23 #define SSH1_MSG_DISCONNECT 1 /* 0x1 */
24 #define SSH1_SMSG_PUBLIC_KEY 2 /* 0x2 */
25 #define SSH1_CMSG_SESSION_KEY 3 /* 0x3 */
26 #define SSH1_CMSG_USER 4 /* 0x4 */
27 #define SSH1_CMSG_AUTH_RSA 6 /* 0x6 */
28 #define SSH1_SMSG_AUTH_RSA_CHALLENGE 7 /* 0x7 */
29 #define SSH1_CMSG_AUTH_RSA_RESPONSE 8 /* 0x8 */
30 #define SSH1_CMSG_AUTH_PASSWORD 9 /* 0x9 */
31 #define SSH1_CMSG_REQUEST_PTY 10 /* 0xa */
32 #define SSH1_CMSG_WINDOW_SIZE 11 /* 0xb */
33 #define SSH1_CMSG_EXEC_SHELL 12 /* 0xc */
34 #define SSH1_CMSG_EXEC_CMD 13 /* 0xd */
35 #define SSH1_SMSG_SUCCESS 14 /* 0xe */
36 #define SSH1_SMSG_FAILURE 15 /* 0xf */
37 #define SSH1_CMSG_STDIN_DATA 16 /* 0x10 */
38 #define SSH1_SMSG_STDOUT_DATA 17 /* 0x11 */
39 #define SSH1_SMSG_STDERR_DATA 18 /* 0x12 */
40 #define SSH1_CMSG_EOF 19 /* 0x13 */
41 #define SSH1_SMSG_EXIT_STATUS 20 /* 0x14 */
42 #define SSH1_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* 0x15 */
43 #define SSH1_MSG_CHANNEL_OPEN_FAILURE 22 /* 0x16 */
44 #define SSH1_MSG_CHANNEL_DATA 23 /* 0x17 */
45 #define SSH1_MSG_CHANNEL_CLOSE 24 /* 0x18 */
46 #define SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* 0x19 */
47 #define SSH1_SMSG_X11_OPEN 27 /* 0x1b */
48 #define SSH1_CMSG_PORT_FORWARD_REQUEST 28 /* 0x1c */
49 #define SSH1_MSG_PORT_OPEN 29 /* 0x1d */
50 #define SSH1_CMSG_AGENT_REQUEST_FORWARDING 30 /* 0x1e */
51 #define SSH1_SMSG_AGENT_OPEN 31 /* 0x1f */
52 #define SSH1_MSG_IGNORE 32 /* 0x20 */
53 #define SSH1_CMSG_EXIT_CONFIRMATION 33 /* 0x21 */
54 #define SSH1_CMSG_X11_REQUEST_FORWARDING 34 /* 0x22 */
55 #define SSH1_CMSG_AUTH_RHOSTS_RSA 35 /* 0x23 */
56 #define SSH1_MSG_DEBUG 36 /* 0x24 */
57 #define SSH1_CMSG_REQUEST_COMPRESSION 37 /* 0x25 */
58 #define SSH1_CMSG_AUTH_TIS 39 /* 0x27 */
59 #define SSH1_SMSG_AUTH_TIS_CHALLENGE 40 /* 0x28 */
60 #define SSH1_CMSG_AUTH_TIS_RESPONSE 41 /* 0x29 */
61 #define SSH1_CMSG_AUTH_CCARD 70 /* 0x46 */
62 #define SSH1_SMSG_AUTH_CCARD_CHALLENGE 71 /* 0x47 */
63 #define SSH1_CMSG_AUTH_CCARD_RESPONSE 72 /* 0x48 */
65 #define SSH1_AUTH_RHOSTS 1 /* 0x1 */
66 #define SSH1_AUTH_RSA 2 /* 0x2 */
67 #define SSH1_AUTH_PASSWORD 3 /* 0x3 */
68 #define SSH1_AUTH_RHOSTS_RSA 4 /* 0x4 */
69 #define SSH1_AUTH_TIS 5 /* 0x5 */
70 #define SSH1_AUTH_CCARD 16 /* 0x10 */
72 #define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */
73 /* Mask for protoflags we will echo back to server if seen */
74 #define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */
76 #define SSH2_MSG_DISCONNECT 1 /* 0x1 */
77 #define SSH2_MSG_IGNORE 2 /* 0x2 */
78 #define SSH2_MSG_UNIMPLEMENTED 3 /* 0x3 */
79 #define SSH2_MSG_DEBUG 4 /* 0x4 */
80 #define SSH2_MSG_SERVICE_REQUEST 5 /* 0x5 */
81 #define SSH2_MSG_SERVICE_ACCEPT 6 /* 0x6 */
82 #define SSH2_MSG_KEXINIT 20 /* 0x14 */
83 #define SSH2_MSG_NEWKEYS 21 /* 0x15 */
84 #define SSH2_MSG_KEXDH_INIT 30 /* 0x1e */
85 #define SSH2_MSG_KEXDH_REPLY 31 /* 0x1f */
86 #define SSH2_MSG_KEX_DH_GEX_REQUEST 30 /* 0x1e */
87 #define SSH2_MSG_KEX_DH_GEX_GROUP 31 /* 0x1f */
88 #define SSH2_MSG_KEX_DH_GEX_INIT 32 /* 0x20 */
89 #define SSH2_MSG_KEX_DH_GEX_REPLY 33 /* 0x21 */
90 #define SSH2_MSG_KEXRSA_PUBKEY 30 /* 0x1e */
91 #define SSH2_MSG_KEXRSA_SECRET 31 /* 0x1f */
92 #define SSH2_MSG_KEXRSA_DONE 32 /* 0x20 */
93 #define SSH2_MSG_USERAUTH_REQUEST 50 /* 0x32 */
94 #define SSH2_MSG_USERAUTH_FAILURE 51 /* 0x33 */
95 #define SSH2_MSG_USERAUTH_SUCCESS 52 /* 0x34 */
96 #define SSH2_MSG_USERAUTH_BANNER 53 /* 0x35 */
97 #define SSH2_MSG_USERAUTH_PK_OK 60 /* 0x3c */
98 #define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 /* 0x3c */
99 #define SSH2_MSG_USERAUTH_INFO_REQUEST 60 /* 0x3c */
100 #define SSH2_MSG_USERAUTH_INFO_RESPONSE 61 /* 0x3d */
101 #define SSH2_MSG_GLOBAL_REQUEST 80 /* 0x50 */
102 #define SSH2_MSG_REQUEST_SUCCESS 81 /* 0x51 */
103 #define SSH2_MSG_REQUEST_FAILURE 82 /* 0x52 */
104 #define SSH2_MSG_CHANNEL_OPEN 90 /* 0x5a */
105 #define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION 91 /* 0x5b */
106 #define SSH2_MSG_CHANNEL_OPEN_FAILURE 92 /* 0x5c */
107 #define SSH2_MSG_CHANNEL_WINDOW_ADJUST 93 /* 0x5d */
108 #define SSH2_MSG_CHANNEL_DATA 94 /* 0x5e */
109 #define SSH2_MSG_CHANNEL_EXTENDED_DATA 95 /* 0x5f */
110 #define SSH2_MSG_CHANNEL_EOF 96 /* 0x60 */
111 #define SSH2_MSG_CHANNEL_CLOSE 97 /* 0x61 */
112 #define SSH2_MSG_CHANNEL_REQUEST 98 /* 0x62 */
113 #define SSH2_MSG_CHANNEL_SUCCESS 99 /* 0x63 */
114 #define SSH2_MSG_CHANNEL_FAILURE 100 /* 0x64 */
117 * Packet type contexts, so that ssh2_pkt_type can correctly decode
118 * the ambiguous type numbers back into the correct type strings.
128 SSH2_PKTCTX_PUBLICKEY,
129 SSH2_PKTCTX_PASSWORD,
133 #define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */
134 #define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */
135 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */
136 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */
137 #define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */
138 #define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */
139 #define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */
140 #define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */
141 #define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */
142 #define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */
143 #define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */
144 #define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */
145 #define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */
146 #define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */
147 #define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */
149 static const char *const ssh2_disconnect_reasons[] = {
151 "host not allowed to connect",
153 "key exchange failed",
154 "host authentication failed",
157 "service not available",
158 "protocol version not supported",
159 "host key not verifiable",
162 "too many connections",
163 "auth cancelled by user",
164 "no more auth methods available",
168 #define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */
169 #define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */
170 #define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */
171 #define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */
173 #define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */
176 * Various remote-bug flags.
178 #define BUG_CHOKES_ON_SSH1_IGNORE 1
179 #define BUG_SSH2_HMAC 2
180 #define BUG_NEEDS_SSH1_PLAIN_PASSWORD 4
181 #define BUG_CHOKES_ON_RSA 8
182 #define BUG_SSH2_RSA_PADDING 16
183 #define BUG_SSH2_DERIVEKEY 32
184 #define BUG_SSH2_REKEY 64
185 #define BUG_SSH2_PK_SESSIONID 128
188 * Codes for terminal modes.
189 * Most of these are the same in SSH-1 and SSH-2.
190 * This list is derived from RFC 4254 and
193 static const struct {
194 const char* const mode;
196 enum { TTY_OP_CHAR, TTY_OP_BOOL } type;
198 /* "V" prefix discarded for special characters relative to SSH specs */
199 { "INTR", 1, TTY_OP_CHAR },
200 { "QUIT", 2, TTY_OP_CHAR },
201 { "ERASE", 3, TTY_OP_CHAR },
202 { "KILL", 4, TTY_OP_CHAR },
203 { "EOF", 5, TTY_OP_CHAR },
204 { "EOL", 6, TTY_OP_CHAR },
205 { "EOL2", 7, TTY_OP_CHAR },
206 { "START", 8, TTY_OP_CHAR },
207 { "STOP", 9, TTY_OP_CHAR },
208 { "SUSP", 10, TTY_OP_CHAR },
209 { "DSUSP", 11, TTY_OP_CHAR },
210 { "REPRINT", 12, TTY_OP_CHAR },
211 { "WERASE", 13, TTY_OP_CHAR },
212 { "LNEXT", 14, TTY_OP_CHAR },
213 { "FLUSH", 15, TTY_OP_CHAR },
214 { "SWTCH", 16, TTY_OP_CHAR },
215 { "STATUS", 17, TTY_OP_CHAR },
216 { "DISCARD", 18, TTY_OP_CHAR },
217 { "IGNPAR", 30, TTY_OP_BOOL },
218 { "PARMRK", 31, TTY_OP_BOOL },
219 { "INPCK", 32, TTY_OP_BOOL },
220 { "ISTRIP", 33, TTY_OP_BOOL },
221 { "INLCR", 34, TTY_OP_BOOL },
222 { "IGNCR", 35, TTY_OP_BOOL },
223 { "ICRNL", 36, TTY_OP_BOOL },
224 { "IUCLC", 37, TTY_OP_BOOL },
225 { "IXON", 38, TTY_OP_BOOL },
226 { "IXANY", 39, TTY_OP_BOOL },
227 { "IXOFF", 40, TTY_OP_BOOL },
228 { "IMAXBEL", 41, TTY_OP_BOOL },
229 { "ISIG", 50, TTY_OP_BOOL },
230 { "ICANON", 51, TTY_OP_BOOL },
231 { "XCASE", 52, TTY_OP_BOOL },
232 { "ECHO", 53, TTY_OP_BOOL },
233 { "ECHOE", 54, TTY_OP_BOOL },
234 { "ECHOK", 55, TTY_OP_BOOL },
235 { "ECHONL", 56, TTY_OP_BOOL },
236 { "NOFLSH", 57, TTY_OP_BOOL },
237 { "TOSTOP", 58, TTY_OP_BOOL },
238 { "IEXTEN", 59, TTY_OP_BOOL },
239 { "ECHOCTL", 60, TTY_OP_BOOL },
240 { "ECHOKE", 61, TTY_OP_BOOL },
241 { "PENDIN", 62, TTY_OP_BOOL }, /* XXX is this a real mode? */
242 { "OPOST", 70, TTY_OP_BOOL },
243 { "OLCUC", 71, TTY_OP_BOOL },
244 { "ONLCR", 72, TTY_OP_BOOL },
245 { "OCRNL", 73, TTY_OP_BOOL },
246 { "ONOCR", 74, TTY_OP_BOOL },
247 { "ONLRET", 75, TTY_OP_BOOL },
248 { "CS7", 90, TTY_OP_BOOL },
249 { "CS8", 91, TTY_OP_BOOL },
250 { "PARENB", 92, TTY_OP_BOOL },
251 { "PARODD", 93, TTY_OP_BOOL }
254 /* Miscellaneous other tty-related constants. */
255 #define SSH_TTY_OP_END 0
256 /* The opcodes for ISPEED/OSPEED differ between SSH-1 and SSH-2. */
257 #define SSH1_TTY_OP_ISPEED 192
258 #define SSH1_TTY_OP_OSPEED 193
259 #define SSH2_TTY_OP_ISPEED 128
260 #define SSH2_TTY_OP_OSPEED 129
262 /* Helper functions for parsing tty-related config. */
263 static unsigned int ssh_tty_parse_specchar(char *s)
268 ret = ctrlparse(s, &next);
269 if (!next) ret = s[0];
271 ret = 255; /* special value meaning "don't set" */
275 static unsigned int ssh_tty_parse_boolean(char *s)
277 if (stricmp(s, "yes") == 0 ||
278 stricmp(s, "on") == 0 ||
279 stricmp(s, "true") == 0 ||
280 stricmp(s, "+") == 0)
282 else if (stricmp(s, "no") == 0 ||
283 stricmp(s, "off") == 0 ||
284 stricmp(s, "false") == 0 ||
285 stricmp(s, "-") == 0)
286 return 0; /* false */
288 return (atoi(s) != 0);
291 #define translate(x) if (type == x) return #x
292 #define translatek(x,ctx) if (type == x && (pkt_kctx == ctx)) return #x
293 #define translatea(x,ctx) if (type == x && (pkt_actx == ctx)) return #x
294 static char *ssh1_pkt_type(int type)
296 translate(SSH1_MSG_DISCONNECT);
297 translate(SSH1_SMSG_PUBLIC_KEY);
298 translate(SSH1_CMSG_SESSION_KEY);
299 translate(SSH1_CMSG_USER);
300 translate(SSH1_CMSG_AUTH_RSA);
301 translate(SSH1_SMSG_AUTH_RSA_CHALLENGE);
302 translate(SSH1_CMSG_AUTH_RSA_RESPONSE);
303 translate(SSH1_CMSG_AUTH_PASSWORD);
304 translate(SSH1_CMSG_REQUEST_PTY);
305 translate(SSH1_CMSG_WINDOW_SIZE);
306 translate(SSH1_CMSG_EXEC_SHELL);
307 translate(SSH1_CMSG_EXEC_CMD);
308 translate(SSH1_SMSG_SUCCESS);
309 translate(SSH1_SMSG_FAILURE);
310 translate(SSH1_CMSG_STDIN_DATA);
311 translate(SSH1_SMSG_STDOUT_DATA);
312 translate(SSH1_SMSG_STDERR_DATA);
313 translate(SSH1_CMSG_EOF);
314 translate(SSH1_SMSG_EXIT_STATUS);
315 translate(SSH1_MSG_CHANNEL_OPEN_CONFIRMATION);
316 translate(SSH1_MSG_CHANNEL_OPEN_FAILURE);
317 translate(SSH1_MSG_CHANNEL_DATA);
318 translate(SSH1_MSG_CHANNEL_CLOSE);
319 translate(SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION);
320 translate(SSH1_SMSG_X11_OPEN);
321 translate(SSH1_CMSG_PORT_FORWARD_REQUEST);
322 translate(SSH1_MSG_PORT_OPEN);
323 translate(SSH1_CMSG_AGENT_REQUEST_FORWARDING);
324 translate(SSH1_SMSG_AGENT_OPEN);
325 translate(SSH1_MSG_IGNORE);
326 translate(SSH1_CMSG_EXIT_CONFIRMATION);
327 translate(SSH1_CMSG_X11_REQUEST_FORWARDING);
328 translate(SSH1_CMSG_AUTH_RHOSTS_RSA);
329 translate(SSH1_MSG_DEBUG);
330 translate(SSH1_CMSG_REQUEST_COMPRESSION);
331 translate(SSH1_CMSG_AUTH_TIS);
332 translate(SSH1_SMSG_AUTH_TIS_CHALLENGE);
333 translate(SSH1_CMSG_AUTH_TIS_RESPONSE);
334 translate(SSH1_CMSG_AUTH_CCARD);
335 translate(SSH1_SMSG_AUTH_CCARD_CHALLENGE);
336 translate(SSH1_CMSG_AUTH_CCARD_RESPONSE);
339 static char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type)
341 translate(SSH2_MSG_DISCONNECT);
342 translate(SSH2_MSG_IGNORE);
343 translate(SSH2_MSG_UNIMPLEMENTED);
344 translate(SSH2_MSG_DEBUG);
345 translate(SSH2_MSG_SERVICE_REQUEST);
346 translate(SSH2_MSG_SERVICE_ACCEPT);
347 translate(SSH2_MSG_KEXINIT);
348 translate(SSH2_MSG_NEWKEYS);
349 translatek(SSH2_MSG_KEXDH_INIT, SSH2_PKTCTX_DHGROUP);
350 translatek(SSH2_MSG_KEXDH_REPLY, SSH2_PKTCTX_DHGROUP);
351 translatek(SSH2_MSG_KEX_DH_GEX_REQUEST, SSH2_PKTCTX_DHGEX);
352 translatek(SSH2_MSG_KEX_DH_GEX_GROUP, SSH2_PKTCTX_DHGEX);
353 translatek(SSH2_MSG_KEX_DH_GEX_INIT, SSH2_PKTCTX_DHGEX);
354 translatek(SSH2_MSG_KEX_DH_GEX_REPLY, SSH2_PKTCTX_DHGEX);
355 translatek(SSH2_MSG_KEXRSA_PUBKEY, SSH2_PKTCTX_RSAKEX);
356 translatek(SSH2_MSG_KEXRSA_SECRET, SSH2_PKTCTX_RSAKEX);
357 translatek(SSH2_MSG_KEXRSA_DONE, SSH2_PKTCTX_RSAKEX);
358 translate(SSH2_MSG_USERAUTH_REQUEST);
359 translate(SSH2_MSG_USERAUTH_FAILURE);
360 translate(SSH2_MSG_USERAUTH_SUCCESS);
361 translate(SSH2_MSG_USERAUTH_BANNER);
362 translatea(SSH2_MSG_USERAUTH_PK_OK, SSH2_PKTCTX_PUBLICKEY);
363 translatea(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, SSH2_PKTCTX_PASSWORD);
364 translatea(SSH2_MSG_USERAUTH_INFO_REQUEST, SSH2_PKTCTX_KBDINTER);
365 translatea(SSH2_MSG_USERAUTH_INFO_RESPONSE, SSH2_PKTCTX_KBDINTER);
366 translate(SSH2_MSG_GLOBAL_REQUEST);
367 translate(SSH2_MSG_REQUEST_SUCCESS);
368 translate(SSH2_MSG_REQUEST_FAILURE);
369 translate(SSH2_MSG_CHANNEL_OPEN);
370 translate(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
371 translate(SSH2_MSG_CHANNEL_OPEN_FAILURE);
372 translate(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
373 translate(SSH2_MSG_CHANNEL_DATA);
374 translate(SSH2_MSG_CHANNEL_EXTENDED_DATA);
375 translate(SSH2_MSG_CHANNEL_EOF);
376 translate(SSH2_MSG_CHANNEL_CLOSE);
377 translate(SSH2_MSG_CHANNEL_REQUEST);
378 translate(SSH2_MSG_CHANNEL_SUCCESS);
379 translate(SSH2_MSG_CHANNEL_FAILURE);
385 /* Enumeration values for fields in SSH-1 packets */
387 PKT_END, PKT_INT, PKT_CHAR, PKT_DATA, PKT_STR, PKT_BIGNUM,
388 /* These values are for communicating relevant semantics of
389 * fields to the packet logging code. */
390 PKTT_OTHER, PKTT_PASSWORD, PKTT_DATA
394 * Coroutine mechanics for the sillier bits of the code. If these
395 * macros look impenetrable to you, you might find it helpful to
398 * http://www.chiark.greenend.org.uk/~sgtatham/coroutines.html
400 * which explains the theory behind these macros.
402 * In particular, if you are getting `case expression not constant'
403 * errors when building with MS Visual Studio, this is because MS's
404 * Edit and Continue debugging feature causes their compiler to
405 * violate ANSI C. To disable Edit and Continue debugging:
407 * - right-click ssh.c in the FileView
409 * - select the C/C++ tab and the General category
410 * - under `Debug info:', select anything _other_ than `Program
411 * Database for Edit and Continue'.
413 #define crBegin(v) { int *crLine = &v; switch(v) { case 0:;
416 if (!ssh->t) ssh->t = snew(struct t); \
418 #define crFinish(z) } *crLine = 0; return (z); }
419 #define crFinishV } *crLine = 0; return; }
420 #define crReturn(z) \
422 *crLine =__LINE__; return (z); case __LINE__:;\
426 *crLine=__LINE__; return; case __LINE__:;\
428 #define crStop(z) do{ *crLine = 0; return (z); }while(0)
429 #define crStopV do{ *crLine = 0; return; }while(0)
430 #define crWaitUntil(c) do { crReturn(0); } while (!(c))
431 #define crWaitUntilV(c) do { crReturnV; } while (!(c))
433 typedef struct ssh_tag *Ssh;
436 static struct Packet *ssh1_pkt_init(int pkt_type);
437 static struct Packet *ssh2_pkt_init(int pkt_type);
438 static void ssh_pkt_ensure(struct Packet *, int length);
439 static void ssh_pkt_adddata(struct Packet *, void *data, int len);
440 static void ssh_pkt_addbyte(struct Packet *, unsigned char value);
441 static void ssh2_pkt_addbool(struct Packet *, unsigned char value);
442 static void ssh_pkt_adduint32(struct Packet *, unsigned long value);
443 static void ssh_pkt_addstring_start(struct Packet *);
444 static void ssh_pkt_addstring_str(struct Packet *, char *data);
445 static void ssh_pkt_addstring_data(struct Packet *, char *data, int len);
446 static void ssh_pkt_addstring(struct Packet *, char *data);
447 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len);
448 static void ssh1_pkt_addmp(struct Packet *, Bignum b);
449 static void ssh2_pkt_addmp(struct Packet *, Bignum b);
450 static int ssh2_pkt_construct(Ssh, struct Packet *);
451 static void ssh2_pkt_send(Ssh, struct Packet *);
452 static void ssh2_pkt_send_noqueue(Ssh, struct Packet *);
453 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
454 struct Packet *pktin);
455 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
456 struct Packet *pktin);
459 * Buffer management constants. There are several of these for
460 * various different purposes:
462 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
463 * on a local data stream before we throttle the whole SSH
464 * connection (in SSH-1 only). Throttling the whole connection is
465 * pretty drastic so we set this high in the hope it won't
468 * - SSH_MAX_BACKLOG is the amount of backlog that must build up
469 * on the SSH connection itself before we defensively throttle
470 * _all_ local data streams. This is pretty drastic too (though
471 * thankfully unlikely in SSH-2 since the window mechanism should
472 * ensure that the server never has any need to throttle its end
473 * of the connection), so we set this high as well.
475 * - OUR_V2_WINSIZE is the maximum window size we present on SSH-2
478 * - OUR_V2_BIGWIN is the window size we advertise for the only
479 * channel in a simple connection. It must be <= INT_MAX.
482 #define SSH1_BUFFER_LIMIT 32768
483 #define SSH_MAX_BACKLOG 32768
484 #define OUR_V2_WINSIZE 16384
485 #define OUR_V2_BIGWIN 0x7fffffff
486 #define OUR_V2_MAXPKT 0x4000UL
488 /* Maximum length of passwords/passphrases (arbitrary) */
489 #define SSH_MAX_PASSWORD_LEN 100
491 const static struct ssh_signkey *hostkey_algs[] = { &ssh_rsa, &ssh_dss };
493 const static struct ssh_mac *macs[] = {
494 &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
496 const static struct ssh_mac *buggymacs[] = {
497 &ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
500 static void *ssh_comp_none_init(void)
504 static void ssh_comp_none_cleanup(void *handle)
507 static int ssh_comp_none_block(void *handle, unsigned char *block, int len,
508 unsigned char **outblock, int *outlen)
512 static int ssh_comp_none_disable(void *handle)
516 const static struct ssh_compress ssh_comp_none = {
518 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
519 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
520 ssh_comp_none_disable, NULL
522 extern const struct ssh_compress ssh_zlib;
523 const static struct ssh_compress *compressions[] = {
524 &ssh_zlib, &ssh_comp_none
527 enum { /* channel types */
532 CHAN_SOCKDATA_DORMANT /* one the remote hasn't confirmed */
536 * 2-3-4 tree storing channels.
539 Ssh ssh; /* pointer back to main context */
540 unsigned remoteid, localid;
542 /* True if we opened this channel but server hasn't confirmed. */
545 * In SSH-1, this value contains four bits:
547 * 1 We have sent SSH1_MSG_CHANNEL_CLOSE.
548 * 2 We have sent SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
549 * 4 We have received SSH1_MSG_CHANNEL_CLOSE.
550 * 8 We have received SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
552 * A channel is completely finished with when all four bits are set.
556 struct ssh1_data_channel {
559 struct ssh2_data_channel {
561 unsigned remwindow, remmaxpkt;
562 /* locwindow is signed so we can cope with excess data. */
563 int locwindow, locmaxwin;
567 struct ssh_agent_channel {
568 unsigned char *message;
569 unsigned char msglen[4];
570 unsigned lensofar, totallen;
572 struct ssh_x11_channel {
575 struct ssh_pfd_channel {
582 * 2-3-4 tree storing remote->local port forwardings. SSH-1 and SSH-2
583 * use this structure in different ways, reflecting SSH-2's
584 * altogether saner approach to port forwarding.
586 * In SSH-1, you arrange a remote forwarding by sending the server
587 * the remote port number, and the local destination host:port.
588 * When a connection comes in, the server sends you back that
589 * host:port pair, and you connect to it. This is a ready-made
590 * security hole if you're not on the ball: a malicious server
591 * could send you back _any_ host:port pair, so if you trustingly
592 * connect to the address it gives you then you've just opened the
593 * entire inside of your corporate network just by connecting
594 * through it to a dodgy SSH server. Hence, we must store a list of
595 * host:port pairs we _are_ trying to forward to, and reject a
596 * connection request from the server if it's not in the list.
598 * In SSH-2, each side of the connection minds its own business and
599 * doesn't send unnecessary information to the other. You arrange a
600 * remote forwarding by sending the server just the remote port
601 * number. When a connection comes in, the server tells you which
602 * of its ports was connected to; and _you_ have to remember what
603 * local host:port pair went with that port number.
605 * Hence, in SSH-1 this structure is indexed by destination
606 * host:port pair, whereas in SSH-2 it is indexed by source port.
608 struct ssh_portfwd; /* forward declaration */
610 struct ssh_rportfwd {
611 unsigned sport, dport;
614 struct ssh_portfwd *pfrec;
616 #define free_rportfwd(pf) ( \
617 ((pf) ? (sfree((pf)->sportdesc)) : (void)0 ), sfree(pf) )
620 * Separately to the rportfwd tree (which is for looking up port
621 * open requests from the server), a tree of _these_ structures is
622 * used to keep track of all the currently open port forwardings,
623 * so that we can reconfigure in mid-session if the user requests
627 enum { DESTROY, KEEP, CREATE } status;
629 unsigned sport, dport;
632 struct ssh_rportfwd *remote;
636 #define free_portfwd(pf) ( \
637 ((pf) ? (sfree((pf)->saddr), sfree((pf)->daddr), \
638 sfree((pf)->sserv), sfree((pf)->dserv)) : (void)0 ), sfree(pf) )
641 long length; /* length of `data' actually used */
642 long forcepad; /* SSH-2: force padding to at least this length */
643 int type; /* only used for incoming packets */
644 unsigned long sequence; /* SSH-2 incoming sequence number */
645 unsigned char *data; /* allocated storage */
646 unsigned char *body; /* offset of payload within `data' */
647 long savedpos; /* temporary index into `data' (for strings) */
648 long maxlen; /* amount of storage allocated for `data' */
649 long encrypted_len; /* for SSH-2 total-size counting */
652 * State associated with packet logging
656 struct logblank_t *blanks;
659 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
660 struct Packet *pktin);
661 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
662 struct Packet *pktin);
663 static void ssh1_protocol_setup(Ssh ssh);
664 static void ssh2_protocol_setup(Ssh ssh);
665 static void ssh_size(void *handle, int width, int height);
666 static void ssh_special(void *handle, Telnet_Special);
667 static int ssh2_try_send(struct ssh_channel *c);
668 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf, int len);
669 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize);
670 static void ssh2_set_window(struct ssh_channel *c, int newwin);
671 static int ssh_sendbuffer(void *handle);
672 static int ssh_do_close(Ssh ssh, int notify_exit);
673 static unsigned long ssh_pkt_getuint32(struct Packet *pkt);
674 static int ssh2_pkt_getbool(struct Packet *pkt);
675 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length);
676 static void ssh2_timer(void *ctx, long now);
677 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
678 struct Packet *pktin);
680 struct rdpkt1_state_tag {
681 long len, pad, biglen, to_read;
682 unsigned long realcrc, gotcrc;
686 struct Packet *pktin;
689 struct rdpkt2_state_tag {
690 long len, pad, payload, packetlen, maclen;
693 unsigned long incoming_sequence;
694 struct Packet *pktin;
697 typedef void (*handler_fn_t)(Ssh ssh, struct Packet *pktin);
698 typedef void (*chandler_fn_t)(Ssh ssh, struct Packet *pktin, void *ctx);
700 struct queued_handler;
701 struct queued_handler {
703 chandler_fn_t handler;
705 struct queued_handler *next;
709 const struct plug_function_table *fn;
710 /* the above field _must_ be first in the structure */
720 unsigned char session_key[32];
722 int v1_remote_protoflags;
723 int v1_local_protoflags;
724 int agentfwd_enabled;
727 const struct ssh_cipher *cipher;
730 const struct ssh2_cipher *cscipher, *sccipher;
731 void *cs_cipher_ctx, *sc_cipher_ctx;
732 const struct ssh_mac *csmac, *scmac;
733 void *cs_mac_ctx, *sc_mac_ctx;
734 const struct ssh_compress *cscomp, *sccomp;
735 void *cs_comp_ctx, *sc_comp_ctx;
736 const struct ssh_kex *kex;
737 const struct ssh_signkey *hostkey;
738 unsigned char v2_session_id[SSH2_KEX_MAX_HASH_LEN];
739 int v2_session_id_len;
745 int echoing, editing;
749 int ospeed, ispeed; /* temporaries */
750 int term_width, term_height;
752 tree234 *channels; /* indexed by local id */
753 struct ssh_channel *mainchan; /* primary session channel */
754 int ncmode; /* is primary channel direct-tcpip? */
759 tree234 *rportfwds, *portfwds;
763 SSH_STATE_BEFORE_SIZE,
769 int size_needed, eof_needed;
771 struct Packet **queue;
772 int queuelen, queuesize;
774 unsigned char *deferred_send_data;
775 int deferred_len, deferred_size;
778 * Gross hack: pscp will try to start SFTP but fall back to
779 * scp1 if that fails. This variable is the means by which
780 * scp.c can reach into the SSH code and find out which one it
785 bufchain banner; /* accumulates banners during do_ssh2_authconn */
793 int v1_throttle_count;
796 int v1_stdout_throttling;
797 unsigned long v2_outgoing_sequence;
799 int ssh1_rdpkt_crstate;
800 int ssh2_rdpkt_crstate;
801 int do_ssh_init_crstate;
802 int ssh_gotdata_crstate;
803 int do_ssh1_login_crstate;
804 int do_ssh1_connection_crstate;
805 int do_ssh2_transport_crstate;
806 int do_ssh2_authconn_crstate;
808 void *do_ssh_init_state;
809 void *do_ssh1_login_state;
810 void *do_ssh2_transport_state;
811 void *do_ssh2_authconn_state;
813 struct rdpkt1_state_tag rdpkt1_state;
814 struct rdpkt2_state_tag rdpkt2_state;
816 /* SSH-1 and SSH-2 use this for different things, but both use it */
817 int protocol_initial_phase_done;
819 void (*protocol) (Ssh ssh, void *vin, int inlen,
821 struct Packet *(*s_rdpkt) (Ssh ssh, unsigned char **data, int *datalen);
824 * We maintain a full _copy_ of a Config structure here, not
825 * merely a pointer to it. That way, when we're passed a new
826 * one for reconfiguration, we can check the differences and
827 * potentially reconfigure port forwardings etc in mid-session.
832 * Used to transfer data back from async callbacks.
834 void *agent_response;
835 int agent_response_len;
839 * The SSH connection can be set as `frozen', meaning we are
840 * not currently accepting incoming data from the network. This
841 * is slightly more serious than setting the _socket_ as
842 * frozen, because we may already have had data passed to us
843 * from the network which we need to delay processing until
844 * after the freeze is lifted, so we also need a bufchain to
848 bufchain queued_incoming_data;
851 * Dispatch table for packet types that we may have to deal
854 handler_fn_t packet_dispatch[256];
857 * Queues of one-off handler functions for success/failure
858 * indications from a request.
860 struct queued_handler *qhead, *qtail;
863 * This module deals with sending keepalives.
868 * Track incoming and outgoing data sizes and time, for
871 unsigned long incoming_data_size, outgoing_data_size, deferred_data_size;
872 unsigned long max_data_size;
874 long next_rekey, last_rekey;
875 char *deferred_rekey_reason; /* points to STATIC string; don't free */
878 #define logevent(s) logevent(ssh->frontend, s)
880 /* logevent, only printf-formatted. */
881 static void logeventf(Ssh ssh, const char *fmt, ...)
887 buf = dupvprintf(fmt, ap);
893 #define bombout(msg) \
895 char *text = dupprintf msg; \
896 ssh_do_close(ssh, FALSE); \
898 connection_fatal(ssh->frontend, "%s", text); \
902 /* Functions to leave bits out of the SSH packet log file. */
904 static void dont_log_password(Ssh ssh, struct Packet *pkt, int blanktype)
906 if (ssh->cfg.logomitpass)
907 pkt->logmode = blanktype;
910 static void dont_log_data(Ssh ssh, struct Packet *pkt, int blanktype)
912 if (ssh->cfg.logomitdata)
913 pkt->logmode = blanktype;
916 static void end_log_omission(Ssh ssh, struct Packet *pkt)
918 pkt->logmode = PKTLOG_EMIT;
921 /* Helper function for common bits of parsing cfg.ttymodes. */
922 static void parse_ttymodes(Ssh ssh, char *modes,
923 void (*do_mode)(void *data, char *mode, char *val),
927 char *t = strchr(modes, '\t');
928 char *m = snewn(t-modes+1, char);
930 strncpy(m, modes, t-modes);
933 val = get_ttymode(ssh->frontend, m);
937 do_mode(data, m, val);
940 modes += strlen(modes) + 1;
944 static int ssh_channelcmp(void *av, void *bv)
946 struct ssh_channel *a = (struct ssh_channel *) av;
947 struct ssh_channel *b = (struct ssh_channel *) bv;
948 if (a->localid < b->localid)
950 if (a->localid > b->localid)
954 static int ssh_channelfind(void *av, void *bv)
956 unsigned *a = (unsigned *) av;
957 struct ssh_channel *b = (struct ssh_channel *) bv;
965 static int ssh_rportcmp_ssh1(void *av, void *bv)
967 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
968 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
970 if ( (i = strcmp(a->dhost, b->dhost)) != 0)
971 return i < 0 ? -1 : +1;
972 if (a->dport > b->dport)
974 if (a->dport < b->dport)
979 static int ssh_rportcmp_ssh2(void *av, void *bv)
981 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
982 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
984 if (a->sport > b->sport)
986 if (a->sport < b->sport)
992 * Special form of strcmp which can cope with NULL inputs. NULL is
993 * defined to sort before even the empty string.
