/*
* OpenSSH encrypt-then-MAC mode: the packet length is
- * unencrypted.
+ * unencrypted, unless the cipher supports length encryption.
*/
for (st->i = st->len = 0; st->i < 4; st->i++) {
while ((*datalen) == 0)
st->pktin->data[st->i] = *(*data)++;
(*datalen)--;
}
- st->len = toint(GET_32BIT(st->pktin->data));
+ /* Cipher supports length decryption, so do it */
+ if (ssh->sccipher && (ssh->sccipher->flags & SSH_CIPHER_SEPARATE_LENGTH)) {
+ /* Keep the packet the same though, so the MAC passes */
+ unsigned char len[4];
+ memcpy(len, st->pktin->data, 4);
+ ssh->sccipher->decrypt_length(ssh->sc_cipher_ctx, len, 4, st->incoming_sequence);
+ st->len = toint(GET_32BIT(len));
+ } else {
+ st->len = toint(GET_32BIT(st->pktin->data));
+ }
/*
* _Completely_ silly lengths should be stomped on before they
for (i = 0; i < padding; i++)
pkt->data[pkt->length + i] = random_byte();
PUT_32BIT(pkt->data, pkt->length + padding - 4);
+
+ /* Encrypt length if the scheme requires it */
+ if (ssh->cscipher && (ssh->cscipher->flags & SSH_CIPHER_SEPARATE_LENGTH)) {
+ ssh->cscipher->encrypt_length(ssh->cs_cipher_ctx, pkt->data, 4,
+ ssh->v2_outgoing_sequence);
+ }
+
if (ssh->csmac && ssh->csmac_etm) {
/*
* OpenSSH-defined encrypt-then-MAC protocol.
/*
* Add a value to the comma-separated string at the end of the packet.
- * If the value is already in the string, don't bother adding it again.
*/
static void ssh2_pkt_addstring_commasep(struct Packet *pkt, const char *data)
{
- if (in_commasep_string(data, (char *)pkt->data + pkt->savedpos,
- pkt->length - pkt->savedpos)) return;
if (pkt->length - pkt->savedpos > 0)
ssh_pkt_addstring_str(pkt, ",");
ssh_pkt_addstring_str(pkt, data);
h->final(s, keyspace + h->hlen);
}
+/*
+ * Structure for constructing KEXINIT algorithm lists.
+ */
+#define MAXKEXLIST 16
+struct kexinit_algorithm {
+ const char *name;
+ union {
+ struct {
+ const struct ssh_kex *kex;
+ int warn;
+ } kex;
+ const struct ssh_signkey *hostkey;
+ struct {
+ const struct ssh2_cipher *cipher;
+ int warn;
+ } cipher;
+ struct {
+ const struct ssh_mac *mac;
+ int etm;
+ } mac;
+ const struct ssh_compress *comp;
+ } u;
+};
+
+/*
+ * Find a slot in a KEXINIT algorithm list to use for a new algorithm.
+ * If the algorithm is already in the list, return a pointer to its
+ * entry, otherwise return an entry from the end of the list.
+ * This assumes that every time a particular name is passed in, it
+ * comes from the same string constant. If this isn't true, this
+ * function may need to be rewritten to use strcmp() instead.
+ */
+static struct kexinit_algorithm *ssh2_kexinit_addalg(struct kexinit_algorithm
+ *list, const char *name)
+{
+ int i;
+
+ for (i = 0; i < MAXKEXLIST; i++)
+ if (list[i].name == NULL || list[i].name == name) {
+ list[i].name = name;
+ return &list[i];
+ }
+ assert(!"No space in KEXINIT list");
+ return NULL;
+}
+
/*
* Handle the SSH-2 transport layer.
