23 #define SSH1_MSG_DISCONNECT 1 /* 0x1 */
24 #define SSH1_SMSG_PUBLIC_KEY 2 /* 0x2 */
25 #define SSH1_CMSG_SESSION_KEY 3 /* 0x3 */
26 #define SSH1_CMSG_USER 4 /* 0x4 */
27 #define SSH1_CMSG_AUTH_RSA 6 /* 0x6 */
28 #define SSH1_SMSG_AUTH_RSA_CHALLENGE 7 /* 0x7 */
29 #define SSH1_CMSG_AUTH_RSA_RESPONSE 8 /* 0x8 */
30 #define SSH1_CMSG_AUTH_PASSWORD 9 /* 0x9 */
31 #define SSH1_CMSG_REQUEST_PTY 10 /* 0xa */
32 #define SSH1_CMSG_WINDOW_SIZE 11 /* 0xb */
33 #define SSH1_CMSG_EXEC_SHELL 12 /* 0xc */
34 #define SSH1_CMSG_EXEC_CMD 13 /* 0xd */
35 #define SSH1_SMSG_SUCCESS 14 /* 0xe */
36 #define SSH1_SMSG_FAILURE 15 /* 0xf */
37 #define SSH1_CMSG_STDIN_DATA 16 /* 0x10 */
38 #define SSH1_SMSG_STDOUT_DATA 17 /* 0x11 */
39 #define SSH1_SMSG_STDERR_DATA 18 /* 0x12 */
40 #define SSH1_CMSG_EOF 19 /* 0x13 */
41 #define SSH1_SMSG_EXIT_STATUS 20 /* 0x14 */
42 #define SSH1_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* 0x15 */
43 #define SSH1_MSG_CHANNEL_OPEN_FAILURE 22 /* 0x16 */
44 #define SSH1_MSG_CHANNEL_DATA 23 /* 0x17 */
45 #define SSH1_MSG_CHANNEL_CLOSE 24 /* 0x18 */
46 #define SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* 0x19 */
47 #define SSH1_SMSG_X11_OPEN 27 /* 0x1b */
48 #define SSH1_CMSG_PORT_FORWARD_REQUEST 28 /* 0x1c */
49 #define SSH1_MSG_PORT_OPEN 29 /* 0x1d */
50 #define SSH1_CMSG_AGENT_REQUEST_FORWARDING 30 /* 0x1e */
51 #define SSH1_SMSG_AGENT_OPEN 31 /* 0x1f */
52 #define SSH1_MSG_IGNORE 32 /* 0x20 */
53 #define SSH1_CMSG_EXIT_CONFIRMATION 33 /* 0x21 */
54 #define SSH1_CMSG_X11_REQUEST_FORWARDING 34 /* 0x22 */
55 #define SSH1_CMSG_AUTH_RHOSTS_RSA 35 /* 0x23 */
56 #define SSH1_MSG_DEBUG 36 /* 0x24 */
57 #define SSH1_CMSG_REQUEST_COMPRESSION 37 /* 0x25 */
58 #define SSH1_CMSG_AUTH_TIS 39 /* 0x27 */
59 #define SSH1_SMSG_AUTH_TIS_CHALLENGE 40 /* 0x28 */
60 #define SSH1_CMSG_AUTH_TIS_RESPONSE 41 /* 0x29 */
61 #define SSH1_CMSG_AUTH_CCARD 70 /* 0x46 */
62 #define SSH1_SMSG_AUTH_CCARD_CHALLENGE 71 /* 0x47 */
63 #define SSH1_CMSG_AUTH_CCARD_RESPONSE 72 /* 0x48 */
65 #define SSH1_AUTH_RHOSTS 1 /* 0x1 */
66 #define SSH1_AUTH_RSA 2 /* 0x2 */
67 #define SSH1_AUTH_PASSWORD 3 /* 0x3 */
68 #define SSH1_AUTH_RHOSTS_RSA 4 /* 0x4 */
69 #define SSH1_AUTH_TIS 5 /* 0x5 */
70 #define SSH1_AUTH_CCARD 16 /* 0x10 */
72 #define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */
73 /* Mask for protoflags we will echo back to server if seen */
74 #define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */
76 #define SSH2_MSG_DISCONNECT 1 /* 0x1 */
77 #define SSH2_MSG_IGNORE 2 /* 0x2 */
78 #define SSH2_MSG_UNIMPLEMENTED 3 /* 0x3 */
79 #define SSH2_MSG_DEBUG 4 /* 0x4 */
80 #define SSH2_MSG_SERVICE_REQUEST 5 /* 0x5 */
81 #define SSH2_MSG_SERVICE_ACCEPT 6 /* 0x6 */
82 #define SSH2_MSG_KEXINIT 20 /* 0x14 */
83 #define SSH2_MSG_NEWKEYS 21 /* 0x15 */
84 #define SSH2_MSG_KEXDH_INIT 30 /* 0x1e */
85 #define SSH2_MSG_KEXDH_REPLY 31 /* 0x1f */
86 #define SSH2_MSG_KEX_DH_GEX_REQUEST 30 /* 0x1e */
87 #define SSH2_MSG_KEX_DH_GEX_GROUP 31 /* 0x1f */
88 #define SSH2_MSG_KEX_DH_GEX_INIT 32 /* 0x20 */
89 #define SSH2_MSG_KEX_DH_GEX_REPLY 33 /* 0x21 */
90 #define SSH2_MSG_KEXRSA_PUBKEY 30 /* 0x1e */
91 #define SSH2_MSG_KEXRSA_SECRET 31 /* 0x1f */
92 #define SSH2_MSG_KEXRSA_DONE 32 /* 0x20 */
93 #define SSH2_MSG_USERAUTH_REQUEST 50 /* 0x32 */
94 #define SSH2_MSG_USERAUTH_FAILURE 51 /* 0x33 */
95 #define SSH2_MSG_USERAUTH_SUCCESS 52 /* 0x34 */
96 #define SSH2_MSG_USERAUTH_BANNER 53 /* 0x35 */
97 #define SSH2_MSG_USERAUTH_PK_OK 60 /* 0x3c */
98 #define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 /* 0x3c */
99 #define SSH2_MSG_USERAUTH_INFO_REQUEST 60 /* 0x3c */
100 #define SSH2_MSG_USERAUTH_INFO_RESPONSE 61 /* 0x3d */
101 #define SSH2_MSG_GLOBAL_REQUEST 80 /* 0x50 */
102 #define SSH2_MSG_REQUEST_SUCCESS 81 /* 0x51 */
103 #define SSH2_MSG_REQUEST_FAILURE 82 /* 0x52 */
104 #define SSH2_MSG_CHANNEL_OPEN 90 /* 0x5a */
105 #define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION 91 /* 0x5b */
106 #define SSH2_MSG_CHANNEL_OPEN_FAILURE 92 /* 0x5c */
107 #define SSH2_MSG_CHANNEL_WINDOW_ADJUST 93 /* 0x5d */
108 #define SSH2_MSG_CHANNEL_DATA 94 /* 0x5e */
109 #define SSH2_MSG_CHANNEL_EXTENDED_DATA 95 /* 0x5f */
110 #define SSH2_MSG_CHANNEL_EOF 96 /* 0x60 */
111 #define SSH2_MSG_CHANNEL_CLOSE 97 /* 0x61 */
112 #define SSH2_MSG_CHANNEL_REQUEST 98 /* 0x62 */
113 #define SSH2_MSG_CHANNEL_SUCCESS 99 /* 0x63 */
114 #define SSH2_MSG_CHANNEL_FAILURE 100 /* 0x64 */
117 * Packet type contexts, so that ssh2_pkt_type can correctly decode
118 * the ambiguous type numbers back into the correct type strings.
128 SSH2_PKTCTX_PUBLICKEY,
129 SSH2_PKTCTX_PASSWORD,
133 #define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */
134 #define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */
135 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */
136 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */
137 #define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */
138 #define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */
139 #define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */
140 #define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */
141 #define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */
142 #define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */
143 #define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */
144 #define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */
145 #define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */
146 #define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */
147 #define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */
149 static const char *const ssh2_disconnect_reasons[] = {
151 "host not allowed to connect",
153 "key exchange failed",
154 "host authentication failed",
157 "service not available",
158 "protocol version not supported",
159 "host key not verifiable",
162 "too many connections",
163 "auth cancelled by user",
164 "no more auth methods available",
168 #define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */
169 #define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */
170 #define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */
171 #define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */
173 #define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */
176 * Various remote-bug flags.
178 #define BUG_CHOKES_ON_SSH1_IGNORE 1
179 #define BUG_SSH2_HMAC 2
180 #define BUG_NEEDS_SSH1_PLAIN_PASSWORD 4
181 #define BUG_CHOKES_ON_RSA 8
182 #define BUG_SSH2_RSA_PADDING 16
183 #define BUG_SSH2_DERIVEKEY 32
184 #define BUG_SSH2_REKEY 64
185 #define BUG_SSH2_PK_SESSIONID 128
186 #define BUG_SSH2_MAXPKT 256
189 * Codes for terminal modes.
190 * Most of these are the same in SSH-1 and SSH-2.
191 * This list is derived from RFC 4254 and
194 static const struct {
195 const char* const mode;
197 enum { TTY_OP_CHAR, TTY_OP_BOOL } type;
199 /* "V" prefix discarded for special characters relative to SSH specs */
200 { "INTR", 1, TTY_OP_CHAR },
201 { "QUIT", 2, TTY_OP_CHAR },
202 { "ERASE", 3, TTY_OP_CHAR },
203 { "KILL", 4, TTY_OP_CHAR },
204 { "EOF", 5, TTY_OP_CHAR },
205 { "EOL", 6, TTY_OP_CHAR },
206 { "EOL2", 7, TTY_OP_CHAR },
207 { "START", 8, TTY_OP_CHAR },
208 { "STOP", 9, TTY_OP_CHAR },
209 { "SUSP", 10, TTY_OP_CHAR },
210 { "DSUSP", 11, TTY_OP_CHAR },
211 { "REPRINT", 12, TTY_OP_CHAR },
212 { "WERASE", 13, TTY_OP_CHAR },
213 { "LNEXT", 14, TTY_OP_CHAR },
214 { "FLUSH", 15, TTY_OP_CHAR },
215 { "SWTCH", 16, TTY_OP_CHAR },
216 { "STATUS", 17, TTY_OP_CHAR },
217 { "DISCARD", 18, TTY_OP_CHAR },
218 { "IGNPAR", 30, TTY_OP_BOOL },
219 { "PARMRK", 31, TTY_OP_BOOL },
220 { "INPCK", 32, TTY_OP_BOOL },
221 { "ISTRIP", 33, TTY_OP_BOOL },
222 { "INLCR", 34, TTY_OP_BOOL },
223 { "IGNCR", 35, TTY_OP_BOOL },
224 { "ICRNL", 36, TTY_OP_BOOL },
225 { "IUCLC", 37, TTY_OP_BOOL },
226 { "IXON", 38, TTY_OP_BOOL },
227 { "IXANY", 39, TTY_OP_BOOL },
228 { "IXOFF", 40, TTY_OP_BOOL },
229 { "IMAXBEL", 41, TTY_OP_BOOL },
230 { "ISIG", 50, TTY_OP_BOOL },
231 { "ICANON", 51, TTY_OP_BOOL },
232 { "XCASE", 52, TTY_OP_BOOL },
233 { "ECHO", 53, TTY_OP_BOOL },
234 { "ECHOE", 54, TTY_OP_BOOL },
235 { "ECHOK", 55, TTY_OP_BOOL },
236 { "ECHONL", 56, TTY_OP_BOOL },
237 { "NOFLSH", 57, TTY_OP_BOOL },
238 { "TOSTOP", 58, TTY_OP_BOOL },
239 { "IEXTEN", 59, TTY_OP_BOOL },
240 { "ECHOCTL", 60, TTY_OP_BOOL },
241 { "ECHOKE", 61, TTY_OP_BOOL },
242 { "PENDIN", 62, TTY_OP_BOOL }, /* XXX is this a real mode? */
243 { "OPOST", 70, TTY_OP_BOOL },
244 { "OLCUC", 71, TTY_OP_BOOL },
245 { "ONLCR", 72, TTY_OP_BOOL },
246 { "OCRNL", 73, TTY_OP_BOOL },
247 { "ONOCR", 74, TTY_OP_BOOL },
248 { "ONLRET", 75, TTY_OP_BOOL },
249 { "CS7", 90, TTY_OP_BOOL },
250 { "CS8", 91, TTY_OP_BOOL },
251 { "PARENB", 92, TTY_OP_BOOL },
252 { "PARODD", 93, TTY_OP_BOOL }
255 /* Miscellaneous other tty-related constants. */
256 #define SSH_TTY_OP_END 0
257 /* The opcodes for ISPEED/OSPEED differ between SSH-1 and SSH-2. */
258 #define SSH1_TTY_OP_ISPEED 192
259 #define SSH1_TTY_OP_OSPEED 193
260 #define SSH2_TTY_OP_ISPEED 128
261 #define SSH2_TTY_OP_OSPEED 129
263 /* Helper functions for parsing tty-related config. */
264 static unsigned int ssh_tty_parse_specchar(char *s)
269 ret = ctrlparse(s, &next);
270 if (!next) ret = s[0];
272 ret = 255; /* special value meaning "don't set" */
276 static unsigned int ssh_tty_parse_boolean(char *s)
278 if (stricmp(s, "yes") == 0 ||
279 stricmp(s, "on") == 0 ||
280 stricmp(s, "true") == 0 ||
281 stricmp(s, "+") == 0)
283 else if (stricmp(s, "no") == 0 ||
284 stricmp(s, "off") == 0 ||
285 stricmp(s, "false") == 0 ||
286 stricmp(s, "-") == 0)
287 return 0; /* false */
289 return (atoi(s) != 0);
292 #define translate(x) if (type == x) return #x
293 #define translatek(x,ctx) if (type == x && (pkt_kctx == ctx)) return #x
294 #define translatea(x,ctx) if (type == x && (pkt_actx == ctx)) return #x
295 static char *ssh1_pkt_type(int type)
297 translate(SSH1_MSG_DISCONNECT);
298 translate(SSH1_SMSG_PUBLIC_KEY);
299 translate(SSH1_CMSG_SESSION_KEY);
300 translate(SSH1_CMSG_USER);
301 translate(SSH1_CMSG_AUTH_RSA);
302 translate(SSH1_SMSG_AUTH_RSA_CHALLENGE);
303 translate(SSH1_CMSG_AUTH_RSA_RESPONSE);
304 translate(SSH1_CMSG_AUTH_PASSWORD);
305 translate(SSH1_CMSG_REQUEST_PTY);
306 translate(SSH1_CMSG_WINDOW_SIZE);
307 translate(SSH1_CMSG_EXEC_SHELL);
308 translate(SSH1_CMSG_EXEC_CMD);
309 translate(SSH1_SMSG_SUCCESS);
310 translate(SSH1_SMSG_FAILURE);
311 translate(SSH1_CMSG_STDIN_DATA);
312 translate(SSH1_SMSG_STDOUT_DATA);
313 translate(SSH1_SMSG_STDERR_DATA);
314 translate(SSH1_CMSG_EOF);
315 translate(SSH1_SMSG_EXIT_STATUS);
316 translate(SSH1_MSG_CHANNEL_OPEN_CONFIRMATION);
317 translate(SSH1_MSG_CHANNEL_OPEN_FAILURE);
318 translate(SSH1_MSG_CHANNEL_DATA);
319 translate(SSH1_MSG_CHANNEL_CLOSE);
320 translate(SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION);
321 translate(SSH1_SMSG_X11_OPEN);
322 translate(SSH1_CMSG_PORT_FORWARD_REQUEST);
323 translate(SSH1_MSG_PORT_OPEN);
324 translate(SSH1_CMSG_AGENT_REQUEST_FORWARDING);
325 translate(SSH1_SMSG_AGENT_OPEN);
326 translate(SSH1_MSG_IGNORE);
327 translate(SSH1_CMSG_EXIT_CONFIRMATION);
328 translate(SSH1_CMSG_X11_REQUEST_FORWARDING);
329 translate(SSH1_CMSG_AUTH_RHOSTS_RSA);
330 translate(SSH1_MSG_DEBUG);
331 translate(SSH1_CMSG_REQUEST_COMPRESSION);
332 translate(SSH1_CMSG_AUTH_TIS);
333 translate(SSH1_SMSG_AUTH_TIS_CHALLENGE);
334 translate(SSH1_CMSG_AUTH_TIS_RESPONSE);
335 translate(SSH1_CMSG_AUTH_CCARD);
336 translate(SSH1_SMSG_AUTH_CCARD_CHALLENGE);
337 translate(SSH1_CMSG_AUTH_CCARD_RESPONSE);
340 static char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type)
342 translate(SSH2_MSG_DISCONNECT);
343 translate(SSH2_MSG_IGNORE);
344 translate(SSH2_MSG_UNIMPLEMENTED);
345 translate(SSH2_MSG_DEBUG);
346 translate(SSH2_MSG_SERVICE_REQUEST);
347 translate(SSH2_MSG_SERVICE_ACCEPT);
348 translate(SSH2_MSG_KEXINIT);
349 translate(SSH2_MSG_NEWKEYS);
350 translatek(SSH2_MSG_KEXDH_INIT, SSH2_PKTCTX_DHGROUP);
351 translatek(SSH2_MSG_KEXDH_REPLY, SSH2_PKTCTX_DHGROUP);
352 translatek(SSH2_MSG_KEX_DH_GEX_REQUEST, SSH2_PKTCTX_DHGEX);
353 translatek(SSH2_MSG_KEX_DH_GEX_GROUP, SSH2_PKTCTX_DHGEX);
354 translatek(SSH2_MSG_KEX_DH_GEX_INIT, SSH2_PKTCTX_DHGEX);
355 translatek(SSH2_MSG_KEX_DH_GEX_REPLY, SSH2_PKTCTX_DHGEX);
356 translatek(SSH2_MSG_KEXRSA_PUBKEY, SSH2_PKTCTX_RSAKEX);
357 translatek(SSH2_MSG_KEXRSA_SECRET, SSH2_PKTCTX_RSAKEX);
358 translatek(SSH2_MSG_KEXRSA_DONE, SSH2_PKTCTX_RSAKEX);
359 translate(SSH2_MSG_USERAUTH_REQUEST);
360 translate(SSH2_MSG_USERAUTH_FAILURE);
361 translate(SSH2_MSG_USERAUTH_SUCCESS);
362 translate(SSH2_MSG_USERAUTH_BANNER);
363 translatea(SSH2_MSG_USERAUTH_PK_OK, SSH2_PKTCTX_PUBLICKEY);
364 translatea(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, SSH2_PKTCTX_PASSWORD);
365 translatea(SSH2_MSG_USERAUTH_INFO_REQUEST, SSH2_PKTCTX_KBDINTER);
366 translatea(SSH2_MSG_USERAUTH_INFO_RESPONSE, SSH2_PKTCTX_KBDINTER);
367 translate(SSH2_MSG_GLOBAL_REQUEST);
368 translate(SSH2_MSG_REQUEST_SUCCESS);
369 translate(SSH2_MSG_REQUEST_FAILURE);
370 translate(SSH2_MSG_CHANNEL_OPEN);
371 translate(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
372 translate(SSH2_MSG_CHANNEL_OPEN_FAILURE);
373 translate(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
374 translate(SSH2_MSG_CHANNEL_DATA);
375 translate(SSH2_MSG_CHANNEL_EXTENDED_DATA);
376 translate(SSH2_MSG_CHANNEL_EOF);
377 translate(SSH2_MSG_CHANNEL_CLOSE);
378 translate(SSH2_MSG_CHANNEL_REQUEST);
379 translate(SSH2_MSG_CHANNEL_SUCCESS);
380 translate(SSH2_MSG_CHANNEL_FAILURE);
386 /* Enumeration values for fields in SSH-1 packets */
388 PKT_END, PKT_INT, PKT_CHAR, PKT_DATA, PKT_STR, PKT_BIGNUM,
389 /* These values are for communicating relevant semantics of
390 * fields to the packet logging code. */
391 PKTT_OTHER, PKTT_PASSWORD, PKTT_DATA
395 * Coroutine mechanics for the sillier bits of the code. If these
396 * macros look impenetrable to you, you might find it helpful to
399 * http://www.chiark.greenend.org.uk/~sgtatham/coroutines.html
401 * which explains the theory behind these macros.
403 * In particular, if you are getting `case expression not constant'
404 * errors when building with MS Visual Studio, this is because MS's
405 * Edit and Continue debugging feature causes their compiler to
406 * violate ANSI C. To disable Edit and Continue debugging:
408 * - right-click ssh.c in the FileView
410 * - select the C/C++ tab and the General category
411 * - under `Debug info:', select anything _other_ than `Program
412 * Database for Edit and Continue'.
414 #define crBegin(v) { int *crLine = &v; switch(v) { case 0:;
417 if (!ssh->t) ssh->t = snew(struct t); \
419 #define crFinish(z) } *crLine = 0; return (z); }
420 #define crFinishV } *crLine = 0; return; }
421 #define crReturn(z) \
423 *crLine =__LINE__; return (z); case __LINE__:;\
427 *crLine=__LINE__; return; case __LINE__:;\
429 #define crStop(z) do{ *crLine = 0; return (z); }while(0)
430 #define crStopV do{ *crLine = 0; return; }while(0)
431 #define crWaitUntil(c) do { crReturn(0); } while (!(c))
432 #define crWaitUntilV(c) do { crReturnV; } while (!(c))
434 typedef struct ssh_tag *Ssh;
437 static struct Packet *ssh1_pkt_init(int pkt_type);
438 static struct Packet *ssh2_pkt_init(int pkt_type);
439 static void ssh_pkt_ensure(struct Packet *, int length);
440 static void ssh_pkt_adddata(struct Packet *, void *data, int len);
441 static void ssh_pkt_addbyte(struct Packet *, unsigned char value);
442 static void ssh2_pkt_addbool(struct Packet *, unsigned char value);
443 static void ssh_pkt_adduint32(struct Packet *, unsigned long value);
444 static void ssh_pkt_addstring_start(struct Packet *);
445 static void ssh_pkt_addstring_str(struct Packet *, char *data);
446 static void ssh_pkt_addstring_data(struct Packet *, char *data, int len);
447 static void ssh_pkt_addstring(struct Packet *, char *data);
448 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len);
449 static void ssh1_pkt_addmp(struct Packet *, Bignum b);
450 static void ssh2_pkt_addmp(struct Packet *, Bignum b);
451 static int ssh2_pkt_construct(Ssh, struct Packet *);
452 static void ssh2_pkt_send(Ssh, struct Packet *);
453 static void ssh2_pkt_send_noqueue(Ssh, struct Packet *);
454 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
455 struct Packet *pktin);
456 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
457 struct Packet *pktin);
460 * Buffer management constants. There are several of these for
461 * various different purposes:
463 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
464 * on a local data stream before we throttle the whole SSH
465 * connection (in SSH-1 only). Throttling the whole connection is
466 * pretty drastic so we set this high in the hope it won't
469 * - SSH_MAX_BACKLOG is the amount of backlog that must build up
470 * on the SSH connection itself before we defensively throttle
471 * _all_ local data streams. This is pretty drastic too (though
472 * thankfully unlikely in SSH-2 since the window mechanism should
473 * ensure that the server never has any need to throttle its end
474 * of the connection), so we set this high as well.
476 * - OUR_V2_WINSIZE is the maximum window size we present on SSH-2
479 * - OUR_V2_BIGWIN is the window size we advertise for the only
480 * channel in a simple connection. It must be <= INT_MAX.
483 #define SSH1_BUFFER_LIMIT 32768
484 #define SSH_MAX_BACKLOG 32768
485 #define OUR_V2_WINSIZE 16384
486 #define OUR_V2_BIGWIN 0x7fffffff
487 #define OUR_V2_MAXPKT 0x4000UL
489 /* Maximum length of passwords/passphrases (arbitrary) */
490 #define SSH_MAX_PASSWORD_LEN 100
492 const static struct ssh_signkey *hostkey_algs[] = { &ssh_rsa, &ssh_dss };
494 const static struct ssh_mac *macs[] = {
495 &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
497 const static struct ssh_mac *buggymacs[] = {
498 &ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
501 static void *ssh_comp_none_init(void)
505 static void ssh_comp_none_cleanup(void *handle)
508 static int ssh_comp_none_block(void *handle, unsigned char *block, int len,
509 unsigned char **outblock, int *outlen)
513 static int ssh_comp_none_disable(void *handle)
517 const static struct ssh_compress ssh_comp_none = {
519 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
520 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
521 ssh_comp_none_disable, NULL
523 extern const struct ssh_compress ssh_zlib;
524 const static struct ssh_compress *compressions[] = {
525 &ssh_zlib, &ssh_comp_none
528 enum { /* channel types */
533 CHAN_SOCKDATA_DORMANT /* one the remote hasn't confirmed */
537 * little structure to keep track of outstanding WINDOW_ADJUSTs
545 * 2-3-4 tree storing channels.
548 Ssh ssh; /* pointer back to main context */
549 unsigned remoteid, localid;
551 /* True if we opened this channel but server hasn't confirmed. */
554 * In SSH-1, this value contains four bits:
556 * 1 We have sent SSH1_MSG_CHANNEL_CLOSE.
557 * 2 We have sent SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
558 * 4 We have received SSH1_MSG_CHANNEL_CLOSE.
559 * 8 We have received SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
561 * A channel is completely finished with when all four bits are set.
565 * True if this channel is causing the underlying connection to be
570 struct ssh2_data_channel {
572 unsigned remwindow, remmaxpkt;
573 /* locwindow is signed so we can cope with excess data. */
574 int locwindow, locmaxwin;
576 * remlocwin is the amount of local window that we think
577 * the remote end had available to it after it sent the
578 * last data packet or window adjust ack.
582 * These store the list of window adjusts that haven't
585 struct winadj *winadj_head, *winadj_tail;
586 enum { THROTTLED, UNTHROTTLING, UNTHROTTLED } throttle_state;
590 struct ssh_agent_channel {
591 unsigned char *message;
592 unsigned char msglen[4];
593 unsigned lensofar, totallen;
595 struct ssh_x11_channel {
598 struct ssh_pfd_channel {
605 * 2-3-4 tree storing remote->local port forwardings. SSH-1 and SSH-2
606 * use this structure in different ways, reflecting SSH-2's
607 * altogether saner approach to port forwarding.
609 * In SSH-1, you arrange a remote forwarding by sending the server
610 * the remote port number, and the local destination host:port.
611 * When a connection comes in, the server sends you back that
612 * host:port pair, and you connect to it. This is a ready-made
613 * security hole if you're not on the ball: a malicious server
614 * could send you back _any_ host:port pair, so if you trustingly
615 * connect to the address it gives you then you've just opened the
616 * entire inside of your corporate network just by connecting
617 * through it to a dodgy SSH server. Hence, we must store a list of
618 * host:port pairs we _are_ trying to forward to, and reject a
619 * connection request from the server if it's not in the list.
621 * In SSH-2, each side of the connection minds its own business and
622 * doesn't send unnecessary information to the other. You arrange a
623 * remote forwarding by sending the server just the remote port
624 * number. When a connection comes in, the server tells you which
625 * of its ports was connected to; and _you_ have to remember what
626 * local host:port pair went with that port number.
628 * Hence, in SSH-1 this structure is indexed by destination
629 * host:port pair, whereas in SSH-2 it is indexed by source port.
631 struct ssh_portfwd; /* forward declaration */
633 struct ssh_rportfwd {
634 unsigned sport, dport;
637 struct ssh_portfwd *pfrec;
639 #define free_rportfwd(pf) ( \
640 ((pf) ? (sfree((pf)->sportdesc)) : (void)0 ), sfree(pf) )
643 * Separately to the rportfwd tree (which is for looking up port
644 * open requests from the server), a tree of _these_ structures is
645 * used to keep track of all the currently open port forwardings,
646 * so that we can reconfigure in mid-session if the user requests
650 enum { DESTROY, KEEP, CREATE } status;
652 unsigned sport, dport;
655 struct ssh_rportfwd *remote;
659 #define free_portfwd(pf) ( \
660 ((pf) ? (sfree((pf)->saddr), sfree((pf)->daddr), \
661 sfree((pf)->sserv), sfree((pf)->dserv)) : (void)0 ), sfree(pf) )
664 long length; /* length of `data' actually used */
665 long forcepad; /* SSH-2: force padding to at least this length */
666 int type; /* only used for incoming packets */
667 unsigned long sequence; /* SSH-2 incoming sequence number */
668 unsigned char *data; /* allocated storage */
669 unsigned char *body; /* offset of payload within `data' */
670 long savedpos; /* temporary index into `data' (for strings) */
671 long maxlen; /* amount of storage allocated for `data' */
672 long encrypted_len; /* for SSH-2 total-size counting */
675 * State associated with packet logging
679 struct logblank_t *blanks;
682 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
683 struct Packet *pktin);
684 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
685 struct Packet *pktin);
686 static void ssh1_protocol_setup(Ssh ssh);
687 static void ssh2_protocol_setup(Ssh ssh);
688 static void ssh_size(void *handle, int width, int height);
689 static void ssh_special(void *handle, Telnet_Special);
690 static int ssh2_try_send(struct ssh_channel *c);
691 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf, int len);
692 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize);
693 static void ssh2_set_window(struct ssh_channel *c, int newwin);
694 static int ssh_sendbuffer(void *handle);
695 static int ssh_do_close(Ssh ssh, int notify_exit);
696 static unsigned long ssh_pkt_getuint32(struct Packet *pkt);
697 static int ssh2_pkt_getbool(struct Packet *pkt);
698 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length);
699 static void ssh2_timer(void *ctx, long now);
700 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
701 struct Packet *pktin);
703 struct rdpkt1_state_tag {
704 long len, pad, biglen, to_read;
705 unsigned long realcrc, gotcrc;
709 struct Packet *pktin;
712 struct rdpkt2_state_tag {
713 long len, pad, payload, packetlen, maclen;
716 unsigned long incoming_sequence;
717 struct Packet *pktin;
720 typedef void (*handler_fn_t)(Ssh ssh, struct Packet *pktin);
721 typedef void (*chandler_fn_t)(Ssh ssh, struct Packet *pktin, void *ctx);
723 struct queued_handler;
724 struct queued_handler {
726 chandler_fn_t handler;
728 struct queued_handler *next;
732 const struct plug_function_table *fn;
733 /* the above field _must_ be first in the structure */
743 unsigned char session_key[32];
745 int v1_remote_protoflags;
746 int v1_local_protoflags;
747 int agentfwd_enabled;
750 const struct ssh_cipher *cipher;
753 const struct ssh2_cipher *cscipher, *sccipher;
754 void *cs_cipher_ctx, *sc_cipher_ctx;
755 const struct ssh_mac *csmac, *scmac;
756 void *cs_mac_ctx, *sc_mac_ctx;
757 const struct ssh_compress *cscomp, *sccomp;
758 void *cs_comp_ctx, *sc_comp_ctx;
759 const struct ssh_kex *kex;
760 const struct ssh_signkey *hostkey;
761 unsigned char v2_session_id[SSH2_KEX_MAX_HASH_LEN];
762 int v2_session_id_len;
768 int echoing, editing;
772 int ospeed, ispeed; /* temporaries */
773 int term_width, term_height;
775 tree234 *channels; /* indexed by local id */
776 struct ssh_channel *mainchan; /* primary session channel */
777 int ncmode; /* is primary channel direct-tcpip? */
782 tree234 *rportfwds, *portfwds;
786 SSH_STATE_BEFORE_SIZE,
792 int size_needed, eof_needed;
794 struct Packet **queue;
795 int queuelen, queuesize;
797 unsigned char *deferred_send_data;
798 int deferred_len, deferred_size;
801 * Gross hack: pscp will try to start SFTP but fall back to
802 * scp1 if that fails. This variable is the means by which
803 * scp.c can reach into the SSH code and find out which one it
808 bufchain banner; /* accumulates banners during do_ssh2_authconn */
816 int conn_throttle_count;
819 int v1_stdout_throttling;
820 unsigned long v2_outgoing_sequence;
822 int ssh1_rdpkt_crstate;
823 int ssh2_rdpkt_crstate;
824 int do_ssh_init_crstate;
825 int ssh_gotdata_crstate;
826 int do_ssh1_login_crstate;
827 int do_ssh1_connection_crstate;
828 int do_ssh2_transport_crstate;
829 int do_ssh2_authconn_crstate;
831 void *do_ssh_init_state;
832 void *do_ssh1_login_state;
833 void *do_ssh2_transport_state;
834 void *do_ssh2_authconn_state;
836 struct rdpkt1_state_tag rdpkt1_state;
837 struct rdpkt2_state_tag rdpkt2_state;
839 /* SSH-1 and SSH-2 use this for different things, but both use it */
840 int protocol_initial_phase_done;
842 void (*protocol) (Ssh ssh, void *vin, int inlen,
844 struct Packet *(*s_rdpkt) (Ssh ssh, unsigned char **data, int *datalen);
847 * We maintain a full _copy_ of a Config structure here, not
848 * merely a pointer to it. That way, when we're passed a new
849 * one for reconfiguration, we can check the differences and
850 * potentially reconfigure port forwardings etc in mid-session.
855 * Used to transfer data back from async callbacks.
857 void *agent_response;
858 int agent_response_len;
862 * The SSH connection can be set as `frozen', meaning we are
863 * not currently accepting incoming data from the network. This
864 * is slightly more serious than setting the _socket_ as
865 * frozen, because we may already have had data passed to us
866 * from the network which we need to delay processing until
867 * after the freeze is lifted, so we also need a bufchain to
871 bufchain queued_incoming_data;
874 * Dispatch table for packet types that we may have to deal
877 handler_fn_t packet_dispatch[256];
880 * Queues of one-off handler functions for success/failure
881 * indications from a request.
883 struct queued_handler *qhead, *qtail;
886 * This module deals with sending keepalives.
891 * Track incoming and outgoing data sizes and time, for
894 unsigned long incoming_data_size, outgoing_data_size, deferred_data_size;
895 unsigned long max_data_size;
897 long next_rekey, last_rekey;
898 char *deferred_rekey_reason; /* points to STATIC string; don't free */
901 #define logevent(s) logevent(ssh->frontend, s)
903 /* logevent, only printf-formatted. */
904 static void logeventf(Ssh ssh, const char *fmt, ...)
910 buf = dupvprintf(fmt, ap);
916 #define bombout(msg) \
918 char *text = dupprintf msg; \
919 ssh_do_close(ssh, FALSE); \
921 connection_fatal(ssh->frontend, "%s", text); \
925 /* Functions to leave bits out of the SSH packet log file. */
927 static void dont_log_password(Ssh ssh, struct Packet *pkt, int blanktype)
929 if (ssh->cfg.logomitpass)
930 pkt->logmode = blanktype;
933 static void dont_log_data(Ssh ssh, struct Packet *pkt, int blanktype)
935 if (ssh->cfg.logomitdata)
936 pkt->logmode = blanktype;
939 static void end_log_omission(Ssh ssh, struct Packet *pkt)
941 pkt->logmode = PKTLOG_EMIT;
944 /* Helper function for common bits of parsing cfg.ttymodes. */
945 static void parse_ttymodes(Ssh ssh, char *modes,
946 void (*do_mode)(void *data, char *mode, char *val),
950 char *t = strchr(modes, '\t');
951 char *m = snewn(t-modes+1, char);
953 strncpy(m, modes, t-modes);
956 val = get_ttymode(ssh->frontend, m);
960 do_mode(data, m, val);
963 modes += strlen(modes) + 1;
967 static int ssh_channelcmp(void *av, void *bv)
969 struct ssh_channel *a = (struct ssh_channel *) av;
970 struct ssh_channel *b = (struct ssh_channel *) bv;
971 if (a->localid < b->localid)
973 if (a->localid > b->localid)
977 static int ssh_channelfind(void *av, void *bv)
979 unsigned *a = (unsigned *) av;
980 struct ssh_channel *b = (struct ssh_channel *) bv;
988 static int ssh_rportcmp_ssh1(void *av, void *bv)
990 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
991 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
993 if ( (i = strcmp(a->dhost, b->dhost)) != 0)
994 return i < 0 ? -1 : +1;
995 if (a->dport > b->dport)
997 if (a->dport < b->dport)
1002 static int ssh_rportcmp_ssh2(void *av, void *bv)
1004 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
1005 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
1007 if (a->sport > b->sport)
1009 if (a->sport < b->sport)
1015 * Special form of strcmp which can cope with NULL inputs. NULL is
1016 * defined to sort before even the empty string.
