projects / u / mdw / putty / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Replace mentions of SSH-2 I-Ds with references to the corresponding RFCs.
[u/mdw/putty] / ssh.c
1 /*
2 * SSH backend.
3 */
4
5 #include <stdio.h>
6 #include <stdlib.h>
7 #include <stdarg.h>
8 #include <assert.h>
9 #include <limits.h>
10 #include <signal.h>
11
12 #include "putty.h"
13 #include "tree234.h"
14 #include "ssh.h"
15
16 #ifndef FALSE
17 #define FALSE 0
18 #endif
19 #ifndef TRUE
20 #define TRUE 1
21 #endif
22
23 #define SSH1_MSG_DISCONNECT 1 /* 0x1 */
24 #define SSH1_SMSG_PUBLIC_KEY 2 /* 0x2 */
25 #define SSH1_CMSG_SESSION_KEY 3 /* 0x3 */
26 #define SSH1_CMSG_USER 4 /* 0x4 */
27 #define SSH1_CMSG_AUTH_RSA 6 /* 0x6 */
28 #define SSH1_SMSG_AUTH_RSA_CHALLENGE 7 /* 0x7 */
29 #define SSH1_CMSG_AUTH_RSA_RESPONSE 8 /* 0x8 */
30 #define SSH1_CMSG_AUTH_PASSWORD 9 /* 0x9 */
31 #define SSH1_CMSG_REQUEST_PTY 10 /* 0xa */
32 #define SSH1_CMSG_WINDOW_SIZE 11 /* 0xb */
33 #define SSH1_CMSG_EXEC_SHELL 12 /* 0xc */
34 #define SSH1_CMSG_EXEC_CMD 13 /* 0xd */
35 #define SSH1_SMSG_SUCCESS 14 /* 0xe */
36 #define SSH1_SMSG_FAILURE 15 /* 0xf */
37 #define SSH1_CMSG_STDIN_DATA 16 /* 0x10 */
38 #define SSH1_SMSG_STDOUT_DATA 17 /* 0x11 */
39 #define SSH1_SMSG_STDERR_DATA 18 /* 0x12 */
40 #define SSH1_CMSG_EOF 19 /* 0x13 */
41 #define SSH1_SMSG_EXIT_STATUS 20 /* 0x14 */
42 #define SSH1_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* 0x15 */
43 #define SSH1_MSG_CHANNEL_OPEN_FAILURE 22 /* 0x16 */
44 #define SSH1_MSG_CHANNEL_DATA 23 /* 0x17 */
45 #define SSH1_MSG_CHANNEL_CLOSE 24 /* 0x18 */
46 #define SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* 0x19 */
47 #define SSH1_SMSG_X11_OPEN 27 /* 0x1b */
48 #define SSH1_CMSG_PORT_FORWARD_REQUEST 28 /* 0x1c */
49 #define SSH1_MSG_PORT_OPEN 29 /* 0x1d */
50 #define SSH1_CMSG_AGENT_REQUEST_FORWARDING 30 /* 0x1e */
51 #define SSH1_SMSG_AGENT_OPEN 31 /* 0x1f */
52 #define SSH1_MSG_IGNORE 32 /* 0x20 */
53 #define SSH1_CMSG_EXIT_CONFIRMATION 33 /* 0x21 */
54 #define SSH1_CMSG_X11_REQUEST_FORWARDING 34 /* 0x22 */
55 #define SSH1_CMSG_AUTH_RHOSTS_RSA 35 /* 0x23 */
56 #define SSH1_MSG_DEBUG 36 /* 0x24 */
57 #define SSH1_CMSG_REQUEST_COMPRESSION 37 /* 0x25 */
58 #define SSH1_CMSG_AUTH_TIS 39 /* 0x27 */
59 #define SSH1_SMSG_AUTH_TIS_CHALLENGE 40 /* 0x28 */
60 #define SSH1_CMSG_AUTH_TIS_RESPONSE 41 /* 0x29 */
61 #define SSH1_CMSG_AUTH_CCARD 70 /* 0x46 */
62 #define SSH1_SMSG_AUTH_CCARD_CHALLENGE 71 /* 0x47 */
63 #define SSH1_CMSG_AUTH_CCARD_RESPONSE 72 /* 0x48 */
64
65 #define SSH1_AUTH_RHOSTS 1 /* 0x1 */
66 #define SSH1_AUTH_RSA 2 /* 0x2 */
67 #define SSH1_AUTH_PASSWORD 3 /* 0x3 */
68 #define SSH1_AUTH_RHOSTS_RSA 4 /* 0x4 */
69 #define SSH1_AUTH_TIS 5 /* 0x5 */
70 #define SSH1_AUTH_CCARD 16 /* 0x10 */
71
72 #define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */
73 /* Mask for protoflags we will echo back to server if seen */
74 #define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */
75
76 #define SSH2_MSG_DISCONNECT 1 /* 0x1 */
77 #define SSH2_MSG_IGNORE 2 /* 0x2 */
78 #define SSH2_MSG_UNIMPLEMENTED 3 /* 0x3 */
79 #define SSH2_MSG_DEBUG 4 /* 0x4 */
80 #define SSH2_MSG_SERVICE_REQUEST 5 /* 0x5 */
81 #define SSH2_MSG_SERVICE_ACCEPT 6 /* 0x6 */
82 #define SSH2_MSG_KEXINIT 20 /* 0x14 */
83 #define SSH2_MSG_NEWKEYS 21 /* 0x15 */
84 #define SSH2_MSG_KEXDH_INIT 30 /* 0x1e */
85 #define SSH2_MSG_KEXDH_REPLY 31 /* 0x1f */
86 #define SSH2_MSG_KEX_DH_GEX_REQUEST 30 /* 0x1e */
87 #define SSH2_MSG_KEX_DH_GEX_GROUP 31 /* 0x1f */
88 #define SSH2_MSG_KEX_DH_GEX_INIT 32 /* 0x20 */
89 #define SSH2_MSG_KEX_DH_GEX_REPLY 33 /* 0x21 */
90 #define SSH2_MSG_KEXRSA_PUBKEY 30 /* 0x1e */
91 #define SSH2_MSG_KEXRSA_SECRET 31 /* 0x1f */
92 #define SSH2_MSG_KEXRSA_DONE 32 /* 0x20 */
93 #define SSH2_MSG_USERAUTH_REQUEST 50 /* 0x32 */
94 #define SSH2_MSG_USERAUTH_FAILURE 51 /* 0x33 */
95 #define SSH2_MSG_USERAUTH_SUCCESS 52 /* 0x34 */
96 #define SSH2_MSG_USERAUTH_BANNER 53 /* 0x35 */
97 #define SSH2_MSG_USERAUTH_PK_OK 60 /* 0x3c */
98 #define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 /* 0x3c */
99 #define SSH2_MSG_USERAUTH_INFO_REQUEST 60 /* 0x3c */
100 #define SSH2_MSG_USERAUTH_INFO_RESPONSE 61 /* 0x3d */
101 #define SSH2_MSG_GLOBAL_REQUEST 80 /* 0x50 */
102 #define SSH2_MSG_REQUEST_SUCCESS 81 /* 0x51 */
103 #define SSH2_MSG_REQUEST_FAILURE 82 /* 0x52 */
104 #define SSH2_MSG_CHANNEL_OPEN 90 /* 0x5a */
105 #define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION 91 /* 0x5b */
106 #define SSH2_MSG_CHANNEL_OPEN_FAILURE 92 /* 0x5c */
107 #define SSH2_MSG_CHANNEL_WINDOW_ADJUST 93 /* 0x5d */
108 #define SSH2_MSG_CHANNEL_DATA 94 /* 0x5e */
109 #define SSH2_MSG_CHANNEL_EXTENDED_DATA 95 /* 0x5f */
110 #define SSH2_MSG_CHANNEL_EOF 96 /* 0x60 */
111 #define SSH2_MSG_CHANNEL_CLOSE 97 /* 0x61 */
112 #define SSH2_MSG_CHANNEL_REQUEST 98 /* 0x62 */
113 #define SSH2_MSG_CHANNEL_SUCCESS 99 /* 0x63 */
114 #define SSH2_MSG_CHANNEL_FAILURE 100 /* 0x64 */
115
116 /*
117 * Packet type contexts, so that ssh2_pkt_type can correctly decode
118 * the ambiguous type numbers back into the correct type strings.
119 */
120 typedef enum {
121 SSH2_PKTCTX_NOKEX,
122 SSH2_PKTCTX_DHGROUP,
123 SSH2_PKTCTX_DHGEX,
124 SSH2_PKTCTX_RSAKEX
125 } Pkt_KCtx;
126 typedef enum {
127 SSH2_PKTCTX_NOAUTH,
128 SSH2_PKTCTX_PUBLICKEY,
129 SSH2_PKTCTX_PASSWORD,
130 SSH2_PKTCTX_KBDINTER
131 } Pkt_ACtx;
132
133 #define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */
134 #define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */
135 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */
136 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */
137 #define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */
138 #define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */
139 #define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */
140 #define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */
141 #define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */
142 #define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */
143 #define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */
144 #define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */
145 #define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */
146 #define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */
147 #define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */
148
149 static const char *const ssh2_disconnect_reasons[] = {
150 NULL,
151 "host not allowed to connect",
152 "protocol error",
153 "key exchange failed",
154 "host authentication failed",
155 "MAC error",
156 "compression error",
157 "service not available",
158 "protocol version not supported",
159 "host key not verifiable",
160 "connection lost",
161 "by application",
162 "too many connections",
163 "auth cancelled by user",
164 "no more auth methods available",
165 "illegal user name",
166 };
167
168 #define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */
169 #define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */
170 #define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */
171 #define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */
172
173 #define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */
174
175 /*
176 * Various remote-bug flags.
177 */
178 #define BUG_CHOKES_ON_SSH1_IGNORE 1
179 #define BUG_SSH2_HMAC 2
180 #define BUG_NEEDS_SSH1_PLAIN_PASSWORD 4
181 #define BUG_CHOKES_ON_RSA 8
182 #define BUG_SSH2_RSA_PADDING 16
183 #define BUG_SSH2_DERIVEKEY 32
184 #define BUG_SSH2_REKEY 64
185 #define BUG_SSH2_PK_SESSIONID 128
186
187 /*
188 * Codes for terminal modes.
189 * Most of these are the same in SSH-1 and SSH-2.
190 * This list is derived from RFC 4254 and
191 * SSH-1 RFC-1.2.31.
192 */
193 static const struct {
194 const char* const mode;
195 int opcode;
196 enum { TTY_OP_CHAR, TTY_OP_BOOL } type;
197 } ssh_ttymodes[] = {
198 /* "V" prefix discarded for special characters relative to SSH specs */
199 { "INTR", 1, TTY_OP_CHAR },
200 { "QUIT", 2, TTY_OP_CHAR },
201 { "ERASE", 3, TTY_OP_CHAR },
202 { "KILL", 4, TTY_OP_CHAR },
203 { "EOF", 5, TTY_OP_CHAR },
204 { "EOL", 6, TTY_OP_CHAR },
205 { "EOL2", 7, TTY_OP_CHAR },
206 { "START", 8, TTY_OP_CHAR },
207 { "STOP", 9, TTY_OP_CHAR },
208 { "SUSP", 10, TTY_OP_CHAR },
209 { "DSUSP", 11, TTY_OP_CHAR },
210 { "REPRINT", 12, TTY_OP_CHAR },
211 { "WERASE", 13, TTY_OP_CHAR },
212 { "LNEXT", 14, TTY_OP_CHAR },
213 { "FLUSH", 15, TTY_OP_CHAR },
214 { "SWTCH", 16, TTY_OP_CHAR },
215 { "STATUS", 17, TTY_OP_CHAR },
216 { "DISCARD", 18, TTY_OP_CHAR },
217 { "IGNPAR", 30, TTY_OP_BOOL },
218 { "PARMRK", 31, TTY_OP_BOOL },
219 { "INPCK", 32, TTY_OP_BOOL },
220 { "ISTRIP", 33, TTY_OP_BOOL },
221 { "INLCR", 34, TTY_OP_BOOL },
222 { "IGNCR", 35, TTY_OP_BOOL },
223 { "ICRNL", 36, TTY_OP_BOOL },
224 { "IUCLC", 37, TTY_OP_BOOL },
225 { "IXON", 38, TTY_OP_BOOL },
226 { "IXANY", 39, TTY_OP_BOOL },
227 { "IXOFF", 40, TTY_OP_BOOL },
228 { "IMAXBEL", 41, TTY_OP_BOOL },
229 { "ISIG", 50, TTY_OP_BOOL },
230 { "ICANON", 51, TTY_OP_BOOL },
231 { "XCASE", 52, TTY_OP_BOOL },
232 { "ECHO", 53, TTY_OP_BOOL },
233 { "ECHOE", 54, TTY_OP_BOOL },
234 { "ECHOK", 55, TTY_OP_BOOL },
235 { "ECHONL", 56, TTY_OP_BOOL },
236 { "NOFLSH", 57, TTY_OP_BOOL },
237 { "TOSTOP", 58, TTY_OP_BOOL },
238 { "IEXTEN", 59, TTY_OP_BOOL },
239 { "ECHOCTL", 60, TTY_OP_BOOL },
240 { "ECHOKE", 61, TTY_OP_BOOL },
241 { "PENDIN", 62, TTY_OP_BOOL }, /* XXX is this a real mode? */
242 { "OPOST", 70, TTY_OP_BOOL },
243 { "OLCUC", 71, TTY_OP_BOOL },
244 { "ONLCR", 72, TTY_OP_BOOL },
245 { "OCRNL", 73, TTY_OP_BOOL },
246 { "ONOCR", 74, TTY_OP_BOOL },
247 { "ONLRET", 75, TTY_OP_BOOL },
248 { "CS7", 90, TTY_OP_BOOL },
249 { "CS8", 91, TTY_OP_BOOL },
250 { "PARENB", 92, TTY_OP_BOOL },
251 { "PARODD", 93, TTY_OP_BOOL }
252 };
253
254 /* Miscellaneous other tty-related constants. */
255 #define SSH_TTY_OP_END 0
256 /* The opcodes for ISPEED/OSPEED differ between SSH-1 and SSH-2. */
257 #define SSH1_TTY_OP_ISPEED 192
258 #define SSH1_TTY_OP_OSPEED 193
259 #define SSH2_TTY_OP_ISPEED 128
260 #define SSH2_TTY_OP_OSPEED 129
261
262 /* Helper functions for parsing tty-related config. */
263 static unsigned int ssh_tty_parse_specchar(char *s)
264 {
265 unsigned int ret;
266 if (*s) {
267 char *next = NULL;
268 ret = ctrlparse(s, &next);
269 if (!next) ret = s[0];
270 } else {
271 ret = 255; /* special value meaning "don't set" */
272 }
273 return ret;
274 }
275 static unsigned int ssh_tty_parse_boolean(char *s)
276 {
277 if (stricmp(s, "yes") == 0 ||
278 stricmp(s, "on") == 0 ||
279 stricmp(s, "true") == 0 ||
280 stricmp(s, "+") == 0)
281 return 1; /* true */
282 else if (stricmp(s, "no") == 0 ||
283 stricmp(s, "off") == 0 ||
284 stricmp(s, "false") == 0 ||
285 stricmp(s, "-") == 0)
286 return 0; /* false */
287 else
288 return (atoi(s) != 0);
289 }
290
291 #define translate(x) if (type == x) return #x
292 #define translatek(x,ctx) if (type == x && (pkt_kctx == ctx)) return #x
293 #define translatea(x,ctx) if (type == x && (pkt_actx == ctx)) return #x
294 static char *ssh1_pkt_type(int type)
295 {
296 translate(SSH1_MSG_DISCONNECT);
297 translate(SSH1_SMSG_PUBLIC_KEY);
298 translate(SSH1_CMSG_SESSION_KEY);
299 translate(SSH1_CMSG_USER);
300 translate(SSH1_CMSG_AUTH_RSA);
301 translate(SSH1_SMSG_AUTH_RSA_CHALLENGE);
302 translate(SSH1_CMSG_AUTH_RSA_RESPONSE);
303 translate(SSH1_CMSG_AUTH_PASSWORD);
304 translate(SSH1_CMSG_REQUEST_PTY);
305 translate(SSH1_CMSG_WINDOW_SIZE);
306 translate(SSH1_CMSG_EXEC_SHELL);
307 translate(SSH1_CMSG_EXEC_CMD);
308 translate(SSH1_SMSG_SUCCESS);
309 translate(SSH1_SMSG_FAILURE);
310 translate(SSH1_CMSG_STDIN_DATA);
311 translate(SSH1_SMSG_STDOUT_DATA);
312 translate(SSH1_SMSG_STDERR_DATA);
313 translate(SSH1_CMSG_EOF);
314 translate(SSH1_SMSG_EXIT_STATUS);
315 translate(SSH1_MSG_CHANNEL_OPEN_CONFIRMATION);
316 translate(SSH1_MSG_CHANNEL_OPEN_FAILURE);
317 translate(SSH1_MSG_CHANNEL_DATA);
318 translate(SSH1_MSG_CHANNEL_CLOSE);
319 translate(SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION);
320 translate(SSH1_SMSG_X11_OPEN);
321 translate(SSH1_CMSG_PORT_FORWARD_REQUEST);
322 translate(SSH1_MSG_PORT_OPEN);
323 translate(SSH1_CMSG_AGENT_REQUEST_FORWARDING);
324 translate(SSH1_SMSG_AGENT_OPEN);
325 translate(SSH1_MSG_IGNORE);
326 translate(SSH1_CMSG_EXIT_CONFIRMATION);
327 translate(SSH1_CMSG_X11_REQUEST_FORWARDING);
328 translate(SSH1_CMSG_AUTH_RHOSTS_RSA);
329 translate(SSH1_MSG_DEBUG);
330 translate(SSH1_CMSG_REQUEST_COMPRESSION);
331 translate(SSH1_CMSG_AUTH_TIS);
332 translate(SSH1_SMSG_AUTH_TIS_CHALLENGE);
333 translate(SSH1_CMSG_AUTH_TIS_RESPONSE);
334 translate(SSH1_CMSG_AUTH_CCARD);
335 translate(SSH1_SMSG_AUTH_CCARD_CHALLENGE);
336 translate(SSH1_CMSG_AUTH_CCARD_RESPONSE);
337 return "unknown";
338 }
339 static char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type)
340 {
341 translate(SSH2_MSG_DISCONNECT);
342 translate(SSH2_MSG_IGNORE);
343 translate(SSH2_MSG_UNIMPLEMENTED);
344 translate(SSH2_MSG_DEBUG);
345 translate(SSH2_MSG_SERVICE_REQUEST);
346 translate(SSH2_MSG_SERVICE_ACCEPT);
347 translate(SSH2_MSG_KEXINIT);
348 translate(SSH2_MSG_NEWKEYS);
349 translatek(SSH2_MSG_KEXDH_INIT, SSH2_PKTCTX_DHGROUP);
350 translatek(SSH2_MSG_KEXDH_REPLY, SSH2_PKTCTX_DHGROUP);
351 translatek(SSH2_MSG_KEX_DH_GEX_REQUEST, SSH2_PKTCTX_DHGEX);
352 translatek(SSH2_MSG_KEX_DH_GEX_GROUP, SSH2_PKTCTX_DHGEX);
353 translatek(SSH2_MSG_KEX_DH_GEX_INIT, SSH2_PKTCTX_DHGEX);
354 translatek(SSH2_MSG_KEX_DH_GEX_REPLY, SSH2_PKTCTX_DHGEX);
355 translatek(SSH2_MSG_KEXRSA_PUBKEY, SSH2_PKTCTX_RSAKEX);
356 translatek(SSH2_MSG_KEXRSA_SECRET, SSH2_PKTCTX_RSAKEX);
357 translatek(SSH2_MSG_KEXRSA_DONE, SSH2_PKTCTX_RSAKEX);
358 translate(SSH2_MSG_USERAUTH_REQUEST);
359 translate(SSH2_MSG_USERAUTH_FAILURE);
360 translate(SSH2_MSG_USERAUTH_SUCCESS);
361 translate(SSH2_MSG_USERAUTH_BANNER);
362 translatea(SSH2_MSG_USERAUTH_PK_OK, SSH2_PKTCTX_PUBLICKEY);
363 translatea(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, SSH2_PKTCTX_PASSWORD);
364 translatea(SSH2_MSG_USERAUTH_INFO_REQUEST, SSH2_PKTCTX_KBDINTER);
365 translatea(SSH2_MSG_USERAUTH_INFO_RESPONSE, SSH2_PKTCTX_KBDINTER);
366 translate(SSH2_MSG_GLOBAL_REQUEST);
367 translate(SSH2_MSG_REQUEST_SUCCESS);
368 translate(SSH2_MSG_REQUEST_FAILURE);
369 translate(SSH2_MSG_CHANNEL_OPEN);
370 translate(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
371 translate(SSH2_MSG_CHANNEL_OPEN_FAILURE);
372 translate(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
373 translate(SSH2_MSG_CHANNEL_DATA);
374 translate(SSH2_MSG_CHANNEL_EXTENDED_DATA);
375 translate(SSH2_MSG_CHANNEL_EOF);
376 translate(SSH2_MSG_CHANNEL_CLOSE);
377 translate(SSH2_MSG_CHANNEL_REQUEST);
378 translate(SSH2_MSG_CHANNEL_SUCCESS);
379 translate(SSH2_MSG_CHANNEL_FAILURE);
380 return "unknown";
381 }
382 #undef translate
383 #undef translatec
384
385 /* Enumeration values for fields in SSH-1 packets */
386 enum {
387 PKT_END, PKT_INT, PKT_CHAR, PKT_DATA, PKT_STR, PKT_BIGNUM,
388 /* These values are for communicating relevant semantics of
389 * fields to the packet logging code. */
390 PKTT_OTHER, PKTT_PASSWORD, PKTT_DATA
391 };
392
393 /*
394 * Coroutine mechanics for the sillier bits of the code. If these
395 * macros look impenetrable to you, you might find it helpful to
396 * read
397 *
398 * http://www.chiark.greenend.org.uk/~sgtatham/coroutines.html
399 *
400 * which explains the theory behind these macros.
401 *
402 * In particular, if you are getting `case expression not constant'
403 * errors when building with MS Visual Studio, this is because MS's
404 * Edit and Continue debugging feature causes their compiler to
405 * violate ANSI C. To disable Edit and Continue debugging:
406 *
407 * - right-click ssh.c in the FileView
408 * - click Settings
409 * - select the C/C++ tab and the General category
410 * - under `Debug info:', select anything _other_ than `Program
411 * Database for Edit and Continue'.
412 */
413 #define crBegin(v) { int *crLine = &v; switch(v) { case 0:;
414 #define crState(t) \
415 struct t *s; \
416 if (!ssh->t) ssh->t = snew(struct t); \
417 s = ssh->t;
418 #define crFinish(z) } *crLine = 0; return (z); }
419 #define crFinishV } *crLine = 0; return; }
420 #define crReturn(z) \
421 do {\
422 *crLine =__LINE__; return (z); case __LINE__:;\
423 } while (0)
424 #define crReturnV \
425 do {\
426 *crLine=__LINE__; return; case __LINE__:;\
427 } while (0)
428 #define crStop(z) do{ *crLine = 0; return (z); }while(0)
429 #define crStopV do{ *crLine = 0; return; }while(0)
430 #define crWaitUntil(c) do { crReturn(0); } while (!(c))
431 #define crWaitUntilV(c) do { crReturnV; } while (!(c))
432
433 typedef struct ssh_tag *Ssh;
434 struct Packet;
435
436 static struct Packet *ssh1_pkt_init(int pkt_type);
437 static struct Packet *ssh2_pkt_init(int pkt_type);
438 static void ssh_pkt_ensure(struct Packet *, int length);
439 static void ssh_pkt_adddata(struct Packet *, void *data, int len);
440 static void ssh_pkt_addbyte(struct Packet *, unsigned char value);
441 static void ssh2_pkt_addbool(struct Packet *, unsigned char value);
442 static void ssh_pkt_adduint32(struct Packet *, unsigned long value);
443 static void ssh_pkt_addstring_start(struct Packet *);
444 static void ssh_pkt_addstring_str(struct Packet *, char *data);
445 static void ssh_pkt_addstring_data(struct Packet *, char *data, int len);
446 static void ssh_pkt_addstring(struct Packet *, char *data);
447 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len);
448 static void ssh1_pkt_addmp(struct Packet *, Bignum b);
449 static void ssh2_pkt_addmp(struct Packet *, Bignum b);
450 static int ssh2_pkt_construct(Ssh, struct Packet *);
451 static void ssh2_pkt_send(Ssh, struct Packet *);
452 static void ssh2_pkt_send_noqueue(Ssh, struct Packet *);
453 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
454 struct Packet *pktin);
455 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
456 struct Packet *pktin);
457
458 /*
459 * Buffer management constants. There are several of these for
460 * various different purposes:
461 *
462 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
463 * on a local data stream before we throttle the whole SSH
464 * connection (in SSH-1 only). Throttling the whole connection is
465 * pretty drastic so we set this high in the hope it won't
466 * happen very often.
467 *
468 * - SSH_MAX_BACKLOG is the amount of backlog that must build up
469 * on the SSH connection itself before we defensively throttle
470 * _all_ local data streams. This is pretty drastic too (though
471 * thankfully unlikely in SSH-2 since the window mechanism should
472 * ensure that the server never has any need to throttle its end
473 * of the connection), so we set this high as well.
474 *
475 * - OUR_V2_WINSIZE is the maximum window size we present on SSH-2
476 * channels.
477 *
478 * - OUR_V2_BIGWIN is the window size we advertise for the only
479 * channel in a simple connection. It must be <= INT_MAX.
480 */
481
482 #define SSH1_BUFFER_LIMIT 32768
483 #define SSH_MAX_BACKLOG 32768
484 #define OUR_V2_WINSIZE 16384
485 #define OUR_V2_BIGWIN 0x7fffffff
486 #define OUR_V2_MAXPKT 0x4000UL
487
488 /* Maximum length of passwords/passphrases (arbitrary) */
489 #define SSH_MAX_PASSWORD_LEN 100
490
491 const static struct ssh_signkey *hostkey_algs[] = { &ssh_rsa, &ssh_dss };
492
493 const static struct ssh_mac *macs[] = {
494 &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
495 };
496 const static struct ssh_mac *buggymacs[] = {
497 &ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
498 };
499
500 static void *ssh_comp_none_init(void)
501 {
502 return NULL;
503 }
504 static void ssh_comp_none_cleanup(void *handle)
505 {
506 }
507 static int ssh_comp_none_block(void *handle, unsigned char *block, int len,
508 unsigned char **outblock, int *outlen)
509 {
510 return 0;
511 }
512 static int ssh_comp_none_disable(void *handle)
513 {
514 return 0;
515 }
516 const static struct ssh_compress ssh_comp_none = {
517 "none",
518 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
519 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
520 ssh_comp_none_disable, NULL
521 };
522 extern const struct ssh_compress ssh_zlib;
523 const static struct ssh_compress *compressions[] = {
524 &ssh_zlib, &ssh_comp_none
525 };
526
527 enum { /* channel types */
528 CHAN_MAINSESSION,
529 CHAN_X11,
530 CHAN_AGENT,
531 CHAN_SOCKDATA,
532 CHAN_SOCKDATA_DORMANT /* one the remote hasn't confirmed */
533 };
534
535 /*
536 * little structure to keep track of outstanding WINDOW_ADJUSTs
537 */
538 struct winadj {
539 struct winadj *next;
540 unsigned size;
541 };
542
543 /*
544 * 2-3-4 tree storing channels.
545 */
546 struct ssh_channel {
547 Ssh ssh; /* pointer back to main context */
548 unsigned remoteid, localid;
549 int type;
550 /* True if we opened this channel but server hasn't confirmed. */
551 int halfopen;
552 /*
553 * In SSH-1, this value contains four bits:
554 *
555 * 1 We have sent SSH1_MSG_CHANNEL_CLOSE.
556 * 2 We have sent SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
557 * 4 We have received SSH1_MSG_CHANNEL_CLOSE.
558 * 8 We have received SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
559 *
560 * A channel is completely finished with when all four bits are set.
561 */
562 int closes;
563 /*
564 * True if this channel is causing the underlying connection to be
565 * throttled.
566 */
567 int throttling_conn;
568 union {
569 struct ssh2_data_channel {
570 bufchain outbuffer;
571 unsigned remwindow, remmaxpkt;
572 /* locwindow is signed so we can cope with excess data. */
573 int locwindow, locmaxwin;
574 /*
575 * remlocwin is the amount of local window that we think
576 * the remote end had available to it after it sent the
577 * last data packet or window adjust ack.
578 */
579 int remlocwin;
580 /*
581 * These store the list of window adjusts that haven't
582 * been acked.
583 */
584 struct winadj *winadj_head, *winadj_tail;
585 enum { THROTTLED, UNTHROTTLING, UNTHROTTLED } throttle_state;
586 } v2;
587 } v;
588 union {
589 struct ssh_agent_channel {
590 unsigned char *message;
591 unsigned char msglen[4];
592 unsigned lensofar, totallen;
593 } a;
594 struct ssh_x11_channel {
595 Socket s;
596 } x11;
597 struct ssh_pfd_channel {
598 Socket s;
599 } pfd;
600 } u;
601 };
602
603 /*
604 * 2-3-4 tree storing remote->local port forwardings. SSH-1 and SSH-2
605 * use this structure in different ways, reflecting SSH-2's
606 * altogether saner approach to port forwarding.
607 *
608 * In SSH-1, you arrange a remote forwarding by sending the server
609 * the remote port number, and the local destination host:port.
610 * When a connection comes in, the server sends you back that
611 * host:port pair, and you connect to it. This is a ready-made
612 * security hole if you're not on the ball: a malicious server
613 * could send you back _any_ host:port pair, so if you trustingly
614 * connect to the address it gives you then you've just opened the
615 * entire inside of your corporate network just by connecting
616 * through it to a dodgy SSH server. Hence, we must store a list of
617 * host:port pairs we _are_ trying to forward to, and reject a
618 * connection request from the server if it's not in the list.
619 *
620 * In SSH-2, each side of the connection minds its own business and
621 * doesn't send unnecessary information to the other. You arrange a
622 * remote forwarding by sending the server just the remote port
623 * number. When a connection comes in, the server tells you which
624 * of its ports was connected to; and _you_ have to remember what
625 * local host:port pair went with that port number.
626 *
627 * Hence, in SSH-1 this structure is indexed by destination
628 * host:port pair, whereas in SSH-2 it is indexed by source port.
629 */
630 struct ssh_portfwd; /* forward declaration */
631
632 struct ssh_rportfwd {
633 unsigned sport, dport;
634 char dhost[256];
635 char *sportdesc;
636 struct ssh_portfwd *pfrec;
637 };
638 #define free_rportfwd(pf) ( \
639 ((pf) ? (sfree((pf)->sportdesc)) : (void)0 ), sfree(pf) )
640
641 /*
642 * Separately to the rportfwd tree (which is for looking up port
643 * open requests from the server), a tree of _these_ structures is
644 * used to keep track of all the currently open port forwardings,
645 * so that we can reconfigure in mid-session if the user requests
646 * it.
647 */
648 struct ssh_portfwd {
649 enum { DESTROY, KEEP, CREATE } status;
650 int type;
651 unsigned sport, dport;
652 char *saddr, *daddr;
653 char *sserv, *dserv;
654 struct ssh_rportfwd *remote;
655 int addressfamily;
656 void *local;
657 };
658 #define free_portfwd(pf) ( \
659 ((pf) ? (sfree((pf)->saddr), sfree((pf)->daddr), \
660 sfree((pf)->sserv), sfree((pf)->dserv)) : (void)0 ), sfree(pf) )
661
662 struct Packet {
663 long length; /* length of `data' actually used */
664 long forcepad; /* SSH-2: force padding to at least this length */
665 int type; /* only used for incoming packets */
666 unsigned long sequence; /* SSH-2 incoming sequence number */
667 unsigned char *data; /* allocated storage */
668 unsigned char *body; /* offset of payload within `data' */
669 long savedpos; /* temporary index into `data' (for strings) */
670 long maxlen; /* amount of storage allocated for `data' */
671 long encrypted_len; /* for SSH-2 total-size counting */
672
673 /*
674 * State associated with packet logging
675 */
676 int logmode;
677 int nblanks;
678 struct logblank_t *blanks;
679 };
680
681 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
682 struct Packet *pktin);
683 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
684 struct Packet *pktin);
685 static void ssh1_protocol_setup(Ssh ssh);
686 static void ssh2_protocol_setup(Ssh ssh);
687 static void ssh_size(void *handle, int width, int height);
688 static void ssh_special(void *handle, Telnet_Special);
689 static int ssh2_try_send(struct ssh_channel *c);
690 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf, int len);
691 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize);
692 static void ssh2_set_window(struct ssh_channel *c, int newwin);
693 static int ssh_sendbuffer(void *handle);
694 static int ssh_do_close(Ssh ssh, int notify_exit);
695 static unsigned long ssh_pkt_getuint32(struct Packet *pkt);
696 static int ssh2_pkt_getbool(struct Packet *pkt);
697 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length);
698 static void ssh2_timer(void *ctx, long now);
699 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
700 struct Packet *pktin);
701
702 struct rdpkt1_state_tag {
703 long len, pad, biglen, to_read;
704 unsigned long realcrc, gotcrc;
705 unsigned char *p;
706 int i;
707 int chunk;
708 struct Packet *pktin;
709 };
710
711 struct rdpkt2_state_tag {
712 long len, pad, payload, packetlen, maclen;
713 int i;
714 int cipherblk;
715 unsigned long incoming_sequence;
716 struct Packet *pktin;
717 };
718
719 typedef void (*handler_fn_t)(Ssh ssh, struct Packet *pktin);
720 typedef void (*chandler_fn_t)(Ssh ssh, struct Packet *pktin, void *ctx);
721
722 struct queued_handler;
723 struct queued_handler {
724 int msg1, msg2;
725 chandler_fn_t handler;
726 void *ctx;
727 struct queued_handler *next;
728 };
729
730 struct ssh_tag {
731 const struct plug_function_table *fn;
732 /* the above field _must_ be first in the structure */
733
734 char *v_c, *v_s;
735 void *exhash;
736
737 Socket s;
738
739 void *ldisc;
740 void *logctx;
741
742 unsigned char session_key[32];
743 int v1_compressing;
744 int v1_remote_protoflags;
745 int v1_local_protoflags;
746 int agentfwd_enabled;
747 int X11_fwd_enabled;
748 int remote_bugs;
749 const struct ssh_cipher *cipher;
750 void *v1_cipher_ctx;
751 void *crcda_ctx;
752 const struct ssh2_cipher *cscipher, *sccipher;
753 void *cs_cipher_ctx, *sc_cipher_ctx;
754 const struct ssh_mac *csmac, *scmac;
755 void *cs_mac_ctx, *sc_mac_ctx;
756 const struct ssh_compress *cscomp, *sccomp;
757 void *cs_comp_ctx, *sc_comp_ctx;
758 const struct ssh_kex *kex;
759 const struct ssh_signkey *hostkey;
760 unsigned char v2_session_id[SSH2_KEX_MAX_HASH_LEN];
761 int v2_session_id_len;
762 void *kex_ctx;
763
764 char *savedhost;
765 int savedport;
766 int send_ok;
767 int echoing, editing;
768
769 void *frontend;
770
771 int ospeed, ispeed; /* temporaries */
772 int term_width, term_height;
773
774 tree234 *channels; /* indexed by local id */
775 struct ssh_channel *mainchan; /* primary session channel */
776 int ncmode; /* is primary channel direct-tcpip? */
777 int exitcode;
778 int close_expected;
779 int clean_exit;
780
781 tree234 *rportfwds, *portfwds;
782
783 enum {
784 SSH_STATE_PREPACKET,
785 SSH_STATE_BEFORE_SIZE,
786 SSH_STATE_INTERMED,
787 SSH_STATE_SESSION,
788 SSH_STATE_CLOSED
789 } state;
790
791 int size_needed, eof_needed;
792
793 struct Packet **queue;
794 int queuelen, queuesize;
795 int queueing;
796 unsigned char *deferred_send_data;
797 int deferred_len, deferred_size;
798
799 /*
800 * Gross hack: pscp will try to start SFTP but fall back to
801 * scp1 if that fails. This variable is the means by which
802 * scp.c can reach into the SSH code and find out which one it
803 * got.
804 */
805 int fallback_cmd;
806
807 bufchain banner; /* accumulates banners during do_ssh2_authconn */
808
809 Pkt_KCtx pkt_kctx;
810 Pkt_ACtx pkt_actx;
811
812 void *x11auth;
813
814 int version;
815 int conn_throttle_count;
816 int overall_bufsize;
817 int throttled_all;
818 int v1_stdout_throttling;
819 unsigned long v2_outgoing_sequence;
820
821 int ssh1_rdpkt_crstate;
822 int ssh2_rdpkt_crstate;
823 int do_ssh_init_crstate;
824 int ssh_gotdata_crstate;
825 int do_ssh1_login_crstate;
826 int do_ssh1_connection_crstate;
827 int do_ssh2_transport_crstate;
828 int do_ssh2_authconn_crstate;
829
830 void *do_ssh_init_state;
831 void *do_ssh1_login_state;
832 void *do_ssh2_transport_state;
833 void *do_ssh2_authconn_state;
834
835 struct rdpkt1_state_tag rdpkt1_state;
836 struct rdpkt2_state_tag rdpkt2_state;
837
838 /* SSH-1 and SSH-2 use this for different things, but both use it */
839 int protocol_initial_phase_done;
840
841 void (*protocol) (Ssh ssh, void *vin, int inlen,
842 struct Packet *pkt);
843 struct Packet *(*s_rdpkt) (Ssh ssh, unsigned char **data, int *datalen);
844
845 /*
846 * We maintain a full _copy_ of a Config structure here, not
847 * merely a pointer to it. That way, when we're passed a new
848 * one for reconfiguration, we can check the differences and
849 * potentially reconfigure port forwardings etc in mid-session.
850 */
851 Config cfg;
852
853 /*
854 * Used to transfer data back from async callbacks.
855 */
856 void *agent_response;
857 int agent_response_len;
858 int user_response;
859
860 /*
861 * The SSH connection can be set as `frozen', meaning we are
862 * not currently accepting incoming data from the network. This
863 * is slightly more serious than setting the _socket_ as
864 * frozen, because we may already have had data passed to us
865 * from the network which we need to delay processing until
866 * after the freeze is lifted, so we also need a bufchain to
867 * store that data.
868 */
869 int frozen;
870 bufchain queued_incoming_data;
871
872 /*
873 * Dispatch table for packet types that we may have to deal
874 * with at any time.
875 */
876 handler_fn_t packet_dispatch[256];
877
878 /*
879 * Queues of one-off handler functions for success/failure
880 * indications from a request.
881 */
882 struct queued_handler *qhead, *qtail;
883
884 /*
885 * This module deals with sending keepalives.
886 */
887 Pinger pinger;
888
889 /*
890 * Track incoming and outgoing data sizes and time, for
891 * size-based rekeys.
892 */
893 unsigned long incoming_data_size, outgoing_data_size, deferred_data_size;
894 unsigned long max_data_size;
895 int kex_in_progress;
896 long next_rekey, last_rekey;
897 char *deferred_rekey_reason; /* points to STATIC string; don't free */
898 };
899
900 #define logevent(s) logevent(ssh->frontend, s)
901
902 /* logevent, only printf-formatted. */
903 static void logeventf(Ssh ssh, const char *fmt, ...)
904 {
905 va_list ap;
906 char *buf;
907
908 va_start(ap, fmt);
909 buf = dupvprintf(fmt, ap);
910 va_end(ap);
911 logevent(buf);
912 sfree(buf);
913 }
914
915 #define bombout(msg) \
916 do { \
917 char *text = dupprintf msg; \
918 ssh_do_close(ssh, FALSE); \
919 logevent(text); \
920 connection_fatal(ssh->frontend, "%s", text); \
921 sfree(text); \
922 } while (0)
923
924 /* Functions to leave bits out of the SSH packet log file. */
925
926 static void dont_log_password(Ssh ssh, struct Packet *pkt, int blanktype)
927 {
928 if (ssh->cfg.logomitpass)
929 pkt->logmode = blanktype;
930 }
931
932 static void dont_log_data(Ssh ssh, struct Packet *pkt, int blanktype)
933 {
934 if (ssh->cfg.logomitdata)
935 pkt->logmode = blanktype;
936 }
937
938 static void end_log_omission(Ssh ssh, struct Packet *pkt)
939 {
940 pkt->logmode = PKTLOG_EMIT;
941 }
942
943 /* Helper function for common bits of parsing cfg.ttymodes. */
944 static void parse_ttymodes(Ssh ssh, char *modes,
945 void (*do_mode)(void *data, char *mode, char *val),
946 void *data)
947 {
948 while (*modes) {
949 char *t = strchr(modes, '\t');
950 char *m = snewn(t-modes+1, char);
951 char *val;
952 strncpy(m, modes, t-modes);
953 m[t-modes] = '\0';
954 if (*(t+1) == 'A')
955 val = get_ttymode(ssh->frontend, m);
956 else
957 val = dupstr(t+2);
958 if (val)
959 do_mode(data, m, val);
960 sfree(m);
961 sfree(val);
962 modes += strlen(modes) + 1;
963 }
964 }
965
966 static int ssh_channelcmp(void *av, void *bv)
967 {
968 struct ssh_channel *a = (struct ssh_channel *) av;
969 struct ssh_channel *b = (struct ssh_channel *) bv;
970 if (a->localid < b->localid)
971 return -1;
972 if (a->localid > b->localid)
973 return +1;
974 return 0;
975 }
976 static int ssh_channelfind(void *av, void *bv)
977 {
978 unsigned *a = (unsigned *) av;
979 struct ssh_channel *b = (struct ssh_channel *) bv;
980 if (*a < b->localid)
981 return -1;
982 if (*a > b->localid)
983 return +1;
984 return 0;
985 }
986
987 static int ssh_rportcmp_ssh1(void *av, void *bv)
988 {
989 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
990 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
991 int i;
992 if ( (i = strcmp(a->dhost, b->dhost)) != 0)
993 return i < 0 ? -1 : +1;
994 if (a->dport > b->dport)
995 return +1;
996 if (a->dport < b->dport)
997 return -1;
998 return 0;
999 }
1000
1001 static int ssh_rportcmp_ssh2(void *av, void *bv)
1002 {
1003 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
1004 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
1005
1006 if (a->sport > b->sport)
1007 return +1;
1008 if (a->sport < b->sport)
1009 return -1;
1010 return 0;
1011 }
1012
1013 /*
1014 * Special form of strcmp which can cope with NULL inputs. NULL is
1015 * defined to sort before even the empty string.
1016 */
1017 static int nullstrcmp(const char *a, const char *b)
1018 {
1019 if (a == NULL && b == NULL)
1020 return 0;
1021 if (a == NULL)
1022 return -1;
1023 if (b == NULL)
1024 return +1;
1025 return strcmp(a, b);
1026 }
1027
1028 static int ssh_portcmp(void *av, void *bv)
1029 {
1030 struct ssh_portfwd *a = (struct ssh_portfwd *) av;
1031 struct ssh_portfwd *b = (struct ssh_portfwd *) bv;
1032 int i;
1033 if (a->type > b->type)
1034 return +1;
1035 if (a->type < b->type)
1036 return -1;
1037 if (a->addressfamily > b->addressfamily)
1038 return +1;
1039 if (a->addressfamily < b->addressfamily)
1040 return -1;
1041 if ( (i = nullstrcmp(a->saddr, b->saddr)) != 0)
1042 return i < 0 ? -1 : +1;
1043 if (a->sport > b->sport)
1044 return +1;
1045 if (a->sport < b->sport)
1046 return -1;
1047 if (a->type != 'D') {
1048 if ( (i = nullstrcmp(a->daddr, b->daddr)) != 0)
1049 return i < 0 ? -1 : +1;
1050 if (a->dport > b->dport)
1051 return +1;
1052 if (a->dport < b->dport)
1053 return -1;
1054 }
1055 return 0;
1056 }
1057
1058 static int alloc_channel_id(Ssh ssh)
1059 {
1060 const unsigned CHANNEL_NUMBER_OFFSET = 256;
1061 unsigned low, high, mid;
1062 int tsize;
1063 struct ssh_channel *c;
1064
1065 /*
1066 * First-fit allocation of channel numbers: always pick the
1067 * lowest unused one. To do this, binary-search using the
1068 * counted B-tree to find the largest channel ID which is in a
1069 * contiguous sequence from the beginning. (Precisely
1070 * everything in that sequence must have ID equal to its tree
1071 * index plus CHANNEL_NUMBER_OFFSET.)
