Mercurial > dropbear

annotate svr-session.c @ 1790:42745af83b7d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Introduce extra delay before closing unauthenticated sessions To make it harder for attackers, introduce a delay to keep an unauthenticated session open a bit longer, thus blocking a connection slot until after the delay. Without this, while there is a limit on the amount of attempts an attacker can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to handle one attempt is still short and thus for each of the allowed parallel attempts many attempts can be chained one after the other. The attempt rate is then: "MAX_UNAUTH_PER_IP / <process time of one attempt>". With the delay, this rate becomes: "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
author Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
date Wed, 15 Feb 2017 13:53:04 +0100
parents a6da10ac64b5
children 8a78cc13eb30
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
1 /*
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
2 * Dropbear - a SSH2 server
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
4 * Copyright (c) 2002,2003 Matt Johnston
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
5 * All rights reserved.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
6 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
8 * of this software and associated documentation files (the "Software"), to deal
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
9 * in the Software without restriction, including without limitation the rights
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
11 * copies of the Software, and to permit persons to whom the Software is
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
12 * furnished to do so, subject to the following conditions:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
13 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
14 * The above copyright notice and this permission notice shall be included in
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
15 * all copies or substantial portions of the Software.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
16 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
23 * SOFTWARE. */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
24
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
25 #include "includes.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
26 #include "session.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
27 #include "dbutil.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
28 #include "packet.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
29 #include "algo.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
30 #include "buffer.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
31 #include "dss.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
32 #include "ssh.h"
858
220f55d540ae rename random.h to dbrandom.h since some OSes have a system random.h
Matt Johnston <matt@ucc.asn.au>
parents: 801
diff changeset
33 #include "dbrandom.h"
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
34 #include "kex.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
35 #include "channel.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
36 #include "chansession.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
37 #include "atomicio.h"
68
eee77ac31ccc cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents: 62
diff changeset
38 #include "tcpfwd.h"
22
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
39 #include "service.h"
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
40 #include "auth.h"
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
41 #include "runopts.h"
766
d1575fdc29a6 start on ecdsa keys
Matt Johnston <matt@ucc.asn.au>
parents: 687
diff changeset
42 #include "crypto_desc.h"
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents: 1347
diff changeset
43 #include "fuzz.h"
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
44
1276
9169e4e7cbee fix empty C prototypes
Francois Perrad <francois.perrad@gadz.org>
parents: 1237
diff changeset
45 static void svr_remoteclosed(void);
1544
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1495
diff changeset
46 static void svr_algos_initialise(void);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
47
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
48 struct serversession svr_ses; /* GLOBAL */
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
49
22
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
50 static const packettype svr_packettypes[] = {
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
51 {SSH_MSG_CHANNEL_DATA, recv_msg_channel_data},
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
52 {SSH_MSG_CHANNEL_WINDOW_ADJUST, recv_msg_channel_window_adjust},
45
9ee8996a375f Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
53 {SSH_MSG_USERAUTH_REQUEST, recv_msg_userauth_request}, /* server */
9ee8996a375f Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
54 {SSH_MSG_SERVICE_REQUEST, recv_msg_service_request}, /* server */
9ee8996a375f Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
55 {SSH_MSG_KEXINIT, recv_msg_kexinit},
9ee8996a375f Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
56 {SSH_MSG_KEXDH_INIT, recv_msg_kexdh_init}, /* server */
9ee8996a375f Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
57 {SSH_MSG_NEWKEYS, recv_msg_newkeys},
22
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
58 {SSH_MSG_GLOBAL_REQUEST, recv_msg_global_request_remotetcp},
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
59 {SSH_MSG_CHANNEL_REQUEST, recv_msg_channel_request},
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
60 {SSH_MSG_CHANNEL_OPEN, recv_msg_channel_open},
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
61 {SSH_MSG_CHANNEL_EOF, recv_msg_channel_eof},
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
62 {SSH_MSG_CHANNEL_CLOSE, recv_msg_channel_close},
970
0bb16232e7c4 Make keepalive handling more robust, this should now match what OpenSSH does
Matt Johnston <matt@ucc.asn.au>
parents: 968
diff changeset
63 {SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response},
0bb16232e7c4 Make keepalive handling more robust, this should now match what OpenSSH does
Matt Johnston <matt@ucc.asn.au>
parents: 968
diff changeset
64 {SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
0bb16232e7c4 Make keepalive handling more robust, this should now match what OpenSSH does
Matt Johnston <matt@ucc.asn.au>
parents: 968
diff changeset
65 {SSH_MSG_REQUEST_FAILURE, ignore_recv_response}, /* for keepalive */
0bb16232e7c4 Make keepalive handling more robust, this should now match what OpenSSH does
Matt Johnston <matt@ucc.asn.au>
parents: 968
diff changeset
66 {SSH_MSG_REQUEST_SUCCESS, ignore_recv_response}, /* client */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
67 #if DROPBEAR_LISTENERS
22
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
68 {SSH_MSG_CHANNEL_OPEN_CONFIRMATION, recv_msg_channel_open_confirmation},
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
69 {SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure},
156
8c2b3506f112 Rearrange preprocessor parts so that compilation with various options
Matt Johnston <matt@ucc.asn.au>
parents: 98
diff changeset
70 #endif
1404
e8f67918fdc9 when pointer, use NULL instead of 0
Francois Perrad <francois.perrad@gadz.org>
parents: 1316
diff changeset
71 {0, NULL} /* End */
22
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
72 };
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
73
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
74 static const struct ChanType *svr_chantypes[] = {
6
ab00ef513e97 Sorted out the first channel init issues.
