/usr/src/usr.bin/ssh/sshd/../sshd.c

Bug Summary

File:	src/usr.bin/ssh/sshd/../sshd.c
Warning:	line 1260, column 5 Value stored to 'pid' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name sshd.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/ssh/sshd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.bin/ssh/sshd/.. -D WITH_OPENSSL -D WITH_ZLIB -D ENABLE_PKCS11 -D HAVE_DLOPEN -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -fdebug-compilation-dir=/usr/src/usr.bin/ssh/sshd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/ssh/sshd/../sshd.c

1	/* $OpenBSD: sshd.c,v 1.582 2021/11/18 03:07:59 djm Exp $ */
2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5	* All rights reserved
6	* This program is the ssh daemon. It listens for connections from clients,
7	* and performs authentication, executes use commands or shell, and forwards
8	* information to/from the application to the user client over an encrypted
9	* connection. This can also handle forwarding of X11, TCP/IP, and
10	* authentication agent connections.
11	*
12	* As far as I am concerned, the code I have written for this software
13	* can be used freely for any purpose. Any derived versions of this
14	* software must be clearly marked as such, and if the derived work is
15	* incompatible with the protocol description in the RFC file, it must be
16	* called by a name other than "ssh" or "Secure Shell".
17	*
18	* SSH2 implementation:
19	* Privilege Separation:
20	*
21	* Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
22	* Copyright (c) 2002 Niels Provos. All rights reserved.
23	*
24	* Redistribution and use in source and binary forms, with or without
25	* modification, are permitted provided that the following conditions
26	* are met:
27	* 1. Redistributions of source code must retain the above copyright
28	* notice, this list of conditions and the following disclaimer.
29	* 2. Redistributions in binary form must reproduce the above copyright
30	* notice, this list of conditions and the following disclaimer in the
31	* documentation and/or other materials provided with the distribution.
32	*
33	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
34	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
35	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
36	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
37	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
38	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
39	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
40	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
41	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
42	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
43	*/
44
45	#include <sys/types.h>
46	#include <sys/ioctl.h>
47	#include <sys/wait.h>
48	#include <sys/tree.h>
49	#include <sys/stat.h>
50	#include <sys/socket.h>
51	#include <sys/time.h>
52	#include <sys/queue.h>
53
54	#include <errno(*__errno()).h>
55	#include <fcntl.h>
56	#include <netdb.h>
57	#include <paths.h>
58	#include <poll.h>
59	#include <pwd.h>
60	#include <signal.h>
61	#include <stdio.h>
62	#include <stdlib.h>
63	#include <string.h>
64	#include <stdarg.h>
65	#include <unistd.h>
66	#include <limits.h>
67
68	#ifdef WITH_OPENSSL1
69	#include <openssl/bn.h>
70	#endif
71
72	#include "xmalloc.h"
73	#include "ssh.h"
74	#include "ssh2.h"
75	#include "sshpty.h"
76	#include "packet.h"
77	#include "log.h"
78	#include "sshbuf.h"
79	#include "misc.h"
80	#include "match.h"
81	#include "servconf.h"
82	#include "uidswap.h"
83	#include "compat.h"
84	#include "cipher.h"
85	#include "digest.h"
86	#include "sshkey.h"
87	#include "kex.h"
88	#include "myproposal.h"
89	#include "authfile.h"
90	#include "pathnames.h"
91	#include "atomicio.h"
92	#include "canohost.h"
93	#include "hostfile.h"
94	#include "auth.h"
95	#include "authfd.h"
96	#include "msg.h"
97	#include "dispatch.h"
98	#include "channels.h"
99	#include "session.h"
100	#include "monitor.h"
101	#ifdef GSSAPI
102	#include "ssh-gss.h"
103	#endif
104	#include "monitor_wrap.h"
105	#include "ssh-sandbox.h"
106	#include "auth-options.h"
107	#include "version.h"
108	#include "ssherr.h"
109	#include "sk-api.h"
110	#include "srclimit.h"
111	#include "dh.h"
112
113	/* Re-exec fds */
114	#define REEXEC_DEVCRYPTO_RESERVED_FD(2 + 1) (STDERR_FILENO2 + 1)
115	#define REEXEC_STARTUP_PIPE_FD(2 + 2) (STDERR_FILENO2 + 2)
116	#define REEXEC_CONFIG_PASS_FD(2 + 3) (STDERR_FILENO2 + 3)
117	#define REEXEC_MIN_FREE_FD(2 + 4) (STDERR_FILENO2 + 4)
118
119	extern char *__progname;
120
121	/* Server configuration options. */
122	ServerOptions options;
123
124	/* Name of the server configuration file. */
125	char *config_file_name = _PATH_SERVER_CONFIG_FILE"/etc" "/ssh" "/sshd_config";
126
127	/*
128	* Debug mode flag. This can be set on the command line. If debug
129	* mode is enabled, extra debugging output will be sent to the system
130	* log, the daemon will not go to background, and will exit after processing
131	* the first connection.
132	*/
133	int debug_flag = 0;
134
135	/*
136	* Indicating that the daemon should only test the configuration and keys.
137	* If test_flag > 1 ("-T" flag), then sshd will also dump the effective
138	* configuration, optionally using connection information provided by the
139	* "-C" flag.
140	*/
141	static int test_flag = 0;
142
143	/* Flag indicating that the daemon is being started from inetd. */
144	static int inetd_flag = 0;
145
146	/* Flag indicating that sshd should not detach and become a daemon. */
147	static int no_daemon_flag = 0;
148
149	/* debug goes to stderr unless inetd_flag is set */
150	static int log_stderr = 0;
151
152	/* Saved arguments to main(). */
153	static char **saved_argv;
154
155	/* re-exec */
156	static int rexeced_flag = 0;
157	static int rexec_flag = 1;
158	static int rexec_argc = 0;
159	static char **rexec_argv;
160
161	/*
162	* The sockets that the server is listening; this is used in the SIGHUP
163	* signal handler.
164	*/
165	#define MAX_LISTEN_SOCKS16 16
166	static int listen_socks[MAX_LISTEN_SOCKS16];
167	static int num_listen_socks = 0;
168
169	/* Daemon's agent connection */
170	int auth_sock = -1;
171	static int have_agent = 0;
172
173	/*
174	* Any really sensitive data in the application is contained in this
175	* structure. The idea is that this structure could be locked into memory so
176	* that the pages do not get written into swap. However, there are some
177	* problems. The private key contains BIGNUMs, and we do not (in principle)
178	* have access to the internals of them, and locking just the structure is
179	* not very useful. Currently, memory locking is not implemented.
180	*/
181	struct {
182	struct sshkey *host_keys; / all private host keys */
183	struct sshkey *host_pubkeys; / all public host keys */
184	struct sshkey *host_certificates; / all public host certificates */
185	int have_ssh2_key;
186	} sensitive_data;
187
188	/* This is set to true when a signal is received. */
189	static volatile sig_atomic_t received_sighup = 0;
190	static volatile sig_atomic_t received_sigterm = 0;
191
192	/* record remote hostname or ip */
193	u_int utmp_len = HOST_NAME_MAX255+1;
194
195	/*
196	* startup_pipes/flags are used for tracking children of the listening sshd
197	* process early in their lifespans. This tracking is needed for three things:
198	*
199	* 1) Implementing the MaxStartups limit of concurrent unauthenticated
200	* connections.
201	* 2) Avoiding a race condition for SIGHUP processing, where child processes
202	* may have listen_socks open that could collide with main listener process
203	* after it restarts.
204	* 3) Ensuring that rexec'd sshd processes have received their initial state
205	* from the parent listen process before handling SIGHUP.
206	*
207	* Child processes signal that they have completed closure of the listen_socks
208	* and (if applicable) received their rexec state by sending a char over their
209	* sock. Child processes signal that authentication has completed by closing
210	* the sock (or by exiting).
211	*/
212	static int startup_pipes = NULL((void)0);
213	static int startup_flags = NULL((void)0); /* Indicates child closed listener */
214	static int startup_pipe = -1; /* in child */
215
216	/* variables used for privilege separation */
217	int use_privsep = -1;
218	struct monitor pmonitor = NULL((void)0);
219	int privsep_is_preauth = 1;
220
221	/* global connection state and authentication contexts */
222	Authctxt the_authctxt = NULL((void)0);
223	struct ssh *the_active_state;
224
225	/* global key/cert auth options. XXX move to permanent ssh->authctxt? */
226	struct sshauthopt auth_opts = NULL((void)0);
227
228	/* sshd_config buffer */
229	struct sshbuf *cfg;
230
231	/* Included files from the configuration file */
232	struct include_list includes = TAILQ_HEAD_INITIALIZER(includes){ ((void*)0), &(includes).tqh_first };
233
234	/* message to be displayed after login */
235	struct sshbuf *loginmsg;
236
237	/* Prototypes for various functions defined later in this file. */
238	void destroy_sensitive_data(void);
239	void demote_sensitive_data(void);
240	static void do_ssh2_kex(struct ssh *);
241
242	static char *listener_proctitle;
243
244	/*
245	* Close all listening sockets
246	*/
247	static void
248	close_listen_socks(void)
249	{
250	int i;
251
252	for (i = 0; i < num_listen_socks; i++)
253	close(listen_socks[i]);
254	num_listen_socks = 0;
255	}
256
257	static void
258	close_startup_pipes(void)
259	{
260	int i;
261
262	if (startup_pipes)
263	for (i = 0; i < options.max_startups; i++)
264	if (startup_pipes[i] != -1)
265	close(startup_pipes[i]);
266	}
267
268	/*
269	* Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP;
270	* the effect is to reread the configuration file (and to regenerate
271	* the server key).
272	*/
273
274	/ARGSUSED/
275	static void
276	sighup_handler(int sig)
277	{
278	received_sighup = 1;
279	}
280
281	/*
282	* Called from the main program after receiving SIGHUP.
283	* Restarts the server.
284	*/
285	static void
286	sighup_restart(void)
287	{
288	logit("Received SIGHUP; restarting.")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 288, 0 , SYSLOG_LEVEL_INFO, ((void*)0), "Received SIGHUP; restarting." );
289	if (options.pid_file != NULL((void*)0))
290	unlink(options.pid_file);
291	close_listen_socks();
292	close_startup_pipes();
293	ssh_signal(SIGHUP1, SIG_IGN(void ()(int))1); / will be restored after exec */
294	execv(saved_argv[0], saved_argv);
295	logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 296, 0 , SYSLOG_LEVEL_INFO, ((void)0), "RESTART FAILED: av[0]='%.100s', error: %.100s." , saved_argv[0], strerror((__errno())))
296	strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 296, 0 , SYSLOG_LEVEL_INFO, ((void)0), "RESTART FAILED: av[0]='%.100s', error: %.100s." , saved_argv[0], strerror((__errno())));
297	exit(1);
298	}
299
300	/*
301	* Generic signal handler for terminating signals in the master daemon.
302	*/
303	/ARGSUSED/
304	static void
305	sigterm_handler(int sig)
306	{
307	received_sigterm = sig;
308	}
309
310	/*
311	* SIGCHLD handler. This is called whenever a child dies. This will then
312	* reap any zombies left by exited children.
313	*/
314	/ARGSUSED/
315	static void
316	main_sigchld_handler(int sig)
317	{
318	int save_errno = errno(*__errno());
319	pid_t pid;
320	int status;
321
322	while ((pid = waitpid(-1, &status, WNOHANG1)) > 0 \|\|
323	(pid == -1 && errno(*__errno()) == EINTR4))
324	;
325	errno(*__errno()) = save_errno;
326	}
327
328	/*
329	* Signal handler for the alarm after the login grace period has expired.
330	*/
331	/ARGSUSED/
332	static void
333	grace_alarm_handler(int sig)
334	{
335	if (use_privsep && pmonitor != NULL((void*)0) && pmonitor->m_pid > 0)
336	kill(pmonitor->m_pid, SIGALRM14);
337
338	/*
339	* Try to kill any processes that we have spawned, E.g. authorized
340	* keys command helpers.
