Permalink
Switch branches/tags
Nothing to show
Find file
Fetching contributors…
Cannot retrieve contributors at this time
9886 lines (9030 sloc) 289 KB
/*
* SSH backend.
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <assert.h>
#include <limits.h>
#include <signal.h>
#include "putty.h"
#include "tree234.h"
#include "ssh.h"
#ifndef NO_GSSAPI
#include "sshgssc.h"
#include "sshgss.h"
#endif
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE 1
#endif
#define SSH1_MSG_DISCONNECT 1 /* 0x1 */
#define SSH1_SMSG_PUBLIC_KEY 2 /* 0x2 */
#define SSH1_CMSG_SESSION_KEY 3 /* 0x3 */
#define SSH1_CMSG_USER 4 /* 0x4 */
#define SSH1_CMSG_AUTH_RSA 6 /* 0x6 */
#define SSH1_SMSG_AUTH_RSA_CHALLENGE 7 /* 0x7 */
#define SSH1_CMSG_AUTH_RSA_RESPONSE 8 /* 0x8 */
#define SSH1_CMSG_AUTH_PASSWORD 9 /* 0x9 */
#define SSH1_CMSG_REQUEST_PTY 10 /* 0xa */
#define SSH1_CMSG_WINDOW_SIZE 11 /* 0xb */
#define SSH1_CMSG_EXEC_SHELL 12 /* 0xc */
#define SSH1_CMSG_EXEC_CMD 13 /* 0xd */
#define SSH1_SMSG_SUCCESS 14 /* 0xe */
#define SSH1_SMSG_FAILURE 15 /* 0xf */
#define SSH1_CMSG_STDIN_DATA 16 /* 0x10 */
#define SSH1_SMSG_STDOUT_DATA 17 /* 0x11 */
#define SSH1_SMSG_STDERR_DATA 18 /* 0x12 */
#define SSH1_CMSG_EOF 19 /* 0x13 */
#define SSH1_SMSG_EXIT_STATUS 20 /* 0x14 */
#define SSH1_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* 0x15 */
#define SSH1_MSG_CHANNEL_OPEN_FAILURE 22 /* 0x16 */
#define SSH1_MSG_CHANNEL_DATA 23 /* 0x17 */
#define SSH1_MSG_CHANNEL_CLOSE 24 /* 0x18 */
#define SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* 0x19 */
#define SSH1_SMSG_X11_OPEN 27 /* 0x1b */
#define SSH1_CMSG_PORT_FORWARD_REQUEST 28 /* 0x1c */
#define SSH1_MSG_PORT_OPEN 29 /* 0x1d */
#define SSH1_CMSG_AGENT_REQUEST_FORWARDING 30 /* 0x1e */
#define SSH1_SMSG_AGENT_OPEN 31 /* 0x1f */
#define SSH1_MSG_IGNORE 32 /* 0x20 */
#define SSH1_CMSG_EXIT_CONFIRMATION 33 /* 0x21 */
#define SSH1_CMSG_X11_REQUEST_FORWARDING 34 /* 0x22 */
#define SSH1_CMSG_AUTH_RHOSTS_RSA 35 /* 0x23 */
#define SSH1_MSG_DEBUG 36 /* 0x24 */
#define SSH1_CMSG_REQUEST_COMPRESSION 37 /* 0x25 */
#define SSH1_CMSG_AUTH_TIS 39 /* 0x27 */
#define SSH1_SMSG_AUTH_TIS_CHALLENGE 40 /* 0x28 */
#define SSH1_CMSG_AUTH_TIS_RESPONSE 41 /* 0x29 */
#define SSH1_CMSG_AUTH_CCARD 70 /* 0x46 */
#define SSH1_SMSG_AUTH_CCARD_CHALLENGE 71 /* 0x47 */
#define SSH1_CMSG_AUTH_CCARD_RESPONSE 72 /* 0x48 */
#define SSH1_AUTH_RHOSTS 1 /* 0x1 */
#define SSH1_AUTH_RSA 2 /* 0x2 */
#define SSH1_AUTH_PASSWORD 3 /* 0x3 */
#define SSH1_AUTH_RHOSTS_RSA 4 /* 0x4 */
#define SSH1_AUTH_TIS 5 /* 0x5 */
#define SSH1_AUTH_CCARD 16 /* 0x10 */
#define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */
/* Mask for protoflags we will echo back to server if seen */
#define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */
#define SSH2_MSG_DISCONNECT 1 /* 0x1 */
#define SSH2_MSG_IGNORE 2 /* 0x2 */
#define SSH2_MSG_UNIMPLEMENTED 3 /* 0x3 */
#define SSH2_MSG_DEBUG 4 /* 0x4 */
#define SSH2_MSG_SERVICE_REQUEST 5 /* 0x5 */
#define SSH2_MSG_SERVICE_ACCEPT 6 /* 0x6 */
#define SSH2_MSG_KEXINIT 20 /* 0x14 */
#define SSH2_MSG_NEWKEYS 21 /* 0x15 */
#define SSH2_MSG_KEXDH_INIT 30 /* 0x1e */
#define SSH2_MSG_KEXDH_REPLY 31 /* 0x1f */
#define SSH2_MSG_KEX_DH_GEX_REQUEST 30 /* 0x1e */
#define SSH2_MSG_KEX_DH_GEX_GROUP 31 /* 0x1f */
#define SSH2_MSG_KEX_DH_GEX_INIT 32 /* 0x20 */
#define SSH2_MSG_KEX_DH_GEX_REPLY 33 /* 0x21 */
#define SSH2_MSG_KEXRSA_PUBKEY 30 /* 0x1e */
#define SSH2_MSG_KEXRSA_SECRET 31 /* 0x1f */
#define SSH2_MSG_KEXRSA_DONE 32 /* 0x20 */
#define SSH2_MSG_USERAUTH_REQUEST 50 /* 0x32 */
#define SSH2_MSG_USERAUTH_FAILURE 51 /* 0x33 */
#define SSH2_MSG_USERAUTH_SUCCESS 52 /* 0x34 */
#define SSH2_MSG_USERAUTH_BANNER 53 /* 0x35 */
#define SSH2_MSG_USERAUTH_PK_OK 60 /* 0x3c */
#define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 /* 0x3c */
#define SSH2_MSG_USERAUTH_INFO_REQUEST 60 /* 0x3c */
#define SSH2_MSG_USERAUTH_INFO_RESPONSE 61 /* 0x3d */
#define SSH2_MSG_GLOBAL_REQUEST 80 /* 0x50 */
#define SSH2_MSG_REQUEST_SUCCESS 81 /* 0x51 */
#define SSH2_MSG_REQUEST_FAILURE 82 /* 0x52 */
#define SSH2_MSG_CHANNEL_OPEN 90 /* 0x5a */
#define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION 91 /* 0x5b */
#define SSH2_MSG_CHANNEL_OPEN_FAILURE 92 /* 0x5c */
#define SSH2_MSG_CHANNEL_WINDOW_ADJUST 93 /* 0x5d */
#define SSH2_MSG_CHANNEL_DATA 94 /* 0x5e */
#define SSH2_MSG_CHANNEL_EXTENDED_DATA 95 /* 0x5f */
#define SSH2_MSG_CHANNEL_EOF 96 /* 0x60 */
#define SSH2_MSG_CHANNEL_CLOSE 97 /* 0x61 */
#define SSH2_MSG_CHANNEL_REQUEST 98 /* 0x62 */
#define SSH2_MSG_CHANNEL_SUCCESS 99 /* 0x63 */
#define SSH2_MSG_CHANNEL_FAILURE 100 /* 0x64 */
#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60
#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61
#define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63
#define SSH2_MSG_USERAUTH_GSSAPI_ERROR 64
#define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65
#define SSH2_MSG_USERAUTH_GSSAPI_MIC 66
/*
* Packet type contexts, so that ssh2_pkt_type can correctly decode
* the ambiguous type numbers back into the correct type strings.
*/
typedef enum {
SSH2_PKTCTX_NOKEX,
SSH2_PKTCTX_DHGROUP,
SSH2_PKTCTX_DHGEX,
SSH2_PKTCTX_RSAKEX
} Pkt_KCtx;
typedef enum {
SSH2_PKTCTX_NOAUTH,
SSH2_PKTCTX_PUBLICKEY,
SSH2_PKTCTX_PASSWORD,
SSH2_PKTCTX_GSSAPI,
SSH2_PKTCTX_KBDINTER
} Pkt_ACtx;
#define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */
#define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */
#define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */
#define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */
#define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */
#define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */
#define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */
#define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */
#define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */
#define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */
#define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */
#define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */
#define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */
#define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */
#define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */
static const char *const ssh2_disconnect_reasons[] = {
NULL,
"host not allowed to connect",
"protocol error",
"key exchange failed",
"host authentication failed",
"MAC error",
"compression error",
"service not available",
"protocol version not supported",
"host key not verifiable",
"connection lost",
"by application",
"too many connections",
"auth cancelled by user",
"no more auth methods available",
"illegal user name",
};
#define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */
#define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */
#define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */
#define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */
#define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */
/*
* Various remote-bug flags.
*/
#define BUG_CHOKES_ON_SSH1_IGNORE 1
#define BUG_SSH2_HMAC 2
#define BUG_NEEDS_SSH1_PLAIN_PASSWORD 4
#define BUG_CHOKES_ON_RSA 8
#define BUG_SSH2_RSA_PADDING 16
#define BUG_SSH2_DERIVEKEY 32
#define BUG_SSH2_REKEY 64
#define BUG_SSH2_PK_SESSIONID 128
#define BUG_SSH2_MAXPKT 256
#define BUG_CHOKES_ON_SSH2_IGNORE 512
/*
* Codes for terminal modes.
* Most of these are the same in SSH-1 and SSH-2.
* This list is derived from RFC 4254 and
* SSH-1 RFC-1.2.31.
*/
static const struct {
const char* const mode;
int opcode;
enum { TTY_OP_CHAR, TTY_OP_BOOL } type;
} ssh_ttymodes[] = {
/* "V" prefix discarded for special characters relative to SSH specs */
{ "INTR", 1, TTY_OP_CHAR },
{ "QUIT", 2, TTY_OP_CHAR },
{ "ERASE", 3, TTY_OP_CHAR },
{ "KILL", 4, TTY_OP_CHAR },
{ "EOF", 5, TTY_OP_CHAR },
{ "EOL", 6, TTY_OP_CHAR },
{ "EOL2", 7, TTY_OP_CHAR },
{ "START", 8, TTY_OP_CHAR },
{ "STOP", 9, TTY_OP_CHAR },
{ "SUSP", 10, TTY_OP_CHAR },
{ "DSUSP", 11, TTY_OP_CHAR },
{ "REPRINT", 12, TTY_OP_CHAR },
{ "WERASE", 13, TTY_OP_CHAR },
{ "LNEXT", 14, TTY_OP_CHAR },
{ "FLUSH", 15, TTY_OP_CHAR },
{ "SWTCH", 16, TTY_OP_CHAR },
{ "STATUS", 17, TTY_OP_CHAR },
{ "DISCARD", 18, TTY_OP_CHAR },
{ "IGNPAR", 30, TTY_OP_BOOL },
{ "PARMRK", 31, TTY_OP_BOOL },
{ "INPCK", 32, TTY_OP_BOOL },
{ "ISTRIP", 33, TTY_OP_BOOL },
{ "INLCR", 34, TTY_OP_BOOL },
{ "IGNCR", 35, TTY_OP_BOOL },
{ "ICRNL", 36, TTY_OP_BOOL },
{ "IUCLC", 37, TTY_OP_BOOL },
{ "IXON", 38, TTY_OP_BOOL },
{ "IXANY", 39, TTY_OP_BOOL },
{ "IXOFF", 40, TTY_OP_BOOL },
{ "IMAXBEL", 41, TTY_OP_BOOL },
{ "ISIG", 50, TTY_OP_BOOL },
{ "ICANON", 51, TTY_OP_BOOL },
{ "XCASE", 52, TTY_OP_BOOL },
{ "ECHO", 53, TTY_OP_BOOL },
{ "ECHOE", 54, TTY_OP_BOOL },
{ "ECHOK", 55, TTY_OP_BOOL },
{ "ECHONL", 56, TTY_OP_BOOL },
{ "NOFLSH", 57, TTY_OP_BOOL },
{ "TOSTOP", 58, TTY_OP_BOOL },
{ "IEXTEN", 59, TTY_OP_BOOL },
{ "ECHOCTL", 60, TTY_OP_BOOL },
{ "ECHOKE", 61, TTY_OP_BOOL },
{ "PENDIN", 62, TTY_OP_BOOL }, /* XXX is this a real mode? */
{ "OPOST", 70, TTY_OP_BOOL },
{ "OLCUC", 71, TTY_OP_BOOL },
{ "ONLCR", 72, TTY_OP_BOOL },
{ "OCRNL", 73, TTY_OP_BOOL },
{ "ONOCR", 74, TTY_OP_BOOL },
{ "ONLRET", 75, TTY_OP_BOOL },
{ "CS7", 90, TTY_OP_BOOL },
{ "CS8", 91, TTY_OP_BOOL },
{ "PARENB", 92, TTY_OP_BOOL },
{ "PARODD", 93, TTY_OP_BOOL }
};
/* Miscellaneous other tty-related constants. */
#define SSH_TTY_OP_END 0
/* The opcodes for ISPEED/OSPEED differ between SSH-1 and SSH-2. */
#define SSH1_TTY_OP_ISPEED 192
#define SSH1_TTY_OP_OSPEED 193
#define SSH2_TTY_OP_ISPEED 128
#define SSH2_TTY_OP_OSPEED 129
/* Helper functions for parsing tty-related config. */
static unsigned int ssh_tty_parse_specchar(char *s)
{
unsigned int ret;
if (*s) {
char *next = NULL;
ret = ctrlparse(s, &next);
if (!next) ret = s[0];
} else {
ret = 255; /* special value meaning "don't set" */
}
return ret;
}
static unsigned int ssh_tty_parse_boolean(char *s)
{
if (stricmp(s, "yes") == 0 ||
stricmp(s, "on") == 0 ||
stricmp(s, "true") == 0 ||
stricmp(s, "+") == 0)
return 1; /* true */
else if (stricmp(s, "no") == 0 ||
stricmp(s, "off") == 0 ||
stricmp(s, "false") == 0 ||
stricmp(s, "-") == 0)
return 0; /* false */
else
return (atoi(s) != 0);
}
#define translate(x) if (type == x) return #x
#define translatek(x,ctx) if (type == x && (pkt_kctx == ctx)) return #x
#define translatea(x,ctx) if (type == x && (pkt_actx == ctx)) return #x
static char *ssh1_pkt_type(int type)
{
translate(SSH1_MSG_DISCONNECT);
translate(SSH1_SMSG_PUBLIC_KEY);
translate(SSH1_CMSG_SESSION_KEY);
translate(SSH1_CMSG_USER);
translate(SSH1_CMSG_AUTH_RSA);
translate(SSH1_SMSG_AUTH_RSA_CHALLENGE);
translate(SSH1_CMSG_AUTH_RSA_RESPONSE);
translate(SSH1_CMSG_AUTH_PASSWORD);
translate(SSH1_CMSG_REQUEST_PTY);
translate(SSH1_CMSG_WINDOW_SIZE);
translate(SSH1_CMSG_EXEC_SHELL);
translate(SSH1_CMSG_EXEC_CMD);
translate(SSH1_SMSG_SUCCESS);
translate(SSH1_SMSG_FAILURE);
translate(SSH1_CMSG_STDIN_DATA);
translate(SSH1_SMSG_STDOUT_DATA);
translate(SSH1_SMSG_STDERR_DATA);
translate(SSH1_CMSG_EOF);
translate(SSH1_SMSG_EXIT_STATUS);
translate(SSH1_MSG_CHANNEL_OPEN_CONFIRMATION);
translate(SSH1_MSG_CHANNEL_OPEN_FAILURE);
translate(SSH1_MSG_CHANNEL_DATA);
translate(SSH1_MSG_CHANNEL_CLOSE);
translate(SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION);
translate(SSH1_SMSG_X11_OPEN);
translate(SSH1_CMSG_PORT_FORWARD_REQUEST);
translate(SSH1_MSG_PORT_OPEN);
translate(SSH1_CMSG_AGENT_REQUEST_FORWARDING);
translate(SSH1_SMSG_AGENT_OPEN);
translate(SSH1_MSG_IGNORE);
translate(SSH1_CMSG_EXIT_CONFIRMATION);
translate(SSH1_CMSG_X11_REQUEST_FORWARDING);
translate(SSH1_CMSG_AUTH_RHOSTS_RSA);
translate(SSH1_MSG_DEBUG);
translate(SSH1_CMSG_REQUEST_COMPRESSION);
translate(SSH1_CMSG_AUTH_TIS);
translate(SSH1_SMSG_AUTH_TIS_CHALLENGE);
translate(SSH1_CMSG_AUTH_TIS_RESPONSE);
translate(SSH1_CMSG_AUTH_CCARD);
translate(SSH1_SMSG_AUTH_CCARD_CHALLENGE);
translate(SSH1_CMSG_AUTH_CCARD_RESPONSE);
return "unknown";
}
static char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type)
{
translatea(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE,SSH2_PKTCTX_GSSAPI);
translatea(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,SSH2_PKTCTX_GSSAPI);
translatea(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,SSH2_PKTCTX_GSSAPI);
translatea(SSH2_MSG_USERAUTH_GSSAPI_ERROR,SSH2_PKTCTX_GSSAPI);
translatea(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK,SSH2_PKTCTX_GSSAPI);
translatea(SSH2_MSG_USERAUTH_GSSAPI_MIC, SSH2_PKTCTX_GSSAPI);
translate(SSH2_MSG_DISCONNECT);
translate(SSH2_MSG_IGNORE);
translate(SSH2_MSG_UNIMPLEMENTED);
translate(SSH2_MSG_DEBUG);
translate(SSH2_MSG_SERVICE_REQUEST);
translate(SSH2_MSG_SERVICE_ACCEPT);
translate(SSH2_MSG_KEXINIT);
translate(SSH2_MSG_NEWKEYS);
translatek(SSH2_MSG_KEXDH_INIT, SSH2_PKTCTX_DHGROUP);
translatek(SSH2_MSG_KEXDH_REPLY, SSH2_PKTCTX_DHGROUP);
translatek(SSH2_MSG_KEX_DH_GEX_REQUEST, SSH2_PKTCTX_DHGEX);
translatek(SSH2_MSG_KEX_DH_GEX_GROUP, SSH2_PKTCTX_DHGEX);
translatek(SSH2_MSG_KEX_DH_GEX_INIT, SSH2_PKTCTX_DHGEX);
translatek(SSH2_MSG_KEX_DH_GEX_REPLY, SSH2_PKTCTX_DHGEX);
translatek(SSH2_MSG_KEXRSA_PUBKEY, SSH2_PKTCTX_RSAKEX);
translatek(SSH2_MSG_KEXRSA_SECRET, SSH2_PKTCTX_RSAKEX);
translatek(SSH2_MSG_KEXRSA_DONE, SSH2_PKTCTX_RSAKEX);
translate(SSH2_MSG_USERAUTH_REQUEST);
translate(SSH2_MSG_USERAUTH_FAILURE);
translate(SSH2_MSG_USERAUTH_SUCCESS);
translate(SSH2_MSG_USERAUTH_BANNER);
translatea(SSH2_MSG_USERAUTH_PK_OK, SSH2_PKTCTX_PUBLICKEY);
translatea(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, SSH2_PKTCTX_PASSWORD);
translatea(SSH2_MSG_USERAUTH_INFO_REQUEST, SSH2_PKTCTX_KBDINTER);
translatea(SSH2_MSG_USERAUTH_INFO_RESPONSE, SSH2_PKTCTX_KBDINTER);
translate(SSH2_MSG_GLOBAL_REQUEST);
translate(SSH2_MSG_REQUEST_SUCCESS);
translate(SSH2_MSG_REQUEST_FAILURE);
translate(SSH2_MSG_CHANNEL_OPEN);
translate(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
translate(SSH2_MSG_CHANNEL_OPEN_FAILURE);
