Rationalise access to, and content of, backends[] array.
[u/mdw/putty] / ssh.c
diff --git a/ssh.c b/ssh.c
index 808327d..e5d2364 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -7,6 +7,7 @@
 #include <stdarg.h>
 #include <assert.h>
 #include <limits.h>
+#include <signal.h>
 
 #include "putty.h"
 #include "tree234.h"
@@ -82,6 +83,9 @@
 #define SSH2_MSG_KEX_DH_GEX_GROUP                 31   /* 0x1f */
 #define SSH2_MSG_KEX_DH_GEX_INIT                  32   /* 0x20 */
 #define SSH2_MSG_KEX_DH_GEX_REPLY                 33   /* 0x21 */
+#define SSH2_MSG_KEXRSA_PUBKEY                    30    /* 0x1e */
+#define SSH2_MSG_KEXRSA_SECRET                    31    /* 0x1f */
+#define SSH2_MSG_KEXRSA_DONE                      32    /* 0x20 */
 #define SSH2_MSG_USERAUTH_REQUEST                 50   /* 0x32 */
 #define SSH2_MSG_USERAUTH_FAILURE                 51   /* 0x33 */
 #define SSH2_MSG_USERAUTH_SUCCESS                 52   /* 0x34 */
  */
 #define SSH2_PKTCTX_DHGROUP          0x0001
 #define SSH2_PKTCTX_DHGEX            0x0002
+#define SSH2_PKTCTX_RSAKEX           0x0004
 #define SSH2_PKTCTX_KEX_MASK         0x000F
 #define SSH2_PKTCTX_PUBLICKEY        0x0010
 #define SSH2_PKTCTX_PASSWORD         0x0020
@@ -338,6 +343,9 @@ static char *ssh2_pkt_type(int pkt_ctx, int type)
     translatec(SSH2_MSG_KEX_DH_GEX_GROUP, SSH2_PKTCTX_DHGEX);
     translatec(SSH2_MSG_KEX_DH_GEX_INIT, SSH2_PKTCTX_DHGEX);
     translatec(SSH2_MSG_KEX_DH_GEX_REPLY, SSH2_PKTCTX_DHGEX);
+    translatec(SSH2_MSG_KEXRSA_PUBKEY, SSH2_PKTCTX_RSAKEX);
+    translatec(SSH2_MSG_KEXRSA_SECRET, SSH2_PKTCTX_RSAKEX);
+    translatec(SSH2_MSG_KEXRSA_DONE, SSH2_PKTCTX_RSAKEX);
     translate(SSH2_MSG_USERAUTH_REQUEST);
     translate(SSH2_MSG_USERAUTH_FAILURE);
     translate(SSH2_MSG_USERAUTH_SUCCESS);
@@ -1052,7 +1060,7 @@ static void c_write_stderr(int trusted, const char *buf, int len)
 {
     int i;
     for (i = 0; i < len; i++)
-       if (buf[i] != '\r' && (trusted || buf[i] & 0x60))
+       if (buf[i] != '\r' && (trusted || buf[i] == '\n' || (buf[i] & 0x60)))
            fputc(buf[i], stderr);
 }
 
@@ -1416,6 +1424,7 @@ static int s_wrpkt_prepare(Ssh ssh, struct Packet *pkt, int *offset_p)
        zlib_compress_block(ssh->cs_comp_ctx,
                            pkt->data + 12, pkt->length - 12,
                            &compblk, &complen);
+       ssh_pkt_ensure(pkt, complen + 2);   /* just in case it's got bigger */
        memcpy(pkt->data + 12, compblk, complen);
        sfree(compblk);
        pkt->length = complen + 12;
@@ -1489,6 +1498,7 @@ static struct Packet *construct_packet(Ssh ssh, int pkttype, va_list ap)
 