341	*/
342	if (getpgid(0) == getpid()) {
343	ssh_signal(SIGTERM15, SIG_IGN(void (*)(int))1);
344	kill(0, SIGTERM15);
345	}
346
347	/* Log error and exit. */
348	if (use_privsep && pmonitor != NULL((void*)0) && pmonitor->m_pid <= 0)
349	cleanup_exit(255); /* don't log in privsep child */
350	else {
351	sigdie("Timeout before authentication for %s port %d",sshsigdie("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 353 , 0, SYSLOG_LEVEL_ERROR, ((void*)0), "Timeout before authentication for %s port %d" , ssh_remote_ipaddr(the_active_state), ssh_remote_port(the_active_state ))
352	ssh_remote_ipaddr(the_active_state),sshsigdie("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 353 , 0, SYSLOG_LEVEL_ERROR, ((void*)0), "Timeout before authentication for %s port %d" , ssh_remote_ipaddr(the_active_state), ssh_remote_port(the_active_state ))
353	ssh_remote_port(the_active_state))sshsigdie("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 353 , 0, SYSLOG_LEVEL_ERROR, ((void*)0), "Timeout before authentication for %s port %d" , ssh_remote_ipaddr(the_active_state), ssh_remote_port(the_active_state ));
354	}
355	}
356
357	/* Destroy the host and server keys. They will no longer be needed. */
358	void
359	destroy_sensitive_data(void)
360	{
361	u_int i;
362
363	for (i = 0; i < options.num_host_key_files; i++) {
364	if (sensitive_data.host_keys[i]) {
365	sshkey_free(sensitive_data.host_keys[i]);
366	sensitive_data.host_keys[i] = NULL((void*)0);
367	}
368	if (sensitive_data.host_certificates[i]) {
369	sshkey_free(sensitive_data.host_certificates[i]);
370	sensitive_data.host_certificates[i] = NULL((void*)0);
371	}
372	}
373	}
374
375	/* Demote private to public keys for network child */
376	void
377	demote_sensitive_data(void)
378	{
379	struct sshkey *tmp;
380	u_int i;
381	int r;
382
383	for (i = 0; i < options.num_host_key_files; i++) {
384	if (sensitive_data.host_keys[i]) {
385	if ((r = sshkey_from_private(
386	sensitive_data.host_keys[i], &tmp)) != 0)
387	fatal_r(r, "could not demote host %s key",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 388 , 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "could not demote host %s key" , sshkey_type(sensitive_data.host_keys[i]))
388	sshkey_type(sensitive_data.host_keys[i]))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 388 , 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "could not demote host %s key" , sshkey_type(sensitive_data.host_keys[i]));
389	sshkey_free(sensitive_data.host_keys[i]);
390	sensitive_data.host_keys[i] = tmp;
391	}
392	/* Certs do not need demotion */
393	}
394	}
395
396	static void
397	privsep_preauth_child(void)
398	{
399	gid_t gidset[1];
400	struct passwd *pw;
401
402	/* Enable challenge-response authentication for privilege separation */
403	privsep_challenge_enable();
404
405	#ifdef GSSAPI
406	/* Cache supported mechanism OIDs for later use */
407	ssh_gssapi_prepare_supported_oids();
408	#endif
409
410	/* Demote the private keys to public keys. */
411	demote_sensitive_data();
412
413	/* Demote the child */
414	if (getuid() == 0 \|\| geteuid() == 0) {
415	if ((pw = getpwnam(SSH_PRIVSEP_USER"sshd")) == NULL((void*)0))
416	fatal("Privilege separation user %s does not exist",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 417 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Privilege separation user %s does not exist" , "sshd")
417	SSH_PRIVSEP_USER)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 417 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Privilege separation user %s does not exist" , "sshd");
418	pw = pwcopy(pw); /* Ensure mutable */
419	endpwent();
420	freezero(pw->pw_passwd, strlen(pw->pw_passwd));
421
422	/* Change our root directory */
423	if (chroot(_PATH_PRIVSEP_CHROOT_DIR"/var/empty") == -1)
424	fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 425 , 0, SYSLOG_LEVEL_FATAL, ((void)0), "chroot(\"%s\"): %s", "/var/empty" , strerror((__errno())))
425	strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 425 , 0, SYSLOG_LEVEL_FATAL, ((void)0), "chroot(\"%s\"): %s", "/var/empty" , strerror((__errno())));
426	if (chdir("/") == -1)
427	fatal("chdir(\"/\"): %s", strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 427 , 0, SYSLOG_LEVEL_FATAL, ((void)0), "chdir(\"/\"): %s", strerror ((__errno())));
428
429	/*
430	* Drop our privileges
431	* NB. Can't use setusercontext() after chroot.
432	*/
433	debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 434, 0 , SYSLOG_LEVEL_DEBUG3, ((void*)0), "privsep user:group %u:%u" , (u_int)pw->pw_uid, (u_int)pw->pw_gid)
434	(u_int)pw->pw_gid)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 434, 0 , SYSLOG_LEVEL_DEBUG3, ((void*)0), "privsep user:group %u:%u" , (u_int)pw->pw_uid, (u_int)pw->pw_gid);
435	gidset[0] = pw->pw_gid;
436	if (setgroups(1, gidset) == -1)
437	fatal("setgroups: %.100s", strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 437 , 0, SYSLOG_LEVEL_FATAL, ((void)0), "setgroups: %.100s", strerror ((__errno())));
438	permanently_set_uid(pw);
439	}
440	}
441
442	static int
443	privsep_preauth(struct ssh *ssh)
444	{
445	int status, r;
446	pid_t pid;
447	struct ssh_sandbox box = NULL((void)0);
448
449	/* Set up unprivileged child process to deal with network data */
450	pmonitor = monitor_init();
451	/* Store a pointer to the kex for later rekeying */
452	pmonitor->m_pkex = &ssh->kex;
453
454	if (use_privsep == PRIVSEP_ON1)
455	box = ssh_sandbox_init();
456	pid = fork();
457	if (pid == -1) {
458	fatal("fork of unprivileged child failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 458 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "fork of unprivileged child failed" );
459	} else if (pid != 0) {
460	debug2("Network child is on pid %ld", (long)pid)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 460, 0 , SYSLOG_LEVEL_DEBUG2, ((void*)0), "Network child is on pid %ld" , (long)pid);
461
462	pmonitor->m_pid = pid;
463	if (have_agent) {
464	r = ssh_get_authentication_socket(&auth_sock);
465	if (r != 0) {
466	error_r(r, "Could not get agent socket")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 466, 0 , SYSLOG_LEVEL_ERROR, ssh_err(r), "Could not get agent socket" );
467	have_agent = 0;
468	}
469	}
470	if (box != NULL((void*)0))
471	ssh_sandbox_parent_preauth(box, pid);
472	monitor_child_preauth(ssh, pmonitor);
473
474	/* Wait for the child's exit status */
475	while (waitpid(pid, &status, 0) == -1) {
476	if (errno(*__errno()) == EINTR4)
477	continue;
478	pmonitor->m_pid = -1;
479	fatal_f("waitpid: %s", strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 479 , 1, SYSLOG_LEVEL_FATAL, ((void)0), "waitpid: %s", strerror( (__errno())));
480	}
481	privsep_is_preauth = 0;
482	pmonitor->m_pid = -1;
483	if (WIFEXITED(status)(((status) & 0177) == 0)) {
484	if (WEXITSTATUS(status)(int)(((unsigned)(status) >> 8) & 0xff) != 0)
485	fatal_f("preauth child exited with status %d",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 486 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "preauth child exited with status %d" , (int)(((unsigned)(status) >> 8) & 0xff))
486	WEXITSTATUS(status))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 486 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "preauth child exited with status %d" , (int)(((unsigned)(status) >> 8) & 0xff));
487	} else if (WIFSIGNALED(status)(((status) & 0177) != 0177 && ((status) & 0177 ) != 0))
488	fatal_f("preauth child terminated by signal %d",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 489 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "preauth child terminated by signal %d" , (((status) & 0177)))
489	WTERMSIG(status))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 489 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "preauth child terminated by signal %d" , (((status) & 0177)));
490	if (box != NULL((void*)0))
491	ssh_sandbox_parent_finish(box);
492	return 1;
493	} else {
494	/* child */
495	close(pmonitor->m_sendfd);
496	close(pmonitor->m_log_recvfd);
497
498	/* Arrange for logging to be sent to the monitor */
499	set_log_handler(mm_log_handler, pmonitor);
500
501	privsep_preauth_child();
502	setproctitle("%s", "[net]");
503	if (box != NULL((void*)0))
504	ssh_sandbox_child(box);
505
506	return 0;
507	}
508	}
509
510	static void
511	privsep_postauth(struct ssh ssh, Authctxt authctxt)
512	{
513	if (authctxt->pw->pw_uid == 0) {
514	/* File descriptor passing is broken or root login */
515	use_privsep = 0;
516	goto skip;
517	}
518
519	/* New socket pair */
520	monitor_reinit(pmonitor);
521
522	pmonitor->m_pid = fork();
523	if (pmonitor->m_pid == -1)
524	fatal("fork of unprivileged child failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 524 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "fork of unprivileged child failed" );
525	else if (pmonitor->m_pid != 0) {
526	verbose("User child is on pid %ld", (long)pmonitor->m_pid)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 526, 0 , SYSLOG_LEVEL_VERBOSE, ((void*)0), "User child is on pid %ld" , (long)pmonitor->m_pid);
527	sshbuf_reset(loginmsg);
528	monitor_clear_keystate(ssh, pmonitor);
529	monitor_child_postauth(ssh, pmonitor);
530
531	/* NEVERREACHED */
532	exit(0);
533	}
534
535	/* child */
536
537	close(pmonitor->m_sendfd);
538	pmonitor->m_sendfd = -1;
539
540	/* Demote the private keys to public keys. */
541	demote_sensitive_data();
542
543	/* Drop privileges */
544	do_setusercontext(authctxt->pw);
545
546	skip:
547	/* It is safe now to apply the key state */
548	monitor_apply_keystate(ssh, pmonitor);
549
550	/*
551	* Tell the packet layer that authentication was successful, since
552	* this information is not part of the key state.
553	*/
554	ssh_packet_set_authenticated(ssh);
555	}
556
557	static void
558	append_hostkey_type(struct sshbuf b, const char s)
559	{
560	int r;
561
562	if (match_pattern_list(s, options.hostkeyalgorithms, 0) != 1) {
563	debug3_f("%s key not permitted by HostkeyAlgorithms", s)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 563, 1 , SYSLOG_LEVEL_DEBUG3, ((void*)0), "%s key not permitted by HostkeyAlgorithms" , s);
564	return;
565	}
566	if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) > 0 ? "," : "", s)) != 0)
567	fatal_fr(r, "sshbuf_putf")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 567 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_putf");
568	}
569
570	static char *
571	list_hostkey_types(void)
572	{
573	struct sshbuf *b;
574	struct sshkey *key;
575	char *ret;
576	u_int i;
577
578	if ((b = sshbuf_new()) == NULL((void*)0))
579	fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 579 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
580	for (i = 0; i < options.num_host_key_files; i++) {
581	key = sensitive_data.host_keys[i];
582	if (key == NULL((void*)0))
583	key = sensitive_data.host_pubkeys[i];
584	if (key == NULL((void*)0))
585	continue;
586	switch (key->type) {
587	case KEY_RSA:
588	/* for RSA we also support SHA2 signatures */
589	append_hostkey_type(b, "rsa-sha2-512");
590	append_hostkey_type(b, "rsa-sha2-256");
591	/* FALLTHROUGH */
592	case KEY_DSA:
593	case KEY_ECDSA:
594	case KEY_ED25519:
595	case KEY_ECDSA_SK:
596	case KEY_ED25519_SK:
597	case KEY_XMSS:
598	append_hostkey_type(b, sshkey_ssh_name(key));
599	break;
600	}
601	/* If the private key has a cert peer, then list that too */
602	key = sensitive_data.host_certificates[i];
603	if (key == NULL((void*)0))
604	continue;
605	switch (key->type) {
606	case KEY_RSA_CERT:
607	/* for RSA we also support SHA2 signatures */
608	append_hostkey_type(b,
609	"rsa-sha2-512-cert-v01@openssh.com");
610	append_hostkey_type(b,
611	"rsa-sha2-256-cert-v01@openssh.com");
612	/* FALLTHROUGH */
613	case KEY_DSA_CERT:
614	case KEY_ECDSA_CERT:
615	case KEY_ED25519_CERT:
616	case KEY_ECDSA_SK_CERT:
617	case KEY_ED25519_SK_CERT:
618	case KEY_XMSS_CERT:
619	append_hostkey_type(b, sshkey_ssh_name(key));
620	break;
621	}
622	}
623	if ((ret = sshbuf_dup_string(b)) == NULL((void*)0))
624	fatal_f("sshbuf_dup_string failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 624 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_dup_string failed" );
625	sshbuf_free(b);
626	debug_f("%s", ret)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 626, 1 , SYSLOG_LEVEL_DEBUG1, ((void*)0), "%s", ret);
627	return ret;
628	}
629
630	static struct sshkey *
631	get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
632	{
633	u_int i;
634	struct sshkey *key;
635
636	for (i = 0; i < options.num_host_key_files; i++) {
637	switch (type) {
638	case KEY_RSA_CERT:
639	case KEY_DSA_CERT:
640	case KEY_ECDSA_CERT:
641	case KEY_ED25519_CERT:
642	case KEY_ECDSA_SK_CERT:
643	case KEY_ED25519_SK_CERT:
644	case KEY_XMSS_CERT:
645	key = sensitive_data.host_certificates[i];
646	break;
647	default:
648	key = sensitive_data.host_keys[i];
649	if (key == NULL((void*)0) && !need_private)
650	key = sensitive_data.host_pubkeys[i];
651	break;
652	}
653	if (key == NULL((void*)0) \|\| key->type != type)
654	continue;
655	switch (type) {
656	case KEY_ECDSA:
657	case KEY_ECDSA_SK:
658	case KEY_ECDSA_CERT:
659	case KEY_ECDSA_SK_CERT:
660	if (key->ecdsa_nid != nid)
661	continue;
662	/* FALLTHROUGH */
663	default:
664	return need_private ?
