projects / u / mdw / putty / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Jacob correctly points out that I accidentally lost a clearing of
[u/mdw/putty] / ssh.c
1 /*
2 * SSH backend.
3 */
4
5 #include <stdio.h>
6 #include <stdlib.h>
7 #include <stdarg.h>
8 #include <assert.h>
9 #include <limits.h>
10 #include <signal.h>
11
12 #include "putty.h"
13 #include "tree234.h"
14 #include "ssh.h"
15 #include "sshgss.h"
16
17 #ifndef FALSE
18 #define FALSE 0
19 #endif
20 #ifndef TRUE
21 #define TRUE 1
22 #endif
23
24 #define SSH1_MSG_DISCONNECT 1 /* 0x1 */
25 #define SSH1_SMSG_PUBLIC_KEY 2 /* 0x2 */
26 #define SSH1_CMSG_SESSION_KEY 3 /* 0x3 */
27 #define SSH1_CMSG_USER 4 /* 0x4 */
28 #define SSH1_CMSG_AUTH_RSA 6 /* 0x6 */
29 #define SSH1_SMSG_AUTH_RSA_CHALLENGE 7 /* 0x7 */
30 #define SSH1_CMSG_AUTH_RSA_RESPONSE 8 /* 0x8 */
31 #define SSH1_CMSG_AUTH_PASSWORD 9 /* 0x9 */
32 #define SSH1_CMSG_REQUEST_PTY 10 /* 0xa */
33 #define SSH1_CMSG_WINDOW_SIZE 11 /* 0xb */
34 #define SSH1_CMSG_EXEC_SHELL 12 /* 0xc */
35 #define SSH1_CMSG_EXEC_CMD 13 /* 0xd */
36 #define SSH1_SMSG_SUCCESS 14 /* 0xe */
37 #define SSH1_SMSG_FAILURE 15 /* 0xf */
38 #define SSH1_CMSG_STDIN_DATA 16 /* 0x10 */
39 #define SSH1_SMSG_STDOUT_DATA 17 /* 0x11 */
40 #define SSH1_SMSG_STDERR_DATA 18 /* 0x12 */
41 #define SSH1_CMSG_EOF 19 /* 0x13 */
42 #define SSH1_SMSG_EXIT_STATUS 20 /* 0x14 */
43 #define SSH1_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* 0x15 */
44 #define SSH1_MSG_CHANNEL_OPEN_FAILURE 22 /* 0x16 */
45 #define SSH1_MSG_CHANNEL_DATA 23 /* 0x17 */
46 #define SSH1_MSG_CHANNEL_CLOSE 24 /* 0x18 */
47 #define SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* 0x19 */
48 #define SSH1_SMSG_X11_OPEN 27 /* 0x1b */
49 #define SSH1_CMSG_PORT_FORWARD_REQUEST 28 /* 0x1c */
50 #define SSH1_MSG_PORT_OPEN 29 /* 0x1d */
51 #define SSH1_CMSG_AGENT_REQUEST_FORWARDING 30 /* 0x1e */
52 #define SSH1_SMSG_AGENT_OPEN 31 /* 0x1f */
53 #define SSH1_MSG_IGNORE 32 /* 0x20 */
54 #define SSH1_CMSG_EXIT_CONFIRMATION 33 /* 0x21 */
55 #define SSH1_CMSG_X11_REQUEST_FORWARDING 34 /* 0x22 */
56 #define SSH1_CMSG_AUTH_RHOSTS_RSA 35 /* 0x23 */
57 #define SSH1_MSG_DEBUG 36 /* 0x24 */
58 #define SSH1_CMSG_REQUEST_COMPRESSION 37 /* 0x25 */
59 #define SSH1_CMSG_AUTH_TIS 39 /* 0x27 */
60 #define SSH1_SMSG_AUTH_TIS_CHALLENGE 40 /* 0x28 */
61 #define SSH1_CMSG_AUTH_TIS_RESPONSE 41 /* 0x29 */
62 #define SSH1_CMSG_AUTH_CCARD 70 /* 0x46 */
63 #define SSH1_SMSG_AUTH_CCARD_CHALLENGE 71 /* 0x47 */
64 #define SSH1_CMSG_AUTH_CCARD_RESPONSE 72 /* 0x48 */
65
66 #define SSH1_AUTH_RHOSTS 1 /* 0x1 */
67 #define SSH1_AUTH_RSA 2 /* 0x2 */
68 #define SSH1_AUTH_PASSWORD 3 /* 0x3 */
69 #define SSH1_AUTH_RHOSTS_RSA 4 /* 0x4 */
70 #define SSH1_AUTH_TIS 5 /* 0x5 */
71 #define SSH1_AUTH_CCARD 16 /* 0x10 */
72
73 #define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */
74 /* Mask for protoflags we will echo back to server if seen */
75 #define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */
76
77 #define SSH2_MSG_DISCONNECT 1 /* 0x1 */
78 #define SSH2_MSG_IGNORE 2 /* 0x2 */
79 #define SSH2_MSG_UNIMPLEMENTED 3 /* 0x3 */
80 #define SSH2_MSG_DEBUG 4 /* 0x4 */
81 #define SSH2_MSG_SERVICE_REQUEST 5 /* 0x5 */
82 #define SSH2_MSG_SERVICE_ACCEPT 6 /* 0x6 */
83 #define SSH2_MSG_KEXINIT 20 /* 0x14 */
84 #define SSH2_MSG_NEWKEYS 21 /* 0x15 */
85 #define SSH2_MSG_KEXDH_INIT 30 /* 0x1e */
86 #define SSH2_MSG_KEXDH_REPLY 31 /* 0x1f */
87 #define SSH2_MSG_KEX_DH_GEX_REQUEST 30 /* 0x1e */
88 #define SSH2_MSG_KEX_DH_GEX_GROUP 31 /* 0x1f */
89 #define SSH2_MSG_KEX_DH_GEX_INIT 32 /* 0x20 */
90 #define SSH2_MSG_KEX_DH_GEX_REPLY 33 /* 0x21 */
91 #define SSH2_MSG_KEXRSA_PUBKEY 30 /* 0x1e */
92 #define SSH2_MSG_KEXRSA_SECRET 31 /* 0x1f */
93 #define SSH2_MSG_KEXRSA_DONE 32 /* 0x20 */
94 #define SSH2_MSG_USERAUTH_REQUEST 50 /* 0x32 */
95 #define SSH2_MSG_USERAUTH_FAILURE 51 /* 0x33 */
96 #define SSH2_MSG_USERAUTH_SUCCESS 52 /* 0x34 */
97 #define SSH2_MSG_USERAUTH_BANNER 53 /* 0x35 */
98 #define SSH2_MSG_USERAUTH_PK_OK 60 /* 0x3c */
99 #define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 /* 0x3c */
100 #define SSH2_MSG_USERAUTH_INFO_REQUEST 60 /* 0x3c */
101 #define SSH2_MSG_USERAUTH_INFO_RESPONSE 61 /* 0x3d */
102 #define SSH2_MSG_GLOBAL_REQUEST 80 /* 0x50 */
103 #define SSH2_MSG_REQUEST_SUCCESS 81 /* 0x51 */
104 #define SSH2_MSG_REQUEST_FAILURE 82 /* 0x52 */
105 #define SSH2_MSG_CHANNEL_OPEN 90 /* 0x5a */
106 #define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION 91 /* 0x5b */
107 #define SSH2_MSG_CHANNEL_OPEN_FAILURE 92 /* 0x5c */
108 #define SSH2_MSG_CHANNEL_WINDOW_ADJUST 93 /* 0x5d */
109 #define SSH2_MSG_CHANNEL_DATA 94 /* 0x5e */
110 #define SSH2_MSG_CHANNEL_EXTENDED_DATA 95 /* 0x5f */
111 #define SSH2_MSG_CHANNEL_EOF 96 /* 0x60 */
112 #define SSH2_MSG_CHANNEL_CLOSE 97 /* 0x61 */
113 #define SSH2_MSG_CHANNEL_REQUEST 98 /* 0x62 */
114 #define SSH2_MSG_CHANNEL_SUCCESS 99 /* 0x63 */
115 #define SSH2_MSG_CHANNEL_FAILURE 100 /* 0x64 */
116 #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60
117 #define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61
118 #define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63
119 #define SSH2_MSG_USERAUTH_GSSAPI_ERROR 64
120 #define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65
121 #define SSH2_MSG_USERAUTH_GSSAPI_MIC 66
122
123 /*
124 * Packet type contexts, so that ssh2_pkt_type can correctly decode
125 * the ambiguous type numbers back into the correct type strings.
126 */
127 typedef enum {
128 SSH2_PKTCTX_NOKEX,
129 SSH2_PKTCTX_DHGROUP,
130 SSH2_PKTCTX_DHGEX,
131 SSH2_PKTCTX_RSAKEX
132 } Pkt_KCtx;
133 typedef enum {
134 SSH2_PKTCTX_NOAUTH,
135 SSH2_PKTCTX_PUBLICKEY,
136 SSH2_PKTCTX_PASSWORD,
137 SSH2_PKTCTX_GSSAPI,
138 SSH2_PKTCTX_KBDINTER
139 } Pkt_ACtx;
140
141 #define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */
142 #define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */
143 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */
144 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */
145 #define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */
146 #define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */
147 #define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */
148 #define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */
149 #define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */
150 #define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */
151 #define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */
152 #define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */
153 #define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */
154 #define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */
155 #define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */
156
157 static const char *const ssh2_disconnect_reasons[] = {
158 NULL,
159 "host not allowed to connect",
160 "protocol error",
161 "key exchange failed",
162 "host authentication failed",
163 "MAC error",
164 "compression error",
165 "service not available",
166 "protocol version not supported",
167 "host key not verifiable",
168 "connection lost",
169 "by application",
170 "too many connections",
171 "auth cancelled by user",
172 "no more auth methods available",
173 "illegal user name",
174 };
175
176 #define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */
177 #define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */
178 #define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */
179 #define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */
180
181 #define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */
182
183 /*
184 * Various remote-bug flags.
185 */
186 #define BUG_CHOKES_ON_SSH1_IGNORE 1
187 #define BUG_SSH2_HMAC 2
188 #define BUG_NEEDS_SSH1_PLAIN_PASSWORD 4
189 #define BUG_CHOKES_ON_RSA 8
190 #define BUG_SSH2_RSA_PADDING 16
191 #define BUG_SSH2_DERIVEKEY 32
192 #define BUG_SSH2_REKEY 64
193 #define BUG_SSH2_PK_SESSIONID 128
194 #define BUG_SSH2_MAXPKT 256
195
196 /*
197 * Codes for terminal modes.
198 * Most of these are the same in SSH-1 and SSH-2.
199 * This list is derived from RFC 4254 and
200 * SSH-1 RFC-1.2.31.
201 */
202 static const struct {
203 const char* const mode;
204 int opcode;
205 enum { TTY_OP_CHAR, TTY_OP_BOOL } type;
206 } ssh_ttymodes[] = {
207 /* "V" prefix discarded for special characters relative to SSH specs */
208 { "INTR", 1, TTY_OP_CHAR },
209 { "QUIT", 2, TTY_OP_CHAR },
210 { "ERASE", 3, TTY_OP_CHAR },
211 { "KILL", 4, TTY_OP_CHAR },
212 { "EOF", 5, TTY_OP_CHAR },
213 { "EOL", 6, TTY_OP_CHAR },
214 { "EOL2", 7, TTY_OP_CHAR },
215 { "START", 8, TTY_OP_CHAR },
216 { "STOP", 9, TTY_OP_CHAR },
217 { "SUSP", 10, TTY_OP_CHAR },
218 { "DSUSP", 11, TTY_OP_CHAR },
219 { "REPRINT", 12, TTY_OP_CHAR },
220 { "WERASE", 13, TTY_OP_CHAR },
221 { "LNEXT", 14, TTY_OP_CHAR },
222 { "FLUSH", 15, TTY_OP_CHAR },
223 { "SWTCH", 16, TTY_OP_CHAR },
224 { "STATUS", 17, TTY_OP_CHAR },
225 { "DISCARD", 18, TTY_OP_CHAR },
226 { "IGNPAR", 30, TTY_OP_BOOL },
227 { "PARMRK", 31, TTY_OP_BOOL },
228 { "INPCK", 32, TTY_OP_BOOL },
229 { "ISTRIP", 33, TTY_OP_BOOL },
230 { "INLCR", 34, TTY_OP_BOOL },
231 { "IGNCR", 35, TTY_OP_BOOL },
232 { "ICRNL", 36, TTY_OP_BOOL },
233 { "IUCLC", 37, TTY_OP_BOOL },
234 { "IXON", 38, TTY_OP_BOOL },
235 { "IXANY", 39, TTY_OP_BOOL },
236 { "IXOFF", 40, TTY_OP_BOOL },
237 { "IMAXBEL", 41, TTY_OP_BOOL },
238 { "ISIG", 50, TTY_OP_BOOL },
239 { "ICANON", 51, TTY_OP_BOOL },
240 { "XCASE", 52, TTY_OP_BOOL },
241 { "ECHO", 53, TTY_OP_BOOL },
242 { "ECHOE", 54, TTY_OP_BOOL },
243 { "ECHOK", 55, TTY_OP_BOOL },
244 { "ECHONL", 56, TTY_OP_BOOL },
245 { "NOFLSH", 57, TTY_OP_BOOL },
246 { "TOSTOP", 58, TTY_OP_BOOL },
247 { "IEXTEN", 59, TTY_OP_BOOL },
248 { "ECHOCTL", 60, TTY_OP_BOOL },
249 { "ECHOKE", 61, TTY_OP_BOOL },
250 { "PENDIN", 62, TTY_OP_BOOL }, /* XXX is this a real mode? */
251 { "OPOST", 70, TTY_OP_BOOL },
252 { "OLCUC", 71, TTY_OP_BOOL },
253 { "ONLCR", 72, TTY_OP_BOOL },
254 { "OCRNL", 73, TTY_OP_BOOL },
255 { "ONOCR", 74, TTY_OP_BOOL },
256 { "ONLRET", 75, TTY_OP_BOOL },
257 { "CS7", 90, TTY_OP_BOOL },
258 { "CS8", 91, TTY_OP_BOOL },
259 { "PARENB", 92, TTY_OP_BOOL },
260 { "PARODD", 93, TTY_OP_BOOL }
261 };
262
263 /* Miscellaneous other tty-related constants. */
264 #define SSH_TTY_OP_END 0
265 /* The opcodes for ISPEED/OSPEED differ between SSH-1 and SSH-2. */
266 #define SSH1_TTY_OP_ISPEED 192
267 #define SSH1_TTY_OP_OSPEED 193
268 #define SSH2_TTY_OP_ISPEED 128
269 #define SSH2_TTY_OP_OSPEED 129
270
271 /* Helper functions for parsing tty-related config. */
272 static unsigned int ssh_tty_parse_specchar(char *s)
273 {
274 unsigned int ret;
275 if (*s) {
276 char *next = NULL;
277 ret = ctrlparse(s, &next);
278 if (!next) ret = s[0];
279 } else {
280 ret = 255; /* special value meaning "don't set" */
281 }
282 return ret;
283 }
284 static unsigned int ssh_tty_parse_boolean(char *s)
285 {
286 if (stricmp(s, "yes") == 0 ||
287 stricmp(s, "on") == 0 ||
288 stricmp(s, "true") == 0 ||
289 stricmp(s, "+") == 0)
290 return 1; /* true */
291 else if (stricmp(s, "no") == 0 ||
292 stricmp(s, "off") == 0 ||
293 stricmp(s, "false") == 0 ||
294 stricmp(s, "-") == 0)
295 return 0; /* false */
296 else
297 return (atoi(s) != 0);
298 }
299
300 #define translate(x) if (type == x) return #x
301 #define translatek(x,ctx) if (type == x && (pkt_kctx == ctx)) return #x
302 #define translatea(x,ctx) if (type == x && (pkt_actx == ctx)) return #x
303 static char *ssh1_pkt_type(int type)
304 {
305 translate(SSH1_MSG_DISCONNECT);
306 translate(SSH1_SMSG_PUBLIC_KEY);
307 translate(SSH1_CMSG_SESSION_KEY);
308 translate(SSH1_CMSG_USER);
309 translate(SSH1_CMSG_AUTH_RSA);
310 translate(SSH1_SMSG_AUTH_RSA_CHALLENGE);
311 translate(SSH1_CMSG_AUTH_RSA_RESPONSE);
312 translate(SSH1_CMSG_AUTH_PASSWORD);
313 translate(SSH1_CMSG_REQUEST_PTY);
314 translate(SSH1_CMSG_WINDOW_SIZE);
315 translate(SSH1_CMSG_EXEC_SHELL);
316 translate(SSH1_CMSG_EXEC_CMD);
317 translate(SSH1_SMSG_SUCCESS);
318 translate(SSH1_SMSG_FAILURE);
319 translate(SSH1_CMSG_STDIN_DATA);
320 translate(SSH1_SMSG_STDOUT_DATA);
321 translate(SSH1_SMSG_STDERR_DATA);
322 translate(SSH1_CMSG_EOF);
323 translate(SSH1_SMSG_EXIT_STATUS);
324 translate(SSH1_MSG_CHANNEL_OPEN_CONFIRMATION);
325 translate(SSH1_MSG_CHANNEL_OPEN_FAILURE);
326 translate(SSH1_MSG_CHANNEL_DATA);
327 translate(SSH1_MSG_CHANNEL_CLOSE);
328 translate(SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION);
329 translate(SSH1_SMSG_X11_OPEN);
330 translate(SSH1_CMSG_PORT_FORWARD_REQUEST);
331 translate(SSH1_MSG_PORT_OPEN);
332 translate(SSH1_CMSG_AGENT_REQUEST_FORWARDING);
333 translate(SSH1_SMSG_AGENT_OPEN);
334 translate(SSH1_MSG_IGNORE);
335 translate(SSH1_CMSG_EXIT_CONFIRMATION);
336 translate(SSH1_CMSG_X11_REQUEST_FORWARDING);
337 translate(SSH1_CMSG_AUTH_RHOSTS_RSA);
338 translate(SSH1_MSG_DEBUG);
339 translate(SSH1_CMSG_REQUEST_COMPRESSION);
340 translate(SSH1_CMSG_AUTH_TIS);
341 translate(SSH1_SMSG_AUTH_TIS_CHALLENGE);
342 translate(SSH1_CMSG_AUTH_TIS_RESPONSE);
343 translate(SSH1_CMSG_AUTH_CCARD);
344 translate(SSH1_SMSG_AUTH_CCARD_CHALLENGE);
345 translate(SSH1_CMSG_AUTH_CCARD_RESPONSE);
346 return "unknown";
347 }
348 static char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type)
349 {
350 translatea(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE,SSH2_PKTCTX_GSSAPI);
351 translatea(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,SSH2_PKTCTX_GSSAPI);
352 translatea(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,SSH2_PKTCTX_GSSAPI);
353 translatea(SSH2_MSG_USERAUTH_GSSAPI_ERROR,SSH2_PKTCTX_GSSAPI);
354 translatea(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK,SSH2_PKTCTX_GSSAPI);
355 translatea(SSH2_MSG_USERAUTH_GSSAPI_MIC, SSH2_PKTCTX_GSSAPI);
356 translate(SSH2_MSG_DISCONNECT);
357 translate(SSH2_MSG_IGNORE);
358 translate(SSH2_MSG_UNIMPLEMENTED);
359 translate(SSH2_MSG_DEBUG);
360 translate(SSH2_MSG_SERVICE_REQUEST);
361 translate(SSH2_MSG_SERVICE_ACCEPT);
362 translate(SSH2_MSG_KEXINIT);
363 translate(SSH2_MSG_NEWKEYS);
364 translatek(SSH2_MSG_KEXDH_INIT, SSH2_PKTCTX_DHGROUP);
365 translatek(SSH2_MSG_KEXDH_REPLY, SSH2_PKTCTX_DHGROUP);
366 translatek(SSH2_MSG_KEX_DH_GEX_REQUEST, SSH2_PKTCTX_DHGEX);
367 translatek(SSH2_MSG_KEX_DH_GEX_GROUP, SSH2_PKTCTX_DHGEX);
368 translatek(SSH2_MSG_KEX_DH_GEX_INIT, SSH2_PKTCTX_DHGEX);
369 translatek(SSH2_MSG_KEX_DH_GEX_REPLY, SSH2_PKTCTX_DHGEX);
370 translatek(SSH2_MSG_KEXRSA_PUBKEY, SSH2_PKTCTX_RSAKEX);
371 translatek(SSH2_MSG_KEXRSA_SECRET, SSH2_PKTCTX_RSAKEX);
372 translatek(SSH2_MSG_KEXRSA_DONE, SSH2_PKTCTX_RSAKEX);
373 translate(SSH2_MSG_USERAUTH_REQUEST);
374 translate(SSH2_MSG_USERAUTH_FAILURE);
375 translate(SSH2_MSG_USERAUTH_SUCCESS);
376 translate(SSH2_MSG_USERAUTH_BANNER);
377 translatea(SSH2_MSG_USERAUTH_PK_OK, SSH2_PKTCTX_PUBLICKEY);
378 translatea(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, SSH2_PKTCTX_PASSWORD);
379 translatea(SSH2_MSG_USERAUTH_INFO_REQUEST, SSH2_PKTCTX_KBDINTER);
380 translatea(SSH2_MSG_USERAUTH_INFO_RESPONSE, SSH2_PKTCTX_KBDINTER);
381 translate(SSH2_MSG_GLOBAL_REQUEST);
382 translate(SSH2_MSG_REQUEST_SUCCESS);
383 translate(SSH2_MSG_REQUEST_FAILURE);
384 translate(SSH2_MSG_CHANNEL_OPEN);
385 translate(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
386 translate(SSH2_MSG_CHANNEL_OPEN_FAILURE);
387 translate(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
388 translate(SSH2_MSG_CHANNEL_DATA);
389 translate(SSH2_MSG_CHANNEL_EXTENDED_DATA);
390 translate(SSH2_MSG_CHANNEL_EOF);
391 translate(SSH2_MSG_CHANNEL_CLOSE);
392 translate(SSH2_MSG_CHANNEL_REQUEST);
393 translate(SSH2_MSG_CHANNEL_SUCCESS);
394 translate(SSH2_MSG_CHANNEL_FAILURE);
395 return "unknown";
396 }
397 #undef translate
398 #undef translatec
399
400 /* Enumeration values for fields in SSH-1 packets */
401 enum {
402 PKT_END, PKT_INT, PKT_CHAR, PKT_DATA, PKT_STR, PKT_BIGNUM,
403 /* These values are for communicating relevant semantics of
404 * fields to the packet logging code. */
405 PKTT_OTHER, PKTT_PASSWORD, PKTT_DATA
406 };
407
408 /*
409 * Coroutine mechanics for the sillier bits of the code. If these
410 * macros look impenetrable to you, you might find it helpful to
411 * read
412 *
413 * http://www.chiark.greenend.org.uk/~sgtatham/coroutines.html
414 *
415 * which explains the theory behind these macros.
416 *
417 * In particular, if you are getting `case expression not constant'
418 * errors when building with MS Visual Studio, this is because MS's
419 * Edit and Continue debugging feature causes their compiler to
420 * violate ANSI C. To disable Edit and Continue debugging:
421 *
422 * - right-click ssh.c in the FileView
423 * - click Settings
424 * - select the C/C++ tab and the General category
425 * - under `Debug info:', select anything _other_ than `Program
426 * Database for Edit and Continue'.
427 */
428 #define crBegin(v) { int *crLine = &v; switch(v) { case 0:;
429 #define crState(t) \
430 struct t *s; \
431 if (!ssh->t) ssh->t = snew(struct t); \
432 s = ssh->t;
433 #define crFinish(z) } *crLine = 0; return (z); }
434 #define crFinishV } *crLine = 0; return; }
435 #define crReturn(z) \
436 do {\
437 *crLine =__LINE__; return (z); case __LINE__:;\
438 } while (0)
439 #define crReturnV \
440 do {\
441 *crLine=__LINE__; return; case __LINE__:;\
442 } while (0)
443 #define crStop(z) do{ *crLine = 0; return (z); }while(0)
444 #define crStopV do{ *crLine = 0; return; }while(0)
445 #define crWaitUntil(c) do { crReturn(0); } while (!(c))
446 #define crWaitUntilV(c) do { crReturnV; } while (!(c))
447
448 typedef struct ssh_tag *Ssh;
449 struct Packet;
450
451 static struct Packet *ssh1_pkt_init(int pkt_type);
452 static struct Packet *ssh2_pkt_init(int pkt_type);
453 static void ssh_pkt_ensure(struct Packet *, int length);
454 static void ssh_pkt_adddata(struct Packet *, void *data, int len);
455 static void ssh_pkt_addbyte(struct Packet *, unsigned char value);
456 static void ssh2_pkt_addbool(struct Packet *, unsigned char value);
457 static void ssh_pkt_adduint32(struct Packet *, unsigned long value);
458 static void ssh_pkt_addstring_start(struct Packet *);
459 static void ssh_pkt_addstring_str(struct Packet *, char *data);
460 static void ssh_pkt_addstring_data(struct Packet *, char *data, int len);
461 static void ssh_pkt_addstring(struct Packet *, char *data);
462 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len);
463 static void ssh1_pkt_addmp(struct Packet *, Bignum b);
464 static void ssh2_pkt_addmp(struct Packet *, Bignum b);
465 static int ssh2_pkt_construct(Ssh, struct Packet *);
466 static void ssh2_pkt_send(Ssh, struct Packet *);
467 static void ssh2_pkt_send_noqueue(Ssh, struct Packet *);
468 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
469 struct Packet *pktin);
470 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
471 struct Packet *pktin);
472
473 /*
474 * Buffer management constants. There are several of these for
475 * various different purposes:
476 *
477 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
478 * on a local data stream before we throttle the whole SSH
479 * connection (in SSH-1 only). Throttling the whole connection is
480 * pretty drastic so we set this high in the hope it won't
481 * happen very often.
482 *
483 * - SSH_MAX_BACKLOG is the amount of backlog that must build up
484 * on the SSH connection itself before we defensively throttle
485 * _all_ local data streams. This is pretty drastic too (though
486 * thankfully unlikely in SSH-2 since the window mechanism should
487 * ensure that the server never has any need to throttle its end
488 * of the connection), so we set this high as well.
489 *
490 * - OUR_V2_WINSIZE is the maximum window size we present on SSH-2
491 * channels.
492 *
493 * - OUR_V2_BIGWIN is the window size we advertise for the only
494 * channel in a simple connection. It must be <= INT_MAX.
495 *
496 * - OUR_V2_MAXPKT is the official "maximum packet size" we send
497 * to the remote side. This actually has nothing to do with the
498 * size of the _packet_, but is instead a limit on the amount
499 * of data we're willing to receive in a single SSH2 channel
500 * data message.
501 *
502 * - OUR_V2_PACKETLIMIT is actually the maximum size of SSH
503 * _packet_ we're prepared to cope with. It must be a multiple
504 * of the cipher block size, and must be at least 35000.
505 */
506
507 #define SSH1_BUFFER_LIMIT 32768
508 #define SSH_MAX_BACKLOG 32768
509 #define OUR_V2_WINSIZE 16384
510 #define OUR_V2_BIGWIN 0x7fffffff
511 #define OUR_V2_MAXPKT 0x4000UL
512 #define OUR_V2_PACKETLIMIT 0x9000UL
513
514 /* Maximum length of passwords/passphrases (arbitrary) */
515 #define SSH_MAX_PASSWORD_LEN 100
516
517 const static struct ssh_signkey *hostkey_algs[] = { &ssh_rsa, &ssh_dss };
518
519 const static struct ssh_mac *macs[] = {
520 &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
521 };
522 const static struct ssh_mac *buggymacs[] = {
523 &ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
524 };
525
526 static void *ssh_comp_none_init(void)
527 {
528 return NULL;
529 }
530 static void ssh_comp_none_cleanup(void *handle)
531 {
532 }
533 static int ssh_comp_none_block(void *handle, unsigned char *block, int len,
534 unsigned char **outblock, int *outlen)
535 {
536 return 0;
537 }
538 static int ssh_comp_none_disable(void *handle)
539 {
540 return 0;
541 }
542 const static struct ssh_compress ssh_comp_none = {
543 "none",
544 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
545 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
546 ssh_comp_none_disable, NULL
547 };
548 extern const struct ssh_compress ssh_zlib;
549 const static struct ssh_compress *compressions[] = {
550 &ssh_zlib, &ssh_comp_none
551 };
552
553 enum { /* channel types */
554 CHAN_MAINSESSION,
555 CHAN_X11,
556 CHAN_AGENT,
557 CHAN_SOCKDATA,
558 CHAN_SOCKDATA_DORMANT /* one the remote hasn't confirmed */
559 };
560
561 /*
562 * little structure to keep track of outstanding WINDOW_ADJUSTs
563 */
564 struct winadj {
565 struct winadj *next;
566 unsigned size;
567 };
568
569 /*
570 * 2-3-4 tree storing channels.
571 */
572 struct ssh_channel {
573 Ssh ssh; /* pointer back to main context */
574 unsigned remoteid, localid;
575 int type;
576 /* True if we opened this channel but server hasn't confirmed. */
577 int halfopen;
578 /*
579 * In SSH-1, this value contains four bits:
580 *
581 * 1 We have sent SSH1_MSG_CHANNEL_CLOSE.
582 * 2 We have sent SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
583 * 4 We have received SSH1_MSG_CHANNEL_CLOSE.
584 * 8 We have received SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
585 *
586 * A channel is completely finished with when all four bits are set.
587 */
588 int closes;
589 /*
590 * True if this channel is causing the underlying connection to be
591 * throttled.
592 */
593 int throttling_conn;
594 union {
595 struct ssh2_data_channel {
596 bufchain outbuffer;
597 unsigned remwindow, remmaxpkt;
598 /* locwindow is signed so we can cope with excess data. */
599 int locwindow, locmaxwin;
600 /*
601 * remlocwin is the amount of local window that we think
602 * the remote end had available to it after it sent the
603 * last data packet or window adjust ack.
604 */
605 int remlocwin;
606 /*
607 * These store the list of window adjusts that haven't
608 * been acked.
609 */
610 struct winadj *winadj_head, *winadj_tail;
611 enum { THROTTLED, UNTHROTTLING, UNTHROTTLED } throttle_state;
612 } v2;
613 } v;
614 union {
615 struct ssh_agent_channel {
616 unsigned char *message;
617 unsigned char msglen[4];
618 unsigned lensofar, totallen;
619 } a;
620 struct ssh_x11_channel {
621 Socket s;
622 } x11;
623 struct ssh_pfd_channel {
624 Socket s;
625 } pfd;
626 } u;
627 };
628
629 /*
630 * 2-3-4 tree storing remote->local port forwardings. SSH-1 and SSH-2
631 * use this structure in different ways, reflecting SSH-2's
632 * altogether saner approach to port forwarding.
633 *
634 * In SSH-1, you arrange a remote forwarding by sending the server
635 * the remote port number, and the local destination host:port.
636 * When a connection comes in, the server sends you back that
637 * host:port pair, and you connect to it. This is a ready-made
638 * security hole if you're not on the ball: a malicious server
639 * could send you back _any_ host:port pair, so if you trustingly
640 * connect to the address it gives you then you've just opened the
641 * entire inside of your corporate network just by connecting
642 * through it to a dodgy SSH server. Hence, we must store a list of
643 * host:port pairs we _are_ trying to forward to, and reject a
644 * connection request from the server if it's not in the list.
645 *
646 * In SSH-2, each side of the connection minds its own business and
647 * doesn't send unnecessary information to the other. You arrange a
648 * remote forwarding by sending the server just the remote port
649 * number. When a connection comes in, the server tells you which
650 * of its ports was connected to; and _you_ have to remember what
651 * local host:port pair went with that port number.
652 *
653 * Hence, in SSH-1 this structure is indexed by destination
654 * host:port pair, whereas in SSH-2 it is indexed by source port.
655 */
656 struct ssh_portfwd; /* forward declaration */
657
658 struct ssh_rportfwd {
659 unsigned sport, dport;
660 char dhost[256];
661 char *sportdesc;
662 struct ssh_portfwd *pfrec;
663 };
664 #define free_rportfwd(pf) ( \
665 ((pf) ? (sfree((pf)->sportdesc)) : (void)0 ), sfree(pf) )
666
667 /*
668 * Separately to the rportfwd tree (which is for looking up port
669 * open requests from the server), a tree of _these_ structures is
670 * used to keep track of all the currently open port forwardings,
671 * so that we can reconfigure in mid-session if the user requests
672 * it.
673 */
674 struct ssh_portfwd {
675 enum { DESTROY, KEEP, CREATE } status;
676 int type;
677 unsigned sport, dport;
678 char *saddr, *daddr;
679 char *sserv, *dserv;
680 struct ssh_rportfwd *remote;
681 int addressfamily;
682 void *local;
683 };
684 #define free_portfwd(pf) ( \
685 ((pf) ? (sfree((pf)->saddr), sfree((pf)->daddr), \
686 sfree((pf)->sserv), sfree((pf)->dserv)) : (void)0 ), sfree(pf) )
687
688 struct Packet {
689 long length; /* length of `data' actually used */
690 long forcepad; /* SSH-2: force padding to at least this length */
691 int type; /* only used for incoming packets */
692 unsigned long sequence; /* SSH-2 incoming sequence number */
693 unsigned char *data; /* allocated storage */
694 unsigned char *body; /* offset of payload within `data' */
695 long savedpos; /* temporary index into `data' (for strings) */
696 long maxlen; /* amount of storage allocated for `data' */
697 long encrypted_len; /* for SSH-2 total-size counting */
698
699 /*
700 * State associated with packet logging
701 */
702 int logmode;
703 int nblanks;
704 struct logblank_t *blanks;
705 };
706
707 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
708 struct Packet *pktin);
709 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
710 struct Packet *pktin);
711 static void ssh1_protocol_setup(Ssh ssh);
712 static void ssh2_protocol_setup(Ssh ssh);
713 static void ssh_size(void *handle, int width, int height);
714 static void ssh_special(void *handle, Telnet_Special);
715 static int ssh2_try_send(struct ssh_channel *c);
716 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf, int len);
717 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize);
718 static void ssh2_set_window(struct ssh_channel *c, int newwin);
719 static int ssh_sendbuffer(void *handle);
720 static int ssh_do_close(Ssh ssh, int notify_exit);
721 static unsigned long ssh_pkt_getuint32(struct Packet *pkt);
722 static int ssh2_pkt_getbool(struct Packet *pkt);
723 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length);
724 static void ssh2_timer(void *ctx, long now);
725 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
726 struct Packet *pktin);
727
728 struct rdpkt1_state_tag {
729 long len, pad, biglen, to_read;
730 unsigned long realcrc, gotcrc;
731 unsigned char *p;
732 int i;
733 int chunk;
734 struct Packet *pktin;
735 };
736
737 struct rdpkt2_state_tag {
738 long len, pad, payload, packetlen, maclen;
739 int i;
740 int cipherblk;
741 unsigned long incoming_sequence;
742 struct Packet *pktin;
743 };
744
745 typedef void (*handler_fn_t)(Ssh ssh, struct Packet *pktin);
746 typedef void (*chandler_fn_t)(Ssh ssh, struct Packet *pktin, void *ctx);
747
748 struct queued_handler;
749 struct queued_handler {
750 int msg1, msg2;
751 chandler_fn_t handler;
752 void *ctx;
753 struct queued_handler *next;
754 };
755
756 struct ssh_tag {
757 const struct plug_function_table *fn;
758 /* the above field _must_ be first in the structure */
759
760 char *v_c, *v_s;
761 void *exhash;
762
763 Socket s;
764
765 void *ldisc;
766 void *logctx;
767
768 unsigned char session_key[32];
769 int v1_compressing;
770 int v1_remote_protoflags;
771 int v1_local_protoflags;
772 int agentfwd_enabled;
773 int X11_fwd_enabled;
774 int remote_bugs;
775 const struct ssh_cipher *cipher;
776 void *v1_cipher_ctx;
777 void *crcda_ctx;
778 const struct ssh2_cipher *cscipher, *sccipher;
779 void *cs_cipher_ctx, *sc_cipher_ctx;
780 const struct ssh_mac *csmac, *scmac;
781 void *cs_mac_ctx, *sc_mac_ctx;
782 const struct ssh_compress *cscomp, *sccomp;
783 void *cs_comp_ctx, *sc_comp_ctx;
784 const struct ssh_kex *kex;
785 const struct ssh_signkey *hostkey;
786 unsigned char v2_session_id[SSH2_KEX_MAX_HASH_LEN];
787 int v2_session_id_len;
788 void *kex_ctx;
789
790 char *savedhost;
791 int savedport;
792 int send_ok;
793 int echoing, editing;
794
795 void *frontend;
796
797 int ospeed, ispeed; /* temporaries */
798 int term_width, term_height;
799
800 tree234 *channels; /* indexed by local id */
801 struct ssh_channel *mainchan; /* primary session channel */
802 int ncmode; /* is primary channel direct-tcpip? */
803 int exitcode;
804 int close_expected;
805 int clean_exit;
806
807 tree234 *rportfwds, *portfwds;
808
809 enum {
810 SSH_STATE_PREPACKET,
811 SSH_STATE_BEFORE_SIZE,
812 SSH_STATE_INTERMED,
813 SSH_STATE_SESSION,
814 SSH_STATE_CLOSED
815 } state;
816
817 int size_needed, eof_needed;
818
819 struct Packet **queue;
820 int queuelen, queuesize;
821 int queueing;
822 unsigned char *deferred_send_data;
823 int deferred_len, deferred_size;
824
825 /*
826 * Gross hack: pscp will try to start SFTP but fall back to
827 * scp1 if that fails. This variable is the means by which
828 * scp.c can reach into the SSH code and find out which one it
829 * got.
830 */
831 int fallback_cmd;
832
833 bufchain banner; /* accumulates banners during do_ssh2_authconn */
834
835 Pkt_KCtx pkt_kctx;
836 Pkt_ACtx pkt_actx;
837
838 struct X11Display *x11disp;
839
840 int version;
841 int conn_throttle_count;
842 int overall_bufsize;
843 int throttled_all;
844 int v1_stdout_throttling;
845 unsigned long v2_outgoing_sequence;
846
847 int ssh1_rdpkt_crstate;
848 int ssh2_rdpkt_crstate;
849 int do_ssh_init_crstate;
850 int ssh_gotdata_crstate;
851 int do_ssh1_login_crstate;
852 int do_ssh1_connection_crstate;
853 int do_ssh2_transport_crstate;
854 int do_ssh2_authconn_crstate;
855
856 void *do_ssh_init_state;
857 void *do_ssh1_login_state;
858 void *do_ssh2_transport_state;
859 void *do_ssh2_authconn_state;
860
861 struct rdpkt1_state_tag rdpkt1_state;
862 struct rdpkt2_state_tag rdpkt2_state;
863
864 /* SSH-1 and SSH-2 use this for different things, but both use it */
865 int protocol_initial_phase_done;
866
867 void (*protocol) (Ssh ssh, void *vin, int inlen,
868 struct Packet *pkt);
869 struct Packet *(*s_rdpkt) (Ssh ssh, unsigned char **data, int *datalen);
870
871 /*
872 * We maintain a full _copy_ of a Config structure here, not
873 * merely a pointer to it. That way, when we're passed a new
874 * one for reconfiguration, we can check the differences and
875 * potentially reconfigure port forwardings etc in mid-session.
876 */
877 Config cfg;
878
879 /*
880 * Used to transfer data back from async callbacks.
881 */
882 void *agent_response;
883 int agent_response_len;
884 int user_response;
885
886 /*
887 * The SSH connection can be set as `frozen', meaning we are
888 * not currently accepting incoming data from the network. This
889 * is slightly more serious than setting the _socket_ as
890 * frozen, because we may already have had data passed to us
891 * from the network which we need to delay processing until
892 * after the freeze is lifted, so we also need a bufchain to
893 * store that data.
894 */
895 int frozen;
896 bufchain queued_incoming_data;
897
898 /*
899 * Dispatch table for packet types that we may have to deal
900 * with at any time.
901 */
902 handler_fn_t packet_dispatch[256];
903
904 /*
905 * Queues of one-off handler functions for success/failure
906 * indications from a request.
907 */
908 struct queued_handler *qhead, *qtail;
909
910 /*
911 * This module deals with sending keepalives.
912 */
913 Pinger pinger;
914
915 /*
916 * Track incoming and outgoing data sizes and time, for
917 * size-based rekeys.
918 */
919 unsigned long incoming_data_size, outgoing_data_size, deferred_data_size;
920 unsigned long max_data_size;
921 int kex_in_progress;
922 long next_rekey, last_rekey;
923 char *deferred_rekey_reason; /* points to STATIC string; don't free */
924
925 /*
926 * Fully qualified host name, which we need if doing GSSAPI.
927 */
928 char *fullhostname;
929 };
930
931 #define logevent(s) logevent(ssh->frontend, s)
932
933 /* logevent, only printf-formatted. */
934 static void logeventf(Ssh ssh, const char *fmt, ...)
935 {
936 va_list ap;
937 char *buf;
938
939 va_start(ap, fmt);
940 buf = dupvprintf(fmt, ap);
941 va_end(ap);
942 logevent(buf);
943 sfree(buf);
944 }
945
946 #define bombout(msg) \
947 do { \
948 char *text = dupprintf msg; \
949 ssh_do_close(ssh, FALSE); \
950 logevent(text); \
951 connection_fatal(ssh->frontend, "%s", text); \
952 sfree(text); \
953 } while (0)
954
955 /* Functions to leave bits out of the SSH packet log file. */
956
957 static void dont_log_password(Ssh ssh, struct Packet *pkt, int blanktype)
958 {
959 if (ssh->cfg.logomitpass)
960 pkt->logmode = blanktype;
961 }
962
963 static void dont_log_data(Ssh ssh, struct Packet *pkt, int blanktype)
964 {
965 if (ssh->cfg.logomitdata)
966 pkt->logmode = blanktype;
967 }
968
969 static void end_log_omission(Ssh ssh, struct Packet *pkt)
970 {
971 pkt->logmode = PKTLOG_EMIT;
972 }
973
974 /* Helper function for common bits of parsing cfg.ttymodes. */
975 static void parse_ttymodes(Ssh ssh, char *modes,
976 void (*do_mode)(void *data, char *mode, char *val),
977 void *data)
978 {
979 while (*modes) {
980 char *t = strchr(modes, '\t');
981 char *m = snewn(t-modes+1, char);
982 char *val;
983 strncpy(m, modes, t-modes);
984 m[t-modes] = '\0';
985 if (*(t+1) == 'A')
986 val = get_ttymode(ssh->frontend, m);
987 else
988 val = dupstr(t+2);
989 if (val)
990 do_mode(data, m, val);
991 sfree(m);
992 sfree(val);
993 modes += strlen(modes) + 1;
994 }
995 }
996
997 static int ssh_channelcmp(void *av, void *bv)
998 {
999 struct ssh_channel *a = (struct ssh_channel *) av;
1000 struct ssh_channel *b = (struct ssh_channel *) bv;
1001 if (a->localid < b->localid)
1002 return -1;
1003 if (a->localid > b->localid)
1004 return +1;
1005 return 0;
1006 }
1007 static int ssh_channelfind(void *av, void *bv)
1008 {
1009 unsigned *a = (unsigned *) av;
1010 struct ssh_channel *b = (struct ssh_channel *) bv;
1011 if (*a < b->localid)
1012 return -1;
1013 if (*a > b->localid)
1014 return +1;
1015 return 0;
1016 }
1017
1018 static int ssh_rportcmp_ssh1(void *av, void *bv)
1019 {
1020 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
1021 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
1022 int i;
1023 if ( (i = strcmp(a->dhost, b->dhost)) != 0)
1024 return i < 0 ? -1 : +1;
1025 if (a->dport > b->dport)
1026 return +1;
1027 if (a->dport < b->dport)
1028 return -1;
1029 return 0;
1030 }
1031
1032 static int ssh_rportcmp_ssh2(void *av, void *bv)
1033 {
1034 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
1035 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
1036
1037 if (a->sport > b->sport)
1038 return +1;
1039 if (a->sport < b->sport)
1040 return -1;
1041 return 0;
1042 }
1043
1044 /*
1045 * Special form of strcmp which can cope with NULL inputs. NULL is
1046 * defined to sort before even the empty string.
1047 */
1048 static int nullstrcmp(const char *a, const char *b)
1049 {
1050 if (a == NULL && b == NULL)
1051 return 0;
1052 if (a == NULL)
1053 return -1;
1054 if (b == NULL)
1055 return +1;
1056 return strcmp(a, b);
1057 }
1058
1059 static int ssh_portcmp(void *av, void *bv)
1060 {
1061 struct ssh_portfwd *a = (struct ssh_portfwd *) av;
1062 struct ssh_portfwd *b = (struct ssh_portfwd *) bv;
1063 int i;
1064 if (a->type > b->type)
1065 return +1;
1066 if (a->type < b->type)
1067 return -1;
1068 if (a->addressfamily > b->addressfamily)
1069 return +1;
1070 if (a->addressfamily < b->addressfamily)
1071 return -1;
1072 if ( (i = nullstrcmp(a->saddr, b->saddr)) != 0)
1073 return i < 0 ? -1 : +1;
1074 if (a->sport > b->sport)
1075 return +1;
1076 if (a->sport < b->sport)
1077 return -1;
1078 if (a->type != 'D') {
1079 if ( (i = nullstrcmp(a->daddr, b->daddr)) != 0)
1080 return i < 0 ? -1 : +1;
1081 if (a->dport > b->dport)
1082 return +1;
1083 if (a->dport < b->dport)
1084 return -1;
1085 }
1086 return 0;
1087 }
1088
1089 static int alloc_channel_id(Ssh ssh)
1090 {
1091 const unsigned CHANNEL_NUMBER_OFFSET = 256;
1092 unsigned low, high, mid;
1093 int tsize;
1094 struct ssh_channel *c;
1095
1096 /*
1097 * First-fit allocation of channel numbers: always pick the
1098 * lowest unused one. To do this, binary-search using the
1099 * counted B-tree to find the largest channel ID which is in a
1100 * contiguous sequence from the beginning. (Precisely
1101 * everything in that sequence must have ID equal to its tree
1102 * index plus CHANNEL_NUMBER_OFFSET.)