     while ((argtype = va_arg(ap, int)) != PKT_END) {
        unsigned char *argp, argchar;
+       char *sargp;
        unsigned long argint;
        int arglen;
        switch (argtype) {
@@ -1507,8 +1517,8 @@ static struct Packet *construct_packet(Ssh ssh, int pkttype, va_list ap)
            ssh_pkt_adddata(pkt, argp, arglen);
            break;
          case PKT_STR:
-           argp = va_arg(ap, unsigned char *);
-           ssh_pkt_addstring(pkt, argp);
+           sargp = va_arg(ap, char *);
+           ssh_pkt_addstring(pkt, sargp);
            break;
          case PKT_BIGNUM:
            bn = va_arg(ap, Bignum);
@@ -1654,7 +1664,7 @@ static void ssh_pkt_addstring(struct Packet *pkt, char *data)
 static void ssh1_pkt_addmp(struct Packet *pkt, Bignum b)
 {
     int len = ssh1_bignum_length(b);
-    unsigned char *data = snewn(len, char);
+    unsigned char *data = snewn(len, unsigned char);
     (void) ssh1_write_bignum(data, b);
     ssh_pkt_adddata(pkt, data, len);
     sfree(data);
@@ -1862,6 +1872,7 @@ static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt, int noignore)
         * get encrypted with a known IV.
         */
        struct Packet *ipkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
+       ssh2_pkt_addstring_start(ipkt);
        ssh2_pkt_defer_noqueue(ssh, ipkt, TRUE);
     }
     len = ssh2_pkt_construct(ssh, pkt);
@@ -1904,7 +1915,6 @@ static void ssh2_pkt_send(Ssh ssh, struct Packet *pkt)
        ssh2_pkt_send_noqueue(ssh, pkt);
 }
 
-#if 0 /* disused */
 /*
  * Either queue or defer a packet, depending on whether queueing is
  * set.
@@ -1916,7 +1926,6 @@ static void ssh2_pkt_defer(Ssh ssh, struct Packet *pkt)
     else
        ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
 }
-#endif
 
 /*
  * Send the whole deferred data block constructed by
@@ -1950,6 +1959,74 @@ static void ssh_pkt_defersend(Ssh ssh)
 }
 
 /*
+ * Send a packet whose length needs to be disguised (typically
+ * passwords or keyboard-interactive responses).
+ */
+static void ssh2_pkt_send_with_padding(Ssh ssh, struct Packet *pkt,
+                                      int padsize)
+{
+#if 0
+    if (0) {
+       /*
+        * The simplest way to do this is to adjust the
+        * variable-length padding field in the outgoing packet.
+        * 
+        * Currently compiled out, because some Cisco SSH servers
+        * don't like excessively padded packets (bah, why's it
+        * always Cisco?)
+        */
+       pkt->forcepad = padsize;
+       ssh2_pkt_send(ssh, pkt);
+    } else
+#endif
+    {
+       /*
+        * If we can't do that, however, an alternative approach is
+        * to use the pkt_defer mechanism to bundle the packet
+        * tightly together with an SSH_MSG_IGNORE such that their
+        * combined length is a constant. So first we construct the
+        * final form of this packet and defer its sending.
+        */
+       ssh2_pkt_defer(ssh, pkt);
+
+       /*
+        * Now construct an SSH_MSG_IGNORE which includes a string
+        * that's an exact multiple of the cipher block size. (If
+        * the cipher is NULL so that the block size is
+        * unavailable, we don't do this trick at all, because we
+        * gain nothing by it.)
+        */
+       if (ssh->cscipher) {
+           int stringlen, i;
+
+           stringlen = (256 - ssh->deferred_len);
+           stringlen += ssh->cscipher->blksize - 1;
+           stringlen -= (stringlen % ssh->cscipher->blksize);
+           if (ssh->cscomp) {
+               /*
+                * Temporarily disable actual compression, so we
+                * can guarantee to get this string exactly the
+                * length we want it. The compression-disabling
+                * routine should return an integer indicating how
+                * many bytes we should adjust our string length
+                * by.
+                */
+               stringlen -=
+                   ssh->cscomp->disable_compression(ssh->cs_comp_ctx);
+           }
+           pkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
+           ssh2_pkt_addstring_start(pkt);
+           for (i = 0; i < stringlen; i++) {
+               char c = (char) random_byte();
+               ssh2_pkt_addstring_data(pkt, &c, 1);
+           }
+           ssh2_pkt_defer(ssh, pkt);
+       }
+       ssh_pkt_defersend(ssh);
+    }
+}
+
+/*
  * Send all queued SSH-2 packets. We send them by means of
  * ssh2_pkt_defer_noqueue(), in case they included a pair of
  * packets that needed to be lumped together.
@@ -2166,6 +2243,13 @@ static void ssh_detect_bugs(Ssh ssh, char *vstring)
 
     ssh->remote_bugs = 0;
 