995 static int nullstrcmp(const char *a, const char *b)
997 if (a == NULL && b == NULL)
1003 return strcmp(a, b);
1006 static int ssh_portcmp(void *av, void *bv)
1008 struct ssh_portfwd *a = (struct ssh_portfwd *) av;
1009 struct ssh_portfwd *b = (struct ssh_portfwd *) bv;
1011 if (a->type > b->type)
1013 if (a->type < b->type)
1015 if (a->addressfamily > b->addressfamily)
1017 if (a->addressfamily < b->addressfamily)
1019 if ( (i = nullstrcmp(a->saddr, b->saddr)) != 0)
1020 return i < 0 ? -1 : +1;
1021 if (a->sport > b->sport)
1023 if (a->sport < b->sport)
1025 if (a->type != 'D') {
1026 if ( (i = nullstrcmp(a->daddr, b->daddr)) != 0)
1027 return i < 0 ? -1 : +1;
1028 if (a->dport > b->dport)
1030 if (a->dport < b->dport)
1036 static int alloc_channel_id(Ssh ssh)
1038 const unsigned CHANNEL_NUMBER_OFFSET = 256;
1039 unsigned low, high, mid;
1041 struct ssh_channel *c;
1044 * First-fit allocation of channel numbers: always pick the
1045 * lowest unused one. To do this, binary-search using the
1046 * counted B-tree to find the largest channel ID which is in a
1047 * contiguous sequence from the beginning. (Precisely
1048 * everything in that sequence must have ID equal to its tree
1049 * index plus CHANNEL_NUMBER_OFFSET.)
1051 tsize = count234(ssh->channels);
1055 while (high - low > 1) {
1056 mid = (high + low) / 2;
1057 c = index234(ssh->channels, mid);
1058 if (c->localid == mid + CHANNEL_NUMBER_OFFSET)
1059 low = mid; /* this one is fine */
1061 high = mid; /* this one is past it */
1064 * Now low points to either -1, or the tree index of the
1065 * largest ID in the initial sequence.
1068 unsigned i = low + 1 + CHANNEL_NUMBER_OFFSET;
1069 assert(NULL == find234(ssh->channels, &i, ssh_channelfind));
1071 return low + 1 + CHANNEL_NUMBER_OFFSET;
1074 static void c_write_stderr(int trusted, const char *buf, int len)
1077 for (i = 0; i < len; i++)
1078 if (buf[i] != '\r' && (trusted || buf[i] == '\n' || (buf[i] & 0x60)))
1079 fputc(buf[i], stderr);
1082 static void c_write(Ssh ssh, const char *buf, int len)
1084 if (flags & FLAG_STDERR)
1085 c_write_stderr(1, buf, len);
1087 from_backend(ssh->frontend, 1, buf, len);
1090 static void c_write_untrusted(Ssh ssh, const char *buf, int len)
1092 if (flags & FLAG_STDERR)
1093 c_write_stderr(0, buf, len);
1095 from_backend_untrusted(ssh->frontend, buf, len);
1098 static void c_write_str(Ssh ssh, const char *buf)
1100 c_write(ssh, buf, strlen(buf));
1103 static void ssh_free_packet(struct Packet *pkt)
1108 static struct Packet *ssh_new_packet(void)
1110 struct Packet *pkt = snew(struct Packet);
1112 pkt->body = pkt->data = NULL;
1114 pkt->logmode = PKTLOG_EMIT;
1122 * Collect incoming data in the incoming packet buffer.
1123 * Decipher and verify the packet when it is completely read.
1124 * Drop SSH1_MSG_DEBUG and SSH1_MSG_IGNORE packets.
1125 * Update the *data and *datalen variables.
1126 * Return a Packet structure when a packet is completed.
1128 static struct Packet *ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1130 struct rdpkt1_state_tag *st = &ssh->rdpkt1_state;
1132 crBegin(ssh->ssh1_rdpkt_crstate);
1134 st->pktin = ssh_new_packet();
1136 st->pktin->type = 0;
1137 st->pktin->length = 0;
1139 for (st->i = st->len = 0; st->i < 4; st->i++) {
1140 while ((*datalen) == 0)
1142 st->len = (st->len << 8) + **data;
1143 (*data)++, (*datalen)--;
1146 st->pad = 8 - (st->len % 8);
1147 st->biglen = st->len + st->pad;
1148 st->pktin->length = st->len - 5;
1150 if (st->biglen < 0) {
1151 bombout(("Extremely large packet length from server suggests"
1152 " data stream corruption"));
1153 ssh_free_packet(st->pktin);
1157 st->pktin->maxlen = st->biglen;
1158 st->pktin->data = snewn(st->biglen + APIEXTRA, unsigned char);
1160 st->to_read = st->biglen;
1161 st->p = st->pktin->data;
1162 while (st->to_read > 0) {
1163 st->chunk = st->to_read;
1164 while ((*datalen) == 0)
1166 if (st->chunk > (*datalen))
1167 st->chunk = (*datalen);
1168 memcpy(st->p, *data, st->chunk);
1170 *datalen -= st->chunk;
1172 st->to_read -= st->chunk;
1175 if (ssh->cipher && detect_attack(ssh->crcda_ctx, st->pktin->data,
1176 st->biglen, NULL)) {
1177 bombout(("Network attack (CRC compensation) detected!"));
1178 ssh_free_packet(st->pktin);
1183 ssh->cipher->decrypt(ssh->v1_cipher_ctx, st->pktin->data, st->biglen);
1185 st->realcrc = crc32_compute(st->pktin->data, st->biglen - 4);
1186 st->gotcrc = GET_32BIT(st->pktin->data + st->biglen - 4);
1187 if (st->gotcrc != st->realcrc) {
1188 bombout(("Incorrect CRC received on packet"));
1189 ssh_free_packet(st->pktin);
1193 st->pktin->body = st->pktin->data + st->pad + 1;
1194 st->pktin->savedpos = 0;
1196 if (ssh->v1_compressing) {
1197 unsigned char *decompblk;
1199 if (!zlib_decompress_block(ssh->sc_comp_ctx,
1200 st->pktin->body - 1, st->pktin->length + 1,
1201 &decompblk, &decomplen)) {
1202 bombout(("Zlib decompression encountered invalid data"));
1203 ssh_free_packet(st->pktin);
1207 if (st->pktin->maxlen < st->pad + decomplen) {
1208 st->pktin->maxlen = st->pad + decomplen;
1209 st->pktin->data = sresize(st->pktin->data,
1210 st->pktin->maxlen + APIEXTRA,
1212 st->pktin->body = st->pktin->data + st->pad + 1;
1215 memcpy(st->pktin->body - 1, decompblk, decomplen);
1217 st->pktin->length = decomplen - 1;
1220 st->pktin->type = st->pktin->body[-1];
1223 * Log incoming packet, possibly omitting sensitive fields.
1227 struct logblank_t blank;
1228 if (ssh->cfg.logomitdata) {
1229 int do_blank = FALSE, blank_prefix = 0;
1230 /* "Session data" packets - omit the data field */
1231 if ((st->pktin->type == SSH1_SMSG_STDOUT_DATA) ||
1232 (st->pktin->type == SSH1_SMSG_STDERR_DATA)) {
1233 do_blank = TRUE; blank_prefix = 4;
1234 } else if (st->pktin->type == SSH1_MSG_CHANNEL_DATA) {
1235 do_blank = TRUE; blank_prefix = 8;
1238 blank.offset = blank_prefix;
1239 blank.len = st->pktin->length;
1240 blank.type = PKTLOG_OMIT;
1244 log_packet(ssh->logctx,
1245 PKT_INCOMING, st->pktin->type,
1246 ssh1_pkt_type(st->pktin->type),
1247 st->pktin->body, st->pktin->length,
1251 crFinish(st->pktin);
1254 static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1256 struct rdpkt2_state_tag *st = &ssh->rdpkt2_state;
1258 crBegin(ssh->ssh2_rdpkt_crstate);
1260 st->pktin = ssh_new_packet();
1262 st->pktin->type = 0;
1263 st->pktin->length = 0;
1265 st->cipherblk = ssh->sccipher->blksize;
1268 if (st->cipherblk < 8)
1271 st->pktin->data = snewn(st->cipherblk + APIEXTRA, unsigned char);
1274 * Acquire and decrypt the first block of the packet. This will
1275 * contain the length and padding details.
1277 for (st->i = st->len = 0; st->i < st->cipherblk; st->i++) {
1278 while ((*datalen) == 0)
1280 st->pktin->data[st->i] = *(*data)++;
1285 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1286 st->pktin->data, st->cipherblk);
1289 * Now get the length and padding figures.
1291 st->len = GET_32BIT(st->pktin->data);
1292 st->pad = st->pktin->data[4];
1295 * _Completely_ silly lengths should be stomped on before they
1296 * do us any more damage.
1298 if (st->len < 0 || st->len > 35000 || st->pad < 4 ||
1299 st->len - st->pad < 1 || (st->len + 4) % st->cipherblk != 0) {
1300 bombout(("Incoming packet was garbled on decryption"));
1301 ssh_free_packet(st->pktin);
1306 * This enables us to deduce the payload length.
1308 st->payload = st->len - st->pad - 1;
1310 st->pktin->length = st->payload + 5;
1313 * So now we can work out the total packet length.
1315 st->packetlen = st->len + 4;
1316 st->maclen = ssh->scmac ? ssh->scmac->len : 0;
1319 * Allocate memory for the rest of the packet.
1321 st->pktin->maxlen = st->packetlen + st->maclen;
1322 st->pktin->data = sresize(st->pktin->data,
1323 st->pktin->maxlen + APIEXTRA,
1327 * Read and decrypt the remainder of the packet.
1329 for (st->i = st->cipherblk; st->i < st->packetlen + st->maclen;
1331 while ((*datalen) == 0)
1333 st->pktin->data[st->i] = *(*data)++;
1336 /* Decrypt everything _except_ the MAC. */
1338 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1339 st->pktin->data + st->cipherblk,
1340 st->packetlen - st->cipherblk);
1342 st->pktin->encrypted_len = st->packetlen;
1348 && !ssh->scmac->verify(ssh->sc_mac_ctx, st->pktin->data, st->len + 4,
1349 st->incoming_sequence)) {
1350 bombout(("Incorrect MAC received on packet"));
1351 ssh_free_packet(st->pktin);
1355 st->pktin->sequence = st->incoming_sequence++;
1358 * Decompress packet payload.
1361 unsigned char *newpayload;
1364 ssh->sccomp->decompress(ssh->sc_comp_ctx,
1365 st->pktin->data + 5, st->pktin->length - 5,
1366 &newpayload, &newlen)) {
1367 if (st->pktin->maxlen < newlen + 5) {
1368 st->pktin->maxlen = newlen + 5;
1369 st->pktin->data = sresize(st->pktin->data,
1370 st->pktin->maxlen + APIEXTRA,
1373 st->pktin->length = 5 + newlen;
1374 memcpy(st->pktin->data + 5, newpayload, newlen);
1379 st->pktin->savedpos = 6;
1380 st->pktin->body = st->pktin->data;
1381 st->pktin->type = st->pktin->data[5];
1384 * Log incoming packet, possibly omitting sensitive fields.
1388 struct logblank_t blank;
1389 if (ssh->cfg.logomitdata) {
1390 int do_blank = FALSE, blank_prefix = 0;
1391 /* "Session data" packets - omit the data field */
1392 if (st->pktin->type == SSH2_MSG_CHANNEL_DATA) {
1393 do_blank = TRUE; blank_prefix = 8;
1394 } else if (st->pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA) {
1395 do_blank = TRUE; blank_prefix = 12;
1398 blank.offset = blank_prefix;
1399 blank.len = (st->pktin->length-6) - blank_prefix;
1400 blank.type = PKTLOG_OMIT;
1404 log_packet(ssh->logctx, PKT_INCOMING, st->pktin->type,
1405 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx,
1407 st->pktin->data+6, st->pktin->length-6,
1411 crFinish(st->pktin);
1414 static int s_wrpkt_prepare(Ssh ssh, struct Packet *pkt, int *offset_p)
1416 int pad, biglen, i, pktoffs;
1420 * XXX various versions of SC (including 8.8.4) screw up the
1421 * register allocation in this function and use the same register
1422 * (D6) for len and as a temporary, with predictable results. The
1423 * following sledgehammer prevents this.
1430 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[12],
1431 ssh1_pkt_type(pkt->data[12]),
1432 pkt->body, pkt->length - (pkt->body - pkt->data),
1433 pkt->nblanks, pkt->blanks);
1434 sfree(pkt->blanks); pkt->blanks = NULL;
1437 if (ssh->v1_compressing) {
1438 unsigned char *compblk;
1440 zlib_compress_block(ssh->cs_comp_ctx,
1441 pkt->data + 12, pkt->length - 12,
1442 &compblk, &complen);
1443 ssh_pkt_ensure(pkt, complen + 2); /* just in case it's got bigger */
1444 memcpy(pkt->data + 12, compblk, complen);
1446 pkt->length = complen + 12;
1449 ssh_pkt_ensure(pkt, pkt->length + 4); /* space for CRC */
1451 len = pkt->length - 4 - 8; /* len(type+data+CRC) */
1452 pad = 8 - (len % 8);
1454 biglen = len + pad; /* len(padding+type+data+CRC) */
1456 for (i = pktoffs; i < 4+8; i++)
1457 pkt->data[i] = random_byte();
1458 crc = crc32_compute(pkt->data + pktoffs + 4, biglen - 4); /* all ex len */
1459 PUT_32BIT(pkt->data + pktoffs + 4 + biglen - 4, crc);
1460 PUT_32BIT(pkt->data + pktoffs, len);
1463 ssh->cipher->encrypt(ssh->v1_cipher_ctx,
1464 pkt->data + pktoffs + 4, biglen);
1466 if (offset_p) *offset_p = pktoffs;
1467 return biglen + 4; /* len(length+padding+type+data+CRC) */
1470 static int s_write(Ssh ssh, void *data, int len)
1473 log_packet(ssh->logctx, PKT_OUTGOING, -1, NULL, data, len, 0, NULL);
1474 return sk_write(ssh->s, (char *)data, len);
1477 static void s_wrpkt(Ssh ssh, struct Packet *pkt)
1479 int len, backlog, offset;
1480 len = s_wrpkt_prepare(ssh, pkt, &offset);
1481 backlog = s_write(ssh, pkt->data + offset, len);
1482 if (backlog > SSH_MAX_BACKLOG)
1483 ssh_throttle_all(ssh, 1, backlog);
1484 ssh_free_packet(pkt);
1487 static void s_wrpkt_defer(Ssh ssh, struct Packet *pkt)
1490 len = s_wrpkt_prepare(ssh, pkt, &offset);
1491 if (ssh->deferred_len + len > ssh->deferred_size) {
1492 ssh->deferred_size = ssh->deferred_len + len + 128;
1493 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1497 memcpy(ssh->deferred_send_data + ssh->deferred_len,
1498 pkt->data + offset, len);
1499 ssh->deferred_len += len;
1500 ssh_free_packet(pkt);
1504 * Construct a SSH-1 packet with the specified contents.
1505 * (This all-at-once interface used to be the only one, but now SSH-1
1506 * packets can also be constructed incrementally.)
1508 static struct Packet *construct_packet(Ssh ssh, int pkttype, va_list ap)
1514 pkt = ssh1_pkt_init(pkttype);
1516 while ((argtype = va_arg(ap, int)) != PKT_END) {
1517 unsigned char *argp, argchar;
1519 unsigned long argint;
1522 /* Actual fields in the packet */
1524 argint = va_arg(ap, int);
1525 ssh_pkt_adduint32(pkt, argint);
1528 argchar = (unsigned char) va_arg(ap, int);
1529 ssh_pkt_addbyte(pkt, argchar);
1532 argp = va_arg(ap, unsigned char *);
1533 arglen = va_arg(ap, int);
1534 ssh_pkt_adddata(pkt, argp, arglen);
1537 sargp = va_arg(ap, char *);
1538 ssh_pkt_addstring(pkt, sargp);
1541 bn = va_arg(ap, Bignum);
1542 ssh1_pkt_addmp(pkt, bn);
1544 /* Tokens for modifications to packet logging */
1546 dont_log_password(ssh, pkt, PKTLOG_BLANK);
1549 dont_log_data(ssh, pkt, PKTLOG_OMIT);
1552 end_log_omission(ssh, pkt);
1560 static void send_packet(Ssh ssh, int pkttype, ...)
1564 va_start(ap, pkttype);
1565 pkt = construct_packet(ssh, pkttype, ap);
1570 static void defer_packet(Ssh ssh, int pkttype, ...)
1574 va_start(ap, pkttype);
1575 pkt = construct_packet(ssh, pkttype, ap);
1577 s_wrpkt_defer(ssh, pkt);
1580 static int ssh_versioncmp(char *a, char *b)
1583 unsigned long av, bv;
1585 av = strtoul(a, &ae, 10);
1586 bv = strtoul(b, &be, 10);
1588 return (av < bv ? -1 : +1);
1593 av = strtoul(ae, &ae, 10);
1594 bv = strtoul(be, &be, 10);
1596 return (av < bv ? -1 : +1);
1601 * Utility routines for putting an SSH-protocol `string' and
1602 * `uint32' into a hash state.
1604 static void hash_string(const struct ssh_hash *h, void *s, void *str, int len)
1606 unsigned char lenblk[4];
1607 PUT_32BIT(lenblk, len);
1608 h->bytes(s, lenblk, 4);
1609 h->bytes(s, str, len);
1612 static void hash_uint32(const struct ssh_hash *h, void *s, unsigned i)
1614 unsigned char intblk[4];
1615 PUT_32BIT(intblk, i);
1616 h->bytes(s, intblk, 4);
1620 * Packet construction functions. Mostly shared between SSH-1 and SSH-2.
1622 static void ssh_pkt_ensure(struct Packet *pkt, int length)
1624 if (pkt->maxlen < length) {
1625 unsigned char *body = pkt->body;
1626 int offset = body ? body - pkt->data : 0;
1627 pkt->maxlen = length + 256;
1628 pkt->data = sresize(pkt->data, pkt->maxlen + APIEXTRA, unsigned char);
1629 if (body) pkt->body = pkt->data + offset;
1632 static void ssh_pkt_adddata(struct Packet *pkt, void *data, int len)
1634 if (pkt->logmode != PKTLOG_EMIT) {
1636 pkt->blanks = sresize(pkt->blanks, pkt->nblanks, struct logblank_t);
1638 pkt->blanks[pkt->nblanks-1].offset = pkt->length -
1639 (pkt->body - pkt->data);
1640 pkt->blanks[pkt->nblanks-1].len = len;
1641 pkt->blanks[pkt->nblanks-1].type = pkt->logmode;
1644 ssh_pkt_ensure(pkt, pkt->length);
1645 memcpy(pkt->data + pkt->length - len, data, len);
1647 static void ssh_pkt_addbyte(struct Packet *pkt, unsigned char byte)
1649 ssh_pkt_adddata(pkt, &byte, 1);
1651 static void ssh2_pkt_addbool(struct Packet *pkt, unsigned char value)
1653 ssh_pkt_adddata(pkt, &value, 1);
1655 static void ssh_pkt_adduint32(struct Packet *pkt, unsigned long value)
1658 PUT_32BIT(x, value);
1659 ssh_pkt_adddata(pkt, x, 4);
1661 static void ssh_pkt_addstring_start(struct Packet *pkt)
1663 ssh_pkt_adduint32(pkt, 0);
1664 pkt->savedpos = pkt->length;
1666 static void ssh_pkt_addstring_str(struct Packet *pkt, char *data)
1668 ssh_pkt_adddata(pkt, data, strlen(data));
1669 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1671 static void ssh_pkt_addstring_data(struct Packet *pkt, char *data, int len)
1673 ssh_pkt_adddata(pkt, data, len);
1674 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1676 static void ssh_pkt_addstring(struct Packet *pkt, char *data)
1678 ssh_pkt_addstring_start(pkt);
1679 ssh_pkt_addstring_str(pkt, data);
1681 static void ssh1_pkt_addmp(struct Packet *pkt, Bignum b)
1683 int len = ssh1_bignum_length(b);
1684 unsigned char *data = snewn(len, unsigned char);
1685 (void) ssh1_write_bignum(data, b);
1686 ssh_pkt_adddata(pkt, data, len);
1689 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len)
1692 int i, n = (bignum_bitcount(b) + 7) / 8;
1693 p = snewn(n + 1, unsigned char);
1695 for (i = 1; i <= n; i++)
1696 p[i] = bignum_byte(b, n - i);
1698 while (i <= n && p[i] == 0 && (p[i + 1] & 0x80) == 0)
1700 memmove(p, p + i, n + 1 - i);
1704 static void ssh2_pkt_addmp(struct Packet *pkt, Bignum b)
1708 p = ssh2_mpint_fmt(b, &len);
1709 ssh_pkt_addstring_start(pkt);
1710 ssh_pkt_addstring_data(pkt, (char *)p, len);
1714 static struct Packet *ssh1_pkt_init(int pkt_type)
1716 struct Packet *pkt = ssh_new_packet();
1717 pkt->length = 4 + 8; /* space for length + max padding */
1718 ssh_pkt_addbyte(pkt, pkt_type);
1719 pkt->body = pkt->data + pkt->length;
1723 /* For legacy code (SSH-1 and -2 packet construction used to be separate) */
1724 #define ssh2_pkt_ensure(pkt, length) ssh_pkt_ensure(pkt, length)
1725 #define ssh2_pkt_adddata(pkt, data, len) ssh_pkt_adddata(pkt, data, len)
1726 #define ssh2_pkt_addbyte(pkt, byte) ssh_pkt_addbyte(pkt, byte)
1727 #define ssh2_pkt_adduint32(pkt, value) ssh_pkt_adduint32(pkt, value)
1728 #define ssh2_pkt_addstring_start(pkt) ssh_pkt_addstring_start(pkt)
1729 #define ssh2_pkt_addstring_str(pkt, data) ssh_pkt_addstring_str(pkt, data)
1730 #define ssh2_pkt_addstring_data(pkt, data, len) ssh_pkt_addstring_data(pkt, data, len)
1731 #define ssh2_pkt_addstring(pkt, data) ssh_pkt_addstring(pkt, data)
1733 static struct Packet *ssh2_pkt_init(int pkt_type)
1735 struct Packet *pkt = ssh_new_packet();
1736 pkt->length = 5; /* space for packet length + padding length */
1738 ssh_pkt_addbyte(pkt, (unsigned char) pkt_type);
1739 pkt->body = pkt->data + pkt->length; /* after packet type */
1744 * Construct an SSH-2 final-form packet: compress it, encrypt it,
1745 * put the MAC on it. Final packet, ready to be sent, is stored in
1746 * pkt->data. Total length is returned.
1748 static int ssh2_pkt_construct(Ssh ssh, struct Packet *pkt)
1750 int cipherblk, maclen, padding, i;
1753 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[5],
1754 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx, pkt->data[5]),
1755 pkt->body, pkt->length - (pkt->body - pkt->data),
1756 pkt->nblanks, pkt->blanks);
1757 sfree(pkt->blanks); pkt->blanks = NULL;
1761 * Compress packet payload.
1764 unsigned char *newpayload;
1767 ssh->cscomp->compress(ssh->cs_comp_ctx, pkt->data + 5,
1769 &newpayload, &newlen)) {
1771 ssh2_pkt_adddata(pkt, newpayload, newlen);
1777 * Add padding. At least four bytes, and must also bring total
1778 * length (minus MAC) up to a multiple of the block size.
1779 * If pkt->forcepad is set, make sure the packet is at least that size
1782 cipherblk = ssh->cscipher ? ssh->cscipher->blksize : 8; /* block size */
1783 cipherblk = cipherblk < 8 ? 8 : cipherblk; /* or 8 if blksize < 8 */
1785 if (pkt->length + padding < pkt->forcepad)
1786 padding = pkt->forcepad - pkt->length;
1788 (cipherblk - (pkt->length + padding) % cipherblk) % cipherblk;
1789 assert(padding <= 255);
1790 maclen = ssh->csmac ? ssh->csmac->len : 0;
1791 ssh2_pkt_ensure(pkt, pkt->length + padding + maclen);
1792 pkt->data[4] = padding;
1793 for (i = 0; i < padding; i++)
1794 pkt->data[pkt->length + i] = random_byte();
1795 PUT_32BIT(pkt->data, pkt->length + padding - 4);
1797 ssh->csmac->generate(ssh->cs_mac_ctx, pkt->data,
1798 pkt->length + padding,
1799 ssh->v2_outgoing_sequence);
1800 ssh->v2_outgoing_sequence++; /* whether or not we MACed */
1803 ssh->cscipher->encrypt(ssh->cs_cipher_ctx,
1804 pkt->data, pkt->length + padding);
1806 pkt->encrypted_len = pkt->length + padding;
1808 /* Ready-to-send packet starts at pkt->data. We return length. */
1809 return pkt->length + padding + maclen;
1813 * Routines called from the main SSH code to send packets. There
1814 * are quite a few of these, because we have two separate
1815 * mechanisms for delaying the sending of packets:
1817 * - In order to send an IGNORE message and a password message in
1818 * a single fixed-length blob, we require the ability to
1819 * concatenate the encrypted forms of those two packets _into_ a
1820 * single blob and then pass it to our <network.h> transport
1821 * layer in one go. Hence, there's a deferment mechanism which
1822 * works after packet encryption.
1824 * - In order to avoid sending any connection-layer messages
1825 * during repeat key exchange, we have to queue up any such
1826 * outgoing messages _before_ they are encrypted (and in
1827 * particular before they're allocated sequence numbers), and
1828 * then send them once we've finished.
1830 * I call these mechanisms `defer' and `queue' respectively, so as
1831 * to distinguish them reasonably easily.
1833 * The functions send_noqueue() and defer_noqueue() free the packet
1834 * structure they are passed. Every outgoing packet goes through
1835 * precisely one of these functions in its life; packets passed to
1836 * ssh2_pkt_send() or ssh2_pkt_defer() either go straight to one of
1837 * these or get queued, and then when the queue is later emptied
1838 * the packets are all passed to defer_noqueue().
1840 * When using a CBC-mode cipher, it's necessary to ensure that an
1841 * attacker can't provide data to be encrypted using an IV that they
1842 * know. We ensure this by prefixing each packet that might contain
1843 * user data with an SSH_MSG_IGNORE. This is done using the deferral
1844 * mechanism, so in this case send_noqueue() ends up redirecting to
1845 * defer_noqueue(). If you don't like this inefficiency, don't use
1849 static void ssh2_pkt_defer_noqueue(Ssh, struct Packet *, int);
1850 static void ssh_pkt_defersend(Ssh);
1853 * Send an SSH-2 packet immediately, without queuing or deferring.
1855 static void ssh2_pkt_send_noqueue(Ssh ssh, struct Packet *pkt)
1859 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC)) {
1860 /* We need to send two packets, so use the deferral mechanism. */
1861 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1862 ssh_pkt_defersend(ssh);
1865 len = ssh2_pkt_construct(ssh, pkt);
1866 backlog = s_write(ssh, pkt->data, len);
1867 if (backlog > SSH_MAX_BACKLOG)
1868 ssh_throttle_all(ssh, 1, backlog);
1870 ssh->outgoing_data_size += pkt->encrypted_len;
1871 if (!ssh->kex_in_progress &&
1872 ssh->max_data_size != 0 &&
1873 ssh->outgoing_data_size > ssh->max_data_size)
1874 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
1876 ssh_free_packet(pkt);
1880 * Defer an SSH-2 packet.
1882 static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt, int noignore)
1885 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC) &&
1886 ssh->deferred_len == 0 && !noignore) {
1888 * Interpose an SSH_MSG_IGNORE to ensure that user data don't
1889 * get encrypted with a known IV.
1891 struct Packet *ipkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
1892 ssh2_pkt_addstring_start(ipkt);
1893 ssh2_pkt_defer_noqueue(ssh, ipkt, TRUE);
1895 len = ssh2_pkt_construct(ssh, pkt);
1896 if (ssh->deferred_len + len > ssh->deferred_size) {
1897 ssh->deferred_size = ssh->deferred_len + len + 128;
1898 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1902 memcpy(ssh->deferred_send_data + ssh->deferred_len, pkt->data, len);
1903 ssh->deferred_len += len;
1904 ssh->deferred_data_size += pkt->encrypted_len;
1905 ssh_free_packet(pkt);
1909 * Queue an SSH-2 packet.
1911 static void ssh2_pkt_queue(Ssh ssh, struct Packet *pkt)
1913 assert(ssh->queueing);
1915 if (ssh->queuelen >= ssh->queuesize) {
1916 ssh->queuesize = ssh->queuelen + 32;
1917 ssh->queue = sresize(ssh->queue, ssh->queuesize, struct Packet *);
1920 ssh->queue[ssh->queuelen++] = pkt;
1924 * Either queue or send a packet, depending on whether queueing is
1927 static void ssh2_pkt_send(Ssh ssh, struct Packet *pkt)
1930 ssh2_pkt_queue(ssh, pkt);
1932 ssh2_pkt_send_noqueue(ssh, pkt);
1936 * Either queue or defer a packet, depending on whether queueing is
1939 static void ssh2_pkt_defer(Ssh ssh, struct Packet *pkt)
1942 ssh2_pkt_queue(ssh, pkt);
1944 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1948 * Send the whole deferred data block constructed by
1949 * ssh2_pkt_defer() or SSH-1's defer_packet().
1951 * The expected use of the defer mechanism is that you call
1952 * ssh2_pkt_defer() a few times, then call ssh_pkt_defersend(). If
1953 * not currently queueing, this simply sets up deferred_send_data
1954 * and then sends it. If we _are_ currently queueing, the calls to
1955 * ssh2_pkt_defer() put the deferred packets on to the queue
1956 * instead, and therefore ssh_pkt_defersend() has no deferred data
1957 * to send. Hence, there's no need to make it conditional on
1960 static void ssh_pkt_defersend(Ssh ssh)
1963 backlog = s_write(ssh, ssh->deferred_send_data, ssh->deferred_len);
1964 ssh->deferred_len = ssh->deferred_size = 0;
1965 sfree(ssh->deferred_send_data);
1966 ssh->deferred_send_data = NULL;
1967 if (backlog > SSH_MAX_BACKLOG)
1968 ssh_throttle_all(ssh, 1, backlog);
1970 ssh->outgoing_data_size += ssh->deferred_data_size;
1971 if (!ssh->kex_in_progress &&
1972 ssh->max_data_size != 0 &&
1973 ssh->outgoing_data_size > ssh->max_data_size)
1974 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
1975 ssh->deferred_data_size = 0;
1979 * Send a packet whose length needs to be disguised (typically
1980 * passwords or keyboard-interactive responses).
1982 static void ssh2_pkt_send_with_padding(Ssh ssh, struct Packet *pkt,
1988 * The simplest way to do this is to adjust the
1989 * variable-length padding field in the outgoing packet.
1991 * Currently compiled out, because some Cisco SSH servers
1992 * don't like excessively padded packets (bah, why's it
1995 pkt->forcepad = padsize;
1996 ssh2_pkt_send(ssh, pkt);
2001 * If we can't do that, however, an alternative approach is
2002 * to use the pkt_defer mechanism to bundle the packet
2003 * tightly together with an SSH_MSG_IGNORE such that their
2004 * combined length is a constant. So first we construct the
2005 * final form of this packet and defer its sending.
2007 ssh2_pkt_defer(ssh, pkt);
2010 * Now construct an SSH_MSG_IGNORE which includes a string
2011 * that's an exact multiple of the cipher block size. (If
2012 * the cipher is NULL so that the block size is
2013 * unavailable, we don't do this trick at all, because we
2014 * gain nothing by it.)
2016 if (ssh->cscipher) {
2019 stringlen = (256 - ssh->deferred_len);
2020 stringlen += ssh->cscipher->blksize - 1;
2021 stringlen -= (stringlen % ssh->cscipher->blksize);
2024 * Temporarily disable actual compression, so we
2025 * can guarantee to get this string exactly the
2026 * length we want it. The compression-disabling
2027 * routine should return an integer indicating how
2028 * many bytes we should adjust our string length
2032 ssh->cscomp->disable_compression(ssh->cs_comp_ctx);
2034 pkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
2035 ssh2_pkt_addstring_start(pkt);
2036 for (i = 0; i < stringlen; i++) {
2037 char c = (char) random_byte();
2038 ssh2_pkt_addstring_data(pkt, &c, 1);
2040 ssh2_pkt_defer(ssh, pkt);
2042 ssh_pkt_defersend(ssh);
2047 * Send all queued SSH-2 packets. We send them by means of
2048 * ssh2_pkt_defer_noqueue(), in case they included a pair of
2049 * packets that needed to be lumped together.
2051 static void ssh2_pkt_queuesend(Ssh ssh)
2055 assert(!ssh->queueing);
2057 for (i = 0; i < ssh->queuelen; i++)
2058 ssh2_pkt_defer_noqueue(ssh, ssh->queue[i], FALSE);
2061 ssh_pkt_defersend(ssh);
2065 void bndebug(char *string, Bignum b)
2069 p = ssh2_mpint_fmt(b, &len);
2070 debug(("%s", string));
2071 for (i = 0; i < len; i++)
2072 debug((" %02x", p[i]));
2078 static void hash_mpint(const struct ssh_hash *h, void *s, Bignum b)
2082 p = ssh2_mpint_fmt(b, &len);
2083 hash_string(h, s, p, len);
2088 * Packet decode functions for both SSH-1 and SSH-2.
2090 static unsigned long ssh_pkt_getuint32(struct Packet *pkt)
2092 unsigned long value;
2093 if (pkt->length - pkt->savedpos < 4)
2094 return 0; /* arrgh, no way to decline (FIXME?) */
2095 value = GET_32BIT(pkt->body + pkt->savedpos);
2099 static int ssh2_pkt_getbool(struct Packet *pkt)
2101 unsigned long value;
2102 if (pkt->length - pkt->savedpos < 1)
2103 return 0; /* arrgh, no way to decline (FIXME?) */
2104 value = pkt->body[pkt->savedpos] != 0;
2108 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length)
2113 if (pkt->length - pkt->savedpos < 4)
2115 len = GET_32BIT(pkt->body + pkt->savedpos);
2120 if (pkt->length - pkt->savedpos < *length)
2122 *p = (char *)(pkt->body + pkt->savedpos);
2123 pkt->savedpos += *length;
2125 static void *ssh_pkt_getdata(struct Packet *pkt, int length)
2127 if (pkt->length - pkt->savedpos < length)
2129 pkt->savedpos += length;
2130 return pkt->body + (pkt->savedpos - length);
2132 static int ssh1_pkt_getrsakey(struct Packet *pkt, struct RSAKey *key,
2133 unsigned char **keystr)
2137 j = makekey(pkt->body + pkt->savedpos,
2138 pkt->length - pkt->savedpos,
2145 assert(pkt->savedpos < pkt->length);
2149 static Bignum ssh1_pkt_getmp(struct Packet *pkt)
2154 j = ssh1_read_bignum(pkt->body + pkt->savedpos,
2155 pkt->length - pkt->savedpos, &b);
2163 static Bignum ssh2_pkt_getmp(struct Packet *pkt)
2169 ssh_pkt_getstring(pkt, &p, &length);
2174 b = bignum_from_bytes((unsigned char *)p, length);
2179 * Helper function to add an SSH-2 signature blob to a packet.