1103 */
1104 tsize = count234(ssh->channels);
1105
1106 low = -1;
1107 high = tsize;
1108 while (high - low > 1) {
1109 mid = (high + low) / 2;
1110 c = index234(ssh->channels, mid);
1111 if (c->localid == mid + CHANNEL_NUMBER_OFFSET)
1112 low = mid; /* this one is fine */
1113 else
1114 high = mid; /* this one is past it */
1115 }
1116 /*
1117 * Now low points to either -1, or the tree index of the
1118 * largest ID in the initial sequence.
1119 */
1120 {
1121 unsigned i = low + 1 + CHANNEL_NUMBER_OFFSET;
1122 assert(NULL == find234(ssh->channels, &i, ssh_channelfind));
1123 }
1124 return low + 1 + CHANNEL_NUMBER_OFFSET;
1125 }
1126
1127 static void c_write_stderr(int trusted, const char *buf, int len)
1128 {
1129 int i;
1130 for (i = 0; i < len; i++)
1131 if (buf[i] != '\r' && (trusted || buf[i] == '\n' || (buf[i] & 0x60)))
1132 fputc(buf[i], stderr);
1133 }
1134
1135 static void c_write(Ssh ssh, const char *buf, int len)
1136 {
1137 if (flags & FLAG_STDERR)
1138 c_write_stderr(1, buf, len);
1139 else
1140 from_backend(ssh->frontend, 1, buf, len);
1141 }
1142
1143 static void c_write_untrusted(Ssh ssh, const char *buf, int len)
1144 {
1145 if (flags & FLAG_STDERR)
1146 c_write_stderr(0, buf, len);
1147 else
1148 from_backend_untrusted(ssh->frontend, buf, len);
1149 }
1150
1151 static void c_write_str(Ssh ssh, const char *buf)
1152 {
1153 c_write(ssh, buf, strlen(buf));
1154 }
1155
1156 static void ssh_free_packet(struct Packet *pkt)
1157 {
1158 sfree(pkt->data);
1159 sfree(pkt);
1160 }
1161 static struct Packet *ssh_new_packet(void)
1162 {
1163 struct Packet *pkt = snew(struct Packet);
1164
1165 pkt->body = pkt->data = NULL;
1166 pkt->maxlen = 0;
1167 pkt->logmode = PKTLOG_EMIT;
1168 pkt->nblanks = 0;
1169 pkt->blanks = NULL;
1170
1171 return pkt;
1172 }
1173
1174 /*
1175 * Collect incoming data in the incoming packet buffer.
1176 * Decipher and verify the packet when it is completely read.
1177 * Drop SSH1_MSG_DEBUG and SSH1_MSG_IGNORE packets.
1178 * Update the *data and *datalen variables.
1179 * Return a Packet structure when a packet is completed.
1180 */
1181 static struct Packet *ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1182 {
1183 struct rdpkt1_state_tag *st = &ssh->rdpkt1_state;
1184
1185 crBegin(ssh->ssh1_rdpkt_crstate);
1186
1187 st->pktin = ssh_new_packet();
1188
1189 st->pktin->type = 0;
1190 st->pktin->length = 0;
1191
1192 for (st->i = st->len = 0; st->i < 4; st->i++) {
1193 while ((*datalen) == 0)
1194 crReturn(NULL);
1195 st->len = (st->len << 8) + **data;
1196 (*data)++, (*datalen)--;
1197 }
1198
1199 st->pad = 8 - (st->len % 8);
1200 st->biglen = st->len + st->pad;
1201 st->pktin->length = st->len - 5;
1202
1203 if (st->biglen < 0) {
1204 bombout(("Extremely large packet length from server suggests"
1205 " data stream corruption"));
1206 ssh_free_packet(st->pktin);
1207 crStop(NULL);
1208 }
1209
1210 st->pktin->maxlen = st->biglen;
1211 st->pktin->data = snewn(st->biglen + APIEXTRA, unsigned char);
1212
1213 st->to_read = st->biglen;
1214 st->p = st->pktin->data;
1215 while (st->to_read > 0) {
1216 st->chunk = st->to_read;
1217 while ((*datalen) == 0)
1218 crReturn(NULL);
1219 if (st->chunk > (*datalen))
1220 st->chunk = (*datalen);
1221 memcpy(st->p, *data, st->chunk);
1222 *data += st->chunk;
1223 *datalen -= st->chunk;
1224 st->p += st->chunk;
1225 st->to_read -= st->chunk;
1226 }
1227
1228 if (ssh->cipher && detect_attack(ssh->crcda_ctx, st->pktin->data,
1229 st->biglen, NULL)) {
1230 bombout(("Network attack (CRC compensation) detected!"));
1231 ssh_free_packet(st->pktin);
1232 crStop(NULL);
1233 }
1234
1235 if (ssh->cipher)
1236 ssh->cipher->decrypt(ssh->v1_cipher_ctx, st->pktin->data, st->biglen);
1237
1238 st->realcrc = crc32_compute(st->pktin->data, st->biglen - 4);
1239 st->gotcrc = GET_32BIT(st->pktin->data + st->biglen - 4);
1240 if (st->gotcrc != st->realcrc) {
1241 bombout(("Incorrect CRC received on packet"));
1242 ssh_free_packet(st->pktin);
1243 crStop(NULL);
1244 }
1245
1246 st->pktin->body = st->pktin->data + st->pad + 1;
1247 st->pktin->savedpos = 0;
1248
1249 if (ssh->v1_compressing) {
1250 unsigned char *decompblk;
1251 int decomplen;
1252 if (!zlib_decompress_block(ssh->sc_comp_ctx,
1253 st->pktin->body - 1, st->pktin->length + 1,
1254 &decompblk, &decomplen)) {
1255 bombout(("Zlib decompression encountered invalid data"));
1256 ssh_free_packet(st->pktin);
1257 crStop(NULL);
1258 }
1259
1260 if (st->pktin->maxlen < st->pad + decomplen) {
1261 st->pktin->maxlen = st->pad + decomplen;
1262 st->pktin->data = sresize(st->pktin->data,
1263 st->pktin->maxlen + APIEXTRA,
1264 unsigned char);
1265 st->pktin->body = st->pktin->data + st->pad + 1;
1266 }
1267
1268 memcpy(st->pktin->body - 1, decompblk, decomplen);
1269 sfree(decompblk);
1270 st->pktin->length = decomplen - 1;
1271 }
1272
1273 st->pktin->type = st->pktin->body[-1];
1274
1275 /*
1276 * Log incoming packet, possibly omitting sensitive fields.
1277 */
1278 if (ssh->logctx) {
1279 int nblanks = 0;
1280 struct logblank_t blank;
1281 if (ssh->cfg.logomitdata) {
1282 int do_blank = FALSE, blank_prefix = 0;
1283 /* "Session data" packets - omit the data field */
1284 if ((st->pktin->type == SSH1_SMSG_STDOUT_DATA) ||
1285 (st->pktin->type == SSH1_SMSG_STDERR_DATA)) {
1286 do_blank = TRUE; blank_prefix = 4;
1287 } else if (st->pktin->type == SSH1_MSG_CHANNEL_DATA) {
1288 do_blank = TRUE; blank_prefix = 8;
1289 }
1290 if (do_blank) {
1291 blank.offset = blank_prefix;
1292 blank.len = st->pktin->length;
1293 blank.type = PKTLOG_OMIT;
1294 nblanks = 1;
1295 }
1296 }
1297 log_packet(ssh->logctx,
1298 PKT_INCOMING, st->pktin->type,
1299 ssh1_pkt_type(st->pktin->type),
1300 st->pktin->body, st->pktin->length,
1301 nblanks, &blank, NULL);
1302 }
1303
1304 crFinish(st->pktin);
1305 }
1306
1307 static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1308 {
1309 struct rdpkt2_state_tag *st = &ssh->rdpkt2_state;
1310
1311 crBegin(ssh->ssh2_rdpkt_crstate);
1312
1313 st->pktin = ssh_new_packet();
1314
1315 st->pktin->type = 0;
1316 st->pktin->length = 0;
1317 if (ssh->sccipher)
1318 st->cipherblk = ssh->sccipher->blksize;
1319 else
1320 st->cipherblk = 8;
1321 if (st->cipherblk < 8)
1322 st->cipherblk = 8;
1323 st->maclen = ssh->scmac ? ssh->scmac->len : 0;
1324
1325 if (ssh->sccipher && (ssh->sccipher->flags & SSH_CIPHER_IS_CBC) &&
1326 ssh->scmac) {
1327 /*
1328 * When dealing with a CBC-mode cipher, we want to avoid the
1329 * possibility of an attacker's tweaking the ciphertext stream
1330 * so as to cause us to feed the same block to the block
1331 * cipher more than once and thus leak information
1332 * (VU#958563). The way we do this is not to take any
1333 * decisions on the basis of anything we've decrypted until
1334 * we've verified it with a MAC. That includes the packet
1335 * length, so we just read data and check the MAC repeatedly,
1336 * and when the MAC passes, see if the length we've got is
1337 * plausible.
1338 */
1339
1340 /* May as well allocate the whole lot now. */
1341 st->pktin->data = snewn(OUR_V2_PACKETLIMIT + st->maclen + APIEXTRA,
1342 unsigned char);
1343
1344 /* Read an amount corresponding to the MAC. */
1345 for (st->i = 0; st->i < st->maclen; st->i++) {
1346 while ((*datalen) == 0)
1347 crReturn(NULL);
1348 st->pktin->data[st->i] = *(*data)++;
1349 (*datalen)--;
1350 }
1351
1352 st->packetlen = 0;
1353 {
1354 unsigned char seq[4];
1355 ssh->scmac->start(ssh->sc_mac_ctx);
1356 PUT_32BIT(seq, st->incoming_sequence);
1357 ssh->scmac->bytes(ssh->sc_mac_ctx, seq, 4);
1358 }
1359
1360 for (;;) { /* Once around this loop per cipher block. */
1361 /* Read another cipher-block's worth, and tack it onto the end. */
1362 for (st->i = 0; st->i < st->cipherblk; st->i++) {
1363 while ((*datalen) == 0)
1364 crReturn(NULL);
1365 st->pktin->data[st->packetlen+st->maclen+st->i] = *(*data)++;
1366 (*datalen)--;
1367 }
1368 /* Decrypt one more block (a little further back in the stream). */
1369 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1370 st->pktin->data + st->packetlen,
1371 st->cipherblk);
1372 /* Feed that block to the MAC. */
1373 ssh->scmac->bytes(ssh->sc_mac_ctx,
1374 st->pktin->data + st->packetlen, st->cipherblk);
1375 st->packetlen += st->cipherblk;
1376 /* See if that gives us a valid packet. */
1377 if (ssh->scmac->verresult(ssh->sc_mac_ctx,
1378 st->pktin->data + st->packetlen) &&
1379 (st->len = GET_32BIT(st->pktin->data)) + 4 == st->packetlen)
1380 break;
1381 if (st->packetlen >= OUR_V2_PACKETLIMIT) {
1382 bombout(("No valid incoming packet found"));
1383 ssh_free_packet(st->pktin);
1384 crStop(NULL);
1385 }
1386 }
1387 st->pktin->maxlen = st->packetlen + st->maclen;
1388 st->pktin->data = sresize(st->pktin->data,
1389 st->pktin->maxlen + APIEXTRA,
1390 unsigned char);
1391 } else {
1392 st->pktin->data = snewn(st->cipherblk + APIEXTRA, unsigned char);
1393
1394 /*
1395 * Acquire and decrypt the first block of the packet. This will
1396 * contain the length and padding details.
1397 */
1398 for (st->i = st->len = 0; st->i < st->cipherblk; st->i++) {
1399 while ((*datalen) == 0)
1400 crReturn(NULL);
1401 st->pktin->data[st->i] = *(*data)++;
1402 (*datalen)--;
1403 }
1404
1405 if (ssh->sccipher)
1406 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1407 st->pktin->data, st->cipherblk);
1408
1409 /*
1410 * Now get the length figure.
1411 */
1412 st->len = GET_32BIT(st->pktin->data);
1413
1414 /*
1415 * _Completely_ silly lengths should be stomped on before they
1416 * do us any more damage.
1417 */
1418 if (st->len < 0 || st->len > OUR_V2_PACKETLIMIT ||
1419 (st->len + 4) % st->cipherblk != 0) {
1420 bombout(("Incoming packet was garbled on decryption"));
1421 ssh_free_packet(st->pktin);
1422 crStop(NULL);
1423 }
1424
1425 /*
1426 * So now we can work out the total packet length.
1427 */
1428 st->packetlen = st->len + 4;
1429
1430 /*
1431 * Allocate memory for the rest of the packet.
1432 */
1433 st->pktin->maxlen = st->packetlen + st->maclen;
1434 st->pktin->data = sresize(st->pktin->data,
1435 st->pktin->maxlen + APIEXTRA,
1436 unsigned char);
1437
1438 /*
1439 * Read and decrypt the remainder of the packet.
1440 */
1441 for (st->i = st->cipherblk; st->i < st->packetlen + st->maclen;
1442 st->i++) {
1443 while ((*datalen) == 0)
1444 crReturn(NULL);
1445 st->pktin->data[st->i] = *(*data)++;
1446 (*datalen)--;
1447 }
1448 /* Decrypt everything _except_ the MAC. */
1449 if (ssh->sccipher)
1450 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1451 st->pktin->data + st->cipherblk,
1452 st->packetlen - st->cipherblk);
1453
1454 /*
1455 * Check the MAC.
1456 */
1457 if (ssh->scmac
1458 && !ssh->scmac->verify(ssh->sc_mac_ctx, st->pktin->data,
1459 st->len + 4, st->incoming_sequence)) {
1460 bombout(("Incorrect MAC received on packet"));
1461 ssh_free_packet(st->pktin);
1462 crStop(NULL);
1463 }
1464 }
1465 /* Get and sanity-check the amount of random padding. */
1466 st->pad = st->pktin->data[4];
1467 if (st->pad < 4 || st->len - st->pad < 1) {
1468 bombout(("Invalid padding length on received packet"));
1469 ssh_free_packet(st->pktin);
1470 crStop(NULL);
1471 }
1472 /*
1473 * This enables us to deduce the payload length.
1474 */
1475 st->payload = st->len - st->pad - 1;
1476
1477 st->pktin->length = st->payload + 5;
1478 st->pktin->encrypted_len = st->packetlen;
1479
1480 st->pktin->sequence = st->incoming_sequence++;
1481
1482 /*
1483 * Decompress packet payload.
1484 */
1485 {
1486 unsigned char *newpayload;
1487 int newlen;
1488 if (ssh->sccomp &&
1489 ssh->sccomp->decompress(ssh->sc_comp_ctx,
1490 st->pktin->data + 5, st->pktin->length - 5,
1491 &newpayload, &newlen)) {
1492 if (st->pktin->maxlen < newlen + 5) {
1493 st->pktin->maxlen = newlen + 5;
1494 st->pktin->data = sresize(st->pktin->data,
1495 st->pktin->maxlen + APIEXTRA,
1496 unsigned char);
1497 }
1498 st->pktin->length = 5 + newlen;
1499 memcpy(st->pktin->data + 5, newpayload, newlen);
1500 sfree(newpayload);
1501 }
1502 }
1503
1504 st->pktin->savedpos = 6;
1505 st->pktin->body = st->pktin->data;
1506 st->pktin->type = st->pktin->data[5];
1507
1508 /*
1509 * Log incoming packet, possibly omitting sensitive fields.
1510 */
1511 if (ssh->logctx) {
1512 int nblanks = 0;
1513 struct logblank_t blank;
1514 if (ssh->cfg.logomitdata) {
1515 int do_blank = FALSE, blank_prefix = 0;
1516 /* "Session data" packets - omit the data field */
1517 if (st->pktin->type == SSH2_MSG_CHANNEL_DATA) {
1518 do_blank = TRUE; blank_prefix = 8;
1519 } else if (st->pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA) {
1520 do_blank = TRUE; blank_prefix = 12;
1521 }
1522 if (do_blank) {
1523 blank.offset = blank_prefix;
1524 blank.len = (st->pktin->length-6) - blank_prefix;
1525 blank.type = PKTLOG_OMIT;
1526 nblanks = 1;
1527 }
1528 }
1529 log_packet(ssh->logctx, PKT_INCOMING, st->pktin->type,
1530 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx,
1531 st->pktin->type),
1532 st->pktin->data+6, st->pktin->length-6,
1533 nblanks, &blank, &st->pktin->sequence);
1534 }
1535
1536 crFinish(st->pktin);
1537 }
1538
1539 static int s_wrpkt_prepare(Ssh ssh, struct Packet *pkt, int *offset_p)
1540 {
1541 int pad, biglen, i, pktoffs;
1542 unsigned long crc;
1543 #ifdef __SC__
1544 /*
1545 * XXX various versions of SC (including 8.8.4) screw up the
1546 * register allocation in this function and use the same register
1547 * (D6) for len and as a temporary, with predictable results. The
1548 * following sledgehammer prevents this.
1549 */
1550 volatile
1551 #endif
1552 int len;
1553
1554 if (ssh->logctx)
1555 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[12],
1556 ssh1_pkt_type(pkt->data[12]),
1557 pkt->body, pkt->length - (pkt->body - pkt->data),
1558 pkt->nblanks, pkt->blanks, NULL);
1559 sfree(pkt->blanks); pkt->blanks = NULL;
1560 pkt->nblanks = 0;
1561
1562 if (ssh->v1_compressing) {
1563 unsigned char *compblk;
1564 int complen;
1565 zlib_compress_block(ssh->cs_comp_ctx,
1566 pkt->data + 12, pkt->length - 12,
1567 &compblk, &complen);
1568 ssh_pkt_ensure(pkt, complen + 2); /* just in case it's got bigger */
1569 memcpy(pkt->data + 12, compblk, complen);
1570 sfree(compblk);
1571 pkt->length = complen + 12;
1572 }
1573
1574 ssh_pkt_ensure(pkt, pkt->length + 4); /* space for CRC */
1575 pkt->length += 4;
1576 len = pkt->length - 4 - 8; /* len(type+data+CRC) */
1577 pad = 8 - (len % 8);
1578 pktoffs = 8 - pad;
1579 biglen = len + pad; /* len(padding+type+data+CRC) */
1580
1581 for (i = pktoffs; i < 4+8; i++)
1582 pkt->data[i] = random_byte();
1583 crc = crc32_compute(pkt->data + pktoffs + 4, biglen - 4); /* all ex len */
1584 PUT_32BIT(pkt->data + pktoffs + 4 + biglen - 4, crc);
1585 PUT_32BIT(pkt->data + pktoffs, len);
1586
1587 if (ssh->cipher)
1588 ssh->cipher->encrypt(ssh->v1_cipher_ctx,
1589 pkt->data + pktoffs + 4, biglen);
1590
1591 if (offset_p) *offset_p = pktoffs;
1592 return biglen + 4; /* len(length+padding+type+data+CRC) */
1593 }
1594
1595 static int s_write(Ssh ssh, void *data, int len)
1596 {
1597 if (ssh->logctx)
1598 log_packet(ssh->logctx, PKT_OUTGOING, -1, NULL, data, len,
1599 0, NULL, NULL);
1600 return sk_write(ssh->s, (char *)data, len);
1601 }
1602
1603 static void s_wrpkt(Ssh ssh, struct Packet *pkt)
1604 {
1605 int len, backlog, offset;
1606 len = s_wrpkt_prepare(ssh, pkt, &offset);
1607 backlog = s_write(ssh, pkt->data + offset, len);
1608 if (backlog > SSH_MAX_BACKLOG)
1609 ssh_throttle_all(ssh, 1, backlog);
1610 ssh_free_packet(pkt);
1611 }
1612
1613 static void s_wrpkt_defer(Ssh ssh, struct Packet *pkt)
1614 {
1615 int len, offset;
1616 len = s_wrpkt_prepare(ssh, pkt, &offset);
1617 if (ssh->deferred_len + len > ssh->deferred_size) {
1618 ssh->deferred_size = ssh->deferred_len + len + 128;
1619 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1620 ssh->deferred_size,
1621 unsigned char);
1622 }
1623 memcpy(ssh->deferred_send_data + ssh->deferred_len,
1624 pkt->data + offset, len);
1625 ssh->deferred_len += len;
1626 ssh_free_packet(pkt);
1627 }
1628
1629 /*
1630 * Construct a SSH-1 packet with the specified contents.
1631 * (This all-at-once interface used to be the only one, but now SSH-1
1632 * packets can also be constructed incrementally.)
1633 */
1634 static struct Packet *construct_packet(Ssh ssh, int pkttype, va_list ap)
1635 {
1636 int argtype;
1637 Bignum bn;
1638 struct Packet *pkt;
1639
1640 pkt = ssh1_pkt_init(pkttype);
1641
1642 while ((argtype = va_arg(ap, int)) != PKT_END) {
1643 unsigned char *argp, argchar;
1644 char *sargp;
1645 unsigned long argint;
1646 int arglen;
1647 switch (argtype) {
1648 /* Actual fields in the packet */
1649 case PKT_INT:
1650 argint = va_arg(ap, int);
1651 ssh_pkt_adduint32(pkt, argint);
1652 break;
1653 case PKT_CHAR:
1654 argchar = (unsigned char) va_arg(ap, int);
1655 ssh_pkt_addbyte(pkt, argchar);
1656 break;
1657 case PKT_DATA:
1658 argp = va_arg(ap, unsigned char *);
1659 arglen = va_arg(ap, int);
1660 ssh_pkt_adddata(pkt, argp, arglen);
1661 break;
1662 case PKT_STR:
1663 sargp = va_arg(ap, char *);
1664 ssh_pkt_addstring(pkt, sargp);
1665 break;
1666 case PKT_BIGNUM:
1667 bn = va_arg(ap, Bignum);
1668 ssh1_pkt_addmp(pkt, bn);
1669 break;
1670 /* Tokens for modifications to packet logging */
1671 case PKTT_PASSWORD:
1672 dont_log_password(ssh, pkt, PKTLOG_BLANK);
1673 break;
1674 case PKTT_DATA:
1675 dont_log_data(ssh, pkt, PKTLOG_OMIT);
1676 break;
1677 case PKTT_OTHER:
1678 end_log_omission(ssh, pkt);
1679 break;
1680 }
1681 }
1682
1683 return pkt;
1684 }
1685
1686 static void send_packet(Ssh ssh, int pkttype, ...)
1687 {
1688 struct Packet *pkt;
1689 va_list ap;
1690 va_start(ap, pkttype);
1691 pkt = construct_packet(ssh, pkttype, ap);
1692 va_end(ap);
1693 s_wrpkt(ssh, pkt);
1694 }
1695
1696 static void defer_packet(Ssh ssh, int pkttype, ...)
1697 {
1698 struct Packet *pkt;
1699 va_list ap;
1700 va_start(ap, pkttype);
1701 pkt = construct_packet(ssh, pkttype, ap);
1702 va_end(ap);
1703 s_wrpkt_defer(ssh, pkt);
1704 }
1705
1706 static int ssh_versioncmp(char *a, char *b)
1707 {
1708 char *ae, *be;
1709 unsigned long av, bv;
1710
1711 av = strtoul(a, &ae, 10);
1712 bv = strtoul(b, &be, 10);
1713 if (av != bv)
1714 return (av < bv ? -1 : +1);
1715 if (*ae == '.')
1716 ae++;
1717 if (*be == '.')
1718 be++;
1719 av = strtoul(ae, &ae, 10);
1720 bv = strtoul(be, &be, 10);
1721 if (av != bv)
1722 return (av < bv ? -1 : +1);
1723 return 0;
1724 }
1725
1726 /*
1727 * Utility routines for putting an SSH-protocol `string' and
1728 * `uint32' into a hash state.
1729 */
1730 static void hash_string(const struct ssh_hash *h, void *s, void *str, int len)
1731 {
1732 unsigned char lenblk[4];
1733 PUT_32BIT(lenblk, len);
1734 h->bytes(s, lenblk, 4);
1735 h->bytes(s, str, len);
1736 }
1737
1738 static void hash_uint32(const struct ssh_hash *h, void *s, unsigned i)
1739 {
1740 unsigned char intblk[4];
1741 PUT_32BIT(intblk, i);
1742 h->bytes(s, intblk, 4);
1743 }
1744
1745 /*
1746 * Packet construction functions. Mostly shared between SSH-1 and SSH-2.
1747 */
1748 static void ssh_pkt_ensure(struct Packet *pkt, int length)
1749 {
1750 if (pkt->maxlen < length) {
1751 unsigned char *body = pkt->body;
1752 int offset = body ? body - pkt->data : 0;
1753 pkt->maxlen = length + 256;
1754 pkt->data = sresize(pkt->data, pkt->maxlen + APIEXTRA, unsigned char);
1755 if (body) pkt->body = pkt->data + offset;
1756 }
1757 }
1758 static void ssh_pkt_adddata(struct Packet *pkt, void *data, int len)
1759 {
1760 if (pkt->logmode != PKTLOG_EMIT) {
1761 pkt->nblanks++;
1762 pkt->blanks = sresize(pkt->blanks, pkt->nblanks, struct logblank_t);
1763 assert(pkt->body);
1764 pkt->blanks[pkt->nblanks-1].offset = pkt->length -
1765 (pkt->body - pkt->data);
1766 pkt->blanks[pkt->nblanks-1].len = len;
1767 pkt->blanks[pkt->nblanks-1].type = pkt->logmode;
1768 }
1769 pkt->length += len;
1770 ssh_pkt_ensure(pkt, pkt->length);
1771 memcpy(pkt->data + pkt->length - len, data, len);
1772 }
1773 static void ssh_pkt_addbyte(struct Packet *pkt, unsigned char byte)
1774 {
1775 ssh_pkt_adddata(pkt, &byte, 1);
1776 }
1777 static void ssh2_pkt_addbool(struct Packet *pkt, unsigned char value)
1778 {
1779 ssh_pkt_adddata(pkt, &value, 1);
1780 }
1781 static void ssh_pkt_adduint32(struct Packet *pkt, unsigned long value)
1782 {
1783 unsigned char x[4];
1784 PUT_32BIT(x, value);
1785 ssh_pkt_adddata(pkt, x, 4);
1786 }
1787 static void ssh_pkt_addstring_start(struct Packet *pkt)
1788 {
1789 ssh_pkt_adduint32(pkt, 0);
1790 pkt->savedpos = pkt->length;
1791 }
1792 static void ssh_pkt_addstring_str(struct Packet *pkt, char *data)
1793 {
1794 ssh_pkt_adddata(pkt, data, strlen(data));
1795 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1796 }
1797 static void ssh_pkt_addstring_data(struct Packet *pkt, char *data, int len)
1798 {
1799 ssh_pkt_adddata(pkt, data, len);
1800 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1801 }
1802 static void ssh_pkt_addstring(struct Packet *pkt, char *data)
1803 {
1804 ssh_pkt_addstring_start(pkt);
1805 ssh_pkt_addstring_str(pkt, data);
1806 }
1807 static void ssh1_pkt_addmp(struct Packet *pkt, Bignum b)
1808 {
1809 int len = ssh1_bignum_length(b);
1810 unsigned char *data = snewn(len, unsigned char);
1811 (void) ssh1_write_bignum(data, b);
1812 ssh_pkt_adddata(pkt, data, len);
1813 sfree(data);
1814 }
1815 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len)
1816 {
1817 unsigned char *p;
1818 int i, n = (bignum_bitcount(b) + 7) / 8;
1819 p = snewn(n + 1, unsigned char);
1820 p[0] = 0;
1821 for (i = 1; i <= n; i++)
1822 p[i] = bignum_byte(b, n - i);
1823 i = 0;
1824 while (i <= n && p[i] == 0 && (p[i + 1] & 0x80) == 0)
1825 i++;
1826 memmove(p, p + i, n + 1 - i);
1827 *len = n + 1 - i;
1828 return p;
1829 }
1830 static void ssh2_pkt_addmp(struct Packet *pkt, Bignum b)
1831 {
1832 unsigned char *p;
1833 int len;
1834 p = ssh2_mpint_fmt(b, &len);
1835 ssh_pkt_addstring_start(pkt);
1836 ssh_pkt_addstring_data(pkt, (char *)p, len);
1837 sfree(p);
1838 }
1839
1840 static struct Packet *ssh1_pkt_init(int pkt_type)
1841 {
1842 struct Packet *pkt = ssh_new_packet();
1843 pkt->length = 4 + 8; /* space for length + max padding */
1844 ssh_pkt_addbyte(pkt, pkt_type);
1845 pkt->body = pkt->data + pkt->length;
1846 return pkt;
1847 }
1848
1849 /* For legacy code (SSH-1 and -2 packet construction used to be separate) */
1850 #define ssh2_pkt_ensure(pkt, length) ssh_pkt_ensure(pkt, length)
1851 #define ssh2_pkt_adddata(pkt, data, len) ssh_pkt_adddata(pkt, data, len)
1852 #define ssh2_pkt_addbyte(pkt, byte) ssh_pkt_addbyte(pkt, byte)
1853 #define ssh2_pkt_adduint32(pkt, value) ssh_pkt_adduint32(pkt, value)
1854 #define ssh2_pkt_addstring_start(pkt) ssh_pkt_addstring_start(pkt)
1855 #define ssh2_pkt_addstring_str(pkt, data) ssh_pkt_addstring_str(pkt, data)
1856 #define ssh2_pkt_addstring_data(pkt, data, len) ssh_pkt_addstring_data(pkt, data, len)
1857 #define ssh2_pkt_addstring(pkt, data) ssh_pkt_addstring(pkt, data)
1858
1859 static struct Packet *ssh2_pkt_init(int pkt_type)
1860 {
1861 struct Packet *pkt = ssh_new_packet();
1862 pkt->length = 5; /* space for packet length + padding length */
1863 pkt->forcepad = 0;
1864 ssh_pkt_addbyte(pkt, (unsigned char) pkt_type);
1865 pkt->body = pkt->data + pkt->length; /* after packet type */
1866 return pkt;
1867 }
1868
1869 /*
1870 * Construct an SSH-2 final-form packet: compress it, encrypt it,
1871 * put the MAC on it. Final packet, ready to be sent, is stored in
1872 * pkt->data. Total length is returned.
1873 */
1874 static int ssh2_pkt_construct(Ssh ssh, struct Packet *pkt)
1875 {
1876 int cipherblk, maclen, padding, i;
1877
1878 if (ssh->logctx)
1879 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[5],
1880 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx, pkt->data[5]),
1881 pkt->body, pkt->length - (pkt->body - pkt->data),
1882 pkt->nblanks, pkt->blanks, &ssh->v2_outgoing_sequence);
1883 sfree(pkt->blanks); pkt->blanks = NULL;
1884 pkt->nblanks = 0;
1885
1886 /*
1887 * Compress packet payload.
1888 */
1889 {
1890 unsigned char *newpayload;
1891 int newlen;
1892 if (ssh->cscomp &&
1893 ssh->cscomp->compress(ssh->cs_comp_ctx, pkt->data + 5,
1894 pkt->length - 5,
1895 &newpayload, &newlen)) {
1896 pkt->length = 5;
1897 ssh2_pkt_adddata(pkt, newpayload, newlen);
1898 sfree(newpayload);
1899 }
1900 }
1901
1902 /*
1903 * Add padding. At least four bytes, and must also bring total
1904 * length (minus MAC) up to a multiple of the block size.
1905 * If pkt->forcepad is set, make sure the packet is at least that size
1906 * after padding.
1907 */
1908 cipherblk = ssh->cscipher ? ssh->cscipher->blksize : 8; /* block size */
1909 cipherblk = cipherblk < 8 ? 8 : cipherblk; /* or 8 if blksize < 8 */
1910 padding = 4;
1911 if (pkt->length + padding < pkt->forcepad)
1912 padding = pkt->forcepad - pkt->length;
1913 padding +=
1914 (cipherblk - (pkt->length + padding) % cipherblk) % cipherblk;
1915 assert(padding <= 255);
1916 maclen = ssh->csmac ? ssh->csmac->len : 0;
1917 ssh2_pkt_ensure(pkt, pkt->length + padding + maclen);
1918 pkt->data[4] = padding;
1919 for (i = 0; i < padding; i++)
1920 pkt->data[pkt->length + i] = random_byte();
1921 PUT_32BIT(pkt->data, pkt->length + padding - 4);
1922 if (ssh->csmac)
1923 ssh->csmac->generate(ssh->cs_mac_ctx, pkt->data,
1924 pkt->length + padding,
1925 ssh->v2_outgoing_sequence);
1926 ssh->v2_outgoing_sequence++; /* whether or not we MACed */
1927
1928 if (ssh->cscipher)
1929 ssh->cscipher->encrypt(ssh->cs_cipher_ctx,
1930 pkt->data, pkt->length + padding);
1931
1932 pkt->encrypted_len = pkt->length + padding;
1933
1934 /* Ready-to-send packet starts at pkt->data. We return length. */
1935 return pkt->length + padding + maclen;
1936 }
1937
1938 /*
1939 * Routines called from the main SSH code to send packets. There
1940 * are quite a few of these, because we have two separate
1941 * mechanisms for delaying the sending of packets:
1942 *
1943 * - In order to send an IGNORE message and a password message in
1944 * a single fixed-length blob, we require the ability to
1945 * concatenate the encrypted forms of those two packets _into_ a
1946 * single blob and then pass it to our <network.h> transport
1947 * layer in one go. Hence, there's a deferment mechanism which
1948 * works after packet encryption.
1949 *
1950 * - In order to avoid sending any connection-layer messages
1951 * during repeat key exchange, we have to queue up any such
1952 * outgoing messages _before_ they are encrypted (and in
1953 * particular before they're allocated sequence numbers), and
1954 * then send them once we've finished.
1955 *
1956 * I call these mechanisms `defer' and `queue' respectively, so as
1957 * to distinguish them reasonably easily.
1958 *
1959 * The functions send_noqueue() and defer_noqueue() free the packet
1960 * structure they are passed. Every outgoing packet goes through
1961 * precisely one of these functions in its life; packets passed to
1962 * ssh2_pkt_send() or ssh2_pkt_defer() either go straight to one of
1963 * these or get queued, and then when the queue is later emptied
1964 * the packets are all passed to defer_noqueue().
1965 *
1966 * When using a CBC-mode cipher, it's necessary to ensure that an
1967 * attacker can't provide data to be encrypted using an IV that they
1968 * know. We ensure this by prefixing each packet that might contain
1969 * user data with an SSH_MSG_IGNORE. This is done using the deferral
1970 * mechanism, so in this case send_noqueue() ends up redirecting to
1971 * defer_noqueue(). If you don't like this inefficiency, don't use
1972 * CBC.
1973 */
1974
1975 static void ssh2_pkt_defer_noqueue(Ssh, struct Packet *, int);
1976 static void ssh_pkt_defersend(Ssh);
1977
1978 /*
1979 * Send an SSH-2 packet immediately, without queuing or deferring.
1980 */
1981 static void ssh2_pkt_send_noqueue(Ssh ssh, struct Packet *pkt)
1982 {
1983 int len;
1984 int backlog;
1985 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC)) {
1986 /* We need to send two packets, so use the deferral mechanism. */
1987 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1988 ssh_pkt_defersend(ssh);
1989 return;
1990 }
1991 len = ssh2_pkt_construct(ssh, pkt);
1992 backlog = s_write(ssh, pkt->data, len);
1993 if (backlog > SSH_MAX_BACKLOG)
1994 ssh_throttle_all(ssh, 1, backlog);
1995
1996 ssh->outgoing_data_size += pkt->encrypted_len;
1997 if (!ssh->kex_in_progress &&
1998 ssh->max_data_size != 0 &&
1999 ssh->outgoing_data_size > ssh->max_data_size)
2000 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
2001
2002 ssh_free_packet(pkt);
2003 }
2004
2005 /*
2006 * Defer an SSH-2 packet.
2007 */
2008 static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt, int noignore)
2009 {
2010 int len;
2011 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC) &&
2012 ssh->deferred_len == 0 && !noignore) {
2013 /*
2014 * Interpose an SSH_MSG_IGNORE to ensure that user data don't
2015 * get encrypted with a known IV.
2016 */
2017 struct Packet *ipkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
2018 ssh2_pkt_addstring_start(ipkt);
2019 ssh2_pkt_defer_noqueue(ssh, ipkt, TRUE);
2020 }
2021 len = ssh2_pkt_construct(ssh, pkt);
2022 if (ssh->deferred_len + len > ssh->deferred_size) {
2023 ssh->deferred_size = ssh->deferred_len + len + 128;
2024 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
2025 ssh->deferred_size,
2026 unsigned char);
2027 }
2028 memcpy(ssh->deferred_send_data + ssh->deferred_len, pkt->data, len);
2029 ssh->deferred_len += len;
2030 ssh->deferred_data_size += pkt->encrypted_len;
2031 ssh_free_packet(pkt);
2032 }
2033
2034 /*
2035 * Queue an SSH-2 packet.
2036 */
2037 static void ssh2_pkt_queue(Ssh ssh, struct Packet *pkt)
2038 {
2039 assert(ssh->queueing);
2040
2041 if (ssh->queuelen >= ssh->queuesize) {
2042 ssh->queuesize = ssh->queuelen + 32;
2043 ssh->queue = sresize(ssh->queue, ssh->queuesize, struct Packet *);
2044 }
2045
2046 ssh->queue[ssh->queuelen++] = pkt;
2047 }
2048
2049 /*
2050 * Either queue or send a packet, depending on whether queueing is
2051 * set.
2052 */
2053 static void ssh2_pkt_send(Ssh ssh, struct Packet *pkt)
2054 {
2055 if (ssh->queueing)
2056 ssh2_pkt_queue(ssh, pkt);
2057 else
2058 ssh2_pkt_send_noqueue(ssh, pkt);
2059 }
2060
2061 /*
2062 * Either queue or defer a packet, depending on whether queueing is
2063 * set.
2064 */
2065 static void ssh2_pkt_defer(Ssh ssh, struct Packet *pkt)
2066 {
2067 if (ssh->queueing)
2068 ssh2_pkt_queue(ssh, pkt);
2069 else
2070 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
2071 }
2072
2073 /*
2074 * Send the whole deferred data block constructed by
2075 * ssh2_pkt_defer() or SSH-1's defer_packet().
2076 *
2077 * The expected use of the defer mechanism is that you call
2078 * ssh2_pkt_defer() a few times, then call ssh_pkt_defersend(). If
2079 * not currently queueing, this simply sets up deferred_send_data
2080 * and then sends it. If we _are_ currently queueing, the calls to
2081 * ssh2_pkt_defer() put the deferred packets on to the queue
2082 * instead, and therefore ssh_pkt_defersend() has no deferred data
2083 * to send. Hence, there's no need to make it conditional on
2084 * ssh->queueing.
2085 */
2086 static void ssh_pkt_defersend(Ssh ssh)
2087 {
2088 int backlog;
2089 backlog = s_write(ssh, ssh->deferred_send_data, ssh->deferred_len);
2090 ssh->deferred_len = ssh->deferred_size = 0;
2091 sfree(ssh->deferred_send_data);
2092 ssh->deferred_send_data = NULL;
2093 if (backlog > SSH_MAX_BACKLOG)
2094 ssh_throttle_all(ssh, 1, backlog);
2095
2096 ssh->outgoing_data_size += ssh->deferred_data_size;
2097 if (!ssh->kex_in_progress &&
2098 ssh->max_data_size != 0 &&
2099 ssh->outgoing_data_size > ssh->max_data_size)
2100 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
2101 ssh->deferred_data_size = 0;
2102 }
2103
2104 /*
2105 * Send a packet whose length needs to be disguised (typically
2106 * passwords or keyboard-interactive responses).
2107 */
2108 static void ssh2_pkt_send_with_padding(Ssh ssh, struct Packet *pkt,
2109 int padsize)
2110 {
2111 #if 0
2112 if (0) {
2113 /*
2114 * The simplest way to do this is to adjust the
2115 * variable-length padding field in the outgoing packet.
2116 *
2117 * Currently compiled out, because some Cisco SSH servers
2118 * don't like excessively padded packets (bah, why's it
2119 * always Cisco?)
2120 */
2121 pkt->forcepad = padsize;
2122 ssh2_pkt_send(ssh, pkt);
2123 } else
2124 #endif
2125 {
2126 /*
2127 * If we can't do that, however, an alternative approach is
2128 * to use the pkt_defer mechanism to bundle the packet
2129 * tightly together with an SSH_MSG_IGNORE such that their
2130 * combined length is a constant. So first we construct the
2131 * final form of this packet and defer its sending.
2132 */
2133 ssh2_pkt_defer(ssh, pkt);
2134
2135 /*
2136 * Now construct an SSH_MSG_IGNORE which includes a string
2137 * that's an exact multiple of the cipher block size. (If
2138 * the cipher is NULL so that the block size is
2139 * unavailable, we don't do this trick at all, because we
2140 * gain nothing by it.)
2141 */
2142 if (ssh->cscipher) {
2143 int stringlen, i;
2144
2145 stringlen = (256 - ssh->deferred_len);
2146 stringlen += ssh->cscipher->blksize - 1;
2147 stringlen -= (stringlen % ssh->cscipher->blksize);
2148 if (ssh->cscomp) {
2149 /*
2150 * Temporarily disable actual compression, so we
2151 * can guarantee to get this string exactly the
2152 * length we want it. The compression-disabling
2153 * routine should return an integer indicating how
2154 * many bytes we should adjust our string length
2155 * by.
2156 */
2157 stringlen -=
2158 ssh->cscomp->disable_compression(ssh->cs_comp_ctx);
2159 }
2160 pkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
2161 ssh2_pkt_addstring_start(pkt);
2162 for (i = 0; i < stringlen; i++) {
2163 char c = (char) random_byte();
2164 ssh2_pkt_addstring_data(pkt, &c, 1);
2165 }
2166 ssh2_pkt_defer(ssh, pkt);
2167 }
2168 ssh_pkt_defersend(ssh);
2169 }
2170 }
2171
2172 /*
2173 * Send all queued SSH-2 packets. We send them by means of
2174 * ssh2_pkt_defer_noqueue(), in case they included a pair of
2175 * packets that needed to be lumped together.
2176 */
2177 static void ssh2_pkt_queuesend(Ssh ssh)
2178 {
2179 int i;
2180
2181 assert(!ssh->queueing);
2182
2183 for (i = 0; i < ssh->queuelen; i++)
2184 ssh2_pkt_defer_noqueue(ssh, ssh->queue[i], FALSE);
2185 ssh->queuelen = 0;
2186
2187 ssh_pkt_defersend(ssh);
2188 }
2189
2190 #if 0
2191 void bndebug(char *string, Bignum b)
2192 {
2193 unsigned char *p;
2194 int i, len;
2195 p = ssh2_mpint_fmt(b, &len);
2196 debug(("%s", string));
2197 for (i = 0; i < len; i++)
2198 debug((" %02x", p[i]));
2199 debug(("\n"));
2200 sfree(p);
2201 }
2202 #endif
2203
2204 static void hash_mpint(const struct ssh_hash *h, void *s, Bignum b)
2205 {
2206 unsigned char *p;
2207 int len;
2208 p = ssh2_mpint_fmt(b, &len);
2209 hash_string(h, s, p, len);
2210 sfree(p);
2211 }
2212
2213 /*
2214 * Packet decode functions for both SSH-1 and SSH-2.
2215 */
2216 static unsigned long ssh_pkt_getuint32(struct Packet *pkt)
2217 {
2218 unsigned long value;
2219 if (pkt->length - pkt->savedpos < 4)
2220 return 0; /* arrgh, no way to decline (FIXME?) */
2221 value = GET_32BIT(pkt->body + pkt->savedpos);
2222 pkt->savedpos += 4;
2223 return value;
2224 }
2225 static int ssh2_pkt_getbool(struct Packet *pkt)
2226 {
2227 unsigned long value;
2228 if (pkt->length - pkt->savedpos < 1)
2229 return 0; /* arrgh, no way to decline (FIXME?) */
2230 value = pkt->body[pkt->savedpos] != 0;
2231 pkt->savedpos++;
2232 return value;
2233 }
2234 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length)
2235 {
2236 int len;
2237 *p = NULL;
2238 *length = 0;
2239 if (pkt->length - pkt->savedpos < 4)
2240 return;
2241 len = GET_32BIT(pkt->body + pkt->savedpos);
2242 if (len < 0)
2243 return;
2244 *length = len;
2245 pkt->savedpos += 4;
2246 if (pkt->length - pkt->savedpos < *length)
2247 return;
2248 *p = (char *)(pkt->body + pkt->savedpos);
2249 pkt->savedpos += *length;
2250 }
2251 static void *ssh_pkt_getdata(struct Packet *pkt, int length)
2252 {
2253 if (pkt->length - pkt->savedpos < length)
2254 return NULL;
2255 pkt->savedpos += length;
2256 return pkt->body + (pkt->savedpos - length);
2257 }
2258 static int ssh1_pkt_getrsakey(struct Packet *pkt, struct RSAKey *key,
2259 unsigned char **keystr)
2260 {
2261 int j;
2262
2263 j = makekey(pkt->body + pkt->savedpos,
2264 pkt->length - pkt->savedpos,
2265 key, keystr, 0);
2266
2267 if (j < 0)
2268 return FALSE;
2269
2270 pkt->savedpos += j;
2271 assert(pkt->savedpos < pkt->length);
2272
2273 return TRUE;
2274 }
2275 static Bignum ssh1_pkt_getmp(struct Packet *pkt)
2276 {
2277 int j;
2278 Bignum b;
2279
2280 j = ssh1_read_bignum(pkt->body + pkt->savedpos,
2281 pkt->length - pkt->savedpos, &b);
2282
2283 if (j < 0)
2284 return NULL;
2285
2286 pkt->savedpos += j;
2287 return b;
2288 }
2289 static Bignum ssh2_pkt_getmp(struct Packet *pkt)
2290 {
2291 char *p;
2292 int length;
2293 Bignum b;
2294
2295 ssh_pkt_getstring(pkt, &p, &length);
2296 if (!p)
2297 return NULL;
2298 if (p[0] & 0x80)
2299 return NULL;
2300 b = bignum_from_bytes((unsigned char *)p, length);
2301 return b;
2302 }
2303
2304 /*
2305 * Helper function to add an SSH-2 signature blob to a packet.
