~mdw / sgt / putty / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Separate out the code for creating and sending SSH version strings so that in
[sgt/putty] / ssh.c
1 /*
2 * SSH backend.
3 */
4
5 #include <stdio.h>
6 #include <stdlib.h>
7 #include <stdarg.h>
8 #include <assert.h>
9 #include <limits.h>
10 #include <signal.h>
11
12 #include "putty.h"
13 #include "tree234.h"
14 #include "ssh.h"
15
16 #ifndef FALSE
17 #define FALSE 0
18 #endif
19 #ifndef TRUE
20 #define TRUE 1
21 #endif
22
23 #define SSH1_MSG_DISCONNECT 1 /* 0x1 */
24 #define SSH1_SMSG_PUBLIC_KEY 2 /* 0x2 */
25 #define SSH1_CMSG_SESSION_KEY 3 /* 0x3 */
26 #define SSH1_CMSG_USER 4 /* 0x4 */
27 #define SSH1_CMSG_AUTH_RSA 6 /* 0x6 */
28 #define SSH1_SMSG_AUTH_RSA_CHALLENGE 7 /* 0x7 */
29 #define SSH1_CMSG_AUTH_RSA_RESPONSE 8 /* 0x8 */
30 #define SSH1_CMSG_AUTH_PASSWORD 9 /* 0x9 */
31 #define SSH1_CMSG_REQUEST_PTY 10 /* 0xa */
32 #define SSH1_CMSG_WINDOW_SIZE 11 /* 0xb */
33 #define SSH1_CMSG_EXEC_SHELL 12 /* 0xc */
34 #define SSH1_CMSG_EXEC_CMD 13 /* 0xd */
35 #define SSH1_SMSG_SUCCESS 14 /* 0xe */
36 #define SSH1_SMSG_FAILURE 15 /* 0xf */
37 #define SSH1_CMSG_STDIN_DATA 16 /* 0x10 */
38 #define SSH1_SMSG_STDOUT_DATA 17 /* 0x11 */
39 #define SSH1_SMSG_STDERR_DATA 18 /* 0x12 */
40 #define SSH1_CMSG_EOF 19 /* 0x13 */
41 #define SSH1_SMSG_EXIT_STATUS 20 /* 0x14 */
42 #define SSH1_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* 0x15 */
43 #define SSH1_MSG_CHANNEL_OPEN_FAILURE 22 /* 0x16 */
44 #define SSH1_MSG_CHANNEL_DATA 23 /* 0x17 */
45 #define SSH1_MSG_CHANNEL_CLOSE 24 /* 0x18 */
46 #define SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* 0x19 */
47 #define SSH1_SMSG_X11_OPEN 27 /* 0x1b */
48 #define SSH1_CMSG_PORT_FORWARD_REQUEST 28 /* 0x1c */
49 #define SSH1_MSG_PORT_OPEN 29 /* 0x1d */
50 #define SSH1_CMSG_AGENT_REQUEST_FORWARDING 30 /* 0x1e */
51 #define SSH1_SMSG_AGENT_OPEN 31 /* 0x1f */
52 #define SSH1_MSG_IGNORE 32 /* 0x20 */
53 #define SSH1_CMSG_EXIT_CONFIRMATION 33 /* 0x21 */
54 #define SSH1_CMSG_X11_REQUEST_FORWARDING 34 /* 0x22 */
55 #define SSH1_CMSG_AUTH_RHOSTS_RSA 35 /* 0x23 */
56 #define SSH1_MSG_DEBUG 36 /* 0x24 */
57 #define SSH1_CMSG_REQUEST_COMPRESSION 37 /* 0x25 */
58 #define SSH1_CMSG_AUTH_TIS 39 /* 0x27 */
59 #define SSH1_SMSG_AUTH_TIS_CHALLENGE 40 /* 0x28 */
60 #define SSH1_CMSG_AUTH_TIS_RESPONSE 41 /* 0x29 */
61 #define SSH1_CMSG_AUTH_CCARD 70 /* 0x46 */
62 #define SSH1_SMSG_AUTH_CCARD_CHALLENGE 71 /* 0x47 */
63 #define SSH1_CMSG_AUTH_CCARD_RESPONSE 72 /* 0x48 */
64
65 #define SSH1_AUTH_TIS 5 /* 0x5 */
66 #define SSH1_AUTH_CCARD 16 /* 0x10 */
67
68 #define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */
69 /* Mask for protoflags we will echo back to server if seen */
70 #define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */
71
72 #define SSH2_MSG_DISCONNECT 1 /* 0x1 */
73 #define SSH2_MSG_IGNORE 2 /* 0x2 */
74 #define SSH2_MSG_UNIMPLEMENTED 3 /* 0x3 */
75 #define SSH2_MSG_DEBUG 4 /* 0x4 */
76 #define SSH2_MSG_SERVICE_REQUEST 5 /* 0x5 */
77 #define SSH2_MSG_SERVICE_ACCEPT 6 /* 0x6 */
78 #define SSH2_MSG_KEXINIT 20 /* 0x14 */
79 #define SSH2_MSG_NEWKEYS 21 /* 0x15 */
80 #define SSH2_MSG_KEXDH_INIT 30 /* 0x1e */
81 #define SSH2_MSG_KEXDH_REPLY 31 /* 0x1f */
82 #define SSH2_MSG_KEX_DH_GEX_REQUEST 30 /* 0x1e */
83 #define SSH2_MSG_KEX_DH_GEX_GROUP 31 /* 0x1f */
84 #define SSH2_MSG_KEX_DH_GEX_INIT 32 /* 0x20 */
85 #define SSH2_MSG_KEX_DH_GEX_REPLY 33 /* 0x21 */
86 #define SSH2_MSG_KEXRSA_PUBKEY 30 /* 0x1e */
87 #define SSH2_MSG_KEXRSA_SECRET 31 /* 0x1f */
88 #define SSH2_MSG_KEXRSA_DONE 32 /* 0x20 */
89 #define SSH2_MSG_USERAUTH_REQUEST 50 /* 0x32 */
90 #define SSH2_MSG_USERAUTH_FAILURE 51 /* 0x33 */
91 #define SSH2_MSG_USERAUTH_SUCCESS 52 /* 0x34 */
92 #define SSH2_MSG_USERAUTH_BANNER 53 /* 0x35 */
93 #define SSH2_MSG_USERAUTH_PK_OK 60 /* 0x3c */
94 #define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 /* 0x3c */
95 #define SSH2_MSG_USERAUTH_INFO_REQUEST 60 /* 0x3c */
96 #define SSH2_MSG_USERAUTH_INFO_RESPONSE 61 /* 0x3d */
97 #define SSH2_MSG_GLOBAL_REQUEST 80 /* 0x50 */
98 #define SSH2_MSG_REQUEST_SUCCESS 81 /* 0x51 */
99 #define SSH2_MSG_REQUEST_FAILURE 82 /* 0x52 */
100 #define SSH2_MSG_CHANNEL_OPEN 90 /* 0x5a */
101 #define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION 91 /* 0x5b */
102 #define SSH2_MSG_CHANNEL_OPEN_FAILURE 92 /* 0x5c */
103 #define SSH2_MSG_CHANNEL_WINDOW_ADJUST 93 /* 0x5d */
104 #define SSH2_MSG_CHANNEL_DATA 94 /* 0x5e */
105 #define SSH2_MSG_CHANNEL_EXTENDED_DATA 95 /* 0x5f */
106 #define SSH2_MSG_CHANNEL_EOF 96 /* 0x60 */
107 #define SSH2_MSG_CHANNEL_CLOSE 97 /* 0x61 */
108 #define SSH2_MSG_CHANNEL_REQUEST 98 /* 0x62 */
109 #define SSH2_MSG_CHANNEL_SUCCESS 99 /* 0x63 */
110 #define SSH2_MSG_CHANNEL_FAILURE 100 /* 0x64 */
111
112 /*
113 * Packet type contexts, so that ssh2_pkt_type can correctly decode
114 * the ambiguous type numbers back into the correct type strings.
115 */
116 #define SSH2_PKTCTX_DHGROUP 0x0001
117 #define SSH2_PKTCTX_DHGEX 0x0002
118 #define SSH2_PKTCTX_RSAKEX 0x0004
119 #define SSH2_PKTCTX_KEX_MASK 0x000F
120 #define SSH2_PKTCTX_PUBLICKEY 0x0010
121 #define SSH2_PKTCTX_PASSWORD 0x0020
122 #define SSH2_PKTCTX_KBDINTER 0x0040
123 #define SSH2_PKTCTX_AUTH_MASK 0x00F0
124
125 #define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */
126 #define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */
127 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */
128 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */
129 #define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */
130 #define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */
131 #define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */
132 #define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */
133 #define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */
134 #define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */
135 #define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */
136 #define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */
137 #define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */
138 #define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */
139 #define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */
140
141 static const char *const ssh2_disconnect_reasons[] = {
142 NULL,
143 "host not allowed to connect",
144 "protocol error",
145 "key exchange failed",
146 "host authentication failed",
147 "MAC error",
148 "compression error",
149 "service not available",
150 "protocol version not supported",
151 "host key not verifiable",
152 "connection lost",
153 "by application",
154 "too many connections",
155 "auth cancelled by user",
156 "no more auth methods available",
157 "illegal user name",
158 };
159
160 #define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */
161 #define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */
162 #define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */
163 #define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */
164
165 #define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */
166
167 /*
168 * Various remote-bug flags.
169 */
170 #define BUG_CHOKES_ON_SSH1_IGNORE 1
171 #define BUG_SSH2_HMAC 2
172 #define BUG_NEEDS_SSH1_PLAIN_PASSWORD 4
173 #define BUG_CHOKES_ON_RSA 8
174 #define BUG_SSH2_RSA_PADDING 16
175 #define BUG_SSH2_DERIVEKEY 32
176 #define BUG_SSH2_REKEY 64
177 #define BUG_SSH2_PK_SESSIONID 128
178
179 /*
180 * Codes for terminal modes.
181 * Most of these are the same in SSH-1 and SSH-2.
182 * This list is derived from draft-ietf-secsh-connect-25 and
183 * SSH-1 RFC-1.2.31.
184 */
185 static const struct {
186 const char* const mode;
187 int opcode;
188 enum { TTY_OP_CHAR, TTY_OP_BOOL } type;
189 } ssh_ttymodes[] = {
190 /* "V" prefix discarded for special characters relative to SSH specs */
191 { "INTR", 1, TTY_OP_CHAR },
192 { "QUIT", 2, TTY_OP_CHAR },
193 { "ERASE", 3, TTY_OP_CHAR },
194 { "KILL", 4, TTY_OP_CHAR },
195 { "EOF", 5, TTY_OP_CHAR },
196 { "EOL", 6, TTY_OP_CHAR },
197 { "EOL2", 7, TTY_OP_CHAR },
198 { "START", 8, TTY_OP_CHAR },
199 { "STOP", 9, TTY_OP_CHAR },
200 { "SUSP", 10, TTY_OP_CHAR },
201 { "DSUSP", 11, TTY_OP_CHAR },
202 { "REPRINT", 12, TTY_OP_CHAR },
203 { "WERASE", 13, TTY_OP_CHAR },
204 { "LNEXT", 14, TTY_OP_CHAR },
205 { "FLUSH", 15, TTY_OP_CHAR },
206 { "SWTCH", 16, TTY_OP_CHAR },
207 { "STATUS", 17, TTY_OP_CHAR },
208 { "DISCARD", 18, TTY_OP_CHAR },
209 { "IGNPAR", 30, TTY_OP_BOOL },
210 { "PARMRK", 31, TTY_OP_BOOL },
211 { "INPCK", 32, TTY_OP_BOOL },
212 { "ISTRIP", 33, TTY_OP_BOOL },
213 { "INLCR", 34, TTY_OP_BOOL },
214 { "IGNCR", 35, TTY_OP_BOOL },
215 { "ICRNL", 36, TTY_OP_BOOL },
216 { "IUCLC", 37, TTY_OP_BOOL },
217 { "IXON", 38, TTY_OP_BOOL },
218 { "IXANY", 39, TTY_OP_BOOL },
219 { "IXOFF", 40, TTY_OP_BOOL },
220 { "IMAXBEL", 41, TTY_OP_BOOL },
221 { "ISIG", 50, TTY_OP_BOOL },
222 { "ICANON", 51, TTY_OP_BOOL },
223 { "XCASE", 52, TTY_OP_BOOL },
224 { "ECHO", 53, TTY_OP_BOOL },
225 { "ECHOE", 54, TTY_OP_BOOL },
226 { "ECHOK", 55, TTY_OP_BOOL },
227 { "ECHONL", 56, TTY_OP_BOOL },
228 { "NOFLSH", 57, TTY_OP_BOOL },
229 { "TOSTOP", 58, TTY_OP_BOOL },
230 { "IEXTEN", 59, TTY_OP_BOOL },
231 { "ECHOCTL", 60, TTY_OP_BOOL },
232 { "ECHOKE", 61, TTY_OP_BOOL },
233 { "PENDIN", 62, TTY_OP_BOOL }, /* XXX is this a real mode? */
234 { "OPOST", 70, TTY_OP_BOOL },
235 { "OLCUC", 71, TTY_OP_BOOL },
236 { "ONLCR", 72, TTY_OP_BOOL },
237 { "OCRNL", 73, TTY_OP_BOOL },
238 { "ONOCR", 74, TTY_OP_BOOL },
239 { "ONLRET", 75, TTY_OP_BOOL },
240 { "CS7", 90, TTY_OP_BOOL },
241 { "CS8", 91, TTY_OP_BOOL },
242 { "PARENB", 92, TTY_OP_BOOL },
243 { "PARODD", 93, TTY_OP_BOOL }
244 };
245
246 /* Miscellaneous other tty-related constants. */
247 #define SSH_TTY_OP_END 0
248 /* The opcodes for ISPEED/OSPEED differ between SSH-1 and SSH-2. */
249 #define SSH1_TTY_OP_ISPEED 192
250 #define SSH1_TTY_OP_OSPEED 193
251 #define SSH2_TTY_OP_ISPEED 128
252 #define SSH2_TTY_OP_OSPEED 129
253
254 /* Helper functions for parsing tty-related config. */
255 static unsigned int ssh_tty_parse_specchar(char *s)
256 {
257 unsigned int ret;
258 if (*s) {
259 char *next = NULL;
260 ret = ctrlparse(s, &next);
261 if (!next) ret = s[0];
262 } else {
263 ret = 255; /* special value meaning "don't set" */
264 }
265 return ret;
266 }
267 static unsigned int ssh_tty_parse_boolean(char *s)
268 {
269 if (stricmp(s, "yes") == 0 ||
270 stricmp(s, "on") == 0 ||
271 stricmp(s, "true") == 0 ||
272 stricmp(s, "+") == 0)
273 return 1; /* true */
274 else if (stricmp(s, "no") == 0 ||
275 stricmp(s, "off") == 0 ||
276 stricmp(s, "false") == 0 ||
277 stricmp(s, "-") == 0)
278 return 0; /* false */
279 else
280 return (atoi(s) != 0);
281 }
282
283 #define translate(x) if (type == x) return #x
284 #define translatec(x,ctx) if (type == x && (pkt_ctx & ctx)) return #x
285 static char *ssh1_pkt_type(int type)
286 {
287 translate(SSH1_MSG_DISCONNECT);
288 translate(SSH1_SMSG_PUBLIC_KEY);
289 translate(SSH1_CMSG_SESSION_KEY);
290 translate(SSH1_CMSG_USER);
291 translate(SSH1_CMSG_AUTH_RSA);
292 translate(SSH1_SMSG_AUTH_RSA_CHALLENGE);
293 translate(SSH1_CMSG_AUTH_RSA_RESPONSE);
294 translate(SSH1_CMSG_AUTH_PASSWORD);
295 translate(SSH1_CMSG_REQUEST_PTY);
296 translate(SSH1_CMSG_WINDOW_SIZE);
297 translate(SSH1_CMSG_EXEC_SHELL);
298 translate(SSH1_CMSG_EXEC_CMD);
299 translate(SSH1_SMSG_SUCCESS);
300 translate(SSH1_SMSG_FAILURE);
301 translate(SSH1_CMSG_STDIN_DATA);
302 translate(SSH1_SMSG_STDOUT_DATA);
303 translate(SSH1_SMSG_STDERR_DATA);
304 translate(SSH1_CMSG_EOF);
305 translate(SSH1_SMSG_EXIT_STATUS);
306 translate(SSH1_MSG_CHANNEL_OPEN_CONFIRMATION);
307 translate(SSH1_MSG_CHANNEL_OPEN_FAILURE);
308 translate(SSH1_MSG_CHANNEL_DATA);
309 translate(SSH1_MSG_CHANNEL_CLOSE);
310 translate(SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION);
311 translate(SSH1_SMSG_X11_OPEN);
312 translate(SSH1_CMSG_PORT_FORWARD_REQUEST);
313 translate(SSH1_MSG_PORT_OPEN);
314 translate(SSH1_CMSG_AGENT_REQUEST_FORWARDING);
315 translate(SSH1_SMSG_AGENT_OPEN);
316 translate(SSH1_MSG_IGNORE);
317 translate(SSH1_CMSG_EXIT_CONFIRMATION);
318 translate(SSH1_CMSG_X11_REQUEST_FORWARDING);
319 translate(SSH1_CMSG_AUTH_RHOSTS_RSA);
320 translate(SSH1_MSG_DEBUG);
321 translate(SSH1_CMSG_REQUEST_COMPRESSION);
322 translate(SSH1_CMSG_AUTH_TIS);
323 translate(SSH1_SMSG_AUTH_TIS_CHALLENGE);
324 translate(SSH1_CMSG_AUTH_TIS_RESPONSE);
325 translate(SSH1_CMSG_AUTH_CCARD);
326 translate(SSH1_SMSG_AUTH_CCARD_CHALLENGE);
327 translate(SSH1_CMSG_AUTH_CCARD_RESPONSE);
328 return "unknown";
329 }
330 static char *ssh2_pkt_type(int pkt_ctx, int type)
331 {
332 translate(SSH2_MSG_DISCONNECT);
333 translate(SSH2_MSG_IGNORE);
334 translate(SSH2_MSG_UNIMPLEMENTED);
335 translate(SSH2_MSG_DEBUG);
336 translate(SSH2_MSG_SERVICE_REQUEST);
337 translate(SSH2_MSG_SERVICE_ACCEPT);
338 translate(SSH2_MSG_KEXINIT);
339 translate(SSH2_MSG_NEWKEYS);
340 translatec(SSH2_MSG_KEXDH_INIT, SSH2_PKTCTX_DHGROUP);
341 translatec(SSH2_MSG_KEXDH_REPLY, SSH2_PKTCTX_DHGROUP);
342 translatec(SSH2_MSG_KEX_DH_GEX_REQUEST, SSH2_PKTCTX_DHGEX);
343 translatec(SSH2_MSG_KEX_DH_GEX_GROUP, SSH2_PKTCTX_DHGEX);
344 translatec(SSH2_MSG_KEX_DH_GEX_INIT, SSH2_PKTCTX_DHGEX);
345 translatec(SSH2_MSG_KEX_DH_GEX_REPLY, SSH2_PKTCTX_DHGEX);
346 translatec(SSH2_MSG_KEXRSA_PUBKEY, SSH2_PKTCTX_RSAKEX);
347 translatec(SSH2_MSG_KEXRSA_SECRET, SSH2_PKTCTX_RSAKEX);
348 translatec(SSH2_MSG_KEXRSA_DONE, SSH2_PKTCTX_RSAKEX);
349 translate(SSH2_MSG_USERAUTH_REQUEST);
350 translate(SSH2_MSG_USERAUTH_FAILURE);
351 translate(SSH2_MSG_USERAUTH_SUCCESS);
352 translate(SSH2_MSG_USERAUTH_BANNER);
353 translatec(SSH2_MSG_USERAUTH_PK_OK, SSH2_PKTCTX_PUBLICKEY);
354 translatec(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, SSH2_PKTCTX_PASSWORD);
355 translatec(SSH2_MSG_USERAUTH_INFO_REQUEST, SSH2_PKTCTX_KBDINTER);
356 translatec(SSH2_MSG_USERAUTH_INFO_RESPONSE, SSH2_PKTCTX_KBDINTER);
357 translate(SSH2_MSG_GLOBAL_REQUEST);
358 translate(SSH2_MSG_REQUEST_SUCCESS);
359 translate(SSH2_MSG_REQUEST_FAILURE);
360 translate(SSH2_MSG_CHANNEL_OPEN);
361 translate(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
362 translate(SSH2_MSG_CHANNEL_OPEN_FAILURE);
363 translate(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
364 translate(SSH2_MSG_CHANNEL_DATA);
365 translate(SSH2_MSG_CHANNEL_EXTENDED_DATA);
366 translate(SSH2_MSG_CHANNEL_EOF);
367 translate(SSH2_MSG_CHANNEL_CLOSE);
368 translate(SSH2_MSG_CHANNEL_REQUEST);
369 translate(SSH2_MSG_CHANNEL_SUCCESS);
370 translate(SSH2_MSG_CHANNEL_FAILURE);
371 return "unknown";
372 }
373 #undef translate
374 #undef translatec
375
376 /* Enumeration values for fields in SSH-1 packets */
377 enum {
378 PKT_END, PKT_INT, PKT_CHAR, PKT_DATA, PKT_STR, PKT_BIGNUM,
379 /* These values are for communicating relevant semantics of
380 * fields to the packet logging code. */
381 PKTT_OTHER, PKTT_PASSWORD, PKTT_DATA
382 };
383
384 /*
385 * Coroutine mechanics for the sillier bits of the code. If these
386 * macros look impenetrable to you, you might find it helpful to
387 * read
388 *
389 * http://www.chiark.greenend.org.uk/~sgtatham/coroutines.html
390 *
391 * which explains the theory behind these macros.
392 *
393 * In particular, if you are getting `case expression not constant'
394 * errors when building with MS Visual Studio, this is because MS's
395 * Edit and Continue debugging feature causes their compiler to
396 * violate ANSI C. To disable Edit and Continue debugging:
397 *
398 * - right-click ssh.c in the FileView
399 * - click Settings
400 * - select the C/C++ tab and the General category
401 * - under `Debug info:', select anything _other_ than `Program
402 * Database for Edit and Continue'.
403 */
404 #define crBegin(v) { int *crLine = &v; switch(v) { case 0:;
405 #define crState(t) \
406 struct t *s; \
407 if (!ssh->t) ssh->t = snew(struct t); \
408 s = ssh->t;
409 #define crFinish(z) } *crLine = 0; return (z); }
410 #define crFinishV } *crLine = 0; return; }
411 #define crReturn(z) \
412 do {\
413 *crLine =__LINE__; return (z); case __LINE__:;\
414 } while (0)
415 #define crReturnV \
416 do {\
417 *crLine=__LINE__; return; case __LINE__:;\
418 } while (0)
419 #define crStop(z) do{ *crLine = 0; return (z); }while(0)
420 #define crStopV do{ *crLine = 0; return; }while(0)
421 #define crWaitUntil(c) do { crReturn(0); } while (!(c))
422 #define crWaitUntilV(c) do { crReturnV; } while (!(c))
423
424 typedef struct ssh_tag *Ssh;
425 struct Packet;
426
427 static struct Packet *ssh1_pkt_init(int pkt_type);
428 static struct Packet *ssh2_pkt_init(int pkt_type);
429 static void ssh_pkt_ensure(struct Packet *, int length);
430 static void ssh_pkt_adddata(struct Packet *, void *data, int len);
431 static void ssh_pkt_addbyte(struct Packet *, unsigned char value);
432 static void ssh2_pkt_addbool(struct Packet *, unsigned char value);
433 static void ssh_pkt_adduint32(struct Packet *, unsigned long value);
434 static void ssh_pkt_addstring_start(struct Packet *);
435 static void ssh_pkt_addstring_str(struct Packet *, char *data);
436 static void ssh_pkt_addstring_data(struct Packet *, char *data, int len);
437 static void ssh_pkt_addstring(struct Packet *, char *data);
438 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len);
439 static void ssh1_pkt_addmp(struct Packet *, Bignum b);
440 static void ssh2_pkt_addmp(struct Packet *, Bignum b);
441 static int ssh2_pkt_construct(Ssh, struct Packet *);
442 static void ssh2_pkt_send(Ssh, struct Packet *);
443 static void ssh2_pkt_send_noqueue(Ssh, struct Packet *);
444 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
445 struct Packet *pktin);
446 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
447 struct Packet *pktin);
448
449 /*
450 * Buffer management constants. There are several of these for
451 * various different purposes:
452 *
453 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
454 * on a local data stream before we throttle the whole SSH
455 * connection (in SSH-1 only). Throttling the whole connection is
456 * pretty drastic so we set this high in the hope it won't
457 * happen very often.
458 *
459 * - SSH_MAX_BACKLOG is the amount of backlog that must build up
460 * on the SSH connection itself before we defensively throttle
461 * _all_ local data streams. This is pretty drastic too (though
462 * thankfully unlikely in SSH-2 since the window mechanism should
463 * ensure that the server never has any need to throttle its end
464 * of the connection), so we set this high as well.
465 *
466 * - OUR_V2_WINSIZE is the maximum window size we present on SSH-2
467 * channels.
468 */
469
470 #define SSH1_BUFFER_LIMIT 32768
471 #define SSH_MAX_BACKLOG 32768
472 #define OUR_V2_WINSIZE 16384
473 #define OUR_V2_MAXPKT 0x4000UL
474
475 /* Maximum length of passwords/passphrases (arbitrary) */
476 #define SSH_MAX_PASSWORD_LEN 100
477
478 const static struct ssh_signkey *hostkey_algs[] = { &ssh_rsa, &ssh_dss };
479
480 const static struct ssh_mac *macs[] = {
481 &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
482 };
483 const static struct ssh_mac *buggymacs[] = {
484 &ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
485 };
486
487 static void *ssh_comp_none_init(void)
488 {
489 return NULL;
490 }
491 static void ssh_comp_none_cleanup(void *handle)
492 {
493 }
494 static int ssh_comp_none_block(void *handle, unsigned char *block, int len,
495 unsigned char **outblock, int *outlen)
496 {
497 return 0;
498 }
499 static int ssh_comp_none_disable(void *handle)
500 {
501 return 0;
502 }
503 const static struct ssh_compress ssh_comp_none = {
504 "none",
505 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
506 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
507 ssh_comp_none_disable, NULL
508 };
509 extern const struct ssh_compress ssh_zlib;
510 const static struct ssh_compress *compressions[] = {
511 &ssh_zlib, &ssh_comp_none
512 };
513
514 enum { /* channel types */
515 CHAN_MAINSESSION,
516 CHAN_X11,
517 CHAN_AGENT,
518 CHAN_SOCKDATA,
519 CHAN_SOCKDATA_DORMANT /* one the remote hasn't confirmed */
520 };
521
522 /*
523 * 2-3-4 tree storing channels.
524 */
525 struct ssh_channel {
526 Ssh ssh; /* pointer back to main context */
527 unsigned remoteid, localid;
528 int type;
529 /* True if we opened this channel but server hasn't confirmed. */
530 int halfopen;
531 /*
532 * In SSH-1, this value contains four bits:
533 *
534 * 1 We have sent SSH1_MSG_CHANNEL_CLOSE.
535 * 2 We have sent SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
536 * 4 We have received SSH1_MSG_CHANNEL_CLOSE.
537 * 8 We have received SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
538 *
539 * A channel is completely finished with when all four bits are set.
540 */
541 int closes;
542 union {
543 struct ssh1_data_channel {
544 int throttling;
545 } v1;
546 struct ssh2_data_channel {
547 bufchain outbuffer;
548 unsigned remwindow, remmaxpkt;
549 unsigned locwindow;
550 } v2;
551 } v;
552 union {
553 struct ssh_agent_channel {
554 unsigned char *message;
555 unsigned char msglen[4];
556 unsigned lensofar, totallen;
557 } a;
558 struct ssh_x11_channel {
559 Socket s;
560 } x11;
561 struct ssh_pfd_channel {
562 Socket s;
563 } pfd;
564 } u;
565 };
566
567 /*
568 * 2-3-4 tree storing remote->local port forwardings. SSH-1 and SSH-2
569 * use this structure in different ways, reflecting SSH-2's
570 * altogether saner approach to port forwarding.
571 *
572 * In SSH-1, you arrange a remote forwarding by sending the server
573 * the remote port number, and the local destination host:port.
574 * When a connection comes in, the server sends you back that
575 * host:port pair, and you connect to it. This is a ready-made
576 * security hole if you're not on the ball: a malicious server
577 * could send you back _any_ host:port pair, so if you trustingly
578 * connect to the address it gives you then you've just opened the
579 * entire inside of your corporate network just by connecting
580 * through it to a dodgy SSH server. Hence, we must store a list of
581 * host:port pairs we _are_ trying to forward to, and reject a
582 * connection request from the server if it's not in the list.
583 *
584 * In SSH-2, each side of the connection minds its own business and
585 * doesn't send unnecessary information to the other. You arrange a
586 * remote forwarding by sending the server just the remote port
587 * number. When a connection comes in, the server tells you which
588 * of its ports was connected to; and _you_ have to remember what
589 * local host:port pair went with that port number.
590 *
591 * Hence, in SSH-1 this structure is indexed by destination
592 * host:port pair, whereas in SSH-2 it is indexed by source port.
593 */
594 struct ssh_portfwd; /* forward declaration */
595
596 struct ssh_rportfwd {
597 unsigned sport, dport;
598 char dhost[256];
599 char *sportdesc;
600 struct ssh_portfwd *pfrec;
601 };
602 #define free_rportfwd(pf) ( \
603 ((pf) ? (sfree((pf)->sportdesc)) : (void)0 ), sfree(pf) )
604
605 /*
606 * Separately to the rportfwd tree (which is for looking up port
607 * open requests from the server), a tree of _these_ structures is
608 * used to keep track of all the currently open port forwardings,
609 * so that we can reconfigure in mid-session if the user requests
610 * it.
611 */
612 struct ssh_portfwd {
613 enum { DESTROY, KEEP, CREATE } status;
614 int type;
615 unsigned sport, dport;
616 char *saddr, *daddr;
617 char *sserv, *dserv;
618 struct ssh_rportfwd *remote;
619 int addressfamily;
620 void *local;
621 };
622 #define free_portfwd(pf) ( \
623 ((pf) ? (sfree((pf)->saddr), sfree((pf)->daddr), \
624 sfree((pf)->sserv), sfree((pf)->dserv)) : (void)0 ), sfree(pf) )
625
626 struct Packet {
627 long length; /* length of `data' actually used */
628 long forcepad; /* SSH-2: force padding to at least this length */
629 int type; /* only used for incoming packets */
630 unsigned long sequence; /* SSH-2 incoming sequence number */
631 unsigned char *data; /* allocated storage */
632 unsigned char *body; /* offset of payload within `data' */
633 long savedpos; /* temporary index into `data' (for strings) */
634 long maxlen; /* amount of storage allocated for `data' */
635 long encrypted_len; /* for SSH-2 total-size counting */
636
637 /*
638 * State associated with packet logging
639 */
640 int logmode;
641 int nblanks;
642 struct logblank_t *blanks;
643 };
644
645 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
646 struct Packet *pktin);
647 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
648 struct Packet *pktin);
649 static void ssh1_protocol_setup(Ssh ssh);
650 static void ssh2_protocol_setup(Ssh ssh);
651 static void ssh_size(void *handle, int width, int height);
652 static void ssh_special(void *handle, Telnet_Special);
653 static int ssh2_try_send(struct ssh_channel *c);
654 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf, int len);
655 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize);
656 static void ssh2_set_window(struct ssh_channel *c, unsigned newwin);
657 static int ssh_sendbuffer(void *handle);
658 static int ssh_do_close(Ssh ssh, int notify_exit);
659 static unsigned long ssh_pkt_getuint32(struct Packet *pkt);
660 static int ssh2_pkt_getbool(struct Packet *pkt);
661 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length);
662 static void ssh2_timer(void *ctx, long now);
663 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
664 struct Packet *pktin);
665
666 struct rdpkt1_state_tag {
667 long len, pad, biglen, to_read;
668 unsigned long realcrc, gotcrc;
669 unsigned char *p;
670 int i;
671 int chunk;
672 struct Packet *pktin;
673 };
674
675 struct rdpkt2_state_tag {
676 long len, pad, payload, packetlen, maclen;
677 int i;
678 int cipherblk;
679 unsigned long incoming_sequence;
680 struct Packet *pktin;
681 };
682
683 typedef void (*handler_fn_t)(Ssh ssh, struct Packet *pktin);
684 typedef void (*chandler_fn_t)(Ssh ssh, struct Packet *pktin, void *ctx);
685
686 struct queued_handler;
687 struct queued_handler {
688 int msg1, msg2;
689 chandler_fn_t handler;
690 void *ctx;
691 struct queued_handler *next;
692 };
693
694 struct ssh_tag {
695 const struct plug_function_table *fn;
696 /* the above field _must_ be first in the structure */
697
698 char *v_c, *v_s;
699 void *exhash;
700
701 Socket s;
702
703 void *ldisc;
704 void *logctx;
705
706 unsigned char session_key[32];
707 int v1_compressing;
708 int v1_remote_protoflags;
709 int v1_local_protoflags;
710 int agentfwd_enabled;
711 int X11_fwd_enabled;
712 int remote_bugs;
713 const struct ssh_cipher *cipher;
714 void *v1_cipher_ctx;
715 void *crcda_ctx;
716 const struct ssh2_cipher *cscipher, *sccipher;
717 void *cs_cipher_ctx, *sc_cipher_ctx;
718 const struct ssh_mac *csmac, *scmac;
719 void *cs_mac_ctx, *sc_mac_ctx;
720 const struct ssh_compress *cscomp, *sccomp;
721 void *cs_comp_ctx, *sc_comp_ctx;
722 const struct ssh_kex *kex;
723 const struct ssh_signkey *hostkey;
724 unsigned char v2_session_id[SSH2_KEX_MAX_HASH_LEN];
725 int v2_session_id_len;
726 void *kex_ctx;
727
728 char *savedhost;
729 int savedport;
730 int send_ok;
731 int echoing, editing;
732
733 void *frontend;
734
735 int ospeed, ispeed; /* temporaries */
736 int term_width, term_height;
737
738 tree234 *channels; /* indexed by local id */
739 struct ssh_channel *mainchan; /* primary session channel */
740 int ncmode; /* is primary channel direct-tcpip? */
741 int exitcode;
742 int close_expected;
743 int clean_exit;
744
745 tree234 *rportfwds, *portfwds;
746
747 enum {
748 SSH_STATE_PREPACKET,
749 SSH_STATE_BEFORE_SIZE,
750 SSH_STATE_INTERMED,
751 SSH_STATE_SESSION,
752 SSH_STATE_CLOSED
753 } state;
754
755 int size_needed, eof_needed;
756
757 struct Packet **queue;
758 int queuelen, queuesize;
759 int queueing;
760 unsigned char *deferred_send_data;
761 int deferred_len, deferred_size;
762
763 /*
764 * Gross hack: pscp will try to start SFTP but fall back to
765 * scp1 if that fails. This variable is the means by which
766 * scp.c can reach into the SSH code and find out which one it
767 * got.
768 */
769 int fallback_cmd;
770
771 bufchain banner; /* accumulates banners during do_ssh2_authconn */
772
773 int pkt_ctx;
774
775 void *x11auth;
776
777 int version;
778 int v1_throttle_count;
779 int overall_bufsize;
780 int throttled_all;
781 int v1_stdout_throttling;
782 unsigned long v2_outgoing_sequence;
783
784 int ssh1_rdpkt_crstate;
785 int ssh2_rdpkt_crstate;
786 int do_ssh_init_crstate;
787 int ssh_gotdata_crstate;
788 int do_ssh1_login_crstate;
789 int do_ssh1_connection_crstate;
790 int do_ssh2_transport_crstate;
791 int do_ssh2_authconn_crstate;
792
793 void *do_ssh_init_state;
794 void *do_ssh1_login_state;
795 void *do_ssh2_transport_state;
796 void *do_ssh2_authconn_state;
797
798 struct rdpkt1_state_tag rdpkt1_state;
799 struct rdpkt2_state_tag rdpkt2_state;
800
801 /* SSH-1 and SSH-2 use this for different things, but both use it */
802 int protocol_initial_phase_done;
803
804 void (*protocol) (Ssh ssh, void *vin, int inlen,
805 struct Packet *pkt);
806 struct Packet *(*s_rdpkt) (Ssh ssh, unsigned char **data, int *datalen);
807
808 /*
809 * We maintain a full _copy_ of a Config structure here, not
810 * merely a pointer to it. That way, when we're passed a new
811 * one for reconfiguration, we can check the differences and
812 * potentially reconfigure port forwardings etc in mid-session.
813 */
814 Config cfg;
815
816 /*
817 * Used to transfer data back from async callbacks.
818 */
819 void *agent_response;
820 int agent_response_len;
821 int user_response;
822
823 /*
824 * The SSH connection can be set as `frozen', meaning we are
825 * not currently accepting incoming data from the network. This
826 * is slightly more serious than setting the _socket_ as
827 * frozen, because we may already have had data passed to us
828 * from the network which we need to delay processing until
829 * after the freeze is lifted, so we also need a bufchain to
830 * store that data.
831 */
832 int frozen;
833 bufchain queued_incoming_data;
834
835 /*
836 * Dispatch table for packet types that we may have to deal
837 * with at any time.
838 */
839 handler_fn_t packet_dispatch[256];
840
841 /*
842 * Queues of one-off handler functions for success/failure
843 * indications from a request.
844 */
845 struct queued_handler *qhead, *qtail;
846
847 /*
848 * This module deals with sending keepalives.
849 */
850 Pinger pinger;
851
852 /*
853 * Track incoming and outgoing data sizes and time, for
854 * size-based rekeys.
855 */
856 unsigned long incoming_data_size, outgoing_data_size, deferred_data_size;
857 unsigned long max_data_size;
858 int kex_in_progress;
859 long next_rekey, last_rekey;
860 char *deferred_rekey_reason; /* points to STATIC string; don't free */
861 };
862
863 #define logevent(s) logevent(ssh->frontend, s)
864
865 /* logevent, only printf-formatted. */
866 static void logeventf(Ssh ssh, const char *fmt, ...)
867 {
868 va_list ap;
869 char *buf;
870
871 va_start(ap, fmt);
872 buf = dupvprintf(fmt, ap);
873 va_end(ap);
874 logevent(buf);
875 sfree(buf);
876 }
877
878 #define bombout(msg) \
879 do { \
880 char *text = dupprintf msg; \
881 ssh_do_close(ssh, FALSE); \
882 logevent(text); \
883 connection_fatal(ssh->frontend, "%s", text); \
884 sfree(text); \
885 } while (0)
886
887 /* Functions to leave bits out of the SSH packet log file. */
888
889 static void dont_log_password(Ssh ssh, struct Packet *pkt, int blanktype)
890 {
891 if (ssh->cfg.logomitpass)
892 pkt->logmode = blanktype;
893 }
894
895 static void dont_log_data(Ssh ssh, struct Packet *pkt, int blanktype)
896 {
897 if (ssh->cfg.logomitdata)
898 pkt->logmode = blanktype;
899 }
900
901 static void end_log_omission(Ssh ssh, struct Packet *pkt)
902 {
903 pkt->logmode = PKTLOG_EMIT;
904 }
905
906 /* Helper function for common bits of parsing cfg.ttymodes. */
907 static void parse_ttymodes(Ssh ssh, char *modes,
908 void (*do_mode)(void *data, char *mode, char *val),
909 void *data)
910 {
911 while (*modes) {
912 char *t = strchr(modes, '\t');
913 char *m = snewn(t-modes+1, char);
914 char *val;
915 strncpy(m, modes, t-modes);
916 m[t-modes] = '\0';
917 if (*(t+1) == 'A')
918 val = get_ttymode(ssh->frontend, m);
919 else
920 val = dupstr(t+2);
921 if (val)
922 do_mode(data, m, val);
923 sfree(m);
924 sfree(val);
925 modes += strlen(modes) + 1;
926 }
927 }
928
929 static int ssh_channelcmp(void *av, void *bv)
930 {
931 struct ssh_channel *a = (struct ssh_channel *) av;
932 struct ssh_channel *b = (struct ssh_channel *) bv;
933 if (a->localid < b->localid)
934 return -1;
935 if (a->localid > b->localid)
936 return +1;
937 return 0;
938 }
939 static int ssh_channelfind(void *av, void *bv)
940 {
941 unsigned *a = (unsigned *) av;
942 struct ssh_channel *b = (struct ssh_channel *) bv;
943 if (*a < b->localid)
944 return -1;
945 if (*a > b->localid)
946 return +1;
947 return 0;
948 }
949
950 static int ssh_rportcmp_ssh1(void *av, void *bv)
951 {
952 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
953 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
954 int i;
955 if ( (i = strcmp(a->dhost, b->dhost)) != 0)
956 return i < 0 ? -1 : +1;
957 if (a->dport > b->dport)
958 return +1;
959 if (a->dport < b->dport)
960 return -1;
961 return 0;
962 }
963
964 static int ssh_rportcmp_ssh2(void *av, void *bv)
965 {
966 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
967 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
968
969 if (a->sport > b->sport)
970 return +1;
971 if (a->sport < b->sport)
972 return -1;
973 return 0;
974 }
975
976 /*
977 * Special form of strcmp which can cope with NULL inputs. NULL is
978 * defined to sort before even the empty string.
979 */
980 static int nullstrcmp(const char *a, const char *b)
981 {
982 if (a == NULL && b == NULL)
983 return 0;
984 if (a == NULL)
985 return -1;
986 if (b == NULL)
987 return +1;
988 return strcmp(a, b);
989 }
990
991 static int ssh_portcmp(void *av, void *bv)
992 {
993 struct ssh_portfwd *a = (struct ssh_portfwd *) av;
994 struct ssh_portfwd *b = (struct ssh_portfwd *) bv;
995 int i;
996 if (a->type > b->type)
997 return +1;
998 if (a->type < b->type)
999 return -1;
1000 if (a->addressfamily > b->addressfamily)
1001 return +1;
1002 if (a->addressfamily < b->addressfamily)
1003 return -1;
1004 if ( (i = nullstrcmp(a->saddr, b->saddr)) != 0)
1005 return i < 0 ? -1 : +1;
1006 if (a->sport > b->sport)
1007 return +1;
1008 if (a->sport < b->sport)
1009 return -1;
1010 if (a->type != 'D') {
1011 if ( (i = nullstrcmp(a->daddr, b->daddr)) != 0)
1012 return i < 0 ? -1 : +1;
1013 if (a->dport > b->dport)
1014 return +1;
1015 if (a->dport < b->dport)
1016 return -1;
1017 }
1018 return 0;
1019 }
1020
1021 static int alloc_channel_id(Ssh ssh)
1022 {
1023 const unsigned CHANNEL_NUMBER_OFFSET = 256;
1024 unsigned low, high, mid;
1025 int tsize;
1026 struct ssh_channel *c;
1027
1028 /*
1029 * First-fit allocation of channel numbers: always pick the
1030 * lowest unused one. To do this, binary-search using the
1031 * counted B-tree to find the largest channel ID which is in a
1032 * contiguous sequence from the beginning. (Precisely
1033 * everything in that sequence must have ID equal to its tree
1034 * index plus CHANNEL_NUMBER_OFFSET.)
