22 #define SSH1_MSG_DISCONNECT 1 /* 0x1 */
23 #define SSH1_SMSG_PUBLIC_KEY 2 /* 0x2 */
24 #define SSH1_CMSG_SESSION_KEY 3 /* 0x3 */
25 #define SSH1_CMSG_USER 4 /* 0x4 */
26 #define SSH1_CMSG_AUTH_RSA 6 /* 0x6 */
27 #define SSH1_SMSG_AUTH_RSA_CHALLENGE 7 /* 0x7 */
28 #define SSH1_CMSG_AUTH_RSA_RESPONSE 8 /* 0x8 */
29 #define SSH1_CMSG_AUTH_PASSWORD 9 /* 0x9 */
30 #define SSH1_CMSG_REQUEST_PTY 10 /* 0xa */
31 #define SSH1_CMSG_WINDOW_SIZE 11 /* 0xb */
32 #define SSH1_CMSG_EXEC_SHELL 12 /* 0xc */
33 #define SSH1_CMSG_EXEC_CMD 13 /* 0xd */
34 #define SSH1_SMSG_SUCCESS 14 /* 0xe */
35 #define SSH1_SMSG_FAILURE 15 /* 0xf */
36 #define SSH1_CMSG_STDIN_DATA 16 /* 0x10 */
37 #define SSH1_SMSG_STDOUT_DATA 17 /* 0x11 */
38 #define SSH1_SMSG_STDERR_DATA 18 /* 0x12 */
39 #define SSH1_CMSG_EOF 19 /* 0x13 */
40 #define SSH1_SMSG_EXIT_STATUS 20 /* 0x14 */
41 #define SSH1_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* 0x15 */
42 #define SSH1_MSG_CHANNEL_OPEN_FAILURE 22 /* 0x16 */
43 #define SSH1_MSG_CHANNEL_DATA 23 /* 0x17 */
44 #define SSH1_MSG_CHANNEL_CLOSE 24 /* 0x18 */
45 #define SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* 0x19 */
46 #define SSH1_SMSG_X11_OPEN 27 /* 0x1b */
47 #define SSH1_CMSG_PORT_FORWARD_REQUEST 28 /* 0x1c */
48 #define SSH1_MSG_PORT_OPEN 29 /* 0x1d */
49 #define SSH1_CMSG_AGENT_REQUEST_FORWARDING 30 /* 0x1e */
50 #define SSH1_SMSG_AGENT_OPEN 31 /* 0x1f */
51 #define SSH1_MSG_IGNORE 32 /* 0x20 */
52 #define SSH1_CMSG_EXIT_CONFIRMATION 33 /* 0x21 */
53 #define SSH1_CMSG_X11_REQUEST_FORWARDING 34 /* 0x22 */
54 #define SSH1_CMSG_AUTH_RHOSTS_RSA 35 /* 0x23 */
55 #define SSH1_MSG_DEBUG 36 /* 0x24 */
56 #define SSH1_CMSG_REQUEST_COMPRESSION 37 /* 0x25 */
57 #define SSH1_CMSG_AUTH_TIS 39 /* 0x27 */
58 #define SSH1_SMSG_AUTH_TIS_CHALLENGE 40 /* 0x28 */
59 #define SSH1_CMSG_AUTH_TIS_RESPONSE 41 /* 0x29 */
60 #define SSH1_CMSG_AUTH_CCARD 70 /* 0x46 */
61 #define SSH1_SMSG_AUTH_CCARD_CHALLENGE 71 /* 0x47 */
62 #define SSH1_CMSG_AUTH_CCARD_RESPONSE 72 /* 0x48 */
64 #define SSH1_AUTH_TIS 5 /* 0x5 */
65 #define SSH1_AUTH_CCARD 16 /* 0x10 */
67 #define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */
68 /* Mask for protoflags we will echo back to server if seen */
69 #define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */
71 #define SSH2_MSG_DISCONNECT 1 /* 0x1 */
72 #define SSH2_MSG_IGNORE 2 /* 0x2 */
73 #define SSH2_MSG_UNIMPLEMENTED 3 /* 0x3 */
74 #define SSH2_MSG_DEBUG 4 /* 0x4 */
75 #define SSH2_MSG_SERVICE_REQUEST 5 /* 0x5 */
76 #define SSH2_MSG_SERVICE_ACCEPT 6 /* 0x6 */
77 #define SSH2_MSG_KEXINIT 20 /* 0x14 */
78 #define SSH2_MSG_NEWKEYS 21 /* 0x15 */
79 #define SSH2_MSG_KEXDH_INIT 30 /* 0x1e */
80 #define SSH2_MSG_KEXDH_REPLY 31 /* 0x1f */
81 #define SSH2_MSG_KEX_DH_GEX_REQUEST 30 /* 0x1e */
82 #define SSH2_MSG_KEX_DH_GEX_GROUP 31 /* 0x1f */
83 #define SSH2_MSG_KEX_DH_GEX_INIT 32 /* 0x20 */
84 #define SSH2_MSG_KEX_DH_GEX_REPLY 33 /* 0x21 */
85 #define SSH2_MSG_USERAUTH_REQUEST 50 /* 0x32 */
86 #define SSH2_MSG_USERAUTH_FAILURE 51 /* 0x33 */
87 #define SSH2_MSG_USERAUTH_SUCCESS 52 /* 0x34 */
88 #define SSH2_MSG_USERAUTH_BANNER 53 /* 0x35 */
89 #define SSH2_MSG_USERAUTH_PK_OK 60 /* 0x3c */
90 #define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 /* 0x3c */
91 #define SSH2_MSG_USERAUTH_INFO_REQUEST 60 /* 0x3c */
92 #define SSH2_MSG_USERAUTH_INFO_RESPONSE 61 /* 0x3d */
93 #define SSH2_MSG_GLOBAL_REQUEST 80 /* 0x50 */
94 #define SSH2_MSG_REQUEST_SUCCESS 81 /* 0x51 */
95 #define SSH2_MSG_REQUEST_FAILURE 82 /* 0x52 */
96 #define SSH2_MSG_CHANNEL_OPEN 90 /* 0x5a */
97 #define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION 91 /* 0x5b */
98 #define SSH2_MSG_CHANNEL_OPEN_FAILURE 92 /* 0x5c */
99 #define SSH2_MSG_CHANNEL_WINDOW_ADJUST 93 /* 0x5d */
100 #define SSH2_MSG_CHANNEL_DATA 94 /* 0x5e */
101 #define SSH2_MSG_CHANNEL_EXTENDED_DATA 95 /* 0x5f */
102 #define SSH2_MSG_CHANNEL_EOF 96 /* 0x60 */
103 #define SSH2_MSG_CHANNEL_CLOSE 97 /* 0x61 */
104 #define SSH2_MSG_CHANNEL_REQUEST 98 /* 0x62 */
105 #define SSH2_MSG_CHANNEL_SUCCESS 99 /* 0x63 */
106 #define SSH2_MSG_CHANNEL_FAILURE 100 /* 0x64 */
109 * Packet type contexts, so that ssh2_pkt_type can correctly decode
110 * the ambiguous type numbers back into the correct type strings.
112 #define SSH2_PKTCTX_DHGROUP 0x0001
113 #define SSH2_PKTCTX_DHGEX 0x0002
114 #define SSH2_PKTCTX_KEX_MASK 0x000F
115 #define SSH2_PKTCTX_PUBLICKEY 0x0010
116 #define SSH2_PKTCTX_PASSWORD 0x0020
117 #define SSH2_PKTCTX_KBDINTER 0x0040
118 #define SSH2_PKTCTX_AUTH_MASK 0x00F0
120 #define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */
121 #define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */
122 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */
123 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */
124 #define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */
125 #define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */
126 #define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */
127 #define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */
128 #define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */
129 #define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */
130 #define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */
131 #define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */
132 #define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */
133 #define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */
134 #define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */
136 static const char *const ssh2_disconnect_reasons[] = {
138 "host not allowed to connect",
140 "key exchange failed",
141 "host authentication failed",
144 "service not available",
145 "protocol version not supported",
146 "host key not verifiable",
149 "too many connections",
150 "auth cancelled by user",
151 "no more auth methods available",
155 #define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */
156 #define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */
157 #define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */
158 #define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */
160 #define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */
163 * Various remote-bug flags.
165 #define BUG_CHOKES_ON_SSH1_IGNORE 1
166 #define BUG_SSH2_HMAC 2
167 #define BUG_NEEDS_SSH1_PLAIN_PASSWORD 4
168 #define BUG_CHOKES_ON_RSA 8
169 #define BUG_SSH2_RSA_PADDING 16
170 #define BUG_SSH2_DERIVEKEY 32
171 #define BUG_SSH2_REKEY 64
172 #define BUG_SSH2_PK_SESSIONID 128
175 * Codes for terminal modes.
176 * Most of these are the same in SSH-1 and SSH-2.
177 * This list is derived from draft-ietf-secsh-connect-25 and
180 static const struct {
181 const char* const mode;
183 enum { TTY_OP_CHAR, TTY_OP_BOOL } type;
185 /* "V" prefix discarded for special characters relative to SSH specs */
186 { "INTR", 1, TTY_OP_CHAR },
187 { "QUIT", 2, TTY_OP_CHAR },
188 { "ERASE", 3, TTY_OP_CHAR },
189 { "KILL", 4, TTY_OP_CHAR },
190 { "EOF", 5, TTY_OP_CHAR },
191 { "EOL", 6, TTY_OP_CHAR },
192 { "EOL2", 7, TTY_OP_CHAR },
193 { "START", 8, TTY_OP_CHAR },
194 { "STOP", 9, TTY_OP_CHAR },
195 { "SUSP", 10, TTY_OP_CHAR },
196 { "DSUSP", 11, TTY_OP_CHAR },
197 { "REPRINT", 12, TTY_OP_CHAR },
198 { "WERASE", 13, TTY_OP_CHAR },
199 { "LNEXT", 14, TTY_OP_CHAR },
200 { "FLUSH", 15, TTY_OP_CHAR },
201 { "SWTCH", 16, TTY_OP_CHAR },
202 { "STATUS", 17, TTY_OP_CHAR },
203 { "DISCARD", 18, TTY_OP_CHAR },
204 { "IGNPAR", 30, TTY_OP_BOOL },
205 { "PARMRK", 31, TTY_OP_BOOL },
206 { "INPCK", 32, TTY_OP_BOOL },
207 { "ISTRIP", 33, TTY_OP_BOOL },
208 { "INLCR", 34, TTY_OP_BOOL },
209 { "IGNCR", 35, TTY_OP_BOOL },
210 { "ICRNL", 36, TTY_OP_BOOL },
211 { "IUCLC", 37, TTY_OP_BOOL },
212 { "IXON", 38, TTY_OP_BOOL },
213 { "IXANY", 39, TTY_OP_BOOL },
214 { "IXOFF", 40, TTY_OP_BOOL },
215 { "IMAXBEL", 41, TTY_OP_BOOL },
216 { "ISIG", 50, TTY_OP_BOOL },
217 { "ICANON", 51, TTY_OP_BOOL },
218 { "XCASE", 52, TTY_OP_BOOL },
219 { "ECHO", 53, TTY_OP_BOOL },
220 { "ECHOE", 54, TTY_OP_BOOL },
221 { "ECHOK", 55, TTY_OP_BOOL },
222 { "ECHONL", 56, TTY_OP_BOOL },
223 { "NOFLSH", 57, TTY_OP_BOOL },
224 { "TOSTOP", 58, TTY_OP_BOOL },
225 { "IEXTEN", 59, TTY_OP_BOOL },
226 { "ECHOCTL", 60, TTY_OP_BOOL },
227 { "ECHOKE", 61, TTY_OP_BOOL },
228 { "PENDIN", 62, TTY_OP_BOOL }, /* XXX is this a real mode? */
229 { "OPOST", 70, TTY_OP_BOOL },
230 { "OLCUC", 71, TTY_OP_BOOL },
231 { "ONLCR", 72, TTY_OP_BOOL },
232 { "OCRNL", 73, TTY_OP_BOOL },
233 { "ONOCR", 74, TTY_OP_BOOL },
234 { "ONLRET", 75, TTY_OP_BOOL },
235 { "CS7", 90, TTY_OP_BOOL },
236 { "CS8", 91, TTY_OP_BOOL },
237 { "PARENB", 92, TTY_OP_BOOL },
238 { "PARODD", 93, TTY_OP_BOOL }
241 /* Miscellaneous other tty-related constants. */
242 #define SSH_TTY_OP_END 0
243 /* The opcodes for ISPEED/OSPEED differ between SSH-1 and SSH-2. */
244 #define SSH1_TTY_OP_ISPEED 192
245 #define SSH1_TTY_OP_OSPEED 193
246 #define SSH2_TTY_OP_ISPEED 128
247 #define SSH2_TTY_OP_OSPEED 129
249 /* Helper functions for parsing tty-related config. */
250 static unsigned int ssh_tty_parse_specchar(char *s)
255 ret = ctrlparse(s, &next);
256 if (!next) ret = s[0];
258 ret = 255; /* special value meaning "don't set" */
262 static unsigned int ssh_tty_parse_boolean(char *s)
264 if (stricmp(s, "yes") == 0 ||
265 stricmp(s, "on") == 0 ||
266 stricmp(s, "true") == 0 ||
267 stricmp(s, "+") == 0)
269 else if (stricmp(s, "no") == 0 ||
270 stricmp(s, "off") == 0 ||
271 stricmp(s, "false") == 0 ||
272 stricmp(s, "-") == 0)
273 return 0; /* false */
275 return (atoi(s) != 0);
278 #define translate(x) if (type == x) return #x
279 #define translatec(x,ctx) if (type == x && (pkt_ctx & ctx)) return #x
280 static char *ssh1_pkt_type(int type)
282 translate(SSH1_MSG_DISCONNECT);
283 translate(SSH1_SMSG_PUBLIC_KEY);
284 translate(SSH1_CMSG_SESSION_KEY);
285 translate(SSH1_CMSG_USER);
286 translate(SSH1_CMSG_AUTH_RSA);
287 translate(SSH1_SMSG_AUTH_RSA_CHALLENGE);
288 translate(SSH1_CMSG_AUTH_RSA_RESPONSE);
289 translate(SSH1_CMSG_AUTH_PASSWORD);
290 translate(SSH1_CMSG_REQUEST_PTY);
291 translate(SSH1_CMSG_WINDOW_SIZE);
292 translate(SSH1_CMSG_EXEC_SHELL);
293 translate(SSH1_CMSG_EXEC_CMD);
294 translate(SSH1_SMSG_SUCCESS);
295 translate(SSH1_SMSG_FAILURE);
296 translate(SSH1_CMSG_STDIN_DATA);
297 translate(SSH1_SMSG_STDOUT_DATA);
298 translate(SSH1_SMSG_STDERR_DATA);
299 translate(SSH1_CMSG_EOF);
300 translate(SSH1_SMSG_EXIT_STATUS);
301 translate(SSH1_MSG_CHANNEL_OPEN_CONFIRMATION);
302 translate(SSH1_MSG_CHANNEL_OPEN_FAILURE);
303 translate(SSH1_MSG_CHANNEL_DATA);
304 translate(SSH1_MSG_CHANNEL_CLOSE);
305 translate(SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION);
306 translate(SSH1_SMSG_X11_OPEN);
307 translate(SSH1_CMSG_PORT_FORWARD_REQUEST);
308 translate(SSH1_MSG_PORT_OPEN);
309 translate(SSH1_CMSG_AGENT_REQUEST_FORWARDING);
310 translate(SSH1_SMSG_AGENT_OPEN);
311 translate(SSH1_MSG_IGNORE);
312 translate(SSH1_CMSG_EXIT_CONFIRMATION);
313 translate(SSH1_CMSG_X11_REQUEST_FORWARDING);
314 translate(SSH1_CMSG_AUTH_RHOSTS_RSA);
315 translate(SSH1_MSG_DEBUG);
316 translate(SSH1_CMSG_REQUEST_COMPRESSION);
317 translate(SSH1_CMSG_AUTH_TIS);
318 translate(SSH1_SMSG_AUTH_TIS_CHALLENGE);
319 translate(SSH1_CMSG_AUTH_TIS_RESPONSE);
320 translate(SSH1_CMSG_AUTH_CCARD);
321 translate(SSH1_SMSG_AUTH_CCARD_CHALLENGE);
322 translate(SSH1_CMSG_AUTH_CCARD_RESPONSE);
325 static char *ssh2_pkt_type(int pkt_ctx, int type)
327 translate(SSH2_MSG_DISCONNECT);
328 translate(SSH2_MSG_IGNORE);
329 translate(SSH2_MSG_UNIMPLEMENTED);
330 translate(SSH2_MSG_DEBUG);
331 translate(SSH2_MSG_SERVICE_REQUEST);
332 translate(SSH2_MSG_SERVICE_ACCEPT);
333 translate(SSH2_MSG_KEXINIT);
334 translate(SSH2_MSG_NEWKEYS);
335 translatec(SSH2_MSG_KEXDH_INIT, SSH2_PKTCTX_DHGROUP);
336 translatec(SSH2_MSG_KEXDH_REPLY, SSH2_PKTCTX_DHGROUP);
337 translatec(SSH2_MSG_KEX_DH_GEX_REQUEST, SSH2_PKTCTX_DHGEX);
338 translatec(SSH2_MSG_KEX_DH_GEX_GROUP, SSH2_PKTCTX_DHGEX);
339 translatec(SSH2_MSG_KEX_DH_GEX_INIT, SSH2_PKTCTX_DHGEX);
340 translatec(SSH2_MSG_KEX_DH_GEX_REPLY, SSH2_PKTCTX_DHGEX);
341 translate(SSH2_MSG_USERAUTH_REQUEST);
342 translate(SSH2_MSG_USERAUTH_FAILURE);
343 translate(SSH2_MSG_USERAUTH_SUCCESS);
344 translate(SSH2_MSG_USERAUTH_BANNER);
345 translatec(SSH2_MSG_USERAUTH_PK_OK, SSH2_PKTCTX_PUBLICKEY);
346 translatec(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, SSH2_PKTCTX_PASSWORD);
347 translatec(SSH2_MSG_USERAUTH_INFO_REQUEST, SSH2_PKTCTX_KBDINTER);
348 translatec(SSH2_MSG_USERAUTH_INFO_RESPONSE, SSH2_PKTCTX_KBDINTER);
349 translate(SSH2_MSG_GLOBAL_REQUEST);
350 translate(SSH2_MSG_REQUEST_SUCCESS);
351 translate(SSH2_MSG_REQUEST_FAILURE);
352 translate(SSH2_MSG_CHANNEL_OPEN);
353 translate(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
354 translate(SSH2_MSG_CHANNEL_OPEN_FAILURE);
355 translate(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
356 translate(SSH2_MSG_CHANNEL_DATA);
357 translate(SSH2_MSG_CHANNEL_EXTENDED_DATA);
358 translate(SSH2_MSG_CHANNEL_EOF);
359 translate(SSH2_MSG_CHANNEL_CLOSE);
360 translate(SSH2_MSG_CHANNEL_REQUEST);
361 translate(SSH2_MSG_CHANNEL_SUCCESS);
362 translate(SSH2_MSG_CHANNEL_FAILURE);
368 /* Enumeration values for fields in SSH-1 packets */
370 PKT_END, PKT_INT, PKT_CHAR, PKT_DATA, PKT_STR, PKT_BIGNUM,
371 /* These values are for communicating relevant semantics of
372 * fields to the packet logging code. */
373 PKTT_OTHER, PKTT_PASSWORD, PKTT_DATA
377 * Coroutine mechanics for the sillier bits of the code. If these
378 * macros look impenetrable to you, you might find it helpful to
381 * http://www.chiark.greenend.org.uk/~sgtatham/coroutines.html
383 * which explains the theory behind these macros.
385 * In particular, if you are getting `case expression not constant'
386 * errors when building with MS Visual Studio, this is because MS's
387 * Edit and Continue debugging feature causes their compiler to
388 * violate ANSI C. To disable Edit and Continue debugging:
390 * - right-click ssh.c in the FileView
392 * - select the C/C++ tab and the General category
393 * - under `Debug info:', select anything _other_ than `Program
394 * Database for Edit and Continue'.
396 #define crBegin(v) { int *crLine = &v; switch(v) { case 0:;
399 if (!ssh->t) ssh->t = snew(struct t); \
401 #define crFinish(z) } *crLine = 0; return (z); }
402 #define crFinishV } *crLine = 0; return; }
403 #define crReturn(z) \
405 *crLine =__LINE__; return (z); case __LINE__:;\
409 *crLine=__LINE__; return; case __LINE__:;\
411 #define crStop(z) do{ *crLine = 0; return (z); }while(0)
412 #define crStopV do{ *crLine = 0; return; }while(0)
413 #define crWaitUntil(c) do { crReturn(0); } while (!(c))
414 #define crWaitUntilV(c) do { crReturnV; } while (!(c))
416 typedef struct ssh_tag *Ssh;
419 static struct Packet *ssh1_pkt_init(int pkt_type);
420 static struct Packet *ssh2_pkt_init(int pkt_type);
421 static void ssh_pkt_ensure(struct Packet *, int length);
422 static void ssh_pkt_adddata(struct Packet *, void *data, int len);
423 static void ssh_pkt_addbyte(struct Packet *, unsigned char value);
424 static void ssh2_pkt_addbool(struct Packet *, unsigned char value);
425 static void ssh_pkt_adduint32(struct Packet *, unsigned long value);
426 static void ssh_pkt_addstring_start(struct Packet *);
427 static void ssh_pkt_addstring_str(struct Packet *, char *data);
428 static void ssh_pkt_addstring_data(struct Packet *, char *data, int len);
429 static void ssh_pkt_addstring(struct Packet *, char *data);
430 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len);
431 static void ssh1_pkt_addmp(struct Packet *, Bignum b);
432 static void ssh2_pkt_addmp(struct Packet *, Bignum b);
433 static int ssh2_pkt_construct(Ssh, struct Packet *);
434 static void ssh2_pkt_send(Ssh, struct Packet *);
435 static void ssh2_pkt_send_noqueue(Ssh, struct Packet *);
436 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
437 struct Packet *pktin);
438 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
439 struct Packet *pktin);
442 * Buffer management constants. There are several of these for
443 * various different purposes:
445 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
446 * on a local data stream before we throttle the whole SSH
447 * connection (in SSH-1 only). Throttling the whole connection is
448 * pretty drastic so we set this high in the hope it won't
451 * - SSH_MAX_BACKLOG is the amount of backlog that must build up
452 * on the SSH connection itself before we defensively throttle
453 * _all_ local data streams. This is pretty drastic too (though
454 * thankfully unlikely in SSH-2 since the window mechanism should
455 * ensure that the server never has any need to throttle its end
456 * of the connection), so we set this high as well.
458 * - OUR_V2_WINSIZE is the maximum window size we present on SSH-2
462 #define SSH1_BUFFER_LIMIT 32768
463 #define SSH_MAX_BACKLOG 32768
464 #define OUR_V2_WINSIZE 16384
465 #define OUR_V2_MAXPKT 0x4000UL
467 /* Maximum length of passwords/passphrases (arbitrary) */
468 #define SSH_MAX_PASSWORD_LEN 100
470 const static struct ssh_signkey *hostkey_algs[] = { &ssh_rsa, &ssh_dss };
472 const static struct ssh_mac *macs[] = {
473 &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
475 const static struct ssh_mac *buggymacs[] = {
476 &ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
479 static void *ssh_comp_none_init(void)
483 static void ssh_comp_none_cleanup(void *handle)
486 static int ssh_comp_none_block(void *handle, unsigned char *block, int len,
487 unsigned char **outblock, int *outlen)
491 static int ssh_comp_none_disable(void *handle)
495 const static struct ssh_compress ssh_comp_none = {
497 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
498 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
499 ssh_comp_none_disable, NULL
501 extern const struct ssh_compress ssh_zlib;
502 const static struct ssh_compress *compressions[] = {
503 &ssh_zlib, &ssh_comp_none
506 enum { /* channel types */
511 CHAN_SOCKDATA_DORMANT /* one the remote hasn't confirmed */
515 * 2-3-4 tree storing channels.
518 Ssh ssh; /* pointer back to main context */
519 unsigned remoteid, localid;
521 /* True if we opened this channel but server hasn't confirmed. */
524 * In SSH-1, this value contains four bits:
526 * 1 We have sent SSH1_MSG_CHANNEL_CLOSE.
527 * 2 We have sent SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
528 * 4 We have received SSH1_MSG_CHANNEL_CLOSE.
529 * 8 We have received SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
531 * A channel is completely finished with when all four bits are set.
535 struct ssh1_data_channel {
538 struct ssh2_data_channel {
540 unsigned remwindow, remmaxpkt;
545 struct ssh_agent_channel {
546 unsigned char *message;
547 unsigned char msglen[4];
548 unsigned lensofar, totallen;
550 struct ssh_x11_channel {
553 struct ssh_pfd_channel {
560 * 2-3-4 tree storing remote->local port forwardings. SSH-1 and SSH-2
561 * use this structure in different ways, reflecting SSH-2's
562 * altogether saner approach to port forwarding.
564 * In SSH-1, you arrange a remote forwarding by sending the server
565 * the remote port number, and the local destination host:port.
566 * When a connection comes in, the server sends you back that
567 * host:port pair, and you connect to it. This is a ready-made
568 * security hole if you're not on the ball: a malicious server
569 * could send you back _any_ host:port pair, so if you trustingly
570 * connect to the address it gives you then you've just opened the
571 * entire inside of your corporate network just by connecting
572 * through it to a dodgy SSH server. Hence, we must store a list of
573 * host:port pairs we _are_ trying to forward to, and reject a
574 * connection request from the server if it's not in the list.
576 * In SSH-2, each side of the connection minds its own business and
577 * doesn't send unnecessary information to the other. You arrange a
578 * remote forwarding by sending the server just the remote port
579 * number. When a connection comes in, the server tells you which
580 * of its ports was connected to; and _you_ have to remember what
581 * local host:port pair went with that port number.
583 * Hence, in SSH-1 this structure is indexed by destination
584 * host:port pair, whereas in SSH-2 it is indexed by source port.
586 struct ssh_portfwd; /* forward declaration */
588 struct ssh_rportfwd {
589 unsigned sport, dport;
592 struct ssh_portfwd *pfrec;
594 #define free_rportfwd(pf) ( \
595 ((pf) ? (sfree((pf)->sportdesc)) : (void)0 ), sfree(pf) )
598 * Separately to the rportfwd tree (which is for looking up port
599 * open requests from the server), a tree of _these_ structures is
600 * used to keep track of all the currently open port forwardings,
601 * so that we can reconfigure in mid-session if the user requests
605 enum { DESTROY, KEEP, CREATE } status;
607 unsigned sport, dport;
610 struct ssh_rportfwd *remote;
614 #define free_portfwd(pf) ( \
615 ((pf) ? (sfree((pf)->saddr), sfree((pf)->daddr), \
616 sfree((pf)->sserv), sfree((pf)->dserv)) : (void)0 ), sfree(pf) )
619 long length; /* length of `data' actually used */
620 long forcepad; /* SSH-2: force padding to at least this length */
621 int type; /* only used for incoming packets */
622 unsigned long sequence; /* SSH-2 incoming sequence number */
623 unsigned char *data; /* allocated storage */
624 unsigned char *body; /* offset of payload within `data' */
625 long savedpos; /* temporary index into `data' (for strings) */
626 long maxlen; /* amount of storage allocated for `data' */
627 long encrypted_len; /* for SSH-2 total-size counting */
630 * State associated with packet logging
634 struct logblank_t *blanks;
637 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
638 struct Packet *pktin);
639 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
640 struct Packet *pktin);
641 static void ssh1_protocol_setup(Ssh ssh);
642 static void ssh2_protocol_setup(Ssh ssh);
643 static void ssh_size(void *handle, int width, int height);
644 static void ssh_special(void *handle, Telnet_Special);
645 static int ssh2_try_send(struct ssh_channel *c);
646 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf, int len);
647 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize);
648 static void ssh2_set_window(struct ssh_channel *c, unsigned newwin);
649 static int ssh_sendbuffer(void *handle);
650 static int ssh_do_close(Ssh ssh, int notify_exit);
651 static unsigned long ssh_pkt_getuint32(struct Packet *pkt);
652 static int ssh2_pkt_getbool(struct Packet *pkt);
653 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length);
654 static void ssh2_timer(void *ctx, long now);
655 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
656 struct Packet *pktin);
658 struct rdpkt1_state_tag {
659 long len, pad, biglen, to_read;
660 unsigned long realcrc, gotcrc;
664 struct Packet *pktin;
667 struct rdpkt2_state_tag {
668 long len, pad, payload, packetlen, maclen;
671 unsigned long incoming_sequence;
672 struct Packet *pktin;
675 typedef void (*handler_fn_t)(Ssh ssh, struct Packet *pktin);
676 typedef void (*chandler_fn_t)(Ssh ssh, struct Packet *pktin, void *ctx);
678 struct queued_handler;
679 struct queued_handler {
681 chandler_fn_t handler;
683 struct queued_handler *next;
687 const struct plug_function_table *fn;
688 /* the above field _must_ be first in the structure */
698 unsigned char session_key[32];
700 int v1_remote_protoflags;
701 int v1_local_protoflags;
702 int agentfwd_enabled;
705 const struct ssh_cipher *cipher;
708 const struct ssh2_cipher *cscipher, *sccipher;
709 void *cs_cipher_ctx, *sc_cipher_ctx;
710 const struct ssh_mac *csmac, *scmac;
711 void *cs_mac_ctx, *sc_mac_ctx;
712 const struct ssh_compress *cscomp, *sccomp;
713 void *cs_comp_ctx, *sc_comp_ctx;
714 const struct ssh_kex *kex;
715 const struct ssh_signkey *hostkey;
716 unsigned char v2_session_id[SSH2_KEX_MAX_HASH_LEN];
717 int v2_session_id_len;
723 int echoing, editing;
727 int ospeed, ispeed; /* temporaries */
728 int term_width, term_height;
730 tree234 *channels; /* indexed by local id */
731 struct ssh_channel *mainchan; /* primary session channel */
732 int ncmode; /* is primary channel direct-tcpip? */
737 tree234 *rportfwds, *portfwds;
741 SSH_STATE_BEFORE_SIZE,
747 int size_needed, eof_needed;
749 struct Packet **queue;
750 int queuelen, queuesize;
752 unsigned char *deferred_send_data;
753 int deferred_len, deferred_size;
756 * Gross hack: pscp will try to start SFTP but fall back to
757 * scp1 if that fails. This variable is the means by which
758 * scp.c can reach into the SSH code and find out which one it
763 bufchain banner; /* accumulates banners during do_ssh2_authconn */
770 int v1_throttle_count;
773 int v1_stdout_throttling;
774 unsigned long v2_outgoing_sequence;
776 int ssh1_rdpkt_crstate;
777 int ssh2_rdpkt_crstate;
778 int do_ssh_init_crstate;
779 int ssh_gotdata_crstate;
780 int do_ssh1_login_crstate;
781 int do_ssh1_connection_crstate;
782 int do_ssh2_transport_crstate;
783 int do_ssh2_authconn_crstate;
785 void *do_ssh_init_state;
786 void *do_ssh1_login_state;
787 void *do_ssh2_transport_state;
788 void *do_ssh2_authconn_state;
790 struct rdpkt1_state_tag rdpkt1_state;
791 struct rdpkt2_state_tag rdpkt2_state;
793 /* SSH-1 and SSH-2 use this for different things, but both use it */
794 int protocol_initial_phase_done;
796 void (*protocol) (Ssh ssh, void *vin, int inlen,
798 struct Packet *(*s_rdpkt) (Ssh ssh, unsigned char **data, int *datalen);
801 * We maintain a full _copy_ of a Config structure here, not
802 * merely a pointer to it. That way, when we're passed a new
803 * one for reconfiguration, we can check the differences and
804 * potentially reconfigure port forwardings etc in mid-session.
809 * Used to transfer data back from async callbacks.
811 void *agent_response;
812 int agent_response_len;
816 * The SSH connection can be set as `frozen', meaning we are
817 * not currently accepting incoming data from the network. This
818 * is slightly more serious than setting the _socket_ as
819 * frozen, because we may already have had data passed to us
820 * from the network which we need to delay processing until
821 * after the freeze is lifted, so we also need a bufchain to
825 bufchain queued_incoming_data;
828 * Dispatch table for packet types that we may have to deal
831 handler_fn_t packet_dispatch[256];
834 * Queues of one-off handler functions for success/failure
835 * indications from a request.
837 struct queued_handler *qhead, *qtail;
840 * This module deals with sending keepalives.
845 * Track incoming and outgoing data sizes and time, for
848 unsigned long incoming_data_size, outgoing_data_size, deferred_data_size;
849 unsigned long max_data_size;
851 long next_rekey, last_rekey;
852 char *deferred_rekey_reason; /* points to STATIC string; don't free */
855 #define logevent(s) logevent(ssh->frontend, s)
857 /* logevent, only printf-formatted. */
858 static void logeventf(Ssh ssh, const char *fmt, ...)
