/src/dropbear/src/svr-session.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Dropbear - a SSH2 server |
3 | | * |
4 | | * Copyright (c) 2002,2003 Matt Johnston |
5 | | * All rights reserved. |
6 | | * |
7 | | * Permission is hereby granted, free of charge, to any person obtaining a copy |
8 | | * of this software and associated documentation files (the "Software"), to deal |
9 | | * in the Software without restriction, including without limitation the rights |
10 | | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
11 | | * copies of the Software, and to permit persons to whom the Software is |
12 | | * furnished to do so, subject to the following conditions: |
13 | | * |
14 | | * The above copyright notice and this permission notice shall be included in |
15 | | * all copies or substantial portions of the Software. |
16 | | * |
17 | | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
18 | | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
19 | | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
20 | | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
21 | | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
22 | | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
23 | | * SOFTWARE. */ |
24 | | |
25 | | #include "includes.h" |
26 | | #include "session.h" |
27 | | #include "dbutil.h" |
28 | | #include "packet.h" |
29 | | #include "algo.h" |
30 | | #include "buffer.h" |
31 | | #include "dss.h" |
32 | | #include "ssh.h" |
33 | | #include "dbrandom.h" |
34 | | #include "kex.h" |
35 | | #include "channel.h" |
36 | | #include "chansession.h" |
37 | | #include "atomicio.h" |
38 | | #include "tcpfwd.h" |
39 | | #include "service.h" |
40 | | #include "auth.h" |
41 | | #include "runopts.h" |
42 | | #include "crypto_desc.h" |
43 | | #include "fuzz.h" |
44 | | |
45 | | static void svr_remoteclosed(void); |
46 | | static void svr_algos_initialise(void); |
47 | | |
48 | | struct serversession svr_ses; /* GLOBAL */ |
49 | | |
50 | | static const packettype svr_packettypes[] = { |
51 | | {SSH_MSG_CHANNEL_DATA, recv_msg_channel_data}, |
52 | | {SSH_MSG_CHANNEL_WINDOW_ADJUST, recv_msg_channel_window_adjust}, |
53 | | {SSH_MSG_USERAUTH_REQUEST, recv_msg_userauth_request}, /* server */ |
54 | | {SSH_MSG_SERVICE_REQUEST, recv_msg_service_request}, /* server */ |
55 | | {SSH_MSG_KEXINIT, recv_msg_kexinit}, |
56 | | {SSH_MSG_KEXDH_INIT, recv_msg_kexdh_init}, /* server */ |
57 | | {SSH_MSG_NEWKEYS, recv_msg_newkeys}, |
58 | | {SSH_MSG_GLOBAL_REQUEST, recv_msg_global_request_remotetcp}, |
59 | | {SSH_MSG_CHANNEL_REQUEST, recv_msg_channel_request}, |
60 | | {SSH_MSG_CHANNEL_OPEN, recv_msg_channel_open}, |
61 | | {SSH_MSG_CHANNEL_EOF, recv_msg_channel_eof}, |
62 | | {SSH_MSG_CHANNEL_CLOSE, recv_msg_channel_close}, |
63 | | {SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response}, |
64 | | {SSH_MSG_CHANNEL_FAILURE, ignore_recv_response}, |
65 | | {SSH_MSG_REQUEST_FAILURE, ignore_recv_response}, /* for keepalive */ |
