X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=ssh.c;h=01c5caa1caa58a61bb90a927ac23f429625dc062;hb=6e1ac921944fc1210bfdc93e4360201d23a9de7d;hp=dcb791da3970bc510cadc727de8a18f0e1967eb4;hpb=88a3baa06541fc6563f5f94bac4758141eada690;p=PuTTY.git diff --git a/ssh.c b/ssh.c index dcb791da..01c5caa1 100644 --- a/ssh.c +++ b/ssh.c @@ -309,6 +309,18 @@ extern void pfd_confirm(Socket s); extern void pfd_unthrottle(Socket s); extern void pfd_override_throttle(Socket s, int enable); +static void ssh2_pkt_init(int pkt_type); +static void ssh2_pkt_addbool(unsigned char value); +static void ssh2_pkt_adduint32(unsigned long value); +static void ssh2_pkt_addstring_start(void); +static void ssh2_pkt_addstring_str(char *data); +static void ssh2_pkt_addstring_data(char *data, int len); +static void ssh2_pkt_addstring(char *data); +static char *ssh2_mpint_fmt(Bignum b, int *len); +static void ssh2_pkt_addmp(Bignum b); +static int ssh2_pkt_construct(void); +static void ssh2_pkt_send(void); + /* * Buffer management constants. There are several of these for * various different purposes: @@ -499,6 +511,7 @@ static int ssh_echoing, ssh_editing; static tree234 *ssh_channels; /* indexed by local id */ static struct ssh_channel *mainchan; /* primary session channel */ +static int ssh_exitcode = -1; static tree234 *ssh_rportfwds; @@ -723,6 +736,11 @@ static int ssh1_rdpkt(unsigned char **data, int *datalen) st->to_read -= st->chunk; } + if (cipher && detect_attack(pktin.data, st->biglen, NULL)) { + bombout(("Network attack (CRC compensation) detected!")); + crReturn(0); + } + if (cipher) cipher->decrypt(pktin.data, st->biglen); @@ -764,8 +782,8 @@ static int ssh1_rdpkt(unsigned char **data, int *datalen) pktin.type == SSH1_MSG_DEBUG || pktin.type == SSH1_SMSG_AUTH_TIS_CHALLENGE || pktin.type == SSH1_SMSG_AUTH_CCARD_CHALLENGE) { - long strlen = GET_32BIT(pktin.body); - if (strlen + 4 != pktin.length) { + long stringlen = GET_32BIT(pktin.body); + if (stringlen + 4 != pktin.length) { bombout(("Received data packet with bogus string length")); crReturn(0); } @@ -774,12 +792,12 @@ static int ssh1_rdpkt(unsigned char **data, int *datalen) if (pktin.type == SSH1_MSG_DEBUG) { /* log debug message */ char buf[80]; - int strlen = GET_32BIT(pktin.body); + int stringlen = GET_32BIT(pktin.body); strcpy(buf, "Remote: "); - if (strlen > 70) - strlen = 70; - memcpy(buf + 8, pktin.body + 4, strlen); - buf[8 + strlen] = '\0'; + if (stringlen > 70) + stringlen = 70; + memcpy(buf + 8, pktin.body + 4, stringlen); + buf[8 + stringlen] = '\0'; logevent(buf); goto next_packet; } else if (pktin.type == SSH1_MSG_IGNORE) { @@ -939,36 +957,105 @@ static int ssh2_rdpkt(unsigned char **data, int *datalen) log_packet(PKT_INCOMING, pktin.type, ssh2_pkt_type(pktin.type), pktin.data+6, pktin.length-6); - if (pktin.type == SSH2_MSG_IGNORE || pktin.type == SSH2_MSG_DEBUG) - goto next_packet; /* FIXME: print DEBUG message */ - - if (pktin.type == SSH2_MSG_DISCONNECT) { - /* log reason code in disconnect message */ - char buf[256]; - int reason = GET_32BIT(pktin.data + 6); - unsigned msglen = GET_32BIT(pktin.data + 10); - unsigned nowlen; - if (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) { - sprintf(buf, "Received