translate(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
translate(SSH2_MSG_CHANNEL_DATA);
translate(SSH2_MSG_CHANNEL_EXTENDED_DATA);
translate(SSH2_MSG_CHANNEL_EOF);
translate(SSH2_MSG_CHANNEL_CLOSE);
translate(SSH2_MSG_CHANNEL_REQUEST);
translate(SSH2_MSG_CHANNEL_SUCCESS);
translate(SSH2_MSG_CHANNEL_FAILURE);
return "unknown";
}
#undef translate
#undef translatec
/* Enumeration values for fields in SSH-1 packets */
enum {
PKT_END, PKT_INT, PKT_CHAR, PKT_DATA, PKT_STR, PKT_BIGNUM,
/* These values are for communicating relevant semantics of
* fields to the packet logging code. */
PKTT_OTHER, PKTT_PASSWORD, PKTT_DATA
};
/*
* Coroutine mechanics for the sillier bits of the code. If these
* macros look impenetrable to you, you might find it helpful to
* read
*
* http://www.chiark.greenend.org.uk/~sgtatham/coroutines.html
*
* which explains the theory behind these macros.
*
* In particular, if you are getting `case expression not constant'
* errors when building with MS Visual Studio, this is because MS's
* Edit and Continue debugging feature causes their compiler to
* violate ANSI C. To disable Edit and Continue debugging:
*
* - right-click ssh.c in the FileView
* - click Settings
* - select the C/C++ tab and the General category
* - under `Debug info:', select anything _other_ than `Program
* Database for Edit and Continue'.
*/
#define crBegin(v) { int *crLine = &v; switch(v) { case 0:;
#define crState(t) \
struct t *s; \
if (!ssh->t) ssh->t = snew(struct t); \
s = ssh->t;
#define crFinish(z) } *crLine = 0; return (z); }
#define crFinishV } *crLine = 0; return; }
#define crReturn(z) \
do {\
*crLine =__LINE__; return (z); case __LINE__:;\
} while (0)
#define crReturnV \
do {\
*crLine=__LINE__; return; case __LINE__:;\
} while (0)
#define crStop(z) do{ *crLine = 0; return (z); }while(0)
#define crStopV do{ *crLine = 0; return; }while(0)
#define crWaitUntil(c) do { crReturn(0); } while (!(c))
#define crWaitUntilV(c) do { crReturnV; } while (!(c))
typedef struct ssh_tag *Ssh;
struct Packet;
static struct Packet *ssh1_pkt_init(int pkt_type);
static struct Packet *ssh2_pkt_init(int pkt_type);
static void ssh_pkt_ensure(struct Packet *, int length);
static void ssh_pkt_adddata(struct Packet *, void *data, int len);
static void ssh_pkt_addbyte(struct Packet *, unsigned char value);
static void ssh2_pkt_addbool(struct Packet *, unsigned char value);
static void ssh_pkt_adduint32(struct Packet *, unsigned long value);
static void ssh_pkt_addstring_start(struct Packet *);
static void ssh_pkt_addstring_str(struct Packet *, char *data);
static void ssh_pkt_addstring_data(struct Packet *, char *data, int len);
static void ssh_pkt_addstring(struct Packet *, char *data);
static unsigned char *ssh2_mpint_fmt(Bignum b, int *len);
static void ssh1_pkt_addmp(struct Packet *, Bignum b);
static void ssh2_pkt_addmp(struct Packet *, Bignum b);
static int ssh2_pkt_construct(Ssh, struct Packet *);
static void ssh2_pkt_send(Ssh, struct Packet *);
static void ssh2_pkt_send_noqueue(Ssh, struct Packet *);
static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
struct Packet *pktin);
static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
struct Packet *pktin);
/*
* Buffer management constants. There are several of these for
* various different purposes:
*
* - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
* on a local data stream before we throttle the whole SSH
* connection (in SSH-1 only). Throttling the whole connection is
* pretty drastic so we set this high in the hope it won't
* happen very often.
*
* - SSH_MAX_BACKLOG is the amount of backlog that must build up
* on the SSH connection itself before we defensively throttle
* _all_ local data streams. This is pretty drastic too (though
* thankfully unlikely in SSH-2 since the window mechanism should
* ensure that the server never has any need to throttle its end
* of the connection), so we set this high as well.
*
* - OUR_V2_WINSIZE is the maximum window size we present on SSH-2
* channels.
*
* - OUR_V2_BIGWIN is the window size we advertise for the only
* channel in a simple connection. It must be <= INT_MAX.
*
* - OUR_V2_MAXPKT is the official "maximum packet size" we send
* to the remote side. This actually has nothing to do with the
* size of the _packet_, but is instead a limit on the amount
* of data we're willing to receive in a single SSH2 channel
* data message.
*
* - OUR_V2_PACKETLIMIT is actually the maximum size of SSH
* _packet_ we're prepared to cope with. It must be a multiple
* of the cipher block size, and must be at least 35000.
*/
#define SSH1_BUFFER_LIMIT 32768
#define SSH_MAX_BACKLOG 32768
#define OUR_V2_WINSIZE 16384
#define OUR_V2_BIGWIN 0x7fffffff
#define OUR_V2_MAXPKT 0x4000UL
#define OUR_V2_PACKETLIMIT 0x9000UL
/* Maximum length of passwords/passphrases (arbitrary) */
#define SSH_MAX_PASSWORD_LEN 100
const static struct ssh_signkey *hostkey_algs[] = { &ssh_rsa, &ssh_dss };
const static struct ssh_mac *macs[] = {
&ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
};
const static struct ssh_mac *buggymacs[] = {
&ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
};
static void *ssh_comp_none_init(void)
{
return NULL;
}
static void ssh_comp_none_cleanup(void *handle)
{
}
static int ssh_comp_none_block(void *handle, unsigned char *block, int len,
unsigned char **outblock, int *outlen)
{
return 0;
}
static int ssh_comp_none_disable(void *handle)
{
return 0;
}
const static struct ssh_compress ssh_comp_none = {
"none",
ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
ssh_comp_none_disable, NULL
};
extern const struct ssh_compress ssh_zlib;
const static struct ssh_compress *compressions[] = {
&ssh_zlib, &ssh_comp_none
};
enum { /* channel types */
CHAN_MAINSESSION,
CHAN_X11,
CHAN_AGENT,
CHAN_SOCKDATA,
CHAN_SOCKDATA_DORMANT /* one the remote hasn't confirmed */
};
/*
* little structure to keep track of outstanding WINDOW_ADJUSTs
*/
struct winadj {
struct winadj *next;
unsigned size;
};
/*
* 2-3-4 tree storing channels.
*/
struct ssh_channel {
Ssh ssh; /* pointer back to main context */
unsigned remoteid, localid;
int type;
/* True if we opened this channel but server hasn't confirmed. */
int halfopen;
/*
* In SSH-1, this value contains four bits:
*
* 1 We have sent SSH1_MSG_CHANNEL_CLOSE.
* 2 We have sent SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
* 4 We have received SSH1_MSG_CHANNEL_CLOSE.
* 8 We have received SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
*
* A channel is completely finished with when all four bits are set.
*/
int closes;
/*
* This flag indicates that a close is pending on the outgoing
* side of the channel: that is, wherever we're getting the data
* for this channel has sent us some data followed by EOF. We
* can't actually close the channel until we've finished sending
* the data, so we set this flag instead to remind us to
* initiate the closing process once our buffer is clear.
*/
int pending_close;
/*
* True if this channel is causing the underlying connection to be
* throttled.
*/
int throttling_conn;
union {
struct ssh2_data_channel {
bufchain outbuffer;
unsigned remwindow, remmaxpkt;
/* locwindow is signed so we can cope with excess data. */
int locwindow, locmaxwin;
/*
* remlocwin is the amount of local window that we think
* the remote end had available to it after it sent the
* last data packet or window adjust ack.
*/
int remlocwin;
/*
* These store the list of window adjusts that haven't
* been acked.
*/
struct winadj *winadj_head, *winadj_tail;
enum { THROTTLED, UNTHROTTLING, UNTHROTTLED } throttle_state;
} v2;
} v;
union {
struct ssh_agent_channel {
unsigned char *message;
unsigned char msglen[4];
unsigned lensofar, totallen;
} a;
struct ssh_x11_channel {
Socket s;
} x11;
struct ssh_pfd_channel {
Socket s;
} pfd;
} u;
};
/*
* 2-3-4 tree storing remote->local port forwardings. SSH-1 and SSH-2
* use this structure in different ways, reflecting SSH-2's
* altogether saner approach to port forwarding.
*
* In SSH-1, you arrange a remote forwarding by sending the server
* the remote port number, and the local destination host:port.
* When a connection comes in, the server sends you back that
* host:port pair, and you connect to it. This is a ready-made
* security hole if you're not on the ball: a malicious server
* could send you back _any_ host:port pair, so if you trustingly
* connect to the address it gives you then you've just opened the
* entire inside of your corporate network just by connecting
* through it to a dodgy SSH server. Hence, we must store a list of
* host:port pairs we _are_ trying to forward to, and reject a
* connection request from the server if it's not in the list.
*
* In SSH-2, each side of the connection minds its own business and
* doesn't send unnecessary information to the other. You arrange a
* remote forwarding by sending the server just the remote port
* number. When a connection comes in, the server tells you which
* of its ports was connected to; and _you_ have to remember what
* local host:port pair went with that port number.
*
* Hence, in SSH-1 this structure is indexed by destination
* host:port pair, whereas in SSH-2 it is indexed by source port.
*/
struct ssh_portfwd; /* forward declaration */
struct ssh_rportfwd {
unsigned sport, dport;
char dhost[256];
char *sportdesc;
struct ssh_portfwd *pfrec;
};
#define free_rportfwd(pf) ( \
((pf) ? (sfree((pf)->sportdesc)) : (void)0 ), sfree(pf) )
/*
* Separately to the rportfwd tree (which is for looking up port
* open requests from the server), a tree of _these_ structures is
* used to keep track of all the currently open port forwardings,
* so that we can reconfigure in mid-session if the user requests
* it.
*/
struct ssh_portfwd {
enum { DESTROY, KEEP, CREATE } status;
int type;
unsigned sport, dport;
char *saddr, *daddr;
char *sserv, *dserv;
struct ssh_rportfwd *remote;
int addressfamily;
void *local;
};
#define free_portfwd(pf) ( \
((pf) ? (sfree((pf)->saddr), sfree((pf)->daddr), \
sfree((pf)->sserv), sfree((pf)->dserv)) : (void)0 ), sfree(pf) )
struct Packet {
long length; /* length of `data' actually used */
long forcepad; /* SSH-2: force padding to at least this length */
int type; /* only used for incoming packets */
unsigned long sequence; /* SSH-2 incoming sequence number */
unsigned char *data; /* allocated storage */
unsigned char *body; /* offset of payload within `data' */
long savedpos; /* temporary index into `data' (for strings) */
long maxlen; /* amount of storage allocated for `data' */
long encrypted_len; /* for SSH-2 total-size counting */
/*
* State associated with packet logging
*/
int logmode;
int nblanks;
struct logblank_t *blanks;
};
static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
struct Packet *pktin);
static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
struct Packet *pktin);
static void ssh1_protocol_setup(Ssh ssh);
static void ssh2_protocol_setup(Ssh ssh);
static void ssh_size(void *handle, int width, int height);
static void ssh_special(void *handle, Telnet_Special);
static int ssh2_try_send(struct ssh_channel *c);
static void ssh2_add_channel_data(struct ssh_channel *c, char *buf, int len);
static void ssh_throttle_all(Ssh ssh, int enable, int bufsize);
static void ssh2_set_window(struct ssh_channel *c, int newwin);
static int ssh_sendbuffer(void *handle);
static int ssh_do_close(Ssh ssh, int notify_exit);
static unsigned long ssh_pkt_getuint32(struct Packet *pkt);
static int ssh2_pkt_getbool(struct Packet *pkt);
static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length);
static void ssh2_timer(void *ctx, long now);
static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
struct Packet *pktin);
struct rdpkt1_state_tag {
long len, pad, biglen, to_read;
unsigned long realcrc, gotcrc;
unsigned char *p;
int i;
int chunk;
struct Packet *pktin;
};
struct rdpkt2_state_tag {
long len, pad, payload, packetlen, maclen;
int i;
int cipherblk;
unsigned long incoming_sequence;
struct Packet *pktin;
};
typedef void (*handler_fn_t)(Ssh ssh, struct Packet *pktin);
typedef void (*chandler_fn_t)(Ssh ssh, struct Packet *pktin, void *ctx);
struct queued_handler;
struct queued_handler {
int msg1, msg2;
chandler_fn_t handler;
void *ctx;
struct queued_handler *next;
};
struct ssh_tag {
const struct plug_function_table *fn;
/* the above field _must_ be first in the structure */
char *v_c, *v_s;
void *exhash;
Socket s;
void *ldisc;
void *logctx;
unsigned char session_key[32];
int v1_compressing;
int v1_remote_protoflags;
int v1_local_protoflags;
int agentfwd_enabled;
int X11_fwd_enabled;
int remote_bugs;
const struct ssh_cipher *cipher;
void *v1_cipher_ctx;
void *crcda_ctx;
const struct ssh2_cipher *cscipher, *sccipher;
void *cs_cipher_ctx, *sc_cipher_ctx;
const struct ssh_mac *csmac, *scmac;
void *cs_mac_ctx, *sc_mac_ctx;
const struct ssh_compress *cscomp, *sccomp;
void *cs_comp_ctx, *sc_comp_ctx;
const struct ssh_kex *kex;
const struct ssh_signkey *hostkey;
unsigned char v2_session_id[SSH2_KEX_MAX_HASH_LEN];
int v2_session_id_len;
void *kex_ctx;
char *savedhost;
int savedport;
int send_ok;
int echoing, editing;
void *frontend;
int ospeed, ispeed; /* temporaries */
int term_width, term_height;
tree234 *channels; /* indexed by local id */
struct ssh_channel *mainchan; /* primary session channel */
int ncmode; /* is primary channel direct-tcpip? */
int exitcode;
int close_expected;
int clean_exit;
tree234 *rportfwds, *portfwds;
enum {
SSH_STATE_PREPACKET,
SSH_STATE_BEFORE_SIZE,
SSH_STATE_INTERMED,
SSH_STATE_SESSION,
SSH_STATE_CLOSED
} state;
int size_needed, eof_needed;
struct Packet **queue;
int queuelen, queuesize;
int queueing;
unsigned char *deferred_send_data;
int deferred_len, deferred_size;
/*
* Gross hack: pscp will try to start SFTP but fall back to
* scp1 if that fails. This variable is the means by which
* scp.c can reach into the SSH code and find out which one it
* got.