864 buf = dupvprintf(fmt, ap);
870 #define bombout(msg) \
872 char *text = dupprintf msg; \
873 ssh_do_close(ssh, FALSE); \
875 connection_fatal(ssh->frontend, "%s", text); \
879 /* Functions to leave bits out of the SSH packet log file. */
881 static void dont_log_password(Ssh ssh, struct Packet *pkt, int blanktype)
883 if (ssh->cfg.logomitpass)
884 pkt->logmode = blanktype;
887 static void dont_log_data(Ssh ssh, struct Packet *pkt, int blanktype)
889 if (ssh->cfg.logomitdata)
890 pkt->logmode = blanktype;
893 static void end_log_omission(Ssh ssh, struct Packet *pkt)
895 pkt->logmode = PKTLOG_EMIT;
898 /* Helper function for common bits of parsing cfg.ttymodes. */
899 static void parse_ttymodes(Ssh ssh, char *modes,
900 void (*do_mode)(void *data, char *mode, char *val),
904 char *t = strchr(modes, '\t');
905 char *m = snewn(t-modes+1, char);
907 strncpy(m, modes, t-modes);
910 val = get_ttymode(ssh->frontend, m);
914 do_mode(data, m, val);
917 modes += strlen(modes) + 1;
921 static int ssh_channelcmp(void *av, void *bv)
923 struct ssh_channel *a = (struct ssh_channel *) av;
924 struct ssh_channel *b = (struct ssh_channel *) bv;
925 if (a->localid < b->localid)
927 if (a->localid > b->localid)
931 static int ssh_channelfind(void *av, void *bv)
933 unsigned *a = (unsigned *) av;
934 struct ssh_channel *b = (struct ssh_channel *) bv;
942 static int ssh_rportcmp_ssh1(void *av, void *bv)
944 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
945 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
947 if ( (i = strcmp(a->dhost, b->dhost)) != 0)
948 return i < 0 ? -1 : +1;
949 if (a->dport > b->dport)
951 if (a->dport < b->dport)
956 static int ssh_rportcmp_ssh2(void *av, void *bv)
958 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
959 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
961 if (a->sport > b->sport)
963 if (a->sport < b->sport)
969 * Special form of strcmp which can cope with NULL inputs. NULL is
970 * defined to sort before even the empty string.
972 static int nullstrcmp(const char *a, const char *b)
974 if (a == NULL && b == NULL)
983 static int ssh_portcmp(void *av, void *bv)
985 struct ssh_portfwd *a = (struct ssh_portfwd *) av;
986 struct ssh_portfwd *b = (struct ssh_portfwd *) bv;
988 if (a->type > b->type)
990 if (a->type < b->type)
992 if (a->addressfamily > b->addressfamily)
994 if (a->addressfamily < b->addressfamily)
996 if ( (i = nullstrcmp(a->saddr, b->saddr)) != 0)
997 return i < 0 ? -1 : +1;
998 if (a->sport > b->sport)
1000 if (a->sport < b->sport)
1002 if (a->type != 'D') {
1003 if ( (i = nullstrcmp(a->daddr, b->daddr)) != 0)
1004 return i < 0 ? -1 : +1;
1005 if (a->dport > b->dport)
1007 if (a->dport < b->dport)
1013 static int alloc_channel_id(Ssh ssh)
1015 const unsigned CHANNEL_NUMBER_OFFSET = 256;
1016 unsigned low, high, mid;
1018 struct ssh_channel *c;
1021 * First-fit allocation of channel numbers: always pick the
1022 * lowest unused one. To do this, binary-search using the
1023 * counted B-tree to find the largest channel ID which is in a
1024 * contiguous sequence from the beginning. (Precisely
1025 * everything in that sequence must have ID equal to its tree
1026 * index plus CHANNEL_NUMBER_OFFSET.)
1028 tsize = count234(ssh->channels);
1032 while (high - low > 1) {
1033 mid = (high + low) / 2;
1034 c = index234(ssh->channels, mid);
1035 if (c->localid == mid + CHANNEL_NUMBER_OFFSET)
1036 low = mid; /* this one is fine */
1038 high = mid; /* this one is past it */
1041 * Now low points to either -1, or the tree index of the
1042 * largest ID in the initial sequence.
1045 unsigned i = low + 1 + CHANNEL_NUMBER_OFFSET;
1046 assert(NULL == find234(ssh->channels, &i, ssh_channelfind));
1048 return low + 1 + CHANNEL_NUMBER_OFFSET;
1051 static void c_write_stderr(int trusted, const char *buf, int len)
1054 for (i = 0; i < len; i++)
1055 if (buf[i] != '\r' && (trusted || buf[i] == '\n' || (buf[i] & 0x60)))
1056 fputc(buf[i], stderr);
1059 static void c_write(Ssh ssh, const char *buf, int len)
1061 if (flags & FLAG_STDERR)
1062 c_write_stderr(1, buf, len);
1064 from_backend(ssh->frontend, 1, buf, len);
1067 static void c_write_untrusted(Ssh ssh, const char *buf, int len)
1069 if (flags & FLAG_STDERR)
1070 c_write_stderr(0, buf, len);
1072 from_backend_untrusted(ssh->frontend, buf, len);
1075 static void c_write_str(Ssh ssh, const char *buf)
1077 c_write(ssh, buf, strlen(buf));
1080 static void ssh_free_packet(struct Packet *pkt)
1085 static struct Packet *ssh_new_packet(void)
1087 struct Packet *pkt = snew(struct Packet);
1089 pkt->body = pkt->data = NULL;
1091 pkt->logmode = PKTLOG_EMIT;
1099 * Collect incoming data in the incoming packet buffer.
1100 * Decipher and verify the packet when it is completely read.
1101 * Drop SSH1_MSG_DEBUG and SSH1_MSG_IGNORE packets.
1102 * Update the *data and *datalen variables.
1103 * Return a Packet structure when a packet is completed.
1105 static struct Packet *ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1107 struct rdpkt1_state_tag *st = &ssh->rdpkt1_state;
1109 crBegin(ssh->ssh1_rdpkt_crstate);
1111 st->pktin = ssh_new_packet();
1113 st->pktin->type = 0;
1114 st->pktin->length = 0;
1116 for (st->i = st->len = 0; st->i < 4; st->i++) {
1117 while ((*datalen) == 0)
1119 st->len = (st->len << 8) + **data;
1120 (*data)++, (*datalen)--;
1123 st->pad = 8 - (st->len % 8);
1124 st->biglen = st->len + st->pad;
1125 st->pktin->length = st->len - 5;
1127 if (st->biglen < 0) {
1128 bombout(("Extremely large packet length from server suggests"
1129 " data stream corruption"));
1130 ssh_free_packet(st->pktin);
1134 st->pktin->maxlen = st->biglen;
1135 st->pktin->data = snewn(st->biglen + APIEXTRA, unsigned char);
1137 st->to_read = st->biglen;
1138 st->p = st->pktin->data;
1139 while (st->to_read > 0) {
1140 st->chunk = st->to_read;
1141 while ((*datalen) == 0)
1143 if (st->chunk > (*datalen))
1144 st->chunk = (*datalen);
1145 memcpy(st->p, *data, st->chunk);
1147 *datalen -= st->chunk;
1149 st->to_read -= st->chunk;
1152 if (ssh->cipher && detect_attack(ssh->crcda_ctx, st->pktin->data,
1153 st->biglen, NULL)) {
1154 bombout(("Network attack (CRC compensation) detected!"));
1155 ssh_free_packet(st->pktin);
1160 ssh->cipher->decrypt(ssh->v1_cipher_ctx, st->pktin->data, st->biglen);
1162 st->realcrc = crc32_compute(st->pktin->data, st->biglen - 4);
1163 st->gotcrc = GET_32BIT(st->pktin->data + st->biglen - 4);
1164 if (st->gotcrc != st->realcrc) {
1165 bombout(("Incorrect CRC received on packet"));
1166 ssh_free_packet(st->pktin);
1170 st->pktin->body = st->pktin->data + st->pad + 1;
1171 st->pktin->savedpos = 0;
1173 if (ssh->v1_compressing) {
1174 unsigned char *decompblk;
1176 if (!zlib_decompress_block(ssh->sc_comp_ctx,
1177 st->pktin->body - 1, st->pktin->length + 1,
1178 &decompblk, &decomplen)) {
1179 bombout(("Zlib decompression encountered invalid data"));
1180 ssh_free_packet(st->pktin);
1184 if (st->pktin->maxlen < st->pad + decomplen) {
1185 st->pktin->maxlen = st->pad + decomplen;
1186 st->pktin->data = sresize(st->pktin->data,
1187 st->pktin->maxlen + APIEXTRA,
1189 st->pktin->body = st->pktin->data + st->pad + 1;
1192 memcpy(st->pktin->body - 1, decompblk, decomplen);
1194 st->pktin->length = decomplen - 1;
1197 st->pktin->type = st->pktin->body[-1];
1200 * Log incoming packet, possibly omitting sensitive fields.
1204 struct logblank_t blank;
1205 if (ssh->cfg.logomitdata) {
1206 int do_blank = FALSE, blank_prefix = 0;
1207 /* "Session data" packets - omit the data field */
1208 if ((st->pktin->type == SSH1_SMSG_STDOUT_DATA) ||
1209 (st->pktin->type == SSH1_SMSG_STDERR_DATA)) {
1210 do_blank = TRUE; blank_prefix = 0;
1211 } else if (st->pktin->type == SSH1_MSG_CHANNEL_DATA) {
1212 do_blank = TRUE; blank_prefix = 4;
1215 blank.offset = blank_prefix;
1216 blank.len = st->pktin->length;
1217 blank.type = PKTLOG_OMIT;
1221 log_packet(ssh->logctx,
1222 PKT_INCOMING, st->pktin->type,
1223 ssh1_pkt_type(st->pktin->type),
1224 st->pktin->body, st->pktin->length,
1228 crFinish(st->pktin);
1231 static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1233 struct rdpkt2_state_tag *st = &ssh->rdpkt2_state;
1235 crBegin(ssh->ssh2_rdpkt_crstate);
1237 st->pktin = ssh_new_packet();
1239 st->pktin->type = 0;
1240 st->pktin->length = 0;
1242 st->cipherblk = ssh->sccipher->blksize;
1245 if (st->cipherblk < 8)
1248 st->pktin->data = snewn(st->cipherblk + APIEXTRA, unsigned char);
1251 * Acquire and decrypt the first block of the packet. This will
1252 * contain the length and padding details.
1254 for (st->i = st->len = 0; st->i < st->cipherblk; st->i++) {
1255 while ((*datalen) == 0)
1257 st->pktin->data[st->i] = *(*data)++;
1262 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1263 st->pktin->data, st->cipherblk);
1266 * Now get the length and padding figures.
1268 st->len = GET_32BIT(st->pktin->data);
1269 st->pad = st->pktin->data[4];
1272 * _Completely_ silly lengths should be stomped on before they
1273 * do us any more damage.
1275 if (st->len < 0 || st->len > 35000 || st->pad < 4 ||
1276 st->len - st->pad < 1 || (st->len + 4) % st->cipherblk != 0) {
1277 bombout(("Incoming packet was garbled on decryption"));
1278 ssh_free_packet(st->pktin);
1283 * This enables us to deduce the payload length.
1285 st->payload = st->len - st->pad - 1;
1287 st->pktin->length = st->payload + 5;
1290 * So now we can work out the total packet length.
1292 st->packetlen = st->len + 4;
1293 st->maclen = ssh->scmac ? ssh->scmac->len : 0;
1296 * Allocate memory for the rest of the packet.
1298 st->pktin->maxlen = st->packetlen + st->maclen;
1299 st->pktin->data = sresize(st->pktin->data,
1300 st->pktin->maxlen + APIEXTRA,
1304 * Read and decrypt the remainder of the packet.
1306 for (st->i = st->cipherblk; st->i < st->packetlen + st->maclen;
1308 while ((*datalen) == 0)
1310 st->pktin->data[st->i] = *(*data)++;
1313 /* Decrypt everything _except_ the MAC. */
1315 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1316 st->pktin->data + st->cipherblk,
1317 st->packetlen - st->cipherblk);
1319 st->pktin->encrypted_len = st->packetlen;
1325 && !ssh->scmac->verify(ssh->sc_mac_ctx, st->pktin->data, st->len + 4,
1326 st->incoming_sequence)) {
1327 bombout(("Incorrect MAC received on packet"));
1328 ssh_free_packet(st->pktin);
1332 st->pktin->sequence = st->incoming_sequence++;
1335 * Decompress packet payload.
1338 unsigned char *newpayload;
1341 ssh->sccomp->decompress(ssh->sc_comp_ctx,
1342 st->pktin->data + 5, st->pktin->length - 5,
1343 &newpayload, &newlen)) {
1344 if (st->pktin->maxlen < newlen + 5) {
1345 st->pktin->maxlen = newlen + 5;
1346 st->pktin->data = sresize(st->pktin->data,
1347 st->pktin->maxlen + APIEXTRA,
1350 st->pktin->length = 5 + newlen;
1351 memcpy(st->pktin->data + 5, newpayload, newlen);
1356 st->pktin->savedpos = 6;
1357 st->pktin->body = st->pktin->data;
1358 st->pktin->type = st->pktin->data[5];
1361 * Log incoming packet, possibly omitting sensitive fields.
1365 struct logblank_t blank;
1366 if (ssh->cfg.logomitdata) {
1367 int do_blank = FALSE, blank_prefix = 0;
1368 /* "Session data" packets - omit the data field */
1369 if (st->pktin->type == SSH2_MSG_CHANNEL_DATA) {
1370 do_blank = TRUE; blank_prefix = 4;
1371 } else if (st->pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA) {
1372 do_blank = TRUE; blank_prefix = 8;
1375 blank.offset = blank_prefix;
1376 blank.len = (st->pktin->length-6) - blank_prefix;
1377 blank.type = PKTLOG_OMIT;
1381 log_packet(ssh->logctx, PKT_INCOMING, st->pktin->type,
1382 ssh2_pkt_type(ssh->pkt_ctx, st->pktin->type),
1383 st->pktin->data+6, st->pktin->length-6,
1387 crFinish(st->pktin);
1390 static int s_wrpkt_prepare(Ssh ssh, struct Packet *pkt, int *offset_p)
1392 int pad, biglen, i, pktoffs;
1396 * XXX various versions of SC (including 8.8.4) screw up the
1397 * register allocation in this function and use the same register
1398 * (D6) for len and as a temporary, with predictable results. The
1399 * following sledgehammer prevents this.
1406 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[12],
1407 ssh1_pkt_type(pkt->data[12]),
1408 pkt->body, pkt->length - (pkt->body - pkt->data),
1409 pkt->nblanks, pkt->blanks);
1410 sfree(pkt->blanks); pkt->blanks = NULL;
1413 if (ssh->v1_compressing) {
1414 unsigned char *compblk;
1416 zlib_compress_block(ssh->cs_comp_ctx,
1417 pkt->data + 12, pkt->length - 12,
1418 &compblk, &complen);
1419 memcpy(pkt->data + 12, compblk, complen);
1421 pkt->length = complen + 12;
1424 ssh_pkt_ensure(pkt, pkt->length + 4); /* space for CRC */
1426 len = pkt->length - 4 - 8; /* len(type+data+CRC) */
1427 pad = 8 - (len % 8);
1429 biglen = len + pad; /* len(padding+type+data+CRC) */
1431 for (i = pktoffs; i < 4+8; i++)
1432 pkt->data[i] = random_byte();
1433 crc = crc32_compute(pkt->data + pktoffs + 4, biglen - 4); /* all ex len */
1434 PUT_32BIT(pkt->data + pktoffs + 4 + biglen - 4, crc);
1435 PUT_32BIT(pkt->data + pktoffs, len);
1438 ssh->cipher->encrypt(ssh->v1_cipher_ctx,
1439 pkt->data + pktoffs + 4, biglen);
1441 if (offset_p) *offset_p = pktoffs;
1442 return biglen + 4; /* len(length+padding+type+data+CRC) */
1445 static int s_write(Ssh ssh, void *data, int len)
1447 log_packet(ssh->logctx, PKT_OUTGOING, -1, NULL, data, len, 0, NULL);
1448 return sk_write(ssh->s, (char *)data, len);
1451 static void s_wrpkt(Ssh ssh, struct Packet *pkt)
1453 int len, backlog, offset;
1454 len = s_wrpkt_prepare(ssh, pkt, &offset);
1455 backlog = s_write(ssh, pkt->data + offset, len);
1456 if (backlog > SSH_MAX_BACKLOG)
1457 ssh_throttle_all(ssh, 1, backlog);
1458 ssh_free_packet(pkt);
1461 static void s_wrpkt_defer(Ssh ssh, struct Packet *pkt)
1464 len = s_wrpkt_prepare(ssh, pkt, &offset);
1465 if (ssh->deferred_len + len > ssh->deferred_size) {
1466 ssh->deferred_size = ssh->deferred_len + len + 128;
1467 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1471 memcpy(ssh->deferred_send_data + ssh->deferred_len,
1472 pkt->data + offset, len);
1473 ssh->deferred_len += len;
1474 ssh_free_packet(pkt);
1478 * Construct a SSH-1 packet with the specified contents.
1479 * (This all-at-once interface used to be the only one, but now SSH-1
1480 * packets can also be constructed incrementally.)
1482 static struct Packet *construct_packet(Ssh ssh, int pkttype, va_list ap)
1488 pkt = ssh1_pkt_init(pkttype);
1490 while ((argtype = va_arg(ap, int)) != PKT_END) {
1491 unsigned char *argp, argchar;
1492 unsigned long argint;
1495 /* Actual fields in the packet */
1497 argint = va_arg(ap, int);
1498 ssh_pkt_adduint32(pkt, argint);
1501 argchar = (unsigned char) va_arg(ap, int);
1502 ssh_pkt_addbyte(pkt, argchar);
1505 argp = va_arg(ap, unsigned char *);
1506 arglen = va_arg(ap, int);
1507 ssh_pkt_adddata(pkt, argp, arglen);
1510 argp = va_arg(ap, unsigned char *);
1511 ssh_pkt_addstring(pkt, argp);
1514 bn = va_arg(ap, Bignum);
1515 ssh1_pkt_addmp(pkt, bn);
1517 /* Tokens for modifications to packet logging */
1519 dont_log_password(ssh, pkt, PKTLOG_BLANK);
1522 dont_log_data(ssh, pkt, PKTLOG_OMIT);
1525 end_log_omission(ssh, pkt);
1533 static void send_packet(Ssh ssh, int pkttype, ...)
1537 va_start(ap, pkttype);
1538 pkt = construct_packet(ssh, pkttype, ap);
1543 static void defer_packet(Ssh ssh, int pkttype, ...)
1547 va_start(ap, pkttype);
1548 pkt = construct_packet(ssh, pkttype, ap);
1550 s_wrpkt_defer(ssh, pkt);
1553 static int ssh_versioncmp(char *a, char *b)
1556 unsigned long av, bv;
1558 av = strtoul(a, &ae, 10);
1559 bv = strtoul(b, &be, 10);
1561 return (av < bv ? -1 : +1);
1566 av = strtoul(ae, &ae, 10);
1567 bv = strtoul(be, &be, 10);
1569 return (av < bv ? -1 : +1);
1574 * Utility routines for putting an SSH-protocol `string' and
1575 * `uint32' into a hash state.
1577 static void hash_string(const struct ssh_hash *h, void *s, void *str, int len)
1579 unsigned char lenblk[4];
1580 PUT_32BIT(lenblk, len);
1581 h->bytes(s, lenblk, 4);
1582 h->bytes(s, str, len);
1585 static void hash_uint32(const struct ssh_hash *h, void *s, unsigned i)
1587 unsigned char intblk[4];
1588 PUT_32BIT(intblk, i);
1589 h->bytes(s, intblk, 4);
1593 * Packet construction functions. Mostly shared between SSH-1 and SSH-2.
1595 static void ssh_pkt_ensure(struct Packet *pkt, int length)
1597 if (pkt->maxlen < length) {
1598 unsigned char *body = pkt->body;
1599 int offset = body ? body - pkt->data : 0;
1600 pkt->maxlen = length + 256;
1601 pkt->data = sresize(pkt->data, pkt->maxlen + APIEXTRA, unsigned char);
1602 if (body) pkt->body = pkt->data + offset;
1605 static void ssh_pkt_adddata(struct Packet *pkt, void *data, int len)
1607 if (pkt->logmode != PKTLOG_EMIT) {
1609 pkt->blanks = sresize(pkt->blanks, pkt->nblanks, struct logblank_t);
1611 pkt->blanks[pkt->nblanks-1].offset = pkt->length -
1612 (pkt->body - pkt->data);
1613 pkt->blanks[pkt->nblanks-1].len = len;
1614 pkt->blanks[pkt->nblanks-1].type = pkt->logmode;
1617 ssh_pkt_ensure(pkt, pkt->length);
1618 memcpy(pkt->data + pkt->length - len, data, len);
1620 static void ssh_pkt_addbyte(struct Packet *pkt, unsigned char byte)
1622 ssh_pkt_adddata(pkt, &byte, 1);
1624 static void ssh2_pkt_addbool(struct Packet *pkt, unsigned char value)
1626 ssh_pkt_adddata(pkt, &value, 1);
1628 static void ssh_pkt_adduint32(struct Packet *pkt, unsigned long value)
1631 PUT_32BIT(x, value);
1632 ssh_pkt_adddata(pkt, x, 4);
1634 static void ssh_pkt_addstring_start(struct Packet *pkt)
1636 ssh_pkt_adduint32(pkt, 0);
1637 pkt->savedpos = pkt->length;
1639 static void ssh_pkt_addstring_str(struct Packet *pkt, char *data)
1641 ssh_pkt_adddata(pkt, data, strlen(data));
1642 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1644 static void ssh_pkt_addstring_data(struct Packet *pkt, char *data, int len)
1646 ssh_pkt_adddata(pkt, data, len);
1647 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1649 static void ssh_pkt_addstring(struct Packet *pkt, char *data)
1651 ssh_pkt_addstring_start(pkt);
1652 ssh_pkt_addstring_str(pkt, data);
1654 static void ssh1_pkt_addmp(struct Packet *pkt, Bignum b)
1656 int len = ssh1_bignum_length(b);
1657 unsigned char *data = snewn(len, char);
1658 (void) ssh1_write_bignum(data, b);
1659 ssh_pkt_adddata(pkt, data, len);
1662 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len)
1665 int i, n = (bignum_bitcount(b) + 7) / 8;
1666 p = snewn(n + 1, unsigned char);
1668 for (i = 1; i <= n; i++)
1669 p[i] = bignum_byte(b, n - i);
1671 while (i <= n && p[i] == 0 && (p[i + 1] & 0x80) == 0)
1673 memmove(p, p + i, n + 1 - i);
1677 static void ssh2_pkt_addmp(struct Packet *pkt, Bignum b)
1681 p = ssh2_mpint_fmt(b, &len);
1682 ssh_pkt_addstring_start(pkt);
1683 ssh_pkt_addstring_data(pkt, (char *)p, len);
1687 static struct Packet *ssh1_pkt_init(int pkt_type)
1689 struct Packet *pkt = ssh_new_packet();
1690 pkt->length = 4 + 8; /* space for length + max padding */
1691 ssh_pkt_addbyte(pkt, pkt_type);
1692 pkt->body = pkt->data + pkt->length;
1696 /* For legacy code (SSH-1 and -2 packet construction used to be separate) */
1697 #define ssh2_pkt_ensure(pkt, length) ssh_pkt_ensure(pkt, length)
1698 #define ssh2_pkt_adddata(pkt, data, len) ssh_pkt_adddata(pkt, data, len)
1699 #define ssh2_pkt_addbyte(pkt, byte) ssh_pkt_addbyte(pkt, byte)
1700 #define ssh2_pkt_adduint32(pkt, value) ssh_pkt_adduint32(pkt, value)
1701 #define ssh2_pkt_addstring_start(pkt) ssh_pkt_addstring_start(pkt)
1702 #define ssh2_pkt_addstring_str(pkt, data) ssh_pkt_addstring_str(pkt, data)
1703 #define ssh2_pkt_addstring_data(pkt, data, len) ssh_pkt_addstring_data(pkt, data, len)
1704 #define ssh2_pkt_addstring(pkt, data) ssh_pkt_addstring(pkt, data)
1706 static struct Packet *ssh2_pkt_init(int pkt_type)
1708 struct Packet *pkt = ssh_new_packet();
1709 pkt->length = 5; /* space for packet length + padding length */
1711 ssh_pkt_addbyte(pkt, (unsigned char) pkt_type);
1712 pkt->body = pkt->data + pkt->length; /* after packet type */
1717 * Construct an SSH-2 final-form packet: compress it, encrypt it,
1718 * put the MAC on it. Final packet, ready to be sent, is stored in
1719 * pkt->data. Total length is returned.
1721 static int ssh2_pkt_construct(Ssh ssh, struct Packet *pkt)
1723 int cipherblk, maclen, padding, i;
1726 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[5],
1727 ssh2_pkt_type(ssh->pkt_ctx, pkt->data[5]),
1728 pkt->body, pkt->length - (pkt->body - pkt->data),
1729 pkt->nblanks, pkt->blanks);
1730 sfree(pkt->blanks); pkt->blanks = NULL;
1734 * Compress packet payload.
1737 unsigned char *newpayload;
1740 ssh->cscomp->compress(ssh->cs_comp_ctx, pkt->data + 5,
1742 &newpayload, &newlen)) {
1744 ssh2_pkt_adddata(pkt, newpayload, newlen);
1750 * Add padding. At least four bytes, and must also bring total
1751 * length (minus MAC) up to a multiple of the block size.
1752 * If pkt->forcepad is set, make sure the packet is at least that size
1755 cipherblk = ssh->cscipher ? ssh->cscipher->blksize : 8; /* block size */
1756 cipherblk = cipherblk < 8 ? 8 : cipherblk; /* or 8 if blksize < 8 */
1758 if (pkt->length + padding < pkt->forcepad)
1759 padding = pkt->forcepad - pkt->length;
1761 (cipherblk - (pkt->length + padding) % cipherblk) % cipherblk;
1762 assert(padding <= 255);
1763 maclen = ssh->csmac ? ssh->csmac->len : 0;
1764 ssh2_pkt_ensure(pkt, pkt->length + padding + maclen);
1765 pkt->data[4] = padding;
1766 for (i = 0; i < padding; i++)
1767 pkt->data[pkt->length + i] = random_byte();
1768 PUT_32BIT(pkt->data, pkt->length + padding - 4);
1770 ssh->csmac->generate(ssh->cs_mac_ctx, pkt->data,
1771 pkt->length + padding,
1772 ssh->v2_outgoing_sequence);
1773 ssh->v2_outgoing_sequence++; /* whether or not we MACed */
1776 ssh->cscipher->encrypt(ssh->cs_cipher_ctx,
1777 pkt->data, pkt->length + padding);
1779 pkt->encrypted_len = pkt->length + padding;
1781 /* Ready-to-send packet starts at pkt->data. We return length. */
1782 return pkt->length + padding + maclen;
1786 * Routines called from the main SSH code to send packets. There
1787 * are quite a few of these, because we have two separate
1788 * mechanisms for delaying the sending of packets:
1790 * - In order to send an IGNORE message and a password message in
1791 * a single fixed-length blob, we require the ability to
1792 * concatenate the encrypted forms of those two packets _into_ a
1793 * single blob and then pass it to our <network.h> transport
1794 * layer in one go. Hence, there's a deferment mechanism which
1795 * works after packet encryption.
1797 * - In order to avoid sending any connection-layer messages
1798 * during repeat key exchange, we have to queue up any such
1799 * outgoing messages _before_ they are encrypted (and in
1800 * particular before they're allocated sequence numbers), and
1801 * then send them once we've finished.
1803 * I call these mechanisms `defer' and `queue' respectively, so as
1804 * to distinguish them reasonably easily.
1806 * The functions send_noqueue() and defer_noqueue() free the packet
1807 * structure they are passed. Every outgoing packet goes through
1808 * precisely one of these functions in its life; packets passed to
1809 * ssh2_pkt_send() or ssh2_pkt_defer() either go straight to one of
1810 * these or get queued, and then when the queue is later emptied
1811 * the packets are all passed to defer_noqueue().
1813 * When using a CBC-mode cipher, it's necessary to ensure that an
1814 * attacker can't provide data to be encrypted using an IV that they
1815 * know. We ensure this by prefixing each packet that might contain
1816 * user data with an SSH_MSG_IGNORE. This is done using the deferral
1817 * mechanism, so in this case send_noqueue() ends up redirecting to
1818 * defer_noqueue(). If you don't like this inefficiency, don't use
1822 static void ssh2_pkt_defer_noqueue(Ssh, struct Packet *, int);
1823 static void ssh_pkt_defersend(Ssh);
1826 * Send an SSH-2 packet immediately, without queuing or deferring.
1828 static void ssh2_pkt_send_noqueue(Ssh ssh, struct Packet *pkt)
1832 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC)) {
1833 /* We need to send two packets, so use the deferral mechanism. */
1834 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1835 ssh_pkt_defersend(ssh);
1838 len = ssh2_pkt_construct(ssh, pkt);
1839 backlog = s_write(ssh, pkt->data, len);
1840 if (backlog > SSH_MAX_BACKLOG)
1841 ssh_throttle_all(ssh, 1, backlog);
1843 ssh->outgoing_data_size += pkt->encrypted_len;
1844 if (!ssh->kex_in_progress &&
1845 ssh->max_data_size != 0 &&
1846 ssh->outgoing_data_size > ssh->max_data_size)
1847 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
1849 ssh_free_packet(pkt);
1853 * Defer an SSH-2 packet.
1855 static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt, int noignore)
1858 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC) &&
1859 ssh->deferred_len == 0 && !noignore) {
1861 * Interpose an SSH_MSG_IGNORE to ensure that user data don't
1862 * get encrypted with a known IV.
1864 struct Packet *ipkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
1865 ssh2_pkt_defer_noqueue(ssh, ipkt, TRUE);
1867 len = ssh2_pkt_construct(ssh, pkt);
1868 if (ssh->deferred_len + len > ssh->deferred_size) {
1869 ssh->deferred_size = ssh->deferred_len + len + 128;
1870 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1874 memcpy(ssh->deferred_send_data + ssh->deferred_len, pkt->data, len);
1875 ssh->deferred_len += len;
1876 ssh->deferred_data_size += pkt->encrypted_len;
1877 ssh_free_packet(pkt);
1881 * Queue an SSH-2 packet.
1883 static void ssh2_pkt_queue(Ssh ssh, struct Packet *pkt)
1885 assert(ssh->queueing);
1887 if (ssh->queuelen >= ssh->queuesize) {
1888 ssh->queuesize = ssh->queuelen + 32;
1889 ssh->queue = sresize(ssh->queue, ssh->queuesize, struct Packet *);
1892 ssh->queue[ssh->queuelen++] = pkt;
1896 * Either queue or send a packet, depending on whether queueing is
1899 static void ssh2_pkt_send(Ssh ssh, struct Packet *pkt)
1902 ssh2_pkt_queue(ssh, pkt);
1904 ssh2_pkt_send_noqueue(ssh, pkt);
1909 * Either queue or defer a packet, depending on whether queueing is
1912 static void ssh2_pkt_defer(Ssh ssh, struct Packet *pkt)
1915 ssh2_pkt_queue(ssh, pkt);
1917 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1922 * Send the whole deferred data block constructed by
1923 * ssh2_pkt_defer() or SSH-1's defer_packet().
1925 * The expected use of the defer mechanism is that you call
1926 * ssh2_pkt_defer() a few times, then call ssh_pkt_defersend(). If
1927 * not currently queueing, this simply sets up deferred_send_data
1928 * and then sends it. If we _are_ currently queueing, the calls to
1929 * ssh2_pkt_defer() put the deferred packets on to the queue
1930 * instead, and therefore ssh_pkt_defersend() has no deferred data
1931 * to send. Hence, there's no need to make it conditional on
1934 static void ssh_pkt_defersend(Ssh ssh)
1937 backlog = s_write(ssh, ssh->deferred_send_data, ssh->deferred_len);
1938 ssh->deferred_len = ssh->deferred_size = 0;
1939 sfree(ssh->deferred_send_data);
1940 ssh->deferred_send_data = NULL;
1941 if (backlog > SSH_MAX_BACKLOG)
1942 ssh_throttle_all(ssh, 1, backlog);
1944 ssh->outgoing_data_size += ssh->deferred_data_size;
1945 if (!ssh->kex_in_progress &&
1946 ssh->max_data_size != 0 &&
1947 ssh->outgoing_data_size > ssh->max_data_size)
1948 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
1949 ssh->deferred_data_size = 0;
1953 * Send all queued SSH-2 packets. We send them by means of
1954 * ssh2_pkt_defer_noqueue(), in case they included a pair of
1955 * packets that needed to be lumped together.
1957 static void ssh2_pkt_queuesend(Ssh ssh)
1961 assert(!ssh->queueing);
1963 for (i = 0; i < ssh->queuelen; i++)
1964 ssh2_pkt_defer_noqueue(ssh, ssh->queue[i], FALSE);
1967 ssh_pkt_defersend(ssh);
1971 void bndebug(char *string, Bignum b)
1975 p = ssh2_mpint_fmt(b, &len);
1976 debug(("%s", string));
1977 for (i = 0; i < len; i++)
1978 debug((" %02x", p[i]));
1984 static void hash_mpint(const struct ssh_hash *h, void *s, Bignum b)
1988 p = ssh2_mpint_fmt(b, &len);
1989 hash_string(h, s, p, len);
1994 * Packet decode functions for both SSH-1 and SSH-2.
1996 static unsigned long ssh_pkt_getuint32(struct Packet *pkt)
1998 unsigned long value;
1999 if (pkt->length - pkt->savedpos < 4)
2000 return 0; /* arrgh, no way to decline (FIXME?) */
2001 value = GET_32BIT(pkt->body + pkt->savedpos);
2005 static int ssh2_pkt_getbool(struct Packet *pkt)
2007 unsigned long value;
2008 if (pkt->length - pkt->savedpos < 1)
2009 return 0; /* arrgh, no way to decline (FIXME?) */
2010 value = pkt->body[pkt->savedpos] != 0;
2014 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length)
2019 if (pkt->length - pkt->savedpos < 4)
2021 len = GET_32BIT(pkt->body + pkt->savedpos);
2026 if (pkt->length - pkt->savedpos < *length)
2028 *p = (char *)(pkt->body + pkt->savedpos);
2029 pkt->savedpos += *length;
2031 static void *ssh_pkt_getdata(struct Packet *pkt, int length)
2033 if (pkt->length - pkt->savedpos < length)
2035 pkt->savedpos += length;
2036 return pkt->body + (pkt->savedpos - length);
2038 static int ssh1_pkt_getrsakey(struct Packet *pkt, struct RSAKey *key,
2039 unsigned char **keystr)
2043 j = makekey(pkt->body + pkt->savedpos,
2044 pkt->length - pkt->savedpos,
2051 assert(pkt->savedpos < pkt->length);
2055 static Bignum ssh1_pkt_getmp(struct Packet *pkt)
2060 j = ssh1_read_bignum(pkt->body + pkt->savedpos,
2061 pkt->length - pkt->savedpos, &b);
2069 static Bignum ssh2_pkt_getmp(struct Packet *pkt)
2075 ssh_pkt_getstring(pkt, &p, &length);
2080 b = bignum_from_bytes((unsigned char *)p, length);
2085 * Helper function to add an SSH-2 signature blob to a packet.