1072 */
1073 tsize = count234(ssh->channels);
1074
1075 low = -1;
1076 high = tsize;
1077 while (high - low > 1) {
1078 mid = (high + low) / 2;
1079 c = index234(ssh->channels, mid);
1080 if (c->localid == mid + CHANNEL_NUMBER_OFFSET)
1081 low = mid; /* this one is fine */
1082 else
1083 high = mid; /* this one is past it */
1084 }
1085 /*
1086 * Now low points to either -1, or the tree index of the
1087 * largest ID in the initial sequence.
1088 */
1089 {
1090 unsigned i = low + 1 + CHANNEL_NUMBER_OFFSET;
1091 assert(NULL == find234(ssh->channels, &i, ssh_channelfind));
1092 }
1093 return low + 1 + CHANNEL_NUMBER_OFFSET;
1094 }
1095
1096 static void c_write_stderr(int trusted, const char *buf, int len)
1097 {
1098 int i;
1099 for (i = 0; i < len; i++)
1100 if (buf[i] != '\r' && (trusted || buf[i] == '\n' || (buf[i] & 0x60)))
1101 fputc(buf[i], stderr);
1102 }
1103
1104 static void c_write(Ssh ssh, const char *buf, int len)
1105 {
1106 if (flags & FLAG_STDERR)
1107 c_write_stderr(1, buf, len);
1108 else
1109 from_backend(ssh->frontend, 1, buf, len);
1110 }
1111
1112 static void c_write_untrusted(Ssh ssh, const char *buf, int len)
1113 {
1114 if (flags & FLAG_STDERR)
1115 c_write_stderr(0, buf, len);
1116 else
1117 from_backend_untrusted(ssh->frontend, buf, len);
1118 }
1119
1120 static void c_write_str(Ssh ssh, const char *buf)
1121 {
1122 c_write(ssh, buf, strlen(buf));
1123 }
1124
1125 static void ssh_free_packet(struct Packet *pkt)
1126 {
1127 sfree(pkt->data);
1128 sfree(pkt);
1129 }
1130 static struct Packet *ssh_new_packet(void)
1131 {
1132 struct Packet *pkt = snew(struct Packet);
1133
1134 pkt->body = pkt->data = NULL;
1135 pkt->maxlen = 0;
1136 pkt->logmode = PKTLOG_EMIT;
1137 pkt->nblanks = 0;
1138 pkt->blanks = NULL;
1139
1140 return pkt;
1141 }
1142
1143 /*
1144 * Collect incoming data in the incoming packet buffer.
1145 * Decipher and verify the packet when it is completely read.
1146 * Drop SSH1_MSG_DEBUG and SSH1_MSG_IGNORE packets.
1147 * Update the *data and *datalen variables.
1148 * Return a Packet structure when a packet is completed.
1149 */
1150 static struct Packet *ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1151 {
1152 struct rdpkt1_state_tag *st = &ssh->rdpkt1_state;
1153
1154 crBegin(ssh->ssh1_rdpkt_crstate);
1155
1156 st->pktin = ssh_new_packet();
1157
1158 st->pktin->type = 0;
1159 st->pktin->length = 0;
1160
1161 for (st->i = st->len = 0; st->i < 4; st->i++) {
1162 while ((*datalen) == 0)
1163 crReturn(NULL);
1164 st->len = (st->len << 8) + **data;
1165 (*data)++, (*datalen)--;
1166 }
1167
1168 st->pad = 8 - (st->len % 8);
1169 st->biglen = st->len + st->pad;
1170 st->pktin->length = st->len - 5;
1171
1172 if (st->biglen < 0) {
1173 bombout(("Extremely large packet length from server suggests"
1174 " data stream corruption"));
1175 ssh_free_packet(st->pktin);
1176 crStop(NULL);
1177 }
1178
1179 st->pktin->maxlen = st->biglen;
1180 st->pktin->data = snewn(st->biglen + APIEXTRA, unsigned char);
1181
1182 st->to_read = st->biglen;
1183 st->p = st->pktin->data;
1184 while (st->to_read > 0) {
1185 st->chunk = st->to_read;
1186 while ((*datalen) == 0)
1187 crReturn(NULL);
1188 if (st->chunk > (*datalen))
1189 st->chunk = (*datalen);
1190 memcpy(st->p, *data, st->chunk);
1191 *data += st->chunk;
1192 *datalen -= st->chunk;
1193 st->p += st->chunk;
1194 st->to_read -= st->chunk;
1195 }
1196
1197 if (ssh->cipher && detect_attack(ssh->crcda_ctx, st->pktin->data,
1198 st->biglen, NULL)) {
1199 bombout(("Network attack (CRC compensation) detected!"));
1200 ssh_free_packet(st->pktin);
1201 crStop(NULL);
1202 }
1203
1204 if (ssh->cipher)
1205 ssh->cipher->decrypt(ssh->v1_cipher_ctx, st->pktin->data, st->biglen);
1206
1207 st->realcrc = crc32_compute(st->pktin->data, st->biglen - 4);
1208 st->gotcrc = GET_32BIT(st->pktin->data + st->biglen - 4);
1209 if (st->gotcrc != st->realcrc) {
1210 bombout(("Incorrect CRC received on packet"));
1211 ssh_free_packet(st->pktin);
1212 crStop(NULL);
1213 }
1214
1215 st->pktin->body = st->pktin->data + st->pad + 1;
1216 st->pktin->savedpos = 0;
1217
1218 if (ssh->v1_compressing) {
1219 unsigned char *decompblk;
1220 int decomplen;
1221 if (!zlib_decompress_block(ssh->sc_comp_ctx,
1222 st->pktin->body - 1, st->pktin->length + 1,
1223 &decompblk, &decomplen)) {
1224 bombout(("Zlib decompression encountered invalid data"));
1225 ssh_free_packet(st->pktin);
1226 crStop(NULL);
1227 }
1228
1229 if (st->pktin->maxlen < st->pad + decomplen) {
1230 st->pktin->maxlen = st->pad + decomplen;
1231 st->pktin->data = sresize(st->pktin->data,
1232 st->pktin->maxlen + APIEXTRA,
1233 unsigned char);
1234 st->pktin->body = st->pktin->data + st->pad + 1;
1235 }
1236
1237 memcpy(st->pktin->body - 1, decompblk, decomplen);
1238 sfree(decompblk);
1239 st->pktin->length = decomplen - 1;
1240 }
1241
1242 st->pktin->type = st->pktin->body[-1];
1243
1244 /*
1245 * Log incoming packet, possibly omitting sensitive fields.
1246 */
1247 if (ssh->logctx) {
1248 int nblanks = 0;
1249 struct logblank_t blank;
1250 if (ssh->cfg.logomitdata) {
1251 int do_blank = FALSE, blank_prefix = 0;
1252 /* "Session data" packets - omit the data field */
1253 if ((st->pktin->type == SSH1_SMSG_STDOUT_DATA) ||
1254 (st->pktin->type == SSH1_SMSG_STDERR_DATA)) {
1255 do_blank = TRUE; blank_prefix = 4;
1256 } else if (st->pktin->type == SSH1_MSG_CHANNEL_DATA) {
1257 do_blank = TRUE; blank_prefix = 8;
1258 }
1259 if (do_blank) {
1260 blank.offset = blank_prefix;
1261 blank.len = st->pktin->length;
1262 blank.type = PKTLOG_OMIT;
1263 nblanks = 1;
1264 }
1265 }
1266 log_packet(ssh->logctx,
1267 PKT_INCOMING, st->pktin->type,
1268 ssh1_pkt_type(st->pktin->type),
1269 st->pktin->body, st->pktin->length,
1270 nblanks, &blank);
1271 }
1272
1273 crFinish(st->pktin);
1274 }
1275
1276 static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1277 {
1278 struct rdpkt2_state_tag *st = &ssh->rdpkt2_state;
1279
1280 crBegin(ssh->ssh2_rdpkt_crstate);
1281
1282 st->pktin = ssh_new_packet();
1283
1284 st->pktin->type = 0;
1285 st->pktin->length = 0;
1286 if (ssh->sccipher)
1287 st->cipherblk = ssh->sccipher->blksize;
1288 else
1289 st->cipherblk = 8;
1290 if (st->cipherblk < 8)
1291 st->cipherblk = 8;
1292
1293 st->pktin->data = snewn(st->cipherblk + APIEXTRA, unsigned char);
1294
1295 /*
1296 * Acquire and decrypt the first block of the packet. This will
1297 * contain the length and padding details.
1298 */
1299 for (st->i = st->len = 0; st->i < st->cipherblk; st->i++) {
1300 while ((*datalen) == 0)
1301 crReturn(NULL);
1302 st->pktin->data[st->i] = *(*data)++;
1303 (*datalen)--;
1304 }
1305
1306 if (ssh->sccipher)
1307 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1308 st->pktin->data, st->cipherblk);
1309
1310 /*
1311 * Now get the length and padding figures.
1312 */
1313 st->len = GET_32BIT(st->pktin->data);
1314 st->pad = st->pktin->data[4];
1315
1316 /*
1317 * _Completely_ silly lengths should be stomped on before they
1318 * do us any more damage.
1319 */
1320 if (st->len < 0 || st->len > 35000 || st->pad < 4 ||
1321 st->len - st->pad < 1 || (st->len + 4) % st->cipherblk != 0) {
1322 bombout(("Incoming packet was garbled on decryption"));
1323 ssh_free_packet(st->pktin);
1324 crStop(NULL);
1325 }
1326
1327 /*
1328 * This enables us to deduce the payload length.
1329 */
1330 st->payload = st->len - st->pad - 1;
1331
1332 st->pktin->length = st->payload + 5;
1333
1334 /*
1335 * So now we can work out the total packet length.
1336 */
1337 st->packetlen = st->len + 4;
1338 st->maclen = ssh->scmac ? ssh->scmac->len : 0;
1339
1340 /*
1341 * Allocate memory for the rest of the packet.
1342 */
1343 st->pktin->maxlen = st->packetlen + st->maclen;
1344 st->pktin->data = sresize(st->pktin->data,
1345 st->pktin->maxlen + APIEXTRA,
1346 unsigned char);
1347
1348 /*
1349 * Read and decrypt the remainder of the packet.
1350 */
1351 for (st->i = st->cipherblk; st->i < st->packetlen + st->maclen;
1352 st->i++) {
1353 while ((*datalen) == 0)
1354 crReturn(NULL);
1355 st->pktin->data[st->i] = *(*data)++;
1356 (*datalen)--;
1357 }
1358 /* Decrypt everything _except_ the MAC. */
1359 if (ssh->sccipher)
1360 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1361 st->pktin->data + st->cipherblk,
1362 st->packetlen - st->cipherblk);
1363
1364 st->pktin->encrypted_len = st->packetlen;
1365
1366 /*
1367 * Check the MAC.
1368 */
1369 if (ssh->scmac
1370 && !ssh->scmac->verify(ssh->sc_mac_ctx, st->pktin->data, st->len + 4,
1371 st->incoming_sequence)) {
1372 bombout(("Incorrect MAC received on packet"));
1373 ssh_free_packet(st->pktin);
1374 crStop(NULL);
1375 }
1376
1377 st->pktin->sequence = st->incoming_sequence++;
1378
1379 /*
1380 * Decompress packet payload.
1381 */
1382 {
1383 unsigned char *newpayload;
1384 int newlen;
1385 if (ssh->sccomp &&
1386 ssh->sccomp->decompress(ssh->sc_comp_ctx,
1387 st->pktin->data + 5, st->pktin->length - 5,
1388 &newpayload, &newlen)) {
1389 if (st->pktin->maxlen < newlen + 5) {
1390 st->pktin->maxlen = newlen + 5;
1391 st->pktin->data = sresize(st->pktin->data,
1392 st->pktin->maxlen + APIEXTRA,
1393 unsigned char);
1394 }
1395 st->pktin->length = 5 + newlen;
1396 memcpy(st->pktin->data + 5, newpayload, newlen);
1397 sfree(newpayload);
1398 }
1399 }
1400
1401 st->pktin->savedpos = 6;
1402 st->pktin->body = st->pktin->data;
1403 st->pktin->type = st->pktin->data[5];
1404
1405 /*
1406 * Log incoming packet, possibly omitting sensitive fields.
1407 */
1408 if (ssh->logctx) {
1409 int nblanks = 0;
1410 struct logblank_t blank;
1411 if (ssh->cfg.logomitdata) {
1412 int do_blank = FALSE, blank_prefix = 0;
1413 /* "Session data" packets - omit the data field */
1414 if (st->pktin->type == SSH2_MSG_CHANNEL_DATA) {
1415 do_blank = TRUE; blank_prefix = 8;
1416 } else if (st->pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA) {
1417 do_blank = TRUE; blank_prefix = 12;
1418 }
1419 if (do_blank) {
1420 blank.offset = blank_prefix;
1421 blank.len = (st->pktin->length-6) - blank_prefix;
1422 blank.type = PKTLOG_OMIT;
1423 nblanks = 1;
1424 }
1425 }
1426 log_packet(ssh->logctx, PKT_INCOMING, st->pktin->type,
1427 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx,
1428 st->pktin->type),
1429 st->pktin->data+6, st->pktin->length-6,
1430 nblanks, &blank);
1431 }
1432
1433 crFinish(st->pktin);
1434 }
1435
1436 static int s_wrpkt_prepare(Ssh ssh, struct Packet *pkt, int *offset_p)
1437 {
1438 int pad, biglen, i, pktoffs;
1439 unsigned long crc;
1440 #ifdef __SC__
1441 /*
1442 * XXX various versions of SC (including 8.8.4) screw up the
1443 * register allocation in this function and use the same register
1444 * (D6) for len and as a temporary, with predictable results. The
1445 * following sledgehammer prevents this.
1446 */
1447 volatile
1448 #endif
1449 int len;
1450
1451 if (ssh->logctx)
1452 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[12],
1453 ssh1_pkt_type(pkt->data[12]),
1454 pkt->body, pkt->length - (pkt->body - pkt->data),
1455 pkt->nblanks, pkt->blanks);
1456 sfree(pkt->blanks); pkt->blanks = NULL;
1457 pkt->nblanks = 0;
1458
1459 if (ssh->v1_compressing) {
1460 unsigned char *compblk;
1461 int complen;
1462 zlib_compress_block(ssh->cs_comp_ctx,
1463 pkt->data + 12, pkt->length - 12,
1464 &compblk, &complen);
1465 ssh_pkt_ensure(pkt, complen + 2); /* just in case it's got bigger */
1466 memcpy(pkt->data + 12, compblk, complen);
1467 sfree(compblk);
1468 pkt->length = complen + 12;
1469 }
1470
1471 ssh_pkt_ensure(pkt, pkt->length + 4); /* space for CRC */
1472 pkt->length += 4;
1473 len = pkt->length - 4 - 8; /* len(type+data+CRC) */
1474 pad = 8 - (len % 8);
1475 pktoffs = 8 - pad;
1476 biglen = len + pad; /* len(padding+type+data+CRC) */
1477
1478 for (i = pktoffs; i < 4+8; i++)
1479 pkt->data[i] = random_byte();
1480 crc = crc32_compute(pkt->data + pktoffs + 4, biglen - 4); /* all ex len */
1481 PUT_32BIT(pkt->data + pktoffs + 4 + biglen - 4, crc);
1482 PUT_32BIT(pkt->data + pktoffs, len);
1483
1484 if (ssh->cipher)
1485 ssh->cipher->encrypt(ssh->v1_cipher_ctx,
1486 pkt->data + pktoffs + 4, biglen);
1487
1488 if (offset_p) *offset_p = pktoffs;
1489 return biglen + 4; /* len(length+padding+type+data+CRC) */
1490 }
1491
1492 static int s_write(Ssh ssh, void *data, int len)
1493 {
1494 if (ssh->logctx)
1495 log_packet(ssh->logctx, PKT_OUTGOING, -1, NULL, data, len, 0, NULL);
1496 return sk_write(ssh->s, (char *)data, len);
1497 }
1498
1499 static void s_wrpkt(Ssh ssh, struct Packet *pkt)
1500 {
1501 int len, backlog, offset;
1502 len = s_wrpkt_prepare(ssh, pkt, &offset);
1503 backlog = s_write(ssh, pkt->data + offset, len);
1504 if (backlog > SSH_MAX_BACKLOG)
1505 ssh_throttle_all(ssh, 1, backlog);
1506 ssh_free_packet(pkt);
1507 }
1508
1509 static void s_wrpkt_defer(Ssh ssh, struct Packet *pkt)
1510 {
1511 int len, offset;
1512 len = s_wrpkt_prepare(ssh, pkt, &offset);
1513 if (ssh->deferred_len + len > ssh->deferred_size) {
1514 ssh->deferred_size = ssh->deferred_len + len + 128;
1515 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1516 ssh->deferred_size,
1517 unsigned char);
1518 }
1519 memcpy(ssh->deferred_send_data + ssh->deferred_len,
1520 pkt->data + offset, len);
1521 ssh->deferred_len += len;
1522 ssh_free_packet(pkt);
1523 }
1524
1525 /*
1526 * Construct a SSH-1 packet with the specified contents.
1527 * (This all-at-once interface used to be the only one, but now SSH-1
1528 * packets can also be constructed incrementally.)
1529 */
1530 static struct Packet *construct_packet(Ssh ssh, int pkttype, va_list ap)
1531 {
1532 int argtype;
1533 Bignum bn;
1534 struct Packet *pkt;
1535
1536 pkt = ssh1_pkt_init(pkttype);
1537
1538 while ((argtype = va_arg(ap, int)) != PKT_END) {
1539 unsigned char *argp, argchar;
1540 char *sargp;
1541 unsigned long argint;
1542 int arglen;
1543 switch (argtype) {
1544 /* Actual fields in the packet */
1545 case PKT_INT:
1546 argint = va_arg(ap, int);
1547 ssh_pkt_adduint32(pkt, argint);
1548 break;
1549 case PKT_CHAR:
1550 argchar = (unsigned char) va_arg(ap, int);
1551 ssh_pkt_addbyte(pkt, argchar);
1552 break;
1553 case PKT_DATA:
1554 argp = va_arg(ap, unsigned char *);
1555 arglen = va_arg(ap, int);
1556 ssh_pkt_adddata(pkt, argp, arglen);
1557 break;
1558 case PKT_STR:
1559 sargp = va_arg(ap, char *);
1560 ssh_pkt_addstring(pkt, sargp);
1561 break;
1562 case PKT_BIGNUM:
1563 bn = va_arg(ap, Bignum);
1564 ssh1_pkt_addmp(pkt, bn);
1565 break;
1566 /* Tokens for modifications to packet logging */
1567 case PKTT_PASSWORD:
1568 dont_log_password(ssh, pkt, PKTLOG_BLANK);
1569 break;
1570 case PKTT_DATA:
1571 dont_log_data(ssh, pkt, PKTLOG_OMIT);
1572 break;
1573 case PKTT_OTHER:
1574 end_log_omission(ssh, pkt);
1575 break;
1576 }
1577 }
1578
1579 return pkt;
1580 }
1581
1582 static void send_packet(Ssh ssh, int pkttype, ...)
1583 {
1584 struct Packet *pkt;
1585 va_list ap;
1586 va_start(ap, pkttype);
1587 pkt = construct_packet(ssh, pkttype, ap);
1588 va_end(ap);
1589 s_wrpkt(ssh, pkt);
1590 }
1591
1592 static void defer_packet(Ssh ssh, int pkttype, ...)
1593 {
1594 struct Packet *pkt;
1595 va_list ap;
1596 va_start(ap, pkttype);
1597 pkt = construct_packet(ssh, pkttype, ap);
1598 va_end(ap);
1599 s_wrpkt_defer(ssh, pkt);
1600 }
1601
1602 static int ssh_versioncmp(char *a, char *b)
1603 {
1604 char *ae, *be;
1605 unsigned long av, bv;
1606
1607 av = strtoul(a, &ae, 10);
1608 bv = strtoul(b, &be, 10);
1609 if (av != bv)
1610 return (av < bv ? -1 : +1);
1611 if (*ae == '.')
1612 ae++;
1613 if (*be == '.')
1614 be++;
1615 av = strtoul(ae, &ae, 10);
1616 bv = strtoul(be, &be, 10);
1617 if (av != bv)
1618 return (av < bv ? -1 : +1);
1619 return 0;
1620 }
1621
1622 /*
1623 * Utility routines for putting an SSH-protocol `string' and
1624 * `uint32' into a hash state.
1625 */
1626 static void hash_string(const struct ssh_hash *h, void *s, void *str, int len)
1627 {
1628 unsigned char lenblk[4];
1629 PUT_32BIT(lenblk, len);
1630 h->bytes(s, lenblk, 4);
1631 h->bytes(s, str, len);
1632 }
1633
1634 static void hash_uint32(const struct ssh_hash *h, void *s, unsigned i)
1635 {
1636 unsigned char intblk[4];
1637 PUT_32BIT(intblk, i);
1638 h->bytes(s, intblk, 4);
1639 }
1640
1641 /*
1642 * Packet construction functions. Mostly shared between SSH-1 and SSH-2.
1643 */
1644 static void ssh_pkt_ensure(struct Packet *pkt, int length)
1645 {
1646 if (pkt->maxlen < length) {
1647 unsigned char *body = pkt->body;
1648 int offset = body ? body - pkt->data : 0;
1649 pkt->maxlen = length + 256;
1650 pkt->data = sresize(pkt->data, pkt->maxlen + APIEXTRA, unsigned char);
1651 if (body) pkt->body = pkt->data + offset;
1652 }
1653 }
1654 static void ssh_pkt_adddata(struct Packet *pkt, void *data, int len)
1655 {
1656 if (pkt->logmode != PKTLOG_EMIT) {
1657 pkt->nblanks++;
1658 pkt->blanks = sresize(pkt->blanks, pkt->nblanks, struct logblank_t);
1659 assert(pkt->body);
1660 pkt->blanks[pkt->nblanks-1].offset = pkt->length -
1661 (pkt->body - pkt->data);
1662 pkt->blanks[pkt->nblanks-1].len = len;
1663 pkt->blanks[pkt->nblanks-1].type = pkt->logmode;
1664 }
1665 pkt->length += len;
1666 ssh_pkt_ensure(pkt, pkt->length);
1667 memcpy(pkt->data + pkt->length - len, data, len);
1668 }
1669 static void ssh_pkt_addbyte(struct Packet *pkt, unsigned char byte)
1670 {
1671 ssh_pkt_adddata(pkt, &byte, 1);
1672 }
1673 static void ssh2_pkt_addbool(struct Packet *pkt, unsigned char value)
1674 {
1675 ssh_pkt_adddata(pkt, &value, 1);
1676 }
1677 static void ssh_pkt_adduint32(struct Packet *pkt, unsigned long value)
1678 {
1679 unsigned char x[4];
1680 PUT_32BIT(x, value);
1681 ssh_pkt_adddata(pkt, x, 4);
1682 }
1683 static void ssh_pkt_addstring_start(struct Packet *pkt)
1684 {
1685 ssh_pkt_adduint32(pkt, 0);
1686 pkt->savedpos = pkt->length;
1687 }
1688 static void ssh_pkt_addstring_str(struct Packet *pkt, char *data)
1689 {
1690 ssh_pkt_adddata(pkt, data, strlen(data));
1691 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1692 }
1693 static void ssh_pkt_addstring_data(struct Packet *pkt, char *data, int len)
1694 {
1695 ssh_pkt_adddata(pkt, data, len);
1696 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1697 }
1698 static void ssh_pkt_addstring(struct Packet *pkt, char *data)
1699 {
1700 ssh_pkt_addstring_start(pkt);
1701 ssh_pkt_addstring_str(pkt, data);
1702 }
1703 static void ssh1_pkt_addmp(struct Packet *pkt, Bignum b)
1704 {
1705 int len = ssh1_bignum_length(b);
1706 unsigned char *data = snewn(len, unsigned char);
1707 (void) ssh1_write_bignum(data, b);
1708 ssh_pkt_adddata(pkt, data, len);
1709 sfree(data);
1710 }
1711 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len)
1712 {
1713 unsigned char *p;
1714 int i, n = (bignum_bitcount(b) + 7) / 8;
1715 p = snewn(n + 1, unsigned char);
1716 p[0] = 0;
1717 for (i = 1; i <= n; i++)
1718 p[i] = bignum_byte(b, n - i);
1719 i = 0;
1720 while (i <= n && p[i] == 0 && (p[i + 1] & 0x80) == 0)
1721 i++;
1722 memmove(p, p + i, n + 1 - i);
1723 *len = n + 1 - i;
1724 return p;
1725 }
1726 static void ssh2_pkt_addmp(struct Packet *pkt, Bignum b)
1727 {
1728 unsigned char *p;
1729 int len;
1730 p = ssh2_mpint_fmt(b, &len);
1731 ssh_pkt_addstring_start(pkt);
1732 ssh_pkt_addstring_data(pkt, (char *)p, len);
1733 sfree(p);
1734 }
1735
1736 static struct Packet *ssh1_pkt_init(int pkt_type)
1737 {
1738 struct Packet *pkt = ssh_new_packet();
1739 pkt->length = 4 + 8; /* space for length + max padding */
1740 ssh_pkt_addbyte(pkt, pkt_type);
1741 pkt->body = pkt->data + pkt->length;
1742 return pkt;
1743 }
1744
1745 /* For legacy code (SSH-1 and -2 packet construction used to be separate) */
1746 #define ssh2_pkt_ensure(pkt, length) ssh_pkt_ensure(pkt, length)
1747 #define ssh2_pkt_adddata(pkt, data, len) ssh_pkt_adddata(pkt, data, len)
1748 #define ssh2_pkt_addbyte(pkt, byte) ssh_pkt_addbyte(pkt, byte)
1749 #define ssh2_pkt_adduint32(pkt, value) ssh_pkt_adduint32(pkt, value)
1750 #define ssh2_pkt_addstring_start(pkt) ssh_pkt_addstring_start(pkt)
1751 #define ssh2_pkt_addstring_str(pkt, data) ssh_pkt_addstring_str(pkt, data)
1752 #define ssh2_pkt_addstring_data(pkt, data, len) ssh_pkt_addstring_data(pkt, data, len)
1753 #define ssh2_pkt_addstring(pkt, data) ssh_pkt_addstring(pkt, data)
1754
1755 static struct Packet *ssh2_pkt_init(int pkt_type)
1756 {
1757 struct Packet *pkt = ssh_new_packet();
1758 pkt->length = 5; /* space for packet length + padding length */
1759 pkt->forcepad = 0;
1760 ssh_pkt_addbyte(pkt, (unsigned char) pkt_type);
1761 pkt->body = pkt->data + pkt->length; /* after packet type */
1762 return pkt;
1763 }
1764
1765 /*
1766 * Construct an SSH-2 final-form packet: compress it, encrypt it,
1767 * put the MAC on it. Final packet, ready to be sent, is stored in
1768 * pkt->data. Total length is returned.
1769 */
1770 static int ssh2_pkt_construct(Ssh ssh, struct Packet *pkt)
1771 {
1772 int cipherblk, maclen, padding, i;
1773
1774 if (ssh->logctx)
1775 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[5],
1776 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx, pkt->data[5]),
1777 pkt->body, pkt->length - (pkt->body - pkt->data),
1778 pkt->nblanks, pkt->blanks);
1779 sfree(pkt->blanks); pkt->blanks = NULL;
1780 pkt->nblanks = 0;
1781
1782 /*
1783 * Compress packet payload.
1784 */
1785 {
1786 unsigned char *newpayload;
1787 int newlen;
1788 if (ssh->cscomp &&
1789 ssh->cscomp->compress(ssh->cs_comp_ctx, pkt->data + 5,
1790 pkt->length - 5,
1791 &newpayload, &newlen)) {
1792 pkt->length = 5;
1793 ssh2_pkt_adddata(pkt, newpayload, newlen);
1794 sfree(newpayload);
1795 }
1796 }
1797
1798 /*
1799 * Add padding. At least four bytes, and must also bring total
1800 * length (minus MAC) up to a multiple of the block size.
1801 * If pkt->forcepad is set, make sure the packet is at least that size
1802 * after padding.
1803 */
1804 cipherblk = ssh->cscipher ? ssh->cscipher->blksize : 8; /* block size */
1805 cipherblk = cipherblk < 8 ? 8 : cipherblk; /* or 8 if blksize < 8 */
1806 padding = 4;
1807 if (pkt->length + padding < pkt->forcepad)
1808 padding = pkt->forcepad - pkt->length;
1809 padding +=
1810 (cipherblk - (pkt->length + padding) % cipherblk) % cipherblk;
1811 assert(padding <= 255);
1812 maclen = ssh->csmac ? ssh->csmac->len : 0;
1813 ssh2_pkt_ensure(pkt, pkt->length + padding + maclen);
1814 pkt->data[4] = padding;
1815 for (i = 0; i < padding; i++)
1816 pkt->data[pkt->length + i] = random_byte();
1817 PUT_32BIT(pkt->data, pkt->length + padding - 4);
1818 if (ssh->csmac)
1819 ssh->csmac->generate(ssh->cs_mac_ctx, pkt->data,
1820 pkt->length + padding,
1821 ssh->v2_outgoing_sequence);
1822 ssh->v2_outgoing_sequence++; /* whether or not we MACed */
1823
1824 if (ssh->cscipher)
1825 ssh->cscipher->encrypt(ssh->cs_cipher_ctx,
1826 pkt->data, pkt->length + padding);
1827
1828 pkt->encrypted_len = pkt->length + padding;
1829
1830 /* Ready-to-send packet starts at pkt->data. We return length. */
1831 return pkt->length + padding + maclen;
1832 }
1833
1834 /*
1835 * Routines called from the main SSH code to send packets. There
1836 * are quite a few of these, because we have two separate
1837 * mechanisms for delaying the sending of packets:
1838 *
1839 * - In order to send an IGNORE message and a password message in
1840 * a single fixed-length blob, we require the ability to
1841 * concatenate the encrypted forms of those two packets _into_ a
1842 * single blob and then pass it to our <network.h> transport
1843 * layer in one go. Hence, there's a deferment mechanism which
1844 * works after packet encryption.
1845 *
1846 * - In order to avoid sending any connection-layer messages
1847 * during repeat key exchange, we have to queue up any such
1848 * outgoing messages _before_ they are encrypted (and in
1849 * particular before they're allocated sequence numbers), and
1850 * then send them once we've finished.
1851 *
1852 * I call these mechanisms `defer' and `queue' respectively, so as
1853 * to distinguish them reasonably easily.
1854 *
1855 * The functions send_noqueue() and defer_noqueue() free the packet
1856 * structure they are passed. Every outgoing packet goes through
1857 * precisely one of these functions in its life; packets passed to
1858 * ssh2_pkt_send() or ssh2_pkt_defer() either go straight to one of
1859 * these or get queued, and then when the queue is later emptied
1860 * the packets are all passed to defer_noqueue().
1861 *
1862 * When using a CBC-mode cipher, it's necessary to ensure that an
1863 * attacker can't provide data to be encrypted using an IV that they
1864 * know. We ensure this by prefixing each packet that might contain
1865 * user data with an SSH_MSG_IGNORE. This is done using the deferral
1866 * mechanism, so in this case send_noqueue() ends up redirecting to
1867 * defer_noqueue(). If you don't like this inefficiency, don't use
1868 * CBC.
1869 */
1870
1871 static void ssh2_pkt_defer_noqueue(Ssh, struct Packet *, int);
1872 static void ssh_pkt_defersend(Ssh);
1873
1874 /*
1875 * Send an SSH-2 packet immediately, without queuing or deferring.
1876 */
1877 static void ssh2_pkt_send_noqueue(Ssh ssh, struct Packet *pkt)
1878 {
1879 int len;
1880 int backlog;
1881 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC)) {
1882 /* We need to send two packets, so use the deferral mechanism. */
1883 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1884 ssh_pkt_defersend(ssh);
1885 return;
1886 }
1887 len = ssh2_pkt_construct(ssh, pkt);
1888 backlog = s_write(ssh, pkt->data, len);
1889 if (backlog > SSH_MAX_BACKLOG)
1890 ssh_throttle_all(ssh, 1, backlog);
1891
1892 ssh->outgoing_data_size += pkt->encrypted_len;
1893 if (!ssh->kex_in_progress &&
1894 ssh->max_data_size != 0 &&
1895 ssh->outgoing_data_size > ssh->max_data_size)
1896 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
1897
1898 ssh_free_packet(pkt);
1899 }
1900
1901 /*
1902 * Defer an SSH-2 packet.
1903 */
1904 static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt, int noignore)
1905 {
1906 int len;
1907 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC) &&
1908 ssh->deferred_len == 0 && !noignore) {
1909 /*
1910 * Interpose an SSH_MSG_IGNORE to ensure that user data don't
1911 * get encrypted with a known IV.
1912 */
1913 struct Packet *ipkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
1914 ssh2_pkt_addstring_start(ipkt);
1915 ssh2_pkt_defer_noqueue(ssh, ipkt, TRUE);
1916 }
1917 len = ssh2_pkt_construct(ssh, pkt);
1918 if (ssh->deferred_len + len > ssh->deferred_size) {
1919 ssh->deferred_size = ssh->deferred_len + len + 128;
1920 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1921 ssh->deferred_size,
1922 unsigned char);
1923 }
1924 memcpy(ssh->deferred_send_data + ssh->deferred_len, pkt->data, len);
1925 ssh->deferred_len += len;
1926 ssh->deferred_data_size += pkt->encrypted_len;
1927 ssh_free_packet(pkt);
1928 }
1929
1930 /*
1931 * Queue an SSH-2 packet.
1932 */
1933 static void ssh2_pkt_queue(Ssh ssh, struct Packet *pkt)
1934 {
1935 assert(ssh->queueing);
1936
1937 if (ssh->queuelen >= ssh->queuesize) {
1938 ssh->queuesize = ssh->queuelen + 32;
1939 ssh->queue = sresize(ssh->queue, ssh->queuesize, struct Packet *);
1940 }
1941
1942 ssh->queue[ssh->queuelen++] = pkt;
1943 }
1944
1945 /*
1946 * Either queue or send a packet, depending on whether queueing is
1947 * set.
1948 */
1949 static void ssh2_pkt_send(Ssh ssh, struct Packet *pkt)
1950 {
1951 if (ssh->queueing)
1952 ssh2_pkt_queue(ssh, pkt);
1953 else
1954 ssh2_pkt_send_noqueue(ssh, pkt);
1955 }
1956
1957 /*
1958 * Either queue or defer a packet, depending on whether queueing is
1959 * set.
1960 */
1961 static void ssh2_pkt_defer(Ssh ssh, struct Packet *pkt)
1962 {
1963 if (ssh->queueing)
1964 ssh2_pkt_queue(ssh, pkt);
1965 else
1966 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1967 }
1968
1969 /*
1970 * Send the whole deferred data block constructed by
1971 * ssh2_pkt_defer() or SSH-1's defer_packet().
1972 *
1973 * The expected use of the defer mechanism is that you call
1974 * ssh2_pkt_defer() a few times, then call ssh_pkt_defersend(). If
1975 * not currently queueing, this simply sets up deferred_send_data
1976 * and then sends it. If we _are_ currently queueing, the calls to
1977 * ssh2_pkt_defer() put the deferred packets on to the queue
1978 * instead, and therefore ssh_pkt_defersend() has no deferred data
1979 * to send. Hence, there's no need to make it conditional on
1980 * ssh->queueing.
1981 */
1982 static void ssh_pkt_defersend(Ssh ssh)
1983 {
1984 int backlog;
1985 backlog = s_write(ssh, ssh->deferred_send_data, ssh->deferred_len);
1986 ssh->deferred_len = ssh->deferred_size = 0;
1987 sfree(ssh->deferred_send_data);
1988 ssh->deferred_send_data = NULL;
1989 if (backlog > SSH_MAX_BACKLOG)
1990 ssh_throttle_all(ssh, 1, backlog);
1991
1992 ssh->outgoing_data_size += ssh->deferred_data_size;
1993 if (!ssh->kex_in_progress &&
1994 ssh->max_data_size != 0 &&
1995 ssh->outgoing_data_size > ssh->max_data_size)
1996 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
1997 ssh->deferred_data_size = 0;
1998 }
1999
2000 /*
2001 * Send a packet whose length needs to be disguised (typically
2002 * passwords or keyboard-interactive responses).
2003 */
2004 static void ssh2_pkt_send_with_padding(Ssh ssh, struct Packet *pkt,
2005 int padsize)
2006 {
2007 #if 0
2008 if (0) {
2009 /*
2010 * The simplest way to do this is to adjust the
2011 * variable-length padding field in the outgoing packet.
2012 *
2013 * Currently compiled out, because some Cisco SSH servers
2014 * don't like excessively padded packets (bah, why's it
2015 * always Cisco?)
2016 */
2017 pkt->forcepad = padsize;
2018 ssh2_pkt_send(ssh, pkt);
2019 } else
2020 #endif
2021 {
2022 /*
2023 * If we can't do that, however, an alternative approach is
2024 * to use the pkt_defer mechanism to bundle the packet
2025 * tightly together with an SSH_MSG_IGNORE such that their
2026 * combined length is a constant. So first we construct the
2027 * final form of this packet and defer its sending.
2028 */
2029 ssh2_pkt_defer(ssh, pkt);
2030
2031 /*
2032 * Now construct an SSH_MSG_IGNORE which includes a string
2033 * that's an exact multiple of the cipher block size. (If
2034 * the cipher is NULL so that the block size is
2035 * unavailable, we don't do this trick at all, because we
2036 * gain nothing by it.)
2037 */
2038 if (ssh->cscipher) {
2039 int stringlen, i;
2040
2041 stringlen = (256 - ssh->deferred_len);
2042 stringlen += ssh->cscipher->blksize - 1;
2043 stringlen -= (stringlen % ssh->cscipher->blksize);
2044 if (ssh->cscomp) {
2045 /*
2046 * Temporarily disable actual compression, so we
2047 * can guarantee to get this string exactly the
2048 * length we want it. The compression-disabling
2049 * routine should return an integer indicating how
2050 * many bytes we should adjust our string length
2051 * by.
2052 */
2053 stringlen -=
2054 ssh->cscomp->disable_compression(ssh->cs_comp_ctx);
2055 }
2056 pkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
2057 ssh2_pkt_addstring_start(pkt);
2058 for (i = 0; i < stringlen; i++) {
2059 char c = (char) random_byte();
2060 ssh2_pkt_addstring_data(pkt, &c, 1);
2061 }
2062 ssh2_pkt_defer(ssh, pkt);
2063 }
2064 ssh_pkt_defersend(ssh);
2065 }
2066 }
2067
2068 /*
2069 * Send all queued SSH-2 packets. We send them by means of
2070 * ssh2_pkt_defer_noqueue(), in case they included a pair of
2071 * packets that needed to be lumped together.
2072 */
2073 static void ssh2_pkt_queuesend(Ssh ssh)
2074 {
2075 int i;
2076
2077 assert(!ssh->queueing);
2078
2079 for (i = 0; i < ssh->queuelen; i++)
2080 ssh2_pkt_defer_noqueue(ssh, ssh->queue[i], FALSE);
2081 ssh->queuelen = 0;
2082
2083 ssh_pkt_defersend(ssh);
2084 }
2085
2086 #if 0
2087 void bndebug(char *string, Bignum b)
2088 {
2089 unsigned char *p;
2090 int i, len;
2091 p = ssh2_mpint_fmt(b, &len);
2092 debug(("%s", string));
2093 for (i = 0; i < len; i++)
2094 debug((" %02x", p[i]));
2095 debug(("\n"));
2096 sfree(p);
2097 }
2098 #endif
2099
2100 static void hash_mpint(const struct ssh_hash *h, void *s, Bignum b)
2101 {
2102 unsigned char *p;
2103 int len;
2104 p = ssh2_mpint_fmt(b, &len);
2105 hash_string(h, s, p, len);
2106 sfree(p);
2107 }
2108
2109 /*
2110 * Packet decode functions for both SSH-1 and SSH-2.
2111 */
2112 static unsigned long ssh_pkt_getuint32(struct Packet *pkt)
2113 {
2114 unsigned long value;
2115 if (pkt->length - pkt->savedpos < 4)
2116 return 0; /* arrgh, no way to decline (FIXME?) */
2117 value = GET_32BIT(pkt->body + pkt->savedpos);
2118 pkt->savedpos += 4;
2119 return value;
2120 }
2121 static int ssh2_pkt_getbool(struct Packet *pkt)
2122 {
2123 unsigned long value;
2124 if (pkt->length - pkt->savedpos < 1)
2125 return 0; /* arrgh, no way to decline (FIXME?) */
2126 value = pkt->body[pkt->savedpos] != 0;
2127 pkt->savedpos++;
2128 return value;
2129 }
2130 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length)
2131 {
2132 int len;
2133 *p = NULL;
2134 *length = 0;
2135 if (pkt->length - pkt->savedpos < 4)
2136 return;
2137 len = GET_32BIT(pkt->body + pkt->savedpos);
2138 if (len < 0)
2139 return;
2140 *length = len;
2141 pkt->savedpos += 4;
2142 if (pkt->length - pkt->savedpos < *length)
2143 return;
2144 *p = (char *)(pkt->body + pkt->savedpos);
2145 pkt->savedpos += *length;
2146 }
2147 static void *ssh_pkt_getdata(struct Packet *pkt, int length)
2148 {
2149 if (pkt->length - pkt->savedpos < length)
2150 return NULL;
2151 pkt->savedpos += length;
2152 return pkt->body + (pkt->savedpos - length);
2153 }
2154 static int ssh1_pkt_getrsakey(struct Packet *pkt, struct RSAKey *key,
2155 unsigned char **keystr)
2156 {
2157 int j;
2158
2159 j = makekey(pkt->body + pkt->savedpos,
2160 pkt->length - pkt->savedpos,
2161 key, keystr, 0);
2162
2163 if (j < 0)
2164 return FALSE;
2165
2166 pkt->savedpos += j;
2167 assert(pkt->savedpos < pkt->length);
2168
2169 return TRUE;
2170 }
2171 static Bignum ssh1_pkt_getmp(struct Packet *pkt)
2172 {
2173 int j;
2174 Bignum b;
2175
2176 j = ssh1_read_bignum(pkt->body + pkt->savedpos,
2177 pkt->length - pkt->savedpos, &b);
2178
2179 if (j < 0)
2180 return NULL;
2181
2182 pkt->savedpos += j;
2183 return b;
2184 }
2185 static Bignum ssh2_pkt_getmp(struct Packet *pkt)
2186 {
2187 char *p;
2188 int length;
2189 Bignum b;
2190
2191 ssh_pkt_getstring(pkt, &p, &length);
2192 if (!p)
2193 return NULL;
2194 if (p[0] & 0x80)
2195 return NULL;
2196 b = bignum_from_bytes((unsigned char *)p, length);
2197 return b;
2198 }
2199
2200 /*
2201 * Helper function to add an SSH-2 signature blob to a packet.
2202 * Expects to be shown the public key blob as well as the signature
2203 * blob. Normally works just like ssh2_pkt_addstring, but will
2204 * fiddle with the signature packet if necessary for
2205 * BUG_SSH2_RSA_PADDING.
2206 */
2207 static void ssh2_add_sigblob(Ssh ssh, struct Packet *pkt,
2208 void *pkblob_v, int pkblob_len,
2209 void *sigblob_v, int sigblob_len)
2210 {
2211 unsigned char *pkblob = (unsigned char *)pkblob_v;
2212 unsigned char *sigblob = (unsigned char *)sigblob_v;
2213
2214 /* dmemdump(pkblob, pkblob_len); */
2215 /* dmemdump(sigblob, sigblob_len); */
2216
2217 /*
2218 * See if this is in fact an ssh-rsa signature and a buggy
2219 * server; otherwise we can just do this the easy way.
2220 */
2221 if ((ssh->remote_bugs & BUG_SSH2_RSA_PADDING) &&
2222 (GET_32BIT(pkblob) == 7 && !memcmp(pkblob+4, "ssh-rsa", 7))) {
2223 int pos, len, siglen;
2224
2225 /*
2226 * Find the byte length of the modulus.