2306 * Expects to be shown the public key blob as well as the signature
2307 * blob. Normally works just like ssh2_pkt_addstring, but will
2308 * fiddle with the signature packet if necessary for
2309 * BUG_SSH2_RSA_PADDING.
2310 */
2311 static void ssh2_add_sigblob(Ssh ssh, struct Packet *pkt,
2312 void *pkblob_v, int pkblob_len,
2313 void *sigblob_v, int sigblob_len)
2314 {
2315 unsigned char *pkblob = (unsigned char *)pkblob_v;
2316 unsigned char *sigblob = (unsigned char *)sigblob_v;
2317
2318 /* dmemdump(pkblob, pkblob_len); */
2319 /* dmemdump(sigblob, sigblob_len); */
2320
2321 /*
2322 * See if this is in fact an ssh-rsa signature and a buggy
2323 * server; otherwise we can just do this the easy way.
2324 */
2325 if ((ssh->remote_bugs & BUG_SSH2_RSA_PADDING) &&
2326 (GET_32BIT(pkblob) == 7 && !memcmp(pkblob+4, "ssh-rsa", 7))) {
2327 int pos, len, siglen;
2328
2329 /*
2330 * Find the byte length of the modulus.
2331 */
2332
2333 pos = 4+7; /* skip over "ssh-rsa" */
2334 pos += 4 + GET_32BIT(pkblob+pos); /* skip over exponent */
2335 len = GET_32BIT(pkblob+pos); /* find length of modulus */
2336 pos += 4; /* find modulus itself */
2337 while (len > 0 && pkblob[pos] == 0)
2338 len--, pos++;
2339 /* debug(("modulus length is %d\n", len)); */
2340
2341 /*
2342 * Now find the signature integer.
2343 */
2344 pos = 4+7; /* skip over "ssh-rsa" */
2345 siglen = GET_32BIT(sigblob+pos);
2346 /* debug(("signature length is %d\n", siglen)); */
2347
2348 if (len != siglen) {
2349 unsigned char newlen[4];
2350 ssh2_pkt_addstring_start(pkt);
2351 ssh2_pkt_addstring_data(pkt, (char *)sigblob, pos);
2352 /* dmemdump(sigblob, pos); */
2353 pos += 4; /* point to start of actual sig */
2354 PUT_32BIT(newlen, len);
2355 ssh2_pkt_addstring_data(pkt, (char *)newlen, 4);
2356 /* dmemdump(newlen, 4); */
2357 newlen[0] = 0;
2358 while (len-- > siglen) {
2359 ssh2_pkt_addstring_data(pkt, (char *)newlen, 1);
2360 /* dmemdump(newlen, 1); */
2361 }
2362 ssh2_pkt_addstring_data(pkt, (char *)(sigblob+pos), siglen);
2363 /* dmemdump(sigblob+pos, siglen); */
2364 return;
2365 }
2366
2367 /* Otherwise fall through and do it the easy way. */
2368 }
2369
2370 ssh2_pkt_addstring_start(pkt);
2371 ssh2_pkt_addstring_data(pkt, (char *)sigblob, sigblob_len);
2372 }
2373
2374 /*
2375 * Examine the remote side's version string and compare it against
2376 * a list of known buggy implementations.
2377 */
2378 static void ssh_detect_bugs(Ssh ssh, char *vstring)
2379 {
2380 char *imp; /* pointer to implementation part */
2381 imp = vstring;
2382 imp += strcspn(imp, "-");
2383 if (*imp) imp++;
2384 imp += strcspn(imp, "-");
2385 if (*imp) imp++;
2386
2387 ssh->remote_bugs = 0;
2388
2389 /*
2390 * General notes on server version strings:
2391 * - Not all servers reporting "Cisco-1.25" have all the bugs listed
2392 * here -- in particular, we've heard of one that's perfectly happy
2393 * with SSH1_MSG_IGNOREs -- but this string never seems to change,
2394 * so we can't distinguish them.
2395 */
2396 if (ssh->cfg.sshbug_ignore1 == FORCE_ON ||
2397 (ssh->cfg.sshbug_ignore1 == AUTO &&
2398 (!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
2399 !strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
2400 !strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
2401 !strcmp(imp, "OSU_1.4alpha3") || !strcmp(imp, "OSU_1.5alpha4")))) {
2402 /*
2403 * These versions don't support SSH1_MSG_IGNORE, so we have
2404 * to use a different defence against password length
2405 * sniffing.
2406 */
2407 ssh->remote_bugs |= BUG_CHOKES_ON_SSH1_IGNORE;
2408 logevent("We believe remote version has SSH-1 ignore bug");
2409 }
2410
2411 if (ssh->cfg.sshbug_plainpw1 == FORCE_ON ||
2412 (ssh->cfg.sshbug_plainpw1 == AUTO &&
2413 (!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
2414 /*
2415 * These versions need a plain password sent; they can't
2416 * handle having a null and a random length of data after
2417 * the password.
2418 */
2419 ssh->remote_bugs |= BUG_NEEDS_SSH1_PLAIN_PASSWORD;
2420 logevent("We believe remote version needs a plain SSH-1 password");
2421 }
2422
2423 if (ssh->cfg.sshbug_rsa1 == FORCE_ON ||
2424 (ssh->cfg.sshbug_rsa1 == AUTO &&
2425 (!strcmp(imp, "Cisco-1.25")))) {
2426 /*
2427 * These versions apparently have no clue whatever about
2428 * RSA authentication and will panic and die if they see
2429 * an AUTH_RSA message.
2430 */
2431 ssh->remote_bugs |= BUG_CHOKES_ON_RSA;
2432 logevent("We believe remote version can't handle SSH-1 RSA authentication");
2433 }
2434
2435 if (ssh->cfg.sshbug_hmac2 == FORCE_ON ||
2436 (ssh->cfg.sshbug_hmac2 == AUTO &&
2437 !wc_match("* VShell", imp) &&
2438 (wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
2439 wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
2440 wc_match("2.1 *", imp)))) {
2441 /*
2442 * These versions have the HMAC bug.
2443 */
2444 ssh->remote_bugs |= BUG_SSH2_HMAC;
2445 logevent("We believe remote version has SSH-2 HMAC bug");
2446 }
2447
2448 if (ssh->cfg.sshbug_derivekey2 == FORCE_ON ||
2449 (ssh->cfg.sshbug_derivekey2 == AUTO &&
2450 !wc_match("* VShell", imp) &&
2451 (wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
2452 /*
2453 * These versions have the key-derivation bug (failing to
2454 * include the literal shared secret in the hashes that
2455 * generate the keys).
2456 */
2457 ssh->remote_bugs |= BUG_SSH2_DERIVEKEY;
2458 logevent("We believe remote version has SSH-2 key-derivation bug");
2459 }
2460
2461 if (ssh->cfg.sshbug_rsapad2 == FORCE_ON ||
2462 (ssh->cfg.sshbug_rsapad2 == AUTO &&
2463 (wc_match("OpenSSH_2.[5-9]*", imp) ||
2464 wc_match("OpenSSH_3.[0-2]*", imp)))) {
2465 /*
2466 * These versions have the SSH-2 RSA padding bug.
2467 */
2468 ssh->remote_bugs |= BUG_SSH2_RSA_PADDING;
2469 logevent("We believe remote version has SSH-2 RSA padding bug");
2470 }
2471
2472 if (ssh->cfg.sshbug_pksessid2 == FORCE_ON ||
2473 (ssh->cfg.sshbug_pksessid2 == AUTO &&
2474 wc_match("OpenSSH_2.[0-2]*", imp))) {
2475 /*
2476 * These versions have the SSH-2 session-ID bug in
2477 * public-key authentication.
2478 */
2479 ssh->remote_bugs |= BUG_SSH2_PK_SESSIONID;
2480 logevent("We believe remote version has SSH-2 public-key-session-ID bug");
2481 }
2482
2483 if (ssh->cfg.sshbug_rekey2 == FORCE_ON ||
2484 (ssh->cfg.sshbug_rekey2 == AUTO &&
2485 (wc_match("DigiSSH_2.0", imp) ||
2486 wc_match("OpenSSH_2.[0-4]*", imp) ||
2487 wc_match("OpenSSH_2.5.[0-3]*", imp) ||
2488 wc_match("Sun_SSH_1.0", imp) ||
2489 wc_match("Sun_SSH_1.0.1", imp) ||
2490 /* All versions <= 1.2.6 (they changed their format in 1.2.7) */
2491 wc_match("WeOnlyDo-*", imp)))) {
2492 /*
2493 * These versions have the SSH-2 rekey bug.
2494 */
2495 ssh->remote_bugs |= BUG_SSH2_REKEY;
2496 logevent("We believe remote version has SSH-2 rekey bug");
2497 }
2498
2499 if (ssh->cfg.sshbug_maxpkt2 == FORCE_ON ||
2500 (ssh->cfg.sshbug_maxpkt2 == AUTO &&
2501 (wc_match("1.36_sshlib GlobalSCAPE", imp) ||
2502 wc_match("1.36 sshlib: GlobalScape", imp)))) {
2503 /*
2504 * This version ignores our makpkt and needs to be throttled.
2505 */
2506 ssh->remote_bugs |= BUG_SSH2_MAXPKT;
2507 logevent("We believe remote version ignores SSH-2 maximum packet size");
2508 }
2509 }
2510
2511 /*
2512 * The `software version' part of an SSH version string is required
2513 * to contain no spaces or minus signs.
2514 */
2515 static void ssh_fix_verstring(char *str)
2516 {
2517 /* Eat "SSH-<protoversion>-". */
2518 assert(*str == 'S'); str++;
2519 assert(*str == 'S'); str++;
2520 assert(*str == 'H'); str++;
2521 assert(*str == '-'); str++;
2522 while (*str && *str != '-') str++;
2523 assert(*str == '-'); str++;
2524
2525 /* Convert minus signs and spaces in the remaining string into
2526 * underscores. */
2527 while (*str) {
2528 if (*str == '-' || *str == ' ')
2529 *str = '_';
2530 str++;
2531 }
2532 }
2533
2534 /*
2535 * Send an appropriate SSH version string.
2536 */
2537 static void ssh_send_verstring(Ssh ssh, char *svers)
2538 {
2539 char *verstring;
2540
2541 if (ssh->version == 2) {
2542 /*
2543 * Construct a v2 version string.
2544 */
2545 verstring = dupprintf("SSH-2.0-%s\015\012", sshver);
2546 } else {
2547 /*
2548 * Construct a v1 version string.
2549 */
2550 verstring = dupprintf("SSH-%s-%s\012",
2551 (ssh_versioncmp(svers, "1.5") <= 0 ?
2552 svers : "1.5"),
2553 sshver);
2554 }
2555
2556 ssh_fix_verstring(verstring);
2557
2558 if (ssh->version == 2) {
2559 size_t len;
2560 /*
2561 * Record our version string.
2562 */
2563 len = strcspn(verstring, "\015\012");
2564 ssh->v_c = snewn(len + 1, char);
2565 memcpy(ssh->v_c, verstring, len);
2566 ssh->v_c[len] = 0;
2567 }
2568
2569 logeventf(ssh, "We claim version: %.*s",
2570 strcspn(verstring, "\015\012"), verstring);
2571 s_write(ssh, verstring, strlen(verstring));
2572 sfree(verstring);
2573 }
2574
2575 static int do_ssh_init(Ssh ssh, unsigned char c)
2576 {
2577 struct do_ssh_init_state {
2578 int vslen;
2579 char version[10];
2580 char *vstring;
2581 int vstrsize;
2582 int i;
2583 int proto1, proto2;
2584 };
2585 crState(do_ssh_init_state);
2586
2587 crBegin(ssh->do_ssh_init_crstate);
2588
2589 /* Search for a line beginning with the string "SSH-" in the input. */
2590 for (;;) {
2591 if (c != 'S') goto no;
2592 crReturn(1);
2593 if (c != 'S') goto no;
2594 crReturn(1);
2595 if (c != 'H') goto no;
2596 crReturn(1);
2597 if (c != '-') goto no;
2598 break;
2599 no:
2600 while (c != '\012')
2601 crReturn(1);
2602 crReturn(1);
2603 }
2604
2605 s->vstrsize = 16;
2606 s->vstring = snewn(s->vstrsize, char);
2607 strcpy(s->vstring, "SSH-");
2608 s->vslen = 4;
2609 s->i = 0;
2610 while (1) {
2611 crReturn(1); /* get another char */
2612 if (s->vslen >= s->vstrsize - 1) {
2613 s->vstrsize += 16;
2614 s->vstring = sresize(s->vstring, s->vstrsize, char);
2615 }
2616 s->vstring[s->vslen++] = c;
2617 if (s->i >= 0) {
2618 if (c == '-') {
2619 s->version[s->i] = '\0';
2620 s->i = -1;
2621 } else if (s->i < sizeof(s->version) - 1)
2622 s->version[s->i++] = c;
2623 } else if (c == '\012')
2624 break;
2625 }
2626
2627 ssh->agentfwd_enabled = FALSE;
2628 ssh->rdpkt2_state.incoming_sequence = 0;
2629
2630 s->vstring[s->vslen] = 0;
2631 s->vstring[strcspn(s->vstring, "\015\012")] = '\0';/* remove EOL chars */
2632 logeventf(ssh, "Server version: %s", s->vstring);
2633 ssh_detect_bugs(ssh, s->vstring);
2634
2635 /*
2636 * Decide which SSH protocol version to support.
2637 */
2638
2639 /* Anything strictly below "2.0" means protocol 1 is supported. */
2640 s->proto1 = ssh_versioncmp(s->version, "2.0") < 0;
2641 /* Anything greater or equal to "1.99" means protocol 2 is supported. */
2642 s->proto2 = ssh_versioncmp(s->version, "1.99") >= 0;
2643
2644 if (ssh->cfg.sshprot == 0 && !s->proto1) {
2645 bombout(("SSH protocol version 1 required by user but not provided by server"));
2646 crStop(0);
2647 }
2648 if (ssh->cfg.sshprot == 3 && !s->proto2) {
2649 bombout(("SSH protocol version 2 required by user but not provided by server"));
2650 crStop(0);
2651 }
2652
2653 if (s->proto2 && (ssh->cfg.sshprot >= 2 || !s->proto1))
2654 ssh->version = 2;
2655 else
2656 ssh->version = 1;
2657
2658 logeventf(ssh, "Using SSH protocol version %d", ssh->version);
2659
2660 /* Send the version string, if we haven't already */
2661 if (ssh->cfg.sshprot != 3)
2662 ssh_send_verstring(ssh, s->version);
2663
2664 if (ssh->version == 2) {
2665 size_t len;
2666 /*
2667 * Record their version string.
2668 */
2669 len = strcspn(s->vstring, "\015\012");
2670 ssh->v_s = snewn(len + 1, char);
2671 memcpy(ssh->v_s, s->vstring, len);
2672 ssh->v_s[len] = 0;
2673
2674 /*
2675 * Initialise SSH-2 protocol.
2676 */
2677 ssh->protocol = ssh2_protocol;
2678 ssh2_protocol_setup(ssh);
2679 ssh->s_rdpkt = ssh2_rdpkt;
2680 } else {
2681 /*
2682 * Initialise SSH-1 protocol.
2683 */
2684 ssh->protocol = ssh1_protocol;
2685 ssh1_protocol_setup(ssh);
2686 ssh->s_rdpkt = ssh1_rdpkt;
2687 }
2688 if (ssh->version == 2)
2689 do_ssh2_transport(ssh, NULL, -1, NULL);
2690
2691 update_specials_menu(ssh->frontend);
2692 ssh->state = SSH_STATE_BEFORE_SIZE;
2693 ssh->pinger = pinger_new(&ssh->cfg, &ssh_backend, ssh);
2694
2695 sfree(s->vstring);
2696
2697 crFinish(0);
2698 }
2699
2700 static void ssh_process_incoming_data(Ssh ssh,
2701 unsigned char **data, int *datalen)
2702 {
2703 struct Packet *pktin;
2704
2705 pktin = ssh->s_rdpkt(ssh, data, datalen);
2706 if (pktin) {
2707 ssh->protocol(ssh, NULL, 0, pktin);
2708 ssh_free_packet(pktin);
2709 }
2710 }
2711
2712 static void ssh_queue_incoming_data(Ssh ssh,
2713 unsigned char **data, int *datalen)
2714 {
2715 bufchain_add(&ssh->queued_incoming_data, *data, *datalen);
2716 *data += *datalen;
2717 *datalen = 0;
2718 }
2719
2720 static void ssh_process_queued_incoming_data(Ssh ssh)
2721 {
2722 void *vdata;
2723 unsigned char *data;
2724 int len, origlen;
2725
2726 while (!ssh->frozen && bufchain_size(&ssh->queued_incoming_data)) {
2727 bufchain_prefix(&ssh->queued_incoming_data, &vdata, &len);
2728 data = vdata;
2729 origlen = len;
2730
2731 while (!ssh->frozen && len > 0)
2732 ssh_process_incoming_data(ssh, &data, &len);
2733
2734 if (origlen > len)
2735 bufchain_consume(&ssh->queued_incoming_data, origlen - len);
2736 }
2737 }
2738
2739 static void ssh_set_frozen(Ssh ssh, int frozen)
2740 {
2741 if (ssh->s)
2742 sk_set_frozen(ssh->s, frozen);
2743 ssh->frozen = frozen;
2744 }
2745
2746 static void ssh_gotdata(Ssh ssh, unsigned char *data, int datalen)
2747 {
2748 /* Log raw data, if we're in that mode. */
2749 if (ssh->logctx)
2750 log_packet(ssh->logctx, PKT_INCOMING, -1, NULL, data, datalen,
2751 0, NULL, NULL);
2752
2753 crBegin(ssh->ssh_gotdata_crstate);
2754
2755 /*
2756 * To begin with, feed the characters one by one to the
2757 * protocol initialisation / selection function do_ssh_init().
2758 * When that returns 0, we're done with the initial greeting
2759 * exchange and can move on to packet discipline.
2760 */
2761 while (1) {
2762 int ret; /* need not be kept across crReturn */
2763 if (datalen == 0)
2764 crReturnV; /* more data please */
2765 ret = do_ssh_init(ssh, *data);
2766 data++;
2767 datalen--;
2768 if (ret == 0)
2769 break;
2770 }
2771
2772 /*
2773 * We emerge from that loop when the initial negotiation is
2774 * over and we have selected an s_rdpkt function. Now pass
2775 * everything to s_rdpkt, and then pass the resulting packets
2776 * to the proper protocol handler.
2777 */
2778
2779 while (1) {
2780 while (bufchain_size(&ssh->queued_incoming_data) > 0 || datalen > 0) {
2781 if (ssh->frozen) {
2782 ssh_queue_incoming_data(ssh, &data, &datalen);
2783 /* This uses up all data and cannot cause anything interesting
2784 * to happen; indeed, for anything to happen at all, we must
2785 * return, so break out. */
2786 break;
2787 } else if (bufchain_size(&ssh->queued_incoming_data) > 0) {
2788 /* This uses up some or all data, and may freeze the
2789 * session. */
2790 ssh_process_queued_incoming_data(ssh);
2791 } else {
2792 /* This uses up some or all data, and may freeze the
2793 * session. */
2794 ssh_process_incoming_data(ssh, &data, &datalen);
2795 }
2796 /* FIXME this is probably EBW. */
2797 if (ssh->state == SSH_STATE_CLOSED)
2798 return;
2799 }
2800 /* We're out of data. Go and get some more. */
2801 crReturnV;
2802 }
2803 crFinishV;
2804 }
2805
2806 static int ssh_do_close(Ssh ssh, int notify_exit)
2807 {
2808 int ret = 0;
2809 struct ssh_channel *c;
2810
2811 ssh->state = SSH_STATE_CLOSED;
2812 expire_timer_context(ssh);
2813 if (ssh->s) {
2814 sk_close(ssh->s);
2815 ssh->s = NULL;
2816 if (notify_exit)
2817 notify_remote_exit(ssh->frontend);
2818 else
2819 ret = 1;
2820 }
2821 /*
2822 * Now we must shut down any port- and X-forwarded channels going
2823 * through this connection.
2824 */
2825 if (ssh->channels) {
2826 while (NULL != (c = index234(ssh->channels, 0))) {
2827 switch (c->type) {
2828 case CHAN_X11:
2829 x11_close(c->u.x11.s);
2830 break;
2831 case CHAN_SOCKDATA:
2832 pfd_close(c->u.pfd.s);
2833 break;
2834 }
2835 del234(ssh->channels, c); /* moving next one to index 0 */
2836 if (ssh->version == 2)
2837 bufchain_clear(&c->v.v2.outbuffer);
2838 sfree(c);
2839 }
2840 }
2841 /*
2842 * Go through port-forwardings, and close any associated
2843 * listening sockets.
2844 */
2845 if (ssh->portfwds) {
2846 struct ssh_portfwd *pf;
2847 while (NULL != (pf = index234(ssh->portfwds, 0))) {
2848 /* Dispose of any listening socket. */
2849 if (pf->local)
2850 pfd_terminate(pf->local);
2851 del234(ssh->portfwds, pf); /* moving next one to index 0 */
2852 free_portfwd(pf);
2853 }
2854 }
2855
2856 return ret;
2857 }
2858
2859 static void ssh_log(Plug plug, int type, SockAddr addr, int port,
2860 const char *error_msg, int error_code)
2861 {
2862 Ssh ssh = (Ssh) plug;
2863 char addrbuf[256], *msg;
2864
2865 sk_getaddr(addr, addrbuf, lenof(addrbuf));
2866
2867 if (type == 0)
2868 msg = dupprintf("Connecting to %s port %d", addrbuf, port);
2869 else
2870 msg = dupprintf("Failed to connect to %s: %s", addrbuf, error_msg);
2871
2872 logevent(msg);
2873 sfree(msg);
2874 }
2875
2876 static int ssh_closing(Plug plug, const char *error_msg, int error_code,
2877 int calling_back)
2878 {
2879 Ssh ssh = (Ssh) plug;
2880 int need_notify = ssh_do_close(ssh, FALSE);
2881
2882 if (!error_msg) {
2883 if (!ssh->close_expected)
2884 error_msg = "Server unexpectedly closed network connection";
2885 else
2886 error_msg = "Server closed network connection";
2887 }
2888
2889 if (ssh->close_expected && ssh->clean_exit && ssh->exitcode < 0)
2890 ssh->exitcode = 0;
2891
2892 if (need_notify)
2893 notify_remote_exit(ssh->frontend);
2894
2895 if (error_msg)
2896 logevent(error_msg);
2897 if (!ssh->close_expected || !ssh->clean_exit)
2898 connection_fatal(ssh->frontend, "%s", error_msg);
2899 return 0;
2900 }
2901
2902 static int ssh_receive(Plug plug, int urgent, char *data, int len)
2903 {
2904 Ssh ssh = (Ssh) plug;
2905 ssh_gotdata(ssh, (unsigned char *)data, len);
2906 if (ssh->state == SSH_STATE_CLOSED) {
2907 ssh_do_close(ssh, TRUE);
2908 return 0;
2909 }
2910 return 1;
2911 }
2912
2913 static void ssh_sent(Plug plug, int bufsize)
2914 {
2915 Ssh ssh = (Ssh) plug;
2916 /*
2917 * If the send backlog on the SSH socket itself clears, we
2918 * should unthrottle the whole world if it was throttled.
2919 */
2920 if (bufsize < SSH_MAX_BACKLOG)
2921 ssh_throttle_all(ssh, 0, bufsize);
2922 }
2923
2924 /*
2925 * Connect to specified host and port.
2926 * Returns an error message, or NULL on success.
2927 * Also places the canonical host name into `realhost'. It must be
2928 * freed by the caller.
2929 */
2930 static const char *connect_to_host(Ssh ssh, char *host, int port,
2931 char **realhost, int nodelay, int keepalive)
2932 {
2933 static const struct plug_function_table fn_table = {
2934 ssh_log,
2935 ssh_closing,
2936 ssh_receive,
2937 ssh_sent,
2938 NULL
2939 };
2940
2941 SockAddr addr;
2942 const char *err;
2943
2944 if (*ssh->cfg.loghost) {
2945 char *colon;
2946
2947 ssh->savedhost = dupstr(ssh->cfg.loghost);
2948 ssh->savedport = 22; /* default ssh port */
2949
2950 /*
2951 * A colon suffix on savedhost also lets us affect
2952 * savedport.
2953 *
2954 * (FIXME: do something about IPv6 address literals here.)
2955 */
2956 colon = strrchr(ssh->savedhost, ':');
2957 if (colon) {
2958 *colon++ = '\0';
2959 if (*colon)
2960 ssh->savedport = atoi(colon);
2961 }
2962 } else {
2963 ssh->savedhost = dupstr(host);
2964 if (port < 0)
2965 port = 22; /* default ssh port */
2966 ssh->savedport = port;
2967 }
2968
2969 /*
2970 * Try to find host.
2971 */
2972 logeventf(ssh, "Looking up host \"%s\"%s", host,
2973 (ssh->cfg.addressfamily == ADDRTYPE_IPV4 ? " (IPv4)" :
2974 (ssh->cfg.addressfamily == ADDRTYPE_IPV6 ? " (IPv6)" : "")));
2975 addr = name_lookup(host, port, realhost, &ssh->cfg,
2976 ssh->cfg.addressfamily);
2977 if ((err = sk_addr_error(addr)) != NULL) {
2978 sk_addr_free(addr);
2979 return err;
2980 }
2981 ssh->fullhostname = dupstr(*realhost); /* save in case of GSSAPI */
2982
2983 /*
2984 * Open socket.
2985 */
2986 ssh->fn = &fn_table;
2987 ssh->s = new_connection(addr, *realhost, port,
2988 0, 1, nodelay, keepalive, (Plug) ssh, &ssh->cfg);
2989 if ((err = sk_socket_error(ssh->s)) != NULL) {
2990 ssh->s = NULL;
2991 notify_remote_exit(ssh->frontend);
2992 return err;
2993 }
2994
2995 /*
2996 * If the SSH version number's fixed, set it now, and if it's SSH-2,
2997 * send the version string too.
2998 */
2999 if (ssh->cfg.sshprot == 0)
3000 ssh->version = 1;
3001 if (ssh->cfg.sshprot == 3) {
3002 ssh->version = 2;
3003 ssh_send_verstring(ssh, NULL);
3004 }
3005
3006 /*
3007 * loghost, if configured, overrides realhost.
3008 */
3009 if (*ssh->cfg.loghost) {
3010 sfree(*realhost);
3011 *realhost = dupstr(ssh->cfg.loghost);
3012 }
3013
3014 return NULL;
3015 }
3016
3017 /*
3018 * Throttle or unthrottle the SSH connection.
3019 */
3020 static void ssh_throttle_conn(Ssh ssh, int adjust)
3021 {
3022 int old_count = ssh->conn_throttle_count;
3023 ssh->conn_throttle_count += adjust;
3024 assert(ssh->conn_throttle_count >= 0);
3025 if (ssh->conn_throttle_count && !old_count) {
3026 ssh_set_frozen(ssh, 1);
3027 } else if (!ssh->conn_throttle_count && old_count) {
3028 ssh_set_frozen(ssh, 0);
3029 }
3030 }
3031
3032 /*
3033 * Throttle or unthrottle _all_ local data streams (for when sends
3034 * on the SSH connection itself back up).
3035 */
3036 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize)
3037 {
3038 int i;
3039 struct ssh_channel *c;
3040
3041 if (enable == ssh->throttled_all)
3042 return;
3043 ssh->throttled_all = enable;
3044 ssh->overall_bufsize = bufsize;
3045 if (!ssh->channels)
3046 return;
3047 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++) {
3048 switch (c->type) {
3049 case CHAN_MAINSESSION:
3050 /*
3051 * This is treated separately, outside the switch.
3052 */
3053 break;
3054 case CHAN_X11:
3055 x11_override_throttle(c->u.x11.s, enable);
3056 break;
3057 case CHAN_AGENT:
3058 /* Agent channels require no buffer management. */
3059 break;
3060 case CHAN_SOCKDATA:
3061 pfd_override_throttle(c->u.pfd.s, enable);
3062 break;
3063 }
3064 }
3065 }
3066
3067 static void ssh_agent_callback(void *sshv, void *reply, int replylen)
3068 {
3069 Ssh ssh = (Ssh) sshv;
3070
3071 ssh->agent_response = reply;
3072 ssh->agent_response_len = replylen;
3073
3074 if (ssh->version == 1)
3075 do_ssh1_login(ssh, NULL, -1, NULL);
3076 else
3077 do_ssh2_authconn(ssh, NULL, -1, NULL);
3078 }
3079
3080 static void ssh_dialog_callback(void *sshv, int ret)
3081 {
3082 Ssh ssh = (Ssh) sshv;
3083
3084 ssh->user_response = ret;
3085
3086 if (ssh->version == 1)
3087 do_ssh1_login(ssh, NULL, -1, NULL);
3088 else
3089 do_ssh2_transport(ssh, NULL, -1, NULL);
3090
3091 /*
3092 * This may have unfrozen the SSH connection, so do a
3093 * queued-data run.
3094 */
3095 ssh_process_queued_incoming_data(ssh);
3096 }
3097
3098 static void ssh_agentf_callback(void *cv, void *reply, int replylen)
3099 {
3100 struct ssh_channel *c = (struct ssh_channel *)cv;
3101 Ssh ssh = c->ssh;
3102 void *sentreply = reply;
3103
3104 if (!sentreply) {
3105 /* Fake SSH_AGENT_FAILURE. */
3106 sentreply = "\0\0\0\1\5";
3107 replylen = 5;
3108 }
3109 if (ssh->version == 2) {
3110 ssh2_add_channel_data(c, sentreply, replylen);
3111 ssh2_try_send(c);
3112 } else {
3113 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
3114 PKT_INT, c->remoteid,
3115 PKT_INT, replylen,
3116 PKTT_DATA,
3117 PKT_DATA, sentreply, replylen,
3118 PKTT_OTHER,
3119 PKT_END);
3120 }
3121 if (reply)
3122 sfree(reply);
3123 }
3124
3125 /*
3126 * Client-initiated disconnection. Send a DISCONNECT if `wire_reason'
3127 * non-NULL, otherwise just close the connection. `client_reason' == NULL
3128 * => log `wire_reason'.
3129 */
3130 static void ssh_disconnect(Ssh ssh, char *client_reason, char *wire_reason,
3131 int code, int clean_exit)
3132 {
3133 char *error;
3134 if (!client_reason)
3135 client_reason = wire_reason;
3136 if (client_reason)
3137 error = dupprintf("Disconnected: %s", client_reason);
3138 else
3139 error = dupstr("Disconnected");
3140 if (wire_reason) {
3141 if (ssh->version == 1) {
3142 send_packet(ssh, SSH1_MSG_DISCONNECT, PKT_STR, wire_reason,
3143 PKT_END);
3144 } else if (ssh->version == 2) {
3145 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_DISCONNECT);
3146 ssh2_pkt_adduint32(pktout, code);
3147 ssh2_pkt_addstring(pktout, wire_reason);
3148 ssh2_pkt_addstring(pktout, "en"); /* language tag */
3149 ssh2_pkt_send_noqueue(ssh, pktout);
3150 }
3151 }
3152 ssh->close_expected = TRUE;
3153 ssh->clean_exit = clean_exit;
3154 ssh_closing((Plug)ssh, error, 0, 0);
3155 sfree(error);
3156 }
3157
3158 /*
3159 * Handle the key exchange and user authentication phases.
3160 */
3161 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
3162 struct Packet *pktin)
3163 {
3164 int i, j, ret;
3165 unsigned char cookie[8], *ptr;
3166 struct RSAKey servkey, hostkey;
3167 struct MD5Context md5c;
3168 struct do_ssh1_login_state {
3169 int len;
3170 unsigned char *rsabuf, *keystr1, *keystr2;
3171 unsigned long supported_ciphers_mask, supported_auths_mask;
3172 int tried_publickey, tried_agent;
3173 int tis_auth_refused, ccard_auth_refused;
3174 unsigned char session_id[16];
3175 int cipher_type;
3176 char username[100];
3177 void *publickey_blob;
3178 int publickey_bloblen;
3179 char *publickey_comment;
3180 int publickey_encrypted;
3181 prompts_t *cur_prompt;
3182 char c;
3183 int pwpkt_type;
3184 unsigned char request[5], *response, *p;
3185 int responselen;
3186 int keyi, nkeys;
3187 int authed;
3188 struct RSAKey key;
3189 Bignum challenge;
3190 char *commentp;
3191 int commentlen;
3192 int dlgret;
3193 };
3194 crState(do_ssh1_login_state);
3195
3196 crBegin(ssh->do_ssh1_login_crstate);
3197
3198 if (!pktin)
3199 crWaitUntil(pktin);
3200
3201 if (pktin->type != SSH1_SMSG_PUBLIC_KEY) {
3202 bombout(("Public key packet not received"));
3203 crStop(0);
3204 }
3205
3206 logevent("Received public keys");
3207
3208 ptr = ssh_pkt_getdata(pktin, 8);
3209 if (!ptr) {
3210 bombout(("SSH-1 public key packet stopped before random cookie"));
3211 crStop(0);
3212 }
3213 memcpy(cookie, ptr, 8);
3214
3215 if (!ssh1_pkt_getrsakey(pktin, &servkey, &s->keystr1) ||
3216 !ssh1_pkt_getrsakey(pktin, &hostkey, &s->keystr2)) {
3217 bombout(("Failed to read SSH-1 public keys from public key packet"));
3218 crStop(0);
3219 }
3220
3221 /*
3222 * Log the host key fingerprint.
3223 */
3224 {
3225 char logmsg[80];
3226 logevent("Host key fingerprint is:");
3227 strcpy(logmsg, " ");
3228 hostkey.comment = NULL;
3229 rsa_fingerprint(logmsg + strlen(logmsg),
3230 sizeof(logmsg) - strlen(logmsg), &hostkey);
3231 logevent(logmsg);
3232 }
3233
3234 ssh->v1_remote_protoflags = ssh_pkt_getuint32(pktin);
3235 s->supported_ciphers_mask = ssh_pkt_getuint32(pktin);
3236 s->supported_auths_mask = ssh_pkt_getuint32(pktin);
3237 if ((ssh->remote_bugs & BUG_CHOKES_ON_RSA))
3238 s->supported_auths_mask &= ~(1 << SSH1_AUTH_RSA);
3239
3240 ssh->v1_local_protoflags =
3241 ssh->v1_remote_protoflags & SSH1_PROTOFLAGS_SUPPORTED;
3242 ssh->v1_local_protoflags |= SSH1_PROTOFLAG_SCREEN_NUMBER;
3243
3244 MD5Init(&md5c);
3245 MD5Update(&md5c, s->keystr2, hostkey.bytes);
3246 MD5Update(&md5c, s->keystr1, servkey.bytes);
3247 MD5Update(&md5c, cookie, 8);
3248 MD5Final(s->session_id, &md5c);
3249
3250 for (i = 0; i < 32; i++)
3251 ssh->session_key[i] = random_byte();
3252
3253 /*
3254 * Verify that the `bits' and `bytes' parameters match.
3255 */
3256 if (hostkey.bits > hostkey.bytes * 8 ||
3257 servkey.bits > servkey.bytes * 8) {
3258 bombout(("SSH-1 public keys were badly formatted"));
3259 crStop(0);
3260 }
3261
3262 s->len = (hostkey.bytes > servkey.bytes ? hostkey.bytes : servkey.bytes);
3263
3264 s->rsabuf = snewn(s->len, unsigned char);
3265
3266 /*
3267 * Verify the host key.
3268 */
3269 {
3270 /*
3271 * First format the key into a string.
3272 */
3273 int len = rsastr_len(&hostkey);
3274 char fingerprint[100];
3275 char *keystr = snewn(len, char);
3276 rsastr_fmt(keystr, &hostkey);
3277 rsa_fingerprint(fingerprint, sizeof(fingerprint), &hostkey);
3278
3279 ssh_set_frozen(ssh, 1);
3280 s->dlgret = verify_ssh_host_key(ssh->frontend,
3281 ssh->savedhost, ssh->savedport,
3282 "rsa", keystr, fingerprint,
3283 ssh_dialog_callback, ssh);
3284 sfree(keystr);
3285 if (s->dlgret < 0) {
3286 do {
3287 crReturn(0);
3288 if (pktin) {
3289 bombout(("Unexpected data from server while waiting"
3290 " for user host key response"));
3291 crStop(0);
3292 }
3293 } while (pktin || inlen > 0);
3294 s->dlgret = ssh->user_response;
3295 }
3296 ssh_set_frozen(ssh, 0);
3297
3298 if (s->dlgret == 0) {
3299 ssh_disconnect(ssh, "User aborted at host key verification",
3300 NULL, 0, TRUE);
3301 crStop(0);
3302 }
3303 }
3304
3305 for (i = 0; i < 32; i++) {
3306 s->rsabuf[i] = ssh->session_key[i];
3307 if (i < 16)
3308 s->rsabuf[i] ^= s->session_id[i];
3309 }
3310
3311 if (hostkey.bytes > servkey.bytes) {
3312 ret = rsaencrypt(s->rsabuf, 32, &servkey);
3313 if (ret)
3314 ret = rsaencrypt(s->rsabuf, servkey.bytes, &hostkey);
3315 } else {
3316 ret = rsaencrypt(s->rsabuf, 32, &hostkey);
3317 if (ret)
3318 ret = rsaencrypt(s->rsabuf, hostkey.bytes, &servkey);
3319 }
3320 if (!ret) {
3321 bombout(("SSH-1 public key encryptions failed due to bad formatting"));
3322 crStop(0);
3323 }
3324
3325 logevent("Encrypted session key");
3326
3327 {
3328 int cipher_chosen = 0, warn = 0;
3329 char *cipher_string = NULL;
3330 int i;
3331 for (i = 0; !cipher_chosen && i < CIPHER_MAX; i++) {
3332 int next_cipher = ssh->cfg.ssh_cipherlist[i];
3333 if (next_cipher == CIPHER_WARN) {
3334 /* If/when we choose a cipher, warn about it */
3335 warn = 1;
3336 } else if (next_cipher == CIPHER_AES) {
3337 /* XXX Probably don't need to mention this. */
3338 logevent("AES not supported in SSH-1, skipping");
3339 } else {
3340 switch (next_cipher) {
3341 case CIPHER_3DES: s->cipher_type = SSH_CIPHER_3DES;
3342 cipher_string = "3DES"; break;
3343 case CIPHER_BLOWFISH: s->cipher_type = SSH_CIPHER_BLOWFISH;
3344 cipher_string = "Blowfish"; break;
3345 case CIPHER_DES: s->cipher_type = SSH_CIPHER_DES;
3346 cipher_string = "single-DES"; break;
3347 }
3348 if (s->supported_ciphers_mask & (1 << s->cipher_type))
3349 cipher_chosen = 1;
3350 }
3351 }
3352 if (!cipher_chosen) {
3353 if ((s->supported_ciphers_mask & (1 << SSH_CIPHER_3DES)) == 0)
3354 bombout(("Server violates SSH-1 protocol by not "
3355 "supporting 3DES encryption"));
3356 else
3357 /* shouldn't happen */
3358 bombout(("No supported ciphers found"));
3359 crStop(0);
3360 }
3361
3362 /* Warn about chosen cipher if necessary. */
3363 if (warn) {
3364 ssh_set_frozen(ssh, 1);
3365 s->dlgret = askalg(ssh->frontend, "cipher", cipher_string,
3366 ssh_dialog_callback, ssh);
3367 if (s->dlgret < 0) {
3368 do {
3369 crReturn(0);
3370 if (pktin) {
3371 bombout(("Unexpected data from server while waiting"
3372 " for user response"));
3373 crStop(0);
3374 }
3375 } while (pktin || inlen > 0);
3376 s->dlgret = ssh->user_response;
3377 }
3378 ssh_set_frozen(ssh, 0);
3379 if (s->dlgret == 0) {
3380 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
3381 0, TRUE);
3382 crStop(0);
3383 }
3384 }
3385 }
3386
3387 switch (s->cipher_type) {
3388 case SSH_CIPHER_3DES:
3389 logevent("Using 3DES encryption");
3390 break;
3391 case SSH_CIPHER_DES:
3392 logevent("Using single-DES encryption");
3393 break;
3394 case SSH_CIPHER_BLOWFISH:
3395 logevent("Using Blowfish encryption");
3396 break;
3397 }
3398
3399 send_packet(ssh, SSH1_CMSG_SESSION_KEY,
3400 PKT_CHAR, s->cipher_type,
3401 PKT_DATA, cookie, 8,
3402 PKT_CHAR, (s->len * 8) >> 8, PKT_CHAR, (s->len * 8) & 0xFF,
3403 PKT_DATA, s->rsabuf, s->len,
3404 PKT_INT, ssh->v1_local_protoflags, PKT_END);
3405
3406 logevent("Trying to enable encryption...");
3407
3408 sfree(s->rsabuf);
3409
3410 ssh->cipher = (s->cipher_type == SSH_CIPHER_BLOWFISH ? &ssh_blowfish_ssh1 :
3411 s->cipher_type == SSH_CIPHER_DES ? &ssh_des :
3412 &ssh_3des);
3413 ssh->v1_cipher_ctx = ssh->cipher->make_context();
3414 ssh->cipher->sesskey(ssh->v1_cipher_ctx, ssh->session_key);
3415 logeventf(ssh, "Initialised %s encryption", ssh->cipher->text_name);
3416
3417 ssh->crcda_ctx = crcda_make_context();
3418 logevent("Installing CRC compensation attack detector");
3419
3420 if (servkey.modulus) {
3421 sfree(servkey.modulus);
3422 servkey.modulus = NULL;
3423 }
3424 if (servkey.exponent) {
3425 sfree(servkey.exponent);
3426 servkey.exponent = NULL;
3427 }
3428 if (hostkey.modulus) {
3429 sfree(hostkey.modulus);
3430 hostkey.modulus = NULL;
3431 }
3432 if (hostkey.exponent) {
3433 sfree(hostkey.exponent);
3434 hostkey.exponent = NULL;
3435 }
3436 crWaitUntil(pktin);
3437
3438 if (pktin->type != SSH1_SMSG_SUCCESS) {
3439 bombout(("Encryption not successfully enabled"));
3440 crStop(0);
3441 }
3442
3443 logevent("Successfully started encryption");
3444
3445 fflush(stdout); /* FIXME eh? */
3446 {
3447 if (!get_remote_username(&ssh->cfg, s->username,
3448 sizeof(s->username))) {
3449 int ret; /* need not be kept over crReturn */
3450 s->cur_prompt = new_prompts(ssh->frontend);
3451 s->cur_prompt->to_server = TRUE;
3452 s->cur_prompt->name = dupstr("SSH login name");
3453 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
3454 lenof(s->username));
3455 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3456 while (ret < 0) {
3457 ssh->send_ok = 1;
3458 crWaitUntil(!pktin);
3459 ret = get_userpass_input(s->cur_prompt, in, inlen);
3460 ssh->send_ok = 0;
3461 }
3462 if (!ret) {
3463 /*
3464 * Failed to get a username. Terminate.
3465 */
3466 free_prompts(s->cur_prompt);
3467 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
3468 crStop(0);
3469 }
3470 memcpy(s->username, s->cur_prompt->prompts[0]->result,
3471 lenof(s->username));
3472 free_prompts(s->cur_prompt);
3473 }
3474
3475 send_packet(ssh, SSH1_CMSG_USER, PKT_STR, s->username, PKT_END);
3476 {
3477 char *userlog = dupprintf("Sent username \"%s\"", s->username);
3478 logevent(userlog);
3479 if (flags & FLAG_INTERACTIVE &&
3480 (!((flags & FLAG_STDERR) && (flags & FLAG_VERBOSE)))) {
3481 c_write_str(ssh, userlog);
3482 c_write_str(ssh, "\r\n");
3483 }
3484 sfree(userlog);
3485 }
3486 }
3487
3488 crWaitUntil(pktin);
3489
3490 if ((s->supported_auths_mask & (1 << SSH1_AUTH_RSA)) == 0) {
3491 /* We must not attempt PK auth. Pretend we've already tried it. */
3492 s->tried_publickey = s->tried_agent = 1;
3493 } else {
3494 s->tried_publickey = s->tried_agent = 0;
3495 }
3496 s->tis_auth_refused = s->ccard_auth_refused = 0;
3497 /*
3498 * Load the public half of any configured keyfile for later use.
3499 */
3500 if (!filename_is_null(ssh->cfg.keyfile)) {
3501 int keytype;
3502 logeventf(ssh, "Reading private key file \"%.150s\"",
3503 filename_to_str(&ssh->cfg.keyfile));
3504 keytype = key_type(&ssh->cfg.keyfile);
3505 if (keytype == SSH_KEYTYPE_SSH1) {
3506 const char *error;
3507 if (rsakey_pubblob(&ssh->cfg.keyfile,
3508 &s->publickey_blob, &s->publickey_bloblen,
3509 &s->publickey_comment, &error)) {
3510 s->publickey_encrypted = rsakey_encrypted(&ssh->cfg.keyfile,
3511 NULL);
3512 } else {
3513 char *msgbuf;
3514 logeventf(ssh, "Unable to load private key (%s)", error);
3515 msgbuf = dupprintf("Unable to load private key file "
3516 "\"%.150s\" (%s)\r\n",
3517 filename_to_str(&ssh->cfg.keyfile),
3518 error);
3519 c_write_str(ssh, msgbuf);
3520 sfree(msgbuf);
3521 s->publickey_blob = NULL;
3522 }
3523 } else {
3524 char *msgbuf;
3525 logeventf(ssh, "Unable to use this key file (%s)",
3526 key_type_to_str(keytype));
3527 msgbuf = dupprintf("Unable to use key file \"%.150s\""
3528 " (%s)\r\n",
3529 filename_to_str(&ssh->cfg.keyfile),
3530 key_type_to_str(keytype));
3531 c_write_str(ssh, msgbuf);
3532 sfree(msgbuf);
3533 s->publickey_blob = NULL;
3534 }
3535 } else
3536 s->publickey_blob = NULL;
3537
3538 while (pktin->type == SSH1_SMSG_FAILURE) {
3539 s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
3540
3541 if (ssh->cfg.tryagent && agent_exists() && !s->tried_agent) {
3542 /*
3543 * Attempt RSA authentication using Pageant.
