diff options
Diffstat (limited to 'lib/ssh/src')
27 files changed, 3291 insertions, 2245 deletions
| diff --git a/lib/ssh/src/Makefile b/lib/ssh/src/Makefile index 7ab6f22424..9e8d80c71f 100644 --- a/lib/ssh/src/Makefile +++ b/lib/ssh/src/Makefile @@ -1,7 +1,7 @@  #  # %CopyrightBegin%  # -# Copyright Ericsson AB 2004-2016. All Rights Reserved. +# Copyright Ericsson AB 2004-2017. All Rights Reserved.  #  # Licensed under the Apache License, Version 2.0 (the "License");  # you may not use this file except in compliance with the License. @@ -51,6 +51,7 @@ MODULES= \  	ssh_sup \  	sshc_sup \  	sshd_sup \ +	ssh_options \  	ssh_connection_sup \  	ssh_connection \  	ssh_connection_handler \ diff --git a/lib/ssh/src/ssh.app.src b/lib/ssh/src/ssh.app.src index 7859ab4064..974292fde1 100644 --- a/lib/ssh/src/ssh.app.src +++ b/lib/ssh/src/ssh.app.src @@ -7,6 +7,7 @@  	     ssh_app,  	     ssh_acceptor,  	     ssh_acceptor_sup, +             ssh_options,  	     ssh_auth,  	     ssh_message,  	     ssh_bits, diff --git a/lib/ssh/src/ssh.erl b/lib/ssh/src/ssh.erl index 290525cec0..032d87bdad 100644 --- a/lib/ssh/src/ssh.erl +++ b/lib/ssh/src/ssh.erl @@ -26,6 +26,7 @@  -include("ssh_connect.hrl").  -include_lib("public_key/include/public_key.hrl").  -include_lib("kernel/include/file.hrl"). +-include_lib("kernel/include/inet.hrl").  -export([start/0, start/1, stop/0,  	 connect/2, connect/3, connect/4, @@ -34,16 +35,31 @@  	 daemon/1, daemon/2, daemon/3,  	 daemon_info/1,  	 default_algorithms/0, +         chk_algos_opts/1,  	 stop_listener/1, stop_listener/2,  stop_listener/3,  	 stop_daemon/1, stop_daemon/2, stop_daemon/3,  	 shell/1, shell/2, shell/3  	]).  %%% Type exports --export_type([connection_ref/0, -	      channel_id/0 +-export_type([ssh_daemon_ref/0, +              ssh_connection_ref/0, +	      ssh_channel_id/0, +              role/0, +              subsystem_spec/0, +              subsystem_name/0, +              channel_callback/0, +              channel_init_args/0, +              algs_list/0, +              alg_entry/0, +              simple_algs/0, +              double_algs/0  	     ]). +-opaque ssh_daemon_ref()     :: daemon_ref() . +-opaque ssh_connection_ref() :: connection_ref() . +-opaque ssh_channel_id()     :: channel_id(). +  %%--------------------------------------------------------------------  -spec start() -> ok | {error, term()}.  -spec start(permanent | transient | temporary) -> ok | {error, term()}. @@ -71,55 +87,63 @@ stop() ->      application:stop(ssh).  %%-------------------------------------------------------------------- --spec connect(port(), proplists:proplist()) -> {ok, pid()} |  {error, term()}. +-spec connect(inet:socket(), proplists:proplist()) -> ok_error(connection_ref()). + +-spec connect(inet:socket(), proplists:proplist(), timeout()) -> ok_error(connection_ref()) +           ; (string(), inet:port_number(), proplists:proplist()) -> ok_error(connection_ref()). --spec connect(port(),   proplists:proplist(), timeout()) -> {ok, pid()} |  {error, term()} -           ; (string(), integer(), proplists:proplist()) -> {ok, pid()} |  {error, term()}. +-spec connect(string(), inet:port_number(), proplists:proplist(), timeout()) -> ok_error(connection_ref()). --spec connect(string(), integer(), proplists:proplist(), timeout()) -> {ok, pid()} |  {error, term()}.  %%  %% Description: Starts an ssh connection.  %%-------------------------------------------------------------------- -connect(Socket, Options) -> -    connect(Socket, Options, infinity). +connect(Socket, UserOptions) when is_port(Socket), +                                  is_list(UserOptions) -> +    connect(Socket, UserOptions, infinity). -connect(Socket, Options, Timeout) when is_port(Socket) -> -    case handle_options(Options) of +connect(Socket, UserOptions, Timeout) when is_port(Socket), +                                           is_list(UserOptions) -> +    case ssh_options:handle_options(client, UserOptions) of  	{error, Error} ->  	    {error, Error}; -	{_SocketOptions, SshOptions} -> -	    case valid_socket_to_use(Socket, Options) of +	Options -> +            case valid_socket_to_use(Socket, ?GET_OPT(transport,Options)) of  		ok ->  		    {ok, {Host,_Port}} = inet:sockname(Socket), -		    Opts =  [{user_pid,self()}, {host,fmt_host(Host)} | SshOptions], +		    Opts = ?PUT_INTERNAL_OPT([{user_pid,self()}, {host,Host}], Options),  		    ssh_connection_handler:start_connection(client, Socket, Opts, Timeout);  		{error,SockError} ->  		    {error,SockError}  	    end      end; -connect(Host, Port, Options) when is_integer(Port), Port>0 -> -    connect(Host, Port, Options, infinity). +connect(Host, Port, UserOptions) when is_integer(Port), +                                      Port>0, +                                      is_list(UserOptions) -> +    connect(Host, Port, UserOptions, infinity). -connect(Host, Port, Options, Timeout) -> -    case handle_options(Options) of +connect(Host0, Port, UserOptions, Timeout) when is_integer(Port), +                                               Port>0, +                                               is_list(UserOptions) -> +    case ssh_options:handle_options(client, UserOptions) of  	{error, _Reason} = Error ->  	    Error; -	{SocketOptions, SshOptions} -> -	    {_, Transport, _} = TransportOpts = -		proplists:get_value(transport, Options, {tcp, gen_tcp, tcp_closed}), -	    ConnectionTimeout = proplists:get_value(connect_timeout, Options, infinity), -	    try Transport:connect(Host, Port,  [ {active, false} | SocketOptions], ConnectionTimeout) of +        Options -> +	    {_, Transport, _} = TransportOpts = ?GET_OPT(transport, Options), +	    ConnectionTimeout = ?GET_OPT(connect_timeout, Options), +            SocketOpts = [{active,false} | ?GET_OPT(socket_options,Options)], +            Host = mangle_connect_address(Host0, SocketOpts), +	    try Transport:connect(Host, Port, SocketOpts, ConnectionTimeout) of  		{ok, Socket} -> -		    Opts =  [{user_pid,self()}, {host,Host} | SshOptions], +		    Opts = ?PUT_INTERNAL_OPT([{user_pid,self()}, {host,Host}], Options),  		    ssh_connection_handler:start_connection(client, Socket, Opts, Timeout);  		{error, Reason} ->  		    {error, Reason}  	    catch -		exit:{function_clause, _} -> +		exit:{function_clause, _F} ->  		    {error, {options, {transport, TransportOpts}}};  		exit:badarg -> -		    {error, {options, {socket_options, SocketOptions}}} +		    {error, {options, {socket_options, SocketOpts}}}  	    end      end. @@ -148,9 +172,11 @@ channel_info(ConnectionRef, ChannelId, Options) ->      ssh_connection_handler:channel_info(ConnectionRef, ChannelId, Options).  %%-------------------------------------------------------------------- --spec daemon(integer()) -> {ok, pid()} | {error, term()}. --spec daemon(integer()|port(), proplists:proplist()) -> {ok, pid()} | {error, term()}. --spec daemon(any | inet:ip_address(), integer(), proplists:proplist()) -> {ok, pid()} | {error, term()}. +-spec daemon(inet:port_number()) ->  ok_error(daemon_ref()). +-spec daemon(inet:port_number()|inet:socket(), proplists:proplist()) -> ok_error(daemon_ref()). +-spec daemon(any | inet:ip_address(), inet:port_number(), proplists:proplist()) -> ok_error(daemon_ref()) +           ;(socket, inet:socket(), proplists:proplist()) -> ok_error(daemon_ref()) +            .  %% Description: Starts a server listening for SSH connections  %% on the given port. @@ -158,34 +184,117 @@ channel_info(ConnectionRef, ChannelId, Options) ->  daemon(Port) ->      daemon(Port, []). -daemon(Port, Options) when is_integer(Port) -> -    daemon(any, Port, Options); -daemon(Socket, Options0) when is_port(Socket) -> -    Options = daemon_shell_opt(Options0), -    start_daemon(Socket, Options). +daemon(Socket, UserOptions) when is_port(Socket) -> +    try +        #{} = Options = ssh_options:handle_options(server, UserOptions), + +        case valid_socket_to_use(Socket, ?GET_OPT(transport,Options)) of +            ok -> +                {ok, {IP,Port}} = inet:sockname(Socket), +                finalize_start(IP, Port, ?GET_OPT(profile, Options), +                               ?PUT_INTERNAL_OPT({connected_socket, Socket}, Options), +                               fun(Opts, DefaultResult) -> +                                       try ssh_acceptor:handle_established_connection( +                                             IP, Port, Opts, Socket) +                                       of +                                           {error,Error} -> +                                               {error,Error}; +                                           _ -> +                                               DefaultResult +                                       catch +                                           C:R -> +                                               {error,{could_not_start_connection,{C,R}}} +                                       end +                               end); +            {error,SockError} -> +                {error,SockError} +            end +    catch +        throw:bad_fd -> +            {error,bad_fd}; +        throw:bad_socket -> +            {error,bad_socket}; +        error:{badmatch,{error,Error}} -> +            {error,Error}; +        error:Error -> +            {error,Error}; +        _C:_E -> +            {error,{cannot_start_daemon,_C,_E}} +    end; + +daemon(Port, UserOptions) when 0 =< Port, Port =< 65535 -> +    daemon(any, Port, UserOptions). + + +daemon(Host0, Port0, UserOptions0) when 0 =< Port0, Port0 =< 65535, +                                        Host0 == any ; Host0 == loopback ; is_tuple(Host0) -> +    try +        {Host1, UserOptions} = handle_daemon_args(Host0, UserOptions0), +        #{} = Options0 = ssh_options:handle_options(server, UserOptions), + +        {{Host,Port}, ListenSocket} = +            open_listen_socket(Host1, Port0, Options0), + +        %% Now Host,Port is what to use for the supervisor to register its name, +        %% and ListenSocket is for listening on connections. But it is still owned +        %% by self()... + +        finalize_start(Host, Port, ?GET_OPT(profile, Options0), +                       ?PUT_INTERNAL_OPT({lsocket,{ListenSocket,self()}}, Options0), +                       fun(Opts, Result) -> +                               {_, Callback, _} = ?GET_OPT(transport, Opts), +                               receive +                                   {request_control, ListenSocket, ReqPid} -> +                                       ok = Callback:controlling_process(ListenSocket, ReqPid), +                                       ReqPid ! {its_yours,ListenSocket}, +                                       Result +                               end +                       end) +    catch +        throw:bad_fd -> +            {error,bad_fd}; +        throw:bad_socket -> +            {error,bad_socket}; +        error:{badmatch,{error,Error}} -> +            {error,Error}; +        error:Error -> +            {error,Error}; +        _C:_E -> +            {error,{cannot_start_daemon,_C,_E}} +    end; + +daemon(_, _, _) -> +    {error, badarg}. + -daemon(HostAddr, Port, Options0) -> -    Options1 = daemon_shell_opt(Options0), -    {Host, Inet, Options} = daemon_host_inet_opt(HostAddr, Options1), -    start_daemon(Host, Port, Options, Inet).  %%-------------------------------------------------------------------- +-spec daemon_info(daemon_ref()) -> ok_error( [{atom(), term()}] ). +  daemon_info(Pid) ->      case catch ssh_system_sup:acceptor_supervisor(Pid) of  	AsupPid when is_pid(AsupPid) -> -	    [Port] = -		[Prt || {{ssh_acceptor_sup,_,Prt,_}, -			 _WorkerPid,worker,[ssh_acceptor]} <- supervisor:which_children(AsupPid)], -	    {ok, [{port,Port}]}; - +	    [{IP,Port,Profile}] = +		[{IP,Prt,Prf}  +                 || {{ssh_acceptor_sup,Hst,Prt,Prf},_Pid,worker,[ssh_acceptor]}  +                        <- supervisor:which_children(AsupPid), +                    IP <- [case inet:parse_strict_address(Hst) of +                               {ok,IP} -> IP; +                               _ -> Hst +                           end] +                ], +	    {ok, [{port,Port}, +                  {ip,IP}, +                  {profile,Profile} +                 ]};  	_ ->  	    {error,bad_daemon_ref}      end.  %%-------------------------------------------------------------------- --spec stop_listener(pid()) -> ok. --spec stop_listener(inet:ip_address(), integer()) -> ok. +-spec stop_listener(daemon_ref()) -> ok. +-spec stop_listener(inet:ip_address(), inet:port_number()) -> ok.  %%  %% Description: Stops the listener, but leaves  %% existing connections started by the listener up and running. @@ -194,12 +303,19 @@ stop_listener(SysSup) ->      ssh_system_sup:stop_listener(SysSup).  stop_listener(Address, Port) ->      stop_listener(Address, Port, ?DEFAULT_PROFILE). +stop_listener(any, Port, Profile) -> +    map_ip(fun(IP) -> +                   ssh_system_sup:stop_listener(IP, Port, Profile)  +           end, [{0,0,0,0},{0,0,0,0,0,0,0,0}]);  stop_listener(Address, Port, Profile) -> -    ssh_system_sup:stop_listener(Address, Port, Profile). +    map_ip(fun(IP) -> +                   ssh_system_sup:stop_listener(IP, Port, Profile)  +           end, {address,Address}).  %%-------------------------------------------------------------------- --spec stop_daemon(pid()) -> ok. --spec stop_daemon(inet:ip_address(), integer()) -> ok. +-spec stop_daemon(daemon_ref()) -> ok. +-spec stop_daemon(inet:ip_address(), inet:port_number()) -> ok. +-spec stop_daemon(inet:ip_address(), inet:port_number(), atom()) -> ok.  %%  %% Description: Stops the listener and all connections started by  %% the listener. @@ -207,13 +323,20 @@ stop_listener(Address, Port, Profile) ->  stop_daemon(SysSup) ->      ssh_system_sup:stop_system(SysSup).  stop_daemon(Address, Port) -> -    ssh_system_sup:stop_system(Address, Port, ?DEFAULT_PROFILE). +    stop_daemon(Address, Port, ?DEFAULT_PROFILE). +stop_daemon(any, Port, Profile) -> +    map_ip(fun(IP) -> +                   ssh_system_sup:stop_system(IP, Port, Profile)  +           end, [{0,0,0,0},{0,0,0,0,0,0,0,0}]);  stop_daemon(Address, Port, Profile) -> -    ssh_system_sup:stop_system(Address, Port, Profile). +    map_ip(fun(IP) -> +                   ssh_system_sup:stop_system(IP, Port, Profile)  +           end, {address,Address}). +  %%-------------------------------------------------------------------- --spec shell(port() | string()) ->  _. --spec shell(port() | string(), proplists:proplist()) ->  _. --spec shell(string(), integer(), proplists:proplist()) ->  _. +-spec shell(inet:socket() | string()) ->  _. +-spec shell(inet:socket() | string(), proplists:proplist()) ->  _. +-spec shell(string(), inet:port_number(), proplists:proplist()) ->  _.  %%   Host = string()  %%   Port = integer() @@ -254,747 +377,137 @@ start_shell(Error) ->      Error.  %%-------------------------------------------------------------------- +-spec default_algorithms() -> algs_list() .  %%--------------------------------------------------------------------  default_algorithms() ->      ssh_transport:default_algorithms().  %%-------------------------------------------------------------------- -%%% Internal functions +-spec chk_algos_opts(list(any())) -> algs_list() .  %%-------------------------------------------------------------------- -valid_socket_to_use(Socket, Options) -> -    case proplists:get_value(transport, Options, {tcp, gen_tcp, tcp_closed}) of -	{tcp,_,_} -> -	    %% Is this tcp-socket a valid socket? -	    case {is_tcp_socket(Socket), -		  {ok,[{active,false}]} == inet:getopts(Socket, [active]) -		 } -	    of -		{true, true} -> -		    ok; -		{true, false} -> -		    {error, not_passive_mode}; -		_ -> -		    {error, not_tcp_socket} -	    end; -	{L4,_,_} -> -	    {error, {unsupported,L4}} -    end. - -is_tcp_socket(Socket) -> -    case inet:getopts(Socket, [delay_send]) of -        {ok,[_]} -> true; -        _ -> false -    end. - -daemon_shell_opt(Options) -> -     case proplists:get_value(shell, Options) of -	 undefined -> -	     [{shell, {shell, start, []}}  | Options]; -	 _ -> -	     Options -     end. - -daemon_host_inet_opt(HostAddr, Options1) -> -    case HostAddr of -	any -> -	    {ok, Host0} = inet:gethostname(), -	    {Host0,  proplists:get_value(inet, Options1, inet), Options1}; -	{_,_,_,_} -> -	    {HostAddr, inet, -	     [{ip, HostAddr} | Options1]}; -	{_,_,_,_,_,_,_,_} -> -	    {HostAddr, inet6, -	     [{ip, HostAddr} | Options1]} +chk_algos_opts(Opts) -> +    case lists:foldl( +           fun({preferred_algorithms,_}, Acc) -> Acc; +              ({modify_algorithms,_}, Acc) -> Acc; +              (KV, Acc) -> [KV|Acc] +           end, [], Opts) +    of +        [] -> +            case ssh_options:handle_options(client, Opts) of +                M when is_map(M) -> +                    maps:get(preferred_algorithms, M); +                Others -> +                    Others +            end; +        OtherOps -> +            {error, {non_algo_opts_found,OtherOps}}      end. +%%-------------------------------------------------------------------- +%%% Internal functions +%%-------------------------------------------------------------------- +%% The handle_daemon_args/2 function basically only sets the ip-option in Opts +%% so that it is correctly set when opening the listening socket. -start_daemon(Socket, Options) -> -    case handle_options(Options) of -	{error, Error} -> -	    {error, Error}; -	{SocketOptions, SshOptions} -> -	    case valid_socket_to_use(Socket, Options) of -		ok -> -		    try -			do_start_daemon(Socket, [{role,server}|SshOptions], SocketOptions) -		    catch -			throw:bad_fd -> {error,bad_fd}; -			throw:bad_socket -> {error,bad_socket}; -			_C:_E -> {error,{cannot_start_daemon,_C,_E}} -		    end; -		{error,SockError} -> -		    {error,SockError} -	    end -    end. - -start_daemon(Host, Port, Options, Inet) -> -    case handle_options(Options) of -	{error, _Reason} = Error -> -	    Error; -	{SocketOptions, SshOptions}-> -	    try -		do_start_daemon(Host, Port, [{role,server}|SshOptions] , [Inet|SocketOptions]) -	    catch -		throw:bad_fd -> {error,bad_fd}; -		throw:bad_socket -> {error,bad_socket}; -		_C:_E -> {error,{cannot_start_daemon,_C,_E}} -	    end -    end. +handle_daemon_args(any, Opts) -> +    case proplists:get_value(ip, Opts) of +        undefined -> {any, Opts}; +        IP -> {IP, Opts} +    end; -do_start_daemon(Socket, SshOptions, SocketOptions) -> -    {ok, {IP,Port}} = -	try {ok,_} = inet:sockname(Socket) -	catch -	    _:_ -> throw(bad_socket) -	end, -    Host = fmt_host(IP), -    Profile = proplists:get_value(profile, SshOptions, ?DEFAULT_PROFILE), -    Opts = [{asocket, Socket}, -	    {asock_owner,self()}, -	    {address, Host}, -	    {port, Port}, -	    {role, server}, -	    {socket_opts, SocketOptions}, -	    {ssh_opts, SshOptions}], -    {_, Callback, _} = proplists:get_value(transport, SshOptions, {tcp, gen_tcp, tcp_closed}), -    case ssh_system_sup:system_supervisor(Host, Port, Profile) of -	undefined -> -	    %% It would proably make more sense to call the -	    %% address option host but that is a too big change at the -	    %% monent. The name is a legacy name! -	    try sshd_sup:start_child(Opts) of -		{error, {already_started, _}} -> -		    {error, eaddrinuse}; -		Result = {ok,_} -> -		    call_ssh_acceptor_handle_connection(Callback, Host, Port, Opts, Socket, Result); -		Result = {error, _} -> -		    Result -	    catch -		exit:{noproc, _} -> -		    {error, ssh_not_started} -	    end; -	Sup  -> -	    AccPid = ssh_system_sup:acceptor_supervisor(Sup), -	    case ssh_acceptor_sup:start_child(AccPid, Opts) of -		{error, {already_started, _}} -> -		    {error, eaddrinuse}; -		{ok, _} -> -		    call_ssh_acceptor_handle_connection(Callback, Host, Port, Opts, Socket, {ok, Sup}); -		Other -> -		    Other -	    end +handle_daemon_args(IPaddr, Opts) when is_tuple(IPaddr) ; IPaddr == loopback -> +    case proplists:get_value(ip, Opts) of +        undefined -> {IPaddr, [{ip,IPaddr}|Opts]}; +        IPaddr -> {IPaddr, Opts}; +        IP -> {IPaddr, [{ip,IPaddr}|Opts--[{ip,IP}]]} %% Backward compatibility      end. -do_start_daemon(Host0, Port0, SshOptions, SocketOptions) -> -    {Host,Port1} = -	try -	    case proplists:get_value(fd, SocketOptions) of -		undefined -> -		    {Host0,Port0}; -		Fd when Port0==0 -> -		    find_hostport(Fd); -		_ -> -		    {Host0,Port0} -	    end -	catch -	    _:_ -> throw(bad_fd) -	end, -    Profile = proplists:get_value(profile, SshOptions, ?DEFAULT_PROFILE), -    {Port, WaitRequestControl, Opts0} = -	case Port1 of -	    0 -> %% Allocate the socket here to get the port number... -		{_, Callback, _} = -		    proplists:get_value(transport, SshOptions, {tcp, gen_tcp, tcp_closed}), -		{ok,LSock} = ssh_acceptor:callback_listen(Callback, 0, SocketOptions), -		{ok,{_,LPort}} = inet:sockname(LSock), -		{LPort, -		 {LSock,Callback}, -		 [{lsocket,LSock},{lsock_owner,self()}] -		}; -	    _ -> -		{Port1, false, []} -	end, -    Opts = [{address, Host}, -	    {port, Port}, -	    {role, server}, -	    {socket_opts, SocketOptions}, -	    {ssh_opts, SshOptions} | Opts0], -    case ssh_system_sup:system_supervisor(Host, Port, Profile) of -	undefined -> -	    %% It would proably make more sense to call the -	    %% address option host but that is a too big change at the -	    %% monent. The name is a legacy name! -	    try sshd_sup:start_child(Opts) of -		{error, {already_started, _}} -> -		    {error, eaddrinuse}; -		Result = {ok,_} -> -		    sync_request_control(WaitRequestControl), -		    Result; -		Result = {error, _} -> -		    Result -	    catch -		exit:{noproc, _} -> -		    {error, ssh_not_started} -	    end; -	Sup  -> -	    AccPid = ssh_system_sup:acceptor_supervisor(Sup), -	    case ssh_acceptor_sup:start_child(AccPid, Opts) of -		{error, {already_started, _}} -> -		    {error, eaddrinuse}; -		{ok, _} -> -		    sync_request_control(WaitRequestControl), -		    {ok, Sup}; -		Other -> -		    Other -	    end -    end. - -call_ssh_acceptor_handle_connection(Callback, Host, Port, Opts, Socket, DefaultResult) -> -    try ssh_acceptor:handle_connection(Callback, Host, Port, Opts, Socket) +%%%---------------------------------------------------------------- +valid_socket_to_use(Socket, {tcp,_,_}) -> +    %% Is this tcp-socket a valid socket? +    try {is_tcp_socket(Socket), +         {ok,[{active,false}]} == inet:getopts(Socket, [active]) +        }      of -        {error,Error} -> {error,Error}; -        _ -> DefaultResult +        {true,  true} -> ok; +        {true, false} -> {error, not_passive_mode}; +        _ ->             {error, not_tcp_socket}      catch -        C:R -> {error,{could_not_start_connection,{C,R}}} -    end. -              - -sync_request_control(false) -> -    ok; -sync_request_control({LSock,Callback}) -> -    receive -	{request_control,LSock,ReqPid} -> -	    ok = Callback:controlling_process(LSock, ReqPid), -	    ReqPid ! {its_yours,LSock}, -	    ok -    end. - -find_hostport(Fd) -> -    %% Using internal functions inet:open/8 and inet:close/0. -    %% Don't try this at home unless you know what you are doing! -    {ok,S} = inet:open(Fd, {0,0,0,0}, 0, [], tcp, inet, stream, inet_tcp), -    {ok, HostPort} = inet:sockname(S), -    ok = inet:close(S), -    HostPort. - +        _:_ ->           {error, bad_socket} +    end; -handle_options(Opts) -> -    try handle_option(algs_compatibility(proplists:unfold(Opts)), [], []) of -	{Inet, Ssh} -> -	    {handle_ip(Inet), Ssh} -    catch -	throw:Error -> -	    Error -    end. +valid_socket_to_use(_, {L4,_,_}) -> +    {error, {unsupported,L4}}. -algs_compatibility(Os0) -> -    %% Take care of old options 'public_key_alg' and 'pref_public_key_algs' -    case proplists:get_value(public_key_alg, Os0) of -	undefined -> -	    Os0; -	A when is_atom(A) -> -	    %% Skip public_key_alg if pref_public_key_algs is defined: -	    Os = lists:keydelete(public_key_alg, 1, Os0), -	    case proplists:get_value(pref_public_key_algs,Os) of -		undefined when A == 'ssh-rsa' ; A==ssh_rsa -> -		    [{pref_public_key_algs,['ssh-rsa','ssh-dss']} | Os]; -		undefined when A == 'ssh-dss' ; A==ssh_dsa -> -		    [{pref_public_key_algs,['ssh-dss','ssh-rsa']} | Os]; -		undefined -> -		    throw({error, {eoptions, {public_key_alg,A} }}); -		_ -> -		    Os -	    end; -	V -> -	    throw({error, {eoptions, {public_key_alg,V} }}) +is_tcp_socket(Socket) -> +    case inet:getopts(Socket, [delay_send]) of +        {ok,[_]} -> true; +        _ -> false      end. - -handle_option([], SocketOptions, SshOptions) -> -    {SocketOptions, SshOptions}; -handle_option([{system_dir, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{user_dir, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{user_dir_fun, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{silently_accept_hosts, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{user_interaction, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{connect_timeout, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{user, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{dsa_pass_phrase, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{rsa_pass_phrase, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{password, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{user_passwords, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{pwdfun, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{key_cb, {Module, Options}} | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option({key_cb, Module}), -                                        handle_ssh_priv_option({key_cb_private, Options}) | -                                        SshOptions]); -handle_option([{key_cb, Module} | Rest], SocketOptions, SshOptions) -> -    handle_option([{key_cb, {Module, []}} | Rest], SocketOptions, SshOptions); -handle_option([{keyboard_interact_fun, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -%%Backwards compatibility -handle_option([{allow_user_interaction, Value}  | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option({user_interaction, Value}) | SshOptions]); -handle_option([{infofun, _} = Opt | Rest],SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{connectfun, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{disconnectfun, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{unexpectedfun, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{failfun, _} = Opt | Rest],  SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{ssh_msg_debug_fun, _} = Opt | Rest],  SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -%%Backwards compatibility should not be underscore between ip and v6 in API -handle_option([{ip_v6_disabled, Value} | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option({ipv6_disabled, Value}) | SshOptions]); -handle_option([{ipv6_disabled, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{transport, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{subsystems, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{ssh_cli, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{shell, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{exec, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{auth_methods, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{auth_method_kb_interactive_data, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{pref_public_key_algs, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{preferred_algorithms,_} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{dh_gex_groups,_} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{dh_gex_limits,_} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{quiet_mode, _} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{idle_time, _} = Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{rekey_limit, _} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{max_sessions, _} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{max_channels, _} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{negotiation_timeout, _} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{parallel_login, _} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -%% (Is handled by proplists:unfold above:) -%% handle_option([parallel_login|Rest], SocketOptions, SshOptions) -> -%%     handle_option(Rest, SocketOptions, [handle_ssh_option({parallel_login,true}) | SshOptions]); -handle_option([{minimal_remote_max_packet_size, _} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{id_string, _ID} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{profile, _ID} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{max_random_length_padding, _Bool} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([{tstflg, _} = Opt|Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); -handle_option([Opt | Rest], SocketOptions, SshOptions) -> -    handle_option(Rest, [handle_inet_option(Opt) | SocketOptions], SshOptions). - - -handle_ssh_option({tstflg,_F} = Opt) -> Opt; -handle_ssh_option({minimal_remote_max_packet_size, Value} = Opt) when is_integer(Value), Value >=0 -> -    Opt; -handle_ssh_option({system_dir, Value} = Opt) when is_list(Value) -> -    check_dir(Opt); -handle_ssh_option({user_dir, Value} = Opt) when is_list(Value) -> -    check_dir(Opt); -handle_ssh_option({user_dir_fun, Value} = Opt) when is_function(Value) -> -    Opt; -handle_ssh_option({silently_accept_hosts, Value} = Opt) when is_boolean(Value) -> -    Opt; -handle_ssh_option({silently_accept_hosts, Value} = Opt) when is_function(Value,2) -> -    Opt; -handle_ssh_option({silently_accept_hosts, {DigestAlg,Value}} = Opt) when is_function(Value,2) -> -    Algs = if is_atom(DigestAlg) -> [DigestAlg]; -              is_list(DigestAlg) -> DigestAlg; -              true -> throw({error, {eoptions, Opt}}) -           end, -    case [A || A <- Algs, -               not lists:member(A, [md5, sha, sha224, sha256, sha384, sha512])] of -        [_|_] = UnSup1 -> -            throw({error, {{eoptions, Opt}, {not_fingerprint_algos,UnSup1}}}); -        [] -> -            CryptoHashAlgs = proplists:get_value(hashs, crypto:supports(), []), -            case [A || A <- Algs, -                       not lists:member(A, CryptoHashAlgs)] of -                [_|_] = UnSup2 -> -                    throw({error, {{eoptions, Opt}, {unsupported_algo,UnSup2}}}); -                [] -> Opt -            end -    end; -handle_ssh_option({user_interaction, Value} = Opt) when is_boolean(Value) -> -    Opt; -handle_ssh_option({preferred_algorithms,[_|_]} = Opt) -> -    handle_pref_algs(Opt); - -handle_ssh_option({dh_gex_groups,L0}) when is_list(L0) -> -    {dh_gex_groups, -     collect_per_size( -       lists:foldl( -	 fun({N,G,P}, Acc) when is_integer(N),N>0, -				is_integer(G),G>0, -				is_integer(P),P>0 -> -		 [{N,{G,P}} | Acc]; -	    ({N,{G,P}}, Acc) when is_integer(N),N>0, -				  is_integer(G),G>0, -				  is_integer(P),P>0 -> -		 [{N,{G,P}} | Acc]; -	    ({N,GPs}, Acc) when is_list(GPs) -> -		 lists:foldr(fun({Gi,Pi}, Acci) when is_integer(Gi),Gi>0, -						     is_integer(Pi),Pi>0 -> -				     [{N,{Gi,Pi}} | Acci] -			     end, Acc, GPs) -	 end, [], L0))}; - -handle_ssh_option({dh_gex_groups,{Tag,File=[C|_]}}=Opt) when is_integer(C), C>0, -							      Tag == file ; -							      Tag == ssh_moduli_file -> -    {ok,GroupDefs} = -	case Tag of -	    file -> -		file:consult(File); -	    ssh_moduli_file -> -		case file:open(File,[read]) of -		    {ok,D} -> -			try -			    {ok,Moduli} = read_moduli_file(D, 1, []), -			    file:close(D), -			    {ok, Moduli} -			catch -			    _:_ -> -				throw({error, {{eoptions, Opt}, "Bad format in file "++File}}) -			end; -		    {error,enoent} -> -			throw({error, {{eoptions, Opt}, "File not found:"++File}}); -		    {error,Error} -> -			throw({error, {{eoptions, Opt}, io_lib:format("Error reading file ~s: ~p",[File,Error])}}) -		end -	end, - +%%%---------------------------------------------------------------- +open_listen_socket(_Host0, Port0, Options0) -> +    {ok,LSock} = +        case ?GET_SOCKET_OPT(fd, Options0) of +            undefined -> +                ssh_acceptor:listen(Port0, Options0); +            Fd when is_integer(Fd) -> +                %% Do gen_tcp:listen with the option {fd,Fd}: +                ssh_acceptor:listen(0, Options0) +        end, +    {ok,{LHost,LPort}} = inet:sockname(LSock), +    {{LHost,LPort}, LSock}. + +%%%---------------------------------------------------------------- +finalize_start(Host, Port, Profile, Options0, F) ->      try -	handle_ssh_option({dh_gex_groups,GroupDefs}) -    catch -	_:_ -> -	    throw({error, {{eoptions, Opt}, "Bad format in file: "++File}}) -    end; - +        %% throws error:Error if no usable hostkey is found +        ssh_connection_handler:available_hkey_algorithms(server, Options0), -handle_ssh_option({dh_gex_limits,{Min,Max}} = Opt) when is_integer(Min), Min>0, -							is_integer(Max), Max>=Min -> -    %% Server -    Opt; -handle_ssh_option({dh_gex_limits,{Min,I,Max}} = Opt) when is_integer(Min), Min>0, -							  is_integer(I),   I>=Min, -							  is_integer(Max), Max>=I -> -    %% Client -    Opt; -handle_ssh_option({pref_public_key_algs, Value} = Opt) when is_list(Value), length(Value) >= 1 -> -    case handle_user_pref_pubkey_algs(Value, []) of -	{true, NewOpts} -> -	    {pref_public_key_algs, NewOpts}; -	_ -> -	    throw({error, {eoptions, Opt}}) -    end; -handle_ssh_option({connect_timeout, Value} = Opt) when is_integer(Value); Value == infinity -> -    Opt; -handle_ssh_option({max_sessions, Value} = Opt) when is_integer(Value), Value>0 -> -    Opt; -handle_ssh_option({max_channels, Value} = Opt) when is_integer(Value), Value>0 -> -    Opt; -handle_ssh_option({negotiation_timeout, Value} = Opt) when is_integer(Value); Value == infinity -> -    Opt; -handle_ssh_option({parallel_login, Value} = Opt) when Value==true ; Value==false -> -    Opt; -handle_ssh_option({user, Value} = Opt) when is_list(Value) -> -    Opt; -handle_ssh_option({dsa_pass_phrase, Value} = Opt) when is_list(Value) -> -    Opt; -handle_ssh_option({rsa_pass_phrase, Value} = Opt) when is_list(Value) -> -    Opt; -handle_ssh_option({password, Value} = Opt) when is_list(Value) -> -    Opt; -handle_ssh_option({user_passwords, Value} = Opt) when is_list(Value)-> -    Opt; -handle_ssh_option({pwdfun, Value} = Opt) when is_function(Value,2) -> -    Opt; -handle_ssh_option({pwdfun, Value} = Opt) when is_function(Value,4) -> -    Opt; -handle_ssh_option({key_cb, Value} = Opt)  when is_atom(Value) -> -    Opt; -handle_ssh_option({key_cb, {CallbackMod, CallbackOptions}} = Opt) when is_atom(CallbackMod), -                                                                      is_list(CallbackOptions) -> -    Opt; -handle_ssh_option({keyboard_interact_fun, Value} = Opt) when is_function(Value,3) -> -    Opt; -handle_ssh_option({compression, Value} = Opt) when is_atom(Value) -> -    Opt; -handle_ssh_option({exec, {Module, Function, _}} = Opt) when is_atom(Module), -							    is_atom(Function) -> -    Opt; -handle_ssh_option({exec, Function} = Opt) when is_function(Function) -> -    Opt; -handle_ssh_option({auth_methods, Value} = Opt)  when is_list(Value) -> -    Opt; -handle_ssh_option({auth_method_kb_interactive_data, {Name,Instruction,Prompt,Echo}} = Opt) when is_list(Name), -												is_list(Instruction), -												is_list(Prompt), -												is_boolean(Echo) -> -    Opt; -handle_ssh_option({auth_method_kb_interactive_data, F} = Opt) when is_function(F,3) -> -    Opt; -handle_ssh_option({infofun, Value} = Opt)  when is_function(Value) -> -    Opt; -handle_ssh_option({connectfun, Value} = Opt) when is_function(Value) -> -    Opt; -handle_ssh_option({disconnectfun, Value} = Opt) when is_function(Value) -> -    Opt; -handle_ssh_option({unexpectedfun, Value} = Opt) when is_function(Value,2) -> -    Opt; -handle_ssh_option({failfun, Value} = Opt) when is_function(Value) -> -    Opt; -handle_ssh_option({ssh_msg_debug_fun, Value} = Opt) when is_function(Value,4) -> -    Opt; - -handle_ssh_option({ipv6_disabled, Value} = Opt) when is_boolean(Value) -> -    throw({error, {{ipv6_disabled, Opt}, option_no_longer_valid_use_inet_option_instead}}); -handle_ssh_option({transport, {Protocol, Cb, ClosTag}} = Opt) when is_atom(Protocol), -								   is_atom(Cb), -								   is_atom(ClosTag) -> -    Opt; -handle_ssh_option({subsystems, Value} = Opt) when is_list(Value) -> -    Opt; -handle_ssh_option({ssh_cli, {Cb, _}}= Opt) when is_atom(Cb) -> -    Opt; -handle_ssh_option({ssh_cli, no_cli} = Opt) -> -    Opt; -handle_ssh_option({shell, {Module, Function, _}} = Opt)  when is_atom(Module), -							      is_atom(Function) -> -    Opt; -handle_ssh_option({shell, Value} = Opt) when is_function(Value) -> -    Opt; -handle_ssh_option({quiet_mode, Value} = Opt) when is_boolean(Value) -> -    Opt; -handle_ssh_option({idle_time, Value} = Opt) when is_integer(Value), Value > 0 -> -    Opt; -handle_ssh_option({rekey_limit, Value} = Opt) when is_integer(Value) -> -    Opt; -handle_ssh_option({id_string, random}) -> -    {id_string, {random,2,5}}; %% 2 - 5 random characters -handle_ssh_option({id_string, ID} = Opt) when is_list(ID) -> -    Opt; -handle_ssh_option({max_random_length_padding, Value} = Opt) when is_integer(Value), -								 Value =< 255 -> -    Opt; -handle_ssh_option({profile, Value} = Opt) when is_atom(Value) -> -    Opt; -handle_ssh_option(Opt) -> -    throw({error, {eoptions, Opt}}). - -handle_ssh_priv_option({key_cb_private, Value} = Opt) when is_list(Value) -> -    Opt. - -handle_inet_option({active, _} = Opt) -> -    throw({error, {{eoptions, Opt}, "SSH