Bug Summary

File:src/usr.bin/ssh/sshd/../sshd.c
Warning:line 522, column 18
Access to field 'm_pid' results in a dereference of a null pointer (loaded from variable 'pmonitor')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name sshd.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/ssh/sshd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.bin/ssh/sshd/.. -D WITH_OPENSSL -D WITH_ZLIB -D ENABLE_PKCS11 -D HAVE_DLOPEN -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -fdebug-compilation-dir=/usr/src/usr.bin/ssh/sshd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/ssh/sshd/../sshd.c
1/* $OpenBSD: sshd.c,v 1.582 2021/11/18 03:07:59 djm Exp $ */
2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved
6 * This program is the ssh daemon. It listens for connections from clients,
7 * and performs authentication, executes use commands or shell, and forwards
8 * information to/from the application to the user client over an encrypted
9 * connection. This can also handle forwarding of X11, TCP/IP, and
10 * authentication agent connections.
11 *
12 * As far as I am concerned, the code I have written for this software
13 * can be used freely for any purpose. Any derived versions of this
14 * software must be clearly marked as such, and if the derived work is
15 * incompatible with the protocol description in the RFC file, it must be
16 * called by a name other than "ssh" or "Secure Shell".
17 *
18 * SSH2 implementation:
19 * Privilege Separation:
20 *
21 * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
22 * Copyright (c) 2002 Niels Provos. All rights reserved.
23 *
24 * Redistribution and use in source and binary forms, with or without
25 * modification, are permitted provided that the following conditions
26 * are met:
27 * 1. Redistributions of source code must retain the above copyright
28 * notice, this list of conditions and the following disclaimer.
29 * 2. Redistributions in binary form must reproduce the above copyright
30 * notice, this list of conditions and the following disclaimer in the
31 * documentation and/or other materials provided with the distribution.
32 *
33 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
34 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
35 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
36 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
37 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
38 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
39 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
40 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
41 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
42 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
43 */
44
45#include <sys/types.h>
46#include <sys/ioctl.h>
47#include <sys/wait.h>
48#include <sys/tree.h>
49#include <sys/stat.h>
50#include <sys/socket.h>
51#include <sys/time.h>
52#include <sys/queue.h>
53
54#include <errno(*__errno()).h>
55#include <fcntl.h>
56#include <netdb.h>
57#include <paths.h>
58#include <poll.h>
59#include <pwd.h>
60#include <signal.h>
61#include <stdio.h>
62#include <stdlib.h>
63#include <string.h>
64#include <stdarg.h>
65#include <unistd.h>
66#include <limits.h>
67
68#ifdef WITH_OPENSSL1
69#include <openssl/bn.h>
70#endif
71
72#include "xmalloc.h"
73#include "ssh.h"
74#include "ssh2.h"
75#include "sshpty.h"
76#include "packet.h"
77#include "log.h"
78#include "sshbuf.h"
79#include "misc.h"
80#include "match.h"
81#include "servconf.h"
82#include "uidswap.h"
83#include "compat.h"
84#include "cipher.h"
85#include "digest.h"
86#include "sshkey.h"
87#include "kex.h"
88#include "myproposal.h"
89#include "authfile.h"
90#include "pathnames.h"
91#include "atomicio.h"
92#include "canohost.h"
93#include "hostfile.h"
94#include "auth.h"
95#include "authfd.h"
96#include "msg.h"
97#include "dispatch.h"
98#include "channels.h"
99#include "session.h"
100#include "monitor.h"
101#ifdef GSSAPI
102#include "ssh-gss.h"
103#endif
104#include "monitor_wrap.h"
105#include "ssh-sandbox.h"
106#include "auth-options.h"
107#include "version.h"
108#include "ssherr.h"
109#include "sk-api.h"
110#include "srclimit.h"
111#include "dh.h"
112
113/* Re-exec fds */
114#define REEXEC_DEVCRYPTO_RESERVED_FD(2 + 1) (STDERR_FILENO2 + 1)
115#define REEXEC_STARTUP_PIPE_FD(2 + 2) (STDERR_FILENO2 + 2)
116#define REEXEC_CONFIG_PASS_FD(2 + 3) (STDERR_FILENO2 + 3)
117#define REEXEC_MIN_FREE_FD(2 + 4) (STDERR_FILENO2 + 4)
118
119extern char *__progname;
120
121/* Server configuration options. */
122ServerOptions options;
123
124/* Name of the server configuration file. */
125char *config_file_name = _PATH_SERVER_CONFIG_FILE"/etc" "/ssh" "/sshd_config";
126
127/*
128 * Debug mode flag. This can be set on the command line. If debug
129 * mode is enabled, extra debugging output will be sent to the system
130 * log, the daemon will not go to background, and will exit after processing
131 * the first connection.
132 */
133int debug_flag = 0;
134
135/*
136 * Indicating that the daemon should only test the configuration and keys.
137 * If test_flag > 1 ("-T" flag), then sshd will also dump the effective
138 * configuration, optionally using connection information provided by the
139 * "-C" flag.
140 */
141static int test_flag = 0;
142
143/* Flag indicating that the daemon is being started from inetd. */
144static int inetd_flag = 0;
145
146/* Flag indicating that sshd should not detach and become a daemon. */
147static int no_daemon_flag = 0;
148
149/* debug goes to stderr unless inetd_flag is set */
150static int log_stderr = 0;
151
152/* Saved arguments to main(). */
153static char **saved_argv;
154
155/* re-exec */
156static int rexeced_flag = 0;
157static int rexec_flag = 1;
158static int rexec_argc = 0;
159static char **rexec_argv;
160
161/*
162 * The sockets that the server is listening; this is used in the SIGHUP
163 * signal handler.
164 */
165#define MAX_LISTEN_SOCKS16 16
166static int listen_socks[MAX_LISTEN_SOCKS16];
167static int num_listen_socks = 0;
168
169/* Daemon's agent connection */
170int auth_sock = -1;
171static int have_agent = 0;
172
173/*
174 * Any really sensitive data in the application is contained in this
175 * structure. The idea is that this structure could be locked into memory so
176 * that the pages do not get written into swap. However, there are some
177 * problems. The private key contains BIGNUMs, and we do not (in principle)
178 * have access to the internals of them, and locking just the structure is
179 * not very useful. Currently, memory locking is not implemented.
180 */
181struct {
182 struct sshkey **host_keys; /* all private host keys */
183 struct sshkey **host_pubkeys; /* all public host keys */
184 struct sshkey **host_certificates; /* all public host certificates */
185 int have_ssh2_key;
186} sensitive_data;
187
188/* This is set to true when a signal is received. */
189static volatile sig_atomic_t received_sighup = 0;
190static volatile sig_atomic_t received_sigterm = 0;
191
192/* record remote hostname or ip */
193u_int utmp_len = HOST_NAME_MAX255+1;
194
195/*
196 * startup_pipes/flags are used for tracking children of the listening sshd
197 * process early in their lifespans. This tracking is needed for three things:
198 *
199 * 1) Implementing the MaxStartups limit of concurrent unauthenticated
200 * connections.
201 * 2) Avoiding a race condition for SIGHUP processing, where child processes
202 * may have listen_socks open that could collide with main listener process
203 * after it restarts.
204 * 3) Ensuring that rexec'd sshd processes have received their initial state
205 * from the parent listen process before handling SIGHUP.
206 *
207 * Child processes signal that they have completed closure of the listen_socks
208 * and (if applicable) received their rexec state by sending a char over their
209 * sock. Child processes signal that authentication has completed by closing
210 * the sock (or by exiting).
211 */
212static int *startup_pipes = NULL((void*)0);
213static int *startup_flags = NULL((void*)0); /* Indicates child closed listener */
214static int startup_pipe = -1; /* in child */
215
216/* variables used for privilege separation */
217int use_privsep = -1;
218struct monitor *pmonitor = NULL((void*)0);
219int privsep_is_preauth = 1;
220
221/* global connection state and authentication contexts */
222Authctxt *the_authctxt = NULL((void*)0);
223struct ssh *the_active_state;
224
225/* global key/cert auth options. XXX move to permanent ssh->authctxt? */
226struct sshauthopt *auth_opts = NULL((void*)0);
227
228/* sshd_config buffer */
229struct sshbuf *cfg;
230
231/* Included files from the configuration file */
232struct include_list includes = TAILQ_HEAD_INITIALIZER(includes){ ((void*)0), &(includes).tqh_first };
233
234/* message to be displayed after login */
235struct sshbuf *loginmsg;
236
237/* Prototypes for various functions defined later in this file. */
238void destroy_sensitive_data(void);
239void demote_sensitive_data(void);
240static void do_ssh2_kex(struct ssh *);
241
242static char *listener_proctitle;
243
244/*
245 * Close all listening sockets
246 */
247static void
248close_listen_socks(void)
249{
250 int i;
251
252 for (i = 0; i < num_listen_socks; i++)
253 close(listen_socks[i]);
254 num_listen_socks = 0;
255}
256
257static void
258close_startup_pipes(void)
259{
260 int i;
261
262 if (startup_pipes)
263 for (i = 0; i < options.max_startups; i++)
264 if (startup_pipes[i] != -1)
265 close(startup_pipes[i]);
266}
267
268/*
269 * Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP;
270 * the effect is to reread the configuration file (and to regenerate
271 * the server key).
272 */
273
274/*ARGSUSED*/
275static void
276sighup_handler(int sig)
277{
278 received_sighup = 1;
279}
280
281/*
282 * Called from the main program after receiving SIGHUP.
283 * Restarts the server.
284 */
285static void
286sighup_restart(void)
287{
288 logit("Received SIGHUP; restarting.")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 288, 0
, SYSLOG_LEVEL_INFO, ((void*)0), "Received SIGHUP; restarting."
);
289 if (options.pid_file != NULL((void*)0))
290 unlink(options.pid_file);
291 close_listen_socks();
292 close_startup_pipes();
293 ssh_signal(SIGHUP1, SIG_IGN(void (*)(int))1); /* will be restored after exec */
294 execv(saved_argv[0], saved_argv);
295 logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 296, 0
, SYSLOG_LEVEL_INFO, ((void*)0), "RESTART FAILED: av[0]='%.100s', error: %.100s."
, saved_argv[0], strerror((*__errno())))
296 strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 296, 0
, SYSLOG_LEVEL_INFO, ((void*)0), "RESTART FAILED: av[0]='%.100s', error: %.100s."
, saved_argv[0], strerror((*__errno())));
297 exit(1);
298}
299
300/*
301 * Generic signal handler for terminating signals in the master daemon.
302 */
303/*ARGSUSED*/
304static void
305sigterm_handler(int sig)
306{
307 received_sigterm = sig;
308}
309
310/*
311 * SIGCHLD handler. This is called whenever a child dies. This will then
312 * reap any zombies left by exited children.
313 */
314/*ARGSUSED*/
315static void
316main_sigchld_handler(int sig)
317{
318 int save_errno = errno(*__errno());
319 pid_t pid;
320 int status;
321
322 while ((pid = waitpid(-1, &status, WNOHANG1)) > 0 ||
323 (pid == -1 && errno(*__errno()) == EINTR4))
324 ;
325 errno(*__errno()) = save_errno;
326}
327
328/*
329 * Signal handler for the alarm after the login grace period has expired.
330 */
331/*ARGSUSED*/
332static void
333grace_alarm_handler(int sig)
334{
335 if (use_privsep && pmonitor != NULL((void*)0) && pmonitor->m_pid > 0)
336 kill(pmonitor->m_pid, SIGALRM14);
337
338 /*
339 * Try to kill any processes that we have spawned, E.g. authorized
340 * keys command helpers.
341 */
342 if (getpgid(0) == getpid()) {
343 ssh_signal(SIGTERM15, SIG_IGN(void (*)(int))1);
344 kill(0, SIGTERM15);
345 }
346
347 /* Log error and exit. */
348 if (use_privsep && pmonitor != NULL((void*)0) && pmonitor->m_pid <= 0)
349 cleanup_exit(255); /* don't log in privsep child */
350 else {
351 sigdie("Timeout before authentication for %s port %d",sshsigdie("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 353
, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "Timeout before authentication for %s port %d"
, ssh_remote_ipaddr(the_active_state), ssh_remote_port(the_active_state
))
352 ssh_remote_ipaddr(the_active_state),sshsigdie("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 353
, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "Timeout before authentication for %s port %d"
, ssh_remote_ipaddr(the_active_state), ssh_remote_port(the_active_state
))
353 ssh_remote_port(the_active_state))sshsigdie("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 353
, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "Timeout before authentication for %s port %d"
, ssh_remote_ipaddr(the_active_state), ssh_remote_port(the_active_state
));
354 }
355}
356
357/* Destroy the host and server keys. They will no longer be needed. */
358void
359destroy_sensitive_data(void)
360{
361 u_int i;
362
363 for (i = 0; i < options.num_host_key_files; i++) {
364 if (sensitive_data.host_keys[i]) {
365 sshkey_free(sensitive_data.host_keys[i]);
366 sensitive_data.host_keys[i] = NULL((void*)0);
367 }
368 if (sensitive_data.host_certificates[i]) {
369 sshkey_free(sensitive_data.host_certificates[i]);
370 sensitive_data.host_certificates[i] = NULL((void*)0);
371 }
372 }
373}
374
375/* Demote private to public keys for network child */
376void
377demote_sensitive_data(void)
378{
379 struct sshkey *tmp;
380 u_int i;
381 int r;
382
383 for (i = 0; i < options.num_host_key_files; i++) {
384 if (sensitive_data.host_keys[i]) {
385 if ((r = sshkey_from_private(
386 sensitive_data.host_keys[i], &tmp)) != 0)
387 fatal_r(r, "could not demote host %s key",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 388
, 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "could not demote host %s key"
, sshkey_type(sensitive_data.host_keys[i]))
388 sshkey_type(sensitive_data.host_keys[i]))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 388
, 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "could not demote host %s key"
, sshkey_type(sensitive_data.host_keys[i]));
389 sshkey_free(sensitive_data.host_keys[i]);
390 sensitive_data.host_keys[i] = tmp;
391 }
392 /* Certs do not need demotion */
393 }
394}
395
396static void
397privsep_preauth_child(void)
398{
399 gid_t gidset[1];
400 struct passwd *pw;
401
402 /* Enable challenge-response authentication for privilege separation */
403 privsep_challenge_enable();
404
405#ifdef GSSAPI
406 /* Cache supported mechanism OIDs for later use */
407 ssh_gssapi_prepare_supported_oids();
408#endif
409
410 /* Demote the private keys to public keys. */
411 demote_sensitive_data();
412
413 /* Demote the child */
414 if (getuid() == 0 || geteuid() == 0) {
415 if ((pw = getpwnam(SSH_PRIVSEP_USER"sshd")) == NULL((void*)0))
416 fatal("Privilege separation user %s does not exist",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 417
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Privilege separation user %s does not exist"
, "sshd")
417 SSH_PRIVSEP_USER)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 417
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Privilege separation user %s does not exist"
, "sshd");
418 pw = pwcopy(pw); /* Ensure mutable */
419 endpwent();
420 freezero(pw->pw_passwd, strlen(pw->pw_passwd));
421
422 /* Change our root directory */
423 if (chroot(_PATH_PRIVSEP_CHROOT_DIR"/var/empty") == -1)
424 fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 425
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "chroot(\"%s\"): %s", "/var/empty"
, strerror((*__errno())))
425 strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 425
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "chroot(\"%s\"): %s", "/var/empty"
, strerror((*__errno())));
426 if (chdir("/") == -1)
427 fatal("chdir(\"/\"): %s", strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 427
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "chdir(\"/\"): %s", strerror
((*__errno())));
428
429 /*
430 * Drop our privileges
431 * NB. Can't use setusercontext() after chroot.