*/
int fallback_cmd;
bufchain banner; /* accumulates banners during do_ssh2_authconn */
Pkt_KCtx pkt_kctx;
Pkt_ACtx pkt_actx;
struct X11Display *x11disp;
int version;
int conn_throttle_count;
int overall_bufsize;
int throttled_all;
int v1_stdout_throttling;
unsigned long v2_outgoing_sequence;
int ssh1_rdpkt_crstate;
int ssh2_rdpkt_crstate;
int do_ssh_init_crstate;
int ssh_gotdata_crstate;
int do_ssh1_login_crstate;
int do_ssh1_connection_crstate;
int do_ssh2_transport_crstate;
int do_ssh2_authconn_crstate;
void *do_ssh_init_state;
void *do_ssh1_login_state;
void *do_ssh2_transport_state;
void *do_ssh2_authconn_state;
struct rdpkt1_state_tag rdpkt1_state;
struct rdpkt2_state_tag rdpkt2_state;
/* SSH-1 and SSH-2 use this for different things, but both use it */
int protocol_initial_phase_done;
void (*protocol) (Ssh ssh, void *vin, int inlen,
struct Packet *pkt);
struct Packet *(*s_rdpkt) (Ssh ssh, unsigned char **data, int *datalen);
/*
* We maintain a full _copy_ of a Config structure here, not
* merely a pointer to it. That way, when we're passed a new
* one for reconfiguration, we can check the differences and
* potentially reconfigure port forwardings etc in mid-session.
*/
Config cfg;
/*
* Used to transfer data back from async callbacks.
*/
void *agent_response;
int agent_response_len;
int user_response;
/*
* The SSH connection can be set as `frozen', meaning we are
* not currently accepting incoming data from the network. This
* is slightly more serious than setting the _socket_ as
* frozen, because we may already have had data passed to us
* from the network which we need to delay processing until
* after the freeze is lifted, so we also need a bufchain to
* store that data.
*/
int frozen;
bufchain queued_incoming_data;
/*
* Dispatch table for packet types that we may have to deal
* with at any time.
*/
handler_fn_t packet_dispatch[256];
/*
* Queues of one-off handler functions for success/failure
* indications from a request.
*/
struct queued_handler *qhead, *qtail;
/*
* This module deals with sending keepalives.
*/
Pinger pinger;
/*
* Track incoming and outgoing data sizes and time, for
* size-based rekeys.
*/
unsigned long incoming_data_size, outgoing_data_size, deferred_data_size;
unsigned long max_data_size;
int kex_in_progress;
long next_rekey, last_rekey;
char *deferred_rekey_reason; /* points to STATIC string; don't free */
/*
* Fully qualified host name, which we need if doing GSSAPI.
*/
char *fullhostname;
#ifndef NO_GSSAPI
/*
* GSSAPI libraries for this session.
*/
struct ssh_gss_liblist *gsslibs;
#endif
};
#define logevent(s) logevent(ssh->frontend, s)
/* logevent, only printf-formatted. */
static void logeventf(Ssh ssh, const char *fmt, ...)
{
va_list ap;
char *buf;
va_start(ap, fmt);
buf = dupvprintf(fmt, ap);
va_end(ap);
logevent(buf);
sfree(buf);
}
#define bombout(msg) \
do { \
char *text = dupprintf msg; \
ssh_do_close(ssh, FALSE); \
logevent(text); \
connection_fatal(ssh->frontend, "%s", text); \
sfree(text); \
} while (0)
/* Functions to leave bits out of the SSH packet log file. */
static void dont_log_password(Ssh ssh, struct Packet *pkt, int blanktype)
{
if (ssh->cfg.logomitpass)
pkt->logmode = blanktype;
}
static void dont_log_data(Ssh ssh, struct Packet *pkt, int blanktype)
{
if (ssh->cfg.logomitdata)
pkt->logmode = blanktype;
}
static void end_log_omission(Ssh ssh, struct Packet *pkt)
{
pkt->logmode = PKTLOG_EMIT;
}
/* Helper function for common bits of parsing cfg.ttymodes. */
static void parse_ttymodes(Ssh ssh, char *modes,
void (*do_mode)(void *data, char *mode, char *val),
void *data)
{
while (*modes) {
char *t = strchr(modes, '\t');
char *m = snewn(t-modes+1, char);
char *val;
strncpy(m, modes, t-modes);
m[t-modes] = '\0';
if (*(t+1) == 'A')
val = get_ttymode(ssh->frontend, m);
else
val = dupstr(t+2);
if (val)
do_mode(data, m, val);
sfree(m);
sfree(val);
modes += strlen(modes) + 1;
}
}
static int ssh_channelcmp(void *av, void *bv)
{
struct ssh_channel *a = (struct ssh_channel *) av;
struct ssh_channel *b = (struct ssh_channel *) bv;
if (a->localid < b->localid)
return -1;
if (a->localid > b->localid)
return +1;
return 0;
}
static int ssh_channelfind(void *av, void *bv)
{
unsigned *a = (unsigned *) av;
struct ssh_channel *b = (struct ssh_channel *) bv;
if (*a < b->localid)
return -1;
if (*a > b->localid)
return +1;
return 0;
}
static int ssh_rportcmp_ssh1(void *av, void *bv)
{
struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
int i;
if ( (i = strcmp(a->dhost, b->dhost)) != 0)
return i < 0 ? -1 : +1;
if (a->dport > b->dport)
return +1;
if (a->dport < b->dport)
return -1;
return 0;
}
static int ssh_rportcmp_ssh2(void *av, void *bv)
{
struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
if (a->sport > b->sport)
return +1;
if (a->sport < b->sport)
return -1;
return 0;
}
/*
* Special form of strcmp which can cope with NULL inputs. NULL is
* defined to sort before even the empty string.
*/
static int nullstrcmp(const char *a, const char *b)
{
if (a == NULL && b == NULL)
return 0;
if (a == NULL)
return -1;
if (b == NULL)
return +1;
return strcmp(a, b);
}
static int ssh_portcmp(void *av, void *bv)
{
struct ssh_portfwd *a = (struct ssh_portfwd *) av;
struct ssh_portfwd *b = (struct ssh_portfwd *) bv;
int i;
if (a->type > b->type)
return +1;
if (a->type < b->type)
return -1;
if (a->addressfamily > b->addressfamily)
return +1;
if (a->addressfamily < b->addressfamily)
return -1;
if ( (i = nullstrcmp(a->saddr, b->saddr)) != 0)
return i < 0 ? -1 : +1;
if (a->sport > b->sport)
return +1;
if (a->sport < b->sport)
return -1;
if (a->type != 'D') {
if ( (i = nullstrcmp(a->daddr, b->daddr)) != 0)
return i < 0 ? -1 : +1;
if (a->dport > b->dport)
return +1;
if (a->dport < b->dport)
return -1;
}
return 0;
}
static int alloc_channel_id(Ssh ssh)
{
const unsigned CHANNEL_NUMBER_OFFSET = 256;
unsigned low, high, mid;
int tsize;
struct ssh_channel *c;
/*
* First-fit allocation of channel numbers: always pick the
* lowest unused one. To do this, binary-search using the
* counted B-tree to find the largest channel ID which is in a
* contiguous sequence from the beginning. (Precisely
* everything in that sequence must have ID equal to its tree
* index plus CHANNEL_NUMBER_OFFSET.)
*/
tsize = count234(ssh->channels);
low = -1;
high = tsize;
while (high - low > 1) {
mid = (high + low) / 2;
c = index234(ssh->channels, mid);
if (c->localid == mid + CHANNEL_NUMBER_OFFSET)
low = mid; /* this one is fine */
else
high = mid; /* this one is past it */
}
/*
* Now low points to either -1, or the tree index of the
* largest ID in the initial sequence.
*/
{
unsigned i = low + 1 + CHANNEL_NUMBER_OFFSET;
assert(NULL == find234(ssh->channels, &i, ssh_channelfind));
}
return low + 1 + CHANNEL_NUMBER_OFFSET;
}
static void c_write_stderr(int trusted, const char *buf, int len)
{
int i;
for (i = 0; i < len; i++)
if (buf[i] != '\r' && (trusted || buf[i] == '\n' || (buf[i] & 0x60)))
fputc(buf[i], stderr);
}
static void c_write(Ssh ssh, const char *buf, int len)
{
if (flags & FLAG_STDERR)
c_write_stderr(1, buf, len);
else
from_backend(ssh->frontend, 1, buf, len);
}
static void c_write_untrusted(Ssh ssh, const char *buf, int len)
{
if (flags & FLAG_STDERR)
c_write_stderr(0, buf, len);
else
from_backend_untrusted(ssh->frontend, buf, len);
}
static void c_write_str(Ssh ssh, const char *buf)
{
c_write(ssh, buf, strlen(buf));
}
static void ssh_free_packet(struct Packet *pkt)
{
sfree(pkt->data);
sfree(pkt);
}
static struct Packet *ssh_new_packet(void)
{
struct Packet *pkt = snew(struct Packet);
pkt->body = pkt->data = NULL;
pkt->maxlen = 0;
pkt->logmode = PKTLOG_EMIT;
pkt->nblanks = 0;
pkt->blanks = NULL;
return pkt;
}
/*
* Collect incoming data in the incoming packet buffer.
* Decipher and verify the packet when it is completely read.
* Drop SSH1_MSG_DEBUG and SSH1_MSG_IGNORE packets.
* Update the *data and *datalen variables.
* Return a Packet structure when a packet is completed.
*/
static struct Packet *ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
{
struct rdpkt1_state_tag *st = &ssh->rdpkt1_state;
crBegin(ssh->ssh1_rdpkt_crstate);
st->pktin = ssh_new_packet();
st->pktin->type = 0;
st->pktin->length = 0;
for (st->i = st->len = 0; st->i < 4; st->i++) {
while ((*datalen) == 0)
crReturn(NULL);
st->len = (st->len << 8) + **data;
(*data)++, (*datalen)--;
}
st->pad = 8 - (st->len % 8);
st->biglen = st->len + st->pad;
st->pktin->length = st->len - 5;
if (st->biglen < 0) {
bombout(("Extremely large packet length from server suggests"
" data stream corruption"));
ssh_free_packet(st->pktin);
crStop(NULL);
}
st->pktin->maxlen = st->biglen;
st->pktin->data = snewn(st->biglen + APIEXTRA, unsigned char);
st->to_read = st->biglen;
st->p = st->pktin->data;
while (st->to_read > 0) {
st->chunk = st->to_read;
while ((*datalen) == 0)
crReturn(NULL);
if (st->chunk > (*datalen))
st->chunk = (*datalen);
memcpy(st->p, *data, st->chunk);
*data += st->chunk;
*datalen -= st->chunk;
st->p += st->chunk;
st->to_read -= st->chunk;
}
if (ssh->cipher && detect_attack(ssh->crcda_ctx, st->pktin->data,
st->biglen, NULL)) {
bombout(("Network attack (CRC compensation) detected!"));
ssh_free_packet(st->pktin);
crStop(NULL);
}
if (ssh->cipher)
ssh->cipher->decrypt(ssh->v1_cipher_ctx, st->pktin->data, st->biglen);
st->realcrc = crc32_compute(st->pktin->data, st->biglen - 4);
st->gotcrc = GET_32BIT(st->pktin->data + st->biglen - 4);
if (st->gotcrc != st->realcrc) {
bombout(("Incorrect CRC received on packet"));
ssh_free_packet(st->pktin);
crStop(NULL);
}
st->pktin->body = st->pktin->data + st->pad + 1;
st->pktin->savedpos = 0;
if (ssh->v1_compressing) {
unsigned char *decompblk;
int decomplen;
if (!zlib_decompress_block(ssh->sc_comp_ctx,
st->pktin->body - 1, st->pktin->length + 1,
&decompblk, &decomplen)) {
bombout(("Zlib decompression encountered invalid data"));
ssh_free_packet(st->pktin);
crStop(NULL);
}
if (st->pktin->maxlen < st->pad + decomplen) {
st->pktin->maxlen = st->pad + decomplen;
st->pktin->data = sresize(st->pktin->data,
st->pktin->maxlen + APIEXTRA,
unsigned char);
st->pktin->body = st->pktin->data + st->pad + 1;
}
memcpy(st->pktin->body - 1, decompblk, decomplen);
sfree(decompblk);
st->pktin->length = decomplen - 1;
}
st->pktin->type = st->pktin->body[-1];
/*
* Log incoming packet, possibly omitting sensitive fields.
*/
if (ssh->logctx) {
int nblanks = 0;
struct logblank_t blank;
if (ssh->cfg.logomitdata) {
int do_blank = FALSE, blank_prefix = 0;
/* "Session data" packets - omit the data field */
if ((st->pktin->type == SSH1_SMSG_STDOUT_DATA) ||
(st->pktin->type == SSH1_SMSG_STDERR_DATA)) {
do_blank = TRUE; blank_prefix = 4;
} else if (st->pktin->type == SSH1_MSG_CHANNEL_DATA) {
do_blank = TRUE; blank_prefix = 8;
}
if (do_blank) {
blank.offset = blank_prefix;
blank.len = st->pktin->length;
blank.type = PKTLOG_OMIT;
nblanks = 1;
}
}
log_packet(ssh->logctx,
PKT_INCOMING, st->pktin->type,
ssh1_pkt_type(st->pktin->type),
st->pktin->body, st->pktin->length,
nblanks, &blank, NULL);
}
crFinish(st->pktin);
}
static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
{
struct rdpkt2_state_tag *st = &ssh->rdpkt2_state;
crBegin(ssh->ssh2_rdpkt_crstate);
st->pktin = ssh_new_packet();
st->pktin->type = 0;
st->pktin->length = 0;
if (ssh->sccipher)
st->cipherblk = ssh->sccipher->blksize;
else
st->cipherblk = 8;
if (st->cipherblk < 8)
st->cipherblk = 8;
st->maclen = ssh->scmac ? ssh->scmac->len : 0;
if (ssh->sccipher && (ssh->sccipher->flags & SSH_CIPHER_IS_CBC) &&
ssh->scmac) {
/*
* When dealing with a CBC-mode cipher, we want to avoid the
* possibility of an attacker's tweaking the ciphertext stream
* so as to cause us to feed the same block to the block
* cipher more than once and thus leak information
* (VU#958563). The way we do this is not to take any
* decisions on the basis of anything we've decrypted until
* we've verified it with a MAC. That includes the packet
* length, so we just read data and check the MAC repeatedly,
* and when the MAC passes, see if the length we've got is
* plausible.