*/
int dlgret;
int guessok;
int ignorepkt;
-#define MAXKEXLIST 16
- struct kexinit_algorithm {
- const char *name;
- union {
- struct {
- const struct ssh_kex *kex;
- int warn;
- } kex;
- const struct ssh_signkey *hostkey;
- struct {
- const struct ssh2_cipher *cipher;
- int warn;
- } cipher;
- struct {
- const struct ssh_mac *mac;
- int etm;
- } mac;
- const struct ssh_compress *comp;
- } u;
- } kexlists[NKEXLIST][MAXKEXLIST];
+ struct kexinit_algorithm kexlists[NKEXLIST][MAXKEXLIST];
};
crState(do_ssh2_transport_state);
begin_key_exchange:
ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
{
- int i, j, k, n, warn;
+ int i, j, k, warn;
+ struct kexinit_algorithm *alg;
/*
* Set up the preferred key exchange. (NULL => warn below here)
case CIPHER_ARCFOUR:
s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour;
break;
+ case CIPHER_CHACHA20:
+ s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_ccp;
+ break;
case CIPHER_WARN:
/* Flag for later. Don't bother if it's the last in
* the list. */
for (j = 0; j < MAXKEXLIST; j++)
s->kexlists[i][j].name = NULL;
/* List key exchange algorithms. */
- n = 0;
warn = FALSE;
for (i = 0; i < s->n_preferred_kex; i++) {
const struct ssh_kexes *k = s->preferred_kex[i];
if (!k) warn = TRUE;
else for (j = 0; j < k->nkexes; j++) {
- assert(n < MAXKEXLIST);
- s->kexlists[KEXLIST_KEX][n].name = k->list[j]->name;
- s->kexlists[KEXLIST_KEX][n].u.kex.kex = k->list[j];
- s->kexlists[KEXLIST_KEX][n].u.kex.warn = warn;
- n++;
+ alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_KEX],
+ k->list[j]->name);
+ alg->u.kex.kex = k->list[j];
+ alg->u.kex.warn = warn;
}
}
/* List server host key algorithms. */
if (!s->got_session_id) {
/*
* In the first key exchange, we list all the algorithms
- * we're prepared to cope with.
+ * we're prepared to cope with, but prefer those algorithms
+ * for which we have a host key for this host.
*/
- n = 0;
for (i = 0; i < lenof(hostkey_algs); i++) {
- assert(n < MAXKEXLIST);
- s->kexlists[KEXLIST_HOSTKEY][n].name = hostkey_algs[i]->name;
- s->kexlists[KEXLIST_HOSTKEY][n].u.hostkey = hostkey_algs[i];
- n++;
+ if (have_ssh_host_key(ssh->savedhost, ssh->savedport,
+ hostkey_algs[i]->keytype)) {
+ alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
+ hostkey_algs[i]->name);
+ alg->u.hostkey = hostkey_algs[i];
+ }
+ }
+ for (i = 0; i < lenof(hostkey_algs); i++) {
+ alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
+ hostkey_algs[i]->name);
+ alg->u.hostkey = hostkey_algs[i];
}
} else {
/*
* reverification.
*/
assert(ssh->kex);
- s->kexlists[KEXLIST_HOSTKEY][0].name = ssh->hostkey->name;
- s->kexlists[KEXLIST_HOSTKEY][0].u.hostkey = ssh->hostkey;
+ alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
+ ssh->hostkey->name);
+ alg->u.hostkey = ssh->hostkey;
}
/* List encryption algorithms (client->server then server->client). */
for (k = KEXLIST_CSCIPHER; k <= KEXLIST_SCCIPHER; k++) {
- n = 0;
warn = FALSE;
for (i = 0; i < s->n_preferred_ciphers; i++) {
const struct ssh2_ciphers *c = s->preferred_ciphers[i];
if (!c) warn = TRUE;
else for (j = 0; j < c->nciphers; j++) {
- assert(n < MAXKEXLIST);
- s->kexlists[k][n].name = c->list[j]->name;
- s->kexlists[k][n].u.cipher.cipher = c->list[j];
- s->kexlists[k][n].u.cipher.warn = warn;
- n++;
+ alg = ssh2_kexinit_addalg(s->kexlists[k],
+ c->list[j]->name);
+ alg->u.cipher.cipher = c->list[j];
+ alg->u.cipher.warn = warn;
}
}
}
/* List MAC algorithms (client->server then server->client). */
for (j = KEXLIST_CSMAC; j <= KEXLIST_SCMAC; j++) {
- n = 0;
for (i = 0; i < s->nmacs; i++) {
- assert(n < MAXKEXLIST);
- s->kexlists[j][n].name = s->maclist[i]->name;
- s->kexlists[j][n].u.mac.mac = s->maclist[i];
- s->kexlists[j][n].u.mac.etm = FALSE;
- n++;
+ alg = ssh2_kexinit_addalg(s->kexlists[j], s->maclist[i]->name);
+ alg->u.mac.mac = s->maclist[i];
+ alg->u.mac.etm = FALSE;
}
for (i = 0; i < s->nmacs; i++)
/* For each MAC, there may also be an ETM version,
