Line | Count | Source |
1 | | /* |
2 | | * server.c - functions for creating a SSH server |
3 | | * |
4 | | * This file is part of the SSH Library |
5 | | * |
6 | | * Copyright (c) 2004-2013 by Aris Adamantiadis |
7 | | * |
8 | | * The SSH Library is free software; you can redistribute it and/or modify |
9 | | * it under the terms of the GNU Lesser General Public License as published by |
10 | | * the Free Software Foundation; either version 2.1 of the License, or (at your |
11 | | * option) any later version. |
12 | | * |
13 | | * The SSH Library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
15 | | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public |
16 | | * License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with the SSH Library; see the file COPYING. If not, write to |
20 | | * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, |
21 | | * MA 02111-1307, USA. |
22 | | */ |
23 | | |
24 | | #include "config.h" |
25 | | |
26 | | #include <errno.h> |
27 | | #include <fcntl.h> |
28 | | #include <stdio.h> |
29 | | #include <string.h> |
30 | | #include <stdlib.h> |
31 | | |
32 | | #ifdef _WIN32 |
33 | | # include <winsock2.h> |
34 | | # include <ws2tcpip.h> |
35 | | |
36 | | /* |
37 | | * <wspiapi.h> is necessary for getaddrinfo before Windows XP, but it isn't |
38 | | * available on some platforms like MinGW. |
39 | | */ |
40 | | # ifdef HAVE_WSPIAPI_H |
41 | | # include <wspiapi.h> |
42 | | # endif |
43 | | #else |
44 | | # include <netinet/in.h> |
45 | | #endif |
46 | | |
47 | | #include "libssh/buffer.h" |
48 | | #include "libssh/curve25519.h" |
49 | | #include "libssh/dh.h" |
50 | | #include "libssh/gssapi.h" |
51 | | #include "libssh/kex.h" |
52 | | #include "libssh/libssh.h" |
53 | | #include "libssh/messages.h" |
54 | | #include "libssh/misc.h" |
55 | | #include "libssh/options.h" |
56 | | #include "libssh/packet.h" |
57 | | #include "libssh/pki.h" |
58 | | #include "libssh/priv.h" |
59 | | #include "libssh/server.h" |
60 | | #include "libssh/session.h" |
61 | | #include "libssh/socket.h" |
62 | | #include "libssh/ssh2.h" |
63 | | #include "libssh/token.h" |
64 | | |
65 | 0 | #define set_status(session, status) do {\ |
66 | 0 | if (session->common.callbacks && session->common.callbacks->connect_status_function) \ |
67 | 0 | session->common.callbacks->connect_status_function(session->common.callbacks->userdata, status); \ |
68 | 0 | } while (0) |
69 | | |
70 | | /** |
71 | | * @addtogroup libssh_server |
72 | | * |
73 | | * @{ |
74 | | */ |
75 | | |
76 | | /** |
77 | | * @internal |
78 | | * @brief Sets the server's key exchange, encryption, MAC, and compression |
79 | | * algorithms. |
80 | | * |
81 | | * Prepares the server key exchange (KEX) proposals by prioritizing the |
82 | | * available host keys (Ed25519, ECDSA, RSA) based on their strength and fills |
83 | | * in the KEX method lists based on session options or defaults. This is |
84 | | * essential for negotiating secure communication parameters in the SSH |
85 | | * handshake. |
86 | | * |
87 | | * @param[in] session The SSH session to set up. |
88 | | * |
89 | | * @return `SSH_OK` on success, `SSH_ERROR` on failure (e.g., no host keys |
90 | | * available, random number generation error, or memory allocation failure). |
91 | | */ |
92 | | int server_set_kex(ssh_session session) |
93 | 0 | { |
94 | 0 | struct ssh_kex_struct *server = &session->next_crypto->server_kex; |
95 | 0 | int i, j, rc; |
96 | 0 | const char *wanted = NULL, *allowed = NULL; |
97 | 0 | char *kept = NULL; |
98 | 0 | char hostkeys[128] = {0}; |
99 | 0 | enum ssh_keytypes_e keytype; |
100 | 0 | size_t len; |
101 | 0 | int ok; |
102 | | #ifdef WITH_GSSAPI |
103 | | char *gssapi_algs = NULL; |
104 | | #endif /* WITH_GSSAPI */ |
105 | | |
106 | | /* Skip if already set, for example for the rekey or when we do the guessing |
107 | | * it could have been already used to make some protocol decisions. */ |
108 | 0 | if (server->methods[0] != NULL) { |
109 | 0 | return SSH_OK; |
110 | 0 | } |
111 | | |
112 | 0 | ok = ssh_get_random(server->cookie, 16, 0); |
113 | 0 | if (!ok) { |
114 | 0 | ssh_set_error(session, SSH_FATAL, "PRNG error"); |
115 | 0 | return -1; |
116 | 0 | } |
117 | | |
118 | 0 | if (session->srv.ed25519_key != NULL) { |
119 | 0 | snprintf(hostkeys, |
120 | 0 | sizeof(hostkeys), |
121 | 0 | "%s", |
122 | 0 | ssh_key_type_to_char(ssh_key_type(session->srv.ed25519_key))); |
123 | 0 | } |
124 | 0 | #ifdef HAVE_ECC |
125 | 0 | if (session->srv.ecdsa_key != NULL) { |
126 | 0 | len = strlen(hostkeys); |
127 | 0 | snprintf(hostkeys + len, sizeof(hostkeys) - len, |
128 | 0 | ",%s", session->srv.ecdsa_key->type_c); |
129 | 0 | } |
130 | 0 | #endif |
131 | 0 | if (session->srv.rsa_key != NULL) { |
132 | | /* We support also the SHA2 variants */ |
133 | 0 | len = strlen(hostkeys); |
134 | 0 | snprintf(hostkeys + len, sizeof(hostkeys) - len, |
135 | 0 | ",rsa-sha2-512,rsa-sha2-256"); |
136 | |
|
137 | 0 | len = strlen(hostkeys); |
138 | 0 | keytype = ssh_key_type(session->srv.rsa_key); |
139 | |
|
140 | 0 | snprintf(hostkeys + len, sizeof(hostkeys) - len, |
141 | 0 | ",%s", ssh_key_type_to_char(keytype)); |
142 | 0 | } |
143 | |
|
144 | 0 | if (session->opts.wanted_methods[SSH_HOSTKEYS]) { |
145 | 0 | allowed = session->opts.wanted_methods[SSH_HOSTKEYS]; |
146 | 0 | } else { |
147 | 0 | if (ssh_fips_mode()) { |
148 | 0 | allowed = ssh_kex_get_fips_methods(SSH_HOSTKEYS); |
149 | 0 | } else { |
150 | 0 | allowed = ssh_kex_get_default_methods(SSH_HOSTKEYS); |
151 | 0 | } |
152 | 0 | } |
153 | |
|
154 | 0 | if (strlen(hostkeys) != 0) { |
155 | | /* It is expected for the list of allowed hostkeys to be ordered by |
156 | | * preference */ |
157 | 0 | kept = |
158 | 0 | ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys, |
159 | 0 | allowed); |
160 | 0 | if (kept == NULL) { |
161 | | /* Nothing was allowed */ |
162 | 0 | return -1; |
163 | 0 | } |
164 | | |
165 | 0 | rc = ssh_options_set_algo(session, |
166 | 0 | SSH_HOSTKEYS, |
167 | 0 | kept, |
168 | 0 | &session->opts.wanted_methods[SSH_HOSTKEYS]); |
169 | 0 | SAFE_FREE(kept); |
170 | 0 | if (rc < 0) { |
171 | 0 | return -1; |
172 | 0 | } |
173 | 0 | } |
174 | | #ifdef WITH_GSSAPI |
175 | | if (session->opts.gssapi_key_exchange) { |
176 | | ok = ssh_gssapi_init(session); |
177 | | if (ok != SSH_OK) { |
178 | | ssh_set_error_oom(session); |
179 | | return SSH_ERROR; |
180 | | } |
181 | | |
182 | | gssapi_algs = ssh_gssapi_kex_mechs(session); |
183 | | if (gssapi_algs == NULL) { |
184 | | return SSH_ERROR; |
185 | | } |
186 | | ssh_gssapi_free(session); |
187 | | |
188 | | /* Prefix the default algorithms with gsskex algs */ |
189 | | session->opts.wanted_methods[SSH_KEX] = |
190 | | ssh_prefix_without_duplicates(ssh_kex_get_default_methods(SSH_KEX), |
191 | | gssapi_algs); |
192 | | |
193 | | if (strlen(hostkeys) == 0) { |
194 | | session->opts.wanted_methods[SSH_HOSTKEYS] = strdup("null"); |
195 | | } |
196 | | |
197 | | SAFE_FREE(gssapi_algs); |
198 | | } |
199 | | #endif /* WITH_GSSAPI */ |
200 | | |
201 | 0 | for (i = 0; i < SSH_KEX_METHODS; i++) { |
202 | 0 | wanted = session->opts.wanted_methods[i]; |
203 | 0 | if (wanted == NULL) { |
204 | 0 | if (ssh_fips_mode()) { |
205 | 0 | wanted = ssh_kex_get_fips_methods(i); |
206 | 0 | } else { |
207 | 0 | wanted = ssh_kex_get_default_methods(i); |
208 | 0 | } |
209 | 0 | } |
210 | 0 | if (wanted == NULL) { |
211 | 0 | for (j = 0; j < i; j++) { |
212 | 0 | SAFE_FREE(server->methods[j]); |
213 | 0 | } |