1018 static int nullstrcmp(const char *a, const char *b)
1020 if (a == NULL && b == NULL)
1026 return strcmp(a, b);
1029 static int ssh_portcmp(void *av, void *bv)
1031 struct ssh_portfwd *a = (struct ssh_portfwd *) av;
1032 struct ssh_portfwd *b = (struct ssh_portfwd *) bv;
1034 if (a->type > b->type)
1036 if (a->type < b->type)
1038 if (a->addressfamily > b->addressfamily)
1040 if (a->addressfamily < b->addressfamily)
1042 if ( (i = nullstrcmp(a->saddr, b->saddr)) != 0)
1043 return i < 0 ? -1 : +1;
1044 if (a->sport > b->sport)
1046 if (a->sport < b->sport)
1048 if (a->type != 'D') {
1049 if ( (i = nullstrcmp(a->daddr, b->daddr)) != 0)
1050 return i < 0 ? -1 : +1;
1051 if (a->dport > b->dport)
1053 if (a->dport < b->dport)
1059 static int alloc_channel_id(Ssh ssh)
1061 const unsigned CHANNEL_NUMBER_OFFSET = 256;
1062 unsigned low, high, mid;
1064 struct ssh_channel *c;
1067 * First-fit allocation of channel numbers: always pick the
1068 * lowest unused one. To do this, binary-search using the
1069 * counted B-tree to find the largest channel ID which is in a
1070 * contiguous sequence from the beginning. (Precisely
1071 * everything in that sequence must have ID equal to its tree
1072 * index plus CHANNEL_NUMBER_OFFSET.)
1074 tsize = count234(ssh->channels);
1078 while (high - low > 1) {
1079 mid = (high + low) / 2;
1080 c = index234(ssh->channels, mid);
1081 if (c->localid == mid + CHANNEL_NUMBER_OFFSET)
1082 low = mid; /* this one is fine */
1084 high = mid; /* this one is past it */
1087 * Now low points to either -1, or the tree index of the
1088 * largest ID in the initial sequence.
1091 unsigned i = low + 1 + CHANNEL_NUMBER_OFFSET;
1092 assert(NULL == find234(ssh->channels, &i, ssh_channelfind));
1094 return low + 1 + CHANNEL_NUMBER_OFFSET;
1097 static void c_write_stderr(int trusted, const char *buf, int len)
1100 for (i = 0; i < len; i++)
1101 if (buf[i] != '\r' && (trusted || buf[i] == '\n' || (buf[i] & 0x60)))
1102 fputc(buf[i], stderr);
1105 static void c_write(Ssh ssh, const char *buf, int len)
1107 if (flags & FLAG_STDERR)
1108 c_write_stderr(1, buf, len);
1110 from_backend(ssh->frontend, 1, buf, len);
1113 static void c_write_untrusted(Ssh ssh, const char *buf, int len)
1115 if (flags & FLAG_STDERR)
1116 c_write_stderr(0, buf, len);
1118 from_backend_untrusted(ssh->frontend, buf, len);
1121 static void c_write_str(Ssh ssh, const char *buf)
1123 c_write(ssh, buf, strlen(buf));
1126 static void ssh_free_packet(struct Packet *pkt)
1131 static struct Packet *ssh_new_packet(void)
1133 struct Packet *pkt = snew(struct Packet);
1135 pkt->body = pkt->data = NULL;
1137 pkt->logmode = PKTLOG_EMIT;
1145 * Collect incoming data in the incoming packet buffer.
1146 * Decipher and verify the packet when it is completely read.
1147 * Drop SSH1_MSG_DEBUG and SSH1_MSG_IGNORE packets.
1148 * Update the *data and *datalen variables.
1149 * Return a Packet structure when a packet is completed.
1151 static struct Packet *ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1153 struct rdpkt1_state_tag *st = &ssh->rdpkt1_state;
1155 crBegin(ssh->ssh1_rdpkt_crstate);
1157 st->pktin = ssh_new_packet();
1159 st->pktin->type = 0;
1160 st->pktin->length = 0;
1162 for (st->i = st->len = 0; st->i < 4; st->i++) {
1163 while ((*datalen) == 0)
1165 st->len = (st->len << 8) + **data;
1166 (*data)++, (*datalen)--;
1169 st->pad = 8 - (st->len % 8);
1170 st->biglen = st->len + st->pad;
1171 st->pktin->length = st->len - 5;
1173 if (st->biglen < 0) {
1174 bombout(("Extremely large packet length from server suggests"
1175 " data stream corruption"));
1176 ssh_free_packet(st->pktin);
1180 st->pktin->maxlen = st->biglen;
1181 st->pktin->data = snewn(st->biglen + APIEXTRA, unsigned char);
1183 st->to_read = st->biglen;
1184 st->p = st->pktin->data;
1185 while (st->to_read > 0) {
1186 st->chunk = st->to_read;
1187 while ((*datalen) == 0)
1189 if (st->chunk > (*datalen))
1190 st->chunk = (*datalen);
1191 memcpy(st->p, *data, st->chunk);
1193 *datalen -= st->chunk;
1195 st->to_read -= st->chunk;
1198 if (ssh->cipher && detect_attack(ssh->crcda_ctx, st->pktin->data,
1199 st->biglen, NULL)) {
1200 bombout(("Network attack (CRC compensation) detected!"));
1201 ssh_free_packet(st->pktin);
1206 ssh->cipher->decrypt(ssh->v1_cipher_ctx, st->pktin->data, st->biglen);
1208 st->realcrc = crc32_compute(st->pktin->data, st->biglen - 4);
1209 st->gotcrc = GET_32BIT(st->pktin->data + st->biglen - 4);
1210 if (st->gotcrc != st->realcrc) {
1211 bombout(("Incorrect CRC received on packet"));
1212 ssh_free_packet(st->pktin);
1216 st->pktin->body = st->pktin->data + st->pad + 1;
1217 st->pktin->savedpos = 0;
1219 if (ssh->v1_compressing) {
1220 unsigned char *decompblk;
1222 if (!zlib_decompress_block(ssh->sc_comp_ctx,
1223 st->pktin->body - 1, st->pktin->length + 1,
1224 &decompblk, &decomplen)) {
1225 bombout(("Zlib decompression encountered invalid data"));
1226 ssh_free_packet(st->pktin);
1230 if (st->pktin->maxlen < st->pad + decomplen) {
1231 st->pktin->maxlen = st->pad + decomplen;
1232 st->pktin->data = sresize(st->pktin->data,
1233 st->pktin->maxlen + APIEXTRA,
1235 st->pktin->body = st->pktin->data + st->pad + 1;
1238 memcpy(st->pktin->body - 1, decompblk, decomplen);
1240 st->pktin->length = decomplen - 1;
1243 st->pktin->type = st->pktin->body[-1];
1246 * Log incoming packet, possibly omitting sensitive fields.
1250 struct logblank_t blank;
1251 if (ssh->cfg.logomitdata) {
1252 int do_blank = FALSE, blank_prefix = 0;
1253 /* "Session data" packets - omit the data field */
1254 if ((st->pktin->type == SSH1_SMSG_STDOUT_DATA) ||
1255 (st->pktin->type == SSH1_SMSG_STDERR_DATA)) {
1256 do_blank = TRUE; blank_prefix = 4;
1257 } else if (st->pktin->type == SSH1_MSG_CHANNEL_DATA) {
1258 do_blank = TRUE; blank_prefix = 8;
1261 blank.offset = blank_prefix;
1262 blank.len = st->pktin->length;
1263 blank.type = PKTLOG_OMIT;
1267 log_packet(ssh->logctx,
1268 PKT_INCOMING, st->pktin->type,
1269 ssh1_pkt_type(st->pktin->type),
1270 st->pktin->body, st->pktin->length,
1274 crFinish(st->pktin);
1277 static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1279 struct rdpkt2_state_tag *st = &ssh->rdpkt2_state;
1281 crBegin(ssh->ssh2_rdpkt_crstate);
1283 st->pktin = ssh_new_packet();
1285 st->pktin->type = 0;
1286 st->pktin->length = 0;
1288 st->cipherblk = ssh->sccipher->blksize;
1291 if (st->cipherblk < 8)
1294 st->pktin->data = snewn(st->cipherblk + APIEXTRA, unsigned char);
1297 * Acquire and decrypt the first block of the packet. This will
1298 * contain the length and padding details.
1300 for (st->i = st->len = 0; st->i < st->cipherblk; st->i++) {
1301 while ((*datalen) == 0)
1303 st->pktin->data[st->i] = *(*data)++;
1308 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1309 st->pktin->data, st->cipherblk);
1312 * Now get the length and padding figures.
1314 st->len = GET_32BIT(st->pktin->data);
1315 st->pad = st->pktin->data[4];
1318 * _Completely_ silly lengths should be stomped on before they
1319 * do us any more damage.
1321 if (st->len < 0 || st->len > 35000 || st->pad < 4 ||
1322 st->len - st->pad < 1 || (st->len + 4) % st->cipherblk != 0) {
1323 bombout(("Incoming packet was garbled on decryption"));
1324 ssh_free_packet(st->pktin);
1329 * This enables us to deduce the payload length.
1331 st->payload = st->len - st->pad - 1;
1333 st->pktin->length = st->payload + 5;
1336 * So now we can work out the total packet length.
1338 st->packetlen = st->len + 4;
1339 st->maclen = ssh->scmac ? ssh->scmac->len : 0;
1342 * Allocate memory for the rest of the packet.
1344 st->pktin->maxlen = st->packetlen + st->maclen;
1345 st->pktin->data = sresize(st->pktin->data,
1346 st->pktin->maxlen + APIEXTRA,
1350 * Read and decrypt the remainder of the packet.
1352 for (st->i = st->cipherblk; st->i < st->packetlen + st->maclen;
1354 while ((*datalen) == 0)
1356 st->pktin->data[st->i] = *(*data)++;
1359 /* Decrypt everything _except_ the MAC. */
1361 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1362 st->pktin->data + st->cipherblk,
1363 st->packetlen - st->cipherblk);
1365 st->pktin->encrypted_len = st->packetlen;
1371 && !ssh->scmac->verify(ssh->sc_mac_ctx, st->pktin->data, st->len + 4,
1372 st->incoming_sequence)) {
1373 bombout(("Incorrect MAC received on packet"));
1374 ssh_free_packet(st->pktin);
1378 st->pktin->sequence = st->incoming_sequence++;
1381 * Decompress packet payload.
1384 unsigned char *newpayload;
1387 ssh->sccomp->decompress(ssh->sc_comp_ctx,
1388 st->pktin->data + 5, st->pktin->length - 5,
1389 &newpayload, &newlen)) {
1390 if (st->pktin->maxlen < newlen + 5) {
1391 st->pktin->maxlen = newlen + 5;
1392 st->pktin->data = sresize(st->pktin->data,
1393 st->pktin->maxlen + APIEXTRA,
1396 st->pktin->length = 5 + newlen;
1397 memcpy(st->pktin->data + 5, newpayload, newlen);
1402 st->pktin->savedpos = 6;
1403 st->pktin->body = st->pktin->data;
1404 st->pktin->type = st->pktin->data[5];
1407 * Log incoming packet, possibly omitting sensitive fields.
1411 struct logblank_t blank;
1412 if (ssh->cfg.logomitdata) {
1413 int do_blank = FALSE, blank_prefix = 0;
1414 /* "Session data" packets - omit the data field */
1415 if (st->pktin->type == SSH2_MSG_CHANNEL_DATA) {
1416 do_blank = TRUE; blank_prefix = 8;
1417 } else if (st->pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA) {
1418 do_blank = TRUE; blank_prefix = 12;
1421 blank.offset = blank_prefix;
1422 blank.len = (st->pktin->length-6) - blank_prefix;
1423 blank.type = PKTLOG_OMIT;
1427 log_packet(ssh->logctx, PKT_INCOMING, st->pktin->type,
1428 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx,
1430 st->pktin->data+6, st->pktin->length-6,
1434 crFinish(st->pktin);
1437 static int s_wrpkt_prepare(Ssh ssh, struct Packet *pkt, int *offset_p)
1439 int pad, biglen, i, pktoffs;
1443 * XXX various versions of SC (including 8.8.4) screw up the
1444 * register allocation in this function and use the same register
1445 * (D6) for len and as a temporary, with predictable results. The
1446 * following sledgehammer prevents this.
1453 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[12],
1454 ssh1_pkt_type(pkt->data[12]),
1455 pkt->body, pkt->length - (pkt->body - pkt->data),
1456 pkt->nblanks, pkt->blanks);
1457 sfree(pkt->blanks); pkt->blanks = NULL;
1460 if (ssh->v1_compressing) {
1461 unsigned char *compblk;
1463 zlib_compress_block(ssh->cs_comp_ctx,
1464 pkt->data + 12, pkt->length - 12,
1465 &compblk, &complen);
1466 ssh_pkt_ensure(pkt, complen + 2); /* just in case it's got bigger */
1467 memcpy(pkt->data + 12, compblk, complen);
1469 pkt->length = complen + 12;
1472 ssh_pkt_ensure(pkt, pkt->length + 4); /* space for CRC */
1474 len = pkt->length - 4 - 8; /* len(type+data+CRC) */
1475 pad = 8 - (len % 8);
1477 biglen = len + pad; /* len(padding+type+data+CRC) */
1479 for (i = pktoffs; i < 4+8; i++)
1480 pkt->data[i] = random_byte();
1481 crc = crc32_compute(pkt->data + pktoffs + 4, biglen - 4); /* all ex len */
1482 PUT_32BIT(pkt->data + pktoffs + 4 + biglen - 4, crc);
1483 PUT_32BIT(pkt->data + pktoffs, len);
1486 ssh->cipher->encrypt(ssh->v1_cipher_ctx,
1487 pkt->data + pktoffs + 4, biglen);
1489 if (offset_p) *offset_p = pktoffs;
1490 return biglen + 4; /* len(length+padding+type+data+CRC) */
1493 static int s_write(Ssh ssh, void *data, int len)
1496 log_packet(ssh->logctx, PKT_OUTGOING, -1, NULL, data, len, 0, NULL);
1497 return sk_write(ssh->s, (char *)data, len);
1500 static void s_wrpkt(Ssh ssh, struct Packet *pkt)
1502 int len, backlog, offset;
1503 len = s_wrpkt_prepare(ssh, pkt, &offset);
1504 backlog = s_write(ssh, pkt->data + offset, len);
1505 if (backlog > SSH_MAX_BACKLOG)
1506 ssh_throttle_all(ssh, 1, backlog);
1507 ssh_free_packet(pkt);
1510 static void s_wrpkt_defer(Ssh ssh, struct Packet *pkt)
1513 len = s_wrpkt_prepare(ssh, pkt, &offset);
1514 if (ssh->deferred_len + len > ssh->deferred_size) {
1515 ssh->deferred_size = ssh->deferred_len + len + 128;
1516 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1520 memcpy(ssh->deferred_send_data + ssh->deferred_len,
1521 pkt->data + offset, len);
1522 ssh->deferred_len += len;
1523 ssh_free_packet(pkt);
1527 * Construct a SSH-1 packet with the specified contents.
1528 * (This all-at-once interface used to be the only one, but now SSH-1
1529 * packets can also be constructed incrementally.)
1531 static struct Packet *construct_packet(Ssh ssh, int pkttype, va_list ap)
1537 pkt = ssh1_pkt_init(pkttype);
1539 while ((argtype = va_arg(ap, int)) != PKT_END) {
1540 unsigned char *argp, argchar;
1542 unsigned long argint;
1545 /* Actual fields in the packet */
1547 argint = va_arg(ap, int);
1548 ssh_pkt_adduint32(pkt, argint);
1551 argchar = (unsigned char) va_arg(ap, int);
1552 ssh_pkt_addbyte(pkt, argchar);
1555 argp = va_arg(ap, unsigned char *);
1556 arglen = va_arg(ap, int);
1557 ssh_pkt_adddata(pkt, argp, arglen);
1560 sargp = va_arg(ap, char *);
1561 ssh_pkt_addstring(pkt, sargp);
1564 bn = va_arg(ap, Bignum);
1565 ssh1_pkt_addmp(pkt, bn);
1567 /* Tokens for modifications to packet logging */
1569 dont_log_password(ssh, pkt, PKTLOG_BLANK);
1572 dont_log_data(ssh, pkt, PKTLOG_OMIT);
1575 end_log_omission(ssh, pkt);
1583 static void send_packet(Ssh ssh, int pkttype, ...)
1587 va_start(ap, pkttype);
1588 pkt = construct_packet(ssh, pkttype, ap);
1593 static void defer_packet(Ssh ssh, int pkttype, ...)
1597 va_start(ap, pkttype);
1598 pkt = construct_packet(ssh, pkttype, ap);
1600 s_wrpkt_defer(ssh, pkt);
1603 static int ssh_versioncmp(char *a, char *b)
1606 unsigned long av, bv;
1608 av = strtoul(a, &ae, 10);
1609 bv = strtoul(b, &be, 10);
1611 return (av < bv ? -1 : +1);
1616 av = strtoul(ae, &ae, 10);
1617 bv = strtoul(be, &be, 10);
1619 return (av < bv ? -1 : +1);
1624 * Utility routines for putting an SSH-protocol `string' and
1625 * `uint32' into a hash state.
1627 static void hash_string(const struct ssh_hash *h, void *s, void *str, int len)
1629 unsigned char lenblk[4];
1630 PUT_32BIT(lenblk, len);
1631 h->bytes(s, lenblk, 4);
1632 h->bytes(s, str, len);
1635 static void hash_uint32(const struct ssh_hash *h, void *s, unsigned i)
1637 unsigned char intblk[4];
1638 PUT_32BIT(intblk, i);
1639 h->bytes(s, intblk, 4);
1643 * Packet construction functions. Mostly shared between SSH-1 and SSH-2.
1645 static void ssh_pkt_ensure(struct Packet *pkt, int length)
1647 if (pkt->maxlen < length) {
1648 unsigned char *body = pkt->body;
1649 int offset = body ? body - pkt->data : 0;
1650 pkt->maxlen = length + 256;
1651 pkt->data = sresize(pkt->data, pkt->maxlen + APIEXTRA, unsigned char);
1652 if (body) pkt->body = pkt->data + offset;
1655 static void ssh_pkt_adddata(struct Packet *pkt, void *data, int len)
1657 if (pkt->logmode != PKTLOG_EMIT) {
1659 pkt->blanks = sresize(pkt->blanks, pkt->nblanks, struct logblank_t);
1661 pkt->blanks[pkt->nblanks-1].offset = pkt->length -
1662 (pkt->body - pkt->data);
1663 pkt->blanks[pkt->nblanks-1].len = len;
1664 pkt->blanks[pkt->nblanks-1].type = pkt->logmode;
1667 ssh_pkt_ensure(pkt, pkt->length);
1668 memcpy(pkt->data + pkt->length - len, data, len);
1670 static void ssh_pkt_addbyte(struct Packet *pkt, unsigned char byte)
1672 ssh_pkt_adddata(pkt, &byte, 1);
1674 static void ssh2_pkt_addbool(struct Packet *pkt, unsigned char value)
1676 ssh_pkt_adddata(pkt, &value, 1);
1678 static void ssh_pkt_adduint32(struct Packet *pkt, unsigned long value)
1681 PUT_32BIT(x, value);
1682 ssh_pkt_adddata(pkt, x, 4);
1684 static void ssh_pkt_addstring_start(struct Packet *pkt)
1686 ssh_pkt_adduint32(pkt, 0);
1687 pkt->savedpos = pkt->length;
1689 static void ssh_pkt_addstring_str(struct Packet *pkt, char *data)
1691 ssh_pkt_adddata(pkt, data, strlen(data));
1692 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1694 static void ssh_pkt_addstring_data(struct Packet *pkt, char *data, int len)
1696 ssh_pkt_adddata(pkt, data, len);
1697 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
1699 static void ssh_pkt_addstring(struct Packet *pkt, char *data)
1701 ssh_pkt_addstring_start(pkt);
1702 ssh_pkt_addstring_str(pkt, data);
1704 static void ssh1_pkt_addmp(struct Packet *pkt, Bignum b)
1706 int len = ssh1_bignum_length(b);
1707 unsigned char *data = snewn(len, unsigned char);
1708 (void) ssh1_write_bignum(data, b);
1709 ssh_pkt_adddata(pkt, data, len);
1712 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len)
1715 int i, n = (bignum_bitcount(b) + 7) / 8;
1716 p = snewn(n + 1, unsigned char);
1718 for (i = 1; i <= n; i++)
1719 p[i] = bignum_byte(b, n - i);
1721 while (i <= n && p[i] == 0 && (p[i + 1] & 0x80) == 0)
1723 memmove(p, p + i, n + 1 - i);
1727 static void ssh2_pkt_addmp(struct Packet *pkt, Bignum b)
1731 p = ssh2_mpint_fmt(b, &len);
1732 ssh_pkt_addstring_start(pkt);
1733 ssh_pkt_addstring_data(pkt, (char *)p, len);
1737 static struct Packet *ssh1_pkt_init(int pkt_type)
1739 struct Packet *pkt = ssh_new_packet();
1740 pkt->length = 4 + 8; /* space for length + max padding */
1741 ssh_pkt_addbyte(pkt, pkt_type);
1742 pkt->body = pkt->data + pkt->length;
1746 /* For legacy code (SSH-1 and -2 packet construction used to be separate) */
1747 #define ssh2_pkt_ensure(pkt, length) ssh_pkt_ensure(pkt, length)
1748 #define ssh2_pkt_adddata(pkt, data, len) ssh_pkt_adddata(pkt, data, len)
1749 #define ssh2_pkt_addbyte(pkt, byte) ssh_pkt_addbyte(pkt, byte)
1750 #define ssh2_pkt_adduint32(pkt, value) ssh_pkt_adduint32(pkt, value)
1751 #define ssh2_pkt_addstring_start(pkt) ssh_pkt_addstring_start(pkt)
1752 #define ssh2_pkt_addstring_str(pkt, data) ssh_pkt_addstring_str(pkt, data)
1753 #define ssh2_pkt_addstring_data(pkt, data, len) ssh_pkt_addstring_data(pkt, data, len)
1754 #define ssh2_pkt_addstring(pkt, data) ssh_pkt_addstring(pkt, data)
1756 static struct Packet *ssh2_pkt_init(int pkt_type)
1758 struct Packet *pkt = ssh_new_packet();
1759 pkt->length = 5; /* space for packet length + padding length */
1761 ssh_pkt_addbyte(pkt, (unsigned char) pkt_type);
1762 pkt->body = pkt->data + pkt->length; /* after packet type */
1767 * Construct an SSH-2 final-form packet: compress it, encrypt it,
1768 * put the MAC on it. Final packet, ready to be sent, is stored in
1769 * pkt->data. Total length is returned.
1771 static int ssh2_pkt_construct(Ssh ssh, struct Packet *pkt)
1773 int cipherblk, maclen, padding, i;
1776 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[5],
1777 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx, pkt->data[5]),
1778 pkt->body, pkt->length - (pkt->body - pkt->data),
1779 pkt->nblanks, pkt->blanks);
1780 sfree(pkt->blanks); pkt->blanks = NULL;
1784 * Compress packet payload.
1787 unsigned char *newpayload;
1790 ssh->cscomp->compress(ssh->cs_comp_ctx, pkt->data + 5,
1792 &newpayload, &newlen)) {
1794 ssh2_pkt_adddata(pkt, newpayload, newlen);
1800 * Add padding. At least four bytes, and must also bring total
1801 * length (minus MAC) up to a multiple of the block size.
1802 * If pkt->forcepad is set, make sure the packet is at least that size
1805 cipherblk = ssh->cscipher ? ssh->cscipher->blksize : 8; /* block size */
1806 cipherblk = cipherblk < 8 ? 8 : cipherblk; /* or 8 if blksize < 8 */
1808 if (pkt->length + padding < pkt->forcepad)
1809 padding = pkt->forcepad - pkt->length;
1811 (cipherblk - (pkt->length + padding) % cipherblk) % cipherblk;
1812 assert(padding <= 255);
1813 maclen = ssh->csmac ? ssh->csmac->len : 0;
1814 ssh2_pkt_ensure(pkt, pkt->length + padding + maclen);
1815 pkt->data[4] = padding;
1816 for (i = 0; i < padding; i++)
1817 pkt->data[pkt->length + i] = random_byte();
1818 PUT_32BIT(pkt->data, pkt->length + padding - 4);
1820 ssh->csmac->generate(ssh->cs_mac_ctx, pkt->data,
1821 pkt->length + padding,
1822 ssh->v2_outgoing_sequence);
1823 ssh->v2_outgoing_sequence++; /* whether or not we MACed */
1826 ssh->cscipher->encrypt(ssh->cs_cipher_ctx,
1827 pkt->data, pkt->length + padding);
1829 pkt->encrypted_len = pkt->length + padding;
1831 /* Ready-to-send packet starts at pkt->data. We return length. */
1832 return pkt->length + padding + maclen;
1836 * Routines called from the main SSH code to send packets. There
1837 * are quite a few of these, because we have two separate
1838 * mechanisms for delaying the sending of packets:
1840 * - In order to send an IGNORE message and a password message in
1841 * a single fixed-length blob, we require the ability to
1842 * concatenate the encrypted forms of those two packets _into_ a
1843 * single blob and then pass it to our <network.h> transport
1844 * layer in one go. Hence, there's a deferment mechanism which
1845 * works after packet encryption.
1847 * - In order to avoid sending any connection-layer messages
1848 * during repeat key exchange, we have to queue up any such
1849 * outgoing messages _before_ they are encrypted (and in
1850 * particular before they're allocated sequence numbers), and
1851 * then send them once we've finished.
1853 * I call these mechanisms `defer' and `queue' respectively, so as
1854 * to distinguish them reasonably easily.
1856 * The functions send_noqueue() and defer_noqueue() free the packet
1857 * structure they are passed. Every outgoing packet goes through
1858 * precisely one of these functions in its life; packets passed to
1859 * ssh2_pkt_send() or ssh2_pkt_defer() either go straight to one of
1860 * these or get queued, and then when the queue is later emptied
1861 * the packets are all passed to defer_noqueue().
1863 * When using a CBC-mode cipher, it's necessary to ensure that an
1864 * attacker can't provide data to be encrypted using an IV that they
1865 * know. We ensure this by prefixing each packet that might contain
1866 * user data with an SSH_MSG_IGNORE. This is done using the deferral
1867 * mechanism, so in this case send_noqueue() ends up redirecting to
1868 * defer_noqueue(). If you don't like this inefficiency, don't use
1872 static void ssh2_pkt_defer_noqueue(Ssh, struct Packet *, int);
1873 static void ssh_pkt_defersend(Ssh);
1876 * Send an SSH-2 packet immediately, without queuing or deferring.
1878 static void ssh2_pkt_send_noqueue(Ssh ssh, struct Packet *pkt)
1882 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC)) {
1883 /* We need to send two packets, so use the deferral mechanism. */
1884 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1885 ssh_pkt_defersend(ssh);
1888 len = ssh2_pkt_construct(ssh, pkt);
1889 backlog = s_write(ssh, pkt->data, len);
1890 if (backlog > SSH_MAX_BACKLOG)
1891 ssh_throttle_all(ssh, 1, backlog);
1893 ssh->outgoing_data_size += pkt->encrypted_len;
1894 if (!ssh->kex_in_progress &&
1895 ssh->max_data_size != 0 &&
1896 ssh->outgoing_data_size > ssh->max_data_size)
1897 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
1899 ssh_free_packet(pkt);
1903 * Defer an SSH-2 packet.
1905 static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt, int noignore)
1908 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC) &&
1909 ssh->deferred_len == 0 && !noignore) {
1911 * Interpose an SSH_MSG_IGNORE to ensure that user data don't
1912 * get encrypted with a known IV.
1914 struct Packet *ipkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
1915 ssh2_pkt_addstring_start(ipkt);
1916 ssh2_pkt_defer_noqueue(ssh, ipkt, TRUE);
1918 len = ssh2_pkt_construct(ssh, pkt);
1919 if (ssh->deferred_len + len > ssh->deferred_size) {
1920 ssh->deferred_size = ssh->deferred_len + len + 128;
1921 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1925 memcpy(ssh->deferred_send_data + ssh->deferred_len, pkt->data, len);
1926 ssh->deferred_len += len;
1927 ssh->deferred_data_size += pkt->encrypted_len;
1928 ssh_free_packet(pkt);
1932 * Queue an SSH-2 packet.
1934 static void ssh2_pkt_queue(Ssh ssh, struct Packet *pkt)
1936 assert(ssh->queueing);
1938 if (ssh->queuelen >= ssh->queuesize) {
1939 ssh->queuesize = ssh->queuelen + 32;
1940 ssh->queue = sresize(ssh->queue, ssh->queuesize, struct Packet *);
1943 ssh->queue[ssh->queuelen++] = pkt;
1947 * Either queue or send a packet, depending on whether queueing is
1950 static void ssh2_pkt_send(Ssh ssh, struct Packet *pkt)
1953 ssh2_pkt_queue(ssh, pkt);
1955 ssh2_pkt_send_noqueue(ssh, pkt);
1959 * Either queue or defer a packet, depending on whether queueing is
1962 static void ssh2_pkt_defer(Ssh ssh, struct Packet *pkt)
1965 ssh2_pkt_queue(ssh, pkt);
1967 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
1971 * Send the whole deferred data block constructed by
1972 * ssh2_pkt_defer() or SSH-1's defer_packet().
1974 * The expected use of the defer mechanism is that you call
1975 * ssh2_pkt_defer() a few times, then call ssh_pkt_defersend(). If
1976 * not currently queueing, this simply sets up deferred_send_data
1977 * and then sends it. If we _are_ currently queueing, the calls to
1978 * ssh2_pkt_defer() put the deferred packets on to the queue
1979 * instead, and therefore ssh_pkt_defersend() has no deferred data
1980 * to send. Hence, there's no need to make it conditional on
1983 static void ssh_pkt_defersend(Ssh ssh)
1986 backlog = s_write(ssh, ssh->deferred_send_data, ssh->deferred_len);
1987 ssh->deferred_len = ssh->deferred_size = 0;
1988 sfree(ssh->deferred_send_data);
1989 ssh->deferred_send_data = NULL;
1990 if (backlog > SSH_MAX_BACKLOG)
1991 ssh_throttle_all(ssh, 1, backlog);
1993 ssh->outgoing_data_size += ssh->deferred_data_size;
1994 if (!ssh->kex_in_progress &&
1995 ssh->max_data_size != 0 &&
1996 ssh->outgoing_data_size > ssh->max_data_size)
1997 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
1998 ssh->deferred_data_size = 0;
2002 * Send a packet whose length needs to be disguised (typically
2003 * passwords or keyboard-interactive responses).
2005 static void ssh2_pkt_send_with_padding(Ssh ssh, struct Packet *pkt,
2011 * The simplest way to do this is to adjust the
2012 * variable-length padding field in the outgoing packet.
2014 * Currently compiled out, because some Cisco SSH servers
2015 * don't like excessively padded packets (bah, why's it
2018 pkt->forcepad = padsize;
2019 ssh2_pkt_send(ssh, pkt);
2024 * If we can't do that, however, an alternative approach is
2025 * to use the pkt_defer mechanism to bundle the packet
2026 * tightly together with an SSH_MSG_IGNORE such that their
2027 * combined length is a constant. So first we construct the
2028 * final form of this packet and defer its sending.
2030 ssh2_pkt_defer(ssh, pkt);
2033 * Now construct an SSH_MSG_IGNORE which includes a string
2034 * that's an exact multiple of the cipher block size. (If
2035 * the cipher is NULL so that the block size is
2036 * unavailable, we don't do this trick at all, because we
2037 * gain nothing by it.)
2039 if (ssh->cscipher) {
2042 stringlen = (256 - ssh->deferred_len);
2043 stringlen += ssh->cscipher->blksize - 1;
2044 stringlen -= (stringlen % ssh->cscipher->blksize);
2047 * Temporarily disable actual compression, so we
2048 * can guarantee to get this string exactly the
2049 * length we want it. The compression-disabling
2050 * routine should return an integer indicating how
2051 * many bytes we should adjust our string length
2055 ssh->cscomp->disable_compression(ssh->cs_comp_ctx);
2057 pkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
2058 ssh2_pkt_addstring_start(pkt);
2059 for (i = 0; i < stringlen; i++) {
2060 char c = (char) random_byte();
2061 ssh2_pkt_addstring_data(pkt, &c, 1);
2063 ssh2_pkt_defer(ssh, pkt);
2065 ssh_pkt_defersend(ssh);
2070 * Send all queued SSH-2 packets. We send them by means of
2071 * ssh2_pkt_defer_noqueue(), in case they included a pair of
2072 * packets that needed to be lumped together.
2074 static void ssh2_pkt_queuesend(Ssh ssh)
2078 assert(!ssh->queueing);
2080 for (i = 0; i < ssh->queuelen; i++)
2081 ssh2_pkt_defer_noqueue(ssh, ssh->queue[i], FALSE);
2084 ssh_pkt_defersend(ssh);
2088 void bndebug(char *string, Bignum b)
2092 p = ssh2_mpint_fmt(b, &len);
2093 debug(("%s", string));
2094 for (i = 0; i < len; i++)
2095 debug((" %02x", p[i]));
2101 static void hash_mpint(const struct ssh_hash *h, void *s, Bignum b)
2105 p = ssh2_mpint_fmt(b, &len);
2106 hash_string(h, s, p, len);
2111 * Packet decode functions for both SSH-1 and SSH-2.
2113 static unsigned long ssh_pkt_getuint32(struct Packet *pkt)
2115 unsigned long value;
2116 if (pkt->length - pkt->savedpos < 4)
2117 return 0; /* arrgh, no way to decline (FIXME?) */
2118 value = GET_32BIT(pkt->body + pkt->savedpos);
2122 static int ssh2_pkt_getbool(struct Packet *pkt)
2124 unsigned long value;
2125 if (pkt->length - pkt->savedpos < 1)
2126 return 0; /* arrgh, no way to decline (FIXME?) */
2127 value = pkt->body[pkt->savedpos] != 0;
2131 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length)
2136 if (pkt->length - pkt->savedpos < 4)
2138 len = GET_32BIT(pkt->body + pkt->savedpos);
2143 if (pkt->length - pkt->savedpos < *length)
2145 *p = (char *)(pkt->body + pkt->savedpos);
2146 pkt->savedpos += *length;
2148 static void *ssh_pkt_getdata(struct Packet *pkt, int length)
2150 if (pkt->length - pkt->savedpos < length)
2152 pkt->savedpos += length;
2153 return pkt->body + (pkt->savedpos - length);
2155 static int ssh1_pkt_getrsakey(struct Packet *pkt, struct RSAKey *key,
2156 unsigned char **keystr)
2160 j = makekey(pkt->body + pkt->savedpos,
2161 pkt->length - pkt->savedpos,
2168 assert(pkt->savedpos < pkt->length);
2172 static Bignum ssh1_pkt_getmp(struct Packet *pkt)
2177 j = ssh1_read_bignum(pkt->body + pkt->savedpos,
2178 pkt->length - pkt->savedpos, &b);
2186 static Bignum ssh2_pkt_getmp(struct Packet *pkt)
2192 ssh_pkt_getstring(pkt, &p, &length);
2197 b = bignum_from_bytes((unsigned char *)p, length);
2202 * Helper function to add an SSH-2 signature blob to a packet.
2203 * Expects to be shown the public key blob as well as the signature
2204 * blob. Normally works just like ssh2_pkt_addstring, but will
2205 * fiddle with the signature packet if necessary for
2206 * BUG_SSH2_RSA_PADDING.