1035 */
1036 tsize = count234(ssh->channels);
1037
1038 low = -1;
1039 high = tsize;
1040 while (high - low > 1) {
1041 mid = (high + low) / 2;
1042 c = index234(ssh->channels, mid);
1043 if (c->localid == mid + CHANNEL_NUMBER_OFFSET)
1044 low = mid; /* this one is fine */
1045 else
1046 high = mid; /* this one is past it */
1047 }
1048 /*
1049 * Now low points to either -1, or the tree index of the
1050 * largest ID in the initial sequence.
1051 */
1052 {
1053 unsigned i = low + 1 + CHANNEL_NUMBER_OFFSET;
1054 assert(NULL == find234(ssh->channels, &i, ssh_channelfind));
1055 }
1056 return low + 1 + CHANNEL_NUMBER_OFFSET;
1057 }
1058
1059 static void c_write_stderr(int trusted, const char *buf, int len)
1060 {
1061 int i;
1062 for (i = 0; i < len; i++)
1063 if (buf[i] != '\r' && (trusted || buf[i] == '\n' || (buf[i] & 0x60)))
1064 fputc(buf[i], stderr);
1065 }
1066
1067 static void c_write(Ssh ssh, const char *buf, int len)
1068 {
1069 if (flags & FLAG_STDERR)
1070 c_write_stderr(1, buf, len);
1071 else
1072 from_backend(ssh->frontend, 1, buf, len);
1073 }
1074
1075 static void c_write_untrusted(Ssh ssh, const char *buf, int len)
1076 {
1077 if (flags & FLAG_STDERR)
1078 c_write_stderr(0, buf, len);
1079 else
1080 from_backend_untrusted(ssh->frontend, buf, len);
1081 }
1082
1083 static void c_write_str(Ssh ssh, const char *buf)
1084 {
1085 c_write(ssh, buf, strlen(buf));
1086 }
1087
1088 static void ssh_free_packet(struct Packet *pkt)
1089 {
1090 sfree(pkt->data);
1091 sfree(pkt);
1092 }
1093 static struct Packet *ssh_new_packet(void)
1094 {
1095 struct Packet *pkt = snew(struct Packet);
1096
1097 pkt->body = pkt->data = NULL;
1098 pkt->maxlen = 0;
1099 pkt->logmode = PKTLOG_EMIT;
1100 pkt->nblanks = 0;
1101 pkt->blanks = NULL;
1102
1103 return pkt;
1104 }
1105
1106 /*
1107 * Collect incoming data in the incoming packet buffer.
1108 * Decipher and verify the packet when it is completely read.
1109 * Drop SSH1_MSG_DEBUG and SSH1_MSG_IGNORE packets.
1110 * Update the *data and *datalen variables.
1111 * Return a Packet structure when a packet is completed.
1112 */
1113 static struct Packet *ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1114 {
1115 struct rdpkt1_state_tag *st = &ssh->rdpkt1_state;
1116
1117 crBegin(ssh->ssh1_rdpkt_crstate);
1118
1119 st->pktin = ssh_new_packet();
1120
1121 st->pktin->type = 0;
1122 st->pktin->length = 0;
1123
1124 for (st->i = st->len = 0; st->i < 4; st->i++) {
1125 while ((*datalen) == 0)
1126 crReturn(NULL);
1127 st->len = (st->len << 8) + **data;
1128 (*data)++, (*datalen)--;
1129 }
1130
1131 st->pad = 8 - (st->len % 8);
1132 st->biglen = st->len + st->pad;
1133 st->pktin->length = st->len - 5;
1134
1135 if (st->biglen < 0) {
1136 bombout(("Extremely large packet length from server suggests"
1137 " data stream corruption"));
1138 ssh_free_packet(st->pktin);
1139 crStop(NULL);
1140 }
1141
1142 st->pktin->maxlen = st->biglen;
1143 st->pktin->data = snewn(st->biglen + APIEXTRA, unsigned char);
1144
1145 st->to_read = st->biglen;
1146 st->p = st->pktin->data;
1147 while (st->to_read > 0) {
1148 st->chunk = st->to_read;
1149 while ((*datalen) == 0)
1150 crReturn(NULL);
1151 if (st->chunk > (*datalen))
1152 st->chunk = (*datalen);
1153 memcpy(st->p, *data, st->chunk);
1154 *data += st->chunk;
1155 *datalen -= st->chunk;
1156 st->p += st->chunk;
1157 st->to_read -= st->chunk;
1158 }
1159
1160 if (ssh->cipher && detect_attack(ssh->crcda_ctx, st->pktin->data,
1161 st->biglen, NULL)) {
1162 bombout(("Network attack (CRC compensation) detected!"));
1163 ssh_free_packet(st->pktin);
1164 crStop(NULL);
1165 }
1166
1167 if (ssh->cipher)
1168 ssh->cipher->decrypt(ssh->v1_cipher_ctx, st->pktin->data, st->biglen);
1169
1170 st->realcrc = crc32_compute(st->pktin->data, st->biglen - 4);
1171 st->gotcrc = GET_32BIT(st->pktin->data + st->biglen - 4);
1172 if (st->gotcrc != st->realcrc) {
1173 bombout(("Incorrect CRC received on packet"));
1174 ssh_free_packet(st->pktin);
1175 crStop(NULL);
1176 }
1177
1178 st->pktin->body = st->pktin->data + st->pad + 1;
1179 st->pktin->savedpos = 0;
1180
1181 if (ssh->v1_compressing) {
1182 unsigned char *decompblk;
1183 int decomplen;
1184 if (!zlib_decompress_block(ssh->sc_comp_ctx,
1185 st->pktin->body - 1, st->pktin->length + 1,
1186 &decompblk, &decomplen)) {
1187 bombout(("Zlib decompression encountered invalid data"));
1188 ssh_free_packet(st->pktin);
1189 crStop(NULL);
1190 }
1191
1192 if (st->pktin->maxlen < st->pad + decomplen) {
1193 st->pktin->maxlen = st->pad + decomplen;
1194 st->pktin->data = sresize(st->pktin->data,
1195 st->pktin->maxlen + APIEXTRA,
1196 unsigned char);
1197 st->pktin->body = st->pktin->data + st->pad + 1;
1198 }
1199
1200 memcpy(st->pktin->body - 1, decompblk, decomplen);
1201 sfree(decompblk);
1202 st->pktin->length = decomplen - 1;
1203 }
1204
1205 st->pktin->type = st->pktin->body[-1];
1206
1207 /*
1208 * Log incoming packet, possibly omitting sensitive fields.
1209 */
1210 if (ssh->logctx) {
1211 int nblanks = 0;
1212 struct logblank_t blank;
1213 if (ssh->cfg.logomitdata) {
1214 int do_blank = FALSE, blank_prefix = 0;
1215 /* "Session data" packets - omit the data field */
1216 if ((st->pktin->type == SSH1_SMSG_STDOUT_DATA) ||
1217 (st->pktin->type == SSH1_SMSG_STDERR_DATA)) {
1218 do_blank = TRUE; blank_prefix = 0;
1219 } else if (st->pktin->type == SSH1_MSG_CHANNEL_DATA) {
1220 do_blank = TRUE; blank_prefix = 4;
1221 }
1222 if (do_blank) {
1223 blank.offset = blank_prefix;
1224 blank.len = st->pktin->length;
1225 blank.type = PKTLOG_OMIT;
1226 nblanks = 1;
1227 }
1228 }
1229 log_packet(ssh->logctx,
1230 PKT_INCOMING, st->pktin->type,
1231 ssh1_pkt_type(st->pktin->type),
1232 st->pktin->body, st->pktin->length,
1233 nblanks, &blank);
1234 }
1235
1236 crFinish(st->pktin);
1237 }
1238
1239 static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1240 {
1241 struct rdpkt2_state_tag *st = &ssh->rdpkt2_state;
1242
1243 crBegin(ssh->ssh2_rdpkt_crstate);
1244
1245 st->pktin = ssh_new_packet();
1246
1247 st->pktin->type = 0;
1248 st->pktin->length = 0;
1249 if (ssh->sccipher)
1250 st->cipherblk = ssh->sccipher->blksize;
1251 else
1252 st->cipherblk = 8;
1253 if (st->cipherblk < 8)
1254 st->cipherblk = 8;
1255
1256 st->pktin->data = snewn(st->cipherblk + APIEXTRA, unsigned char);
1257
1258 /*
1259 * Acquire and decrypt the first block of the packet. This will
1260 * contain the length and padding details.
1261 */
1262 for (st->i = st->len = 0; st->i < st->cipherblk; st->i++) {
1263 while ((*datalen) == 0)
1264 crReturn(NULL);
1265 st->pktin->data[st->i] = *(*data)++;
1266 (*datalen)--;
1267 }
1268
1269 if (ssh->sccipher)
1270 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1271 st->pktin->data, st->cipherblk);
1272
1273 /*
1274 * Now get the length and padding figures.
1275 */
1276 st->len = GET_32BIT(st->pktin->data);
1277 st->pad = st->pktin->data[4];
1278
1279 /*
1280 * _Completely_ silly lengths should be stomped on before they
1281 * do us any more damage.
1282 */
1283 if (st->len < 0 || st->len > 35000 || st->pad < 4 ||
1284 st->len - st->pad < 1 || (st->len + 4) % st->cipherblk != 0) {
1285 bombout(("Incoming packet was garbled on decryption"));
1286 ssh_free_packet(st->pktin);
1287 crStop(NULL);
1288 }
1289
1290 /*
1291 * This enables us to deduce the payload length.
1292 */
1293 st->payload = st->len - st->pad - 1;
1294
1295 st->pktin->length = st->payload + 5;
1296
1297 /*
1298 * So now we can work out the total packet length.
1299 */
1300 st->packetlen = st->len + 4;
1301 st->maclen = ssh->scmac ? ssh->scmac->len : 0;
1302
1303 /*
1304 * Allocate memory for the rest of the packet.
1305 */
1306 st->pktin->maxlen = st->packetlen + st->maclen;
1307 st->pktin->data = sresize(st->pktin->data,
1308 st->pktin->maxlen + APIEXTRA,
1309 unsigned char);
1310
1311 /*
1312 * Read and decrypt the remainder of the packet.
1313 */
1314 for (st->i = st->cipherblk; st->i < st->packetlen + st->maclen;
1315 st->i++) {
1316 while ((*datalen) == 0)
1317 crReturn(NULL);
1318 st->pktin->data[st->i] = *(*data)++;
1319 (*datalen)--;
1320 }
1321 /* Decrypt everything _except_ the MAC. */
1322 if (ssh->sccipher)
1323 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1324 st->pktin->data + st->cipherblk,
1325 st->packetlen - st->cipherblk);
1326
1327 st->pktin->encrypted_len = st->packetlen;
1328
1329 /*
1330 * Check the MAC.
1331 */
1332 if (ssh->scmac
1333 && !ssh->scmac->verify(ssh->sc_mac_ctx, st->pktin->data, st->len + 4,
1334 st->incoming_sequence)) {
1335 bombout(("Incorrect MAC received on packet"));
1336 ssh_free_packet(st->pktin);
1337 crStop(NULL);
1338 }
1339
1340 st->pktin->sequence = st->incoming_sequence++;
1341
1342 /*
1343 * Decompress packet payload.
1344 */
1345 {
1346 unsigned char *newpayload;
1347 int newlen;
1348 if (ssh->sccomp &&
1349 ssh->sccomp->decompress(ssh->sc_comp_ctx,
1350 st->pktin->data + 5, st->pktin->length - 5,
1351 &newpayload, &newlen)) {
1352 if (st->pktin->maxlen < newlen + 5) {
1353 st->pktin->maxlen = newlen + 5;
1354 st->pktin->data = sresize(st->pktin->data,
1355 st->pktin->maxlen + APIEXTRA,
1356 unsigned char);
1357 }
1358 st->pktin->length = 5 + newlen;
1359 memcpy(st->pktin->data + 5, newpayload, newlen);
1360 sfree(newpayload);
1361 }
1362 }
1363
1364 st->pktin->savedpos = 6;
1365 st->pktin->body = st->pktin->data;
1366 st->pktin->type = st->pktin->data[5];
1367
1368 /*
1369 * Log incoming packet, possibly omitting sensitive fields.
1370 */
1371 if (ssh->logctx) {
1372 int nblanks = 0;
1373 struct logblank_t blank;
1374 if (ssh->cfg.logomitdata) {
1375 int do_blank = FALSE, blank_prefix = 0;
1376 /* "Session data" packets - omit the data field */
1377 if (st->pktin->type == SSH2_MSG_CHANNEL_DATA) {
1378 do_blank = TRUE; blank_prefix = 4;
1379 } else if (st->pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA) {
1380 do_blank = TRUE; blank_prefix = 8;
1381 }
1382 if (do_blank) {
1383 blank.offset = blank_prefix;
1384 blank.len = (st->pktin->length-6) - blank_prefix;
1385 blank.type = PKTLOG_OMIT;
1386 nblanks = 1;
1387 }
1388 }
1389 log_packet(ssh->logctx, PKT_INCOMING, st->pktin->type,
1390 ssh2_pkt_type(ssh->pkt_ctx, st->pktin->type),
1391 st->pktin->data+6, st->pktin->length-6,
1392 nblanks, &blank);
1393 }
1394
1395 crFinish(st->pktin);
1396 }
1397
1398 static int s_wrpkt_prepare(Ssh ssh, struct Packet *pkt, int *offset_p)
1399 {
1400 int pad, biglen, i, pktoffs;
1401 unsigned long crc;
1402 #ifdef __SC__
1403 /*
1404 * XXX various versions of SC (including 8.8.4) screw up the
1405 * register allocation in this function and use the same register
1406 * (D6) for len and as a temporary, with predictable results. The
1407 * following sledgehammer prevents this.
1408 */
1409 volatile
1410 #endif
1411 int len;
1412
1413 if (ssh->logctx)
1414 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[12],
1415 ssh1_pkt_type(pkt->data[12]),
1416 pkt->body, pkt->length - (pkt->body - pkt->data),
1417 pkt->nblanks, pkt->blanks);
1418 sfree(pkt->blanks); pkt->blanks = NULL;
1419 pkt->nblanks = 0;
1420
1421 if (ssh->v1_compressing) {
1422 unsigned char *compblk;
1423 int complen;
1424 zlib_compress_block(ssh->cs_comp_ctx,
1425 pkt->data + 12, pkt->length - 12,
1426 &compblk, &complen);
1427 ssh_pkt_ensure(pkt, complen + 2); /* just in case it's got bigger */
1428 memcpy(pkt->data + 12, compblk, complen);
1429 sfree(compblk);
1430 pkt->length = complen + 12;
1431 }
1432
1433 ssh_pkt_ensure(pkt, pkt->length + 4); /* space for CRC */
1434 pkt->length += 4;
1435 len = pkt->length - 4 - 8; /* len(type+data+CRC) */
1436 pad = 8 - (len % 8);
1437 pktoffs = 8 - pad;
1438 biglen = len + pad; /* len(padding+type+data+CRC) */
1439
1440 for (i = pktoffs; i < 4+8; i++)
1441 pkt->data[i] = random_byte();
1442 crc = crc32_compute(pkt->data + pktoffs + 4, biglen - 4); /* all ex len */
1443 PUT_32BIT(pkt->data + pktoffs + 4 + biglen - 4, crc);
1444 PUT_32BIT(pkt->data + pktoffs, len);
1445
1446 if (ssh->cipher)
1447 ssh->cipher->encrypt(ssh->v1_cipher_ctx,
1448 pkt->data + pktoffs + 4, biglen);
1449
1450 if (offset_p) *offset_p = pktoffs;
1451 return biglen + 4; /* len(length+padding+type+data+CRC) */
1452 }
1453
1454 static int s_write(Ssh ssh, void *data, int len)
1455 {
1456 log_packet(ssh->logctx, PKT_OUTGOING, -1, NULL, data, len, 0, NULL);
1457 return sk_write(ssh->s, (char *)data, len);
1458 }
1459
1460 static void s_wrpkt(Ssh ssh, struct Packet *pkt)
1461 {
1462 int len, backlog, offset;
1463 len = s_wrpkt_prepare(ssh, pkt, &offset);
1464 backlog = s_write(ssh, pkt->data + offset, len);
1465 if (backlog > SSH_MAX_BACKLOG)
1466 ssh_throttle_all(ssh, 1, backlog);
1467 ssh_free_packet(pkt);
1468 }
1469
1470 static void s_wrpkt_defer(Ssh ssh, struct Packet *pkt)
1471 {
1472 int len, offset;
1473 len = s_wrpkt_prepare(ssh, pkt, &offset);
1474 if (ssh->deferred_len + len > ssh->deferred_size) {
1475 ssh->deferred_size = ssh->deferred_len + len + 128;
1476 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1477 ssh->deferred_size,
1478 unsigned char);
1479 }
1480 memcpy(ssh->deferred_send_data + ssh->deferred_len,
1481 pkt->data + offset, len);
1482 ssh->deferred_len += len;
1483 ssh_free_packet(pkt);
1484 }
1485
1486 /*
1487 * Construct a SSH-1 packet with the specified contents.
1488 * (This all-at-once interface used to be the only one, but now SSH-1
1489 * packets can also be constructed incrementally.)
1490 */
1491 static struct Packet *construct_packet(Ssh ssh, int pkttype, va_list ap)
1492 {
1493 int argtype;
1494 Bignum bn;
1495 struct Packet *pkt;
1496
1497 pkt = ssh1_pkt_init(pkttype);
1498
1499 while ((argtype = va_arg(ap, int)) != PKT_END) {
1500 unsigned char *argp, argchar;
1501 char *sargp;
1502 unsigned long argint;
1503 int arglen;
1504 switch (argtype) {
1505 /* Actual fields in the packet */
1506 case PKT_INT:
1507 argint = va_arg(ap, int);
1508 ssh_pkt_adduint32(pkt, argint);
1509 break;
1510 case PKT_CHAR:
1511 argchar = (unsigned char) va_arg(ap, int);
1512 ssh_pkt_addbyte(pkt, argchar);
1513 break;
1514 case PKT_DATA:
1515 argp = va_arg(ap, unsigned char *);
1516 arglen = va_arg(ap, int);
1517 ssh_pkt_adddata(pkt, argp, arglen);
1518 break;
1519 case PKT_STR:
1520 sargp = va_arg(ap, char *);
1521 ssh_pkt_addstring(pkt, sargp);
1522 break;
1523 case PKT_BIGNUM:
1524 bn = va_arg(ap, Bignum);
1525 ssh1_pkt_addmp(pkt, bn);
1526 break;
1527 /* Tokens for modifications to packet logging */
1528 case PKTT_PASSWORD:
1529 dont_log_password(ssh, pkt, PKTLOG_BLANK);
1530 break;
1531 case PKTT_DATA:
1532 dont_log_data(ssh, pkt, PKTLOG_OMIT);
1533 break;
1534 case PKTT_OTHER:
1535 end_log_omission(ssh, pkt);
1536 break;
1537 }
1538 }
1539
1540 return pkt;
1541 }
1542
1543 static void send_packet(Ssh ssh, int pkttype, ...)
1544 {
1545 struct Packet *pkt;
1546 va_list ap;
1547 va_start(ap, pkttype);
1548 pkt = construct_packet(ssh, pkttype, ap);
1549 va_end(ap);
1550 s_wrpkt(ssh, pkt);
1551 }
1552
1553 static void defer_packet(Ssh ssh, int pkttype, ...)
1554 {
1555 struct Packet *pkt;
1556 va_list ap;
1557 va_start(ap, pkttype);
1558 pkt = construct_packet(ssh, pkttype, ap);
1559 va_end(ap);
1560 s_wrpkt_defer(ssh, pkt);
1561 }
1562
1563 static int ssh_versioncmp(char *a, char *b)
1564 {
1565 char *ae, *be;
1566 unsigned long av, bv;
1567
1568 av = strtoul(a, &ae, 10);
1569 bv = strtoul(b, &be, 10);
1570 if (av != bv)
1571 return (av < bv ? -1 : +1);
1572 if (*ae == '.')
1573 ae++;
1574 if (*be == '.')
1575 be++;
1576 av = strtoul(ae, &ae, 10);
1577 bv = strtoul(be, &be, 10);
1578 if (av != bv)
1579 return (av < bv ? -1 : +1);
1580 return 0;
1581 }
1582
1583 /*
1584 * Utility routines for putting an SSH-protocol `string' and
1585 * `uint32' into a hash state.
1586 */
1587 static void hash_string(const struct ssh_hash *h, void *s, void *str, int len)
1588 {
1589 unsigned char lenblk[4];
1590 PUT_32BIT(lenblk, len);
1591 h->bytes(s, lenblk, 4);
1592 h->bytes(s, str, len);
1593 }
1594
1595 static void hash_uint32(const struct ssh_hash *h, void *s, unsigned i)
1596 {
1597 unsigned char intblk[4];
1598 PUT_32BIT(intblk, i);
1599 h->bytes(s, intblk, 4);
1600 }
1601
1602 /*
1603 * Packet construction functions. Mostly shared between SSH-1 and SSH-2.
1604 */
1605 static void ssh_pkt_ensure(struct Packet *pkt, int length)
1606 {
1607 if (pkt->maxlen < length) {
1608 unsigned char *body = pkt->body;
1609 int offset = body ? body - pkt->data : 0;
1610 pkt->maxlen = length + 256;
1611 pkt->data = sresize(pkt->data, pkt->maxlen + APIEXTRA, unsigned char);
1612 if (body) pkt->body = pkt->data + offset;
1613 }
1614 }
1615 static void ssh_pkt_adddata(struct Packet *pkt, void *data, int len)
1616 {
1617 if (pkt->logmode != PKTLOG_EMIT) {
1618 pkt->nblanks++;
1619 pkt->blanks = sresize(pkt->blanks, pkt->nblanks, struct logblank_t);
1620 assert(pkt->body);
1621 pkt->blanks[pkt->nblanks-1].offset = pkt->length -
1622 (pkt->body - pkt->data);
1623 pkt->blanks[pkt->nblanks-1].len = len;
1624 pkt->blanks[pkt->nblanks-1].type = pkt->logmode;
1625 }
1626 pkt->length += len;
1627 ssh_pkt_ensure(pkt, pkt->length);
1628 memcpy(pkt->data + pkt->length - len, data, len);
1629 }
1630 static void ssh_pkt_addbyte(struct Packet *pkt, unsigned char byte)
1631 {
1632 ssh_pkt_adddata(pkt, &byte, 1);
1633 }
1634 static void ssh2_pkt_addbool(struct Packet *pkt, unsigned char value)
1635 {
1636 ssh_pkt_adddata(pkt, &value, 1);
1637 }
1638 static void ssh_pkt_adduint32(struct Packet *pkt, unsigned long value)
1639 {
1640 unsigned char x[4];
1641 PUT_32BIT(x, value);
1642 ssh_pkt_adddata(pkt, x, 4);
1643 }
1644 static void ssh_pkt_addstring_start(struct Packet *pkt)
1645 {
1646 ssh_pkt_adduint32(pkt, 0);
1647 pkt->savedpos = pkt->length;
1648 }
1649 static void ssh_pkt_addstring_str(struct Packet *pkt, char *data)
1650 {
1651 ssh_pkt_adddata(pkt, data, strlen(data));
1652 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1653 }
1654 static void ssh_pkt_addstring_data(struct Packet *pkt, char *data, int len)
1655 {
1656 ssh_pkt_adddata(pkt, data, len);
1657 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1658 }
1659 static void ssh_pkt_addstring(struct Packet *pkt, char *data)
1660 {
1661 ssh_pkt_addstring_start(pkt);
1662 ssh_pkt_addstring_str(pkt, data);
1663 }
1664 static void ssh1_pkt_addmp(struct Packet *pkt, Bignum b)
1665 {
1666 int len = ssh1_bignum_length(b);
1667 unsigned char *data = snewn(len, unsigned char);
1668 (void) ssh1_write_bignum(data, b);
1669 ssh_pkt_adddata(pkt, data, len);
1670 sfree(data);
1671 }
1672 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len)
1673 {
1674 unsigned char *p;
1675 int i, n = (bignum_bitcount(b) + 7) / 8;
1676 p = snewn(n + 1, unsigned char);
1677 p[0] = 0;
1678 for (i = 1; i <= n; i++)
1679 p[i] = bignum_byte(b, n - i);
1680 i = 0;
1681 while (i <= n && p[i] == 0 && (p[i + 1] & 0x80) == 0)
1682 i++;
1683 memmove(p, p + i, n + 1 - i);
1684 *len = n + 1 - i;
1685 return p;
1686 }
1687 static void ssh2_pkt_addmp(struct Packet *pkt, Bignum b)
1688 {
1689 unsigned char *p;
1690 int len;
1691 p = ssh2_mpint_fmt(b, &len);
1692 ssh_pkt_addstring_start(pkt);
1693 ssh_pkt_addstring_data(pkt, (char *)p, len);
1694 sfree(p);
1695 }
1696
1697 static struct Packet *ssh1_pkt_init(int pkt_type)
1698 {
1699 struct Packet *pkt = ssh_new_packet();
1700 pkt->length = 4 + 8; /* space for length + max padding */
1701 ssh_pkt_addbyte(pkt, pkt_type);
1702 pkt->body = pkt->data + pkt->length;
1703 return pkt;
1704 }
1705
1706 /* For legacy code (SSH-1 and -2 packet construction used to be separate) */
1707 #define ssh2_pkt_ensure(pkt, length) ssh_pkt_ensure(pkt, length)
1708 #define ssh2_pkt_adddata(pkt, data, len) ssh_pkt_adddata(pkt, data, len)
1709 #define ssh2_pkt_addbyte(pkt, byte) ssh_pkt_addbyte(pkt, byte)
1710 #define ssh2_pkt_adduint32(pkt, value) ssh_pkt_adduint32(pkt, value)
1711 #define ssh2_pkt_addstring_start(pkt) ssh_pkt_addstring_start(pkt)
1712 #define ssh2_pkt_addstring_str(pkt, data) ssh_pkt_addstring_str(pkt, data)
1713 #define ssh2_pkt_addstring_data(pkt, data, len) ssh_pkt_addstring_data(pkt, data, len)
1714 #define ssh2_pkt_addstring(pkt, data) ssh_pkt_addstring(pkt, data)
1715
1716 static struct Packet *ssh2_pkt_init(int pkt_type)
1717 {
1718 struct Packet *pkt = ssh_new_packet();
1719 pkt->length = 5; /* space for packet length + padding length */
1720 pkt->forcepad = 0;
1721 ssh_pkt_addbyte(pkt, (unsigned char) pkt_type);
1722 pkt->body = pkt->data + pkt->length; /* after packet type */
1723 return pkt;
1724 }
1725
1726 /*
1727 * Construct an SSH-2 final-form packet: compress it, encrypt it,
1728 * put the MAC on it. Final packet, ready to be sent, is stored in
1729 * pkt->data. Total length is returned.
1730 */
1731 static int ssh2_pkt_construct(Ssh ssh, struct Packet *pkt)
1732 {
1733 int cipherblk, maclen, padding, i;
1734
1735 if (ssh->logctx)
1736 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[5],
1737 ssh2_pkt_type(ssh->pkt_ctx, pkt->data[5]),
1738 pkt->body, pkt->length - (pkt->body - pkt->data),
1739 pkt->nblanks, pkt->blanks);
1740 sfree(pkt->blanks); pkt->blanks = NULL;
1741 pkt->nblanks = 0;
1742
1743 /*
1744 * Compress packet payload.
1745 */
1746 {
1747 unsigned char *newpayload;
1748 int newlen;
1749 if (ssh->cscomp &&
1750 ssh->cscomp->compress(ssh->cs_comp_ctx, pkt->data + 5,
1751 pkt->length - 5,
1752 &newpayload, &newlen)) {
1753 pkt->length = 5;
1754 ssh2_pkt_adddata(pkt, newpayload, newlen);
1755 sfree(newpayload);
1756 }
1757 }
1758
1759 /*
1760 * Add padding. At least four bytes, and must also bring total
1761 * length (minus MAC) up to a multiple of the block size.
1762 * If pkt->forcepad is set, make sure the packet is at least that size
1763 * after padding.
1764 */
1765 cipherblk = ssh->cscipher ? ssh->cscipher->blksize : 8; /* block size */
1766 cipherblk = cipherblk < 8 ? 8 : cipherblk; /* or 8 if blksize < 8 */
1767 padding = 4;
1768 if (pkt->length + padding < pkt->forcepad)
1769 padding = pkt->forcepad - pkt->length;
1770 padding +=
1771 (cipherblk - (pkt->length + padding) % cipherblk) % cipherblk;
1772 assert(padding <= 255);
1773 maclen = ssh->csmac ? ssh->csmac->len : 0;
1774 ssh2_pkt_ensure(pkt, pkt->length + padding + maclen);
1775 pkt->data[4] = padding;
1776 for (i = 0; i < padding; i++)
1777 pkt->data[pkt->length + i] = random_byte();
1778 PUT_32BIT(pkt->data, pkt->length + padding - 4);
1779 if (ssh->csmac)
1780 ssh->csmac->generate(ssh->cs_mac_ctx, pkt->data,
1781 pkt->length + padding,
1782 ssh->v2_outgoing_sequence);
1783 ssh->v2_outgoing_sequence++; /* whether or not we MACed */
1784
1785 if (ssh->cscipher)
1786 ssh->cscipher->encrypt(ssh->cs_cipher_ctx,
1787 pkt->data, pkt->length + padding);
1788
1789 pkt->encrypted_len = pkt->length + padding;
1790
1791 /* Ready-to-send packet starts at pkt->data. We return length. */
1792 return pkt->length + padding + maclen;
1793 }
1794
1795 /*
1796 * Routines called from the main SSH code to send packets. There
1797 * are quite a few of these, because we have two separate
1798 * mechanisms for delaying the sending of packets:
1799 *
1800 * - In order to send an IGNORE message and a password message in
1801 * a single fixed-length blob, we require the ability to
1802 * concatenate the encrypted forms of those two packets _into_ a
1803 * single blob and then pass it to our <network.h> transport
1804 * layer in one go. Hence, there's a deferment mechanism which
1805 * works after packet encryption.
1806 *
1807 * - In order to avoid sending any connection-layer messages
1808 * during repeat key exchange, we have to queue up any such
1809 * outgoing messages _before_ they are encrypted (and in
1810 * particular before they're allocated sequence numbers), and
1811 * then send them once we've finished.
1812 *
1813 * I call these mechanisms `defer' and `queue' respectively, so as
1814 * to distinguish them reasonably easily.
1815 *
1816 * The functions send_noqueue() and defer_noqueue() free the packet
1817 * structure they are passed. Every outgoing packet goes through
1818 * precisely one of these functions in its life; packets passed to
1819 * ssh2_pkt_send() or ssh2_pkt_defer() either go straight to one of
1820 * these or get queued, and then when the queue is later emptied
1821 * the packets are all passed to defer_noqueue().
1822 *
1823 * When using a CBC-mode cipher, it's necessary to ensure that an
1824 * attacker can't provide data to be encrypted using an IV that they
1825 * know. We ensure this by prefixing each packet that might contain
1826 * user data with an SSH_MSG_IGNORE. This is done using the deferral
1827 * mechanism, so in this case send_noqueue() ends up redirecting to
1828 * defer_noqueue(). If you don't like this inefficiency, don't use
1829 * CBC.
1830 */
1831
1832 static void ssh2_pkt_defer_noqueue(Ssh, struct Packet *, int);
1833 static void ssh_pkt_defersend(Ssh);
1834
1835 /*
1836 * Send an SSH-2 packet immediately, without queuing or deferring.
1837 */
1838 static void ssh2_pkt_send_noqueue(Ssh ssh, struct Packet *pkt)
1839 {
1840 int len;
1841 int backlog;
1842 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC)) {
1843 /* We need to send two packets, so use the deferral mechanism. */
1844 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1845 ssh_pkt_defersend(ssh);
1846 return;
1847 }
1848 len = ssh2_pkt_construct(ssh, pkt);
1849 backlog = s_write(ssh, pkt->data, len);
1850 if (backlog > SSH_MAX_BACKLOG)
1851 ssh_throttle_all(ssh, 1, backlog);
1852
1853 ssh->outgoing_data_size += pkt->encrypted_len;
1854 if (!ssh->kex_in_progress &&
1855 ssh->max_data_size != 0 &&
1856 ssh->outgoing_data_size > ssh->max_data_size)
1857 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
1858
1859 ssh_free_packet(pkt);
1860 }
1861
1862 /*
1863 * Defer an SSH-2 packet.
1864 */
1865 static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt, int noignore)
1866 {
1867 int len;
1868 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC) &&
1869 ssh->deferred_len == 0 && !noignore) {
1870 /*
1871 * Interpose an SSH_MSG_IGNORE to ensure that user data don't
1872 * get encrypted with a known IV.
1873 */
1874 struct Packet *ipkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
1875 ssh2_pkt_addstring_start(ipkt);
1876 ssh2_pkt_defer_noqueue(ssh, ipkt, TRUE);
1877 }
1878 len = ssh2_pkt_construct(ssh, pkt);
1879 if (ssh->deferred_len + len > ssh->deferred_size) {
1880 ssh->deferred_size = ssh->deferred_len + len + 128;
1881 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1882 ssh->deferred_size,
1883 unsigned char);
1884 }
1885 memcpy(ssh->deferred_send_data + ssh->deferred_len, pkt->data, len);
1886 ssh->deferred_len += len;
1887 ssh->deferred_data_size += pkt->encrypted_len;
1888 ssh_free_packet(pkt);
1889 }
1890
1891 /*
1892 * Queue an SSH-2 packet.
1893 */
1894 static void ssh2_pkt_queue(Ssh ssh, struct Packet *pkt)
1895 {
1896 assert(ssh->queueing);
1897
1898 if (ssh->queuelen >= ssh->queuesize) {
1899 ssh->queuesize = ssh->queuelen + 32;
1900 ssh->queue = sresize(ssh->queue, ssh->queuesize, struct Packet *);
1901 }
1902
1903 ssh->queue[ssh->queuelen++] = pkt;
1904 }
1905
1906 /*
1907 * Either queue or send a packet, depending on whether queueing is
1908 * set.
1909 */
1910 static void ssh2_pkt_send(Ssh ssh, struct Packet *pkt)
1911 {
1912 if (ssh->queueing)
1913 ssh2_pkt_queue(ssh, pkt);
1914 else
1915 ssh2_pkt_send_noqueue(ssh, pkt);
1916 }
1917
1918 /*
1919 * Either queue or defer a packet, depending on whether queueing is
1920 * set.
1921 */
1922 static void ssh2_pkt_defer(Ssh ssh, struct Packet *pkt)
1923 {
1924 if (ssh->queueing)
1925 ssh2_pkt_queue(ssh, pkt);
1926 else
1927 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1928 }
1929
1930 /*
1931 * Send the whole deferred data block constructed by
1932 * ssh2_pkt_defer() or SSH-1's defer_packet().
1933 *
1934 * The expected use of the defer mechanism is that you call
1935 * ssh2_pkt_defer() a few times, then call ssh_pkt_defersend(). If
1936 * not currently queueing, this simply sets up deferred_send_data
1937 * and then sends it. If we _are_ currently queueing, the calls to
1938 * ssh2_pkt_defer() put the deferred packets on to the queue
1939 * instead, and therefore ssh_pkt_defersend() has no deferred data
1940 * to send. Hence, there's no need to make it conditional on
1941 * ssh->queueing.
1942 */
1943 static void ssh_pkt_defersend(Ssh ssh)
1944 {
1945 int backlog;
1946 backlog = s_write(ssh, ssh->deferred_send_data, ssh->deferred_len);
1947 ssh->deferred_len = ssh->deferred_size = 0;
1948 sfree(ssh->deferred_send_data);
1949 ssh->deferred_send_data = NULL;
1950 if (backlog > SSH_MAX_BACKLOG)
1951 ssh_throttle_all(ssh, 1, backlog);
1952
1953 ssh->outgoing_data_size += ssh->deferred_data_size;
1954 if (!ssh->kex_in_progress &&
1955 ssh->max_data_size != 0 &&
1956 ssh->outgoing_data_size > ssh->max_data_size)
1957 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
1958 ssh->deferred_data_size = 0;
1959 }
1960
1961 /*
1962 * Send a packet whose length needs to be disguised (typically
1963 * passwords or keyboard-interactive responses).
1964 */
1965 static void ssh2_pkt_send_with_padding(Ssh ssh, struct Packet *pkt,
1966 int padsize)
1967 {
1968 #if 0
1969 if (0) {
1970 /*
1971 * The simplest way to do this is to adjust the
1972 * variable-length padding field in the outgoing packet.
1973 *
1974 * Currently compiled out, because some Cisco SSH servers
1975 * don't like excessively padded packets (bah, why's it
1976 * always Cisco?)
1977 */
1978 pkt->forcepad = padsize;
1979 ssh2_pkt_send(ssh, pkt);
1980 } else
1981 #endif
1982 {
1983 /*
1984 * If we can't do that, however, an alternative approach is
1985 * to use the pkt_defer mechanism to bundle the packet
1986 * tightly together with an SSH_MSG_IGNORE such that their
1987 * combined length is a constant. So first we construct the
1988 * final form of this packet and defer its sending.
1989 */
1990 ssh2_pkt_defer(ssh, pkt);
1991
1992 /*
1993 * Now construct an SSH_MSG_IGNORE which includes a string
1994 * that's an exact multiple of the cipher block size. (If
1995 * the cipher is NULL so that the block size is
1996 * unavailable, we don't do this trick at all, because we
1997 * gain nothing by it.)
1998 */
1999 if (ssh->cscipher) {
2000 int stringlen, i;
2001
2002 stringlen = (256 - ssh->deferred_len);
2003 stringlen += ssh->cscipher->blksize - 1;
2004 stringlen -= (stringlen % ssh->cscipher->blksize);
2005 if (ssh->cscomp) {
2006 /*
2007 * Temporarily disable actual compression, so we
2008 * can guarantee to get this string exactly the
2009 * length we want it. The compression-disabling
2010 * routine should return an integer indicating how
2011 * many bytes we should adjust our string length
2012 * by.
2013 */
2014 stringlen -=
2015 ssh->cscomp->disable_compression(ssh->cs_comp_ctx);
2016 }
2017 pkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
2018 ssh2_pkt_addstring_start(pkt);
2019 for (i = 0; i < stringlen; i++) {
2020 char c = (char) random_byte();
2021 ssh2_pkt_addstring_data(pkt, &c, 1);
2022 }
2023 ssh2_pkt_defer(ssh, pkt);
2024 }
2025 ssh_pkt_defersend(ssh);
2026 }
2027 }
2028
2029 /*
2030 * Send all queued SSH-2 packets. We send them by means of
2031 * ssh2_pkt_defer_noqueue(), in case they included a pair of
2032 * packets that needed to be lumped together.
2033 */
2034 static void ssh2_pkt_queuesend(Ssh ssh)
2035 {
2036 int i;
2037
2038 assert(!ssh->queueing);
2039
2040 for (i = 0; i < ssh->queuelen; i++)
2041 ssh2_pkt_defer_noqueue(ssh, ssh->queue[i], FALSE);
2042 ssh->queuelen = 0;
2043
2044 ssh_pkt_defersend(ssh);
2045 }
2046
2047 #if 0
2048 void bndebug(char *string, Bignum b)
2049 {
2050 unsigned char *p;
2051 int i, len;
2052 p = ssh2_mpint_fmt(b, &len);
2053 debug(("%s", string));
2054 for (i = 0; i < len; i++)
2055 debug((" %02x", p[i]));
2056 debug(("\n"));
2057 sfree(p);
2058 }
2059 #endif
2060
2061 static void hash_mpint(const struct ssh_hash *h, void *s, Bignum b)
2062 {
2063 unsigned char *p;
2064 int len;
2065 p = ssh2_mpint_fmt(b, &len);
2066 hash_string(h, s, p, len);
2067 sfree(p);
2068 }
2069
2070 /*
2071 * Packet decode functions for both SSH-1 and SSH-2.
2072 */
2073 static unsigned long ssh_pkt_getuint32(struct Packet *pkt)
2074 {
2075 unsigned long value;
2076 if (pkt->length - pkt->savedpos < 4)
2077 return 0; /* arrgh, no way to decline (FIXME?) */
2078 value = GET_32BIT(pkt->body + pkt->savedpos);
2079 pkt->savedpos += 4;
2080 return value;
2081 }
2082 static int ssh2_pkt_getbool(struct Packet *pkt)
2083 {
2084 unsigned long value;
2085 if (pkt->length - pkt->savedpos < 1)
2086 return 0; /* arrgh, no way to decline (FIXME?) */
2087 value = pkt->body[pkt->savedpos] != 0;
2088 pkt->savedpos++;
2089 return value;
2090 }
2091 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length)
2092 {
2093 int len;
2094 *p = NULL;
2095 *length = 0;
2096 if (pkt->length - pkt->savedpos < 4)
2097 return;
2098 len = GET_32BIT(pkt->body + pkt->savedpos);
2099 if (len < 0)
2100 return;
2101 *length = len;
2102 pkt->savedpos += 4;
2103 if (pkt->length - pkt->savedpos < *length)
2104 return;
2105 *p = (char *)(pkt->body + pkt->savedpos);
2106 pkt->savedpos += *length;
2107 }
2108 static void *ssh_pkt_getdata(struct Packet *pkt, int length)
2109 {
2110 if (pkt->length - pkt->savedpos < length)
2111 return NULL;
2112 pkt->savedpos += length;
2113 return pkt->body + (pkt->savedpos - length);
2114 }
2115 static int ssh1_pkt_getrsakey(struct Packet *pkt, struct RSAKey *key,
2116 unsigned char **keystr)
2117 {
2118 int j;
2119
2120 j = makekey(pkt->body + pkt->savedpos,
2121 pkt->length - pkt->savedpos,
2122 key, keystr, 0);
2123
2124 if (j < 0)
2125 return FALSE;
2126
2127 pkt->savedpos += j;
2128 assert(pkt->savedpos < pkt->length);
2129
2130 return TRUE;
2131 }
2132 static Bignum ssh1_pkt_getmp(struct Packet *pkt)
2133 {
2134 int j;
2135 Bignum b;
2136
2137 j = ssh1_read_bignum(pkt->body + pkt->savedpos,
2138 pkt->length - pkt->savedpos, &b);
2139
2140 if (j < 0)
2141 return NULL;
2142
2143 pkt->savedpos += j;
2144 return b;
2145 }
2146 static Bignum ssh2_pkt_getmp(struct Packet *pkt)
2147 {
2148 char *p;
2149 int length;
2150 Bignum b;
2151
2152 ssh_pkt_getstring(pkt, &p, &length);
2153 if (!p)
2154 return NULL;
2155 if (p[0] & 0x80)
2156 return NULL;
2157 b = bignum_from_bytes((unsigned char *)p, length);
2158 return b;
2159 }
2160
2161 /*
2162 * Helper function to add an SSH-2 signature blob to a packet.
2163 * Expects to be shown the public key blob as well as the signature
2164 * blob. Normally works just like ssh2_pkt_addstring, but will
2165 * fiddle with the signature packet if necessary for
2166 * BUG_SSH2_RSA_PADDING.
2167 */
2168 static void ssh2_add_sigblob(Ssh ssh, struct Packet *pkt,
2169 void *pkblob_v, int pkblob_len,
2170 void *sigblob_v, int sigblob_len)
2171 {
2172 unsigned char *pkblob = (unsigned char *)pkblob_v;
2173 unsigned char *sigblob = (unsigned char *)sigblob_v;
2174
2175 /* dmemdump(pkblob, pkblob_len); */
2176 /* dmemdump(sigblob, sigblob_len); */
2177
2178 /*
2179 * See if this is in fact an ssh-rsa signature and a buggy
2180 * server; otherwise we can just do this the easy way.
