X-Git-Url: https://git.distorted.org.uk/~mdw/sgt/putty/blobdiff_plain/0357890f5bbf6f291645e153a9080389d1c04435..cae0c0233cb7c0180bfb7a5bca934b6e57805471:/ssh.c?ds=inline

diff --git a/ssh.c b/ssh.c
index a23ead91..3e8396fd 100644
--- a/ssh.c
+++ b/ssh.c
@@ -183,6 +183,7 @@ static const char *const ssh2_disconnect_reasons[] = {
 #define BUG_CHOKES_ON_RSA	        	  8
 #define BUG_SSH2_RSA_PADDING	        	 16
 #define BUG_SSH2_DERIVEKEY                       32
+#define BUG_SSH2_DH_GEX                          64
 
 static int ssh_pkt_ctx = 0;
 
@@ -1742,6 +1743,14 @@ static void ssh_detect_bugs(char *vstring)
 	ssh_remote_bugs |= BUG_SSH2_RSA_PADDING;
 	logevent("We believe remote version has SSH2 RSA padding bug");
     }
+
+    if (cfg.sshbug_dhgex2 == BUG_ON) {
+	/*
+	 * These versions have the SSH2 DH GEX bug.
+	 */
+	ssh_remote_bugs |= BUG_SSH2_DH_GEX;
+	logevent("We believe remote version has SSH2 DH group exchange bug");
+    }
 }
 
 static int do_ssh_init(unsigned char c)
@@ -3354,7 +3363,7 @@ static void ssh1_protocol(unsigned char *in, int inlen, int ispkt)
 		unsigned i = GET_32BIT(pktin.body);
 		struct ssh_channel *c;
 		c = find234(ssh_channels, &i, ssh_channelfind);
-		if (c) {
+		if (c && ((int)c->remoteid) != -1) {
 		    int closetype;
 		    closetype =
 			(pktin.type == SSH1_MSG_CHANNEL_CLOSE ? 1 : 2);
@@ -3383,6 +3392,11 @@ static void ssh1_protocol(unsigned char *in, int inlen, int ispkt)
 			del234(ssh_channels, c);
 			sfree(c);
 		    }
+		} else {
+		    bombout(("Received CHANNEL_CLOSE%s for %s channel %d\n",
+			     pktin.type == SSH1_MSG_CHANNEL_CLOSE ? "" :
+			     "_CONFIRMATION", c ? "half-open" : "nonexistent",
+			     i));
 		}
 	    } else if (pktin.type == SSH1_MSG_CHANNEL_DATA) {
 		/* Data sent down one of our channels. */
@@ -3628,7 +3642,7 @@ static int do_ssh2_transport(unsigned char *in, int inlen, int ispkt)
     /*
      * Be prepared to work around the buggy MAC problem.
      */
-    if (cfg.buggymac || (ssh_remote_bugs & BUG_SSH2_HMAC))
+    if (ssh_remote_bugs & BUG_SSH2_HMAC)
 	maclist = buggymacs, nmacs = lenof(buggymacs);
     else
 	maclist = macs, nmacs = lenof(macs);
@@ -3643,6 +3657,9 @@ static int do_ssh2_transport(unsigned char *in, int inlen, int ispkt)
     /* List key exchange algorithms. */
     ssh2_pkt_addstring_start();
     for (i = 0; i < lenof(kex_algs); i++) {
+	if (kex_algs[i] == &ssh_diffiehellman_gex &&
+	    (ssh_remote_bugs & BUG_SSH2_DH_GEX))
+	    continue;
 	ssh2_pkt_addstring_str(kex_algs[i]->name);
 	if (i < lenof(kex_algs) - 1)
 	    ssh2_pkt_addstring_str(",");
@@ -3749,6 +3766,9 @@ static int do_ssh2_transport(unsigned char *in, int inlen, int ispkt)
     pktin.savedpos += 16;	       /* skip garbage cookie */
     ssh2_pkt_getstring(&str, &len);    /* key exchange algorithms */
     for (i = 0; i < lenof(kex_algs); i++) {
+	if (kex_algs[i] == &ssh_diffiehellman_gex &&
+	    (ssh_remote_bugs & BUG_SSH2_DH_GEX))
+	    continue;
 	if (in_commasep_string(kex_algs[i]->name, str, len)) {
 	    kex = kex_algs[i];
 	    break;
@@ -5359,8 +5379,10 @@ static void do_ssh2_authconn(unsigned char *in, int inlen, int ispkt)
 		struct ssh_channel *c;
 
 		c = find234(ssh_channels, &i, ssh_channelfind);
-		if (!c)
-		    continue;	       /* nonexistent channel */
+		if (!c || ((int)c->remoteid) == -1) {
+		    bombout(("Received CHANNEL_CLOSE for %s channel %d\n",
+			     c ? "half-open" : "nonexistent", i));
+		}
 		/* Do pre-close processing on the channel. */
 		switch (c->type) {
 		  case CHAN_MAINSESSION: