X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=ssh.c;h=5d6514b5ae7829509c8001f435517d1e44061c6f;hb=0629f1dfa53fe63bce41eaefd9358ea8c7227eeb;hp=e6acec6271f3848f10271a7001a82c9efbbe3bdd;hpb=5de81cb0356187a8dff7b776b9f6abcee2ed0e91;p=PuTTY.git diff --git a/ssh.c b/ssh.c index e6acec62..5d6514b5 100644 --- a/ssh.c +++ b/ssh.c @@ -1649,7 +1649,7 @@ static struct Packet *ssh2_rdpkt(Ssh ssh, const unsigned char **data, /* * OpenSSH encrypt-then-MAC mode: the packet length is - * unencrypted. + * unencrypted, unless the cipher supports length encryption. */ for (st->i = st->len = 0; st->i < 4; st->i++) { while ((*datalen) == 0) @@ -1657,7 +1657,16 @@ static struct Packet *ssh2_rdpkt(Ssh ssh, const unsigned char **data, st->pktin->data[st->i] = *(*data)++; (*datalen)--; } - st->len = toint(GET_32BIT(st->pktin->data)); + /* Cipher supports length decryption, so do it */ + if (ssh->sccipher && (ssh->sccipher->flags & SSH_CIPHER_SEPARATE_LENGTH)) { + /* Keep the packet the same though, so the MAC passes */ + unsigned char len[4]; + memcpy(len, st->pktin->data, 4); + ssh->sccipher->decrypt_length(ssh->sc_cipher_ctx, len, 4, st->incoming_sequence); + st->len = toint(GET_32BIT(len)); + } else { + st->len = toint(GET_32BIT(st->pktin->data)); + } /* * _Completely_ silly lengths should be stomped on before they @@ -2277,6 +2286,13 @@ static int ssh2_pkt_construct(Ssh ssh, struct Packet *pkt) for (i = 0; i < padding; i++) pkt->data[pkt->length + i] = random_byte(); PUT_32BIT(pkt->data, pkt->length + padding - 4); + + /* Encrypt length if the scheme requires it */ + if (ssh->cscipher && (ssh->cscipher->flags & SSH_CIPHER_SEPARATE_LENGTH)) { + ssh->cscipher->encrypt_length(ssh->cs_cipher_ctx, pkt->data, 4, + ssh->v2_outgoing_sequence); + } + if (ssh->csmac && ssh->csmac_etm) { /* * OpenSSH-defined encrypt-then-MAC protocol. @@ -3533,35 +3549,20 @@ static void ssh_sent(Plug plug, int bufsize) ssh_throttle_all(ssh, 0, bufsize); } -/* - * Connect to specified host and port. - * Returns an error message, or NULL on success. - * Also places the canonical host name into `realhost'. It must be - * freed by the caller. - */ -static const char *connect_to_host(Ssh ssh, const char *host, int port, - char **realhost, int nodelay, int keepalive) +static void ssh_hostport_setup(const char *host, int port, Conf *conf, + char **savedhost, int *savedport, + char **loghost_ret) { - static const struct plug_function_table fn_table = { - ssh_socket_log, - ssh_closing, - ssh_receive, - ssh_sent, - NULL - }; + char *loghost = conf_get_str(conf, CONF_loghost); + if (loghost_ret) + *loghost_ret = loghost; - SockAddr addr; - const char *err; - char *loghost; - int addressfamily, sshprot; - - loghost = conf_get_str(ssh->conf, CONF_loghost); if (*loghost) { char *tmphost; char *colon; tmphost = dupstr(loghost); - ssh->savedport = 22; /* default ssh port */ + *savedport = 22; /* default ssh port */ /* * A colon suffix on the hostname string also lets us affect @@ -3572,17 +3573,58 @@ static const char *connect_to_host(Ssh ssh, const char *host, int port, if (colon && colon == host_strchr(tmphost, ':')) { *colon++ = '\0'; if (*colon) - ssh->savedport = atoi(colon); + *savedport = atoi(colon); } - ssh->savedhost = host_strduptrim(tmphost); + *savedhost = host_strduptrim(tmphost); sfree(tmphost); } else { - ssh->savedhost = host_strduptrim(host); + *savedhost = host_strduptrim(host); if (port < 0) port = 22; /* default ssh port */ - ssh->savedport = port; + *savedport = port; } +} + +static int ssh_test_for_upstream(const char *host, int port, Conf *conf) +{ + char *savedhost; + int savedport; + int ret; + + random_ref(); /* platform may need this to determine share