214 | 0 | return -1; |
215 | 0 | } |
216 | | |
217 | 0 | server->methods[i] = strdup(wanted); |
218 | 0 | if (server->methods[i] == NULL) { |
219 | 0 | for (j = 0; j < i; j++) { |
220 | 0 | SAFE_FREE(server->methods[j]); |
221 | 0 | } |
222 | 0 | return -1; |
223 | 0 | } |
224 | 0 | } |
225 | | |
226 | | /* Do not append the extensions during rekey */ |
227 | 0 | if (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) { |
228 | 0 | return SSH_OK; |
229 | 0 | } |
230 | | |
231 | 0 | rc = ssh_kex_append_extensions(session, server); |
232 | 0 | return rc; |
233 | 0 | } |
234 | | |
235 | 0 | int ssh_server_init_kex(ssh_session session) { |
236 | 0 | int i; |
237 | |
|
238 | 0 | if (session->session_state > SSH_SESSION_STATE_BANNER_RECEIVED) { |
239 | 0 | return SSH_ERROR; |
240 | 0 | } |
241 | | |
242 | | /* free any currently-set methods: server_set_kex will allocate new ones */ |
243 | 0 | for (i = 0; i < SSH_KEX_METHODS; i++) { |
244 | 0 | SAFE_FREE(session->next_crypto->server_kex.methods[i]); |
245 | 0 | } |
246 | |
|
247 | 0 | return server_set_kex(session); |
248 | 0 | } |
249 | | |
250 | | /** |
251 | | * @internal |
252 | | * |
253 | | * @brief Sends SSH extension information from the server to client. |
254 | | * |
255 | | * A server may send this message (`SSH_MSG_EXT_INFO`) after its first |
256 | | * `SSH_MSG_NEWKEYS` message or just before sending `SSH_MSG_USERAUTH_SUCCESS` |
257 | | * to provide additional extensions support that are not meant for an |
258 | | * unauthenticated client. |
259 | | * |
260 | | * If any error occurs during the packing or sending of the packet, the function |
261 | | * aborts to avoid partial or corrupted sends. |
262 | | * |
263 | | * @param[in] session The SSH session. |
264 | | * |
265 | | * @return `SSH_OK` on success, `SSH_ERROR` on failure. |
266 | | */ |
267 | | static int ssh_server_send_extensions(ssh_session session) |
268 | 0 | { |
269 | 0 | int rc; |
270 | 0 | const char *hostkey_algorithms = NULL; |
271 | |
|
272 | 0 | SSH_LOG(SSH_LOG_PACKET, "Sending SSH_MSG_EXT_INFO"); |
273 | |
|
274 | 0 | if (session->opts.pubkey_accepted_types) { |
275 | 0 | hostkey_algorithms = session->opts.pubkey_accepted_types; |
276 | 0 | } else { |
277 | 0 | if (ssh_fips_mode()) { |
278 | 0 | hostkey_algorithms = ssh_kex_get_fips_methods(SSH_HOSTKEYS); |
279 | 0 | } else { |
280 | | /* There are no restrictions to the accepted public keys */ |
281 | 0 | hostkey_algorithms = ssh_kex_get_default_methods(SSH_HOSTKEYS); |
282 | 0 | } |
283 | 0 | } |
284 | |
|
285 | 0 | rc = ssh_buffer_pack(session->out_buffer, |
286 | 0 | "bdssssss", |
287 | 0 | SSH2_MSG_EXT_INFO, |
288 | 0 | 3, /* nr. of extensions */ |
289 | 0 | "server-sig-algs", |
290 | 0 | hostkey_algorithms, |
291 | 0 | "publickey-hostbound@openssh.com", |
292 | 0 | "0", |
293 | 0 | "ping@openssh.com", |
294 | 0 | "0"); |
295 | 0 | if (rc != SSH_OK) { |
296 | 0 | goto error; |
297 | 0 | } |
298 | | |
299 | 0 | if (ssh_packet_send(session) == SSH_ERROR) { |
300 | 0 | goto error; |
301 | 0 | } |
302 | | |
303 | 0 | return 0; |
304 | 0 | error: |
305 | 0 | ssh_buffer_reinit(session->out_buffer); |
306 | |
|
307 | 0 | return -1; |
308 | 0 | } |
309 | | |
310 | 0 | SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){ |
311 | 0 | (void)packet; |
312 | 0 | (void)type; |
313 | 0 | (void)user; |
314 | |
|
315 | 0 | SSH_LOG(SSH_LOG_PACKET,"Received SSH_MSG_KEXDH_INIT"); |
316 | 0 | if(session->dh_handshake_state != DH_STATE_INIT){ |
317 | 0 | SSH_LOG(SSH_LOG_RARE,"Invalid state for SSH_MSG_KEXDH_INIT"); |
318 | 0 | session->session_state = SSH_SESSION_STATE_ERROR; |
319 | 0 | return SSH_PACKET_USED; |
320 | 0 | } |
321 | | |
322 | | /* If first_kex_packet_follows guess was wrong, ignore this message. */ |
323 | 0 | if (session->first_kex_follows_guess_wrong != 0) { |
324 | 0 | SSH_LOG(SSH_LOG_RARE, "first_kex_packet_follows guess was wrong, " |
325 | 0 | "ignoring first SSH_MSG_KEXDH_INIT message"); |
326 | 0 | session->first_kex_follows_guess_wrong = 0; |
327 | |
|
328 | 0 | return SSH_PACKET_USED; |
329 | 0 | } |
330 | 0 | SSH_LOG(SSH_LOG_DEBUG, "Calling next KEXDH handler"); |
331 | 0 | return SSH_PACKET_NOT_USED; |
332 | 0 | } |
333 | | |
334 | | /** |
335 | | * @brief Prepares server host key parameters for the key exchange process. |
336 | | * |
337 | | * Selects the appropriate private host key (RSA, ECDSA, or Ed25519) based on |
338 | | * the session's configured host key type, sets the corresponding @p digest |
339 | | * algorithm, and imports the public key blob into the Diffie-Hellman key |
340 | | * exchange state. |
341 | | * |
342 | | * @param[in] session The SSH session to which we are preparing host key |
343 | | * parameters. |
344 | | * @param[out] privkey Pointer to receive the selected private host key. |
345 | | * @param[out] digest Pointer to receive the host key digest algorithm. |
346 | | * |
347 | | * @return `SSH_OK` on success; `SSH_ERROR` on failure (invalid key type, export |
348 | | * failure, or DH import error). |
349 | | */ |
350 | | int |
351 | | ssh_get_key_params(ssh_session session, |
352 | | ssh_key *privkey, |
353 | | enum ssh_digest_e *digest) |
354 | 0 | { |
355 | 0 | ssh_key pubkey = NULL; |
356 | 0 | ssh_string pubkey_blob = NULL; |
357 | 0 | int rc; |
358 | |
|
359 | 0 | switch(session->srv.hostkey) { |
360 | 0 | case SSH_KEYTYPE_RSA: |
361 | 0 | *privkey = session->srv.rsa_key; |
362 | 0 | break; |
363 | 0 | case SSH_KEYTYPE_ECDSA_P256: |
364 | 0 | case SSH_KEYTYPE_ECDSA_P384: |
365 | 0 | case SSH_KEYTYPE_ECDSA_P521: |
366 | 0 | *privkey = session->srv.ecdsa_key; |
367 | 0 | break; |
368 | 0 | case SSH_KEYTYPE_ED25519: |
369 | 0 | *privkey = session->srv.ed25519_key; |
370 | 0 | break; |
371 | 0 | case SSH_KEYTYPE_RSA1: |
372 | 0 | case SSH_KEYTYPE_UNKNOWN: |
373 | 0 | default: |
374 | 0 | *privkey = NULL; |
375 | 0 | } |
376 | | |
377 | 0 | *digest = session->srv.hostkey_digest; |
378 | 0 | rc = ssh_pki_export_privkey_to_pubkey(*privkey, &pubkey); |
379 | 0 | if (rc < 0) { |
380 | 0 | ssh_set_error(session, SSH_FATAL, |
381 | 0 | "Could not get the public key from the private key"); |
382 | |
|
383 | 0 | return -1; |
384 | 0 | } |
385 | | |
386 | 0 | rc = ssh_pki_export_pubkey_blob(pubkey, &pubkey_blob); |
387 | 0 | ssh_key_free(pubkey); |
388 | 0 | if (rc < 0) { |
389 | 0 | ssh_set_error_oom(session); |
390 | 0 | return -1; |
391 | 0 | } |
392 | | |
393 | 0 | rc = ssh_dh_import_next_pubkey_blob(session, pubkey_blob); |
394 | 0 | SSH_STRING_FREE(pubkey_blob); |
395 | 0 | if (rc != 0) { |
396 | 0 | ssh_set_error(session, |
397 | 0 | SSH_FATAL, |
398 | 0 | "Could not import server public key"); |
399 | 0 | return -1; |
400 | 0 | } |
401 | | |
402 | 0 | return SSH_OK; |
403 | 0 | } |
404 | | |
405 | | /** |
406 | | * @internal |
407 | | * |
408 | | * @brief A function to be called each time a step has been done in the |
409 | | * connection. |
410 | | */ |
411 | | static void ssh_server_connection_callback(ssh_session session) |
412 | 0 | { |
413 | 0 | int rc; |
414 | |
|
415 | 0 | switch (session->session_state) { |
416 | 0 | case SSH_SESSION_STATE_NONE: |
417 | 0 | case SSH_SESSION_STATE_CONNECTING: |
418 | 0 | case SSH_SESSION_STATE_SOCKET_CONNECTED: |
419 | 0 | break; |
420 | 0 | case SSH_SESSION_STATE_BANNER_RECEIVED: |
421 | 0 | if (session->clientbanner == NULL) { |
422 | 0 | goto error; |
423 | 0 | } |
424 | 0 | set_status(session, 0.4f); |
425 | 0 | SSH_LOG(SSH_LOG_DEBUG, |
426 | 0 | "SSH client banner: %s", session->clientbanner); |