2086 * Expects to be shown the public key blob as well as the signature
2087 * blob. Normally works just like ssh2_pkt_addstring, but will
2088 * fiddle with the signature packet if necessary for
2089 * BUG_SSH2_RSA_PADDING.
2091 static void ssh2_add_sigblob(Ssh ssh, struct Packet *pkt,
2092 void *pkblob_v, int pkblob_len,
2093 void *sigblob_v, int sigblob_len)
2095 unsigned char *pkblob = (unsigned char *)pkblob_v;
2096 unsigned char *sigblob = (unsigned char *)sigblob_v;
2098 /* dmemdump(pkblob, pkblob_len); */
2099 /* dmemdump(sigblob, sigblob_len); */
2102 * See if this is in fact an ssh-rsa signature and a buggy
2103 * server; otherwise we can just do this the easy way.
2105 if ((ssh->remote_bugs & BUG_SSH2_RSA_PADDING) &&
2106 (GET_32BIT(pkblob) == 7 && !memcmp(pkblob+4, "ssh-rsa", 7))) {
2107 int pos, len, siglen;
2110 * Find the byte length of the modulus.
2113 pos = 4+7; /* skip over "ssh-rsa" */
2114 pos += 4 + GET_32BIT(pkblob+pos); /* skip over exponent */
2115 len = GET_32BIT(pkblob+pos); /* find length of modulus */
2116 pos += 4; /* find modulus itself */
2117 while (len > 0 && pkblob[pos] == 0)
2119 /* debug(("modulus length is %d\n", len)); */
2122 * Now find the signature integer.
2124 pos = 4+7; /* skip over "ssh-rsa" */
2125 siglen = GET_32BIT(sigblob+pos);
2126 /* debug(("signature length is %d\n", siglen)); */
2128 if (len != siglen) {
2129 unsigned char newlen[4];
2130 ssh2_pkt_addstring_start(pkt);
2131 ssh2_pkt_addstring_data(pkt, (char *)sigblob, pos);
2132 /* dmemdump(sigblob, pos); */
2133 pos += 4; /* point to start of actual sig */
2134 PUT_32BIT(newlen, len);
2135 ssh2_pkt_addstring_data(pkt, (char *)newlen, 4);
2136 /* dmemdump(newlen, 4); */
2138 while (len-- > siglen) {
2139 ssh2_pkt_addstring_data(pkt, (char *)newlen, 1);
2140 /* dmemdump(newlen, 1); */
2142 ssh2_pkt_addstring_data(pkt, (char *)(sigblob+pos), siglen);
2143 /* dmemdump(sigblob+pos, siglen); */
2147 /* Otherwise fall through and do it the easy way. */
2150 ssh2_pkt_addstring_start(pkt);
2151 ssh2_pkt_addstring_data(pkt, (char *)sigblob, sigblob_len);
2155 * Examine the remote side's version string and compare it against
2156 * a list of known buggy implementations.
2158 static void ssh_detect_bugs(Ssh ssh, char *vstring)
2160 char *imp; /* pointer to implementation part */
2162 imp += strcspn(imp, "-");
2164 imp += strcspn(imp, "-");
2167 ssh->remote_bugs = 0;
2170 * General notes on server version strings:
2171 * - Not all servers reporting "Cisco-1.25" have all the bugs listed
2172 * here -- in particular, we've heard of one that's perfectly happy
2173 * with SSH1_MSG_IGNOREs -- but this string never seems to change,
2174 * so we can't distinguish them.
2176 if (ssh->cfg.sshbug_ignore1 == FORCE_ON ||
2177 (ssh->cfg.sshbug_ignore1 == AUTO &&
2178 (!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
2179 !strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
2180 !strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
2181 !strcmp(imp, "OSU_1.4alpha3") || !strcmp(imp, "OSU_1.5alpha4")))) {
2183 * These versions don't support SSH1_MSG_IGNORE, so we have
2184 * to use a different defence against password length
2187 ssh->remote_bugs |= BUG_CHOKES_ON_SSH1_IGNORE;
2188 logevent("We believe remote version has SSH-1 ignore bug");
2191 if (ssh->cfg.sshbug_plainpw1 == FORCE_ON ||
2192 (ssh->cfg.sshbug_plainpw1 == AUTO &&
2193 (!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
2195 * These versions need a plain password sent; they can't
2196 * handle having a null and a random length of data after
2199 ssh->remote_bugs |= BUG_NEEDS_SSH1_PLAIN_PASSWORD;
2200 logevent("We believe remote version needs a plain SSH-1 password");
2203 if (ssh->cfg.sshbug_rsa1 == FORCE_ON ||
2204 (ssh->cfg.sshbug_rsa1 == AUTO &&
2205 (!strcmp(imp, "Cisco-1.25")))) {
2207 * These versions apparently have no clue whatever about
2208 * RSA authentication and will panic and die if they see
2209 * an AUTH_RSA message.
2211 ssh->remote_bugs |= BUG_CHOKES_ON_RSA;
2212 logevent("We believe remote version can't handle SSH-1 RSA authentication");
2215 if (ssh->cfg.sshbug_hmac2 == FORCE_ON ||
2216 (ssh->cfg.sshbug_hmac2 == AUTO &&
2217 !wc_match("* VShell", imp) &&
2218 (wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
2219 wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
2220 wc_match("2.1 *", imp)))) {
2222 * These versions have the HMAC bug.
2224 ssh->remote_bugs |= BUG_SSH2_HMAC;
2225 logevent("We believe remote version has SSH-2 HMAC bug");
2228 if (ssh->cfg.sshbug_derivekey2 == FORCE_ON ||
2229 (ssh->cfg.sshbug_derivekey2 == AUTO &&
2230 !wc_match("* VShell", imp) &&
2231 (wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
2233 * These versions have the key-derivation bug (failing to
2234 * include the literal shared secret in the hashes that
2235 * generate the keys).
2237 ssh->remote_bugs |= BUG_SSH2_DERIVEKEY;
2238 logevent("We believe remote version has SSH-2 key-derivation bug");
2241 if (ssh->cfg.sshbug_rsapad2 == FORCE_ON ||
2242 (ssh->cfg.sshbug_rsapad2 == AUTO &&
2243 (wc_match("OpenSSH_2.[5-9]*", imp) ||
2244 wc_match("OpenSSH_3.[0-2]*", imp)))) {
2246 * These versions have the SSH-2 RSA padding bug.
2248 ssh->remote_bugs |= BUG_SSH2_RSA_PADDING;
2249 logevent("We believe remote version has SSH-2 RSA padding bug");
2252 if (ssh->cfg.sshbug_pksessid2 == FORCE_ON ||
2253 (ssh->cfg.sshbug_pksessid2 == AUTO &&
2254 wc_match("OpenSSH_2.[0-2]*", imp))) {
2256 * These versions have the SSH-2 session-ID bug in
2257 * public-key authentication.
2259 ssh->remote_bugs |= BUG_SSH2_PK_SESSIONID;
2260 logevent("We believe remote version has SSH-2 public-key-session-ID bug");
2263 if (ssh->cfg.sshbug_rekey2 == FORCE_ON ||
2264 (ssh->cfg.sshbug_rekey2 == AUTO &&
2265 (wc_match("DigiSSH_2.0", imp) ||
2266 wc_match("OpenSSH_2.[0-4]*", imp) ||
2267 wc_match("OpenSSH_2.5.[0-3]*", imp) ||
2268 wc_match("Sun_SSH_1.0", imp) ||
2269 wc_match("Sun_SSH_1.0.1", imp) ||
2270 /* All versions <= 1.2.6 (they changed their format in 1.2.7) */
2271 wc_match("WeOnlyDo-*", imp)))) {
2273 * These versions have the SSH-2 rekey bug.
2275 ssh->remote_bugs |= BUG_SSH2_REKEY;
2276 logevent("We believe remote version has SSH-2 rekey bug");
2281 * The `software version' part of an SSH version string is required
2282 * to contain no spaces or minus signs.
2284 static void ssh_fix_verstring(char *str)
2286 /* Eat "SSH-<protoversion>-". */
2287 assert(*str == 'S'); str++;
2288 assert(*str == 'S'); str++;
2289 assert(*str == 'H'); str++;
2290 assert(*str == '-'); str++;
2291 while (*str && *str != '-') str++;
2292 assert(*str == '-'); str++;
2294 /* Convert minus signs and spaces in the remaining string into
2297 if (*str == '-' || *str == ' ')
2303 static int do_ssh_init(Ssh ssh, unsigned char c)
2305 struct do_ssh_init_state {
2313 crState(do_ssh_init_state);
2315 crBegin(ssh->do_ssh_init_crstate);
2317 /* Search for a line beginning with the string "SSH-" in the input. */
2319 if (c != 'S') goto no;
2321 if (c != 'S') goto no;
2323 if (c != 'H') goto no;
2325 if (c != '-') goto no;
2334 s->vstring = snewn(s->vstrsize, char);
2335 strcpy(s->vstring, "SSH-");
2339 crReturn(1); /* get another char */
2340 if (s->vslen >= s->vstrsize - 1) {
2342 s->vstring = sresize(s->vstring, s->vstrsize, char);
2344 s->vstring[s->vslen++] = c;
2347 s->version[s->i] = '\0';
2349 } else if (s->i < sizeof(s->version) - 1)
2350 s->version[s->i++] = c;
2351 } else if (c == '\012')
2355 ssh->agentfwd_enabled = FALSE;
2356 ssh->rdpkt2_state.incoming_sequence = 0;
2358 s->vstring[s->vslen] = 0;
2359 s->vstring[strcspn(s->vstring, "\015\012")] = '\0';/* remove EOL chars */
2360 logeventf(ssh, "Server version: %s", s->vstring);
2361 ssh_detect_bugs(ssh, s->vstring);
2364 * Decide which SSH protocol version to support.
2367 /* Anything strictly below "2.0" means protocol 1 is supported. */
2368 s->proto1 = ssh_versioncmp(s->version, "2.0") < 0;
2369 /* Anything greater or equal to "1.99" means protocol 2 is supported. */
2370 s->proto2 = ssh_versioncmp(s->version, "1.99") >= 0;
2372 if (ssh->cfg.sshprot == 0 && !s->proto1) {
2373 bombout(("SSH protocol version 1 required by user but not provided by server"));
2376 if (ssh->cfg.sshprot == 3 && !s->proto2) {
2377 bombout(("SSH protocol version 2 required by user but not provided by server"));
2384 if (s->proto2 && (ssh->cfg.sshprot >= 2 || !s->proto1)) {
2386 * Construct a v2 version string.
2388 verstring = dupprintf("SSH-2.0-%s\015\012", sshver);
2392 * Construct a v1 version string.
2394 verstring = dupprintf("SSH-%s-%s\012",
2395 (ssh_versioncmp(s->version, "1.5") <= 0 ?
2396 s->version : "1.5"),
2401 ssh_fix_verstring(verstring);
2403 if (ssh->version == 2) {
2406 * Hash our version string and their version string.
2408 len = strcspn(verstring, "\015\012");
2409 ssh->v_c = snewn(len + 1, char);
2410 memcpy(ssh->v_c, verstring, len);
2412 len = strcspn(s->vstring, "\015\012");
2413 ssh->v_s = snewn(len + 1, char);
2414 memcpy(ssh->v_s, s->vstring, len);
2418 * Initialise SSH-2 protocol.
2420 ssh->protocol = ssh2_protocol;
2421 ssh2_protocol_setup(ssh);
2422 ssh->s_rdpkt = ssh2_rdpkt;
2425 * Initialise SSH-1 protocol.
2427 ssh->protocol = ssh1_protocol;
2428 ssh1_protocol_setup(ssh);
2429 ssh->s_rdpkt = ssh1_rdpkt;
2431 logeventf(ssh, "We claim version: %.*s",
2432 strcspn(verstring, "\015\012"), verstring);
2433 s_write(ssh, verstring, strlen(verstring));
2435 if (ssh->version == 2)
2436 do_ssh2_transport(ssh, NULL, -1, NULL);
2439 logeventf(ssh, "Using SSH protocol version %d", ssh->version);
2441 update_specials_menu(ssh->frontend);
2442 ssh->state = SSH_STATE_BEFORE_SIZE;
2443 ssh->pinger = pinger_new(&ssh->cfg, &ssh_backend, ssh);
2450 static void ssh_process_incoming_data(Ssh ssh,
2451 unsigned char **data, int *datalen)
2453 struct Packet *pktin;
2455 pktin = ssh->s_rdpkt(ssh, data, datalen);
2457 ssh->protocol(ssh, NULL, 0, pktin);
2458 ssh_free_packet(pktin);
2462 static void ssh_queue_incoming_data(Ssh ssh,
2463 unsigned char **data, int *datalen)
2465 bufchain_add(&ssh->queued_incoming_data, *data, *datalen);
2470 static void ssh_process_queued_incoming_data(Ssh ssh)
2473 unsigned char *data;
2476 while (!ssh->frozen && bufchain_size(&ssh->queued_incoming_data)) {
2477 bufchain_prefix(&ssh->queued_incoming_data, &vdata, &len);
2481 while (!ssh->frozen && len > 0)
2482 ssh_process_incoming_data(ssh, &data, &len);
2485 bufchain_consume(&ssh->queued_incoming_data, origlen - len);
2489 static void ssh_set_frozen(Ssh ssh, int frozen)
2492 sk_set_frozen(ssh->s, frozen);
2493 ssh->frozen = frozen;
2496 static void ssh_gotdata(Ssh ssh, unsigned char *data, int datalen)
2498 /* Log raw data, if we're in that mode. */
2499 log_packet(ssh->logctx, PKT_INCOMING, -1, NULL, data, datalen, 0, NULL);
2501 crBegin(ssh->ssh_gotdata_crstate);
2504 * To begin with, feed the characters one by one to the
2505 * protocol initialisation / selection function do_ssh_init().
2506 * When that returns 0, we're done with the initial greeting
2507 * exchange and can move on to packet discipline.
2510 int ret; /* need not be kept across crReturn */
2512 crReturnV; /* more data please */
2513 ret = do_ssh_init(ssh, *data);
2521 * We emerge from that loop when the initial negotiation is
2522 * over and we have selected an s_rdpkt function. Now pass
2523 * everything to s_rdpkt, and then pass the resulting packets
2524 * to the proper protocol handler.
2528 while (bufchain_size(&ssh->queued_incoming_data) > 0 || datalen > 0) {
2530 ssh_queue_incoming_data(ssh, &data, &datalen);
2531 /* This uses up all data and cannot cause anything interesting
2532 * to happen; indeed, for anything to happen at all, we must
2533 * return, so break out. */
2535 } else if (bufchain_size(&ssh->queued_incoming_data) > 0) {
2536 /* This uses up some or all data, and may freeze the
2538 ssh_process_queued_incoming_data(ssh);
2540 /* This uses up some or all data, and may freeze the
2542 ssh_process_incoming_data(ssh, &data, &datalen);
2544 /* FIXME this is probably EBW. */
2545 if (ssh->state == SSH_STATE_CLOSED)
2548 /* We're out of data. Go and get some more. */
2554 static int ssh_do_close(Ssh ssh, int notify_exit)
2557 struct ssh_channel *c;
2559 ssh->state = SSH_STATE_CLOSED;
2560 expire_timer_context(ssh);
2565 notify_remote_exit(ssh->frontend);
2570 * Now we must shut down any port- and X-forwarded channels going
2571 * through this connection.
2573 if (ssh->channels) {
2574 while (NULL != (c = index234(ssh->channels, 0))) {
2577 x11_close(c->u.x11.s);
2580 pfd_close(c->u.pfd.s);
2583 del234(ssh->channels, c); /* moving next one to index 0 */
2584 if (ssh->version == 2)
2585 bufchain_clear(&c->v.v2.outbuffer);
2590 * Go through port-forwardings, and close any associated
2591 * listening sockets.
2593 if (ssh->portfwds) {
2594 struct ssh_portfwd *pf;
2595 while (NULL != (pf = index234(ssh->portfwds, 0))) {
2596 /* Dispose of any listening socket. */
2598 pfd_terminate(pf->local);
2599 del234(ssh->portfwds, pf); /* moving next one to index 0 */
2607 static void ssh_log(Plug plug, int type, SockAddr addr, int port,
2608 const char *error_msg, int error_code)
2610 Ssh ssh = (Ssh) plug;
2611 char addrbuf[256], *msg;
2613 sk_getaddr(addr, addrbuf, lenof(addrbuf));
2616 msg = dupprintf("Connecting to %s port %d", addrbuf, port);
2618 msg = dupprintf("Failed to connect to %s: %s", addrbuf, error_msg);
2624 static int ssh_closing(Plug plug, const char *error_msg, int error_code,
2627 Ssh ssh = (Ssh) plug;
2628 int need_notify = ssh_do_close(ssh, FALSE);
2631 if (!ssh->close_expected)
2632 error_msg = "Server unexpectedly closed network connection";
2634 error_msg = "Server closed network connection";
2638 notify_remote_exit(ssh->frontend);
2641 logevent(error_msg);
2642 if (!ssh->close_expected || !ssh->clean_exit)
2643 connection_fatal(ssh->frontend, "%s", error_msg);
2647 static int ssh_receive(Plug plug, int urgent, char *data, int len)
2649 Ssh ssh = (Ssh) plug;
2650 ssh_gotdata(ssh, (unsigned char *)data, len);
2651 if (ssh->state == SSH_STATE_CLOSED) {
2652 ssh_do_close(ssh, TRUE);
2658 static void ssh_sent(Plug plug, int bufsize)
2660 Ssh ssh = (Ssh) plug;
2662 * If the send backlog on the SSH socket itself clears, we
2663 * should unthrottle the whole world if it was throttled.
2665 if (bufsize < SSH_MAX_BACKLOG)
2666 ssh_throttle_all(ssh, 0, bufsize);
2670 * Connect to specified host and port.
2671 * Returns an error message, or NULL on success.
2672 * Also places the canonical host name into `realhost'. It must be
2673 * freed by the caller.
2675 static const char *connect_to_host(Ssh ssh, char *host, int port,
2676 char **realhost, int nodelay, int keepalive)
2678 static const struct plug_function_table fn_table = {
2689 ssh->savedhost = snewn(1 + strlen(host), char);
2690 strcpy(ssh->savedhost, host);
2693 port = 22; /* default ssh port */
2694 ssh->savedport = port;
2699 logeventf(ssh, "Looking up host \"%s\"%s", host,
2700 (ssh->cfg.addressfamily == ADDRTYPE_IPV4 ? " (IPv4)" :
2701 (ssh->cfg.addressfamily == ADDRTYPE_IPV6 ? " (IPv6)" : "")));
2702 addr = name_lookup(host, port, realhost, &ssh->cfg,
2703 ssh->cfg.addressfamily);
2704 if ((err = sk_addr_error(addr)) != NULL) {
2712 ssh->fn = &fn_table;
2713 ssh->s = new_connection(addr, *realhost, port,
2714 0, 1, nodelay, keepalive, (Plug) ssh, &ssh->cfg);
2715 if ((err = sk_socket_error(ssh->s)) != NULL) {
2717 notify_remote_exit(ssh->frontend);
2725 * Throttle or unthrottle the SSH connection.
2727 static void ssh1_throttle(Ssh ssh, int adjust)
2729 int old_count = ssh->v1_throttle_count;
2730 ssh->v1_throttle_count += adjust;
2731 assert(ssh->v1_throttle_count >= 0);
2732 if (ssh->v1_throttle_count && !old_count) {
2733 ssh_set_frozen(ssh, 1);
2734 } else if (!ssh->v1_throttle_count && old_count) {
2735 ssh_set_frozen(ssh, 0);
2740 * Throttle or unthrottle _all_ local data streams (for when sends
2741 * on the SSH connection itself back up).
2743 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize)
2746 struct ssh_channel *c;
2748 if (enable == ssh->throttled_all)
2750 ssh->throttled_all = enable;
2751 ssh->overall_bufsize = bufsize;
2754 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++) {
2756 case CHAN_MAINSESSION:
2758 * This is treated separately, outside the switch.
2762 x11_override_throttle(c->u.x11.s, enable);
2765 /* Agent channels require no buffer management. */
2768 pfd_override_throttle(c->u.pfd.s, enable);
2774 static void ssh_agent_callback(void *sshv, void *reply, int replylen)
2776 Ssh ssh = (Ssh) sshv;
2778 ssh->agent_response = reply;
2779 ssh->agent_response_len = replylen;
2781 if (ssh->version == 1)
2782 do_ssh1_login(ssh, NULL, -1, NULL);
2784 do_ssh2_authconn(ssh, NULL, -1, NULL);
2787 static void ssh_dialog_callback(void *sshv, int ret)
2789 Ssh ssh = (Ssh) sshv;
2791 ssh->user_response = ret;
2793 if (ssh->version == 1)
2794 do_ssh1_login(ssh, NULL, -1, NULL);
2796 do_ssh2_transport(ssh, NULL, -1, NULL);
2799 * This may have unfrozen the SSH connection, so do a
2802 ssh_process_queued_incoming_data(ssh);
2805 static void ssh_agentf_callback(void *cv, void *reply, int replylen)
2807 struct ssh_channel *c = (struct ssh_channel *)cv;
2809 void *sentreply = reply;
2812 /* Fake SSH_AGENT_FAILURE. */
2813 sentreply = "\0\0\0\1\5";
2816 if (ssh->version == 2) {
2817 ssh2_add_channel_data(c, sentreply, replylen);
2820 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
2821 PKT_INT, c->remoteid,
2824 PKT_DATA, sentreply, replylen,
2833 * Client-initiated disconnection. Send a DISCONNECT if `wire_reason'
2834 * non-NULL, otherwise just close the connection. `client_reason' == NULL
2835 * => log `wire_reason'.
2837 static void ssh_disconnect(Ssh ssh, char *client_reason, char *wire_reason,
2838 int code, int clean_exit)
2842 client_reason = wire_reason;
2844 error = dupprintf("Disconnected: %s", client_reason);
2846 error = dupstr("Disconnected");
2848 if (ssh->version == 1) {
2849 send_packet(ssh, SSH1_MSG_DISCONNECT, PKT_STR, wire_reason,
2851 } else if (ssh->version == 2) {
2852 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_DISCONNECT);
2853 ssh2_pkt_adduint32(pktout, code);
2854 ssh2_pkt_addstring(pktout, wire_reason);
2855 ssh2_pkt_addstring(pktout, "en"); /* language tag */
2856 ssh2_pkt_send_noqueue(ssh, pktout);
2859 ssh->close_expected = TRUE;
2860 ssh->clean_exit = clean_exit;
2861 ssh_closing((Plug)ssh, error, 0, 0);
2866 * Handle the key exchange and user authentication phases.
2868 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
2869 struct Packet *pktin)
2872 unsigned char cookie[8], *ptr;
2873 struct RSAKey servkey, hostkey;
2874 struct MD5Context md5c;
2875 struct do_ssh1_login_state {
2877 unsigned char *rsabuf, *keystr1, *keystr2;
2878 unsigned long supported_ciphers_mask, supported_auths_mask;
2879 int tried_publickey, tried_agent;
2880 int tis_auth_refused, ccard_auth_refused;
2881 unsigned char session_id[16];
2884 void *publickey_blob;
2885 int publickey_bloblen;
2886 char *publickey_comment;
2887 int publickey_encrypted;
2888 prompts_t *cur_prompt;
2891 unsigned char request[5], *response, *p;
2901 crState(do_ssh1_login_state);
2903 crBegin(ssh->do_ssh1_login_crstate);
2908 if (pktin->type != SSH1_SMSG_PUBLIC_KEY) {
2909 bombout(("Public key packet not received"));
2913 logevent("Received public keys");
2915 ptr = ssh_pkt_getdata(pktin, 8);
2917 bombout(("SSH-1 public key packet stopped before random cookie"));
2920 memcpy(cookie, ptr, 8);
2922 if (!ssh1_pkt_getrsakey(pktin, &servkey, &s->keystr1) ||
2923 !ssh1_pkt_getrsakey(pktin, &hostkey, &s->keystr2)) {
2924 bombout(("Failed to read SSH-1 public keys from public key packet"));
2929 * Log the host key fingerprint.
2933 logevent("Host key fingerprint is:");
2934 strcpy(logmsg, " ");
2935 hostkey.comment = NULL;
2936 rsa_fingerprint(logmsg + strlen(logmsg),
2937 sizeof(logmsg) - strlen(logmsg), &hostkey);
2941 ssh->v1_remote_protoflags = ssh_pkt_getuint32(pktin);
2942 s->supported_ciphers_mask = ssh_pkt_getuint32(pktin);
2943 s->supported_auths_mask = ssh_pkt_getuint32(pktin);
2945 ssh->v1_local_protoflags =
2946 ssh->v1_remote_protoflags & SSH1_PROTOFLAGS_SUPPORTED;
2947 ssh->v1_local_protoflags |= SSH1_PROTOFLAG_SCREEN_NUMBER;
2950 MD5Update(&md5c, s->keystr2, hostkey.bytes);
2951 MD5Update(&md5c, s->keystr1, servkey.bytes);
2952 MD5Update(&md5c, cookie, 8);
2953 MD5Final(s->session_id, &md5c);
2955 for (i = 0; i < 32; i++)
2956 ssh->session_key[i] = random_byte();
2959 * Verify that the `bits' and `bytes' parameters match.
2961 if (hostkey.bits > hostkey.bytes * 8 ||
2962 servkey.bits > servkey.bytes * 8) {
2963 bombout(("SSH-1 public keys were badly formatted"));
2967 s->len = (hostkey.bytes > servkey.bytes ? hostkey.bytes : servkey.bytes);
2969 s->rsabuf = snewn(s->len, unsigned char);
2972 * Verify the host key.
2976 * First format the key into a string.
2978 int len = rsastr_len(&hostkey);
2979 char fingerprint[100];
2980 char *keystr = snewn(len, char);
2981 rsastr_fmt(keystr, &hostkey);
2982 rsa_fingerprint(fingerprint, sizeof(fingerprint), &hostkey);
2984 ssh_set_frozen(ssh, 1);
2985 s->dlgret = verify_ssh_host_key(ssh->frontend,
2986 ssh->savedhost, ssh->savedport,
2987 "rsa", keystr, fingerprint,
2988 ssh_dialog_callback, ssh);
2990 if (s->dlgret < 0) {
2994 bombout(("Unexpected data from server while waiting"
2995 " for user host key response"));
2998 } while (pktin || inlen > 0);
2999 s->dlgret = ssh->user_response;
3001 ssh_set_frozen(ssh, 0);
3003 if (s->dlgret == 0) {
3004 ssh_disconnect(ssh, "User aborted at host key verification",
3010 for (i = 0; i < 32; i++) {
3011 s->rsabuf[i] = ssh->session_key[i];
3013 s->rsabuf[i] ^= s->session_id[i];
3016 if (hostkey.bytes > servkey.bytes) {
3017 ret = rsaencrypt(s->rsabuf, 32, &servkey);
3019 ret = rsaencrypt(s->rsabuf, servkey.bytes, &hostkey);
3021 ret = rsaencrypt(s->rsabuf, 32, &hostkey);
3023 ret = rsaencrypt(s->rsabuf, hostkey.bytes, &servkey);
3026 bombout(("SSH-1 public key encryptions failed due to bad formatting"));
3030 logevent("Encrypted session key");
3033 int cipher_chosen = 0, warn = 0;
3034 char *cipher_string = NULL;
3036 for (i = 0; !cipher_chosen && i < CIPHER_MAX; i++) {
3037 int next_cipher = ssh->cfg.ssh_cipherlist[i];
3038 if (next_cipher == CIPHER_WARN) {
3039 /* If/when we choose a cipher, warn about it */
3041 } else if (next_cipher == CIPHER_AES) {
3042 /* XXX Probably don't need to mention this. */
3043 logevent("AES not supported in SSH-1, skipping");
3045 switch (next_cipher) {
3046 case CIPHER_3DES: s->cipher_type = SSH_CIPHER_3DES;
3047 cipher_string = "3DES"; break;
3048 case CIPHER_BLOWFISH: s->cipher_type = SSH_CIPHER_BLOWFISH;
3049 cipher_string = "Blowfish"; break;
3050 case CIPHER_DES: s->cipher_type = SSH_CIPHER_DES;
3051 cipher_string = "single-DES"; break;
3053 if (s->supported_ciphers_mask & (1 << s->cipher_type))
3057 if (!cipher_chosen) {
3058 if ((s->supported_ciphers_mask & (1 << SSH_CIPHER_3DES)) == 0)
3059 bombout(("Server violates SSH-1 protocol by not "
3060 "supporting 3DES encryption"));
3062 /* shouldn't happen */
3063 bombout(("No supported ciphers found"));
3067 /* Warn about chosen cipher if necessary. */
3069 ssh_set_frozen(ssh, 1);
3070 s->dlgret = askalg(ssh->frontend, "cipher", cipher_string,
3071 ssh_dialog_callback, ssh);
3072 if (s->dlgret < 0) {
3076 bombout(("Unexpected data from server while waiting"
3077 " for user response"));
3080 } while (pktin || inlen > 0);
3081 s->dlgret = ssh->user_response;
3083 ssh_set_frozen(ssh, 0);
3084 if (s->dlgret == 0) {
3085 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
3092 switch (s->cipher_type) {
3093 case SSH_CIPHER_3DES:
3094 logevent("Using 3DES encryption");
3096 case SSH_CIPHER_DES:
3097 logevent("Using single-DES encryption");
3099 case SSH_CIPHER_BLOWFISH:
3100 logevent("Using Blowfish encryption");
3104 send_packet(ssh, SSH1_CMSG_SESSION_KEY,
3105 PKT_CHAR, s->cipher_type,
3106 PKT_DATA, cookie, 8,
3107 PKT_CHAR, (s->len * 8) >> 8, PKT_CHAR, (s->len * 8) & 0xFF,
3108 PKT_DATA, s->rsabuf, s->len,
3109 PKT_INT, ssh->v1_local_protoflags, PKT_END);
3111 logevent("Trying to enable encryption...");
3115 ssh->cipher = (s->cipher_type == SSH_CIPHER_BLOWFISH ? &ssh_blowfish_ssh1 :
3116 s->cipher_type == SSH_CIPHER_DES ? &ssh_des :
3118 ssh->v1_cipher_ctx = ssh->cipher->make_context();
3119 ssh->cipher->sesskey(ssh->v1_cipher_ctx, ssh->session_key);
3120 logeventf(ssh, "Initialised %s encryption", ssh->cipher->text_name);
3122 ssh->crcda_ctx = crcda_make_context();
3123 logevent("Installing CRC compensation attack detector");
3125 if (servkey.modulus) {
3126 sfree(servkey.modulus);
3127 servkey.modulus = NULL;
3129 if (servkey.exponent) {
3130 sfree(servkey.exponent);
3131 servkey.exponent = NULL;
3133 if (hostkey.modulus) {
3134 sfree(hostkey.modulus);
3135 hostkey.modulus = NULL;
3137 if (hostkey.exponent) {
3138 sfree(hostkey.exponent);
3139 hostkey.exponent = NULL;
3143 if (pktin->type != SSH1_SMSG_SUCCESS) {
3144 bombout(("Encryption not successfully enabled"));
3148 logevent("Successfully started encryption");
3150 fflush(stdout); /* FIXME eh? */
3152 if (!*ssh->cfg.username) {
3153 int ret; /* need not be kept over crReturn */
3154 s->cur_prompt = new_prompts(ssh->frontend);
3155 s->cur_prompt->to_server = TRUE;
3156 s->cur_prompt->name = dupstr("SSH login name");
3157 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
3158 lenof(s->username));
3159 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3162 crWaitUntil(!pktin);
3163 ret = get_userpass_input(s->cur_prompt, in, inlen);
3168 * Failed to get a username. Terminate.
3170 free_prompts(s->cur_prompt);
3171 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
3174 memcpy(s->username, s->cur_prompt->prompts[0]->result,
3175 lenof(s->username));
3176 free_prompts(s->cur_prompt);
3178 strncpy(s->username, ssh->cfg.username, sizeof(s->username));
3179 s->username[sizeof(s->username)-1] = '\0';
3182 send_packet(ssh, SSH1_CMSG_USER, PKT_STR, s->username, PKT_END);
3184 char *userlog = dupprintf("Sent username \"%s\"", s->username);
3186 if (flags & FLAG_INTERACTIVE &&
3187 (!((flags & FLAG_STDERR) && (flags & FLAG_VERBOSE)))) {
3188 c_write_str(ssh, userlog);
3189 c_write_str(ssh, "\r\n");
3197 if ((ssh->remote_bugs & BUG_CHOKES_ON_RSA)) {
3198 /* We must not attempt PK auth. Pretend we've already tried it. */
3199 s->tried_publickey = s->tried_agent = 1;
3201 s->tried_publickey = s->tried_agent = 0;
3203 s->tis_auth_refused = s->ccard_auth_refused = 0;
3205 * Load the public half of any configured keyfile for later use.
3207 if (!filename_is_null(ssh->cfg.keyfile)) {
3209 logeventf(ssh, "Reading private key file \"%.150s\"",
3210 filename_to_str(&ssh->cfg.keyfile));
3211 keytype = key_type(&ssh->cfg.keyfile);
3212 if (keytype == SSH_KEYTYPE_SSH1) {
3214 if (rsakey_pubblob(&ssh->cfg.keyfile,
3215 &s->publickey_blob, &s->publickey_bloblen,
3216 &s->publickey_comment, &error)) {
3217 s->publickey_encrypted = rsakey_encrypted(&ssh->cfg.keyfile,
3221 logeventf(ssh, "Unable to load private key (%s)", error);
3222 msgbuf = dupprintf("Unable to load private key file "
3223 "\"%.150s\" (%s)\r\n",
3224 filename_to_str(&ssh->cfg.keyfile),
3226 c_write_str(ssh, msgbuf);
3228 s->publickey_blob = NULL;
3232 logeventf(ssh, "Unable to use this key file (%s)",
3233 key_type_to_str(keytype));
3234 msgbuf = dupprintf("Unable to use key file \"%.150s\""
3236 filename_to_str(&ssh->cfg.keyfile),
3237 key_type_to_str(keytype));
3238 c_write_str(ssh, msgbuf);
3240 s->publickey_blob = NULL;
3243 s->publickey_blob = NULL;
3245 while (pktin->type == SSH1_SMSG_FAILURE) {
3246 s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
3248 if (ssh->cfg.tryagent && agent_exists() && !s->tried_agent) {
3250 * Attempt RSA authentication using Pageant.