432 */
433 debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 434, 0
, SYSLOG_LEVEL_DEBUG3, ((void*)0), "privsep user:group %u:%u"
, (u_int)pw->pw_uid, (u_int)pw->pw_gid)
434 (u_int)pw->pw_gid)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 434, 0
, SYSLOG_LEVEL_DEBUG3, ((void*)0), "privsep user:group %u:%u"
, (u_int)pw->pw_uid, (u_int)pw->pw_gid);
435 gidset[0] = pw->pw_gid;
436 if (setgroups(1, gidset) == -1)
437 fatal("setgroups: %.100s", strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 437
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "setgroups: %.100s", strerror
((*__errno())));
438 permanently_set_uid(pw);
439 }
440}
441
442static int
443privsep_preauth(struct ssh *ssh)
444{
445 int status, r;
446 pid_t pid;
447 struct ssh_sandbox *box = NULL((void*)0);
448
449 /* Set up unprivileged child process to deal with network data */
450 pmonitor = monitor_init();
451 /* Store a pointer to the kex for later rekeying */
452 pmonitor->m_pkex = &ssh->kex;
453
454 if (use_privsep == PRIVSEP_ON1)
455 box = ssh_sandbox_init();
456 pid = fork();
457 if (pid == -1) {
458 fatal("fork of unprivileged child failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 458
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "fork of unprivileged child failed"
);
459 } else if (pid != 0) {
460 debug2("Network child is on pid %ld", (long)pid)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 460, 0
, SYSLOG_LEVEL_DEBUG2, ((void*)0), "Network child is on pid %ld"
, (long)pid);
461
462 pmonitor->m_pid = pid;
463 if (have_agent) {
464 r = ssh_get_authentication_socket(&auth_sock);
465 if (r != 0) {
466 error_r(r, "Could not get agent socket")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 466, 0
, SYSLOG_LEVEL_ERROR, ssh_err(r), "Could not get agent socket"
);
467 have_agent = 0;
468 }
469 }
470 if (box != NULL((void*)0))
471 ssh_sandbox_parent_preauth(box, pid);
472 monitor_child_preauth(ssh, pmonitor);
473
474 /* Wait for the child's exit status */
475 while (waitpid(pid, &status, 0) == -1) {
476 if (errno(*__errno()) == EINTR4)
477 continue;
478 pmonitor->m_pid = -1;
479 fatal_f("waitpid: %s", strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 479
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "waitpid: %s", strerror(
(*__errno())));
480 }
481 privsep_is_preauth = 0;
482 pmonitor->m_pid = -1;
483 if (WIFEXITED(status)(((status) & 0177) == 0)) {
484 if (WEXITSTATUS(status)(int)(((unsigned)(status) >> 8) & 0xff) != 0)
485 fatal_f("preauth child exited with status %d",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 486
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "preauth child exited with status %d"
, (int)(((unsigned)(status) >> 8) & 0xff))
486 WEXITSTATUS(status))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 486
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "preauth child exited with status %d"
, (int)(((unsigned)(status) >> 8) & 0xff));
487 } else if (WIFSIGNALED(status)(((status) & 0177) != 0177 && ((status) & 0177
) != 0))
488 fatal_f("preauth child terminated by signal %d",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 489
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "preauth child terminated by signal %d"
, (((status) & 0177)))
489 WTERMSIG(status))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 489
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "preauth child terminated by signal %d"
, (((status) & 0177)));
490 if (box != NULL((void*)0))
491 ssh_sandbox_parent_finish(box);
492 return 1;
493 } else {
494 /* child */
495 close(pmonitor->m_sendfd);
496 close(pmonitor->m_log_recvfd);
497
498 /* Arrange for logging to be sent to the monitor */
499 set_log_handler(mm_log_handler, pmonitor);
500
501 privsep_preauth_child();
502 setproctitle("%s", "[net]");
503 if (box != NULL((void*)0))
504 ssh_sandbox_child(box);
505
506 return 0;
507 }
508}
509
510static void
511privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
512{
513 if (authctxt->pw->pw_uid == 0) {
89
Assuming field 'pw_uid' is not equal to 0
90
Taking false branch
514 /* File descriptor passing is broken or root login */
515 use_privsep = 0;
516 goto skip;
517 }
518
519 /* New socket pair */
520 monitor_reinit(pmonitor);
521
522 pmonitor->m_pid = fork();
91
Access to field 'm_pid' results in a dereference of a null pointer (loaded from variable 'pmonitor')
523 if (pmonitor->m_pid == -1)
524 fatal("fork of unprivileged child failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 524
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "fork of unprivileged child failed"
);
525 else if (pmonitor->m_pid != 0) {
526 verbose("User child is on pid %ld", (long)pmonitor->m_pid)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 526, 0
, SYSLOG_LEVEL_VERBOSE, ((void*)0), "User child is on pid %ld"
, (long)pmonitor->m_pid);
527 sshbuf_reset(loginmsg);
528 monitor_clear_keystate(ssh, pmonitor);
529 monitor_child_postauth(ssh, pmonitor);
530
531 /* NEVERREACHED */
532 exit(0);
533 }
534
535 /* child */
536
537 close(pmonitor->m_sendfd);
538 pmonitor->m_sendfd = -1;
539
540 /* Demote the private keys to public keys. */
541 demote_sensitive_data();
542
543 /* Drop privileges */
544 do_setusercontext(authctxt->pw);
545
546 skip:
547 /* It is safe now to apply the key state */
548 monitor_apply_keystate(ssh, pmonitor);
549
550 /*
551 * Tell the packet layer that authentication was successful, since
552 * this information is not part of the key state.
553 */
554 ssh_packet_set_authenticated(ssh);
555}
556
557static void
558append_hostkey_type(struct sshbuf *b, const char *s)
559{
560 int r;
561
562 if (match_pattern_list(s, options.hostkeyalgorithms, 0) != 1) {
563 debug3_f("%s key not permitted by HostkeyAlgorithms", s)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 563, 1
, SYSLOG_LEVEL_DEBUG3, ((void*)0), "%s key not permitted by HostkeyAlgorithms"
, s);
564 return;
565 }
566 if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) > 0 ? "," : "", s)) != 0)
567 fatal_fr(r, "sshbuf_putf")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 567
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_putf");
568}
569
570static char *
571list_hostkey_types(void)
572{
573 struct sshbuf *b;
574 struct sshkey *key;
575 char *ret;
576 u_int i;
577
578 if ((b = sshbuf_new()) == NULL((void*)0))
579 fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 579
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
580 for (i = 0; i < options.num_host_key_files; i++) {
581 key = sensitive_data.host_keys[i];
582 if (key == NULL((void*)0))
583 key = sensitive_data.host_pubkeys[i];
584 if (key == NULL((void*)0))
585 continue;
586 switch (key->type) {
587 case KEY_RSA:
588 /* for RSA we also support SHA2 signatures */
589 append_hostkey_type(b, "rsa-sha2-512");
590 append_hostkey_type(b, "rsa-sha2-256");
591 /* FALLTHROUGH */
592 case KEY_DSA:
593 case KEY_ECDSA:
594 case KEY_ED25519:
595 case KEY_ECDSA_SK:
596 case KEY_ED25519_SK:
597 case KEY_XMSS:
598 append_hostkey_type(b, sshkey_ssh_name(key));
599 break;
600 }
601 /* If the private key has a cert peer, then list that too */
602 key = sensitive_data.host_certificates[i];
603 if (key == NULL((void*)0))
604 continue;
605 switch (key->type) {
606 case KEY_RSA_CERT:
607 /* for RSA we also support SHA2 signatures */
608 append_hostkey_type(b,
609 "rsa-sha2-512-cert-v01@openssh.com");
610 append_hostkey_type(b,
611 "rsa-sha2-256-cert-v01@openssh.com");
612 /* FALLTHROUGH */
613 case KEY_DSA_CERT:
614 case KEY_ECDSA_CERT:
615 case KEY_ED25519_CERT:
616 case KEY_ECDSA_SK_CERT:
617 case KEY_ED25519_SK_CERT:
618 case KEY_XMSS_CERT:
619 append_hostkey_type(b, sshkey_ssh_name(key));
620 break;
621 }
622 }
623 if ((ret = sshbuf_dup_string(b)) == NULL((void*)0))
624 fatal_f("sshbuf_dup_string failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 624
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_dup_string failed"
);
625 sshbuf_free(b);
626 debug_f("%s", ret)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 626, 1
, SYSLOG_LEVEL_DEBUG1, ((void*)0), "%s", ret);
627 return ret;
628}
629
630static struct sshkey *
631get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
632{
633 u_int i;
634 struct sshkey *key;
635
636 for (i = 0; i < options.num_host_key_files; i++) {
637 switch (type) {
638 case KEY_RSA_CERT:
639 case KEY_DSA_CERT:
640 case KEY_ECDSA_CERT:
641 case KEY_ED25519_CERT:
642 case KEY_ECDSA_SK_CERT:
643 case KEY_ED25519_SK_CERT:
644 case KEY_XMSS_CERT:
645 key = sensitive_data.host_certificates[i];
646 break;
647 default:
648 key = sensitive_data.host_keys[i];
649 if (key == NULL((void*)0) && !need_private)
650 key = sensitive_data.host_pubkeys[i];
651 break;
652 }
653 if (key == NULL((void*)0) || key->type != type)
654 continue;
655 switch (type) {
656 case KEY_ECDSA:
657 case KEY_ECDSA_SK:
658 case KEY_ECDSA_CERT:
659 case KEY_ECDSA_SK_CERT:
660 if (key->ecdsa_nid != nid)
661 continue;
662 /* FALLTHROUGH */
663 default:
664 return need_private ?
665 sensitive_data.host_keys[i] : key;
666 }
667 }
668 return NULL((void*)0);
669}
670
671struct sshkey *
672get_hostkey_public_by_type(int type, int nid, struct ssh *ssh)
673{
674 return get_hostkey_by_type(type, nid, 0, ssh);
675}
676
677struct sshkey *
678get_hostkey_private_by_type(int type, int nid, struct ssh *ssh)
679{
680 return get_hostkey_by_type(type, nid, 1, ssh);
681}
682
683struct sshkey *
684get_hostkey_by_index(int ind)
685{
686 if (ind < 0 || (u_int)ind >= options.num_host_key_files)
687 return (NULL((void*)0));
688 return (sensitive_data.host_keys[ind]);
689}
690
691struct sshkey *
692get_hostkey_public_by_index(int ind, struct ssh *ssh)
693{
694 if (ind < 0 || (u_int)ind >= options.num_host_key_files)
695 return (NULL((void*)0));
696 return (sensitive_data.host_pubkeys[ind]);
697}
698
699int
700get_hostkey_index(struct sshkey *key, int compare, struct ssh *ssh)
701{
702 u_int i;
703
704 for (i = 0; i < options.num_host_key_files; i++) {
705 if (sshkey_is_cert(key)) {
706 if (key == sensitive_data.host_certificates[i] ||
707 (compare && sensitive_data.host_certificates[i] &&
708 sshkey_equal(key,
709 sensitive_data.host_certificates[i])))
710 return (i);
711 } else {
712 if (key == sensitive_data.host_keys[i] ||
713 (compare && sensitive_data.host_keys[i] &&
714 sshkey_equal(key, sensitive_data.host_keys[i])))
715 return (i);
716 if (key == sensitive_data.host_pubkeys[i] ||
717 (compare && sensitive_data.host_pubkeys[i] &&
718 sshkey_equal(key, sensitive_data.host_pubkeys[i])))
719 return (i);
720 }
721 }
722 return (-1);
723}
724
725/* Inform the client of all hostkeys */
726static void
727notify_hostkeys(struct ssh *ssh)
728{
729 struct sshbuf *buf;
730 struct sshkey *key;
731 u_int i, nkeys;
732 int r;
733 char *fp;
734
735 /* Some clients cannot cope with the hostkeys message, skip those. */
736 if (ssh->compat & SSH_BUG_HOSTKEYS0x20000000)
737 return;
738
739 if ((buf = sshbuf_new()) == NULL((void*)0))
740 fatal_f("sshbuf_new")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 740
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new");
741 for (i = nkeys = 0; i < options.num_host_key_files; i++) {
742 key = get_hostkey_public_by_index(i, ssh);
743 if (key == NULL((void*)0) || key->type == KEY_UNSPEC ||
744 sshkey_is_cert(key))
745 continue;
746 fp = sshkey_fingerprint(key, options.fingerprint_hash,
747 SSH_FP_DEFAULT);
748 debug3_f("key %d: %s %s", i, sshkey_ssh_name(key), fp)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 748, 1
, SYSLOG_LEVEL_DEBUG3, ((void*)0), "key %d: %s %s", i, sshkey_ssh_name
(key), fp);
749 free(fp);
750 if (nkeys == 0) {
751 /*
752 * Start building the request when we find the
753 * first usable key.