2180 * Expects to be shown the public key blob as well as the signature
2181 * blob. Normally works just like ssh2_pkt_addstring, but will
2182 * fiddle with the signature packet if necessary for
2183 * BUG_SSH2_RSA_PADDING.
2185 static void ssh2_add_sigblob(Ssh ssh, struct Packet *pkt,
2186 void *pkblob_v, int pkblob_len,
2187 void *sigblob_v, int sigblob_len)
2189 unsigned char *pkblob = (unsigned char *)pkblob_v;
2190 unsigned char *sigblob = (unsigned char *)sigblob_v;
2192 /* dmemdump(pkblob, pkblob_len); */
2193 /* dmemdump(sigblob, sigblob_len); */
2196 * See if this is in fact an ssh-rsa signature and a buggy
2197 * server; otherwise we can just do this the easy way.
2199 if ((ssh->remote_bugs & BUG_SSH2_RSA_PADDING) &&
2200 (GET_32BIT(pkblob) == 7 && !memcmp(pkblob+4, "ssh-rsa", 7))) {
2201 int pos, len, siglen;
2204 * Find the byte length of the modulus.
2207 pos = 4+7; /* skip over "ssh-rsa" */
2208 pos += 4 + GET_32BIT(pkblob+pos); /* skip over exponent */
2209 len = GET_32BIT(pkblob+pos); /* find length of modulus */
2210 pos += 4; /* find modulus itself */
2211 while (len > 0 && pkblob[pos] == 0)
2213 /* debug(("modulus length is %d\n", len)); */
2216 * Now find the signature integer.
2218 pos = 4+7; /* skip over "ssh-rsa" */
2219 siglen = GET_32BIT(sigblob+pos);
2220 /* debug(("signature length is %d\n", siglen)); */
2222 if (len != siglen) {
2223 unsigned char newlen[4];
2224 ssh2_pkt_addstring_start(pkt);
2225 ssh2_pkt_addstring_data(pkt, (char *)sigblob, pos);
2226 /* dmemdump(sigblob, pos); */
2227 pos += 4; /* point to start of actual sig */
2228 PUT_32BIT(newlen, len);
2229 ssh2_pkt_addstring_data(pkt, (char *)newlen, 4);
2230 /* dmemdump(newlen, 4); */
2232 while (len-- > siglen) {
2233 ssh2_pkt_addstring_data(pkt, (char *)newlen, 1);
2234 /* dmemdump(newlen, 1); */
2236 ssh2_pkt_addstring_data(pkt, (char *)(sigblob+pos), siglen);
2237 /* dmemdump(sigblob+pos, siglen); */
2241 /* Otherwise fall through and do it the easy way. */
2244 ssh2_pkt_addstring_start(pkt);
2245 ssh2_pkt_addstring_data(pkt, (char *)sigblob, sigblob_len);
2249 * Examine the remote side's version string and compare it against
2250 * a list of known buggy implementations.
2252 static void ssh_detect_bugs(Ssh ssh, char *vstring)
2254 char *imp; /* pointer to implementation part */
2256 imp += strcspn(imp, "-");
2258 imp += strcspn(imp, "-");
2261 ssh->remote_bugs = 0;
2264 * General notes on server version strings:
2265 * - Not all servers reporting "Cisco-1.25" have all the bugs listed
2266 * here -- in particular, we've heard of one that's perfectly happy
2267 * with SSH1_MSG_IGNOREs -- but this string never seems to change,
2268 * so we can't distinguish them.
2270 if (ssh->cfg.sshbug_ignore1 == FORCE_ON ||
2271 (ssh->cfg.sshbug_ignore1 == AUTO &&
2272 (!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
2273 !strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
2274 !strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
2275 !strcmp(imp, "OSU_1.4alpha3") || !strcmp(imp, "OSU_1.5alpha4")))) {
2277 * These versions don't support SSH1_MSG_IGNORE, so we have
2278 * to use a different defence against password length
2281 ssh->remote_bugs |= BUG_CHOKES_ON_SSH1_IGNORE;
2282 logevent("We believe remote version has SSH-1 ignore bug");
2285 if (ssh->cfg.sshbug_plainpw1 == FORCE_ON ||
2286 (ssh->cfg.sshbug_plainpw1 == AUTO &&
2287 (!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
2289 * These versions need a plain password sent; they can't
2290 * handle having a null and a random length of data after
2293 ssh->remote_bugs |= BUG_NEEDS_SSH1_PLAIN_PASSWORD;
2294 logevent("We believe remote version needs a plain SSH-1 password");
2297 if (ssh->cfg.sshbug_rsa1 == FORCE_ON ||
2298 (ssh->cfg.sshbug_rsa1 == AUTO &&
2299 (!strcmp(imp, "Cisco-1.25")))) {
2301 * These versions apparently have no clue whatever about
2302 * RSA authentication and will panic and die if they see
2303 * an AUTH_RSA message.
2305 ssh->remote_bugs |= BUG_CHOKES_ON_RSA;
2306 logevent("We believe remote version can't handle SSH-1 RSA authentication");
2309 if (ssh->cfg.sshbug_hmac2 == FORCE_ON ||
2310 (ssh->cfg.sshbug_hmac2 == AUTO &&
2311 !wc_match("* VShell", imp) &&
2312 (wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
2313 wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
2314 wc_match("2.1 *", imp)))) {
2316 * These versions have the HMAC bug.
2318 ssh->remote_bugs |= BUG_SSH2_HMAC;
2319 logevent("We believe remote version has SSH-2 HMAC bug");
2322 if (ssh->cfg.sshbug_derivekey2 == FORCE_ON ||
2323 (ssh->cfg.sshbug_derivekey2 == AUTO &&
2324 !wc_match("* VShell", imp) &&
2325 (wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
2327 * These versions have the key-derivation bug (failing to
2328 * include the literal shared secret in the hashes that
2329 * generate the keys).
2331 ssh->remote_bugs |= BUG_SSH2_DERIVEKEY;
2332 logevent("We believe remote version has SSH-2 key-derivation bug");
2335 if (ssh->cfg.sshbug_rsapad2 == FORCE_ON ||
2336 (ssh->cfg.sshbug_rsapad2 == AUTO &&
2337 (wc_match("OpenSSH_2.[5-9]*", imp) ||
2338 wc_match("OpenSSH_3.[0-2]*", imp)))) {
2340 * These versions have the SSH-2 RSA padding bug.
2342 ssh->remote_bugs |= BUG_SSH2_RSA_PADDING;
2343 logevent("We believe remote version has SSH-2 RSA padding bug");
2346 if (ssh->cfg.sshbug_pksessid2 == FORCE_ON ||
2347 (ssh->cfg.sshbug_pksessid2 == AUTO &&
2348 wc_match("OpenSSH_2.[0-2]*", imp))) {
2350 * These versions have the SSH-2 session-ID bug in
2351 * public-key authentication.
2353 ssh->remote_bugs |= BUG_SSH2_PK_SESSIONID;
2354 logevent("We believe remote version has SSH-2 public-key-session-ID bug");
2357 if (ssh->cfg.sshbug_rekey2 == FORCE_ON ||
2358 (ssh->cfg.sshbug_rekey2 == AUTO &&
2359 (wc_match("DigiSSH_2.0", imp) ||
2360 wc_match("OpenSSH_2.[0-4]*", imp) ||
2361 wc_match("OpenSSH_2.5.[0-3]*", imp) ||
2362 wc_match("Sun_SSH_1.0", imp) ||
2363 wc_match("Sun_SSH_1.0.1", imp) ||
2364 /* All versions <= 1.2.6 (they changed their format in 1.2.7) */
2365 wc_match("WeOnlyDo-*", imp)))) {
2367 * These versions have the SSH-2 rekey bug.
2369 ssh->remote_bugs |= BUG_SSH2_REKEY;
2370 logevent("We believe remote version has SSH-2 rekey bug");
2375 * The `software version' part of an SSH version string is required
2376 * to contain no spaces or minus signs.
2378 static void ssh_fix_verstring(char *str)
2380 /* Eat "SSH-<protoversion>-". */
2381 assert(*str == 'S'); str++;
2382 assert(*str == 'S'); str++;
2383 assert(*str == 'H'); str++;
2384 assert(*str == '-'); str++;
2385 while (*str && *str != '-') str++;
2386 assert(*str == '-'); str++;
2388 /* Convert minus signs and spaces in the remaining string into
2391 if (*str == '-' || *str == ' ')
2398 * Send an appropriate SSH version string.
2400 static void ssh_send_verstring(Ssh ssh, char *svers)
2404 if (ssh->version == 2) {
2406 * Construct a v2 version string.
2408 verstring = dupprintf("SSH-2.0-%s\015\012", sshver);
2411 * Construct a v1 version string.
2413 verstring = dupprintf("SSH-%s-%s\012",
2414 (ssh_versioncmp(svers, "1.5") <= 0 ?
2419 ssh_fix_verstring(verstring);
2421 if (ssh->version == 2) {
2424 * Record our version string.
2426 len = strcspn(verstring, "\015\012");
2427 ssh->v_c = snewn(len + 1, char);
2428 memcpy(ssh->v_c, verstring, len);
2432 logeventf(ssh, "We claim version: %.*s",
2433 strcspn(verstring, "\015\012"), verstring);
2434 s_write(ssh, verstring, strlen(verstring));
2438 static int do_ssh_init(Ssh ssh, unsigned char c)
2440 struct do_ssh_init_state {
2448 crState(do_ssh_init_state);
2450 crBegin(ssh->do_ssh_init_crstate);
2452 /* Search for a line beginning with the string "SSH-" in the input. */
2454 if (c != 'S') goto no;
2456 if (c != 'S') goto no;
2458 if (c != 'H') goto no;
2460 if (c != '-') goto no;
2469 s->vstring = snewn(s->vstrsize, char);
2470 strcpy(s->vstring, "SSH-");
2474 crReturn(1); /* get another char */
2475 if (s->vslen >= s->vstrsize - 1) {
2477 s->vstring = sresize(s->vstring, s->vstrsize, char);
2479 s->vstring[s->vslen++] = c;
2482 s->version[s->i] = '\0';
2484 } else if (s->i < sizeof(s->version) - 1)
2485 s->version[s->i++] = c;
2486 } else if (c == '\012')
2490 ssh->agentfwd_enabled = FALSE;
2491 ssh->rdpkt2_state.incoming_sequence = 0;
2493 s->vstring[s->vslen] = 0;
2494 s->vstring[strcspn(s->vstring, "\015\012")] = '\0';/* remove EOL chars */
2495 logeventf(ssh, "Server version: %s", s->vstring);
2496 ssh_detect_bugs(ssh, s->vstring);
2499 * Decide which SSH protocol version to support.
2502 /* Anything strictly below "2.0" means protocol 1 is supported. */
2503 s->proto1 = ssh_versioncmp(s->version, "2.0") < 0;
2504 /* Anything greater or equal to "1.99" means protocol 2 is supported. */
2505 s->proto2 = ssh_versioncmp(s->version, "1.99") >= 0;
2507 if (ssh->cfg.sshprot == 0 && !s->proto1) {
2508 bombout(("SSH protocol version 1 required by user but not provided by server"));
2511 if (ssh->cfg.sshprot == 3 && !s->proto2) {
2512 bombout(("SSH protocol version 2 required by user but not provided by server"));
2516 if (s->proto2 && (ssh->cfg.sshprot >= 2 || !s->proto1))
2521 logeventf(ssh, "Using SSH protocol version %d", ssh->version);
2523 /* Send the version string, if we haven't already */
2524 if (ssh->cfg.sshprot != 3)
2525 ssh_send_verstring(ssh, s->version);
2527 if (ssh->version == 2) {
2530 * Record their version string.
2532 len = strcspn(s->vstring, "\015\012");
2533 ssh->v_s = snewn(len + 1, char);
2534 memcpy(ssh->v_s, s->vstring, len);
2538 * Initialise SSH-2 protocol.
2540 ssh->protocol = ssh2_protocol;
2541 ssh2_protocol_setup(ssh);
2542 ssh->s_rdpkt = ssh2_rdpkt;
2545 * Initialise SSH-1 protocol.
2547 ssh->protocol = ssh1_protocol;
2548 ssh1_protocol_setup(ssh);
2549 ssh->s_rdpkt = ssh1_rdpkt;
2551 if (ssh->version == 2)
2552 do_ssh2_transport(ssh, NULL, -1, NULL);
2554 update_specials_menu(ssh->frontend);
2555 ssh->state = SSH_STATE_BEFORE_SIZE;
2556 ssh->pinger = pinger_new(&ssh->cfg, &ssh_backend, ssh);
2563 static void ssh_process_incoming_data(Ssh ssh,
2564 unsigned char **data, int *datalen)
2566 struct Packet *pktin;
2568 pktin = ssh->s_rdpkt(ssh, data, datalen);
2570 ssh->protocol(ssh, NULL, 0, pktin);
2571 ssh_free_packet(pktin);
2575 static void ssh_queue_incoming_data(Ssh ssh,
2576 unsigned char **data, int *datalen)
2578 bufchain_add(&ssh->queued_incoming_data, *data, *datalen);
2583 static void ssh_process_queued_incoming_data(Ssh ssh)
2586 unsigned char *data;
2589 while (!ssh->frozen && bufchain_size(&ssh->queued_incoming_data)) {
2590 bufchain_prefix(&ssh->queued_incoming_data, &vdata, &len);
2594 while (!ssh->frozen && len > 0)
2595 ssh_process_incoming_data(ssh, &data, &len);
2598 bufchain_consume(&ssh->queued_incoming_data, origlen - len);
2602 static void ssh_set_frozen(Ssh ssh, int frozen)
2605 sk_set_frozen(ssh->s, frozen);
2606 ssh->frozen = frozen;
2609 static void ssh_gotdata(Ssh ssh, unsigned char *data, int datalen)
2611 /* Log raw data, if we're in that mode. */
2613 log_packet(ssh->logctx, PKT_INCOMING, -1, NULL, data, datalen,
2616 crBegin(ssh->ssh_gotdata_crstate);
2619 * To begin with, feed the characters one by one to the
2620 * protocol initialisation / selection function do_ssh_init().
2621 * When that returns 0, we're done with the initial greeting
2622 * exchange and can move on to packet discipline.
2625 int ret; /* need not be kept across crReturn */
2627 crReturnV; /* more data please */
2628 ret = do_ssh_init(ssh, *data);
2636 * We emerge from that loop when the initial negotiation is
2637 * over and we have selected an s_rdpkt function. Now pass
2638 * everything to s_rdpkt, and then pass the resulting packets
2639 * to the proper protocol handler.
2643 while (bufchain_size(&ssh->queued_incoming_data) > 0 || datalen > 0) {
2645 ssh_queue_incoming_data(ssh, &data, &datalen);
2646 /* This uses up all data and cannot cause anything interesting
2647 * to happen; indeed, for anything to happen at all, we must
2648 * return, so break out. */
2650 } else if (bufchain_size(&ssh->queued_incoming_data) > 0) {
2651 /* This uses up some or all data, and may freeze the
2653 ssh_process_queued_incoming_data(ssh);
2655 /* This uses up some or all data, and may freeze the
2657 ssh_process_incoming_data(ssh, &data, &datalen);
2659 /* FIXME this is probably EBW. */
2660 if (ssh->state == SSH_STATE_CLOSED)
2663 /* We're out of data. Go and get some more. */
2669 static int ssh_do_close(Ssh ssh, int notify_exit)
2672 struct ssh_channel *c;
2674 ssh->state = SSH_STATE_CLOSED;
2675 expire_timer_context(ssh);
2680 notify_remote_exit(ssh->frontend);
2685 * Now we must shut down any port- and X-forwarded channels going
2686 * through this connection.
2688 if (ssh->channels) {
2689 while (NULL != (c = index234(ssh->channels, 0))) {
2692 x11_close(c->u.x11.s);
2695 pfd_close(c->u.pfd.s);
2698 del234(ssh->channels, c); /* moving next one to index 0 */
2699 if (ssh->version == 2)
2700 bufchain_clear(&c->v.v2.outbuffer);
2705 * Go through port-forwardings, and close any associated
2706 * listening sockets.
2708 if (ssh->portfwds) {
2709 struct ssh_portfwd *pf;
2710 while (NULL != (pf = index234(ssh->portfwds, 0))) {
2711 /* Dispose of any listening socket. */
2713 pfd_terminate(pf->local);
2714 del234(ssh->portfwds, pf); /* moving next one to index 0 */
2722 static void ssh_log(Plug plug, int type, SockAddr addr, int port,
2723 const char *error_msg, int error_code)
2725 Ssh ssh = (Ssh) plug;
2726 char addrbuf[256], *msg;
2728 sk_getaddr(addr, addrbuf, lenof(addrbuf));
2731 msg = dupprintf("Connecting to %s port %d", addrbuf, port);
2733 msg = dupprintf("Failed to connect to %s: %s", addrbuf, error_msg);
2739 static int ssh_closing(Plug plug, const char *error_msg, int error_code,
2742 Ssh ssh = (Ssh) plug;
2743 int need_notify = ssh_do_close(ssh, FALSE);
2746 if (!ssh->close_expected)
2747 error_msg = "Server unexpectedly closed network connection";
2749 error_msg = "Server closed network connection";
2752 if (ssh->close_expected && ssh->clean_exit && ssh->exitcode < 0)
2756 notify_remote_exit(ssh->frontend);
2759 logevent(error_msg);
2760 if (!ssh->close_expected || !ssh->clean_exit)
2761 connection_fatal(ssh->frontend, "%s", error_msg);
2765 static int ssh_receive(Plug plug, int urgent, char *data, int len)
2767 Ssh ssh = (Ssh) plug;
2768 ssh_gotdata(ssh, (unsigned char *)data, len);
2769 if (ssh->state == SSH_STATE_CLOSED) {
2770 ssh_do_close(ssh, TRUE);
2776 static void ssh_sent(Plug plug, int bufsize)
2778 Ssh ssh = (Ssh) plug;
2780 * If the send backlog on the SSH socket itself clears, we
2781 * should unthrottle the whole world if it was throttled.
2783 if (bufsize < SSH_MAX_BACKLOG)
2784 ssh_throttle_all(ssh, 0, bufsize);
2788 * Connect to specified host and port.
2789 * Returns an error message, or NULL on success.
2790 * Also places the canonical host name into `realhost'. It must be
2791 * freed by the caller.
2793 static const char *connect_to_host(Ssh ssh, char *host, int port,
2794 char **realhost, int nodelay, int keepalive)
2796 static const struct plug_function_table fn_table = {
2807 ssh->savedhost = snewn(1 + strlen(host), char);
2808 strcpy(ssh->savedhost, host);
2811 port = 22; /* default ssh port */
2812 ssh->savedport = port;
2817 logeventf(ssh, "Looking up host \"%s\"%s", host,
2818 (ssh->cfg.addressfamily == ADDRTYPE_IPV4 ? " (IPv4)" :
2819 (ssh->cfg.addressfamily == ADDRTYPE_IPV6 ? " (IPv6)" : "")));
2820 addr = name_lookup(host, port, realhost, &ssh->cfg,
2821 ssh->cfg.addressfamily);
2822 if ((err = sk_addr_error(addr)) != NULL) {
2830 ssh->fn = &fn_table;
2831 ssh->s = new_connection(addr, *realhost, port,
2832 0, 1, nodelay, keepalive, (Plug) ssh, &ssh->cfg);
2833 if ((err = sk_socket_error(ssh->s)) != NULL) {
2835 notify_remote_exit(ssh->frontend);
2840 * If the SSH version number's fixed, set it now, and if it's SSH-2,
2841 * send the version string too.
2843 if (ssh->cfg.sshprot == 0)
2845 if (ssh->cfg.sshprot == 3) {
2847 ssh_send_verstring(ssh, NULL);
2854 * Throttle or unthrottle the SSH connection.
2856 static void ssh1_throttle(Ssh ssh, int adjust)
2858 int old_count = ssh->v1_throttle_count;
2859 ssh->v1_throttle_count += adjust;
2860 assert(ssh->v1_throttle_count >= 0);
2861 if (ssh->v1_throttle_count && !old_count) {
2862 ssh_set_frozen(ssh, 1);
2863 } else if (!ssh->v1_throttle_count && old_count) {
2864 ssh_set_frozen(ssh, 0);
2869 * Throttle or unthrottle _all_ local data streams (for when sends
2870 * on the SSH connection itself back up).
2872 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize)
2875 struct ssh_channel *c;
2877 if (enable == ssh->throttled_all)
2879 ssh->throttled_all = enable;
2880 ssh->overall_bufsize = bufsize;
2883 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++) {
2885 case CHAN_MAINSESSION:
2887 * This is treated separately, outside the switch.
2891 x11_override_throttle(c->u.x11.s, enable);
2894 /* Agent channels require no buffer management. */
2897 pfd_override_throttle(c->u.pfd.s, enable);
2903 static void ssh_agent_callback(void *sshv, void *reply, int replylen)
2905 Ssh ssh = (Ssh) sshv;
2907 ssh->agent_response = reply;
2908 ssh->agent_response_len = replylen;
2910 if (ssh->version == 1)
2911 do_ssh1_login(ssh, NULL, -1, NULL);
2913 do_ssh2_authconn(ssh, NULL, -1, NULL);
2916 static void ssh_dialog_callback(void *sshv, int ret)
2918 Ssh ssh = (Ssh) sshv;
2920 ssh->user_response = ret;
2922 if (ssh->version == 1)
2923 do_ssh1_login(ssh, NULL, -1, NULL);
2925 do_ssh2_transport(ssh, NULL, -1, NULL);
2928 * This may have unfrozen the SSH connection, so do a
2931 ssh_process_queued_incoming_data(ssh);
2934 static void ssh_agentf_callback(void *cv, void *reply, int replylen)
2936 struct ssh_channel *c = (struct ssh_channel *)cv;
2938 void *sentreply = reply;
2941 /* Fake SSH_AGENT_FAILURE. */
2942 sentreply = "\0\0\0\1\5";
2945 if (ssh->version == 2) {
2946 ssh2_add_channel_data(c, sentreply, replylen);
2949 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
2950 PKT_INT, c->remoteid,
2953 PKT_DATA, sentreply, replylen,
2962 * Client-initiated disconnection. Send a DISCONNECT if `wire_reason'
2963 * non-NULL, otherwise just close the connection. `client_reason' == NULL
2964 * => log `wire_reason'.
2966 static void ssh_disconnect(Ssh ssh, char *client_reason, char *wire_reason,
2967 int code, int clean_exit)
2971 client_reason = wire_reason;
2973 error = dupprintf("Disconnected: %s", client_reason);
2975 error = dupstr("Disconnected");
2977 if (ssh->version == 1) {
2978 send_packet(ssh, SSH1_MSG_DISCONNECT, PKT_STR, wire_reason,
2980 } else if (ssh->version == 2) {
2981 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_DISCONNECT);
2982 ssh2_pkt_adduint32(pktout, code);
2983 ssh2_pkt_addstring(pktout, wire_reason);
2984 ssh2_pkt_addstring(pktout, "en"); /* language tag */
2985 ssh2_pkt_send_noqueue(ssh, pktout);
2988 ssh->close_expected = TRUE;
2989 ssh->clean_exit = clean_exit;
2990 ssh_closing((Plug)ssh, error, 0, 0);
2995 * Handle the key exchange and user authentication phases.
2997 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
2998 struct Packet *pktin)
3001 unsigned char cookie[8], *ptr;
3002 struct RSAKey servkey, hostkey;
3003 struct MD5Context md5c;
3004 struct do_ssh1_login_state {
3006 unsigned char *rsabuf, *keystr1, *keystr2;
3007 unsigned long supported_ciphers_mask, supported_auths_mask;
3008 int tried_publickey, tried_agent;
3009 int tis_auth_refused, ccard_auth_refused;
3010 unsigned char session_id[16];
3013 void *publickey_blob;
3014 int publickey_bloblen;
3015 char *publickey_comment;
3016 int publickey_encrypted;
3017 prompts_t *cur_prompt;
3020 unsigned char request[5], *response, *p;
3030 crState(do_ssh1_login_state);
3032 crBegin(ssh->do_ssh1_login_crstate);
3037 if (pktin->type != SSH1_SMSG_PUBLIC_KEY) {
3038 bombout(("Public key packet not received"));
3042 logevent("Received public keys");
3044 ptr = ssh_pkt_getdata(pktin, 8);
3046 bombout(("SSH-1 public key packet stopped before random cookie"));
3049 memcpy(cookie, ptr, 8);
3051 if (!ssh1_pkt_getrsakey(pktin, &servkey, &s->keystr1) ||
3052 !ssh1_pkt_getrsakey(pktin, &hostkey, &s->keystr2)) {
3053 bombout(("Failed to read SSH-1 public keys from public key packet"));
3058 * Log the host key fingerprint.
3062 logevent("Host key fingerprint is:");
3063 strcpy(logmsg, " ");
3064 hostkey.comment = NULL;
3065 rsa_fingerprint(logmsg + strlen(logmsg),
3066 sizeof(logmsg) - strlen(logmsg), &hostkey);
3070 ssh->v1_remote_protoflags = ssh_pkt_getuint32(pktin);
3071 s->supported_ciphers_mask = ssh_pkt_getuint32(pktin);
3072 s->supported_auths_mask = ssh_pkt_getuint32(pktin);
3073 if ((ssh->remote_bugs & BUG_CHOKES_ON_RSA))
3074 s->supported_auths_mask &= ~(1 << SSH1_AUTH_RSA);
3076 ssh->v1_local_protoflags =
3077 ssh->v1_remote_protoflags & SSH1_PROTOFLAGS_SUPPORTED;
3078 ssh->v1_local_protoflags |= SSH1_PROTOFLAG_SCREEN_NUMBER;
3081 MD5Update(&md5c, s->keystr2, hostkey.bytes);
3082 MD5Update(&md5c, s->keystr1, servkey.bytes);
3083 MD5Update(&md5c, cookie, 8);
3084 MD5Final(s->session_id, &md5c);
3086 for (i = 0; i < 32; i++)
3087 ssh->session_key[i] = random_byte();
3090 * Verify that the `bits' and `bytes' parameters match.
3092 if (hostkey.bits > hostkey.bytes * 8 ||
3093 servkey.bits > servkey.bytes * 8) {
3094 bombout(("SSH-1 public keys were badly formatted"));
3098 s->len = (hostkey.bytes > servkey.bytes ? hostkey.bytes : servkey.bytes);
3100 s->rsabuf = snewn(s->len, unsigned char);
3103 * Verify the host key.
3107 * First format the key into a string.
3109 int len = rsastr_len(&hostkey);
3110 char fingerprint[100];
3111 char *keystr = snewn(len, char);
3112 rsastr_fmt(keystr, &hostkey);
3113 rsa_fingerprint(fingerprint, sizeof(fingerprint), &hostkey);
3115 ssh_set_frozen(ssh, 1);
3116 s->dlgret = verify_ssh_host_key(ssh->frontend,
3117 ssh->savedhost, ssh->savedport,
3118 "rsa", keystr, fingerprint,
3119 ssh_dialog_callback, ssh);
3121 if (s->dlgret < 0) {
3125 bombout(("Unexpected data from server while waiting"
3126 " for user host key response"));
3129 } while (pktin || inlen > 0);
3130 s->dlgret = ssh->user_response;
3132 ssh_set_frozen(ssh, 0);
3134 if (s->dlgret == 0) {
3135 ssh_disconnect(ssh, "User aborted at host key verification",
3141 for (i = 0; i < 32; i++) {
3142 s->rsabuf[i] = ssh->session_key[i];
3144 s->rsabuf[i] ^= s->session_id[i];
3147 if (hostkey.bytes > servkey.bytes) {
3148 ret = rsaencrypt(s->rsabuf, 32, &servkey);
3150 ret = rsaencrypt(s->rsabuf, servkey.bytes, &hostkey);
3152 ret = rsaencrypt(s->rsabuf, 32, &hostkey);
3154 ret = rsaencrypt(s->rsabuf, hostkey.bytes, &servkey);
3157 bombout(("SSH-1 public key encryptions failed due to bad formatting"));
3161 logevent("Encrypted session key");
3164 int cipher_chosen = 0, warn = 0;
3165 char *cipher_string = NULL;
3167 for (i = 0; !cipher_chosen && i < CIPHER_MAX; i++) {
3168 int next_cipher = ssh->cfg.ssh_cipherlist[i];
3169 if (next_cipher == CIPHER_WARN) {
3170 /* If/when we choose a cipher, warn about it */
3172 } else if (next_cipher == CIPHER_AES) {
3173 /* XXX Probably don't need to mention this. */
3174 logevent("AES not supported in SSH-1, skipping");
3176 switch (next_cipher) {
3177 case CIPHER_3DES: s->cipher_type = SSH_CIPHER_3DES;
3178 cipher_string = "3DES"; break;
3179 case CIPHER_BLOWFISH: s->cipher_type = SSH_CIPHER_BLOWFISH;
3180 cipher_string = "Blowfish"; break;
3181 case CIPHER_DES: s->cipher_type = SSH_CIPHER_DES;
3182 cipher_string = "single-DES"; break;
3184 if (s->supported_ciphers_mask & (1 << s->cipher_type))
3188 if (!cipher_chosen) {
3189 if ((s->supported_ciphers_mask & (1 << SSH_CIPHER_3DES)) == 0)
3190 bombout(("Server violates SSH-1 protocol by not "
3191 "supporting 3DES encryption"));
3193 /* shouldn't happen */
3194 bombout(("No supported ciphers found"));
3198 /* Warn about chosen cipher if necessary. */
3200 ssh_set_frozen(ssh, 1);
3201 s->dlgret = askalg(ssh->frontend, "cipher", cipher_string,
3202 ssh_dialog_callback, ssh);
3203 if (s->dlgret < 0) {
3207 bombout(("Unexpected data from server while waiting"
3208 " for user response"));
3211 } while (pktin || inlen > 0);
3212 s->dlgret = ssh->user_response;
3214 ssh_set_frozen(ssh, 0);
3215 if (s->dlgret == 0) {
3216 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
3223 switch (s->cipher_type) {
3224 case SSH_CIPHER_3DES:
3225 logevent("Using 3DES encryption");
3227 case SSH_CIPHER_DES:
3228 logevent("Using single-DES encryption");
3230 case SSH_CIPHER_BLOWFISH:
3231 logevent("Using Blowfish encryption");
3235 send_packet(ssh, SSH1_CMSG_SESSION_KEY,
3236 PKT_CHAR, s->cipher_type,
3237 PKT_DATA, cookie, 8,
3238 PKT_CHAR, (s->len * 8) >> 8, PKT_CHAR, (s->len * 8) & 0xFF,
3239 PKT_DATA, s->rsabuf, s->len,
3240 PKT_INT, ssh->v1_local_protoflags, PKT_END);
3242 logevent("Trying to enable encryption...");
3246 ssh->cipher = (s->cipher_type == SSH_CIPHER_BLOWFISH ? &ssh_blowfish_ssh1 :
3247 s->cipher_type == SSH_CIPHER_DES ? &ssh_des :
3249 ssh->v1_cipher_ctx = ssh->cipher->make_context();
3250 ssh->cipher->sesskey(ssh->v1_cipher_ctx, ssh->session_key);
3251 logeventf(ssh, "Initialised %s encryption", ssh->cipher->text_name);
3253 ssh->crcda_ctx = crcda_make_context();
3254 logevent("Installing CRC compensation attack detector");
3256 if (servkey.modulus) {
3257 sfree(servkey.modulus);
3258 servkey.modulus = NULL;
3260 if (servkey.exponent) {
3261 sfree(servkey.exponent);
3262 servkey.exponent = NULL;
3264 if (hostkey.modulus) {
3265 sfree(hostkey.modulus);
3266 hostkey.modulus = NULL;
3268 if (hostkey.exponent) {
3269 sfree(hostkey.exponent);
3270 hostkey.exponent = NULL;
3274 if (pktin->type != SSH1_SMSG_SUCCESS) {
3275 bombout(("Encryption not successfully enabled"));
3279 logevent("Successfully started encryption");
3281 fflush(stdout); /* FIXME eh? */
3283 if (!*ssh->cfg.username) {
3284 int ret; /* need not be kept over crReturn */
3285 s->cur_prompt = new_prompts(ssh->frontend);
3286 s->cur_prompt->to_server = TRUE;
3287 s->cur_prompt->name = dupstr("SSH login name");
3288 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
3289 lenof(s->username));
3290 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3293 crWaitUntil(!pktin);
3294 ret = get_userpass_input(s->cur_prompt, in, inlen);
3299 * Failed to get a username. Terminate.
3301 free_prompts(s->cur_prompt);
3302 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
3305 memcpy(s->username, s->cur_prompt->prompts[0]->result,
3306 lenof(s->username));
3307 free_prompts(s->cur_prompt);
3309 strncpy(s->username, ssh->cfg.username, sizeof(s->username));
3310 s->username[sizeof(s->username)-1] = '\0';
3313 send_packet(ssh, SSH1_CMSG_USER, PKT_STR, s->username, PKT_END);
3315 char *userlog = dupprintf("Sent username \"%s\"", s->username);
3317 if (flags & FLAG_INTERACTIVE &&
3318 (!((flags & FLAG_STDERR) && (flags & FLAG_VERBOSE)))) {
3319 c_write_str(ssh, userlog);
3320 c_write_str(ssh, "\r\n");
3328 if ((s->supported_auths_mask & (1 << SSH1_AUTH_RSA)) == 0) {
3329 /* We must not attempt PK auth. Pretend we've already tried it. */
3330 s->tried_publickey = s->tried_agent = 1;
3332 s->tried_publickey = s->tried_agent = 0;
3334 s->tis_auth_refused = s->ccard_auth_refused = 0;
3336 * Load the public half of any configured keyfile for later use.
