+ s->tis_auth_refused = s->ccard_auth_refused = 0;
+ /* Load the public half of ssh->cfg.keyfile so we notice if it's in Pageant */
+ if (!filename_is_null(ssh->cfg.keyfile)) {
+ if (!rsakey_pubblob(&ssh->cfg.keyfile,
+ &s->publickey_blob, &s->publickey_bloblen))
+ s->publickey_blob = NULL;
+ } else
+ s->publickey_blob = NULL;
+
+ while (ssh->pktin.type == SSH1_SMSG_FAILURE) {
+ s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
+
+ if (agent_exists() && !s->tried_agent) {
+ /*
+ * Attempt RSA authentication using Pageant.
+ */
+ void *r;
+
+ s->authed = FALSE;
+ s->tried_agent = 1;
+ logevent("Pageant is running. Requesting keys.");
+
+ /* Request the keys held by the agent. */
+ PUT_32BIT(s->request, 1);
+ s->request[4] = SSH1_AGENTC_REQUEST_RSA_IDENTITIES;
+ agent_query(s->request, 5, &r, &s->responselen);
+ s->response = (unsigned char *) r;
+ if (s->response && s->responselen >= 5 &&
+ s->response[4] == SSH1_AGENT_RSA_IDENTITIES_ANSWER) {
+ s->p = s->response + 5;
+ s->nkeys = GET_32BIT(s->p);
+ s->p += 4;
+ {
+ char buf[64];
+ sprintf(buf, "Pageant has %d SSH1 keys", s->nkeys);
+ logevent(buf);
+ }
+ for (s->keyi = 0; s->keyi < s->nkeys; s->keyi++) {
+ {
+ char buf[64];
+ sprintf(buf, "Trying Pageant key #%d", s->keyi);
+ logevent(buf);
+ }
+ if (s->publickey_blob &&
+ !memcmp(s->p, s->publickey_blob,
+ s->publickey_bloblen)) {
+ logevent("This key matches configured key file");
+ s->tried_publickey = 1;
+ }
+ s->p += 4;
+ s->p += ssh1_read_bignum(s->p, &s->key.exponent);
+ s->p += ssh1_read_bignum(s->p, &s->key.modulus);
+ s->commentlen = GET_32BIT(s->p);
+ s->p += 4;
+ s->commentp = (char *)s->p;
+ s->p += s->commentlen;
+ send_packet(ssh, SSH1_CMSG_AUTH_RSA,
+ PKT_BIGNUM, s->key.modulus, PKT_END);
+ crWaitUntil(ispkt);
+ if (ssh->pktin.type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
+ logevent("Key refused");
+ continue;
+ }
+ logevent("Received RSA challenge");
+ ssh1_read_bignum(ssh->pktin.body, &s->challenge);
+ {
+ char *agentreq, *q, *ret;
+ void *vret;
+ int len, retlen;
+ len = 1 + 4; /* message type, bit count */
+ len += ssh1_bignum_length(s->key.exponent);
+ len += ssh1_bignum_length(s->key.modulus);
+ len += ssh1_bignum_length(s->challenge);
+ len += 16; /* session id */
+ len += 4; /* response format */
+ agentreq = smalloc(4 + len);
+ PUT_32BIT(agentreq, len);
+ q = agentreq + 4;
+ *q++ = SSH1_AGENTC_RSA_CHALLENGE;
+ PUT_32BIT(q, bignum_bitcount(s->key.modulus));
+ q += 4;
+ q += ssh1_write_bignum(q, s->key.exponent);
+ q += ssh1_write_bignum(q, s->key.modulus);
+ q += ssh1_write_bignum(q, s->challenge);
+ memcpy(q, s->session_id, 16);
+ q += 16;
+ PUT_32BIT(q, 1); /* response format */
+ agent_query(agentreq, len + 4, &vret, &retlen);
+ ret = vret;
+ sfree(agentreq);
+ if (ret) {