2227 */
2228
2229 pos = 4+7; /* skip over "ssh-rsa" */
2230 pos += 4 + GET_32BIT(pkblob+pos); /* skip over exponent */
2231 len = GET_32BIT(pkblob+pos); /* find length of modulus */
2232 pos += 4; /* find modulus itself */
2233 while (len > 0 && pkblob[pos] == 0)
2234 len--, pos++;
2235 /* debug(("modulus length is %d\n", len)); */
2236
2237 /*
2238 * Now find the signature integer.
2239 */
2240 pos = 4+7; /* skip over "ssh-rsa" */
2241 siglen = GET_32BIT(sigblob+pos);
2242 /* debug(("signature length is %d\n", siglen)); */
2243
2244 if (len != siglen) {
2245 unsigned char newlen[4];
2246 ssh2_pkt_addstring_start(pkt);
2247 ssh2_pkt_addstring_data(pkt, (char *)sigblob, pos);
2248 /* dmemdump(sigblob, pos); */
2249 pos += 4; /* point to start of actual sig */
2250 PUT_32BIT(newlen, len);
2251 ssh2_pkt_addstring_data(pkt, (char *)newlen, 4);
2252 /* dmemdump(newlen, 4); */
2253 newlen[0] = 0;
2254 while (len-- > siglen) {
2255 ssh2_pkt_addstring_data(pkt, (char *)newlen, 1);
2256 /* dmemdump(newlen, 1); */
2257 }
2258 ssh2_pkt_addstring_data(pkt, (char *)(sigblob+pos), siglen);
2259 /* dmemdump(sigblob+pos, siglen); */
2260 return;
2261 }
2262
2263 /* Otherwise fall through and do it the easy way. */
2264 }
2265
2266 ssh2_pkt_addstring_start(pkt);
2267 ssh2_pkt_addstring_data(pkt, (char *)sigblob, sigblob_len);
2268 }
2269
2270 /*
2271 * Examine the remote side's version string and compare it against
2272 * a list of known buggy implementations.
2273 */
2274 static void ssh_detect_bugs(Ssh ssh, char *vstring)
2275 {
2276 char *imp; /* pointer to implementation part */
2277 imp = vstring;
2278 imp += strcspn(imp, "-");
2279 if (*imp) imp++;
2280 imp += strcspn(imp, "-");
2281 if (*imp) imp++;
2282
2283 ssh->remote_bugs = 0;
2284
2285 /*
2286 * General notes on server version strings:
2287 * - Not all servers reporting "Cisco-1.25" have all the bugs listed
2288 * here -- in particular, we've heard of one that's perfectly happy
2289 * with SSH1_MSG_IGNOREs -- but this string never seems to change,
2290 * so we can't distinguish them.
2291 */
2292 if (ssh->cfg.sshbug_ignore1 == FORCE_ON ||
2293 (ssh->cfg.sshbug_ignore1 == AUTO &&
2294 (!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
2295 !strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
2296 !strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
2297 !strcmp(imp, "OSU_1.4alpha3") || !strcmp(imp, "OSU_1.5alpha4")))) {
2298 /*
2299 * These versions don't support SSH1_MSG_IGNORE, so we have
2300 * to use a different defence against password length
2301 * sniffing.
2302 */
2303 ssh->remote_bugs |= BUG_CHOKES_ON_SSH1_IGNORE;
2304 logevent("We believe remote version has SSH-1 ignore bug");
2305 }
2306
2307 if (ssh->cfg.sshbug_plainpw1 == FORCE_ON ||
2308 (ssh->cfg.sshbug_plainpw1 == AUTO &&
2309 (!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
2310 /*
2311 * These versions need a plain password sent; they can't
2312 * handle having a null and a random length of data after
2313 * the password.
2314 */
2315 ssh->remote_bugs |= BUG_NEEDS_SSH1_PLAIN_PASSWORD;
2316 logevent("We believe remote version needs a plain SSH-1 password");
2317 }
2318
2319 if (ssh->cfg.sshbug_rsa1 == FORCE_ON ||
2320 (ssh->cfg.sshbug_rsa1 == AUTO &&
2321 (!strcmp(imp, "Cisco-1.25")))) {
2322 /*
2323 * These versions apparently have no clue whatever about
2324 * RSA authentication and will panic and die if they see
2325 * an AUTH_RSA message.
2326 */
2327 ssh->remote_bugs |= BUG_CHOKES_ON_RSA;
2328 logevent("We believe remote version can't handle SSH-1 RSA authentication");
2329 }
2330
2331 if (ssh->cfg.sshbug_hmac2 == FORCE_ON ||
2332 (ssh->cfg.sshbug_hmac2 == AUTO &&
2333 !wc_match("* VShell", imp) &&
2334 (wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
2335 wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
2336 wc_match("2.1 *", imp)))) {
2337 /*
2338 * These versions have the HMAC bug.
2339 */
2340 ssh->remote_bugs |= BUG_SSH2_HMAC;
2341 logevent("We believe remote version has SSH-2 HMAC bug");
2342 }
2343
2344 if (ssh->cfg.sshbug_derivekey2 == FORCE_ON ||
2345 (ssh->cfg.sshbug_derivekey2 == AUTO &&
2346 !wc_match("* VShell", imp) &&
2347 (wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
2348 /*
2349 * These versions have the key-derivation bug (failing to
2350 * include the literal shared secret in the hashes that
2351 * generate the keys).
2352 */
2353 ssh->remote_bugs |= BUG_SSH2_DERIVEKEY;
2354 logevent("We believe remote version has SSH-2 key-derivation bug");
2355 }
2356
2357 if (ssh->cfg.sshbug_rsapad2 == FORCE_ON ||
2358 (ssh->cfg.sshbug_rsapad2 == AUTO &&
2359 (wc_match("OpenSSH_2.[5-9]*", imp) ||
2360 wc_match("OpenSSH_3.[0-2]*", imp)))) {
2361 /*
2362 * These versions have the SSH-2 RSA padding bug.
2363 */
2364 ssh->remote_bugs |= BUG_SSH2_RSA_PADDING;
2365 logevent("We believe remote version has SSH-2 RSA padding bug");
2366 }
2367
2368 if (ssh->cfg.sshbug_pksessid2 == FORCE_ON ||
2369 (ssh->cfg.sshbug_pksessid2 == AUTO &&
2370 wc_match("OpenSSH_2.[0-2]*", imp))) {
2371 /*
2372 * These versions have the SSH-2 session-ID bug in
2373 * public-key authentication.
2374 */
2375 ssh->remote_bugs |= BUG_SSH2_PK_SESSIONID;
2376 logevent("We believe remote version has SSH-2 public-key-session-ID bug");
2377 }
2378
2379 if (ssh->cfg.sshbug_rekey2 == FORCE_ON ||
2380 (ssh->cfg.sshbug_rekey2 == AUTO &&
2381 (wc_match("DigiSSH_2.0", imp) ||
2382 wc_match("OpenSSH_2.[0-4]*", imp) ||
2383 wc_match("OpenSSH_2.5.[0-3]*", imp) ||
2384 wc_match("Sun_SSH_1.0", imp) ||
2385 wc_match("Sun_SSH_1.0.1", imp) ||
2386 /* All versions <= 1.2.6 (they changed their format in 1.2.7) */
2387 wc_match("WeOnlyDo-*", imp)))) {
2388 /*
2389 * These versions have the SSH-2 rekey bug.
2390 */
2391 ssh->remote_bugs |= BUG_SSH2_REKEY;
2392 logevent("We believe remote version has SSH-2 rekey bug");
2393 }
2394 }
2395
2396 /*
2397 * The `software version' part of an SSH version string is required
2398 * to contain no spaces or minus signs.
2399 */
2400 static void ssh_fix_verstring(char *str)
2401 {
2402 /* Eat "SSH-<protoversion>-". */
2403 assert(*str == 'S'); str++;
2404 assert(*str == 'S'); str++;
2405 assert(*str == 'H'); str++;
2406 assert(*str == '-'); str++;
2407 while (*str && *str != '-') str++;
2408 assert(*str == '-'); str++;
2409
2410 /* Convert minus signs and spaces in the remaining string into
2411 * underscores. */
2412 while (*str) {
2413 if (*str == '-' || *str == ' ')
2414 *str = '_';
2415 str++;
2416 }
2417 }
2418
2419 /*
2420 * Send an appropriate SSH version string.
2421 */
2422 static void ssh_send_verstring(Ssh ssh, char *svers)
2423 {
2424 char *verstring;
2425
2426 if (ssh->version == 2) {
2427 /*
2428 * Construct a v2 version string.
2429 */
2430 verstring = dupprintf("SSH-2.0-%s\015\012", sshver);
2431 } else {
2432 /*
2433 * Construct a v1 version string.
2434 */
2435 verstring = dupprintf("SSH-%s-%s\012",
2436 (ssh_versioncmp(svers, "1.5") <= 0 ?
2437 svers : "1.5"),
2438 sshver);
2439 }
2440
2441 ssh_fix_verstring(verstring);
2442
2443 if (ssh->version == 2) {
2444 size_t len;
2445 /*
2446 * Record our version string.
2447 */
2448 len = strcspn(verstring, "\015\012");
2449 ssh->v_c = snewn(len + 1, char);
2450 memcpy(ssh->v_c, verstring, len);
2451 ssh->v_c[len] = 0;
2452 }
2453
2454 logeventf(ssh, "We claim version: %.*s",
2455 strcspn(verstring, "\015\012"), verstring);
2456 s_write(ssh, verstring, strlen(verstring));
2457 sfree(verstring);
2458 }
2459
2460 static int do_ssh_init(Ssh ssh, unsigned char c)
2461 {
2462 struct do_ssh_init_state {
2463 int vslen;
2464 char version[10];
2465 char *vstring;
2466 int vstrsize;
2467 int i;
2468 int proto1, proto2;
2469 };
2470 crState(do_ssh_init_state);
2471
2472 crBegin(ssh->do_ssh_init_crstate);
2473
2474 /* Search for a line beginning with the string "SSH-" in the input. */
2475 for (;;) {
2476 if (c != 'S') goto no;
2477 crReturn(1);
2478 if (c != 'S') goto no;
2479 crReturn(1);
2480 if (c != 'H') goto no;
2481 crReturn(1);
2482 if (c != '-') goto no;
2483 break;
2484 no:
2485 while (c != '\012')
2486 crReturn(1);
2487 crReturn(1);
2488 }
2489
2490 s->vstrsize = 16;
2491 s->vstring = snewn(s->vstrsize, char);
2492 strcpy(s->vstring, "SSH-");
2493 s->vslen = 4;
2494 s->i = 0;
2495 while (1) {
2496 crReturn(1); /* get another char */
2497 if (s->vslen >= s->vstrsize - 1) {
2498 s->vstrsize += 16;
2499 s->vstring = sresize(s->vstring, s->vstrsize, char);
2500 }
2501 s->vstring[s->vslen++] = c;
2502 if (s->i >= 0) {
2503 if (c == '-') {
2504 s->version[s->i] = '\0';
2505 s->i = -1;
2506 } else if (s->i < sizeof(s->version) - 1)
2507 s->version[s->i++] = c;
2508 } else if (c == '\012')
2509 break;
2510 }
2511
2512 ssh->agentfwd_enabled = FALSE;
2513 ssh->rdpkt2_state.incoming_sequence = 0;
2514
2515 s->vstring[s->vslen] = 0;
2516 s->vstring[strcspn(s->vstring, "\015\012")] = '\0';/* remove EOL chars */
2517 logeventf(ssh, "Server version: %s", s->vstring);
2518 ssh_detect_bugs(ssh, s->vstring);
2519
2520 /*
2521 * Decide which SSH protocol version to support.
2522 */
2523
2524 /* Anything strictly below "2.0" means protocol 1 is supported. */
2525 s->proto1 = ssh_versioncmp(s->version, "2.0") < 0;
2526 /* Anything greater or equal to "1.99" means protocol 2 is supported. */
2527 s->proto2 = ssh_versioncmp(s->version, "1.99") >= 0;
2528
2529 if (ssh->cfg.sshprot == 0 && !s->proto1) {
2530 bombout(("SSH protocol version 1 required by user but not provided by server"));
2531 crStop(0);
2532 }
2533 if (ssh->cfg.sshprot == 3 && !s->proto2) {
2534 bombout(("SSH protocol version 2 required by user but not provided by server"));
2535 crStop(0);
2536 }
2537
2538 if (s->proto2 && (ssh->cfg.sshprot >= 2 || !s->proto1))
2539 ssh->version = 2;
2540 else
2541 ssh->version = 1;
2542
2543 logeventf(ssh, "Using SSH protocol version %d", ssh->version);
2544
2545 /* Send the version string, if we haven't already */
2546 if (ssh->cfg.sshprot != 3)
2547 ssh_send_verstring(ssh, s->version);
2548
2549 if (ssh->version == 2) {
2550 size_t len;
2551 /*
2552 * Record their version string.
2553 */
2554 len = strcspn(s->vstring, "\015\012");
2555 ssh->v_s = snewn(len + 1, char);
2556 memcpy(ssh->v_s, s->vstring, len);
2557 ssh->v_s[len] = 0;
2558
2559 /*
2560 * Initialise SSH-2 protocol.
2561 */
2562 ssh->protocol = ssh2_protocol;
2563 ssh2_protocol_setup(ssh);
2564 ssh->s_rdpkt = ssh2_rdpkt;
2565 } else {
2566 /*
2567 * Initialise SSH-1 protocol.
2568 */
2569 ssh->protocol = ssh1_protocol;
2570 ssh1_protocol_setup(ssh);
2571 ssh->s_rdpkt = ssh1_rdpkt;
2572 }
2573 if (ssh->version == 2)
2574 do_ssh2_transport(ssh, NULL, -1, NULL);
2575
2576 update_specials_menu(ssh->frontend);
2577 ssh->state = SSH_STATE_BEFORE_SIZE;
2578 ssh->pinger = pinger_new(&ssh->cfg, &ssh_backend, ssh);
2579
2580 sfree(s->vstring);
2581
2582 crFinish(0);
2583 }
2584
2585 static void ssh_process_incoming_data(Ssh ssh,
2586 unsigned char **data, int *datalen)
2587 {
2588 struct Packet *pktin;
2589
2590 pktin = ssh->s_rdpkt(ssh, data, datalen);
2591 if (pktin) {
2592 ssh->protocol(ssh, NULL, 0, pktin);
2593 ssh_free_packet(pktin);
2594 }
2595 }
2596
2597 static void ssh_queue_incoming_data(Ssh ssh,
2598 unsigned char **data, int *datalen)
2599 {
2600 bufchain_add(&ssh->queued_incoming_data, *data, *datalen);
2601 *data += *datalen;
2602 *datalen = 0;
2603 }
2604
2605 static void ssh_process_queued_incoming_data(Ssh ssh)
2606 {
2607 void *vdata;
2608 unsigned char *data;
2609 int len, origlen;
2610
2611 while (!ssh->frozen && bufchain_size(&ssh->queued_incoming_data)) {
2612 bufchain_prefix(&ssh->queued_incoming_data, &vdata, &len);
2613 data = vdata;
2614 origlen = len;
2615
2616 while (!ssh->frozen && len > 0)
2617 ssh_process_incoming_data(ssh, &data, &len);
2618
2619 if (origlen > len)
2620 bufchain_consume(&ssh->queued_incoming_data, origlen - len);
2621 }
2622 }
2623
2624 static void ssh_set_frozen(Ssh ssh, int frozen)
2625 {
2626 if (ssh->s)
2627 sk_set_frozen(ssh->s, frozen);
2628 ssh->frozen = frozen;
2629 }
2630
2631 static void ssh_gotdata(Ssh ssh, unsigned char *data, int datalen)
2632 {
2633 /* Log raw data, if we're in that mode. */
2634 if (ssh->logctx)
2635 log_packet(ssh->logctx, PKT_INCOMING, -1, NULL, data, datalen,
2636 0, NULL);
2637
2638 crBegin(ssh->ssh_gotdata_crstate);
2639
2640 /*
2641 * To begin with, feed the characters one by one to the
2642 * protocol initialisation / selection function do_ssh_init().
2643 * When that returns 0, we're done with the initial greeting
2644 * exchange and can move on to packet discipline.
2645 */
2646 while (1) {
2647 int ret; /* need not be kept across crReturn */
2648 if (datalen == 0)
2649 crReturnV; /* more data please */
2650 ret = do_ssh_init(ssh, *data);
2651 data++;
2652 datalen--;
2653 if (ret == 0)
2654 break;
2655 }
2656
2657 /*
2658 * We emerge from that loop when the initial negotiation is
2659 * over and we have selected an s_rdpkt function. Now pass
2660 * everything to s_rdpkt, and then pass the resulting packets
2661 * to the proper protocol handler.
2662 */
2663
2664 while (1) {
2665 while (bufchain_size(&ssh->queued_incoming_data) > 0 || datalen > 0) {
2666 if (ssh->frozen) {
2667 ssh_queue_incoming_data(ssh, &data, &datalen);
2668 /* This uses up all data and cannot cause anything interesting
2669 * to happen; indeed, for anything to happen at all, we must
2670 * return, so break out. */
2671 break;
2672 } else if (bufchain_size(&ssh->queued_incoming_data) > 0) {
2673 /* This uses up some or all data, and may freeze the
2674 * session. */
2675 ssh_process_queued_incoming_data(ssh);
2676 } else {
2677 /* This uses up some or all data, and may freeze the
2678 * session. */
2679 ssh_process_incoming_data(ssh, &data, &datalen);
2680 }
2681 /* FIXME this is probably EBW. */
2682 if (ssh->state == SSH_STATE_CLOSED)
2683 return;
2684 }
2685 /* We're out of data. Go and get some more. */
2686 crReturnV;
2687 }
2688 crFinishV;
2689 }
2690
2691 static int ssh_do_close(Ssh ssh, int notify_exit)
2692 {
2693 int ret = 0;
2694 struct ssh_channel *c;
2695
2696 ssh->state = SSH_STATE_CLOSED;
2697 expire_timer_context(ssh);
2698 if (ssh->s) {
2699 sk_close(ssh->s);
2700 ssh->s = NULL;
2701 if (notify_exit)
2702 notify_remote_exit(ssh->frontend);
2703 else
2704 ret = 1;
2705 }
2706 /*
2707 * Now we must shut down any port- and X-forwarded channels going
2708 * through this connection.
2709 */
2710 if (ssh->channels) {
2711 while (NULL != (c = index234(ssh->channels, 0))) {
2712 switch (c->type) {
2713 case CHAN_X11:
2714 x11_close(c->u.x11.s);
2715 break;
2716 case CHAN_SOCKDATA:
2717 pfd_close(c->u.pfd.s);
2718 break;
2719 }
2720 del234(ssh->channels, c); /* moving next one to index 0 */
2721 if (ssh->version == 2)
2722 bufchain_clear(&c->v.v2.outbuffer);
2723 sfree(c);
2724 }
2725 }
2726 /*
2727 * Go through port-forwardings, and close any associated
2728 * listening sockets.
2729 */
2730 if (ssh->portfwds) {
2731 struct ssh_portfwd *pf;
2732 while (NULL != (pf = index234(ssh->portfwds, 0))) {
2733 /* Dispose of any listening socket. */
2734 if (pf->local)
2735 pfd_terminate(pf->local);
2736 del234(ssh->portfwds, pf); /* moving next one to index 0 */
2737 free_portfwd(pf);
2738 }
2739 }
2740
2741 return ret;
2742 }
2743
2744 static void ssh_log(Plug plug, int type, SockAddr addr, int port,
2745 const char *error_msg, int error_code)
2746 {
2747 Ssh ssh = (Ssh) plug;
2748 char addrbuf[256], *msg;
2749
2750 sk_getaddr(addr, addrbuf, lenof(addrbuf));
2751
2752 if (type == 0)
2753 msg = dupprintf("Connecting to %s port %d", addrbuf, port);
2754 else
2755 msg = dupprintf("Failed to connect to %s: %s", addrbuf, error_msg);
2756
2757 logevent(msg);
2758 sfree(msg);
2759 }
2760
2761 static int ssh_closing(Plug plug, const char *error_msg, int error_code,
2762 int calling_back)
2763 {
2764 Ssh ssh = (Ssh) plug;
2765 int need_notify = ssh_do_close(ssh, FALSE);
2766
2767 if (!error_msg) {
2768 if (!ssh->close_expected)
2769 error_msg = "Server unexpectedly closed network connection";
2770 else
2771 error_msg = "Server closed network connection";
2772 }
2773
2774 if (ssh->close_expected && ssh->clean_exit && ssh->exitcode < 0)
2775 ssh->exitcode = 0;
2776
2777 if (need_notify)
2778 notify_remote_exit(ssh->frontend);
2779
2780 if (error_msg)
2781 logevent(error_msg);
2782 if (!ssh->close_expected || !ssh->clean_exit)
2783 connection_fatal(ssh->frontend, "%s", error_msg);
2784 return 0;
2785 }
2786
2787 static int ssh_receive(Plug plug, int urgent, char *data, int len)
2788 {
2789 Ssh ssh = (Ssh) plug;
2790 ssh_gotdata(ssh, (unsigned char *)data, len);
2791 if (ssh->state == SSH_STATE_CLOSED) {
2792 ssh_do_close(ssh, TRUE);
2793 return 0;
2794 }
2795 return 1;
2796 }
2797
2798 static void ssh_sent(Plug plug, int bufsize)
2799 {
2800 Ssh ssh = (Ssh) plug;
2801 /*
2802 * If the send backlog on the SSH socket itself clears, we
2803 * should unthrottle the whole world if it was throttled.
2804 */
2805 if (bufsize < SSH_MAX_BACKLOG)
2806 ssh_throttle_all(ssh, 0, bufsize);
2807 }
2808
2809 /*
2810 * Connect to specified host and port.
2811 * Returns an error message, or NULL on success.
2812 * Also places the canonical host name into `realhost'. It must be
2813 * freed by the caller.
2814 */
2815 static const char *connect_to_host(Ssh ssh, char *host, int port,
2816 char **realhost, int nodelay, int keepalive)
2817 {
2818 static const struct plug_function_table fn_table = {
2819 ssh_log,
2820 ssh_closing,
2821 ssh_receive,
2822 ssh_sent,
2823 NULL
2824 };
2825
2826 SockAddr addr;
2827 const char *err;
2828
2829 ssh->savedhost = snewn(1 + strlen(host), char);
2830 strcpy(ssh->savedhost, host);
2831
2832 if (port < 0)
2833 port = 22; /* default ssh port */
2834 ssh->savedport = port;
2835
2836 /*
2837 * Try to find host.
2838 */
2839 logeventf(ssh, "Looking up host \"%s\"%s", host,
2840 (ssh->cfg.addressfamily == ADDRTYPE_IPV4 ? " (IPv4)" :
2841 (ssh->cfg.addressfamily == ADDRTYPE_IPV6 ? " (IPv6)" : "")));
2842 addr = name_lookup(host, port, realhost, &ssh->cfg,
2843 ssh->cfg.addressfamily);
2844 if ((err = sk_addr_error(addr)) != NULL) {
2845 sk_addr_free(addr);
2846 return err;
2847 }
2848
2849 /*
2850 * Open socket.
2851 */
2852 ssh->fn = &fn_table;
2853 ssh->s = new_connection(addr, *realhost, port,
2854 0, 1, nodelay, keepalive, (Plug) ssh, &ssh->cfg);
2855 if ((err = sk_socket_error(ssh->s)) != NULL) {
2856 ssh->s = NULL;
2857 notify_remote_exit(ssh->frontend);
2858 return err;
2859 }
2860
2861 /*
2862 * If the SSH version number's fixed, set it now, and if it's SSH-2,
2863 * send the version string too.
2864 */
2865 if (ssh->cfg.sshprot == 0)
2866 ssh->version = 1;
2867 if (ssh->cfg.sshprot == 3) {
2868 ssh->version = 2;
2869 ssh_send_verstring(ssh, NULL);
2870 }
2871
2872 return NULL;
2873 }
2874
2875 /*
2876 * Throttle or unthrottle the SSH connection.
2877 */
2878 static void ssh_throttle_conn(Ssh ssh, int adjust)
2879 {
2880 int old_count = ssh->conn_throttle_count;
2881 ssh->conn_throttle_count += adjust;
2882 assert(ssh->conn_throttle_count >= 0);
2883 if (ssh->conn_throttle_count && !old_count) {
2884 ssh_set_frozen(ssh, 1);
2885 } else if (!ssh->conn_throttle_count && old_count) {
2886 ssh_set_frozen(ssh, 0);
2887 }
2888 }
2889
2890 /*
2891 * Throttle or unthrottle _all_ local data streams (for when sends
2892 * on the SSH connection itself back up).
2893 */
2894 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize)
2895 {
2896 int i;
2897 struct ssh_channel *c;
2898
2899 if (enable == ssh->throttled_all)
2900 return;
2901 ssh->throttled_all = enable;
2902 ssh->overall_bufsize = bufsize;
2903 if (!ssh->channels)
2904 return;
2905 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++) {
2906 switch (c->type) {
2907 case CHAN_MAINSESSION:
2908 /*
2909 * This is treated separately, outside the switch.
2910 */
2911 break;
2912 case CHAN_X11:
2913 x11_override_throttle(c->u.x11.s, enable);
2914 break;
2915 case CHAN_AGENT:
2916 /* Agent channels require no buffer management. */
2917 break;
2918 case CHAN_SOCKDATA:
2919 pfd_override_throttle(c->u.pfd.s, enable);
2920 break;
2921 }
2922 }
2923 }
2924
2925 static void ssh_agent_callback(void *sshv, void *reply, int replylen)
2926 {
2927 Ssh ssh = (Ssh) sshv;
2928
2929 ssh->agent_response = reply;
2930 ssh->agent_response_len = replylen;
2931
2932 if (ssh->version == 1)
2933 do_ssh1_login(ssh, NULL, -1, NULL);
2934 else
2935 do_ssh2_authconn(ssh, NULL, -1, NULL);
2936 }
2937
2938 static void ssh_dialog_callback(void *sshv, int ret)
2939 {
2940 Ssh ssh = (Ssh) sshv;
2941
2942 ssh->user_response = ret;
2943
2944 if (ssh->version == 1)
2945 do_ssh1_login(ssh, NULL, -1, NULL);
2946 else
2947 do_ssh2_transport(ssh, NULL, -1, NULL);
2948
2949 /*
2950 * This may have unfrozen the SSH connection, so do a
2951 * queued-data run.
2952 */
2953 ssh_process_queued_incoming_data(ssh);
2954 }
2955
2956 static void ssh_agentf_callback(void *cv, void *reply, int replylen)
2957 {
2958 struct ssh_channel *c = (struct ssh_channel *)cv;
2959 Ssh ssh = c->ssh;
2960 void *sentreply = reply;
2961
2962 if (!sentreply) {
2963 /* Fake SSH_AGENT_FAILURE. */
2964 sentreply = "\0\0\0\1\5";
2965 replylen = 5;
2966 }
2967 if (ssh->version == 2) {
2968 ssh2_add_channel_data(c, sentreply, replylen);
2969 ssh2_try_send(c);
2970 } else {
2971 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
2972 PKT_INT, c->remoteid,
2973 PKT_INT, replylen,
2974 PKTT_DATA,
2975 PKT_DATA, sentreply, replylen,
2976 PKTT_OTHER,
2977 PKT_END);
2978 }
2979 if (reply)
2980 sfree(reply);
2981 }
2982
2983 /*
2984 * Client-initiated disconnection. Send a DISCONNECT if `wire_reason'
2985 * non-NULL, otherwise just close the connection. `client_reason' == NULL
2986 * => log `wire_reason'.
2987 */
2988 static void ssh_disconnect(Ssh ssh, char *client_reason, char *wire_reason,
2989 int code, int clean_exit)
2990 {
2991 char *error;
2992 if (!client_reason)
2993 client_reason = wire_reason;
2994 if (client_reason)
2995 error = dupprintf("Disconnected: %s", client_reason);
2996 else
2997 error = dupstr("Disconnected");
2998 if (wire_reason) {
2999 if (ssh->version == 1) {
3000 send_packet(ssh, SSH1_MSG_DISCONNECT, PKT_STR, wire_reason,
3001 PKT_END);
3002 } else if (ssh->version == 2) {
3003 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_DISCONNECT);
3004 ssh2_pkt_adduint32(pktout, code);
3005 ssh2_pkt_addstring(pktout, wire_reason);
3006 ssh2_pkt_addstring(pktout, "en"); /* language tag */
3007 ssh2_pkt_send_noqueue(ssh, pktout);
3008 }
3009 }
3010 ssh->close_expected = TRUE;
3011 ssh->clean_exit = clean_exit;
3012 ssh_closing((Plug)ssh, error, 0, 0);
3013 sfree(error);
3014 }
3015
3016 /*
3017 * Handle the key exchange and user authentication phases.
3018 */
3019 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
3020 struct Packet *pktin)
3021 {
3022 int i, j, ret;
3023 unsigned char cookie[8], *ptr;
3024 struct RSAKey servkey, hostkey;
3025 struct MD5Context md5c;
3026 struct do_ssh1_login_state {
3027 int len;
3028 unsigned char *rsabuf, *keystr1, *keystr2;
3029 unsigned long supported_ciphers_mask, supported_auths_mask;
3030 int tried_publickey, tried_agent;
3031 int tis_auth_refused, ccard_auth_refused;
3032 unsigned char session_id[16];
3033 int cipher_type;
3034 char username[100];
3035 void *publickey_blob;
3036 int publickey_bloblen;
3037 char *publickey_comment;
3038 int publickey_encrypted;
3039 prompts_t *cur_prompt;
3040 char c;
3041 int pwpkt_type;
3042 unsigned char request[5], *response, *p;
3043 int responselen;
3044 int keyi, nkeys;
3045 int authed;
3046 struct RSAKey key;
3047 Bignum challenge;
3048 char *commentp;
3049 int commentlen;
3050 int dlgret;
3051 };
3052 crState(do_ssh1_login_state);
3053
3054 crBegin(ssh->do_ssh1_login_crstate);
3055
3056 if (!pktin)
3057 crWaitUntil(pktin);
3058
3059 if (pktin->type != SSH1_SMSG_PUBLIC_KEY) {
3060 bombout(("Public key packet not received"));
3061 crStop(0);
3062 }
3063
3064 logevent("Received public keys");
3065
3066 ptr = ssh_pkt_getdata(pktin, 8);
3067 if (!ptr) {
3068 bombout(("SSH-1 public key packet stopped before random cookie"));
3069 crStop(0);
3070 }
3071 memcpy(cookie, ptr, 8);
3072
3073 if (!ssh1_pkt_getrsakey(pktin, &servkey, &s->keystr1) ||
3074 !ssh1_pkt_getrsakey(pktin, &hostkey, &s->keystr2)) {
3075 bombout(("Failed to read SSH-1 public keys from public key packet"));
3076 crStop(0);
3077 }
3078
3079 /*
3080 * Log the host key fingerprint.
3081 */
3082 {
3083 char logmsg[80];
3084 logevent("Host key fingerprint is:");
3085 strcpy(logmsg, " ");
3086 hostkey.comment = NULL;
3087 rsa_fingerprint(logmsg + strlen(logmsg),
3088 sizeof(logmsg) - strlen(logmsg), &hostkey);
3089 logevent(logmsg);
3090 }
3091
3092 ssh->v1_remote_protoflags = ssh_pkt_getuint32(pktin);
3093 s->supported_ciphers_mask = ssh_pkt_getuint32(pktin);
3094 s->supported_auths_mask = ssh_pkt_getuint32(pktin);
3095 if ((ssh->remote_bugs & BUG_CHOKES_ON_RSA))
3096 s->supported_auths_mask &= ~(1 << SSH1_AUTH_RSA);
3097
3098 ssh->v1_local_protoflags =
3099 ssh->v1_remote_protoflags & SSH1_PROTOFLAGS_SUPPORTED;
3100 ssh->v1_local_protoflags |= SSH1_PROTOFLAG_SCREEN_NUMBER;
3101
3102 MD5Init(&md5c);
3103 MD5Update(&md5c, s->keystr2, hostkey.bytes);
3104 MD5Update(&md5c, s->keystr1, servkey.bytes);
3105 MD5Update(&md5c, cookie, 8);
3106 MD5Final(s->session_id, &md5c);
3107
3108 for (i = 0; i < 32; i++)
3109 ssh->session_key[i] = random_byte();
3110
3111 /*
3112 * Verify that the `bits' and `bytes' parameters match.
3113 */
3114 if (hostkey.bits > hostkey.bytes * 8 ||
3115 servkey.bits > servkey.bytes * 8) {
3116 bombout(("SSH-1 public keys were badly formatted"));
3117 crStop(0);
3118 }
3119
3120 s->len = (hostkey.bytes > servkey.bytes ? hostkey.bytes : servkey.bytes);
3121
3122 s->rsabuf = snewn(s->len, unsigned char);
3123
3124 /*
3125 * Verify the host key.
3126 */
3127 {
3128 /*
3129 * First format the key into a string.
3130 */
3131 int len = rsastr_len(&hostkey);
3132 char fingerprint[100];
3133 char *keystr = snewn(len, char);
3134 rsastr_fmt(keystr, &hostkey);
3135 rsa_fingerprint(fingerprint, sizeof(fingerprint), &hostkey);
3136
3137 ssh_set_frozen(ssh, 1);
3138 s->dlgret = verify_ssh_host_key(ssh->frontend,
3139 ssh->savedhost, ssh->savedport,
3140 "rsa", keystr, fingerprint,
3141 ssh_dialog_callback, ssh);
3142 sfree(keystr);
3143 if (s->dlgret < 0) {
3144 do {
3145 crReturn(0);
3146 if (pktin) {
3147 bombout(("Unexpected data from server while waiting"
3148 " for user host key response"));
3149 crStop(0);
3150 }
3151 } while (pktin || inlen > 0);
3152 s->dlgret = ssh->user_response;
3153 }
3154 ssh_set_frozen(ssh, 0);
3155
3156 if (s->dlgret == 0) {
3157 ssh_disconnect(ssh, "User aborted at host key verification",
3158 NULL, 0, TRUE);
3159 crStop(0);
3160 }
3161 }
3162
3163 for (i = 0; i < 32; i++) {
3164 s->rsabuf[i] = ssh->session_key[i];
3165 if (i < 16)
3166 s->rsabuf[i] ^= s->session_id[i];
3167 }
3168
3169 if (hostkey.bytes > servkey.bytes) {
3170 ret = rsaencrypt(s->rsabuf, 32, &servkey);
3171 if (ret)
3172 ret = rsaencrypt(s->rsabuf, servkey.bytes, &hostkey);
3173 } else {
3174 ret = rsaencrypt(s->rsabuf, 32, &hostkey);
3175 if (ret)
3176 ret = rsaencrypt(s->rsabuf, hostkey.bytes, &servkey);
3177 }
3178 if (!ret) {
3179 bombout(("SSH-1 public key encryptions failed due to bad formatting"));
3180 crStop(0);
3181 }
3182
3183 logevent("Encrypted session key");
3184
3185 {
3186 int cipher_chosen = 0, warn = 0;
3187 char *cipher_string = NULL;
3188 int i;
3189 for (i = 0; !cipher_chosen && i < CIPHER_MAX; i++) {
3190 int next_cipher = ssh->cfg.ssh_cipherlist[i];
3191 if (next_cipher == CIPHER_WARN) {
3192 /* If/when we choose a cipher, warn about it */
3193 warn = 1;
3194 } else if (next_cipher == CIPHER_AES) {
3195 /* XXX Probably don't need to mention this. */
3196 logevent("AES not supported in SSH-1, skipping");
3197 } else {
3198 switch (next_cipher) {
3199 case CIPHER_3DES: s->cipher_type = SSH_CIPHER_3DES;
3200 cipher_string = "3DES"; break;
3201 case CIPHER_BLOWFISH: s->cipher_type = SSH_CIPHER_BLOWFISH;
3202 cipher_string = "Blowfish"; break;
3203 case CIPHER_DES: s->cipher_type = SSH_CIPHER_DES;
3204 cipher_string = "single-DES"; break;
3205 }
3206 if (s->supported_ciphers_mask & (1 << s->cipher_type))
3207 cipher_chosen = 1;
3208 }
3209 }
3210 if (!cipher_chosen) {
3211 if ((s->supported_ciphers_mask & (1 << SSH_CIPHER_3DES)) == 0)
3212 bombout(("Server violates SSH-1 protocol by not "
3213 "supporting 3DES encryption"));
3214 else
3215 /* shouldn't happen */
3216 bombout(("No supported ciphers found"));
3217 crStop(0);
3218 }
3219
3220 /* Warn about chosen cipher if necessary. */
3221 if (warn) {
3222 ssh_set_frozen(ssh, 1);
3223 s->dlgret = askalg(ssh->frontend, "cipher", cipher_string,
3224 ssh_dialog_callback, ssh);
3225 if (s->dlgret < 0) {
3226 do {
3227 crReturn(0);
3228 if (pktin) {
3229 bombout(("Unexpected data from server while waiting"
3230 " for user response"));
3231 crStop(0);
3232 }
3233 } while (pktin || inlen > 0);
3234 s->dlgret = ssh->user_response;
3235 }
3236 ssh_set_frozen(ssh, 0);
3237 if (s->dlgret == 0) {
3238 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
3239 0, TRUE);
3240 crStop(0);
3241 }
3242 }
3243 }
3244
3245 switch (s->cipher_type) {
3246 case SSH_CIPHER_3DES:
3247 logevent("Using 3DES encryption");
3248 break;
3249 case SSH_CIPHER_DES:
3250 logevent("Using single-DES encryption");
3251 break;
3252 case SSH_CIPHER_BLOWFISH:
3253 logevent("Using Blowfish encryption");
3254 break;
3255 }
3256
3257 send_packet(ssh, SSH1_CMSG_SESSION_KEY,
3258 PKT_CHAR, s->cipher_type,
3259 PKT_DATA, cookie, 8,
3260 PKT_CHAR, (s->len * 8) >> 8, PKT_CHAR, (s->len * 8) & 0xFF,
3261 PKT_DATA, s->rsabuf, s->len,
3262 PKT_INT, ssh->v1_local_protoflags, PKT_END);
3263
3264 logevent("Trying to enable encryption...");
3265
3266 sfree(s->rsabuf);
3267
3268 ssh->cipher = (s->cipher_type == SSH_CIPHER_BLOWFISH ? &ssh_blowfish_ssh1 :
3269 s->cipher_type == SSH_CIPHER_DES ? &ssh_des :
3270 &ssh_3des);
3271 ssh->v1_cipher_ctx = ssh->cipher->make_context();
3272 ssh->cipher->sesskey(ssh->v1_cipher_ctx, ssh->session_key);
3273 logeventf(ssh, "Initialised %s encryption", ssh->cipher->text_name);
3274
3275 ssh->crcda_ctx = crcda_make_context();
3276 logevent("Installing CRC compensation attack detector");
3277
3278 if (servkey.modulus) {
3279 sfree(servkey.modulus);
3280 servkey.modulus = NULL;
3281 }
3282 if (servkey.exponent) {
3283 sfree(servkey.exponent);
3284 servkey.exponent = NULL;
3285 }
3286 if (hostkey.modulus) {
3287 sfree(hostkey.modulus);
3288 hostkey.modulus = NULL;
3289 }
3290 if (hostkey.exponent) {
3291 sfree(hostkey.exponent);
3292 hostkey.exponent = NULL;
3293 }
3294 crWaitUntil(pktin);
3295
3296 if (pktin->type != SSH1_SMSG_SUCCESS) {
3297 bombout(("Encryption not successfully enabled"));
3298 crStop(0);
3299 }
3300
3301 logevent("Successfully started encryption");
3302
3303 fflush(stdout); /* FIXME eh? */
3304 {
3305 if (!*ssh->cfg.username) {
3306 int ret; /* need not be kept over crReturn */
3307 s->cur_prompt = new_prompts(ssh->frontend);
3308 s->cur_prompt->to_server = TRUE;
3309 s->cur_prompt->name = dupstr("SSH login name");
3310 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
3311 lenof(s->username));
3312 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3313 while (ret < 0) {
3314 ssh->send_ok = 1;
3315 crWaitUntil(!pktin);
3316 ret = get_userpass_input(s->cur_prompt, in, inlen);
3317 ssh->send_ok = 0;
3318 }
3319 if (!ret) {
3320 /*
3321 * Failed to get a username. Terminate.
3322 */
3323 free_prompts(s->cur_prompt);
3324 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
3325 crStop(0);
3326 }
3327 memcpy(s->username, s->cur_prompt->prompts[0]->result,
3328 lenof(s->username));
3329 free_prompts(s->cur_prompt);
3330 } else {
3331 strncpy(s->username, ssh->cfg.username, sizeof(s->username));
3332 s->username[sizeof(s->username)-1] = '\0';
3333 }
3334
3335 send_packet(ssh, SSH1_CMSG_USER, PKT_STR, s->username, PKT_END);
3336 {
3337 char *userlog = dupprintf("Sent username \"%s\"", s->username);
3338 logevent(userlog);
3339 if (flags & FLAG_INTERACTIVE &&
3340 (!((flags & FLAG_STDERR) && (flags & FLAG_VERBOSE)))) {
3341 c_write_str(ssh, userlog);
3342 c_write_str(ssh, "\r\n");
3343 }
3344 sfree(userlog);
3345 }
3346 }
3347
3348 crWaitUntil(pktin);
3349
3350 if ((s->supported_auths_mask & (1 << SSH1_AUTH_RSA)) == 0) {
3351 /* We must not attempt PK auth. Pretend we've already tried it. */
3352 s->tried_publickey = s->tried_agent = 1;
3353 } else {
3354 s->tried_publickey = s->tried_agent = 0;
3355 }
3356 s->tis_auth_refused = s->ccard_auth_refused = 0;
3357 /*
3358 * Load the public half of any configured keyfile for later use.
3359 */
3360 if (!filename_is_null(ssh->cfg.keyfile)) {
3361 int keytype;
3362 logeventf(ssh, "Reading private key file \"%.150s\"",
3363 filename_to_str(&ssh->cfg.keyfile));
3364 keytype = key_type(&ssh->cfg.keyfile);
3365 if (keytype == SSH_KEYTYPE_SSH1) {
3366 const char *error;
3367 if (rsakey_pubblob(&ssh->cfg.keyfile,
3368 &s->publickey_blob, &s->publickey_bloblen,
3369 &s->publickey_comment, &error)) {
3370 s->publickey_encrypted = rsakey_encrypted(&ssh->cfg.keyfile,
3371 NULL);
3372 } else {
3373 char *msgbuf;
3374 logeventf(ssh, "Unable to load private key (%s)", error);
3375 msgbuf = dupprintf("Unable to load private key file "
3376 "\"%.150s\" (%s)\r\n",
3377 filename_to_str(&ssh->cfg.keyfile),
3378 error);
3379 c_write_str(ssh, msgbuf);
3380 sfree(msgbuf);
3381 s->publickey_blob = NULL;
3382 }
3383 } else {
3384 char *msgbuf;
3385 logeventf(ssh, "Unable to use this key file (%s)",
3386 key_type_to_str(keytype));
3387 msgbuf = dupprintf("Unable to use key file \"%.150s\""
3388 " (%s)\r\n",
3389 filename_to_str(&ssh->cfg.keyfile),
3390 key_type_to_str(keytype));
3391 c_write_str(ssh, msgbuf);
3392 sfree(msgbuf);
3393 s->publickey_blob = NULL;
3394 }
3395 } else
3396 s->publickey_blob = NULL;
3397
3398 while (pktin->type == SSH1_SMSG_FAILURE) {
3399 s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
3400
3401 if (ssh->cfg.tryagent && agent_exists() && !s->tried_agent) {
3402 /*
3403 * Attempt RSA authentication using Pageant.