*/
/* May as well allocate the whole lot now. */
st->pktin->data = snewn(OUR_V2_PACKETLIMIT + st->maclen + APIEXTRA,
unsigned char);
/* Read an amount corresponding to the MAC. */
for (st->i = 0; st->i < st->maclen; st->i++) {
while ((*datalen) == 0)
crReturn(NULL);
st->pktin->data[st->i] = *(*data)++;
(*datalen)--;
}
st->packetlen = 0;
{
unsigned char seq[4];
ssh->scmac->start(ssh->sc_mac_ctx);
PUT_32BIT(seq, st->incoming_sequence);
ssh->scmac->bytes(ssh->sc_mac_ctx, seq, 4);
}
for (;;) { /* Once around this loop per cipher block. */
/* Read another cipher-block's worth, and tack it onto the end. */
for (st->i = 0; st->i < st->cipherblk; st->i++) {
while ((*datalen) == 0)
crReturn(NULL);
st->pktin->data[st->packetlen+st->maclen+st->i] = *(*data)++;
(*datalen)--;
}
/* Decrypt one more block (a little further back in the stream). */
ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
st->pktin->data + st->packetlen,
st->cipherblk);
/* Feed that block to the MAC. */
ssh->scmac->bytes(ssh->sc_mac_ctx,
st->pktin->data + st->packetlen, st->cipherblk);
st->packetlen += st->cipherblk;
/* See if that gives us a valid packet. */
if (ssh->scmac->verresult(ssh->sc_mac_ctx,
st->pktin->data + st->packetlen) &&
(st->len = GET_32BIT(st->pktin->data)) + 4 == st->packetlen)
break;
if (st->packetlen >= OUR_V2_PACKETLIMIT) {
bombout(("No valid incoming packet found"));
ssh_free_packet(st->pktin);
crStop(NULL);
}
}
st->pktin->maxlen = st->packetlen + st->maclen;
st->pktin->data = sresize(st->pktin->data,
st->pktin->maxlen + APIEXTRA,
unsigned char);
} else {
st->pktin->data = snewn(st->cipherblk + APIEXTRA, unsigned char);
/*
* Acquire and decrypt the first block of the packet. This will
* contain the length and padding details.
*/
for (st->i = st->len = 0; st->i < st->cipherblk; st->i++) {
while ((*datalen) == 0)
crReturn(NULL);
st->pktin->data[st->i] = *(*data)++;
(*datalen)--;
}
if (ssh->sccipher)
ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
st->pktin->data, st->cipherblk);
/*
* Now get the length figure.
*/
st->len = GET_32BIT(st->pktin->data);
/*
* _Completely_ silly lengths should be stomped on before they
* do us any more damage.
*/
if (st->len < 0 || st->len > OUR_V2_PACKETLIMIT ||
(st->len + 4) % st->cipherblk != 0) {
bombout(("Incoming packet was garbled on decryption"));
ssh_free_packet(st->pktin);
crStop(NULL);
}
/*
* So now we can work out the total packet length.
*/
st->packetlen = st->len + 4;
/*
* Allocate memory for the rest of the packet.
*/
st->pktin->maxlen = st->packetlen + st->maclen;
st->pktin->data = sresize(st->pktin->data,
st->pktin->maxlen + APIEXTRA,
unsigned char);
/*
* Read and decrypt the remainder of the packet.
*/
for (st->i = st->cipherblk; st->i < st->packetlen + st->maclen;
st->i++) {
while ((*datalen) == 0)
crReturn(NULL);
st->pktin->data[st->i] = *(*data)++;
(*datalen)--;
}
/* Decrypt everything _except_ the MAC. */
if (ssh->sccipher)
ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
st->pktin->data + st->cipherblk,
st->packetlen - st->cipherblk);
/*
* Check the MAC.
*/
if (ssh->scmac
&& !ssh->scmac->verify(ssh->sc_mac_ctx, st->pktin->data,
st->len + 4, st->incoming_sequence)) {
bombout(("Incorrect MAC received on packet"));
ssh_free_packet(st->pktin);
crStop(NULL);
}
}
/* Get and sanity-check the amount of random padding. */
st->pad = st->pktin->data[4];
if (st->pad < 4 || st->len - st->pad < 1) {
bombout(("Invalid padding length on received packet"));
ssh_free_packet(st->pktin);
crStop(NULL);
}
/*
* This enables us to deduce the payload length.
*/
st->payload = st->len - st->pad - 1;
st->pktin->length = st->payload + 5;
st->pktin->encrypted_len = st->packetlen;
st->pktin->sequence = st->incoming_sequence++;
/*
* Decompress packet payload.
*/
{
unsigned char *newpayload;
int newlen;
if (ssh->sccomp &&
ssh->sccomp->decompress(ssh->sc_comp_ctx,
st->pktin->data + 5, st->pktin->length - 5,
&newpayload, &newlen)) {
if (st->pktin->maxlen < newlen + 5) {
st->pktin->maxlen = newlen + 5;
st->pktin->data = sresize(st->pktin->data,
st->pktin->maxlen + APIEXTRA,
unsigned char);
}
st->pktin->length = 5 + newlen;
memcpy(st->pktin->data + 5, newpayload, newlen);
sfree(newpayload);
}
}
st->pktin->savedpos = 6;
st->pktin->body = st->pktin->data;
st->pktin->type = st->pktin->data[5];
/*
* Log incoming packet, possibly omitting sensitive fields.
*/
if (ssh->logctx) {
int nblanks = 0;
struct logblank_t blank;
if (ssh->cfg.logomitdata) {
int do_blank = FALSE, blank_prefix = 0;
/* "Session data" packets - omit the data field */
if (st->pktin->type == SSH2_MSG_CHANNEL_DATA) {
do_blank = TRUE; blank_prefix = 8;
} else if (st->pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA) {
do_blank = TRUE; blank_prefix = 12;
}
if (do_blank) {
blank.offset = blank_prefix;
blank.len = (st->pktin->length-6) - blank_prefix;
blank.type = PKTLOG_OMIT;
nblanks = 1;
}
}
log_packet(ssh->logctx, PKT_INCOMING, st->pktin->type,
ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx,
st->pktin->type),
st->pktin->data+6, st->pktin->length-6,
nblanks, &blank, &st->pktin->sequence);
}
crFinish(st->pktin);
}
static int s_wrpkt_prepare(Ssh ssh, struct Packet *pkt, int *offset_p)
{
int pad, biglen, i, pktoffs;
unsigned long crc;
#ifdef __SC__
/*
* XXX various versions of SC (including 8.8.4) screw up the
* register allocation in this function and use the same register
* (D6) for len and as a temporary, with predictable results. The
* following sledgehammer prevents this.
*/
volatile
#endif
int len;
if (ssh->logctx)
log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[12],
ssh1_pkt_type(pkt->data[12]),
pkt->body, pkt->length - (pkt->body - pkt->data),
pkt->nblanks, pkt->blanks, NULL);
sfree(pkt->blanks); pkt->blanks = NULL;
pkt->nblanks = 0;
if (ssh->v1_compressing) {
unsigned char *compblk;
int complen;
zlib_compress_block(ssh->cs_comp_ctx,
pkt->data + 12, pkt->length - 12,
&compblk, &complen);
ssh_pkt_ensure(pkt, complen + 2); /* just in case it's got bigger */
memcpy(pkt->data + 12, compblk, complen);
sfree(compblk);
pkt->length = complen + 12;
}
ssh_pkt_ensure(pkt, pkt->length + 4); /* space for CRC */
pkt->length += 4;
len = pkt->length - 4 - 8; /* len(type+data+CRC) */
pad = 8 - (len % 8);
pktoffs = 8 - pad;
biglen = len + pad; /* len(padding+type+data+CRC) */
for (i = pktoffs; i < 4+8; i++)
pkt->data[i] = random_byte();
crc = crc32_compute(pkt->data + pktoffs + 4, biglen - 4); /* all ex len */
PUT_32BIT(pkt->data + pktoffs + 4 + biglen - 4, crc);
PUT_32BIT(pkt->data + pktoffs, len);
if (ssh->cipher)
ssh->cipher->encrypt(ssh->v1_cipher_ctx,
pkt->data + pktoffs + 4, biglen);
if (offset_p) *offset_p = pktoffs;
return biglen + 4; /* len(length+padding+type+data+CRC) */
}
static int s_write(Ssh ssh, void *data, int len)
{
if (ssh->logctx)
log_packet(ssh->logctx, PKT_OUTGOING, -1, NULL, data, len,
0, NULL, NULL);
return sk_write(ssh->s, (char *)data, len);
}
static void s_wrpkt(Ssh ssh, struct Packet *pkt)
{
int len, backlog, offset;
len = s_wrpkt_prepare(ssh, pkt, &offset);
backlog = s_write(ssh, pkt->data + offset, len);
if (backlog > SSH_MAX_BACKLOG)
ssh_throttle_all(ssh, 1, backlog);
ssh_free_packet(pkt);
}
static void s_wrpkt_defer(Ssh ssh, struct Packet *pkt)
{
int len, offset;
len = s_wrpkt_prepare(ssh, pkt, &offset);
if (ssh->deferred_len + len > ssh->deferred_size) {
ssh->deferred_size = ssh->deferred_len + len + 128;
ssh->deferred_send_data = sresize(ssh->deferred_send_data,
ssh->deferred_size,
unsigned char);
}
memcpy(ssh->deferred_send_data + ssh->deferred_len,
pkt->data + offset, len);
ssh->deferred_len += len;
ssh_free_packet(pkt);
}
/*
* Construct a SSH-1 packet with the specified contents.
* (This all-at-once interface used to be the only one, but now SSH-1
* packets can also be constructed incrementally.)
*/
static struct Packet *construct_packet(Ssh ssh, int pkttype, va_list ap)
{
int argtype;
Bignum bn;
struct Packet *pkt;
pkt = ssh1_pkt_init(pkttype);
while ((argtype = va_arg(ap, int)) != PKT_END) {
unsigned char *argp, argchar;
char *sargp;
unsigned long argint;
int arglen;
switch (argtype) {
/* Actual fields in the packet */
case PKT_INT:
argint = va_arg(ap, int);
ssh_pkt_adduint32(pkt, argint);
break;
case PKT_CHAR:
argchar = (unsigned char) va_arg(ap, int);
ssh_pkt_addbyte(pkt, argchar);
break;
case PKT_DATA:
argp = va_arg(ap, unsigned char *);
arglen = va_arg(ap, int);
ssh_pkt_adddata(pkt, argp, arglen);
break;
case PKT_STR:
sargp = va_arg(ap, char *);
ssh_pkt_addstring(pkt, sargp);
break;
case PKT_BIGNUM:
bn = va_arg(ap, Bignum);
ssh1_pkt_addmp(pkt, bn);
break;
/* Tokens for modifications to packet logging */
case PKTT_PASSWORD:
dont_log_password(ssh, pkt, PKTLOG_BLANK);
break;
case PKTT_DATA:
dont_log_data(ssh, pkt, PKTLOG_OMIT);
break;
case PKTT_OTHER:
end_log_omission(ssh, pkt);
break;
}
}
return pkt;
}
static void send_packet(Ssh ssh, int pkttype, ...)
{
struct Packet *pkt;
va_list ap;
va_start(ap, pkttype);
pkt = construct_packet(ssh, pkttype, ap);
va_end(ap);
s_wrpkt(ssh, pkt);
}
static void defer_packet(Ssh ssh, int pkttype, ...)
{
struct Packet *pkt;
va_list ap;
va_start(ap, pkttype);
pkt = construct_packet(ssh, pkttype, ap);
va_end(ap);
s_wrpkt_defer(ssh, pkt);
}
static int ssh_versioncmp(char *a, char *b)
{
char *ae, *be;
unsigned long av, bv;
av = strtoul(a, &ae, 10);
bv = strtoul(b, &be, 10);
if (av != bv)
return (av < bv ? -1 : +1);
if (*ae == '.')
ae++;
if (*be == '.')
be++;
av = strtoul(ae, &ae, 10);
bv = strtoul(be, &be, 10);
if (av != bv)
return (av < bv ? -1 : +1);
return 0;
}
/*
* Utility routines for putting an SSH-protocol `string' and
* `uint32' into a hash state.
*/
static void hash_string(const struct ssh_hash *h, void *s, void *str, int len)
{
unsigned char lenblk[4];
PUT_32BIT(lenblk, len);
h->bytes(s, lenblk, 4);
h->bytes(s, str, len);
}
static void hash_uint32(const struct ssh_hash *h, void *s, unsigned i)
{
unsigned char intblk[4];
PUT_32BIT(intblk, i);
h->bytes(s, intblk, 4);
}
/*
* Packet construction functions. Mostly shared between SSH-1 and SSH-2.
*/
static void ssh_pkt_ensure(struct Packet *pkt, int length)
{
if (pkt->maxlen < length) {
unsigned char *body = pkt->body;
int offset = body ? body - pkt->data : 0;
pkt->maxlen = length + 256;
pkt->data = sresize(pkt->data, pkt->maxlen + APIEXTRA, unsigned char);
if (body) pkt->body = pkt->data + offset;
}
}
static void ssh_pkt_adddata(struct Packet *pkt, void *data, int len)
{
if (pkt->logmode != PKTLOG_EMIT) {
pkt->nblanks++;
pkt->blanks = sresize(pkt->blanks, pkt->nblanks, struct logblank_t);
assert(pkt->body);
pkt->blanks[pkt->nblanks-1].offset = pkt->length -
(pkt->body - pkt->data);
pkt->blanks[pkt->nblanks-1].len = len;
pkt->blanks[pkt->nblanks-1].type = pkt->logmode;
}
pkt->length += len;
ssh_pkt_ensure(pkt, pkt->length);
memcpy(pkt->data + pkt->length - len, data, len);
}
static void ssh_pkt_addbyte(struct Packet *pkt, unsigned char byte)
{
ssh_pkt_adddata(pkt, &byte, 1);
}
static void ssh2_pkt_addbool(struct Packet *pkt, unsigned char value)
{
ssh_pkt_adddata(pkt, &value, 1);
}
static void ssh_pkt_adduint32(struct Packet *pkt, unsigned long value)
{
unsigned char x[4];
PUT_32BIT(x, value);
ssh_pkt_adddata(pkt, x, 4);
}
static void ssh_pkt_addstring_start(struct Packet *pkt)
{
ssh_pkt_adduint32(pkt, 0);
pkt->savedpos = pkt->length;
}
static void ssh_pkt_addstring_str(struct Packet *pkt, char *data)
{
ssh_pkt_adddata(pkt, data, strlen(data));
PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
}
static void ssh_pkt_addstring_data(struct Packet *pkt, char *data, int len)
{
ssh_pkt_adddata(pkt, data, len);
PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
}
static void ssh_pkt_addstring(struct Packet *pkt, char *data)
{
ssh_pkt_addstring_start(pkt);
ssh_pkt_addstring_str(pkt, data);
}
static void ssh1_pkt_addmp(struct Packet *pkt, Bignum b)
{
int len = ssh1_bignum_length(b);
unsigned char *data = snewn(len, unsigned char);
(void) ssh1_write_bignum(data, b);
ssh_pkt_adddata(pkt, data, len);
sfree(data);
}
static unsigned char *ssh2_mpint_fmt(Bignum b, int *len)
{
unsigned char *p;
int i, n = (bignum_bitcount(b) + 7) / 8;
p = snewn(n + 1, unsigned char);
p[0] = 0;
for (i = 1; i <= n; i++)
p[i] = bignum_byte(b, n - i);
i = 0;
while (i <= n && p[i] == 0 && (p[i + 1] & 0x80) == 0)
i++;
memmove(p, p + i, n + 1 - i);
*len = n + 1 - i;
return p;
}
static void ssh2_pkt_addmp(struct Packet *pkt, Bignum b)
{
unsigned char *p;
int len;
p = ssh2_mpint_fmt(b, &len);
ssh_pkt_addstring_start(pkt);
ssh_pkt_addstring_data(pkt, (char *)p, len);
sfree(p);
}
static struct Packet *ssh1_pkt_init(int pkt_type)
{
struct Packet *pkt = ssh_new_packet();
pkt->length = 4 + 8; /* space for length + max padding */
ssh_pkt_addbyte(pkt, pkt_type);
pkt->body = pkt->data + pkt->length;
return pkt;
}
/* For legacy code (SSH-1 and -2 packet construction used to be separate) */
#define ssh2_pkt_ensure(pkt, length) ssh_pkt_ensure(pkt, length)
#define ssh2_pkt_adddata(pkt, data, len) ssh_pkt_adddata(pkt, data, len)
#define ssh2_pkt_addbyte(pkt, byte) ssh_pkt_addbyte(pkt, byte)
#define ssh2_pkt_adduint32(pkt, value) ssh_pkt_adduint32(pkt, value)
#define ssh2_pkt_addstring_start(pkt) ssh_pkt_addstring_start(pkt)
#define ssh2_pkt_addstring_str(pkt, data) ssh_pkt_addstring_str(pkt, data)
#define ssh2_pkt_addstring_data(pkt, data, len) ssh_pkt_addstring_data(pkt, data, len)
#define ssh2_pkt_addstring(pkt, data) ssh_pkt_addstring(pkt, data)
static struct Packet *ssh2_pkt_init(int pkt_type)
{
struct Packet *pkt = ssh_new_packet();
pkt->length = 5; /* space for packet length + padding length */
pkt->forcepad = 0;
ssh_pkt_addbyte(pkt, (unsigned char) pkt_type);
pkt->body = pkt->data + pkt->length; /* after packet type */
return pkt;
}
/*
* Construct an SSH-2 final-form packet: compress it, encrypt it,
* put the MAC on it. Final packet, ready to be sent, is stored in
* pkt->data. Total length is returned.