2208 static void ssh2_add_sigblob(Ssh ssh, struct Packet *pkt,
2209 void *pkblob_v, int pkblob_len,
2210 void *sigblob_v, int sigblob_len)
2212 unsigned char *pkblob = (unsigned char *)pkblob_v;
2213 unsigned char *sigblob = (unsigned char *)sigblob_v;
2215 /* dmemdump(pkblob, pkblob_len); */
2216 /* dmemdump(sigblob, sigblob_len); */
2219 * See if this is in fact an ssh-rsa signature and a buggy
2220 * server; otherwise we can just do this the easy way.
2222 if ((ssh->remote_bugs & BUG_SSH2_RSA_PADDING) &&
2223 (GET_32BIT(pkblob) == 7 && !memcmp(pkblob+4, "ssh-rsa", 7))) {
2224 int pos, len, siglen;
2227 * Find the byte length of the modulus.
2230 pos = 4+7; /* skip over "ssh-rsa" */
2231 pos += 4 + GET_32BIT(pkblob+pos); /* skip over exponent */
2232 len = GET_32BIT(pkblob+pos); /* find length of modulus */
2233 pos += 4; /* find modulus itself */
2234 while (len > 0 && pkblob[pos] == 0)
2236 /* debug(("modulus length is %d\n", len)); */
2239 * Now find the signature integer.
2241 pos = 4+7; /* skip over "ssh-rsa" */
2242 siglen = GET_32BIT(sigblob+pos);
2243 /* debug(("signature length is %d\n", siglen)); */
2245 if (len != siglen) {
2246 unsigned char newlen[4];
2247 ssh2_pkt_addstring_start(pkt);
2248 ssh2_pkt_addstring_data(pkt, (char *)sigblob, pos);
2249 /* dmemdump(sigblob, pos); */
2250 pos += 4; /* point to start of actual sig */
2251 PUT_32BIT(newlen, len);
2252 ssh2_pkt_addstring_data(pkt, (char *)newlen, 4);
2253 /* dmemdump(newlen, 4); */
2255 while (len-- > siglen) {
2256 ssh2_pkt_addstring_data(pkt, (char *)newlen, 1);
2257 /* dmemdump(newlen, 1); */
2259 ssh2_pkt_addstring_data(pkt, (char *)(sigblob+pos), siglen);
2260 /* dmemdump(sigblob+pos, siglen); */
2264 /* Otherwise fall through and do it the easy way. */
2267 ssh2_pkt_addstring_start(pkt);
2268 ssh2_pkt_addstring_data(pkt, (char *)sigblob, sigblob_len);
2272 * Examine the remote side's version string and compare it against
2273 * a list of known buggy implementations.
2275 static void ssh_detect_bugs(Ssh ssh, char *vstring)
2277 char *imp; /* pointer to implementation part */
2279 imp += strcspn(imp, "-");
2281 imp += strcspn(imp, "-");
2284 ssh->remote_bugs = 0;
2287 * General notes on server version strings:
2288 * - Not all servers reporting "Cisco-1.25" have all the bugs listed
2289 * here -- in particular, we've heard of one that's perfectly happy
2290 * with SSH1_MSG_IGNOREs -- but this string never seems to change,
2291 * so we can't distinguish them.
2293 if (ssh->cfg.sshbug_ignore1 == FORCE_ON ||
2294 (ssh->cfg.sshbug_ignore1 == AUTO &&
2295 (!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
2296 !strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
2297 !strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
2298 !strcmp(imp, "OSU_1.4alpha3") || !strcmp(imp, "OSU_1.5alpha4")))) {
2300 * These versions don't support SSH1_MSG_IGNORE, so we have
2301 * to use a different defence against password length
2304 ssh->remote_bugs |= BUG_CHOKES_ON_SSH1_IGNORE;
2305 logevent("We believe remote version has SSH-1 ignore bug");
2308 if (ssh->cfg.sshbug_plainpw1 == FORCE_ON ||
2309 (ssh->cfg.sshbug_plainpw1 == AUTO &&
2310 (!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
2312 * These versions need a plain password sent; they can't
2313 * handle having a null and a random length of data after
2316 ssh->remote_bugs |= BUG_NEEDS_SSH1_PLAIN_PASSWORD;
2317 logevent("We believe remote version needs a plain SSH-1 password");
2320 if (ssh->cfg.sshbug_rsa1 == FORCE_ON ||
2321 (ssh->cfg.sshbug_rsa1 == AUTO &&
2322 (!strcmp(imp, "Cisco-1.25")))) {
2324 * These versions apparently have no clue whatever about
2325 * RSA authentication and will panic and die if they see
2326 * an AUTH_RSA message.
2328 ssh->remote_bugs |= BUG_CHOKES_ON_RSA;
2329 logevent("We believe remote version can't handle SSH-1 RSA authentication");
2332 if (ssh->cfg.sshbug_hmac2 == FORCE_ON ||
2333 (ssh->cfg.sshbug_hmac2 == AUTO &&
2334 !wc_match("* VShell", imp) &&
2335 (wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
2336 wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
2337 wc_match("2.1 *", imp)))) {
2339 * These versions have the HMAC bug.
2341 ssh->remote_bugs |= BUG_SSH2_HMAC;
2342 logevent("We believe remote version has SSH-2 HMAC bug");
2345 if (ssh->cfg.sshbug_derivekey2 == FORCE_ON ||
2346 (ssh->cfg.sshbug_derivekey2 == AUTO &&
2347 !wc_match("* VShell", imp) &&
2348 (wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
2350 * These versions have the key-derivation bug (failing to
2351 * include the literal shared secret in the hashes that
2352 * generate the keys).
2354 ssh->remote_bugs |= BUG_SSH2_DERIVEKEY;
2355 logevent("We believe remote version has SSH-2 key-derivation bug");
2358 if (ssh->cfg.sshbug_rsapad2 == FORCE_ON ||
2359 (ssh->cfg.sshbug_rsapad2 == AUTO &&
2360 (wc_match("OpenSSH_2.[5-9]*", imp) ||
2361 wc_match("OpenSSH_3.[0-2]*", imp)))) {
2363 * These versions have the SSH-2 RSA padding bug.
2365 ssh->remote_bugs |= BUG_SSH2_RSA_PADDING;
2366 logevent("We believe remote version has SSH-2 RSA padding bug");
2369 if (ssh->cfg.sshbug_pksessid2 == FORCE_ON ||
2370 (ssh->cfg.sshbug_pksessid2 == AUTO &&
2371 wc_match("OpenSSH_2.[0-2]*", imp))) {
2373 * These versions have the SSH-2 session-ID bug in
2374 * public-key authentication.
2376 ssh->remote_bugs |= BUG_SSH2_PK_SESSIONID;
2377 logevent("We believe remote version has SSH-2 public-key-session-ID bug");
2380 if (ssh->cfg.sshbug_rekey2 == FORCE_ON ||
2381 (ssh->cfg.sshbug_rekey2 == AUTO &&
2382 (wc_match("DigiSSH_2.0", imp) ||
2383 wc_match("OpenSSH_2.[0-4]*", imp) ||
2384 wc_match("OpenSSH_2.5.[0-3]*", imp) ||
2385 wc_match("Sun_SSH_1.0", imp) ||
2386 wc_match("Sun_SSH_1.0.1", imp) ||
2387 /* All versions <= 1.2.6 (they changed their format in 1.2.7) */
2388 wc_match("WeOnlyDo-*", imp)))) {
2390 * These versions have the SSH-2 rekey bug.
2392 ssh->remote_bugs |= BUG_SSH2_REKEY;
2393 logevent("We believe remote version has SSH-2 rekey bug");
2396 if (ssh->cfg.sshbug_maxpkt2 == FORCE_ON ||
2397 (ssh->cfg.sshbug_maxpkt2 == AUTO &&
2398 (wc_match("1.36_sshlib GlobalSCAPE", imp) ||
2399 wc_match("1.36 sshlib: GlobalScape", imp)))) {
2401 * This version ignores our makpkt and needs to be throttled.
2403 ssh->remote_bugs |= BUG_SSH2_MAXPKT;
2404 logevent("We believe remote version ignores SSH-2 maximum packet size");
2409 * The `software version' part of an SSH version string is required
2410 * to contain no spaces or minus signs.
2412 static void ssh_fix_verstring(char *str)
2414 /* Eat "SSH-<protoversion>-". */
2415 assert(*str == 'S'); str++;
2416 assert(*str == 'S'); str++;
2417 assert(*str == 'H'); str++;
2418 assert(*str == '-'); str++;
2419 while (*str && *str != '-') str++;
2420 assert(*str == '-'); str++;
2422 /* Convert minus signs and spaces in the remaining string into
2425 if (*str == '-' || *str == ' ')
2432 * Send an appropriate SSH version string.
2434 static void ssh_send_verstring(Ssh ssh, char *svers)
2438 if (ssh->version == 2) {
2440 * Construct a v2 version string.
2442 verstring = dupprintf("SSH-2.0-%s\015\012", sshver);
2445 * Construct a v1 version string.
2447 verstring = dupprintf("SSH-%s-%s\012",
2448 (ssh_versioncmp(svers, "1.5") <= 0 ?
2453 ssh_fix_verstring(verstring);
2455 if (ssh->version == 2) {
2458 * Record our version string.
2460 len = strcspn(verstring, "\015\012");
2461 ssh->v_c = snewn(len + 1, char);
2462 memcpy(ssh->v_c, verstring, len);
2466 logeventf(ssh, "We claim version: %.*s",
2467 strcspn(verstring, "\015\012"), verstring);
2468 s_write(ssh, verstring, strlen(verstring));
2472 static int do_ssh_init(Ssh ssh, unsigned char c)
2474 struct do_ssh_init_state {
2482 crState(do_ssh_init_state);
2484 crBegin(ssh->do_ssh_init_crstate);
2486 /* Search for a line beginning with the string "SSH-" in the input. */
2488 if (c != 'S') goto no;
2490 if (c != 'S') goto no;
2492 if (c != 'H') goto no;
2494 if (c != '-') goto no;
2503 s->vstring = snewn(s->vstrsize, char);
2504 strcpy(s->vstring, "SSH-");
2508 crReturn(1); /* get another char */
2509 if (s->vslen >= s->vstrsize - 1) {
2511 s->vstring = sresize(s->vstring, s->vstrsize, char);
2513 s->vstring[s->vslen++] = c;
2516 s->version[s->i] = '\0';
2518 } else if (s->i < sizeof(s->version) - 1)
2519 s->version[s->i++] = c;
2520 } else if (c == '\012')
2524 ssh->agentfwd_enabled = FALSE;
2525 ssh->rdpkt2_state.incoming_sequence = 0;
2527 s->vstring[s->vslen] = 0;
2528 s->vstring[strcspn(s->vstring, "\015\012")] = '\0';/* remove EOL chars */
2529 logeventf(ssh, "Server version: %s", s->vstring);
2530 ssh_detect_bugs(ssh, s->vstring);
2533 * Decide which SSH protocol version to support.
2536 /* Anything strictly below "2.0" means protocol 1 is supported. */
2537 s->proto1 = ssh_versioncmp(s->version, "2.0") < 0;
2538 /* Anything greater or equal to "1.99" means protocol 2 is supported. */
2539 s->proto2 = ssh_versioncmp(s->version, "1.99") >= 0;
2541 if (ssh->cfg.sshprot == 0 && !s->proto1) {
2542 bombout(("SSH protocol version 1 required by user but not provided by server"));
2545 if (ssh->cfg.sshprot == 3 && !s->proto2) {
2546 bombout(("SSH protocol version 2 required by user but not provided by server"));
2550 if (s->proto2 && (ssh->cfg.sshprot >= 2 || !s->proto1))
2555 logeventf(ssh, "Using SSH protocol version %d", ssh->version);
2557 /* Send the version string, if we haven't already */
2558 if (ssh->cfg.sshprot != 3)
2559 ssh_send_verstring(ssh, s->version);
2561 if (ssh->version == 2) {
2564 * Record their version string.
2566 len = strcspn(s->vstring, "\015\012");
2567 ssh->v_s = snewn(len + 1, char);
2568 memcpy(ssh->v_s, s->vstring, len);
2572 * Initialise SSH-2 protocol.
2574 ssh->protocol = ssh2_protocol;
2575 ssh2_protocol_setup(ssh);
2576 ssh->s_rdpkt = ssh2_rdpkt;
2579 * Initialise SSH-1 protocol.
2581 ssh->protocol = ssh1_protocol;
2582 ssh1_protocol_setup(ssh);
2583 ssh->s_rdpkt = ssh1_rdpkt;
2585 if (ssh->version == 2)
2586 do_ssh2_transport(ssh, NULL, -1, NULL);
2588 update_specials_menu(ssh->frontend);
2589 ssh->state = SSH_STATE_BEFORE_SIZE;
2590 ssh->pinger = pinger_new(&ssh->cfg, &ssh_backend, ssh);
2597 static void ssh_process_incoming_data(Ssh ssh,
2598 unsigned char **data, int *datalen)
2600 struct Packet *pktin;
2602 pktin = ssh->s_rdpkt(ssh, data, datalen);
2604 ssh->protocol(ssh, NULL, 0, pktin);
2605 ssh_free_packet(pktin);
2609 static void ssh_queue_incoming_data(Ssh ssh,
2610 unsigned char **data, int *datalen)
2612 bufchain_add(&ssh->queued_incoming_data, *data, *datalen);
2617 static void ssh_process_queued_incoming_data(Ssh ssh)
2620 unsigned char *data;
2623 while (!ssh->frozen && bufchain_size(&ssh->queued_incoming_data)) {
2624 bufchain_prefix(&ssh->queued_incoming_data, &vdata, &len);
2628 while (!ssh->frozen && len > 0)
2629 ssh_process_incoming_data(ssh, &data, &len);
2632 bufchain_consume(&ssh->queued_incoming_data, origlen - len);
2636 static void ssh_set_frozen(Ssh ssh, int frozen)
2639 sk_set_frozen(ssh->s, frozen);
2640 ssh->frozen = frozen;
2643 static void ssh_gotdata(Ssh ssh, unsigned char *data, int datalen)
2645 /* Log raw data, if we're in that mode. */
2647 log_packet(ssh->logctx, PKT_INCOMING, -1, NULL, data, datalen,
2650 crBegin(ssh->ssh_gotdata_crstate);
2653 * To begin with, feed the characters one by one to the
2654 * protocol initialisation / selection function do_ssh_init().
2655 * When that returns 0, we're done with the initial greeting
2656 * exchange and can move on to packet discipline.
2659 int ret; /* need not be kept across crReturn */
2661 crReturnV; /* more data please */
2662 ret = do_ssh_init(ssh, *data);
2670 * We emerge from that loop when the initial negotiation is
2671 * over and we have selected an s_rdpkt function. Now pass
2672 * everything to s_rdpkt, and then pass the resulting packets
2673 * to the proper protocol handler.
2677 while (bufchain_size(&ssh->queued_incoming_data) > 0 || datalen > 0) {
2679 ssh_queue_incoming_data(ssh, &data, &datalen);
2680 /* This uses up all data and cannot cause anything interesting
2681 * to happen; indeed, for anything to happen at all, we must
2682 * return, so break out. */
2684 } else if (bufchain_size(&ssh->queued_incoming_data) > 0) {
2685 /* This uses up some or all data, and may freeze the
2687 ssh_process_queued_incoming_data(ssh);
2689 /* This uses up some or all data, and may freeze the
2691 ssh_process_incoming_data(ssh, &data, &datalen);
2693 /* FIXME this is probably EBW. */
2694 if (ssh->state == SSH_STATE_CLOSED)
2697 /* We're out of data. Go and get some more. */
2703 static int ssh_do_close(Ssh ssh, int notify_exit)
2706 struct ssh_channel *c;
2708 ssh->state = SSH_STATE_CLOSED;
2709 expire_timer_context(ssh);
2714 notify_remote_exit(ssh->frontend);
2719 * Now we must shut down any port- and X-forwarded channels going
2720 * through this connection.
2722 if (ssh->channels) {
2723 while (NULL != (c = index234(ssh->channels, 0))) {
2726 x11_close(c->u.x11.s);
2729 pfd_close(c->u.pfd.s);
2732 del234(ssh->channels, c); /* moving next one to index 0 */
2733 if (ssh->version == 2)
2734 bufchain_clear(&c->v.v2.outbuffer);
2739 * Go through port-forwardings, and close any associated
2740 * listening sockets.
2742 if (ssh->portfwds) {
2743 struct ssh_portfwd *pf;
2744 while (NULL != (pf = index234(ssh->portfwds, 0))) {
2745 /* Dispose of any listening socket. */
2747 pfd_terminate(pf->local);
2748 del234(ssh->portfwds, pf); /* moving next one to index 0 */
2756 static void ssh_log(Plug plug, int type, SockAddr addr, int port,
2757 const char *error_msg, int error_code)
2759 Ssh ssh = (Ssh) plug;
2760 char addrbuf[256], *msg;
2762 sk_getaddr(addr, addrbuf, lenof(addrbuf));
2765 msg = dupprintf("Connecting to %s port %d", addrbuf, port);
2767 msg = dupprintf("Failed to connect to %s: %s", addrbuf, error_msg);
2773 static int ssh_closing(Plug plug, const char *error_msg, int error_code,
2776 Ssh ssh = (Ssh) plug;
2777 int need_notify = ssh_do_close(ssh, FALSE);
2780 if (!ssh->close_expected)
2781 error_msg = "Server unexpectedly closed network connection";
2783 error_msg = "Server closed network connection";
2786 if (ssh->close_expected && ssh->clean_exit && ssh->exitcode < 0)
2790 notify_remote_exit(ssh->frontend);
2793 logevent(error_msg);
2794 if (!ssh->close_expected || !ssh->clean_exit)
2795 connection_fatal(ssh->frontend, "%s", error_msg);
2799 static int ssh_receive(Plug plug, int urgent, char *data, int len)
2801 Ssh ssh = (Ssh) plug;
2802 ssh_gotdata(ssh, (unsigned char *)data, len);
2803 if (ssh->state == SSH_STATE_CLOSED) {
2804 ssh_do_close(ssh, TRUE);
2810 static void ssh_sent(Plug plug, int bufsize)
2812 Ssh ssh = (Ssh) plug;
2814 * If the send backlog on the SSH socket itself clears, we
2815 * should unthrottle the whole world if it was throttled.
2817 if (bufsize < SSH_MAX_BACKLOG)
2818 ssh_throttle_all(ssh, 0, bufsize);
2822 * Connect to specified host and port.
2823 * Returns an error message, or NULL on success.
2824 * Also places the canonical host name into `realhost'. It must be
2825 * freed by the caller.
2827 static const char *connect_to_host(Ssh ssh, char *host, int port,
2828 char **realhost, int nodelay, int keepalive)
2830 static const struct plug_function_table fn_table = {
2841 if (*ssh->cfg.loghost) {
2844 ssh->savedhost = dupstr(ssh->cfg.loghost);
2845 ssh->savedport = 22; /* default ssh port */
2848 * A colon suffix on savedhost also lets us affect
2851 * (FIXME: do something about IPv6 address literals here.)
2853 colon = strrchr(ssh->savedhost, ':');
2857 ssh->savedport = atoi(colon);
2860 ssh->savedhost = dupstr(host);
2862 port = 22; /* default ssh port */
2863 ssh->savedport = port;
2869 logeventf(ssh, "Looking up host \"%s\"%s", host,
2870 (ssh->cfg.addressfamily == ADDRTYPE_IPV4 ? " (IPv4)" :
2871 (ssh->cfg.addressfamily == ADDRTYPE_IPV6 ? " (IPv6)" : "")));
2872 addr = name_lookup(host, port, realhost, &ssh->cfg,
2873 ssh->cfg.addressfamily);
2874 if ((err = sk_addr_error(addr)) != NULL) {
2882 ssh->fn = &fn_table;
2883 ssh->s = new_connection(addr, *realhost, port,
2884 0, 1, nodelay, keepalive, (Plug) ssh, &ssh->cfg);
2885 if ((err = sk_socket_error(ssh->s)) != NULL) {
2887 notify_remote_exit(ssh->frontend);
2892 * If the SSH version number's fixed, set it now, and if it's SSH-2,
2893 * send the version string too.
2895 if (ssh->cfg.sshprot == 0)
2897 if (ssh->cfg.sshprot == 3) {
2899 ssh_send_verstring(ssh, NULL);
2903 * loghost, if configured, overrides realhost.
2905 if (*ssh->cfg.loghost) {
2907 *realhost = dupstr(ssh->cfg.loghost);
2914 * Throttle or unthrottle the SSH connection.
2916 static void ssh_throttle_conn(Ssh ssh, int adjust)
2918 int old_count = ssh->conn_throttle_count;
2919 ssh->conn_throttle_count += adjust;
2920 assert(ssh->conn_throttle_count >= 0);
2921 if (ssh->conn_throttle_count && !old_count) {
2922 ssh_set_frozen(ssh, 1);
2923 } else if (!ssh->conn_throttle_count && old_count) {
2924 ssh_set_frozen(ssh, 0);
2929 * Throttle or unthrottle _all_ local data streams (for when sends
2930 * on the SSH connection itself back up).
2932 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize)
2935 struct ssh_channel *c;
2937 if (enable == ssh->throttled_all)
2939 ssh->throttled_all = enable;
2940 ssh->overall_bufsize = bufsize;
2943 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++) {
2945 case CHAN_MAINSESSION:
2947 * This is treated separately, outside the switch.
2951 x11_override_throttle(c->u.x11.s, enable);
2954 /* Agent channels require no buffer management. */
2957 pfd_override_throttle(c->u.pfd.s, enable);
2963 static void ssh_agent_callback(void *sshv, void *reply, int replylen)
2965 Ssh ssh = (Ssh) sshv;
2967 ssh->agent_response = reply;
2968 ssh->agent_response_len = replylen;
2970 if (ssh->version == 1)
2971 do_ssh1_login(ssh, NULL, -1, NULL);
2973 do_ssh2_authconn(ssh, NULL, -1, NULL);
2976 static void ssh_dialog_callback(void *sshv, int ret)
2978 Ssh ssh = (Ssh) sshv;
2980 ssh->user_response = ret;
2982 if (ssh->version == 1)
2983 do_ssh1_login(ssh, NULL, -1, NULL);
2985 do_ssh2_transport(ssh, NULL, -1, NULL);
2988 * This may have unfrozen the SSH connection, so do a
2991 ssh_process_queued_incoming_data(ssh);
2994 static void ssh_agentf_callback(void *cv, void *reply, int replylen)
2996 struct ssh_channel *c = (struct ssh_channel *)cv;
2998 void *sentreply = reply;
3001 /* Fake SSH_AGENT_FAILURE. */
3002 sentreply = "\0\0\0\1\5";
3005 if (ssh->version == 2) {
3006 ssh2_add_channel_data(c, sentreply, replylen);
3009 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
3010 PKT_INT, c->remoteid,
3013 PKT_DATA, sentreply, replylen,
3022 * Client-initiated disconnection. Send a DISCONNECT if `wire_reason'
3023 * non-NULL, otherwise just close the connection. `client_reason' == NULL
3024 * => log `wire_reason'.
3026 static void ssh_disconnect(Ssh ssh, char *client_reason, char *wire_reason,
3027 int code, int clean_exit)
3031 client_reason = wire_reason;
3033 error = dupprintf("Disconnected: %s", client_reason);
3035 error = dupstr("Disconnected");
3037 if (ssh->version == 1) {
3038 send_packet(ssh, SSH1_MSG_DISCONNECT, PKT_STR, wire_reason,
3040 } else if (ssh->version == 2) {
3041 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_DISCONNECT);
3042 ssh2_pkt_adduint32(pktout, code);
3043 ssh2_pkt_addstring(pktout, wire_reason);
3044 ssh2_pkt_addstring(pktout, "en"); /* language tag */
3045 ssh2_pkt_send_noqueue(ssh, pktout);
3048 ssh->close_expected = TRUE;
3049 ssh->clean_exit = clean_exit;
3050 ssh_closing((Plug)ssh, error, 0, 0);
3055 * Handle the key exchange and user authentication phases.
3057 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
3058 struct Packet *pktin)
3061 unsigned char cookie[8], *ptr;
3062 struct RSAKey servkey, hostkey;
3063 struct MD5Context md5c;
3064 struct do_ssh1_login_state {
3066 unsigned char *rsabuf, *keystr1, *keystr2;
3067 unsigned long supported_ciphers_mask, supported_auths_mask;
3068 int tried_publickey, tried_agent;
3069 int tis_auth_refused, ccard_auth_refused;
3070 unsigned char session_id[16];
3073 void *publickey_blob;
3074 int publickey_bloblen;
3075 char *publickey_comment;
3076 int publickey_encrypted;
3077 prompts_t *cur_prompt;
3080 unsigned char request[5], *response, *p;
3090 crState(do_ssh1_login_state);
3092 crBegin(ssh->do_ssh1_login_crstate);
3097 if (pktin->type != SSH1_SMSG_PUBLIC_KEY) {
3098 bombout(("Public key packet not received"));
3102 logevent("Received public keys");
3104 ptr = ssh_pkt_getdata(pktin, 8);
3106 bombout(("SSH-1 public key packet stopped before random cookie"));
3109 memcpy(cookie, ptr, 8);
3111 if (!ssh1_pkt_getrsakey(pktin, &servkey, &s->keystr1) ||
3112 !ssh1_pkt_getrsakey(pktin, &hostkey, &s->keystr2)) {
3113 bombout(("Failed to read SSH-1 public keys from public key packet"));
3118 * Log the host key fingerprint.
3122 logevent("Host key fingerprint is:");
3123 strcpy(logmsg, " ");
3124 hostkey.comment = NULL;
3125 rsa_fingerprint(logmsg + strlen(logmsg),
3126 sizeof(logmsg) - strlen(logmsg), &hostkey);
3130 ssh->v1_remote_protoflags = ssh_pkt_getuint32(pktin);
3131 s->supported_ciphers_mask = ssh_pkt_getuint32(pktin);
3132 s->supported_auths_mask = ssh_pkt_getuint32(pktin);
3133 if ((ssh->remote_bugs & BUG_CHOKES_ON_RSA))
3134 s->supported_auths_mask &= ~(1 << SSH1_AUTH_RSA);
3136 ssh->v1_local_protoflags =
3137 ssh->v1_remote_protoflags & SSH1_PROTOFLAGS_SUPPORTED;
3138 ssh->v1_local_protoflags |= SSH1_PROTOFLAG_SCREEN_NUMBER;
3141 MD5Update(&md5c, s->keystr2, hostkey.bytes);
3142 MD5Update(&md5c, s->keystr1, servkey.bytes);
3143 MD5Update(&md5c, cookie, 8);
3144 MD5Final(s->session_id, &md5c);
3146 for (i = 0; i < 32; i++)
3147 ssh->session_key[i] = random_byte();
3150 * Verify that the `bits' and `bytes' parameters match.
3152 if (hostkey.bits > hostkey.bytes * 8 ||
3153 servkey.bits > servkey.bytes * 8) {
3154 bombout(("SSH-1 public keys were badly formatted"));
3158 s->len = (hostkey.bytes > servkey.bytes ? hostkey.bytes : servkey.bytes);
3160 s->rsabuf = snewn(s->len, unsigned char);
3163 * Verify the host key.
3167 * First format the key into a string.
3169 int len = rsastr_len(&hostkey);
3170 char fingerprint[100];
3171 char *keystr = snewn(len, char);
3172 rsastr_fmt(keystr, &hostkey);
3173 rsa_fingerprint(fingerprint, sizeof(fingerprint), &hostkey);
3175 ssh_set_frozen(ssh, 1);
3176 s->dlgret = verify_ssh_host_key(ssh->frontend,
3177 ssh->savedhost, ssh->savedport,
3178 "rsa", keystr, fingerprint,
3179 ssh_dialog_callback, ssh);
3181 if (s->dlgret < 0) {
3185 bombout(("Unexpected data from server while waiting"
3186 " for user host key response"));
3189 } while (pktin || inlen > 0);
3190 s->dlgret = ssh->user_response;
3192 ssh_set_frozen(ssh, 0);
3194 if (s->dlgret == 0) {
3195 ssh_disconnect(ssh, "User aborted at host key verification",
3201 for (i = 0; i < 32; i++) {
3202 s->rsabuf[i] = ssh->session_key[i];
3204 s->rsabuf[i] ^= s->session_id[i];
3207 if (hostkey.bytes > servkey.bytes) {
3208 ret = rsaencrypt(s->rsabuf, 32, &servkey);
3210 ret = rsaencrypt(s->rsabuf, servkey.bytes, &hostkey);
3212 ret = rsaencrypt(s->rsabuf, 32, &hostkey);
3214 ret = rsaencrypt(s->rsabuf, hostkey.bytes, &servkey);
3217 bombout(("SSH-1 public key encryptions failed due to bad formatting"));
3221 logevent("Encrypted session key");
3224 int cipher_chosen = 0, warn = 0;
3225 char *cipher_string = NULL;
3227 for (i = 0; !cipher_chosen && i < CIPHER_MAX; i++) {
3228 int next_cipher = ssh->cfg.ssh_cipherlist[i];
3229 if (next_cipher == CIPHER_WARN) {
3230 /* If/when we choose a cipher, warn about it */
3232 } else if (next_cipher == CIPHER_AES) {
3233 /* XXX Probably don't need to mention this. */
3234 logevent("AES not supported in SSH-1, skipping");
3236 switch (next_cipher) {
3237 case CIPHER_3DES: s->cipher_type = SSH_CIPHER_3DES;
3238 cipher_string = "3DES"; break;
3239 case CIPHER_BLOWFISH: s->cipher_type = SSH_CIPHER_BLOWFISH;
3240 cipher_string = "Blowfish"; break;
3241 case CIPHER_DES: s->cipher_type = SSH_CIPHER_DES;
3242 cipher_string = "single-DES"; break;
3244 if (s->supported_ciphers_mask & (1 << s->cipher_type))
3248 if (!cipher_chosen) {
3249 if ((s->supported_ciphers_mask & (1 << SSH_CIPHER_3DES)) == 0)
3250 bombout(("Server violates SSH-1 protocol by not "
3251 "supporting 3DES encryption"));
3253 /* shouldn't happen */
3254 bombout(("No supported ciphers found"));
3258 /* Warn about chosen cipher if necessary. */
3260 ssh_set_frozen(ssh, 1);
3261 s->dlgret = askalg(ssh->frontend, "cipher", cipher_string,
3262 ssh_dialog_callback, ssh);
3263 if (s->dlgret < 0) {
3267 bombout(("Unexpected data from server while waiting"
3268 " for user response"));
3271 } while (pktin || inlen > 0);
3272 s->dlgret = ssh->user_response;
3274 ssh_set_frozen(ssh, 0);
3275 if (s->dlgret == 0) {
3276 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
3283 switch (s->cipher_type) {
3284 case SSH_CIPHER_3DES:
3285 logevent("Using 3DES encryption");
3287 case SSH_CIPHER_DES:
3288 logevent("Using single-DES encryption");
3290 case SSH_CIPHER_BLOWFISH:
3291 logevent("Using Blowfish encryption");
3295 send_packet(ssh, SSH1_CMSG_SESSION_KEY,
3296 PKT_CHAR, s->cipher_type,
3297 PKT_DATA, cookie, 8,
3298 PKT_CHAR, (s->len * 8) >> 8, PKT_CHAR, (s->len * 8) & 0xFF,
3299 PKT_DATA, s->rsabuf, s->len,
3300 PKT_INT, ssh->v1_local_protoflags, PKT_END);
3302 logevent("Trying to enable encryption...");
3306 ssh->cipher = (s->cipher_type == SSH_CIPHER_BLOWFISH ? &ssh_blowfish_ssh1 :
3307 s->cipher_type == SSH_CIPHER_DES ? &ssh_des :
3309 ssh->v1_cipher_ctx = ssh->cipher->make_context();
3310 ssh->cipher->sesskey(ssh->v1_cipher_ctx, ssh->session_key);
3311 logeventf(ssh, "Initialised %s encryption", ssh->cipher->text_name);
3313 ssh->crcda_ctx = crcda_make_context();
3314 logevent("Installing CRC compensation attack detector");
3316 if (servkey.modulus) {
3317 sfree(servkey.modulus);
3318 servkey.modulus = NULL;
3320 if (servkey.exponent) {
3321 sfree(servkey.exponent);
3322 servkey.exponent = NULL;
3324 if (hostkey.modulus) {
3325 sfree(hostkey.modulus);
3326 hostkey.modulus = NULL;
3328 if (hostkey.exponent) {
3329 sfree(hostkey.exponent);
3330 hostkey.exponent = NULL;
3334 if (pktin->type != SSH1_SMSG_SUCCESS) {
3335 bombout(("Encryption not successfully enabled"));
3339 logevent("Successfully started encryption");
3341 fflush(stdout); /* FIXME eh? */
3343 if (!*ssh->cfg.username) {
3344 int ret; /* need not be kept over crReturn */
3345 s->cur_prompt = new_prompts(ssh->frontend);
3346 s->cur_prompt->to_server = TRUE;
3347 s->cur_prompt->name = dupstr("SSH login name");
3348 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
3349 lenof(s->username));
3350 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3353 crWaitUntil(!pktin);
3354 ret = get_userpass_input(s->cur_prompt, in, inlen);
3359 * Failed to get a username. Terminate.
3361 free_prompts(s->cur_prompt);
3362 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
3365 memcpy(s->username, s->cur_prompt->prompts[0]->result,
3366 lenof(s->username));
3367 free_prompts(s->cur_prompt);
3369 strncpy(s->username, ssh->cfg.username, sizeof(s->username));
3370 s->username[sizeof(s->username)-1] = '\0';
3373 send_packet(ssh, SSH1_CMSG_USER, PKT_STR, s->username, PKT_END);
3375 char *userlog = dupprintf("Sent username \"%s\"", s->username);
3377 if (flags & FLAG_INTERACTIVE &&
3378 (!((flags & FLAG_STDERR) && (flags & FLAG_VERBOSE)))) {
3379 c_write_str(ssh, userlog);
3380 c_write_str(ssh, "\r\n");
3388 if ((s->supported_auths_mask & (1 << SSH1_AUTH_RSA)) == 0) {
3389 /* We must not attempt PK auth. Pretend we've already tried it. */
3390 s->tried_publickey = s->tried_agent = 1;
3392 s->tried_publickey = s->tried_agent = 0;
3394 s->tis_auth_refused = s->ccard_auth_refused = 0;
3396 * Load the public half of any configured keyfile for later use.
3398 if (!filename_is_null(ssh->cfg.keyfile)) {
3400 logeventf(ssh, "Reading private key file \"%.150s\"",
3401 filename_to_str(&ssh->cfg.keyfile));
3402 keytype = key_type(&ssh->cfg.keyfile);
3403 if (keytype == SSH_KEYTYPE_SSH1) {
3405 if (rsakey_pubblob(&ssh->cfg.keyfile,
3406 &s->publickey_blob, &s->publickey_bloblen,
3407 &s->publickey_comment, &error)) {
3408 s->publickey_encrypted = rsakey_encrypted(&ssh->cfg.keyfile,
3412 logeventf(ssh, "Unable to load private key (%s)", error);
3413 msgbuf = dupprintf("Unable to load private key file "
3414 "\"%.150s\" (%s)\r\n",
3415 filename_to_str(&ssh->cfg.keyfile),
3417 c_write_str(ssh, msgbuf);
3419 s->publickey_blob = NULL;
3423 logeventf(ssh, "Unable to use this key file (%s)",
3424 key_type_to_str(keytype));
3425 msgbuf = dupprintf("Unable to use key file \"%.150s\""
3427 filename_to_str(&ssh->cfg.keyfile),
3428 key_type_to_str(keytype));
3429 c_write_str(ssh, msgbuf);
3431 s->publickey_blob = NULL;
3434 s->publickey_blob = NULL;
3436 while (pktin->type == SSH1_SMSG_FAILURE) {
3437 s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
3439 if (ssh->cfg.tryagent && agent_exists() && !s->tried_agent) {
3441 * Attempt RSA authentication using Pageant.