3544 */
3545 void *r;
3546
3547 s->authed = FALSE;
3548 s->tried_agent = 1;
3549 logevent("Pageant is running. Requesting keys.");
3550
3551 /* Request the keys held by the agent. */
3552 PUT_32BIT(s->request, 1);
3553 s->request[4] = SSH1_AGENTC_REQUEST_RSA_IDENTITIES;
3554 if (!agent_query(s->request, 5, &r, &s->responselen,
3555 ssh_agent_callback, ssh)) {
3556 do {
3557 crReturn(0);
3558 if (pktin) {
3559 bombout(("Unexpected data from server while waiting"
3560 " for agent response"));
3561 crStop(0);
3562 }
3563 } while (pktin || inlen > 0);
3564 r = ssh->agent_response;
3565 s->responselen = ssh->agent_response_len;
3566 }
3567 s->response = (unsigned char *) r;
3568 if (s->response && s->responselen >= 5 &&
3569 s->response[4] == SSH1_AGENT_RSA_IDENTITIES_ANSWER) {
3570 s->p = s->response + 5;
3571 s->nkeys = GET_32BIT(s->p);
3572 s->p += 4;
3573 logeventf(ssh, "Pageant has %d SSH-1 keys", s->nkeys);
3574 for (s->keyi = 0; s->keyi < s->nkeys; s->keyi++) {
3575 unsigned char *pkblob = s->p;
3576 s->p += 4;
3577 {
3578 int n, ok = FALSE;
3579 do { /* do while (0) to make breaking easy */
3580 n = ssh1_read_bignum
3581 (s->p, s->responselen-(s->p-s->response),
3582 &s->key.exponent);
3583 if (n < 0)
3584 break;
3585 s->p += n;
3586 n = ssh1_read_bignum
3587 (s->p, s->responselen-(s->p-s->response),
3588 &s->key.modulus);
3589 if (n < 0)
3590 break;
3591 s->p += n;
3592 if (s->responselen - (s->p-s->response) < 4)
3593 break;
3594 s->commentlen = GET_32BIT(s->p);
3595 s->p += 4;
3596 if (s->responselen - (s->p-s->response) <
3597 s->commentlen)
3598 break;
3599 s->commentp = (char *)s->p;
3600 s->p += s->commentlen;
3601 ok = TRUE;
3602 } while (0);
3603 if (!ok) {
3604 logevent("Pageant key list packet was truncated");
3605 break;
3606 }
3607 }
3608 if (s->publickey_blob) {
3609 if (!memcmp(pkblob, s->publickey_blob,
3610 s->publickey_bloblen)) {
3611 logeventf(ssh, "Pageant key #%d matches "
3612 "configured key file", s->keyi);
3613 s->tried_publickey = 1;
3614 } else
3615 /* Skip non-configured key */
3616 continue;
3617 }
3618 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
3619 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3620 PKT_BIGNUM, s->key.modulus, PKT_END);
3621 crWaitUntil(pktin);
3622 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3623 logevent("Key refused");
3624 continue;
3625 }
3626 logevent("Received RSA challenge");
3627 if ((s->challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3628 bombout(("Server's RSA challenge was badly formatted"));
3629 crStop(0);
3630 }
3631
3632 {
3633 char *agentreq, *q, *ret;
3634 void *vret;
3635 int len, retlen;
3636 len = 1 + 4; /* message type, bit count */
3637 len += ssh1_bignum_length(s->key.exponent);
3638 len += ssh1_bignum_length(s->key.modulus);
3639 len += ssh1_bignum_length(s->challenge);
3640 len += 16; /* session id */
3641 len += 4; /* response format */
3642 agentreq = snewn(4 + len, char);
3643 PUT_32BIT(agentreq, len);
3644 q = agentreq + 4;
3645 *q++ = SSH1_AGENTC_RSA_CHALLENGE;
3646 PUT_32BIT(q, bignum_bitcount(s->key.modulus));
3647 q += 4;
3648 q += ssh1_write_bignum(q, s->key.exponent);
3649 q += ssh1_write_bignum(q, s->key.modulus);
3650 q += ssh1_write_bignum(q, s->challenge);
3651 memcpy(q, s->session_id, 16);
3652 q += 16;
3653 PUT_32BIT(q, 1); /* response format */
3654 if (!agent_query(agentreq, len + 4, &vret, &retlen,
3655 ssh_agent_callback, ssh)) {
3656 sfree(agentreq);
3657 do {
3658 crReturn(0);
3659 if (pktin) {
3660 bombout(("Unexpected data from server"
3661 " while waiting for agent"
3662 " response"));
3663 crStop(0);
3664 }
3665 } while (pktin || inlen > 0);
3666 vret = ssh->agent_response;
3667 retlen = ssh->agent_response_len;
3668 } else
3669 sfree(agentreq);
3670 ret = vret;
3671 if (ret) {
3672 if (ret[4] == SSH1_AGENT_RSA_RESPONSE) {
3673 logevent("Sending Pageant's response");
3674 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3675 PKT_DATA, ret + 5, 16,
3676 PKT_END);
3677 sfree(ret);
3678 crWaitUntil(pktin);
3679 if (pktin->type == SSH1_SMSG_SUCCESS) {
3680 logevent
3681 ("Pageant's response accepted");
3682 if (flags & FLAG_VERBOSE) {
3683 c_write_str(ssh, "Authenticated using"
3684 " RSA key \"");
3685 c_write(ssh, s->commentp,
3686 s->commentlen);
3687 c_write_str(ssh, "\" from agent\r\n");
3688 }
3689 s->authed = TRUE;
3690 } else
3691 logevent
3692 ("Pageant's response not accepted");
3693 } else {
3694 logevent
3695 ("Pageant failed to answer challenge");
3696 sfree(ret);
3697 }
3698 } else {
3699 logevent("No reply received from Pageant");
3700 }
3701 }
3702 freebn(s->key.exponent);
3703 freebn(s->key.modulus);
3704 freebn(s->challenge);
3705 if (s->authed)
3706 break;
3707 }
3708 sfree(s->response);
3709 if (s->publickey_blob && !s->tried_publickey)
3710 logevent("Configured key file not in Pageant");
3711 }
3712 if (s->authed)
3713 break;
3714 }
3715 if (s->publickey_blob && !s->tried_publickey) {
3716 /*
3717 * Try public key authentication with the specified
3718 * key file.
3719 */
3720 int got_passphrase; /* need not be kept over crReturn */
3721 if (flags & FLAG_VERBOSE)
3722 c_write_str(ssh, "Trying public key authentication.\r\n");
3723 logeventf(ssh, "Trying public key \"%s\"",
3724 filename_to_str(&ssh->cfg.keyfile));
3725 s->tried_publickey = 1;
3726 got_passphrase = FALSE;
3727 while (!got_passphrase) {
3728 /*
3729 * Get a passphrase, if necessary.
3730 */
3731 char *passphrase = NULL; /* only written after crReturn */
3732 const char *error;
3733 if (!s->publickey_encrypted) {
3734 if (flags & FLAG_VERBOSE)
3735 c_write_str(ssh, "No passphrase required.\r\n");
3736 passphrase = NULL;
3737 } else {
3738 int ret; /* need not be kept over crReturn */
3739 s->cur_prompt = new_prompts(ssh->frontend);
3740 s->cur_prompt->to_server = FALSE;
3741 s->cur_prompt->name = dupstr("SSH key passphrase");
3742 add_prompt(s->cur_prompt,
3743 dupprintf("Passphrase for key \"%.100s\": ",
3744 s->publickey_comment),
3745 FALSE, SSH_MAX_PASSWORD_LEN);
3746 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3747 while (ret < 0) {
3748 ssh->send_ok = 1;
3749 crWaitUntil(!pktin);
3750 ret = get_userpass_input(s->cur_prompt, in, inlen);
3751 ssh->send_ok = 0;
3752 }
3753 if (!ret) {
3754 /* Failed to get a passphrase. Terminate. */
3755 free_prompts(s->cur_prompt);
3756 ssh_disconnect(ssh, NULL, "Unable to authenticate",
3757 0, TRUE);
3758 crStop(0);
3759 }
3760 passphrase = dupstr(s->cur_prompt->prompts[0]->result);
3761 free_prompts(s->cur_prompt);
3762 }
3763 /*
3764 * Try decrypting key with passphrase.
3765 */
3766 ret = loadrsakey(&ssh->cfg.keyfile, &s->key, passphrase,
3767 &error);
3768 if (passphrase) {
3769 memset(passphrase, 0, strlen(passphrase));
3770 sfree(passphrase);
3771 }
3772 if (ret == 1) {
3773 /* Correct passphrase. */
3774 got_passphrase = TRUE;
3775 } else if (ret == 0) {
3776 c_write_str(ssh, "Couldn't load private key from ");
3777 c_write_str(ssh, filename_to_str(&ssh->cfg.keyfile));
3778 c_write_str(ssh, " (");
3779 c_write_str(ssh, error);
3780 c_write_str(ssh, ").\r\n");
3781 got_passphrase = FALSE;
3782 break; /* go and try something else */
3783 } else if (ret == -1) {
3784 c_write_str(ssh, "Wrong passphrase.\r\n"); /* FIXME */
3785 got_passphrase = FALSE;
3786 /* and try again */
3787 } else {
3788 assert(0 && "unexpected return from loadrsakey()");
3789 got_passphrase = FALSE; /* placate optimisers */
3790 }
3791 }
3792
3793 if (got_passphrase) {
3794
3795 /*
3796 * Send a public key attempt.
3797 */
3798 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3799 PKT_BIGNUM, s->key.modulus, PKT_END);
3800
3801 crWaitUntil(pktin);
3802 if (pktin->type == SSH1_SMSG_FAILURE) {
3803 c_write_str(ssh, "Server refused our public key.\r\n");
3804 continue; /* go and try something else */
3805 }
3806 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3807 bombout(("Bizarre response to offer of public key"));
3808 crStop(0);
3809 }
3810
3811 {
3812 int i;
3813 unsigned char buffer[32];
3814 Bignum challenge, response;
3815
3816 if ((challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3817 bombout(("Server's RSA challenge was badly formatted"));
3818 crStop(0);
3819 }
3820 response = rsadecrypt(challenge, &s->key);
3821 freebn(s->key.private_exponent);/* burn the evidence */
3822
3823 for (i = 0; i < 32; i++) {
3824 buffer[i] = bignum_byte(response, 31 - i);
3825 }
3826
3827 MD5Init(&md5c);
3828 MD5Update(&md5c, buffer, 32);
3829 MD5Update(&md5c, s->session_id, 16);
3830 MD5Final(buffer, &md5c);
3831
3832 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3833 PKT_DATA, buffer, 16, PKT_END);
3834
3835 freebn(challenge);
3836 freebn(response);
3837 }
3838
3839 crWaitUntil(pktin);
3840 if (pktin->type == SSH1_SMSG_FAILURE) {
3841 if (flags & FLAG_VERBOSE)
3842 c_write_str(ssh, "Failed to authenticate with"
3843 " our public key.\r\n");
3844 continue; /* go and try something else */
3845 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
3846 bombout(("Bizarre response to RSA authentication response"));
3847 crStop(0);
3848 }
3849
3850 break; /* we're through! */
3851 }
3852
3853 }
3854
3855 /*
3856 * Otherwise, try various forms of password-like authentication.
3857 */
3858 s->cur_prompt = new_prompts(ssh->frontend);
3859
3860 if (ssh->cfg.try_tis_auth &&
3861 (s->supported_auths_mask & (1 << SSH1_AUTH_TIS)) &&
3862 !s->tis_auth_refused) {
3863 s->pwpkt_type = SSH1_CMSG_AUTH_TIS_RESPONSE;
3864 logevent("Requested TIS authentication");
3865 send_packet(ssh, SSH1_CMSG_AUTH_TIS, PKT_END);
3866 crWaitUntil(pktin);
3867 if (pktin->type != SSH1_SMSG_AUTH_TIS_CHALLENGE) {
3868 logevent("TIS authentication declined");
3869 if (flags & FLAG_INTERACTIVE)
3870 c_write_str(ssh, "TIS authentication refused.\r\n");
3871 s->tis_auth_refused = 1;
3872 continue;
3873 } else {
3874 char *challenge;
3875 int challengelen;
3876 char *instr_suf, *prompt;
3877
3878 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3879 if (!challenge) {
3880 bombout(("TIS challenge packet was badly formed"));
3881 crStop(0);
3882 }
3883 logevent("Received TIS challenge");
3884 s->cur_prompt->to_server = TRUE;
3885 s->cur_prompt->name = dupstr("SSH TIS authentication");
3886 /* Prompt heuristic comes from OpenSSH */
3887 if (memchr(challenge, '\n', challengelen)) {
3888 instr_suf = dupstr("");
3889 prompt = dupprintf("%.*s", challengelen, challenge);
3890 } else {
3891 instr_suf = dupprintf("%.*s", challengelen, challenge);
3892 prompt = dupstr("Response: ");
3893 }
3894 s->cur_prompt->instruction =
3895 dupprintf("Using TIS authentication.%s%s",
3896 (*instr_suf) ? "\n" : "",
3897 instr_suf);
3898 s->cur_prompt->instr_reqd = TRUE;
3899 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3900 sfree(instr_suf);
3901 }
3902 }
3903 if (ssh->cfg.try_tis_auth &&
3904 (s->supported_auths_mask & (1 << SSH1_AUTH_CCARD)) &&
3905 !s->ccard_auth_refused) {
3906 s->pwpkt_type = SSH1_CMSG_AUTH_CCARD_RESPONSE;
3907 logevent("Requested CryptoCard authentication");
3908 send_packet(ssh, SSH1_CMSG_AUTH_CCARD, PKT_END);
3909 crWaitUntil(pktin);
3910 if (pktin->type != SSH1_SMSG_AUTH_CCARD_CHALLENGE) {
3911 logevent("CryptoCard authentication declined");
3912 c_write_str(ssh, "CryptoCard authentication refused.\r\n");
3913 s->ccard_auth_refused = 1;
3914 continue;
3915 } else {
3916 char *challenge;
3917 int challengelen;
3918 char *instr_suf, *prompt;
3919
3920 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3921 if (!challenge) {
3922 bombout(("CryptoCard challenge packet was badly formed"));
3923 crStop(0);
3924 }
3925 logevent("Received CryptoCard challenge");
3926 s->cur_prompt->to_server = TRUE;
3927 s->cur_prompt->name = dupstr("SSH CryptoCard authentication");
3928 s->cur_prompt->name_reqd = FALSE;
3929 /* Prompt heuristic comes from OpenSSH */
3930 if (memchr(challenge, '\n', challengelen)) {
3931 instr_suf = dupstr("");
3932 prompt = dupprintf("%.*s", challengelen, challenge);
3933 } else {
3934 instr_suf = dupprintf("%.*s", challengelen, challenge);
3935 prompt = dupstr("Response: ");
3936 }
3937 s->cur_prompt->instruction =
3938 dupprintf("Using CryptoCard authentication.%s%s",
3939 (*instr_suf) ? "\n" : "",
3940 instr_suf);
3941 s->cur_prompt->instr_reqd = TRUE;
3942 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3943 sfree(instr_suf);
3944 }
3945 }
3946 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3947 if ((s->supported_auths_mask & (1 << SSH1_AUTH_PASSWORD)) == 0) {
3948 bombout(("No supported authentication methods available"));
3949 crStop(0);
3950 }
3951 s->cur_prompt->to_server = TRUE;
3952 s->cur_prompt->name = dupstr("SSH password");
3953 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
3954 s->username, ssh->savedhost),
3955 FALSE, SSH_MAX_PASSWORD_LEN);
3956 }
3957
3958 /*
3959 * Show password prompt, having first obtained it via a TIS
3960 * or CryptoCard exchange if we're doing TIS or CryptoCard
3961 * authentication.
3962 */
3963 {
3964 int ret; /* need not be kept over crReturn */
3965 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3966 while (ret < 0) {
3967 ssh->send_ok = 1;
3968 crWaitUntil(!pktin);
3969 ret = get_userpass_input(s->cur_prompt, in, inlen);
3970 ssh->send_ok = 0;
3971 }
3972 if (!ret) {
3973 /*
3974 * Failed to get a password (for example
3975 * because one was supplied on the command line
3976 * which has already failed to work). Terminate.
3977 */
3978 free_prompts(s->cur_prompt);
3979 ssh_disconnect(ssh, NULL, "Unable to authenticate", 0, TRUE);
3980 crStop(0);
3981 }
3982 }
3983
3984 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3985 /*
3986 * Defence against traffic analysis: we send a
3987 * whole bunch of packets containing strings of
3988 * different lengths. One of these strings is the
3989 * password, in a SSH1_CMSG_AUTH_PASSWORD packet.
3990 * The others are all random data in
3991 * SSH1_MSG_IGNORE packets. This way a passive
3992 * listener can't tell which is the password, and
3993 * hence can't deduce the password length.
3994 *
3995 * Anybody with a password length greater than 16
3996 * bytes is going to have enough entropy in their
3997 * password that a listener won't find it _that_
3998 * much help to know how long it is. So what we'll
3999 * do is:
4000 *
4001 * - if password length < 16, we send 15 packets
4002 * containing string lengths 1 through 15
4003 *
4004 * - otherwise, we let N be the nearest multiple
4005 * of 8 below the password length, and send 8
4006 * packets containing string lengths N through
4007 * N+7. This won't obscure the order of
4008 * magnitude of the password length, but it will
4009 * introduce a bit of extra uncertainty.
4010 *
4011 * A few servers can't deal with SSH1_MSG_IGNORE, at
4012 * least in this context. For these servers, we need
4013 * an alternative defence. We make use of the fact
4014 * that the password is interpreted as a C string:
4015 * so we can append a NUL, then some random data.
4016 *
4017 * A few servers can deal with neither SSH1_MSG_IGNORE
4018 * here _nor_ a padded password string.
4019 * For these servers we are left with no defences
4020 * against password length sniffing.
4021 */
4022 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE) &&
4023 !(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
4024 /*
4025 * The server can deal with SSH1_MSG_IGNORE, so
4026 * we can use the primary defence.
4027 */
4028 int bottom, top, pwlen, i;
4029 char *randomstr;
4030
4031 pwlen = strlen(s->cur_prompt->prompts[0]->result);
4032 if (pwlen < 16) {
4033 bottom = 0; /* zero length passwords are OK! :-) */
4034 top = 15;
4035 } else {
4036 bottom = pwlen & ~7;
4037 top = bottom + 7;
4038 }
4039
4040 assert(pwlen >= bottom && pwlen <= top);
4041
4042 randomstr = snewn(top + 1, char);
4043
4044 for (i = bottom; i <= top; i++) {
4045 if (i == pwlen) {
4046 defer_packet(ssh, s->pwpkt_type,
4047 PKTT_PASSWORD, PKT_STR,
4048 s->cur_prompt->prompts[0]->result,
4049 PKTT_OTHER, PKT_END);
4050 } else {
4051 for (j = 0; j < i; j++) {
4052 do {
4053 randomstr[j] = random_byte();
4054 } while (randomstr[j] == '\0');
4055 }
4056 randomstr[i] = '\0';
4057 defer_packet(ssh, SSH1_MSG_IGNORE,
4058 PKT_STR, randomstr, PKT_END);
4059 }
4060 }
4061 logevent("Sending password with camouflage packets");
4062 ssh_pkt_defersend(ssh);
4063 sfree(randomstr);
4064 }
4065 else if (!(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
4066 /*
4067 * The server can't deal with SSH1_MSG_IGNORE
4068 * but can deal with padded passwords, so we
4069 * can use the secondary defence.
4070 */
4071 char string[64];
4072 char *ss;
4073 int len;
4074
4075 len = strlen(s->cur_prompt->prompts[0]->result);
4076 if (len < sizeof(string)) {
4077 ss = string;
4078 strcpy(string, s->cur_prompt->prompts[0]->result);
4079 len++; /* cover the zero byte */
4080 while (len < sizeof(string)) {
4081 string[len++] = (char) random_byte();
4082 }
4083 } else {
4084 ss = s->cur_prompt->prompts[0]->result;
4085 }
4086 logevent("Sending length-padded password");
4087 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
4088 PKT_INT, len, PKT_DATA, ss, len,
4089 PKTT_OTHER, PKT_END);
4090 } else {
4091 /*
4092 * The server is believed unable to cope with
4093 * any of our password camouflage methods.
4094 */
4095 int len;
4096 len = strlen(s->cur_prompt->prompts[0]->result);
4097 logevent("Sending unpadded password");
4098 send_packet(ssh, s->pwpkt_type,
4099 PKTT_PASSWORD, PKT_INT, len,
4100 PKT_DATA, s->cur_prompt->prompts[0]->result, len,
4101 PKTT_OTHER, PKT_END);
4102 }
4103 } else {
4104 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
4105 PKT_STR, s->cur_prompt->prompts[0]->result,
4106 PKTT_OTHER, PKT_END);
4107 }
4108 logevent("Sent password");
4109 free_prompts(s->cur_prompt);
4110 crWaitUntil(pktin);
4111 if (pktin->type == SSH1_SMSG_FAILURE) {
4112 if (flags & FLAG_VERBOSE)
4113 c_write_str(ssh, "Access denied\r\n");
4114 logevent("Authentication refused");
4115 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
4116 bombout(("Strange packet received, type %d", pktin->type));
4117 crStop(0);
4118 }
4119 }
4120
4121 /* Clear up */
4122 if (s->publickey_blob) {
4123 sfree(s->publickey_blob);
4124 sfree(s->publickey_comment);
4125 }
4126
4127 logevent("Authentication successful");
4128
4129 crFinish(1);
4130 }
4131
4132 void sshfwd_close(struct ssh_channel *c)
4133 {
4134 Ssh ssh = c->ssh;
4135
4136 if (ssh->state == SSH_STATE_CLOSED)
4137 return;
4138
4139 if (c && !c->closes) {
4140 /*
4141 * If halfopen is true, we have sent
4142 * CHANNEL_OPEN for this channel, but it hasn't even been
4143 * acknowledged by the server. So we must set a close flag
4144 * on it now, and then when the server acks the channel
4145 * open, we can close it then.
4146 */
4147 if (!c->halfopen) {
4148 if (ssh->version == 1) {
4149 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE, PKT_INT, c->remoteid,
4150 PKT_END);
4151 } else {
4152 struct Packet *pktout;
4153 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
4154 ssh2_pkt_adduint32(pktout, c->remoteid);
4155 ssh2_pkt_send(ssh, pktout);
4156 }
4157 }
4158 c->closes = 1; /* sent MSG_CLOSE */
4159 if (c->type == CHAN_X11) {
4160 c->u.x11.s = NULL;
4161 logevent("Forwarded X11 connection terminated");
4162 } else if (c->type == CHAN_SOCKDATA ||
4163 c->type == CHAN_SOCKDATA_DORMANT) {
4164 c->u.pfd.s = NULL;
4165 logevent("Forwarded port closed");
4166 }
4167 }
4168 }
4169
4170 int sshfwd_write(struct ssh_channel *c, char *buf, int len)
4171 {
4172 Ssh ssh = c->ssh;
4173
4174 if (ssh->state == SSH_STATE_CLOSED)
4175 return 0;
4176
4177 if (ssh->version == 1) {
4178 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
4179 PKT_INT, c->remoteid,
4180 PKT_INT, len, PKTT_DATA, PKT_DATA, buf, len,
4181 PKTT_OTHER, PKT_END);
4182 /*
4183 * In SSH-1 we can return 0 here - implying that forwarded
4184 * connections are never individually throttled - because
4185 * the only circumstance that can cause throttling will be
4186 * the whole SSH connection backing up, in which case
4187 * _everything_ will be throttled as a whole.
4188 */
4189 return 0;
4190 } else {
4191 ssh2_add_channel_data(c, buf, len);
4192 return ssh2_try_send(c);
4193 }
4194 }
4195
4196 void sshfwd_unthrottle(struct ssh_channel *c, int bufsize)
4197 {
4198 Ssh ssh = c->ssh;
4199 int buflimit;
4200
4201 if (ssh->state == SSH_STATE_CLOSED)
4202 return;
4203
4204 if (ssh->version == 1) {
4205 buflimit = SSH1_BUFFER_LIMIT;
4206 } else {
4207 buflimit = c->v.v2.locmaxwin;
4208 ssh2_set_window(c, bufsize < buflimit ? buflimit - bufsize : 0);
4209 }
4210 if (c->throttling_conn && bufsize <= buflimit) {
4211 c->throttling_conn = 0;
4212 ssh_throttle_conn(ssh, -1);
4213 }
4214 }
4215
4216 static void ssh_queueing_handler(Ssh ssh, struct Packet *pktin)
4217 {
4218 struct queued_handler *qh = ssh->qhead;
4219
4220 assert(qh != NULL);
4221
4222 assert(pktin->type == qh->msg1 || pktin->type == qh->msg2);
4223
4224 if (qh->msg1 > 0) {
4225 assert(ssh->packet_dispatch[qh->msg1] == ssh_queueing_handler);
4226 ssh->packet_dispatch[qh->msg1] = NULL;
4227 }
4228 if (qh->msg2 > 0) {
4229 assert(ssh->packet_dispatch[qh->msg2] == ssh_queueing_handler);
4230 ssh->packet_dispatch[qh->msg2] = NULL;
4231 }
4232
4233 if (qh->next) {
4234 ssh->qhead = qh->next;
4235
4236 if (ssh->qhead->msg1 > 0) {
4237 assert(ssh->packet_dispatch[ssh->qhead->msg1] == NULL);
4238 ssh->packet_dispatch[ssh->qhead->msg1] = ssh_queueing_handler;
4239 }
4240 if (ssh->qhead->msg2 > 0) {
4241 assert(ssh->packet_dispatch[ssh->qhead->msg2] == NULL);
4242 ssh->packet_dispatch[ssh->qhead->msg2] = ssh_queueing_handler;
4243 }
4244 } else {
4245 ssh->qhead = ssh->qtail = NULL;
4246 ssh->packet_dispatch[pktin->type] = NULL;
4247 }
4248
4249 qh->handler(ssh, pktin, qh->ctx);
4250
4251 sfree(qh);
4252 }
4253
4254 static void ssh_queue_handler(Ssh ssh, int msg1, int msg2,
4255 chandler_fn_t handler, void *ctx)
4256 {
4257 struct queued_handler *qh;
4258
4259 qh = snew(struct queued_handler);
4260 qh->msg1 = msg1;
4261 qh->msg2 = msg2;
4262 qh->handler = handler;
4263 qh->ctx = ctx;
4264 qh->next = NULL;
4265
4266 if (ssh->qtail == NULL) {
4267 ssh->qhead = qh;
4268
4269 if (qh->msg1 > 0) {
4270 assert(ssh->packet_dispatch[qh->msg1] == NULL);
4271 ssh->packet_dispatch[qh->msg1] = ssh_queueing_handler;
4272 }
4273 if (qh->msg2 > 0) {
4274 assert(ssh->packet_dispatch[qh->msg2] == NULL);
4275 ssh->packet_dispatch[qh->msg2] = ssh_queueing_handler;
4276 }
4277 } else {
4278 ssh->qtail->next = qh;
4279 }
4280 ssh->qtail = qh;
4281 }
4282
4283 static void ssh_rportfwd_succfail(Ssh ssh, struct Packet *pktin, void *ctx)
4284 {
4285 struct ssh_rportfwd *rpf, *pf = (struct ssh_rportfwd *)ctx;
4286
4287 if (pktin->type == (ssh->version == 1 ? SSH1_SMSG_SUCCESS :
4288 SSH2_MSG_REQUEST_SUCCESS)) {
4289 logeventf(ssh, "Remote port forwarding from %s enabled",
4290 pf->sportdesc);
4291 } else {
4292 logeventf(ssh, "Remote port forwarding from %s refused",
4293 pf->sportdesc);
4294
4295 rpf = del234(ssh->rportfwds, pf);
4296 assert(rpf == pf);
4297 free_rportfwd(pf);
4298 }
4299 }
4300
4301 static void ssh_setup_portfwd(Ssh ssh, const Config *cfg)
4302 {
4303 const char *portfwd_strptr = cfg->portfwd;
4304 struct ssh_portfwd *epf;
4305 int i;
4306
4307 if (!ssh->portfwds) {
4308 ssh->portfwds = newtree234(ssh_portcmp);
4309 } else {
4310 /*
4311 * Go through the existing port forwardings and tag them
4312 * with status==DESTROY. Any that we want to keep will be
4313 * re-enabled (status==KEEP) as we go through the
4314 * configuration and find out which bits are the same as
4315 * they were before.
4316 */
4317 struct ssh_portfwd *epf;
4318 int i;
4319 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4320 epf->status = DESTROY;
4321 }
4322
4323 while (*portfwd_strptr) {
4324 char address_family, type;
4325 int sport,dport,sserv,dserv;
4326 char sports[256], dports[256], saddr[256], host[256];
4327 int n;
4328
4329 address_family = 'A';
4330 type = 'L';
4331 if (*portfwd_strptr == 'A' ||
4332 *portfwd_strptr == '4' ||
4333 *portfwd_strptr == '6')
4334 address_family = *portfwd_strptr++;
4335 if (*portfwd_strptr == 'L' ||
4336 *portfwd_strptr == 'R' ||
4337 *portfwd_strptr == 'D')
4338 type = *portfwd_strptr++;
4339
4340 saddr[0] = '\0';
4341
4342 n = 0;
4343 while (*portfwd_strptr && *portfwd_strptr != '\t') {
4344 if (*portfwd_strptr == ':') {
4345 /*
4346 * We've seen a colon in the middle of the
4347 * source port number. This means that
4348 * everything we've seen until now is the
4349 * source _address_, so we'll move it into
4350 * saddr and start sports from the beginning
4351 * again.
4352 */
4353 portfwd_strptr++;
4354 sports[n] = '\0';
4355 if (ssh->version == 1 && type == 'R') {
4356 logeventf(ssh, "SSH-1 cannot handle remote source address "
4357 "spec \"%s\"; ignoring", sports);
4358 } else
4359 strcpy(saddr, sports);
4360 n = 0;
4361 }
4362 if (n < lenof(sports)-1) sports[n++] = *portfwd_strptr++;
4363 }
4364 sports[n] = 0;
4365 if (type != 'D') {
4366 if (*portfwd_strptr == '\t')
4367 portfwd_strptr++;
4368 n = 0;
4369 while (*portfwd_strptr && *portfwd_strptr != ':') {
4370 if (n < lenof(host)-1) host[n++] = *portfwd_strptr++;
4371 }
4372 host[n] = 0;
4373 if (*portfwd_strptr == ':')
4374 portfwd_strptr++;
4375 n = 0;
4376 while (*portfwd_strptr) {
4377 if (n < lenof(dports)-1) dports[n++] = *portfwd_strptr++;
4378 }
4379 dports[n] = 0;
4380 portfwd_strptr++;
4381 dport = atoi(dports);
4382 dserv = 0;
4383 if (dport == 0) {
4384 dserv = 1;
4385 dport = net_service_lookup(dports);
4386 if (!dport) {
4387 logeventf(ssh, "Service lookup failed for destination"
4388 " port \"%s\"", dports);
4389 }
4390 }
4391 } else {
4392 while (*portfwd_strptr) portfwd_strptr++;
4393 host[0] = 0;
4394 dports[0] = 0;
4395 dport = dserv = -1;
4396 portfwd_strptr++; /* eat the NUL and move to next one */
4397 }
4398 sport = atoi(sports);
4399 sserv = 0;
4400 if (sport == 0) {
4401 sserv = 1;
4402 sport = net_service_lookup(sports);
4403 if (!sport) {
4404 logeventf(ssh, "Service lookup failed for source"
4405 " port \"%s\"", sports);
4406 }
4407 }
4408 if (sport && dport) {
4409 /* Set up a description of the source port. */
4410 struct ssh_portfwd *pfrec, *epfrec;
4411
4412 pfrec = snew(struct ssh_portfwd);
4413 pfrec->type = type;
4414 pfrec->saddr = *saddr ? dupstr(saddr) : NULL;
4415 pfrec->sserv = sserv ? dupstr(sports) : NULL;
4416 pfrec->sport = sport;
4417 pfrec->daddr = *host ? dupstr(host) : NULL;
4418 pfrec->dserv = dserv ? dupstr(dports) : NULL;
4419 pfrec->dport = dport;
4420 pfrec->local = NULL;
4421 pfrec->remote = NULL;
4422 pfrec->addressfamily = (address_family == '4' ? ADDRTYPE_IPV4 :
4423 address_family == '6' ? ADDRTYPE_IPV6 :
4424 ADDRTYPE_UNSPEC);
4425
4426 epfrec = add234(ssh->portfwds, pfrec);
4427 if (epfrec != pfrec) {
4428 /*
4429 * We already have a port forwarding with precisely
4430 * these parameters. Hence, no need to do anything;
4431 * simply tag the existing one as KEEP.
4432 */
4433 epfrec->status = KEEP;
4434 free_portfwd(pfrec);
4435 } else {
4436 pfrec->status = CREATE;
4437 }
4438 }
4439 }
4440
4441 /*
4442 * Now go through and destroy any port forwardings which were
4443 * not re-enabled.
4444 */
4445 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4446 if (epf->status == DESTROY) {
4447 char *message;
4448
4449 message = dupprintf("%s port forwarding from %s%s%d",
4450 epf->type == 'L' ? "local" :
4451 epf->type == 'R' ? "remote" : "dynamic",
4452 epf->saddr ? epf->saddr : "",
4453 epf->saddr ? ":" : "",
4454 epf->sport);
4455
4456 if (epf->type != 'D') {
4457 char *msg2 = dupprintf("%s to %s:%d", message,
4458 epf->daddr, epf->dport);
4459 sfree(message);
4460 message = msg2;
4461 }
4462
4463 logeventf(ssh, "Cancelling %s", message);
4464 sfree(message);
4465
4466 if (epf->remote) {
4467 struct ssh_rportfwd *rpf = epf->remote;
4468 struct Packet *pktout;
4469
4470 /*
4471 * Cancel the port forwarding at the server
4472 * end.
4473 */
4474 if (ssh->version == 1) {
4475 /*
4476 * We cannot cancel listening ports on the
4477 * server side in SSH-1! There's no message
4478 * to support it. Instead, we simply remove
4479 * the rportfwd record from the local end
4480 * so that any connections the server tries
4481 * to make on it are rejected.
4482 */
4483 } else {
4484 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4485 ssh2_pkt_addstring(pktout, "cancel-tcpip-forward");
4486 ssh2_pkt_addbool(pktout, 0);/* _don't_ want reply */
4487 if (epf->saddr) {
4488 ssh2_pkt_addstring(pktout, epf->saddr);
4489 } else if (ssh->cfg.rport_acceptall) {
4490 /* XXX: ssh->cfg.rport_acceptall may not represent
4491 * what was used to open the original connection,
4492 * since it's reconfigurable. */
4493 ssh2_pkt_addstring(pktout, "0.0.0.0");
4494 } else {
4495 ssh2_pkt_addstring(pktout, "127.0.0.1");
4496 }
4497 ssh2_pkt_adduint32(pktout, epf->sport);
4498 ssh2_pkt_send(ssh, pktout);
4499 }
4500
4501 del234(ssh->rportfwds, rpf);
4502 free_rportfwd(rpf);
4503 } else if (epf->local) {
4504 pfd_terminate(epf->local);
4505 }
4506
4507 delpos234(ssh->portfwds, i);
4508 free_portfwd(epf);
4509 i--; /* so we don't skip one in the list */
4510 }
4511
4512 /*
4513 * And finally, set up any new port forwardings (status==CREATE).
4514 */
4515 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4516 if (epf->status == CREATE) {
4517 char *sportdesc, *dportdesc;
4518 sportdesc = dupprintf("%s%s%s%s%d%s",
4519 epf->saddr ? epf->saddr : "",
4520 epf->saddr ? ":" : "",
4521 epf->sserv ? epf->sserv : "",
4522 epf->sserv ? "(" : "",
4523 epf->sport,
4524 epf->sserv ? ")" : "");
4525 if (epf->type == 'D') {
4526 dportdesc = NULL;
4527 } else {
4528 dportdesc = dupprintf("%s:%s%s%d%s",
4529 epf->daddr,
4530 epf->dserv ? epf->dserv : "",
4531 epf->dserv ? "(" : "",
4532 epf->dport,
4533 epf->dserv ? ")" : "");
4534 }
4535
4536 if (epf->type == 'L') {
4537 const char *err = pfd_addforward(epf->daddr, epf->dport,
4538 epf->saddr, epf->sport,
4539 ssh, cfg,
4540 &epf->local,
4541 epf->addressfamily);
4542
4543 logeventf(ssh, "Local %sport %s forwarding to %s%s%s",
4544 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4545 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4546 sportdesc, dportdesc,
4547 err ? " failed: " : "", err ? err : "");
4548 } else if (epf->type == 'D') {
4549 const char *err = pfd_addforward(NULL, -1,
4550 epf->saddr, epf->sport,
4551 ssh, cfg,
4552 &epf->local,
4553 epf->addressfamily);
4554
4555 logeventf(ssh, "Local %sport %s SOCKS dynamic forwarding%s%s",
4556 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4557 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4558 sportdesc,
4559 err ? " failed: " : "", err ? err : "");
4560 } else {
4561 struct ssh_rportfwd *pf;
4562
4563 /*
4564 * Ensure the remote port forwardings tree exists.
4565 */
4566 if (!ssh->rportfwds) {
4567 if (ssh->version == 1)
4568 ssh->rportfwds = newtree234(ssh_rportcmp_ssh1);
4569 else
4570 ssh->rportfwds = newtree234(ssh_rportcmp_ssh2);
4571 }
4572
4573 pf = snew(struct ssh_rportfwd);
4574 strncpy(pf->dhost, epf->daddr, lenof(pf->dhost)-1);
4575 pf->dhost[lenof(pf->dhost)-1] = '\0';
4576 pf->dport = epf->dport;
4577 pf->sport = epf->sport;
4578 if (add234(ssh->rportfwds, pf) != pf) {
4579 logeventf(ssh, "Duplicate remote port forwarding to %s:%d",
4580 epf->daddr, epf->dport);
4581 sfree(pf);
4582 } else {
4583 logeventf(ssh, "Requesting remote port %s"
4584 " forward to %s", sportdesc, dportdesc);
4585
4586 pf->sportdesc = sportdesc;
4587 sportdesc = NULL;
4588 epf->remote = pf;
4589 pf->pfrec = epf;
4590
4591 if (ssh->version == 1) {
4592 send_packet(ssh, SSH1_CMSG_PORT_FORWARD_REQUEST,
4593 PKT_INT, epf->sport,
4594 PKT_STR, epf->daddr,
4595 PKT_INT, epf->dport,
4596 PKT_END);
4597 ssh_queue_handler(ssh, SSH1_SMSG_SUCCESS,
4598 SSH1_SMSG_FAILURE,
4599 ssh_rportfwd_succfail, pf);
4600 } else {
4601 struct Packet *pktout;
4602 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4603 ssh2_pkt_addstring(pktout, "tcpip-forward");
4604 ssh2_pkt_addbool(pktout, 1);/* want reply */
4605 if (epf->saddr) {
4606 ssh2_pkt_addstring(pktout, epf->saddr);
4607 } else if (cfg->rport_acceptall) {
4608 ssh2_pkt_addstring(pktout, "0.0.0.0");
4609 } else {
4610 ssh2_pkt_addstring(pktout, "127.0.0.1");
4611 }
4612 ssh2_pkt_adduint32(pktout, epf->sport);
4613 ssh2_pkt_send(ssh, pktout);
4614
4615 ssh_queue_handler(ssh, SSH2_MSG_REQUEST_SUCCESS,
4616 SSH2_MSG_REQUEST_FAILURE,
4617 ssh_rportfwd_succfail, pf);
4618 }
4619 }
4620 }
4621 sfree(sportdesc);
4622 sfree(dportdesc);
4623 }
4624 }
4625
4626 static void ssh1_smsg_stdout_stderr_data(Ssh ssh, struct Packet *pktin)
4627 {
4628 char *string;
4629 int stringlen, bufsize;
4630
4631 ssh_pkt_getstring(pktin, &string, &stringlen);
4632 if (string == NULL) {
4633 bombout(("Incoming terminal data packet was badly formed"));
4634 return;
4635 }
4636
4637 bufsize = from_backend(ssh->frontend, pktin->type == SSH1_SMSG_STDERR_DATA,
4638 string, stringlen);
4639 if (!ssh->v1_stdout_throttling && bufsize > SSH1_BUFFER_LIMIT) {
4640 ssh->v1_stdout_throttling = 1;
4641 ssh_throttle_conn(ssh, +1);
4642 }
4643 }
4644
4645 static void ssh1_smsg_x11_open(Ssh ssh, struct Packet *pktin)
4646 {
4647 /* Remote side is trying to open a channel to talk to our
4648 * X-Server. Give them back a local channel number. */
4649 struct ssh_channel *c;
4650 int remoteid = ssh_pkt_getuint32(pktin);
4651
4652 logevent("Received X11 connect request");
4653 /* Refuse if X11 forwarding is disabled. */
4654 if (!ssh->X11_fwd_enabled) {
4655 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4656 PKT_INT, remoteid, PKT_END);
4657 logevent("Rejected X11 connect request");
4658 } else {
4659 c = snew(struct ssh_channel);
4660 c->ssh = ssh;
4661
4662 if (x11_init(&c->u.x11.s, ssh->x11disp, c,
4663 NULL, -1, &ssh->cfg) != NULL) {
4664 logevent("Opening X11 forward connection failed");
4665 sfree(c);
4666 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4667 PKT_INT, remoteid, PKT_END);
4668 } else {
4669 logevent
4670 ("Opening X11 forward connection succeeded");
4671 c->remoteid = remoteid;
4672 c->halfopen = FALSE;
4673 c->localid = alloc_channel_id(ssh);
4674 c->closes = 0;
4675 c->throttling_conn = 0;
4676 c->type = CHAN_X11; /* identify channel type */
4677 add234(ssh->channels, c);
4678 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4679 PKT_INT, c->remoteid, PKT_INT,
4680 c->localid, PKT_END);
4681 logevent("Opened X11 forward channel");
4682 }
4683 }
4684 }
4685
4686 static void ssh1_smsg_agent_open(Ssh ssh, struct Packet *pktin)
4687 {
4688 /* Remote side is trying to open a channel to talk to our
4689 * agent. Give them back a local channel number. */
4690 struct ssh_channel *c;
4691 int remoteid = ssh_pkt_getuint32(pktin);
4692
4693 /* Refuse if agent forwarding is disabled. */
4694 if (!ssh->agentfwd_enabled) {
4695 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4696 PKT_INT, remoteid, PKT_END);
4697 } else {
4698 c = snew(struct ssh_channel);
4699 c->ssh = ssh;
4700 c->remoteid = remoteid;
4701 c->halfopen = FALSE;
4702 c->localid = alloc_channel_id(ssh);
4703 c->closes = 0;
4704 c->throttling_conn = 0;
4705 c->type = CHAN_AGENT; /* identify channel type */
4706 c->u.a.lensofar = 0;
4707 add234(ssh->channels, c);
4708 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4709 PKT_INT, c->remoteid, PKT_INT, c->localid,
4710 PKT_END);
4711 }
4712 }
4713
4714 static void ssh1_msg_port_open(Ssh ssh, struct Packet *pktin)
4715 {
4716 /* Remote side is trying to open a channel to talk to a
4717 * forwarded port. Give them back a local channel number. */
4718 struct ssh_channel *c;
4719 struct ssh_rportfwd pf, *pfp;
4720 int remoteid;
4721 int hostsize, port;
4722 char *host;
4723 const char *e;
4724 c = snew(struct ssh_channel);
4725 c->ssh = ssh;
4726
4727 remoteid = ssh_pkt_getuint32(pktin);
4728 ssh_pkt_getstring(pktin, &host, &hostsize);
4729 port = ssh_pkt_getuint32(pktin);
4730
4731 if (hostsize >= lenof(pf.dhost))
4732 hostsize = lenof(pf.dhost)-1;
4733 memcpy(pf.dhost, host, hostsize);
4734 pf.dhost[hostsize] = '\0';
4735 pf.dport = port;
4736 pfp = find234(ssh->rportfwds, &pf, NULL);
4737
4738 if (pfp == NULL) {
4739 logeventf(ssh, "Rejected remote port open request for %s:%d",
4740 pf.dhost, port);
4741 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4742 PKT_INT, remoteid, PKT_END);
4743 } else {
4744 logeventf(ssh, "Received remote port open request for %s:%d",
4745 pf.dhost, port);
4746 e = pfd_newconnect(&c->u.pfd.s, pf.dhost, port,
4747 c, &ssh->cfg, pfp->pfrec->addressfamily);
4748 if (e != NULL) {
4749 logeventf(ssh, "Port open failed: %s", e);
4750 sfree(c);
4751 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4752 PKT_INT, remoteid, PKT_END);
4753 } else {
4754 c->remoteid = remoteid;
4755 c->halfopen = FALSE;
4756 c->localid = alloc_channel_id(ssh);
4757 c->closes = 0;
4758 c->throttling_conn = 0;
4759 c->type = CHAN_SOCKDATA; /* identify channel type */
4760 add234(ssh->channels, c);
4761 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4762 PKT_INT, c->remoteid, PKT_INT,
4763 c->localid, PKT_END);
4764 logevent("Forwarded port opened successfully");
4765 }
4766 }
4767 }
4768
4769 static void ssh1_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
4770 {
4771 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4772 unsigned int localid = ssh_pkt_getuint32(pktin);
4773 struct ssh_channel *c;
4774
4775 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4776 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4777 c->remoteid = localid;
4778 c->halfopen = FALSE;
4779 c->type = CHAN_SOCKDATA;
4780 c->throttling_conn = 0;
4781 pfd_confirm(c->u.pfd.s);
4782 }
4783
4784 if (c && c->closes) {
4785 /*
4786 * We have a pending close on this channel,
4787 * which we decided on before the server acked
4788 * the channel open. So now we know the
4789 * remoteid, we can close it again.