+ if (ret[4] == SSH1_AGENT_RSA_RESPONSE) {
+ logevent("Sending Pageant's response");
+ send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
+ PKT_DATA, ret + 5, 16,
+ PKT_END);
+ sfree(ret);
+ crWaitUntil(ispkt);
+ if (ssh->pktin.type == SSH1_SMSG_SUCCESS) {
+ logevent
+ ("Pageant's response accepted");
+ if (flags & FLAG_VERBOSE) {
+ c_write_str(ssh, "Authenticated using"
+ " RSA key \"");
+ c_write(ssh, s->commentp,
+ s->commentlen);
+ c_write_str(ssh, "\" from agent\r\n");
+ }
+ s->authed = TRUE;
+ } else
+ logevent
+ ("Pageant's response not accepted");
+ } else {
+ logevent
+ ("Pageant failed to answer challenge");
+ sfree(ret);
+ }
+ } else {
+ logevent("No reply received from Pageant");
+ }
+ }
+ freebn(s->key.exponent);
+ freebn(s->key.modulus);
+ freebn(s->challenge);
+ if (s->authed)
+ break;
+ }
+ }
+ if (s->authed)
+ break;
+ }
+ if (!filename_is_null(ssh->cfg.keyfile) && !s->tried_publickey)
+ s->pwpkt_type = SSH1_CMSG_AUTH_RSA;
+
+ if (ssh->cfg.try_tis_auth &&
+ (s->supported_auths_mask & (1 << SSH1_AUTH_TIS)) &&
+ !s->tis_auth_refused) {
+ s->pwpkt_type = SSH1_CMSG_AUTH_TIS_RESPONSE;
+ logevent("Requested TIS authentication");
+ send_packet(ssh, SSH1_CMSG_AUTH_TIS, PKT_END);
+ crWaitUntil(ispkt);
+ if (ssh->pktin.type != SSH1_SMSG_AUTH_TIS_CHALLENGE) {
+ logevent("TIS authentication declined");
+ if (flags & FLAG_INTERACTIVE)
+ c_write_str(ssh, "TIS authentication refused.\r\n");
+ s->tis_auth_refused = 1;
+ continue;
+ } else {
+ int challengelen = GET_32BIT(ssh->pktin.body);
+ logevent("Received TIS challenge");
+ if (challengelen > sizeof(s->prompt) - 1)
+ challengelen = sizeof(s->prompt) - 1;/* prevent overrun */
+ memcpy(s->prompt, ssh->pktin.body + 4, challengelen);
+ /* Prompt heuristic comes from OpenSSH */
+ strncpy(s->prompt + challengelen,
+ memchr(s->prompt, '\n', challengelen) ?
+ "": "\r\nResponse: ",
+ (sizeof s->prompt) - challengelen);
+ s->prompt[(sizeof s->prompt) - 1] = '\0';
+ }
+ }
+ if (ssh->cfg.try_tis_auth &&
+ (s->supported_auths_mask & (1 << SSH1_AUTH_CCARD)) &&
+ !s->ccard_auth_refused) {
+ s->pwpkt_type = SSH1_CMSG_AUTH_CCARD_RESPONSE;
+ logevent("Requested CryptoCard authentication");
+ send_packet(ssh, SSH1_CMSG_AUTH_CCARD, PKT_END);
+ crWaitUntil(ispkt);
+ if (ssh->pktin.type != SSH1_SMSG_AUTH_CCARD_CHALLENGE) {
+ logevent("CryptoCard authentication declined");
+ c_write_str(ssh, "CryptoCard authentication refused.\r\n");
+ s->ccard_auth_refused = 1;
+ continue;
+ } else {
+ int challengelen = GET_32BIT(ssh->pktin.body);
+ logevent("Received CryptoCard challenge");
+ if (challengelen > sizeof(s->prompt) - 1)
+ challengelen = sizeof(s->prompt) - 1;/* prevent overrun */
+ memcpy(s->prompt, ssh->pktin.body + 4, challengelen);
+ strncpy(s->prompt + challengelen,
+ memchr(s->prompt, '\n', challengelen) ?