3256 logevent("Pageant is running. Requesting keys.");
3258 /* Request the keys held by the agent. */
3259 PUT_32BIT(s->request, 1);
3260 s->request[4] = SSH1_AGENTC_REQUEST_RSA_IDENTITIES;
3261 if (!agent_query(s->request, 5, &r, &s->responselen,
3262 ssh_agent_callback, ssh)) {
3266 bombout(("Unexpected data from server while waiting"
3267 " for agent response"));
3270 } while (pktin || inlen > 0);
3271 r = ssh->agent_response;
3272 s->responselen = ssh->agent_response_len;
3274 s->response = (unsigned char *) r;
3275 if (s->response && s->responselen >= 5 &&
3276 s->response[4] == SSH1_AGENT_RSA_IDENTITIES_ANSWER) {
3277 s->p = s->response + 5;
3278 s->nkeys = GET_32BIT(s->p);
3280 logeventf(ssh, "Pageant has %d SSH-1 keys", s->nkeys);
3281 for (s->keyi = 0; s->keyi < s->nkeys; s->keyi++) {
3282 unsigned char *pkblob = s->p;
3286 do { /* do while (0) to make breaking easy */
3287 n = ssh1_read_bignum
3288 (s->p, s->responselen-(s->p-s->response),
3293 n = ssh1_read_bignum
3294 (s->p, s->responselen-(s->p-s->response),
3299 if (s->responselen - (s->p-s->response) < 4)
3301 s->commentlen = GET_32BIT(s->p);
3303 if (s->responselen - (s->p-s->response) <
3306 s->commentp = (char *)s->p;
3307 s->p += s->commentlen;
3311 logevent("Pageant key list packet was truncated");
3315 if (s->publickey_blob) {
3316 if (!memcmp(pkblob, s->publickey_blob,
3317 s->publickey_bloblen)) {
3318 logeventf(ssh, "Pageant key #%d matches "
3319 "configured key file", s->keyi);
3320 s->tried_publickey = 1;
3322 /* Skip non-configured key */
3325 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
3326 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3327 PKT_BIGNUM, s->key.modulus, PKT_END);
3329 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3330 logevent("Key refused");
3333 logevent("Received RSA challenge");
3334 if ((s->challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3335 bombout(("Server's RSA challenge was badly formatted"));
3340 char *agentreq, *q, *ret;
3343 len = 1 + 4; /* message type, bit count */
3344 len += ssh1_bignum_length(s->key.exponent);
3345 len += ssh1_bignum_length(s->key.modulus);
3346 len += ssh1_bignum_length(s->challenge);
3347 len += 16; /* session id */
3348 len += 4; /* response format */
3349 agentreq = snewn(4 + len, char);
3350 PUT_32BIT(agentreq, len);
3352 *q++ = SSH1_AGENTC_RSA_CHALLENGE;
3353 PUT_32BIT(q, bignum_bitcount(s->key.modulus));
3355 q += ssh1_write_bignum(q, s->key.exponent);
3356 q += ssh1_write_bignum(q, s->key.modulus);
3357 q += ssh1_write_bignum(q, s->challenge);
3358 memcpy(q, s->session_id, 16);
3360 PUT_32BIT(q, 1); /* response format */
3361 if (!agent_query(agentreq, len + 4, &vret, &retlen,
3362 ssh_agent_callback, ssh)) {
3367 bombout(("Unexpected data from server"
3368 " while waiting for agent"
3372 } while (pktin || inlen > 0);
3373 vret = ssh->agent_response;
3374 retlen = ssh->agent_response_len;
3379 if (ret[4] == SSH1_AGENT_RSA_RESPONSE) {
3380 logevent("Sending Pageant's response");
3381 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3382 PKT_DATA, ret + 5, 16,
3386 if (pktin->type == SSH1_SMSG_SUCCESS) {
3388 ("Pageant's response accepted");
3389 if (flags & FLAG_VERBOSE) {
3390 c_write_str(ssh, "Authenticated using"
3392 c_write(ssh, s->commentp,
3394 c_write_str(ssh, "\" from agent\r\n");
3399 ("Pageant's response not accepted");
3402 ("Pageant failed to answer challenge");
3406 logevent("No reply received from Pageant");
3409 freebn(s->key.exponent);
3410 freebn(s->key.modulus);
3411 freebn(s->challenge);
3416 if (s->publickey_blob && !s->tried_publickey)
3417 logevent("Configured key file not in Pageant");
3422 if (s->publickey_blob && !s->tried_publickey) {
3424 * Try public key authentication with the specified
3427 int got_passphrase; /* need not be kept over crReturn */
3428 if (flags & FLAG_VERBOSE)
3429 c_write_str(ssh, "Trying public key authentication.\r\n");
3430 logeventf(ssh, "Trying public key \"%s\"",
3431 filename_to_str(&ssh->cfg.keyfile));
3432 s->tried_publickey = 1;
3433 got_passphrase = FALSE;
3434 while (!got_passphrase) {
3436 * Get a passphrase, if necessary.
3438 char *passphrase = NULL; /* only written after crReturn */
3440 if (!s->publickey_encrypted) {
3441 if (flags & FLAG_VERBOSE)
3442 c_write_str(ssh, "No passphrase required.\r\n");
3445 int ret; /* need not be kept over crReturn */
3446 s->cur_prompt = new_prompts(ssh->frontend);
3447 s->cur_prompt->to_server = FALSE;
3448 s->cur_prompt->name = dupstr("SSH key passphrase");
3449 add_prompt(s->cur_prompt,
3450 dupprintf("Passphrase for key \"%.100s\": ",
3451 s->publickey_comment),
3452 FALSE, SSH_MAX_PASSWORD_LEN);
3453 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3456 crWaitUntil(!pktin);
3457 ret = get_userpass_input(s->cur_prompt, in, inlen);
3461 /* Failed to get a passphrase. Terminate. */
3462 free_prompts(s->cur_prompt);
3463 ssh_disconnect(ssh, NULL, "Unable to authenticate",
3467 passphrase = dupstr(s->cur_prompt->prompts[0]->result);
3468 free_prompts(s->cur_prompt);
3471 * Try decrypting key with passphrase.
3473 ret = loadrsakey(&ssh->cfg.keyfile, &s->key, passphrase,
3476 memset(passphrase, 0, strlen(passphrase));
3480 /* Correct passphrase. */
3481 got_passphrase = TRUE;
3482 } else if (ret == 0) {
3483 c_write_str(ssh, "Couldn't load private key from ");
3484 c_write_str(ssh, filename_to_str(&ssh->cfg.keyfile));
3485 c_write_str(ssh, " (");
3486 c_write_str(ssh, error);
3487 c_write_str(ssh, ").\r\n");
3488 got_passphrase = FALSE;
3489 break; /* go and try something else */
3490 } else if (ret == -1) {
3491 c_write_str(ssh, "Wrong passphrase.\r\n"); /* FIXME */
3492 got_passphrase = FALSE;
3495 assert(0 && "unexpected return from loadrsakey()");
3499 if (got_passphrase) {
3502 * Send a public key attempt.
3504 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3505 PKT_BIGNUM, s->key.modulus, PKT_END);
3508 if (pktin->type == SSH1_SMSG_FAILURE) {
3509 c_write_str(ssh, "Server refused our public key.\r\n");
3510 continue; /* go and try something else */
3512 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3513 bombout(("Bizarre response to offer of public key"));
3519 unsigned char buffer[32];
3520 Bignum challenge, response;
3522 if ((challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3523 bombout(("Server's RSA challenge was badly formatted"));
3526 response = rsadecrypt(challenge, &s->key);
3527 freebn(s->key.private_exponent);/* burn the evidence */
3529 for (i = 0; i < 32; i++) {
3530 buffer[i] = bignum_byte(response, 31 - i);
3534 MD5Update(&md5c, buffer, 32);
3535 MD5Update(&md5c, s->session_id, 16);
3536 MD5Final(buffer, &md5c);
3538 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3539 PKT_DATA, buffer, 16, PKT_END);
3546 if (pktin->type == SSH1_SMSG_FAILURE) {
3547 if (flags & FLAG_VERBOSE)
3548 c_write_str(ssh, "Failed to authenticate with"
3549 " our public key.\r\n");
3550 continue; /* go and try something else */
3551 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
3552 bombout(("Bizarre response to RSA authentication response"));
3556 break; /* we're through! */
3562 * Otherwise, try various forms of password-like authentication.
3564 s->cur_prompt = new_prompts(ssh->frontend);
3566 if (ssh->cfg.try_tis_auth &&
3567 (s->supported_auths_mask & (1 << SSH1_AUTH_TIS)) &&
3568 !s->tis_auth_refused) {
3569 s->pwpkt_type = SSH1_CMSG_AUTH_TIS_RESPONSE;
3570 logevent("Requested TIS authentication");
3571 send_packet(ssh, SSH1_CMSG_AUTH_TIS, PKT_END);
3573 if (pktin->type != SSH1_SMSG_AUTH_TIS_CHALLENGE) {
3574 logevent("TIS authentication declined");
3575 if (flags & FLAG_INTERACTIVE)
3576 c_write_str(ssh, "TIS authentication refused.\r\n");
3577 s->tis_auth_refused = 1;
3582 char *instr_suf, *prompt;
3584 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3586 bombout(("TIS challenge packet was badly formed"));
3589 logevent("Received TIS challenge");
3590 s->cur_prompt->to_server = TRUE;
3591 s->cur_prompt->name = dupstr("SSH TIS authentication");
3592 /* Prompt heuristic comes from OpenSSH */
3593 if (memchr(challenge, '\n', challengelen)) {
3594 instr_suf = dupstr("");
3595 prompt = dupprintf("%.*s", challengelen, challenge);
3597 instr_suf = dupprintf("%.*s", challengelen, challenge);
3598 prompt = dupstr("Response: ");
3600 s->cur_prompt->instruction =
3601 dupprintf("Using TIS authentication.%s%s",
3602 (*instr_suf) ? "\n" : "",
3604 s->cur_prompt->instr_reqd = TRUE;
3605 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3609 if (ssh->cfg.try_tis_auth &&
3610 (s->supported_auths_mask & (1 << SSH1_AUTH_CCARD)) &&
3611 !s->ccard_auth_refused) {
3612 s->pwpkt_type = SSH1_CMSG_AUTH_CCARD_RESPONSE;
3613 logevent("Requested CryptoCard authentication");
3614 send_packet(ssh, SSH1_CMSG_AUTH_CCARD, PKT_END);
3616 if (pktin->type != SSH1_SMSG_AUTH_CCARD_CHALLENGE) {
3617 logevent("CryptoCard authentication declined");
3618 c_write_str(ssh, "CryptoCard authentication refused.\r\n");
3619 s->ccard_auth_refused = 1;
3624 char *instr_suf, *prompt;
3626 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3628 bombout(("CryptoCard challenge packet was badly formed"));
3631 logevent("Received CryptoCard challenge");
3632 s->cur_prompt->to_server = TRUE;
3633 s->cur_prompt->name = dupstr("SSH CryptoCard authentication");
3634 s->cur_prompt->name_reqd = FALSE;
3635 /* Prompt heuristic comes from OpenSSH */
3636 if (memchr(challenge, '\n', challengelen)) {
3637 instr_suf = dupstr("");
3638 prompt = dupprintf("%.*s", challengelen, challenge);
3640 instr_suf = dupprintf("%.*s", challengelen, challenge);
3641 prompt = dupstr("Response: ");
3643 s->cur_prompt->instruction =
3644 dupprintf("Using CryptoCard authentication.%s%s",
3645 (*instr_suf) ? "\n" : "",
3647 s->cur_prompt->instr_reqd = TRUE;
3648 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3652 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3653 s->cur_prompt->to_server = TRUE;
3654 s->cur_prompt->name = dupstr("SSH password");
3655 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
3656 s->username, ssh->savedhost),
3657 FALSE, SSH_MAX_PASSWORD_LEN);
3661 * Show password prompt, having first obtained it via a TIS
3662 * or CryptoCard exchange if we're doing TIS or CryptoCard
3666 int ret; /* need not be kept over crReturn */
3667 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3670 crWaitUntil(!pktin);
3671 ret = get_userpass_input(s->cur_prompt, in, inlen);
3676 * Failed to get a password (for example
3677 * because one was supplied on the command line
3678 * which has already failed to work). Terminate.
3680 free_prompts(s->cur_prompt);
3681 ssh_disconnect(ssh, NULL, "Unable to authenticate", 0, TRUE);
3686 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3688 * Defence against traffic analysis: we send a
3689 * whole bunch of packets containing strings of
3690 * different lengths. One of these strings is the
3691 * password, in a SSH1_CMSG_AUTH_PASSWORD packet.
3692 * The others are all random data in
3693 * SSH1_MSG_IGNORE packets. This way a passive
3694 * listener can't tell which is the password, and
3695 * hence can't deduce the password length.
3697 * Anybody with a password length greater than 16
3698 * bytes is going to have enough entropy in their
3699 * password that a listener won't find it _that_
3700 * much help to know how long it is. So what we'll
3703 * - if password length < 16, we send 15 packets
3704 * containing string lengths 1 through 15
3706 * - otherwise, we let N be the nearest multiple
3707 * of 8 below the password length, and send 8
3708 * packets containing string lengths N through
3709 * N+7. This won't obscure the order of
3710 * magnitude of the password length, but it will
3711 * introduce a bit of extra uncertainty.
3713 * A few servers can't deal with SSH1_MSG_IGNORE, at
3714 * least in this context. For these servers, we need
3715 * an alternative defence. We make use of the fact
3716 * that the password is interpreted as a C string:
3717 * so we can append a NUL, then some random data.
3719 * A few servers can deal with neither SSH1_MSG_IGNORE
3720 * here _nor_ a padded password string.
3721 * For these servers we are left with no defences
3722 * against password length sniffing.
3724 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE) &&
3725 !(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
3727 * The server can deal with SSH1_MSG_IGNORE, so
3728 * we can use the primary defence.
3730 int bottom, top, pwlen, i;
3733 pwlen = strlen(s->cur_prompt->prompts[0]->result);
3735 bottom = 0; /* zero length passwords are OK! :-) */
3738 bottom = pwlen & ~7;
3742 assert(pwlen >= bottom && pwlen <= top);
3744 randomstr = snewn(top + 1, char);
3746 for (i = bottom; i <= top; i++) {
3748 defer_packet(ssh, s->pwpkt_type,
3749 PKTT_PASSWORD, PKT_STR,
3750 s->cur_prompt->prompts[0]->result,
3751 PKTT_OTHER, PKT_END);
3753 for (j = 0; j < i; j++) {
3755 randomstr[j] = random_byte();
3756 } while (randomstr[j] == '\0');
3758 randomstr[i] = '\0';
3759 defer_packet(ssh, SSH1_MSG_IGNORE,
3760 PKT_STR, randomstr, PKT_END);
3763 logevent("Sending password with camouflage packets");
3764 ssh_pkt_defersend(ssh);
3767 else if (!(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
3769 * The server can't deal with SSH1_MSG_IGNORE
3770 * but can deal with padded passwords, so we
3771 * can use the secondary defence.
3777 len = strlen(s->cur_prompt->prompts[0]->result);
3778 if (len < sizeof(string)) {
3780 strcpy(string, s->cur_prompt->prompts[0]->result);
3781 len++; /* cover the zero byte */
3782 while (len < sizeof(string)) {
3783 string[len++] = (char) random_byte();
3786 ss = s->cur_prompt->prompts[0]->result;
3788 logevent("Sending length-padded password");
3789 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
3790 PKT_INT, len, PKT_DATA, ss, len,
3791 PKTT_OTHER, PKT_END);
3794 * The server is believed unable to cope with
3795 * any of our password camouflage methods.
3798 len = strlen(s->cur_prompt->prompts[0]->result);
3799 logevent("Sending unpadded password");
3800 send_packet(ssh, s->pwpkt_type,
3801 PKTT_PASSWORD, PKT_INT, len,
3802 PKT_DATA, s->cur_prompt->prompts[0]->result, len,
3803 PKTT_OTHER, PKT_END);
3806 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
3807 PKT_STR, s->cur_prompt->prompts[0]->result,
3808 PKTT_OTHER, PKT_END);
3810 logevent("Sent password");
3811 free_prompts(s->cur_prompt);
3813 if (pktin->type == SSH1_SMSG_FAILURE) {
3814 if (flags & FLAG_VERBOSE)
3815 c_write_str(ssh, "Access denied\r\n");
3816 logevent("Authentication refused");
3817 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
3818 bombout(("Strange packet received, type %d", pktin->type));
3824 if (s->publickey_blob) {
3825 sfree(s->publickey_blob);
3826 sfree(s->publickey_comment);
3829 logevent("Authentication successful");
3834 void sshfwd_close(struct ssh_channel *c)
3838 if (ssh->state == SSH_STATE_CLOSED)
3841 if (c && !c->closes) {
3843 * If halfopen is true, we have sent
3844 * CHANNEL_OPEN for this channel, but it hasn't even been
3845 * acknowledged by the server. So we must set a close flag
3846 * on it now, and then when the server acks the channel
3847 * open, we can close it then.
3850 if (ssh->version == 1) {
3851 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE, PKT_INT, c->remoteid,
3854 struct Packet *pktout;
3855 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
3856 ssh2_pkt_adduint32(pktout, c->remoteid);
3857 ssh2_pkt_send(ssh, pktout);
3860 c->closes = 1; /* sent MSG_CLOSE */
3861 if (c->type == CHAN_X11) {
3863 logevent("Forwarded X11 connection terminated");
3864 } else if (c->type == CHAN_SOCKDATA ||
3865 c->type == CHAN_SOCKDATA_DORMANT) {
3867 logevent("Forwarded port closed");
3872 int sshfwd_write(struct ssh_channel *c, char *buf, int len)
3876 if (ssh->state == SSH_STATE_CLOSED)
3879 if (ssh->version == 1) {
3880 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
3881 PKT_INT, c->remoteid,
3883 PKT_INT, len, PKT_DATA, buf, len,
3884 PKTT_OTHER, PKT_END);
3886 * In SSH-1 we can return 0 here - implying that forwarded
3887 * connections are never individually throttled - because
3888 * the only circumstance that can cause throttling will be
3889 * the whole SSH connection backing up, in which case
3890 * _everything_ will be throttled as a whole.
3894 ssh2_add_channel_data(c, buf, len);
3895 return ssh2_try_send(c);
3899 void sshfwd_unthrottle(struct ssh_channel *c, int bufsize)
3903 if (ssh->state == SSH_STATE_CLOSED)
3906 if (ssh->version == 1) {
3907 if (c->v.v1.throttling && bufsize < SSH1_BUFFER_LIMIT) {
3908 c->v.v1.throttling = 0;
3909 ssh1_throttle(ssh, -1);
3912 ssh2_set_window(c, OUR_V2_WINSIZE - bufsize);
3916 static void ssh_queueing_handler(Ssh ssh, struct Packet *pktin)
3918 struct queued_handler *qh = ssh->qhead;
3922 assert(pktin->type == qh->msg1 || pktin->type == qh->msg2);
3925 assert(ssh->packet_dispatch[qh->msg1] == ssh_queueing_handler);
3926 ssh->packet_dispatch[qh->msg1] = NULL;
3929 assert(ssh->packet_dispatch[qh->msg2] == ssh_queueing_handler);
3930 ssh->packet_dispatch[qh->msg2] = NULL;
3934 ssh->qhead = qh->next;
3936 if (ssh->qhead->msg1 > 0) {
3937 assert(ssh->packet_dispatch[ssh->qhead->msg1] == NULL);
3938 ssh->packet_dispatch[ssh->qhead->msg1] = ssh_queueing_handler;
3940 if (ssh->qhead->msg2 > 0) {
3941 assert(ssh->packet_dispatch[ssh->qhead->msg2] == NULL);
3942 ssh->packet_dispatch[ssh->qhead->msg2] = ssh_queueing_handler;
3945 ssh->qhead = ssh->qtail = NULL;
3946 ssh->packet_dispatch[pktin->type] = NULL;
3949 qh->handler(ssh, pktin, qh->ctx);
3954 static void ssh_queue_handler(Ssh ssh, int msg1, int msg2,
3955 chandler_fn_t handler, void *ctx)
3957 struct queued_handler *qh;
3959 qh = snew(struct queued_handler);
3962 qh->handler = handler;
3966 if (ssh->qtail == NULL) {
3970 assert(ssh->packet_dispatch[qh->msg1] == NULL);
3971 ssh->packet_dispatch[qh->msg1] = ssh_queueing_handler;
3974 assert(ssh->packet_dispatch[qh->msg2] == NULL);
3975 ssh->packet_dispatch[qh->msg2] = ssh_queueing_handler;
3978 ssh->qtail->next = qh;
3983 static void ssh_rportfwd_succfail(Ssh ssh, struct Packet *pktin, void *ctx)
3985 struct ssh_rportfwd *rpf, *pf = (struct ssh_rportfwd *)ctx;
3987 if (pktin->type == (ssh->version == 1 ? SSH1_SMSG_SUCCESS :
3988 SSH2_MSG_REQUEST_SUCCESS)) {
3989 logeventf(ssh, "Remote port forwarding from %s enabled",
3992 logeventf(ssh, "Remote port forwarding from %s refused",
3995 rpf = del234(ssh->rportfwds, pf);
4001 static void ssh_setup_portfwd(Ssh ssh, const Config *cfg)
4003 const char *portfwd_strptr = cfg->portfwd;
4004 struct ssh_portfwd *epf;
4007 if (!ssh->portfwds) {
4008 ssh->portfwds = newtree234(ssh_portcmp);
4011 * Go through the existing port forwardings and tag them
4012 * with status==DESTROY. Any that we want to keep will be
4013 * re-enabled (status==KEEP) as we go through the
4014 * configuration and find out which bits are the same as
4017 struct ssh_portfwd *epf;
4019 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4020 epf->status = DESTROY;
4023 while (*portfwd_strptr) {
4024 char address_family, type;
4025 int sport,dport,sserv,dserv;
4026 char sports[256], dports[256], saddr[256], host[256];
4029 address_family = 'A';
4031 if (*portfwd_strptr == 'A' ||
4032 *portfwd_strptr == '4' ||
4033 *portfwd_strptr == '6')
4034 address_family = *portfwd_strptr++;
4035 if (*portfwd_strptr == 'L' ||
4036 *portfwd_strptr == 'R' ||
4037 *portfwd_strptr == 'D')
4038 type = *portfwd_strptr++;
4043 while (*portfwd_strptr && *portfwd_strptr != '\t') {
4044 if (*portfwd_strptr == ':') {
4046 * We've seen a colon in the middle of the
4047 * source port number. This means that
4048 * everything we've seen until now is the
4049 * source _address_, so we'll move it into
4050 * saddr and start sports from the beginning
4055 if (ssh->version == 1 && type == 'R') {
4056 logeventf(ssh, "SSH-1 cannot handle remote source address "
4057 "spec \"%s\"; ignoring", sports);
4059 strcpy(saddr, sports);
4062 if (n < lenof(sports)-1) sports[n++] = *portfwd_strptr++;
4066 if (*portfwd_strptr == '\t')
4069 while (*portfwd_strptr && *portfwd_strptr != ':') {
4070 if (n < lenof(host)-1) host[n++] = *portfwd_strptr++;
4073 if (*portfwd_strptr == ':')
4076 while (*portfwd_strptr) {
4077 if (n < lenof(dports)-1) dports[n++] = *portfwd_strptr++;
4081 dport = atoi(dports);
4085 dport = net_service_lookup(dports);
4087 logeventf(ssh, "Service lookup failed for destination"
4088 " port \"%s\"", dports);
4092 while (*portfwd_strptr) portfwd_strptr++;
4096 portfwd_strptr++; /* eat the NUL and move to next one */
4098 sport = atoi(sports);
4102 sport = net_service_lookup(sports);
4104 logeventf(ssh, "Service lookup failed for source"
4105 " port \"%s\"", sports);
4108 if (sport && dport) {
4109 /* Set up a description of the source port. */
4110 struct ssh_portfwd *pfrec, *epfrec;
4112 pfrec = snew(struct ssh_portfwd);
4114 pfrec->saddr = *saddr ? dupstr(saddr) : NULL;
4115 pfrec->sserv = sserv ? dupstr(sports) : NULL;
4116 pfrec->sport = sport;
4117 pfrec->daddr = *host ? dupstr(host) : NULL;
4118 pfrec->dserv = dserv ? dupstr(dports) : NULL;
4119 pfrec->dport = dport;
4120 pfrec->local = NULL;
4121 pfrec->remote = NULL;
4122 pfrec->addressfamily = (address_family == '4' ? ADDRTYPE_IPV4 :
4123 address_family == '6' ? ADDRTYPE_IPV6 :
4126 epfrec = add234(ssh->portfwds, pfrec);
4127 if (epfrec != pfrec) {
4129 * We already have a port forwarding with precisely
4130 * these parameters. Hence, no need to do anything;
4131 * simply tag the existing one as KEEP.
4133 epfrec->status = KEEP;
4134 free_portfwd(pfrec);
4136 pfrec->status = CREATE;
4142 * Now go through and destroy any port forwardings which were
4145 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4146 if (epf->status == DESTROY) {
4149 message = dupprintf("%s port forwarding from %s%s%d",
4150 epf->type == 'L' ? "local" :
4151 epf->type == 'R' ? "remote" : "dynamic",
4152 epf->saddr ? epf->saddr : "",
4153 epf->saddr ? ":" : "",
4156 if (epf->type != 'D') {
4157 char *msg2 = dupprintf("%s to %s:%d", message,
4158 epf->daddr, epf->dport);
4163 logeventf(ssh, "Cancelling %s", message);
4167 struct ssh_rportfwd *rpf = epf->remote;
4168 struct Packet *pktout;
4171 * Cancel the port forwarding at the server
4174 if (ssh->version == 1) {
4176 * We cannot cancel listening ports on the
4177 * server side in SSH-1! There's no message
4178 * to support it. Instead, we simply remove
4179 * the rportfwd record from the local end
4180 * so that any connections the server tries
4181 * to make on it are rejected.
4184 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4185 ssh2_pkt_addstring(pktout, "cancel-tcpip-forward");
4186 ssh2_pkt_addbool(pktout, 0);/* _don't_ want reply */
4188 ssh2_pkt_addstring(pktout, epf->saddr);
4189 } else if (ssh->cfg.rport_acceptall) {
4190 /* XXX: ssh->cfg.rport_acceptall may not represent
4191 * what was used to open the original connection,
4192 * since it's reconfigurable. */
4193 ssh2_pkt_addstring(pktout, "0.0.0.0");
4195 ssh2_pkt_addstring(pktout, "127.0.0.1");
4197 ssh2_pkt_adduint32(pktout, epf->sport);
4198 ssh2_pkt_send(ssh, pktout);
4201 del234(ssh->rportfwds, rpf);
4203 } else if (epf->local) {
4204 pfd_terminate(epf->local);
4207 delpos234(ssh->portfwds, i);
4209 i--; /* so we don't skip one in the list */
4213 * And finally, set up any new port forwardings (status==CREATE).
4215 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4216 if (epf->status == CREATE) {
4217 char *sportdesc, *dportdesc;
4218 sportdesc = dupprintf("%s%s%s%s%d%s",
4219 epf->saddr ? epf->saddr : "",
4220 epf->saddr ? ":" : "",
4221 epf->sserv ? epf->sserv : "",
4222 epf->sserv ? "(" : "",
4224 epf->sserv ? ")" : "");
4225 if (epf->type == 'D') {
4228 dportdesc = dupprintf("%s:%s%s%d%s",
4230 epf->dserv ? epf->dserv : "",
4231 epf->dserv ? "(" : "",
4233 epf->dserv ? ")" : "");
4236 if (epf->type == 'L') {
4237 const char *err = pfd_addforward(epf->daddr, epf->dport,
4238 epf->saddr, epf->sport,
4241 epf->addressfamily);
4243 logeventf(ssh, "Local %sport %s forwarding to %s%s%s",
4244 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4245 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4246 sportdesc, dportdesc,
4247 err ? " failed: " : "", err ? err : "");
4248 } else if (epf->type == 'D') {
4249 const char *err = pfd_addforward(NULL, -1,
4250 epf->saddr, epf->sport,
4253 epf->addressfamily);
4255 logeventf(ssh, "Local %sport %s SOCKS dynamic forwarding%s%s",
4256 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4257 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4259 err ? " failed: " : "", err ? err : "");
4261 struct ssh_rportfwd *pf;
4264 * Ensure the remote port forwardings tree exists.
4266 if (!ssh->rportfwds) {
4267 if (ssh->version == 1)
4268 ssh->rportfwds = newtree234(ssh_rportcmp_ssh1);
4270 ssh->rportfwds = newtree234(ssh_rportcmp_ssh2);
4273 pf = snew(struct ssh_rportfwd);
4274 strncpy(pf->dhost, epf->daddr, lenof(pf->dhost)-1);
4275 pf->dhost[lenof(pf->dhost)-1] = '\0';
4276 pf->dport = epf->dport;
4277 pf->sport = epf->sport;
4278 if (add234(ssh->rportfwds, pf) != pf) {
4279 logeventf(ssh, "Duplicate remote port forwarding to %s:%d",
4280 epf->daddr, epf->dport);
4283 logeventf(ssh, "Requesting remote port %s"
4284 " forward to %s", sportdesc, dportdesc);
4286 pf->sportdesc = sportdesc;
4291 if (ssh->version == 1) {
4292 send_packet(ssh, SSH1_CMSG_PORT_FORWARD_REQUEST,
4293 PKT_INT, epf->sport,
4294 PKT_STR, epf->daddr,
4295 PKT_INT, epf->dport,
4297 ssh_queue_handler(ssh, SSH1_SMSG_SUCCESS,
4299 ssh_rportfwd_succfail, pf);
4301 struct Packet *pktout;
4302 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4303 ssh2_pkt_addstring(pktout, "tcpip-forward");
4304 ssh2_pkt_addbool(pktout, 1);/* want reply */
4306 ssh2_pkt_addstring(pktout, epf->saddr);
4307 } else if (cfg->rport_acceptall) {
4308 ssh2_pkt_addstring(pktout, "0.0.0.0");
4310 ssh2_pkt_addstring(pktout, "127.0.0.1");
4312 ssh2_pkt_adduint32(pktout, epf->sport);
4313 ssh2_pkt_send(ssh, pktout);
4315 ssh_queue_handler(ssh, SSH2_MSG_REQUEST_SUCCESS,
4316 SSH2_MSG_REQUEST_FAILURE,
4317 ssh_rportfwd_succfail, pf);
4326 static void ssh1_smsg_stdout_stderr_data(Ssh ssh, struct Packet *pktin)
4329 int stringlen, bufsize;
4331 ssh_pkt_getstring(pktin, &string, &stringlen);
4332 if (string == NULL) {
4333 bombout(("Incoming terminal data packet was badly formed"));
4337 bufsize = from_backend(ssh->frontend, pktin->type == SSH1_SMSG_STDERR_DATA,
4339 if (!ssh->v1_stdout_throttling && bufsize > SSH1_BUFFER_LIMIT) {
4340 ssh->v1_stdout_throttling = 1;
4341 ssh1_throttle(ssh, +1);
4345 static void ssh1_smsg_x11_open(Ssh ssh, struct Packet *pktin)
4347 /* Remote side is trying to open a channel to talk to our
4348 * X-Server. Give them back a local channel number. */
4349 struct ssh_channel *c;
4350 int remoteid = ssh_pkt_getuint32(pktin);
4352 logevent("Received X11 connect request");
4353 /* Refuse if X11 forwarding is disabled. */
4354 if (!ssh->X11_fwd_enabled) {
4355 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4356 PKT_INT, remoteid, PKT_END);
4357 logevent("Rejected X11 connect request");
4359 c = snew(struct ssh_channel);
4362 if (x11_init(&c->u.x11.s, ssh->cfg.x11_display, c,
4363 ssh->x11auth, NULL, -1, &ssh->cfg) != NULL) {
4364 logevent("Opening X11 forward connection failed");
4366 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4367 PKT_INT, remoteid, PKT_END);
4370 ("Opening X11 forward connection succeeded");
4371 c->remoteid = remoteid;
4372 c->halfopen = FALSE;
4373 c->localid = alloc_channel_id(ssh);
4375 c->v.v1.throttling = 0;
4376 c->type = CHAN_X11; /* identify channel type */
4377 add234(ssh->channels, c);
4378 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4379 PKT_INT, c->remoteid, PKT_INT,
4380 c->localid, PKT_END);
4381 logevent("Opened X11 forward channel");
4386 static void ssh1_smsg_agent_open(Ssh ssh, struct Packet *pktin)
4388 /* Remote side is trying to open a channel to talk to our
4389 * agent. Give them back a local channel number. */
4390 struct ssh_channel *c;
4391 int remoteid = ssh_pkt_getuint32(pktin);
4393 /* Refuse if agent forwarding is disabled. */
4394 if (!ssh->agentfwd_enabled) {
4395 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4396 PKT_INT, remoteid, PKT_END);
4398 c = snew(struct ssh_channel);
4400 c->remoteid = remoteid;
4401 c->halfopen = FALSE;
4402 c->localid = alloc_channel_id(ssh);
4404 c->v.v1.throttling = 0;
4405 c->type = CHAN_AGENT; /* identify channel type */
4406 c->u.a.lensofar = 0;
4407 add234(ssh->channels, c);
4408 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4409 PKT_INT, c->remoteid, PKT_INT, c->localid,
4414 static void ssh1_msg_port_open(Ssh ssh, struct Packet *pktin)
4416 /* Remote side is trying to open a channel to talk to a
4417 * forwarded port. Give them back a local channel number. */
4418 struct ssh_channel *c;
4419 struct ssh_rportfwd pf, *pfp;
4424 c = snew(struct ssh_channel);
4427 remoteid = ssh_pkt_getuint32(pktin);
4428 ssh_pkt_getstring(pktin, &host, &hostsize);
4429 port = ssh_pkt_getuint32(pktin);
4431 if (hostsize >= lenof(pf.dhost))
4432 hostsize = lenof(pf.dhost)-1;
4433 memcpy(pf.dhost, host, hostsize);
4434 pf.dhost[hostsize] = '\0';
4436 pfp = find234(ssh->rportfwds, &pf, NULL);
4439 logeventf(ssh, "Rejected remote port open request for %s:%d",
4441 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4442 PKT_INT, remoteid, PKT_END);
4444 logeventf(ssh, "Received remote port open request for %s:%d",
4446 e = pfd_newconnect(&c->u.pfd.s, pf.dhost, port,
4447 c, &ssh->cfg, pfp->pfrec->addressfamily);
4449 logeventf(ssh, "Port open failed: %s", e);
4451 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4452 PKT_INT, remoteid, PKT_END);
4454 c->remoteid = remoteid;
4455 c->halfopen = FALSE;
4456 c->localid = alloc_channel_id(ssh);
4458 c->v.v1.throttling = 0;
4459 c->type = CHAN_SOCKDATA; /* identify channel type */
4460 add234(ssh->channels, c);
4461 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4462 PKT_INT, c->remoteid, PKT_INT,
4463 c->localid, PKT_END);
4464 logevent("Forwarded port opened successfully");
4469 static void ssh1_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
4471 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4472 unsigned int localid = ssh_pkt_getuint32(pktin);
4473 struct ssh_channel *c;
4475 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4476 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4477 c->remoteid = localid;
4478 c->halfopen = FALSE;
4479 c->type = CHAN_SOCKDATA;
4480 c->v.v1.throttling = 0;
4481 pfd_confirm(c->u.pfd.s);
4484 if (c && c->closes) {
4486 * We have a pending close on this channel,
4487 * which we decided on before the server acked
4488 * the channel open. So now we know the
4489 * remoteid, we can close it again.
