Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	usr.bin/ssh/ssh-keyscan/../ssh-keyscan.c	Lines:	0	353	0.0 %
Date:	2017-11-07	Branches:	0	229	0.0 %


/* $OpenBSD: ssh-keyscan.c,v 1.115 2017/06/30 04:17:23 dtucker Exp $ */
/*
 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 *
 * Modification and redistribution in source and binary forms is
 * permitted provided that due credit is given to the author and the
 * OpenBSD project by leaving this copyright notice intact.
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <sys/time.h>
#include <sys/resource.h>

#include <openssl/bn.h>

#include <errno.h>
#include <netdb.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

#include "xmalloc.h"
#include "ssh.h"
#include "sshbuf.h"
#include "sshkey.h"
#include "cipher.h"
#include "kex.h"
#include "compat.h"
#include "myproposal.h"
#include "packet.h"
#include "dispatch.h"
#include "log.h"
#include "atomicio.h"
#include "misc.h"
#include "hostfile.h"
#include "ssherr.h"
#include "ssh_api.h"

/* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
   Default value is AF_UNSPEC means both IPv4 and IPv6. */
int IPv4or6 = AF_UNSPEC;

int ssh_port = SSH_DEFAULT_PORT;

#define KT_DSA		(1)
#define KT_RSA		(1<<1)
#define KT_ECDSA	(1<<2)
#define KT_ED25519	(1<<3)

#define KT_MIN		KT_DSA
#define KT_MAX		KT_ED25519

int get_cert = 0;
int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;

int hash_hosts = 0;		/* Hash hostname on output */

#define MAXMAXFD 256

/* The number of seconds after which to give up on a TCP connection */
int timeout = 5;

int maxfd;
#define MAXCON (maxfd - 10)

extern char *__progname;
fd_set *read_wait;
size_t read_wait_nfdset;
int ncon;

/*
 * Keep a connection structure for each file descriptor.  The state
 * associated with file descriptor n is held in fdcon[n].
 */
typedef struct Connection {
	u_char c_status;	/* State of connection on this file desc. */
#define CS_UNUSED 0		/* File descriptor unused */
#define CS_CON 1		/* Waiting to connect/read greeting */
#define CS_SIZE 2		/* Waiting to read initial packet size */
#define CS_KEYS 3		/* Waiting to read public key packet */
	int c_fd;		/* Quick lookup: c->c_fd == c - fdcon */
	int c_plen;		/* Packet length field for ssh packet */
	int c_len;		/* Total bytes which must be read. */
	int c_off;		/* Length of data read so far. */
	int c_keytype;		/* Only one of KT_* */
	sig_atomic_t c_done;	/* SSH2 done */
	char *c_namebase;	/* Address to free for c_name and c_namelist */
	char *c_name;		/* Hostname of connection for errors */
	char *c_namelist;	/* Pointer to other possible addresses */
	char *c_output_name;	/* Hostname of connection for output */
	char *c_data;		/* Data read from this fd */
	struct ssh *c_ssh;	/* SSH-connection */
	struct timeval c_tv;	/* Time at which connection gets aborted */
	TAILQ_ENTRY(Connection) c_link;	/* List of connections in timeout order. */
} con;

TAILQ_HEAD(conlist, Connection) tq;	/* Timeout Queue */
con *fdcon;

static void keyprint(con *c, struct sshkey *key);

static int
fdlim_get(int hard)
{
	struct rlimit rlfd;

	if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0)
		return (-1);
	if ((hard ? rlfd.rlim_max : rlfd.rlim_cur) == RLIM_INFINITY)
		return sysconf(_SC_OPEN_MAX);
	else
		return hard ? rlfd.rlim_max : rlfd.rlim_cur;
}

static int
fdlim_set(int lim)
{
	struct rlimit rlfd;

	if (lim <= 0)
		return (-1);
	if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0)
		return (-1);
	rlfd.rlim_cur = lim;
	if (setrlimit(RLIMIT_NOFILE, &rlfd) < 0)
		return (-1);
	return (0);
}

/*
 * This is an strsep function that returns a null field for adjacent
 * separators.  This is the same as the 4.4BSD strsep, but different from the
 * one in the GNU libc.
 */
static char *
xstrsep(char **str, const char *delim)
{
	char *s, *e;

	if (!**str)
		return (NULL);

	s = *str;
	e = s + strcspn(s, delim);

	if (*e != '\0')
		*e++ = '\0';
	*str = e;

	return (s);
}

/*
 * Get the next non-null token (like GNU strsep).  Strsep() will return a
 * null token for two adjacent separators, so we may have to loop.
 */
static char *
strnnsep(char **stringp, char *delim)
{
	char *tok;

	do {
		tok = xstrsep(stringp, delim);
	} while (tok && *tok == '\0');
	return (tok);
}


static int
key_print_wrapper(struct sshkey *hostkey, struct ssh *ssh)
{
	con *c;

	if ((c = ssh_get_app_data(ssh)) != NULL)
		keyprint(c, hostkey);
	/* always abort key exchange */
	return -1;
}

static int
ssh2_capable(int remote_major, int remote_minor)
{
	switch (remote_major) {
	case 1:
		if (remote_minor == 99)
			return 1;
		break;
	case 2:
		return 1;
	default:
		break;
	}
	return 0;
}

static void
keygrab_ssh2(con *c)
{
	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
	int r;