4790 */
4791 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE,
4792 PKT_INT, c->remoteid, PKT_END);
4793 }
4794 }
4795
4796 static void ssh1_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
4797 {
4798 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4799 struct ssh_channel *c;
4800
4801 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4802 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4803 logevent("Forwarded connection refused by server");
4804 pfd_close(c->u.pfd.s);
4805 del234(ssh->channels, c);
4806 sfree(c);
4807 }
4808 }
4809
4810 static void ssh1_msg_channel_close(Ssh ssh, struct Packet *pktin)
4811 {
4812 /* Remote side closes a channel. */
4813 unsigned i = ssh_pkt_getuint32(pktin);
4814 struct ssh_channel *c;
4815 c = find234(ssh->channels, &i, ssh_channelfind);
4816 if (c && !c->halfopen) {
4817 int closetype;
4818 closetype =
4819 (pktin->type == SSH1_MSG_CHANNEL_CLOSE ? 1 : 2);
4820
4821 if ((c->closes == 0) && (c->type == CHAN_X11)) {
4822 logevent("Forwarded X11 connection terminated");
4823 assert(c->u.x11.s != NULL);
4824 x11_close(c->u.x11.s);
4825 c->u.x11.s = NULL;
4826 }
4827 if ((c->closes == 0) && (c->type == CHAN_SOCKDATA)) {
4828 logevent("Forwarded port closed");
4829 assert(c->u.pfd.s != NULL);
4830 pfd_close(c->u.pfd.s);
4831 c->u.pfd.s = NULL;
4832 }
4833
4834 c->closes |= (closetype << 2); /* seen this message */
4835 if (!(c->closes & closetype)) {
4836 send_packet(ssh, pktin->type, PKT_INT, c->remoteid,
4837 PKT_END);
4838 c->closes |= closetype; /* sent it too */
4839 }
4840
4841 if (c->closes == 15) {
4842 del234(ssh->channels, c);
4843 sfree(c);
4844 }
4845 } else {
4846 bombout(("Received CHANNEL_CLOSE%s for %s channel %d\n",
4847 pktin->type == SSH1_MSG_CHANNEL_CLOSE ? "" :
4848 "_CONFIRMATION", c ? "half-open" : "nonexistent",
4849 i));
4850 }
4851 }
4852
4853 static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
4854 {
4855 /* Data sent down one of our channels. */
4856 int i = ssh_pkt_getuint32(pktin);
4857 char *p;
4858 int len;
4859 struct ssh_channel *c;
4860
4861 ssh_pkt_getstring(pktin, &p, &len);
4862
4863 c = find234(ssh->channels, &i, ssh_channelfind);
4864 if (c) {
4865 int bufsize = 0;
4866 switch (c->type) {
4867 case CHAN_X11:
4868 bufsize = x11_send(c->u.x11.s, p, len);
4869 break;
4870 case CHAN_SOCKDATA:
4871 bufsize = pfd_send(c->u.pfd.s, p, len);
4872 break;
4873 case CHAN_AGENT:
4874 /* Data for an agent message. Buffer it. */
4875 while (len > 0) {
4876 if (c->u.a.lensofar < 4) {
4877 unsigned int l = min(4 - c->u.a.lensofar, (unsigned)len);
4878 memcpy(c->u.a.msglen + c->u.a.lensofar, p,
4879 l);
4880 p += l;
4881 len -= l;
4882 c->u.a.lensofar += l;
4883 }
4884 if (c->u.a.lensofar == 4) {
4885 c->u.a.totallen =
4886 4 + GET_32BIT(c->u.a.msglen);
4887 c->u.a.message = snewn(c->u.a.totallen,
4888 unsigned char);
4889 memcpy(c->u.a.message, c->u.a.msglen, 4);
4890 }
4891 if (c->u.a.lensofar >= 4 && len > 0) {
4892 unsigned int l =
4893 min(c->u.a.totallen - c->u.a.lensofar,
4894 (unsigned)len);
4895 memcpy(c->u.a.message + c->u.a.lensofar, p,
4896 l);
4897 p += l;
4898 len -= l;
4899 c->u.a.lensofar += l;
4900 }
4901 if (c->u.a.lensofar == c->u.a.totallen) {
4902 void *reply;
4903 int replylen;
4904 if (agent_query(c->u.a.message,
4905 c->u.a.totallen,
4906 &reply, &replylen,
4907 ssh_agentf_callback, c))
4908 ssh_agentf_callback(c, reply, replylen);
4909 sfree(c->u.a.message);
4910 c->u.a.lensofar = 0;
4911 }
4912 }
4913 bufsize = 0; /* agent channels never back up */
4914 break;
4915 }
4916 if (!c->throttling_conn && bufsize > SSH1_BUFFER_LIMIT) {
4917 c->throttling_conn = 1;
4918 ssh_throttle_conn(ssh, +1);
4919 }
4920 }
4921 }
4922
4923 static void ssh1_smsg_exit_status(Ssh ssh, struct Packet *pktin)
4924 {
4925 ssh->exitcode = ssh_pkt_getuint32(pktin);
4926 logeventf(ssh, "Server sent command exit status %d", ssh->exitcode);
4927 send_packet(ssh, SSH1_CMSG_EXIT_CONFIRMATION, PKT_END);
4928 /*
4929 * In case `helpful' firewalls or proxies tack
4930 * extra human-readable text on the end of the
4931 * session which we might mistake for another
4932 * encrypted packet, we close the session once
4933 * we've sent EXIT_CONFIRMATION.
4934 */
4935 ssh_disconnect(ssh, NULL, NULL, 0, TRUE);
4936 }
4937
4938 /* Helper function to deal with sending tty modes for REQUEST_PTY */
4939 static void ssh1_send_ttymode(void *data, char *mode, char *val)
4940 {
4941 struct Packet *pktout = (struct Packet *)data;
4942 int i = 0;
4943 unsigned int arg = 0;
4944 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
4945 if (i == lenof(ssh_ttymodes)) return;
4946 switch (ssh_ttymodes[i].type) {
4947 case TTY_OP_CHAR:
4948 arg = ssh_tty_parse_specchar(val);
4949 break;
4950 case TTY_OP_BOOL:
4951 arg = ssh_tty_parse_boolean(val);
4952 break;
4953 }
4954 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
4955 ssh2_pkt_addbyte(pktout, arg);
4956 }
4957
4958
4959 static void do_ssh1_connection(Ssh ssh, unsigned char *in, int inlen,
4960 struct Packet *pktin)
4961 {
4962 crBegin(ssh->do_ssh1_connection_crstate);
4963
4964 ssh->packet_dispatch[SSH1_SMSG_STDOUT_DATA] =
4965 ssh->packet_dispatch[SSH1_SMSG_STDERR_DATA] =
4966 ssh1_smsg_stdout_stderr_data;
4967
4968 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_CONFIRMATION] =
4969 ssh1_msg_channel_open_confirmation;
4970 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_FAILURE] =
4971 ssh1_msg_channel_open_failure;
4972 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE] =
4973 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION] =
4974 ssh1_msg_channel_close;
4975 ssh->packet_dispatch[SSH1_MSG_CHANNEL_DATA] = ssh1_msg_channel_data;
4976 ssh->packet_dispatch[SSH1_SMSG_EXIT_STATUS] = ssh1_smsg_exit_status;
4977
4978 if (ssh->cfg.agentfwd && agent_exists()) {
4979 logevent("Requesting agent forwarding");
4980 send_packet(ssh, SSH1_CMSG_AGENT_REQUEST_FORWARDING, PKT_END);
4981 do {
4982 crReturnV;
4983 } while (!pktin);
4984 if (pktin->type != SSH1_SMSG_SUCCESS
4985 && pktin->type != SSH1_SMSG_FAILURE) {
4986 bombout(("Protocol confusion"));
4987 crStopV;
4988 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4989 logevent("Agent forwarding refused");
4990 } else {
4991 logevent("Agent forwarding enabled");
4992 ssh->agentfwd_enabled = TRUE;
4993 ssh->packet_dispatch[SSH1_SMSG_AGENT_OPEN] = ssh1_smsg_agent_open;
4994 }
4995 }
4996
4997 if (ssh->cfg.x11_forward) {
4998 logevent("Requesting X11 forwarding");
4999 ssh->x11disp = x11_setup_display(ssh->cfg.x11_display,
5000 ssh->cfg.x11_auth, &ssh->cfg);
5001 /*
5002 * Note that while we blank the X authentication data here, we don't
5003 * take any special action to blank the start of an X11 channel,
5004 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
5005 * without having session blanking enabled is likely to leak your
5006 * cookie into the log.
5007 */
5008 if (ssh->v1_local_protoflags & SSH1_PROTOFLAG_SCREEN_NUMBER) {
5009 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
5010 PKT_STR, ssh->x11disp->remoteauthprotoname,
5011 PKTT_PASSWORD,
5012 PKT_STR, ssh->x11disp->remoteauthdatastring,
5013 PKTT_OTHER,
5014 PKT_INT, ssh->x11disp->screennum,
5015 PKT_END);
5016 } else {
5017 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
5018 PKT_STR, ssh->x11disp->remoteauthprotoname,
5019 PKTT_PASSWORD,
5020 PKT_STR, ssh->x11disp->remoteauthdatastring,
5021 PKTT_OTHER,
5022 PKT_END);
5023 }
5024 do {
5025 crReturnV;
5026 } while (!pktin);
5027 if (pktin->type != SSH1_SMSG_SUCCESS
5028 && pktin->type != SSH1_SMSG_FAILURE) {
5029 bombout(("Protocol confusion"));
5030 crStopV;
5031 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5032 logevent("X11 forwarding refused");
5033 } else {
5034 logevent("X11 forwarding enabled");
5035 ssh->X11_fwd_enabled = TRUE;
5036 ssh->packet_dispatch[SSH1_SMSG_X11_OPEN] = ssh1_smsg_x11_open;
5037 }
5038 }
5039
5040 ssh_setup_portfwd(ssh, &ssh->cfg);
5041 ssh->packet_dispatch[SSH1_MSG_PORT_OPEN] = ssh1_msg_port_open;
5042
5043 if (!ssh->cfg.nopty) {
5044 struct Packet *pkt;
5045 /* Unpick the terminal-speed string. */
5046 /* XXX perhaps we should allow no speeds to be sent. */
5047 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
5048 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
5049 /* Send the pty request. */
5050 pkt = ssh1_pkt_init(SSH1_CMSG_REQUEST_PTY);
5051 ssh_pkt_addstring(pkt, ssh->cfg.termtype);
5052 ssh_pkt_adduint32(pkt, ssh->term_height);
5053 ssh_pkt_adduint32(pkt, ssh->term_width);
5054 ssh_pkt_adduint32(pkt, 0); /* width in pixels */
5055 ssh_pkt_adduint32(pkt, 0); /* height in pixels */
5056 parse_ttymodes(ssh, ssh->cfg.ttymodes,
5057 ssh1_send_ttymode, (void *)pkt);
5058 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_ISPEED);
5059 ssh_pkt_adduint32(pkt, ssh->ispeed);
5060 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_OSPEED);
5061 ssh_pkt_adduint32(pkt, ssh->ospeed);
5062 ssh_pkt_addbyte(pkt, SSH_TTY_OP_END);
5063 s_wrpkt(ssh, pkt);
5064 ssh->state = SSH_STATE_INTERMED;
5065 do {
5066 crReturnV;
5067 } while (!pktin);
5068 if (pktin->type != SSH1_SMSG_SUCCESS
5069 && pktin->type != SSH1_SMSG_FAILURE) {
5070 bombout(("Protocol confusion"));
5071 crStopV;
5072 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5073 c_write_str(ssh, "Server refused to allocate pty\r\n");
5074 ssh->editing = ssh->echoing = 1;
5075 }
5076 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
5077 ssh->ospeed, ssh->ispeed);
5078 } else {
5079 ssh->editing = ssh->echoing = 1;
5080 }
5081
5082 if (ssh->cfg.compression) {
5083 send_packet(ssh, SSH1_CMSG_REQUEST_COMPRESSION, PKT_INT, 6, PKT_END);
5084 do {
5085 crReturnV;
5086 } while (!pktin);
5087 if (pktin->type != SSH1_SMSG_SUCCESS
5088 && pktin->type != SSH1_SMSG_FAILURE) {
5089 bombout(("Protocol confusion"));
5090 crStopV;
5091 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5092 c_write_str(ssh, "Server refused to compress\r\n");
5093 }
5094 logevent("Started compression");
5095 ssh->v1_compressing = TRUE;
5096 ssh->cs_comp_ctx = zlib_compress_init();
5097 logevent("Initialised zlib (RFC1950) compression");
5098 ssh->sc_comp_ctx = zlib_decompress_init();
5099 logevent("Initialised zlib (RFC1950) decompression");
5100 }
5101
5102 /*
5103 * Start the shell or command.
5104 *
5105 * Special case: if the first-choice command is an SSH-2
5106 * subsystem (hence not usable here) and the second choice
5107 * exists, we fall straight back to that.
5108 */
5109 {
5110 char *cmd = ssh->cfg.remote_cmd_ptr;
5111
5112 if (!cmd) cmd = ssh->cfg.remote_cmd;
5113
5114 if (ssh->cfg.ssh_subsys && ssh->cfg.remote_cmd_ptr2) {
5115 cmd = ssh->cfg.remote_cmd_ptr2;
5116 ssh->fallback_cmd = TRUE;
5117 }
5118 if (*cmd)
5119 send_packet(ssh, SSH1_CMSG_EXEC_CMD, PKT_STR, cmd, PKT_END);
5120 else
5121 send_packet(ssh, SSH1_CMSG_EXEC_SHELL, PKT_END);
5122 logevent("Started session");
5123 }
5124
5125 ssh->state = SSH_STATE_SESSION;
5126 if (ssh->size_needed)
5127 ssh_size(ssh, ssh->term_width, ssh->term_height);
5128 if (ssh->eof_needed)
5129 ssh_special(ssh, TS_EOF);
5130
5131 if (ssh->ldisc)
5132 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
5133 ssh->send_ok = 1;
5134 ssh->channels = newtree234(ssh_channelcmp);
5135 while (1) {
5136
5137 /*
5138 * By this point, most incoming packets are already being
5139 * handled by the dispatch table, and we need only pay
5140 * attention to the unusual ones.
5141 */
5142
5143 crReturnV;
5144 if (pktin) {
5145 if (pktin->type == SSH1_SMSG_SUCCESS) {
5146 /* may be from EXEC_SHELL on some servers */
5147 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5148 /* may be from EXEC_SHELL on some servers
5149 * if no pty is available or in other odd cases. Ignore */
5150 } else {
5151 bombout(("Strange packet received: type %d", pktin->type));
5152 crStopV;
5153 }
5154 } else {
5155 while (inlen > 0) {
5156 int len = min(inlen, 512);
5157 send_packet(ssh, SSH1_CMSG_STDIN_DATA,
5158 PKT_INT, len, PKTT_DATA, PKT_DATA, in, len,
5159 PKTT_OTHER, PKT_END);
5160 in += len;
5161 inlen -= len;
5162 }
5163 }
5164 }
5165
5166 crFinishV;
5167 }
5168
5169 /*
5170 * Handle the top-level SSH-2 protocol.
5171 */
5172 static void ssh1_msg_debug(Ssh ssh, struct Packet *pktin)
5173 {
5174 char *msg;
5175 int msglen;
5176
5177 ssh_pkt_getstring(pktin, &msg, &msglen);
5178 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
5179 }
5180
5181 static void ssh1_msg_disconnect(Ssh ssh, struct Packet *pktin)
5182 {
5183 /* log reason code in disconnect message */
5184 char *msg;
5185 int msglen;
5186
5187 ssh_pkt_getstring(pktin, &msg, &msglen);
5188 bombout(("Server sent disconnect message:\n\"%.*s\"", msglen, msg));
5189 }
5190
5191 static void ssh_msg_ignore(Ssh ssh, struct Packet *pktin)
5192 {
5193 /* Do nothing, because we're ignoring it! Duhh. */
5194 }
5195
5196 static void ssh1_protocol_setup(Ssh ssh)
5197 {
5198 int i;
5199
5200 /*
5201 * Most messages are handled by the coroutines.
5202 */
5203 for (i = 0; i < 256; i++)
5204 ssh->packet_dispatch[i] = NULL;
5205
5206 /*
5207 * These special message types we install handlers for.
5208 */
5209 ssh->packet_dispatch[SSH1_MSG_DISCONNECT] = ssh1_msg_disconnect;
5210 ssh->packet_dispatch[SSH1_MSG_IGNORE] = ssh_msg_ignore;
5211 ssh->packet_dispatch[SSH1_MSG_DEBUG] = ssh1_msg_debug;
5212 }
5213
5214 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
5215 struct Packet *pktin)
5216 {
5217 unsigned char *in=(unsigned char*)vin;
5218 if (ssh->state == SSH_STATE_CLOSED)
5219 return;
5220
5221 if (pktin && ssh->packet_dispatch[pktin->type]) {
5222 ssh->packet_dispatch[pktin->type](ssh, pktin);
5223 return;
5224 }
5225
5226 if (!ssh->protocol_initial_phase_done) {
5227 if (do_ssh1_login(ssh, in, inlen, pktin))
5228 ssh->protocol_initial_phase_done = TRUE;
5229 else
5230 return;
5231 }
5232
5233 do_ssh1_connection(ssh, in, inlen, pktin);
5234 }
5235
5236 /*
5237 * Utility routine for decoding comma-separated strings in KEXINIT.
5238 */
5239 static int in_commasep_string(char *needle, char *haystack, int haylen)
5240 {
5241 int needlen;
5242 if (!needle || !haystack) /* protect against null pointers */
5243 return 0;
5244 needlen = strlen(needle);
5245 while (1) {
5246 /*
5247 * Is it at the start of the string?
5248 */
5249 if (haylen >= needlen && /* haystack is long enough */
5250 !memcmp(needle, haystack, needlen) && /* initial match */
5251 (haylen == needlen || haystack[needlen] == ',')
5252 /* either , or EOS follows */
5253 )
5254 return 1;
5255 /*
5256 * If not, search for the next comma and resume after that.
5257 * If no comma found, terminate.
5258 */
5259 while (haylen > 0 && *haystack != ',')
5260 haylen--, haystack++;
5261 if (haylen == 0)
5262 return 0;
5263 haylen--, haystack++; /* skip over comma itself */
5264 }
5265 }
5266
5267 /*
5268 * Similar routine for checking whether we have the first string in a list.
5269 */
5270 static int first_in_commasep_string(char *needle, char *haystack, int haylen)
5271 {
5272 int needlen;
5273 if (!needle || !haystack) /* protect against null pointers */
5274 return 0;
5275 needlen = strlen(needle);
5276 /*
5277 * Is it at the start of the string?
5278 */
5279 if (haylen >= needlen && /* haystack is long enough */
5280 !memcmp(needle, haystack, needlen) && /* initial match */
5281 (haylen == needlen || haystack[needlen] == ',')
5282 /* either , or EOS follows */
5283 )
5284 return 1;
5285 return 0;
5286 }
5287
5288
5289 /*
5290 * SSH-2 key creation method.
5291 * (Currently assumes 2 lots of any hash are sufficient to generate
5292 * keys/IVs for any cipher/MAC. SSH2_MKKEY_ITERS documents this assumption.)
5293 */
5294 #define SSH2_MKKEY_ITERS (2)
5295 static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,
5296 unsigned char *keyspace)
5297 {
5298 const struct ssh_hash *h = ssh->kex->hash;
5299 void *s;
5300 /* First hlen bytes. */
5301 s = h->init();
5302 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5303 hash_mpint(h, s, K);
5304 h->bytes(s, H, h->hlen);
5305 h->bytes(s, &chr, 1);
5306 h->bytes(s, ssh->v2_session_id, ssh->v2_session_id_len);
5307 h->final(s, keyspace);
5308 /* Next hlen bytes. */
5309 s = h->init();
5310 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5311 hash_mpint(h, s, K);
5312 h->bytes(s, H, h->hlen);
5313 h->bytes(s, keyspace, h->hlen);
5314 h->final(s, keyspace + h->hlen);
5315 }
5316
5317 /*
5318 * Handle the SSH-2 transport layer.
5319 */
5320 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
5321 struct Packet *pktin)
5322 {
5323 unsigned char *in = (unsigned char *)vin;
5324 struct do_ssh2_transport_state {
5325 int nbits, pbits, warn_kex, warn_cscipher, warn_sccipher;
5326 Bignum p, g, e, f, K;
5327 void *our_kexinit;
5328 int our_kexinitlen;
5329 int kex_init_value, kex_reply_value;
5330 const struct ssh_mac **maclist;
5331 int nmacs;
5332 const struct ssh2_cipher *cscipher_tobe;
5333 const struct ssh2_cipher *sccipher_tobe;
5334 const struct ssh_mac *csmac_tobe;
5335 const struct ssh_mac *scmac_tobe;
5336 const struct ssh_compress *cscomp_tobe;
5337 const struct ssh_compress *sccomp_tobe;
5338 char *hostkeydata, *sigdata, *rsakeydata, *keystr, *fingerprint;
5339 int hostkeylen, siglen, rsakeylen;
5340 void *hkey; /* actual host key */
5341 void *rsakey; /* for RSA kex */
5342 unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
5343 int n_preferred_kex;
5344 const struct ssh_kexes *preferred_kex[KEX_MAX];
5345 int n_preferred_ciphers;
5346 const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
5347 const struct ssh_compress *preferred_comp;
5348 int got_session_id, activated_authconn;
5349 struct Packet *pktout;
5350 int dlgret;
5351 int guessok;
5352 int ignorepkt;
5353 };
5354 crState(do_ssh2_transport_state);
5355
5356 crBegin(ssh->do_ssh2_transport_crstate);
5357
5358 s->cscipher_tobe = s->sccipher_tobe = NULL;
5359 s->csmac_tobe = s->scmac_tobe = NULL;
5360 s->cscomp_tobe = s->sccomp_tobe = NULL;
5361
5362 s->got_session_id = s->activated_authconn = FALSE;
5363
5364 /*
5365 * Be prepared to work around the buggy MAC problem.
5366 */
5367 if (ssh->remote_bugs & BUG_SSH2_HMAC)
5368 s->maclist = buggymacs, s->nmacs = lenof(buggymacs);
5369 else
5370 s->maclist = macs, s->nmacs = lenof(macs);
5371
5372 begin_key_exchange:
5373 ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
5374 {
5375 int i, j, commalist_started;
5376
5377 /*
5378 * Set up the preferred key exchange. (NULL => warn below here)
5379 */
5380 s->n_preferred_kex = 0;
5381 for (i = 0; i < KEX_MAX; i++) {
5382 switch (ssh->cfg.ssh_kexlist[i]) {
5383 case KEX_DHGEX:
5384 s->preferred_kex[s->n_preferred_kex++] =
5385 &ssh_diffiehellman_gex;
5386 break;
5387 case KEX_DHGROUP14:
5388 s->preferred_kex[s->n_preferred_kex++] =
5389 &ssh_diffiehellman_group14;
5390 break;
5391 case KEX_DHGROUP1:
5392 s->preferred_kex[s->n_preferred_kex++] =
5393 &ssh_diffiehellman_group1;
5394 break;
5395 case KEX_RSA:
5396 s->preferred_kex[s->n_preferred_kex++] =
5397 &ssh_rsa_kex;
5398 break;
5399 case KEX_WARN:
5400 /* Flag for later. Don't bother if it's the last in
5401 * the list. */
5402 if (i < KEX_MAX - 1) {
5403 s->preferred_kex[s->n_preferred_kex++] = NULL;
5404 }
5405 break;
5406 }
5407 }
5408
5409 /*
5410 * Set up the preferred ciphers. (NULL => warn below here)
5411 */
5412 s->n_preferred_ciphers = 0;
5413 for (i = 0; i < CIPHER_MAX; i++) {
5414 switch (ssh->cfg.ssh_cipherlist[i]) {
5415 case CIPHER_BLOWFISH:
5416 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_blowfish;
5417 break;
5418 case CIPHER_DES:
5419 if (ssh->cfg.ssh2_des_cbc) {
5420 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_des;
5421 }
5422 break;
5423 case CIPHER_3DES:
5424 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_3des;
5425 break;
5426 case CIPHER_AES:
5427 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_aes;
5428 break;
5429 case CIPHER_ARCFOUR:
5430 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour;
5431 break;
5432 case CIPHER_WARN:
5433 /* Flag for later. Don't bother if it's the last in
5434 * the list. */
5435 if (i < CIPHER_MAX - 1) {
5436 s->preferred_ciphers[s->n_preferred_ciphers++] = NULL;
5437 }
5438 break;
5439 }
5440 }
5441
5442 /*
5443 * Set up preferred compression.
5444 */
5445 if (ssh->cfg.compression)
5446 s->preferred_comp = &ssh_zlib;
5447 else
5448 s->preferred_comp = &ssh_comp_none;
5449
5450 /*
5451 * Enable queueing of outgoing auth- or connection-layer
5452 * packets while we are in the middle of a key exchange.
5453 */
5454 ssh->queueing = TRUE;
5455
5456 /*
5457 * Flag that KEX is in progress.
5458 */
5459 ssh->kex_in_progress = TRUE;
5460
5461 /*
5462 * Construct and send our key exchange packet.
5463 */
5464 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXINIT);
5465 for (i = 0; i < 16; i++)
5466 ssh2_pkt_addbyte(s->pktout, (unsigned char) random_byte());
5467 /* List key exchange algorithms. */
5468 ssh2_pkt_addstring_start(s->pktout);
5469 commalist_started = 0;
5470 for (i = 0; i < s->n_preferred_kex; i++) {
5471 const struct ssh_kexes *k = s->preferred_kex[i];
5472 if (!k) continue; /* warning flag */
5473 for (j = 0; j < k->nkexes; j++) {
5474 if (commalist_started)
5475 ssh2_pkt_addstring_str(s->pktout, ",");
5476 ssh2_pkt_addstring_str(s->pktout, k->list[j]->name);
5477 commalist_started = 1;
5478 }
5479 }
5480 /* List server host key algorithms. */
5481 ssh2_pkt_addstring_start(s->pktout);
5482 for (i = 0; i < lenof(hostkey_algs); i++) {
5483 ssh2_pkt_addstring_str(s->pktout, hostkey_algs[i]->name);
5484 if (i < lenof(hostkey_algs) - 1)
5485 ssh2_pkt_addstring_str(s->pktout, ",");
5486 }
5487 /* List client->server encryption algorithms. */
5488 ssh2_pkt_addstring_start(s->pktout);
5489 commalist_started = 0;
5490 for (i = 0; i < s->n_preferred_ciphers; i++) {
5491 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5492 if (!c) continue; /* warning flag */
5493 for (j = 0; j < c->nciphers; j++) {
5494 if (commalist_started)
5495 ssh2_pkt_addstring_str(s->pktout, ",");
5496 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5497 commalist_started = 1;
5498 }
5499 }
5500 /* List server->client encryption algorithms. */
5501 ssh2_pkt_addstring_start(s->pktout);
5502 commalist_started = 0;
5503 for (i = 0; i < s->n_preferred_ciphers; i++) {
5504 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5505 if (!c) continue; /* warning flag */
5506 for (j = 0; j < c->nciphers; j++) {
5507 if (commalist_started)
5508 ssh2_pkt_addstring_str(s->pktout, ",");
5509 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5510 commalist_started = 1;
5511 }
5512 }
5513 /* List client->server MAC algorithms. */
5514 ssh2_pkt_addstring_start(s->pktout);
5515 for (i = 0; i < s->nmacs; i++) {
5516 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5517 if (i < s->nmacs - 1)
5518 ssh2_pkt_addstring_str(s->pktout, ",");
5519 }
5520 /* List server->client MAC algorithms. */
5521 ssh2_pkt_addstring_start(s->pktout);
5522 for (i = 0; i < s->nmacs; i++) {
5523 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5524 if (i < s->nmacs - 1)
5525 ssh2_pkt_addstring_str(s->pktout, ",");
5526 }
5527 /* List client->server compression algorithms. */
5528 ssh2_pkt_addstring_start(s->pktout);
5529 assert(lenof(compressions) > 1);
5530 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5531 for (i = 0; i < lenof(compressions); i++) {
5532 const struct ssh_compress *c = compressions[i];
5533 if (c != s->preferred_comp) {
5534 ssh2_pkt_addstring_str(s->pktout, ",");
5535 ssh2_pkt_addstring_str(s->pktout, c->name);
5536 }
5537 }
5538 /* List server->client compression algorithms. */
5539 ssh2_pkt_addstring_start(s->pktout);
5540 assert(lenof(compressions) > 1);
5541 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5542 for (i = 0; i < lenof(compressions); i++) {
5543 const struct ssh_compress *c = compressions[i];
5544 if (c != s->preferred_comp) {
5545 ssh2_pkt_addstring_str(s->pktout, ",");
5546 ssh2_pkt_addstring_str(s->pktout, c->name);
5547 }
5548 }
5549 /* List client->server languages. Empty list. */
5550 ssh2_pkt_addstring_start(s->pktout);
5551 /* List server->client languages. Empty list. */
5552 ssh2_pkt_addstring_start(s->pktout);
5553 /* First KEX packet does _not_ follow, because we're not that brave. */
5554 ssh2_pkt_addbool(s->pktout, FALSE);
5555 /* Reserved. */
5556 ssh2_pkt_adduint32(s->pktout, 0);
5557 }
5558
5559 s->our_kexinitlen = s->pktout->length - 5;
5560 s->our_kexinit = snewn(s->our_kexinitlen, unsigned char);
5561 memcpy(s->our_kexinit, s->pktout->data + 5, s->our_kexinitlen);
5562
5563 ssh2_pkt_send_noqueue(ssh, s->pktout);
5564
5565 if (!pktin)
5566 crWaitUntil(pktin);
5567
5568 /*
5569 * Now examine the other side's KEXINIT to see what we're up
5570 * to.
5571 */
5572 {
5573 char *str, *preferred;
5574 int i, j, len;
5575
5576 if (pktin->type != SSH2_MSG_KEXINIT) {
5577 bombout(("expected key exchange packet from server"));
5578 crStop(0);
5579 }
5580 ssh->kex = NULL;
5581 ssh->hostkey = NULL;
5582 s->cscipher_tobe = NULL;
5583 s->sccipher_tobe = NULL;
5584 s->csmac_tobe = NULL;
5585 s->scmac_tobe = NULL;
5586 s->cscomp_tobe = NULL;
5587 s->sccomp_tobe = NULL;
5588 s->warn_kex = s->warn_cscipher = s->warn_sccipher = FALSE;
5589
5590 pktin->savedpos += 16; /* skip garbage cookie */
5591 ssh_pkt_getstring(pktin, &str, &len); /* key exchange algorithms */
5592
5593 preferred = NULL;
5594 for (i = 0; i < s->n_preferred_kex; i++) {
5595 const struct ssh_kexes *k = s->preferred_kex[i];
5596 if (!k) {
5597 s->warn_kex = TRUE;
5598 } else {
5599 for (j = 0; j < k->nkexes; j++) {
5600 if (!preferred) preferred = k->list[j]->name;
5601 if (in_commasep_string(k->list[j]->name, str, len)) {
5602 ssh->kex = k->list[j];
5603 break;
5604 }
5605 }
5606 }
5607 if (ssh->kex)
5608 break;
5609 }
5610 if (!ssh->kex) {
5611 bombout(("Couldn't agree a key exchange algorithm (available: %s)",
5612 str ? str : "(null)"));
5613 crStop(0);
5614 }
5615 /*
5616 * Note that the server's guess is considered wrong if it doesn't match
5617 * the first algorithm in our list, even if it's still the algorithm
5618 * we end up using.
5619 */
5620 s->guessok = first_in_commasep_string(preferred, str, len);
5621 ssh_pkt_getstring(pktin, &str, &len); /* host key algorithms */
5622 for (i = 0; i < lenof(hostkey_algs); i++) {
5623 if (in_commasep_string(hostkey_algs[i]->name, str, len)) {
5624 ssh->hostkey = hostkey_algs[i];
5625 break;
5626 }
5627 }
5628 s->guessok = s->guessok &&
5629 first_in_commasep_string(hostkey_algs[0]->name, str, len);
5630 ssh_pkt_getstring(pktin, &str, &len); /* client->server cipher */
5631 for (i = 0; i < s->n_preferred_ciphers; i++) {
5632 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5633 if (!c) {
5634 s->warn_cscipher = TRUE;
5635 } else {
5636 for (j = 0; j < c->nciphers; j++) {
5637 if (in_commasep_string(c->list[j]->name, str, len)) {
5638 s->cscipher_tobe = c->list[j];
5639 break;
5640 }
5641 }
5642 }
5643 if (s->cscipher_tobe)
5644 break;
5645 }
5646 if (!s->cscipher_tobe) {
5647 bombout(("Couldn't agree a client-to-server cipher (available: %s)",
5648 str ? str : "(null)"));
5649 crStop(0);
5650 }
5651
5652 ssh_pkt_getstring(pktin, &str, &len); /* server->client cipher */
5653 for (i = 0; i < s->n_preferred_ciphers; i++) {
5654 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5655 if (!c) {
5656 s->warn_sccipher = TRUE;
5657 } else {
5658 for (j = 0; j < c->nciphers; j++) {
5659 if (in_commasep_string(c->list[j]->name, str, len)) {
5660 s->sccipher_tobe = c->list[j];
5661 break;
5662 }
5663 }
5664 }
5665 if (s->sccipher_tobe)
5666 break;
5667 }
5668 if (!s->sccipher_tobe) {
5669 bombout(("Couldn't agree a server-to-client cipher (available: %s)",
5670 str ? str : "(null)"));
5671 crStop(0);
5672 }
5673
5674 ssh_pkt_getstring(pktin, &str, &len); /* client->server mac */
5675 for (i = 0; i < s->nmacs; i++) {
5676 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5677 s->csmac_tobe = s->maclist[i];
5678 break;
5679 }
5680 }
5681 ssh_pkt_getstring(pktin, &str, &len); /* server->client mac */
5682 for (i = 0; i < s->nmacs; i++) {
5683 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5684 s->scmac_tobe = s->maclist[i];
5685 break;
5686 }
5687 }
5688 ssh_pkt_getstring(pktin, &str, &len); /* client->server compression */
5689 for (i = 0; i < lenof(compressions) + 1; i++) {
5690 const struct ssh_compress *c =
5691 i == 0 ? s->preferred_comp : compressions[i - 1];
5692 if (in_commasep_string(c->name, str, len)) {
5693 s->cscomp_tobe = c;
5694 break;
5695 }
5696 }
5697 ssh_pkt_getstring(pktin, &str, &len); /* server->client compression */
5698 for (i = 0; i < lenof(compressions) + 1; i++) {
5699 const struct ssh_compress *c =
5700 i == 0 ? s->preferred_comp : compressions[i - 1];
5701 if (in_commasep_string(c->name, str, len)) {
5702 s->sccomp_tobe = c;
5703 break;
5704 }
5705 }
5706 ssh_pkt_getstring(pktin, &str, &len); /* client->server language */
5707 ssh_pkt_getstring(pktin, &str, &len); /* server->client language */
5708 s->ignorepkt = ssh2_pkt_getbool(pktin) && !s->guessok;
5709
5710 if (s->warn_kex) {
5711 ssh_set_frozen(ssh, 1);
5712 s->dlgret = askalg(ssh->frontend, "key-exchange algorithm",
5713 ssh->kex->name,
5714 ssh_dialog_callback, ssh);
5715 if (s->dlgret < 0) {
5716 do {
5717 crReturn(0);
5718 if (pktin) {
5719 bombout(("Unexpected data from server while"
5720 " waiting for user response"));
5721 crStop(0);
5722 }
5723 } while (pktin || inlen > 0);
5724 s->dlgret = ssh->user_response;
5725 }
5726 ssh_set_frozen(ssh, 0);
5727 if (s->dlgret == 0) {
5728 ssh_disconnect(ssh, "User aborted at kex warning", NULL,
5729 0, TRUE);
5730 crStop(0);
5731 }
5732 }
5733
5734 if (s->warn_cscipher) {
5735 ssh_set_frozen(ssh, 1);
5736 s->dlgret = askalg(ssh->frontend,
5737 "client-to-server cipher",
5738 s->cscipher_tobe->name,
5739 ssh_dialog_callback, ssh);
5740 if (s->dlgret < 0) {
5741 do {
5742 crReturn(0);
5743 if (pktin) {
5744 bombout(("Unexpected data from server while"
5745 " waiting for user response"));
5746 crStop(0);
5747 }
5748 } while (pktin || inlen > 0);
5749 s->dlgret = ssh->user_response;
5750 }
5751 ssh_set_frozen(ssh, 0);
5752 if (s->dlgret == 0) {
5753 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5754 0, TRUE);
5755 crStop(0);
5756 }
5757 }
5758
5759 if (s->warn_sccipher) {
5760 ssh_set_frozen(ssh, 1);
5761 s->dlgret = askalg(ssh->frontend,
5762 "server-to-client cipher",
5763 s->sccipher_tobe->name,
5764 ssh_dialog_callback, ssh);
5765 if (s->dlgret < 0) {
5766 do {
5767 crReturn(0);
5768 if (pktin) {
5769 bombout(("Unexpected data from server while"
5770 " waiting for user response"));
5771 crStop(0);
5772 }
5773 } while (pktin || inlen > 0);
5774 s->dlgret = ssh->user_response;
5775 }
5776 ssh_set_frozen(ssh, 0);
5777 if (s->dlgret == 0) {
5778 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5779 0, TRUE);
5780 crStop(0);
5781 }
5782 }
5783
5784 ssh->exhash = ssh->kex->hash->init();
5785 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_c, strlen(ssh->v_c));
5786 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_s, strlen(ssh->v_s));
5787 hash_string(ssh->kex->hash, ssh->exhash,
5788 s->our_kexinit, s->our_kexinitlen);
5789 sfree(s->our_kexinit);
5790 if (pktin->length > 5)
5791 hash_string(ssh->kex->hash, ssh->exhash,
5792 pktin->data + 5, pktin->length - 5);
5793
5794 if (s->ignorepkt) /* first_kex_packet_follows */
5795 crWaitUntil(pktin); /* Ignore packet */
5796 }
5797
5798 if (ssh->kex->main_type == KEXTYPE_DH) {
5799 /*
5800 * Work out the number of bits of key we will need from the
5801 * key exchange. We start with the maximum key length of
5802 * either cipher...
5803 */
5804 {
5805 int csbits, scbits;
5806
5807 csbits = s->cscipher_tobe->keylen;
5808 scbits = s->sccipher_tobe->keylen;
5809 s->nbits = (csbits > scbits ? csbits : scbits);
5810 }
5811 /* The keys only have hlen-bit entropy, since they're based on
5812 * a hash. So cap the key size at hlen bits. */
5813 if (s->nbits > ssh->kex->hash->hlen * 8)
5814 s->nbits = ssh->kex->hash->hlen * 8;
5815
5816 /*
5817 * If we're doing Diffie-Hellman group exchange, start by
5818 * requesting a group.
5819 */
5820 if (!ssh->kex->pdata) {
5821 logevent("Doing Diffie-Hellman group exchange");
5822 ssh->pkt_kctx = SSH2_PKTCTX_DHGEX;
5823 /*
5824 * Work out how big a DH group we will need to allow that
5825 * much data.
5826 */
5827 s->pbits = 512 << ((s->nbits - 1) / 64);
5828 s->pktout = ssh2_pkt_init(SSH2_MSG_KEX_DH_GEX_REQUEST);
5829 ssh2_pkt_adduint32(s->pktout, s->pbits);
5830 ssh2_pkt_send_noqueue(ssh, s->pktout);
5831
5832 crWaitUntil(pktin);
5833 if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
5834 bombout(("expected key exchange group packet from server"));
5835 crStop(0);
5836 }
5837 s->p = ssh2_pkt_getmp(pktin);
5838 s->g = ssh2_pkt_getmp(pktin);
5839 if (!s->p || !s->g) {
5840 bombout(("unable to read mp-ints from incoming group packet"));
5841 crStop(0);
5842 }
5843 ssh->kex_ctx = dh_setup_gex(s->p, s->g);
5844 s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
5845 s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
5846 } else {
5847 ssh->pkt_kctx = SSH2_PKTCTX_DHGROUP;
5848 ssh->kex_ctx = dh_setup_group(ssh->kex);
5849 s->kex_init_value = SSH2_MSG_KEXDH_INIT;
5850 s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
5851 logeventf(ssh, "Using Diffie-Hellman with standard group \"%s\"",
5852 ssh->kex->groupname);
5853 }
5854
5855 logeventf(ssh, "Doing Diffie-Hellman key exchange with hash %s",
5856 ssh->kex->hash->text_name);
5857 /*
5858 * Now generate and send e for Diffie-Hellman.
5859 */
5860 set_busy_status(ssh->frontend, BUSY_CPU); /* this can take a while */
5861 s->e = dh_create_e(ssh->kex_ctx, s->nbits * 2);
5862 s->pktout = ssh2_pkt_init(s->kex_init_value);
5863 ssh2_pkt_addmp(s->pktout, s->e);
5864 ssh2_pkt_send_noqueue(ssh, s->pktout);
5865
5866 set_busy_status(ssh->frontend, BUSY_WAITING); /* wait for server */
5867 crWaitUntil(pktin);
5868 if (pktin->type != s->kex_reply_value) {
5869 bombout(("expected key exchange reply packet from server"));
5870 crStop(0);
5871 }
5872 set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
5873 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5874 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5875 s->f = ssh2_pkt_getmp(pktin);
5876 if (!s->f) {
5877 bombout(("unable to parse key exchange reply packet"));
5878 crStop(0);
5879 }
5880 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
5881
5882 s->K = dh_find_K(ssh->kex_ctx, s->f);
5883
5884 /* We assume everything from now on will be quick, and it might
5885 * involve user interaction. */
5886 set_busy_status(ssh->frontend, BUSY_NOT);
5887
5888 hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
5889 if (!ssh->kex->pdata) {
5890 hash_uint32(ssh->kex->hash, ssh->exhash, s->pbits);
5891 hash_mpint(ssh->kex->hash, ssh->exhash, s->p);
5892 hash_mpint(ssh->kex->hash, ssh->exhash, s->g);
5893 }
5894 hash_mpint(ssh->kex->hash, ssh->exhash, s->e);
5895 hash_mpint(ssh->kex->hash, ssh->exhash, s->f);
5896
5897 dh_cleanup(ssh->kex_ctx);
5898 freebn(s->f);
5899 if (!ssh->kex->pdata) {
5900 freebn(s->g);
5901 freebn(s->p);
5902 }
5903 } else {
5904 logeventf(ssh, "Doing RSA key exchange with hash %s",
5905 ssh->kex->hash->text_name);
5906 ssh->pkt_kctx = SSH2_PKTCTX_RSAKEX;
5907 /*
5908 * RSA key exchange. First expect a KEXRSA_PUBKEY packet
5909 * from the server.
5910 */
5911 crWaitUntil(pktin);
5912 if (pktin->type != SSH2_MSG_KEXRSA_PUBKEY) {
5913 bombout(("expected RSA public key packet from server"));
5914 crStop(0);
5915 }
5916
5917 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5918 hash_string(ssh->kex->hash, ssh->exhash,
5919 s->hostkeydata, s->hostkeylen);
5920 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5921
5922 {
5923 char *keydata;
5924 ssh_pkt_getstring(pktin, &keydata, &s->rsakeylen);
5925 s->rsakeydata = snewn(s->rsakeylen, char);
5926 memcpy(s->rsakeydata, keydata, s->rsakeylen);
5927 }
5928
5929 s->rsakey = ssh_rsakex_newkey(s->rsakeydata, s->rsakeylen);
5930 if (!s->rsakey) {
5931 sfree(s->rsakeydata);
5932 bombout(("unable to parse RSA public key from server"));
5933 crStop(0);
5934 }
5935
5936 hash_string(ssh->kex->hash, ssh->exhash, s->rsakeydata, s->rsakeylen);
5937
5938 /*
5939 * Next, set up a shared secret K, of precisely KLEN -
5940 * 2*HLEN - 49 bits, where KLEN is the bit length of the
5941 * RSA key modulus and HLEN is the bit length of the hash
5942 * we're using.
5943 */
5944 {
5945 int klen = ssh_rsakex_klen(s->rsakey);
5946 int nbits = klen - (2*ssh->kex->hash->hlen*8 + 49);
5947 int i, byte = 0;
5948 unsigned char *kstr1, *kstr2, *outstr;
5949 int kstr1len, kstr2len, outstrlen;
5950
5951 s->K = bn_power_2(nbits - 1);
5952
5953 for (i = 0; i < nbits; i++) {
5954 if ((i & 7) == 0) {
5955 byte = random_byte();
5956 }
5957 bignum_set_bit(s->K, i, (byte >> (i & 7)) & 1);
5958 }
5959
5960 /*
5961 * Encode this as an mpint.
5962 */
5963 kstr1 = ssh2_mpint_fmt(s->K, &kstr1len);
5964 kstr2 = snewn(kstr2len = 4 + kstr1len, unsigned char);
5965 PUT_32BIT(kstr2, kstr1len);
5966 memcpy(kstr2 + 4, kstr1, kstr1len);
5967
5968 /*
5969 * Encrypt it with the given RSA key.
5970 */
5971 outstrlen = (klen + 7) / 8;
5972 outstr = snewn(outstrlen, unsigned char);
5973 ssh_rsakex_encrypt(ssh->kex->hash, kstr2, kstr2len,
5974 outstr, outstrlen, s->rsakey);
5975
5976 /*
5977 * And send it off in a return packet.
5978 */
5979 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXRSA_SECRET);
5980 ssh2_pkt_addstring_start(s->pktout);
5981 ssh2_pkt_addstring_data(s->pktout, (char *)outstr, outstrlen);
5982 ssh2_pkt_send_noqueue(ssh, s->pktout);
5983
5984 hash_string(ssh->kex->hash, ssh->exhash, outstr, outstrlen);
5985
5986 sfree(kstr2);
5987 sfree(kstr1);
5988 sfree(outstr);
5989 }
5990
5991 ssh_rsakex_freekey(s->rsakey);
5992
5993 crWaitUntil(pktin);
5994 if (pktin->type != SSH2_MSG_KEXRSA_DONE) {
5995 sfree(s->rsakeydata);
5996 bombout(("expected signature packet from server"));
5997 crStop(0);
5998 }
5999
6000 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
6001
6002 sfree(s->rsakeydata);
6003 }
6004
6005 hash_mpint(ssh->kex->hash, ssh->exhash, s->K);
6006 assert(ssh->kex->hash->hlen <= sizeof(s->exchange_hash));
6007 ssh->kex->hash->final(ssh->exhash, s->exchange_hash);
6008
6009 ssh->kex_ctx = NULL;
6010
6011 #if 0
6012 debug(("Exchange hash is:\n"));
6013 dmemdump(s->exchange_hash, ssh->kex->hash->hlen);
6014 #endif
6015
6016 if (!s->hkey ||
6017 !ssh->hostkey->verifysig(s->hkey, s->sigdata, s->siglen,
6018 (char *)s->exchange_hash,
6019 ssh->kex->hash->hlen)) {
6020 bombout(("Server's host key did not match the signature supplied"));
6021 crStop(0);
6022 }
6023
6024 /*
6025 * Authenticate remote host: verify host key. (We've already
6026 * checked the signature of the exchange hash.)