+    /*
+     * General notes on server version strings:
+     *  - Not all servers reporting "Cisco-1.25" have all the bugs listed
+     *    here -- in particular, we've heard of one that's perfectly happy
+     *    with SSH1_MSG_IGNOREs -- but this string never seems to change,
+     *    so we can't distinguish them.
+     */
     if (ssh->cfg.sshbug_ignore1 == FORCE_ON ||
        (ssh->cfg.sshbug_ignore1 == AUTO &&
         (!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
@@ -2627,6 +2711,9 @@ static int ssh_closing(Plug plug, const char *error_msg, int error_code,
            error_msg = "Server closed network connection";
     }
 
+    if (ssh->close_expected && ssh->clean_exit && ssh->exitcode < 0)
+       ssh->exitcode = 0;
+
     if (need_notify)
         notify_remote_exit(ssh->frontend);
 
@@ -3486,6 +3573,7 @@ static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
                    /* and try again */
                } else {
                    assert(0 && "unexpected return from loadrsakey()");
+                   got_passphrase = FALSE;   /* placate optimisers */
                }
            }
 
@@ -3703,19 +3791,19 @@ static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
             *    magnitude of the password length, but it will
             *    introduce a bit of extra uncertainty.
             * 
-            * A few servers (the old 1.2.18 through 1.2.22)
-            * can't deal with SSH1_MSG_IGNORE. For these
-            * servers, we need an alternative defence. We make
-            * use of the fact that the password is interpreted
-            * as a C string: so we can append a NUL, then some
-            * random data.
+            * A few servers can't deal with SSH1_MSG_IGNORE, at
+            * least in this context. For these servers, we need
+            * an alternative defence. We make use of the fact
+            * that the password is interpreted as a C string:
+            * so we can append a NUL, then some random data.
             * 
-            * One server (a Cisco one) can deal with neither
-            * SSH1_MSG_IGNORE _nor_ a padded password string.
-            * For this server we are left with no defences
+            * A few servers can deal with neither SSH1_MSG_IGNORE
+            * here _nor_ a padded password string.
+            * For these servers we are left with no defences
             * against password length sniffing.
             */
-           if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE)) {
+           if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE) &&
+               !(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
                /*
                 * The server can deal with SSH1_MSG_IGNORE, so
                 * we can use the primary defence.
@@ -3784,10 +3872,8 @@ static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
                            PKTT_OTHER, PKT_END);
            } else {
                /*
-                * The server has _both_
-                * BUG_CHOKES_ON_SSH1_IGNORE and
-                * BUG_NEEDS_SSH1_PLAIN_PASSWORD. There is
-                * therefore nothing we can do.
+                * The server is believed unable to cope with
+                * any of our password camouflage methods.
                 */
                int len;
                len = strlen(s->cur_prompt->prompts[0]->result);
@@ -4569,7 +4655,7 @@ static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
            /* Data for an agent message. Buffer it. */
            while (len > 0) {
                if (c->u.a.lensofar < 4) {
-                   unsigned int l = min(4 - c->u.a.lensofar, len);
+                   unsigned int l = min(4 - c->u.a.lensofar, (unsigned)len);
                    memcpy(c->u.a.msglen + c->u.a.lensofar, p,
                           l);
                    p += l;
@@ -4586,7 +4672,7 @@ static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
                if (c->u.a.lensofar >= 4 && len > 0) {
                    unsigned int l =
                        min(c->u.a.totallen - c->u.a.lensofar,
-                           len);
+                           (unsigned)len);
                    memcpy(c->u.a.message + c->u.a.lensofar, p,
                           l);
                    p += l;
@@ -5027,9 +5113,10 @@ static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
        const struct ssh_mac *scmac_tobe;
        const struct ssh_compress *cscomp_tobe;
        const struct ssh_compress *sccomp_tobe;
-       char *hostkeydata, *sigdata, *keystr, *fingerprint;
-       int hostkeylen, siglen;
+       char *hostkeydata, *sigdata, *rsakeydata, *keystr, *fingerprint;
+       int hostkeylen, siglen, rsakeylen;
        void *hkey;                    /* actual host key */
+       void *rsakey;                  /* for RSA kex */
        unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
        int n_preferred_kex;
        const struct ssh_kexes *preferred_kex[KEX_MAX];
@@ -5083,6 +5170,10 @@ static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
                s->preferred_kex[s->n_preferred_kex++] =
                    &ssh_diffiehellman_group1;
                break;
+             case KEX_RSA:
+               s->preferred_kex[s->n_preferred_kex++] =
+                   &ssh_rsa_kex;
+               break;
              case KEX_WARN:
                /* Flag for later. Don't bother if it's the last in
                 * the list. */
@@ -5482,107 +5573,217 @@ static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
            crWaitUntil(pktin);                /* Ignore packet */
     }
 