socket name */ + ssh_hostport_setup(host, port, conf, &savedhost, &savedport, NULL); + ret = ssh_share_test_for_upstream(savedhost, savedport, conf); + sfree(savedhost); + random_unref(); + + return ret; +} + +/* + * Connect to specified host and port. + * Returns an error message, or NULL on success. + * Also places the canonical host name into `realhost'. It must be + * freed by the caller. + */ +static const char *connect_to_host(Ssh ssh, const char *host, int port, + char **realhost, int nodelay, int keepalive) +{ + static const struct plug_function_table fn_table = { + ssh_socket_log, + ssh_closing, + ssh_receive, + ssh_sent, + NULL + }; + + SockAddr addr; + const char *err; + char *loghost; + int addressfamily, sshprot; + + ssh_hostport_setup(host, port, ssh->conf, + &ssh->savedhost, &ssh->savedport, &loghost); ssh->fn = &fn_table; /* make 'ssh' usable as a Plug */ @@ -6058,39 +6100,7 @@ static void ssh1_protocol(Ssh ssh, const void *vin, int inlen, } /* - * Utility routine for decoding comma-separated strings in KEXINIT. - */ -static int in_commasep_string(char const *needle, char const *haystack, - int haylen) -{ - int needlen; - if (!needle || !haystack) /* protect against null pointers */ - return 0; - needlen = strlen(needle); - while (1) { - /* - * Is it at the start of the string? - */ - if (haylen >= needlen && /* haystack is long enough */ - !memcmp(needle, haystack, needlen) && /* initial match */ - (haylen == needlen || haystack[needlen] == ',') - /* either , or EOS follows */ - ) - return 1; - /* - * If not, search for the next comma and resume after that. - * If no comma found, terminate. - */ - while (haylen > 0 && *haystack != ',') - haylen--, haystack++; - if (haylen == 0) - return 0; - haylen--, haystack++; /* skip over comma itself */ - } -} - -/* - * Similar routine for checking whether we have the first string in a list. + * Utility routines for decoding comma-separated strings in KEXINIT. */ static int first_in_commasep_string(char const *needle, char const *haystack, int haylen) @@ -6099,9 +6109,7 @@ static int first_in_commasep_string(char const *needle, char const *haystack, if (!needle || !haystack) /* protect against null pointers */ return 0; needlen = strlen(needle); - /* - * Is it at the start of the string? - */ + if (haylen >= needlen && /* haystack is long enough */ !memcmp(needle, haystack, needlen) && /* initial match */ (haylen == needlen || haystack[needlen] == ',') @@ -6111,14 +6119,33 @@ static int first_in_commasep_string(char const *needle, char const *haystack, return 0; } +static int in_commasep_string(char const *needle, char const *haystack, + int haylen) +{ + char *p; + + if (!needle || !haystack) /* protect against null pointers */ + return 0; + /* + * Is it at the start of the string? + */ + if (first_in_commasep_string(needle, haystack, haylen)) + return 1; + /* + * If not, search for the next comma and resume after that. + * If no comma found, terminate. + */ + p = memchr(haystack, ',', haylen); + if (!p) return 0; + /* + 1 to skip over comma */ + return in_commasep_string(needle, p + 1, haylen - (p + 1 - haystack)); +} + /* * Add a value to the comma-separated string at the end of the packet. - * If the value is already in the string, don't bother adding it again. */ static void ssh2_pkt_addstring_commasep(struct Packet *pkt, const char *data) { - if (in_commasep_string(data, (char *)pkt->data + pkt->savedpos, - pkt->length - pkt->savedpos)) return; if (pkt->length - pkt->savedpos > 0) ssh_pkt_addstring_str(pkt, ","); ssh_pkt_addstring_str(pkt, data); @@ -6126,16 +6153,24 @@ static void ssh2_pkt_addstring_commasep(struct Packet *pkt, const char *data) /* - * SSH-2 