Matt Johnston <matt@ucc.asn.au>
parents: 5
diff changeset
75 &svrchansess,
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
76 #if DROPBEAR_SVR_LOCALTCPFWD
62
20563735e8b5 just checkpointing
Matt Johnston <matt@ucc.asn.au>
parents: 45
diff changeset
77 &svr_chan_tcpdirect,
156
8c2b3506f112 Rearrange preprocessor parts so that compilation with various options
Matt Johnston <matt@ucc.asn.au>
parents: 98
diff changeset
78 #endif
6
ab00ef513e97 Sorted out the first channel init issues.
Matt Johnston <matt@ucc.asn.au>
parents: 5
diff changeset
79 NULL /* Null termination is mandatory. */
ab00ef513e97 Sorted out the first channel init issues.
Matt Johnston <matt@ucc.asn.au>
parents: 5
diff changeset
80 };
ab00ef513e97 Sorted out the first channel init issues.
Matt Johnston <matt@ucc.asn.au>
parents: 5
diff changeset
81
733
70811267715c Run the cleanup handler also when we close due to TCP connection being closed
Matt Johnston <matt@ucc.asn.au>
parents: 726
diff changeset
82 static void
1040
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
83 svr_session_cleanup(void) {
733
70811267715c Run the cleanup handler also when we close due to TCP connection being closed
Matt Johnston <matt@ucc.asn.au>
parents: 726
diff changeset
84 /* free potential public key options */
70811267715c Run the cleanup handler also when we close due to TCP connection being closed
Matt Johnston <matt@ucc.asn.au>
parents: 726
diff changeset
85 svr_pubkey_options_cleanup();
1040
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
86
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
87 m_free(svr_ses.addrstring);
1041
3fb883a6aa81 Some additional cleanup functions
Matt Johnston <matt@ucc.asn.au>
parents: 1040
diff changeset
88 m_free(svr_ses.remotehost);
1040
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
89 m_free(svr_ses.childpids);
1041
3fb883a6aa81 Some additional cleanup functions
Matt Johnston <matt@ucc.asn.au>
parents: 1040
diff changeset
90 svr_ses.childpidsize = 0;
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
91
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
92 #if DROPBEAR_PLUGIN
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
93 if (svr_ses.plugin_handle != NULL) {
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
94 if (svr_ses.plugin_instance) {
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
95 svr_ses.plugin_instance->delete_plugin(svr_ses.plugin_instance);
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
96 svr_ses.plugin_instance = NULL;
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
97 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
98
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
99 dlclose(svr_ses.plugin_handle);
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
100 svr_ses.plugin_handle = NULL;
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
101 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
102 #endif
733
70811267715c Run the cleanup handler also when we close due to TCP connection being closed
Matt Johnston <matt@ucc.asn.au>
parents: 726
diff changeset
103 }
70811267715c Run the cleanup handler also when we close due to TCP connection being closed
Matt Johnston <matt@ucc.asn.au>
parents: 726
diff changeset
104
568
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
105 void svr_session(int sock, int childpipe) {
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
106 char *host, *port;
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
107 size_t len;
272
3be7ae2e8dfa Only read /dev/random once when the program starts
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
108
568
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
109 common_session_init(sock, sock);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
110
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
111 /* Initialise server specific parts of the session */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
112 svr_ses.childpipe = childpipe;
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
113 #if DROPBEAR_VFORK
553
8711f20b89ab - For uclinux, only cleanup on exit for the main process. This avoids
Matt Johnston <matt@ucc.asn.au>
parents: 496
diff changeset
114 svr_ses.server_pid = getpid();
8711f20b89ab - For uclinux, only cleanup on exit for the main process. This avoids
Matt Johnston <matt@ucc.asn.au>
parents: 496
diff changeset
115 #endif
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
116
568
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
117 /* for logging the remote address */
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
118 get_socket_address(ses.sock_in, NULL, NULL, &host, &port, 0);
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
119 len = strlen(host) + strlen(port) + 2;
