pktout.type = type;
}
-static void s_wrpkt(void) {
+static int s_wrpkt_prepare(void) {
int pad, len, biglen, i;
unsigned long crc;
if (cipher)
cipher->encrypt(pktout.data+4, biglen);
- sk_write(s, pktout.data, biglen+4);
+ return biglen+4;
+}
+
+static void s_wrpkt(void) {
+ int len;
+ len = s_wrpkt_prepare();
+ sk_write(s, pktout.data, len);
+}
+
+static void s_wrpkt_defer(void) {
+ int len;
+ len = s_wrpkt_prepare();
+ if (deferred_len + len > deferred_size) {
+ deferred_size = deferred_len + len + 128;
+ deferred_send_data = srealloc(deferred_send_data, deferred_size);
+ }
+ memcpy(deferred_send_data+deferred_len, pktout.data, len);
+ deferred_len += len;
}
/*
- * Construct a packet with the specified contents and
- * send it to the server.
+ * Construct a packet with the specified contents.
*/
-static void send_packet(int pkttype, ...)
+static void construct_packet(int pkttype, va_list ap1, va_list ap2)
{
- va_list args;
unsigned char *p, *argp, argchar;
unsigned long argint;
int pktlen, argtype, arglen;
Bignum bn;
pktlen = 0;
- va_start(args, pkttype);
- while ((argtype = va_arg(args, int)) != PKT_END) {
+ while ((argtype = va_arg(ap1, int)) != PKT_END) {
switch (argtype) {
case PKT_INT:
- (void) va_arg(args, int);
+ (void) va_arg(ap1, int);
pktlen += 4;
break;
case PKT_CHAR:
- (void) va_arg(args, char);
+ (void) va_arg(ap1, char);
pktlen++;
break;
case PKT_DATA:
- (void) va_arg(args, unsigned char *);
- arglen = va_arg(args, int);
+ (void) va_arg(ap1, unsigned char *);
+ arglen = va_arg(ap1, int);
pktlen += arglen;
break;
case PKT_STR:
- argp = va_arg(args, unsigned char *);
+ argp = va_arg(ap1, unsigned char *);
arglen = strlen(argp);
pktlen += 4 + arglen;
break;
case PKT_BIGNUM:
- bn = va_arg(args, Bignum);
+ bn = va_arg(ap1, Bignum);
pktlen += ssh1_bignum_length(bn);
break;
default:
assert(0);
}
}
- va_end(args);
s_wrpkt_start(pkttype, pktlen);
p = pktout.body;
- va_start(args, pkttype);
- while ((argtype = va_arg(args, int)) != PKT_END) {
+ while ((argtype = va_arg(ap2, int)) != PKT_END) {
switch (argtype) {
case PKT_INT:
- argint = va_arg(args, int);
+ argint = va_arg(ap2, int);
PUT_32BIT(p, argint);
p += 4;
break;
case PKT_CHAR:
- argchar = va_arg(args, unsigned char);
+ argchar = va_arg(ap2, unsigned char);
*p = argchar;
p++;
break;
case PKT_DATA:
- argp = va_arg(args, unsigned char *);
- arglen = va_arg(args, int);
+ argp = va_arg(ap2, unsigned char *);
+ arglen = va_arg(ap2, int);
memcpy(p, argp, arglen);
p += arglen;
break;
case PKT_STR:
- argp = va_arg(args, unsigned char *);
+ argp = va_arg(ap2, unsigned char *);
arglen = strlen(argp);
PUT_32BIT(p, arglen);
memcpy(p + 4, argp, arglen);
p += 4 + arglen;
break;
case PKT_BIGNUM:
- bn = va_arg(args, Bignum);
+ bn = va_arg(ap2, Bignum);
p += ssh1_write_bignum(p, bn);
break;
}
}
- va_end(args);
+}
+static void send_packet(int pkttype, ...) {
+ va_list ap1, ap2;
+ va_start(ap1, pkttype);
+ va_start(ap2, pkttype);
+ construct_packet(pkttype, ap1, ap2);
s_wrpkt();
}
+static void defer_packet(int pkttype, ...) {
+ va_list ap1, ap2;
+ va_start(ap1, pkttype);
+ va_start(ap2, pkttype);
+ construct_packet(pkttype, ap1, ap2);
+ s_wrpkt_defer();
+}
+
static int ssh_versioncmp(char *a, char *b) {
char *ae, *be;
unsigned long av, bv;
/*
* Send the whole deferred data block constructed by
- * ssh2_pkt_defer().
