xref: /titanic_41/usr/src/cmd/ssh/sshd/sshd.c (revision 24a1f0af9f770e0e795ef1fa1c6dece8dd8dc959)
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * This program is the ssh daemon.  It listens for connections from clients,
6  * and performs authentication, executes use commands or shell, and forwards
7  * information to/from the application to the user client over an encrypted
8  * connection.  This can also handle forwarding of X11, TCP/IP, and
9  * authentication agent connections.
10  *
11  * As far as I am concerned, the code I have written for this software
12  * can be used freely for any purpose.  Any derived versions of this
13  * software must be clearly marked as such, and if the derived work is
14  * incompatible with the protocol description in the RFC file, it must be
15  * called by a name other than "ssh" or "Secure Shell".
16  *
17  * SSH2 implementation:
18  * Privilege Separation:
19  *
20  * Copyright (c) 2000, 2001, 2002 Markus Friedl.  All rights reserved.
21  * Copyright (c) 2002 Niels Provos.  All rights reserved.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the above copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  *
32  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
33  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
34  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
35  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
36  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
37  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
38  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
39  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
41  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
42  */
43 /*
44  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
45  * Use is subject to license terms.
46  */
47 
48 #include "includes.h"
49 RCSID("$OpenBSD: sshd.c,v 1.260 2002/09/27 10:42:09 mickey Exp $");
50 
51 #include <openssl/dh.h>
52 #include <openssl/bn.h>
53 #include <openssl/md5.h>
54 
55 #include <openssl/rand.h>
56 #ifdef HAVE_SECUREWARE
57 #include <sys/security.h>
58 #include <prot.h>
59 #endif
60 
61 #include "ssh.h"
62 #include "ssh1.h"
63 #include "ssh2.h"
64 #include "xmalloc.h"
65 #include "rsa.h"
66 #include "sshpty.h"
67 #include "packet.h"
68 #include "mpaux.h"
69 #include "log.h"
70 #include "servconf.h"
71 #include "uidswap.h"
72 #include "compat.h"
73 #include "buffer.h"
74 #include "cipher.h"
75 #include "kex.h"
76 #include "key.h"
77 #include "dh.h"
78 #include "myproposal.h"
79 #include "authfile.h"
80 #include "pathnames.h"
81 #include "atomicio.h"
82 #include "canohost.h"
83 #include "auth.h"
84 #include "misc.h"
85 #include "dispatch.h"
86 #include "channels.h"
87 #include "session.h"
88 #include "g11n.h"
89 #include "sshlogin.h"
90 #include "xlist.h"
91 #include "engine.h"
92 
93 #ifdef HAVE_BSM
94 #include "bsmaudit.h"
95 #endif /* HAVE_BSM */
96 
97 #ifdef ALTPRIVSEP
98 #include "altprivsep.h"
99 #endif /* ALTPRIVSEP */
100 
101 #ifdef HAVE_SOLARIS_CONTRACTS
102 #include <sys/ctfs.h>
103 #include <sys/contract.h>
104 #include <sys/contract/process.h>
105 #include <libcontract.h>
106 #endif /* HAVE_SOLARIS_CONTRACTS */
107 
108 #ifdef GSSAPI
109 #include "ssh-gss.h"
110 #endif /* GSSAPI */
111 
112 #ifdef LIBWRAP
113 #include <tcpd.h>
114 #include <syslog.h>
115 #ifndef lint
116 int allow_severity = LOG_INFO;
117 int deny_severity = LOG_WARNING;
118 #endif /* lint */
119 #endif /* LIBWRAP */
120 
121 #ifndef O_NOCTTY
122 #define O_NOCTTY	0
123 #endif
124 
125 #ifdef HAVE___PROGNAME
126 extern char *__progname;
127 #else
128 char *__progname;
129 #endif
130 
131 /* Server configuration options. */
132 ServerOptions options;
133 
134 /* Name of the server configuration file. */
135 static char *config_file_name = _PATH_SERVER_CONFIG_FILE;
136 
137 /*
138  * Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
139  * Default value is AF_UNSPEC means both IPv4 and IPv6.
140  */
141 #ifdef IPV4_DEFAULT
142 int IPv4or6 = AF_INET;
143 #else
144 int IPv4or6 = AF_UNSPEC;
145 #endif
146 
147 /*
148  * Debug mode flag.  This can be set on the command line.  If debug
149  * mode is enabled, extra debugging output will be sent to the system
150  * log, the daemon will not go to background, and will exit after processing
151  * the first connection.
152  */
153 int debug_flag = 0;
154 
155 /* Flag indicating that the daemon should only test the configuration and keys. */
156 static int test_flag = 0;
157 
158 /* Flag indicating that the daemon is being started from inetd. */
159 static int inetd_flag = 0;
160 
161 /* Flag indicating that sshd should not detach and become a daemon. */
162 static int no_daemon_flag = 0;
163 
164 /* debug goes to stderr unless inetd_flag is set */
165 int log_stderr = 0;
166 
167 /* Saved arguments to main(). */
168 static char **saved_argv;
169 static int saved_argc;
170 
171 /*
172  * The sockets that the server is listening; this is used in the SIGHUP
173  * signal handler.
174  */
175 #define	MAX_LISTEN_SOCKS	16
176 static int listen_socks[MAX_LISTEN_SOCKS];
177 static int num_listen_socks = 0;
178 
179 /*
180  * the client's version string, passed by sshd2 in compat mode. if != NULL,
181  * sshd will skip the version-number exchange
182  */
183 static char *client_version_string = NULL;
184 static char *server_version_string = NULL;
185 
186 /* for rekeying XXX fixme */
187 Kex *xxx_kex;
188 
189 /*
190  * Any really sensitive data in the application is contained in this
191  * structure. The idea is that this structure could be locked into memory so
192  * that the pages do not get written into swap.  However, there are some
193  * problems. The private key contains BIGNUMs, and we do not (in principle)
194  * have access to the internals of them, and locking just the structure is
195  * not very useful.  Currently, memory locking is not implemented.
196  */
197 static struct {
198 	Key	*server_key;		/* ephemeral server key */
199 	Key	*ssh1_host_key;		/* ssh1 host key */
200 	Key	**host_keys;		/* all private host keys */
201 	int	have_ssh1_key;
202 	int	have_ssh2_key;
203 	u_char	ssh1_cookie[SSH_SESSION_KEY_LENGTH];
204 } sensitive_data;
205 
206 /*
207  * Flag indicating whether the RSA server key needs to be regenerated.
208  * Is set in the SIGALRM handler and cleared when the key is regenerated.
209  */
210 static volatile sig_atomic_t key_do_regen = 0;
211 
212 /* This is set to true when a signal is received. */
213 static volatile sig_atomic_t received_sighup = 0;
214 static volatile sig_atomic_t received_sigterm = 0;
215 
216 /* session identifier, used by RSA-auth */
217 u_char session_id[16];
218 
219 /* same for ssh2 */
220 u_char *session_id2 = NULL;
221 int session_id2_len = 0;
222 
223 /* record remote hostname or ip */
224 u_int utmp_len = MAXHOSTNAMELEN;
225 
226 /* options.max_startup sized array of fd ints */
227 static int *startup_pipes = NULL;
228 static int startup_pipe = -1;	/* in child */
229 
230 #ifdef GSSAPI
231 static gss_OID_set mechs = GSS_C_NULL_OID_SET;
232 #endif /* GSSAPI */
233 
234 /* Prototypes for various functions defined later in this file. */
235 void destroy_sensitive_data(void);
236 static void demote_sensitive_data(void);
237 
238 static void do_ssh1_kex(void);
239 static void do_ssh2_kex(void);
240 
241 /*
242  * Close all listening sockets
243  */
244 static void
245 close_listen_socks(void)
246 {
247 	int i;
248 
249 	for (i = 0; i < num_listen_socks; i++)
250 		(void) close(listen_socks[i]);
251 	num_listen_socks = -1;
252 }
253 
254 static void
255 close_startup_pipes(void)
256 {
257 	int i;
258 
259 	if (startup_pipes)
260 		for (i = 0; i < options.max_startups; i++)
261 			if (startup_pipes[i] != -1)
262 				(void) close(startup_pipes[i]);
263 }
264 
265 /*
266  * Signal handler for SIGHUP.  Sshd execs itself when it receives SIGHUP;
267  * the effect is to reread the configuration file (and to regenerate
268  * the server key).
269  */
270 static void
271 sighup_handler(int sig)
272 {
273 	int save_errno = errno;
274 
275 	received_sighup = 1;
276 	(void) signal(SIGHUP, sighup_handler);
277 	errno = save_errno;
278 }
279 
280 /*
281  * Called from the main program after receiving SIGHUP.
282  * Restarts the server.