3338 if (!filename_is_null(ssh->cfg.keyfile)) {
3340 logeventf(ssh, "Reading private key file \"%.150s\"",
3341 filename_to_str(&ssh->cfg.keyfile));
3342 keytype = key_type(&ssh->cfg.keyfile);
3343 if (keytype == SSH_KEYTYPE_SSH1) {
3345 if (rsakey_pubblob(&ssh->cfg.keyfile,
3346 &s->publickey_blob, &s->publickey_bloblen,
3347 &s->publickey_comment, &error)) {
3348 s->publickey_encrypted = rsakey_encrypted(&ssh->cfg.keyfile,
3352 logeventf(ssh, "Unable to load private key (%s)", error);
3353 msgbuf = dupprintf("Unable to load private key file "
3354 "\"%.150s\" (%s)\r\n",
3355 filename_to_str(&ssh->cfg.keyfile),
3357 c_write_str(ssh, msgbuf);
3359 s->publickey_blob = NULL;
3363 logeventf(ssh, "Unable to use this key file (%s)",
3364 key_type_to_str(keytype));
3365 msgbuf = dupprintf("Unable to use key file \"%.150s\""
3367 filename_to_str(&ssh->cfg.keyfile),
3368 key_type_to_str(keytype));
3369 c_write_str(ssh, msgbuf);
3371 s->publickey_blob = NULL;
3374 s->publickey_blob = NULL;
3376 while (pktin->type == SSH1_SMSG_FAILURE) {
3377 s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
3379 if (ssh->cfg.tryagent && agent_exists() && !s->tried_agent) {
3381 * Attempt RSA authentication using Pageant.
3387 logevent("Pageant is running. Requesting keys.");
3389 /* Request the keys held by the agent. */
3390 PUT_32BIT(s->request, 1);
3391 s->request[4] = SSH1_AGENTC_REQUEST_RSA_IDENTITIES;
3392 if (!agent_query(s->request, 5, &r, &s->responselen,
3393 ssh_agent_callback, ssh)) {
3397 bombout(("Unexpected data from server while waiting"
3398 " for agent response"));
3401 } while (pktin || inlen > 0);
3402 r = ssh->agent_response;
3403 s->responselen = ssh->agent_response_len;
3405 s->response = (unsigned char *) r;
3406 if (s->response && s->responselen >= 5 &&
3407 s->response[4] == SSH1_AGENT_RSA_IDENTITIES_ANSWER) {
3408 s->p = s->response + 5;
3409 s->nkeys = GET_32BIT(s->p);
3411 logeventf(ssh, "Pageant has %d SSH-1 keys", s->nkeys);
3412 for (s->keyi = 0; s->keyi < s->nkeys; s->keyi++) {
3413 unsigned char *pkblob = s->p;
3417 do { /* do while (0) to make breaking easy */
3418 n = ssh1_read_bignum
3419 (s->p, s->responselen-(s->p-s->response),
3424 n = ssh1_read_bignum
3425 (s->p, s->responselen-(s->p-s->response),
3430 if (s->responselen - (s->p-s->response) < 4)
3432 s->commentlen = GET_32BIT(s->p);
3434 if (s->responselen - (s->p-s->response) <
3437 s->commentp = (char *)s->p;
3438 s->p += s->commentlen;
3442 logevent("Pageant key list packet was truncated");
3446 if (s->publickey_blob) {
3447 if (!memcmp(pkblob, s->publickey_blob,
3448 s->publickey_bloblen)) {
3449 logeventf(ssh, "Pageant key #%d matches "
3450 "configured key file", s->keyi);
3451 s->tried_publickey = 1;
3453 /* Skip non-configured key */
3456 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
3457 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3458 PKT_BIGNUM, s->key.modulus, PKT_END);
3460 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3461 logevent("Key refused");
3464 logevent("Received RSA challenge");
3465 if ((s->challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3466 bombout(("Server's RSA challenge was badly formatted"));
3471 char *agentreq, *q, *ret;
3474 len = 1 + 4; /* message type, bit count */
3475 len += ssh1_bignum_length(s->key.exponent);
3476 len += ssh1_bignum_length(s->key.modulus);
3477 len += ssh1_bignum_length(s->challenge);
3478 len += 16; /* session id */
3479 len += 4; /* response format */
3480 agentreq = snewn(4 + len, char);
3481 PUT_32BIT(agentreq, len);
3483 *q++ = SSH1_AGENTC_RSA_CHALLENGE;
3484 PUT_32BIT(q, bignum_bitcount(s->key.modulus));
3486 q += ssh1_write_bignum(q, s->key.exponent);
3487 q += ssh1_write_bignum(q, s->key.modulus);
3488 q += ssh1_write_bignum(q, s->challenge);
3489 memcpy(q, s->session_id, 16);
3491 PUT_32BIT(q, 1); /* response format */
3492 if (!agent_query(agentreq, len + 4, &vret, &retlen,
3493 ssh_agent_callback, ssh)) {
3498 bombout(("Unexpected data from server"
3499 " while waiting for agent"
3503 } while (pktin || inlen > 0);
3504 vret = ssh->agent_response;
3505 retlen = ssh->agent_response_len;
3510 if (ret[4] == SSH1_AGENT_RSA_RESPONSE) {
3511 logevent("Sending Pageant's response");
3512 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3513 PKT_DATA, ret + 5, 16,
3517 if (pktin->type == SSH1_SMSG_SUCCESS) {
3519 ("Pageant's response accepted");
3520 if (flags & FLAG_VERBOSE) {
3521 c_write_str(ssh, "Authenticated using"
3523 c_write(ssh, s->commentp,
3525 c_write_str(ssh, "\" from agent\r\n");
3530 ("Pageant's response not accepted");
3533 ("Pageant failed to answer challenge");
3537 logevent("No reply received from Pageant");
3540 freebn(s->key.exponent);
3541 freebn(s->key.modulus);
3542 freebn(s->challenge);
3547 if (s->publickey_blob && !s->tried_publickey)
3548 logevent("Configured key file not in Pageant");
3553 if (s->publickey_blob && !s->tried_publickey) {
3555 * Try public key authentication with the specified
3558 int got_passphrase; /* need not be kept over crReturn */
3559 if (flags & FLAG_VERBOSE)
3560 c_write_str(ssh, "Trying public key authentication.\r\n");
3561 logeventf(ssh, "Trying public key \"%s\"",
3562 filename_to_str(&ssh->cfg.keyfile));
3563 s->tried_publickey = 1;
3564 got_passphrase = FALSE;
3565 while (!got_passphrase) {
3567 * Get a passphrase, if necessary.
3569 char *passphrase = NULL; /* only written after crReturn */
3571 if (!s->publickey_encrypted) {
3572 if (flags & FLAG_VERBOSE)
3573 c_write_str(ssh, "No passphrase required.\r\n");
3576 int ret; /* need not be kept over crReturn */
3577 s->cur_prompt = new_prompts(ssh->frontend);
3578 s->cur_prompt->to_server = FALSE;
3579 s->cur_prompt->name = dupstr("SSH key passphrase");
3580 add_prompt(s->cur_prompt,
3581 dupprintf("Passphrase for key \"%.100s\": ",
3582 s->publickey_comment),
3583 FALSE, SSH_MAX_PASSWORD_LEN);
3584 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3587 crWaitUntil(!pktin);
3588 ret = get_userpass_input(s->cur_prompt, in, inlen);
3592 /* Failed to get a passphrase. Terminate. */
3593 free_prompts(s->cur_prompt);
3594 ssh_disconnect(ssh, NULL, "Unable to authenticate",
3598 passphrase = dupstr(s->cur_prompt->prompts[0]->result);
3599 free_prompts(s->cur_prompt);
3602 * Try decrypting key with passphrase.
3604 ret = loadrsakey(&ssh->cfg.keyfile, &s->key, passphrase,
3607 memset(passphrase, 0, strlen(passphrase));
3611 /* Correct passphrase. */
3612 got_passphrase = TRUE;
3613 } else if (ret == 0) {
3614 c_write_str(ssh, "Couldn't load private key from ");
3615 c_write_str(ssh, filename_to_str(&ssh->cfg.keyfile));
3616 c_write_str(ssh, " (");
3617 c_write_str(ssh, error);
3618 c_write_str(ssh, ").\r\n");
3619 got_passphrase = FALSE;
3620 break; /* go and try something else */
3621 } else if (ret == -1) {
3622 c_write_str(ssh, "Wrong passphrase.\r\n"); /* FIXME */
3623 got_passphrase = FALSE;
3626 assert(0 && "unexpected return from loadrsakey()");
3627 got_passphrase = FALSE; /* placate optimisers */
3631 if (got_passphrase) {
3634 * Send a public key attempt.
3636 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3637 PKT_BIGNUM, s->key.modulus, PKT_END);
3640 if (pktin->type == SSH1_SMSG_FAILURE) {
3641 c_write_str(ssh, "Server refused our public key.\r\n");
3642 continue; /* go and try something else */
3644 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3645 bombout(("Bizarre response to offer of public key"));
3651 unsigned char buffer[32];
3652 Bignum challenge, response;
3654 if ((challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3655 bombout(("Server's RSA challenge was badly formatted"));
3658 response = rsadecrypt(challenge, &s->key);
3659 freebn(s->key.private_exponent);/* burn the evidence */
3661 for (i = 0; i < 32; i++) {
3662 buffer[i] = bignum_byte(response, 31 - i);
3666 MD5Update(&md5c, buffer, 32);
3667 MD5Update(&md5c, s->session_id, 16);
3668 MD5Final(buffer, &md5c);
3670 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3671 PKT_DATA, buffer, 16, PKT_END);
3678 if (pktin->type == SSH1_SMSG_FAILURE) {
3679 if (flags & FLAG_VERBOSE)
3680 c_write_str(ssh, "Failed to authenticate with"
3681 " our public key.\r\n");
3682 continue; /* go and try something else */
3683 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
3684 bombout(("Bizarre response to RSA authentication response"));
3688 break; /* we're through! */
3694 * Otherwise, try various forms of password-like authentication.
3696 s->cur_prompt = new_prompts(ssh->frontend);
3698 if (ssh->cfg.try_tis_auth &&
3699 (s->supported_auths_mask & (1 << SSH1_AUTH_TIS)) &&
3700 !s->tis_auth_refused) {
3701 s->pwpkt_type = SSH1_CMSG_AUTH_TIS_RESPONSE;
3702 logevent("Requested TIS authentication");
3703 send_packet(ssh, SSH1_CMSG_AUTH_TIS, PKT_END);
3705 if (pktin->type != SSH1_SMSG_AUTH_TIS_CHALLENGE) {
3706 logevent("TIS authentication declined");
3707 if (flags & FLAG_INTERACTIVE)
3708 c_write_str(ssh, "TIS authentication refused.\r\n");
3709 s->tis_auth_refused = 1;
3714 char *instr_suf, *prompt;
3716 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3718 bombout(("TIS challenge packet was badly formed"));
3721 logevent("Received TIS challenge");
3722 s->cur_prompt->to_server = TRUE;
3723 s->cur_prompt->name = dupstr("SSH TIS authentication");
3724 /* Prompt heuristic comes from OpenSSH */
3725 if (memchr(challenge, '\n', challengelen)) {
3726 instr_suf = dupstr("");
3727 prompt = dupprintf("%.*s", challengelen, challenge);
3729 instr_suf = dupprintf("%.*s", challengelen, challenge);
3730 prompt = dupstr("Response: ");
3732 s->cur_prompt->instruction =
3733 dupprintf("Using TIS authentication.%s%s",
3734 (*instr_suf) ? "\n" : "",
3736 s->cur_prompt->instr_reqd = TRUE;
3737 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3741 if (ssh->cfg.try_tis_auth &&
3742 (s->supported_auths_mask & (1 << SSH1_AUTH_CCARD)) &&
3743 !s->ccard_auth_refused) {
3744 s->pwpkt_type = SSH1_CMSG_AUTH_CCARD_RESPONSE;
3745 logevent("Requested CryptoCard authentication");
3746 send_packet(ssh, SSH1_CMSG_AUTH_CCARD, PKT_END);
3748 if (pktin->type != SSH1_SMSG_AUTH_CCARD_CHALLENGE) {
3749 logevent("CryptoCard authentication declined");
3750 c_write_str(ssh, "CryptoCard authentication refused.\r\n");
3751 s->ccard_auth_refused = 1;
3756 char *instr_suf, *prompt;
3758 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3760 bombout(("CryptoCard challenge packet was badly formed"));
3763 logevent("Received CryptoCard challenge");
3764 s->cur_prompt->to_server = TRUE;
3765 s->cur_prompt->name = dupstr("SSH CryptoCard authentication");
3766 s->cur_prompt->name_reqd = FALSE;
3767 /* Prompt heuristic comes from OpenSSH */
3768 if (memchr(challenge, '\n', challengelen)) {
3769 instr_suf = dupstr("");
3770 prompt = dupprintf("%.*s", challengelen, challenge);
3772 instr_suf = dupprintf("%.*s", challengelen, challenge);
3773 prompt = dupstr("Response: ");
3775 s->cur_prompt->instruction =
3776 dupprintf("Using CryptoCard authentication.%s%s",
3777 (*instr_suf) ? "\n" : "",
3779 s->cur_prompt->instr_reqd = TRUE;
3780 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3784 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3785 if ((s->supported_auths_mask & (1 << SSH1_AUTH_PASSWORD)) == 0) {
3786 bombout(("No supported authentication methods available"));
3789 s->cur_prompt->to_server = TRUE;
3790 s->cur_prompt->name = dupstr("SSH password");
3791 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
3792 s->username, ssh->savedhost),
3793 FALSE, SSH_MAX_PASSWORD_LEN);
3797 * Show password prompt, having first obtained it via a TIS
3798 * or CryptoCard exchange if we're doing TIS or CryptoCard
3802 int ret; /* need not be kept over crReturn */
3803 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3806 crWaitUntil(!pktin);
3807 ret = get_userpass_input(s->cur_prompt, in, inlen);
3812 * Failed to get a password (for example
3813 * because one was supplied on the command line
3814 * which has already failed to work). Terminate.
3816 free_prompts(s->cur_prompt);
3817 ssh_disconnect(ssh, NULL, "Unable to authenticate", 0, TRUE);
3822 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3824 * Defence against traffic analysis: we send a
3825 * whole bunch of packets containing strings of
3826 * different lengths. One of these strings is the
3827 * password, in a SSH1_CMSG_AUTH_PASSWORD packet.
3828 * The others are all random data in
3829 * SSH1_MSG_IGNORE packets. This way a passive
3830 * listener can't tell which is the password, and
3831 * hence can't deduce the password length.
3833 * Anybody with a password length greater than 16
3834 * bytes is going to have enough entropy in their
3835 * password that a listener won't find it _that_
3836 * much help to know how long it is. So what we'll
3839 * - if password length < 16, we send 15 packets
3840 * containing string lengths 1 through 15
3842 * - otherwise, we let N be the nearest multiple
3843 * of 8 below the password length, and send 8
3844 * packets containing string lengths N through
3845 * N+7. This won't obscure the order of
3846 * magnitude of the password length, but it will
3847 * introduce a bit of extra uncertainty.
3849 * A few servers can't deal with SSH1_MSG_IGNORE, at
3850 * least in this context. For these servers, we need
3851 * an alternative defence. We make use of the fact
3852 * that the password is interpreted as a C string:
3853 * so we can append a NUL, then some random data.
3855 * A few servers can deal with neither SSH1_MSG_IGNORE
3856 * here _nor_ a padded password string.
3857 * For these servers we are left with no defences
3858 * against password length sniffing.
3860 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE) &&
3861 !(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
3863 * The server can deal with SSH1_MSG_IGNORE, so
3864 * we can use the primary defence.
3866 int bottom, top, pwlen, i;
3869 pwlen = strlen(s->cur_prompt->prompts[0]->result);
3871 bottom = 0; /* zero length passwords are OK! :-) */
3874 bottom = pwlen & ~7;
3878 assert(pwlen >= bottom && pwlen <= top);
3880 randomstr = snewn(top + 1, char);
3882 for (i = bottom; i <= top; i++) {
3884 defer_packet(ssh, s->pwpkt_type,
3885 PKTT_PASSWORD, PKT_STR,
3886 s->cur_prompt->prompts[0]->result,
3887 PKTT_OTHER, PKT_END);
3889 for (j = 0; j < i; j++) {
3891 randomstr[j] = random_byte();
3892 } while (randomstr[j] == '\0');
3894 randomstr[i] = '\0';
3895 defer_packet(ssh, SSH1_MSG_IGNORE,
3896 PKT_STR, randomstr, PKT_END);
3899 logevent("Sending password with camouflage packets");
3900 ssh_pkt_defersend(ssh);
3903 else if (!(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
3905 * The server can't deal with SSH1_MSG_IGNORE
3906 * but can deal with padded passwords, so we
3907 * can use the secondary defence.
3913 len = strlen(s->cur_prompt->prompts[0]->result);
3914 if (len < sizeof(string)) {
3916 strcpy(string, s->cur_prompt->prompts[0]->result);
3917 len++; /* cover the zero byte */
3918 while (len < sizeof(string)) {
3919 string[len++] = (char) random_byte();
3922 ss = s->cur_prompt->prompts[0]->result;
3924 logevent("Sending length-padded password");
3925 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
3926 PKT_INT, len, PKT_DATA, ss, len,
3927 PKTT_OTHER, PKT_END);
3930 * The server is believed unable to cope with
3931 * any of our password camouflage methods.
3934 len = strlen(s->cur_prompt->prompts[0]->result);
3935 logevent("Sending unpadded password");
3936 send_packet(ssh, s->pwpkt_type,
3937 PKTT_PASSWORD, PKT_INT, len,
3938 PKT_DATA, s->cur_prompt->prompts[0]->result, len,
3939 PKTT_OTHER, PKT_END);
3942 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
3943 PKT_STR, s->cur_prompt->prompts[0]->result,
3944 PKTT_OTHER, PKT_END);
3946 logevent("Sent password");
3947 free_prompts(s->cur_prompt);
3949 if (pktin->type == SSH1_SMSG_FAILURE) {
3950 if (flags & FLAG_VERBOSE)
3951 c_write_str(ssh, "Access denied\r\n");
3952 logevent("Authentication refused");
3953 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
3954 bombout(("Strange packet received, type %d", pktin->type));
3960 if (s->publickey_blob) {
3961 sfree(s->publickey_blob);
3962 sfree(s->publickey_comment);
3965 logevent("Authentication successful");
3970 void sshfwd_close(struct ssh_channel *c)
3974 if (ssh->state == SSH_STATE_CLOSED)
3977 if (c && !c->closes) {
3979 * If halfopen is true, we have sent
3980 * CHANNEL_OPEN for this channel, but it hasn't even been
3981 * acknowledged by the server. So we must set a close flag
3982 * on it now, and then when the server acks the channel
3983 * open, we can close it then.
3986 if (ssh->version == 1) {
3987 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE, PKT_INT, c->remoteid,
3990 struct Packet *pktout;
3991 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
3992 ssh2_pkt_adduint32(pktout, c->remoteid);
3993 ssh2_pkt_send(ssh, pktout);
3996 c->closes = 1; /* sent MSG_CLOSE */
3997 if (c->type == CHAN_X11) {
3999 logevent("Forwarded X11 connection terminated");
4000 } else if (c->type == CHAN_SOCKDATA ||
4001 c->type == CHAN_SOCKDATA_DORMANT) {
4003 logevent("Forwarded port closed");
4008 int sshfwd_write(struct ssh_channel *c, char *buf, int len)
4012 if (ssh->state == SSH_STATE_CLOSED)
4015 if (ssh->version == 1) {
4016 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
4017 PKT_INT, c->remoteid,
4018 PKT_INT, len, PKTT_DATA, PKT_DATA, buf, len,
4019 PKTT_OTHER, PKT_END);
4021 * In SSH-1 we can return 0 here - implying that forwarded
4022 * connections are never individually throttled - because
4023 * the only circumstance that can cause throttling will be
4024 * the whole SSH connection backing up, in which case
4025 * _everything_ will be throttled as a whole.
4029 ssh2_add_channel_data(c, buf, len);
4030 return ssh2_try_send(c);
4034 void sshfwd_unthrottle(struct ssh_channel *c, int bufsize)
4038 if (ssh->state == SSH_STATE_CLOSED)
4041 if (ssh->version == 1) {
4042 if (c->v.v1.throttling && bufsize < SSH1_BUFFER_LIMIT) {
4043 c->v.v1.throttling = 0;
4044 ssh1_throttle(ssh, -1);
4047 ssh2_set_window(c, c->v.v2.locmaxwin - bufsize);
4051 static void ssh_queueing_handler(Ssh ssh, struct Packet *pktin)
4053 struct queued_handler *qh = ssh->qhead;
4057 assert(pktin->type == qh->msg1 || pktin->type == qh->msg2);
4060 assert(ssh->packet_dispatch[qh->msg1] == ssh_queueing_handler);
4061 ssh->packet_dispatch[qh->msg1] = NULL;
4064 assert(ssh->packet_dispatch[qh->msg2] == ssh_queueing_handler);
4065 ssh->packet_dispatch[qh->msg2] = NULL;
4069 ssh->qhead = qh->next;
4071 if (ssh->qhead->msg1 > 0) {
4072 assert(ssh->packet_dispatch[ssh->qhead->msg1] == NULL);
4073 ssh->packet_dispatch[ssh->qhead->msg1] = ssh_queueing_handler;
4075 if (ssh->qhead->msg2 > 0) {
4076 assert(ssh->packet_dispatch[ssh->qhead->msg2] == NULL);
4077 ssh->packet_dispatch[ssh->qhead->msg2] = ssh_queueing_handler;
4080 ssh->qhead = ssh->qtail = NULL;
4081 ssh->packet_dispatch[pktin->type] = NULL;
4084 qh->handler(ssh, pktin, qh->ctx);
4089 static void ssh_queue_handler(Ssh ssh, int msg1, int msg2,
4090 chandler_fn_t handler, void *ctx)
4092 struct queued_handler *qh;
4094 qh = snew(struct queued_handler);
4097 qh->handler = handler;
4101 if (ssh->qtail == NULL) {
4105 assert(ssh->packet_dispatch[qh->msg1] == NULL);
4106 ssh->packet_dispatch[qh->msg1] = ssh_queueing_handler;
4109 assert(ssh->packet_dispatch[qh->msg2] == NULL);
4110 ssh->packet_dispatch[qh->msg2] = ssh_queueing_handler;
4113 ssh->qtail->next = qh;
4118 static void ssh_rportfwd_succfail(Ssh ssh, struct Packet *pktin, void *ctx)
4120 struct ssh_rportfwd *rpf, *pf = (struct ssh_rportfwd *)ctx;
4122 if (pktin->type == (ssh->version == 1 ? SSH1_SMSG_SUCCESS :
4123 SSH2_MSG_REQUEST_SUCCESS)) {
4124 logeventf(ssh, "Remote port forwarding from %s enabled",
4127 logeventf(ssh, "Remote port forwarding from %s refused",
4130 rpf = del234(ssh->rportfwds, pf);
4136 static void ssh_setup_portfwd(Ssh ssh, const Config *cfg)
4138 const char *portfwd_strptr = cfg->portfwd;
4139 struct ssh_portfwd *epf;
4142 if (!ssh->portfwds) {
4143 ssh->portfwds = newtree234(ssh_portcmp);
4146 * Go through the existing port forwardings and tag them
4147 * with status==DESTROY. Any that we want to keep will be
4148 * re-enabled (status==KEEP) as we go through the
4149 * configuration and find out which bits are the same as
4152 struct ssh_portfwd *epf;
4154 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4155 epf->status = DESTROY;
4158 while (*portfwd_strptr) {
4159 char address_family, type;
4160 int sport,dport,sserv,dserv;
4161 char sports[256], dports[256], saddr[256], host[256];
4164 address_family = 'A';
4166 if (*portfwd_strptr == 'A' ||
4167 *portfwd_strptr == '4' ||
4168 *portfwd_strptr == '6')
4169 address_family = *portfwd_strptr++;
4170 if (*portfwd_strptr == 'L' ||
4171 *portfwd_strptr == 'R' ||
4172 *portfwd_strptr == 'D')
4173 type = *portfwd_strptr++;
4178 while (*portfwd_strptr && *portfwd_strptr != '\t') {
4179 if (*portfwd_strptr == ':') {
4181 * We've seen a colon in the middle of the
4182 * source port number. This means that
4183 * everything we've seen until now is the
4184 * source _address_, so we'll move it into
4185 * saddr and start sports from the beginning
4190 if (ssh->version == 1 && type == 'R') {
4191 logeventf(ssh, "SSH-1 cannot handle remote source address "
4192 "spec \"%s\"; ignoring", sports);
4194 strcpy(saddr, sports);
4197 if (n < lenof(sports)-1) sports[n++] = *portfwd_strptr++;
4201 if (*portfwd_strptr == '\t')
4204 while (*portfwd_strptr && *portfwd_strptr != ':') {
4205 if (n < lenof(host)-1) host[n++] = *portfwd_strptr++;
4208 if (*portfwd_strptr == ':')
4211 while (*portfwd_strptr) {
4212 if (n < lenof(dports)-1) dports[n++] = *portfwd_strptr++;
4216 dport = atoi(dports);
4220 dport = net_service_lookup(dports);
4222 logeventf(ssh, "Service lookup failed for destination"
4223 " port \"%s\"", dports);
4227 while (*portfwd_strptr) portfwd_strptr++;
4231 portfwd_strptr++; /* eat the NUL and move to next one */
4233 sport = atoi(sports);
4237 sport = net_service_lookup(sports);
4239 logeventf(ssh, "Service lookup failed for source"
4240 " port \"%s\"", sports);
4243 if (sport && dport) {
4244 /* Set up a description of the source port. */
4245 struct ssh_portfwd *pfrec, *epfrec;
4247 pfrec = snew(struct ssh_portfwd);
4249 pfrec->saddr = *saddr ? dupstr(saddr) : NULL;
4250 pfrec->sserv = sserv ? dupstr(sports) : NULL;
4251 pfrec->sport = sport;
4252 pfrec->daddr = *host ? dupstr(host) : NULL;
4253 pfrec->dserv = dserv ? dupstr(dports) : NULL;
4254 pfrec->dport = dport;
4255 pfrec->local = NULL;
4256 pfrec->remote = NULL;
4257 pfrec->addressfamily = (address_family == '4' ? ADDRTYPE_IPV4 :
4258 address_family == '6' ? ADDRTYPE_IPV6 :
4261 epfrec = add234(ssh->portfwds, pfrec);
4262 if (epfrec != pfrec) {
4264 * We already have a port forwarding with precisely
4265 * these parameters. Hence, no need to do anything;
4266 * simply tag the existing one as KEEP.
4268 epfrec->status = KEEP;
4269 free_portfwd(pfrec);
4271 pfrec->status = CREATE;
4277 * Now go through and destroy any port forwardings which were
4280 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4281 if (epf->status == DESTROY) {
4284 message = dupprintf("%s port forwarding from %s%s%d",
4285 epf->type == 'L' ? "local" :
4286 epf->type == 'R' ? "remote" : "dynamic",
4287 epf->saddr ? epf->saddr : "",
4288 epf->saddr ? ":" : "",
4291 if (epf->type != 'D') {
4292 char *msg2 = dupprintf("%s to %s:%d", message,
4293 epf->daddr, epf->dport);
4298 logeventf(ssh, "Cancelling %s", message);
4302 struct ssh_rportfwd *rpf = epf->remote;
4303 struct Packet *pktout;
4306 * Cancel the port forwarding at the server
4309 if (ssh->version == 1) {
4311 * We cannot cancel listening ports on the
4312 * server side in SSH-1! There's no message
4313 * to support it. Instead, we simply remove
4314 * the rportfwd record from the local end
4315 * so that any connections the server tries
4316 * to make on it are rejected.
4319 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4320 ssh2_pkt_addstring(pktout, "cancel-tcpip-forward");
4321 ssh2_pkt_addbool(pktout, 0);/* _don't_ want reply */
4323 ssh2_pkt_addstring(pktout, epf->saddr);
4324 } else if (ssh->cfg.rport_acceptall) {
4325 /* XXX: ssh->cfg.rport_acceptall may not represent
4326 * what was used to open the original connection,
4327 * since it's reconfigurable. */
4328 ssh2_pkt_addstring(pktout, "0.0.0.0");
4330 ssh2_pkt_addstring(pktout, "127.0.0.1");
4332 ssh2_pkt_adduint32(pktout, epf->sport);
4333 ssh2_pkt_send(ssh, pktout);
4336 del234(ssh->rportfwds, rpf);
4338 } else if (epf->local) {
4339 pfd_terminate(epf->local);
4342 delpos234(ssh->portfwds, i);
4344 i--; /* so we don't skip one in the list */
4348 * And finally, set up any new port forwardings (status==CREATE).
4350 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4351 if (epf->status == CREATE) {
4352 char *sportdesc, *dportdesc;
4353 sportdesc = dupprintf("%s%s%s%s%d%s",
4354 epf->saddr ? epf->saddr : "",
4355 epf->saddr ? ":" : "",
4356 epf->sserv ? epf->sserv : "",
4357 epf->sserv ? "(" : "",
4359 epf->sserv ? ")" : "");
4360 if (epf->type == 'D') {
4363 dportdesc = dupprintf("%s:%s%s%d%s",
4365 epf->dserv ? epf->dserv : "",
4366 epf->dserv ? "(" : "",
4368 epf->dserv ? ")" : "");
4371 if (epf->type == 'L') {
4372 const char *err = pfd_addforward(epf->daddr, epf->dport,
4373 epf->saddr, epf->sport,
4376 epf->addressfamily);
4378 logeventf(ssh, "Local %sport %s forwarding to %s%s%s",
4379 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4380 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4381 sportdesc, dportdesc,
4382 err ? " failed: " : "", err ? err : "");
4383 } else if (epf->type == 'D') {
4384 const char *err = pfd_addforward(NULL, -1,
4385 epf->saddr, epf->sport,
4388 epf->addressfamily);
4390 logeventf(ssh, "Local %sport %s SOCKS dynamic forwarding%s%s",
4391 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4392 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4394 err ? " failed: " : "", err ? err : "");
4396 struct ssh_rportfwd *pf;
4399 * Ensure the remote port forwardings tree exists.
4401 if (!ssh->rportfwds) {
4402 if (ssh->version == 1)
4403 ssh->rportfwds = newtree234(ssh_rportcmp_ssh1);
4405 ssh->rportfwds = newtree234(ssh_rportcmp_ssh2);
4408 pf = snew(struct ssh_rportfwd);
4409 strncpy(pf->dhost, epf->daddr, lenof(pf->dhost)-1);
4410 pf->dhost[lenof(pf->dhost)-1] = '\0';
4411 pf->dport = epf->dport;
4412 pf->sport = epf->sport;
4413 if (add234(ssh->rportfwds, pf) != pf) {
4414 logeventf(ssh, "Duplicate remote port forwarding to %s:%d",
4415 epf->daddr, epf->dport);
4418 logeventf(ssh, "Requesting remote port %s"
4419 " forward to %s", sportdesc, dportdesc);
4421 pf->sportdesc = sportdesc;
4426 if (ssh->version == 1) {
4427 send_packet(ssh, SSH1_CMSG_PORT_FORWARD_REQUEST,
4428 PKT_INT, epf->sport,
4429 PKT_STR, epf->daddr,
4430 PKT_INT, epf->dport,
4432 ssh_queue_handler(ssh, SSH1_SMSG_SUCCESS,
4434 ssh_rportfwd_succfail, pf);
4436 struct Packet *pktout;
4437 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4438 ssh2_pkt_addstring(pktout, "tcpip-forward");
4439 ssh2_pkt_addbool(pktout, 1);/* want reply */
4441 ssh2_pkt_addstring(pktout, epf->saddr);
4442 } else if (cfg->rport_acceptall) {
4443 ssh2_pkt_addstring(pktout, "0.0.0.0");
4445 ssh2_pkt_addstring(pktout, "127.0.0.1");
4447 ssh2_pkt_adduint32(pktout, epf->sport);
4448 ssh2_pkt_send(ssh, pktout);
4450 ssh_queue_handler(ssh, SSH2_MSG_REQUEST_SUCCESS,
4451 SSH2_MSG_REQUEST_FAILURE,
4452 ssh_rportfwd_succfail, pf);
4461 static void ssh1_smsg_stdout_stderr_data(Ssh ssh, struct Packet *pktin)
4464 int stringlen, bufsize;
4466 ssh_pkt_getstring(pktin, &string, &stringlen);
4467 if (string == NULL) {
4468 bombout(("Incoming terminal data packet was badly formed"));
4472 bufsize = from_backend(ssh->frontend, pktin->type == SSH1_SMSG_STDERR_DATA,
4474 if (!ssh->v1_stdout_throttling && bufsize > SSH1_BUFFER_LIMIT) {
4475 ssh->v1_stdout_throttling = 1;
4476 ssh1_throttle(ssh, +1);
4480 static void ssh1_smsg_x11_open(Ssh ssh, struct Packet *pktin)
4482 /* Remote side is trying to open a channel to talk to our
4483 * X-Server. Give them back a local channel number. */
4484 struct ssh_channel *c;
4485 int remoteid = ssh_pkt_getuint32(pktin);
4487 logevent("Received X11 connect request");
4488 /* Refuse if X11 forwarding is disabled. */
4489 if (!ssh->X11_fwd_enabled) {
4490 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4491 PKT_INT, remoteid, PKT_END);
4492 logevent("Rejected X11 connect request");
4494 c = snew(struct ssh_channel);
4497 if (x11_init(&c->u.x11.s, ssh->cfg.x11_display, c,
4498 ssh->x11auth, NULL, -1, &ssh->cfg) != NULL) {
4499 logevent("Opening X11 forward connection failed");
4501 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4502 PKT_INT, remoteid, PKT_END);
4505 ("Opening X11 forward connection succeeded");
4506 c->remoteid = remoteid;
4507 c->halfopen = FALSE;
4508 c->localid = alloc_channel_id(ssh);
4510 c->v.v1.throttling = 0;
4511 c->type = CHAN_X11; /* identify channel type */
4512 add234(ssh->channels, c);
4513 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4514 PKT_INT, c->remoteid, PKT_INT,
4515 c->localid, PKT_END);
4516 logevent("Opened X11 forward channel");
4521 static void ssh1_smsg_agent_open(Ssh ssh, struct Packet *pktin)
4523 /* Remote side is trying to open a channel to talk to our
4524 * agent. Give them back a local channel number. */
4525 struct ssh_channel *c;
4526 int remoteid = ssh_pkt_getuint32(pktin);
4528 /* Refuse if agent forwarding is disabled. */
4529 if (!ssh->agentfwd_enabled) {
4530 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4531 PKT_INT, remoteid, PKT_END);
4533 c = snew(struct ssh_channel);
4535 c->remoteid = remoteid;
4536 c->halfopen = FALSE;
4537 c->localid = alloc_channel_id(ssh);
4539 c->v.v1.throttling = 0;
4540 c->type = CHAN_AGENT; /* identify channel type */
4541 c->u.a.lensofar = 0;
4542 add234(ssh->channels, c);
4543 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4544 PKT_INT, c->remoteid, PKT_INT, c->localid,
4549 static void ssh1_msg_port_open(Ssh ssh, struct Packet *pktin)
4551 /* Remote side is trying to open a channel to talk to a
4552 * forwarded port. Give them back a local channel number. */
4553 struct ssh_channel *c;
4554 struct ssh_rportfwd pf, *pfp;
4559 c = snew(struct ssh_channel);
4562 remoteid = ssh_pkt_getuint32(pktin);
4563 ssh_pkt_getstring(pktin, &host, &hostsize);
4564 port = ssh_pkt_getuint32(pktin);
4566 if (hostsize >= lenof(pf.dhost))
4567 hostsize = lenof(pf.dhost)-1;
4568 memcpy(pf.dhost, host, hostsize);
4569 pf.dhost[hostsize] = '\0';
4571 pfp = find234(ssh->rportfwds, &pf, NULL);
4574 logeventf(ssh, "Rejected remote port open request for %s:%d",
4576 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4577 PKT_INT, remoteid, PKT_END);
4579 logeventf(ssh, "Received remote port open request for %s:%d",
4581 e = pfd_newconnect(&c->u.pfd.s, pf.dhost, port,
4582 c, &ssh->cfg, pfp->pfrec->addressfamily);
4584 logeventf(ssh, "Port open failed: %s", e);
4586 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4587 PKT_INT, remoteid, PKT_END);
4589 c->remoteid = remoteid;
4590 c->halfopen = FALSE;
4591 c->localid = alloc_channel_id(ssh);
4593 c->v.v1.throttling = 0;
4594 c->type = CHAN_SOCKDATA; /* identify channel type */
4595 add234(ssh->channels, c);
4596 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4597 PKT_INT, c->remoteid, PKT_INT,
4598 c->localid, PKT_END);
4599 logevent("Forwarded port opened successfully");
4604 static void ssh1_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
4606 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4607 unsigned int localid = ssh_pkt_getuint32(pktin);
4608 struct ssh_channel *c;
4610 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4611 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4612 c->remoteid = localid;
4613 c->halfopen = FALSE;
4614 c->type = CHAN_SOCKDATA;
4615 c->v.v1.throttling = 0;
4616 pfd_confirm(c->u.pfd.s);
4619 if (c && c->closes) {
4621 * We have a pending close on this channel,
4622 * which we decided on before the server acked
4623 * the channel open. So now we know the
4624 * remoteid, we can close it again.