*/
static int ssh2_pkt_construct(Ssh ssh, struct Packet *pkt)
{
int cipherblk, maclen, padding, i;
if (ssh->logctx)
log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[5],
ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx, pkt->data[5]),
pkt->body, pkt->length - (pkt->body - pkt->data),
pkt->nblanks, pkt->blanks, &ssh->v2_outgoing_sequence);
sfree(pkt->blanks); pkt->blanks = NULL;
pkt->nblanks = 0;
/*
* Compress packet payload.
*/
{
unsigned char *newpayload;
int newlen;
if (ssh->cscomp &&
ssh->cscomp->compress(ssh->cs_comp_ctx, pkt->data + 5,
pkt->length - 5,
&newpayload, &newlen)) {
pkt->length = 5;
ssh2_pkt_adddata(pkt, newpayload, newlen);
sfree(newpayload);
}
}
/*
* Add padding. At least four bytes, and must also bring total
* length (minus MAC) up to a multiple of the block size.
* If pkt->forcepad is set, make sure the packet is at least that size
* after padding.
*/
cipherblk = ssh->cscipher ? ssh->cscipher->blksize : 8; /* block size */
cipherblk = cipherblk < 8 ? 8 : cipherblk; /* or 8 if blksize < 8 */
padding = 4;
if (pkt->length + padding < pkt->forcepad)
padding = pkt->forcepad - pkt->length;
padding +=
(cipherblk - (pkt->length + padding) % cipherblk) % cipherblk;
assert(padding <= 255);
maclen = ssh->csmac ? ssh->csmac->len : 0;
ssh2_pkt_ensure(pkt, pkt->length + padding + maclen);
pkt->data[4] = padding;
for (i = 0; i < padding; i++)
pkt->data[pkt->length + i] = random_byte();
PUT_32BIT(pkt->data, pkt->length + padding - 4);
if (ssh->csmac)
ssh->csmac->generate(ssh->cs_mac_ctx, pkt->data,
pkt->length + padding,
ssh->v2_outgoing_sequence);
ssh->v2_outgoing_sequence++; /* whether or not we MACed */
if (ssh->cscipher)
ssh->cscipher->encrypt(ssh->cs_cipher_ctx,
pkt->data, pkt->length + padding);
pkt->encrypted_len = pkt->length + padding;
/* Ready-to-send packet starts at pkt->data. We return length. */
return pkt->length + padding + maclen;
}
/*
* Routines called from the main SSH code to send packets. There
* are quite a few of these, because we have two separate
* mechanisms for delaying the sending of packets:
*
* - In order to send an IGNORE message and a password message in
* a single fixed-length blob, we require the ability to
* concatenate the encrypted forms of those two packets _into_ a
* single blob and then pass it to our <network.h> transport
* layer in one go. Hence, there's a deferment mechanism which
* works after packet encryption.
*
* - In order to avoid sending any connection-layer messages
* during repeat key exchange, we have to queue up any such
* outgoing messages _before_ they are encrypted (and in
* particular before they're allocated sequence numbers), and
* then send them once we've finished.
*
* I call these mechanisms `defer' and `queue' respectively, so as
* to distinguish them reasonably easily.
*
* The functions send_noqueue() and defer_noqueue() free the packet
* structure they are passed. Every outgoing packet goes through
* precisely one of these functions in its life; packets passed to
* ssh2_pkt_send() or ssh2_pkt_defer() either go straight to one of
* these or get queued, and then when the queue is later emptied
* the packets are all passed to defer_noqueue().
*
* When using a CBC-mode cipher, it's necessary to ensure that an
* attacker can't provide data to be encrypted using an IV that they
* know. We ensure this by prefixing each packet that might contain
* user data with an SSH_MSG_IGNORE. This is done using the deferral
* mechanism, so in this case send_noqueue() ends up redirecting to
* defer_noqueue(). If you don't like this inefficiency, don't use
* CBC.
*/
static void ssh2_pkt_defer_noqueue(Ssh, struct Packet *, int);
static void ssh_pkt_defersend(Ssh);
/*
* Send an SSH-2 packet immediately, without queuing or deferring.
*/
static void ssh2_pkt_send_noqueue(Ssh ssh, struct Packet *pkt)
{
int len;
int backlog;
if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC)) {
/* We need to send two packets, so use the deferral mechanism. */
ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
ssh_pkt_defersend(ssh);
return;
}
len = ssh2_pkt_construct(ssh, pkt);
backlog = s_write(ssh, pkt->data, len);
if (backlog > SSH_MAX_BACKLOG)
ssh_throttle_all(ssh, 1, backlog);
ssh->outgoing_data_size += pkt->encrypted_len;
if (!ssh->kex_in_progress &&
ssh->max_data_size != 0 &&
ssh->outgoing_data_size > ssh->max_data_size)
do_ssh2_transport(ssh, "too much data sent", -1, NULL);
ssh_free_packet(pkt);
}
/*
* Defer an SSH-2 packet.
*/
static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt, int noignore)
{
int len;
if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC) &&
ssh->deferred_len == 0 && !noignore &&
!(ssh->remote_bugs & BUG_CHOKES_ON_SSH2_IGNORE)) {
/*
* Interpose an SSH_MSG_IGNORE to ensure that user data don't
* get encrypted with a known IV.
*/
struct Packet *ipkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
ssh2_pkt_addstring_start(ipkt);
ssh2_pkt_defer_noqueue(ssh, ipkt, TRUE);
}
len = ssh2_pkt_construct(ssh, pkt);
if (ssh->deferred_len + len > ssh->deferred_size) {
ssh->deferred_size = ssh->deferred_len + len + 128;
ssh->deferred_send_data = sresize(ssh->deferred_send_data,
ssh->deferred_size,
unsigned char);
}
memcpy(ssh->deferred_send_data + ssh->deferred_len, pkt->data, len);
ssh->deferred_len += len;
ssh->deferred_data_size += pkt->encrypted_len;
ssh_free_packet(pkt);
}
/*
* Queue an SSH-2 packet.
*/
static void ssh2_pkt_queue(Ssh ssh, struct Packet *pkt)
{
assert(ssh->queueing);
if (ssh->queuelen >= ssh->queuesize) {
ssh->queuesize = ssh->queuelen + 32;
ssh->queue = sresize(ssh->queue, ssh->queuesize, struct Packet *);
}
ssh->queue[ssh->queuelen++] = pkt;
}
/*
* Either queue or send a packet, depending on whether queueing is
* set.
*/
static void ssh2_pkt_send(Ssh ssh, struct Packet *pkt)
{
if (ssh->queueing)
ssh2_pkt_queue(ssh, pkt);
else
ssh2_pkt_send_noqueue(ssh, pkt);
}
/*
* Either queue or defer a packet, depending on whether queueing is
* set.
*/
static void ssh2_pkt_defer(Ssh ssh, struct Packet *pkt)
{
if (ssh->queueing)
ssh2_pkt_queue(ssh, pkt);
else
ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
}
/*
* Send the whole deferred data block constructed by
* ssh2_pkt_defer() or SSH-1's defer_packet().
*
* The expected use of the defer mechanism is that you call
* ssh2_pkt_defer() a few times, then call ssh_pkt_defersend(). If
* not currently queueing, this simply sets up deferred_send_data
* and then sends it. If we _are_ currently queueing, the calls to
* ssh2_pkt_defer() put the deferred packets on to the queue
* instead, and therefore ssh_pkt_defersend() has no deferred data
* to send. Hence, there's no need to make it conditional on
* ssh->queueing.
*/
static void ssh_pkt_defersend(Ssh ssh)
{
int backlog;
backlog = s_write(ssh, ssh->deferred_send_data, ssh->deferred_len);
ssh->deferred_len = ssh->deferred_size = 0;
sfree(ssh->deferred_send_data);
ssh->deferred_send_data = NULL;
if (backlog > SSH_MAX_BACKLOG)
ssh_throttle_all(ssh, 1, backlog);
ssh->outgoing_data_size += ssh->deferred_data_size;
if (!ssh->kex_in_progress &&
ssh->max_data_size != 0 &&
ssh->outgoing_data_size > ssh->max_data_size)
do_ssh2_transport(ssh, "too much data sent", -1, NULL);
ssh->deferred_data_size = 0;
}
/*
* Send a packet whose length needs to be disguised (typically
* passwords or keyboard-interactive responses).
*/
static void ssh2_pkt_send_with_padding(Ssh ssh, struct Packet *pkt,
int padsize)
{
#if 0
if (0) {
/*
* The simplest way to do this is to adjust the
* variable-length padding field in the outgoing packet.
*
* Currently compiled out, because some Cisco SSH servers
* don't like excessively padded packets (bah, why's it
* always Cisco?)
*/
pkt->forcepad = padsize;
ssh2_pkt_send(ssh, pkt);
} else
#endif
{
/*
* If we can't do that, however, an alternative approach is
* to use the pkt_defer mechanism to bundle the packet
* tightly together with an SSH_MSG_IGNORE such that their
* combined length is a constant. So first we construct the
* final form of this packet and defer its sending.
*/
ssh2_pkt_defer(ssh, pkt);
/*
* Now construct an SSH_MSG_IGNORE which includes a string
* that's an exact multiple of the cipher block size. (If
* the cipher is NULL so that the block size is
* unavailable, we don't do this trick at all, because we
* gain nothing by it.)
*/
if (ssh->cscipher &&
!(ssh->remote_bugs & BUG_CHOKES_ON_SSH2_IGNORE)) {
int stringlen, i;
stringlen = (256 - ssh->deferred_len);
stringlen += ssh->cscipher->blksize - 1;
stringlen -= (stringlen % ssh->cscipher->blksize);
if (ssh->cscomp) {
/*
* Temporarily disable actual compression, so we
* can guarantee to get this string exactly the
* length we want it. The compression-disabling
* routine should return an integer indicating how
* many bytes we should adjust our string length
* by.
*/
stringlen -=
ssh->cscomp->disable_compression(ssh->cs_comp_ctx);
}
pkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
ssh2_pkt_addstring_start(pkt);
for (i = 0; i < stringlen; i++) {
char c = (char) random_byte();
ssh2_pkt_addstring_data(pkt, &c, 1);
}
ssh2_pkt_defer(ssh, pkt);
}
ssh_pkt_defersend(ssh);
}
}
/*
* Send all queued SSH-2 packets. We send them by means of
* ssh2_pkt_defer_noqueue(), in case they included a pair of
* packets that needed to be lumped together.
*/
static void ssh2_pkt_queuesend(Ssh ssh)
{
int i;
assert(!ssh->queueing);
for (i = 0; i < ssh->queuelen; i++)
ssh2_pkt_defer_noqueue(ssh, ssh->queue[i], FALSE);
ssh->queuelen = 0;
ssh_pkt_defersend(ssh);
}
#if 0
void bndebug(char *string, Bignum b)
{
unsigned char *p;
int i, len;
p = ssh2_mpint_fmt(b, &len);
debug(("%s", string));
for (i = 0; i < len; i++)
debug((" %02x", p[i]));
debug(("\n"));
sfree(p);
}
#endif
static void hash_mpint(const struct ssh_hash *h, void *s, Bignum b)
{
unsigned char *p;
int len;
p = ssh2_mpint_fmt(b, &len);
hash_string(h, s, p, len);
sfree(p);
}
/*
* Packet decode functions for both SSH-1 and SSH-2.
*/
static unsigned long ssh_pkt_getuint32(struct Packet *pkt)
{
unsigned long value;
if (pkt->length - pkt->savedpos < 4)
return 0; /* arrgh, no way to decline (FIXME?) */
value = GET_32BIT(pkt->body + pkt->savedpos);
pkt->savedpos += 4;
return value;
}
static int ssh2_pkt_getbool(struct Packet *pkt)
{
unsigned long value;
if (pkt->length - pkt->savedpos < 1)
return 0; /* arrgh, no way to decline (FIXME?) */
value = pkt->body[pkt->savedpos] != 0;
pkt->savedpos++;
return value;
}
static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length)
{
int len;
*p = NULL;
*length = 0;
if (pkt->length - pkt->savedpos < 4)
return;
len = GET_32BIT(pkt->body + pkt->savedpos);
if (len < 0)
return;
*length = len;
pkt->savedpos += 4;
if (pkt->length - pkt->savedpos < *length)
return;
*p = (char *)(pkt->body + pkt->savedpos);
pkt->savedpos += *length;
}
static void *ssh_pkt_getdata(struct Packet *pkt, int length)
{
if (pkt->length - pkt->savedpos < length)
return NULL;
pkt->savedpos += length;
return pkt->body + (pkt->savedpos - length);
}
static int ssh1_pkt_getrsakey(struct Packet *pkt, struct RSAKey *key,
unsigned char **keystr)
{
int j;
j = makekey(pkt->body + pkt->savedpos,
pkt->length - pkt->savedpos,
key, keystr, 0);
if (j < 0)
return FALSE;
pkt->savedpos += j;
assert(pkt->savedpos < pkt->length);
return TRUE;
}
static Bignum ssh1_pkt_getmp(struct Packet *pkt)
{
int j;
Bignum b;
j = ssh1_read_bignum(pkt->body + pkt->savedpos,
pkt->length - pkt->savedpos, &b);
if (j < 0)
return NULL;
pkt->savedpos += j;
return b;
}
static Bignum ssh2_pkt_getmp(struct Packet *pkt)
{
char *p;
int length;
Bignum b;
ssh_pkt_getstring(pkt, &p, &length);
if (!p)
return NULL;
if (p[0] & 0x80)
return NULL;
b = bignum_from_bytes((unsigned char *)p, length);
return b;
}
/*
* Helper function to add an SSH-2 signature blob to a packet.
* Expects to be shown the public key blob as well as the signature
* blob. Normally works just like ssh2_pkt_addstring, but will
* fiddle with the signature packet if necessary for
* BUG_SSH2_RSA_PADDING.
*/
static void ssh2_add_sigblob(Ssh ssh, struct Packet *pkt,
void *pkblob_v, int pkblob_len,
void *sigblob_v, int sigblob_len)
{
unsigned char *pkblob = (unsigned char *)pkblob_v;
unsigned char *sigblob = (unsigned char *)sigblob_v;
/* dmemdump(pkblob, pkblob_len); */
/* dmemdump(sigblob, sigblob_len); */
/*
* See if this is in fact an ssh-rsa signature and a buggy
* server; otherwise we can just do this the easy way.
*/
if ((ssh->remote_bugs & BUG_SSH2_RSA_PADDING) &&
(GET_32BIT(pkblob) == 7 && !memcmp(pkblob+4, "ssh-rsa", 7))) {
int pos, len, siglen;
/*
* Find the byte length of the modulus.
*/
pos = 4+7; /* skip over "ssh-rsa" */
pos += 4 + GET_32BIT(pkblob+pos); /* skip over exponent */
len = GET_32BIT(pkblob+pos); /* find length of modulus */
pos += 4; /* find modulus itself */
while (len > 0 && pkblob[pos] == 0)
len--, pos++;
/* debug(("modulus length is %d\n", len)); */
/*
* Now find the signature integer.