3404 */
3405 void *r;
3406
3407 s->authed = FALSE;
3408 s->tried_agent = 1;
3409 logevent("Pageant is running. Requesting keys.");
3410
3411 /* Request the keys held by the agent. */
3412 PUT_32BIT(s->request, 1);
3413 s->request[4] = SSH1_AGENTC_REQUEST_RSA_IDENTITIES;
3414 if (!agent_query(s->request, 5, &r, &s->responselen,
3415 ssh_agent_callback, ssh)) {
3416 do {
3417 crReturn(0);
3418 if (pktin) {
3419 bombout(("Unexpected data from server while waiting"
3420 " for agent response"));
3421 crStop(0);
3422 }
3423 } while (pktin || inlen > 0);
3424 r = ssh->agent_response;
3425 s->responselen = ssh->agent_response_len;
3426 }
3427 s->response = (unsigned char *) r;
3428 if (s->response && s->responselen >= 5 &&
3429 s->response[4] == SSH1_AGENT_RSA_IDENTITIES_ANSWER) {
3430 s->p = s->response + 5;
3431 s->nkeys = GET_32BIT(s->p);
3432 s->p += 4;
3433 logeventf(ssh, "Pageant has %d SSH-1 keys", s->nkeys);
3434 for (s->keyi = 0; s->keyi < s->nkeys; s->keyi++) {
3435 unsigned char *pkblob = s->p;
3436 s->p += 4;
3437 {
3438 int n, ok = FALSE;
3439 do { /* do while (0) to make breaking easy */
3440 n = ssh1_read_bignum
3441 (s->p, s->responselen-(s->p-s->response),
3442 &s->key.exponent);
3443 if (n < 0)
3444 break;
3445 s->p += n;
3446 n = ssh1_read_bignum
3447 (s->p, s->responselen-(s->p-s->response),
3448 &s->key.modulus);
3449 if (n < 0)
3450 break;
3451 s->p += n;
3452 if (s->responselen - (s->p-s->response) < 4)
3453 break;
3454 s->commentlen = GET_32BIT(s->p);
3455 s->p += 4;
3456 if (s->responselen - (s->p-s->response) <
3457 s->commentlen)
3458 break;
3459 s->commentp = (char *)s->p;
3460 s->p += s->commentlen;
3461 ok = TRUE;
3462 } while (0);
3463 if (!ok) {
3464 logevent("Pageant key list packet was truncated");
3465 break;
3466 }
3467 }
3468 if (s->publickey_blob) {
3469 if (!memcmp(pkblob, s->publickey_blob,
3470 s->publickey_bloblen)) {
3471 logeventf(ssh, "Pageant key #%d matches "
3472 "configured key file", s->keyi);
3473 s->tried_publickey = 1;
3474 } else
3475 /* Skip non-configured key */
3476 continue;
3477 }
3478 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
3479 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3480 PKT_BIGNUM, s->key.modulus, PKT_END);
3481 crWaitUntil(pktin);
3482 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3483 logevent("Key refused");
3484 continue;
3485 }
3486 logevent("Received RSA challenge");
3487 if ((s->challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3488 bombout(("Server's RSA challenge was badly formatted"));
3489 crStop(0);
3490 }
3491
3492 {
3493 char *agentreq, *q, *ret;
3494 void *vret;
3495 int len, retlen;
3496 len = 1 + 4; /* message type, bit count */
3497 len += ssh1_bignum_length(s->key.exponent);
3498 len += ssh1_bignum_length(s->key.modulus);
3499 len += ssh1_bignum_length(s->challenge);
3500 len += 16; /* session id */
3501 len += 4; /* response format */
3502 agentreq = snewn(4 + len, char);
3503 PUT_32BIT(agentreq, len);
3504 q = agentreq + 4;
3505 *q++ = SSH1_AGENTC_RSA_CHALLENGE;
3506 PUT_32BIT(q, bignum_bitcount(s->key.modulus));
3507 q += 4;
3508 q += ssh1_write_bignum(q, s->key.exponent);
3509 q += ssh1_write_bignum(q, s->key.modulus);
3510 q += ssh1_write_bignum(q, s->challenge);
3511 memcpy(q, s->session_id, 16);
3512 q += 16;
3513 PUT_32BIT(q, 1); /* response format */
3514 if (!agent_query(agentreq, len + 4, &vret, &retlen,
3515 ssh_agent_callback, ssh)) {
3516 sfree(agentreq);
3517 do {
3518 crReturn(0);
3519 if (pktin) {
3520 bombout(("Unexpected data from server"
3521 " while waiting for agent"
3522 " response"));
3523 crStop(0);
3524 }
3525 } while (pktin || inlen > 0);
3526 vret = ssh->agent_response;
3527 retlen = ssh->agent_response_len;
3528 } else
3529 sfree(agentreq);
3530 ret = vret;
3531 if (ret) {
3532 if (ret[4] == SSH1_AGENT_RSA_RESPONSE) {
3533 logevent("Sending Pageant's response");
3534 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3535 PKT_DATA, ret + 5, 16,
3536 PKT_END);
3537 sfree(ret);
3538 crWaitUntil(pktin);
3539 if (pktin->type == SSH1_SMSG_SUCCESS) {
3540 logevent
3541 ("Pageant's response accepted");
3542 if (flags & FLAG_VERBOSE) {
3543 c_write_str(ssh, "Authenticated using"
3544 " RSA key \"");
3545 c_write(ssh, s->commentp,
3546 s->commentlen);
3547 c_write_str(ssh, "\" from agent\r\n");
3548 }
3549 s->authed = TRUE;
3550 } else
3551 logevent
3552 ("Pageant's response not accepted");
3553 } else {
3554 logevent
3555 ("Pageant failed to answer challenge");
3556 sfree(ret);
3557 }
3558 } else {
3559 logevent("No reply received from Pageant");
3560 }
3561 }
3562 freebn(s->key.exponent);
3563 freebn(s->key.modulus);
3564 freebn(s->challenge);
3565 if (s->authed)
3566 break;
3567 }
3568 sfree(s->response);
3569 if (s->publickey_blob && !s->tried_publickey)
3570 logevent("Configured key file not in Pageant");
3571 }
3572 if (s->authed)
3573 break;
3574 }
3575 if (s->publickey_blob && !s->tried_publickey) {
3576 /*
3577 * Try public key authentication with the specified
3578 * key file.
3579 */
3580 int got_passphrase; /* need not be kept over crReturn */
3581 if (flags & FLAG_VERBOSE)
3582 c_write_str(ssh, "Trying public key authentication.\r\n");
3583 logeventf(ssh, "Trying public key \"%s\"",
3584 filename_to_str(&ssh->cfg.keyfile));
3585 s->tried_publickey = 1;
3586 got_passphrase = FALSE;
3587 while (!got_passphrase) {
3588 /*
3589 * Get a passphrase, if necessary.
3590 */
3591 char *passphrase = NULL; /* only written after crReturn */
3592 const char *error;
3593 if (!s->publickey_encrypted) {
3594 if (flags & FLAG_VERBOSE)
3595 c_write_str(ssh, "No passphrase required.\r\n");
3596 passphrase = NULL;
3597 } else {
3598 int ret; /* need not be kept over crReturn */
3599 s->cur_prompt = new_prompts(ssh->frontend);
3600 s->cur_prompt->to_server = FALSE;
3601 s->cur_prompt->name = dupstr("SSH key passphrase");
3602 add_prompt(s->cur_prompt,
3603 dupprintf("Passphrase for key \"%.100s\": ",
3604 s->publickey_comment),
3605 FALSE, SSH_MAX_PASSWORD_LEN);
3606 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3607 while (ret < 0) {
3608 ssh->send_ok = 1;
3609 crWaitUntil(!pktin);
3610 ret = get_userpass_input(s->cur_prompt, in, inlen);
3611 ssh->send_ok = 0;
3612 }
3613 if (!ret) {
3614 /* Failed to get a passphrase. Terminate. */
3615 free_prompts(s->cur_prompt);
3616 ssh_disconnect(ssh, NULL, "Unable to authenticate",
3617 0, TRUE);
3618 crStop(0);
3619 }
3620 passphrase = dupstr(s->cur_prompt->prompts[0]->result);
3621 free_prompts(s->cur_prompt);
3622 }
3623 /*
3624 * Try decrypting key with passphrase.
3625 */
3626 ret = loadrsakey(&ssh->cfg.keyfile, &s->key, passphrase,
3627 &error);
3628 if (passphrase) {
3629 memset(passphrase, 0, strlen(passphrase));
3630 sfree(passphrase);
3631 }
3632 if (ret == 1) {
3633 /* Correct passphrase. */
3634 got_passphrase = TRUE;
3635 } else if (ret == 0) {
3636 c_write_str(ssh, "Couldn't load private key from ");
3637 c_write_str(ssh, filename_to_str(&ssh->cfg.keyfile));
3638 c_write_str(ssh, " (");
3639 c_write_str(ssh, error);
3640 c_write_str(ssh, ").\r\n");
3641 got_passphrase = FALSE;
3642 break; /* go and try something else */
3643 } else if (ret == -1) {
3644 c_write_str(ssh, "Wrong passphrase.\r\n"); /* FIXME */
3645 got_passphrase = FALSE;
3646 /* and try again */
3647 } else {
3648 assert(0 && "unexpected return from loadrsakey()");
3649 got_passphrase = FALSE; /* placate optimisers */
3650 }
3651 }
3652
3653 if (got_passphrase) {
3654
3655 /*
3656 * Send a public key attempt.
3657 */
3658 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3659 PKT_BIGNUM, s->key.modulus, PKT_END);
3660
3661 crWaitUntil(pktin);
3662 if (pktin->type == SSH1_SMSG_FAILURE) {
3663 c_write_str(ssh, "Server refused our public key.\r\n");
3664 continue; /* go and try something else */
3665 }
3666 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3667 bombout(("Bizarre response to offer of public key"));
3668 crStop(0);
3669 }
3670
3671 {
3672 int i;
3673 unsigned char buffer[32];
3674 Bignum challenge, response;
3675
3676 if ((challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3677 bombout(("Server's RSA challenge was badly formatted"));
3678 crStop(0);
3679 }
3680 response = rsadecrypt(challenge, &s->key);
3681 freebn(s->key.private_exponent);/* burn the evidence */
3682
3683 for (i = 0; i < 32; i++) {
3684 buffer[i] = bignum_byte(response, 31 - i);
3685 }
3686
3687 MD5Init(&md5c);
3688 MD5Update(&md5c, buffer, 32);
3689 MD5Update(&md5c, s->session_id, 16);
3690 MD5Final(buffer, &md5c);
3691
3692 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3693 PKT_DATA, buffer, 16, PKT_END);
3694
3695 freebn(challenge);
3696 freebn(response);
3697 }
3698
3699 crWaitUntil(pktin);
3700 if (pktin->type == SSH1_SMSG_FAILURE) {
3701 if (flags & FLAG_VERBOSE)
3702 c_write_str(ssh, "Failed to authenticate with"
3703 " our public key.\r\n");
3704 continue; /* go and try something else */
3705 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
3706 bombout(("Bizarre response to RSA authentication response"));
3707 crStop(0);
3708 }
3709
3710 break; /* we're through! */
3711 }
3712
3713 }
3714
3715 /*
3716 * Otherwise, try various forms of password-like authentication.
3717 */
3718 s->cur_prompt = new_prompts(ssh->frontend);
3719
3720 if (ssh->cfg.try_tis_auth &&
3721 (s->supported_auths_mask & (1 << SSH1_AUTH_TIS)) &&
3722 !s->tis_auth_refused) {
3723 s->pwpkt_type = SSH1_CMSG_AUTH_TIS_RESPONSE;
3724 logevent("Requested TIS authentication");
3725 send_packet(ssh, SSH1_CMSG_AUTH_TIS, PKT_END);
3726 crWaitUntil(pktin);
3727 if (pktin->type != SSH1_SMSG_AUTH_TIS_CHALLENGE) {
3728 logevent("TIS authentication declined");
3729 if (flags & FLAG_INTERACTIVE)
3730 c_write_str(ssh, "TIS authentication refused.\r\n");
3731 s->tis_auth_refused = 1;
3732 continue;
3733 } else {
3734 char *challenge;
3735 int challengelen;
3736 char *instr_suf, *prompt;
3737
3738 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3739 if (!challenge) {
3740 bombout(("TIS challenge packet was badly formed"));
3741 crStop(0);
3742 }
3743 logevent("Received TIS challenge");
3744 s->cur_prompt->to_server = TRUE;
3745 s->cur_prompt->name = dupstr("SSH TIS authentication");
3746 /* Prompt heuristic comes from OpenSSH */
3747 if (memchr(challenge, '\n', challengelen)) {
3748 instr_suf = dupstr("");
3749 prompt = dupprintf("%.*s", challengelen, challenge);
3750 } else {
3751 instr_suf = dupprintf("%.*s", challengelen, challenge);
3752 prompt = dupstr("Response: ");
3753 }
3754 s->cur_prompt->instruction =
3755 dupprintf("Using TIS authentication.%s%s",
3756 (*instr_suf) ? "\n" : "",
3757 instr_suf);
3758 s->cur_prompt->instr_reqd = TRUE;
3759 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3760 sfree(instr_suf);
3761 }
3762 }
3763 if (ssh->cfg.try_tis_auth &&
3764 (s->supported_auths_mask & (1 << SSH1_AUTH_CCARD)) &&
3765 !s->ccard_auth_refused) {
3766 s->pwpkt_type = SSH1_CMSG_AUTH_CCARD_RESPONSE;
3767 logevent("Requested CryptoCard authentication");
3768 send_packet(ssh, SSH1_CMSG_AUTH_CCARD, PKT_END);
3769 crWaitUntil(pktin);
3770 if (pktin->type != SSH1_SMSG_AUTH_CCARD_CHALLENGE) {
3771 logevent("CryptoCard authentication declined");
3772 c_write_str(ssh, "CryptoCard authentication refused.\r\n");
3773 s->ccard_auth_refused = 1;
3774 continue;
3775 } else {
3776 char *challenge;
3777 int challengelen;
3778 char *instr_suf, *prompt;
3779
3780 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3781 if (!challenge) {
3782 bombout(("CryptoCard challenge packet was badly formed"));
3783 crStop(0);
3784 }
3785 logevent("Received CryptoCard challenge");
3786 s->cur_prompt->to_server = TRUE;
3787 s->cur_prompt->name = dupstr("SSH CryptoCard authentication");
3788 s->cur_prompt->name_reqd = FALSE;
3789 /* Prompt heuristic comes from OpenSSH */
3790 if (memchr(challenge, '\n', challengelen)) {
3791 instr_suf = dupstr("");
3792 prompt = dupprintf("%.*s", challengelen, challenge);
3793 } else {
3794 instr_suf = dupprintf("%.*s", challengelen, challenge);
3795 prompt = dupstr("Response: ");
3796 }
3797 s->cur_prompt->instruction =
3798 dupprintf("Using CryptoCard authentication.%s%s",
3799 (*instr_suf) ? "\n" : "",
3800 instr_suf);
3801 s->cur_prompt->instr_reqd = TRUE;
3802 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3803 sfree(instr_suf);
3804 }
3805 }
3806 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3807 if ((s->supported_auths_mask & (1 << SSH1_AUTH_PASSWORD)) == 0) {
3808 bombout(("No supported authentication methods available"));
3809 crStop(0);
3810 }
3811 s->cur_prompt->to_server = TRUE;
3812 s->cur_prompt->name = dupstr("SSH password");
3813 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
3814 s->username, ssh->savedhost),
3815 FALSE, SSH_MAX_PASSWORD_LEN);
3816 }
3817
3818 /*
3819 * Show password prompt, having first obtained it via a TIS
3820 * or CryptoCard exchange if we're doing TIS or CryptoCard
3821 * authentication.
3822 */
3823 {
3824 int ret; /* need not be kept over crReturn */
3825 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3826 while (ret < 0) {
3827 ssh->send_ok = 1;
3828 crWaitUntil(!pktin);
3829 ret = get_userpass_input(s->cur_prompt, in, inlen);
3830 ssh->send_ok = 0;
3831 }
3832 if (!ret) {
3833 /*
3834 * Failed to get a password (for example
3835 * because one was supplied on the command line
3836 * which has already failed to work). Terminate.
3837 */
3838 free_prompts(s->cur_prompt);
3839 ssh_disconnect(ssh, NULL, "Unable to authenticate", 0, TRUE);
3840 crStop(0);
3841 }
3842 }
3843
3844 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3845 /*
3846 * Defence against traffic analysis: we send a
3847 * whole bunch of packets containing strings of
3848 * different lengths. One of these strings is the
3849 * password, in a SSH1_CMSG_AUTH_PASSWORD packet.
3850 * The others are all random data in
3851 * SSH1_MSG_IGNORE packets. This way a passive
3852 * listener can't tell which is the password, and
3853 * hence can't deduce the password length.
3854 *
3855 * Anybody with a password length greater than 16
3856 * bytes is going to have enough entropy in their
3857 * password that a listener won't find it _that_
3858 * much help to know how long it is. So what we'll
3859 * do is:
3860 *
3861 * - if password length < 16, we send 15 packets
3862 * containing string lengths 1 through 15
3863 *
3864 * - otherwise, we let N be the nearest multiple
3865 * of 8 below the password length, and send 8
3866 * packets containing string lengths N through
3867 * N+7. This won't obscure the order of
3868 * magnitude of the password length, but it will
3869 * introduce a bit of extra uncertainty.
3870 *
3871 * A few servers can't deal with SSH1_MSG_IGNORE, at
3872 * least in this context. For these servers, we need
3873 * an alternative defence. We make use of the fact
3874 * that the password is interpreted as a C string:
3875 * so we can append a NUL, then some random data.
3876 *
3877 * A few servers can deal with neither SSH1_MSG_IGNORE
3878 * here _nor_ a padded password string.
3879 * For these servers we are left with no defences
3880 * against password length sniffing.
3881 */
3882 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE) &&
3883 !(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
3884 /*
3885 * The server can deal with SSH1_MSG_IGNORE, so
3886 * we can use the primary defence.
3887 */
3888 int bottom, top, pwlen, i;
3889 char *randomstr;
3890
3891 pwlen = strlen(s->cur_prompt->prompts[0]->result);
3892 if (pwlen < 16) {
3893 bottom = 0; /* zero length passwords are OK! :-) */
3894 top = 15;
3895 } else {
3896 bottom = pwlen & ~7;
3897 top = bottom + 7;
3898 }
3899
3900 assert(pwlen >= bottom && pwlen <= top);
3901
3902 randomstr = snewn(top + 1, char);
3903
3904 for (i = bottom; i <= top; i++) {
3905 if (i == pwlen) {
3906 defer_packet(ssh, s->pwpkt_type,
3907 PKTT_PASSWORD, PKT_STR,
3908 s->cur_prompt->prompts[0]->result,
3909 PKTT_OTHER, PKT_END);
3910 } else {
3911 for (j = 0; j < i; j++) {
3912 do {
3913 randomstr[j] = random_byte();
3914 } while (randomstr[j] == '\0');
3915 }
3916 randomstr[i] = '\0';
3917 defer_packet(ssh, SSH1_MSG_IGNORE,
3918 PKT_STR, randomstr, PKT_END);
3919 }
3920 }
3921 logevent("Sending password with camouflage packets");
3922 ssh_pkt_defersend(ssh);
3923 sfree(randomstr);
3924 }
3925 else if (!(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
3926 /*
3927 * The server can't deal with SSH1_MSG_IGNORE
3928 * but can deal with padded passwords, so we
3929 * can use the secondary defence.
3930 */
3931 char string[64];
3932 char *ss;
3933 int len;
3934
3935 len = strlen(s->cur_prompt->prompts[0]->result);
3936 if (len < sizeof(string)) {
3937 ss = string;
3938 strcpy(string, s->cur_prompt->prompts[0]->result);
3939 len++; /* cover the zero byte */
3940 while (len < sizeof(string)) {
3941 string[len++] = (char) random_byte();
3942 }
3943 } else {
3944 ss = s->cur_prompt->prompts[0]->result;
3945 }
3946 logevent("Sending length-padded password");
3947 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
3948 PKT_INT, len, PKT_DATA, ss, len,
3949 PKTT_OTHER, PKT_END);
3950 } else {
3951 /*
3952 * The server is believed unable to cope with
3953 * any of our password camouflage methods.
3954 */
3955 int len;
3956 len = strlen(s->cur_prompt->prompts[0]->result);
3957 logevent("Sending unpadded password");
3958 send_packet(ssh, s->pwpkt_type,
3959 PKTT_PASSWORD, PKT_INT, len,
3960 PKT_DATA, s->cur_prompt->prompts[0]->result, len,
3961 PKTT_OTHER, PKT_END);
3962 }
3963 } else {
3964 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
3965 PKT_STR, s->cur_prompt->prompts[0]->result,
3966 PKTT_OTHER, PKT_END);
3967 }
3968 logevent("Sent password");
3969 free_prompts(s->cur_prompt);
3970 crWaitUntil(pktin);
3971 if (pktin->type == SSH1_SMSG_FAILURE) {
3972 if (flags & FLAG_VERBOSE)
3973 c_write_str(ssh, "Access denied\r\n");
3974 logevent("Authentication refused");
3975 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
3976 bombout(("Strange packet received, type %d", pktin->type));
3977 crStop(0);
3978 }
3979 }
3980
3981 /* Clear up */
3982 if (s->publickey_blob) {
3983 sfree(s->publickey_blob);
3984 sfree(s->publickey_comment);
3985 }
3986
3987 logevent("Authentication successful");
3988
3989 crFinish(1);
3990 }
3991
3992 void sshfwd_close(struct ssh_channel *c)
3993 {
3994 Ssh ssh = c->ssh;
3995
3996 if (ssh->state == SSH_STATE_CLOSED)
3997 return;
3998
3999 if (c && !c->closes) {
4000 /*
4001 * If halfopen is true, we have sent
4002 * CHANNEL_OPEN for this channel, but it hasn't even been
4003 * acknowledged by the server. So we must set a close flag
4004 * on it now, and then when the server acks the channel
4005 * open, we can close it then.
4006 */
4007 if (!c->halfopen) {
4008 if (ssh->version == 1) {
4009 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE, PKT_INT, c->remoteid,
4010 PKT_END);
4011 } else {
4012 struct Packet *pktout;
4013 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
4014 ssh2_pkt_adduint32(pktout, c->remoteid);
4015 ssh2_pkt_send(ssh, pktout);
4016 }
4017 }
4018 c->closes = 1; /* sent MSG_CLOSE */
4019 if (c->type == CHAN_X11) {
4020 c->u.x11.s = NULL;
4021 logevent("Forwarded X11 connection terminated");
4022 } else if (c->type == CHAN_SOCKDATA ||
4023 c->type == CHAN_SOCKDATA_DORMANT) {
4024 c->u.pfd.s = NULL;
4025 logevent("Forwarded port closed");
4026 }
4027 }
4028 }
4029
4030 int sshfwd_write(struct ssh_channel *c, char *buf, int len)
4031 {
4032 Ssh ssh = c->ssh;
4033
4034 if (ssh->state == SSH_STATE_CLOSED)
4035 return 0;
4036
4037 if (ssh->version == 1) {
4038 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
4039 PKT_INT, c->remoteid,
4040 PKT_INT, len, PKTT_DATA, PKT_DATA, buf, len,
4041 PKTT_OTHER, PKT_END);
4042 /*
4043 * In SSH-1 we can return 0 here - implying that forwarded
4044 * connections are never individually throttled - because
4045 * the only circumstance that can cause throttling will be
4046 * the whole SSH connection backing up, in which case
4047 * _everything_ will be throttled as a whole.
4048 */
4049 return 0;
4050 } else {
4051 ssh2_add_channel_data(c, buf, len);
4052 return ssh2_try_send(c);
4053 }
4054 }
4055
4056 void sshfwd_unthrottle(struct ssh_channel *c, int bufsize)
4057 {
4058 Ssh ssh = c->ssh;
4059 int buflimit;
4060
4061 if (ssh->state == SSH_STATE_CLOSED)
4062 return;
4063
4064 if (ssh->version == 1) {
4065 buflimit = SSH1_BUFFER_LIMIT;
4066 } else {
4067 buflimit = c->v.v2.locmaxwin;
4068 ssh2_set_window(c, bufsize < buflimit ? buflimit - bufsize : 0);
4069 }
4070 if (c->throttling_conn && bufsize <= buflimit) {
4071 c->throttling_conn = 0;
4072 ssh_throttle_conn(ssh, -1);
4073 }
4074 }
4075
4076 static void ssh_queueing_handler(Ssh ssh, struct Packet *pktin)
4077 {
4078 struct queued_handler *qh = ssh->qhead;
4079
4080 assert(qh != NULL);
4081
4082 assert(pktin->type == qh->msg1 || pktin->type == qh->msg2);
4083
4084 if (qh->msg1 > 0) {
4085 assert(ssh->packet_dispatch[qh->msg1] == ssh_queueing_handler);
4086 ssh->packet_dispatch[qh->msg1] = NULL;
4087 }
4088 if (qh->msg2 > 0) {
4089 assert(ssh->packet_dispatch[qh->msg2] == ssh_queueing_handler);
4090 ssh->packet_dispatch[qh->msg2] = NULL;
4091 }
4092
4093 if (qh->next) {
4094 ssh->qhead = qh->next;
4095
4096 if (ssh->qhead->msg1 > 0) {
4097 assert(ssh->packet_dispatch[ssh->qhead->msg1] == NULL);
4098 ssh->packet_dispatch[ssh->qhead->msg1] = ssh_queueing_handler;
4099 }
4100 if (ssh->qhead->msg2 > 0) {
4101 assert(ssh->packet_dispatch[ssh->qhead->msg2] == NULL);
4102 ssh->packet_dispatch[ssh->qhead->msg2] = ssh_queueing_handler;
4103 }
4104 } else {
4105 ssh->qhead = ssh->qtail = NULL;
4106 ssh->packet_dispatch[pktin->type] = NULL;
4107 }
4108
4109 qh->handler(ssh, pktin, qh->ctx);
4110
4111 sfree(qh);
4112 }
4113
4114 static void ssh_queue_handler(Ssh ssh, int msg1, int msg2,
4115 chandler_fn_t handler, void *ctx)
4116 {
4117 struct queued_handler *qh;
4118
4119 qh = snew(struct queued_handler);
4120 qh->msg1 = msg1;
4121 qh->msg2 = msg2;
4122 qh->handler = handler;
4123 qh->ctx = ctx;
4124 qh->next = NULL;
4125
4126 if (ssh->qtail == NULL) {
4127 ssh->qhead = qh;
4128
4129 if (qh->msg1 > 0) {
4130 assert(ssh->packet_dispatch[qh->msg1] == NULL);
4131 ssh->packet_dispatch[qh->msg1] = ssh_queueing_handler;
4132 }
4133 if (qh->msg2 > 0) {
4134 assert(ssh->packet_dispatch[qh->msg2] == NULL);
4135 ssh->packet_dispatch[qh->msg2] = ssh_queueing_handler;
4136 }
4137 } else {
4138 ssh->qtail->next = qh;
4139 }
4140 ssh->qtail = qh;
4141 }
4142
4143 static void ssh_rportfwd_succfail(Ssh ssh, struct Packet *pktin, void *ctx)
4144 {
4145 struct ssh_rportfwd *rpf, *pf = (struct ssh_rportfwd *)ctx;
4146
4147 if (pktin->type == (ssh->version == 1 ? SSH1_SMSG_SUCCESS :
4148 SSH2_MSG_REQUEST_SUCCESS)) {
4149 logeventf(ssh, "Remote port forwarding from %s enabled",
4150 pf->sportdesc);
4151 } else {
4152 logeventf(ssh, "Remote port forwarding from %s refused",
4153 pf->sportdesc);
4154
4155 rpf = del234(ssh->rportfwds, pf);
4156 assert(rpf == pf);
4157 free_rportfwd(pf);
4158 }
4159 }
4160
4161 static void ssh_setup_portfwd(Ssh ssh, const Config *cfg)
4162 {
4163 const char *portfwd_strptr = cfg->portfwd;
4164 struct ssh_portfwd *epf;
4165 int i;
4166
4167 if (!ssh->portfwds) {
4168 ssh->portfwds = newtree234(ssh_portcmp);
4169 } else {
4170 /*
4171 * Go through the existing port forwardings and tag them
4172 * with status==DESTROY. Any that we want to keep will be
4173 * re-enabled (status==KEEP) as we go through the
4174 * configuration and find out which bits are the same as
4175 * they were before.
4176 */
4177 struct ssh_portfwd *epf;
4178 int i;
4179 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4180 epf->status = DESTROY;
4181 }
4182
4183 while (*portfwd_strptr) {
4184 char address_family, type;
4185 int sport,dport,sserv,dserv;
4186 char sports[256], dports[256], saddr[256], host[256];
4187 int n;
4188
4189 address_family = 'A';
4190 type = 'L';
4191 if (*portfwd_strptr == 'A' ||
4192 *portfwd_strptr == '4' ||
4193 *portfwd_strptr == '6')
4194 address_family = *portfwd_strptr++;
4195 if (*portfwd_strptr == 'L' ||
4196 *portfwd_strptr == 'R' ||
4197 *portfwd_strptr == 'D')
4198 type = *portfwd_strptr++;
4199
4200 saddr[0] = '\0';
4201
4202 n = 0;
4203 while (*portfwd_strptr && *portfwd_strptr != '\t') {
4204 if (*portfwd_strptr == ':') {
4205 /*
4206 * We've seen a colon in the middle of the
4207 * source port number. This means that
4208 * everything we've seen until now is the
4209 * source _address_, so we'll move it into
4210 * saddr and start sports from the beginning
4211 * again.
4212 */
4213 portfwd_strptr++;
4214 sports[n] = '\0';
4215 if (ssh->version == 1 && type == 'R') {
4216 logeventf(ssh, "SSH-1 cannot handle remote source address "
4217 "spec \"%s\"; ignoring", sports);
4218 } else
4219 strcpy(saddr, sports);
4220 n = 0;
4221 }
4222 if (n < lenof(sports)-1) sports[n++] = *portfwd_strptr++;
4223 }
4224 sports[n] = 0;
4225 if (type != 'D') {
4226 if (*portfwd_strptr == '\t')
4227 portfwd_strptr++;
4228 n = 0;
4229 while (*portfwd_strptr && *portfwd_strptr != ':') {
4230 if (n < lenof(host)-1) host[n++] = *portfwd_strptr++;
4231 }
4232 host[n] = 0;
4233 if (*portfwd_strptr == ':')
4234 portfwd_strptr++;
4235 n = 0;
4236 while (*portfwd_strptr) {
4237 if (n < lenof(dports)-1) dports[n++] = *portfwd_strptr++;
4238 }
4239 dports[n] = 0;
4240 portfwd_strptr++;
4241 dport = atoi(dports);
4242 dserv = 0;
4243 if (dport == 0) {
4244 dserv = 1;
4245 dport = net_service_lookup(dports);
4246 if (!dport) {
4247 logeventf(ssh, "Service lookup failed for destination"
4248 " port \"%s\"", dports);
4249 }
4250 }
4251 } else {
4252 while (*portfwd_strptr) portfwd_strptr++;
4253 host[0] = 0;
4254 dports[0] = 0;
4255 dport = dserv = -1;
4256 portfwd_strptr++; /* eat the NUL and move to next one */
4257 }
4258 sport = atoi(sports);
4259 sserv = 0;
4260 if (sport == 0) {
4261 sserv = 1;
4262 sport = net_service_lookup(sports);
4263 if (!sport) {
4264 logeventf(ssh, "Service lookup failed for source"
4265 " port \"%s\"", sports);
4266 }
4267 }
4268 if (sport && dport) {
4269 /* Set up a description of the source port. */
4270 struct ssh_portfwd *pfrec, *epfrec;
4271
4272 pfrec = snew(struct ssh_portfwd);
4273 pfrec->type = type;
4274 pfrec->saddr = *saddr ? dupstr(saddr) : NULL;
4275 pfrec->sserv = sserv ? dupstr(sports) : NULL;
4276 pfrec->sport = sport;
4277 pfrec->daddr = *host ? dupstr(host) : NULL;
4278 pfrec->dserv = dserv ? dupstr(dports) : NULL;
4279 pfrec->dport = dport;
4280 pfrec->local = NULL;
4281 pfrec->remote = NULL;
4282 pfrec->addressfamily = (address_family == '4' ? ADDRTYPE_IPV4 :
4283 address_family == '6' ? ADDRTYPE_IPV6 :
4284 ADDRTYPE_UNSPEC);
4285
4286 epfrec = add234(ssh->portfwds, pfrec);
4287 if (epfrec != pfrec) {
4288 /*
4289 * We already have a port forwarding with precisely
4290 * these parameters. Hence, no need to do anything;
4291 * simply tag the existing one as KEEP.
4292 */
4293 epfrec->status = KEEP;
4294 free_portfwd(pfrec);
4295 } else {
4296 pfrec->status = CREATE;
4297 }
4298 }
4299 }
4300
4301 /*
4302 * Now go through and destroy any port forwardings which were
4303 * not re-enabled.
4304 */
4305 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4306 if (epf->status == DESTROY) {
4307 char *message;
4308
4309 message = dupprintf("%s port forwarding from %s%s%d",
4310 epf->type == 'L' ? "local" :
4311 epf->type == 'R' ? "remote" : "dynamic",
4312 epf->saddr ? epf->saddr : "",
4313 epf->saddr ? ":" : "",
4314 epf->sport);
4315
4316 if (epf->type != 'D') {
4317 char *msg2 = dupprintf("%s to %s:%d", message,
4318 epf->daddr, epf->dport);
4319 sfree(message);
4320 message = msg2;
4321 }
4322
4323 logeventf(ssh, "Cancelling %s", message);
4324 sfree(message);
4325
4326 if (epf->remote) {
4327 struct ssh_rportfwd *rpf = epf->remote;
4328 struct Packet *pktout;
4329
4330 /*
4331 * Cancel the port forwarding at the server
4332 * end.
4333 */
4334 if (ssh->version == 1) {
4335 /*
4336 * We cannot cancel listening ports on the
4337 * server side in SSH-1! There's no message
4338 * to support it. Instead, we simply remove
4339 * the rportfwd record from the local end
4340 * so that any connections the server tries
4341 * to make on it are rejected.
4342 */
4343 } else {
4344 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4345 ssh2_pkt_addstring(pktout, "cancel-tcpip-forward");
4346 ssh2_pkt_addbool(pktout, 0);/* _don't_ want reply */
4347 if (epf->saddr) {
4348 ssh2_pkt_addstring(pktout, epf->saddr);
4349 } else if (ssh->cfg.rport_acceptall) {
4350 /* XXX: ssh->cfg.rport_acceptall may not represent
4351 * what was used to open the original connection,
4352 * since it's reconfigurable. */
4353 ssh2_pkt_addstring(pktout, "0.0.0.0");
4354 } else {
4355 ssh2_pkt_addstring(pktout, "127.0.0.1");
4356 }
4357 ssh2_pkt_adduint32(pktout, epf->sport);
4358 ssh2_pkt_send(ssh, pktout);
4359 }
4360
4361 del234(ssh->rportfwds, rpf);
4362 free_rportfwd(rpf);
4363 } else if (epf->local) {
4364 pfd_terminate(epf->local);
4365 }
4366
4367 delpos234(ssh->portfwds, i);
4368 free_portfwd(epf);
4369 i--; /* so we don't skip one in the list */
4370 }
4371
4372 /*
4373 * And finally, set up any new port forwardings (status==CREATE).
4374 */
4375 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4376 if (epf->status == CREATE) {
4377 char *sportdesc, *dportdesc;
4378 sportdesc = dupprintf("%s%s%s%s%d%s",
4379 epf->saddr ? epf->saddr : "",
4380 epf->saddr ? ":" : "",
4381 epf->sserv ? epf->sserv : "",
4382 epf->sserv ? "(" : "",
4383 epf->sport,
4384 epf->sserv ? ")" : "");
4385 if (epf->type == 'D') {
4386 dportdesc = NULL;
4387 } else {
4388 dportdesc = dupprintf("%s:%s%s%d%s",
4389 epf->daddr,
4390 epf->dserv ? epf->dserv : "",
4391 epf->dserv ? "(" : "",
4392 epf->dport,
4393 epf->dserv ? ")" : "");
4394 }
4395
4396 if (epf->type == 'L') {
4397 const char *err = pfd_addforward(epf->daddr, epf->dport,
4398 epf->saddr, epf->sport,
4399 ssh, cfg,
4400 &epf->local,
4401 epf->addressfamily);
4402
4403 logeventf(ssh, "Local %sport %s forwarding to %s%s%s",
4404 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4405 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4406 sportdesc, dportdesc,
4407 err ? " failed: " : "", err ? err : "");
4408 } else if (epf->type == 'D') {
4409 const char *err = pfd_addforward(NULL, -1,
4410 epf->saddr, epf->sport,
4411 ssh, cfg,
4412 &epf->local,
4413 epf->addressfamily);
4414
4415 logeventf(ssh, "Local %sport %s SOCKS dynamic forwarding%s%s",
4416 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4417 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4418 sportdesc,
4419 err ? " failed: " : "", err ? err : "");
4420 } else {
4421 struct ssh_rportfwd *pf;
4422
4423 /*
4424 * Ensure the remote port forwardings tree exists.
4425 */
4426 if (!ssh->rportfwds) {
4427 if (ssh->version == 1)
4428 ssh->rportfwds = newtree234(ssh_rportcmp_ssh1);
4429 else
4430 ssh->rportfwds = newtree234(ssh_rportcmp_ssh2);
4431 }
4432
4433 pf = snew(struct ssh_rportfwd);
4434 strncpy(pf->dhost, epf->daddr, lenof(pf->dhost)-1);
4435 pf->dhost[lenof(pf->dhost)-1] = '\0';
4436 pf->dport = epf->dport;
4437 pf->sport = epf->sport;
4438 if (add234(ssh->rportfwds, pf) != pf) {
4439 logeventf(ssh, "Duplicate remote port forwarding to %s:%d",
4440 epf->daddr, epf->dport);
4441 sfree(pf);
4442 } else {
4443 logeventf(ssh, "Requesting remote port %s"
4444 " forward to %s", sportdesc, dportdesc);
4445
4446 pf->sportdesc = sportdesc;
4447 sportdesc = NULL;
4448 epf->remote = pf;
4449 pf->pfrec = epf;
4450
4451 if (ssh->version == 1) {
4452 send_packet(ssh, SSH1_CMSG_PORT_FORWARD_REQUEST,
4453 PKT_INT, epf->sport,
4454 PKT_STR, epf->daddr,
4455 PKT_INT, epf->dport,
4456 PKT_END);
4457 ssh_queue_handler(ssh, SSH1_SMSG_SUCCESS,
4458 SSH1_SMSG_FAILURE,
4459 ssh_rportfwd_succfail, pf);
4460 } else {
4461 struct Packet *pktout;
4462 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4463 ssh2_pkt_addstring(pktout, "tcpip-forward");
4464 ssh2_pkt_addbool(pktout, 1);/* want reply */
4465 if (epf->saddr) {
4466 ssh2_pkt_addstring(pktout, epf->saddr);
4467 } else if (cfg->rport_acceptall) {
4468 ssh2_pkt_addstring(pktout, "0.0.0.0");
4469 } else {
4470 ssh2_pkt_addstring(pktout, "127.0.0.1");
4471 }
4472 ssh2_pkt_adduint32(pktout, epf->sport);
4473 ssh2_pkt_send(ssh, pktout);
4474
4475 ssh_queue_handler(ssh, SSH2_MSG_REQUEST_SUCCESS,
4476 SSH2_MSG_REQUEST_FAILURE,
4477 ssh_rportfwd_succfail, pf);
4478 }
4479 }
4480 }
4481 sfree(sportdesc);
4482 sfree(dportdesc);
4483 }
4484 }
4485
4486 static void ssh1_smsg_stdout_stderr_data(Ssh ssh, struct Packet *pktin)
4487 {
4488 char *string;
4489 int stringlen, bufsize;
4490
4491 ssh_pkt_getstring(pktin, &string, &stringlen);
4492 if (string == NULL) {
4493 bombout(("Incoming terminal data packet was badly formed"));
4494 return;
4495 }
4496
4497 bufsize = from_backend(ssh->frontend, pktin->type == SSH1_SMSG_STDERR_DATA,
4498 string, stringlen);
4499 if (!ssh->v1_stdout_throttling && bufsize > SSH1_BUFFER_LIMIT) {
4500 ssh->v1_stdout_throttling = 1;
4501 ssh_throttle_conn(ssh, +1);
4502 }
4503 }
4504
4505 static void ssh1_smsg_x11_open(Ssh ssh, struct Packet *pktin)
4506 {
4507 /* Remote side is trying to open a channel to talk to our
4508 * X-Server. Give them back a local channel number. */
4509 struct ssh_channel *c;
4510 int remoteid = ssh_pkt_getuint32(pktin);
4511
4512 logevent("Received X11 connect request");
4513 /* Refuse if X11 forwarding is disabled. */
4514 if (!ssh->X11_fwd_enabled) {
4515 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4516 PKT_INT, remoteid, PKT_END);
4517 logevent("Rejected X11 connect request");
4518 } else {
4519 c = snew(struct ssh_channel);
4520 c->ssh = ssh;
4521
4522 if (x11_init(&c->u.x11.s, ssh->cfg.x11_display, c,
4523 ssh->x11auth, NULL, -1, &ssh->cfg) != NULL) {
4524 logevent("Opening X11 forward connection failed");
4525 sfree(c);
4526 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4527 PKT_INT, remoteid, PKT_END);
4528 } else {
4529 logevent
4530 ("Opening X11 forward connection succeeded");
4531 c->remoteid = remoteid;
4532 c->halfopen = FALSE;
4533 c->localid = alloc_channel_id(ssh);
4534 c->closes = 0;
4535 c->throttling_conn = 0;
4536 c->type = CHAN_X11; /* identify channel type */
4537 add234(ssh->channels, c);
4538 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4539 PKT_INT, c->remoteid, PKT_INT,
4540 c->localid, PKT_END);
4541 logevent("Opened X11 forward channel");
4542 }
4543 }
4544 }
4545
4546 static void ssh1_smsg_agent_open(Ssh ssh, struct Packet *pktin)
4547 {
4548 /* Remote side is trying to open a channel to talk to our
4549 * agent. Give them back a local channel number. */
4550 struct ssh_channel *c;
4551 int remoteid = ssh_pkt_getuint32(pktin);
4552
4553 /* Refuse if agent forwarding is disabled. */
4554 if (!ssh->agentfwd_enabled) {
4555 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4556 PKT_INT, remoteid, PKT_END);
4557 } else {
4558 c = snew(struct ssh_channel);
4559 c->ssh = ssh;
4560 c->remoteid = remoteid;
4561 c->halfopen = FALSE;
4562 c->localid = alloc_channel_id(ssh);
4563 c->closes = 0;
4564 c->throttling_conn = 0;
4565 c->type = CHAN_AGENT; /* identify channel type */
4566 c->u.a.lensofar = 0;
4567 add234(ssh->channels, c);
4568 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4569 PKT_INT, c->remoteid, PKT_INT, c->localid,
4570 PKT_END);
4571 }
4572 }
4573
4574 static void ssh1_msg_port_open(Ssh ssh, struct Packet *pktin)
4575 {
4576 /* Remote side is trying to open a channel to talk to a
4577 * forwarded port. Give them back a local channel number. */
4578 struct ssh_channel *c;
4579 struct ssh_rportfwd pf, *pfp;
4580 int remoteid;
4581 int hostsize, port;
4582 char *host;
4583 const char *e;
4584 c = snew(struct ssh_channel);
4585 c->ssh = ssh;
4586
4587 remoteid = ssh_pkt_getuint32(pktin);
4588 ssh_pkt_getstring(pktin, &host, &hostsize);
4589 port = ssh_pkt_getuint32(pktin);
4590
4591 if (hostsize >= lenof(pf.dhost))
4592 hostsize = lenof(pf.dhost)-1;
4593 memcpy(pf.dhost, host, hostsize);
4594 pf.dhost[hostsize] = '\0';
4595 pf.dport = port;
4596 pfp = find234(ssh->rportfwds, &pf, NULL);
4597
4598 if (pfp == NULL) {
4599 logeventf(ssh, "Rejected remote port open request for %s:%d",
4600 pf.dhost, port);
4601 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4602 PKT_INT, remoteid, PKT_END);
4603 } else {
4604 logeventf(ssh, "Received remote port open request for %s:%d",
4605 pf.dhost, port);
4606 e = pfd_newconnect(&c->u.pfd.s, pf.dhost, port,
4607 c, &ssh->cfg, pfp->pfrec->addressfamily);
4608 if (e != NULL) {
4609 logeventf(ssh, "Port open failed: %s", e);
4610 sfree(c);
4611 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4612 PKT_INT, remoteid, PKT_END);
4613 } else {
4614 c->remoteid = remoteid;
4615 c->halfopen = FALSE;
4616 c->localid = alloc_channel_id(ssh);
4617 c->closes = 0;
4618 c->throttling_conn = 0;
4619 c->type = CHAN_SOCKDATA; /* identify channel type */
4620 add234(ssh->channels, c);
4621 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4622 PKT_INT, c->remoteid, PKT_INT,
4623 c->localid, PKT_END);
4624 logevent("Forwarded port opened successfully");
4625 }
4626 }
4627 }
4628
4629 static void ssh1_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
4630 {
4631 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4632 unsigned int localid = ssh_pkt_getuint32(pktin);
4633 struct ssh_channel *c;
4634
4635 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4636 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4637 c->remoteid = localid;
4638 c->halfopen = FALSE;
4639 c->type = CHAN_SOCKDATA;
4640 c->throttling_conn = 0;
4641 pfd_confirm(c->u.pfd.s);
4642 }
4643
4644 if (c && c->closes) {
4645 /*
4646 * We have a pending close on this channel,
4647 * which we decided on before the server acked
4648 * the channel open. So now we know the
4649 * remoteid, we can close it again.