754 */
755 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 ||
756 (r = sshpkt_put_cstring(ssh, "hostkeys-00@openssh.com")) != 0 ||
757 (r = sshpkt_put_u8(ssh, 0)) != 0) /* want reply */
758 sshpkt_fatal(ssh, r, "%s: start request", __func__);
759 }
760 /* Append the key to the request */
761 sshbuf_reset(buf);
762 if ((r = sshkey_putb(key, buf)) != 0)
763 fatal_fr(r, "couldn't put hostkey %d", i)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 763
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "couldn't put hostkey %d"
, i);
764 if ((r = sshpkt_put_stringb(ssh, buf)) != 0)
765 sshpkt_fatal(ssh, r, "%s: append key", __func__);
766 nkeys++;
767 }
768 debug3_f("sent %u hostkeys", nkeys)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 768, 1
, SYSLOG_LEVEL_DEBUG3, ((void*)0), "sent %u hostkeys", nkeys);
769 if (nkeys == 0)
770 fatal_f("no hostkeys")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 770
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "no hostkeys");
771 if ((r = sshpkt_send(ssh)) != 0)
772 sshpkt_fatal(ssh, r, "%s: send", __func__);
773 sshbuf_free(buf);
774}
775
776/*
777 * returns 1 if connection should be dropped, 0 otherwise.
778 * dropping starts at connection #max_startups_begin with a probability
779 * of (max_startups_rate/100). the probability increases linearly until
780 * all connections are dropped for startups > max_startups
781 */
782static int
783should_drop_connection(int startups)
784{
785 int p, r;
786
787 if (startups < options.max_startups_begin)
788 return 0;
789 if (startups >= options.max_startups)
790 return 1;
791 if (options.max_startups_rate == 100)
792 return 1;
793
794 p = 100 - options.max_startups_rate;
795 p *= startups - options.max_startups_begin;
796 p /= options.max_startups - options.max_startups_begin;
797 p += options.max_startups_rate;
798 r = arc4random_uniform(100);
799
800 debug_f("p %d, r %d", p, r)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 800, 1
, SYSLOG_LEVEL_DEBUG1, ((void*)0), "p %d, r %d", p, r);
801 return (r < p) ? 1 : 0;
802}
803
804/*
805 * Check whether connection should be accepted by MaxStartups.
806 * Returns 0 if the connection is accepted. If the connection is refused,
807 * returns 1 and attempts to send notification to client.
808 * Logs when the MaxStartups condition is entered or exited, and periodically
809 * while in that state.
810 */
811static int
812drop_connection(int sock, int startups, int notify_pipe)
813{
814 char *laddr, *raddr;
815 const char msg[] = "Exceeded MaxStartups\r\n";
816 static time_t last_drop, first_drop;
817 static u_int ndropped;
818 LogLevel drop_level = SYSLOG_LEVEL_VERBOSE;
819 time_t now;
820
821 now = monotime();
822 if (!should_drop_connection(startups) &&
823 srclimit_check_allow(sock, notify_pipe) == 1) {
824 if (last_drop != 0 &&
825 startups < options.max_startups_begin - 1) {
826 /* XXX maybe need better hysteresis here */
827 logit("exited MaxStartups throttling after %s, "sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 829, 0
, SYSLOG_LEVEL_INFO, ((void*)0), "exited MaxStartups throttling after %s, "
"%u connections dropped", fmt_timeframe(now - first_drop), ndropped
)
828 "%u connections dropped",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 829, 0
, SYSLOG_LEVEL_INFO, ((void*)0), "exited MaxStartups throttling after %s, "
"%u connections dropped", fmt_timeframe(now - first_drop), ndropped
)
829 fmt_timeframe(now - first_drop), ndropped)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 829, 0
, SYSLOG_LEVEL_INFO, ((void*)0), "exited MaxStartups throttling after %s, "
"%u connections dropped", fmt_timeframe(now - first_drop), ndropped
);
830 last_drop = 0;
831 }
832 return 0;
833 }
834
835#define SSHD_MAXSTARTUPS_LOG_INTERVAL(5 * 60) (5 * 60)
836 if (last_drop == 0) {
837 error("beginning MaxStartups throttling")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 837, 0
, SYSLOG_LEVEL_ERROR, ((void*)0), "beginning MaxStartups throttling"
);
838 drop_level = SYSLOG_LEVEL_INFO;
839 first_drop = now;
840 ndropped = 0;
841 } else if (last_drop + SSHD_MAXSTARTUPS_LOG_INTERVAL(5 * 60) < now) {
842 /* Periodic logs */
843 error("in MaxStartups throttling for %s, "sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 845, 0
, SYSLOG_LEVEL_ERROR, ((void*)0), "in MaxStartups throttling for %s, "
"%u connections dropped", fmt_timeframe(now - first_drop), ndropped
+ 1)
844 "%u connections dropped",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 845, 0
, SYSLOG_LEVEL_ERROR, ((void*)0), "in MaxStartups throttling for %s, "
"%u connections dropped", fmt_timeframe(now - first_drop), ndropped
+ 1)
845 fmt_timeframe(now - first_drop), ndropped + 1)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 845, 0
, SYSLOG_LEVEL_ERROR, ((void*)0), "in MaxStartups throttling for %s, "
"%u connections dropped", fmt_timeframe(now - first_drop), ndropped
+ 1);
846 drop_level = SYSLOG_LEVEL_INFO;
847 }
848 last_drop = now;
849 ndropped++;
850
851 laddr = get_local_ipaddr(sock);
852 raddr = get_peer_ipaddr(sock);
853 do_log2(drop_level, "drop connection #%d from [%s]:%d on [%s]:%d "sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 855, 0
, drop_level, ((void*)0), "drop connection #%d from [%s]:%d on [%s]:%d "
"past MaxStartups", startups, raddr, get_peer_port(sock), laddr
, get_local_port(sock))
854 "past MaxStartups", startups, raddr, get_peer_port(sock),sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 855, 0
, drop_level, ((void*)0), "drop connection #%d from [%s]:%d on [%s]:%d "
"past MaxStartups", startups, raddr, get_peer_port(sock), laddr
, get_local_port(sock))
855 laddr, get_local_port(sock))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 855, 0
, drop_level, ((void*)0), "drop connection #%d from [%s]:%d on [%s]:%d "
"past MaxStartups", startups, raddr, get_peer_port(sock), laddr
, get_local_port(sock));
856 free(laddr);
857 free(raddr);
858 /* best-effort notification to client */
859 (void)write(sock, msg, sizeof(msg) - 1);
860 return 1;
861}
862
863static void
864usage(void)
865{
866 fprintf(stderr(&__sF[2]), "%s, %s\n", SSH_VERSION"OpenSSH_8.8", SSH_OPENSSL_VERSIONOpenSSL_version(0));
867 fprintf(stderr(&__sF[2]),
868"usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
869" [-E log_file] [-f config_file] [-g login_grace_time]\n"
870" [-h host_key_file] [-o option] [-p port] [-u len]\n"
871 );
872 exit(1);
873}
874
875static void
876send_rexec_state(int fd, struct sshbuf *conf)
877{
878 struct sshbuf *m = NULL((void*)0), *inc = NULL((void*)0);
879 struct include_item *item = NULL((void*)0);
880 int r;
881
882 debug3_f("entering fd = %d config len %zu", fd,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 883, 1
, SYSLOG_LEVEL_DEBUG3, ((void*)0), "entering fd = %d config len %zu"
, fd, sshbuf_len(conf))
883 sshbuf_len(conf))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 883, 1
, SYSLOG_LEVEL_DEBUG3, ((void*)0), "entering fd = %d config len %zu"
, fd, sshbuf_len(conf));
884
885 if ((m = sshbuf_new()) == NULL((void*)0) || (inc = sshbuf_new()) == NULL((void*)0))
886 fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 886
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
887
888 /* pack includes into a string */
889 TAILQ_FOREACH(item, &includes, entry)for((item) = ((&includes)->tqh_first); (item) != ((void
*)0); (item) = ((item)->entry.tqe_next)) {
890 if ((r = sshbuf_put_cstring(inc, item->selector)) != 0 ||
891 (r = sshbuf_put_cstring(inc, item->filename)) != 0 ||
892 (r = sshbuf_put_stringb(inc, item->contents)) != 0)
893 fatal_fr(r, "compose includes")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 893
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "compose includes");
894 }
895
896 /*
897 * Protocol from reexec master to child:
898 * string configuration
899 * string included_files[] {
900 * string selector
901 * string filename
902 * string contents
903 * }
904 */
905 if ((r = sshbuf_put_stringb(m, conf)) != 0 ||
906 (r = sshbuf_put_stringb(m, inc)) != 0)
907 fatal_fr(r, "compose config")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 907
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "compose config");
908 if (ssh_msg_send(fd, 0, m) == -1)
909 error_f("ssh_msg_send failed")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 909, 1
, SYSLOG_LEVEL_ERROR, ((void*)0), "ssh_msg_send failed");
910
911 sshbuf_free(m);
912 sshbuf_free(inc);
913
914 debug3_f("done")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 914, 1
, SYSLOG_LEVEL_DEBUG3, ((void*)0), "done");
915}
916
917static void
918recv_rexec_state(int fd, struct sshbuf *conf)
919{
920 struct sshbuf *m, *inc;
921 u_char *cp, ver;
922 size_t len;
923 int r;
924 struct include_item *item;
925
926 debug3_f("entering fd = %d", fd)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 926, 1
, SYSLOG_LEVEL_DEBUG3, ((void*)0), "entering fd = %d", fd);
927
928 if ((m = sshbuf_new()) == NULL((void*)0) || (inc = sshbuf_new()) == NULL((void*)0))
929 fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 929
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
930 if (ssh_msg_recv(fd, m) == -1)
931 fatal_f("ssh_msg_recv failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 931
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "ssh_msg_recv failed");
932 if ((r = sshbuf_get_u8(m, &ver)) != 0)
933 fatal_fr(r, "parse version")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 933
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "parse version");
934 if (ver != 0)
935 fatal_f("rexec version mismatch")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 935
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "rexec version mismatch"
);
936 if ((r = sshbuf_get_string(m, &cp, &len)) != 0 ||
937 (r = sshbuf_get_stringb(m, inc)) != 0)
938 fatal_fr(r, "parse config")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 938
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "parse config");
939
940 if (conf != NULL((void*)0) && (r = sshbuf_put(conf, cp, len)))
941 fatal_fr(r, "sshbuf_put")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 941
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_put");
942
943 while (sshbuf_len(inc) != 0) {
944 item = xcalloc(1, sizeof(*item));
945 if ((item->contents = sshbuf_new()) == NULL((void*)0))
946 fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 946
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
947 if ((r = sshbuf_get_cstring(inc, &item->selector, NULL((void*)0))) != 0 ||
948 (r = sshbuf_get_cstring(inc, &item->filename, NULL((void*)0))) != 0 ||
949 (r = sshbuf_get_stringb(inc, item->contents)) != 0)
950 fatal_fr(r, "parse includes")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 950
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "parse includes");
951 TAILQ_INSERT_TAIL(&includes, item, entry)do { (item)->entry.tqe_next = ((void*)0); (item)->entry
.tqe_prev = (&includes)->tqh_last; *(&includes)->
tqh_last = (item); (&includes)->tqh_last = &(item)
->entry.tqe_next; } while (0);
952 }
953
954 free(cp);
955 sshbuf_free(m);
956
957 debug3_f("done")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 957, 1
, SYSLOG_LEVEL_DEBUG3, ((void*)0), "done");
958}
959
960/* Accept a connection from inetd */
961static void
962server_accept_inetd(int *sock_in, int *sock_out)
963{
964 if (rexeced_flag) {
965 close(REEXEC_CONFIG_PASS_FD(2 + 3));
966 *sock_in = *sock_out = dup(STDIN_FILENO0);
967 } else {
968 *sock_in = dup(STDIN_FILENO0);
969 *sock_out = dup(STDOUT_FILENO1);
970 }
971 /*
972 * We intentionally do not close the descriptors 0, 1, and 2
973 * as our code for setting the descriptors won't work if
974 * ttyfd happens to be one of those.