*/
pos = 4+7; /* skip over "ssh-rsa" */
siglen = GET_32BIT(sigblob+pos);
/* debug(("signature length is %d\n", siglen)); */
if (len != siglen) {
unsigned char newlen[4];
ssh2_pkt_addstring_start(pkt);
ssh2_pkt_addstring_data(pkt, (char *)sigblob, pos);
/* dmemdump(sigblob, pos); */
pos += 4; /* point to start of actual sig */
PUT_32BIT(newlen, len);
ssh2_pkt_addstring_data(pkt, (char *)newlen, 4);
/* dmemdump(newlen, 4); */
newlen[0] = 0;
while (len-- > siglen) {
ssh2_pkt_addstring_data(pkt, (char *)newlen, 1);
/* dmemdump(newlen, 1); */
}
ssh2_pkt_addstring_data(pkt, (char *)(sigblob+pos), siglen);
/* dmemdump(sigblob+pos, siglen); */
return;
}
/* Otherwise fall through and do it the easy way. */
}
ssh2_pkt_addstring_start(pkt);
ssh2_pkt_addstring_data(pkt, (char *)sigblob, sigblob_len);
}
/*
* Examine the remote side's version string and compare it against
* a list of known buggy implementations.
*/
static void ssh_detect_bugs(Ssh ssh, char *vstring)
{
char *imp; /* pointer to implementation part */
imp = vstring;
imp += strcspn(imp, "-");
if (*imp) imp++;
imp += strcspn(imp, "-");
if (*imp) imp++;
ssh->remote_bugs = 0;
/*
* General notes on server version strings:
* - Not all servers reporting "Cisco-1.25" have all the bugs listed
* here -- in particular, we've heard of one that's perfectly happy
* with SSH1_MSG_IGNOREs -- but this string never seems to change,
* so we can't distinguish them.
*/
if (ssh->cfg.sshbug_ignore1 == FORCE_ON ||
(ssh->cfg.sshbug_ignore1 == AUTO &&
(!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
!strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
!strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
!strcmp(imp, "OSU_1.4alpha3") || !strcmp(imp, "OSU_1.5alpha4")))) {
/*
* These versions don't support SSH1_MSG_IGNORE, so we have
* to use a different defence against password length
* sniffing.
*/
ssh->remote_bugs |= BUG_CHOKES_ON_SSH1_IGNORE;
logevent("We believe remote version has SSH-1 ignore bug");
}
if (ssh->cfg.sshbug_plainpw1 == FORCE_ON ||
(ssh->cfg.sshbug_plainpw1 == AUTO &&
(!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
/*
* These versions need a plain password sent; they can't
* handle having a null and a random length of data after
* the password.
*/
ssh->remote_bugs |= BUG_NEEDS_SSH1_PLAIN_PASSWORD;
logevent("We believe remote version needs a plain SSH-1 password");
}
if (ssh->cfg.sshbug_rsa1 == FORCE_ON ||
(ssh->cfg.sshbug_rsa1 == AUTO &&
(!strcmp(imp, "Cisco-1.25")))) {
/*
* These versions apparently have no clue whatever about
* RSA authentication and will panic and die if they see
* an AUTH_RSA message.
*/
ssh->remote_bugs |= BUG_CHOKES_ON_RSA;
logevent("We believe remote version can't handle SSH-1 RSA authentication");
}
if (ssh->cfg.sshbug_hmac2 == FORCE_ON ||
(ssh->cfg.sshbug_hmac2 == AUTO &&
!wc_match("* VShell", imp) &&
(wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
wc_match("2.1 *", imp)))) {
/*
* These versions have the HMAC bug.
*/
ssh->remote_bugs |= BUG_SSH2_HMAC;
logevent("We believe remote version has SSH-2 HMAC bug");
}
if (ssh->cfg.sshbug_derivekey2 == FORCE_ON ||
(ssh->cfg.sshbug_derivekey2 == AUTO &&
!wc_match("* VShell", imp) &&
(wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
/*
* These versions have the key-derivation bug (failing to
* include the literal shared secret in the hashes that
* generate the keys).
*/
ssh->remote_bugs |= BUG_SSH2_DERIVEKEY;
logevent("We believe remote version has SSH-2 key-derivation bug");
}
if (ssh->cfg.sshbug_rsapad2 == FORCE_ON ||
(ssh->cfg.sshbug_rsapad2 == AUTO &&
(wc_match("OpenSSH_2.[5-9]*", imp) ||
wc_match("OpenSSH_3.[0-2]*", imp)))) {
/*
* These versions have the SSH-2 RSA padding bug.
*/
ssh->remote_bugs |= BUG_SSH2_RSA_PADDING;
logevent("We believe remote version has SSH-2 RSA padding bug");
}
if (ssh->cfg.sshbug_pksessid2 == FORCE_ON ||
(ssh->cfg.sshbug_pksessid2 == AUTO &&
wc_match("OpenSSH_2.[0-2]*", imp))) {
/*
* These versions have the SSH-2 session-ID bug in
* public-key authentication.
*/
ssh->remote_bugs |= BUG_SSH2_PK_SESSIONID;
logevent("We believe remote version has SSH-2 public-key-session-ID bug");
}
if (ssh->cfg.sshbug_rekey2 == FORCE_ON ||
(ssh->cfg.sshbug_rekey2 == AUTO &&
(wc_match("DigiSSH_2.0", imp) ||
wc_match("OpenSSH_2.[0-4]*", imp) ||
wc_match("OpenSSH_2.5.[0-3]*", imp) ||
wc_match("Sun_SSH_1.0", imp) ||
wc_match("Sun_SSH_1.0.1", imp) ||
/* All versions <= 1.2.6 (they changed their format in 1.2.7) */
wc_match("WeOnlyDo-*", imp)))) {
/*
* These versions have the SSH-2 rekey bug.
*/
ssh->remote_bugs |= BUG_SSH2_REKEY;
logevent("We believe remote version has SSH-2 rekey bug");
}
if (ssh->cfg.sshbug_maxpkt2 == FORCE_ON ||
(ssh->cfg.sshbug_maxpkt2 == AUTO &&
(wc_match("1.36_sshlib GlobalSCAPE", imp) ||
wc_match("1.36 sshlib: GlobalScape", imp)))) {
/*
* This version ignores our makpkt and needs to be throttled.
*/
ssh->remote_bugs |= BUG_SSH2_MAXPKT;
logevent("We believe remote version ignores SSH-2 maximum packet size");
}
if (ssh->cfg.sshbug_ignore2 == FORCE_ON) {
/*
* Servers that don't support SSH2_MSG_IGNORE. Currently,
* none detected automatically.
*/
ssh->remote_bugs |= BUG_CHOKES_ON_SSH2_IGNORE;
logevent("We believe remote version has SSH-2 ignore bug");
}
}
/*
* The `software version' part of an SSH version string is required
* to contain no spaces or minus signs.
*/
static void ssh_fix_verstring(char *str)
{
/* Eat "SSH-<protoversion>-". */
assert(*str == 'S'); str++;
assert(*str == 'S'); str++;
assert(*str == 'H'); str++;
assert(*str == '-'); str++;
while (*str && *str != '-') str++;
assert(*str == '-'); str++;
/* Convert minus signs and spaces in the remaining string into
* underscores. */
while (*str) {
if (*str == '-' || *str == ' ')
*str = '_';
str++;
}
}
/*
* Send an appropriate SSH version string.
*/
static void ssh_send_verstring(Ssh ssh, char *svers)
{
char *verstring;
if (ssh->version == 2) {
/*
* Construct a v2 version string.
*/
verstring = dupprintf("SSH-2.0-%s\015\012", sshver);
} else {
/*
* Construct a v1 version string.
*/
verstring = dupprintf("SSH-%s-%s\012",
(ssh_versioncmp(svers, "1.5") <= 0 ?
svers : "1.5"),
sshver);
}
ssh_fix_verstring(verstring);
if (ssh->version == 2) {
size_t len;
/*
* Record our version string.
*/
len = strcspn(verstring, "\015\012");
ssh->v_c = snewn(len + 1, char);
memcpy(ssh->v_c, verstring, len);
ssh->v_c[len] = 0;
}
logeventf(ssh, "We claim version: %.*s",
strcspn(verstring, "\015\012"), verstring);
s_write(ssh, verstring, strlen(verstring));
sfree(verstring);
}
static int do_ssh_init(Ssh ssh, unsigned char c)
{
struct do_ssh_init_state {
int vslen;
char version[10];
char *vstring;
int vstrsize;
int i;
int proto1, proto2;
};
crState(do_ssh_init_state);
crBegin(ssh->do_ssh_init_crstate);
/* Search for a line beginning with the string "SSH-" in the input. */
for (;;) {
if (c != 'S') goto no;
crReturn(1);
if (c != 'S') goto no;
crReturn(1);
if (c != 'H') goto no;
crReturn(1);
if (c != '-') goto no;
break;
no:
while (c != '\012')
crReturn(1);
crReturn(1);
}
s->vstrsize = 16;
s->vstring = snewn(s->vstrsize, char);
strcpy(s->vstring, "SSH-");
s->vslen = 4;
s->i = 0;
while (1) {
crReturn(1); /* get another char */
if (s->vslen >= s->vstrsize - 1) {
s->vstrsize += 16;
s->vstring = sresize(s->vstring, s->vstrsize, char);
}
s->vstring[s->vslen++] = c;
if (s->i >= 0) {
if (c == '-') {
s->version[s->i] = '\0';
s->i = -1;
} else if (s->i < sizeof(s->version) - 1)
s->version[s->i++] = c;
} else if (c == '\012')
break;
}
ssh->agentfwd_enabled = FALSE;
ssh->rdpkt2_state.incoming_sequence = 0;
s->vstring[s->vslen] = 0;
s->vstring[strcspn(s->vstring, "\015\012")] = '\0';/* remove EOL chars */
logeventf(ssh, "Server version: %s", s->vstring);
ssh_detect_bugs(ssh, s->vstring);
/*
* Decide which SSH protocol version to support.
*/
/* Anything strictly below "2.0" means protocol 1 is supported. */
s->proto1 = ssh_versioncmp(s->version, "2.0") < 0;
/* Anything greater or equal to "1.99" means protocol 2 is supported. */
s->proto2 = ssh_versioncmp(s->version, "1.99") >= 0;
if (ssh->cfg.sshprot == 0 && !s->proto1) {
bombout(("SSH protocol version 1 required by user but not provided by server"));
crStop(0);
}
if (ssh->cfg.sshprot == 3 && !s->proto2) {
bombout(("SSH protocol version 2 required by user but not provided by server"));
crStop(0);
}
if (s->proto2 && (ssh->cfg.sshprot >= 2 || !s->proto1))
ssh->version = 2;
else
ssh->version = 1;
logeventf(ssh, "Using SSH protocol version %d", ssh->version);
/* Send the version string, if we haven't already */
if (ssh->cfg.sshprot != 3)
ssh_send_verstring(ssh, s->version);
if (ssh->version == 2) {
size_t len;
/*
* Record their version string.
*/
len = strcspn(s->vstring, "\015\012");
ssh->v_s = snewn(len + 1, char);
memcpy(ssh->v_s, s->vstring, len);
ssh->v_s[len] = 0;
/*
* Initialise SSH-2 protocol.
*/
ssh->protocol = ssh2_protocol;
ssh2_protocol_setup(ssh);
ssh->s_rdpkt = ssh2_rdpkt;
} else {
/*
* Initialise SSH-1 protocol.
*/
ssh->protocol = ssh1_protocol;
ssh1_protocol_setup(ssh);
ssh->s_rdpkt = ssh1_rdpkt;
}
if (ssh->version == 2)
do_ssh2_transport(ssh, NULL, -1, NULL);
update_specials_menu(ssh->frontend);
ssh->state = SSH_STATE_BEFORE_SIZE;
ssh->pinger = pinger_new(&ssh->cfg, &ssh_backend, ssh);
sfree(s->vstring);
crFinish(0);
}
static void ssh_process_incoming_data(Ssh ssh,
unsigned char **data, int *datalen)
{
struct Packet *pktin;
pktin = ssh->s_rdpkt(ssh, data, datalen);
if (pktin) {
ssh->protocol(ssh, NULL, 0, pktin);
ssh_free_packet(pktin);
}
}
static void ssh_queue_incoming_data(Ssh ssh,
unsigned char **data, int *datalen)
{
bufchain_add(&ssh->queued_incoming_data, *data, *datalen);
*data += *datalen;
*datalen = 0;
}
static void ssh_process_queued_incoming_data(Ssh ssh)
{
void *vdata;
unsigned char *data;
int len, origlen;
while (!ssh->frozen && bufchain_size(&ssh->queued_incoming_data)) {
bufchain_prefix(&ssh->queued_incoming_data, &vdata, &len);
data = vdata;
origlen = len;
while (!ssh->frozen && len > 0)
ssh_process_incoming_data(ssh, &data, &len);
if (origlen > len)
bufchain_consume(&ssh->queued_incoming_data, origlen - len);
}
}
static void ssh_set_frozen(Ssh ssh, int frozen)
{
if (ssh->s)
sk_set_frozen(ssh->s, frozen);
ssh->frozen = frozen;
}
static void ssh_gotdata(Ssh ssh, unsigned char *data, int datalen)
{
/* Log raw data, if we're in that mode. */
if (ssh->logctx)
log_packet(ssh->logctx, PKT_INCOMING, -1, NULL, data, datalen,
0, NULL, NULL);
crBegin(ssh->ssh_gotdata_crstate);
/*
* To begin with, feed the characters one by one to the
* protocol initialisation / selection function do_ssh_init().
* When that returns 0, we're done with the initial greeting
* exchange and can move on to packet discipline.
*/
while (1) {
int ret; /* need not be kept across crReturn */
if (datalen == 0)
crReturnV; /* more data please */
ret = do_ssh_init(ssh, *data);
data++;
datalen--;
if (ret == 0)
break;
}
/*
* We emerge from that loop when the initial negotiation is
* over and we have selected an s_rdpkt function. Now pass
* everything to s_rdpkt, and then pass the resulting packets
* to the proper protocol handler.
*/
while (1) {
while (bufchain_size(&ssh->queued_incoming_data) > 0 || datalen > 0) {
if (ssh->frozen) {
ssh_queue_incoming_data(ssh, &data, &datalen);
/* This uses up all data and cannot cause anything interesting
* to happen; indeed, for anything to happen at all, we must
* return, so break out. */
break;
} else if (bufchain_size(&ssh->queued_incoming_data) > 0) {
/* This uses up some or all data, and may freeze the
* session. */
ssh_process_queued_incoming_data(ssh);
} else {
/* This uses up some or all data, and may freeze the
* session. */
ssh_process_incoming_data(ssh, &data, &datalen);
}
/* FIXME this is probably EBW. */
if (ssh->state == SSH_STATE_CLOSED)
return;
}
/* We're out of data. Go and get some more. */
crReturnV;
}
crFinishV;
}
static int ssh_do_close(Ssh ssh, int notify_exit)
{
int ret = 0;
struct ssh_channel *c;
ssh->state = SSH_STATE_CLOSED;
expire_timer_context(ssh);
if (ssh->s) {
sk_close(ssh->s);
ssh->s = NULL;
if (notify_exit)
notify_remote_exit(ssh->frontend);
else
ret = 1;
}
/*
* Now we must shut down any port- and X-forwarded channels going
* through this connection.
*/
if (ssh->channels) {
while (NULL != (c = index234(ssh->channels, 0))) {
switch (c->type) {
case CHAN_X11:
x11_close(c->u.x11.s);
break;
case CHAN_SOCKDATA:
pfd_close(c->u.pfd.s);
break;
}
del234(ssh->channels, c); /* moving next one to index 0 */
if (ssh->version == 2)
bufchain_clear(&c->v.v2.outbuffer);
sfree(c);
}
}
/*
* Go through port-forwardings, and close any associated
* listening sockets.