6027 */
6028 s->keystr = ssh->hostkey->fmtkey(s->hkey);
6029 s->fingerprint = ssh->hostkey->fingerprint(s->hkey);
6030 ssh_set_frozen(ssh, 1);
6031 s->dlgret = verify_ssh_host_key(ssh->frontend,
6032 ssh->savedhost, ssh->savedport,
6033 ssh->hostkey->keytype, s->keystr,
6034 s->fingerprint,
6035 ssh_dialog_callback, ssh);
6036 if (s->dlgret < 0) {
6037 do {
6038 crReturn(0);
6039 if (pktin) {
6040 bombout(("Unexpected data from server while waiting"
6041 " for user host key response"));
6042 crStop(0);
6043 }
6044 } while (pktin || inlen > 0);
6045 s->dlgret = ssh->user_response;
6046 }
6047 ssh_set_frozen(ssh, 0);
6048 if (s->dlgret == 0) {
6049 ssh_disconnect(ssh, "User aborted at host key verification", NULL,
6050 0, TRUE);
6051 crStop(0);
6052 }
6053 if (!s->got_session_id) { /* don't bother logging this in rekeys */
6054 logevent("Host key fingerprint is:");
6055 logevent(s->fingerprint);
6056 }
6057 sfree(s->fingerprint);
6058 sfree(s->keystr);
6059 ssh->hostkey->freekey(s->hkey);
6060
6061 /*
6062 * The exchange hash from the very first key exchange is also
6063 * the session id, used in session key construction and
6064 * authentication.
6065 */
6066 if (!s->got_session_id) {
6067 assert(sizeof(s->exchange_hash) <= sizeof(ssh->v2_session_id));
6068 memcpy(ssh->v2_session_id, s->exchange_hash,
6069 sizeof(s->exchange_hash));
6070 ssh->v2_session_id_len = ssh->kex->hash->hlen;
6071 assert(ssh->v2_session_id_len <= sizeof(ssh->v2_session_id));
6072 s->got_session_id = TRUE;
6073 }
6074
6075 /*
6076 * Send SSH2_MSG_NEWKEYS.
6077 */
6078 s->pktout = ssh2_pkt_init(SSH2_MSG_NEWKEYS);
6079 ssh2_pkt_send_noqueue(ssh, s->pktout);
6080 ssh->outgoing_data_size = 0; /* start counting from here */
6081
6082 /*
6083 * We've sent client NEWKEYS, so create and initialise
6084 * client-to-server session keys.
6085 */
6086 if (ssh->cs_cipher_ctx)
6087 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
6088 ssh->cscipher = s->cscipher_tobe;
6089 ssh->cs_cipher_ctx = ssh->cscipher->make_context();
6090
6091 if (ssh->cs_mac_ctx)
6092 ssh->csmac->free_context(ssh->cs_mac_ctx);
6093 ssh->csmac = s->csmac_tobe;
6094 ssh->cs_mac_ctx = ssh->csmac->make_context();
6095
6096 if (ssh->cs_comp_ctx)
6097 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
6098 ssh->cscomp = s->cscomp_tobe;
6099 ssh->cs_comp_ctx = ssh->cscomp->compress_init();
6100
6101 /*
6102 * Set IVs on client-to-server keys. Here we use the exchange
6103 * hash from the _first_ key exchange.
6104 */
6105 {
6106 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
6107 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6108 ssh2_mkkey(ssh,s->K,s->exchange_hash,'C',keyspace);
6109 assert((ssh->cscipher->keylen+7) / 8 <=
6110 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6111 ssh->cscipher->setkey(ssh->cs_cipher_ctx, keyspace);
6112 ssh2_mkkey(ssh,s->K,s->exchange_hash,'A',keyspace);
6113 assert(ssh->cscipher->blksize <=
6114 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6115 ssh->cscipher->setiv(ssh->cs_cipher_ctx, keyspace);
6116 ssh2_mkkey(ssh,s->K,s->exchange_hash,'E',keyspace);
6117 assert(ssh->csmac->len <=
6118 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6119 ssh->csmac->setkey(ssh->cs_mac_ctx, keyspace);
6120 memset(keyspace, 0, sizeof(keyspace));
6121 }
6122
6123 logeventf(ssh, "Initialised %.200s client->server encryption",
6124 ssh->cscipher->text_name);
6125 logeventf(ssh, "Initialised %.200s client->server MAC algorithm",
6126 ssh->csmac->text_name);
6127 if (ssh->cscomp->text_name)
6128 logeventf(ssh, "Initialised %s compression",
6129 ssh->cscomp->text_name);
6130
6131 /*
6132 * Now our end of the key exchange is complete, we can send all
6133 * our queued higher-layer packets.
6134 */
6135 ssh->queueing = FALSE;
6136 ssh2_pkt_queuesend(ssh);
6137
6138 /*
6139 * Expect SSH2_MSG_NEWKEYS from server.
6140 */
6141 crWaitUntil(pktin);
6142 if (pktin->type != SSH2_MSG_NEWKEYS) {
6143 bombout(("expected new-keys packet from server"));
6144 crStop(0);
6145 }
6146 ssh->incoming_data_size = 0; /* start counting from here */
6147
6148 /*
6149 * We've seen server NEWKEYS, so create and initialise
6150 * server-to-client session keys.
6151 */
6152 if (ssh->sc_cipher_ctx)
6153 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
6154 ssh->sccipher = s->sccipher_tobe;
6155 ssh->sc_cipher_ctx = ssh->sccipher->make_context();
6156
6157 if (ssh->sc_mac_ctx)
6158 ssh->scmac->free_context(ssh->sc_mac_ctx);
6159 ssh->scmac = s->scmac_tobe;
6160 ssh->sc_mac_ctx = ssh->scmac->make_context();
6161
6162 if (ssh->sc_comp_ctx)
6163 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
6164 ssh->sccomp = s->sccomp_tobe;
6165 ssh->sc_comp_ctx = ssh->sccomp->decompress_init();
6166
6167 /*
6168 * Set IVs on server-to-client keys. Here we use the exchange
6169 * hash from the _first_ key exchange.
6170 */
6171 {
6172 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
6173 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6174 ssh2_mkkey(ssh,s->K,s->exchange_hash,'D',keyspace);
6175 assert((ssh->sccipher->keylen+7) / 8 <=
6176 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6177 ssh->sccipher->setkey(ssh->sc_cipher_ctx, keyspace);
6178 ssh2_mkkey(ssh,s->K,s->exchange_hash,'B',keyspace);
6179 assert(ssh->sccipher->blksize <=
6180 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6181 ssh->sccipher->setiv(ssh->sc_cipher_ctx, keyspace);
6182 ssh2_mkkey(ssh,s->K,s->exchange_hash,'F',keyspace);
6183 assert(ssh->scmac->len <=
6184 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6185 ssh->scmac->setkey(ssh->sc_mac_ctx, keyspace);
6186 memset(keyspace, 0, sizeof(keyspace));
6187 }
6188 logeventf(ssh, "Initialised %.200s server->client encryption",
6189 ssh->sccipher->text_name);
6190 logeventf(ssh, "Initialised %.200s server->client MAC algorithm",
6191 ssh->scmac->text_name);
6192 if (ssh->sccomp->text_name)
6193 logeventf(ssh, "Initialised %s decompression",
6194 ssh->sccomp->text_name);
6195
6196 /*
6197 * Free shared secret.
6198 */
6199 freebn(s->K);
6200
6201 /*
6202 * Key exchange is over. Loop straight back round if we have a
6203 * deferred rekey reason.
6204 */
6205 if (ssh->deferred_rekey_reason) {
6206 logevent(ssh->deferred_rekey_reason);
6207 pktin = NULL;
6208 ssh->deferred_rekey_reason = NULL;
6209 goto begin_key_exchange;
6210 }
6211
6212 /*
6213 * Otherwise, schedule a timer for our next rekey.
6214 */
6215 ssh->kex_in_progress = FALSE;
6216 ssh->last_rekey = GETTICKCOUNT();
6217 if (ssh->cfg.ssh_rekey_time != 0)
6218 ssh->next_rekey = schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
6219 ssh2_timer, ssh);
6220
6221 /*
6222 * If this is the first key exchange phase, we must pass the
6223 * SSH2_MSG_NEWKEYS packet to the next layer, not because it
6224 * wants to see it but because it will need time to initialise
6225 * itself before it sees an actual packet. In subsequent key
6226 * exchange phases, we don't pass SSH2_MSG_NEWKEYS on, because
6227 * it would only confuse the layer above.
6228 */
6229 if (s->activated_authconn) {
6230 crReturn(0);
6231 }
6232 s->activated_authconn = TRUE;
6233
6234 /*
6235 * Now we're encrypting. Begin returning 1 to the protocol main
6236 * function so that other things can run on top of the
6237 * transport. If we ever see a KEXINIT, we must go back to the
6238 * start.
6239 *
6240 * We _also_ go back to the start if we see pktin==NULL and
6241 * inlen==-1, because this is a special signal meaning
6242 * `initiate client-driven rekey', and `in' contains a message
6243 * giving the reason for the rekey.
6244 */
6245 while (!((pktin && pktin->type == SSH2_MSG_KEXINIT) ||
6246 (!pktin && inlen == -1))) {
6247 wait_for_rekey:
6248 crReturn(1);
6249 }
6250 if (pktin) {
6251 logevent("Server initiated key re-exchange");
6252 } else {
6253 /*
6254 * Special case: if the server bug is set that doesn't
6255 * allow rekeying, we give a different log message and
6256 * continue waiting. (If such a server _initiates_ a rekey,
6257 * we process it anyway!)
6258 */
6259 if ((ssh->remote_bugs & BUG_SSH2_REKEY)) {
6260 logeventf(ssh, "Server bug prevents key re-exchange (%s)",
6261 (char *)in);
6262 /* Reset the counters, so that at least this message doesn't
6263 * hit the event log _too_ often. */
6264 ssh->outgoing_data_size = 0;
6265 ssh->incoming_data_size = 0;
6266 if (ssh->cfg.ssh_rekey_time != 0) {
6267 ssh->next_rekey =
6268 schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
6269 ssh2_timer, ssh);
6270 }
6271 goto wait_for_rekey; /* this is utterly horrid */
6272 } else {
6273 logeventf(ssh, "Initiating key re-exchange (%s)", (char *)in);
6274 }
6275 }
6276 goto begin_key_exchange;
6277
6278 crFinish(1);
6279 }
6280
6281 /*
6282 * Add data to an SSH-2 channel output buffer.
6283 */
6284 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf,
6285 int len)
6286 {
6287 bufchain_add(&c->v.v2.outbuffer, buf, len);
6288 }
6289
6290 /*
6291 * Attempt to send data on an SSH-2 channel.
6292 */
6293 static int ssh2_try_send(struct ssh_channel *c)
6294 {
6295 Ssh ssh = c->ssh;
6296 struct Packet *pktout;
6297
6298 while (c->v.v2.remwindow > 0 && bufchain_size(&c->v.v2.outbuffer) > 0) {
6299 int len;
6300 void *data;
6301 bufchain_prefix(&c->v.v2.outbuffer, &data, &len);
6302 if ((unsigned)len > c->v.v2.remwindow)
6303 len = c->v.v2.remwindow;
6304 if ((unsigned)len > c->v.v2.remmaxpkt)
6305 len = c->v.v2.remmaxpkt;
6306 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_DATA);
6307 ssh2_pkt_adduint32(pktout, c->remoteid);
6308 ssh2_pkt_addstring_start(pktout);
6309 dont_log_data(ssh, pktout, PKTLOG_OMIT);
6310 ssh2_pkt_addstring_data(pktout, data, len);
6311 end_log_omission(ssh, pktout);
6312 ssh2_pkt_send(ssh, pktout);
6313 bufchain_consume(&c->v.v2.outbuffer, len);
6314 c->v.v2.remwindow -= len;
6315 }
6316
6317 /*
6318 * After having sent as much data as we can, return the amount
6319 * still buffered.
6320 */
6321 return bufchain_size(&c->v.v2.outbuffer);
6322 }
6323
6324 static void ssh2_try_send_and_unthrottle(struct ssh_channel *c)
6325 {
6326 int bufsize;
6327 if (c->closes)
6328 return; /* don't send on closing channels */
6329 bufsize = ssh2_try_send(c);
6330 if (bufsize == 0) {
6331 switch (c->type) {
6332 case CHAN_MAINSESSION:
6333 /* stdin need not receive an unthrottle
6334 * notification since it will be polled */
6335 break;
6336 case CHAN_X11:
6337 x11_unthrottle(c->u.x11.s);
6338 break;
6339 case CHAN_AGENT:
6340 /* agent sockets are request/response and need no
6341 * buffer management */
6342 break;
6343 case CHAN_SOCKDATA:
6344 pfd_unthrottle(c->u.pfd.s);
6345 break;
6346 }
6347 }
6348 }
6349
6350 /*
6351 * Set up most of a new ssh_channel for SSH-2.
6352 */
6353 static void ssh2_channel_init(struct ssh_channel *c)
6354 {
6355 Ssh ssh = c->ssh;
6356 c->localid = alloc_channel_id(ssh);
6357 c->closes = 0;
6358 c->throttling_conn = FALSE;
6359 c->v.v2.locwindow = c->v.v2.locmaxwin = c->v.v2.remlocwin =
6360 ssh->cfg.ssh_simple ? OUR_V2_BIGWIN : OUR_V2_WINSIZE;
6361 c->v.v2.winadj_head = c->v.v2.winadj_tail = NULL;
6362 c->v.v2.throttle_state = UNTHROTTLED;
6363 bufchain_init(&c->v.v2.outbuffer);
6364 }
6365
6366 /*
6367 * Potentially enlarge the window on an SSH-2 channel.
6368 */
6369 static void ssh2_set_window(struct ssh_channel *c, int newwin)
6370 {
6371 Ssh ssh = c->ssh;
6372
6373 /*
6374 * Never send WINDOW_ADJUST for a channel that the remote side
6375 * already thinks it's closed; there's no point, since it won't
6376 * be sending any more data anyway.
6377 */
6378 if (c->closes != 0)
6379 return;
6380
6381 /*
6382 * If the remote end has a habit of ignoring maxpkt, limit the
6383 * window so that it has no choice (assuming it doesn't ignore the
6384 * window as well).
6385 */
6386 if ((ssh->remote_bugs & BUG_SSH2_MAXPKT) && newwin > OUR_V2_MAXPKT)
6387 newwin = OUR_V2_MAXPKT;
6388
6389
6390 /*
6391 * Only send a WINDOW_ADJUST if there's significantly more window
6392 * available than the other end thinks there is. This saves us
6393 * sending a WINDOW_ADJUST for every character in a shell session.
6394 *
6395 * "Significant" is arbitrarily defined as half the window size.
6396 */
6397 if (newwin / 2 >= c->v.v2.locwindow) {
6398 struct Packet *pktout;
6399 struct winadj *wa;
6400
6401 /*
6402 * In order to keep track of how much window the client
6403 * actually has available, we'd like it to acknowledge each
6404 * WINDOW_ADJUST. We can't do that directly, so we accompany
6405 * it with a CHANNEL_REQUEST that has to be acknowledged.
6406 *
6407 * This is only necessary if we're opening the window wide.
6408 * If we're not, then throughput is being constrained by
6409 * something other than the maximum window size anyway.
6410 *
6411 * We also only send this if the main channel has finished its
6412 * initial CHANNEL_REQUESTs and installed the default
6413 * CHANNEL_FAILURE handler, so as not to risk giving it
6414 * unexpected CHANNEL_FAILUREs.
6415 */
6416 if (newwin == c->v.v2.locmaxwin &&
6417 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE]) {
6418 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
6419 ssh2_pkt_adduint32(pktout, c->remoteid);
6420 ssh2_pkt_addstring(pktout, "winadj@putty.projects.tartarus.org");
6421 ssh2_pkt_addbool(pktout, TRUE);
6422 ssh2_pkt_send(ssh, pktout);
6423
6424 /*
6425 * CHANNEL_FAILURE doesn't come with any indication of
6426 * what message caused it, so we have to keep track of the
6427 * outstanding CHANNEL_REQUESTs ourselves.
6428 */
6429 wa = snew(struct winadj);
6430 wa->size = newwin - c->v.v2.locwindow;
6431 wa->next = NULL;
6432 if (!c->v.v2.winadj_head)
6433 c->v.v2.winadj_head = wa;
6434 else
6435 c->v.v2.winadj_tail->next = wa;
6436 c->v.v2.winadj_tail = wa;
6437 if (c->v.v2.throttle_state != UNTHROTTLED)
6438 c->v.v2.throttle_state = UNTHROTTLING;
6439 } else {
6440 /* Pretend the WINDOW_ADJUST was acked immediately. */
6441 c->v.v2.remlocwin = newwin;
6442 c->v.v2.throttle_state = THROTTLED;
6443 }
6444 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
6445 ssh2_pkt_adduint32(pktout, c->remoteid);
6446 ssh2_pkt_adduint32(pktout, newwin - c->v.v2.locwindow);
6447 ssh2_pkt_send(ssh, pktout);
6448 c->v.v2.locwindow = newwin;
6449 }
6450 }
6451
6452 /*
6453 * Find the channel associated with a message. If there's no channel,
6454 * or it's not properly open, make a noise about it and return NULL.
6455 */
6456 static struct ssh_channel *ssh2_channel_msg(Ssh ssh, struct Packet *pktin)
6457 {
6458 unsigned localid = ssh_pkt_getuint32(pktin);
6459 struct ssh_channel *c;
6460
6461 c = find234(ssh->channels, &localid, ssh_channelfind);
6462 if (!c ||
6463 (c->halfopen && pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION &&
6464 pktin->type != SSH2_MSG_CHANNEL_OPEN_FAILURE)) {
6465 char *buf = dupprintf("Received %s for %s channel %u",
6466 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx,
6467 pktin->type),
6468 c ? "half-open" : "nonexistent", localid);
6469 ssh_disconnect(ssh, NULL, buf, SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6470 sfree(buf);
6471 return NULL;
6472 }
6473 return c;
6474 }
6475
6476 static void ssh2_msg_channel_success(Ssh ssh, struct Packet *pktin)
6477 {
6478 /*
6479 * This should never get called. All channel requests are either
6480 * sent with want_reply false or are sent before this handler gets
6481 * installed.
6482 */
6483 struct ssh_channel *c;
6484 struct winadj *wa;
6485
6486 c = ssh2_channel_msg(ssh, pktin);
6487 if (!c)
6488 return;
6489 wa = c->v.v2.winadj_head;
6490 if (wa)
6491 ssh_disconnect(ssh, NULL, "Received SSH_MSG_CHANNEL_SUCCESS for "
6492 "\"winadj@putty.projects.tartarus.org\"",
6493 SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6494 else
6495 ssh_disconnect(ssh, NULL,
6496 "Received unsolicited SSH_MSG_CHANNEL_SUCCESS",
6497 SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6498 }
6499
6500 static void ssh2_msg_channel_failure(Ssh ssh, struct Packet *pktin)
6501 {
6502 /*
6503 * The only time this should get called is for "winadj@putty"
6504 * messages sent above. All other channel requests are either
6505 * sent with want_reply false or are sent before this handler gets
6506 * installed.
6507 */
6508 struct ssh_channel *c;
6509 struct winadj *wa;
6510
6511 c = ssh2_channel_msg(ssh, pktin);
6512 if (!c)
6513 return;
6514 wa = c->v.v2.winadj_head;
6515 if (!wa) {
6516 ssh_disconnect(ssh, NULL,
6517 "Received unsolicited SSH_MSG_CHANNEL_FAILURE",
6518 SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6519 return;
6520 }
6521 c->v.v2.winadj_head = wa->next;
6522 c->v.v2.remlocwin += wa->size;
6523 sfree(wa);
6524 /*
6525 * winadj messages are only sent when the window is fully open, so
6526 * if we get an ack of one, we know any pending unthrottle is
6527 * complete.
6528 */
6529 if (c->v.v2.throttle_state == UNTHROTTLING)
6530 c->v.v2.throttle_state = UNTHROTTLED;
6531 }
6532
6533 static void ssh2_msg_channel_window_adjust(Ssh ssh, struct Packet *pktin)
6534 {
6535 struct ssh_channel *c;
6536 c = ssh2_channel_msg(ssh, pktin);
6537 if (!c)
6538 return;
6539 if (!c->closes) {
6540 c->v.v2.remwindow += ssh_pkt_getuint32(pktin);
6541 ssh2_try_send_and_unthrottle(c);
6542 }
6543 }
6544
6545 static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
6546 {
6547 char *data;
6548 int length;
6549 struct ssh_channel *c;
6550 c = ssh2_channel_msg(ssh, pktin);
6551 if (!c)
6552 return;
6553 if (pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA &&
6554 ssh_pkt_getuint32(pktin) != SSH2_EXTENDED_DATA_STDERR)
6555 return; /* extended but not stderr */
6556 ssh_pkt_getstring(pktin, &data, &length);
6557 if (data) {
6558 int bufsize = 0;
6559 c->v.v2.locwindow -= length;
6560 c->v.v2.remlocwin -= length;
6561 switch (c->type) {
6562 case CHAN_MAINSESSION:
6563 bufsize =
6564 from_backend(ssh->frontend, pktin->type ==
6565 SSH2_MSG_CHANNEL_EXTENDED_DATA,
6566 data, length);
6567 break;
6568 case CHAN_X11:
6569 bufsize = x11_send(c->u.x11.s, data, length);
6570 break;
6571 case CHAN_SOCKDATA:
6572 bufsize = pfd_send(c->u.pfd.s, data, length);
6573 break;
6574 case CHAN_AGENT:
6575 while (length > 0) {
6576 if (c->u.a.lensofar < 4) {
6577 unsigned int l = min(4 - c->u.a.lensofar,
6578 (unsigned)length);
6579 memcpy(c->u.a.msglen + c->u.a.lensofar,
6580 data, l);
6581 data += l;
6582 length -= l;
6583 c->u.a.lensofar += l;
6584 }
6585 if (c->u.a.lensofar == 4) {
6586 c->u.a.totallen =
6587 4 + GET_32BIT(c->u.a.msglen);
6588 c->u.a.message = snewn(c->u.a.totallen,
6589 unsigned char);
6590 memcpy(c->u.a.message, c->u.a.msglen, 4);
6591 }
6592 if (c->u.a.lensofar >= 4 && length > 0) {
6593 unsigned int l =
6594 min(c->u.a.totallen - c->u.a.lensofar,
6595 (unsigned)length);
6596 memcpy(c->u.a.message + c->u.a.lensofar,
6597 data, l);
6598 data += l;
6599 length -= l;
6600 c->u.a.lensofar += l;
6601 }
6602 if (c->u.a.lensofar == c->u.a.totallen) {
6603 void *reply;
6604 int replylen;
6605 if (agent_query(c->u.a.message,
6606 c->u.a.totallen,
6607 &reply, &replylen,
6608 ssh_agentf_callback, c))
6609 ssh_agentf_callback(c, reply, replylen);
6610 sfree(c->u.a.message);
6611 c->u.a.lensofar = 0;
6612 }
6613 }
6614 bufsize = 0;
6615 break;
6616 }
6617 /*
6618 * If it looks like the remote end hit the end of its window,
6619 * and we didn't want it to do that, think about using a
6620 * larger window.
6621 */
6622 if (c->v.v2.remlocwin <= 0 && c->v.v2.throttle_state == UNTHROTTLED &&
6623 c->v.v2.locmaxwin < 0x40000000)
6624 c->v.v2.locmaxwin += OUR_V2_WINSIZE;
6625 /*
6626 * If we are not buffering too much data,
6627 * enlarge the window again at the remote side.
6628 * If we are buffering too much, we may still
6629 * need to adjust the window if the server's
6630 * sent excess data.
6631 */
6632 ssh2_set_window(c, bufsize < c->v.v2.locmaxwin ?
6633 c->v.v2.locmaxwin - bufsize : 0);
6634 /*
6635 * If we're either buffering way too much data, or if we're
6636 * buffering anything at all and we're in "simple" mode,
6637 * throttle the whole channel.
6638 */
6639 if ((bufsize > c->v.v2.locmaxwin ||
6640 (ssh->cfg.ssh_simple && bufsize > 0)) &&
6641 !c->throttling_conn) {
6642 c->throttling_conn = 1;
6643 ssh_throttle_conn(ssh, +1);
6644 }
6645 }
6646 }
6647
6648 static void ssh2_msg_channel_eof(Ssh ssh, struct Packet *pktin)
6649 {
6650 struct ssh_channel *c;
6651
6652 c = ssh2_channel_msg(ssh, pktin);
6653 if (!c)
6654 return;
6655
6656 if (c->type == CHAN_X11) {
6657 /*
6658 * Remote EOF on an X11 channel means we should
6659 * wrap up and close the channel ourselves.
6660 */
6661 x11_close(c->u.x11.s);
6662 sshfwd_close(c);
6663 } else if (c->type == CHAN_AGENT) {
6664 sshfwd_close(c);
6665 } else if (c->type == CHAN_SOCKDATA) {
6666 pfd_close(c->u.pfd.s);
6667 sshfwd_close(c);
6668 }
6669 }
6670
6671 static void ssh2_msg_channel_close(Ssh ssh, struct Packet *pktin)
6672 {
6673 struct ssh_channel *c;
6674 struct Packet *pktout;
6675
6676 c = ssh2_channel_msg(ssh, pktin);
6677 if (!c)
6678 return;
6679 /* Do pre-close processing on the channel. */
6680 switch (c->type) {
6681 case CHAN_MAINSESSION:
6682 ssh->mainchan = NULL;
6683 update_specials_menu(ssh->frontend);
6684 break;
6685 case CHAN_X11:
6686 if (c->u.x11.s != NULL)
6687 x11_close(c->u.x11.s);
6688 sshfwd_close(c);
6689 break;
6690 case CHAN_AGENT:
6691 sshfwd_close(c);
6692 break;
6693 case CHAN_SOCKDATA:
6694 if (c->u.pfd.s != NULL)
6695 pfd_close(c->u.pfd.s);
6696 sshfwd_close(c);
6697 break;
6698 }
6699 if (c->closes == 0) {
6700 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6701 ssh2_pkt_adduint32(pktout, c->remoteid);
6702 ssh2_pkt_send(ssh, pktout);
6703 }
6704 del234(ssh->channels, c);
6705 bufchain_clear(&c->v.v2.outbuffer);
6706 sfree(c);
6707
6708 /*
6709 * See if that was the last channel left open.
6710 * (This is only our termination condition if we're
6711 * not running in -N mode.)
6712 */
6713 if (!ssh->cfg.ssh_no_shell && count234(ssh->channels) == 0) {
6714 /*
6715 * We used to send SSH_MSG_DISCONNECT here,
6716 * because I'd believed that _every_ conforming
6717 * SSH-2 connection had to end with a disconnect
6718 * being sent by at least one side; apparently
6719 * I was wrong and it's perfectly OK to
6720 * unceremoniously slam the connection shut
6721 * when you're done, and indeed OpenSSH feels
6722 * this is more polite than sending a
6723 * DISCONNECT. So now we don't.
6724 */
6725 ssh_disconnect(ssh, "All channels closed", NULL, 0, TRUE);
6726 }
6727 }
6728
6729 static void ssh2_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
6730 {
6731 struct ssh_channel *c;
6732 struct Packet *pktout;
6733
6734 c = ssh2_channel_msg(ssh, pktin);
6735 if (!c)
6736 return;
6737 if (c->type != CHAN_SOCKDATA_DORMANT)
6738 return; /* dunno why they're confirming this */
6739 c->remoteid = ssh_pkt_getuint32(pktin);
6740 c->halfopen = FALSE;
6741 c->type = CHAN_SOCKDATA;
6742 c->v.v2.remwindow = ssh_pkt_getuint32(pktin);
6743 c->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
6744 if (c->u.pfd.s)
6745 pfd_confirm(c->u.pfd.s);
6746 if (c->closes) {
6747 /*
6748 * We have a pending close on this channel,
6749 * which we decided on before the server acked
6750 * the channel open. So now we know the
6751 * remoteid, we can close it again.
6752 */
6753 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6754 ssh2_pkt_adduint32(pktout, c->remoteid);
6755 ssh2_pkt_send(ssh, pktout);
6756 }
6757 }
6758
6759 static void ssh2_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
6760 {
6761 static const char *const reasons[] = {
6762 "<unknown reason code>",
6763 "Administratively prohibited",
6764 "Connect failed",
6765 "Unknown channel type",
6766 "Resource shortage",
6767 };
6768 unsigned reason_code;
6769 char *reason_string;
6770 int reason_length;
6771 struct ssh_channel *c;
6772 c = ssh2_channel_msg(ssh, pktin);
6773 if (!c)
6774 return;
6775 if (c->type != CHAN_SOCKDATA_DORMANT)
6776 return; /* dunno why they're failing this */
6777
6778 reason_code = ssh_pkt_getuint32(pktin);
6779 if (reason_code >= lenof(reasons))
6780 reason_code = 0; /* ensure reasons[reason_code] in range */
6781 ssh_pkt_getstring(pktin, &reason_string, &reason_length);
6782 logeventf(ssh, "Forwarded connection refused by server: %s [%.*s]",
6783 reasons[reason_code], reason_length, reason_string);
6784
6785 pfd_close(c->u.pfd.s);
6786
6787 del234(ssh->channels, c);
6788 sfree(c);
6789 }
6790
6791 static void ssh2_msg_channel_request(Ssh ssh, struct Packet *pktin)
6792 {
6793 char *type;
6794 int typelen, want_reply;
6795 int reply = SSH2_MSG_CHANNEL_FAILURE; /* default */
6796 struct ssh_channel *c;
6797 struct Packet *pktout;
6798
6799 c = ssh2_channel_msg(ssh, pktin);
6800 if (!c)
6801 return;
6802 ssh_pkt_getstring(pktin, &type, &typelen);
6803 want_reply = ssh2_pkt_getbool(pktin);
6804
6805 /*
6806 * Having got the channel number, we now look at
6807 * the request type string to see if it's something
6808 * we recognise.
6809 */
6810 if (c == ssh->mainchan) {
6811 /*
6812 * We recognise "exit-status" and "exit-signal" on
6813 * the primary channel.
6814 */
6815 if (typelen == 11 &&
6816 !memcmp(type, "exit-status", 11)) {
6817
6818 ssh->exitcode = ssh_pkt_getuint32(pktin);
6819 logeventf(ssh, "Server sent command exit status %d",
6820 ssh->exitcode);
6821 reply = SSH2_MSG_CHANNEL_SUCCESS;
6822
6823 } else if (typelen == 11 &&
6824 !memcmp(type, "exit-signal", 11)) {
6825
6826 int is_plausible = TRUE, is_int = FALSE;
6827 char *fmt_sig = "", *fmt_msg = "";
6828 char *msg;
6829 int msglen = 0, core = FALSE;
6830 /* ICK: older versions of OpenSSH (e.g. 3.4p1)
6831 * provide an `int' for the signal, despite its
6832 * having been a `string' in the drafts of RFC 4254 since at
6833 * least 2001. (Fixed in session.c 1.147.) Try to
6834 * infer which we can safely parse it as. */
6835 {
6836 unsigned char *p = pktin->body +
6837 pktin->savedpos;
6838 long len = pktin->length - pktin->savedpos;
6839 unsigned long num = GET_32BIT(p); /* what is it? */
6840 /* If it's 0, it hardly matters; assume string */
6841 if (num == 0) {
6842 is_int = FALSE;
6843 } else {
6844 int maybe_int = FALSE, maybe_str = FALSE;
6845 #define CHECK_HYPOTHESIS(offset, result) \
6846 do { \
6847 long q = offset; \
6848 if (q >= 0 && q+4 <= len) { \
6849 q = q + 4 + GET_32BIT(p+q); \
6850 if (q >= 0 && q+4 <= len && \
6851 ((q = q + 4 + GET_32BIT(p+q))!= 0) && q == len) \
6852 result = TRUE; \
6853 } \
6854 } while(0)
6855 CHECK_HYPOTHESIS(4+1, maybe_int);
6856 CHECK_HYPOTHESIS(4+num+1, maybe_str);
6857 #undef CHECK_HYPOTHESIS
6858 if (maybe_int && !maybe_str)
6859 is_int = TRUE;
6860 else if (!maybe_int && maybe_str)
6861 is_int = FALSE;
6862 else
6863 /* Crikey. Either or neither. Panic. */
6864 is_plausible = FALSE;
6865 }
6866 }
6867 ssh->exitcode = 128; /* means `unknown signal' */
6868 if (is_plausible) {
6869 if (is_int) {
6870 /* Old non-standard OpenSSH. */
6871 int signum = ssh_pkt_getuint32(pktin);
6872 fmt_sig = dupprintf(" %d", signum);
6873 ssh->exitcode = 128 + signum;
6874 } else {
6875 /* As per RFC 4254. */
6876 char *sig;
6877 int siglen;
6878 ssh_pkt_getstring(pktin, &sig, &siglen);
6879 /* Signal name isn't supposed to be blank, but
6880 * let's cope gracefully if it is. */
6881 if (siglen) {
6882 fmt_sig = dupprintf(" \"%.*s\"",
6883 siglen, sig);
6884 }
6885
6886 /*
6887 * Really hideous method of translating the
6888 * signal description back into a locally
6889 * meaningful number.
6890 */
6891
6892 if (0)
6893 ;
6894 #define TRANSLATE_SIGNAL(s) \
6895 else if (siglen == lenof(#s)-1 && !memcmp(sig, #s, siglen)) \
6896 ssh->exitcode = 128 + SIG ## s
6897 #ifdef SIGABRT
6898 TRANSLATE_SIGNAL(ABRT);
6899 #endif
6900 #ifdef SIGALRM
6901 TRANSLATE_SIGNAL(ALRM);
6902 #endif
6903 #ifdef SIGFPE
6904 TRANSLATE_SIGNAL(FPE);
6905 #endif
6906 #ifdef SIGHUP
6907 TRANSLATE_SIGNAL(HUP);
6908 #endif
6909 #ifdef SIGILL
6910 TRANSLATE_SIGNAL(ILL);
6911 #endif
6912 #ifdef SIGINT
6913 TRANSLATE_SIGNAL(INT);
6914 #endif
6915 #ifdef SIGKILL
6916 TRANSLATE_SIGNAL(KILL);
6917 #endif
6918 #ifdef SIGPIPE
6919 TRANSLATE_SIGNAL(PIPE);
6920 #endif
6921 #ifdef SIGQUIT
6922 TRANSLATE_SIGNAL(QUIT);
6923 #endif
6924 #ifdef SIGSEGV
6925 TRANSLATE_SIGNAL(SEGV);
6926 #endif
6927 #ifdef SIGTERM
6928 TRANSLATE_SIGNAL(TERM);
6929 #endif
6930 #ifdef SIGUSR1
6931 TRANSLATE_SIGNAL(USR1);
6932 #endif
6933 #ifdef SIGUSR2
6934 TRANSLATE_SIGNAL(USR2);
6935 #endif
6936 #undef TRANSLATE_SIGNAL
6937 else
6938 ssh->exitcode = 128;
6939 }
6940 core = ssh2_pkt_getbool(pktin);
6941 ssh_pkt_getstring(pktin, &msg, &msglen);
6942 if (msglen) {
6943 fmt_msg = dupprintf(" (\"%.*s\")", msglen, msg);
6944 }
6945 /* ignore lang tag */
6946 } /* else don't attempt to parse */
6947 logeventf(ssh, "Server exited on signal%s%s%s",
6948 fmt_sig, core ? " (core dumped)" : "",
6949 fmt_msg);
6950 if (*fmt_sig) sfree(fmt_sig);
6951 if (*fmt_msg) sfree(fmt_msg);
6952 reply = SSH2_MSG_CHANNEL_SUCCESS;
6953
6954 }
6955 } else {
6956 /*
6957 * This is a channel request we don't know
6958 * about, so we now either ignore the request
6959 * or respond with CHANNEL_FAILURE, depending
6960 * on want_reply.
6961 */
6962 reply = SSH2_MSG_CHANNEL_FAILURE;
6963 }
6964 if (want_reply) {
6965 pktout = ssh2_pkt_init(reply);
6966 ssh2_pkt_adduint32(pktout, c->remoteid);
6967 ssh2_pkt_send(ssh, pktout);
6968 }
6969 }
6970
6971 static void ssh2_msg_global_request(Ssh ssh, struct Packet *pktin)
6972 {
6973 char *type;
6974 int typelen, want_reply;
6975 struct Packet *pktout;
6976
6977 ssh_pkt_getstring(pktin, &type, &typelen);
6978 want_reply = ssh2_pkt_getbool(pktin);
6979
6980 /*
6981 * We currently don't support any global requests
6982 * at all, so we either ignore the request or
6983 * respond with REQUEST_FAILURE, depending on
6984 * want_reply.
6985 */
6986 if (want_reply) {
6987 pktout = ssh2_pkt_init(SSH2_MSG_REQUEST_FAILURE);
6988 ssh2_pkt_send(ssh, pktout);
6989 }
6990 }
6991
6992 static void ssh2_msg_channel_open(Ssh ssh, struct Packet *pktin)
6993 {
6994 char *type;
6995 int typelen;
6996 char *peeraddr;
6997 int peeraddrlen;
6998 int peerport;
6999 char *error = NULL;
7000 struct ssh_channel *c;
7001 unsigned remid, winsize, pktsize;
7002 struct Packet *pktout;
7003
7004 ssh_pkt_getstring(pktin, &type, &typelen);
7005 c = snew(struct ssh_channel);
7006 c->ssh = ssh;
7007
7008 remid = ssh_pkt_getuint32(pktin);
7009 winsize = ssh_pkt_getuint32(pktin);
7010 pktsize = ssh_pkt_getuint32(pktin);
7011
7012 if (typelen == 3 && !memcmp(type, "x11", 3)) {
7013 char *addrstr;
7014
7015 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
7016 addrstr = snewn(peeraddrlen+1, char);
7017 memcpy(addrstr, peeraddr, peeraddrlen);
7018 addrstr[peeraddrlen] = '\0';
7019 peerport = ssh_pkt_getuint32(pktin);
7020
7021 logeventf(ssh, "Received X11 connect request from %s:%d",
7022 addrstr, peerport);
7023
7024 if (!ssh->X11_fwd_enabled)
7025 error = "X11 forwarding is not enabled";
7026 else if (x11_init(&c->u.x11.s, ssh->x11disp, c,
7027 addrstr, peerport, &ssh->cfg) != NULL) {
7028 error = "Unable to open an X11 connection";
7029 } else {
7030 logevent("Opening X11 forward connection succeeded");
7031 c->type = CHAN_X11;
7032 }
7033
7034 sfree(addrstr);
7035 } else if (typelen == 15 &&
7036 !memcmp(type, "forwarded-tcpip", 15)) {
7037 struct ssh_rportfwd pf, *realpf;
7038 char *dummy;
7039 int dummylen;
7040 ssh_pkt_getstring(pktin, &dummy, &dummylen);/* skip address */
7041 pf.sport = ssh_pkt_getuint32(pktin);
7042 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
7043 peerport = ssh_pkt_getuint32(pktin);
7044 realpf = find234(ssh->rportfwds, &pf, NULL);
7045 logeventf(ssh, "Received remote port %d open request "
7046 "from %s:%d", pf.sport, peeraddr, peerport);
7047 if (realpf == NULL) {
7048 error = "Remote port is not recognised";
7049 } else {
7050 const char *e = pfd_newconnect(&c->u.pfd.s,
7051 realpf->dhost,
7052 realpf->dport, c,
7053 &ssh->cfg,
7054 realpf->pfrec->addressfamily);
7055 logeventf(ssh, "Attempting to forward remote port to "
7056 "%s:%d", realpf->dhost, realpf->dport);
7057 if (e != NULL) {
7058 logeventf(ssh, "Port open failed: %s", e);
7059 error = "Port open failed";
7060 } else {
7061 logevent("Forwarded port opened successfully");
7062 c->type = CHAN_SOCKDATA;
7063 }
7064 }
7065 } else if (typelen == 22 &&
7066 !memcmp(type, "auth-agent@openssh.com", 22)) {
7067 if (!ssh->agentfwd_enabled)
7068 error = "Agent forwarding is not enabled";
7069 else {
7070 c->type = CHAN_AGENT; /* identify channel type */
7071 c->u.a.lensofar = 0;
7072 }
7073 } else {
7074 error = "Unsupported channel type requested";
7075 }
7076
7077 c->remoteid = remid;
7078 c->halfopen = FALSE;
7079 if (error) {
7080 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_FAILURE);
7081 ssh2_pkt_adduint32(pktout, c->remoteid);
7082 ssh2_pkt_adduint32(pktout, SSH2_OPEN_CONNECT_FAILED);
7083 ssh2_pkt_addstring(pktout, error);
7084 ssh2_pkt_addstring(pktout, "en"); /* language tag */
7085 ssh2_pkt_send(ssh, pktout);
7086 logeventf(ssh, "Rejected channel open: %s", error);
7087 sfree(c);
7088 } else {
7089 ssh2_channel_init(c);
7090 c->v.v2.remwindow = winsize;
7091 c->v.v2.remmaxpkt = pktsize;
7092 add234(ssh->channels, c);
7093 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
7094 ssh2_pkt_adduint32(pktout, c->remoteid);
7095 ssh2_pkt_adduint32(pktout, c->localid);
7096 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);
7097 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
7098 ssh2_pkt_send(ssh, pktout);
7099 }
7100 }
7101
7102 /*
7103 * Buffer banner messages for later display at some convenient point.
7104 */
7105 static void ssh2_msg_userauth_banner(Ssh ssh, struct Packet *pktin)
7106 {
7107 /* Arbitrary limit to prevent unbounded inflation of buffer */
7108 if (bufchain_size(&ssh->banner) <= 131072) {
7109 char *banner = NULL;
7110 int size = 0;
7111 ssh_pkt_getstring(pktin, &banner, &size);
7112 if (banner)
7113 bufchain_add(&ssh->banner, banner, size);
7114 }
7115 }
7116
7117 /* Helper function to deal with sending tty modes for "pty-req" */
7118 static void ssh2_send_ttymode(void *data, char *mode, char *val)
7119 {
7120 struct Packet *pktout = (struct Packet *)data;
7121 int i = 0;
7122 unsigned int arg = 0;
7123 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
7124 if (i == lenof(ssh_ttymodes)) return;
7125 switch (ssh_ttymodes[i].type) {
7126 case TTY_OP_CHAR:
7127 arg = ssh_tty_parse_specchar(val);
7128 break;
7129 case TTY_OP_BOOL:
7130 arg = ssh_tty_parse_boolean(val);
7131 break;
7132 }
7133 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
7134 ssh2_pkt_adduint32(pktout, arg);
7135 }
7136
7137 /*
7138 * Handle the SSH-2 userauth and connection layers.
7139 */
7140 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
7141 struct Packet *pktin)
7142 {
7143 struct do_ssh2_authconn_state {
7144 enum {
7145 AUTH_TYPE_NONE,
7146 AUTH_TYPE_PUBLICKEY,
7147 AUTH_TYPE_PUBLICKEY_OFFER_LOUD,
7148 AUTH_TYPE_PUBLICKEY_OFFER_QUIET,
7149 AUTH_TYPE_PASSWORD,
7150 AUTH_TYPE_GSSAPI,
7151 AUTH_TYPE_KEYBOARD_INTERACTIVE,
7152 AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
7153 } type;
7154 int done_service_req;
7155 int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter;
7156 int tried_pubkey_config, done_agent;
7157 int can_gssapi;
7158 int tried_gssapi;
7159 int kbd_inter_refused;
7160 int we_are_in;
7161 prompts_t *cur_prompt;
7162 int num_prompts;
7163 char username[100];
7164 char *password;
7165 int got_username;
7166 void *publickey_blob;
7167 int publickey_bloblen;
7168 int publickey_encrypted;
7169 char *publickey_algorithm;
7170 char *publickey_comment;
7171 unsigned char agent_request[5], *agent_response, *agentp;
7172 int agent_responselen;
7173 unsigned char *pkblob_in_agent;
7174 int keyi, nkeys;
7175 char *pkblob, *alg, *commentp;
7176 int pklen, alglen, commentlen;
7177 int siglen, retlen, len;
7178 char *q, *agentreq, *ret;
7179 int try_send;
7180 int num_env, env_left, env_ok;
7181 struct Packet *pktout;
7182 Ssh_gss_ctx gss_ctx;
7183 Ssh_gss_buf gss_buf;
7184 Ssh_gss_buf gss_rcvtok, gss_sndtok;
7185 Ssh_gss_name gss_srv_name;
7186 Ssh_gss_stat gss_stat;
7187 };
7188 crState(do_ssh2_authconn_state);
7189
7190 crBegin(ssh->do_ssh2_authconn_crstate);
7191
7192 s->done_service_req = FALSE;
7193 s->we_are_in = FALSE;
7194 s->tried_gssapi = FALSE;
7195
7196 if (!ssh->cfg.ssh_no_userauth) {
7197 /*
7198 * Request userauth protocol, and await a response to it.
7199 */
7200 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
7201 ssh2_pkt_addstring(s->pktout, "ssh-userauth");
7202 ssh2_pkt_send(ssh, s->pktout);
7203 crWaitUntilV(pktin);
7204 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT)
7205 s->done_service_req = TRUE;
7206 }
7207 if (!s->done_service_req) {
7208 /*
7209 * Request connection protocol directly, without authentication.
7210 */
7211 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
7212 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7213 ssh2_pkt_send(ssh, s->pktout);
7214 crWaitUntilV(pktin);
7215 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) {
7216 s->we_are_in = TRUE; /* no auth required */
7217 } else {
7218 bombout(("Server refused service request"));
7219 crStopV;
7220 }
7221 }
7222
7223 /* Arrange to be able to deal with any BANNERs that come in.