-    /*
-     * Work out the number of bits of key we will need from the key
-     * exchange. We start with the maximum key length of either
-     * cipher...
-     */
-    {
-       int csbits, scbits;
+    if (ssh->kex->main_type == KEXTYPE_DH) {
+        /*
+         * Work out the number of bits of key we will need from the
+         * key exchange. We start with the maximum key length of
+         * either cipher...
+         */
+        {
+            int csbits, scbits;
 
-       csbits = s->cscipher_tobe->keylen;
-       scbits = s->sccipher_tobe->keylen;
-       s->nbits = (csbits > scbits ? csbits : scbits);
-    }
-    /* The keys only have hlen-bit entropy, since they're based on
-     * a hash. So cap the key size at hlen bits. */
-    if (s->nbits > ssh->kex->hash->hlen * 8)
-       s->nbits = ssh->kex->hash->hlen * 8;
+            csbits = s->cscipher_tobe->keylen;
+            scbits = s->sccipher_tobe->keylen;
+            s->nbits = (csbits > scbits ? csbits : scbits);
+        }
+        /* The keys only have hlen-bit entropy, since they're based on
+         * a hash. So cap the key size at hlen bits. */
+        if (s->nbits > ssh->kex->hash->hlen * 8)
+            s->nbits = ssh->kex->hash->hlen * 8;
 
-    /*
-     * If we're doing Diffie-Hellman group exchange, start by
-     * requesting a group.
-     */
-    if (!ssh->kex->pdata) {
-       logevent("Doing Diffie-Hellman group exchange");
-       ssh->pkt_ctx |= SSH2_PKTCTX_DHGEX;
-       /*
-        * Work out how big a DH group we will need to allow that
-        * much data.
-        */
-       s->pbits = 512 << ((s->nbits - 1) / 64);
-       s->pktout = ssh2_pkt_init(SSH2_MSG_KEX_DH_GEX_REQUEST);
-       ssh2_pkt_adduint32(s->pktout, s->pbits);
-       ssh2_pkt_send_noqueue(ssh, s->pktout);
+        /*
+         * If we're doing Diffie-Hellman group exchange, start by
+         * requesting a group.
+         */
+        if (!ssh->kex->pdata) {
+            logevent("Doing Diffie-Hellman group exchange");
+            ssh->pkt_ctx |= SSH2_PKTCTX_DHGEX;
+            /*
+             * Work out how big a DH group we will need to allow that
+             * much data.
+             */
+            s->pbits = 512 << ((s->nbits - 1) / 64);
+            s->pktout = ssh2_pkt_init(SSH2_MSG_KEX_DH_GEX_REQUEST);
+            ssh2_pkt_adduint32(s->pktout, s->pbits);
+            ssh2_pkt_send_noqueue(ssh, s->pktout);
+
+            crWaitUntil(pktin);
+            if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
+                bombout(("expected key exchange group packet from server"));
+                crStop(0);
+            }
+            s->p = ssh2_pkt_getmp(pktin);
+            s->g = ssh2_pkt_getmp(pktin);
+            if (!s->p || !s->g) {
+                bombout(("unable to read mp-ints from incoming group packet"));
+                crStop(0);
+            }
+            ssh->kex_ctx = dh_setup_gex(s->p, s->g);
+            s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
+            s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
+        } else {
+            ssh->pkt_ctx |= SSH2_PKTCTX_DHGROUP;
+            ssh->kex_ctx = dh_setup_group(ssh->kex);
+            s->kex_init_value = SSH2_MSG_KEXDH_INIT;
+            s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
+            logeventf(ssh, "Using Diffie-Hellman with standard group \"%s\"",
+                      ssh->kex->groupname);
+        }
 