has built in flow control, " -		   "and active is handled internally, user is not allowed" -		   "to specify this option"}}); - -handle_inet_option({inet, Value}) when (Value == inet) or (Value == inet6) -> -    Value; -handle_inet_option({reuseaddr, _} = Opt) -> -    throw({error, {{eoptions, Opt},"Is set internally, user is not allowed" -		   "to specify this option"}}); -%% Option verified by inet -handle_inet_option(Opt) -> -    Opt. - - -%% Check preferred algs - -handle_pref_algs({preferred_algorithms,Algs}) -> -    try alg_duplicates(Algs, [], []) of -	[] -> -	    {preferred_algorithms, -	     [try ssh_transport:supported_algorithms(Key) -	      of -		  DefAlgs -> handle_pref_alg(Key,Vals,DefAlgs) -	      catch -		  _:_ -> throw({error, {{eoptions, {preferred_algorithms,Key}}, -					"Bad preferred_algorithms key"}}) -	      end  || {Key,Vals} <- Algs] -	    }; - -	Dups -> -	    throw({error, {{eoptions, {preferred_algorithms,Dups}}, "Duplicates found"}}) +        sshd_sup:start_child(Host, Port, Profile, Options0) +    of +        {error, {already_started, _}} -> +            {error, eaddrinuse}; +        {error, Error} -> +            {error, Error}; +        Result = {ok,_} -> +            F(Options0, Result)      catch -	_:_ -> -	    throw({error, {{eoptions, preferred_algorithms}, "Malformed"}}) -    end. - -alg_duplicates([{K,V}|KVs], Ks, Dups0) -> -    Dups = -	case lists:member(K,Ks) of -	    true -> -		[K|Dups0]; -	    false -> -		Dups0 -	end, -    case V--lists:usort(V) of -	[] -> -	    alg_duplicates(KVs, [K|Ks], Dups); -	Ds -> -	    alg_duplicates(KVs, [K|Ks], Dups++Ds) -    end; -alg_duplicates([], _Ks, Dups) -> -    Dups. - -handle_pref_alg(Key, -		Vs=[{client2server,C2Ss=[_|_]},{server2client,S2Cs=[_|_]}], -		[{client2server,Sup_C2Ss},{server2client,Sup_S2Cs}] -	       ) -> -    chk_alg_vs(Key, C2Ss, Sup_C2Ss), -    chk_alg_vs(Key, S2Cs, Sup_S2Cs), -    {Key, Vs}; - -handle_pref_alg(Key, -		Vs=[{server2client,[_|_]},{client2server,[_|_]}], -		Sup=[{client2server,_},{server2client,_}] -	       ) -> -    handle_pref_alg(Key, lists:reverse(Vs), Sup); - -handle_pref_alg(Key, -		Vs=[V|_], -		Sup=[{client2server,_},{server2client,_}] -	       ) when is_atom(V) -> -    handle_pref_alg(Key, [{client2server,Vs},{server2client,Vs}], Sup); - -handle_pref_alg(Key, -		Vs=[V|_], -		Sup=[S|_] -	       ) when is_atom(V), is_atom(S) -> -    chk_alg_vs(Key, Vs, Sup), -    {Key, Vs}; - -handle_pref_alg(Key, Vs, _) -> -    throw({error, {{eoptions, {preferred_algorithms,[{Key,Vs}]}}, "Badly formed list"}}). - -chk_alg_vs(OptKey, Values, SupportedValues) -> -    case (Values -- SupportedValues) of -	[] -> Values; -	Bad -> throw({error, {{eoptions, {OptKey,Bad}}, "Unsupported value(s) found"}}) -    end. - -handle_ip(Inet) -> %% Default to ipv4 -    case lists:member(inet, Inet) of -	true -> -	    Inet; -	false -> -	    case lists:member(inet6, Inet) of -		true -> -		    Inet; -		false -> -		    [inet | Inet] -	    end -    end. - -check_dir({_,Dir} = Opt) -> -    case directory_exist_readable(Dir) of -	ok -> -	    Opt; -	{error,Error} -> -	    throw({error, {eoptions,{Opt,Error}}}) -    end. - -directory_exist_readable(Dir) -> -    case file:read_file_info(Dir) of -	{ok, #file_info{type = directory, -			access = Access}} -> -	    case Access of -		read -> ok; -		read_write -> ok; -		_ -> {error, eacces} -	    end; - -	{ok, #file_info{}}-> -	    {error, enotdir}; - -	{error, Error} -> -	    {error, Error} -    end. - - - -collect_per_size(L) -> -    lists:foldr( -      fun({Sz,GP}, [{Sz,GPs}|Acc]) -> [{Sz,[GP|GPs]}|Acc]; -	 ({Sz,GP}, Acc) -> [{Sz,[GP]}|Acc] -      end, [], lists:sort(L)). - -read_moduli_file(D, I, Acc) -> -    case io:get_line(D,"") of -	{error,Error} -> -	    {error,Error}; -	eof -> -	    {ok, Acc}; -	"#" ++ _ -> read_moduli_file(D, I+1, Acc); -	<<"#",_/binary>> ->  read_moduli_file(D, I+1, Acc); -	Data -> -	    Line = if is_binary(Data) -> binary_to_list(Data); -		      is_list(Data) -> Data -		   end, -	    try -		[_Time,_Type,_Tests,_Tries,Size,G,P] = string:tokens(Line," \r\n"), -		M = {list_to_integer(Size), -		     {list_to_integer(G), list_to_integer(P,16)} -		    }, -		read_moduli_file(D, I+1, [M|Acc]) -	    catch -		_:_ -> -		    read_moduli_file(D, I+1, Acc) -	    end +        error:{shutdown,Err} -> +            {error,Err}; +        exit:{noproc, _} -> +            {error, ssh_not_started}      end. -handle_user_pref_pubkey_algs([], Acc) -> -    {true, lists:reverse(Acc)}; -handle_user_pref_pubkey_algs([H|T], Acc) -> -    case lists:member(H, ?SUPPORTED_USER_KEYS) of -	true -> -	    handle_user_pref_pubkey_algs(T, [H| Acc]); - -	false when H==ssh_dsa -> handle_user_pref_pubkey_algs(T, ['ssh-dss'| Acc]); -	false when H==ssh_rsa -> handle_user_pref_pubkey_algs(T, ['ssh-rsa'| Acc]); - -	false -> -	    false +%%%---------------------------------------------------------------- +map_ip(Fun, {address,IP}) when is_tuple(IP) -> +    Fun(IP); +map_ip(Fun, {address,Address}) -> +    IPs = try {ok,#hostent{h_addr_list=IP0s}} = inet:gethostbyname(Address), +               IP0s +          catch +              _:_ -> [] +          end, +    map_ip(Fun, IPs); +map_ip(Fun, IPs) -> +    lists:map(Fun, IPs). + +%%%---------------------------------------------------------------- +mangle_connect_address(A, SockOpts) -> +    mangle_connect_address1(A, proplists:get_value(inet6,SockOpts,false)). + +loopback(true) -> {0,0,0,0,0,0,0,1}; +loopback(false) ->      {127,0,0,1}. + +mangle_connect_address1( loopback,     V6flg) -> loopback(V6flg); +mangle_connect_address1(      any,     V6flg) -> loopback(V6flg); +mangle_connect_address1({0,0,0,0},         _) -> loopback(false); +mangle_connect_address1({0,0,0,0,0,0,0,0}, _) -> loopback(true); +mangle_connect_address1(       IP,     _) when is_tuple(IP) -> IP; +mangle_connect_address1(A, _) -> +    case catch inet:parse_address(A) of +        {ok,         {0,0,0,0}} -> loopback(false); +        {ok, {0,0,0,0,0,0,0,0}} -> loopback(true); +        _ -> A      end. - -fmt_host({A,B,C,D}) -> -    lists:concat([A,".",B,".",C,".",D]); -fmt_host(T={_,_,_,_,_,_,_,_}) -> -    lists:flatten(string:join([io_lib:format("~.16B",[A]) || A <- tuple_to_list(T)], ":")). diff --git a/lib/ssh/src/ssh.hrl b/lib/ssh/src/ssh.hrl index 4cd91177f6..3dee1c5521 100644 --- a/lib/ssh/src/ssh.hrl +++ b/lib/ssh/src/ssh.hrl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2004-2016. All Rights Reserved. +%% Copyright Ericsson AB 2004-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -33,8 +33,11 @@  -define(REKEY_DATA_TIMOUT, 60000).  -define(DEFAULT_PROFILE, default). +-define(DEFAULT_TRANSPORT,  {tcp, gen_tcp, tcp_closed} ). + +-define(MAX_RND_PADDING_LEN, 15). +  -define(SUPPORTED_AUTH_METHODS, "publickey,keyboard-interactive,password"). --define(SUPPORTED_USER_KEYS, ['ssh-rsa','ssh-dss','ecdsa-sha2-nistp256','ecdsa-sha2-nistp384','ecdsa-sha2-nistp521']).  -define(FALSE, 0).  -define(TRUE,  1). @@ -60,18 +63,77 @@  -define(uint16(X), << ?UINT16(X) >> ).  -define(uint32(X), << ?UINT32(X) >> ).  -define(uint64(X), << ?UINT64(X) >> ). --define(string(X), << ?STRING(list_to_binary(X)) >> ).  -define(string_utf8(X), << ?STRING(unicode:characters_to_binary(X)) >> ). +-define(string(X), ?string_utf8(X)).  -define(binary(X), << ?STRING(X) >>). +%% Cipher details  -define(SSH_CIPHER_NONE, 0).  -define(SSH_CIPHER_3DES, 3).  -define(SSH_CIPHER_AUTHFILE, ?SSH_CIPHER_3DES). +%% Option access macros +-define(do_get_opt(C,K,O),   ssh_options:get_value(C,K,O,  ?MODULE,?LINE)). +-define(do_get_opt(C,K,O,D), ssh_options:get_value(C,K,O,?LAZY(D),?MODULE,?LINE)). + +-define(LAZY(D), fun()-> D end). + +-define(GET_OPT(Key,Opts),              ?do_get_opt(user_options,    Key,Opts    ) ). +-define(GET_OPT(Key,Opts,Def),          ?do_get_opt(user_options,    Key,Opts,Def) ). +-define(GET_INTERNAL_OPT(Key,Opts),     ?do_get_opt(internal_options,Key,Opts    ) ). +-define(GET_INTERNAL_OPT(Key,Opts,Def), ?do_get_opt(internal_options,Key,Opts,Def) ). +-define(GET_SOCKET_OPT(Key,Opts),       ?do_get_opt(socket_options,  Key,Opts    ) ). +-define(GET_SOCKET_OPT(Key,Opts,Def),   ?do_get_opt(socket_options,  Key,Opts,Def) ). + +-define(do_put_opt(C,KV,O),  ssh_options:put_value(C,KV,O, ?MODULE,?LINE)). + +-define(PUT_OPT(KeyVal,Opts),           ?do_put_opt(user_options,    KeyVal,Opts) ). +-define(PUT_INTERNAL_OPT(KeyVal,Opts),  ?do_put_opt(internal_options,KeyVal,Opts) ). +-define(PUT_SOCKET_OPT(KeyVal,Opts),    ?do_put_opt(socket_options,  KeyVal,Opts) ). + +-define(do_del_opt(C,K,O),  ssh_options:delete_key(C,K,O, ?MODULE,?LINE)). +-define(DELETE_INTERNAL_OPT(Key,Opts),  ?do_del_opt(internal_options,Key,Opts) ). + + +%% Types +-type role()                :: client | server . +-type ok_error(SuccessType) :: {ok, SuccessType} | {error, any()} . +-type daemon_ref()          :: pid() . + +-type subsystem_spec()      :: {subsystem_name(), {channel_callback(), channel_init_args()}} . +-type subsystem_name()      :: string() . +-type channel_callback()    :: atom() . +-type channel_init_args()   :: list() . + +-type algs_list()           :: list( alg_entry() ). +-type alg_entry()           :: {kex, simple_algs()}  +                             | {public_key, simple_algs()} +                             | {cipher, double_algs()} +                             | {mac, double_algs()} +                             | {compression, double_algs()} . +-type simple_algs()         :: list( atom() ) . +-type double_algs()         :: list( {client2serverlist,simple_algs()} | {server2client,simple_algs()} ) +                             | simple_algs() . + +-type options() :: #{socket_options   := socket_options(), +                     internal_options := internal_options(), +                     option_key()     => any() +                    }. + +-type socket_options()   :: proplists:proplist(). +-type internal_options() :: #{option_key() => any()}. + +-type option_key() :: atom(). + + + +%% Records  -record(ssh,  	{ -	  role,         %% client | server -	  peer,         %% string version of peer address  +	  role :: client | role(), +	  peer :: undefined |  +                  {inet:hostname(), +                   {inet:ip_address(),inet:port_number()}},         %% string version of peer address   	  c_vsn,        %% client version {Major,Minor}  	  s_vsn,        %% server version {Major,Minor} @@ -82,6 +144,9 @@  	  c_keyinit,    %% binary payload of kexinit packet  	  s_keyinit,    %% binary payload of kexinit packet +          send_ext_info, %% May send ext-info to peer +          recv_ext_info, %% Expect ext-info from peer +  	  algorithms,   %% #alg{}  	  kex,          %% key exchange algorithm @@ -127,7 +192,7 @@  	  recv_sequence = 0,  	  keyex_key,  	  keyex_info, -	  random_length_padding = 15, % From RFC 4253 section 6. +	  random_length_padding = ?MAX_RND_PADDING_LEN, % From RFC 4253 section 6.  	  %% User auth  	  user, @@ -135,6 +200,7 @@  	  userauth_quiet_mode,              %  boolean()  	  userauth_methods,                 %  list( string() )  eg ["keyboard-interactive", "password"]  	  userauth_supported_methods,       %  string() eg "keyboard-interactive,password" +          userauth_pubkeys,  	  kb_tries_left = 0,                %  integer(), num tries left for "keyboard-interactive"  	  userauth_preference,  	  available_host_keys, @@ -153,7 +219,9 @@  	  compress,  	  decompress,  	  c_lng, -	  s_lng +	  s_lng, +          send_ext_info, +          recv_ext_info  	 }).  -record(ssh_key, diff --git a/lib/ssh/src/ssh_acceptor.erl b/lib/ssh/src/ssh_acceptor.erl index 13c9d9af4a..d66a34c58a 100644 --- a/lib/ssh/src/ssh_acceptor.erl +++ b/lib/ssh/src/ssh_acceptor.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -25,84 +25,86 @@  -include("ssh.hrl").  %% Internal application API --export([start_link/5, +-export([start_link/4,  	 number_of_connections/1, -	 callback_listen/3, -	 handle_connection/5]). +	 listen/2, +	 handle_established_connection/4]).  %% spawn export   --export([acceptor_init/6, acceptor_loop/6]). +-export([acceptor_init/5, acceptor_loop/6]).  -define(SLEEP_TIME, 200).  %%====================================================================  %% Internal application API  %%==================================================================== -start_link(Port, Address, SockOpts, Opts, AcceptTimeout) -> -    Args = [self(), Port, Address, SockOpts, Opts, AcceptTimeout], +start_link(Port, Address, Options, AcceptTimeout) -> +    Args = [self(), Port, Address, Options, AcceptTimeout],      proc_lib:start_link(?MODULE, acceptor_init, Args). +%%%---------------------------------------------------------------- +number_of_connections(SystemSup) -> +    length([X ||  +	       {R,X,supervisor,[ssh_subsystem_sup]} <- supervisor:which_children(SystemSup), +	       is_pid(X), +	       is_reference(R) +	  ]). + +%%%---------------------------------------------------------------- +listen(Port, Options) -> +    {_, Callback, _} = ?GET_OPT(transport, Options), +    SockOpts = [{active, false}, {reuseaddr,true} | ?GET_OPT(socket_options, Options)], +    case Callback:listen(Port, SockOpts) of +	{error, nxdomain} -> +	    Callback:listen(Port, lists:delete(inet6, SockOpts)); +	{error, enetunreach} -> +	    Callback:listen(Port, lists:delete(inet6, SockOpts)); +	{error, eafnosupport} -> +	    Callback:listen(Port, lists:delete(inet6, SockOpts)); +	Other -> +	    Other +    end. + +%%%---------------------------------------------------------------- +handle_established_connection(Address, Port, Options, Socket) -> +    {_, Callback, _} = ?GET_OPT(transport, Options), +    handle_connection(Callback, Address, Port, Options, Socket). +  %%--------------------------------------------------------------------  %%% Internal functions  %%-------------------------------------------------------------------- -acceptor_init(Parent, Port, Address, SockOpts, Opts, AcceptTimeout) -> -    {_, Callback, _} =   -	proplists:get_value(transport, Opts, {tcp, gen_tcp, tcp_closed}), - -    SockOwner = proplists:get_value(lsock_owner, Opts), -    LSock = proplists:get_value(lsocket, Opts), -    UseExistingSocket = -	case catch inet:sockname(LSock) of -	    {ok,{_,Port}} -> is_pid(SockOwner); -	    _ -> false -	end, - -    case UseExistingSocket of -	true -> -	    proc_lib:init_ack(Parent, {ok, self()}), -	    request_ownership(LSock, SockOwner), -	    acceptor_loop(Callback, Port, Address, Opts, LSock, AcceptTimeout); - -	false ->  -	    case (catch do_socket_listen(Callback, Port, SockOpts)) of -		{ok, ListenSocket} -> -		    proc_lib:init_ack(Parent, {ok, self()}), -		    acceptor_loop(Callback,  -				  Port, Address, Opts, ListenSocket, AcceptTimeout); -		Error -> -		    proc_lib:init_ack(Parent, Error), -		    error -	    end +acceptor_init(Parent, Port, Address, Opts, AcceptTimeout) -> +    try +        ?GET_INTERNAL_OPT(lsocket, Opts) +    of +        {LSock, SockOwner} -> +            case inet:sockname(LSock) of +                {ok,{_,Port}} -> % A usable, open LSock +                    proc_lib:init_ack(Parent, {ok, self()}), +                    request_ownership(LSock, SockOwner), +                    {_, Callback, _} =  ?GET_OPT(transport, Opts), +                    acceptor_loop(Callback, Port, Address, Opts, LSock, AcceptTimeout); + +                {error,_} -> % Not open, a restart +                    {ok,NewLSock} = listen(Port, Opts), +                    proc_lib:init_ack(Parent, {ok, self()}), +                    Opts1 = ?DELETE_INTERNAL_OPT(lsocket, Opts), +                    {_, Callback, _} =  ?GET_OPT(transport, Opts1), +                    acceptor_loop(Callback, Port, Address, Opts1, NewLSock, AcceptTimeout) +            end +    catch +        _:_ -> +            {error,use_existing_socket_failed}      end. +  request_ownership(LSock, SockOwner) ->      SockOwner ! {request_control,LSock,self()},      receive  	{its_yours,LSock} -> ok      end. -    -do_socket_listen(Callback, Port0, Opts) -> -    Port = -	case proplists:get_value(fd, Opts) of -	    undefined -> Port0; -	    _ -> 0 -	end, -    callback_listen(Callback, Port, Opts). - -callback_listen(Callback, Port, Opts0) -> -    Opts = [{active, false}, {reuseaddr,true} | Opts0], -    case Callback:listen(Port, Opts) of -	{error, nxdomain} -> -	    Callback:listen(Port, lists:delete(inet6, Opts)); -	{error, enetunreach} -> -	    Callback:listen(Port, lists:delete(inet6, Opts)); -	{error, eafnosupport} -> -	    Callback:listen(Port, lists:delete(inet6, Opts)); -	Other -> -	    Other -    end. -     +%%%----------------------------------------------------------------      acceptor_loop(Callback, Port, Address, Opts, ListenSocket, AcceptTimeout) ->      case (catch Callback:accept(ListenSocket, AcceptTimeout)) of  	{ok, Socket} -> @@ -119,22 +121,24 @@ acceptor_loop(Callback, Port, Address, Opts, ListenSocket, AcceptTimeout) ->  				  ListenSocket, AcceptTimeout)      end. +%%%----------------------------------------------------------------  handle_connection(Callback, Address, Port, Options, Socket) -> -    SSHopts = proplists:get_value(ssh_opts, Options, []), -    Profile =  proplists:get_value(profile, SSHopts, ?DEFAULT_PROFILE), +    Profile =  ?GET_OPT(profile, Options),      SystemSup = ssh_system_sup:system_supervisor(Address, Port, Profile), -    MaxSessions = proplists:get_value(max_sessions,SSHopts,infinity), +    MaxSessions = ?GET_OPT(max_sessions, Options),      case number_of_connections(SystemSup) < MaxSessions of  	true -> -	    {ok, SubSysSup} = ssh_system_sup:start_subsystem(SystemSup, Options), +	    {ok, SubSysSup} =  +                ssh_system_sup:start_subsystem(SystemSup, server, Address, Port, Profile, Options),  	    ConnectionSup = ssh_subsystem_sup:connection_supervisor(SubSysSup), -	    Timeout = proplists:get_value(negotiation_timeout, SSHopts, 2*60*1000), +	    NegTimeout = ?GET_OPT(negotiation_timeout, Options),  	    ssh_connection_handler:start_connection(server, Socket, -						    [{supervisors, [{system_sup, SystemSup}, -								    {subsystem_sup, SubSysSup}, -								    {connection_sup, ConnectionSup}]} -						     | Options], Timeout); +                                                    ?PUT_INTERNAL_OPT( +                                                       {supervisors, [{system_sup, SystemSup}, +                                                                      {subsystem_sup, SubSysSup}, +                                                                      {connection_sup, ConnectionSup}]}, +                                                       Options), NegTimeout);  	false ->  	    Callback:close(Socket),  	    IPstr = if is_tuple(Address) -> inet:ntoa(Address); @@ -150,7 +154,7 @@ handle_connection(Callback, Address, Port, Options, Socket) ->  	    {error,max_sessions}      end. - +%%%----------------------------------------------------------------  handle_error(timeout) ->      ok; @@ -177,10 +181,3 @@ handle_error(Reason) ->      error_logger:error_report(String),      exit({accept_failed, String}).     - -number_of_connections(SystemSup) -> -    length([X ||  -	       {R,X,supervisor,[ssh_subsystem_sup]} <- supervisor:which_children(SystemSup), -	       is_pid(X), -	       is_reference(R) -	  ]). diff --git a/lib/ssh/src/ssh_acceptor_sup.erl b/lib/ssh/src/ssh_acceptor_sup.erl index 129f85a3e0..a24664793b 100644 --- a/lib/ssh/src/ssh_acceptor_sup.erl +++ b/lib/ssh/src/ssh_acceptor_sup.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -29,7 +29,7 @@  -include("ssh.hrl"). --export([start_link/1, start_child/2, stop_child/4]). +-export([start_link/4, start_child/5, stop_child/4]).  %% Supervisor callback  -export([init/1]). @@ -41,20 +41,19 @@  %%%=========================================================================  %%%  API  %%%========================================================================= -start_link(Servers) -> -    supervisor:start_link(?MODULE, [Servers]). +start_link(Address, Port, Profile, Options) -> +    supervisor:start_link(?MODULE, [Address, Port, Profile, Options]). -start_child(AccSup, ServerOpts) -> -    Spec = child_spec(ServerOpts),     +start_child(AccSup, Address, Port, Profile, Options) -> +    Spec = child_spec(Address, Port, Profile, Options),      case supervisor:start_child(AccSup, Spec) of  	{error, already_present} -> -	    Address = proplists:get_value(address, ServerOpts), -	    Port = proplists:get_value(port, ServerOpts), -	    Profile = proplists:get_value(profile,   -					  proplists:get_value(ssh_opts, ServerOpts), ?DEFAULT_PROFILE), +            %% Is this ever called?  	    stop_child(AccSup, Address, Port, Profile),  	    supervisor:start_child(AccSup, Spec);  	Reply -> +            %% Reply = {ok,SystemSupPid} when the user calls ssh:daemon +            %% after having called ssh:stop_listening  	    Reply      end. @@ -70,35 +69,29 @@ stop_child(AccSup, Address, Port, Profile) ->  %%%=========================================================================  %%%  Supervisor callback  %%%========================================================================= -init([ServerOpts]) -> -    RestartStrategy = one_for_one, -    MaxR = 10, -    MaxT = 3600, -    Children = [child_spec(ServerOpts)], -    {ok, {{RestartStrategy, MaxR, MaxT}, Children}}. +init([Address, Port, Profile, Options]) -> +    %% Initial start of ssh_acceptor_sup for this port or new start after +    %% ssh:stop_daemon +    SupFlags = #{strategy  => one_for_one,  +                 intensity =>   10, +                 period    => 3600 +                }, +    ChildSpecs = [child_spec(Address, Port, Profile, Options)], +    {ok, {SupFlags,ChildSpecs}}.  %%%=========================================================================  %%%  Internal functions  %%%========================================================================= -child_spec(ServerOpts) -> -    Address = proplists:get_value(address, ServerOpts), -    Port = proplists:get_value(port, ServerOpts), -    Timeout = proplists:get_value(timeout, ServerOpts, ?DEFAULT_TIMEOUT), -    Profile = proplists:get_value(profile,  proplists:get_value(ssh_opts, ServerOpts), ?DEFAULT_PROFILE), -    Name = id(Address, Port, Profile), -    SocketOpts = proplists:get_value(socket_opts, ServerOpts), -    StartFunc = {ssh_acceptor, start_link, [Port, Address, SocketOpts, ServerOpts, Timeout]}, -    Restart = transient,  -    Shutdown = brutal_kill, -    Modules = [ssh_acceptor], -    Type = worker, -    {Name, StartFunc, Restart, Shutdown, Type, Modules}. +child_spec(Address, Port, Profile, Options) -> +    Timeout = ?GET_INTERNAL_OPT(timeout, Options, ?DEFAULT_TIMEOUT), +    #{id       => id(Address, Port, Profile), +      start    => {ssh_acceptor, start_link, [Port, Address, Options, Timeout]}, +      restart  => transient, +      shutdown => 5500, %brutal_kill, +      type     => worker, +      modules  => [ssh_acceptor] +     }.  id(Address, Port, Profile) -> -    case is_list(Address) of -	true -> -	    {ssh_acceptor_sup, any, Port, Profile}; -	false -> -	    {ssh_acceptor_sup, Address, Port, Profile} -    end. +    {ssh_acceptor_sup, Address, Port, Profile}. diff --git a/lib/ssh/src/ssh_auth.erl b/lib/ssh/src/ssh_auth.erl index 9b54ecb2dd..894877f8bf 100644 --- a/lib/ssh/src/ssh_auth.erl +++ b/lib/ssh/src/ssh_auth.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -28,7 +28,8 @@  -include("ssh_auth.hrl").  -include("ssh_transport.hrl"). --export([publickey_msg/1, password_msg/1, keyboard_interactive_msg/1, +-export([get_public_key/2, +         publickey_msg/1, password_msg/1, keyboard_interactive_msg/1,  	 service_request_msg/1, init_userauth_request_msg/1,  	 userauth_request_msg/1, handle_userauth_request/3,  	 handle_userauth_info_request/2, handle_userauth_info_response/2 @@ -96,14 +97,14 @@ unique(L) ->  password_msg([#ssh{opts = Opts, io_cb = IoCb,  		   user = User, service = Service} = Ssh0]) ->      {Password,Ssh} =  -	case proplists:get_value(password, Opts) of +	case ?GET_OPT(password, Opts) of  	    undefined when IoCb == ssh_no_io ->  		{not_ok, Ssh0};  	    undefined ->  -		{IoCb:read_password("ssh password: ",Ssh0), Ssh0}; +		{IoCb:read_password("ssh password: ",Opts), Ssh0};  	    PW ->  		%% If "password" option is given it should not be tried again -		{PW, Ssh0#ssh{opts = lists:keyreplace(password,1,Opts,{password,not_ok})}} +		{PW, Ssh0#ssh{opts = ?PUT_OPT({password,not_ok}, Opts)}}  	end,      case Password of  	not_ok -> @@ -123,7 +124,7 @@ password_msg([#ssh{opts = Opts, io_cb = IoCb,  keyboard_interactive_msg([#ssh{user = User,  			       opts = Opts,  			       service = Service} = Ssh]) -> -    case proplists:get_value(password, Opts) of +    case ?GET_OPT(password, Opts) of  	not_ok ->  	    {not_ok,Ssh};       % No need to use a failed pwd once more  	_ -> @@ -136,34 +137,52 @@ keyboard_interactive_msg([#ssh{user = User,  	      Ssh)      end. -publickey_msg([Alg, #ssh{user = User, + +get_public_key(SigAlg, #ssh{opts = Opts}) -> +    KeyAlg = key_alg(SigAlg), +    {KeyCb,KeyCbOpts} = ?GET_OPT(key_cb, Opts), +    UserOpts = ?GET_OPT(user_options, Opts), +    case KeyCb:user_key(KeyAlg, [{key_cb_private,KeyCbOpts}|UserOpts]) of +        {ok, PrivKey} -> +            try +                %% Check the key - the KeyCb may be a buggy plugin +                true = ssh_transport:valid_key_sha_alg(PrivKey, KeyAlg), +                Key = ssh_transport:extract_public_key(PrivKey), +                public_key:ssh_encode(Key, ssh2_pubkey) +            of +                PubKeyBlob -> {ok,{PrivKey,PubKeyBlob}} +            catch +                _:_ ->  +                    not_ok +            end; + +	_Error -> +	    not_ok +    end. + + +publickey_msg([SigAlg, #ssh{user = User,  		       session_id = SessionId, -		       service = Service, -		       opts = Opts} = Ssh]) -> -    Hash = ssh_transport:sha(Alg), -    KeyCb = proplists:get_value(key_cb, Opts, ssh_file), -    case KeyCb:user_key(Alg, Opts) of -	{ok, PrivKey} -> -	    StrAlgo = atom_to_list(Alg), -            case encode_public_key(StrAlgo, ssh_transport:extract_public_key(PrivKey)) of -		not_ok -> -		    {not_ok, Ssh}; -		PubKeyBlob -> -		    SigData = build_sig_data(SessionId,  -					     User, Service, PubKeyBlob, StrAlgo), -		    Sig = ssh_transport:sign(SigData, Hash, PrivKey), -		    SigBlob = list_to_binary([?string(StrAlgo), ?binary(Sig)]), -		    ssh_transport:ssh_packet( -		      #ssh_msg_userauth_request{user = User, -						service = Service, -						method = "publickey", -						data = [?TRUE, -							?string(StrAlgo), -							?binary(PubKeyBlob), -							?binary(SigBlob)]}, -		      Ssh) -	    end; -     	_Error -> +		       service = Service} = Ssh]) -> +    case get_public_key(SigAlg, Ssh) of +	{ok, {PrivKey,PubKeyBlob}} -> +            SigAlgStr = atom_to_list(SigAlg), +            SigData = build_sig_data(SessionId, User, Service, +                                     PubKeyBlob, SigAlgStr), +            Hash = ssh_transport:sha(SigAlg), +            Sig = ssh_transport:sign(SigData, Hash, PrivKey), +            SigBlob = list_to_binary([?string(SigAlgStr), +                                      ?binary(Sig)]), +            ssh_transport:ssh_packet( +              #ssh_msg_userauth_request{user = User, +                                        service = Service, +                                        method = "publickey", +                                        data = [?TRUE, +                                                ?string(SigAlgStr), +                                                ?binary(PubKeyBlob), +                                                ?binary(SigBlob)]}, +              Ssh); +     	_ ->  	    {not_ok, Ssh}      end. @@ -174,32 +193,25 @@ service_request_msg(Ssh) ->  %%%----------------------------------------------------------------  init_userauth_request_msg(#ssh{opts = Opts} = Ssh) -> -    case user_name(Opts) of -	{ok, User} -> -	    Msg = #ssh_msg_userauth_request{user = User, -					    service = "ssh-connection", -					    method = "none", -					    data = <<>>}, -	    Algs0 = proplists:get_value(pref_public_key_algs, Opts, ?SUPPORTED_USER_KEYS), -	    %% The following line is not strictly correct. The call returns the -	    %% supported HOST key types while we are interested in USER keys. However, -	    %% they "happens" to be the same (for now).  This could change.... -	    %% There is no danger as long as the set of user keys is a subset of the set -	    %% of host keys. -	    CryptoSupported = ssh_transport:supported_algorithms(public_key), -	    Algs = [A || A <- Algs0, -			 lists:member(A, CryptoSupported)], - -	    Prefs = method_preference(Algs), -	    ssh_transport:ssh_packet(Msg, Ssh#ssh{user = User, -						  userauth_preference = Prefs, -						  userauth_methods = none, -						  service = "ssh-connection"}); -	{error, no_user} -> +    %% Client side +    case ?GET_OPT(user, Opts) of +	undefined ->  	    ErrStr = "Could not determine the users name",  	    ssh_connection_handler:disconnect(  	      #ssh_msg_disconnect{code = ?SSH_DISCONNECT_ILLEGAL_USER_NAME, -				  description = ErrStr}) +				  description = ErrStr}); +         +	User -> +            ssh_transport:ssh_packet( +              #ssh_msg_userauth_request{user = User, +                                        service = "ssh-connection", +                                        method = "none", +                                        data = <<>>}, +              Ssh#ssh{user = User, +                      userauth_preference = method_preference(Ssh#ssh.userauth_pubkeys), +                      userauth_methods = none, +                      service = "ssh-connection"} +             )      end.  %%%---------------------------------------------------------------- @@ -270,8 +282,7 @@ handle_userauth_request(#ssh_msg_userauth_request{user = User,  			#ssh{opts = Opts,  			     userauth_supported_methods = Methods} = Ssh) -> -    case pre_verify_sig(User, binary_to_list(BAlg), -			KeyBlob, Opts) of +    case pre_verify_sig(User, KeyBlob, Opts) of  	true ->  	    {not_authorized, {User, undefined},  	     ssh_transport:ssh_packet( @@ -297,8 +308,7 @@ handle_userauth_request(#ssh_msg_userauth_request{user = User,  			     userauth_supported_methods = Methods} = Ssh) ->      case verify_sig(SessionId, User, "ssh-connection",  -		    binary_to_list(BAlg), -		    KeyBlob, SigWLen, Opts) of +		    BAlg, KeyBlob, SigWLen, Opts) of  	true ->  	    {authorized, User,   	     ssh_transport:ssh_packet( @@ -342,7 +352,7 @@ handle_userauth_request(#ssh_msg_userauth_request{user = User,  		       false},  	    {Name, Instruction, Prompt, Echo} = -		case proplists:get_value(auth_method_kb_interactive_data, Opts) of +		case ?GET_OPT(auth_method_kb_interactive_data, Opts) of  		    undefined ->   			Default;  		    {_,_,_,_}=V ->  @@ -407,9 +417,9 @@ handle_userauth_info_response(#ssh_msg_userauth_info_response{num_responses = 1,  				   user = User,  				   userauth_supported_methods = Methods} = Ssh) ->      SendOneEmpty = -	(proplists:get_value(tstflg,Opts) == one_empty) +	(?GET_OPT(tstflg,Opts) == one_empty)  	orelse  -	proplists:get_value(one_empty, proplists:get_value(tstflg,Opts,[]), false), +	proplists:get_value(one_empty, ?GET_OPT(tstflg,Opts), false),      case check_password(User, unicode:characters_to_list(Password), Opts, Ssh) of  	{true,Ssh1} when SendOneEmpty==true -> @@ -451,36 +461,17 @@ handle_userauth_info_response(#ssh_msg_userauth_info_response{},  %%--------------------------------------------------------------------  %%% Internal functions  %%-------------------------------------------------------------------- -method_preference(Algs) -> -    lists:foldr(fun(A, Acc) -> -		       [{"publickey", ?MODULE, publickey_msg, [A]} | Acc] -	       end,  -	       [{"password", ?MODULE, password_msg, []}, -		{"keyboard-interactive", ?MODULE, keyboard_interactive_msg, []} -	       ], -	       Algs). - -user_name(Opts) -> -    Env = case os:type() of -	      {win32, _} ->  -		  "USERNAME"; -	      {unix, _} ->  -		  "LOGNAME" -	  end, -    case proplists:get_value(user, Opts, os:getenv(Env)) of -	false -> -	    case os:getenv("USER") of -		false ->  -		    {error, no_user}; -		User ->  -		    {ok, User} -	    end; -	User -> -	    {ok, User} -    end. +method_preference(SigKeyAlgs) -> +    %% PubKeyAlgs: List of user (client) public key algorithms to try to use. +    %% All of the acceptable algorithms is the default values. +    PubKeyDefs = [{"publickey", ?MODULE, publickey_msg, [A]} || A <- SigKeyAlgs], +    NonPKmethods = [{"password", ?MODULE, password_msg, []}, +                    {"keyboard-interactive", ?MODULE, keyboard_interactive_msg, []} +                   ], +    PubKeyDefs ++ NonPKmethods.  check_password(User, Password, Opts, Ssh) -> -    case proplists:get_value(pwdfun, Opts) of +    case ?GET_OPT(pwdfun, Opts) of  	undefined ->  	    Static = get_password_option(Opts, User),  	    {Password == Static, Ssh}; @@ -510,38 +501,35 @@ check_password(User, Password, Opts, Ssh) ->      end.  get_password_option(Opts, User) -> -    Passwords = proplists:get_value(user_passwords, Opts, []), +    Passwords = ?GET_OPT(user_passwords, Opts),      case lists:keysearch(User, 1, Passwords) of  	{value, {User, Pw}} -> Pw; -	false -> proplists:get_value(password, Opts, false) +	false -> ?GET_OPT(password, Opts)      end. -pre_verify_sig(User, Alg, KeyBlob, Opts) -> +pre_verify_sig(User, KeyBlob, Opts) ->      try -	{ok, Key} = decode_public_key_v2(KeyBlob, Alg), -	KeyCb =  proplists:get_value(key_cb, Opts, ssh_file), -	KeyCb:is_auth_key(Key, User, Opts) +	Key = public_key:ssh_decode(KeyBlob, ssh2_pubkey), % or exception +        {KeyCb,KeyCbOpts} = ?GET_OPT(key_cb, Opts), +        UserOpts = ?GET_OPT(user_options, Opts), +        KeyCb:is_auth_key(Key, User, [{key_cb_private,KeyCbOpts}|UserOpts])      catch  	_:_ ->  	    false      end. -verify_sig(SessionId, User, Service, Alg, KeyBlob, SigWLen, Opts) -> +verify_sig(SessionId, User, Service, AlgBin, KeyBlob, SigWLen, Opts) ->      try -	{ok, Key} = decode_public_key_v2(KeyBlob, Alg), -	KeyCb =  proplists:get_value(key_cb, Opts, ssh_file), - -	case KeyCb:is_auth_key(Key, User, Opts) of -	    true -> -		PlainText = build_sig_data(SessionId, User, -					   Service, KeyBlob, Alg), -		<<?UINT32(AlgSigLen), AlgSig:AlgSigLen/binary>> = SigWLen, -		<<?UINT32(AlgLen), _Alg:AlgLen/binary, -		  ?UINT32(SigLen), Sig:SigLen/binary>> = AlgSig, -		ssh_transport:verify(PlainText, ssh_transport:sha(list_to_atom(Alg)), Sig, Key); -	    false -> -		false -	end +        Alg = binary_to_list(AlgBin), +        {KeyCb,KeyCbOpts} = ?GET_OPT(key_cb, Opts), +        UserOpts = ?GET_OPT(user_options, Opts), +        Key = public_key:ssh_decode(KeyBlob, ssh2_pubkey), % or exception +        true = KeyCb:is_auth_key(Key, User, [{key_cb_private,KeyCbOpts}|UserOpts]), +        PlainText = build_sig_data(SessionId, User, Service, KeyBlob, Alg), +        <<?UINT32(AlgSigLen), AlgSig:AlgSigLen/binary>> = SigWLen, +        <<?UINT32(AlgLen), _Alg:AlgLen/binary, +          ?UINT32(SigLen), Sig:SigLen/binary>> = AlgSig, +        ssh_transport:verify(PlainText, ssh_transport:sha(Alg), Sig, Key)      catch  	_:_ ->  	    false @@ -565,9 +553,9 @@ decode_keyboard_interactive_prompts(_NumPrompts, Data) ->  keyboard_interact_get_responses(IoCb, Opts, Name, Instr, PromptInfos) ->      NumPrompts = length(PromptInfos), -    keyboard_interact_get_responses(proplists:get_value(user_interaction, Opts, true), -				    proplists:get_value(keyboard_interact_fun, Opts), -				    proplists:get_value(password, Opts, undefined), IoCb, Name, +    keyboard_interact_get_responses(?GET_OPT(user_interaction, Opts), +				    ?GET_OPT(keyboard_interact_fun, Opts), +				    ?GET_OPT(password, Opts), IoCb, Name,  				    Instr, PromptInfos, Opts, NumPrompts). @@ -613,18 +601,7 @@ keyboard_interact_fun(KbdInteractFun, Name, Instr,  PromptInfos, NumPrompts) ->  				       language = "en"}})      end. -decode_public_key_v2(Bin, _Type) -> -    try  -	public_key:ssh_decode(Bin, ssh2_pubkey) -    of -	Key -> {ok, Key} -    catch -	_:_ -> {error, bad_format} -    end. -encode_public_key(_Alg, Key) -> -    try -	public_key:ssh_encode(Key, ssh2_pubkey) -    catch -	_:_ -> not_ok -    end. +key_alg('rsa-sha2-256') -> 'ssh-rsa'; +key_alg('rsa-sha2-512') -> 'ssh-rsa'; +key_alg(Alg) -> Alg. diff --git a/lib/ssh/src/ssh_bits.erl b/lib/ssh/src/ssh_bits.erl index 8bedaaf0c5..3ce7758447 100644 --- a/lib/ssh/src/ssh_bits.erl +++ b/lib/ssh/src/ssh_bits.erl @@ -30,39 +30,31 @@  -export([random/1]).  %%%---------------------------------------------------------------- -name_list([Name]) -> to_bin(Name); -name_list([Name|Ns]) -> <<(to_bin(Name))/binary, ",", (name_list(Ns))/binary>>; -name_list([]) -> <<>>. - -to_bin(A) when is_atom(A) -> list_to_binary(atom_to_list(A)); -to_bin(S) when is_list(S) -> list_to_binary(S); -to_bin(B) when is_binary(B) -> B. +name_list(NamesList) -> list_to_binary(lists:join($,, NamesList)).  %%%----------------------------------------------------------------  %%% Multi Precision Integer encoding  mpint(-1) -> <<0,0,0,1,16#ff>>;  mpint(0) -> <<0,0,0,0>>; -mpint(X) when X < 0 -> mpint_neg(X,0,[]); -mpint(X) -> mpint_pos(X,0,[]). -     -mpint_neg(-1,I,Ds=[MSB|_]) -> -    if MSB band 16#80 =/= 16#80 -> -	    <<?UINT32((I+1)), (list_to_binary([255|Ds]))/binary>>; -       true -> -	    <<?UINT32(I), (list_to_binary(Ds))/binary>> -    end; -mpint_neg(X,I,Ds)  -> -    mpint_neg(X bsr 8,I+1,[(X band 255)|Ds]). -     -mpint_pos(0,I,Ds=[MSB|_]) -> -    if MSB band 16#80 == 16#80 -> -	    <<?UINT32((I+1)), (list_to_binary([0|Ds]))/binary>>; -       true -> -	    <<?UINT32(I), (list_to_binary(Ds))/binary>> +mpint(I) when I>0 -> +    <<B1,V/binary>> = binary:encode_unsigned(I), +    case B1 band 16#80 of +	16#80 -> +	    <<(size(V)+2):32/unsigned-big-integer, 0,B1,V/binary >>; +	_ -> +	    <<(size(V)+1):32/unsigned-big-integer, B1,V/binary >>      end; -mpint_pos(X,I,Ds) -> -    mpint_pos(X bsr 8,I+1,[(X band 255)|Ds]). - +mpint(N) when N<0 ->  +    Sxn =  8*size(binary:encode_unsigned(-N)), +    Sxn1 = Sxn+8, +    <<W:Sxn1>> = <<1, 0:Sxn>>, +    <<B1,V/binary>> = binary:encode_unsigned(W+N), +    case B1 band 16#80 of +	16#80 -> +	    <<(size(V)+1):32/unsigned-big-integer, B1,V/binary >>; +	_ -> +	    <<(size(V)+2):32/unsigned-big-integer, 255,B1,V/binary >> +    end.  %%%----------------------------------------------------------------  %% random/1 diff --git a/lib/ssh/src/ssh_cli.erl b/lib/ssh/src/ssh_cli.erl index 7c7b9e7922..62854346b0 100644 --- a/lib/ssh/src/ssh_cli.erl +++ b/lib/ssh/src/ssh_cli.erl @@ -499,14 +499,12 @@ start_shell(ConnectionHandler, State) ->  						  [peer, user]),      ShellFun = case is_function(Shell) of  		   true -> -		       User =  -			   proplists:get_value(user, ConnectionInfo), +		       User = proplists:get_value(user, ConnectionInfo),  		       case erlang:fun_info(Shell, arity) of  			   {arity, 1} ->  			       fun() -> Shell(User) end;  			   {arity, 2} -> -			       {_, PeerAddr} = -				   proplists:get_value(peer, ConnectionInfo), +			       {_, PeerAddr} = proplists:get_value(peer, ConnectionInfo),  			       fun() -> Shell(User, PeerAddr) end;  			   _ ->  			       Shell @@ -525,8 +523,7 @@ start_shell(ConnectionHandler, Cmd, #state{exec=Shell} = State) when is_function      ConnectionInfo = ssh_connection_handler:connection_info(ConnectionHandler,  						 [peer, user]), -    User =  -	proplists:get_value(user, ConnectionInfo), +    User = proplists:get_value(user, ConnectionInfo),      ShellFun =   	case erlang:fun_info(Shell, arity) of  	    {arity, 1} -> @@ -534,8 +531,7 @@ start_shell(ConnectionHandler, Cmd, #state{exec=Shell} = State) when is_function  	    {arity, 2} ->  		fun() -> Shell(Cmd, User) end;  	    {arity, 3} -> -		{_, PeerAddr} = -		    proplists:get_value(peer, ConnectionInfo), +		{_, PeerAddr} = proplists:get_value(peer, ConnectionInfo),  		fun() -> Shell(Cmd, User, PeerAddr) end;  	    _ ->  		Shell diff --git a/lib/ssh/src/ssh_connect.hrl b/lib/ssh/src/ssh_connect.hrl index 4fb6bc39f3..a8de5f9a2f 100644 --- a/lib/ssh/src/ssh_connect.hrl +++ b/lib/ssh/src/ssh_connect.hrl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2005-2016. All Rights Reserved. +%% Copyright Ericsson AB 2005-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -22,9 +22,9 @@  %%% Description : SSH connection protocol  --type role()               :: client | server . --type connection_ref()     :: pid().  -type channel_id()         :: pos_integer(). +-type connection_ref()     :: pid(). +  -define(DEFAULT_PACKET_SIZE, 65536).  -define(DEFAULT_WINDOW_SIZE, 10*?DEFAULT_PACKET_SIZE). diff --git a/lib/ssh/src/ssh_connection.erl b/lib/ssh/src/ssh_connection.erl index c7a2c92670..7e9ee78fd2 100644 --- a/lib/ssh/src/ssh_connection.erl +++ b/lib/ssh/src/ssh_connection.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -56,8 +56,8 @@  %%--------------------------------------------------------------------  %%-------------------------------------------------------------------- --spec session_channel(pid(), timeout()) -> {ok, channel_id()} | {error, timeout | closed}. --spec session_channel(pid(), integer(), integer(), timeout()) -> {ok, channel_id()} | {error, timeout | closed}. +-spec session_channel(connection_ref(), timeout()) -> {ok, channel_id()} | {error, timeout | closed}. +-spec session_channel(connection_ref(), integer(), integer(), timeout()) -> {ok, channel_id()} | {error, timeout | closed}.  %% Description: Opens a channel for a ssh session. A session is a  %% remote execution of a program. The program may be a shell, an @@ -81,7 +81,7 @@ session_channel(ConnectionHandler, InitialWindowSize,      end.  %%-------------------------------------------------------------------- --spec exec(pid(), channel_id(), string(), timeout()) ->  +-spec exec(connection_ref(), channel_id(), string(), timeout()) ->   		  success | failure | {error, timeout | closed}.  %% Description: Will request that the server start the @@ -92,7 +92,7 @@ exec(ConnectionHandler, ChannelId, Command, TimeOut) ->  				   true, [?string(Command)], TimeOut).  %%-------------------------------------------------------------------- --spec shell(pid(), channel_id()) -> _. +-spec shell(connection_ref(), channel_id()) -> _.  %% Description: Will request that the user's default shell (typically  %% defined in /etc/passwd in UNIX systems) be started at the other @@ -102,7 +102,7 @@ shell(ConnectionHandler, ChannelId) ->      ssh_connection_handler:request(ConnectionHandler, self(), ChannelId,   				   "shell", false, <<>>, 0).  %%-------------------------------------------------------------------- --spec subsystem(pid(), channel_id(), string(), timeout()) ->  +-spec subsystem(connection_ref(), channel_id(), string(), timeout()) ->   		       success | failure | {error, timeout | closed}.  %%  %% Description: Executes a predefined subsystem. @@ -112,11 +112,11 @@ subsystem(ConnectionHandler, ChannelId, SubSystem, TimeOut) ->  				    ChannelId, "subsystem",   				    true, [?string(SubSystem)], TimeOut).  %%-------------------------------------------------------------------- --spec send(pid(), channel_id(), iodata()) -> +-spec send(connection_ref(), channel_id(), iodata()) ->  		  ok | {error, closed}. --spec send(pid(), channel_id(), integer()| iodata(), timeout() | iodata()) -> +-spec send(connection_ref(), channel_id(), integer()| iodata(), timeout() | iodata()) ->  		  ok | {error, timeout} | {error, closed}. --spec send(pid(), channel_id(), integer(), iodata(), timeout()) -> +-spec send(connection_ref(), channel_id(), integer(), iodata(), timeout()) ->  		  ok | {error, timeout} | {error, closed}.  %%  %% @@ -134,7 +134,7 @@ send(ConnectionHandler, ChannelId, Type, Data, TimeOut) ->      ssh_connection_handler:send(ConnectionHandler, ChannelId,  				Type, Data, TimeOut).  %%-------------------------------------------------------------------- --spec send_eof(pid(), channel_id()) -> ok | {error, closed}. +-spec send_eof(connection_ref(), channel_id()) -> ok | {error, closed}.  %%  %%  %% Description: Sends eof on the channel <ChannelId>. @@ -143,7 +143,7 @@ send_eof(ConnectionHandler, Channel) ->      ssh_connection_handler:send_eof(ConnectionHandler, Channel).  %%-------------------------------------------------------------------- --spec adjust_window(pid(), channel_id(), integer()) -> ok |  {error, closed}. +-spec adjust_window(connection_ref(), channel_id(), integer()) -> ok |  {error, closed}.  %%  %%  %% Description: Adjusts the ssh flowcontrol window. @@ -152,7 +152,7 @@ adjust_window(ConnectionHandler, Channel, Bytes) ->      ssh_connection_handler:adjust_window(ConnectionHandler, Channel, Bytes).  %%-------------------------------------------------------------------- --spec setenv(pid(), channel_id(), string(), string(), timeout()) ->   +-spec setenv(connection_ref(), channel_id(), string(), string(), timeout()) ->    		    success | failure | {error, timeout | closed}.  %%  %% @@ -165,7 +165,7 @@ setenv(ConnectionHandler, ChannelId, Var, Value, TimeOut) ->  %%-------------------------------------------------------------------- --spec close(pid(), channel_id()) -> ok. +-spec close(connection_ref(), channel_id()) -> ok.  %%  %%  %% Description: Sends a close message on the channel <ChannelId>. @@ -174,7 +174,7 @@ close(ConnectionHandler, ChannelId) ->      ssh_connection_handler:close(ConnectionHandler, ChannelId).  %%-------------------------------------------------------------------- --spec reply_request(pid(), boolean(), success | failure, channel_id()) -> ok. +-spec reply_request(connection_ref(), boolean(), success | failure, channel_id()) -> ok.  %%  %%  %% Description: Send status replies to requests that want such replies. @@ -185,9 +185,9 @@ reply_request(_,false, _, _) ->      ok.  %%-------------------------------------------------------------------- --spec ptty_alloc(pid(), channel_id(), proplists:proplist()) ->  +-spec ptty_alloc(connection_ref(), channel_id(), proplists:proplist()) ->   			success | failiure | {error, closed}. --spec ptty_alloc(pid(), channel_id(), proplists:proplist(), timeout()) ->  +-spec ptty_alloc(connection_ref(), channel_id(), proplists:proplist(), timeout()) ->   			success | failiure | {error, timeout} | {error, closed}.  %% @@ -197,16 +197,16 @@ reply_request(_,false, _, _) ->  ptty_alloc(ConnectionHandler, Channel, Options) ->      ptty_alloc(ConnectionHandler, Channel, Options, infinity).  ptty_alloc(ConnectionHandler, Channel, Options0, TimeOut) -> -    Options = backwards_compatible(Options0, []), -    {Width, PixWidth} = pty_default_dimensions(width, Options), -    {Height, PixHeight} = pty_default_dimensions(height, Options), +    TermData = backwards_compatible(Options0, []), % FIXME +    {Width, PixWidth} = pty_default_dimensions(width, TermData), +    {Height, PixHeight} = pty_default_dimensions(height, TermData),      pty_req(ConnectionHandler, Channel, -	    proplists:get_value(term, Options, os:getenv("TERM", ?DEFAULT_TERMINAL)), -	    proplists:get_value(width, Options, Width), -	    proplists:get_value(height, Options, Height), -	    proplists:get_value(pixel_widh, Options, PixWidth), -	    proplists:get_value(pixel_height, Options, PixHeight), -	    proplists:get_value(pty_opts, Options, []), TimeOut +	    proplists:get_value(term, TermData, os:getenv("TERM", ?DEFAULT_TERMINAL)), +	    proplists:get_value(width, TermData, Width), +	    proplists:get_value(height, TermData, Height), +	    proplists:get_value(pixel_widh, TermData, PixWidth), +	    proplists:get_value(pixel_height, TermData, PixHeight), +	    proplists:get_value(pty_opts, TermData, []), TimeOut  	   ).  %%--------------------------------------------------------------------  %% Not yet officialy supported! The following functions are part of the @@ -417,7 +417,8 @@ handle_msg(#ssh_msg_channel_open{channel_type = "session" = Type,  				 maximum_packet_size = PacketSz},   	   #connection{options = SSHopts} = Connection0,  	   server) -> -    MinAcceptedPackSz = proplists:get_value(minimal_remote_max_packet_size, SSHopts, 0), +    MinAcceptedPackSz = +        ?GET_OPT(minimal_remote_max_packet_size, SSHopts),      if   	MinAcceptedPackSz =< PacketSz -> @@ -574,7 +575,6 @@ handle_msg(#ssh_msg_channel_request{recipient_channel = ChannelId,  		  PixWidth, PixHeight, decode_pty_opts(Modes)},      Channel = ssh_channel:cache_lookup(Cache, ChannelId),  -          handle_cli_msg(Connection, Channel,  		   {pty, ChannelId, WantReply, PtyRequest}); @@ -691,7 +691,6 @@ handle_cli_msg(#connection{channel_cache = Cache} = Connection,  	       #channel{user = undefined,   			remote_id = RemoteId,  			local_id = ChannelId} = Channel0, Reply0) ->  -          case (catch start_cli(Connection, ChannelId)) of  	{ok, Pid} ->  	    erlang:monitor(process, Pid), @@ -819,7 +818,7 @@ start_channel(Cb, Id, Args, SubSysSup, Exec, Opts) ->      ssh_channel_sup:start_child(ChannelSup, ChildSpec).  assert_limit_num_channels_not_exceeded(ChannelSup, Opts) -> -    MaxNumChannels = proplists:get_value(max_channels, Opts, infinity), +    MaxNumChannels = ?GET_OPT(max_channels, Opts),      NumChannels = length([x || {_,_,worker,[ssh_channel]} <-   				   supervisor:which_children(ChannelSup)]),      if  @@ -858,8 +857,8 @@ setup_session(#connection{channel_cache = Cache  check_subsystem("sftp"= SsName, Options) -> -    case proplists:get_value(subsystems, Options, no_subsys) of -	no_subsys -> 	 +    case ?GET_OPT(subsystems, Options) of +	no_subsys -> 	% FIXME: Can 'no_subsys' ever be matched?  	    {SsName, {Cb, Opts}} = ssh_sftpd:subsystem_spec([]),  	    {Cb, Opts};  	SubSystems -> @@ -867,7 +866,7 @@ check_subsystem("sftp"= SsName, Options) ->      end;  check_subsystem(SsName, Options) -> -    Subsystems = proplists:get_value(subsystems, Options, []), +    Subsystems = ?GET_OPT(subsystems, Options),      case proplists:get_value(SsName, Subsystems, {none, []}) of  	Fun when is_function(Fun) ->  	    {Fun, []}; @@ -1022,12 +1021,13 @@ pty_req(ConnectionHandler, Channel, Term, Width, Height,  				    ?uint32(PixWidth),?uint32(PixHeight),  				    encode_pty_opts(PtyOpts)], TimeOut). -pty_default_dimensions(Dimension, Options) -> -    case proplists:get_value(Dimension, Options, 0) of +pty_default_dimensions(Dimension, TermData) -> +    case proplists:get_value(Dimension, TermData, 0) of  	N when is_integer(N), N > 0 ->  	    {N, 0};  	_ -> -	    case proplists:get_value(list_to_atom("pixel_" ++ atom_to_list(Dimension)), Options, 0) of +            PixelDim = list_to_atom("pixel_" ++ atom_to_list(Dimension)), +	    case proplists:get_value(PixelDim, TermData, 0) of  		N when is_integer(N), N > 0 ->  		    {0, N};  		_ -> diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl index fc75945a5b..0ca960ef96 100644 --- a/lib/ssh/src/ssh_connection_handler.erl +++ b/lib/ssh/src/ssh_connection_handler.erl @@ -46,6 +46,7 @@  %%% Internal application API  -export([start_connection/4, +         available_hkey_algorithms/2,  	 open_channel/6,  	 request/6, request/7,  	 reply_request/3,  @@ -60,7 +61,7 @@  	]).  %%% Behaviour callbacks --export([callback_mode/0, handle_event/4, terminate/3, +-export([init/1, callback_mode/0, handle_event/4, terminate/3,  	 format_status/2, code_change/4]).  %%% Exports not intended to be used :). They are used for spawning and tests @@ -76,11 +77,15 @@  %%--------------------------------------------------------------------  -spec start_link(role(),  		 inet:socket(), -		 proplists:proplist() +                 ssh_options:options()  		) -> {ok, pid()}.  %% . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  start_link(Role, Socket, Options) -> -    {ok, proc_lib:spawn_link(?MODULE, init_connection_handler, [Role, Socket, Options])}. +    {ok, proc_lib:spawn_opt(?MODULE,  +                            init_connection_handler,  +                            [Role, Socket, Options], +                            [link, {message_queue_data,off_heap}] +                           )}.  %%-------------------------------------------------------------------- @@ -99,12 +104,10 @@ stop(ConnectionHandler)->  %% Internal application API  %%==================================================================== --define(DefaultTransport,  {tcp, gen_tcp, tcp_closed} ). -  %%--------------------------------------------------------------------  -spec start_connection(role(),  		       inet:socket(), -		       proplists:proplist(), +                       ssh_options:options(),  		       timeout()  		      ) -> {ok, connection_ref()} | {error, term()}.  %% . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @@ -121,9 +124,8 @@ start_connection(client = Role, Socket, Options, Timeout) ->      end;  start_connection(server = Role, Socket, Options, Timeout) -> -    SSH_Opts = proplists:get_value(ssh_opts, Options, []),      try -	case proplists:get_value(parallel_login, SSH_Opts, false) of +	case ?GET_OPT(parallel_login, Options) of  	    true ->  		HandshakerPid =  		    spawn_link(fun() -> @@ -323,30 +325,38 @@ renegotiate_data(ConnectionHandler) ->  %% Internal process state  %%====================================================================  -record(data, { -	  starter                               :: pid(), +	  starter                               :: pid() +						 | undefined,  	  auth_user                             :: string()  						 | undefined,  	  connection_state                      :: #connection{}, -	  latest_channel_id         = 0         :: non_neg_integer(), +	  latest_channel_id         = 0         :: non_neg_integer() +                                                 | undefined,  	  idle_timer_ref                        :: undefined   						 | infinity  						 | reference(),  	  idle_timer_value          = infinity  :: infinity  						 | pos_integer(), -	  transport_protocol                    :: atom(),	% ex: tcp -	  transport_cb                          :: atom(),	% ex: gen_tcp -	  transport_close_tag                   :: atom(),	% ex: tcp_closed +	  transport_protocol                    :: atom() +                                                 | undefined,	% ex: tcp +	  transport_cb                          :: atom() +                                                 | undefined,	% ex: gen_tcp +	  transport_close_tag                   :: atom() +                                                 | undefined,	% ex: tcp_closed  	  ssh_params                            :: #ssh{} -						 | undefined, -	  socket                                :: inet:socket(), -	  decrypted_data_buffer     = <<>>      :: binary(), -	  encrypted_data_buffer     = <<>>      :: binary(), +                                                 | undefined, +	  socket                                :: inet:socket() +                                                 | undefined, +	  decrypted_data_buffer     = <<>>      :: binary() +                                                 | undefined, +	  encrypted_data_buffer     = <<>>      :: binary() +                                                 | undefined,  	  undecrypted_packet_length             :: undefined | non_neg_integer(),  	  key_exchange_init_msg                 :: #ssh_msg_kexinit{}  						 | undefined,  	  last_size_rekey           = 0         :: non_neg_integer(),  	  event_queue               = []        :: list(), -	  opts                                  :: proplists:proplist(), +%	  opts                                  :: ssh_options:options(),  	  inet_initial_recbuf_size              :: pos_integer()  						 | undefined  	 }). @@ -357,110 +367,121 @@ renegotiate_data(ConnectionHandler) ->  %%--------------------------------------------------------------------  -spec init_connection_handler(role(),  			      inet:socket(), -			      proplists:proplist() +			      ssh_options:options()  			     ) -> no_return().  %% . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  init_connection_handler(Role, Socket, Opts) -> -    process_flag(trap_exit, true), -    S0 = init_process_state(Role, Socket, Opts), -    try -	{Protocol, Callback, CloseTag} = -	    proplists:get_value(transport, Opts, ?DefaultTransport), -	S0#data{ssh_params = init_ssh_record(Role, Socket, Opts), -		 transport_protocol = Protocol, -		 transport_cb = Callback, -		 transport_close_tag = CloseTag -		} -    of -	S -> -	    gen_statem:enter_loop(?MODULE, -				  [], %%[{debug,[trace,log,statistics,debug]} || Role==server], -				  {hello,Role}, -				  S) -    catch -	_:Error -> -	    gen_statem:enter_loop(?MODULE, -				  [], -				  {init_error,Error}, -				  S0) +    case init([Role, Socket, Opts]) of +        {ok, StartState, D} -> +            process_flag(trap_exit, true), +            gen_statem:enter_loop(?MODULE, +                                  [], %%[{debug,[trace,log,statistics,debug]} ], %% [] +                                  StartState, +                                  D); + +        {stop, Error} -> +            Sups = ?GET_INTERNAL_OPT(supervisors, Opts), +            C = #connection{system_supervisor =     proplists:get_value(system_sup,     Sups), +                            sub_system_supervisor = proplists:get_value(subsystem_sup,  Sups), +                            connection_supervisor = proplists:get_value(connection_sup, Sups) +                           }, +            gen_statem:enter_loop(?MODULE, +                                  [], +                                  {init_error,Error}, +                                  #data{connection_state=C, +                                        socket=Socket})      end. -init_process_state(Role, Socket, Opts) -> -    D = #data{connection_state = -		   C = #connection{channel_cache = ssh_channel:cache_create(), -				   channel_id_seed = 0, -				   port_bindings = [], -				   requests = [], -				   options = Opts}, -	       starter = proplists:get_value(user_pid, Opts), -	       socket = Socket, -	       opts = Opts -	      }, -    case Role of -	client -> -	    %% Start the renegotiation timers -	    timer:apply_after(?REKEY_TIMOUT,      gen_statem, cast, [self(), renegotiate]), -	    timer:apply_after(?REKEY_DATA_TIMOUT, gen_statem, cast, [self(), data_size]), -	    cache_init_idle_timer(D); -	server -> -	    D#data{connection_state = init_connection(Role, C, Opts)} -    end. +init([Role,Socket,Opts]) -> +    case inet:peername(Socket) of +        {ok, PeerAddr} -> +            {Protocol, Callback, CloseTag} = ?GET_OPT(transport, Opts), +            C = #connection{channel_cache = ssh_channel:cache_create(), +                            channel_id_seed = 0, +                            port_bindings = [], +                            requests = [], +                            options = Opts}, +            D0 = #data{starter = ?GET_INTERNAL_OPT(user_pid, Opts), +                       connection_state = C, +                       socket = Socket, +                       transport_protocol = Protocol, +                       transport_cb = Callback, +                       transport_close_tag = CloseTag, +                       ssh_params = init_ssh_record(Role, Socket, PeerAddr, Opts) +              }, +            D = case Role of +                    client -> +                        %% Start the renegotiation timers +                        timer:apply_after(?REKEY_TIMOUT,      gen_statem, cast, [self(), renegotiate]), +                        timer:apply_after(?REKEY_DATA_TIMOUT, gen_statem, cast, [self(), data_size]), +                        cache_init_idle_timer(D0); +                    server -> +                        Sups = ?GET_INTERNAL_OPT(supervisors, Opts), +                        cache_init_idle_timer( +                          D0#data{connection_state =  +                                      C#connection{cli_spec = ?GET_OPT(ssh_cli, Opts, {ssh_cli,[?GET_OPT(shell, Opts)]}), +                                                   exec =     ?GET_OPT(exec,    Opts), +                                                   system_supervisor =     proplists:get_value(system_sup,     Sups), +                                                   sub_system_supervisor = proplists:get_value(subsystem_sup,  Sups), +                                                   connection_supervisor = proplists:get_value(connection_sup, Sups) +                                                  }}) +                end, +            {ok, {hello,Role}, D}; +         +        {error,Error} -> +            {stop, Error} +    end. -init_connection(server, C = #connection{}, Opts) -> -    Sups = proplists:get_value(supervisors, Opts), -    SystemSup = proplists:get_value(system_sup, Sups), -    SubSystemSup = proplists:get_value(subsystem_sup, Sups), -    ConnectionSup = proplists:get_value(connection_sup, Sups), -    Shell = proplists:get_value(shell, Opts), -    Exec = proplists:get_value(exec, Opts), -    CliSpec = proplists:get_value(ssh_cli, Opts, {ssh_cli, [Shell]}), -    C#connection{cli_spec = CliSpec, -		 exec = Exec, -		 system_supervisor = SystemSup, -		 sub_system_supervisor = SubSystemSup, -		 connection_supervisor = ConnectionSup -		}.  init_ssh_record(Role, Socket, Opts) -> -    {ok, PeerAddr} = inet:peername(Socket), -    KeyCb = proplists:get_value(key_cb, Opts, ssh_file), -    AuthMethods = proplists:get_value(auth_methods, -				      Opts, -				      case Role of -					  server -> ?SUPPORTED_AUTH_METHODS; -					  client -> undefined -				      end), +    %% Export of this internal function is +    %% intended for low-level protocol test suites +    {ok,PeerAddr} = inet:peername(Socket), +    init_ssh_record(Role, Socket, PeerAddr, Opts). + +init_ssh_record(Role, _Socket, PeerAddr, Opts) -> +    AuthMethods = ?GET_OPT(auth_methods, Opts),      S0 = #ssh{role = Role, -	      key_cb = KeyCb, +	      key_cb = ?GET_OPT(key_cb, Opts),  	      opts = Opts,  	      userauth_supported_methods = AuthMethods, -	      available_host_keys = supported_host_keys(Role, KeyCb, Opts), -	      random_length_padding = proplists:get_value(max_random_length_padding, -							  Opts, -							  (#ssh{})#ssh.random_length_padding) +	      available_host_keys = available_hkey_algorithms(Role, Opts), +	      random_length_padding = ?GET_OPT(max_random_length_padding, Opts)  	   },      {Vsn, Version} = ssh_transport:versions(Role, Opts),      case Role of  	client -> -	    PeerName =  proplists:get_value(host, Opts), -	    S0#ssh{c_vsn = Vsn, -		   c_version = Version, -		   io_cb = case proplists:get_value(user_interaction, Opts, true) of -			       true ->  ssh_io; -			       false -> ssh_no_io -			   end, -		   userauth_quiet_mode = proplists:get_value(quiet_mode, Opts, false), -		   peer = {PeerName, PeerAddr} -		  }; +	    PeerName = case ?GET_INTERNAL_OPT(host, Opts) of +                           PeerIP when is_tuple(PeerIP) -> +                               inet_parse:ntoa(PeerIP); +                           PeerName0 when is_atom(PeerName0) -> +                               atom_to_list(PeerName0); +                           PeerName0 when is_list(PeerName0) -> +                               PeerName0 +                       end, +            S1 = +                S0#ssh{c_vsn = Vsn, +                       c_version = Version, +                       io_cb = case ?GET_OPT(user_interaction, Opts) of +                                   true ->  ssh_io; +                                   false -> ssh_no_io +                               end, +                       userauth_quiet_mode = ?GET_OPT(quiet_mode, Opts), +                       peer = {PeerName, PeerAddr} +                      }, +            S1#ssh{userauth_pubkeys = [K || K <- ?GET_OPT(pref_public_key_algs, Opts), +                                            is_usable_user_pubkey(K, S1) +                                      ] +                  };  	server ->  	    S0#ssh{s_vsn = Vsn,  		   s_version = Version, -		   io_cb = proplists:get_value(io_cb, Opts, ssh_io), +		   io_cb = ?GET_INTERNAL_OPT(io_cb, Opts, ssh_io),  		   userauth_methods = string:tokens(AuthMethods, ","),  		   kb_tries_left = 3,  		   peer = {undefined, PeerAddr} @@ -478,49 +499,63 @@ init_ssh_record(Role, Socket, Opts) ->  -type renegotiate_flag() :: init | renegotiate.  -type state_name() ::  -	{init_error,any()} -      | {hello, role()} -      | {kexinit, role(), renegotiate_flag()} -      | {key_exchange, role(), renegotiate_flag()} -      | {key_exchange_dh_gex_init, server, renegotiate_flag()} +        {hello,                     role()                    } +      | {kexinit,                   role(), renegotiate_flag()} +      | {key_exchange,              role(), renegotiate_flag()} +      | {key_exchange_dh_gex_init,  server, renegotiate_flag()}        | {key_exchange_dh_gex_reply, client, renegotiate_flag()} -      | {new_keys, role()} -      | {service_request, role()} -      | {userauth, role()} -      | {userauth_keyboard_interactive, role()} -      | {connected, role()} +      | {new_keys,                  role(), renegotiate_flag()} +      | {ext_info,                  role(), renegotiate_flag()} +      | {service_request,           role()                    } +      | {userauth,                  role()                    } +      | {userauth_keyboard_interactive,       role()          } +      | {userauth_keyboard_interactive_extra, server          } +      | {userauth_keyboard_interactive_info_response, client  } +      | {connected,                 role()                    }  	. --type handle_event_result() :: gen_statem:handle_event_result(). +%% The state names must fulfill some rules regarding +%% where the role() and the renegotiate_flag() is placed: + +-spec role(state_name()) -> role(). +role({_,Role}) -> Role; +role({_,Role,_}) -> Role. + +-spec renegotiation(state_name()) -> boolean(). +renegotiation({_,_,ReNeg}) -> ReNeg == renegotiation; +renegotiation(_) -> false. + + +-define(CONNECTED(StateName),  +        (element(1,StateName) == connected orelse +         element(1,StateName) == ext_info ) ).  -spec handle_event(gen_statem:event_type(),  		   event_content(),  		   state_name(),  		   #data{} -		  ) -> handle_event_result(). +		  ) -> gen_statem:event_handler_result(state_name()) .  %% . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -%%% ######## Error in the initialisation #### -  callback_mode() ->      handle_event_function. +  handle_event(_, _Event, {init_error,Error}, _) ->      case Error of -	{badmatch,{error,enotconn}} -> -	    %% Handles the abnormal sequence: -	    %%    SYN-> -	    %%            <-SYNACK -	    %%    ACK-> -	    %%    RST-> -	    {stop, {shutdown,"TCP connenction to server was prematurely closed by the client"}}; - -	OtherError -> -	    {stop, {shutdown,{init,OtherError}}} +        enotconn -> +           %% Handles the abnormal sequence: +           %%    SYN-> +           %%            <-SYNACK +           %%    ACK-> +           %%    RST-> +            {stop, {shutdown,"TCP connenction to server was prematurely closed by the client"}}; + +        OtherError -> +            {stop, {shutdown,{init,OtherError}}}      end; -  %%% ######## {hello, client|server} ####  %% The very first event that is sent when the we are set as controlling process of Socket  handle_event(_, socket_control, {hello,_}, D) -> @@ -598,13 +633,17 @@ handle_event(_, {#ssh_msg_kexinit{}=Kex, Payload}, {kexinit,Role,ReNeg},  handle_event(_, #ssh_msg_kexdh_init{} = Msg, {key_exchange,server,ReNeg}, D) ->      {ok, KexdhReply, Ssh1} = ssh_transport:handle_kexdh_init(Msg, D#data.ssh_params),      send_bytes(KexdhReply, D), -    {ok, NewKeys, Ssh} = ssh_transport:new_keys_message(Ssh1), +    {ok, NewKeys, Ssh2} = ssh_transport:new_keys_message(Ssh1),      send_bytes(NewKeys, D), +    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh2), +    send_bytes(ExtInfo, D),      {next_state, {new_keys,server,ReNeg}, D#data{ssh_params=Ssh}};  handle_event(_, #ssh_msg_kexdh_reply{} = Msg, {key_exchange,client,ReNeg}, D) -> -    {ok, NewKeys, Ssh} = ssh_transport:handle_kexdh_reply(Msg, D#data.ssh_params), +    {ok, NewKeys, Ssh1} = ssh_transport:handle_kexdh_reply(Msg, D#data.ssh_params),      send_bytes(NewKeys, D), +    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh1), +    send_bytes(ExtInfo, D),      {next_state, {new_keys,client,ReNeg}, D#data{ssh_params=Ssh}};  %%%---- diffie-hellman group exchange @@ -629,13 +668,17 @@ handle_event(_, #ssh_msg_kex_dh_gex_group{} = Msg, {key_exchange,client,ReNeg},  handle_event(_, #ssh_msg_kex_ecdh_init{} = Msg, {key_exchange,server,ReNeg}, D) ->      {ok, KexEcdhReply, Ssh1} = ssh_transport:handle_kex_ecdh_init(Msg, D#data.ssh_params),      send_bytes(KexEcdhReply, D), -    {ok, NewKeys, Ssh} = ssh_transport:new_keys_message(Ssh1), +    {ok, NewKeys, Ssh2} = ssh_transport:new_keys_message(Ssh1),      send_bytes(NewKeys, D), +    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh2), +    send_bytes(ExtInfo, D),      {next_state, {new_keys,server,ReNeg}, D#data{ssh_params=Ssh}};  handle_event(_, #ssh_msg_kex_ecdh_reply{} = Msg, {key_exchange,client,ReNeg}, D) -> -    {ok, NewKeys, Ssh} = ssh_transport:handle_kex_ecdh_reply(Msg, D#data.ssh_params), +    {ok, NewKeys, Ssh1} = ssh_transport:handle_kex_ecdh_reply(Msg, D#data.ssh_params),      send_bytes(NewKeys, D), +    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh1), +    send_bytes(ExtInfo, D),      {next_state, {new_keys,client,ReNeg}, D#data{ssh_params=Ssh}}; @@ -644,8 +687,10 @@ handle_event(_, #ssh_msg_kex_ecdh_reply{} = Msg, {key_exchange,client,ReNeg}, D)  handle_event(_, #ssh_msg_kex_dh_gex_init{} = Msg, {key_exchange_dh_gex_init,server,ReNeg}, D) ->      {ok, KexGexReply, Ssh1} =  ssh_transport:handle_kex_dh_gex_init(Msg, D#data.ssh_params),      send_bytes(KexGexReply, D), -    {ok, NewKeys, Ssh} = ssh_transport:new_keys_message(Ssh1), +    {ok, NewKeys, Ssh2} = ssh_transport:new_keys_message(Ssh1),      send_bytes(NewKeys, D), +    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh2), +    send_bytes(ExtInfo, D),      {next_state, {new_keys,server,ReNeg}, D#data{ssh_params=Ssh}}; @@ -654,30 +699,60 @@ handle_event(_, #ssh_msg_kex_dh_gex_init{} = Msg, {key_exchange_dh_gex_init,serv  handle_event(_, #ssh_msg_kex_dh_gex_reply{} = Msg, {key_exchange_dh_gex_reply,client,ReNeg}, D) ->      {ok, NewKeys, Ssh1} = ssh_transport:handle_kex_dh_gex_reply(Msg, D#data.ssh_params),      send_bytes(NewKeys, D), -    {next_state, {new_keys,client,ReNeg}, D#data{ssh_params=Ssh1}}; +    {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh1), +    send_bytes(ExtInfo, D), +    {next_state, {new_keys,client,ReNeg}, D#data{ssh_params=Ssh}};  %%% ######## {new_keys, client|server} ####  %% First key exchange round: -handle_event(_, #ssh_msg_newkeys{} = Msg, {new_keys,Role,init}, D) -> +handle_event(_, #ssh_msg_newkeys{} = Msg, {new_keys,client,init}, D) ->      {ok, Ssh1} = ssh_transport:handle_new_keys(Msg, D#data.ssh_params), -    Ssh = case Role of -	      client -> -		  {MsgReq, Ssh2} = ssh_auth:service_request_msg(Ssh1), -		  send_bytes(MsgReq, D), -		  Ssh2; -	      server -> -		  Ssh1 -	  end, -    {next_state, {service_request,Role}, D#data{ssh_params=Ssh}}; +    %% {ok, ExtInfo, Ssh2} = ssh_transport:ext_info_message(Ssh1), +    %% send_bytes(ExtInfo, D), +    {MsgReq, Ssh} = ssh_auth:service_request_msg(Ssh1), +    send_bytes(MsgReq, D), +    {next_state, {ext_info,client,init}, D#data{ssh_params=Ssh}}; + +handle_event(_, #ssh_msg_newkeys{} = Msg, {new_keys,server,init}, D) -> +    {ok, Ssh} = ssh_transport:handle_new_keys(Msg, D#data.ssh_params), +    %% {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh1), +    %% send_bytes(ExtInfo, D), +    {next_state, {ext_info,server,init}, D#data{ssh_params=Ssh}};  %% Subsequent key exchange rounds (renegotiation):  handle_event(_, #ssh_msg_newkeys{} = Msg, {new_keys,Role,renegotiate}, D) ->      {ok, Ssh} = ssh_transport:handle_new_keys(Msg, D#data.ssh_params), -    {next_state, {connected,Role}, D#data{ssh_params=Ssh}}; +    %% {ok, ExtInfo, Ssh} = ssh_transport:ext_info_message(Ssh1), +    %% send_bytes(ExtInfo, D), +    {next_state, {ext_info,Role,renegotiate}, D#data{ssh_params=Ssh}}; + + +%%% ######## {ext_info, client|server, init|renegotiate} #### -%%% ######## {service_request, client|server} +handle_event(_, #ssh_msg_ext_info{}=Msg, {ext_info,Role,init}, D0) -> +    D = handle_ssh_msg_ext_info(Msg, D0), +    {next_state, {service_request,Role}, D}; + +handle_event(_, #ssh_msg_ext_info{}=Msg, {ext_info,Role,renegotiate}, D0) -> +    D = handle_ssh_msg_ext_info(Msg, D0), +    {next_state, {connected,Role}, D}; + +handle_event(_, #ssh_msg_newkeys{}=Msg, {ext_info,_Role,renegotiate}, D) -> +    {ok, Ssh} = ssh_transport:handle_new_keys(Msg, D#data.ssh_params), +    {keep_state, D#data{ssh_params = Ssh}}; +     + +handle_event(internal, Msg, {ext_info,Role,init}, D) when is_tuple(Msg) -> +    %% If something else arrives, goto next state and handle the event in that one +    {next_state, {service_request,Role}, D, [postpone]}; + +handle_event(internal, Msg, {ext_info,Role,_ReNegFlag}, D) when is_tuple(Msg) -> +    %% If something else arrives, goto next state and handle the event in that one +    {next_state, {connected,Role}, D, [postpone]}; + +%%% ######## {service_request, client|server} ####  handle_event(_, Msg = #ssh_msg_service_request{name=ServiceName}, StateName = {service_request,server}, D) ->      case ServiceName of @@ -756,6 +831,11 @@ handle_event(_,      end;  %%---- userauth success to client +handle_event(_, #ssh_msg_ext_info{}=Msg, {userauth,client}, D0) -> +    %% FIXME: need new state to receive this msg! +    D = handle_ssh_msg_ext_info(Msg, D0), +    {keep_state, D}; +  handle_event(_, #ssh_msg_userauth_success{}, {userauth,client}, D=#data{ssh_params = Ssh}) ->      D#data.starter ! ssh_connected,      {next_state, {connected,client}, D#data{ssh_params=Ssh#ssh{authenticated = true}}}; @@ -810,7 +890,7 @@ handle_event(_, #ssh_msg_userauth_info_request{} = Msg, {userauth_keyboard_inter  	    send_bytes(Reply, D),  	    {next_state, {userauth_keyboard_interactive_info_response,client}, D#data{ssh_params = Ssh}};  	not_ok -> -	    {next_state, {userauth,client}, D, [{next_event, internal, Msg}]} +	    {next_state, {userauth,client}, D, [postpone]}      end;  handle_event(_, #ssh_msg_userauth_info_response{} = Msg, {userauth_keyboard_interactive, server}, D) -> @@ -839,42 +919,45 @@ handle_event(_, #ssh_msg_userauth_info_response{} = Msg, {userauth_keyboard_inte      {next_state, {connected,server}, D#data{auth_user = User,  					    ssh_params = Ssh#ssh{authenticated = true}}}; -handle_event(_, Msg = #ssh_msg_userauth_failure{}, {userauth_keyboard_interactive, client}, +handle_event(_, #ssh_msg_userauth_failure{}, {userauth_keyboard_interactive, client},  	     #data{ssh_params = Ssh0} = D0) ->      Prefs = [{Method,M,F,A} || {Method,M,F,A} <- Ssh0#ssh.userauth_preference,  			       Method =/= "keyboard-interactive"],      D = D0#data{ssh_params = Ssh0#ssh{userauth_preference=Prefs}}, -    {next_state, {userauth,client}, D, [{next_event, internal, Msg}]}; +    {next_state, {userauth,client}, D, [postpone]}; -handle_event(_, Msg=#ssh_msg_userauth_failure{}, {userauth_keyboard_interactive_info_response, client}, +handle_event(_, #ssh_msg_userauth_failure{}, {userauth_keyboard_interactive_info_response, client},  	     #data{ssh_params = Ssh0} = D0) ->      Opts = Ssh0#ssh.opts, -    D = case proplists:get_value(password, Opts) of +    D = case ?GET_OPT(password, Opts) of  	    undefined ->  		D0;  	    _ ->  		D0#data{ssh_params = -			    Ssh0#ssh{opts = -					 lists:keyreplace(password,1,Opts, -							  {password,not_ok})}} % FIXME:intermodule dependency +			    Ssh0#ssh{opts = ?PUT_OPT({password,not_ok}, Opts)}} % FIXME:intermodule dependency  	end, -    {next_state, {userauth,client}, D, [{next_event, internal, Msg}]}; +    {next_state, {userauth,client}, D, [postpone]}; -handle_event(_, Msg=#ssh_msg_userauth_success{}, {userauth_keyboard_interactive_info_response, client}, D) -> -    {next_state, {userauth,client}, D, [{next_event, internal, Msg}]}; +handle_event(_, #ssh_msg_ext_info{}=Msg, {userauth_keyboard_interactive_info_response, client}, D0) -> +    %% FIXME: need new state to receive this msg! +    D = handle_ssh_msg_ext_info(Msg, D0), +    {keep_state, D}; -handle_event(_, Msg=#ssh_msg_userauth_info_request{}, {userauth_keyboard_interactive_info_response, client}, D) -> -    {next_state, {userauth_keyboard_interactive,client}, D, [{next_event, internal, Msg}]}; +handle_event(_, #ssh_msg_userauth_success{}, {userauth_keyboard_interactive_info_response, client}, D) -> +    {next_state, {userauth,client}, D, [postpone]}; + +handle_event(_, #ssh_msg_userauth_info_request{}, {userauth_keyboard_interactive_info_response, client}, D) -> +    {next_state, {userauth_keyboard_interactive,client}, D, [postpone]};  %%% ######## {connected, client|server} #### -handle_event(_, {#ssh_msg_kexinit{},_} = Event, {connected,Role}, D0) -> +handle_event(_, {#ssh_msg_kexinit{},_}, {connected,Role}, D0) ->      {KeyInitMsg, SshPacket, Ssh} = ssh_transport:key_exchange_init_msg(D0#data.ssh_params),      D = D0#data{ssh_params = Ssh,  		key_exchange_init_msg = KeyInitMsg},      send_bytes(SshPacket, D), -    {next_state, {kexinit,Role,renegotiate}, D, [{next_event, internal, Event}]}; +    {next_state, {kexinit,Role,renegotiate}, D, [postpone]};  handle_event(_, #ssh_msg_disconnect{description=Desc} = Msg, StateName, D0) ->      {disconnect, _, {{replies,Replies}, _}} = @@ -923,6 +1006,9 @@ handle_event(internal, Msg=#ssh_msg_channel_extended_data{},     StateName, D) -  handle_event(internal, Msg=#ssh_msg_channel_eof{},               StateName, D) ->      handle_connection_msg(Msg, StateName, D); +handle_event(internal, Msg=#ssh_msg_channel_close{},  {connected,server} = StateName, D) -> +    handle_connection_msg(Msg, StateName, cache_request_idle_timer_check(D)); +  handle_event(internal, Msg=#ssh_msg_channel_close{},             StateName, D) ->      handle_connection_msg(Msg, StateName, D); @@ -954,7 +1040,7 @@ handle_event(cast, renegotiate, _, _) ->  handle_event(cast, data_size, {connected,Role}, D) ->      {ok, [{send_oct,Sent0}]} = inet:getstat(D#data.socket, [send_oct]),      Sent = Sent0 - D#data.last_size_rekey, -    MaxSent = proplists:get_value(rekey_limit, D#data.opts, 1024000000), +    MaxSent = ?GET_OPT(rekey_limit, (D#data.ssh_params)#ssh.opts),      timer:apply_after(?REKEY_DATA_TIMOUT, gen_statem, cast, [self(), data_size]),      case Sent >= MaxSent of  	true -> @@ -975,12 +1061,10 @@ handle_event(cast, data_size, _, _) -> -handle_event(cast, _, StateName, _) when StateName /= {connected,server}, -					 StateName /= {connected,client} -> +handle_event(cast, _, StateName, _) when not ?CONNECTED(StateName) ->      {keep_state_and_data, [postpone]}; - -handle_event(cast, {adjust_window,ChannelId,Bytes}, {connected,_}, D) -> +handle_event(cast, {adjust_window,ChannelId,Bytes}, StateName, D) when ?CONNECTED(StateName) ->      case ssh_channel:cache_lookup(cache(D), ChannelId) of  	#channel{recv_window_size = WinSize,  		 recv_window_pending = Pending, @@ -1006,7 +1090,7 @@ handle_event(cast, {adjust_window,ChannelId,Bytes}, {connected,_}, D) ->  	    keep_state_and_data      end; -handle_event(cast, {reply_request,success,ChannelId}, {connected,_}, D) -> +handle_event(cast, {reply_request,success,ChannelId}, StateName, D) when ?CONNECTED(StateName) ->      case ssh_channel:cache_lookup(cache(D), ChannelId) of  	#channel{remote_id = RemoteId} ->  	    Msg = ssh_connection:channel_success_msg(RemoteId), @@ -1017,13 +1101,13 @@ handle_event(cast, {reply_request,success,ChannelId}, {connected,_}, D) ->  	    keep_state_and_data      end; -handle_event(cast, {request,ChannelPid, ChannelId, Type, Data}, {connected,_}, D) -> +handle_event(cast, {request,ChannelPid, ChannelId, Type, Data}, StateName, D) when ?CONNECTED(StateName) ->      {keep_state,  handle_request(ChannelPid, ChannelId, Type, Data, false, none, D)}; -handle_event(cast, {request,ChannelId,Type,Data}, {connected,_}, D) -> +handle_event(cast, {request,ChannelId,Type,Data}, StateName, D) when ?CONNECTED(StateName) ->      {keep_state,  handle_request(ChannelId, Type, Data, false, none, D)}; -handle_event(cast, {unknown,Data}, {connected,_}, D) -> +handle_event(cast, {unknown,Data}, StateName, D) when ?CONNECTED(StateName) ->      Msg = #ssh_msg_unimplemented{sequence = Data},      {keep_state, send_msg(Msg,D)}; @@ -1084,30 +1168,34 @@ handle_event({call,From}, stop, StateName, D0) ->      {Repls,D} = send_replies(Replies, D0),      {stop_and_reply, normal, [{reply,From,ok}|Repls], D#data{connection_state=Connection}}; -handle_event({call,_}, _, StateName, _) when StateName /= {connected,server}, -					     StateName /= {connected,client}  -> + +handle_event({call,_}, _, StateName, _) when not ?CONNECTED(StateName) ->      {keep_state_and_data, [postpone]}; -handle_event({call,From}, {request, ChannelPid, ChannelId, Type, Data, Timeout}, {connected,_}, D0) -> +handle_event({call,From}, {request, ChannelPid, ChannelId, Type, Data, Timeout}, StateName, D0)  +  when ?CONNECTED(StateName) ->      D = handle_request(ChannelPid, ChannelId, Type, Data, true, From, D0),      %% Note reply to channel will happen later when reply is recived from peer on the socket      start_channel_request_timer(ChannelId, From, Timeout),      {keep_state, cache_request_idle_timer_check(D)}; -handle_event({call,From}, {request, ChannelId, Type, Data, Timeout}, {connected,_}, D0) -> +handle_event({call,From}, {request, ChannelId, Type, Data, Timeout}, StateName, D0)  +  when ?CONNECTED(StateName) ->      D = handle_request(ChannelId, Type, Data, true, From, D0),      %% Note reply to channel will happen later when reply is recived from peer on the socket      start_channel_request_timer(ChannelId, From, Timeout),      {keep_state, cache_request_idle_timer_check(D)}; -handle_event({call,From}, {data, ChannelId, Type, Data, Timeout}, {connected,_}, D0) -> +handle_event({call,From}, {data, ChannelId, Type, Data, Timeout}, StateName, D0)  +  when ?CONNECTED(StateName) ->      {{replies, Replies}, Connection} =  	ssh_connection:channel_data(ChannelId, Type, Data, D0#data.connection_state, From),      {Repls,D} = send_replies(Replies, D0#data{connection_state = Connection}),      start_channel_request_timer(ChannelId, From, Timeout), % FIXME: No message exchange so why?      {keep_state, D, Repls}; -handle_event({call,From}, {eof, ChannelId}, {connected,_}, D0) -> +handle_event({call,From}, {eof, ChannelId}, StateName, D0)  +  when ?CONNECTED(StateName) ->      case ssh_channel:cache_lookup(cache(D0), ChannelId) of  	#channel{remote_id = Id, sent_close = false} ->  	    D = send_msg(ssh_connection:channel_eof_msg(Id), D0), @@ -1118,8 +1206,8 @@ handle_event({call,From}, {eof, ChannelId}, {connected,_}, D0) ->  handle_event({call,From},  	     {open, ChannelPid, Type, InitialWindowSize, MaxPacketSize, Data, Timeout}, -	     {connected,_}, -	     D0) -> +	     StateName, +	     D0) when ?CONNECTED(StateName) ->      erlang:monitor(process, ChannelPid),      {ChannelId, D1} = new_channel_id(D0),      D2 = send_msg(ssh_connection:channel_open_msg(Type, ChannelId, @@ -1139,7 +1227,8 @@ handle_event({call,From},      start_channel_request_timer(ChannelId, From, Timeout),      {keep_state, cache_cancel_idle_timer(D)}; -handle_event({call,From}, {send_window, ChannelId}, {connected,_}, D) -> +handle_event({call,From}, {send_window, ChannelId}, StateName, D)  +  when ?CONNECTED(StateName) ->      Reply = case ssh_channel:cache_lookup(cache(D), ChannelId) of  		#channel{send_window_size = WinSize,  			 send_packet_size = Packsize} -> @@ -1149,7 +1238,8 @@ handle_event({call,From}, {send_window, ChannelId}, {connected,_}, D) ->  	    end,      {keep_state_and_data, [{reply,From,Reply}]}; -handle_event({call,From}, {recv_window, ChannelId}, {connected,_}, D) -> +handle_event({call,From}, {recv_window, ChannelId}, StateName, D)  +  when ?CONNECTED(StateName) ->      Reply = case ssh_channel:cache_lookup(cache(D), ChannelId) of  		#channel{recv_window_size = WinSize,  			 recv_packet_size = Packsize} -> @@ -1159,7 +1249,8 @@ handle_event({call,From}, {recv_window, ChannelId}, {connected,_}, D) ->  	    end,      {keep_state_and_data, [{reply,From,Reply}]}; -handle_event({call,From}, {close, ChannelId}, {connected,_}, D0) -> +handle_event({call,From}, {close, ChannelId}, StateName, D0)  +  when ?CONNECTED(StateName) ->      case ssh_channel:cache_lookup(cache(D0), ChannelId) of  	#channel{remote_id = Id} = Channel ->  	    D1 = send_msg(ssh_connection:channel_close_msg(Id), D0), @@ -1291,14 +1382,16 @@ handle_event(info, UnexpectedMessage, StateName, D = #data{ssh_params = Ssh}) ->  	report ->  	    Msg = lists:flatten(  		    io_lib:format( +                      "*** SSH: "  		      "Unexpected message '~p' received in state '~p'\n"  		      "Role: ~p\n"  		      "Peer: ~p\n" -		      "Local Address: ~p\n", [UnexpectedMessage, -					      StateName, -					      Ssh#ssh.role,  -					      Ssh#ssh.peer, -					      proplists:get_value(address, Ssh#ssh.opts)])), +		      "Local Address: ~p\n", +                      [UnexpectedMessage, +                       StateName, +                       Ssh#ssh.role,  +                       Ssh#ssh.peer, +                       ?GET_INTERNAL_OPT(address, Ssh#ssh.opts, undefined)])),  	    error_logger:info_report(Msg),  	    keep_state_and_data; @@ -1307,16 +1400,18 @@ handle_event(info, UnexpectedMessage, StateName, D = #data{ssh_params = Ssh}) ->  	Other ->  	    Msg = lists:flatten( -		    io_lib:format("Call to fun in 'unexpectedfun' failed:~n" +		    io_lib:format("*** SSH: " +                                  "Call to fun in 'unexpectedfun' failed:~n"  				  "Return: ~p\n"  				  "Message: ~p\n"  				  "Role: ~p\n"  				  "Peer: ~p\n" -				  "Local Address: ~p\n", [Other, -							  UnexpectedMessage, -							  Ssh#ssh.role, -							  element(2,Ssh#ssh.peer), -							  proplists:get_value(address, Ssh#ssh.opts)] +				  "Local Address: ~p\n", +                                  [Other, +                                   UnexpectedMessage, +                                   Ssh#ssh.role, +                                   Ssh#ssh.peer, +                                   ?GET_INTERNAL_OPT(address, Ssh#ssh.opts, undefined)]  				 )),  	    error_logger:error_report(Msg),  	    keep_state_and_data @@ -1325,11 +1420,16 @@ handle_event(info, UnexpectedMessage, StateName, D = #data{ssh_params = Ssh}) ->  handle_event(internal, {disconnect,Msg,_Reason}, StateName, D) ->      disconnect(Msg, StateName, D); +handle_event(_Type, _Msg, {ext_info,Role,_ReNegFlag}, D) -> +    %% If something else arrives, goto next state and handle the event in that one +    {next_state, {connected,Role}, D, [postpone]}; +  handle_event(Type, Ev, StateName, D) ->      Descr =  	case catch atom_to_list(element(1,Ev)) of  	    "ssh_msg_" ++_ when Type==internal -> -		"Message in wrong state"; +%%		"Message in wrong state"; +                lists:flatten(io_lib:format("Message ~p in wrong state (~p)", [element(1,Ev), StateName]));  	    _ ->  		"Internal error"  	end, @@ -1438,11 +1538,11 @@ code_change(_OldVsn, StateName, State, _Extra) ->  %%--------------------------------------------------------------------  %% Starting -start_the_connection_child(UserPid, Role, Socket, Options) -> -    Sups = proplists:get_value(supervisors, Options), +start_the_connection_child(UserPid, Role, Socket, Options0) -> +    Sups = ?GET_INTERNAL_OPT(supervisors, Options0),      ConnectionSup = proplists:get_value(connection_sup, Sups), -    Opts = [{supervisors, Sups}, {user_pid, UserPid} | proplists:get_value(ssh_opts, Options, [])], -    {ok, Pid} = ssh_connection_sup:start_child(ConnectionSup, [Role, Socket, Opts]), +    Options = ?PUT_INTERNAL_OPT({user_pid,UserPid}, Options0), +    {ok, Pid} = ssh_connection_sup:start_child(ConnectionSup, [Role, Socket, Options]),      ok = socket_control(Socket, Pid, Options),      Pid. @@ -1469,46 +1569,43 @@ peer_role(client) -> server;  peer_role(server) -> client.  %%-------------------------------------------------------------------- -%% StateName to Role -role({_,Role}) -> Role; -role({_,Role,_}) -> Role. +available_hkey_algorithms(Role, Options) -> +    KeyCb = ?GET_OPT(key_cb, Options), +    case [A || A <- available_hkey_algos(Options), +               (Role==client) orelse available_host_key(KeyCb, A, Options) +         ] of +         +        [] when Role==client -> +	    error({shutdown, "No public key algs"}); + +        [] when Role==server -> +	    error({shutdown, "No host key available"}); -%%-------------------------------------------------------------------- -%% Check the StateName to see if we are in the renegotiation phase -renegotiation({_,_,ReNeg}) -> ReNeg == renegotiation; -renegotiation(_) -> false. - -%%-------------------------------------------------------------------- -supported_host_keys(client, _, Options) -> -    try -	case proplists:get_value(public_key, -				 proplists:get_value(preferred_algorithms,Options,[]) -				) of -	    undefined -> -		ssh_transport:default_algorithms(public_key); -	    L -> -		L -- (L--ssh_transport:default_algorithms(public_key)) -	end -    of -	[] -> -	    {stop, {shutdown, "No public key algs"}};  	Algs ->  	    [atom_to_list(A) || A<-Algs] -    catch -	exit:Reason -> -	    {stop, {shutdown, Reason}} -    end; -supported_host_keys(server, KeyCb, Options) -> -    [atom_to_list(A) || A <- proplists:get_value(public_key, -						 proplists:get_value(preferred_algorithms,Options,[]), -						 ssh_transport:default_algorithms(public_key) -						), -			available_host_key(KeyCb, A, Options) -    ]. +    end. + + +available_hkey_algos(Options) -> +    SupAlgos = ssh_transport:supported_algorithms(public_key), +    HKeys = proplists:get_value(public_key, +                                ?GET_OPT(preferred_algorithms,Options) +                               ), +    NonSupported =  HKeys -- SupAlgos, +    AvailableAndSupported = HKeys -- NonSupported, +    AvailableAndSupported. +  %% Alg :: atom() -available_host_key(KeyCb, Alg, Opts) -> -    element(1, catch KeyCb:host_key(Alg, Opts)) == ok. +available_host_key({KeyCb,KeyCbOpts}, Alg, Opts) -> +    UserOpts = ?GET_OPT(user_options, Opts), +    case KeyCb:host_key(Alg, [{key_cb_private,KeyCbOpts}|UserOpts]) of +        {ok,Key} -> +            %% Check the key - the KeyCb may be a buggy plugin +            ssh_transport:valid_key_sha_alg(Key, Alg); +        _ -> +            false +    end.  send_msg(Msg, State=#data{ssh_params=Ssh0}) when is_tuple(Msg) -> @@ -1516,6 +1613,8 @@ send_msg(Msg, State=#data{ssh_params=Ssh0}) when is_tuple(Msg) ->      send_bytes(Bytes, State),      State#data{ssh_params=Ssh}. +send_bytes("", _D) -> +    ok;  send_bytes(Bytes, #data{socket = Socket, transport_cb = Transport}) ->      _ = Transport:send(Socket, Bytes),      ok. @@ -1622,6 +1721,57 @@ cache(#data{connection_state=C}) -> C#connection.channel_cache.  %%%---------------------------------------------------------------- +handle_ssh_msg_ext_info(#ssh_msg_ext_info{}, D=#data{ssh_params = #ssh{recv_ext_info=false}} ) -> +    % The peer sent this although we didn't allow it! +    D; + +handle_ssh_msg_ext_info(#ssh_msg_ext_info{data=Data}, D0) -> +    lists:foldl(fun ext_info/2, D0, Data). + + +ext_info({"server-sig-algs",SigAlgsStr}, +         D0 = #data{ssh_params=#ssh{role=client, +                                    userauth_pubkeys=ClientSigAlgs}=Ssh0}) -> +    %% ClientSigAlgs are the pub_key algortithms that: +    %%  1) is usable, that is, the user has such a public key and +    %%  2) is either the default list or set by the caller +    %%     with the client option 'pref_public_key_algs' +    %% +    %% The list is already checked for duplicates. + +    SigAlgs = [A || Astr <- string:tokens(SigAlgsStr, ","), +                    A <- try [list_to_existing_atom(Astr)] +                              %% list_to_existing_atom will fail for unknown algorithms +                         catch _:_ -> [] +                         end], + +    CommonAlgs = [A || A <- SigAlgs, +                       lists:member(A, ClientSigAlgs)], + +    %% Re-arrange the client supported public-key algorithms so that the server +    %% preferred ones are tried first. +    %% Trying algorithms not mentioned by the server is ok, since the server can't know +    %% if the client supports 'server-sig-algs' or not. + +    D0#data{ +      ssh_params = +          Ssh0#ssh{ +            userauth_pubkeys = +                CommonAlgs ++ (ClientSigAlgs -- CommonAlgs) +           }}; + +ext_info(_, D0) -> +    %% Not implemented +    D0. + +%%%---------------------------------------------------------------- +is_usable_user_pubkey(A, Ssh) -> +    case ssh_auth:get_public_key(A, Ssh) of +        {ok,_} -> true; +        _ -> false +    end. + +%%%----------------------------------------------------------------  handle_request(ChannelPid, ChannelId, Type, Data, WantReply, From, D) ->      case ssh_channel:cache_lookup(cache(D), ChannelId) of  	#channel{remote_id = Id} = Channel -> @@ -1765,47 +1915,24 @@ get_repl(X, Acc) ->      exit({get_repl,X,Acc}).  %%%---------------------------------------------------------------- -disconnect_fun({disconnect,Msg}, D) -> -    disconnect_fun(Msg, D); -disconnect_fun(Reason,  #data{opts=Opts}) -> -    case proplists:get_value(disconnectfun, Opts) of -	undefined -> -	    ok; -	Fun -> -	    catch Fun(Reason) -     end. - -unexpected_fun(UnexpectedMessage, #data{opts = Opts, -					ssh_params = #ssh{peer = {_,Peer} } -				       } ) -> -    case proplists:get_value(unexpectedfun, Opts) of -	undefined -> -	    report; -	Fun -> -	    catch Fun(UnexpectedMessage, Peer) -    end. +-define(CALL_FUN(Key,D), catch (?GET_OPT(Key, (D#data.ssh_params)#ssh.opts)) ). +disconnect_fun({disconnect,Msg}, D) -> ?CALL_FUN(disconnectfun,D)(Msg); +disconnect_fun(Reason, D)           -> ?CALL_FUN(disconnectfun,D)(Reason). + +unexpected_fun(UnexpectedMessage, #data{ssh_params = #ssh{peer = {_,Peer} }} = D) -> +    ?CALL_FUN(unexpectedfun,D)(UnexpectedMessage, Peer).  debug_fun(#ssh_msg_debug{always_display = Display,  			 message = DbgMsg,  			 language = Lang}, -	  #data{opts = Opts}) -> -    case proplists:get_value(ssh_msg_debug_fun, Opts) of -	undefined -> -	    ok; -	Fun -> -	    catch Fun(self(), Display, DbgMsg, Lang) -    end. +	  D) -> +    ?CALL_FUN(ssh_msg_debug_fun,D)(self(), Display, DbgMsg, Lang). -connected_fun(User, Method, #data{ssh_params = #ssh{peer = {_,Peer}}, -				  opts = Opts}) -> -    case proplists:get_value(connectfun, Opts) of -	undefined -> -	    ok; -	Fun -> -	    catch Fun(User, Peer, Method) -    end. +connected_fun(User, Method, #data{ssh_params = #ssh{peer = {_,Peer}}} = D) -> +    ?CALL_FUN(connectfun,D)(User, Peer, Method). +  retry_fun(_, undefined, _) ->      ok; @@ -1819,7 +1946,7 @@ retry_fun(User, Reason, #data{ssh_params = #ssh{opts = Opts,  	    _ ->  		{infofun, Reason}  	end, -    Fun = proplists:get_value(Tag, Opts, fun(_,_)-> ok end), +    Fun = ?GET_OPT(Tag, Opts),      try erlang:fun_info(Fun, arity)      of  	{arity, 2} -> %% Backwards compatible @@ -1838,7 +1965,7 @@ retry_fun(User, Reason, #data{ssh_params = #ssh{opts = Opts,  %%% channels open for a while.  cache_init_idle_timer(D) -> -    case proplists:get_value(idle_time, D#data.opts, infinity) of +    case ?GET_OPT(idle_time, (D#data.ssh_params)#ssh.opts) of  	infinity ->  	    D#data{idle_timer_value = infinity,  		   idle_timer_ref = infinity	% A flag used later... @@ -1901,9 +2028,8 @@ start_channel_request_timer(Channel, From, Time) ->  %%% Connection start and initalization helpers  socket_control(Socket, Pid, Options) -> -    {_, TransportCallback, _} =		   % For example {_,gen_tcp,_} -	proplists:get_value(transport, Options, ?DefaultTransport), -    case TransportCallback:controlling_process(Socket, Pid) of +    {_, Callback, _} =	?GET_OPT(transport, Options), +    case Callback:controlling_process(Socket, Pid) of  	ok ->  	    gen_statem:cast(Pid, socket_control);  	{error, Reason}	-> @@ -1935,12 +2061,14 @@ handshake(Pid, Ref, Timeout) ->      end.  update_inet_buffers(Socket) -> -    {ok, BufSzs0} = inet:getopts(Socket, [sndbuf,recbuf]), -    MinVal = 655360, -    case -	[{Tag,MinVal} || {Tag,Val} <- BufSzs0, -			 Val < MinVal] +    try +        {ok, BufSzs0} = inet:getopts(Socket, [sndbuf,recbuf]), +        MinVal = 655360, +        [{Tag,MinVal} || {Tag,Val} <- BufSzs0, +                         Val < MinVal]      of  	[] -> ok;  	NewOpts -> inet:setopts(Socket, NewOpts) +    catch +        _:_ -> ok      end. diff --git a/lib/ssh/src/ssh_connection_sup.erl b/lib/ssh/src/ssh_connection_sup.erl index 0f54053f52..60ee8b7c73 100644 --- a/lib/ssh/src/ssh_connection_sup.erl +++ b/lib/ssh/src/ssh_connection_sup.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %%  -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%   %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -45,19 +45,17 @@ start_child(Sup, Args) ->  %%%=========================================================================  %%%  Supervisor callback  %%%========================================================================= --spec init( [term()] ) -> {ok,{supervisor:sup_flags(),[supervisor:child_spec()]}} | ignore . -  init(_) -> -    RestartStrategy = simple_one_for_one, -    MaxR = 0, -    MaxT = 3600, - -    Name = undefined, % As simple_one_for_one is used. -    StartFunc = {ssh_connection_handler, start_link, []}, -    Restart = temporary, % E.g. should not be restarted -    Shutdown = 4000, -    Modules = [ssh_connection_handler], -    Type = worker, - -    ChildSpec = {Name, StartFunc, Restart, Shutdown, Type, Modules}, -    {ok, {{RestartStrategy, MaxR, MaxT}, [ChildSpec]}}. +    SupFlags = #{strategy  => simple_one_for_one,  +                 intensity =>    0, +                 period    => 3600 +                }, +    ChildSpecs = [#{id       => undefined, % As simple_one_for_one is used. +                    start    => {ssh_connection_handler, start_link, []}, +                    restart  => temporary, +                    shutdown => 4000, +                    type     => worker, +                    modules  => [ssh_connection_handler] +                   } +                 ], +    {ok, {SupFlags,ChildSpecs}}. diff --git a/lib/ssh/src/ssh_dbg.erl b/lib/ssh/src/ssh_dbg.erl index 251741da7e..af9ad52d68 100644 --- a/lib/ssh/src/ssh_dbg.erl +++ b/lib/ssh/src/ssh_dbg.erl @@ -22,9 +22,10 @@  -module(ssh_dbg). --export([messages/0, -	 messages/1, -	 messages/2, +-export([messages/0, messages/1, messages/2, messages/3, +	 auth/0,     auth/1,     auth/2,     auth/3, +	 algs/0,     algs/1,     algs/2,     algs/3, +	 hostkey/0,  hostkey/1,  hostkey/2,  hostkey/3,  	 stop/0  	]). @@ -36,101 +37,303 @@  -include("ssh_connect.hrl").  -include("ssh_auth.hrl"). --record(data, { -	  writer, -	  acc = []}).  %%%================================================================ -messages() -> -    messages(fun(String,_D) -> io:format(String) end). - -messages(Write) when is_function(Write,2) -> -    messages(Write, fun(X) -> X end). - -messages(Write, MangleArg) when is_function(Write,2), -				is_function(MangleArg,1) -> -    catch dbg:start(), -    setup_tracer(Write, MangleArg), -    dbg:p(new,[c,timestamp]), -    dbg_ssh_messages(). - -dbg_ssh_messages() -> -    dbg:tp(ssh_message,encode,1, x), -    dbg:tp(ssh_message,decode,1, x), -    dbg:tpl(ssh_transport,select_algorithm,3, x), -    dbg:tp(ssh_transport,hello_version_msg,1, x), -    dbg:tp(ssh_transport,handle_hello_version,1, x). -    +messages() -> start(msg). +messages(F) -> start(msg,F). +messages(F,X) -> start(msg,F,X). +messages(F,M,I) -> start(msg,F,M,I). + +auth() -> start(auth). +auth(F) -> start(auth,F). +auth(F,X) -> start(auth,F,X). +auth(F,M,I) -> start(auth,F,M,I). + +algs() -> start(algs). +algs(F) -> start(algs,F). +algs(F,X) -> start(algs,F,X). +algs(F,M,I) -> start(algs,F,M,I). + +hostkey() -> start(hostkey). +hostkey(F) -> start(hostkey,F). +hostkey(F,X) -> start(hostkey,F,X). +hostkey(F,M,I) -> start(hostkey,F,M,I). + +stop() -> dbg:stop(). + +%%%---------------------------------------------------------------- +start(Type) -> start(Type, fun io:format/2). + +start(Type, F) when is_function(F,2) -> start(Type, fmt_fun(F)); +start(Type, F) when is_function(F,3) -> start(Type, F, id_fun()). + +start(Type, WriteFun, MangleArgFun) when is_function(WriteFun, 3), +                                         is_function(MangleArgFun, 1) -> +    start(Type, WriteFun, MangleArgFun, []); +start(Type, WriteFun, InitValue) -> +    start(Type, WriteFun, id_fun(), InitValue). + +start(Type, WriteFun, MangleArgFun, InitValue) when is_function(WriteFun, 3), +                                                    is_function(MangleArgFun, 1) -> +    cond_start(Type, WriteFun, MangleArgFun, InitValue), +    dbg_ssh(Type). +  %%%---------------------------------------------------------------- -stop() -> -    dbg:stop(). +fmt_fun(F) -> fun(Fmt,Args,Data) -> F(Fmt,Args), Data end. +id_fun() ->  fun(X) -> X end. + +%%%---------------------------------------------------------------- +dbg_ssh(What) -> +    case [E || E <- lists:flatten(dbg_ssh0(What)), +               element(1,E) =/= ok] of +        [] -> ok; +        Other -> Other +    end. +             + +dbg_ssh0(auth) -> +    [dbg:tp(ssh_transport,hello_version_msg,1, x), +     dbg:tp(ssh_transport,handle_hello_version,1, x), +     dbg:tp(ssh_message,encode,1, x), +     dbg:tpl(ssh_transport,select_algorithm,4, x), +     dbg:tpl(ssh_connection_handler,ext_info,2, x), +     lists:map(fun(F) -> dbg:tp(ssh_auth, F, x) end, +               [publickey_msg, password_msg, keyboard_interactive_msg]) +    ]; + +dbg_ssh0(algs) -> +    [dbg:tpl(ssh_transport,select_algorithm,4, x), +     dbg:tpl(ssh_connection_handler,ext_info,2, x) +    ]; + +dbg_ssh0(hostkey) -> +    [dbg:tpl(ssh_transport, verify_host_key, 4, x), +     dbg:tp(ssh_transport, verify, 4, x), +     dbg:tpl(ssh_transport, known_host_key, 3, x), +%%     dbg:tpl(ssh_transport, accepted_host, 4, x), +     dbg:tpl(ssh_transport, add_host_key, 4, x), +     dbg:tpl(ssh_transport, is_host_key, 5, x) +    ]; + +dbg_ssh0(msg) -> +    [dbg_ssh0(hostkey), +     dbg_ssh0(auth), +     dbg:tp(ssh_message,encode,1, x), +     dbg:tp(ssh_message,decode,1, x), +     dbg:tpl(ssh_transport,select_algorithm,4, x), +     dbg:tp(ssh_transport,hello_version_msg,1, x), +     dbg:tp(ssh_transport,handle_hello_version,1, x), +     dbg:tpl(ssh_connection_handler,ext_info,2, x) +    ]. +    +     %%%================================================================ -msg_formater({trace_ts,Pid,call,{ssh_message,encode,[Msg]},TS}, D) -> +cond_start(Type, WriteFun, MangleArgFun, Init) -> +    try +        dbg:start(), +        setup_tracer(Type, WriteFun, MangleArgFun, Init), +        dbg:p(new,[c,timestamp]) +    catch +        _:_ -> ok +    end. + + +msg_formater(msg, {trace_ts,Pid,call,{ssh_message,encode,[Msg]},TS}, D) ->      fmt("~n~s SEND ~p ~s~n", [ts(TS),Pid,wr_record(shrink_bin(Msg))], D); -msg_formater({trace_ts,_Pid,return_from,{ssh_message,encode,1},_Res,_TS}, D) ->  +msg_formater(msg, {trace_ts,_Pid,return_from,{ssh_message,encode,1},_Res,_TS}, D) ->       D; -msg_formater({trace_ts,_Pid,call,{ssh_message,decode,_},_TS}, D) -> +msg_formater(msg, {trace_ts,_Pid,call,{ssh_message,decode,_},_TS}, D) ->      D; -msg_formater({trace_ts,Pid,return_from,{ssh_message,decode,1},Msg,TS}, D) ->  +msg_formater(msg, {trace_ts,Pid,return_from,{ssh_message,decode,1},Msg,TS}, D) ->       fmt("~n~s ~p RECV ~s~n", [ts(TS),Pid,wr_record(shrink_bin(Msg))], D); + +msg_formater(_auth, {trace_ts,Pid,return_from,{ssh_message,decode,1},#ssh_msg_userauth_failure{authentications=As},TS}, D) ->  +    fmt("~n~s ~p Client login FAILURE. Try ~s~n", [ts(TS),Pid,As], D); +	 +msg_formater(_auth, {trace_ts,Pid,return_from,{ssh_message,decode,1},#ssh_msg_userauth_success{},TS}, D) ->  +    fmt("~n~s ~p Client login SUCCESS~n", [ts(TS),Pid], D); + -msg_formater({trace_ts,_Pid,call,{ssh_transport,select_algorithm,_},_TS}, D) -> +msg_formater(_, {trace_ts,_Pid,call,{ssh_transport,select_algorithm,_},_TS}, D) ->      D; -msg_formater({trace_ts,Pid,return_from,{ssh_transport,select_algorithm,3},{ok,Alg},TS}, D) -> +msg_formater(_, {trace_ts,Pid,return_from,{ssh_transport,select_algorithm,_},{ok,Alg},TS}, D) ->      fmt("~n~s ~p ALGORITHMS~n~s~n", [ts(TS),Pid, wr_record(Alg)], D); -msg_formater({trace_ts,_Pid,call,{ssh_transport,hello_version_msg,_},_TS}, D) -> +msg_formater(_, {trace_ts,_Pid,call,{ssh_transport,hello_version_msg,_},_TS}, D) ->      D; -msg_formater({trace_ts,Pid,return_from,{ssh_transport,hello_version_msg,1},Hello,TS}, D) ->  +msg_formater(_, {trace_ts,Pid,return_from,{ssh_transport,hello_version_msg,1},Hello,TS}, D) ->       fmt("~n~s ~p TCP SEND HELLO~n  ~p~n", [ts(TS),Pid,lists:flatten(Hello)], D); -msg_formater({trace_ts,Pid,call,{ssh_transport,handle_hello_version,[Hello]},TS}, D) -> +msg_formater(_, {trace_ts,Pid,call,{ssh_transport,handle_hello_version,[Hello]},TS}, D) ->      fmt("~n~s ~p RECV HELLO~n  ~p~n", [ts(TS),Pid,lists:flatten(Hello)], D); -msg_formater({trace_ts,_Pid,return_from,{ssh_transport,handle_hello_version,1},_,_TS}, D) ->  +msg_formater(_, {trace_ts,_Pid,return_from,{ssh_transport,handle_hello_version,1},_,_TS}, D) ->       D; -msg_formater({trace_ts,Pid,send,{tcp,Sock,Bytes},Pid,TS}, D) -> +msg_formater(_, {trace_ts,Pid,call,{ssh_connection_handler,ext_info,[{"server-sig-algs",SigAlgs},State]},TS}, D) -> +    try lists:keyfind(ssh, 1, tuple_to_list(State)) of +        false -> +            D; +        #ssh{userauth_pubkeys = PKs} -> +            fmt("~n~s ~p Client got suggestion to use user public key sig-algs~n    ~p~n  and can use~n    ~p~n", +                [ts(TS),Pid,string:tokens(SigAlgs,","),PKs], D) +    catch +        _:_ -> +            D +    end; + +msg_formater(_, {trace_ts,Pid,return_from,{ssh_connection_handler,ext_info,2},State,TS}, D) -> +    try lists:keyfind(ssh, 1, tuple_to_list(State)) of +        false -> +            D; +        #ssh{userauth_pubkeys = PKs} -> +            fmt("~n~s ~p Client will try user public key sig-algs~n  ~p~n", [ts(TS),Pid,PKs], D) +    catch +        _:_ -> +            D +    end; + +msg_formater(_, {trace_ts,Pid,call, {ssh_transport,verify_host_key,[_Ssh,_PK,_Dgst,{AlgStr,_Sign}]},TS}, D) -> +    fmt("~n~s ~p Client got a ~s hostkey. Will try to verify it~n", [ts(TS),Pid,AlgStr], D); +msg_formater(_, {trace_ts,Pid,return_from, {ssh_transport,verify_host_key,4}, Result, TS}, D) -> +    case Result of +        ok -> fmt("~n~s ~p Hostkey verified.~n", [ts(TS),Pid], D); +        {error,E} -> +              fmt("~n~s ~p ***** Hostkey NOT verified: ~p ******!~n", [ts(TS),Pid,E], D); +        _  -> fmt("~n~s ~p ***** Hostkey is NOT verified: ~p ******!~n", [ts(TS),Pid,Result], D) +    end; +         +msg_formater(_, {trace_ts,Pid,return_from, {ssh_transport,verify,4}, Result, TS}, D) -> +    case Result of +        true -> D; +        _ -> fmt("~n~s ~p Couldn't verify the signature!~n", [ts(TS),Pid], D) +    end; + +msg_formater(_, {trace_ts,_Pid,call, {ssh_transport,is_host_key,_}, _TS}, D) -> D; +msg_formater(_, {trace_ts,Pid,return_from, {ssh_transport,is_host_key,5}, {CbMod,Result}, TS}, D) -> +    case Result of +        true -> fmt("~n~s ~p Hostkey found by ~p.~n", [ts(TS),Pid,CbMod], D); +        _    -> fmt("~n~s ~p Hostkey NOT found by ~p.~n", [ts(TS),Pid,CbMod], D) +    end; + +msg_formater(_, {trace_ts,_Pid,call, {ssh_transport,add_host_key,_}, _TS}, D) -> D; +msg_formater(_, {trace_ts,Pid,return_from, {ssh_transport,add_host_key,4}, {CbMod,Result}, TS}, D) -> +    case Result of +        ok -> fmt("~n~s ~p New hostkey added by ~p.~n", [ts(TS),Pid,CbMod], D); +        _  -> D +    end; + +msg_formater(_, {trace_ts,_Pid,call,{ssh_transport,known_host_key,_},_TS}, D) -> D; +msg_formater(_, {trace_ts,Pid,return_from, {ssh_transport,known_host_key,3}, Result, TS}, D) -> +    case Result of +        ok -> D; +        {error,E} -> fmt("~n~s ~p Hostkey addition failed: ~p~n", [ts(TS),Pid,E], D); +        _ -> fmt("~n~s ~p Hostkey addition: ~p~n", [ts(TS),Pid,Result], D) +    end; + +msg_formater(_, {trace_ts,Pid,call,{ssh_auth,publickey_msg,[[SigAlg,#ssh{user=User}]]},TS}, D) -> +     fmt("~n~s ~p Client will try to login user ~p with public key algorithm ~p~n", [ts(TS),Pid,User,SigAlg], D); +msg_formater(_, {trace_ts,Pid,return_from,{ssh_auth,publickey_msg,1},{not_ok,#ssh{user=User}},TS}, D) -> +     fmt("~s ~p User ~p can't login with that kind of public key~n", [ts(TS),Pid,User], D); +msg_formater(_, {trace_ts,Pid,return_from,{ssh_auth,publickey_msg,1},{_,#ssh{user=User}},TS}, D) -> +     fmt("~s ~p User ~p logged in~n", [ts(TS),Pid,User], D); + +msg_formater(_, {trace_ts,Pid,call,{ssh_auth,password_msg,[[#ssh{user=User}]]},TS}, D) -> +     fmt("~n~s ~p Client will try to login user ~p with password~n", [ts(TS),Pid,User], D); +msg_formater(_, {trace_ts,Pid,return_from,{ssh_auth,password_msg,1},{not_ok,#ssh{user=User}},TS}, D) -> +     fmt("~s ~p User ~p can't login with password~n", [ts(TS),Pid,User], D); + +msg_formater(_, {trace_ts,Pid,call,{ssh_auth,keyboard_interactive_msg,[[#ssh{user=User}]]},TS}, D) -> +     fmt("~n~s ~p Client will try to login user ~p with password~n", [ts(TS),Pid,User], D); +msg_formater(_, {trace_ts,Pid,return_from,{ssh_auth,keyboard_interactive_msg,1},{not_ok,#ssh{user=User}},TS}, D) -> +     fmt("~s ~p User ~p can't login with keyboard_interactive password~n", [ts(TS),Pid,User], D); + +msg_formater(msg, {trace_ts,Pid,send,{tcp,Sock,Bytes},Pid,TS}, D) ->      fmt("~n~s ~p TCP SEND on ~p~n ~p~n", [ts(TS),Pid,Sock, shrink_bin(Bytes)], D); -msg_formater({trace_ts,Pid,send,{tcp,Sock,Bytes},Dest,TS}, D) -> +msg_formater(msg, {trace_ts,Pid,send,{tcp,Sock,Bytes},Dest,TS}, D) ->      fmt("~n~s ~p TCP SEND from ~p TO ~p~n ~p~n", [ts(TS),Pid,Sock,Dest, shrink_bin(Bytes)], D); -msg_formater({trace_ts,Pid,send,ErlangMsg,Dest,TS}, D) -> +msg_formater(msg, {trace_ts,Pid,send,ErlangMsg,Dest,TS}, D) ->      fmt("~n~s ~p ERL MSG SEND TO ~p~n ~p~n", [ts(TS),Pid,Dest, shrink_bin(ErlangMsg)], D); -msg_formater({trace_ts,Pid,'receive',{tcp,Sock,Bytes},TS}, D) -> +msg_formater(msg, {trace_ts,Pid,'receive',{tcp,Sock,Bytes},TS}, D) ->      fmt("~n~s ~p TCP RECEIVE on ~p~n ~p~n", [ts(TS),Pid,Sock,shrink_bin(Bytes)], D); -msg_formater({trace_ts,Pid,'receive',ErlangMsg,TS}, D) -> +msg_formater(msg, {trace_ts,Pid,'receive',ErlangMsg,TS}, D) ->      fmt("~n~s ~p ERL MSG RECEIVE~n ~p~n", [ts(TS),Pid,shrink_bin(ErlangMsg)], D); -msg_formater(M, D) -> -    fmt("~nDBG ~n~p~n", [shrink_bin(M)], D). +msg_formater(_, _M, D) -> +    fmt("~nDBG other ~n~p~n", [shrink_bin(_M)], D), +    D. -%% msg_formater(_, D) ->  -%%     D. - - -fmt(Fmt, Args,  D=#data{writer=Write,acc=Acc}) -> -    D#data{acc = Write(io_lib:format(Fmt, Args), Acc)}. +%%%---------------------------------------------------------------- +-record(data, {writer, +               initialized, +               acc}). + +fmt(Fmt, Args,  D=#data{initialized=false}) -> +    fmt(Fmt, Args, +        D#data{acc = (D#data.writer)("~s~n", [initial_info()], D#data.acc), +               initialized = true} +       ); +fmt(Fmt, Args,  D=#data{writer=Write, acc=Acc}) -> +    D#data{acc = Write(Fmt,Args,Acc)}.  ts({_,_,Usec}=Now) ->      {_Date,{HH,MM,SS}} = calendar:now_to_local_time(Now),      io_lib:format("~.2.0w:~.2.0w:~.2.0w.~.6.0w",[HH,MM,SS,Usec]);  ts(_) ->      "-". -%%%---------------------------------------------------------------- -setup_tracer(Write, MangleArg) -> + +setup_tracer(Type, WriteFun, MangleArgFun, Init) ->      Handler = fun(Arg, D) -> -		      msg_formater(MangleArg(Arg), D) +		      msg_formater(Type, MangleArgFun(Arg), D)  	      end, -    InitialData = #data{writer = Write}, +    InitialData = #data{writer = WriteFun, +                        initialized = false, +                        acc = Init},      {ok,_} = dbg:tracer(process, {Handler, InitialData}),      ok. + +initial_info() -> +    Lines = +        [ts(erlang:timestamp()), +         "", +         "SSH:"] +        ++ as_list_of_lines(case application:get_key(ssh,vsn) of +                                {ok,Vsn} -> Vsn; +                                _ -> "(ssh not started)" +                            end) +        ++ ["", +            "Cryptolib:"] +        ++ as_list_of_lines(crypto:info_lib()) +        ++ ["", +            "Crypto app:"] +        ++ as_list_of_lines(crypto:supports()), +    W = max_len(Lines), +    append_lines([line_of($*, W+4)] +                 ++ prepend_lines("* ", Lines) +                 ++ [line_of($-, W+4)], +                 io_lib:nl() +               ). +     +     +as_list_of_lines(Term) -> +    prepend_lines("  ", +                  string:tokens(lists:flatten(io_lib:format("~p",[Term])), +                                io_lib:nl()  % Get line endings in current OS +                               ) +                 ). + +line_of(Char,W) -> lists:duplicate(W,Char). +max_len(L) -> lists:max([length(S) || S<-L]). +append_lines(L, X)  -> [S++X || S<-L]. +prepend_lines(X, L) -> [X++S || S<-L]. +  %%%----------------------------------------------------------------  shrink_bin(B) when is_binary(B), size(B)>256 -> {'*** SHRINKED BIN',  						 size(B), @@ -160,6 +363,7 @@ shrink_bin(X) -> X.  ?wr_record(ssh_msg_kexdh_init);  ?wr_record(ssh_msg_kexdh_reply);  ?wr_record(ssh_msg_newkeys); +?wr_record(ssh_msg_ext_info);  ?wr_record(ssh_msg_kex_dh_gex_request);  ?wr_record(ssh_msg_kex_dh_gex_request_old);  ?wr_record(ssh_msg_kex_dh_gex_group); diff --git a/lib/ssh/src/ssh_file.erl b/lib/ssh/src/ssh_file.erl index 216f65f33a..33792da38f 100644 --- a/lib/ssh/src/ssh_file.erl +++ b/lib/ssh/src/ssh_file.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2005-2016. All Rights Reserved. +%% Copyright Ericsson AB 2005-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -75,17 +75,9 @@ host_key(Algorithm, Opts) ->      Password = proplists:get_value(identity_pass_phrase(Algorithm), Opts, ignore),      case decode(File, Password) of  	{ok,Key} -> -	    case {Key,Algorithm} of -		{#'RSAPrivateKey'{}, 'ssh-rsa'} -> {ok,Key}; -		{#'DSAPrivateKey'{}, 'ssh-dss'} -> {ok,Key}; -		{#'ECPrivateKey'{parameters = {namedCurve, ?'secp256r1'}}, 'ecdsa-sha2-nistp256'} -> {ok,Key}; -		{#'ECPrivateKey'{parameters = {namedCurve, ?'secp384r1'}}, 'ecdsa-sha2-nistp384'} -> {ok,Key}; -		{#'ECPrivateKey'{parameters = {namedCurve, ?'secp521r1'}}, 'ecdsa-sha2-nistp521'} -> {ok,Key}; -		_ ->  -		    {error,bad_keytype_in_file} -	    end; -	Other -> -	    Other +            check_key_type(Key, Algorithm); +	{error,DecodeError} -> +            {error,DecodeError}      end.  is_auth_key(Key, User,Opts) -> @@ -109,12 +101,25 @@ is_host_key(Key, PeerName, Algorithm, Opts) ->  user_key(Algorithm, Opts) ->      File = file_name(user, identity_key_filename(Algorithm), Opts),      Password = proplists:get_value(identity_pass_phrase(Algorithm), Opts, ignore), -    decode(File, Password). +    case decode(File, Password) of +        {ok, Key} -> +            check_key_type(Key, Algorithm); +        Error -> +            Error +    end.  %% Internal functions %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +check_key_type(Key, Algorithm) -> +    case ssh_transport:valid_key_sha_alg(Key,Algorithm) of +        true -> {ok,Key}; +        false -> {error,bad_keytype_in_file} +    end.  file_base_name('ssh-rsa'            ) -> "ssh_host_rsa_key"; +file_base_name('rsa-sha2-256'       ) -> "ssh_host_rsa_key"; +file_base_name('rsa-sha2-384'       ) -> "ssh_host_rsa_key"; +file_base_name('rsa-sha2-512'       ) -> "ssh_host_rsa_key";  file_base_name('ssh-dss'            ) -> "ssh_host_dsa_key";  file_base_name('ecdsa-sha2-nistp256') -> "ssh_host_ecdsa_key";  file_base_name('ecdsa-sha2-nistp384') -> "ssh_host_ecdsa_key"; @@ -192,8 +197,8 @@ lookup_user_key(Key, User, Opts) ->  ssh_dir({remoteuser, User}, Opts) ->      case proplists:get_value(user_dir_fun, Opts) of  	undefined -> -	    case proplists:get_value(user_dir, Opts) of -		undefined -> +	    case proplists:get_value(user_dir, Opts, false) of +		false ->  		    default_user_dir();  		Dir ->  		    Dir @@ -221,6 +226,8 @@ file_name(Type, Name, Opts) ->  %% in: "host" out: "host,1.2.3.4. +add_ip(IP) when is_tuple(IP) -> +    ssh_connection:encode_ip(IP);  add_ip(Host)                                                             ->      case inet:getaddr(Host, inet) of  	{ok, Addr} -> @@ -251,12 +258,18 @@ do_lookup_host_key(KeyToMatch, Host, Alg, Opts) ->  identity_key_filename('ssh-dss'            ) -> "id_dsa";  identity_key_filename('ssh-rsa'            ) -> "id_rsa"; +identity_key_filename('rsa-sha2-256'       ) -> "id_rsa"; +identity_key_filename('rsa-sha2-384'       ) -> "id_rsa"; +identity_key_filename('rsa-sha2-512'       ) -> "id_rsa";  identity_key_filename('ecdsa-sha2-nistp256') -> "id_ecdsa";  identity_key_filename('ecdsa-sha2-nistp384') -> "id_ecdsa";  identity_key_filename('ecdsa-sha2-nistp521') -> "id_ecdsa".  identity_pass_phrase("ssh-dss"       ) -> dsa_pass_phrase;  identity_pass_phrase("ssh-rsa"       ) -> rsa_pass_phrase; +identity_pass_phrase("rsa-sha2-256"  ) -> rsa_pass_phrase; +identity_pass_phrase("rsa-sha2-384"  ) -> rsa_pass_phrase; +identity_pass_phrase("rsa-sha2-512"  ) -> rsa_pass_phrase;  identity_pass_phrase("ecdsa-sha2-"++_) -> ecdsa_pass_phrase;  identity_pass_phrase(P) when is_atom(P) ->       identity_pass_phrase(atom_to_list(P)). diff --git a/lib/ssh/src/ssh_io.erl b/lib/ssh/src/ssh_io.erl index 1d8f370884..a7cd1daeec 100644 --- a/lib/ssh/src/ssh_io.erl +++ b/lib/ssh/src/ssh_io.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2005-2016. All Rights Reserved. +%% Copyright Ericsson AB 2005-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -27,24 +27,24 @@  -export([yes_no/2, read_password/2, read_line/2, format/2]).  -include("ssh.hrl"). -read_line(Prompt, Ssh) -> +read_line(Prompt, Opts) ->      format("~s", [listify(Prompt)]), -    proplists:get_value(user_pid, Ssh) ! {self(), question}, +    ?GET_INTERNAL_OPT(user_pid, Opts) ! {self(), question},      receive -	Answer when is_list(Answer) -> -	    Answer +	Answer when is_list(Answer) or is_binary(Answer) -> +	    unicode:characters_to_list(Answer)      end. -yes_no(Prompt, Ssh) -> +yes_no(Prompt, Opts) ->      format("~s [y/n]?", [Prompt]), -    proplists:get_value(user_pid, Ssh#ssh.opts) ! {self(), question}, +    ?GET_INTERNAL_OPT(user_pid, Opts) ! {self(), question},      receive  	%% I can't see that the atoms y and n are ever received, but it must  	%% be investigated before removing  	y -> yes;  	n -> no; -	Answer when is_list(Answer) -> +	Answer when is_list(Answer) or is_binary(Answer) ->  	    case trim(Answer) of  		"y" -> yes;  		"n" -> no; @@ -52,17 +52,15 @@ yes_no(Prompt, Ssh) ->  		"N" -> no;  		_ ->  		    format("please answer y or n\n",[]), -		    yes_no(Prompt, Ssh) +		    yes_no(Prompt, Opts)  	    end      end. - -read_password(Prompt, #ssh{opts=Opts}) -> read_password(Prompt, Opts); -read_password(Prompt, Opts) when is_list(Opts) -> +read_password(Prompt, Opts) ->      format("~s", [listify(Prompt)]), -    proplists:get_value(user_pid, Opts) ! {self(), user_password}, +    ?GET_INTERNAL_OPT(user_pid, Opts) ! {self(), user_password},      receive -	Answer when is_list(Answer) -> +	Answer when is_list(Answer) or is_binary(Answer) ->  	     case trim(Answer) of  		 "" ->  		     read_password(Prompt, Opts); diff --git a/lib/ssh/src/ssh_message.erl b/lib/ssh/src/ssh_message.erl index 562f040477..eb06f05a4a 100644 --- a/lib/ssh/src/ssh_message.erl +++ b/lib/ssh/src/ssh_message.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2013-2016. All Rights Reserved. +%% Copyright Ericsson AB 2013-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -215,6 +215,16 @@ encode(#ssh_msg_service_accept{  	 }) ->      <<?Ebyte(?SSH_MSG_SERVICE_ACCEPT), ?Estring_utf8(Service)>>; +encode(#ssh_msg_ext_info{ +          nr_extensions = N, +          data = Data +         }) -> +    lists:foldl(fun({ExtName,ExtVal}, Acc) -> +                        <<Acc/binary, ?Estring(ExtName), ?Estring(ExtVal)>> +                end, +                <<?Ebyte(?SSH_MSG_EXT_INFO), ?Euint32(N)>>, +                Data); +  encode(#ssh_msg_newkeys{}) ->      <<?Ebyte(?SSH_MSG_NEWKEYS)>>; @@ -242,12 +252,12 @@ encode(#ssh_msg_kexdh_init{e = E}) ->      <<?Ebyte(?SSH_MSG_KEXDH_INIT), ?Empint(E)>>;  encode(#ssh_msg_kexdh_reply{ -	  public_host_key = Key, +	  public_host_key = {Key,SigAlg},  	  f = F,  	  h_sig = Signature  	 }) ->      EncKey = public_key:ssh_encode(Key, ssh2_pubkey), -    EncSign = encode_signature(Key, Signature), +    EncSign = encode_signature(Key, SigAlg, Signature),      <<?Ebyte(?SSH_MSG_KEXDH_REPLY), ?Ebinary(EncKey), ?Empint(F), ?Ebinary(EncSign)>>;  encode(#ssh_msg_kex_dh_gex_request{ @@ -268,20 +278,20 @@ encode(#ssh_msg_kex_dh_gex_init{e = Public}) ->  encode(#ssh_msg_kex_dh_gex_reply{  	  %% Will be private key encode_host_key extracts only the public part! -	  public_host_key = Key, +	  public_host_key = {Key,SigAlg},  	  f = F,  	  h_sig = Signature  	 }) ->      EncKey = public_key:ssh_encode(Key, ssh2_pubkey), -    EncSign = encode_signature(Key, Signature), +    EncSign = encode_signature(Key, SigAlg, Signature),      <<?Ebyte(?SSH_MSG_KEX_DH_GEX_REPLY), ?Ebinary(EncKey), ?Empint(F), ?Ebinary(EncSign)>>;  encode(#ssh_msg_kex_ecdh_init{q_c = Q_c}) ->      <<?Ebyte(?SSH_MSG_KEX_ECDH_INIT), ?Empint(Q_c)>>; -encode(#ssh_msg_kex_ecdh_reply{public_host_key = Key, q_s = Q_s, h_sig = Sign}) -> +encode(#ssh_msg_kex_ecdh_reply{public_host_key = {Key,SigAlg}, q_s = Q_s, h_sig = Sign}) ->      EncKey = public_key:ssh_encode(Key, ssh2_pubkey), -    EncSign = encode_signature(Key, Sign), +    EncSign = encode_signature(Key, SigAlg, Sign),      <<?Ebyte(?SSH_MSG_KEX_ECDH_REPLY), ?Ebinary(EncKey), ?Empint(Q_s), ?Ebinary(EncSign)>>;  encode(#ssh_msg_ignore{data = Data}) -> @@ -435,6 +445,18 @@ decode(<<?BYTE(?SSH_MSG_USERAUTH_INFO_RESPONSE), ?UINT32(Num), Data/binary>>) ->         num_responses = Num,         data = Data}; +decode(<<?BYTE(?SSH_MSG_EXT_INFO), ?UINT32(N), BinData/binary>>) -> +    Data = bin_foldr( +             fun(Bin,Acc) when length(Acc) == N -> +                     {Bin,Acc}; +                (<<?DEC_BIN(V0,__0), ?DEC_BIN(V1,__1), Rest/binary>>, Acc) ->  +                     {Rest,[{binary_to_list(V0),binary_to_list(V1)}|Acc]} +             end, [], BinData), +    #ssh_msg_ext_info{ +       nr_extensions = N, +       data = Data +      }; +  %%% Keyexchange messages  decode(<<?BYTE(?SSH_MSG_KEXINIT), Cookie:128, Data/binary>>) ->      decode_kex_init(Data, [Cookie, ssh_msg_kexinit], 10); @@ -537,17 +559,28 @@ decode(<<?BYTE(?SSH_MSG_DEBUG), ?BYTE(Bool), ?DEC_BIN(Msg,__0), ?DEC_BIN(Lang,__  %%% Helper functions  %%% +bin_foldr(Fun, Acc, Bin) -> +    lists:reverse(bin_foldl(Fun, Acc, Bin)). + +bin_foldl(_, Acc, <<>>) -> Acc; +bin_foldl(Fun, Acc0, Bin0) -> +    {Bin,Acc} = Fun(Bin0,Acc0), +    bin_foldl(Fun, Acc, Bin). + +%%%----------------------------------------------------------------  decode_keyboard_interactive_prompts(<<>>, Acc) ->      lists:reverse(Acc);  decode_keyboard_interactive_prompts(<<?DEC_BIN(Prompt,__0), ?BYTE(Bool), Bin/binary>>,  				    Acc) ->      decode_keyboard_interactive_prompts(Bin, [{Prompt, erl_boolean(Bool)} | Acc]). +%%%----------------------------------------------------------------  erl_boolean(0) ->      false;  erl_boolean(1) ->      true. +%%%----------------------------------------------------------------  decode_kex_init(<<?BYTE(Bool), ?UINT32(X)>>, Acc, 0) ->      list_to_tuple(lists:reverse([X, erl_boolean(Bool) | Acc]));  decode_kex_init(<<?BYTE(Bool)>>, Acc, 0) -> @@ -565,15 +598,16 @@ decode_kex_init(<<?DEC_BIN(Data,__0), Rest/binary>>, Acc, N) ->  %%% Signature decode/encode  %%% -decode_signature(<<?DEC_BIN(_Alg,__0), ?UINT32(_), Signature/binary>>) -> -    Signature. +decode_signature(<<?DEC_BIN(Alg,__0), ?UINT32(_), Signature/binary>>) -> +    {binary_to_list(Alg), Signature}. -encode_signature(#'RSAPublicKey'{}, Signature) -> -    <<?Ebinary(<<"ssh-rsa">>), ?Ebinary(Signature)>>; -encode_signature({_, #'Dss-Parms'{}}, Signature) -> +encode_signature(#'RSAPublicKey'{}, SigAlg, Signature) -> +    SignName = list_to_binary(atom_to_list(SigAlg)), +    <<?Ebinary(SignName), ?Ebinary(Signature)>>; +encode_signature({_, #'Dss-Parms'{}}, _SigAlg, Signature) ->      <<?Ebinary(<<"ssh-dss">>), ?Ebinary(Signature)>>; -encode_signature({#'ECPoint'{}, {namedCurve,OID}}, Signature) -> +encode_signature({#'ECPoint'{}, {namedCurve,OID}}, _SigAlg, Signature) ->      CurveName = public_key:oid2ssh_curvename(OID),      <<?Ebinary(<<"ecdsa-sha2-",CurveName/binary>>), ?Ebinary(Signature)>>. diff --git a/lib/ssh/src/ssh_options.erl b/lib/ssh/src/ssh_options.erl new file mode 100644 index 0000000000..68c99743ee --- /dev/null +++ b/lib/ssh/src/ssh_options.erl @@ -0,0 +1,1030 @@ +%% +%% %CopyrightBegin% +%% +%% Copyright Ericsson AB 2004-2017. All Rights Reserved. +%% +%% Licensed under the Apache License, Version 2.0 (the "License"); +%% you may not use this file except in compliance with the License. +%% You may obtain a copy of the License at +%% +%%     http://www.apache.org/licenses/LICENSE-2.0 +%% +%% Unless required by applicable law or agreed to in writing, software +%% distributed under the License is distributed on an "AS IS" BASIS, +%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +%% See the License for the specific language governing permissions and +%% limitations under the License. +%% +%% %CopyrightEnd% +%% + +%% + +-module(ssh_options). + +-include("ssh.hrl"). +-include_lib("kernel/include/file.hrl"). + +-export([default/1, +         get_value/5,  get_value/6, +         put_value/5, +         delete_key/5, +         handle_options/2 +        ]). + +-export_type([options/0 +             ]). + +%%%================================================================ +%%% Types + +-type option_in() :: proplists:property() | proplists:proplist() . + +-type option_class() :: internal_options | socket_options | user_options .  + +-type option_declaration() :: #{class := user_options, +                                chk := fun((any) -> boolean() | {true,any()}), +                                default => any() +                               }. + +-type option_declarations() :: #{ {option_key(),def} := option_declaration() }. + +-type error() :: {error,{eoptions,any()}} . + +%%%================================================================ +%%% +%%% Get an option +%%% + +-spec get_value(option_class(), option_key(), options(), +                atom(), non_neg_integer()) -> any() | no_return(). + +get_value(Class, Key, Opts, _CallerMod, _CallerLine) when is_map(Opts) -> +    case Class of +        internal_options -> maps:get(Key, maps:get(internal_options,Opts)); +        socket_options   -> proplists:get_value(Key, maps:get(socket_options,Opts)); +        user_options     -> maps:get(Key, Opts) +    end; +get_value(Class, Key, Opts, _CallerMod, _CallerLine) -> +    error({bad_options,Class, Key, Opts, _CallerMod, _CallerLine}). + + +-spec get_value(option_class(), option_key(), options(), fun(() -> any()), +                atom(), non_neg_integer()) -> any() | no_return(). + +get_value(socket_options, Key, Opts, DefFun, _CallerMod, _CallerLine) when is_map(Opts) -> +    proplists:get_value(Key, maps:get(socket_options,Opts), DefFun); +get_value(Class, Key, Opts, DefFun, CallerMod, CallerLine) when is_map(Opts) -> +    try get_value(Class, Key, Opts, CallerMod, CallerLine) +    of +        undefined -> DefFun(); +        Value -> Value +    catch +        error:{badkey,Key} -> DefFun() +    end; +get_value(Class, Key, Opts, _DefFun, _CallerMod, _CallerLine) -> +    error({bad_options,Class, Key, Opts, _CallerMod, _CallerLine}). + + +%%%================================================================ +%%% +%%% Put an option +%%% + +-spec put_value(option_class(), option_in(), options(), +                atom(), non_neg_integer()) -> options(). + +put_value(user_options, KeyVal, Opts, _CallerMod, _CallerLine) when is_map(Opts) -> +    put_user_value(KeyVal, Opts); + +put_value(internal_options, KeyVal, Opts, _CallerMod, _CallerLine) when is_map(Opts) -> +    InternalOpts = maps:get(internal_options,Opts), +    Opts#{internal_options := put_internal_value(KeyVal, InternalOpts)}; + +put_value(socket_options, KeyVal, Opts, _CallerMod, _CallerLine) when is_map(Opts) -> +    SocketOpts = maps:get(socket_options,Opts), +    Opts#{socket_options := put_socket_value(KeyVal, SocketOpts)}. + + +%%%---------------- +put_user_value(L, Opts) when is_list(L) -> +    lists:foldl(fun put_user_value/2, Opts, L); +put_user_value({Key,Value}, Opts) -> +    Opts#{Key := Value}. +     +%%%---------------- +put_internal_value(L, IntOpts) when is_list(L) -> +    lists:foldl(fun put_internal_value/2, IntOpts, L); +put_internal_value({Key,Value}, IntOpts) -> +    IntOpts#{Key => Value}. + +%%%---------------- +put_socket_value(L, SockOpts) when is_list(L) -> +    L ++ SockOpts; +put_socket_value({Key,Value}, SockOpts) -> +    [{Key,Value} | SockOpts]; +put_socket_value(A, SockOpts) when is_atom(A) -> +    [A | SockOpts]. + +%%%================================================================ +%%% +%%% Delete an option +%%% + +-spec delete_key(option_class(), option_key(), options(), +                 atom(), non_neg_integer()) -> options(). + +delete_key(internal_options, Key, Opts, _CallerMod, _CallerLine) when is_map(Opts) -> +    InternalOpts = maps:get(internal_options,Opts), +    Opts#{internal_options := maps:remove(Key, InternalOpts)}. +         + +%%%================================================================ +%%% +%%% Initialize the options +%%% + +-spec handle_options(role(), proplists:proplist()) -> options() | error() . + +-spec handle_options(role(), proplists:proplist(), options()) -> options() | error() . + +handle_options(Role, PropList0) -> +    handle_options(Role, PropList0, #{socket_options   => [], +                                      internal_options => #{}, +                                      user_options     => [] +                                     }). + +handle_options(Role, PropList0, Opts0) when is_map(Opts0), +                                             is_list(PropList0) -> +    PropList1 = proplists:unfold(PropList0),  +    try +        OptionDefinitions = default(Role), +        InitialMap = +            maps:fold( +              fun({K,def}, #{default:=V}, M) -> M#{K=>V}; +                 (_,_,M) -> M +              end, +              Opts0#{user_options =>  +                         maps:get(user_options,Opts0) ++ PropList1 +                   }, +              OptionDefinitions), +        %% Enter the user's values into the map; unknown keys are +        %% treated as socket options +        final_preferred_algorithms( +          lists:foldl(fun(KV, Vals) -> +                              save(KV, OptionDefinitions, Vals) +                      end, InitialMap, PropList1)) +    catch +        error:{eoptions, KV, undefined} ->  +            {error, {eoptions,KV}}; + +        error:{eoptions, KV, Txt} when is_list(Txt) ->  +            {error, {eoptions,{KV,lists:flatten(Txt)}}}; + +        error:{eoptions, KV, Extra} -> +            {error, {eoptions,{KV,Extra}}} +    end. + + +check_fun(Key, Defs) -> +    #{chk := Fun} = maps:get({Key,def}, Defs), +    Fun. + +%%%================================================================ +%%% +%%% Check and save one option +%%% + + +%%% First some prohibited inet options: +save({K,V}, _, _) when K == reuseaddr ; +                       K == active +                       -> +    forbidden_option(K, V); + +%%% then compatibility conversions: +save({allow_user_interaction,V}, Opts, Vals) -> +    save({user_interaction,V}, Opts, Vals); + +%% Special case for socket options 'inet' and 'inet6' +save(Inet, Defs, OptMap) when Inet==inet ; Inet==inet6 -> +    save({inet,Inet}, Defs, OptMap); + +%% Two clauses to prepare for a proplists:unfold +save({Inet,true}, Defs, OptMap) when Inet==inet ; Inet==inet6 ->  save({inet,Inet}, Defs, OptMap); +save({Inet,false}, _Defs, OptMap) when Inet==inet ; Inet==inet6 -> OptMap; + +%% and finaly the 'real stuff': +save({Key,Value}, Defs, OptMap) when is_map(OptMap) -> +    try (check_fun(Key,Defs))(Value) +    of +        true -> +            OptMap#{Key := Value}; +        {true, ModifiedValue} -> +            OptMap#{Key := ModifiedValue}; +        false -> +            error({eoptions, {Key,Value}, "Bad value"}) +    catch +        %% An unknown Key (= not in the definition map) is +        %% regarded as an inet option: +        error:{badkey,{inet,def}} -> +            %% atomic (= non-tuple) options 'inet' and 'inet6': +            OptMap#{socket_options := [Value | maps:get(socket_options,OptMap)]}; +        error:{badkey,{Key,def}} -> +            OptMap#{socket_options := [{Key,Value} | maps:get(socket_options,OptMap)]}; + +        %% But a Key that is known but the value does not validate +        %% by the check fun will give an error exception: +        error:{check,{BadValue,Extra}} -> +            error({eoptions, {Key,BadValue}, Extra}) +    end; +save(Opt, _Defs, OptMap) when is_map(OptMap) -> +    OptMap#{socket_options := [Opt | maps:get(socket_options,OptMap)]}. + + +%%%================================================================ +%%% +%%% Default options +%%% + +-spec default(role() | common) -> option_declarations() . + +default(server) -> +    (default(common)) +        #{ +      {subsystems, def} => +          #{default => [ssh_sftpd:subsystem_spec([])], +            chk => fun(L) -> +                           is_list(L) andalso +                               lists:all(fun({Name,{CB,Args}}) -> +                                                 check_string(Name) andalso +                                                     is_atom(CB) andalso +                                                     is_list(Args); +                                            (_) -> +                                                 false +                                         end, L) +                   end, +            class => user_options +           }, + +      {shell, def} => +          #{default => {shell, start, []}, +            chk => fun({M,F,A}) -> is_atom(M) andalso is_atom(F) andalso is_list(A); +                      (V) -> check_function1(V) orelse check_function2(V) +                   end, +            class => user_options +           }, + +      {exec, def} =>                 % FIXME: need some archeology.... +          #{default => undefined, +            chk => fun({M,F,_}) -> is_atom(M) andalso is_atom(F); +                      (V) -> is_function(V) +                   end, +            class => user_options +           }, + +      {ssh_cli, def} => +          #{default => undefined, +            chk => fun({Cb, As}) -> is_atom(Cb) andalso is_list(As); +                      (V) -> V == no_cli +                   end, +            class => user_options +           }, + +      {system_dir, def} => +          #{default => "/etc/ssh", +            chk => fun(V) -> check_string(V) andalso check_dir(V) end, +            class => user_options +           }, + +      {auth_method_kb_interactive_data, def} => +          #{default => undefined, % Default value can be constructed when User is known +            chk => fun({S1,S2,S3,B}) -> +                           check_string(S1) andalso +                               check_string(S2) andalso +                               check_string(S3) andalso +                               is_boolean(B); +                      (F) -> +                           check_function3(F) +                   end, +            class => user_options +           }, + +      {user_passwords, def} => +          #{default => [], +            chk => fun(V) -> +                           is_list(V) andalso +                               lists:all(fun({S1,S2}) -> +                                                 check_string(S1) andalso  +                                                     check_string(S2)    +                                         end, V) +                   end, +            class => user_options +           }, + +      {password, def} => +          #{default => undefined, +            chk => fun check_string/1, +            class => user_options +           }, + +      {dh_gex_groups, def} => +          #{default => undefined, +            chk => fun check_dh_gex_groups/1, +            class => user_options +           }, + +      {dh_gex_limits, def} => +          #{default => {0, infinity}, +            chk => fun({I1,I2}) -> +                           check_pos_integer(I1) andalso +                               check_pos_integer(I2) andalso +                               I1 < I2; +                      (_) -> +                           false +                   end, +            class => user_options +           }, + +      {pwdfun, def} => +          #{default => undefined, +            chk => fun(V) -> check_function4(V) orelse check_function2(V) end, +            class => user_options +           }, + +      {negotiation_timeout, def} => +          #{default => 2*60*1000, +            chk => fun check_timeout/1, +            class => user_options +           }, + +      {max_sessions, def} => +          #{default => infinity, +            chk => fun check_pos_integer/1, +            class => user_options +           }, + +      {max_channels, def} => +          #{default => infinity, +            chk => fun check_pos_integer/1, +            class => user_options +           }, + +      {parallel_login, def} => +          #{default => false, +            chk => fun erlang:is_boolean/1, +            class => user_options +           }, + +      {minimal_remote_max_packet_size, def} => +          #{default => 0, +            chk => fun check_pos_integer/1, +            class => user_options +           }, + +      {failfun, def} => +          #{default => fun(_,_,_) -> void end, +            chk => fun(V) -> check_function3(V) orelse +                                 check_function2(V) % Backwards compatibility +                   end, +            class => user_options +           }, + +      {connectfun, def} => +          #{default => fun(_,_,_) -> void end, +            chk => fun check_function3/1, +            class => user_options +           }, + +%%%%% Undocumented +      {infofun, def} => +          #{default => fun(_,_,_) -> void end, +            chk => fun(V) -> check_function3(V) orelse +                                 check_function2(V) % Backwards compatibility +                   end, +            class => user_options +           } +     }; + +default(client) -> +    (default(common)) +        #{ +      {dsa_pass_phrase, def} => +          #{default => undefined, +            chk => fun check_string/1, +            class => user_options +           }, + +      {rsa_pass_phrase, def} => +          #{default => undefined, +            chk => fun check_string/1, +            class => user_options +           }, + +      {ecdsa_pass_phrase, def} => +          #{default => undefined, +            chk => fun check_string/1, +            class => user_options +           }, + +      {silently_accept_hosts, def} => +          #{default => false, +            chk => fun check_silently_accept_hosts/1, +            class => user_options +           }, + +      {user_interaction, def} => +          #{default => true, +            chk => fun erlang:is_boolean/1, +            class => user_options +           }, + +      {pref_public_key_algs, def} => +          #{default => ssh_transport:default_algorithms(public_key), +            chk => fun check_pref_public_key_algs/1, +            class => user_options +           }, + +      {dh_gex_limits, def} => +          #{default => {1024, 6144, 8192},      % FIXME: Is this true nowadays? +            chk => fun({Min,I,Max}) -> +                           lists:all(fun check_pos_integer/1, +                                     [Min,I,Max]); +                      (_) -> false +                   end, +            class => user_options +           }, + +      {connect_timeout, def} => +          #{default => infinity, +            chk => fun check_timeout/1, +            class => user_options +           }, + +      {user, def} => +          #{default =>  +                begin +                    Env = case os:type() of +                              {win32, _} -> "USERNAME"; +                              {unix, _} -> "LOGNAME" +                          end, +                    case os:getenv(Env) of +                        false -> +                            case os:getenv("USER") of +                                false -> undefined; +                                User -> User +                            end; +                        User -> +                            User +                    end +                end, +            chk => fun check_string/1, +            class => user_options +           }, + +      {password, def} => +          #{default => undefined, +            chk => fun check_string/1, +            class => user_options +           }, + +      {quiet_mode, def} => +          #{default => false, +            chk => fun erlang:is_boolean/1, +            class => user_options +           }, + +%%%%% Undocumented +      {keyboard_interact_fun, def} => +          #{default => undefined, +            chk => fun check_function3/1, +            class => user_options +           } +     }; + +default(common) -> +    #{ +       {user_dir, def} => +           #{default => false, % FIXME: TBD ~/.ssh at time of call when user is known +             chk => fun(V) -> check_string(V) andalso check_dir(V) end, +             class => user_options +            }, + +       {preferred_algorithms, def} => +           #{default => ssh:default_algorithms(), +             chk => fun check_preferred_algorithms/1, +             class => user_options +            }, + +       %% NOTE: This option is supposed to be used only in this very module (?MODULE). There is +       %% a final stage in handle_options that "merges" the preferred_algorithms option and this one. +       %% The preferred_algorithms is the one to use in the rest of the ssh application! +       {modify_algorithms, def} => +           #{default => undefined, % signals error if unsupported algo in preferred_algorithms :( +             chk => fun check_modify_algorithms/1, +             class => user_options +            }, + +       {id_string, def} =>  +           #{default => undefined, % FIXME: see ssh_transport:ssh_vsn/0 +             chk => fun(random) ->  +                            {true, {random,2,5}}; % 2 - 5 random characters +                       ({random,I1,I2}) ->  +                            %% Undocumented +                            check_pos_integer(I1) andalso +                                check_pos_integer(I2) andalso +                                I1=<I2; +                       (V) -> +                            check_string(V) +                    end, +             class => user_options +            }, + +       {key_cb, def} => +           #{default => {ssh_file, []}, +             chk => fun({Mod,Opts}) -> is_atom(Mod) andalso is_list(Opts); +                       (Mod) when is_atom(Mod) -> {true, {Mod,[]}}; +                       (_) -> false +                    end, +             class => user_options +            }, + +       {profile, def} => +           #{default => ?DEFAULT_PROFILE, +             chk => fun erlang:is_atom/1, +             class => user_options +            }, + +      {idle_time, def} => +          #{default => infinity, +            chk => fun check_timeout/1, +            class => user_options +           }, + +       %% This is a "SocketOption"... +       %% {fd, def} => +       %%     #{default => undefined, +       %%       chk => fun erlang:is_integer/1, +       %%       class => user_options +       %%      }, + +       {disconnectfun, def} => +           #{default => fun(_) -> void end, +             chk => fun check_function1/1, +             class => user_options +            }, + +       {unexpectedfun, def} =>  +           #{default => fun(_,_) -> report end, +             chk => fun check_function2/1, +             class => user_options +            }, + +       {ssh_msg_debug_fun, def} => +           #{default => fun(_,_,_,_) -> void end, +             chk => fun check_function4/1, +             class => user_options +            }, + +      {rekey_limit, def} =>                     % FIXME: Why not common? +          #{default => 1024000000, +            chk => fun check_non_neg_integer/1, +            class => user_options +           }, + +      {auth_methods, def} => +          #{default => ?SUPPORTED_AUTH_METHODS, +            chk => fun(As) -> +                           try +                               Sup = string:tokens(?SUPPORTED_AUTH_METHODS, ","), +                               New = string:tokens(As, ","), +                               [] == [X || X <- New, +                                           not lists:member(X,Sup)] +                           catch +                               _:_ -> false +                           end +                   end, +            class => user_options +           }, + +%%%%% Undocumented +       {transport, def} => +           #{default => ?DEFAULT_TRANSPORT, +             chk => fun({A,B,C}) -> +                            is_atom(A) andalso is_atom(B) andalso is_atom(C) +                    end, +             class => user_options +            }, + +       {vsn, def} => +           #{default => {2,0}, +             chk => fun({Maj,Min}) -> check_non_neg_integer(Maj) andalso check_non_neg_integer(Min); +                       (_) -> false +                    end, +             class => user_options +            }, +     +       {tstflg, def} => +           #{default => [], +             chk => fun erlang:is_list/1, +             class => user_options +            }, + +       {user_dir_fun, def} => +           #{default => undefined, +             chk => fun check_function1/1, +             class => user_options +            }, + +       {max_random_length_padding, def} => +           #{default => ?MAX_RND_PADDING_LEN, +             chk => fun check_non_neg_integer/1, +             class => user_options +            }, + +       {send_ext_info, def} => +           #{default => true, +             chk => fun erlang:is_boolean/1, +             class => user_options +            }, + +       {recv_ext_info, def} => +           #{default => true, +             chk => fun erlang:is_boolean/1, +             class => user_options +            } +     }. + + +%%%================================================================ +%%%================================================================ +%%%================================================================ + +%%% +%%% check_*/1 -> true | false | error({check,Spec}) +%%% See error_in_check/2,3 +%%% + +%%% error_in_check(BadValue) -> error_in_check(BadValue, undefined). + +error_in_check(BadValue, Extra) -> error({check,{BadValue,Extra}}). + + +%%%---------------------------------------------------------------- +check_timeout(infinity) -> true; +check_timeout(I) -> check_pos_integer(I). + +%%%---------------------------------------------------------------- +check_pos_integer(I) -> is_integer(I) andalso I>0. + +%%%---------------------------------------------------------------- +check_non_neg_integer(I) -> is_integer(I) andalso I>=0. + +%%%---------------------------------------------------------------- +check_function1(F) -> is_function(F,1). +check_function2(F) -> is_function(F,2). +check_function3(F) -> is_function(F,3). +check_function4(F) -> is_function(F,4). +      +%%%---------------------------------------------------------------- +check_pref_public_key_algs(V) ->  +    %% Get the dynamically supported keys, that is, thoose +    %% that are stored +    PKs = ssh_transport:supported_algorithms(public_key), +    CHK = fun(A, Ack) -> +                  case lists:member(A, PKs) of +                      true ->  +                          case lists:member(A,Ack) of +                              false -> [A|Ack]; +                              true -> Ack       % Remove duplicates +                          end; +                      false -> error_in_check(A, "Not supported public key") +                  end +          end, +    case lists:foldr( +          fun(ssh_dsa, Ack) -> CHK('ssh-dss', Ack); % compatibility +             (ssh_rsa, Ack) -> CHK('ssh-rsa', Ack); % compatibility +             (X, Ack) -> CHK(X, Ack) +          end, [], V) +    of +        V -> true; +        [] -> false; +        V1 -> {true,V1} +    end. + + +%%%---------------------------------------------------------------- +%% Check that it is a directory and is readable +check_dir(Dir) ->  +    case file:read_file_info(Dir) of +	{ok, #file_info{type = directory, +			access = Access}} -> +	    case Access of +		read -> true; +		read_write -> true; +		_ -> error_in_check(Dir, eacces) +	    end; + +	{ok, #file_info{}}-> +            error_in_check(Dir, enotdir); + +	{error, Error} -> +            error_in_check(Dir, Error) +    end. + +%%%---------------------------------------------------------------- +check_string(S) -> is_list(S).                  % FIXME: stub +                 +%%%---------------------------------------------------------------- +check_dh_gex_groups({file,File}) when is_list(File) -> +    case file:consult(File) of +        {ok, GroupDefs} -> +            check_dh_gex_groups(GroupDefs); +        {error, Error} -> +            error_in_check({file,File},Error) +    end; + +check_dh_gex_groups({ssh_moduli_file,File})  when is_list(File) -> +    case file:open(File,[read]) of +        {ok,D} -> +            try +                read_moduli_file(D, 1, []) +            of +                {ok,Moduli} -> +                    check_dh_gex_groups(Moduli); +                {error,Error} -> +                    error_in_check({ssh_moduli_file,File}, Error) +            catch +                _:_ -> +                    error_in_check({ssh_moduli_file,File}, "Bad format in file "++File) +            after +                file:close(D) +            end; + +        {error, Error} -> +            error_in_check({ssh_moduli_file,File}, Error) +    end; + +check_dh_gex_groups(L0) when is_list(L0), is_tuple(hd(L0)) -> +    {true, +     collect_per_size( +       lists:foldl( +	 fun({N,G,P}, Acc) when is_integer(N),N>0, +				is_integer(G),G>0, +				is_integer(P),P>0 -> +		 [{N,{G,P}} | Acc]; +	    ({N,{G,P}}, Acc) when is_integer(N),N>0, +				  is_integer(G),G>0, +				  is_integer(P),P>0 -> +		 [{N,{G,P}} | Acc]; +	    ({N,GPs}, Acc) when is_list(GPs) -> +		 lists:foldr(fun({Gi,Pi}, Acci) when is_integer(Gi),Gi>0, +						     is_integer(Pi),Pi>0 -> +				     [{N,{Gi,Pi}} | Acci] +			     end, Acc, GPs) +	 end, [], L0))}; + +check_dh_gex_groups(_) -> +    false. + + + +collect_per_size(L) -> +    lists:foldr( +      fun({Sz,GP}, [{Sz,GPs}|Acc]) -> [{Sz,[GP|GPs]}|Acc]; +	 ({Sz,GP}, Acc) -> [{Sz,[GP]}|Acc] +      end, [], lists:sort(L)). + +read_moduli_file(D, I, Acc) -> +    case io:get_line(D,"") of +	{error,Error} -> +	    {error,Error}; +	eof -> +	    {ok, Acc}; +	"#" ++ _ -> read_moduli_file(D, I+1, Acc); +	<<"#",_/binary>> ->  read_moduli_file(D, I+1, Acc); +	Data -> +	    Line = if is_binary(Data) -> binary_to_list(Data); +		      is_list(Data) -> Data +		   end, +	    try +		[_Time,_Class,_Tests,_Tries,Size,G,P] = string:tokens(Line," \r\n"), +		M = {list_to_integer(Size), +		     {list_to_integer(G), list_to_integer(P,16)} +		    }, +		read_moduli_file(D, I+1, [M|Acc]) +	    catch +		_:_ -> +		    read_moduli_file(D, I+1, Acc) +	    end +    end. + +%%%---------------------------------------------------------------- +-define(SHAs, [md5, sha, sha224, sha256, sha384, sha512]). + +check_silently_accept_hosts(B) when is_boolean(B) -> true; +check_silently_accept_hosts(F) when is_function(F,2) -> true; +check_silently_accept_hosts({false,S}) when is_atom(S) -> valid_hash(S); +check_silently_accept_hosts({S,F}) when is_function(F,2) -> valid_hash(S); +check_silently_accept_hosts(_) -> false. + + +valid_hash(S) -> valid_hash(S, proplists:get_value(hashs,crypto:supports())). + +valid_hash(S, Ss) when is_atom(S) -> lists:member(S, ?SHAs) andalso lists:member(S, Ss); +valid_hash(L, Ss) when is_list(L) -> lists:all(fun(S) -> valid_hash(S,Ss) end, L); +valid_hash(X,  _) -> error_in_check(X, "Expect atom or list in fingerprint spec"). + +%%%---------------------------------------------------------------- +check_modify_algorithms(M) when is_list(M) -> +    [error_in_check(Op_KVs, "Bad modify_algorithms") +     || Op_KVs <- M, +        not is_tuple(Op_KVs) +            orelse (size(Op_KVs) =/= 2) +            orelse (not lists:member(element(1,Op_KVs), [append,prepend,rm]))], +    {true, [{Op,normalize_mod_algs(KVs,false)} || {Op,KVs} <- M]}; +check_modify_algorithms(_) -> +    error_in_check(modify_algorithms, "Bad option value. List expected."). + + + + +normalize_mod_algs(KVs, UseDefaultAlgs) -> +    normalize_mod_algs(ssh_transport:algo_classes(), KVs, [], UseDefaultAlgs). + +normalize_mod_algs([K|Ks], KVs0, Acc, UseDefaultAlgs) -> +    %% Pick the expected keys in order and check if they are in the user's list +    {Vs1, KVs} = +        case lists:keytake(K, 1, KVs0) of +            {value, {K,Vs0}, KVs1} -> +                {Vs0, KVs1}; +            false -> +                {[], KVs0} +        end, +    Vs = normalize_mod_alg_list(K, Vs1, UseDefaultAlgs), +    normalize_mod_algs(Ks, KVs, [{K,Vs} | Acc], UseDefaultAlgs); +normalize_mod_algs([], [], Acc, _) -> +    %% No values left in the key-value list after removing the expected entries +    %% (thats good) +    lists:reverse(Acc); +normalize_mod_algs([], [{K,_}|_], _, _) -> +    %% Some values left in the key-value list after removing the expected entries +    %% (thats bad) +    case ssh_transport:algo_class(K) of +        true -> error_in_check(K, "Duplicate key"); +        false -> error_in_check(K, "Unknown key") +    end; +normalize_mod_algs([], [X|_], _, _) -> +    error_in_check(X, "Bad list element"). + + + +%%% Handle the algorithms list +normalize_mod_alg_list(K, Vs, UseDefaultAlgs) -> +    normalize_mod_alg_list(K, +                           ssh_transport:algo_two_spec_class(K), +                           Vs, +                           def_alg(K,UseDefaultAlgs)). + + +normalize_mod_alg_list(_K, _, [], Default) -> +    Default; + +normalize_mod_alg_list(K, true, [{client2server,L1}], [_,{server2client,L2}]) ->  +    [nml1(K,{client2server,L1}), +     {server2client,L2}]; + +normalize_mod_alg_list(K, true, [{server2client,L2}], [{client2server,L1},_]) ->  +    [{client2server,L1}, +     nml1(K,{server2client,L2})]; + +normalize_mod_alg_list(K, true, [{server2client,L2},{client2server,L1}], _) ->  +    [nml1(K,{client2server,L1}), +     nml1(K,{server2client,L2})]; + +normalize_mod_alg_list(K, true, [{client2server,L1},{server2client,L2}], _) ->  +    [nml1(K,{client2server,L1}), +     nml1(K,{server2client,L2})]; + +normalize_mod_alg_list(K, true, L0, _) -> +    L = nml(K,L0), % Throws errors +    [{client2server,L}, +     {server2client,L}]; + +normalize_mod_alg_list(K, false, L, _) -> +    nml(K,L). + + +nml1(K, {T,V}) when T==client2server ; T==server2client -> +    {T, nml({K,T}, V)}. + +nml(K, L) ->  +    [error_in_check(K, "Bad value for this key") % This is a throw +     || V <- L,   +        not is_atom(V) +    ], +    case L -- lists:usort(L) of +        [] -> ok; +        Dups -> error_in_check({K,Dups}, "Duplicates") % This is a throw +    end, +    L. + + +def_alg(K, false) -> +    case ssh_transport:algo_two_spec_class(K) of +        false -> []; +        true ->  [{client2server,[]}, {server2client,[]}] +    end; +def_alg(K, true) -> +    ssh_transport:default_algorithms(K). + +               + +check_preferred_algorithms(Algs) when is_list(Algs) -> +    check_input_ok(Algs), +    {true, normalize_mod_algs(Algs, true)}; + +check_preferred_algorithms(_) -> +    error_in_check(modify_algorithms, "Bad option value. List expected."). + + +check_input_ok(Algs) -> +    [error_in_check(KVs, "Bad preferred_algorithms") +     || KVs <- Algs, +        not is_tuple(KVs) +            orelse (size(KVs) =/= 2)]. + +%%%---------------------------------------------------------------- +final_preferred_algorithms(Options) -> +    Result = +        case ?GET_OPT(modify_algorithms, Options) of +            undefined -> +                rm_non_supported(true, +                                 ?GET_OPT(preferred_algorithms, Options)); +            ModAlgs -> +                rm_non_supported(false, +                                 eval_ops(?GET_OPT(preferred_algorithms, Options), +                                          ModAlgs)) +        end, +    error_if_empty(Result), % Throws errors if any value list is empty +    ?PUT_OPT({preferred_algorithms,Result}, Options). +     +eval_ops(PrefAlgs, ModAlgs) -> +    lists:foldl(fun eval_op/2, PrefAlgs, ModAlgs). + +eval_op({Op,AlgKVs}, PrefAlgs) -> +    eval_op(Op, AlgKVs, PrefAlgs, []). + +eval_op(Op, [{C,L1}|T1], [{C,L2}|T2], Acc) ->  +    eval_op(Op, T1, T2, [{C,eval_op(Op,L1,L2,[])} | Acc]); + +eval_op(_,        [],   [], Acc) -> lists:reverse(Acc); +eval_op(rm,      Opt, Pref,  []) when is_list(Opt), is_list(Pref) -> Pref -- Opt; +eval_op(append,  Opt, Pref,  []) when is_list(Opt), is_list(Pref) -> (Pref--Opt) ++ Opt; +eval_op(prepend, Opt, Pref,  []) when is_list(Opt), is_list(Pref) -> Opt ++ (Pref--Opt). + + +rm_non_supported(UnsupIsErrorFlg, KVs) -> +    [{K,rmns(K,Vs, UnsupIsErrorFlg)} || {K,Vs} <- KVs]. + +rmns(K, Vs, UnsupIsErrorFlg) -> +    case ssh_transport:algo_two_spec_class(K) of +        false -> +            rm_unsup(Vs, ssh_transport:supported_algorithms(K), UnsupIsErrorFlg, K); +        true -> +            [{C, rm_unsup(Vsx, Sup, UnsupIsErrorFlg, {K,C})}  +             || {{C,Vsx},{C,Sup}} <- lists:zip(Vs,ssh_transport:supported_algorithms(K)) +            ] +    end. + +rm_unsup(A, B, Flg, ErrInf) -> +    case A--B of +        Unsup=[_|_] when Flg==true -> error({eoptions, +                                             {preferred_algorithms,{ErrInf,Unsup}}, +                                             "Unsupported value(s) found" +                                            }); +        Unsup -> A -- Unsup +    end. + +             +error_if_empty([{K,[]}|_]) -> +    error({eoptions, K, "Empty resulting algorithm list"}); +error_if_empty([{K,[{client2server,[]}, {server2client,[]}]}]) -> +    error({eoptions, K, "Empty resulting algorithm list"}); +error_if_empty([{K,[{client2server,[]}|_]} | _]) -> +    error({eoptions, {K,client2server}, "Empty resulting algorithm list"}); +error_if_empty([{K,[_,{server2client,[]}|_]} | _]) -> +    error({eoptions, {K,server2client}, "Empty resulting algorithm list"}); +error_if_empty([_|T]) -> +    error_if_empty(T); +error_if_empty([]) -> +    ok. + +%%%---------------------------------------------------------------- +forbidden_option(K,V) -> +    Txt = io_lib:format("The option '~s' is used internally. The " +                        "user is not allowed to specify this option.", +                        [K]), +    error({eoptions, {K,V}, Txt}). + +%%%---------------------------------------------------------------- diff --git a/lib/ssh/src/ssh_sftp.erl b/lib/ssh/src/ssh_sftp.erl index afc2fb88ff..9e1229dc85 100644 --- a/lib/ssh/src/ssh_sftp.erl +++ b/lib/ssh/src/ssh_sftp.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2005-2016. All Rights Reserved. +%% Copyright Ericsson AB 2005-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -37,7 +37,7 @@  -export([open/3, open_tar/3, opendir/2, close/2, readdir/2, pread/4, read/3,           open/4, open_tar/4, opendir/3, close/3, readdir/3, pread/5, read/4,  	 apread/4, aread/3, pwrite/4, write/3, apwrite/4, awrite/3, -	 pwrite/5, write/4,  +	 pwrite/5, write/4,  	 position/3, real_path/2, read_file_info/2, get_file_info/2,  	 position/4, real_path/3, read_file_info/3, get_file_info/3,  	 write_file_info/3, read_link_info/2, read_link/2, make_symlink/3, @@ -52,7 +52,7 @@  %% TODO: Should be placed elsewhere ssh_sftpd should not call functions in ssh_sftp!  -export([info_to_attr/1, attr_to_info/1]). --record(state,  +-record(state,  	{  	  xf,  	  rep_buf = <<>>, @@ -64,7 +64,7 @@  -record(fileinf,  	{ -	  handle,  +	  handle,  	  offset,  	  size,  	  mode @@ -81,7 +81,7 @@  	  enc_text_buf = <<>>,	 % Encrypted text  	  plain_text_buf = <<>>	 % Decrypted text  	}). -	   +  -define(FILEOP_TIMEOUT, infinity).  -define(NEXT_REQID(S), @@ -98,20 +98,16 @@ start_channel(Cm) when is_pid(Cm) ->  start_channel(Socket) when is_port(Socket) ->      start_channel(Socket, []);  start_channel(Host) when is_list(Host) -> -    start_channel(Host, []).					  - -start_channel(Socket, Options) when is_port(Socket) -> -    Timeout = -	%% A mixture of ssh:connect and ssh_sftp:start_channel: -	case proplists:get_value(connect_timeout, Options, undefined) of -	    undefined -> -		proplists:get_value(timeout, Options, infinity); -	    TO -> -		TO -	end, -    case ssh:connect(Socket, Options, Timeout) of -	{ok,Cm} ->  -	    case start_channel(Cm, Options) of +    start_channel(Host, []). + +start_channel(Socket, UserOptions) when is_port(Socket) -> +    {SshOpts, _ChanOpts, SftpOpts} = handle_options(UserOptions), +    Timeout =   % A mixture of ssh:connect and ssh_sftp:start_channel: +        proplists:get_value(connect_timeout, SshOpts, +                            proplists:get_value(timeout, SftpOpts, infinity)), +    case ssh:connect(Socket, SshOpts, Timeout) of +	{ok,Cm} -> +	    case start_channel(Cm, UserOptions) of  		{ok, Pid} ->  		    {ok, Pid, Cm};  		Error -> @@ -120,17 +116,17 @@ start_channel(Socket, Options) when is_port(Socket) ->  	Error ->  	    Error      end; -start_channel(Cm, Opts) when is_pid(Cm) -> -    Timeout = proplists:get_value(timeout, Opts, infinity), -    {_, ChanOpts, SftpOpts} = handle_options(Opts, [], [], []), +start_channel(Cm, UserOptions) when is_pid(Cm) -> +    Timeout = proplists:get_value(timeout, UserOptions, infinity), +    {_SshOpts, ChanOpts, SftpOpts} = handle_options(UserOptions),      case ssh_xfer:attach(Cm, [], ChanOpts) of -	{ok, ChannelId, Cm} ->  -	    case ssh_channel:start(Cm, ChannelId,  +	{ok, ChannelId, Cm} -> +	    case ssh_channel:start(Cm, ChannelId,  				   ?MODULE, [Cm, ChannelId, SftpOpts]) of  		{ok, Pid} ->  		    case wait_for_version_negotiation(Pid, Timeout) of  			ok -> -			    {ok, Pid};  +			    {ok, Pid};  			TimeOut ->  			    TimeOut  		    end; @@ -143,15 +139,17 @@ start_channel(Cm, Opts) when is_pid(Cm) ->  	    Error      end; -start_channel(Host, Opts) -> -    start_channel(Host, 22, Opts). -start_channel(Host, Port, Opts) -> -    {SshOpts, ChanOpts, SftpOpts} = handle_options(Opts, [], [], []), -    Timeout = proplists:get_value(timeout, SftpOpts, infinity), +start_channel(Host, UserOptions) -> +    start_channel(Host, 22, UserOptions). + +start_channel(Host, Port, UserOptions) -> +    {SshOpts, ChanOpts, SftpOpts} = handle_options(UserOptions), +    Timeout =   % A mixture of ssh:connect and ssh_sftp:start_channel: +        proplists:get_value(connect_timeout, SshOpts, +                            proplists:get_value(timeout, SftpOpts, infinity)),      case ssh_xfer:connect(Host, Port, SshOpts, ChanOpts, Timeout) of  	{ok, ChannelId, Cm} -> -	    case ssh_channel:start(Cm, ChannelId, ?MODULE, [Cm,  -							    ChannelId, SftpOpts]) of +	    case ssh_channel:start(Cm, ChannelId, ?MODULE, [Cm,ChannelId,SftpOpts]) of  		{ok, Pid} ->  		    case wait_for_version_negotiation(Pid, Timeout) of  			ok -> @@ -165,7 +163,7 @@ start_channel(Host, Port, Opts) ->  		    {error, ignore}  	    end;  	Error -> -	    Error	     +	    Error      end.  stop_channel(Pid) -> @@ -174,12 +172,12 @@ stop_channel(Pid) ->  	    OldValue = process_flag(trap_exit, true),  	    link(Pid),  	    exit(Pid, ssh_sftp_stop_channel), -	    receive  +	    receive  		{'EXIT', Pid, normal} ->  		    ok  	    after 5000 ->  		    exit(Pid, kill), -		    receive  +		    receive  			{'EXIT', Pid, killed} ->  			    ok  		    end @@ -209,9 +207,9 @@ open_tar(Pid, File, Mode, FileOpTimeout) ->  	    erl_tar:init(Pid, write,  			 fun(write, {_,Data}) ->  				 write_to_remote_tar(Pid, Handle, to_bin(Data), FileOpTimeout); -			    (position, {_,Pos}) ->  +			    (position, {_,Pos}) ->  				 position(Pid, Handle, Pos, FileOpTimeout); -			    (close, _) ->  +			    (close, _) ->  				 close(Pid, Handle, FileOpTimeout)  			 end);  	{true,false,[{crypto,{CryptoInitFun,CryptoEncryptFun,CryptoEndFun}}]} -> @@ -245,9 +243,9 @@ open_tar(Pid, File, Mode, FileOpTimeout) ->  	    erl_tar:init(Pid, read,  			 fun(read2, {_,Len}) ->  				 read_repeat(Pid, Handle, Len, FileOpTimeout); -			    (position, {_,Pos}) ->  +			    (position, {_,Pos}) ->  				 position(Pid, Handle, Pos, FileOpTimeout); -			    (close, _) ->  +			    (close, _) ->  				 close(Pid, Handle, FileOpTimeout)  			 end);  	{false,true,[{crypto,{CryptoInitFun,CryptoDecryptFun}}]} -> @@ -258,9 +256,9 @@ open_tar(Pid, File, Mode, FileOpTimeout) ->  	    erl_tar:init(Pid, read,  			 fun(read2, {_,Len}) ->  				 read_buf(Pid, SftpHandle, BufHandle, Len, FileOpTimeout); -			    (position, {_,Pos}) ->  +			    (position, {_,Pos}) ->  				 position_buf(Pid, SftpHandle, BufHandle, Pos, FileOpTimeout); -			    (close, _) ->  +			    (close, _) ->  				 call(Pid, {erase_bufinf,BufHandle}, FileOpTimeout),  				 close(Pid, SftpHandle, FileOpTimeout)                           end); @@ -292,16 +290,16 @@ pread(Pid, Handle, Offset, Len, FileOpTimeout) ->  read(Pid, Handle, Len) ->      read(Pid, Handle, Len, ?FILEOP_TIMEOUT).  read(Pid, Handle, Len, FileOpTimeout) -> -    call(Pid, {read,false,Handle, Len}, FileOpTimeout).     +    call(Pid, {read,false,Handle, Len}, FileOpTimeout). -%% TODO this ought to be a cast! Is so in all practial meaning +%% TODO this ought to be a cast! Is so in all practical meaning  %% even if it is obscure!  apread(Pid, Handle, Offset, Len) ->      call(Pid, {pread,true,Handle, Offset, Len}, infinity).  %% TODO this ought to be a cast!   aread(Pid, Handle, Len) -> -    call(Pid, {read,true,Handle, Len}, infinity).     +    call(Pid, {read,true,Handle, Len}, infinity).  pwrite(Pid, Handle, Offset, Data) ->      pwrite(Pid, Handle, Offset, Data, ?FILEOP_TIMEOUT). @@ -313,12 +311,12 @@ write(Pid, Handle, Data) ->  write(Pid, Handle, Data, FileOpTimeout) ->      call(Pid, {write,false,Handle,Data}, FileOpTimeout). -%% TODO this ought to be a cast! Is so in all practial meaning +%% TODO this ought to be a cast! Is so in all practical meaning  %% even if it is obscure!  apwrite(Pid, Handle, Offset, Data) ->      call(Pid, {pwrite,true,Handle,Offset,Data}, infinity). -%% TODO this ought to be a cast!  Is so in all practial meaning +%% TODO this ought to be a cast!  Is so in all practical meaning  %% even if it is obscure!  awrite(Pid, Handle, Data) ->      call(Pid, {write,true,Handle,Data}, infinity). @@ -367,7 +365,7 @@ make_symlink(Pid, Name, Target) ->      make_symlink(Pid, Name, Target, ?FILEOP_TIMEOUT).  make_symlink(Pid, Name, Target, FileOpTimeout) ->      call(Pid, {make_symlink,false, Name, Target}, FileOpTimeout). -  +  rename(Pid, FromFile, ToFile) ->      rename(Pid, FromFile, ToFile, ?FILEOP_TIMEOUT).  rename(Pid, FromFile, ToFile, FileOpTimeout) -> @@ -411,8 +409,8 @@ list_dir(Pid, Name, FileOpTimeout) ->  	    close(Pid, Handle, FileOpTimeout),  	    case Res of  		{ok, List} -> -		    NList = lists:foldl(fun({Nm, _Info},Acc) ->  -					  [Nm|Acc] end,  +		    NList = lists:foldl(fun({Nm, _Info},Acc) -> +					  [Nm|Acc] end,  				  [], List),  		    {ok,NList};  		Error -> Error @@ -482,7 +480,7 @@ write_file_loop(Pid, Handle, Pos, Bin, Remain, PacketSz, FileOpTimeout) ->  	    <<_:Pos/binary, Data:PacketSz/binary, _/binary>> = Bin,  	    case write(Pid, Handle, Data, FileOpTimeout) of  		ok -> -		    write_file_loop(Pid, Handle,  +		    write_file_loop(Pid, Handle,  				    Pos+PacketSz, Bin, Remain-PacketSz,  				    PacketSz, FileOpTimeout);  		Error -> @@ -510,7 +508,7 @@ init([Cm, ChannelId, Options]) ->  	    Xf = #ssh_xfer{cm = Cm,  			       channel = ChannelId},  	    {ok, #state{xf = Xf, -			req_id = 0,  +			req_id = 0,  			rep_buf = <<>>,  			inf = new_inf(),  			opts = Options}}; @@ -519,7 +517,7 @@ init([Cm, ChannelId, Options]) ->  	Error ->  	    {stop, {shutdown, Error}}      end. -     +  %%--------------------------------------------------------------------  %% Function: handle_call/3  %% Description: Handling call messages @@ -541,7 +539,7 @@ handle_call({{timeout, Timeout}, wait_for_version_negotiation}, From,  handle_call({_, wait_for_version_negotiation}, _, State) ->      {reply, ok, State}; -	     +  handle_call({{timeout, infinity}, Msg}, From, State) ->      do_handle_call(Msg, From, State);  handle_call({{timeout, Timeout}, Msg}, From,  #state{req_id = Id} = State) -> @@ -555,13 +553,13 @@ code_change(_OldVsn, State, _Extra) ->      {ok, State}.  do_handle_call({get_bufinf,BufHandle}, _From, S=#state{inf=I0}) -> -    {reply, dict:find(BufHandle,I0), S}; +    {reply, maps:find(BufHandle,I0), S};  do_handle_call({put_bufinf,BufHandle,B}, _From, S=#state{inf=I0}) -> -    {reply, ok, S#state{inf=dict:store(BufHandle,B,I0)}}; +    {reply, ok, S#state{inf=maps:put(BufHandle,B,I0)}};  do_handle_call({erase_bufinf,BufHandle}, _From, S=#state{inf=I0}) -> -    {reply, ok, S#state{inf=dict:erase(BufHandle,I0)}}; +    {reply, ok, S#state{inf=maps:remove(BufHandle,I0)}};  do_handle_call({open, Async,FileName,Mode}, From, #state{xf = XF} = State) ->      {Access,Flags,Attrs} = open_mode(XF#ssh_xfer.vsn, Mode), @@ -636,7 +634,7 @@ do_handle_call({pread,Async,Handle,At,Length}, From, State) ->  					binary -> {{ok,Data}, State2};  					text -> {{ok,binary_to_list(Data)}, State2}  				    end; -			       (Rep, State2) ->  +			       (Rep, State2) ->  				    {Rep, State2}  			    end);  	Error -> @@ -777,7 +775,7 @@ do_handle_call(recv_window, _From, State) ->  do_handle_call(stop, _From, State) ->      {stop, shutdown, ok, State}; -do_handle_call(Call, _From, State) ->     +do_handle_call(Call, _From, State) ->      {reply, {error, bad_call, Call, State}, State}.  %%-------------------------------------------------------------------- @@ -785,13 +783,13 @@ do_handle_call(Call, _From, State) ->  %%                          %% Description: Handles channel messages  %%-------------------------------------------------------------------- -handle_ssh_msg({ssh_cm, _ConnectionManager,  -		{data, _ChannelId, 0, Data}}, #state{rep_buf = Data0} =  +handle_ssh_msg({ssh_cm, _ConnectionManager, +		{data, _ChannelId, 0, Data}}, #state{rep_buf = Data0} =  	       State0) ->      State = handle_reply(State0, <<Data0/binary,Data/binary>>),      {ok, State}; -handle_ssh_msg({ssh_cm, _ConnectionManager,  +handle_ssh_msg({ssh_cm, _ConnectionManager,  		{data, _ChannelId, 1, Data}}, State) ->      error_logger:format("ssh: STDERR: ~s\n", [binary_to_list(Data)]),      {ok, State}; @@ -803,7 +801,7 @@ handle_ssh_msg({ssh_cm, _, {signal, _, _}}, State) ->      %% Ignore signals according to RFC 4254 section 6.9.      {ok, State}; -handle_ssh_msg({ssh_cm, _, {exit_signal, ChannelId, _, Error, _}},  +handle_ssh_msg({ssh_cm, _, {exit_signal, ChannelId, _, Error, _}},  	       State0) ->      State = reply_all(State0, {error, Error}),      {stop, ChannelId,  State}; @@ -823,7 +821,7 @@ handle_msg({ssh_channel_up, _, _}, #state{opts = Options, xf = Xf} = State) ->      {ok, State};  %% Version negotiation timed out -handle_msg({timeout, undefined, From},  +handle_msg({timeout, undefined, From},  	   #state{xf = #ssh_xfer{channel = ChannelId}} = State) ->      ssh_channel:reply(From, {error, timeout}),      {stop, ChannelId, State}; @@ -839,12 +837,12 @@ handle_msg({timeout, Id, From}, #state{req_list = ReqList0} = State) ->      end;  %% Connection manager goes down -handle_msg({'DOWN', _Ref, _Type, _Process, _},   +handle_msg({'DOWN', _Ref, _Type, _Process, _},  	   #state{xf = #ssh_xfer{channel = ChannelId}} = State) ->      {stop, ChannelId, State}; -  +  %% Stopped by user -handle_msg({'EXIT', _, ssh_sftp_stop_channel},  +handle_msg({'EXIT', _, ssh_sftp_stop_channel},  	   #state{xf = #ssh_xfer{channel = ChannelId}} = State) ->      {stop, ChannelId, State}; @@ -865,6 +863,9 @@ terminate(_Reason, State) ->  %%====================================================================  %% Internal functions  %%==================================================================== +handle_options(UserOptions) -> +    handle_options(UserOptions, [], [], []). +  handle_options([], Sftp, Chan, Ssh) ->      {Ssh, Chan, Sftp};  handle_options([{timeout, _} = Opt | Rest], Sftp, Chan, Ssh) -> @@ -883,10 +884,10 @@ call(Pid, Msg, TimeOut) ->  handle_reply(State, <<?UINT32(Len),Reply:Len/binary,Rest/binary>>) ->      do_handle_reply(State, Reply, Rest); -handle_reply(State, Data) ->  +handle_reply(State, Data) ->       State#state{rep_buf = Data}. -do_handle_reply(#state{xf = Xf} = State,  +do_handle_reply(#state{xf = Xf} = State,  		<<?SSH_FXP_VERSION, ?UINT32(Version), BinExt/binary>>, Rest) ->      Ext = ssh_xfer:decode_ext(BinExt),      case Xf#ssh_xfer.vsn of @@ -899,7 +900,7 @@ do_handle_reply(#state{xf = Xf} = State,  		    ok  	    end,  	    ssh_channel:reply(From, ok) -    end,     +    end,      State#state{xf = Xf#ssh_xfer{vsn = Version, ext = Ext}, rep_buf = Rest};  do_handle_reply(State0, Data, Rest) -> @@ -919,9 +920,9 @@ handle_req_reply(State0, {_, ReqID, _} = XfReply) ->  	    List = lists:keydelete(ReqID, 1, State0#state.req_list),  	    State1 = State0#state { req_list = List },  	    case catch Fun(xreply(XfReply),State1) of -		{'EXIT', _} ->  +		{'EXIT', _} ->  		    State1; -		State ->  +		State ->  		    State  	    end      end. @@ -998,15 +999,15 @@ reply_all(State, Reply) ->  make_reply(ReqID, true, From, State) ->      {reply, {async, ReqID},       update_request_info(ReqID, State, -			 fun(Reply,State1) ->  +			 fun(Reply,State1) ->  				 async_reply(ReqID,Reply,From,State1)  			 end)};  make_reply(ReqID, false, From, State) ->      {noreply,        update_request_info(ReqID, State, -			 fun(Reply,State1) ->  -				 sync_reply(Reply, From, State1)  +			 fun(Reply,State1) -> +				 sync_reply(Reply, From, State1)  			 end)}.  make_reply_post(ReqID, true, From, State, PostFun) -> @@ -1049,7 +1050,7 @@ attr_to_info(A) when is_record(A, ssh_xfer_attr) ->      #file_info{        size   = A#ssh_xfer_attr.size,        type   = A#ssh_xfer_attr.type, -      access = read_write, %% FIXME: read/write/read_write/none +      access = file_mode_to_owner_access(A#ssh_xfer_attr.permissions),        atime  = unix_to_datetime(A#ssh_xfer_attr.atime),        mtime  = unix_to_datetime(A#ssh_xfer_attr.mtime),        ctime  = unix_to_datetime(A#ssh_xfer_attr.createtime), @@ -1061,26 +1062,39 @@ attr_to_info(A) when is_record(A, ssh_xfer_attr) ->        uid    = A#ssh_xfer_attr.owner,        gid    = A#ssh_xfer_attr.group}. - -%% Added workaround for sftp timestam problem. (Timestamps should be -%% in UTC but they where not) .  The workaround uses a deprecated -%% function i calandar.  This will work as expected most of the time -%% but has problems for the same reason as -%% calendar:local_time_to_universal_time/1. We consider it better that -%% the timestamps work as expected most of the time instead of none of -%% the time. Hopfully the file-api will be updated so that we can -%% solve this problem in a better way in the future. +file_mode_to_owner_access(FileMode) +  when is_integer(FileMode) -> +    %% The file mode contains the access permissions. +    %% The read and write access permission of file owner +    %% are located in 8th and 7th bit of file mode respectively. + +    ReadPermission = ((FileMode bsr 8) band 1), +    WritePermission =  ((FileMode bsr 7) band 1), +    case {ReadPermission, WritePermission} of +        {1, 1} -> +            read_write; +        {1, 0} -> +            read; +        {0, 1} -> +            write; +        {0, 0} -> +            none; +        _ -> +            undefined +    end; +file_mode_to_owner_access(_) -> +    undefined.  unix_to_datetime(undefined) ->      undefined;  unix_to_datetime(UTCSecs) -> -    UTCDateTime =  +    UTCDateTime =  	calendar:gregorian_seconds_to_datetime(UTCSecs + 62167219200),      erlang:universaltime_to_localtime(UTCDateTime).  datetime_to_unix(undefined) ->      undefined; -datetime_to_unix(LocalDateTime) ->     +datetime_to_unix(LocalDateTime) ->      UTCDateTime = erlang:localtime_to_universaltime(LocalDateTime),      calendar:datetime_to_gregorian_seconds(UTCDateTime) - 62167219200. @@ -1128,11 +1142,11 @@ open_mode3(Modes) ->  	 end,      {[], Fl, A}. -%% accessors for inf dict -new_inf() -> dict:new(). +%% accessors for inf map +new_inf() -> #{}.  add_new_handle(Handle, FileMode, Inf) -> -    dict:store(Handle, #fileinf{offset=0, size=0, mode=FileMode}, Inf). +    maps:put(Handle, #fileinf{offset=0, size=0, mode=FileMode}, Inf).  update_size(Handle, NewSize, State) ->      OldSize = get_size(Handle, State), @@ -1152,27 +1166,24 @@ update_offset(Handle, NewOffset, State0) ->  %% access size and offset for handle  put_size(Handle, Size, State) ->      Inf0 = State#state.inf, -    case dict:find(Handle, Inf0) of +    case maps:find(Handle, Inf0) of  	{ok, FI} -> -	    State#state{inf=dict:store(Handle, FI#fileinf{size=Size}, Inf0)}; +	    State#state{inf=maps:put(Handle, FI#fileinf{size=Size}, Inf0)};  	_ -> -	    State#state{inf=dict:store(Handle, #fileinf{size=Size,offset=0}, -				       Inf0)} +	    State#state{inf=maps:put(Handle, #fileinf{size=Size,offset=0}, Inf0)}      end.  put_offset(Handle, Offset, State) ->      Inf0 = State#state.inf, -    case dict:find(Handle, Inf0) of +    case maps:find(Handle, Inf0) of  	{ok, FI} -> -	    State#state{inf=dict:store(Handle, FI#fileinf{offset=Offset}, -				       Inf0)}; +	    State#state{inf=maps:put(Handle, FI#fileinf{offset=Offset}, Inf0)};  	_ -> -	    State#state{inf=dict:store(Handle, #fileinf{size=Offset, -							offset=Offset}, Inf0)} +	    State#state{inf=maps:put(Handle, #fileinf{size=Offset, offset=Offset}, Inf0)}      end.  get_size(Handle, State) -> -    case dict:find(Handle, State#state.inf) of +    case maps:find(Handle, State#state.inf) of  	{ok, FI} ->  	    FI#fileinf.size;  	_ -> @@ -1180,11 +1191,11 @@ get_size(Handle, State) ->      end.  %% get_offset(Handle, State) -> -%%     {ok, FI} = dict:find(Handle, State#state.inf), +%%     {ok, FI} = maps:find(Handle, State#state.inf),  %%     FI#fileinf.offset.  get_mode(Handle, State) -> -    case dict:find(Handle, State#state.inf) of +    case maps:find(Handle, State#state.inf) of  	{ok, FI} ->  	    FI#fileinf.mode;  	_ -> @@ -1192,14 +1203,14 @@ get_mode(Handle, State) ->      end.  erase_handle(Handle, State) -> -    FI = dict:erase(Handle, State#state.inf), +    FI = maps:remove(Handle, State#state.inf),      State#state{inf = FI}.  %%  %% Caluclate a integer offset  %%  lseek_position(Handle, Pos, State) -> -    case dict:find(Handle, State#state.inf) of +    case maps:find(Handle, State#state.inf) of  	{ok, #fileinf{offset=O, size=S}} ->  	    lseek_pos(Pos, O, S);  	_ -> @@ -1229,7 +1240,7 @@ lseek_pos({cur, Offset}, CurOffset, _CurSize)         true ->  	    {ok, NewOffset}      end; -lseek_pos({eof, Offset}, _CurOffset, CurSize)  +lseek_pos({eof, Offset}, _CurOffset, CurSize)    when is_integer(Offset) andalso -(?SSH_FILEXFER_LARGEFILESIZE) =< Offset andalso         Offset < ?SSH_FILEXFER_LARGEFILESIZE ->      NewOffset = CurSize + Offset, @@ -1239,7 +1250,7 @@ lseek_pos({eof, Offset}, _CurOffset, CurSize)  	    {ok, NewOffset}      end;  lseek_pos(_, _, _) -> -    {error, einval}.  +    {error, einval}.  %%%================================================================  %%% @@ -1277,13 +1288,13 @@ position_buf(Pid, SftpHandle, BufHandle, Pos, FileOpTimeout) ->      case Pos of  	{cur,0} when Mode==write ->  	    {ok,Size+size(Buf0)}; -	 +  	{cur,0} when Mode==read ->  	    {ok,Size}; -	 +  	_ when Mode==read, is_integer(Pos) ->  	    Skip = Pos-Size, -	    if  +	    if  		Skip < 0 ->  		    {error, cannot_rewind};  		Skip == 0 -> @@ -1318,7 +1329,7 @@ read_buf(Pid, SftpHandle, BufHandle, WantedLen, FileOpTimeout) ->  	    eof        end. -do_the_read_buf(_Pid, _SftpHandle, WantedLen, _Packet, _FileOpTimeout,  +do_the_read_buf(_Pid, _SftpHandle, WantedLen, _Packet, _FileOpTimeout,  		B=#bufinf{plain_text_buf=PlainBuf0,  			  size = Size})      when size(PlainBuf0) >= WantedLen -> @@ -1327,7 +1338,7 @@ do_the_read_buf(_Pid, _SftpHandle, WantedLen, _Packet, _FileOpTimeout,      {ok,ResultBin,B#bufinf{plain_text_buf=PlainBuf,  			   size = Size + WantedLen}}; -do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout,  +do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout,  		B0=#bufinf{plain_text_buf = PlainBuf0,  			   enc_text_buf = EncBuf0,  			   chunksize = undefined @@ -1335,12 +1346,12 @@ do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout,    when size(EncBuf0) > 0 ->      %% We have (at least) one decodable byte waiting for decodeing.      {ok,DecodedBin,B} = apply_crypto(EncBuf0, B0), -    do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout,  +    do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout,  		    B#bufinf{plain_text_buf = <<PlainBuf0/binary, DecodedBin/binary>>,  			     enc_text_buf = <<>>  			    }); -     -do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout,  + +do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout,  		B0=#bufinf{plain_text_buf = PlainBuf0,  			   enc_text_buf = EncBuf0,  			   chunksize = ChunkSize0 @@ -1349,11 +1360,11 @@ do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout,      %% We have (at least) one chunk of decodable bytes waiting for decodeing.      <<ToDecode:ChunkSize0/binary, EncBuf/binary>> = EncBuf0,      {ok,DecodedBin,B} = apply_crypto(ToDecode, B0), -    do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout,  +    do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout,  		    B#bufinf{plain_text_buf = <<PlainBuf0/binary, DecodedBin/binary>>,  			     enc_text_buf = EncBuf  			    }); -     +  do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout, B=#bufinf{enc_text_buf = EncBuf0}) ->      %% We must read more bytes and append to the buffer of encoded bytes.      case read(Pid, SftpHandle, Packet, FileOpTimeout) of @@ -1370,7 +1381,7 @@ do_the_read_buf(Pid, SftpHandle, WantedLen, Packet, FileOpTimeout, B=#bufinf{enc  write_buf(Pid, SftpHandle, BufHandle, PlainBin, FileOpTimeout) ->      {ok,{_Window,Packet}} = send_window(Pid, FileOpTimeout),      {ok,B0=#bufinf{plain_text_buf=PTB}}  = call(Pid, {get_bufinf,BufHandle}, FileOpTimeout), -    case do_the_write_buf(Pid, SftpHandle, Packet, FileOpTimeout,  +    case do_the_write_buf(Pid, SftpHandle, Packet, FileOpTimeout,  			  B0#bufinf{plain_text_buf = <<PTB/binary,PlainBin/binary>>}) of  	{ok, B} ->  	    call(Pid, {put_bufinf,BufHandle,B}, FileOpTimeout), @@ -1379,7 +1390,7 @@ write_buf(Pid, SftpHandle, BufHandle, PlainBin, FileOpTimeout) ->  	    {error,Error}      end. -do_the_write_buf(Pid, SftpHandle, Packet, FileOpTimeout,  +do_the_write_buf(Pid, SftpHandle, Packet, FileOpTimeout,  		 B=#bufinf{enc_text_buf = EncBuf0,  			   size = Size})    when size(EncBuf0) >= Packet -> @@ -1421,9 +1432,9 @@ do_the_write_buf(_Pid, _SftpHandle, _Packet, _FileOpTimeout, B) ->  apply_crypto(In, B=#bufinf{crypto_state = CState0,  			   crypto_fun = F}) ->      case F(In,CState0) of -	{ok,EncodedBin,CState} ->  +	{ok,EncodedBin,CState} ->  	    {ok, EncodedBin, B#bufinf{crypto_state=CState}}; -	{ok,EncodedBin,CState,ChunkSize} ->  +	{ok,EncodedBin,CState,ChunkSize} ->  	    {ok, EncodedBin, B#bufinf{crypto_state=CState,  				      chunksize=ChunkSize}}      end. diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl index fb680fe11c..427edf01ab 100644 --- a/lib/ssh/src/ssh_sftpd.erl +++ b/lib/ssh/src/ssh_sftpd.erl @@ -34,8 +34,7 @@  %%--------------------------------------------------------------------  %% External exports --export([subsystem_spec/1, -	 listen/1, listen/2, listen/3, stop/1]). +-export([subsystem_spec/1]).  -export([init/1, handle_ssh_msg/2, handle_msg/2, terminate/2]). @@ -76,29 +75,6 @@  subsystem_spec(Options) ->      {"sftp", {?MODULE, Options}}. -%%% DEPRECATED START %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%-------------------------------------------------------------------- -%% Function: listen() -> Pid | {error,Error} -%% Description: Starts the server -%%-------------------------------------------------------------------- -listen(Port) -> -    listen(any, Port, []). -listen(Port, Options) -> -    listen(any, Port, Options). -listen(Addr, Port, Options) -> -    SubSystems = [subsystem_spec(Options)], -    ssh:daemon(Addr, Port, [{subsystems, SubSystems} |Options]). - -%%-------------------------------------------------------------------- -%% Function: stop(Pid) -> ok -%% Description: Stops the listener -%%-------------------------------------------------------------------- -stop(Pid) -> -    ssh:stop_listener(Pid). - - -%%% DEPRECATED END %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%====================================================================  %% subsystem callbacks diff --git a/lib/ssh/src/ssh_subsystem_sup.erl b/lib/ssh/src/ssh_subsystem_sup.erl index 637f5f398f..8db051095c 100644 --- a/lib/ssh/src/ssh_subsystem_sup.erl +++ b/lib/ssh/src/ssh_subsystem_sup.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -26,7 +26,9 @@  -behaviour(supervisor). --export([start_link/1, +-include("ssh.hrl"). + +-export([start_link/5,  	 connection_supervisor/1,  	 channel_supervisor/1  	]). @@ -37,8 +39,8 @@  %%%=========================================================================  %%%  API  %%%========================================================================= -start_link(Opts) -> -    supervisor:start_link(?MODULE, [Opts]). +start_link(Role, Address, Port, Profile, Options) -> +    supervisor:start_link(?MODULE, [Role, Address, Port, Profile, Options]).  connection_supervisor(SupPid) ->      Children = supervisor:which_children(SupPid), @@ -51,49 +53,40 @@ channel_supervisor(SupPid) ->  %%%=========================================================================  %%%  Supervisor callback  %%%========================================================================= --spec init( [term()] ) -> {ok,{supervisor:sup_flags(),[supervisor:child_spec()]}} | ignore . - -init([Opts]) -> -    RestartStrategy = one_for_all, -    MaxR = 0, -    MaxT = 3600, -    Children = child_specs(Opts), -    {ok, {{RestartStrategy, MaxR, MaxT}, Children}}. +init([Role, Address, Port, Profile, Options]) -> +    SupFlags = #{strategy  => one_for_all, +                 intensity =>    0, +                 period    => 3600 +                }, +    ChildSpecs = child_specs(Role, Address, Port, Profile, Options), +    {ok, {SupFlags,ChildSpecs}}.  %%%=========================================================================  %%%  Internal functions  %%%========================================================================= -child_specs(Opts) -> -    case proplists:get_value(role, Opts) of -	client ->		 -	    []; -	server -> -	    [ssh_channel_child_spec(Opts), ssh_connectinon_child_spec(Opts)] -    end. +child_specs(client, _Address, _Port, _Profile, _Options) -> +    []; +child_specs(server, Address, Port, Profile, Options) -> +    [ssh_channel_child_spec(server, Address, Port, Profile, Options),  +     ssh_connection_child_spec(server, Address, Port, Profile, Options)]. -ssh_connectinon_child_spec(Opts) -> -    Address = proplists:get_value(address, Opts), -    Port = proplists:get_value(port, Opts), -    Role = proplists:get_value(role, Opts), -    Name = id(Role, ssh_connection_sup, Address, Port), -    StartFunc = {ssh_connection_sup, start_link, [Opts]}, -    Restart = temporary, -    Shutdown = 5000, -     Modules = [ssh_connection_sup], -    Type = supervisor, -    {Name, StartFunc, Restart, Shutdown, Type, Modules}. - -ssh_channel_child_spec(Opts) -> -    Address = proplists:get_value(address, Opts), -    Port = proplists:get_value(port, Opts), -    Role = proplists:get_value(role, Opts), -    Name = id(Role, ssh_channel_sup, Address, Port), -    StartFunc = {ssh_channel_sup, start_link, [Opts]}, -    Restart = temporary, -    Shutdown = infinity, -    Modules = [ssh_channel_sup], -    Type = supervisor, -    {Name, StartFunc, Restart, Shutdown, Type, Modules}. +ssh_connection_child_spec(Role, Address, Port, _Profile, Options) -> +    #{id       => id(Role, ssh_connection_sup, Address, Port), +      start    => {ssh_connection_sup, start_link, [Options]}, +      restart  => temporary, +      shutdown => 5000, +      type     => supervisor, +      modules  => [ssh_connection_sup] +     }. + +ssh_channel_child_spec(Role, Address, Port, _Profile, Options) -> +    #{id       => id(Role, ssh_channel_sup, Address, Port), +      start    => {ssh_channel_sup, start_link, [Options]}, +      restart  => temporary, +      shutdown => infinity, +      type     => supervisor, +      modules  => [ssh_channel_sup] +     }.  id(Role, Sup, Address, Port) ->      {Role, Sup, Address, Port}. diff --git a/lib/ssh/src/ssh_sup.erl b/lib/ssh/src/ssh_sup.erl index 8b57387589..eaec7a54e4 100644 --- a/lib/ssh/src/ssh_sup.erl +++ b/lib/ssh/src/ssh_sup.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -31,63 +31,20 @@  %%%=========================================================================  %%%  Supervisor callback  %%%========================================================================= --spec init( [term()] ) -> {ok,{supervisor:sup_flags(),[supervisor:child_spec()]}} | ignore . - -init([]) -> -    SupFlags = {one_for_one, 10, 3600}, -    Children = children(),  -    {ok, {SupFlags, Children}}. - -%%%========================================================================= -%%%  Internal functions -%%%========================================================================= -get_services() -> -    case (catch application:get_env(ssh, services)) of -	{ok, Services} -> -	    Services; -	_ -> -	    [] -    end.  - -children() -> -    Services = get_services(), -    Clients = [Service || Service <- Services, is_client(Service)], -    Servers =  [Service || Service <- Services, is_server(Service)], - -    [server_child_spec(Servers), client_child_spec(Clients)]. - -server_child_spec(Servers) -> -    Name = sshd_sup, -    StartFunc = {sshd_sup, start_link, [Servers]}, -    Restart = permanent,  -    Shutdown = infinity, -    Modules = [sshd_sup], -    Type = supervisor, -    {Name, StartFunc, Restart, Shutdown, Type, Modules}. - -client_child_spec(Clients) -> -    Name = sshc_sup, -    StartFunc = {sshc_sup, start_link, [Clients]}, -    Restart = permanent,  -    Shutdown = infinity, -    Modules = [sshc_sup], -    Type = supervisor, -    {Name, StartFunc, Restart, Shutdown, Type, Modules}. - -is_server({sftpd, _}) -> -    true; -is_server({shelld, _}) -> -    true; -is_server(_) -> -    false. - -is_client({sftpc, _}) -> -    true; -is_client({shellc, _}) -> -    true; -is_client(_) -> -    false. - - - +init(_) -> +    SupFlags = #{strategy  => one_for_one,  +                 intensity =>   10, +                 period    => 3600 +                }, +    ChildSpecs = [#{id       => Module, +                    start    => {Module, start_link, []}, +                    restart  => permanent, +                    shutdown => 4000, %brutal_kill, +                    type     => supervisor, +                    modules  => [Module] +                   } +                  || Module <- [sshd_sup, +                                sshc_sup] +                 ], +    {ok, {SupFlags,ChildSpecs}}. diff --git a/lib/ssh/src/ssh_system_sup.erl b/lib/ssh/src/ssh_system_sup.erl index e97ac7b01a..e70abf59c2 100644 --- a/lib/ssh/src/ssh_system_sup.erl +++ b/lib/ssh/src/ssh_system_sup.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -21,7 +21,7 @@  %%  %%----------------------------------------------------------------------  %% Purpose: The ssh server instance supervisor, an instans of this supervisor -%%          exists for every ip-address and port combination, hangs under   +%%          exists for every ip-address and port combination, hangs under  %%          sshd_sup.  %%---------------------------------------------------------------------- @@ -31,64 +31,103 @@  -include("ssh.hrl"). --export([start_link/1, stop_listener/1, +-export([start_link/4, stop_listener/1,  	 stop_listener/3, stop_system/1,  	 stop_system/3, system_supervisor/3, -	 subsystem_supervisor/1, channel_supervisor/1,  -	 connection_supervisor/1,  -	 acceptor_supervisor/1, start_subsystem/2, restart_subsystem/3, -	 restart_acceptor/3, stop_subsystem/2]). +	 subsystem_supervisor/1, channel_supervisor/1, +	 connection_supervisor/1, +	 acceptor_supervisor/1, start_subsystem/6, +	 stop_subsystem/2]).  %% Supervisor callback  -export([init/1]).  %%%========================================================================= -%%% Internal  API +%%% API  %%%========================================================================= -start_link(ServerOpts) -> -    Address = proplists:get_value(address, ServerOpts), -    Port = proplists:get_value(port, ServerOpts), -    Profile = proplists:get_value(profile,  proplists:get_value(ssh_opts, ServerOpts), ?DEFAULT_PROFILE), +start_link(Address, Port, Profile, Options) ->      Name = make_name(Address, Port, Profile), -    supervisor:start_link({local, Name}, ?MODULE, [ServerOpts]). +    supervisor:start_link({local, Name}, ?MODULE, [Address, Port, Profile, Options]). -stop_listener(SysSup) -> -    stop_acceptor(SysSup).  +%%%========================================================================= +%%%  Supervisor callback +%%%========================================================================= +init([Address, Port, Profile, Options]) -> +    SupFlags = #{strategy  => one_for_one, +                 intensity =>    0, +                 period    => 3600 +                }, +    ChildSpecs = +        case ?GET_INTERNAL_OPT(connected_socket,Options,undefined) of +            undefined -> +                [#{id       => id(ssh_acceptor_sup, Address, Port, Profile), +                   start    => {ssh_acceptor_sup, start_link, [Address, Port, Profile, Options]}, +                   restart  => transient, +                   shutdown => infinity, +                   type     => supervisor, +                   modules  => [ssh_acceptor_sup] +                  }]; +            _ -> +                [] +        end, +    {ok, {SupFlags,ChildSpecs}}. + +%%%========================================================================= +%%% Service API +%%%========================================================================= +stop_listener(SystemSup) -> +    {Name, AcceptorSup, _, _} = lookup(ssh_acceptor_sup, SystemSup), +    case supervisor:terminate_child(AcceptorSup, Name) of +        ok -> +            supervisor:delete_child(AcceptorSup, Name); +        Error -> +            Error +    end.  stop_listener(Address, Port, Profile) -> -    Name = make_name(Address, Port, Profile), -    stop_acceptor(whereis(Name)).  -  +    stop_listener( +      system_supervisor(Address, Port, Profile)). + +  stop_system(SysSup) -> -    Name = sshd_sup:system_name(SysSup), -    spawn(fun() -> sshd_sup:stop_child(Name) end), +    spawn(fun() -> sshd_sup:stop_child(SysSup) end),      ok. -stop_system(Address, Port, Profile) ->  +stop_system(Address, Port, Profile) ->      spawn(fun() -> sshd_sup:stop_child(Address, Port, Profile) end),      ok. +  system_supervisor(Address, Port, Profile) ->      Name = make_name(Address, Port, Profile),      whereis(Name).  subsystem_supervisor(SystemSup) -> -    ssh_subsystem_sup(supervisor:which_children(SystemSup)). +    {_, Child, _, _} = lookup(ssh_subsystem_sup, SystemSup), +    Child.  channel_supervisor(SystemSup) -> -    SubSysSup = ssh_subsystem_sup(supervisor:which_children(SystemSup)), -    ssh_subsystem_sup:channel_supervisor(SubSysSup). +    ssh_subsystem_sup:channel_supervisor( +      subsystem_supervisor(SystemSup)).  connection_supervisor(SystemSup) -> -    SubSysSup = ssh_subsystem_sup(supervisor:which_children(SystemSup)), -    ssh_subsystem_sup:connection_supervisor(SubSysSup). +    ssh_subsystem_sup:connection_supervisor( +      subsystem_supervisor(SystemSup)).  acceptor_supervisor(SystemSup) -> -    ssh_acceptor_sup(supervisor:which_children(SystemSup)). +    {_, Child, _, _} = lookup(ssh_acceptor_sup, SystemSup), +    Child. -start_subsystem(SystemSup, Options) -> -    Spec = ssh_subsystem_child_spec(Options), -    supervisor:start_child(SystemSup, Spec). + +start_subsystem(SystemSup, Role, Address, Port, Profile, Options) -> +    SubsystemSpec = +        #{id       => make_ref(), +          start    => {ssh_subsystem_sup, start_link, [Role, Address, Port, Profile, Options]}, +          restart  => temporary, +          shutdown => infinity, +          type     => supervisor, +          modules  => [ssh_subsystem_sup]}, +    supervisor:start_child(SystemSup, SubsystemSpec).  stop_subsystem(SystemSup, SubSys) ->      case catch lists:keyfind(SubSys, 2, supervisor:which_children(SystemSup)) of @@ -106,100 +145,21 @@ stop_subsystem(SystemSup, SubSys) ->  	    ok      end. - -restart_subsystem(Address, Port, Profile) -> -    SysSupName = make_name(Address, Port, Profile), -    SubSysName = id(ssh_subsystem_sup, Address, Port, Profile), -    case supervisor:terminate_child(SysSupName, SubSysName) of -	ok -> -	    supervisor:restart_child(SysSupName, SubSysName); -	Error  -> -	    Error -    end. - -restart_acceptor(Address, Port, Profile) -> -    SysSupName = make_name(Address, Port, Profile), -    AcceptorName = id(ssh_acceptor_sup, Address, Port, Profile), -    supervisor:restart_child(SysSupName, AcceptorName). - -%%%========================================================================= -%%%  Supervisor callback -%%%========================================================================= --spec init( [term()] ) -> {ok,{supervisor:sup_flags(),[supervisor:child_spec()]}} | ignore . - -init([ServerOpts]) -> -    RestartStrategy = one_for_one, -    MaxR = 0, -    MaxT = 3600, -    Children = case proplists:get_value(asocket,ServerOpts) of -		   undefined -> child_specs(ServerOpts); -		   _ -> [] -	       end, -    {ok, {{RestartStrategy, MaxR, MaxT}, Children}}. -  %%%=========================================================================  %%%  Internal functions  %%%========================================================================= -child_specs(ServerOpts) -> -    [ssh_acceptor_child_spec(ServerOpts)].  -   -ssh_acceptor_child_spec(ServerOpts) -> -    Address = proplists:get_value(address, ServerOpts), -    Port = proplists:get_value(port, ServerOpts), -    Profile = proplists:get_value(profile,  proplists:get_value(ssh_opts, ServerOpts), ?DEFAULT_PROFILE), -    Name = id(ssh_acceptor_sup, Address, Port, Profile), -    StartFunc = {ssh_acceptor_sup, start_link, [ServerOpts]}, -    Restart = transient,  -    Shutdown = infinity, -    Modules = [ssh_acceptor_sup], -    Type = supervisor, -    {Name, StartFunc, Restart, Shutdown, Type, Modules}. - -ssh_subsystem_child_spec(ServerOpts) -> -    Name = make_ref(), -    StartFunc = {ssh_subsystem_sup, start_link, [ServerOpts]}, -    Restart = temporary, -    Shutdown = infinity, -    Modules = [ssh_subsystem_sup], -    Type = supervisor, -    {Name, StartFunc, Restart, Shutdown, Type, Modules}. - -  id(Sup, Address, Port, Profile) -> -    case is_list(Address) of	 -	true -> -	    {Sup, any, Port, Profile}; -	false -> -	    {Sup, Address, Port, Profile} -	end. +    {Sup, Address, Port, Profile}.  make_name(Address, Port, Profile) -> -    case is_list(Address) of -	true  -> -	    list_to_atom(lists:flatten(io_lib:format("ssh_system_~p_~p_~p_sup",  -						     [any, Port, Profile]))); -	false  -> -	    list_to_atom(lists:flatten(io_lib:format("ssh_system_~p_~p_~p_sup",  -						     [Address, Port, Profile]))) -    end. +    list_to_atom(lists:flatten(io_lib:format("ssh_system_~s_~p_~p_sup", [fmt_host(Address), Port, Profile]))). -ssh_subsystem_sup([{_, Child, _, [ssh_subsystem_sup]} | _]) -> -    Child; -ssh_subsystem_sup([_ | Rest]) -> -    ssh_subsystem_sup(Rest). +fmt_host(IP) when is_tuple(IP) -> inet:ntoa(IP); +fmt_host(A)  when is_atom(A)   -> A; +fmt_host(S)  when is_list(S)   -> S. -ssh_acceptor_sup([{_, Child, _, [ssh_acceptor_sup]} | _]) -> -    Child; -ssh_acceptor_sup([_ | Rest]) -> -    ssh_acceptor_sup(Rest). -stop_acceptor(Sup) -> -    [{Name, AcceptorSup}] = -	[{SupName, ASup} || {SupName, ASup, _, [ssh_acceptor_sup]} <-  -			  supervisor:which_children(Sup)], -    case supervisor:terminate_child(AcceptorSup, Name) of -        ok -> -            supervisor:delete_child(AcceptorSup, Name); -        Error -> -            Error -    end. +lookup(SupModule, SystemSup) -> +    lists:keyfind([SupModule], 4, +                  supervisor:which_children(SystemSup)). + diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl index 9bebaf2d9b..90a94a7e86 100644 --- a/lib/ssh/src/ssh_transport.erl +++ b/lib/ssh/src/ssh_transport.erl @@ -34,10 +34,13 @@  -export([next_seqnum/1,   	 supported_algorithms/0, supported_algorithms/1,  	 default_algorithms/0, default_algorithms/1, +         algo_classes/0, algo_class/1, +         algo_two_spec_classes/0, algo_two_spec_class/1,  	 handle_packet_part/4,  	 handle_hello_version/1,  	 key_exchange_init_msg/1,  	 key_init/3, new_keys_message/1, +         ext_info_message/1,  	 handle_kexinit_msg/3, handle_kexdh_init/2,  	 handle_kex_dh_gex_group/2, handle_kex_dh_gex_init/2, handle_kex_dh_gex_reply/2,  	 handle_new_keys/2, handle_kex_dh_gex_request/2, @@ -47,6 +50,7 @@           parallell_gen_key/1,  	 extract_public_key/1,  	 ssh_packet/2, pack/2, +         valid_key_sha_alg/2,  	 sha/1, sign/3, verify/4]).  %%% For test suites @@ -79,6 +83,27 @@ default_algorithms() -> [{K,default_algorithms(K)} || K <- algo_classes()].  algo_classes() -> [kex, public_key, cipher, mac, compression]. +algo_class(kex) -> true; +algo_class(public_key) -> true; +algo_class(cipher) -> true; +algo_class(mac) -> true; +algo_class(compression) -> true; +algo_class(_) -> false. + + +algo_two_spec_classes() -> [cipher, mac, compression]. + +algo_two_spec_class(cipher) -> true; +algo_two_spec_class(mac) -> true; +algo_two_spec_class(compression) -> true; +algo_two_spec_class(_) -> false. + +     + +default_algorithms(kex) -> +    supported_algorithms(kex, [ +                               'diffie-hellman-group1-sha1' % Gone in OpenSSH 7.3.p1 +                              ]);  default_algorithms(cipher) ->      supported_algorithms(cipher, same(['AEAD_AES_128_GCM', @@ -86,6 +111,7 @@ default_algorithms(cipher) ->  default_algorithms(mac) ->      supported_algorithms(mac, same(['AEAD_AES_128_GCM',  				    'AEAD_AES_256_GCM'])); +  default_algorithms(Alg) ->      supported_algorithms(Alg, []). @@ -95,34 +121,41 @@ supported_algorithms() -> [{K,supported_algorithms(K)} || K <- algo_classes()].  supported_algorithms(kex) ->      select_crypto_supported(        [ -       {'ecdh-sha2-nistp256',                   [{public_keys,ecdh}, {ec_curve,secp256r1}, {hashs,sha256}]},         {'ecdh-sha2-nistp384',                   [{public_keys,ecdh}, {ec_curve,secp384r1}, {hashs,sha384}]}, -       {'diffie-hellman-group14-sha1',          [{public_keys,dh},   {hashs,sha}]}, +       {'ecdh-sha2-nistp521',                   [{public_keys,ecdh}, {ec_curve,secp521r1}, {hashs,sha512}]}, +       {'ecdh-sha2-nistp256',                   [{public_keys,ecdh}, {ec_curve,secp256r1}, {hashs,sha256}]},         {'diffie-hellman-group-exchange-sha256', [{public_keys,dh},   {hashs,sha256}]}, +       {'diffie-hellman-group16-sha512',        [{public_keys,dh},   {hashs,sha512}]}, % In OpenSSH 7.3.p1 +       {'diffie-hellman-group18-sha512',        [{public_keys,dh},   {hashs,sha512}]}, % In OpenSSH 7.3.p1 +       {'diffie-hellman-group14-sha256',        [{public_keys,dh},   {hashs,sha256}]}, % In OpenSSH 7.3.p1 +       {'diffie-hellman-group14-sha1',          [{public_keys,dh},   {hashs,sha}]},         {'diffie-hellman-group-exchange-sha1',   [{public_keys,dh},   {hashs,sha}]}, -       {'ecdh-sha2-nistp521',                   [{public_keys,ecdh}, {ec_curve,secp521r1}, {hashs,sha512}]},         {'diffie-hellman-group1-sha1',           [{public_keys,dh},   {hashs,sha}]}        ]);  supported_algorithms(public_key) ->      select_crypto_supported( -      [{'ecdsa-sha2-nistp256',  [{public_keys,ecdsa}, {hashs,sha256}, {ec_curve,secp256r1}]}, +      [         {'ecdsa-sha2-nistp384',  [{public_keys,ecdsa}, {hashs,sha384}, {ec_curve,secp384r1}]},         {'ecdsa-sha2-nistp521',  [{public_keys,ecdsa}, {hashs,sha512}, {ec_curve,secp521r1}]}, +       {'ecdsa-sha2-nistp256',  [{public_keys,ecdsa}, {hashs,sha256}, {ec_curve,secp256r1}]},         {'ssh-rsa',              [{public_keys,rsa},   {hashs,sha}                         ]}, -       {'ssh-dss',              [{public_keys,dss},   {hashs,sha}                         ]} +       {'rsa-sha2-256',         [{public_keys,rsa},   {hashs,sha256}                      ]}, +       {'rsa-sha2-512',         [{public_keys,rsa},   {hashs,sha512}                      ]}, +       {'ssh-dss',              [{public_keys,dss},   {hashs,sha}                         ]} % Gone in OpenSSH 7.3.p1        ]);  supported_algorithms(cipher) ->      same(        select_crypto_supported( -	[{'aes256-ctr',       [{ciphers,{aes_ctr,256}}]}, -	 {'aes192-ctr',       [{ciphers,{aes_ctr,192}}]}, -	 {'aes128-ctr',       [{ciphers,{aes_ctr,128}}]}, -	 {'aes128-cbc',       [{ciphers,aes_cbc128}]}, +	[ +         {'[email protected]', [{ciphers,{aes_gcm,256}}]}, +         {'aes256-ctr',       [{ciphers,{aes_ctr,256}}]}, +         {'aes192-ctr',       [{ciphers,{aes_ctr,192}}]},  	 {'[email protected]', [{ciphers,{aes_gcm,128}}]}, -	 {'[email protected]', [{ciphers,{aes_gcm,256}}]}, -	 {'AEAD_AES_128_GCM', [{ciphers,{aes_gcm,128}}]}, +	 {'aes128-ctr',       [{ciphers,{aes_ctr,128}}]},  	 {'AEAD_AES_256_GCM', [{ciphers,{aes_gcm,256}}]}, +	 {'AEAD_AES_128_GCM', [{ciphers,{aes_gcm,128}}]}, +	 {'aes128-cbc',       [{ciphers,aes_cbc128}]},  	 {'3des-cbc',         [{ciphers,des3_cbc}]}  	]         )); @@ -144,14 +177,14 @@ supported_algorithms(compression) ->  %%%----------------------------------------------------------------------------  versions(client, Options)-> -    Vsn = proplists:get_value(vsn, Options, ?DEFAULT_CLIENT_VERSION), +    Vsn = ?GET_INTERNAL_OPT(vsn, Options, ?DEFAULT_CLIENT_VERSION),      {Vsn, format_version(Vsn, software_version(Options))};  versions(server, Options) -> -    Vsn = proplists:get_value(vsn, Options, ?DEFAULT_SERVER_VERSION), +    Vsn = ?GET_INTERNAL_OPT(vsn, Options, ?DEFAULT_SERVER_VERSION),      {Vsn, format_version(Vsn, software_version(Options))}.  software_version(Options) ->  -    case proplists:get_value(id_string, Options) of +    case ?GET_OPT(id_string, Options) of  	undefined ->  	    "Erlang"++ssh_vsn();  	{random,Nlo,Nup} -> @@ -162,7 +195,7 @@ software_version(Options) ->  ssh_vsn() ->      try {ok,L} = application:get_all_key(ssh), -	 proplists:get_value(vsn,L,"") +	 proplists:get_value(vsn, L, "")      of   	"" -> "";  	VSN when is_list(VSN) -> "/" ++ VSN; @@ -172,7 +205,7 @@ ssh_vsn() ->      end.  random_id(Nlo, Nup) -> -    [crypto:rand_uniform($a,$z+1) || _<- lists:duplicate(crypto:rand_uniform(Nlo,Nup+1),x)  ]. +    [$a + rand:uniform($z-$a+1) - 1 || _<- lists:duplicate(Nlo + rand:uniform(Nup-Nlo+1) - 1, x)].  hello_version_msg(Data) ->      [Data,"\r\n"]. @@ -191,9 +224,6 @@ is_valid_mac(Mac, Data, #ssh{recv_mac = Algorithm,  			     recv_mac_key = Key, recv_sequence = SeqNum}) ->      Mac == mac(Algorithm, Key, SeqNum, Data). -yes_no(Ssh, Prompt)  -> -    (Ssh#ssh.io_cb):yes_no(Prompt, Ssh). -  format_version({Major,Minor}, SoftwareVersion) ->      "SSH-" ++ integer_to_list(Major) ++ "." ++   	integer_to_list(Minor) ++ "-" ++ SoftwareVersion. @@ -221,27 +251,37 @@ key_exchange_init_msg(Ssh0) ->      {SshPacket, Ssh} = ssh_packet(Msg, Ssh0),      {Msg, SshPacket, Ssh}. -kex_init(#ssh{role = Role, opts = Opts, available_host_keys = HostKeyAlgs}) -> +kex_init(#ssh{role = Role, opts = Opts, available_host_keys = HostKeyAlgs} = Ssh) ->      Random = ssh_bits:random(16), -    PrefAlgs = -	case proplists:get_value(preferred_algorithms,Opts) of -	    undefined ->  -		default_algorithms(); -	    Algs0 -> -		Algs0 -	end, -    kexinit_message(Role, Random, PrefAlgs, HostKeyAlgs). +    PrefAlgs = adjust_algs_for_peer_version(Role, ?GET_OPT(preferred_algorithms, Opts), Ssh), +    kexinit_message(Role, Random, PrefAlgs, HostKeyAlgs, Opts).  key_init(client, Ssh, Value) ->      Ssh#ssh{c_keyinit = Value};  key_init(server, Ssh, Value) ->      Ssh#ssh{s_keyinit = Value}. - -kexinit_message(_Role, Random, Algs, HostKeyAlgs) -> +adjust_algs_for_peer_version(client, PrefAlgs, #ssh{s_version=V}) -> +    adjust_algs_for_peer_version(V, PrefAlgs); +adjust_algs_for_peer_version(server, PrefAlgs, #ssh{c_version=V}) -> +    adjust_algs_for_peer_version(V, PrefAlgs). +%% +adjust_algs_for_peer_version("SSH-2.0-OpenSSH_6.2"++_, PrefAlgs) -> +    C0 = proplists:get_value(cipher, PrefAlgs, same([])), +    C = [{D,L} || D <- [client2server, server2client], +                  L <- [[K || K <- proplists:get_value(D, C0, []), +                              K =/= '[email protected]', +                              K =/= '[email protected]']] +        ], +    lists:keyreplace(cipher, 1, PrefAlgs, {cipher,C}); +adjust_algs_for_peer_version(_, PrefAlgs) -> +    PrefAlgs. +     +kexinit_message(Role, Random, Algs, HostKeyAlgs, Opts) ->      #ssh_msg_kexinit{  		  cookie = Random, -		  kex_algorithms = to_strings( get_algs(kex,Algs) ), +		  kex_algorithms = to_strings( get_algs(kex,Algs) ) +                                   ++ kex_ext_info(Role,Opts),  		  server_host_key_algorithms = HostKeyAlgs,  		  encryption_algorithms_client_to_server = c2s(cipher,Algs),  		  encryption_algorithms_server_to_client = s2c(cipher,Algs), @@ -263,56 +303,71 @@ get_algs(Key, Algs) -> proplists:get_value(Key, Algs, default_algorithms(Key)).  to_strings(L) -> lists:map(fun erlang:atom_to_list/1, L).  new_keys_message(Ssh0) -> -    {SshPacket, Ssh} =  -	ssh_packet(#ssh_msg_newkeys{}, Ssh0), +    {SshPacket, Ssh1} = ssh_packet(#ssh_msg_newkeys{}, Ssh0), +    Ssh = install_alg(snd, Ssh1),      {ok, SshPacket, Ssh}.  handle_kexinit_msg(#ssh_msg_kexinit{} = CounterPart, #ssh_msg_kexinit{} = Own, -			    #ssh{role = client} = Ssh0) -> -    {ok, Algoritms} = select_algorithm(client, Own, CounterPart),   -    case verify_algorithm(Algoritms) of -	true -> -	    key_exchange_first_msg(Algoritms#alg.kex,  -				   Ssh0#ssh{algorithms = Algoritms}); -	_  -> -	    %% TODO: Correct code? -    ssh_connection_handler:disconnect( -      #ssh_msg_disconnect{code = ?SSH_DISCONNECT_KEY_EXCHANGE_FAILED, -			  description = "Selection of key exchange algorithm failed" -			 }) +                   #ssh{role = client} = Ssh) -> +    try +        {ok, Algorithms} = select_algorithm(client, Own, CounterPart, Ssh#ssh.opts), +        true = verify_algorithm(Algorithms), +        Algorithms +    of +	Algos -> +	    key_exchange_first_msg(Algos#alg.kex,  +				   Ssh#ssh{algorithms = Algos}) +    catch +        _:_ -> +            ssh_connection_handler:disconnect( +              #ssh_msg_disconnect{code = ?SSH_DISCONNECT_KEY_EXCHANGE_FAILED, +                                  description = "Selection of key exchange algorithm failed"})      end;  handle_kexinit_msg(#ssh_msg_kexinit{} = CounterPart, #ssh_msg_kexinit{} = Own, -			    #ssh{role = server} = Ssh) -> -    {ok, Algoritms} = select_algorithm(server, CounterPart, Own), -    case  verify_algorithm(Algoritms) of -	true -> -	    {ok, Ssh#ssh{algorithms = Algoritms}}; -	_ -> -    ssh_connection_handler:disconnect( -      #ssh_msg_disconnect{code = ?SSH_DISCONNECT_KEY_EXCHANGE_FAILED, -			  description = "Selection of key exchange algorithm failed" -			 }) +                   #ssh{role = server} = Ssh) -> +    try +        {ok, Algorithms} = select_algorithm(server, CounterPart, Own, Ssh#ssh.opts), +        true = verify_algorithm(Algorithms), +        Algorithms +    of +	Algos -> +            {ok, Ssh#ssh{algorithms = Algos}} +    catch +        _:_ -> +            ssh_connection_handler:disconnect( +              #ssh_msg_disconnect{code = ?SSH_DISCONNECT_KEY_EXCHANGE_FAILED, +                                  description = "Selection of key exchange algorithm failed"})      end. -verify_algorithm(#alg{kex = undefined}) -> false; -verify_algorithm(#alg{hkey = undefined}) -> false; -verify_algorithm(#alg{send_mac = undefined}) -> false; -verify_algorithm(#alg{recv_mac = undefined}) -> false; -verify_algorithm(#alg{encrypt = undefined}) -> false; -verify_algorithm(#alg{decrypt = undefined}) -> false; -verify_algorithm(#alg{compress = undefined}) -> false; -verify_algorithm(#alg{decompress = undefined}) -> false; -verify_algorithm(#alg{kex = Kex}) -> lists:member(Kex, supported_algorithms(kex)). +verify_algorithm(#alg{kex = undefined})       ->  {false, "kex"}; +verify_algorithm(#alg{hkey = undefined})      ->  {false, "hkey"}; +verify_algorithm(#alg{send_mac = undefined})  ->  {false, "send_mac"}; +verify_algorithm(#alg{recv_mac = undefined})  ->  {false, "recv_mac"}; +verify_algorithm(#alg{encrypt = undefined})   ->  {false, "encrypt"}; +verify_algorithm(#alg{decrypt = undefined})   ->  {false, "decrypt"}; +verify_algorithm(#alg{compress = undefined})  ->  {false, "compress"}; +verify_algorithm(#alg{decompress = undefined}) -> {false, "decompress"}; +verify_algorithm(#alg{kex = Kex}) ->  +    %% This also catches the error if 'ext-info-s' or 'ext-info-c' is selected. +    %% (draft-ietf-curdle-ssh-ext-info-04 2.2) +    case lists:member(Kex, supported_algorithms(kex)) of +        true -> true; +        false -> {false, "kex"} +    end.  %%%----------------------------------------------------------------  %%%  %%% Key exchange initialization  %%%  key_exchange_first_msg(Kex, Ssh0) when Kex == 'diffie-hellman-group1-sha1' ; -				       Kex == 'diffie-hellman-group14-sha1' -> +				       Kex == 'diffie-hellman-group14-sha1' ; +                                       Kex == 'diffie-hellman-group14-sha256' ; +                                       Kex == 'diffie-hellman-group16-sha512' ; +                                       Kex == 'diffie-hellman-group18-sha512' +                                       ->      {G, P} = dh_group(Kex),      Sz = dh_bits(Ssh0#ssh.algorithms),      {Public, Private} = generate_key(dh, [P,G,2*Sz]), @@ -322,10 +377,7 @@ key_exchange_first_msg(Kex, Ssh0) when Kex == 'diffie-hellman-group1-sha1' ;  key_exchange_first_msg(Kex, Ssh0=#ssh{opts=Opts}) when Kex == 'diffie-hellman-group-exchange-sha1' ;  						       Kex == 'diffie-hellman-group-exchange-sha256' -> -    {Min,NBits0,Max} =  -	proplists:get_value(dh_gex_limits, Opts, {?DEFAULT_DH_GROUP_MIN, -						  ?DEFAULT_DH_GROUP_NBITS, -						  ?DEFAULT_DH_GROUP_MAX}), +    {Min,NBits0,Max} = ?GET_OPT(dh_gex_limits, Opts),      DhBits = dh_bits(Ssh0#ssh.algorithms),      NBits1 =           %% NIST Special Publication 800-57 Part 1 Revision 4: Recommendation for Key Management @@ -358,9 +410,13 @@ key_exchange_first_msg(Kex, Ssh0) when Kex == 'ecdh-sha2-nistp256' ;  %%%  %%% diffie-hellman-group1-sha1  %%% diffie-hellman-group14-sha1 +%%% diffie-hellman-group14-sha256 +%%% diffie-hellman-group16-sha512 +%%% diffie-hellman-group18-sha512  %%%   handle_kexdh_init(#ssh_msg_kexdh_init{e = E},  -		  Ssh0 = #ssh{algorithms = #alg{kex=Kex} = Algs}) -> +		  Ssh0 = #ssh{algorithms = #alg{kex=Kex, +                                                hkey=SignAlg} = Algs}) ->      %% server      {G, P} = dh_group(Kex),      if @@ -368,17 +424,17 @@ handle_kexdh_init(#ssh_msg_kexdh_init{e = E},              Sz = dh_bits(Algs),  	    {Public, Private} = generate_key(dh, [P,G,2*Sz]),  	    K = compute_key(dh, E, Private, [P,G]), -	    MyPrivHostKey = get_host_key(Ssh0), +	    MyPrivHostKey = get_host_key(Ssh0, SignAlg),  	    MyPubHostKey = extract_public_key(MyPrivHostKey), -	    H = kex_h(Ssh0, MyPubHostKey, E, Public, K), -	    H_SIG = sign_host_key(Ssh0, MyPrivHostKey, H), +            H = kex_hash(Ssh0, MyPubHostKey, sha(Kex), {E,Public,K}), +            H_SIG = sign(H, sha(SignAlg), MyPrivHostKey),  	    {SshPacket, Ssh1} =  -		ssh_packet(#ssh_msg_kexdh_reply{public_host_key = MyPubHostKey, +		ssh_packet(#ssh_msg_kexdh_reply{public_host_key = {MyPubHostKey,SignAlg},  						f = Public,  						h_sig = H_SIG  					       }, Ssh0),  	    {ok, SshPacket, Ssh1#ssh{keyex_key = {{Private, Public}, {G, P}}, -				     shared_secret = K, +				     shared_secret = ssh_bits:mpint(K),  				     exchanged_hash = H,  				     session_id = sid(Ssh1, H)}}; @@ -394,19 +450,19 @@ handle_kexdh_init(#ssh_msg_kexdh_init{e = E},  handle_kexdh_reply(#ssh_msg_kexdh_reply{public_host_key = PeerPubHostKey,  					f = F,  					h_sig = H_SIG},  -		   #ssh{keyex_key = {{Private, Public}, {G, P}}} = Ssh0) -> +		   #ssh{keyex_key = {{Private, Public}, {G, P}}, +                        algorithms = #alg{kex=Kex}} = Ssh0) ->      %% client      if   	1=<F, F=<(P-1)->  	    K = compute_key(dh, F, Private, [P,G]), -	    H = kex_h(Ssh0, PeerPubHostKey, Public, F, K), - +            H = kex_hash(Ssh0, PeerPubHostKey, sha(Kex), {Public,F,K}),  	    case verify_host_key(Ssh0, PeerPubHostKey, H, H_SIG) of  		ok ->  		    {SshPacket, Ssh} = ssh_packet(#ssh_msg_newkeys{}, Ssh0), -		    {ok, SshPacket, Ssh#ssh{shared_secret  = K, -					    exchanged_hash = H, -					    session_id = sid(Ssh, H)}}; +		    {ok, SshPacket, install_alg(snd, Ssh#ssh{shared_secret  = ssh_bits:mpint(K), +                                                             exchanged_hash = H, +                                                             session_id = sid(Ssh, H)})};  		Error ->  	    ssh_connection_handler:disconnect(  	      #ssh_msg_disconnect{ @@ -436,7 +492,7 @@ handle_kex_dh_gex_request(#ssh_msg_kex_dh_gex_request{min = Min0,      %% server      {Min, Max} = adjust_gex_min_max(Min0, Max0, Opts),      case public_key:dh_gex_group(Min, NBits, Max, -				 proplists:get_value(dh_gex_groups,Opts)) of +				 ?GET_OPT(dh_gex_groups,Opts)) of  	{ok, {_, {G,P}}} ->  	    {SshPacket, Ssh} =   		ssh_packet(#ssh_msg_kex_dh_gex_group{p = P, g = G}, Ssh0), @@ -459,7 +515,7 @@ handle_kex_dh_gex_request(#ssh_msg_kex_dh_gex_request_old{n = NBits},      %% This message was in the draft-00 of rfc4419      %% (https://tools.ietf.org/html/draft-ietf-secsh-dh-group-exchange-00)      %% In later drafts and the rfc is "is used for backward compatibility". -    %% Unfortunatly the rfc does not specify how to treat the parameter n +    %% Unfortunately the rfc does not specify how to treat the parameter n      %% if there is no group of that modulus length :(      %% The draft-00 however specifies that n is the "... number of bits      %% the subgroup should have at least". @@ -470,13 +526,13 @@ handle_kex_dh_gex_request(#ssh_msg_kex_dh_gex_request_old{n = NBits},      Max0 = 8192,      {Min, Max} = adjust_gex_min_max(Min0, Max0, Opts),      case public_key:dh_gex_group(Min, NBits, Max, -				 proplists:get_value(dh_gex_groups,Opts)) of +				 ?GET_OPT(dh_gex_groups,Opts)) of  	{ok, {_, {G,P}}} ->  	    {SshPacket, Ssh} =   		ssh_packet(#ssh_msg_kex_dh_gex_group{p = P, g = G}, Ssh0),  	    {ok, SshPacket,   	     Ssh#ssh{keyex_key = {x, {G, P}}, -		     keyex_info = {-1, -1, NBits} % flag for kex_h hash calc +		     keyex_info = {-1, -1, NBits} % flag for kex_hash calc  		    }};  	{error,_} ->  	    ssh_connection_handler:disconnect( @@ -495,22 +551,18 @@ handle_kex_dh_gex_request(_, _) ->  adjust_gex_min_max(Min0, Max0, Opts) -> -    case proplists:get_value(dh_gex_limits, Opts) of -	undefined -> -	    {Min0, Max0}; -	{Min1, Max1} -> -	    Min2 = max(Min0, Min1), -	    Max2 = min(Max0, Max1), -	    if -		Min2 =< Max2 -> -		    {Min2, Max2}; -		Max2 < Min2 -> -		    ssh_connection_handler:disconnect( -		      #ssh_msg_disconnect{ -			 code = ?SSH_DISCONNECT_PROTOCOL_ERROR, -			 description = "No possible diffie-hellman-group-exchange group possible" -			}) -	    end +    {Min1, Max1} = ?GET_OPT(dh_gex_limits, Opts), +    Min2 = max(Min0, Min1), +    Max2 = min(Max0, Max1), +    if +        Min2 =< Max2 -> +            {Min2, Max2}; +        Max2 < Min2 -> +            ssh_connection_handler:disconnect( +              #ssh_msg_disconnect{ +                 code = ?SSH_DISCONNECT_PROTOCOL_ERROR, +                 description = "No possible diffie-hellman-group-exchange group possible" +                })      end. @@ -526,23 +578,24 @@ handle_kex_dh_gex_group(#ssh_msg_kex_dh_gex_group{p = P, g = G}, Ssh0) ->  handle_kex_dh_gex_init(#ssh_msg_kex_dh_gex_init{e = E},   		       #ssh{keyex_key = {{Private, Public}, {G, P}}, -			    keyex_info = {Min, Max, NBits}} =  -			   Ssh0) -> +			    keyex_info = {Min, Max, NBits}, +                            algorithms = #alg{kex=Kex, +                                              hkey=SignAlg}} = Ssh0) ->      %% server      if  	1=<E, E=<(P-1) ->  	    K = compute_key(dh, E, Private, [P,G]),  	    if  		1<K, K<(P-1) -> -		    MyPrivHostKey = get_host_key(Ssh0), +		    MyPrivHostKey = get_host_key(Ssh0, SignAlg),  		    MyPubHostKey = extract_public_key(MyPrivHostKey), -		    H = kex_h(Ssh0, MyPubHostKey, Min, NBits, Max, P, G, E, Public, K), -		    H_SIG = sign_host_key(Ssh0, MyPrivHostKey, H), +                    H = kex_hash(Ssh0, MyPubHostKey, sha(Kex), {Min,NBits,Max,P,G,E,Public,K}), +                    H_SIG = sign(H, sha(SignAlg), MyPrivHostKey),  		    {SshPacket, Ssh} =  -			ssh_packet(#ssh_msg_kex_dh_gex_reply{public_host_key = MyPubHostKey, +			ssh_packet(#ssh_msg_kex_dh_gex_reply{public_host_key = {MyPubHostKey,SignAlg},  							     f = Public,  							     h_sig = H_SIG}, Ssh0), -		    {ok, SshPacket, Ssh#ssh{shared_secret = K, +		    {ok, SshPacket, Ssh#ssh{shared_secret = ssh_bits:mpint(K),  					    exchanged_hash = H,  					    session_id = sid(Ssh, H)  					   }}; @@ -565,7 +618,8 @@ handle_kex_dh_gex_reply(#ssh_msg_kex_dh_gex_reply{public_host_key = PeerPubHostK  						  f = F,  						  h_sig = H_SIG},  			#ssh{keyex_key = {{Private, Public}, {G, P}}, -			     keyex_info = {Min, Max, NBits}} =  +			     keyex_info = {Min, Max, NBits}, +                             algorithms = #alg{kex=Kex}} =   			    Ssh0) ->      %% client      if  @@ -573,14 +627,13 @@ handle_kex_dh_gex_reply(#ssh_msg_kex_dh_gex_reply{public_host_key = PeerPubHostK  	    K = compute_key(dh, F, Private, [P,G]),  	    if  		1<K, K<(P-1) -> -		    H = kex_h(Ssh0, PeerPubHostKey, Min, NBits, Max, P, G, Public, F, K), - +                    H = kex_hash(Ssh0, PeerPubHostKey, sha(Kex), {Min,NBits,Max,P,G,Public,F,K}),  		    case verify_host_key(Ssh0, PeerPubHostKey, H, H_SIG) of  			ok ->  			    {SshPacket, Ssh} = ssh_packet(#ssh_msg_newkeys{}, Ssh0), -			    {ok, SshPacket, Ssh#ssh{shared_secret  = K, -						    exchanged_hash = H, -						    session_id = sid(Ssh, H)}}; +			    {ok, SshPacket, install_alg(snd, Ssh#ssh{shared_secret  = ssh_bits:mpint(K), +                                                                     exchanged_hash = H, +                                                                     session_id = sid(Ssh, H)})};  			_Error ->  			    ssh_connection_handler:disconnect(  			      #ssh_msg_disconnect{ @@ -610,7 +663,8 @@ handle_kex_dh_gex_reply(#ssh_msg_kex_dh_gex_reply{public_host_key = PeerPubHostK  %%% diffie-hellman-ecdh-sha2-*  %%%   handle_kex_ecdh_init(#ssh_msg_kex_ecdh_init{q_c = PeerPublic}, -		     Ssh0 = #ssh{algorithms = #alg{kex=Kex}}) -> +		     Ssh0 = #ssh{algorithms = #alg{kex=Kex, +                                                   hkey=SignAlg}}) ->      %% at server      Curve = ecdh_curve(Kex),      {MyPublic, MyPrivate} = generate_key(ecdh, Curve), @@ -618,17 +672,17 @@ handle_kex_ecdh_init(#ssh_msg_kex_ecdh_init{q_c = PeerPublic},  	compute_key(ecdh, PeerPublic, MyPrivate, Curve)      of  	K -> -	    MyPrivHostKey = get_host_key(Ssh0), +	    MyPrivHostKey = get_host_key(Ssh0, SignAlg),  	    MyPubHostKey = extract_public_key(MyPrivHostKey), -	    H = kex_h(Ssh0, Curve, MyPubHostKey, PeerPublic, MyPublic, K), -	    H_SIG = sign_host_key(Ssh0, MyPrivHostKey, H), +            H = kex_hash(Ssh0, MyPubHostKey, sha(Curve), {PeerPublic, MyPublic, K}), +            H_SIG = sign(H, sha(SignAlg), MyPrivHostKey),  	    {SshPacket, Ssh1} =  -		ssh_packet(#ssh_msg_kex_ecdh_reply{public_host_key = MyPubHostKey, +		ssh_packet(#ssh_msg_kex_ecdh_reply{public_host_key = {MyPubHostKey,SignAlg},  						   q_s = MyPublic,  						   h_sig = H_SIG},  			   Ssh0),      	    {ok, SshPacket, Ssh1#ssh{keyex_key = {{MyPublic,MyPrivate},Curve}, -				     shared_secret = K, +				     shared_secret = ssh_bits:mpint(K),  				     exchanged_hash = H,  				     session_id = sid(Ssh1, H)}}      catch @@ -643,20 +697,21 @@ handle_kex_ecdh_init(#ssh_msg_kex_ecdh_init{q_c = PeerPublic},  handle_kex_ecdh_reply(#ssh_msg_kex_ecdh_reply{public_host_key = PeerPubHostKey,  					      q_s = PeerPublic,  					      h_sig = H_SIG}, -		      #ssh{keyex_key = {{MyPublic,MyPrivate}, Curve}} = Ssh0 +		      #ssh{keyex_key = {{MyPublic,MyPrivate}, Curve} +                          } = Ssh0  		     ) ->      %% at client      try  	compute_key(ecdh, PeerPublic, MyPrivate, Curve)      of  	K -> -	    H = kex_h(Ssh0, Curve, PeerPubHostKey, MyPublic, PeerPublic, K),  +            H = kex_hash(Ssh0, PeerPubHostKey, sha(Curve), {MyPublic,PeerPublic,K}),  	    case verify_host_key(Ssh0, PeerPubHostKey, H, H_SIG) of  		ok ->  		    {SshPacket, Ssh} = ssh_packet(#ssh_msg_newkeys{}, Ssh0), -		    {ok, SshPacket, Ssh#ssh{shared_secret  = K, -					    exchanged_hash = H, -					    session_id = sid(Ssh, H)}}; +		    {ok, SshPacket, install_alg(snd, Ssh#ssh{shared_secret  = ssh_bits:mpint(K), +                                                             exchanged_hash = H, +                                                             session_id = sid(Ssh, H)})};  		Error ->  		    ssh_connection_handler:disconnect(  		       #ssh_msg_disconnect{ @@ -676,7 +731,7 @@ handle_kex_ecdh_reply(#ssh_msg_kex_ecdh_reply{public_host_key = PeerPubHostKey,  %%%----------------------------------------------------------------  handle_new_keys(#ssh_msg_newkeys{}, Ssh0) -> -    try install_alg(Ssh0) of +    try install_alg(rcv, Ssh0) of  	#ssh{} = Ssh ->  	    {ok, Ssh}      catch  @@ -687,90 +742,170 @@ handle_new_keys(#ssh_msg_newkeys{}, Ssh0) ->  				 })      end.  + +%%%---------------------------------------------------------------- +kex_ext_info(Role, Opts) -> +    case ?GET_OPT(recv_ext_info,Opts) of +        true when Role==client -> ["ext-info-c"]; +        true when Role==server -> ["ext-info-s"]; +        false -> [] +    end. +     +ext_info_message(#ssh{role=client, +                      send_ext_info=true, +                      opts=Opts} = Ssh0) -> +    %% Since no extension sent by the client is implemented, we add a fake one +    %% to be able to test the framework. +    %% Remove this when there is one and update ssh_protocol_SUITE whare it is used. +    case proplists:get_value(ext_info_client, ?GET_OPT(tstflg,Opts)) of +        true -> +            Msg = #ssh_msg_ext_info{nr_extensions = 1, +                                    data = [{"[email protected]", "Testing,PleaseIgnore"}] +                                   }, +            {SshPacket, Ssh} = ssh_packet(Msg, Ssh0), +            {ok, SshPacket, Ssh}; +        _ -> +            {ok, "", Ssh0} +    end; + +ext_info_message(#ssh{role=server, +                      send_ext_info=true, +                      opts = Opts} = Ssh0) -> +    AlgsList = lists:map(fun erlang:atom_to_list/1, +                         proplists:get_value(public_key, +                                             ?GET_OPT(preferred_algorithms, Opts))), +    Msg = #ssh_msg_ext_info{nr_extensions = 1, +                            data = [{"server-sig-algs", string:join(AlgsList,",")}] +                           }, +    {SshPacket, Ssh} = ssh_packet(Msg, Ssh0), +    {ok, SshPacket, Ssh}; + +ext_info_message(Ssh0) -> +    {ok, "", Ssh0}.                          % "" means: 'do not send' + +%%%----------------------------------------------------------------  %% select session id -sid(#ssh{session_id = undefined}, H) ->  -    H; -sid(#ssh{session_id = Id}, _) ->  -    Id. +sid(#ssh{session_id = undefined}, H) ->  H; +sid(#ssh{session_id = Id},        _) -> Id.  %%  %% The host key should be read from storage  %% -get_host_key(SSH) -> -    #ssh{key_cb = Mod, opts = Opts, algorithms = ALG} = SSH, - -    case Mod:host_key(ALG#alg.hkey, Opts) of -	{ok, #'RSAPrivateKey'{} = Key} ->  Key; -	{ok, #'DSAPrivateKey'{} = Key} ->  Key; -	{ok, #'ECPrivateKey'{}  = Key} ->  Key; +get_host_key(SSH, SignAlg) -> +    #ssh{key_cb = {KeyCb,KeyCbOpts}, opts = Opts} = SSH, +    UserOpts = ?GET_OPT(user_options, Opts), +    case KeyCb:host_key(SignAlg, [{key_cb_private,KeyCbOpts}|UserOpts]) of +	{ok, PrivHostKey} -> +            %% Check the key - the KeyCb may be a buggy plugin +            case valid_key_sha_alg(PrivHostKey, SignAlg) of +                true -> PrivHostKey; +                false -> exit({error, bad_hostkey}) +            end;  	Result -> -	    exit({error, {Result, unsupported_key_type}}) +            exit({error, {Result, unsupported_key_type}})      end. -sign_host_key(_Ssh, PrivateKey, H) -> -     sign(H, sign_host_key_sha(PrivateKey), PrivateKey). - -sign_host_key_sha(#'ECPrivateKey'{parameters = {namedCurve,OID}}) -> sha(OID); -sign_host_key_sha(#'RSAPrivateKey'{}) -> sha; -sign_host_key_sha(#'DSAPrivateKey'{}) -> sha. - -  extract_public_key(#'RSAPrivateKey'{modulus = N, publicExponent = E}) ->      #'RSAPublicKey'{modulus = N, publicExponent = E};  extract_public_key(#'DSAPrivateKey'{y = Y, p = P, q = Q, g = G}) ->      {Y,  #'Dss-Parms'{p=P, q=Q, g=G}};  extract_public_key(#'ECPrivateKey'{parameters = {namedCurve,OID},  				   publicKey = Q}) -> -    {#'ECPoint'{point=Q}, {namedCurve,OID}}. - - -verify_host_key(SSH, PublicKey, Digest, Signature) -> -    case verify(Digest, host_key_sha(PublicKey), Signature, PublicKey) of -	false -> -	    {error, bad_signature}; -	true -> -	    known_host_key(SSH, PublicKey, public_algo(PublicKey)) +    {#'ECPoint'{point=Q}, {namedCurve,OID}}; +extract_public_key(#{engine:=_, key_id:=_, algorithm:=Alg} = M) -> +    case {Alg, crypto:privkey_to_pubkey(Alg, M)} of +        {rsa, [E,N]} -> +            #'RSAPublicKey'{modulus = N, publicExponent = E}; +        {dss, [P,Q,G,Y]} -> +            {Y, #'Dss-Parms'{p=P, q=Q, g=G}}      end. -host_key_sha(#'RSAPublicKey'{})    -> sha; -host_key_sha({_, #'Dss-Parms'{}})  -> sha; -host_key_sha({#'ECPoint'{},{namedCurve,OID}}) -> sha(OID). -public_algo(#'RSAPublicKey'{}) ->   'ssh-rsa'; -public_algo({_, #'Dss-Parms'{}}) -> 'ssh-dss'; -public_algo({#'ECPoint'{},{namedCurve,OID}}) ->  -    Curve = public_key:oid2ssh_curvename(OID), -    list_to_atom("ecdsa-sha2-" ++ binary_to_list(Curve)). +verify_host_key(#ssh{algorithms=Alg}=SSH, PublicKey, Digest, {AlgStr,Signature}) -> +    case atom_to_list(Alg#alg.hkey) of +        AlgStr -> +            case verify(Digest, sha(Alg#alg.hkey), Signature, PublicKey) of +                false -> +                    {error, bad_signature}; +                true -> +                    known_host_key(SSH, PublicKey, public_algo(PublicKey)) +            end; +        _ -> +            {error, bad_signature_name} +    end. +%%% -> boolean() | {error,_}  accepted_host(Ssh, PeerName, Public, Opts) -> -    case proplists:get_value(silently_accept_hosts, Opts, false) of -	F when is_function(F,2) -> -	    true == (catch F(PeerName, public_key:ssh_hostkey_fingerprint(Public))); +    case ?GET_OPT(silently_accept_hosts, Opts) of + +        %% Original option values; User question and no host key fingerprints known. +        %% Keep the original question unchanged: +	false -> yes == yes_no(Ssh, "New host " ++ PeerName ++ " accept"); +	true -> true; + +        %% Variant: User question but with host key fingerprint in the question: +        {false,Alg} -> +            HostKeyAlg = (Ssh#ssh.algorithms)#alg.hkey, +            Prompt = io_lib:format("The authenticity of the host can't be established.~n" +                                   "~s host key fingerprint is ~s.~n" +                                   "New host ~p accept", +                                   [fmt_hostkey(HostKeyAlg), +                                    public_key:ssh_hostkey_fingerprint(Alg,Public), +                                    PeerName]), +            yes == yes_no(Ssh, Prompt); + +        %% Call-back alternatives: A user provided fun is called for the decision: +        F when is_function(F,2) -> +            case catch F(PeerName, public_key:ssh_hostkey_fingerprint(Public)) of +                true -> true; +                _ -> {error, fingerprint_check_failed} +            end; +  	{DigestAlg,F} when is_function(F,2) -> -	    true == (catch F(PeerName, public_key:ssh_hostkey_fingerprint(DigestAlg,Public))); -	true -> -	    true; -	false -> -	    yes == yes_no(Ssh, "New host " ++ PeerName ++ " accept") +            case catch F(PeerName, public_key:ssh_hostkey_fingerprint(DigestAlg,Public)) of +                true -> true; +                _ -> {error, {fingerprint_check_failed,DigestAlg}} +            end      end. -known_host_key(#ssh{opts = Opts, key_cb = Mod, peer = Peer} = Ssh,  + +yes_no(Ssh, Prompt)  -> +    (Ssh#ssh.io_cb):yes_no(Prompt, Ssh#ssh.opts). + + +fmt_hostkey('ssh-rsa') -> "RSA"; +fmt_hostkey('ssh-dss') -> "DSA"; +fmt_hostkey(A) when is_atom(A) -> fmt_hostkey(atom_to_list(A)); +fmt_hostkey("ecdsa"++_) -> "ECDSA"; +fmt_hostkey(X) -> X. + + +known_host_key(#ssh{opts = Opts, key_cb = {KeyCb,KeyCbOpts}, peer = {PeerName,_}} = Ssh,   	       Public, Alg) -> -    PeerName = peer_name(Peer), -    case Mod:is_host_key(Public, PeerName, Alg, Opts) of -	true -> +    UserOpts = ?GET_OPT(user_options, Opts), +    case is_host_key(KeyCb, Public, PeerName, Alg, [{key_cb_private,KeyCbOpts}|UserOpts]) of +	{_,true} ->  	    ok; -	false -> +	{_,false} ->  	    case accepted_host(Ssh, PeerName, Public, Opts) of  		true -> -		    Mod:add_host_key(PeerName, Public, Opts); +		    {_,R} = add_host_key(KeyCb, PeerName, Public, [{key_cb_private,KeyCbOpts}|UserOpts]), +                    R;  		false -> -		    {error, rejected} +		    {error, rejected_by_user}; +                {error,E} -> +                    {error,E}  	    end      end. +is_host_key(KeyCb, Public, PeerName, Alg, Data) -> +    {KeyCb, KeyCb:is_host_key(Public, PeerName, Alg, Data)}. + +add_host_key(KeyCb, PeerName, Public, Data) -> +    {KeyCb, KeyCb:add_host_key(PeerName, Public, Data)}. +      %%   Each of the algorithm strings MUST be a comma-separated list of  %%   algorithm names (see ''Algorithm Naming'' in [SSH-ARCH]).  Each @@ -778,7 +913,7 @@ known_host_key(#ssh{opts = Opts, key_cb = Mod, peer = Peer} = Ssh,  %%  %%   The first algorithm in each list MUST be the preferred (guessed)  %%   algorithm.  Each string MUST contain at least one algorithm name. -select_algorithm(Role, Client, Server) -> +select_algorithm(Role, Client, Server, Opts) ->      {Encrypt0, Decrypt0} = select_encrypt_decrypt(Role, Client, Server),      {SendMac0, RecvMac0} = select_send_recv_mac(Role, Client, Server), @@ -803,17 +938,34 @@ select_algorithm(Role, Client, Server) ->      Kex = select(Client#ssh_msg_kexinit.kex_algorithms,  		 Server#ssh_msg_kexinit.kex_algorithms), -    Alg = #alg{kex = Kex,  -	       hkey = HK, -	       encrypt = Encrypt, -	       decrypt = Decrypt, -	       send_mac = SendMac, -	       recv_mac = RecvMac, -	       compress = Compression, -	       decompress = Decompression, -	       c_lng = C_Lng, -	       s_lng = S_Lng}, -    {ok, Alg}. +    SendExtInfo = +        %% To send we must have that option enabled and ... +        ?GET_OPT(send_ext_info,Opts) andalso +        %% ... the peer must have told us to send: +        case Role of +            server -> lists:member("ext-info-c", Client#ssh_msg_kexinit.kex_algorithms); +            client -> lists:member("ext-info-s", Server#ssh_msg_kexinit.kex_algorithms) +        end, + +    RecvExtInfo = +        %% The peer should not send unless told so by us (which is +        %% guided by an option). +        %% (However a malicious peer could send anyway, so we must be prepared) +        ?GET_OPT(recv_ext_info,Opts), + +    {ok, #alg{kex = Kex, +              hkey = HK, +              encrypt = Encrypt, +              decrypt = Decrypt, +              send_mac = SendMac, +              recv_mac = RecvMac, +              compress = Compression, +              decompress = Decompression, +              c_lng = C_Lng, +              s_lng = S_Lng, +              send_ext_info = SendExtInfo, +              recv_ext_info = RecvExtInfo +             }}.  %%% It is an agreed problem with RFC 5674 that if the selection is @@ -894,45 +1046,66 @@ select_compression_decompression(server, Client, Server) ->  	       Server#ssh_msg_kexinit.compression_algorithms_server_to_client),      {Compression, Decompression}. -install_alg(SSH) -> -    SSH1 = alg_final(SSH), -    SSH2 = alg_setup(SSH1), -    alg_init(SSH2). +%% DIr = rcv | snd +install_alg(Dir, SSH) -> +    SSH1 = alg_final(Dir, SSH), +    SSH2 = alg_setup(Dir, SSH1), +    alg_init(Dir, SSH2). -alg_setup(SSH) -> +alg_setup(snd, SSH) ->      ALG = SSH#ssh.algorithms,      SSH#ssh{kex = ALG#alg.kex,  	    hkey = ALG#alg.hkey,  	    encrypt = ALG#alg.encrypt, -	    decrypt = ALG#alg.decrypt,  	    send_mac = ALG#alg.send_mac,  	    send_mac_size = mac_digest_size(ALG#alg.send_mac), +	    compress = ALG#alg.compress, +	    c_lng = ALG#alg.c_lng, +	    s_lng = ALG#alg.s_lng, +            send_ext_info = ALG#alg.send_ext_info, +            recv_ext_info = ALG#alg.recv_ext_info +	   }; + +alg_setup(rcv, SSH) -> +    ALG = SSH#ssh.algorithms, +    SSH#ssh{kex = ALG#alg.kex, +	    hkey = ALG#alg.hkey, +	    decrypt = ALG#alg.decrypt,  	    recv_mac = ALG#alg.recv_mac,  	    recv_mac_size = mac_digest_size(ALG#alg.recv_mac), -	    compress = ALG#alg.compress,  	    decompress = ALG#alg.decompress,  	    c_lng = ALG#alg.c_lng,  	    s_lng = ALG#alg.s_lng, -	    algorithms = undefined +            send_ext_info = ALG#alg.send_ext_info, +            recv_ext_info = ALG#alg.recv_ext_info  	   }. -alg_init(SSH0) -> + +alg_init(snd, SSH0) ->      {ok,SSH1} = send_mac_init(SSH0), -    {ok,SSH2} = recv_mac_init(SSH1), -    {ok,SSH3} = encrypt_init(SSH2), -    {ok,SSH4} = decrypt_init(SSH3), -    {ok,SSH5} = compress_init(SSH4), -    {ok,SSH6} = decompress_init(SSH5), -    SSH6. - -alg_final(SSH0) -> +    {ok,SSH2} = encrypt_init(SSH1), +    {ok,SSH3} = compress_init(SSH2), +    SSH3; + +alg_init(rcv, SSH0) -> +    {ok,SSH1} = recv_mac_init(SSH0), +    {ok,SSH2} = decrypt_init(SSH1), +    {ok,SSH3} = decompress_init(SSH2), +    SSH3. + + +alg_final(snd, SSH0) ->      {ok,SSH1} = send_mac_final(SSH0), -    {ok,SSH2} = recv_mac_final(SSH1), -    {ok,SSH3} = encrypt_final(SSH2), -    {ok,SSH4} = decrypt_final(SSH3), -    {ok,SSH5} = compress_final(SSH4), -    {ok,SSH6} = decompress_final(SSH5), -    SSH6. +    {ok,SSH2} = encrypt_final(SSH1), +    {ok,SSH3} = compress_final(SSH2), +    SSH3; + +alg_final(rcv, SSH0) -> +    {ok,SSH1} = recv_mac_final(SSH0), +    {ok,SSH2} = decrypt_final(SSH1), +    {ok,SSH3} = decompress_final(SSH2), +    SSH3. +  select_all(CL, SL) when length(CL) + length(SL) < ?MAX_NUM_ALGORITHMS ->      A = CL -- SL,  %% algortihms only used by client @@ -1007,7 +1180,7 @@ padding_length(Size, #ssh{encrypt_block_size = BlockSize,  		    end,      PadBlockSize =  max(BlockSize,4),      MaxExtraBlocks = (max(RandomLengthPadding,MinPaddingLen) - MinPaddingLen) div PadBlockSize, -    ExtraPaddingLen = try crypto:rand_uniform(0,MaxExtraBlocks)*PadBlockSize +    ExtraPaddingLen = try (rand:uniform(MaxExtraBlocks+1) - 1) * PadBlockSize  		      catch _:_ -> 0  		      end,      MinPaddingLen + ExtraPaddingLen. @@ -1096,29 +1269,45 @@ payload(<<PacketLen:32, PaddingLen:8, PayloadAndPadding/binary>>) ->      <<Payload:PayloadLen/binary, _/binary>> = PayloadAndPadding,      Payload. -sign(SigData, Hash,  #'DSAPrivateKey'{} = Key) -> -    DerSignature = public_key:sign(SigData, Hash, Key), -    #'Dss-Sig-Value'{r = R, s = S} = public_key:der_decode('Dss-Sig-Value', DerSignature), -    <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>>; -sign(SigData, Hash, Key = #'ECPrivateKey'{}) -> -    DerEncodedSign =  public_key:sign(SigData, Hash, Key), +sign(SigData, HashAlg, #{algorithm:=dss} = Key) -> +    mk_dss_sig(crypto:sign(dss, HashAlg, SigData, Key)); +sign(SigData, HashAlg, #{algorithm:=SigAlg} = Key) -> +    crypto:sign(SigAlg, HashAlg, SigData, Key); +sign(SigData, HashAlg,  #'DSAPrivateKey'{} = Key) -> +    mk_dss_sig(public_key:sign(SigData, HashAlg, Key)); +sign(SigData, HashAlg, Key = #'ECPrivateKey'{}) -> +    DerEncodedSign =  public_key:sign(SigData, HashAlg, Key),      #'ECDSA-Sig-Value'{r=R, s=S} = public_key:der_decode('ECDSA-Sig-Value', DerEncodedSign),      <<?Empint(R),?Empint(S)>>; -sign(SigData, Hash, Key) -> -    public_key:sign(SigData, Hash, Key). - -verify(PlainText, Hash, Sig, {_,  #'Dss-Parms'{}} = Key) -> -    <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>> = Sig, -    Signature = public_key:der_encode('Dss-Sig-Value', #'Dss-Sig-Value'{r = R, s = S}), -    public_key:verify(PlainText, Hash, Signature, Key); -verify(PlainText, Hash, Sig, {#'ECPoint'{},_} = Key) -> -    <<?UINT32(Rlen),R:Rlen/big-signed-integer-unit:8, -      ?UINT32(Slen),S:Slen/big-signed-integer-unit:8>> = Sig, -    Sval = #'ECDSA-Sig-Value'{r=R, s=S}, -    DerEncodedSig = public_key:der_encode('ECDSA-Sig-Value',Sval), -    public_key:verify(PlainText, Hash, DerEncodedSig, Key); -verify(PlainText, Hash, Sig, Key) -> -    public_key:verify(PlainText, Hash, Sig, Key). +sign(SigData, HashAlg, Key) -> +    public_key:sign(SigData, HashAlg, Key). + + +mk_dss_sig(DerSignature) -> +    #'Dss-Sig-Value'{r = R, s = S} = public_key:der_decode('Dss-Sig-Value', DerSignature), +    <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>>. + + +verify(PlainText, HashAlg, Sig, {_,  #'Dss-Parms'{}} = Key) -> +    case Sig of +        <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>> -> +            Signature = public_key:der_encode('Dss-Sig-Value', #'Dss-Sig-Value'{r = R, s = S}), +            public_key:verify(PlainText, HashAlg, Signature, Key); +        _ -> +            false +    end; +verify(PlainText, HashAlg, Sig, {#'ECPoint'{},_} = Key) -> +    case Sig of +        <<?UINT32(Rlen),R:Rlen/big-signed-integer-unit:8, +          ?UINT32(Slen),S:Slen/big-signed-integer-unit:8>> -> +            Sval = #'ECDSA-Sig-Value'{r=R, s=S}, +            DerEncodedSig = public_key:der_encode('ECDSA-Sig-Value',Sval), +            public_key:verify(PlainText, HashAlg, DerEncodedSig, Key); +        _ -> +            false +    end; +verify(PlainText, HashAlg, Sig, Key) -> +    public_key:verify(PlainText, HashAlg, Sig, Key).  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -1604,81 +1793,89 @@ mac('hmac-sha2-256', Key, SeqNum, Data) ->  mac('hmac-sha2-512', Key, SeqNum, Data) ->  	crypto:hmac(sha512, Key, [<<?UINT32(SeqNum)>>, Data]). -%% return N hash bytes (HASH) -hash(SSH, Char, Bits) -> -    HASH = -	case SSH#ssh.kex of -	    'diffie-hellman-group1-sha1' -> -		fun(Data) -> crypto:hash(sha, Data) end; -	    'diffie-hellman-group14-sha1' -> -		fun(Data) -> crypto:hash(sha, Data) end; - -	    'diffie-hellman-group-exchange-sha1' -> -		fun(Data) -> crypto:hash(sha, Data) end; -	    'diffie-hellman-group-exchange-sha256' -> -		fun(Data) -> crypto:hash(sha256, Data) end; - -	    'ecdh-sha2-nistp256' -> -		fun(Data) -> crypto:hash(sha256,Data) end; -	    'ecdh-sha2-nistp384' -> -		fun(Data) -> crypto:hash(sha384,Data) end; -	    'ecdh-sha2-nistp521' -> -		fun(Data) -> crypto:hash(sha512,Data) end; -	    _ -> -		exit({bad_algorithm,SSH#ssh.kex}) -	end, -    hash(SSH, Char, Bits, HASH). -hash(_SSH, _Char, 0, _HASH) -> +%%%---------------------------------------------------------------- +%% return N hash bytes (HASH) +hash(_SSH, _Char, 0) ->      <<>>; -hash(SSH, Char, N, HASH) -> -    K = ssh_bits:mpint(SSH#ssh.shared_secret), +hash(SSH, Char, N) -> +    HashAlg = sha(SSH#ssh.kex), +    K = SSH#ssh.shared_secret,      H = SSH#ssh.exchanged_hash, -    SessionID = SSH#ssh.session_id, -    K1 = HASH([K, H, Char, SessionID]), +    K1 = crypto:hash(HashAlg, [K, H, Char,  SSH#ssh.session_id]),      Sz = N div 8, -    <<Key:Sz/binary, _/binary>> = hash(K, H, K1, N-128, HASH), +    <<Key:Sz/binary, _/binary>> = hash(K, H, K1, N-128, HashAlg),      Key. -hash(_K, _H, Ki, N, _HASH) when N =< 0 -> +hash(_K, _H, Ki, N, _HashAlg) when N =< 0 ->      Ki; -hash(K, H, Ki, N, HASH) -> -    Kj = HASH([K, H, Ki]), -    hash(K, H, <<Ki/binary, Kj/binary>>, N-128, HASH). - -kex_h(SSH, Key, E, F, K) -> -    KeyBin = public_key:ssh_encode(Key, ssh2_pubkey), -    L = <<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version), -	  ?Ebinary(SSH#ssh.c_keyinit), ?Ebinary(SSH#ssh.s_keyinit), ?Ebinary(KeyBin), -	  ?Empint(E), ?Empint(F), ?Empint(K)>>, -    crypto:hash(sha((SSH#ssh.algorithms)#alg.kex), L). - -kex_h(SSH, Curve, Key, Q_c, Q_s, K) -> -    KeyBin = public_key:ssh_encode(Key, ssh2_pubkey), -    L = <<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version), -	  ?Ebinary(SSH#ssh.c_keyinit), ?Ebinary(SSH#ssh.s_keyinit), ?Ebinary(KeyBin), -	  ?Empint(Q_c), ?Empint(Q_s), ?Empint(K)>>, -    crypto:hash(sha(Curve), L). - -kex_h(SSH, Key, Min, NBits, Max, Prime, Gen, E, F, K) -> -    KeyBin = public_key:ssh_encode(Key, ssh2_pubkey), -    L = if Min==-1; Max==-1 -> -		%% flag from 'ssh_msg_kex_dh_gex_request_old' -		%% It was like this before that message was supported, -		%% why? -		<<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version), -		  ?Ebinary(SSH#ssh.c_keyinit), ?Ebinary(SSH#ssh.s_keyinit), ?Ebinary(KeyBin), -		  ?Empint(E), ?Empint(F), ?Empint(K)>>; -	   true -> -		<<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version), -		  ?Ebinary(SSH#ssh.c_keyinit), ?Ebinary(SSH#ssh.s_keyinit), ?Ebinary(KeyBin), -		  ?Euint32(Min), ?Euint32(NBits), ?Euint32(Max), -		  ?Empint(Prime), ?Empint(Gen), ?Empint(E), ?Empint(F), ?Empint(K)>> -	end, -    crypto:hash(sha((SSH#ssh.algorithms)#alg.kex), L). -   +hash(K, H, Ki, N, HashAlg) -> +    Kj = crypto:hash(HashAlg, [K, H, Ki]), +    hash(K, H, <<Ki/binary, Kj/binary>>, N-128, HashAlg). + +%%%---------------------------------------------------------------- +kex_hash(SSH, Key, HashAlg, Args) -> +    crypto:hash(HashAlg, kex_plaintext(SSH,Key,Args)). + +kex_plaintext(SSH, Key, Args) -> +    EncodedKey = public_key:ssh_encode(Key, ssh2_pubkey), +    <<?Estring(SSH#ssh.c_version), ?Estring(SSH#ssh.s_version), +      ?Ebinary(SSH#ssh.c_keyinit), ?Ebinary(SSH#ssh.s_keyinit), +      ?Ebinary(EncodedKey), +      (kex_alg_dependent(Args))/binary>>. + +kex_alg_dependent({E, F, K}) -> +    %% diffie-hellman and ec diffie-hellman (with E = Q_c, F = Q_s) +    <<?Empint(E), ?Empint(F), ?Empint(K)>>; + +kex_alg_dependent({-1, _, -1, _, _, E, F, K}) -> +    %% ssh_msg_kex_dh_gex_request_old +    <<?Empint(E), ?Empint(F), ?Empint(K)>>; + +kex_alg_dependent({Min, NBits, Max, Prime, Gen, E, F, K}) -> +    %% diffie-hellman group exchange +    <<?Euint32(Min), ?Euint32(NBits), ?Euint32(Max), +      ?Empint(Prime), ?Empint(Gen), ?Empint(E), ?Empint(F), ?Empint(K)>>. + +%%%---------------------------------------------------------------- + +valid_key_sha_alg(#{engine:=_, key_id:=_}, _Alg) -> true; % Engine key + +valid_key_sha_alg(#'RSAPublicKey'{}, 'rsa-sha2-512') -> true; +valid_key_sha_alg(#'RSAPublicKey'{}, 'rsa-sha2-384') -> true; +valid_key_sha_alg(#'RSAPublicKey'{}, 'rsa-sha2-256') -> true; +valid_key_sha_alg(#'RSAPublicKey'{}, 'ssh-rsa'     ) -> true; + +valid_key_sha_alg(#'RSAPrivateKey'{}, 'rsa-sha2-512') -> true; +valid_key_sha_alg(#'RSAPrivateKey'{}, 'rsa-sha2-384') -> true; +valid_key_sha_alg(#'RSAPrivateKey'{}, 'rsa-sha2-256') -> true; +valid_key_sha_alg(#'RSAPrivateKey'{}, 'ssh-rsa'     ) -> true; + +valid_key_sha_alg({_, #'Dss-Parms'{}}, 'ssh-dss') -> true; +valid_key_sha_alg(#'DSAPrivateKey'{},  'ssh-dss') -> true; + +valid_key_sha_alg({#'ECPoint'{},{namedCurve,OID}},                Alg) -> valid_key_sha_alg_ec(OID, Alg); +valid_key_sha_alg(#'ECPrivateKey'{parameters = {namedCurve,OID}}, Alg) -> valid_key_sha_alg_ec(OID, Alg); +valid_key_sha_alg(_, _) -> false. +     +valid_key_sha_alg_ec(OID, Alg) ->  +    Curve = public_key:oid2ssh_curvename(OID), +    Alg == list_to_atom("ecdsa-sha2-" ++ binary_to_list(Curve)). +     + +public_algo(#'RSAPublicKey'{}) ->   'ssh-rsa';  % FIXME: Not right with draft-curdle-rsa-sha2 +public_algo({_, #'Dss-Parms'{}}) -> 'ssh-dss'; +public_algo({#'ECPoint'{},{namedCurve,OID}}) ->  +    Curve = public_key:oid2ssh_curvename(OID), +    list_to_atom("ecdsa-sha2-" ++ binary_to_list(Curve)). + + +  sha('ssh-rsa') -> sha; +sha('rsa-sha2-256') -> sha256; +sha('rsa-sha2-384') -> sha384; +sha('rsa-sha2-512') -> sha512;  sha('ssh-dss') -> sha;  sha('ecdsa-sha2-nistp256') -> sha(secp256r1);  sha('ecdsa-sha2-nistp384') -> sha(secp384r1); @@ -1688,11 +1885,18 @@ sha(secp384r1) -> sha384;  sha(secp521r1) -> sha512;  sha('diffie-hellman-group1-sha1') -> sha;  sha('diffie-hellman-group14-sha1') -> sha; +sha('diffie-hellman-group14-sha256') -> sha256; +sha('diffie-hellman-group16-sha512') -> sha512; +sha('diffie-hellman-group18-sha512') -> sha512;  sha('diffie-hellman-group-exchange-sha1')   -> sha;  sha('diffie-hellman-group-exchange-sha256') -> sha256;  sha(?'secp256r1') -> sha(secp256r1);  sha(?'secp384r1') -> sha(secp384r1); -sha(?'secp521r1') -> sha(secp521r1). +sha(?'secp521r1') -> sha(secp521r1); +sha('ecdh-sha2-nistp256') -> sha(secp256r1); +sha('ecdh-sha2-nistp384') -> sha(secp384r1); +sha('ecdh-sha2-nistp521') -> sha(secp521r1); +sha(Str) when is_list(Str), length(Str)<50 -> sha(list_to_atom(Str)).  mac_key_bytes('hmac-sha1')    -> 20; @@ -1715,9 +1919,6 @@ mac_digest_size('AEAD_AES_128_GCM') -> 16;  mac_digest_size('AEAD_AES_256_GCM') -> 16;  mac_digest_size(none) -> 0. -peer_name({Host, _}) -> -    Host. -  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%  %% Diffie-Hellman utils @@ -1725,7 +1926,10 @@ peer_name({Host, _}) ->  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  dh_group('diffie-hellman-group1-sha1') ->  ?dh_group1; -dh_group('diffie-hellman-group14-sha1') -> ?dh_group14. +dh_group('diffie-hellman-group14-sha1') -> ?dh_group14; +dh_group('diffie-hellman-group14-sha256') -> ?dh_group14; +dh_group('diffie-hellman-group16-sha512') -> ?dh_group16; +dh_group('diffie-hellman-group18-sha512') -> ?dh_group18.  %%%----------------------------------------------------------------  parallell_gen_key(Ssh = #ssh{keyex_key = {x, {G, P}}, @@ -1816,10 +2020,6 @@ len_supported(Name, Len) ->  same(Algs) ->  [{client2server,Algs}, {server2client,Algs}]. - -%% default_algorithms(kex) -> % Example of how to disable an algorithm -%%     supported_algorithms(kex, ['ecdh-sha2-nistp521']); -  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%  %% Other utils @@ -1827,12 +2027,6 @@ same(Algs) ->  [{client2server,Algs}, {server2client,Algs}].  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  trim_tail(Str) -> -    lists:reverse(trim_head(lists:reverse(Str))). - -trim_head([$\s|Cs]) -> trim_head(Cs); -trim_head([$\t|Cs]) -> trim_head(Cs); -trim_head([$\n|Cs]) -> trim_head(Cs); -trim_head([$\r|Cs]) -> trim_head(Cs); -trim_head(Cs) -> Cs. - - +    lists:takewhile(fun(C) ->  +			    C=/=$\r andalso C=/=$\n +		    end, Str). diff --git a/lib/ssh/src/ssh_transport.hrl b/lib/ssh/src/ssh_transport.hrl index f91cb1dd63..87c3719514 100644 --- a/lib/ssh/src/ssh_transport.hrl +++ b/lib/ssh/src/ssh_transport.hrl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -48,6 +48,7 @@  -define(SSH_MSG_DEBUG,                  4).  -define(SSH_MSG_SERVICE_REQUEST,        5).  -define(SSH_MSG_SERVICE_ACCEPT,         6). +-define(SSH_MSG_EXT_INFO,               7).  -define(SSH_MSG_KEXINIT,                20).  -define(SSH_MSG_NEWKEYS,                21). @@ -88,6 +89,20 @@  	  name     %% string  	 }). +-record(ssh_msg_ext_info, +       { +         nr_extensions, %% uint32 + +         %% repeat the following 2 fields "nr-extensions" times: +         %%   string   extension-name +         %%   string   extension-value + +         data  %% [{extension-name,    %% string +               %%   extension-value},  %% string +               %%         ... +               %% ] +       }). +  -record(ssh_msg_kexinit,  	{  	  cookie,                                   %% random(16) @@ -112,7 +127,7 @@  %%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% diffie-hellman-group1-sha1 | diffie-hellman-group14-sha1 +%% diffie-hellman-group*-sha*  -define(SSH_MSG_KEXDH_INIT,   30).  -define(SSH_MSG_KEXDH_REPLY,  31). @@ -238,4 +253,15 @@  -define(dh_group14,  	 {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF}). +%%% rfc 3526, ch5 +%%% Size 4096-bit +-define(dh_group16, +        {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF}). + +%%% rfc 3526, ch7 +%%% Size 8192-bit +-define(dh_group18, +        {2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E438777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F5683423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD922222E04A4037C0713EB57A81A23F0C73473FC646CEA306B4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A364597E899A0255DC164F31CC50846851DF9AB48195DED7EA1B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F924009438B481C6CD7889A002ED5EE382BC9190DA6FC026E479558E4475677E9AA9E3050E2765694DFC81F56E880B96E7160C980DD98EDD3DFFFFFFFFFFFFFFFFF}). + +  -endif. % -ifdef(ssh_transport). diff --git a/lib/ssh/src/sshc_sup.erl b/lib/ssh/src/sshc_sup.erl index 15858f36e1..133b2c6450 100644 --- a/lib/ssh/src/sshc_sup.erl +++ b/lib/ssh/src/sshc_sup.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -27,23 +27,25 @@  -behaviour(supervisor). --export([start_link/1, start_child/1, stop_child/1]). +-export([start_link/0, start_child/1, stop_child/1]).  %% Supervisor callback  -export([init/1]). +-define(SSHC_SUP, ?MODULE). +  %%%=========================================================================  %%%  API  %%%========================================================================= -start_link(Args) -> -    supervisor:start_link({local, ?MODULE}, ?MODULE, [Args]). +start_link() -> +    supervisor:start_link({local,?SSHC_SUP}, ?MODULE, []).  start_child(Args) ->      supervisor:start_child(?MODULE, Args).  stop_child(Client) ->      spawn(fun() ->  -		  ClientSup = whereis(?MODULE), +		  ClientSup = whereis(?SSHC_SUP),  		  supervisor:terminate_child(ClientSup, Client)  	  end),      ok. @@ -51,22 +53,17 @@ stop_child(Client) ->  %%%=========================================================================  %%%  Supervisor callback  %%%========================================================================= --spec init( [term()] ) -> {ok,{supervisor:sup_flags(),[supervisor:child_spec()]}} | ignore . - -init(Args) -> -    RestartStrategy = simple_one_for_one, -    MaxR = 0, -    MaxT = 3600, -    {ok, {{RestartStrategy, MaxR, MaxT}, [child_spec(Args)]}}. - -%%%========================================================================= -%%%  Internal functions -%%%========================================================================= -child_spec(_) -> -    Name = undefined, % As simple_one_for_one is used. -    StartFunc = {ssh_connection_handler, start_link, []}, -    Restart = temporary, -    Shutdown = 4000, -    Modules = [ssh_connection_handler], -    Type = worker, -    {Name, StartFunc, Restart, Shutdown, Type, Modules}. +init(_) -> +    SupFlags = #{strategy  => simple_one_for_one,  +                 intensity =>    0, +                 period    => 3600 +                }, +    ChildSpecs = [#{id       => undefined, % As simple_one_for_one is used. +                    start    => {ssh_connection_handler, start_link, []}, +                    restart  => temporary, +                    shutdown => 4000, +                    type     => worker, +                    modules  => [ssh_connection_handler] +                   } +                 ], +    {ok, {SupFlags,ChildSpecs}}. diff --git a/lib/ssh/src/sshd_sup.erl b/lib/ssh/src/sshd_sup.erl index 04d2df30f7..c23e65d955 100644 --- a/lib/ssh/src/sshd_sup.erl +++ b/lib/ssh/src/sshd_sup.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2008-2016. All Rights Reserved. +%% Copyright Ericsson AB 2008-2017. All Rights Reserved.  %%  %% Licensed under the Apache License, Version 2.0 (the "License");  %% you may not use this file except in compliance with the License. @@ -19,7 +19,7 @@  %%  %%  %%---------------------------------------------------------------------- -%% Purpose: The top supervisor for ssh servers hangs under  +%% Purpose: The top supervisor for ssh servers hangs under  %%          ssh_sup.  %%---------------------------------------------------------------------- @@ -29,90 +29,79 @@  -include("ssh.hrl"). --export([start_link/1, start_child/1, stop_child/1, -	 stop_child/3, system_name/1]). +-export([start_link/0, +         start_child/4, +         stop_child/1, +	 stop_child/3 +]).  %% Supervisor callback  -export([init/1]). +-define(SSHD_SUP, ?MODULE). +  %%%=========================================================================  %%%  API  %%%========================================================================= -start_link(Servers) -> -    supervisor:start_link({local, ?MODULE}, ?MODULE, [Servers]). +start_link() -> +    %% No children are start now. We wait until the user calls ssh:daemon +    %% and uses start_child/4 to create the children +    supervisor:start_link({local,?SSHD_SUP}, ?MODULE, []). -start_child(ServerOpts) -> -    Address = proplists:get_value(address, ServerOpts), -    Port = proplists:get_value(port, ServerOpts),     -    Profile = proplists:get_value(profile,  proplists:get_value(ssh_opts, ServerOpts), ?DEFAULT_PROFILE), +start_child(Address, Port, Profile, Options) ->      case ssh_system_sup:system_supervisor(Address, Port, Profile) of         undefined -> -	    Spec =  child_spec(Address, Port, ServerOpts),     -	    case supervisor:start_child(?MODULE, Spec) of -		{error, already_present} -> -		    Name = id(Address, Port, Profile), -		    supervisor:delete_child(?MODULE, Name), -		    supervisor:start_child(?MODULE, Spec); -		Reply -> -		    Reply -	    end; +            %% Here we start listening on a new Host/Port/Profile +	    Spec = child_spec(Address, Port, Profile, Options), +            supervisor:start_child(?SSHD_SUP, Spec);  	Pid -> +            %% Here we resume listening on a new Host/Port/Profile after +            %% haveing stopped listening to he same with ssh:stop_listen(Pid)  	    AccPid = ssh_system_sup:acceptor_supervisor(Pid), -	    ssh_acceptor_sup:start_child(AccPid, ServerOpts) +            ssh_acceptor_sup:start_child(AccPid, Address, Port, Profile, Options), +            {ok,Pid}      end. -stop_child(Name) -> -    supervisor:terminate_child(?MODULE, Name). +stop_child(ChildId) when is_tuple(ChildId) -> +    supervisor:terminate_child(?SSHD_SUP, ChildId); +stop_child(ChildPid) when is_pid(ChildPid)-> +    stop_child(system_name(ChildPid)). -stop_child(Address, Port, Profile) -> -    Name = id(Address, Port, Profile), -    stop_child(Name). -system_name(SysSup) -> -    Children = supervisor:which_children(sshd_sup), -    system_name(SysSup, Children). +stop_child(Address, Port, Profile) -> +    Id = id(Address, Port, Profile), +    stop_child(Id).  %%%=========================================================================  %%%  Supervisor callback  %%%========================================================================= --spec init( [term()] ) -> {ok,{supervisor:sup_flags(),[supervisor:child_spec()]}} | ignore . - -init([Servers]) -> -    RestartStrategy = one_for_one, -    MaxR = 10, -    MaxT = 3600, -    Fun = fun(ServerOpts) ->  -		  Address = proplists:get_value(address, ServerOpts), -		  Port = proplists:get_value(port, ServerOpts), -		  child_spec(Address, Port, ServerOpts)  -	  end, -    Children = lists:map(Fun, Servers), -    {ok, {{RestartStrategy, MaxR, MaxT}, Children}}. +init(_) -> +    SupFlags = #{strategy  => one_for_one, +                 intensity =>   10, +                 period    => 3600 +                }, +    ChildSpecs = [ +                 ], +    {ok, {SupFlags,ChildSpecs}}.  %%%=========================================================================  %%%  Internal functions  %%%========================================================================= -child_spec(Address, Port, ServerOpts) -> -    Profile = proplists:get_value(profile,  proplists:get_value(ssh_opts, ServerOpts), ?DEFAULT_PROFILE), -    Name = id(Address, Port,Profile), -    StartFunc = {ssh_system_sup, start_link, [ServerOpts]}, -    Restart = temporary,  -    Shutdown = infinity, -    Modules = [ssh_system_sup], -    Type = supervisor, -    {Name, StartFunc, Restart, Shutdown, Type, Modules}. +child_spec(Address, Port, Profile, Options) -> +    #{id       => id(Address, Port, Profile), +      start    => {ssh_system_sup, start_link, [Address, Port, Profile, Options]}, +      restart  => temporary, +      shutdown => infinity, +      type     => supervisor, +      modules  => [ssh_system_sup] +     }.  id(Address, Port, Profile) -> -    case is_list(Address) of	 -	true -> -	    {server, ssh_system_sup, any, Port, Profile}; -	false -> -	    {server, ssh_system_sup, Address, Port, Profile} +    {server, ssh_system_sup, Address, Port, Profile}. + +system_name(SysSup) -> +    case lists:keyfind(SysSup, 2, supervisor:which_children(?SSHD_SUP)) of +        {Name, SysSup, _, _} -> Name; +        false -> undefind      end. -system_name([], _ ) -> -    undefined; -system_name(SysSup, [{Name, SysSup, _, _} | _]) -> -    Name; -system_name(SysSup, [_ | Rest]) -> -    system_name(SysSup, Rest). | 