	switch (c->c_keytype) {
	case KT_DSA:
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
		    "ssh-dss-cert-v01@openssh.com" : "ssh-dss";
		break;
	case KT_RSA:
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
		    "ssh-rsa-cert-v01@openssh.com" : "ssh-rsa";
		break;
	case KT_ED25519:
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
		    "ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519";
		break;
	case KT_ECDSA:
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
		    "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
		    "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
		    "ecdsa-sha2-nistp521-cert-v01@openssh.com" :
		    "ecdsa-sha2-nistp256,"
		    "ecdsa-sha2-nistp384,"
		    "ecdsa-sha2-nistp521";
		break;
	default:
		fatal("unknown key type %d", c->c_keytype);
		break;
	}
	if ((r = kex_setup(c->c_ssh, myproposal)) != 0) {
		free(c->c_ssh);
		fprintf(stderr, "kex_setup: %s\n", ssh_err(r));
		exit(1);
	}
#ifdef WITH_OPENSSL
	c->c_ssh->kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
	c->c_ssh->kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
	c->c_ssh->kex->kex[KEX_DH_GRP14_SHA256] = kexdh_client;
	c->c_ssh->kex->kex[KEX_DH_GRP16_SHA512] = kexdh_client;
	c->c_ssh->kex->kex[KEX_DH_GRP18_SHA512] = kexdh_client;
	c->c_ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
	c->c_ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
	c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
#endif
	c->c_ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_client;
	ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper);
	/*
	 * do the key-exchange until an error occurs or until
	 * the key_print_wrapper() callback sets c_done.
	 */
	ssh_dispatch_run(c->c_ssh, DISPATCH_BLOCK, &c->c_done);
}

static void
keyprint_one(const char *host, struct sshkey *key)
{
	char *hostport;
	const char *known_host, *hashed;

	hostport = put_host_port(host, ssh_port);
	lowercase(hostport);
	if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
		fatal("host_hash failed");
	known_host = hash_hosts ? hashed : hostport;
	if (!get_cert)
		fprintf(stdout, "%s ", known_host);
	sshkey_write(key, stdout);
	fputs("\n", stdout);
	free(hostport);
}

static void
keyprint(con *c, struct sshkey *key)
{
	char *hosts = c->c_output_name ? c->c_output_name : c->c_name;
	char *host, *ohosts;

	if (key == NULL)
		return;
	if (get_cert || (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) {
		keyprint_one(hosts, key);
		return;
	}
	ohosts = hosts = xstrdup(hosts);
	while ((host = strsep(&hosts, ",")) != NULL)
		keyprint_one(host, key);
	free(ohosts);
}

static int
tcpconnect(char *host)
{
	struct addrinfo hints, *ai, *aitop;
	char strport[NI_MAXSERV];
	int gaierr, s = -1;

	snprintf(strport, sizeof strport, "%d", ssh_port);
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
		error("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
		return -1;
	}
	for (ai = aitop; ai; ai = ai->ai_next) {
		s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (s < 0) {
			error("socket: %s", strerror(errno));
			continue;
		}
		if (set_nonblock(s) == -1)
			fatal("%s: set_nonblock(%d)", __func__, s);
		if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0 &&
		    errno != EINPROGRESS)
			error("connect (`%s'): %s", host, strerror(errno));
		else
			break;
		close(s);
		s = -1;
	}
	freeaddrinfo(aitop);
	return s;
}

static int
conalloc(char *iname, char *oname, int keytype)
{
	char *namebase, *name, *namelist;
	int s;

	namebase = namelist = xstrdup(iname);

	do {
		name = xstrsep(&namelist, ",");
		if (!name) {
			free(namebase);
			return (-1);
		}
	} while ((s = tcpconnect(name)) < 0);

	if (s >= maxfd)
		fatal("conalloc: fdno %d too high", s);
	if (fdcon[s].c_status)
		fatal("conalloc: attempt to reuse fdno %d", s);

	debug3("%s: oname %s kt %d", __func__, oname, keytype);
	fdcon[s].c_fd = s;
	fdcon[s].c_status = CS_CON;
	fdcon[s].c_namebase = namebase;
	fdcon[s].c_name = name;
	fdcon[s].c_namelist = namelist;
	fdcon[s].c_output_name = xstrdup(oname);
	fdcon[s].c_data = (char *) &fdcon[s].c_plen;
	fdcon[s].c_len = 4;
	fdcon[s].c_off = 0;
	fdcon[s].c_keytype = keytype;
	gettimeofday(&fdcon[s].c_tv, NULL);
	fdcon[s].c_tv.tv_sec += timeout;
	TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link);
	FD_SET(s, read_wait);
	ncon++;
	return (s);
}

static void
confree(int s)
{
	if (s >= maxfd || fdcon[s].c_status == CS_UNUSED)
		fatal("confree: attempt to free bad fdno %d", s);
	free(fdcon[s].c_namebase);
	free(fdcon[s].c_output_name);
	if (fdcon[s].c_status == CS_KEYS)
		free(fdcon[s].c_data);
	fdcon[s].c_status = CS_UNUSED;
	fdcon[s].c_keytype = 0;
	if (fdcon[s].c_ssh) {
		ssh_packet_close(fdcon[s].c_ssh);
		free(fdcon[s].c_ssh);
		fdcon[s].c_ssh = NULL;
	} else
		close(s);
	TAILQ_REMOVE(&tq, &fdcon[s], c_link);
	FD_CLR(s, read_wait);
	ncon--;
}

static void
contouch(int s)
{
	TAILQ_REMOVE(&tq, &fdcon[s], c_link);
	gettimeofday(&fdcon[s].c_tv, NULL);
	fdcon[s].c_tv.tv_sec += timeout;
	TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link);
}

static int
conrecycle(int s)
{
	con *c = &fdcon[s];
	int ret;

	ret = conalloc(c->c_namelist, c->c_output_name, c->c_keytype);
	confree(s);
	return (ret);
}

static void
congreet(int s)
{
	int n = 0, remote_major = 0, remote_minor = 0;
	char buf[256], *cp;
	char remote_version[sizeof buf];
	size_t bufsiz;
	con *c = &fdcon[s];