4650 */
4651 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE,
4652 PKT_INT, c->remoteid, PKT_END);
4653 }
4654 }
4655
4656 static void ssh1_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
4657 {
4658 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4659 struct ssh_channel *c;
4660
4661 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4662 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4663 logevent("Forwarded connection refused by server");
4664 pfd_close(c->u.pfd.s);
4665 del234(ssh->channels, c);
4666 sfree(c);
4667 }
4668 }
4669
4670 static void ssh1_msg_channel_close(Ssh ssh, struct Packet *pktin)
4671 {
4672 /* Remote side closes a channel. */
4673 unsigned i = ssh_pkt_getuint32(pktin);
4674 struct ssh_channel *c;
4675 c = find234(ssh->channels, &i, ssh_channelfind);
4676 if (c && !c->halfopen) {
4677 int closetype;
4678 closetype =
4679 (pktin->type == SSH1_MSG_CHANNEL_CLOSE ? 1 : 2);
4680
4681 if ((c->closes == 0) && (c->type == CHAN_X11)) {
4682 logevent("Forwarded X11 connection terminated");
4683 assert(c->u.x11.s != NULL);
4684 x11_close(c->u.x11.s);
4685 c->u.x11.s = NULL;
4686 }
4687 if ((c->closes == 0) && (c->type == CHAN_SOCKDATA)) {
4688 logevent("Forwarded port closed");
4689 assert(c->u.pfd.s != NULL);
4690 pfd_close(c->u.pfd.s);
4691 c->u.pfd.s = NULL;
4692 }
4693
4694 c->closes |= (closetype << 2); /* seen this message */
4695 if (!(c->closes & closetype)) {
4696 send_packet(ssh, pktin->type, PKT_INT, c->remoteid,
4697 PKT_END);
4698 c->closes |= closetype; /* sent it too */
4699 }
4700
4701 if (c->closes == 15) {
4702 del234(ssh->channels, c);
4703 sfree(c);
4704 }
4705 } else {
4706 bombout(("Received CHANNEL_CLOSE%s for %s channel %d\n",
4707 pktin->type == SSH1_MSG_CHANNEL_CLOSE ? "" :
4708 "_CONFIRMATION", c ? "half-open" : "nonexistent",
4709 i));
4710 }
4711 }
4712
4713 static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
4714 {
4715 /* Data sent down one of our channels. */
4716 int i = ssh_pkt_getuint32(pktin);
4717 char *p;
4718 int len;
4719 struct ssh_channel *c;
4720
4721 ssh_pkt_getstring(pktin, &p, &len);
4722
4723 c = find234(ssh->channels, &i, ssh_channelfind);
4724 if (c) {
4725 int bufsize = 0;
4726 switch (c->type) {
4727 case CHAN_X11:
4728 bufsize = x11_send(c->u.x11.s, p, len);
4729 break;
4730 case CHAN_SOCKDATA:
4731 bufsize = pfd_send(c->u.pfd.s, p, len);
4732 break;
4733 case CHAN_AGENT:
4734 /* Data for an agent message. Buffer it. */
4735 while (len > 0) {
4736 if (c->u.a.lensofar < 4) {
4737 unsigned int l = min(4 - c->u.a.lensofar, (unsigned)len);
4738 memcpy(c->u.a.msglen + c->u.a.lensofar, p,
4739 l);
4740 p += l;
4741 len -= l;
4742 c->u.a.lensofar += l;
4743 }
4744 if (c->u.a.lensofar == 4) {
4745 c->u.a.totallen =
4746 4 + GET_32BIT(c->u.a.msglen);
4747 c->u.a.message = snewn(c->u.a.totallen,
4748 unsigned char);
4749 memcpy(c->u.a.message, c->u.a.msglen, 4);
4750 }
4751 if (c->u.a.lensofar >= 4 && len > 0) {
4752 unsigned int l =
4753 min(c->u.a.totallen - c->u.a.lensofar,
4754 (unsigned)len);
4755 memcpy(c->u.a.message + c->u.a.lensofar, p,
4756 l);
4757 p += l;
4758 len -= l;
4759 c->u.a.lensofar += l;
4760 }
4761 if (c->u.a.lensofar == c->u.a.totallen) {
4762 void *reply;
4763 int replylen;
4764 if (agent_query(c->u.a.message,
4765 c->u.a.totallen,
4766 &reply, &replylen,
4767 ssh_agentf_callback, c))
4768 ssh_agentf_callback(c, reply, replylen);
4769 sfree(c->u.a.message);
4770 c->u.a.lensofar = 0;
4771 }
4772 }
4773 bufsize = 0; /* agent channels never back up */
4774 break;
4775 }
4776 if (!c->throttling_conn && bufsize > SSH1_BUFFER_LIMIT) {
4777 c->throttling_conn = 1;
4778 ssh_throttle_conn(ssh, +1);
4779 }
4780 }
4781 }
4782
4783 static void ssh1_smsg_exit_status(Ssh ssh, struct Packet *pktin)
4784 {
4785 ssh->exitcode = ssh_pkt_getuint32(pktin);
4786 logeventf(ssh, "Server sent command exit status %d", ssh->exitcode);
4787 send_packet(ssh, SSH1_CMSG_EXIT_CONFIRMATION, PKT_END);
4788 /*
4789 * In case `helpful' firewalls or proxies tack
4790 * extra human-readable text on the end of the
4791 * session which we might mistake for another
4792 * encrypted packet, we close the session once
4793 * we've sent EXIT_CONFIRMATION.
4794 */
4795 ssh_disconnect(ssh, NULL, NULL, 0, TRUE);
4796 }
4797
4798 /* Helper function to deal with sending tty modes for REQUEST_PTY */
4799 static void ssh1_send_ttymode(void *data, char *mode, char *val)
4800 {
4801 struct Packet *pktout = (struct Packet *)data;
4802 int i = 0;
4803 unsigned int arg = 0;
4804 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
4805 if (i == lenof(ssh_ttymodes)) return;
4806 switch (ssh_ttymodes[i].type) {
4807 case TTY_OP_CHAR:
4808 arg = ssh_tty_parse_specchar(val);
4809 break;
4810 case TTY_OP_BOOL:
4811 arg = ssh_tty_parse_boolean(val);
4812 break;
4813 }
4814 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
4815 ssh2_pkt_addbyte(pktout, arg);
4816 }
4817
4818
4819 static void do_ssh1_connection(Ssh ssh, unsigned char *in, int inlen,
4820 struct Packet *pktin)
4821 {
4822 crBegin(ssh->do_ssh1_connection_crstate);
4823
4824 ssh->packet_dispatch[SSH1_SMSG_STDOUT_DATA] =
4825 ssh->packet_dispatch[SSH1_SMSG_STDERR_DATA] =
4826 ssh1_smsg_stdout_stderr_data;
4827
4828 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_CONFIRMATION] =
4829 ssh1_msg_channel_open_confirmation;
4830 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_FAILURE] =
4831 ssh1_msg_channel_open_failure;
4832 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE] =
4833 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION] =
4834 ssh1_msg_channel_close;
4835 ssh->packet_dispatch[SSH1_MSG_CHANNEL_DATA] = ssh1_msg_channel_data;
4836 ssh->packet_dispatch[SSH1_SMSG_EXIT_STATUS] = ssh1_smsg_exit_status;
4837
4838 if (ssh->cfg.agentfwd && agent_exists()) {
4839 logevent("Requesting agent forwarding");
4840 send_packet(ssh, SSH1_CMSG_AGENT_REQUEST_FORWARDING, PKT_END);
4841 do {
4842 crReturnV;
4843 } while (!pktin);
4844 if (pktin->type != SSH1_SMSG_SUCCESS
4845 && pktin->type != SSH1_SMSG_FAILURE) {
4846 bombout(("Protocol confusion"));
4847 crStopV;
4848 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4849 logevent("Agent forwarding refused");
4850 } else {
4851 logevent("Agent forwarding enabled");
4852 ssh->agentfwd_enabled = TRUE;
4853 ssh->packet_dispatch[SSH1_SMSG_AGENT_OPEN] = ssh1_smsg_agent_open;
4854 }
4855 }
4856
4857 if (ssh->cfg.x11_forward) {
4858 char proto[20], data[64];
4859 logevent("Requesting X11 forwarding");
4860 ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
4861 data, sizeof(data), ssh->cfg.x11_auth);
4862 x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
4863 /*
4864 * Note that while we blank the X authentication data here, we don't
4865 * take any special action to blank the start of an X11 channel,
4866 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
4867 * without having session blanking enabled is likely to leak your
4868 * cookie into the log.
4869 */
4870 if (ssh->v1_local_protoflags & SSH1_PROTOFLAG_SCREEN_NUMBER) {
4871 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
4872 PKT_STR, proto,
4873 PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER,
4874 PKT_INT, x11_get_screen_number(ssh->cfg.x11_display),
4875 PKT_END);
4876 } else {
4877 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
4878 PKT_STR, proto,
4879 PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER, PKT_END);
4880 }
4881 do {
4882 crReturnV;
4883 } while (!pktin);
4884 if (pktin->type != SSH1_SMSG_SUCCESS
4885 && pktin->type != SSH1_SMSG_FAILURE) {
4886 bombout(("Protocol confusion"));
4887 crStopV;
4888 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4889 logevent("X11 forwarding refused");
4890 } else {
4891 logevent("X11 forwarding enabled");
4892 ssh->X11_fwd_enabled = TRUE;
4893 ssh->packet_dispatch[SSH1_SMSG_X11_OPEN] = ssh1_smsg_x11_open;
4894 }
4895 }
4896
4897 ssh_setup_portfwd(ssh, &ssh->cfg);
4898 ssh->packet_dispatch[SSH1_MSG_PORT_OPEN] = ssh1_msg_port_open;
4899
4900 if (!ssh->cfg.nopty) {
4901 struct Packet *pkt;
4902 /* Unpick the terminal-speed string. */
4903 /* XXX perhaps we should allow no speeds to be sent. */
4904 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
4905 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
4906 /* Send the pty request. */
4907 pkt = ssh1_pkt_init(SSH1_CMSG_REQUEST_PTY);
4908 ssh_pkt_addstring(pkt, ssh->cfg.termtype);
4909 ssh_pkt_adduint32(pkt, ssh->term_height);
4910 ssh_pkt_adduint32(pkt, ssh->term_width);
4911 ssh_pkt_adduint32(pkt, 0); /* width in pixels */
4912 ssh_pkt_adduint32(pkt, 0); /* height in pixels */
4913 parse_ttymodes(ssh, ssh->cfg.ttymodes,
4914 ssh1_send_ttymode, (void *)pkt);
4915 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_ISPEED);
4916 ssh_pkt_adduint32(pkt, ssh->ispeed);
4917 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_OSPEED);
4918 ssh_pkt_adduint32(pkt, ssh->ospeed);
4919 ssh_pkt_addbyte(pkt, SSH_TTY_OP_END);
4920 s_wrpkt(ssh, pkt);
4921 ssh->state = SSH_STATE_INTERMED;
4922 do {
4923 crReturnV;
4924 } while (!pktin);
4925 if (pktin->type != SSH1_SMSG_SUCCESS
4926 && pktin->type != SSH1_SMSG_FAILURE) {
4927 bombout(("Protocol confusion"));
4928 crStopV;
4929 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4930 c_write_str(ssh, "Server refused to allocate pty\r\n");
4931 ssh->editing = ssh->echoing = 1;
4932 }
4933 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
4934 ssh->ospeed, ssh->ispeed);
4935 } else {
4936 ssh->editing = ssh->echoing = 1;
4937 }
4938
4939 if (ssh->cfg.compression) {
4940 send_packet(ssh, SSH1_CMSG_REQUEST_COMPRESSION, PKT_INT, 6, PKT_END);
4941 do {
4942 crReturnV;
4943 } while (!pktin);
4944 if (pktin->type != SSH1_SMSG_SUCCESS
4945 && pktin->type != SSH1_SMSG_FAILURE) {
4946 bombout(("Protocol confusion"));
4947 crStopV;
4948 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4949 c_write_str(ssh, "Server refused to compress\r\n");
4950 }
4951 logevent("Started compression");
4952 ssh->v1_compressing = TRUE;
4953 ssh->cs_comp_ctx = zlib_compress_init();
4954 logevent("Initialised zlib (RFC1950) compression");
4955 ssh->sc_comp_ctx = zlib_decompress_init();
4956 logevent("Initialised zlib (RFC1950) decompression");
4957 }
4958
4959 /*
4960 * Start the shell or command.
4961 *
4962 * Special case: if the first-choice command is an SSH-2
4963 * subsystem (hence not usable here) and the second choice
4964 * exists, we fall straight back to that.
4965 */
4966 {
4967 char *cmd = ssh->cfg.remote_cmd_ptr;
4968
4969 if (!cmd) cmd = ssh->cfg.remote_cmd;
4970
4971 if (ssh->cfg.ssh_subsys && ssh->cfg.remote_cmd_ptr2) {
4972 cmd = ssh->cfg.remote_cmd_ptr2;
4973 ssh->fallback_cmd = TRUE;
4974 }
4975 if (*cmd)
4976 send_packet(ssh, SSH1_CMSG_EXEC_CMD, PKT_STR, cmd, PKT_END);
4977 else
4978 send_packet(ssh, SSH1_CMSG_EXEC_SHELL, PKT_END);
4979 logevent("Started session");
4980 }
4981
4982 ssh->state = SSH_STATE_SESSION;
4983 if (ssh->size_needed)
4984 ssh_size(ssh, ssh->term_width, ssh->term_height);
4985 if (ssh->eof_needed)
4986 ssh_special(ssh, TS_EOF);
4987
4988 if (ssh->ldisc)
4989 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
4990 ssh->send_ok = 1;
4991 ssh->channels = newtree234(ssh_channelcmp);
4992 while (1) {
4993
4994 /*
4995 * By this point, most incoming packets are already being
4996 * handled by the dispatch table, and we need only pay
4997 * attention to the unusual ones.
4998 */
4999
5000 crReturnV;
5001 if (pktin) {
5002 if (pktin->type == SSH1_SMSG_SUCCESS) {
5003 /* may be from EXEC_SHELL on some servers */
5004 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5005 /* may be from EXEC_SHELL on some servers
5006 * if no pty is available or in other odd cases. Ignore */
5007 } else {
5008 bombout(("Strange packet received: type %d", pktin->type));
5009 crStopV;
5010 }
5011 } else {
5012 while (inlen > 0) {
5013 int len = min(inlen, 512);
5014 send_packet(ssh, SSH1_CMSG_STDIN_DATA,
5015 PKT_INT, len, PKTT_DATA, PKT_DATA, in, len,
5016 PKTT_OTHER, PKT_END);
5017 in += len;
5018 inlen -= len;
5019 }
5020 }
5021 }
5022
5023 crFinishV;
5024 }
5025
5026 /*
5027 * Handle the top-level SSH-2 protocol.
5028 */
5029 static void ssh1_msg_debug(Ssh ssh, struct Packet *pktin)
5030 {
5031 char *msg;
5032 int msglen;
5033
5034 ssh_pkt_getstring(pktin, &msg, &msglen);
5035 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
5036 }
5037
5038 static void ssh1_msg_disconnect(Ssh ssh, struct Packet *pktin)
5039 {
5040 /* log reason code in disconnect message */
5041 char *msg;
5042 int msglen;
5043
5044 ssh_pkt_getstring(pktin, &msg, &msglen);
5045 bombout(("Server sent disconnect message:\n\"%.*s\"", msglen, msg));
5046 }
5047
5048 static void ssh_msg_ignore(Ssh ssh, struct Packet *pktin)
5049 {
5050 /* Do nothing, because we're ignoring it! Duhh. */
5051 }
5052
5053 static void ssh1_protocol_setup(Ssh ssh)
5054 {
5055 int i;
5056
5057 /*
5058 * Most messages are handled by the coroutines.
5059 */
5060 for (i = 0; i < 256; i++)
5061 ssh->packet_dispatch[i] = NULL;
5062
5063 /*
5064 * These special message types we install handlers for.
5065 */
5066 ssh->packet_dispatch[SSH1_MSG_DISCONNECT] = ssh1_msg_disconnect;
5067 ssh->packet_dispatch[SSH1_MSG_IGNORE] = ssh_msg_ignore;
5068 ssh->packet_dispatch[SSH1_MSG_DEBUG] = ssh1_msg_debug;
5069 }
5070
5071 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
5072 struct Packet *pktin)
5073 {
5074 unsigned char *in=(unsigned char*)vin;
5075 if (ssh->state == SSH_STATE_CLOSED)
5076 return;
5077
5078 if (pktin && ssh->packet_dispatch[pktin->type]) {
5079 ssh->packet_dispatch[pktin->type](ssh, pktin);
5080 return;
5081 }
5082
5083 if (!ssh->protocol_initial_phase_done) {
5084 if (do_ssh1_login(ssh, in, inlen, pktin))
5085 ssh->protocol_initial_phase_done = TRUE;
5086 else
5087 return;
5088 }
5089
5090 do_ssh1_connection(ssh, in, inlen, pktin);
5091 }
5092
5093 /*
5094 * Utility routine for decoding comma-separated strings in KEXINIT.
5095 */
5096 static int in_commasep_string(char *needle, char *haystack, int haylen)
5097 {
5098 int needlen;
5099 if (!needle || !haystack) /* protect against null pointers */
5100 return 0;
5101 needlen = strlen(needle);
5102 while (1) {
5103 /*
5104 * Is it at the start of the string?
5105 */
5106 if (haylen >= needlen && /* haystack is long enough */
5107 !memcmp(needle, haystack, needlen) && /* initial match */
5108 (haylen == needlen || haystack[needlen] == ',')
5109 /* either , or EOS follows */
5110 )
5111 return 1;
5112 /*
5113 * If not, search for the next comma and resume after that.
5114 * If no comma found, terminate.
5115 */
5116 while (haylen > 0 && *haystack != ',')
5117 haylen--, haystack++;
5118 if (haylen == 0)
5119 return 0;
5120 haylen--, haystack++; /* skip over comma itself */
5121 }
5122 }
5123
5124 /*
5125 * Similar routine for checking whether we have the first string in a list.
5126 */
5127 static int first_in_commasep_string(char *needle, char *haystack, int haylen)
5128 {
5129 int needlen;
5130 if (!needle || !haystack) /* protect against null pointers */
5131 return 0;
5132 needlen = strlen(needle);
5133 /*
5134 * Is it at the start of the string?
5135 */
5136 if (haylen >= needlen && /* haystack is long enough */
5137 !memcmp(needle, haystack, needlen) && /* initial match */
5138 (haylen == needlen || haystack[needlen] == ',')
5139 /* either , or EOS follows */
5140 )
5141 return 1;
5142 return 0;
5143 }
5144
5145
5146 /*
5147 * SSH-2 key creation method.
5148 * (Currently assumes 2 lots of any hash are sufficient to generate
5149 * keys/IVs for any cipher/MAC. SSH2_MKKEY_ITERS documents this assumption.)
5150 */
5151 #define SSH2_MKKEY_ITERS (2)
5152 static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,
5153 unsigned char *keyspace)
5154 {
5155 const struct ssh_hash *h = ssh->kex->hash;
5156 void *s;
5157 /* First hlen bytes. */
5158 s = h->init();
5159 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5160 hash_mpint(h, s, K);
5161 h->bytes(s, H, h->hlen);
5162 h->bytes(s, &chr, 1);
5163 h->bytes(s, ssh->v2_session_id, ssh->v2_session_id_len);
5164 h->final(s, keyspace);
5165 /* Next hlen bytes. */
5166 s = h->init();
5167 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5168 hash_mpint(h, s, K);
5169 h->bytes(s, H, h->hlen);
5170 h->bytes(s, keyspace, h->hlen);
5171 h->final(s, keyspace + h->hlen);
5172 }
5173
5174 /*
5175 * Handle the SSH-2 transport layer.
5176 */
5177 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
5178 struct Packet *pktin)
5179 {
5180 unsigned char *in = (unsigned char *)vin;
5181 struct do_ssh2_transport_state {
5182 int nbits, pbits, warn_kex, warn_cscipher, warn_sccipher;
5183 Bignum p, g, e, f, K;
5184 void *our_kexinit;
5185 int our_kexinitlen;
5186 int kex_init_value, kex_reply_value;
5187 const struct ssh_mac **maclist;
5188 int nmacs;
5189 const struct ssh2_cipher *cscipher_tobe;
5190 const struct ssh2_cipher *sccipher_tobe;
5191 const struct ssh_mac *csmac_tobe;
5192 const struct ssh_mac *scmac_tobe;
5193 const struct ssh_compress *cscomp_tobe;
5194 const struct ssh_compress *sccomp_tobe;
5195 char *hostkeydata, *sigdata, *rsakeydata, *keystr, *fingerprint;
5196 int hostkeylen, siglen, rsakeylen;
5197 void *hkey; /* actual host key */
5198 void *rsakey; /* for RSA kex */
5199 unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
5200 int n_preferred_kex;
5201 const struct ssh_kexes *preferred_kex[KEX_MAX];
5202 int n_preferred_ciphers;
5203 const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
5204 const struct ssh_compress *preferred_comp;
5205 int got_session_id, activated_authconn;
5206 struct Packet *pktout;
5207 int dlgret;
5208 int guessok;
5209 int ignorepkt;
5210 };
5211 crState(do_ssh2_transport_state);
5212
5213 crBegin(ssh->do_ssh2_transport_crstate);
5214
5215 s->cscipher_tobe = s->sccipher_tobe = NULL;
5216 s->csmac_tobe = s->scmac_tobe = NULL;
5217 s->cscomp_tobe = s->sccomp_tobe = NULL;
5218
5219 s->got_session_id = s->activated_authconn = FALSE;
5220
5221 /*
5222 * Be prepared to work around the buggy MAC problem.
5223 */
5224 if (ssh->remote_bugs & BUG_SSH2_HMAC)
5225 s->maclist = buggymacs, s->nmacs = lenof(buggymacs);
5226 else
5227 s->maclist = macs, s->nmacs = lenof(macs);
5228
5229 begin_key_exchange:
5230 ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
5231 {
5232 int i, j, commalist_started;
5233
5234 /*
5235 * Set up the preferred key exchange. (NULL => warn below here)
5236 */
5237 s->n_preferred_kex = 0;
5238 for (i = 0; i < KEX_MAX; i++) {
5239 switch (ssh->cfg.ssh_kexlist[i]) {
5240 case KEX_DHGEX:
5241 s->preferred_kex[s->n_preferred_kex++] =
5242 &ssh_diffiehellman_gex;
5243 break;
5244 case KEX_DHGROUP14:
5245 s->preferred_kex[s->n_preferred_kex++] =
5246 &ssh_diffiehellman_group14;
5247 break;
5248 case KEX_DHGROUP1:
5249 s->preferred_kex[s->n_preferred_kex++] =
5250 &ssh_diffiehellman_group1;
5251 break;
5252 case KEX_RSA:
5253 s->preferred_kex[s->n_preferred_kex++] =
5254 &ssh_rsa_kex;
5255 break;
5256 case KEX_WARN:
5257 /* Flag for later. Don't bother if it's the last in
5258 * the list. */
5259 if (i < KEX_MAX - 1) {
5260 s->preferred_kex[s->n_preferred_kex++] = NULL;
5261 }
5262 break;
5263 }
5264 }
5265
5266 /*
5267 * Set up the preferred ciphers. (NULL => warn below here)
5268 */
5269 s->n_preferred_ciphers = 0;
5270 for (i = 0; i < CIPHER_MAX; i++) {
5271 switch (ssh->cfg.ssh_cipherlist[i]) {
5272 case CIPHER_BLOWFISH:
5273 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_blowfish;
5274 break;
5275 case CIPHER_DES:
5276 if (ssh->cfg.ssh2_des_cbc) {
5277 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_des;
5278 }
5279 break;
5280 case CIPHER_3DES:
5281 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_3des;
5282 break;
5283 case CIPHER_AES:
5284 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_aes;
5285 break;
5286 case CIPHER_ARCFOUR:
5287 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour;
5288 break;
5289 case CIPHER_WARN:
5290 /* Flag for later. Don't bother if it's the last in
5291 * the list. */
5292 if (i < CIPHER_MAX - 1) {
5293 s->preferred_ciphers[s->n_preferred_ciphers++] = NULL;
5294 }
5295 break;
5296 }
5297 }
5298
5299 /*
5300 * Set up preferred compression.
5301 */
5302 if (ssh->cfg.compression)
5303 s->preferred_comp = &ssh_zlib;
5304 else
5305 s->preferred_comp = &ssh_comp_none;
5306
5307 /*
5308 * Enable queueing of outgoing auth- or connection-layer
5309 * packets while we are in the middle of a key exchange.
5310 */
5311 ssh->queueing = TRUE;
5312
5313 /*
5314 * Flag that KEX is in progress.
5315 */
5316 ssh->kex_in_progress = TRUE;
5317
5318 /*
5319 * Construct and send our key exchange packet.
5320 */
5321 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXINIT);
5322 for (i = 0; i < 16; i++)
5323 ssh2_pkt_addbyte(s->pktout, (unsigned char) random_byte());
5324 /* List key exchange algorithms. */
5325 ssh2_pkt_addstring_start(s->pktout);
5326 commalist_started = 0;
5327 for (i = 0; i < s->n_preferred_kex; i++) {
5328 const struct ssh_kexes *k = s->preferred_kex[i];
5329 if (!k) continue; /* warning flag */
5330 for (j = 0; j < k->nkexes; j++) {
5331 if (commalist_started)
5332 ssh2_pkt_addstring_str(s->pktout, ",");
5333 ssh2_pkt_addstring_str(s->pktout, k->list[j]->name);
5334 commalist_started = 1;
5335 }
5336 }
5337 /* List server host key algorithms. */
5338 ssh2_pkt_addstring_start(s->pktout);
5339 for (i = 0; i < lenof(hostkey_algs); i++) {
5340 ssh2_pkt_addstring_str(s->pktout, hostkey_algs[i]->name);
5341 if (i < lenof(hostkey_algs) - 1)
5342 ssh2_pkt_addstring_str(s->pktout, ",");
5343 }
5344 /* List client->server encryption algorithms. */
5345 ssh2_pkt_addstring_start(s->pktout);
5346 commalist_started = 0;
5347 for (i = 0; i < s->n_preferred_ciphers; i++) {
5348 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5349 if (!c) continue; /* warning flag */
5350 for (j = 0; j < c->nciphers; j++) {
5351 if (commalist_started)
5352 ssh2_pkt_addstring_str(s->pktout, ",");
5353 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5354 commalist_started = 1;
5355 }
5356 }
5357 /* List server->client encryption algorithms. */
5358 ssh2_pkt_addstring_start(s->pktout);
5359 commalist_started = 0;
5360 for (i = 0; i < s->n_preferred_ciphers; i++) {
5361 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5362 if (!c) continue; /* warning flag */
5363 for (j = 0; j < c->nciphers; j++) {
5364 if (commalist_started)
5365 ssh2_pkt_addstring_str(s->pktout, ",");
5366 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5367 commalist_started = 1;
5368 }
5369 }
5370 /* List client->server MAC algorithms. */
5371 ssh2_pkt_addstring_start(s->pktout);
5372 for (i = 0; i < s->nmacs; i++) {
5373 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5374 if (i < s->nmacs - 1)
5375 ssh2_pkt_addstring_str(s->pktout, ",");
5376 }
5377 /* List server->client MAC algorithms. */
5378 ssh2_pkt_addstring_start(s->pktout);
5379 for (i = 0; i < s->nmacs; i++) {
5380 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5381 if (i < s->nmacs - 1)
5382 ssh2_pkt_addstring_str(s->pktout, ",");
5383 }
5384 /* List client->server compression algorithms. */
5385 ssh2_pkt_addstring_start(s->pktout);
5386 assert(lenof(compressions) > 1);
5387 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5388 for (i = 0; i < lenof(compressions); i++) {
5389 const struct ssh_compress *c = compressions[i];
5390 if (c != s->preferred_comp) {
5391 ssh2_pkt_addstring_str(s->pktout, ",");
5392 ssh2_pkt_addstring_str(s->pktout, c->name);
5393 }
5394 }
5395 /* List server->client compression algorithms. */
5396 ssh2_pkt_addstring_start(s->pktout);
5397 assert(lenof(compressions) > 1);
5398 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5399 for (i = 0; i < lenof(compressions); i++) {
5400 const struct ssh_compress *c = compressions[i];
5401 if (c != s->preferred_comp) {
5402 ssh2_pkt_addstring_str(s->pktout, ",");
5403 ssh2_pkt_addstring_str(s->pktout, c->name);
5404 }
5405 }
5406 /* List client->server languages. Empty list. */
5407 ssh2_pkt_addstring_start(s->pktout);
5408 /* List server->client languages. Empty list. */
5409 ssh2_pkt_addstring_start(s->pktout);
5410 /* First KEX packet does _not_ follow, because we're not that brave. */
5411 ssh2_pkt_addbool(s->pktout, FALSE);
5412 /* Reserved. */
5413 ssh2_pkt_adduint32(s->pktout, 0);
5414 }
5415
5416 s->our_kexinitlen = s->pktout->length - 5;
5417 s->our_kexinit = snewn(s->our_kexinitlen, unsigned char);
5418 memcpy(s->our_kexinit, s->pktout->data + 5, s->our_kexinitlen);
5419
5420 ssh2_pkt_send_noqueue(ssh, s->pktout);
5421
5422 if (!pktin)
5423 crWaitUntil(pktin);
5424
5425 /*
5426 * Now examine the other side's KEXINIT to see what we're up
5427 * to.
5428 */
5429 {
5430 char *str, *preferred;
5431 int i, j, len;
5432
5433 if (pktin->type != SSH2_MSG_KEXINIT) {
5434 bombout(("expected key exchange packet from server"));
5435 crStop(0);
5436 }
5437 ssh->kex = NULL;
5438 ssh->hostkey = NULL;
5439 s->cscipher_tobe = NULL;
5440 s->sccipher_tobe = NULL;
5441 s->csmac_tobe = NULL;
5442 s->scmac_tobe = NULL;
5443 s->cscomp_tobe = NULL;
5444 s->sccomp_tobe = NULL;
5445 s->warn_kex = s->warn_cscipher = s->warn_sccipher = FALSE;
5446
5447 pktin->savedpos += 16; /* skip garbage cookie */
5448 ssh_pkt_getstring(pktin, &str, &len); /* key exchange algorithms */
5449
5450 preferred = NULL;
5451 for (i = 0; i < s->n_preferred_kex; i++) {
5452 const struct ssh_kexes *k = s->preferred_kex[i];
5453 if (!k) {
5454 s->warn_kex = TRUE;
5455 } else {
5456 for (j = 0; j < k->nkexes; j++) {
5457 if (!preferred) preferred = k->list[j]->name;
5458 if (in_commasep_string(k->list[j]->name, str, len)) {
5459 ssh->kex = k->list[j];
5460 break;
5461 }
5462 }
5463 }
5464 if (ssh->kex)
5465 break;
5466 }
5467 if (!ssh->kex) {
5468 bombout(("Couldn't agree a key exchange algorithm (available: %s)",
5469 str ? str : "(null)"));
5470 crStop(0);
5471 }
5472 /*
5473 * Note that the server's guess is considered wrong if it doesn't match
5474 * the first algorithm in our list, even if it's still the algorithm
5475 * we end up using.
5476 */
5477 s->guessok = first_in_commasep_string(preferred, str, len);
5478 ssh_pkt_getstring(pktin, &str, &len); /* host key algorithms */
5479 for (i = 0; i < lenof(hostkey_algs); i++) {
5480 if (in_commasep_string(hostkey_algs[i]->name, str, len)) {
5481 ssh->hostkey = hostkey_algs[i];
5482 break;
5483 }
5484 }
5485 s->guessok = s->guessok &&
5486 first_in_commasep_string(hostkey_algs[0]->name, str, len);
5487 ssh_pkt_getstring(pktin, &str, &len); /* client->server cipher */
5488 for (i = 0; i < s->n_preferred_ciphers; i++) {
5489 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5490 if (!c) {
5491 s->warn_cscipher = TRUE;
5492 } else {
5493 for (j = 0; j < c->nciphers; j++) {
5494 if (in_commasep_string(c->list[j]->name, str, len)) {
5495 s->cscipher_tobe = c->list[j];
5496 break;
5497 }
5498 }
5499 }
5500 if (s->cscipher_tobe)
5501 break;
5502 }
5503 if (!s->cscipher_tobe) {
5504 bombout(("Couldn't agree a client-to-server cipher (available: %s)",
5505 str ? str : "(null)"));
5506 crStop(0);
5507 }
5508
5509 ssh_pkt_getstring(pktin, &str, &len); /* server->client cipher */
5510 for (i = 0; i < s->n_preferred_ciphers; i++) {
5511 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5512 if (!c) {
5513 s->warn_sccipher = TRUE;
5514 } else {
5515 for (j = 0; j < c->nciphers; j++) {
5516 if (in_commasep_string(c->list[j]->name, str, len)) {
5517 s->sccipher_tobe = c->list[j];
5518 break;
5519 }
5520 }
5521 }
5522 if (s->sccipher_tobe)
5523 break;
5524 }
5525 if (!s->sccipher_tobe) {
5526 bombout(("Couldn't agree a server-to-client cipher (available: %s)",
5527 str ? str : "(null)"));
5528 crStop(0);
5529 }
5530
5531 ssh_pkt_getstring(pktin, &str, &len); /* client->server mac */
5532 for (i = 0; i < s->nmacs; i++) {
5533 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5534 s->csmac_tobe = s->maclist[i];
5535 break;
5536 }
5537 }
5538 ssh_pkt_getstring(pktin, &str, &len); /* server->client mac */
5539 for (i = 0; i < s->nmacs; i++) {
5540 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5541 s->scmac_tobe = s->maclist[i];
5542 break;
5543 }
5544 }
5545 ssh_pkt_getstring(pktin, &str, &len); /* client->server compression */
5546 for (i = 0; i < lenof(compressions) + 1; i++) {
5547 const struct ssh_compress *c =
5548 i == 0 ? s->preferred_comp : compressions[i - 1];
5549 if (in_commasep_string(c->name, str, len)) {
5550 s->cscomp_tobe = c;
5551 break;
5552 }
5553 }
5554 ssh_pkt_getstring(pktin, &str, &len); /* server->client compression */
5555 for (i = 0; i < lenof(compressions) + 1; i++) {
5556 const struct ssh_compress *c =
5557 i == 0 ? s->preferred_comp : compressions[i - 1];
5558 if (in_commasep_string(c->name, str, len)) {
5559 s->sccomp_tobe = c;
5560 break;
5561 }
5562 }
5563 ssh_pkt_getstring(pktin, &str, &len); /* client->server language */
5564 ssh_pkt_getstring(pktin, &str, &len); /* server->client language */
5565 s->ignorepkt = ssh2_pkt_getbool(pktin) && !s->guessok;
5566
5567 if (s->warn_kex) {
5568 ssh_set_frozen(ssh, 1);
5569 s->dlgret = askalg(ssh->frontend, "key-exchange algorithm",
5570 ssh->kex->name,
5571 ssh_dialog_callback, ssh);
5572 if (s->dlgret < 0) {
5573 do {
5574 crReturn(0);
5575 if (pktin) {
5576 bombout(("Unexpected data from server while"
5577 " waiting for user response"));
5578 crStop(0);
5579 }
5580 } while (pktin || inlen > 0);
5581 s->dlgret = ssh->user_response;
5582 }
5583 ssh_set_frozen(ssh, 0);
5584 if (s->dlgret == 0) {
5585 ssh_disconnect(ssh, "User aborted at kex warning", NULL,
5586 0, TRUE);
5587 crStop(0);
5588 }
5589 }
5590
5591 if (s->warn_cscipher) {
5592 ssh_set_frozen(ssh, 1);
5593 s->dlgret = askalg(ssh->frontend,
5594 "client-to-server cipher",
5595 s->cscipher_tobe->name,
5596 ssh_dialog_callback, ssh);
5597 if (s->dlgret < 0) {
5598 do {
5599 crReturn(0);
5600 if (pktin) {
5601 bombout(("Unexpected data from server while"
5602 " waiting for user response"));
5603 crStop(0);
5604 }
5605 } while (pktin || inlen > 0);
5606 s->dlgret = ssh->user_response;
5607 }
5608 ssh_set_frozen(ssh, 0);
5609 if (s->dlgret == 0) {
5610 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5611 0, TRUE);
5612 crStop(0);
5613 }
5614 }
5615
5616 if (s->warn_sccipher) {
5617 ssh_set_frozen(ssh, 1);
5618 s->dlgret = askalg(ssh->frontend,
5619 "server-to-client cipher",
5620 s->sccipher_tobe->name,
5621 ssh_dialog_callback, ssh);
5622 if (s->dlgret < 0) {
5623 do {
5624 crReturn(0);
5625 if (pktin) {
5626 bombout(("Unexpected data from server while"
5627 " waiting for user response"));
5628 crStop(0);
5629 }
5630 } while (pktin || inlen > 0);
5631 s->dlgret = ssh->user_response;
5632 }
5633 ssh_set_frozen(ssh, 0);
5634 if (s->dlgret == 0) {
5635 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5636 0, TRUE);
5637 crStop(0);
5638 }
5639 }
5640
5641 ssh->exhash = ssh->kex->hash->init();
5642 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_c, strlen(ssh->v_c));
5643 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_s, strlen(ssh->v_s));
5644 hash_string(ssh->kex->hash, ssh->exhash,
5645 s->our_kexinit, s->our_kexinitlen);
5646 sfree(s->our_kexinit);
5647 if (pktin->length > 5)
5648 hash_string(ssh->kex->hash, ssh->exhash,
5649 pktin->data + 5, pktin->length - 5);
5650
5651 if (s->ignorepkt) /* first_kex_packet_follows */
5652 crWaitUntil(pktin); /* Ignore packet */
5653 }
5654
5655 if (ssh->kex->main_type == KEXTYPE_DH) {
5656 /*
5657 * Work out the number of bits of key we will need from the
5658 * key exchange. We start with the maximum key length of
5659 * either cipher...
5660 */
5661 {
5662 int csbits, scbits;
5663
5664 csbits = s->cscipher_tobe->keylen;
5665 scbits = s->sccipher_tobe->keylen;
5666 s->nbits = (csbits > scbits ? csbits : scbits);
5667 }
5668 /* The keys only have hlen-bit entropy, since they're based on
5669 * a hash. So cap the key size at hlen bits. */
5670 if (s->nbits > ssh->kex->hash->hlen * 8)
5671 s->nbits = ssh->kex->hash->hlen * 8;
5672
5673 /*
5674 * If we're doing Diffie-Hellman group exchange, start by
5675 * requesting a group.
5676 */
5677 if (!ssh->kex->pdata) {
5678 logevent("Doing Diffie-Hellman group exchange");
5679 ssh->pkt_kctx = SSH2_PKTCTX_DHGEX;
5680 /*
5681 * Work out how big a DH group we will need to allow that
5682 * much data.
5683 */
5684 s->pbits = 512 << ((s->nbits - 1) / 64);
5685 s->pktout = ssh2_pkt_init(SSH2_MSG_KEX_DH_GEX_REQUEST);
5686 ssh2_pkt_adduint32(s->pktout, s->pbits);
5687 ssh2_pkt_send_noqueue(ssh, s->pktout);
5688
5689 crWaitUntil(pktin);
5690 if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
5691 bombout(("expected key exchange group packet from server"));
5692 crStop(0);
5693 }
5694 s->p = ssh2_pkt_getmp(pktin);
5695 s->g = ssh2_pkt_getmp(pktin);
5696 if (!s->p || !s->g) {
5697 bombout(("unable to read mp-ints from incoming group packet"));
5698 crStop(0);
5699 }
5700 ssh->kex_ctx = dh_setup_gex(s->p, s->g);
5701 s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
5702 s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
5703 } else {
5704 ssh->pkt_kctx = SSH2_PKTCTX_DHGROUP;
5705 ssh->kex_ctx = dh_setup_group(ssh->kex);
5706 s->kex_init_value = SSH2_MSG_KEXDH_INIT;
5707 s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
5708 logeventf(ssh, "Using Diffie-Hellman with standard group \"%s\"",
5709 ssh->kex->groupname);
5710 }
5711
5712 logeventf(ssh, "Doing Diffie-Hellman key exchange with hash %s",
5713 ssh->kex->hash->text_name);
5714 /*
5715 * Now generate and send e for Diffie-Hellman.
5716 */
5717 set_busy_status(ssh->frontend, BUSY_CPU); /* this can take a while */
5718 s->e = dh_create_e(ssh->kex_ctx, s->nbits * 2);
5719 s->pktout = ssh2_pkt_init(s->kex_init_value);
5720 ssh2_pkt_addmp(s->pktout, s->e);
5721 ssh2_pkt_send_noqueue(ssh, s->pktout);
5722
5723 set_busy_status(ssh->frontend, BUSY_WAITING); /* wait for server */
5724 crWaitUntil(pktin);
5725 if (pktin->type != s->kex_reply_value) {
5726 bombout(("expected key exchange reply packet from server"));
5727 crStop(0);
5728 }
5729 set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
5730 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5731 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5732 s->f = ssh2_pkt_getmp(pktin);
5733 if (!s->f) {
5734 bombout(("unable to parse key exchange reply packet"));
5735 crStop(0);
5736 }
5737 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
5738
5739 s->K = dh_find_K(ssh->kex_ctx, s->f);
5740
5741 /* We assume everything from now on will be quick, and it might
5742 * involve user interaction. */
5743 set_busy_status(ssh->frontend, BUSY_NOT);
5744
5745 hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
5746 if (!ssh->kex->pdata) {
5747 hash_uint32(ssh->kex->hash, ssh->exhash, s->pbits);
5748 hash_mpint(ssh->kex->hash, ssh->exhash, s->p);
5749 hash_mpint(ssh->kex->hash, ssh->exhash, s->g);
5750 }
5751 hash_mpint(ssh->kex->hash, ssh->exhash, s->e);
5752 hash_mpint(ssh->kex->hash, ssh->exhash, s->f);
5753
5754 dh_cleanup(ssh->kex_ctx);
5755 freebn(s->f);
5756 if (!ssh->kex->pdata) {
5757 freebn(s->g);
5758 freebn(s->p);
5759 }
5760 } else {
5761 logeventf(ssh, "Doing RSA key exchange with hash %s",
5762 ssh->kex->hash->text_name);
5763 ssh->pkt_kctx = SSH2_PKTCTX_RSAKEX;
5764 /*
5765 * RSA key exchange. First expect a KEXRSA_PUBKEY packet
5766 * from the server.
5767 */
5768 crWaitUntil(pktin);
5769 if (pktin->type != SSH2_MSG_KEXRSA_PUBKEY) {
5770 bombout(("expected RSA public key packet from server"));
5771 crStop(0);
5772 }
5773
5774 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5775 hash_string(ssh->kex->hash, ssh->exhash,
5776 s->hostkeydata, s->hostkeylen);
5777 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5778
5779 {
5780 char *keydata;
5781 ssh_pkt_getstring(pktin, &keydata, &s->rsakeylen);
5782 s->rsakeydata = snewn(s->rsakeylen, char);
5783 memcpy(s->rsakeydata, keydata, s->rsakeylen);
5784 }
5785
5786 s->rsakey = ssh_rsakex_newkey(s->rsakeydata, s->rsakeylen);
5787 if (!s->rsakey) {
5788 sfree(s->rsakeydata);
5789 bombout(("unable to parse RSA public key from server"));
5790 crStop(0);
5791 }
5792
5793 hash_string(ssh->kex->hash, ssh->exhash, s->rsakeydata, s->rsakeylen);
5794
5795 /*
5796 * Next, set up a shared secret K, of precisely KLEN -
5797 * 2*HLEN - 49 bits, where KLEN is the bit length of the
5798 * RSA key modulus and HLEN is the bit length of the hash
5799 * we're using.