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
120 svr_ses.addrstring = m_malloc(len);
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
121 snprintf(svr_ses.addrstring, len, "%s:%s", host, port);
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
122 m_free(host);
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
123 m_free(port);
005530560594 Rearrange getaddrstring() etc
Matt Johnston <matt@ucc.asn.au>
parents: 553
diff changeset
124
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
125 #if DROPBEAR_PLUGIN
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
126 /* Initializes the PLUGIN Plugin */
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
127 svr_ses.plugin_handle = NULL;
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
128 svr_ses.plugin_instance = NULL;
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
129 if (svr_opts.pubkey_plugin) {
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
130 #if DEBUG_TRACE
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
131 const int verbose = debug_trace;
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
132 #else
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
133 const int verbose = 0;
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
134 #endif
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
135 PubkeyExtPlugin_newFn pluginConstructor;
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
136
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
137 /* RTLD_NOW: fails if not all the symbols are resolved now. Better fail now than at run-time */
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
138 svr_ses.plugin_handle = dlopen(svr_opts.pubkey_plugin, RTLD_NOW);
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
139 if (svr_ses.plugin_handle == NULL) {
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
140 dropbear_exit("failed to load external pubkey plugin '%s': %s", svr_opts.pubkey_plugin, dlerror());
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
141 }
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
142 pluginConstructor = (PubkeyExtPlugin_newFn)dlsym(svr_ses.plugin_handle, DROPBEAR_PUBKEY_PLUGIN_FNNAME_NEW);
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
143 if (!pluginConstructor) {
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
144 dropbear_exit("plugin constructor method not found in external pubkey plugin");
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
145 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
146
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
147 /* Create an instance of the plugin */
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
148 svr_ses.plugin_instance = pluginConstructor(verbose, svr_opts.pubkey_plugin_options, svr_ses.addrstring);
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
149 if (svr_ses.plugin_instance == NULL) {
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
150 dropbear_exit("external plugin initialization failed");
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
151 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
152 /* Check if the plugin is compatible */
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
153 if ( (svr_ses.plugin_instance->api_version[0] != DROPBEAR_PLUGIN_VERSION_MAJOR) ||
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
154 (svr_ses.plugin_instance->api_version[1] < DROPBEAR_PLUGIN_VERSION_MINOR) ) {
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
155 dropbear_exit("plugin version check failed: "
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
156 "Dropbear=%d.%d, plugin=%d.%d",
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
157 DROPBEAR_PLUGIN_VERSION_MAJOR, DROPBEAR_PLUGIN_VERSION_MINOR,
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
158 svr_ses.plugin_instance->api_version[0], svr_ses.plugin_instance->api_version[1]);
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
159 }
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
160 if (svr_ses.plugin_instance->api_version[1] > DROPBEAR_PLUGIN_VERSION_MINOR) {
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
161 dropbear_log(LOG_WARNING, "plugin API newer than dropbear API: "
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
162 "Dropbear=%d.%d, plugin=%d.%d",
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
163 DROPBEAR_PLUGIN_VERSION_MAJOR, DROPBEAR_PLUGIN_VERSION_MINOR,
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
164 svr_ses.plugin_instance->api_version[0], svr_ses.plugin_instance->api_version[1]);
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
165 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
166 dropbear_log(LOG_INFO, "successfully loaded and initialized pubkey plugin '%s'", svr_opts.pubkey_plugin);
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
167 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
168 #endif
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
169
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
170 svr_authinitialise();
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
171 chaninitialise(svr_chantypes);
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
172 svr_chansessinitialise();
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
173 svr_algos_initialise();
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
174
572
8fd0ac8c8cab Move remotehost into svr_ses structure since we can't look it up
Matt Johnston <matt@ucc.asn.au>
parents: 568
diff changeset
175 get_socket_address(ses.sock_in, NULL, NULL,
8fd0ac8c8cab Move remotehost into svr_ses structure since we can't look it up
Matt Johnston <matt@ucc.asn.au>
parents: 568
diff changeset
176 &svr_ses.remotehost, NULL, 1);
8fd0ac8c8cab Move remotehost into svr_ses structure since we can't look it up
Matt Johnston <matt@ucc.asn.au>
parents: 568
diff changeset
177
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
178 /* set up messages etc */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 26
diff changeset
179 ses.remoteclosed = svr_remoteclosed;
733
70811267715c Run the cleanup handler also when we close due to TCP connection being closed
Matt Johnston <matt@ucc.asn.au>
parents: 726
diff changeset
180 ses.extra_session_cleanup = svr_session_cleanup;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
181
22
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
182 /* packet handlers */
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
183 ses.packettypes = svr_packettypes;
c1e5d9195402 merge of abac2150ee4f4031a98016241fbd136d24fed127
Matt Johnston <matt@ucc.asn.au>
parents: 14
diff changeset
184
35
0ad5fb979f42 set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents: 33
diff changeset
185 ses.isserver = 1;
0ad5fb979f42 set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents: 33
diff changeset
186
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
187 /* We're ready to go now */
1495
0c16b4ccbd54 make signal flags volatile, simplify handling
Matt Johnston <matt@ucc.asn.au>
parents: 1404
diff changeset
188 ses.init_done = 1;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
189
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
190 /* exchange identification, version etc */
726
78eda530c000 send out our kexinit packet before blocking to read the SSH version string
Matt Johnston <matt@ucc.asn.au>
parents: 687
diff changeset
191 send_session_identification();
1083
8e0280986710 Make sure kexfirstinitialise is called early enough
Matt Johnston <matt@ucc.asn.au>
parents: 1041
diff changeset
192
8e0280986710 Make sure kexfirstinitialise is called early enough
Matt Johnston <matt@ucc.asn.au>
parents: 1041
diff changeset
193 kexfirstinitialise(); /* initialise the kex state */
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
194
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
195 /* start off with key exchange */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
196 send_msg_kexinit();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
197
1782
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1681
diff changeset
198 #if DROPBEAR_FUZZ
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1681
diff changeset
199 if (fuzz.fuzzing) {
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1681
diff changeset
200 fuzz_svr_hook_preloop();
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1681
diff changeset
201 }
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1681
diff changeset
202 #endif
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1681
diff changeset
203
26
0969767bca0d snapshot of stuff
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
204 /* Run the main for loop. NULL is for the dispatcher - only the client
0969767bca0d snapshot of stuff
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
205 * code makes use of it */
1495
0c16b4ccbd54 make signal flags volatile, simplify handling
Matt Johnston <matt@ucc.asn.au>
parents: 1404
diff changeset
206 session_loop(svr_chansess_checksignal);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
207
26
0969767bca0d snapshot of stuff
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
208 /* Not reached */
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
209
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
210 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
211
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
212 /* failure exit - format must be <= 100 chars */
5
bc6477a6c393 syntactical fixups - it compiles, but channel handling code requires fixing.