2181 */
2182 if ((ssh->remote_bugs & BUG_SSH2_RSA_PADDING) &&
2183 (GET_32BIT(pkblob) == 7 && !memcmp(pkblob+4, "ssh-rsa", 7))) {
2184 int pos, len, siglen;
2185
2186 /*
2187 * Find the byte length of the modulus.
2188 */
2189
2190 pos = 4+7; /* skip over "ssh-rsa" */
2191 pos += 4 + GET_32BIT(pkblob+pos); /* skip over exponent */
2192 len = GET_32BIT(pkblob+pos); /* find length of modulus */
2193 pos += 4; /* find modulus itself */
2194 while (len > 0 && pkblob[pos] == 0)
2195 len--, pos++;
2196 /* debug(("modulus length is %d\n", len)); */
2197
2198 /*
2199 * Now find the signature integer.
2200 */
2201 pos = 4+7; /* skip over "ssh-rsa" */
2202 siglen = GET_32BIT(sigblob+pos);
2203 /* debug(("signature length is %d\n", siglen)); */
2204
2205 if (len != siglen) {
2206 unsigned char newlen[4];
2207 ssh2_pkt_addstring_start(pkt);
2208 ssh2_pkt_addstring_data(pkt, (char *)sigblob, pos);
2209 /* dmemdump(sigblob, pos); */
2210 pos += 4; /* point to start of actual sig */
2211 PUT_32BIT(newlen, len);
2212 ssh2_pkt_addstring_data(pkt, (char *)newlen, 4);
2213 /* dmemdump(newlen, 4); */
2214 newlen[0] = 0;
2215 while (len-- > siglen) {
2216 ssh2_pkt_addstring_data(pkt, (char *)newlen, 1);
2217 /* dmemdump(newlen, 1); */
2218 }
2219 ssh2_pkt_addstring_data(pkt, (char *)(sigblob+pos), siglen);
2220 /* dmemdump(sigblob+pos, siglen); */
2221 return;
2222 }
2223
2224 /* Otherwise fall through and do it the easy way. */
2225 }
2226
2227 ssh2_pkt_addstring_start(pkt);
2228 ssh2_pkt_addstring_data(pkt, (char *)sigblob, sigblob_len);
2229 }
2230
2231 /*
2232 * Examine the remote side's version string and compare it against
2233 * a list of known buggy implementations.
2234 */
2235 static void ssh_detect_bugs(Ssh ssh, char *vstring)
2236 {
2237 char *imp; /* pointer to implementation part */
2238 imp = vstring;
2239 imp += strcspn(imp, "-");
2240 if (*imp) imp++;
2241 imp += strcspn(imp, "-");
2242 if (*imp) imp++;
2243
2244 ssh->remote_bugs = 0;
2245
2246 /*
2247 * General notes on server version strings:
2248 * - Not all servers reporting "Cisco-1.25" have all the bugs listed
2249 * here -- in particular, we've heard of one that's perfectly happy
2250 * with SSH1_MSG_IGNOREs -- but this string never seems to change,
2251 * so we can't distinguish them.
2252 */
2253 if (ssh->cfg.sshbug_ignore1 == FORCE_ON ||
2254 (ssh->cfg.sshbug_ignore1 == AUTO &&
2255 (!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
2256 !strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
2257 !strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
2258 !strcmp(imp, "OSU_1.4alpha3") || !strcmp(imp, "OSU_1.5alpha4")))) {
2259 /*
2260 * These versions don't support SSH1_MSG_IGNORE, so we have
2261 * to use a different defence against password length
2262 * sniffing.
2263 */
2264 ssh->remote_bugs |= BUG_CHOKES_ON_SSH1_IGNORE;
2265 logevent("We believe remote version has SSH-1 ignore bug");
2266 }
2267
2268 if (ssh->cfg.sshbug_plainpw1 == FORCE_ON ||
2269 (ssh->cfg.sshbug_plainpw1 == AUTO &&
2270 (!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
2271 /*
2272 * These versions need a plain password sent; they can't
2273 * handle having a null and a random length of data after
2274 * the password.
2275 */
2276 ssh->remote_bugs |= BUG_NEEDS_SSH1_PLAIN_PASSWORD;
2277 logevent("We believe remote version needs a plain SSH-1 password");
2278 }
2279
2280 if (ssh->cfg.sshbug_rsa1 == FORCE_ON ||
2281 (ssh->cfg.sshbug_rsa1 == AUTO &&
2282 (!strcmp(imp, "Cisco-1.25")))) {
2283 /*
2284 * These versions apparently have no clue whatever about
2285 * RSA authentication and will panic and die if they see
2286 * an AUTH_RSA message.
2287 */
2288 ssh->remote_bugs |= BUG_CHOKES_ON_RSA;
2289 logevent("We believe remote version can't handle SSH-1 RSA authentication");
2290 }
2291
2292 if (ssh->cfg.sshbug_hmac2 == FORCE_ON ||
2293 (ssh->cfg.sshbug_hmac2 == AUTO &&
2294 !wc_match("* VShell", imp) &&
2295 (wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
2296 wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
2297 wc_match("2.1 *", imp)))) {
2298 /*
2299 * These versions have the HMAC bug.
2300 */
2301 ssh->remote_bugs |= BUG_SSH2_HMAC;
2302 logevent("We believe remote version has SSH-2 HMAC bug");
2303 }
2304
2305 if (ssh->cfg.sshbug_derivekey2 == FORCE_ON ||
2306 (ssh->cfg.sshbug_derivekey2 == AUTO &&
2307 !wc_match("* VShell", imp) &&
2308 (wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
2309 /*
2310 * These versions have the key-derivation bug (failing to
2311 * include the literal shared secret in the hashes that
2312 * generate the keys).
2313 */
2314 ssh->remote_bugs |= BUG_SSH2_DERIVEKEY;
2315 logevent("We believe remote version has SSH-2 key-derivation bug");
2316 }
2317
2318 if (ssh->cfg.sshbug_rsapad2 == FORCE_ON ||
2319 (ssh->cfg.sshbug_rsapad2 == AUTO &&
2320 (wc_match("OpenSSH_2.[5-9]*", imp) ||
2321 wc_match("OpenSSH_3.[0-2]*", imp)))) {
2322 /*
2323 * These versions have the SSH-2 RSA padding bug.
2324 */
2325 ssh->remote_bugs |= BUG_SSH2_RSA_PADDING;
2326 logevent("We believe remote version has SSH-2 RSA padding bug");
2327 }
2328
2329 if (ssh->cfg.sshbug_pksessid2 == FORCE_ON ||
2330 (ssh->cfg.sshbug_pksessid2 == AUTO &&
2331 wc_match("OpenSSH_2.[0-2]*", imp))) {
2332 /*
2333 * These versions have the SSH-2 session-ID bug in
2334 * public-key authentication.
2335 */
2336 ssh->remote_bugs |= BUG_SSH2_PK_SESSIONID;
2337 logevent("We believe remote version has SSH-2 public-key-session-ID bug");
2338 }
2339
2340 if (ssh->cfg.sshbug_rekey2 == FORCE_ON ||
2341 (ssh->cfg.sshbug_rekey2 == AUTO &&
2342 (wc_match("DigiSSH_2.0", imp) ||
2343 wc_match("OpenSSH_2.[0-4]*", imp) ||
2344 wc_match("OpenSSH_2.5.[0-3]*", imp) ||
2345 wc_match("Sun_SSH_1.0", imp) ||
2346 wc_match("Sun_SSH_1.0.1", imp) ||
2347 /* All versions <= 1.2.6 (they changed their format in 1.2.7) */
2348 wc_match("WeOnlyDo-*", imp)))) {
2349 /*
2350 * These versions have the SSH-2 rekey bug.
2351 */
2352 ssh->remote_bugs |= BUG_SSH2_REKEY;
2353 logevent("We believe remote version has SSH-2 rekey bug");
2354 }
2355 }
2356
2357 /*
2358 * The `software version' part of an SSH version string is required
2359 * to contain no spaces or minus signs.
2360 */
2361 static void ssh_fix_verstring(char *str)
2362 {
2363 /* Eat "SSH-<protoversion>-". */
2364 assert(*str == 'S'); str++;
2365 assert(*str == 'S'); str++;
2366 assert(*str == 'H'); str++;
2367 assert(*str == '-'); str++;
2368 while (*str && *str != '-') str++;
2369 assert(*str == '-'); str++;
2370
2371 /* Convert minus signs and spaces in the remaining string into
2372 * underscores. */
2373 while (*str) {
2374 if (*str == '-' || *str == ' ')
2375 *str = '_';
2376 str++;
2377 }
2378 }
2379
2380 /*
2381 * Send an appropriate SSH version string.
2382 */
2383 static void ssh_send_verstring(Ssh ssh, char *svers)
2384 {
2385 char *verstring;
2386
2387 if (ssh->version == 2) {
2388 /*
2389 * Construct a v2 version string.
2390 */
2391 verstring = dupprintf("SSH-2.0-%s\015\012", sshver);
2392 } else {
2393 /*
2394 * Construct a v1 version string.
2395 */
2396 verstring = dupprintf("SSH-%s-%s\012",
2397 (ssh_versioncmp(svers, "1.5") <= 0 ?
2398 svers : "1.5"),
2399 sshver);
2400 }
2401
2402 ssh_fix_verstring(verstring);
2403
2404 if (ssh->version == 2) {
2405 size_t len;
2406 /*
2407 * Record our version string.
2408 */
2409 len = strcspn(verstring, "\015\012");
2410 ssh->v_c = snewn(len + 1, char);
2411 memcpy(ssh->v_c, verstring, len);
2412 ssh->v_c[len] = 0;
2413 }
2414
2415 logeventf(ssh, "We claim version: %.*s",
2416 strcspn(verstring, "\015\012"), verstring);
2417 s_write(ssh, verstring, strlen(verstring));
2418 sfree(verstring);
2419 }
2420
2421 static int do_ssh_init(Ssh ssh, unsigned char c)
2422 {
2423 struct do_ssh_init_state {
2424 int vslen;
2425 char version[10];
2426 char *vstring;
2427 int vstrsize;
2428 int i;
2429 int proto1, proto2;
2430 };
2431 crState(do_ssh_init_state);
2432
2433 crBegin(ssh->do_ssh_init_crstate);
2434
2435 /*
2436 * If the SSH version number's fixed, set it now, and if it's SSH-2,
2437 * send the version string too.
2438 *
2439 * XXX This isn't actually early enough to be useful, since we only
2440 * get here when the first incoming byte turns up.
2441 */
2442 if (ssh->cfg.sshprot == 0)
2443 ssh->version = 1;
2444 if (ssh->cfg.sshprot == 3) {
2445 ssh->version = 2;
2446 ssh_send_verstring(ssh, NULL);
2447 }
2448
2449 /* Search for a line beginning with the string "SSH-" in the input. */
2450 for (;;) {
2451 if (c != 'S') goto no;
2452 crReturn(1);
2453 if (c != 'S') goto no;
2454 crReturn(1);
2455 if (c != 'H') goto no;
2456 crReturn(1);
2457 if (c != '-') goto no;
2458 break;
2459 no:
2460 while (c != '\012')
2461 crReturn(1);
2462 crReturn(1);
2463 }
2464
2465 s->vstrsize = 16;
2466 s->vstring = snewn(s->vstrsize, char);
2467 strcpy(s->vstring, "SSH-");
2468 s->vslen = 4;
2469 s->i = 0;
2470 while (1) {
2471 crReturn(1); /* get another char */
2472 if (s->vslen >= s->vstrsize - 1) {
2473 s->vstrsize += 16;
2474 s->vstring = sresize(s->vstring, s->vstrsize, char);
2475 }
2476 s->vstring[s->vslen++] = c;
2477 if (s->i >= 0) {
2478 if (c == '-') {
2479 s->version[s->i] = '\0';
2480 s->i = -1;
2481 } else if (s->i < sizeof(s->version) - 1)
2482 s->version[s->i++] = c;
2483 } else if (c == '\012')
2484 break;
2485 }
2486
2487 ssh->agentfwd_enabled = FALSE;
2488 ssh->rdpkt2_state.incoming_sequence = 0;
2489
2490 s->vstring[s->vslen] = 0;
2491 s->vstring[strcspn(s->vstring, "\015\012")] = '\0';/* remove EOL chars */
2492 logeventf(ssh, "Server version: %s", s->vstring);
2493 ssh_detect_bugs(ssh, s->vstring);
2494
2495 /*
2496 * Decide which SSH protocol version to support.
2497 */
2498
2499 /* Anything strictly below "2.0" means protocol 1 is supported. */
2500 s->proto1 = ssh_versioncmp(s->version, "2.0") < 0;
2501 /* Anything greater or equal to "1.99" means protocol 2 is supported. */
2502 s->proto2 = ssh_versioncmp(s->version, "1.99") >= 0;
2503
2504 if (ssh->cfg.sshprot == 0 && !s->proto1) {
2505 bombout(("SSH protocol version 1 required by user but not provided by server"));
2506 crStop(0);
2507 }
2508 if (ssh->cfg.sshprot == 3 && !s->proto2) {
2509 bombout(("SSH protocol version 2 required by user but not provided by server"));
2510 crStop(0);
2511 }
2512
2513 if (s->proto2 && (ssh->cfg.sshprot >= 2 || !s->proto1))
2514 ssh->version = 2;
2515 else
2516 ssh->version = 1;
2517
2518 logeventf(ssh, "Using SSH protocol version %d", ssh->version);
2519
2520 /* Send the version string, if we haven't already */
2521 if (ssh->cfg.sshprot != 3)
2522 ssh_send_verstring(ssh, s->version);
2523
2524 if (ssh->version == 2) {
2525 size_t len;
2526 /*
2527 * Record their version string.
2528 */
2529 len = strcspn(s->vstring, "\015\012");
2530 ssh->v_s = snewn(len + 1, char);
2531 memcpy(ssh->v_s, s->vstring, len);
2532 ssh->v_s[len] = 0;
2533
2534 /*
2535 * Initialise SSH-2 protocol.
2536 */
2537 ssh->protocol = ssh2_protocol;
2538 ssh2_protocol_setup(ssh);
2539 ssh->s_rdpkt = ssh2_rdpkt;
2540 } else {
2541 /*
2542 * Initialise SSH-1 protocol.
2543 */
2544 ssh->protocol = ssh1_protocol;
2545 ssh1_protocol_setup(ssh);
2546 ssh->s_rdpkt = ssh1_rdpkt;
2547 }
2548 if (ssh->version == 2)
2549 do_ssh2_transport(ssh, NULL, -1, NULL);
2550
2551 update_specials_menu(ssh->frontend);
2552 ssh->state = SSH_STATE_BEFORE_SIZE;
2553 ssh->pinger = pinger_new(&ssh->cfg, &ssh_backend, ssh);
2554
2555 sfree(s->vstring);
2556
2557 crFinish(0);
2558 }
2559
2560 static void ssh_process_incoming_data(Ssh ssh,
2561 unsigned char **data, int *datalen)
2562 {
2563 struct Packet *pktin;
2564
2565 pktin = ssh->s_rdpkt(ssh, data, datalen);
2566 if (pktin) {
2567 ssh->protocol(ssh, NULL, 0, pktin);
2568 ssh_free_packet(pktin);
2569 }
2570 }
2571
2572 static void ssh_queue_incoming_data(Ssh ssh,
2573 unsigned char **data, int *datalen)
2574 {
2575 bufchain_add(&ssh->queued_incoming_data, *data, *datalen);
2576 *data += *datalen;
2577 *datalen = 0;
2578 }
2579
2580 static void ssh_process_queued_incoming_data(Ssh ssh)
2581 {
2582 void *vdata;
2583 unsigned char *data;
2584 int len, origlen;
2585
2586 while (!ssh->frozen && bufchain_size(&ssh->queued_incoming_data)) {
2587 bufchain_prefix(&ssh->queued_incoming_data, &vdata, &len);
2588 data = vdata;
2589 origlen = len;
2590
2591 while (!ssh->frozen && len > 0)
2592 ssh_process_incoming_data(ssh, &data, &len);
2593
2594 if (origlen > len)
2595 bufchain_consume(&ssh->queued_incoming_data, origlen - len);
2596 }
2597 }
2598
2599 static void ssh_set_frozen(Ssh ssh, int frozen)
2600 {
2601 if (ssh->s)
2602 sk_set_frozen(ssh->s, frozen);
2603 ssh->frozen = frozen;
2604 }
2605
2606 static void ssh_gotdata(Ssh ssh, unsigned char *data, int datalen)
2607 {
2608 /* Log raw data, if we're in that mode. */
2609 log_packet(ssh->logctx, PKT_INCOMING, -1, NULL, data, datalen, 0, NULL);
2610
2611 crBegin(ssh->ssh_gotdata_crstate);
2612
2613 /*
2614 * To begin with, feed the characters one by one to the
2615 * protocol initialisation / selection function do_ssh_init().
2616 * When that returns 0, we're done with the initial greeting
2617 * exchange and can move on to packet discipline.
2618 */
2619 while (1) {
2620 int ret; /* need not be kept across crReturn */
2621 if (datalen == 0)
2622 crReturnV; /* more data please */
2623 ret = do_ssh_init(ssh, *data);
2624 data++;
2625 datalen--;
2626 if (ret == 0)
2627 break;
2628 }
2629
2630 /*
2631 * We emerge from that loop when the initial negotiation is
2632 * over and we have selected an s_rdpkt function. Now pass
2633 * everything to s_rdpkt, and then pass the resulting packets
2634 * to the proper protocol handler.
2635 */
2636
2637 while (1) {
2638 while (bufchain_size(&ssh->queued_incoming_data) > 0 || datalen > 0) {
2639 if (ssh->frozen) {
2640 ssh_queue_incoming_data(ssh, &data, &datalen);
2641 /* This uses up all data and cannot cause anything interesting
2642 * to happen; indeed, for anything to happen at all, we must
2643 * return, so break out. */
2644 break;
2645 } else if (bufchain_size(&ssh->queued_incoming_data) > 0) {
2646 /* This uses up some or all data, and may freeze the
2647 * session. */
2648 ssh_process_queued_incoming_data(ssh);
2649 } else {
2650 /* This uses up some or all data, and may freeze the
2651 * session. */
2652 ssh_process_incoming_data(ssh, &data, &datalen);
2653 }
2654 /* FIXME this is probably EBW. */
2655 if (ssh->state == SSH_STATE_CLOSED)
2656 return;
2657 }
2658 /* We're out of data. Go and get some more. */
2659 crReturnV;
2660 }
2661 crFinishV;
2662 }
2663
2664 static int ssh_do_close(Ssh ssh, int notify_exit)
2665 {
2666 int ret = 0;
2667 struct ssh_channel *c;
2668
2669 ssh->state = SSH_STATE_CLOSED;
2670 expire_timer_context(ssh);
2671 if (ssh->s) {
2672 sk_close(ssh->s);
2673 ssh->s = NULL;
2674 if (notify_exit)
2675 notify_remote_exit(ssh->frontend);
2676 else
2677 ret = 1;
2678 }
2679 /*
2680 * Now we must shut down any port- and X-forwarded channels going
2681 * through this connection.
2682 */
2683 if (ssh->channels) {
2684 while (NULL != (c = index234(ssh->channels, 0))) {
2685 switch (c->type) {
2686 case CHAN_X11:
2687 x11_close(c->u.x11.s);
2688 break;
2689 case CHAN_SOCKDATA:
2690 pfd_close(c->u.pfd.s);
2691 break;
2692 }
2693 del234(ssh->channels, c); /* moving next one to index 0 */
2694 if (ssh->version == 2)
2695 bufchain_clear(&c->v.v2.outbuffer);
2696 sfree(c);
2697 }
2698 }
2699 /*
2700 * Go through port-forwardings, and close any associated
2701 * listening sockets.
2702 */
2703 if (ssh->portfwds) {
2704 struct ssh_portfwd *pf;
2705 while (NULL != (pf = index234(ssh->portfwds, 0))) {
2706 /* Dispose of any listening socket. */
2707 if (pf->local)
2708 pfd_terminate(pf->local);
2709 del234(ssh->portfwds, pf); /* moving next one to index 0 */
2710 free_portfwd(pf);
2711 }
2712 }
2713
2714 return ret;
2715 }
2716
2717 static void ssh_log(Plug plug, int type, SockAddr addr, int port,
2718 const char *error_msg, int error_code)
2719 {
2720 Ssh ssh = (Ssh) plug;
2721 char addrbuf[256], *msg;
2722
2723 sk_getaddr(addr, addrbuf, lenof(addrbuf));
2724
2725 if (type == 0)
2726 msg = dupprintf("Connecting to %s port %d", addrbuf, port);
2727 else
2728 msg = dupprintf("Failed to connect to %s: %s", addrbuf, error_msg);
2729
2730 logevent(msg);
2731 sfree(msg);
2732 }
2733
2734 static int ssh_closing(Plug plug, const char *error_msg, int error_code,
2735 int calling_back)
2736 {
2737 Ssh ssh = (Ssh) plug;
2738 int need_notify = ssh_do_close(ssh, FALSE);
2739
2740 if (!error_msg) {
2741 if (!ssh->close_expected)
2742 error_msg = "Server unexpectedly closed network connection";
2743 else
2744 error_msg = "Server closed network connection";
2745 }
2746
2747 if (ssh->close_expected && ssh->clean_exit && ssh->exitcode < 0)
2748 ssh->exitcode = 0;
2749
2750 if (need_notify)
2751 notify_remote_exit(ssh->frontend);
2752
2753 if (error_msg)
2754 logevent(error_msg);
2755 if (!ssh->close_expected || !ssh->clean_exit)
2756 connection_fatal(ssh->frontend, "%s", error_msg);
2757 return 0;
2758 }
2759
2760 static int ssh_receive(Plug plug, int urgent, char *data, int len)
2761 {
2762 Ssh ssh = (Ssh) plug;
2763 ssh_gotdata(ssh, (unsigned char *)data, len);
2764 if (ssh->state == SSH_STATE_CLOSED) {
2765 ssh_do_close(ssh, TRUE);
2766 return 0;
2767 }
2768 return 1;
2769 }
2770
2771 static void ssh_sent(Plug plug, int bufsize)
2772 {
2773 Ssh ssh = (Ssh) plug;
2774 /*
2775 * If the send backlog on the SSH socket itself clears, we
2776 * should unthrottle the whole world if it was throttled.
2777 */
2778 if (bufsize < SSH_MAX_BACKLOG)
2779 ssh_throttle_all(ssh, 0, bufsize);
2780 }
2781
2782 /*
2783 * Connect to specified host and port.
2784 * Returns an error message, or NULL on success.
2785 * Also places the canonical host name into `realhost'. It must be
2786 * freed by the caller.
2787 */
2788 static const char *connect_to_host(Ssh ssh, char *host, int port,
2789 char **realhost, int nodelay, int keepalive)
2790 {
2791 static const struct plug_function_table fn_table = {
2792 ssh_log,
2793 ssh_closing,
2794 ssh_receive,
2795 ssh_sent,
2796 NULL
2797 };
2798
2799 SockAddr addr;
2800 const char *err;
2801
2802 ssh->savedhost = snewn(1 + strlen(host), char);
2803 strcpy(ssh->savedhost, host);
2804
2805 if (port < 0)
2806 port = 22; /* default ssh port */
2807 ssh->savedport = port;
2808
2809 /*
2810 * Try to find host.
2811 */
2812 logeventf(ssh, "Looking up host \"%s\"%s", host,
2813 (ssh->cfg.addressfamily == ADDRTYPE_IPV4 ? " (IPv4)" :
2814 (ssh->cfg.addressfamily == ADDRTYPE_IPV6 ? " (IPv6)" : "")));
2815 addr = name_lookup(host, port, realhost, &ssh->cfg,
2816 ssh->cfg.addressfamily);
2817 if ((err = sk_addr_error(addr)) != NULL) {
2818 sk_addr_free(addr);
2819 return err;
2820 }
2821
2822 /*
2823 * Open socket.
2824 */
2825 ssh->fn = &fn_table;
2826 ssh->s = new_connection(addr, *realhost, port,
2827 0, 1, nodelay, keepalive, (Plug) ssh, &ssh->cfg);
2828 if ((err = sk_socket_error(ssh->s)) != NULL) {
2829 ssh->s = NULL;
2830 notify_remote_exit(ssh->frontend);
2831 return err;
2832 }
2833
2834 return NULL;
2835 }
2836
2837 /*
2838 * Throttle or unthrottle the SSH connection.
2839 */
2840 static void ssh1_throttle(Ssh ssh, int adjust)
2841 {
2842 int old_count = ssh->v1_throttle_count;
2843 ssh->v1_throttle_count += adjust;
2844 assert(ssh->v1_throttle_count >= 0);
2845 if (ssh->v1_throttle_count && !old_count) {
2846 ssh_set_frozen(ssh, 1);
2847 } else if (!ssh->v1_throttle_count && old_count) {
2848 ssh_set_frozen(ssh, 0);
2849 }
2850 }
2851
2852 /*
2853 * Throttle or unthrottle _all_ local data streams (for when sends
2854 * on the SSH connection itself back up).
2855 */
2856 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize)
2857 {
2858 int i;
2859 struct ssh_channel *c;
2860
2861 if (enable == ssh->throttled_all)
2862 return;
2863 ssh->throttled_all = enable;
2864 ssh->overall_bufsize = bufsize;
2865 if (!ssh->channels)
2866 return;
2867 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++) {
2868 switch (c->type) {
2869 case CHAN_MAINSESSION:
2870 /*
2871 * This is treated separately, outside the switch.
2872 */
2873 break;
2874 case CHAN_X11:
2875 x11_override_throttle(c->u.x11.s, enable);
2876 break;
2877 case CHAN_AGENT:
2878 /* Agent channels require no buffer management. */
2879 break;
2880 case CHAN_SOCKDATA:
2881 pfd_override_throttle(c->u.pfd.s, enable);
2882 break;
2883 }
2884 }
2885 }
2886
2887 static void ssh_agent_callback(void *sshv, void *reply, int replylen)
2888 {
2889 Ssh ssh = (Ssh) sshv;
2890
2891 ssh->agent_response = reply;
2892 ssh->agent_response_len = replylen;
2893
2894 if (ssh->version == 1)
2895 do_ssh1_login(ssh, NULL, -1, NULL);
2896 else
2897 do_ssh2_authconn(ssh, NULL, -1, NULL);
2898 }
2899
2900 static void ssh_dialog_callback(void *sshv, int ret)
2901 {
2902 Ssh ssh = (Ssh) sshv;
2903
2904 ssh->user_response = ret;
2905
2906 if (ssh->version == 1)
2907 do_ssh1_login(ssh, NULL, -1, NULL);
2908 else
2909 do_ssh2_transport(ssh, NULL, -1, NULL);
2910
2911 /*
2912 * This may have unfrozen the SSH connection, so do a
2913 * queued-data run.
2914 */
2915 ssh_process_queued_incoming_data(ssh);
2916 }
2917
2918 static void ssh_agentf_callback(void *cv, void *reply, int replylen)
2919 {
2920 struct ssh_channel *c = (struct ssh_channel *)cv;
2921 Ssh ssh = c->ssh;
2922 void *sentreply = reply;
2923
2924 if (!sentreply) {
2925 /* Fake SSH_AGENT_FAILURE. */
2926 sentreply = "\0\0\0\1\5";
2927 replylen = 5;
2928 }
2929 if (ssh->version == 2) {
2930 ssh2_add_channel_data(c, sentreply, replylen);
2931 ssh2_try_send(c);
2932 } else {
2933 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
2934 PKT_INT, c->remoteid,
2935 PKTT_DATA,
2936 PKT_INT, replylen,
2937 PKT_DATA, sentreply, replylen,
2938 PKTT_OTHER,
2939 PKT_END);
2940 }
2941 if (reply)
2942 sfree(reply);
2943 }
2944
2945 /*
2946 * Client-initiated disconnection. Send a DISCONNECT if `wire_reason'
2947 * non-NULL, otherwise just close the connection. `client_reason' == NULL
2948 * => log `wire_reason'.
2949 */
2950 static void ssh_disconnect(Ssh ssh, char *client_reason, char *wire_reason,
2951 int code, int clean_exit)
2952 {
2953 char *error;
2954 if (!client_reason)
2955 client_reason = wire_reason;
2956 if (client_reason)
2957 error = dupprintf("Disconnected: %s", client_reason);
2958 else
2959 error = dupstr("Disconnected");
2960 if (wire_reason) {
2961 if (ssh->version == 1) {
2962 send_packet(ssh, SSH1_MSG_DISCONNECT, PKT_STR, wire_reason,
2963 PKT_END);
2964 } else if (ssh->version == 2) {
2965 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_DISCONNECT);
2966 ssh2_pkt_adduint32(pktout, code);
2967 ssh2_pkt_addstring(pktout, wire_reason);
2968 ssh2_pkt_addstring(pktout, "en"); /* language tag */
2969 ssh2_pkt_send_noqueue(ssh, pktout);
2970 }
2971 }
2972 ssh->close_expected = TRUE;
2973 ssh->clean_exit = clean_exit;
2974 ssh_closing((Plug)ssh, error, 0, 0);
2975 sfree(error);
2976 }
2977
2978 /*
2979 * Handle the key exchange and user authentication phases.
2980 */
2981 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
2982 struct Packet *pktin)
2983 {
2984 int i, j, ret;
2985 unsigned char cookie[8], *ptr;
2986 struct RSAKey servkey, hostkey;
2987 struct MD5Context md5c;
2988 struct do_ssh1_login_state {
2989 int len;
2990 unsigned char *rsabuf, *keystr1, *keystr2;
2991 unsigned long supported_ciphers_mask, supported_auths_mask;
2992 int tried_publickey, tried_agent;
2993 int tis_auth_refused, ccard_auth_refused;
2994 unsigned char session_id[16];
2995 int cipher_type;
2996 char username[100];
2997 void *publickey_blob;
2998 int publickey_bloblen;
2999 char *publickey_comment;
3000 int publickey_encrypted;
3001 prompts_t *cur_prompt;
3002 char c;
3003 int pwpkt_type;
3004 unsigned char request[5], *response, *p;
3005 int responselen;
3006 int keyi, nkeys;
3007 int authed;
3008 struct RSAKey key;
3009 Bignum challenge;
3010 char *commentp;
3011 int commentlen;
3012 int dlgret;
3013 };
3014 crState(do_ssh1_login_state);
3015
3016 crBegin(ssh->do_ssh1_login_crstate);
3017
3018 if (!pktin)
3019 crWaitUntil(pktin);
3020
3021 if (pktin->type != SSH1_SMSG_PUBLIC_KEY) {
3022 bombout(("Public key packet not received"));
3023 crStop(0);
3024 }
3025
3026 logevent("Received public keys");
3027
3028 ptr = ssh_pkt_getdata(pktin, 8);
3029 if (!ptr) {
3030 bombout(("SSH-1 public key packet stopped before random cookie"));
3031 crStop(0);
3032 }
3033 memcpy(cookie, ptr, 8);
3034
3035 if (!ssh1_pkt_getrsakey(pktin, &servkey, &s->keystr1) ||
3036 !ssh1_pkt_getrsakey(pktin, &hostkey, &s->keystr2)) {
3037 bombout(("Failed to read SSH-1 public keys from public key packet"));
3038 crStop(0);
3039 }
3040
3041 /*
3042 * Log the host key fingerprint.
3043 */
3044 {
3045 char logmsg[80];
3046 logevent("Host key fingerprint is:");
3047 strcpy(logmsg, " ");
3048 hostkey.comment = NULL;
3049 rsa_fingerprint(logmsg + strlen(logmsg),
3050 sizeof(logmsg) - strlen(logmsg), &hostkey);
3051 logevent(logmsg);
3052 }
3053
3054 ssh->v1_remote_protoflags = ssh_pkt_getuint32(pktin);
3055 s->supported_ciphers_mask = ssh_pkt_getuint32(pktin);
3056 s->supported_auths_mask = ssh_pkt_getuint32(pktin);
3057
3058 ssh->v1_local_protoflags =
3059 ssh->v1_remote_protoflags & SSH1_PROTOFLAGS_SUPPORTED;
3060 ssh->v1_local_protoflags |= SSH1_PROTOFLAG_SCREEN_NUMBER;
3061
3062 MD5Init(&md5c);
3063 MD5Update(&md5c, s->keystr2, hostkey.bytes);
3064 MD5Update(&md5c, s->keystr1, servkey.bytes);
3065 MD5Update(&md5c, cookie, 8);
3066 MD5Final(s->session_id, &md5c);
3067
3068 for (i = 0; i < 32; i++)
3069 ssh->session_key[i] = random_byte();
3070
3071 /*
3072 * Verify that the `bits' and `bytes' parameters match.
3073 */
3074 if (hostkey.bits > hostkey.bytes * 8 ||
3075 servkey.bits > servkey.bytes * 8) {
3076 bombout(("SSH-1 public keys were badly formatted"));
3077 crStop(0);
3078 }
3079
3080 s->len = (hostkey.bytes > servkey.bytes ? hostkey.bytes : servkey.bytes);
3081
3082 s->rsabuf = snewn(s->len, unsigned char);
3083
3084 /*
3085 * Verify the host key.
3086 */
3087 {
3088 /*
3089 * First format the key into a string.
3090 */
3091 int len = rsastr_len(&hostkey);
3092 char fingerprint[100];
3093 char *keystr = snewn(len, char);
3094 rsastr_fmt(keystr, &hostkey);
3095 rsa_fingerprint(fingerprint, sizeof(fingerprint), &hostkey);
3096
3097 ssh_set_frozen(ssh, 1);
3098 s->dlgret = verify_ssh_host_key(ssh->frontend,
3099 ssh->savedhost, ssh->savedport,
3100 "rsa", keystr, fingerprint,
3101 ssh_dialog_callback, ssh);
3102 sfree(keystr);
3103 if (s->dlgret < 0) {
3104 do {
3105 crReturn(0);
3106 if (pktin) {
3107 bombout(("Unexpected data from server while waiting"
3108 " for user host key response"));
3109 crStop(0);
3110 }
3111 } while (pktin || inlen > 0);
3112 s->dlgret = ssh->user_response;
3113 }
3114 ssh_set_frozen(ssh, 0);
3115
3116 if (s->dlgret == 0) {
3117 ssh_disconnect(ssh, "User aborted at host key verification",
3118 NULL, 0, TRUE);
3119 crStop(0);
3120 }
3121 }
3122
3123 for (i = 0; i < 32; i++) {
3124 s->rsabuf[i] = ssh->session_key[i];
3125 if (i < 16)
3126 s->rsabuf[i] ^= s->session_id[i];
3127 }
3128
3129 if (hostkey.bytes > servkey.bytes) {
3130 ret = rsaencrypt(s->rsabuf, 32, &servkey);
3131 if (ret)
3132 ret = rsaencrypt(s->rsabuf, servkey.bytes, &hostkey);
3133 } else {
3134 ret = rsaencrypt(s->rsabuf, 32, &hostkey);
3135 if (ret)
3136 ret = rsaencrypt(s->rsabuf, hostkey.bytes, &servkey);
3137 }
3138 if (!ret) {
3139 bombout(("SSH-1 public key encryptions failed due to bad formatting"));
3140 crStop(0);
3141 }
3142
3143 logevent("Encrypted session key");
3144
3145 {
3146 int cipher_chosen = 0, warn = 0;
3147 char *cipher_string = NULL;
3148 int i;
3149 for (i = 0; !cipher_chosen && i < CIPHER_MAX; i++) {
3150 int next_cipher = ssh->cfg.ssh_cipherlist[i];
3151 if (next_cipher == CIPHER_WARN) {
3152 /* If/when we choose a cipher, warn about it */
3153 warn = 1;
3154 } else if (next_cipher == CIPHER_AES) {
3155 /* XXX Probably don't need to mention this. */
3156 logevent("AES not supported in SSH-1, skipping");
3157 } else {
3158 switch (next_cipher) {
3159 case CIPHER_3DES: s->cipher_type = SSH_CIPHER_3DES;
3160 cipher_string = "3DES"; break;
3161 case CIPHER_BLOWFISH: s->cipher_type = SSH_CIPHER_BLOWFISH;
3162 cipher_string = "Blowfish"; break;
3163 case CIPHER_DES: s->cipher_type = SSH_CIPHER_DES;
3164 cipher_string = "single-DES"; break;
3165 }
3166 if (s->supported_ciphers_mask & (1 << s->cipher_type))
3167 cipher_chosen = 1;
3168 }
3169 }
3170 if (!cipher_chosen) {
3171 if ((s->supported_ciphers_mask & (1 << SSH_CIPHER_3DES)) == 0)
3172 bombout(("Server violates SSH-1 protocol by not "
3173 "supporting 3DES encryption"));
3174 else
3175 /* shouldn't happen */
3176 bombout(("No supported ciphers found"));
3177 crStop(0);
3178 }
3179
3180 /* Warn about chosen cipher if necessary. */
3181 if (warn) {
3182 ssh_set_frozen(ssh, 1);
3183 s->dlgret = askalg(ssh->frontend, "cipher", cipher_string,
3184 ssh_dialog_callback, ssh);
3185 if (s->dlgret < 0) {
3186 do {
3187 crReturn(0);
3188 if (pktin) {
3189 bombout(("Unexpected data from server while waiting"
3190 " for user response"));
3191 crStop(0);
3192 }
3193 } while (pktin || inlen > 0);
3194 s->dlgret = ssh->user_response;
3195 }
3196 ssh_set_frozen(ssh, 0);
3197 if (s->dlgret == 0) {
3198 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
3199 0, TRUE);
3200 crStop(0);
3201 }
3202 }
3203 }
3204
3205 switch (s->cipher_type) {
3206 case SSH_CIPHER_3DES:
3207 logevent("Using 3DES encryption");
3208 break;
3209 case SSH_CIPHER_DES:
3210 logevent("Using single-DES encryption");
3211 break;
3212 case SSH_CIPHER_BLOWFISH:
3213 logevent("Using Blowfish encryption");
3214 break;
3215 }
3216
3217 send_packet(ssh, SSH1_CMSG_SESSION_KEY,
3218 PKT_CHAR, s->cipher_type,
3219 PKT_DATA, cookie, 8,
3220 PKT_CHAR, (s->len * 8) >> 8, PKT_CHAR, (s->len * 8) & 0xFF,
3221 PKT_DATA, s->rsabuf, s->len,
3222 PKT_INT, ssh->v1_local_protoflags, PKT_END);
3223
3224 logevent("Trying to enable encryption...");
3225
3226 sfree(s->rsabuf);
3227
3228 ssh->cipher = (s->cipher_type == SSH_CIPHER_BLOWFISH ? &ssh_blowfish_ssh1 :
3229 s->cipher_type == SSH_CIPHER_DES ? &ssh_des :
3230 &ssh_3des);
3231 ssh->v1_cipher_ctx = ssh->cipher->make_context();
3232 ssh->cipher->sesskey(ssh->v1_cipher_ctx, ssh->session_key);
3233 logeventf(ssh, "Initialised %s encryption", ssh->cipher->text_name);
3234
3235 ssh->crcda_ctx = crcda_make_context();
3236 logevent("Installing CRC compensation attack detector");
3237
3238 if (servkey.modulus) {
3239 sfree(servkey.modulus);
3240 servkey.modulus = NULL;
3241 }
3242 if (servkey.exponent) {
3243 sfree(servkey.exponent);
3244 servkey.exponent = NULL;
3245 }
3246 if (hostkey.modulus) {
3247 sfree(hostkey.modulus);
3248 hostkey.modulus = NULL;
3249 }
3250 if (hostkey.exponent) {
3251 sfree(hostkey.exponent);
3252 hostkey.exponent = NULL;
3253 }
3254 crWaitUntil(pktin);
3255
3256 if (pktin->type != SSH1_SMSG_SUCCESS) {
3257 bombout(("Encryption not successfully enabled"));
3258 crStop(0);
3259 }
3260
3261 logevent("Successfully started encryption");
3262
3263 fflush(stdout); /* FIXME eh? */
3264 {
3265 if (!*ssh->cfg.username) {
3266 int ret; /* need not be kept over crReturn */
3267 s->cur_prompt = new_prompts(ssh->frontend);
3268 s->cur_prompt->to_server = TRUE;
3269 s->cur_prompt->name = dupstr("SSH login name");
3270 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
3271 lenof(s->username));
3272 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3273 while (ret < 0) {
3274 ssh->send_ok = 1;
3275 crWaitUntil(!pktin);
3276 ret = get_userpass_input(s->cur_prompt, in, inlen);
3277 ssh->send_ok = 0;
3278 }
3279 if (!ret) {
3280 /*
3281 * Failed to get a username. Terminate.
3282 */
3283 free_prompts(s->cur_prompt);
3284 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
3285 crStop(0);
3286 }
3287 memcpy(s->username, s->cur_prompt->prompts[0]->result,
3288 lenof(s->username));
3289 free_prompts(s->cur_prompt);
3290 } else {
3291 strncpy(s->username, ssh->cfg.username, sizeof(s->username));
3292 s->username[sizeof(s->username)-1] = '\0';
3293 }
3294
3295 send_packet(ssh, SSH1_CMSG_USER, PKT_STR, s->username, PKT_END);
3296 {
3297 char *userlog = dupprintf("Sent username \"%s\"", s->username);
3298 logevent(userlog);
3299 if (flags & FLAG_INTERACTIVE &&
3300 (!((flags & FLAG_STDERR) && (flags & FLAG_VERBOSE)))) {
3301 c_write_str(ssh, userlog);
3302 c_write_str(ssh, "\r\n");
3303 }
3304 sfree(userlog);
3305 }
3306 }
3307
3308 crWaitUntil(pktin);
3309
3310 if ((ssh->remote_bugs & BUG_CHOKES_ON_RSA)) {
3311 /* We must not attempt PK auth. Pretend we've already tried it. */
3312 s->tried_publickey = s->tried_agent = 1;
3313 } else {
3314 s->tried_publickey = s->tried_agent = 0;
3315 }
3316 s->tis_auth_refused = s->ccard_auth_refused = 0;
3317 /*
3318 * Load the public half of any configured keyfile for later use.
3319 */
3320 if (!filename_is_null(ssh->cfg.keyfile)) {
3321 int keytype;
3322 logeventf(ssh, "Reading private key file \"%.150s\"",
3323 filename_to_str(&ssh->cfg.keyfile));
3324 keytype = key_type(&ssh->cfg.keyfile);
3325 if (keytype == SSH_KEYTYPE_SSH1) {
3326 const char *error;
3327 if (rsakey_pubblob(&ssh->cfg.keyfile,
3328 &s->publickey_blob, &s->publickey_bloblen,
3329 &s->publickey_comment, &error)) {
3330 s->publickey_encrypted = rsakey_encrypted(&ssh->cfg.keyfile,
3331 NULL);
3332 } else {
3333 char *msgbuf;
3334 logeventf(ssh, "Unable to load private key (%s)", error);
3335 msgbuf = dupprintf("Unable to load private key file "
3336 "\"%.150s\" (%s)\r\n",
3337 filename_to_str(&ssh->cfg.keyfile),
3338 error);
3339 c_write_str(ssh, msgbuf);
3340 sfree(msgbuf);
3341 s->publickey_blob = NULL;
3342 }
3343 } else {
3344 char *msgbuf;
3345 logeventf(ssh, "Unable to use this key file (%s)",
3346 key_type_to_str(keytype));
3347 msgbuf = dupprintf("Unable to use key file \"%.150s\""
3348 " (%s)\r\n",
3349 filename_to_str(&ssh->cfg.keyfile),
3350 key_type_to_str(keytype));
3351 c_write_str(ssh, msgbuf);
3352 sfree(msgbuf);
3353 s->publickey_blob = NULL;
3354 }
3355 } else
3356 s->publickey_blob = NULL;
3357
3358 while (pktin->type == SSH1_SMSG_FAILURE) {
3359 s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
3360
3361 if (ssh->cfg.tryagent && agent_exists() && !s->tried_agent) {
3362 /*
3363 * Attempt RSA authentication using Pageant.