665	sensitive_data.host_keys[i] : key;
666	}
667	}
668	return NULL((void*)0);
669	}
670
671	struct sshkey *
672	get_hostkey_public_by_type(int type, int nid, struct ssh *ssh)
673	{
674	return get_hostkey_by_type(type, nid, 0, ssh);
675	}
676
677	struct sshkey *
678	get_hostkey_private_by_type(int type, int nid, struct ssh *ssh)
679	{
680	return get_hostkey_by_type(type, nid, 1, ssh);
681	}
682
683	struct sshkey *
684	get_hostkey_by_index(int ind)
685	{
686	if (ind < 0 \|\| (u_int)ind >= options.num_host_key_files)
687	return (NULL((void*)0));
688	return (sensitive_data.host_keys[ind]);
689	}
690
691	struct sshkey *
692	get_hostkey_public_by_index(int ind, struct ssh *ssh)
693	{
694	if (ind < 0 \|\| (u_int)ind >= options.num_host_key_files)
695	return (NULL((void*)0));
696	return (sensitive_data.host_pubkeys[ind]);
697	}
698
699	int
700	get_hostkey_index(struct sshkey key, int compare, struct ssh ssh)
701	{
702	u_int i;
703
704	for (i = 0; i < options.num_host_key_files; i++) {
705	if (sshkey_is_cert(key)) {
706	if (key == sensitive_data.host_certificates[i] \|\|
707	(compare && sensitive_data.host_certificates[i] &&
708	sshkey_equal(key,
709	sensitive_data.host_certificates[i])))
710	return (i);
711	} else {
712	if (key == sensitive_data.host_keys[i] \|\|
713	(compare && sensitive_data.host_keys[i] &&
714	sshkey_equal(key, sensitive_data.host_keys[i])))
715	return (i);
716	if (key == sensitive_data.host_pubkeys[i] \|\|
717	(compare && sensitive_data.host_pubkeys[i] &&
718	sshkey_equal(key, sensitive_data.host_pubkeys[i])))
719	return (i);
720	}
721	}
722	return (-1);
723	}
724
725	/* Inform the client of all hostkeys */
726	static void
727	notify_hostkeys(struct ssh *ssh)
728	{
729	struct sshbuf *buf;
730	struct sshkey *key;
731	u_int i, nkeys;
732	int r;
733	char *fp;
734
735	/* Some clients cannot cope with the hostkeys message, skip those. */
736	if (ssh->compat & SSH_BUG_HOSTKEYS0x20000000)
737	return;
738
739	if ((buf = sshbuf_new()) == NULL((void*)0))
740	fatal_f("sshbuf_new")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 740 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new");
741	for (i = nkeys = 0; i < options.num_host_key_files; i++) {
742	key = get_hostkey_public_by_index(i, ssh);
743	if (key == NULL((void*)0) \|\| key->type == KEY_UNSPEC \|\|
744	sshkey_is_cert(key))
745	continue;
746	fp = sshkey_fingerprint(key, options.fingerprint_hash,
747	SSH_FP_DEFAULT);
748	debug3_f("key %d: %s %s", i, sshkey_ssh_name(key), fp)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 748, 1 , SYSLOG_LEVEL_DEBUG3, ((void*)0), "key %d: %s %s", i, sshkey_ssh_name (key), fp);
749	free(fp);
750	if (nkeys == 0) {
751	/*
752	* Start building the request when we find the
753	* first usable key.
754	*/
755	if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 \|\|
756	(r = sshpkt_put_cstring(ssh, "hostkeys-00@openssh.com")) != 0 \|\|
757	(r = sshpkt_put_u8(ssh, 0)) != 0) /* want reply */
758	sshpkt_fatal(ssh, r, "%s: start request", __func__);
759	}
760	/* Append the key to the request */
761	sshbuf_reset(buf);
762	if ((r = sshkey_putb(key, buf)) != 0)
763	fatal_fr(r, "couldn't put hostkey %d", i)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 763 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "couldn't put hostkey %d" , i);
764	if ((r = sshpkt_put_stringb(ssh, buf)) != 0)
765	sshpkt_fatal(ssh, r, "%s: append key", __func__);
766	nkeys++;
767	}
768	debug3_f("sent %u hostkeys", nkeys)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 768, 1 , SYSLOG_LEVEL_DEBUG3, ((void*)0), "sent %u hostkeys", nkeys);
769	if (nkeys == 0)
770	fatal_f("no hostkeys")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 770 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "no hostkeys");
771	if ((r = sshpkt_send(ssh)) != 0)
772	sshpkt_fatal(ssh, r, "%s: send", __func__);
773	sshbuf_free(buf);
774	}
775
776	/*
777	* returns 1 if connection should be dropped, 0 otherwise.
778	* dropping starts at connection #max_startups_begin with a probability
779	* of (max_startups_rate/100). the probability increases linearly until
780	* all connections are dropped for startups > max_startups
781	*/
782	static int
783	should_drop_connection(int startups)
784	{
785	int p, r;
786
787	if (startups < options.max_startups_begin)
788	return 0;
789	if (startups >= options.max_startups)
790	return 1;
791	if (options.max_startups_rate == 100)
792	return 1;
793
794	p = 100 - options.max_startups_rate;
795	p *= startups - options.max_startups_begin;
796	p /= options.max_startups - options.max_startups_begin;
797	p += options.max_startups_rate;
798	r = arc4random_uniform(100);
799
800	debug_f("p %d, r %d", p, r)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 800, 1 , SYSLOG_LEVEL_DEBUG1, ((void*)0), "p %d, r %d", p, r);
801	return (r < p) ? 1 : 0;
802	}
803
804	/*
805	* Check whether connection should be accepted by MaxStartups.
806	* Returns 0 if the connection is accepted. If the connection is refused,
807	* returns 1 and attempts to send notification to client.
808	* Logs when the MaxStartups condition is entered or exited, and periodically
809	* while in that state.
810	*/
811	static int
812	drop_connection(int sock, int startups, int notify_pipe)
813	{
814	char laddr, raddr;
815	const char msg[] = "Exceeded MaxStartups\r\n";
816	static time_t last_drop, first_drop;
817	static u_int ndropped;
818	LogLevel drop_level = SYSLOG_LEVEL_VERBOSE;
819	time_t now;
820
821	now = monotime();
822	if (!should_drop_connection(startups) &&
823	srclimit_check_allow(sock, notify_pipe) == 1) {
824	if (last_drop != 0 &&
825	startups < options.max_startups_begin - 1) {
826	/* XXX maybe need better hysteresis here */
827	logit("exited MaxStartups throttling after %s, "sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 829, 0 , SYSLOG_LEVEL_INFO, ((void*)0), "exited MaxStartups throttling after %s, " "%u connections dropped", fmt_timeframe(now - first_drop), ndropped )
828	"%u connections dropped",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 829, 0 , SYSLOG_LEVEL_INFO, ((void*)0), "exited MaxStartups throttling after %s, " "%u connections dropped", fmt_timeframe(now - first_drop), ndropped )
829	fmt_timeframe(now - first_drop), ndropped)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 829, 0 , SYSLOG_LEVEL_INFO, ((void*)0), "exited MaxStartups throttling after %s, " "%u connections dropped", fmt_timeframe(now - first_drop), ndropped );
830	last_drop = 0;
831	}
832	return 0;
833	}
834
835	#define SSHD_MAXSTARTUPS_LOG_INTERVAL(5 * 60) (5 * 60)
836	if (last_drop == 0) {
837	error("beginning MaxStartups throttling")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 837, 0 , SYSLOG_LEVEL_ERROR, ((void*)0), "beginning MaxStartups throttling" );
838	drop_level = SYSLOG_LEVEL_INFO;
839	first_drop = now;
840	ndropped = 0;
841	} else if (last_drop + SSHD_MAXSTARTUPS_LOG_INTERVAL(5 * 60) < now) {
842	/* Periodic logs */
843	error("in MaxStartups throttling for %s, "sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 845, 0 , SYSLOG_LEVEL_ERROR, ((void*)0), "in MaxStartups throttling for %s, " "%u connections dropped", fmt_timeframe(now - first_drop), ndropped + 1)
844	"%u connections dropped",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 845, 0 , SYSLOG_LEVEL_ERROR, ((void*)0), "in MaxStartups throttling for %s, " "%u connections dropped", fmt_timeframe(now - first_drop), ndropped + 1)
845	fmt_timeframe(now - first_drop), ndropped + 1)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 845, 0 , SYSLOG_LEVEL_ERROR, ((void*)0), "in MaxStartups throttling for %s, " "%u connections dropped", fmt_timeframe(now - first_drop), ndropped + 1);
846	drop_level = SYSLOG_LEVEL_INFO;
847	}
848	last_drop = now;
849	ndropped++;
850
851	laddr = get_local_ipaddr(sock);
852	raddr = get_peer_ipaddr(sock);
853	do_log2(drop_level, "drop connection #%d from [%s]:%d on [%s]:%d "sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 855, 0 , drop_level, ((void*)0), "drop connection #%d from [%s]:%d on [%s]:%d " "past MaxStartups", startups, raddr, get_peer_port(sock), laddr , get_local_port(sock))
854	"past MaxStartups", startups, raddr, get_peer_port(sock),sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 855, 0 , drop_level, ((void*)0), "drop connection #%d from [%s]:%d on [%s]:%d " "past MaxStartups", startups, raddr, get_peer_port(sock), laddr , get_local_port(sock))
855	laddr, get_local_port(sock))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 855, 0 , drop_level, ((void*)0), "drop connection #%d from [%s]:%d on [%s]:%d " "past MaxStartups", startups, raddr, get_peer_port(sock), laddr , get_local_port(sock));
856	free(laddr);
857	free(raddr);
858	/* best-effort notification to client */
859	(void)write(sock, msg, sizeof(msg) - 1);
860	return 1;
861	}
862
863	static void
864	usage(void)
865	{
866	fprintf(stderr(&__sF[2]), "%s, %s\n", SSH_VERSION"OpenSSH_8.8", SSH_OPENSSL_VERSIONOpenSSL_version(0));
867	fprintf(stderr(&__sF[2]),
868	"usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
869	" [-E log_file] [-f config_file] [-g login_grace_time]\n"
870	" [-h host_key_file] [-o option] [-p port] [-u len]\n"
871	);
872	exit(1);
873	}
874
875	static void
876	send_rexec_state(int fd, struct sshbuf *conf)
877	{
878	struct sshbuf m = NULL((void)0), inc = NULL((void)0);
879	struct include_item item = NULL((void)0);
880	int r;
881
882	debug3_f("entering fd = %d config len %zu", fd,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 883, 1 , SYSLOG_LEVEL_DEBUG3, ((void*)0), "entering fd = %d config len %zu" , fd, sshbuf_len(conf))
883	sshbuf_len(conf))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 883, 1 , SYSLOG_LEVEL_DEBUG3, ((void*)0), "entering fd = %d config len %zu" , fd, sshbuf_len(conf));
884
885	if ((m = sshbuf_new()) == NULL((void)0) \|\| (inc = sshbuf_new()) == NULL((void)0))
886	fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 886 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
887
888	/* pack includes into a string */
889	TAILQ_FOREACH(item, &includes, entry)for((item) = ((&includes)->tqh_first); (item) != ((void *)0); (item) = ((item)->entry.tqe_next)) {
890	if ((r = sshbuf_put_cstring(inc, item->selector)) != 0 \|\|
891	(r = sshbuf_put_cstring(inc, item->filename)) != 0 \|\|
892	(r = sshbuf_put_stringb(inc, item->contents)) != 0)
893	fatal_fr(r, "compose includes")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 893 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "compose includes");
894	}
895
896	/*
897	* Protocol from reexec master to child:
898	* string configuration
899	* string included_files[] {
900	* string selector
901	* string filename
902	* string contents
903	* }
904	*/
905	if ((r = sshbuf_put_stringb(m, conf)) != 0 \|\|
906	(r = sshbuf_put_stringb(m, inc)) != 0)
907	fatal_fr(r, "compose config")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 907 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "compose config");
908	if (ssh_msg_send(fd, 0, m) == -1)
909	error_f("ssh_msg_send failed")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 909, 1 , SYSLOG_LEVEL_ERROR, ((void*)0), "ssh_msg_send failed");
910
911	sshbuf_free(m);
912	sshbuf_free(inc);
913
914	debug3_f("done")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 914, 1 , SYSLOG_LEVEL_DEBUG3, ((void*)0), "done");
915	}
916
917	static void
918	recv_rexec_state(int fd, struct sshbuf *conf)
919	{
920	struct sshbuf m, inc;
921	u_char *cp, ver;
922	size_t len;
923	int r;
924	struct include_item *item;
925
926	debug3_f("entering fd = %d", fd)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 926, 1 , SYSLOG_LEVEL_DEBUG3, ((void*)0), "entering fd = %d", fd);
927
928	if ((m = sshbuf_new()) == NULL((void)0) \|\| (inc = sshbuf_new()) == NULL((void)0))
929	fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 929 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
930	if (ssh_msg_recv(fd, m) == -1)
931	fatal_f("ssh_msg_recv failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 931 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "ssh_msg_recv failed");
932	if ((r = sshbuf_get_u8(m, &ver)) != 0)
933	fatal_fr(r, "parse version")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 933 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "parse version");
934	if (ver != 0)
935	fatal_f("rexec version mismatch")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 935 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "rexec version mismatch" );
936	if ((r = sshbuf_get_string(m, &cp, &len)) != 0 \|\|
937	(r = sshbuf_get_stringb(m, inc)) != 0)
938	fatal_fr(r, "parse config")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 938 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "parse config");
939
940	if (conf != NULL((void*)0) && (r = sshbuf_put(conf, cp, len)))
941	fatal_fr(r, "sshbuf_put")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 941 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_put");
942
943	while (sshbuf_len(inc) != 0) {
944	item = xcalloc(1, sizeof(*item));
945	if ((item->contents = sshbuf_new()) == NULL((void*)0))
946	fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 946 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
947	if ((r = sshbuf_get_cstring(inc, &item->selector, NULL((void*)0))) != 0 \|\|
948	(r = sshbuf_get_cstring(inc, &item->filename, NULL((void*)0))) != 0 \|\|
949	(r = sshbuf_get_stringb(inc, item->contents)) != 0)
950	fatal_fr(r, "parse includes")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 950 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "parse includes");
951	TAILQ_INSERT_TAIL(&includes, item, entry)do { (item)->entry.tqe_next = ((void)0); (item)->entry .tqe_prev = (&includes)->tqh_last; (&includes)-> tqh_last = (item); (&includes)->tqh_last = &(item) ->entry.tqe_next; } while (0);
952	}
953
954	free(cp);
955	sshbuf_free(m);
956
957	debug3_f("done")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 957, 1 , SYSLOG_LEVEL_DEBUG3, ((void*)0), "done");
958	}
959
960	/* Accept a connection from inetd */
961	static void
962	server_accept_inetd(int sock_in, int sock_out)
963	{
964	if (rexeced_flag) {
965	close(REEXEC_CONFIG_PASS_FD(2 + 3));
966	sock_in = sock_out = dup(STDIN_FILENO0);
967	} else {
968	*sock_in = dup(STDIN_FILENO0);
969	*sock_out = dup(STDOUT_FILENO1);
970	}
971	/*
972	* We intentionally do not close the descriptors 0, 1, and 2
973	* as our code for setting the descriptors won't work if
974	* ttyfd happens to be one of those.