975 */
976 if (stdfd_devnull(1, 1, !log_stderr) == -1)
977 error_f("stdfd_devnull failed")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 977, 1
, SYSLOG_LEVEL_ERROR, ((void*)0), "stdfd_devnull failed");
978 debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 978, 0
, SYSLOG_LEVEL_DEBUG1, ((void*)0), "inetd sockets after dupping: %d, %d"
, *sock_in, *sock_out);
979}
980
981/*
982 * Listen for TCP connections
983 */
984static void
985listen_on_addrs(struct listenaddr *la)
986{
987 int ret, listen_sock;
988 struct addrinfo *ai;
989 char ntop[NI_MAXHOST256], strport[NI_MAXSERV32];
990
991 for (ai = la->addrs; ai; ai = ai->ai_next) {
992 if (ai->ai_family != AF_INET2 && ai->ai_family != AF_INET624)
993 continue;
994 if (num_listen_socks >= MAX_LISTEN_SOCKS16)
995 fatal("Too many listen sockets. "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 996
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Too many listen sockets. "
"Enlarge MAX_LISTEN_SOCKS")
996 "Enlarge MAX_LISTEN_SOCKS")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 996
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Too many listen sockets. "
"Enlarge MAX_LISTEN_SOCKS");
997 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
998 ntop, sizeof(ntop), strport, sizeof(strport),
999 NI_NUMERICHOST1|NI_NUMERICSERV2)) != 0) {
1000 error("getnameinfo failed: %.100s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1001,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "getnameinfo failed: %.100s"
, ssh_gai_strerror(ret))
1001 ssh_gai_strerror(ret))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1001,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "getnameinfo failed: %.100s"
, ssh_gai_strerror(ret));
1002 continue;
1003 }
1004 /* Create socket for listening. */
1005 listen_sock = socket(ai->ai_family, ai->ai_socktype,
1006 ai->ai_protocol);
1007 if (listen_sock == -1) {
1008 /* kernel may not support ipv6 */
1009 verbose("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1009,
0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "socket: %.100s", strerror
((*__errno())));
1010 continue;
1011 }
1012 if (set_nonblock(listen_sock) == -1) {
1013 close(listen_sock);
1014 continue;
1015 }
1016 if (fcntl(listen_sock, F_SETFD2, FD_CLOEXEC1) == -1) {
1017 verbose("socket: CLOEXEC: %s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1017,
0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "socket: CLOEXEC: %s", strerror
((*__errno())));
1018 close(listen_sock);
1019 continue;
1020 }
1021 /* Socket options */
1022 set_reuseaddr(listen_sock);
1023 if (la->rdomain != NULL((void*)0) &&
1024 set_rdomain(listen_sock, la->rdomain) == -1) {
1025 close(listen_sock);
1026 continue;
1027 }
1028
1029 debug("Bind to port %s on %s.", strport, ntop)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1029,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "Bind to port %s on %s."
, strport, ntop);
1030
1031 /* Bind the socket to the desired port. */
1032 if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
1033 error("Bind to port %s on %s failed: %.200s.",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1034,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "Bind to port %s on %s failed: %.200s."
, strport, ntop, strerror((*__errno())))
1034 strport, ntop, strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1034,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "Bind to port %s on %s failed: %.200s."
, strport, ntop, strerror((*__errno())));
1035 close(listen_sock);
1036 continue;
1037 }
1038 listen_socks[num_listen_socks] = listen_sock;
1039 num_listen_socks++;
1040
1041 /* Start listening on the port. */
1042 if (listen(listen_sock, SSH_LISTEN_BACKLOG128) == -1)
1043 fatal("listen on [%s]:%s: %.100s",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1044
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "listen on [%s]:%s: %.100s"
, ntop, strport, strerror((*__errno())))
1044 ntop, strport, strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1044
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "listen on [%s]:%s: %.100s"
, ntop, strport, strerror((*__errno())));
1045 logit("Server listening on %s port %s%s%s.",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1048,
0, SYSLOG_LEVEL_INFO, ((void*)0), "Server listening on %s port %s%s%s."
, ntop, strport, la->rdomain == ((void*)0) ? "" : " rdomain "
, la->rdomain == ((void*)0) ? "" : la->rdomain)
1046 ntop, strport,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1048,
0, SYSLOG_LEVEL_INFO, ((void*)0), "Server listening on %s port %s%s%s."
, ntop, strport, la->rdomain == ((void*)0) ? "" : " rdomain "
, la->rdomain == ((void*)0) ? "" : la->rdomain)
1047 la->rdomain == NULL ? "" : " rdomain ",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1048,
0, SYSLOG_LEVEL_INFO, ((void*)0), "Server listening on %s port %s%s%s."
, ntop, strport, la->rdomain == ((void*)0) ? "" : " rdomain "
, la->rdomain == ((void*)0) ? "" : la->rdomain)
1048 la->rdomain == NULL ? "" : la->rdomain)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1048,
0, SYSLOG_LEVEL_INFO, ((void*)0), "Server listening on %s port %s%s%s."
, ntop, strport, la->rdomain == ((void*)0) ? "" : " rdomain "
, la->rdomain == ((void*)0) ? "" : la->rdomain);
1049 }
1050}
1051
1052static void
1053server_listen(void)
1054{
1055 u_int i;
1056
1057 /* Initialise per-source limit tracking. */
1058 srclimit_init(options.max_startups, options.per_source_max_startups,
1059 options.per_source_masklen_ipv4, options.per_source_masklen_ipv6);
1060
1061 for (i = 0; i < options.num_listen_addrs; i++) {
1062 listen_on_addrs(&options.listen_addrs[i]);
1063 freeaddrinfo(options.listen_addrs[i].addrs);
1064 free(options.listen_addrs[i].rdomain);
1065 memset(&options.listen_addrs[i], 0,
1066 sizeof(options.listen_addrs[i]));
1067 }
1068 free(options.listen_addrs);
1069 options.listen_addrs = NULL((void*)0);
1070 options.num_listen_addrs = 0;
1071
1072 if (!num_listen_socks)
1073 fatal("Cannot bind any address.")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1073
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Cannot bind any address."
);
1074}
1075
1076/*
1077 * The main TCP accept loop. Note that, for the non-debug case, returns
1078 * from this function are in a forked subprocess.
1079 */
1080static void
1081server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1082{
1083 struct pollfd *pfd = NULL((void*)0);
1084 int i, j, ret;
1085 int ostartups = -1, startups = 0, listening = 0, lameduck = 0;
1086 int startup_p[2] = { -1 , -1 };
1087 char c = 0;
1088 struct sockaddr_storage from;
1089 socklen_t fromlen;
1090 pid_t pid;
1091 sigset_t nsigset, osigset;
1092
1093 /* setup fd set for accept */
1094 /* pipes connected to unauthenticated child sshd processes */
1095 startup_pipes = xcalloc(options.max_startups, sizeof(int));
1096 startup_flags = xcalloc(options.max_startups, sizeof(int));
1097 for (i = 0; i < options.max_startups; i++)
1098 startup_pipes[i] = -1;
1099
1100 /*
1101 * Prepare signal mask that we use to block signals that might set
1102 * received_sigterm or received_sighup, so that we are guaranteed
1103 * to immediately wake up the ppoll if a signal is received after
1104 * the flag is checked.
1105 */
1106 sigemptyset(&nsigset);
1107 sigaddset(&nsigset, SIGHUP1);
1108 sigaddset(&nsigset, SIGCHLD20);
1109 sigaddset(&nsigset, SIGTERM15);
1110 sigaddset(&nsigset, SIGQUIT3);
1111
1112 pfd = xcalloc(num_listen_socks + options.max_startups,
1113 sizeof(struct pollfd));
1114
1115 /*
1116 * Stay listening for connections until the system crashes or
1117 * the daemon is killed with a signal.
1118 */
1119 for (;;) {
1120 sigprocmask(SIG_BLOCK1, &nsigset, &osigset);
1121 if (received_sigterm) {
1122 logit("Received signal %d; terminating.",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1123,
0, SYSLOG_LEVEL_INFO, ((void*)0), "Received signal %d; terminating."
, (int) received_sigterm)
1123 (int) received_sigterm)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1123,
0, SYSLOG_LEVEL_INFO, ((void*)0), "Received signal %d; terminating."
, (int) received_sigterm);
1124 close_listen_socks();
1125 if (options.pid_file != NULL((void*)0))
1126 unlink(options.pid_file);
1127 exit(received_sigterm == SIGTERM15 ? 0 : 255);
1128 }
1129 if (ostartups != startups) {
1130 setproctitle("%s [listener] %d of %d-%d startups",
1131 listener_proctitle, startups,
1132 options.max_startups_begin, options.max_startups);
1133 ostartups = startups;
1134 }
1135 if (received_sighup) {
1136 if (!lameduck) {
1137 debug("Received SIGHUP; waiting for children")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1137,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "Received SIGHUP; waiting for children"
);
1138 close_listen_socks();
1139 lameduck = 1;
1140 }
1141 if (listening <= 0) {
1142 sigprocmask(SIG_SETMASK3, &osigset, NULL((void*)0));
1143 sighup_restart();
1144 }
1145 }
1146
1147 for (i = 0; i < num_listen_socks; i++) {
1148 pfd[i].fd = listen_socks[i];
1149 pfd[i].events = POLLIN0x0001;
1150 }
1151 for (i = 0; i < options.max_startups; i++) {
1152 pfd[num_listen_socks+i].fd = startup_pipes[i];
1153 if (startup_pipes[i] != -1)
1154 pfd[num_listen_socks+i].events = POLLIN0x0001;
1155 }
1156
1157 /* Wait until a connection arrives or a child exits. */
1158 ret = ppoll(pfd, num_listen_socks + options.max_startups,
1159 NULL((void*)0), &osigset);
1160 if (ret == -1 && errno(*__errno()) != EINTR4)
1161 error("ppoll: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1161,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "ppoll: %.100s", strerror
((*__errno())));
1162 sigprocmask(SIG_SETMASK3, &osigset, NULL((void*)0));
1163 if (ret == -1)
1164 continue;
1165
1166 for (i = 0; i < options.max_startups; i++) {
1167 if (startup_pipes[i] == -1 ||
1168 !(pfd[num_listen_socks+i].revents & (POLLIN0x0001|POLLHUP0x0010)))
1169 continue;
1170 switch (read(startup_pipes[i], &c, sizeof(c))) {
1171 case -1:
1172 if (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)
1173 continue;
1174 if (errno(*__errno()) != EPIPE32) {
1175 error_f("startup pipe %d (fd=%d): "sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1177,
1, SYSLOG_LEVEL_ERROR, ((void*)0), "startup pipe %d (fd=%d): "
"read %s", i, startup_pipes[i], strerror((*__errno())))
1176 "read %s", i, startup_pipes[i],sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1177,
1, SYSLOG_LEVEL_ERROR, ((void*)0), "startup pipe %d (fd=%d): "
"read %s", i, startup_pipes[i], strerror((*__errno())))
1177 strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1177,
1, SYSLOG_LEVEL_ERROR, ((void*)0), "startup pipe %d (fd=%d): "
"read %s", i, startup_pipes[i], strerror((*__errno())));
1178 }
1179 /* FALLTHROUGH */
1180 case 0:
1181 /* child exited or completed auth */
1182 close(startup_pipes[i]);
1183 srclimit_done(startup_pipes[i]);
1184 startup_pipes[i] = -1;
1185 startups--;
1186 if (startup_flags[i])
1187 listening--;
1188 break;
1189 case 1:
1190 /* child has finished preliminaries */
1191 if (startup_flags[i]) {
1192 listening--;
1193 startup_flags[i] = 0;
1194 }
1195 break;
1196 }
1197 }
1198 for (i = 0; i < num_listen_socks; i++) {
1199 if (!(pfd[i].revents & POLLIN0x0001))
1200 continue;
1201 fromlen = sizeof(from);
1202 *newsock = accept(listen_socks[i],
1203 (struct sockaddr *)&from, &fromlen);
1204 if (*newsock == -1) {
1205 if (errno(*__errno()) != EINTR4 && errno(*__errno()) != EWOULDBLOCK35 &&
1206 errno(*__errno()) != ECONNABORTED53)
1207 error("accept: %.100s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1208,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "accept: %.100s", strerror
((*__errno())))
1208 strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1208,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "accept: %.100s", strerror
((*__errno())));
1209 if (errno(*__errno()) == EMFILE24 || errno(*__errno()) == ENFILE23)
1210 usleep(100 * 1000);
1211 continue;
1212 }
1213 if (unset_nonblock(*newsock) == -1 ||
1214 pipe(startup_p) == -1) {
1215 close(*newsock);
1216 continue;
1217 }
1218 if (drop_connection(*newsock, startups, startup_p[0])) {
1219 close(*newsock);
1220 close(startup_p[0]);
1221 close(startup_p[1]);
1222 continue;
1223 }
1224
1225 if (rexec_flag && socketpair(AF_UNIX1,
1226 SOCK_STREAM1, 0, config_s) == -1) {
1227 error("reexec socketpair: %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1228,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "reexec socketpair: %s", strerror
((*__errno())))
1228 strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1228,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "reexec socketpair: %s", strerror
((*__errno())));
1229 close(*newsock);
1230 close(startup_p[0]);
1231 close(startup_p[1]);
1232 continue;
1233 }
1234
1235 for (j = 0; j < options.max_startups; j++)
1236 if (startup_pipes[j] == -1) {
1237 startup_pipes[j] = startup_p[0];
1238 startups++;
1239 startup_flags[j] = 1;
1240 break;
1241 }
1242
1243 /*
1244 * Got connection. Fork a child to handle it, unless
1245 * we are in debugging mode.
1246 */
1247 if (debug_flag) {
1248 /*
1249 * In debugging mode. Close the listening
1250 * socket, and start processing the
1251 * connection without forking.
1252 */
1253 debug("Server will not fork when running in debugging mode.")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1253,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "Server will not fork when running in debugging mode."
);
1254 close_listen_socks();
1255 *sock_in = *newsock;
1256 *sock_out = *newsock;
1257 close(startup_p[0]);
1258 close(startup_p[1]);
1259 startup_pipe = -1;
1260 pid = getpid();
1261 if (rexec_flag) {
1262 send_rexec_state(config_s[0], cfg);
1263 close(config_s[0]);
1264 }
1265 free(pfd);
1266 return;
1267 }
1268
1269 /*
1270 * Normal production daemon. Fork, and have
1271 * the child process the connection. The
1272 * parent continues listening.