5800 */
5801 {
5802 int klen = ssh_rsakex_klen(s->rsakey);
5803 int nbits = klen - (2*ssh->kex->hash->hlen*8 + 49);
5804 int i, byte = 0;
5805 unsigned char *kstr1, *kstr2, *outstr;
5806 int kstr1len, kstr2len, outstrlen;
5807
5808 s->K = bn_power_2(nbits - 1);
5809
5810 for (i = 0; i < nbits; i++) {
5811 if ((i & 7) == 0) {
5812 byte = random_byte();
5813 }
5814 bignum_set_bit(s->K, i, (byte >> (i & 7)) & 1);
5815 }
5816
5817 /*
5818 * Encode this as an mpint.
5819 */
5820 kstr1 = ssh2_mpint_fmt(s->K, &kstr1len);
5821 kstr2 = snewn(kstr2len = 4 + kstr1len, unsigned char);
5822 PUT_32BIT(kstr2, kstr1len);
5823 memcpy(kstr2 + 4, kstr1, kstr1len);
5824
5825 /*
5826 * Encrypt it with the given RSA key.
5827 */
5828 outstrlen = (klen + 7) / 8;
5829 outstr = snewn(outstrlen, unsigned char);
5830 ssh_rsakex_encrypt(ssh->kex->hash, kstr2, kstr2len,
5831 outstr, outstrlen, s->rsakey);
5832
5833 /*
5834 * And send it off in a return packet.
5835 */
5836 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXRSA_SECRET);
5837 ssh2_pkt_addstring_start(s->pktout);
5838 ssh2_pkt_addstring_data(s->pktout, (char *)outstr, outstrlen);
5839 ssh2_pkt_send_noqueue(ssh, s->pktout);
5840
5841 hash_string(ssh->kex->hash, ssh->exhash, outstr, outstrlen);
5842
5843 sfree(kstr2);
5844 sfree(kstr1);
5845 sfree(outstr);
5846 }
5847
5848 ssh_rsakex_freekey(s->rsakey);
5849
5850 crWaitUntil(pktin);
5851 if (pktin->type != SSH2_MSG_KEXRSA_DONE) {
5852 sfree(s->rsakeydata);
5853 bombout(("expected signature packet from server"));
5854 crStop(0);
5855 }
5856
5857 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
5858
5859 sfree(s->rsakeydata);
5860 }
5861
5862 hash_mpint(ssh->kex->hash, ssh->exhash, s->K);
5863 assert(ssh->kex->hash->hlen <= sizeof(s->exchange_hash));
5864 ssh->kex->hash->final(ssh->exhash, s->exchange_hash);
5865
5866 ssh->kex_ctx = NULL;
5867
5868 #if 0
5869 debug(("Exchange hash is:\n"));
5870 dmemdump(s->exchange_hash, ssh->kex->hash->hlen);
5871 #endif
5872
5873 if (!s->hkey ||
5874 !ssh->hostkey->verifysig(s->hkey, s->sigdata, s->siglen,
5875 (char *)s->exchange_hash,
5876 ssh->kex->hash->hlen)) {
5877 bombout(("Server's host key did not match the signature supplied"));
5878 crStop(0);
5879 }
5880
5881 /*
5882 * Authenticate remote host: verify host key. (We've already
5883 * checked the signature of the exchange hash.)
5884 */
5885 s->keystr = ssh->hostkey->fmtkey(s->hkey);
5886 s->fingerprint = ssh->hostkey->fingerprint(s->hkey);
5887 ssh_set_frozen(ssh, 1);
5888 s->dlgret = verify_ssh_host_key(ssh->frontend,
5889 ssh->savedhost, ssh->savedport,
5890 ssh->hostkey->keytype, s->keystr,
5891 s->fingerprint,
5892 ssh_dialog_callback, ssh);
5893 if (s->dlgret < 0) {
5894 do {
5895 crReturn(0);
5896 if (pktin) {
5897 bombout(("Unexpected data from server while waiting"
5898 " for user host key response"));
5899 crStop(0);
5900 }
5901 } while (pktin || inlen > 0);
5902 s->dlgret = ssh->user_response;
5903 }
5904 ssh_set_frozen(ssh, 0);
5905 if (s->dlgret == 0) {
5906 ssh_disconnect(ssh, "User aborted at host key verification", NULL,
5907 0, TRUE);
5908 crStop(0);
5909 }
5910 if (!s->got_session_id) { /* don't bother logging this in rekeys */
5911 logevent("Host key fingerprint is:");
5912 logevent(s->fingerprint);
5913 }
5914 sfree(s->fingerprint);
5915 sfree(s->keystr);
5916 ssh->hostkey->freekey(s->hkey);
5917
5918 /*
5919 * The exchange hash from the very first key exchange is also
5920 * the session id, used in session key construction and
5921 * authentication.
5922 */
5923 if (!s->got_session_id) {
5924 assert(sizeof(s->exchange_hash) <= sizeof(ssh->v2_session_id));
5925 memcpy(ssh->v2_session_id, s->exchange_hash,
5926 sizeof(s->exchange_hash));
5927 ssh->v2_session_id_len = ssh->kex->hash->hlen;
5928 assert(ssh->v2_session_id_len <= sizeof(ssh->v2_session_id));
5929 s->got_session_id = TRUE;
5930 }
5931
5932 /*
5933 * Send SSH2_MSG_NEWKEYS.
5934 */
5935 s->pktout = ssh2_pkt_init(SSH2_MSG_NEWKEYS);
5936 ssh2_pkt_send_noqueue(ssh, s->pktout);
5937 ssh->outgoing_data_size = 0; /* start counting from here */
5938
5939 /*
5940 * We've sent client NEWKEYS, so create and initialise
5941 * client-to-server session keys.
5942 */
5943 if (ssh->cs_cipher_ctx)
5944 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
5945 ssh->cscipher = s->cscipher_tobe;
5946 ssh->cs_cipher_ctx = ssh->cscipher->make_context();
5947
5948 if (ssh->cs_mac_ctx)
5949 ssh->csmac->free_context(ssh->cs_mac_ctx);
5950 ssh->csmac = s->csmac_tobe;
5951 ssh->cs_mac_ctx = ssh->csmac->make_context();
5952
5953 if (ssh->cs_comp_ctx)
5954 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
5955 ssh->cscomp = s->cscomp_tobe;
5956 ssh->cs_comp_ctx = ssh->cscomp->compress_init();
5957
5958 /*
5959 * Set IVs on client-to-server keys. Here we use the exchange
5960 * hash from the _first_ key exchange.
5961 */
5962 {
5963 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
5964 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5965 ssh2_mkkey(ssh,s->K,s->exchange_hash,'C',keyspace);
5966 assert((ssh->cscipher->keylen+7) / 8 <=
5967 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5968 ssh->cscipher->setkey(ssh->cs_cipher_ctx, keyspace);
5969 ssh2_mkkey(ssh,s->K,s->exchange_hash,'A',keyspace);
5970 assert(ssh->cscipher->blksize <=
5971 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5972 ssh->cscipher->setiv(ssh->cs_cipher_ctx, keyspace);
5973 ssh2_mkkey(ssh,s->K,s->exchange_hash,'E',keyspace);
5974 assert(ssh->csmac->len <=
5975 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5976 ssh->csmac->setkey(ssh->cs_mac_ctx, keyspace);
5977 memset(keyspace, 0, sizeof(keyspace));
5978 }
5979
5980 logeventf(ssh, "Initialised %.200s client->server encryption",
5981 ssh->cscipher->text_name);
5982 logeventf(ssh, "Initialised %.200s client->server MAC algorithm",
5983 ssh->csmac->text_name);
5984 if (ssh->cscomp->text_name)
5985 logeventf(ssh, "Initialised %s compression",
5986 ssh->cscomp->text_name);
5987
5988 /*
5989 * Now our end of the key exchange is complete, we can send all
5990 * our queued higher-layer packets.
5991 */
5992 ssh->queueing = FALSE;
5993 ssh2_pkt_queuesend(ssh);
5994
5995 /*
5996 * Expect SSH2_MSG_NEWKEYS from server.
5997 */
5998 crWaitUntil(pktin);
5999 if (pktin->type != SSH2_MSG_NEWKEYS) {
6000 bombout(("expected new-keys packet from server"));
6001 crStop(0);
6002 }
6003 ssh->incoming_data_size = 0; /* start counting from here */
6004
6005 /*
6006 * We've seen server NEWKEYS, so create and initialise
6007 * server-to-client session keys.
6008 */
6009 if (ssh->sc_cipher_ctx)
6010 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
6011 ssh->sccipher = s->sccipher_tobe;
6012 ssh->sc_cipher_ctx = ssh->sccipher->make_context();
6013
6014 if (ssh->sc_mac_ctx)
6015 ssh->scmac->free_context(ssh->sc_mac_ctx);
6016 ssh->scmac = s->scmac_tobe;
6017 ssh->sc_mac_ctx = ssh->scmac->make_context();
6018
6019 if (ssh->sc_comp_ctx)
6020 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
6021 ssh->sccomp = s->sccomp_tobe;
6022 ssh->sc_comp_ctx = ssh->sccomp->decompress_init();
6023
6024 /*
6025 * Set IVs on server-to-client keys. Here we use the exchange
6026 * hash from the _first_ key exchange.
6027 */
6028 {
6029 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
6030 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6031 ssh2_mkkey(ssh,s->K,s->exchange_hash,'D',keyspace);
6032 assert((ssh->sccipher->keylen+7) / 8 <=
6033 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6034 ssh->sccipher->setkey(ssh->sc_cipher_ctx, keyspace);
6035 ssh2_mkkey(ssh,s->K,s->exchange_hash,'B',keyspace);
6036 assert(ssh->sccipher->blksize <=
6037 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6038 ssh->sccipher->setiv(ssh->sc_cipher_ctx, keyspace);
6039 ssh2_mkkey(ssh,s->K,s->exchange_hash,'F',keyspace);
6040 assert(ssh->scmac->len <=
6041 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6042 ssh->scmac->setkey(ssh->sc_mac_ctx, keyspace);
6043 memset(keyspace, 0, sizeof(keyspace));
6044 }
6045 logeventf(ssh, "Initialised %.200s server->client encryption",
6046 ssh->sccipher->text_name);
6047 logeventf(ssh, "Initialised %.200s server->client MAC algorithm",
6048 ssh->scmac->text_name);
6049 if (ssh->sccomp->text_name)
6050 logeventf(ssh, "Initialised %s decompression",
6051 ssh->sccomp->text_name);
6052
6053 /*
6054 * Free shared secret.
6055 */
6056 freebn(s->K);
6057
6058 /*
6059 * Key exchange is over. Loop straight back round if we have a
6060 * deferred rekey reason.
6061 */
6062 if (ssh->deferred_rekey_reason) {
6063 logevent(ssh->deferred_rekey_reason);
6064 pktin = NULL;
6065 ssh->deferred_rekey_reason = NULL;
6066 goto begin_key_exchange;
6067 }
6068
6069 /*
6070 * Otherwise, schedule a timer for our next rekey.
6071 */
6072 ssh->kex_in_progress = FALSE;
6073 ssh->last_rekey = GETTICKCOUNT();
6074 if (ssh->cfg.ssh_rekey_time != 0)
6075 ssh->next_rekey = schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
6076 ssh2_timer, ssh);
6077
6078 /*
6079 * If this is the first key exchange phase, we must pass the
6080 * SSH2_MSG_NEWKEYS packet to the next layer, not because it
6081 * wants to see it but because it will need time to initialise
6082 * itself before it sees an actual packet. In subsequent key
6083 * exchange phases, we don't pass SSH2_MSG_NEWKEYS on, because
6084 * it would only confuse the layer above.
6085 */
6086 if (s->activated_authconn) {
6087 crReturn(0);
6088 }
6089 s->activated_authconn = TRUE;
6090
6091 /*
6092 * Now we're encrypting. Begin returning 1 to the protocol main
6093 * function so that other things can run on top of the
6094 * transport. If we ever see a KEXINIT, we must go back to the
6095 * start.
6096 *
6097 * We _also_ go back to the start if we see pktin==NULL and
6098 * inlen==-1, because this is a special signal meaning
6099 * `initiate client-driven rekey', and `in' contains a message
6100 * giving the reason for the rekey.
6101 */
6102 while (!((pktin && pktin->type == SSH2_MSG_KEXINIT) ||
6103 (!pktin && inlen == -1))) {
6104 wait_for_rekey:
6105 crReturn(1);
6106 }
6107 if (pktin) {
6108 logevent("Server initiated key re-exchange");
6109 } else {
6110 /*
6111 * Special case: if the server bug is set that doesn't
6112 * allow rekeying, we give a different log message and
6113 * continue waiting. (If such a server _initiates_ a rekey,
6114 * we process it anyway!)
6115 */
6116 if ((ssh->remote_bugs & BUG_SSH2_REKEY)) {
6117 logeventf(ssh, "Server bug prevents key re-exchange (%s)",
6118 (char *)in);
6119 /* Reset the counters, so that at least this message doesn't
6120 * hit the event log _too_ often. */
6121 ssh->outgoing_data_size = 0;
6122 ssh->incoming_data_size = 0;
6123 if (ssh->cfg.ssh_rekey_time != 0) {
6124 ssh->next_rekey =
6125 schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
6126 ssh2_timer, ssh);
6127 }
6128 goto wait_for_rekey; /* this is utterly horrid */
6129 } else {
6130 logeventf(ssh, "Initiating key re-exchange (%s)", (char *)in);
6131 }
6132 }
6133 goto begin_key_exchange;
6134
6135 crFinish(1);
6136 }
6137
6138 /*
6139 * Add data to an SSH-2 channel output buffer.
6140 */
6141 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf,
6142 int len)
6143 {
6144 bufchain_add(&c->v.v2.outbuffer, buf, len);
6145 }
6146
6147 /*
6148 * Attempt to send data on an SSH-2 channel.
6149 */
6150 static int ssh2_try_send(struct ssh_channel *c)
6151 {
6152 Ssh ssh = c->ssh;
6153 struct Packet *pktout;
6154
6155 while (c->v.v2.remwindow > 0 && bufchain_size(&c->v.v2.outbuffer) > 0) {
6156 int len;
6157 void *data;
6158 bufchain_prefix(&c->v.v2.outbuffer, &data, &len);
6159 if ((unsigned)len > c->v.v2.remwindow)
6160 len = c->v.v2.remwindow;
6161 if ((unsigned)len > c->v.v2.remmaxpkt)
6162 len = c->v.v2.remmaxpkt;
6163 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_DATA);
6164 ssh2_pkt_adduint32(pktout, c->remoteid);
6165 ssh2_pkt_addstring_start(pktout);
6166 dont_log_data(ssh, pktout, PKTLOG_OMIT);
6167 ssh2_pkt_addstring_data(pktout, data, len);
6168 end_log_omission(ssh, pktout);
6169 ssh2_pkt_send(ssh, pktout);
6170 bufchain_consume(&c->v.v2.outbuffer, len);
6171 c->v.v2.remwindow -= len;
6172 }
6173
6174 /*
6175 * After having sent as much data as we can, return the amount
6176 * still buffered.
6177 */
6178 return bufchain_size(&c->v.v2.outbuffer);
6179 }
6180
6181 static void ssh2_try_send_and_unthrottle(struct ssh_channel *c)
6182 {
6183 int bufsize;
6184 if (c->closes)
6185 return; /* don't send on closing channels */
6186 bufsize = ssh2_try_send(c);
6187 if (bufsize == 0) {
6188 switch (c->type) {
6189 case CHAN_MAINSESSION:
6190 /* stdin need not receive an unthrottle
6191 * notification since it will be polled */
6192 break;
6193 case CHAN_X11:
6194 x11_unthrottle(c->u.x11.s);
6195 break;
6196 case CHAN_AGENT:
6197 /* agent sockets are request/response and need no
6198 * buffer management */
6199 break;
6200 case CHAN_SOCKDATA:
6201 pfd_unthrottle(c->u.pfd.s);
6202 break;
6203 }
6204 }
6205 }
6206
6207 /*
6208 * Set up most of a new ssh_channel for SSH-2.
6209 */
6210 static void ssh2_channel_init(struct ssh_channel *c)
6211 {
6212 Ssh ssh = c->ssh;
6213 c->localid = alloc_channel_id(ssh);
6214 c->closes = 0;
6215 c->throttling_conn = FALSE;
6216 c->v.v2.locwindow = c->v.v2.locmaxwin = c->v.v2.remlocwin =
6217 ssh->cfg.ssh_simple ? OUR_V2_BIGWIN : OUR_V2_WINSIZE;
6218 c->v.v2.winadj_head = c->v.v2.winadj_tail = NULL;
6219 c->v.v2.throttle_state = UNTHROTTLED;
6220 bufchain_init(&c->v.v2.outbuffer);
6221 }
6222
6223 /*
6224 * Potentially enlarge the window on an SSH-2 channel.
6225 */
6226 static void ssh2_set_window(struct ssh_channel *c, int newwin)
6227 {
6228 Ssh ssh = c->ssh;
6229
6230 /*
6231 * Never send WINDOW_ADJUST for a channel that the remote side
6232 * already thinks it's closed; there's no point, since it won't
6233 * be sending any more data anyway.
6234 */
6235 if (c->closes != 0)
6236 return;
6237
6238 /*
6239 * Only send a WINDOW_ADJUST if there's significantly more window
6240 * available than the other end thinks there is. This saves us
6241 * sending a WINDOW_ADJUST for every character in a shell session.
6242 *
6243 * "Significant" is arbitrarily defined as half the window size.
6244 */
6245 if (newwin / 2 >= c->v.v2.locwindow) {
6246 struct Packet *pktout;
6247 struct winadj *wa;
6248
6249 /*
6250 * In order to keep track of how much window the client
6251 * actually has available, we'd like it to acknowledge each
6252 * WINDOW_ADJUST. We can't do that directly, so we accompany
6253 * it with a CHANNEL_REQUEST that has to be acknowledged.
6254 *
6255 * This is only necessary if we're opening the window wide.
6256 * If we're not, then throughput is being constrained by
6257 * something other than the maximum window size anyway.
6258 *
6259 * We also only send this if the main channel has finished its
6260 * initial CHANNEL_REQUESTs and installed the default
6261 * CHANNEL_FAILURE handler, so as not to risk giving it
6262 * unexpected CHANNEL_FAILUREs.
6263 */
6264 if (newwin == c->v.v2.locmaxwin &&
6265 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE]) {
6266 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
6267 ssh2_pkt_adduint32(pktout, c->remoteid);
6268 ssh2_pkt_addstring(pktout, "winadj@putty.projects.tartarus.org");
6269 ssh2_pkt_addbool(pktout, TRUE);
6270 ssh2_pkt_send(ssh, pktout);
6271
6272 /*
6273 * CHANNEL_FAILURE doesn't come with any indication of
6274 * what message caused it, so we have to keep track of the
6275 * outstanding CHANNEL_REQUESTs ourselves.
6276 */
6277 wa = snew(struct winadj);
6278 wa->size = newwin - c->v.v2.locwindow;
6279 wa->next = NULL;
6280 if (!c->v.v2.winadj_head)
6281 c->v.v2.winadj_head = wa;
6282 else
6283 c->v.v2.winadj_tail->next = wa;
6284 c->v.v2.winadj_tail = wa;
6285 if (c->v.v2.throttle_state != UNTHROTTLED)
6286 c->v.v2.throttle_state = UNTHROTTLING;
6287 } else {
6288 /* Pretend the WINDOW_ADJUST was acked immediately. */
6289 c->v.v2.remlocwin = newwin;
6290 c->v.v2.throttle_state = THROTTLED;
6291 }
6292 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
6293 ssh2_pkt_adduint32(pktout, c->remoteid);
6294 ssh2_pkt_adduint32(pktout, newwin - c->v.v2.locwindow);
6295 ssh2_pkt_send(ssh, pktout);
6296 c->v.v2.locwindow = newwin;
6297 }
6298 }
6299
6300 /*
6301 * Find the channel associated with a message. If there's no channel,
6302 * or it's not properly open, make a noise about it and return NULL.
6303 */
6304 static struct ssh_channel *ssh2_channel_msg(Ssh ssh, struct Packet *pktin)
6305 {
6306 unsigned localid = ssh_pkt_getuint32(pktin);
6307 struct ssh_channel *c;
6308
6309 c = find234(ssh->channels, &localid, ssh_channelfind);
6310 if (!c ||
6311 (c->halfopen && pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION &&
6312 pktin->type != SSH2_MSG_CHANNEL_OPEN_FAILURE)) {
6313 char *buf = dupprintf("Received %s for %s channel %u",
6314 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx,
6315 pktin->type),
6316 c ? "half-open" : "nonexistent", localid);
6317 ssh_disconnect(ssh, NULL, buf, SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6318 sfree(buf);
6319 return NULL;
6320 }
6321 return c;
6322 }
6323
6324 static void ssh2_msg_channel_success(Ssh ssh, struct Packet *pktin)
6325 {
6326 /*
6327 * This should never get called. All channel requests are either
6328 * sent with want_reply false or are sent before this handler gets
6329 * installed.
6330 */
6331 struct ssh_channel *c;
6332 struct winadj *wa;
6333
6334 c = ssh2_channel_msg(ssh, pktin);
6335 if (!c)
6336 return;
6337 wa = c->v.v2.winadj_head;
6338 if (wa)
6339 ssh_disconnect(ssh, NULL, "Received SSH_MSG_CHANNEL_SUCCESS for "
6340 "\"winadj@putty.projects.tartarus.org\"",
6341 SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6342 else
6343 ssh_disconnect(ssh, NULL,
6344 "Received unsolicited SSH_MSG_CHANNEL_SUCCESS",
6345 SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6346 }
6347
6348 static void ssh2_msg_channel_failure(Ssh ssh, struct Packet *pktin)
6349 {
6350 /*
6351 * The only time this should get called is for "winadj@putty"
6352 * messages sent above. All other channel requests are either
6353 * sent with want_reply false or are sent before this handler gets
6354 * installed.
6355 */
6356 struct ssh_channel *c;
6357 struct winadj *wa;
6358
6359 c = ssh2_channel_msg(ssh, pktin);
6360 if (!c)
6361 return;
6362 wa = c->v.v2.winadj_head;
6363 if (!wa) {
6364 ssh_disconnect(ssh, NULL,
6365 "Received unsolicited SSH_MSG_CHANNEL_FAILURE",
6366 SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6367 return;
6368 }
6369 c->v.v2.winadj_head = wa->next;
6370 c->v.v2.remlocwin += wa->size;
6371 sfree(wa);
6372 /*
6373 * winadj messages are only sent when the window is fully open, so
6374 * if we get an ack of one, we know any pending unthrottle is
6375 * complete.
6376 */
6377 if (c->v.v2.throttle_state == UNTHROTTLING)
6378 c->v.v2.throttle_state = UNTHROTTLED;
6379 }
6380
6381 static void ssh2_msg_channel_window_adjust(Ssh ssh, struct Packet *pktin)
6382 {
6383 struct ssh_channel *c;
6384 c = ssh2_channel_msg(ssh, pktin);
6385 if (!c)
6386 return;
6387 if (!c->closes) {
6388 c->v.v2.remwindow += ssh_pkt_getuint32(pktin);
6389 ssh2_try_send_and_unthrottle(c);
6390 }
6391 }
6392
6393 static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
6394 {
6395 char *data;
6396 int length;
6397 struct ssh_channel *c;
6398 c = ssh2_channel_msg(ssh, pktin);
6399 if (!c)
6400 return;
6401 if (pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA &&
6402 ssh_pkt_getuint32(pktin) != SSH2_EXTENDED_DATA_STDERR)
6403 return; /* extended but not stderr */
6404 ssh_pkt_getstring(pktin, &data, &length);
6405 if (data) {
6406 int bufsize = 0;
6407 c->v.v2.locwindow -= length;
6408 c->v.v2.remlocwin -= length;
6409 switch (c->type) {
6410 case CHAN_MAINSESSION:
6411 bufsize =
6412 from_backend(ssh->frontend, pktin->type ==
6413 SSH2_MSG_CHANNEL_EXTENDED_DATA,
6414 data, length);
6415 break;
6416 case CHAN_X11:
6417 bufsize = x11_send(c->u.x11.s, data, length);
6418 break;
6419 case CHAN_SOCKDATA:
6420 bufsize = pfd_send(c->u.pfd.s, data, length);
6421 break;
6422 case CHAN_AGENT:
6423 while (length > 0) {
6424 if (c->u.a.lensofar < 4) {
6425 unsigned int l = min(4 - c->u.a.lensofar,
6426 (unsigned)length);
6427 memcpy(c->u.a.msglen + c->u.a.lensofar,
6428 data, l);
6429 data += l;
6430 length -= l;
6431 c->u.a.lensofar += l;
6432 }
6433 if (c->u.a.lensofar == 4) {
6434 c->u.a.totallen =
6435 4 + GET_32BIT(c->u.a.msglen);
6436 c->u.a.message = snewn(c->u.a.totallen,
6437 unsigned char);
6438 memcpy(c->u.a.message, c->u.a.msglen, 4);
6439 }
6440 if (c->u.a.lensofar >= 4 && length > 0) {
6441 unsigned int l =
6442 min(c->u.a.totallen - c->u.a.lensofar,
6443 (unsigned)length);
6444 memcpy(c->u.a.message + c->u.a.lensofar,
6445 data, l);
6446 data += l;
6447 length -= l;
6448 c->u.a.lensofar += l;
6449 }
6450 if (c->u.a.lensofar == c->u.a.totallen) {
6451 void *reply;
6452 int replylen;
6453 if (agent_query(c->u.a.message,
6454 c->u.a.totallen,
6455 &reply, &replylen,
6456 ssh_agentf_callback, c))
6457 ssh_agentf_callback(c, reply, replylen);
6458 sfree(c->u.a.message);
6459 c->u.a.lensofar = 0;
6460 }
6461 }
6462 bufsize = 0;
6463 break;
6464 }
6465 /*
6466 * If it looks like the remote end hit the end of its window,
6467 * and we didn't want it to do that, think about using a
6468 * larger window.
6469 */
6470 if (c->v.v2.remlocwin <= 0 && c->v.v2.throttle_state == UNTHROTTLED &&
6471 c->v.v2.locmaxwin < 0x40000000)
6472 c->v.v2.locmaxwin += OUR_V2_WINSIZE;
6473 /*
6474 * If we are not buffering too much data,
6475 * enlarge the window again at the remote side.
6476 * If we are buffering too much, we may still
6477 * need to adjust the window if the server's
6478 * sent excess data.
6479 */
6480 ssh2_set_window(c, bufsize < c->v.v2.locmaxwin ?
6481 c->v.v2.locmaxwin - bufsize : 0);
6482 /*
6483 * If we're either buffering way too much data, or if we're
6484 * buffering anything at all and we're in "simple" mode,
6485 * throttle the whole channel.
6486 */
6487 if ((bufsize > c->v.v2.locmaxwin ||
6488 (ssh->cfg.ssh_simple && bufsize > 0)) &&
6489 !c->throttling_conn) {
6490 c->throttling_conn = 1;
6491 ssh_throttle_conn(ssh, +1);
6492 }
6493 }
6494 }
6495
6496 static void ssh2_msg_channel_eof(Ssh ssh, struct Packet *pktin)
6497 {
6498 struct ssh_channel *c;
6499
6500 c = ssh2_channel_msg(ssh, pktin);
6501 if (!c)
6502 return;
6503
6504 if (c->type == CHAN_X11) {
6505 /*
6506 * Remote EOF on an X11 channel means we should
6507 * wrap up and close the channel ourselves.
6508 */
6509 x11_close(c->u.x11.s);
6510 sshfwd_close(c);
6511 } else if (c->type == CHAN_AGENT) {
6512 sshfwd_close(c);
6513 } else if (c->type == CHAN_SOCKDATA) {
6514 pfd_close(c->u.pfd.s);
6515 sshfwd_close(c);
6516 }
6517 }
6518
6519 static void ssh2_msg_channel_close(Ssh ssh, struct Packet *pktin)
6520 {
6521 struct ssh_channel *c;
6522 struct Packet *pktout;
6523
6524 c = ssh2_channel_msg(ssh, pktin);
6525 if (!c)
6526 return;
6527 /* Do pre-close processing on the channel. */
6528 switch (c->type) {
6529 case CHAN_MAINSESSION:
6530 ssh->mainchan = NULL;
6531 update_specials_menu(ssh->frontend);
6532 break;
6533 case CHAN_X11:
6534 if (c->u.x11.s != NULL)
6535 x11_close(c->u.x11.s);
6536 sshfwd_close(c);
6537 break;
6538 case CHAN_AGENT:
6539 sshfwd_close(c);
6540 break;
6541 case CHAN_SOCKDATA:
6542 if (c->u.pfd.s != NULL)
6543 pfd_close(c->u.pfd.s);
6544 sshfwd_close(c);
6545 break;
6546 }
6547 if (c->closes == 0) {
6548 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6549 ssh2_pkt_adduint32(pktout, c->remoteid);
6550 ssh2_pkt_send(ssh, pktout);
6551 }
6552 del234(ssh->channels, c);
6553 bufchain_clear(&c->v.v2.outbuffer);
6554 sfree(c);
6555
6556 /*
6557 * See if that was the last channel left open.
6558 * (This is only our termination condition if we're
6559 * not running in -N mode.)
6560 */
6561 if (!ssh->cfg.ssh_no_shell && count234(ssh->channels) == 0) {
6562 /*
6563 * We used to send SSH_MSG_DISCONNECT here,
6564 * because I'd believed that _every_ conforming
6565 * SSH-2 connection had to end with a disconnect
6566 * being sent by at least one side; apparently
6567 * I was wrong and it's perfectly OK to
6568 * unceremoniously slam the connection shut
6569 * when you're done, and indeed OpenSSH feels
6570 * this is more polite than sending a
6571 * DISCONNECT. So now we don't.
6572 */
6573 ssh_disconnect(ssh, "All channels closed", NULL, 0, TRUE);
6574 }
6575 }
6576
6577 static void ssh2_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
6578 {
6579 struct ssh_channel *c;
6580 struct Packet *pktout;
6581
6582 c = ssh2_channel_msg(ssh, pktin);
6583 if (!c)
6584 return;
6585 if (c->type != CHAN_SOCKDATA_DORMANT)
6586 return; /* dunno why they're confirming this */
6587 c->remoteid = ssh_pkt_getuint32(pktin);
6588 c->halfopen = FALSE;
6589 c->type = CHAN_SOCKDATA;
6590 c->v.v2.remwindow = ssh_pkt_getuint32(pktin);
6591 c->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
6592 if (c->u.pfd.s)
6593 pfd_confirm(c->u.pfd.s);
6594 if (c->closes) {
6595 /*
6596 * We have a pending close on this channel,
6597 * which we decided on before the server acked
6598 * the channel open. So now we know the
6599 * remoteid, we can close it again.
6600 */
6601 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6602 ssh2_pkt_adduint32(pktout, c->remoteid);
6603 ssh2_pkt_send(ssh, pktout);
6604 }
6605 }
6606
6607 static void ssh2_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
6608 {
6609 static const char *const reasons[] = {
6610 "<unknown reason code>",
6611 "Administratively prohibited",
6612 "Connect failed",
6613 "Unknown channel type",
6614 "Resource shortage",
6615 };
6616 unsigned reason_code;
6617 char *reason_string;
6618 int reason_length;
6619 struct ssh_channel *c;
6620 c = ssh2_channel_msg(ssh, pktin);
6621 if (!c)
6622 return;
6623 if (c->type != CHAN_SOCKDATA_DORMANT)
6624 return; /* dunno why they're failing this */
6625
6626 reason_code = ssh_pkt_getuint32(pktin);
6627 if (reason_code >= lenof(reasons))
6628 reason_code = 0; /* ensure reasons[reason_code] in range */
6629 ssh_pkt_getstring(pktin, &reason_string, &reason_length);
6630 logeventf(ssh, "Forwarded connection refused by server: %s [%.*s]",
6631 reasons[reason_code], reason_length, reason_string);
6632
6633 pfd_close(c->u.pfd.s);
6634
6635 del234(ssh->channels, c);
6636 sfree(c);
6637 }
6638
6639 static void ssh2_msg_channel_request(Ssh ssh, struct Packet *pktin)
6640 {
6641 char *type;
6642 int typelen, want_reply;
6643 int reply = SSH2_MSG_CHANNEL_FAILURE; /* default */
6644 struct ssh_channel *c;
6645 struct Packet *pktout;
6646
6647 c = ssh2_channel_msg(ssh, pktin);
6648 if (!c)
6649 return;
6650 ssh_pkt_getstring(pktin, &type, &typelen);
6651 want_reply = ssh2_pkt_getbool(pktin);
6652
6653 /*
6654 * Having got the channel number, we now look at
6655 * the request type string to see if it's something
6656 * we recognise.
6657 */
6658 if (c == ssh->mainchan) {
6659 /*
6660 * We recognise "exit-status" and "exit-signal" on
6661 * the primary channel.
6662 */
6663 if (typelen == 11 &&
6664 !memcmp(type, "exit-status", 11)) {
6665
6666 ssh->exitcode = ssh_pkt_getuint32(pktin);
6667 logeventf(ssh, "Server sent command exit status %d",
6668 ssh->exitcode);
6669 reply = SSH2_MSG_CHANNEL_SUCCESS;
6670
6671 } else if (typelen == 11 &&
6672 !memcmp(type, "exit-signal", 11)) {
6673
6674 int is_plausible = TRUE, is_int = FALSE;
6675 char *fmt_sig = "", *fmt_msg = "";
6676 char *msg;
6677 int msglen = 0, core = FALSE;
6678 /* ICK: older versions of OpenSSH (e.g. 3.4p1)
6679 * provide an `int' for the signal, despite its
6680 * having been a `string' in the drafts of RFC 4254 since at
6681 * least 2001. (Fixed in session.c 1.147.) Try to
6682 * infer which we can safely parse it as. */
6683 {
6684 unsigned char *p = pktin->body +
6685 pktin->savedpos;
6686 long len = pktin->length - pktin->savedpos;
6687 unsigned long num = GET_32BIT(p); /* what is it? */
6688 /* If it's 0, it hardly matters; assume string */
6689 if (num == 0) {
6690 is_int = FALSE;
6691 } else {
6692 int maybe_int = FALSE, maybe_str = FALSE;
6693 #define CHECK_HYPOTHESIS(offset, result) \
6694 do { \
6695 long q = offset; \
6696 if (q >= 0 && q+4 <= len) { \
6697 q = q + 4 + GET_32BIT(p+q); \
6698 if (q >= 0 && q+4 <= len && \
6699 ((q = q + 4 + GET_32BIT(p+q))!= 0) && q == len) \
6700 result = TRUE; \
6701 } \
6702 } while(0)
6703 CHECK_HYPOTHESIS(4+1, maybe_int);
6704 CHECK_HYPOTHESIS(4+num+1, maybe_str);
6705 #undef CHECK_HYPOTHESIS
6706 if (maybe_int && !maybe_str)
6707 is_int = TRUE;
6708 else if (!maybe_int && maybe_str)
6709 is_int = FALSE;
6710 else
6711 /* Crikey. Either or neither. Panic. */
6712 is_plausible = FALSE;
6713 }
6714 }
6715 ssh->exitcode = 128; /* means `unknown signal' */
6716 if (is_plausible) {
6717 if (is_int) {
6718 /* Old non-standard OpenSSH. */
6719 int signum = ssh_pkt_getuint32(pktin);
6720 fmt_sig = dupprintf(" %d", signum);
6721 ssh->exitcode = 128 + signum;
6722 } else {
6723 /* As per RFC 4254. */
6724 char *sig;
6725 int siglen;
6726 ssh_pkt_getstring(pktin, &sig, &siglen);
6727 /* Signal name isn't supposed to be blank, but
6728 * let's cope gracefully if it is. */
6729 if (siglen) {
6730 fmt_sig = dupprintf(" \"%.*s\"",
6731 siglen, sig);
6732 }
6733
6734 /*
6735 * Really hideous method of translating the
6736 * signal description back into a locally
6737 * meaningful number.
6738 */
6739
6740 if (0)
6741 ;
6742 #define TRANSLATE_SIGNAL(s) \
6743 else if (siglen == lenof(#s)-1 && !memcmp(sig, #s, siglen)) \
6744 ssh->exitcode = 128 + SIG ## s
6745 #ifdef SIGABRT
6746 TRANSLATE_SIGNAL(ABRT);
6747 #endif
6748 #ifdef SIGALRM
6749 TRANSLATE_SIGNAL(ALRM);
6750 #endif
6751 #ifdef SIGFPE
6752 TRANSLATE_SIGNAL(FPE);
6753 #endif
6754 #ifdef SIGHUP
6755 TRANSLATE_SIGNAL(HUP);
6756 #endif
6757 #ifdef SIGILL
6758 TRANSLATE_SIGNAL(ILL);
6759 #endif
6760 #ifdef SIGINT
6761 TRANSLATE_SIGNAL(INT);
6762 #endif
6763 #ifdef SIGKILL
6764 TRANSLATE_SIGNAL(KILL);
6765 #endif
6766 #ifdef SIGPIPE
6767 TRANSLATE_SIGNAL(PIPE);
6768 #endif
6769 #ifdef SIGQUIT
6770 TRANSLATE_SIGNAL(QUIT);
6771 #endif
6772 #ifdef SIGSEGV
6773 TRANSLATE_SIGNAL(SEGV);
6774 #endif
6775 #ifdef SIGTERM
6776 TRANSLATE_SIGNAL(TERM);
6777 #endif
6778 #ifdef SIGUSR1
6779 TRANSLATE_SIGNAL(USR1);
6780 #endif
6781 #ifdef SIGUSR2
6782 TRANSLATE_SIGNAL(USR2);
6783 #endif
6784 #undef TRANSLATE_SIGNAL
6785 else
6786 ssh->exitcode = 128;
6787 }
6788 core = ssh2_pkt_getbool(pktin);
6789 ssh_pkt_getstring(pktin, &msg, &msglen);
6790 if (msglen) {
6791 fmt_msg = dupprintf(" (\"%.*s\")", msglen, msg);
6792 }
6793 /* ignore lang tag */
6794 } /* else don't attempt to parse */
6795 logeventf(ssh, "Server exited on signal%s%s%s",
6796 fmt_sig, core ? " (core dumped)" : "",
6797 fmt_msg);
6798 if (*fmt_sig) sfree(fmt_sig);
6799 if (*fmt_msg) sfree(fmt_msg);
6800 reply = SSH2_MSG_CHANNEL_SUCCESS;
6801
6802 }
6803 } else {
6804 /*
6805 * This is a channel request we don't know
6806 * about, so we now either ignore the request
6807 * or respond with CHANNEL_FAILURE, depending
6808 * on want_reply.
6809 */
6810 reply = SSH2_MSG_CHANNEL_FAILURE;
6811 }
6812 if (want_reply) {
6813 pktout = ssh2_pkt_init(reply);
6814 ssh2_pkt_adduint32(pktout, c->remoteid);
6815 ssh2_pkt_send(ssh, pktout);
6816 }
6817 }
6818
6819 static void ssh2_msg_global_request(Ssh ssh, struct Packet *pktin)
6820 {
6821 char *type;
6822 int typelen, want_reply;
6823 struct Packet *pktout;
6824
6825 ssh_pkt_getstring(pktin, &type, &typelen);
6826 want_reply = ssh2_pkt_getbool(pktin);
6827
6828 /*
6829 * We currently don't support any global requests
6830 * at all, so we either ignore the request or
6831 * respond with REQUEST_FAILURE, depending on
6832 * want_reply.
6833 */
6834 if (want_reply) {
6835 pktout = ssh2_pkt_init(SSH2_MSG_REQUEST_FAILURE);
6836 ssh2_pkt_send(ssh, pktout);
6837 }
6838 }
6839
6840 static void ssh2_msg_channel_open(Ssh ssh, struct Packet *pktin)
6841 {
6842 char *type;
6843 int typelen;
6844 char *peeraddr;
6845 int peeraddrlen;
6846 int peerport;
6847 char *error = NULL;
6848 struct ssh_channel *c;
6849 unsigned remid, winsize, pktsize;
6850 struct Packet *pktout;
6851
6852 ssh_pkt_getstring(pktin, &type, &typelen);
6853 c = snew(struct ssh_channel);
6854 c->ssh = ssh;
6855
6856 remid = ssh_pkt_getuint32(pktin);
6857 winsize = ssh_pkt_getuint32(pktin);
6858 pktsize = ssh_pkt_getuint32(pktin);
6859
6860 if (typelen == 3 && !memcmp(type, "x11", 3)) {
6861 char *addrstr;
6862
6863 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
6864 addrstr = snewn(peeraddrlen+1, char);
6865 memcpy(addrstr, peeraddr, peeraddrlen);
6866 addrstr[peeraddrlen] = '\0';
6867 peerport = ssh_pkt_getuint32(pktin);
6868
6869 logeventf(ssh, "Received X11 connect request from %s:%d",
6870 addrstr, peerport);
6871
6872 if (!ssh->X11_fwd_enabled)
6873 error = "X11 forwarding is not enabled";
6874 else if (x11_init(&c->u.x11.s, ssh->cfg.x11_display, c,
6875 ssh->x11auth, addrstr, peerport,
6876 &ssh->cfg) != NULL) {
6877 error = "Unable to open an X11 connection";
6878 } else {
6879 logevent("Opening X11 forward connection succeeded");
6880 c->type = CHAN_X11;
6881 }
6882
6883 sfree(addrstr);
6884 } else if (typelen == 15 &&
6885 !memcmp(type, "forwarded-tcpip", 15)) {
6886 struct ssh_rportfwd pf, *realpf;
6887 char *dummy;
6888 int dummylen;
6889 ssh_pkt_getstring(pktin, &dummy, &dummylen);/* skip address */
6890 pf.sport = ssh_pkt_getuint32(pktin);
6891 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
6892 peerport = ssh_pkt_getuint32(pktin);
6893 realpf = find234(ssh->rportfwds, &pf, NULL);
6894 logeventf(ssh, "Received remote port %d open request "
6895 "from %s:%d", pf.sport, peeraddr, peerport);
6896 if (realpf == NULL) {
6897 error = "Remote port is not recognised";
6898 } else {
6899 const char *e = pfd_newconnect(&c->u.pfd.s,
6900 realpf->dhost,
6901 realpf->dport, c,
6902 &ssh->cfg,
6903 realpf->pfrec->addressfamily);
6904 logeventf(ssh, "Attempting to forward remote port to "
6905 "%s:%d", realpf->dhost, realpf->dport);
6906 if (e != NULL) {
6907 logeventf(ssh, "Port open failed: %s", e);
6908 error = "Port open failed";
6909 } else {
6910 logevent("Forwarded port opened successfully");
6911 c->type = CHAN_SOCKDATA;
6912 }
6913 }
6914 } else if (typelen == 22 &&
6915 !memcmp(type, "auth-agent@openssh.com", 22)) {
6916 if (!ssh->agentfwd_enabled)
6917 error = "Agent forwarding is not enabled";
6918 else {
6919 c->type = CHAN_AGENT; /* identify channel type */
6920 c->u.a.lensofar = 0;
6921 }
6922 } else {
6923 error = "Unsupported channel type requested";
6924 }
6925
6926 c->remoteid = remid;
6927 c->halfopen = FALSE;
6928 if (error) {
6929 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_FAILURE);
6930 ssh2_pkt_adduint32(pktout, c->remoteid);
6931 ssh2_pkt_adduint32(pktout, SSH2_OPEN_CONNECT_FAILED);
6932 ssh2_pkt_addstring(pktout, error);
6933 ssh2_pkt_addstring(pktout, "en"); /* language tag */
6934 ssh2_pkt_send(ssh, pktout);
6935 logeventf(ssh, "Rejected channel open: %s", error);
6936 sfree(c);
6937 } else {
6938 ssh2_channel_init(c);
6939 c->v.v2.remwindow = winsize;
6940 c->v.v2.remmaxpkt = pktsize;
6941 add234(ssh->channels, c);
6942 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
6943 ssh2_pkt_adduint32(pktout, c->remoteid);
6944 ssh2_pkt_adduint32(pktout, c->localid);
6945 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);
6946 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
6947 ssh2_pkt_send(ssh, pktout);
6948 }
6949 }
6950
6951 /*
6952 * Buffer banner messages for later display at some convenient point.