-       crWaitUntil(pktin);
-       if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
-           bombout(("expected key exchange group packet from server"));
-           crStop(0);
-       }
-       s->p = ssh2_pkt_getmp(pktin);
-       s->g = ssh2_pkt_getmp(pktin);
-       if (!s->p || !s->g) {
-           bombout(("unable to read mp-ints from incoming group packet"));
-           crStop(0);
-       }
-       ssh->kex_ctx = dh_setup_gex(s->p, s->g);
-       s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
-       s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
+        logeventf(ssh, "Doing Diffie-Hellman key exchange with hash %s",
+                  ssh->kex->hash->text_name);
+        /*
+         * Now generate and send e for Diffie-Hellman.
+         */
+        set_busy_status(ssh->frontend, BUSY_CPU); /* this can take a while */
+        s->e = dh_create_e(ssh->kex_ctx, s->nbits * 2);
+        s->pktout = ssh2_pkt_init(s->kex_init_value);
+        ssh2_pkt_addmp(s->pktout, s->e);
+        ssh2_pkt_send_noqueue(ssh, s->pktout);
+
+        set_busy_status(ssh->frontend, BUSY_WAITING); /* wait for server */
+        crWaitUntil(pktin);
+        if (pktin->type != s->kex_reply_value) {
+            bombout(("expected key exchange reply packet from server"));
+            crStop(0);
+        }
+        set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
+        ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
+        s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
+        s->f = ssh2_pkt_getmp(pktin);
+        if (!s->f) {
+            bombout(("unable to parse key exchange reply packet"));
+            crStop(0);
+        }
+        ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
+
+        s->K = dh_find_K(ssh->kex_ctx, s->f);
+
+        /* We assume everything from now on will be quick, and it might
+         * involve user interaction. */
+        set_busy_status(ssh->frontend, BUSY_NOT);
+
+        hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
+        if (!ssh->kex->pdata) {
+            hash_uint32(ssh->kex->hash, ssh->exhash, s->pbits);
+            hash_mpint(ssh->kex->hash, ssh->exhash, s->p);
+            hash_mpint(ssh->kex->hash, ssh->exhash, s->g);
+        }
+        hash_mpint(ssh->kex->hash, ssh->exhash, s->e);
+        hash_mpint(ssh->kex->hash, ssh->exhash, s->f);
+
+        dh_cleanup(ssh->kex_ctx);
+        freebn(s->f);
+        if (!ssh->kex->pdata) {
+            freebn(s->g);
+            freebn(s->p);
+        }
     } else {
-       ssh->pkt_ctx |= SSH2_PKTCTX_DHGROUP;
-       ssh->kex_ctx = dh_setup_group(ssh->kex);
-       s->kex_init_value = SSH2_MSG_KEXDH_INIT;
-       s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
-       logeventf(ssh, "Using Diffie-Hellman with standard group \"%s\"",
-                 ssh->kex->groupname);
-    }
+       logeventf(ssh, "Doing RSA key exchange with hash %s",
+                 ssh->kex->hash->text_name);
+       ssh->pkt_ctx |= SSH2_PKTCTX_RSAKEX;
+        /*
+         * RSA key exchange. First expect a KEXRSA_PUBKEY packet
+         * from the server.
+         */
+        crWaitUntil(pktin);
+        if (pktin->type != SSH2_MSG_KEXRSA_PUBKEY) {
+            bombout(("expected RSA public key packet from server"));
+            crStop(0);
+        }
 