3364 */
3365 void *r;
3366
3367 s->authed = FALSE;
3368 s->tried_agent = 1;
3369 logevent("Pageant is running. Requesting keys.");
3370
3371 /* Request the keys held by the agent. */
3372 PUT_32BIT(s->request, 1);
3373 s->request[4] = SSH1_AGENTC_REQUEST_RSA_IDENTITIES;
3374 if (!agent_query(s->request, 5, &r, &s->responselen,
3375 ssh_agent_callback, ssh)) {
3376 do {
3377 crReturn(0);
3378 if (pktin) {
3379 bombout(("Unexpected data from server while waiting"
3380 " for agent response"));
3381 crStop(0);
3382 }
3383 } while (pktin || inlen > 0);
3384 r = ssh->agent_response;
3385 s->responselen = ssh->agent_response_len;
3386 }
3387 s->response = (unsigned char *) r;
3388 if (s->response && s->responselen >= 5 &&
3389 s->response[4] == SSH1_AGENT_RSA_IDENTITIES_ANSWER) {
3390 s->p = s->response + 5;
3391 s->nkeys = GET_32BIT(s->p);
3392 s->p += 4;
3393 logeventf(ssh, "Pageant has %d SSH-1 keys", s->nkeys);
3394 for (s->keyi = 0; s->keyi < s->nkeys; s->keyi++) {
3395 unsigned char *pkblob = s->p;
3396 s->p += 4;
3397 {
3398 int n, ok = FALSE;
3399 do { /* do while (0) to make breaking easy */
3400 n = ssh1_read_bignum
3401 (s->p, s->responselen-(s->p-s->response),
3402 &s->key.exponent);
3403 if (n < 0)
3404 break;
3405 s->p += n;
3406 n = ssh1_read_bignum
3407 (s->p, s->responselen-(s->p-s->response),
3408 &s->key.modulus);
3409 if (n < 0)
3410 break;
3411 s->p += n;
3412 if (s->responselen - (s->p-s->response) < 4)
3413 break;
3414 s->commentlen = GET_32BIT(s->p);
3415 s->p += 4;
3416 if (s->responselen - (s->p-s->response) <
3417 s->commentlen)
3418 break;
3419 s->commentp = (char *)s->p;
3420 s->p += s->commentlen;
3421 ok = TRUE;
3422 } while (0);
3423 if (!ok) {
3424 logevent("Pageant key list packet was truncated");
3425 break;
3426 }
3427 }
3428 if (s->publickey_blob) {
3429 if (!memcmp(pkblob, s->publickey_blob,
3430 s->publickey_bloblen)) {
3431 logeventf(ssh, "Pageant key #%d matches "
3432 "configured key file", s->keyi);
3433 s->tried_publickey = 1;
3434 } else
3435 /* Skip non-configured key */
3436 continue;
3437 }
3438 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
3439 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3440 PKT_BIGNUM, s->key.modulus, PKT_END);
3441 crWaitUntil(pktin);
3442 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3443 logevent("Key refused");
3444 continue;
3445 }
3446 logevent("Received RSA challenge");
3447 if ((s->challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3448 bombout(("Server's RSA challenge was badly formatted"));
3449 crStop(0);
3450 }
3451
3452 {
3453 char *agentreq, *q, *ret;
3454 void *vret;
3455 int len, retlen;
3456 len = 1 + 4; /* message type, bit count */
3457 len += ssh1_bignum_length(s->key.exponent);
3458 len += ssh1_bignum_length(s->key.modulus);
3459 len += ssh1_bignum_length(s->challenge);
3460 len += 16; /* session id */
3461 len += 4; /* response format */
3462 agentreq = snewn(4 + len, char);
3463 PUT_32BIT(agentreq, len);
3464 q = agentreq + 4;
3465 *q++ = SSH1_AGENTC_RSA_CHALLENGE;
3466 PUT_32BIT(q, bignum_bitcount(s->key.modulus));
3467 q += 4;
3468 q += ssh1_write_bignum(q, s->key.exponent);
3469 q += ssh1_write_bignum(q, s->key.modulus);
3470 q += ssh1_write_bignum(q, s->challenge);
3471 memcpy(q, s->session_id, 16);
3472 q += 16;
3473 PUT_32BIT(q, 1); /* response format */
3474 if (!agent_query(agentreq, len + 4, &vret, &retlen,
3475 ssh_agent_callback, ssh)) {
3476 sfree(agentreq);
3477 do {
3478 crReturn(0);
3479 if (pktin) {
3480 bombout(("Unexpected data from server"
3481 " while waiting for agent"
3482 " response"));
3483 crStop(0);
3484 }
3485 } while (pktin || inlen > 0);
3486 vret = ssh->agent_response;
3487 retlen = ssh->agent_response_len;
3488 } else
3489 sfree(agentreq);
3490 ret = vret;
3491 if (ret) {
3492 if (ret[4] == SSH1_AGENT_RSA_RESPONSE) {
3493 logevent("Sending Pageant's response");
3494 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3495 PKT_DATA, ret + 5, 16,
3496 PKT_END);
3497 sfree(ret);
3498 crWaitUntil(pktin);
3499 if (pktin->type == SSH1_SMSG_SUCCESS) {
3500 logevent
3501 ("Pageant's response accepted");
3502 if (flags & FLAG_VERBOSE) {
3503 c_write_str(ssh, "Authenticated using"
3504 " RSA key \"");
3505 c_write(ssh, s->commentp,
3506 s->commentlen);
3507 c_write_str(ssh, "\" from agent\r\n");
3508 }
3509 s->authed = TRUE;
3510 } else
3511 logevent
3512 ("Pageant's response not accepted");
3513 } else {
3514 logevent
3515 ("Pageant failed to answer challenge");
3516 sfree(ret);
3517 }
3518 } else {
3519 logevent("No reply received from Pageant");
3520 }
3521 }
3522 freebn(s->key.exponent);
3523 freebn(s->key.modulus);
3524 freebn(s->challenge);
3525 if (s->authed)
3526 break;
3527 }
3528 sfree(s->response);
3529 if (s->publickey_blob && !s->tried_publickey)
3530 logevent("Configured key file not in Pageant");
3531 }
3532 if (s->authed)
3533 break;
3534 }
3535 if (s->publickey_blob && !s->tried_publickey) {
3536 /*
3537 * Try public key authentication with the specified
3538 * key file.
3539 */
3540 int got_passphrase; /* need not be kept over crReturn */
3541 if (flags & FLAG_VERBOSE)
3542 c_write_str(ssh, "Trying public key authentication.\r\n");
3543 logeventf(ssh, "Trying public key \"%s\"",
3544 filename_to_str(&ssh->cfg.keyfile));
3545 s->tried_publickey = 1;
3546 got_passphrase = FALSE;
3547 while (!got_passphrase) {
3548 /*
3549 * Get a passphrase, if necessary.
3550 */
3551 char *passphrase = NULL; /* only written after crReturn */
3552 const char *error;
3553 if (!s->publickey_encrypted) {
3554 if (flags & FLAG_VERBOSE)
3555 c_write_str(ssh, "No passphrase required.\r\n");
3556 passphrase = NULL;
3557 } else {
3558 int ret; /* need not be kept over crReturn */
3559 s->cur_prompt = new_prompts(ssh->frontend);
3560 s->cur_prompt->to_server = FALSE;
3561 s->cur_prompt->name = dupstr("SSH key passphrase");
3562 add_prompt(s->cur_prompt,
3563 dupprintf("Passphrase for key \"%.100s\": ",
3564 s->publickey_comment),
3565 FALSE, SSH_MAX_PASSWORD_LEN);
3566 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3567 while (ret < 0) {
3568 ssh->send_ok = 1;
3569 crWaitUntil(!pktin);
3570 ret = get_userpass_input(s->cur_prompt, in, inlen);
3571 ssh->send_ok = 0;
3572 }
3573 if (!ret) {
3574 /* Failed to get a passphrase. Terminate. */
3575 free_prompts(s->cur_prompt);
3576 ssh_disconnect(ssh, NULL, "Unable to authenticate",
3577 0, TRUE);
3578 crStop(0);
3579 }
3580 passphrase = dupstr(s->cur_prompt->prompts[0]->result);
3581 free_prompts(s->cur_prompt);
3582 }
3583 /*
3584 * Try decrypting key with passphrase.
3585 */
3586 ret = loadrsakey(&ssh->cfg.keyfile, &s->key, passphrase,
3587 &error);
3588 if (passphrase) {
3589 memset(passphrase, 0, strlen(passphrase));
3590 sfree(passphrase);
3591 }
3592 if (ret == 1) {
3593 /* Correct passphrase. */
3594 got_passphrase = TRUE;
3595 } else if (ret == 0) {
3596 c_write_str(ssh, "Couldn't load private key from ");
3597 c_write_str(ssh, filename_to_str(&ssh->cfg.keyfile));
3598 c_write_str(ssh, " (");
3599 c_write_str(ssh, error);
3600 c_write_str(ssh, ").\r\n");
3601 got_passphrase = FALSE;
3602 break; /* go and try something else */
3603 } else if (ret == -1) {
3604 c_write_str(ssh, "Wrong passphrase.\r\n"); /* FIXME */
3605 got_passphrase = FALSE;
3606 /* and try again */
3607 } else {
3608 assert(0 && "unexpected return from loadrsakey()");
3609 got_passphrase = FALSE; /* placate optimisers */
3610 }
3611 }
3612
3613 if (got_passphrase) {
3614
3615 /*
3616 * Send a public key attempt.
3617 */
3618 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3619 PKT_BIGNUM, s->key.modulus, PKT_END);
3620
3621 crWaitUntil(pktin);
3622 if (pktin->type == SSH1_SMSG_FAILURE) {
3623 c_write_str(ssh, "Server refused our public key.\r\n");
3624 continue; /* go and try something else */
3625 }
3626 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3627 bombout(("Bizarre response to offer of public key"));
3628 crStop(0);
3629 }
3630
3631 {
3632 int i;
3633 unsigned char buffer[32];
3634 Bignum challenge, response;
3635
3636 if ((challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3637 bombout(("Server's RSA challenge was badly formatted"));
3638 crStop(0);
3639 }
3640 response = rsadecrypt(challenge, &s->key);
3641 freebn(s->key.private_exponent);/* burn the evidence */
3642
3643 for (i = 0; i < 32; i++) {
3644 buffer[i] = bignum_byte(response, 31 - i);
3645 }
3646
3647 MD5Init(&md5c);
3648 MD5Update(&md5c, buffer, 32);
3649 MD5Update(&md5c, s->session_id, 16);
3650 MD5Final(buffer, &md5c);
3651
3652 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3653 PKT_DATA, buffer, 16, PKT_END);
3654
3655 freebn(challenge);
3656 freebn(response);
3657 }
3658
3659 crWaitUntil(pktin);
3660 if (pktin->type == SSH1_SMSG_FAILURE) {
3661 if (flags & FLAG_VERBOSE)
3662 c_write_str(ssh, "Failed to authenticate with"
3663 " our public key.\r\n");
3664 continue; /* go and try something else */
3665 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
3666 bombout(("Bizarre response to RSA authentication response"));
3667 crStop(0);
3668 }
3669
3670 break; /* we're through! */
3671 }
3672
3673 }
3674
3675 /*
3676 * Otherwise, try various forms of password-like authentication.
3677 */
3678 s->cur_prompt = new_prompts(ssh->frontend);
3679
3680 if (ssh->cfg.try_tis_auth &&
3681 (s->supported_auths_mask & (1 << SSH1_AUTH_TIS)) &&
3682 !s->tis_auth_refused) {
3683 s->pwpkt_type = SSH1_CMSG_AUTH_TIS_RESPONSE;
3684 logevent("Requested TIS authentication");
3685 send_packet(ssh, SSH1_CMSG_AUTH_TIS, PKT_END);
3686 crWaitUntil(pktin);
3687 if (pktin->type != SSH1_SMSG_AUTH_TIS_CHALLENGE) {
3688 logevent("TIS authentication declined");
3689 if (flags & FLAG_INTERACTIVE)
3690 c_write_str(ssh, "TIS authentication refused.\r\n");
3691 s->tis_auth_refused = 1;
3692 continue;
3693 } else {
3694 char *challenge;
3695 int challengelen;
3696 char *instr_suf, *prompt;
3697
3698 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3699 if (!challenge) {
3700 bombout(("TIS challenge packet was badly formed"));
3701 crStop(0);
3702 }
3703 logevent("Received TIS challenge");
3704 s->cur_prompt->to_server = TRUE;
3705 s->cur_prompt->name = dupstr("SSH TIS authentication");
3706 /* Prompt heuristic comes from OpenSSH */
3707 if (memchr(challenge, '\n', challengelen)) {
3708 instr_suf = dupstr("");
3709 prompt = dupprintf("%.*s", challengelen, challenge);
3710 } else {
3711 instr_suf = dupprintf("%.*s", challengelen, challenge);
3712 prompt = dupstr("Response: ");
3713 }
3714 s->cur_prompt->instruction =
3715 dupprintf("Using TIS authentication.%s%s",
3716 (*instr_suf) ? "\n" : "",
3717 instr_suf);
3718 s->cur_prompt->instr_reqd = TRUE;
3719 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3720 sfree(instr_suf);
3721 }
3722 }
3723 if (ssh->cfg.try_tis_auth &&
3724 (s->supported_auths_mask & (1 << SSH1_AUTH_CCARD)) &&
3725 !s->ccard_auth_refused) {
3726 s->pwpkt_type = SSH1_CMSG_AUTH_CCARD_RESPONSE;
3727 logevent("Requested CryptoCard authentication");
3728 send_packet(ssh, SSH1_CMSG_AUTH_CCARD, PKT_END);
3729 crWaitUntil(pktin);
3730 if (pktin->type != SSH1_SMSG_AUTH_CCARD_CHALLENGE) {
3731 logevent("CryptoCard authentication declined");
3732 c_write_str(ssh, "CryptoCard authentication refused.\r\n");
3733 s->ccard_auth_refused = 1;
3734 continue;
3735 } else {
3736 char *challenge;
3737 int challengelen;
3738 char *instr_suf, *prompt;
3739
3740 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3741 if (!challenge) {
3742 bombout(("CryptoCard challenge packet was badly formed"));
3743 crStop(0);
3744 }
3745 logevent("Received CryptoCard challenge");
3746 s->cur_prompt->to_server = TRUE;
3747 s->cur_prompt->name = dupstr("SSH CryptoCard authentication");
3748 s->cur_prompt->name_reqd = FALSE;
3749 /* Prompt heuristic comes from OpenSSH */
3750 if (memchr(challenge, '\n', challengelen)) {
3751 instr_suf = dupstr("");
3752 prompt = dupprintf("%.*s", challengelen, challenge);
3753 } else {
3754 instr_suf = dupprintf("%.*s", challengelen, challenge);
3755 prompt = dupstr("Response: ");
3756 }
3757 s->cur_prompt->instruction =
3758 dupprintf("Using CryptoCard authentication.%s%s",
3759 (*instr_suf) ? "\n" : "",
3760 instr_suf);
3761 s->cur_prompt->instr_reqd = TRUE;
3762 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3763 sfree(instr_suf);
3764 }
3765 }
3766 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3767 s->cur_prompt->to_server = TRUE;
3768 s->cur_prompt->name = dupstr("SSH password");
3769 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
3770 s->username, ssh->savedhost),
3771 FALSE, SSH_MAX_PASSWORD_LEN);
3772 }
3773
3774 /*
3775 * Show password prompt, having first obtained it via a TIS
3776 * or CryptoCard exchange if we're doing TIS or CryptoCard
3777 * authentication.
3778 */
3779 {
3780 int ret; /* need not be kept over crReturn */
3781 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3782 while (ret < 0) {
3783 ssh->send_ok = 1;
3784 crWaitUntil(!pktin);
3785 ret = get_userpass_input(s->cur_prompt, in, inlen);
3786 ssh->send_ok = 0;
3787 }
3788 if (!ret) {
3789 /*
3790 * Failed to get a password (for example
3791 * because one was supplied on the command line
3792 * which has already failed to work). Terminate.
3793 */
3794 free_prompts(s->cur_prompt);
3795 ssh_disconnect(ssh, NULL, "Unable to authenticate", 0, TRUE);
3796 crStop(0);
3797 }
3798 }
3799
3800 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3801 /*
3802 * Defence against traffic analysis: we send a
3803 * whole bunch of packets containing strings of
3804 * different lengths. One of these strings is the
3805 * password, in a SSH1_CMSG_AUTH_PASSWORD packet.
3806 * The others are all random data in
3807 * SSH1_MSG_IGNORE packets. This way a passive
3808 * listener can't tell which is the password, and
3809 * hence can't deduce the password length.
3810 *
3811 * Anybody with a password length greater than 16
3812 * bytes is going to have enough entropy in their
3813 * password that a listener won't find it _that_
3814 * much help to know how long it is. So what we'll
3815 * do is:
3816 *
3817 * - if password length < 16, we send 15 packets
3818 * containing string lengths 1 through 15
3819 *
3820 * - otherwise, we let N be the nearest multiple
3821 * of 8 below the password length, and send 8
3822 * packets containing string lengths N through
3823 * N+7. This won't obscure the order of
3824 * magnitude of the password length, but it will
3825 * introduce a bit of extra uncertainty.
3826 *
3827 * A few servers can't deal with SSH1_MSG_IGNORE, at
3828 * least in this context. For these servers, we need
3829 * an alternative defence. We make use of the fact
3830 * that the password is interpreted as a C string:
3831 * so we can append a NUL, then some random data.
3832 *
3833 * A few servers can deal with neither SSH1_MSG_IGNORE
3834 * here _nor_ a padded password string.
3835 * For these servers we are left with no defences
3836 * against password length sniffing.
3837 */
3838 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE) &&
3839 !(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
3840 /*
3841 * The server can deal with SSH1_MSG_IGNORE, so
3842 * we can use the primary defence.
3843 */
3844 int bottom, top, pwlen, i;
3845 char *randomstr;
3846
3847 pwlen = strlen(s->cur_prompt->prompts[0]->result);
3848 if (pwlen < 16) {
3849 bottom = 0; /* zero length passwords are OK! :-) */
3850 top = 15;
3851 } else {
3852 bottom = pwlen & ~7;
3853 top = bottom + 7;
3854 }
3855
3856 assert(pwlen >= bottom && pwlen <= top);
3857
3858 randomstr = snewn(top + 1, char);
3859
3860 for (i = bottom; i <= top; i++) {
3861 if (i == pwlen) {
3862 defer_packet(ssh, s->pwpkt_type,
3863 PKTT_PASSWORD, PKT_STR,
3864 s->cur_prompt->prompts[0]->result,
3865 PKTT_OTHER, PKT_END);
3866 } else {
3867 for (j = 0; j < i; j++) {
3868 do {
3869 randomstr[j] = random_byte();
3870 } while (randomstr[j] == '\0');
3871 }
3872 randomstr[i] = '\0';
3873 defer_packet(ssh, SSH1_MSG_IGNORE,
3874 PKT_STR, randomstr, PKT_END);
3875 }
3876 }
3877 logevent("Sending password with camouflage packets");
3878 ssh_pkt_defersend(ssh);
3879 sfree(randomstr);
3880 }
3881 else if (!(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
3882 /*
3883 * The server can't deal with SSH1_MSG_IGNORE
3884 * but can deal with padded passwords, so we
3885 * can use the secondary defence.
3886 */
3887 char string[64];
3888 char *ss;
3889 int len;
3890
3891 len = strlen(s->cur_prompt->prompts[0]->result);
3892 if (len < sizeof(string)) {
3893 ss = string;
3894 strcpy(string, s->cur_prompt->prompts[0]->result);
3895 len++; /* cover the zero byte */
3896 while (len < sizeof(string)) {
3897 string[len++] = (char) random_byte();
3898 }
3899 } else {
3900 ss = s->cur_prompt->prompts[0]->result;
3901 }
3902 logevent("Sending length-padded password");
3903 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
3904 PKT_INT, len, PKT_DATA, ss, len,
3905 PKTT_OTHER, PKT_END);
3906 } else {
3907 /*
3908 * The server is believed unable to cope with
3909 * any of our password camouflage methods.
3910 */
3911 int len;
3912 len = strlen(s->cur_prompt->prompts[0]->result);
3913 logevent("Sending unpadded password");
3914 send_packet(ssh, s->pwpkt_type,
3915 PKTT_PASSWORD, PKT_INT, len,
3916 PKT_DATA, s->cur_prompt->prompts[0]->result, len,
3917 PKTT_OTHER, PKT_END);
3918 }
3919 } else {
3920 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
3921 PKT_STR, s->cur_prompt->prompts[0]->result,
3922 PKTT_OTHER, PKT_END);
3923 }
3924 logevent("Sent password");
3925 free_prompts(s->cur_prompt);
3926 crWaitUntil(pktin);
3927 if (pktin->type == SSH1_SMSG_FAILURE) {
3928 if (flags & FLAG_VERBOSE)
3929 c_write_str(ssh, "Access denied\r\n");
3930 logevent("Authentication refused");
3931 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
3932 bombout(("Strange packet received, type %d", pktin->type));
3933 crStop(0);
3934 }
3935 }
3936
3937 /* Clear up */
3938 if (s->publickey_blob) {
3939 sfree(s->publickey_blob);
3940 sfree(s->publickey_comment);
3941 }
3942
3943 logevent("Authentication successful");
3944
3945 crFinish(1);
3946 }
3947
3948 void sshfwd_close(struct ssh_channel *c)
3949 {
3950 Ssh ssh = c->ssh;
3951
3952 if (ssh->state == SSH_STATE_CLOSED)
3953 return;
3954
3955 if (c && !c->closes) {
3956 /*
3957 * If halfopen is true, we have sent
3958 * CHANNEL_OPEN for this channel, but it hasn't even been
3959 * acknowledged by the server. So we must set a close flag
3960 * on it now, and then when the server acks the channel
3961 * open, we can close it then.
3962 */
3963 if (!c->halfopen) {
3964 if (ssh->version == 1) {
3965 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE, PKT_INT, c->remoteid,
3966 PKT_END);
3967 } else {
3968 struct Packet *pktout;
3969 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
3970 ssh2_pkt_adduint32(pktout, c->remoteid);
3971 ssh2_pkt_send(ssh, pktout);
3972 }
3973 }
3974 c->closes = 1; /* sent MSG_CLOSE */
3975 if (c->type == CHAN_X11) {
3976 c->u.x11.s = NULL;
3977 logevent("Forwarded X11 connection terminated");
3978 } else if (c->type == CHAN_SOCKDATA ||
3979 c->type == CHAN_SOCKDATA_DORMANT) {
3980 c->u.pfd.s = NULL;
3981 logevent("Forwarded port closed");
3982 }
3983 }
3984 }
3985
3986 int sshfwd_write(struct ssh_channel *c, char *buf, int len)
3987 {
3988 Ssh ssh = c->ssh;
3989
3990 if (ssh->state == SSH_STATE_CLOSED)
3991 return 0;
3992
3993 if (ssh->version == 1) {
3994 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
3995 PKT_INT, c->remoteid,
3996 PKTT_DATA,
3997 PKT_INT, len, PKT_DATA, buf, len,
3998 PKTT_OTHER, PKT_END);
3999 /*
4000 * In SSH-1 we can return 0 here - implying that forwarded
4001 * connections are never individually throttled - because
4002 * the only circumstance that can cause throttling will be
4003 * the whole SSH connection backing up, in which case
4004 * _everything_ will be throttled as a whole.
4005 */
4006 return 0;
4007 } else {
4008 ssh2_add_channel_data(c, buf, len);
4009 return ssh2_try_send(c);
4010 }
4011 }
4012
4013 void sshfwd_unthrottle(struct ssh_channel *c, int bufsize)
4014 {
4015 Ssh ssh = c->ssh;
4016
4017 if (ssh->state == SSH_STATE_CLOSED)
4018 return;
4019
4020 if (ssh->version == 1) {
4021 if (c->v.v1.throttling && bufsize < SSH1_BUFFER_LIMIT) {
4022 c->v.v1.throttling = 0;
4023 ssh1_throttle(ssh, -1);
4024 }
4025 } else {
4026 ssh2_set_window(c, OUR_V2_WINSIZE - bufsize);
4027 }
4028 }
4029
4030 static void ssh_queueing_handler(Ssh ssh, struct Packet *pktin)
4031 {
4032 struct queued_handler *qh = ssh->qhead;
4033
4034 assert(qh != NULL);
4035
4036 assert(pktin->type == qh->msg1 || pktin->type == qh->msg2);
4037
4038 if (qh->msg1 > 0) {
4039 assert(ssh->packet_dispatch[qh->msg1] == ssh_queueing_handler);
4040 ssh->packet_dispatch[qh->msg1] = NULL;
4041 }
4042 if (qh->msg2 > 0) {
4043 assert(ssh->packet_dispatch[qh->msg2] == ssh_queueing_handler);
4044 ssh->packet_dispatch[qh->msg2] = NULL;
4045 }
4046
4047 if (qh->next) {
4048 ssh->qhead = qh->next;
4049
4050 if (ssh->qhead->msg1 > 0) {
4051 assert(ssh->packet_dispatch[ssh->qhead->msg1] == NULL);
4052 ssh->packet_dispatch[ssh->qhead->msg1] = ssh_queueing_handler;
4053 }
4054 if (ssh->qhead->msg2 > 0) {
4055 assert(ssh->packet_dispatch[ssh->qhead->msg2] == NULL);
4056 ssh->packet_dispatch[ssh->qhead->msg2] = ssh_queueing_handler;
4057 }
4058 } else {
4059 ssh->qhead = ssh->qtail = NULL;
4060 ssh->packet_dispatch[pktin->type] = NULL;
4061 }
4062
4063 qh->handler(ssh, pktin, qh->ctx);
4064
4065 sfree(qh);
4066 }
4067
4068 static void ssh_queue_handler(Ssh ssh, int msg1, int msg2,
4069 chandler_fn_t handler, void *ctx)
4070 {
4071 struct queued_handler *qh;
4072
4073 qh = snew(struct queued_handler);
4074 qh->msg1 = msg1;
4075 qh->msg2 = msg2;
4076 qh->handler = handler;
4077 qh->ctx = ctx;
4078 qh->next = NULL;
4079
4080 if (ssh->qtail == NULL) {
4081 ssh->qhead = qh;
4082
4083 if (qh->msg1 > 0) {
4084 assert(ssh->packet_dispatch[qh->msg1] == NULL);
4085 ssh->packet_dispatch[qh->msg1] = ssh_queueing_handler;
4086 }
4087 if (qh->msg2 > 0) {
4088 assert(ssh->packet_dispatch[qh->msg2] == NULL);
4089 ssh->packet_dispatch[qh->msg2] = ssh_queueing_handler;
4090 }
4091 } else {
4092 ssh->qtail->next = qh;
4093 }
4094 ssh->qtail = qh;
4095 }
4096
4097 static void ssh_rportfwd_succfail(Ssh ssh, struct Packet *pktin, void *ctx)
4098 {
4099 struct ssh_rportfwd *rpf, *pf = (struct ssh_rportfwd *)ctx;
4100
4101 if (pktin->type == (ssh->version == 1 ? SSH1_SMSG_SUCCESS :
4102 SSH2_MSG_REQUEST_SUCCESS)) {
4103 logeventf(ssh, "Remote port forwarding from %s enabled",
4104 pf->sportdesc);
4105 } else {
4106 logeventf(ssh, "Remote port forwarding from %s refused",
4107 pf->sportdesc);
4108
4109 rpf = del234(ssh->rportfwds, pf);
4110 assert(rpf == pf);
4111 free_rportfwd(pf);
4112 }
4113 }
4114
4115 static void ssh_setup_portfwd(Ssh ssh, const Config *cfg)
4116 {
4117 const char *portfwd_strptr = cfg->portfwd;
4118 struct ssh_portfwd *epf;
4119 int i;
4120
4121 if (!ssh->portfwds) {
4122 ssh->portfwds = newtree234(ssh_portcmp);
4123 } else {
4124 /*
4125 * Go through the existing port forwardings and tag them
4126 * with status==DESTROY. Any that we want to keep will be
4127 * re-enabled (status==KEEP) as we go through the
4128 * configuration and find out which bits are the same as
4129 * they were before.
4130 */
4131 struct ssh_portfwd *epf;
4132 int i;
4133 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4134 epf->status = DESTROY;
4135 }
4136
4137 while (*portfwd_strptr) {
4138 char address_family, type;
4139 int sport,dport,sserv,dserv;
4140 char sports[256], dports[256], saddr[256], host[256];
4141 int n;
4142
4143 address_family = 'A';
4144 type = 'L';
4145 if (*portfwd_strptr == 'A' ||
4146 *portfwd_strptr == '4' ||
4147 *portfwd_strptr == '6')
4148 address_family = *portfwd_strptr++;
4149 if (*portfwd_strptr == 'L' ||
4150 *portfwd_strptr == 'R' ||
4151 *portfwd_strptr == 'D')
4152 type = *portfwd_strptr++;
4153
4154 saddr[0] = '\0';
4155
4156 n = 0;
4157 while (*portfwd_strptr && *portfwd_strptr != '\t') {
4158 if (*portfwd_strptr == ':') {
4159 /*
4160 * We've seen a colon in the middle of the
4161 * source port number. This means that
4162 * everything we've seen until now is the
4163 * source _address_, so we'll move it into
4164 * saddr and start sports from the beginning
4165 * again.
4166 */
4167 portfwd_strptr++;
4168 sports[n] = '\0';
4169 if (ssh->version == 1 && type == 'R') {
4170 logeventf(ssh, "SSH-1 cannot handle remote source address "
4171 "spec \"%s\"; ignoring", sports);
4172 } else
4173 strcpy(saddr, sports);
4174 n = 0;
4175 }
4176 if (n < lenof(sports)-1) sports[n++] = *portfwd_strptr++;
4177 }
4178 sports[n] = 0;
4179 if (type != 'D') {
4180 if (*portfwd_strptr == '\t')
4181 portfwd_strptr++;
4182 n = 0;
4183 while (*portfwd_strptr && *portfwd_strptr != ':') {
4184 if (n < lenof(host)-1) host[n++] = *portfwd_strptr++;
4185 }
4186 host[n] = 0;
4187 if (*portfwd_strptr == ':')
4188 portfwd_strptr++;
4189 n = 0;
4190 while (*portfwd_strptr) {
4191 if (n < lenof(dports)-1) dports[n++] = *portfwd_strptr++;
4192 }
4193 dports[n] = 0;
4194 portfwd_strptr++;
4195 dport = atoi(dports);
4196 dserv = 0;
4197 if (dport == 0) {
4198 dserv = 1;
4199 dport = net_service_lookup(dports);
4200 if (!dport) {
4201 logeventf(ssh, "Service lookup failed for destination"
4202 " port \"%s\"", dports);
4203 }
4204 }
4205 } else {
4206 while (*portfwd_strptr) portfwd_strptr++;
4207 host[0] = 0;
4208 dports[0] = 0;
4209 dport = dserv = -1;
4210 portfwd_strptr++; /* eat the NUL and move to next one */
4211 }
4212 sport = atoi(sports);
4213 sserv = 0;
4214 if (sport == 0) {
4215 sserv = 1;
4216 sport = net_service_lookup(sports);
4217 if (!sport) {
4218 logeventf(ssh, "Service lookup failed for source"
4219 " port \"%s\"", sports);
4220 }
4221 }
4222 if (sport && dport) {
4223 /* Set up a description of the source port. */
4224 struct ssh_portfwd *pfrec, *epfrec;
4225
4226 pfrec = snew(struct ssh_portfwd);
4227 pfrec->type = type;
4228 pfrec->saddr = *saddr ? dupstr(saddr) : NULL;
4229 pfrec->sserv = sserv ? dupstr(sports) : NULL;
4230 pfrec->sport = sport;
4231 pfrec->daddr = *host ? dupstr(host) : NULL;
4232 pfrec->dserv = dserv ? dupstr(dports) : NULL;
4233 pfrec->dport = dport;
4234 pfrec->local = NULL;
4235 pfrec->remote = NULL;
4236 pfrec->addressfamily = (address_family == '4' ? ADDRTYPE_IPV4 :
4237 address_family == '6' ? ADDRTYPE_IPV6 :
4238 ADDRTYPE_UNSPEC);
4239
4240 epfrec = add234(ssh->portfwds, pfrec);
4241 if (epfrec != pfrec) {
4242 /*
4243 * We already have a port forwarding with precisely
4244 * these parameters. Hence, no need to do anything;
4245 * simply tag the existing one as KEEP.
4246 */
4247 epfrec->status = KEEP;
4248 free_portfwd(pfrec);
4249 } else {
4250 pfrec->status = CREATE;
4251 }
4252 }
4253 }
4254
4255 /*
4256 * Now go through and destroy any port forwardings which were
4257 * not re-enabled.
4258 */
4259 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4260 if (epf->status == DESTROY) {
4261 char *message;
4262
4263 message = dupprintf("%s port forwarding from %s%s%d",
4264 epf->type == 'L' ? "local" :
4265 epf->type == 'R' ? "remote" : "dynamic",
4266 epf->saddr ? epf->saddr : "",
4267 epf->saddr ? ":" : "",
4268 epf->sport);
4269
4270 if (epf->type != 'D') {
4271 char *msg2 = dupprintf("%s to %s:%d", message,
4272 epf->daddr, epf->dport);
4273 sfree(message);
4274 message = msg2;
4275 }
4276
4277 logeventf(ssh, "Cancelling %s", message);
4278 sfree(message);
4279
4280 if (epf->remote) {
4281 struct ssh_rportfwd *rpf = epf->remote;
4282 struct Packet *pktout;
4283
4284 /*
4285 * Cancel the port forwarding at the server
4286 * end.
4287 */
4288 if (ssh->version == 1) {
4289 /*
4290 * We cannot cancel listening ports on the
4291 * server side in SSH-1! There's no message
4292 * to support it. Instead, we simply remove
4293 * the rportfwd record from the local end
4294 * so that any connections the server tries
4295 * to make on it are rejected.
4296 */
4297 } else {
4298 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4299 ssh2_pkt_addstring(pktout, "cancel-tcpip-forward");
4300 ssh2_pkt_addbool(pktout, 0);/* _don't_ want reply */
4301 if (epf->saddr) {
4302 ssh2_pkt_addstring(pktout, epf->saddr);
4303 } else if (ssh->cfg.rport_acceptall) {
4304 /* XXX: ssh->cfg.rport_acceptall may not represent
4305 * what was used to open the original connection,
4306 * since it's reconfigurable. */
4307 ssh2_pkt_addstring(pktout, "0.0.0.0");
4308 } else {
4309 ssh2_pkt_addstring(pktout, "127.0.0.1");
4310 }
4311 ssh2_pkt_adduint32(pktout, epf->sport);
4312 ssh2_pkt_send(ssh, pktout);
4313 }
4314
4315 del234(ssh->rportfwds, rpf);
4316 free_rportfwd(rpf);
4317 } else if (epf->local) {
4318 pfd_terminate(epf->local);
4319 }
4320
4321 delpos234(ssh->portfwds, i);
4322 free_portfwd(epf);
4323 i--; /* so we don't skip one in the list */
4324 }
4325
4326 /*
4327 * And finally, set up any new port forwardings (status==CREATE).
4328 */
4329 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4330 if (epf->status == CREATE) {
4331 char *sportdesc, *dportdesc;
4332 sportdesc = dupprintf("%s%s%s%s%d%s",
4333 epf->saddr ? epf->saddr : "",
4334 epf->saddr ? ":" : "",
4335 epf->sserv ? epf->sserv : "",
4336 epf->sserv ? "(" : "",
4337 epf->sport,
4338 epf->sserv ? ")" : "");
4339 if (epf->type == 'D') {
4340 dportdesc = NULL;
4341 } else {
4342 dportdesc = dupprintf("%s:%s%s%d%s",
4343 epf->daddr,
4344 epf->dserv ? epf->dserv : "",
4345 epf->dserv ? "(" : "",
4346 epf->dport,
4347 epf->dserv ? ")" : "");
4348 }
4349
4350 if (epf->type == 'L') {
4351 const char *err = pfd_addforward(epf->daddr, epf->dport,
4352 epf->saddr, epf->sport,
4353 ssh, cfg,
4354 &epf->local,
4355 epf->addressfamily);
4356
4357 logeventf(ssh, "Local %sport %s forwarding to %s%s%s",
4358 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4359 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4360 sportdesc, dportdesc,
4361 err ? " failed: " : "", err ? err : "");
4362 } else if (epf->type == 'D') {
4363 const char *err = pfd_addforward(NULL, -1,
4364 epf->saddr, epf->sport,
4365 ssh, cfg,
4366 &epf->local,
4367 epf->addressfamily);
4368
4369 logeventf(ssh, "Local %sport %s SOCKS dynamic forwarding%s%s",
4370 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4371 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4372 sportdesc,
4373 err ? " failed: " : "", err ? err : "");
4374 } else {
4375 struct ssh_rportfwd *pf;
4376
4377 /*
4378 * Ensure the remote port forwardings tree exists.
4379 */
4380 if (!ssh->rportfwds) {
4381 if (ssh->version == 1)
4382 ssh->rportfwds = newtree234(ssh_rportcmp_ssh1);
4383 else
4384 ssh->rportfwds = newtree234(ssh_rportcmp_ssh2);
4385 }
4386
4387 pf = snew(struct ssh_rportfwd);
4388 strncpy(pf->dhost, epf->daddr, lenof(pf->dhost)-1);
4389 pf->dhost[lenof(pf->dhost)-1] = '\0';
4390 pf->dport = epf->dport;
4391 pf->sport = epf->sport;
4392 if (add234(ssh->rportfwds, pf) != pf) {
4393 logeventf(ssh, "Duplicate remote port forwarding to %s:%d",
4394 epf->daddr, epf->dport);
4395 sfree(pf);
4396 } else {
4397 logeventf(ssh, "Requesting remote port %s"
4398 " forward to %s", sportdesc, dportdesc);
4399
4400 pf->sportdesc = sportdesc;
4401 sportdesc = NULL;
4402 epf->remote = pf;
4403 pf->pfrec = epf;
4404
4405 if (ssh->version == 1) {
4406 send_packet(ssh, SSH1_CMSG_PORT_FORWARD_REQUEST,
4407 PKT_INT, epf->sport,
4408 PKT_STR, epf->daddr,
4409 PKT_INT, epf->dport,
4410 PKT_END);
4411 ssh_queue_handler(ssh, SSH1_SMSG_SUCCESS,
4412 SSH1_SMSG_FAILURE,
4413 ssh_rportfwd_succfail, pf);
4414 } else {
4415 struct Packet *pktout;
4416 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4417 ssh2_pkt_addstring(pktout, "tcpip-forward");
4418 ssh2_pkt_addbool(pktout, 1);/* want reply */
4419 if (epf->saddr) {
4420 ssh2_pkt_addstring(pktout, epf->saddr);
4421 } else if (cfg->rport_acceptall) {
4422 ssh2_pkt_addstring(pktout, "0.0.0.0");
4423 } else {
4424 ssh2_pkt_addstring(pktout, "127.0.0.1");
4425 }
4426 ssh2_pkt_adduint32(pktout, epf->sport);
4427 ssh2_pkt_send(ssh, pktout);
4428
4429 ssh_queue_handler(ssh, SSH2_MSG_REQUEST_SUCCESS,
4430 SSH2_MSG_REQUEST_FAILURE,
4431 ssh_rportfwd_succfail, pf);
4432 }
4433 }
4434 }
4435 sfree(sportdesc);
4436 sfree(dportdesc);
4437 }
4438 }
4439
4440 static void ssh1_smsg_stdout_stderr_data(Ssh ssh, struct Packet *pktin)
4441 {
4442 char *string;
4443 int stringlen, bufsize;
4444
4445 ssh_pkt_getstring(pktin, &string, &stringlen);
4446 if (string == NULL) {
4447 bombout(("Incoming terminal data packet was badly formed"));
4448 return;
4449 }
4450
4451 bufsize = from_backend(ssh->frontend, pktin->type == SSH1_SMSG_STDERR_DATA,
4452 string, stringlen);
4453 if (!ssh->v1_stdout_throttling && bufsize > SSH1_BUFFER_LIMIT) {
4454 ssh->v1_stdout_throttling = 1;
4455 ssh1_throttle(ssh, +1);
4456 }
4457 }
4458
4459 static void ssh1_smsg_x11_open(Ssh ssh, struct Packet *pktin)
4460 {
4461 /* Remote side is trying to open a channel to talk to our
4462 * X-Server. Give them back a local channel number. */
4463 struct ssh_channel *c;
4464 int remoteid = ssh_pkt_getuint32(pktin);
4465
4466 logevent("Received X11 connect request");
4467 /* Refuse if X11 forwarding is disabled. */
4468 if (!ssh->X11_fwd_enabled) {
4469 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4470 PKT_INT, remoteid, PKT_END);
4471 logevent("Rejected X11 connect request");
4472 } else {
4473 c = snew(struct ssh_channel);
4474 c->ssh = ssh;
4475
4476 if (x11_init(&c->u.x11.s, ssh->cfg.x11_display, c,
4477 ssh->x11auth, NULL, -1, &ssh->cfg) != NULL) {
4478 logevent("Opening X11 forward connection failed");
4479 sfree(c);
4480 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4481 PKT_INT, remoteid, PKT_END);
4482 } else {
4483 logevent
4484 ("Opening X11 forward connection succeeded");
4485 c->remoteid = remoteid;
4486 c->halfopen = FALSE;
4487 c->localid = alloc_channel_id(ssh);
4488 c->closes = 0;
4489 c->v.v1.throttling = 0;
4490 c->type = CHAN_X11; /* identify channel type */
4491 add234(ssh->channels, c);
4492 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4493 PKT_INT, c->remoteid, PKT_INT,
4494 c->localid, PKT_END);
4495 logevent("Opened X11 forward channel");
4496 }
4497 }
4498 }
4499
4500 static void ssh1_smsg_agent_open(Ssh ssh, struct Packet *pktin)
4501 {
4502 /* Remote side is trying to open a channel to talk to our
4503 * agent. Give them back a local channel number. */
4504 struct ssh_channel *c;
4505 int remoteid = ssh_pkt_getuint32(pktin);
4506
4507 /* Refuse if agent forwarding is disabled. */
4508 if (!ssh->agentfwd_enabled) {
4509 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4510 PKT_INT, remoteid, PKT_END);
4511 } else {
4512 c = snew(struct ssh_channel);
4513 c->ssh = ssh;
4514 c->remoteid = remoteid;
4515 c->halfopen = FALSE;
4516 c->localid = alloc_channel_id(ssh);
4517 c->closes = 0;
4518 c->v.v1.throttling = 0;
4519 c->type = CHAN_AGENT; /* identify channel type */
4520 c->u.a.lensofar = 0;
4521 add234(ssh->channels, c);
4522 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4523 PKT_INT, c->remoteid, PKT_INT, c->localid,
4524 PKT_END);
4525 }
4526 }
4527
4528 static void ssh1_msg_port_open(Ssh ssh, struct Packet *pktin)
4529 {
4530 /* Remote side is trying to open a channel to talk to a
4531 * forwarded port. Give them back a local channel number. */
4532 struct ssh_channel *c;
4533 struct ssh_rportfwd pf, *pfp;
4534 int remoteid;
4535 int hostsize, port;
4536 char *host;
4537 const char *e;
4538 c = snew(struct ssh_channel);
4539 c->ssh = ssh;
4540
4541 remoteid = ssh_pkt_getuint32(pktin);
4542 ssh_pkt_getstring(pktin, &host, &hostsize);
4543 port = ssh_pkt_getuint32(pktin);
4544
4545 if (hostsize >= lenof(pf.dhost))
4546 hostsize = lenof(pf.dhost)-1;
4547 memcpy(pf.dhost, host, hostsize);
4548 pf.dhost[hostsize] = '\0';
4549 pf.dport = port;
4550 pfp = find234(ssh->rportfwds, &pf, NULL);
4551
4552 if (pfp == NULL) {
4553 logeventf(ssh, "Rejected remote port open request for %s:%d",
4554 pf.dhost, port);
4555 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4556 PKT_INT, remoteid, PKT_END);
4557 } else {
4558 logeventf(ssh, "Received remote port open request for %s:%d",
4559 pf.dhost, port);
4560 e = pfd_newconnect(&c->u.pfd.s, pf.dhost, port,
4561 c, &ssh->cfg, pfp->pfrec->addressfamily);
4562 if (e != NULL) {
4563 logeventf(ssh, "Port open failed: %s", e);
4564 sfree(c);
4565 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4566 PKT_INT, remoteid, PKT_END);
4567 } else {
4568 c->remoteid = remoteid;
4569 c->halfopen = FALSE;
4570 c->localid = alloc_channel_id(ssh);
4571 c->closes = 0;
4572 c->v.v1.throttling = 0;
4573 c->type = CHAN_SOCKDATA; /* identify channel type */
4574 add234(ssh->channels, c);
4575 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4576 PKT_INT, c->remoteid, PKT_INT,
4577 c->localid, PKT_END);
4578 logevent("Forwarded port opened successfully");
4579 }
4580 }
4581 }
4582
4583 static void ssh1_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
4584 {
4585 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4586 unsigned int localid = ssh_pkt_getuint32(pktin);
4587 struct ssh_channel *c;
4588
4589 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4590 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4591 c->remoteid = localid;
4592 c->halfopen = FALSE;
4593 c->type = CHAN_SOCKDATA;
4594 c->v.v1.throttling = 0;
4595 pfd_confirm(c->u.pfd.s);
4596 }
4597
4598 if (c && c->closes) {
4599 /*
4600 * We have a pending close on this channel,
4601 * which we decided on before the server acked
4602 * the channel open. So now we know the
4603 * remoteid, we can close it again.