283  */
284 static void
285 sighup_restart(void)
286 {
287 	log("Received SIGHUP; restarting.");
288 	close_listen_socks();
289 	close_startup_pipes();
290 	(void) execv(saved_argv[0], saved_argv);
291 	log("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
292 	    strerror(errno));
293 	exit(1);
294 }
295 
296 /*
297  * Generic signal handler for terminating signals in the master daemon.
298  */
299 static void
300 sigterm_handler(int sig)
301 {
302 	received_sigterm = sig;
303 }
304 
305 /*
306  * SIGCHLD handler.  This is called whenever a child dies.  This will then
307  * reap any zombies left by exited children.
308  */
309 static void
310 main_sigchld_handler(int sig)
311 {
312 	int save_errno = errno;
313 	pid_t pid;
314 	int status;
315 
316 	while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
317 	    (pid < 0 && errno == EINTR))
318 		;
319 
320 	(void) signal(SIGCHLD, main_sigchld_handler);
321 	errno = save_errno;
322 }
323 
324 /*
325  * Signal handler for the alarm after the login grace period has expired.
326  */
327 static void
328 grace_alarm_handler(int sig)
329 {
330 	/* XXX no idea how fix this signal handler */
331 
332 	/* Log error and exit. */
333 	fatal("Timeout before authentication for %s", get_remote_ipaddr());
334 }
335 
336 #ifdef HAVE_SOLARIS_CONTRACTS
337 static int contracts_fd = -1;
338 void
339 contracts_pre_fork()
340 {
341 	const char *during = "opening process contract template";
342 
343 	/*
344 	 * Failure should not be treated as fatal on the theory that
345 	 * it's better to start with children in the same contract as
346 	 * the master listener than not at all.
347 	 */
348 
349 	if (contracts_fd == -1) {
350 		if ((contracts_fd = open64(CTFS_ROOT "/process/template",
351 				O_RDWR)) == -1)
352 			goto cleanup;
353 
354 		during = "setting sundry contract terms";
355 		if ((errno = ct_pr_tmpl_set_param(contracts_fd, CT_PR_PGRPONLY)))
356 			goto cleanup;
357 
358 		if ((errno = ct_tmpl_set_informative(contracts_fd, CT_PR_EV_HWERR)))
359 			goto cleanup;
360 
361 		if ((errno = ct_pr_tmpl_set_fatal(contracts_fd, CT_PR_EV_HWERR)))
362 			goto cleanup;
363 
364 		if ((errno = ct_tmpl_set_critical(contracts_fd, 0)))
365 			goto cleanup;
366 	}
367 
368 	during = "setting active template";
369 	if ((errno = ct_tmpl_activate(contracts_fd)))
370 		goto cleanup;
371 
372 	debug3("Set active contract");
373 	return;
374 
375 cleanup:
376 	if (contracts_fd != -1)
377 		(void) close(contracts_fd);
378 
379 	contracts_fd = -1;
380 
381 	if (errno)
382 		debug2("Error while trying to set up active contract"
383 			" template: %s while %s", strerror(errno), during);
384 }
385 
386 void
387 contracts_post_fork_child()
388 {
389 	/* Clear active template so fork() creates no new contracts. */
390 
391 	if (contracts_fd == -1)
392 		return;
393 
394 	if ((errno = (ct_tmpl_clear(contracts_fd))))
395 		debug2("Error while trying to clear active contract template"
396 			" (child): %s", strerror(errno));
397 	else
398 		debug3("Cleared active contract template (child)");
399 
400 	(void) close(contracts_fd);
401 
402 	contracts_fd = -1;
403 }
404 
405 void
406 contracts_post_fork_parent(int fork_succeeded)
407 {
408 	char path[PATH_MAX];
409 	int cfd, n;
410 	ct_stathdl_t st;
411 	ctid_t latest;
412 
413 	/* Clear active template, abandon latest contract. */
414 	if (contracts_fd == -1)
415 		return;
416 
417 	if ((errno = ct_tmpl_clear(contracts_fd)))
418 		debug2("Error while clearing active contract template: %s",
419 			strerror(errno));
420 	else
421 		debug3("Cleared active contract template (parent)");
422 
423 	if (!fork_succeeded)
424 		return;
425 
426 	if ((cfd = open64(CTFS_ROOT "/process/latest", O_RDONLY)) == -1) {
427 		debug2("Error while getting latest contract: %s",
428 			strerror(errno));
429 		return;
430 	}
431 
432 	if ((errno = ct_status_read(cfd, CTD_COMMON, &st)) != 0) {
433 		debug2("Error while getting latest contract ID: %s",
434 			strerror(errno));
435 		(void) close(cfd);
436 		return;
437 	}
438 
439 	latest = ct_status_get_id(st);
440 	ct_status_free(st);
441 	(void) close(cfd);
442 
443 	n = snprintf(path, PATH_MAX, CTFS_ROOT "/all/%ld/ctl", latest);
444 
445 	if (n >= PATH_MAX) {
446 		debug2("Error while opening the latest contract ctl file: %s",
447 			strerror(ENAMETOOLONG));
448 		return;
449 	}
450 
451 	if ((cfd = open64(path, O_WRONLY)) == -1) {
452 		debug2("Error while opening the latest contract ctl file: %s",
453 			strerror(errno));
454 		return;
455 	}
456 
457 	if ((errno = ct_ctl_abandon(cfd)))
458 		debug2("Error while abandoning latest contract: %s",
459 			strerror(errno));
460 	else
461 		debug3("Abandoned latest contract");
462 
463 	(void) close(cfd);
464 }
465 #endif /* HAVE_SOLARIS_CONTRACTS */
466 
467 /*
468  * Signal handler for the key regeneration alarm.  Note that this
469  * alarm only occurs in the daemon waiting for connections, and it does not
470  * do anything with the private key or random state before forking.
471  * Thus there should be no concurrency control/asynchronous execution
472  * problems.
473  */
474 static void
475 generate_ephemeral_server_key(void)
476 {
477 	u_int32_t rnd = 0;
478 	int i;
479 
480 	verbose("Generating %s%d bit RSA key.",
481 	    sensitive_data.server_key ? "new " : "", options.server_key_bits);
482 	if (sensitive_data.server_key != NULL)
483 		key_free(sensitive_data.server_key);
484 	sensitive_data.server_key = key_generate(KEY_RSA1,
485 	    options.server_key_bits);
486 	verbose("RSA key generation complete.");
487 
488 	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
489 		if (i % 4 == 0)
490 			rnd = arc4random();
491 		sensitive_data.ssh1_cookie[i] = rnd & 0xff;
492 		rnd >>= 8;
493 	}
494 	arc4random_stir();
495 }
496 
497 static void
498 key_regeneration_alarm(int sig)
499 {
500 	int save_errno = errno;
501 
502 	(void) signal(SIGALRM, SIG_DFL);
503 	errno = save_errno;
504 	key_do_regen = 1;
505 }
506 
507 static void
508 sshd_exchange_identification(int sock_in, int sock_out)
509 {
510 	int i, mismatch;
511 	int remote_major, remote_minor;
512 	int major, minor;
513 	char *s;
514 	char buf[256];			/* Must not be larger than remote_version. */
515 	char remote_version[256];	/* Must be at least as big as buf. */
516 
517 	if ((options.protocol & SSH_PROTO_1) &&
518 	    (options.protocol & SSH_PROTO_2)) {
519 		major = PROTOCOL_MAJOR_1;
520 		minor = 99;
521 	} else if (options.protocol & SSH_PROTO_2) {
522 		major = PROTOCOL_MAJOR_2;
523 		minor = PROTOCOL_MINOR_2;
524 	} else {
525 		major = PROTOCOL_MAJOR_1;
526 		minor = PROTOCOL_MINOR_1;
527 	}
528 	(void) snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
529 	server_version_string = xstrdup(buf);
530 
531 	if (client_version_string == NULL) {
532 		/* Send our protocol version identification. */
533 		if (atomicio(write, sock_out, server_version_string,
534 		    strlen(server_version_string))
535 		    != strlen(server_version_string)) {
536 			log("Could not write ident string to %s", get_remote_ipaddr());
537 			fatal_cleanup();
538 		}
539 
540 		/* Read other sides version identification. */
541 		(void) memset(buf, 0, sizeof(buf));
542 		for (i = 0; i < sizeof(buf) - 1; i++) {
543 			if (atomicio(read, sock_in, &buf[i], 1) != 1) {
544 				log("Did not receive identification string from %s",
545 				    get_remote_ipaddr());
546 				fatal_cleanup();
547 			}
548 			if (buf[i] == '\r') {
549 				buf[i] = 0;
550 				/* Kludge for F-Secure Macintosh < 1.0.2 */
551 				if (i == 12 &&
552 				    strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
553 					break;
554 				continue;
555 			}
556 			if (buf[i] == '\n') {
557 				buf[i] = 0;
558 				break;
559 			}
560 		}
561 		buf[sizeof(buf) - 1] = 0;
562 		client_version_string = xstrdup(buf);
563 	}
564 
565 	/*
566 	 * Check that the versions match.  In future this might accept
567 	 * several versions and set appropriate flags to handle them.
