ 905 if (num_listen_socks < 0) 906 break; 907 } 908 } 909 910 /* This is the child processing a new connection. */ 911 912 /* 913 * Disable the key regeneration alarm. We will not regenerate the 914 * key since we are no longer in a position to give it to anyone. We 915 * will not restart on SIGHUP since it no longer makes sense. 916 */ 917 alarm(0); 918 signal(SIGALRM, SIG_DFL); 919 signal(SIGHUP, SIG_DFL); 920 signal(SIGTERM, SIG_DFL); 921 signal(SIGQUIT, SIG_DFL); 922 signal(SIGCHLD, SIG_DFL); 923 924 /* 925 * Set socket options for the connection. We want the socket to 926 * close as fast as possible without waiting for anything. If the 927 * connection is not a socket, these will do nothing. 928 */ 929 /* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */ 930 linger.l_onoff = 1; 931 linger.l_linger = 5; 932 setsockopt(sock_in, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger)); 933 934 /* 935 * Register our connection. This turns encryption off because we do 936 * not have a key. 937 */ 938 packet_set_connection(sock_in, sock_out); 939 940 remote_port = get_remote_port(); 941 remote_ip = get_remote_ipaddr(); 942 943 /* Check whether logins are denied from this host. */ 944 #ifdef LIBWRAP 945 { 946 struct request_info req; 947 948 request_init(&req, RQ_DAEMON, av0, RQ_FILE, sock_in, NULL); 949 fromhost(&req); 950 951 if (!hosts_access(&req)) { 952 close(sock_in); 953 close(sock_out); 954 refuse(&req); 955 } 956 verbose("Connection from %.500s port %d", eval_client(&req), remote_port); 957 } 958 #endif /* LIBWRAP */ 959 /* Log the connection. */ 960 verbose("Connection from %.500s port %d", remote_ip, remote_port); 961 962 /* 963 * We don\'t want to listen forever unless the other side 964 * successfully authenticates itself. So we set up an alarm which is 965 * cleared after successful authentication. A limit of zero 966 * indicates no limit. Note that we don\'t set the alarm in debugging 967 * mode; it is just annoying to have the server exit just when you 968 * are about to discover the bug. 969 */ 970 signal(SIGALRM, grace_alarm_handler); 971 if (!debug_flag) 972 alarm(options.login_grace_time); 973 974 sshd_exchange_identification(sock_in, sock_out); 975 /* 976 * Check that the connection comes from a privileged port. Rhosts- 977 * and Rhosts-RSA-Authentication only make sense from priviledged 978 * programs. Of course, if the intruder has root access on his local 979 * machine, he can connect from any port. So do not use these 980 * authentication methods from machines that you do not trust. 981 */ 982 if (remote_port >= IPPORT_RESERVED || 983 remote_port < IPPORT_RESERVED / 2) { 984 options.rhosts_authentication = 0; 985 options.rhosts_rsa_authentication = 0; 986 } 987 #ifdef KRB4 988 if (!packet_connection_is_ipv4() && 989 options.krb4_authentication) { 990 debug("Kerberos Authentication disabled, only available for IPv4."); 991 options.krb4_authentication = 0; 992 } 993 #endif /* KRB4 */ 994 995 packet_set_nonblocking(); 996 997 /* perform the key exchange */ 998 /* authenticate user and start session */ 999 if (compat20) { 1000 do_ssh2_kex(); 1001 do_authentication2(); 1002 } else { 1003 do_ssh1_kex(); 1004 do_authentication(); 1005 } 1006 1007 #ifdef KRB4 1008 /* Cleanup user's ticket cache file. */ 1009 if (options.krb4_ticket_cleanup) 1010 (void) dest_tkt(); 1011 #endif /* KRB4 */ 1012 1013 /* The connection has been terminated. */ 1014 verbose("Closing connection to %.100s", remote_ip); 1015 packet_close(); 1016 exit(0); 1017 } 1018 1019 /* 1020 * SSH1 key exchange 1021 */ 1022 void 1023 do_ssh1_kex() 1024 { 1025 int i, len; 1026 int plen, slen; 1027 BIGNUM *session_key_int; 1028 unsigned char session_key[SSH_SESSION_KEY_LENGTH]; 1029 unsigned char cookie[8]; 1030 unsigned int cipher_type, auth_mask, protocol_flags; 1031 u_int32_t rand = 0; 1032 1033 /* 1034 * Generate check bytes that the client must send back in the user 1035 * packet in order for it to be accepted; this is used to defy ip 1036 * spoofing attacks. Note that this only works against somebody 1037 * doing IP spoofing from a remote machine; any machine on the local 1038 * network can still see outgoing packets and catch the random 1039 * cookie. This only affects rhosts authentication, and this is one 1040 * of the reasons why it is inherently insecure. 