66 | | {SSH_MSG_REQUEST_SUCCESS, ignore_recv_response}, /* client */ |
67 | | #if DROPBEAR_LISTENERS |
68 | | {SSH_MSG_CHANNEL_OPEN_CONFIRMATION, recv_msg_channel_open_confirmation}, |
69 | | {SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure}, |
70 | | #endif |
71 | | {0, NULL} /* End */ |
72 | | }; |
73 | | |
74 | | static const struct ChanType *svr_chantypes[] = { |
75 | | &svrchansess, |
76 | | #if DROPBEAR_SVR_LOCALTCPFWD |
77 | | &svr_chan_tcpdirect, |
78 | | #endif |
79 | | NULL /* Null termination is mandatory. */ |
80 | | }; |
81 | | |
82 | | static void |
83 | 0 | svr_session_cleanup(void) { |
84 | | /* free potential public key options */ |
85 | 0 | svr_pubkey_options_cleanup(); |
86 | |
|
87 | 0 | m_free(svr_ses.addrstring); |
88 | 0 | m_free(svr_ses.remotehost); |
89 | 0 | m_free(svr_ses.childpids); |
90 | 0 | svr_ses.childpidsize = 0; |
91 | |
|
92 | | #if DROPBEAR_PLUGIN |
93 | | if (svr_ses.plugin_handle != NULL) { |
94 | | if (svr_ses.plugin_instance) { |
95 | | svr_ses.plugin_instance->delete_plugin(svr_ses.plugin_instance); |
96 | | svr_ses.plugin_instance = NULL; |
97 | | } |
98 | | |
99 | | dlclose(svr_ses.plugin_handle); |
100 | | svr_ses.plugin_handle = NULL; |
101 | | } |
102 | | #endif |
103 | 0 | } |
104 | | |
105 | 0 | void svr_session(int sock, int childpipe) { |
106 | 0 | char *host, *port; |
107 | 0 | size_t len; |
108 | |
|
109 | 0 | common_session_init(sock, sock); |
110 | | |
111 | | /* Initialise server specific parts of the session */ |
112 | 0 | svr_ses.childpipe = childpipe; |
113 | | #if DROPBEAR_VFORK |
114 | | svr_ses.server_pid = getpid(); |
115 | | #endif |
116 | | |
117 | | /* for logging the remote address */ |
118 | 0 | get_socket_address(ses.sock_in, NULL, NULL, &host, &port, 0); |
119 | 0 | len = strlen(host) + strlen(port) + 2; |
120 | 0 | svr_ses.addrstring = m_malloc(len); |
121 | 0 | snprintf(svr_ses.addrstring, len, "%s:%s", host, port); |
122 | 0 | m_free(host); |
123 | 0 | m_free(port); |
124 | |
|
125 | | #if DROPBEAR_PLUGIN |
126 | | /* Initializes the PLUGIN Plugin */ |
127 | | svr_ses.plugin_handle = NULL; |
128 | | svr_ses.plugin_instance = NULL; |
129 | | if (svr_opts.pubkey_plugin) { |
130 | | #if DEBUG_TRACE |
131 | | const int verbose = debug_trace; |
132 | | #else |
133 | | const int verbose = 0; |
134 | | #endif |
135 | | PubkeyExtPlugin_newFn pluginConstructor; |
136 | | |
137 | | /* RTLD_NOW: fails if not all the symbols are resolved now. Better fail now than at run-time */ |
138 | | svr_ses.plugin_handle = dlopen(svr_opts.pubkey_plugin, RTLD_NOW); |
139 | | if (svr_ses.plugin_handle == NULL) { |
140 | | dropbear_exit("failed to load external pubkey plugin '%s': %s", svr_opts.pubkey_plugin, dlerror()); |
141 | | } |
142 | | pluginConstructor = (PubkeyExtPlugin_newFn)dlsym(svr_ses.plugin_handle, DROPBEAR_PUBKEY_PLUGIN_FNNAME_NEW); |
143 | | if (!pluginConstructor) { |
144 | | dropbear_exit("plugin constructor method not found in external pubkey plugin"); |