975	*/
976	if (stdfd_devnull(1, 1, !log_stderr) == -1)
977	error_f("stdfd_devnull failed")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 977, 1 , SYSLOG_LEVEL_ERROR, ((void*)0), "stdfd_devnull failed");
978	debug("inetd sockets after dupping: %d, %d", sock_in, sock_out)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 978, 0 , SYSLOG_LEVEL_DEBUG1, ((void)0), "inetd sockets after dupping: %d, %d" , sock_in, *sock_out);
979	}
980
981	/*
982	* Listen for TCP connections
983	*/
984	static void
985	listen_on_addrs(struct listenaddr *la)
986	{
987	int ret, listen_sock;
988	struct addrinfo *ai;
989	char ntop[NI_MAXHOST256], strport[NI_MAXSERV32];
990
991	for (ai = la->addrs; ai; ai = ai->ai_next) {
992	if (ai->ai_family != AF_INET2 && ai->ai_family != AF_INET624)
993	continue;
994	if (num_listen_socks >= MAX_LISTEN_SOCKS16)
995	fatal("Too many listen sockets. "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 996 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Too many listen sockets. " "Enlarge MAX_LISTEN_SOCKS")
996	"Enlarge MAX_LISTEN_SOCKS")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 996 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Too many listen sockets. " "Enlarge MAX_LISTEN_SOCKS");
997	if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
998	ntop, sizeof(ntop), strport, sizeof(strport),
999	NI_NUMERICHOST1\|NI_NUMERICSERV2)) != 0) {
1000	error("getnameinfo failed: %.100s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1001, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "getnameinfo failed: %.100s" , ssh_gai_strerror(ret))
1001	ssh_gai_strerror(ret))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1001, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "getnameinfo failed: %.100s" , ssh_gai_strerror(ret));
1002	continue;
1003	}
1004	/* Create socket for listening. */
1005	listen_sock = socket(ai->ai_family, ai->ai_socktype,
1006	ai->ai_protocol);
1007	if (listen_sock == -1) {
1008	/* kernel may not support ipv6 */
1009	verbose("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1009, 0, SYSLOG_LEVEL_VERBOSE, ((void)0), "socket: %.100s", strerror ((__errno())));
1010	continue;
1011	}
1012	if (set_nonblock(listen_sock) == -1) {
1013	close(listen_sock);
1014	continue;
1015	}
1016	if (fcntl(listen_sock, F_SETFD2, FD_CLOEXEC1) == -1) {
1017	verbose("socket: CLOEXEC: %s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1017, 0, SYSLOG_LEVEL_VERBOSE, ((void)0), "socket: CLOEXEC: %s", strerror ((__errno())));
1018	close(listen_sock);
1019	continue;
1020	}
1021	/* Socket options */
1022	set_reuseaddr(listen_sock);
1023	if (la->rdomain != NULL((void*)0) &&
1024	set_rdomain(listen_sock, la->rdomain) == -1) {
1025	close(listen_sock);
1026	continue;
1027	}
1028
1029	debug("Bind to port %s on %s.", strport, ntop)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1029, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "Bind to port %s on %s." , strport, ntop);
1030
1031	/* Bind the socket to the desired port. */
1032	if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
1033	error("Bind to port %s on %s failed: %.200s.",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1034, 0, SYSLOG_LEVEL_ERROR, ((void)0), "Bind to port %s on %s failed: %.200s." , strport, ntop, strerror((__errno())))
1034	strport, ntop, strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1034, 0, SYSLOG_LEVEL_ERROR, ((void)0), "Bind to port %s on %s failed: %.200s." , strport, ntop, strerror((__errno())));
1035	close(listen_sock);
1036	continue;
1037	}
1038	listen_socks[num_listen_socks] = listen_sock;
1039	num_listen_socks++;
1040
1041	/* Start listening on the port. */
1042	if (listen(listen_sock, SSH_LISTEN_BACKLOG128) == -1)
1043	fatal("listen on [%s]:%s: %.100s",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1044 , 0, SYSLOG_LEVEL_FATAL, ((void)0), "listen on [%s]:%s: %.100s" , ntop, strport, strerror((__errno())))
1044	ntop, strport, strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1044 , 0, SYSLOG_LEVEL_FATAL, ((void)0), "listen on [%s]:%s: %.100s" , ntop, strport, strerror((__errno())));
1045	logit("Server listening on %s port %s%s%s.",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1048, 0, SYSLOG_LEVEL_INFO, ((void)0), "Server listening on %s port %s%s%s." , ntop, strport, la->rdomain == ((void)0) ? "" : " rdomain " , la->rdomain == ((void*)0) ? "" : la->rdomain)
1046	ntop, strport,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1048, 0, SYSLOG_LEVEL_INFO, ((void)0), "Server listening on %s port %s%s%s." , ntop, strport, la->rdomain == ((void)0) ? "" : " rdomain " , la->rdomain == ((void*)0) ? "" : la->rdomain)
1047	la->rdomain == NULL ? "" : " rdomain ",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1048, 0, SYSLOG_LEVEL_INFO, ((void)0), "Server listening on %s port %s%s%s." , ntop, strport, la->rdomain == ((void)0) ? "" : " rdomain " , la->rdomain == ((void*)0) ? "" : la->rdomain)
1048	la->rdomain == NULL ? "" : la->rdomain)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1048, 0, SYSLOG_LEVEL_INFO, ((void)0), "Server listening on %s port %s%s%s." , ntop, strport, la->rdomain == ((void)0) ? "" : " rdomain " , la->rdomain == ((void*)0) ? "" : la->rdomain);
1049	}
1050	}
1051
1052	static void
1053	server_listen(void)
1054	{
1055	u_int i;
1056
1057	/* Initialise per-source limit tracking. */
1058	srclimit_init(options.max_startups, options.per_source_max_startups,
1059	options.per_source_masklen_ipv4, options.per_source_masklen_ipv6);
1060
1061	for (i = 0; i < options.num_listen_addrs; i++) {
1062	listen_on_addrs(&options.listen_addrs[i]);
1063	freeaddrinfo(options.listen_addrs[i].addrs);
1064	free(options.listen_addrs[i].rdomain);
1065	memset(&options.listen_addrs[i], 0,
1066	sizeof(options.listen_addrs[i]));
1067	}
1068	free(options.listen_addrs);
1069	options.listen_addrs = NULL((void*)0);
1070	options.num_listen_addrs = 0;
1071
1072	if (!num_listen_socks)
1073	fatal("Cannot bind any address.")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1073 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Cannot bind any address." );
1074	}
1075
1076	/*
1077	* The main TCP accept loop. Note that, for the non-debug case, returns
1078	* from this function are in a forked subprocess.
1079	*/
1080	static void
1081	server_accept_loop(int sock_in, int sock_out, int newsock, int config_s)
1082	{
1083	struct pollfd pfd = NULL((void)0);
1084	int i, j, ret;
1085	int ostartups = -1, startups = 0, listening = 0, lameduck = 0;
1086	int startup_p[2] = { -1 , -1 };
1087	char c = 0;
1088	struct sockaddr_storage from;
1089	socklen_t fromlen;
1090	pid_t pid;
1091	sigset_t nsigset, osigset;
1092
1093	/* setup fd set for accept */
1094	/* pipes connected to unauthenticated child sshd processes */
1095	startup_pipes = xcalloc(options.max_startups, sizeof(int));
1096	startup_flags = xcalloc(options.max_startups, sizeof(int));
1097	for (i = 0; i < options.max_startups; i++)
1098	startup_pipes[i] = -1;
1099
1100	/*
1101	* Prepare signal mask that we use to block signals that might set
1102	* received_sigterm or received_sighup, so that we are guaranteed
1103	* to immediately wake up the ppoll if a signal is received after
1104	* the flag is checked.
1105	*/
1106	sigemptyset(&nsigset);
1107	sigaddset(&nsigset, SIGHUP1);
1108	sigaddset(&nsigset, SIGCHLD20);
1109	sigaddset(&nsigset, SIGTERM15);
1110	sigaddset(&nsigset, SIGQUIT3);
1111
1112	pfd = xcalloc(num_listen_socks + options.max_startups,
1113	sizeof(struct pollfd));
1114
1115	/*
1116	* Stay listening for connections until the system crashes or
1117	* the daemon is killed with a signal.
1118	*/
1119	for (;;) {
1120	sigprocmask(SIG_BLOCK1, &nsigset, &osigset);
1121	if (received_sigterm) {
1122	logit("Received signal %d; terminating.",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1123, 0, SYSLOG_LEVEL_INFO, ((void*)0), "Received signal %d; terminating." , (int) received_sigterm)
1123	(int) received_sigterm)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1123, 0, SYSLOG_LEVEL_INFO, ((void*)0), "Received signal %d; terminating." , (int) received_sigterm);
1124	close_listen_socks();
1125	if (options.pid_file != NULL((void*)0))
1126	unlink(options.pid_file);
1127	exit(received_sigterm == SIGTERM15 ? 0 : 255);
1128	}
1129	if (ostartups != startups) {
1130	setproctitle("%s [listener] %d of %d-%d startups",
1131	listener_proctitle, startups,
1132	options.max_startups_begin, options.max_startups);
1133	ostartups = startups;
1134	}
1135	if (received_sighup) {
1136	if (!lameduck) {
1137	debug("Received SIGHUP; waiting for children")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1137, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "Received SIGHUP; waiting for children" );
1138	close_listen_socks();
1139	lameduck = 1;
1140	}
1141	if (listening <= 0) {
1142	sigprocmask(SIG_SETMASK3, &osigset, NULL((void*)0));
1143	sighup_restart();
1144	}
1145	}
1146
1147	for (i = 0; i < num_listen_socks; i++) {
1148	pfd[i].fd = listen_socks[i];
1149	pfd[i].events = POLLIN0x0001;
1150	}
1151	for (i = 0; i < options.max_startups; i++) {
1152	pfd[num_listen_socks+i].fd = startup_pipes[i];
1153	if (startup_pipes[i] != -1)
1154	pfd[num_listen_socks+i].events = POLLIN0x0001;
1155	}
1156
1157	/* Wait until a connection arrives or a child exits. */
1158	ret = ppoll(pfd, num_listen_socks + options.max_startups,
1159	NULL((void*)0), &osigset);
1160	if (ret == -1 && errno(*__errno()) != EINTR4)
1161	error("ppoll: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1161, 0, SYSLOG_LEVEL_ERROR, ((void)0), "ppoll: %.100s", strerror ((__errno())));
1162	sigprocmask(SIG_SETMASK3, &osigset, NULL((void*)0));
1163	if (ret == -1)
1164	continue;
1165
1166	for (i = 0; i < options.max_startups; i++) {
1167	if (startup_pipes[i] == -1 \|\|
1168	!(pfd[num_listen_socks+i].revents & (POLLIN0x0001\|POLLHUP0x0010)))
1169	continue;
1170	switch (read(startup_pipes[i], &c, sizeof(c))) {
1171	case -1:
1172	if (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35)
1173	continue;
1174	if (errno(*__errno()) != EPIPE32) {
1175	error_f("startup pipe %d (fd=%d): "sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1177, 1, SYSLOG_LEVEL_ERROR, ((void)0), "startup pipe %d (fd=%d): " "read %s", i, startup_pipes[i], strerror((__errno())))
1176	"read %s", i, startup_pipes[i],sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1177, 1, SYSLOG_LEVEL_ERROR, ((void)0), "startup pipe %d (fd=%d): " "read %s", i, startup_pipes[i], strerror((__errno())))
1177	strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1177, 1, SYSLOG_LEVEL_ERROR, ((void)0), "startup pipe %d (fd=%d): " "read %s", i, startup_pipes[i], strerror((__errno())));
1178	}
1179	/* FALLTHROUGH */
1180	case 0:
1181	/* child exited or completed auth */
1182	close(startup_pipes[i]);
1183	srclimit_done(startup_pipes[i]);
1184	startup_pipes[i] = -1;
1185	startups--;
1186	if (startup_flags[i])
1187	listening--;
1188	break;
1189	case 1:
1190	/* child has finished preliminaries */
1191	if (startup_flags[i]) {
1192	listening--;
1193	startup_flags[i] = 0;
1194	}
1195	break;
1196	}
1197	}
1198	for (i = 0; i < num_listen_socks; i++) {
1199	if (!(pfd[i].revents & POLLIN0x0001))
1200	continue;
1201	fromlen = sizeof(from);
1202	*newsock = accept(listen_socks[i],
1203	(struct sockaddr *)&from, &fromlen);
1204	if (*newsock == -1) {
1205	if (errno(__errno()) != EINTR4 && errno(__errno()) != EWOULDBLOCK35 &&
1206	errno(*__errno()) != ECONNABORTED53)
1207	error("accept: %.100s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1208, 0, SYSLOG_LEVEL_ERROR, ((void)0), "accept: %.100s", strerror ((__errno())))
1208	strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1208, 0, SYSLOG_LEVEL_ERROR, ((void)0), "accept: %.100s", strerror ((__errno())));
1209	if (errno(__errno()) == EMFILE24 \|\| errno(__errno()) == ENFILE23)
1210	usleep(100 * 1000);
1211	continue;
1212	}
1213	if (unset_nonblock(*newsock) == -1 \|\|
1214	pipe(startup_p) == -1) {
1215	close(*newsock);
1216	continue;
1217	}
1218	if (drop_connection(*newsock, startups, startup_p[0])) {
1219	close(*newsock);
1220	close(startup_p[0]);
1221	close(startup_p[1]);
1222	continue;
1223	}
1224
1225	if (rexec_flag && socketpair(AF_UNIX1,
1226	SOCK_STREAM1, 0, config_s) == -1) {
1227	error("reexec socketpair: %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1228, 0, SYSLOG_LEVEL_ERROR, ((void)0), "reexec socketpair: %s", strerror ((__errno())))
1228	strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1228, 0, SYSLOG_LEVEL_ERROR, ((void)0), "reexec socketpair: %s", strerror ((__errno())));
1229	close(*newsock);
1230	close(startup_p[0]);
1231	close(startup_p[1]);
1232	continue;
1233	}
1234
1235	for (j = 0; j < options.max_startups; j++)
1236	if (startup_pipes[j] == -1) {
1237	startup_pipes[j] = startup_p[0];
1238	startups++;
1239	startup_flags[j] = 1;
1240	break;
1241	}
1242
1243	/*
1244	* Got connection. Fork a child to handle it, unless
1245	* we are in debugging mode.