568 	 */
569 	if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
570 	    &remote_major, &remote_minor, remote_version) != 3) {
571 		s = "Protocol mismatch.\n";
572 		(void) atomicio(write, sock_out, s, strlen(s));
573 		(void) close(sock_in);
574 		(void) close(sock_out);
575 		log("Bad protocol version identification '%.100s' from %s",
576 		    client_version_string, get_remote_ipaddr());
577 		fatal_cleanup();
578 	}
579 	debug("Client protocol version %d.%d; client software version %.100s",
580 	    remote_major, remote_minor, remote_version);
581 
582 	compat_datafellows(remote_version);
583 
584 	if (datafellows & SSH_BUG_PROBE) {
585 		log("probed from %s with %s.  Don't panic.",
586 		    get_remote_ipaddr(), client_version_string);
587 		fatal_cleanup();
588 	}
589 
590 	if (datafellows & SSH_BUG_SCANNER) {
591 		log("scanned from %s with %s.  Don't panic.",
592 		    get_remote_ipaddr(), client_version_string);
593 		fatal_cleanup();
594 	}
595 
596 	mismatch = 0;
597 	switch (remote_major) {
598 	case 1:
599 		if (remote_minor == 99) {
600 			if (options.protocol & SSH_PROTO_2)
601 				enable_compat20();
602 			else
603 				mismatch = 1;
604 			break;
605 		}
606 		if (!(options.protocol & SSH_PROTO_1)) {
607 			mismatch = 1;
608 			break;
609 		}
610 		if (remote_minor < 3) {
611 			packet_disconnect("Your ssh version is too old and "
612 			    "is no longer supported.  Please install a newer version.");
613 		} else if (remote_minor == 3) {
614 			/* note that this disables agent-forwarding */
615 			enable_compat13();
616 		}
617 		break;
618 	case 2:
619 		if (options.protocol & SSH_PROTO_2) {
620 			enable_compat20();
621 			break;
622 		}
623 		/* FALLTHROUGH */
624 	default:
625 		mismatch = 1;
626 		break;
627 	}
628 	chop(server_version_string);
629 	debug("Local version string %.200s", server_version_string);
630 
631 	if (mismatch) {
632 		s = "Protocol major versions differ.\n";
633 		(void) atomicio(write, sock_out, s, strlen(s));
634 		(void) close(sock_in);
635 		(void) close(sock_out);
636 		log("Protocol major versions differ for %s: %.200s vs. %.200s",
637 		    get_remote_ipaddr(),
638 		    server_version_string, client_version_string);
639 		fatal_cleanup();
640 	}
641 }
642 
643 /* Destroy the host and server keys.  They will no longer be needed. */
644 void
645 destroy_sensitive_data(void)
646 {
647 	int i;
648 
649 	if (sensitive_data.server_key) {
650 		key_free(sensitive_data.server_key);
651 		sensitive_data.server_key = NULL;
652 	}
653 	for (i = 0; i < options.num_host_key_files; i++) {
654 		if (sensitive_data.host_keys[i]) {
655 			key_free(sensitive_data.host_keys[i]);
656 			sensitive_data.host_keys[i] = NULL;
657 		}
658 	}
659 	sensitive_data.ssh1_host_key = NULL;
660 	(void) memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
661 }
662 
663 /* Demote private to public keys for network child */
664 static void
665 demote_sensitive_data(void)
666 {
667 	Key *tmp;
668 	int i;
669 
670 	if (sensitive_data.server_key) {
671 		tmp = key_demote(sensitive_data.server_key);
672 		key_free(sensitive_data.server_key);
673 		sensitive_data.server_key = tmp;
674 	}
675 
676 	for (i = 0; i < options.num_host_key_files; i++) {
677 		if (sensitive_data.host_keys[i]) {
678 			tmp = key_demote(sensitive_data.host_keys[i]);
679 			key_free(sensitive_data.host_keys[i]);
680 			sensitive_data.host_keys[i] = tmp;
681 			if (tmp->type == KEY_RSA1)
682 				sensitive_data.ssh1_host_key = tmp;
683 		}
684 	}
685 
686 	/* We do not clear ssh1_host key and cookie.  XXX - Okay Niels? */
687 }
688 
689 static char *
690 list_hostkey_types(void)
691 {
692 	Buffer b;
693 	char *p;
694 	int i;
695 
696 	buffer_init(&b);
697 	for (i = 0; i < options.num_host_key_files; i++) {
698 		Key *key = sensitive_data.host_keys[i];
699 		if (key == NULL)
700 			continue;
701 		switch (key->type) {
702 		case KEY_RSA:
703 		case KEY_DSA:
704 			if (buffer_len(&b) > 0)
705 				buffer_append(&b, ",", 1);
706 			p = key_ssh_name(key);
707 			buffer_append(&b, p, strlen(p));
708 			break;
709 		}
710 	}
711 	buffer_append(&b, "\0", 1);
712 	p = xstrdup(buffer_ptr(&b));
713 	buffer_free(&b);
714 	debug("list_hostkey_types: %s", p);
715 	return p;
716 }
717 
718 #ifdef lint
719 static
720 #endif /* lint */
721 Key *
722 get_hostkey_by_type(int type)
723 {
724 	int i;
725 
726 	for (i = 0; i < options.num_host_key_files; i++) {
727 		Key *key = sensitive_data.host_keys[i];
728 		if (key != NULL && key->type == type)
729 			return key;
730 	}
731 	return NULL;
732 }
733 
734 #ifdef lint
735 static
736 #endif /* lint */
737 Key *
738 get_hostkey_by_index(int ind)
739 {
740 	if (ind < 0 || ind >= options.num_host_key_files)
741 		return (NULL);
742 	return (sensitive_data.host_keys[ind]);
743 }
744 
745 #ifdef lint
746 static
747 #endif /* lint */
748 int
749 get_hostkey_index(Key *key)
750 {
751 	int i;
752 
753 	for (i = 0; i < options.num_host_key_files; i++) {
754 		if (key == sensitive_data.host_keys[i])
755 			return (i);
756 	}
757 	return (-1);
758 }
759 
760 /*
761  * returns 1 if connection should be dropped, 0 otherwise.
762  * dropping starts at connection #max_startups_begin with a probability
763  * of (max_startups_rate/100). the probability increases linearly until
764  * all connections are dropped for startups > max_startups
765  */
766 static int
767 drop_connection(int startups)
768 {
769 	double p, r;
770 
771 	if (startups < options.max_startups_begin)
772 		return 0;
773 	if (startups >= options.max_startups)
774 		return 1;
775 	if (options.max_startups_rate == 100)
776 		return 1;
777 
778 	p  = 100 - options.max_startups_rate;
779 	p *= startups - options.max_startups_begin;
780 	p /= (double) (options.max_startups - options.max_startups_begin);
781 	p += options.max_startups_rate;
782 	p /= 100.0;
783 	r = arc4random() / (double) UINT_MAX;
784 
785 	debug("drop_connection: p %g, r %g", p, r);
786 	return (r < p) ? 1 : 0;
787 }
788 
789 static void
790 usage(void)
791 {
792 	(void) fprintf(stderr, gettext("sshd version %s\n"), SSH_VERSION);
793 	(void) fprintf(stderr,
794 	    gettext("Usage: %s [options]\n"
795 		"Options:\n"
796 		"  -f file    Configuration file (default %s)\n"
797 		"  -d         Debugging mode (multiple -d means more "
798 		"debugging)\n"
799 		"  -i         Started from inetd\n"
800 		"  -D         Do not fork into daemon mode\n"
801 		"  -t         Only test configuration file and keys\n"
802 		"  -q         Quiet (no logging)\n"
803 		"  -p port    Listen on the specified port (default: 22)\n"
804 		"  -k seconds Regenerate server key every this many seconds "
805 		"(default: 3600)\n"
806 		"  -g seconds Grace period for authentication (default: 600)\n"
807 		"  -b bits    Size of server RSA key (default: 768 bits)\n"
808 		"  -h file    File from which to read host key (default: %s)\n"
809 		"  -4         Use IPv4 only\n"
810 		"  -6         Use IPv6 only\n"
811 		"  -o option  Process the option as if it was read from "
812 		"a configuration file.\n"),
813 	    __progname, _PATH_SERVER_CONFIG_FILE, _PATH_HOST_KEY_FILE);
814 	exit(1);
815 }
816 
817 /*
818  * Main program for the daemon.