3447 logevent("Pageant is running. Requesting keys.");
3449 /* Request the keys held by the agent. */
3450 PUT_32BIT(s->request, 1);
3451 s->request[4] = SSH1_AGENTC_REQUEST_RSA_IDENTITIES;
3452 if (!agent_query(s->request, 5, &r, &s->responselen,
3453 ssh_agent_callback, ssh)) {
3457 bombout(("Unexpected data from server while waiting"
3458 " for agent response"));
3461 } while (pktin || inlen > 0);
3462 r = ssh->agent_response;
3463 s->responselen = ssh->agent_response_len;
3465 s->response = (unsigned char *) r;
3466 if (s->response && s->responselen >= 5 &&
3467 s->response[4] == SSH1_AGENT_RSA_IDENTITIES_ANSWER) {
3468 s->p = s->response + 5;
3469 s->nkeys = GET_32BIT(s->p);
3471 logeventf(ssh, "Pageant has %d SSH-1 keys", s->nkeys);
3472 for (s->keyi = 0; s->keyi < s->nkeys; s->keyi++) {
3473 unsigned char *pkblob = s->p;
3477 do { /* do while (0) to make breaking easy */
3478 n = ssh1_read_bignum
3479 (s->p, s->responselen-(s->p-s->response),
3484 n = ssh1_read_bignum
3485 (s->p, s->responselen-(s->p-s->response),
3490 if (s->responselen - (s->p-s->response) < 4)
3492 s->commentlen = GET_32BIT(s->p);
3494 if (s->responselen - (s->p-s->response) <
3497 s->commentp = (char *)s->p;
3498 s->p += s->commentlen;
3502 logevent("Pageant key list packet was truncated");
3506 if (s->publickey_blob) {
3507 if (!memcmp(pkblob, s->publickey_blob,
3508 s->publickey_bloblen)) {
3509 logeventf(ssh, "Pageant key #%d matches "
3510 "configured key file", s->keyi);
3511 s->tried_publickey = 1;
3513 /* Skip non-configured key */
3516 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
3517 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3518 PKT_BIGNUM, s->key.modulus, PKT_END);
3520 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3521 logevent("Key refused");
3524 logevent("Received RSA challenge");
3525 if ((s->challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3526 bombout(("Server's RSA challenge was badly formatted"));
3531 char *agentreq, *q, *ret;
3534 len = 1 + 4; /* message type, bit count */
3535 len += ssh1_bignum_length(s->key.exponent);
3536 len += ssh1_bignum_length(s->key.modulus);
3537 len += ssh1_bignum_length(s->challenge);
3538 len += 16; /* session id */
3539 len += 4; /* response format */
3540 agentreq = snewn(4 + len, char);
3541 PUT_32BIT(agentreq, len);
3543 *q++ = SSH1_AGENTC_RSA_CHALLENGE;
3544 PUT_32BIT(q, bignum_bitcount(s->key.modulus));
3546 q += ssh1_write_bignum(q, s->key.exponent);
3547 q += ssh1_write_bignum(q, s->key.modulus);
3548 q += ssh1_write_bignum(q, s->challenge);
3549 memcpy(q, s->session_id, 16);
3551 PUT_32BIT(q, 1); /* response format */
3552 if (!agent_query(agentreq, len + 4, &vret, &retlen,
3553 ssh_agent_callback, ssh)) {
3558 bombout(("Unexpected data from server"
3559 " while waiting for agent"
3563 } while (pktin || inlen > 0);
3564 vret = ssh->agent_response;
3565 retlen = ssh->agent_response_len;
3570 if (ret[4] == SSH1_AGENT_RSA_RESPONSE) {
3571 logevent("Sending Pageant's response");
3572 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3573 PKT_DATA, ret + 5, 16,
3577 if (pktin->type == SSH1_SMSG_SUCCESS) {
3579 ("Pageant's response accepted");
3580 if (flags & FLAG_VERBOSE) {
3581 c_write_str(ssh, "Authenticated using"
3583 c_write(ssh, s->commentp,
3585 c_write_str(ssh, "\" from agent\r\n");
3590 ("Pageant's response not accepted");
3593 ("Pageant failed to answer challenge");
3597 logevent("No reply received from Pageant");
3600 freebn(s->key.exponent);
3601 freebn(s->key.modulus);
3602 freebn(s->challenge);
3607 if (s->publickey_blob && !s->tried_publickey)
3608 logevent("Configured key file not in Pageant");
3613 if (s->publickey_blob && !s->tried_publickey) {
3615 * Try public key authentication with the specified
3618 int got_passphrase; /* need not be kept over crReturn */
3619 if (flags & FLAG_VERBOSE)
3620 c_write_str(ssh, "Trying public key authentication.\r\n");
3621 logeventf(ssh, "Trying public key \"%s\"",
3622 filename_to_str(&ssh->cfg.keyfile));
3623 s->tried_publickey = 1;
3624 got_passphrase = FALSE;
3625 while (!got_passphrase) {
3627 * Get a passphrase, if necessary.
3629 char *passphrase = NULL; /* only written after crReturn */
3631 if (!s->publickey_encrypted) {
3632 if (flags & FLAG_VERBOSE)
3633 c_write_str(ssh, "No passphrase required.\r\n");
3636 int ret; /* need not be kept over crReturn */
3637 s->cur_prompt = new_prompts(ssh->frontend);
3638 s->cur_prompt->to_server = FALSE;
3639 s->cur_prompt->name = dupstr("SSH key passphrase");
3640 add_prompt(s->cur_prompt,
3641 dupprintf("Passphrase for key \"%.100s\": ",
3642 s->publickey_comment),
3643 FALSE, SSH_MAX_PASSWORD_LEN);
3644 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3647 crWaitUntil(!pktin);
3648 ret = get_userpass_input(s->cur_prompt, in, inlen);
3652 /* Failed to get a passphrase. Terminate. */
3653 free_prompts(s->cur_prompt);
3654 ssh_disconnect(ssh, NULL, "Unable to authenticate",
3658 passphrase = dupstr(s->cur_prompt->prompts[0]->result);
3659 free_prompts(s->cur_prompt);
3662 * Try decrypting key with passphrase.
3664 ret = loadrsakey(&ssh->cfg.keyfile, &s->key, passphrase,
3667 memset(passphrase, 0, strlen(passphrase));
3671 /* Correct passphrase. */
3672 got_passphrase = TRUE;
3673 } else if (ret == 0) {
3674 c_write_str(ssh, "Couldn't load private key from ");
3675 c_write_str(ssh, filename_to_str(&ssh->cfg.keyfile));
3676 c_write_str(ssh, " (");
3677 c_write_str(ssh, error);
3678 c_write_str(ssh, ").\r\n");
3679 got_passphrase = FALSE;
3680 break; /* go and try something else */
3681 } else if (ret == -1) {
3682 c_write_str(ssh, "Wrong passphrase.\r\n"); /* FIXME */
3683 got_passphrase = FALSE;
3686 assert(0 && "unexpected return from loadrsakey()");
3687 got_passphrase = FALSE; /* placate optimisers */
3691 if (got_passphrase) {
3694 * Send a public key attempt.
3696 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
3697 PKT_BIGNUM, s->key.modulus, PKT_END);
3700 if (pktin->type == SSH1_SMSG_FAILURE) {
3701 c_write_str(ssh, "Server refused our public key.\r\n");
3702 continue; /* go and try something else */
3704 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
3705 bombout(("Bizarre response to offer of public key"));
3711 unsigned char buffer[32];
3712 Bignum challenge, response;
3714 if ((challenge = ssh1_pkt_getmp(pktin)) == NULL) {
3715 bombout(("Server's RSA challenge was badly formatted"));
3718 response = rsadecrypt(challenge, &s->key);
3719 freebn(s->key.private_exponent);/* burn the evidence */
3721 for (i = 0; i < 32; i++) {
3722 buffer[i] = bignum_byte(response, 31 - i);
3726 MD5Update(&md5c, buffer, 32);
3727 MD5Update(&md5c, s->session_id, 16);
3728 MD5Final(buffer, &md5c);
3730 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
3731 PKT_DATA, buffer, 16, PKT_END);
3738 if (pktin->type == SSH1_SMSG_FAILURE) {
3739 if (flags & FLAG_VERBOSE)
3740 c_write_str(ssh, "Failed to authenticate with"
3741 " our public key.\r\n");
3742 continue; /* go and try something else */
3743 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
3744 bombout(("Bizarre response to RSA authentication response"));
3748 break; /* we're through! */
3754 * Otherwise, try various forms of password-like authentication.
3756 s->cur_prompt = new_prompts(ssh->frontend);
3758 if (ssh->cfg.try_tis_auth &&
3759 (s->supported_auths_mask & (1 << SSH1_AUTH_TIS)) &&
3760 !s->tis_auth_refused) {
3761 s->pwpkt_type = SSH1_CMSG_AUTH_TIS_RESPONSE;
3762 logevent("Requested TIS authentication");
3763 send_packet(ssh, SSH1_CMSG_AUTH_TIS, PKT_END);
3765 if (pktin->type != SSH1_SMSG_AUTH_TIS_CHALLENGE) {
3766 logevent("TIS authentication declined");
3767 if (flags & FLAG_INTERACTIVE)
3768 c_write_str(ssh, "TIS authentication refused.\r\n");
3769 s->tis_auth_refused = 1;
3774 char *instr_suf, *prompt;
3776 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3778 bombout(("TIS challenge packet was badly formed"));
3781 logevent("Received TIS challenge");
3782 s->cur_prompt->to_server = TRUE;
3783 s->cur_prompt->name = dupstr("SSH TIS authentication");
3784 /* Prompt heuristic comes from OpenSSH */
3785 if (memchr(challenge, '\n', challengelen)) {
3786 instr_suf = dupstr("");
3787 prompt = dupprintf("%.*s", challengelen, challenge);
3789 instr_suf = dupprintf("%.*s", challengelen, challenge);
3790 prompt = dupstr("Response: ");
3792 s->cur_prompt->instruction =
3793 dupprintf("Using TIS authentication.%s%s",
3794 (*instr_suf) ? "\n" : "",
3796 s->cur_prompt->instr_reqd = TRUE;
3797 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3801 if (ssh->cfg.try_tis_auth &&
3802 (s->supported_auths_mask & (1 << SSH1_AUTH_CCARD)) &&
3803 !s->ccard_auth_refused) {
3804 s->pwpkt_type = SSH1_CMSG_AUTH_CCARD_RESPONSE;
3805 logevent("Requested CryptoCard authentication");
3806 send_packet(ssh, SSH1_CMSG_AUTH_CCARD, PKT_END);
3808 if (pktin->type != SSH1_SMSG_AUTH_CCARD_CHALLENGE) {
3809 logevent("CryptoCard authentication declined");
3810 c_write_str(ssh, "CryptoCard authentication refused.\r\n");
3811 s->ccard_auth_refused = 1;
3816 char *instr_suf, *prompt;
3818 ssh_pkt_getstring(pktin, &challenge, &challengelen);
3820 bombout(("CryptoCard challenge packet was badly formed"));
3823 logevent("Received CryptoCard challenge");
3824 s->cur_prompt->to_server = TRUE;
3825 s->cur_prompt->name = dupstr("SSH CryptoCard authentication");
3826 s->cur_prompt->name_reqd = FALSE;
3827 /* Prompt heuristic comes from OpenSSH */
3828 if (memchr(challenge, '\n', challengelen)) {
3829 instr_suf = dupstr("");
3830 prompt = dupprintf("%.*s", challengelen, challenge);
3832 instr_suf = dupprintf("%.*s", challengelen, challenge);
3833 prompt = dupstr("Response: ");
3835 s->cur_prompt->instruction =
3836 dupprintf("Using CryptoCard authentication.%s%s",
3837 (*instr_suf) ? "\n" : "",
3839 s->cur_prompt->instr_reqd = TRUE;
3840 add_prompt(s->cur_prompt, prompt, FALSE, SSH_MAX_PASSWORD_LEN);
3844 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3845 if ((s->supported_auths_mask & (1 << SSH1_AUTH_PASSWORD)) == 0) {
3846 bombout(("No supported authentication methods available"));
3849 s->cur_prompt->to_server = TRUE;
3850 s->cur_prompt->name = dupstr("SSH password");
3851 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
3852 s->username, ssh->savedhost),
3853 FALSE, SSH_MAX_PASSWORD_LEN);
3857 * Show password prompt, having first obtained it via a TIS
3858 * or CryptoCard exchange if we're doing TIS or CryptoCard
3862 int ret; /* need not be kept over crReturn */
3863 ret = get_userpass_input(s->cur_prompt, NULL, 0);
3866 crWaitUntil(!pktin);
3867 ret = get_userpass_input(s->cur_prompt, in, inlen);
3872 * Failed to get a password (for example
3873 * because one was supplied on the command line
3874 * which has already failed to work). Terminate.
3876 free_prompts(s->cur_prompt);
3877 ssh_disconnect(ssh, NULL, "Unable to authenticate", 0, TRUE);
3882 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
3884 * Defence against traffic analysis: we send a
3885 * whole bunch of packets containing strings of
3886 * different lengths. One of these strings is the
3887 * password, in a SSH1_CMSG_AUTH_PASSWORD packet.
3888 * The others are all random data in
3889 * SSH1_MSG_IGNORE packets. This way a passive
3890 * listener can't tell which is the password, and
3891 * hence can't deduce the password length.
3893 * Anybody with a password length greater than 16
3894 * bytes is going to have enough entropy in their
3895 * password that a listener won't find it _that_
3896 * much help to know how long it is. So what we'll
3899 * - if password length < 16, we send 15 packets
3900 * containing string lengths 1 through 15
3902 * - otherwise, we let N be the nearest multiple
3903 * of 8 below the password length, and send 8
3904 * packets containing string lengths N through
3905 * N+7. This won't obscure the order of
3906 * magnitude of the password length, but it will
3907 * introduce a bit of extra uncertainty.
3909 * A few servers can't deal with SSH1_MSG_IGNORE, at
3910 * least in this context. For these servers, we need
3911 * an alternative defence. We make use of the fact
3912 * that the password is interpreted as a C string:
3913 * so we can append a NUL, then some random data.
3915 * A few servers can deal with neither SSH1_MSG_IGNORE
3916 * here _nor_ a padded password string.
3917 * For these servers we are left with no defences
3918 * against password length sniffing.
3920 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE) &&
3921 !(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
3923 * The server can deal with SSH1_MSG_IGNORE, so
3924 * we can use the primary defence.
3926 int bottom, top, pwlen, i;
3929 pwlen = strlen(s->cur_prompt->prompts[0]->result);
3931 bottom = 0; /* zero length passwords are OK! :-) */
3934 bottom = pwlen & ~7;
3938 assert(pwlen >= bottom && pwlen <= top);
3940 randomstr = snewn(top + 1, char);
3942 for (i = bottom; i <= top; i++) {
3944 defer_packet(ssh, s->pwpkt_type,
3945 PKTT_PASSWORD, PKT_STR,
3946 s->cur_prompt->prompts[0]->result,
3947 PKTT_OTHER, PKT_END);
3949 for (j = 0; j < i; j++) {
3951 randomstr[j] = random_byte();
3952 } while (randomstr[j] == '\0');
3954 randomstr[i] = '\0';
3955 defer_packet(ssh, SSH1_MSG_IGNORE,
3956 PKT_STR, randomstr, PKT_END);
3959 logevent("Sending password with camouflage packets");
3960 ssh_pkt_defersend(ssh);
3963 else if (!(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
3965 * The server can't deal with SSH1_MSG_IGNORE
3966 * but can deal with padded passwords, so we
3967 * can use the secondary defence.
3973 len = strlen(s->cur_prompt->prompts[0]->result);
3974 if (len < sizeof(string)) {
3976 strcpy(string, s->cur_prompt->prompts[0]->result);
3977 len++; /* cover the zero byte */
3978 while (len < sizeof(string)) {
3979 string[len++] = (char) random_byte();
3982 ss = s->cur_prompt->prompts[0]->result;
3984 logevent("Sending length-padded password");
3985 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
3986 PKT_INT, len, PKT_DATA, ss, len,
3987 PKTT_OTHER, PKT_END);
3990 * The server is believed unable to cope with
3991 * any of our password camouflage methods.
3994 len = strlen(s->cur_prompt->prompts[0]->result);
3995 logevent("Sending unpadded password");
3996 send_packet(ssh, s->pwpkt_type,
3997 PKTT_PASSWORD, PKT_INT, len,
3998 PKT_DATA, s->cur_prompt->prompts[0]->result, len,
3999 PKTT_OTHER, PKT_END);
4002 send_packet(ssh, s->pwpkt_type, PKTT_PASSWORD,
4003 PKT_STR, s->cur_prompt->prompts[0]->result,
4004 PKTT_OTHER, PKT_END);
4006 logevent("Sent password");
4007 free_prompts(s->cur_prompt);
4009 if (pktin->type == SSH1_SMSG_FAILURE) {
4010 if (flags & FLAG_VERBOSE)
4011 c_write_str(ssh, "Access denied\r\n");
4012 logevent("Authentication refused");
4013 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
4014 bombout(("Strange packet received, type %d", pktin->type));
4020 if (s->publickey_blob) {
4021 sfree(s->publickey_blob);
4022 sfree(s->publickey_comment);
4025 logevent("Authentication successful");
4030 void sshfwd_close(struct ssh_channel *c)
4034 if (ssh->state == SSH_STATE_CLOSED)
4037 if (c && !c->closes) {
4039 * If halfopen is true, we have sent
4040 * CHANNEL_OPEN for this channel, but it hasn't even been
4041 * acknowledged by the server. So we must set a close flag
4042 * on it now, and then when the server acks the channel
4043 * open, we can close it then.
4046 if (ssh->version == 1) {
4047 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE, PKT_INT, c->remoteid,
4050 struct Packet *pktout;
4051 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
4052 ssh2_pkt_adduint32(pktout, c->remoteid);
4053 ssh2_pkt_send(ssh, pktout);
4056 c->closes = 1; /* sent MSG_CLOSE */
4057 if (c->type == CHAN_X11) {
4059 logevent("Forwarded X11 connection terminated");
4060 } else if (c->type == CHAN_SOCKDATA ||
4061 c->type == CHAN_SOCKDATA_DORMANT) {
4063 logevent("Forwarded port closed");
4068 int sshfwd_write(struct ssh_channel *c, char *buf, int len)
4072 if (ssh->state == SSH_STATE_CLOSED)
4075 if (ssh->version == 1) {
4076 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
4077 PKT_INT, c->remoteid,
4078 PKT_INT, len, PKTT_DATA, PKT_DATA, buf, len,
4079 PKTT_OTHER, PKT_END);
4081 * In SSH-1 we can return 0 here - implying that forwarded
4082 * connections are never individually throttled - because
4083 * the only circumstance that can cause throttling will be
4084 * the whole SSH connection backing up, in which case
4085 * _everything_ will be throttled as a whole.
4089 ssh2_add_channel_data(c, buf, len);
4090 return ssh2_try_send(c);
4094 void sshfwd_unthrottle(struct ssh_channel *c, int bufsize)
4099 if (ssh->state == SSH_STATE_CLOSED)
4102 if (ssh->version == 1) {
4103 buflimit = SSH1_BUFFER_LIMIT;
4105 buflimit = c->v.v2.locmaxwin;
4106 ssh2_set_window(c, bufsize < buflimit ? buflimit - bufsize : 0);
4108 if (c->throttling_conn && bufsize <= buflimit) {
4109 c->throttling_conn = 0;
4110 ssh_throttle_conn(ssh, -1);
4114 static void ssh_queueing_handler(Ssh ssh, struct Packet *pktin)
4116 struct queued_handler *qh = ssh->qhead;
4120 assert(pktin->type == qh->msg1 || pktin->type == qh->msg2);
4123 assert(ssh->packet_dispatch[qh->msg1] == ssh_queueing_handler);
4124 ssh->packet_dispatch[qh->msg1] = NULL;
4127 assert(ssh->packet_dispatch[qh->msg2] == ssh_queueing_handler);
4128 ssh->packet_dispatch[qh->msg2] = NULL;
4132 ssh->qhead = qh->next;
4134 if (ssh->qhead->msg1 > 0) {
4135 assert(ssh->packet_dispatch[ssh->qhead->msg1] == NULL);
4136 ssh->packet_dispatch[ssh->qhead->msg1] = ssh_queueing_handler;
4138 if (ssh->qhead->msg2 > 0) {
4139 assert(ssh->packet_dispatch[ssh->qhead->msg2] == NULL);
4140 ssh->packet_dispatch[ssh->qhead->msg2] = ssh_queueing_handler;
4143 ssh->qhead = ssh->qtail = NULL;
4144 ssh->packet_dispatch[pktin->type] = NULL;
4147 qh->handler(ssh, pktin, qh->ctx);
4152 static void ssh_queue_handler(Ssh ssh, int msg1, int msg2,
4153 chandler_fn_t handler, void *ctx)
4155 struct queued_handler *qh;
4157 qh = snew(struct queued_handler);
4160 qh->handler = handler;
4164 if (ssh->qtail == NULL) {
4168 assert(ssh->packet_dispatch[qh->msg1] == NULL);
4169 ssh->packet_dispatch[qh->msg1] = ssh_queueing_handler;
4172 assert(ssh->packet_dispatch[qh->msg2] == NULL);
4173 ssh->packet_dispatch[qh->msg2] = ssh_queueing_handler;
4176 ssh->qtail->next = qh;
4181 static void ssh_rportfwd_succfail(Ssh ssh, struct Packet *pktin, void *ctx)
4183 struct ssh_rportfwd *rpf, *pf = (struct ssh_rportfwd *)ctx;
4185 if (pktin->type == (ssh->version == 1 ? SSH1_SMSG_SUCCESS :
4186 SSH2_MSG_REQUEST_SUCCESS)) {
4187 logeventf(ssh, "Remote port forwarding from %s enabled",
4190 logeventf(ssh, "Remote port forwarding from %s refused",
4193 rpf = del234(ssh->rportfwds, pf);
4199 static void ssh_setup_portfwd(Ssh ssh, const Config *cfg)
4201 const char *portfwd_strptr = cfg->portfwd;
4202 struct ssh_portfwd *epf;
4205 if (!ssh->portfwds) {
4206 ssh->portfwds = newtree234(ssh_portcmp);
4209 * Go through the existing port forwardings and tag them
4210 * with status==DESTROY. Any that we want to keep will be
4211 * re-enabled (status==KEEP) as we go through the
4212 * configuration and find out which bits are the same as
4215 struct ssh_portfwd *epf;
4217 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4218 epf->status = DESTROY;
4221 while (*portfwd_strptr) {
4222 char address_family, type;
4223 int sport,dport,sserv,dserv;
4224 char sports[256], dports[256], saddr[256], host[256];
4227 address_family = 'A';
4229 if (*portfwd_strptr == 'A' ||
4230 *portfwd_strptr == '4' ||
4231 *portfwd_strptr == '6')
4232 address_family = *portfwd_strptr++;
4233 if (*portfwd_strptr == 'L' ||
4234 *portfwd_strptr == 'R' ||
4235 *portfwd_strptr == 'D')
4236 type = *portfwd_strptr++;
4241 while (*portfwd_strptr && *portfwd_strptr != '\t') {
4242 if (*portfwd_strptr == ':') {
4244 * We've seen a colon in the middle of the
4245 * source port number. This means that
4246 * everything we've seen until now is the
4247 * source _address_, so we'll move it into
4248 * saddr and start sports from the beginning
4253 if (ssh->version == 1 && type == 'R') {
4254 logeventf(ssh, "SSH-1 cannot handle remote source address "
4255 "spec \"%s\"; ignoring", sports);
4257 strcpy(saddr, sports);
4260 if (n < lenof(sports)-1) sports[n++] = *portfwd_strptr++;
4264 if (*portfwd_strptr == '\t')
4267 while (*portfwd_strptr && *portfwd_strptr != ':') {
4268 if (n < lenof(host)-1) host[n++] = *portfwd_strptr++;
4271 if (*portfwd_strptr == ':')
4274 while (*portfwd_strptr) {
4275 if (n < lenof(dports)-1) dports[n++] = *portfwd_strptr++;
4279 dport = atoi(dports);
4283 dport = net_service_lookup(dports);
4285 logeventf(ssh, "Service lookup failed for destination"
4286 " port \"%s\"", dports);
4290 while (*portfwd_strptr) portfwd_strptr++;
4294 portfwd_strptr++; /* eat the NUL and move to next one */
4296 sport = atoi(sports);
4300 sport = net_service_lookup(sports);
4302 logeventf(ssh, "Service lookup failed for source"
4303 " port \"%s\"", sports);
4306 if (sport && dport) {
4307 /* Set up a description of the source port. */
4308 struct ssh_portfwd *pfrec, *epfrec;
4310 pfrec = snew(struct ssh_portfwd);
4312 pfrec->saddr = *saddr ? dupstr(saddr) : NULL;
4313 pfrec->sserv = sserv ? dupstr(sports) : NULL;
4314 pfrec->sport = sport;
4315 pfrec->daddr = *host ? dupstr(host) : NULL;
4316 pfrec->dserv = dserv ? dupstr(dports) : NULL;
4317 pfrec->dport = dport;
4318 pfrec->local = NULL;
4319 pfrec->remote = NULL;
4320 pfrec->addressfamily = (address_family == '4' ? ADDRTYPE_IPV4 :
4321 address_family == '6' ? ADDRTYPE_IPV6 :
4324 epfrec = add234(ssh->portfwds, pfrec);
4325 if (epfrec != pfrec) {
4327 * We already have a port forwarding with precisely
4328 * these parameters. Hence, no need to do anything;
4329 * simply tag the existing one as KEEP.
4331 epfrec->status = KEEP;
4332 free_portfwd(pfrec);
4334 pfrec->status = CREATE;
4340 * Now go through and destroy any port forwardings which were
4343 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4344 if (epf->status == DESTROY) {
4347 message = dupprintf("%s port forwarding from %s%s%d",
4348 epf->type == 'L' ? "local" :
4349 epf->type == 'R' ? "remote" : "dynamic",
4350 epf->saddr ? epf->saddr : "",
4351 epf->saddr ? ":" : "",
4354 if (epf->type != 'D') {
4355 char *msg2 = dupprintf("%s to %s:%d", message,
4356 epf->daddr, epf->dport);
4361 logeventf(ssh, "Cancelling %s", message);
4365 struct ssh_rportfwd *rpf = epf->remote;
4366 struct Packet *pktout;
4369 * Cancel the port forwarding at the server
4372 if (ssh->version == 1) {
4374 * We cannot cancel listening ports on the
4375 * server side in SSH-1! There's no message
4376 * to support it. Instead, we simply remove
4377 * the rportfwd record from the local end
4378 * so that any connections the server tries
4379 * to make on it are rejected.
4382 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4383 ssh2_pkt_addstring(pktout, "cancel-tcpip-forward");
4384 ssh2_pkt_addbool(pktout, 0);/* _don't_ want reply */
4386 ssh2_pkt_addstring(pktout, epf->saddr);
4387 } else if (ssh->cfg.rport_acceptall) {
4388 /* XXX: ssh->cfg.rport_acceptall may not represent
4389 * what was used to open the original connection,
4390 * since it's reconfigurable. */
4391 ssh2_pkt_addstring(pktout, "0.0.0.0");
4393 ssh2_pkt_addstring(pktout, "127.0.0.1");
4395 ssh2_pkt_adduint32(pktout, epf->sport);
4396 ssh2_pkt_send(ssh, pktout);
4399 del234(ssh->rportfwds, rpf);
4401 } else if (epf->local) {
4402 pfd_terminate(epf->local);
4405 delpos234(ssh->portfwds, i);
4407 i--; /* so we don't skip one in the list */
4411 * And finally, set up any new port forwardings (status==CREATE).
4413 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4414 if (epf->status == CREATE) {
4415 char *sportdesc, *dportdesc;
4416 sportdesc = dupprintf("%s%s%s%s%d%s",
4417 epf->saddr ? epf->saddr : "",
4418 epf->saddr ? ":" : "",
4419 epf->sserv ? epf->sserv : "",
4420 epf->sserv ? "(" : "",
4422 epf->sserv ? ")" : "");
4423 if (epf->type == 'D') {
4426 dportdesc = dupprintf("%s:%s%s%d%s",
4428 epf->dserv ? epf->dserv : "",
4429 epf->dserv ? "(" : "",
4431 epf->dserv ? ")" : "");
4434 if (epf->type == 'L') {
4435 const char *err = pfd_addforward(epf->daddr, epf->dport,
4436 epf->saddr, epf->sport,
4439 epf->addressfamily);
4441 logeventf(ssh, "Local %sport %s forwarding to %s%s%s",
4442 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4443 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4444 sportdesc, dportdesc,
4445 err ? " failed: " : "", err ? err : "");
4446 } else if (epf->type == 'D') {
4447 const char *err = pfd_addforward(NULL, -1,
4448 epf->saddr, epf->sport,
4451 epf->addressfamily);
4453 logeventf(ssh, "Local %sport %s SOCKS dynamic forwarding%s%s",
4454 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
4455 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
4457 err ? " failed: " : "", err ? err : "");
4459 struct ssh_rportfwd *pf;
4462 * Ensure the remote port forwardings tree exists.
4464 if (!ssh->rportfwds) {
4465 if (ssh->version == 1)
4466 ssh->rportfwds = newtree234(ssh_rportcmp_ssh1);
4468 ssh->rportfwds = newtree234(ssh_rportcmp_ssh2);
4471 pf = snew(struct ssh_rportfwd);
4472 strncpy(pf->dhost, epf->daddr, lenof(pf->dhost)-1);
4473 pf->dhost[lenof(pf->dhost)-1] = '\0';
4474 pf->dport = epf->dport;
4475 pf->sport = epf->sport;
4476 if (add234(ssh->rportfwds, pf) != pf) {
4477 logeventf(ssh, "Duplicate remote port forwarding to %s:%d",
4478 epf->daddr, epf->dport);
4481 logeventf(ssh, "Requesting remote port %s"
4482 " forward to %s", sportdesc, dportdesc);
4484 pf->sportdesc = sportdesc;
4489 if (ssh->version == 1) {
4490 send_packet(ssh, SSH1_CMSG_PORT_FORWARD_REQUEST,
4491 PKT_INT, epf->sport,
4492 PKT_STR, epf->daddr,
4493 PKT_INT, epf->dport,
4495 ssh_queue_handler(ssh, SSH1_SMSG_SUCCESS,
4497 ssh_rportfwd_succfail, pf);
4499 struct Packet *pktout;
4500 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
4501 ssh2_pkt_addstring(pktout, "tcpip-forward");
4502 ssh2_pkt_addbool(pktout, 1);/* want reply */
4504 ssh2_pkt_addstring(pktout, epf->saddr);
4505 } else if (cfg->rport_acceptall) {
4506 ssh2_pkt_addstring(pktout, "0.0.0.0");
4508 ssh2_pkt_addstring(pktout, "127.0.0.1");
4510 ssh2_pkt_adduint32(pktout, epf->sport);
4511 ssh2_pkt_send(ssh, pktout);
4513 ssh_queue_handler(ssh, SSH2_MSG_REQUEST_SUCCESS,
4514 SSH2_MSG_REQUEST_FAILURE,
4515 ssh_rportfwd_succfail, pf);
4524 static void ssh1_smsg_stdout_stderr_data(Ssh ssh, struct Packet *pktin)
4527 int stringlen, bufsize;
4529 ssh_pkt_getstring(pktin, &string, &stringlen);
4530 if (string == NULL) {
4531 bombout(("Incoming terminal data packet was badly formed"));
4535 bufsize = from_backend(ssh->frontend, pktin->type == SSH1_SMSG_STDERR_DATA,
4537 if (!ssh->v1_stdout_throttling && bufsize > SSH1_BUFFER_LIMIT) {
4538 ssh->v1_stdout_throttling = 1;
4539 ssh_throttle_conn(ssh, +1);
4543 static void ssh1_smsg_x11_open(Ssh ssh, struct Packet *pktin)
4545 /* Remote side is trying to open a channel to talk to our
4546 * X-Server. Give them back a local channel number. */
4547 struct ssh_channel *c;
4548 int remoteid = ssh_pkt_getuint32(pktin);
4550 logevent("Received X11 connect request");
4551 /* Refuse if X11 forwarding is disabled. */
4552 if (!ssh->X11_fwd_enabled) {
4553 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4554 PKT_INT, remoteid, PKT_END);
4555 logevent("Rejected X11 connect request");
4557 c = snew(struct ssh_channel);
4560 if (x11_init(&c->u.x11.s, ssh->cfg.x11_display, c,
4561 ssh->x11auth, NULL, -1, &ssh->cfg) != NULL) {
4562 logevent("Opening X11 forward connection failed");
4564 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4565 PKT_INT, remoteid, PKT_END);
4568 ("Opening X11 forward connection succeeded");
4569 c->remoteid = remoteid;
4570 c->halfopen = FALSE;
4571 c->localid = alloc_channel_id(ssh);
4573 c->throttling_conn = 0;
4574 c->type = CHAN_X11; /* identify channel type */
4575 add234(ssh->channels, c);
4576 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4577 PKT_INT, c->remoteid, PKT_INT,
4578 c->localid, PKT_END);
4579 logevent("Opened X11 forward channel");
4584 static void ssh1_smsg_agent_open(Ssh ssh, struct Packet *pktin)
4586 /* Remote side is trying to open a channel to talk to our
4587 * agent. Give them back a local channel number. */
4588 struct ssh_channel *c;
4589 int remoteid = ssh_pkt_getuint32(pktin);
4591 /* Refuse if agent forwarding is disabled. */
4592 if (!ssh->agentfwd_enabled) {
4593 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4594 PKT_INT, remoteid, PKT_END);
4596 c = snew(struct ssh_channel);
4598 c->remoteid = remoteid;
4599 c->halfopen = FALSE;
4600 c->localid = alloc_channel_id(ssh);
4602 c->throttling_conn = 0;
4603 c->type = CHAN_AGENT; /* identify channel type */
4604 c->u.a.lensofar = 0;
4605 add234(ssh->channels, c);
4606 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4607 PKT_INT, c->remoteid, PKT_INT, c->localid,
4612 static void ssh1_msg_port_open(Ssh ssh, struct Packet *pktin)
4614 /* Remote side is trying to open a channel to talk to a
4615 * forwarded port. Give them back a local channel number. */
4616 struct ssh_channel *c;
4617 struct ssh_rportfwd pf, *pfp;
4622 c = snew(struct ssh_channel);
4625 remoteid = ssh_pkt_getuint32(pktin);
4626 ssh_pkt_getstring(pktin, &host, &hostsize);
4627 port = ssh_pkt_getuint32(pktin);
4629 if (hostsize >= lenof(pf.dhost))
4630 hostsize = lenof(pf.dhost)-1;
4631 memcpy(pf.dhost, host, hostsize);
4632 pf.dhost[hostsize] = '\0';
4634 pfp = find234(ssh->rportfwds, &pf, NULL);
4637 logeventf(ssh, "Rejected remote port open request for %s:%d",
4639 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4640 PKT_INT, remoteid, PKT_END);
4642 logeventf(ssh, "Received remote port open request for %s:%d",
4644 e = pfd_newconnect(&c->u.pfd.s, pf.dhost, port,
4645 c, &ssh->cfg, pfp->pfrec->addressfamily);
4647 logeventf(ssh, "Port open failed: %s", e);
4649 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
4650 PKT_INT, remoteid, PKT_END);
4652 c->remoteid = remoteid;
4653 c->halfopen = FALSE;
4654 c->localid = alloc_channel_id(ssh);
4656 c->throttling_conn = 0;
4657 c->type = CHAN_SOCKDATA; /* identify channel type */
4658 add234(ssh->channels, c);
4659 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
4660 PKT_INT, c->remoteid, PKT_INT,
4661 c->localid, PKT_END);
4662 logevent("Forwarded port opened successfully");
4667 static void ssh1_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
4669 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4670 unsigned int localid = ssh_pkt_getuint32(pktin);
4671 struct ssh_channel *c;
4673 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4674 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4675 c->remoteid = localid;
4676 c->halfopen = FALSE;
4677 c->type = CHAN_SOCKDATA;
4678 c->throttling_conn = 0;
4679 pfd_confirm(c->u.pfd.s);
4682 if (c && c->closes) {
4684 * We have a pending close on this channel,
4685 * which we decided on before the server acked
4686 * the channel open. So now we know the
4687 * remoteid, we can close it again.