1246	*/
1247	if (debug_flag) {
1248	/*
1249	* In debugging mode. Close the listening
1250	* socket, and start processing the
1251	* connection without forking.
1252	*/
1253	debug("Server will not fork when running in debugging mode.")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1253, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "Server will not fork when running in debugging mode." );
1254	close_listen_socks();
1255	sock_in = newsock;
1256	sock_out = newsock;
1257	close(startup_p[0]);
1258	close(startup_p[1]);
1259	startup_pipe = -1;
1260	pid = getpid();
	Value stored to 'pid' is never read
1261	if (rexec_flag) {
1262	send_rexec_state(config_s[0], cfg);
1263	close(config_s[0]);
1264	}
1265	free(pfd);
1266	return;
1267	}
1268
1269	/*
1270	* Normal production daemon. Fork, and have
1271	* the child process the connection. The
1272	* parent continues listening.
1273	*/
1274	listening++;
1275	if ((pid = fork()) == 0) {
1276	/*
1277	* Child. Close the listening and
1278	* max_startup sockets. Start using
1279	* the accepted socket. Reinitialize
1280	* logging (since our pid has changed).
1281	* We return from this function to handle
1282	* the connection.
1283	*/
1284	startup_pipe = startup_p[1];
1285	close_startup_pipes();
1286	close_listen_socks();
1287	sock_in = newsock;
1288	sock_out = newsock;
1289	log_init(__progname,
1290	options.log_level,
1291	options.log_facility,
1292	log_stderr);
1293	if (rexec_flag)
1294	close(config_s[0]);
1295	else {
1296	/*
1297	* Signal parent that the preliminaries
1298	* for this child are complete. For the
1299	* re-exec case, this happens after the
1300	* child has received the rexec state
1301	* from the server.
1302	*/
1303	(void)atomicio(vwrite(ssize_t ()(int, void , size_t))write, startup_pipe,
1304	"\0", 1);
1305	}
1306	free(pfd);
1307	return;
1308	}
1309
1310	/* Parent. Stay in the loop. */
1311	if (pid == -1)
1312	error("fork: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1312, 0, SYSLOG_LEVEL_ERROR, ((void)0), "fork: %.100s", strerror( (__errno())));
1313	else
1314	debug("Forked child %ld.", (long)pid)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1314, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "Forked child %ld.", (long )pid);
1315
1316	close(startup_p[1]);
1317
1318	if (rexec_flag) {
1319	close(config_s[1]);
1320	send_rexec_state(config_s[0], cfg);
1321	close(config_s[0]);
1322	}
1323	close(*newsock);
1324	}
1325	}
1326	}
1327
1328	/*
1329	* If IP options are supported, make sure there are none (log and
1330	* return an error if any are found). Basically we are worried about
1331	* source routing; it can be used to pretend you are somebody
1332	* (ip-address) you are not. That itself may be "almost acceptable"
1333	* under certain circumstances, but rhosts authentication is useless
1334	* if source routing is accepted. Notice also that if we just dropped
1335	* source routing here, the other side could use IP spoofing to do
1336	* rest of the interaction and could still bypass security. So we
1337	* exit here if we detect any IP options.
1338	*/
1339	static void
1340	check_ip_options(struct ssh *ssh)
1341	{
1342	int sock_in = ssh_packet_get_connection_in(ssh);
1343	struct sockaddr_storage from;
1344	u_char opts[200];
1345	socklen_t i, option_size = sizeof(opts), fromlen = sizeof(from);
1346	char text[sizeof(opts) * 3 + 1];
1347
1348	memset(&from, 0, sizeof(from));
1349	if (getpeername(sock_in, (struct sockaddr *)&from,
1350	&fromlen) == -1)
1351	return;
1352	if (from.ss_family != AF_INET2)
1353	return;
1354	/* XXX IPv6 options? */
1355
1356	if (getsockopt(sock_in, IPPROTO_IP0, IP_OPTIONS1, opts,
1357	&option_size) >= 0 && option_size != 0) {
1358	text[0] = '\0';
1359	for (i = 0; i < option_size; i++)
1360	snprintf(text + i3, sizeof(text) - i3,
1361	" %2.2x", opts[i]);
1362	fatal("Connection from %.100s port %d with IP opts: %.800s",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1363 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Connection from %.100s port %d with IP opts: %.800s" , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text)
1363	ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1363 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Connection from %.100s port %d with IP opts: %.800s" , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
1364	}
1365	return;
1366	}
1367
1368	/* Set the routing domain for this process */
1369	static void
1370	set_process_rdomain(struct ssh ssh, const char name)
1371	{
1372	int rtable, ortable = getrtable();
1373	const char *errstr;
1374
1375	if (name == NULL((void*)0))
1376	return; /* default */
1377
1378	if (strcmp(name, "%D") == 0) {
1379	/* "expands" to routing domain of connection */
1380	if ((name = ssh_packet_rdomain_in(ssh)) == NULL((void*)0))
1381	return;
1382	}
1383
1384	rtable = (int)strtonum(name, 0, 255, &errstr);
1385	if (errstr != NULL((void)0)) / Shouldn't happen */
1386	fatal("Invalid routing domain \"%s\": %s", name, errstr)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1386 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Invalid routing domain \"%s\": %s" , name, errstr);
1387	if (rtable != ortable && setrtable(rtable) != 0)
1388	fatal("Unable to set routing domain %d: %s",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1389 , 0, SYSLOG_LEVEL_FATAL, ((void)0), "Unable to set routing domain %d: %s" , rtable, strerror((__errno())))
1389	rtable, strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1389 , 0, SYSLOG_LEVEL_FATAL, ((void)0), "Unable to set routing domain %d: %s" , rtable, strerror((__errno())));
1390	debug_f("set routing domain %d (was %d)", rtable, ortable)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1390, 1, SYSLOG_LEVEL_DEBUG1, ((void*)0), "set routing domain %d (was %d)" , rtable, ortable);
1391	}
1392
1393	static void
1394	accumulate_host_timing_secret(struct sshbuf *server_cfg,
1395	struct sshkey *key)
1396	{
1397	static struct ssh_digest_ctx *ctx;
1398	u_char *hash;
1399	size_t len;
1400	struct sshbuf *buf;
1401	int r;
1402
1403	if (ctx == NULL((void)0) && (ctx = ssh_digest_start(SSH_DIGEST_SHA5124)) == NULL((void)0))
1404	fatal_f("ssh_digest_start")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1404 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "ssh_digest_start");
1405	if (key == NULL((void)0)) { / finalize */
1406	/* add server config in case we are using agent for host keys */
1407	if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
1408	sshbuf_len(server_cfg)) != 0)
1409	fatal_f("ssh_digest_update")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1409 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "ssh_digest_update");
1410	len = ssh_digest_bytes(SSH_DIGEST_SHA5124);
1411	hash = xmalloc(len);
1412	if (ssh_digest_final(ctx, hash, len) != 0)
1413	fatal_f("ssh_digest_final")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1413 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "ssh_digest_final");
1414	options.timing_secret = PEEK_U64(hash)(((u_int64_t)(((const u_char )(hash))[0]) << 56) \| ((u_int64_t )(((const u_char )(hash))[1]) << 48) \| ((u_int64_t)((( const u_char )(hash))[2]) << 40) \| ((u_int64_t)(((const u_char )(hash))[3]) << 32) \| ((u_int64_t)(((const u_char )(hash))[4]) << 24) \| ((u_int64_t)(((const u_char )( hash))[5]) << 16) \| ((u_int64_t)(((const u_char )(hash ))[6]) << 8) \| (u_int64_t)(((const u_char )(hash))[7]) );
1415	freezero(hash, len);
1416	ssh_digest_free(ctx);
1417	ctx = NULL((void*)0);
1418	return;
1419	}
1420	if ((buf = sshbuf_new()) == NULL((void*)0))
1421	fatal_f("could not allocate buffer")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1421 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "could not allocate buffer" );
1422	if ((r = sshkey_private_serialize(key, buf)) != 0)
1423	fatal_fr(r, "decode key")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1423 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "decode key");
1424	if (ssh_digest_update(ctx, sshbuf_ptr(buf), sshbuf_len(buf)) != 0)
1425	fatal_f("ssh_digest_update")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1425 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "ssh_digest_update");
1426	sshbuf_reset(buf);
1427	sshbuf_free(buf);
1428	}
1429
1430	static char *
1431	prepare_proctitle(int ac, char **av)
1432	{
1433	char ret = NULL((void)0);
1434	int i;
1435
1436	for (i = 0; i < ac; i++)
1437	xextendf(&ret, " ", "%s", av[i]);
1438	return ret;
1439	}
1440
1441	/*
1442	* Main program for the daemon.
1443	*/
1444	int
1445	main(int ac, char **av)
1446	{
1447	struct ssh ssh = NULL((void)0);
1448	extern char *optarg;
1449	extern int optind;
1450	int r, opt, on = 1, already_daemon, remote_port;
1451	int sock_in = -1, sock_out = -1, newsock = -1;
1452	const char remote_ip, rdomain;
1453	char fp, line, laddr, logfile = NULL((void*)0);
1454	int config_s[2] = { -1 , -1 };
1455	u_int i, j;
1456	u_int64_t ibytes, obytes;
1457	mode_t new_umask;
1458	struct sshkey *key;
1459	struct sshkey *pubkey;
1460	int keytype;
1461	Authctxt *authctxt;
1462	struct connection_info connection_info = NULL((void)0);
1463
1464	/* Save argv. */
1465	saved_argv = av;
1466	rexec_argc = ac;
1467
1468	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
1469	sanitise_stdfd();
1470
1471	/* Initialize configuration options to their default values. */
1472	initialize_server_options(&options);
1473
1474	/* Parse command-line arguments. */
1475	while ((opt = getopt(ac, av,
1476	"C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
1477	switch (opt) {
1478	case '4':
1479	options.address_family = AF_INET2;
1480	break;
1481	case '6':
1482	options.address_family = AF_INET624;
1483	break;
1484	case 'f':
1485	config_file_name = optarg;
1486	break;
1487	case 'c':
1488	servconf_add_hostcert("[command-line]", 0,
1489	&options, optarg);
1490	break;
1491	case 'd':
1492	if (debug_flag == 0) {
1493	debug_flag = 1;
1494	options.log_level = SYSLOG_LEVEL_DEBUG1;
1495	} else if (options.log_level < SYSLOG_LEVEL_DEBUG3)
1496	options.log_level++;
1497	break;
1498	case 'D':
1499	no_daemon_flag = 1;
1500	break;
1501	case 'E':
1502	logfile = optarg;
1503	/* FALLTHROUGH */
1504	case 'e':
1505	log_stderr = 1;
1506	break;
1507	case 'i':
1508	inetd_flag = 1;
1509	break;
1510	case 'r':
1511	rexec_flag = 0;
1512	break;
1513	case 'R':
1514	rexeced_flag = 1;
1515	inetd_flag = 1;
1516	break;
1517	case 'Q':
1518	/* ignored */
1519	break;
1520	case 'q':
1521	options.log_level = SYSLOG_LEVEL_QUIET;
1522	break;
1523	case 'b':
1524	/* protocol 1, ignored */
1525	break;
1526	case 'p':
1527	options.ports_from_cmdline = 1;
1528	if (options.num_ports >= MAX_PORTS256) {
1529	fprintf(stderr(&__sF[2]), "too many ports.\n");
1530	exit(1);
1531	}
1532	options.ports[options.num_ports++] = a2port(optarg);
1533	if (options.ports[options.num_ports-1] <= 0) {
1534	fprintf(stderr(&__sF[2]), "Bad port number.\n");
1535	exit(1);
1536	}
1537	break;
1538	case 'g':
1539	if ((options.login_grace_time = convtime(optarg)) == -1) {
1540	fprintf(stderr(&__sF[2]), "Invalid login grace time.\n");
1541	exit(1);
1542	}
1543	break;
1544	case 'k':
1545	/* protocol 1, ignored */
1546	break;
1547	case 'h':
1548	servconf_add_hostkey("[command-line]", 0,
1549	&options, optarg, 1);
1550	break;
1551	case 't':
1552	test_flag = 1;
1553	break;
1554	case 'T':
1555	test_flag = 2;
1556	break;
1557	case 'C':
1558	connection_info = get_connection_info(ssh, 0, 0);
1559	if (parse_server_match_testspec(connection_info,
1560	optarg) == -1)
1561	exit(1);
1562	break;
1563	case 'u':
1564	utmp_len = (u_int)strtonum(optarg, 0, HOST_NAME_MAX255+1+1, NULL((void*)0));
1565	if (utmp_len > HOST_NAME_MAX255+1) {
1566	fprintf(stderr(&__sF[2]), "Invalid utmp length.\n");
1567	exit(1);
1568	}
1569	break;
1570	case 'o':
1571	line = xstrdup(optarg);
1572	if (process_server_config_line(&options, line,
1573	"command-line", 0, NULL((void)0), NULL((void)0), &includes) != 0)
1574	exit(1);
1575	free(line);
1576	break;
1577	case '?':
1578	default:
1579	usage();
1580	break;
1581	}
1582	}
1583	if (rexeced_flag \|\| inetd_flag)
1584	rexec_flag = 0;
1585	if (!test_flag && rexec_flag && !path_absolute(av[0]))
1586	fatal("sshd re-exec requires execution with an absolute path")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1586 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "sshd re-exec requires execution with an absolute path" );
1587	if (rexeced_flag)
1588	closefrom(REEXEC_MIN_FREE_FD(2 + 4));
1589	else
1590	closefrom(REEXEC_DEVCRYPTO_RESERVED_FD(2 + 1));
1591
1592	#ifdef WITH_OPENSSL1
1593	OpenSSL_add_all_algorithms()OPENSSL_add_all_algorithms_noconf();
1594	#endif
1595
1596	/* If requested, redirect the logs to the specified logfile. */
1597	if (logfile != NULL((void*)0))
1598	log_redirect_stderr_to(logfile);
1599	/*
1600	* Force logging to stderr until we have loaded the private host
1601	* key (unless started from inetd)
1602	*/
1603	log_init(__progname,
1604	options.log_level == SYSLOG_LEVEL_NOT_SET ?