427 | | |
428 | | /* Here we analyze the different protocols the server allows. */ |
429 | 0 | rc = ssh_analyze_banner(session, 1); |
430 | 0 | if (rc < 0) { |
431 | 0 | ssh_set_error(session, SSH_FATAL, |
432 | 0 | "No version of SSH protocol usable (banner: %s)", |
433 | 0 | session->clientbanner); |
434 | 0 | goto error; |
435 | 0 | } |
436 | | |
437 | | /* from now, the packet layer is handling incoming packets */ |
438 | 0 | ssh_packet_register_socket_callback(session, session->socket); |
439 | |
|
440 | 0 | ssh_packet_set_default_callbacks(session); |
441 | 0 | set_status(session, 0.5f); |
442 | 0 | session->session_state = SSH_SESSION_STATE_INITIAL_KEX; |
443 | 0 | rc = ssh_send_kex(session); |
444 | 0 | if (rc < 0) { |
445 | 0 | goto error; |
446 | 0 | } |
447 | 0 | break; |
448 | 0 | case SSH_SESSION_STATE_INITIAL_KEX: |
449 | | /* TODO: This state should disappear in favor of get_key handle */ |
450 | 0 | break; |
451 | 0 | case SSH_SESSION_STATE_KEXINIT_RECEIVED: |
452 | 0 | set_status(session, 0.6f); |
453 | 0 | if ((session->flags & SSH_SESSION_FLAG_KEXINIT_SENT) == 0) { |
454 | 0 | rc = server_set_kex(session); |
455 | 0 | if (rc == SSH_ERROR) { |
456 | 0 | goto error; |
457 | 0 | } |
458 | | /* We are in a rekeying, so we need to send the server kex */ |
459 | 0 | rc = ssh_send_kex(session); |
460 | 0 | if (rc < 0) { |
461 | 0 | goto error; |
462 | 0 | } |
463 | 0 | } |
464 | 0 | ssh_list_kex(&session->next_crypto->client_kex); // log client kex |
465 | 0 | rc = ssh_kex_select_methods(session); |
466 | 0 | if (rc < 0) { |
467 | 0 | goto error; |
468 | 0 | } |
469 | 0 | rc = crypt_set_algorithms_server(session); |
470 | 0 | if (rc == SSH_ERROR) { |
471 | 0 | goto error; |
472 | 0 | } |
473 | 0 | set_status(session, 0.8f); |
474 | 0 | session->session_state = SSH_SESSION_STATE_DH; |
475 | 0 | break; |
476 | 0 | case SSH_SESSION_STATE_DH: |
477 | 0 | if (session->dh_handshake_state == DH_STATE_FINISHED) { |
478 | |
|
479 | 0 | rc = ssh_packet_set_newkeys(session, SSH_DIRECTION_IN); |
480 | 0 | if (rc != SSH_OK) { |
481 | 0 | goto error; |
482 | 0 | } |
483 | | |
484 | | /* |
485 | | * If the client supports extension negotiation, we will send |
486 | | * our supported extensions now. This is the first message after |
487 | | * sending NEWKEYS message and after turning on crypto. |
488 | | */ |
489 | 0 | if (session->extensions & SSH_EXT_NEGOTIATION && |
490 | 0 | session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
491 | | /* |
492 | | * Only send an SSH_MSG_EXT_INFO message the first time the |
493 | | * client undergoes NEWKEYS. It is unexpected for this message |
494 | | * to be sent upon rekey, and may cause clients to log error |
495 | | * messages. |
496 | | * |
497 | | * The session_state can not be used for this purpose because it |
498 | | * is re-set to SSH_SESSION_STATE_KEXINIT_RECEIVED during rekey. |
499 | | * So, use the connected flag which transitions from non-zero |
500 | | * below. |
501 | | * |
502 | | * See also: |
503 | | * - https://bugzilla.mindrot.org/show_bug.cgi?id=2929 |
504 | | */ |
505 | 0 | if (session->connected == 0) { |
506 | 0 | ssh_server_send_extensions(session); |
507 | 0 | } |
508 | 0 | } |
509 | |
|
510 | 0 | set_status(session, 1.0f); |
511 | 0 | session->connected = 1; |
512 | 0 | session->session_state = SSH_SESSION_STATE_AUTHENTICATING; |
513 | 0 | if (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) |
514 | 0 | session->session_state = SSH_SESSION_STATE_AUTHENTICATED; |
515 | |
|
516 | 0 | } |
517 | 0 | break; |
518 | 0 | case SSH_SESSION_STATE_AUTHENTICATING: |
519 | 0 | break; |
520 | 0 | case SSH_SESSION_STATE_ERROR: |
521 | 0 | goto error; |
522 | 0 | default: |
523 | 0 | ssh_set_error(session, SSH_FATAL, "Invalid state %d", |
524 | 0 | session->session_state); |
525 | 0 | } |
526 | | |
527 | 0 | return; |
528 | 0 | error: |
529 | 0 | ssh_socket_close(session->socket); |
530 | 0 | session->alive = 0; |
531 | 0 | session->session_state = SSH_SESSION_STATE_ERROR; |
532 | 0 | } |
533 | | |
534 | | /** |
535 | | * @internal |
536 | | * |
537 | | * @brief Gets the banner from socket and saves it in session. |
538 | | * Updates the session state |
539 | | * |
540 | | * @param data pointer to the beginning of header |
541 | | * @param len size of the banner |
542 | | * @param user is a pointer to session |
543 | | * @returns Number of bytes processed, or zero if the banner is not complete. |
544 | | */ |
545 | | static size_t callback_receive_banner(const void *data, size_t len, void *user) |
546 | 0 | { |
547 | 0 | char *buffer = (char *)data; |
548 | 0 | ssh_session session = (ssh_session)user; |
549 | 0 | char *str = NULL; |
550 | 0 | size_t i; |
551 | 0 | size_t processed = 0; |
552 | |
|
553 | 0 | for (i = 0; i < len; i++) { |
554 | 0 | #ifdef WITH_PCAP |
555 | 0 | if (session->pcap_ctx && buffer[i] == '\n') { |
556 | 0 | ssh_pcap_context_write(session->pcap_ctx, |
557 | 0 | SSH_PCAP_DIR_IN, |
558 | 0 | buffer, |
559 | 0 | (uint32_t)(i + 1), |
560 | 0 | (uint32_t)(i + 1)); |
561 | 0 | } |
562 | 0 | #endif |
563 | 0 | if (buffer[i] == '\r') { |
564 | 0 | buffer[i] = '\0'; |
565 | 0 | } |
566 | |
|
567 | 0 | if (buffer[i] == '\n') { |
568 | 0 | buffer[i] = '\0'; |
569 | |
|
570 | 0 | str = strdup(buffer); |
571 | 0 | if (str == NULL) { |
572 | 0 | session->session_state = SSH_SESSION_STATE_ERROR; |
573 | 0 | ssh_set_error_oom(session); |
574 | 0 | return 0; |
575 | 0 | } |
576 | | /* number of bytes read */ |
577 | 0 | processed = i + 1; |
578 | 0 | session->clientbanner = str; |
579 | 0 | session->session_state = SSH_SESSION_STATE_BANNER_RECEIVED; |
580 | 0 | SSH_LOG(SSH_LOG_PACKET, "Received banner: %s", str); |
581 | 0 | session->ssh_connection_callback(session); |
582 | |
|
583 | 0 | return processed; |
584 | 0 | } |
585 | | |
586 | 0 | if (i > 127) { |
587 | | /* Too big banner */ |
588 | 0 | session->session_state = SSH_SESSION_STATE_ERROR; |
589 | 0 | ssh_set_error(session, SSH_FATAL, |
590 | 0 | "Receiving banner: too large banner"); |
591 | |
|
592 | 0 | return 0; |
593 | 0 | } |
594 | 0 | } |
595 | | |
596 | 0 | return processed; |
597 | 0 | } |
598 | | |
599 | | /* returns 0 until the key exchange is not finished */ |
600 | 0 | static int ssh_server_kex_termination(void *s){ |
601 | 0 | ssh_session session = s; |
602 | 0 | if (session->session_state != SSH_SESSION_STATE_ERROR && |
603 | 0 | session->session_state != SSH_SESSION_STATE_AUTHENTICATING && |
604 | 0 | session->session_state != SSH_SESSION_STATE_AUTHENTICATED && |
605 | 0 | session->session_state != SSH_SESSION_STATE_DISCONNECTED) |
606 | 0 | return 0; |
607 | 0 | else |
608 | 0 | return 1; |
609 | 0 | } |
610 | | |
611 | | /* FIXME: auth_methods should be unsigned */ |
612 | | void ssh_set_auth_methods(ssh_session session, int auth_methods) |
613 | 0 | { |
614 | | /* accept only methods in range */ |
615 | 0 | session->auth.supported_methods = (uint32_t)auth_methods & 0x3fU; |
616 | 0 | } |
617 | | |
618 | | int ssh_send_issue_banner(ssh_session session, const ssh_string banner) |
619 | 0 | { |
620 | 0 | int rc = SSH_ERROR; |
621 | |
|
622 | 0 | if (session == NULL) { |
623 | 0 | return SSH_ERROR; |
624 | 0 | } |
625 | | |
626 | 0 | SSH_LOG(SSH_LOG_PACKET, |
627 | 0 | "Sending a server issue banner"); |
628 | |
|
629 | 0 | rc = ssh_buffer_pack(session->out_buffer, |
630 | 0 | "bSs", |
631 | 0 | SSH2_MSG_USERAUTH_BANNER, |
632 | 0 | banner, |
633 | 0 | ""); |
634 | 0 | if (rc != SSH_OK) { |
635 | 0 | ssh_set_error_oom(session); |