	/* send client banner */
	n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2);
	if (n < 0 || (size_t)n >= sizeof(buf)) {
		error("snprintf: buffer too small");
		confree(s);
		return;
	}
	if (atomicio(vwrite, s, buf, n) != (size_t)n) {
		error("write (%s): %s", c->c_name, strerror(errno));
		confree(s);
		return;
	}

	for (;;) {
		memset(buf, '\0', sizeof(buf));
		bufsiz = sizeof(buf);
		cp = buf;
		while (bufsiz-- &&
		    (n = atomicio(read, s, cp, 1)) == 1 && *cp != '\n') {
			if (*cp == '\r')
				*cp = '\n';
			cp++;
		}
		if (n != 1 || strncmp(buf, "SSH-", 4) == 0)
			break;
	}
	if (n == 0) {
		switch (errno) {
		case EPIPE:
			error("%s: Connection closed by remote host", c->c_name);
			break;
		case ECONNREFUSED:
			break;
		default:
			error("read (%s): %s", c->c_name, strerror(errno));
			break;
		}
		conrecycle(s);
		return;
	}
	if (*cp != '\n' && *cp != '\r') {
		error("%s: bad greeting", c->c_name);
		confree(s);
		return;
	}
	*cp = '\0';
	if ((c->c_ssh = ssh_packet_set_connection(NULL, s, s)) == NULL)
		fatal("ssh_packet_set_connection failed");
	ssh_packet_set_timeout(c->c_ssh, timeout, 1);
	ssh_set_app_data(c->c_ssh, c);	/* back link */
	if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
	    &remote_major, &remote_minor, remote_version) == 3)
		c->c_ssh->compat = compat_datafellows(remote_version);
	else
		c->c_ssh->compat = 0;
	if (!ssh2_capable(remote_major, remote_minor)) {
		debug("%s doesn't support ssh2", c->c_name);
		confree(s);
		return;
	}
	fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf));
	keygrab_ssh2(c);
	confree(s);
}

static void
conread(int s)
{
	con *c = &fdcon[s];
	size_t n;

	if (c->c_status == CS_CON) {
		congreet(s);
		return;
	}
	n = atomicio(read, s, c->c_data + c->c_off, c->c_len - c->c_off);
	if (n == 0) {
		error("read (%s): %s", c->c_name, strerror(errno));
		confree(s);
		return;
	}
	c->c_off += n;

	if (c->c_off == c->c_len)
		switch (c->c_status) {
		case CS_SIZE:
			c->c_plen = htonl(c->c_plen);
			c->c_len = c->c_plen + 8 - (c->c_plen & 7);
			c->c_off = 0;
			c->c_data = xmalloc(c->c_len);
			c->c_status = CS_KEYS;
			break;
		default:
			fatal("conread: invalid status %d", c->c_status);
			break;
		}

	contouch(s);
}

static void
conloop(void)
{
	struct timeval seltime, now;
	fd_set *r, *e;
	con *c;
	int i;

	gettimeofday(&now, NULL);
	c = TAILQ_FIRST(&tq);

	if (c && (c->c_tv.tv_sec > now.tv_sec ||
	    (c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec > now.tv_usec))) {
		seltime = c->c_tv;
		seltime.tv_sec -= now.tv_sec;
		seltime.tv_usec -= now.tv_usec;
		if (seltime.tv_usec < 0) {
			seltime.tv_usec += 1000000;
			seltime.tv_sec--;
		}
	} else
		timerclear(&seltime);

	r = xcalloc(read_wait_nfdset, sizeof(fd_mask));
	e = xcalloc(read_wait_nfdset, sizeof(fd_mask));
	memcpy(r, read_wait, read_wait_nfdset * sizeof(fd_mask));
	memcpy(e, read_wait, read_wait_nfdset * sizeof(fd_mask));

	while (select(maxfd, r, NULL, e, &seltime) == -1 &&
	    (errno == EAGAIN || errno == EINTR))
		;

	for (i = 0; i < maxfd; i++) {
		if (FD_ISSET(i, e)) {
			error("%s: exception!", fdcon[i].c_name);
			confree(i);
		} else if (FD_ISSET(i, r))
			conread(i);
	}
	free(r);
	free(e);

	c = TAILQ_FIRST(&tq);
	while (c && (c->c_tv.tv_sec < now.tv_sec ||
	    (c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec < now.tv_usec))) {
		int s = c->c_fd;

		c = TAILQ_NEXT(c, c_link);
		conrecycle(s);
	}
}

static void
do_host(char *host)
{
	char *name = strnnsep(&host, " \t\n");
	int j;

	if (name == NULL)
		return;
	for (j = KT_MIN; j <= KT_MAX; j *= 2) {
		if (get_keytypes & j) {
			while (ncon >= MAXCON)
				conloop();
			conalloc(name, *host ? host : name, j);
		}
	}
}

void
fatal(const char *fmt,...)
{
	va_list args;

	va_start(args, fmt);
	do_log(SYSLOG_LEVEL_FATAL, fmt, args);
	va_end(args);
	exit(255);
}

static void
usage(void)
{
	fprintf(stderr,
	    "usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n"
	    "\t\t   [host | addrlist namelist] ...\n",
	    __progname);
	exit(1);
}

int
main(int argc, char **argv)
{
	int debug_flag = 0, log_level = SYSLOG_LEVEL_INFO;
	int opt, fopt_count = 0, j;
	char *tname, *cp, line[NI_MAXHOST];
	FILE *fp;
	u_long linenum;

	extern int optind;
	extern char *optarg;

	ssh_malloc_init();	/* must be called before any mallocs */
	TAILQ_INIT(&tq);