* which we list second. */
if (s->maclist[i]->etm_name) {
- assert(n < MAXKEXLIST);
- s->kexlists[j][n].name = s->maclist[i]->etm_name;
- s->kexlists[j][n].u.mac.mac = s->maclist[i];
- s->kexlists[j][n].u.mac.etm = TRUE;
- n++;
+ alg = ssh2_kexinit_addalg(s->kexlists[j],
+ s->maclist[i]->etm_name);
+ alg->u.mac.mac = s->maclist[i];
+ alg->u.mac.etm = TRUE;
}
}
/* List client->server compression algorithms,
for (j = KEXLIST_CSCOMP; j <= KEXLIST_SCCOMP; j++) {
assert(lenof(compressions) > 1);
/* Prefer non-delayed versions */
- s->kexlists[j][0].name = s->preferred_comp->name;
- s->kexlists[j][0].u.comp = s->preferred_comp;
+ alg = ssh2_kexinit_addalg(s->kexlists[j], s->preferred_comp->name);
+ alg->u.comp = s->preferred_comp;
/* We don't even list delayed versions of algorithms until
* they're allowed to be used, to avoid a race. See the end of
* this function. */
- n = 1;
if (s->userauth_succeeded && s->preferred_comp->delayed_name) {
- s->kexlists[j][1].name = s->preferred_comp->delayed_name;
- s->kexlists[j][1].u.comp = s->preferred_comp;
- n = 2;
+ alg = ssh2_kexinit_addalg(s->kexlists[j],
+ s->preferred_comp->delayed_name);
+ alg->u.comp = s->preferred_comp;
}
for (i = 0; i < lenof(compressions); i++) {
const struct ssh_compress *c = compressions[i];
- s->kexlists[j][n].name = c->name;
- s->kexlists[j][n].u.comp = c;
- n++;
+ alg = ssh2_kexinit_addalg(s->kexlists[j], c->name);
+ alg->u.comp = c;
if (s->userauth_succeeded && c->delayed_name) {
- s->kexlists[j][n].name = c->delayed_name;
- s->kexlists[j][n].u.comp = c;
- n++;
+ alg = ssh2_kexinit_addalg(s->kexlists[j], c->delayed_name);
+ alg->u.comp = c;
}
}
}
crStopV;
matched:;
}
+
+ /* If the cipher over-rides the mac, then pick it */
+ if (s->cscipher_tobe && s->cscipher_tobe->required_mac) {
+ s->csmac_tobe = s->cscipher_tobe->required_mac;
+ s->csmac_etm_tobe = !!(s->csmac_tobe->etm_name);
+ }
+ if (s->sccipher_tobe && s->sccipher_tobe->required_mac) {
+ s->scmac_tobe = s->sccipher_tobe->required_mac;
+ s->scmac_etm_tobe = !!(s->scmac_tobe->etm_name);
+ }
+
if (s->pending_compression) {
logevent("Server supports delayed compression; "
"will try this later");
}
set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
+ if (!s->hostkeydata) {
+ bombout(("unable to parse key exchange reply packet"));
+ crStopV;
+ }
s->hkey = ssh->hostkey->newkey(ssh->hostkey,
s->hostkeydata, s->hostkeylen);
s->f = ssh2_pkt_getmp(pktin);
crStopV;
}
ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
+ if (!s->sigdata) {
+ bombout(("unable to parse key exchange reply packet"));
+ crStopV;
+ }
{
const char *err = dh_validate_f(ssh->kex_ctx, s->f);
}
} else if (ssh->kex->main_type == KEXTYPE_ECDH) {
- logeventf(ssh, "Doing ECDH key exchange with hash %s",
+ logeventf(ssh, "Doing ECDH key exchange with curve %s and hash %s",
+ ssh_ecdhkex_curve_textname(ssh->kex),
ssh->kex->hash->text_name);
ssh->pkt_kctx = SSH2_PKTCTX_ECDHKEX;
}
ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
+ if (!s->hostkeydata) {
+ bombout(("unable to parse ECDH reply packet"));
+ crStopV;
+ }
hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
s->hkey = ssh->hostkey->newkey(ssh->hostkey,
s->hostkeydata, s->hostkeylen);
char *keydata;
int keylen;
ssh_pkt_getstring(pktin, &keydata, &keylen);
+ if (!keydata) {
+ bombout(("unable to parse ECDH reply packet"));
+ crStopV;
+ }
hash_string(ssh->kex->hash, ssh->exhash, keydata, keylen);
s->K = ssh_ecdhkex_getkey(s->eckey, keydata, keylen);
if (!s->K) {
}
ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
+ if (!s->sigdata) {
+ bombout(("unable to parse key exchange reply packet"));
+ crStopV;
+ }
ssh_ecdhkex_freekey(s->eckey);
} else {
}
ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
+ if (!s->hostkeydata) {
+ bombout(("unable to parse RSA public key packet"));
+ crStopV;
+ }
hash_string(ssh->kex->hash, ssh->exhash,
s->hostkeydata, s->hostkeylen);
s->hkey = ssh->hostkey->newkey(ssh->hostkey,