7224 * (We do this now as packets may come in during the next bit.) */
7225 bufchain_init(&ssh->banner);
7226 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] =
7227 ssh2_msg_userauth_banner;
7228
7229 /*
7230 * Misc one-time setup for authentication.
7231 */
7232 s->publickey_blob = NULL;
7233 if (!s->we_are_in) {
7234
7235 /*
7236 * Load the public half of any configured public key file
7237 * for later use.
7238 */
7239 if (!filename_is_null(ssh->cfg.keyfile)) {
7240 int keytype;
7241 logeventf(ssh, "Reading private key file \"%.150s\"",
7242 filename_to_str(&ssh->cfg.keyfile));
7243 keytype = key_type(&ssh->cfg.keyfile);
7244 if (keytype == SSH_KEYTYPE_SSH2) {
7245 const char *error;
7246 s->publickey_blob =
7247 ssh2_userkey_loadpub(&ssh->cfg.keyfile,
7248 &s->publickey_algorithm,
7249 &s->publickey_bloblen,
7250 &s->publickey_comment, &error);
7251 if (s->publickey_blob) {
7252 s->publickey_encrypted =
7253 ssh2_userkey_encrypted(&ssh->cfg.keyfile, NULL);
7254 } else {
7255 char *msgbuf;
7256 logeventf(ssh, "Unable to load private key (%s)",
7257 error);
7258 msgbuf = dupprintf("Unable to load private key file "
7259 "\"%.150s\" (%s)\r\n",
7260 filename_to_str(&ssh->cfg.keyfile),
7261 error);
7262 c_write_str(ssh, msgbuf);
7263 sfree(msgbuf);
7264 }
7265 } else {
7266 char *msgbuf;
7267 logeventf(ssh, "Unable to use this key file (%s)",
7268 key_type_to_str(keytype));
7269 msgbuf = dupprintf("Unable to use key file \"%.150s\""
7270 " (%s)\r\n",
7271 filename_to_str(&ssh->cfg.keyfile),
7272 key_type_to_str(keytype));
7273 c_write_str(ssh, msgbuf);
7274 sfree(msgbuf);
7275 s->publickey_blob = NULL;
7276 }
7277 }
7278
7279 /*
7280 * Find out about any keys Pageant has (but if there's a
7281 * public key configured, filter out all others).
7282 */
7283 s->nkeys = 0;
7284 s->agent_response = NULL;
7285 s->pkblob_in_agent = NULL;
7286 if (ssh->cfg.tryagent && agent_exists()) {
7287
7288 void *r;
7289
7290 logevent("Pageant is running. Requesting keys.");
7291
7292 /* Request the keys held by the agent. */
7293 PUT_32BIT(s->agent_request, 1);
7294 s->agent_request[4] = SSH2_AGENTC_REQUEST_IDENTITIES;
7295 if (!agent_query(s->agent_request, 5, &r, &s->agent_responselen,
7296 ssh_agent_callback, ssh)) {
7297 do {
7298 crReturnV;
7299 if (pktin) {
7300 bombout(("Unexpected data from server while"
7301 " waiting for agent response"));
7302 crStopV;
7303 }
7304 } while (pktin || inlen > 0);
7305 r = ssh->agent_response;
7306 s->agent_responselen = ssh->agent_response_len;
7307 }
7308 s->agent_response = (unsigned char *) r;
7309 if (s->agent_response && s->agent_responselen >= 5 &&
7310 s->agent_response[4] == SSH2_AGENT_IDENTITIES_ANSWER) {
7311 int keyi;
7312 unsigned char *p;
7313 p = s->agent_response + 5;
7314 s->nkeys = GET_32BIT(p);
7315 p += 4;
7316 logeventf(ssh, "Pageant has %d SSH-2 keys", s->nkeys);
7317 if (s->publickey_blob) {
7318 /* See if configured key is in agent. */
7319 for (keyi = 0; keyi < s->nkeys; keyi++) {
7320 s->pklen = GET_32BIT(p);
7321 if (s->pklen == s->publickey_bloblen &&
7322 !memcmp(p+4, s->publickey_blob,
7323 s->publickey_bloblen)) {
7324 logeventf(ssh, "Pageant key #%d matches "
7325 "configured key file", keyi);
7326 s->keyi = keyi;
7327 s->pkblob_in_agent = p;
7328 break;
7329 }
7330 p += 4 + s->pklen;
7331 p += GET_32BIT(p) + 4; /* comment */
7332 }
7333 if (!s->pkblob_in_agent) {
7334 logevent("Configured key file not in Pageant");
7335 s->nkeys = 0;
7336 }
7337 }
7338 }
7339 }
7340
7341 }
7342
7343 /*
7344 * We repeat this whole loop, including the username prompt,
7345 * until we manage a successful authentication. If the user
7346 * types the wrong _password_, they can be sent back to the
7347 * beginning to try another username, if this is configured on.
7348 * (If they specify a username in the config, they are never
7349 * asked, even if they do give a wrong password.)
7350 *
7351 * I think this best serves the needs of
7352 *
7353 * - the people who have no configuration, no keys, and just
7354 * want to try repeated (username,password) pairs until they
7355 * type both correctly
7356 *
7357 * - people who have keys and configuration but occasionally
7358 * need to fall back to passwords
7359 *
7360 * - people with a key held in Pageant, who might not have
7361 * logged in to a particular machine before; so they want to
7362 * type a username, and then _either_ their key will be
7363 * accepted, _or_ they will type a password. If they mistype
7364 * the username they will want to be able to get back and
7365 * retype it!
7366 */
7367 s->username[0] = '\0';
7368 s->got_username = FALSE;
7369 while (!s->we_are_in) {
7370 /*
7371 * Get a username.
7372 */
7373 if (s->got_username && !ssh->cfg.change_username) {
7374 /*
7375 * We got a username last time round this loop, and
7376 * with change_username turned off we don't try to get
7377 * it again.
7378 */
7379 } else if (!get_remote_username(&ssh->cfg, s->username,
7380 sizeof(s->username))) {
7381 int ret; /* need not be kept over crReturn */
7382 s->cur_prompt = new_prompts(ssh->frontend);
7383 s->cur_prompt->to_server = TRUE;
7384 s->cur_prompt->name = dupstr("SSH login name");
7385 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
7386 lenof(s->username));
7387 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7388 while (ret < 0) {
7389 ssh->send_ok = 1;
7390 crWaitUntilV(!pktin);
7391 ret = get_userpass_input(s->cur_prompt, in, inlen);
7392 ssh->send_ok = 0;
7393 }
7394 if (!ret) {
7395 /*
7396 * get_userpass_input() failed to get a username.
7397 * Terminate.
7398 */
7399 free_prompts(s->cur_prompt);
7400 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
7401 crStopV;
7402 }
7403 memcpy(s->username, s->cur_prompt->prompts[0]->result,
7404 lenof(s->username));
7405 free_prompts(s->cur_prompt);
7406 } else {
7407 char *stuff;
7408 if ((flags & FLAG_VERBOSE) || (flags & FLAG_INTERACTIVE)) {
7409 stuff = dupprintf("Using username \"%s\".\r\n", s->username);
7410 c_write_str(ssh, stuff);
7411 sfree(stuff);
7412 }
7413 }
7414 s->got_username = TRUE;
7415
7416 /*
7417 * Send an authentication request using method "none": (a)
7418 * just in case it succeeds, and (b) so that we know what
7419 * authentication methods we can usefully try next.
7420 */
7421 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
7422
7423 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7424 ssh2_pkt_addstring(s->pktout, s->username);
7425 ssh2_pkt_addstring(s->pktout, "ssh-connection");/* service requested */
7426 ssh2_pkt_addstring(s->pktout, "none"); /* method */
7427 ssh2_pkt_send(ssh, s->pktout);
7428 s->type = AUTH_TYPE_NONE;
7429 s->gotit = FALSE;
7430 s->we_are_in = FALSE;
7431
7432 s->tried_pubkey_config = FALSE;
7433 s->kbd_inter_refused = FALSE;
7434
7435 /* Reset agent request state. */
7436 s->done_agent = FALSE;
7437 if (s->agent_response) {
7438 if (s->pkblob_in_agent) {
7439 s->agentp = s->pkblob_in_agent;
7440 } else {
7441 s->agentp = s->agent_response + 5 + 4;
7442 s->keyi = 0;
7443 }
7444 }
7445
7446 while (1) {
7447 /*
7448 * Wait for the result of the last authentication request.
7449 */
7450 if (!s->gotit)
7451 crWaitUntilV(pktin);
7452 /*
7453 * Now is a convenient point to spew any banner material
7454 * that we've accumulated. (This should ensure that when
7455 * we exit the auth loop, we haven't any left to deal
7456 * with.)
7457 */
7458 {
7459 int size = bufchain_size(&ssh->banner);
7460 /*
7461 * Don't show the banner if we're operating in
7462 * non-verbose non-interactive mode. (It's probably
7463 * a script, which means nobody will read the
7464 * banner _anyway_, and moreover the printing of
7465 * the banner will screw up processing on the
7466 * output of (say) plink.)
7467 */
7468 if (size && (flags & (FLAG_VERBOSE | FLAG_INTERACTIVE))) {
7469 char *banner = snewn(size, char);
7470 bufchain_fetch(&ssh->banner, banner, size);
7471 c_write_untrusted(ssh, banner, size);
7472 sfree(banner);
7473 }
7474 bufchain_clear(&ssh->banner);
7475 }
7476 if (pktin->type == SSH2_MSG_USERAUTH_SUCCESS) {
7477 logevent("Access granted");
7478 s->we_are_in = TRUE;
7479 break;
7480 }
7481
7482 if (pktin->type != SSH2_MSG_USERAUTH_FAILURE && s->type != AUTH_TYPE_GSSAPI) {
7483 bombout(("Strange packet received during authentication: "
7484 "type %d", pktin->type));
7485 crStopV;
7486 }
7487
7488 s->gotit = FALSE;
7489
7490 /*
7491 * OK, we're now sitting on a USERAUTH_FAILURE message, so
7492 * we can look at the string in it and know what we can
7493 * helpfully try next.
7494 */
7495 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE) {
7496 char *methods;
7497 int methlen;
7498 ssh_pkt_getstring(pktin, &methods, &methlen);
7499 if (!ssh2_pkt_getbool(pktin)) {
7500 /*
7501 * We have received an unequivocal Access
7502 * Denied. This can translate to a variety of
7503 * messages:
7504 *
7505 * - if we'd just tried "none" authentication,
7506 * it's not worth printing anything at all
7507 *
7508 * - if we'd just tried a public key _offer_,
7509 * the message should be "Server refused our
7510 * key" (or no message at all if the key
7511 * came from Pageant)
7512 *
7513 * - if we'd just tried anything else, the
7514 * message really should be "Access denied".
7515 *
7516 * Additionally, if we'd just tried password
7517 * authentication, we should break out of this
7518 * whole loop so as to go back to the username
7519 * prompt (iff we're configured to allow
7520 * username change attempts).
7521 */
7522 if (s->type == AUTH_TYPE_NONE) {
7523 /* do nothing */
7524 } else if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD ||
7525 s->type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) {
7526 if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD)
7527 c_write_str(ssh, "Server refused our key\r\n");
7528 logevent("Server refused public key");
7529 } else if (s->type==AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET) {
7530 /* server declined keyboard-interactive; ignore */
7531 } else {
7532 c_write_str(ssh, "Access denied\r\n");
7533 logevent("Access denied");
7534 if (s->type == AUTH_TYPE_PASSWORD &&
7535 ssh->cfg.change_username) {
7536 /* XXX perhaps we should allow
7537 * keyboard-interactive to do this too? */
7538 s->we_are_in = FALSE;
7539 break;
7540 }
7541 }
7542 } else {
7543 c_write_str(ssh, "Further authentication required\r\n");
7544 logevent("Further authentication required");
7545 }
7546
7547 s->can_pubkey =
7548 in_commasep_string("publickey", methods, methlen);
7549 s->can_passwd =
7550 in_commasep_string("password", methods, methlen);
7551 s->can_keyb_inter = ssh->cfg.try_ki_auth &&
7552 in_commasep_string("keyboard-interactive", methods, methlen);
7553 #ifndef NO_GSSAPI
7554 s->can_gssapi = ssh->cfg.try_gssapi_auth &&
7555 in_commasep_string("gssapi-with-mic", methods, methlen) &&
7556 ssh_gss_init();
7557 #endif
7558 }
7559
7560 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
7561
7562 if (s->can_pubkey && !s->done_agent && s->nkeys) {
7563
7564 /*
7565 * Attempt public-key authentication using a key from Pageant.
7566 */
7567
7568 ssh->pkt_actx = SSH2_PKTCTX_PUBLICKEY;
7569
7570 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
7571
7572 /* Unpack key from agent response */
7573 s->pklen = GET_32BIT(s->agentp);
7574 s->agentp += 4;
7575 s->pkblob = (char *)s->agentp;
7576 s->agentp += s->pklen;
7577 s->alglen = GET_32BIT(s->pkblob);
7578 s->alg = s->pkblob + 4;
7579 s->commentlen = GET_32BIT(s->agentp);
7580 s->agentp += 4;
7581 s->commentp = (char *)s->agentp;
7582 s->agentp += s->commentlen;
7583 /* s->agentp now points at next key, if any */
7584
7585 /* See if server will accept it */
7586 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7587 ssh2_pkt_addstring(s->pktout, s->username);
7588 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7589 /* service requested */
7590 ssh2_pkt_addstring(s->pktout, "publickey");
7591 /* method */
7592 ssh2_pkt_addbool(s->pktout, FALSE); /* no signature included */
7593 ssh2_pkt_addstring_start(s->pktout);
7594 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
7595 ssh2_pkt_addstring_start(s->pktout);
7596 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7597 ssh2_pkt_send(ssh, s->pktout);
7598 s->type = AUTH_TYPE_PUBLICKEY_OFFER_QUIET;
7599
7600 crWaitUntilV(pktin);
7601 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7602
7603 /* Offer of key refused. */
7604 s->gotit = TRUE;
7605
7606 } else {
7607
7608 void *vret;
7609
7610 if (flags & FLAG_VERBOSE) {
7611 c_write_str(ssh, "Authenticating with "
7612 "public key \"");
7613 c_write(ssh, s->commentp, s->commentlen);
7614 c_write_str(ssh, "\" from agent\r\n");
7615 }
7616
7617 /*
7618 * Server is willing to accept the key.
7619 * Construct a SIGN_REQUEST.
7620 */
7621 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7622 ssh2_pkt_addstring(s->pktout, s->username);
7623 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7624 /* service requested */
7625 ssh2_pkt_addstring(s->pktout, "publickey");
7626 /* method */
7627 ssh2_pkt_addbool(s->pktout, TRUE); /* signature included */
7628 ssh2_pkt_addstring_start(s->pktout);
7629 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
7630 ssh2_pkt_addstring_start(s->pktout);
7631 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7632
7633 /* Ask agent for signature. */
7634 s->siglen = s->pktout->length - 5 + 4 +
7635 ssh->v2_session_id_len;
7636 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7637 s->siglen -= 4;
7638 s->len = 1; /* message type */
7639 s->len += 4 + s->pklen; /* key blob */
7640 s->len += 4 + s->siglen; /* data to sign */
7641 s->len += 4; /* flags */
7642 s->agentreq = snewn(4 + s->len, char);
7643 PUT_32BIT(s->agentreq, s->len);
7644 s->q = s->agentreq + 4;
7645 *s->q++ = SSH2_AGENTC_SIGN_REQUEST;
7646 PUT_32BIT(s->q, s->pklen);
7647 s->q += 4;
7648 memcpy(s->q, s->pkblob, s->pklen);
7649 s->q += s->pklen;
7650 PUT_32BIT(s->q, s->siglen);
7651 s->q += 4;
7652 /* Now the data to be signed... */
7653 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7654 PUT_32BIT(s->q, ssh->v2_session_id_len);
7655 s->q += 4;
7656 }
7657 memcpy(s->q, ssh->v2_session_id,
7658 ssh->v2_session_id_len);
7659 s->q += ssh->v2_session_id_len;
7660 memcpy(s->q, s->pktout->data + 5,
7661 s->pktout->length - 5);
7662 s->q += s->pktout->length - 5;
7663 /* And finally the (zero) flags word. */
7664 PUT_32BIT(s->q, 0);
7665 if (!agent_query(s->agentreq, s->len + 4,
7666 &vret, &s->retlen,
7667 ssh_agent_callback, ssh)) {
7668 do {
7669 crReturnV;
7670 if (pktin) {
7671 bombout(("Unexpected data from server"
7672 " while waiting for agent"
7673 " response"));
7674 crStopV;
7675 }
7676 } while (pktin || inlen > 0);
7677 vret = ssh->agent_response;
7678 s->retlen = ssh->agent_response_len;
7679 }
7680 s->ret = vret;
7681 sfree(s->agentreq);
7682 if (s->ret) {
7683 if (s->ret[4] == SSH2_AGENT_SIGN_RESPONSE) {
7684 logevent("Sending Pageant's response");
7685 ssh2_add_sigblob(ssh, s->pktout,
7686 s->pkblob, s->pklen,
7687 s->ret + 9,
7688 GET_32BIT(s->ret + 5));
7689 ssh2_pkt_send(ssh, s->pktout);
7690 s->type = AUTH_TYPE_PUBLICKEY;
7691 } else {
7692 /* FIXME: less drastic response */
7693 bombout(("Pageant failed to answer challenge"));
7694 crStopV;
7695 }
7696 }
7697 }
7698
7699 /* Do we have any keys left to try? */
7700 if (s->pkblob_in_agent) {
7701 s->done_agent = TRUE;
7702 s->tried_pubkey_config = TRUE;
7703 } else {
7704 s->keyi++;
7705 if (s->keyi >= s->nkeys)
7706 s->done_agent = TRUE;
7707 }
7708
7709 } else if (s->can_pubkey && s->publickey_blob &&
7710 !s->tried_pubkey_config) {
7711
7712 struct ssh2_userkey *key; /* not live over crReturn */
7713 char *passphrase; /* not live over crReturn */
7714
7715 ssh->pkt_actx = SSH2_PKTCTX_PUBLICKEY;
7716
7717 s->tried_pubkey_config = TRUE;
7718
7719 /*
7720 * Try the public key supplied in the configuration.
7721 *
7722 * First, offer the public blob to see if the server is
7723 * willing to accept it.
7724 */
7725 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7726 ssh2_pkt_addstring(s->pktout, s->username);
7727 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7728 /* service requested */
7729 ssh2_pkt_addstring(s->pktout, "publickey"); /* method */
7730 ssh2_pkt_addbool(s->pktout, FALSE);
7731 /* no signature included */
7732 ssh2_pkt_addstring(s->pktout, s->publickey_algorithm);
7733 ssh2_pkt_addstring_start(s->pktout);
7734 ssh2_pkt_addstring_data(s->pktout,
7735 (char *)s->publickey_blob,
7736 s->publickey_bloblen);
7737 ssh2_pkt_send(ssh, s->pktout);
7738 logevent("Offered public key");
7739
7740 crWaitUntilV(pktin);
7741 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7742 /* Key refused. Give up. */
7743 s->gotit = TRUE; /* reconsider message next loop */
7744 s->type = AUTH_TYPE_PUBLICKEY_OFFER_LOUD;
7745 continue; /* process this new message */
7746 }
7747 logevent("Offer of public key accepted");
7748
7749 /*
7750 * Actually attempt a serious authentication using
7751 * the key.
7752 */
7753 if (flags & FLAG_VERBOSE) {
7754 c_write_str(ssh, "Authenticating with public key \"");
7755 c_write_str(ssh, s->publickey_comment);
7756 c_write_str(ssh, "\"\r\n");
7757 }
7758 key = NULL;
7759 while (!key) {
7760 const char *error; /* not live over crReturn */
7761 if (s->publickey_encrypted) {
7762 /*
7763 * Get a passphrase from the user.
7764 */
7765 int ret; /* need not be kept over crReturn */
7766 s->cur_prompt = new_prompts(ssh->frontend);
7767 s->cur_prompt->to_server = FALSE;
7768 s->cur_prompt->name = dupstr("SSH key passphrase");
7769 add_prompt(s->cur_prompt,
7770 dupprintf("Passphrase for key \"%.100s\": ",
7771 s->publickey_comment),
7772 FALSE, SSH_MAX_PASSWORD_LEN);
7773 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7774 while (ret < 0) {
7775 ssh->send_ok = 1;
7776 crWaitUntilV(!pktin);
7777 ret = get_userpass_input(s->cur_prompt,
7778 in, inlen);
7779 ssh->send_ok = 0;
7780 }
7781 if (!ret) {
7782 /* Failed to get a passphrase. Terminate. */
7783 free_prompts(s->cur_prompt);
7784 ssh_disconnect(ssh, NULL,
7785 "Unable to authenticate",
7786 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7787 TRUE);
7788 crStopV;
7789 }
7790 passphrase =
7791 dupstr(s->cur_prompt->prompts[0]->result);
7792 free_prompts(s->cur_prompt);
7793 } else {
7794 passphrase = NULL; /* no passphrase needed */
7795 }
7796
7797 /*
7798 * Try decrypting the key.
7799 */
7800 key = ssh2_load_userkey(&ssh->cfg.keyfile, passphrase,
7801 &error);
7802 if (passphrase) {
7803 /* burn the evidence */
7804 memset(passphrase, 0, strlen(passphrase));
7805 sfree(passphrase);
7806 }
7807 if (key == SSH2_WRONG_PASSPHRASE || key == NULL) {
7808 if (passphrase &&
7809 (key == SSH2_WRONG_PASSPHRASE)) {
7810 c_write_str(ssh, "Wrong passphrase\r\n");
7811 key = NULL;
7812 /* and loop again */
7813 } else {
7814 c_write_str(ssh, "Unable to load private key (");
7815 c_write_str(ssh, error);
7816 c_write_str(ssh, ")\r\n");
7817 key = NULL;
7818 break; /* try something else */
7819 }
7820 }
7821 }
7822
7823 if (key) {
7824 unsigned char *pkblob, *sigblob, *sigdata;
7825 int pkblob_len, sigblob_len, sigdata_len;
7826 int p;
7827
7828 /*
7829 * We have loaded the private key and the server
7830 * has announced that it's willing to accept it.
7831 * Hallelujah. Generate a signature and send it.
7832 */
7833 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7834 ssh2_pkt_addstring(s->pktout, s->username);
7835 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7836 /* service requested */
7837 ssh2_pkt_addstring(s->pktout, "publickey");
7838 /* method */
7839 ssh2_pkt_addbool(s->pktout, TRUE);
7840 /* signature follows */
7841 ssh2_pkt_addstring(s->pktout, key->alg->name);
7842 pkblob = key->alg->public_blob(key->data,
7843 &pkblob_len);
7844 ssh2_pkt_addstring_start(s->pktout);
7845 ssh2_pkt_addstring_data(s->pktout, (char *)pkblob,
7846 pkblob_len);
7847
7848 /*
7849 * The data to be signed is:
7850 *
7851 * string session-id
7852 *
7853 * followed by everything so far placed in the
7854 * outgoing packet.
7855 */
7856 sigdata_len = s->pktout->length - 5 + 4 +
7857 ssh->v2_session_id_len;
7858 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7859 sigdata_len -= 4;
7860 sigdata = snewn(sigdata_len, unsigned char);
7861 p = 0;
7862 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7863 PUT_32BIT(sigdata+p, ssh->v2_session_id_len);
7864 p += 4;
7865 }
7866 memcpy(sigdata+p, ssh->v2_session_id,
7867 ssh->v2_session_id_len);
7868 p += ssh->v2_session_id_len;
7869 memcpy(sigdata+p, s->pktout->data + 5,
7870 s->pktout->length - 5);
7871 p += s->pktout->length - 5;
7872 assert(p == sigdata_len);
7873 sigblob = key->alg->sign(key->data, (char *)sigdata,
7874 sigdata_len, &sigblob_len);
7875 ssh2_add_sigblob(ssh, s->pktout, pkblob, pkblob_len,
7876 sigblob, sigblob_len);
7877 sfree(pkblob);
7878 sfree(sigblob);
7879 sfree(sigdata);
7880
7881 ssh2_pkt_send(ssh, s->pktout);
7882 s->type = AUTH_TYPE_PUBLICKEY;
7883 key->alg->freekey(key->data);
7884 }
7885
7886 #ifndef NO_GSSAPI
7887 } else if (s->can_gssapi && !s->tried_gssapi) {
7888
7889 /* GSSAPI Authentication */
7890
7891 int micoffset, len;
7892 char *data;
7893 Ssh_gss_buf mic;
7894 s->type = AUTH_TYPE_GSSAPI;
7895 s->tried_gssapi = TRUE;
7896 s->gotit = TRUE;
7897 ssh->pkt_actx = SSH2_PKTCTX_GSSAPI;
7898
7899 /* Sending USERAUTH_REQUEST with "gssapi-with-mic" method */
7900 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7901 ssh2_pkt_addstring(s->pktout, s->username);
7902 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7903 ssh2_pkt_addstring(s->pktout, "gssapi-with-mic");
7904
7905 /* add mechanism info */
7906 ssh_gss_indicate_mech(&s->gss_buf);
7907
7908 /* number of GSSAPI mechanisms */
7909 ssh2_pkt_adduint32(s->pktout,1);
7910
7911 /* length of OID + 2 */
7912 ssh2_pkt_adduint32(s->pktout, s->gss_buf.length + 2);
7913 ssh2_pkt_addbyte(s->pktout, SSH2_GSS_OIDTYPE);
7914
7915 /* length of OID */
7916 ssh2_pkt_addbyte(s->pktout, (unsigned char) s->gss_buf.length);
7917
7918 ssh_pkt_adddata(s->pktout, s->gss_buf.value,
7919 s->gss_buf.length);
7920 ssh2_pkt_send(ssh, s->pktout);
7921 crWaitUntilV(pktin);
7922 if (pktin->type != SSH2_MSG_USERAUTH_GSSAPI_RESPONSE) {
7923 logevent("GSSAPI authentication request refused");
7924 continue;
7925 }
7926
7927 /* check returned packet ... */
7928
7929 ssh_pkt_getstring(pktin, &data, &len);
7930 s->gss_rcvtok.value = data;
7931 s->gss_rcvtok.length = len;
7932 if (s->gss_rcvtok.length != s->gss_buf.length + 2 ||
7933 ((char *)s->gss_rcvtok.value)[0] != SSH2_GSS_OIDTYPE ||
7934 ((char *)s->gss_rcvtok.value)[1] != s->gss_buf.length ||
7935 memcmp((char *)s->gss_rcvtok.value + 2,
7936 s->gss_buf.value,s->gss_buf.length) ) {
7937 logevent("GSSAPI authentication - wrong response from server");
7938 continue;
7939 }
7940
7941 /* now start running */
7942 s->gss_stat = ssh_gss_import_name(ssh->fullhostname,
7943 &s->gss_srv_name);
7944 if (s->gss_stat != SSH_GSS_OK) {
7945 if (s->gss_stat == SSH_GSS_BAD_HOST_NAME)
7946 logevent("GSSAPI import name failed - Bad service name");
7947 else
7948 logevent("GSSAPI import name failed");
7949 continue;
7950 }
7951
7952 /* fetch TGT into GSS engine */
7953 s->gss_stat = ssh_gss_acquire_cred(&s->gss_ctx);
7954
7955 if (s->gss_stat != SSH_GSS_OK) {
7956 logevent("GSSAPI authentication failed to get credentials");
7957 ssh_gss_release_name(&s->gss_srv_name);
7958 continue;
7959 }
7960
7961 /* initial tokens are empty */
7962 SSH_GSS_CLEAR_BUF(&s->gss_rcvtok);
7963 SSH_GSS_CLEAR_BUF(&s->gss_sndtok);
7964
7965 /* now enter the loop */
7966 do {
7967 s->gss_stat = ssh_gss_init_sec_context(&s->gss_ctx,
7968 s->gss_srv_name,
7969 ssh->cfg.gssapifwd,
7970 &s->gss_rcvtok,
7971 &s->gss_sndtok);
7972
7973 if (s->gss_stat!=SSH_GSS_S_COMPLETE &&
7974 s->gss_stat!=SSH_GSS_S_CONTINUE_NEEDED) {
7975 logevent("GSSAPI authentication initialisation failed");
7976
7977 if (ssh_gss_display_status(s->gss_ctx,&s->gss_buf) == SSH_GSS_OK) {
7978 logevent(s->gss_buf.value);
7979 sfree(s->gss_buf.value);
7980 }
7981
7982 break;
7983 }
7984 logevent("GSSAPI authentication initialised");
7985
7986 /* Client and server now exchange tokens until GSSAPI
7987 * no longer says CONTINUE_NEEDED */
7988
7989 if (s->gss_sndtok.length != 0) {
7990 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
7991 ssh_pkt_addstring_start(s->pktout);
7992 ssh_pkt_addstring_data(s->pktout,s->gss_sndtok.value,s->gss_sndtok.length);
7993 ssh2_pkt_send(ssh, s->pktout);
7994 ssh_gss_free_tok(&s->gss_sndtok);
7995 }
7996
7997 if (s->gss_stat == SSH_GSS_S_CONTINUE_NEEDED) {
7998 crWaitUntilV(pktin);
7999 if (pktin->type != SSH2_MSG_USERAUTH_GSSAPI_TOKEN) {
8000 logevent("GSSAPI authentication - bad server response");
8001 s->gss_stat = SSH_GSS_FAILURE;
8002 break;
8003 }
8004 ssh_pkt_getstring(pktin, &data, &len);
8005 s->gss_rcvtok.value = data;
8006 s->gss_rcvtok.length = len;
8007 }
8008 } while (s-> gss_stat == SSH_GSS_S_CONTINUE_NEEDED);
8009
8010 if (s->gss_stat != SSH_GSS_OK) {
8011 ssh_gss_release_name(&s->gss_srv_name);
8012 ssh_gss_release_cred(&s->gss_ctx);
8013 continue;
8014 }
8015 logevent("GSSAPI authentication loop finished OK");
8016
8017 /* Now send the MIC */
8018
8019 s->pktout = ssh2_pkt_init(0);
8020 micoffset = s->pktout->length;
8021 ssh_pkt_addstring_start(s->pktout);
8022 ssh_pkt_addstring_data(s->pktout, (char *)ssh->v2_session_id, ssh->v2_session_id_len);
8023 ssh_pkt_addbyte(s->pktout, SSH2_MSG_USERAUTH_REQUEST);
8024 ssh_pkt_addstring(s->pktout, s->username);
8025 ssh_pkt_addstring(s->pktout, "ssh-connection");
8026 ssh_pkt_addstring(s->pktout, "gssapi-with-mic");
8027
8028 s->gss_buf.value = (char *)s->pktout->data + micoffset;
8029 s->gss_buf.length = s->pktout->length - micoffset;
8030
8031 ssh_gss_get_mic(s->gss_ctx, &s->gss_buf, &mic);
8032 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_GSSAPI_MIC);
8033 ssh_pkt_addstring_start(s->pktout);
8034 ssh_pkt_addstring_data(s->pktout, mic.value, mic.length);
8035 ssh2_pkt_send(ssh, s->pktout);
8036 ssh_gss_free_mic(&mic);
8037
8038 s->gotit = FALSE;
8039
8040 ssh_gss_release_name(&s->gss_srv_name);
8041 ssh_gss_release_cred(&s->gss_ctx);
8042 continue;
8043 #endif
8044 } else if (s->can_keyb_inter && !s->kbd_inter_refused) {
8045
8046 /*
8047 * Keyboard-interactive authentication.
8048 */
8049
8050 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE;
8051
8052 ssh->pkt_actx = SSH2_PKTCTX_KBDINTER;
8053
8054 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
8055 ssh2_pkt_addstring(s->pktout, s->username);
8056 ssh2_pkt_addstring(s->pktout, "ssh-connection");
8057 /* service requested */
8058 ssh2_pkt_addstring(s->pktout, "keyboard-interactive");
8059 /* method */
8060 ssh2_pkt_addstring(s->pktout, ""); /* lang */
8061 ssh2_pkt_addstring(s->pktout, ""); /* submethods */
8062 ssh2_pkt_send(ssh, s->pktout);
8063
8064 crWaitUntilV(pktin);
8065 if (pktin->type != SSH2_MSG_USERAUTH_INFO_REQUEST) {
8066 /* Server is not willing to do keyboard-interactive
8067 * at all (or, bizarrely but legally, accepts the
8068 * user without actually issuing any prompts).
8069 * Give up on it entirely. */
8070 s->gotit = TRUE;
8071 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE)
8072 logevent("Keyboard-interactive authentication refused");
8073 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET;
8074 s->kbd_inter_refused = TRUE; /* don't try it again */
8075 continue;
8076 }
8077
8078 /*
8079 * Loop while the server continues to send INFO_REQUESTs.
8080 */
8081 while (pktin->type == SSH2_MSG_USERAUTH_INFO_REQUEST) {
8082
8083 char *name, *inst, *lang;
8084 int name_len, inst_len, lang_len;
8085 int i;
8086
8087 /*
8088 * We've got a fresh USERAUTH_INFO_REQUEST.
8089 * Get the preamble and start building a prompt.
8090 */
8091 ssh_pkt_getstring(pktin, &name, &name_len);
8092 ssh_pkt_getstring(pktin, &inst, &inst_len);
8093 ssh_pkt_getstring(pktin, &lang, &lang_len);
8094 s->cur_prompt = new_prompts(ssh->frontend);
8095 s->cur_prompt->to_server = TRUE;
8096 if (name_len) {
8097 /* FIXME: better prefix to distinguish from
8098 * local prompts? */
8099 s->cur_prompt->name =
8100 dupprintf("SSH server: %.*s", name_len, name);
8101 s->cur_prompt->name_reqd = TRUE;
8102 } else {
8103 s->cur_prompt->name =
8104 dupstr("SSH server authentication");
8105 s->cur_prompt->name_reqd = FALSE;
8106 }
8107 /* FIXME: ugly to print "Using..." in prompt _every_
8108 * time round. Can this be done more subtly? */
8109 s->cur_prompt->instruction =
8110 dupprintf("Using keyboard-interactive authentication.%s%.*s",
8111 inst_len ? "\n" : "", inst_len, inst);
8112 s->cur_prompt->instr_reqd = TRUE;
8113
8114 /*
8115 * Get any prompt(s) from the packet.
8116 */
8117 s->num_prompts = ssh_pkt_getuint32(pktin);
8118 for (i = 0; i < s->num_prompts; i++) {
8119 char *prompt;
8120 int prompt_len;
8121 int echo;
8122 static char noprompt[] =
8123 "<server failed to send prompt>: ";
8124
8125 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
8126 echo = ssh2_pkt_getbool(pktin);
8127 if (!prompt_len) {
8128 prompt = noprompt;
8129 prompt_len = lenof(noprompt)-1;
8130 }
8131 add_prompt(s->cur_prompt,
8132 dupprintf("%.*s", prompt_len, prompt),
8133 echo, SSH_MAX_PASSWORD_LEN);
8134 }
8135
8136 /*
8137 * Display any instructions, and get the user's
8138 * response(s).
8139 */
8140 {
8141 int ret; /* not live over crReturn */
8142 ret = get_userpass_input(s->cur_prompt, NULL, 0);
8143 while (ret < 0) {
8144 ssh->send_ok = 1;
8145 crWaitUntilV(!pktin);
8146 ret = get_userpass_input(s->cur_prompt, in, inlen);
8147 ssh->send_ok = 0;
8148 }
8149 if (!ret) {
8150 /*
8151 * Failed to get responses. Terminate.
8152 */
8153 free_prompts(s->cur_prompt);
8154 ssh_disconnect(ssh, NULL, "Unable to authenticate",
8155 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
8156 TRUE);
8157 crStopV;
8158 }
8159 }
8160
8161 /*
8162 * Send the response(s) to the server.
8163 */
8164 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_INFO_RESPONSE);
8165 ssh2_pkt_adduint32(s->pktout, s->num_prompts);
8166 for (i=0; i < s->num_prompts; i++) {
8167 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
8168 ssh2_pkt_addstring(s->pktout,
8169 s->cur_prompt->prompts[i]->result);
8170 end_log_omission(ssh, s->pktout);
8171 }
8172 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
8173
8174 /*
8175 * Get the next packet in case it's another
8176 * INFO_REQUEST.
8177 */
8178 crWaitUntilV(pktin);
8179
8180 }
8181
8182 /*
8183 * We should have SUCCESS or FAILURE now.
8184 */
8185 s->gotit = TRUE;
8186
8187 } else if (s->can_passwd) {
8188
8189 /*
8190 * Plain old password authentication.
8191 */
8192 int ret; /* not live over crReturn */
8193 int changereq_first_time; /* not live over crReturn */
8194
8195 ssh->pkt_actx = SSH2_PKTCTX_PASSWORD;
8196
8197 s->cur_prompt = new_prompts(ssh->frontend);
8198 s->cur_prompt->to_server = TRUE;
8199 s->cur_prompt->name = dupstr("SSH password");
8200 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
8201 s->username,
8202 ssh->savedhost),
8203 FALSE, SSH_MAX_PASSWORD_LEN);
8204
8205 ret = get_userpass_input(s->cur_prompt, NULL, 0);
8206 while (ret < 0) {
8207 ssh->send_ok = 1;
8208 crWaitUntilV(!pktin);
8209 ret = get_userpass_input(s->cur_prompt, in, inlen);
8210 ssh->send_ok = 0;
8211 }
8212 if (!ret) {
8213 /*
8214 * Failed to get responses. Terminate.
8215 */
8216 free_prompts(s->cur_prompt);
8217 ssh_disconnect(ssh, NULL, "Unable to authenticate",
8218 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
8219 TRUE);
8220 crStopV;
8221 }
8222 /*
8223 * Squirrel away the password. (We may need it later if
8224 * asked to change it.)
8225 */
8226 s->password = dupstr(s->cur_prompt->prompts[0]->result);
8227 free_prompts(s->cur_prompt);
8228
8229 /*
8230 * Send the password packet.
8231 *
8232 * We pad out the password packet to 256 bytes to make
8233 * it harder for an attacker to find the length of the
8234 * user's password.
8235 *
8236 * Anyone using a password longer than 256 bytes
8237 * probably doesn't have much to worry about from
8238 * people who find out how long their password is!
8239 */
8240 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
8241 ssh2_pkt_addstring(s->pktout, s->username);
8242 ssh2_pkt_addstring(s->pktout, "ssh-connection");
8243 /* service requested */
8244 ssh2_pkt_addstring(s->pktout, "password");
8245 ssh2_pkt_addbool(s->pktout, FALSE);
8246 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
8247 ssh2_pkt_addstring(s->pktout, s->password);
8248 end_log_omission(ssh, s->pktout);
8249 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
8250 logevent("Sent password");
8251 s->type = AUTH_TYPE_PASSWORD;
8252
8253 /*
8254 * Wait for next packet, in case it's a password change
8255 * request.
8256 */
8257 crWaitUntilV(pktin);
8258 changereq_first_time = TRUE;
8259
8260 while (pktin->type == SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ) {
8261
8262 /*
8263 * We're being asked for a new password
8264 * (perhaps not for the first time).
8265 * Loop until the server accepts it.
8266 */
8267
8268 int got_new = FALSE; /* not live over crReturn */
8269 char *prompt; /* not live over crReturn */
8270 int prompt_len; /* not live over crReturn */
8271
8272 {
8273 char *msg;
8274 if (changereq_first_time)
8275 msg = "Server requested password change";
8276 else
8277 msg = "Server rejected new password";
8278 logevent(msg);
8279 c_write_str(ssh, msg);
8280 c_write_str(ssh, "\r\n");
8281 }
8282
8283 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
8284
8285 s->cur_prompt = new_prompts(ssh->frontend);
8286 s->cur_prompt->to_server = TRUE;
8287 s->cur_prompt->name = dupstr("New SSH password");
8288 s->cur_prompt->instruction =
8289 dupprintf("%.*s", prompt_len, prompt);
8290 s->cur_prompt->instr_reqd = TRUE;
8291 /*
8292 * There's no explicit requirement in the protocol
8293 * for the "old" passwords in the original and
8294 * password-change messages to be the same, and
8295 * apparently some Cisco kit supports password change
8296 * by the user entering a blank password originally
8297 * and the real password subsequently, so,
8298 * reluctantly, we prompt for the old password again.
8299 *
8300 * (On the other hand, some servers don't even bother
8301 * to check this field.)
8302 */
8303 add_prompt(s->cur_prompt,
8304 dupstr("Current password (blank for previously entered password): "),
8305 FALSE, SSH_MAX_PASSWORD_LEN);
8306 add_prompt(s->cur_prompt, dupstr("Enter new password: "),
8307 FALSE, SSH_MAX_PASSWORD_LEN);
8308 add_prompt(s->cur_prompt, dupstr("Confirm new password: "),
8309 FALSE, SSH_MAX_PASSWORD_LEN);
8310
8311 /*
8312 * Loop until the user manages to enter the same
8313 * password twice.
8314 */
8315 while (!got_new) {
8316
8317 ret = get_userpass_input(s->cur_prompt, NULL, 0);
8318 while (ret < 0) {
8319 ssh->send_ok = 1;
8320 crWaitUntilV(!pktin);
8321 ret = get_userpass_input(s->cur_prompt, in, inlen);
8322 ssh->send_ok = 0;
8323 }
8324 if (!ret) {
8325 /*
8326 * Failed to get responses. Terminate.
8327 */
8328 /* burn the evidence */
8329 free_prompts(s->cur_prompt);
8330 memset(s->password, 0, strlen(s->password));
8331 sfree(s->password);
8332 ssh_disconnect(ssh, NULL, "Unable to authenticate",
8333 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
8334 TRUE);
8335 crStopV;
8336 }
8337
8338 /*
8339 * If the user specified a new original password
8340 * (IYSWIM), overwrite any previously specified
8341 * one.
8342 * (A side effect is that the user doesn't have to
8343 * re-enter it if they louse up the new password.)
8344 */
8345 if (s->cur_prompt->prompts[0]->result[0]) {
8346 memset(s->password, 0, strlen(s->password));
8347 /* burn the evidence */
8348 sfree(s->password);
8349 s->password =
8350 dupstr(s->cur_prompt->prompts[0]->result);
8351 }
8352
8353 /*
8354 * Check the two new passwords match.
8355 */
8356 got_new = (strcmp(s->cur_prompt->prompts[1]->result,
8357 s->cur_prompt->prompts[2]->result)
8358 == 0);
8359 if (!got_new)
8360 /* They don't. Silly user. */
8361 c_write_str(ssh, "Passwords do not match\r\n");
8362
8363 }
8364
8365 /*
8366 * Send the new password (along with the old one).
8367 * (see above for padding rationale)
8368 */
8369 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
8370 ssh2_pkt_addstring(s->pktout, s->username);
8371 ssh2_pkt_addstring(s->pktout, "ssh-connection");
8372 /* service requested */
8373 ssh2_pkt_addstring(s->pktout, "password");
8374 ssh2_pkt_addbool(s->pktout, TRUE);
8375 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
8376 ssh2_pkt_addstring(s->pktout, s->password);
8377 ssh2_pkt_addstring(s->pktout,
8378 s->cur_prompt->prompts[1]->result);
8379 free_prompts(s->cur_prompt);
8380 end_log_omission(ssh, s->pktout);
8381 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
8382 logevent("Sent new password");
8383
8384 /*
8385 * Now see what the server has to say about it.
8386 * (If it's CHANGEREQ again, it's not happy with the
8387 * new password.)
8388 */
8389 crWaitUntilV(pktin);
8390 changereq_first_time = FALSE;
8391
8392 }
8393
8394 /*
8395 * We need to reexamine the current pktin at the top
8396 * of the loop. Either:
8397 * - we weren't asked to change password at all, in
8398 * which case it's a SUCCESS or FAILURE with the
8399 * usual meaning
8400 * - we sent a new password, and the server was
8401 * either OK with it (SUCCESS or FAILURE w/partial
8402 * success) or unhappy with the _old_ password
8403 * (FAILURE w/o partial success)
8404 * In any of these cases, we go back to the top of
8405 * the loop and start again.
8406 */
8407 s->gotit = TRUE;
8408
8409 /*
8410 * We don't need the old password any more, in any
8411 * case. Burn the evidence.
8412 */
8413 memset(s->password, 0, strlen(s->password));
8414 sfree(s->password);
8415
8416 } else {
8417
8418 ssh_disconnect(ssh, NULL,
8419 "No supported authentication methods available",
8420 SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE,
8421 FALSE);
8422 crStopV;
8423
8424 }
8425
8426 }
8427 }
8428 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
8429
8430 /* Clear up various bits and pieces from authentication. */
8431 if (s->publickey_blob) {
8432 sfree(s->publickey_blob);
8433 sfree(s->publickey_comment);
8434 }
8435 if (s->agent_response)
8436 sfree(s->agent_response);
8437
8438 /*
8439 * Now the connection protocol has started, one way or another.
8440 */
8441
8442 ssh->channels = newtree234(ssh_channelcmp);
8443
8444 /*
8445 * Set up handlers for some connection protocol messages, so we
8446 * don't have to handle them repeatedly in this coroutine.
8447 */
8448 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] =
8449 ssh2_msg_channel_window_adjust;
8450 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] =
8451 ssh2_msg_global_request;
8452
8453 /*
8454 * Create the main session channel.
8455 */
8456 if (ssh->cfg.ssh_no_shell) {
8457 ssh->mainchan = NULL;
8458 } else if (*ssh->cfg.ssh_nc_host) {
8459 /*
8460 * Just start a direct-tcpip channel and use it as the main
8461 * channel.
8462 */
8463 ssh->mainchan = snew(struct ssh_channel);
8464 ssh->mainchan->ssh = ssh;
8465 ssh2_channel_init(ssh->mainchan);
8466 logeventf(ssh,
8467 "Opening direct-tcpip channel to %s:%d in place of session",
8468 ssh->cfg.ssh_nc_host, ssh->cfg.ssh_nc_port);
8469 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
8470 ssh2_pkt_addstring(s->pktout, "direct-tcpip");
8471 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
8472 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
8473 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
8474 ssh2_pkt_addstring(s->pktout, ssh->cfg.ssh_nc_host);
8475 ssh2_pkt_adduint32(s->pktout, ssh->cfg.ssh_nc_port);
8476 /*
8477 * There's nothing meaningful to put in the originator
8478 * fields, but some servers insist on syntactically correct
8479 * information.