6953 */
6954 static void ssh2_msg_userauth_banner(Ssh ssh, struct Packet *pktin)
6955 {
6956 /* Arbitrary limit to prevent unbounded inflation of buffer */
6957 if (bufchain_size(&ssh->banner) <= 131072) {
6958 char *banner = NULL;
6959 int size = 0;
6960 ssh_pkt_getstring(pktin, &banner, &size);
6961 if (banner)
6962 bufchain_add(&ssh->banner, banner, size);
6963 }
6964 }
6965
6966 /* Helper function to deal with sending tty modes for "pty-req" */
6967 static void ssh2_send_ttymode(void *data, char *mode, char *val)
6968 {
6969 struct Packet *pktout = (struct Packet *)data;
6970 int i = 0;
6971 unsigned int arg = 0;
6972 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
6973 if (i == lenof(ssh_ttymodes)) return;
6974 switch (ssh_ttymodes[i].type) {
6975 case TTY_OP_CHAR:
6976 arg = ssh_tty_parse_specchar(val);
6977 break;
6978 case TTY_OP_BOOL:
6979 arg = ssh_tty_parse_boolean(val);
6980 break;
6981 }
6982 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
6983 ssh2_pkt_adduint32(pktout, arg);
6984 }
6985
6986 /*
6987 * Handle the SSH-2 userauth and connection layers.
6988 */
6989 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
6990 struct Packet *pktin)
6991 {
6992 struct do_ssh2_authconn_state {
6993 enum {
6994 AUTH_TYPE_NONE,
6995 AUTH_TYPE_PUBLICKEY,
6996 AUTH_TYPE_PUBLICKEY_OFFER_LOUD,
6997 AUTH_TYPE_PUBLICKEY_OFFER_QUIET,
6998 AUTH_TYPE_PASSWORD,
6999 AUTH_TYPE_KEYBOARD_INTERACTIVE,
7000 AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
7001 } type;
7002 int done_service_req;
7003 int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter;
7004 int tried_pubkey_config, done_agent;
7005 int kbd_inter_refused;
7006 int we_are_in;
7007 prompts_t *cur_prompt;
7008 int num_prompts;
7009 char username[100];
7010 char *password;
7011 int got_username;
7012 void *publickey_blob;
7013 int publickey_bloblen;
7014 int publickey_encrypted;
7015 char *publickey_algorithm;
7016 char *publickey_comment;
7017 unsigned char agent_request[5], *agent_response, *agentp;
7018 int agent_responselen;
7019 unsigned char *pkblob_in_agent;
7020 int keyi, nkeys;
7021 char *pkblob, *alg, *commentp;
7022 int pklen, alglen, commentlen;
7023 int siglen, retlen, len;
7024 char *q, *agentreq, *ret;
7025 int try_send;
7026 int num_env, env_left, env_ok;
7027 struct Packet *pktout;
7028 };
7029 crState(do_ssh2_authconn_state);
7030
7031 crBegin(ssh->do_ssh2_authconn_crstate);
7032
7033 s->done_service_req = FALSE;
7034 s->we_are_in = FALSE;
7035 if (!ssh->cfg.ssh_no_userauth) {
7036 /*
7037 * Request userauth protocol, and await a response to it.
7038 */
7039 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
7040 ssh2_pkt_addstring(s->pktout, "ssh-userauth");
7041 ssh2_pkt_send(ssh, s->pktout);
7042 crWaitUntilV(pktin);
7043 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT)
7044 s->done_service_req = TRUE;
7045 }
7046 if (!s->done_service_req) {
7047 /*
7048 * Request connection protocol directly, without authentication.
7049 */
7050 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
7051 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7052 ssh2_pkt_send(ssh, s->pktout);
7053 crWaitUntilV(pktin);
7054 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) {
7055 s->we_are_in = TRUE; /* no auth required */
7056 } else {
7057 bombout(("Server refused service request"));
7058 crStopV;
7059 }
7060 }
7061
7062 /* Arrange to be able to deal with any BANNERs that come in.
7063 * (We do this now as packets may come in during the next bit.) */
7064 bufchain_init(&ssh->banner);
7065 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] =
7066 ssh2_msg_userauth_banner;
7067
7068 /*
7069 * Misc one-time setup for authentication.
7070 */
7071 s->publickey_blob = NULL;
7072 if (!s->we_are_in) {
7073
7074 /*
7075 * Load the public half of any configured public key file
7076 * for later use.
7077 */
7078 if (!filename_is_null(ssh->cfg.keyfile)) {
7079 int keytype;
7080 logeventf(ssh, "Reading private key file \"%.150s\"",
7081 filename_to_str(&ssh->cfg.keyfile));
7082 keytype = key_type(&ssh->cfg.keyfile);
7083 if (keytype == SSH_KEYTYPE_SSH2) {
7084 const char *error;
7085 s->publickey_blob =
7086 ssh2_userkey_loadpub(&ssh->cfg.keyfile,
7087 &s->publickey_algorithm,
7088 &s->publickey_bloblen,
7089 &s->publickey_comment, &error);
7090 if (s->publickey_blob) {
7091 s->publickey_encrypted =
7092 ssh2_userkey_encrypted(&ssh->cfg.keyfile, NULL);
7093 } else {
7094 char *msgbuf;
7095 logeventf(ssh, "Unable to load private key (%s)",
7096 error);
7097 msgbuf = dupprintf("Unable to load private key file "
7098 "\"%.150s\" (%s)\r\n",
7099 filename_to_str(&ssh->cfg.keyfile),
7100 error);
7101 c_write_str(ssh, msgbuf);
7102 sfree(msgbuf);
7103 }
7104 } else {
7105 char *msgbuf;
7106 logeventf(ssh, "Unable to use this key file (%s)",
7107 key_type_to_str(keytype));
7108 msgbuf = dupprintf("Unable to use key file \"%.150s\""
7109 " (%s)\r\n",
7110 filename_to_str(&ssh->cfg.keyfile),
7111 key_type_to_str(keytype));
7112 c_write_str(ssh, msgbuf);
7113 sfree(msgbuf);
7114 s->publickey_blob = NULL;
7115 }
7116 }
7117
7118 /*
7119 * Find out about any keys Pageant has (but if there's a
7120 * public key configured, filter out all others).
7121 */
7122 s->nkeys = 0;
7123 s->agent_response = NULL;
7124 s->pkblob_in_agent = NULL;
7125 if (ssh->cfg.tryagent && agent_exists()) {
7126
7127 void *r;
7128
7129 logevent("Pageant is running. Requesting keys.");
7130
7131 /* Request the keys held by the agent. */
7132 PUT_32BIT(s->agent_request, 1);
7133 s->agent_request[4] = SSH2_AGENTC_REQUEST_IDENTITIES;
7134 if (!agent_query(s->agent_request, 5, &r, &s->agent_responselen,
7135 ssh_agent_callback, ssh)) {
7136 do {
7137 crReturnV;
7138 if (pktin) {
7139 bombout(("Unexpected data from server while"
7140 " waiting for agent response"));
7141 crStopV;
7142 }
7143 } while (pktin || inlen > 0);
7144 r = ssh->agent_response;
7145 s->agent_responselen = ssh->agent_response_len;
7146 }
7147 s->agent_response = (unsigned char *) r;
7148 if (s->agent_response && s->agent_responselen >= 5 &&
7149 s->agent_response[4] == SSH2_AGENT_IDENTITIES_ANSWER) {
7150 int keyi;
7151 unsigned char *p;
7152 p = s->agent_response + 5;
7153 s->nkeys = GET_32BIT(p);
7154 p += 4;
7155 logeventf(ssh, "Pageant has %d SSH-2 keys", s->nkeys);
7156 if (s->publickey_blob) {
7157 /* See if configured key is in agent. */
7158 for (keyi = 0; keyi < s->nkeys; keyi++) {
7159 s->pklen = GET_32BIT(p);
7160 if (s->pklen == s->publickey_bloblen &&
7161 !memcmp(p+4, s->publickey_blob,
7162 s->publickey_bloblen)) {
7163 logeventf(ssh, "Pageant key #%d matches "
7164 "configured key file", keyi);
7165 s->keyi = keyi;
7166 s->pkblob_in_agent = p;
7167 break;
7168 }
7169 p += 4 + s->pklen;
7170 p += GET_32BIT(p) + 4; /* comment */
7171 }
7172 if (!s->pkblob_in_agent) {
7173 logevent("Configured key file not in Pageant");
7174 s->nkeys = 0;
7175 }
7176 }
7177 }
7178 }
7179
7180 }
7181
7182 /*
7183 * We repeat this whole loop, including the username prompt,
7184 * until we manage a successful authentication. If the user
7185 * types the wrong _password_, they can be sent back to the
7186 * beginning to try another username, if this is configured on.
7187 * (If they specify a username in the config, they are never
7188 * asked, even if they do give a wrong password.)
7189 *
7190 * I think this best serves the needs of
7191 *
7192 * - the people who have no configuration, no keys, and just
7193 * want to try repeated (username,password) pairs until they
7194 * type both correctly
7195 *
7196 * - people who have keys and configuration but occasionally
7197 * need to fall back to passwords
7198 *
7199 * - people with a key held in Pageant, who might not have
7200 * logged in to a particular machine before; so they want to
7201 * type a username, and then _either_ their key will be
7202 * accepted, _or_ they will type a password. If they mistype
7203 * the username they will want to be able to get back and
7204 * retype it!
7205 */
7206 s->username[0] = '\0';
7207 s->got_username = FALSE;
7208 while (!s->we_are_in) {
7209 /*
7210 * Get a username.
7211 */
7212 if (s->got_username && !ssh->cfg.change_username) {
7213 /*
7214 * We got a username last time round this loop, and
7215 * with change_username turned off we don't try to get
7216 * it again.
7217 */
7218 } else if (!*ssh->cfg.username) {
7219 int ret; /* need not be kept over crReturn */
7220 s->cur_prompt = new_prompts(ssh->frontend);
7221 s->cur_prompt->to_server = TRUE;
7222 s->cur_prompt->name = dupstr("SSH login name");
7223 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
7224 lenof(s->username));
7225 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7226 while (ret < 0) {
7227 ssh->send_ok = 1;
7228 crWaitUntilV(!pktin);
7229 ret = get_userpass_input(s->cur_prompt, in, inlen);
7230 ssh->send_ok = 0;
7231 }
7232 if (!ret) {
7233 /*
7234 * get_userpass_input() failed to get a username.
7235 * Terminate.
7236 */
7237 free_prompts(s->cur_prompt);
7238 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
7239 crStopV;
7240 }
7241 memcpy(s->username, s->cur_prompt->prompts[0]->result,
7242 lenof(s->username));
7243 free_prompts(s->cur_prompt);
7244 } else {
7245 char *stuff;
7246 strncpy(s->username, ssh->cfg.username, sizeof(s->username));
7247 s->username[sizeof(s->username)-1] = '\0';
7248 if ((flags & FLAG_VERBOSE) || (flags & FLAG_INTERACTIVE)) {
7249 stuff = dupprintf("Using username \"%s\".\r\n", s->username);
7250 c_write_str(ssh, stuff);
7251 sfree(stuff);
7252 }
7253 }
7254 s->got_username = TRUE;
7255
7256 /*
7257 * Send an authentication request using method "none": (a)
7258 * just in case it succeeds, and (b) so that we know what
7259 * authentication methods we can usefully try next.
7260 */
7261 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
7262
7263 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7264 ssh2_pkt_addstring(s->pktout, s->username);
7265 ssh2_pkt_addstring(s->pktout, "ssh-connection");/* service requested */
7266 ssh2_pkt_addstring(s->pktout, "none"); /* method */
7267 ssh2_pkt_send(ssh, s->pktout);
7268 s->type = AUTH_TYPE_NONE;
7269 s->gotit = FALSE;
7270 s->we_are_in = FALSE;
7271
7272 s->tried_pubkey_config = FALSE;
7273 s->kbd_inter_refused = FALSE;
7274
7275 /* Reset agent request state. */
7276 s->done_agent = FALSE;
7277 if (s->agent_response) {
7278 if (s->pkblob_in_agent) {
7279 s->agentp = s->pkblob_in_agent;
7280 } else {
7281 s->agentp = s->agent_response + 5 + 4;
7282 s->keyi = 0;
7283 }
7284 }
7285
7286 while (1) {
7287 /*
7288 * Wait for the result of the last authentication request.
7289 */
7290 if (!s->gotit)
7291 crWaitUntilV(pktin);
7292 /*
7293 * Now is a convenient point to spew any banner material
7294 * that we've accumulated. (This should ensure that when
7295 * we exit the auth loop, we haven't any left to deal
7296 * with.)
7297 */
7298 {
7299 int size = bufchain_size(&ssh->banner);
7300 /*
7301 * Don't show the banner if we're operating in
7302 * non-verbose non-interactive mode. (It's probably
7303 * a script, which means nobody will read the
7304 * banner _anyway_, and moreover the printing of
7305 * the banner will screw up processing on the
7306 * output of (say) plink.)
7307 */
7308 if (size && (flags & (FLAG_VERBOSE | FLAG_INTERACTIVE))) {
7309 char *banner = snewn(size, char);
7310 bufchain_fetch(&ssh->banner, banner, size);
7311 c_write_untrusted(ssh, banner, size);
7312 sfree(banner);
7313 }
7314 bufchain_clear(&ssh->banner);
7315 }
7316 if (pktin->type == SSH2_MSG_USERAUTH_SUCCESS) {
7317 logevent("Access granted");
7318 s->we_are_in = TRUE;
7319 break;
7320 }
7321
7322 if (pktin->type != SSH2_MSG_USERAUTH_FAILURE) {
7323 bombout(("Strange packet received during authentication: "
7324 "type %d", pktin->type));
7325 crStopV;
7326 }
7327
7328 s->gotit = FALSE;
7329
7330 /*
7331 * OK, we're now sitting on a USERAUTH_FAILURE message, so
7332 * we can look at the string in it and know what we can
7333 * helpfully try next.
7334 */
7335 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE) {
7336 char *methods;
7337 int methlen;
7338 ssh_pkt_getstring(pktin, &methods, &methlen);
7339 if (!ssh2_pkt_getbool(pktin)) {
7340 /*
7341 * We have received an unequivocal Access
7342 * Denied. This can translate to a variety of
7343 * messages:
7344 *
7345 * - if we'd just tried "none" authentication,
7346 * it's not worth printing anything at all
7347 *
7348 * - if we'd just tried a public key _offer_,
7349 * the message should be "Server refused our
7350 * key" (or no message at all if the key
7351 * came from Pageant)
7352 *
7353 * - if we'd just tried anything else, the
7354 * message really should be "Access denied".
7355 *
7356 * Additionally, if we'd just tried password
7357 * authentication, we should break out of this
7358 * whole loop so as to go back to the username
7359 * prompt (iff we're configured to allow
7360 * username change attempts).
7361 */
7362 if (s->type == AUTH_TYPE_NONE) {
7363 /* do nothing */
7364 } else if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD ||
7365 s->type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) {
7366 if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD)
7367 c_write_str(ssh, "Server refused our key\r\n");
7368 logevent("Server refused public key");
7369 } else if (s->type==AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET) {
7370 /* server declined keyboard-interactive; ignore */
7371 } else {
7372 c_write_str(ssh, "Access denied\r\n");
7373 logevent("Access denied");
7374 if (s->type == AUTH_TYPE_PASSWORD &&
7375 ssh->cfg.change_username) {
7376 /* XXX perhaps we should allow
7377 * keyboard-interactive to do this too? */
7378 s->we_are_in = FALSE;
7379 break;
7380 }
7381 }
7382 } else {
7383 c_write_str(ssh, "Further authentication required\r\n");
7384 logevent("Further authentication required");
7385 }
7386
7387 s->can_pubkey =
7388 in_commasep_string("publickey", methods, methlen);
7389 s->can_passwd =
7390 in_commasep_string("password", methods, methlen);
7391 s->can_keyb_inter = ssh->cfg.try_ki_auth &&
7392 in_commasep_string("keyboard-interactive", methods, methlen);
7393 }
7394
7395 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
7396
7397 if (s->can_pubkey && !s->done_agent && s->nkeys) {
7398
7399 /*
7400 * Attempt public-key authentication using a key from Pageant.
7401 */
7402
7403 ssh->pkt_actx = SSH2_PKTCTX_PUBLICKEY;
7404
7405 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
7406
7407 /* Unpack key from agent response */
7408 s->pklen = GET_32BIT(s->agentp);
7409 s->agentp += 4;
7410 s->pkblob = (char *)s->agentp;
7411 s->agentp += s->pklen;
7412 s->alglen = GET_32BIT(s->pkblob);
7413 s->alg = s->pkblob + 4;
7414 s->commentlen = GET_32BIT(s->agentp);
7415 s->agentp += 4;
7416 s->commentp = (char *)s->agentp;
7417 s->agentp += s->commentlen;
7418 /* s->agentp now points at next key, if any */
7419
7420 /* See if server will accept it */
7421 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7422 ssh2_pkt_addstring(s->pktout, s->username);
7423 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7424 /* service requested */
7425 ssh2_pkt_addstring(s->pktout, "publickey");
7426 /* method */
7427 ssh2_pkt_addbool(s->pktout, FALSE); /* no signature included */
7428 ssh2_pkt_addstring_start(s->pktout);
7429 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
7430 ssh2_pkt_addstring_start(s->pktout);
7431 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7432 ssh2_pkt_send(ssh, s->pktout);
7433 s->type = AUTH_TYPE_PUBLICKEY_OFFER_QUIET;
7434
7435 crWaitUntilV(pktin);
7436 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7437
7438 /* Offer of key refused. */
7439 s->gotit = TRUE;
7440
7441 } else {
7442
7443 void *vret;
7444
7445 if (flags & FLAG_VERBOSE) {
7446 c_write_str(ssh, "Authenticating with "
7447 "public key \"");
7448 c_write(ssh, s->commentp, s->commentlen);
7449 c_write_str(ssh, "\" from agent\r\n");
7450 }
7451
7452 /*
7453 * Server is willing to accept the key.
7454 * Construct a SIGN_REQUEST.
7455 */
7456 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7457 ssh2_pkt_addstring(s->pktout, s->username);
7458 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7459 /* service requested */
7460 ssh2_pkt_addstring(s->pktout, "publickey");
7461 /* method */
7462 ssh2_pkt_addbool(s->pktout, TRUE); /* signature included */
7463 ssh2_pkt_addstring_start(s->pktout);
7464 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
7465 ssh2_pkt_addstring_start(s->pktout);
7466 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7467
7468 /* Ask agent for signature. */
7469 s->siglen = s->pktout->length - 5 + 4 +
7470 ssh->v2_session_id_len;
7471 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7472 s->siglen -= 4;
7473 s->len = 1; /* message type */
7474 s->len += 4 + s->pklen; /* key blob */
7475 s->len += 4 + s->siglen; /* data to sign */
7476 s->len += 4; /* flags */
7477 s->agentreq = snewn(4 + s->len, char);
7478 PUT_32BIT(s->agentreq, s->len);
7479 s->q = s->agentreq + 4;
7480 *s->q++ = SSH2_AGENTC_SIGN_REQUEST;
7481 PUT_32BIT(s->q, s->pklen);
7482 s->q += 4;
7483 memcpy(s->q, s->pkblob, s->pklen);
7484 s->q += s->pklen;
7485 PUT_32BIT(s->q, s->siglen);
7486 s->q += 4;
7487 /* Now the data to be signed... */
7488 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7489 PUT_32BIT(s->q, ssh->v2_session_id_len);
7490 s->q += 4;
7491 }
7492 memcpy(s->q, ssh->v2_session_id,
7493 ssh->v2_session_id_len);
7494 s->q += ssh->v2_session_id_len;
7495 memcpy(s->q, s->pktout->data + 5,
7496 s->pktout->length - 5);
7497 s->q += s->pktout->length - 5;
7498 /* And finally the (zero) flags word. */
7499 PUT_32BIT(s->q, 0);
7500 if (!agent_query(s->agentreq, s->len + 4,
7501 &vret, &s->retlen,
7502 ssh_agent_callback, ssh)) {
7503 do {
7504 crReturnV;
7505 if (pktin) {
7506 bombout(("Unexpected data from server"
7507 " while waiting for agent"
7508 " response"));
7509 crStopV;
7510 }
7511 } while (pktin || inlen > 0);
7512 vret = ssh->agent_response;
7513 s->retlen = ssh->agent_response_len;
7514 }
7515 s->ret = vret;
7516 sfree(s->agentreq);
7517 if (s->ret) {
7518 if (s->ret[4] == SSH2_AGENT_SIGN_RESPONSE) {
7519 logevent("Sending Pageant's response");
7520 ssh2_add_sigblob(ssh, s->pktout,
7521 s->pkblob, s->pklen,
7522 s->ret + 9,
7523 GET_32BIT(s->ret + 5));
7524 ssh2_pkt_send(ssh, s->pktout);
7525 s->type = AUTH_TYPE_PUBLICKEY;
7526 } else {
7527 /* FIXME: less drastic response */
7528 bombout(("Pageant failed to answer challenge"));
7529 crStopV;
7530 }
7531 }
7532 }
7533
7534 /* Do we have any keys left to try? */
7535 if (s->pkblob_in_agent) {
7536 s->done_agent = TRUE;
7537 s->tried_pubkey_config = TRUE;
7538 } else {
7539 s->keyi++;
7540 if (s->keyi >= s->nkeys)
7541 s->done_agent = TRUE;
7542 }
7543
7544 } else if (s->can_pubkey && s->publickey_blob &&
7545 !s->tried_pubkey_config) {
7546
7547 struct ssh2_userkey *key; /* not live over crReturn */
7548 char *passphrase; /* not live over crReturn */
7549
7550 ssh->pkt_actx = SSH2_PKTCTX_PUBLICKEY;
7551
7552 s->tried_pubkey_config = TRUE;
7553
7554 /*
7555 * Try the public key supplied in the configuration.
7556 *
7557 * First, offer the public blob to see if the server is
7558 * willing to accept it.
7559 */
7560 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7561 ssh2_pkt_addstring(s->pktout, s->username);
7562 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7563 /* service requested */
7564 ssh2_pkt_addstring(s->pktout, "publickey"); /* method */
7565 ssh2_pkt_addbool(s->pktout, FALSE);
7566 /* no signature included */
7567 ssh2_pkt_addstring(s->pktout, s->publickey_algorithm);
7568 ssh2_pkt_addstring_start(s->pktout);
7569 ssh2_pkt_addstring_data(s->pktout,
7570 (char *)s->publickey_blob,
7571 s->publickey_bloblen);
7572 ssh2_pkt_send(ssh, s->pktout);
7573 logevent("Offered public key");
7574
7575 crWaitUntilV(pktin);
7576 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7577 /* Key refused. Give up. */
7578 s->gotit = TRUE; /* reconsider message next loop */
7579 s->type = AUTH_TYPE_PUBLICKEY_OFFER_LOUD;
7580 continue; /* process this new message */
7581 }
7582 logevent("Offer of public key accepted");
7583
7584 /*
7585 * Actually attempt a serious authentication using
7586 * the key.
7587 */
7588 if (flags & FLAG_VERBOSE) {
7589 c_write_str(ssh, "Authenticating with public key \"");
7590 c_write_str(ssh, s->publickey_comment);
7591 c_write_str(ssh, "\"\r\n");
7592 }
7593 key = NULL;
7594 while (!key) {
7595 const char *error; /* not live over crReturn */
7596 if (s->publickey_encrypted) {
7597 /*
7598 * Get a passphrase from the user.
7599 */
7600 int ret; /* need not be kept over crReturn */
7601 s->cur_prompt = new_prompts(ssh->frontend);
7602 s->cur_prompt->to_server = FALSE;
7603 s->cur_prompt->name = dupstr("SSH key passphrase");
7604 add_prompt(s->cur_prompt,
7605 dupprintf("Passphrase for key \"%.100s\": ",
7606 s->publickey_comment),
7607 FALSE, SSH_MAX_PASSWORD_LEN);
7608 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7609 while (ret < 0) {
7610 ssh->send_ok = 1;
7611 crWaitUntilV(!pktin);
7612 ret = get_userpass_input(s->cur_prompt,
7613 in, inlen);
7614 ssh->send_ok = 0;
7615 }
7616 if (!ret) {
7617 /* Failed to get a passphrase. Terminate. */
7618 free_prompts(s->cur_prompt);
7619 ssh_disconnect(ssh, NULL,
7620 "Unable to authenticate",
7621 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7622 TRUE);
7623 crStopV;
7624 }
7625 passphrase =
7626 dupstr(s->cur_prompt->prompts[0]->result);
7627 free_prompts(s->cur_prompt);
7628 } else {
7629 passphrase = NULL; /* no passphrase needed */
7630 }
7631
7632 /*
7633 * Try decrypting the key.
7634 */
7635 key = ssh2_load_userkey(&ssh->cfg.keyfile, passphrase,
7636 &error);
7637 if (passphrase) {
7638 /* burn the evidence */
7639 memset(passphrase, 0, strlen(passphrase));
7640 sfree(passphrase);
7641 }
7642 if (key == SSH2_WRONG_PASSPHRASE || key == NULL) {
7643 if (passphrase &&
7644 (key == SSH2_WRONG_PASSPHRASE)) {
7645 c_write_str(ssh, "Wrong passphrase\r\n");
7646 key = NULL;
7647 /* and loop again */
7648 } else {
7649 c_write_str(ssh, "Unable to load private key (");
7650 c_write_str(ssh, error);
7651 c_write_str(ssh, ")\r\n");
7652 key = NULL;
7653 break; /* try something else */
7654 }
7655 }
7656 }
7657
7658 if (key) {
7659 unsigned char *pkblob, *sigblob, *sigdata;
7660 int pkblob_len, sigblob_len, sigdata_len;
7661 int p;
7662
7663 /*
7664 * We have loaded the private key and the server
7665 * has announced that it's willing to accept it.
7666 * Hallelujah. Generate a signature and send it.
7667 */
7668 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7669 ssh2_pkt_addstring(s->pktout, s->username);
7670 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7671 /* service requested */
7672 ssh2_pkt_addstring(s->pktout, "publickey");
7673 /* method */
7674 ssh2_pkt_addbool(s->pktout, TRUE);
7675 /* signature follows */
7676 ssh2_pkt_addstring(s->pktout, key->alg->name);
7677 pkblob = key->alg->public_blob(key->data,
7678 &pkblob_len);
7679 ssh2_pkt_addstring_start(s->pktout);
7680 ssh2_pkt_addstring_data(s->pktout, (char *)pkblob,
7681 pkblob_len);
7682
7683 /*
7684 * The data to be signed is:
7685 *
7686 * string session-id
7687 *
7688 * followed by everything so far placed in the
7689 * outgoing packet.
7690 */
7691 sigdata_len = s->pktout->length - 5 + 4 +
7692 ssh->v2_session_id_len;
7693 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7694 sigdata_len -= 4;
7695 sigdata = snewn(sigdata_len, unsigned char);
7696 p = 0;
7697 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7698 PUT_32BIT(sigdata+p, ssh->v2_session_id_len);
7699 p += 4;
7700 }
7701 memcpy(sigdata+p, ssh->v2_session_id,
7702 ssh->v2_session_id_len);
7703 p += ssh->v2_session_id_len;
7704 memcpy(sigdata+p, s->pktout->data + 5,
7705 s->pktout->length - 5);
7706 p += s->pktout->length - 5;
7707 assert(p == sigdata_len);
7708 sigblob = key->alg->sign(key->data, (char *)sigdata,
7709 sigdata_len, &sigblob_len);
7710 ssh2_add_sigblob(ssh, s->pktout, pkblob, pkblob_len,
7711 sigblob, sigblob_len);
7712 sfree(pkblob);
7713 sfree(sigblob);
7714 sfree(sigdata);
7715
7716 ssh2_pkt_send(ssh, s->pktout);
7717 s->type = AUTH_TYPE_PUBLICKEY;
7718 key->alg->freekey(key->data);
7719 }
7720
7721 } else if (s->can_keyb_inter && !s->kbd_inter_refused) {
7722
7723 /*
7724 * Keyboard-interactive authentication.
7725 */
7726
7727 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE;
7728
7729 ssh->pkt_actx = SSH2_PKTCTX_KBDINTER;
7730
7731 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7732 ssh2_pkt_addstring(s->pktout, s->username);
7733 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7734 /* service requested */
7735 ssh2_pkt_addstring(s->pktout, "keyboard-interactive");
7736 /* method */
7737 ssh2_pkt_addstring(s->pktout, ""); /* lang */
7738 ssh2_pkt_addstring(s->pktout, ""); /* submethods */
7739 ssh2_pkt_send(ssh, s->pktout);
7740
7741 crWaitUntilV(pktin);
7742 if (pktin->type != SSH2_MSG_USERAUTH_INFO_REQUEST) {
7743 /* Server is not willing to do keyboard-interactive
7744 * at all (or, bizarrely but legally, accepts the
7745 * user without actually issuing any prompts).
7746 * Give up on it entirely. */
7747 s->gotit = TRUE;
7748 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE)
7749 logevent("Keyboard-interactive authentication refused");
7750 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET;
7751 s->kbd_inter_refused = TRUE; /* don't try it again */
7752 continue;
7753 }
7754
7755 /*
7756 * Loop while the server continues to send INFO_REQUESTs.
7757 */
7758 while (pktin->type == SSH2_MSG_USERAUTH_INFO_REQUEST) {
7759
7760 char *name, *inst, *lang;
7761 int name_len, inst_len, lang_len;
7762 int i;
7763
7764 /*
7765 * We've got a fresh USERAUTH_INFO_REQUEST.
7766 * Get the preamble and start building a prompt.
7767 */
7768 ssh_pkt_getstring(pktin, &name, &name_len);
7769 ssh_pkt_getstring(pktin, &inst, &inst_len);
7770 ssh_pkt_getstring(pktin, &lang, &lang_len);
7771 s->cur_prompt = new_prompts(ssh->frontend);
7772 s->cur_prompt->to_server = TRUE;
7773 if (name_len) {
7774 /* FIXME: better prefix to distinguish from
7775 * local prompts? */
7776 s->cur_prompt->name =
7777 dupprintf("SSH server: %.*s", name_len, name);
7778 s->cur_prompt->name_reqd = TRUE;
7779 } else {
7780 s->cur_prompt->name =
7781 dupstr("SSH server authentication");
7782 s->cur_prompt->name_reqd = FALSE;
7783 }
7784 /* FIXME: ugly to print "Using..." in prompt _every_
7785 * time round. Can this be done more subtly? */
7786 s->cur_prompt->instruction =
7787 dupprintf("Using keyboard-interactive authentication.%s%.*s",
7788 inst_len ? "\n" : "", inst_len, inst);
7789 s->cur_prompt->instr_reqd = TRUE;
7790
7791 /*
7792 * Get the prompts from the packet.
7793 */
7794 s->num_prompts = ssh_pkt_getuint32(pktin);
7795 for (i = 0; i < s->num_prompts; i++) {
7796 char *prompt;
7797 int prompt_len;
7798 int echo;
7799 static char noprompt[] =
7800 "<server failed to send prompt>: ";
7801
7802 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
7803 echo = ssh2_pkt_getbool(pktin);
7804 if (!prompt_len) {
7805 prompt = noprompt;
7806 prompt_len = lenof(noprompt)-1;
7807 }
7808 add_prompt(s->cur_prompt,
7809 dupprintf("%.*s", prompt_len, prompt),
7810 echo, SSH_MAX_PASSWORD_LEN);
7811 }
7812
7813 /*
7814 * Get the user's responses.
7815 */
7816 if (s->num_prompts) {
7817 int ret; /* not live over crReturn */
7818 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7819 while (ret < 0) {
7820 ssh->send_ok = 1;
7821 crWaitUntilV(!pktin);
7822 ret = get_userpass_input(s->cur_prompt, in, inlen);
7823 ssh->send_ok = 0;
7824 }
7825 if (!ret) {
7826 /*
7827 * Failed to get responses. Terminate.
7828 */
7829 free_prompts(s->cur_prompt);
7830 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7831 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7832 TRUE);
7833 crStopV;
7834 }
7835 }
7836
7837 /*
7838 * Send the responses to the server.
7839 */
7840 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_INFO_RESPONSE);
7841 ssh2_pkt_adduint32(s->pktout, s->num_prompts);
7842 for (i=0; i < s->num_prompts; i++) {
7843 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7844 ssh2_pkt_addstring(s->pktout,
7845 s->cur_prompt->prompts[i]->result);
7846 end_log_omission(ssh, s->pktout);
7847 }
7848 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
7849
7850 /*
7851 * Get the next packet in case it's another
7852 * INFO_REQUEST.
7853 */
7854 crWaitUntilV(pktin);
7855
7856 }
7857
7858 /*
7859 * We should have SUCCESS or FAILURE now.
7860 */
7861 s->gotit = TRUE;
7862
7863 } else if (s->can_passwd) {
7864
7865 /*
7866 * Plain old password authentication.
7867 */
7868 int ret; /* not live over crReturn */
7869 int changereq_first_time; /* not live over crReturn */
7870
7871 ssh->pkt_actx = SSH2_PKTCTX_PASSWORD;
7872
7873 s->cur_prompt = new_prompts(ssh->frontend);
7874 s->cur_prompt->to_server = TRUE;
7875 s->cur_prompt->name = dupstr("SSH password");
7876 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
7877 s->username,
7878 ssh->savedhost),
7879 FALSE, SSH_MAX_PASSWORD_LEN);
7880
7881 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7882 while (ret < 0) {
7883 ssh->send_ok = 1;
7884 crWaitUntilV(!pktin);
7885 ret = get_userpass_input(s->cur_prompt, in, inlen);
7886 ssh->send_ok = 0;
7887 }
7888 if (!ret) {
7889 /*
7890 * Failed to get responses. Terminate.
7891 */
7892 free_prompts(s->cur_prompt);
7893 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7894 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7895 TRUE);
7896 crStopV;
7897 }
7898 /*
7899 * Squirrel away the password. (We may need it later if
7900 * asked to change it.)
7901 */
7902 s->password = dupstr(s->cur_prompt->prompts[0]->result);
7903 free_prompts(s->cur_prompt);
7904
7905 /*
7906 * Send the password packet.
7907 *
7908 * We pad out the password packet to 256 bytes to make
7909 * it harder for an attacker to find the length of the
7910 * user's password.
7911 *
7912 * Anyone using a password longer than 256 bytes
7913 * probably doesn't have much to worry about from
7914 * people who find out how long their password is!
7915 */
7916 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7917 ssh2_pkt_addstring(s->pktout, s->username);
7918 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7919 /* service requested */
7920 ssh2_pkt_addstring(s->pktout, "password");
7921 ssh2_pkt_addbool(s->pktout, FALSE);
7922 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7923 ssh2_pkt_addstring(s->pktout, s->password);
7924 end_log_omission(ssh, s->pktout);
7925 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
7926 logevent("Sent password");
7927 s->type = AUTH_TYPE_PASSWORD;
7928
7929 /*
7930 * Wait for next packet, in case it's a password change
7931 * request.
7932 */
7933 crWaitUntilV(pktin);
7934 changereq_first_time = TRUE;
7935
7936 while (pktin->type == SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ) {
7937
7938 /*
7939 * We're being asked for a new password
7940 * (perhaps not for the first time).
7941 * Loop until the server accepts it.
7942 */
7943
7944 int got_new = FALSE; /* not live over crReturn */
7945 char *prompt; /* not live over crReturn */
7946 int prompt_len; /* not live over crReturn */
7947
7948 {
7949 char *msg;
7950 if (changereq_first_time)
7951 msg = "Server requested password change";
7952 else
7953 msg = "Server rejected new password";
7954 logevent(msg);
7955 c_write_str(ssh, msg);
7956 c_write_str(ssh, "\r\n");
7957 }
7958
7959 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
7960
7961 s->cur_prompt = new_prompts(ssh->frontend);
7962 s->cur_prompt->to_server = TRUE;
7963 s->cur_prompt->name = dupstr("New SSH password");
7964 s->cur_prompt->instruction =
7965 dupprintf("%.*s", prompt_len, prompt);
7966 s->cur_prompt->instr_reqd = TRUE;
7967 /*
7968 * There's no explicit requirement in the protocol
7969 * for the "old" passwords in the original and
7970 * password-change messages to be the same, and
7971 * apparently some Cisco kit supports password change
7972 * by the user entering a blank password originally
7973 * and the real password subsequently, so,
7974 * reluctantly, we prompt for the old password again.
7975 *
7976 * (On the other hand, some servers don't even bother
7977 * to check this field.)
7978 */
7979 add_prompt(s->cur_prompt,
7980 dupstr("Current password (blank for previously entered password): "),
7981 FALSE, SSH_MAX_PASSWORD_LEN);
7982 add_prompt(s->cur_prompt, dupstr("Enter new password: "),
7983 FALSE, SSH_MAX_PASSWORD_LEN);
7984 add_prompt(s->cur_prompt, dupstr("Confirm new password: "),
7985 FALSE, SSH_MAX_PASSWORD_LEN);
7986
7987 /*
7988 * Loop until the user manages to enter the same
7989 * password twice.
7990 */
7991 while (!got_new) {
7992
7993 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7994 while (ret < 0) {
7995 ssh->send_ok = 1;
7996 crWaitUntilV(!pktin);
7997 ret = get_userpass_input(s->cur_prompt, in, inlen);
7998 ssh->send_ok = 0;
7999 }
8000 if (!ret) {
8001 /*
8002 * Failed to get responses. Terminate.
8003 */
8004 /* burn the evidence */
8005 free_prompts(s->cur_prompt);
8006 memset(s->password, 0, strlen(s->password));
8007 sfree(s->password);
8008 ssh_disconnect(ssh, NULL, "Unable to authenticate",
8009 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
8010 TRUE);
8011 crStopV;
8012 }
8013
8014 /*
8015 * If the user specified a new original password
8016 * (IYSWIM), overwrite any previously specified
8017 * one.
8018 * (A side effect is that the user doesn't have to
8019 * re-enter it if they louse up the new password.)
8020 */
8021 if (s->cur_prompt->prompts[0]->result[0]) {
8022 memset(s->password, 0, strlen(s->password));
8023 /* burn the evidence */
8024 sfree(s->password);
8025 s->password =
8026 dupstr(s->cur_prompt->prompts[0]->result);
8027 }
8028
8029 /*
8030 * Check the two new passwords match.
8031 */
8032 got_new = (strcmp(s->cur_prompt->prompts[1]->result,
8033 s->cur_prompt->prompts[2]->result)
8034 == 0);
8035 if (!got_new)
8036 /* They don't. Silly user. */
8037 c_write_str(ssh, "Passwords do not match\r\n");
8038
8039 }
8040
8041 /*
8042 * Send the new password (along with the old one).
8043 * (see above for padding rationale)
8044 */
8045 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
8046 ssh2_pkt_addstring(s->pktout, s->username);
8047 ssh2_pkt_addstring(s->pktout, "ssh-connection");
8048 /* service requested */
8049 ssh2_pkt_addstring(s->pktout, "password");
8050 ssh2_pkt_addbool(s->pktout, TRUE);
8051 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
8052 ssh2_pkt_addstring(s->pktout, s->password);
8053 ssh2_pkt_addstring(s->pktout,
8054 s->cur_prompt->prompts[1]->result);
8055 free_prompts(s->cur_prompt);
8056 end_log_omission(ssh, s->pktout);
8057 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
8058 logevent("Sent new password");
8059
8060 /*
8061 * Now see what the server has to say about it.
8062 * (If it's CHANGEREQ again, it's not happy with the
8063 * new password.)
8064 */
8065 crWaitUntilV(pktin);
8066 changereq_first_time = FALSE;
8067
8068 }
8069
8070 /*
8071 * We need to reexamine the current pktin at the top
8072 * of the loop. Either:
8073 * - we weren't asked to change password at all, in
8074 * which case it's a SUCCESS or FAILURE with the
8075 * usual meaning
8076 * - we sent a new password, and the server was
8077 * either OK with it (SUCCESS or FAILURE w/partial
8078 * success) or unhappy with the _old_ password
8079 * (FAILURE w/o partial success)
8080 * In any of these cases, we go back to the top of
8081 * the loop and start again.
8082 */
8083 s->gotit = TRUE;
8084
8085 /*
8086 * We don't need the old password any more, in any
8087 * case. Burn the evidence.
8088 */
8089 memset(s->password, 0, strlen(s->password));
8090 sfree(s->password);
8091
8092 } else {
8093
8094 ssh_disconnect(ssh, NULL,
8095 "No supported authentication methods available",
8096 SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE,
8097 FALSE);
8098 crStopV;
8099
8100 }
8101
8102 }
8103 }
8104 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
8105
8106 /* Clear up various bits and pieces from authentication. */
8107 if (s->publickey_blob) {
8108 sfree(s->publickey_blob);
8109 sfree(s->publickey_comment);
8110 }
8111 if (s->agent_response)
8112 sfree(s->agent_response);
8113
8114 /*
8115 * Now the connection protocol has started, one way or another.
8116 */
8117
8118 ssh->channels = newtree234(ssh_channelcmp);
8119
8120 /*
8121 * Set up handlers for some connection protocol messages, so we
8122 * don't have to handle them repeatedly in this coroutine.
8123 */
8124 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] =
8125 ssh2_msg_channel_window_adjust;
8126 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] =
8127 ssh2_msg_global_request;
8128
8129 /*
8130 * Create the main session channel.
8131 */
8132 if (ssh->cfg.ssh_no_shell) {
8133 ssh->mainchan = NULL;
8134 } else if (*ssh->cfg.ssh_nc_host) {
8135 /*
8136 * Just start a direct-tcpip channel and use it as the main
8137 * channel.
8138 */
8139 ssh->mainchan = snew(struct ssh_channel);
8140 ssh->mainchan->ssh = ssh;
8141 ssh2_channel_init(ssh->mainchan);
8142 logeventf(ssh,
8143 "Opening direct-tcpip channel to %s:%d in place of session",
8144 ssh->cfg.ssh_nc_host, ssh->cfg.ssh_nc_port);
8145 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
8146 ssh2_pkt_addstring(s->pktout, "direct-tcpip");
8147 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
8148 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
8149 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
8150 ssh2_pkt_addstring(s->pktout, ssh->cfg.ssh_nc_host);
8151 ssh2_pkt_adduint32(s->pktout, ssh->cfg.ssh_nc_port);
8152 /*
8153 * There's nothing meaningful to put in the originator
8154 * fields, but some servers insist on syntactically correct
8155 * information.
8156 */
8157 ssh2_pkt_addstring(s->pktout, "0.0.0.0");
8158 ssh2_pkt_adduint32(s->pktout, 0);
8159 ssh2_pkt_send(ssh, s->pktout);
8160
8161 crWaitUntilV(pktin);
8162 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
8163 bombout(("Server refused to open a direct-tcpip channel"));
8164 crStopV;
8165 /* FIXME: error data comes back in FAILURE packet */
8166 }
8167 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
8168 bombout(("Server's channel confirmation cited wrong channel"));
8169 crStopV;
8170 }
8171 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
8172 ssh->mainchan->halfopen = FALSE;
8173 ssh->mainchan->type = CHAN_MAINSESSION;
8174 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
8175 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
8176 add234(ssh->channels, ssh->mainchan);
8177 update_specials_menu(ssh->frontend);
8178 logevent("Opened direct-tcpip channel");
8179 ssh->ncmode = TRUE;
8180 } else {
8181 ssh->mainchan = snew(struct ssh_channel);
8182 ssh->mainchan->ssh = ssh;
8183 ssh2_channel_init(ssh->mainchan);
8184 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
8185 ssh2_pkt_addstring(s->pktout, "session");
8186 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
8187 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
8188 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
8189 ssh2_pkt_send(ssh, s->pktout);
8190 crWaitUntilV(pktin);
8191 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
8192 bombout(("Server refused to open a session"));
8193 crStopV;
8194 /* FIXME: error data comes back in FAILURE packet */
8195 }
8196 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
8197 bombout(("Server's channel confirmation cited wrong channel"));
8198 crStopV;
8199 }
8200 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
8201 ssh->mainchan->halfopen = FALSE;
8202 ssh->mainchan->type = CHAN_MAINSESSION;
8203 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
8204 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
8205 add234(ssh->channels, ssh->mainchan);
8206 update_specials_menu(ssh->frontend);
8207 logevent("Opened channel for session");
8208 ssh->ncmode = FALSE;
8209 }
8210
8211 /*
8212 * Now we have a channel, make dispatch table entries for
8213 * general channel-based messages.