4604 */
4605 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE,
4606 PKT_INT, c->remoteid, PKT_END);
4607 }
4608 }
4609
4610 static void ssh1_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
4611 {
4612 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4613 struct ssh_channel *c;
4614
4615 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4616 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4617 logevent("Forwarded connection refused by server");
4618 pfd_close(c->u.pfd.s);
4619 del234(ssh->channels, c);
4620 sfree(c);
4621 }
4622 }
4623
4624 static void ssh1_msg_channel_close(Ssh ssh, struct Packet *pktin)
4625 {
4626 /* Remote side closes a channel. */
4627 unsigned i = ssh_pkt_getuint32(pktin);
4628 struct ssh_channel *c;
4629 c = find234(ssh->channels, &i, ssh_channelfind);
4630 if (c && !c->halfopen) {
4631 int closetype;
4632 closetype =
4633 (pktin->type == SSH1_MSG_CHANNEL_CLOSE ? 1 : 2);
4634
4635 if ((c->closes == 0) && (c->type == CHAN_X11)) {
4636 logevent("Forwarded X11 connection terminated");
4637 assert(c->u.x11.s != NULL);
4638 x11_close(c->u.x11.s);
4639 c->u.x11.s = NULL;
4640 }
4641 if ((c->closes == 0) && (c->type == CHAN_SOCKDATA)) {
4642 logevent("Forwarded port closed");
4643 assert(c->u.pfd.s != NULL);
4644 pfd_close(c->u.pfd.s);
4645 c->u.pfd.s = NULL;
4646 }
4647
4648 c->closes |= (closetype << 2); /* seen this message */
4649 if (!(c->closes & closetype)) {
4650 send_packet(ssh, pktin->type, PKT_INT, c->remoteid,
4651 PKT_END);
4652 c->closes |= closetype; /* sent it too */
4653 }
4654
4655 if (c->closes == 15) {
4656 del234(ssh->channels, c);
4657 sfree(c);
4658 }
4659 } else {
4660 bombout(("Received CHANNEL_CLOSE%s for %s channel %d\n",
4661 pktin->type == SSH1_MSG_CHANNEL_CLOSE ? "" :
4662 "_CONFIRMATION", c ? "half-open" : "nonexistent",
4663 i));
4664 }
4665 }
4666
4667 static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
4668 {
4669 /* Data sent down one of our channels. */
4670 int i = ssh_pkt_getuint32(pktin);
4671 char *p;
4672 int len;
4673 struct ssh_channel *c;
4674
4675 ssh_pkt_getstring(pktin, &p, &len);
4676
4677 c = find234(ssh->channels, &i, ssh_channelfind);
4678 if (c) {
4679 int bufsize = 0;
4680 switch (c->type) {
4681 case CHAN_X11:
4682 bufsize = x11_send(c->u.x11.s, p, len);
4683 break;
4684 case CHAN_SOCKDATA:
4685 bufsize = pfd_send(c->u.pfd.s, p, len);
4686 break;
4687 case CHAN_AGENT:
4688 /* Data for an agent message. Buffer it. */
4689 while (len > 0) {
4690 if (c->u.a.lensofar < 4) {
4691 unsigned int l = min(4 - c->u.a.lensofar, (unsigned)len);
4692 memcpy(c->u.a.msglen + c->u.a.lensofar, p,
4693 l);
4694 p += l;
4695 len -= l;
4696 c->u.a.lensofar += l;
4697 }
4698 if (c->u.a.lensofar == 4) {
4699 c->u.a.totallen =
4700 4 + GET_32BIT(c->u.a.msglen);
4701 c->u.a.message = snewn(c->u.a.totallen,
4702 unsigned char);
4703 memcpy(c->u.a.message, c->u.a.msglen, 4);
4704 }
4705 if (c->u.a.lensofar >= 4 && len > 0) {
4706 unsigned int l =
4707 min(c->u.a.totallen - c->u.a.lensofar,
4708 (unsigned)len);
4709 memcpy(c->u.a.message + c->u.a.lensofar, p,
4710 l);
4711 p += l;
4712 len -= l;
4713 c->u.a.lensofar += l;
4714 }
4715 if (c->u.a.lensofar == c->u.a.totallen) {
4716 void *reply;
4717 int replylen;
4718 if (agent_query(c->u.a.message,
4719 c->u.a.totallen,
4720 &reply, &replylen,
4721 ssh_agentf_callback, c))
4722 ssh_agentf_callback(c, reply, replylen);
4723 sfree(c->u.a.message);
4724 c->u.a.lensofar = 0;
4725 }
4726 }
4727 bufsize = 0; /* agent channels never back up */
4728 break;
4729 }
4730 if (!c->v.v1.throttling && bufsize > SSH1_BUFFER_LIMIT) {
4731 c->v.v1.throttling = 1;
4732 ssh1_throttle(ssh, +1);
4733 }
4734 }
4735 }
4736
4737 static void ssh1_smsg_exit_status(Ssh ssh, struct Packet *pktin)
4738 {
4739 ssh->exitcode = ssh_pkt_getuint32(pktin);
4740 logeventf(ssh, "Server sent command exit status %d", ssh->exitcode);
4741 send_packet(ssh, SSH1_CMSG_EXIT_CONFIRMATION, PKT_END);
4742 /*
4743 * In case `helpful' firewalls or proxies tack
4744 * extra human-readable text on the end of the
4745 * session which we might mistake for another
4746 * encrypted packet, we close the session once
4747 * we've sent EXIT_CONFIRMATION.
4748 */
4749 ssh_disconnect(ssh, NULL, NULL, 0, TRUE);
4750 }
4751
4752 /* Helper function to deal with sending tty modes for REQUEST_PTY */
4753 static void ssh1_send_ttymode(void *data, char *mode, char *val)
4754 {
4755 struct Packet *pktout = (struct Packet *)data;
4756 int i = 0;
4757 unsigned int arg = 0;
4758 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
4759 if (i == lenof(ssh_ttymodes)) return;
4760 switch (ssh_ttymodes[i].type) {
4761 case TTY_OP_CHAR:
4762 arg = ssh_tty_parse_specchar(val);
4763 break;
4764 case TTY_OP_BOOL:
4765 arg = ssh_tty_parse_boolean(val);
4766 break;
4767 }
4768 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
4769 ssh2_pkt_addbyte(pktout, arg);
4770 }
4771
4772
4773 static void do_ssh1_connection(Ssh ssh, unsigned char *in, int inlen,
4774 struct Packet *pktin)
4775 {
4776 crBegin(ssh->do_ssh1_connection_crstate);
4777
4778 ssh->packet_dispatch[SSH1_SMSG_STDOUT_DATA] =
4779 ssh->packet_dispatch[SSH1_SMSG_STDERR_DATA] =
4780 ssh1_smsg_stdout_stderr_data;
4781
4782 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_CONFIRMATION] =
4783 ssh1_msg_channel_open_confirmation;
4784 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_FAILURE] =
4785 ssh1_msg_channel_open_failure;
4786 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE] =
4787 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION] =
4788 ssh1_msg_channel_close;
4789 ssh->packet_dispatch[SSH1_MSG_CHANNEL_DATA] = ssh1_msg_channel_data;
4790 ssh->packet_dispatch[SSH1_SMSG_EXIT_STATUS] = ssh1_smsg_exit_status;
4791
4792 if (ssh->cfg.agentfwd && agent_exists()) {
4793 logevent("Requesting agent forwarding");
4794 send_packet(ssh, SSH1_CMSG_AGENT_REQUEST_FORWARDING, PKT_END);
4795 do {
4796 crReturnV;
4797 } while (!pktin);
4798 if (pktin->type != SSH1_SMSG_SUCCESS
4799 && pktin->type != SSH1_SMSG_FAILURE) {
4800 bombout(("Protocol confusion"));
4801 crStopV;
4802 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4803 logevent("Agent forwarding refused");
4804 } else {
4805 logevent("Agent forwarding enabled");
4806 ssh->agentfwd_enabled = TRUE;
4807 ssh->packet_dispatch[SSH1_SMSG_AGENT_OPEN] = ssh1_smsg_agent_open;
4808 }
4809 }
4810
4811 if (ssh->cfg.x11_forward) {
4812 char proto[20], data[64];
4813 logevent("Requesting X11 forwarding");
4814 ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
4815 data, sizeof(data), ssh->cfg.x11_auth);
4816 x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
4817 /*
4818 * Note that while we blank the X authentication data here, we don't
4819 * take any special action to blank the start of an X11 channel,
4820 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
4821 * without having session blanking enabled is likely to leak your
4822 * cookie into the log.
4823 */
4824 if (ssh->v1_local_protoflags & SSH1_PROTOFLAG_SCREEN_NUMBER) {
4825 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
4826 PKT_STR, proto,
4827 PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER,
4828 PKT_INT, x11_get_screen_number(ssh->cfg.x11_display),
4829 PKT_END);
4830 } else {
4831 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
4832 PKT_STR, proto,
4833 PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER, PKT_END);
4834 }
4835 do {
4836 crReturnV;
4837 } while (!pktin);
4838 if (pktin->type != SSH1_SMSG_SUCCESS
4839 && pktin->type != SSH1_SMSG_FAILURE) {
4840 bombout(("Protocol confusion"));
4841 crStopV;
4842 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4843 logevent("X11 forwarding refused");
4844 } else {
4845 logevent("X11 forwarding enabled");
4846 ssh->X11_fwd_enabled = TRUE;
4847 ssh->packet_dispatch[SSH1_SMSG_X11_OPEN] = ssh1_smsg_x11_open;
4848 }
4849 }
4850
4851 ssh_setup_portfwd(ssh, &ssh->cfg);
4852 ssh->packet_dispatch[SSH1_MSG_PORT_OPEN] = ssh1_msg_port_open;
4853
4854 if (!ssh->cfg.nopty) {
4855 struct Packet *pkt;
4856 /* Unpick the terminal-speed string. */
4857 /* XXX perhaps we should allow no speeds to be sent. */
4858 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
4859 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
4860 /* Send the pty request. */
4861 pkt = ssh1_pkt_init(SSH1_CMSG_REQUEST_PTY);
4862 ssh_pkt_addstring(pkt, ssh->cfg.termtype);
4863 ssh_pkt_adduint32(pkt, ssh->term_height);
4864 ssh_pkt_adduint32(pkt, ssh->term_width);
4865 ssh_pkt_adduint32(pkt, 0); /* width in pixels */
4866 ssh_pkt_adduint32(pkt, 0); /* height in pixels */
4867 parse_ttymodes(ssh, ssh->cfg.ttymodes,
4868 ssh1_send_ttymode, (void *)pkt);
4869 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_ISPEED);
4870 ssh_pkt_adduint32(pkt, ssh->ispeed);
4871 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_OSPEED);
4872 ssh_pkt_adduint32(pkt, ssh->ospeed);
4873 ssh_pkt_addbyte(pkt, SSH_TTY_OP_END);
4874 s_wrpkt(ssh, pkt);
4875 ssh->state = SSH_STATE_INTERMED;
4876 do {
4877 crReturnV;
4878 } while (!pktin);
4879 if (pktin->type != SSH1_SMSG_SUCCESS
4880 && pktin->type != SSH1_SMSG_FAILURE) {
4881 bombout(("Protocol confusion"));
4882 crStopV;
4883 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4884 c_write_str(ssh, "Server refused to allocate pty\r\n");
4885 ssh->editing = ssh->echoing = 1;
4886 }
4887 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
4888 ssh->ospeed, ssh->ispeed);
4889 } else {
4890 ssh->editing = ssh->echoing = 1;
4891 }
4892
4893 if (ssh->cfg.compression) {
4894 send_packet(ssh, SSH1_CMSG_REQUEST_COMPRESSION, PKT_INT, 6, PKT_END);
4895 do {
4896 crReturnV;
4897 } while (!pktin);
4898 if (pktin->type != SSH1_SMSG_SUCCESS
4899 && pktin->type != SSH1_SMSG_FAILURE) {
4900 bombout(("Protocol confusion"));
4901 crStopV;
4902 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4903 c_write_str(ssh, "Server refused to compress\r\n");
4904 }
4905 logevent("Started compression");
4906 ssh->v1_compressing = TRUE;
4907 ssh->cs_comp_ctx = zlib_compress_init();
4908 logevent("Initialised zlib (RFC1950) compression");
4909 ssh->sc_comp_ctx = zlib_decompress_init();
4910 logevent("Initialised zlib (RFC1950) decompression");
4911 }
4912
4913 /*
4914 * Start the shell or command.
4915 *
4916 * Special case: if the first-choice command is an SSH-2
4917 * subsystem (hence not usable here) and the second choice
4918 * exists, we fall straight back to that.
4919 */
4920 {
4921 char *cmd = ssh->cfg.remote_cmd_ptr;
4922
4923 if (!cmd) cmd = ssh->cfg.remote_cmd;
4924
4925 if (ssh->cfg.ssh_subsys && ssh->cfg.remote_cmd_ptr2) {
4926 cmd = ssh->cfg.remote_cmd_ptr2;
4927 ssh->fallback_cmd = TRUE;
4928 }
4929 if (*cmd)
4930 send_packet(ssh, SSH1_CMSG_EXEC_CMD, PKT_STR, cmd, PKT_END);
4931 else
4932 send_packet(ssh, SSH1_CMSG_EXEC_SHELL, PKT_END);
4933 logevent("Started session");
4934 }
4935
4936 ssh->state = SSH_STATE_SESSION;
4937 if (ssh->size_needed)
4938 ssh_size(ssh, ssh->term_width, ssh->term_height);
4939 if (ssh->eof_needed)
4940 ssh_special(ssh, TS_EOF);
4941
4942 if (ssh->ldisc)
4943 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
4944 ssh->send_ok = 1;
4945 ssh->channels = newtree234(ssh_channelcmp);
4946 while (1) {
4947
4948 /*
4949 * By this point, most incoming packets are already being
4950 * handled by the dispatch table, and we need only pay
4951 * attention to the unusual ones.
4952 */
4953
4954 crReturnV;
4955 if (pktin) {
4956 if (pktin->type == SSH1_SMSG_SUCCESS) {
4957 /* may be from EXEC_SHELL on some servers */
4958 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4959 /* may be from EXEC_SHELL on some servers
4960 * if no pty is available or in other odd cases. Ignore */
4961 } else {
4962 bombout(("Strange packet received: type %d", pktin->type));
4963 crStopV;
4964 }
4965 } else {
4966 while (inlen > 0) {
4967 int len = min(inlen, 512);
4968 send_packet(ssh, SSH1_CMSG_STDIN_DATA, PKTT_DATA,
4969 PKT_INT, len, PKT_DATA, in, len,
4970 PKTT_OTHER, PKT_END);
4971 in += len;
4972 inlen -= len;
4973 }
4974 }
4975 }
4976
4977 crFinishV;
4978 }
4979
4980 /*
4981 * Handle the top-level SSH-2 protocol.
4982 */
4983 static void ssh1_msg_debug(Ssh ssh, struct Packet *pktin)
4984 {
4985 char *msg;
4986 int msglen;
4987
4988 ssh_pkt_getstring(pktin, &msg, &msglen);
4989 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
4990 }
4991
4992 static void ssh1_msg_disconnect(Ssh ssh, struct Packet *pktin)
4993 {
4994 /* log reason code in disconnect message */
4995 char *msg;
4996 int msglen;
4997
4998 ssh_pkt_getstring(pktin, &msg, &msglen);
4999 bombout(("Server sent disconnect message:\n\"%.*s\"", msglen, msg));
5000 }
5001
5002 static void ssh_msg_ignore(Ssh ssh, struct Packet *pktin)
5003 {
5004 /* Do nothing, because we're ignoring it! Duhh. */
5005 }
5006
5007 static void ssh1_protocol_setup(Ssh ssh)
5008 {
5009 int i;
5010
5011 /*
5012 * Most messages are handled by the coroutines.
5013 */
5014 for (i = 0; i < 256; i++)
5015 ssh->packet_dispatch[i] = NULL;
5016
5017 /*
5018 * These special message types we install handlers for.
5019 */
5020 ssh->packet_dispatch[SSH1_MSG_DISCONNECT] = ssh1_msg_disconnect;
5021 ssh->packet_dispatch[SSH1_MSG_IGNORE] = ssh_msg_ignore;
5022 ssh->packet_dispatch[SSH1_MSG_DEBUG] = ssh1_msg_debug;
5023 }
5024
5025 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
5026 struct Packet *pktin)
5027 {
5028 unsigned char *in=(unsigned char*)vin;
5029 if (ssh->state == SSH_STATE_CLOSED)
5030 return;
5031
5032 if (pktin && ssh->packet_dispatch[pktin->type]) {
5033 ssh->packet_dispatch[pktin->type](ssh, pktin);
5034 return;
5035 }
5036
5037 if (!ssh->protocol_initial_phase_done) {
5038 if (do_ssh1_login(ssh, in, inlen, pktin))
5039 ssh->protocol_initial_phase_done = TRUE;
5040 else
5041 return;
5042 }
5043
5044 do_ssh1_connection(ssh, in, inlen, pktin);
5045 }
5046
5047 /*
5048 * Utility routine for decoding comma-separated strings in KEXINIT.
5049 */
5050 static int in_commasep_string(char *needle, char *haystack, int haylen)
5051 {
5052 int needlen;
5053 if (!needle || !haystack) /* protect against null pointers */
5054 return 0;
5055 needlen = strlen(needle);
5056 while (1) {
5057 /*
5058 * Is it at the start of the string?
5059 */
5060 if (haylen >= needlen && /* haystack is long enough */
5061 !memcmp(needle, haystack, needlen) && /* initial match */
5062 (haylen == needlen || haystack[needlen] == ',')
5063 /* either , or EOS follows */
5064 )
5065 return 1;
5066 /*
5067 * If not, search for the next comma and resume after that.
5068 * If no comma found, terminate.
5069 */
5070 while (haylen > 0 && *haystack != ',')
5071 haylen--, haystack++;
5072 if (haylen == 0)
5073 return 0;
5074 haylen--, haystack++; /* skip over comma itself */
5075 }
5076 }
5077
5078 /*
5079 * Similar routine for checking whether we have the first string in a list.
5080 */
5081 static int first_in_commasep_string(char *needle, char *haystack, int haylen)
5082 {
5083 int needlen;
5084 if (!needle || !haystack) /* protect against null pointers */
5085 return 0;
5086 needlen = strlen(needle);
5087 /*
5088 * Is it at the start of the string?
5089 */
5090 if (haylen >= needlen && /* haystack is long enough */
5091 !memcmp(needle, haystack, needlen) && /* initial match */
5092 (haylen == needlen || haystack[needlen] == ',')
5093 /* either , or EOS follows */
5094 )
5095 return 1;
5096 return 0;
5097 }
5098
5099
5100 /*
5101 * SSH-2 key creation method.
5102 * (Currently assumes 2 lots of any hash are sufficient to generate
5103 * keys/IVs for any cipher/MAC. SSH2_MKKEY_ITERS documents this assumption.)
5104 */
5105 #define SSH2_MKKEY_ITERS (2)
5106 static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,
5107 unsigned char *keyspace)
5108 {
5109 const struct ssh_hash *h = ssh->kex->hash;
5110 void *s;
5111 /* First hlen bytes. */
5112 s = h->init();
5113 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5114 hash_mpint(h, s, K);
5115 h->bytes(s, H, h->hlen);
5116 h->bytes(s, &chr, 1);
5117 h->bytes(s, ssh->v2_session_id, ssh->v2_session_id_len);
5118 h->final(s, keyspace);
5119 /* Next hlen bytes. */
5120 s = h->init();
5121 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5122 hash_mpint(h, s, K);
5123 h->bytes(s, H, h->hlen);
5124 h->bytes(s, keyspace, h->hlen);
5125 h->final(s, keyspace + h->hlen);
5126 }
5127
5128 /*
5129 * Handle the SSH-2 transport layer.
5130 */
5131 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
5132 struct Packet *pktin)
5133 {
5134 unsigned char *in = (unsigned char *)vin;
5135 struct do_ssh2_transport_state {
5136 int nbits, pbits, warn_kex, warn_cscipher, warn_sccipher;
5137 Bignum p, g, e, f, K;
5138 void *our_kexinit;
5139 int our_kexinitlen;
5140 int kex_init_value, kex_reply_value;
5141 const struct ssh_mac **maclist;
5142 int nmacs;
5143 const struct ssh2_cipher *cscipher_tobe;
5144 const struct ssh2_cipher *sccipher_tobe;
5145 const struct ssh_mac *csmac_tobe;
5146 const struct ssh_mac *scmac_tobe;
5147 const struct ssh_compress *cscomp_tobe;
5148 const struct ssh_compress *sccomp_tobe;
5149 char *hostkeydata, *sigdata, *rsakeydata, *keystr, *fingerprint;
5150 int hostkeylen, siglen, rsakeylen;
5151 void *hkey; /* actual host key */
5152 void *rsakey; /* for RSA kex */
5153 unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
5154 int n_preferred_kex;
5155 const struct ssh_kexes *preferred_kex[KEX_MAX];
5156 int n_preferred_ciphers;
5157 const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
5158 const struct ssh_compress *preferred_comp;
5159 int got_session_id, activated_authconn;
5160 struct Packet *pktout;
5161 int dlgret;
5162 int guessok;
5163 int ignorepkt;
5164 };
5165 crState(do_ssh2_transport_state);
5166
5167 crBegin(ssh->do_ssh2_transport_crstate);
5168
5169 s->cscipher_tobe = s->sccipher_tobe = NULL;
5170 s->csmac_tobe = s->scmac_tobe = NULL;
5171 s->cscomp_tobe = s->sccomp_tobe = NULL;
5172
5173 s->got_session_id = s->activated_authconn = FALSE;
5174
5175 /*
5176 * Be prepared to work around the buggy MAC problem.
5177 */
5178 if (ssh->remote_bugs & BUG_SSH2_HMAC)
5179 s->maclist = buggymacs, s->nmacs = lenof(buggymacs);
5180 else
5181 s->maclist = macs, s->nmacs = lenof(macs);
5182
5183 begin_key_exchange:
5184 ssh->pkt_ctx &= ~SSH2_PKTCTX_KEX_MASK;
5185 {
5186 int i, j, commalist_started;
5187
5188 /*
5189 * Set up the preferred key exchange. (NULL => warn below here)
5190 */
5191 s->n_preferred_kex = 0;
5192 for (i = 0; i < KEX_MAX; i++) {
5193 switch (ssh->cfg.ssh_kexlist[i]) {
5194 case KEX_DHGEX:
5195 s->preferred_kex[s->n_preferred_kex++] =
5196 &ssh_diffiehellman_gex;
5197 break;
5198 case KEX_DHGROUP14:
5199 s->preferred_kex[s->n_preferred_kex++] =
5200 &ssh_diffiehellman_group14;
5201 break;
5202 case KEX_DHGROUP1:
5203 s->preferred_kex[s->n_preferred_kex++] =
5204 &ssh_diffiehellman_group1;
5205 break;
5206 case KEX_RSA:
5207 s->preferred_kex[s->n_preferred_kex++] =
5208 &ssh_rsa_kex;
5209 break;
5210 case KEX_WARN:
5211 /* Flag for later. Don't bother if it's the last in
5212 * the list. */
5213 if (i < KEX_MAX - 1) {
5214 s->preferred_kex[s->n_preferred_kex++] = NULL;
5215 }
5216 break;
5217 }
5218 }
5219
5220 /*
5221 * Set up the preferred ciphers. (NULL => warn below here)
5222 */
5223 s->n_preferred_ciphers = 0;
5224 for (i = 0; i < CIPHER_MAX; i++) {
5225 switch (ssh->cfg.ssh_cipherlist[i]) {
5226 case CIPHER_BLOWFISH:
5227 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_blowfish;
5228 break;
5229 case CIPHER_DES:
5230 if (ssh->cfg.ssh2_des_cbc) {
5231 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_des;
5232 }
5233 break;
5234 case CIPHER_3DES:
5235 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_3des;
5236 break;
5237 case CIPHER_AES:
5238 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_aes;
5239 break;
5240 case CIPHER_ARCFOUR:
5241 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour;
5242 break;
5243 case CIPHER_WARN:
5244 /* Flag for later. Don't bother if it's the last in
5245 * the list. */
5246 if (i < CIPHER_MAX - 1) {
5247 s->preferred_ciphers[s->n_preferred_ciphers++] = NULL;
5248 }
5249 break;
5250 }
5251 }
5252
5253 /*
5254 * Set up preferred compression.
5255 */
5256 if (ssh->cfg.compression)
5257 s->preferred_comp = &ssh_zlib;
5258 else
5259 s->preferred_comp = &ssh_comp_none;
5260
5261 /*
5262 * Enable queueing of outgoing auth- or connection-layer
5263 * packets while we are in the middle of a key exchange.
5264 */
5265 ssh->queueing = TRUE;
5266
5267 /*
5268 * Flag that KEX is in progress.
5269 */
5270 ssh->kex_in_progress = TRUE;
5271
5272 /*
5273 * Construct and send our key exchange packet.
5274 */
5275 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXINIT);
5276 for (i = 0; i < 16; i++)
5277 ssh2_pkt_addbyte(s->pktout, (unsigned char) random_byte());
5278 /* List key exchange algorithms. */
5279 ssh2_pkt_addstring_start(s->pktout);
5280 commalist_started = 0;
5281 for (i = 0; i < s->n_preferred_kex; i++) {
5282 const struct ssh_kexes *k = s->preferred_kex[i];
5283 if (!k) continue; /* warning flag */
5284 for (j = 0; j < k->nkexes; j++) {
5285 if (commalist_started)
5286 ssh2_pkt_addstring_str(s->pktout, ",");
5287 ssh2_pkt_addstring_str(s->pktout, k->list[j]->name);
5288 commalist_started = 1;
5289 }
5290 }
5291 /* List server host key algorithms. */
5292 ssh2_pkt_addstring_start(s->pktout);
5293 for (i = 0; i < lenof(hostkey_algs); i++) {
5294 ssh2_pkt_addstring_str(s->pktout, hostkey_algs[i]->name);
5295 if (i < lenof(hostkey_algs) - 1)
5296 ssh2_pkt_addstring_str(s->pktout, ",");
5297 }
5298 /* List client->server encryption algorithms. */
5299 ssh2_pkt_addstring_start(s->pktout);
5300 commalist_started = 0;
5301 for (i = 0; i < s->n_preferred_ciphers; i++) {
5302 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5303 if (!c) continue; /* warning flag */
5304 for (j = 0; j < c->nciphers; j++) {
5305 if (commalist_started)
5306 ssh2_pkt_addstring_str(s->pktout, ",");
5307 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5308 commalist_started = 1;
5309 }
5310 }
5311 /* List server->client encryption algorithms. */
5312 ssh2_pkt_addstring_start(s->pktout);
5313 commalist_started = 0;
5314 for (i = 0; i < s->n_preferred_ciphers; i++) {
5315 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5316 if (!c) continue; /* warning flag */
5317 for (j = 0; j < c->nciphers; j++) {
5318 if (commalist_started)
5319 ssh2_pkt_addstring_str(s->pktout, ",");
5320 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5321 commalist_started = 1;
5322 }
5323 }
5324 /* List client->server MAC algorithms. */
5325 ssh2_pkt_addstring_start(s->pktout);
5326 for (i = 0; i < s->nmacs; i++) {
5327 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5328 if (i < s->nmacs - 1)
5329 ssh2_pkt_addstring_str(s->pktout, ",");
5330 }
5331 /* List server->client MAC algorithms. */
5332 ssh2_pkt_addstring_start(s->pktout);
5333 for (i = 0; i < s->nmacs; i++) {
5334 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5335 if (i < s->nmacs - 1)
5336 ssh2_pkt_addstring_str(s->pktout, ",");
5337 }
5338 /* List client->server compression algorithms. */
5339 ssh2_pkt_addstring_start(s->pktout);
5340 assert(lenof(compressions) > 1);
5341 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5342 for (i = 0; i < lenof(compressions); i++) {
5343 const struct ssh_compress *c = compressions[i];
5344 if (c != s->preferred_comp) {
5345 ssh2_pkt_addstring_str(s->pktout, ",");
5346 ssh2_pkt_addstring_str(s->pktout, c->name);
5347 }
5348 }
5349 /* List server->client compression algorithms. */
5350 ssh2_pkt_addstring_start(s->pktout);
5351 assert(lenof(compressions) > 1);
5352 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5353 for (i = 0; i < lenof(compressions); i++) {
5354 const struct ssh_compress *c = compressions[i];
5355 if (c != s->preferred_comp) {
5356 ssh2_pkt_addstring_str(s->pktout, ",");
5357 ssh2_pkt_addstring_str(s->pktout, c->name);
5358 }
5359 }
5360 /* List client->server languages. Empty list. */
5361 ssh2_pkt_addstring_start(s->pktout);
5362 /* List server->client languages. Empty list. */
5363 ssh2_pkt_addstring_start(s->pktout);
5364 /* First KEX packet does _not_ follow, because we're not that brave. */
5365 ssh2_pkt_addbool(s->pktout, FALSE);
5366 /* Reserved. */
5367 ssh2_pkt_adduint32(s->pktout, 0);
5368 }
5369
5370 s->our_kexinitlen = s->pktout->length - 5;
5371 s->our_kexinit = snewn(s->our_kexinitlen, unsigned char);
5372 memcpy(s->our_kexinit, s->pktout->data + 5, s->our_kexinitlen);
5373
5374 ssh2_pkt_send_noqueue(ssh, s->pktout);
5375
5376 if (!pktin)
5377 crWaitUntil(pktin);
5378
5379 /*
5380 * Now examine the other side's KEXINIT to see what we're up
5381 * to.
5382 */
5383 {
5384 char *str, *preferred;
5385 int i, j, len;
5386
5387 if (pktin->type != SSH2_MSG_KEXINIT) {
5388 bombout(("expected key exchange packet from server"));
5389 crStop(0);
5390 }
5391 ssh->kex = NULL;
5392 ssh->hostkey = NULL;
5393 s->cscipher_tobe = NULL;
5394 s->sccipher_tobe = NULL;
5395 s->csmac_tobe = NULL;
5396 s->scmac_tobe = NULL;
5397 s->cscomp_tobe = NULL;
5398 s->sccomp_tobe = NULL;
5399 s->warn_kex = s->warn_cscipher = s->warn_sccipher = FALSE;
5400
5401 pktin->savedpos += 16; /* skip garbage cookie */
5402 ssh_pkt_getstring(pktin, &str, &len); /* key exchange algorithms */
5403
5404 preferred = NULL;
5405 for (i = 0; i < s->n_preferred_kex; i++) {
5406 const struct ssh_kexes *k = s->preferred_kex[i];
5407 if (!k) {
5408 s->warn_kex = TRUE;
5409 } else {
5410 for (j = 0; j < k->nkexes; j++) {
5411 if (!preferred) preferred = k->list[j]->name;
5412 if (in_commasep_string(k->list[j]->name, str, len)) {
5413 ssh->kex = k->list[j];
5414 break;
5415 }
5416 }
5417 }
5418 if (ssh->kex)
5419 break;
5420 }
5421 if (!ssh->kex) {
5422 bombout(("Couldn't agree a key exchange algorithm (available: %s)",
5423 str ? str : "(null)"));
5424 crStop(0);
5425 }
5426 /*
5427 * Note that the server's guess is considered wrong if it doesn't match
5428 * the first algorithm in our list, even if it's still the algorithm
5429 * we end up using.
5430 */
5431 s->guessok = first_in_commasep_string(preferred, str, len);
5432 ssh_pkt_getstring(pktin, &str, &len); /* host key algorithms */
5433 for (i = 0; i < lenof(hostkey_algs); i++) {
5434 if (in_commasep_string(hostkey_algs[i]->name, str, len)) {
5435 ssh->hostkey = hostkey_algs[i];
5436 break;
5437 }
5438 }
5439 s->guessok = s->guessok &&
5440 first_in_commasep_string(hostkey_algs[0]->name, str, len);
5441 ssh_pkt_getstring(pktin, &str, &len); /* client->server cipher */
5442 for (i = 0; i < s->n_preferred_ciphers; i++) {
5443 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5444 if (!c) {
5445 s->warn_cscipher = TRUE;
5446 } else {
5447 for (j = 0; j < c->nciphers; j++) {
5448 if (in_commasep_string(c->list[j]->name, str, len)) {
5449 s->cscipher_tobe = c->list[j];
5450 break;
5451 }
5452 }
5453 }
5454 if (s->cscipher_tobe)
5455 break;
5456 }
5457 if (!s->cscipher_tobe) {
5458 bombout(("Couldn't agree a client-to-server cipher (available: %s)",
5459 str ? str : "(null)"));
5460 crStop(0);
5461 }
5462
5463 ssh_pkt_getstring(pktin, &str, &len); /* server->client cipher */
5464 for (i = 0; i < s->n_preferred_ciphers; i++) {
5465 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5466 if (!c) {
5467 s->warn_sccipher = TRUE;
5468 } else {
5469 for (j = 0; j < c->nciphers; j++) {
5470 if (in_commasep_string(c->list[j]->name, str, len)) {
5471 s->sccipher_tobe = c->list[j];
5472 break;
5473 }
5474 }
5475 }
5476 if (s->sccipher_tobe)
5477 break;
5478 }
5479 if (!s->sccipher_tobe) {
5480 bombout(("Couldn't agree a server-to-client cipher (available: %s)",
5481 str ? str : "(null)"));
5482 crStop(0);
5483 }
5484
5485 ssh_pkt_getstring(pktin, &str, &len); /* client->server mac */
5486 for (i = 0; i < s->nmacs; i++) {
5487 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5488 s->csmac_tobe = s->maclist[i];
5489 break;
5490 }
5491 }
5492 ssh_pkt_getstring(pktin, &str, &len); /* server->client mac */
5493 for (i = 0; i < s->nmacs; i++) {
5494 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5495 s->scmac_tobe = s->maclist[i];
5496 break;
5497 }
5498 }
5499 ssh_pkt_getstring(pktin, &str, &len); /* client->server compression */
5500 for (i = 0; i < lenof(compressions) + 1; i++) {
5501 const struct ssh_compress *c =
5502 i == 0 ? s->preferred_comp : compressions[i - 1];
5503 if (in_commasep_string(c->name, str, len)) {
5504 s->cscomp_tobe = c;
5505 break;
5506 }
5507 }
5508 ssh_pkt_getstring(pktin, &str, &len); /* server->client compression */
5509 for (i = 0; i < lenof(compressions) + 1; i++) {
5510 const struct ssh_compress *c =
5511 i == 0 ? s->preferred_comp : compressions[i - 1];
5512 if (in_commasep_string(c->name, str, len)) {
5513 s->sccomp_tobe = c;
5514 break;
5515 }
5516 }
5517 ssh_pkt_getstring(pktin, &str, &len); /* client->server language */
5518 ssh_pkt_getstring(pktin, &str, &len); /* server->client language */
5519 s->ignorepkt = ssh2_pkt_getbool(pktin) && !s->guessok;
5520
5521 if (s->warn_kex) {
5522 ssh_set_frozen(ssh, 1);
5523 s->dlgret = askalg(ssh->frontend, "key-exchange algorithm",
5524 ssh->kex->name,
5525 ssh_dialog_callback, ssh);
5526 if (s->dlgret < 0) {
5527 do {
5528 crReturn(0);
5529 if (pktin) {
5530 bombout(("Unexpected data from server while"
5531 " waiting for user response"));
5532 crStop(0);
5533 }
5534 } while (pktin || inlen > 0);
5535 s->dlgret = ssh->user_response;
5536 }
5537 ssh_set_frozen(ssh, 0);
5538 if (s->dlgret == 0) {
5539 ssh_disconnect(ssh, "User aborted at kex warning", NULL,
5540 0, TRUE);
5541 crStop(0);
5542 }
5543 }
5544
5545 if (s->warn_cscipher) {
5546 ssh_set_frozen(ssh, 1);
5547 s->dlgret = askalg(ssh->frontend,
5548 "client-to-server cipher",
5549 s->cscipher_tobe->name,
5550 ssh_dialog_callback, ssh);
5551 if (s->dlgret < 0) {
5552 do {
5553 crReturn(0);
5554 if (pktin) {
5555 bombout(("Unexpected data from server while"
5556 " waiting for user response"));
5557 crStop(0);
5558 }
5559 } while (pktin || inlen > 0);
5560 s->dlgret = ssh->user_response;
5561 }
5562 ssh_set_frozen(ssh, 0);
5563 if (s->dlgret == 0) {
5564 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5565 0, TRUE);
5566 crStop(0);
5567 }
5568 }
5569
5570 if (s->warn_sccipher) {
5571 ssh_set_frozen(ssh, 1);
5572 s->dlgret = askalg(ssh->frontend,
5573 "server-to-client cipher",
5574 s->sccipher_tobe->name,
5575 ssh_dialog_callback, ssh);
5576 if (s->dlgret < 0) {
5577 do {
5578 crReturn(0);
5579 if (pktin) {
5580 bombout(("Unexpected data from server while"
5581 " waiting for user response"));
5582 crStop(0);
5583 }
5584 } while (pktin || inlen > 0);
5585 s->dlgret = ssh->user_response;
5586 }
5587 ssh_set_frozen(ssh, 0);
5588 if (s->dlgret == 0) {
5589 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5590 0, TRUE);
5591 crStop(0);
5592 }
5593 }
5594
5595 ssh->exhash = ssh->kex->hash->init();
5596 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_c, strlen(ssh->v_c));
5597 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_s, strlen(ssh->v_s));
5598 hash_string(ssh->kex->hash, ssh->exhash,
5599 s->our_kexinit, s->our_kexinitlen);
5600 sfree(s->our_kexinit);
5601 if (pktin->length > 5)
5602 hash_string(ssh->kex->hash, ssh->exhash,
5603 pktin->data + 5, pktin->length - 5);
5604
5605 if (s->ignorepkt) /* first_kex_packet_follows */
5606 crWaitUntil(pktin); /* Ignore packet */
5607 }
5608
5609 if (ssh->kex->main_type == KEXTYPE_DH) {
5610 /*
5611 * Work out the number of bits of key we will need from the
5612 * key exchange. We start with the maximum key length of
5613 * either cipher...
5614 */
5615 {
5616 int csbits, scbits;
5617
5618 csbits = s->cscipher_tobe->keylen;
5619 scbits = s->sccipher_tobe->keylen;
5620 s->nbits = (csbits > scbits ? csbits : scbits);
5621 }
5622 /* The keys only have hlen-bit entropy, since they're based on
5623 * a hash. So cap the key size at hlen bits. */
5624 if (s->nbits > ssh->kex->hash->hlen * 8)
5625 s->nbits = ssh->kex->hash->hlen * 8;
5626
5627 /*
5628 * If we're doing Diffie-Hellman group exchange, start by
5629 * requesting a group.
5630 */
5631 if (!ssh->kex->pdata) {
5632 logevent("Doing Diffie-Hellman group exchange");
5633 ssh->pkt_ctx |= SSH2_PKTCTX_DHGEX;
5634 /*
5635 * Work out how big a DH group we will need to allow that
5636 * much data.
5637 */
5638 s->pbits = 512 << ((s->nbits - 1) / 64);
5639 s->pktout = ssh2_pkt_init(SSH2_MSG_KEX_DH_GEX_REQUEST);
5640 ssh2_pkt_adduint32(s->pktout, s->pbits);
5641 ssh2_pkt_send_noqueue(ssh, s->pktout);
5642
5643 crWaitUntil(pktin);
5644 if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
5645 bombout(("expected key exchange group packet from server"));
5646 crStop(0);
5647 }
5648 s->p = ssh2_pkt_getmp(pktin);
5649 s->g = ssh2_pkt_getmp(pktin);
5650 if (!s->p || !s->g) {
5651 bombout(("unable to read mp-ints from incoming group packet"));
5652 crStop(0);
5653 }
5654 ssh->kex_ctx = dh_setup_gex(s->p, s->g);
5655 s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
5656 s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
5657 } else {
5658 ssh->pkt_ctx |= SSH2_PKTCTX_DHGROUP;
5659 ssh->kex_ctx = dh_setup_group(ssh->kex);
5660 s->kex_init_value = SSH2_MSG_KEXDH_INIT;
5661 s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
5662 logeventf(ssh, "Using Diffie-Hellman with standard group \"%s\"",
5663 ssh->kex->groupname);
5664 }
5665
5666 logeventf(ssh, "Doing Diffie-Hellman key exchange with hash %s",
5667 ssh->kex->hash->text_name);
5668 /*
5669 * Now generate and send e for Diffie-Hellman.