1605	SYSLOG_LEVEL_INFO : options.log_level,
1606	options.log_facility == SYSLOG_FACILITY_NOT_SET ?
1607	SYSLOG_FACILITY_AUTH : options.log_facility,
1608	log_stderr \|\| !inetd_flag \|\| debug_flag);
1609
1610	sensitive_data.have_ssh2_key = 0;
1611
1612	/*
1613	* If we're not doing an extended test do not silently ignore connection
1614	* test params.
1615	*/
1616	if (test_flag < 2 && connection_info != NULL((void*)0))
1617	fatal("Config test connection parameter (-C) provided without "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1618 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Config test connection parameter (-C) provided without " "test mode (-T)")
1618	"test mode (-T)")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1618 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Config test connection parameter (-C) provided without " "test mode (-T)");
1619
1620	/* Fetch our configuration */
1621	if ((cfg = sshbuf_new()) == NULL((void*)0))
1622	fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1622 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
1623	if (rexeced_flag) {
1624	setproctitle("%s", "[rexeced]");
1625	recv_rexec_state(REEXEC_CONFIG_PASS_FD(2 + 3), cfg);
1626	if (!debug_flag) {
1627	startup_pipe = dup(REEXEC_STARTUP_PIPE_FD(2 + 2));
1628	close(REEXEC_STARTUP_PIPE_FD(2 + 2));
1629	/*
1630	* Signal parent that this child is at a point where
1631	* they can go away if they have a SIGHUP pending.
1632	*/
1633	(void)atomicio(vwrite(ssize_t ()(int, void , size_t))write, startup_pipe, "\0", 1);
1634	}
1635	} else if (strcasecmp(config_file_name, "none") != 0)
1636	load_server_config(config_file_name, cfg);
1637
1638	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
1639	cfg, &includes, NULL((void*)0));
1640
1641	#ifdef WITH_OPENSSL1
1642	if (options.moduli_file != NULL((void*)0))
1643	dh_set_moduli_file(options.moduli_file);
1644	#endif
1645
1646	/* Fill in default values for those options not explicitly set. */
1647	fill_default_server_options(&options);
1648
1649	/* Check that options are sensible */
1650	if (options.authorized_keys_command_user == NULL((void*)0) &&
1651	(options.authorized_keys_command != NULL((void*)0) &&
1652	strcasecmp(options.authorized_keys_command, "none") != 0))
1653	fatal("AuthorizedKeysCommand set without "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1654 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthorizedKeysCommand set without " "AuthorizedKeysCommandUser")
1654	"AuthorizedKeysCommandUser")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1654 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthorizedKeysCommand set without " "AuthorizedKeysCommandUser");
1655	if (options.authorized_principals_command_user == NULL((void*)0) &&
1656	(options.authorized_principals_command != NULL((void*)0) &&
1657	strcasecmp(options.authorized_principals_command, "none") != 0))
1658	fatal("AuthorizedPrincipalsCommand set without "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1659 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthorizedPrincipalsCommand set without " "AuthorizedPrincipalsCommandUser")
1659	"AuthorizedPrincipalsCommandUser")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1659 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthorizedPrincipalsCommand set without " "AuthorizedPrincipalsCommandUser");
1660
1661	/*
1662	* Check whether there is any path through configured auth methods.
1663	* Unfortunately it is not possible to verify this generally before
1664	* daemonisation in the presence of Match block, but this catches
1665	* and warns for trivial misconfigurations that could break login.
1666	*/
1667	if (options.num_auth_methods != 0) {
1668	for (i = 0; i < options.num_auth_methods; i++) {
1669	if (auth2_methods_valid(options.auth_methods[i],
1670	1) == 0)
1671	break;
1672	}
1673	if (i >= options.num_auth_methods)
1674	fatal("AuthenticationMethods cannot be satisfied by "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1675 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthenticationMethods cannot be satisfied by " "enabled authentication methods")
1675	"enabled authentication methods")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1675 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "AuthenticationMethods cannot be satisfied by " "enabled authentication methods");
1676	}
1677
1678	/* Check that there are no remaining arguments. */
1679	if (optind < ac) {
1680	fprintf(stderr(&__sF[2]), "Extra argument %s.\n", av[optind]);
1681	exit(1);
1682	}
1683
1684	debug("sshd version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1684, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "sshd version %s, %s", "OpenSSH_8.8" , OpenSSL_version(0));
1685
1686	/* load host keys */
1687	sensitive_data.host_keys = xcalloc(options.num_host_key_files,
1688	sizeof(struct sshkey *));
1689	sensitive_data.host_pubkeys = xcalloc(options.num_host_key_files,
1690	sizeof(struct sshkey *));
1691
1692	if (options.host_key_agent) {
1693	if (strcmp(options.host_key_agent, SSH_AUTHSOCKET_ENV_NAME"SSH_AUTH_SOCK"))
1694	setenv(SSH_AUTHSOCKET_ENV_NAME"SSH_AUTH_SOCK",
1695	options.host_key_agent, 1);
1696	if ((r = ssh_get_authentication_socket(NULL((void*)0))) == 0)
1697	have_agent = 1;
1698	else
1699	error_r(r, "Could not connect to agent \"%s\"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1700, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Could not connect to agent \"%s\"" , options.host_key_agent)
1700	options.host_key_agent)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1700, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Could not connect to agent \"%s\"" , options.host_key_agent);
1701	}
1702
1703	for (i = 0; i < options.num_host_key_files; i++) {
1704	int ll = options.host_key_file_userprovided[i] ?
1705	SYSLOG_LEVEL_ERROR : SYSLOG_LEVEL_DEBUG1;
1706
1707	if (options.host_key_files[i] == NULL((void*)0))
1708	continue;
1709	if ((r = sshkey_load_private(options.host_key_files[i], "",
1710	&key, NULL((void*)0))) != 0 && r != SSH_ERR_SYSTEM_ERROR-24)
1711	do_log2_r(r, ll, "Unable to load host key \"%s\"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1712, 0, ll, ssh_err(r), "Unable to load host key \"%s\"", options .host_key_files[i])
1712	options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1712, 0, ll, ssh_err(r), "Unable to load host key \"%s\"", options .host_key_files[i]);
1713	if (sshkey_is_sk(key) &&
1714	key->sk_flags & SSH_SK_USER_PRESENCE_REQD0x01) {
1715	debug("host key %s requires user presence, ignoring",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1716, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "host key %s requires user presence, ignoring" , options.host_key_files[i])
1716	options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1716, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "host key %s requires user presence, ignoring" , options.host_key_files[i]);
1717	key->sk_flags &= ~SSH_SK_USER_PRESENCE_REQD0x01;
1718	}
1719	if (r == 0 && key != NULL((void*)0) &&
1720	(r = sshkey_shield_private(key)) != 0) {
1721	do_log2_r(r, ll, "Unable to shield host key \"%s\"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1722, 0, ll, ssh_err(r), "Unable to shield host key \"%s\"", options .host_key_files[i])
1722	options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1722, 0, ll, ssh_err(r), "Unable to shield host key \"%s\"", options .host_key_files[i]);
1723	sshkey_free(key);
1724	key = NULL((void*)0);
1725	}
1726	if ((r = sshkey_load_public(options.host_key_files[i],
1727	&pubkey, NULL((void*)0))) != 0 && r != SSH_ERR_SYSTEM_ERROR-24)
1728	do_log2_r(r, ll, "Unable to load host key \"%s\"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1729, 0, ll, ssh_err(r), "Unable to load host key \"%s\"", options .host_key_files[i])
1729	options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1729, 0, ll, ssh_err(r), "Unable to load host key \"%s\"", options .host_key_files[i]);
1730	if (pubkey != NULL((void)0) && key != NULL((void)0)) {
1731	if (!sshkey_equal(pubkey, key)) {
1732	error("Public key for %s does not match "sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1733, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "Public key for %s does not match " "private key", options.host_key_files[i])
1733	"private key", options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1733, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "Public key for %s does not match " "private key", options.host_key_files[i]);
1734	sshkey_free(pubkey);
1735	pubkey = NULL((void*)0);
1736	}
1737	}
1738	if (pubkey == NULL((void)0) && key != NULL((void)0)) {
1739	if ((r = sshkey_from_private(key, &pubkey)) != 0)
1740	fatal_r(r, "Could not demote key: \"%s\"",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1741 , 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "Could not demote key: \"%s\"" , options.host_key_files[i])
1741	options.host_key_files[i])sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1741 , 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "Could not demote key: \"%s\"" , options.host_key_files[i]);
1742	}
1743	sensitive_data.host_keys[i] = key;
1744	sensitive_data.host_pubkeys[i] = pubkey;
1745
1746	if (key == NULL((void)0) && pubkey != NULL((void)0) && have_agent) {
1747	debug("will rely on agent for hostkey %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1748, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "will rely on agent for hostkey %s" , options.host_key_files[i])
1748	options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1748, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "will rely on agent for hostkey %s" , options.host_key_files[i]);
1749	keytype = pubkey->type;
1750	} else if (key != NULL((void*)0)) {
1751	keytype = key->type;
1752	accumulate_host_timing_secret(cfg, key);
1753	} else {
1754	do_log2(ll, "Unable to load host key: %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1755, 0, ll, ((void*)0), "Unable to load host key: %s", options.host_key_files [i])
1755	options.host_key_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1755, 0, ll, ((void*)0), "Unable to load host key: %s", options.host_key_files [i]);
1756	sensitive_data.host_keys[i] = NULL((void*)0);
1757	sensitive_data.host_pubkeys[i] = NULL((void*)0);
1758	continue;
1759	}
1760
1761	switch (keytype) {
1762	case KEY_RSA:
1763	case KEY_DSA:
1764	case KEY_ECDSA:
1765	case KEY_ED25519:
1766	case KEY_ECDSA_SK:
1767	case KEY_ED25519_SK:
1768	case KEY_XMSS:
1769	if (have_agent \|\| key != NULL((void*)0))
1770	sensitive_data.have_ssh2_key = 1;
1771	break;
1772	}
1773	if ((fp = sshkey_fingerprint(pubkey, options.fingerprint_hash,
1774	SSH_FP_DEFAULT)) == NULL((void*)0))
1775	fatal("sshkey_fingerprint failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1775 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "sshkey_fingerprint failed" );
1776	debug("%s host key #%d: %s %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1777, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "%s host key #%d: %s %s" , key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp)
1777	key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1777, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "%s host key #%d: %s %s" , key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
1778	free(fp);
1779	}
1780	accumulate_host_timing_secret(cfg, NULL((void*)0));
1781	if (!sensitive_data.have_ssh2_key) {
1782	logit("sshd: no hostkeys available -- exiting.")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1782, 0, SYSLOG_LEVEL_INFO, ((void*)0), "sshd: no hostkeys available -- exiting." );
1783	exit(1);
1784	}
1785
1786	/*
1787	* Load certificates. They are stored in an array at identical
1788	* indices to the public keys that they relate to.