819  */
820 int
821 main(int ac, char **av)
822 {
823 	extern char *optarg;
824 	extern int optind;
825 	int opt, j, i, fdsetsz, sock_in = 0, sock_out = 0, newsock = -1, on = 1;
826 	pid_t pid;
827 	socklen_t fromlen;
828 	fd_set *fdset;
829 	struct sockaddr_storage from;
830 	const char *remote_ip;
831 	int remote_port;
832 	FILE *f;
833 	struct addrinfo *ai;
834 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
835 	int listen_sock, maxfd;
836 	int startup_p[2];
837 	int startups = 0;
838 	Authctxt *authctxt = NULL;
839 	Key *key;
840 	int ret, key_used = 0;
841 #ifdef HAVE_BSM
842 	au_id_t	    auid = AU_NOAUDITID;
843 #endif /* HAVE_BSM */
844 	int mpipe;
845 
846 	__progname = get_progname(av[0]);
847 
848 	(void) g11n_setlocale(LC_ALL, "");
849 
850 #ifdef HAVE_SECUREWARE
851 	(void)set_auth_parameters(ac, av);
852 #endif
853 
854 	init_rng();
855 
856 	/* Save argv. */
857 	saved_argc = ac;
858 	saved_argv = av;
859 
860 	/* Initialize configuration options to their default values. */
861 	initialize_server_options(&options);
862 
863 	/* Parse command-line arguments. */
864 	while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:o:dDeiqtQ46")) != -1) {
865 		switch (opt) {
866 		case '4':
867 			IPv4or6 = AF_INET;
868 			break;
869 		case '6':
870 			IPv4or6 = AF_INET6;
871 			break;
872 		case 'f':
873 			config_file_name = optarg;
874 			break;
875 		case 'd':
876 			if (0 == debug_flag) {
877 				debug_flag = 1;
878 				options.log_level = SYSLOG_LEVEL_DEBUG1;
879 			} else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {
880 				options.log_level++;
881 			} else {
882 				(void) fprintf(stderr,
883 					gettext("Debug level too high.\n"));
884 				exit(1);
885 			}
886 			break;
887 		case 'D':
888 			no_daemon_flag = 1;
889 			break;
890 		case 'e':
891 			log_stderr = 1;
892 			break;
893 		case 'i':
894 			inetd_flag = 1;
895 			break;
896 		case 'Q':
897 			/* ignored */
898 			break;
899 		case 'q':
900 			options.log_level = SYSLOG_LEVEL_QUIET;
901 			break;
902 		case 'b':
903 			options.server_key_bits = atoi(optarg);
904 			break;
905 		case 'p':
906 			options.ports_from_cmdline = 1;
907 			if (options.num_ports >= MAX_PORTS) {
908 				(void) fprintf(stderr, gettext("too many ports.\n"));
909 				exit(1);
910 			}
911 			options.ports[options.num_ports++] = a2port(optarg);
912 			if (options.ports[options.num_ports-1] == 0) {
913 				(void) fprintf(stderr, gettext("Bad port number.\n"));
914 				exit(1);
915 			}
916 			break;
917 		case 'g':
918 			if ((options.login_grace_time = convtime(optarg)) == -1) {
919 				(void) fprintf(stderr,
920 					gettext("Invalid login grace time.\n"));
921 				exit(1);
922 			}
923 			break;
924 		case 'k':
925 			if ((options.key_regeneration_time = convtime(optarg)) == -1) {
926 				(void) fprintf(stderr,
927 					gettext("Invalid key regeneration "
928 						"interval.\n"));
929 				exit(1);
930 			}
931 			break;
932 		case 'h':
933 			if (options.num_host_key_files >= MAX_HOSTKEYS) {
934 				(void) fprintf(stderr,
935 					gettext("too many host keys.\n"));
936 				exit(1);
937 			}
938 			options.host_key_files[options.num_host_key_files++] = optarg;
939 			break;
940 		case 'V':
941 			client_version_string = optarg;
942 			/* only makes sense with inetd_flag, i.e. no listen() */
943 			inetd_flag = 1;
944 			break;
945 		case 't':
946 			test_flag = 1;
947 			break;
948 		case 'o':
949 			if (process_server_config_line(&options, optarg,
950 			    "command-line", 0) != 0)
951 				exit(1);
952 			break;
953 		case '?':
954 		default:
955 			usage();
956 			break;
957 		}
958 	}
959 
960 	/*
961 	 * There is no need to use the PKCS#11 engine in the master SSH process.
962 	 */
963 	SSLeay_add_all_algorithms();
964 	seed_rng();
965 	channel_set_af(IPv4or6);
966 
967 	/*
968 	 * Force logging to stderr until we have loaded the private host
969 	 * key (unless started from inetd)
970 	 */
971 	log_init(__progname,
972 	    options.log_level == SYSLOG_LEVEL_NOT_SET ?
973 	    SYSLOG_LEVEL_INFO : options.log_level,
974 	    options.log_facility == SYSLOG_FACILITY_NOT_SET ?
975 	    SYSLOG_FACILITY_AUTH : options.log_facility,
976 	    !inetd_flag);
977 
978 #ifdef _UNICOS
979 	/* Cray can define user privs drop all prives now!
980 	 * Not needed on PRIV_SU systems!
981 	 */
982 	drop_cray_privs();
983 #endif
984 
985 	/* Read server configuration options from the configuration file. */
986 	read_server_config(&options, config_file_name);
987 
988 	/* Fill in default values for those options not explicitly set. */
989 	fill_default_server_options(&options);
990 
991 	utmp_len = options.lookup_client_hostnames ? utmp_len : 0;
992 
993 	/* Check that there are no remaining arguments. */
994 	if (optind < ac) {
995 		(void) fprintf(stderr, gettext("Extra argument %s.\n"), av[optind]);
996 		exit(1);
997 	}
998 
999 	debug("sshd version %.100s", SSH_VERSION);
1000 
1001 	/* load private host keys */
1002 	if (options.num_host_key_files > 0)
1003 		sensitive_data.host_keys =
1004 		    xmalloc(options.num_host_key_files * sizeof(Key *));
1005 	for (i = 0; i < options.num_host_key_files; i++)
1006 		sensitive_data.host_keys[i] = NULL;
1007 	sensitive_data.server_key = NULL;
1008 	sensitive_data.ssh1_host_key = NULL;
1009 	sensitive_data.have_ssh1_key = 0;
1010 	sensitive_data.have_ssh2_key = 0;
1011 
1012 	for (i = 0; i < options.num_host_key_files; i++) {
1013 		key = key_load_private(options.host_key_files[i], "", NULL);
1014 		sensitive_data.host_keys[i] = key;
1015 		if (key == NULL) {
1016 			error("Could not load host key: %s",
1017 			    options.host_key_files[i]);
1018 			sensitive_data.host_keys[i] = NULL;
1019 			continue;
1020 		}
1021 		switch (key->type) {
1022 		case KEY_RSA1:
1023 			sensitive_data.ssh1_host_key = key;
1024 			sensitive_data.have_ssh1_key = 1;
1025 			break;
1026 		case KEY_RSA:
1027 		case KEY_DSA:
1028 			sensitive_data.have_ssh2_key = 1;
1029 			break;
1030 		}
1031 		debug("private host key: #%d type %d %s", i, key->type,
1032 		    key_type(key));
1033 	}
1034 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
1035 		log("Disabling protocol version 1. Could not load host key");
1036 		options.protocol &= ~SSH_PROTO_1;
1037 	}
1038 	if ((options.protocol & SSH_PROTO_2) &&
1039 	    !sensitive_data.have_ssh2_key) {
1040 #ifdef GSSAPI
1041 		if (options.gss_keyex)
1042 			ssh_gssapi_server_mechs(&mechs);
1043 
1044 		if (mechs == GSS_C_NULL_OID_SET) {
1045 			log("Disabling protocol version 2. Could not load host"
1046 			    "key or GSS-API mechanisms");
1047 			options.protocol &= ~SSH_PROTO_2;
1048 		}
1049 #else
1050 		log("Disabling protocol version 2. Could not load host key");
1051 		options.protocol &= ~SSH_PROTO_2;
1052 #endif /* GSSAPI */
1053 	}
1054 	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
1055 		log("sshd: no hostkeys available -- exiting.");
1056 		exit(1);
1057 	}
1058 
1059 	/* Check certain values for sanity. */
1060 	if (options.protocol & SSH_PROTO_1) {
1061 		if (options.server_key_bits < 512 ||
1062 		    options.server_key_bits > 32768) {
1063 			(void) fprintf(stderr, gettext("Bad server key size.\n"));
1064 			exit(1);
1065 		}
1066 		/*
1067 		 * Check that server and host key lengths differ sufficiently. This
1068 		 * is necessary to make double encryption work with rsaref. Oh, I
1069 		 * hate software patents. I dont know if this can go? Niels
1070 		 */
1071 		if (options.server_key_bits >
1072 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) -
1073 		    SSH_KEY_BITS_RESERVED && options.server_key_bits <
1074 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1075 		    SSH_KEY_BITS_RESERVED) {
1076 			options.server_key_bits =
1077 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1078 			    SSH_KEY_BITS_RESERVED;
1079 			debug("Forcing server key to %d bits to make it differ from host key.",
1080 			    options.server_key_bits);
1081 		}
1082 	}
1083 
1084 	/* Configuration looks good, so exit if in test mode. */
1085 	if (test_flag)
1086 		exit(0);
1087 
1088 	/*
1089 	 * Clear out any supplemental groups we may have inherited.  This
1090 	 * prevents inadvertent creation of files with bad modes (in the
1091 	 * portable version at least, it's certainly possible for PAM
1092 	 * to create a file, and we can't control the code in every
1093 	 * module which might be used).