145 | | } |
146 | | |
147 | | /* Create an instance of the plugin */ |
148 | | svr_ses.plugin_instance = pluginConstructor(verbose, svr_opts.pubkey_plugin_options, svr_ses.addrstring); |
149 | | if (svr_ses.plugin_instance == NULL) { |
150 | | dropbear_exit("external plugin initialization failed"); |
151 | | } |
152 | | /* Check if the plugin is compatible */ |
153 | | if ( (svr_ses.plugin_instance->api_version[0] != DROPBEAR_PLUGIN_VERSION_MAJOR) || |
154 | | (svr_ses.plugin_instance->api_version[1] < DROPBEAR_PLUGIN_VERSION_MINOR) ) { |
155 | | dropbear_exit("plugin version check failed: " |
156 | | "Dropbear=%d.%d, plugin=%d.%d", |
157 | | DROPBEAR_PLUGIN_VERSION_MAJOR, DROPBEAR_PLUGIN_VERSION_MINOR, |
158 | | svr_ses.plugin_instance->api_version[0], svr_ses.plugin_instance->api_version[1]); |
159 | | } |
160 | | if (svr_ses.plugin_instance->api_version[1] > DROPBEAR_PLUGIN_VERSION_MINOR) { |
161 | | dropbear_log(LOG_WARNING, "plugin API newer than dropbear API: " |
162 | | "Dropbear=%d.%d, plugin=%d.%d", |
163 | | DROPBEAR_PLUGIN_VERSION_MAJOR, DROPBEAR_PLUGIN_VERSION_MINOR, |
164 | | svr_ses.plugin_instance->api_version[0], svr_ses.plugin_instance->api_version[1]); |
165 | | } |
166 | | dropbear_log(LOG_INFO, "successfully loaded and initialized pubkey plugin '%s'", svr_opts.pubkey_plugin); |
167 | | } |
168 | | #endif |
169 | |
|
170 | 0 | svr_authinitialise(); |
171 | 0 | chaninitialise(svr_chantypes); |
172 | 0 | svr_chansessinitialise(); |
173 | 0 | svr_algos_initialise(); |
174 | |
|
175 | 0 | get_socket_address(ses.sock_in, NULL, NULL, |
176 | 0 | &svr_ses.remotehost, NULL, 1); |
177 | | |
178 | | /* set up messages etc */ |
179 | 0 | ses.remoteclosed = svr_remoteclosed; |
180 | 0 | ses.extra_session_cleanup = svr_session_cleanup; |
181 | | |
182 | | /* packet handlers */ |
183 | 0 | ses.packettypes = svr_packettypes; |
184 | |
|
185 | 0 | ses.isserver = 1; |
186 | | |
187 | | /* We're ready to go now */ |
188 | 0 | ses.init_done = 1; |
189 | | |
190 | | /* exchange identification, version etc */ |
191 | 0 | send_session_identification(); |
192 | | |
193 | 0 | kexfirstinitialise(); /* initialise the kex state */ |
194 | | |
195 | | /* start off with key exchange */ |
196 | 0 | send_msg_kexinit(); |
197 | |
|
198 | 0 | #if DROPBEAR_FUZZ |
199 | 0 | if (fuzz.fuzzing) { |
200 | 0 | fuzz_svr_hook_preloop(); |
201 | 0 | } |
202 | 0 | #endif |
203 | | |
204 | | /* Run the main for-loop. */ |
205 | 0 | session_loop(svr_chansess_checksignal); |
206 | | |
207 | | /* Not reached */ |
208 | |
|
209 | 0 | } |
210 | | |
211 | | /* cleanup and exit - format must be <= 100 chars */ |
212 | 150 | void svr_dropbear_exit(int exitcode, const char* format, va_list param) { |
213 | 150 | char exitmsg[150]; |
214 | 150 | char fullmsg[300]; |
215 | 150 | char fromaddr[60]; |
216 | 150 | int i; |
217 | 150 | int add_delay = 0; |
218 | | |
219 | | #if DROPBEAR_PLUGIN |