*/
if (ssh->portfwds) {
struct ssh_portfwd *pf;
while (NULL != (pf = index234(ssh->portfwds, 0))) {
/* Dispose of any listening socket. */
if (pf->local)
pfd_terminate(pf->local);
del234(ssh->portfwds, pf); /* moving next one to index 0 */
free_portfwd(pf);
}
freetree234(ssh->portfwds);
ssh->portfwds = NULL;
}
return ret;
}
static void ssh_log(Plug plug, int type, SockAddr addr, int port,
const char *error_msg, int error_code)
{
Ssh ssh = (Ssh) plug;
char addrbuf[256], *msg;
sk_getaddr(addr, addrbuf, lenof(addrbuf));
if (type == 0)
msg = dupprintf("Connecting to %s port %d", addrbuf, port);
else
msg = dupprintf("Failed to connect to %s: %s", addrbuf, error_msg);
logevent(msg);
sfree(msg);
}
static int ssh_closing(Plug plug, const char *error_msg, int error_code,
int calling_back)
{
Ssh ssh = (Ssh) plug;
int need_notify = ssh_do_close(ssh, FALSE);
if (!error_msg) {
if (!ssh->close_expected)
error_msg = "Server unexpectedly closed network connection";
else
error_msg = "Server closed network connection";
}
if (ssh->close_expected && ssh->clean_exit && ssh->exitcode < 0)
ssh->exitcode = 0;
if (need_notify)
notify_remote_exit(ssh->frontend);
if (error_msg)
logevent(error_msg);
if (!ssh->close_expected || !ssh->clean_exit)
connection_fatal(ssh->frontend, "%s", error_msg);
return 0;
}
static int ssh_receive(Plug plug, int urgent, char *data, int len)
{
Ssh ssh = (Ssh) plug;
ssh_gotdata(ssh, (unsigned char *)data, len);
if (ssh->state == SSH_STATE_CLOSED) {
ssh_do_close(ssh, TRUE);
return 0;
}
return 1;
}
static void ssh_sent(Plug plug, int bufsize)
{
Ssh ssh = (Ssh) plug;
/*
* If the send backlog on the SSH socket itself clears, we
* should unthrottle the whole world if it was throttled.
*/
if (bufsize < SSH_MAX_BACKLOG)
ssh_throttle_all(ssh, 0, bufsize);
}
/*
* Connect to specified host and port.
* Returns an error message, or NULL on success.
* Also places the canonical host name into `realhost'. It must be
* freed by the caller.
*/
static const char *connect_to_host(Ssh ssh, char *host, int port,
char **realhost, int nodelay, int keepalive)
{
static const struct plug_function_table fn_table = {
ssh_log,
ssh_closing,
ssh_receive,
ssh_sent,
NULL
};
SockAddr addr;
const char *err;
if (*ssh->cfg.loghost) {
char *colon;
ssh->savedhost = dupstr(ssh->cfg.loghost);
ssh->savedport = 22; /* default ssh port */
/*
* A colon suffix on savedhost also lets us affect
* savedport.
*
* (FIXME: do something about IPv6 address literals here.)
*/
colon = strrchr(ssh->savedhost, ':');
if (colon) {
*colon++ = '\0';
if (*colon)
ssh->savedport = atoi(colon);
}
} else {
ssh->savedhost = dupstr(host);
if (port < 0)
port = 22; /* default ssh port */
ssh->savedport = port;
}
/*
* Try to find host.
*/
logeventf(ssh, "Looking up host \"%s\"%s", host,
(ssh->cfg.addressfamily == ADDRTYPE_IPV4 ? " (IPv4)" :
(ssh->cfg.addressfamily == ADDRTYPE_IPV6 ? " (IPv6)" : "")));
addr = name_lookup(host, port, realhost, &ssh->cfg,
ssh->cfg.addressfamily);
if ((err = sk_addr_error(addr)) != NULL) {
sk_addr_free(addr);
return err;
}
ssh->fullhostname = dupstr(*realhost); /* save in case of GSSAPI */
/*
* Open socket.
*/
ssh->fn = &fn_table;
ssh->s = new_connection(addr, *realhost, port,
0, 1, nodelay, keepalive, (Plug) ssh, &ssh->cfg);
if ((err = sk_socket_error(ssh->s)) != NULL) {
ssh->s = NULL;
notify_remote_exit(ssh->frontend);
return err;
}
/*
* If the SSH version number's fixed, set it now, and if it's SSH-2,
* send the version string too.
*/
if (ssh->cfg.sshprot == 0)
ssh->version = 1;
if (ssh->cfg.sshprot == 3) {
ssh->version = 2;
ssh_send_verstring(ssh, NULL);
}
/*
* loghost, if configured, overrides realhost.
*/
if (*ssh->cfg.loghost) {
sfree(*realhost);
*realhost = dupstr(ssh->cfg.loghost);
}
return NULL;
}
/*
* Throttle or unthrottle the SSH connection.
*/
static void ssh_throttle_conn(Ssh ssh, int adjust)
{
int old_count = ssh->conn_throttle_count;
ssh->conn_throttle_count += adjust;
assert(ssh->conn_throttle_count >= 0);
if (ssh->conn_throttle_count && !old_count) {
ssh_set_frozen(ssh, 1);
} else if (!ssh->conn_throttle_count && old_count) {
ssh_set_frozen(ssh, 0);
}
}
/*
* Throttle or unthrottle _all_ local data streams (for when sends
* on the SSH connection itself back up).
*/
static void ssh_throttle_all(Ssh ssh, int enable, int bufsize)
{
int i;
struct ssh_channel *c;
if (enable == ssh->throttled_all)
return;
ssh->throttled_all = enable;
ssh->overall_bufsize = bufsize;
if (!ssh->channels)
return;
for (i = 0; NULL != (c = index234(ssh->channels, i)); i++) {
switch (c->type) {
case CHAN_MAINSESSION:
/*
* This is treated separately, outside the switch.
*/
break;
case CHAN_X11:
x11_override_throttle(c->u.x11.s, enable);
break;
case CHAN_AGENT:
/* Agent channels require no buffer management. */
break;
case CHAN_SOCKDATA:
pfd_override_throttle(c->u.pfd.s, enable);
break;
}
}
}
static void ssh_agent_callback(void *sshv, void *reply, int replylen)
{
Ssh ssh = (Ssh) sshv;
ssh->agent_response = reply;
ssh->agent_response_len = replylen;
if (ssh->version == 1)
do_ssh1_login(ssh, NULL, -1, NULL);
else
do_ssh2_authconn(ssh, NULL, -1, NULL);
}
static void ssh_dialog_callback(void *sshv, int ret)
{
Ssh ssh = (Ssh) sshv;
ssh->user_response = ret;
if (ssh->version == 1)
do_ssh1_login(ssh, NULL, -1, NULL);
else
do_ssh2_transport(ssh, NULL, -1, NULL);
/*
* This may have unfrozen the SSH connection, so do a
* queued-data run.
*/
ssh_process_queued_incoming_data(ssh);
}
static void ssh_agentf_callback(void *cv, void *reply, int replylen)
{
struct ssh_channel *c = (struct ssh_channel *)cv;
Ssh ssh = c->ssh;
void *sentreply = reply;
if (!sentreply) {
/* Fake SSH_AGENT_FAILURE. */
sentreply = "\0\0\0\1\5";
replylen = 5;
}
if (ssh->version == 2) {
ssh2_add_channel_data(c, sentreply, replylen);
ssh2_try_send(c);
} else {
send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
PKT_INT, c->remoteid,
PKT_INT, replylen,
PKTT_DATA,
PKT_DATA, sentreply, replylen,
PKTT_OTHER,
PKT_END);
}
if (reply)
sfree(reply);
}
/*
* Client-initiated disconnection. Send a DISCONNECT if `wire_reason'
* non-NULL, otherwise just close the connection. `client_reason' == NULL
* => log `wire_reason'.
*/
static void ssh_disconnect(Ssh ssh, char *client_reason, char *wire_reason,
int code, int clean_exit)
{
char *error;
if (!client_reason)
client_reason = wire_reason;
if (client_reason)
error = dupprintf("Disconnected: %s", client_reason);
else
error = dupstr("Disconnected");
if (wire_reason) {
if (ssh->version == 1) {
send_packet(ssh, SSH1_MSG_DISCONNECT, PKT_STR, wire_reason,
PKT_END);
} else if (ssh->version == 2) {
struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_DISCONNECT);
ssh2_pkt_adduint32(pktout, code);
ssh2_pkt_addstring(pktout, wire_reason);
ssh2_pkt_addstring(pktout, "en"); /* language tag */
ssh2_pkt_send_noqueue(ssh, pktout);
}
}
ssh->close_expected = TRUE;
ssh->clean_exit = clean_exit;
ssh_closing((Plug)ssh, error, 0, 0);
sfree(error);
}
/*
* Handle the key exchange and user authentication phases.
*/
static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
struct Packet *pktin)
{
int i, j, ret;
unsigned char cookie[8], *ptr;
struct RSAKey servkey, hostkey;
struct MD5Context md5c;
struct do_ssh1_login_state {
int len;
unsigned char *rsabuf, *keystr1, *keystr2;
unsigned long supported_ciphers_mask, supported_auths_mask;
int tried_publickey, tried_agent;
int tis_auth_refused, ccard_auth_refused;
unsigned char session_id[16];
int cipher_type;
char username[100];
void *publickey_blob;
int publickey_bloblen;
char *publickey_comment;
int publickey_encrypted;
prompts_t *cur_prompt;
char c;
int pwpkt_type;
unsigned char request[5], *response, *p;
int responselen;
int keyi, nkeys;
int authed;
struct RSAKey key;
Bignum challenge;
char *commentp;
int commentlen;
int dlgret;
};
crState(do_ssh1_login_state);
crBegin(ssh->do_ssh1_login_crstate);
if (!pktin)
crWaitUntil(pktin);
if (pktin->type != SSH1_SMSG_PUBLIC_KEY) {
bombout(("Public key packet not received"));
crStop(0);
}
logevent("Received public keys");
ptr = ssh_pkt_getdata(pktin, 8);
if (!ptr) {
bombout(("SSH-1 public key packet stopped before random cookie"));
crStop(0);
}
memcpy(cookie, ptr, 8);
if (!ssh1_pkt_getrsakey(pktin, &servkey, &s->keystr1) ||
!ssh1_pkt_getrsakey(pktin, &hostkey, &s->keystr2)) {
bombout(("Failed to read SSH-1 public keys from public key packet"));
crStop(0);
}
/*
* Log the host key fingerprint.
*/
{
char logmsg[80];
logevent("Host key fingerprint is:");
strcpy(logmsg, " ");
hostkey.comment = NULL;
rsa_fingerprint(logmsg + strlen(logmsg),
sizeof(logmsg) - strlen(logmsg), &hostkey);
logevent(logmsg);
}
ssh->v1_remote_protoflags = ssh_pkt_getuint32(pktin);
s->supported_ciphers_mask = ssh_pkt_getuint32(pktin);
s->supported_auths_mask = ssh_pkt_getuint32(pktin);
if ((ssh->remote_bugs & BUG_CHOKES_ON_RSA))
s->supported_auths_mask &= ~(1 << SSH1_AUTH_RSA);
ssh->v1_local_protoflags =
ssh->v1_remote_protoflags & SSH1_PROTOFLAGS_SUPPORTED;
ssh->v1_local_protoflags |= SSH1_PROTOFLAG_SCREEN_NUMBER;
MD5Init(&md5c);
MD5Update(&md5c, s->keystr2, hostkey.bytes);
MD5Update(&md5c, s->keystr1, servkey.bytes);
MD5Update(&md5c, cookie, 8);
MD5Final(s->session_id, &md5c);
for (i = 0; i < 32; i++)
ssh->session_key[i] = random_byte();
/*
* Verify that the `bits' and `bytes' parameters match.
*/
if (hostkey.bits > hostkey.bytes * 8 ||
servkey.bits > servkey.bytes * 8) {
bombout(("SSH-1 public keys were badly formatted"));
crStop(0);
}
s->len = (hostkey.bytes > servkey.bytes ? hostkey.bytes : servkey.bytes);
s->rsabuf = snewn(s->len, unsigned char);
/*
* Verify the host key.
*/
{
/*
* First format the key into a string.
*/
int len = rsastr_len(&hostkey);
char fingerprint[100];
char *keystr = snewn(len, char);
rsastr_fmt(keystr, &hostkey);
rsa_fingerprint(fingerprint, sizeof(fingerprint), &hostkey);
ssh_set_frozen(ssh, 1);
s->dlgret = verify_ssh_host_key(ssh->frontend,
ssh->savedhost, ssh->savedport,
"rsa", keystr, fingerprint,
ssh_dialog_callback, ssh);
sfree(keystr);
if (s->dlgret < 0) {
do {
crReturn(0);
if (pktin) {
bombout(("Unexpected data from server while waiting"
" for user host key response"));
crStop(0);
}
} while (pktin || inlen > 0);
s->dlgret = ssh->user_response;
}
ssh_set_frozen(ssh, 0);
if (s->dlgret == 0) {
ssh_disconnect(ssh, "User aborted at host key verification",
NULL, 0, TRUE);
crStop(0);
}
}
for (i = 0; i < 32; i++) {
s->rsabuf[i] = ssh->session_key[i];
if (i < 16)
s->rsabuf[i] ^= s->session_id[i];
}
if (hostkey.bytes > servkey.bytes) {
ret = rsaencrypt(s->rsabuf, 32, &servkey);
if (ret)
ret = rsaencrypt(s->rsabuf, servkey.bytes, &hostkey);
} else {
ret = rsaencrypt(s->rsabuf, 32, &hostkey);
if (ret)
ret = rsaencrypt(s->rsabuf, hostkey.bytes, &servkey);
}
if (!ret) {
bombout(("SSH-1 public key encryptions failed due to bad formatting"));
crStop(0);
}
logevent("Encrypted session key");
{
int cipher_chosen = 0, warn = 0;
char *cipher_string = NULL;
int i;
for (i = 0; !cipher_chosen && i < CIPHER_MAX; i++) {
int next_cipher = ssh->cfg.ssh_cipherlist[i];
if (next_cipher == CIPHER_WARN) {
/* If/when we choose a cipher, warn about it */
warn = 1;
} else if (next_cipher == CIPHER_AES) {
/* XXX Probably don't need to mention this. */
logevent("AES not supported in SSH-1, skipping");
} else {
switch (next_cipher) {
case CIPHER_3DES: s->cipher_type = SSH_CIPHER_3DES;
cipher_string = "3DES"; break;
case CIPHER_BLOWFISH: s->cipher_type = SSH_CIPHER_BLOWFISH;
cipher_string = "Blowfish"; break;
case CIPHER_DES: s->cipher_type = SSH_CIPHER_DES;
cipher_string = "single-DES"; break;
}
if (s->supported_ciphers_mask & (1 << s->cipher_type))
cipher_chosen = 1;
}
}
if (!cipher_chosen) {
if ((s->supported_ciphers_mask & (1 << SSH_CIPHER_3DES)) == 0)
bombout(("Server violates SSH-1 protocol by not "
"supporting 3DES encryption"));
else
/* shouldn't happen */
bombout(("No supported ciphers found"));
crStop(0);
}
/* Warn about chosen cipher if necessary. */
if (warn) {
ssh_set_frozen(ssh, 1);
s->dlgret = askalg(ssh->frontend, "cipher", cipher_string,
ssh_dialog_callback, ssh);
if (s->dlgret < 0) {
do {
crReturn(0);
if (pktin) {
bombout(("Unexpected data from server while waiting"
" for user response"));
crStop(0);
}
} while (pktin || inlen > 0);
s->dlgret = ssh->user_response;
}
ssh_set_frozen(ssh, 0);
if (s->dlgret == 0) {
ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
0, TRUE);
crStop(0);
}
}
}
switch (s->cipher_type) {
case SSH_CIPHER_3DES:
logevent("Using 3DES encryption");
break;
case SSH_CIPHER_DES:
logevent("Using single-DES encryption");
break;
case SSH_CIPHER_BLOWFISH:
logevent("Using Blowfish encryption");
break;
}
send_packet(ssh, SSH1_CMSG_SESSION_KEY,
PKT_CHAR, s->cipher_type,
PKT_DATA, cookie, 8,
PKT_CHAR, (s->len * 8) >> 8, PKT_CHAR, (s->len * 8) & 0xFF,
PKT_DATA, s->rsabuf, s->len,
PKT_INT, ssh->v1_local_protoflags, PKT_END);
logevent("Trying to enable encryption...");
sfree(s->rsabuf);
ssh->cipher = (s->cipher_type == SSH_CIPHER_BLOWFISH ? &ssh_blowfish_ssh1 :
s->cipher_type == SSH_CIPHER_DES ? &ssh_des :
&ssh_3des);
ssh->v1_cipher_ctx = ssh->cipher->make_context();
ssh->cipher->sesskey(ssh->v1_cipher_ctx, ssh->session_key);
logeventf(ssh, "Initialised %s encryption", ssh->cipher->text_name);
ssh->crcda_ctx = crcda_make_context();
logevent("Installing CRC compensation attack detector");
if (servkey.modulus) {
sfree(servkey.modulus);
servkey.modulus = NULL;
}
if (servkey.exponent) {
sfree(servkey.exponent);
servkey.exponent = NULL;
}
if (hostkey.modulus) {
sfree(hostkey.modulus);
hostkey.modulus = NULL;
}
if (hostkey.exponent) {
sfree(hostkey.exponent);
hostkey.exponent = NULL;
}
crWaitUntil(pktin);
if (pktin->type != SSH1_SMSG_SUCCESS) {
bombout(("Encryption not successfully enabled"));
crStop(0);
}
logevent("Successfully started encryption");
fflush(stdout); /* FIXME eh? */
{
if (!get_remote_username(&ssh->cfg, s->username,
sizeof(s->username))) {
int ret; /* need not be kept over crReturn */
s->cur_prompt = new_prompts(ssh->frontend);
s->cur_prompt->to_server = TRUE;
s->cur_prompt->name = dupstr("SSH login name");
add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
lenof(s->username));
ret = get_userpass_input(s->cur_prompt, NULL, 0);
while (ret < 0) {
ssh->send_ok = 1;
crWaitUntil(!pktin);
ret = get_userpass_input(s->cur_prompt, in, inlen);
ssh->send_ok = 0;
}
if (!ret) {
/*
* Failed to get a username. Terminate.