4626 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE,
4627 PKT_INT, c->remoteid, PKT_END);
4631 static void ssh1_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
4633 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4634 struct ssh_channel *c;
4636 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4637 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4638 logevent("Forwarded connection refused by server");
4639 pfd_close(c->u.pfd.s);
4640 del234(ssh->channels, c);
4645 static void ssh1_msg_channel_close(Ssh ssh, struct Packet *pktin)
4647 /* Remote side closes a channel. */
4648 unsigned i = ssh_pkt_getuint32(pktin);
4649 struct ssh_channel *c;
4650 c = find234(ssh->channels, &i, ssh_channelfind);
4651 if (c && !c->halfopen) {
4654 (pktin->type == SSH1_MSG_CHANNEL_CLOSE ? 1 : 2);
4656 if ((c->closes == 0) && (c->type == CHAN_X11)) {
4657 logevent("Forwarded X11 connection terminated");
4658 assert(c->u.x11.s != NULL);
4659 x11_close(c->u.x11.s);
4662 if ((c->closes == 0) && (c->type == CHAN_SOCKDATA)) {
4663 logevent("Forwarded port closed");
4664 assert(c->u.pfd.s != NULL);
4665 pfd_close(c->u.pfd.s);
4669 c->closes |= (closetype << 2); /* seen this message */
4670 if (!(c->closes & closetype)) {
4671 send_packet(ssh, pktin->type, PKT_INT, c->remoteid,
4673 c->closes |= closetype; /* sent it too */
4676 if (c->closes == 15) {
4677 del234(ssh->channels, c);
4681 bombout(("Received CHANNEL_CLOSE%s for %s channel %d\n",
4682 pktin->type == SSH1_MSG_CHANNEL_CLOSE ? "" :
4683 "_CONFIRMATION", c ? "half-open" : "nonexistent",
4688 static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
4690 /* Data sent down one of our channels. */
4691 int i = ssh_pkt_getuint32(pktin);
4694 struct ssh_channel *c;
4696 ssh_pkt_getstring(pktin, &p, &len);
4698 c = find234(ssh->channels, &i, ssh_channelfind);
4703 bufsize = x11_send(c->u.x11.s, p, len);
4706 bufsize = pfd_send(c->u.pfd.s, p, len);
4709 /* Data for an agent message. Buffer it. */
4711 if (c->u.a.lensofar < 4) {
4712 unsigned int l = min(4 - c->u.a.lensofar, (unsigned)len);
4713 memcpy(c->u.a.msglen + c->u.a.lensofar, p,
4717 c->u.a.lensofar += l;
4719 if (c->u.a.lensofar == 4) {
4721 4 + GET_32BIT(c->u.a.msglen);
4722 c->u.a.message = snewn(c->u.a.totallen,
4724 memcpy(c->u.a.message, c->u.a.msglen, 4);
4726 if (c->u.a.lensofar >= 4 && len > 0) {
4728 min(c->u.a.totallen - c->u.a.lensofar,
4730 memcpy(c->u.a.message + c->u.a.lensofar, p,
4734 c->u.a.lensofar += l;
4736 if (c->u.a.lensofar == c->u.a.totallen) {
4739 if (agent_query(c->u.a.message,
4742 ssh_agentf_callback, c))
4743 ssh_agentf_callback(c, reply, replylen);
4744 sfree(c->u.a.message);
4745 c->u.a.lensofar = 0;
4748 bufsize = 0; /* agent channels never back up */
4751 if (!c->v.v1.throttling && bufsize > SSH1_BUFFER_LIMIT) {
4752 c->v.v1.throttling = 1;
4753 ssh1_throttle(ssh, +1);
4758 static void ssh1_smsg_exit_status(Ssh ssh, struct Packet *pktin)
4760 ssh->exitcode = ssh_pkt_getuint32(pktin);
4761 logeventf(ssh, "Server sent command exit status %d", ssh->exitcode);
4762 send_packet(ssh, SSH1_CMSG_EXIT_CONFIRMATION, PKT_END);
4764 * In case `helpful' firewalls or proxies tack
4765 * extra human-readable text on the end of the
4766 * session which we might mistake for another
4767 * encrypted packet, we close the session once
4768 * we've sent EXIT_CONFIRMATION.
4770 ssh_disconnect(ssh, NULL, NULL, 0, TRUE);
4773 /* Helper function to deal with sending tty modes for REQUEST_PTY */
4774 static void ssh1_send_ttymode(void *data, char *mode, char *val)
4776 struct Packet *pktout = (struct Packet *)data;
4778 unsigned int arg = 0;
4779 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
4780 if (i == lenof(ssh_ttymodes)) return;
4781 switch (ssh_ttymodes[i].type) {
4783 arg = ssh_tty_parse_specchar(val);
4786 arg = ssh_tty_parse_boolean(val);
4789 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
4790 ssh2_pkt_addbyte(pktout, arg);
4794 static void do_ssh1_connection(Ssh ssh, unsigned char *in, int inlen,
4795 struct Packet *pktin)
4797 crBegin(ssh->do_ssh1_connection_crstate);
4799 ssh->packet_dispatch[SSH1_SMSG_STDOUT_DATA] =
4800 ssh->packet_dispatch[SSH1_SMSG_STDERR_DATA] =
4801 ssh1_smsg_stdout_stderr_data;
4803 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_CONFIRMATION] =
4804 ssh1_msg_channel_open_confirmation;
4805 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_FAILURE] =
4806 ssh1_msg_channel_open_failure;
4807 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE] =
4808 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION] =
4809 ssh1_msg_channel_close;
4810 ssh->packet_dispatch[SSH1_MSG_CHANNEL_DATA] = ssh1_msg_channel_data;
4811 ssh->packet_dispatch[SSH1_SMSG_EXIT_STATUS] = ssh1_smsg_exit_status;
4813 if (ssh->cfg.agentfwd && agent_exists()) {
4814 logevent("Requesting agent forwarding");
4815 send_packet(ssh, SSH1_CMSG_AGENT_REQUEST_FORWARDING, PKT_END);
4819 if (pktin->type != SSH1_SMSG_SUCCESS
4820 && pktin->type != SSH1_SMSG_FAILURE) {
4821 bombout(("Protocol confusion"));
4823 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4824 logevent("Agent forwarding refused");
4826 logevent("Agent forwarding enabled");
4827 ssh->agentfwd_enabled = TRUE;
4828 ssh->packet_dispatch[SSH1_SMSG_AGENT_OPEN] = ssh1_smsg_agent_open;
4832 if (ssh->cfg.x11_forward) {
4833 char proto[20], data[64];
4834 logevent("Requesting X11 forwarding");
4835 ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
4836 data, sizeof(data), ssh->cfg.x11_auth);
4837 x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
4839 * Note that while we blank the X authentication data here, we don't
4840 * take any special action to blank the start of an X11 channel,
4841 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
4842 * without having session blanking enabled is likely to leak your
4843 * cookie into the log.
4845 if (ssh->v1_local_protoflags & SSH1_PROTOFLAG_SCREEN_NUMBER) {
4846 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
4848 PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER,
4849 PKT_INT, x11_get_screen_number(ssh->cfg.x11_display),
4852 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
4854 PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER, PKT_END);
4859 if (pktin->type != SSH1_SMSG_SUCCESS
4860 && pktin->type != SSH1_SMSG_FAILURE) {
4861 bombout(("Protocol confusion"));
4863 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4864 logevent("X11 forwarding refused");
4866 logevent("X11 forwarding enabled");
4867 ssh->X11_fwd_enabled = TRUE;
4868 ssh->packet_dispatch[SSH1_SMSG_X11_OPEN] = ssh1_smsg_x11_open;
4872 ssh_setup_portfwd(ssh, &ssh->cfg);
4873 ssh->packet_dispatch[SSH1_MSG_PORT_OPEN] = ssh1_msg_port_open;
4875 if (!ssh->cfg.nopty) {
4877 /* Unpick the terminal-speed string. */
4878 /* XXX perhaps we should allow no speeds to be sent. */
4879 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
4880 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
4881 /* Send the pty request. */
4882 pkt = ssh1_pkt_init(SSH1_CMSG_REQUEST_PTY);
4883 ssh_pkt_addstring(pkt, ssh->cfg.termtype);
4884 ssh_pkt_adduint32(pkt, ssh->term_height);
4885 ssh_pkt_adduint32(pkt, ssh->term_width);
4886 ssh_pkt_adduint32(pkt, 0); /* width in pixels */
4887 ssh_pkt_adduint32(pkt, 0); /* height in pixels */
4888 parse_ttymodes(ssh, ssh->cfg.ttymodes,
4889 ssh1_send_ttymode, (void *)pkt);
4890 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_ISPEED);
4891 ssh_pkt_adduint32(pkt, ssh->ispeed);
4892 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_OSPEED);
4893 ssh_pkt_adduint32(pkt, ssh->ospeed);
4894 ssh_pkt_addbyte(pkt, SSH_TTY_OP_END);
4896 ssh->state = SSH_STATE_INTERMED;
4900 if (pktin->type != SSH1_SMSG_SUCCESS
4901 && pktin->type != SSH1_SMSG_FAILURE) {
4902 bombout(("Protocol confusion"));
4904 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4905 c_write_str(ssh, "Server refused to allocate pty\r\n");
4906 ssh->editing = ssh->echoing = 1;
4908 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
4909 ssh->ospeed, ssh->ispeed);
4911 ssh->editing = ssh->echoing = 1;
4914 if (ssh->cfg.compression) {
4915 send_packet(ssh, SSH1_CMSG_REQUEST_COMPRESSION, PKT_INT, 6, PKT_END);
4919 if (pktin->type != SSH1_SMSG_SUCCESS
4920 && pktin->type != SSH1_SMSG_FAILURE) {
4921 bombout(("Protocol confusion"));
4923 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4924 c_write_str(ssh, "Server refused to compress\r\n");
4926 logevent("Started compression");
4927 ssh->v1_compressing = TRUE;
4928 ssh->cs_comp_ctx = zlib_compress_init();
4929 logevent("Initialised zlib (RFC1950) compression");
4930 ssh->sc_comp_ctx = zlib_decompress_init();
4931 logevent("Initialised zlib (RFC1950) decompression");
4935 * Start the shell or command.
4937 * Special case: if the first-choice command is an SSH-2
4938 * subsystem (hence not usable here) and the second choice
4939 * exists, we fall straight back to that.
4942 char *cmd = ssh->cfg.remote_cmd_ptr;
4944 if (!cmd) cmd = ssh->cfg.remote_cmd;
4946 if (ssh->cfg.ssh_subsys && ssh->cfg.remote_cmd_ptr2) {
4947 cmd = ssh->cfg.remote_cmd_ptr2;
4948 ssh->fallback_cmd = TRUE;
4951 send_packet(ssh, SSH1_CMSG_EXEC_CMD, PKT_STR, cmd, PKT_END);
4953 send_packet(ssh, SSH1_CMSG_EXEC_SHELL, PKT_END);
4954 logevent("Started session");
4957 ssh->state = SSH_STATE_SESSION;
4958 if (ssh->size_needed)
4959 ssh_size(ssh, ssh->term_width, ssh->term_height);
4960 if (ssh->eof_needed)
4961 ssh_special(ssh, TS_EOF);
4964 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
4966 ssh->channels = newtree234(ssh_channelcmp);
4970 * By this point, most incoming packets are already being
4971 * handled by the dispatch table, and we need only pay
4972 * attention to the unusual ones.
4977 if (pktin->type == SSH1_SMSG_SUCCESS) {
4978 /* may be from EXEC_SHELL on some servers */
4979 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4980 /* may be from EXEC_SHELL on some servers
4981 * if no pty is available or in other odd cases. Ignore */
4983 bombout(("Strange packet received: type %d", pktin->type));
4988 int len = min(inlen, 512);
4989 send_packet(ssh, SSH1_CMSG_STDIN_DATA,
4990 PKT_INT, len, PKTT_DATA, PKT_DATA, in, len,
4991 PKTT_OTHER, PKT_END);
5002 * Handle the top-level SSH-2 protocol.
5004 static void ssh1_msg_debug(Ssh ssh, struct Packet *pktin)
5009 ssh_pkt_getstring(pktin, &msg, &msglen);
5010 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
5013 static void ssh1_msg_disconnect(Ssh ssh, struct Packet *pktin)
5015 /* log reason code in disconnect message */
5019 ssh_pkt_getstring(pktin, &msg, &msglen);
5020 bombout(("Server sent disconnect message:\n\"%.*s\"", msglen, msg));
5023 static void ssh_msg_ignore(Ssh ssh, struct Packet *pktin)
5025 /* Do nothing, because we're ignoring it! Duhh. */
5028 static void ssh1_protocol_setup(Ssh ssh)
5033 * Most messages are handled by the coroutines.
5035 for (i = 0; i < 256; i++)
5036 ssh->packet_dispatch[i] = NULL;
5039 * These special message types we install handlers for.
5041 ssh->packet_dispatch[SSH1_MSG_DISCONNECT] = ssh1_msg_disconnect;
5042 ssh->packet_dispatch[SSH1_MSG_IGNORE] = ssh_msg_ignore;
5043 ssh->packet_dispatch[SSH1_MSG_DEBUG] = ssh1_msg_debug;
5046 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
5047 struct Packet *pktin)
5049 unsigned char *in=(unsigned char*)vin;
5050 if (ssh->state == SSH_STATE_CLOSED)
5053 if (pktin && ssh->packet_dispatch[pktin->type]) {
5054 ssh->packet_dispatch[pktin->type](ssh, pktin);
5058 if (!ssh->protocol_initial_phase_done) {
5059 if (do_ssh1_login(ssh, in, inlen, pktin))
5060 ssh->protocol_initial_phase_done = TRUE;
5065 do_ssh1_connection(ssh, in, inlen, pktin);
5069 * Utility routine for decoding comma-separated strings in KEXINIT.
5071 static int in_commasep_string(char *needle, char *haystack, int haylen)
5074 if (!needle || !haystack) /* protect against null pointers */
5076 needlen = strlen(needle);
5079 * Is it at the start of the string?
5081 if (haylen >= needlen && /* haystack is long enough */
5082 !memcmp(needle, haystack, needlen) && /* initial match */
5083 (haylen == needlen || haystack[needlen] == ',')
5084 /* either , or EOS follows */
5088 * If not, search for the next comma and resume after that.
5089 * If no comma found, terminate.
5091 while (haylen > 0 && *haystack != ',')
5092 haylen--, haystack++;
5095 haylen--, haystack++; /* skip over comma itself */
5100 * Similar routine for checking whether we have the first string in a list.
5102 static int first_in_commasep_string(char *needle, char *haystack, int haylen)
5105 if (!needle || !haystack) /* protect against null pointers */
5107 needlen = strlen(needle);
5109 * Is it at the start of the string?
5111 if (haylen >= needlen && /* haystack is long enough */
5112 !memcmp(needle, haystack, needlen) && /* initial match */
5113 (haylen == needlen || haystack[needlen] == ',')
5114 /* either , or EOS follows */
5122 * SSH-2 key creation method.
5123 * (Currently assumes 2 lots of any hash are sufficient to generate
5124 * keys/IVs for any cipher/MAC. SSH2_MKKEY_ITERS documents this assumption.)
5126 #define SSH2_MKKEY_ITERS (2)
5127 static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,
5128 unsigned char *keyspace)
5130 const struct ssh_hash *h = ssh->kex->hash;
5132 /* First hlen bytes. */
5134 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5135 hash_mpint(h, s, K);
5136 h->bytes(s, H, h->hlen);
5137 h->bytes(s, &chr, 1);
5138 h->bytes(s, ssh->v2_session_id, ssh->v2_session_id_len);
5139 h->final(s, keyspace);
5140 /* Next hlen bytes. */
5142 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5143 hash_mpint(h, s, K);
5144 h->bytes(s, H, h->hlen);
5145 h->bytes(s, keyspace, h->hlen);
5146 h->final(s, keyspace + h->hlen);
5150 * Handle the SSH-2 transport layer.
5152 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
5153 struct Packet *pktin)
5155 unsigned char *in = (unsigned char *)vin;
5156 struct do_ssh2_transport_state {
5157 int nbits, pbits, warn_kex, warn_cscipher, warn_sccipher;
5158 Bignum p, g, e, f, K;
5161 int kex_init_value, kex_reply_value;
5162 const struct ssh_mac **maclist;
5164 const struct ssh2_cipher *cscipher_tobe;
5165 const struct ssh2_cipher *sccipher_tobe;
5166 const struct ssh_mac *csmac_tobe;
5167 const struct ssh_mac *scmac_tobe;
5168 const struct ssh_compress *cscomp_tobe;
5169 const struct ssh_compress *sccomp_tobe;
5170 char *hostkeydata, *sigdata, *rsakeydata, *keystr, *fingerprint;
5171 int hostkeylen, siglen, rsakeylen;
5172 void *hkey; /* actual host key */
5173 void *rsakey; /* for RSA kex */
5174 unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
5175 int n_preferred_kex;
5176 const struct ssh_kexes *preferred_kex[KEX_MAX];
5177 int n_preferred_ciphers;
5178 const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
5179 const struct ssh_compress *preferred_comp;
5180 int got_session_id, activated_authconn;
5181 struct Packet *pktout;
5186 crState(do_ssh2_transport_state);
5188 crBegin(ssh->do_ssh2_transport_crstate);
5190 s->cscipher_tobe = s->sccipher_tobe = NULL;
5191 s->csmac_tobe = s->scmac_tobe = NULL;
5192 s->cscomp_tobe = s->sccomp_tobe = NULL;
5194 s->got_session_id = s->activated_authconn = FALSE;
5197 * Be prepared to work around the buggy MAC problem.
5199 if (ssh->remote_bugs & BUG_SSH2_HMAC)
5200 s->maclist = buggymacs, s->nmacs = lenof(buggymacs);
5202 s->maclist = macs, s->nmacs = lenof(macs);
5205 ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
5207 int i, j, commalist_started;
5210 * Set up the preferred key exchange. (NULL => warn below here)
5212 s->n_preferred_kex = 0;
5213 for (i = 0; i < KEX_MAX; i++) {
5214 switch (ssh->cfg.ssh_kexlist[i]) {
5216 s->preferred_kex[s->n_preferred_kex++] =
5217 &ssh_diffiehellman_gex;
5220 s->preferred_kex[s->n_preferred_kex++] =
5221 &ssh_diffiehellman_group14;
5224 s->preferred_kex[s->n_preferred_kex++] =
5225 &ssh_diffiehellman_group1;
5228 s->preferred_kex[s->n_preferred_kex++] =
5232 /* Flag for later. Don't bother if it's the last in
5234 if (i < KEX_MAX - 1) {
5235 s->preferred_kex[s->n_preferred_kex++] = NULL;
5242 * Set up the preferred ciphers. (NULL => warn below here)
5244 s->n_preferred_ciphers = 0;
5245 for (i = 0; i < CIPHER_MAX; i++) {
5246 switch (ssh->cfg.ssh_cipherlist[i]) {
5247 case CIPHER_BLOWFISH:
5248 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_blowfish;
5251 if (ssh->cfg.ssh2_des_cbc) {
5252 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_des;
5256 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_3des;
5259 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_aes;
5261 case CIPHER_ARCFOUR:
5262 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour;
5265 /* Flag for later. Don't bother if it's the last in
5267 if (i < CIPHER_MAX - 1) {
5268 s->preferred_ciphers[s->n_preferred_ciphers++] = NULL;
5275 * Set up preferred compression.
5277 if (ssh->cfg.compression)
5278 s->preferred_comp = &ssh_zlib;
5280 s->preferred_comp = &ssh_comp_none;
5283 * Enable queueing of outgoing auth- or connection-layer
5284 * packets while we are in the middle of a key exchange.
5286 ssh->queueing = TRUE;
5289 * Flag that KEX is in progress.
5291 ssh->kex_in_progress = TRUE;
5294 * Construct and send our key exchange packet.
5296 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXINIT);
5297 for (i = 0; i < 16; i++)
5298 ssh2_pkt_addbyte(s->pktout, (unsigned char) random_byte());
5299 /* List key exchange algorithms. */
5300 ssh2_pkt_addstring_start(s->pktout);
5301 commalist_started = 0;
5302 for (i = 0; i < s->n_preferred_kex; i++) {
5303 const struct ssh_kexes *k = s->preferred_kex[i];
5304 if (!k) continue; /* warning flag */
5305 for (j = 0; j < k->nkexes; j++) {
5306 if (commalist_started)
5307 ssh2_pkt_addstring_str(s->pktout, ",");
5308 ssh2_pkt_addstring_str(s->pktout, k->list[j]->name);
5309 commalist_started = 1;
5312 /* List server host key algorithms. */
5313 ssh2_pkt_addstring_start(s->pktout);
5314 for (i = 0; i < lenof(hostkey_algs); i++) {
5315 ssh2_pkt_addstring_str(s->pktout, hostkey_algs[i]->name);
5316 if (i < lenof(hostkey_algs) - 1)
5317 ssh2_pkt_addstring_str(s->pktout, ",");
5319 /* List client->server encryption algorithms. */
5320 ssh2_pkt_addstring_start(s->pktout);
5321 commalist_started = 0;
5322 for (i = 0; i < s->n_preferred_ciphers; i++) {
5323 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5324 if (!c) continue; /* warning flag */
5325 for (j = 0; j < c->nciphers; j++) {
5326 if (commalist_started)
5327 ssh2_pkt_addstring_str(s->pktout, ",");
5328 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5329 commalist_started = 1;
5332 /* List server->client encryption algorithms. */
5333 ssh2_pkt_addstring_start(s->pktout);
5334 commalist_started = 0;
5335 for (i = 0; i < s->n_preferred_ciphers; i++) {
5336 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5337 if (!c) continue; /* warning flag */
5338 for (j = 0; j < c->nciphers; j++) {
5339 if (commalist_started)
5340 ssh2_pkt_addstring_str(s->pktout, ",");
5341 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5342 commalist_started = 1;
5345 /* List client->server MAC algorithms. */
5346 ssh2_pkt_addstring_start(s->pktout);
5347 for (i = 0; i < s->nmacs; i++) {
5348 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5349 if (i < s->nmacs - 1)
5350 ssh2_pkt_addstring_str(s->pktout, ",");
5352 /* List server->client MAC algorithms. */
5353 ssh2_pkt_addstring_start(s->pktout);
5354 for (i = 0; i < s->nmacs; i++) {
5355 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5356 if (i < s->nmacs - 1)
5357 ssh2_pkt_addstring_str(s->pktout, ",");
5359 /* List client->server compression algorithms. */
5360 ssh2_pkt_addstring_start(s->pktout);
5361 assert(lenof(compressions) > 1);
5362 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5363 for (i = 0; i < lenof(compressions); i++) {
5364 const struct ssh_compress *c = compressions[i];
5365 if (c != s->preferred_comp) {
5366 ssh2_pkt_addstring_str(s->pktout, ",");
5367 ssh2_pkt_addstring_str(s->pktout, c->name);
5370 /* List server->client compression algorithms. */
5371 ssh2_pkt_addstring_start(s->pktout);
5372 assert(lenof(compressions) > 1);
5373 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5374 for (i = 0; i < lenof(compressions); i++) {
5375 const struct ssh_compress *c = compressions[i];
5376 if (c != s->preferred_comp) {
5377 ssh2_pkt_addstring_str(s->pktout, ",");
5378 ssh2_pkt_addstring_str(s->pktout, c->name);
5381 /* List client->server languages. Empty list. */
5382 ssh2_pkt_addstring_start(s->pktout);
5383 /* List server->client languages. Empty list. */
5384 ssh2_pkt_addstring_start(s->pktout);
5385 /* First KEX packet does _not_ follow, because we're not that brave. */
5386 ssh2_pkt_addbool(s->pktout, FALSE);
5388 ssh2_pkt_adduint32(s->pktout, 0);
5391 s->our_kexinitlen = s->pktout->length - 5;
5392 s->our_kexinit = snewn(s->our_kexinitlen, unsigned char);
5393 memcpy(s->our_kexinit, s->pktout->data + 5, s->our_kexinitlen);
5395 ssh2_pkt_send_noqueue(ssh, s->pktout);
5401 * Now examine the other side's KEXINIT to see what we're up
5405 char *str, *preferred;
5408 if (pktin->type != SSH2_MSG_KEXINIT) {
5409 bombout(("expected key exchange packet from server"));
5413 ssh->hostkey = NULL;
5414 s->cscipher_tobe = NULL;
5415 s->sccipher_tobe = NULL;
5416 s->csmac_tobe = NULL;
5417 s->scmac_tobe = NULL;
5418 s->cscomp_tobe = NULL;
5419 s->sccomp_tobe = NULL;
5420 s->warn_kex = s->warn_cscipher = s->warn_sccipher = FALSE;
5422 pktin->savedpos += 16; /* skip garbage cookie */
5423 ssh_pkt_getstring(pktin, &str, &len); /* key exchange algorithms */
5426 for (i = 0; i < s->n_preferred_kex; i++) {
5427 const struct ssh_kexes *k = s->preferred_kex[i];
5431 for (j = 0; j < k->nkexes; j++) {
5432 if (!preferred) preferred = k->list[j]->name;
5433 if (in_commasep_string(k->list[j]->name, str, len)) {
5434 ssh->kex = k->list[j];
5443 bombout(("Couldn't agree a key exchange algorithm (available: %s)",
5444 str ? str : "(null)"));
5448 * Note that the server's guess is considered wrong if it doesn't match
5449 * the first algorithm in our list, even if it's still the algorithm
5452 s->guessok = first_in_commasep_string(preferred, str, len);
5453 ssh_pkt_getstring(pktin, &str, &len); /* host key algorithms */
5454 for (i = 0; i < lenof(hostkey_algs); i++) {
5455 if (in_commasep_string(hostkey_algs[i]->name, str, len)) {
5456 ssh->hostkey = hostkey_algs[i];
5460 s->guessok = s->guessok &&
5461 first_in_commasep_string(hostkey_algs[0]->name, str, len);
5462 ssh_pkt_getstring(pktin, &str, &len); /* client->server cipher */
5463 for (i = 0; i < s->n_preferred_ciphers; i++) {
5464 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5466 s->warn_cscipher = TRUE;
5468 for (j = 0; j < c->nciphers; j++) {
5469 if (in_commasep_string(c->list[j]->name, str, len)) {
5470 s->cscipher_tobe = c->list[j];
5475 if (s->cscipher_tobe)
5478 if (!s->cscipher_tobe) {
5479 bombout(("Couldn't agree a client-to-server cipher (available: %s)",
5480 str ? str : "(null)"));
5484 ssh_pkt_getstring(pktin, &str, &len); /* server->client cipher */
5485 for (i = 0; i < s->n_preferred_ciphers; i++) {
5486 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5488 s->warn_sccipher = TRUE;
5490 for (j = 0; j < c->nciphers; j++) {
5491 if (in_commasep_string(c->list[j]->name, str, len)) {
5492 s->sccipher_tobe = c->list[j];
5497 if (s->sccipher_tobe)
5500 if (!s->sccipher_tobe) {
5501 bombout(("Couldn't agree a server-to-client cipher (available: %s)",
5502 str ? str : "(null)"));
5506 ssh_pkt_getstring(pktin, &str, &len); /* client->server mac */
5507 for (i = 0; i < s->nmacs; i++) {
5508 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5509 s->csmac_tobe = s->maclist[i];
5513 ssh_pkt_getstring(pktin, &str, &len); /* server->client mac */
5514 for (i = 0; i < s->nmacs; i++) {
5515 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5516 s->scmac_tobe = s->maclist[i];
5520 ssh_pkt_getstring(pktin, &str, &len); /* client->server compression */
5521 for (i = 0; i < lenof(compressions) + 1; i++) {
5522 const struct ssh_compress *c =
5523 i == 0 ? s->preferred_comp : compressions[i - 1];
5524 if (in_commasep_string(c->name, str, len)) {
5529 ssh_pkt_getstring(pktin, &str, &len); /* server->client compression */
5530 for (i = 0; i < lenof(compressions) + 1; i++) {
5531 const struct ssh_compress *c =
5532 i == 0 ? s->preferred_comp : compressions[i - 1];
5533 if (in_commasep_string(c->name, str, len)) {
5538 ssh_pkt_getstring(pktin, &str, &len); /* client->server language */
5539 ssh_pkt_getstring(pktin, &str, &len); /* server->client language */
5540 s->ignorepkt = ssh2_pkt_getbool(pktin) && !s->guessok;
5543 ssh_set_frozen(ssh, 1);
5544 s->dlgret = askalg(ssh->frontend, "key-exchange algorithm",
5546 ssh_dialog_callback, ssh);
5547 if (s->dlgret < 0) {
5551 bombout(("Unexpected data from server while"
5552 " waiting for user response"));
5555 } while (pktin || inlen > 0);
5556 s->dlgret = ssh->user_response;
5558 ssh_set_frozen(ssh, 0);
5559 if (s->dlgret == 0) {
5560 ssh_disconnect(ssh, "User aborted at kex warning", NULL,
5566 if (s->warn_cscipher) {
5567 ssh_set_frozen(ssh, 1);
5568 s->dlgret = askalg(ssh->frontend,
5569 "client-to-server cipher",
5570 s->cscipher_tobe->name,
5571 ssh_dialog_callback, ssh);
5572 if (s->dlgret < 0) {
5576 bombout(("Unexpected data from server while"
5577 " waiting for user response"));
5580 } while (pktin || inlen > 0);
5581 s->dlgret = ssh->user_response;
5583 ssh_set_frozen(ssh, 0);
5584 if (s->dlgret == 0) {
5585 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5591 if (s->warn_sccipher) {
5592 ssh_set_frozen(ssh, 1);
5593 s->dlgret = askalg(ssh->frontend,
5594 "server-to-client cipher",
5595 s->sccipher_tobe->name,
5596 ssh_dialog_callback, ssh);
5597 if (s->dlgret < 0) {
5601 bombout(("Unexpected data from server while"
5602 " waiting for user response"));
5605 } while (pktin || inlen > 0);
5606 s->dlgret = ssh->user_response;
5608 ssh_set_frozen(ssh, 0);
5609 if (s->dlgret == 0) {
5610 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5616 ssh->exhash = ssh->kex->hash->init();
5617 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_c, strlen(ssh->v_c));
5618 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_s, strlen(ssh->v_s));
5619 hash_string(ssh->kex->hash, ssh->exhash,
5620 s->our_kexinit, s->our_kexinitlen);
5621 sfree(s->our_kexinit);
5622 if (pktin->length > 5)
5623 hash_string(ssh->kex->hash, ssh->exhash,
5624 pktin->data + 5, pktin->length - 5);
5626 if (s->ignorepkt) /* first_kex_packet_follows */
5627 crWaitUntil(pktin); /* Ignore packet */
5630 if (ssh->kex->main_type == KEXTYPE_DH) {
5632 * Work out the number of bits of key we will need from the
5633 * key exchange. We start with the maximum key length of
5639 csbits = s->cscipher_tobe->keylen;
5640 scbits = s->sccipher_tobe->keylen;
5641 s->nbits = (csbits > scbits ? csbits : scbits);
5643 /* The keys only have hlen-bit entropy, since they're based on
5644 * a hash. So cap the key size at hlen bits. */
5645 if (s->nbits > ssh->kex->hash->hlen * 8)
5646 s->nbits = ssh->kex->hash->hlen * 8;
5649 * If we're doing Diffie-Hellman group exchange, start by
5650 * requesting a group.
5652 if (!ssh->kex->pdata) {
5653 logevent("Doing Diffie-Hellman group exchange");
5654 ssh->pkt_kctx = SSH2_PKTCTX_DHGEX;
5656 * Work out how big a DH group we will need to allow that
5659 s->pbits = 512 << ((s->nbits - 1) / 64);
5660 s->pktout = ssh2_pkt_init(SSH2_MSG_KEX_DH_GEX_REQUEST);
5661 ssh2_pkt_adduint32(s->pktout, s->pbits);
5662 ssh2_pkt_send_noqueue(ssh, s->pktout);
5665 if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
5666 bombout(("expected key exchange group packet from server"));
5669 s->p = ssh2_pkt_getmp(pktin);
5670 s->g = ssh2_pkt_getmp(pktin);
5671 if (!s->p || !s->g) {
5672 bombout(("unable to read mp-ints from incoming group packet"));
5675 ssh->kex_ctx = dh_setup_gex(s->p, s->g);
5676 s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
5677 s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
5679 ssh->pkt_kctx = SSH2_PKTCTX_DHGROUP;
5680 ssh->kex_ctx = dh_setup_group(ssh->kex);
5681 s->kex_init_value = SSH2_MSG_KEXDH_INIT;
5682 s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
5683 logeventf(ssh, "Using Diffie-Hellman with standard group \"%s\"",
5684 ssh->kex->groupname);
5687 logeventf(ssh, "Doing Diffie-Hellman key exchange with hash %s",
5688 ssh->kex->hash->text_name);
5690 * Now generate and send e for Diffie-Hellman.