	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
	sanitise_stdfd();

	if (argc <= 1)
		usage();

	while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
		switch (opt) {
		case 'H':
			hash_hosts = 1;
			break;
		case 'c':
			get_cert = 1;
			break;
		case 'p':
			ssh_port = a2port(optarg);
			if (ssh_port <= 0) {
				fprintf(stderr, "Bad port '%s'\n", optarg);
				exit(1);
			}
			break;
		case 'T':
			timeout = convtime(optarg);
			if (timeout == -1 || timeout == 0) {
				fprintf(stderr, "Bad timeout '%s'\n", optarg);
				usage();
			}
			break;
		case 'v':
			if (!debug_flag) {
				debug_flag = 1;
				log_level = SYSLOG_LEVEL_DEBUG1;
			}
			else if (log_level < SYSLOG_LEVEL_DEBUG3)
				log_level++;
			else
				fatal("Too high debugging level.");
			break;
		case 'f':
			if (strcmp(optarg, "-") == 0)
				optarg = NULL;
			argv[fopt_count++] = optarg;
			break;
		case 't':
			get_keytypes = 0;
			tname = strtok(optarg, ",");
			while (tname) {
				int type = sshkey_type_from_name(tname);

				switch (type) {
				case KEY_DSA:
					get_keytypes |= KT_DSA;
					break;
				case KEY_ECDSA:
					get_keytypes |= KT_ECDSA;
					break;
				case KEY_RSA:
					get_keytypes |= KT_RSA;
					break;
				case KEY_ED25519:
					get_keytypes |= KT_ED25519;
					break;
				case KEY_UNSPEC:
				default:
					fatal("Unknown key type \"%s\"", tname);
				}
				tname = strtok(NULL, ",");
			}
			break;
		case '4':
			IPv4or6 = AF_INET;
			break;
		case '6':
			IPv4or6 = AF_INET6;
			break;
		case '?':
		default:
			usage();
		}
	}
	if (optind == argc && !fopt_count)
		usage();

	log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1);

	maxfd = fdlim_get(1);
	if (maxfd < 0)
		fatal("%s: fdlim_get: bad value", __progname);
	if (maxfd > MAXMAXFD)
		maxfd = MAXMAXFD;
	if (MAXCON <= 0)
		fatal("%s: not enough file descriptors", __progname);
	if (maxfd > fdlim_get(0))
		fdlim_set(maxfd);
	fdcon = xcalloc(maxfd, sizeof(con));

	read_wait_nfdset = howmany(maxfd, NFDBITS);
	read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask));

	for (j = 0; j < fopt_count; j++) {
		if (argv[j] == NULL)
			fp = stdin;
		else if ((fp = fopen(argv[j], "r")) == NULL)
			fatal("%s: %s: %s", __progname, argv[j],
			    strerror(errno));
		linenum = 0;

		while (read_keyfile_line(fp,
		    argv[j] == NULL ? "(stdin)" : argv[j], line, sizeof(line),
		    &linenum) != -1) {
			/* Chomp off trailing whitespace and comments */
			if ((cp = strchr(line, '#')) == NULL)
				cp = line + strlen(line) - 1;
			while (cp >= line) {
				if (*cp == ' ' || *cp == '\t' ||
				    *cp == '\n' || *cp == '#')
					*cp-- = '\0';
				else
					break;
			}

			/* Skip empty lines */
			if (*line == '\0')
				continue;

			do_host(line);
		}

		if (ferror(fp))
			fatal("%s: %s: %s", __progname, argv[j],
			    strerror(errno));

		fclose(fp);
	}

	while (optind < argc)
		do_host(argv[optind++]);

	while (ncon > 0)
		conloop();

	return (0);
}


Generated by: GCOVR (Version 3.3)