+ "" : "\r\nResponse: ",
+ sizeof(s->prompt) - challengelen);
+ s->prompt[sizeof(s->prompt) - 1] = '\0';
+ }
+ }
+ if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
+ sprintf(s->prompt, "%.90s@%.90s's password: ",
+ s->username, ssh->savedhost);
+ }
+ if (s->pwpkt_type == SSH1_CMSG_AUTH_RSA) {
+ char *comment = NULL;
+ int type;
+ char msgbuf[256];
+ if (flags & FLAG_VERBOSE)
+ c_write_str(ssh, "Trying public key authentication.\r\n");
+ logeventf(ssh, "Trying public key \"%s\"",
+ filename_to_str(&ssh->cfg.keyfile));
+ type = key_type(&ssh->cfg.keyfile);
+ if (type != SSH_KEYTYPE_SSH1) {
+ sprintf(msgbuf, "Key is of wrong type (%s)",
+ key_type_to_str(type));
+ logevent(msgbuf);
+ c_write_str(ssh, msgbuf);
+ c_write_str(ssh, "\r\n");
+ s->tried_publickey = 1;
+ continue;
+ }
+ if (!rsakey_encrypted(&ssh->cfg.keyfile, &comment)) {
+ if (flags & FLAG_VERBOSE)
+ c_write_str(ssh, "No passphrase required.\r\n");
+ goto tryauth;
+ }
+ sprintf(s->prompt, "Passphrase for key \"%.100s\": ", comment);
+ sfree(comment);
+ }
+
+ /*
+ * Show password prompt, having first obtained it via a TIS
+ * or CryptoCard exchange if we're doing TIS or CryptoCard
+ * authentication.
+ */
+ if (ssh_get_line) {
+ if (!ssh_get_line(s->prompt, s->password,
+ sizeof(s->password), TRUE)) {
+ /*
+ * get_line failed to get a password (for example
+ * because one was supplied on the command line
+ * which has already failed to work). Terminate.
+ */
+ send_packet(ssh, SSH1_MSG_DISCONNECT,
+ PKT_STR, "No more passwords available to try",
+ PKT_END);
+ logevent("Unable to authenticate");
+ connection_fatal(ssh->frontend, "Unable to authenticate");
+ ssh->state = SSH_STATE_CLOSED;
+ crReturn(1);
+ }
+ } else {
+ /* Prompt may have come from server. We've munged it a bit, so
+ * we know it to be zero-terminated at least once. */
+ int ret; /* need not be saved over crReturn */
+ c_write_untrusted(ssh, s->prompt, strlen(s->prompt));
+ s->pos = 0;
+
+ setup_userpass_input(ssh, s->password, sizeof(s->password), 0);
+ do {
+ crWaitUntil(!ispkt);
+ ret = process_userpass_input(ssh, in, inlen);
+ } while (ret == 0);
+ if (ret < 0)
+ cleanup_exit(0);
+ c_write_str(ssh, "\r\n");
+ }
+
+ tryauth:
+ if (s->pwpkt_type == SSH1_CMSG_AUTH_RSA) {
+ /*
+ * Try public key authentication with the specified
+ * key file.
+ */
+ s->tried_publickey = 1;
+
+ {
+ int ret = loadrsakey(&ssh->cfg.keyfile, &s->key, s->password);
+ if (ret == 0) {
+ c_write_str(ssh, "Couldn't load private key from ");
+ c_write_str(ssh, filename_to_str(&ssh->cfg.keyfile));
+ c_write_str(ssh, ".\r\n");
+ continue; /* go and try password */
+ }
+ if (ret == -1) {
+ c_write_str(ssh, "Wrong passphrase.\r\n");
+ s->tried_publickey = 0;
+ continue; /* try again */
+ }
+ }
+
+ /*
+ * Send a public key attempt.