1273 */
1274 listening++;
1275 if ((pid = fork()) == 0) {
1276 /*
1277 * Child. Close the listening and
1278 * max_startup sockets. Start using
1279 * the accepted socket. Reinitialize
1280 * logging (since our pid has changed).
1281 * We return from this function to handle
1282 * the connection.
1283 */
1284 startup_pipe = startup_p[1];
1285 close_startup_pipes();
1286 close_listen_socks();
1287 *sock_in = *newsock;
1288 *sock_out = *newsock;
1289 log_init(__progname,
1290 options.log_level,
1291 options.log_facility,
1292 log_stderr);
1293 if (rexec_flag)
1294 close(config_s[0]);
1295 else {
1296 /*
1297 * Signal parent that the preliminaries
1298 * for this child are complete. For the
1299 * re-exec case, this happens after the
1300 * child has received the rexec state
1301 * from the server.
1302 */
1303 (void)atomicio(vwrite(ssize_t (*)(int, void *, size_t))write, startup_pipe,
1304 "\0", 1);
1305 }
1306 free(pfd);
1307 return;
1308 }
1309
1310 /* Parent. Stay in the loop. */
1311 if (pid == -1)
1312 error("fork: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1312,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "fork: %.100s", strerror(
(*__errno())));
1313 else
1314 debug("Forked child %ld.", (long)pid)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1314,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "Forked child %ld.", (long
)pid);
1315
1316 close(startup_p[1]);
1317
1318 if (rexec_flag) {
1319 close(config_s[1]);
1320 send_rexec_state(config_s[0], cfg);
1321 close(config_s[0]);
1322 }
1323 close(*newsock);
1324 }
1325 }
1326}
1327
1328/*
1329 * If IP options are supported, make sure there are none (log and
1330 * return an error if any are found). Basically we are worried about
1331 * source routing; it can be used to pretend you are somebody
1332 * (ip-address) you are not. That itself may be "almost acceptable"
1333 * under certain circumstances, but rhosts authentication is useless
1334 * if source routing is accepted. Notice also that if we just dropped
1335 * source routing here, the other side could use IP spoofing to do
1336 * rest of the interaction and could still bypass security. So we
1337 * exit here if we detect any IP options.
1338 */
1339static void
1340check_ip_options(struct ssh *ssh)
1341{
1342 int sock_in = ssh_packet_get_connection_in(ssh);
1343 struct sockaddr_storage from;
1344 u_char opts[200];
1345 socklen_t i, option_size = sizeof(opts), fromlen = sizeof(from);
1346 char text[sizeof(opts) * 3 + 1];
1347
1348 memset(&from, 0, sizeof(from));
1349 if (getpeername(sock_in, (struct sockaddr *)&from,
1350 &fromlen) == -1)
1351 return;
1352 if (from.ss_family != AF_INET2)
1353 return;
1354 /* XXX IPv6 options? */
1355
1356 if (getsockopt(sock_in, IPPROTO_IP0, IP_OPTIONS1, opts,
1357 &option_size) >= 0 && option_size != 0) {
1358 text[0] = '\0';
1359 for (i = 0; i < option_size; i++)
1360 snprintf(text + i*3, sizeof(text) - i*3,
1361 " %2.2x", opts[i]);
1362 fatal("Connection from %.100s port %d with IP opts: %.800s",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1363
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Connection from %.100s port %d with IP opts: %.800s"
, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text)
1363 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1363
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Connection from %.100s port %d with IP opts: %.800s"
, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
1364 }
1365 return;
1366}
1367
1368/* Set the routing domain for this process */
1369static void
1370set_process_rdomain(struct ssh *ssh, const char *name)
1371{
1372 int rtable, ortable = getrtable();
1373 const char *errstr;
1374
1375 if (name == NULL((void*)0))
1376 return; /* default */
1377
1378 if (strcmp(name, "%D") == 0) {
1379 /* "expands" to routing domain of connection */
1380 if ((name = ssh_packet_rdomain_in(ssh)) == NULL((void*)0))
1381 return;
1382 }
1383
1384 rtable = (int)strtonum(name, 0, 255, &errstr);
1385 if (errstr != NULL((void*)0)) /* Shouldn't happen */
1386 fatal("Invalid routing domain \"%s\": %s", name, errstr)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1386
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Invalid routing domain \"%s\": %s"
, name, errstr);
1387 if (rtable != ortable && setrtable(rtable) != 0)
1388 fatal("Unable to set routing domain %d: %s",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1389
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Unable to set routing domain %d: %s"
, rtable, strerror((*__errno())))
1389 rtable, strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1389
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Unable to set routing domain %d: %s"
, rtable, strerror((*__errno())));
1390 debug_f("set routing domain %d (was %d)", rtable, ortable)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1390,
1, SYSLOG_LEVEL_DEBUG1, ((void*)0), "set routing domain %d (was %d)"
, rtable, ortable);
1391}
1392
1393static void
1394accumulate_host_timing_secret(struct sshbuf *server_cfg,
1395 struct sshkey *key)
1396{
1397 static struct ssh_digest_ctx *ctx;
1398 u_char *hash;
1399 size_t len;
1400 struct sshbuf *buf;
1401 int r;
1402
1403 if (ctx == NULL((void*)0) && (ctx = ssh_digest_start(SSH_DIGEST_SHA5124)) == NULL((void*)0))
1404 fatal_f("ssh_digest_start")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1404
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "ssh_digest_start");
1405 if (key == NULL((void*)0)) { /* finalize */
1406 /* add server config in case we are using agent for host keys */
1407 if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
1408 sshbuf_len(server_cfg)) != 0)
1409 fatal_f("ssh_digest_update")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1409
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "ssh_digest_update");
1410 len = ssh_digest_bytes(SSH_DIGEST_SHA5124);
1411 hash = xmalloc(len);
1412 if (ssh_digest_final(ctx, hash, len) != 0)
1413 fatal_f("ssh_digest_final")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1413
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "ssh_digest_final");
1414 options.timing_secret = PEEK_U64(hash)(((u_int64_t)(((const u_char *)(hash))[0]) << 56) | ((u_int64_t
)(((const u_char *)(hash))[1]) << 48) | ((u_int64_t)(((
const u_char *)(hash))[2]) << 40) | ((u_int64_t)(((const
u_char *)(hash))[3]) << 32) | ((u_int64_t)(((const u_char
*)(hash))[4]) << 24) | ((u_int64_t)(((const u_char *)(
hash))[5]) << 16) | ((u_int64_t)(((const u_char *)(hash
))[6]) << 8) | (u_int64_t)(((const u_char *)(hash))[7])
);
1415 freezero(hash, len);
1416 ssh_digest_free(ctx);
1417 ctx = NULL((void*)0);
1418 return;
1419 }
1420 if ((buf = sshbuf_new()) == NULL((void*)0))
1421 fatal_f("could not allocate buffer")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1421
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "could not allocate buffer"
);
1422 if ((r = sshkey_private_serialize(key, buf)) != 0)
1423 fatal_fr(r, "decode key")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1423
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "decode key");
1424 if (ssh_digest_update(ctx, sshbuf_ptr(buf), sshbuf_len(buf)) != 0)
1425 fatal_f("ssh_digest_update")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1425
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "ssh_digest_update");
1426 sshbuf_reset(buf);
1427 sshbuf_free(buf);
1428}
1429
1430static char *
1431prepare_proctitle(int ac, char **av)
1432{
1433 char *ret = NULL((void*)0);
1434 int i;
1435
1436 for (i = 0; i < ac; i++)
1437 xextendf(&ret, " ", "%s", av[i]);
1438 return ret;
1439}
1440
1441/*
1442 * Main program for the daemon.
1443 */
1444int
1445main(int ac, char **av)
1446{
1447 struct ssh *ssh = NULL((void*)0);
1448 extern char *optarg;
1449 extern int optind;
1450 int r, opt, on = 1, already_daemon, remote_port;
1451 int sock_in = -1, sock_out = -1, newsock = -1;
1452 const char *remote_ip, *rdomain;
1453 char *fp, *line, *laddr, *logfile = NULL((void*)0);
1454 int config_s[2] = { -1 , -1 };
1455 u_int i, j;
1456 u_int64_t ibytes, obytes;
1457 mode_t new_umask;
1458 struct sshkey *key;
1459 struct sshkey *pubkey;
1460 int keytype;
1461 Authctxt *authctxt;
1462 struct connection_info *connection_info = NULL((void*)0);
1463
1464 /* Save argv. */
1465 saved_argv = av;
1466 rexec_argc = ac;
1467
1468 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
1469 sanitise_stdfd();
1470
1471 /* Initialize configuration options to their default values. */
1472 initialize_server_options(&options);
1473
1474 /* Parse command-line arguments. */
1475 while ((opt = getopt(ac, av,
1
Assuming the condition is false
2
Loop condition is false. Execution continues on line 1583
1476 "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
1477 switch (opt) {
1478 case '4':
1479 options.address_family = AF_INET2;
1480 break;
1481 case '6':
1482 options.address_family = AF_INET624;
1483 break;
1484 case 'f':
1485 config_file_name = optarg;
1486 break;
1487 case 'c':
1488 servconf_add_hostcert("[command-line]", 0,
1489 &options, optarg);
1490 break;
1491 case 'd':
1492 if (debug_flag == 0) {
1493 debug_flag = 1;
1494 options.log_level = SYSLOG_LEVEL_DEBUG1;
1495 } else if (options.log_level < SYSLOG_LEVEL_DEBUG3)
1496 options.log_level++;
1497 break;
1498 case 'D':
1499 no_daemon_flag = 1;
1500 break;
1501 case 'E':
1502 logfile = optarg;
1503 /* FALLTHROUGH */
1504 case 'e':
1505 log_stderr = 1;
1506 break;
1507 case 'i':
1508 inetd_flag = 1;
1509 break;
1510 case 'r':
1511 rexec_flag = 0;
1512 break;
1513 case 'R':
1514 rexeced_flag = 1;
1515 inetd_flag = 1;
1516 break;
1517 case 'Q':
1518 /* ignored */
1519 break;
1520 case 'q':
1521 options.log_level = SYSLOG_LEVEL_QUIET;
1522 break;
1523 case 'b':
1524 /* protocol 1, ignored */
1525 break;
1526 case 'p':
1527 options.ports_from_cmdline = 1;
1528 if (options.num_ports >= MAX_PORTS256) {
1529 fprintf(stderr(&__sF[2]), "too many ports.\n");
1530 exit(1);
1531 }
1532 options.ports[options.num_ports++] = a2port(optarg);
1533 if (options.ports[options.num_ports-1] <= 0) {
1534 fprintf(stderr(&__sF[2]), "Bad port number.\n");
1535 exit(1);
1536 }
1537 break;
1538 case 'g':
1539 if ((options.login_grace_time = convtime(optarg)) == -1) {
1540 fprintf(stderr(&__sF[2]), "Invalid login grace time.\n");
1541 exit(1);
1542 }
1543 break;
1544 case 'k':
1545 /* protocol 1, ignored */
1546 break;
1547 case 'h':
1548 servconf_add_hostkey("[command-line]", 0,
1549 &options, optarg, 1);
1550 break;
1551 case 't':
1552 test_flag = 1;
1553 break;
1554 case 'T':
1555 test_flag = 2;
1556 break;
1557 case 'C':
1558 connection_info = get_connection_info(ssh, 0, 0);
1559 if (parse_server_match_testspec(connection_info,
1560 optarg) == -1)
1561 exit(1);
1562 break;
1563 case 'u':
1564 utmp_len = (u_int)strtonum(optarg, 0, HOST_NAME_MAX255+1+1, NULL((void*)0));
1565 if (utmp_len > HOST_NAME_MAX255+1) {
1566 fprintf(stderr(&__sF[2]), "Invalid utmp length.\n");
1567 exit(1);
1568 }
1569 break;
1570 case 'o':
1571 line = xstrdup(optarg);
1572 if (process_server_config_line(&options, line,
1573 "command-line", 0, NULL((void*)0), NULL((void*)0), &includes) != 0)
1574 exit(1);
1575 free(line);
1576 break;
1577 case '?':
1578 default:
1579 usage();
1580 break;
1581 }
1582 }
1583 if (rexeced_flag
2.1
'rexeced_flag' is 0
 || inetd_flag
2.2
'inetd_flag' is 0
)
3
Taking false branch
1584 rexec_flag = 0;
1585 if (!test_flag
3.1
'test_flag' is 0
 && rexec_flag
3.2
'rexec_flag' is 1
 && !path_absolute(av[0]))
4
Assuming the condition is false
5
Taking false branch
1586 fatal("sshd re-exec requires execution with an absolute path")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1586
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "sshd re-exec requires execution with an absolute path"
);
1587 if (rexeced_flag
5.1
'rexeced_flag' is 0
)
6
Taking false branch
1588 closefrom(REEXEC_MIN_FREE_FD(2 + 4));
1589 else
1590 closefrom(REEXEC_DEVCRYPTO_RESERVED_FD(2 + 1));
1591
1592#ifdef WITH_OPENSSL1
1593 OpenSSL_add_all_algorithms()OPENSSL_add_all_algorithms_noconf();
1594#endif
1595
1596 /* If requested, redirect the logs to the specified logfile. */
1597 if (logfile
6.1
'logfile' is equal to NULL
 != NULL((void*)0))
7
Taking false branch
1598 log_redirect_stderr_to(logfile);
1599 /*
1600 * Force logging to stderr until we have loaded the private host
1601 * key (unless started from inetd)
1602 */
1603 log_init(__progname,
1604 options.log_level == SYSLOG_LEVEL_NOT_SET ?