4689 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE,
4690 PKT_INT, c->remoteid, PKT_END);
4694 static void ssh1_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
4696 unsigned int remoteid = ssh_pkt_getuint32(pktin);
4697 struct ssh_channel *c;
4699 c = find234(ssh->channels, &remoteid, ssh_channelfind);
4700 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
4701 logevent("Forwarded connection refused by server");
4702 pfd_close(c->u.pfd.s);
4703 del234(ssh->channels, c);
4708 static void ssh1_msg_channel_close(Ssh ssh, struct Packet *pktin)
4710 /* Remote side closes a channel. */
4711 unsigned i = ssh_pkt_getuint32(pktin);
4712 struct ssh_channel *c;
4713 c = find234(ssh->channels, &i, ssh_channelfind);
4714 if (c && !c->halfopen) {
4717 (pktin->type == SSH1_MSG_CHANNEL_CLOSE ? 1 : 2);
4719 if ((c->closes == 0) && (c->type == CHAN_X11)) {
4720 logevent("Forwarded X11 connection terminated");
4721 assert(c->u.x11.s != NULL);
4722 x11_close(c->u.x11.s);
4725 if ((c->closes == 0) && (c->type == CHAN_SOCKDATA)) {
4726 logevent("Forwarded port closed");
4727 assert(c->u.pfd.s != NULL);
4728 pfd_close(c->u.pfd.s);
4732 c->closes |= (closetype << 2); /* seen this message */
4733 if (!(c->closes & closetype)) {
4734 send_packet(ssh, pktin->type, PKT_INT, c->remoteid,
4736 c->closes |= closetype; /* sent it too */
4739 if (c->closes == 15) {
4740 del234(ssh->channels, c);
4744 bombout(("Received CHANNEL_CLOSE%s for %s channel %d\n",
4745 pktin->type == SSH1_MSG_CHANNEL_CLOSE ? "" :
4746 "_CONFIRMATION", c ? "half-open" : "nonexistent",
4751 static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
4753 /* Data sent down one of our channels. */
4754 int i = ssh_pkt_getuint32(pktin);
4757 struct ssh_channel *c;
4759 ssh_pkt_getstring(pktin, &p, &len);
4761 c = find234(ssh->channels, &i, ssh_channelfind);
4766 bufsize = x11_send(c->u.x11.s, p, len);
4769 bufsize = pfd_send(c->u.pfd.s, p, len);
4772 /* Data for an agent message. Buffer it. */
4774 if (c->u.a.lensofar < 4) {
4775 unsigned int l = min(4 - c->u.a.lensofar, (unsigned)len);
4776 memcpy(c->u.a.msglen + c->u.a.lensofar, p,
4780 c->u.a.lensofar += l;
4782 if (c->u.a.lensofar == 4) {
4784 4 + GET_32BIT(c->u.a.msglen);
4785 c->u.a.message = snewn(c->u.a.totallen,
4787 memcpy(c->u.a.message, c->u.a.msglen, 4);
4789 if (c->u.a.lensofar >= 4 && len > 0) {
4791 min(c->u.a.totallen - c->u.a.lensofar,
4793 memcpy(c->u.a.message + c->u.a.lensofar, p,
4797 c->u.a.lensofar += l;
4799 if (c->u.a.lensofar == c->u.a.totallen) {
4802 if (agent_query(c->u.a.message,
4805 ssh_agentf_callback, c))
4806 ssh_agentf_callback(c, reply, replylen);
4807 sfree(c->u.a.message);
4808 c->u.a.lensofar = 0;
4811 bufsize = 0; /* agent channels never back up */
4814 if (!c->throttling_conn && bufsize > SSH1_BUFFER_LIMIT) {
4815 c->throttling_conn = 1;
4816 ssh_throttle_conn(ssh, +1);
4821 static void ssh1_smsg_exit_status(Ssh ssh, struct Packet *pktin)
4823 ssh->exitcode = ssh_pkt_getuint32(pktin);
4824 logeventf(ssh, "Server sent command exit status %d", ssh->exitcode);
4825 send_packet(ssh, SSH1_CMSG_EXIT_CONFIRMATION, PKT_END);
4827 * In case `helpful' firewalls or proxies tack
4828 * extra human-readable text on the end of the
4829 * session which we might mistake for another
4830 * encrypted packet, we close the session once
4831 * we've sent EXIT_CONFIRMATION.
4833 ssh_disconnect(ssh, NULL, NULL, 0, TRUE);
4836 /* Helper function to deal with sending tty modes for REQUEST_PTY */
4837 static void ssh1_send_ttymode(void *data, char *mode, char *val)
4839 struct Packet *pktout = (struct Packet *)data;
4841 unsigned int arg = 0;
4842 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
4843 if (i == lenof(ssh_ttymodes)) return;
4844 switch (ssh_ttymodes[i].type) {
4846 arg = ssh_tty_parse_specchar(val);
4849 arg = ssh_tty_parse_boolean(val);
4852 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
4853 ssh2_pkt_addbyte(pktout, arg);
4857 static void do_ssh1_connection(Ssh ssh, unsigned char *in, int inlen,
4858 struct Packet *pktin)
4860 crBegin(ssh->do_ssh1_connection_crstate);
4862 ssh->packet_dispatch[SSH1_SMSG_STDOUT_DATA] =
4863 ssh->packet_dispatch[SSH1_SMSG_STDERR_DATA] =
4864 ssh1_smsg_stdout_stderr_data;
4866 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_CONFIRMATION] =
4867 ssh1_msg_channel_open_confirmation;
4868 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_FAILURE] =
4869 ssh1_msg_channel_open_failure;
4870 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE] =
4871 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION] =
4872 ssh1_msg_channel_close;
4873 ssh->packet_dispatch[SSH1_MSG_CHANNEL_DATA] = ssh1_msg_channel_data;
4874 ssh->packet_dispatch[SSH1_SMSG_EXIT_STATUS] = ssh1_smsg_exit_status;
4876 if (ssh->cfg.agentfwd && agent_exists()) {
4877 logevent("Requesting agent forwarding");
4878 send_packet(ssh, SSH1_CMSG_AGENT_REQUEST_FORWARDING, PKT_END);
4882 if (pktin->type != SSH1_SMSG_SUCCESS
4883 && pktin->type != SSH1_SMSG_FAILURE) {
4884 bombout(("Protocol confusion"));
4886 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4887 logevent("Agent forwarding refused");
4889 logevent("Agent forwarding enabled");
4890 ssh->agentfwd_enabled = TRUE;
4891 ssh->packet_dispatch[SSH1_SMSG_AGENT_OPEN] = ssh1_smsg_agent_open;
4895 if (ssh->cfg.x11_forward) {
4896 char proto[20], data[64];
4897 logevent("Requesting X11 forwarding");
4898 ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
4899 data, sizeof(data), ssh->cfg.x11_auth);
4900 x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
4902 * Note that while we blank the X authentication data here, we don't
4903 * take any special action to blank the start of an X11 channel,
4904 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
4905 * without having session blanking enabled is likely to leak your
4906 * cookie into the log.
4908 if (ssh->v1_local_protoflags & SSH1_PROTOFLAG_SCREEN_NUMBER) {
4909 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
4911 PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER,
4912 PKT_INT, x11_get_screen_number(ssh->cfg.x11_display),
4915 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
4917 PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER, PKT_END);
4922 if (pktin->type != SSH1_SMSG_SUCCESS
4923 && pktin->type != SSH1_SMSG_FAILURE) {
4924 bombout(("Protocol confusion"));
4926 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4927 logevent("X11 forwarding refused");
4929 logevent("X11 forwarding enabled");
4930 ssh->X11_fwd_enabled = TRUE;
4931 ssh->packet_dispatch[SSH1_SMSG_X11_OPEN] = ssh1_smsg_x11_open;
4935 ssh_setup_portfwd(ssh, &ssh->cfg);
4936 ssh->packet_dispatch[SSH1_MSG_PORT_OPEN] = ssh1_msg_port_open;
4938 if (!ssh->cfg.nopty) {
4940 /* Unpick the terminal-speed string. */
4941 /* XXX perhaps we should allow no speeds to be sent. */
4942 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
4943 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
4944 /* Send the pty request. */
4945 pkt = ssh1_pkt_init(SSH1_CMSG_REQUEST_PTY);
4946 ssh_pkt_addstring(pkt, ssh->cfg.termtype);
4947 ssh_pkt_adduint32(pkt, ssh->term_height);
4948 ssh_pkt_adduint32(pkt, ssh->term_width);
4949 ssh_pkt_adduint32(pkt, 0); /* width in pixels */
4950 ssh_pkt_adduint32(pkt, 0); /* height in pixels */
4951 parse_ttymodes(ssh, ssh->cfg.ttymodes,
4952 ssh1_send_ttymode, (void *)pkt);
4953 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_ISPEED);
4954 ssh_pkt_adduint32(pkt, ssh->ispeed);
4955 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_OSPEED);
4956 ssh_pkt_adduint32(pkt, ssh->ospeed);
4957 ssh_pkt_addbyte(pkt, SSH_TTY_OP_END);
4959 ssh->state = SSH_STATE_INTERMED;
4963 if (pktin->type != SSH1_SMSG_SUCCESS
4964 && pktin->type != SSH1_SMSG_FAILURE) {
4965 bombout(("Protocol confusion"));
4967 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4968 c_write_str(ssh, "Server refused to allocate pty\r\n");
4969 ssh->editing = ssh->echoing = 1;
4971 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
4972 ssh->ospeed, ssh->ispeed);
4974 ssh->editing = ssh->echoing = 1;
4977 if (ssh->cfg.compression) {
4978 send_packet(ssh, SSH1_CMSG_REQUEST_COMPRESSION, PKT_INT, 6, PKT_END);
4982 if (pktin->type != SSH1_SMSG_SUCCESS
4983 && pktin->type != SSH1_SMSG_FAILURE) {
4984 bombout(("Protocol confusion"));
4986 } else if (pktin->type == SSH1_SMSG_FAILURE) {
4987 c_write_str(ssh, "Server refused to compress\r\n");
4989 logevent("Started compression");
4990 ssh->v1_compressing = TRUE;
4991 ssh->cs_comp_ctx = zlib_compress_init();
4992 logevent("Initialised zlib (RFC1950) compression");
4993 ssh->sc_comp_ctx = zlib_decompress_init();
4994 logevent("Initialised zlib (RFC1950) decompression");
4998 * Start the shell or command.
5000 * Special case: if the first-choice command is an SSH-2
5001 * subsystem (hence not usable here) and the second choice
5002 * exists, we fall straight back to that.
5005 char *cmd = ssh->cfg.remote_cmd_ptr;
5007 if (!cmd) cmd = ssh->cfg.remote_cmd;
5009 if (ssh->cfg.ssh_subsys && ssh->cfg.remote_cmd_ptr2) {
5010 cmd = ssh->cfg.remote_cmd_ptr2;
5011 ssh->fallback_cmd = TRUE;
5014 send_packet(ssh, SSH1_CMSG_EXEC_CMD, PKT_STR, cmd, PKT_END);
5016 send_packet(ssh, SSH1_CMSG_EXEC_SHELL, PKT_END);
5017 logevent("Started session");
5020 ssh->state = SSH_STATE_SESSION;
5021 if (ssh->size_needed)
5022 ssh_size(ssh, ssh->term_width, ssh->term_height);
5023 if (ssh->eof_needed)
5024 ssh_special(ssh, TS_EOF);
5027 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
5029 ssh->channels = newtree234(ssh_channelcmp);
5033 * By this point, most incoming packets are already being
5034 * handled by the dispatch table, and we need only pay
5035 * attention to the unusual ones.
5040 if (pktin->type == SSH1_SMSG_SUCCESS) {
5041 /* may be from EXEC_SHELL on some servers */
5042 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5043 /* may be from EXEC_SHELL on some servers
5044 * if no pty is available or in other odd cases. Ignore */
5046 bombout(("Strange packet received: type %d", pktin->type));
5051 int len = min(inlen, 512);
5052 send_packet(ssh, SSH1_CMSG_STDIN_DATA,
5053 PKT_INT, len, PKTT_DATA, PKT_DATA, in, len,
5054 PKTT_OTHER, PKT_END);
5065 * Handle the top-level SSH-2 protocol.
5067 static void ssh1_msg_debug(Ssh ssh, struct Packet *pktin)
5072 ssh_pkt_getstring(pktin, &msg, &msglen);
5073 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
5076 static void ssh1_msg_disconnect(Ssh ssh, struct Packet *pktin)
5078 /* log reason code in disconnect message */
5082 ssh_pkt_getstring(pktin, &msg, &msglen);
5083 bombout(("Server sent disconnect message:\n\"%.*s\"", msglen, msg));
5086 static void ssh_msg_ignore(Ssh ssh, struct Packet *pktin)
5088 /* Do nothing, because we're ignoring it! Duhh. */
5091 static void ssh1_protocol_setup(Ssh ssh)
5096 * Most messages are handled by the coroutines.
5098 for (i = 0; i < 256; i++)
5099 ssh->packet_dispatch[i] = NULL;
5102 * These special message types we install handlers for.
5104 ssh->packet_dispatch[SSH1_MSG_DISCONNECT] = ssh1_msg_disconnect;
5105 ssh->packet_dispatch[SSH1_MSG_IGNORE] = ssh_msg_ignore;
5106 ssh->packet_dispatch[SSH1_MSG_DEBUG] = ssh1_msg_debug;
5109 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
5110 struct Packet *pktin)
5112 unsigned char *in=(unsigned char*)vin;
5113 if (ssh->state == SSH_STATE_CLOSED)
5116 if (pktin && ssh->packet_dispatch[pktin->type]) {
5117 ssh->packet_dispatch[pktin->type](ssh, pktin);
5121 if (!ssh->protocol_initial_phase_done) {
5122 if (do_ssh1_login(ssh, in, inlen, pktin))
5123 ssh->protocol_initial_phase_done = TRUE;
5128 do_ssh1_connection(ssh, in, inlen, pktin);
5132 * Utility routine for decoding comma-separated strings in KEXINIT.
5134 static int in_commasep_string(char *needle, char *haystack, int haylen)
5137 if (!needle || !haystack) /* protect against null pointers */
5139 needlen = strlen(needle);
5142 * Is it at the start of the string?
5144 if (haylen >= needlen && /* haystack is long enough */
5145 !memcmp(needle, haystack, needlen) && /* initial match */
5146 (haylen == needlen || haystack[needlen] == ',')
5147 /* either , or EOS follows */
5151 * If not, search for the next comma and resume after that.
5152 * If no comma found, terminate.
5154 while (haylen > 0 && *haystack != ',')
5155 haylen--, haystack++;
5158 haylen--, haystack++; /* skip over comma itself */
5163 * Similar routine for checking whether we have the first string in a list.
5165 static int first_in_commasep_string(char *needle, char *haystack, int haylen)
5168 if (!needle || !haystack) /* protect against null pointers */
5170 needlen = strlen(needle);
5172 * Is it at the start of the string?
5174 if (haylen >= needlen && /* haystack is long enough */
5175 !memcmp(needle, haystack, needlen) && /* initial match */
5176 (haylen == needlen || haystack[needlen] == ',')
5177 /* either , or EOS follows */
5185 * SSH-2 key creation method.
5186 * (Currently assumes 2 lots of any hash are sufficient to generate
5187 * keys/IVs for any cipher/MAC. SSH2_MKKEY_ITERS documents this assumption.)
5189 #define SSH2_MKKEY_ITERS (2)
5190 static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,
5191 unsigned char *keyspace)
5193 const struct ssh_hash *h = ssh->kex->hash;
5195 /* First hlen bytes. */
5197 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5198 hash_mpint(h, s, K);
5199 h->bytes(s, H, h->hlen);
5200 h->bytes(s, &chr, 1);
5201 h->bytes(s, ssh->v2_session_id, ssh->v2_session_id_len);
5202 h->final(s, keyspace);
5203 /* Next hlen bytes. */
5205 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5206 hash_mpint(h, s, K);
5207 h->bytes(s, H, h->hlen);
5208 h->bytes(s, keyspace, h->hlen);
5209 h->final(s, keyspace + h->hlen);
5213 * Handle the SSH-2 transport layer.
5215 static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
5216 struct Packet *pktin)
5218 unsigned char *in = (unsigned char *)vin;
5219 struct do_ssh2_transport_state {
5220 int nbits, pbits, warn_kex, warn_cscipher, warn_sccipher;
5221 Bignum p, g, e, f, K;
5224 int kex_init_value, kex_reply_value;
5225 const struct ssh_mac **maclist;
5227 const struct ssh2_cipher *cscipher_tobe;
5228 const struct ssh2_cipher *sccipher_tobe;
5229 const struct ssh_mac *csmac_tobe;
5230 const struct ssh_mac *scmac_tobe;
5231 const struct ssh_compress *cscomp_tobe;
5232 const struct ssh_compress *sccomp_tobe;
5233 char *hostkeydata, *sigdata, *rsakeydata, *keystr, *fingerprint;
5234 int hostkeylen, siglen, rsakeylen;
5235 void *hkey; /* actual host key */
5236 void *rsakey; /* for RSA kex */
5237 unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
5238 int n_preferred_kex;
5239 const struct ssh_kexes *preferred_kex[KEX_MAX];
5240 int n_preferred_ciphers;
5241 const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
5242 const struct ssh_compress *preferred_comp;
5243 int got_session_id, activated_authconn;
5244 struct Packet *pktout;
5249 crState(do_ssh2_transport_state);
5251 crBegin(ssh->do_ssh2_transport_crstate);
5253 s->cscipher_tobe = s->sccipher_tobe = NULL;
5254 s->csmac_tobe = s->scmac_tobe = NULL;
5255 s->cscomp_tobe = s->sccomp_tobe = NULL;
5257 s->got_session_id = s->activated_authconn = FALSE;
5260 * Be prepared to work around the buggy MAC problem.
5262 if (ssh->remote_bugs & BUG_SSH2_HMAC)
5263 s->maclist = buggymacs, s->nmacs = lenof(buggymacs);
5265 s->maclist = macs, s->nmacs = lenof(macs);
5268 ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
5270 int i, j, commalist_started;
5273 * Set up the preferred key exchange. (NULL => warn below here)
5275 s->n_preferred_kex = 0;
5276 for (i = 0; i < KEX_MAX; i++) {
5277 switch (ssh->cfg.ssh_kexlist[i]) {
5279 s->preferred_kex[s->n_preferred_kex++] =
5280 &ssh_diffiehellman_gex;
5283 s->preferred_kex[s->n_preferred_kex++] =
5284 &ssh_diffiehellman_group14;
5287 s->preferred_kex[s->n_preferred_kex++] =
5288 &ssh_diffiehellman_group1;
5291 s->preferred_kex[s->n_preferred_kex++] =
5295 /* Flag for later. Don't bother if it's the last in
5297 if (i < KEX_MAX - 1) {
5298 s->preferred_kex[s->n_preferred_kex++] = NULL;
5305 * Set up the preferred ciphers. (NULL => warn below here)
5307 s->n_preferred_ciphers = 0;
5308 for (i = 0; i < CIPHER_MAX; i++) {
5309 switch (ssh->cfg.ssh_cipherlist[i]) {
5310 case CIPHER_BLOWFISH:
5311 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_blowfish;
5314 if (ssh->cfg.ssh2_des_cbc) {
5315 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_des;
5319 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_3des;
5322 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_aes;
5324 case CIPHER_ARCFOUR:
5325 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour;
5328 /* Flag for later. Don't bother if it's the last in
5330 if (i < CIPHER_MAX - 1) {
5331 s->preferred_ciphers[s->n_preferred_ciphers++] = NULL;
5338 * Set up preferred compression.
5340 if (ssh->cfg.compression)
5341 s->preferred_comp = &ssh_zlib;
5343 s->preferred_comp = &ssh_comp_none;
5346 * Enable queueing of outgoing auth- or connection-layer
5347 * packets while we are in the middle of a key exchange.
5349 ssh->queueing = TRUE;
5352 * Flag that KEX is in progress.
5354 ssh->kex_in_progress = TRUE;
5357 * Construct and send our key exchange packet.
5359 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXINIT);
5360 for (i = 0; i < 16; i++)
5361 ssh2_pkt_addbyte(s->pktout, (unsigned char) random_byte());
5362 /* List key exchange algorithms. */
5363 ssh2_pkt_addstring_start(s->pktout);
5364 commalist_started = 0;
5365 for (i = 0; i < s->n_preferred_kex; i++) {
5366 const struct ssh_kexes *k = s->preferred_kex[i];
5367 if (!k) continue; /* warning flag */
5368 for (j = 0; j < k->nkexes; j++) {
5369 if (commalist_started)
5370 ssh2_pkt_addstring_str(s->pktout, ",");
5371 ssh2_pkt_addstring_str(s->pktout, k->list[j]->name);
5372 commalist_started = 1;
5375 /* List server host key algorithms. */
5376 ssh2_pkt_addstring_start(s->pktout);
5377 for (i = 0; i < lenof(hostkey_algs); i++) {
5378 ssh2_pkt_addstring_str(s->pktout, hostkey_algs[i]->name);
5379 if (i < lenof(hostkey_algs) - 1)
5380 ssh2_pkt_addstring_str(s->pktout, ",");
5382 /* List client->server encryption algorithms. */
5383 ssh2_pkt_addstring_start(s->pktout);
5384 commalist_started = 0;
5385 for (i = 0; i < s->n_preferred_ciphers; i++) {
5386 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5387 if (!c) continue; /* warning flag */
5388 for (j = 0; j < c->nciphers; j++) {
5389 if (commalist_started)
5390 ssh2_pkt_addstring_str(s->pktout, ",");
5391 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5392 commalist_started = 1;
5395 /* List server->client encryption algorithms. */
5396 ssh2_pkt_addstring_start(s->pktout);
5397 commalist_started = 0;
5398 for (i = 0; i < s->n_preferred_ciphers; i++) {
5399 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5400 if (!c) continue; /* warning flag */
5401 for (j = 0; j < c->nciphers; j++) {
5402 if (commalist_started)
5403 ssh2_pkt_addstring_str(s->pktout, ",");
5404 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
5405 commalist_started = 1;
5408 /* List client->server MAC algorithms. */
5409 ssh2_pkt_addstring_start(s->pktout);
5410 for (i = 0; i < s->nmacs; i++) {
5411 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5412 if (i < s->nmacs - 1)
5413 ssh2_pkt_addstring_str(s->pktout, ",");
5415 /* List server->client MAC algorithms. */
5416 ssh2_pkt_addstring_start(s->pktout);
5417 for (i = 0; i < s->nmacs; i++) {
5418 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
5419 if (i < s->nmacs - 1)
5420 ssh2_pkt_addstring_str(s->pktout, ",");
5422 /* List client->server compression algorithms. */
5423 ssh2_pkt_addstring_start(s->pktout);
5424 assert(lenof(compressions) > 1);
5425 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5426 for (i = 0; i < lenof(compressions); i++) {
5427 const struct ssh_compress *c = compressions[i];
5428 if (c != s->preferred_comp) {
5429 ssh2_pkt_addstring_str(s->pktout, ",");
5430 ssh2_pkt_addstring_str(s->pktout, c->name);
5433 /* List server->client compression algorithms. */
5434 ssh2_pkt_addstring_start(s->pktout);
5435 assert(lenof(compressions) > 1);
5436 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
5437 for (i = 0; i < lenof(compressions); i++) {
5438 const struct ssh_compress *c = compressions[i];
5439 if (c != s->preferred_comp) {
5440 ssh2_pkt_addstring_str(s->pktout, ",");
5441 ssh2_pkt_addstring_str(s->pktout, c->name);
5444 /* List client->server languages. Empty list. */
5445 ssh2_pkt_addstring_start(s->pktout);
5446 /* List server->client languages. Empty list. */
5447 ssh2_pkt_addstring_start(s->pktout);
5448 /* First KEX packet does _not_ follow, because we're not that brave. */
5449 ssh2_pkt_addbool(s->pktout, FALSE);
5451 ssh2_pkt_adduint32(s->pktout, 0);
5454 s->our_kexinitlen = s->pktout->length - 5;
5455 s->our_kexinit = snewn(s->our_kexinitlen, unsigned char);
5456 memcpy(s->our_kexinit, s->pktout->data + 5, s->our_kexinitlen);
5458 ssh2_pkt_send_noqueue(ssh, s->pktout);
5464 * Now examine the other side's KEXINIT to see what we're up
5468 char *str, *preferred;
5471 if (pktin->type != SSH2_MSG_KEXINIT) {
5472 bombout(("expected key exchange packet from server"));
5476 ssh->hostkey = NULL;
5477 s->cscipher_tobe = NULL;
5478 s->sccipher_tobe = NULL;
5479 s->csmac_tobe = NULL;
5480 s->scmac_tobe = NULL;
5481 s->cscomp_tobe = NULL;
5482 s->sccomp_tobe = NULL;
5483 s->warn_kex = s->warn_cscipher = s->warn_sccipher = FALSE;
5485 pktin->savedpos += 16; /* skip garbage cookie */
5486 ssh_pkt_getstring(pktin, &str, &len); /* key exchange algorithms */
5489 for (i = 0; i < s->n_preferred_kex; i++) {
5490 const struct ssh_kexes *k = s->preferred_kex[i];
5494 for (j = 0; j < k->nkexes; j++) {
5495 if (!preferred) preferred = k->list[j]->name;
5496 if (in_commasep_string(k->list[j]->name, str, len)) {
5497 ssh->kex = k->list[j];
5506 bombout(("Couldn't agree a key exchange algorithm (available: %s)",
5507 str ? str : "(null)"));
5511 * Note that the server's guess is considered wrong if it doesn't match
5512 * the first algorithm in our list, even if it's still the algorithm
5515 s->guessok = first_in_commasep_string(preferred, str, len);
5516 ssh_pkt_getstring(pktin, &str, &len); /* host key algorithms */
5517 for (i = 0; i < lenof(hostkey_algs); i++) {
5518 if (in_commasep_string(hostkey_algs[i]->name, str, len)) {
5519 ssh->hostkey = hostkey_algs[i];
5523 s->guessok = s->guessok &&
5524 first_in_commasep_string(hostkey_algs[0]->name, str, len);
5525 ssh_pkt_getstring(pktin, &str, &len); /* client->server cipher */
5526 for (i = 0; i < s->n_preferred_ciphers; i++) {
5527 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5529 s->warn_cscipher = TRUE;
5531 for (j = 0; j < c->nciphers; j++) {
5532 if (in_commasep_string(c->list[j]->name, str, len)) {
5533 s->cscipher_tobe = c->list[j];
5538 if (s->cscipher_tobe)
5541 if (!s->cscipher_tobe) {
5542 bombout(("Couldn't agree a client-to-server cipher (available: %s)",
5543 str ? str : "(null)"));
5547 ssh_pkt_getstring(pktin, &str, &len); /* server->client cipher */
5548 for (i = 0; i < s->n_preferred_ciphers; i++) {
5549 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
5551 s->warn_sccipher = TRUE;
5553 for (j = 0; j < c->nciphers; j++) {
5554 if (in_commasep_string(c->list[j]->name, str, len)) {
5555 s->sccipher_tobe = c->list[j];
5560 if (s->sccipher_tobe)
5563 if (!s->sccipher_tobe) {
5564 bombout(("Couldn't agree a server-to-client cipher (available: %s)",
5565 str ? str : "(null)"));
5569 ssh_pkt_getstring(pktin, &str, &len); /* client->server mac */
5570 for (i = 0; i < s->nmacs; i++) {
5571 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5572 s->csmac_tobe = s->maclist[i];
5576 ssh_pkt_getstring(pktin, &str, &len); /* server->client mac */
5577 for (i = 0; i < s->nmacs; i++) {
5578 if (in_commasep_string(s->maclist[i]->name, str, len)) {
5579 s->scmac_tobe = s->maclist[i];
5583 ssh_pkt_getstring(pktin, &str, &len); /* client->server compression */
5584 for (i = 0; i < lenof(compressions) + 1; i++) {
5585 const struct ssh_compress *c =
5586 i == 0 ? s->preferred_comp : compressions[i - 1];
5587 if (in_commasep_string(c->name, str, len)) {
5592 ssh_pkt_getstring(pktin, &str, &len); /* server->client compression */
5593 for (i = 0; i < lenof(compressions) + 1; i++) {
5594 const struct ssh_compress *c =
5595 i == 0 ? s->preferred_comp : compressions[i - 1];
5596 if (in_commasep_string(c->name, str, len)) {
5601 ssh_pkt_getstring(pktin, &str, &len); /* client->server language */
5602 ssh_pkt_getstring(pktin, &str, &len); /* server->client language */
5603 s->ignorepkt = ssh2_pkt_getbool(pktin) && !s->guessok;
5606 ssh_set_frozen(ssh, 1);
5607 s->dlgret = askalg(ssh->frontend, "key-exchange algorithm",
5609 ssh_dialog_callback, ssh);
5610 if (s->dlgret < 0) {
5614 bombout(("Unexpected data from server while"
5615 " waiting for user response"));
5618 } while (pktin || inlen > 0);
5619 s->dlgret = ssh->user_response;
5621 ssh_set_frozen(ssh, 0);
5622 if (s->dlgret == 0) {
5623 ssh_disconnect(ssh, "User aborted at kex warning", NULL,
5629 if (s->warn_cscipher) {
5630 ssh_set_frozen(ssh, 1);
5631 s->dlgret = askalg(ssh->frontend,
5632 "client-to-server cipher",
5633 s->cscipher_tobe->name,
5634 ssh_dialog_callback, ssh);
5635 if (s->dlgret < 0) {
5639 bombout(("Unexpected data from server while"
5640 " waiting for user response"));
5643 } while (pktin || inlen > 0);
5644 s->dlgret = ssh->user_response;
5646 ssh_set_frozen(ssh, 0);
5647 if (s->dlgret == 0) {
5648 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5654 if (s->warn_sccipher) {
5655 ssh_set_frozen(ssh, 1);
5656 s->dlgret = askalg(ssh->frontend,
5657 "server-to-client cipher",
5658 s->sccipher_tobe->name,
5659 ssh_dialog_callback, ssh);
5660 if (s->dlgret < 0) {
5664 bombout(("Unexpected data from server while"
5665 " waiting for user response"));
5668 } while (pktin || inlen > 0);
5669 s->dlgret = ssh->user_response;
5671 ssh_set_frozen(ssh, 0);
5672 if (s->dlgret == 0) {
5673 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
5679 ssh->exhash = ssh->kex->hash->init();
5680 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_c, strlen(ssh->v_c));
5681 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_s, strlen(ssh->v_s));
5682 hash_string(ssh->kex->hash, ssh->exhash,
5683 s->our_kexinit, s->our_kexinitlen);
5684 sfree(s->our_kexinit);
5685 if (pktin->length > 5)
5686 hash_string(ssh->kex->hash, ssh->exhash,
5687 pktin->data + 5, pktin->length - 5);
5689 if (s->ignorepkt) /* first_kex_packet_follows */
5690 crWaitUntil(pktin); /* Ignore packet */
5693 if (ssh->kex->main_type == KEXTYPE_DH) {
5695 * Work out the number of bits of key we will need from the
5696 * key exchange. We start with the maximum key length of
5702 csbits = s->cscipher_tobe->keylen;
5703 scbits = s->sccipher_tobe->keylen;
5704 s->nbits = (csbits > scbits ? csbits : scbits);
5706 /* The keys only have hlen-bit entropy, since they're based on
5707 * a hash. So cap the key size at hlen bits. */
5708 if (s->nbits > ssh->kex->hash->hlen * 8)
5709 s->nbits = ssh->kex->hash->hlen * 8;
5712 * If we're doing Diffie-Hellman group exchange, start by
5713 * requesting a group.
5715 if (!ssh->kex->pdata) {
5716 logevent("Doing Diffie-Hellman group exchange");
5717 ssh->pkt_kctx = SSH2_PKTCTX_DHGEX;
5719 * Work out how big a DH group we will need to allow that
5722 s->pbits = 512 << ((s->nbits - 1) / 64);
5723 s->pktout = ssh2_pkt_init(SSH2_MSG_KEX_DH_GEX_REQUEST);
5724 ssh2_pkt_adduint32(s->pktout, s->pbits);
5725 ssh2_pkt_send_noqueue(ssh, s->pktout);
5728 if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
5729 bombout(("expected key exchange group packet from server"));
5732 s->p = ssh2_pkt_getmp(pktin);
5733 s->g = ssh2_pkt_getmp(pktin);
5734 if (!s->p || !s->g) {
5735 bombout(("unable to read mp-ints from incoming group packet"));
5738 ssh->kex_ctx = dh_setup_gex(s->p, s->g);
5739 s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
5740 s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
5742 ssh->pkt_kctx = SSH2_PKTCTX_DHGROUP;
5743 ssh->kex_ctx = dh_setup_group(ssh->kex);
5744 s->kex_init_value = SSH2_MSG_KEXDH_INIT;
5745 s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
5746 logeventf(ssh, "Using Diffie-Hellman with standard group \"%s\"",
5747 ssh->kex->groupname);
5750 logeventf(ssh, "Doing Diffie-Hellman key exchange with hash %s",
5751 ssh->kex->hash->text_name);
5753 * Now generate and send e for Diffie-Hellman.
5755 set_busy_status(ssh->frontend, BUSY_CPU); /* this can take a while */
5756 s->e = dh_create_e(ssh->kex_ctx, s->nbits * 2);
5757 s->pktout = ssh2_pkt_init(s->kex_init_value);
5758 ssh2_pkt_addmp(s->pktout, s->e);
5759 ssh2_pkt_send_noqueue(ssh, s->pktout);
5761 set_busy_status(ssh->frontend, BUSY_WAITING); /* wait for server */
5763 if (pktin->type != s->kex_reply_value) {
5764 bombout(("expected key exchange reply packet from server"));
5767 set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
5768 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5769 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5770 s->f = ssh2_pkt_getmp(pktin);
5772 bombout(("unable to parse key exchange reply packet"));
5775 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
5777 s->K = dh_find_K(ssh->kex_ctx, s->f);
5779 /* We assume everything from now on will be quick, and it might
5780 * involve user interaction. */
5781 set_busy_status(ssh->frontend, BUSY_NOT);
5783 hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
5784 if (!ssh->kex->pdata) {
5785 hash_uint32(ssh->kex->hash, ssh->exhash, s->pbits);
5786 hash_mpint(ssh->kex->hash, ssh->exhash, s->p);
5787 hash_mpint(ssh->kex->hash, ssh->exhash, s->g);
5789 hash_mpint(ssh->kex->hash, ssh->exhash, s->e);
5790 hash_mpint(ssh->kex->hash, ssh->exhash, s->f);
5792 dh_cleanup(ssh->kex_ctx);
5794 if (!ssh->kex->pdata) {
5799 logeventf(ssh, "Doing RSA key exchange with hash %s",
5800 ssh->kex->hash->text_name);
5801 ssh->pkt_kctx = SSH2_PKTCTX_RSAKEX;
5803 * RSA key exchange. First expect a KEXRSA_PUBKEY packet
5807 if (pktin->type != SSH2_MSG_KEXRSA_PUBKEY) {
5808 bombout(("expected RSA public key packet from server"));
5812 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
5813 hash_string(ssh->kex->hash, ssh->exhash,
5814 s->hostkeydata, s->hostkeylen);
5815 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
5819 ssh_pkt_getstring(pktin, &keydata, &s->rsakeylen);
5820 s->rsakeydata = snewn(s->rsakeylen, char);
5821 memcpy(s->rsakeydata, keydata, s->rsakeylen);
5824 s->rsakey = ssh_rsakex_newkey(s->rsakeydata, s->rsakeylen);
5826 sfree(s->rsakeydata);
5827 bombout(("unable to parse RSA public key from server"));
5831 hash_string(ssh->kex->hash, ssh->exhash, s->rsakeydata, s->rsakeylen);
5834 * Next, set up a shared secret K, of precisely KLEN -
5835 * 2*HLEN - 49 bits, where KLEN is the bit length of the
5836 * RSA key modulus and HLEN is the bit length of the hash
5840 int klen = ssh_rsakex_klen(s->rsakey);
5841 int nbits = klen - (2*ssh->kex->hash->hlen*8 + 49);
5843 unsigned char *kstr1, *kstr2, *outstr;
5844 int kstr1len, kstr2len, outstrlen;
5846 s->K = bn_power_2(nbits - 1);
5848 for (i = 0; i < nbits; i++) {
5850 byte = random_byte();
5852 bignum_set_bit(s->K, i, (byte >> (i & 7)) & 1);
5856 * Encode this as an mpint.