key creation method. - * (Currently assumes 2 lots of any hash are sufficient to generate - * keys/IVs for any cipher/MAC. SSH2_MKKEY_ITERS documents this assumption.) + * SSH-2 key derivation (RFC 4253 section 7.2). */ -#define SSH2_MKKEY_ITERS (2) -static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr, - unsigned char *keyspace) +static unsigned char *ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, + char chr, int keylen) { const struct ssh_hash *h = ssh->kex->hash; - void *s; + int keylen_padded; + unsigned char *key; + void *s, *s2; + + if (keylen == 0) + return NULL; + + /* Round up to the next multiple of hash length. */ + keylen_padded = ((keylen + h->hlen - 1) / h->hlen) * h->hlen; + + key = snewn(keylen_padded, unsigned char); + /* First hlen bytes. */ s = h->init(); if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY)) @@ -6143,14 +6178,79 @@ static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr, h->bytes(s, H, h->hlen); h->bytes(s, &chr, 1); h->bytes(s, ssh->v2_session_id, ssh->v2_session_id_len); - h->final(s, keyspace); - /* Next hlen bytes. */ - s = h->init(); - if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY)) - hash_mpint(h, s, K); - h->bytes(s, H, h->hlen); - h->bytes(s, keyspace, h->hlen); - h->final(s, keyspace + h->hlen); + h->final(s, key); + + /* Subsequent blocks of hlen bytes. */ + if (keylen_padded > h->hlen) { + int offset; + + s = h->init(); + if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY)) + hash_mpint(h, s, K); + h->bytes(s, H, h->hlen); + + for (offset = h->hlen; offset < keylen_padded; offset += h->hlen) { + h->bytes(s, key + offset - h->hlen, h->hlen); + s2 = h->copy(s); + h->final(s2, key + offset); + } + + h->free(s); + } + + /* Now clear any extra bytes of key material beyond the length + * we're officially returning, because the caller won't know to + * smemclr those. */ + if (keylen_padded > keylen) + smemclr(key + keylen, keylen_padded - keylen); + + return key; +} + +/* + * Structure for constructing KEXINIT algorithm lists. + */ +#define MAXKEXLIST 16 +struct kexinit_algorithm { + const char *name; + union { + struct { + const struct ssh_kex *kex; + int warn; + } kex; + const struct ssh_signkey *hostkey; + struct { + const struct ssh2_cipher *cipher; + int warn; + } cipher; + struct { + const struct ssh_mac *mac; + int etm; + } mac; + const struct ssh_compress *comp; + } u; +}; + +/* + * Find a slot in a KEXINIT algorithm list to use for a new algorithm. + * If the algorithm is already in the list, return a pointer to its + * entry, otherwise return an entry from the end of the list. + * This assumes that every time a particular name is passed in, it + * comes from the same string constant. If this isn't true, this + * function may need to be rewritten to use strcmp() instead. + */ +static struct kexinit_algorithm *ssh2_kexinit_addalg(struct kexinit_algorithm + *list, const char *name) +{ + int i; + + for (i = 0; i < MAXKEXLIST; i++) + if (list[i].name == NULL || list[i].name == name) { + list[i].name = name; + return &list[i]; + } + assert(!"No space in KEXINIT list"); + return NULL; } /* @@ -6205,26 +6305,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, int dlgret; int guessok; int ignorepkt; -#define MAXKEXLIST 16 - struct kexinit_algorithm { - const char *name; - union { - struct { - const struct ssh_kex *kex; - int warn; - } kex; - const struct ssh_signkey *hostkey; - struct { - const struct ssh2_cipher *cipher; - int warn; - } cipher; - struct { - const struct ssh_mac *mac; - int etm; - } mac; - const struct ssh_compress *comp; - } u; - } kexlists[NKEXLIST][MAXKEXLIST]; + struct kexinit_algorithm