8
Assuming field 'log_level' is equal to SYSLOG_LEVEL_NOT_SET
9
'?' condition is true
1605 SYSLOG_LEVEL_INFO : options.log_level,
1606 options.log_facility == SYSLOG_FACILITY_NOT_SET ?
10
Assuming field 'log_facility' is equal to SYSLOG_FACILITY_NOT_SET
11
'?' condition is true
1607 SYSLOG_FACILITY_AUTH : options.log_facility,
1608 log_stderr
11.1
'log_stderr' is 0
 || !inetd_flag
11.2
'inetd_flag' is 0
 || debug_flag);
1609
1610 sensitive_data.have_ssh2_key = 0;
1611
1612 /*
1613 * If we're not doing an extended test do not silently ignore connection
1614 * test params.
1615 */
1616 if (test_flag
11.3
'test_flag' is < 2
 < 2 && connection_info
11.4
'connection_info' is equal to NULL
 != NULL((void*)0))
12
Taking false branch
1617 fatal("Config test connection parameter (-C) provided without "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1618
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Config test connection parameter (-C) provided without "
"test mode (-T)")
1618 "test mode (-T)")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1618
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Config test connection parameter (-C) provided without "
"test mode (-T)");
1619
1620 /* Fetch our configuration */
1621 if ((cfg = sshbuf_new()) == NULL((void*)0))
13
Assuming the condition is false
14
Taking false branch
1622 fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1622
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
1623 if (rexeced_flag
14.1
'rexeced_flag' is 0
) {
15
Taking false branch
1624 setproctitle("%s", "[rexeced]");
1625 recv_rexec_state(REEXEC_CONFIG_PASS_FD(2 + 3), cfg);
1626 if (!debug_flag) {
1627 startup_pipe = dup(REEXEC_STARTUP_PIPE_FD(2 + 2));
1628 close(REEXEC_STARTUP_PIPE_FD(2 + 2));
1629 /*
1630 * Signal parent that this child is at a point where
1631 * they can go away if they have a SIGHUP pending.
1632 */
1633 (void)atomicio(vwrite(ssize_t (*)(int, void *, size_t))write, startup_pipe, "\0", 1);
1634 }
1635 } else if (strcasecmp(config_file_name, "none") != 0)
16
Taking true branch
1636 load_server_config(config_file_name, cfg);
1637
1638 parse_server_config(&options, rexeced_flag
16.1
'rexeced_flag' is 0
 ? "rexec" : config_file_name,
17
'?' condition is false
1639 cfg, &includes, NULL((void*)0));
1640
1641#ifdef WITH_OPENSSL1
1642 if (options.moduli_file != NULL((void*)0))
18
Assuming field 'moduli_file' is equal to NULL
19
Taking false branch
1643 dh_set_moduli_file(options.moduli_file);
1644#endif
1645
1646 /* Fill in default values for those options not explicitly set. */
1647 fill_default_server_options(&options);
1648
1649 /* Check that options are sensible */
1650 if (options.authorized_keys_command_user == NULL((void*)0) &&
20
Assuming field 'authorized_keys_command_user' is not equal to NULL
1651 (options.authorized_keys_command != NULL((void*)0) &&
1652 strcasecmp(options.authorized_keys_command, "none") != 0))
1653 fatal("AuthorizedKeysCommand set without "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1654
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthorizedKeysCommand set without "
"AuthorizedKeysCommandUser")
1654 "AuthorizedKeysCommandUser")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1654
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthorizedKeysCommand set without "
"AuthorizedKeysCommandUser");
1655 if (options.authorized_principals_command_user == NULL((void*)0) &&
21
Assuming field 'authorized_principals_command_user' is not equal to NULL
1656 (options.authorized_principals_command != NULL((void*)0) &&
1657 strcasecmp(options.authorized_principals_command, "none") != 0))
1658 fatal("AuthorizedPrincipalsCommand set without "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1659
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthorizedPrincipalsCommand set without "
"AuthorizedPrincipalsCommandUser")
1659 "AuthorizedPrincipalsCommandUser")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1659
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthorizedPrincipalsCommand set without "
"AuthorizedPrincipalsCommandUser");
1660
1661 /*
1662 * Check whether there is any path through configured auth methods.
1663 * Unfortunately it is not possible to verify this generally before
1664 * daemonisation in the presence of Match block, but this catches
1665 * and warns for trivial misconfigurations that could break login.
1666 */
1667 if (options.num_auth_methods != 0) {
22
Assuming field 'num_auth_methods' is equal to 0
23
Taking false branch
1668 for (i = 0; i < options.num_auth_methods; i++) {
1669 if (auth2_methods_valid(options.auth_methods[i],
1670 1) == 0)
1671 break;
1672 }
1673 if (i >= options.num_auth_methods)
1674 fatal("AuthenticationMethods cannot be satisfied by "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1675
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthenticationMethods cannot be satisfied by "
"enabled authentication methods")
1675 "enabled authentication methods")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1675
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthenticationMethods cannot be satisfied by "
"enabled authentication methods");
1676 }
1677
1678 /* Check that there are no remaining arguments. */
1679 if (optind < ac) {
24
Assuming 'optind' is >= 'ac'
25
Taking false branch
1680 fprintf(stderr(&__sF[2]), "Extra argument %s.\n", av[optind]);
1681 exit(1);
1682 }
1683
1684 debug("sshd version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1684,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "sshd version %s, %s", "OpenSSH_8.8"
, OpenSSL_version(0));
1685
1686 /* load host keys */
1687 sensitive_data.host_keys = xcalloc(options.num_host_key_files,
1688 sizeof(struct sshkey *));
1689 sensitive_data.host_pubkeys = xcalloc(options.num_host_key_files,
1690 sizeof(struct sshkey *));
1691
1692 if (options.host_key_agent) {
26
Assuming field 'host_key_agent' is null
27
Taking false branch
1693 if (strcmp(options.host_key_agent, SSH_AUTHSOCKET_ENV_NAME"SSH_AUTH_SOCK"))
1694 setenv(SSH_AUTHSOCKET_ENV_NAME"SSH_AUTH_SOCK",
1695 options.host_key_agent, 1);
1696 if ((r = ssh_get_authentication_socket(NULL((void*)0))) == 0)
1697 have_agent = 1;
1698 else
1699 error_r(r, "Could not connect to agent \"%s\"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1700,
0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Could not connect to agent \"%s\""
, options.host_key_agent)
1700 options.host_key_agent)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1700,
0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Could not connect to agent \"%s\""
, options.host_key_agent);
1701 }
1702
1703 for (i = 0; i < options.num_host_key_files; i++) {
28
Assuming 'i' is >= field 'num_host_key_files'
29
Loop condition is false. Execution continues on line 1780
1704 int ll = options.host_key_file_userprovided[i] ?
1705 SYSLOG_LEVEL_ERROR : SYSLOG_LEVEL_DEBUG1;
1706
1707 if (options.host_key_files[i] == NULL((void*)0))
1708 continue;
1709 if ((r = sshkey_load_private(options.host_key_files[i], "",
1710 &key, NULL((void*)0))) != 0 && r != SSH_ERR_SYSTEM_ERROR-24)
1711 do_log2_r(r, ll, "Unable to load host key \"%s\"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1712,
0, ll, ssh_err(r), "Unable to load host key \"%s\"", options
.host_key_files[i])
1712 options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1712,
0, ll, ssh_err(r), "Unable to load host key \"%s\"", options
.host_key_files[i]);
1713 if (sshkey_is_sk(key) &&
1714 key->sk_flags & SSH_SK_USER_PRESENCE_REQD0x01) {
1715 debug("host key %s requires user presence, ignoring",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1716,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "host key %s requires user presence, ignoring"
, options.host_key_files[i])
1716 options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1716,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "host key %s requires user presence, ignoring"
, options.host_key_files[i]);
1717 key->sk_flags &= ~SSH_SK_USER_PRESENCE_REQD0x01;
1718 }
1719 if (r == 0 && key != NULL((void*)0) &&
1720 (r = sshkey_shield_private(key)) != 0) {
1721 do_log2_r(r, ll, "Unable to shield host key \"%s\"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1722,
0, ll, ssh_err(r), "Unable to shield host key \"%s\"", options
.host_key_files[i])
1722 options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1722,
0, ll, ssh_err(r), "Unable to shield host key \"%s\"", options
.host_key_files[i]);
1723 sshkey_free(key);
1724 key = NULL((void*)0);
1725 }
1726 if ((r = sshkey_load_public(options.host_key_files[i],
1727 &pubkey, NULL((void*)0))) != 0 && r != SSH_ERR_SYSTEM_ERROR-24)
1728 do_log2_r(r, ll, "Unable to load host key \"%s\"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1729,
0, ll, ssh_err(r), "Unable to load host key \"%s\"", options
.host_key_files[i])
1729 options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1729,
0, ll, ssh_err(r), "Unable to load host key \"%s\"", options
.host_key_files[i]);
1730 if (pubkey != NULL((void*)0) && key != NULL((void*)0)) {
1731 if (!sshkey_equal(pubkey, key)) {
1732 error("Public key for %s does not match "sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1733,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "Public key for %s does not match "
"private key", options.host_key_files[i])
1733 "private key", options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1733,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "Public key for %s does not match "
"private key", options.host_key_files[i]);
1734 sshkey_free(pubkey);
1735 pubkey = NULL((void*)0);
1736 }
1737 }
1738 if (pubkey == NULL((void*)0) && key != NULL((void*)0)) {
1739 if ((r = sshkey_from_private(key, &pubkey)) != 0)
1740 fatal_r(r, "Could not demote key: \"%s\"",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1741
, 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "Could not demote key: \"%s\""
, options.host_key_files[i])
1741 options.host_key_files[i])sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1741
, 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "Could not demote key: \"%s\""
, options.host_key_files[i]);
1742 }
1743 sensitive_data.host_keys[i] = key;
1744 sensitive_data.host_pubkeys[i] = pubkey;
1745
1746 if (key == NULL((void*)0) && pubkey != NULL((void*)0) && have_agent) {
1747 debug("will rely on agent for hostkey %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1748,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "will rely on agent for hostkey %s"
, options.host_key_files[i])
1748 options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1748,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "will rely on agent for hostkey %s"
, options.host_key_files[i]);
1749 keytype = pubkey->type;
1750 } else if (key != NULL((void*)0)) {
1751 keytype = key->type;
1752 accumulate_host_timing_secret(cfg, key);
1753 } else {
1754 do_log2(ll, "Unable to load host key: %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1755,
0, ll, ((void*)0), "Unable to load host key: %s", options.host_key_files
[i])
1755 options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1755,
0, ll, ((void*)0), "Unable to load host key: %s", options.host_key_files
[i]);
1756 sensitive_data.host_keys[i] = NULL((void*)0);
1757 sensitive_data.host_pubkeys[i] = NULL((void*)0);
1758 continue;
1759 }
1760
1761 switch (keytype) {
1762 case KEY_RSA:
1763 case KEY_DSA:
1764 case KEY_ECDSA:
1765 case KEY_ED25519:
1766 case KEY_ECDSA_SK:
1767 case KEY_ED25519_SK:
1768 case KEY_XMSS:
1769 if (have_agent || key != NULL((void*)0))
1770 sensitive_data.have_ssh2_key = 1;
1771 break;
1772 }
1773 if ((fp = sshkey_fingerprint(pubkey, options.fingerprint_hash,
1774 SSH_FP_DEFAULT)) == NULL((void*)0))
1775 fatal("sshkey_fingerprint failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1775
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "sshkey_fingerprint failed"
);
1776 debug("%s host key #%d: %s %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1777,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "%s host key #%d: %s %s"
, key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp)
1777 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1777,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "%s host key #%d: %s %s"
, key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
1778 free(fp);
1779 }
1780 accumulate_host_timing_secret(cfg, NULL((void*)0));
1781 if (!sensitive_data.have_ssh2_key) {
30
Assuming field 'have_ssh2_key' is not equal to 0
31
Taking false branch
1782 logit("sshd: no hostkeys available -- exiting.")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1782,
0, SYSLOG_LEVEL_INFO, ((void*)0), "sshd: no hostkeys available -- exiting."
);
1783 exit(1);
1784 }
1785
1786 /*
1787 * Load certificates. They are stored in an array at identical
1788 * indices to the public keys that they relate to.