-    logeventf(ssh, "Doing Diffie-Hellman key exchange with hash %s",
-             ssh->kex->hash->text_name);
-    /*
-     * Now generate and send e for Diffie-Hellman.
-     */
-    set_busy_status(ssh->frontend, BUSY_CPU); /* this can take a while */
-    s->e = dh_create_e(ssh->kex_ctx, s->nbits * 2);
-    s->pktout = ssh2_pkt_init(s->kex_init_value);
-    ssh2_pkt_addmp(s->pktout, s->e);
-    ssh2_pkt_send_noqueue(ssh, s->pktout);
+        ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
+        hash_string(ssh->kex->hash, ssh->exhash,
+                   s->hostkeydata, s->hostkeylen);
+       s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
 
-    set_busy_status(ssh->frontend, BUSY_WAITING); /* wait for server */
-    crWaitUntil(pktin);
-    if (pktin->type != s->kex_reply_value) {
-       bombout(("expected key exchange reply packet from server"));
-       crStop(0);
-    }
-    set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
-    ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
-    s->f = ssh2_pkt_getmp(pktin);
-    if (!s->f) {
-       bombout(("unable to parse key exchange reply packet"));
-       crStop(0);
-    }
-    ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
+        {
+            char *keydata;
+            ssh_pkt_getstring(pktin, &keydata, &s->rsakeylen);
+            s->rsakeydata = snewn(s->rsakeylen, char);
+            memcpy(s->rsakeydata, keydata, s->rsakeylen);
+        }
 
-    s->K = dh_find_K(ssh->kex_ctx, s->f);
+        s->rsakey = ssh_rsakex_newkey(s->rsakeydata, s->rsakeylen);
+        if (!s->rsakey) {
+            sfree(s->rsakeydata);
+            bombout(("unable to parse RSA public key from server"));
+            crStop(0);
+        }
+
+        hash_string(ssh->kex->hash, ssh->exhash, s->rsakeydata, s->rsakeylen);
+
+        /*
+         * Next, set up a shared secret K, of precisely KLEN -
+         * 2*HLEN - 49 bits, where KLEN is the bit length of the
+         * RSA key modulus and HLEN is the bit length of the hash
+         * we're using.
+         */
+        {
+            int klen = ssh_rsakex_klen(s->rsakey);
+            int nbits = klen - (2*ssh->kex->hash->hlen*8 + 49);
+            int i, byte = 0;
+            unsigned char *kstr1, *kstr2, *outstr;
+            int kstr1len, kstr2len, outstrlen;
+
+            s->K = bn_power_2(nbits - 1);
+
+            for (i = 0; i < nbits; i++) {
+                if ((i & 7) == 0) {
+                    byte = random_byte();
+                }
+                bignum_set_bit(s->K, i, (byte >> (i & 7)) & 1);
+            }
 
-    /* We assume everything from now on will be quick, and it might
-     * involve user interaction. */
-    set_busy_status(ssh->frontend, BUSY_NOT);
+            /*
+             * Encode this as an mpint.
+             */
+            kstr1 = ssh2_mpint_fmt(s->K, &kstr1len);
+            kstr2 = snewn(kstr2len = 4 + kstr1len, unsigned char);
+            PUT_32BIT(kstr2, kstr1len);
+            memcpy(kstr2 + 4, kstr1, kstr1len);
+
+            /*
+             * Encrypt it with the given RSA key.
+             */
+            outstrlen = (klen + 7) / 8;
+            outstr = snewn(outstrlen, unsigned char);
+            ssh_rsakex_encrypt(ssh->kex->hash, kstr2, kstr2len,
+                              outstr, outstrlen, s->rsakey);
+
+            /*
+             * And send it off in a return packet.
+             */
+            s->pktout = ssh2_pkt_init(SSH2_MSG_KEXRSA_SECRET);
+            ssh2_pkt_addstring_start(s->pktout);
+            ssh2_pkt_addstring_data(s->pktout, (char *)outstr, outstrlen);
+            ssh2_pkt_send_noqueue(ssh, s->pktout);
 