5858 kstr1 = ssh2_mpint_fmt(s->K, &kstr1len);
5859 kstr2 = snewn(kstr2len = 4 + kstr1len, unsigned char);
5860 PUT_32BIT(kstr2, kstr1len);
5861 memcpy(kstr2 + 4, kstr1, kstr1len);
5864 * Encrypt it with the given RSA key.
5866 outstrlen = (klen + 7) / 8;
5867 outstr = snewn(outstrlen, unsigned char);
5868 ssh_rsakex_encrypt(ssh->kex->hash, kstr2, kstr2len,
5869 outstr, outstrlen, s->rsakey);
5872 * And send it off in a return packet.
5874 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXRSA_SECRET);
5875 ssh2_pkt_addstring_start(s->pktout);
5876 ssh2_pkt_addstring_data(s->pktout, (char *)outstr, outstrlen);
5877 ssh2_pkt_send_noqueue(ssh, s->pktout);
5879 hash_string(ssh->kex->hash, ssh->exhash, outstr, outstrlen);
5886 ssh_rsakex_freekey(s->rsakey);
5889 if (pktin->type != SSH2_MSG_KEXRSA_DONE) {
5890 sfree(s->rsakeydata);
5891 bombout(("expected signature packet from server"));
5895 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
5897 sfree(s->rsakeydata);
5900 hash_mpint(ssh->kex->hash, ssh->exhash, s->K);
5901 assert(ssh->kex->hash->hlen <= sizeof(s->exchange_hash));
5902 ssh->kex->hash->final(ssh->exhash, s->exchange_hash);
5904 ssh->kex_ctx = NULL;
5907 debug(("Exchange hash is:\n"));
5908 dmemdump(s->exchange_hash, ssh->kex->hash->hlen);
5912 !ssh->hostkey->verifysig(s->hkey, s->sigdata, s->siglen,
5913 (char *)s->exchange_hash,
5914 ssh->kex->hash->hlen)) {
5915 bombout(("Server's host key did not match the signature supplied"));
5920 * Authenticate remote host: verify host key. (We've already
5921 * checked the signature of the exchange hash.)
5923 s->keystr = ssh->hostkey->fmtkey(s->hkey);
5924 s->fingerprint = ssh->hostkey->fingerprint(s->hkey);
5925 ssh_set_frozen(ssh, 1);
5926 s->dlgret = verify_ssh_host_key(ssh->frontend,
5927 ssh->savedhost, ssh->savedport,
5928 ssh->hostkey->keytype, s->keystr,
5930 ssh_dialog_callback, ssh);
5931 if (s->dlgret < 0) {
5935 bombout(("Unexpected data from server while waiting"
5936 " for user host key response"));
5939 } while (pktin || inlen > 0);
5940 s->dlgret = ssh->user_response;
5942 ssh_set_frozen(ssh, 0);
5943 if (s->dlgret == 0) {
5944 ssh_disconnect(ssh, "User aborted at host key verification", NULL,
5948 if (!s->got_session_id) { /* don't bother logging this in rekeys */
5949 logevent("Host key fingerprint is:");
5950 logevent(s->fingerprint);
5952 sfree(s->fingerprint);
5954 ssh->hostkey->freekey(s->hkey);
5957 * The exchange hash from the very first key exchange is also
5958 * the session id, used in session key construction and
5961 if (!s->got_session_id) {
5962 assert(sizeof(s->exchange_hash) <= sizeof(ssh->v2_session_id));
5963 memcpy(ssh->v2_session_id, s->exchange_hash,
5964 sizeof(s->exchange_hash));
5965 ssh->v2_session_id_len = ssh->kex->hash->hlen;
5966 assert(ssh->v2_session_id_len <= sizeof(ssh->v2_session_id));
5967 s->got_session_id = TRUE;
5971 * Send SSH2_MSG_NEWKEYS.
5973 s->pktout = ssh2_pkt_init(SSH2_MSG_NEWKEYS);
5974 ssh2_pkt_send_noqueue(ssh, s->pktout);
5975 ssh->outgoing_data_size = 0; /* start counting from here */
5978 * We've sent client NEWKEYS, so create and initialise
5979 * client-to-server session keys.
5981 if (ssh->cs_cipher_ctx)
5982 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
5983 ssh->cscipher = s->cscipher_tobe;
5984 ssh->cs_cipher_ctx = ssh->cscipher->make_context();
5986 if (ssh->cs_mac_ctx)
5987 ssh->csmac->free_context(ssh->cs_mac_ctx);
5988 ssh->csmac = s->csmac_tobe;
5989 ssh->cs_mac_ctx = ssh->csmac->make_context();
5991 if (ssh->cs_comp_ctx)
5992 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
5993 ssh->cscomp = s->cscomp_tobe;
5994 ssh->cs_comp_ctx = ssh->cscomp->compress_init();
5997 * Set IVs on client-to-server keys. Here we use the exchange
5998 * hash from the _first_ key exchange.
6001 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
6002 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6003 ssh2_mkkey(ssh,s->K,s->exchange_hash,'C',keyspace);
6004 assert((ssh->cscipher->keylen+7) / 8 <=
6005 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6006 ssh->cscipher->setkey(ssh->cs_cipher_ctx, keyspace);
6007 ssh2_mkkey(ssh,s->K,s->exchange_hash,'A',keyspace);
6008 assert(ssh->cscipher->blksize <=
6009 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6010 ssh->cscipher->setiv(ssh->cs_cipher_ctx, keyspace);
6011 ssh2_mkkey(ssh,s->K,s->exchange_hash,'E',keyspace);
6012 assert(ssh->csmac->len <=
6013 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6014 ssh->csmac->setkey(ssh->cs_mac_ctx, keyspace);
6015 memset(keyspace, 0, sizeof(keyspace));
6018 logeventf(ssh, "Initialised %.200s client->server encryption",
6019 ssh->cscipher->text_name);
6020 logeventf(ssh, "Initialised %.200s client->server MAC algorithm",
6021 ssh->csmac->text_name);
6022 if (ssh->cscomp->text_name)
6023 logeventf(ssh, "Initialised %s compression",
6024 ssh->cscomp->text_name);
6027 * Now our end of the key exchange is complete, we can send all
6028 * our queued higher-layer packets.
6030 ssh->queueing = FALSE;
6031 ssh2_pkt_queuesend(ssh);
6034 * Expect SSH2_MSG_NEWKEYS from server.
6037 if (pktin->type != SSH2_MSG_NEWKEYS) {
6038 bombout(("expected new-keys packet from server"));
6041 ssh->incoming_data_size = 0; /* start counting from here */
6044 * We've seen server NEWKEYS, so create and initialise
6045 * server-to-client session keys.
6047 if (ssh->sc_cipher_ctx)
6048 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
6049 ssh->sccipher = s->sccipher_tobe;
6050 ssh->sc_cipher_ctx = ssh->sccipher->make_context();
6052 if (ssh->sc_mac_ctx)
6053 ssh->scmac->free_context(ssh->sc_mac_ctx);
6054 ssh->scmac = s->scmac_tobe;
6055 ssh->sc_mac_ctx = ssh->scmac->make_context();
6057 if (ssh->sc_comp_ctx)
6058 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
6059 ssh->sccomp = s->sccomp_tobe;
6060 ssh->sc_comp_ctx = ssh->sccomp->decompress_init();
6063 * Set IVs on server-to-client keys. Here we use the exchange
6064 * hash from the _first_ key exchange.
6067 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
6068 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6069 ssh2_mkkey(ssh,s->K,s->exchange_hash,'D',keyspace);
6070 assert((ssh->sccipher->keylen+7) / 8 <=
6071 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6072 ssh->sccipher->setkey(ssh->sc_cipher_ctx, keyspace);
6073 ssh2_mkkey(ssh,s->K,s->exchange_hash,'B',keyspace);
6074 assert(ssh->sccipher->blksize <=
6075 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6076 ssh->sccipher->setiv(ssh->sc_cipher_ctx, keyspace);
6077 ssh2_mkkey(ssh,s->K,s->exchange_hash,'F',keyspace);
6078 assert(ssh->scmac->len <=
6079 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6080 ssh->scmac->setkey(ssh->sc_mac_ctx, keyspace);
6081 memset(keyspace, 0, sizeof(keyspace));
6083 logeventf(ssh, "Initialised %.200s server->client encryption",
6084 ssh->sccipher->text_name);
6085 logeventf(ssh, "Initialised %.200s server->client MAC algorithm",
6086 ssh->scmac->text_name);
6087 if (ssh->sccomp->text_name)
6088 logeventf(ssh, "Initialised %s decompression",
6089 ssh->sccomp->text_name);
6092 * Free shared secret.
6097 * Key exchange is over. Loop straight back round if we have a
6098 * deferred rekey reason.
6100 if (ssh->deferred_rekey_reason) {
6101 logevent(ssh->deferred_rekey_reason);
6103 ssh->deferred_rekey_reason = NULL;
6104 goto begin_key_exchange;
6108 * Otherwise, schedule a timer for our next rekey.
6110 ssh->kex_in_progress = FALSE;
6111 ssh->last_rekey = GETTICKCOUNT();
6112 if (ssh->cfg.ssh_rekey_time != 0)
6113 ssh->next_rekey = schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
6117 * If this is the first key exchange phase, we must pass the
6118 * SSH2_MSG_NEWKEYS packet to the next layer, not because it
6119 * wants to see it but because it will need time to initialise
6120 * itself before it sees an actual packet. In subsequent key
6121 * exchange phases, we don't pass SSH2_MSG_NEWKEYS on, because
6122 * it would only confuse the layer above.
6124 if (s->activated_authconn) {
6127 s->activated_authconn = TRUE;
6130 * Now we're encrypting. Begin returning 1 to the protocol main
6131 * function so that other things can run on top of the
6132 * transport. If we ever see a KEXINIT, we must go back to the
6135 * We _also_ go back to the start if we see pktin==NULL and
6136 * inlen==-1, because this is a special signal meaning
6137 * `initiate client-driven rekey', and `in' contains a message
6138 * giving the reason for the rekey.
6140 while (!((pktin && pktin->type == SSH2_MSG_KEXINIT) ||
6141 (!pktin && inlen == -1))) {
6146 logevent("Server initiated key re-exchange");
6149 * Special case: if the server bug is set that doesn't
6150 * allow rekeying, we give a different log message and
6151 * continue waiting. (If such a server _initiates_ a rekey,
6152 * we process it anyway!)
6154 if ((ssh->remote_bugs & BUG_SSH2_REKEY)) {
6155 logeventf(ssh, "Server bug prevents key re-exchange (%s)",
6157 /* Reset the counters, so that at least this message doesn't
6158 * hit the event log _too_ often. */
6159 ssh->outgoing_data_size = 0;
6160 ssh->incoming_data_size = 0;
6161 if (ssh->cfg.ssh_rekey_time != 0) {
6163 schedule_timer(ssh->cfg.ssh_rekey_time*60*TICKSPERSEC,
6166 goto wait_for_rekey; /* this is utterly horrid */
6168 logeventf(ssh, "Initiating key re-exchange (%s)", (char *)in);
6171 goto begin_key_exchange;
6177 * Add data to an SSH-2 channel output buffer.
6179 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf,
6182 bufchain_add(&c->v.v2.outbuffer, buf, len);
6186 * Attempt to send data on an SSH-2 channel.
6188 static int ssh2_try_send(struct ssh_channel *c)
6191 struct Packet *pktout;
6193 while (c->v.v2.remwindow > 0 && bufchain_size(&c->v.v2.outbuffer) > 0) {
6196 bufchain_prefix(&c->v.v2.outbuffer, &data, &len);
6197 if ((unsigned)len > c->v.v2.remwindow)
6198 len = c->v.v2.remwindow;
6199 if ((unsigned)len > c->v.v2.remmaxpkt)
6200 len = c->v.v2.remmaxpkt;
6201 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_DATA);
6202 ssh2_pkt_adduint32(pktout, c->remoteid);
6203 ssh2_pkt_addstring_start(pktout);
6204 dont_log_data(ssh, pktout, PKTLOG_OMIT);
6205 ssh2_pkt_addstring_data(pktout, data, len);
6206 end_log_omission(ssh, pktout);
6207 ssh2_pkt_send(ssh, pktout);
6208 bufchain_consume(&c->v.v2.outbuffer, len);
6209 c->v.v2.remwindow -= len;
6213 * After having sent as much data as we can, return the amount
6216 return bufchain_size(&c->v.v2.outbuffer);
6219 static void ssh2_try_send_and_unthrottle(struct ssh_channel *c)
6223 return; /* don't send on closing channels */
6224 bufsize = ssh2_try_send(c);
6227 case CHAN_MAINSESSION:
6228 /* stdin need not receive an unthrottle
6229 * notification since it will be polled */
6232 x11_unthrottle(c->u.x11.s);
6235 /* agent sockets are request/response and need no
6236 * buffer management */
6239 pfd_unthrottle(c->u.pfd.s);
6246 * Set up most of a new ssh_channel for SSH-2.
6248 static void ssh2_channel_init(struct ssh_channel *c)
6251 c->localid = alloc_channel_id(ssh);
6253 c->throttling_conn = FALSE;
6254 c->v.v2.locwindow = c->v.v2.locmaxwin = c->v.v2.remlocwin =
6255 ssh->cfg.ssh_simple ? OUR_V2_BIGWIN : OUR_V2_WINSIZE;
6256 c->v.v2.winadj_head = c->v.v2.winadj_tail = NULL;
6257 c->v.v2.throttle_state = UNTHROTTLED;
6258 bufchain_init(&c->v.v2.outbuffer);
6262 * Potentially enlarge the window on an SSH-2 channel.
6264 static void ssh2_set_window(struct ssh_channel *c, int newwin)
6269 * Never send WINDOW_ADJUST for a channel that the remote side
6270 * already thinks it's closed; there's no point, since it won't
6271 * be sending any more data anyway.
6277 * If the remote end has a habit of ignoring maxpkt, limit the
6278 * window so that it has no choice (assuming it doesn't ignore the
6281 if ((ssh->remote_bugs & BUG_SSH2_MAXPKT) && newwin > OUR_V2_MAXPKT)
6282 newwin = OUR_V2_MAXPKT;
6286 * Only send a WINDOW_ADJUST if there's significantly more window
6287 * available than the other end thinks there is. This saves us
6288 * sending a WINDOW_ADJUST for every character in a shell session.
6290 * "Significant" is arbitrarily defined as half the window size.
6292 if (newwin / 2 >= c->v.v2.locwindow) {
6293 struct Packet *pktout;
6297 * In order to keep track of how much window the client
6298 * actually has available, we'd like it to acknowledge each
6299 * WINDOW_ADJUST. We can't do that directly, so we accompany
6300 * it with a CHANNEL_REQUEST that has to be acknowledged.
6302 * This is only necessary if we're opening the window wide.
6303 * If we're not, then throughput is being constrained by
6304 * something other than the maximum window size anyway.
6306 * We also only send this if the main channel has finished its
6307 * initial CHANNEL_REQUESTs and installed the default
6308 * CHANNEL_FAILURE handler, so as not to risk giving it
6309 * unexpected CHANNEL_FAILUREs.
6311 if (newwin == c->v.v2.locmaxwin &&
6312 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE]) {
6313 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
6314 ssh2_pkt_adduint32(pktout, c->remoteid);
6315 ssh2_pkt_addstring(pktout, "winadj@putty.projects.tartarus.org");
6316 ssh2_pkt_addbool(pktout, TRUE);
6317 ssh2_pkt_send(ssh, pktout);
6320 * CHANNEL_FAILURE doesn't come with any indication of
6321 * what message caused it, so we have to keep track of the
6322 * outstanding CHANNEL_REQUESTs ourselves.
6324 wa = snew(struct winadj);
6325 wa->size = newwin - c->v.v2.locwindow;
6327 if (!c->v.v2.winadj_head)
6328 c->v.v2.winadj_head = wa;
6330 c->v.v2.winadj_tail->next = wa;
6331 c->v.v2.winadj_tail = wa;
6332 if (c->v.v2.throttle_state != UNTHROTTLED)
6333 c->v.v2.throttle_state = UNTHROTTLING;
6335 /* Pretend the WINDOW_ADJUST was acked immediately. */
6336 c->v.v2.remlocwin = newwin;
6337 c->v.v2.throttle_state = THROTTLED;
6339 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
6340 ssh2_pkt_adduint32(pktout, c->remoteid);
6341 ssh2_pkt_adduint32(pktout, newwin - c->v.v2.locwindow);
6342 ssh2_pkt_send(ssh, pktout);
6343 c->v.v2.locwindow = newwin;
6348 * Find the channel associated with a message. If there's no channel,
6349 * or it's not properly open, make a noise about it and return NULL.
6351 static struct ssh_channel *ssh2_channel_msg(Ssh ssh, struct Packet *pktin)
6353 unsigned localid = ssh_pkt_getuint32(pktin);
6354 struct ssh_channel *c;
6356 c = find234(ssh->channels, &localid, ssh_channelfind);
6358 (c->halfopen && pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION &&
6359 pktin->type != SSH2_MSG_CHANNEL_OPEN_FAILURE)) {
6360 char *buf = dupprintf("Received %s for %s channel %u",
6361 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx,
6363 c ? "half-open" : "nonexistent", localid);
6364 ssh_disconnect(ssh, NULL, buf, SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6371 static void ssh2_msg_channel_success(Ssh ssh, struct Packet *pktin)
6374 * This should never get called. All channel requests are either
6375 * sent with want_reply false or are sent before this handler gets
6378 struct ssh_channel *c;
6381 c = ssh2_channel_msg(ssh, pktin);
6384 wa = c->v.v2.winadj_head;
6386 ssh_disconnect(ssh, NULL, "Received SSH_MSG_CHANNEL_SUCCESS for "
6387 "\"winadj@putty.projects.tartarus.org\"",
6388 SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6390 ssh_disconnect(ssh, NULL,
6391 "Received unsolicited SSH_MSG_CHANNEL_SUCCESS",
6392 SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6395 static void ssh2_msg_channel_failure(Ssh ssh, struct Packet *pktin)
6398 * The only time this should get called is for "winadj@putty"
6399 * messages sent above. All other channel requests are either
6400 * sent with want_reply false or are sent before this handler gets
6403 struct ssh_channel *c;
6406 c = ssh2_channel_msg(ssh, pktin);
6409 wa = c->v.v2.winadj_head;
6411 ssh_disconnect(ssh, NULL,
6412 "Received unsolicited SSH_MSG_CHANNEL_FAILURE",
6413 SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
6416 c->v.v2.winadj_head = wa->next;
6417 c->v.v2.remlocwin += wa->size;
6420 * winadj messages are only sent when the window is fully open, so
6421 * if we get an ack of one, we know any pending unthrottle is
6424 if (c->v.v2.throttle_state == UNTHROTTLING)
6425 c->v.v2.throttle_state = UNTHROTTLED;
6428 static void ssh2_msg_channel_window_adjust(Ssh ssh, struct Packet *pktin)
6430 struct ssh_channel *c;
6431 c = ssh2_channel_msg(ssh, pktin);
6435 c->v.v2.remwindow += ssh_pkt_getuint32(pktin);
6436 ssh2_try_send_and_unthrottle(c);
6440 static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
6444 struct ssh_channel *c;
6445 c = ssh2_channel_msg(ssh, pktin);
6448 if (pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA &&
6449 ssh_pkt_getuint32(pktin) != SSH2_EXTENDED_DATA_STDERR)
6450 return; /* extended but not stderr */
6451 ssh_pkt_getstring(pktin, &data, &length);
6454 c->v.v2.locwindow -= length;
6455 c->v.v2.remlocwin -= length;
6457 case CHAN_MAINSESSION:
6459 from_backend(ssh->frontend, pktin->type ==
6460 SSH2_MSG_CHANNEL_EXTENDED_DATA,
6464 bufsize = x11_send(c->u.x11.s, data, length);
6467 bufsize = pfd_send(c->u.pfd.s, data, length);
6470 while (length > 0) {
6471 if (c->u.a.lensofar < 4) {
6472 unsigned int l = min(4 - c->u.a.lensofar,
6474 memcpy(c->u.a.msglen + c->u.a.lensofar,
6478 c->u.a.lensofar += l;
6480 if (c->u.a.lensofar == 4) {
6482 4 + GET_32BIT(c->u.a.msglen);
6483 c->u.a.message = snewn(c->u.a.totallen,
6485 memcpy(c->u.a.message, c->u.a.msglen, 4);
6487 if (c->u.a.lensofar >= 4 && length > 0) {
6489 min(c->u.a.totallen - c->u.a.lensofar,
6491 memcpy(c->u.a.message + c->u.a.lensofar,
6495 c->u.a.lensofar += l;
6497 if (c->u.a.lensofar == c->u.a.totallen) {
6500 if (agent_query(c->u.a.message,
6503 ssh_agentf_callback, c))
6504 ssh_agentf_callback(c, reply, replylen);
6505 sfree(c->u.a.message);
6506 c->u.a.lensofar = 0;
6513 * If it looks like the remote end hit the end of its window,
6514 * and we didn't want it to do that, think about using a
6517 if (c->v.v2.remlocwin <= 0 && c->v.v2.throttle_state == UNTHROTTLED &&
6518 c->v.v2.locmaxwin < 0x40000000)
6519 c->v.v2.locmaxwin += OUR_V2_WINSIZE;
6521 * If we are not buffering too much data,
6522 * enlarge the window again at the remote side.
6523 * If we are buffering too much, we may still
6524 * need to adjust the window if the server's
6527 ssh2_set_window(c, bufsize < c->v.v2.locmaxwin ?
6528 c->v.v2.locmaxwin - bufsize : 0);
6530 * If we're either buffering way too much data, or if we're
6531 * buffering anything at all and we're in "simple" mode,
6532 * throttle the whole channel.
6534 if ((bufsize > c->v.v2.locmaxwin ||
6535 (ssh->cfg.ssh_simple && bufsize > 0)) &&
6536 !c->throttling_conn) {
6537 c->throttling_conn = 1;
6538 ssh_throttle_conn(ssh, +1);
6543 static void ssh2_msg_channel_eof(Ssh ssh, struct Packet *pktin)
6545 struct ssh_channel *c;
6547 c = ssh2_channel_msg(ssh, pktin);
6551 if (c->type == CHAN_X11) {
6553 * Remote EOF on an X11 channel means we should
6554 * wrap up and close the channel ourselves.
6556 x11_close(c->u.x11.s);
6558 } else if (c->type == CHAN_AGENT) {
6560 } else if (c->type == CHAN_SOCKDATA) {
6561 pfd_close(c->u.pfd.s);
6566 static void ssh2_msg_channel_close(Ssh ssh, struct Packet *pktin)
6568 struct ssh_channel *c;
6569 struct Packet *pktout;
6571 c = ssh2_channel_msg(ssh, pktin);
6574 /* Do pre-close processing on the channel. */
6576 case CHAN_MAINSESSION:
6577 ssh->mainchan = NULL;
6578 update_specials_menu(ssh->frontend);
6581 if (c->u.x11.s != NULL)
6582 x11_close(c->u.x11.s);
6589 if (c->u.pfd.s != NULL)
6590 pfd_close(c->u.pfd.s);
6594 if (c->closes == 0) {
6595 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6596 ssh2_pkt_adduint32(pktout, c->remoteid);
6597 ssh2_pkt_send(ssh, pktout);
6599 del234(ssh->channels, c);
6600 bufchain_clear(&c->v.v2.outbuffer);
6604 * See if that was the last channel left open.
6605 * (This is only our termination condition if we're
6606 * not running in -N mode.)
6608 if (!ssh->cfg.ssh_no_shell && count234(ssh->channels) == 0) {
6610 * We used to send SSH_MSG_DISCONNECT here,
6611 * because I'd believed that _every_ conforming
6612 * SSH-2 connection had to end with a disconnect
6613 * being sent by at least one side; apparently
6614 * I was wrong and it's perfectly OK to
6615 * unceremoniously slam the connection shut
6616 * when you're done, and indeed OpenSSH feels
6617 * this is more polite than sending a
6618 * DISCONNECT. So now we don't.
6620 ssh_disconnect(ssh, "All channels closed", NULL, 0, TRUE);
6624 static void ssh2_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
6626 struct ssh_channel *c;
6627 struct Packet *pktout;
6629 c = ssh2_channel_msg(ssh, pktin);
6632 if (c->type != CHAN_SOCKDATA_DORMANT)
6633 return; /* dunno why they're confirming this */
6634 c->remoteid = ssh_pkt_getuint32(pktin);
6635 c->halfopen = FALSE;
6636 c->type = CHAN_SOCKDATA;
6637 c->v.v2.remwindow = ssh_pkt_getuint32(pktin);
6638 c->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
6640 pfd_confirm(c->u.pfd.s);
6643 * We have a pending close on this channel,
6644 * which we decided on before the server acked
6645 * the channel open. So now we know the
6646 * remoteid, we can close it again.
6648 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
6649 ssh2_pkt_adduint32(pktout, c->remoteid);
6650 ssh2_pkt_send(ssh, pktout);
6654 static void ssh2_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
6656 static const char *const reasons[] = {
6657 "<unknown reason code>",
6658 "Administratively prohibited",
6660 "Unknown channel type",
6661 "Resource shortage",
6663 unsigned reason_code;
6664 char *reason_string;
6666 struct ssh_channel *c;
6667 c = ssh2_channel_msg(ssh, pktin);
6670 if (c->type != CHAN_SOCKDATA_DORMANT)
6671 return; /* dunno why they're failing this */
6673 reason_code = ssh_pkt_getuint32(pktin);
6674 if (reason_code >= lenof(reasons))
6675 reason_code = 0; /* ensure reasons[reason_code] in range */
6676 ssh_pkt_getstring(pktin, &reason_string, &reason_length);
6677 logeventf(ssh, "Forwarded connection refused by server: %s [%.*s]",
6678 reasons[reason_code], reason_length, reason_string);
6680 pfd_close(c->u.pfd.s);
6682 del234(ssh->channels, c);
6686 static void ssh2_msg_channel_request(Ssh ssh, struct Packet *pktin)
6689 int typelen, want_reply;
6690 int reply = SSH2_MSG_CHANNEL_FAILURE; /* default */
6691 struct ssh_channel *c;
6692 struct Packet *pktout;
6694 c = ssh2_channel_msg(ssh, pktin);
6697 ssh_pkt_getstring(pktin, &type, &typelen);
6698 want_reply = ssh2_pkt_getbool(pktin);
6701 * Having got the channel number, we now look at
6702 * the request type string to see if it's something
6705 if (c == ssh->mainchan) {
6707 * We recognise "exit-status" and "exit-signal" on
6708 * the primary channel.
6710 if (typelen == 11 &&
6711 !memcmp(type, "exit-status", 11)) {
6713 ssh->exitcode = ssh_pkt_getuint32(pktin);
6714 logeventf(ssh, "Server sent command exit status %d",
6716 reply = SSH2_MSG_CHANNEL_SUCCESS;
6718 } else if (typelen == 11 &&
6719 !memcmp(type, "exit-signal", 11)) {
6721 int is_plausible = TRUE, is_int = FALSE;
6722 char *fmt_sig = "", *fmt_msg = "";
6724 int msglen = 0, core = FALSE;
6725 /* ICK: older versions of OpenSSH (e.g. 3.4p1)
6726 * provide an `int' for the signal, despite its
6727 * having been a `string' in the drafts of RFC 4254 since at
6728 * least 2001. (Fixed in session.c 1.147.) Try to
6729 * infer which we can safely parse it as. */
6731 unsigned char *p = pktin->body +
6733 long len = pktin->length - pktin->savedpos;
6734 unsigned long num = GET_32BIT(p); /* what is it? */
6735 /* If it's 0, it hardly matters; assume string */
6739 int maybe_int = FALSE, maybe_str = FALSE;
6740 #define CHECK_HYPOTHESIS(offset, result) \
6743 if (q >= 0 && q+4 <= len) { \
6744 q = q + 4 + GET_32BIT(p+q); \
6745 if (q >= 0 && q+4 <= len && \
6746 ((q = q + 4 + GET_32BIT(p+q))!= 0) && q == len) \
6750 CHECK_HYPOTHESIS(4+1, maybe_int);
6751 CHECK_HYPOTHESIS(4+num+1, maybe_str);
6752 #undef CHECK_HYPOTHESIS
6753 if (maybe_int && !maybe_str)
6755 else if (!maybe_int && maybe_str)
6758 /* Crikey. Either or neither. Panic. */
6759 is_plausible = FALSE;
6762 ssh->exitcode = 128; /* means `unknown signal' */
6765 /* Old non-standard OpenSSH. */
6766 int signum = ssh_pkt_getuint32(pktin);
6767 fmt_sig = dupprintf(" %d", signum);
6768 ssh->exitcode = 128 + signum;
6770 /* As per RFC 4254. */
6773 ssh_pkt_getstring(pktin, &sig, &siglen);
6774 /* Signal name isn't supposed to be blank, but
6775 * let's cope gracefully if it is. */
6777 fmt_sig = dupprintf(" \"%.*s\"",
6782 * Really hideous method of translating the
6783 * signal description back into a locally
6784 * meaningful number.
6789 #define TRANSLATE_SIGNAL(s) \
6790 else if (siglen == lenof(#s)-1 && !memcmp(sig, #s, siglen)) \
6791 ssh->exitcode = 128 + SIG ## s
6793 TRANSLATE_SIGNAL(ABRT);
6796 TRANSLATE_SIGNAL(ALRM);
6799 TRANSLATE_SIGNAL(FPE);
6802 TRANSLATE_SIGNAL(HUP);
6805 TRANSLATE_SIGNAL(ILL);
6808 TRANSLATE_SIGNAL(INT);
6811 TRANSLATE_SIGNAL(KILL);
6814 TRANSLATE_SIGNAL(PIPE);
6817 TRANSLATE_SIGNAL(QUIT);
6820 TRANSLATE_SIGNAL(SEGV);
6823 TRANSLATE_SIGNAL(TERM);
6826 TRANSLATE_SIGNAL(USR1);
6829 TRANSLATE_SIGNAL(USR2);
6831 #undef TRANSLATE_SIGNAL
6833 ssh->exitcode = 128;
6835 core = ssh2_pkt_getbool(pktin);
6836 ssh_pkt_getstring(pktin, &msg, &msglen);
6838 fmt_msg = dupprintf(" (\"%.*s\")", msglen, msg);
6840 /* ignore lang tag */
6841 } /* else don't attempt to parse */
6842 logeventf(ssh, "Server exited on signal%s%s%s",
6843 fmt_sig, core ? " (core dumped)" : "",
6845 if (*fmt_sig) sfree(fmt_sig);
6846 if (*fmt_msg) sfree(fmt_msg);
6847 reply = SSH2_MSG_CHANNEL_SUCCESS;
6852 * This is a channel request we don't know
6853 * about, so we now either ignore the request
6854 * or respond with CHANNEL_FAILURE, depending
6857 reply = SSH2_MSG_CHANNEL_FAILURE;
6860 pktout = ssh2_pkt_init(reply);
6861 ssh2_pkt_adduint32(pktout, c->remoteid);
6862 ssh2_pkt_send(ssh, pktout);
6866 static void ssh2_msg_global_request(Ssh ssh, struct Packet *pktin)
6869 int typelen, want_reply;
6870 struct Packet *pktout;
6872 ssh_pkt_getstring(pktin, &type, &typelen);
6873 want_reply = ssh2_pkt_getbool(pktin);
6876 * We currently don't support any global requests
6877 * at all, so we either ignore the request or
6878 * respond with REQUEST_FAILURE, depending on
6882 pktout = ssh2_pkt_init(SSH2_MSG_REQUEST_FAILURE);
6883 ssh2_pkt_send(ssh, pktout);
6887 static void ssh2_msg_channel_open(Ssh ssh, struct Packet *pktin)
6895 struct ssh_channel *c;
6896 unsigned remid, winsize, pktsize;
6897 struct Packet *pktout;
6899 ssh_pkt_getstring(pktin, &type, &typelen);
6900 c = snew(struct ssh_channel);
6903 remid = ssh_pkt_getuint32(pktin);
6904 winsize = ssh_pkt_getuint32(pktin);
6905 pktsize = ssh_pkt_getuint32(pktin);
6907 if (typelen == 3 && !memcmp(type, "x11", 3)) {
6910 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
6911 addrstr = snewn(peeraddrlen+1, char);
6912 memcpy(addrstr, peeraddr, peeraddrlen);
6913 addrstr[peeraddrlen] = '\0';
6914 peerport = ssh_pkt_getuint32(pktin);
6916 logeventf(ssh, "Received X11 connect request from %s:%d",
6919 if (!ssh->X11_fwd_enabled)
6920 error = "X11 forwarding is not enabled";
6921 else if (x11_init(&c->u.x11.s, ssh->cfg.x11_display, c,
6922 ssh->x11auth, addrstr, peerport,
6923 &ssh->cfg) != NULL) {
6924 error = "Unable to open an X11 connection";
6926 logevent("Opening X11 forward connection succeeded");
6931 } else if (typelen == 15 &&
6932 !memcmp(type, "forwarded-tcpip", 15)) {
6933 struct ssh_rportfwd pf, *realpf;
6936 ssh_pkt_getstring(pktin, &dummy, &dummylen);/* skip address */
6937 pf.sport = ssh_pkt_getuint32(pktin);
6938 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
6939 peerport = ssh_pkt_getuint32(pktin);
6940 realpf = find234(ssh->rportfwds, &pf, NULL);
6941 logeventf(ssh, "Received remote port %d open request "
6942 "from %s:%d", pf.sport, peeraddr, peerport);
6943 if (realpf == NULL) {
6944 error = "Remote port is not recognised";
6946 const char *e = pfd_newconnect(&c->u.pfd.s,
6950 realpf->pfrec->addressfamily);
6951 logeventf(ssh, "Attempting to forward remote port to "
6952 "%s:%d", realpf->dhost, realpf->dport);
6954 logeventf(ssh, "Port open failed: %s", e);
6955 error = "Port open failed";
6957 logevent("Forwarded port opened successfully");
6958 c->type = CHAN_SOCKDATA;
6961 } else if (typelen == 22 &&
6962 !memcmp(type, "auth-agent@openssh.com", 22)) {
6963 if (!ssh->agentfwd_enabled)
6964 error = "Agent forwarding is not enabled";
6966 c->type = CHAN_AGENT; /* identify channel type */
6967 c->u.a.lensofar = 0;
6970 error = "Unsupported channel type requested";
6973 c->remoteid = remid;
6974 c->halfopen = FALSE;
6976 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_FAILURE);
6977 ssh2_pkt_adduint32(pktout, c->remoteid);
6978 ssh2_pkt_adduint32(pktout, SSH2_OPEN_CONNECT_FAILED);
6979 ssh2_pkt_addstring(pktout, error);
6980 ssh2_pkt_addstring(pktout, "en"); /* language tag */
6981 ssh2_pkt_send(ssh, pktout);
6982 logeventf(ssh, "Rejected channel open: %s", error);
6985 ssh2_channel_init(c);
6986 c->v.v2.remwindow = winsize;
6987 c->v.v2.remmaxpkt = pktsize;
6988 add234(ssh->channels, c);
6989 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
6990 ssh2_pkt_adduint32(pktout, c->remoteid);
6991 ssh2_pkt_adduint32(pktout, c->localid);
6992 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);
6993 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
6994 ssh2_pkt_send(ssh, pktout);
6999 * Buffer banner messages for later display at some convenient point.
7001 static void ssh2_msg_userauth_banner(Ssh ssh, struct Packet *pktin)
7003 /* Arbitrary limit to prevent unbounded inflation of buffer */
7004 if (bufchain_size(&ssh->banner) <= 131072) {
7005 char *banner = NULL;
7007 ssh_pkt_getstring(pktin, &banner, &size);
7009 bufchain_add(&ssh->banner, banner, size);
7013 /* Helper function to deal with sending tty modes for "pty-req" */
7014 static void ssh2_send_ttymode(void *data, char *mode, char *val)
7016 struct Packet *pktout = (struct Packet *)data;
7018 unsigned int arg = 0;
7019 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
7020 if (i == lenof(ssh_ttymodes)) return;
7021 switch (ssh_ttymodes[i].type) {
7023 arg = ssh_tty_parse_specchar(val);
7026 arg = ssh_tty_parse_boolean(val);
7029 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
7030 ssh2_pkt_adduint32(pktout, arg);
7034 * Handle the SSH-2 userauth and connection layers.