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
213 void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
1304
b66a483f3dcb Improve exit message formatting
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
214 char exitmsg[150];
b66a483f3dcb Improve exit message formatting
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
215 char fullmsg[300];
1666
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
216 char fromaddr[60];
1040
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
217 int i;
1790
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
218 int add_delay = 0;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
219
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
220 #if DROPBEAR_PLUGIN
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
221 if ((ses.plugin_session != NULL)) {
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
222 svr_ses.plugin_instance->delete_session(ses.plugin_session);
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
223 }
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
224 ses.plugin_session = NULL;
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
225 #endif
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1559
diff changeset
226
1304
b66a483f3dcb Improve exit message formatting
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
227 /* Render the formatted exit message */
b66a483f3dcb Improve exit message formatting
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
228 vsnprintf(exitmsg, sizeof(exitmsg), format, param);
b66a483f3dcb Improve exit message formatting
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
229
1666
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
230 /* svr_ses.addrstring may not be set for some early exits, or for
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
231 the listener process */
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
232 fromaddr[0] = '\0';
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
233 if (svr_ses.addrstring) {
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
234 snprintf(fromaddr, sizeof(fromaddr), " from <%s>", svr_ses.addrstring);
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
235 }
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
236
1304
b66a483f3dcb Improve exit message formatting
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
237 /* Add the prefix depending on session/auth state */
1495
0c16b4ccbd54 make signal flags volatile, simplify handling
Matt Johnston <matt@ucc.asn.au>
parents: 1404
diff changeset
238 if (!ses.init_done) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
239 /* before session init */
1666
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
240 snprintf(fullmsg, sizeof(fullmsg), "Early exit%s: %s", fromaddr, exitmsg);
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 26
diff changeset
241 } else if (ses.authstate.authdone) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
242 /* user has authenticated */
1304
b66a483f3dcb Improve exit message formatting
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
243 snprintf(fullmsg, sizeof(fullmsg),
1666
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
244 "Exit (%s)%s: %s",
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
245 ses.authstate.pw_name, fromaddr, exitmsg);
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
246 } else if (ses.authstate.pw_name) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
247 /* we have a potential user */
1304
b66a483f3dcb Improve exit message formatting
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
248 snprintf(fullmsg, sizeof(fullmsg),
1666
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
249 "Exit before auth%s: (user '%s', %u fails): %s",
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
250 fromaddr, ses.authstate.pw_name, ses.authstate.failcount, exitmsg);
1790
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
251 add_delay = 1;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
252 } else {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
253 /* before userauth */
1666
c148e7afa0d1 Handle early exit when addrstring isn't set
Matt Johnston <matt@ucc.asn.au>
parents: 1665
diff changeset
254 snprintf(fullmsg, sizeof(fullmsg), "Exit before auth%s: %s", fromaddr, exitmsg);
1790
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
255 add_delay = 1;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
256 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
257
1304
b66a483f3dcb Improve exit message formatting
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
258 dropbear_log(LOG_INFO, "%s", fullmsg);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
259
1790
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
260 /* To make it harder for attackers, introduce a delay to keep an
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
261 * unauthenticated session open a bit longer, thus blocking a connection
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
262 * slot until after the delay. Without this, while there is a limit on
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
263 * the amount of attempts an attacker can make at the same time
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
264 * (MAX_UNAUTH_PER_IP), the time taken by dropbear to handle one attempt
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
265 * is still short and thus for each of the allowed parallel attempts
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
266 * many attempts can be chained one after the other. The attempt rate is
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
267 * then:
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
268 * "MAX_UNAUTH_PER_IP / <process time of one attempt>".
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
269 * With the delay, this rate becomes:
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
270 * "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
271 */
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
272 if ((add_delay != 0) && (UNAUTH_CLOSE_DELAY > 0)) {
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
273 TRACE(("svr_dropbear_exit: start delay of %d seconds", UNAUTH_CLOSE_DELAY));
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
274 sleep(UNAUTH_CLOSE_DELAY);
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
275 TRACE(("svr_dropbear_exit: end delay of %d seconds", UNAUTH_CLOSE_DELAY));
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
276 }