1789	*/
1790	sensitive_data.host_certificates = xcalloc(options.num_host_key_files,
1791	sizeof(struct sshkey *));
1792	for (i = 0; i < options.num_host_key_files; i++)
1793	sensitive_data.host_certificates[i] = NULL((void*)0);
1794
1795	for (i = 0; i < options.num_host_cert_files; i++) {
1796	if (options.host_cert_files[i] == NULL((void*)0))
1797	continue;
1798	if ((r = sshkey_load_public(options.host_cert_files[i],
1799	&key, NULL((void*)0))) != 0) {
1800	error_r(r, "Could not load host certificate \"%s\"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1801, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Could not load host certificate \"%s\"" , options.host_cert_files[i])
1801	options.host_cert_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1801, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Could not load host certificate \"%s\"" , options.host_cert_files[i]);
1802	continue;
1803	}
1804	if (!sshkey_is_cert(key)) {
1805	error("Certificate file is not a certificate: %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1806, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "Certificate file is not a certificate: %s" , options.host_cert_files[i])
1806	options.host_cert_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1806, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "Certificate file is not a certificate: %s" , options.host_cert_files[i]);
1807	sshkey_free(key);
1808	continue;
1809	}
1810	/* Find matching private key */
1811	for (j = 0; j < options.num_host_key_files; j++) {
1812	if (sshkey_equal_public(key,
1813	sensitive_data.host_pubkeys[j])) {
1814	sensitive_data.host_certificates[j] = key;
1815	break;
1816	}
1817	}
1818	if (j >= options.num_host_key_files) {
1819	error("No matching private key for certificate: %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1820, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "No matching private key for certificate: %s" , options.host_cert_files[i])
1820	options.host_cert_files[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1820, 0, SYSLOG_LEVEL_ERROR, ((void*)0), "No matching private key for certificate: %s" , options.host_cert_files[i]);
1821	sshkey_free(key);
1822	continue;
1823	}
1824	sensitive_data.host_certificates[j] = key;
1825	debug("host certificate: #%u type %d %s", j, key->type,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1826, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "host certificate: #%u type %d %s" , j, key->type, sshkey_type(key))
1826	sshkey_type(key))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1826, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "host certificate: #%u type %d %s" , j, key->type, sshkey_type(key));
1827	}
1828
1829	if (use_privsep) {
1830	struct stat st;
1831
1832	if (getpwnam(SSH_PRIVSEP_USER"sshd") == NULL((void*)0))
1833	fatal("Privilege separation user %s does not exist",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1834 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Privilege separation user %s does not exist" , "sshd")
1834	SSH_PRIVSEP_USER)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1834 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Privilege separation user %s does not exist" , "sshd");
1835	endpwent();
1836	if ((stat(_PATH_PRIVSEP_CHROOT_DIR"/var/empty", &st) == -1) \|\|
1837	(S_ISDIR(st.st_mode)((st.st_mode & 0170000) == 0040000) == 0))
1838	fatal("Missing privilege separation directory: %s",sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1839 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Missing privilege separation directory: %s" , "/var/empty")
1839	_PATH_PRIVSEP_CHROOT_DIR)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1839 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Missing privilege separation directory: %s" , "/var/empty");
1840	if (st.st_uid != 0 \|\| (st.st_mode & (S_IWGRP0000020\|S_IWOTH0000002)) != 0)
1841	fatal("%s must be owned by root and not group or "sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1842 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "%s must be owned by root and not group or " "world-writable.", "/var/empty")
1842	"world-writable.", _PATH_PRIVSEP_CHROOT_DIR)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1842 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "%s must be owned by root and not group or " "world-writable.", "/var/empty");
1843	}
1844
1845	if (test_flag > 1) {
1846	/*
1847	* If no connection info was provided by -C then use
1848	* use a blank one that will cause no predicate to match.
1849	*/
1850	if (connection_info == NULL((void*)0))
1851	connection_info = get_connection_info(ssh, 0, 0);
1852	connection_info->test = 1;
1853	parse_server_match_config(&options, &includes, connection_info);
1854	dump_config(&options);
1855	}
1856
1857	/* Configuration looks good, so exit if in test mode. */
1858	if (test_flag)
1859	exit(0);
1860
1861	if (rexec_flag) {
1862	if (rexec_argc < 0)
1863	fatal("rexec_argc %d < 0", rexec_argc)sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1863 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "rexec_argc %d < 0", rexec_argc );
1864	rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
1865	for (i = 0; i < (u_int)rexec_argc; i++) {
1866	debug("rexec_argv[%d]='%s'", i, saved_argv[i])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1866, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "rexec_argv[%d]='%s'", i , saved_argv[i]);
1867	rexec_argv[i] = saved_argv[i];
1868	}
1869	rexec_argv[rexec_argc] = "-R";
1870	rexec_argv[rexec_argc + 1] = NULL((void*)0);
1871	}
1872	listener_proctitle = prepare_proctitle(ac, av);
1873
1874	/* Ensure that umask disallows at least group and world write */
1875	new_umask = umask(0077) \| 0022;
1876	(void) umask(new_umask);
1877
1878	/* Initialize the log (it is reinitialized below in case we forked). */
1879	if (debug_flag && (!inetd_flag \|\| rexeced_flag))
1880	log_stderr = 1;
1881	log_init(__progname, options.log_level,
1882	options.log_facility, log_stderr);
1883	for (i = 0; i < options.num_log_verbose; i++)
1884	log_verbose_add(options.log_verbose[i]);
1885
1886	/*
1887	* If not in debugging mode, not started from inetd and not already
1888	* daemonized (eg re-exec via SIGHUP), disconnect from the controlling
1889	* terminal, and fork. The original process exits.
1890	*/
1891	already_daemon = daemonized();
1892	if (!(debug_flag \|\| inetd_flag \|\| no_daemon_flag \|\| already_daemon)) {
1893
1894	if (daemon(0, 0) == -1)
1895	fatal("daemon() failed: %.200s", strerror(errno))sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1895 , 0, SYSLOG_LEVEL_FATAL, ((void)0), "daemon() failed: %.200s" , strerror((__errno())));
1896
1897	disconnect_controlling_tty();
1898	}
1899	/* Reinitialize the log (because of the fork above). */
1900	log_init(__progname, options.log_level, options.log_facility, log_stderr);
1901
1902	/*
1903	* Chdir to the root directory so that the current disk can be
1904	* unmounted if desired.
1905	*/
1906	if (chdir("/") == -1)
1907	error("chdir(\"/\"): %s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1907, 0, SYSLOG_LEVEL_ERROR, ((void)0), "chdir(\"/\"): %s", strerror ((__errno())));
1908
1909	/* ignore SIGPIPE */
1910	ssh_signal(SIGPIPE13, SIG_IGN(void (*)(int))1);
1911
1912	/* Get a connection, either from inetd or a listening TCP socket */
1913	if (inetd_flag) {
1914	server_accept_inetd(&sock_in, &sock_out);
1915	} else {
1916	server_listen();
1917
1918	ssh_signal(SIGHUP1, sighup_handler);
1919	ssh_signal(SIGCHLD20, main_sigchld_handler);
1920	ssh_signal(SIGTERM15, sigterm_handler);
1921	ssh_signal(SIGQUIT3, sigterm_handler);
1922
1923	/*
1924	* Write out the pid file after the sigterm handler
1925	* is setup and the listen sockets are bound
1926	*/
1927	if (options.pid_file != NULL((void*)0) && !debug_flag) {
1928	FILE *f = fopen(options.pid_file, "w");
1929
1930	if (f == NULL((void*)0)) {
1931	error("Couldn't create pid file \"%s\": %s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1932, 0, SYSLOG_LEVEL_ERROR, ((void)0), "Couldn't create pid file \"%s\": %s" , options.pid_file, strerror((__errno())))
1932	options.pid_file, strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1932, 0, SYSLOG_LEVEL_ERROR, ((void)0), "Couldn't create pid file \"%s\": %s" , options.pid_file, strerror((__errno())));
1933	} else {
1934	fprintf(f, "%ld\n", (long) getpid());
1935	fclose(f);
1936	}
1937	}
1938
1939	/* Accept a connection and return in a forked child */
1940	server_accept_loop(&sock_in, &sock_out,
1941	&newsock, config_s);
1942	}
1943
1944	/* This is the child processing a new connection. */
1945	setproctitle("%s", "[accepted]");
1946
1947	/*
1948	* Create a new session and process group since the 4.4BSD
1949	* setlogin() affects the entire process group. We don't
1950	* want the child to be able to affect the parent.
1951	*/
1952	if (!debug_flag && !inetd_flag && setsid() == -1)
1953	error("setsid: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1953, 0, SYSLOG_LEVEL_ERROR, ((void)0), "setsid: %.100s", strerror ((__errno())));
1954
1955	if (rexec_flag) {
1956	debug("rexec start in %d out %d newsock %d pipe %d sock %d",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1957, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "rexec start in %d out %d newsock %d pipe %d sock %d" , sock_in, sock_out, newsock, startup_pipe, config_s[0])
1957	sock_in, sock_out, newsock, startup_pipe, config_s[0])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1957, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "rexec start in %d out %d newsock %d pipe %d sock %d" , sock_in, sock_out, newsock, startup_pipe, config_s[0]);
1958	dup2(newsock, STDIN_FILENO0);
1959	dup2(STDIN_FILENO0, STDOUT_FILENO1);
1960	if (startup_pipe == -1)
1961	close(REEXEC_STARTUP_PIPE_FD(2 + 2));
1962	else if (startup_pipe != REEXEC_STARTUP_PIPE_FD(2 + 2)) {
1963	dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD(2 + 2));
1964	close(startup_pipe);
1965	startup_pipe = REEXEC_STARTUP_PIPE_FD(2 + 2);
1966	}
1967
1968	dup2(config_s[1], REEXEC_CONFIG_PASS_FD(2 + 3));
1969	close(config_s[1]);
1970
1971	ssh_signal(SIGHUP1, SIG_IGN(void ()(int))1); / avoid reset to SIG_DFL */
1972	execv(rexec_argv[0], rexec_argv);
1973
1974	/* Reexec has failed, fall back and continue */
1975	error("rexec of %s failed: %s", rexec_argv[0], strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1975, 0, SYSLOG_LEVEL_ERROR, ((void)0), "rexec of %s failed: %s", rexec_argv[0], strerror((__errno())));
1976	recv_rexec_state(REEXEC_CONFIG_PASS_FD(2 + 3), NULL((void*)0));
1977	log_init(__progname, options.log_level,
1978	options.log_facility, log_stderr);
1979
1980	/* Clean up fds */
1981	close(REEXEC_CONFIG_PASS_FD(2 + 3));
1982	newsock = sock_out = sock_in = dup(STDIN_FILENO0);
1983	if (stdfd_devnull(1, 1, 0) == -1)
1984	error_f("stdfd_devnull failed")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1984, 1, SYSLOG_LEVEL_ERROR, ((void*)0), "stdfd_devnull failed");
1985	debug("rexec cleanup in %d out %d newsock %d pipe %d sock %d",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1986, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "rexec cleanup in %d out %d newsock %d pipe %d sock %d" , sock_in, sock_out, newsock, startup_pipe, config_s[0])
1986	sock_in, sock_out, newsock, startup_pipe, config_s[0])sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 1986, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "rexec cleanup in %d out %d newsock %d pipe %d sock %d" , sock_in, sock_out, newsock, startup_pipe, config_s[0]);
1987	}
1988
1989	/* Executed child processes don't need these. */
1990	fcntl(sock_out, F_SETFD2, FD_CLOEXEC1);
1991	fcntl(sock_in, F_SETFD2, FD_CLOEXEC1);
1992
1993	/* We will not restart on SIGHUP since it no longer makes sense. */
1994	ssh_signal(SIGALRM14, SIG_DFL(void (*)(int))0);
1995	ssh_signal(SIGHUP1, SIG_DFL(void (*)(int))0);
1996	ssh_signal(SIGTERM15, SIG_DFL(void (*)(int))0);
1997	ssh_signal(SIGQUIT3, SIG_DFL(void (*)(int))0);
1998	ssh_signal(SIGCHLD20, SIG_DFL(void (*)(int))0);
1999
2000	/*
2001	* Register our connection. This turns encryption off because we do
2002	* not have a key.
2003	*/
2004	if ((ssh = ssh_packet_set_connection(NULL((void)0), sock_in, sock_out)) == NULL((void)0))
2005	fatal("Unable to create connection")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2005 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "Unable to create connection" );
2006	the_active_state = ssh;
2007	ssh_packet_set_server(ssh);
2008
2009	check_ip_options(ssh);
2010
2011	/* Prepare the channels layer */
2012	channel_init_channels(ssh);
2013	channel_set_af(ssh, options.address_family);
2014	process_permitopen(ssh, &options);
2015
2016	/* Set SO_KEEPALIVE if requested. */
2017	if (options.tcp_keep_alive && ssh_packet_connection_is_on_socket(ssh) &&
2018	setsockopt(sock_in, SOL_SOCKET0xffff, SO_KEEPALIVE0x0008, &on, sizeof(on)) == -1)
2019	error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2019, 0, SYSLOG_LEVEL_ERROR, ((void)0), "setsockopt SO_KEEPALIVE: %.100s" , strerror((__errno())));
2020
2021	if ((remote_port = ssh_remote_port(ssh)) < 0) {
2022	debug("ssh_remote_port failed")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2022, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "ssh_remote_port failed" );
2023	cleanup_exit(255);
2024	}
2025
2026	/*
2027	* The rest of the code depends on the fact that
2028	* ssh_remote_ipaddr() caches the remote ip, even if
2029	* the socket goes away.