5670 */
5671 set_busy_status(ssh->frontend, BUSY_CPU); /* this can take a while */
5672 s->e = dh_create_e(ssh->kex_ctx, s->nbits * 2);
5673 s->pktout = ssh2_pkt_init(s->kex_init_value);
5674 ssh2_pkt_addmp(s->pktout, s->e);
5675 ssh2_pkt_send_noqueue(ssh, s->pktout);
5676
5677 set_busy_status(ssh->frontend, BUSY_WAITING); /* wait for server */
5678 crWaitUntil(pktin);
5679 if (pktin->type != s->kex_reply_value) {
5680 bombout(("expected key exchange reply packet from server"));
5681 crStop(0);
5682 }
5683 set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
5684 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5685 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5686 s->f = ssh2_pkt_getmp(pktin);
5687 if (!s->f) {
5688 bombout(("unable to parse key exchange reply packet"));
5689 crStop(0);
5690 }
5691 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
5692
5693 s->K = dh_find_K(ssh->kex_ctx, s->f);
5694
5695 /* We assume everything from now on will be quick, and it might
5696 * involve user interaction. */
5697 set_busy_status(ssh->frontend, BUSY_NOT);
5698
5699 hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
5700 if (!ssh->kex->pdata) {
5701 hash_uint32(ssh->kex->hash, ssh->exhash, s->pbits);
5702 hash_mpint(ssh->kex->hash, ssh->exhash, s->p);
5703 hash_mpint(ssh->kex->hash, ssh->exhash, s->g);
5704 }
5705 hash_mpint(ssh->kex->hash, ssh->exhash, s->e);
5706 hash_mpint(ssh->kex->hash, ssh->exhash, s->f);
5707
5708 dh_cleanup(ssh->kex_ctx);
5709 freebn(s->f);
5710 if (!ssh->kex->pdata) {
5711 freebn(s->g);
5712 freebn(s->p);
5713 }
5714 } else {
5715 logeventf(ssh, "Doing RSA key exchange with hash %s",
5716 ssh->kex->hash->text_name);
5717 ssh->pkt_ctx |= SSH2_PKTCTX_RSAKEX;
5718 /*
5719 * RSA key exchange. First expect a KEXRSA_PUBKEY packet
5720 * from the server.
5721 */
5722 crWaitUntil(pktin);
5723 if (pktin->type != SSH2_MSG_KEXRSA_PUBKEY) {
5724 bombout(("expected RSA public key packet from server"));
5725 crStop(0);
5726 }
5727
5728 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5729 hash_string(ssh->kex->hash, ssh->exhash,
5730 s->hostkeydata, s->hostkeylen);
5731 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5732
5733 {
5734 char *keydata;
5735 ssh_pkt_getstring(pktin, &keydata, &s->rsakeylen);
5736 s->rsakeydata = snewn(s->rsakeylen, char);
5737 memcpy(s->rsakeydata, keydata, s->rsakeylen);
5738 }
5739
5740 s->rsakey = ssh_rsakex_newkey(s->rsakeydata, s->rsakeylen);
5741 if (!s->rsakey) {
5742 sfree(s->rsakeydata);
5743 bombout(("unable to parse RSA public key from server"));
5744 crStop(0);
5745 }
5746
5747 hash_string(ssh->kex->hash, ssh->exhash, s->rsakeydata, s->rsakeylen);
5748
5749 /*
5750 * Next, set up a shared secret K, of precisely KLEN -
5751 * 2*HLEN - 49 bits, where KLEN is the bit length of the
5752 * RSA key modulus and HLEN is the bit length of the hash
5753 * we're using.
5754 */
5755 {
5756 int klen = ssh_rsakex_klen(s->rsakey);
5757 int nbits = klen - (2*ssh->kex->hash->hlen*8 + 49);
5758 int i, byte = 0;
5759 unsigned char *kstr1, *kstr2, *outstr;
5760 int kstr1len, kstr2len, outstrlen;
5761
5762 s->K = bn_power_2(nbits - 1);
5763
5764 for (i = 0; i < nbits; i++) {
5765 if ((i & 7) == 0) {
5766 byte = random_byte();
5767 }
5768 bignum_set_bit(s->K, i, (byte >> (i & 7)) & 1);
5769 }
5770
5771 /*
5772 * Encode this as an mpint.
5773 */
5774 kstr1 = ssh2_mpint_fmt(s->K, &kstr1len);
5775 kstr2 = snewn(kstr2len = 4 + kstr1len, unsigned char);
5776 PUT_32BIT(kstr2, kstr1len);
5777 memcpy(kstr2 + 4, kstr1, kstr1len);
5778
5779 /*
5780 * Encrypt it with the given RSA key.
5781 */
5782 outstrlen = (klen + 7) / 8;
5783 outstr = snewn(outstrlen, unsigned char);
5784 ssh_rsakex_encrypt(ssh->kex->hash, kstr2, kstr2len,
5785 outstr, outstrlen, s->rsakey);
5786
5787 /*
5788 * And send it off in a return packet.
5789 */
5790 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXRSA_SECRET);
5791 ssh2_pkt_addstring_start(s->pktout);
5792 ssh2_pkt_addstring_data(s->pktout, (char *)outstr, outstrlen);
5793 ssh2_pkt_send_noqueue(ssh, s->pktout);
5794
5795 hash_string(ssh->kex->hash, ssh->exhash, outstr, outstrlen);
5796
5797 sfree(kstr2);
5798 sfree(kstr1);
5799 sfree(outstr);
5800 }
5801
5802 ssh_rsakex_freekey(s->rsakey);
5803
5804 crWaitUntil(pktin);
5805 if (pktin->type != SSH2_MSG_KEXRSA_DONE) {
5806 sfree(s->rsakeydata);
5807 bombout(("expected signature packet from server"));
5808 crStop(0);
5809 }
5810
5811 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
5812
5813 sfree(s->rsakeydata);
5814 }
5815
5816 hash_mpint(ssh->kex->hash, ssh->exhash, s->K);
5817 assert(ssh->kex->hash->hlen <= sizeof(s->exchange_hash));
5818 ssh->kex->hash->final(ssh->exhash, s->exchange_hash);
5819
5820 ssh->kex_ctx = NULL;
5821
5822 #if 0
5823 debug(("Exchange hash is:\n"));
5824 dmemdump(s->exchange_hash, ssh->kex->hash->hlen);
5825 #endif
5826
5827 if (!s->hkey ||
5828 !ssh->hostkey->verifysig(s->hkey, s->sigdata, s->siglen,
5829 (char *)s->exchange_hash,
5830 ssh->kex->hash->hlen)) {
5831 bombout(("Server's host key did not match the signature supplied"));
5832 crStop(0);
5833 }
5834
5835 /*
5836 * Authenticate remote host: verify host key. (We've already
5837 * checked the signature of the exchange hash.)
5838 */
5839 s->keystr = ssh->hostkey->fmtkey(s->hkey);
5840 s->fingerprint = ssh->hostkey->fingerprint(s->hkey);
5841 ssh_set_frozen(ssh, 1);
5842 s->dlgret = verify_ssh_host_key(ssh->frontend,
5843 ssh->savedhost, ssh->savedport,
5844 ssh->hostkey->keytype, s->keystr,
5845 s->fingerprint,
5846 ssh_dialog_callback, ssh);
5847 if (s->dlgret < 0) {
5848 do {
5849 crReturn(0);
5850 if (pktin) {
5851 bombout(("Unexpected data from server while waiting"
5852 " for user host key response"));
5853 crStop(0);
5854 }
5855 } while (pktin || inlen > 0);
5856 s->dlgret = ssh->user_response;
5857 }
5858 ssh_set_frozen(ssh, 0);
5859 if (s->dlgret == 0) {
5860 ssh_disconnect(ssh, "User aborted at host key verification", NULL,
5861 0, TRUE);
5862 crStop(0);
5863 }
5864 if (!s->got_session_id) { /* don't bother logging this in rekeys */
5865 logevent("Host key fingerprint is:");
5866 logevent(s->fingerprint);
5867 }
5868 sfree(s->fingerprint);
5869 sfree(s->keystr);
5870 ssh->hostkey->freekey(s->hkey);
5871
5872 /*
5873 * The exchange hash from the very first key exchange is also
5874 * the session id, used in session key construction and
5875 * authentication.
5876 */
5877 if (!s->got_session_id) {
5878 assert(sizeof(s->exchange_hash) <= sizeof(ssh->v2_session_id));
5879 memcpy(ssh->v2_session_id, s->exchange_hash,
5880 sizeof(s->exchange_hash));
5881 ssh->v2_session_id_len = ssh->kex->hash->hlen;
5882 assert(ssh->v2_session_id_len <= sizeof(ssh->v2_session_id));
5883 s->got_session_id = TRUE;
5884 }
5885
5886 /*
5887 * Send SSH2_MSG_NEWKEYS.
5888 */
5889 s->pktout = ssh2_pkt_init(SSH2_MSG_NEWKEYS);
5890 ssh2_pkt_send_noqueue(ssh, s->pktout);
5891 ssh->outgoing_data_size = 0; /* start counting from here */
5892
5893 /*
5894 * We've sent client NEWKEYS, so create and initialise
5895 * client-to-server session keys.
5896 */
5897 if (ssh->cs_cipher_ctx)
5898 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
5899 ssh->cscipher = s->cscipher_tobe;
5900 ssh->cs_cipher_ctx = ssh->cscipher->make_context();
5901
5902 if (ssh->cs_mac_ctx)
5903 ssh->csmac->free_context(ssh->cs_mac_ctx);
5904 ssh->csmac = s->csmac_tobe;
5905 ssh->cs_mac_ctx = ssh->csmac->make_context();
5906
5907 if (ssh->cs_comp_ctx)
5908 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
5909 ssh->cscomp = s->cscomp_tobe;
5910 ssh->cs_comp_ctx = ssh->cscomp->compress_init();
5911
5912 /*
5913 * Set IVs on client-to-server keys. Here we use the exchange
5914 * hash from the _first_ key exchange.
5915 */
5916 {
5917 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
5918 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5919 ssh2_mkkey(ssh,s->K,s->exchange_hash,'C',keyspace);
5920 assert((ssh->cscipher->keylen+7) / 8 <=
5921 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5922 ssh->cscipher->setkey(ssh->cs_cipher_ctx, keyspace);
5923 ssh2_mkkey(ssh,s->K,s->exchange_hash,'A',keyspace);
5924 assert(ssh->cscipher->blksize <=
5925 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5926 ssh->cscipher->setiv(ssh->cs_cipher_ctx, keyspace);
5927 ssh2_mkkey(ssh,s->K,s->exchange_hash,'E',keyspace);
5928 assert(ssh->csmac->len <=
5929 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5930 ssh->csmac->setkey(ssh->cs_mac_ctx, keyspace);
5931 memset(keyspace, 0, sizeof(keyspace));
5932 }
5933
5934 logeventf(ssh, "Initialised %.200s client->server encryption",
5935 ssh->cscipher->text_name);
5936 logeventf(ssh, "Initialised %.200s client->server MAC algorithm",
5937 ssh->csmac->text_name);
5938 if (ssh->cscomp->text_name)
5939 logeventf(ssh, "Initialised %s compression",
5940 ssh->cscomp->text_name);
5941
5942 /*
5943 * Now our end of the key exchange is complete, we can send all
5944 * our queued higher-layer packets.
5945 */
5946 ssh->queueing = FALSE;
5947 ssh2_pkt_queuesend(ssh);
5948
5949 /*
5950 * Expect SSH2_MSG_NEWKEYS from server.
5951 */
5952 crWaitUntil(pktin);
5953 if (pktin->type != SSH2_MSG_NEWKEYS) {
5954 bombout(("expected new-keys packet from server"));
5955 crStop(0);
5956 }
5957 ssh->incoming_data_size = 0; /* start counting from here */
5958
5959 /*
5960 * We've seen server NEWKEYS, so create and initialise
5961 * server-to-client session keys.
5962 */
5963 if (ssh->sc_cipher_ctx)
5964 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
5965 ssh->sccipher = s->sccipher_tobe;
5966 ssh->sc_cipher_ctx = ssh->sccipher->make_context();
5967
5968 if (ssh->sc_mac_ctx)
5969 ssh->scmac->free_context(ssh->sc_mac_ctx);
5970 ssh->scmac = s->scmac_tobe;
5971 ssh->sc_mac_ctx = ssh->scmac->make_context();
5972
5973 if (ssh->sc_comp_ctx)
5974 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
5975 ssh->sccomp = s->sccomp_tobe;
5976 ssh->sc_comp_ctx = ssh->sccomp->decompress_init();
5977
5978 /*
5979 * Set IVs on server-to-client keys. Here we use the exchange
5980 * hash from the _first_ key exchange.
5981 */
5982 {
5983 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
5984 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5985 ssh2_mkkey(ssh,s->K,s->exchange_hash,'D',keyspace);
5986 assert((ssh->sccipher->keylen+7) / 8 <=
5987 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5988 ssh->sccipher->setkey(ssh->sc_cipher_ctx, keyspace);
5989 ssh2_mkkey(ssh,s->K,s->exchange_hash,'B',keyspace);
5990 assert(ssh->sccipher->blksize <=
5991 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5992 ssh->sccipher->setiv(ssh->sc_cipher_ctx, keyspace);
5993 ssh2_mkkey(ssh,s->K,s->exchange_hash,'F',keyspace);
5994 assert(ssh->scmac->len <=
5995 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5996 ssh->scmac->setkey(ssh->sc_mac_ctx, keyspace);
5997 memset(keyspace, 0, sizeof(keyspace));
5998 }
5999 logeventf(ssh, "Initialised %.200s server->client encryption",
6000 ssh->sccipher->text_name);
6001 logeventf(ssh, "Initialised %.200s server->client MAC algorithm",
6002 ssh->scmac->text_name);
6003 if (ssh->sccomp->text_name)
6004 logeventf(ssh, "Initialised %s decompression",
6005 ssh->sccomp->text_name);
6006
6007 /*
6008 * Free shared secret.
6009 */
6010 freebn(s->K);
6011
6012 /*
6013 * Key exchange is over. Loop straight back round if we have a
6014 * deferred rekey reason.
6015 */
6016 if (ssh->deferred_rekey_reason) {
6017 logevent(ssh->deferred_rekey_reason);
6018 pktin = NULL;
6019 ssh->deferred_rekey_reason = NULL;
6020 goto begin_key_exchange;
6021 }
6022
6023 /*
6024 * Otherwise, schedule a timer for our next rekey.
6025 */
6026 ssh->kex_in_progress = FALSE;
6027 ssh->last_rekey = GETTICKCOUNT();
6028 if (ssh->cfg.ssh_rekey_time != 0)
6029 ssh->next_rekey = schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
6030 ssh2_timer, ssh);
6031
6032 /*
6033 * If this is the first key exchange phase, we must pass the
6034 * SSH2_MSG_NEWKEYS packet to the next layer, not because it
6035 * wants to see it but because it will need time to initialise
6036 * itself before it sees an actual packet. In subsequent key
6037 * exchange phases, we don't pass SSH2_MSG_NEWKEYS on, because
6038 * it would only confuse the layer above.
6039 */
6040 if (s->activated_authconn) {
6041 crReturn(0);
6042 }
6043 s->activated_authconn = TRUE;
6044
6045 /*
6046 * Now we're encrypting. Begin returning 1 to the protocol main
6047 * function so that other things can run on top of the
6048 * transport. If we ever see a KEXINIT, we must go back to the
6049 * start.
6050 *
6051 * We _also_ go back to the start if we see pktin==NULL and
6052 * inlen==-1, because this is a special signal meaning
6053 * `initiate client-driven rekey', and `in' contains a message
6054 * giving the reason for the rekey.
6055 */
6056 while (!((pktin && pktin->type == SSH2_MSG_KEXINIT) ||
6057 (!pktin && inlen == -1))) {
6058 wait_for_rekey:
6059 crReturn(1);
6060 }
6061 if (pktin) {
6062 logevent("Server initiated key re-exchange");
6063 } else {
6064 /*
6065 * Special case: if the server bug is set that doesn't
6066 * allow rekeying, we give a different log message and
6067 * continue waiting. (If such a server _initiates_ a rekey,
6068 * we process it anyway!)
6069 */
6070 if ((ssh->remote_bugs & BUG_SSH2_REKEY)) {
6071 logeventf(ssh, "Server bug prevents key re-exchange (%s)",
6072 (char *)in);
6073 /* Reset the counters, so that at least this message doesn't
6074 * hit the event log _too_ often. */
6075 ssh->outgoing_data_size = 0;
6076 ssh->incoming_data_size = 0;
6077 if (ssh->cfg.ssh_rekey_time != 0) {
6078 ssh->next_rekey =
6079 schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
6080 ssh2_timer, ssh);
6081 }
6082 goto wait_for_rekey; /* this is utterly horrid */
6083 } else {
6084 logeventf(ssh, "Initiating key re-exchange (%s)", (char *)in);
6085 }
6086 }
6087 goto begin_key_exchange;
6088
6089 crFinish(1);
6090 }
6091
6092 /*
6093 * Add data to an SSH-2 channel output buffer.
6094 */
6095 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf,
6096 int len)
6097 {
6098 bufchain_add(&c->v.v2.outbuffer, buf, len);
6099 }
6100
6101 /*
6102 * Attempt to send data on an SSH-2 channel.
6103 */
6104 static int ssh2_try_send(struct ssh_channel *c)
6105 {
6106 Ssh ssh = c->ssh;
6107 struct Packet *pktout;
6108
6109 while (c->v.v2.remwindow > 0 && bufchain_size(&c->v.v2.outbuffer) > 0) {
6110 int len;
6111 void *data;
6112 bufchain_prefix(&c->v.v2.outbuffer, &data, &len);
6113 if ((unsigned)len > c->v.v2.remwindow)
6114 len = c->v.v2.remwindow;
6115 if ((unsigned)len > c->v.v2.remmaxpkt)
6116 len = c->v.v2.remmaxpkt;
6117 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_DATA);
6118 ssh2_pkt_adduint32(pktout, c->remoteid);
6119 dont_log_data(ssh, pktout, PKTLOG_OMIT);
6120 ssh2_pkt_addstring_start(pktout);
6121 ssh2_pkt_addstring_data(pktout, data, len);
6122 end_log_omission(ssh, pktout);
6123 ssh2_pkt_send(ssh, pktout);
6124 bufchain_consume(&c->v.v2.outbuffer, len);
6125 c->v.v2.remwindow -= len;
6126 }
6127
6128 /*
6129 * After having sent as much data as we can, return the amount
6130 * still buffered.
6131 */
6132 return bufchain_size(&c->v.v2.outbuffer);
6133 }
6134
6135 static void ssh2_try_send_and_unthrottle(struct ssh_channel *c)
6136 {
6137 int bufsize;
6138 if (c->closes)
6139 return; /* don't send on closing channels */
6140 bufsize = ssh2_try_send(c);
6141 if (bufsize == 0) {
6142 switch (c->type) {
6143 case CHAN_MAINSESSION:
6144 /* stdin need not receive an unthrottle
6145 * notification since it will be polled */
6146 break;
6147 case CHAN_X11:
6148 x11_unthrottle(c->u.x11.s);
6149 break;
6150 case CHAN_AGENT:
6151 /* agent sockets are request/response and need no
6152 * buffer management */
6153 break;
6154 case CHAN_SOCKDATA:
6155 pfd_unthrottle(c->u.pfd.s);
6156 break;
6157 }
6158 }
6159 }
6160
6161 /*
6162 * Potentially enlarge the window on an SSH-2 channel.
6163 */
6164 static void ssh2_set_window(struct ssh_channel *c, unsigned newwin)
6165 {
6166 Ssh ssh = c->ssh;
6167
6168 /*
6169 * Never send WINDOW_ADJUST for a channel that the remote side
6170 * already thinks it's closed; there's no point, since it won't
6171 * be sending any more data anyway.
6172 */
6173 if (c->closes != 0)
6174 return;
6175
6176 /*
6177 * Only send a WINDOW_ADJUST if there's significantly more window
6178 * available than the other end thinks there is. This saves us
6179 * sending a WINDOW_ADJUST for every character in a shell session.
6180 *
6181 * "Significant" is arbitrarily defined as half the window size.
6182 */
6183 if (newwin > c->v.v2.locwindow * 2) {
6184 struct Packet *pktout;
6185
6186 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
6187 ssh2_pkt_adduint32(pktout, c->remoteid);
6188 ssh2_pkt_adduint32(pktout, newwin - c->v.v2.locwindow);
6189 ssh2_pkt_send(ssh, pktout);
6190 c->v.v2.locwindow = newwin;
6191 }
6192 }
6193
6194 static void ssh2_msg_channel_window_adjust(Ssh ssh, struct Packet *pktin)
6195 {
6196 unsigned i = ssh_pkt_getuint32(pktin);
6197 struct ssh_channel *c;
6198 c = find234(ssh->channels, &i, ssh_channelfind);
6199 if (c && !c->closes) {
6200 c->v.v2.remwindow += ssh_pkt_getuint32(pktin);
6201 ssh2_try_send_and_unthrottle(c);
6202 }
6203 }
6204
6205 static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
6206 {
6207 char *data;
6208 int length;
6209 unsigned i = ssh_pkt_getuint32(pktin);
6210 struct ssh_channel *c;
6211 c = find234(ssh->channels, &i, ssh_channelfind);
6212 if (!c)
6213 return; /* nonexistent channel */
6214 if (pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA &&
6215 ssh_pkt_getuint32(pktin) != SSH2_EXTENDED_DATA_STDERR)
6216 return; /* extended but not stderr */
6217 ssh_pkt_getstring(pktin, &data, &length);
6218 if (data) {
6219 int bufsize = 0;
6220 c->v.v2.locwindow -= length;
6221 switch (c->type) {
6222 case CHAN_MAINSESSION:
6223 bufsize =
6224 from_backend(ssh->frontend, pktin->type ==
6225 SSH2_MSG_CHANNEL_EXTENDED_DATA,
6226 data, length);
6227 break;
6228 case CHAN_X11:
6229 bufsize = x11_send(c->u.x11.s, data, length);
6230 break;
6231 case CHAN_SOCKDATA:
6232 bufsize = pfd_send(c->u.pfd.s, data, length);
6233 break;
6234 case CHAN_AGENT:
6235 while (length > 0) {
6236 if (c->u.a.lensofar < 4) {
6237 unsigned int l = min(4 - c->u.a.lensofar,
6238 (unsigned)length);
6239 memcpy(c->u.a.msglen + c->u.a.lensofar,
6240 data, l);
6241 data += l;
6242 length -= l;
6243 c->u.a.lensofar += l;
6244 }
6245 if (c->u.a.lensofar == 4) {
6246 c->u.a.totallen =
6247 4 + GET_32BIT(c->u.a.msglen);
6248 c->u.a.message = snewn(c->u.a.totallen,
6249 unsigned char);
6250 memcpy(c->u.a.message, c->u.a.msglen, 4);
6251 }
6252 if (c->u.a.lensofar >= 4 && length > 0) {
6253 unsigned int l =
6254 min(c->u.a.totallen - c->u.a.lensofar,
6255 (unsigned)length);
6256 memcpy(c->u.a.message + c->u.a.lensofar,
6257 data, l);
6258 data += l;
6259 length -= l;
6260 c->u.a.lensofar += l;
6261 }
6262 if (c->u.a.lensofar == c->u.a.totallen) {
6263 void *reply;
6264 int replylen;
6265 if (agent_query(c->u.a.message,
6266 c->u.a.totallen,
6267 &reply, &replylen,
6268 ssh_agentf_callback, c))
6269 ssh_agentf_callback(c, reply, replylen);
6270 sfree(c->u.a.message);
6271 c->u.a.lensofar = 0;
6272 }
6273 }
6274 bufsize = 0;
6275 break;
6276 }
6277 /*
6278 * If we are not buffering too much data,
6279 * enlarge the window again at the remote side.
6280 */
6281 if (bufsize < OUR_V2_WINSIZE)
6282 ssh2_set_window(c, OUR_V2_WINSIZE - bufsize);
6283 }
6284 }
6285
6286 static void ssh2_msg_channel_eof(Ssh ssh, struct Packet *pktin)
6287 {
6288 unsigned i = ssh_pkt_getuint32(pktin);
6289 struct ssh_channel *c;
6290
6291 c = find234(ssh->channels, &i, ssh_channelfind);
6292 if (!c)
6293 return; /* nonexistent channel */
6294
6295 if (c->type == CHAN_X11) {
6296 /*
6297 * Remote EOF on an X11 channel means we should
6298 * wrap up and close the channel ourselves.
6299 */
6300 x11_close(c->u.x11.s);
6301 sshfwd_close(c);
6302 } else if (c->type == CHAN_AGENT) {
6303 sshfwd_close(c);
6304 } else if (c->type == CHAN_SOCKDATA) {
6305 pfd_close(c->u.pfd.s);
6306 sshfwd_close(c);
6307 }
6308 }
6309
6310 static void ssh2_msg_channel_close(Ssh ssh, struct Packet *pktin)
6311 {
6312 unsigned i = ssh_pkt_getuint32(pktin);
6313 struct ssh_channel *c;
6314 struct Packet *pktout;
6315
6316 c = find234(ssh->channels, &i, ssh_channelfind);
6317 if (!c || c->halfopen) {
6318 bombout(("Received CHANNEL_CLOSE for %s channel %d\n",
6319 c ? "half-open" : "nonexistent", i));
6320 return;
6321 }
6322 /* Do pre-close processing on the channel. */
6323 switch (c->type) {
6324 case CHAN_MAINSESSION:
6325 ssh->mainchan = NULL;
6326 update_specials_menu(ssh->frontend);
6327 break;
6328 case CHAN_X11:
6329 if (c->u.x11.s != NULL)
6330 x11_close(c->u.x11.s);
6331 sshfwd_close(c);
6332 break;
6333 case CHAN_AGENT:
6334 sshfwd_close(c);
6335 break;
6336 case CHAN_SOCKDATA:
6337 if (c->u.pfd.s != NULL)
6338 pfd_close(c->u.pfd.s);
6339 sshfwd_close(c);
6340 break;
6341 }
6342 if (c->closes == 0) {
6343 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6344 ssh2_pkt_adduint32(pktout, c->remoteid);
6345 ssh2_pkt_send(ssh, pktout);
6346 }
6347 del234(ssh->channels, c);
6348 bufchain_clear(&c->v.v2.outbuffer);
6349 sfree(c);
6350
6351 /*
6352 * See if that was the last channel left open.
6353 * (This is only our termination condition if we're
6354 * not running in -N mode.)
6355 */
6356 if (!ssh->cfg.ssh_no_shell && count234(ssh->channels) == 0) {
6357 /*
6358 * We used to send SSH_MSG_DISCONNECT here,
6359 * because I'd believed that _every_ conforming
6360 * SSH-2 connection had to end with a disconnect
6361 * being sent by at least one side; apparently
6362 * I was wrong and it's perfectly OK to
6363 * unceremoniously slam the connection shut
6364 * when you're done, and indeed OpenSSH feels
6365 * this is more polite than sending a
6366 * DISCONNECT. So now we don't.
6367 */
6368 ssh_disconnect(ssh, "All channels closed", NULL, 0, TRUE);
6369 }
6370 }
6371
6372 static void ssh2_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
6373 {
6374 unsigned i = ssh_pkt_getuint32(pktin);
6375 struct ssh_channel *c;
6376 struct Packet *pktout;
6377
6378 c = find234(ssh->channels, &i, ssh_channelfind);
6379 if (!c)
6380 return; /* nonexistent channel */
6381 if (c->type != CHAN_SOCKDATA_DORMANT)
6382 return; /* dunno why they're confirming this */
6383 c->remoteid = ssh_pkt_getuint32(pktin);
6384 c->halfopen = FALSE;
6385 c->type = CHAN_SOCKDATA;
6386 c->v.v2.remwindow = ssh_pkt_getuint32(pktin);
6387 c->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
6388 if (c->u.pfd.s)
6389 pfd_confirm(c->u.pfd.s);
6390 if (c->closes) {
6391 /*
6392 * We have a pending close on this channel,
6393 * which we decided on before the server acked
6394 * the channel open. So now we know the
6395 * remoteid, we can close it again.
6396 */
6397 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6398 ssh2_pkt_adduint32(pktout, c->remoteid);
6399 ssh2_pkt_send(ssh, pktout);
6400 }
6401 }
6402
6403 static void ssh2_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
6404 {
6405 static const char *const reasons[] = {
6406 "<unknown reason code>",
6407 "Administratively prohibited",
6408 "Connect failed",
6409 "Unknown channel type",
6410 "Resource shortage",
6411 };
6412 unsigned i = ssh_pkt_getuint32(pktin);
6413 unsigned reason_code;
6414 char *reason_string;
6415 int reason_length;
6416 struct ssh_channel *c;
6417 c = find234(ssh->channels, &i, ssh_channelfind);
6418 if (!c)
6419 return; /* nonexistent channel */
6420 if (c->type != CHAN_SOCKDATA_DORMANT)
6421 return; /* dunno why they're failing this */
6422
6423 reason_code = ssh_pkt_getuint32(pktin);
6424 if (reason_code >= lenof(reasons))
6425 reason_code = 0; /* ensure reasons[reason_code] in range */
6426 ssh_pkt_getstring(pktin, &reason_string, &reason_length);
6427 logeventf(ssh, "Forwarded connection refused by server: %s [%.*s]",
6428 reasons[reason_code], reason_length, reason_string);
6429
6430 pfd_close(c->u.pfd.s);
6431
6432 del234(ssh->channels, c);
6433 sfree(c);
6434 }
6435
6436 static void ssh2_msg_channel_request(Ssh ssh, struct Packet *pktin)
6437 {
6438 unsigned localid;
6439 char *type;
6440 int typelen, want_reply;
6441 int reply = SSH2_MSG_CHANNEL_FAILURE; /* default */
6442 struct ssh_channel *c;
6443 struct Packet *pktout;
6444
6445 localid = ssh_pkt_getuint32(pktin);
6446 ssh_pkt_getstring(pktin, &type, &typelen);
6447 want_reply = ssh2_pkt_getbool(pktin);
6448
6449 /*
6450 * First, check that the channel exists. Otherwise,
6451 * we can instantly disconnect with a rude message.
6452 */
6453 c = find234(ssh->channels, &localid, ssh_channelfind);
6454 if (!c) {
6455 char *buf = dupprintf("Received channel request for nonexistent"
6456 " channel %d", localid);
6457 ssh_disconnect(ssh, NULL, buf, SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6458 sfree(buf);
6459 return;
6460 }
6461
6462 /*
6463 * Having got the channel number, we now look at
6464 * the request type string to see if it's something
6465 * we recognise.
6466 */
6467 if (c == ssh->mainchan) {
6468 /*
6469 * We recognise "exit-status" and "exit-signal" on
6470 * the primary channel.
6471 */
6472 if (typelen == 11 &&
6473 !memcmp(type, "exit-status", 11)) {
6474
6475 ssh->exitcode = ssh_pkt_getuint32(pktin);
6476 logeventf(ssh, "Server sent command exit status %d",
6477 ssh->exitcode);
6478 reply = SSH2_MSG_CHANNEL_SUCCESS;
6479
6480 } else if (typelen == 11 &&
6481 !memcmp(type, "exit-signal", 11)) {
6482
6483 int is_plausible = TRUE, is_int = FALSE;
6484 char *fmt_sig = "", *fmt_msg = "";
6485 char *msg;
6486 int msglen = 0, core = FALSE;
6487 /* ICK: older versions of OpenSSH (e.g. 3.4p1)
6488 * provide an `int' for the signal, despite its
6489 * having been a `string' in the drafts since at
6490 * least 2001. (Fixed in session.c 1.147.) Try to
6491 * infer which we can safely parse it as. */
6492 {
6493 unsigned char *p = pktin->body +
6494 pktin->savedpos;
6495 long len = pktin->length - pktin->savedpos;
6496 unsigned long num = GET_32BIT(p); /* what is it? */
6497 /* If it's 0, it hardly matters; assume string */
6498 if (num == 0) {
6499 is_int = FALSE;
6500 } else {
6501 int maybe_int = FALSE, maybe_str = FALSE;
6502 #define CHECK_HYPOTHESIS(offset, result) \
6503 do { \
6504 long q = offset; \
6505 if (q >= 0 && q+4 <= len) { \
6506 q = q + 4 + GET_32BIT(p+q); \
6507 if (q >= 0 && q+4 <= len && \
6508 ((q = q + 4 + GET_32BIT(p+q))!= 0) && q == len) \
6509 result = TRUE; \
6510 } \
6511 } while(0)
6512 CHECK_HYPOTHESIS(4+1, maybe_int);
6513 CHECK_HYPOTHESIS(4+num+1, maybe_str);
6514 #undef CHECK_HYPOTHESIS
6515 if (maybe_int && !maybe_str)
6516 is_int = TRUE;
6517 else if (!maybe_int && maybe_str)
6518 is_int = FALSE;
6519 else
6520 /* Crikey. Either or neither. Panic. */
6521 is_plausible = FALSE;
6522 }
6523 }
6524 ssh->exitcode = 128; /* means `unknown signal' */
6525 if (is_plausible) {
6526 if (is_int) {
6527 /* Old non-standard OpenSSH. */
6528 int signum = ssh_pkt_getuint32(pktin);
6529 fmt_sig = dupprintf(" %d", signum);
6530 ssh->exitcode = 128 + signum;
6531 } else {
6532 /* As per the drafts. */
6533 char *sig;
6534 int siglen;
6535 ssh_pkt_getstring(pktin, &sig, &siglen);
6536 /* Signal name isn't supposed to be blank, but
6537 * let's cope gracefully if it is. */
6538 if (siglen) {
6539 fmt_sig = dupprintf(" \"%.*s\"",
6540 siglen, sig);
6541 }
6542
6543 /*
6544 * Really hideous method of translating the
6545 * signal description back into a locally
6546 * meaningful number.
6547 */
6548
6549 if (0)
6550 ;
6551 #define TRANSLATE_SIGNAL(s) \
6552 else if (siglen == lenof(#s)-1 && !memcmp(sig, #s, siglen)) \
6553 ssh->exitcode = 128 + SIG ## s
6554 #ifdef SIGABRT
6555 TRANSLATE_SIGNAL(ABRT);
6556 #endif
6557 #ifdef SIGALRM
6558 TRANSLATE_SIGNAL(ALRM);
6559 #endif
6560 #ifdef SIGFPE
6561 TRANSLATE_SIGNAL(FPE);
6562 #endif
6563 #ifdef SIGHUP
6564 TRANSLATE_SIGNAL(HUP);
6565 #endif
6566 #ifdef SIGILL
6567 TRANSLATE_SIGNAL(ILL);
6568 #endif
6569 #ifdef SIGINT
6570 TRANSLATE_SIGNAL(INT);
6571 #endif
6572 #ifdef SIGKILL
6573 TRANSLATE_SIGNAL(KILL);
6574 #endif
6575 #ifdef SIGPIPE
6576 TRANSLATE_SIGNAL(PIPE);
6577 #endif
6578 #ifdef SIGQUIT
6579 TRANSLATE_SIGNAL(QUIT);
6580 #endif
6581 #ifdef SIGSEGV
6582 TRANSLATE_SIGNAL(SEGV);
6583 #endif
6584 #ifdef SIGTERM
6585 TRANSLATE_SIGNAL(TERM);
6586 #endif
6587 #ifdef SIGUSR1
6588 TRANSLATE_SIGNAL(USR1);
6589 #endif
6590 #ifdef SIGUSR2
6591 TRANSLATE_SIGNAL(USR2);
6592 #endif
6593 #undef TRANSLATE_SIGNAL
6594 else
6595 ssh->exitcode = 128;
6596 }
6597 core = ssh2_pkt_getbool(pktin);
6598 ssh_pkt_getstring(pktin, &msg, &msglen);
6599 if (msglen) {
6600 fmt_msg = dupprintf(" (\"%.*s\")", msglen, msg);
6601 }
6602 /* ignore lang tag */
6603 } /* else don't attempt to parse */
6604 logeventf(ssh, "Server exited on signal%s%s%s",
6605 fmt_sig, core ? " (core dumped)" : "",
6606 fmt_msg);
6607 if (*fmt_sig) sfree(fmt_sig);
6608 if (*fmt_msg) sfree(fmt_msg);
6609 reply = SSH2_MSG_CHANNEL_SUCCESS;
6610
6611 }
6612 } else {
6613 /*
6614 * This is a channel request we don't know
6615 * about, so we now either ignore the request
6616 * or respond with CHANNEL_FAILURE, depending
6617 * on want_reply.
6618 */
6619 reply = SSH2_MSG_CHANNEL_FAILURE;
6620 }
6621 if (want_reply) {
6622 pktout = ssh2_pkt_init(reply);
6623 ssh2_pkt_adduint32(pktout, c->remoteid);
6624 ssh2_pkt_send(ssh, pktout);
6625 }
6626 }
6627
6628 static void ssh2_msg_global_request(Ssh ssh, struct Packet *pktin)
6629 {
6630 char *type;
6631 int typelen, want_reply;
6632 struct Packet *pktout;
6633
6634 ssh_pkt_getstring(pktin, &type, &typelen);
6635 want_reply = ssh2_pkt_getbool(pktin);
6636
6637 /*
6638 * We currently don't support any global requests
6639 * at all, so we either ignore the request or
6640 * respond with REQUEST_FAILURE, depending on
6641 * want_reply.
6642 */
6643 if (want_reply) {
6644 pktout = ssh2_pkt_init(SSH2_MSG_REQUEST_FAILURE);
6645 ssh2_pkt_send(ssh, pktout);
6646 }
6647 }
6648
6649 static void ssh2_msg_channel_open(Ssh ssh, struct Packet *pktin)
6650 {
6651 char *type;
6652 int typelen;
6653 char *peeraddr;
6654 int peeraddrlen;
6655 int peerport;
6656 char *error = NULL;
6657 struct ssh_channel *c;
6658 unsigned remid, winsize, pktsize;
6659 struct Packet *pktout;
6660
6661 ssh_pkt_getstring(pktin, &type, &typelen);
6662 c = snew(struct ssh_channel);
6663 c->ssh = ssh;
6664
6665 remid = ssh_pkt_getuint32(pktin);
6666 winsize = ssh_pkt_getuint32(pktin);
6667 pktsize = ssh_pkt_getuint32(pktin);
6668
6669 if (typelen == 3 && !memcmp(type, "x11", 3)) {
6670 char *addrstr;
6671
6672 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
6673 addrstr = snewn(peeraddrlen+1, char);
6674 memcpy(addrstr, peeraddr, peeraddrlen);
6675 addrstr[peeraddrlen] = '\0';
6676 peerport = ssh_pkt_getuint32(pktin);
6677
6678 logeventf(ssh, "Received X11 connect request from %s:%d",
6679 addrstr, peerport);
6680
6681 if (!ssh->X11_fwd_enabled)
6682 error = "X11 forwarding is not enabled";
6683 else if (x11_init(&c->u.x11.s, ssh->cfg.x11_display, c,
6684 ssh->x11auth, addrstr, peerport,
6685 &ssh->cfg) != NULL) {
6686 error = "Unable to open an X11 connection";
6687 } else {
6688 logevent("Opening X11 forward connection succeeded");
6689 c->type = CHAN_X11;
6690 }
6691
6692 sfree(addrstr);
6693 } else if (typelen == 15 &&
6694 !memcmp(type, "forwarded-tcpip", 15)) {
6695 struct ssh_rportfwd pf, *realpf;
6696 char *dummy;
6697 int dummylen;
6698 ssh_pkt_getstring(pktin, &dummy, &dummylen);/* skip address */
6699 pf.sport = ssh_pkt_getuint32(pktin);
6700 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
6701 peerport = ssh_pkt_getuint32(pktin);
6702 realpf = find234(ssh->rportfwds, &pf, NULL);
6703 logeventf(ssh, "Received remote port %d open request "
6704 "from %s:%d", pf.sport, peeraddr, peerport);
6705 if (realpf == NULL) {
6706 error = "Remote port is not recognised";
6707 } else {
6708 const char *e = pfd_newconnect(&c->u.pfd.s,
6709 realpf->dhost,
6710 realpf->dport, c,
6711 &ssh->cfg,
6712 realpf->pfrec->addressfamily);
6713 logeventf(ssh, "Attempting to forward remote port to "
6714 "%s:%d", realpf->dhost, realpf->dport);
6715 if (e != NULL) {
6716 logeventf(ssh, "Port open failed: %s", e);
6717 error = "Port open failed";
6718 } else {
6719 logevent("Forwarded port opened successfully");
6720 c->type = CHAN_SOCKDATA;
6721 }
6722 }
6723 } else if (typelen == 22 &&
6724 !memcmp(type, "auth-agent@openssh.com", 22)) {
6725 if (!ssh->agentfwd_enabled)
6726 error = "Agent forwarding is not enabled";
6727 else {
6728 c->type = CHAN_AGENT; /* identify channel type */
6729 c->u.a.lensofar = 0;
6730 }
6731 } else {
6732 error = "Unsupported channel type requested";
6733 }
6734
6735 c->remoteid = remid;
6736 c->halfopen = FALSE;
6737 if (error) {
6738 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_FAILURE);
6739 ssh2_pkt_adduint32(pktout, c->remoteid);
6740 ssh2_pkt_adduint32(pktout, SSH2_OPEN_CONNECT_FAILED);
6741 ssh2_pkt_addstring(pktout, error);
6742 ssh2_pkt_addstring(pktout, "en"); /* language tag */
6743 ssh2_pkt_send(ssh, pktout);
6744 logeventf(ssh, "Rejected channel open: %s", error);
6745 sfree(c);
6746 } else {
6747 c->localid = alloc_channel_id(ssh);
6748 c->closes = 0;
6749 c->v.v2.locwindow = OUR_V2_WINSIZE;
6750 c->v.v2.remwindow = winsize;
6751 c->v.v2.remmaxpkt = pktsize;
6752 bufchain_init(&c->v.v2.outbuffer);
6753 add234(ssh->channels, c);
6754 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
6755 ssh2_pkt_adduint32(pktout, c->remoteid);
6756 ssh2_pkt_adduint32(pktout, c->localid);
6757 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);
6758 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
6759 ssh2_pkt_send(ssh, pktout);
6760 }
6761 }
6762
6763 /*
6764 * Buffer banner messages for later display at some convenient point.
6765 */
6766 static void ssh2_msg_userauth_banner(Ssh ssh, struct Packet *pktin)
6767 {
6768 /* Arbitrary limit to prevent unbounded inflation of buffer */
6769 if (bufchain_size(&ssh->banner) <= 131072) {
6770 char *banner = NULL;
6771 int size = 0;
6772 ssh_pkt_getstring(pktin, &banner, &size);
6773 if (banner)
6774 bufchain_add(&ssh->banner, banner, size);
6775 }
6776 }
6777
6778 /* Helper function to deal with sending tty modes for "pty-req" */
6779 static void ssh2_send_ttymode(void *data, char *mode, char *val)
6780 {
6781 struct Packet *pktout = (struct Packet *)data;
6782 int i = 0;
6783 unsigned int arg = 0;
6784 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
6785 if (i == lenof(ssh_ttymodes)) return;
6786 switch (ssh_ttymodes[i].type) {
6787 case TTY_OP_CHAR:
6788 arg = ssh_tty_parse_specchar(val);
6789 break;
6790 case TTY_OP_BOOL:
6791 arg = ssh_tty_parse_boolean(val);
6792 break;
6793 }
6794 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
6795 ssh2_pkt_adduint32(pktout, arg);
6796 }
6797
6798 /*
6799 * Handle the SSH-2 userauth and connection layers.