4491 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE,
4492 PKT_INT, c->remoteid, PKT_END);
4496 static void ssh1_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
4498 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4499 struct ssh_channel *c;
4501 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4502 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4503 logevent("Forwarded connection refused by server");
4504 pfd_close(c->u.pfd.s);
4505 del234(ssh->channels, c);
4510 static void ssh1_msg_channel_close(Ssh ssh, struct Packet *pktin)
4512 /* Remote side closes a channel. */
4513 unsigned i = ssh_pkt_getuint32(pktin);
4514 struct ssh_channel *c;
4515 c = find234(ssh->channels, &i, ssh_channelfind);
4516 if (c && !c->halfopen) {
4519 (pktin->type == SSH1_MSG_CHANNEL_CLOSE ? 1 : 2);
4521 if ((c->closes == 0) && (c->type == CHAN_X11)) {
4522 logevent("Forwarded X11 connection terminated");
4523 assert(c->u.x11.s != NULL);
4524 x11_close(c->u.x11.s);
4527 if ((c->closes == 0) && (c->type == CHAN_SOCKDATA)) {
4528 logevent("Forwarded port closed");
4529 assert(c->u.pfd.s != NULL);
4530 pfd_close(c->u.pfd.s);
4534 c->closes |= (closetype << 2); /* seen this message */
4535 if (!(c->closes & closetype)) {
4536 send_packet(ssh, pktin->type, PKT_INT, c->remoteid,
4538 c->closes |= closetype; /* sent it too */
4541 if (c->closes == 15) {
4542 del234(ssh->channels, c);
4546 bombout(("Received CHANNEL_CLOSE%s for %s channel %d\n",
4547 pktin->type == SSH1_MSG_CHANNEL_CLOSE ? "" :
4548 "_CONFIRMATION", c ? "half-open" : "nonexistent",
4553 static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
4555 /* Data sent down one of our channels. */
4556 int i = ssh_pkt_getuint32(pktin);
4559 struct ssh_channel *c;
4561 ssh_pkt_getstring(pktin, &p, &len);
4563 c = find234(ssh->channels, &i, ssh_channelfind);
4568 bufsize = x11_send(c->u.x11.s, p, len);
4571 bufsize = pfd_send(c->u.pfd.s, p, len);
4574 /* Data for an agent message. Buffer it. */
4576 if (c->u.a.lensofar < 4) {
4577 unsigned int l = min(4 - c->u.a.lensofar, len);
4578 memcpy(c->u.a.msglen + c->u.a.lensofar, p,
4582 c->u.a.lensofar += l;
4584 if (c->u.a.lensofar == 4) {
4586 4 + GET_32BIT(c->u.a.msglen);
4587 c->u.a.message = snewn(c->u.a.totallen,
4589 memcpy(c->u.a.message, c->u.a.msglen, 4);
4591 if (c->u.a.lensofar >= 4 && len > 0) {
4593 min(c->u.a.totallen - c->u.a.lensofar,
4595 memcpy(c->u.a.message + c->u.a.lensofar, p,
4599 c->u.a.lensofar += l;
4601 if (c->u.a.lensofar == c->u.a.totallen) {
4604 if (agent_query(c->u.a.message,
4607 ssh_agentf_callback, c))
4608 ssh_agentf_callback(c, reply, replylen);
4609 sfree(c->u.a.message);
4610 c->u.a.lensofar = 0;
4613 bufsize = 0; /* agent channels never back up */
4616 if (!c->v.v1.throttling && bufsize > SSH1_BUFFER_LIMIT) {
4617 c->v.v1.throttling = 1;
4618 ssh1_throttle(ssh, +1);
4623 static void ssh1_smsg_exit_status(Ssh ssh, struct Packet *pktin)
4625 ssh->exitcode = ssh_pkt_getuint32(pktin);
4626 logeventf(ssh, "Server sent command exit status %d", ssh->exitcode);
4627 send_packet(ssh, SSH1_CMSG_EXIT_CONFIRMATION, PKT_END);
4629 * In case `helpful' firewalls or proxies tack
4630 * extra human-readable text on the end of the
4631 * session which we might mistake for another
4632 * encrypted packet, we close the session once
4633 * we've sent EXIT_CONFIRMATION.
4635 ssh_disconnect(ssh, NULL, NULL, 0, TRUE);
4638 /* Helper function to deal with sending tty modes for REQUEST_PTY */
4639 static void ssh1_send_ttymode(void *data, char *mode, char *val)
4641 struct Packet *pktout = (struct Packet *)data;
4643 unsigned int arg = 0;
4644 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
4645 if (i == lenof(ssh_ttymodes)) return;
4646 switch (ssh_ttymodes[i].type) {
4648 arg = ssh_tty_parse_specchar(val);
4651 arg = ssh_tty_parse_boolean(val);
4654 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
4655 ssh2_pkt_addbyte(pktout, arg);
4659 static void do_ssh1_connection(Ssh ssh, unsigned char *in, int inlen,
4660 struct Packet *pktin)
4662 crBegin(ssh->do_ssh1_connection_crstate);
4664 ssh->packet_dispatch[SSH1_SMSG_STDOUT_DATA] =
4665 ssh->packet_dispatch[SSH1_SMSG_STDERR_DATA] =
4666 ssh1_smsg_stdout_stderr_data;
4668 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_CONFIRMATION] =
4669 ssh1_msg_channel_open_confirmation;
4670 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_FAILURE] =
4671 ssh1_msg_channel_open_failure;
4672 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE] =
4673 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION] =
4674 ssh1_msg_channel_close;
4675 ssh->packet_dispatch[SSH1_MSG_CHANNEL_DATA] = ssh1_msg_channel_data;
4676 ssh->packet_dispatch[SSH1_SMSG_EXIT_STATUS] = ssh1_smsg_exit_status;
4678 if (ssh->cfg.agentfwd && agent_exists()) {
4679 logevent("Requesting agent forwarding");
4680 send_packet(ssh, SSH1_CMSG_AGENT_REQUEST_FORWARDING, PKT_END);
4684 if (pktin->type != SSH1_SMSG_SUCCESS
4685 && pktin->type != SSH1_SMSG_FAILURE) {
4686 bombout(("Protocol confusion"));
4688 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4689 logevent("Agent forwarding refused");
4691 logevent("Agent forwarding enabled");
4692 ssh->agentfwd_enabled = TRUE;
4693 ssh->packet_dispatch[SSH1_SMSG_AGENT_OPEN] = ssh1_smsg_agent_open;
4697 if (ssh->cfg.x11_forward) {
4698 char proto[20], data[64];
4699 logevent("Requesting X11 forwarding");
4700 ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
4701 data, sizeof(data), ssh->cfg.x11_auth);
4702 x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
4704 * Note that while we blank the X authentication data here, we don't
4705 * take any special action to blank the start of an X11 channel,
4706 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
4707 * without having session blanking enabled is likely to leak your
4708 * cookie into the log.
4710 if (ssh->v1_local_protoflags & SSH1_PROTOFLAG_SCREEN_NUMBER) {
4711 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
4713 PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER,
4714 PKT_INT, x11_get_screen_number(ssh->cfg.x11_display),
4717 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
4719 PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER, PKT_END);
4724 if (pktin->type != SSH1_SMSG_SUCCESS
4725 && pktin->type != SSH1_SMSG_FAILURE) {
4726 bombout(("Protocol confusion"));
4728 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4729 logevent("X11 forwarding refused");
4731 logevent("X11 forwarding enabled");
4732 ssh->X11_fwd_enabled = TRUE;
4733 ssh->packet_dispatch[SSH1_SMSG_X11_OPEN] = ssh1_smsg_x11_open;
4737 ssh_setup_portfwd(ssh, &ssh->cfg);
4738 ssh->packet_dispatch[SSH1_MSG_PORT_OPEN] = ssh1_msg_port_open;
4740 if (!ssh->cfg.nopty) {
4742 /* Unpick the terminal-speed string. */
4743 /* XXX perhaps we should allow no speeds to be sent. */
4744 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
4745 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
4746 /* Send the pty request. */
4747 pkt = ssh1_pkt_init(SSH1_CMSG_REQUEST_PTY);
4748 ssh_pkt_addstring(pkt, ssh->cfg.termtype);
4749 ssh_pkt_adduint32(pkt, ssh->term_height);
4750 ssh_pkt_adduint32(pkt, ssh->term_width);
4751 ssh_pkt_adduint32(pkt, 0); /* width in pixels */
4752 ssh_pkt_adduint32(pkt, 0); /* height in pixels */
4753 parse_ttymodes(ssh, ssh->cfg.ttymodes,
4754 ssh1_send_ttymode, (void *)pkt);
4755 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_ISPEED);
4756 ssh_pkt_adduint32(pkt, ssh->ispeed);
4757 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_OSPEED);
4758 ssh_pkt_adduint32(pkt, ssh->ospeed);
4759 ssh_pkt_addbyte(pkt, SSH_TTY_OP_END);
4761 ssh->state = SSH_STATE_INTERMED;
4765 if (pktin->type != SSH1_SMSG_SUCCESS
4766 && pktin->type != SSH1_SMSG_FAILURE) {
4767 bombout(("Protocol confusion"));
4769 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4770 c_write_str(ssh, "Server refused to allocate pty\r\n");
4771 ssh->editing = ssh->echoing = 1;
4773 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
4774 ssh->ospeed, ssh->ispeed);
4776 ssh->editing = ssh->echoing = 1;
4779 if (ssh->cfg.compression) {
4780 send_packet(ssh, SSH1_CMSG_REQUEST_COMPRESSION, PKT_INT, 6, PKT_END);
4784 if (pktin->type != SSH1_SMSG_SUCCESS
4785 && pktin->type != SSH1_SMSG_FAILURE) {
4786 bombout(("Protocol confusion"));
4788 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4789 c_write_str(ssh, "Server refused to compress\r\n");
4791 logevent("Started compression");
4792 ssh->v1_compressing = TRUE;
4793 ssh->cs_comp_ctx = zlib_compress_init();
4794 logevent("Initialised zlib (RFC1950) compression");
4795 ssh->sc_comp_ctx = zlib_decompress_init();
4796 logevent("Initialised zlib (RFC1950) decompression");
4800 * Start the shell or command.
4802 * Special case: if the first-choice command is an SSH-2
4803 * subsystem (hence not usable here) and the second choice
4804 * exists, we fall straight back to that.
4807 char *cmd = ssh->cfg.remote_cmd_ptr;
4809 if (!cmd) cmd = ssh->cfg.remote_cmd;
4811 if (ssh->cfg.ssh_subsys && ssh->cfg.remote_cmd_ptr2) {
4812 cmd = ssh->cfg.remote_cmd_ptr2;
4813 ssh->fallback_cmd = TRUE;
4816 send_packet(ssh, SSH1_CMSG_EXEC_CMD, PKT_STR, cmd, PKT_END);
4818 send_packet(ssh, SSH1_CMSG_EXEC_SHELL, PKT_END);
4819 logevent("Started session");
4822 ssh->state = SSH_STATE_SESSION;
4823 if (ssh->size_needed)
4824 ssh_size(ssh, ssh->term_width, ssh->term_height);
4825 if (ssh->eof_needed)
4826 ssh_special(ssh, TS_EOF);
4829 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
4831 ssh->channels = newtree234(ssh_channelcmp);
4835 * By this point, most incoming packets are already being
4836 * handled by the dispatch table, and we need only pay
4837 * attention to the unusual ones.
4842 if (pktin->type == SSH1_SMSG_SUCCESS) {
4843 /* may be from EXEC_SHELL on some servers */
4844 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4845 /* may be from EXEC_SHELL on some servers
4846 * if no pty is available or in other odd cases. Ignore */
4848 bombout(("Strange packet received: type %d", pktin->type));
4853 int len = min(inlen, 512);
4854 send_packet(ssh, SSH1_CMSG_STDIN_DATA, PKTT_DATA,
4855 PKT_INT, len, PKT_DATA, in, len,
4856 PKTT_OTHER, PKT_END);
4867 * Handle the top-level SSH-2 protocol.
4869 static void ssh1_msg_debug(Ssh ssh, struct Packet *pktin)
4874 ssh_pkt_getstring(pktin, &msg, &msglen);
4875 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
4878 static void ssh1_msg_disconnect(Ssh ssh, struct Packet *pktin)
4880 /* log reason code in disconnect message */
4884 ssh_pkt_getstring(pktin, &msg, &msglen);
4885 bombout(("Server sent disconnect message:\n\"%.*s\"", msglen, msg));
4888 static void ssh_msg_ignore(Ssh ssh, struct Packet *pktin)
4890 /* Do nothing, because we're ignoring it! Duhh. */
4893 static void ssh1_protocol_setup(Ssh ssh)
4898 * Most messages are handled by the coroutines.
4900 for (i = 0; i < 256; i++)
4901 ssh->packet_dispatch[i] = NULL;
4904 * These special message types we install handlers for.
4906 ssh->packet_dispatch[SSH1_MSG_DISCONNECT] = ssh1_msg_disconnect;
4907 ssh->packet_dispatch[SSH1_MSG_IGNORE] = ssh_msg_ignore;
4908 ssh->packet_dispatch[SSH1_MSG_DEBUG] = ssh1_msg_debug;
4911 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
4912 struct Packet *pktin)
4914 unsigned char *in=(unsigned char*)vin;
4915 if (ssh->state == SSH_STATE_CLOSED)
4918 if (pktin && ssh->packet_dispatch[pktin->type]) {
4919 ssh->packet_dispatch[pktin->type](ssh, pktin);
4923 if (!ssh->protocol_initial_phase_done) {
4924 if (do_ssh1_login(ssh, in, inlen, pktin))
4925 ssh->protocol_initial_phase_done = TRUE;
4930 do_ssh1_connection(ssh, in, inlen, pktin);
4934 * Utility routine for decoding comma-separated strings in KEXINIT.
4936 static int in_commasep_string(char *needle, char *haystack, int haylen)
4939 if (!needle || !haystack) /* protect against null pointers */
4941 needlen = strlen(needle);
4944 * Is it at the start of the string?
4946 if (haylen >= needlen && /* haystack is long enough */
4947 !memcmp(needle, haystack, needlen) && /* initial match */
4948 (haylen == needlen || haystack[needlen] == ',')
4949 /* either , or EOS follows */
4953 * If not, search for the next comma and resume after that.
4954 * If no comma found, terminate.
4956 while (haylen > 0 && *haystack != ',')
4957 haylen--, haystack++;
4960 haylen--, haystack++; /* skip over comma itself */
4965 * Similar routine for checking whether we have the first string in a list.
4967 static int first_in_commasep_string(char *needle, char *haystack, int haylen)
4970 if (!needle || !haystack) /* protect against null pointers */
4972 needlen = strlen(needle);
4974 * Is it at the start of the string?
4976 if (haylen >= needlen && /* haystack is long enough */
4977 !memcmp(needle, haystack, needlen) && /* initial match */
4978 (haylen == needlen || haystack[needlen] == ',')
4979 /* either , or EOS follows */
4987 * SSH-2 key creation method.
4988 * (Currently assumes 2 lots of any hash are sufficient to generate
4989 * keys/IVs for any cipher/MAC. SSH2_MKKEY_ITERS documents this assumption.)
4991 #define SSH2_MKKEY_ITERS (2)
4992 static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,
4993 unsigned char *keyspace)
4995 const struct ssh_hash *h = ssh->kex->hash;
4997 /* First hlen bytes. */
4999 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5000 hash_mpint(h, s, K);
5001 h->bytes(s, H, h->hlen);
5002 h->bytes(s, &chr, 1);
5003 h->bytes(s, ssh->v2_session_id, ssh->v2_session_id_len);
5004 h->final(s, keyspace);
5005 /* Next hlen bytes. */
5007 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5008 hash_mpint(h, s, K);
5009 h->bytes(s, H, h->hlen);
5010 h->bytes(s, keyspace, h->hlen);
5011 h->final(s, keyspace + h->hlen);
5015 * Handle the SSH-2 transport layer.
5017 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
5018 struct Packet *pktin)
5020 unsigned char *in = (unsigned char *)vin;
5021 struct do_ssh2_transport_state {
5022 int nbits, pbits, warn_kex, warn_cscipher, warn_sccipher;
5023 Bignum p, g, e, f, K;
5026 int kex_init_value, kex_reply_value;
5027 const struct ssh_mac **maclist;
5029 const struct ssh2_cipher *cscipher_tobe;
5030 const struct ssh2_cipher *sccipher_tobe;
5031 const struct ssh_mac *csmac_tobe;
5032 const struct ssh_mac *scmac_tobe;
5033 const struct ssh_compress *cscomp_tobe;
5034 const struct ssh_compress *sccomp_tobe;
5035 char *hostkeydata, *sigdata, *keystr, *fingerprint;
5036 int hostkeylen, siglen;
5037 void *hkey; /* actual host key */
5038 unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
5039 int n_preferred_kex;
5040 const struct ssh_kexes *preferred_kex[KEX_MAX];
5041 int n_preferred_ciphers;
5042 const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
5043 const struct ssh_compress *preferred_comp;
5044 int got_session_id, activated_authconn;
5045 struct Packet *pktout;
5050 crState(do_ssh2_transport_state);
5052 crBegin(ssh->do_ssh2_transport_crstate);
5054 s->cscipher_tobe = s->sccipher_tobe = NULL;
5055 s->csmac_tobe = s->scmac_tobe = NULL;
5056 s->cscomp_tobe = s->sccomp_tobe = NULL;
5058 s->got_session_id = s->activated_authconn = FALSE;
5061 * Be prepared to work around the buggy MAC problem.
5063 if (ssh->remote_bugs & BUG_SSH2_HMAC)
5064 s->maclist = buggymacs, s->nmacs = lenof(buggymacs);
5066 s->maclist = macs, s->nmacs = lenof(macs);
5069 ssh->pkt_ctx &= ~SSH2_PKTCTX_KEX_MASK;
5071 int i, j, commalist_started;
5074 * Set up the preferred key exchange. (NULL => warn below here)
5076 s->n_preferred_kex = 0;
5077 for (i = 0; i < KEX_MAX; i++) {
5078 switch (ssh->cfg.ssh_kexlist[i]) {
5080 s->preferred_kex[s->n_preferred_kex++] =
5081 &ssh_diffiehellman_gex;
5084 s->preferred_kex[s->n_preferred_kex++] =
5085 &ssh_diffiehellman_group14;
5088 s->preferred_kex[s->n_preferred_kex++] =
5089 &ssh_diffiehellman_group1;
5092 /* Flag for later. Don't bother if it's the last in
5094 if (i < KEX_MAX - 1) {
5095 s->preferred_kex[s->n_preferred_kex++] = NULL;
5102 * Set up the preferred ciphers. (NULL => warn below here)
5104 s->n_preferred_ciphers = 0;
5105 for (i = 0; i < CIPHER_MAX; i++) {
5106 switch (ssh->cfg.ssh_cipherlist[i]) {
5107 case CIPHER_BLOWFISH:
5108 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_blowfish;
5111 if (ssh->cfg.ssh2_des_cbc) {
5112 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_des;
5116 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_3des;
5119 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_aes;
5121 case CIPHER_ARCFOUR:
5122 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour;
5125 /* Flag for later. Don't bother if it's the last in
5127 if (i < CIPHER_MAX - 1) {
5128 s->preferred_ciphers[s->n_preferred_ciphers++] = NULL;
5135 * Set up preferred compression.
5137 if (ssh->cfg.compression)
5138 s->preferred_comp = &ssh_zlib;
5140 s->preferred_comp = &ssh_comp_none;
5143 * Enable queueing of outgoing auth- or connection-layer
5144 * packets while we are in the middle of a key exchange.
5146 ssh->queueing = TRUE;
5149 * Flag that KEX is in progress.
5151 ssh->kex_in_progress = TRUE;
5154 * Construct and send our key exchange packet.
5156 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXINIT);
5157 for (i = 0; i < 16; i++)
5158 ssh2_pkt_addbyte(s->pktout, (unsigned char) random_byte());
5159 /* List key exchange algorithms. */
5160 ssh2_pkt_addstring_start(s->pktout);
5161 commalist_started = 0;
5162 for (i = 0; i < s->n_preferred_kex; i++) {
5163 const struct ssh_kexes *k = s->preferred_kex[i];
5164 if (!k) continue; /* warning flag */
5165 for (j = 0; j < k->nkexes; j++) {
5166 if (commalist_started)
5167 ssh2_pkt_addstring_str(s->pktout, ",");
5168 ssh2_pkt_addstring_str(s->pktout, k->list[j]->name);
5169 commalist_started = 1;
5172 /* List server host key algorithms. */
5173 ssh2_pkt_addstring_start(s->pktout);
5174 for (i = 0; i < lenof(hostkey_algs); i++) {
5175 ssh2_pkt_addstring_str(s->pktout, hostkey_algs[i]->name);
5176 if (i < lenof(hostkey_algs) - 1)
5177 ssh2_pkt_addstring_str(s->pktout, ",");
5179 /* List client->server encryption algorithms. */
5180 ssh2_pkt_addstring_start(s->pktout);
5181 commalist_started = 0;
5182 for (i = 0; i < s->n_preferred_ciphers; i++) {
5183 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5184 if (!c) continue; /* warning flag */
5185 for (j = 0; j < c->nciphers; j++) {
5186 if (commalist_started)
5187 ssh2_pkt_addstring_str(s->pktout, ",");
5188 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5189 commalist_started = 1;
5192 /* List server->client encryption algorithms. */
5193 ssh2_pkt_addstring_start(s->pktout);
5194 commalist_started = 0;
5195 for (i = 0; i < s->n_preferred_ciphers; i++) {
5196 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5197 if (!c) continue; /* warning flag */
5198 for (j = 0; j < c->nciphers; j++) {
5199 if (commalist_started)
5200 ssh2_pkt_addstring_str(s->pktout, ",");
5201 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5202 commalist_started = 1;
5205 /* List client->server MAC algorithms. */
5206 ssh2_pkt_addstring_start(s->pktout);
5207 for (i = 0; i < s->nmacs; i++) {
5208 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5209 if (i < s->nmacs - 1)
5210 ssh2_pkt_addstring_str(s->pktout, ",");
5212 /* List server->client MAC algorithms. */
5213 ssh2_pkt_addstring_start(s->pktout);
5214 for (i = 0; i < s->nmacs; i++) {
5215 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5216 if (i < s->nmacs - 1)
5217 ssh2_pkt_addstring_str(s->pktout, ",");
5219 /* List client->server compression algorithms. */
5220 ssh2_pkt_addstring_start(s->pktout);
5221 assert(lenof(compressions) > 1);
5222 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5223 for (i = 0; i < lenof(compressions); i++) {
5224 const struct ssh_compress *c = compressions[i];
5225 if (c != s->preferred_comp) {
5226 ssh2_pkt_addstring_str(s->pktout, ",");
5227 ssh2_pkt_addstring_str(s->pktout, c->name);
5230 /* List server->client compression algorithms. */
5231 ssh2_pkt_addstring_start(s->pktout);
5232 assert(lenof(compressions) > 1);
5233 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5234 for (i = 0; i < lenof(compressions); i++) {
5235 const struct ssh_compress *c = compressions[i];
5236 if (c != s->preferred_comp) {
5237 ssh2_pkt_addstring_str(s->pktout, ",");
5238 ssh2_pkt_addstring_str(s->pktout, c->name);
5241 /* List client->server languages. Empty list. */
5242 ssh2_pkt_addstring_start(s->pktout);
5243 /* List server->client languages. Empty list. */
5244 ssh2_pkt_addstring_start(s->pktout);
5245 /* First KEX packet does _not_ follow, because we're not that brave. */
5246 ssh2_pkt_addbool(s->pktout, FALSE);
5248 ssh2_pkt_adduint32(s->pktout, 0);
5251 s->our_kexinitlen = s->pktout->length - 5;
5252 s->our_kexinit = snewn(s->our_kexinitlen, unsigned char);
5253 memcpy(s->our_kexinit, s->pktout->data + 5, s->our_kexinitlen);
5255 ssh2_pkt_send_noqueue(ssh, s->pktout);
5261 * Now examine the other side's KEXINIT to see what we're up
5265 char *str, *preferred;
5268 if (pktin->type != SSH2_MSG_KEXINIT) {
5269 bombout(("expected key exchange packet from server"));
5273 ssh->hostkey = NULL;
5274 s->cscipher_tobe = NULL;
5275 s->sccipher_tobe = NULL;
5276 s->csmac_tobe = NULL;
5277 s->scmac_tobe = NULL;
5278 s->cscomp_tobe = NULL;
5279 s->sccomp_tobe = NULL;
5280 s->warn_kex = s->warn_cscipher = s->warn_sccipher = FALSE;
5282 pktin->savedpos += 16; /* skip garbage cookie */
5283 ssh_pkt_getstring(pktin, &str, &len); /* key exchange algorithms */
5286 for (i = 0; i < s->n_preferred_kex; i++) {
5287 const struct ssh_kexes *k = s->preferred_kex[i];
5291 for (j = 0; j < k->nkexes; j++) {
5292 if (!preferred) preferred = k->list[j]->name;
5293 if (in_commasep_string(k->list[j]->name, str, len)) {
5294 ssh->kex = k->list[j];
5303 bombout(("Couldn't agree a key exchange algorithm (available: %s)",
5304 str ? str : "(null)"));
5308 * Note that the server's guess is considered wrong if it doesn't match
5309 * the first algorithm in our list, even if it's still the algorithm
5312 s->guessok = first_in_commasep_string(preferred, str, len);
5313 ssh_pkt_getstring(pktin, &str, &len); /* host key algorithms */
5314 for (i = 0; i < lenof(hostkey_algs); i++) {
5315 if (in_commasep_string(hostkey_algs[i]->name, str, len)) {
5316 ssh->hostkey = hostkey_algs[i];
5320 s->guessok = s->guessok &&
5321 first_in_commasep_string(hostkey_algs[0]->name, str, len);
5322 ssh_pkt_getstring(pktin, &str, &len); /* client->server cipher */
5323 for (i = 0; i < s->n_preferred_ciphers; i++) {
5324 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5326 s->warn_cscipher = TRUE;
5328 for (j = 0; j < c->nciphers; j++) {
5329 if (in_commasep_string(c->list[j]->name, str, len)) {
5330 s->cscipher_tobe = c->list[j];
5335 if (s->cscipher_tobe)
5338 if (!s->cscipher_tobe) {
5339 bombout(("Couldn't agree a client-to-server cipher (available: %s)",
5340 str ? str : "(null)"));
5344 ssh_pkt_getstring(pktin, &str, &len); /* server->client cipher */
5345 for (i = 0; i < s->n_preferred_ciphers; i++) {
5346 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5348 s->warn_sccipher = TRUE;
5350 for (j = 0; j < c->nciphers; j++) {
5351 if (in_commasep_string(c->list[j]->name, str, len)) {
5352 s->sccipher_tobe = c->list[j];
5357 if (s->sccipher_tobe)
5360 if (!s->sccipher_tobe) {
5361 bombout(("Couldn't agree a server-to-client cipher (available: %s)",
5362 str ? str : "(null)"));
5366 ssh_pkt_getstring(pktin, &str, &len); /* client->server mac */
5367 for (i = 0; i < s->nmacs; i++) {
5368 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5369 s->csmac_tobe = s->maclist[i];
5373 ssh_pkt_getstring(pktin, &str, &len); /* server->client mac */
5374 for (i = 0; i < s->nmacs; i++) {
5375 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5376 s->scmac_tobe = s->maclist[i];
5380 ssh_pkt_getstring(pktin, &str, &len); /* client->server compression */
5381 for (i = 0; i < lenof(compressions) + 1; i++) {
5382 const struct ssh_compress *c =
5383 i == 0 ? s->preferred_comp : compressions[i - 1];
5384 if (in_commasep_string(c->name, str, len)) {
5389 ssh_pkt_getstring(pktin, &str, &len); /* server->client compression */
5390 for (i = 0; i < lenof(compressions) + 1; i++) {
5391 const struct ssh_compress *c =
5392 i == 0 ? s->preferred_comp : compressions[i - 1];
5393 if (in_commasep_string(c->name, str, len)) {
5398 ssh_pkt_getstring(pktin, &str, &len); /* client->server language */
5399 ssh_pkt_getstring(pktin, &str, &len); /* server->client language */
5400 s->ignorepkt = ssh2_pkt_getbool(pktin) && !s->guessok;
5403 ssh_set_frozen(ssh, 1);
5404 s->dlgret = askalg(ssh->frontend, "key-exchange algorithm",
5406 ssh_dialog_callback, ssh);
5407 if (s->dlgret < 0) {
5411 bombout(("Unexpected data from server while"
5412 " waiting for user response"));
5415 } while (pktin || inlen > 0);
5416 s->dlgret = ssh->user_response;
5418 ssh_set_frozen(ssh, 0);
5419 if (s->dlgret == 0) {
5420 ssh_disconnect(ssh, "User aborted at kex warning", NULL,
5426 if (s->warn_cscipher) {
5427 ssh_set_frozen(ssh, 1);
5428 s->dlgret = askalg(ssh->frontend,
5429 "client-to-server cipher",
5430 s->cscipher_tobe->name,
5431 ssh_dialog_callback, ssh);
5432 if (s->dlgret < 0) {
5436 bombout(("Unexpected data from server while"
5437 " waiting for user response"));
5440 } while (pktin || inlen > 0);
5441 s->dlgret = ssh->user_response;
5443 ssh_set_frozen(ssh, 0);
5444 if (s->dlgret == 0) {
5445 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5451 if (s->warn_sccipher) {
5452 ssh_set_frozen(ssh, 1);
5453 s->dlgret = askalg(ssh->frontend,
5454 "server-to-client cipher",
5455 s->sccipher_tobe->name,
5456 ssh_dialog_callback, ssh);
5457 if (s->dlgret < 0) {
5461 bombout(("Unexpected data from server while"
5462 " waiting for user response"));
5465 } while (pktin || inlen > 0);
5466 s->dlgret = ssh->user_response;
5468 ssh_set_frozen(ssh, 0);
5469 if (s->dlgret == 0) {
5470 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5476 ssh->exhash = ssh->kex->hash->init();
5477 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_c, strlen(ssh->v_c));
5478 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_s, strlen(ssh->v_s));
5479 hash_string(ssh->kex->hash, ssh->exhash,
5480 s->our_kexinit, s->our_kexinitlen);
5481 sfree(s->our_kexinit);
5482 if (pktin->length > 5)
5483 hash_string(ssh->kex->hash, ssh->exhash,
5484 pktin->data + 5, pktin->length - 5);
5486 if (s->ignorepkt) /* first_kex_packet_follows */
5487 crWaitUntil(pktin); /* Ignore packet */
5491 * Work out the number of bits of key we will need from the key
5492 * exchange. We start with the maximum key length of either
5498 csbits = s->cscipher_tobe->keylen;
5499 scbits = s->sccipher_tobe->keylen;
5500 s->nbits = (csbits > scbits ? csbits : scbits);
5502 /* The keys only have hlen-bit entropy, since they're based on
5503 * a hash. So cap the key size at hlen bits. */
5504 if (s->nbits > ssh->kex->hash->hlen * 8)
5505 s->nbits = ssh->kex->hash->hlen * 8;
5508 * If we're doing Diffie-Hellman group exchange, start by
5509 * requesting a group.
5511 if (!ssh->kex->pdata) {
5512 logevent("Doing Diffie-Hellman group exchange");
5513 ssh->pkt_ctx |= SSH2_PKTCTX_DHGEX;
5515 * Work out how big a DH group we will need to allow that
5518 s->pbits = 512 << ((s->nbits - 1) / 64);
5519 s->pktout = ssh2_pkt_init(SSH2_MSG_KEX_DH_GEX_REQUEST);
5520 ssh2_pkt_adduint32(s->pktout, s->pbits);
5521 ssh2_pkt_send_noqueue(ssh, s->pktout);
5524 if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
5525 bombout(("expected key exchange group packet from server"));
5528 s->p = ssh2_pkt_getmp(pktin);
5529 s->g = ssh2_pkt_getmp(pktin);
5530 if (!s->p || !s->g) {
5531 bombout(("unable to read mp-ints from incoming group packet"));
5534 ssh->kex_ctx = dh_setup_gex(s->p, s->g);
5535 s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
5536 s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
5538 ssh->pkt_ctx |= SSH2_PKTCTX_DHGROUP;
5539 ssh->kex_ctx = dh_setup_group(ssh->kex);
5540 s->kex_init_value = SSH2_MSG_KEXDH_INIT;
5541 s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
5542 logeventf(ssh, "Using Diffie-Hellman with standard group \"%s\"",
5543 ssh->kex->groupname);
5546 logeventf(ssh, "Doing Diffie-Hellman key exchange with hash %s",
5547 ssh->kex->hash->text_name);
5549 * Now generate and send e for Diffie-Hellman.