2030	*/
2031	remote_ip = ssh_remote_ipaddr(ssh);
2032
2033	rdomain = ssh_packet_rdomain_in(ssh);
2034
2035	/* Log the connection. */
2036	laddr = get_local_ipaddr(sock_in);
2037	verbose("Connection from %s port %d on %s port %d%s%s%s",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2041, 0, SYSLOG_LEVEL_VERBOSE, ((void)0), "Connection from %s port %d on %s port %d%s%s%s" , remote_ip, remote_port, laddr, ssh_local_port(ssh), rdomain == ((void)0) ? "" : " rdomain \"", rdomain == ((void)0) ? "" : rdomain, rdomain == ((void)0) ? "" : "\"")
2038	remote_ip, remote_port, laddr, ssh_local_port(ssh),sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2041, 0, SYSLOG_LEVEL_VERBOSE, ((void)0), "Connection from %s port %d on %s port %d%s%s%s" , remote_ip, remote_port, laddr, ssh_local_port(ssh), rdomain == ((void)0) ? "" : " rdomain \"", rdomain == ((void)0) ? "" : rdomain, rdomain == ((void)0) ? "" : "\"")
2039	rdomain == NULL ? "" : " rdomain \"",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2041, 0, SYSLOG_LEVEL_VERBOSE, ((void)0), "Connection from %s port %d on %s port %d%s%s%s" , remote_ip, remote_port, laddr, ssh_local_port(ssh), rdomain == ((void)0) ? "" : " rdomain \"", rdomain == ((void)0) ? "" : rdomain, rdomain == ((void)0) ? "" : "\"")
2040	rdomain == NULL ? "" : rdomain,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2041, 0, SYSLOG_LEVEL_VERBOSE, ((void)0), "Connection from %s port %d on %s port %d%s%s%s" , remote_ip, remote_port, laddr, ssh_local_port(ssh), rdomain == ((void)0) ? "" : " rdomain \"", rdomain == ((void)0) ? "" : rdomain, rdomain == ((void)0) ? "" : "\"")
2041	rdomain == NULL ? "" : "\"")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2041, 0, SYSLOG_LEVEL_VERBOSE, ((void)0), "Connection from %s port %d on %s port %d%s%s%s" , remote_ip, remote_port, laddr, ssh_local_port(ssh), rdomain == ((void)0) ? "" : " rdomain \"", rdomain == ((void)0) ? "" : rdomain, rdomain == ((void)0) ? "" : "\"");
2042	free(laddr);
2043
2044	/*
2045	* We don't want to listen forever unless the other side
2046	* successfully authenticates itself. So we set up an alarm which is
2047	* cleared after successful authentication. A limit of zero
2048	* indicates no limit. Note that we don't set the alarm in debugging
2049	* mode; it is just annoying to have the server exit just when you
2050	* are about to discover the bug.
2051	*/
2052	ssh_signal(SIGALRM14, grace_alarm_handler);
2053	if (!debug_flag)
2054	alarm(options.login_grace_time);
2055
2056	if ((r = kex_exchange_identification(ssh, -1,
2057	options.version_addendum)) != 0)
2058	sshpkt_fatal(ssh, r, "banner exchange");
2059
2060	ssh_packet_set_nonblocking(ssh);
2061
2062	/* allocate authentication context */
2063	authctxt = xcalloc(1, sizeof(*authctxt));
2064	ssh->authctxt = authctxt;
2065
2066	/* XXX global for cleanup, access from other modules */
2067	the_authctxt = authctxt;
2068
2069	/* Set default key authentication options */
2070	if ((auth_opts = sshauthopt_new_with_keys_defaults()) == NULL((void*)0))
2071	fatal("allocation failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2071 , 0, SYSLOG_LEVEL_FATAL, ((void*)0), "allocation failed");
2072
2073	/* prepare buffer to collect messages to display to user after login */
2074	if ((loginmsg = sshbuf_new()) == NULL((void*)0))
2075	fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2075 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "sshbuf_new failed");
2076	auth_debug_reset();
2077
2078	if (use_privsep) {
2079	if (privsep_preauth(ssh) == 1)
2080	goto authenticated;
2081	} else if (have_agent) {
2082	if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) {
2083	error_r(r, "Unable to get agent socket")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2083, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "Unable to get agent socket" );
2084	have_agent = 0;
2085	}
2086	}
2087
2088	/* perform the key exchange */
2089	/* authenticate user and start session */
2090	do_ssh2_kex(ssh);
2091	do_authentication2(ssh);
2092
2093	/*
2094	* If we use privilege separation, the unprivileged child transfers
2095	* the current keystate and exits
2096	*/
2097	if (use_privsep) {
2098	mm_send_keystate(ssh, pmonitor);
2099	ssh_packet_clear_keys(ssh);
2100	exit(0);
2101	}
2102
2103	authenticated:
2104	/*
2105	* Cancel the alarm we set to limit the time taken for
2106	* authentication.
2107	*/
2108	alarm(0);
2109	ssh_signal(SIGALRM14, SIG_DFL(void (*)(int))0);
2110	authctxt->authenticated = 1;
2111	if (startup_pipe != -1) {
2112	close(startup_pipe);
2113	startup_pipe = -1;
2114	}
2115
2116	if (options.routing_domain != NULL((void*)0))
2117	set_process_rdomain(ssh, options.routing_domain);
2118
2119	/*
2120	* In privilege separation, we fork another child and prepare
2121	* file descriptor passing.
2122	*/
2123	if (use_privsep) {
2124	privsep_postauth(ssh, authctxt);
2125	/* the monitor process [priv] will not return */
2126	}
2127
2128	ssh_packet_set_timeout(ssh, options.client_alive_interval,
2129	options.client_alive_count_max);
2130
2131	/* Try to send all our hostkeys to the client */
2132	notify_hostkeys(ssh);
2133
2134	/* Start session. */
2135	do_authenticated(ssh, authctxt);
2136
2137	/* The connection has been terminated. */
2138	ssh_packet_get_bytes(ssh, &ibytes, &obytes);
2139	verbose("Transferred: sent %llu, received %llu bytes",sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2140, 0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Transferred: sent %llu, received %llu bytes" , (unsigned long long)obytes, (unsigned long long)ibytes)
2140	(unsigned long long)obytes, (unsigned long long)ibytes)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2140, 0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Transferred: sent %llu, received %llu bytes" , (unsigned long long)obytes, (unsigned long long)ibytes);
2141
2142	verbose("Closing connection to %.500s port %d", remote_ip, remote_port)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2142, 0, SYSLOG_LEVEL_VERBOSE, ((void*)0), "Closing connection to %.500s port %d" , remote_ip, remote_port);
2143	ssh_packet_close(ssh);
2144
2145	if (use_privsep)
2146	mm_terminate();
2147
2148	exit(0);
2149	}
2150
2151	int
2152	sshd_hostkey_sign(struct ssh ssh, struct sshkey privkey,
2153	struct sshkey pubkey, u_char signature, size_t slenp,
2154	const u_char data, size_t dlen, const char alg)
2155	{
2156	int r;
2157
2158	if (use_privsep) {
2159	if (privkey) {
2160	if (mm_sshkey_sign(ssh, privkey, signature, slenp,
2161	data, dlen, alg, options.sk_provider, NULL((void*)0),
2162	ssh->compat) < 0)
2163	fatal_f("privkey sign failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2163 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "privkey sign failed");
2164	} else {
2165	if (mm_sshkey_sign(ssh, pubkey, signature, slenp,
2166	data, dlen, alg, options.sk_provider, NULL((void*)0),
2167	ssh->compat) < 0)
2168	fatal_f("pubkey sign failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2168 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "pubkey sign failed");
2169	}
2170	} else {
2171	if (privkey) {
2172	if (sshkey_sign(privkey, signature, slenp, data, dlen,
2173	alg, options.sk_provider, NULL((void*)0), ssh->compat) < 0)
2174	fatal_f("privkey sign failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2174 , 1, SYSLOG_LEVEL_FATAL, ((void*)0), "privkey sign failed");
2175	} else {
2176	if ((r = ssh_agent_sign(auth_sock, pubkey,
2177	signature, slenp, data, dlen, alg,
2178	ssh->compat)) != 0) {
2179	fatal_fr(r, "agent sign failed")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2179 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "agent sign failed");
2180	}
2181	}
2182	}
2183	return 0;
2184	}
2185
2186	/* SSH2 key exchange */
2187	static void
2188	do_ssh2_kex(struct ssh *ssh)
2189	{
2190	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER"curve25519-sha256," "curve25519-sha256@libssh.org," "ecdh-sha2-nistp256," "ecdh-sha2-nistp384," "ecdh-sha2-nistp521," "sntrup761x25519-sha512@openssh.com," "diffie-hellman-group-exchange-sha256," "diffie-hellman-group16-sha512," "diffie-hellman-group18-sha512," "diffie-hellman-group14-sha256" , "ssh-ed25519-cert-v01@openssh.com," "ecdsa-sha2-nistp256-cert-v01@openssh.com," "ecdsa-sha2-nistp384-cert-v01@openssh.com," "ecdsa-sha2-nistp521-cert-v01@openssh.com," "sk-ssh-ed25519-cert-v01@openssh.com," "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," "rsa-sha2-512-cert-v01@openssh.com," "rsa-sha2-256-cert-v01@openssh.com," "ssh-ed25519," "ecdsa-sha2-nistp256," "ecdsa-sha2-nistp384," "ecdsa-sha2-nistp521," "sk-ssh-ed25519@openssh.com," "sk-ecdsa-sha2-nistp256@openssh.com," "rsa-sha2-512," "rsa-sha2-256", "chacha20-poly1305@openssh.com," "aes128-ctr,aes192-ctr,aes256-ctr," "aes128-gcm@openssh.com,aes256-gcm@openssh.com" , "chacha20-poly1305@openssh.com," "aes128-ctr,aes192-ctr,aes256-ctr," "aes128-gcm@openssh.com,aes256-gcm@openssh.com", "umac-64-etm@openssh.com," "umac-128-etm@openssh.com," "hmac-sha2-256-etm@openssh.com," "hmac-sha2-512-etm@openssh.com," "hmac-sha1-etm@openssh.com," "umac-64@openssh.com," "umac-128@openssh.com," "hmac-sha2-256," "hmac-sha2-512," "hmac-sha1", "umac-64-etm@openssh.com," "umac-128-etm@openssh.com," "hmac-sha2-256-etm@openssh.com," "hmac-sha2-512-etm@openssh.com," "hmac-sha1-etm@openssh.com," "umac-64@openssh.com," "umac-128@openssh.com," "hmac-sha2-256," "hmac-sha2-512," "hmac-sha1", "none,zlib@openssh.com" , "none,zlib@openssh.com", "", "" };
2191	struct kex *kex;
2192	int r;
2193
2194	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
2195	options.kex_algorithms);
2196	myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
2197	options.ciphers);
2198	myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh,
2199	options.ciphers);
2200	myproposal[PROPOSAL_MAC_ALGS_CTOS] =
2201	myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
2202
2203	if (options.compression == COMP_NONE0) {
2204	myproposal[PROPOSAL_COMP_ALGS_CTOS] =
2205	myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
2206	}
2207
2208	if (options.rekey_limit \|\| options.rekey_interval)
2209	ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
2210	options.rekey_interval);
2211
2212	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
2213	ssh, list_hostkey_types());
2214
2215	/* start key exchange */
2216	if ((r = kex_setup(ssh, myproposal)) != 0)
2217	fatal_r(r, "kex_setup")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2217 , 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "kex_setup");
2218	kex = ssh->kex;
2219	#ifdef WITH_OPENSSL1
2220	kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server;
2221	kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server;
2222	kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_server;
2223	kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_server;
2224	kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_server;
2225	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2226	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2227	kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
2228	#endif
2229	kex->kex[KEX_C25519_SHA256] = kex_gen_server;
2230	kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
2231	kex->load_host_public_key=&get_hostkey_public_by_type;
2232	kex->load_host_private_key=&get_hostkey_private_by_type;
2233	kex->host_key_index=&get_hostkey_index;
2234	kex->sign = sshd_hostkey_sign;
2235
2236	ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &kex->done);
2237
2238	#ifdef DEBUG_KEXDH
2239	/* send 1st encrypted/maced/compressed message */
2240	if ((r = sshpkt_start(ssh, SSH2_MSG_IGNORE2)) != 0 \|\|
2241	(r = sshpkt_put_cstring(ssh, "markus")) != 0 \|\|
2242	(r = sshpkt_send(ssh)) != 0 \|\|
2243	(r = ssh_packet_write_wait(ssh)) != 0)
2244	fatal_fr(r, "send test")sshfatal("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2244 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send test");
2245	#endif
2246	debug("KEX done")sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2246, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "KEX done");
2247	}
2248
2249	/* server specific fatal cleanup */
2250	void
2251	cleanup_exit(int i)
2252	{
2253	if (the_active_state != NULL((void)0) && the_authctxt != NULL((void)0)) {
2254	do_cleanup(the_active_state, the_authctxt);
2255	if (use_privsep && privsep_is_preauth &&
2256	pmonitor != NULL((void*)0) && pmonitor->m_pid > 1) {
2257	debug("Killing privsep child %d", pmonitor->m_pid)sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2257, 0, SYSLOG_LEVEL_DEBUG1, ((void*)0), "Killing privsep child %d" , pmonitor->m_pid);
2258	if (kill(pmonitor->m_pid, SIGKILL9) != 0 &&
2259	errno(*__errno()) != ESRCH3) {
2260	error_f("kill(%d): %s", pmonitor->m_pid,sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2261, 1, SYSLOG_LEVEL_ERROR, ((void)0), "kill(%d): %s", pmonitor-> m_pid, strerror((__errno())))
2261	strerror(errno))sshlog("/usr/src/usr.bin/ssh/sshd/../sshd.c", __func__, 2261, 1, SYSLOG_LEVEL_ERROR, ((void)0), "kill(%d): %s", pmonitor-> m_pid, strerror((__errno())));
2262	}
2263	}
2264	}
2265	_exit(i);
2266	}