636 | 0 | return SSH_ERROR; |
637 | 0 | } |
638 | | |
639 | 0 | rc = ssh_packet_send(session); |
640 | 0 | return rc; |
641 | 0 | } |
642 | | |
643 | | /* Do the banner and key exchange */ |
644 | | int ssh_handle_key_exchange(ssh_session session) |
645 | 0 | { |
646 | 0 | int rc; |
647 | |
|
648 | 0 | if (session->session_state != SSH_SESSION_STATE_NONE) { |
649 | 0 | goto pending; |
650 | 0 | } |
651 | | |
652 | 0 | rc = ssh_send_banner(session, 1); |
653 | 0 | if (rc < 0) { |
654 | 0 | return SSH_ERROR; |
655 | 0 | } |
656 | | |
657 | 0 | session->alive = 1; |
658 | |
|
659 | 0 | session->ssh_connection_callback = ssh_server_connection_callback; |
660 | 0 | session->session_state = SSH_SESSION_STATE_SOCKET_CONNECTED; |
661 | 0 | ssh_socket_set_callbacks(session->socket,&session->socket_callbacks); |
662 | 0 | session->socket_callbacks.data = callback_receive_banner; |
663 | 0 | session->socket_callbacks.exception = ssh_socket_exception_callback; |
664 | 0 | session->socket_callbacks.userdata = session; |
665 | |
|
666 | 0 | rc = server_set_kex(session); |
667 | 0 | if (rc < 0) { |
668 | 0 | return SSH_ERROR; |
669 | 0 | } |
670 | 0 | pending: |
671 | 0 | rc = ssh_handle_packets_termination(session, SSH_TIMEOUT_USER, |
672 | 0 | ssh_server_kex_termination,session); |
673 | 0 | SSH_LOG(SSH_LOG_PACKET, "ssh_handle_key_exchange: current state : %d", |
674 | 0 | session->session_state); |
675 | 0 | if (rc != SSH_OK) { |
676 | 0 | return rc; |
677 | 0 | } |
678 | 0 | if (session->session_state == SSH_SESSION_STATE_ERROR || |
679 | 0 | session->session_state == SSH_SESSION_STATE_DISCONNECTED) { |
680 | 0 | return SSH_ERROR; |
681 | 0 | } |
682 | | |
683 | 0 | return SSH_OK; |
684 | 0 | } |
685 | | |
686 | | /* messages */ |
687 | | |
688 | | /** @internal |
689 | | * replies to an SSH_AUTH packet with a default (denied) response. |
690 | | */ |
691 | 0 | int ssh_auth_reply_default(ssh_session session,int partial) { |
692 | 0 | char methods_c[128] = {0}; |
693 | 0 | int rc = SSH_ERROR; |
694 | | |
695 | |
|
696 | 0 | if (session->auth.supported_methods == 0) { |
697 | 0 | session->auth.supported_methods = SSH_AUTH_METHOD_PUBLICKEY | SSH_AUTH_METHOD_PASSWORD; |
698 | 0 | } |
699 | 0 | if (session->auth.supported_methods & SSH_AUTH_METHOD_PUBLICKEY) { |
700 | 0 | strlcat(methods_c, "publickey,", sizeof(methods_c)); |
701 | 0 | } |
702 | 0 | if (session->auth.supported_methods & SSH_AUTH_METHOD_GSSAPI_MIC){ |
703 | 0 | strlcat(methods_c, "gssapi-with-mic,", sizeof(methods_c)); |
704 | 0 | } |
705 | | /* Check if GSSAPI Key exchange was performed */ |
706 | 0 | if (session->auth.supported_methods & SSH_AUTH_METHOD_GSSAPI_KEYEX) { |
707 | 0 | if (ssh_kex_is_gss(session->current_crypto)) { |
708 | 0 | strlcat(methods_c, "gssapi-keyex,", sizeof(methods_c)); |
709 | 0 | } |
710 | 0 | } |
711 | 0 | if (session->auth.supported_methods & SSH_AUTH_METHOD_INTERACTIVE) { |
712 | 0 | strlcat(methods_c, "keyboard-interactive,", sizeof(methods_c)); |
713 | 0 | } |
714 | 0 | if (session->auth.supported_methods & SSH_AUTH_METHOD_PASSWORD) { |
715 | 0 | strlcat(methods_c, "password,", sizeof(methods_c)); |
716 | 0 | } |
717 | 0 | if (session->auth.supported_methods & SSH_AUTH_METHOD_HOSTBASED) { |
718 | 0 | strlcat(methods_c, "hostbased,", sizeof(methods_c)); |
719 | 0 | } |
720 | |
|
721 | 0 | if (methods_c[0] == '\0' || methods_c[strlen(methods_c)-1] != ',') { |
722 | 0 | return SSH_ERROR; |
723 | 0 | } |
724 | | |
725 | | /* Strip the comma. */ |
726 | 0 | methods_c[strlen(methods_c) - 1] = '\0'; // strip the comma. We are sure there is at |
727 | |
|
728 | 0 | SSH_LOG(SSH_LOG_PACKET, |
729 | 0 | "Sending a auth failure. methods that can continue: %s", methods_c); |
730 | |
|
731 | 0 | rc = ssh_buffer_pack(session->out_buffer, |
732 | 0 | "bsb", |
733 | 0 | SSH2_MSG_USERAUTH_FAILURE, |
734 | 0 | methods_c, |
735 | 0 | partial ? 1 : 0); |
736 | 0 | if (rc != SSH_OK){ |
737 | 0 | ssh_set_error_oom(session); |
738 | 0 | return SSH_ERROR; |
739 | 0 | } |
740 | 0 | rc = ssh_packet_send(session); |
741 | 0 | return rc; |
742 | 0 | } |
743 | | |
744 | | /** |
745 | | * @internal |
746 | | * |
747 | | * @brief Sends default refusal for a channel open request. |
748 | | * |
749 | | * Default handler that rejects incoming SSH channel open requests by sending |
750 | | * a `SSH2_MSG_CHANNEL_OPEN_FAILURE` packet with "administratively prohibited" |
751 | | * reason code. Used when no custom channel open handler is registered. |
752 | | * |
753 | | * @param[in] msg The SSH message containing the channel open request details. |
754 | | * |
755 | | * @return `SSH_OK` on successful packet send; `SSH_ERROR` on buffer allocation |
756 | | * or packet send failure. |
757 | | */ |
758 | 0 | static int ssh_message_channel_request_open_reply_default(ssh_message msg) { |
759 | 0 | int rc; |
760 | |
|
761 | 0 | SSH_LOG(SSH_LOG_FUNCTIONS, "Refusing a channel"); |
762 | |
|
763 | 0 | rc = ssh_buffer_pack(msg->session->out_buffer, |
764 | 0 | "bdddd", |
765 | 0 | SSH2_MSG_CHANNEL_OPEN_FAILURE, |
766 | 0 | msg->channel_request_open.sender, |
767 | 0 | SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED, |
768 | 0 | 0, /* reason is empty string */ |
769 | 0 | 0); /* language string */ |
770 | 0 | if (rc != SSH_OK){ |
771 | 0 | ssh_set_error_oom(msg->session); |
772 | 0 | return SSH_ERROR; |
773 | 0 | } |
774 | | |
775 | 0 | rc = ssh_packet_send(msg->session); |
776 | 0 | return rc; |
777 | 0 | } |
778 | | |
779 | | /** |
780 | | * @internal |
781 | | * |
782 | | * @brief Sends default refusal for a channel request. |
783 | | * |
784 | | * Default handler that rejects incoming SSH channel requests. If the client |
785 | | * requested a reply (`want_reply`), sends `SSH2_MSG_CHANNEL_FAILURE` to the |
786 | | * specific channel. If no reply requested, logs the refusal and returns |
787 | | * success. |
788 | | * |
789 | | * @param[in] msg The SSH message containing the channel request details. |
790 | | * |
791 | | * @return `SSH_OK` on success; `SSH_ERROR` if buffer allocation or packet send |
792 | | * fails. |
793 | | */ |
794 | 0 | static int ssh_message_channel_request_reply_default(ssh_message msg) { |
795 | 0 | uint32_t channel; |
796 | 0 | int rc; |
797 | |
|
798 | 0 | if (msg->channel_request.want_reply) { |
799 | 0 | channel = msg->channel_request.channel->remote_channel; |
800 | |
|
801 | 0 | SSH_LOG(SSH_LOG_PACKET, |
802 | 0 | "Sending a default channel_request denied to channel %" PRIu32, channel); |
803 | |
|
804 | 0 | rc = ssh_buffer_pack(msg->session->out_buffer, |
805 | 0 | "bd", |
806 | 0 | SSH2_MSG_CHANNEL_FAILURE, |
807 | 0 | channel); |
808 | 0 | if (rc != SSH_OK){ |
809 | 0 | ssh_set_error_oom(msg->session); |
810 | 0 | return SSH_ERROR; |
811 | 0 | } |
812 | 0 | return ssh_packet_send(msg->session); |
813 | 0 | } |
814 | | |
815 | 0 | SSH_LOG(SSH_LOG_PACKET, |
816 | 0 | "The client doesn't want to know the request failed!"); |
817 | |
|
818 | 0 | return SSH_OK; |
819 | 0 | } |
820 | | |
821 | 0 | static int ssh_message_service_request_reply_default(ssh_message msg) { |
822 | | /* The only return code accepted by specifications are success or disconnect */ |
823 | 0 | return ssh_message_service_reply_success(msg); |
824 | 0 | } |
825 | | |
826 | | /** |
827 | | * @brief Sends `SSH2_MSG_SERVICE_ACCEPT` to the client |
828 | | * |
829 | | * @param msg The message to reply to |
830 | | * |
831 | | * @returns `SSH_OK` when success otherwise `SSH_ERROR` |
832 | | */ |