7036 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
7037 struct Packet *pktin)
7039 struct do_ssh2_authconn_state {
7042 AUTH_TYPE_PUBLICKEY,
7043 AUTH_TYPE_PUBLICKEY_OFFER_LOUD,
7044 AUTH_TYPE_PUBLICKEY_OFFER_QUIET,
7046 AUTH_TYPE_KEYBOARD_INTERACTIVE,
7047 AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
7049 int done_service_req;
7050 int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter;
7051 int tried_pubkey_config, done_agent;
7052 int kbd_inter_refused;
7054 prompts_t *cur_prompt;
7059 void *publickey_blob;
7060 int publickey_bloblen;
7061 int publickey_encrypted;
7062 char *publickey_algorithm;
7063 char *publickey_comment;
7064 unsigned char agent_request[5], *agent_response, *agentp;
7065 int agent_responselen;
7066 unsigned char *pkblob_in_agent;
7068 char *pkblob, *alg, *commentp;
7069 int pklen, alglen, commentlen;
7070 int siglen, retlen, len;
7071 char *q, *agentreq, *ret;
7073 int num_env, env_left, env_ok;
7074 struct Packet *pktout;
7076 crState(do_ssh2_authconn_state);
7078 crBegin(ssh->do_ssh2_authconn_crstate);
7080 s->done_service_req = FALSE;
7081 s->we_are_in = FALSE;
7082 if (!ssh->cfg.ssh_no_userauth) {
7084 * Request userauth protocol, and await a response to it.
7086 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
7087 ssh2_pkt_addstring(s->pktout, "ssh-userauth");
7088 ssh2_pkt_send(ssh, s->pktout);
7089 crWaitUntilV(pktin);
7090 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT)
7091 s->done_service_req = TRUE;
7093 if (!s->done_service_req) {
7095 * Request connection protocol directly, without authentication.
7097 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
7098 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7099 ssh2_pkt_send(ssh, s->pktout);
7100 crWaitUntilV(pktin);
7101 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) {
7102 s->we_are_in = TRUE; /* no auth required */
7104 bombout(("Server refused service request"));
7109 /* Arrange to be able to deal with any BANNERs that come in.
7110 * (We do this now as packets may come in during the next bit.) */
7111 bufchain_init(&ssh->banner);
7112 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] =
7113 ssh2_msg_userauth_banner;
7116 * Misc one-time setup for authentication.
7118 s->publickey_blob = NULL;
7119 if (!s->we_are_in) {
7122 * Load the public half of any configured public key file
7125 if (!filename_is_null(ssh->cfg.keyfile)) {
7127 logeventf(ssh, "Reading private key file \"%.150s\"",
7128 filename_to_str(&ssh->cfg.keyfile));
7129 keytype = key_type(&ssh->cfg.keyfile);
7130 if (keytype == SSH_KEYTYPE_SSH2) {
7133 ssh2_userkey_loadpub(&ssh->cfg.keyfile,
7134 &s->publickey_algorithm,
7135 &s->publickey_bloblen,
7136 &s->publickey_comment, &error);
7137 if (s->publickey_blob) {
7138 s->publickey_encrypted =
7139 ssh2_userkey_encrypted(&ssh->cfg.keyfile, NULL);
7142 logeventf(ssh, "Unable to load private key (%s)",
7144 msgbuf = dupprintf("Unable to load private key file "
7145 "\"%.150s\" (%s)\r\n",
7146 filename_to_str(&ssh->cfg.keyfile),
7148 c_write_str(ssh, msgbuf);
7153 logeventf(ssh, "Unable to use this key file (%s)",
7154 key_type_to_str(keytype));
7155 msgbuf = dupprintf("Unable to use key file \"%.150s\""
7157 filename_to_str(&ssh->cfg.keyfile),
7158 key_type_to_str(keytype));
7159 c_write_str(ssh, msgbuf);
7161 s->publickey_blob = NULL;
7166 * Find out about any keys Pageant has (but if there's a
7167 * public key configured, filter out all others).
7170 s->agent_response = NULL;
7171 s->pkblob_in_agent = NULL;
7172 if (ssh->cfg.tryagent && agent_exists()) {
7176 logevent("Pageant is running. Requesting keys.");
7178 /* Request the keys held by the agent. */
7179 PUT_32BIT(s->agent_request, 1);
7180 s->agent_request[4] = SSH2_AGENTC_REQUEST_IDENTITIES;
7181 if (!agent_query(s->agent_request, 5, &r, &s->agent_responselen,
7182 ssh_agent_callback, ssh)) {
7186 bombout(("Unexpected data from server while"
7187 " waiting for agent response"));
7190 } while (pktin || inlen > 0);
7191 r = ssh->agent_response;
7192 s->agent_responselen = ssh->agent_response_len;
7194 s->agent_response = (unsigned char *) r;
7195 if (s->agent_response && s->agent_responselen >= 5 &&
7196 s->agent_response[4] == SSH2_AGENT_IDENTITIES_ANSWER) {
7199 p = s->agent_response + 5;
7200 s->nkeys = GET_32BIT(p);
7202 logeventf(ssh, "Pageant has %d SSH-2 keys", s->nkeys);
7203 if (s->publickey_blob) {
7204 /* See if configured key is in agent. */
7205 for (keyi = 0; keyi < s->nkeys; keyi++) {
7206 s->pklen = GET_32BIT(p);
7207 if (s->pklen == s->publickey_bloblen &&
7208 !memcmp(p+4, s->publickey_blob,
7209 s->publickey_bloblen)) {
7210 logeventf(ssh, "Pageant key #%d matches "
7211 "configured key file", keyi);
7213 s->pkblob_in_agent = p;
7217 p += GET_32BIT(p) + 4; /* comment */
7219 if (!s->pkblob_in_agent) {
7220 logevent("Configured key file not in Pageant");
7230 * We repeat this whole loop, including the username prompt,
7231 * until we manage a successful authentication. If the user
7232 * types the wrong _password_, they can be sent back to the
7233 * beginning to try another username, if this is configured on.
7234 * (If they specify a username in the config, they are never
7235 * asked, even if they do give a wrong password.)
7237 * I think this best serves the needs of
7239 * - the people who have no configuration, no keys, and just
7240 * want to try repeated (username,password) pairs until they
7241 * type both correctly
7243 * - people who have keys and configuration but occasionally
7244 * need to fall back to passwords
7246 * - people with a key held in Pageant, who might not have
7247 * logged in to a particular machine before; so they want to
7248 * type a username, and then _either_ their key will be
7249 * accepted, _or_ they will type a password. If they mistype
7250 * the username they will want to be able to get back and
7253 s->username[0] = '\0';
7254 s->got_username = FALSE;
7255 while (!s->we_are_in) {
7259 if (s->got_username && !ssh->cfg.change_username) {
7261 * We got a username last time round this loop, and
7262 * with change_username turned off we don't try to get
7265 } else if (!*ssh->cfg.username) {
7266 int ret; /* need not be kept over crReturn */
7267 s->cur_prompt = new_prompts(ssh->frontend);
7268 s->cur_prompt->to_server = TRUE;
7269 s->cur_prompt->name = dupstr("SSH login name");
7270 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE,
7271 lenof(s->username));
7272 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7275 crWaitUntilV(!pktin);
7276 ret = get_userpass_input(s->cur_prompt, in, inlen);
7281 * get_userpass_input() failed to get a username.
7284 free_prompts(s->cur_prompt);
7285 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
7288 memcpy(s->username, s->cur_prompt->prompts[0]->result,
7289 lenof(s->username));
7290 free_prompts(s->cur_prompt);
7293 strncpy(s->username, ssh->cfg.username, sizeof(s->username));
7294 s->username[sizeof(s->username)-1] = '\0';
7295 if ((flags & FLAG_VERBOSE) || (flags & FLAG_INTERACTIVE)) {
7296 stuff = dupprintf("Using username \"%s\".\r\n", s->username);
7297 c_write_str(ssh, stuff);
7301 s->got_username = TRUE;
7304 * Send an authentication request using method "none": (a)
7305 * just in case it succeeds, and (b) so that we know what
7306 * authentication methods we can usefully try next.
7308 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
7310 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7311 ssh2_pkt_addstring(s->pktout, s->username);
7312 ssh2_pkt_addstring(s->pktout, "ssh-connection");/* service requested */
7313 ssh2_pkt_addstring(s->pktout, "none"); /* method */
7314 ssh2_pkt_send(ssh, s->pktout);
7315 s->type = AUTH_TYPE_NONE;
7317 s->we_are_in = FALSE;
7319 s->tried_pubkey_config = FALSE;
7320 s->kbd_inter_refused = FALSE;
7322 /* Reset agent request state. */
7323 s->done_agent = FALSE;
7324 if (s->agent_response) {
7325 if (s->pkblob_in_agent) {
7326 s->agentp = s->pkblob_in_agent;
7328 s->agentp = s->agent_response + 5 + 4;
7335 * Wait for the result of the last authentication request.
7338 crWaitUntilV(pktin);
7340 * Now is a convenient point to spew any banner material
7341 * that we've accumulated. (This should ensure that when
7342 * we exit the auth loop, we haven't any left to deal
7346 int size = bufchain_size(&ssh->banner);
7348 * Don't show the banner if we're operating in
7349 * non-verbose non-interactive mode. (It's probably
7350 * a script, which means nobody will read the
7351 * banner _anyway_, and moreover the printing of
7352 * the banner will screw up processing on the
7353 * output of (say) plink.)
7355 if (size && (flags & (FLAG_VERBOSE | FLAG_INTERACTIVE))) {
7356 char *banner = snewn(size, char);
7357 bufchain_fetch(&ssh->banner, banner, size);
7358 c_write_untrusted(ssh, banner, size);
7361 bufchain_clear(&ssh->banner);
7363 if (pktin->type == SSH2_MSG_USERAUTH_SUCCESS) {
7364 logevent("Access granted");
7365 s->we_are_in = TRUE;
7369 if (pktin->type != SSH2_MSG_USERAUTH_FAILURE) {
7370 bombout(("Strange packet received during authentication: "
7371 "type %d", pktin->type));
7378 * OK, we're now sitting on a USERAUTH_FAILURE message, so
7379 * we can look at the string in it and know what we can
7380 * helpfully try next.
7382 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE) {
7385 ssh_pkt_getstring(pktin, &methods, &methlen);
7386 if (!ssh2_pkt_getbool(pktin)) {
7388 * We have received an unequivocal Access
7389 * Denied. This can translate to a variety of
7392 * - if we'd just tried "none" authentication,
7393 * it's not worth printing anything at all
7395 * - if we'd just tried a public key _offer_,
7396 * the message should be "Server refused our
7397 * key" (or no message at all if the key
7398 * came from Pageant)
7400 * - if we'd just tried anything else, the
7401 * message really should be "Access denied".
7403 * Additionally, if we'd just tried password
7404 * authentication, we should break out of this
7405 * whole loop so as to go back to the username
7406 * prompt (iff we're configured to allow
7407 * username change attempts).
7409 if (s->type == AUTH_TYPE_NONE) {
7411 } else if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD ||
7412 s->type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) {
7413 if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD)
7414 c_write_str(ssh, "Server refused our key\r\n");
7415 logevent("Server refused public key");
7416 } else if (s->type==AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET) {
7417 /* server declined keyboard-interactive; ignore */
7419 c_write_str(ssh, "Access denied\r\n");
7420 logevent("Access denied");
7421 if (s->type == AUTH_TYPE_PASSWORD &&
7422 ssh->cfg.change_username) {
7423 /* XXX perhaps we should allow
7424 * keyboard-interactive to do this too? */
7425 s->we_are_in = FALSE;
7430 c_write_str(ssh, "Further authentication required\r\n");
7431 logevent("Further authentication required");
7435 in_commasep_string("publickey", methods, methlen);
7437 in_commasep_string("password", methods, methlen);
7438 s->can_keyb_inter = ssh->cfg.try_ki_auth &&
7439 in_commasep_string("keyboard-interactive", methods, methlen);
7442 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
7444 if (s->can_pubkey && !s->done_agent && s->nkeys) {
7447 * Attempt public-key authentication using a key from Pageant.
7450 ssh->pkt_actx = SSH2_PKTCTX_PUBLICKEY;
7452 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
7454 /* Unpack key from agent response */
7455 s->pklen = GET_32BIT(s->agentp);
7457 s->pkblob = (char *)s->agentp;
7458 s->agentp += s->pklen;
7459 s->alglen = GET_32BIT(s->pkblob);
7460 s->alg = s->pkblob + 4;
7461 s->commentlen = GET_32BIT(s->agentp);
7463 s->commentp = (char *)s->agentp;
7464 s->agentp += s->commentlen;
7465 /* s->agentp now points at next key, if any */
7467 /* See if server will accept it */
7468 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7469 ssh2_pkt_addstring(s->pktout, s->username);
7470 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7471 /* service requested */
7472 ssh2_pkt_addstring(s->pktout, "publickey");
7474 ssh2_pkt_addbool(s->pktout, FALSE); /* no signature included */
7475 ssh2_pkt_addstring_start(s->pktout);
7476 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
7477 ssh2_pkt_addstring_start(s->pktout);
7478 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7479 ssh2_pkt_send(ssh, s->pktout);
7480 s->type = AUTH_TYPE_PUBLICKEY_OFFER_QUIET;
7482 crWaitUntilV(pktin);
7483 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7485 /* Offer of key refused. */
7492 if (flags & FLAG_VERBOSE) {
7493 c_write_str(ssh, "Authenticating with "
7495 c_write(ssh, s->commentp, s->commentlen);
7496 c_write_str(ssh, "\" from agent\r\n");
7500 * Server is willing to accept the key.
7501 * Construct a SIGN_REQUEST.
7503 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7504 ssh2_pkt_addstring(s->pktout, s->username);
7505 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7506 /* service requested */
7507 ssh2_pkt_addstring(s->pktout, "publickey");
7509 ssh2_pkt_addbool(s->pktout, TRUE); /* signature included */
7510 ssh2_pkt_addstring_start(s->pktout);
7511 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
7512 ssh2_pkt_addstring_start(s->pktout);
7513 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
7515 /* Ask agent for signature. */
7516 s->siglen = s->pktout->length - 5 + 4 +
7517 ssh->v2_session_id_len;
7518 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7520 s->len = 1; /* message type */
7521 s->len += 4 + s->pklen; /* key blob */
7522 s->len += 4 + s->siglen; /* data to sign */
7523 s->len += 4; /* flags */
7524 s->agentreq = snewn(4 + s->len, char);
7525 PUT_32BIT(s->agentreq, s->len);
7526 s->q = s->agentreq + 4;
7527 *s->q++ = SSH2_AGENTC_SIGN_REQUEST;
7528 PUT_32BIT(s->q, s->pklen);
7530 memcpy(s->q, s->pkblob, s->pklen);
7532 PUT_32BIT(s->q, s->siglen);
7534 /* Now the data to be signed... */
7535 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7536 PUT_32BIT(s->q, ssh->v2_session_id_len);
7539 memcpy(s->q, ssh->v2_session_id,
7540 ssh->v2_session_id_len);
7541 s->q += ssh->v2_session_id_len;
7542 memcpy(s->q, s->pktout->data + 5,
7543 s->pktout->length - 5);
7544 s->q += s->pktout->length - 5;
7545 /* And finally the (zero) flags word. */
7547 if (!agent_query(s->agentreq, s->len + 4,
7549 ssh_agent_callback, ssh)) {
7553 bombout(("Unexpected data from server"
7554 " while waiting for agent"
7558 } while (pktin || inlen > 0);
7559 vret = ssh->agent_response;
7560 s->retlen = ssh->agent_response_len;
7565 if (s->ret[4] == SSH2_AGENT_SIGN_RESPONSE) {
7566 logevent("Sending Pageant's response");
7567 ssh2_add_sigblob(ssh, s->pktout,
7568 s->pkblob, s->pklen,
7570 GET_32BIT(s->ret + 5));
7571 ssh2_pkt_send(ssh, s->pktout);
7572 s->type = AUTH_TYPE_PUBLICKEY;
7574 /* FIXME: less drastic response */
7575 bombout(("Pageant failed to answer challenge"));
7581 /* Do we have any keys left to try? */
7582 if (s->pkblob_in_agent) {
7583 s->done_agent = TRUE;
7584 s->tried_pubkey_config = TRUE;
7587 if (s->keyi >= s->nkeys)
7588 s->done_agent = TRUE;
7591 } else if (s->can_pubkey && s->publickey_blob &&
7592 !s->tried_pubkey_config) {
7594 struct ssh2_userkey *key; /* not live over crReturn */
7595 char *passphrase; /* not live over crReturn */
7597 ssh->pkt_actx = SSH2_PKTCTX_PUBLICKEY;
7599 s->tried_pubkey_config = TRUE;
7602 * Try the public key supplied in the configuration.
7604 * First, offer the public blob to see if the server is
7605 * willing to accept it.
7607 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7608 ssh2_pkt_addstring(s->pktout, s->username);
7609 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7610 /* service requested */
7611 ssh2_pkt_addstring(s->pktout, "publickey"); /* method */
7612 ssh2_pkt_addbool(s->pktout, FALSE);
7613 /* no signature included */
7614 ssh2_pkt_addstring(s->pktout, s->publickey_algorithm);
7615 ssh2_pkt_addstring_start(s->pktout);
7616 ssh2_pkt_addstring_data(s->pktout,
7617 (char *)s->publickey_blob,
7618 s->publickey_bloblen);
7619 ssh2_pkt_send(ssh, s->pktout);
7620 logevent("Offered public key");
7622 crWaitUntilV(pktin);
7623 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
7624 /* Key refused. Give up. */
7625 s->gotit = TRUE; /* reconsider message next loop */
7626 s->type = AUTH_TYPE_PUBLICKEY_OFFER_LOUD;
7627 continue; /* process this new message */
7629 logevent("Offer of public key accepted");
7632 * Actually attempt a serious authentication using
7635 if (flags & FLAG_VERBOSE) {
7636 c_write_str(ssh, "Authenticating with public key \"");
7637 c_write_str(ssh, s->publickey_comment);
7638 c_write_str(ssh, "\"\r\n");
7642 const char *error; /* not live over crReturn */
7643 if (s->publickey_encrypted) {
7645 * Get a passphrase from the user.
7647 int ret; /* need not be kept over crReturn */
7648 s->cur_prompt = new_prompts(ssh->frontend);
7649 s->cur_prompt->to_server = FALSE;
7650 s->cur_prompt->name = dupstr("SSH key passphrase");
7651 add_prompt(s->cur_prompt,
7652 dupprintf("Passphrase for key \"%.100s\": ",
7653 s->publickey_comment),
7654 FALSE, SSH_MAX_PASSWORD_LEN);
7655 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7658 crWaitUntilV(!pktin);
7659 ret = get_userpass_input(s->cur_prompt,
7664 /* Failed to get a passphrase. Terminate. */
7665 free_prompts(s->cur_prompt);
7666 ssh_disconnect(ssh, NULL,
7667 "Unable to authenticate",
7668 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7673 dupstr(s->cur_prompt->prompts[0]->result);
7674 free_prompts(s->cur_prompt);
7676 passphrase = NULL; /* no passphrase needed */
7680 * Try decrypting the key.
7682 key = ssh2_load_userkey(&ssh->cfg.keyfile, passphrase,
7685 /* burn the evidence */
7686 memset(passphrase, 0, strlen(passphrase));
7689 if (key == SSH2_WRONG_PASSPHRASE || key == NULL) {
7691 (key == SSH2_WRONG_PASSPHRASE)) {
7692 c_write_str(ssh, "Wrong passphrase\r\n");
7694 /* and loop again */
7696 c_write_str(ssh, "Unable to load private key (");
7697 c_write_str(ssh, error);
7698 c_write_str(ssh, ")\r\n");
7700 break; /* try something else */
7706 unsigned char *pkblob, *sigblob, *sigdata;
7707 int pkblob_len, sigblob_len, sigdata_len;
7711 * We have loaded the private key and the server
7712 * has announced that it's willing to accept it.
7713 * Hallelujah. Generate a signature and send it.
7715 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7716 ssh2_pkt_addstring(s->pktout, s->username);
7717 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7718 /* service requested */
7719 ssh2_pkt_addstring(s->pktout, "publickey");
7721 ssh2_pkt_addbool(s->pktout, TRUE);
7722 /* signature follows */
7723 ssh2_pkt_addstring(s->pktout, key->alg->name);
7724 pkblob = key->alg->public_blob(key->data,
7726 ssh2_pkt_addstring_start(s->pktout);
7727 ssh2_pkt_addstring_data(s->pktout, (char *)pkblob,
7731 * The data to be signed is:
7735 * followed by everything so far placed in the
7738 sigdata_len = s->pktout->length - 5 + 4 +
7739 ssh->v2_session_id_len;
7740 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
7742 sigdata = snewn(sigdata_len, unsigned char);
7744 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
7745 PUT_32BIT(sigdata+p, ssh->v2_session_id_len);
7748 memcpy(sigdata+p, ssh->v2_session_id,
7749 ssh->v2_session_id_len);
7750 p += ssh->v2_session_id_len;
7751 memcpy(sigdata+p, s->pktout->data + 5,
7752 s->pktout->length - 5);
7753 p += s->pktout->length - 5;
7754 assert(p == sigdata_len);
7755 sigblob = key->alg->sign(key->data, (char *)sigdata,
7756 sigdata_len, &sigblob_len);
7757 ssh2_add_sigblob(ssh, s->pktout, pkblob, pkblob_len,
7758 sigblob, sigblob_len);
7763 ssh2_pkt_send(ssh, s->pktout);
7764 s->type = AUTH_TYPE_PUBLICKEY;
7765 key->alg->freekey(key->data);
7768 } else if (s->can_keyb_inter && !s->kbd_inter_refused) {
7771 * Keyboard-interactive authentication.
7774 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE;
7776 ssh->pkt_actx = SSH2_PKTCTX_KBDINTER;
7778 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7779 ssh2_pkt_addstring(s->pktout, s->username);
7780 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7781 /* service requested */
7782 ssh2_pkt_addstring(s->pktout, "keyboard-interactive");
7784 ssh2_pkt_addstring(s->pktout, ""); /* lang */
7785 ssh2_pkt_addstring(s->pktout, ""); /* submethods */
7786 ssh2_pkt_send(ssh, s->pktout);
7788 crWaitUntilV(pktin);
7789 if (pktin->type != SSH2_MSG_USERAUTH_INFO_REQUEST) {
7790 /* Server is not willing to do keyboard-interactive
7791 * at all (or, bizarrely but legally, accepts the
7792 * user without actually issuing any prompts).
7793 * Give up on it entirely. */
7795 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE)
7796 logevent("Keyboard-interactive authentication refused");
7797 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET;
7798 s->kbd_inter_refused = TRUE; /* don't try it again */
7803 * Loop while the server continues to send INFO_REQUESTs.
7805 while (pktin->type == SSH2_MSG_USERAUTH_INFO_REQUEST) {
7807 char *name, *inst, *lang;
7808 int name_len, inst_len, lang_len;
7812 * We've got a fresh USERAUTH_INFO_REQUEST.
7813 * Get the preamble and start building a prompt.
7815 ssh_pkt_getstring(pktin, &name, &name_len);
7816 ssh_pkt_getstring(pktin, &inst, &inst_len);
7817 ssh_pkt_getstring(pktin, &lang, &lang_len);
7818 s->cur_prompt = new_prompts(ssh->frontend);
7819 s->cur_prompt->to_server = TRUE;
7821 /* FIXME: better prefix to distinguish from
7823 s->cur_prompt->name =
7824 dupprintf("SSH server: %.*s", name_len, name);
7825 s->cur_prompt->name_reqd = TRUE;
7827 s->cur_prompt->name =
7828 dupstr("SSH server authentication");
7829 s->cur_prompt->name_reqd = FALSE;
7831 /* FIXME: ugly to print "Using..." in prompt _every_
7832 * time round. Can this be done more subtly? */
7833 s->cur_prompt->instruction =
7834 dupprintf("Using keyboard-interactive authentication.%s%.*s",
7835 inst_len ? "\n" : "", inst_len, inst);
7836 s->cur_prompt->instr_reqd = TRUE;
7839 * Get the prompts from the packet.
7841 s->num_prompts = ssh_pkt_getuint32(pktin);
7842 for (i = 0; i < s->num_prompts; i++) {
7846 static char noprompt[] =
7847 "<server failed to send prompt>: ";
7849 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
7850 echo = ssh2_pkt_getbool(pktin);
7853 prompt_len = lenof(noprompt)-1;
7855 add_prompt(s->cur_prompt,
7856 dupprintf("%.*s", prompt_len, prompt),
7857 echo, SSH_MAX_PASSWORD_LEN);
7861 * Get the user's responses.
7863 if (s->num_prompts) {
7864 int ret; /* not live over crReturn */
7865 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7868 crWaitUntilV(!pktin);
7869 ret = get_userpass_input(s->cur_prompt, in, inlen);
7874 * Failed to get responses. Terminate.
7876 free_prompts(s->cur_prompt);
7877 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7878 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7885 * Send the responses to the server.
7887 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_INFO_RESPONSE);
7888 ssh2_pkt_adduint32(s->pktout, s->num_prompts);
7889 for (i=0; i < s->num_prompts; i++) {
7890 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7891 ssh2_pkt_addstring(s->pktout,
7892 s->cur_prompt->prompts[i]->result);
7893 end_log_omission(ssh, s->pktout);
7895 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
7898 * Get the next packet in case it's another
7901 crWaitUntilV(pktin);
7906 * We should have SUCCESS or FAILURE now.
7910 } else if (s->can_passwd) {
7913 * Plain old password authentication.
7915 int ret; /* not live over crReturn */
7916 int changereq_first_time; /* not live over crReturn */
7918 ssh->pkt_actx = SSH2_PKTCTX_PASSWORD;
7920 s->cur_prompt = new_prompts(ssh->frontend);
7921 s->cur_prompt->to_server = TRUE;
7922 s->cur_prompt->name = dupstr("SSH password");
7923 add_prompt(s->cur_prompt, dupprintf("%.90s@%.90s's password: ",
7926 FALSE, SSH_MAX_PASSWORD_LEN);
7928 ret = get_userpass_input(s->cur_prompt, NULL, 0);
7931 crWaitUntilV(!pktin);
7932 ret = get_userpass_input(s->cur_prompt, in, inlen);
7937 * Failed to get responses. Terminate.
7939 free_prompts(s->cur_prompt);
7940 ssh_disconnect(ssh, NULL, "Unable to authenticate",
7941 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
7946 * Squirrel away the password. (We may need it later if
7947 * asked to change it.)
7949 s->password = dupstr(s->cur_prompt->prompts[0]->result);
7950 free_prompts(s->cur_prompt);
7953 * Send the password packet.
7955 * We pad out the password packet to 256 bytes to make
7956 * it harder for an attacker to find the length of the
7959 * Anyone using a password longer than 256 bytes
7960 * probably doesn't have much to worry about from
7961 * people who find out how long their password is!
7963 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
7964 ssh2_pkt_addstring(s->pktout, s->username);
7965 ssh2_pkt_addstring(s->pktout, "ssh-connection");
7966 /* service requested */
7967 ssh2_pkt_addstring(s->pktout, "password");
7968 ssh2_pkt_addbool(s->pktout, FALSE);
7969 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
7970 ssh2_pkt_addstring(s->pktout, s->password);
7971 end_log_omission(ssh, s->pktout);
7972 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
7973 logevent("Sent password");
7974 s->type = AUTH_TYPE_PASSWORD;
7977 * Wait for next packet, in case it's a password change
7980 crWaitUntilV(pktin);
7981 changereq_first_time = TRUE;
7983 while (pktin->type == SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ) {
7986 * We're being asked for a new password
7987 * (perhaps not for the first time).
7988 * Loop until the server accepts it.
7991 int got_new = FALSE; /* not live over crReturn */
7992 char *prompt; /* not live over crReturn */
7993 int prompt_len; /* not live over crReturn */
7997 if (changereq_first_time)
7998 msg = "Server requested password change";
8000 msg = "Server rejected new password";
8002 c_write_str(ssh, msg);
8003 c_write_str(ssh, "\r\n");
8006 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
8008 s->cur_prompt = new_prompts(ssh->frontend);
8009 s->cur_prompt->to_server = TRUE;
8010 s->cur_prompt->name = dupstr("New SSH password");
8011 s->cur_prompt->instruction =
8012 dupprintf("%.*s", prompt_len, prompt);
8013 s->cur_prompt->instr_reqd = TRUE;
8015 * There's no explicit requirement in the protocol
8016 * for the "old" passwords in the original and
8017 * password-change messages to be the same, and
8018 * apparently some Cisco kit supports password change
8019 * by the user entering a blank password originally
8020 * and the real password subsequently, so,
8021 * reluctantly, we prompt for the old password again.
8023 * (On the other hand, some servers don't even bother
8024 * to check this field.)
8026 add_prompt(s->cur_prompt,
8027 dupstr("Current password (blank for previously entered password): "),
8028 FALSE, SSH_MAX_PASSWORD_LEN);
8029 add_prompt(s->cur_prompt, dupstr("Enter new password: "),
8030 FALSE, SSH_MAX_PASSWORD_LEN);
8031 add_prompt(s->cur_prompt, dupstr("Confirm new password: "),
8032 FALSE, SSH_MAX_PASSWORD_LEN);
8035 * Loop until the user manages to enter the same
8040 ret = get_userpass_input(s->cur_prompt, NULL, 0);
8043 crWaitUntilV(!pktin);
8044 ret = get_userpass_input(s->cur_prompt, in, inlen);
8049 * Failed to get responses. Terminate.
8051 /* burn the evidence */
8052 free_prompts(s->cur_prompt);
8053 memset(s->password, 0, strlen(s->password));
8055 ssh_disconnect(ssh, NULL, "Unable to authenticate",
8056 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
8062 * If the user specified a new original password
8063 * (IYSWIM), overwrite any previously specified
8065 * (A side effect is that the user doesn't have to
8066 * re-enter it if they louse up the new password.)
8068 if (s->cur_prompt->prompts[0]->result[0]) {
8069 memset(s->password, 0, strlen(s->password));
8070 /* burn the evidence */
8073 dupstr(s->cur_prompt->prompts[0]->result);
8077 * Check the two new passwords match.
8079 got_new = (strcmp(s->cur_prompt->prompts[1]->result,
8080 s->cur_prompt->prompts[2]->result)
8083 /* They don't. Silly user. */
8084 c_write_str(ssh, "Passwords do not match\r\n");
8089 * Send the new password (along with the old one).
8090 * (see above for padding rationale)
8092 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
8093 ssh2_pkt_addstring(s->pktout, s->username);
8094 ssh2_pkt_addstring(s->pktout, "ssh-connection");
8095 /* service requested */
8096 ssh2_pkt_addstring(s->pktout, "password");
8097 ssh2_pkt_addbool(s->pktout, TRUE);
8098 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
8099 ssh2_pkt_addstring(s->pktout, s->password);
8100 ssh2_pkt_addstring(s->pktout,
8101 s->cur_prompt->prompts[1]->result);
8102 free_prompts(s->cur_prompt);
8103 end_log_omission(ssh, s->pktout);
8104 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
8105 logevent("Sent new password");
8108 * Now see what the server has to say about it.
8109 * (If it's CHANGEREQ again, it's not happy with the
8112 crWaitUntilV(pktin);
8113 changereq_first_time = FALSE;
8118 * We need to reexamine the current pktin at the top
8119 * of the loop. Either:
8120 * - we weren't asked to change password at all, in
8121 * which case it's a SUCCESS or FAILURE with the
8123 * - we sent a new password, and the server was
8124 * either OK with it (SUCCESS or FAILURE w/partial
8125 * success) or unhappy with the _old_ password
8126 * (FAILURE w/o partial success)
8127 * In any of these cases, we go back to the top of
8128 * the loop and start again.
8133 * We don't need the old password any more, in any
8134 * case. Burn the evidence.
8136 memset(s->password, 0, strlen(s->password));
8141 ssh_disconnect(ssh, NULL,
8142 "No supported authentication methods available",
8143 SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE,
8151 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
8153 /* Clear up various bits and pieces from authentication. */
8154 if (s->publickey_blob) {
8155 sfree(s->publickey_blob);
8156 sfree(s->publickey_comment);
8158 if (s->agent_response)
8159 sfree(s->agent_response);
8162 * Now the connection protocol has started, one way or another.
8165 ssh->channels = newtree234(ssh_channelcmp);
8168 * Set up handlers for some connection protocol messages, so we
8169 * don't have to handle them repeatedly in this coroutine.
8171 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] =
8172 ssh2_msg_channel_window_adjust;
8173 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] =
8174 ssh2_msg_global_request;
8177 * Create the main session channel.
8179 if (ssh->cfg.ssh_no_shell) {
8180 ssh->mainchan = NULL;
8181 } else if (*ssh->cfg.ssh_nc_host) {
8183 * Just start a direct-tcpip channel and use it as the main
8186 ssh->mainchan = snew(struct ssh_channel);
8187 ssh->mainchan->ssh = ssh;
8188 ssh2_channel_init(ssh->mainchan);
8190 "Opening direct-tcpip channel to %s:%d in place of session",
8191 ssh->cfg.ssh_nc_host, ssh->cfg.ssh_nc_port);
8192 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
8193 ssh2_pkt_addstring(s->pktout, "direct-tcpip");
8194 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
8195 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
8196 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
8197 ssh2_pkt_addstring(s->pktout, ssh->cfg.ssh_nc_host);
8198 ssh2_pkt_adduint32(s->pktout, ssh->cfg.ssh_nc_port);
8200 * There's nothing meaningful to put in the originator
8201 * fields, but some servers insist on syntactically correct
8204 ssh2_pkt_addstring(s->pktout, "0.0.0.0");
8205 ssh2_pkt_adduint32(s->pktout, 0);
8206 ssh2_pkt_send(ssh, s->pktout);
8208 crWaitUntilV(pktin);
8209 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
8210 bombout(("Server refused to open a direct-tcpip channel"));
8212 /* FIXME: error data comes back in FAILURE packet */
8214 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
8215 bombout(("Server's channel confirmation cited wrong channel"));
8218 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
8219 ssh->mainchan->halfopen = FALSE;
8220 ssh->mainchan->type = CHAN_MAINSESSION;
8221 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
8222 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
8223 add234(ssh->channels, ssh->mainchan);
8224 update_specials_menu(ssh->frontend);
8225 logevent("Opened direct-tcpip channel");
8228 ssh->mainchan = snew(struct ssh_channel);
8229 ssh->mainchan->ssh = ssh;
8230 ssh2_channel_init(ssh->mainchan);
8231 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
8232 ssh2_pkt_addstring(s->pktout, "session");
8233 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->localid);
8234 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->v.v2.locwindow);/* our window size */
8235 ssh2_pkt_adduint32(s->pktout, OUR_V2_MAXPKT); /* our max pkt size */
8236 ssh2_pkt_send(ssh, s->pktout);
8237 crWaitUntilV(pktin);
8238 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
8239 bombout(("Server refused to open a session"));
8241 /* FIXME: error data comes back in FAILURE packet */
8243 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
8244 bombout(("Server's channel confirmation cited wrong channel"));
8247 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
8248 ssh->mainchan->halfopen = FALSE;
8249 ssh->mainchan->type = CHAN_MAINSESSION;
8250 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
8251 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
8252 add234(ssh->channels, ssh->mainchan);
8253 update_specials_menu(ssh->frontend);
8254 logevent("Opened channel for session");
8255 ssh->ncmode = FALSE;
8259 * Now we have a channel, make dispatch table entries for
8260 * general channel-based messages.
8262 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] =
8263 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] =
8264 ssh2_msg_channel_data;
8265 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = ssh2_msg_channel_eof;
8266 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = ssh2_msg_channel_close;
8267 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] =
8268 ssh2_msg_channel_open_confirmation;
8269 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] =
8270 ssh2_msg_channel_open_failure;
8271 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] =
8272 ssh2_msg_channel_request;
8273 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] =
8274 ssh2_msg_channel_open;
8276 if (ssh->cfg.ssh_simple) {
8278 * This message indicates to the server that we promise
8279 * not to try to run any other channel in parallel with
8280 * this one, so it's safe for it to advertise a very large
8281 * window and leave the flow control to TCP.