220 | | if ((ses.plugin_session != NULL)) { |
221 | | svr_ses.plugin_instance->delete_session(ses.plugin_session); |
222 | | } |
223 | | ses.plugin_session = NULL; |
224 | | svr_opts.pubkey_plugin_options = NULL; |
225 | | m_free(svr_opts.pubkey_plugin); |
226 | | #endif |
227 | | |
228 | | /* Render the formatted exit message */ |
229 | 150 | vsnprintf(exitmsg, sizeof(exitmsg), format, param); |
230 | | |
231 | | /* svr_ses.addrstring may not be set for some early exits, or for |
232 | | the listener process */ |
233 | 150 | fromaddr[0] = '\0'; |
234 | 150 | if (svr_ses.addrstring) { |
235 | 0 | snprintf(fromaddr, sizeof(fromaddr), " from <%s>", svr_ses.addrstring); |
236 | 0 | } |
237 | | |
238 | | /* Add the prefix depending on session/auth state */ |
239 | 150 | if (!ses.init_done) { |
240 | | /* before session init */ |
241 | 150 | snprintf(fullmsg, sizeof(fullmsg), "Early exit%s: %s", fromaddr, exitmsg); |
242 | 150 | } else if (ses.authstate.authdone) { |
243 | | /* user has authenticated */ |
244 | 0 | snprintf(fullmsg, sizeof(fullmsg), |
245 | 0 | "Exit (%s)%s: %s", |
246 | 0 | ses.authstate.pw_name, fromaddr, exitmsg); |
247 | 0 | } else if (ses.authstate.pw_name) { |
248 | | /* we have a potential user */ |
249 | 0 | snprintf(fullmsg, sizeof(fullmsg), |
250 | 0 | "Exit before auth%s: (user '%s', %u fails): %s", |
251 | 0 | fromaddr, ses.authstate.pw_name, ses.authstate.failcount, exitmsg); |
252 | 0 | add_delay = 1; |
253 | 0 | } else { |
254 | | /* before userauth */ |
255 | 0 | snprintf(fullmsg, sizeof(fullmsg), "Exit before auth%s: %s", fromaddr, exitmsg); |
256 | 0 | add_delay = 1; |
257 | 0 | } |
258 | | |
259 | 150 | dropbear_log(LOG_INFO, "%s", fullmsg); |
260 | | |
261 | | /* To make it harder for attackers, introduce a delay to keep an |
262 | | * unauthenticated session open a bit longer, thus blocking a connection |
263 | | * slot until after the delay. Without this, while there is a limit on |
264 | | * the amount of attempts an attacker can make at the same time |
265 | | * (MAX_UNAUTH_PER_IP), the time taken by dropbear to handle one attempt |
266 | | * is still short and thus for each of the allowed parallel attempts |
267 | | * many attempts can be chained one after the other. The attempt rate is |
268 | | * then: |
269 | | * "MAX_UNAUTH_PER_IP / <process time of one attempt>". |
270 | | * With the delay, this rate becomes: |
271 | | * "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY". |
272 | | */ |
273 | 150 | if ((add_delay != 0) && (UNAUTH_CLOSE_DELAY > 0)) { |
274 | 0 | TRACE(("svr_dropbear_exit: start delay of %d seconds", UNAUTH_CLOSE_DELAY)); |
275 | 0 | sleep(UNAUTH_CLOSE_DELAY); |
276 | 0 | TRACE(("svr_dropbear_exit: end delay of %d seconds", UNAUTH_CLOSE_DELAY)); |
277 | 0 | } |
278 | | |
279 | | #if DROPBEAR_VFORK |
280 | | /* For uclinux only the main server process should cleanup - we don't want |
281 | | * forked children doing that */ |
282 | | if (svr_ses.server_pid == getpid()) |