Line	Branch	Exec	Source
1			/* $OpenBSD: ssh-keyscan.c,v 1.115 2017/06/30 04:17:23 dtucker Exp $ */
2			/*
3			* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4			*
5			* Modification and redistribution in source and binary forms is
6			* permitted provided that due credit is given to the author and the
7			* OpenBSD project by leaving this copyright notice intact.
8			*/
9
10			#include <sys/types.h>
11			#include <sys/socket.h>
12			#include <sys/queue.h>
13			#include <sys/time.h>
14			#include <sys/resource.h>
15
16			#include <openssl/bn.h>
17
18			#include <errno.h>
19			#include <netdb.h>
20			#include <stdarg.h>
21			#include <stdio.h>
22			#include <stdlib.h>
23			#include <signal.h>
24			#include <string.h>
25			#include <unistd.h>
26
27			#include "xmalloc.h"
28			#include "ssh.h"
29			#include "sshbuf.h"
30			#include "sshkey.h"
31			#include "cipher.h"
32			#include "kex.h"
33			#include "compat.h"
34			#include "myproposal.h"
35			#include "packet.h"
36			#include "dispatch.h"
37			#include "log.h"
38			#include "atomicio.h"
39			#include "misc.h"
40			#include "hostfile.h"
41			#include "ssherr.h"
42			#include "ssh_api.h"
43
44			/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
45			Default value is AF_UNSPEC means both IPv4 and IPv6. */
46			int IPv4or6 = AF_UNSPEC;
47
48			int ssh_port = SSH_DEFAULT_PORT;
49
50			#define KT_DSA (1)
51			#define KT_RSA (1<<1)
52			#define KT_ECDSA (1<<2)
53			#define KT_ED25519 (1<<3)
54
55			#define KT_MIN KT_DSA
56			#define KT_MAX KT_ED25519
57
58			int get_cert = 0;
59			int get_keytypes = KT_RSA\|KT_ECDSA\|KT_ED25519;
60
61			int hash_hosts = 0; /* Hash hostname on output */
62
63			#define MAXMAXFD 256
64
65			/* The number of seconds after which to give up on a TCP connection */
66			int timeout = 5;
67
68			int maxfd;
69			#define MAXCON (maxfd - 10)
70
71			extern char *__progname;
72			fd_set *read_wait;
73			size_t read_wait_nfdset;
74			int ncon;
75
76			/*
77			* Keep a connection structure for each file descriptor. The state
78			* associated with file descriptor n is held in fdcon[n].
79			*/
80			typedef struct Connection {
81			u_char c_status; /* State of connection on this file desc. */
82			#define CS_UNUSED 0 /* File descriptor unused */
83			#define CS_CON 1 /* Waiting to connect/read greeting */
84			#define CS_SIZE 2 /* Waiting to read initial packet size */
85			#define CS_KEYS 3 /* Waiting to read public key packet */
86			int c_fd; /* Quick lookup: c->c_fd == c - fdcon */
87			int c_plen; /* Packet length field for ssh packet */
88			int c_len; /* Total bytes which must be read. */
89			int c_off; /* Length of data read so far. */
90			int c_keytype; /* Only one of KT_* */
91			sig_atomic_t c_done; /* SSH2 done */
92			char c_namebase; / Address to free for c_name and c_namelist */
93			char c_name; / Hostname of connection for errors */
94			char c_namelist; / Pointer to other possible addresses */
95			char c_output_name; / Hostname of connection for output */
96			char c_data; / Data read from this fd */
97			struct ssh c_ssh; / SSH-connection */
98			struct timeval c_tv; /* Time at which connection gets aborted */
99			TAILQ_ENTRY(Connection) c_link; /* List of connections in timeout order. */
100			} con;
101
102			TAILQ_HEAD(conlist, Connection) tq; /* Timeout Queue */
103			con *fdcon;
104
105			static void keyprint(con c, struct sshkey key);
106
107			static int
108			fdlim_get(int hard)
109			{
110			struct rlimit rlfd;
111
112			if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0)
113			return (-1);
114			if ((hard ? rlfd.rlim_max : rlfd.rlim_cur) == RLIM_INFINITY)
115			return sysconf(_SC_OPEN_MAX);
116			else
117			return hard ? rlfd.rlim_max : rlfd.rlim_cur;
118			}
119
120			static int
121			fdlim_set(int lim)
122			{
123			struct rlimit rlfd;
124
125			if (lim <= 0)
126			return (-1);
127			if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0)
128			return (-1);
129			rlfd.rlim_cur = lim;
130			if (setrlimit(RLIMIT_NOFILE, &rlfd) < 0)
131			return (-1);
132			return (0);
133			}
134
135			/*
136			* This is an strsep function that returns a null field for adjacent
137			* separators. This is the same as the 4.4BSD strsep, but different from the
138			* one in the GNU libc.
139			*/
140			static char *
141			xstrsep(char *str, const char delim)
142			{
143			char s, e;
144
145			if (!**str)
146			return (NULL);
147
148			s = *str;
149			e = s + strcspn(s, delim);
150
151			if (*e != '\0')
152			*e++ = '\0';
153			*str = e;
154
155			return (s);
156			}
157
158			/*
159			* Get the next non-null token (like GNU strsep). Strsep() will return a
160			* null token for two adjacent separators, so we may have to loop.
161			*/
162			static char *
163			strnnsep(char *stringp, char delim)
164			{
165			char *tok;
166
167			do {
168			tok = xstrsep(stringp, delim);
169			} while (tok && *tok == '\0');
170			return (tok);
171			}
172
173
174			static int
175			key_print_wrapper(struct sshkey hostkey, struct ssh ssh)
176			{
177			con *c;
178
179			if ((c = ssh_get_app_data(ssh)) != NULL)
180			keyprint(c, hostkey);
181			/* always abort key exchange */
182			return -1;