-    hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
-    if (!ssh->kex->pdata) {
-       hash_uint32(ssh->kex->hash, ssh->exhash, s->pbits);
-       hash_mpint(ssh->kex->hash, ssh->exhash, s->p);
-       hash_mpint(ssh->kex->hash, ssh->exhash, s->g);
+           hash_string(ssh->kex->hash, ssh->exhash, outstr, outstrlen);
+
+            sfree(kstr2);
+            sfree(kstr1);
+            sfree(outstr);
+        }
+
+        ssh_rsakex_freekey(s->rsakey);
+
+        crWaitUntil(pktin);
+        if (pktin->type != SSH2_MSG_KEXRSA_DONE) {
+            sfree(s->rsakeydata);
+            bombout(("expected signature packet from server"));
+            crStop(0);
+        }
+
+        ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
+
+        sfree(s->rsakeydata);
     }
-    hash_mpint(ssh->kex->hash, ssh->exhash, s->e);
-    hash_mpint(ssh->kex->hash, ssh->exhash, s->f);
+
     hash_mpint(ssh->kex->hash, ssh->exhash, s->K);
     assert(ssh->kex->hash->hlen <= sizeof(s->exchange_hash));
     ssh->kex->hash->final(ssh->exhash, s->exchange_hash);
 
-    dh_cleanup(ssh->kex_ctx);
     ssh->kex_ctx = NULL;
 
 #if 0
@@ -5590,7 +5791,6 @@ static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
     dmemdump(s->exchange_hash, ssh->kex->hash->hlen);
 #endif
 
-    s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
     if (!s->hkey ||
        !ssh->hostkey->verifysig(s->hkey, s->sigdata, s->siglen,
                                 (char *)s->exchange_hash,
@@ -5772,14 +5972,9 @@ static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
                  ssh->sccomp->text_name);
 
     /*
-     * Free key exchange data.
+     * Free shared secret.
      */
-    freebn(s->f);
     freebn(s->K);
-    if (!ssh->kex->pdata) {
-       freebn(s->g);
-       freebn(s->p);
-    }
 