1094 	 */
1095 	if (setgroups(0, NULL) < 0)
1096 		debug("setgroups() failed: %.200s", strerror(errno));
1097 
1098 	/* Initialize the log (it is reinitialized below in case we forked). */
1099 	if (debug_flag && !inetd_flag)
1100 		log_stderr = 1;
1101 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
1102 
1103 #ifdef HAVE_BSM
1104 	(void) setauid(&auid);
1105 #endif /* HAVE_BSM */
1106 
1107 	/*
1108 	 * If not in debugging mode, and not started from inetd, disconnect
1109 	 * from the controlling terminal, and fork.  The original process
1110 	 * exits.
1111 	 */
1112 	if (!(debug_flag || inetd_flag || no_daemon_flag)) {
1113 #ifdef TIOCNOTTY
1114 		int fd;
1115 #endif /* TIOCNOTTY */
1116 		if (daemon(0, 0) < 0)
1117 			fatal("daemon() failed: %.200s", strerror(errno));
1118 
1119 		/* Disconnect from the controlling tty. */
1120 #ifdef TIOCNOTTY
1121 		fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
1122 		if (fd >= 0) {
1123 			(void) ioctl(fd, TIOCNOTTY, NULL);
1124 			(void) close(fd);
1125 		}
1126 #endif /* TIOCNOTTY */
1127 	}
1128 	/* Reinitialize the log (because of the fork above). */
1129 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
1130 
1131 	/* Initialize the random number generator. */
1132 	arc4random_stir();
1133 
1134 	/* Chdir to the root directory so that the current disk can be
1135 	   unmounted if desired. */
1136 	(void) chdir("/");
1137 
1138 	/* ignore SIGPIPE */
1139 	(void) signal(SIGPIPE, SIG_IGN);
1140 
1141 	/* Start listening for a socket, unless started from inetd. */
1142 	if (inetd_flag) {
1143 		int s1;
1144 		s1 = dup(0);	/* Make sure descriptors 0, 1, and 2 are in use. */
1145 		(void) dup(s1);
1146 		sock_in = dup(0);
1147 		sock_out = dup(1);
1148 		startup_pipe = -1;
1149 		/* we need this later for setting audit context */
1150 		newsock = sock_in;
1151 		/*
1152 		 * We intentionally do not close the descriptors 0, 1, and 2
1153 		 * as our code for setting the descriptors won\'t work if
1154 		 * ttyfd happens to be one of those.
1155 		 */
1156 		debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
1157 		if (options.protocol & SSH_PROTO_1)
1158 			generate_ephemeral_server_key();
1159 	} else {
1160 		for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
1161 			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1162 				continue;
1163 			if (num_listen_socks >= MAX_LISTEN_SOCKS)
1164 				fatal("Too many listen sockets. "
1165 				    "Enlarge MAX_LISTEN_SOCKS");
1166 			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
1167 			    ntop, sizeof(ntop), strport, sizeof(strport),
1168 			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1169 				error("getnameinfo failed");
1170 				continue;
1171 			}
1172 			/* Create socket for listening. */
1173 			listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
1174 			if (listen_sock < 0) {
1175 				/* kernel may not support ipv6 */
1176 				verbose("socket: %.100s", strerror(errno));
1177 				continue;
1178 			}
1179 			if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) {
1180 				error("listen_sock O_NONBLOCK: %s", strerror(errno));
1181 				(void) close(listen_sock);
1182 				continue;
1183 			}
1184 			/*
1185 			 * Set socket options.
1186 			 * Allow local port reuse in TIME_WAIT.
1187 			 */
1188 			if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
1189 			    &on, sizeof(on)) == -1)
1190 				error("setsockopt SO_REUSEADDR: %s", strerror(errno));
1191 
1192 			debug("Bind to port %s on %s.", strport, ntop);
1193 
1194 			/* Bind the socket to the desired port. */
1195 			if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1196 				if (!ai->ai_next)
1197 				    error("Bind to port %s on %s failed: %.200s.",
1198 					    strport, ntop, strerror(errno));
1199 				(void) close(listen_sock);
1200 				continue;
1201 			}
1202 			listen_socks[num_listen_socks] = listen_sock;
1203 			num_listen_socks++;
1204 
1205 			/* Start listening on the port. */
1206 			log("Server listening on %s port %s.", ntop, strport);
1207 			if (listen(listen_sock, 5) < 0)
1208 				fatal("listen: %.100s", strerror(errno));
1209 
1210 		}
1211 		freeaddrinfo(options.listen_addrs);
1212 
1213 		if (!num_listen_socks)
1214 			fatal("Cannot bind any address.");
1215 
1216 		if (options.protocol & SSH_PROTO_1)
1217 			generate_ephemeral_server_key();
1218 
1219 		/*
1220 		 * Arrange to restart on SIGHUP.  The handler needs
1221 		 * listen_sock.
1222 		 */
1223 		(void) signal(SIGHUP, sighup_handler);
1224 
1225 		(void) signal(SIGTERM, sigterm_handler);
1226 		(void) signal(SIGQUIT, sigterm_handler);
1227 
1228 		/* Arrange SIGCHLD to be caught. */
1229 		(void) signal(SIGCHLD, main_sigchld_handler);
1230 
1231 		/* Write out the pid file after the sigterm handler is setup */
1232 		if (!debug_flag) {
1233 			/*
1234 			 * Record our pid in /var/run/sshd.pid to make it
1235 			 * easier to kill the correct sshd.  We don't want to
1236 			 * do this before the bind above because the bind will
1237 			 * fail if there already is a daemon, and this will
1238 			 * overwrite any old pid in the file.
1239 			 */
1240 			f = fopen(options.pid_file, "wb");
1241 			if (f) {
1242 				(void) fprintf(f, "%ld\n", (long) getpid());
1243 				(void) fclose(f);
1244 			}
1245 		}
1246 
1247 		/* setup fd set for listen */
1248 		fdset = NULL;
1249 		maxfd = 0;
1250 		for (i = 0; i < num_listen_socks; i++)
1251 			if (listen_socks[i] > maxfd)
1252 				maxfd = listen_socks[i];
1253 		/* pipes connected to unauthenticated childs */
1254 		startup_pipes = xmalloc(options.max_startups * sizeof(int));
1255 		for (i = 0; i < options.max_startups; i++)
1256 			startup_pipes[i] = -1;
1257 
1258 		/*
1259 		 * Stay listening for connections until the system crashes or
1260 		 * the daemon is killed with a signal.