+ * ssh2_pkt_defer() or SSH1's defer_packet().
*/
-static void ssh2_pkt_defersend(void) {
+static void ssh_pkt_defersend(void) {
sk_write(s, deferred_send_data, deferred_len);
deferred_len = deferred_size = 0;
sfree(deferred_send_data);
break; /* we're through! */
} else {
- send_packet(pwpkt_type, PKT_STR, password, PKT_END);
+ if (pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
+ /*
+ * Defence against traffic analysis: we send a
+ * whole bunch of packets containing strings of
+ * different lengths. One of these strings is the
+ * password, in a SSH1_CMSG_AUTH_PASSWORD packet.
+ * The others are all random data in
+ * SSH1_MSG_IGNORE packets. This way a passive
+ * listener can't tell which is the password, and
+ * hence can't deduce the password length.
+ *
+ * Anybody with a password length greater than 16
+ * bytes is going to have enough entropy in their
+ * password that a listener won't find it _that_
+ * much help to know how long it is. So what we'll
+ * do is:
+ *
+ * - if password length < 16, we send 15 packets
+ * containing string lengths 1 through 15
+ *
+ * - otherwise, we let N be the nearest multiple
+ * of 8 below the password length, and send 8
+ * packets containing string lengths N through
+ * N+7. This won't obscure the order of
+ * magnitude of the password length, but it will
+ * introduce a bit of extra uncertainty.
+ */
+ int bottom, top, pwlen, i;
+ char *randomstr;
+
+ pwlen = strlen(password);
+ if (pwlen < 16) {
+ bottom = 1;
+ top = 15;
+ } else {
+ bottom = pwlen &~ 7;
+ top = bottom + 7;
+ }
+
+ assert(pwlen >= bottom && pwlen <= top);
+
+ randomstr = smalloc(top+1);
+
+ for (i = bottom; i <= top; i++) {
+ if (i == pwlen)
+ defer_packet(pwpkt_type, PKT_STR, password, PKT_END);
+ else {
+ for (j = 0; j < i; j++) {
+ do {
+ randomstr[j] = random_byte();
+ } while (randomstr[j] == '\0');
+ }
+ randomstr[i] = '\0';
+ defer_packet(SSH1_MSG_IGNORE,
+ PKT_STR, randomstr, PKT_END);
+ }
+ }
+ ssh_pkt_defersend();
+ } else {
+ send_packet(pwpkt_type, PKT_STR, password, PKT_END);
+ }
}
logevent("Sent password");
memset(password, 0, strlen(password));
}
ssh2_pkt_defer();
}
- ssh2_pkt_defersend();
+ ssh_pkt_defersend();
logevent("Sent password");
type = AUTH_TYPE_PASSWORD;
} else {
}
/*
+ * Potentially enable agent forwarding.