     /*
      * Key exchange is over. Loop straight back round if we have a
@@ -6006,7 +6201,8 @@ static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
          case CHAN_AGENT:
            while (length > 0) {
                if (c->u.a.lensofar < 4) {
-                   unsigned int l = min(4 - c->u.a.lensofar, length);
+                   unsigned int l = min(4 - c->u.a.lensofar,
+                                        (unsigned)length);
                    memcpy(c->u.a.msglen + c->u.a.lensofar,
                           data, l);
                    data += l;
@@ -6023,7 +6219,7 @@ static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
                if (c->u.a.lensofar >= 4 && length > 0) {
                    unsigned int l =
                        min(c->u.a.totallen - c->u.a.lensofar,
-                           length);
+                           (unsigned)length);
                    memcpy(c->u.a.message + c->u.a.lensofar,
                           data, l);
                    data += l;
@@ -6292,11 +6488,13 @@ static void ssh2_msg_channel_request(Ssh ssh, struct Packet *pktin)
                        is_plausible = FALSE;
                }
            }
+           ssh->exitcode = 128;       /* means `unknown signal' */
            if (is_plausible) {
                if (is_int) {
                    /* Old non-standard OpenSSH. */
                    int signum = ssh_pkt_getuint32(pktin);
                    fmt_sig = dupprintf(" %d", signum);
+                   ssh->exitcode = 128 + signum;
                } else {
                    /* As per the drafts. */
                    char *sig;
@@ -6308,6 +6506,60 @@ static void ssh2_msg_channel_request(Ssh ssh, struct Packet *pktin)
                        fmt_sig = dupprintf(" \"%.*s\"",
                                            siglen, sig);
                    }
+
+                   /*
+                    * Really hideous method of translating the
+                    * signal description back into a locally
+                    * meaningful number.
+                    */
+
+                   if (0)
+                       ;
+#define TRANSLATE_SIGNAL(s) \
+    else if (siglen == lenof(#s)-1 && !memcmp(sig, #s, siglen)) \
+        ssh->exitcode = 128 + SIG ## s
+#ifdef SIGABRT
+                   TRANSLATE_SIGNAL(ABRT);
+#endif
+#ifdef SIGALRM
+                   TRANSLATE_SIGNAL(ALRM);
+#endif
+#ifdef SIGFPE
+                   TRANSLATE_SIGNAL(FPE);
+#endif
+#ifdef SIGHUP
+                   TRANSLATE_SIGNAL(HUP);
+#endif
+#ifdef SIGILL
+                   TRANSLATE_SIGNAL(ILL);
+#endif
+#ifdef SIGINT
+                   TRANSLATE_SIGNAL(INT);
+#endif
+#ifdef SIGKILL
+                   TRANSLATE_SIGNAL(KILL);
+#endif
+#ifdef SIGPIPE
+                   TRANSLATE_SIGNAL(PIPE);
+#endif
+#ifdef SIGQUIT
+                   TRANSLATE_SIGNAL(QUIT);
+#endif
+#ifdef SIGSEGV
+                   TRANSLATE_SIGNAL(SEGV);
+#endif
+#ifdef SIGTERM
+                   TRANSLATE_SIGNAL(TERM);
+#endif
+#ifdef SIGUSR1
+                   TRANSLATE_SIGNAL(USR1);
+#endif
+#ifdef SIGUSR2
+                   TRANSLATE_SIGNAL(USR2);
+#endif
+#undef TRANSLATE_SIGNAL
+                   else
+                       ssh->exitcode = 128;
                }
                core = ssh2_pkt_getbool(pktin);
                ssh_pkt_getstring(pktin, &msg, &msglen);
@@ -7368,7 +7620,6 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
                     * Send the responses to the server.
                     */
                    s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_INFO_RESPONSE);
-                   s->pktout->forcepad = 256;
                    ssh2_pkt_adduint32(s->pktout, s->num_prompts);
                    for (i=0; i < s->num_prompts; i++) {
                        dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
@@ -7376,7 +7627,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
                                           s->cur_prompt->prompts[i]->result);
                        end_log_omission(ssh, s->pktout);
                    }
-                   ssh2_pkt_send(ssh, s->pktout);
+                   ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
 
                    /*
                     * Get the next packet in case it's another
@@ -7446,7 +7697,6 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
                 * people who find out how long their password is!
                 */
                s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
-               s->pktout->forcepad = 256;
                ssh2_pkt_addstring(s->pktout, s->username);
                ssh2_pkt_addstring(s->pktout, "ssh-connection");
                                                        /* service requested */
@@ -7455,7 +7705,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
                dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
                ssh2_pkt_addstring(s->pktout, s->password);
                end_log_omission(ssh, s->pktout);
-               ssh2_pkt_send(ssh, s->pktout);
+               ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
                logevent("Sent password");
                s->type = AUTH_TYPE_PASSWORD;
 
@@ -7576,7 +7826,6 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
                     * (see above for padding rationale)
                     */
                    s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
-                   s->pktout->forcepad = 256;
                    ssh2_pkt_addstring(s->pktout, s->username);
                    ssh2_pkt_addstring(s->pktout, "ssh-connection");
                                                        /* service requested */
@@ -7588,7 +7837,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
                                       s->cur_prompt->prompts[1]->result);
                    free_prompts(s->cur_prompt);
                    end_log_omission(ssh, s->pktout);
-                   ssh2_pkt_send(ssh, s->pktout);
+                   ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
                    logevent("Sent new password");
                    
                    /*
@@ -8773,8 +9022,7 @@ static void ssh_unthrottle(void *handle, int bufsize)
            ssh1_throttle(ssh, -1);
        }
     } else {
-       if (ssh->mainchan && ssh->mainchan->closes == 0)
-           ssh2_set_window(ssh->mainchan, OUR_V2_WINSIZE - bufsize);
+       ssh2_set_window(ssh->mainchan, OUR_V2_WINSIZE - bufsize);
     }
 }
 
@@ -8898,5 +9146,7 @@ Backend ssh_backend = {
     ssh_provide_logctx,
     ssh_unthrottle,
     ssh_cfg_info,
+    "ssh",
+    PROT_SSH,
     22
 };