5551 set_busy_status(ssh->frontend, BUSY_CPU); /* this can take a while */
5552 s->e = dh_create_e(ssh->kex_ctx, s->nbits * 2);
5553 s->pktout = ssh2_pkt_init(s->kex_init_value);
5554 ssh2_pkt_addmp(s->pktout, s->e);
5555 ssh2_pkt_send_noqueue(ssh, s->pktout);
5557 set_busy_status(ssh->frontend, BUSY_WAITING); /* wait for server */
5559 if (pktin->type != s->kex_reply_value) {
5560 bombout(("expected key exchange reply packet from server"));
5563 set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
5564 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5565 s->f = ssh2_pkt_getmp(pktin);
5567 bombout(("unable to parse key exchange reply packet"));
5570 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
5572 s->K = dh_find_K(ssh->kex_ctx, s->f);
5574 /* We assume everything from now on will be quick, and it might
5575 * involve user interaction. */
5576 set_busy_status(ssh->frontend, BUSY_NOT);
5578 hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
5579 if (!ssh->kex->pdata) {
5580 hash_uint32(ssh->kex->hash, ssh->exhash, s->pbits);
5581 hash_mpint(ssh->kex->hash, ssh->exhash, s->p);
5582 hash_mpint(ssh->kex->hash, ssh->exhash, s->g);
5584 hash_mpint(ssh->kex->hash, ssh->exhash, s->e);
5585 hash_mpint(ssh->kex->hash, ssh->exhash, s->f);
5586 hash_mpint(ssh->kex->hash, ssh->exhash, s->K);
5587 assert(ssh->kex->hash->hlen <= sizeof(s->exchange_hash));
5588 ssh->kex->hash->final(ssh->exhash, s->exchange_hash);
5590 dh_cleanup(ssh->kex_ctx);
5591 ssh->kex_ctx = NULL;
5594 debug(("Exchange hash is:\n"));
5595 dmemdump(s->exchange_hash, ssh->kex->hash->hlen);
5598 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5600 !ssh->hostkey->verifysig(s->hkey, s->sigdata, s->siglen,
5601 (char *)s->exchange_hash,
5602 ssh->kex->hash->hlen)) {
5603 bombout(("Server's host key did not match the signature supplied"));
5608 * Authenticate remote host: verify host key. (We've already
5609 * checked the signature of the exchange hash.)
5611 s->keystr = ssh->hostkey->fmtkey(s->hkey);
5612 s->fingerprint = ssh->hostkey->fingerprint(s->hkey);
5613 ssh_set_frozen(ssh, 1);
5614 s->dlgret = verify_ssh_host_key(ssh->frontend,
5615 ssh->savedhost, ssh->savedport,
5616 ssh->hostkey->keytype, s->keystr,
5618 ssh_dialog_callback, ssh);
5619 if (s->dlgret < 0) {
5623 bombout(("Unexpected data from server while waiting"
5624 " for user host key response"));
5627 } while (pktin || inlen > 0);
5628 s->dlgret = ssh->user_response;
5630 ssh_set_frozen(ssh, 0);
5631 if (s->dlgret == 0) {
5632 ssh_disconnect(ssh, "User aborted at host key verification", NULL,
5636 if (!s->got_session_id) { /* don't bother logging this in rekeys */
5637 logevent("Host key fingerprint is:");
5638 logevent(s->fingerprint);
5640 sfree(s->fingerprint);
5642 ssh->hostkey->freekey(s->hkey);
5645 * The exchange hash from the very first key exchange is also
5646 * the session id, used in session key construction and
5649 if (!s->got_session_id) {
5650 assert(sizeof(s->exchange_hash) <= sizeof(ssh->v2_session_id));
5651 memcpy(ssh->v2_session_id, s->exchange_hash,
5652 sizeof(s->exchange_hash));
5653 ssh->v2_session_id_len = ssh->kex->hash->hlen;
5654 assert(ssh->v2_session_id_len <= sizeof(ssh->v2_session_id));
5655 s->got_session_id = TRUE;
5659 * Send SSH2_MSG_NEWKEYS.
5661 s->pktout = ssh2_pkt_init(SSH2_MSG_NEWKEYS);
5662 ssh2_pkt_send_noqueue(ssh, s->pktout);
5663 ssh->outgoing_data_size = 0; /* start counting from here */
5666 * We've sent client NEWKEYS, so create and initialise
5667 * client-to-server session keys.
5669 if (ssh->cs_cipher_ctx)
5670 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
5671 ssh->cscipher = s->cscipher_tobe;
5672 ssh->cs_cipher_ctx = ssh->cscipher->make_context();
5674 if (ssh->cs_mac_ctx)
5675 ssh->csmac->free_context(ssh->cs_mac_ctx);
5676 ssh->csmac = s->csmac_tobe;
5677 ssh->cs_mac_ctx = ssh->csmac->make_context();
5679 if (ssh->cs_comp_ctx)
5680 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
5681 ssh->cscomp = s->cscomp_tobe;
5682 ssh->cs_comp_ctx = ssh->cscomp->compress_init();
5685 * Set IVs on client-to-server keys. Here we use the exchange
5686 * hash from the _first_ key exchange.
5689 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
5690 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5691 ssh2_mkkey(ssh,s->K,s->exchange_hash,'C',keyspace);
5692 assert((ssh->cscipher->keylen+7) / 8 <=
5693 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5694 ssh->cscipher->setkey(ssh->cs_cipher_ctx, keyspace);
5695 ssh2_mkkey(ssh,s->K,s->exchange_hash,'A',keyspace);
5696 assert(ssh->cscipher->blksize <=
5697 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5698 ssh->cscipher->setiv(ssh->cs_cipher_ctx, keyspace);
5699 ssh2_mkkey(ssh,s->K,s->exchange_hash,'E',keyspace);
5700 assert(ssh->csmac->len <=
5701 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5702 ssh->csmac->setkey(ssh->cs_mac_ctx, keyspace);
5703 memset(keyspace, 0, sizeof(keyspace));
5706 logeventf(ssh, "Initialised %.200s client->server encryption",
5707 ssh->cscipher->text_name);
5708 logeventf(ssh, "Initialised %.200s client->server MAC algorithm",
5709 ssh->csmac->text_name);
5710 if (ssh->cscomp->text_name)
5711 logeventf(ssh, "Initialised %s compression",
5712 ssh->cscomp->text_name);
5715 * Now our end of the key exchange is complete, we can send all
5716 * our queued higher-layer packets.
5718 ssh->queueing = FALSE;
5719 ssh2_pkt_queuesend(ssh);
5722 * Expect SSH2_MSG_NEWKEYS from server.
5725 if (pktin->type != SSH2_MSG_NEWKEYS) {
5726 bombout(("expected new-keys packet from server"));
5729 ssh->incoming_data_size = 0; /* start counting from here */
5732 * We've seen server NEWKEYS, so create and initialise
5733 * server-to-client session keys.
5735 if (ssh->sc_cipher_ctx)
5736 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
5737 ssh->sccipher = s->sccipher_tobe;
5738 ssh->sc_cipher_ctx = ssh->sccipher->make_context();
5740 if (ssh->sc_mac_ctx)
5741 ssh->scmac->free_context(ssh->sc_mac_ctx);
5742 ssh->scmac = s->scmac_tobe;
5743 ssh->sc_mac_ctx = ssh->scmac->make_context();
5745 if (ssh->sc_comp_ctx)
5746 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
5747 ssh->sccomp = s->sccomp_tobe;
5748 ssh->sc_comp_ctx = ssh->sccomp->decompress_init();
5751 * Set IVs on server-to-client keys. Here we use the exchange
5752 * hash from the _first_ key exchange.
5755 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
5756 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5757 ssh2_mkkey(ssh,s->K,s->exchange_hash,'D',keyspace);
5758 assert((ssh->sccipher->keylen+7) / 8 <=
5759 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5760 ssh->sccipher->setkey(ssh->sc_cipher_ctx, keyspace);
5761 ssh2_mkkey(ssh,s->K,s->exchange_hash,'B',keyspace);
5762 assert(ssh->sccipher->blksize <=
5763 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5764 ssh->sccipher->setiv(ssh->sc_cipher_ctx, keyspace);
5765 ssh2_mkkey(ssh,s->K,s->exchange_hash,'F',keyspace);
5766 assert(ssh->scmac->len <=
5767 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
5768 ssh->scmac->setkey(ssh->sc_mac_ctx, keyspace);
5769 memset(keyspace, 0, sizeof(keyspace));
5771 logeventf(ssh, "Initialised %.200s server->client encryption",
5772 ssh->sccipher->text_name);
5773 logeventf(ssh, "Initialised %.200s server->client MAC algorithm",
5774 ssh->scmac->text_name);
5775 if (ssh->sccomp->text_name)
5776 logeventf(ssh, "Initialised %s decompression",
5777 ssh->sccomp->text_name);
5780 * Free key exchange data.
5784 if (!ssh->kex->pdata) {
5790 * Key exchange is over. Loop straight back round if we have a
5791 * deferred rekey reason.
5793 if (ssh->deferred_rekey_reason) {
5794 logevent(ssh->deferred_rekey_reason);
5796 ssh->deferred_rekey_reason = NULL;
5797 goto begin_key_exchange;
5801 * Otherwise, schedule a timer for our next rekey.
5803 ssh->kex_in_progress = FALSE;
5804 ssh->last_rekey = GETTICKCOUNT();
5805 if (ssh->cfg.ssh_rekey_time != 0)
5806 ssh->next_rekey = schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
5810 * If this is the first key exchange phase, we must pass the
5811 * SSH2_MSG_NEWKEYS packet to the next layer, not because it
5812 * wants to see it but because it will need time to initialise
5813 * itself before it sees an actual packet. In subsequent key
5814 * exchange phases, we don't pass SSH2_MSG_NEWKEYS on, because
5815 * it would only confuse the layer above.
5817 if (s->activated_authconn) {
5820 s->activated_authconn = TRUE;
5823 * Now we're encrypting. Begin returning 1 to the protocol main
5824 * function so that other things can run on top of the
5825 * transport. If we ever see a KEXINIT, we must go back to the
5828 * We _also_ go back to the start if we see pktin==NULL and
5829 * inlen==-1, because this is a special signal meaning
5830 * `initiate client-driven rekey', and `in' contains a message
5831 * giving the reason for the rekey.
5833 while (!((pktin && pktin->type == SSH2_MSG_KEXINIT) ||
5834 (!pktin && inlen == -1))) {
5839 logevent("Server initiated key re-exchange");
5842 * Special case: if the server bug is set that doesn't
5843 * allow rekeying, we give a different log message and
5844 * continue waiting. (If such a server _initiates_ a rekey,
5845 * we process it anyway!)
5847 if ((ssh->remote_bugs & BUG_SSH2_REKEY)) {
5848 logeventf(ssh, "Server bug prevents key re-exchange (%s)",
5850 /* Reset the counters, so that at least this message doesn't
5851 * hit the event log _too_ often. */
5852 ssh->outgoing_data_size = 0;
5853 ssh->incoming_data_size = 0;
5854 if (ssh->cfg.ssh_rekey_time != 0) {
5856 schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
5859 goto wait_for_rekey; /* this is utterly horrid */
5861 logeventf(ssh, "Initiating key re-exchange (%s)", (char *)in);
5864 goto begin_key_exchange;
5870 * Add data to an SSH-2 channel output buffer.
5872 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf,
5875 bufchain_add(&c->v.v2.outbuffer, buf, len);
5879 * Attempt to send data on an SSH-2 channel.
5881 static int ssh2_try_send(struct ssh_channel *c)
5884 struct Packet *pktout;
5886 while (c->v.v2.remwindow > 0 && bufchain_size(&c->v.v2.outbuffer) > 0) {
5889 bufchain_prefix(&c->v.v2.outbuffer, &data, &len);
5890 if ((unsigned)len > c->v.v2.remwindow)
5891 len = c->v.v2.remwindow;
5892 if ((unsigned)len > c->v.v2.remmaxpkt)
5893 len = c->v.v2.remmaxpkt;
5894 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_DATA);
5895 ssh2_pkt_adduint32(pktout, c->remoteid);
5896 dont_log_data(ssh, pktout, PKTLOG_OMIT);
5897 ssh2_pkt_addstring_start(pktout);
5898 ssh2_pkt_addstring_data(pktout, data, len);
5899 end_log_omission(ssh, pktout);
5900 ssh2_pkt_send(ssh, pktout);
5901 bufchain_consume(&c->v.v2.outbuffer, len);
5902 c->v.v2.remwindow -= len;
5906 * After having sent as much data as we can, return the amount
5909 return bufchain_size(&c->v.v2.outbuffer);
5912 static void ssh2_try_send_and_unthrottle(struct ssh_channel *c)
5916 return; /* don't send on closing channels */
5917 bufsize = ssh2_try_send(c);
5920 case CHAN_MAINSESSION:
5921 /* stdin need not receive an unthrottle
5922 * notification since it will be polled */
5925 x11_unthrottle(c->u.x11.s);
5928 /* agent sockets are request/response and need no
5929 * buffer management */
5932 pfd_unthrottle(c->u.pfd.s);
5939 * Potentially enlarge the window on an SSH-2 channel.
5941 static void ssh2_set_window(struct ssh_channel *c, unsigned newwin)
5946 * Never send WINDOW_ADJUST for a channel that the remote side
5947 * already thinks it's closed; there's no point, since it won't
5948 * be sending any more data anyway.
5954 * Only send a WINDOW_ADJUST if there's significantly more window
5955 * available than the other end thinks there is. This saves us
5956 * sending a WINDOW_ADJUST for every character in a shell session.
5958 * "Significant" is arbitrarily defined as half the window size.
5960 if (newwin > c->v.v2.locwindow * 2) {
5961 struct Packet *pktout;
5963 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
5964 ssh2_pkt_adduint32(pktout, c->remoteid);
5965 ssh2_pkt_adduint32(pktout, newwin - c->v.v2.locwindow);
5966 ssh2_pkt_send(ssh, pktout);
5967 c->v.v2.locwindow = newwin;
5971 static void ssh2_msg_channel_window_adjust(Ssh ssh, struct Packet *pktin)
5973 unsigned i = ssh_pkt_getuint32(pktin);
5974 struct ssh_channel *c;
5975 c = find234(ssh->channels, &i, ssh_channelfind);
5976 if (c && !c->closes) {
5977 c->v.v2.remwindow += ssh_pkt_getuint32(pktin);
5978 ssh2_try_send_and_unthrottle(c);
5982 static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
5986 unsigned i = ssh_pkt_getuint32(pktin);
5987 struct ssh_channel *c;
5988 c = find234(ssh->channels, &i, ssh_channelfind);
5990 return; /* nonexistent channel */
5991 if (pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA &&
5992 ssh_pkt_getuint32(pktin) != SSH2_EXTENDED_DATA_STDERR)
5993 return; /* extended but not stderr */
5994 ssh_pkt_getstring(pktin, &data, &length);
5997 c->v.v2.locwindow -= length;
5999 case CHAN_MAINSESSION:
6001 from_backend(ssh->frontend, pktin->type ==
6002 SSH2_MSG_CHANNEL_EXTENDED_DATA,
6006 bufsize = x11_send(c->u.x11.s, data, length);
6009 bufsize = pfd_send(c->u.pfd.s, data, length);
6012 while (length > 0) {
6013 if (c->u.a.lensofar < 4) {
6014 unsigned int l = min(4 - c->u.a.lensofar, length);
6015 memcpy(c->u.a.msglen + c->u.a.lensofar,
6019 c->u.a.lensofar += l;
6021 if (c->u.a.lensofar == 4) {
6023 4 + GET_32BIT(c->u.a.msglen);
6024 c->u.a.message = snewn(c->u.a.totallen,
6026 memcpy(c->u.a.message, c->u.a.msglen, 4);
6028 if (c->u.a.lensofar >= 4 && length > 0) {
6030 min(c->u.a.totallen - c->u.a.lensofar,
6032 memcpy(c->u.a.message + c->u.a.lensofar,
6036 c->u.a.lensofar += l;
6038 if (c->u.a.lensofar == c->u.a.totallen) {
6041 if (agent_query(c->u.a.message,
6044 ssh_agentf_callback, c))
6045 ssh_agentf_callback(c, reply, replylen);
6046 sfree(c->u.a.message);
6047 c->u.a.lensofar = 0;
6054 * If we are not buffering too much data,
6055 * enlarge the window again at the remote side.
6057 if (bufsize < OUR_V2_WINSIZE)
6058 ssh2_set_window(c, OUR_V2_WINSIZE - bufsize);
6062 static void ssh2_msg_channel_eof(Ssh ssh, struct Packet *pktin)
6064 unsigned i = ssh_pkt_getuint32(pktin);
6065 struct ssh_channel *c;
6067 c = find234(ssh->channels, &i, ssh_channelfind);
6069 return; /* nonexistent channel */
6071 if (c->type == CHAN_X11) {
6073 * Remote EOF on an X11 channel means we should
6074 * wrap up and close the channel ourselves.
6076 x11_close(c->u.x11.s);
6078 } else if (c->type == CHAN_AGENT) {
6080 } else if (c->type == CHAN_SOCKDATA) {
6081 pfd_close(c->u.pfd.s);
6086 static void ssh2_msg_channel_close(Ssh ssh, struct Packet *pktin)
6088 unsigned i = ssh_pkt_getuint32(pktin);
6089 struct ssh_channel *c;
6090 struct Packet *pktout;
6092 c = find234(ssh->channels, &i, ssh_channelfind);
6093 if (!c || c->halfopen) {
6094 bombout(("Received CHANNEL_CLOSE for %s channel %d\n",
6095 c ? "half-open" : "nonexistent", i));
6098 /* Do pre-close processing on the channel. */
6100 case CHAN_MAINSESSION:
6101 ssh->mainchan = NULL;
6102 update_specials_menu(ssh->frontend);
6105 if (c->u.x11.s != NULL)
6106 x11_close(c->u.x11.s);
6113 if (c->u.pfd.s != NULL)
6114 pfd_close(c->u.pfd.s);
6118 if (c->closes == 0) {
6119 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6120 ssh2_pkt_adduint32(pktout, c->remoteid);
6121 ssh2_pkt_send(ssh, pktout);
6123 del234(ssh->channels, c);
6124 bufchain_clear(&c->v.v2.outbuffer);
6128 * See if that was the last channel left open.
6129 * (This is only our termination condition if we're
6130 * not running in -N mode.)
6132 if (!ssh->cfg.ssh_no_shell && count234(ssh->channels) == 0) {
6134 * We used to send SSH_MSG_DISCONNECT here,
6135 * because I'd believed that _every_ conforming
6136 * SSH-2 connection had to end with a disconnect
6137 * being sent by at least one side; apparently
6138 * I was wrong and it's perfectly OK to
6139 * unceremoniously slam the connection shut
6140 * when you're done, and indeed OpenSSH feels
6141 * this is more polite than sending a
6142 * DISCONNECT. So now we don't.
6144 ssh_disconnect(ssh, "All channels closed", NULL, 0, TRUE);
6148 static void ssh2_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
6150 unsigned i = ssh_pkt_getuint32(pktin);
6151 struct ssh_channel *c;
6152 struct Packet *pktout;
6154 c = find234(ssh->channels, &i, ssh_channelfind);
6156 return; /* nonexistent channel */
6157 if (c->type != CHAN_SOCKDATA_DORMANT)
6158 return; /* dunno why they're confirming this */
6159 c->remoteid = ssh_pkt_getuint32(pktin);
6160 c->halfopen = FALSE;
6161 c->type = CHAN_SOCKDATA;
6162 c->v.v2.remwindow = ssh_pkt_getuint32(pktin);
6163 c->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
6165 pfd_confirm(c->u.pfd.s);
6168 * We have a pending close on this channel,
6169 * which we decided on before the server acked
6170 * the channel open. So now we know the
6171 * remoteid, we can close it again.
6173 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6174 ssh2_pkt_adduint32(pktout, c->remoteid);
6175 ssh2_pkt_send(ssh, pktout);
6179 static void ssh2_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
6181 static const char *const reasons[] = {
6182 "<unknown reason code>",
6183 "Administratively prohibited",
6185 "Unknown channel type",
6186 "Resource shortage",
6188 unsigned i = ssh_pkt_getuint32(pktin);
6189 unsigned reason_code;
6190 char *reason_string;
6192 struct ssh_channel *c;
6193 c = find234(ssh->channels, &i, ssh_channelfind);
6195 return; /* nonexistent channel */
6196 if (c->type != CHAN_SOCKDATA_DORMANT)
6197 return; /* dunno why they're failing this */
6199 reason_code = ssh_pkt_getuint32(pktin);
6200 if (reason_code >= lenof(reasons))
6201 reason_code = 0; /* ensure reasons[reason_code] in range */
6202 ssh_pkt_getstring(pktin, &reason_string, &reason_length);
6203 logeventf(ssh, "Forwarded connection refused by server: %s [%.*s]",
6204 reasons[reason_code], reason_length, reason_string);
6206 pfd_close(c->u.pfd.s);
6208 del234(ssh->channels, c);
6212 static void ssh2_msg_channel_request(Ssh ssh, struct Packet *pktin)
6216 int typelen, want_reply;
6217 int reply = SSH2_MSG_CHANNEL_FAILURE; /* default */
6218 struct ssh_channel *c;
6219 struct Packet *pktout;
6221 localid = ssh_pkt_getuint32(pktin);
6222 ssh_pkt_getstring(pktin, &type, &typelen);
6223 want_reply = ssh2_pkt_getbool(pktin);
6226 * First, check that the channel exists. Otherwise,
6227 * we can instantly disconnect with a rude message.
6229 c = find234(ssh->channels, &localid, ssh_channelfind);
6231 char *buf = dupprintf("Received channel request for nonexistent"
6232 " channel %d", localid);
6233 ssh_disconnect(ssh, NULL, buf, SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6239 * Having got the channel number, we now look at
6240 * the request type string to see if it's something
6243 if (c == ssh->mainchan) {
6245 * We recognise "exit-status" and "exit-signal" on
6246 * the primary channel.
6248 if (typelen == 11 &&
6249 !memcmp(type, "exit-status", 11)) {
6251 ssh->exitcode = ssh_pkt_getuint32(pktin);
6252 logeventf(ssh, "Server sent command exit status %d",
6254 reply = SSH2_MSG_CHANNEL_SUCCESS;
6256 } else if (typelen == 11 &&
6257 !memcmp(type, "exit-signal", 11)) {
6259 int is_plausible = TRUE, is_int = FALSE;
6260 char *fmt_sig = "", *fmt_msg = "";
6262 int msglen = 0, core = FALSE;
6263 /* ICK: older versions of OpenSSH (e.g. 3.4p1)
6264 * provide an `int' for the signal, despite its
6265 * having been a `string' in the drafts since at
6266 * least 2001. (Fixed in session.c 1.147.) Try to
6267 * infer which we can safely parse it as. */
6269 unsigned char *p = pktin->body +
6271 long len = pktin->length - pktin->savedpos;
6272 unsigned long num = GET_32BIT(p); /* what is it? */
6273 /* If it's 0, it hardly matters; assume string */
6277 int maybe_int = FALSE, maybe_str = FALSE;
6278 #define CHECK_HYPOTHESIS(offset, result) \
6281 if (q >= 0 && q+4 <= len) { \
6282 q = q + 4 + GET_32BIT(p+q); \
6283 if (q >= 0 && q+4 <= len && \
6284 ((q = q + 4 + GET_32BIT(p+q))!= 0) && q == len) \
6288 CHECK_HYPOTHESIS(4+1, maybe_int);
6289 CHECK_HYPOTHESIS(4+num+1, maybe_str);
6290 #undef CHECK_HYPOTHESIS
6291 if (maybe_int && !maybe_str)
6293 else if (!maybe_int && maybe_str)
6296 /* Crikey. Either or neither. Panic. */
6297 is_plausible = FALSE;
6302 /* Old non-standard OpenSSH. */
6303 int signum = ssh_pkt_getuint32(pktin);
6304 fmt_sig = dupprintf(" %d", signum);
6306 /* As per the drafts. */
6309 ssh_pkt_getstring(pktin, &sig, &siglen);
6310 /* Signal name isn't supposed to be blank, but
6311 * let's cope gracefully if it is. */
6313 fmt_sig = dupprintf(" \"%.*s\"",
6317 core = ssh2_pkt_getbool(pktin);
6318 ssh_pkt_getstring(pktin, &msg, &msglen);
6320 fmt_msg = dupprintf(" (\"%.*s\")", msglen, msg);
6322 /* ignore lang tag */
6323 } /* else don't attempt to parse */
6324 logeventf(ssh, "Server exited on signal%s%s%s",
6325 fmt_sig, core ? " (core dumped)" : "",
6327 if (*fmt_sig) sfree(fmt_sig);
6328 if (*fmt_msg) sfree(fmt_msg);
6329 reply = SSH2_MSG_CHANNEL_SUCCESS;
6334 * This is a channel request we don't know
6335 * about, so we now either ignore the request
6336 * or respond with CHANNEL_FAILURE, depending
6339 reply = SSH2_MSG_CHANNEL_FAILURE;
6342 pktout = ssh2_pkt_init(reply);
6343 ssh2_pkt_adduint32(pktout, c->remoteid);
6344 ssh2_pkt_send(ssh, pktout);
6348 static void ssh2_msg_global_request(Ssh ssh, struct Packet *pktin)
6351 int typelen, want_reply;
6352 struct Packet *pktout;
6354 ssh_pkt_getstring(pktin, &type, &typelen);
6355 want_reply = ssh2_pkt_getbool(pktin);
6358 * We currently don't support any global requests
6359 * at all, so we either ignore the request or
6360 * respond with REQUEST_FAILURE, depending on
6364 pktout = ssh2_pkt_init(SSH2_MSG_REQUEST_FAILURE);
6365 ssh2_pkt_send(ssh, pktout);
6369 static void ssh2_msg_channel_open(Ssh ssh, struct Packet *pktin)
6377 struct ssh_channel *c;
6378 unsigned remid, winsize, pktsize;
6379 struct Packet *pktout;
6381 ssh_pkt_getstring(pktin, &type, &typelen);
6382 c = snew(struct ssh_channel);
6385 remid = ssh_pkt_getuint32(pktin);
6386 winsize = ssh_pkt_getuint32(pktin);
6387 pktsize = ssh_pkt_getuint32(pktin);
6389 if (typelen == 3 && !memcmp(type, "x11", 3)) {
6392 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
6393 addrstr = snewn(peeraddrlen+1, char);
6394 memcpy(addrstr, peeraddr, peeraddrlen);
6395 addrstr[peeraddrlen] = '\0';
6396 peerport = ssh_pkt_getuint32(pktin);
6398 logeventf(ssh, "Received X11 connect request from %s:%d",
6401 if (!ssh->X11_fwd_enabled)
6402 error = "X11 forwarding is not enabled";
6403 else if (x11_init(&c->u.x11.s, ssh->cfg.x11_display, c,
6404 ssh->x11auth, addrstr, peerport,
6405 &ssh->cfg) != NULL) {
6406 error = "Unable to open an X11 connection";
6408 logevent("Opening X11 forward connection succeeded");
6413 } else if (typelen == 15 &&
6414 !memcmp(type, "forwarded-tcpip", 15)) {
6415 struct ssh_rportfwd pf, *realpf;
6418 ssh_pkt_getstring(pktin, &dummy, &dummylen);/* skip address */
6419 pf.sport = ssh_pkt_getuint32(pktin);
6420 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
6421 peerport = ssh_pkt_getuint32(pktin);
6422 realpf = find234(ssh->rportfwds, &pf, NULL);
6423 logeventf(ssh, "Received remote port %d open request "
6424 "from %s:%d", pf.sport, peeraddr, peerport);
6425 if (realpf == NULL) {
6426 error = "Remote port is not recognised";
6428 const char *e = pfd_newconnect(&c->u.pfd.s,
6432 realpf->pfrec->addressfamily);
6433 logeventf(ssh, "Attempting to forward remote port to "
6434 "%s:%d", realpf->dhost, realpf->dport);
6436 logeventf(ssh, "Port open failed: %s", e);
6437 error = "Port open failed";
6439 logevent("Forwarded port opened successfully");
6440 c->type = CHAN_SOCKDATA;
6443 } else if (typelen == 22 &&
6444 !memcmp(type, "auth-agent@openssh.com", 22)) {
6445 if (!ssh->agentfwd_enabled)
6446 error = "Agent forwarding is not enabled";
6448 c->type = CHAN_AGENT; /* identify channel type */
6449 c->u.a.lensofar = 0;
6452 error = "Unsupported channel type requested";
6455 c->remoteid = remid;
6456 c->halfopen = FALSE;
6458 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_FAILURE);
6459 ssh2_pkt_adduint32(pktout, c->remoteid);
6460 ssh2_pkt_adduint32(pktout, SSH2_OPEN_CONNECT_FAILED);
6461 ssh2_pkt_addstring(pktout, error);
6462 ssh2_pkt_addstring(pktout, "en"); /* language tag */
6463 ssh2_pkt_send(ssh, pktout);
6464 logeventf(ssh, "Rejected channel open: %s", error);
6467 c->localid = alloc_channel_id(ssh);
6469 c->v.v2.locwindow = OUR_V2_WINSIZE;
6470 c->v.v2.remwindow = winsize;
6471 c->v.v2.remmaxpkt = pktsize;
6472 bufchain_init(&c->v.v2.outbuffer);
6473 add234(ssh->channels, c);
6474 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
6475 ssh2_pkt_adduint32(pktout, c->remoteid);
6476 ssh2_pkt_adduint32(pktout, c->localid);
6477 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);
6478 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
6479 ssh2_pkt_send(ssh, pktout);
6484 * Buffer banner messages for later display at some convenient point.
6486 static void ssh2_msg_userauth_banner(Ssh ssh, struct Packet *pktin)
6488 /* Arbitrary limit to prevent unbounded inflation of buffer */
6489 if (bufchain_size(&ssh->banner) <= 131072) {
6490 char *banner = NULL;
6492 ssh_pkt_getstring(pktin, &banner, &size);
6494 bufchain_add(&ssh->banner, banner, size);
6498 /* Helper function to deal with sending tty modes for "pty-req" */
6499 static void ssh2_send_ttymode(void *data, char *mode, char *val)
6501 struct Packet *pktout = (struct Packet *)data;
6503 unsigned int arg = 0;
6504 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
6505 if (i == lenof(ssh_ttymodes)) return;
6506 switch (ssh_ttymodes[i].type) {
6508 arg = ssh_tty_parse_specchar(val);
6511 arg = ssh_tty_parse_boolean(val);
6514 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
6515 ssh2_pkt_adduint32(pktout, arg);
6519 * Handle the SSH-2 userauth and connection layers.
6521 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
6522 struct Packet *pktin)
6524 struct do_ssh2_authconn_state {
6527 AUTH_TYPE_PUBLICKEY,
6528 AUTH_TYPE_PUBLICKEY_OFFER_LOUD,
6529 AUTH_TYPE_PUBLICKEY_OFFER_QUIET,
6531 AUTH_TYPE_KEYBOARD_INTERACTIVE,
6532 AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
6534 int done_service_req;
6535 int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter;
6536 int tried_pubkey_config, done_agent;
6537 int kbd_inter_refused;
6539 prompts_t *cur_prompt;
6544 void *publickey_blob;
6545 int publickey_bloblen;
6546 int publickey_encrypted;
6547 char *publickey_algorithm;
6548 char *publickey_comment;
6549 unsigned char agent_request[5], *agent_response, *agentp;
6550 int agent_responselen;
6551 unsigned char *pkblob_in_agent;
6553 char *pkblob, *alg, *commentp;
6554 int pklen, alglen, commentlen;
6555 int siglen, retlen, len;
6556 char *q, *agentreq, *ret;
6558 int num_env, env_left, env_ok;
6559 struct Packet *pktout;
6561 crState(do_ssh2_authconn_state);
6563 crBegin(ssh->do_ssh2_authconn_crstate);
6565 s->done_service_req = FALSE;
6566 s->we_are_in = FALSE;
6567 if (!ssh->cfg.ssh_no_userauth) {
6569 * Request userauth protocol, and await a response to it.
6571 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
6572 ssh2_pkt_addstring(s->pktout, "ssh-userauth");
6573 ssh2_pkt_send(ssh, s->pktout);
6574 crWaitUntilV(pktin);
6575 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT)
6576 s->done_service_req = TRUE;
6578 if (!s->done_service_req) {
6580 * Request connection protocol directly, without authentication.
6582 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
6583 ssh2_pkt_addstring(s->pktout, "ssh-connection");
6584 ssh2_pkt_send(ssh, s->pktout);
6585 crWaitUntilV(pktin);
6586 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) {
6587 s->we_are_in = TRUE; /* no auth required */
6589 bombout(("Server refused service request"));
6594 /* Arrange to be able to deal with any BANNERs that come in.
6595 * (We do this now as packets may come in during the next bit.) */
6596 bufchain_init(&ssh->banner);
6597 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] =
6598 ssh2_msg_userauth_banner;
6601 * Misc one-time setup for authentication.