*/
free_prompts(s->cur_prompt);
ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
crStop(0);
}
memcpy(s->username, s->cur_prompt->prompts[0]->result,
lenof(s->username));
free_prompts(s->cur_prompt);
}
send_packet(ssh, SSH1_CMSG_USER, PKT_STR, s->username, PKT_END);
{
char *userlog = dupprintf("Sent username \"%s\"", s->username);
logevent(userlog);
if (flags & FLAG_INTERACTIVE &&
(!((flags & FLAG_STDERR) && (flags & FLAG_VERBOSE)))) {
c_write_str(ssh, userlog);
c_write_str(ssh, "\r\n");
}
sfree(userlog);
}
}
crWaitUntil(pktin);
if ((s->supported_auths_mask & (1 << SSH1_AUTH_RSA)) == 0) {
/* We must not attempt PK auth. Pretend we've already tried it. */
s->tried_publickey = s->tried_agent = 1;
} else {
s->tried_publickey = s->tried_agent = 0;
}
s->tis_auth_refused = s->ccard_auth_refused = 0;
/*
* Load the public half of any configured keyfile for later use.
*/
if (!filename_is_null(ssh->cfg.keyfile)) {
int keytype;
logeventf(ssh, "Reading private key file \"%.150s\"",
filename_to_str(&ssh->cfg.keyfile));
keytype = key_type(&ssh->cfg.keyfile);
if (keytype == SSH_KEYTYPE_SSH1) {
const char *error;
if (rsakey_pubblob(&ssh->cfg.keyfile,
&s->publickey_blob, &s->publickey_bloblen,
&s->publickey_comment, &error)) {
s->publickey_encrypted = rsakey_encrypted(&ssh->cfg.keyfile,
NULL);
} else {
char *msgbuf;
logeventf(ssh, "Unable to load private key (%s)", error);
msgbuf = dupprintf("Unable to load private key file "
"\"%.150s\" (%s)\r\n",
filename_to_str(&ssh->cfg.keyfile),
error);
c_write_str(ssh, msgbuf);
sfree(msgbuf);
s->publickey_blob = NULL;
}
} else {
char *msgbuf;
logeventf(ssh, "Unable to use this key file (%s)",
key_type_to_str(keytype));
msgbuf = dupprintf("Unable to use key file \"%.150s\""
" (%s)\r\n",
filename_to_str(&ssh->cfg.keyfile),
key_type_to_str(keytype));
c_write_str(ssh, msgbuf);
sfree(msgbuf);
s->publickey_blob = NULL;
}
} else
s->publickey_blob = NULL;
while (pktin->type == SSH1_SMSG_FAILURE) {
s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
if (ssh->cfg.tryagent && agent_exists() && !s->tried_agent) {
/*
* Attempt RSA authentication using Pageant.
*/
void *r;
s->authed = FALSE;
s->tried_agent = 1;
logevent("Pageant is running. Requesting keys.");
/* Request the keys held by the agent. */
PUT_32BIT(s->request, 1);
s->request[4] = SSH1_AGENTC_REQUEST_RSA_IDENTITIES;
if (!agent_query(s->request, 5, &r, &s->responselen,
ssh_agent_callback, ssh)) {
do {
crReturn(0);
if (pktin) {
bombout(("Unexpected data from server while waiting"
" for agent response"));
crStop(0);
}
} while (pktin || inlen > 0);
r = ssh->agent_response;
s->responselen = ssh->agent_response_len;
}
s->response = (unsigned char *) r;
if (s->response && s->responselen >= 5 &&
s->response[4] == SSH1_AGENT_RSA_IDENTITIES_ANSWER) {
s->p = s->response + 5;
s->nkeys = GET_32BIT(s->p);
s->p += 4;
logeventf(ssh, "Pageant has %d SSH-1 keys", s->nkeys);
for (s->keyi = 0; s->keyi < s->nkeys; s->keyi++) {
unsigned char *pkblob = s->p;
s->p += 4;
{
int n, ok = FALSE;
do { /* do while (0) to make breaking easy */
n = ssh1_read_bignum
(s->p, s->responselen-(s->p-s->response),
&s->key.exponent);
if (n < 0)
break;
s->p += n;
n = ssh1_read_bignum
(s->p, s->responselen-(s->p-s->response),
&s->key.modulus);
if (n < 0)
break;
s->p += n;
if (s->responselen - (s->p-s->response) < 4)
break;
s->commentlen = GET_32BIT(s->p);
s->p += 4;
if (s->responselen - (s->p-s->response) <
s->commentlen)
break;
s->commentp = (char *)s->p;
s->p += s->commentlen;
ok = TRUE;
} while (0);
if (!ok) {
logevent("Pageant key list packet was truncated");
break;
}
}
if (s->publickey_blob) {
if (!memcmp(pkblob, s->publickey_blob,
s->publickey_bloblen)) {
logeventf(ssh, "Pageant key #%d matches "
"configured key file", s->keyi);
s->tried_publickey = 1;
} else
/* Skip non-configured key */
continue;
}
logeventf(ssh, "Trying Pageant key #%d", s->keyi);
send_packet(ssh, SSH1_CMSG_AUTH_RSA,
PKT_BIGNUM, s->key.modulus, PKT_END);
crWaitUntil(pktin);
if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
logevent("Key refused");
continue;
}
logevent("Received RSA challenge");
if ((s->challenge = ssh1_pkt_getmp(pktin)) == NULL) {
bombout(("Server's RSA challenge was badly formatted"));
crStop(0);
}
{
char *agentreq, *q, *ret;
void *vret;
int len, retlen;
len = 1 + 4; /* message type, bit count */
len += ssh1_bignum_length(s->key.exponent);
len += ssh1_bignum_length(s->key.modulus);
len += ssh1_bignum_length(s->challenge);
len += 16; /* session id */
len += 4; /* response format */
agentreq = snewn(4 + len, char);
PUT_32BIT(agentreq, len);
q = agentreq + 4;
*q++ = SSH1_AGENTC_RSA_CHALLENGE;
PUT_32BIT(q, bignum_bitcount(s->key.modulus));
q += 4;
q += ssh1_write_bignum(q, s->key.exponent);
q += ssh1_write_bignum(q, s->key.modulus);
q += ssh1_write_bignum(q, s->challenge);
memcpy(q, s->session_id, 16);
q += 16;
PUT_32BIT(q, 1); /* response format */
if (!agent_query(agentreq, len + 4, &vret, &retlen,
ssh_agent_callback, ssh)) {
sfree(agentreq);
do {
crReturn(0);
if (pktin) {
bombout(("Unexpected data from server"
" while waiting for agent"
" response"));
crStop(0);
}
} while (pktin || inlen > 0);
vret = ssh->agent_response;
retlen = ssh->agent_response_len;
} else
sfree(agentreq);
ret = vret;
if (ret) {
if (ret[4] == SSH1_AGENT_RSA_RESPONSE) {
logevent("Sending Pageant's response");
send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
PKT_DATA, ret + 5, 16,
PKT_END);
sfree(ret);
crWaitUntil(pktin);
if (pktin->type == SSH1_SMSG_SUCCESS) {
logevent
("Pageant's response accepted");
if (flags & FLAG_VERBOSE) {
c_write_str(ssh, "Authenticated using"
" RSA key \"");
c_write(ssh, s->commentp,
s->commentlen);
c_write_str(ssh, "\" from agent\r\n");
}
s->authed = TRUE;
} else
logevent
("Pageant's response not accepted");
} else {
logevent
("Pageant failed to answer challenge");
sfree(ret);
}
} else {
logevent("No reply received from Pageant");
}
}
freebn(s->key.exponent);
freebn(s->key.modulus);
freebn(s->challenge);
if (s->authed)
break;
}
sfree(s->response);
if (s->publickey_blob && !s->tried_publickey)
logevent("Configured key file not in Pageant");
}
if (s->authed)
break;
}
if (s->publickey_blob && !s->tried_publickey) {
/*
* Try public key authentication with the specified
* key file.
*/
int got_passphrase; /* need not be kept over crReturn */
if (flags & FLAG_VERBOSE)
c_write_str(ssh, "Trying public key authentication.\r\n");
logeventf(ssh, "Trying public key \"%s\"",
filename_to_str(&ssh->cfg.keyfile));
s->tried_publickey = 1;
got_passphrase = FALSE;
while (!got_passphrase) {
/*
* Get a passphrase, if necessary.
*/
char *passphrase = NULL; /* only written after crReturn */
const char *error;
if (!s->publickey_encrypted) {
if (flags & FLAG_VERBOSE)
c_write_str(ssh, "No passphrase required.\r\n");
passphrase = NULL;
} else {
int ret; /* need not be kept over crReturn */
s->cur_prompt = new_prompts(ssh->frontend);
s->cur_prompt->to_server = FALSE;
s->cur_prompt->name = dupstr("SSH key passphrase");
add_prompt(s->cur_prompt,
dupprintf("Passphrase for key \"%.100s\": ",
s->publickey_comment),
FALSE, SSH_MAX_PASSWORD_LEN);
ret = get_userpass_input(s->cur_prompt, NULL, 0);
while (ret < 0) {
ssh->send_ok = 1;
crWaitUntil(!pktin);
ret = get_userpass_input(s->cur_prompt, in, inlen);
ssh->send_ok = 0;
}
if (!ret) {
/* Failed to get a passphrase. Terminate. */
free_prompts(s->cur_prompt);
ssh_disconnect(ssh, NULL, "Unable to authenticate",
0, TRUE);
crStop(0);
}
passphrase = dupstr(s->cur_prompt->prompts[0]->result);
free_prompts(s->cur_prompt);
}
/*
* Try decrypting key with passphrase.
*/
ret = loadrsakey(&ssh->cfg.keyfile, &s->key, passphrase,
&error);
if (passphrase) {
memset(passphrase, 0, strlen(passphrase));
sfree(passphrase);
}
if (ret == 1) {
/* Correct passphrase. */
got_passphrase = TRUE;
} else if (ret == 0) {
c_write_str(ssh, "Couldn't load private key from ");
c_write_str(ssh, filename_to_str(&ssh->cfg.keyfile));
c_write_str(ssh, " (");
c_write_str(ssh, error);
c_write_str(ssh, ").\r\n");
got_passphrase = FALSE;
break; /* go and try something else */
} else if (ret == -1) {
c_write_str(ssh, "Wrong passphrase.\r\n"); /* FIXME */
got_passphrase = FALSE;
/* and try again */
} else {
assert(0 && "unexpected return from loadrsakey()");
got_passphrase = FALSE; /* placate optimisers */
}
}
if (got_passphrase) {
/*
* Send a public key attempt.
*/
send_packet(ssh, SSH1_CMSG_AUTH_RSA,
PKT_BIGNUM, s->key.modulus, PKT_END);
crWaitUntil(pktin);
if (pktin->type == SSH1_SMSG_FAILURE) {
c_write_str(ssh, "Server refused our public key.\r\n");
continue; /* go and try something else */
}
if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
bombout(("Bizarre response to offer of public key"));
crStop(0);
}
{
int i;
unsigned char buffer[32];
Bignum challenge, response;
if ((challenge = ssh1_pkt_getmp(pktin)) == NULL) {
bombout(("Server's RSA challenge was badly formatted"));
crStop(0);
}
response = rsadecrypt(challenge, &s->key);
freebn(s->key.private_exponent);/* burn the evidence */
for (i = 0; i < 32; i++) {
buffer[i] = bignum_byte(response, 31 - i);
}
MD5Init(&md5c);
MD5Update(&md5c, buffer, 32);
MD5Update(&md5c, s->session_id, 16);
MD5Final(buffer, &md5c);
send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
PKT_DATA, buffer, 16, PKT_END);
freebn(challenge);
freebn(response);
}
crWaitUntil(pktin);
if (pktin->type == SSH1_SMSG_FAILURE) {
if (flags & FLAG_VERBOSE)
c_write_str(ssh, "Failed to authenticate with"
" our public key.\r\n");
continue; /* go and try something else */
} else if (pktin->type != SSH1_SMSG_SUCCESS) {
bombout(("Bizarre response to RSA authentication response"));
crStop(0);
}
break; /* we're through! */
}
}
/*
* Otherwise, try various forms of password-like authentication.
*/
s->cur_prompt = new_prompts(ssh->frontend);
if (ssh->cfg.try_tis_auth &&
(s->supported_auths_mask & (1 << SSH1_AUTH_TIS)) &&
!s->tis_auth_refused) {
s->pwpkt_type = SSH1_CMSG_AUTH_TIS_RESPONSE;
logevent("Requested TIS authentication");
send_packet(ssh, SSH1_CMSG_AUTH_TIS, PKT_END);
crWaitUntil(pktin);
if (pktin->type != SSH1_SMSG_AUTH_TIS_CHALLENGE) {
logevent("TIS authentication declined");
if (flags & FLAG_INTERACTIVE)
c_write_str(ssh, "TIS authentication refused.\r\n");
s->tis_auth_refused = 1;
continue;
} else {
char *challenge;
int challengelen;
char *instr_suf, *prompt;
ssh_pkt_getstring(pktin, &challenge, &challengelen);
if (!challenge) {
bombout(("TIS challenge packet was badly formed"));
crStop(0);
}
logevent("Received TIS challenge");
s->cur_prompt->to_server = TRUE;
s->cur_prompt->name = dupstr("SSH TIS authentication");
/* Prompt heuristic comes from OpenSSH */
if (memchr(challenge, '\n', challengelen)) {
instr_suf = dupstr("");
prompt = dupprintf("%.*s", challengelen, challenge);
} else {
instr_suf = dupprintf("%.*s", challengelen, challenge);
prompt = dupstr("Response: ");
}
s->cur_prompt->instruction =
dupprintf("Using TIS authentication.%s%s",
(*instr_suf) ? "\n" : "",
instr_suf);
s->cur_prompt->instr_reqd = TRUE;
add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
sfree(instr_suf);
}
}
if (ssh->cfg.try_tis_auth &&
(s->supported_auths_mask & (1 << SSH1_AUTH_CCARD)) &&
!s->ccard_auth_refused) {
s->pwpkt_type = SSH1_CMSG_AUTH_CCARD_RESPONSE;
logevent("Requested CryptoCard authentication");
send_packet(ssh, SSH1_CMSG_AUTH_CCARD, PKT_END);
crWaitUntil(pktin);
if (pktin->type != SSH1_SMSG_AUTH_CCARD_CHALLENGE) {
logevent("CryptoCard authentication declined");
c_write_str(ssh, "CryptoCard authentication refused.\r\n");
s->ccard_auth_refused = 1;
continue;
} else {
char *challenge;
int challengelen;
char *instr_suf, *prompt;
ssh_pkt_getstring(pktin, &challenge, &challengelen);
if (!challenge) {
bombout(("CryptoCard challenge packet was badly formed"));