833 | | int ssh_message_service_reply_success(ssh_message msg) |
834 | 0 | { |
835 | 0 | ssh_session session = NULL; |
836 | 0 | int rc; |
837 | |
|
838 | 0 | if (msg == NULL) { |
839 | 0 | return SSH_ERROR; |
840 | 0 | } |
841 | 0 | session = msg->session; |
842 | |
|
843 | 0 | SSH_LOG(SSH_LOG_PACKET, |
844 | 0 | "Sending a SERVICE_ACCEPT for service %s", msg->service_request.service); |
845 | |
|
846 | 0 | rc = ssh_buffer_pack(session->out_buffer, |
847 | 0 | "bs", |
848 | 0 | SSH2_MSG_SERVICE_ACCEPT, |
849 | 0 | msg->service_request.service); |
850 | 0 | if (rc != SSH_OK){ |
851 | 0 | ssh_set_error_oom(session); |
852 | 0 | return SSH_ERROR; |
853 | 0 | } |
854 | 0 | rc = ssh_packet_send(msg->session); |
855 | 0 | return rc; |
856 | 0 | } |
857 | | |
858 | | /** |
859 | | * @brief Send a global request success message |
860 | | * |
861 | | * @param msg The message |
862 | | * |
863 | | * @param bound_port The remote bind port |
864 | | * |
865 | | * @returns `SSH_OK` on success, otherwise `SSH_ERROR` |
866 | | */ |
867 | 0 | int ssh_message_global_request_reply_success(ssh_message msg, uint16_t bound_port) { |
868 | 0 | int rc; |
869 | |
|
870 | 0 | SSH_LOG(SSH_LOG_FUNCTIONS, "Accepting a global request"); |
871 | |
|
872 | 0 | if (msg->global_request.want_reply) { |
873 | 0 | if (ssh_buffer_add_u8(msg->session->out_buffer |
874 | 0 | , SSH2_MSG_REQUEST_SUCCESS) < 0) { |
875 | 0 | goto error; |
876 | 0 | } |
877 | | |
878 | 0 | if(msg->global_request.type == SSH_GLOBAL_REQUEST_TCPIP_FORWARD |
879 | 0 | && msg->global_request.bind_port == 0) { |
880 | 0 | rc = ssh_buffer_pack(msg->session->out_buffer, "d", bound_port); |
881 | 0 | if (rc != SSH_OK) { |
882 | 0 | ssh_set_error_oom(msg->session); |
883 | 0 | goto error; |
884 | 0 | } |
885 | 0 | } |
886 | | |
887 | 0 | return ssh_packet_send(msg->session); |
888 | 0 | } |
889 | | |
890 | 0 | if(msg->global_request.type == SSH_GLOBAL_REQUEST_TCPIP_FORWARD |
891 | 0 | && msg->global_request.bind_port == 0) { |
892 | 0 | SSH_LOG(SSH_LOG_PACKET, |
893 | 0 | "The client doesn't want to know the remote port!"); |
894 | 0 | } |
895 | |
|
896 | 0 | return SSH_OK; |
897 | 0 | error: |
898 | 0 | return SSH_ERROR; |
899 | 0 | } |
900 | | |
901 | | /** |
902 | | * @internal |
903 | | * |
904 | | * @brief Sends default refusal for a global request. |
905 | | * |
906 | | * Default handler that rejects incoming SSH global requests. If the client |
907 | | * requested a reply (`want_reply`), sends `SSH2_MSG_REQUEST_FAILURE`. If no |
908 | | * reply requested, logs the refusal and returns success immediately. |
909 | | * |
910 | | * @param[in] msg The SSH message containing the global request details. |
911 | | * |
912 | | * @return `SSH_OK` on success; `SSH_ERROR` if buffer allocation or packet send |
913 | | * fails. |
914 | | */ |
915 | 0 | static int ssh_message_global_request_reply_default(ssh_message msg) { |
916 | 0 | SSH_LOG(SSH_LOG_FUNCTIONS, "Refusing a global request"); |
917 | |
|
918 | 0 | if (msg->global_request.want_reply) { |
919 | 0 | if (ssh_buffer_add_u8(msg->session->out_buffer |
920 | 0 | , SSH2_MSG_REQUEST_FAILURE) < 0) { |
921 | 0 | goto error; |
922 | 0 | } |
923 | 0 | return ssh_packet_send(msg->session); |
924 | 0 | } |
925 | 0 | SSH_LOG(SSH_LOG_PACKET, |
926 | 0 | "The client doesn't want to know the request failed!"); |
927 | |
|
928 | 0 | return SSH_OK; |
929 | 0 | error: |
930 | 0 | return SSH_ERROR; |
931 | 0 | } |
932 | | |
933 | 0 | int ssh_message_reply_default(ssh_message msg) { |
934 | 0 | if (msg == NULL) { |
935 | 0 | return -1; |
936 | 0 | } |
937 | | |
938 | 0 | switch(msg->type) { |
939 | 0 | case SSH_REQUEST_AUTH: |
940 | 0 | return ssh_auth_reply_default(msg->session, 0); |
941 | 0 | case SSH_REQUEST_CHANNEL_OPEN: |
942 | 0 | return ssh_message_channel_request_open_reply_default(msg); |
943 | 0 | case SSH_REQUEST_CHANNEL: |
944 | 0 | return ssh_message_channel_request_reply_default(msg); |
945 | 0 | case SSH_REQUEST_SERVICE: |
946 | 0 | return ssh_message_service_request_reply_default(msg); |
947 | 0 | case SSH_REQUEST_GLOBAL: |
948 | 0 | return ssh_message_global_request_reply_default(msg); |
949 | 0 | default: |
950 | 0 | SSH_LOG(SSH_LOG_PACKET, |
951 | 0 | "Don't know what to default reply to %d type", |
952 | 0 | msg->type); |
953 | 0 | break; |
954 | 0 | } |
955 | | |
956 | 0 | return -1; |
957 | 0 | } |
958 | | |
959 | | /** |
960 | | * @brief Gets the service name from the service request message |
961 | | * |
962 | | * @param msg The service request message |
963 | | * |
964 | | * @returns the service name from the message |
965 | | */ |
966 | 0 | const char *ssh_message_service_service(ssh_message msg){ |
967 | 0 | if (msg == NULL) { |
968 | 0 | return NULL; |
969 | 0 | } |
970 | 0 | return msg->service_request.service; |
971 | 0 | } |
972 | | |
973 | 0 | const char *ssh_message_auth_user(ssh_message msg) { |
974 | 0 | if (msg == NULL) { |
975 | 0 | return NULL; |
976 | 0 | } |
977 | | |
978 | 0 | return msg->auth_request.username; |
979 | 0 | } |
980 | | |
981 | 0 | const char *ssh_message_auth_password(ssh_message msg){ |
982 | 0 | if (msg == NULL) { |
983 | 0 | return NULL; |
984 | 0 | } |
985 | | |
986 | 0 | return msg->auth_request.password; |
987 | 0 | } |
988 | | |
989 | 0 | ssh_key ssh_message_auth_pubkey(ssh_message msg) { |
990 | 0 | if (msg == NULL) { |
991 | 0 | return NULL; |
992 | 0 | } |
993 | | |
994 | 0 | return msg->auth_request.pubkey; |
995 | 0 | } |
996 | | |
997 | 0 | ssh_public_key ssh_message_auth_publickey(ssh_message msg){ |
998 | 0 | if (msg == NULL) { |
999 | 0 | return NULL; |
1000 | 0 | } |
1001 | | |
1002 | 0 | return ssh_pki_convert_key_to_publickey(msg->auth_request.pubkey); |
1003 | 0 | } |
1004 | | |
1005 | 0 | enum ssh_publickey_state_e ssh_message_auth_publickey_state(ssh_message msg){ |
1006 | 0 | if (msg == NULL) { |
1007 | 0 | return -1; |
1008 | 0 | } |
1009 | 0 | return msg->auth_request.signature_state; |
1010 | 0 | } |
1011 | | |
1012 | | /** |
1013 | | * @brief Check if the message is a keyboard-interactive response |
1014 | | * |
1015 | | * @param msg The message to check |
1016 | | * |
1017 | | * @returns 1 if the message is a response, otherwise 0 |
1018 | | */ |
1019 | 0 | int ssh_message_auth_kbdint_is_response(ssh_message msg) { |
1020 | 0 | if (msg == NULL) { |
1021 | 0 | return -1; |
1022 | 0 | } |
1023 | | |
1024 | 0 | return msg->auth_request.kbdint_response != 0; |
1025 | 0 | } |
1026 | | |
1027 | | /* FIXME: methods should be unsigned */ |
1028 | | /** |
1029 | | * @brief Sets the supported authentication methods to a message |
1030 | | * |
1031 | | * @param msg The message |
1032 | | * |
1033 | | * @param methods Methods to set to the message. |
1034 | | * The supported methods are listed in ssh_set_auth_methods |
1035 | | * @see ssh_set_auth_methods |
1036 | | * |
1037 | | * @returns 0 on success, otherwise -1 |
1038 | | */ |
1039 | 0 | int ssh_message_auth_set_methods(ssh_message msg, int methods) { |
1040 | 0 | if (msg == NULL || msg->session == NULL) { |
1041 | 0 | return -1; |
1042 | 0 | } |
1043 | | |
1044 | 0 | if (methods < 0) { |
1045 | 0 | return -1; |
1046 | 0 | } |
1047 | | |
1048 | 0 | msg->session->auth.supported_methods = (uint32_t)methods; |
1049 | |
|
1050 | 0 | return 0; |
1051 | 0 | } |
1052 | | |
1053 | | /** |
1054 | | * @brief Sends an interactive authentication request message. |
1055 | | * |
1056 | | * Builds and sends an `SSH2_MSG_USERAUTH_INFO_REQUEST` packet containing the |
1057 | | * given name and @p instruction, followed by a number of @p prompts with |