5692 set_busy_status(ssh->frontend, BUSY_CPU); /* this can take a while */
5693 s->e = dh_create_e(ssh->kex_ctx, s->nbits * 2);
5694 s->pktout = ssh2_pkt_init(s->kex_init_value);
5695 ssh2_pkt_addmp(s->pktout, s->e);
5696 ssh2_pkt_send_noqueue(ssh, s->pktout);
5698 set_busy_status(ssh->frontend, BUSY_WAITING); /* wait for server */
5700 if (pktin->type != s->kex_reply_value) {
5701 bombout(("expected key exchange reply packet from server"));
5704 set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
5705 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5706 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5707 s->f = ssh2_pkt_getmp(pktin);
5709 bombout(("unable to parse key exchange reply packet"));
5712 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
5714 s->K = dh_find_K(ssh->kex_ctx, s->f);
5716 /* We assume everything from now on will be quick, and it might
5717 * involve user interaction. */
5718 set_busy_status(ssh->frontend, BUSY_NOT);
5720 hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
5721 if (!ssh->kex->pdata) {
5722 hash_uint32(ssh->kex->hash, ssh->exhash, s->pbits);
5723 hash_mpint(ssh->kex->hash, ssh->exhash, s->p);
5724 hash_mpint(ssh->kex->hash, ssh->exhash, s->g);
5726 hash_mpint(ssh->kex->hash, ssh->exhash, s->e);
5727 hash_mpint(ssh->kex->hash, ssh->exhash, s->f);
5729 dh_cleanup(ssh->kex_ctx);
5731 if (!ssh->kex->pdata) {
5736 logeventf(ssh, "Doing RSA key exchange with hash %s",
5737 ssh->kex->hash->text_name);
5738 ssh->pkt_kctx = SSH2_PKTCTX_RSAKEX;
5740 * RSA key exchange. First expect a KEXRSA_PUBKEY packet
5744 if (pktin->type != SSH2_MSG_KEXRSA_PUBKEY) {
5745 bombout(("expected RSA public key packet from server"));
5749 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5750 hash_string(ssh->kex->hash, ssh->exhash,
5751 s->hostkeydata, s->hostkeylen);
5752 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5756 ssh_pkt_getstring(pktin, &keydata, &s->rsakeylen);
5757 s->rsakeydata = snewn(s->rsakeylen, char);
5758 memcpy(s->rsakeydata, keydata, s->rsakeylen);
5761 s->rsakey = ssh_rsakex_newkey(s->rsakeydata, s->rsakeylen);
5763 sfree(s->rsakeydata);
5764 bombout(("unable to parse RSA public key from server"));
5768 hash_string(ssh->kex->hash, ssh->exhash, s->rsakeydata, s->rsakeylen);
5771 * Next, set up a shared secret K, of precisely KLEN -
5772 * 2*HLEN - 49 bits, where KLEN is the bit length of the
5773 * RSA key modulus and HLEN is the bit length of the hash
5777 int klen = ssh_rsakex_klen(s->rsakey);
5778 int nbits = klen - (2*ssh->kex->hash->hlen*8 + 49);
5780 unsigned char *kstr1, *kstr2, *outstr;
5781 int kstr1len, kstr2len, outstrlen;
5783 s->K = bn_power_2(nbits - 1);
5785 for (i = 0; i < nbits; i++) {
5787 byte = random_byte();
5789 bignum_set_bit(s->K, i, (byte >> (i & 7)) & 1);
5793 * Encode this as an mpint.
5795 kstr1 = ssh2_mpint_fmt(s->K, &kstr1len);
5796 kstr2 = snewn(kstr2len = 4 + kstr1len, unsigned char);
5797 PUT_32BIT(kstr2, kstr1len);
5798 memcpy(kstr2 + 4, kstr1, kstr1len);
5801 * Encrypt it with the given RSA key.
5803 outstrlen = (klen + 7) / 8;
5804 outstr = snewn(outstrlen, unsigned char);
5805 ssh_rsakex_encrypt(ssh->kex->hash, kstr2, kstr2len,
5806 outstr, outstrlen, s->rsakey);
5809 * And send it off in a return packet.
5811 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXRSA_SECRET);
5812 ssh2_pkt_addstring_start(s->pktout);
5813 ssh2_pkt_addstring_data(s->pktout, (char *)outstr, outstrlen);
5814 ssh2_pkt_send_noqueue(ssh, s->pktout);
5816 hash_string(ssh->kex->hash, ssh->exhash, outstr, outstrlen);
5823 ssh_rsakex_freekey(s->rsakey);
5826 if (pktin->type != SSH2_MSG_KEXRSA_DONE) {
5827 sfree(s->rsakeydata);
5828 bombout(("expected signature packet from server"));
5832 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
5834 sfree(s->rsakeydata);
5837 hash_mpint(ssh->kex->hash, ssh->exhash, s->K);
5838 assert(ssh->kex->hash->hlen <= sizeof(s->exchange_hash));
5839 ssh->kex->hash->final(ssh->exhash, s->exchange_hash);
5841 ssh->kex_ctx = NULL;
5844 debug(("Exchange hash is:\n"));
5845 dmemdump(s->exchange_hash, ssh->kex->hash->hlen);
5849 !ssh->hostkey->verifysig(s->hkey, s->sigdata, s->siglen,
5850 (char *)s->exchange_hash,
5851 ssh->kex->hash->hlen)) {
5852 bombout(("Server's host key did not match the signature supplied"));
5857 * Authenticate remote host: verify host key. (We've already
5858 * checked the signature of the exchange hash.)
5860 s->keystr = ssh->hostkey->fmtkey(s->hkey);
5861 s->fingerprint = ssh->hostkey->fingerprint(s->hkey);
5862 ssh_set_frozen(ssh, 1);
5863 s->dlgret = verify_ssh_host_key(ssh->frontend,
5864 ssh->savedhost, ssh->savedport,
5865 ssh->hostkey->keytype, s->keystr,
5867 ssh_dialog_callback, ssh);
5868 if (s->dlgret < 0) {
5872 bombout(("Unexpected data from server while waiting"
5873 " for user host key response"));
5876 } while (pktin || inlen > 0);
5877 s->dlgret = ssh->user_response;
5879 ssh_set_frozen(ssh, 0);
5880 if (s->dlgret == 0) {
5881 ssh_disconnect(ssh, "User aborted at host key verification", NULL,
5885 if (!s->got_session_id) { /* don't bother logging this in rekeys */
5886 logevent("Host key fingerprint is:");
5887 logevent(s->fingerprint);
5889 sfree(s->fingerprint);
5891 ssh->hostkey->freekey(s->hkey);
5894 * The exchange hash from the very first key exchange is also
5895 * the session id, used in session key construction and
5898 if (!s->got_session_id) {
5899 assert(sizeof(s->exchange_hash) <= sizeof(ssh->v2_session_id));
5900 memcpy(ssh->v2_session_id, s->exchange_hash,
5901 sizeof(s->exchange_hash));
5902 ssh->v2_session_id_len = ssh->kex->hash->hlen;
5903 assert(ssh->v2_session_id_len <= sizeof(ssh->v2_session_id));
5904 s->got_session_id = TRUE;
5908 * Send SSH2_MSG_NEWKEYS.
5910 s->pktout = ssh2_pkt_init(SSH2_MSG_NEWKEYS);
5911 ssh2_pkt_send_noqueue(ssh, s->pktout);
5912 ssh->outgoing_data_size = 0; /* start counting from here */
5915 * We've sent client NEWKEYS, so create and initialise
5916 * client-to-server session keys.
5918 if (ssh->cs_cipher_ctx)
5919 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
5920 ssh->cscipher = s->cscipher_tobe;
5921 ssh->cs_cipher_ctx = ssh->cscipher->make_context();
5923 if (ssh->cs_mac_ctx)
5924 ssh->csmac->free_context(ssh->cs_mac_ctx);
5925 ssh->csmac = s->csmac_tobe;
5926 ssh->cs_mac_ctx = ssh->csmac->make_context();
5928 if (ssh->cs_comp_ctx)
5929 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
5930 ssh->cscomp = s->cscomp_tobe;
5931 ssh->cs_comp_ctx = ssh->cscomp->compress_init();
5934 * Set IVs on client-to-server keys. Here we use the exchange
5935 * hash from the _first_ key exchange.
5938 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
5939 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5940 ssh2_mkkey(ssh,s->K,s->exchange_hash,'C',keyspace);
5941 assert((ssh->cscipher->keylen+7) / 8 <=
5942 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5943 ssh->cscipher->setkey(ssh->cs_cipher_ctx, keyspace);
5944 ssh2_mkkey(ssh,s->K,s->exchange_hash,'A',keyspace);
5945 assert(ssh->cscipher->blksize <=
5946 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5947 ssh->cscipher->setiv(ssh->cs_cipher_ctx, keyspace);
5948 ssh2_mkkey(ssh,s->K,s->exchange_hash,'E',keyspace);
5949 assert(ssh->csmac->len <=
5950 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5951 ssh->csmac->setkey(ssh->cs_mac_ctx, keyspace);
5952 memset(keyspace, 0, sizeof(keyspace));
5955 logeventf(ssh, "Initialised %.200s client->server encryption",
5956 ssh->cscipher->text_name);
5957 logeventf(ssh, "Initialised %.200s client->server MAC algorithm",
5958 ssh->csmac->text_name);
5959 if (ssh->cscomp->text_name)
5960 logeventf(ssh, "Initialised %s compression",
5961 ssh->cscomp->text_name);
5964 * Now our end of the key exchange is complete, we can send all
5965 * our queued higher-layer packets.
5967 ssh->queueing = FALSE;
5968 ssh2_pkt_queuesend(ssh);
5971 * Expect SSH2_MSG_NEWKEYS from server.
5974 if (pktin->type != SSH2_MSG_NEWKEYS) {
5975 bombout(("expected new-keys packet from server"));
5978 ssh->incoming_data_size = 0; /* start counting from here */
5981 * We've seen server NEWKEYS, so create and initialise
5982 * server-to-client session keys.
5984 if (ssh->sc_cipher_ctx)
5985 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
5986 ssh->sccipher = s->sccipher_tobe;
5987 ssh->sc_cipher_ctx = ssh->sccipher->make_context();
5989 if (ssh->sc_mac_ctx)
5990 ssh->scmac->free_context(ssh->sc_mac_ctx);
5991 ssh->scmac = s->scmac_tobe;
5992 ssh->sc_mac_ctx = ssh->scmac->make_context();
5994 if (ssh->sc_comp_ctx)
5995 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
5996 ssh->sccomp = s->sccomp_tobe;
5997 ssh->sc_comp_ctx = ssh->sccomp->decompress_init();
6000 * Set IVs on server-to-client keys. Here we use the exchange
6001 * hash from the _first_ key exchange.
6004 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
6005 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6006 ssh2_mkkey(ssh,s->K,s->exchange_hash,'D',keyspace);
6007 assert((ssh->sccipher->keylen+7) / 8 <=
6008 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6009 ssh->sccipher->setkey(ssh->sc_cipher_ctx, keyspace);
6010 ssh2_mkkey(ssh,s->K,s->exchange_hash,'B',keyspace);
6011 assert(ssh->sccipher->blksize <=
6012 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6013 ssh->sccipher->setiv(ssh->sc_cipher_ctx, keyspace);
6014 ssh2_mkkey(ssh,s->K,s->exchange_hash,'F',keyspace);
6015 assert(ssh->scmac->len <=
6016 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6017 ssh->scmac->setkey(ssh->sc_mac_ctx, keyspace);
6018 memset(keyspace, 0, sizeof(keyspace));
6020 logeventf(ssh, "Initialised %.200s server->client encryption",
6021 ssh->sccipher->text_name);
6022 logeventf(ssh, "Initialised %.200s server->client MAC algorithm",
6023 ssh->scmac->text_name);
6024 if (ssh->sccomp->text_name)
6025 logeventf(ssh, "Initialised %s decompression",
6026 ssh->sccomp->text_name);
6029 * Free shared secret.
6034 * Key exchange is over. Loop straight back round if we have a
6035 * deferred rekey reason.
6037 if (ssh->deferred_rekey_reason) {
6038 logevent(ssh->deferred_rekey_reason);
6040 ssh->deferred_rekey_reason = NULL;
6041 goto begin_key_exchange;
6045 * Otherwise, schedule a timer for our next rekey.
6047 ssh->kex_in_progress = FALSE;
6048 ssh->last_rekey = GETTICKCOUNT();
6049 if (ssh->cfg.ssh_rekey_time != 0)
6050 ssh->next_rekey = schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
6054 * If this is the first key exchange phase, we must pass the
6055 * SSH2_MSG_NEWKEYS packet to the next layer, not because it
6056 * wants to see it but because it will need time to initialise
6057 * itself before it sees an actual packet. In subsequent key
6058 * exchange phases, we don't pass SSH2_MSG_NEWKEYS on, because
6059 * it would only confuse the layer above.
6061 if (s->activated_authconn) {
6064 s->activated_authconn = TRUE;
6067 * Now we're encrypting. Begin returning 1 to the protocol main
6068 * function so that other things can run on top of the
6069 * transport. If we ever see a KEXINIT, we must go back to the
6072 * We _also_ go back to the start if we see pktin==NULL and
6073 * inlen==-1, because this is a special signal meaning
6074 * `initiate client-driven rekey', and `in' contains a message
6075 * giving the reason for the rekey.
6077 while (!((pktin && pktin->type == SSH2_MSG_KEXINIT) ||
6078 (!pktin && inlen == -1))) {
6083 logevent("Server initiated key re-exchange");
6086 * Special case: if the server bug is set that doesn't
6087 * allow rekeying, we give a different log message and
6088 * continue waiting. (If such a server _initiates_ a rekey,
6089 * we process it anyway!)
6091 if ((ssh->remote_bugs & BUG_SSH2_REKEY)) {
6092 logeventf(ssh, "Server bug prevents key re-exchange (%s)",
6094 /* Reset the counters, so that at least this message doesn't
6095 * hit the event log _too_ often. */
6096 ssh->outgoing_data_size = 0;
6097 ssh->incoming_data_size = 0;
6098 if (ssh->cfg.ssh_rekey_time != 0) {
6100 schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
6103 goto wait_for_rekey; /* this is utterly horrid */
6105 logeventf(ssh, "Initiating key re-exchange (%s)", (char *)in);
6108 goto begin_key_exchange;
6114 * Add data to an SSH-2 channel output buffer.
6116 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf,
6119 bufchain_add(&c->v.v2.outbuffer, buf, len);
6123 * Attempt to send data on an SSH-2 channel.
6125 static int ssh2_try_send(struct ssh_channel *c)
6128 struct Packet *pktout;
6130 while (c->v.v2.remwindow > 0 && bufchain_size(&c->v.v2.outbuffer) > 0) {
6133 bufchain_prefix(&c->v.v2.outbuffer, &data, &len);
6134 if ((unsigned)len > c->v.v2.remwindow)
6135 len = c->v.v2.remwindow;
6136 if ((unsigned)len > c->v.v2.remmaxpkt)
6137 len = c->v.v2.remmaxpkt;
6138 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_DATA);
6139 ssh2_pkt_adduint32(pktout, c->remoteid);
6140 ssh2_pkt_addstring_start(pktout);
6141 dont_log_data(ssh, pktout, PKTLOG_OMIT);
6142 ssh2_pkt_addstring_data(pktout, data, len);
6143 end_log_omission(ssh, pktout);
6144 ssh2_pkt_send(ssh, pktout);
6145 bufchain_consume(&c->v.v2.outbuffer, len);
6146 c->v.v2.remwindow -= len;
6150 * After having sent as much data as we can, return the amount
6153 return bufchain_size(&c->v.v2.outbuffer);
6156 static void ssh2_try_send_and_unthrottle(struct ssh_channel *c)
6160 return; /* don't send on closing channels */
6161 bufsize = ssh2_try_send(c);
6164 case CHAN_MAINSESSION:
6165 /* stdin need not receive an unthrottle
6166 * notification since it will be polled */
6169 x11_unthrottle(c->u.x11.s);
6172 /* agent sockets are request/response and need no
6173 * buffer management */
6176 pfd_unthrottle(c->u.pfd.s);
6183 * Potentially enlarge the window on an SSH-2 channel.
6185 static void ssh2_set_window(struct ssh_channel *c, int newwin)
6190 * Never send WINDOW_ADJUST for a channel that the remote side
6191 * already thinks it's closed; there's no point, since it won't
6192 * be sending any more data anyway.
6198 * Only send a WINDOW_ADJUST if there's significantly more window
6199 * available than the other end thinks there is. This saves us
6200 * sending a WINDOW_ADJUST for every character in a shell session.
6202 * "Significant" is arbitrarily defined as half the window size.
6204 if (newwin / 2 >= c->v.v2.locwindow) {
6205 struct Packet *pktout;
6207 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
6208 ssh2_pkt_adduint32(pktout, c->remoteid);
6209 ssh2_pkt_adduint32(pktout, newwin - c->v.v2.locwindow);
6210 ssh2_pkt_send(ssh, pktout);
6211 c->v.v2.locwindow = newwin;
6215 static void ssh2_msg_channel_window_adjust(Ssh ssh, struct Packet *pktin)
6217 unsigned i = ssh_pkt_getuint32(pktin);
6218 struct ssh_channel *c;
6219 c = find234(ssh->channels, &i, ssh_channelfind);
6220 if (c && !c->closes) {
6221 c->v.v2.remwindow += ssh_pkt_getuint32(pktin);
6222 ssh2_try_send_and_unthrottle(c);
6226 static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
6230 unsigned i = ssh_pkt_getuint32(pktin);
6231 struct ssh_channel *c;
6232 c = find234(ssh->channels, &i, ssh_channelfind);
6234 return; /* nonexistent channel */
6235 if (pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA &&
6236 ssh_pkt_getuint32(pktin) != SSH2_EXTENDED_DATA_STDERR)
6237 return; /* extended but not stderr */
6238 ssh_pkt_getstring(pktin, &data, &length);
6241 c->v.v2.locwindow -= length;
6243 case CHAN_MAINSESSION:
6245 from_backend(ssh->frontend, pktin->type ==
6246 SSH2_MSG_CHANNEL_EXTENDED_DATA,
6250 bufsize = x11_send(c->u.x11.s, data, length);
6253 bufsize = pfd_send(c->u.pfd.s, data, length);
6256 while (length > 0) {
6257 if (c->u.a.lensofar < 4) {
6258 unsigned int l = min(4 - c->u.a.lensofar,
6260 memcpy(c->u.a.msglen + c->u.a.lensofar,
6264 c->u.a.lensofar += l;
6266 if (c->u.a.lensofar == 4) {
6268 4 + GET_32BIT(c->u.a.msglen);
6269 c->u.a.message = snewn(c->u.a.totallen,
6271 memcpy(c->u.a.message, c->u.a.msglen, 4);
6273 if (c->u.a.lensofar >= 4 && length > 0) {
6275 min(c->u.a.totallen - c->u.a.lensofar,
6277 memcpy(c->u.a.message + c->u.a.lensofar,
6281 c->u.a.lensofar += l;
6283 if (c->u.a.lensofar == c->u.a.totallen) {
6286 if (agent_query(c->u.a.message,
6289 ssh_agentf_callback, c))
6290 ssh_agentf_callback(c, reply, replylen);
6291 sfree(c->u.a.message);
6292 c->u.a.lensofar = 0;
6299 * If we are not buffering too much data,
6300 * enlarge the window again at the remote side.
6301 * If we are buffering too much, we may still
6302 * need to adjust the window if the server's
6305 ssh2_set_window(c, bufsize < c->v.v2.locmaxwin ?
6306 c->v.v2.locmaxwin - bufsize : 0);
6310 static void ssh2_msg_channel_eof(Ssh ssh, struct Packet *pktin)
6312 unsigned i = ssh_pkt_getuint32(pktin);
6313 struct ssh_channel *c;
6315 c = find234(ssh->channels, &i, ssh_channelfind);
6317 return; /* nonexistent channel */
6319 if (c->type == CHAN_X11) {
6321 * Remote EOF on an X11 channel means we should
6322 * wrap up and close the channel ourselves.
6324 x11_close(c->u.x11.s);
6326 } else if (c->type == CHAN_AGENT) {
6328 } else if (c->type == CHAN_SOCKDATA) {
6329 pfd_close(c->u.pfd.s);
6334 static void ssh2_msg_channel_close(Ssh ssh, struct Packet *pktin)
6336 unsigned i = ssh_pkt_getuint32(pktin);
6337 struct ssh_channel *c;
6338 struct Packet *pktout;
6340 c = find234(ssh->channels, &i, ssh_channelfind);
6341 if (!c || c->halfopen) {
6342 bombout(("Received CHANNEL_CLOSE for %s channel %d\n",
6343 c ? "half-open" : "nonexistent", i));
6346 /* Do pre-close processing on the channel. */
6348 case CHAN_MAINSESSION:
6349 ssh->mainchan = NULL;
6350 update_specials_menu(ssh->frontend);
6353 if (c->u.x11.s != NULL)
6354 x11_close(c->u.x11.s);
6361 if (c->u.pfd.s != NULL)
6362 pfd_close(c->u.pfd.s);
6366 if (c->closes == 0) {
6367 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6368 ssh2_pkt_adduint32(pktout, c->remoteid);
6369 ssh2_pkt_send(ssh, pktout);
6371 del234(ssh->channels, c);
6372 bufchain_clear(&c->v.v2.outbuffer);
6376 * See if that was the last channel left open.
6377 * (This is only our termination condition if we're
6378 * not running in -N mode.)
6380 if (!ssh->cfg.ssh_no_shell && count234(ssh->channels) == 0) {
6382 * We used to send SSH_MSG_DISCONNECT here,
6383 * because I'd believed that _every_ conforming
6384 * SSH-2 connection had to end with a disconnect
6385 * being sent by at least one side; apparently
6386 * I was wrong and it's perfectly OK to
6387 * unceremoniously slam the connection shut
6388 * when you're done, and indeed OpenSSH feels
6389 * this is more polite than sending a
6390 * DISCONNECT. So now we don't.
6392 ssh_disconnect(ssh, "All channels closed", NULL, 0, TRUE);
6396 static void ssh2_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
6398 unsigned i = ssh_pkt_getuint32(pktin);
6399 struct ssh_channel *c;
6400 struct Packet *pktout;
6402 c = find234(ssh->channels, &i, ssh_channelfind);
6404 return; /* nonexistent channel */
6405 if (c->type != CHAN_SOCKDATA_DORMANT)
6406 return; /* dunno why they're confirming this */
6407 c->remoteid = ssh_pkt_getuint32(pktin);
6408 c->halfopen = FALSE;
6409 c->type = CHAN_SOCKDATA;
6410 c->v.v2.remwindow = ssh_pkt_getuint32(pktin);
6411 c->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
6413 pfd_confirm(c->u.pfd.s);
6416 * We have a pending close on this channel,
6417 * which we decided on before the server acked
6418 * the channel open. So now we know the
6419 * remoteid, we can close it again.
6421 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6422 ssh2_pkt_adduint32(pktout, c->remoteid);
6423 ssh2_pkt_send(ssh, pktout);
6427 static void ssh2_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
6429 static const char *const reasons[] = {
6430 "<unknown reason code>",
6431 "Administratively prohibited",
6433 "Unknown channel type",
6434 "Resource shortage",
6436 unsigned i = ssh_pkt_getuint32(pktin);
6437 unsigned reason_code;
6438 char *reason_string;
6440 struct ssh_channel *c;
6441 c = find234(ssh->channels, &i, ssh_channelfind);
6443 return; /* nonexistent channel */
6444 if (c->type != CHAN_SOCKDATA_DORMANT)
6445 return; /* dunno why they're failing this */
6447 reason_code = ssh_pkt_getuint32(pktin);
6448 if (reason_code >= lenof(reasons))
6449 reason_code = 0; /* ensure reasons[reason_code] in range */
6450 ssh_pkt_getstring(pktin, &reason_string, &reason_length);
6451 logeventf(ssh, "Forwarded connection refused by server: %s [%.*s]",
6452 reasons[reason_code], reason_length, reason_string);
6454 pfd_close(c->u.pfd.s);
6456 del234(ssh->channels, c);
6460 static void ssh2_msg_channel_request(Ssh ssh, struct Packet *pktin)
6464 int typelen, want_reply;
6465 int reply = SSH2_MSG_CHANNEL_FAILURE; /* default */
6466 struct ssh_channel *c;
6467 struct Packet *pktout;
6469 localid = ssh_pkt_getuint32(pktin);
6470 ssh_pkt_getstring(pktin, &type, &typelen);
6471 want_reply = ssh2_pkt_getbool(pktin);
6474 * First, check that the channel exists. Otherwise,
6475 * we can instantly disconnect with a rude message.
6477 c = find234(ssh->channels, &localid, ssh_channelfind);
6479 char *buf = dupprintf("Received channel request for nonexistent"
6480 " channel %d", localid);
6481 ssh_disconnect(ssh, NULL, buf, SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6487 * Having got the channel number, we now look at
6488 * the request type string to see if it's something
6491 if (c == ssh->mainchan) {
6493 * We recognise "exit-status" and "exit-signal" on
6494 * the primary channel.
6496 if (typelen == 11 &&
6497 !memcmp(type, "exit-status", 11)) {
6499 ssh->exitcode = ssh_pkt_getuint32(pktin);
6500 logeventf(ssh, "Server sent command exit status %d",
6502 reply = SSH2_MSG_CHANNEL_SUCCESS;
6504 } else if (typelen == 11 &&
6505 !memcmp(type, "exit-signal", 11)) {
6507 int is_plausible = TRUE, is_int = FALSE;
6508 char *fmt_sig = "", *fmt_msg = "";
6510 int msglen = 0, core = FALSE;
6511 /* ICK: older versions of OpenSSH (e.g. 3.4p1)
6512 * provide an `int' for the signal, despite its
6513 * having been a `string' in the drafts since at
6514 * least 2001. (Fixed in session.c 1.147.) Try to
6515 * infer which we can safely parse it as. */
6517 unsigned char *p = pktin->body +
6519 long len = pktin->length - pktin->savedpos;
6520 unsigned long num = GET_32BIT(p); /* what is it? */
6521 /* If it's 0, it hardly matters; assume string */
6525 int maybe_int = FALSE, maybe_str = FALSE;
6526 #define CHECK_HYPOTHESIS(offset, result) \
6529 if (q >= 0 && q+4 <= len) { \
6530 q = q + 4 + GET_32BIT(p+q); \
6531 if (q >= 0 && q+4 <= len && \
6532 ((q = q + 4 + GET_32BIT(p+q))!= 0) && q == len) \
6536 CHECK_HYPOTHESIS(4+1, maybe_int);
6537 CHECK_HYPOTHESIS(4+num+1, maybe_str);
6538 #undef CHECK_HYPOTHESIS
6539 if (maybe_int && !maybe_str)
6541 else if (!maybe_int && maybe_str)
6544 /* Crikey. Either or neither. Panic. */
6545 is_plausible = FALSE;
6548 ssh->exitcode = 128; /* means `unknown signal' */
6551 /* Old non-standard OpenSSH. */
6552 int signum = ssh_pkt_getuint32(pktin);
6553 fmt_sig = dupprintf(" %d", signum);
6554 ssh->exitcode = 128 + signum;
6556 /* As per the drafts. */
6559 ssh_pkt_getstring(pktin, &sig, &siglen);
6560 /* Signal name isn't supposed to be blank, but
6561 * let's cope gracefully if it is. */
6563 fmt_sig = dupprintf(" \"%.*s\"",
6568 * Really hideous method of translating the
6569 * signal description back into a locally
6570 * meaningful number.
6575 #define TRANSLATE_SIGNAL(s) \
6576 else if (siglen == lenof(#s)-1 && !memcmp(sig, #s, siglen)) \
6577 ssh->exitcode = 128 + SIG ## s
6579 TRANSLATE_SIGNAL(ABRT);
6582 TRANSLATE_SIGNAL(ALRM);
6585 TRANSLATE_SIGNAL(FPE);
6588 TRANSLATE_SIGNAL(HUP);
6591 TRANSLATE_SIGNAL(ILL);
6594 TRANSLATE_SIGNAL(INT);
6597 TRANSLATE_SIGNAL(KILL);
6600 TRANSLATE_SIGNAL(PIPE);
6603 TRANSLATE_SIGNAL(QUIT);
6606 TRANSLATE_SIGNAL(SEGV);
6609 TRANSLATE_SIGNAL(TERM);
6612 TRANSLATE_SIGNAL(USR1);
6615 TRANSLATE_SIGNAL(USR2);
6617 #undef TRANSLATE_SIGNAL
6619 ssh->exitcode = 128;
6621 core = ssh2_pkt_getbool(pktin);
6622 ssh_pkt_getstring(pktin, &msg, &msglen);
6624 fmt_msg = dupprintf(" (\"%.*s\")", msglen, msg);
6626 /* ignore lang tag */
6627 } /* else don't attempt to parse */
6628 logeventf(ssh, "Server exited on signal%s%s%s",
6629 fmt_sig, core ? " (core dumped)" : "",
6631 if (*fmt_sig) sfree(fmt_sig);
6632 if (*fmt_msg) sfree(fmt_msg);
6633 reply = SSH2_MSG_CHANNEL_SUCCESS;
6638 * This is a channel request we don't know
6639 * about, so we now either ignore the request
6640 * or respond with CHANNEL_FAILURE, depending
6643 reply = SSH2_MSG_CHANNEL_FAILURE;
6646 pktout = ssh2_pkt_init(reply);
6647 ssh2_pkt_adduint32(pktout, c->remoteid);
6648 ssh2_pkt_send(ssh, pktout);
6652 static void ssh2_msg_global_request(Ssh ssh, struct Packet *pktin)
6655 int typelen, want_reply;
6656 struct Packet *pktout;
6658 ssh_pkt_getstring(pktin, &type, &typelen);
6659 want_reply = ssh2_pkt_getbool(pktin);
6662 * We currently don't support any global requests
6663 * at all, so we either ignore the request or
6664 * respond with REQUEST_FAILURE, depending on
6668 pktout = ssh2_pkt_init(SSH2_MSG_REQUEST_FAILURE);
6669 ssh2_pkt_send(ssh, pktout);
6673 static void ssh2_msg_channel_open(Ssh ssh, struct Packet *pktin)
6681 struct ssh_channel *c;
6682 unsigned remid, winsize, pktsize;
6683 struct Packet *pktout;
6685 ssh_pkt_getstring(pktin, &type, &typelen);
6686 c = snew(struct ssh_channel);
6689 remid = ssh_pkt_getuint32(pktin);
6690 winsize = ssh_pkt_getuint32(pktin);
6691 pktsize = ssh_pkt_getuint32(pktin);
6693 if (typelen == 3 && !memcmp(type, "x11", 3)) {
6696 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
6697 addrstr = snewn(peeraddrlen+1, char);
6698 memcpy(addrstr, peeraddr, peeraddrlen);
6699 addrstr[peeraddrlen] = '\0';
6700 peerport = ssh_pkt_getuint32(pktin);
6702 logeventf(ssh, "Received X11 connect request from %s:%d",
6705 if (!ssh->X11_fwd_enabled)
6706 error = "X11 forwarding is not enabled";
6707 else if (x11_init(&c->u.x11.s, ssh->cfg.x11_display, c,
6708 ssh->x11auth, addrstr, peerport,
6709 &ssh->cfg) != NULL) {
6710 error = "Unable to open an X11 connection";
6712 logevent("Opening X11 forward connection succeeded");
6717 } else if (typelen == 15 &&
6718 !memcmp(type, "forwarded-tcpip", 15)) {
6719 struct ssh_rportfwd pf, *realpf;
6722 ssh_pkt_getstring(pktin, &dummy, &dummylen);/* skip address */
6723 pf.sport = ssh_pkt_getuint32(pktin);
6724 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
6725 peerport = ssh_pkt_getuint32(pktin);
6726 realpf = find234(ssh->rportfwds, &pf, NULL);
6727 logeventf(ssh, "Received remote port %d open request "
6728 "from %s:%d", pf.sport, peeraddr, peerport);
6729 if (realpf == NULL) {
6730 error = "Remote port is not recognised";
6732 const char *e = pfd_newconnect(&c->u.pfd.s,
6736 realpf->pfrec->addressfamily);
6737 logeventf(ssh, "Attempting to forward remote port to "
6738 "%s:%d", realpf->dhost, realpf->dport);
6740 logeventf(ssh, "Port open failed: %s", e);
6741 error = "Port open failed";
6743 logevent("Forwarded port opened successfully");
6744 c->type = CHAN_SOCKDATA;
6747 } else if (typelen == 22 &&
6748 !memcmp(type, "auth-agent@openssh.com", 22)) {
6749 if (!ssh->agentfwd_enabled)
6750 error = "Agent forwarding is not enabled";
6752 c->type = CHAN_AGENT; /* identify channel type */
6753 c->u.a.lensofar = 0;
6756 error = "Unsupported channel type requested";
6759 c->remoteid = remid;
6760 c->halfopen = FALSE;
6762 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_FAILURE);
6763 ssh2_pkt_adduint32(pktout, c->remoteid);
6764 ssh2_pkt_adduint32(pktout, SSH2_OPEN_CONNECT_FAILED);
6765 ssh2_pkt_addstring(pktout, error);
6766 ssh2_pkt_addstring(pktout, "en"); /* language tag */
6767 ssh2_pkt_send(ssh, pktout);
6768 logeventf(ssh, "Rejected channel open: %s", error);
6771 c->localid = alloc_channel_id(ssh);
6773 c->v.v2.locwindow = c->v.v2.locmaxwin = OUR_V2_WINSIZE;
6774 c->v.v2.remwindow = winsize;
6775 c->v.v2.remmaxpkt = pktsize;
6776 bufchain_init(&c->v.v2.outbuffer);
6777 add234(ssh->channels, c);
6778 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
6779 ssh2_pkt_adduint32(pktout, c->remoteid);
6780 ssh2_pkt_adduint32(pktout, c->localid);
6781 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);
6782 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
6783 ssh2_pkt_send(ssh, pktout);
6788 * Buffer banner messages for later display at some convenient point.
6790 static void ssh2_msg_userauth_banner(Ssh ssh, struct Packet *pktin)
6792 /* Arbitrary limit to prevent unbounded inflation of buffer */
6793 if (bufchain_size(&ssh->banner) <= 131072) {
6794 char *banner = NULL;
6796 ssh_pkt_getstring(pktin, &banner, &size);
6798 bufchain_add(&ssh->banner, banner, size);
6802 /* Helper function to deal with sending tty modes for "pty-req" */
6803 static void ssh2_send_ttymode(void *data, char *mode, char *val)
6805 struct Packet *pktout = (struct Packet *)data;
6807 unsigned int arg = 0;
6808 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
6809 if (i == lenof(ssh_ttymodes)) return;
6810 switch (ssh_ttymodes[i].type) {
6812 arg = ssh_tty_parse_specchar(val);
6815 arg = ssh_tty_parse_boolean(val);
6818 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
6819 ssh2_pkt_adduint32(pktout, arg);
6823 * Handle the SSH-2 userauth and connection layers.
6825 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
6826 struct Packet *pktin)
6828 struct do_ssh2_authconn_state {
6831 AUTH_TYPE_PUBLICKEY,
6832 AUTH_TYPE_PUBLICKEY_OFFER_LOUD,
6833 AUTH_TYPE_PUBLICKEY_OFFER_QUIET,
6835 AUTH_TYPE_KEYBOARD_INTERACTIVE,
6836 AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
6838 int done_service_req;
6839 int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter;
6840 int tried_pubkey_config, done_agent;
6841 int kbd_inter_refused;
6843 prompts_t *cur_prompt;
6848 void *publickey_blob;
6849 int publickey_bloblen;
6850 int publickey_encrypted;
6851 char *publickey_algorithm;
6852 char *publickey_comment;
6853 unsigned char agent_request[5], *agent_response, *agentp;
6854 int agent_responselen;
6855 unsigned char *pkblob_in_agent;
6857 char *pkblob, *alg, *commentp;
6858 int pklen, alglen, commentlen;
6859 int siglen, retlen, len;
6860 char *q, *agentreq, *ret;
6862 int num_env, env_left, env_ok;
6863 struct Packet *pktout;
6865 crState(do_ssh2_authconn_state);
6867 crBegin(ssh->do_ssh2_authconn_crstate);
6869 s->done_service_req = FALSE;
6870 s->we_are_in = FALSE;
6871 if (!ssh->cfg.ssh_no_userauth) {
6873 * Request userauth protocol, and await a response to it.