6800 */
6801 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
6802 struct Packet *pktin)
6803 {
6804 struct do_ssh2_authconn_state {
6805 enum {
6806 AUTH_TYPE_NONE,
6807 AUTH_TYPE_PUBLICKEY,
6808 AUTH_TYPE_PUBLICKEY_OFFER_LOUD,
6809 AUTH_TYPE_PUBLICKEY_OFFER_QUIET,
6810 AUTH_TYPE_PASSWORD,
6811 AUTH_TYPE_KEYBOARD_INTERACTIVE,
6812 AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
6813 } type;
6814 int done_service_req;
6815 int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter;
6816 int tried_pubkey_config, done_agent;
6817 int kbd_inter_refused;
6818 int we_are_in;
6819 prompts_t *cur_prompt;
6820 int num_prompts;
6821 char username[100];
6822 char *password;
6823 int got_username;
6824 void *publickey_blob;
6825 int publickey_bloblen;
6826 int publickey_encrypted;
6827 char *publickey_algorithm;
6828 char *publickey_comment;
6829 unsigned char agent_request[5], *agent_response, *agentp;
6830 int agent_responselen;
6831 unsigned char *pkblob_in_agent;
6832 int keyi, nkeys;
6833 char *pkblob, *alg, *commentp;
6834 int pklen, alglen, commentlen;
6835 int siglen, retlen, len;
6836 char *q, *agentreq, *ret;
6837 int try_send;
6838 int num_env, env_left, env_ok;
6839 struct Packet *pktout;
6840 };
6841 crState(do_ssh2_authconn_state);
6842
6843 crBegin(ssh->do_ssh2_authconn_crstate);
6844
6845 s->done_service_req = FALSE;
6846 s->we_are_in = FALSE;
6847 if (!ssh->cfg.ssh_no_userauth) {
6848 /*
6849 * Request userauth protocol, and await a response to it.
6850 */
6851 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
6852 ssh2_pkt_addstring(s->pktout, "ssh-userauth");
6853 ssh2_pkt_send(ssh, s->pktout);
6854 crWaitUntilV(pktin);
6855 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT)
6856 s->done_service_req = TRUE;
6857 }
6858 if (!s->done_service_req) {
6859 /*
6860 * Request connection protocol directly, without authentication.
6861 */
6862 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
6863 ssh2_pkt_addstring(s->pktout, "ssh-connection");
6864 ssh2_pkt_send(ssh, s->pktout);
6865 crWaitUntilV(pktin);
6866 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) {
6867 s->we_are_in = TRUE; /* no auth required */
6868 } else {
6869 bombout(("Server refused service request"));
6870 crStopV;
6871 }
6872 }
6873
6874 /* Arrange to be able to deal with any BANNERs that come in.
6875 * (We do this now as packets may come in during the next bit.) */
6876 bufchain_init(&ssh->banner);
6877 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] =
6878 ssh2_msg_userauth_banner;
6879
6880 /*
6881 * Misc one-time setup for authentication.
6882 */
6883 s->publickey_blob = NULL;
6884 if (!s->we_are_in) {
6885
6886 /*
6887 * Load the public half of any configured public key file
6888 * for later use.
6889 */
6890 if (!filename_is_null(ssh->cfg.keyfile)) {
6891 int keytype;
6892 logeventf(ssh, "Reading private key file \"%.150s\"",
6893 filename_to_str(&ssh->cfg.keyfile));
6894 keytype = key_type(&ssh->cfg.keyfile);
6895 if (keytype == SSH_KEYTYPE_SSH2) {
6896 const char *error;
6897 s->publickey_blob =
6898 ssh2_userkey_loadpub(&ssh->cfg.keyfile,
6899 &s->publickey_algorithm,
6900 &s->publickey_bloblen,
6901 &s->publickey_comment, &error);
6902 if (s->publickey_blob) {
6903 s->publickey_encrypted =
6904 ssh2_userkey_encrypted(&ssh->cfg.keyfile, NULL);
6905 } else {
6906 char *msgbuf;
6907 logeventf(ssh, "Unable to load private key (%s)",
6908 error);
6909 msgbuf = dupprintf("Unable to load private key file "
6910 "\"%.150s\" (%s)\r\n",
6911 filename_to_str(&ssh->cfg.keyfile),
6912 error);
6913 c_write_str(ssh, msgbuf);
6914 sfree(msgbuf);
6915 }
6916 } else {
6917 char *msgbuf;
6918 logeventf(ssh, "Unable to use this key file (%s)",
6919 key_type_to_str(keytype));
6920 msgbuf = dupprintf("Unable to use key file \"%.150s\""
6921 " (%s)\r\n",
6922 filename_to_str(&ssh->cfg.keyfile),
6923 key_type_to_str(keytype));
6924 c_write_str(ssh, msgbuf);
6925 sfree(msgbuf);
6926 s->publickey_blob = NULL;
6927 }
6928 }
6929
6930 /*
6931 * Find out about any keys Pageant has (but if there's a
6932 * public key configured, filter out all others).
6933 */
6934 s->nkeys = 0;
6935 s->agent_response = NULL;
6936 s->pkblob_in_agent = NULL;
6937 if (ssh->cfg.tryagent && agent_exists()) {
6938
6939 void *r;
6940
6941 logevent("Pageant is running. Requesting keys.");
6942
6943 /* Request the keys held by the agent. */
6944 PUT_32BIT(s->agent_request, 1);
6945 s->agent_request[4] = SSH2_AGENTC_REQUEST_IDENTITIES;
6946 if (!agent_query(s->agent_request, 5, &r, &s->agent_responselen,
6947 ssh_agent_callback, ssh)) {
6948 do {
6949 crReturnV;
6950 if (pktin) {
6951 bombout(("Unexpected data from server while"
6952 " waiting for agent response"));
6953 crStopV;
6954 }
6955 } while (pktin || inlen > 0);
6956 r = ssh->agent_response;
6957 s->agent_responselen = ssh->agent_response_len;
6958 }
6959 s->agent_response = (unsigned char *) r;
6960 if (s->agent_response && s->agent_responselen >= 5 &&
6961 s->agent_response[4] == SSH2_AGENT_IDENTITIES_ANSWER) {
6962 int keyi;
6963 unsigned char *p;
6964 p = s->agent_response + 5;
6965 s->nkeys = GET_32BIT(p);
6966 p += 4;
6967 logeventf(ssh, "Pageant has %d SSH-2 keys", s->nkeys);
6968 if (s->publickey_blob) {
6969 /* See if configured key is in agent. */
6970 for (keyi = 0; keyi < s->nkeys; keyi++) {
6971 s->pklen = GET_32BIT(p);
6972 if (s->pklen == s->publickey_bloblen &&
6973 !memcmp(p+4, s->publickey_blob,
6974 s->publickey_bloblen)) {
6975 logeventf(ssh, "Pageant key #%d matches "
6976 "configured key file", keyi);
6977 s->keyi = keyi;
6978 s->pkblob_in_agent = p;
6979 break;
6980 }
6981 p += 4 + s->pklen;
6982 p += GET_32BIT(p) + 4; /* comment */
6983 }
6984 if (!s->pkblob_in_agent) {
6985 logevent("Configured key file not in Pageant");
6986 s->nkeys = 0;
6987 }
6988 }
6989 }
6990 }
6991
6992 }
6993
6994 /*
6995 * We repeat this whole loop, including the username prompt,
6996 * until we manage a successful authentication. If the user
6997 * types the wrong _password_, they can be sent back to the
6998 * beginning to try another username, if this is configured on.
6999 * (If they specify a username in the config, they are never
7000 * asked, even if they do give a wrong password.)
7001 *
7002 * I think this best serves the needs of
7003 *
7004 * - the people who have no configuration, no keys, and just
7005 * want to try repeated (username,password) pairs until they
7006 * type both correctly
7007 *
7008 * - people who have keys and configuration but occasionally
7009 * need to fall back to passwords
7010 *
7011 * - people with a key held in Pageant, who might not have
7012 * logged in to a particular machine before; so they want to
7013 * type a username, and then _either_ their key will be
7014 * accepted, _or_ they will type a password. If they mistype
7015 * the username they will want to be able to get back and
7016 * retype it!
7017 */
7018 s->username[0] = '\0';
7019 s->got_username = FALSE;
7020 while (!s->we_are_in) {
7021 /*
7022 * Get a username.
7023 */
7024 if (s->got_username && !ssh->cfg.change_username) {
7025 /*
7026 * We got a username last time round this loop, and
7027 * with change_username turned off we don't try to get
7028 * it again.
7029 */
7030 } else if (!*ssh->cfg.username) {
7031 int ret; /* need not be kept over crReturn */
7032 s->cur_prompt = new_prompts(ssh->frontend);
7033 s->cur_prompt->to_server = TRUE;
7034 s->cur_prompt->name = dupstr("SSH login name");
7035 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
7036 lenof(s->username));
7037 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7038 while (ret < 0) {
7039 ssh->send_ok = 1;
7040 crWaitUntilV(!pktin);
7041 ret = get_userpass_input(s->cur_prompt, in, inlen);
7042 ssh->send_ok = 0;
7043 }
7044 if (!ret) {
7045 /*
7046 * get_userpass_input() failed to get a username.
7047 * Terminate.
7048 */
7049 free_prompts(s->cur_prompt);
7050 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
7051 crStopV;
7052 }
7053 memcpy(s->username, s->cur_prompt->prompts[0]->result,
7054 lenof(s->username));
7055 free_prompts(s->cur_prompt);
7056 } else {
7057 char *stuff;
7058 strncpy(s->username, ssh->cfg.username, sizeof(s->username));
7059 s->username[sizeof(s->username)-1] = '\0';
7060 if ((flags & FLAG_VERBOSE) || (flags & FLAG_INTERACTIVE)) {
7061 stuff = dupprintf("Using username \"%s\".\r\n", s->username);
7062 c_write_str(ssh, stuff);
7063 sfree(stuff);
7064 }
7065 }
7066 s->got_username = TRUE;
7067
7068 /*
7069 * Send an authentication request using method "none": (a)
7070 * just in case it succeeds, and (b) so that we know what
7071 * authentication methods we can usefully try next.
7072 */
7073 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
7074
7075 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7076 ssh2_pkt_addstring(s->pktout, s->username);
7077 ssh2_pkt_addstring(s->pktout, "ssh-connection");/* service requested */
7078 ssh2_pkt_addstring(s->pktout, "none"); /* method */
7079 ssh2_pkt_send(ssh, s->pktout);
7080 s->type = AUTH_TYPE_NONE;
7081 s->gotit = FALSE;
7082 s->we_are_in = FALSE;
7083
7084 s->tried_pubkey_config = FALSE;
7085 s->kbd_inter_refused = FALSE;
7086
7087 /* Reset agent request state. */
7088 s->done_agent = FALSE;
7089 if (s->agent_response) {
7090 if (s->pkblob_in_agent) {
7091 s->agentp = s->pkblob_in_agent;
7092 } else {
7093 s->agentp = s->agent_response + 5 + 4;
7094 s->keyi = 0;
7095 }
7096 }
7097
7098 while (1) {
7099 /*
7100 * Wait for the result of the last authentication request.
7101 */
7102 if (!s->gotit)
7103 crWaitUntilV(pktin);
7104 /*
7105 * Now is a convenient point to spew any banner material
7106 * that we've accumulated. (This should ensure that when
7107 * we exit the auth loop, we haven't any left to deal
7108 * with.)
7109 */
7110 {
7111 int size = bufchain_size(&ssh->banner);
7112 /*
7113 * Don't show the banner if we're operating in
7114 * non-verbose non-interactive mode. (It's probably
7115 * a script, which means nobody will read the
7116 * banner _anyway_, and moreover the printing of
7117 * the banner will screw up processing on the
7118 * output of (say) plink.)
7119 */
7120 if (size && (flags & (FLAG_VERBOSE | FLAG_INTERACTIVE))) {
7121 char *banner = snewn(size, char);
7122 bufchain_fetch(&ssh->banner, banner, size);
7123 c_write_untrusted(ssh, banner, size);
7124 sfree(banner);
7125 }
7126 bufchain_clear(&ssh->banner);
7127 }
7128 if (pktin->type == SSH2_MSG_USERAUTH_SUCCESS) {
7129 logevent("Access granted");
7130 s->we_are_in = TRUE;
7131 break;
7132 }
7133
7134 if (pktin->type != SSH2_MSG_USERAUTH_FAILURE) {
7135 bombout(("Strange packet received during authentication: "
7136 "type %d", pktin->type));
7137 crStopV;
7138 }
7139
7140 s->gotit = FALSE;
7141
7142 /*
7143 * OK, we're now sitting on a USERAUTH_FAILURE message, so
7144 * we can look at the string in it and know what we can
7145 * helpfully try next.
7146 */
7147 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE) {
7148 char *methods;
7149 int methlen;
7150 ssh_pkt_getstring(pktin, &methods, &methlen);
7151 if (!ssh2_pkt_getbool(pktin)) {
7152 /*
7153 * We have received an unequivocal Access
7154 * Denied. This can translate to a variety of
7155 * messages:
7156 *
7157 * - if we'd just tried "none" authentication,
7158 * it's not worth printing anything at all
7159 *
7160 * - if we'd just tried a public key _offer_,
7161 * the message should be "Server refused our
7162 * key" (or no message at all if the key
7163 * came from Pageant)
7164 *
7165 * - if we'd just tried anything else, the
7166 * message really should be "Access denied".
7167 *
7168 * Additionally, if we'd just tried password
7169 * authentication, we should break out of this
7170 * whole loop so as to go back to the username
7171 * prompt (iff we're configured to allow
7172 * username change attempts).
7173 */
7174 if (s->type == AUTH_TYPE_NONE) {
7175 /* do nothing */
7176 } else if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD ||
7177 s->type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) {
7178 if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD)
7179 c_write_str(ssh, "Server refused our key\r\n");
7180 logevent("Server refused public key");
7181 } else if (s->type==AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET) {
7182 /* server declined keyboard-interactive; ignore */
7183 } else {
7184 c_write_str(ssh, "Access denied\r\n");
7185 logevent("Access denied");
7186 if (s->type == AUTH_TYPE_PASSWORD &&
7187 ssh->cfg.change_username) {
7188 /* XXX perhaps we should allow
7189 * keyboard-interactive to do this too? */
7190 s->we_are_in = FALSE;
7191 break;
7192 }
7193 }
7194 } else {
7195 c_write_str(ssh, "Further authentication required\r\n");
7196 logevent("Further authentication required");
7197 }
7198
7199 s->can_pubkey =
7200 in_commasep_string("publickey", methods, methlen);
7201 s->can_passwd =
7202 in_commasep_string("password", methods, methlen);
7203 s->can_keyb_inter = ssh->cfg.try_ki_auth &&
7204 in_commasep_string("keyboard-interactive", methods, methlen);
7205 }
7206
7207 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
7208
7209 if (s->can_pubkey && !s->done_agent && s->nkeys) {
7210
7211 /*
7212 * Attempt public-key authentication using a key from Pageant.
7213 */
7214
7215 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
7216 ssh->pkt_ctx |= SSH2_PKTCTX_PUBLICKEY;
7217
7218 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
7219
7220 /* Unpack key from agent response */
7221 s->pklen = GET_32BIT(s->agentp);
7222 s->agentp += 4;
7223 s->pkblob = (char *)s->agentp;
7224 s->agentp += s->pklen;
7225 s->alglen = GET_32BIT(s->pkblob);
7226 s->alg = s->pkblob + 4;
7227 s->commentlen = GET_32BIT(s->agentp);
7228 s->agentp += 4;
7229 s->commentp = (char *)s->agentp;
7230 s->agentp += s->commentlen;
7231 /* s->agentp now points at next key, if any */
7232
7233 /* See if server will accept it */
7234 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7235 ssh2_pkt_addstring(s->pktout, s->username);
7236 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7237 /* service requested */
7238 ssh2_pkt_addstring(s->pktout, "publickey");
7239 /* method */
7240 ssh2_pkt_addbool(s->pktout, FALSE); /* no signature included */
7241 ssh2_pkt_addstring_start(s->pktout);
7242 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
7243 ssh2_pkt_addstring_start(s->pktout);
7244 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7245 ssh2_pkt_send(ssh, s->pktout);
7246 s->type = AUTH_TYPE_PUBLICKEY_OFFER_QUIET;
7247
7248 crWaitUntilV(pktin);
7249 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7250
7251 /* Offer of key refused. */
7252 s->gotit = TRUE;
7253
7254 } else {
7255
7256 void *vret;
7257
7258 if (flags & FLAG_VERBOSE) {
7259 c_write_str(ssh, "Authenticating with "
7260 "public key \"");
7261 c_write(ssh, s->commentp, s->commentlen);
7262 c_write_str(ssh, "\" from agent\r\n");
7263 }
7264
7265 /*
7266 * Server is willing to accept the key.
7267 * Construct a SIGN_REQUEST.
7268 */
7269 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7270 ssh2_pkt_addstring(s->pktout, s->username);
7271 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7272 /* service requested */
7273 ssh2_pkt_addstring(s->pktout, "publickey");
7274 /* method */
7275 ssh2_pkt_addbool(s->pktout, TRUE); /* signature included */
7276 ssh2_pkt_addstring_start(s->pktout);
7277 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
7278 ssh2_pkt_addstring_start(s->pktout);
7279 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7280
7281 /* Ask agent for signature. */
7282 s->siglen = s->pktout->length - 5 + 4 +
7283 ssh->v2_session_id_len;
7284 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7285 s->siglen -= 4;
7286 s->len = 1; /* message type */
7287 s->len += 4 + s->pklen; /* key blob */
7288 s->len += 4 + s->siglen; /* data to sign */
7289 s->len += 4; /* flags */
7290 s->agentreq = snewn(4 + s->len, char);
7291 PUT_32BIT(s->agentreq, s->len);
7292 s->q = s->agentreq + 4;
7293 *s->q++ = SSH2_AGENTC_SIGN_REQUEST;
7294 PUT_32BIT(s->q, s->pklen);
7295 s->q += 4;
7296 memcpy(s->q, s->pkblob, s->pklen);
7297 s->q += s->pklen;
7298 PUT_32BIT(s->q, s->siglen);
7299 s->q += 4;
7300 /* Now the data to be signed... */
7301 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7302 PUT_32BIT(s->q, ssh->v2_session_id_len);
7303 s->q += 4;
7304 }
7305 memcpy(s->q, ssh->v2_session_id,
7306 ssh->v2_session_id_len);
7307 s->q += ssh->v2_session_id_len;
7308 memcpy(s->q, s->pktout->data + 5,
7309 s->pktout->length - 5);
7310 s->q += s->pktout->length - 5;
7311 /* And finally the (zero) flags word. */
7312 PUT_32BIT(s->q, 0);
7313 if (!agent_query(s->agentreq, s->len + 4,
7314 &vret, &s->retlen,
7315 ssh_agent_callback, ssh)) {
7316 do {
7317 crReturnV;
7318 if (pktin) {
7319 bombout(("Unexpected data from server"
7320 " while waiting for agent"
7321 " response"));
7322 crStopV;
7323 }
7324 } while (pktin || inlen > 0);
7325 vret = ssh->agent_response;
7326 s->retlen = ssh->agent_response_len;
7327 }
7328 s->ret = vret;
7329 sfree(s->agentreq);
7330 if (s->ret) {
7331 if (s->ret[4] == SSH2_AGENT_SIGN_RESPONSE) {
7332 logevent("Sending Pageant's response");
7333 ssh2_add_sigblob(ssh, s->pktout,
7334 s->pkblob, s->pklen,
7335 s->ret + 9,
7336 GET_32BIT(s->ret + 5));
7337 ssh2_pkt_send(ssh, s->pktout);
7338 s->type = AUTH_TYPE_PUBLICKEY;
7339 } else {
7340 /* FIXME: less drastic response */
7341 bombout(("Pageant failed to answer challenge"));
7342 crStopV;
7343 }
7344 }
7345 }
7346
7347 /* Do we have any keys left to try? */
7348 if (s->pkblob_in_agent) {
7349 s->done_agent = TRUE;
7350 s->tried_pubkey_config = TRUE;
7351 } else {
7352 s->keyi++;
7353 if (s->keyi >= s->nkeys)
7354 s->done_agent = TRUE;
7355 }
7356
7357 } else if (s->can_pubkey && s->publickey_blob &&
7358 !s->tried_pubkey_config) {
7359
7360 struct ssh2_userkey *key; /* not live over crReturn */
7361 char *passphrase; /* not live over crReturn */
7362
7363 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
7364 ssh->pkt_ctx |= SSH2_PKTCTX_PUBLICKEY;
7365
7366 s->tried_pubkey_config = TRUE;
7367
7368 /*
7369 * Try the public key supplied in the configuration.
7370 *
7371 * First, offer the public blob to see if the server is
7372 * willing to accept it.
7373 */
7374 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7375 ssh2_pkt_addstring(s->pktout, s->username);
7376 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7377 /* service requested */
7378 ssh2_pkt_addstring(s->pktout, "publickey"); /* method */
7379 ssh2_pkt_addbool(s->pktout, FALSE);
7380 /* no signature included */
7381 ssh2_pkt_addstring(s->pktout, s->publickey_algorithm);
7382 ssh2_pkt_addstring_start(s->pktout);
7383 ssh2_pkt_addstring_data(s->pktout,
7384 (char *)s->publickey_blob,
7385 s->publickey_bloblen);
7386 ssh2_pkt_send(ssh, s->pktout);
7387 logevent("Offered public key");
7388
7389 crWaitUntilV(pktin);
7390 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7391 /* Key refused. Give up. */
7392 s->gotit = TRUE; /* reconsider message next loop */
7393 s->type = AUTH_TYPE_PUBLICKEY_OFFER_LOUD;
7394 continue; /* process this new message */
7395 }
7396 logevent("Offer of public key accepted");
7397
7398 /*
7399 * Actually attempt a serious authentication using
7400 * the key.
7401 */
7402 if (flags & FLAG_VERBOSE) {
7403 c_write_str(ssh, "Authenticating with public key \"");
7404 c_write_str(ssh, s->publickey_comment);
7405 c_write_str(ssh, "\"\r\n");
7406 }
7407 key = NULL;
7408 while (!key) {
7409 const char *error; /* not live over crReturn */
7410 if (s->publickey_encrypted) {
7411 /*
7412 * Get a passphrase from the user.
7413 */
7414 int ret; /* need not be kept over crReturn */
7415 s->cur_prompt = new_prompts(ssh->frontend);
7416 s->cur_prompt->to_server = FALSE;
7417 s->cur_prompt->name = dupstr("SSH key passphrase");
7418 add_prompt(s->cur_prompt,
7419 dupprintf("Passphrase for key \"%.100s\": ",
7420 s->publickey_comment),
7421 FALSE, SSH_MAX_PASSWORD_LEN);
7422 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7423 while (ret < 0) {
7424 ssh->send_ok = 1;
7425 crWaitUntilV(!pktin);
7426 ret = get_userpass_input(s->cur_prompt,
7427 in, inlen);
7428 ssh->send_ok = 0;
7429 }
7430 if (!ret) {
7431 /* Failed to get a passphrase. Terminate. */
7432 free_prompts(s->cur_prompt);
7433 ssh_disconnect(ssh, NULL,
7434 "Unable to authenticate",
7435 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7436 TRUE);
7437 crStopV;
7438 }
7439 passphrase =
7440 dupstr(s->cur_prompt->prompts[0]->result);
7441 free_prompts(s->cur_prompt);
7442 } else {
7443 passphrase = NULL; /* no passphrase needed */
7444 }
7445
7446 /*
7447 * Try decrypting the key.
7448 */
7449 key = ssh2_load_userkey(&ssh->cfg.keyfile, passphrase,
7450 &error);
7451 if (passphrase) {
7452 /* burn the evidence */
7453 memset(passphrase, 0, strlen(passphrase));
7454 sfree(passphrase);
7455 }
7456 if (key == SSH2_WRONG_PASSPHRASE || key == NULL) {
7457 if (passphrase &&
7458 (key == SSH2_WRONG_PASSPHRASE)) {
7459 c_write_str(ssh, "Wrong passphrase\r\n");
7460 key = NULL;
7461 /* and loop again */
7462 } else {
7463 c_write_str(ssh, "Unable to load private key (");
7464 c_write_str(ssh, error);
7465 c_write_str(ssh, ")\r\n");
7466 key = NULL;
7467 break; /* try something else */
7468 }
7469 }
7470 }
7471
7472 if (key) {
7473 unsigned char *pkblob, *sigblob, *sigdata;
7474 int pkblob_len, sigblob_len, sigdata_len;
7475 int p;
7476
7477 /*
7478 * We have loaded the private key and the server
7479 * has announced that it's willing to accept it.
7480 * Hallelujah. Generate a signature and send it.
7481 */
7482 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7483 ssh2_pkt_addstring(s->pktout, s->username);
7484 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7485 /* service requested */
7486 ssh2_pkt_addstring(s->pktout, "publickey");
7487 /* method */
7488 ssh2_pkt_addbool(s->pktout, TRUE);
7489 /* signature follows */
7490 ssh2_pkt_addstring(s->pktout, key->alg->name);
7491 pkblob = key->alg->public_blob(key->data,
7492 &pkblob_len);
7493 ssh2_pkt_addstring_start(s->pktout);
7494 ssh2_pkt_addstring_data(s->pktout, (char *)pkblob,
7495 pkblob_len);
7496
7497 /*
7498 * The data to be signed is:
7499 *
7500 * string session-id
7501 *
7502 * followed by everything so far placed in the
7503 * outgoing packet.
7504 */
7505 sigdata_len = s->pktout->length - 5 + 4 +
7506 ssh->v2_session_id_len;
7507 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7508 sigdata_len -= 4;
7509 sigdata = snewn(sigdata_len, unsigned char);
7510 p = 0;
7511 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7512 PUT_32BIT(sigdata+p, ssh->v2_session_id_len);
7513 p += 4;
7514 }
7515 memcpy(sigdata+p, ssh->v2_session_id,
7516 ssh->v2_session_id_len);
7517 p += ssh->v2_session_id_len;
7518 memcpy(sigdata+p, s->pktout->data + 5,
7519 s->pktout->length - 5);
7520 p += s->pktout->length - 5;
7521 assert(p == sigdata_len);
7522 sigblob = key->alg->sign(key->data, (char *)sigdata,
7523 sigdata_len, &sigblob_len);
7524 ssh2_add_sigblob(ssh, s->pktout, pkblob, pkblob_len,
7525 sigblob, sigblob_len);
7526 sfree(pkblob);
7527 sfree(sigblob);
7528 sfree(sigdata);
7529
7530 ssh2_pkt_send(ssh, s->pktout);
7531 s->type = AUTH_TYPE_PUBLICKEY;
7532 key->alg->freekey(key->data);
7533 }
7534
7535 } else if (s->can_keyb_inter && !s->kbd_inter_refused) {
7536
7537 /*
7538 * Keyboard-interactive authentication.
7539 */
7540
7541 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE;
7542
7543 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
7544 ssh->pkt_ctx |= SSH2_PKTCTX_KBDINTER;
7545
7546 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7547 ssh2_pkt_addstring(s->pktout, s->username);
7548 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7549 /* service requested */
7550 ssh2_pkt_addstring(s->pktout, "keyboard-interactive");
7551 /* method */
7552 ssh2_pkt_addstring(s->pktout, ""); /* lang */
7553 ssh2_pkt_addstring(s->pktout, ""); /* submethods */
7554 ssh2_pkt_send(ssh, s->pktout);
7555
7556 crWaitUntilV(pktin);
7557 if (pktin->type != SSH2_MSG_USERAUTH_INFO_REQUEST) {
7558 /* Server is not willing to do keyboard-interactive
7559 * at all (or, bizarrely but legally, accepts the
7560 * user without actually issuing any prompts).
7561 * Give up on it entirely. */
7562 s->gotit = TRUE;
7563 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE)
7564 logevent("Keyboard-interactive authentication refused");
7565 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET;
7566 s->kbd_inter_refused = TRUE; /* don't try it again */
7567 continue;
7568 }
7569
7570 /*
7571 * Loop while the server continues to send INFO_REQUESTs.
7572 */
7573 while (pktin->type == SSH2_MSG_USERAUTH_INFO_REQUEST) {
7574
7575 char *name, *inst, *lang;
7576 int name_len, inst_len, lang_len;
7577 int i;
7578
7579 /*
7580 * We've got a fresh USERAUTH_INFO_REQUEST.
7581 * Get the preamble and start building a prompt.
7582 */
7583 ssh_pkt_getstring(pktin, &name, &name_len);
7584 ssh_pkt_getstring(pktin, &inst, &inst_len);
7585 ssh_pkt_getstring(pktin, &lang, &lang_len);
7586 s->cur_prompt = new_prompts(ssh->frontend);
7587 s->cur_prompt->to_server = TRUE;
7588 if (name_len) {
7589 /* FIXME: better prefix to distinguish from
7590 * local prompts? */
7591 s->cur_prompt->name =
7592 dupprintf("SSH server: %.*s", name_len, name);
7593 s->cur_prompt->name_reqd = TRUE;
7594 } else {
7595 s->cur_prompt->name =
7596 dupstr("SSH server authentication");
7597 s->cur_prompt->name_reqd = FALSE;
7598 }
7599 /* FIXME: ugly to print "Using..." in prompt _every_
7600 * time round. Can this be done more subtly? */
7601 s->cur_prompt->instruction =
7602 dupprintf("Using keyboard-interactive authentication.%s%.*s",
7603 inst_len ? "\n" : "", inst_len, inst);
7604 s->cur_prompt->instr_reqd = TRUE;
7605
7606 /*
7607 * Get the prompts from the packet.
7608 */
7609 s->num_prompts = ssh_pkt_getuint32(pktin);
7610 for (i = 0; i < s->num_prompts; i++) {
7611 char *prompt;
7612 int prompt_len;
7613 int echo;
7614 static char noprompt[] =
7615 "<server failed to send prompt>: ";
7616
7617 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
7618 echo = ssh2_pkt_getbool(pktin);
7619 if (!prompt_len) {
7620 prompt = noprompt;
7621 prompt_len = lenof(noprompt)-1;
7622 }
7623 add_prompt(s->cur_prompt,
7624 dupprintf("%.*s", prompt_len, prompt),
7625 echo, SSH_MAX_PASSWORD_LEN);
7626 }
7627
7628 /*
7629 * Get the user's responses.
7630 */
7631 if (s->num_prompts) {
7632 int ret; /* not live over crReturn */
7633 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7634 while (ret < 0) {
7635 ssh->send_ok = 1;
7636 crWaitUntilV(!pktin);
7637 ret = get_userpass_input(s->cur_prompt, in, inlen);
7638 ssh->send_ok = 0;
7639 }
7640 if (!ret) {
7641 /*
7642 * Failed to get responses. Terminate.
7643 */
7644 free_prompts(s->cur_prompt);
7645 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7646 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7647 TRUE);
7648 crStopV;
7649 }
7650 }
7651
7652 /*
7653 * Send the responses to the server.
7654 */
7655 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_INFO_RESPONSE);
7656 ssh2_pkt_adduint32(s->pktout, s->num_prompts);
7657 for (i=0; i < s->num_prompts; i++) {
7658 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7659 ssh2_pkt_addstring(s->pktout,
7660 s->cur_prompt->prompts[i]->result);
7661 end_log_omission(ssh, s->pktout);
7662 }
7663 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
7664
7665 /*
7666 * Get the next packet in case it's another
7667 * INFO_REQUEST.
7668 */
7669 crWaitUntilV(pktin);
7670
7671 }
7672
7673 /*
7674 * We should have SUCCESS or FAILURE now.
7675 */
7676 s->gotit = TRUE;
7677
7678 } else if (s->can_passwd) {
7679
7680 /*
7681 * Plain old password authentication.
7682 */
7683 int ret; /* not live over crReturn */
7684 int changereq_first_time; /* not live over crReturn */
7685
7686 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
7687 ssh->pkt_ctx |= SSH2_PKTCTX_PASSWORD;
7688
7689 s->cur_prompt = new_prompts(ssh->frontend);
7690 s->cur_prompt->to_server = TRUE;
7691 s->cur_prompt->name = dupstr("SSH password");
7692 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
7693 s->username,
7694 ssh->savedhost),
7695 FALSE, SSH_MAX_PASSWORD_LEN);
7696
7697 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7698 while (ret < 0) {
7699 ssh->send_ok = 1;
7700 crWaitUntilV(!pktin);
7701 ret = get_userpass_input(s->cur_prompt, in, inlen);
7702 ssh->send_ok = 0;
7703 }
7704 if (!ret) {
7705 /*
7706 * Failed to get responses. Terminate.
7707 */
7708 free_prompts(s->cur_prompt);
7709 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7710 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7711 TRUE);
7712 crStopV;
7713 }
7714 /*
7715 * Squirrel away the password. (We may need it later if
7716 * asked to change it.)
7717 */
7718 s->password = dupstr(s->cur_prompt->prompts[0]->result);
7719 free_prompts(s->cur_prompt);
7720
7721 /*
7722 * Send the password packet.
7723 *
7724 * We pad out the password packet to 256 bytes to make
7725 * it harder for an attacker to find the length of the
7726 * user's password.
7727 *
7728 * Anyone using a password longer than 256 bytes
7729 * probably doesn't have much to worry about from
7730 * people who find out how long their password is!
7731 */
7732 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7733 ssh2_pkt_addstring(s->pktout, s->username);
7734 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7735 /* service requested */
7736 ssh2_pkt_addstring(s->pktout, "password");
7737 ssh2_pkt_addbool(s->pktout, FALSE);
7738 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7739 ssh2_pkt_addstring(s->pktout, s->password);
7740 end_log_omission(ssh, s->pktout);
7741 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
7742 logevent("Sent password");
7743 s->type = AUTH_TYPE_PASSWORD;
7744
7745 /*
7746 * Wait for next packet, in case it's a password change
7747 * request.
7748 */
7749 crWaitUntilV(pktin);
7750 changereq_first_time = TRUE;
7751
7752 while (pktin->type == SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ) {
7753
7754 /*
7755 * We're being asked for a new password
7756 * (perhaps not for the first time).
7757 * Loop until the server accepts it.
7758 */
7759
7760 int got_new = FALSE; /* not live over crReturn */
7761 char *prompt; /* not live over crReturn */
7762 int prompt_len; /* not live over crReturn */
7763
7764 {
7765 char *msg;
7766 if (changereq_first_time)
7767 msg = "Server requested password change";
7768 else
7769 msg = "Server rejected new password";
7770 logevent(msg);
7771 c_write_str(ssh, msg);
7772 c_write_str(ssh, "\r\n");
7773 }
7774
7775 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
7776
7777 s->cur_prompt = new_prompts(ssh->frontend);
7778 s->cur_prompt->to_server = TRUE;
7779 s->cur_prompt->name = dupstr("New SSH password");
7780 s->cur_prompt->instruction =
7781 dupprintf("%.*s", prompt_len, prompt);
7782 s->cur_prompt->instr_reqd = TRUE;
7783 /*
7784 * There's no explicit requirement in the protocol
7785 * for the "old" passwords in the original and
7786 * password-change messages to be the same, and
7787 * apparently some Cisco kit supports password change
7788 * by the user entering a blank password originally
7789 * and the real password subsequently, so,
7790 * reluctantly, we prompt for the old password again.
7791 *
7792 * (On the other hand, some servers don't even bother
7793 * to check this field.)
7794 */
7795 add_prompt(s->cur_prompt,
7796 dupstr("Current password (blank for previously entered password): "),
7797 FALSE, SSH_MAX_PASSWORD_LEN);
7798 add_prompt(s->cur_prompt, dupstr("Enter new password: "),
7799 FALSE, SSH_MAX_PASSWORD_LEN);
7800 add_prompt(s->cur_prompt, dupstr("Confirm new password: "),
7801 FALSE, SSH_MAX_PASSWORD_LEN);
7802
7803 /*
7804 * Loop until the user manages to enter the same
7805 * password twice.
7806 */
7807 while (!got_new) {
7808
7809 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7810 while (ret < 0) {
7811 ssh->send_ok = 1;
7812 crWaitUntilV(!pktin);
7813 ret = get_userpass_input(s->cur_prompt, in, inlen);
7814 ssh->send_ok = 0;
7815 }
7816 if (!ret) {
7817 /*
7818 * Failed to get responses. Terminate.
7819 */
7820 /* burn the evidence */
7821 free_prompts(s->cur_prompt);
7822 memset(s->password, 0, strlen(s->password));
7823 sfree(s->password);
7824 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7825 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7826 TRUE);
7827 crStopV;
7828 }
7829
7830 /*
7831 * If the user specified a new original password
7832 * (IYSWIM), overwrite any previously specified
7833 * one.
7834 * (A side effect is that the user doesn't have to
7835 * re-enter it if they louse up the new password.)
7836 */
7837 if (s->cur_prompt->prompts[0]->result[0]) {
7838 memset(s->password, 0, strlen(s->password));
7839 /* burn the evidence */
7840 sfree(s->password);
7841 s->password =
7842 dupstr(s->cur_prompt->prompts[0]->result);
7843 }
7844
7845 /*
7846 * Check the two new passwords match.
7847 */
7848 got_new = (strcmp(s->cur_prompt->prompts[1]->result,
7849 s->cur_prompt->prompts[2]->result)
7850 == 0);
7851 if (!got_new)
7852 /* They don't. Silly user. */
7853 c_write_str(ssh, "Passwords do not match\r\n");
7854
7855 }
7856
7857 /*
7858 * Send the new password (along with the old one).
7859 * (see above for padding rationale)
7860 */
7861 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7862 ssh2_pkt_addstring(s->pktout, s->username);
7863 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7864 /* service requested */
7865 ssh2_pkt_addstring(s->pktout, "password");
7866 ssh2_pkt_addbool(s->pktout, TRUE);
7867 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7868 ssh2_pkt_addstring(s->pktout, s->password);
7869 ssh2_pkt_addstring(s->pktout,
7870 s->cur_prompt->prompts[1]->result);
7871 free_prompts(s->cur_prompt);
7872 end_log_omission(ssh, s->pktout);
7873 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
7874 logevent("Sent new password");
7875
7876 /*
7877 * Now see what the server has to say about it.
7878 * (If it's CHANGEREQ again, it's not happy with the
7879 * new password.)
7880 */
7881 crWaitUntilV(pktin);
7882 changereq_first_time = FALSE;
7883
7884 }
7885
7886 /*
7887 * We need to reexamine the current pktin at the top
7888 * of the loop. Either:
7889 * - we weren't asked to change password at all, in
7890 * which case it's a SUCCESS or FAILURE with the
7891 * usual meaning
7892 * - we sent a new password, and the server was
7893 * either OK with it (SUCCESS or FAILURE w/partial
7894 * success) or unhappy with the _old_ password
7895 * (FAILURE w/o partial success)
7896 * In any of these cases, we go back to the top of
7897 * the loop and start again.
7898 */
7899 s->gotit = TRUE;
7900
7901 /*
7902 * We don't need the old password any more, in any
7903 * case. Burn the evidence.
7904 */
7905 memset(s->password, 0, strlen(s->password));
7906 sfree(s->password);
7907
7908 } else {
7909
7910 ssh_disconnect(ssh, NULL,
7911 "No supported authentication methods available",
7912 SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE,
7913 FALSE);
7914 crStopV;
7915
7916 }
7917
7918 }
7919 }
7920 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
7921
7922 /* Clear up various bits and pieces from authentication. */
7923 if (s->publickey_blob) {
7924 sfree(s->publickey_blob);
7925 sfree(s->publickey_comment);
7926 }
7927 if (s->agent_response)
7928 sfree(s->agent_response);
7929
7930 /*
7931 * Now the connection protocol has started, one way or another.
7932 */
7933
7934 ssh->channels = newtree234(ssh_channelcmp);
7935
7936 /*
7937 * Set up handlers for some connection protocol messages, so we
7938 * don't have to handle them repeatedly in this coroutine.
7939 */
7940 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] =
7941 ssh2_msg_channel_window_adjust;
7942 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] =
7943 ssh2_msg_global_request;
7944
7945 /*
7946 * Create the main session channel.
7947 */
7948 if (ssh->cfg.ssh_no_shell) {
7949 ssh->mainchan = NULL;
7950 } else if (*ssh->cfg.ssh_nc_host) {
7951 /*
7952 * Just start a direct-tcpip channel and use it as the main
7953 * channel.
7954 */
7955 ssh->mainchan = snew(struct ssh_channel);
7956 ssh->mainchan->ssh = ssh;
7957 ssh->mainchan->localid = alloc_channel_id(ssh);
7958 logeventf(ssh,
7959 "Opening direct-tcpip channel to %s:%d in place of session",
7960 ssh->cfg.ssh_nc_host, ssh->cfg.ssh_nc_port);
7961 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
7962 ssh2_pkt_addstring(s->pktout, "direct-tcpip");
7963 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
7964 ssh->mainchan->v.v2.locwindow = OUR_V2_WINSIZE;
7965 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
7966 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
7967 ssh2_pkt_addstring(s->pktout, ssh->cfg.ssh_nc_host);
7968 ssh2_pkt_adduint32(s->pktout, ssh->cfg.ssh_nc_port);
7969 /*
7970 * There's nothing meaningful to put in the originator
7971 * fields, but some servers insist on syntactically correct
7972 * information.
7973 */
7974 ssh2_pkt_addstring(s->pktout, "0.0.0.0");
7975 ssh2_pkt_adduint32(s->pktout, 0);
7976 ssh2_pkt_send(ssh, s->pktout);
7977
7978 crWaitUntilV(pktin);
7979 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
7980 bombout(("Server refused to open a direct-tcpip channel"));
7981 crStopV;
7982 /* FIXME: error data comes back in FAILURE packet */
7983 }
7984 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
7985 bombout(("Server's channel confirmation cited wrong channel"));
7986 crStopV;
7987 }
7988 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
7989 ssh->mainchan->halfopen = FALSE;
7990 ssh->mainchan->type = CHAN_MAINSESSION;
7991 ssh->mainchan->closes = 0;
7992 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
7993 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
7994 bufchain_init(&ssh->mainchan->v.v2.outbuffer);
7995 add234(ssh->channels, ssh->mainchan);
7996 update_specials_menu(ssh->frontend);
7997 logevent("Opened direct-tcpip channel");
7998 ssh->ncmode = TRUE;
7999 } else {
8000 ssh->mainchan = snew(struct ssh_channel);
8001 ssh->mainchan->ssh = ssh;
8002 ssh->mainchan->localid = alloc_channel_id(ssh);
8003 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
8004 ssh2_pkt_addstring(s->pktout, "session");
8005 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
8006 ssh->mainchan->v.v2.locwindow = OUR_V2_WINSIZE;
8007 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
8008 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
8009 ssh2_pkt_send(ssh, s->pktout);
8010 crWaitUntilV(pktin);
8011 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
8012 bombout(("Server refused to open a session"));
8013 crStopV;
8014 /* FIXME: error data comes back in FAILURE packet */
8015 }
8016 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
8017 bombout(("Server's channel confirmation cited wrong channel"));
8018 crStopV;
8019 }
8020 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
8021 ssh->mainchan->halfopen = FALSE;
8022 ssh->mainchan->type = CHAN_MAINSESSION;
8023 ssh->mainchan->closes = 0;
8024 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
8025 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
8026 bufchain_init(&ssh->mainchan->v.v2.outbuffer);
8027 add234(ssh->channels, ssh->mainchan);
8028 update_specials_menu(ssh->frontend);
8029 logevent("Opened channel for session");
8030 ssh->ncmode = FALSE;
8031 }
8032
8033 /*
8034 * Now we have a channel, make dispatch table entries for
8035 * general channel-based messages.