1058 | | * associated @p echo flags to control whether user input is echoed. |
1059 | | * It initializes the keyboard-interactive state in the session. |
1060 | | * |
1061 | | * @param[in] msg The SSH message representing the client |
1062 | | * authentication request. |
1063 | | * @param[in] name The name of the authentication request. |
1064 | | * @param[in] instruction Instruction string with information for the user. |
1065 | | * @param[in] num_prompts Number of prompts to send. The arrays prompts and |
1066 | | * echo must both have num_prompts elements. |
1067 | | * @param[in] prompts Array of @p num_prompts prompt strings to display. |
1068 | | * @param[in] echo Array of num_prompts boolean values (0 or 1). A |
1069 | | * non-zero value means the user input for that prompt |
1070 | | * is echoed (visible); 0 means the input is hidden |
1071 | | * (typically for passwords). |
1072 | | * |
1073 | | * @return `SSH_OK` on successful send; `SSH_ERROR` on failure. |
1074 | | */ |
1075 | | int ssh_message_auth_interactive_request(ssh_message msg, const char *name, |
1076 | | const char *instruction, unsigned int num_prompts, |
1077 | 0 | const char **prompts, char *echo) { |
1078 | 0 | int rc; |
1079 | 0 | unsigned int i = 0; |
1080 | |
|
1081 | 0 | if(name == NULL || instruction == NULL) { |
1082 | 0 | return SSH_ERROR; |
1083 | 0 | } |
1084 | 0 | if(num_prompts > 0 && (prompts == NULL || echo == NULL)) { |
1085 | 0 | return SSH_ERROR; |
1086 | 0 | } |
1087 | | |
1088 | 0 | rc = ssh_buffer_pack(msg->session->out_buffer, |
1089 | 0 | "bsssd", |
1090 | 0 | SSH2_MSG_USERAUTH_INFO_REQUEST, |
1091 | 0 | name, |
1092 | 0 | instruction, |
1093 | 0 | "", /* language tag */ |
1094 | 0 | num_prompts); |
1095 | 0 | if (rc != SSH_OK){ |
1096 | 0 | ssh_set_error_oom(msg->session); |
1097 | 0 | return SSH_ERROR; |
1098 | 0 | } |
1099 | | |
1100 | 0 | for(i = 0; i < num_prompts; i++) { |
1101 | 0 | rc = ssh_buffer_pack(msg->session->out_buffer, |
1102 | 0 | "sb", |
1103 | 0 | prompts[i], |
1104 | 0 | echo[i] ? 1 : 0); |
1105 | 0 | if (rc != SSH_OK){ |
1106 | 0 | ssh_set_error_oom(msg->session); |
1107 | 0 | return SSH_ERROR; |
1108 | 0 | } |
1109 | 0 | } |
1110 | | |
1111 | 0 | rc = ssh_packet_send(msg->session); |
1112 | | |
1113 | | /* fill in the kbdint structure */ |
1114 | 0 | if (msg->session->kbdint == NULL) { |
1115 | 0 | SSH_LOG(SSH_LOG_DEBUG, "Warning: Got a keyboard-interactive response " |
1116 | 0 | "but it seems we didn't send the request."); |
1117 | |
|
1118 | 0 | msg->session->kbdint = ssh_kbdint_new(); |
1119 | 0 | if (msg->session->kbdint == NULL) { |
1120 | 0 | ssh_set_error_oom(msg->session); |
1121 | |
|
1122 | 0 | return SSH_ERROR; |
1123 | 0 | } |
1124 | 0 | } else { |
1125 | 0 | ssh_kbdint_clean(msg->session->kbdint); |
1126 | 0 | } |
1127 | | |
1128 | 0 | msg->session->kbdint->name = strdup(name); |
1129 | 0 | if(msg->session->kbdint->name == NULL) { |
1130 | 0 | ssh_set_error_oom(msg->session); |
1131 | 0 | ssh_kbdint_free(msg->session->kbdint); |
1132 | 0 | msg->session->kbdint = NULL; |
1133 | 0 | return SSH_PACKET_USED; |
1134 | 0 | } |
1135 | 0 | msg->session->kbdint->instruction = strdup(instruction); |
1136 | 0 | if(msg->session->kbdint->instruction == NULL) { |
1137 | 0 | ssh_set_error_oom(msg->session); |
1138 | 0 | ssh_kbdint_free(msg->session->kbdint); |
1139 | 0 | msg->session->kbdint = NULL; |
1140 | 0 | return SSH_PACKET_USED; |
1141 | 0 | } |
1142 | | |
1143 | 0 | msg->session->kbdint->nprompts = num_prompts; |
1144 | 0 | if(num_prompts > 0) { |
1145 | 0 | msg->session->kbdint->prompts = calloc(num_prompts, sizeof(char *)); |
1146 | 0 | if (msg->session->kbdint->prompts == NULL) { |
1147 | 0 | msg->session->kbdint->nprompts = 0; |
1148 | 0 | ssh_set_error_oom(msg->session); |
1149 | 0 | ssh_kbdint_free(msg->session->kbdint); |
1150 | 0 | msg->session->kbdint = NULL; |
1151 | 0 | return SSH_ERROR; |
1152 | 0 | } |
1153 | 0 | msg->session->kbdint->echo = calloc(num_prompts, sizeof(unsigned char)); |
1154 | 0 | if (msg->session->kbdint->echo == NULL) { |
1155 | 0 | ssh_set_error_oom(msg->session); |
1156 | 0 | ssh_kbdint_free(msg->session->kbdint); |
1157 | 0 | msg->session->kbdint = NULL; |
1158 | 0 | return SSH_ERROR; |
1159 | 0 | } |
1160 | 0 | for (i = 0; i < num_prompts; i++) { |
1161 | 0 | msg->session->kbdint->echo[i] = echo[i]; |
1162 | 0 | msg->session->kbdint->prompts[i] = strdup(prompts[i]); |
1163 | 0 | if (msg->session->kbdint->prompts[i] == NULL) { |
1164 | 0 | ssh_set_error_oom(msg->session); |
1165 | 0 | msg->session->kbdint->nprompts = i; |
1166 | 0 | ssh_kbdint_free(msg->session->kbdint); |
1167 | 0 | msg->session->kbdint = NULL; |
1168 | 0 | return SSH_PACKET_USED; |
1169 | 0 | } |
1170 | 0 | } |
1171 | 0 | } else { |
1172 | 0 | msg->session->kbdint->prompts = NULL; |
1173 | 0 | msg->session->kbdint->echo = NULL; |
1174 | 0 | } |
1175 | 0 | msg->session->auth.state = SSH_AUTH_STATE_INFO; |
1176 | |
|
1177 | 0 | return rc; |
1178 | 0 | } |
1179 | | |
1180 | | /** |
1181 | | * @brief Sends `SSH2_MSG_USERAUTH_SUCCESS` or `SSH2_MSG_USERAUTH_FAILURE` |
1182 | | * message depending on the success of the authentication method |
1183 | | * |
1184 | | * @param session The session to reply to |
1185 | | * |
1186 | | * @param partial Denotes if the authentication process was partially completed |
1187 | | * (unsuccessful) |
1188 | | * |
1189 | | * @returns `SSH_OK` on success, otherwise `SSH_ERROR` |
1190 | | */ |
1191 | | int ssh_auth_reply_success(ssh_session session, int partial) |
1192 | 0 | { |
1193 | 0 | struct ssh_crypto_struct *crypto = NULL; |
1194 | 0 | int r; |
1195 | |
|
1196 | 0 | if (session == NULL) { |
1197 | 0 | return SSH_ERROR; |
1198 | 0 | } |
1199 | | |
1200 | 0 | if (partial) { |
1201 | 0 | return ssh_auth_reply_default(session, partial); |
1202 | 0 | } |
1203 | | |
1204 | 0 | r = ssh_buffer_add_u8(session->out_buffer,SSH2_MSG_USERAUTH_SUCCESS); |
1205 | 0 | if (r < 0) { |
1206 | 0 | return SSH_ERROR; |
1207 | 0 | } |
1208 | | |
1209 | 0 | r = ssh_packet_send(session); |
1210 | | |
1211 | | /* |
1212 | | * Consider the session as having been authenticated only after sending |
1213 | | * the `USERAUTH_SUCCESS` message. Setting these flags after |
1214 | | * ssh_packet_send ensures that a rekey is not triggered prematurely, |
1215 | | * causing the message to be queued. |
1216 | | */ |
1217 | 0 | session->session_state = SSH_SESSION_STATE_AUTHENTICATED; |
1218 | 0 | session->flags |= SSH_SESSION_FLAG_AUTHENTICATED; |
1219 | |
|
1220 | 0 | crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_OUT); |
1221 | 0 | if (crypto != NULL && crypto->delayed_compress_out) { |
1222 | 0 | SSH_LOG(SSH_LOG_DEBUG, "Enabling delayed compression OUT"); |
1223 | 0 | crypto->do_compress_out = 1; |
1224 | 0 | } |
1225 | |
|
1226 | 0 | crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN); |
1227 | 0 | if (crypto != NULL && crypto->delayed_compress_in) { |
1228 | 0 | SSH_LOG(SSH_LOG_DEBUG, "Enabling delayed compression IN"); |
1229 | 0 | crypto->do_compress_in = 1; |
1230 | 0 | } |
1231 | 0 | return r; |
1232 | 0 | } |
1233 | | |
1234 | | /** |
1235 | | * @brief Replies to an authentication request with success. |
1236 | | * |
1237 | | * Sends an authentication success message (`SSH2_MSG_USERAUTH_SUCCESS`) to the |
1238 | | * client, or a partial success if further authentication steps are required. |
1239 | | * |
1240 | | * @param[in] msg The SSH authentication message being handled. |