+ */
+ if (cfg.agentfwd && agent_exists()) {
+ char proto[20], data[64];
+ logevent("Requesting OpenSSH-style agent forwarding");
+ x11_invent_auth(proto, sizeof(proto), data, sizeof(data));
+ ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
+ ssh2_pkt_adduint32(mainchan->remoteid);
+ ssh2_pkt_addstring("auth-agent-req@openssh.com");
+ ssh2_pkt_addbool(1); /* want reply */
+ ssh2_pkt_send();
+
+ do {
+ crWaitUntilV(ispkt);
+ if (pktin.type == SSH2_MSG_CHANNEL_WINDOW_ADJUST) {
+ unsigned i = ssh2_pkt_getuint32();
+ struct ssh_channel *c;
+ c = find234(ssh_channels, &i, ssh_channelfind);
+ if (!c)
+ continue; /* nonexistent channel */
+ c->v2.remwindow += ssh2_pkt_getuint32();
+ }
+ } while (pktin.type == SSH2_MSG_CHANNEL_WINDOW_ADJUST);
+
+ if (pktin.type != SSH2_MSG_CHANNEL_SUCCESS) {
+ if (pktin.type != SSH2_MSG_CHANNEL_FAILURE) {
+ bombout(("Server got confused by agent forwarding request"));
+ crReturnV;
+ }
+ logevent("Agent forwarding refused");
+ } else {
+ logevent("Agent forwarding enabled");
+ ssh_agentfwd_enabled = TRUE;
+ }
+ }
+
+ /*
* Now allocate a pty for the session.
*/
if (!cfg.nopty) {
case CHAN_X11:
x11_send(c->u.x11.s, data, length);
break;
+ case CHAN_AGENT:
+ while (length > 0) {
+ if (c->u.a.lensofar < 4) {
+ int l = min(4 - c->u.a.lensofar, length);
+ memcpy(c->u.a.msglen + c->u.a.lensofar, data, l);
+ data += l; length -= l; c->u.a.lensofar += l;
+ }
+ if (c->u.a.lensofar == 4) {
+ c->u.a.totallen = 4 + GET_32BIT(c->u.a.msglen);
+ c->u.a.message = smalloc(c->u.a.totallen);
+ memcpy(c->u.a.message, c->u.a.msglen, 4);
+ }
+ if (c->u.a.lensofar >= 4 && length > 0) {
+ int l = min(c->u.a.totallen - c->u.a.lensofar,
+ length);
+ memcpy(c->u.a.message + c->u.a.lensofar, data, l);
+ data += l; length -= l; c->u.a.lensofar += l;
+ }
+ if (c->u.a.lensofar == c->u.a.totallen) {
+ void *reply, *sentreply;
+ int replylen;
+ agent_query(c->u.a.message, c->u.a.totallen,
+ &reply, &replylen);
+ if (reply)
+ sentreply = reply;
+ else {
+ /* Fake SSH_AGENT_FAILURE. */
+ sentreply = "\0\0\0\1\5";
+ replylen = 5;
+ }
+ ssh2_add_channel_data(c, sentreply, replylen);
+ try_send = TRUE;
+ if (reply)
+ sfree(reply);
+ sfree(c->u.a.message);
+ c->u.a.lensofar = 0;
+ }
+ }
+ break;
}
/*
* Enlarge the window again at the remote
*/
x11_close(c->u.x11.s);
sshfwd_close(c);
- }
+ } else if (c->type == CHAN_AGENT) {
+ sshfwd_close(c);
+ }
} else if (pktin.type == SSH2_MSG_CHANNEL_CLOSE) {
unsigned i = ssh2_pkt_getuint32();
struct ssh_channel *c;
break; /* nothing to see here, move along */
case CHAN_X11:
break;
+ case CHAN_AGENT:
+ break;
}
del234(ssh_channels, c);
sfree(c->v2.outbuffer);
} else {
c->type = CHAN_X11;
}
+ } else if (typelen == 22 &&
+ !memcmp(type, "auth-agent@openssh.com", 3)) {
+ if (!ssh_agentfwd_enabled)
+ error = "Agent forwarding is not enabled";
+ else {
+ c->type = CHAN_AGENT; /* identify channel type */
+ c->u.a.lensofar = 0;
+ }
} else {
error = "Unsupported channel type requested";
}