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1782
diff changeset
277
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
278 #if DROPBEAR_VFORK
667
fc7ae88e63b3 Rename HAVE_FORK to USE_VFORK
Matt Johnston <matt@ucc.asn.au>
parents: 666
diff changeset
279 /* For uclinux only the main server process should cleanup - we don't want
553
8711f20b89ab - For uclinux, only cleanup on exit for the main process. This avoids
Matt Johnston <matt@ucc.asn.au>
parents: 496
diff changeset
280 * forked children doing that */
8711f20b89ab - For uclinux, only cleanup on exit for the main process. This avoids
Matt Johnston <matt@ucc.asn.au>
parents: 496
diff changeset
281 if (svr_ses.server_pid == getpid())
8711f20b89ab - For uclinux, only cleanup on exit for the main process. This avoids
Matt Johnston <matt@ucc.asn.au>
parents: 496
diff changeset
282 #endif
8711f20b89ab - For uclinux, only cleanup on exit for the main process. This avoids
Matt Johnston <matt@ucc.asn.au>
parents: 496
diff changeset
283 {
8711f20b89ab - For uclinux, only cleanup on exit for the main process. This avoids
Matt Johnston <matt@ucc.asn.au>
parents: 496
diff changeset
284 /* must be after we've done with username etc */
733
70811267715c Run the cleanup handler also when we close due to TCP connection being closed
Matt Johnston <matt@ucc.asn.au>
parents: 726
diff changeset
285 session_cleanup();
553
8711f20b89ab - For uclinux, only cleanup on exit for the main process. This avoids
Matt Johnston <matt@ucc.asn.au>
parents: 496
diff changeset
286 }
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
287
1558
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1546
diff changeset
288 #if DROPBEAR_FUZZ
1559
92c93b4a3646 Fix to be able to compile normal(ish) binaries with --enable-fuzz
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
289 /* longjmp before cleaning up svr_opts */
1385
6c92e97553f1 Add a flag whether to longjmp, missed that last commit
Matt Johnston <matt@ucc.asn.au>
parents: 1358
diff changeset
290 if (fuzz.do_jmp) {
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents: 1347
diff changeset
291 longjmp(fuzz.jmp, 1);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents: 1347
diff changeset
292 }
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents: 1347
diff changeset
293 #endif
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents: 1347
diff changeset
294
1040
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
295 if (svr_opts.hostkey) {
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
296 sign_key_free(svr_opts.hostkey);
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
297 svr_opts.hostkey = NULL;
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
298 }
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
299 for (i = 0; i < DROPBEAR_MAX_PORTS; i++) {
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
300 m_free(svr_opts.addresses[i]);
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
301 m_free(svr_opts.ports[i]);
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
302 }
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 970
diff changeset
303
1347
b28624698130 copy over some fuzzing code from AFL branch
Matt Johnston <matt@ucc.asn.au>
parents: 1304
diff changeset
304
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
305 exit(exitcode);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
306
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
307 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
308
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
309 /* priority is priority as with syslog() */
5
bc6477a6c393 syntactical fixups - it compiles, but channel handling code requires fixing.
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
310 void svr_dropbear_log(int priority, const char* format, va_list param) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
311
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
312 char printbuf[1024];
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
313 char datestr[20];
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
314 time_t timesec;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
315 int havetrace = 0;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
316
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
317 vsnprintf(printbuf, sizeof(printbuf), format, param);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
318
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
319 #ifndef DISABLE_SYSLOG
1210
64a50eac1030 Moved usingsyslog from svr_runopts to runopts.
Konstantin Tokarev <ktokarev@smartlabs.tv>
parents: 1139
diff changeset
320 if (opts.usingsyslog) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
321 syslog(priority, "%s", printbuf);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
322 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
323 #endif
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
324
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
325 /* if we are using DEBUG_TRACE, we want to print to stderr even if
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
326 * syslog is used, so it is included in error reports */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
327 #if DEBUG_TRACE
98
297167ef41bd Fix for printing out things with inetd mode when we have DEBUG_TRACE
Matt Johnston <matt@ucc.asn.au>
parents: 68
diff changeset
328 havetrace = debug_trace;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
329 #endif
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
330
1215
d058e15ea213 A few minor style fixes
Matt Johnston <matt@ucc.asn.au>
parents: 1210
diff changeset
331 if (!opts.usingsyslog || havetrace) {
404
a588558bfc94 Fix potential null pointer dereference found by Klokwork
Matt Johnston <matt@ucc.asn.au>
parents: 272
diff changeset
332 struct tm * local_tm = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
333 timesec = time(NULL);
404
a588558bfc94 Fix potential null pointer dereference found by Klokwork
Matt Johnston <matt@ucc.asn.au>
parents: 272
diff changeset
334 local_tm = localtime(&timesec);
a588558bfc94 Fix potential null pointer dereference found by Klokwork
Matt Johnston <matt@ucc.asn.au>
parents: 272
diff changeset
335 if (local_tm == NULL
a588558bfc94 Fix potential null pointer dereference found by Klokwork
Matt Johnston <matt@ucc.asn.au>
parents: 272
diff changeset
336 || strftime(datestr, sizeof(datestr), "%b %d %H:%M:%S",
618
b5cc8878d5ec Properly fix the bug found years ago by Klocwork, refound again.