1241 | | * @param[in] partial Set to nonzero if partial success (more auth needed), zero |
1242 | | * for full success. |
1243 | | * |
1244 | | * @return `SSH_OK` on success, `SSH_ERROR` if msg is NULL or on send failure. |
1245 | | */ |
1246 | 0 | int ssh_message_auth_reply_success(ssh_message msg, int partial) { |
1247 | 0 | if(msg == NULL) |
1248 | 0 | return SSH_ERROR; |
1249 | 0 | return ssh_auth_reply_success(msg->session, partial); |
1250 | 0 | } |
1251 | | |
1252 | | /** |
1253 | | * @brief Answer `SSH2_MSG_USERAUTH_PK_OK` to a pubkey authentication request |
1254 | | * |
1255 | | * @param msg The message |
1256 | | * |
1257 | | * @param algo The algorithm of the accepted public key |
1258 | | * |
1259 | | * @param pubkey The accepted public key |
1260 | | * |
1261 | | * @returns `SSH_OK` on success, otherwise `SSH_ERROR` |
1262 | | */ |
1263 | 0 | int ssh_message_auth_reply_pk_ok(ssh_message msg, ssh_string algo, ssh_string pubkey) { |
1264 | 0 | int rc; |
1265 | 0 | if (msg == NULL) { |
1266 | 0 | return SSH_ERROR; |
1267 | 0 | } |
1268 | | |
1269 | 0 | rc = ssh_buffer_pack(msg->session->out_buffer, |
1270 | 0 | "bSS", |
1271 | 0 | SSH2_MSG_USERAUTH_PK_OK, |
1272 | 0 | algo, |
1273 | 0 | pubkey); |
1274 | 0 | if(rc != SSH_OK){ |
1275 | 0 | ssh_set_error_oom(msg->session); |
1276 | 0 | return SSH_ERROR; |
1277 | 0 | } |
1278 | | |
1279 | 0 | rc = ssh_packet_send(msg->session); |
1280 | 0 | return rc; |
1281 | 0 | } |
1282 | | |
1283 | | /** |
1284 | | * @brief Answer `SSH2_MSG_USERAUTH_PK_OK` to a pubkey authentication request |
1285 | | * |
1286 | | * @param msg The message |
1287 | | * |
1288 | | * @returns `SSH_OK` on success, otherwise `SSH_ERROR` |
1289 | | */ |
1290 | | int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) |
1291 | 0 | { |
1292 | 0 | ssh_string algo = NULL; |
1293 | 0 | ssh_string pubkey_blob = NULL; |
1294 | 0 | int ret; |
1295 | |
|
1296 | 0 | algo = ssh_string_from_char(msg->auth_request.sigtype); |
1297 | 0 | if (algo == NULL) { |
1298 | 0 | return SSH_ERROR; |
1299 | 0 | } |
1300 | | |
1301 | 0 | ret = ssh_pki_export_pubkey_blob(msg->auth_request.pubkey, &pubkey_blob); |
1302 | 0 | if (ret < 0) { |
1303 | 0 | SSH_STRING_FREE(algo); |
1304 | 0 | return SSH_ERROR; |
1305 | 0 | } |
1306 | | |
1307 | 0 | ret = ssh_message_auth_reply_pk_ok(msg, algo, pubkey_blob); |
1308 | |
|
1309 | 0 | SSH_STRING_FREE(algo); |
1310 | 0 | SSH_STRING_FREE(pubkey_blob); |
1311 | |
|
1312 | 0 | return ret; |
1313 | 0 | } |
1314 | | |
1315 | | /** |
1316 | | * @brief Get the originator address from the channel open message. |
1317 | | * |
1318 | | * @param[in] msg The message. |
1319 | | * |
1320 | | * @return The originator address, or NULL. |
1321 | | */ |
1322 | 0 | const char *ssh_message_channel_request_open_originator(ssh_message msg){ |
1323 | 0 | return msg->channel_request_open.originator; |
1324 | 0 | } |
1325 | | |
1326 | | /** |
1327 | | * @brief Get the originator port from the channel open message. |
1328 | | * |
1329 | | * @param[in] msg The message. |
1330 | | * |
1331 | | * @return The originator port. |
1332 | | */ |
1333 | 0 | int ssh_message_channel_request_open_originator_port(ssh_message msg){ |
1334 | 0 | return msg->channel_request_open.originator_port; |
1335 | 0 | } |
1336 | | |
1337 | | /** |
1338 | | * @brief Get the destination address from the channel open message. |
1339 | | * |
1340 | | * @param[in] msg The message. |
1341 | | * |
1342 | | * @return The destination address, or NULL. |
1343 | | */ |
1344 | 0 | const char *ssh_message_channel_request_open_destination(ssh_message msg){ |
1345 | 0 | return msg->channel_request_open.destination; |
1346 | 0 | } |
1347 | | |
1348 | | /** |
1349 | | * @brief Get the destination port from the channel open message. |
1350 | | * |
1351 | | * @param[in] msg The message. |
1352 | | * |
1353 | | * @return The destination port. |
1354 | | */ |
1355 | 0 | int ssh_message_channel_request_open_destination_port(ssh_message msg){ |
1356 | 0 | return msg->channel_request_open.destination_port; |
1357 | 0 | } |
1358 | | |
1359 | | /** |
1360 | | * @brief Get the channel associated with the message. |
1361 | | * |
1362 | | * @param[in] msg The message. |
1363 | | * |
1364 | | * @return The channel associated with the message. |
1365 | | */ |
1366 | 0 | ssh_channel ssh_message_channel_request_channel(ssh_message msg){ |
1367 | 0 | return msg->channel_request.channel; |
1368 | 0 | } |
1369 | | |
1370 | | /** |
1371 | | * @brief Get the terminal type from the message. |
1372 | | * |
1373 | | * @param[in] msg The message. |
1374 | | * |
1375 | | * @return The terminal type (e.g. "xterm"), or NULL. |
1376 | | * |
1377 | | * @deprecated This function should not be used anymore as there is a |
1378 | | * callback based server implementation function channel_pty_request_function. |
1379 | | * |
1380 | | * @see channel_pty_request_function. |
1381 | | */ |
1382 | 0 | const char *ssh_message_channel_request_pty_term(ssh_message msg){ |
1383 | 0 | return msg->channel_request.TERM; |
1384 | 0 | } |
1385 | | |
1386 | | /** |
1387 | | * @brief Get the terminal width from the message. |
1388 | | * |
1389 | | * @param[in] msg The message. |
1390 | | * |
1391 | | * @return The terminal width in characters. |
1392 | | * |
1393 | | * @deprecated This function should not be used anymore as there is a |
1394 | | * callback based server implementation function channel_pty_request_function. |
1395 | | * |
1396 | | * @see channel_pty_request_function. |
1397 | | */ |
1398 | 0 | int ssh_message_channel_request_pty_width(ssh_message msg){ |
1399 | 0 | return msg->channel_request.width; |
1400 | 0 | } |
1401 | | |
1402 | | /** |
1403 | | * @brief Get the terminal height from the message. |
1404 | | * |
1405 | | * @param[in] msg The message. |
1406 | | * |
1407 | | * @return The terminal height in characters. |
1408 | | * |
1409 | | * @deprecated This function should not be used anymore as there is a |
1410 | | * callback based server implementation function channel_pty_request_function. |
1411 | | * |
1412 | | * @see channel_pty_request_function. |
1413 | | */ |
1414 | 0 | int ssh_message_channel_request_pty_height(ssh_message msg){ |
1415 | 0 | return msg->channel_request.height; |
1416 | 0 | } |
1417 | | |
1418 | | /** |
1419 | | * @brief Get the terminal pixel width from the message. |
1420 | | * |
1421 | | * @param[in] msg The message. |
1422 | | * |
1423 | | * @return The pixel width. |
1424 | | * |
1425 | | * @deprecated This function should not be used anymore as there is a |
1426 | | * callback based server implementation function channel_pty_request_function. |
1427 | | * |
1428 | | * @see channel_pty_request_function. |
1429 | | */ |
1430 | 0 | int ssh_message_channel_request_pty_pxwidth(ssh_message msg){ |
1431 | 0 | return msg->channel_request.pxwidth; |
1432 | 0 | } |
1433 | | |
1434 | | /** |
1435 | | * @brief Get the terminal pixel height from the message. |
1436 | | * |
1437 | | * @param[in] msg The message. |
1438 | | * |
1439 | | * @return The pixel height. |
1440 | | * |
1441 | | * @deprecated This function should not be used anymore as there is a |
1442 | | * callback based server implementation function channel_pty_request_function. |
1443 | | * |
1444 | | * @see channel_pty_request_function. |
1445 | | */ |
1446 | 0 | int ssh_message_channel_request_pty_pxheight(ssh_message msg){ |
1447 | 0 | return msg->channel_request.pxheight; |
1448 | 0 | } |
1449 | | |
1450 | | /** |