1041 */ 1042 for (i = 0; i < 8; i++) { 1043 if (i % 4 == 0) 1044 rand = arc4random(); 1045 cookie[i] = rand & 0xff; 1046 rand >>= 8; 1047 } 1048 1049 /* 1050 * Send our public key. We include in the packet 64 bits of random 1051 * data that must be matched in the reply in order to prevent IP 1052 * spoofing. 1053 */ 1054 packet_start(SSH_SMSG_PUBLIC_KEY); 1055 for (i = 0; i < 8; i++) 1056 packet_put_char(cookie[i]); 1057 1058 /* Store our public server RSA key. */ 1059 packet_put_int(BN_num_bits(public_key->n)); 1060 packet_put_bignum(public_key->e); 1061 packet_put_bignum(public_key->n); 1062 1063 /* Store our public host RSA key. */ 1064 packet_put_int(BN_num_bits(sensitive_data.host_key->n)); 1065 packet_put_bignum(sensitive_data.host_key->e); 1066 packet_put_bignum(sensitive_data.host_key->n); 1067 1068 /* Put protocol flags. */ 1069 packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN); 1070 1071 /* Declare which ciphers we support. */ 1072 packet_put_int(cipher_mask1()); 1073 1074 /* Declare supported authentication types. */ 1075 auth_mask = 0; 1076 if (options.rhosts_authentication) 1077 auth_mask |= 1 << SSH_AUTH_RHOSTS; 1078 if (options.rhosts_rsa_authentication) 1079 auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; 1080 if (options.rsa_authentication) 1081 auth_mask |= 1 << SSH_AUTH_RSA; 1082 #ifdef KRB4 1083 if (options.krb4_authentication) 1084 auth_mask |= 1 << SSH_AUTH_KRB4; 1085 #endif 1086 #ifdef KRB5 1087 if (options.krb5_authentication) { 1088 auth_mask |= 1 << SSH_AUTH_KRB5; 1089 /* compatibility with MetaCentre ssh */ 1090 auth_mask |= 1 << SSH_AUTH_KRB4; 1091 } 1092 if (options.krb5_tgt_passing) 1093 auth_mask |= 1 << SSH_PASS_KRB5_TGT; 1094 #endif /* KRB5 */ 1095 1096 #ifdef AFS 1097 if (options.krb4_tgt_passing) 1098 auth_mask |= 1 << SSH_PASS_KRB4_TGT; 1099 if (options.afs_token_passing) 1100 auth_mask |= 1 << SSH_PASS_AFS_TOKEN; 1101 #endif 1102 #ifdef SKEY 1103 if (options.skey_authentication == 1) 1104 auth_mask |= 1 << SSH_AUTH_TIS; 1105 #endif 1106 if (options.password_authentication) 1107 auth_mask |= 1 << SSH_AUTH_PASSWORD; 1108 packet_put_int(auth_mask); 1109 1110 /* Send the packet and wait for it to be sent. */ 1111 packet_send(); 1112 packet_write_wait(); 1113 1114 debug("Sent %d bit public key and %d bit host key.", 1115 BN_num_bits(public_key->n), BN_num_bits(sensitive_data.host_key->n)); 1116 1117 /* Read clients reply (cipher type and session key). */ 1118 packet_read_expect(&plen, SSH_CMSG_SESSION_KEY); 1119 1120 /* Get cipher type and check whether we accept this. */ 1121 cipher_type = packet_get_char(); 1122 1123 if (!(cipher_mask() & (1 << cipher_type))) 1124 packet_disconnect("Warning: client selects unsupported cipher."); 1125 1126 /* Get check bytes from the packet. These must match those we 1127 sent earlier with the public key packet. */ 1128 for (i = 0; i < 8; i++) 1129 if (cookie[i] != packet_get_char()) 1130 packet_disconnect("IP Spoofing check bytes do not match."); 1131 1132 debug("Encryption type: %.200s", cipher_name(cipher_type)); 1133 1134 /* Get the encrypted integer. */ 1135 session_key_int = BN_new(); 1136 packet_get_bignum(session_key_int, &slen); 1137 1138 protocol_flags = packet_get_int(); 1139 packet_set_protocol_flags(protocol_flags); 1140 1141 packet_integrity_check(plen, 1 + 8 + slen + 4, SSH_CMSG_SESSION_KEY); 1142 1143 /* 1144 * Decrypt it using our private server key and private host key (key 1145 * with larger modulus first). 