283 | | #endif |
284 | 150 | { |
285 | | /* must be after we've done with username etc */ |
286 | 150 | session_cleanup(); |
287 | 150 | } |
288 | | |
289 | 150 | #if DROPBEAR_FUZZ |
290 | | /* longjmp before cleaning up svr_opts */ |
291 | 150 | if (fuzz.do_jmp) { |
292 | 150 | longjmp(fuzz.jmp, 1); |
293 | 150 | } |
294 | 0 | #endif |
295 | | |
296 | 0 | if (svr_opts.hostkey) { |
297 | 0 | sign_key_free(svr_opts.hostkey); |
298 | 0 | svr_opts.hostkey = NULL; |
299 | 0 | } |
300 | 0 | for (i = 0; i < DROPBEAR_MAX_PORTS; i++) { |
301 | 0 | m_free(svr_opts.addresses[i]); |
302 | 0 | m_free(svr_opts.ports[i]); |
303 | 0 | } |
304 | | |
305 | | |
306 | 0 | exit(exitcode); |
307 | | |
308 | 150 | } |
309 | | |
310 | | /* priority is priority as with syslog() */ |
311 | 0 | void svr_dropbear_log(int priority, const char* format, va_list param) { |
312 | |
|
313 | 0 | char printbuf[1024]; |
314 | 0 | char datestr[20]; |
315 | 0 | time_t timesec; |
316 | 0 | int havetrace = 0; |
317 | |
|
318 | 0 | vsnprintf(printbuf, sizeof(printbuf), format, param); |
319 | |
|
320 | 0 | #ifndef DISABLE_SYSLOG |
321 | 0 | if (opts.usingsyslog) { |
322 | 0 | syslog(priority, "%s", printbuf); |
323 | 0 | } |
324 | 0 | #endif |
325 | | |
326 | | /* if we are using DEBUG_TRACE, we want to print to stderr even if |
327 | | * syslog is used, so it is included in error reports */ |
328 | | #if DEBUG_TRACE |
329 | | havetrace = debug_trace; |
330 | | #endif |
331 | |
|
332 | 0 | if (!opts.usingsyslog || havetrace) { |
333 | 0 | struct tm * local_tm = NULL; |
334 | 0 | timesec = time(NULL); |
335 | 0 | local_tm = localtime(×ec); |
336 | 0 | if (local_tm == NULL |
337 | 0 | || strftime(datestr, sizeof(datestr), "%b %d %H:%M:%S", |
338 | 0 | local_tm) == 0) |
339 | 0 | { |
340 | | /* upon failure, just print the epoch-seconds time. */ |
341 | 0 | snprintf(datestr, sizeof(datestr), "%d", (int)timesec); |
342 | 0 | } |
343 | 0 | fprintf(stderr, "[%d] %s %s\n", getpid(), datestr, printbuf); |
344 | 0 | } |
345 | 0 | } |
346 | | |
347 | | /* called when the remote side closes the connection */ |
348 | 0 | static void svr_remoteclosed() { |
349 | |
|
350 | 0 | m_close(ses.sock_in); |
351 | 0 | if (ses.sock_in != ses.sock_out) { |
352 | 0 | m_close(ses.sock_out); |
353 | 0 | } |
354 | 0 | ses.sock_in = -1; |
355 | 0 | ses.sock_out = -1; |
356 | 0 | dropbear_close("Exited normally"); |
357 | |
|
358 | 0 | } |
359 | | |
360 | 0 | static void svr_algos_initialise(void) { |
361 | 0 | algo_type *algo; |
362 | 0 | for (algo = sshkex; algo->name; algo++) { |
363 | | #if DROPBEAR_DH_GROUP1 && DROPBEAR_DH_GROUP1_CLIENTONLY |
364 | | if (strcmp(algo->name, "diffie-hellman-group1-sha1") == 0) { |
365 | | algo->usable = 0; |
366 | | } |
367 | | #endif |
368 | 0 | #if DROPBEAR_EXT_INFO |
369 | 0 | if (strcmp(algo->name, SSH_EXT_INFO_C) == 0) { |
370 | 0 | algo->usable = 0; |
371 | 0 | } |
372 | 0 | #endif |
373 | 0 | } |
374 | 0 | } |
375 | | |