1789 */
1790 sensitive_data.host_certificates = xcalloc(options.num_host_key_files,
1791 sizeof(struct sshkey *));
1792 for (i = 0; i < options.num_host_key_files; i++)
32
Assuming 'i' is >= field 'num_host_key_files'
33
Loop condition is false. Execution continues on line 1795
1793 sensitive_data.host_certificates[i] = NULL((void*)0);
1794
1795 for (i = 0; i < options.num_host_cert_files; i++) {
34
Assuming 'i' is >= field 'num_host_cert_files'
35
Loop condition is false. Execution continues on line 1829
1796 if (options.host_cert_files[i] == NULL((void*)0))
1797 continue;
1798 if ((r = sshkey_load_public(options.host_cert_files[i],
1799 &key, NULL((void*)0))) != 0) {
1800 error_r(r, "Could not load host certificate \"%s\"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1801,
0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Could not load host certificate \"%s\""
, options.host_cert_files[i])
1801 options.host_cert_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1801,
0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Could not load host certificate \"%s\""
, options.host_cert_files[i]);
1802 continue;
1803 }
1804 if (!sshkey_is_cert(key)) {
1805 error("Certificate file is not a certificate: %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1806,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "Certificate file is not a certificate: %s"
, options.host_cert_files[i])
1806 options.host_cert_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1806,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "Certificate file is not a certificate: %s"
, options.host_cert_files[i]);
1807 sshkey_free(key);
1808 continue;
1809 }
1810 /* Find matching private key */
1811 for (j = 0; j < options.num_host_key_files; j++) {
1812 if (sshkey_equal_public(key,
1813 sensitive_data.host_pubkeys[j])) {
1814 sensitive_data.host_certificates[j] = key;
1815 break;
1816 }
1817 }
1818 if (j >= options.num_host_key_files) {
1819 error("No matching private key for certificate: %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1820,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "No matching private key for certificate: %s"
, options.host_cert_files[i])
1820 options.host_cert_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1820,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "No matching private key for certificate: %s"
, options.host_cert_files[i]);
1821 sshkey_free(key);
1822 continue;
1823 }
1824 sensitive_data.host_certificates[j] = key;
1825 debug("host certificate: #%u type %d %s", j, key->type,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1826,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "host certificate: #%u type %d %s"
, j, key->type, sshkey_type(key))
1826 sshkey_type(key))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1826,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "host certificate: #%u type %d %s"
, j, key->type, sshkey_type(key));
1827 }
1828
1829 if (use_privsep
35.1
'use_privsep' is -1
) {
36
Taking true branch
1830 struct stat st;
1831
1832 if (getpwnam(SSH_PRIVSEP_USER"sshd") == NULL((void*)0))
37
Assuming the condition is false
38
Taking false branch
1833 fatal("Privilege separation user %s does not exist",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1834
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Privilege separation user %s does not exist"
, "sshd")
1834 SSH_PRIVSEP_USER)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1834
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Privilege separation user %s does not exist"
, "sshd");
1835 endpwent();
1836 if ((stat(_PATH_PRIVSEP_CHROOT_DIR"/var/empty", &st) == -1) ||
39
Assuming the condition is false
41
Taking false branch
1837 (S_ISDIR(st.st_mode)((st.st_mode & 0170000) == 0040000) == 0))
40
Assuming the condition is true
1838 fatal("Missing privilege separation directory: %s",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1839
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Missing privilege separation directory: %s"
, "/var/empty")
1839 _PATH_PRIVSEP_CHROOT_DIR)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1839
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Missing privilege separation directory: %s"
, "/var/empty");
1840 if (st.st_uid != 0 || (st.st_mode & (S_IWGRP0000020|S_IWOTH0000002)) != 0)
42
Assuming field 'st_uid' is equal to 0
43
Assuming the condition is false
44
Taking false branch
1841 fatal("%s must be owned by root and not group or "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1842
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "%s must be owned by root and not group or "
"world-writable.", "/var/empty")
1842 "world-writable.", _PATH_PRIVSEP_CHROOT_DIR)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1842
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "%s must be owned by root and not group or "
"world-writable.", "/var/empty");
1843 }
1844
1845 if (test_flag
44.1
'test_flag' is <= 1
 > 1) {
45
Taking false branch
1846 /*
1847 * If no connection info was provided by -C then use
1848 * use a blank one that will cause no predicate to match.
1849 */
1850 if (connection_info == NULL((void*)0))
1851 connection_info = get_connection_info(ssh, 0, 0);
1852 connection_info->test = 1;
1853 parse_server_match_config(&options, &includes, connection_info);
1854 dump_config(&options);
1855 }
1856
1857 /* Configuration looks good, so exit if in test mode. */
1858 if (test_flag
45.1
'test_flag' is 0
)
46
Taking false branch
1859 exit(0);
1860
1861 if (rexec_flag
46.1
'rexec_flag' is 1
) {
47
Taking true branch
1862 if (rexec_argc
47.1
'rexec_argc' is >= 0
 < 0)
48
Taking false branch
1863 fatal("rexec_argc %d < 0", rexec_argc)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1863
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "rexec_argc %d < 0", rexec_argc
);
1864 rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
1865 for (i = 0; i < (u_int)rexec_argc; i++) {
49
Loop condition is false. Execution continues on line 1869
1866 debug("rexec_argv[%d]='%s'", i, saved_argv[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1866,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "rexec_argv[%d]='%s'", i
, saved_argv[i]);
1867 rexec_argv[i] = saved_argv[i];
1868 }
1869 rexec_argv[rexec_argc] = "-R";
1870 rexec_argv[rexec_argc + 1] = NULL((void*)0);
1871 }
1872 listener_proctitle = prepare_proctitle(ac, av);
1873
1874 /* Ensure that umask disallows at least group and world write */
1875 new_umask = umask(0077) | 0022;
1876 (void) umask(new_umask);
1877
1878 /* Initialize the log (it is reinitialized below in case we forked). */
1879 if (debug_flag
49.1
'debug_flag' is 0
 && (!inetd_flag || rexeced_flag))
1880 log_stderr = 1;
1881 log_init(__progname, options.log_level,
1882 options.log_facility, log_stderr);
1883 for (i = 0; i < options.num_log_verbose; i++)
50
Assuming 'i' is >= field 'num_log_verbose'
51
Loop condition is false. Execution continues on line 1891
1884 log_verbose_add(options.log_verbose[i]);
1885
1886 /*
1887 * If not in debugging mode, not started from inetd and not already
1888 * daemonized (eg re-exec via SIGHUP), disconnect from the controlling
1889 * terminal, and fork. The original process exits.
1890 */
1891 already_daemon = daemonized();
1892 if (!(debug_flag
51.1
'debug_flag' is 0
 || inetd_flag
51.2
'inetd_flag' is 0
 || no_daemon_flag
51.3
'no_daemon_flag' is 0
 || already_daemon)) {
52
Assuming the condition is false
53
Taking false branch
1893
1894 if (daemon(0, 0) == -1)
1895 fatal("daemon() failed: %.200s", strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1895
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "daemon() failed: %.200s"
, strerror((*__errno())));
1896
1897 disconnect_controlling_tty();
1898 }
1899 /* Reinitialize the log (because of the fork above). */
1900 log_init(__progname, options.log_level, options.log_facility, log_stderr);
1901
1902 /*
1903 * Chdir to the root directory so that the current disk can be
1904 * unmounted if desired.
1905 */
1906 if (chdir("/") == -1)
54
Assuming the condition is false
55
Taking false branch
1907 error("chdir(\"/\"): %s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1907,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "chdir(\"/\"): %s", strerror
((*__errno())));
1908
1909 /* ignore SIGPIPE */
1910 ssh_signal(SIGPIPE13, SIG_IGN(void (*)(int))1);
1911
1912 /* Get a connection, either from inetd or a listening TCP socket */
1913 if (inetd_flag
55.1
'inetd_flag' is 0
) {
56
Taking false branch
1914 server_accept_inetd(&sock_in, &sock_out);
1915 } else {
1916 server_listen();
1917
1918 ssh_signal(SIGHUP1, sighup_handler);
1919 ssh_signal(SIGCHLD20, main_sigchld_handler);
1920 ssh_signal(SIGTERM15, sigterm_handler);
1921 ssh_signal(SIGQUIT3, sigterm_handler);
1922
1923 /*
1924 * Write out the pid file after the sigterm handler
1925 * is setup and the listen sockets are bound
1926 */
1927 if (options.pid_file != NULL((void*)0) && !debug_flag) {
57
Assuming field 'pid_file' is equal to NULL
1928 FILE *f = fopen(options.pid_file, "w");
1929
1930 if (f == NULL((void*)0)) {
1931 error("Couldn't create pid file \"%s\": %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1932,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "Couldn't create pid file \"%s\": %s"
, options.pid_file, strerror((*__errno())))
1932 options.pid_file, strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1932,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "Couldn't create pid file \"%s\": %s"
, options.pid_file, strerror((*__errno())));
1933 } else {
1934 fprintf(f, "%ld\n", (long) getpid());
1935 fclose(f);
1936 }
1937 }
1938
1939 /* Accept a connection and return in a forked child */
1940 server_accept_loop(&sock_in, &sock_out,
1941 &newsock, config_s);
1942 }
1943
1944 /* This is the child processing a new connection. */
1945 setproctitle("%s", "[accepted]");
1946
1947 /*
1948 * Create a new session and process group since the 4.4BSD
1949 * setlogin() affects the entire process group. We don't
1950 * want the child to be able to affect the parent.
1951 */
1952 if (!debug_flag
57.1
'debug_flag' is 0
 && !inetd_flag
57.2
'inetd_flag' is 0
 && setsid() == -1)
58
Assuming the condition is false
59
Taking false branch
1953 error("setsid: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1953,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "setsid: %.100s", strerror
((*__errno())));
1954
1955 if (rexec_flag
59.1
'rexec_flag' is 1
) {
60
Taking true branch
1956 debug("rexec start in %d out %d newsock %d pipe %d sock %d",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1957,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "rexec start in %d out %d newsock %d pipe %d sock %d"
, sock_in, sock_out, newsock, startup_pipe, config_s[0])
1957 sock_in, sock_out, newsock, startup_pipe, config_s[0])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1957,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "rexec start in %d out %d newsock %d pipe %d sock %d"
, sock_in, sock_out, newsock, startup_pipe, config_s[0]);
1958 dup2(newsock, STDIN_FILENO0);
1959 dup2(STDIN_FILENO0, STDOUT_FILENO1);
1960 if (startup_pipe == -1)
61
Taking true branch
1961 close(REEXEC_STARTUP_PIPE_FD(2 + 2));
1962 else if (startup_pipe != REEXEC_STARTUP_PIPE_FD(2 + 2)) {
1963 dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD(2 + 2));
1964 close(startup_pipe);
1965 startup_pipe = REEXEC_STARTUP_PIPE_FD(2 + 2);
1966 }
1967
1968 dup2(config_s[1], REEXEC_CONFIG_PASS_FD(2 + 3));
1969 close(config_s[1]);
1970
1971 ssh_signal(SIGHUP1, SIG_IGN(void (*)(int))1); /* avoid reset to SIG_DFL */
1972 execv(rexec_argv[0], rexec_argv);
1973
1974 /* Reexec has failed, fall back and continue */
1975 error("rexec of %s failed: %s", rexec_argv[0], strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1975,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "rexec of %s failed: %s",
rexec_argv[0], strerror((*__errno())));
1976 recv_rexec_state(REEXEC_CONFIG_PASS_FD(2 + 3), NULL((void*)0));
1977 log_init(__progname, options.log_level,
1978 options.log_facility, log_stderr);
1979
1980 /* Clean up fds */
1981 close(REEXEC_CONFIG_PASS_FD(2 + 3));
1982 newsock = sock_out = sock_in = dup(STDIN_FILENO0);
1983 if (stdfd_devnull(1, 1, 0) == -1)
62
Assuming the condition is false
63
Taking false branch
1984 error_f("stdfd_devnull failed")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1984,
1, SYSLOG_LEVEL_ERROR, ((void*)0), "stdfd_devnull failed");
1985 debug("rexec cleanup in %d out %d newsock %d pipe %d sock %d",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1986,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "rexec cleanup in %d out %d newsock %d pipe %d sock %d"
, sock_in, sock_out, newsock, startup_pipe, config_s[0])
1986 sock_in, sock_out, newsock, startup_pipe, config_s[0])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1986,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "rexec cleanup in %d out %d newsock %d pipe %d sock %d"
, sock_in, sock_out, newsock, startup_pipe, config_s[0]);
1987 }
1988
1989 /* Executed child processes don't need these. */
1990 fcntl(sock_out, F_SETFD2, FD_CLOEXEC1);
1991 fcntl(sock_in, F_SETFD2, FD_CLOEXEC1);
1992
1993 /* We will not restart on SIGHUP since it no longer makes sense. */
1994 ssh_signal(SIGALRM14, SIG_DFL(void (*)(int))0);
1995 ssh_signal(SIGHUP1, SIG_DFL(void (*)(int))0);
1996 ssh_signal(SIGTERM15, SIG_DFL(void (*)(int))0);
1997 ssh_signal(SIGQUIT3, SIG_DFL(void (*)(int))0);
1998 ssh_signal(SIGCHLD20, SIG_DFL(void (*)(int))0);
1999
2000 /*
2001 * Register our connection. This turns encryption off because we do
2002 * not have a key.
2003 */
2004 if ((ssh = ssh_packet_set_connection(NULL((void*)0), sock_in, sock_out)) == NULL((void*)0))
64
Assuming the condition is false
65
Taking false branch
2005 fatal("Unable to create connection")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2005
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Unable to create connection"
);
2006 the_active_state = ssh;
2007 ssh_packet_set_server(ssh);
2008
2009 check_ip_options(ssh);
2010
2011 /* Prepare the channels layer */
2012 channel_init_channels(ssh);
2013 channel_set_af(ssh, options.address_family);
2014 process_permitopen(ssh, &options);
2015
2016 /* Set SO_KEEPALIVE if requested. */
2017 if (options.tcp_keep_alive && ssh_packet_connection_is_on_socket(ssh) &&
66
Assuming field 'tcp_keep_alive' is 0
2018 setsockopt(sock_in, SOL_SOCKET0xffff, SO_KEEPALIVE0x0008, &on, sizeof(on)) == -1)
2019 error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2019,
0, SYSLOG_LEVEL_ERROR, ((void*)0), "setsockopt SO_KEEPALIVE: %.100s"
, strerror((*__errno())));
2020
2021 if ((remote_port = ssh_remote_port(ssh)) < 0) {
67
Assuming the condition is false
68
Taking false branch
2022 debug("ssh_remote_port failed")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2022,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "ssh_remote_port failed"
);
2023 cleanup_exit(255);
2024 }
2025
2026 /*
2027 * The rest of the code depends on the fact that
2028 * ssh_remote_ipaddr() caches the remote ip, even if
2029 * the socket goes away.