183			}
184
185			static int
186			ssh2_capable(int remote_major, int remote_minor)
187			{
188			switch (remote_major) {
189			case 1:
190			if (remote_minor == 99)
191			return 1;
192			break;
193			case 2:
194			return 1;
195			default:
196			break;
197			}
198			return 0;
199			}
200
201			static void
202			keygrab_ssh2(con *c)
203			{
204			char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
205			int r;
206
207			switch (c->c_keytype) {
208			case KT_DSA:
209			myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
210			"ssh-dss-cert-v01@openssh.com" : "ssh-dss";
211			break;
212			case KT_RSA:
213			myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
214			"ssh-rsa-cert-v01@openssh.com" : "ssh-rsa";
215			break;
216			case KT_ED25519:
217			myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
218			"ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519";
219			break;
220			case KT_ECDSA:
221			myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
222			"ecdsa-sha2-nistp256-cert-v01@openssh.com,"
223			"ecdsa-sha2-nistp384-cert-v01@openssh.com,"
224			"ecdsa-sha2-nistp521-cert-v01@openssh.com" :
225			"ecdsa-sha2-nistp256,"
226			"ecdsa-sha2-nistp384,"
227			"ecdsa-sha2-nistp521";
228			break;
229			default:
230			fatal("unknown key type %d", c->c_keytype);
231			break;
232			}
233			if ((r = kex_setup(c->c_ssh, myproposal)) != 0) {
234			free(c->c_ssh);
235			fprintf(stderr, "kex_setup: %s\n", ssh_err(r));
236			exit(1);
237			}
238			#ifdef WITH_OPENSSL
239			c->c_ssh->kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
240			c->c_ssh->kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
241			c->c_ssh->kex->kex[KEX_DH_GRP14_SHA256] = kexdh_client;
242			c->c_ssh->kex->kex[KEX_DH_GRP16_SHA512] = kexdh_client;
243			c->c_ssh->kex->kex[KEX_DH_GRP18_SHA512] = kexdh_client;
244			c->c_ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
245			c->c_ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
246			c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
247			#endif
248			c->c_ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_client;
249			ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper);
250			/*
251			* do the key-exchange until an error occurs or until
252			* the key_print_wrapper() callback sets c_done.
253			*/
254			ssh_dispatch_run(c->c_ssh, DISPATCH_BLOCK, &c->c_done);
255			}
256
257			static void
258			keyprint_one(const char host, struct sshkey key)
259			{
260			char *hostport;
261			const char known_host, hashed;
262
263			hostport = put_host_port(host, ssh_port);
264			lowercase(hostport);
265			if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
266			fatal("host_hash failed");
267			known_host = hash_hosts ? hashed : hostport;
268			if (!get_cert)
269			fprintf(stdout, "%s ", known_host);
270			sshkey_write(key, stdout);
271			fputs("\n", stdout);
272			free(hostport);
273			}
274
275			static void
276			keyprint(con c, struct sshkey key)
277			{
278			char *hosts = c->c_output_name ? c->c_output_name : c->c_name;
279			char host, ohosts;
280
281			if (key == NULL)
282			return;
283			if (get_cert \|\| (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) {
284			keyprint_one(hosts, key);
285			return;
286			}
287			ohosts = hosts = xstrdup(hosts);
288			while ((host = strsep(&hosts, ",")) != NULL)
289			keyprint_one(host, key);
290			free(ohosts);
291			}
292
293			static int
294			tcpconnect(char *host)
295			{
296			struct addrinfo hints, ai, aitop;
297			char strport[NI_MAXSERV];
298			int gaierr, s = -1;
299
300			snprintf(strport, sizeof strport, "%d", ssh_port);
301			memset(&hints, 0, sizeof(hints));
302			hints.ai_family = IPv4or6;
303			hints.ai_socktype = SOCK_STREAM;
304			if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
305			error("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
306			return -1;
307			}
308			for (ai = aitop; ai; ai = ai->ai_next) {
309			s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
310			if (s < 0) {
311			error("socket: %s", strerror(errno));
312			continue;
313			}
314			if (set_nonblock(s) == -1)
315			fatal("%s: set_nonblock(%d)", __func__, s);
316			if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0 &&
317			errno != EINPROGRESS)
318			error("connect (`%s'): %s", host, strerror(errno));
319			else
320			break;
321			close(s);
322			s = -1;
323			}
324			freeaddrinfo(aitop);
325			return s;
326			}
327
328			static int
329			conalloc(char iname, char oname, int keytype)
330			{
331			char namebase, name, *namelist;
332			int s;
333
334			namebase = namelist = xstrdup(iname);
335
336			do {
337			name = xstrsep(&namelist, ",");
338			if (!name) {
339			free(namebase);
340			return (-1);
341			}
342			} while ((s = tcpconnect(name)) < 0);
343
344			if (s >= maxfd)
345			fatal("conalloc: fdno %d too high", s);
346			if (fdcon[s].c_status)
347			fatal("conalloc: attempt to reuse fdno %d", s);
348
349			debug3("%s: oname %s kt %d", __func__, oname, keytype);
350			fdcon[s].c_fd = s;
351			fdcon[s].c_status = CS_CON;
352			fdcon[s].c_namebase = namebase;
353			fdcon[s].c_name = name;
354			fdcon[s].c_namelist = namelist;