8214 */
8215 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] =
8216 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] =
8217 ssh2_msg_channel_data;
8218 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = ssh2_msg_channel_eof;
8219 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = ssh2_msg_channel_close;
8220 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] =
8221 ssh2_msg_channel_open_confirmation;
8222 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] =
8223 ssh2_msg_channel_open_failure;
8224 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] =
8225 ssh2_msg_channel_request;
8226 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] =
8227 ssh2_msg_channel_open;
8228
8229 if (ssh->cfg.ssh_simple) {
8230 /*
8231 * This message indicates to the server that we promise
8232 * not to try to run any other channel in parallel with
8233 * this one, so it's safe for it to advertise a very large
8234 * window and leave the flow control to TCP.
8235 */
8236 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8237 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8238 ssh2_pkt_addstring(s->pktout, "simple@putty.projects.tartarus.org");
8239 ssh2_pkt_addbool(s->pktout, 0); /* no reply */
8240 ssh2_pkt_send(ssh, s->pktout);
8241 }
8242
8243 /*
8244 * Potentially enable X11 forwarding.
8245 */
8246 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.x11_forward) {
8247 char proto[20], data[64];
8248 logevent("Requesting X11 forwarding");
8249 ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
8250 data, sizeof(data), ssh->cfg.x11_auth);
8251 x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
8252 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8253 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8254 ssh2_pkt_addstring(s->pktout, "x11-req");
8255 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8256 ssh2_pkt_addbool(s->pktout, 0); /* many connections */
8257 ssh2_pkt_addstring(s->pktout, proto);
8258 /*
8259 * Note that while we blank the X authentication data here, we don't
8260 * take any special action to blank the start of an X11 channel,
8261 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
8262 * without having session blanking enabled is likely to leak your
8263 * cookie into the log.
8264 */
8265 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
8266 ssh2_pkt_addstring(s->pktout, data);
8267 end_log_omission(ssh, s->pktout);
8268 ssh2_pkt_adduint32(s->pktout, x11_get_screen_number(ssh->cfg.x11_display));
8269 ssh2_pkt_send(ssh, s->pktout);
8270
8271 crWaitUntilV(pktin);
8272
8273 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8274 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8275 bombout(("Unexpected response to X11 forwarding request:"
8276 " packet type %d", pktin->type));
8277 crStopV;
8278 }
8279 logevent("X11 forwarding refused");
8280 } else {
8281 logevent("X11 forwarding enabled");
8282 ssh->X11_fwd_enabled = TRUE;
8283 }
8284 }
8285
8286 /*
8287 * Enable port forwardings.
8288 */
8289 ssh_setup_portfwd(ssh, &ssh->cfg);
8290
8291 /*
8292 * Potentially enable agent forwarding.
8293 */
8294 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.agentfwd && agent_exists()) {
8295 logevent("Requesting OpenSSH-style agent forwarding");
8296 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8297 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8298 ssh2_pkt_addstring(s->pktout, "auth-agent-req@openssh.com");
8299 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8300 ssh2_pkt_send(ssh, s->pktout);
8301
8302 crWaitUntilV(pktin);
8303
8304 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8305 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8306 bombout(("Unexpected response to agent forwarding request:"
8307 " packet type %d", pktin->type));
8308 crStopV;
8309 }
8310 logevent("Agent forwarding refused");
8311 } else {
8312 logevent("Agent forwarding enabled");
8313 ssh->agentfwd_enabled = TRUE;
8314 }
8315 }
8316
8317 /*
8318 * Now allocate a pty for the session.
8319 */
8320 if (ssh->mainchan && !ssh->ncmode && !ssh->cfg.nopty) {
8321 /* Unpick the terminal-speed string. */
8322 /* XXX perhaps we should allow no speeds to be sent. */
8323 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
8324 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
8325 /* Build the pty request. */
8326 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8327 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
8328 ssh2_pkt_addstring(s->pktout, "pty-req");
8329 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8330 ssh2_pkt_addstring(s->pktout, ssh->cfg.termtype);
8331 ssh2_pkt_adduint32(s->pktout, ssh->term_width);
8332 ssh2_pkt_adduint32(s->pktout, ssh->term_height);
8333 ssh2_pkt_adduint32(s->pktout, 0); /* pixel width */
8334 ssh2_pkt_adduint32(s->pktout, 0); /* pixel height */
8335 ssh2_pkt_addstring_start(s->pktout);
8336 parse_ttymodes(ssh, ssh->cfg.ttymodes,
8337 ssh2_send_ttymode, (void *)s->pktout);
8338 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_ISPEED);
8339 ssh2_pkt_adduint32(s->pktout, ssh->ispeed);
8340 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_OSPEED);
8341 ssh2_pkt_adduint32(s->pktout, ssh->ospeed);
8342 ssh2_pkt_addstring_data(s->pktout, "\0", 1); /* TTY_OP_END */
8343 ssh2_pkt_send(ssh, s->pktout);
8344 ssh->state = SSH_STATE_INTERMED;
8345
8346 crWaitUntilV(pktin);
8347
8348 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8349 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8350 bombout(("Unexpected response to pty request:"
8351 " packet type %d", pktin->type));
8352 crStopV;
8353 }
8354 c_write_str(ssh, "Server refused to allocate pty\r\n");
8355 ssh->editing = ssh->echoing = 1;
8356 } else {
8357 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
8358 ssh->ospeed, ssh->ispeed);
8359 }
8360 } else {
8361 ssh->editing = ssh->echoing = 1;
8362 }
8363
8364 /*
8365 * Send environment variables.
8366 *
8367 * Simplest thing here is to send all the requests at once, and
8368 * then wait for a whole bunch of successes or failures.
8369 */
8370 if (ssh->mainchan && !ssh->ncmode && *ssh->cfg.environmt) {
8371 char *e = ssh->cfg.environmt;
8372 char *var, *varend, *val;
8373
8374 s->num_env = 0;
8375
8376 while (*e) {
8377 var = e;
8378 while (*e && *e != '\t') e++;
8379 varend = e;
8380 if (*e == '\t') e++;
8381 val = e;
8382 while (*e) e++;
8383 e++;
8384
8385 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8386 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8387 ssh2_pkt_addstring(s->pktout, "env");
8388 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8389 ssh2_pkt_addstring_start(s->pktout);
8390 ssh2_pkt_addstring_data(s->pktout, var, varend-var);
8391 ssh2_pkt_addstring(s->pktout, val);
8392 ssh2_pkt_send(ssh, s->pktout);
8393
8394 s->num_env++;
8395 }
8396
8397 logeventf(ssh, "Sent %d environment variables", s->num_env);
8398
8399 s->env_ok = 0;
8400 s->env_left = s->num_env;
8401
8402 while (s->env_left > 0) {
8403 crWaitUntilV(pktin);
8404
8405 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8406 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8407 bombout(("Unexpected response to environment request:"
8408 " packet type %d", pktin->type));
8409 crStopV;
8410 }
8411 } else {
8412 s->env_ok++;
8413 }
8414
8415 s->env_left--;
8416 }
8417
8418 if (s->env_ok == s->num_env) {
8419 logevent("All environment variables successfully set");
8420 } else if (s->env_ok == 0) {
8421 logevent("All environment variables refused");
8422 c_write_str(ssh, "Server refused to set environment variables\r\n");
8423 } else {
8424 logeventf(ssh, "%d environment variables refused",
8425 s->num_env - s->env_ok);
8426 c_write_str(ssh, "Server refused to set all environment variables\r\n");
8427 }
8428 }
8429
8430 /*
8431 * Start a shell or a remote command. We may have to attempt
8432 * this twice if the config data has provided a second choice
8433 * of command.
8434 */
8435 if (ssh->mainchan && !ssh->ncmode) while (1) {
8436 int subsys;
8437 char *cmd;
8438
8439 if (ssh->fallback_cmd) {
8440 subsys = ssh->cfg.ssh_subsys2;
8441 cmd = ssh->cfg.remote_cmd_ptr2;
8442 } else {
8443 subsys = ssh->cfg.ssh_subsys;
8444 cmd = ssh->cfg.remote_cmd_ptr;
8445 if (!cmd) cmd = ssh->cfg.remote_cmd;
8446 }
8447
8448 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8449 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
8450 if (subsys) {
8451 ssh2_pkt_addstring(s->pktout, "subsystem");
8452 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8453 ssh2_pkt_addstring(s->pktout, cmd);
8454 } else if (*cmd) {
8455 ssh2_pkt_addstring(s->pktout, "exec");
8456 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8457 ssh2_pkt_addstring(s->pktout, cmd);
8458 } else {
8459 ssh2_pkt_addstring(s->pktout, "shell");
8460 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8461 }
8462 ssh2_pkt_send(ssh, s->pktout);
8463
8464 crWaitUntilV(pktin);
8465
8466 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8467 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8468 bombout(("Unexpected response to shell/command request:"
8469 " packet type %d", pktin->type));
8470 crStopV;
8471 }
8472 /*
8473 * We failed to start the command. If this is the
8474 * fallback command, we really are finished; if it's
8475 * not, and if the fallback command exists, try falling
8476 * back to it before complaining.
8477 */
8478 if (!ssh->fallback_cmd && ssh->cfg.remote_cmd_ptr2 != NULL) {
8479 logevent("Primary command failed; attempting fallback");
8480 ssh->fallback_cmd = TRUE;
8481 continue;
8482 }
8483 bombout(("Server refused to start a shell/command"));
8484 crStopV;
8485 } else {
8486 logevent("Started a shell/command");
8487 }
8488 break;
8489 }
8490
8491 ssh->state = SSH_STATE_SESSION;
8492 if (ssh->size_needed)
8493 ssh_size(ssh, ssh->term_width, ssh->term_height);
8494 if (ssh->eof_needed)
8495 ssh_special(ssh, TS_EOF);
8496
8497 /*
8498 * All the initial channel requests are done, so install the default
8499 * failure handler.
8500 */
8501 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = ssh2_msg_channel_success;
8502 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = ssh2_msg_channel_failure;
8503
8504 /*
8505 * Transfer data!
8506 */
8507 if (ssh->ldisc)
8508 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
8509 if (ssh->mainchan)
8510 ssh->send_ok = 1;
8511 while (1) {
8512 crReturnV;
8513 s->try_send = FALSE;
8514 if (pktin) {
8515
8516 /*
8517 * _All_ the connection-layer packets we expect to
8518 * receive are now handled by the dispatch table.
8519 * Anything that reaches here must be bogus.
8520 */
8521
8522 bombout(("Strange packet received: type %d", pktin->type));
8523 crStopV;
8524 } else if (ssh->mainchan) {
8525 /*
8526 * We have spare data. Add it to the channel buffer.
8527 */
8528 ssh2_add_channel_data(ssh->mainchan, (char *)in, inlen);
8529 s->try_send = TRUE;
8530 }
8531 if (s->try_send) {
8532 int i;
8533 struct ssh_channel *c;
8534 /*
8535 * Try to send data on all channels if we can.
8536 */
8537 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++)
8538 ssh2_try_send_and_unthrottle(c);
8539 }
8540 }
8541
8542 crFinishV;
8543 }
8544
8545 /*
8546 * Handlers for SSH-2 messages that might arrive at any moment.
8547 */
8548 static void ssh2_msg_disconnect(Ssh ssh, struct Packet *pktin)
8549 {
8550 /* log reason code in disconnect message */
8551 char *buf, *msg;
8552 int nowlen, reason, msglen;
8553
8554 reason = ssh_pkt_getuint32(pktin);
8555 ssh_pkt_getstring(pktin, &msg, &msglen);
8556
8557 if (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) {
8558 buf = dupprintf("Received disconnect message (%s)",
8559 ssh2_disconnect_reasons[reason]);
8560 } else {
8561 buf = dupprintf("Received disconnect message (unknown"
8562 " type %d)", reason);
8563 }
8564 logevent(buf);
8565 sfree(buf);
8566 buf = dupprintf("Disconnection message text: %n%.*s",
8567 &nowlen, msglen, msg);
8568 logevent(buf);
8569 bombout(("Server sent disconnect message\ntype %d (%s):\n\"%s\"",
8570 reason,
8571 (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
8572 ssh2_disconnect_reasons[reason] : "unknown",
8573 buf+nowlen));
8574 sfree(buf);
8575 }
8576
8577 static void ssh2_msg_debug(Ssh ssh, struct Packet *pktin)
8578 {
8579 /* log the debug message */
8580 char *msg;
8581 int msglen;
8582 int always_display;
8583
8584 /* XXX maybe we should actually take notice of this */
8585 always_display = ssh2_pkt_getbool(pktin);
8586 ssh_pkt_getstring(pktin, &msg, &msglen);
8587
8588 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
8589 }
8590
8591 static void ssh2_msg_something_unimplemented(Ssh ssh, struct Packet *pktin)
8592 {
8593 struct Packet *pktout;
8594 pktout = ssh2_pkt_init(SSH2_MSG_UNIMPLEMENTED);
8595 ssh2_pkt_adduint32(pktout, pktin->sequence);
8596 /*
8597 * UNIMPLEMENTED messages MUST appear in the same order as the
8598 * messages they respond to. Hence, never queue them.
8599 */
8600 ssh2_pkt_send_noqueue(ssh, pktout);
8601 }
8602
8603 /*
8604 * Handle the top-level SSH-2 protocol.
8605 */
8606 static void ssh2_protocol_setup(Ssh ssh)
8607 {
8608 int i;
8609
8610 /*
8611 * Most messages cause SSH2_MSG_UNIMPLEMENTED.
8612 */
8613 for (i = 0; i < 256; i++)
8614 ssh->packet_dispatch[i] = ssh2_msg_something_unimplemented;
8615
8616 /*
8617 * Any message we actually understand, we set to NULL so that
8618 * the coroutines will get it.
8619 */
8620 ssh->packet_dispatch[SSH2_MSG_UNIMPLEMENTED] = NULL;
8621 ssh->packet_dispatch[SSH2_MSG_SERVICE_REQUEST] = NULL;
8622 ssh->packet_dispatch[SSH2_MSG_SERVICE_ACCEPT] = NULL;
8623 ssh->packet_dispatch[SSH2_MSG_KEXINIT] = NULL;
8624 ssh->packet_dispatch[SSH2_MSG_NEWKEYS] = NULL;
8625 ssh->packet_dispatch[SSH2_MSG_KEXDH_INIT] = NULL;
8626 ssh->packet_dispatch[SSH2_MSG_KEXDH_REPLY] = NULL;
8627 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REQUEST] = NULL; duplicate case value */
8628 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_GROUP] = NULL; duplicate case value */
8629 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_INIT] = NULL;
8630 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REPLY] = NULL;
8631 ssh->packet_dispatch[SSH2_MSG_USERAUTH_REQUEST] = NULL;
8632 ssh->packet_dispatch[SSH2_MSG_USERAUTH_FAILURE] = NULL;
8633 ssh->packet_dispatch[SSH2_MSG_USERAUTH_SUCCESS] = NULL;
8634 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
8635 ssh->packet_dispatch[SSH2_MSG_USERAUTH_PK_OK] = NULL;
8636 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ] = NULL; duplicate case value */
8637 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_REQUEST] = NULL; duplicate case value */
8638 ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_RESPONSE] = NULL;
8639 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] = NULL;
8640 ssh->packet_dispatch[SSH2_MSG_REQUEST_SUCCESS] = NULL;
8641 ssh->packet_dispatch[SSH2_MSG_REQUEST_FAILURE] = NULL;
8642 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] = NULL;
8643 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] = NULL;
8644 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] = NULL;
8645 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] = NULL;
8646 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] = NULL;
8647 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] = NULL;
8648 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = NULL;
8649 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = NULL;
8650 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] = NULL;
8651 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = NULL;
8652 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = NULL;
8653
8654 /*
8655 * These special message types we install handlers for.
8656 */
8657 ssh->packet_dispatch[SSH2_MSG_DISCONNECT] = ssh2_msg_disconnect;
8658 ssh->packet_dispatch[SSH2_MSG_IGNORE] = ssh_msg_ignore; /* shared with SSH-1 */
8659 ssh->packet_dispatch[SSH2_MSG_DEBUG] = ssh2_msg_debug;
8660 }
8661
8662 static void ssh2_timer(void *ctx, long now)
8663 {
8664 Ssh ssh = (Ssh)ctx;
8665
8666 if (ssh->state == SSH_STATE_CLOSED)
8667 return;
8668
8669 if (!ssh->kex_in_progress && ssh->cfg.ssh_rekey_time != 0 &&
8670 now - ssh->next_rekey >= 0) {
8671 do_ssh2_transport(ssh, "timeout", -1, NULL);
8672 }
8673 }
8674
8675 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
8676 struct Packet *pktin)
8677 {
8678 unsigned char *in = (unsigned char *)vin;
8679 if (ssh->state == SSH_STATE_CLOSED)
8680 return;
8681
8682 if (pktin) {
8683 ssh->incoming_data_size += pktin->encrypted_len;
8684 if (!ssh->kex_in_progress &&
8685 ssh->max_data_size != 0 &&
8686 ssh->incoming_data_size > ssh->max_data_size)
8687 do_ssh2_transport(ssh, "too much data received", -1, NULL);
8688 }
8689
8690 if (pktin && ssh->packet_dispatch[pktin->type]) {
8691 ssh->packet_dispatch[pktin->type](ssh, pktin);
8692 return;
8693 }
8694
8695 if (!ssh->protocol_initial_phase_done ||
8696 (pktin && pktin->type >= 20 && pktin->type < 50)) {
8697 if (do_ssh2_transport(ssh, in, inlen, pktin) &&
8698 !ssh->protocol_initial_phase_done) {
8699 ssh->protocol_initial_phase_done = TRUE;
8700 /*
8701 * Allow authconn to initialise itself.
8702 */
8703 do_ssh2_authconn(ssh, NULL, 0, NULL);
8704 }
8705 } else {
8706 do_ssh2_authconn(ssh, in, inlen, pktin);
8707 }
8708 }
8709
8710 /*
8711 * Called to set up the connection.
8712 *
8713 * Returns an error message, or NULL on success.
8714 */
8715 static const char *ssh_init(void *frontend_handle, void **backend_handle,
8716 Config *cfg,
8717 char *host, int port, char **realhost, int nodelay,
8718 int keepalive)
8719 {
8720 const char *p;
8721 Ssh ssh;
8722
8723 ssh = snew(struct ssh_tag);
8724 ssh->cfg = *cfg; /* STRUCTURE COPY */
8725 ssh->version = 0; /* when not ready yet */
8726 ssh->s = NULL;
8727 ssh->cipher = NULL;
8728 ssh->v1_cipher_ctx = NULL;
8729 ssh->crcda_ctx = NULL;
8730 ssh->cscipher = NULL;
8731 ssh->cs_cipher_ctx = NULL;
8732 ssh->sccipher = NULL;
8733 ssh->sc_cipher_ctx = NULL;
8734 ssh->csmac = NULL;
8735 ssh->cs_mac_ctx = NULL;
8736 ssh->scmac = NULL;
8737 ssh->sc_mac_ctx = NULL;
8738 ssh->cscomp = NULL;
8739 ssh->cs_comp_ctx = NULL;
8740 ssh->sccomp = NULL;
8741 ssh->sc_comp_ctx = NULL;
8742 ssh->kex = NULL;
8743 ssh->kex_ctx = NULL;
8744 ssh->hostkey = NULL;
8745 ssh->exitcode = -1;
8746 ssh->close_expected = FALSE;
8747 ssh->clean_exit = FALSE;
8748 ssh->state = SSH_STATE_PREPACKET;
8749 ssh->size_needed = FALSE;
8750 ssh->eof_needed = FALSE;
8751 ssh->ldisc = NULL;
8752 ssh->logctx = NULL;
8753 ssh->deferred_send_data = NULL;
8754 ssh->deferred_len = 0;
8755 ssh->deferred_size = 0;
8756 ssh->fallback_cmd = 0;
8757 ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
8758 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
8759 ssh->x11auth = NULL;
8760 ssh->v1_compressing = FALSE;
8761 ssh->v2_outgoing_sequence = 0;
8762 ssh->ssh1_rdpkt_crstate = 0;
8763 ssh->ssh2_rdpkt_crstate = 0;
8764 ssh->do_ssh_init_crstate = 0;
8765 ssh->ssh_gotdata_crstate = 0;
8766 ssh->do_ssh1_connection_crstate = 0;
8767 ssh->do_ssh1_login_crstate = 0;
8768 ssh->do_ssh2_transport_crstate = 0;
8769 ssh->do_ssh2_authconn_crstate = 0;
8770 ssh->do_ssh_init_state = NULL;
8771 ssh->do_ssh1_login_state = NULL;
8772 ssh->do_ssh2_transport_state = NULL;
8773 ssh->do_ssh2_authconn_state = NULL;
8774 ssh->v_c = NULL;
8775 ssh->v_s = NULL;
8776 ssh->mainchan = NULL;
8777 ssh->throttled_all = 0;
8778 ssh->v1_stdout_throttling = 0;
8779 ssh->queue = NULL;
8780 ssh->queuelen = ssh->queuesize = 0;
8781 ssh->queueing = FALSE;
8782 ssh->qhead = ssh->qtail = NULL;
8783 ssh->deferred_rekey_reason = NULL;
8784 bufchain_init(&ssh->queued_incoming_data);
8785 ssh->frozen = FALSE;
8786
8787 *backend_handle = ssh;
8788
8789 #ifdef MSCRYPTOAPI
8790 if (crypto_startup() == 0)
8791 return "Microsoft high encryption pack not installed!";
8792 #endif
8793
8794 ssh->frontend = frontend_handle;
8795 ssh->term_width = ssh->cfg.width;
8796 ssh->term_height = ssh->cfg.height;
8797
8798 ssh->channels = NULL;
8799 ssh->rportfwds = NULL;
8800 ssh->portfwds = NULL;
8801
8802 ssh->send_ok = 0;
8803 ssh->editing = 0;
8804 ssh->echoing = 0;
8805 ssh->conn_throttle_count = 0;
8806 ssh->overall_bufsize = 0;
8807 ssh->fallback_cmd = 0;
8808
8809 ssh->protocol = NULL;
8810
8811 ssh->protocol_initial_phase_done = FALSE;
8812
8813 ssh->pinger = NULL;
8814
8815 ssh->incoming_data_size = ssh->outgoing_data_size =
8816 ssh->deferred_data_size = 0L;
8817 ssh->max_data_size = parse_blocksize(ssh->cfg.ssh_rekey_data);
8818 ssh->kex_in_progress = FALSE;
8819
8820 p = connect_to_host(ssh, host, port, realhost, nodelay, keepalive);
8821 if (p != NULL)
8822 return p;
8823
8824 random_ref();
8825
8826 return NULL;
8827 }
8828
8829 static void ssh_free(void *handle)
8830 {
8831 Ssh ssh = (Ssh) handle;
8832 struct ssh_channel *c;
8833 struct ssh_rportfwd *pf;
8834
8835 if (ssh->v1_cipher_ctx)
8836 ssh->cipher->free_context(ssh->v1_cipher_ctx);
8837 if (ssh->cs_cipher_ctx)
8838 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
8839 if (ssh->sc_cipher_ctx)
8840 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
8841 if (ssh->cs_mac_ctx)
8842 ssh->csmac->free_context(ssh->cs_mac_ctx);
8843 if (ssh->sc_mac_ctx)
8844 ssh->scmac->free_context(ssh->sc_mac_ctx);
8845 if (ssh->cs_comp_ctx) {
8846 if (ssh->cscomp)
8847 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
8848 else
8849 zlib_compress_cleanup(ssh->cs_comp_ctx);
8850 }
8851 if (ssh->sc_comp_ctx) {
8852 if (ssh->sccomp)
8853 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
8854 else
8855 zlib_decompress_cleanup(ssh->sc_comp_ctx);
8856 }
8857 if (ssh->kex_ctx)
8858 dh_cleanup(ssh->kex_ctx);
8859 sfree(ssh->savedhost);
8860
8861 while (ssh->queuelen-- > 0)
8862 ssh_free_packet(ssh->queue[ssh->queuelen]);
8863 sfree(ssh->queue);
8864
8865 while (ssh->qhead) {
8866 struct queued_handler *qh = ssh->qhead;
8867 ssh->qhead = qh->next;
8868 sfree(ssh->qhead);
8869 }
8870 ssh->qhead = ssh->qtail = NULL;
8871
8872 if (ssh->channels) {
8873 while ((c = delpos234(ssh->channels, 0)) != NULL) {
8874 switch (c->type) {
8875 case CHAN_X11:
8876 if (c->u.x11.s != NULL)
8877 x11_close(c->u.x11.s);
8878 break;
8879 case CHAN_SOCKDATA:
8880 if (c->u.pfd.s != NULL)
8881 pfd_close(c->u.pfd.s);
8882 break;
8883 }
8884 sfree(c);
8885 }
8886 freetree234(ssh->channels);
8887 ssh->channels = NULL;
8888 }
8889
8890 if (ssh->rportfwds) {
8891 while ((pf = delpos234(ssh->rportfwds, 0)) != NULL)
8892 sfree(pf);
8893 freetree234(ssh->rportfwds);
8894 ssh->rportfwds = NULL;
8895 }
8896 sfree(ssh->deferred_send_data);
8897 if (ssh->x11auth)
8898 x11_free_auth(ssh->x11auth);
8899 sfree(ssh->do_ssh_init_state);
8900 sfree(ssh->do_ssh1_login_state);
8901 sfree(ssh->do_ssh2_transport_state);
8902 sfree(ssh->do_ssh2_authconn_state);
8903 sfree(ssh->v_c);
8904 sfree(ssh->v_s);
8905 if (ssh->crcda_ctx) {
8906 crcda_free_context(ssh->crcda_ctx);
8907 ssh->crcda_ctx = NULL;
8908 }
8909 if (ssh->s)
8910 ssh_do_close(ssh, TRUE);
8911 expire_timer_context(ssh);
8912 if (ssh->pinger)
8913 pinger_free(ssh->pinger);
8914 bufchain_clear(&ssh->queued_incoming_data);
8915 sfree(ssh);
8916
8917 random_unref();
8918 }
8919
8920 /*
8921 * Reconfigure the SSH backend.
8922 */
8923 static void ssh_reconfig(void *handle, Config *cfg)
8924 {
8925 Ssh ssh = (Ssh) handle;
8926 char *rekeying = NULL, rekey_mandatory = FALSE;
8927 unsigned long old_max_data_size;
8928
8929 pinger_reconfig(ssh->pinger, &ssh->cfg, cfg);
8930 if (ssh->portfwds)
8931 ssh_setup_portfwd(ssh, cfg);
8932
8933 if (ssh->cfg.ssh_rekey_time != cfg->ssh_rekey_time &&
8934 cfg->ssh_rekey_time != 0) {
8935 long new_next = ssh->last_rekey + cfg->ssh_rekey_time*60*TICKSPERSEC;
8936 long now = GETTICKCOUNT();
8937
8938 if (new_next - now < 0) {
8939 rekeying = "timeout shortened";
8940 } else {
8941 ssh->next_rekey = schedule_timer(new_next - now, ssh2_timer, ssh);
8942 }
8943 }
8944
8945 old_max_data_size = ssh->max_data_size;
8946 ssh->max_data_size = parse_blocksize(cfg->ssh_rekey_data);
8947 if (old_max_data_size != ssh->max_data_size &&
8948 ssh->max_data_size != 0) {
8949 if (ssh->outgoing_data_size > ssh->max_data_size ||
8950 ssh->incoming_data_size > ssh->max_data_size)
8951 rekeying = "data limit lowered";
8952 }
8953
8954 if (ssh->cfg.compression != cfg->compression) {
8955 rekeying = "compression setting changed";
8956 rekey_mandatory = TRUE;
8957 }
8958
8959 if (ssh->cfg.ssh2_des_cbc != cfg->ssh2_des_cbc ||
8960 memcmp(ssh->cfg.ssh_cipherlist, cfg->ssh_cipherlist,
8961 sizeof(ssh->cfg.ssh_cipherlist))) {
8962 rekeying = "cipher settings changed";
8963 rekey_mandatory = TRUE;
8964 }
8965
8966 ssh->cfg = *cfg; /* STRUCTURE COPY */
8967
8968 if (rekeying) {
8969 if (!ssh->kex_in_progress) {
8970 do_ssh2_transport(ssh, rekeying, -1, NULL);
8971 } else if (rekey_mandatory) {
8972 ssh->deferred_rekey_reason = rekeying;
8973 }
8974 }
8975 }
8976
8977 /*
8978 * Called to send data down the SSH connection.
8979 */
8980 static int ssh_send(void *handle, char *buf, int len)
8981 {
8982 Ssh ssh = (Ssh) handle;
8983
8984 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
8985 return 0;
8986
8987 ssh->protocol(ssh, (unsigned char *)buf, len, 0);
8988
8989 return ssh_sendbuffer(ssh);
8990 }
8991
8992 /*
8993 * Called to query the current amount of buffered stdin data.
8994 */
8995 static int ssh_sendbuffer(void *handle)
8996 {
8997 Ssh ssh = (Ssh) handle;
8998 int override_value;
8999
9000 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
9001 return 0;
9002
9003 /*
9004 * If the SSH socket itself has backed up, add the total backup
9005 * size on that to any individual buffer on the stdin channel.
9006 */
9007 override_value = 0;
9008 if (ssh->throttled_all)
9009 override_value = ssh->overall_bufsize;
9010
9011 if (ssh->version == 1) {
9012 return override_value;
9013 } else if (ssh->version == 2) {
9014 if (!ssh->mainchan || ssh->mainchan->closes > 0)
9015 return override_value;
9016 else
9017 return (override_value +
9018 bufchain_size(&ssh->mainchan->v.v2.outbuffer));
9019 }
9020
9021 return 0;
9022 }
9023
9024 /*
9025 * Called to set the size of the window from SSH's POV.
9026 */
9027 static void ssh_size(void *handle, int width, int height)
9028 {
9029 Ssh ssh = (Ssh) handle;
9030 struct Packet *pktout;
9031
9032 ssh->term_width = width;
9033 ssh->term_height = height;
9034
9035 switch (ssh->state) {
9036 case SSH_STATE_BEFORE_SIZE:
9037 case SSH_STATE_PREPACKET:
9038 case SSH_STATE_CLOSED:
9039 break; /* do nothing */
9040 case SSH_STATE_INTERMED:
9041 ssh->size_needed = TRUE; /* buffer for later */
9042 break;
9043 case SSH_STATE_SESSION:
9044 if (!ssh->cfg.nopty) {
9045 if (ssh->version == 1) {
9046 send_packet(ssh, SSH1_CMSG_WINDOW_SIZE,
9047 PKT_INT, ssh->term_height,
9048 PKT_INT, ssh->term_width,
9049 PKT_INT, 0, PKT_INT, 0, PKT_END);
9050 } else if (ssh->mainchan) {
9051 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9052 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9053 ssh2_pkt_addstring(pktout, "window-change");
9054 ssh2_pkt_addbool(pktout, 0);
9055 ssh2_pkt_adduint32(pktout, ssh->term_width);
9056 ssh2_pkt_adduint32(pktout, ssh->term_height);
9057 ssh2_pkt_adduint32(pktout, 0);
9058 ssh2_pkt_adduint32(pktout, 0);
9059 ssh2_pkt_send(ssh, pktout);
9060 }
9061 }
9062 break;
9063 }
9064 }
9065
9066 /*
9067 * Return a list of the special codes that make sense in this
9068 * protocol.
9069 */
9070 static const struct telnet_special *ssh_get_specials(void *handle)
9071 {
9072 static const struct telnet_special ssh1_ignore_special[] = {
9073 {"IGNORE message", TS_NOP}
9074 };
9075 static const struct telnet_special ssh2_transport_specials[] = {
9076 {"IGNORE message", TS_NOP},
9077 {"Repeat key exchange", TS_REKEY},
9078 };
9079 static const struct telnet_special ssh2_session_specials[] = {
9080 {NULL, TS_SEP},
9081 {"Break", TS_BRK},
9082 /* These are the signal names defined by RFC 4254.
9083 * They include all the ISO C signals, but are a subset of the POSIX
9084 * required signals. */
9085 {"SIGINT (Interrupt)", TS_SIGINT},
9086 {"SIGTERM (Terminate)", TS_SIGTERM},
9087 {"SIGKILL (Kill)", TS_SIGKILL},
9088 {"SIGQUIT (Quit)", TS_SIGQUIT},
9089 {"SIGHUP (Hangup)", TS_SIGHUP},
9090 {"More signals", TS_SUBMENU},
9091 {"SIGABRT", TS_SIGABRT}, {"SIGALRM", TS_SIGALRM},
9092 {"SIGFPE", TS_SIGFPE}, {"SIGILL", TS_SIGILL},
9093 {"SIGPIPE", TS_SIGPIPE}, {"SIGSEGV", TS_SIGSEGV},
9094 {"SIGUSR1", TS_SIGUSR1}, {"SIGUSR2", TS_SIGUSR2},
9095 {NULL, TS_EXITMENU}
9096 };
9097 static const struct telnet_special specials_end[] = {
9098 {NULL, TS_EXITMENU}
9099 };
9100 /* XXX review this length for any changes: */
9101 static struct telnet_special ssh_specials[lenof(ssh2_transport_specials) +
9102 lenof(ssh2_session_specials) +
9103 lenof(specials_end)];
9104 Ssh ssh = (Ssh) handle;
9105 int i = 0;
9106 #define ADD_SPECIALS(name) \
9107 do { \
9108 assert((i + lenof(name)) <= lenof(ssh_specials)); \
9109 memcpy(&ssh_specials[i], name, sizeof name); \
9110 i += lenof(name); \
9111 } while(0)
9112
9113 if (ssh->version == 1) {
9114 /* Don't bother offering IGNORE if we've decided the remote
9115 * won't cope with it, since we wouldn't bother sending it if
9116 * asked anyway. */
9117 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
9118 ADD_SPECIALS(ssh1_ignore_special);
9119 } else if (ssh->version == 2) {
9120 ADD_SPECIALS(ssh2_transport_specials);
9121 if (ssh->mainchan)
9122 ADD_SPECIALS(ssh2_session_specials);
9123 } /* else we're not ready yet */
9124
9125 if (i) {
9126 ADD_SPECIALS(specials_end);
9127 return ssh_specials;
9128 } else {
9129 return NULL;
9130 }
9131 #undef ADD_SPECIALS
9132 }
9133
9134 /*
9135 * Send special codes. TS_EOF is useful for `plink', so you
9136 * can send an EOF and collect resulting output (e.g. `plink
9137 * hostname sort').
9138 */
9139 static void ssh_special(void *handle, Telnet_Special code)
9140 {
9141 Ssh ssh = (Ssh) handle;
9142 struct Packet *pktout;
9143
9144 if (code == TS_EOF) {
9145 if (ssh->state != SSH_STATE_SESSION) {
9146 /*
9147 * Buffer the EOF in case we are pre-SESSION, so we can
9148 * send it as soon as we reach SESSION.
9149 */
9150 if (code == TS_EOF)
9151 ssh->eof_needed = TRUE;
9152 return;
9153 }
9154 if (ssh->version == 1) {
9155 send_packet(ssh, SSH1_CMSG_EOF, PKT_END);
9156 } else if (ssh->mainchan) {
9157 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_EOF);
9158 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9159 ssh2_pkt_send(ssh, pktout);
9160 ssh->send_ok = 0; /* now stop trying to read from stdin */
9161 }
9162 logevent("Sent EOF message");
9163 } else if (code == TS_PING || code == TS_NOP) {
9164 if (ssh->state == SSH_STATE_CLOSED
9165 || ssh->state == SSH_STATE_PREPACKET) return;
9166 if (ssh->version == 1) {
9167 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
9168 send_packet(ssh, SSH1_MSG_IGNORE, PKT_STR, "", PKT_END);
9169 } else {
9170 pktout = ssh2_pkt_init(SSH2_MSG_IGNORE);
9171 ssh2_pkt_addstring_start(pktout);
9172 ssh2_pkt_send_noqueue(ssh, pktout);
9173 }
9174 } else if (code == TS_REKEY) {
9175 if (!ssh->kex_in_progress && ssh->version == 2) {
9176 do_ssh2_transport(ssh, "at user request", -1, NULL);
9177 }
9178 } else if (code == TS_BRK) {
9179 if (ssh->state == SSH_STATE_CLOSED
9180 || ssh->state == SSH_STATE_PREPACKET) return;
9181 if (ssh->version == 1) {
9182 logevent("Unable to send BREAK signal in SSH-1");
9183 } else if (ssh->mainchan) {
9184 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9185 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9186 ssh2_pkt_addstring(pktout, "break");
9187 ssh2_pkt_addbool(pktout, 0);
9188 ssh2_pkt_adduint32(pktout, 0); /* default break length */
9189 ssh2_pkt_send(ssh, pktout);
9190 }
9191 } else {
9192 /* Is is a POSIX signal? */
9193 char *signame = NULL;
9194 if (code == TS_SIGABRT) signame = "ABRT";
9195 if (code == TS_SIGALRM) signame = "ALRM";
9196 if (code == TS_SIGFPE) signame = "FPE";
9197 if (code == TS_SIGHUP) signame = "HUP";
9198 if (code == TS_SIGILL) signame = "ILL";
9199 if (code == TS_SIGINT) signame = "INT";
9200 if (code == TS_SIGKILL) signame = "KILL";
9201 if (code == TS_SIGPIPE) signame = "PIPE";
9202 if (code == TS_SIGQUIT) signame = "QUIT";
9203 if (code == TS_SIGSEGV) signame = "SEGV";
9204 if (code == TS_SIGTERM) signame = "TERM";
9205 if (code == TS_SIGUSR1) signame = "USR1";
9206 if (code == TS_SIGUSR2) signame = "USR2";
9207 /* The SSH-2 protocol does in principle support arbitrary named
9208 * signals, including signame@domain, but we don't support those. */
9209 if (signame) {
9210 /* It's a signal. */
9211 if (ssh->version == 2 && ssh->mainchan) {
9212 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9213 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9214 ssh2_pkt_addstring(pktout, "signal");
9215 ssh2_pkt_addbool(pktout, 0);
9216 ssh2_pkt_addstring(pktout, signame);
9217 ssh2_pkt_send(ssh, pktout);
9218 logeventf(ssh, "Sent signal SIG%s", signame);
9219 }
9220 } else {
9221 /* Never heard of it. Do nothing */
9222 }
9223 }
9224 }
9225
9226 void *new_sock_channel(void *handle, Socket s)
9227 {
9228 Ssh ssh = (Ssh) handle;
9229 struct ssh_channel *c;
9230 c = snew(struct ssh_channel);
9231
9232 c->ssh = ssh;
9233 ssh2_channel_init(c);
9234 c->halfopen = TRUE;
9235 c->type = CHAN_SOCKDATA_DORMANT;/* identify channel type */
9236 c->u.pfd.s = s;
9237 add234(ssh->channels, c);
9238 return c;
9239 }
9240
9241 /*
9242 * This is called when stdout/stderr (the entity to which
9243 * from_backend sends data) manages to clear some backlog.
9244 */
9245 static void ssh_unthrottle(void *handle, int bufsize)
9246 {
9247 Ssh ssh = (Ssh) handle;
9248 int buflimit;
9249
9250 if (ssh->version == 1) {
9251 if (ssh->v1_stdout_throttling && bufsize < SSH1_BUFFER_LIMIT) {
9252 ssh->v1_stdout_throttling = 0;
9253 ssh_throttle_conn(ssh, -1);
9254 }
9255 } else {
9256 if (ssh->mainchan) {
9257 ssh2_set_window(ssh->mainchan,
9258 bufsize < ssh->mainchan->v.v2.locmaxwin ?
9259 ssh->mainchan->v.v2.locmaxwin - bufsize : 0);
9260 if (ssh->cfg.ssh_simple)
9261 buflimit = 0;
9262 else
9263 buflimit = ssh->mainchan->v.v2.locmaxwin;
9264 if (ssh->mainchan->throttling_conn && bufsize <= buflimit) {
9265 ssh->mainchan->throttling_conn = 0;
9266 ssh_throttle_conn(ssh, -1);
9267 }
9268 }
9269 }
9270 }
9271
9272 void ssh_send_port_open(void *channel, char *hostname, int port, char *org)
9273 {
9274 struct ssh_channel *c = (struct ssh_channel *)channel;
9275 Ssh ssh = c->ssh;
9276 struct Packet *pktout;
9277
9278 logeventf(ssh, "Opening forwarded connection to %s:%d", hostname, port);
9279
9280 if (ssh->version == 1) {
9281 send_packet(ssh, SSH1_MSG_PORT_OPEN,
9282 PKT_INT, c->localid,
9283 PKT_STR, hostname,
9284 PKT_INT, port,
9285 /* PKT_STR, <org:orgport>, */
9286 PKT_END);
9287 } else {
9288 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
9289 ssh2_pkt_addstring(pktout, "direct-tcpip");
9290 ssh2_pkt_adduint32(pktout, c->localid);
9291 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);/* our window size */
9292 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
9293 ssh2_pkt_addstring(pktout, hostname);
9294 ssh2_pkt_adduint32(pktout, port);
9295 /*
9296 * We make up values for the originator data; partly it's
9297 * too much hassle to keep track, and partly I'm not
9298 * convinced the server should be told details like that
9299 * about my local network configuration.
9300 * The "originator IP address" is syntactically a numeric
9301 * IP address, and some servers (e.g., Tectia) get upset
9302 * if it doesn't match this syntax.
9303 */
9304 ssh2_pkt_addstring(pktout, "0.0.0.0");
9305 ssh2_pkt_adduint32(pktout, 0);
9306 ssh2_pkt_send(ssh, pktout);
9307 }
9308 }
9309
9310 static int ssh_connected(void *handle)
9311 {
9312 Ssh ssh = (Ssh) handle;
9313 return ssh->s != NULL;
9314 }
9315
9316 static int ssh_sendok(void *handle)
9317 {
9318 Ssh ssh = (Ssh) handle;
9319 return ssh->send_ok;
9320 }
9321
9322 static int ssh_ldisc(void *handle, int option)
9323 {
9324 Ssh ssh = (Ssh) handle;
9325 if (option == LD_ECHO)
9326 return ssh->echoing;
9327 if (option == LD_EDIT)
9328 return ssh->editing;
9329 return FALSE;
9330 }
9331
9332 static void ssh_provide_ldisc(void *handle, void *ldisc)
9333 {
9334 Ssh ssh = (Ssh) handle;
9335 ssh->ldisc = ldisc;
9336 }
9337
9338 static void ssh_provide_logctx(void *handle, void *logctx)
9339 {
9340 Ssh ssh = (Ssh) handle;
9341 ssh->logctx = logctx;
9342 }
9343
9344 static int ssh_return_exitcode(void *handle)
9345 {
9346 Ssh ssh = (Ssh) handle;
9347 if (ssh->s != NULL)
9348 return -1;
9349 else
9350 return (ssh->exitcode >= 0 ? ssh->exitcode : INT_MAX);
9351 }
9352
9353 /*
9354 * cfg_info for SSH is the currently running version of the
9355 * protocol. (1 for 1; 2 for 2; 0 for not-decided-yet.)
9356 */
9357 static int ssh_cfg_info(void *handle)
9358 {
9359 Ssh ssh = (Ssh) handle;
9360 return ssh->version;
9361 }
9362
9363 /*
9364 * Gross hack: pscp will try to start SFTP but fall back to scp1 if
9365 * that fails. This variable is the means by which scp.c can reach
9366 * into the SSH code and find out which one it got.
9367 */
9368 extern int ssh_fallback_cmd(void *handle)
9369 {
9370 Ssh ssh = (Ssh) handle;
9371 return ssh->fallback_cmd;
9372 }
9373
9374 Backend ssh_backend = {
9375 ssh_init,
9376 ssh_free,
9377 ssh_reconfig,
9378 ssh_send,
9379 ssh_sendbuffer,
9380 ssh_size,
9381 ssh_special,
9382 ssh_get_specials,
9383 ssh_connected,
9384 ssh_return_exitcode,
9385 ssh_sendok,
9386 ssh_ldisc,
9387 ssh_provide_ldisc,
9388 ssh_provide_logctx,
9389 ssh_unthrottle,
9390 ssh_cfg_info,
9391 "ssh",
9392 PROT_SSH,
9393 22
9394 };
Local modifications for Simon Tatham's `PuTTY' SSH client and terminal emulator