2030 */
2031 remote_ip = ssh_remote_ipaddr(ssh);
2032
2033 rdomain = ssh_packet_rdomain_in(ssh);
2034
2035 /* Log the connection. */
2036 laddr = get_local_ipaddr(sock_in);
2037 verbose("Connection from %s port %d on %s port %d%s%s%s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2041,
0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Connection from %s port %d on %s port %d%s%s%s"
, remote_ip, remote_port, laddr, ssh_local_port(ssh), rdomain
== ((void*)0) ? "" : " rdomain \"", rdomain == ((void*)0) ? ""
: rdomain, rdomain == ((void*)0) ? "" : "\"")
69
Assuming 'rdomain' is equal to null
70
'?' condition is true
71
'?' condition is true
72
'?' condition is true
2038 remote_ip, remote_port, laddr, ssh_local_port(ssh),sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2041,
0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Connection from %s port %d on %s port %d%s%s%s"
, remote_ip, remote_port, laddr, ssh_local_port(ssh), rdomain
== ((void*)0) ? "" : " rdomain \"", rdomain == ((void*)0) ? ""
: rdomain, rdomain == ((void*)0) ? "" : "\"")
2039 rdomain == NULL ? "" : " rdomain \"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2041,
0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Connection from %s port %d on %s port %d%s%s%s"
, remote_ip, remote_port, laddr, ssh_local_port(ssh), rdomain
== ((void*)0) ? "" : " rdomain \"", rdomain == ((void*)0) ? ""
: rdomain, rdomain == ((void*)0) ? "" : "\"")
2040 rdomain == NULL ? "" : rdomain,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2041,
0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Connection from %s port %d on %s port %d%s%s%s"
, remote_ip, remote_port, laddr, ssh_local_port(ssh), rdomain
== ((void*)0) ? "" : " rdomain \"", rdomain == ((void*)0) ? ""
: rdomain, rdomain == ((void*)0) ? "" : "\"")
2041 rdomain == NULL ? "" : "\"")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2041,
0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Connection from %s port %d on %s port %d%s%s%s"
, remote_ip, remote_port, laddr, ssh_local_port(ssh), rdomain
== ((void*)0) ? "" : " rdomain \"", rdomain == ((void*)0) ? ""
: rdomain, rdomain == ((void*)0) ? "" : "\"");
2042 free(laddr);
2043
2044 /*
2045 * We don't want to listen forever unless the other side
2046 * successfully authenticates itself. So we set up an alarm which is
2047 * cleared after successful authentication. A limit of zero
2048 * indicates no limit. Note that we don't set the alarm in debugging
2049 * mode; it is just annoying to have the server exit just when you
2050 * are about to discover the bug.
2051 */
2052 ssh_signal(SIGALRM14, grace_alarm_handler);
2053 if (!debug_flag
72.1
'debug_flag' is 0
)
73
Taking true branch
2054 alarm(options.login_grace_time);
2055
2056 if ((r = kex_exchange_identification(ssh, -1,
74
Assuming the condition is false
75
Taking false branch
2057 options.version_addendum)) != 0)
2058 sshpkt_fatal(ssh, r, "banner exchange");
2059
2060 ssh_packet_set_nonblocking(ssh);
2061
2062 /* allocate authentication context */
2063 authctxt = xcalloc(1, sizeof(*authctxt));
2064 ssh->authctxt = authctxt;
2065
2066 /* XXX global for cleanup, access from other modules */
2067 the_authctxt = authctxt;
2068
2069 /* Set default key authentication options */
2070 if ((auth_opts = sshauthopt_new_with_keys_defaults()) == NULL((void*)0))
76
Assuming the condition is false
77
Taking false branch
2071 fatal("allocation failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2071
, 0, SYSLOG_LEVEL_FATAL, ((void*)0), "allocation failed");
2072
2073 /* prepare buffer to collect messages to display to user after login */
2074 if ((loginmsg = sshbuf_new()) == NULL((void*)0))
78
Assuming the condition is false
79
Taking false branch
2075 fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2075
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
2076 auth_debug_reset();
2077
2078 if (use_privsep
79.1
'use_privsep' is -1
) {
80
Taking true branch
2079 if (privsep_preauth(ssh) == 1)
81
Assuming the condition is true
82
Taking true branch
2080 goto authenticated;
83
Control jumps to line 2108
2081 } else if (have_agent) {
2082 if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) {
2083 error_r(r, "Unable to get agent socket")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2083,
0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Unable to get agent socket"
);
2084 have_agent = 0;
2085 }
2086 }
2087
2088 /* perform the key exchange */
2089 /* authenticate user and start session */
2090 do_ssh2_kex(ssh);
2091 do_authentication2(ssh);
2092
2093 /*
2094 * If we use privilege separation, the unprivileged child transfers
2095 * the current keystate and exits
2096 */
2097 if (use_privsep) {
2098 mm_send_keystate(ssh, pmonitor);
2099 ssh_packet_clear_keys(ssh);
2100 exit(0);
2101 }
2102
2103 authenticated:
2104 /*
2105 * Cancel the alarm we set to limit the time taken for
2106 * authentication.
2107 */
2108 alarm(0);
2109 ssh_signal(SIGALRM14, SIG_DFL(void (*)(int))0);
2110 authctxt->authenticated = 1;
2111 if (startup_pipe != -1) {
84
Taking false branch
2112 close(startup_pipe);
2113 startup_pipe = -1;
2114 }
2115
2116 if (options.routing_domain != NULL((void*)0))
85
Assuming field 'routing_domain' is equal to NULL
86
Taking false branch
2117 set_process_rdomain(ssh, options.routing_domain);
2118
2119 /*
2120 * In privilege separation, we fork another child and prepare
2121 * file descriptor passing.
2122 */
2123 if (use_privsep
86.1
'use_privsep' is -1
) {
87
Taking true branch
2124 privsep_postauth(ssh, authctxt);
88
Calling 'privsep_postauth'
2125 /* the monitor process [priv] will not return */
2126 }
2127
2128 ssh_packet_set_timeout(ssh, options.client_alive_interval,
2129 options.client_alive_count_max);
2130
2131 /* Try to send all our hostkeys to the client */
2132 notify_hostkeys(ssh);
2133
2134 /* Start session. */
2135 do_authenticated(ssh, authctxt);
2136
2137 /* The connection has been terminated. */
2138 ssh_packet_get_bytes(ssh, &ibytes, &obytes);
2139 verbose("Transferred: sent %llu, received %llu bytes",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2140,
0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Transferred: sent %llu, received %llu bytes"
, (unsigned long long)obytes, (unsigned long long)ibytes)
2140 (unsigned long long)obytes, (unsigned long long)ibytes)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2140,
0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Transferred: sent %llu, received %llu bytes"
, (unsigned long long)obytes, (unsigned long long)ibytes);
2141
2142 verbose("Closing connection to %.500s port %d", remote_ip, remote_port)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2142,
0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Closing connection to %.500s port %d"
, remote_ip, remote_port);
2143 ssh_packet_close(ssh);
2144
2145 if (use_privsep)
2146 mm_terminate();
2147
2148 exit(0);
2149}
2150
2151int
2152sshd_hostkey_sign(struct ssh *ssh, struct sshkey *privkey,
2153 struct sshkey *pubkey, u_char **signature, size_t *slenp,
2154 const u_char *data, size_t dlen, const char *alg)
2155{
2156 int r;
2157
2158 if (use_privsep) {
2159 if (privkey) {
2160 if (mm_sshkey_sign(ssh, privkey, signature, slenp,
2161 data, dlen, alg, options.sk_provider, NULL((void*)0),
2162 ssh->compat) < 0)
2163 fatal_f("privkey sign failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2163
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "privkey sign failed");
2164 } else {
2165 if (mm_sshkey_sign(ssh, pubkey, signature, slenp,
2166 data, dlen, alg, options.sk_provider, NULL((void*)0),
2167 ssh->compat) < 0)
2168 fatal_f("pubkey sign failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2168
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "pubkey sign failed");
2169 }
2170 } else {
2171 if (privkey) {
2172 if (sshkey_sign(privkey, signature, slenp, data, dlen,
2173 alg, options.sk_provider, NULL((void*)0), ssh->compat) < 0)
2174 fatal_f("privkey sign failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2174
, 1, SYSLOG_LEVEL_FATAL, ((void*)0), "privkey sign failed");
2175 } else {
2176 if ((r = ssh_agent_sign(auth_sock, pubkey,
2177 signature, slenp, data, dlen, alg,
2178 ssh->compat)) != 0) {
2179 fatal_fr(r, "agent sign failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2179
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "agent sign failed");
2180 }
2181 }
2182 }
2183 return 0;
2184}
2185
2186/* SSH2 key exchange */
2187static void
2188do_ssh2_kex(struct ssh *ssh)
2189{
2190 char *myproposal[PROPOSAL_MAX] = { KEX_SERVER"curve25519-sha256," "curve25519-sha256@libssh.org," "ecdh-sha2-nistp256,"
"ecdh-sha2-nistp384," "ecdh-sha2-nistp521," "sntrup761x25519-sha512@openssh.com,"
"diffie-hellman-group-exchange-sha256," "diffie-hellman-group16-sha512,"
"diffie-hellman-group18-sha512," "diffie-hellman-group14-sha256"
, "ssh-ed25519-cert-v01@openssh.com," "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
"ecdsa-sha2-nistp384-cert-v01@openssh.com," "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
"sk-ssh-ed25519-cert-v01@openssh.com," "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
"rsa-sha2-512-cert-v01@openssh.com," "rsa-sha2-256-cert-v01@openssh.com,"
"ssh-ed25519," "ecdsa-sha2-nistp256," "ecdsa-sha2-nistp384,"
"ecdsa-sha2-nistp521," "sk-ssh-ed25519@openssh.com," "sk-ecdsa-sha2-nistp256@openssh.com,"
"rsa-sha2-512," "rsa-sha2-256", "chacha20-poly1305@openssh.com,"
"aes128-ctr,aes192-ctr,aes256-ctr," "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
, "chacha20-poly1305@openssh.com," "aes128-ctr,aes192-ctr,aes256-ctr,"
"aes128-gcm@openssh.com,aes256-gcm@openssh.com", "umac-64-etm@openssh.com,"
"umac-128-etm@openssh.com," "hmac-sha2-256-etm@openssh.com,"
"hmac-sha2-512-etm@openssh.com," "hmac-sha1-etm@openssh.com,"
"umac-64@openssh.com," "umac-128@openssh.com," "hmac-sha2-256,"
"hmac-sha2-512," "hmac-sha1", "umac-64-etm@openssh.com," "umac-128-etm@openssh.com,"
"hmac-sha2-256-etm@openssh.com," "hmac-sha2-512-etm@openssh.com,"
"hmac-sha1-etm@openssh.com," "umac-64@openssh.com," "umac-128@openssh.com,"
"hmac-sha2-256," "hmac-sha2-512," "hmac-sha1", "none,zlib@openssh.com"
, "none,zlib@openssh.com", "", "" };
2191 struct kex *kex;
2192 int r;
2193
2194 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
2195 options.kex_algorithms);
2196 myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
2197 options.ciphers);
2198 myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh,
2199 options.ciphers);
2200 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
2201 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
2202
2203 if (options.compression == COMP_NONE0) {
2204 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
2205 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
2206 }
2207
2208 if (options.rekey_limit || options.rekey_interval)
2209 ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
2210 options.rekey_interval);
2211
2212 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
2213 ssh, list_hostkey_types());
2214
2215 /* start key exchange */
2216 if ((r = kex_setup(ssh, myproposal)) != 0)
2217 fatal_r(r, "kex_setup")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2217
, 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "kex_setup");
2218 kex = ssh->kex;
2219#ifdef WITH_OPENSSL1
2220 kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server;
2221 kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server;
2222 kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_server;
2223 kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_server;
2224 kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_server;
2225 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2226 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2227 kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
2228#endif
2229 kex->kex[KEX_C25519_SHA256] = kex_gen_server;
2230 kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
2231 kex->load_host_public_key=&get_hostkey_public_by_type;
2232 kex->load_host_private_key=&get_hostkey_private_by_type;
2233 kex->host_key_index=&get_hostkey_index;
2234 kex->sign = sshd_hostkey_sign;
2235
2236 ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &kex->done);
2237
2238#ifdef DEBUG_KEXDH
2239 /* send 1st encrypted/maced/compressed message */
2240 if ((r = sshpkt_start(ssh, SSH2_MSG_IGNORE2)) != 0 ||
2241 (r = sshpkt_put_cstring(ssh, "markus")) != 0 ||
2242 (r = sshpkt_send(ssh)) != 0 ||
2243 (r = ssh_packet_write_wait(ssh)) != 0)
2244 fatal_fr(r, "send test")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2244
, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send test");
2245#endif
2246 debug("KEX done")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2246,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "KEX done");
2247}
2248
2249/* server specific fatal cleanup */
2250void
2251cleanup_exit(int i)
2252{
2253 if (the_active_state != NULL((void*)0) && the_authctxt != NULL((void*)0)) {
2254 do_cleanup(the_active_state, the_authctxt);
2255 if (use_privsep && privsep_is_preauth &&
2256 pmonitor != NULL((void*)0) && pmonitor->m_pid > 1) {
2257 debug("Killing privsep child %d", pmonitor->m_pid)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2257,
0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "Killing privsep child %d"
, pmonitor->m_pid);
2258 if (kill(pmonitor->m_pid, SIGKILL9) != 0 &&
2259 errno(*__errno()) != ESRCH3) {
2260 error_f("kill(%d): %s", pmonitor->m_pid,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2261,
1, SYSLOG_LEVEL_ERROR, ((void*)0), "kill(%d): %s", pmonitor->
m_pid, strerror((*__errno())))
2261 strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2261,
1, SYSLOG_LEVEL_ERROR, ((void*)0), "kill(%d): %s", pmonitor->
m_pid, strerror((*__errno())));
2262 }
2263 }
2264 }
2265 _exit(i);
2266}