+ */
+ send_packet(ssh, SSH1_CMSG_AUTH_RSA,
+ PKT_BIGNUM, s->key.modulus, PKT_END);
+
+ crWaitUntil(ispkt);
+ if (ssh->pktin.type == SSH1_SMSG_FAILURE) {
+ c_write_str(ssh, "Server refused our public key.\r\n");
+ continue; /* go and try password */
+ }
+ if (ssh->pktin.type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
+ bombout((ssh,"Bizarre response to offer of public key"));
+ crReturn(0);
+ }
+
+ {
+ int i;
+ unsigned char buffer[32];
+ Bignum challenge, response;
+
+ ssh1_read_bignum(ssh->pktin.body, &challenge);
+ response = rsadecrypt(challenge, &s->key);
+ freebn(s->key.private_exponent);/* burn the evidence */
+
+ for (i = 0; i < 32; i++) {
+ buffer[i] = bignum_byte(response, 31 - i);
+ }
+
+ MD5Init(&md5c);
+ MD5Update(&md5c, buffer, 32);
+ MD5Update(&md5c, s->session_id, 16);
+ MD5Final(buffer, &md5c);
+
+ send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
+ PKT_DATA, buffer, 16, PKT_END);
+
+ freebn(challenge);
+ freebn(response);
+ }
+
+ crWaitUntil(ispkt);
+ if (ssh->pktin.type == SSH1_SMSG_FAILURE) {
+ if (flags & FLAG_VERBOSE)
+ c_write_str(ssh, "Failed to authenticate with"
+ " our public key.\r\n");
+ continue; /* go and try password */
+ } else if (ssh->pktin.type != SSH1_SMSG_SUCCESS) {
+ bombout((ssh,"Bizarre response to RSA authentication response"));
+ crReturn(0);
+ }
+
+ break; /* we're through! */
+ } else {
+ if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
+ /*
+ * Defence against traffic analysis: we send a
+ * whole bunch of packets containing strings of
+ * different lengths. One of these strings is the
+ * password, in a SSH1_CMSG_AUTH_PASSWORD packet.
+ * The others are all random data in
+ * SSH1_MSG_IGNORE packets. This way a passive
+ * listener can't tell which is the password, and
+ * hence can't deduce the password length.
+ *
+ * Anybody with a password length greater than 16
+ * bytes is going to have enough entropy in their
+ * password that a listener won't find it _that_
+ * much help to know how long it is. So what we'll
+ * do is:
+ *
+ * - if password length < 16, we send 15 packets
+ * containing string lengths 1 through 15
+ *
+ * - otherwise, we let N be the nearest multiple
+ * of 8 below the password length, and send 8
+ * packets containing string lengths N through
+ * N+7. This won't obscure the order of
+ * magnitude of the password length, but it will
+ * introduce a bit of extra uncertainty.
+ *
+ * A few servers (the old 1.2.18 through 1.2.22)
+ * can't deal with SSH1_MSG_IGNORE. For these
+ * servers, we need an alternative defence. We make
+ * use of the fact that the password is interpreted
+ * as a C string: so we can append a NUL, then some
+ * random data.
+ *
+ * One server (a Cisco one) can deal with neither
+ * SSH1_MSG_IGNORE _nor_ a padded password string.
+ * For this server we are left with no defences
+ * against password length sniffing.
+ */
+ if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE)) {
+ /*
+ * The server can deal with SSH1_MSG_IGNORE, so
+ * we can use the primary defence.
+ */
+ int bottom, top, pwlen, i;
+ char *randomstr;
+
+ pwlen = strlen(s->password);
+ if (pwlen < 16) {
+ bottom = 0; /* zero length passwords are OK! :-) */
+ top = 15;
+ } else {
+ bottom = pwlen & ~7;
+ top = bottom + 7;
+ }
+
+ assert(pwlen >= bottom && pwlen <= top);
+
+ randomstr = smalloc(top + 1);
+
+ for (i = bottom; i <= top; i++) {
+ if (i == pwlen)
+ defer_packet(ssh, s->pwpkt_type,
+ PKT_STR, s->password, PKT_END);
+ else {
+ for (j = 0; j < i; j++) {
+ do {
+ randomstr[j] = random_byte();
+ } while (randomstr[j] == '\0');
+ }
+ randomstr[i] = '\0';
+ defer_packet(ssh, SSH1_MSG_IGNORE,
+ PKT_STR, randomstr, PKT_END);
+ }
+ }
+ logevent("Sending password with camouflage packets");
+ ssh_pkt_defersend(ssh);
+ }
+ else if (!(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
+ /*
+ * The server can't deal with SSH1_MSG_IGNORE
+ * but can deal with padded passwords, so we
+ * can use the secondary defence.