{
char *keydata;
ssh_pkt_getstring(pktin, &keydata, &s->rsakeylen);
+ if (!keydata) {
+ bombout(("unable to parse RSA public key packet"));
+ crStopV;
+ }
s->rsakeydata = snewn(s->rsakeylen, char);
memcpy(s->rsakeydata, keydata, s->rsakeylen);
}
}
ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
+ if (!s->sigdata) {
+ bombout(("unable to parse signature packet"));
+ crStopV;
+ }
sfree(s->rsakeydata);
}
ssh->csmac->free_context(ssh->cs_mac_ctx);
ssh->csmac = s->csmac_tobe;
ssh->csmac_etm = s->csmac_etm_tobe;
- ssh->cs_mac_ctx = ssh->csmac->make_context();
+ ssh->cs_mac_ctx = ssh->csmac->make_context(ssh->cs_cipher_ctx);
if (ssh->cs_comp_ctx)
ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
logeventf(ssh, "Initialised %.200s client->server encryption",
ssh->cscipher->text_name);
- logeventf(ssh, "Initialised %.200s client->server MAC algorithm%s",
+ logeventf(ssh, "Initialised %.200s client->server MAC algorithm%s%s",
ssh->csmac->text_name,
- ssh->csmac_etm ? " (in ETM mode)" : "");
+ ssh->csmac_etm ? " (in ETM mode)" : "",
+ ssh->cscipher->required_mac ? " (required by cipher)" : "");
if (ssh->cscomp->text_name)
logeventf(ssh, "Initialised %s compression",
ssh->cscomp->text_name);
ssh->scmac->free_context(ssh->sc_mac_ctx);
ssh->scmac = s->scmac_tobe;
ssh->scmac_etm = s->scmac_etm_tobe;
- ssh->sc_mac_ctx = ssh->scmac->make_context();
+ ssh->sc_mac_ctx = ssh->scmac->make_context(ssh->sc_cipher_ctx);
if (ssh->sc_comp_ctx)
ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
}
logeventf(ssh, "Initialised %.200s server->client encryption",
ssh->sccipher->text_name);
- logeventf(ssh, "Initialised %.200s server->client MAC algorithm%s",
+ logeventf(ssh, "Initialised %.200s server->client MAC algorithm%s%s",
ssh->scmac->text_name,
- ssh->scmac_etm ? " (in ETM mode)" : "");
+ ssh->scmac_etm ? " (in ETM mode)" : "",
+ ssh->sccipher->required_mac ? " (required by cipher)" : "");
if (ssh->sccomp->text_name)
logeventf(ssh, "Initialised %s decompression",
ssh->sccomp->text_name);
{
if (ssh->version == 2 &&
!conf_get_int(ssh->conf, CONF_ssh_no_shell) &&
- count234(ssh->channels) == 0 &&
+ (ssh->channels && count234(ssh->channels) == 0) &&
!(ssh->connshare && share_ndownstreams(ssh->connshare) > 0)) {
/*
* We used to send SSH_MSG_DISCONNECT here, because I'd
}
}
-void ssh_sharing_downstream_connected(Ssh ssh, unsigned id)
+void ssh_sharing_downstream_connected(Ssh ssh, unsigned id,
+ const char *peerinfo)
{
- logeventf(ssh, "Connection sharing downstream #%u connected", id);
+ if (peerinfo)
+ logeventf(ssh, "Connection sharing downstream #%u connected from %s",
+ id, peerinfo);
+ else
+ logeventf(ssh, "Connection sharing downstream #%u connected", id);
}
void ssh_sharing_downstream_disconnected(Ssh ssh, unsigned id)
s->can_keyb_inter = conf_get_int(ssh->conf, CONF_try_ki_auth) &&
in_commasep_string("keyboard-interactive", methods, methlen);
#ifndef NO_GSSAPI
- if (!ssh->gsslibs)
- ssh->gsslibs = ssh_gss_setup(ssh->conf);
- s->can_gssapi = conf_get_int(ssh->conf, CONF_try_gssapi_auth) &&
- in_commasep_string("gssapi-with-mic", methods, methlen) &&
- ssh->gsslibs->nlibraries > 0;
+ if (conf_get_int(ssh->conf, CONF_try_gssapi_auth) &&
+ in_commasep_string("gssapi-with-mic", methods, methlen)) {
+ /* Try loading the GSS libraries and see if we
+ * have any. */
+ if (!ssh->gsslibs)
+ ssh->gsslibs = ssh_gss_setup(ssh->conf);
+ s->can_gssapi = (ssh->gsslibs->nlibraries > 0);
+ } else {
+ /* No point in even bothering to try to load the
+ * GSS libraries, if the user configuration and
+ * server aren't both prepared to attempt GSSAPI
+ * auth in the first place. */
+ s->can_gssapi = FALSE;
+ }
#endif
}
* Try to send data on all channels if we can.
*/
for (i = 0; NULL != (c = index234(ssh->channels, i)); i++)
- ssh2_try_send_and_unthrottle(ssh, c);
+ if (c->type != CHAN_SHARING)
+ ssh2_try_send_and_unthrottle(ssh, c);
}
}
projects / PuTTY.git / blobdiff