1261 		 */
1262 		for (;;) {
1263 			if (received_sighup)
1264 				sighup_restart();
1265 			if (fdset != NULL)
1266 				xfree(fdset);
1267 			fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask);
1268 			fdset = (fd_set *)xmalloc(fdsetsz);
1269 			(void) memset(fdset, 0, fdsetsz);
1270 
1271 			for (i = 0; i < num_listen_socks; i++)
1272 				FD_SET(listen_socks[i], fdset);
1273 			for (i = 0; i < options.max_startups; i++)
1274 				if (startup_pipes[i] != -1)
1275 					FD_SET(startup_pipes[i], fdset);
1276 
1277 			/* Wait in select until there is a connection. */
1278 			ret = select(maxfd+1, fdset, NULL, NULL, NULL);
1279 			if (ret < 0 && errno != EINTR)
1280 				error("select: %.100s", strerror(errno));
1281 			if (received_sigterm) {
1282 				log("Received signal %d; terminating.",
1283 				    (int) received_sigterm);
1284 				close_listen_socks();
1285 				(void) unlink(options.pid_file);
1286 				exit(255);
1287 			}
1288 			if (key_used && key_do_regen) {
1289 				generate_ephemeral_server_key();
1290 				key_used = 0;
1291 				key_do_regen = 0;
1292 			}
1293 			if (ret < 0)
1294 				continue;
1295 
1296 			for (i = 0; i < options.max_startups; i++)
1297 				if (startup_pipes[i] != -1 &&
1298 				    FD_ISSET(startup_pipes[i], fdset)) {
1299 					/*
1300 					 * the read end of the pipe is ready
1301 					 * if the child has closed the pipe
1302 					 * after successful authentication
1303 					 * or if the child has died
1304 					 */
1305 					(void) close(startup_pipes[i]);
1306 					startup_pipes[i] = -1;
1307 					startups--;
1308 				}
1309 			for (i = 0; i < num_listen_socks; i++) {
1310 				if (!FD_ISSET(listen_socks[i], fdset))
1311 					continue;
1312 				fromlen = sizeof(from);
1313 				newsock = accept(listen_socks[i], (struct sockaddr *)&from,
1314 				    &fromlen);
1315 				if (newsock < 0) {
1316 					if (errno != EINTR && errno != EWOULDBLOCK)
1317 						error("accept: %.100s", strerror(errno));
1318 					continue;
1319 				}
1320 				if (fcntl(newsock, F_SETFL, 0) < 0) {
1321 					error("newsock del O_NONBLOCK: %s", strerror(errno));
1322 					(void) close(newsock);
1323 					continue;
1324 				}
1325 				if (drop_connection(startups) == 1) {
1326 					debug("drop connection #%d", startups);
1327 					(void) close(newsock);
1328 					continue;
1329 				}
1330 				if (pipe(startup_p) == -1) {
1331 					(void) close(newsock);
1332 					continue;
1333 				}
1334 
1335 				for (j = 0; j < options.max_startups; j++)
1336 					if (startup_pipes[j] == -1) {
1337 						startup_pipes[j] = startup_p[0];
1338 						if (maxfd < startup_p[0])
1339 							maxfd = startup_p[0];
1340 						startups++;
1341 						break;
1342 					}
1343 
1344 				/*
1345 				 * Got connection.  Fork a child to handle it, unless
1346 				 * we are in debugging mode.
1347 				 */
1348 				if (debug_flag) {
1349 					/*
1350 					 * In debugging mode.  Close the listening
1351 					 * socket, and start processing the
1352 					 * connection without forking.
1353 					 */
1354 					debug("Server will not fork when running in debugging mode.");
1355 					close_listen_socks();
1356 					sock_in = newsock;
1357 					sock_out = newsock;
1358 					startup_pipe = -1;
1359 					pid = getpid();
1360 					break;
1361 				} else {
1362 					/*
1363 					 * Normal production daemon.  Fork, and have
1364 					 * the child process the connection. The
1365 					 * parent continues listening.
1366 					 */
1367 #ifdef HAVE_SOLARIS_CONTRACTS
1368 					/*
1369 					 * Setup Solaris contract template so
1370 					 * the child process is in a different
1371 					 * process contract than the parent;
1372 					 * prevents established connections from
1373 					 * being killed when the sshd master
1374 					 * listener service is stopped.
1375 					 */
1376 					contracts_pre_fork();
1377 #endif /* HAVE_SOLARIS_CONTRACTS */
1378 					if ((pid = fork()) == 0) {
1379 						/*
1380 						 * Child.  Close the listening and max_startup
1381 						 * sockets.  Start using the accepted socket.
1382 						 * Reinitialize logging (since our pid has
1383 						 * changed).  We break out of the loop to handle
1384 						 * the connection.
1385 						 */
1386 #ifdef HAVE_SOLARIS_CONTRACTS
1387 						contracts_post_fork_child();
1388 #endif /* HAVE_SOLARIS_CONTRACTS */
1389 						xfree(fdset);
1390 						startup_pipe = startup_p[1];
1391 						close_startup_pipes();
1392 						close_listen_socks();
1393 						sock_in = newsock;
1394 						sock_out = newsock;
1395 						log_init(__progname, options.log_level, options.log_facility, log_stderr);
1396 						break;
1397 					}
1398 
1399 #ifdef HAVE_SOLARIS_CONTRACTS
1400 					contracts_post_fork_parent((pid > 0));
1401 #endif /* HAVE_SOLARIS_CONTRACTS */
1402 				}
1403 
1404 				/* Parent.  Stay in the loop. */
1405 				if (pid < 0)
1406 					error("fork: %.100s", strerror(errno));
1407 				else
1408 					debug("Forked child %ld.", (long)pid);
1409 
1410 				(void) close(startup_p[1]);
1411 
1412 				/* Mark that the key has been used (it was "given" to the child). */
1413 				if ((options.protocol & SSH_PROTO_1) &&
1414 				    key_used == 0) {
1415 					/* Schedule server key regeneration alarm. */
1416 					(void) signal(SIGALRM, key_regeneration_alarm);
1417 					(void) alarm(options.key_regeneration_time);
1418 					key_used = 1;
1419 				}
1420 
1421 				arc4random_stir();
1422 
1423 				/*
1424 				 * Close the accepted socket since the child
1425 				 * will now take care of the new connection.
1426 				 */
1427 				(void) close(newsock);
1428 			}
1429 			/* child process check (or debug mode) */
1430 			if (num_listen_socks < 0)
1431 				break;
1432 		}
1433 	}
1434 
1435 	/*
1436 	 * This is the child processing a new connection, the SSH master process
1437 	 * stays in the ( ; ; ) loop above.
1438 	 */
1439 #ifdef HAVE_BSM
1440 	audit_sshd_settid(newsock);
1441 #endif
1442 	/*
1443 	 * Create a new session and process group since the 4.4BSD
1444 	 * setlogin() affects the entire process group.  We don't
1445 	 * want the child to be able to affect the parent.
1446 	 */
1447 #if 0
1448 	/* XXX: this breaks Solaris */
1449 	if (!debug_flag && !inetd_flag && setsid() < 0)
1450 		error("setsid: %.100s", strerror(errno));
1451 #endif
1452 
1453 	/*
1454 	 * Disable the key regeneration alarm.  We will not regenerate the
1455 	 * key since we are no longer in a position to give it to anyone. We
1456 	 * will not restart on SIGHUP since it no longer makes sense.
1457 	 */
1458 	(void) alarm(0);
1459 	(void) signal(SIGALRM, SIG_DFL);
1460 	(void) signal(SIGHUP, SIG_DFL);
1461 	(void) signal(SIGTERM, SIG_DFL);
1462 	(void) signal(SIGQUIT, SIG_DFL);
1463 	(void) signal(SIGCHLD, SIG_DFL);
1464 	(void) signal(SIGINT, SIG_DFL);
1465 
1466 	/* Set keepalives if requested. */
1467 	if (options.keepalives &&
1468 	    setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
1469 	    sizeof(on)) < 0)
1470 		debug2("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
1471 
1472 	/*
1473 	 * Register our connection.  This turns encryption off because we do
1474 	 * not have a key.
1475 	 */
1476 	packet_set_connection(sock_in, sock_out);
1477 
1478 	remote_port = get_remote_port();
1479 	remote_ip = get_remote_ipaddr();
1480 
1481 #ifdef LIBWRAP
1482 	/* Check whether logins are denied from this host. */
1483 	{
1484 		struct request_info req;
1485 
1486 		(void) request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
1487 		fromhost(&req);
1488 
1489 		if (!hosts_access(&req)) {
1490 			debug("Connection refused by tcp wrapper");
1491 			refuse(&req);
1492 			/* NOTREACHED */
1493 			fatal("libwrap refuse returns");
1494 		}
1495 	}
1496 #endif /* LIBWRAP */
1497 
1498 	/* Log the connection. */
1499 	verbose("Connection from %.500s port %d", remote_ip, remote_port);
1500 
1501 	/*
1502 	 * We don\'t want to listen forever unless the other side
1503 	 * successfully authenticates itself.  So we set up an alarm which is
1504 	 * cleared after successful authentication.  A limit of zero
1505 	 * indicates no limit. Note that we don\'t set the alarm in debugging
1506 	 * mode; it is just annoying to have the server exit just when you
1507 	 * are about to discover the bug.
1508 	 */
1509 	(void) signal(SIGALRM, grace_alarm_handler);
1510 	if (!debug_flag)
1511 		(void) alarm(options.login_grace_time);
1512 
1513 	sshd_exchange_identification(sock_in, sock_out);
1514 	/*
1515 	 * Check that the connection comes from a privileged port.
1516 	 * Rhosts-Authentication only makes sense from privileged
1517 	 * programs.  Of course, if the intruder has root access on his local
1518 	 * machine, he can connect from any port.  So do not use these
1519 	 * authentication methods from machines that you do not trust.