6603 s->publickey_blob = NULL;
6604 if (!s->we_are_in) {
6607 * Load the public half of any configured public key file
6610 if (!filename_is_null(ssh->cfg.keyfile)) {
6612 logeventf(ssh, "Reading private key file \"%.150s\"",
6613 filename_to_str(&ssh->cfg.keyfile));
6614 keytype = key_type(&ssh->cfg.keyfile);
6615 if (keytype == SSH_KEYTYPE_SSH2) {
6618 ssh2_userkey_loadpub(&ssh->cfg.keyfile,
6619 &s->publickey_algorithm,
6620 &s->publickey_bloblen,
6621 &s->publickey_comment, &error);
6622 if (s->publickey_blob) {
6623 s->publickey_encrypted =
6624 ssh2_userkey_encrypted(&ssh->cfg.keyfile, NULL);
6627 logeventf(ssh, "Unable to load private key (%s)",
6629 msgbuf = dupprintf("Unable to load private key file "
6630 "\"%.150s\" (%s)\r\n",
6631 filename_to_str(&ssh->cfg.keyfile),
6633 c_write_str(ssh, msgbuf);
6638 logeventf(ssh, "Unable to use this key file (%s)",
6639 key_type_to_str(keytype));
6640 msgbuf = dupprintf("Unable to use key file \"%.150s\""
6642 filename_to_str(&ssh->cfg.keyfile),
6643 key_type_to_str(keytype));
6644 c_write_str(ssh, msgbuf);
6646 s->publickey_blob = NULL;
6651 * Find out about any keys Pageant has (but if there's a
6652 * public key configured, filter out all others).
6655 s->agent_response = NULL;
6656 s->pkblob_in_agent = NULL;
6657 if (ssh->cfg.tryagent && agent_exists()) {
6661 logevent("Pageant is running. Requesting keys.");
6663 /* Request the keys held by the agent. */
6664 PUT_32BIT(s->agent_request, 1);
6665 s->agent_request[4] = SSH2_AGENTC_REQUEST_IDENTITIES;
6666 if (!agent_query(s->agent_request, 5, &r, &s->agent_responselen,
6667 ssh_agent_callback, ssh)) {
6671 bombout(("Unexpected data from server while"
6672 " waiting for agent response"));
6675 } while (pktin || inlen > 0);
6676 r = ssh->agent_response;
6677 s->agent_responselen = ssh->agent_response_len;
6679 s->agent_response = (unsigned char *) r;
6680 if (s->agent_response && s->agent_responselen >= 5 &&
6681 s->agent_response[4] == SSH2_AGENT_IDENTITIES_ANSWER) {
6684 p = s->agent_response + 5;
6685 s->nkeys = GET_32BIT(p);
6687 logeventf(ssh, "Pageant has %d SSH-2 keys", s->nkeys);
6688 if (s->publickey_blob) {
6689 /* See if configured key is in agent. */
6690 for (keyi = 0; keyi < s->nkeys; keyi++) {
6691 s->pklen = GET_32BIT(p);
6692 if (s->pklen == s->publickey_bloblen &&
6693 !memcmp(p+4, s->publickey_blob,
6694 s->publickey_bloblen)) {
6695 logeventf(ssh, "Pageant key #%d matches "
6696 "configured key file", keyi);
6698 s->pkblob_in_agent = p;
6702 p += GET_32BIT(p) + 4; /* comment */
6704 if (!s->pkblob_in_agent) {
6705 logevent("Configured key file not in Pageant");
6715 * We repeat this whole loop, including the username prompt,
6716 * until we manage a successful authentication. If the user
6717 * types the wrong _password_, they can be sent back to the
6718 * beginning to try another username, if this is configured on.
6719 * (If they specify a username in the config, they are never
6720 * asked, even if they do give a wrong password.)
6722 * I think this best serves the needs of
6724 * - the people who have no configuration, no keys, and just
6725 * want to try repeated (username,password) pairs until they
6726 * type both correctly
6728 * - people who have keys and configuration but occasionally
6729 * need to fall back to passwords
6731 * - people with a key held in Pageant, who might not have
6732 * logged in to a particular machine before; so they want to
6733 * type a username, and then _either_ their key will be
6734 * accepted, _or_ they will type a password. If they mistype
6735 * the username they will want to be able to get back and
6738 s->username[0] = '\0';
6739 s->got_username = FALSE;
6740 while (!s->we_are_in) {
6744 if (s->got_username && !ssh->cfg.change_username) {
6746 * We got a username last time round this loop, and
6747 * with change_username turned off we don't try to get
6750 } else if (!*ssh->cfg.username) {
6751 int ret; /* need not be kept over crReturn */
6752 s->cur_prompt = new_prompts(ssh->frontend);
6753 s->cur_prompt->to_server = TRUE;
6754 s->cur_prompt->name = dupstr("SSH login name");
6755 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
6756 lenof(s->username));
6757 ret = get_userpass_input(s->cur_prompt, NULL, 0);
6760 crWaitUntilV(!pktin);
6761 ret = get_userpass_input(s->cur_prompt, in, inlen);
6766 * get_userpass_input() failed to get a username.
6769 free_prompts(s->cur_prompt);
6770 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
6773 memcpy(s->username, s->cur_prompt->prompts[0]->result,
6774 lenof(s->username));
6775 free_prompts(s->cur_prompt);
6778 strncpy(s->username, ssh->cfg.username, sizeof(s->username));
6779 s->username[sizeof(s->username)-1] = '\0';
6780 if ((flags & FLAG_VERBOSE) || (flags & FLAG_INTERACTIVE)) {
6781 stuff = dupprintf("Using username \"%s\".\r\n", s->username);
6782 c_write_str(ssh, stuff);
6786 s->got_username = TRUE;
6789 * Send an authentication request using method "none": (a)
6790 * just in case it succeeds, and (b) so that we know what
6791 * authentication methods we can usefully try next.
6793 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
6795 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
6796 ssh2_pkt_addstring(s->pktout, s->username);
6797 ssh2_pkt_addstring(s->pktout, "ssh-connection");/* service requested */
6798 ssh2_pkt_addstring(s->pktout, "none"); /* method */
6799 ssh2_pkt_send(ssh, s->pktout);
6800 s->type = AUTH_TYPE_NONE;
6802 s->we_are_in = FALSE;
6804 s->tried_pubkey_config = FALSE;
6805 s->kbd_inter_refused = FALSE;
6807 /* Reset agent request state. */
6808 s->done_agent = FALSE;
6809 if (s->agent_response) {
6810 if (s->pkblob_in_agent) {
6811 s->agentp = s->pkblob_in_agent;
6813 s->agentp = s->agent_response + 5 + 4;
6820 * Wait for the result of the last authentication request.
6823 crWaitUntilV(pktin);
6825 * Now is a convenient point to spew any banner material
6826 * that we've accumulated. (This should ensure that when
6827 * we exit the auth loop, we haven't any left to deal
6831 int size = bufchain_size(&ssh->banner);
6833 * Don't show the banner if we're operating in
6834 * non-verbose non-interactive mode. (It's probably
6835 * a script, which means nobody will read the
6836 * banner _anyway_, and moreover the printing of
6837 * the banner will screw up processing on the
6838 * output of (say) plink.)
6840 if (size && (flags & (FLAG_VERBOSE | FLAG_INTERACTIVE))) {
6841 char *banner = snewn(size, char);
6842 bufchain_fetch(&ssh->banner, banner, size);
6843 c_write_untrusted(ssh, banner, size);
6846 bufchain_clear(&ssh->banner);
6848 if (pktin->type == SSH2_MSG_USERAUTH_SUCCESS) {
6849 logevent("Access granted");
6850 s->we_are_in = TRUE;
6854 if (pktin->type != SSH2_MSG_USERAUTH_FAILURE) {
6855 bombout(("Strange packet received during authentication: "
6856 "type %d", pktin->type));
6863 * OK, we're now sitting on a USERAUTH_FAILURE message, so
6864 * we can look at the string in it and know what we can
6865 * helpfully try next.
6867 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE) {
6870 ssh_pkt_getstring(pktin, &methods, &methlen);
6871 if (!ssh2_pkt_getbool(pktin)) {
6873 * We have received an unequivocal Access
6874 * Denied. This can translate to a variety of
6877 * - if we'd just tried "none" authentication,
6878 * it's not worth printing anything at all
6880 * - if we'd just tried a public key _offer_,
6881 * the message should be "Server refused our
6882 * key" (or no message at all if the key
6883 * came from Pageant)
6885 * - if we'd just tried anything else, the
6886 * message really should be "Access denied".
6888 * Additionally, if we'd just tried password
6889 * authentication, we should break out of this
6890 * whole loop so as to go back to the username
6891 * prompt (iff we're configured to allow
6892 * username change attempts).
6894 if (s->type == AUTH_TYPE_NONE) {
6896 } else if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD ||
6897 s->type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) {
6898 if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD)
6899 c_write_str(ssh, "Server refused our key\r\n");
6900 logevent("Server refused public key");
6901 } else if (s->type==AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET) {
6902 /* server declined keyboard-interactive; ignore */
6904 c_write_str(ssh, "Access denied\r\n");
6905 logevent("Access denied");
6906 if (s->type == AUTH_TYPE_PASSWORD &&
6907 ssh->cfg.change_username) {
6908 /* XXX perhaps we should allow
6909 * keyboard-interactive to do this too? */
6910 s->we_are_in = FALSE;
6915 c_write_str(ssh, "Further authentication required\r\n");
6916 logevent("Further authentication required");
6920 in_commasep_string("publickey", methods, methlen);
6922 in_commasep_string("password", methods, methlen);
6923 s->can_keyb_inter = ssh->cfg.try_ki_auth &&
6924 in_commasep_string("keyboard-interactive", methods, methlen);
6927 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
6929 if (s->can_pubkey && !s->done_agent && s->nkeys) {
6932 * Attempt public-key authentication using a key from Pageant.
6935 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
6936 ssh->pkt_ctx |= SSH2_PKTCTX_PUBLICKEY;
6938 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
6940 /* Unpack key from agent response */
6941 s->pklen = GET_32BIT(s->agentp);
6943 s->pkblob = (char *)s->agentp;
6944 s->agentp += s->pklen;
6945 s->alglen = GET_32BIT(s->pkblob);
6946 s->alg = s->pkblob + 4;
6947 s->commentlen = GET_32BIT(s->agentp);
6949 s->commentp = (char *)s->agentp;
6950 s->agentp += s->commentlen;
6951 /* s->agentp now points at next key, if any */
6953 /* See if server will accept it */
6954 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
6955 ssh2_pkt_addstring(s->pktout, s->username);
6956 ssh2_pkt_addstring(s->pktout, "ssh-connection");
6957 /* service requested */
6958 ssh2_pkt_addstring(s->pktout, "publickey");
6960 ssh2_pkt_addbool(s->pktout, FALSE); /* no signature included */
6961 ssh2_pkt_addstring_start(s->pktout);
6962 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
6963 ssh2_pkt_addstring_start(s->pktout);
6964 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
6965 ssh2_pkt_send(ssh, s->pktout);
6966 s->type = AUTH_TYPE_PUBLICKEY_OFFER_QUIET;
6968 crWaitUntilV(pktin);
6969 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
6971 /* Offer of key refused. */
6978 if (flags & FLAG_VERBOSE) {
6979 c_write_str(ssh, "Authenticating with "
6981 c_write(ssh, s->commentp, s->commentlen);
6982 c_write_str(ssh, "\" from agent\r\n");
6986 * Server is willing to accept the key.
6987 * Construct a SIGN_REQUEST.
6989 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
6990 ssh2_pkt_addstring(s->pktout, s->username);
6991 ssh2_pkt_addstring(s->pktout, "ssh-connection");
6992 /* service requested */
6993 ssh2_pkt_addstring(s->pktout, "publickey");
6995 ssh2_pkt_addbool(s->pktout, TRUE); /* signature included */
6996 ssh2_pkt_addstring_start(s->pktout);
6997 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
6998 ssh2_pkt_addstring_start(s->pktout);
6999 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7001 /* Ask agent for signature. */
7002 s->siglen = s->pktout->length - 5 + 4 +
7003 ssh->v2_session_id_len;
7004 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7006 s->len = 1; /* message type */
7007 s->len += 4 + s->pklen; /* key blob */
7008 s->len += 4 + s->siglen; /* data to sign */
7009 s->len += 4; /* flags */
7010 s->agentreq = snewn(4 + s->len, char);
7011 PUT_32BIT(s->agentreq, s->len);
7012 s->q = s->agentreq + 4;
7013 *s->q++ = SSH2_AGENTC_SIGN_REQUEST;
7014 PUT_32BIT(s->q, s->pklen);
7016 memcpy(s->q, s->pkblob, s->pklen);
7018 PUT_32BIT(s->q, s->siglen);
7020 /* Now the data to be signed... */
7021 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7022 PUT_32BIT(s->q, ssh->v2_session_id_len);
7025 memcpy(s->q, ssh->v2_session_id,
7026 ssh->v2_session_id_len);
7027 s->q += ssh->v2_session_id_len;
7028 memcpy(s->q, s->pktout->data + 5,
7029 s->pktout->length - 5);
7030 s->q += s->pktout->length - 5;
7031 /* And finally the (zero) flags word. */
7033 if (!agent_query(s->agentreq, s->len + 4,
7035 ssh_agent_callback, ssh)) {
7039 bombout(("Unexpected data from server"
7040 " while waiting for agent"
7044 } while (pktin || inlen > 0);
7045 vret = ssh->agent_response;
7046 s->retlen = ssh->agent_response_len;
7051 if (s->ret[4] == SSH2_AGENT_SIGN_RESPONSE) {
7052 logevent("Sending Pageant's response");
7053 ssh2_add_sigblob(ssh, s->pktout,
7054 s->pkblob, s->pklen,
7056 GET_32BIT(s->ret + 5));
7057 ssh2_pkt_send(ssh, s->pktout);
7058 s->type = AUTH_TYPE_PUBLICKEY;
7060 /* FIXME: less drastic response */
7061 bombout(("Pageant failed to answer challenge"));
7067 /* Do we have any keys left to try? */
7068 if (s->pkblob_in_agent) {
7069 s->done_agent = TRUE;
7070 s->tried_pubkey_config = TRUE;
7073 if (s->keyi >= s->nkeys)
7074 s->done_agent = TRUE;
7077 } else if (s->can_pubkey && s->publickey_blob &&
7078 !s->tried_pubkey_config) {
7080 struct ssh2_userkey *key; /* not live over crReturn */
7081 char *passphrase; /* not live over crReturn */
7083 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
7084 ssh->pkt_ctx |= SSH2_PKTCTX_PUBLICKEY;
7086 s->tried_pubkey_config = TRUE;
7089 * Try the public key supplied in the configuration.
7091 * First, offer the public blob to see if the server is
7092 * willing to accept it.
7094 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7095 ssh2_pkt_addstring(s->pktout, s->username);
7096 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7097 /* service requested */
7098 ssh2_pkt_addstring(s->pktout, "publickey"); /* method */
7099 ssh2_pkt_addbool(s->pktout, FALSE);
7100 /* no signature included */
7101 ssh2_pkt_addstring(s->pktout, s->publickey_algorithm);
7102 ssh2_pkt_addstring_start(s->pktout);
7103 ssh2_pkt_addstring_data(s->pktout,
7104 (char *)s->publickey_blob,
7105 s->publickey_bloblen);
7106 ssh2_pkt_send(ssh, s->pktout);
7107 logevent("Offered public key");
7109 crWaitUntilV(pktin);
7110 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7111 /* Key refused. Give up. */
7112 s->gotit = TRUE; /* reconsider message next loop */
7113 s->type = AUTH_TYPE_PUBLICKEY_OFFER_LOUD;
7114 continue; /* process this new message */
7116 logevent("Offer of public key accepted");
7119 * Actually attempt a serious authentication using
7122 if (flags & FLAG_VERBOSE) {
7123 c_write_str(ssh, "Authenticating with public key \"");
7124 c_write_str(ssh, s->publickey_comment);
7125 c_write_str(ssh, "\"\r\n");
7129 const char *error; /* not live over crReturn */
7130 if (s->publickey_encrypted) {
7132 * Get a passphrase from the user.
7134 int ret; /* need not be kept over crReturn */
7135 s->cur_prompt = new_prompts(ssh->frontend);
7136 s->cur_prompt->to_server = FALSE;
7137 s->cur_prompt->name = dupstr("SSH key passphrase");
7138 add_prompt(s->cur_prompt,
7139 dupprintf("Passphrase for key \"%.100s\": ",
7140 s->publickey_comment),
7141 FALSE, SSH_MAX_PASSWORD_LEN);
7142 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7145 crWaitUntilV(!pktin);
7146 ret = get_userpass_input(s->cur_prompt,
7151 /* Failed to get a passphrase. Terminate. */
7152 free_prompts(s->cur_prompt);
7153 ssh_disconnect(ssh, NULL,
7154 "Unable to authenticate",
7155 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7160 dupstr(s->cur_prompt->prompts[0]->result);
7161 free_prompts(s->cur_prompt);
7163 passphrase = NULL; /* no passphrase needed */
7167 * Try decrypting the key.
7169 key = ssh2_load_userkey(&ssh->cfg.keyfile, passphrase,
7172 /* burn the evidence */
7173 memset(passphrase, 0, strlen(passphrase));
7176 if (key == SSH2_WRONG_PASSPHRASE || key == NULL) {
7178 (key == SSH2_WRONG_PASSPHRASE)) {
7179 c_write_str(ssh, "Wrong passphrase\r\n");
7181 /* and loop again */
7183 c_write_str(ssh, "Unable to load private key (");
7184 c_write_str(ssh, error);
7185 c_write_str(ssh, ")\r\n");
7187 break; /* try something else */
7193 unsigned char *pkblob, *sigblob, *sigdata;
7194 int pkblob_len, sigblob_len, sigdata_len;
7198 * We have loaded the private key and the server
7199 * has announced that it's willing to accept it.
7200 * Hallelujah. Generate a signature and send it.
7202 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7203 ssh2_pkt_addstring(s->pktout, s->username);
7204 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7205 /* service requested */
7206 ssh2_pkt_addstring(s->pktout, "publickey");
7208 ssh2_pkt_addbool(s->pktout, TRUE);
7209 /* signature follows */
7210 ssh2_pkt_addstring(s->pktout, key->alg->name);
7211 pkblob = key->alg->public_blob(key->data,
7213 ssh2_pkt_addstring_start(s->pktout);
7214 ssh2_pkt_addstring_data(s->pktout, (char *)pkblob,
7218 * The data to be signed is:
7222 * followed by everything so far placed in the
7225 sigdata_len = s->pktout->length - 5 + 4 +
7226 ssh->v2_session_id_len;
7227 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7229 sigdata = snewn(sigdata_len, unsigned char);
7231 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7232 PUT_32BIT(sigdata+p, ssh->v2_session_id_len);
7235 memcpy(sigdata+p, ssh->v2_session_id,
7236 ssh->v2_session_id_len);
7237 p += ssh->v2_session_id_len;
7238 memcpy(sigdata+p, s->pktout->data + 5,
7239 s->pktout->length - 5);
7240 p += s->pktout->length - 5;
7241 assert(p == sigdata_len);
7242 sigblob = key->alg->sign(key->data, (char *)sigdata,
7243 sigdata_len, &sigblob_len);
7244 ssh2_add_sigblob(ssh, s->pktout, pkblob, pkblob_len,
7245 sigblob, sigblob_len);
7250 ssh2_pkt_send(ssh, s->pktout);
7251 s->type = AUTH_TYPE_PUBLICKEY;
7252 key->alg->freekey(key->data);
7255 } else if (s->can_keyb_inter && !s->kbd_inter_refused) {
7258 * Keyboard-interactive authentication.
7261 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE;
7263 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
7264 ssh->pkt_ctx |= SSH2_PKTCTX_KBDINTER;
7266 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7267 ssh2_pkt_addstring(s->pktout, s->username);
7268 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7269 /* service requested */
7270 ssh2_pkt_addstring(s->pktout, "keyboard-interactive");
7272 ssh2_pkt_addstring(s->pktout, ""); /* lang */
7273 ssh2_pkt_addstring(s->pktout, ""); /* submethods */
7274 ssh2_pkt_send(ssh, s->pktout);
7276 crWaitUntilV(pktin);
7277 if (pktin->type != SSH2_MSG_USERAUTH_INFO_REQUEST) {
7278 /* Server is not willing to do keyboard-interactive
7279 * at all (or, bizarrely but legally, accepts the
7280 * user without actually issuing any prompts).
7281 * Give up on it entirely. */
7283 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE)
7284 logevent("Keyboard-interactive authentication refused");
7285 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET;
7286 s->kbd_inter_refused = TRUE; /* don't try it again */
7291 * Loop while the server continues to send INFO_REQUESTs.
7293 while (pktin->type == SSH2_MSG_USERAUTH_INFO_REQUEST) {
7295 char *name, *inst, *lang;
7296 int name_len, inst_len, lang_len;
7300 * We've got a fresh USERAUTH_INFO_REQUEST.
7301 * Get the preamble and start building a prompt.
7303 ssh_pkt_getstring(pktin, &name, &name_len);
7304 ssh_pkt_getstring(pktin, &inst, &inst_len);
7305 ssh_pkt_getstring(pktin, &lang, &lang_len);
7306 s->cur_prompt = new_prompts(ssh->frontend);
7307 s->cur_prompt->to_server = TRUE;
7309 /* FIXME: better prefix to distinguish from
7311 s->cur_prompt->name =
7312 dupprintf("SSH server: %.*s", name_len, name);
7313 s->cur_prompt->name_reqd = TRUE;
7315 s->cur_prompt->name =
7316 dupstr("SSH server authentication");
7317 s->cur_prompt->name_reqd = FALSE;
7319 /* FIXME: ugly to print "Using..." in prompt _every_
7320 * time round. Can this be done more subtly? */
7321 s->cur_prompt->instruction =
7322 dupprintf("Using keyboard-interactive authentication.%s%.*s",
7323 inst_len ? "\n" : "", inst_len, inst);
7324 s->cur_prompt->instr_reqd = TRUE;
7327 * Get the prompts from the packet.
7329 s->num_prompts = ssh_pkt_getuint32(pktin);
7330 for (i = 0; i < s->num_prompts; i++) {
7334 static char noprompt[] =
7335 "<server failed to send prompt>: ";
7337 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
7338 echo = ssh2_pkt_getbool(pktin);
7341 prompt_len = lenof(noprompt)-1;
7343 add_prompt(s->cur_prompt,
7344 dupprintf("%.*s", prompt_len, prompt),
7345 echo, SSH_MAX_PASSWORD_LEN);
7349 * Get the user's responses.
7351 if (s->num_prompts) {
7352 int ret; /* not live over crReturn */
7353 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7356 crWaitUntilV(!pktin);
7357 ret = get_userpass_input(s->cur_prompt, in, inlen);
7362 * Failed to get responses. Terminate.
7364 free_prompts(s->cur_prompt);
7365 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7366 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7373 * Send the responses to the server.
7375 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_INFO_RESPONSE);
7376 s->pktout->forcepad = 256;
7377 ssh2_pkt_adduint32(s->pktout, s->num_prompts);
7378 for (i=0; i < s->num_prompts; i++) {
7379 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7380 ssh2_pkt_addstring(s->pktout,
7381 s->cur_prompt->prompts[i]->result);
7382 end_log_omission(ssh, s->pktout);
7384 ssh2_pkt_send(ssh, s->pktout);
7387 * Get the next packet in case it's another
7390 crWaitUntilV(pktin);
7395 * We should have SUCCESS or FAILURE now.
7399 } else if (s->can_passwd) {
7402 * Plain old password authentication.
7404 int ret; /* not live over crReturn */
7405 int changereq_first_time; /* not live over crReturn */
7407 ssh->pkt_ctx &= ~SSH2_PKTCTX_AUTH_MASK;
7408 ssh->pkt_ctx |= SSH2_PKTCTX_PASSWORD;
7410 s->cur_prompt = new_prompts(ssh->frontend);
7411 s->cur_prompt->to_server = TRUE;
7412 s->cur_prompt->name = dupstr("SSH password");
7413 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
7416 FALSE, SSH_MAX_PASSWORD_LEN);
7418 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7421 crWaitUntilV(!pktin);
7422 ret = get_userpass_input(s->cur_prompt, in, inlen);
7427 * Failed to get responses. Terminate.
7429 free_prompts(s->cur_prompt);
7430 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7431 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7436 * Squirrel away the password. (We may need it later if
7437 * asked to change it.)
7439 s->password = dupstr(s->cur_prompt->prompts[0]->result);
7440 free_prompts(s->cur_prompt);
7443 * Send the password packet.
7445 * We pad out the password packet to 256 bytes to make
7446 * it harder for an attacker to find the length of the
7449 * Anyone using a password longer than 256 bytes
7450 * probably doesn't have much to worry about from
7451 * people who find out how long their password is!
7453 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7454 s->pktout->forcepad = 256;
7455 ssh2_pkt_addstring(s->pktout, s->username);
7456 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7457 /* service requested */
7458 ssh2_pkt_addstring(s->pktout, "password");
7459 ssh2_pkt_addbool(s->pktout, FALSE);
7460 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7461 ssh2_pkt_addstring(s->pktout, s->password);
7462 end_log_omission(ssh, s->pktout);
7463 ssh2_pkt_send(ssh, s->pktout);
7464 logevent("Sent password");
7465 s->type = AUTH_TYPE_PASSWORD;
7468 * Wait for next packet, in case it's a password change
7471 crWaitUntilV(pktin);
7472 changereq_first_time = TRUE;
7474 while (pktin->type == SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ) {
7477 * We're being asked for a new password
7478 * (perhaps not for the first time).
7479 * Loop until the server accepts it.
7482 int got_new = FALSE; /* not live over crReturn */
7483 char *prompt; /* not live over crReturn */
7484 int prompt_len; /* not live over crReturn */
7488 if (changereq_first_time)
7489 msg = "Server requested password change";
7491 msg = "Server rejected new password";
7493 c_write_str(ssh, msg);
7494 c_write_str(ssh, "\r\n");
7497 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
7499 s->cur_prompt = new_prompts(ssh->frontend);
7500 s->cur_prompt->to_server = TRUE;
7501 s->cur_prompt->name = dupstr("New SSH password");
7502 s->cur_prompt->instruction =
7503 dupprintf("%.*s", prompt_len, prompt);
7504 s->cur_prompt->instr_reqd = TRUE;
7506 * There's no explicit requirement in the protocol
7507 * for the "old" passwords in the original and
7508 * password-change messages to be the same, and
7509 * apparently some Cisco kit supports password change
7510 * by the user entering a blank password originally
7511 * and the real password subsequently, so,
7512 * reluctantly, we prompt for the old password again.
7514 * (On the other hand, some servers don't even bother
7515 * to check this field.)
7517 add_prompt(s->cur_prompt,
7518 dupstr("Current password (blank for previously entered password): "),
7519 FALSE, SSH_MAX_PASSWORD_LEN);
7520 add_prompt(s->cur_prompt, dupstr("Enter new password: "),
7521 FALSE, SSH_MAX_PASSWORD_LEN);
7522 add_prompt(s->cur_prompt, dupstr("Confirm new password: "),
7523 FALSE, SSH_MAX_PASSWORD_LEN);
7526 * Loop until the user manages to enter the same
7531 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7534 crWaitUntilV(!pktin);
7535 ret = get_userpass_input(s->cur_prompt, in, inlen);
7540 * Failed to get responses. Terminate.
7542 /* burn the evidence */
7543 free_prompts(s->cur_prompt);
7544 memset(s->password, 0, strlen(s->password));
7546 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7547 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7553 * If the user specified a new original password
7554 * (IYSWIM), overwrite any previously specified
7556 * (A side effect is that the user doesn't have to
7557 * re-enter it if they louse up the new password.)
7559 if (s->cur_prompt->prompts[0]->result[0]) {
7560 memset(s->password, 0, strlen(s->password));
7561 /* burn the evidence */
7564 dupstr(s->cur_prompt->prompts[0]->result);
7568 * Check the two new passwords match.
7570 got_new = (strcmp(s->cur_prompt->prompts[1]->result,
7571 s->cur_prompt->prompts[2]->result)
7574 /* They don't. Silly user. */
7575 c_write_str(ssh, "Passwords do not match\r\n");
7580 * Send the new password (along with the old one).
7581 * (see above for padding rationale)
7583 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7584 s->pktout->forcepad = 256;
7585 ssh2_pkt_addstring(s->pktout, s->username);
7586 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7587 /* service requested */
7588 ssh2_pkt_addstring(s->pktout, "password");
7589 ssh2_pkt_addbool(s->pktout, TRUE);
7590 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7591 ssh2_pkt_addstring(s->pktout, s->password);
7592 ssh2_pkt_addstring(s->pktout,
7593 s->cur_prompt->prompts[1]->result);
7594 free_prompts(s->cur_prompt);
7595 end_log_omission(ssh, s->pktout);
7596 ssh2_pkt_send(ssh, s->pktout);
7597 logevent("Sent new password");
7600 * Now see what the server has to say about it.
7601 * (If it's CHANGEREQ again, it's not happy with the
7604 crWaitUntilV(pktin);
7605 changereq_first_time = FALSE;
7610 * We need to reexamine the current pktin at the top
7611 * of the loop. Either:
7612 * - we weren't asked to change password at all, in
7613 * which case it's a SUCCESS or FAILURE with the
7615 * - we sent a new password, and the server was
7616 * either OK with it (SUCCESS or FAILURE w/partial
7617 * success) or unhappy with the _old_ password
7618 * (FAILURE w/o partial success)
7619 * In any of these cases, we go back to the top of
7620 * the loop and start again.
7625 * We don't need the old password any more, in any
7626 * case. Burn the evidence.
7628 memset(s->password, 0, strlen(s->password));
7633 ssh_disconnect(ssh, NULL,
7634 "No supported authentication methods available",
7635 SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE,
7643 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
7645 /* Clear up various bits and pieces from authentication. */
7646 if (s->publickey_blob) {
7647 sfree(s->publickey_blob);
7648 sfree(s->publickey_comment);
7650 if (s->agent_response)
7651 sfree(s->agent_response);
7654 * Now the connection protocol has started, one way or another.
7657 ssh->channels = newtree234(ssh_channelcmp);
7660 * Set up handlers for some connection protocol messages, so we
7661 * don't have to handle them repeatedly in this coroutine.
7663 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] =
7664 ssh2_msg_channel_window_adjust;
7665 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] =
7666 ssh2_msg_global_request;
7669 * Create the main session channel.
7671 if (ssh->cfg.ssh_no_shell) {
7672 ssh->mainchan = NULL;
7673 } else if (*ssh->cfg.ssh_nc_host) {
7675 * Just start a direct-tcpip channel and use it as the main
7678 ssh->mainchan = snew(struct ssh_channel);
7679 ssh->mainchan->ssh = ssh;
7680 ssh->mainchan->localid = alloc_channel_id(ssh);
7682 "Opening direct-tcpip channel to %s:%d in place of session",
7683 ssh->cfg.ssh_nc_host, ssh->cfg.ssh_nc_port);
7684 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
7685 ssh2_pkt_addstring(s->pktout, "direct-tcpip");
7686 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
7687 ssh->mainchan->v.v2.locwindow = OUR_V2_WINSIZE;
7688 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
7689 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
7690 ssh2_pkt_addstring(s->pktout, ssh->cfg.ssh_nc_host);
7691 ssh2_pkt_adduint32(s->pktout, ssh->cfg.ssh_nc_port);
7693 * There's nothing meaningful to put in the originator
7694 * fields, but some servers insist on syntactically correct
7697 ssh2_pkt_addstring(s->pktout, "0.0.0.0");
7698 ssh2_pkt_adduint32(s->pktout, 0);
7699 ssh2_pkt_send(ssh, s->pktout);
7701 crWaitUntilV(pktin);
7702 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
7703 bombout(("Server refused to open a direct-tcpip channel"));
7705 /* FIXME: error data comes back in FAILURE packet */
7707 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
7708 bombout(("Server's channel confirmation cited wrong channel"));
7711 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
7712 ssh->mainchan->halfopen = FALSE;
7713 ssh->mainchan->type = CHAN_MAINSESSION;
7714 ssh->mainchan->closes = 0;
7715 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
7716 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
7717 bufchain_init(&ssh->mainchan->v.v2.outbuffer);
7718 add234(ssh->channels, ssh->mainchan);
7719 update_specials_menu(ssh->frontend);
7720 logevent("Opened direct-tcpip channel");
7723 ssh->mainchan = snew(struct ssh_channel);
7724 ssh->mainchan->ssh = ssh;
7725 ssh->mainchan->localid = alloc_channel_id(ssh);
7726 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
7727 ssh2_pkt_addstring(s->pktout, "session");
7728 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
7729 ssh->mainchan->v.v2.locwindow = OUR_V2_WINSIZE;
7730 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
7731 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
7732 ssh2_pkt_send(ssh, s->pktout);
7733 crWaitUntilV(pktin);
7734 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
7735 bombout(("Server refused to open a session"));
7737 /* FIXME: error data comes back in FAILURE packet */
7739 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
7740 bombout(("Server's channel confirmation cited wrong channel"));
7743 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
7744 ssh->mainchan->halfopen = FALSE;
7745 ssh->mainchan->type = CHAN_MAINSESSION;
7746 ssh->mainchan->closes = 0;
7747 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
7748 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
7749 bufchain_init(&ssh->mainchan->v.v2.outbuffer);
7750 add234(ssh->channels, ssh->mainchan);
7751 update_specials_menu(ssh->frontend);
7752 logevent("Opened channel for session");
7753 ssh->ncmode = FALSE;
7757 * Now we have a channel, make dispatch table entries for
7758 * general channel-based messages.
7760 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] =
7761 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] =
7762 ssh2_msg_channel_data;
7763 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = ssh2_msg_channel_eof;
7764 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = ssh2_msg_channel_close;
7765 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] =
7766 ssh2_msg_channel_open_confirmation;
7767 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] =
7768 ssh2_msg_channel_open_failure;
7769 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] =
7770 ssh2_msg_channel_request;
7771 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] =
7772 ssh2_msg_channel_open;
7775 * Potentially enable X11 forwarding.
7777 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.x11_forward) {
7778 char proto[20], data[64];
7779 logevent("Requesting X11 forwarding");
7780 ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
7781 data, sizeof(data), ssh->cfg.x11_auth);
7782 x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
7783 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
7784 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
7785 ssh2_pkt_addstring(s->pktout, "x11-req");
7786 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
7787 ssh2_pkt_addbool(s->pktout, 0); /* many connections */
7788 ssh2_pkt_addstring(s->pktout, proto);
7790 * Note that while we blank the X authentication data here, we don't
7791 * take any special action to blank the start of an X11 channel,
7792 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
7793 * without having session blanking enabled is likely to leak your
7794 * cookie into the log.