6875 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
6876 ssh2_pkt_addstring(s->pktout, "ssh-userauth");
6877 ssh2_pkt_send(ssh, s->pktout);
6878 crWaitUntilV(pktin);
6879 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT)
6880 s->done_service_req = TRUE;
6882 if (!s->done_service_req) {
6884 * Request connection protocol directly, without authentication.
6886 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
6887 ssh2_pkt_addstring(s->pktout, "ssh-connection");
6888 ssh2_pkt_send(ssh, s->pktout);
6889 crWaitUntilV(pktin);
6890 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) {
6891 s->we_are_in = TRUE; /* no auth required */
6893 bombout(("Server refused service request"));
6898 /* Arrange to be able to deal with any BANNERs that come in.
6899 * (We do this now as packets may come in during the next bit.) */
6900 bufchain_init(&ssh->banner);
6901 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] =
6902 ssh2_msg_userauth_banner;
6905 * Misc one-time setup for authentication.
6907 s->publickey_blob = NULL;
6908 if (!s->we_are_in) {
6911 * Load the public half of any configured public key file
6914 if (!filename_is_null(ssh->cfg.keyfile)) {
6916 logeventf(ssh, "Reading private key file \"%.150s\"",
6917 filename_to_str(&ssh->cfg.keyfile));
6918 keytype = key_type(&ssh->cfg.keyfile);
6919 if (keytype == SSH_KEYTYPE_SSH2) {
6922 ssh2_userkey_loadpub(&ssh->cfg.keyfile,
6923 &s->publickey_algorithm,
6924 &s->publickey_bloblen,
6925 &s->publickey_comment, &error);
6926 if (s->publickey_blob) {
6927 s->publickey_encrypted =
6928 ssh2_userkey_encrypted(&ssh->cfg.keyfile, NULL);
6931 logeventf(ssh, "Unable to load private key (%s)",
6933 msgbuf = dupprintf("Unable to load private key file "
6934 "\"%.150s\" (%s)\r\n",
6935 filename_to_str(&ssh->cfg.keyfile),
6937 c_write_str(ssh, msgbuf);
6942 logeventf(ssh, "Unable to use this key file (%s)",
6943 key_type_to_str(keytype));
6944 msgbuf = dupprintf("Unable to use key file \"%.150s\""
6946 filename_to_str(&ssh->cfg.keyfile),
6947 key_type_to_str(keytype));
6948 c_write_str(ssh, msgbuf);
6950 s->publickey_blob = NULL;
6955 * Find out about any keys Pageant has (but if there's a
6956 * public key configured, filter out all others).
6959 s->agent_response = NULL;
6960 s->pkblob_in_agent = NULL;
6961 if (ssh->cfg.tryagent && agent_exists()) {
6965 logevent("Pageant is running. Requesting keys.");
6967 /* Request the keys held by the agent. */
6968 PUT_32BIT(s->agent_request, 1);
6969 s->agent_request[4] = SSH2_AGENTC_REQUEST_IDENTITIES;
6970 if (!agent_query(s->agent_request, 5, &r, &s->agent_responselen,
6971 ssh_agent_callback, ssh)) {
6975 bombout(("Unexpected data from server while"
6976 " waiting for agent response"));
6979 } while (pktin || inlen > 0);
6980 r = ssh->agent_response;
6981 s->agent_responselen = ssh->agent_response_len;
6983 s->agent_response = (unsigned char *) r;
6984 if (s->agent_response && s->agent_responselen >= 5 &&
6985 s->agent_response[4] == SSH2_AGENT_IDENTITIES_ANSWER) {
6988 p = s->agent_response + 5;
6989 s->nkeys = GET_32BIT(p);
6991 logeventf(ssh, "Pageant has %d SSH-2 keys", s->nkeys);
6992 if (s->publickey_blob) {
6993 /* See if configured key is in agent. */
6994 for (keyi = 0; keyi < s->nkeys; keyi++) {
6995 s->pklen = GET_32BIT(p);
6996 if (s->pklen == s->publickey_bloblen &&
6997 !memcmp(p+4, s->publickey_blob,
6998 s->publickey_bloblen)) {
6999 logeventf(ssh, "Pageant key #%d matches "
7000 "configured key file", keyi);
7002 s->pkblob_in_agent = p;
7006 p += GET_32BIT(p) + 4; /* comment */
7008 if (!s->pkblob_in_agent) {
7009 logevent("Configured key file not in Pageant");
7019 * We repeat this whole loop, including the username prompt,
7020 * until we manage a successful authentication. If the user
7021 * types the wrong _password_, they can be sent back to the
7022 * beginning to try another username, if this is configured on.
7023 * (If they specify a username in the config, they are never
7024 * asked, even if they do give a wrong password.)
7026 * I think this best serves the needs of
7028 * - the people who have no configuration, no keys, and just
7029 * want to try repeated (username,password) pairs until they
7030 * type both correctly
7032 * - people who have keys and configuration but occasionally
7033 * need to fall back to passwords
7035 * - people with a key held in Pageant, who might not have
7036 * logged in to a particular machine before; so they want to
7037 * type a username, and then _either_ their key will be
7038 * accepted, _or_ they will type a password. If they mistype
7039 * the username they will want to be able to get back and
7042 s->username[0] = '\0';
7043 s->got_username = FALSE;
7044 while (!s->we_are_in) {
7048 if (s->got_username && !ssh->cfg.change_username) {
7050 * We got a username last time round this loop, and
7051 * with change_username turned off we don't try to get
7054 } else if (!*ssh->cfg.username) {
7055 int ret; /* need not be kept over crReturn */
7056 s->cur_prompt = new_prompts(ssh->frontend);
7057 s->cur_prompt->to_server = TRUE;
7058 s->cur_prompt->name = dupstr("SSH login name");
7059 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
7060 lenof(s->username));
7061 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7064 crWaitUntilV(!pktin);
7065 ret = get_userpass_input(s->cur_prompt, in, inlen);
7070 * get_userpass_input() failed to get a username.
7073 free_prompts(s->cur_prompt);
7074 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
7077 memcpy(s->username, s->cur_prompt->prompts[0]->result,
7078 lenof(s->username));
7079 free_prompts(s->cur_prompt);
7082 strncpy(s->username, ssh->cfg.username, sizeof(s->username));
7083 s->username[sizeof(s->username)-1] = '\0';
7084 if ((flags & FLAG_VERBOSE) || (flags & FLAG_INTERACTIVE)) {
7085 stuff = dupprintf("Using username \"%s\".\r\n", s->username);
7086 c_write_str(ssh, stuff);
7090 s->got_username = TRUE;
7093 * Send an authentication request using method "none": (a)
7094 * just in case it succeeds, and (b) so that we know what
7095 * authentication methods we can usefully try next.
7097 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
7099 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7100 ssh2_pkt_addstring(s->pktout, s->username);
7101 ssh2_pkt_addstring(s->pktout, "ssh-connection");/* service requested */
7102 ssh2_pkt_addstring(s->pktout, "none"); /* method */
7103 ssh2_pkt_send(ssh, s->pktout);
7104 s->type = AUTH_TYPE_NONE;
7106 s->we_are_in = FALSE;
7108 s->tried_pubkey_config = FALSE;
7109 s->kbd_inter_refused = FALSE;
7111 /* Reset agent request state. */
7112 s->done_agent = FALSE;
7113 if (s->agent_response) {
7114 if (s->pkblob_in_agent) {
7115 s->agentp = s->pkblob_in_agent;
7117 s->agentp = s->agent_response + 5 + 4;
7124 * Wait for the result of the last authentication request.
7127 crWaitUntilV(pktin);
7129 * Now is a convenient point to spew any banner material
7130 * that we've accumulated. (This should ensure that when
7131 * we exit the auth loop, we haven't any left to deal
7135 int size = bufchain_size(&ssh->banner);
7137 * Don't show the banner if we're operating in
7138 * non-verbose non-interactive mode. (It's probably
7139 * a script, which means nobody will read the
7140 * banner _anyway_, and moreover the printing of
7141 * the banner will screw up processing on the
7142 * output of (say) plink.)
7144 if (size && (flags & (FLAG_VERBOSE | FLAG_INTERACTIVE))) {
7145 char *banner = snewn(size, char);
7146 bufchain_fetch(&ssh->banner, banner, size);
7147 c_write_untrusted(ssh, banner, size);
7150 bufchain_clear(&ssh->banner);
7152 if (pktin->type == SSH2_MSG_USERAUTH_SUCCESS) {
7153 logevent("Access granted");
7154 s->we_are_in = TRUE;
7158 if (pktin->type != SSH2_MSG_USERAUTH_FAILURE) {
7159 bombout(("Strange packet received during authentication: "
7160 "type %d", pktin->type));
7167 * OK, we're now sitting on a USERAUTH_FAILURE message, so
7168 * we can look at the string in it and know what we can
7169 * helpfully try next.
7171 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE) {
7174 ssh_pkt_getstring(pktin, &methods, &methlen);
7175 if (!ssh2_pkt_getbool(pktin)) {
7177 * We have received an unequivocal Access
7178 * Denied. This can translate to a variety of
7181 * - if we'd just tried "none" authentication,
7182 * it's not worth printing anything at all
7184 * - if we'd just tried a public key _offer_,
7185 * the message should be "Server refused our
7186 * key" (or no message at all if the key
7187 * came from Pageant)
7189 * - if we'd just tried anything else, the
7190 * message really should be "Access denied".
7192 * Additionally, if we'd just tried password
7193 * authentication, we should break out of this
7194 * whole loop so as to go back to the username
7195 * prompt (iff we're configured to allow
7196 * username change attempts).
7198 if (s->type == AUTH_TYPE_NONE) {
7200 } else if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD ||
7201 s->type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) {
7202 if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD)
7203 c_write_str(ssh, "Server refused our key\r\n");
7204 logevent("Server refused public key");
7205 } else if (s->type==AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET) {
7206 /* server declined keyboard-interactive; ignore */
7208 c_write_str(ssh, "Access denied\r\n");
7209 logevent("Access denied");
7210 if (s->type == AUTH_TYPE_PASSWORD &&
7211 ssh->cfg.change_username) {
7212 /* XXX perhaps we should allow
7213 * keyboard-interactive to do this too? */
7214 s->we_are_in = FALSE;
7219 c_write_str(ssh, "Further authentication required\r\n");
7220 logevent("Further authentication required");
7224 in_commasep_string("publickey", methods, methlen);
7226 in_commasep_string("password", methods, methlen);
7227 s->can_keyb_inter = ssh->cfg.try_ki_auth &&
7228 in_commasep_string("keyboard-interactive", methods, methlen);
7231 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
7233 if (s->can_pubkey && !s->done_agent && s->nkeys) {
7236 * Attempt public-key authentication using a key from Pageant.
7239 ssh->pkt_actx = SSH2_PKTCTX_PUBLICKEY;
7241 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
7243 /* Unpack key from agent response */
7244 s->pklen = GET_32BIT(s->agentp);
7246 s->pkblob = (char *)s->agentp;
7247 s->agentp += s->pklen;
7248 s->alglen = GET_32BIT(s->pkblob);
7249 s->alg = s->pkblob + 4;
7250 s->commentlen = GET_32BIT(s->agentp);
7252 s->commentp = (char *)s->agentp;
7253 s->agentp += s->commentlen;
7254 /* s->agentp now points at next key, if any */
7256 /* See if server will accept it */
7257 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7258 ssh2_pkt_addstring(s->pktout, s->username);
7259 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7260 /* service requested */
7261 ssh2_pkt_addstring(s->pktout, "publickey");
7263 ssh2_pkt_addbool(s->pktout, FALSE); /* no signature included */
7264 ssh2_pkt_addstring_start(s->pktout);
7265 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
7266 ssh2_pkt_addstring_start(s->pktout);
7267 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7268 ssh2_pkt_send(ssh, s->pktout);
7269 s->type = AUTH_TYPE_PUBLICKEY_OFFER_QUIET;
7271 crWaitUntilV(pktin);
7272 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7274 /* Offer of key refused. */
7281 if (flags & FLAG_VERBOSE) {
7282 c_write_str(ssh, "Authenticating with "
7284 c_write(ssh, s->commentp, s->commentlen);
7285 c_write_str(ssh, "\" from agent\r\n");
7289 * Server is willing to accept the key.
7290 * Construct a SIGN_REQUEST.
7292 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7293 ssh2_pkt_addstring(s->pktout, s->username);
7294 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7295 /* service requested */
7296 ssh2_pkt_addstring(s->pktout, "publickey");
7298 ssh2_pkt_addbool(s->pktout, TRUE); /* signature included */
7299 ssh2_pkt_addstring_start(s->pktout);
7300 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
7301 ssh2_pkt_addstring_start(s->pktout);
7302 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7304 /* Ask agent for signature. */
7305 s->siglen = s->pktout->length - 5 + 4 +
7306 ssh->v2_session_id_len;
7307 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7309 s->len = 1; /* message type */
7310 s->len += 4 + s->pklen; /* key blob */
7311 s->len += 4 + s->siglen; /* data to sign */
7312 s->len += 4; /* flags */
7313 s->agentreq = snewn(4 + s->len, char);
7314 PUT_32BIT(s->agentreq, s->len);
7315 s->q = s->agentreq + 4;
7316 *s->q++ = SSH2_AGENTC_SIGN_REQUEST;
7317 PUT_32BIT(s->q, s->pklen);
7319 memcpy(s->q, s->pkblob, s->pklen);
7321 PUT_32BIT(s->q, s->siglen);
7323 /* Now the data to be signed... */
7324 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7325 PUT_32BIT(s->q, ssh->v2_session_id_len);
7328 memcpy(s->q, ssh->v2_session_id,
7329 ssh->v2_session_id_len);
7330 s->q += ssh->v2_session_id_len;
7331 memcpy(s->q, s->pktout->data + 5,
7332 s->pktout->length - 5);
7333 s->q += s->pktout->length - 5;
7334 /* And finally the (zero) flags word. */
7336 if (!agent_query(s->agentreq, s->len + 4,
7338 ssh_agent_callback, ssh)) {
7342 bombout(("Unexpected data from server"
7343 " while waiting for agent"
7347 } while (pktin || inlen > 0);
7348 vret = ssh->agent_response;
7349 s->retlen = ssh->agent_response_len;
7354 if (s->ret[4] == SSH2_AGENT_SIGN_RESPONSE) {
7355 logevent("Sending Pageant's response");
7356 ssh2_add_sigblob(ssh, s->pktout,
7357 s->pkblob, s->pklen,
7359 GET_32BIT(s->ret + 5));
7360 ssh2_pkt_send(ssh, s->pktout);
7361 s->type = AUTH_TYPE_PUBLICKEY;
7363 /* FIXME: less drastic response */
7364 bombout(("Pageant failed to answer challenge"));
7370 /* Do we have any keys left to try? */
7371 if (s->pkblob_in_agent) {
7372 s->done_agent = TRUE;
7373 s->tried_pubkey_config = TRUE;
7376 if (s->keyi >= s->nkeys)
7377 s->done_agent = TRUE;
7380 } else if (s->can_pubkey && s->publickey_blob &&
7381 !s->tried_pubkey_config) {
7383 struct ssh2_userkey *key; /* not live over crReturn */
7384 char *passphrase; /* not live over crReturn */
7386 ssh->pkt_actx = SSH2_PKTCTX_PUBLICKEY;
7388 s->tried_pubkey_config = TRUE;
7391 * Try the public key supplied in the configuration.
7393 * First, offer the public blob to see if the server is
7394 * willing to accept it.
7396 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7397 ssh2_pkt_addstring(s->pktout, s->username);
7398 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7399 /* service requested */
7400 ssh2_pkt_addstring(s->pktout, "publickey"); /* method */
7401 ssh2_pkt_addbool(s->pktout, FALSE);
7402 /* no signature included */
7403 ssh2_pkt_addstring(s->pktout, s->publickey_algorithm);
7404 ssh2_pkt_addstring_start(s->pktout);
7405 ssh2_pkt_addstring_data(s->pktout,
7406 (char *)s->publickey_blob,
7407 s->publickey_bloblen);
7408 ssh2_pkt_send(ssh, s->pktout);
7409 logevent("Offered public key");
7411 crWaitUntilV(pktin);
7412 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7413 /* Key refused. Give up. */
7414 s->gotit = TRUE; /* reconsider message next loop */
7415 s->type = AUTH_TYPE_PUBLICKEY_OFFER_LOUD;
7416 continue; /* process this new message */
7418 logevent("Offer of public key accepted");
7421 * Actually attempt a serious authentication using
7424 if (flags & FLAG_VERBOSE) {
7425 c_write_str(ssh, "Authenticating with public key \"");
7426 c_write_str(ssh, s->publickey_comment);
7427 c_write_str(ssh, "\"\r\n");
7431 const char *error; /* not live over crReturn */
7432 if (s->publickey_encrypted) {
7434 * Get a passphrase from the user.
7436 int ret; /* need not be kept over crReturn */
7437 s->cur_prompt = new_prompts(ssh->frontend);
7438 s->cur_prompt->to_server = FALSE;
7439 s->cur_prompt->name = dupstr("SSH key passphrase");
7440 add_prompt(s->cur_prompt,
7441 dupprintf("Passphrase for key \"%.100s\": ",
7442 s->publickey_comment),
7443 FALSE, SSH_MAX_PASSWORD_LEN);
7444 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7447 crWaitUntilV(!pktin);
7448 ret = get_userpass_input(s->cur_prompt,
7453 /* Failed to get a passphrase. Terminate. */
7454 free_prompts(s->cur_prompt);
7455 ssh_disconnect(ssh, NULL,
7456 "Unable to authenticate",
7457 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7462 dupstr(s->cur_prompt->prompts[0]->result);
7463 free_prompts(s->cur_prompt);
7465 passphrase = NULL; /* no passphrase needed */
7469 * Try decrypting the key.
7471 key = ssh2_load_userkey(&ssh->cfg.keyfile, passphrase,
7474 /* burn the evidence */
7475 memset(passphrase, 0, strlen(passphrase));
7478 if (key == SSH2_WRONG_PASSPHRASE || key == NULL) {
7480 (key == SSH2_WRONG_PASSPHRASE)) {
7481 c_write_str(ssh, "Wrong passphrase\r\n");
7483 /* and loop again */
7485 c_write_str(ssh, "Unable to load private key (");
7486 c_write_str(ssh, error);
7487 c_write_str(ssh, ")\r\n");
7489 break; /* try something else */
7495 unsigned char *pkblob, *sigblob, *sigdata;
7496 int pkblob_len, sigblob_len, sigdata_len;
7500 * We have loaded the private key and the server
7501 * has announced that it's willing to accept it.
7502 * Hallelujah. Generate a signature and send it.
7504 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7505 ssh2_pkt_addstring(s->pktout, s->username);
7506 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7507 /* service requested */
7508 ssh2_pkt_addstring(s->pktout, "publickey");
7510 ssh2_pkt_addbool(s->pktout, TRUE);
7511 /* signature follows */
7512 ssh2_pkt_addstring(s->pktout, key->alg->name);
7513 pkblob = key->alg->public_blob(key->data,
7515 ssh2_pkt_addstring_start(s->pktout);
7516 ssh2_pkt_addstring_data(s->pktout, (char *)pkblob,
7520 * The data to be signed is:
7524 * followed by everything so far placed in the
7527 sigdata_len = s->pktout->length - 5 + 4 +
7528 ssh->v2_session_id_len;
7529 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7531 sigdata = snewn(sigdata_len, unsigned char);
7533 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7534 PUT_32BIT(sigdata+p, ssh->v2_session_id_len);
7537 memcpy(sigdata+p, ssh->v2_session_id,
7538 ssh->v2_session_id_len);
7539 p += ssh->v2_session_id_len;
7540 memcpy(sigdata+p, s->pktout->data + 5,
7541 s->pktout->length - 5);
7542 p += s->pktout->length - 5;
7543 assert(p == sigdata_len);
7544 sigblob = key->alg->sign(key->data, (char *)sigdata,
7545 sigdata_len, &sigblob_len);
7546 ssh2_add_sigblob(ssh, s->pktout, pkblob, pkblob_len,
7547 sigblob, sigblob_len);
7552 ssh2_pkt_send(ssh, s->pktout);
7553 s->type = AUTH_TYPE_PUBLICKEY;
7554 key->alg->freekey(key->data);
7557 } else if (s->can_keyb_inter && !s->kbd_inter_refused) {
7560 * Keyboard-interactive authentication.
7563 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE;
7565 ssh->pkt_actx = SSH2_PKTCTX_KBDINTER;
7567 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7568 ssh2_pkt_addstring(s->pktout, s->username);
7569 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7570 /* service requested */
7571 ssh2_pkt_addstring(s->pktout, "keyboard-interactive");
7573 ssh2_pkt_addstring(s->pktout, ""); /* lang */
7574 ssh2_pkt_addstring(s->pktout, ""); /* submethods */
7575 ssh2_pkt_send(ssh, s->pktout);
7577 crWaitUntilV(pktin);
7578 if (pktin->type != SSH2_MSG_USERAUTH_INFO_REQUEST) {
7579 /* Server is not willing to do keyboard-interactive
7580 * at all (or, bizarrely but legally, accepts the
7581 * user without actually issuing any prompts).
7582 * Give up on it entirely. */
7584 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE)
7585 logevent("Keyboard-interactive authentication refused");
7586 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET;
7587 s->kbd_inter_refused = TRUE; /* don't try it again */
7592 * Loop while the server continues to send INFO_REQUESTs.
7594 while (pktin->type == SSH2_MSG_USERAUTH_INFO_REQUEST) {
7596 char *name, *inst, *lang;
7597 int name_len, inst_len, lang_len;
7601 * We've got a fresh USERAUTH_INFO_REQUEST.
7602 * Get the preamble and start building a prompt.
7604 ssh_pkt_getstring(pktin, &name, &name_len);
7605 ssh_pkt_getstring(pktin, &inst, &inst_len);
7606 ssh_pkt_getstring(pktin, &lang, &lang_len);
7607 s->cur_prompt = new_prompts(ssh->frontend);
7608 s->cur_prompt->to_server = TRUE;
7610 /* FIXME: better prefix to distinguish from
7612 s->cur_prompt->name =
7613 dupprintf("SSH server: %.*s", name_len, name);
7614 s->cur_prompt->name_reqd = TRUE;
7616 s->cur_prompt->name =
7617 dupstr("SSH server authentication");
7618 s->cur_prompt->name_reqd = FALSE;
7620 /* FIXME: ugly to print "Using..." in prompt _every_
7621 * time round. Can this be done more subtly? */
7622 s->cur_prompt->instruction =
7623 dupprintf("Using keyboard-interactive authentication.%s%.*s",
7624 inst_len ? "\n" : "", inst_len, inst);
7625 s->cur_prompt->instr_reqd = TRUE;
7628 * Get the prompts from the packet.
7630 s->num_prompts = ssh_pkt_getuint32(pktin);
7631 for (i = 0; i < s->num_prompts; i++) {
7635 static char noprompt[] =
7636 "<server failed to send prompt>: ";
7638 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
7639 echo = ssh2_pkt_getbool(pktin);
7642 prompt_len = lenof(noprompt)-1;
7644 add_prompt(s->cur_prompt,
7645 dupprintf("%.*s", prompt_len, prompt),
7646 echo, SSH_MAX_PASSWORD_LEN);
7650 * Get the user's responses.
7652 if (s->num_prompts) {
7653 int ret; /* not live over crReturn */
7654 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7657 crWaitUntilV(!pktin);
7658 ret = get_userpass_input(s->cur_prompt, in, inlen);
7663 * Failed to get responses. Terminate.
7665 free_prompts(s->cur_prompt);
7666 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7667 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7674 * Send the responses to the server.
7676 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_INFO_RESPONSE);
7677 ssh2_pkt_adduint32(s->pktout, s->num_prompts);
7678 for (i=0; i < s->num_prompts; i++) {
7679 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7680 ssh2_pkt_addstring(s->pktout,
7681 s->cur_prompt->prompts[i]->result);
7682 end_log_omission(ssh, s->pktout);
7684 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
7687 * Get the next packet in case it's another
7690 crWaitUntilV(pktin);
7695 * We should have SUCCESS or FAILURE now.
7699 } else if (s->can_passwd) {
7702 * Plain old password authentication.
7704 int ret; /* not live over crReturn */
7705 int changereq_first_time; /* not live over crReturn */
7707 ssh->pkt_actx = SSH2_PKTCTX_PASSWORD;
7709 s->cur_prompt = new_prompts(ssh->frontend);
7710 s->cur_prompt->to_server = TRUE;
7711 s->cur_prompt->name = dupstr("SSH password");
7712 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
7715 FALSE, SSH_MAX_PASSWORD_LEN);
7717 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7720 crWaitUntilV(!pktin);
7721 ret = get_userpass_input(s->cur_prompt, in, inlen);
7726 * Failed to get responses. Terminate.
7728 free_prompts(s->cur_prompt);
7729 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7730 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7735 * Squirrel away the password. (We may need it later if
7736 * asked to change it.)
7738 s->password = dupstr(s->cur_prompt->prompts[0]->result);
7739 free_prompts(s->cur_prompt);
7742 * Send the password packet.
7744 * We pad out the password packet to 256 bytes to make
7745 * it harder for an attacker to find the length of the
7748 * Anyone using a password longer than 256 bytes
7749 * probably doesn't have much to worry about from
7750 * people who find out how long their password is!
7752 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7753 ssh2_pkt_addstring(s->pktout, s->username);
7754 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7755 /* service requested */
7756 ssh2_pkt_addstring(s->pktout, "password");
7757 ssh2_pkt_addbool(s->pktout, FALSE);
7758 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7759 ssh2_pkt_addstring(s->pktout, s->password);
7760 end_log_omission(ssh, s->pktout);
7761 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
7762 logevent("Sent password");
7763 s->type = AUTH_TYPE_PASSWORD;
7766 * Wait for next packet, in case it's a password change
7769 crWaitUntilV(pktin);
7770 changereq_first_time = TRUE;
7772 while (pktin->type == SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ) {
7775 * We're being asked for a new password
7776 * (perhaps not for the first time).
7777 * Loop until the server accepts it.
7780 int got_new = FALSE; /* not live over crReturn */
7781 char *prompt; /* not live over crReturn */
7782 int prompt_len; /* not live over crReturn */
7786 if (changereq_first_time)
7787 msg = "Server requested password change";
7789 msg = "Server rejected new password";
7791 c_write_str(ssh, msg);
7792 c_write_str(ssh, "\r\n");
7795 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
7797 s->cur_prompt = new_prompts(ssh->frontend);
7798 s->cur_prompt->to_server = TRUE;
7799 s->cur_prompt->name = dupstr("New SSH password");
7800 s->cur_prompt->instruction =
7801 dupprintf("%.*s", prompt_len, prompt);
7802 s->cur_prompt->instr_reqd = TRUE;
7804 * There's no explicit requirement in the protocol
7805 * for the "old" passwords in the original and
7806 * password-change messages to be the same, and
7807 * apparently some Cisco kit supports password change
7808 * by the user entering a blank password originally
7809 * and the real password subsequently, so,
7810 * reluctantly, we prompt for the old password again.
7812 * (On the other hand, some servers don't even bother
7813 * to check this field.)
7815 add_prompt(s->cur_prompt,
7816 dupstr("Current password (blank for previously entered password): "),
7817 FALSE, SSH_MAX_PASSWORD_LEN);
7818 add_prompt(s->cur_prompt, dupstr("Enter new password: "),
7819 FALSE, SSH_MAX_PASSWORD_LEN);
7820 add_prompt(s->cur_prompt, dupstr("Confirm new password: "),
7821 FALSE, SSH_MAX_PASSWORD_LEN);
7824 * Loop until the user manages to enter the same
7829 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7832 crWaitUntilV(!pktin);
7833 ret = get_userpass_input(s->cur_prompt, in, inlen);
7838 * Failed to get responses. Terminate.
7840 /* burn the evidence */
7841 free_prompts(s->cur_prompt);
7842 memset(s->password, 0, strlen(s->password));
7844 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7845 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7851 * If the user specified a new original password
7852 * (IYSWIM), overwrite any previously specified
7854 * (A side effect is that the user doesn't have to
7855 * re-enter it if they louse up the new password.)
7857 if (s->cur_prompt->prompts[0]->result[0]) {
7858 memset(s->password, 0, strlen(s->password));
7859 /* burn the evidence */
7862 dupstr(s->cur_prompt->prompts[0]->result);
7866 * Check the two new passwords match.
7868 got_new = (strcmp(s->cur_prompt->prompts[1]->result,
7869 s->cur_prompt->prompts[2]->result)
7872 /* They don't. Silly user. */
7873 c_write_str(ssh, "Passwords do not match\r\n");
7878 * Send the new password (along with the old one).
7879 * (see above for padding rationale)
7881 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7882 ssh2_pkt_addstring(s->pktout, s->username);
7883 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7884 /* service requested */
7885 ssh2_pkt_addstring(s->pktout, "password");
7886 ssh2_pkt_addbool(s->pktout, TRUE);
7887 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7888 ssh2_pkt_addstring(s->pktout, s->password);
7889 ssh2_pkt_addstring(s->pktout,
7890 s->cur_prompt->prompts[1]->result);
7891 free_prompts(s->cur_prompt);
7892 end_log_omission(ssh, s->pktout);
7893 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
7894 logevent("Sent new password");
7897 * Now see what the server has to say about it.
7898 * (If it's CHANGEREQ again, it's not happy with the
7901 crWaitUntilV(pktin);
7902 changereq_first_time = FALSE;
7907 * We need to reexamine the current pktin at the top
7908 * of the loop. Either:
7909 * - we weren't asked to change password at all, in
7910 * which case it's a SUCCESS or FAILURE with the
7912 * - we sent a new password, and the server was
7913 * either OK with it (SUCCESS or FAILURE w/partial
7914 * success) or unhappy with the _old_ password
7915 * (FAILURE w/o partial success)
7916 * In any of these cases, we go back to the top of
7917 * the loop and start again.
7922 * We don't need the old password any more, in any
7923 * case. Burn the evidence.
7925 memset(s->password, 0, strlen(s->password));
7930 ssh_disconnect(ssh, NULL,
7931 "No supported authentication methods available",
7932 SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE,
7940 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
7942 /* Clear up various bits and pieces from authentication. */
7943 if (s->publickey_blob) {
7944 sfree(s->publickey_blob);
7945 sfree(s->publickey_comment);
7947 if (s->agent_response)
7948 sfree(s->agent_response);
7951 * Now the connection protocol has started, one way or another.
7954 ssh->channels = newtree234(ssh_channelcmp);
7957 * Set up handlers for some connection protocol messages, so we
7958 * don't have to handle them repeatedly in this coroutine.
7960 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] =
7961 ssh2_msg_channel_window_adjust;
7962 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] =
7963 ssh2_msg_global_request;
7966 * Create the main session channel.
7968 if (ssh->cfg.ssh_no_shell) {
7969 ssh->mainchan = NULL;
7970 } else if (*ssh->cfg.ssh_nc_host) {
7972 * Just start a direct-tcpip channel and use it as the main
7975 ssh->mainchan = snew(struct ssh_channel);
7976 ssh->mainchan->ssh = ssh;
7977 ssh->mainchan->localid = alloc_channel_id(ssh);
7979 "Opening direct-tcpip channel to %s:%d in place of session",
7980 ssh->cfg.ssh_nc_host, ssh->cfg.ssh_nc_port);
7981 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
7982 ssh2_pkt_addstring(s->pktout, "direct-tcpip");
7983 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
7984 ssh->mainchan->v.v2.locwindow = ssh->mainchan->v.v2.locmaxwin =
7985 ssh->cfg.ssh_simple ? OUR_V2_BIGWIN : OUR_V2_WINSIZE;
7986 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
7987 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
7988 ssh2_pkt_addstring(s->pktout, ssh->cfg.ssh_nc_host);
7989 ssh2_pkt_adduint32(s->pktout, ssh->cfg.ssh_nc_port);
7991 * There's nothing meaningful to put in the originator
7992 * fields, but some servers insist on syntactically correct
7995 ssh2_pkt_addstring(s->pktout, "0.0.0.0");
7996 ssh2_pkt_adduint32(s->pktout, 0);
7997 ssh2_pkt_send(ssh, s->pktout);
7999 crWaitUntilV(pktin);
8000 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
8001 bombout(("Server refused to open a direct-tcpip channel"));
8003 /* FIXME: error data comes back in FAILURE packet */
8005 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
8006 bombout(("Server's channel confirmation cited wrong channel"));
8009 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
8010 ssh->mainchan->halfopen = FALSE;
8011 ssh->mainchan->type = CHAN_MAINSESSION;
8012 ssh->mainchan->closes = 0;
8013 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
8014 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
8015 bufchain_init(&ssh->mainchan->v.v2.outbuffer);
8016 add234(ssh->channels, ssh->mainchan);
8017 update_specials_menu(ssh->frontend);
8018 logevent("Opened direct-tcpip channel");
8021 ssh->mainchan = snew(struct ssh_channel);
8022 ssh->mainchan->ssh = ssh;
8023 ssh->mainchan->localid = alloc_channel_id(ssh);
8024 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
8025 ssh2_pkt_addstring(s->pktout, "session");
8026 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
8027 ssh->mainchan->v.v2.locwindow = ssh->mainchan->v.v2.locmaxwin =
8028 ssh->cfg.ssh_simple ? OUR_V2_BIGWIN : OUR_V2_WINSIZE;
8029 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
8030 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
8031 ssh2_pkt_send(ssh, s->pktout);
8032 crWaitUntilV(pktin);
8033 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
8034 bombout(("Server refused to open a session"));
8036 /* FIXME: error data comes back in FAILURE packet */
8038 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
8039 bombout(("Server's channel confirmation cited wrong channel"));
8042 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
8043 ssh->mainchan->halfopen = FALSE;
8044 ssh->mainchan->type = CHAN_MAINSESSION;
8045 ssh->mainchan->closes = 0;
8046 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
8047 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
8048 bufchain_init(&ssh->mainchan->v.v2.outbuffer);
8049 add234(ssh->channels, ssh->mainchan);
8050 update_specials_menu(ssh->frontend);
8051 logevent("Opened channel for session");
8052 ssh->ncmode = FALSE;
8056 * Now we have a channel, make dispatch table entries for
8057 * general channel-based messages.
8059 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] =
8060 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] =
8061 ssh2_msg_channel_data;
8062 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = ssh2_msg_channel_eof;
8063 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = ssh2_msg_channel_close;
8064 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] =
8065 ssh2_msg_channel_open_confirmation;
8066 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] =
8067 ssh2_msg_channel_open_failure;
8068 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] =
8069 ssh2_msg_channel_request;
8070 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] =
8071 ssh2_msg_channel_open;
8073 if (ssh->cfg.ssh_simple) {
8075 * This message indicates to the server that we promise
8076 * not to try to run any other channel in parallel with
8077 * this one, so it's safe for it to advertise a very large
8078 * window and leave the flow control to TCP.