disconnect message (%s)", - ssh2_disconnect_reasons[reason]); - } else { - sprintf(buf, "Received disconnect message (unknown type %d)", - reason); + switch (pktin.type) { + /* + * These packets we must handle instantly. + */ + case SSH2_MSG_DISCONNECT: + { + /* log reason code in disconnect message */ + char buf[256]; + int reason = GET_32BIT(pktin.data + 6); + unsigned msglen = GET_32BIT(pktin.data + 10); + unsigned nowlen; + if (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) { + sprintf(buf, "Received disconnect message (%s)", + ssh2_disconnect_reasons[reason]); + } else { + sprintf(buf, "Received disconnect message (unknown type %d)", + reason); + } + logevent(buf); + strcpy(buf, "Disconnection message text: "); + nowlen = strlen(buf); + if (msglen > sizeof(buf) - nowlen - 1) + msglen = sizeof(buf) - nowlen - 1; + memcpy(buf + nowlen, pktin.data + 14, msglen); + buf[nowlen + msglen] = '\0'; + logevent(buf); + bombout(("Server sent disconnect message\ntype %d (%s):\n\"%s\"", + reason, + (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ? + ssh2_disconnect_reasons[reason] : "unknown", + buf+nowlen)); + crReturn(0); + } + break; + case SSH2_MSG_IGNORE: + goto next_packet; + case SSH2_MSG_DEBUG: + { + /* log the debug message */ + char buf[512]; + /* int display = pktin.body[6]; */ + int stringlen = GET_32BIT(pktin.data+7); + int prefix; + strcpy(buf, "Remote debug message: "); + prefix = strlen(buf); + if (stringlen > sizeof(buf)-prefix-1) + stringlen = sizeof(buf)-prefix-1; + memcpy(buf + prefix, pktin.data + 11, stringlen); + buf[prefix + stringlen] = '\0'; + logevent(buf); } - logevent(buf); - strcpy(buf, "Disconnection message text: "); - nowlen = strlen(buf); - if (msglen > sizeof(buf) - nowlen - 1) - msglen = sizeof(buf) - nowlen - 1; - memcpy(buf + nowlen, pktin.data + 14, msglen); - buf[nowlen + msglen] = '\0'; - logevent(buf); - bombout(("Server sent disconnect message\ntype %d (%s):\n\"%s\"", - reason, - (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ? - ssh2_disconnect_reasons[reason] : "unknown", - buf+nowlen)); - crReturn(0); + goto next_packet; /* FIXME: print the debug message */ + + /* + * These packets we need do nothing about here. + */ + case SSH2_MSG_UNIMPLEMENTED: + case SSH2_MSG_SERVICE_REQUEST: + case SSH2_MSG_SERVICE_ACCEPT: + case SSH2_MSG_KEXINIT: + case SSH2_MSG_NEWKEYS: + case SSH2_MSG_KEXDH_INIT: + case SSH2_MSG_KEXDH_REPLY: + /* case SSH2_MSG_KEX_DH_GEX_REQUEST: duplicate case value */ + /* case SSH2_MSG_KEX_DH_GEX_GROUP: duplicate case value */ + case SSH2_MSG_KEX_DH_GEX_INIT: + case SSH2_MSG_KEX_DH_GEX_REPLY: + case SSH2_MSG_USERAUTH_REQUEST: + case SSH2_MSG_USERAUTH_FAILURE: + case SSH2_MSG_USERAUTH_SUCCESS: + case SSH2_MSG_USERAUTH_BANNER: + case SSH2_MSG_USERAUTH_PK_OK: + /* case SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ: duplicate case value */ + /* case SSH2_MSG_USERAUTH_INFO_REQUEST: duplicate case value */ + case SSH2_MSG_USERAUTH_INFO_RESPONSE: + case SSH2_MSG_GLOBAL_REQUEST: + case SSH2_MSG_REQUEST_SUCCESS: + case SSH2_MSG_REQUEST_FAILURE: + case SSH2_MSG_CHANNEL_OPEN: + case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: + case SSH2_MSG_CHANNEL_OPEN_FAILURE: + case SSH2_MSG_CHANNEL_WINDOW_ADJUST: + case SSH2_MSG_CHANNEL_DATA: + case SSH2_MSG_CHANNEL_EXTENDED_DATA: + case SSH2_MSG_CHANNEL_EOF: + case SSH2_MSG_CHANNEL_CLOSE: + case SSH2_MSG_CHANNEL_REQUEST: + case SSH2_MSG_CHANNEL_SUCCESS: + case SSH2_MSG_CHANNEL_FAILURE: + break; + + /* + * For anything else we send SSH2_MSG_UNIMPLEMENTED. + */ + default: + ssh2_pkt_init(SSH2_MSG_UNIMPLEMENTED); + ssh2_pkt_adduint32(st->incoming_sequence - 1); + ssh2_pkt_send(); + break; } crFinish(0); @@ -1853,11 +1940,13 @@ static int do_ssh1_login(unsigned char *in, int inlen, int ispkt) struct RSAKey servkey, hostkey; struct MD5Context md5c; static unsigned long supported_ciphers_mask, supported_auths_mask; - static int tried_publickey; + static int tried_publickey, tried_agent; static int tis_auth_refused, ccard_auth_refused; static unsigned char session_id[16]; static int cipher_type; static char username[100]; + static void *publickey_blob; + int publickey_bloblen; crBegin; @@ -2102,8 +2191,14 @@ static int do_ssh1_login(unsigned char *in, int inlen, int ispkt) crWaitUntil(ispkt); - tried_publickey = 0; + tried_publickey = tried_agent = 0; tis_auth_refused = ccard_auth_refused = 0; + /* Load the public half of cfg.keyfile so we notice if it's in Pageant */ + if (*cfg.keyfile) { + if (!rsakey_pubblob(cfg.keyfile, &publickey_blob, &publickey_bloblen)) + publickey_blob = NULL; + } else + publickey_blob = NULL; while (pktin.type == SSH1_SMSG_FAILURE) { static char password[100]; @@ -2113,7 +2208,7 @@ static int do_ssh1_login(unsigned char *in, int inlen, int ispkt) static int pwpkt_type; pwpkt_type = SSH1_CMSG_AUTH_PASSWORD; - if (agent_exists()) { + if (agent_exists() && !tried_agent) { /* * Attempt RSA authentication using Pageant. */ @@ -2123,6 +2218,7 @@ static int do_ssh1_login(unsigned char *in, int inlen, int ispkt) static int authed = FALSE; void *r; + tried_agent = 1; logevent("Pageant is running. Requesting keys."); /* Request the keys held by the agent. */ @@ -2151,6 +2247,11 @@ static int do_ssh1_login(unsigned char *in, int inlen, int ispkt) sprintf(buf, "Trying Pageant key #%d", i); logevent(buf); } + if (publickey_blob && + !memcmp(p, publickey_blob, publickey_bloblen)) { + logevent("This key matches configured key file"); + tried_publickey = 1; + } p += 4; p += ssh1_read_bignum(p, &key.exponent); p += ssh1_read_bignum(p, &key.modulus); @@ -3110,6 +3211,11 @@ static void ssh1_protocol(unsigned char *in, int inlen, int ispkt) /* may be from EXEC_SHELL on some servers * if no pty is available or in other odd cases. Ignore */ } else if (pktin.type == SSH1_SMSG_EXIT_STATUS) { + char buf[100]; + ssh_exitcode = GET_32BIT(pktin.body); + sprintf(buf, "Server sent command exit status %d", + ssh_exitcode); + logevent(buf); send_packet(SSH1_CMSG_EXIT_CONFIRMATION, PKT_END); /* * In case `helpful' firewalls or proxies tack @@ -3709,6 +3815,14 @@ static int ssh2_try_send(struct ssh_channel *c) */ static void ssh2_set_window(struct ssh_channel *c, unsigned newwin) { + /* + * Never send WINDOW_ADJUST for a channel that the remote side + * already thinks it's closed; there's no point, since it won't + * be sending any