7796 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7797 ssh2_pkt_addstring(s->pktout, data);
7798 end_log_omission(ssh, s->pktout);
7799 ssh2_pkt_adduint32(s->pktout, x11_get_screen_number(ssh->cfg.x11_display));
7800 ssh2_pkt_send(ssh, s->pktout);
7802 crWaitUntilV(pktin);
7804 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
7805 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
7806 bombout(("Unexpected response to X11 forwarding request:"
7807 " packet type %d", pktin->type));
7810 logevent("X11 forwarding refused");
7812 logevent("X11 forwarding enabled");
7813 ssh->X11_fwd_enabled = TRUE;
7818 * Enable port forwardings.
7820 ssh_setup_portfwd(ssh, &ssh->cfg);
7823 * Potentially enable agent forwarding.
7825 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.agentfwd && agent_exists()) {
7826 logevent("Requesting OpenSSH-style agent forwarding");
7827 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
7828 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
7829 ssh2_pkt_addstring(s->pktout, "auth-agent-req@openssh.com");
7830 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
7831 ssh2_pkt_send(ssh, s->pktout);
7833 crWaitUntilV(pktin);
7835 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
7836 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
7837 bombout(("Unexpected response to agent forwarding request:"
7838 " packet type %d", pktin->type));
7841 logevent("Agent forwarding refused");
7843 logevent("Agent forwarding enabled");
7844 ssh->agentfwd_enabled = TRUE;
7849 * Now allocate a pty for the session.
7851 if (ssh->mainchan && !ssh->ncmode && !ssh->cfg.nopty) {
7852 /* Unpick the terminal-speed string. */
7853 /* XXX perhaps we should allow no speeds to be sent. */
7854 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
7855 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
7856 /* Build the pty request. */
7857 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
7858 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
7859 ssh2_pkt_addstring(s->pktout, "pty-req");
7860 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
7861 ssh2_pkt_addstring(s->pktout, ssh->cfg.termtype);
7862 ssh2_pkt_adduint32(s->pktout, ssh->term_width);
7863 ssh2_pkt_adduint32(s->pktout, ssh->term_height);
7864 ssh2_pkt_adduint32(s->pktout, 0); /* pixel width */
7865 ssh2_pkt_adduint32(s->pktout, 0); /* pixel height */
7866 ssh2_pkt_addstring_start(s->pktout);
7867 parse_ttymodes(ssh, ssh->cfg.ttymodes,
7868 ssh2_send_ttymode, (void *)s->pktout);
7869 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_ISPEED);
7870 ssh2_pkt_adduint32(s->pktout, ssh->ispeed);
7871 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_OSPEED);
7872 ssh2_pkt_adduint32(s->pktout, ssh->ospeed);
7873 ssh2_pkt_addstring_data(s->pktout, "\0", 1); /* TTY_OP_END */
7874 ssh2_pkt_send(ssh, s->pktout);
7875 ssh->state = SSH_STATE_INTERMED;
7877 crWaitUntilV(pktin);
7879 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
7880 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
7881 bombout(("Unexpected response to pty request:"
7882 " packet type %d", pktin->type));
7885 c_write_str(ssh, "Server refused to allocate pty\r\n");
7886 ssh->editing = ssh->echoing = 1;
7888 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
7889 ssh->ospeed, ssh->ispeed);
7892 ssh->editing = ssh->echoing = 1;
7896 * Send environment variables.
7898 * Simplest thing here is to send all the requests at once, and
7899 * then wait for a whole bunch of successes or failures.
7901 if (ssh->mainchan && !ssh->ncmode && *ssh->cfg.environmt) {
7902 char *e = ssh->cfg.environmt;
7903 char *var, *varend, *val;
7909 while (*e && *e != '\t') e++;
7911 if (*e == '\t') e++;
7916 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
7917 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
7918 ssh2_pkt_addstring(s->pktout, "env");
7919 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
7920 ssh2_pkt_addstring_start(s->pktout);
7921 ssh2_pkt_addstring_data(s->pktout, var, varend-var);
7922 ssh2_pkt_addstring(s->pktout, val);
7923 ssh2_pkt_send(ssh, s->pktout);
7928 logeventf(ssh, "Sent %d environment variables", s->num_env);
7931 s->env_left = s->num_env;
7933 while (s->env_left > 0) {
7934 crWaitUntilV(pktin);
7936 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
7937 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
7938 bombout(("Unexpected response to environment request:"
7939 " packet type %d", pktin->type));
7949 if (s->env_ok == s->num_env) {
7950 logevent("All environment variables successfully set");
7951 } else if (s->env_ok == 0) {
7952 logevent("All environment variables refused");
7953 c_write_str(ssh, "Server refused to set environment variables\r\n");
7955 logeventf(ssh, "%d environment variables refused",
7956 s->num_env - s->env_ok);
7957 c_write_str(ssh, "Server refused to set all environment variables\r\n");
7962 * Start a shell or a remote command. We may have to attempt
7963 * this twice if the config data has provided a second choice
7966 if (ssh->mainchan && !ssh->ncmode) while (1) {
7970 if (ssh->fallback_cmd) {
7971 subsys = ssh->cfg.ssh_subsys2;
7972 cmd = ssh->cfg.remote_cmd_ptr2;
7974 subsys = ssh->cfg.ssh_subsys;
7975 cmd = ssh->cfg.remote_cmd_ptr;
7976 if (!cmd) cmd = ssh->cfg.remote_cmd;
7979 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
7980 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
7982 ssh2_pkt_addstring(s->pktout, "subsystem");
7983 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
7984 ssh2_pkt_addstring(s->pktout, cmd);
7986 ssh2_pkt_addstring(s->pktout, "exec");
7987 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
7988 ssh2_pkt_addstring(s->pktout, cmd);
7990 ssh2_pkt_addstring(s->pktout, "shell");
7991 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
7993 ssh2_pkt_send(ssh, s->pktout);
7995 crWaitUntilV(pktin);
7997 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
7998 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
7999 bombout(("Unexpected response to shell/command request:"
8000 " packet type %d", pktin->type));
8004 * We failed to start the command. If this is the
8005 * fallback command, we really are finished; if it's
8006 * not, and if the fallback command exists, try falling
8007 * back to it before complaining.
8009 if (!ssh->fallback_cmd && ssh->cfg.remote_cmd_ptr2 != NULL) {
8010 logevent("Primary command failed; attempting fallback");
8011 ssh->fallback_cmd = TRUE;
8014 bombout(("Server refused to start a shell/command"));
8017 logevent("Started a shell/command");
8022 ssh->state = SSH_STATE_SESSION;
8023 if (ssh->size_needed)
8024 ssh_size(ssh, ssh->term_width, ssh->term_height);
8025 if (ssh->eof_needed)
8026 ssh_special(ssh, TS_EOF);
8032 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
8037 s->try_send = FALSE;
8041 * _All_ the connection-layer packets we expect to
8042 * receive are now handled by the dispatch table.
8043 * Anything that reaches here must be bogus.
8046 bombout(("Strange packet received: type %d", pktin->type));
8048 } else if (ssh->mainchan) {
8050 * We have spare data. Add it to the channel buffer.
8052 ssh2_add_channel_data(ssh->mainchan, (char *)in, inlen);
8057 struct ssh_channel *c;
8059 * Try to send data on all channels if we can.
8061 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++)
8062 ssh2_try_send_and_unthrottle(c);
8070 * Handlers for SSH-2 messages that might arrive at any moment.
8072 static void ssh2_msg_disconnect(Ssh ssh, struct Packet *pktin)
8074 /* log reason code in disconnect message */
8076 int nowlen, reason, msglen;
8078 reason = ssh_pkt_getuint32(pktin);
8079 ssh_pkt_getstring(pktin, &msg, &msglen);
8081 if (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) {
8082 buf = dupprintf("Received disconnect message (%s)",
8083 ssh2_disconnect_reasons[reason]);
8085 buf = dupprintf("Received disconnect message (unknown"
8086 " type %d)", reason);
8090 buf = dupprintf("Disconnection message text: %n%.*s",
8091 &nowlen, msglen, msg);
8093 bombout(("Server sent disconnect message\ntype %d (%s):\n\"%s\"",
8095 (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
8096 ssh2_disconnect_reasons[reason] : "unknown",
8101 static void ssh2_msg_debug(Ssh ssh, struct Packet *pktin)
8103 /* log the debug message */
8108 /* XXX maybe we should actually take notice of this */
8109 always_display = ssh2_pkt_getbool(pktin);
8110 ssh_pkt_getstring(pktin, &msg, &msglen);
8112 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
8115 static void ssh2_msg_something_unimplemented(Ssh ssh, struct Packet *pktin)
8117 struct Packet *pktout;
8118 pktout = ssh2_pkt_init(SSH2_MSG_UNIMPLEMENTED);
8119 ssh2_pkt_adduint32(pktout, pktin->sequence);
8121 * UNIMPLEMENTED messages MUST appear in the same order as the
8122 * messages they respond to. Hence, never queue them.
8124 ssh2_pkt_send_noqueue(ssh, pktout);
8128 * Handle the top-level SSH-2 protocol.
8130 static void ssh2_protocol_setup(Ssh ssh)
8135 * Most messages cause SSH2_MSG_UNIMPLEMENTED.
8137 for (i = 0; i < 256; i++)
8138 ssh->packet_dispatch[i] = ssh2_msg_something_unimplemented;
8141 * Any message we actually understand, we set to NULL so that
8142 * the coroutines will get it.
8144 ssh->packet_dispatch[SSH2_MSG_UNIMPLEMENTED] = NULL;
8145 ssh->packet_dispatch[SSH2_MSG_SERVICE_REQUEST] = NULL;
8146 ssh->packet_dispatch[SSH2_MSG_SERVICE_ACCEPT] = NULL;
8147 ssh->packet_dispatch[SSH2_MSG_KEXINIT] = NULL;
8148 ssh->packet_dispatch[SSH2_MSG_NEWKEYS] = NULL;
8149 ssh->packet_dispatch[SSH2_MSG_KEXDH_INIT] = NULL;
8150 ssh->packet_dispatch[SSH2_MSG_KEXDH_REPLY] = NULL;
8151 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REQUEST] = NULL; duplicate case value */
8152 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_GROUP] = NULL; duplicate case value */
8153 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_INIT] = NULL;
8154 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REPLY] = NULL;
8155 ssh->packet_dispatch[SSH2_MSG_USERAUTH_REQUEST] = NULL;
8156 ssh->packet_dispatch[SSH2_MSG_USERAUTH_FAILURE] = NULL;
8157 ssh->packet_dispatch[SSH2_MSG_USERAUTH_SUCCESS] = NULL;
8158 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
8159 ssh->packet_dispatch[SSH2_MSG_USERAUTH_PK_OK] = NULL;
8160 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ] = NULL; duplicate case value */
8161 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_REQUEST] = NULL; duplicate case value */
8162 ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_RESPONSE] = NULL;
8163 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] = NULL;
8164 ssh->packet_dispatch[SSH2_MSG_REQUEST_SUCCESS] = NULL;
8165 ssh->packet_dispatch[SSH2_MSG_REQUEST_FAILURE] = NULL;
8166 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] = NULL;
8167 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] = NULL;
8168 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] = NULL;
8169 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] = NULL;
8170 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] = NULL;
8171 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] = NULL;
8172 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = NULL;
8173 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = NULL;
8174 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] = NULL;
8175 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = NULL;
8176 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = NULL;
8179 * These special message types we install handlers for.
8181 ssh->packet_dispatch[SSH2_MSG_DISCONNECT] = ssh2_msg_disconnect;
8182 ssh->packet_dispatch[SSH2_MSG_IGNORE] = ssh_msg_ignore; /* shared with SSH-1 */
8183 ssh->packet_dispatch[SSH2_MSG_DEBUG] = ssh2_msg_debug;
8186 static void ssh2_timer(void *ctx, long now)
8190 if (ssh->state == SSH_STATE_CLOSED)
8193 if (!ssh->kex_in_progress && ssh->cfg.ssh_rekey_time != 0 &&
8194 now - ssh->next_rekey >= 0) {
8195 do_ssh2_transport(ssh, "timeout", -1, NULL);
8199 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
8200 struct Packet *pktin)
8202 unsigned char *in = (unsigned char *)vin;
8203 if (ssh->state == SSH_STATE_CLOSED)
8207 ssh->incoming_data_size += pktin->encrypted_len;
8208 if (!ssh->kex_in_progress &&
8209 ssh->max_data_size != 0 &&
8210 ssh->incoming_data_size > ssh->max_data_size)
8211 do_ssh2_transport(ssh, "too much data received", -1, NULL);
8214 if (pktin && ssh->packet_dispatch[pktin->type]) {
8215 ssh->packet_dispatch[pktin->type](ssh, pktin);
8219 if (!ssh->protocol_initial_phase_done ||
8220 (pktin && pktin->type >= 20 && pktin->type < 50)) {
8221 if (do_ssh2_transport(ssh, in, inlen, pktin) &&
8222 !ssh->protocol_initial_phase_done) {
8223 ssh->protocol_initial_phase_done = TRUE;
8225 * Allow authconn to initialise itself.
8227 do_ssh2_authconn(ssh, NULL, 0, NULL);
8230 do_ssh2_authconn(ssh, in, inlen, pktin);
8235 * Called to set up the connection.
8237 * Returns an error message, or NULL on success.
8239 static const char *ssh_init(void *frontend_handle, void **backend_handle,
8241 char *host, int port, char **realhost, int nodelay,
8247 ssh = snew(struct ssh_tag);
8248 ssh->cfg = *cfg; /* STRUCTURE COPY */
8249 ssh->version = 0; /* when not ready yet */
8252 ssh->v1_cipher_ctx = NULL;
8253 ssh->crcda_ctx = NULL;
8254 ssh->cscipher = NULL;
8255 ssh->cs_cipher_ctx = NULL;
8256 ssh->sccipher = NULL;
8257 ssh->sc_cipher_ctx = NULL;
8259 ssh->cs_mac_ctx = NULL;
8261 ssh->sc_mac_ctx = NULL;
8263 ssh->cs_comp_ctx = NULL;
8265 ssh->sc_comp_ctx = NULL;
8267 ssh->kex_ctx = NULL;
8268 ssh->hostkey = NULL;
8270 ssh->close_expected = FALSE;
8271 ssh->clean_exit = FALSE;
8272 ssh->state = SSH_STATE_PREPACKET;
8273 ssh->size_needed = FALSE;
8274 ssh->eof_needed = FALSE;
8277 ssh->deferred_send_data = NULL;
8278 ssh->deferred_len = 0;
8279 ssh->deferred_size = 0;
8280 ssh->fallback_cmd = 0;
8282 ssh->x11auth = NULL;
8283 ssh->v1_compressing = FALSE;
8284 ssh->v2_outgoing_sequence = 0;
8285 ssh->ssh1_rdpkt_crstate = 0;
8286 ssh->ssh2_rdpkt_crstate = 0;
8287 ssh->do_ssh_init_crstate = 0;
8288 ssh->ssh_gotdata_crstate = 0;
8289 ssh->do_ssh1_connection_crstate = 0;
8290 ssh->do_ssh1_login_crstate = 0;
8291 ssh->do_ssh2_transport_crstate = 0;
8292 ssh->do_ssh2_authconn_crstate = 0;
8293 ssh->do_ssh_init_state = NULL;
8294 ssh->do_ssh1_login_state = NULL;
8295 ssh->do_ssh2_transport_state = NULL;
8296 ssh->do_ssh2_authconn_state = NULL;
8299 ssh->mainchan = NULL;
8300 ssh->throttled_all = 0;
8301 ssh->v1_stdout_throttling = 0;
8303 ssh->queuelen = ssh->queuesize = 0;
8304 ssh->queueing = FALSE;
8305 ssh->qhead = ssh->qtail = NULL;
8306 ssh->deferred_rekey_reason = NULL;
8307 bufchain_init(&ssh->queued_incoming_data);
8308 ssh->frozen = FALSE;
8310 *backend_handle = ssh;
8313 if (crypto_startup() == 0)
8314 return "Microsoft high encryption pack not installed!";
8317 ssh->frontend = frontend_handle;
8318 ssh->term_width = ssh->cfg.width;
8319 ssh->term_height = ssh->cfg.height;
8321 ssh->channels = NULL;
8322 ssh->rportfwds = NULL;
8323 ssh->portfwds = NULL;
8328 ssh->v1_throttle_count = 0;
8329 ssh->overall_bufsize = 0;
8330 ssh->fallback_cmd = 0;
8332 ssh->protocol = NULL;
8334 ssh->protocol_initial_phase_done = FALSE;
8338 ssh->incoming_data_size = ssh->outgoing_data_size =
8339 ssh->deferred_data_size = 0L;
8340 ssh->max_data_size = parse_blocksize(ssh->cfg.ssh_rekey_data);
8341 ssh->kex_in_progress = FALSE;
8343 p = connect_to_host(ssh, host, port, realhost, nodelay, keepalive);
8352 static void ssh_free(void *handle)
8354 Ssh ssh = (Ssh) handle;
8355 struct ssh_channel *c;
8356 struct ssh_rportfwd *pf;
8358 if (ssh->v1_cipher_ctx)
8359 ssh->cipher->free_context(ssh->v1_cipher_ctx);
8360 if (ssh->cs_cipher_ctx)
8361 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
8362 if (ssh->sc_cipher_ctx)
8363 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
8364 if (ssh->cs_mac_ctx)
8365 ssh->csmac->free_context(ssh->cs_mac_ctx);
8366 if (ssh->sc_mac_ctx)
8367 ssh->scmac->free_context(ssh->sc_mac_ctx);
8368 if (ssh->cs_comp_ctx) {
8370 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
8372 zlib_compress_cleanup(ssh->cs_comp_ctx);
8374 if (ssh->sc_comp_ctx) {
8376 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
8378 zlib_decompress_cleanup(ssh->sc_comp_ctx);
8381 dh_cleanup(ssh->kex_ctx);
8382 sfree(ssh->savedhost);
8384 while (ssh->queuelen-- > 0)
8385 ssh_free_packet(ssh->queue[ssh->queuelen]);
8388 while (ssh->qhead) {
8389 struct queued_handler *qh = ssh->qhead;
8390 ssh->qhead = qh->next;
8393 ssh->qhead = ssh->qtail = NULL;
8395 if (ssh->channels) {
8396 while ((c = delpos234(ssh->channels, 0)) != NULL) {
8399 if (c->u.x11.s != NULL)
8400 x11_close(c->u.x11.s);
8403 if (c->u.pfd.s != NULL)
8404 pfd_close(c->u.pfd.s);
8409 freetree234(ssh->channels);
8410 ssh->channels = NULL;
8413 if (ssh->rportfwds) {
8414 while ((pf = delpos234(ssh->rportfwds, 0)) != NULL)
8416 freetree234(ssh->rportfwds);
8417 ssh->rportfwds = NULL;
8419 sfree(ssh->deferred_send_data);
8421 x11_free_auth(ssh->x11auth);
8422 sfree(ssh->do_ssh_init_state);
8423 sfree(ssh->do_ssh1_login_state);
8424 sfree(ssh->do_ssh2_transport_state);
8425 sfree(ssh->do_ssh2_authconn_state);
8428 if (ssh->crcda_ctx) {
8429 crcda_free_context(ssh->crcda_ctx);
8430 ssh->crcda_ctx = NULL;
8433 ssh_do_close(ssh, TRUE);
8434 expire_timer_context(ssh);
8436 pinger_free(ssh->pinger);
8437 bufchain_clear(&ssh->queued_incoming_data);
8444 * Reconfigure the SSH backend.
8446 static void ssh_reconfig(void *handle, Config *cfg)
8448 Ssh ssh = (Ssh) handle;
8449 char *rekeying = NULL, rekey_mandatory = FALSE;
8450 unsigned long old_max_data_size;
8452 pinger_reconfig(ssh->pinger, &ssh->cfg, cfg);
8454 ssh_setup_portfwd(ssh, cfg);
8456 if (ssh->cfg.ssh_rekey_time != cfg->ssh_rekey_time &&
8457 cfg->ssh_rekey_time != 0) {
8458 long new_next = ssh->last_rekey + cfg->ssh_rekey_time*60*TICKSPERSEC;
8459 long now = GETTICKCOUNT();
8461 if (new_next - now < 0) {
8462 rekeying = "timeout shortened";
8464 ssh->next_rekey = schedule_timer(new_next - now, ssh2_timer, ssh);
8468 old_max_data_size = ssh->max_data_size;
8469 ssh->max_data_size = parse_blocksize(cfg->ssh_rekey_data);
8470 if (old_max_data_size != ssh->max_data_size &&
8471 ssh->max_data_size != 0) {
8472 if (ssh->outgoing_data_size > ssh->max_data_size ||
8473 ssh->incoming_data_size > ssh->max_data_size)
8474 rekeying = "data limit lowered";
8477 if (ssh->cfg.compression != cfg->compression) {
8478 rekeying = "compression setting changed";
8479 rekey_mandatory = TRUE;
8482 if (ssh->cfg.ssh2_des_cbc != cfg->ssh2_des_cbc ||
8483 memcmp(ssh->cfg.ssh_cipherlist, cfg->ssh_cipherlist,
8484 sizeof(ssh->cfg.ssh_cipherlist))) {
8485 rekeying = "cipher settings changed";
8486 rekey_mandatory = TRUE;
8489 ssh->cfg = *cfg; /* STRUCTURE COPY */
8492 if (!ssh->kex_in_progress) {
8493 do_ssh2_transport(ssh, rekeying, -1, NULL);
8494 } else if (rekey_mandatory) {
8495 ssh->deferred_rekey_reason = rekeying;
8501 * Called to send data down the SSH connection.
8503 static int ssh_send(void *handle, char *buf, int len)
8505 Ssh ssh = (Ssh) handle;
8507 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
8510 ssh->protocol(ssh, (unsigned char *)buf, len, 0);
8512 return ssh_sendbuffer(ssh);
8516 * Called to query the current amount of buffered stdin data.
8518 static int ssh_sendbuffer(void *handle)
8520 Ssh ssh = (Ssh) handle;
8523 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
8527 * If the SSH socket itself has backed up, add the total backup
8528 * size on that to any individual buffer on the stdin channel.
8531 if (ssh->throttled_all)
8532 override_value = ssh->overall_bufsize;
8534 if (ssh->version == 1) {
8535 return override_value;
8536 } else if (ssh->version == 2) {
8537 if (!ssh->mainchan || ssh->mainchan->closes > 0)
8538 return override_value;
8540 return (override_value +
8541 bufchain_size(&ssh->mainchan->v.v2.outbuffer));
8548 * Called to set the size of the window from SSH's POV.
8550 static void ssh_size(void *handle, int width, int height)
8552 Ssh ssh = (Ssh) handle;
8553 struct Packet *pktout;
8555 ssh->term_width = width;
8556 ssh->term_height = height;
8558 switch (ssh->state) {
8559 case SSH_STATE_BEFORE_SIZE:
8560 case SSH_STATE_PREPACKET:
8561 case SSH_STATE_CLOSED:
8562 break; /* do nothing */
8563 case SSH_STATE_INTERMED:
8564 ssh->size_needed = TRUE; /* buffer for later */
8566 case SSH_STATE_SESSION:
8567 if (!ssh->cfg.nopty) {
8568 if (ssh->version == 1) {
8569 send_packet(ssh, SSH1_CMSG_WINDOW_SIZE,
8570 PKT_INT, ssh->term_height,
8571 PKT_INT, ssh->term_width,
8572 PKT_INT, 0, PKT_INT, 0, PKT_END);
8573 } else if (ssh->mainchan) {
8574 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8575 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
8576 ssh2_pkt_addstring(pktout, "window-change");
8577 ssh2_pkt_addbool(pktout, 0);
8578 ssh2_pkt_adduint32(pktout, ssh->term_width);
8579 ssh2_pkt_adduint32(pktout, ssh->term_height);
8580 ssh2_pkt_adduint32(pktout, 0);
8581 ssh2_pkt_adduint32(pktout, 0);
8582 ssh2_pkt_send(ssh, pktout);
8590 * Return a list of the special codes that make sense in this
8593 static const struct telnet_special *ssh_get_specials(void *handle)
8595 static const struct telnet_special ssh1_ignore_special[] = {
8596 {"IGNORE message", TS_NOP}
8598 static const struct telnet_special ssh2_transport_specials[] = {
8599 {"IGNORE message", TS_NOP},
8600 {"Repeat key exchange", TS_REKEY},
8602 static const struct telnet_special ssh2_session_specials[] = {
8605 /* These are the signal names defined by draft-ietf-secsh-connect-23.
8606 * They include all the ISO C signals, but are a subset of the POSIX
8607 * required signals. */
8608 {"SIGINT (Interrupt)", TS_SIGINT},
8609 {"SIGTERM (Terminate)", TS_SIGTERM},
8610 {"SIGKILL (Kill)", TS_SIGKILL},
8611 {"SIGQUIT (Quit)", TS_SIGQUIT},
8612 {"SIGHUP (Hangup)", TS_SIGHUP},
8613 {"More signals", TS_SUBMENU},
8614 {"SIGABRT", TS_SIGABRT}, {"SIGALRM", TS_SIGALRM},
8615 {"SIGFPE", TS_SIGFPE}, {"SIGILL", TS_SIGILL},
8616 {"SIGPIPE", TS_SIGPIPE}, {"SIGSEGV", TS_SIGSEGV},
8617 {"SIGUSR1", TS_SIGUSR1}, {"SIGUSR2", TS_SIGUSR2},
8620 static const struct telnet_special specials_end[] = {
8623 /* XXX review this length for any changes: */
8624 static struct telnet_special ssh_specials[lenof(ssh2_transport_specials) +
8625 lenof(ssh2_session_specials) +
8626 lenof(specials_end)];
8627 Ssh ssh = (Ssh) handle;
8629 #define ADD_SPECIALS(name) \
8631 assert((i + lenof(name)) <= lenof(ssh_specials)); \
8632 memcpy(&ssh_specials[i], name, sizeof name); \
8636 if (ssh->version == 1) {
8637 /* Don't bother offering IGNORE if we've decided the remote
8638 * won't cope with it, since we wouldn't bother sending it if
8640 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
8641 ADD_SPECIALS(ssh1_ignore_special);
8642 } else if (ssh->version == 2) {
8643 ADD_SPECIALS(ssh2_transport_specials);
8645 ADD_SPECIALS(ssh2_session_specials);
8646 } /* else we're not ready yet */
8649 ADD_SPECIALS(specials_end);
8650 return ssh_specials;
8658 * Send special codes. TS_EOF is useful for `plink', so you
8659 * can send an EOF and collect resulting output (e.g. `plink
8662 static void ssh_special(void *handle, Telnet_Special code)
8664 Ssh ssh = (Ssh) handle;
8665 struct Packet *pktout;
8667 if (code == TS_EOF) {
8668 if (ssh->state != SSH_STATE_SESSION) {
8670 * Buffer the EOF in case we are pre-SESSION, so we can
8671 * send it as soon as we reach SESSION.
8674 ssh->eof_needed = TRUE;
8677 if (ssh->version == 1) {
8678 send_packet(ssh, SSH1_CMSG_EOF, PKT_END);
8679 } else if (ssh->mainchan) {
8680 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_EOF);
8681 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
8682 ssh2_pkt_send(ssh, pktout);
8683 ssh->send_ok = 0; /* now stop trying to read from stdin */
8685 logevent("Sent EOF message");
8686 } else if (code == TS_PING || code == TS_NOP) {
8687 if (ssh->state == SSH_STATE_CLOSED
8688 || ssh->state == SSH_STATE_PREPACKET) return;
8689 if (ssh->version == 1) {
8690 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
8691 send_packet(ssh, SSH1_MSG_IGNORE, PKT_STR, "", PKT_END);
8693 pktout = ssh2_pkt_init(SSH2_MSG_IGNORE);
8694 ssh2_pkt_addstring_start(pktout);
8695 ssh2_pkt_send_noqueue(ssh, pktout);
8697 } else if (code == TS_REKEY) {
8698 if (!ssh->kex_in_progress && ssh->version == 2) {
8699 do_ssh2_transport(ssh, "at user request", -1, NULL);
8701 } else if (code == TS_BRK) {
8702 if (ssh->state == SSH_STATE_CLOSED
8703 || ssh->state == SSH_STATE_PREPACKET) return;
8704 if (ssh->version == 1) {
8705 logevent("Unable to send BREAK signal in SSH-1");
8706 } else if (ssh->mainchan) {
8707 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8708 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
8709 ssh2_pkt_addstring(pktout, "break");
8710 ssh2_pkt_addbool(pktout, 0);
8711 ssh2_pkt_adduint32(pktout, 0); /* default break length */
8712 ssh2_pkt_send(ssh, pktout);
8715 /* Is is a POSIX signal? */
8716 char *signame = NULL;
8717 if (code == TS_SIGABRT) signame = "ABRT";
8718 if (code == TS_SIGALRM) signame = "ALRM";
8719 if (code == TS_SIGFPE) signame = "FPE";
8720 if (code == TS_SIGHUP) signame = "HUP";
8721 if (code == TS_SIGILL) signame = "ILL";
8722 if (code == TS_SIGINT) signame = "INT";
8723 if (code == TS_SIGKILL) signame = "KILL";
8724 if (code == TS_SIGPIPE) signame = "PIPE";
8725 if (code == TS_SIGQUIT) signame = "QUIT";
8726 if (code == TS_SIGSEGV) signame = "SEGV";
8727 if (code == TS_SIGTERM) signame = "TERM";
8728 if (code == TS_SIGUSR1) signame = "USR1";
8729 if (code == TS_SIGUSR2) signame = "USR2";
8730 /* The SSH-2 protocol does in principle support arbitrary named
8731 * signals, including signame@domain, but we don't support those. */
8733 /* It's a signal. */
8734 if (ssh->version == 2 && ssh->mainchan) {
8735 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8736 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
8737 ssh2_pkt_addstring(pktout, "signal");
8738 ssh2_pkt_addbool(pktout, 0);
8739 ssh2_pkt_addstring(pktout, signame);
8740 ssh2_pkt_send(ssh, pktout);
8741 logeventf(ssh, "Sent signal SIG%s", signame);
8744 /* Never heard of it. Do nothing */
8749 void *new_sock_channel(void *handle, Socket s)
8751 Ssh ssh = (Ssh) handle;
8752 struct ssh_channel *c;
8753 c = snew(struct ssh_channel);
8758 c->localid = alloc_channel_id(ssh);
8760 c->type = CHAN_SOCKDATA_DORMANT;/* identify channel type */
8762 bufchain_init(&c->v.v2.outbuffer);
8763 add234(ssh->channels, c);
8769 * This is called when stdout/stderr (the entity to which
8770 * from_backend sends data) manages to clear some backlog.
8772 static void ssh_unthrottle(void *handle, int bufsize)
8774 Ssh ssh = (Ssh) handle;
8775 if (ssh->version == 1) {
8776 if (ssh->v1_stdout_throttling && bufsize < SSH1_BUFFER_LIMIT) {
8777 ssh->v1_stdout_throttling = 0;
8778 ssh1_throttle(ssh, -1);
8781 if (ssh->mainchan && ssh->mainchan->closes == 0)
8782 ssh2_set_window(ssh->mainchan, OUR_V2_WINSIZE - bufsize);
8786 void ssh_send_port_open(void *channel, char *hostname, int port, char *org)
8788 struct ssh_channel *c = (struct ssh_channel *)channel;
8790 struct Packet *pktout;
8792 logeventf(ssh, "Opening forwarded connection to %s:%d", hostname, port);
8794 if (ssh->version == 1) {
8795 send_packet(ssh, SSH1_MSG_PORT_OPEN,
8796 PKT_INT, c->localid,
8799 /* PKT_STR, <org:orgport>, */
8802 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
8803 ssh2_pkt_addstring(pktout, "direct-tcpip");
8804 ssh2_pkt_adduint32(pktout, c->localid);
8805 c->v.v2.locwindow = OUR_V2_WINSIZE;
8806 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);/* our window size */
8807 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
8808 ssh2_pkt_addstring(pktout, hostname);
8809 ssh2_pkt_adduint32(pktout, port);
8811 * We make up values for the originator data; partly it's
8812 * too much hassle to keep track, and partly I'm not
8813 * convinced the server should be told details like that
8814 * about my local network configuration.
8815 * The "originator IP address" is syntactically a numeric
8816 * IP address, and some servers (e.g., Tectia) get upset
8817 * if it doesn't match this syntax.
8819 ssh2_pkt_addstring(pktout, "0.0.0.0");
8820 ssh2_pkt_adduint32(pktout, 0);
8821 ssh2_pkt_send(ssh, pktout);
8825 static int ssh_connected(void *handle)
8827 Ssh ssh = (Ssh) handle;
8828 return ssh->s != NULL;
8831 static int ssh_sendok(void *handle)
8833 Ssh ssh = (Ssh) handle;
8834 return ssh->send_ok;
8837 static int ssh_ldisc(void *handle, int option)
8839 Ssh ssh = (Ssh) handle;
8840 if (option == LD_ECHO)
8841 return ssh->echoing;
8842 if (option == LD_EDIT)
8843 return ssh->editing;
8847 static void ssh_provide_ldisc(void *handle, void *ldisc)
8849 Ssh ssh = (Ssh) handle;
8853 static void ssh_provide_logctx(void *handle, void *logctx)
8855 Ssh ssh = (Ssh) handle;
8856 ssh->logctx = logctx;
8859 static int ssh_return_exitcode(void *handle)
8861 Ssh ssh = (Ssh) handle;
8865 return (ssh->exitcode >= 0 ? ssh->exitcode : INT_MAX);
8869 * cfg_info for SSH is the currently running version of the
8870 * protocol. (1 for 1; 2 for 2; 0 for not-decided-yet.)
8872 static int ssh_cfg_info(void *handle)
8874 Ssh ssh = (Ssh) handle;
8875 return ssh->version;
8879 * Gross hack: pscp will try to start SFTP but fall back to scp1 if
8880 * that fails. This variable is the means by which scp.c can reach
8881 * into the SSH code and find out which one it got.
8883 extern int ssh_fallback_cmd(void *handle)
8885 Ssh ssh = (Ssh) handle;
8886 return ssh->fallback_cmd;
8889 Backend ssh_backend = {
8899 ssh_return_exitcode,