8036 */
8037 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] =
8038 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] =
8039 ssh2_msg_channel_data;
8040 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = ssh2_msg_channel_eof;
8041 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = ssh2_msg_channel_close;
8042 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] =
8043 ssh2_msg_channel_open_confirmation;
8044 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] =
8045 ssh2_msg_channel_open_failure;
8046 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] =
8047 ssh2_msg_channel_request;
8048 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] =
8049 ssh2_msg_channel_open;
8050
8051 /*
8052 * Potentially enable X11 forwarding.
8053 */
8054 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.x11_forward) {
8055 char proto[20], data[64];
8056 logevent("Requesting X11 forwarding");
8057 ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
8058 data, sizeof(data), ssh->cfg.x11_auth);
8059 x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
8060 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8061 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8062 ssh2_pkt_addstring(s->pktout, "x11-req");
8063 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8064 ssh2_pkt_addbool(s->pktout, 0); /* many connections */
8065 ssh2_pkt_addstring(s->pktout, proto);
8066 /*
8067 * Note that while we blank the X authentication data here, we don't
8068 * take any special action to blank the start of an X11 channel,
8069 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
8070 * without having session blanking enabled is likely to leak your
8071 * cookie into the log.
8072 */
8073 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
8074 ssh2_pkt_addstring(s->pktout, data);
8075 end_log_omission(ssh, s->pktout);
8076 ssh2_pkt_adduint32(s->pktout, x11_get_screen_number(ssh->cfg.x11_display));
8077 ssh2_pkt_send(ssh, s->pktout);
8078
8079 crWaitUntilV(pktin);
8080
8081 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8082 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8083 bombout(("Unexpected response to X11 forwarding request:"
8084 " packet type %d", pktin->type));
8085 crStopV;
8086 }
8087 logevent("X11 forwarding refused");
8088 } else {
8089 logevent("X11 forwarding enabled");
8090 ssh->X11_fwd_enabled = TRUE;
8091 }
8092 }
8093
8094 /*
8095 * Enable port forwardings.
8096 */
8097 ssh_setup_portfwd(ssh, &ssh->cfg);
8098
8099 /*
8100 * Potentially enable agent forwarding.
8101 */
8102 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.agentfwd && agent_exists()) {
8103 logevent("Requesting OpenSSH-style agent forwarding");
8104 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8105 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8106 ssh2_pkt_addstring(s->pktout, "auth-agent-req@openssh.com");
8107 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8108 ssh2_pkt_send(ssh, s->pktout);
8109
8110 crWaitUntilV(pktin);
8111
8112 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8113 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8114 bombout(("Unexpected response to agent forwarding request:"
8115 " packet type %d", pktin->type));
8116 crStopV;
8117 }
8118 logevent("Agent forwarding refused");
8119 } else {
8120 logevent("Agent forwarding enabled");
8121 ssh->agentfwd_enabled = TRUE;
8122 }
8123 }
8124
8125 /*
8126 * Now allocate a pty for the session.
8127 */
8128 if (ssh->mainchan && !ssh->ncmode && !ssh->cfg.nopty) {
8129 /* Unpick the terminal-speed string. */
8130 /* XXX perhaps we should allow no speeds to be sent. */
8131 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
8132 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
8133 /* Build the pty request. */
8134 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8135 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
8136 ssh2_pkt_addstring(s->pktout, "pty-req");
8137 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8138 ssh2_pkt_addstring(s->pktout, ssh->cfg.termtype);
8139 ssh2_pkt_adduint32(s->pktout, ssh->term_width);
8140 ssh2_pkt_adduint32(s->pktout, ssh->term_height);
8141 ssh2_pkt_adduint32(s->pktout, 0); /* pixel width */
8142 ssh2_pkt_adduint32(s->pktout, 0); /* pixel height */
8143 ssh2_pkt_addstring_start(s->pktout);
8144 parse_ttymodes(ssh, ssh->cfg.ttymodes,
8145 ssh2_send_ttymode, (void *)s->pktout);
8146 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_ISPEED);
8147 ssh2_pkt_adduint32(s->pktout, ssh->ispeed);
8148 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_OSPEED);
8149 ssh2_pkt_adduint32(s->pktout, ssh->ospeed);
8150 ssh2_pkt_addstring_data(s->pktout, "\0", 1); /* TTY_OP_END */
8151 ssh2_pkt_send(ssh, s->pktout);
8152 ssh->state = SSH_STATE_INTERMED;
8153
8154 crWaitUntilV(pktin);
8155
8156 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8157 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8158 bombout(("Unexpected response to pty request:"
8159 " packet type %d", pktin->type));
8160 crStopV;
8161 }
8162 c_write_str(ssh, "Server refused to allocate pty\r\n");
8163 ssh->editing = ssh->echoing = 1;
8164 } else {
8165 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
8166 ssh->ospeed, ssh->ispeed);
8167 }
8168 } else {
8169 ssh->editing = ssh->echoing = 1;
8170 }
8171
8172 /*
8173 * Send environment variables.
8174 *
8175 * Simplest thing here is to send all the requests at once, and
8176 * then wait for a whole bunch of successes or failures.
8177 */
8178 if (ssh->mainchan && !ssh->ncmode && *ssh->cfg.environmt) {
8179 char *e = ssh->cfg.environmt;
8180 char *var, *varend, *val;
8181
8182 s->num_env = 0;
8183
8184 while (*e) {
8185 var = e;
8186 while (*e && *e != '\t') e++;
8187 varend = e;
8188 if (*e == '\t') e++;
8189 val = e;
8190 while (*e) e++;
8191 e++;
8192
8193 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8194 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8195 ssh2_pkt_addstring(s->pktout, "env");
8196 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8197 ssh2_pkt_addstring_start(s->pktout);
8198 ssh2_pkt_addstring_data(s->pktout, var, varend-var);
8199 ssh2_pkt_addstring(s->pktout, val);
8200 ssh2_pkt_send(ssh, s->pktout);
8201
8202 s->num_env++;
8203 }
8204
8205 logeventf(ssh, "Sent %d environment variables", s->num_env);
8206
8207 s->env_ok = 0;
8208 s->env_left = s->num_env;
8209
8210 while (s->env_left > 0) {
8211 crWaitUntilV(pktin);
8212
8213 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8214 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8215 bombout(("Unexpected response to environment request:"
8216 " packet type %d", pktin->type));
8217 crStopV;
8218 }
8219 } else {
8220 s->env_ok++;
8221 }
8222
8223 s->env_left--;
8224 }
8225
8226 if (s->env_ok == s->num_env) {
8227 logevent("All environment variables successfully set");
8228 } else if (s->env_ok == 0) {
8229 logevent("All environment variables refused");
8230 c_write_str(ssh, "Server refused to set environment variables\r\n");
8231 } else {
8232 logeventf(ssh, "%d environment variables refused",
8233 s->num_env - s->env_ok);
8234 c_write_str(ssh, "Server refused to set all environment variables\r\n");
8235 }
8236 }
8237
8238 /*
8239 * Start a shell or a remote command. We may have to attempt
8240 * this twice if the config data has provided a second choice
8241 * of command.
8242 */
8243 if (ssh->mainchan && !ssh->ncmode) while (1) {
8244 int subsys;
8245 char *cmd;
8246
8247 if (ssh->fallback_cmd) {
8248 subsys = ssh->cfg.ssh_subsys2;
8249 cmd = ssh->cfg.remote_cmd_ptr2;
8250 } else {
8251 subsys = ssh->cfg.ssh_subsys;
8252 cmd = ssh->cfg.remote_cmd_ptr;
8253 if (!cmd) cmd = ssh->cfg.remote_cmd;
8254 }
8255
8256 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8257 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
8258 if (subsys) {
8259 ssh2_pkt_addstring(s->pktout, "subsystem");
8260 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8261 ssh2_pkt_addstring(s->pktout, cmd);
8262 } else if (*cmd) {
8263 ssh2_pkt_addstring(s->pktout, "exec");
8264 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8265 ssh2_pkt_addstring(s->pktout, cmd);
8266 } else {
8267 ssh2_pkt_addstring(s->pktout, "shell");
8268 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8269 }
8270 ssh2_pkt_send(ssh, s->pktout);
8271
8272 crWaitUntilV(pktin);
8273
8274 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8275 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8276 bombout(("Unexpected response to shell/command request:"
8277 " packet type %d", pktin->type));
8278 crStopV;
8279 }
8280 /*
8281 * We failed to start the command. If this is the
8282 * fallback command, we really are finished; if it's
8283 * not, and if the fallback command exists, try falling
8284 * back to it before complaining.
8285 */
8286 if (!ssh->fallback_cmd && ssh->cfg.remote_cmd_ptr2 != NULL) {
8287 logevent("Primary command failed; attempting fallback");
8288 ssh->fallback_cmd = TRUE;
8289 continue;
8290 }
8291 bombout(("Server refused to start a shell/command"));
8292 crStopV;
8293 } else {
8294 logevent("Started a shell/command");
8295 }
8296 break;
8297 }
8298
8299 ssh->state = SSH_STATE_SESSION;
8300 if (ssh->size_needed)
8301 ssh_size(ssh, ssh->term_width, ssh->term_height);
8302 if (ssh->eof_needed)
8303 ssh_special(ssh, TS_EOF);
8304
8305 /*
8306 * Transfer data!
8307 */
8308 if (ssh->ldisc)
8309 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
8310 if (ssh->mainchan)
8311 ssh->send_ok = 1;
8312 while (1) {
8313 crReturnV;
8314 s->try_send = FALSE;
8315 if (pktin) {
8316
8317 /*
8318 * _All_ the connection-layer packets we expect to
8319 * receive are now handled by the dispatch table.
8320 * Anything that reaches here must be bogus.
8321 */
8322
8323 bombout(("Strange packet received: type %d", pktin->type));
8324 crStopV;
8325 } else if (ssh->mainchan) {
8326 /*
8327 * We have spare data. Add it to the channel buffer.
8328 */
8329 ssh2_add_channel_data(ssh->mainchan, (char *)in, inlen);
8330 s->try_send = TRUE;
8331 }
8332 if (s->try_send) {
8333 int i;
8334 struct ssh_channel *c;
8335 /*
8336 * Try to send data on all channels if we can.
8337 */
8338 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++)
8339 ssh2_try_send_and_unthrottle(c);
8340 }
8341 }
8342
8343 crFinishV;
8344 }
8345
8346 /*
8347 * Handlers for SSH-2 messages that might arrive at any moment.
8348 */
8349 static void ssh2_msg_disconnect(Ssh ssh, struct Packet *pktin)
8350 {
8351 /* log reason code in disconnect message */
8352 char *buf, *msg;
8353 int nowlen, reason, msglen;
8354
8355 reason = ssh_pkt_getuint32(pktin);
8356 ssh_pkt_getstring(pktin, &msg, &msglen);
8357
8358 if (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) {
8359 buf = dupprintf("Received disconnect message (%s)",
8360 ssh2_disconnect_reasons[reason]);
8361 } else {
8362 buf = dupprintf("Received disconnect message (unknown"
8363 " type %d)", reason);
8364 }
8365 logevent(buf);
8366 sfree(buf);
8367 buf = dupprintf("Disconnection message text: %n%.*s",
8368 &nowlen, msglen, msg);
8369 logevent(buf);
8370 bombout(("Server sent disconnect message\ntype %d (%s):\n\"%s\"",
8371 reason,
8372 (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
8373 ssh2_disconnect_reasons[reason] : "unknown",
8374 buf+nowlen));
8375 sfree(buf);
8376 }
8377
8378 static void ssh2_msg_debug(Ssh ssh, struct Packet *pktin)
8379 {
8380 /* log the debug message */
8381 char *msg;
8382 int msglen;
8383 int always_display;
8384
8385 /* XXX maybe we should actually take notice of this */
8386 always_display = ssh2_pkt_getbool(pktin);
8387 ssh_pkt_getstring(pktin, &msg, &msglen);
8388
8389 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
8390 }
8391
8392 static void ssh2_msg_something_unimplemented(Ssh ssh, struct Packet *pktin)
8393 {
8394 struct Packet *pktout;
8395 pktout = ssh2_pkt_init(SSH2_MSG_UNIMPLEMENTED);
8396 ssh2_pkt_adduint32(pktout, pktin->sequence);
8397 /*
8398 * UNIMPLEMENTED messages MUST appear in the same order as the
8399 * messages they respond to. Hence, never queue them.
8400 */
8401 ssh2_pkt_send_noqueue(ssh, pktout);
8402 }
8403
8404 /*
8405 * Handle the top-level SSH-2 protocol.
8406 */
8407 static void ssh2_protocol_setup(Ssh ssh)
8408 {
8409 int i;
8410
8411 /*
8412 * Most messages cause SSH2_MSG_UNIMPLEMENTED.
8413 */
8414 for (i = 0; i < 256; i++)
8415 ssh->packet_dispatch[i] = ssh2_msg_something_unimplemented;
8416
8417 /*
8418 * Any message we actually understand, we set to NULL so that
8419 * the coroutines will get it.
8420 */
8421 ssh->packet_dispatch[SSH2_MSG_UNIMPLEMENTED] = NULL;
8422 ssh->packet_dispatch[SSH2_MSG_SERVICE_REQUEST] = NULL;
8423 ssh->packet_dispatch[SSH2_MSG_SERVICE_ACCEPT] = NULL;
8424 ssh->packet_dispatch[SSH2_MSG_KEXINIT] = NULL;
8425 ssh->packet_dispatch[SSH2_MSG_NEWKEYS] = NULL;
8426 ssh->packet_dispatch[SSH2_MSG_KEXDH_INIT] = NULL;
8427 ssh->packet_dispatch[SSH2_MSG_KEXDH_REPLY] = NULL;
8428 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REQUEST] = NULL; duplicate case value */
8429 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_GROUP] = NULL; duplicate case value */
8430 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_INIT] = NULL;
8431 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REPLY] = NULL;
8432 ssh->packet_dispatch[SSH2_MSG_USERAUTH_REQUEST] = NULL;
8433 ssh->packet_dispatch[SSH2_MSG_USERAUTH_FAILURE] = NULL;
8434 ssh->packet_dispatch[SSH2_MSG_USERAUTH_SUCCESS] = NULL;
8435 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
8436 ssh->packet_dispatch[SSH2_MSG_USERAUTH_PK_OK] = NULL;
8437 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ] = NULL; duplicate case value */
8438 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_REQUEST] = NULL; duplicate case value */
8439 ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_RESPONSE] = NULL;
8440 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] = NULL;
8441 ssh->packet_dispatch[SSH2_MSG_REQUEST_SUCCESS] = NULL;
8442 ssh->packet_dispatch[SSH2_MSG_REQUEST_FAILURE] = NULL;
8443 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] = NULL;
8444 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] = NULL;
8445 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] = NULL;
8446 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] = NULL;
8447 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] = NULL;
8448 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] = NULL;
8449 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = NULL;
8450 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = NULL;
8451 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] = NULL;
8452 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = NULL;
8453 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = NULL;
8454
8455 /*
8456 * These special message types we install handlers for.
8457 */
8458 ssh->packet_dispatch[SSH2_MSG_DISCONNECT] = ssh2_msg_disconnect;
8459 ssh->packet_dispatch[SSH2_MSG_IGNORE] = ssh_msg_ignore; /* shared with SSH-1 */
8460 ssh->packet_dispatch[SSH2_MSG_DEBUG] = ssh2_msg_debug;
8461 }
8462
8463 static void ssh2_timer(void *ctx, long now)
8464 {
8465 Ssh ssh = (Ssh)ctx;
8466
8467 if (ssh->state == SSH_STATE_CLOSED)
8468 return;
8469
8470 if (!ssh->kex_in_progress && ssh->cfg.ssh_rekey_time != 0 &&
8471 now - ssh->next_rekey >= 0) {
8472 do_ssh2_transport(ssh, "timeout", -1, NULL);
8473 }
8474 }
8475
8476 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
8477 struct Packet *pktin)
8478 {
8479 unsigned char *in = (unsigned char *)vin;
8480 if (ssh->state == SSH_STATE_CLOSED)
8481 return;
8482
8483 if (pktin) {
8484 ssh->incoming_data_size += pktin->encrypted_len;
8485 if (!ssh->kex_in_progress &&
8486 ssh->max_data_size != 0 &&
8487 ssh->incoming_data_size > ssh->max_data_size)
8488 do_ssh2_transport(ssh, "too much data received", -1, NULL);
8489 }
8490
8491 if (pktin && ssh->packet_dispatch[pktin->type]) {
8492 ssh->packet_dispatch[pktin->type](ssh, pktin);
8493 return;
8494 }
8495
8496 if (!ssh->protocol_initial_phase_done ||
8497 (pktin && pktin->type >= 20 && pktin->type < 50)) {
8498 if (do_ssh2_transport(ssh, in, inlen, pktin) &&
8499 !ssh->protocol_initial_phase_done) {
8500 ssh->protocol_initial_phase_done = TRUE;
8501 /*
8502 * Allow authconn to initialise itself.
8503 */
8504 do_ssh2_authconn(ssh, NULL, 0, NULL);
8505 }
8506 } else {
8507 do_ssh2_authconn(ssh, in, inlen, pktin);
8508 }
8509 }
8510
8511 /*
8512 * Called to set up the connection.
8513 *
8514 * Returns an error message, or NULL on success.
8515 */
8516 static const char *ssh_init(void *frontend_handle, void **backend_handle,
8517 Config *cfg,
8518 char *host, int port, char **realhost, int nodelay,
8519 int keepalive)
8520 {
8521 const char *p;
8522 Ssh ssh;
8523
8524 ssh = snew(struct ssh_tag);
8525 ssh->cfg = *cfg; /* STRUCTURE COPY */
8526 ssh->version = 0; /* when not ready yet */
8527 ssh->s = NULL;
8528 ssh->cipher = NULL;
8529 ssh->v1_cipher_ctx = NULL;
8530 ssh->crcda_ctx = NULL;
8531 ssh->cscipher = NULL;
8532 ssh->cs_cipher_ctx = NULL;
8533 ssh->sccipher = NULL;
8534 ssh->sc_cipher_ctx = NULL;
8535 ssh->csmac = NULL;
8536 ssh->cs_mac_ctx = NULL;
8537 ssh->scmac = NULL;
8538 ssh->sc_mac_ctx = NULL;
8539 ssh->cscomp = NULL;
8540 ssh->cs_comp_ctx = NULL;
8541 ssh->sccomp = NULL;
8542 ssh->sc_comp_ctx = NULL;
8543 ssh->kex = NULL;
8544 ssh->kex_ctx = NULL;
8545 ssh->hostkey = NULL;
8546 ssh->exitcode = -1;
8547 ssh->close_expected = FALSE;
8548 ssh->clean_exit = FALSE;
8549 ssh->state = SSH_STATE_PREPACKET;
8550 ssh->size_needed = FALSE;
8551 ssh->eof_needed = FALSE;
8552 ssh->ldisc = NULL;
8553 ssh->logctx = NULL;
8554 ssh->deferred_send_data = NULL;
8555 ssh->deferred_len = 0;
8556 ssh->deferred_size = 0;
8557 ssh->fallback_cmd = 0;
8558 ssh->pkt_ctx = 0;
8559 ssh->x11auth = NULL;
8560 ssh->v1_compressing = FALSE;
8561 ssh->v2_outgoing_sequence = 0;
8562 ssh->ssh1_rdpkt_crstate = 0;
8563 ssh->ssh2_rdpkt_crstate = 0;
8564 ssh->do_ssh_init_crstate = 0;
8565 ssh->ssh_gotdata_crstate = 0;
8566 ssh->do_ssh1_connection_crstate = 0;
8567 ssh->do_ssh1_login_crstate = 0;
8568 ssh->do_ssh2_transport_crstate = 0;
8569 ssh->do_ssh2_authconn_crstate = 0;
8570 ssh->do_ssh_init_state = NULL;
8571 ssh->do_ssh1_login_state = NULL;
8572 ssh->do_ssh2_transport_state = NULL;
8573 ssh->do_ssh2_authconn_state = NULL;
8574 ssh->v_c = NULL;
8575 ssh->v_s = NULL;
8576 ssh->mainchan = NULL;
8577 ssh->throttled_all = 0;
8578 ssh->v1_stdout_throttling = 0;
8579 ssh->queue = NULL;
8580 ssh->queuelen = ssh->queuesize = 0;
8581 ssh->queueing = FALSE;
8582 ssh->qhead = ssh->qtail = NULL;
8583 ssh->deferred_rekey_reason = NULL;
8584 bufchain_init(&ssh->queued_incoming_data);
8585 ssh->frozen = FALSE;
8586
8587 *backend_handle = ssh;
8588
8589 #ifdef MSCRYPTOAPI
8590 if (crypto_startup() == 0)
8591 return "Microsoft high encryption pack not installed!";
8592 #endif
8593
8594 ssh->frontend = frontend_handle;
8595 ssh->term_width = ssh->cfg.width;
8596 ssh->term_height = ssh->cfg.height;
8597
8598 ssh->channels = NULL;
8599 ssh->rportfwds = NULL;
8600 ssh->portfwds = NULL;
8601
8602 ssh->send_ok = 0;
8603 ssh->editing = 0;
8604 ssh->echoing = 0;
8605 ssh->v1_throttle_count = 0;
8606 ssh->overall_bufsize = 0;
8607 ssh->fallback_cmd = 0;
8608
8609 ssh->protocol = NULL;
8610
8611 ssh->protocol_initial_phase_done = FALSE;
8612
8613 ssh->pinger = NULL;
8614
8615 ssh->incoming_data_size = ssh->outgoing_data_size =
8616 ssh->deferred_data_size = 0L;
8617 ssh->max_data_size = parse_blocksize(ssh->cfg.ssh_rekey_data);
8618 ssh->kex_in_progress = FALSE;
8619
8620 p = connect_to_host(ssh, host, port, realhost, nodelay, keepalive);
8621 if (p != NULL)
8622 return p;
8623
8624 random_ref();
8625
8626 return NULL;
8627 }
8628
8629 static void ssh_free(void *handle)
8630 {
8631 Ssh ssh = (Ssh) handle;
8632 struct ssh_channel *c;
8633 struct ssh_rportfwd *pf;
8634
8635 if (ssh->v1_cipher_ctx)
8636 ssh->cipher->free_context(ssh->v1_cipher_ctx);
8637 if (ssh->cs_cipher_ctx)
8638 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
8639 if (ssh->sc_cipher_ctx)
8640 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
8641 if (ssh->cs_mac_ctx)
8642 ssh->csmac->free_context(ssh->cs_mac_ctx);
8643 if (ssh->sc_mac_ctx)
8644 ssh->scmac->free_context(ssh->sc_mac_ctx);
8645 if (ssh->cs_comp_ctx) {
8646 if (ssh->cscomp)
8647 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
8648 else
8649 zlib_compress_cleanup(ssh->cs_comp_ctx);
8650 }
8651 if (ssh->sc_comp_ctx) {
8652 if (ssh->sccomp)
8653 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
8654 else
8655 zlib_decompress_cleanup(ssh->sc_comp_ctx);
8656 }
8657 if (ssh->kex_ctx)
8658 dh_cleanup(ssh->kex_ctx);
8659 sfree(ssh->savedhost);
8660
8661 while (ssh->queuelen-- > 0)
8662 ssh_free_packet(ssh->queue[ssh->queuelen]);
8663 sfree(ssh->queue);
8664
8665 while (ssh->qhead) {
8666 struct queued_handler *qh = ssh->qhead;
8667 ssh->qhead = qh->next;
8668 sfree(ssh->qhead);
8669 }
8670 ssh->qhead = ssh->qtail = NULL;
8671
8672 if (ssh->channels) {
8673 while ((c = delpos234(ssh->channels, 0)) != NULL) {
8674 switch (c->type) {
8675 case CHAN_X11:
8676 if (c->u.x11.s != NULL)
8677 x11_close(c->u.x11.s);
8678 break;
8679 case CHAN_SOCKDATA:
8680 if (c->u.pfd.s != NULL)
8681 pfd_close(c->u.pfd.s);
8682 break;
8683 }
8684 sfree(c);
8685 }
8686 freetree234(ssh->channels);
8687 ssh->channels = NULL;
8688 }
8689
8690 if (ssh->rportfwds) {
8691 while ((pf = delpos234(ssh->rportfwds, 0)) != NULL)
8692 sfree(pf);
8693 freetree234(ssh->rportfwds);
8694 ssh->rportfwds = NULL;
8695 }
8696 sfree(ssh->deferred_send_data);
8697 if (ssh->x11auth)
8698 x11_free_auth(ssh->x11auth);
8699 sfree(ssh->do_ssh_init_state);
8700 sfree(ssh->do_ssh1_login_state);
8701 sfree(ssh->do_ssh2_transport_state);
8702 sfree(ssh->do_ssh2_authconn_state);
8703 sfree(ssh->v_c);
8704 sfree(ssh->v_s);
8705 if (ssh->crcda_ctx) {
8706 crcda_free_context(ssh->crcda_ctx);
8707 ssh->crcda_ctx = NULL;
8708 }
8709 if (ssh->s)
8710 ssh_do_close(ssh, TRUE);
8711 expire_timer_context(ssh);
8712 if (ssh->pinger)
8713 pinger_free(ssh->pinger);
8714 bufchain_clear(&ssh->queued_incoming_data);
8715 sfree(ssh);
8716
8717 random_unref();
8718 }
8719
8720 /*
8721 * Reconfigure the SSH backend.
8722 */
8723 static void ssh_reconfig(void *handle, Config *cfg)
8724 {
8725 Ssh ssh = (Ssh) handle;
8726 char *rekeying = NULL, rekey_mandatory = FALSE;
8727 unsigned long old_max_data_size;
8728
8729 pinger_reconfig(ssh->pinger, &ssh->cfg, cfg);
8730 if (ssh->portfwds)
8731 ssh_setup_portfwd(ssh, cfg);
8732
8733 if (ssh->cfg.ssh_rekey_time != cfg->ssh_rekey_time &&
8734 cfg->ssh_rekey_time != 0) {
8735 long new_next = ssh->last_rekey + cfg->ssh_rekey_time*60*TICKSPERSEC;
8736 long now = GETTICKCOUNT();
8737
8738 if (new_next - now < 0) {
8739 rekeying = "timeout shortened";
8740 } else {
8741 ssh->next_rekey = schedule_timer(new_next - now, ssh2_timer, ssh);
8742 }
8743 }
8744
8745 old_max_data_size = ssh->max_data_size;
8746 ssh->max_data_size = parse_blocksize(cfg->ssh_rekey_data);
8747 if (old_max_data_size != ssh->max_data_size &&
8748 ssh->max_data_size != 0) {
8749 if (ssh->outgoing_data_size > ssh->max_data_size ||
8750 ssh->incoming_data_size > ssh->max_data_size)
8751 rekeying = "data limit lowered";
8752 }
8753
8754 if (ssh->cfg.compression != cfg->compression) {
8755 rekeying = "compression setting changed";
8756 rekey_mandatory = TRUE;
8757 }
8758
8759 if (ssh->cfg.ssh2_des_cbc != cfg->ssh2_des_cbc ||
8760 memcmp(ssh->cfg.ssh_cipherlist, cfg->ssh_cipherlist,
8761 sizeof(ssh->cfg.ssh_cipherlist))) {
8762 rekeying = "cipher settings changed";
8763 rekey_mandatory = TRUE;
8764 }
8765
8766 ssh->cfg = *cfg; /* STRUCTURE COPY */
8767
8768 if (rekeying) {
8769 if (!ssh->kex_in_progress) {
8770 do_ssh2_transport(ssh, rekeying, -1, NULL);
8771 } else if (rekey_mandatory) {
8772 ssh->deferred_rekey_reason = rekeying;
8773 }
8774 }
8775 }
8776
8777 /*
8778 * Called to send data down the SSH connection.
8779 */
8780 static int ssh_send(void *handle, char *buf, int len)
8781 {
8782 Ssh ssh = (Ssh) handle;
8783
8784 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
8785 return 0;
8786
8787 ssh->protocol(ssh, (unsigned char *)buf, len, 0);
8788
8789 return ssh_sendbuffer(ssh);
8790 }
8791
8792 /*
8793 * Called to query the current amount of buffered stdin data.
8794 */
8795 static int ssh_sendbuffer(void *handle)
8796 {
8797 Ssh ssh = (Ssh) handle;
8798 int override_value;
8799
8800 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
8801 return 0;
8802
8803 /*
8804 * If the SSH socket itself has backed up, add the total backup
8805 * size on that to any individual buffer on the stdin channel.
8806 */
8807 override_value = 0;
8808 if (ssh->throttled_all)
8809 override_value = ssh->overall_bufsize;
8810
8811 if (ssh->version == 1) {
8812 return override_value;
8813 } else if (ssh->version == 2) {
8814 if (!ssh->mainchan || ssh->mainchan->closes > 0)
8815 return override_value;
8816 else
8817 return (override_value +
8818 bufchain_size(&ssh->mainchan->v.v2.outbuffer));
8819 }
8820
8821 return 0;
8822 }
8823
8824 /*
8825 * Called to set the size of the window from SSH's POV.
8826 */
8827 static void ssh_size(void *handle, int width, int height)
8828 {
8829 Ssh ssh = (Ssh) handle;
8830 struct Packet *pktout;
8831
8832 ssh->term_width = width;
8833 ssh->term_height = height;
8834
8835 switch (ssh->state) {
8836 case SSH_STATE_BEFORE_SIZE:
8837 case SSH_STATE_PREPACKET:
8838 case SSH_STATE_CLOSED:
8839 break; /* do nothing */
8840 case SSH_STATE_INTERMED:
8841 ssh->size_needed = TRUE; /* buffer for later */
8842 break;
8843 case SSH_STATE_SESSION:
8844 if (!ssh->cfg.nopty) {
8845 if (ssh->version == 1) {
8846 send_packet(ssh, SSH1_CMSG_WINDOW_SIZE,
8847 PKT_INT, ssh->term_height,
8848 PKT_INT, ssh->term_width,
8849 PKT_INT, 0, PKT_INT, 0, PKT_END);
8850 } else if (ssh->mainchan) {
8851 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8852 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
8853 ssh2_pkt_addstring(pktout, "window-change");
8854 ssh2_pkt_addbool(pktout, 0);
8855 ssh2_pkt_adduint32(pktout, ssh->term_width);
8856 ssh2_pkt_adduint32(pktout, ssh->term_height);
8857 ssh2_pkt_adduint32(pktout, 0);
8858 ssh2_pkt_adduint32(pktout, 0);
8859 ssh2_pkt_send(ssh, pktout);
8860 }
8861 }
8862 break;
8863 }
8864 }
8865
8866 /*
8867 * Return a list of the special codes that make sense in this
8868 * protocol.
8869 */
8870 static const struct telnet_special *ssh_get_specials(void *handle)
8871 {
8872 static const struct telnet_special ssh1_ignore_special[] = {
8873 {"IGNORE message", TS_NOP}
8874 };
8875 static const struct telnet_special ssh2_transport_specials[] = {
8876 {"IGNORE message", TS_NOP},
8877 {"Repeat key exchange", TS_REKEY},
8878 };
8879 static const struct telnet_special ssh2_session_specials[] = {
8880 {NULL, TS_SEP},
8881 {"Break", TS_BRK},
8882 /* These are the signal names defined by draft-ietf-secsh-connect-23.
8883 * They include all the ISO C signals, but are a subset of the POSIX
8884 * required signals. */
8885 {"SIGINT (Interrupt)", TS_SIGINT},
8886 {"SIGTERM (Terminate)", TS_SIGTERM},
8887 {"SIGKILL (Kill)", TS_SIGKILL},
8888 {"SIGQUIT (Quit)", TS_SIGQUIT},
8889 {"SIGHUP (Hangup)", TS_SIGHUP},
8890 {"More signals", TS_SUBMENU},
8891 {"SIGABRT", TS_SIGABRT}, {"SIGALRM", TS_SIGALRM},
8892 {"SIGFPE", TS_SIGFPE}, {"SIGILL", TS_SIGILL},
8893 {"SIGPIPE", TS_SIGPIPE}, {"SIGSEGV", TS_SIGSEGV},
8894 {"SIGUSR1", TS_SIGUSR1}, {"SIGUSR2", TS_SIGUSR2},
8895 {NULL, TS_EXITMENU}
8896 };
8897 static const struct telnet_special specials_end[] = {
8898 {NULL, TS_EXITMENU}
8899 };
8900 /* XXX review this length for any changes: */
8901 static struct telnet_special ssh_specials[lenof(ssh2_transport_specials) +
8902 lenof(ssh2_session_specials) +
8903 lenof(specials_end)];
8904 Ssh ssh = (Ssh) handle;
8905 int i = 0;
8906 #define ADD_SPECIALS(name) \
8907 do { \
8908 assert((i + lenof(name)) <= lenof(ssh_specials)); \
8909 memcpy(&ssh_specials[i], name, sizeof name); \
8910 i += lenof(name); \
8911 } while(0)
8912
8913 if (ssh->version == 1) {
8914 /* Don't bother offering IGNORE if we've decided the remote
8915 * won't cope with it, since we wouldn't bother sending it if
8916 * asked anyway. */
8917 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
8918 ADD_SPECIALS(ssh1_ignore_special);
8919 } else if (ssh->version == 2) {
8920 ADD_SPECIALS(ssh2_transport_specials);
8921 if (ssh->mainchan)
8922 ADD_SPECIALS(ssh2_session_specials);
8923 } /* else we're not ready yet */
8924
8925 if (i) {
8926 ADD_SPECIALS(specials_end);
8927 return ssh_specials;
8928 } else {
8929 return NULL;
8930 }
8931 #undef ADD_SPECIALS
8932 }
8933
8934 /*
8935 * Send special codes. TS_EOF is useful for `plink', so you
8936 * can send an EOF and collect resulting output (e.g. `plink
8937 * hostname sort').
8938 */
8939 static void ssh_special(void *handle, Telnet_Special code)
8940 {
8941 Ssh ssh = (Ssh) handle;
8942 struct Packet *pktout;
8943
8944 if (code == TS_EOF) {
8945 if (ssh->state != SSH_STATE_SESSION) {
8946 /*
8947 * Buffer the EOF in case we are pre-SESSION, so we can
8948 * send it as soon as we reach SESSION.
8949 */
8950 if (code == TS_EOF)
8951 ssh->eof_needed = TRUE;
8952 return;
8953 }
8954 if (ssh->version == 1) {
8955 send_packet(ssh, SSH1_CMSG_EOF, PKT_END);
8956 } else if (ssh->mainchan) {
8957 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_EOF);
8958 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
8959 ssh2_pkt_send(ssh, pktout);
8960 ssh->send_ok = 0; /* now stop trying to read from stdin */
8961 }
8962 logevent("Sent EOF message");
8963 } else if (code == TS_PING || code == TS_NOP) {
8964 if (ssh->state == SSH_STATE_CLOSED
8965 || ssh->state == SSH_STATE_PREPACKET) return;
8966 if (ssh->version == 1) {
8967 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
8968 send_packet(ssh, SSH1_MSG_IGNORE, PKT_STR, "", PKT_END);
8969 } else {
8970 pktout = ssh2_pkt_init(SSH2_MSG_IGNORE);
8971 ssh2_pkt_addstring_start(pktout);
8972 ssh2_pkt_send_noqueue(ssh, pktout);
8973 }
8974 } else if (code == TS_REKEY) {
8975 if (!ssh->kex_in_progress && ssh->version == 2) {
8976 do_ssh2_transport(ssh, "at user request", -1, NULL);
8977 }
8978 } else if (code == TS_BRK) {
8979 if (ssh->state == SSH_STATE_CLOSED
8980 || ssh->state == SSH_STATE_PREPACKET) return;
8981 if (ssh->version == 1) {
8982 logevent("Unable to send BREAK signal in SSH-1");
8983 } else if (ssh->mainchan) {
8984 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8985 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
8986 ssh2_pkt_addstring(pktout, "break");
8987 ssh2_pkt_addbool(pktout, 0);
8988 ssh2_pkt_adduint32(pktout, 0); /* default break length */
8989 ssh2_pkt_send(ssh, pktout);
8990 }
8991 } else {
8992 /* Is is a POSIX signal? */
8993 char *signame = NULL;
8994 if (code == TS_SIGABRT) signame = "ABRT";
8995 if (code == TS_SIGALRM) signame = "ALRM";
8996 if (code == TS_SIGFPE) signame = "FPE";
8997 if (code == TS_SIGHUP) signame = "HUP";
8998 if (code == TS_SIGILL) signame = "ILL";
8999 if (code == TS_SIGINT) signame = "INT";
9000 if (code == TS_SIGKILL) signame = "KILL";
9001 if (code == TS_SIGPIPE) signame = "PIPE";
9002 if (code == TS_SIGQUIT) signame = "QUIT";
9003 if (code == TS_SIGSEGV) signame = "SEGV";
9004 if (code == TS_SIGTERM) signame = "TERM";
9005 if (code == TS_SIGUSR1) signame = "USR1";
9006 if (code == TS_SIGUSR2) signame = "USR2";
9007 /* The SSH-2 protocol does in principle support arbitrary named
9008 * signals, including signame@domain, but we don't support those. */
9009 if (signame) {
9010 /* It's a signal. */
9011 if (ssh->version == 2 && ssh->mainchan) {
9012 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9013 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9014 ssh2_pkt_addstring(pktout, "signal");
9015 ssh2_pkt_addbool(pktout, 0);
9016 ssh2_pkt_addstring(pktout, signame);
9017 ssh2_pkt_send(ssh, pktout);
9018 logeventf(ssh, "Sent signal SIG%s", signame);
9019 }
9020 } else {
9021 /* Never heard of it. Do nothing */
9022 }
9023 }
9024 }
9025
9026 void *new_sock_channel(void *handle, Socket s)
9027 {
9028 Ssh ssh = (Ssh) handle;
9029 struct ssh_channel *c;
9030 c = snew(struct ssh_channel);
9031 c->ssh = ssh;
9032
9033 if (c) {
9034 c->halfopen = TRUE;
9035 c->localid = alloc_channel_id(ssh);
9036 c->closes = 0;
9037 c->type = CHAN_SOCKDATA_DORMANT;/* identify channel type */
9038 c->u.pfd.s = s;
9039 bufchain_init(&c->v.v2.outbuffer);
9040 add234(ssh->channels, c);
9041 }
9042 return c;
9043 }
9044
9045 /*
9046 * This is called when stdout/stderr (the entity to which
9047 * from_backend sends data) manages to clear some backlog.
9048 */
9049 static void ssh_unthrottle(void *handle, int bufsize)
9050 {
9051 Ssh ssh = (Ssh) handle;
9052 if (ssh->version == 1) {
9053 if (ssh->v1_stdout_throttling && bufsize < SSH1_BUFFER_LIMIT) {
9054 ssh->v1_stdout_throttling = 0;
9055 ssh1_throttle(ssh, -1);
9056 }
9057 } else {
9058 ssh2_set_window(ssh->mainchan, OUR_V2_WINSIZE - bufsize);
9059 }
9060 }
9061
9062 void ssh_send_port_open(void *channel, char *hostname, int port, char *org)
9063 {
9064 struct ssh_channel *c = (struct ssh_channel *)channel;
9065 Ssh ssh = c->ssh;
9066 struct Packet *pktout;
9067
9068 logeventf(ssh, "Opening forwarded connection to %s:%d", hostname, port);
9069
9070 if (ssh->version == 1) {
9071 send_packet(ssh, SSH1_MSG_PORT_OPEN,
9072 PKT_INT, c->localid,
9073 PKT_STR, hostname,
9074 PKT_INT, port,
9075 /* PKT_STR, <org:orgport>, */
9076 PKT_END);
9077 } else {
9078 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
9079 ssh2_pkt_addstring(pktout, "direct-tcpip");
9080 ssh2_pkt_adduint32(pktout, c->localid);
9081 c->v.v2.locwindow = OUR_V2_WINSIZE;
9082 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);/* our window size */
9083 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
9084 ssh2_pkt_addstring(pktout, hostname);
9085 ssh2_pkt_adduint32(pktout, port);
9086 /*
9087 * We make up values for the originator data; partly it's
9088 * too much hassle to keep track, and partly I'm not
9089 * convinced the server should be told details like that
9090 * about my local network configuration.
9091 * The "originator IP address" is syntactically a numeric
9092 * IP address, and some servers (e.g., Tectia) get upset
9093 * if it doesn't match this syntax.
9094 */
9095 ssh2_pkt_addstring(pktout, "0.0.0.0");
9096 ssh2_pkt_adduint32(pktout, 0);
9097 ssh2_pkt_send(ssh, pktout);
9098 }
9099 }
9100
9101 static int ssh_connected(void *handle)
9102 {
9103 Ssh ssh = (Ssh) handle;
9104 return ssh->s != NULL;
9105 }
9106
9107 static int ssh_sendok(void *handle)
9108 {
9109 Ssh ssh = (Ssh) handle;
9110 return ssh->send_ok;
9111 }
9112
9113 static int ssh_ldisc(void *handle, int option)
9114 {
9115 Ssh ssh = (Ssh) handle;
9116 if (option == LD_ECHO)
9117 return ssh->echoing;
9118 if (option == LD_EDIT)
9119 return ssh->editing;
9120 return FALSE;
9121 }
9122
9123 static void ssh_provide_ldisc(void *handle, void *ldisc)
9124 {
9125 Ssh ssh = (Ssh) handle;
9126 ssh->ldisc = ldisc;
9127 }
9128
9129 static void ssh_provide_logctx(void *handle, void *logctx)
9130 {
9131 Ssh ssh = (Ssh) handle;
9132 ssh->logctx = logctx;
9133 }
9134
9135 static int ssh_return_exitcode(void *handle)
9136 {
9137 Ssh ssh = (Ssh) handle;
9138 if (ssh->s != NULL)
9139 return -1;
9140 else
9141 return (ssh->exitcode >= 0 ? ssh->exitcode : INT_MAX);
9142 }
9143
9144 /*
9145 * cfg_info for SSH is the currently running version of the
9146 * protocol. (1 for 1; 2 for 2; 0 for not-decided-yet.)
9147 */
9148 static int ssh_cfg_info(void *handle)
9149 {
9150 Ssh ssh = (Ssh) handle;
9151 return ssh->version;
9152 }
9153
9154 /*
9155 * Gross hack: pscp will try to start SFTP but fall back to scp1 if
9156 * that fails. This variable is the means by which scp.c can reach
9157 * into the SSH code and find out which one it got.
9158 */
9159 extern int ssh_fallback_cmd(void *handle)
9160 {
9161 Ssh ssh = (Ssh) handle;
9162 return ssh->fallback_cmd;
9163 }
9164
9165 Backend ssh_backend = {
9166 ssh_init,
9167 ssh_free,
9168 ssh_reconfig,
9169 ssh_send,
9170 ssh_sendbuffer,
9171 ssh_size,
9172 ssh_special,
9173 ssh_get_specials,
9174 ssh_connected,
9175 ssh_return_exitcode,
9176 ssh_sendok,
9177 ssh_ldisc,
9178 ssh_provide_ldisc,
9179 ssh_provide_logctx,
9180 ssh_unthrottle,
9181 ssh_cfg_info,
9182 "ssh",
9183 PROT_SSH,
9184 22
9185 };
Simon Tatham's PuTTY GUI SSH client; import of svn://svn.tartarus.org/sgt/putty