355			fdcon[s].c_output_name = xstrdup(oname);
356			fdcon[s].c_data = (char *) &fdcon[s].c_plen;
357			fdcon[s].c_len = 4;
358			fdcon[s].c_off = 0;
359			fdcon[s].c_keytype = keytype;
360			gettimeofday(&fdcon[s].c_tv, NULL);
361			fdcon[s].c_tv.tv_sec += timeout;
362			TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link);
363			FD_SET(s, read_wait);
364			ncon++;
365			return (s);
366			}
367
368			static void
369			confree(int s)
370			{
371			if (s >= maxfd \|\| fdcon[s].c_status == CS_UNUSED)
372			fatal("confree: attempt to free bad fdno %d", s);
373			free(fdcon[s].c_namebase);
374			free(fdcon[s].c_output_name);
375			if (fdcon[s].c_status == CS_KEYS)
376			free(fdcon[s].c_data);
377			fdcon[s].c_status = CS_UNUSED;
378			fdcon[s].c_keytype = 0;
379			if (fdcon[s].c_ssh) {
380			ssh_packet_close(fdcon[s].c_ssh);
381			free(fdcon[s].c_ssh);
382			fdcon[s].c_ssh = NULL;
383			} else
384			close(s);
385			TAILQ_REMOVE(&tq, &fdcon[s], c_link);
386			FD_CLR(s, read_wait);
387			ncon--;
388			}
389
390			static void
391			contouch(int s)
392			{
393			TAILQ_REMOVE(&tq, &fdcon[s], c_link);
394			gettimeofday(&fdcon[s].c_tv, NULL);
395			fdcon[s].c_tv.tv_sec += timeout;
396			TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link);
397			}
398
399			static int
400			conrecycle(int s)
401			{
402			con *c = &fdcon[s];
403			int ret;
404
405			ret = conalloc(c->c_namelist, c->c_output_name, c->c_keytype);
406			confree(s);
407			return (ret);
408			}
409
410			static void
411			congreet(int s)
412			{
413			int n = 0, remote_major = 0, remote_minor = 0;
414			char buf[256], *cp;
415			char remote_version[sizeof buf];
416			size_t bufsiz;
417			con *c = &fdcon[s];
418
419			/* send client banner */
420			n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
421			PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2);
422			if (n < 0 \|\| (size_t)n >= sizeof(buf)) {
423			error("snprintf: buffer too small");
424			confree(s);
425			return;
426			}
427			if (atomicio(vwrite, s, buf, n) != (size_t)n) {
428			error("write (%s): %s", c->c_name, strerror(errno));
429			confree(s);
430			return;
431			}
432
433			for (;;) {
434			memset(buf, '\0', sizeof(buf));
435			bufsiz = sizeof(buf);
436			cp = buf;
437			while (bufsiz-- &&
438			(n = atomicio(read, s, cp, 1)) == 1 && *cp != '\n') {
439			if (*cp == '\r')
440			*cp = '\n';
441			cp++;
442			}
443			if (n != 1 \|\| strncmp(buf, "SSH-", 4) == 0)
444			break;
445			}
446			if (n == 0) {
447			switch (errno) {
448			case EPIPE:
449			error("%s: Connection closed by remote host", c->c_name);
450			break;
451			case ECONNREFUSED:
452			break;
453			default:
454			error("read (%s): %s", c->c_name, strerror(errno));
455			break;
456			}
457			conrecycle(s);
458			return;
459			}
460			if (cp != '\n' && cp != '\r') {
461			error("%s: bad greeting", c->c_name);
462			confree(s);
463			return;
464			}
465			*cp = '\0';
466			if ((c->c_ssh = ssh_packet_set_connection(NULL, s, s)) == NULL)
467			fatal("ssh_packet_set_connection failed");
468			ssh_packet_set_timeout(c->c_ssh, timeout, 1);
469			ssh_set_app_data(c->c_ssh, c); /* back link */
470			if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
471			&remote_major, &remote_minor, remote_version) == 3)
472			c->c_ssh->compat = compat_datafellows(remote_version);
473			else
474			c->c_ssh->compat = 0;
475			if (!ssh2_capable(remote_major, remote_minor)) {
476			debug("%s doesn't support ssh2", c->c_name);
477			confree(s);
478			return;
479			}
480			fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf));
481			keygrab_ssh2(c);
482			confree(s);
483			}
484
485			static void
486			conread(int s)
487			{
488			con *c = &fdcon[s];
489			size_t n;
490
491			if (c->c_status == CS_CON) {
492			congreet(s);
493			return;
494			}
495			n = atomicio(read, s, c->c_data + c->c_off, c->c_len - c->c_off);
496			if (n == 0) {
497			error("read (%s): %s", c->c_name, strerror(errno));
498			confree(s);
499			return;
500			}
501			c->c_off += n;
502
503			if (c->c_off == c->c_len)
504			switch (c->c_status) {
505			case CS_SIZE:
506			c->c_plen = htonl(c->c_plen);
507			c->c_len = c->c_plen + 8 - (c->c_plen & 7);
508			c->c_off = 0;
509			c->c_data = xmalloc(c->c_len);
510			c->c_status = CS_KEYS;
511			break;
512			default:
513			fatal("conread: invalid status %d", c->c_status);
514			break;
515			}
516
517			contouch(s);
518			}
519
520			static void
521			conloop(void)
522			{
523			struct timeval seltime, now;
524			fd_set r, e;
525			con *c;
526			int i;
527
528			gettimeofday(&now, NULL);
529			c = TAILQ_FIRST(&tq);
530
531			if (c && (c->c_tv.tv_sec > now.tv_sec \|\|
532			(c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec > now.tv_usec))) {
533			seltime = c->c_tv;
534			seltime.tv_sec -= now.tv_sec;
535			seltime.tv_usec -= now.tv_usec;
536			if (seltime.tv_usec < 0) {
537			seltime.tv_usec += 1000000;
538			seltime.tv_sec--;
539			}
540			} else
541			timerclear(&seltime);
542
543			r = xcalloc(read_wait_nfdset, sizeof(fd_mask));
544			e = xcalloc(read_wait_nfdset, sizeof(fd_mask));
545			memcpy(r, read_wait, read_wait_nfdset * sizeof(fd_mask));
546			memcpy(e, read_wait, read_wait_nfdset * sizeof(fd_mask));