+ */
+ char string[64];
+ char *ss;
+ int len;
+
+ len = strlen(s->password);
+ if (len < sizeof(string)) {
+ ss = string;
+ strcpy(string, s->password);
+ len++; /* cover the zero byte */
+ while (len < sizeof(string)) {
+ string[len++] = (char) random_byte();
+ }
+ } else {
+ ss = s->password;
+ }
+ logevent("Sending length-padded password");
+ send_packet(ssh, s->pwpkt_type, PKT_INT, len,
+ PKT_DATA, ss, len, PKT_END);
+ } else {
+ /*
+ * The server has _both_
+ * BUG_CHOKES_ON_SSH1_IGNORE and
+ * BUG_NEEDS_SSH1_PLAIN_PASSWORD. There is
+ * therefore nothing we can do.
+ */
+ int len;
+ len = strlen(s->password);
+ logevent("Sending unpadded password");
+ send_packet(ssh, s->pwpkt_type, PKT_INT, len,
+ PKT_DATA, s->password, len, PKT_END);
+ }
+ } else {
+ send_packet(ssh, s->pwpkt_type, PKT_STR, s->password, PKT_END);
+ }
+ }
+ logevent("Sent password");
+ memset(s->password, 0, strlen(s->password));
+ crWaitUntil(ispkt);
+ if (ssh->pktin.type == SSH1_SMSG_FAILURE) {
+ if (flags & FLAG_VERBOSE)
+ c_write_str(ssh, "Access denied\r\n");
+ logevent("Authentication refused");
+ } else if (ssh->pktin.type != SSH1_SMSG_SUCCESS) {
+ bombout((ssh,"Strange packet received, type %d", ssh->pktin.type));
+ crReturn(0);
+ }
+ }
+
+ logevent("Authentication successful");
+
+ crFinish(1);
+}
+
+void sshfwd_close(struct ssh_channel *c)
+{
+ Ssh ssh = c->ssh;
+
+ if (c && !c->closes) {
+ /*
+ * If the channel's remoteid is -1, we have sent
+ * CHANNEL_OPEN for this channel, but it hasn't even been
+ * acknowledged by the server. So we must set a close flag
+ * on it now, and then when the server acks the channel
+ * open, we can close it then.
+ */
+ if (((int)c->remoteid) != -1) {
+ if (ssh->version == 1) {
+ send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE, PKT_INT, c->remoteid,
+ PKT_END);
+ } else {
+ ssh2_pkt_init(ssh, SSH2_MSG_CHANNEL_CLOSE);
+ ssh2_pkt_adduint32(ssh, c->remoteid);
+ ssh2_pkt_send(ssh);
+ }
+ }
+ c->closes = 1; /* sent MSG_CLOSE */
+ if (c->type == CHAN_X11) {
+ c->u.x11.s = NULL;
+ logevent("Forwarded X11 connection terminated");
+ } else if (c->type == CHAN_SOCKDATA ||
+ c->type == CHAN_SOCKDATA_DORMANT) {
+ c->u.pfd.s = NULL;
+ logevent("Forwarded port closed");
+ }
+ }
+}
+
+int sshfwd_write(struct ssh_channel *c, char *buf, int len)
+{
+ Ssh ssh = c->ssh;
+
+ if (ssh->version == 1) {
+ send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
+ PKT_INT, c->remoteid,
+ PKT_INT, len, PKT_DATA, buf, len, PKT_END);
+ /*
+ * In SSH1 we can return 0 here - implying that forwarded
+ * connections are never individually throttled - because
+ * the only circumstance that can cause throttling will be
+ * the whole SSH connection backing up, in which case
+ * _everything_ will be throttled as a whole.
+ */
+ return 0;
+ } else {
+ ssh2_add_channel_data(c, buf, len);
+ return ssh2_try_send(c);
+ }
+}
+
+void sshfwd_unthrottle(struct ssh_channel *c, int bufsize)
+{
+ Ssh ssh = c->ssh;
+
+ if (ssh->version == 1) {
+ if (c->v.v1.throttling && bufsize < SSH1_BUFFER_LIMIT) {
+ c->v.v1.throttling = 0;
+ ssh1_throttle(ssh, -1);
+ }
+ } else {
+ ssh2_set_window(c, OUR_V2_WINSIZE - bufsize);
+ }
+}