1146 */ 1147 if (BN_cmp(sensitive_data.private_key->n, sensitive_data.host_key->n) > 0) { 1148 /* Private key has bigger modulus. */ 1149 if (BN_num_bits(sensitive_data.private_key->n) < 1150 BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) { 1151 fatal("do_connection: %s: private_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d", 1152 get_remote_ipaddr(), 1153 BN_num_bits(sensitive_data.private_key->n), 1154 BN_num_bits(sensitive_data.host_key->n), 1155 SSH_KEY_BITS_RESERVED); 1156 } 1157 rsa_private_decrypt(session_key_int, session_key_int, 1158 sensitive_data.private_key); 1159 rsa_private_decrypt(session_key_int, session_key_int, 1160 sensitive_data.host_key); 1161 } else { 1162 /* Host key has bigger modulus (or they are equal). */ 1163 if (BN_num_bits(sensitive_data.host_key->n) < 1164 BN_num_bits(sensitive_data.private_key->n) + SSH_KEY_BITS_RESERVED) { 1165 fatal("do_connection: %s: host_key %d < private_key %d + SSH_KEY_BITS_RESERVED %d", 1166 get_remote_ipaddr(), 1167 BN_num_bits(sensitive_data.host_key->n), 1168 BN_num_bits(sensitive_data.private_key->n), 1169 SSH_KEY_BITS_RESERVED); 1170 } 1171 rsa_private_decrypt(session_key_int, session_key_int, 1172 sensitive_data.host_key); 1173 rsa_private_decrypt(session_key_int, session_key_int, 1174 sensitive_data.private_key); 1175 } 1176 1177 compute_session_id(session_id, cookie, 1178 sensitive_data.host_key->n, 1179 sensitive_data.private_key->n); 1180 1181 /* Destroy the private and public keys. They will no longer be needed. */ 1182 destroy_sensitive_data(); 1183 1184 /* 1185 * Extract session key from the decrypted integer. The key is in the 1186 * least significant 256 bits of the integer; the first byte of the 1187 * key is in the highest bits. 1188 */ 1189 BN_mask_bits(session_key_int, sizeof(session_key) * 8); 1190 len = BN_num_bytes(session_key_int); 1191 if (len < 0 || len > sizeof(session_key)) 1192 fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d", 1193 get_remote_ipaddr(), 1194 len, sizeof(session_key)); 1195 memset(session_key, 0, sizeof(session_key)); 1196 BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len); 1197 1198 /* Destroy the decrypted integer. It is no longer needed. */ 1199 BN_clear_free(session_key_int); 1200 1201 /* Xor the first 16 bytes of the session key with the session id. */ 1202 for (i = 0; i < 16; i++) 1203 session_key[i] ^= session_id[i]; 1204 1205 /* Set the session key. From this on all communications will be encrypted. */ 1206 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type); 1207 1208 /* Destroy our copy of the session key. It is no longer needed. */ 1209 memset(session_key, 0, sizeof(session_key)); 1210 1211 debug("Received session key; encryption turned on."); 1212 1213 /* Send an acknowledgement packet. Note that this packet is sent encrypted. */ 1214 packet_start(SSH_SMSG_SUCCESS); 1215 packet_send(); 1216 packet_write_wait(); 1217 } 1218 1219 /* 1220 * SSH2 key exchange: diffie-hellman-group1-sha1 1221 */ 1222 void 1223 do_ssh2_kex() 1224 { 1225 Buffer *server_kexinit; 1226 Buffer *client_kexinit; 1227 int payload_len, dlen; 1228 int slen; 1229 unsigned int klen, kout; 1230 unsigned char *signature = NULL; 1231 unsigned char *server_host_key_blob = NULL; 1232 unsigned int sbloblen; 1233 DH *dh; 1234 BIGNUM *dh_client_pub = 0; 1235 BIGNUM *shared_secret = 0; 1236 int i; 1237 unsigned char *kbuf; 1238 unsigned char *hash; 1239 Kex *kex; 1240 char *cprop[PROPOSAL_MAX]; 1241 1242 /* KEXINIT */ 1243 1244 if (options.ciphers != NULL) { 1245 myproposal[PROPOSAL_ENC_ALGS_CTOS] = 1246 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; 1247 } 1248 server_kexinit = kex_init(myproposal); 1249 client_kexinit = xmalloc(sizeof(*client_kexinit)); 1250 