1520 	 */
1521 	if (options.rhosts_authentication &&
1522 	    (remote_port >= IPPORT_RESERVED ||
1523 	    remote_port < IPPORT_RESERVED / 2)) {
1524 		debug("Rhosts Authentication disabled, "
1525 		    "originating port %d not trusted.", remote_port);
1526 		options.rhosts_authentication = 0;
1527 	}
1528 #if defined(KRB4) && !defined(KRB5)
1529 	if (!packet_connection_is_ipv4() &&
1530 	    options.kerberos_authentication) {
1531 		debug("Kerberos Authentication disabled, only available for IPv4.");
1532 		options.kerberos_authentication = 0;
1533 	}
1534 #endif /* KRB4 && !KRB5 */
1535 #ifdef AFS
1536 	/* If machine has AFS, set process authentication group. */
1537 	if (k_hasafs()) {
1538 		k_setpag();
1539 		k_unlog();
1540 	}
1541 #endif /* AFS */
1542 
1543 	packet_set_nonblocking();
1544 
1545 	/*
1546 	 * Start the monitor. That way both processes will have their own
1547 	 * PKCS#11 sessions. See the PKCS#11 standard for more information on
1548 	 * fork safety and packet.c for information about forking with the
1549 	 * engine.
1550 	 */
1551 	altprivsep_start_and_do_monitor(options.use_openssl_engine,
1552 	    inetd_flag, newsock, startup_pipe);
1553 
1554 	/*
1555 	 * The child is about to start the first key exchange while the monitor
1556 	 * stays in altprivsep_start_and_do_monitor() function.
1557 	 */
1558 	(void) pkcs11_engine_load(options.use_openssl_engine);
1559 
1560 	/* perform the key exchange */
1561 	/* authenticate user and start session */
1562 	if (compat20) {
1563 		do_ssh2_kex();
1564 		authctxt = do_authentication2();
1565 	} else {
1566 		do_ssh1_kex();
1567 		authctxt = do_authentication();
1568 	}
1569 
1570 authenticated:
1571 	/* Authentication complete */
1572 	(void) alarm(0);
1573 	/* we no longer need an alarm handler */
1574 	(void) signal(SIGALRM, SIG_DFL);
1575 
1576 	if (startup_pipe != -1) {
1577 		(void) close(startup_pipe);
1578 		startup_pipe = -1;
1579 	}
1580 
1581 	/* ALTPRIVSEP Child */
1582 
1583 	/*
1584 	 * Drop privileges, access to privileged resources.
1585 	 *
1586 	 * Destroy private host keys, if any.
1587 	 *
1588 	 * No need to release any GSS credentials -- sshd only acquires
1589 	 * creds to determine what mechs it can negotiate then releases
1590 	 * them right away and uses GSS_C_NO_CREDENTIAL to accept
1591 	 * contexts.
1592 	 */
1593 	debug2("Unprivileged server process dropping privileges");
1594 	permanently_set_uid(authctxt->pw);
1595 	destroy_sensitive_data();
1596 	ssh_gssapi_server_mechs(NULL); /* release cached mechs list */
1597 	packet_set_server();
1598 
1599 	/* now send the authentication context to the monitor */
1600 	altprivsep_send_auth_context(authctxt);
1601 
1602 	mpipe = altprivsep_get_pipe_fd();
1603 	if (fcntl(mpipe, F_SETFL, O_NONBLOCK) < 0)
1604 		error("fcntl O_NONBLOCK: %.100s", strerror(errno));
1605 
1606 #ifdef HAVE_BSM
1607 	fatal_remove_cleanup(
1608 		(void (*)(void *))audit_failed_login_cleanup,
1609 		(void *)authctxt);
1610 #endif /* HAVE_BSM */
1611 
1612 	if (compat20) {
1613 		debug3("setting handler to forward re-key packets to the monitor");
1614 		dispatch_range(SSH2_MSG_KEXINIT, SSH2_MSG_TRANSPORT_MAX,
1615 			&altprivsep_rekey);
1616 	}
1617 
1618 	/* Logged-in session. */
1619 	do_authenticated(authctxt);
1620 
1621 	/* The connection has been terminated. */
1622 	verbose("Closing connection to %.100s", remote_ip);
1623 
1624 	packet_close();
1625 
1626 #ifdef USE_PAM
1627 	finish_pam(authctxt);
1628 #endif /* USE_PAM */
1629 
1630 	return (0);
1631 }
1632 
1633 /*
1634  * Decrypt session_key_int using our private server key and private host key
1635  * (key with larger modulus first).
1636  */
1637 int
1638 ssh1_session_key(BIGNUM *session_key_int)
1639 {
1640 	int rsafail = 0;
1641 
1642 	if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) {
1643 		/* Server key has bigger modulus. */
1644 		if (BN_num_bits(sensitive_data.server_key->rsa->n) <
1645 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
1646 			fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
1647 			    get_remote_ipaddr(),
1648 			    BN_num_bits(sensitive_data.server_key->rsa->n),
1649 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
1650 			    SSH_KEY_BITS_RESERVED);
1651 		}
1652 		if (rsa_private_decrypt(session_key_int, session_key_int,
1653 		    sensitive_data.server_key->rsa) <= 0)
1654 			rsafail++;
1655 		if (rsa_private_decrypt(session_key_int, session_key_int,
1656 		    sensitive_data.ssh1_host_key->rsa) <= 0)
1657 			rsafail++;
1658 	} else {
1659 		/* Host key has bigger modulus (or they are equal). */
1660 		if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
1661 		    BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
1662 			fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
1663 			    get_remote_ipaddr(),
1664 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
1665 			    BN_num_bits(sensitive_data.server_key->rsa->n),
1666 			    SSH_KEY_BITS_RESERVED);
1667 		}
1668 		if (rsa_private_decrypt(session_key_int, session_key_int,
1669 		    sensitive_data.ssh1_host_key->rsa) < 0)
1670 			rsafail++;
1671 		if (rsa_private_decrypt(session_key_int, session_key_int,
1672 		    sensitive_data.server_key->rsa) < 0)
1673 			rsafail++;
1674 	}
1675 	return (rsafail);
1676 }
1677 /*
1678  * SSH1 key exchange
1679  */
1680 static void
1681 do_ssh1_kex(void)
1682 {
1683 	int i, len;
1684 	int rsafail = 0;
1685 	BIGNUM *session_key_int;
1686 	u_char session_key[SSH_SESSION_KEY_LENGTH];
1687 	u_char cookie[8];
1688 	u_int cipher_type, auth_mask, protocol_flags;
1689 	u_int32_t rnd = 0;
1690 
1691 	/*
1692 	 * Generate check bytes that the client must send back in the user
1693 	 * packet in order for it to be accepted; this is used to defy ip
1694 	 * spoofing attacks.  Note that this only works against somebody
1695 	 * doing IP spoofing from a remote machine; any machine on the local
1696 	 * network can still see outgoing packets and catch the random
1697 	 * cookie.  This only affects rhosts authentication, and this is one
1698 	 * of the reasons why it is inherently insecure.
1699 	 */
1700 	for (i = 0; i < 8; i++) {
1701 		if (i % 4 == 0)
1702 			rnd = arc4random();
1703 		cookie[i] = rnd & 0xff;
1704 		rnd >>= 8;
1705 	}
1706 
1707 	/*
1708 	 * Send our public key.  We include in the packet 64 bits of random
1709 	 * data that must be matched in the reply in order to prevent IP
1710 	 * spoofing.