8283 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8284 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8285 ssh2_pkt_addstring(s->pktout, "simple@putty.projects.tartarus.org");
8286 ssh2_pkt_addbool(s->pktout, 0); /* no reply */
8287 ssh2_pkt_send(ssh, s->pktout);
8291 * Potentially enable X11 forwarding.
8293 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.x11_forward) {
8294 char proto[20], data[64];
8295 logevent("Requesting X11 forwarding");
8296 ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
8297 data, sizeof(data), ssh->cfg.x11_auth);
8298 x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
8299 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8300 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8301 ssh2_pkt_addstring(s->pktout, "x11-req");
8302 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8303 ssh2_pkt_addbool(s->pktout, 0); /* many connections */
8304 ssh2_pkt_addstring(s->pktout, proto);
8306 * Note that while we blank the X authentication data here, we don't
8307 * take any special action to blank the start of an X11 channel,
8308 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
8309 * without having session blanking enabled is likely to leak your
8310 * cookie into the log.
8312 dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
8313 ssh2_pkt_addstring(s->pktout, data);
8314 end_log_omission(ssh, s->pktout);
8315 ssh2_pkt_adduint32(s->pktout, x11_get_screen_number(ssh->cfg.x11_display));
8316 ssh2_pkt_send(ssh, s->pktout);
8318 crWaitUntilV(pktin);
8320 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8321 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8322 bombout(("Unexpected response to X11 forwarding request:"
8323 " packet type %d", pktin->type));
8326 logevent("X11 forwarding refused");
8328 logevent("X11 forwarding enabled");
8329 ssh->X11_fwd_enabled = TRUE;
8334 * Enable port forwardings.
8336 ssh_setup_portfwd(ssh, &ssh->cfg);
8339 * Potentially enable agent forwarding.
8341 if (ssh->mainchan && !ssh->ncmode && ssh->cfg.agentfwd && agent_exists()) {
8342 logevent("Requesting OpenSSH-style agent forwarding");
8343 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8344 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8345 ssh2_pkt_addstring(s->pktout, "auth-agent-req@openssh.com");
8346 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8347 ssh2_pkt_send(ssh, s->pktout);
8349 crWaitUntilV(pktin);
8351 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8352 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8353 bombout(("Unexpected response to agent forwarding request:"
8354 " packet type %d", pktin->type));
8357 logevent("Agent forwarding refused");
8359 logevent("Agent forwarding enabled");
8360 ssh->agentfwd_enabled = TRUE;
8365 * Now allocate a pty for the session.
8367 if (ssh->mainchan && !ssh->ncmode && !ssh->cfg.nopty) {
8368 /* Unpick the terminal-speed string. */
8369 /* XXX perhaps we should allow no speeds to be sent. */
8370 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
8371 sscanf(ssh->cfg.termspeed, "%d,%d", &ssh->ospeed, &ssh->ispeed);
8372 /* Build the pty request. */
8373 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8374 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
8375 ssh2_pkt_addstring(s->pktout, "pty-req");
8376 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8377 ssh2_pkt_addstring(s->pktout, ssh->cfg.termtype);
8378 ssh2_pkt_adduint32(s->pktout, ssh->term_width);
8379 ssh2_pkt_adduint32(s->pktout, ssh->term_height);
8380 ssh2_pkt_adduint32(s->pktout, 0); /* pixel width */
8381 ssh2_pkt_adduint32(s->pktout, 0); /* pixel height */
8382 ssh2_pkt_addstring_start(s->pktout);
8383 parse_ttymodes(ssh, ssh->cfg.ttymodes,
8384 ssh2_send_ttymode, (void *)s->pktout);
8385 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_ISPEED);
8386 ssh2_pkt_adduint32(s->pktout, ssh->ispeed);
8387 ssh2_pkt_addbyte(s->pktout, SSH2_TTY_OP_OSPEED);
8388 ssh2_pkt_adduint32(s->pktout, ssh->ospeed);
8389 ssh2_pkt_addstring_data(s->pktout, "\0", 1); /* TTY_OP_END */
8390 ssh2_pkt_send(ssh, s->pktout);
8391 ssh->state = SSH_STATE_INTERMED;
8393 crWaitUntilV(pktin);
8395 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8396 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8397 bombout(("Unexpected response to pty request:"
8398 " packet type %d", pktin->type));
8401 c_write_str(ssh, "Server refused to allocate pty\r\n");
8402 ssh->editing = ssh->echoing = 1;
8404 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
8405 ssh->ospeed, ssh->ispeed);
8408 ssh->editing = ssh->echoing = 1;
8412 * Send environment variables.
8414 * Simplest thing here is to send all the requests at once, and
8415 * then wait for a whole bunch of successes or failures.
8417 if (ssh->mainchan && !ssh->ncmode && *ssh->cfg.environmt) {
8418 char *e = ssh->cfg.environmt;
8419 char *var, *varend, *val;
8425 while (*e && *e != '\t') e++;
8427 if (*e == '\t') e++;
8432 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8433 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid);
8434 ssh2_pkt_addstring(s->pktout, "env");
8435 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8436 ssh2_pkt_addstring_start(s->pktout);
8437 ssh2_pkt_addstring_data(s->pktout, var, varend-var);
8438 ssh2_pkt_addstring(s->pktout, val);
8439 ssh2_pkt_send(ssh, s->pktout);
8444 logeventf(ssh, "Sent %d environment variables", s->num_env);
8447 s->env_left = s->num_env;
8449 while (s->env_left > 0) {
8450 crWaitUntilV(pktin);
8452 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8453 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8454 bombout(("Unexpected response to environment request:"
8455 " packet type %d", pktin->type));
8465 if (s->env_ok == s->num_env) {
8466 logevent("All environment variables successfully set");
8467 } else if (s->env_ok == 0) {
8468 logevent("All environment variables refused");
8469 c_write_str(ssh, "Server refused to set environment variables\r\n");
8471 logeventf(ssh, "%d environment variables refused",
8472 s->num_env - s->env_ok);
8473 c_write_str(ssh, "Server refused to set all environment variables\r\n");
8478 * Start a shell or a remote command. We may have to attempt
8479 * this twice if the config data has provided a second choice
8482 if (ssh->mainchan && !ssh->ncmode) while (1) {
8486 if (ssh->fallback_cmd) {
8487 subsys = ssh->cfg.ssh_subsys2;
8488 cmd = ssh->cfg.remote_cmd_ptr2;
8490 subsys = ssh->cfg.ssh_subsys;
8491 cmd = ssh->cfg.remote_cmd_ptr;
8492 if (!cmd) cmd = ssh->cfg.remote_cmd;
8495 s->pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
8496 ssh2_pkt_adduint32(s->pktout, ssh->mainchan->remoteid); /* recipient channel */
8498 ssh2_pkt_addstring(s->pktout, "subsystem");
8499 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8500 ssh2_pkt_addstring(s->pktout, cmd);
8502 ssh2_pkt_addstring(s->pktout, "exec");
8503 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8504 ssh2_pkt_addstring(s->pktout, cmd);
8506 ssh2_pkt_addstring(s->pktout, "shell");
8507 ssh2_pkt_addbool(s->pktout, 1); /* want reply */
8509 ssh2_pkt_send(ssh, s->pktout);
8511 crWaitUntilV(pktin);
8513 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
8514 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
8515 bombout(("Unexpected response to shell/command request:"
8516 " packet type %d", pktin->type));
8520 * We failed to start the command. If this is the
8521 * fallback command, we really are finished; if it's
8522 * not, and if the fallback command exists, try falling
8523 * back to it before complaining.
8525 if (!ssh->fallback_cmd && ssh->cfg.remote_cmd_ptr2 != NULL) {
8526 logevent("Primary command failed; attempting fallback");
8527 ssh->fallback_cmd = TRUE;
8530 bombout(("Server refused to start a shell/command"));
8533 logevent("Started a shell/command");
8538 ssh->state = SSH_STATE_SESSION;
8539 if (ssh->size_needed)
8540 ssh_size(ssh, ssh->term_width, ssh->term_height);
8541 if (ssh->eof_needed)
8542 ssh_special(ssh, TS_EOF);
8545 * All the initial channel requests are done, so install the default
8548 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = ssh2_msg_channel_success;
8549 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = ssh2_msg_channel_failure;
8555 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
8560 s->try_send = FALSE;
8564 * _All_ the connection-layer packets we expect to
8565 * receive are now handled by the dispatch table.
8566 * Anything that reaches here must be bogus.
8569 bombout(("Strange packet received: type %d", pktin->type));
8571 } else if (ssh->mainchan) {
8573 * We have spare data. Add it to the channel buffer.
8575 ssh2_add_channel_data(ssh->mainchan, (char *)in, inlen);
8580 struct ssh_channel *c;
8582 * Try to send data on all channels if we can.
8584 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++)
8585 ssh2_try_send_and_unthrottle(c);
8593 * Handlers for SSH-2 messages that might arrive at any moment.
8595 static void ssh2_msg_disconnect(Ssh ssh, struct Packet *pktin)
8597 /* log reason code in disconnect message */
8601 reason = ssh_pkt_getuint32(pktin);
8602 ssh_pkt_getstring(pktin, &msg, &msglen);
8604 if (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) {
8605 buf = dupprintf("Received disconnect message (%s)",
8606 ssh2_disconnect_reasons[reason]);
8608 buf = dupprintf("Received disconnect message (unknown"
8609 " type %d)", reason);
8613 buf = dupprintf("Disconnection message text: %.*s",
8616 bombout(("Server sent disconnect message\ntype %d (%s):\n\"%.*s\"",
8618 (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
8619 ssh2_disconnect_reasons[reason] : "unknown",
8624 static void ssh2_msg_debug(Ssh ssh, struct Packet *pktin)
8626 /* log the debug message */
8631 /* XXX maybe we should actually take notice of this */
8632 always_display = ssh2_pkt_getbool(pktin);
8633 ssh_pkt_getstring(pktin, &msg, &msglen);
8635 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
8638 static void ssh2_msg_something_unimplemented(Ssh ssh, struct Packet *pktin)
8640 struct Packet *pktout;
8641 pktout = ssh2_pkt_init(SSH2_MSG_UNIMPLEMENTED);
8642 ssh2_pkt_adduint32(pktout, pktin->sequence);
8644 * UNIMPLEMENTED messages MUST appear in the same order as the
8645 * messages they respond to. Hence, never queue them.
8647 ssh2_pkt_send_noqueue(ssh, pktout);
8651 * Handle the top-level SSH-2 protocol.
8653 static void ssh2_protocol_setup(Ssh ssh)
8658 * Most messages cause SSH2_MSG_UNIMPLEMENTED.
8660 for (i = 0; i < 256; i++)
8661 ssh->packet_dispatch[i] = ssh2_msg_something_unimplemented;
8664 * Any message we actually understand, we set to NULL so that
8665 * the coroutines will get it.
8667 ssh->packet_dispatch[SSH2_MSG_UNIMPLEMENTED] = NULL;
8668 ssh->packet_dispatch[SSH2_MSG_SERVICE_REQUEST] = NULL;
8669 ssh->packet_dispatch[SSH2_MSG_SERVICE_ACCEPT] = NULL;
8670 ssh->packet_dispatch[SSH2_MSG_KEXINIT] = NULL;
8671 ssh->packet_dispatch[SSH2_MSG_NEWKEYS] = NULL;
8672 ssh->packet_dispatch[SSH2_MSG_KEXDH_INIT] = NULL;
8673 ssh->packet_dispatch[SSH2_MSG_KEXDH_REPLY] = NULL;
8674 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REQUEST] = NULL; duplicate case value */
8675 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_GROUP] = NULL; duplicate case value */
8676 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_INIT] = NULL;
8677 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REPLY] = NULL;
8678 ssh->packet_dispatch[SSH2_MSG_USERAUTH_REQUEST] = NULL;
8679 ssh->packet_dispatch[SSH2_MSG_USERAUTH_FAILURE] = NULL;
8680 ssh->packet_dispatch[SSH2_MSG_USERAUTH_SUCCESS] = NULL;
8681 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
8682 ssh->packet_dispatch[SSH2_MSG_USERAUTH_PK_OK] = NULL;
8683 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ] = NULL; duplicate case value */
8684 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_REQUEST] = NULL; duplicate case value */
8685 ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_RESPONSE] = NULL;
8686 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] = NULL;
8687 ssh->packet_dispatch[SSH2_MSG_REQUEST_SUCCESS] = NULL;
8688 ssh->packet_dispatch[SSH2_MSG_REQUEST_FAILURE] = NULL;
8689 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] = NULL;
8690 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] = NULL;
8691 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] = NULL;
8692 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] = NULL;
8693 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] = NULL;
8694 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] = NULL;
8695 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = NULL;
8696 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = NULL;
8697 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] = NULL;
8698 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = NULL;
8699 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = NULL;
8702 * These special message types we install handlers for.
8704 ssh->packet_dispatch[SSH2_MSG_DISCONNECT] = ssh2_msg_disconnect;
8705 ssh->packet_dispatch[SSH2_MSG_IGNORE] = ssh_msg_ignore; /* shared with SSH-1 */
8706 ssh->packet_dispatch[SSH2_MSG_DEBUG] = ssh2_msg_debug;
8709 static void ssh2_timer(void *ctx, long now)
8713 if (ssh->state == SSH_STATE_CLOSED)
8716 if (!ssh->kex_in_progress && ssh->cfg.ssh_rekey_time != 0 &&
8717 now - ssh->next_rekey >= 0) {
8718 do_ssh2_transport(ssh, "timeout", -1, NULL);
8722 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
8723 struct Packet *pktin)
8725 unsigned char *in = (unsigned char *)vin;
8726 if (ssh->state == SSH_STATE_CLOSED)
8730 ssh->incoming_data_size += pktin->encrypted_len;
8731 if (!ssh->kex_in_progress &&
8732 ssh->max_data_size != 0 &&
8733 ssh->incoming_data_size > ssh->max_data_size)
8734 do_ssh2_transport(ssh, "too much data received", -1, NULL);
8737 if (pktin && ssh->packet_dispatch[pktin->type]) {
8738 ssh->packet_dispatch[pktin->type](ssh, pktin);
8742 if (!ssh->protocol_initial_phase_done ||
8743 (pktin && pktin->type >= 20 && pktin->type < 50)) {
8744 if (do_ssh2_transport(ssh, in, inlen, pktin) &&
8745 !ssh->protocol_initial_phase_done) {
8746 ssh->protocol_initial_phase_done = TRUE;
8748 * Allow authconn to initialise itself.
8750 do_ssh2_authconn(ssh, NULL, 0, NULL);
8753 do_ssh2_authconn(ssh, in, inlen, pktin);
8758 * Called to set up the connection.
8760 * Returns an error message, or NULL on success.
8762 static const char *ssh_init(void *frontend_handle, void **backend_handle,
8764 char *host, int port, char **realhost, int nodelay,
8770 ssh = snew(struct ssh_tag);
8771 ssh->cfg = *cfg; /* STRUCTURE COPY */
8772 ssh->version = 0; /* when not ready yet */
8775 ssh->v1_cipher_ctx = NULL;
8776 ssh->crcda_ctx = NULL;
8777 ssh->cscipher = NULL;
8778 ssh->cs_cipher_ctx = NULL;
8779 ssh->sccipher = NULL;
8780 ssh->sc_cipher_ctx = NULL;
8782 ssh->cs_mac_ctx = NULL;
8784 ssh->sc_mac_ctx = NULL;
8786 ssh->cs_comp_ctx = NULL;
8788 ssh->sc_comp_ctx = NULL;
8790 ssh->kex_ctx = NULL;
8791 ssh->hostkey = NULL;
8793 ssh->close_expected = FALSE;
8794 ssh->clean_exit = FALSE;
8795 ssh->state = SSH_STATE_PREPACKET;
8796 ssh->size_needed = FALSE;
8797 ssh->eof_needed = FALSE;
8800 ssh->deferred_send_data = NULL;
8801 ssh->deferred_len = 0;
8802 ssh->deferred_size = 0;
8803 ssh->fallback_cmd = 0;
8804 ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
8805 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
8806 ssh->x11auth = NULL;
8807 ssh->v1_compressing = FALSE;
8808 ssh->v2_outgoing_sequence = 0;
8809 ssh->ssh1_rdpkt_crstate = 0;
8810 ssh->ssh2_rdpkt_crstate = 0;
8811 ssh->do_ssh_init_crstate = 0;
8812 ssh->ssh_gotdata_crstate = 0;
8813 ssh->do_ssh1_connection_crstate = 0;
8814 ssh->do_ssh1_login_crstate = 0;
8815 ssh->do_ssh2_transport_crstate = 0;
8816 ssh->do_ssh2_authconn_crstate = 0;
8817 ssh->do_ssh_init_state = NULL;
8818 ssh->do_ssh1_login_state = NULL;
8819 ssh->do_ssh2_transport_state = NULL;
8820 ssh->do_ssh2_authconn_state = NULL;
8823 ssh->mainchan = NULL;
8824 ssh->throttled_all = 0;
8825 ssh->v1_stdout_throttling = 0;
8827 ssh->queuelen = ssh->queuesize = 0;
8828 ssh->queueing = FALSE;
8829 ssh->qhead = ssh->qtail = NULL;
8830 ssh->deferred_rekey_reason = NULL;
8831 bufchain_init(&ssh->queued_incoming_data);
8832 ssh->frozen = FALSE;
8834 *backend_handle = ssh;
8837 if (crypto_startup() == 0)
8838 return "Microsoft high encryption pack not installed!";
8841 ssh->frontend = frontend_handle;
8842 ssh->term_width = ssh->cfg.width;
8843 ssh->term_height = ssh->cfg.height;
8845 ssh->channels = NULL;
8846 ssh->rportfwds = NULL;
8847 ssh->portfwds = NULL;
8852 ssh->conn_throttle_count = 0;
8853 ssh->overall_bufsize = 0;
8854 ssh->fallback_cmd = 0;
8856 ssh->protocol = NULL;
8858 ssh->protocol_initial_phase_done = FALSE;
8862 ssh->incoming_data_size = ssh->outgoing_data_size =
8863 ssh->deferred_data_size = 0L;
8864 ssh->max_data_size = parse_blocksize(ssh->cfg.ssh_rekey_data);
8865 ssh->kex_in_progress = FALSE;
8867 p = connect_to_host(ssh, host, port, realhost, nodelay, keepalive);
8876 static void ssh_free(void *handle)
8878 Ssh ssh = (Ssh) handle;
8879 struct ssh_channel *c;
8880 struct ssh_rportfwd *pf;
8882 if (ssh->v1_cipher_ctx)
8883 ssh->cipher->free_context(ssh->v1_cipher_ctx);
8884 if (ssh->cs_cipher_ctx)
8885 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
8886 if (ssh->sc_cipher_ctx)
8887 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
8888 if (ssh->cs_mac_ctx)
8889 ssh->csmac->free_context(ssh->cs_mac_ctx);
8890 if (ssh->sc_mac_ctx)
8891 ssh->scmac->free_context(ssh->sc_mac_ctx);
8892 if (ssh->cs_comp_ctx) {
8894 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
8896 zlib_compress_cleanup(ssh->cs_comp_ctx);
8898 if (ssh->sc_comp_ctx) {
8900 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
8902 zlib_decompress_cleanup(ssh->sc_comp_ctx);
8905 dh_cleanup(ssh->kex_ctx);
8906 sfree(ssh->savedhost);
8908 while (ssh->queuelen-- > 0)
8909 ssh_free_packet(ssh->queue[ssh->queuelen]);
8912 while (ssh->qhead) {
8913 struct queued_handler *qh = ssh->qhead;
8914 ssh->qhead = qh->next;
8917 ssh->qhead = ssh->qtail = NULL;
8919 if (ssh->channels) {
8920 while ((c = delpos234(ssh->channels, 0)) != NULL) {
8923 if (c->u.x11.s != NULL)
8924 x11_close(c->u.x11.s);
8927 if (c->u.pfd.s != NULL)
8928 pfd_close(c->u.pfd.s);
8933 freetree234(ssh->channels);
8934 ssh->channels = NULL;
8937 if (ssh->rportfwds) {
8938 while ((pf = delpos234(ssh->rportfwds, 0)) != NULL)
8940 freetree234(ssh->rportfwds);
8941 ssh->rportfwds = NULL;
8943 sfree(ssh->deferred_send_data);
8945 x11_free_auth(ssh->x11auth);
8946 sfree(ssh->do_ssh_init_state);
8947 sfree(ssh->do_ssh1_login_state);
8948 sfree(ssh->do_ssh2_transport_state);
8949 sfree(ssh->do_ssh2_authconn_state);
8952 if (ssh->crcda_ctx) {
8953 crcda_free_context(ssh->crcda_ctx);
8954 ssh->crcda_ctx = NULL;
8957 ssh_do_close(ssh, TRUE);
8958 expire_timer_context(ssh);
8960 pinger_free(ssh->pinger);
8961 bufchain_clear(&ssh->queued_incoming_data);
8968 * Reconfigure the SSH backend.
8970 static void ssh_reconfig(void *handle, Config *cfg)
8972 Ssh ssh = (Ssh) handle;
8973 char *rekeying = NULL, rekey_mandatory = FALSE;
8974 unsigned long old_max_data_size;
8976 pinger_reconfig(ssh->pinger, &ssh->cfg, cfg);
8978 ssh_setup_portfwd(ssh, cfg);
8980 if (ssh->cfg.ssh_rekey_time != cfg->ssh_rekey_time &&
8981 cfg->ssh_rekey_time != 0) {
8982 long new_next = ssh->last_rekey + cfg->ssh_rekey_time*60*TICKSPERSEC;
8983 long now = GETTICKCOUNT();
8985 if (new_next - now < 0) {
8986 rekeying = "timeout shortened";
8988 ssh->next_rekey = schedule_timer(new_next - now, ssh2_timer, ssh);
8992 old_max_data_size = ssh->max_data_size;
8993 ssh->max_data_size = parse_blocksize(cfg->ssh_rekey_data);
8994 if (old_max_data_size != ssh->max_data_size &&
8995 ssh->max_data_size != 0) {
8996 if (ssh->outgoing_data_size > ssh->max_data_size ||
8997 ssh->incoming_data_size > ssh->max_data_size)
8998 rekeying = "data limit lowered";
9001 if (ssh->cfg.compression != cfg->compression) {
9002 rekeying = "compression setting changed";
9003 rekey_mandatory = TRUE;
9006 if (ssh->cfg.ssh2_des_cbc != cfg->ssh2_des_cbc ||
9007 memcmp(ssh->cfg.ssh_cipherlist, cfg->ssh_cipherlist,
9008 sizeof(ssh->cfg.ssh_cipherlist))) {
9009 rekeying = "cipher settings changed";
9010 rekey_mandatory = TRUE;
9013 ssh->cfg = *cfg; /* STRUCTURE COPY */
9016 if (!ssh->kex_in_progress) {
9017 do_ssh2_transport(ssh, rekeying, -1, NULL);
9018 } else if (rekey_mandatory) {
9019 ssh->deferred_rekey_reason = rekeying;
9025 * Called to send data down the SSH connection.
9027 static int ssh_send(void *handle, char *buf, int len)
9029 Ssh ssh = (Ssh) handle;
9031 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
9034 ssh->protocol(ssh, (unsigned char *)buf, len, 0);
9036 return ssh_sendbuffer(ssh);
9040 * Called to query the current amount of buffered stdin data.
9042 static int ssh_sendbuffer(void *handle)
9044 Ssh ssh = (Ssh) handle;
9047 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
9051 * If the SSH socket itself has backed up, add the total backup
9052 * size on that to any individual buffer on the stdin channel.
9055 if (ssh->throttled_all)
9056 override_value = ssh->overall_bufsize;
9058 if (ssh->version == 1) {
9059 return override_value;
9060 } else if (ssh->version == 2) {
9061 if (!ssh->mainchan || ssh->mainchan->closes > 0)
9062 return override_value;
9064 return (override_value +
9065 bufchain_size(&ssh->mainchan->v.v2.outbuffer));
9072 * Called to set the size of the window from SSH's POV.
9074 static void ssh_size(void *handle, int width, int height)
9076 Ssh ssh = (Ssh) handle;
9077 struct Packet *pktout;
9079 ssh->term_width = width;
9080 ssh->term_height = height;
9082 switch (ssh->state) {
9083 case SSH_STATE_BEFORE_SIZE:
9084 case SSH_STATE_PREPACKET:
9085 case SSH_STATE_CLOSED:
9086 break; /* do nothing */
9087 case SSH_STATE_INTERMED:
9088 ssh->size_needed = TRUE; /* buffer for later */
9090 case SSH_STATE_SESSION:
9091 if (!ssh->cfg.nopty) {
9092 if (ssh->version == 1) {
9093 send_packet(ssh, SSH1_CMSG_WINDOW_SIZE,
9094 PKT_INT, ssh->term_height,
9095 PKT_INT, ssh->term_width,
9096 PKT_INT, 0, PKT_INT, 0, PKT_END);
9097 } else if (ssh->mainchan) {
9098 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9099 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9100 ssh2_pkt_addstring(pktout, "window-change");
9101 ssh2_pkt_addbool(pktout, 0);
9102 ssh2_pkt_adduint32(pktout, ssh->term_width);
9103 ssh2_pkt_adduint32(pktout, ssh->term_height);
9104 ssh2_pkt_adduint32(pktout, 0);
9105 ssh2_pkt_adduint32(pktout, 0);
9106 ssh2_pkt_send(ssh, pktout);
9114 * Return a list of the special codes that make sense in this
9117 static const struct telnet_special *ssh_get_specials(void *handle)
9119 static const struct telnet_special ssh1_ignore_special[] = {
9120 {"IGNORE message", TS_NOP}
9122 static const struct telnet_special ssh2_transport_specials[] = {
9123 {"IGNORE message", TS_NOP},
9124 {"Repeat key exchange", TS_REKEY},
9126 static const struct telnet_special ssh2_session_specials[] = {
9129 /* These are the signal names defined by RFC 4254.
9130 * They include all the ISO C signals, but are a subset of the POSIX
9131 * required signals. */
9132 {"SIGINT (Interrupt)", TS_SIGINT},
9133 {"SIGTERM (Terminate)", TS_SIGTERM},
9134 {"SIGKILL (Kill)", TS_SIGKILL},
9135 {"SIGQUIT (Quit)", TS_SIGQUIT},
9136 {"SIGHUP (Hangup)", TS_SIGHUP},
9137 {"More signals", TS_SUBMENU},
9138 {"SIGABRT", TS_SIGABRT}, {"SIGALRM", TS_SIGALRM},
9139 {"SIGFPE", TS_SIGFPE}, {"SIGILL", TS_SIGILL},
9140 {"SIGPIPE", TS_SIGPIPE}, {"SIGSEGV", TS_SIGSEGV},
9141 {"SIGUSR1", TS_SIGUSR1}, {"SIGUSR2", TS_SIGUSR2},
9144 static const struct telnet_special specials_end[] = {
9147 /* XXX review this length for any changes: */
9148 static struct telnet_special ssh_specials[lenof(ssh2_transport_specials) +
9149 lenof(ssh2_session_specials) +
9150 lenof(specials_end)];
9151 Ssh ssh = (Ssh) handle;
9153 #define ADD_SPECIALS(name) \
9155 assert((i + lenof(name)) <= lenof(ssh_specials)); \
9156 memcpy(&ssh_specials[i], name, sizeof name); \
9160 if (ssh->version == 1) {
9161 /* Don't bother offering IGNORE if we've decided the remote
9162 * won't cope with it, since we wouldn't bother sending it if
9164 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
9165 ADD_SPECIALS(ssh1_ignore_special);
9166 } else if (ssh->version == 2) {
9167 ADD_SPECIALS(ssh2_transport_specials);
9169 ADD_SPECIALS(ssh2_session_specials);
9170 } /* else we're not ready yet */
9173 ADD_SPECIALS(specials_end);
9174 return ssh_specials;
9182 * Send special codes. TS_EOF is useful for `plink', so you
9183 * can send an EOF and collect resulting output (e.g. `plink
9186 static void ssh_special(void *handle, Telnet_Special code)
9188 Ssh ssh = (Ssh) handle;
9189 struct Packet *pktout;
9191 if (code == TS_EOF) {
9192 if (ssh->state != SSH_STATE_SESSION) {
9194 * Buffer the EOF in case we are pre-SESSION, so we can
9195 * send it as soon as we reach SESSION.
9198 ssh->eof_needed = TRUE;
9201 if (ssh->version == 1) {
9202 send_packet(ssh, SSH1_CMSG_EOF, PKT_END);
9203 } else if (ssh->mainchan) {
9204 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_EOF);
9205 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9206 ssh2_pkt_send(ssh, pktout);
9207 ssh->send_ok = 0; /* now stop trying to read from stdin */
9209 logevent("Sent EOF message");
9210 } else if (code == TS_PING || code == TS_NOP) {
9211 if (ssh->state == SSH_STATE_CLOSED
9212 || ssh->state == SSH_STATE_PREPACKET) return;
9213 if (ssh->version == 1) {
9214 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
9215 send_packet(ssh, SSH1_MSG_IGNORE, PKT_STR, "", PKT_END);
9217 pktout = ssh2_pkt_init(SSH2_MSG_IGNORE);
9218 ssh2_pkt_addstring_start(pktout);
9219 ssh2_pkt_send_noqueue(ssh, pktout);
9221 } else if (code == TS_REKEY) {
9222 if (!ssh->kex_in_progress && ssh->version == 2) {
9223 do_ssh2_transport(ssh, "at user request", -1, NULL);
9225 } else if (code == TS_BRK) {
9226 if (ssh->state == SSH_STATE_CLOSED
9227 || ssh->state == SSH_STATE_PREPACKET) return;
9228 if (ssh->version == 1) {
9229 logevent("Unable to send BREAK signal in SSH-1");
9230 } else if (ssh->mainchan) {
9231 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9232 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9233 ssh2_pkt_addstring(pktout, "break");
9234 ssh2_pkt_addbool(pktout, 0);
9235 ssh2_pkt_adduint32(pktout, 0); /* default break length */
9236 ssh2_pkt_send(ssh, pktout);
9239 /* Is is a POSIX signal? */
9240 char *signame = NULL;
9241 if (code == TS_SIGABRT) signame = "ABRT";
9242 if (code == TS_SIGALRM) signame = "ALRM";
9243 if (code == TS_SIGFPE) signame = "FPE";
9244 if (code == TS_SIGHUP) signame = "HUP";
9245 if (code == TS_SIGILL) signame = "ILL";
9246 if (code == TS_SIGINT) signame = "INT";
9247 if (code == TS_SIGKILL) signame = "KILL";
9248 if (code == TS_SIGPIPE) signame = "PIPE";
9249 if (code == TS_SIGQUIT) signame = "QUIT";
9250 if (code == TS_SIGSEGV) signame = "SEGV";
9251 if (code == TS_SIGTERM) signame = "TERM";
9252 if (code == TS_SIGUSR1) signame = "USR1";
9253 if (code == TS_SIGUSR2) signame = "USR2";
9254 /* The SSH-2 protocol does in principle support arbitrary named
9255 * signals, including signame@domain, but we don't support those. */
9257 /* It's a signal. */
9258 if (ssh->version == 2 && ssh->mainchan) {
9259 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
9260 ssh2_pkt_adduint32(pktout, ssh->mainchan->remoteid);
9261 ssh2_pkt_addstring(pktout, "signal");
9262 ssh2_pkt_addbool(pktout, 0);
9263 ssh2_pkt_addstring(pktout, signame);
9264 ssh2_pkt_send(ssh, pktout);
9265 logeventf(ssh, "Sent signal SIG%s", signame);
9268 /* Never heard of it. Do nothing */
9273 void *new_sock_channel(void *handle, Socket s)
9275 Ssh ssh = (Ssh) handle;
9276 struct ssh_channel *c;
9277 c = snew(struct ssh_channel);
9280 ssh2_channel_init(c);
9282 c->type = CHAN_SOCKDATA_DORMANT;/* identify channel type */
9284 add234(ssh->channels, c);
9289 * This is called when stdout/stderr (the entity to which
9290 * from_backend sends data) manages to clear some backlog.
9292 static void ssh_unthrottle(void *handle, int bufsize)
9294 Ssh ssh = (Ssh) handle;
9297 if (ssh->version == 1) {
9298 if (ssh->v1_stdout_throttling && bufsize < SSH1_BUFFER_LIMIT) {
9299 ssh->v1_stdout_throttling = 0;
9300 ssh_throttle_conn(ssh, -1);
9303 if (ssh->mainchan) {
9304 ssh2_set_window(ssh->mainchan,
9305 bufsize < ssh->mainchan->v.v2.locmaxwin ?
9306 ssh->mainchan->v.v2.locmaxwin - bufsize : 0);
9307 if (ssh->cfg.ssh_simple)
9310 buflimit = ssh->mainchan->v.v2.locmaxwin;
9311 if (ssh->mainchan->throttling_conn && bufsize <= buflimit) {
9312 ssh->mainchan->throttling_conn = 0;
9313 ssh_throttle_conn(ssh, -1);
9319 void ssh_send_port_open(void *channel, char *hostname, int port, char *org)
9321 struct ssh_channel *c = (struct ssh_channel *)channel;
9323 struct Packet *pktout;
9325 logeventf(ssh, "Opening forwarded connection to %s:%d", hostname, port);
9327 if (ssh->version == 1) {
9328 send_packet(ssh, SSH1_MSG_PORT_OPEN,
9329 PKT_INT, c->localid,
9332 /* PKT_STR, <org:orgport>, */
9335 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
9336 ssh2_pkt_addstring(pktout, "direct-tcpip");
9337 ssh2_pkt_adduint32(pktout, c->localid);
9338 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);/* our window size */
9339 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
9340 ssh2_pkt_addstring(pktout, hostname);
9341 ssh2_pkt_adduint32(pktout, port);
9343 * We make up values for the originator data; partly it's
9344 * too much hassle to keep track, and partly I'm not
9345 * convinced the server should be told details like that
9346 * about my local network configuration.
9347 * The "originator IP address" is syntactically a numeric
9348 * IP address, and some servers (e.g., Tectia) get upset
9349 * if it doesn't match this syntax.
9351 ssh2_pkt_addstring(pktout, "0.0.0.0");
9352 ssh2_pkt_adduint32(pktout, 0);
9353 ssh2_pkt_send(ssh, pktout);
9357 static int ssh_connected(void *handle)
9359 Ssh ssh = (Ssh) handle;
9360 return ssh->s != NULL;
9363 static int ssh_sendok(void *handle)
9365 Ssh ssh = (Ssh) handle;
9366 return ssh->send_ok;
9369 static int ssh_ldisc(void *handle, int option)
9371 Ssh ssh = (Ssh) handle;
9372 if (option == LD_ECHO)
9373 return ssh->echoing;
9374 if (option == LD_EDIT)
9375 return ssh->editing;
9379 static void ssh_provide_ldisc(void *handle, void *ldisc)
9381 Ssh ssh = (Ssh) handle;
9385 static void ssh_provide_logctx(void *handle, void *logctx)
9387 Ssh ssh = (Ssh) handle;
9388 ssh->logctx = logctx;
9391 static int ssh_return_exitcode(void *handle)
9393 Ssh ssh = (Ssh) handle;
9397 return (ssh->exitcode >= 0 ? ssh->exitcode : INT_MAX);
9401 * cfg_info for SSH is the currently running version of the
9402 * protocol. (1 for 1; 2 for 2; 0 for not-decided-yet.)
9404 static int ssh_cfg_info(void *handle)
9406 Ssh ssh = (Ssh) handle;
9407 return ssh->version;
9411 * Gross hack: pscp will try to start SFTP but fall back to scp1 if
9412 * that fails. This variable is the means by which scp.c can reach
9413 * into the SSH code and find out which one it got.
9415 extern int ssh_fallback_cmd(void *handle)
9417 Ssh ssh = (Ssh) handle;
9418 return ssh->fallback_cmd;
9421 Backend ssh_backend = {
9431 ssh_return_exitcode,
projects / PuTTY_svn.git / blob