buffer_init(client_kexinit); 1251 1252 /* algorithm negotiation */ 1253 kex_exchange_kexinit(server_kexinit, client_kexinit, cprop); 1254 kex = kex_choose_conf(cprop, myproposal, 1); 1255 for (i = 0; i < PROPOSAL_MAX; i++) 1256 xfree(cprop[i]); 1257 1258 /* KEXDH */ 1259 1260 debug("Wait SSH2_MSG_KEXDH_INIT."); 1261 packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT); 1262 1263 /* key, cert */ 1264 dh_client_pub = BN_new(); 1265 if (dh_client_pub == NULL) 1266 fatal("dh_client_pub == NULL"); 1267 packet_get_bignum2(dh_client_pub, &dlen); 1268 1269 #ifdef DEBUG_KEXDH 1270 fprintf(stderr, "\ndh_client_pub= "); 1271 bignum_print(dh_client_pub); 1272 fprintf(stderr, "\n"); 1273 debug("bits %d", BN_num_bits(dh_client_pub)); 1274 #endif 1275 1276 /* generate DH key */ 1277 dh = dh_new_group1(); /* XXX depends on 'kex' */ 1278 1279 #ifdef DEBUG_KEXDH 1280 fprintf(stderr, "\np= "); 1281 bignum_print(dh->p); 1282 fprintf(stderr, "\ng= "); 1283 bignum_print(dh->g); 1284 fprintf(stderr, "\npub= "); 1285 bignum_print(dh->pub_key); 1286 fprintf(stderr, "\n"); 1287 #endif 1288 if (!dh_pub_is_valid(dh, dh_client_pub)) 1289 packet_disconnect("bad client public DH value"); 1290 1291 klen = DH_size(dh); 1292 kbuf = xmalloc(klen); 1293 kout = DH_compute_key(kbuf, dh_client_pub, dh); 1294 1295 #ifdef DEBUG_KEXDH 1296 debug("shared secret: len %d/%d", klen, kout); 1297 fprintf(stderr, "shared secret == "); 1298 for (i = 0; i< kout; i++) 1299 fprintf(stderr, "%02x", (kbuf[i])&0xff); 1300 fprintf(stderr, "\n"); 1301 #endif 1302 shared_secret = BN_new(); 1303 1304 BN_bin2bn(kbuf, kout, shared_secret); 1305 memset(kbuf, 0, klen); 1306 xfree(kbuf); 1307 1308 /* XXX precompute? */ 1309 dsa_make_key_blob(sensitive_data.dsa_host_key, &server_host_key_blob, &sbloblen); 1310 1311 /* calc H */ /* XXX depends on 'kex' */ 1312 hash = kex_hash( 1313 client_version_string, 1314 server_version_string, 1315 buffer_ptr(client_kexinit), buffer_len(client_kexinit), 1316 buffer_ptr(server_kexinit), buffer_len(server_kexinit), 1317 (char *)server_host_key_blob, sbloblen, 1318 dh_client_pub, 1319 dh->pub_key, 1320 shared_secret 1321 ); 1322 buffer_free(client_kexinit); 1323 buffer_free(server_kexinit); 1324 xfree(client_kexinit); 1325 xfree(server_kexinit); 1326 #ifdef DEBUG_KEXDH 1327 fprintf(stderr, "hash == "); 1328 for (i = 0; i< 20; i++) 1329 fprintf(stderr, "%02x", (hash[i])&0xff); 1330 fprintf(stderr, "\n"); 1331 #endif 1332 /* save session id := H */ 1333 /* XXX hashlen depends on KEX */ 1334 session_id2_len = 20; 1335 session_id2 = xmalloc(session_id2_len); 1336 memcpy(session_id2, hash, session_id2_len); 1337 1338 /* sign H */ 1339 /* XXX hashlen depends on KEX */ 1340 dsa_sign(sensitive_data.dsa_host_key, &signature, &slen, hash, 20); 1341 1342 destroy_sensitive_data(); 1343 1344 /* send server hostkey, DH pubkey 'f' and singed H */ 1345 packet_start(SSH2_MSG_KEXDH_REPLY); 1346 packet_put_string((char *)server_host_key_blob, sbloblen); 1347 packet_put_bignum2(dh->pub_key); /* f */ 1348 packet_put_string((char *)signature, slen); 1349 packet_send(); 1350 xfree(signature); 1351 xfree(server_host_key_blob); 1352 packet_write_wait(); 1353 1354 kex_derive_keys(kex, hash, shared_secret); 1355 packet_set_kex(kex); 1356 1357 /* have keys, free DH */ 1358 DH_free(dh); 1359 1360 debug("send SSH2_MSG_NEWKEYS."); 1361 packet_start(SSH2_MSG_NEWKEYS); 1362 packet_send(); 1363 packet_write_wait(); 1364 debug("done: send SSH2_MSG_NEWKEYS."); 1365 1366 debug("Wait SSH2_MSG_NEWKEYS."); 1367 packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS); 1368 debug("GOT SSH2_MSG_NEWKEYS."); 1369 1370 #ifdef DEBUG_KEXDH 1371 /* send 1st encrypted/maced/compressed message */ 1372 packet_start(SSH2_MSG_IGNORE); 1373 packet_put_cstring("markus"); 1374 packet_send(); 1375 packet_write_wait(); 1376 #endif 1377 debug("done: KEX2."); 1378 } 1379