8080 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8081 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8082 ssh2_pkt_addstring(s->pktout, "simple@putty.projects.tartarus.org");
8083 ssh2_pkt_addbool(s->pktout, 0); /* no reply */
8084 ssh2_pkt_send(ssh, s->pktout);
8088 * Potentially enable X11 forwarding.
8090 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.x11_forward) {
8091 char proto[20], data[64];
8092 logevent("Requesting X11 forwarding");
8093 ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
8094 data, sizeof(data), ssh->cfg.x11_auth);
8095 x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
8096 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8097 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8098 ssh2_pkt_addstring(s->pktout, "x11-req");
8099 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8100 ssh2_pkt_addbool(s->pktout, 0); /* many connections */
8101 ssh2_pkt_addstring(s->pktout, proto);
8103 * Note that while we blank the X authentication data here, we don't
8104 * take any special action to blank the start of an X11 channel,
8105 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
8106 * without having session blanking enabled is likely to leak your
8107 * cookie into the log.
8109 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
8110 ssh2_pkt_addstring(s->pktout, data);
8111 end_log_omission(ssh, s->pktout);
8112 ssh2_pkt_adduint32(s->pktout, x11_get_screen_number(ssh->cfg.x11_display));
8113 ssh2_pkt_send(ssh, s->pktout);
8115 crWaitUntilV(pktin);
8117 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8118 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8119 bombout(("Unexpected response to X11 forwarding request:"
8120 " packet type %d", pktin->type));
8123 logevent("X11 forwarding refused");
8125 logevent("X11 forwarding enabled");
8126 ssh->X11_fwd_enabled = TRUE;
8131 * Enable port forwardings.
8133 ssh_setup_portfwd(ssh, &ssh->cfg);
8136 * Potentially enable agent forwarding.
8138 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.agentfwd && agent_exists()) {
8139 logevent("Requesting OpenSSH-style agent forwarding");
8140 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8141 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8142 ssh2_pkt_addstring(s->pktout, "auth-agent-req@openssh.com");
8143 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8144 ssh2_pkt_send(ssh, s->pktout);
8146 crWaitUntilV(pktin);
8148 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8149 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8150 bombout(("Unexpected response to agent forwarding request:"
8151 " packet type %d", pktin->type));
8154 logevent("Agent forwarding refused");
8156 logevent("Agent forwarding enabled");
8157 ssh->agentfwd_enabled = TRUE;
8162 * Now allocate a pty for the session.
8164 if (ssh->mainchan && !ssh->ncmode && !ssh->cfg.nopty) {
8165 /* Unpick the terminal-speed string. */
8166 /* XXX perhaps we should allow no speeds to be sent. */
8167 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
8168 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
8169 /* Build the pty request. */
8170 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8171 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
8172 ssh2_pkt_addstring(s->pktout, "pty-req");
8173 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8174 ssh2_pkt_addstring(s->pktout, ssh->cfg.termtype);
8175 ssh2_pkt_adduint32(s->pktout, ssh->term_width);
8176 ssh2_pkt_adduint32(s->pktout, ssh->term_height);
8177 ssh2_pkt_adduint32(s->pktout, 0); /* pixel width */
8178 ssh2_pkt_adduint32(s->pktout, 0); /* pixel height */
8179 ssh2_pkt_addstring_start(s->pktout);
8180 parse_ttymodes(ssh, ssh->cfg.ttymodes,
8181 ssh2_send_ttymode, (void *)s->pktout);
8182 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_ISPEED);
8183 ssh2_pkt_adduint32(s->pktout, ssh->ispeed);
8184 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_OSPEED);
8185 ssh2_pkt_adduint32(s->pktout, ssh->ospeed);
8186 ssh2_pkt_addstring_data(s->pktout, "\0", 1); /* TTY_OP_END */
8187 ssh2_pkt_send(ssh, s->pktout);
8188 ssh->state = SSH_STATE_INTERMED;
8190 crWaitUntilV(pktin);
8192 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8193 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8194 bombout(("Unexpected response to pty request:"
8195 " packet type %d", pktin->type));
8198 c_write_str(ssh, "Server refused to allocate pty\r\n");
8199 ssh->editing = ssh->echoing = 1;
8201 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
8202 ssh->ospeed, ssh->ispeed);
8205 ssh->editing = ssh->echoing = 1;
8209 * Send environment variables.
8211 * Simplest thing here is to send all the requests at once, and
8212 * then wait for a whole bunch of successes or failures.
8214 if (ssh->mainchan && !ssh->ncmode && *ssh->cfg.environmt) {
8215 char *e = ssh->cfg.environmt;
8216 char *var, *varend, *val;
8222 while (*e && *e != '\t') e++;
8224 if (*e == '\t') e++;
8229 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8230 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8231 ssh2_pkt_addstring(s->pktout, "env");
8232 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8233 ssh2_pkt_addstring_start(s->pktout);
8234 ssh2_pkt_addstring_data(s->pktout, var, varend-var);
8235 ssh2_pkt_addstring(s->pktout, val);
8236 ssh2_pkt_send(ssh, s->pktout);
8241 logeventf(ssh, "Sent %d environment variables", s->num_env);
8244 s->env_left = s->num_env;
8246 while (s->env_left > 0) {
8247 crWaitUntilV(pktin);
8249 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8250 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8251 bombout(("Unexpected response to environment request:"
8252 " packet type %d", pktin->type));
8262 if (s->env_ok == s->num_env) {
8263 logevent("All environment variables successfully set");
8264 } else if (s->env_ok == 0) {
8265 logevent("All environment variables refused");
8266 c_write_str(ssh, "Server refused to set environment variables\r\n");
8268 logeventf(ssh, "%d environment variables refused",
8269 s->num_env - s->env_ok);
8270 c_write_str(ssh, "Server refused to set all environment variables\r\n");
8275 * Start a shell or a remote command. We may have to attempt
8276 * this twice if the config data has provided a second choice
8279 if (ssh->mainchan && !ssh->ncmode) while (1) {
8283 if (ssh->fallback_cmd) {
8284 subsys = ssh->cfg.ssh_subsys2;
8285 cmd = ssh->cfg.remote_cmd_ptr2;
8287 subsys = ssh->cfg.ssh_subsys;
8288 cmd = ssh->cfg.remote_cmd_ptr;
8289 if (!cmd) cmd = ssh->cfg.remote_cmd;
8292 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8293 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
8295 ssh2_pkt_addstring(s->pktout, "subsystem");
8296 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8297 ssh2_pkt_addstring(s->pktout, cmd);
8299 ssh2_pkt_addstring(s->pktout, "exec");
8300 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8301 ssh2_pkt_addstring(s->pktout, cmd);
8303 ssh2_pkt_addstring(s->pktout, "shell");
8304 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8306 ssh2_pkt_send(ssh, s->pktout);
8308 crWaitUntilV(pktin);
8310 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8311 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8312 bombout(("Unexpected response to shell/command request:"
8313 " packet type %d", pktin->type));
8317 * We failed to start the command. If this is the
8318 * fallback command, we really are finished; if it's
8319 * not, and if the fallback command exists, try falling
8320 * back to it before complaining.
8322 if (!ssh->fallback_cmd && ssh->cfg.remote_cmd_ptr2 != NULL) {
8323 logevent("Primary command failed; attempting fallback");
8324 ssh->fallback_cmd = TRUE;
8327 bombout(("Server refused to start a shell/command"));
8330 logevent("Started a shell/command");
8335 ssh->state = SSH_STATE_SESSION;
8336 if (ssh->size_needed)
8337 ssh_size(ssh, ssh->term_width, ssh->term_height);
8338 if (ssh->eof_needed)
8339 ssh_special(ssh, TS_EOF);
8345 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
8350 s->try_send = FALSE;
8354 * _All_ the connection-layer packets we expect to
8355 * receive are now handled by the dispatch table.
8356 * Anything that reaches here must be bogus.
8359 bombout(("Strange packet received: type %d", pktin->type));
8361 } else if (ssh->mainchan) {
8363 * We have spare data. Add it to the channel buffer.
8365 ssh2_add_channel_data(ssh->mainchan, (char *)in, inlen);
8370 struct ssh_channel *c;
8372 * Try to send data on all channels if we can.
8374 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++)
8375 ssh2_try_send_and_unthrottle(c);
8383 * Handlers for SSH-2 messages that might arrive at any moment.
8385 static void ssh2_msg_disconnect(Ssh ssh, struct Packet *pktin)
8387 /* log reason code in disconnect message */
8389 int nowlen, reason, msglen;
8391 reason = ssh_pkt_getuint32(pktin);
8392 ssh_pkt_getstring(pktin, &msg, &msglen);
8394 if (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) {
8395 buf = dupprintf("Received disconnect message (%s)",
8396 ssh2_disconnect_reasons[reason]);
8398 buf = dupprintf("Received disconnect message (unknown"
8399 " type %d)", reason);
8403 buf = dupprintf("Disconnection message text: %n%.*s",
8404 &nowlen, msglen, msg);
8406 bombout(("Server sent disconnect message\ntype %d (%s):\n\"%s\"",
8408 (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
8409 ssh2_disconnect_reasons[reason] : "unknown",
8414 static void ssh2_msg_debug(Ssh ssh, struct Packet *pktin)
8416 /* log the debug message */
8421 /* XXX maybe we should actually take notice of this */
8422 always_display = ssh2_pkt_getbool(pktin);
8423 ssh_pkt_getstring(pktin, &msg, &msglen);
8425 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
8428 static void ssh2_msg_something_unimplemented(Ssh ssh, struct Packet *pktin)
8430 struct Packet *pktout;
8431 pktout = ssh2_pkt_init(SSH2_MSG_UNIMPLEMENTED);
8432 ssh2_pkt_adduint32(pktout, pktin->sequence);
8434 * UNIMPLEMENTED messages MUST appear in the same order as the
8435 * messages they respond to. Hence, never queue them.
8437 ssh2_pkt_send_noqueue(ssh, pktout);
8441 * Handle the top-level SSH-2 protocol.
8443 static void ssh2_protocol_setup(Ssh ssh)
8448 * Most messages cause SSH2_MSG_UNIMPLEMENTED.
8450 for (i = 0; i < 256; i++)
8451 ssh->packet_dispatch[i] = ssh2_msg_something_unimplemented;
8454 * Any message we actually understand, we set to NULL so that
8455 * the coroutines will get it.
8457 ssh->packet_dispatch[SSH2_MSG_UNIMPLEMENTED] = NULL;
8458 ssh->packet_dispatch[SSH2_MSG_SERVICE_REQUEST] = NULL;
8459 ssh->packet_dispatch[SSH2_MSG_SERVICE_ACCEPT] = NULL;
8460 ssh->packet_dispatch[SSH2_MSG_KEXINIT] = NULL;
8461 ssh->packet_dispatch[SSH2_MSG_NEWKEYS] = NULL;
8462 ssh->packet_dispatch[SSH2_MSG_KEXDH_INIT] = NULL;
8463 ssh->packet_dispatch[SSH2_MSG_KEXDH_REPLY] = NULL;
8464 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REQUEST] = NULL; duplicate case value */
8465 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_GROUP] = NULL; duplicate case value */
8466 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_INIT] = NULL;
8467 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REPLY] = NULL;
8468 ssh->packet_dispatch[SSH2_MSG_USERAUTH_REQUEST] = NULL;
8469 ssh->packet_dispatch[SSH2_MSG_USERAUTH_FAILURE] = NULL;
8470 ssh->packet_dispatch[SSH2_MSG_USERAUTH_SUCCESS] = NULL;
8471 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
8472 ssh->packet_dispatch[SSH2_MSG_USERAUTH_PK_OK] = NULL;
8473 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ] = NULL; duplicate case value */
8474 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_REQUEST] = NULL; duplicate case value */
8475 ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_RESPONSE] = NULL;
8476 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] = NULL;
8477 ssh->packet_dispatch[SSH2_MSG_REQUEST_SUCCESS] = NULL;
8478 ssh->packet_dispatch[SSH2_MSG_REQUEST_FAILURE] = NULL;
8479 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] = NULL;
8480 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] = NULL;
8481 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] = NULL;
8482 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] = NULL;
8483 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] = NULL;
8484 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] = NULL;
8485 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = NULL;
8486 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = NULL;
8487 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] = NULL;
8488 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = NULL;
8489 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = NULL;
8492 * These special message types we install handlers for.
8494 ssh->packet_dispatch[SSH2_MSG_DISCONNECT] = ssh2_msg_disconnect;
8495 ssh->packet_dispatch[SSH2_MSG_IGNORE] = ssh_msg_ignore; /* shared with SSH-1 */
8496 ssh->packet_dispatch[SSH2_MSG_DEBUG] = ssh2_msg_debug;
8499 static void ssh2_timer(void *ctx, long now)
8503 if (ssh->state == SSH_STATE_CLOSED)
8506 if (!ssh->kex_in_progress && ssh->cfg.ssh_rekey_time != 0 &&
8507 now - ssh->next_rekey >= 0) {
8508 do_ssh2_transport(ssh, "timeout", -1, NULL);
8512 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
8513 struct Packet *pktin)
8515 unsigned char *in = (unsigned char *)vin;
8516 if (ssh->state == SSH_STATE_CLOSED)
8520 ssh->incoming_data_size += pktin->encrypted_len;
8521 if (!ssh->kex_in_progress &&
8522 ssh->max_data_size != 0 &&
8523 ssh->incoming_data_size > ssh->max_data_size)
8524 do_ssh2_transport(ssh, "too much data received", -1, NULL);
8527 if (pktin && ssh->packet_dispatch[pktin->type]) {
8528 ssh->packet_dispatch[pktin->type](ssh, pktin);
8532 if (!ssh->protocol_initial_phase_done ||
8533 (pktin && pktin->type >= 20 && pktin->type < 50)) {
8534 if (do_ssh2_transport(ssh, in, inlen, pktin) &&
8535 !ssh->protocol_initial_phase_done) {
8536 ssh->protocol_initial_phase_done = TRUE;
8538 * Allow authconn to initialise itself.
8540 do_ssh2_authconn(ssh, NULL, 0, NULL);
8543 do_ssh2_authconn(ssh, in, inlen, pktin);
8548 * Called to set up the connection.
8550 * Returns an error message, or NULL on success.
8552 static const char *ssh_init(void *frontend_handle, void **backend_handle,
8554 char *host, int port, char **realhost, int nodelay,
8560 ssh = snew(struct ssh_tag);
8561 ssh->cfg = *cfg; /* STRUCTURE COPY */
8562 ssh->version = 0; /* when not ready yet */
8565 ssh->v1_cipher_ctx = NULL;
8566 ssh->crcda_ctx = NULL;
8567 ssh->cscipher = NULL;
8568 ssh->cs_cipher_ctx = NULL;
8569 ssh->sccipher = NULL;
8570 ssh->sc_cipher_ctx = NULL;
8572 ssh->cs_mac_ctx = NULL;
8574 ssh->sc_mac_ctx = NULL;
8576 ssh->cs_comp_ctx = NULL;
8578 ssh->sc_comp_ctx = NULL;
8580 ssh->kex_ctx = NULL;
8581 ssh->hostkey = NULL;
8583 ssh->close_expected = FALSE;
8584 ssh->clean_exit = FALSE;
8585 ssh->state = SSH_STATE_PREPACKET;
8586 ssh->size_needed = FALSE;
8587 ssh->eof_needed = FALSE;
8590 ssh->deferred_send_data = NULL;
8591 ssh->deferred_len = 0;
8592 ssh->deferred_size = 0;
8593 ssh->fallback_cmd = 0;
8594 ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
8595 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
8596 ssh->x11auth = NULL;
8597 ssh->v1_compressing = FALSE;
8598 ssh->v2_outgoing_sequence = 0;
8599 ssh->ssh1_rdpkt_crstate = 0;
8600 ssh->ssh2_rdpkt_crstate = 0;
8601 ssh->do_ssh_init_crstate = 0;
8602 ssh->ssh_gotdata_crstate = 0;
8603 ssh->do_ssh1_connection_crstate = 0;
8604 ssh->do_ssh1_login_crstate = 0;
8605 ssh->do_ssh2_transport_crstate = 0;
8606 ssh->do_ssh2_authconn_crstate = 0;
8607 ssh->do_ssh_init_state = NULL;
8608 ssh->do_ssh1_login_state = NULL;
8609 ssh->do_ssh2_transport_state = NULL;
8610 ssh->do_ssh2_authconn_state = NULL;
8613 ssh->mainchan = NULL;
8614 ssh->throttled_all = 0;
8615 ssh->v1_stdout_throttling = 0;
8617 ssh->queuelen = ssh->queuesize = 0;
8618 ssh->queueing = FALSE;
8619 ssh->qhead = ssh->qtail = NULL;
8620 ssh->deferred_rekey_reason = NULL;
8621 bufchain_init(&ssh->queued_incoming_data);
8622 ssh->frozen = FALSE;
8624 *backend_handle = ssh;
8627 if (crypto_startup() == 0)
8628 return "Microsoft high encryption pack not installed!";
8631 ssh->frontend = frontend_handle;
8632 ssh->term_width = ssh->cfg.width;
8633 ssh->term_height = ssh->cfg.height;
8635 ssh->channels = NULL;
8636 ssh->rportfwds = NULL;
8637 ssh->portfwds = NULL;
8642 ssh->v1_throttle_count = 0;
8643 ssh->overall_bufsize = 0;
8644 ssh->fallback_cmd = 0;
8646 ssh->protocol = NULL;
8648 ssh->protocol_initial_phase_done = FALSE;
8652 ssh->incoming_data_size = ssh->outgoing_data_size =
8653 ssh->deferred_data_size = 0L;
8654 ssh->max_data_size = parse_blocksize(ssh->cfg.ssh_rekey_data);
8655 ssh->kex_in_progress = FALSE;
8657 p = connect_to_host(ssh, host, port, realhost, nodelay, keepalive);
8666 static void ssh_free(void *handle)
8668 Ssh ssh = (Ssh) handle;
8669 struct ssh_channel *c;
8670 struct ssh_rportfwd *pf;
8672 if (ssh->v1_cipher_ctx)
8673 ssh->cipher->free_context(ssh->v1_cipher_ctx);
8674 if (ssh->cs_cipher_ctx)
8675 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
8676 if (ssh->sc_cipher_ctx)
8677 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
8678 if (ssh->cs_mac_ctx)
8679 ssh->csmac->free_context(ssh->cs_mac_ctx);
8680 if (ssh->sc_mac_ctx)
8681 ssh->scmac->free_context(ssh->sc_mac_ctx);
8682 if (ssh->cs_comp_ctx) {
8684 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
8686 zlib_compress_cleanup(ssh->cs_comp_ctx);
8688 if (ssh->sc_comp_ctx) {
8690 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
8692 zlib_decompress_cleanup(ssh->sc_comp_ctx);
8695 dh_cleanup(ssh->kex_ctx);
8696 sfree(ssh->savedhost);
8698 while (ssh->queuelen-- > 0)
8699 ssh_free_packet(ssh->queue[ssh->queuelen]);
8702 while (ssh->qhead) {
8703 struct queued_handler *qh = ssh->qhead;
8704 ssh->qhead = qh->next;
8707 ssh->qhead = ssh->qtail = NULL;
8709 if (ssh->channels) {
8710 while ((c = delpos234(ssh->channels, 0)) != NULL) {
8713 if (c->u.x11.s != NULL)
8714 x11_close(c->u.x11.s);
8717 if (c->u.pfd.s != NULL)
8718 pfd_close(c->u.pfd.s);
8723 freetree234(ssh->channels);
8724 ssh->channels = NULL;
8727 if (ssh->rportfwds) {
8728 while ((pf = delpos234(ssh->rportfwds, 0)) != NULL)
8730 freetree234(ssh->rportfwds);
8731 ssh->rportfwds = NULL;
8733 sfree(ssh->deferred_send_data);
8735 x11_free_auth(ssh->x11auth);
8736 sfree(ssh->do_ssh_init_state);
8737 sfree(ssh->do_ssh1_login_state);
8738 sfree(ssh->do_ssh2_transport_state);
8739 sfree(ssh->do_ssh2_authconn_state);
8742 if (ssh->crcda_ctx) {
8743 crcda_free_context(ssh->crcda_ctx);
8744 ssh->crcda_ctx = NULL;
8747 ssh_do_close(ssh, TRUE);
8748 expire_timer_context(ssh);
8750 pinger_free(ssh->pinger);
8751 bufchain_clear(&ssh->queued_incoming_data);
8758 * Reconfigure the SSH backend.
8760 static void ssh_reconfig(void *handle, Config *cfg)
8762 Ssh ssh = (Ssh) handle;
8763 char *rekeying = NULL, rekey_mandatory = FALSE;
8764 unsigned long old_max_data_size;
8766 pinger_reconfig(ssh->pinger, &ssh->cfg, cfg);
8768 ssh_setup_portfwd(ssh, cfg);
8770 if (ssh->cfg.ssh_rekey_time != cfg->ssh_rekey_time &&
8771 cfg->ssh_rekey_time != 0) {
8772 long new_next = ssh->last_rekey + cfg->ssh_rekey_time*60*TICKSPERSEC;
8773 long now = GETTICKCOUNT();
8775 if (new_next - now < 0) {
8776 rekeying = "timeout shortened";
8778 ssh->next_rekey = schedule_timer(new_next - now, ssh2_timer, ssh);
8782 old_max_data_size = ssh->max_data_size;
8783 ssh->max_data_size = parse_blocksize(cfg->ssh_rekey_data);
8784 if (old_max_data_size != ssh->max_data_size &&
8785 ssh->max_data_size != 0) {
8786 if (ssh->outgoing_data_size > ssh->max_data_size ||
8787 ssh->incoming_data_size > ssh->max_data_size)
8788 rekeying = "data limit lowered";
8791 if (ssh->cfg.compression != cfg->compression) {
8792 rekeying = "compression setting changed";
8793 rekey_mandatory = TRUE;
8796 if (ssh->cfg.ssh2_des_cbc != cfg->ssh2_des_cbc ||
8797 memcmp(ssh->cfg.ssh_cipherlist, cfg->ssh_cipherlist,
8798 sizeof(ssh->cfg.ssh_cipherlist))) {
8799 rekeying = "cipher settings changed";
8800 rekey_mandatory = TRUE;
8803 ssh->cfg = *cfg; /* STRUCTURE COPY */
8806 if (!ssh->kex_in_progress) {
8807 do_ssh2_transport(ssh, rekeying, -1, NULL);
8808 } else if (rekey_mandatory) {
8809 ssh->deferred_rekey_reason = rekeying;
8815 * Called to send data down the SSH connection.
8817 static int ssh_send(void *handle, char *buf, int len)
8819 Ssh ssh = (Ssh) handle;
8821 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
8824 ssh->protocol(ssh, (unsigned char *)buf, len, 0);
8826 return ssh_sendbuffer(ssh);
8830 * Called to query the current amount of buffered stdin data.
8832 static int ssh_sendbuffer(void *handle)
8834 Ssh ssh = (Ssh) handle;
8837 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
8841 * If the SSH socket itself has backed up, add the total backup
8842 * size on that to any individual buffer on the stdin channel.
8845 if (ssh->throttled_all)
8846 override_value = ssh->overall_bufsize;
8848 if (ssh->version == 1) {
8849 return override_value;
8850 } else if (ssh->version == 2) {
8851 if (!ssh->mainchan || ssh->mainchan->closes > 0)
8852 return override_value;
8854 return (override_value +
8855 bufchain_size(&ssh->mainchan->v.v2.outbuffer));
8862 * Called to set the size of the window from SSH's POV.
8864 static void ssh_size(void *handle, int width, int height)
8866 Ssh ssh = (Ssh) handle;
8867 struct Packet *pktout;
8869 ssh->term_width = width;
8870 ssh->term_height = height;
8872 switch (ssh->state) {
8873 case SSH_STATE_BEFORE_SIZE:
8874 case SSH_STATE_PREPACKET:
8875 case SSH_STATE_CLOSED:
8876 break; /* do nothing */
8877 case SSH_STATE_INTERMED:
8878 ssh->size_needed = TRUE; /* buffer for later */
8880 case SSH_STATE_SESSION:
8881 if (!ssh->cfg.nopty) {
8882 if (ssh->version == 1) {
8883 send_packet(ssh, SSH1_CMSG_WINDOW_SIZE,
8884 PKT_INT, ssh->term_height,
8885 PKT_INT, ssh->term_width,
8886 PKT_INT, 0, PKT_INT, 0, PKT_END);
8887 } else if (ssh->mainchan) {
8888 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8889 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
8890 ssh2_pkt_addstring(pktout, "window-change");
8891 ssh2_pkt_addbool(pktout, 0);
8892 ssh2_pkt_adduint32(pktout, ssh->term_width);
8893 ssh2_pkt_adduint32(pktout, ssh->term_height);
8894 ssh2_pkt_adduint32(pktout, 0);
8895 ssh2_pkt_adduint32(pktout, 0);
8896 ssh2_pkt_send(ssh, pktout);
8904 * Return a list of the special codes that make sense in this
8907 static const struct telnet_special *ssh_get_specials(void *handle)
8909 static const struct telnet_special ssh1_ignore_special[] = {
8910 {"IGNORE message", TS_NOP}
8912 static const struct telnet_special ssh2_transport_specials[] = {
8913 {"IGNORE message", TS_NOP},
8914 {"Repeat key exchange", TS_REKEY},
8916 static const struct telnet_special ssh2_session_specials[] = {
8919 /* These are the signal names defined by draft-ietf-secsh-connect-23.
8920 * They include all the ISO C signals, but are a subset of the POSIX
8921 * required signals. */
8922 {"SIGINT (Interrupt)", TS_SIGINT},
8923 {"SIGTERM (Terminate)", TS_SIGTERM},
8924 {"SIGKILL (Kill)", TS_SIGKILL},
8925 {"SIGQUIT (Quit)", TS_SIGQUIT},
8926 {"SIGHUP (Hangup)", TS_SIGHUP},
8927 {"More signals", TS_SUBMENU},
8928 {"SIGABRT", TS_SIGABRT}, {"SIGALRM", TS_SIGALRM},
8929 {"SIGFPE", TS_SIGFPE}, {"SIGILL", TS_SIGILL},
8930 {"SIGPIPE", TS_SIGPIPE}, {"SIGSEGV", TS_SIGSEGV},
8931 {"SIGUSR1", TS_SIGUSR1}, {"SIGUSR2", TS_SIGUSR2},
8934 static const struct telnet_special specials_end[] = {
8937 /* XXX review this length for any changes: */
8938 static struct telnet_special ssh_specials[lenof(ssh2_transport_specials) +
8939 lenof(ssh2_session_specials) +
8940 lenof(specials_end)];
8941 Ssh ssh = (Ssh) handle;
8943 #define ADD_SPECIALS(name) \
8945 assert((i + lenof(name)) <= lenof(ssh_specials)); \
8946 memcpy(&ssh_specials[i], name, sizeof name); \
8950 if (ssh->version == 1) {
8951 /* Don't bother offering IGNORE if we've decided the remote
8952 * won't cope with it, since we wouldn't bother sending it if
8954 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
8955 ADD_SPECIALS(ssh1_ignore_special);
8956 } else if (ssh->version == 2) {
8957 ADD_SPECIALS(ssh2_transport_specials);
8959 ADD_SPECIALS(ssh2_session_specials);
8960 } /* else we're not ready yet */
8963 ADD_SPECIALS(specials_end);
8964 return ssh_specials;
8972 * Send special codes. TS_EOF is useful for `plink', so you
8973 * can send an EOF and collect resulting output (e.g. `plink
8976 static void ssh_special(void *handle, Telnet_Special code)
8978 Ssh ssh = (Ssh) handle;
8979 struct Packet *pktout;
8981 if (code == TS_EOF) {
8982 if (ssh->state != SSH_STATE_SESSION) {
8984 * Buffer the EOF in case we are pre-SESSION, so we can
8985 * send it as soon as we reach SESSION.
8988 ssh->eof_needed = TRUE;
8991 if (ssh->version == 1) {
8992 send_packet(ssh, SSH1_CMSG_EOF, PKT_END);
8993 } else if (ssh->mainchan) {
8994 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_EOF);
8995 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
8996 ssh2_pkt_send(ssh, pktout);
8997 ssh->send_ok = 0; /* now stop trying to read from stdin */
8999 logevent("Sent EOF message");
9000 } else if (code == TS_PING || code == TS_NOP) {
9001 if (ssh->state == SSH_STATE_CLOSED
9002 || ssh->state == SSH_STATE_PREPACKET) return;
9003 if (ssh->version == 1) {
9004 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
9005 send_packet(ssh, SSH1_MSG_IGNORE, PKT_STR, "", PKT_END);
9007 pktout = ssh2_pkt_init(SSH2_MSG_IGNORE);
9008 ssh2_pkt_addstring_start(pktout);
9009 ssh2_pkt_send_noqueue(ssh, pktout);
9011 } else if (code == TS_REKEY) {
9012 if (!ssh->kex_in_progress && ssh->version == 2) {
9013 do_ssh2_transport(ssh, "at user request", -1, NULL);
9015 } else if (code == TS_BRK) {
9016 if (ssh->state == SSH_STATE_CLOSED
9017 || ssh->state == SSH_STATE_PREPACKET) return;
9018 if (ssh->version == 1) {
9019 logevent("Unable to send BREAK signal in SSH-1");
9020 } else if (ssh->mainchan) {
9021 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9022 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9023 ssh2_pkt_addstring(pktout, "break");
9024 ssh2_pkt_addbool(pktout, 0);
9025 ssh2_pkt_adduint32(pktout, 0); /* default break length */
9026 ssh2_pkt_send(ssh, pktout);
9029 /* Is is a POSIX signal? */
9030 char *signame = NULL;
9031 if (code == TS_SIGABRT) signame = "ABRT";
9032 if (code == TS_SIGALRM) signame = "ALRM";
9033 if (code == TS_SIGFPE) signame = "FPE";
9034 if (code == TS_SIGHUP) signame = "HUP";
9035 if (code == TS_SIGILL) signame = "ILL";
9036 if (code == TS_SIGINT) signame = "INT";
9037 if (code == TS_SIGKILL) signame = "KILL";
9038 if (code == TS_SIGPIPE) signame = "PIPE";
9039 if (code == TS_SIGQUIT) signame = "QUIT";
9040 if (code == TS_SIGSEGV) signame = "SEGV";
9041 if (code == TS_SIGTERM) signame = "TERM";
9042 if (code == TS_SIGUSR1) signame = "USR1";
9043 if (code == TS_SIGUSR2) signame = "USR2";
9044 /* The SSH-2 protocol does in principle support arbitrary named
9045 * signals, including signame@domain, but we don't support those. */
9047 /* It's a signal. */
9048 if (ssh->version == 2 && ssh->mainchan) {
9049 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9050 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9051 ssh2_pkt_addstring(pktout, "signal");
9052 ssh2_pkt_addbool(pktout, 0);
9053 ssh2_pkt_addstring(pktout, signame);
9054 ssh2_pkt_send(ssh, pktout);
9055 logeventf(ssh, "Sent signal SIG%s", signame);
9058 /* Never heard of it. Do nothing */
9063 void *new_sock_channel(void *handle, Socket s)
9065 Ssh ssh = (Ssh) handle;
9066 struct ssh_channel *c;
9067 c = snew(struct ssh_channel);
9072 c->localid = alloc_channel_id(ssh);
9074 c->type = CHAN_SOCKDATA_DORMANT;/* identify channel type */
9076 bufchain_init(&c->v.v2.outbuffer);
9077 add234(ssh->channels, c);
9083 * This is called when stdout/stderr (the entity to which
9084 * from_backend sends data) manages to clear some backlog.
9086 static void ssh_unthrottle(void *handle, int bufsize)
9088 Ssh ssh = (Ssh) handle;
9089 if (ssh->version == 1) {
9090 if (ssh->v1_stdout_throttling && bufsize < SSH1_BUFFER_LIMIT) {
9091 ssh->v1_stdout_throttling = 0;
9092 ssh1_throttle(ssh, -1);
9096 ssh2_set_window(ssh->mainchan,
9097 ssh->mainchan->v.v2.locmaxwin - bufsize);
9101 void ssh_send_port_open(void *channel, char *hostname, int port, char *org)
9103 struct ssh_channel *c = (struct ssh_channel *)channel;
9105 struct Packet *pktout;
9107 logeventf(ssh, "Opening forwarded connection to %s:%d", hostname, port);
9109 if (ssh->version == 1) {
9110 send_packet(ssh, SSH1_MSG_PORT_OPEN,
9111 PKT_INT, c->localid,
9114 /* PKT_STR, <org:orgport>, */
9117 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
9118 ssh2_pkt_addstring(pktout, "direct-tcpip");
9119 ssh2_pkt_adduint32(pktout, c->localid);
9120 c->v.v2.locwindow = c->v.v2.locmaxwin = OUR_V2_WINSIZE;
9121 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);/* our window size */
9122 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
9123 ssh2_pkt_addstring(pktout, hostname);
9124 ssh2_pkt_adduint32(pktout, port);
9126 * We make up values for the originator data; partly it's
9127 * too much hassle to keep track, and partly I'm not
9128 * convinced the server should be told details like that
9129 * about my local network configuration.
9130 * The "originator IP address" is syntactically a numeric
9131 * IP address, and some servers (e.g., Tectia) get upset
9132 * if it doesn't match this syntax.
9134 ssh2_pkt_addstring(pktout, "0.0.0.0");
9135 ssh2_pkt_adduint32(pktout, 0);
9136 ssh2_pkt_send(ssh, pktout);
9140 static int ssh_connected(void *handle)
9142 Ssh ssh = (Ssh) handle;
9143 return ssh->s != NULL;
9146 static int ssh_sendok(void *handle)
9148 Ssh ssh = (Ssh) handle;
9149 return ssh->send_ok;
9152 static int ssh_ldisc(void *handle, int option)
9154 Ssh ssh = (Ssh) handle;
9155 if (option == LD_ECHO)
9156 return ssh->echoing;
9157 if (option == LD_EDIT)
9158 return ssh->editing;
9162 static void ssh_provide_ldisc(void *handle, void *ldisc)
9164 Ssh ssh = (Ssh) handle;
9168 static void ssh_provide_logctx(void *handle, void *logctx)
9170 Ssh ssh = (Ssh) handle;
9171 ssh->logctx = logctx;
9174 static int ssh_return_exitcode(void *handle)
9176 Ssh ssh = (Ssh) handle;
9180 return (ssh->exitcode >= 0 ? ssh->exitcode : INT_MAX);
9184 * cfg_info for SSH is the currently running version of the
9185 * protocol. (1 for 1; 2 for 2; 0 for not-decided-yet.)
9187 static int ssh_cfg_info(void *handle)
9189 Ssh ssh = (Ssh) handle;
9190 return ssh->version;
9194 * Gross hack: pscp will try to start SFTP but fall back to scp1 if
9195 * that fails. This variable is the means by which scp.c can reach
9196 * into the SSH code and find out which one it got.
9198 extern int ssh_fallback_cmd(void *handle)
9200 Ssh ssh = (Ssh) handle;
9201 return ssh->fallback_cmd;
9204 Backend ssh_backend = {
9214 ssh_return_exitcode,