1711 	 */
1712 	packet_start(SSH_SMSG_PUBLIC_KEY);
1713 	for (i = 0; i < 8; i++)
1714 		packet_put_char(cookie[i]);
1715 
1716 	/* Store our public server RSA key. */
1717 	packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));
1718 	packet_put_bignum(sensitive_data.server_key->rsa->e);
1719 	packet_put_bignum(sensitive_data.server_key->rsa->n);
1720 
1721 	/* Store our public host RSA key. */
1722 	packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
1723 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
1724 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
1725 
1726 	/* Put protocol flags. */
1727 	packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
1728 
1729 	/* Declare which ciphers we support. */
1730 	packet_put_int(cipher_mask_ssh1(0));
1731 
1732 	/* Declare supported authentication types. */
1733 	auth_mask = 0;
1734 	if (options.rhosts_authentication)
1735 		auth_mask |= 1 << SSH_AUTH_RHOSTS;
1736 	if (options.rhosts_rsa_authentication)
1737 		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
1738 	if (options.rsa_authentication)
1739 		auth_mask |= 1 << SSH_AUTH_RSA;
1740 #if defined(KRB4) || defined(KRB5)
1741 	if (options.kerberos_authentication)
1742 		auth_mask |= 1 << SSH_AUTH_KERBEROS;
1743 #endif
1744 #if defined(AFS) || defined(KRB5)
1745 	if (options.kerberos_tgt_passing)
1746 		auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
1747 #endif
1748 #ifdef AFS
1749 	if (options.afs_token_passing)
1750 		auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
1751 #endif
1752 	if (options.challenge_response_authentication == 1)
1753 		auth_mask |= 1 << SSH_AUTH_TIS;
1754 	if (options.password_authentication)
1755 		auth_mask |= 1 << SSH_AUTH_PASSWORD;
1756 	packet_put_int(auth_mask);
1757 
1758 	/* Send the packet and wait for it to be sent. */
1759 	packet_send();
1760 	packet_write_wait();
1761 
1762 	debug("Sent %d bit server key and %d bit host key.",
1763 	    BN_num_bits(sensitive_data.server_key->rsa->n),
1764 	    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
1765 
1766 	/* Read clients reply (cipher type and session key). */
1767 	packet_read_expect(SSH_CMSG_SESSION_KEY);
1768 
1769 	/* Get cipher type and check whether we accept this. */
1770 	cipher_type = packet_get_char();
1771 
1772 	if (!(cipher_mask_ssh1(0) & (1 << cipher_type))) {
1773 		packet_disconnect("Warning: client selects unsupported cipher.");
1774 	}
1775 
1776 	/* Get check bytes from the packet.  These must match those we
1777 	   sent earlier with the public key packet. */
1778 	for (i = 0; i < 8; i++) {
1779 		if (cookie[i] != packet_get_char()) {
1780 			packet_disconnect("IP Spoofing check bytes do not match.");
1781 		}
1782 	}
1783 
1784 	debug("Encryption type: %.200s", cipher_name(cipher_type));
1785 
1786 	/* Get the encrypted integer. */
1787 	if ((session_key_int = BN_new()) == NULL)
1788 		fatal("do_ssh1_kex: BN_new failed");
1789 	packet_get_bignum(session_key_int);
1790 
1791 	protocol_flags = packet_get_int();
1792 	packet_set_protocol_flags(protocol_flags);
1793 	packet_check_eom();
1794 
1795 	/* Decrypt session_key_int using host/server keys */
1796 	rsafail = ssh1_session_key(session_key_int);
1797 
1798 	/*
1799 	 * Extract session key from the decrypted integer.  The key is in the
1800 	 * least significant 256 bits of the integer; the first byte of the
1801 	 * key is in the highest bits.
1802 	 */
1803 	if (!rsafail) {
1804 		(void) BN_mask_bits(session_key_int, sizeof(session_key) * 8);
1805 		len = BN_num_bytes(session_key_int);
1806 		if (len < 0 || len > sizeof(session_key)) {
1807 			error("do_connection: bad session key len from %s: "
1808 			    "session_key_int %d > sizeof(session_key) %lu",
1809 			    get_remote_ipaddr(), len, (u_long)sizeof(session_key));
1810 			rsafail++;
1811 		} else {
1812 			(void) memset(session_key, 0, sizeof(session_key));
1813 			(void) BN_bn2bin(session_key_int,
1814 			    session_key + sizeof(session_key) - len);
1815 
1816 			compute_session_id(session_id, cookie,
1817 			    sensitive_data.ssh1_host_key->rsa->n,
1818 			    sensitive_data.server_key->rsa->n);
1819 			/*
1820 			 * Xor the first 16 bytes of the session key with the
1821 			 * session id.
1822 			 */
1823 			for (i = 0; i < 16; i++)
1824 				session_key[i] ^= session_id[i];
1825 		}
1826 	}
1827 	if (rsafail) {
1828 		int bytes = BN_num_bytes(session_key_int);
1829 		u_char *buf = xmalloc(bytes);
1830 		MD5_CTX md;
1831 
1832 		log("do_connection: generating a fake encryption key");
1833 		(void) BN_bn2bin(session_key_int, buf);
1834 		MD5_Init(&md);
1835 		MD5_Update(&md, buf, bytes);
1836 		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
1837 		MD5_Final(session_key, &md);
1838 		MD5_Init(&md);
1839 		MD5_Update(&md, session_key, 16);
1840 		MD5_Update(&md, buf, bytes);
1841 		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
1842 		MD5_Final(session_key + 16, &md);
1843 		(void) memset(buf, 0, bytes);
1844 		xfree(buf);
1845 		for (i = 0; i < 16; i++)
1846 			session_id[i] = session_key[i] ^ session_key[i + 16];
1847 	}
1848 	/* Destroy the private and public keys. No longer. */
1849 	destroy_sensitive_data();
1850 
1851 	/* Destroy the decrypted integer.  It is no longer needed. */
1852 	BN_clear_free(session_key_int);
1853 
1854 	/* Set the session key.  From this on all communications will be encrypted. */
1855 	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
1856 
1857 	/* Destroy our copy of the session key.  It is no longer needed. */
1858 	(void) memset(session_key, 0, sizeof(session_key));
1859 
1860 	debug("Received session key; encryption turned on.");
1861 
1862 	/* Send an acknowledgment packet.  Note that this packet is sent encrypted. */
1863 	packet_start(SSH_SMSG_SUCCESS);
1864 	packet_send();
1865 	packet_write_wait();
1866 }
1867 
1868 /*
1869  * Prepare for SSH2 key exchange.
1870  */
1871 Kex *
1872 prepare_for_ssh2_kex(void)
1873 {
1874 	Kex *kex;
1875 	Kex_hook_func kex_hook = NULL;
1876 	char **locales;
1877 
1878 	if (options.ciphers != NULL) {
1879 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
1880 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
1881 	}
1882 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
1883 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
1884 	myproposal[PROPOSAL_ENC_ALGS_STOC] =
1885 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
1886 
1887 	if (options.macs != NULL) {
1888 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
1889 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
1890 	}
1891 	if (!options.compression) {
1892 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
1893 		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
1894 	}
1895 
1896 	/*
1897 	 * Prepare kex algs / hostkey algs (excluding GSS, which is
1898 	 * handled in the kex hook.
1899 	 *
1900 	 * XXX This should probably move to the kex hook as well, where
1901 	 * all non-constant kex offer material belongs.
1902 	 */
1903 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
1904 
1905 	/* If we have no host key algs we can't offer KEXDH/KEX_DH_GEX */
1906 	if (myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] == NULL ||
1907 	    *myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] == '\0')
1908 		myproposal[PROPOSAL_KEX_ALGS] = "";
1909 
1910 	if ((locales = g11n_getlocales()) != NULL) {
1911 		/* Solaris 9 SSH expects a list of locales */
1912 		if (datafellows & SSH_BUG_LOCALES_NOT_LANGTAGS)
1913 			myproposal[PROPOSAL_LANG_STOC] = xjoin(locales, ',');
1914 		else
1915 			myproposal[PROPOSAL_LANG_STOC] =
1916 				g11n_locales2langs(locales);
1917 	}
1918 
1919 	if (locales != NULL)
1920 		g11n_freelist(locales);
1921 
1922 	if ((myproposal[PROPOSAL_LANG_STOC] != NULL) ||
1923 	    (strcmp(myproposal[PROPOSAL_LANG_STOC], "")) != 0)
1924 		myproposal[PROPOSAL_LANG_CTOS] =
1925 			xstrdup(myproposal[PROPOSAL_LANG_STOC]);
1926 
1927 #ifdef GSSAPI
1928 	if (options.gss_keyex)
1929 		kex_hook = ssh_gssapi_server_kex_hook;
1930 #endif /* GSSAPI */
1931 
1932 	kex = kex_setup(NULL, myproposal, kex_hook);
1933 
1934 	if (myproposal[PROPOSAL_LANG_STOC] != NULL)
1935 		xfree(myproposal[PROPOSAL_LANG_STOC]);
1936 	if (myproposal[PROPOSAL_LANG_CTOS] != NULL)
1937 		xfree(myproposal[PROPOSAL_LANG_CTOS]);
1938 
1939 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
1940 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1941 #ifdef GSSAPI
1942 	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
1943 #endif /* GSSAPI */
1944 	kex->server = 1;
1945 	kex->client_version_string = client_version_string;
1946 	kex->server_version_string = server_version_string;
1947 	kex->load_host_key = &get_hostkey_by_type;
1948 	kex->host_key_index = &get_hostkey_index;
1949 
1950 	xxx_kex = kex;
1951 	return (kex);
1952 }
1953 
1954 /*
1955  * Do SSH2 key exchange.
1956  */
1957 static void
1958 do_ssh2_kex(void)
1959 {
1960 	Kex *kex;
1961 
1962 	kex = prepare_for_ssh2_kex();
1963 	kex_start(kex);
1964 
1965 	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
1966 
1967 	if (kex->name) {
1968 		xfree(kex->name);
1969 		kex->name = NULL;
1970 	}
1971 	session_id2 = kex->session_id;
1972 	session_id2_len = kex->session_id_len;
1973 
1974 #ifdef DEBUG_KEXDH
1975 	/* send 1st encrypted/maced/compressed message */
1976 	packet_start(SSH2_MSG_IGNORE);
1977 	packet_put_cstring("markus");
1978 	packet_send();
1979 	packet_write_wait();
1980 #endif
1981 	debug("KEX done");
1982 }
1983