8480 */
8481 ssh2_pkt_addstring(s->pktout, "0.0.0.0");
8482 ssh2_pkt_adduint32(s->pktout, 0);
8483 ssh2_pkt_send(ssh, s->pktout);
8484
8485 crWaitUntilV(pktin);
8486 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
8487 bombout(("Server refused to open a direct-tcpip channel"));
8488 crStopV;
8489 /* FIXME: error data comes back in FAILURE packet */
8490 }
8491 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
8492 bombout(("Server's channel confirmation cited wrong channel"));
8493 crStopV;
8494 }
8495 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
8496 ssh->mainchan->halfopen = FALSE;
8497 ssh->mainchan->type = CHAN_MAINSESSION;
8498 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
8499 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
8500 add234(ssh->channels, ssh->mainchan);
8501 update_specials_menu(ssh->frontend);
8502 logevent("Opened direct-tcpip channel");
8503 ssh->ncmode = TRUE;
8504 } else {
8505 ssh->mainchan = snew(struct ssh_channel);
8506 ssh->mainchan->ssh = ssh;
8507 ssh2_channel_init(ssh->mainchan);
8508 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
8509 ssh2_pkt_addstring(s->pktout, "session");
8510 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
8511 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
8512 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
8513 ssh2_pkt_send(ssh, s->pktout);
8514 crWaitUntilV(pktin);
8515 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
8516 bombout(("Server refused to open a session"));
8517 crStopV;
8518 /* FIXME: error data comes back in FAILURE packet */
8519 }
8520 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
8521 bombout(("Server's channel confirmation cited wrong channel"));
8522 crStopV;
8523 }
8524 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
8525 ssh->mainchan->halfopen = FALSE;
8526 ssh->mainchan->type = CHAN_MAINSESSION;
8527 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
8528 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
8529 add234(ssh->channels, ssh->mainchan);
8530 update_specials_menu(ssh->frontend);
8531 logevent("Opened channel for session");
8532 ssh->ncmode = FALSE;
8533 }
8534
8535 /*
8536 * Now we have a channel, make dispatch table entries for
8537 * general channel-based messages.
8538 */
8539 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] =
8540 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] =
8541 ssh2_msg_channel_data;
8542 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = ssh2_msg_channel_eof;
8543 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = ssh2_msg_channel_close;
8544 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] =
8545 ssh2_msg_channel_open_confirmation;
8546 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] =
8547 ssh2_msg_channel_open_failure;
8548 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] =
8549 ssh2_msg_channel_request;
8550 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] =
8551 ssh2_msg_channel_open;
8552
8553 if (ssh->cfg.ssh_simple) {
8554 /*
8555 * This message indicates to the server that we promise
8556 * not to try to run any other channel in parallel with
8557 * this one, so it's safe for it to advertise a very large
8558 * window and leave the flow control to TCP.
8559 */
8560 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8561 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8562 ssh2_pkt_addstring(s->pktout, "simple@putty.projects.tartarus.org");
8563 ssh2_pkt_addbool(s->pktout, 0); /* no reply */
8564 ssh2_pkt_send(ssh, s->pktout);
8565 }
8566
8567 /*
8568 * Potentially enable X11 forwarding.
8569 */
8570 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.x11_forward) {
8571 logevent("Requesting X11 forwarding");
8572 ssh->x11disp = x11_setup_display(ssh->cfg.x11_display,
8573 ssh->cfg.x11_auth, &ssh->cfg);
8574 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8575 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8576 ssh2_pkt_addstring(s->pktout, "x11-req");
8577 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8578 ssh2_pkt_addbool(s->pktout, 0); /* many connections */
8579 ssh2_pkt_addstring(s->pktout, ssh->x11disp->remoteauthprotoname);
8580 /*
8581 * Note that while we blank the X authentication data here, we don't
8582 * take any special action to blank the start of an X11 channel,
8583 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
8584 * without having session blanking enabled is likely to leak your
8585 * cookie into the log.
8586 */
8587 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
8588 ssh2_pkt_addstring(s->pktout, ssh->x11disp->remoteauthdatastring);
8589 end_log_omission(ssh, s->pktout);
8590 ssh2_pkt_adduint32(s->pktout, ssh->x11disp->screennum);
8591 ssh2_pkt_send(ssh, s->pktout);
8592
8593 crWaitUntilV(pktin);
8594
8595 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8596 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8597 bombout(("Unexpected response to X11 forwarding request:"
8598 " packet type %d", pktin->type));
8599 crStopV;
8600 }
8601 logevent("X11 forwarding refused");
8602 } else {
8603 logevent("X11 forwarding enabled");
8604 ssh->X11_fwd_enabled = TRUE;
8605 }
8606 }
8607
8608 /*
8609 * Enable port forwardings.
8610 */
8611 ssh_setup_portfwd(ssh, &ssh->cfg);
8612
8613 /*
8614 * Potentially enable agent forwarding.
8615 */
8616 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.agentfwd && agent_exists()) {
8617 logevent("Requesting OpenSSH-style agent forwarding");
8618 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8619 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8620 ssh2_pkt_addstring(s->pktout, "auth-agent-req@openssh.com");
8621 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8622 ssh2_pkt_send(ssh, s->pktout);
8623
8624 crWaitUntilV(pktin);
8625
8626 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8627 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8628 bombout(("Unexpected response to agent forwarding request:"
8629 " packet type %d", pktin->type));
8630 crStopV;
8631 }
8632 logevent("Agent forwarding refused");
8633 } else {
8634 logevent("Agent forwarding enabled");
8635 ssh->agentfwd_enabled = TRUE;
8636 }
8637 }
8638
8639 /*
8640 * Now allocate a pty for the session.
8641 */
8642 if (ssh->mainchan && !ssh->ncmode && !ssh->cfg.nopty) {
8643 /* Unpick the terminal-speed string. */
8644 /* XXX perhaps we should allow no speeds to be sent. */
8645 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
8646 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
8647 /* Build the pty request. */
8648 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8649 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
8650 ssh2_pkt_addstring(s->pktout, "pty-req");
8651 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8652 ssh2_pkt_addstring(s->pktout, ssh->cfg.termtype);
8653 ssh2_pkt_adduint32(s->pktout, ssh->term_width);
8654 ssh2_pkt_adduint32(s->pktout, ssh->term_height);
8655 ssh2_pkt_adduint32(s->pktout, 0); /* pixel width */
8656 ssh2_pkt_adduint32(s->pktout, 0); /* pixel height */
8657 ssh2_pkt_addstring_start(s->pktout);
8658 parse_ttymodes(ssh, ssh->cfg.ttymodes,
8659 ssh2_send_ttymode, (void *)s->pktout);
8660 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_ISPEED);
8661 ssh2_pkt_adduint32(s->pktout, ssh->ispeed);
8662 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_OSPEED);
8663 ssh2_pkt_adduint32(s->pktout, ssh->ospeed);
8664 ssh2_pkt_addstring_data(s->pktout, "\0", 1); /* TTY_OP_END */
8665 ssh2_pkt_send(ssh, s->pktout);
8666 ssh->state = SSH_STATE_INTERMED;
8667
8668 crWaitUntilV(pktin);
8669
8670 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8671 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8672 bombout(("Unexpected response to pty request:"
8673 " packet type %d", pktin->type));
8674 crStopV;
8675 }
8676 c_write_str(ssh, "Server refused to allocate pty\r\n");
8677 ssh->editing = ssh->echoing = 1;
8678 } else {
8679 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
8680 ssh->ospeed, ssh->ispeed);
8681 }
8682 } else {
8683 ssh->editing = ssh->echoing = 1;
8684 }
8685
8686 /*
8687 * Send environment variables.
8688 *
8689 * Simplest thing here is to send all the requests at once, and
8690 * then wait for a whole bunch of successes or failures.
8691 */
8692 if (ssh->mainchan && !ssh->ncmode && *ssh->cfg.environmt) {
8693 char *e = ssh->cfg.environmt;
8694 char *var, *varend, *val;
8695
8696 s->num_env = 0;
8697
8698 while (*e) {
8699 var = e;
8700 while (*e && *e != '\t') e++;
8701 varend = e;
8702 if (*e == '\t') e++;
8703 val = e;
8704 while (*e) e++;
8705 e++;
8706
8707 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8708 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8709 ssh2_pkt_addstring(s->pktout, "env");
8710 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8711 ssh2_pkt_addstring_start(s->pktout);
8712 ssh2_pkt_addstring_data(s->pktout, var, varend-var);
8713 ssh2_pkt_addstring(s->pktout, val);
8714 ssh2_pkt_send(ssh, s->pktout);
8715
8716 s->num_env++;
8717 }
8718
8719 logeventf(ssh, "Sent %d environment variables", s->num_env);
8720
8721 s->env_ok = 0;
8722 s->env_left = s->num_env;
8723
8724 while (s->env_left > 0) {
8725 crWaitUntilV(pktin);
8726
8727 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8728 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8729 bombout(("Unexpected response to environment request:"
8730 " packet type %d", pktin->type));
8731 crStopV;
8732 }
8733 } else {
8734 s->env_ok++;
8735 }
8736
8737 s->env_left--;
8738 }
8739
8740 if (s->env_ok == s->num_env) {
8741 logevent("All environment variables successfully set");
8742 } else if (s->env_ok == 0) {
8743 logevent("All environment variables refused");
8744 c_write_str(ssh, "Server refused to set environment variables\r\n");
8745 } else {
8746 logeventf(ssh, "%d environment variables refused",
8747 s->num_env - s->env_ok);
8748 c_write_str(ssh, "Server refused to set all environment variables\r\n");
8749 }
8750 }
8751
8752 /*
8753 * Start a shell or a remote command. We may have to attempt
8754 * this twice if the config data has provided a second choice
8755 * of command.
8756 */
8757 if (ssh->mainchan && !ssh->ncmode) while (1) {
8758 int subsys;
8759 char *cmd;
8760
8761 if (ssh->fallback_cmd) {
8762 subsys = ssh->cfg.ssh_subsys2;
8763 cmd = ssh->cfg.remote_cmd_ptr2;
8764 } else {
8765 subsys = ssh->cfg.ssh_subsys;
8766 cmd = ssh->cfg.remote_cmd_ptr;
8767 if (!cmd) cmd = ssh->cfg.remote_cmd;
8768 }
8769
8770 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8771 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
8772 if (subsys) {
8773 ssh2_pkt_addstring(s->pktout, "subsystem");
8774 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8775 ssh2_pkt_addstring(s->pktout, cmd);
8776 } else if (*cmd) {
8777 ssh2_pkt_addstring(s->pktout, "exec");
8778 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8779 ssh2_pkt_addstring(s->pktout, cmd);
8780 } else {
8781 ssh2_pkt_addstring(s->pktout, "shell");
8782 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8783 }
8784 ssh2_pkt_send(ssh, s->pktout);
8785
8786 crWaitUntilV(pktin);
8787
8788 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8789 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8790 bombout(("Unexpected response to shell/command request:"
8791 " packet type %d", pktin->type));
8792 crStopV;
8793 }
8794 /*
8795 * We failed to start the command. If this is the
8796 * fallback command, we really are finished; if it's
8797 * not, and if the fallback command exists, try falling
8798 * back to it before complaining.
8799 */
8800 if (!ssh->fallback_cmd && ssh->cfg.remote_cmd_ptr2 != NULL) {
8801 logevent("Primary command failed; attempting fallback");
8802 ssh->fallback_cmd = TRUE;
8803 continue;
8804 }
8805 bombout(("Server refused to start a shell/command"));
8806 crStopV;
8807 } else {
8808 logevent("Started a shell/command");
8809 }
8810 break;
8811 }
8812
8813 ssh->state = SSH_STATE_SESSION;
8814 if (ssh->size_needed)
8815 ssh_size(ssh, ssh->term_width, ssh->term_height);
8816 if (ssh->eof_needed)
8817 ssh_special(ssh, TS_EOF);
8818
8819 /*
8820 * All the initial channel requests are done, so install the default
8821 * failure handler.
8822 */
8823 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = ssh2_msg_channel_success;
8824 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = ssh2_msg_channel_failure;
8825
8826 /*
8827 * Transfer data!
8828 */
8829 if (ssh->ldisc)
8830 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
8831 if (ssh->mainchan)
8832 ssh->send_ok = 1;
8833 while (1) {
8834 crReturnV;
8835 s->try_send = FALSE;
8836 if (pktin) {
8837
8838 /*
8839 * _All_ the connection-layer packets we expect to
8840 * receive are now handled by the dispatch table.
8841 * Anything that reaches here must be bogus.
8842 */
8843
8844 bombout(("Strange packet received: type %d", pktin->type));
8845 crStopV;
8846 } else if (ssh->mainchan) {
8847 /*
8848 * We have spare data. Add it to the channel buffer.
8849 */
8850 ssh2_add_channel_data(ssh->mainchan, (char *)in, inlen);
8851 s->try_send = TRUE;
8852 }
8853 if (s->try_send) {
8854 int i;
8855 struct ssh_channel *c;
8856 /*
8857 * Try to send data on all channels if we can.
8858 */
8859 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++)
8860 ssh2_try_send_and_unthrottle(c);
8861 }
8862 }
8863
8864 crFinishV;
8865 }
8866
8867 /*
8868 * Handlers for SSH-2 messages that might arrive at any moment.
8869 */
8870 static void ssh2_msg_disconnect(Ssh ssh, struct Packet *pktin)
8871 {
8872 /* log reason code in disconnect message */
8873 char *buf, *msg;
8874 int reason, msglen;
8875
8876 reason = ssh_pkt_getuint32(pktin);
8877 ssh_pkt_getstring(pktin, &msg, &msglen);
8878
8879 if (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) {
8880 buf = dupprintf("Received disconnect message (%s)",
8881 ssh2_disconnect_reasons[reason]);
8882 } else {
8883 buf = dupprintf("Received disconnect message (unknown"
8884 " type %d)", reason);
8885 }
8886 logevent(buf);
8887 sfree(buf);
8888 buf = dupprintf("Disconnection message text: %.*s",
8889 msglen, msg);
8890 logevent(buf);
8891 bombout(("Server sent disconnect message\ntype %d (%s):\n\"%.*s\"",
8892 reason,
8893 (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
8894 ssh2_disconnect_reasons[reason] : "unknown",
8895 msglen, msg));
8896 sfree(buf);
8897 }
8898
8899 static void ssh2_msg_debug(Ssh ssh, struct Packet *pktin)
8900 {
8901 /* log the debug message */
8902 char *msg;
8903 int msglen;
8904 int always_display;
8905
8906 /* XXX maybe we should actually take notice of this */
8907 always_display = ssh2_pkt_getbool(pktin);
8908 ssh_pkt_getstring(pktin, &msg, &msglen);
8909
8910 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
8911 }
8912
8913 static void ssh2_msg_something_unimplemented(Ssh ssh, struct Packet *pktin)
8914 {
8915 struct Packet *pktout;
8916 pktout = ssh2_pkt_init(SSH2_MSG_UNIMPLEMENTED);
8917 ssh2_pkt_adduint32(pktout, pktin->sequence);
8918 /*
8919 * UNIMPLEMENTED messages MUST appear in the same order as the
8920 * messages they respond to. Hence, never queue them.
8921 */
8922 ssh2_pkt_send_noqueue(ssh, pktout);
8923 }
8924
8925 /*
8926 * Handle the top-level SSH-2 protocol.
8927 */
8928 static void ssh2_protocol_setup(Ssh ssh)
8929 {
8930 int i;
8931
8932 /*
8933 * Most messages cause SSH2_MSG_UNIMPLEMENTED.
8934 */
8935 for (i = 0; i < 256; i++)
8936 ssh->packet_dispatch[i] = ssh2_msg_something_unimplemented;
8937
8938 /*
8939 * Any message we actually understand, we set to NULL so that
8940 * the coroutines will get it.
8941 */
8942 ssh->packet_dispatch[SSH2_MSG_UNIMPLEMENTED] = NULL;
8943 ssh->packet_dispatch[SSH2_MSG_SERVICE_REQUEST] = NULL;
8944 ssh->packet_dispatch[SSH2_MSG_SERVICE_ACCEPT] = NULL;
8945 ssh->packet_dispatch[SSH2_MSG_KEXINIT] = NULL;
8946 ssh->packet_dispatch[SSH2_MSG_NEWKEYS] = NULL;
8947 ssh->packet_dispatch[SSH2_MSG_KEXDH_INIT] = NULL;
8948 ssh->packet_dispatch[SSH2_MSG_KEXDH_REPLY] = NULL;
8949 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REQUEST] = NULL; duplicate case value */
8950 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_GROUP] = NULL; duplicate case value */
8951 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_INIT] = NULL;
8952 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REPLY] = NULL;
8953 ssh->packet_dispatch[SSH2_MSG_USERAUTH_REQUEST] = NULL;
8954 ssh->packet_dispatch[SSH2_MSG_USERAUTH_FAILURE] = NULL;
8955 ssh->packet_dispatch[SSH2_MSG_USERAUTH_SUCCESS] = NULL;
8956 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
8957 ssh->packet_dispatch[SSH2_MSG_USERAUTH_PK_OK] = NULL;
8958 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ] = NULL; duplicate case value */
8959 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_REQUEST] = NULL; duplicate case value */
8960 ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_RESPONSE] = NULL;
8961 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] = NULL;
8962 ssh->packet_dispatch[SSH2_MSG_REQUEST_SUCCESS] = NULL;
8963 ssh->packet_dispatch[SSH2_MSG_REQUEST_FAILURE] = NULL;
8964 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] = NULL;
8965 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] = NULL;
8966 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] = NULL;
8967 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] = NULL;
8968 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] = NULL;
8969 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] = NULL;
8970 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = NULL;
8971 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = NULL;
8972 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] = NULL;
8973 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = NULL;
8974 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = NULL;
8975
8976 /*
8977 * These special message types we install handlers for.
8978 */
8979 ssh->packet_dispatch[SSH2_MSG_DISCONNECT] = ssh2_msg_disconnect;
8980 ssh->packet_dispatch[SSH2_MSG_IGNORE] = ssh_msg_ignore; /* shared with SSH-1 */
8981 ssh->packet_dispatch[SSH2_MSG_DEBUG] = ssh2_msg_debug;
8982 }
8983
8984 static void ssh2_timer(void *ctx, long now)
8985 {
8986 Ssh ssh = (Ssh)ctx;
8987
8988 if (ssh->state == SSH_STATE_CLOSED)
8989 return;
8990
8991 if (!ssh->kex_in_progress && ssh->cfg.ssh_rekey_time != 0 &&
8992 now - ssh->next_rekey >= 0) {
8993 do_ssh2_transport(ssh, "timeout", -1, NULL);
8994 }
8995 }
8996
8997 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
8998 struct Packet *pktin)
8999 {
9000 unsigned char *in = (unsigned char *)vin;
9001 if (ssh->state == SSH_STATE_CLOSED)
9002 return;
9003
9004 if (pktin) {
9005 ssh->incoming_data_size += pktin->encrypted_len;
9006 if (!ssh->kex_in_progress &&
9007 ssh->max_data_size != 0 &&
9008 ssh->incoming_data_size > ssh->max_data_size)
9009 do_ssh2_transport(ssh, "too much data received", -1, NULL);
9010 }
9011
9012 if (pktin && ssh->packet_dispatch[pktin->type]) {
9013 ssh->packet_dispatch[pktin->type](ssh, pktin);
9014 return;
9015 }
9016
9017 if (!ssh->protocol_initial_phase_done ||
9018 (pktin && pktin->type >= 20 && pktin->type < 50)) {
9019 if (do_ssh2_transport(ssh, in, inlen, pktin) &&
9020 !ssh->protocol_initial_phase_done) {
9021 ssh->protocol_initial_phase_done = TRUE;
9022 /*
9023 * Allow authconn to initialise itself.
9024 */
9025 do_ssh2_authconn(ssh, NULL, 0, NULL);
9026 }
9027 } else {
9028 do_ssh2_authconn(ssh, in, inlen, pktin);
9029 }
9030 }
9031
9032 /*
9033 * Called to set up the connection.
9034 *
9035 * Returns an error message, or NULL on success.
9036 */
9037 static const char *ssh_init(void *frontend_handle, void **backend_handle,
9038 Config *cfg,
9039 char *host, int port, char **realhost, int nodelay,
9040 int keepalive)
9041 {
9042 const char *p;
9043 Ssh ssh;
9044
9045 ssh = snew(struct ssh_tag);
9046 ssh->cfg = *cfg; /* STRUCTURE COPY */
9047 ssh->version = 0; /* when not ready yet */
9048 ssh->s = NULL;
9049 ssh->cipher = NULL;
9050 ssh->v1_cipher_ctx = NULL;
9051 ssh->crcda_ctx = NULL;
9052 ssh->cscipher = NULL;
9053 ssh->cs_cipher_ctx = NULL;
9054 ssh->sccipher = NULL;
9055 ssh->sc_cipher_ctx = NULL;
9056 ssh->csmac = NULL;
9057 ssh->cs_mac_ctx = NULL;
9058 ssh->scmac = NULL;
9059 ssh->sc_mac_ctx = NULL;
9060 ssh->cscomp = NULL;
9061 ssh->cs_comp_ctx = NULL;
9062 ssh->sccomp = NULL;
9063 ssh->sc_comp_ctx = NULL;
9064 ssh->kex = NULL;
9065 ssh->kex_ctx = NULL;
9066 ssh->hostkey = NULL;
9067 ssh->exitcode = -1;
9068 ssh->close_expected = FALSE;
9069 ssh->clean_exit = FALSE;
9070 ssh->state = SSH_STATE_PREPACKET;
9071 ssh->size_needed = FALSE;
9072 ssh->eof_needed = FALSE;
9073 ssh->ldisc = NULL;
9074 ssh->logctx = NULL;
9075 ssh->deferred_send_data = NULL;
9076 ssh->deferred_len = 0;
9077 ssh->deferred_size = 0;
9078 ssh->fallback_cmd = 0;
9079 ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
9080 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
9081 ssh->x11disp = NULL;
9082 ssh->v1_compressing = FALSE;
9083 ssh->v2_outgoing_sequence = 0;
9084 ssh->ssh1_rdpkt_crstate = 0;
9085 ssh->ssh2_rdpkt_crstate = 0;
9086 ssh->do_ssh_init_crstate = 0;
9087 ssh->ssh_gotdata_crstate = 0;
9088 ssh->do_ssh1_connection_crstate = 0;
9089 ssh->do_ssh1_login_crstate = 0;
9090 ssh->do_ssh2_transport_crstate = 0;
9091 ssh->do_ssh2_authconn_crstate = 0;
9092 ssh->do_ssh_init_state = NULL;
9093 ssh->do_ssh1_login_state = NULL;
9094 ssh->do_ssh2_transport_state = NULL;
9095 ssh->do_ssh2_authconn_state = NULL;
9096 ssh->v_c = NULL;
9097 ssh->v_s = NULL;
9098 ssh->mainchan = NULL;
9099 ssh->throttled_all = 0;
9100 ssh->v1_stdout_throttling = 0;
9101 ssh->queue = NULL;
9102 ssh->queuelen = ssh->queuesize = 0;
9103 ssh->queueing = FALSE;
9104 ssh->qhead = ssh->qtail = NULL;
9105 ssh->deferred_rekey_reason = NULL;
9106 bufchain_init(&ssh->queued_incoming_data);
9107 ssh->frozen = FALSE;
9108
9109 *backend_handle = ssh;
9110
9111 #ifdef MSCRYPTOAPI
9112 if (crypto_startup() == 0)
9113 return "Microsoft high encryption pack not installed!";
9114 #endif
9115
9116 ssh->frontend = frontend_handle;
9117 ssh->term_width = ssh->cfg.width;
9118 ssh->term_height = ssh->cfg.height;
9119
9120 ssh->channels = NULL;
9121 ssh->rportfwds = NULL;
9122 ssh->portfwds = NULL;
9123
9124 ssh->send_ok = 0;
9125 ssh->editing = 0;
9126 ssh->echoing = 0;
9127 ssh->conn_throttle_count = 0;
9128 ssh->overall_bufsize = 0;
9129 ssh->fallback_cmd = 0;
9130
9131 ssh->protocol = NULL;
9132
9133 ssh->protocol_initial_phase_done = FALSE;
9134
9135 ssh->pinger = NULL;
9136
9137 ssh->incoming_data_size = ssh->outgoing_data_size =
9138 ssh->deferred_data_size = 0L;
9139 ssh->max_data_size = parse_blocksize(ssh->cfg.ssh_rekey_data);
9140 ssh->kex_in_progress = FALSE;
9141
9142 p = connect_to_host(ssh, host, port, realhost, nodelay, keepalive);
9143 if (p != NULL)
9144 return p;
9145
9146 random_ref();
9147
9148 return NULL;
9149 }
9150
9151 static void ssh_free(void *handle)
9152 {
9153 Ssh ssh = (Ssh) handle;
9154 struct ssh_channel *c;
9155 struct ssh_rportfwd *pf;
9156
9157 if (ssh->v1_cipher_ctx)
9158 ssh->cipher->free_context(ssh->v1_cipher_ctx);
9159 if (ssh->cs_cipher_ctx)
9160 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
9161 if (ssh->sc_cipher_ctx)
9162 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
9163 if (ssh->cs_mac_ctx)
9164 ssh->csmac->free_context(ssh->cs_mac_ctx);
9165 if (ssh->sc_mac_ctx)
9166 ssh->scmac->free_context(ssh->sc_mac_ctx);
9167 if (ssh->cs_comp_ctx) {
9168 if (ssh->cscomp)
9169 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
9170 else
9171 zlib_compress_cleanup(ssh->cs_comp_ctx);
9172 }
9173 if (ssh->sc_comp_ctx) {
9174 if (ssh->sccomp)
9175 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
9176 else
9177 zlib_decompress_cleanup(ssh->sc_comp_ctx);
9178 }
9179 if (ssh->kex_ctx)
9180 dh_cleanup(ssh->kex_ctx);
9181 sfree(ssh->savedhost);
9182
9183 while (ssh->queuelen-- > 0)
9184 ssh_free_packet(ssh->queue[ssh->queuelen]);
9185 sfree(ssh->queue);
9186
9187 while (ssh->qhead) {
9188 struct queued_handler *qh = ssh->qhead;
9189 ssh->qhead = qh->next;
9190 sfree(ssh->qhead);
9191 }
9192 ssh->qhead = ssh->qtail = NULL;
9193
9194 if (ssh->channels) {
9195 while ((c = delpos234(ssh->channels, 0)) != NULL) {
9196 switch (c->type) {
9197 case CHAN_X11:
9198 if (c->u.x11.s != NULL)
9199 x11_close(c->u.x11.s);
9200 break;
9201 case CHAN_SOCKDATA:
9202 if (c->u.pfd.s != NULL)
9203 pfd_close(c->u.pfd.s);
9204 break;
9205 }
9206 sfree(c);
9207 }
9208 freetree234(ssh->channels);
9209 ssh->channels = NULL;
9210 }
9211
9212 if (ssh->rportfwds) {
9213 while ((pf = delpos234(ssh->rportfwds, 0)) != NULL)
9214 sfree(pf);
9215 freetree234(ssh->rportfwds);
9216 ssh->rportfwds = NULL;
9217 }
9218 sfree(ssh->deferred_send_data);
9219 if (ssh->x11disp)
9220 x11_free_display(ssh->x11disp);
9221 sfree(ssh->do_ssh_init_state);
9222 sfree(ssh->do_ssh1_login_state);
9223 sfree(ssh->do_ssh2_transport_state);
9224 sfree(ssh->do_ssh2_authconn_state);
9225 sfree(ssh->v_c);
9226 sfree(ssh->v_s);
9227 sfree(ssh->fullhostname);
9228 if (ssh->crcda_ctx) {
9229 crcda_free_context(ssh->crcda_ctx);
9230 ssh->crcda_ctx = NULL;
9231 }
9232 if (ssh->s)
9233 ssh_do_close(ssh, TRUE);
9234 expire_timer_context(ssh);
9235 if (ssh->pinger)
9236 pinger_free(ssh->pinger);
9237 bufchain_clear(&ssh->queued_incoming_data);
9238 sfree(ssh);
9239
9240 random_unref();
9241 }
9242
9243 /*
9244 * Reconfigure the SSH backend.
9245 */
9246 static void ssh_reconfig(void *handle, Config *cfg)
9247 {
9248 Ssh ssh = (Ssh) handle;
9249 char *rekeying = NULL, rekey_mandatory = FALSE;
9250 unsigned long old_max_data_size;
9251
9252 pinger_reconfig(ssh->pinger, &ssh->cfg, cfg);
9253 if (ssh->portfwds)
9254 ssh_setup_portfwd(ssh, cfg);
9255
9256 if (ssh->cfg.ssh_rekey_time != cfg->ssh_rekey_time &&
9257 cfg->ssh_rekey_time != 0) {
9258 long new_next = ssh->last_rekey + cfg->ssh_rekey_time*60*TICKSPERSEC;
9259 long now = GETTICKCOUNT();
9260
9261 if (new_next - now < 0) {
9262 rekeying = "timeout shortened";
9263 } else {
9264 ssh->next_rekey = schedule_timer(new_next - now, ssh2_timer, ssh);
9265 }
9266 }
9267
9268 old_max_data_size = ssh->max_data_size;
9269 ssh->max_data_size = parse_blocksize(cfg->ssh_rekey_data);
9270 if (old_max_data_size != ssh->max_data_size &&
9271 ssh->max_data_size != 0) {
9272 if (ssh->outgoing_data_size > ssh->max_data_size ||
9273 ssh->incoming_data_size > ssh->max_data_size)
9274 rekeying = "data limit lowered";
9275 }
9276
9277 if (ssh->cfg.compression != cfg->compression) {
9278 rekeying = "compression setting changed";
9279 rekey_mandatory = TRUE;
9280 }
9281
9282 if (ssh->cfg.ssh2_des_cbc != cfg->ssh2_des_cbc ||
9283 memcmp(ssh->cfg.ssh_cipherlist, cfg->ssh_cipherlist,
9284 sizeof(ssh->cfg.ssh_cipherlist))) {
9285 rekeying = "cipher settings changed";
9286 rekey_mandatory = TRUE;
9287 }
9288
9289 ssh->cfg = *cfg; /* STRUCTURE COPY */
9290
9291 if (rekeying) {
9292 if (!ssh->kex_in_progress) {
9293 do_ssh2_transport(ssh, rekeying, -1, NULL);
9294 } else if (rekey_mandatory) {
9295 ssh->deferred_rekey_reason = rekeying;
9296 }
9297 }
9298 }
9299
9300 /*
9301 * Called to send data down the SSH connection.
9302 */
9303 static int ssh_send(void *handle, char *buf, int len)
9304 {
9305 Ssh ssh = (Ssh) handle;
9306
9307 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
9308 return 0;
9309
9310 ssh->protocol(ssh, (unsigned char *)buf, len, 0);
9311
9312 return ssh_sendbuffer(ssh);
9313 }
9314
9315 /*
9316 * Called to query the current amount of buffered stdin data.
9317 */
9318 static int ssh_sendbuffer(void *handle)
9319 {
9320 Ssh ssh = (Ssh) handle;
9321 int override_value;
9322
9323 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
9324 return 0;
9325
9326 /*
9327 * If the SSH socket itself has backed up, add the total backup
9328 * size on that to any individual buffer on the stdin channel.
9329 */
9330 override_value = 0;
9331 if (ssh->throttled_all)
9332 override_value = ssh->overall_bufsize;
9333
9334 if (ssh->version == 1) {
9335 return override_value;
9336 } else if (ssh->version == 2) {
9337 if (!ssh->mainchan || ssh->mainchan->closes > 0)
9338 return override_value;
9339 else
9340 return (override_value +
9341 bufchain_size(&ssh->mainchan->v.v2.outbuffer));
9342 }
9343
9344 return 0;
9345 }
9346
9347 /*
9348 * Called to set the size of the window from SSH's POV.
9349 */
9350 static void ssh_size(void *handle, int width, int height)
9351 {
9352 Ssh ssh = (Ssh) handle;
9353 struct Packet *pktout;
9354
9355 ssh->term_width = width;
9356 ssh->term_height = height;
9357
9358 switch (ssh->state) {
9359 case SSH_STATE_BEFORE_SIZE:
9360 case SSH_STATE_PREPACKET:
9361 case SSH_STATE_CLOSED:
9362 break; /* do nothing */
9363 case SSH_STATE_INTERMED:
9364 ssh->size_needed = TRUE; /* buffer for later */
9365 break;
9366 case SSH_STATE_SESSION:
9367 if (!ssh->cfg.nopty) {
9368 if (ssh->version == 1) {
9369 send_packet(ssh, SSH1_CMSG_WINDOW_SIZE,
9370 PKT_INT, ssh->term_height,
9371 PKT_INT, ssh->term_width,
9372 PKT_INT, 0, PKT_INT, 0, PKT_END);
9373 } else if (ssh->mainchan) {
9374 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9375 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9376 ssh2_pkt_addstring(pktout, "window-change");
9377 ssh2_pkt_addbool(pktout, 0);
9378 ssh2_pkt_adduint32(pktout, ssh->term_width);
9379 ssh2_pkt_adduint32(pktout, ssh->term_height);
9380 ssh2_pkt_adduint32(pktout, 0);
9381 ssh2_pkt_adduint32(pktout, 0);
9382 ssh2_pkt_send(ssh, pktout);
9383 }
9384 }
9385 break;
9386 }
9387 }
9388
9389 /*
9390 * Return a list of the special codes that make sense in this
9391 * protocol.
9392 */
9393 static const struct telnet_special *ssh_get_specials(void *handle)
9394 {
9395 static const struct telnet_special ssh1_ignore_special[] = {
9396 {"IGNORE message", TS_NOP}
9397 };
9398 static const struct telnet_special ssh2_transport_specials[] = {
9399 {"IGNORE message", TS_NOP},
9400 {"Repeat key exchange", TS_REKEY},
9401 };
9402 static const struct telnet_special ssh2_session_specials[] = {
9403 {NULL, TS_SEP},
9404 {"Break", TS_BRK},
9405 /* These are the signal names defined by RFC 4254.
9406 * They include all the ISO C signals, but are a subset of the POSIX
9407 * required signals. */
9408 {"SIGINT (Interrupt)", TS_SIGINT},
9409 {"SIGTERM (Terminate)", TS_SIGTERM},
9410 {"SIGKILL (Kill)", TS_SIGKILL},
9411 {"SIGQUIT (Quit)", TS_SIGQUIT},
9412 {"SIGHUP (Hangup)", TS_SIGHUP},
9413 {"More signals", TS_SUBMENU},
9414 {"SIGABRT", TS_SIGABRT}, {"SIGALRM", TS_SIGALRM},
9415 {"SIGFPE", TS_SIGFPE}, {"SIGILL", TS_SIGILL},
9416 {"SIGPIPE", TS_SIGPIPE}, {"SIGSEGV", TS_SIGSEGV},
9417 {"SIGUSR1", TS_SIGUSR1}, {"SIGUSR2", TS_SIGUSR2},
9418 {NULL, TS_EXITMENU}
9419 };
9420 static const struct telnet_special specials_end[] = {
9421 {NULL, TS_EXITMENU}
9422 };
9423 /* XXX review this length for any changes: */
9424 static struct telnet_special ssh_specials[lenof(ssh2_transport_specials) +
9425 lenof(ssh2_session_specials) +
9426 lenof(specials_end)];
9427 Ssh ssh = (Ssh) handle;
9428 int i = 0;
9429 #define ADD_SPECIALS(name) \
9430 do { \
9431 assert((i + lenof(name)) <= lenof(ssh_specials)); \
9432 memcpy(&ssh_specials[i], name, sizeof name); \
9433 i += lenof(name); \
9434 } while(0)
9435
9436 if (ssh->version == 1) {
9437 /* Don't bother offering IGNORE if we've decided the remote
9438 * won't cope with it, since we wouldn't bother sending it if
9439 * asked anyway. */
9440 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
9441 ADD_SPECIALS(ssh1_ignore_special);
9442 } else if (ssh->version == 2) {
9443 ADD_SPECIALS(ssh2_transport_specials);
9444 if (ssh->mainchan)
9445 ADD_SPECIALS(ssh2_session_specials);
9446 } /* else we're not ready yet */
9447
9448 if (i) {
9449 ADD_SPECIALS(specials_end);
9450 return ssh_specials;
9451 } else {
9452 return NULL;
9453 }
9454 #undef ADD_SPECIALS
9455 }
9456
9457 /*
9458 * Send special codes. TS_EOF is useful for `plink', so you
9459 * can send an EOF and collect resulting output (e.g. `plink
9460 * hostname sort').
9461 */
9462 static void ssh_special(void *handle, Telnet_Special code)
9463 {
9464 Ssh ssh = (Ssh) handle;
9465 struct Packet *pktout;
9466
9467 if (code == TS_EOF) {
9468 if (ssh->state != SSH_STATE_SESSION) {
9469 /*
9470 * Buffer the EOF in case we are pre-SESSION, so we can
9471 * send it as soon as we reach SESSION.
9472 */
9473 if (code == TS_EOF)
9474 ssh->eof_needed = TRUE;
9475 return;
9476 }
9477 if (ssh->version == 1) {
9478 send_packet(ssh, SSH1_CMSG_EOF, PKT_END);
9479 } else if (ssh->mainchan) {
9480 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_EOF);
9481 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9482 ssh2_pkt_send(ssh, pktout);
9483 ssh->send_ok = 0; /* now stop trying to read from stdin */
9484 }
9485 logevent("Sent EOF message");
9486 } else if (code == TS_PING || code == TS_NOP) {
9487 if (ssh->state == SSH_STATE_CLOSED
9488 || ssh->state == SSH_STATE_PREPACKET) return;
9489 if (ssh->version == 1) {
9490 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
9491 send_packet(ssh, SSH1_MSG_IGNORE, PKT_STR, "", PKT_END);
9492 } else {
9493 pktout = ssh2_pkt_init(SSH2_MSG_IGNORE);
9494 ssh2_pkt_addstring_start(pktout);
9495 ssh2_pkt_send_noqueue(ssh, pktout);
9496 }
9497 } else if (code == TS_REKEY) {
9498 if (!ssh->kex_in_progress && ssh->version == 2) {
9499 do_ssh2_transport(ssh, "at user request", -1, NULL);
9500 }
9501 } else if (code == TS_BRK) {
9502 if (ssh->state == SSH_STATE_CLOSED
9503 || ssh->state == SSH_STATE_PREPACKET) return;
9504 if (ssh->version == 1) {
9505 logevent("Unable to send BREAK signal in SSH-1");
9506 } else if (ssh->mainchan) {
9507 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9508 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9509 ssh2_pkt_addstring(pktout, "break");
9510 ssh2_pkt_addbool(pktout, 0);
9511 ssh2_pkt_adduint32(pktout, 0); /* default break length */
9512 ssh2_pkt_send(ssh, pktout);
9513 }
9514 } else {
9515 /* Is is a POSIX signal? */
9516 char *signame = NULL;
9517 if (code == TS_SIGABRT) signame = "ABRT";
9518 if (code == TS_SIGALRM) signame = "ALRM";
9519 if (code == TS_SIGFPE) signame = "FPE";
9520 if (code == TS_SIGHUP) signame = "HUP";
9521 if (code == TS_SIGILL) signame = "ILL";
9522 if (code == TS_SIGINT) signame = "INT";
9523 if (code == TS_SIGKILL) signame = "KILL";
9524 if (code == TS_SIGPIPE) signame = "PIPE";
9525 if (code == TS_SIGQUIT) signame = "QUIT";
9526 if (code == TS_SIGSEGV) signame = "SEGV";
9527 if (code == TS_SIGTERM) signame = "TERM";
9528 if (code == TS_SIGUSR1) signame = "USR1";
9529 if (code == TS_SIGUSR2) signame = "USR2";
9530 /* The SSH-2 protocol does in principle support arbitrary named
9531 * signals, including signame@domain, but we don't support those. */
9532 if (signame) {
9533 /* It's a signal. */
9534 if (ssh->version == 2 && ssh->mainchan) {
9535 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9536 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9537 ssh2_pkt_addstring(pktout, "signal");
9538 ssh2_pkt_addbool(pktout, 0);
9539 ssh2_pkt_addstring(pktout, signame);
9540 ssh2_pkt_send(ssh, pktout);
9541 logeventf(ssh, "Sent signal SIG%s", signame);
9542 }
9543 } else {
9544 /* Never heard of it. Do nothing */
9545 }
9546 }
9547 }
9548
9549 void *new_sock_channel(void *handle, Socket s)
9550 {
9551 Ssh ssh = (Ssh) handle;
9552 struct ssh_channel *c;
9553 c = snew(struct ssh_channel);
9554
9555 c->ssh = ssh;
9556 ssh2_channel_init(c);
9557 c->halfopen = TRUE;
9558 c->type = CHAN_SOCKDATA_DORMANT;/* identify channel type */
9559 c->u.pfd.s = s;
9560 add234(ssh->channels, c);
9561 return c;
9562 }
9563
9564 /*
9565 * This is called when stdout/stderr (the entity to which
9566 * from_backend sends data) manages to clear some backlog.
9567 */
9568 static void ssh_unthrottle(void *handle, int bufsize)
9569 {
9570 Ssh ssh = (Ssh) handle;
9571 int buflimit;
9572
9573 if (ssh->version == 1) {
9574 if (ssh->v1_stdout_throttling && bufsize < SSH1_BUFFER_LIMIT) {
9575 ssh->v1_stdout_throttling = 0;
9576 ssh_throttle_conn(ssh, -1);
9577 }
9578 } else {
9579 if (ssh->mainchan) {
9580 ssh2_set_window(ssh->mainchan,
9581 bufsize < ssh->mainchan->v.v2.locmaxwin ?
9582 ssh->mainchan->v.v2.locmaxwin - bufsize : 0);
9583 if (ssh->cfg.ssh_simple)
9584 buflimit = 0;
9585 else
9586 buflimit = ssh->mainchan->v.v2.locmaxwin;
9587 if (ssh->mainchan->throttling_conn && bufsize <= buflimit) {
9588 ssh->mainchan->throttling_conn = 0;
9589 ssh_throttle_conn(ssh, -1);
9590 }
9591 }
9592 }
9593 }
9594
9595 void ssh_send_port_open(void *channel, char *hostname, int port, char *org)
9596 {
9597 struct ssh_channel *c = (struct ssh_channel *)channel;
9598 Ssh ssh = c->ssh;
9599 struct Packet *pktout;
9600
9601 logeventf(ssh, "Opening forwarded connection to %s:%d", hostname, port);
9602
9603 if (ssh->version == 1) {
9604 send_packet(ssh, SSH1_MSG_PORT_OPEN,
9605 PKT_INT, c->localid,
9606 PKT_STR, hostname,
9607 PKT_INT, port,
9608 /* PKT_STR, <org:orgport>, */
9609 PKT_END);
9610 } else {
9611 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
9612 ssh2_pkt_addstring(pktout, "direct-tcpip");
9613 ssh2_pkt_adduint32(pktout, c->localid);
9614 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);/* our window size */
9615 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
9616 ssh2_pkt_addstring(pktout, hostname);
9617 ssh2_pkt_adduint32(pktout, port);
9618 /*
9619 * We make up values for the originator data; partly it's
9620 * too much hassle to keep track, and partly I'm not
9621 * convinced the server should be told details like that
9622 * about my local network configuration.
9623 * The "originator IP address" is syntactically a numeric
9624 * IP address, and some servers (e.g., Tectia) get upset
9625 * if it doesn't match this syntax.
9626 */
9627 ssh2_pkt_addstring(pktout, "0.0.0.0");
9628 ssh2_pkt_adduint32(pktout, 0);
9629 ssh2_pkt_send(ssh, pktout);
9630 }
9631 }
9632
9633 static int ssh_connected(void *handle)
9634 {
9635 Ssh ssh = (Ssh) handle;
9636 return ssh->s != NULL;
9637 }
9638
9639 static int ssh_sendok(void *handle)
9640 {
9641 Ssh ssh = (Ssh) handle;
9642 return ssh->send_ok;
9643 }
9644
9645 static int ssh_ldisc(void *handle, int option)
9646 {
9647 Ssh ssh = (Ssh) handle;
9648 if (option == LD_ECHO)
9649 return ssh->echoing;
9650 if (option == LD_EDIT)
9651 return ssh->editing;
9652 return FALSE;
9653 }
9654
9655 static void ssh_provide_ldisc(void *handle, void *ldisc)
9656 {
9657 Ssh ssh = (Ssh) handle;
9658 ssh->ldisc = ldisc;
9659 }
9660
9661 static void ssh_provide_logctx(void *handle, void *logctx)
9662 {
9663 Ssh ssh = (Ssh) handle;
9664 ssh->logctx = logctx;
9665 }
9666
9667 static int ssh_return_exitcode(void *handle)
9668 {
9669 Ssh ssh = (Ssh) handle;
9670 if (ssh->s != NULL)
9671 return -1;
9672 else
9673 return (ssh->exitcode >= 0 ? ssh->exitcode : INT_MAX);
9674 }
9675
9676 /*
9677 * cfg_info for SSH is the currently running version of the
9678 * protocol. (1 for 1; 2 for 2; 0 for not-decided-yet.)
9679 */
9680 static int ssh_cfg_info(void *handle)
9681 {
9682 Ssh ssh = (Ssh) handle;
9683 return ssh->version;
9684 }
9685
9686 /*
9687 * Gross hack: pscp will try to start SFTP but fall back to scp1 if
9688 * that fails. This variable is the means by which scp.c can reach
9689 * into the SSH code and find out which one it got.
9690 */
9691 extern int ssh_fallback_cmd(void *handle)
9692 {
9693 Ssh ssh = (Ssh) handle;
9694 return ssh->fallback_cmd;
9695 }
9696
9697 Backend ssh_backend = {
9698 ssh_init,
9699 ssh_free,
9700 ssh_reconfig,
9701 ssh_send,
9702 ssh_sendbuffer,
9703 ssh_size,
9704 ssh_special,
9705 ssh_get_specials,
9706 ssh_connected,
9707 ssh_return_exitcode,
9708 ssh_sendok,
9709 ssh_ldisc,
9710 ssh_provide_ldisc,
9711 ssh_provide_logctx,
9712 ssh_unthrottle,
9713 ssh_cfg_info,
9714 "ssh",
9715 PROT_SSH,
9716 22
9717 };
Local modifications for Simon Tatham's `PuTTY' SSH client and terminal emulator