Matt Johnston <matt@ucc.asn.au>
parents: 594
diff changeset
337 local_tm) == 0)
404
a588558bfc94 Fix potential null pointer dereference found by Klokwork
Matt Johnston <matt@ucc.asn.au>
parents: 272
diff changeset
338 {
433
c216212001fc Fix for -pedantic -ansi compilation, change // to /**/, plus some signedness
Matt Johnston <matt@ucc.asn.au>
parents: 404
diff changeset
339 /* upon failure, just print the epoch-seconds time. */
479
e3db1f7a2e43 - Split main socket var into ses.sock_in/ses.sock_out in preparation
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
340 snprintf(datestr, sizeof(datestr), "%d", (int)timesec);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
341 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
342 fprintf(stderr, "[%d] %s %s\n", getpid(), datestr, printbuf);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
343 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
344 }
5
bc6477a6c393 syntactical fixups - it compiles, but channel handling code requires fixing.
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
345
bc6477a6c393 syntactical fixups - it compiles, but channel handling code requires fixing.
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
346 /* called when the remote side closes the connection */
bc6477a6c393 syntactical fixups - it compiles, but channel handling code requires fixing.
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
347 static void svr_remoteclosed() {
bc6477a6c393 syntactical fixups - it compiles, but channel handling code requires fixing.
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
348
479
e3db1f7a2e43 - Split main socket var into ses.sock_in/ses.sock_out in preparation
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
349 m_close(ses.sock_in);
1358
6b89eb92f872 glaring wrapfd problems fixed
Matt Johnston <matt@ucc.asn.au>
parents: 1355
diff changeset
350 if (ses.sock_in != ses.sock_out) {
6b89eb92f872 glaring wrapfd problems fixed
Matt Johnston <matt@ucc.asn.au>
parents: 1355
diff changeset
351 m_close(ses.sock_out);
6b89eb92f872 glaring wrapfd problems fixed
Matt Johnston <matt@ucc.asn.au>
parents: 1355
diff changeset
352 }
479
e3db1f7a2e43 - Split main socket var into ses.sock_in/ses.sock_out in preparation
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
353 ses.sock_in = -1;
e3db1f7a2e43 - Split main socket var into ses.sock_in/ses.sock_out in preparation
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
354 ses.sock_out = -1;
5
bc6477a6c393 syntactical fixups - it compiles, but channel handling code requires fixing.
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
355 dropbear_close("Exited normally");
bc6477a6c393 syntactical fixups - it compiles, but channel handling code requires fixing.
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
356
bc6477a6c393 syntactical fixups - it compiles, but channel handling code requires fixing.
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
357 }
bc6477a6c393 syntactical fixups - it compiles, but channel handling code requires fixing.
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
358
1544
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1495
diff changeset
359 static void svr_algos_initialise(void) {
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1495
diff changeset
360 algo_type *algo;
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1495
diff changeset
361 for (algo = sshkex; algo->name; algo++) {
1676
d5cdc60db08e ext-info handling for server-sig-algs
Matt Johnston <matt@ucc.asn.au>
parents: 1666
diff changeset
362 #if DROPBEAR_DH_GROUP1 && DROPBEAR_DH_GROUP1_CLIENTONLY
1544
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1495
diff changeset
363 if (strcmp(algo->name, "diffie-hellman-group1-sha1") == 0) {
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1495
diff changeset
364 algo->usable = 0;
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1495
diff changeset
365 }
1676
d5cdc60db08e ext-info handling for server-sig-algs
Matt Johnston <matt@ucc.asn.au>
parents: 1666
diff changeset
366 #endif
1681
435cfb9ec96e send and handle SSH_MSG_EXT_INFO only at the correct point
Matt Johnston <matt@ucc.asn.au>
parents: 1676
diff changeset
367 #if DROPBEAR_EXT_INFO
1676
d5cdc60db08e ext-info handling for server-sig-algs
Matt Johnston <matt@ucc.asn.au>
parents: 1666
diff changeset
368 if (strcmp(algo->name, SSH_EXT_INFO_C) == 0) {
d5cdc60db08e ext-info handling for server-sig-algs
Matt Johnston <matt@ucc.asn.au>
parents: 1666
diff changeset
369 algo->usable = 0;
d5cdc60db08e ext-info handling for server-sig-algs
Matt Johnston <matt@ucc.asn.au>
parents: 1666
diff changeset
370 }
1681
435cfb9ec96e send and handle SSH_MSG_EXT_INFO only at the correct point
Matt Johnston <matt@ucc.asn.au>
parents: 1676
diff changeset
371 #endif
1544
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1495
diff changeset
372 }
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1495
diff changeset
373 }
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1495
diff changeset
374