more data anyway. + */ + if (c->closes != 0) + return; + if (newwin > c->v.v2.locwindow) { ssh2_pkt_init(SSH2_MSG_CHANNEL_WINDOW_ADJUST); ssh2_pkt_adduint32(c->remoteid); @@ -3745,6 +3859,8 @@ static void do_ssh2_authconn(unsigned char *in, int inlen, int ispkt) static char username[100]; static char pwprompt[200]; static char password[100]; + static void *publickey_blob; + static int publickey_bloblen; crBegin; @@ -3885,6 +4001,12 @@ static void do_ssh2_authconn(unsigned char *in, int inlen, int ispkt) tried_agent = FALSE; tried_keyb_inter = FALSE; kbd_inter_running = FALSE; + /* Load the pub half of cfg.keyfile so we notice if it's in Pageant */ + if (*cfg.keyfile) { + publickey_blob = ssh2_userkey_loadpub(cfg.keyfile, NULL, + &publickey_bloblen); + } else + publickey_blob = NULL; while (1) { /* @@ -4040,6 +4162,12 @@ static void do_ssh2_authconn(unsigned char *in, int inlen, int ispkt) } pklen = GET_32BIT(p); p += 4; + if (publickey_blob && + pklen == publickey_bloblen && + !memcmp(p, publickey_blob, publickey_bloblen)) { + logevent("This key matches configured key file"); + tried_pubkey_config = 1; + } pkblob = p; p += pklen; alglen = GET_32BIT(pkblob); @@ -5061,14 +5189,52 @@ static void do_ssh2_authconn(unsigned char *in, int inlen, int ispkt) } /* - * We don't recognise any form of channel request, - * so we now either ignore the request or respond - * with CHANNEL_FAILURE, depending on want_reply. + * Having got the channel number, we now look at + * the request type string to see if it's something + * we recognise. */ - if (want_reply) { - ssh2_pkt_init(SSH2_MSG_CHANNEL_FAILURE); - ssh2_pkt_adduint32(c->remoteid); - ssh2_pkt_send(); + if (typelen == 11 && !memcmp(type, "exit-status", 11) && + c == mainchan) { + /* We recognise "exit-status" on the primary channel. */ + char buf[100]; + ssh_exitcode = ssh2_pkt_getuint32(); + sprintf(buf, "Server sent command exit status %d", + ssh_exitcode); + logevent(buf); + if (want_reply) { + ssh2_pkt_init(SSH2_MSG_CHANNEL_SUCCESS); + ssh2_pkt_adduint32(c->remoteid); + ssh2_pkt_send(); + } + } else { + /* + * This is a channel request we don't know + * about, so we now either ignore the request + * or respond with CHANNEL_FAILURE, depending + * on want_reply. + */ + if (want_reply) { + ssh2_pkt_init(SSH2_MSG_CHANNEL_FAILURE); + ssh2_pkt_adduint32(c->remoteid); + ssh2_pkt_send(); + } + } + } else if (pktin.type == SSH2_MSG_GLOBAL_REQUEST) { + char *type; + int typelen, want_reply; + + ssh2_pkt_getstring(&type, &typelen); + want_reply = ssh2_pkt_getbool(); + + /* + * We currently don't support any global requests + * at all, so we either ignore the request or + * respond with REQUEST_FAILURE, depending on + * want_reply. + */ + if (want_reply) { + ssh2_pkt_init(SSH2_MSG_REQUEST_FAILURE); + ssh2_pkt_send(); } } else if (pktin.type == SSH2_MSG_CHANNEL_OPEN) { char *type; @@ -5443,6 +5609,11 @@ static int ssh_ldisc(int option) return FALSE; } +static int ssh_return_exitcode(void) +{ + return ssh_exitcode; +} + Backend ssh_backend = { ssh_init, ssh_send, @@ -5450,6 +5621,7 @@ Backend ssh_backend = { ssh_size, ssh_special, ssh_socket, + ssh_return_exitcode, ssh_sendok, ssh_ldisc, ssh_unthrottle,