1451 | | * @brief Get the name of the environment variable from the message. |
1452 | | * |
1453 | | * @param[in] msg The message. |
1454 | | * |
1455 | | * @return The variable name, or NULL. |
1456 | | */ |
1457 | 0 | const char *ssh_message_channel_request_env_name(ssh_message msg){ |
1458 | 0 | return msg->channel_request.var_name; |
1459 | 0 | } |
1460 | | |
1461 | | /** |
1462 | | * @brief Get the value of the environment variable from the message. |
1463 | | * |
1464 | | * @param[in] msg The message. |
1465 | | * |
1466 | | * @return The variable value, or NULL. |
1467 | | */ |
1468 | 0 | const char *ssh_message_channel_request_env_value(ssh_message msg){ |
1469 | 0 | return msg->channel_request.var_value; |
1470 | 0 | } |
1471 | | |
1472 | | /** |
1473 | | * @brief Get the command from a channel request message. |
1474 | | * |
1475 | | * @param[in] msg The message. |
1476 | | * |
1477 | | * @return The command, or NULL. |
1478 | | */ |
1479 | 0 | const char *ssh_message_channel_request_command(ssh_message msg){ |
1480 | 0 | return msg->channel_request.command; |
1481 | 0 | } |
1482 | | |
1483 | | /** |
1484 | | * @brief Get the subsystem from a channel request message. |
1485 | | * |
1486 | | * @param[in] msg The message. |
1487 | | * |
1488 | | * @return The subsystem, or NULL. |
1489 | | */ |
1490 | 0 | const char *ssh_message_channel_request_subsystem(ssh_message msg){ |
1491 | 0 | return msg->channel_request.subsystem; |
1492 | 0 | } |
1493 | | |
1494 | | /** |
1495 | | * @brief Check if the X11 request is for a single connection. |
1496 | | * |
1497 | | * @param[in] msg The message. |
1498 | | * |
1499 | | * @return 1 if single connection, 0 otherwise. |
1500 | | * |
1501 | | * @deprecated This function should not be used anymore as there is a |
1502 | | * callback based server implementation function |
1503 | | * channel_open_request_x11_function. |
1504 | | * |
1505 | | * @see channel_open_request_x11_function. |
1506 | | */ |
1507 | 0 | int ssh_message_channel_request_x11_single_connection(ssh_message msg){ |
1508 | 0 | return msg->channel_request.x11_single_connection ? 1 : 0; |
1509 | 0 | } |
1510 | | |
1511 | | /** |
1512 | | * @brief Get the X11 authentication protocol from the message. |
1513 | | * |
1514 | | * @param[in] msg The message. |
1515 | | * |
1516 | | * @return The authentication protocol, or NULL. |
1517 | | * |
1518 | | * @deprecated This function should not be used anymore as there is a |
1519 | | * callback based server implementation function |
1520 | | * channel_open_request_x11_function. |
1521 | | * |
1522 | | * @see channel_open_request_x11_function. |
1523 | | */ |
1524 | 0 | const char *ssh_message_channel_request_x11_auth_protocol(ssh_message msg){ |
1525 | 0 | return msg->channel_request.x11_auth_protocol; |
1526 | 0 | } |
1527 | | |
1528 | | /** |
1529 | | * @brief Get the X11 authentication cookie from the message. |
1530 | | * |
1531 | | * @param[in] msg The message. |
1532 | | * |
1533 | | * @return The authentication cookie, or NULL. |
1534 | | * |
1535 | | * @deprecated This function should not be used anymore as there is a |
1536 | | * callback based server implementation function |
1537 | | * channel_open_request_x11_function. |
1538 | | * |
1539 | | * @see channel_open_request_x11_function. |
1540 | | */ |
1541 | 0 | const char *ssh_message_channel_request_x11_auth_cookie(ssh_message msg){ |
1542 | 0 | return msg->channel_request.x11_auth_cookie; |
1543 | 0 | } |
1544 | | |
1545 | | /** |
1546 | | * @brief Get the X11 screen number from the message. |
1547 | | * |
1548 | | * @param[in] msg The message. |
1549 | | * |
1550 | | * @return The screen number. |
1551 | | * |
1552 | | * @deprecated This function should not be used anymore as there is a |
1553 | | * callback based server implementation function |
1554 | | * channel_open_request_x11_function. |
1555 | | * |
1556 | | * @see channel_open_request_x11_function. |
1557 | | */ |
1558 | 0 | int ssh_message_channel_request_x11_screen_number(ssh_message msg){ |
1559 | 0 | return msg->channel_request.x11_screen_number; |
1560 | 0 | } |
1561 | | |
1562 | | /** |
1563 | | * @brief Get the bind address from the global request message. |
1564 | | * |
1565 | | * @param[in] msg The message. |
1566 | | * |
1567 | | * @return The bind address, or NULL. |
1568 | | */ |
1569 | 0 | const char *ssh_message_global_request_address(ssh_message msg){ |
1570 | 0 | return msg->global_request.bind_address; |
1571 | 0 | } |
1572 | | |
1573 | | /** |
1574 | | * @brief Get the bind port from the global request message. |
1575 | | * |
1576 | | * @param[in] msg The message. |
1577 | | * |
1578 | | * @return The bind port. |
1579 | | */ |
1580 | 0 | int ssh_message_global_request_port(ssh_message msg){ |
1581 | 0 | return msg->global_request.bind_port; |
1582 | 0 | } |
1583 | | |
1584 | | /** @brief defines the ssh_message callback |
1585 | | * @param session the current ssh session |
1586 | | * @param[in] ssh_bind_message_callback a function pointer to a callback taking the |
1587 | | * current ssh session and received message as parameters. the function returns |
1588 | | * 0 if the message has been parsed and treated successfully, 1 otherwise (libssh |
1589 | | * must take care of the response). |
1590 | | * @param[in] data void pointer to be passed to callback functions |
1591 | | */ |
1592 | | void ssh_set_message_callback(ssh_session session, |
1593 | | int(*ssh_bind_message_callback)(ssh_session session, ssh_message msg, void *data), |
1594 | 0 | void *data) { |
1595 | 0 | session->ssh_message_callback = ssh_bind_message_callback; |
1596 | 0 | session->ssh_message_callback_data = data; |
1597 | 0 | } |
1598 | | |
1599 | | /** |
1600 | | * @brief Execute callbacks for the messages in the queue. |
1601 | | * |
1602 | | * @param[in] session The session. |
1603 | | * |
1604 | | * @return `SSH_OK` on success, `SSH_ERROR` on error. |
1605 | | */ |
1606 | 0 | int ssh_execute_message_callbacks(ssh_session session){ |
1607 | 0 | ssh_message msg=NULL; |
1608 | 0 | int ret; |
1609 | 0 | ssh_handle_packets(session, SSH_TIMEOUT_NONBLOCKING); |
1610 | 0 | if(!session->ssh_message_list) |
1611 | 0 | return SSH_OK; |
1612 | 0 | if(session->ssh_message_callback){ |
1613 | 0 | while((msg=ssh_message_pop_head(session)) != NULL) { |
1614 | 0 | ret=session->ssh_message_callback(session,msg, |
1615 | 0 | session->ssh_message_callback_data); |
1616 | 0 | if(ret==1){ |
1617 | 0 | ret = ssh_message_reply_default(msg); |
1618 | 0 | ssh_message_free(msg); |
1619 | 0 | if(ret != SSH_OK) |
1620 | 0 | return ret; |
1621 | 0 | } else { |
1622 | 0 | ssh_message_free(msg); |
1623 | 0 | } |
1624 | 0 | } |
1625 | 0 | } else { |
1626 | 0 | while((msg=ssh_message_pop_head(session)) != NULL) { |
1627 | 0 | ret = ssh_message_reply_default(msg); |
1628 | 0 | ssh_message_free(msg); |
1629 | 0 | if(ret != SSH_OK) |
1630 | 0 | return ret; |
1631 | 0 | } |
1632 | 0 | } |
1633 | 0 | return SSH_OK; |
1634 | 0 | } |
1635 | | |
1636 | | /** |
1637 | | * @brief Sends a keepalive message to the session |
1638 | | * |
1639 | | * @param session The session to send the message to |
1640 | | * |
1641 | | * @returns `SSH_OK` |
1642 | | */ |
1643 | | int ssh_send_keepalive(ssh_session session) |
1644 | 0 | { |
1645 | | /* Client denies the request, so the error code is not meaningful */ |
1646 | 0 | (void)ssh_global_request(session, "keepalive@openssh.com", NULL, 1); |
1647 | |
|
1648 | 0 | return SSH_OK; |
1649 | 0 | } |
1650 | | |
1651 | | /** @} */ |