547
548			while (select(maxfd, r, NULL, e, &seltime) == -1 &&
549			(errno == EAGAIN \|\| errno == EINTR))
550			;
551
552			for (i = 0; i < maxfd; i++) {
553			if (FD_ISSET(i, e)) {
554			error("%s: exception!", fdcon[i].c_name);
555			confree(i);
556			} else if (FD_ISSET(i, r))
557			conread(i);
558			}
559			free(r);
560			free(e);
561
562			c = TAILQ_FIRST(&tq);
563			while (c && (c->c_tv.tv_sec < now.tv_sec \|\|
564			(c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec < now.tv_usec))) {
565			int s = c->c_fd;
566
567			c = TAILQ_NEXT(c, c_link);
568			conrecycle(s);
569			}
570			}
571
572			static void
573			do_host(char *host)
574			{
575			char *name = strnnsep(&host, " \t\n");
576			int j;
577
578			if (name == NULL)
579			return;
580			for (j = KT_MIN; j <= KT_MAX; j *= 2) {
581			if (get_keytypes & j) {
582			while (ncon >= MAXCON)
583			conloop();
584			conalloc(name, *host ? host : name, j);
585			}
586			}
587			}
588
589			void
590			fatal(const char *fmt,...)
591			{
592			va_list args;
593
594			va_start(args, fmt);
595			do_log(SYSLOG_LEVEL_FATAL, fmt, args);
596			va_end(args);
597			exit(255);
598			}
599
600			static void
601			usage(void)
602			{
603			fprintf(stderr,
604			"usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n"
605			"\t\t [host \| addrlist namelist] ...\n",
606			__progname);
607			exit(1);
608			}
609
610			int
611			main(int argc, char **argv)
612			{
613			int debug_flag = 0, log_level = SYSLOG_LEVEL_INFO;
614			int opt, fopt_count = 0, j;
615			char tname, cp, line[NI_MAXHOST];
616			FILE *fp;
617			u_long linenum;
618
619			extern int optind;
620			extern char *optarg;
621
622			ssh_malloc_init(); /* must be called before any mallocs */
623			TAILQ_INIT(&tq);
624
625			/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
626			sanitise_stdfd();
627
628			if (argc <= 1)
629			usage();
630
631			while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
632			switch (opt) {
633			case 'H':
634			hash_hosts = 1;
635			break;
636			case 'c':
637			get_cert = 1;
638			break;
639			case 'p':
640			ssh_port = a2port(optarg);
641			if (ssh_port <= 0) {
642			fprintf(stderr, "Bad port '%s'\n", optarg);
643			exit(1);
644			}
645			break;
646			case 'T':
647			timeout = convtime(optarg);
648			if (timeout == -1 \|\| timeout == 0) {
649			fprintf(stderr, "Bad timeout '%s'\n", optarg);
650			usage();
651			}
652			break;
653			case 'v':
654			if (!debug_flag) {
655			debug_flag = 1;
656			log_level = SYSLOG_LEVEL_DEBUG1;
657			}
658			else if (log_level < SYSLOG_LEVEL_DEBUG3)
659			log_level++;
660			else
661			fatal("Too high debugging level.");
662			break;
663			case 'f':
664			if (strcmp(optarg, "-") == 0)
665			optarg = NULL;
666			argv[fopt_count++] = optarg;
667			break;
668			case 't':
669			get_keytypes = 0;
670			tname = strtok(optarg, ",");
671			while (tname) {
672			int type = sshkey_type_from_name(tname);
673
674			switch (type) {
675			case KEY_DSA:
676			get_keytypes \|= KT_DSA;
677			break;
678			case KEY_ECDSA:
679			get_keytypes \|= KT_ECDSA;
680			break;
681			case KEY_RSA:
682			get_keytypes \|= KT_RSA;
683			break;
684			case KEY_ED25519:
685			get_keytypes \|= KT_ED25519;
686			break;
687			case KEY_UNSPEC:
688			default:
689			fatal("Unknown key type \"%s\"", tname);
690			}
691			tname = strtok(NULL, ",");
692			}
693			break;
694			case '4':
695			IPv4or6 = AF_INET;
696			break;
697			case '6':
698			IPv4or6 = AF_INET6;
699			break;
700			case '?':
701			default:
702			usage();
703			}
704			}
705			if (optind == argc && !fopt_count)
706			usage();
707
708			log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1);
709
710			maxfd = fdlim_get(1);
711			if (maxfd < 0)
712			fatal("%s: fdlim_get: bad value", __progname);
713			if (maxfd > MAXMAXFD)
714			maxfd = MAXMAXFD;
715			if (MAXCON <= 0)
716			fatal("%s: not enough file descriptors", __progname);
717			if (maxfd > fdlim_get(0))
718			fdlim_set(maxfd);
719			fdcon = xcalloc(maxfd, sizeof(con));
720
721			read_wait_nfdset = howmany(maxfd, NFDBITS);
722			read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask));
723
724			for (j = 0; j < fopt_count; j++) {
725			if (argv[j] == NULL)
726			fp = stdin;
727			else if ((fp = fopen(argv[j], "r")) == NULL)
728			fatal("%s: %s: %s", __progname, argv[j],
729			strerror(errno));
730			linenum = 0;
731
732			while (read_keyfile_line(fp,
733			argv[j] == NULL ? "(stdin)" : argv[j], line, sizeof(line),
734			&linenum) != -1) {
735			/* Chomp off trailing whitespace and comments */
736			if ((cp = strchr(line, '#')) == NULL)
737			cp = line + strlen(line) - 1;
738			while (cp >= line) {
739			if (cp == ' ' \|\| cp == '\t' \|\|
740			cp == '\n' \|\| cp == '#')
741			*cp-- = '\0';
742			else
743			break;
744			}
745
746			/* Skip empty lines */
747			if (*line == '\0')
748			continue;
749
750			do_host(line);
751			}
752
753			if (ferror(fp))
754			fatal("%s: %s: %s", __progname, argv[j],
755			strerror(errno));
756
757			fclose(fp);
758			}
759
760			while (optind < argc)
761			do_host(argv[optind++]);
762
763			while (ncon > 0)
764			conloop();
765
766			return (0);
767			}