kexlists[NKEXLIST][MAXKEXLIST]; }; crState(do_ssh2_transport_state); @@ -6251,7 +6332,8 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, begin_key_exchange: ssh->pkt_kctx = SSH2_PKTCTX_NOKEX; { - int i, j, k, n, warn; + int i, j, k, warn; + struct kexinit_algorithm *alg; /* * Set up the preferred key exchange. (NULL => warn below here) @@ -6312,6 +6394,9 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, case CIPHER_ARCFOUR: s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour; break; + case CIPHER_CHACHA20: + s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_ccp; + break; case CIPHER_WARN: /* Flag for later. Don't bother if it's the last in * the list. */ @@ -6345,31 +6430,36 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, for (j = 0; j < MAXKEXLIST; j++) s->kexlists[i][j].name = NULL; /* List key exchange algorithms. */ - n = 0; warn = FALSE; for (i = 0; i < s->n_preferred_kex; i++) { const struct ssh_kexes *k = s->preferred_kex[i]; if (!k) warn = TRUE; else for (j = 0; j < k->nkexes; j++) { - assert(n < MAXKEXLIST); - s->kexlists[KEXLIST_KEX][n].name = k->list[j]->name; - s->kexlists[KEXLIST_KEX][n].u.kex.kex = k->list[j]; - s->kexlists[KEXLIST_KEX][n].u.kex.warn = warn; - n++; + alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_KEX], + k->list[j]->name); + alg->u.kex.kex = k->list[j]; + alg->u.kex.warn = warn; } } /* List server host key algorithms. */ if (!s->got_session_id) { /* * In the first key exchange, we list all the algorithms - * we're prepared to cope with. + * we're prepared to cope with, but prefer those algorithms + * for which we have a host key for this host. */ - n = 0; for (i = 0; i < lenof(hostkey_algs); i++) { - assert(n < MAXKEXLIST); - s->kexlists[KEXLIST_HOSTKEY][n].name = hostkey_algs[i]->name; - s->kexlists[KEXLIST_HOSTKEY][n].u.hostkey = hostkey_algs[i]; - n++; + if (have_ssh_host_key(ssh->savedhost, ssh->savedport, + hostkey_algs[i]->keytype)) { + alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY], + hostkey_algs[i]->name); + alg->u.hostkey = hostkey_algs[i]; + } + } + for (i = 0; i < lenof(hostkey_algs); i++) { + alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY], + hostkey_algs[i]->name); + alg->u.hostkey = hostkey_algs[i]; } } else { /* @@ -6380,44 +6470,39 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, * reverification. */ assert(ssh->kex); - s->kexlists[KEXLIST_HOSTKEY][0].name = ssh->hostkey->name; - s->kexlists[KEXLIST_HOSTKEY][0].u.hostkey = ssh->hostkey; + alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY], + ssh->hostkey->name); + alg->u.hostkey = ssh->hostkey; } /* List encryption algorithms (client->server then server->client). */ for (k = KEXLIST_CSCIPHER; k <= KEXLIST_SCCIPHER; k++) { - n = 0; warn = FALSE; for (i = 0; i < s->n_preferred_ciphers; i++) { const struct ssh2_ciphers *c = s->preferred_ciphers[i]; if (!c) warn = TRUE; else for (j = 0; j < c->nciphers; j++) { - assert(n < MAXKEXLIST); - s->kexlists[k][n].name = c->list[j]->name; - s->kexlists[k][n].u.cipher.cipher = c->list[j]; - s->kexlists[k][n].u.cipher.warn = warn; - n++; + alg = ssh2_kexinit_addalg(s->kexlists[k], + c->list[j]->name); + alg->u.cipher.cipher = c->list[j]; + alg->u.cipher.warn = warn; } } } /* List MAC algorithms (client->server then server->client). */ for (j = KEXLIST_CSMAC; j <= KEXLIST_SCMAC; j++) { - n = 0; for (i = 0; i < s->nmacs; i++) { - assert(n < MAXKEXLIST); - s->kexlists[j][n].name = s->maclist[i]->name; - s->kexlists[j][n].u.mac.mac = s->maclist[i]; - s->kexlists[j][n].u.mac.etm = FALSE; - n++; + alg = ssh2_kexinit_addalg(s->kexlists[j], s->maclist[i]->name); + alg->u.mac.mac = s->maclist[i]; + alg->u.mac.etm = FALSE; } for (i = 0; i < s->nmacs; i++) /* For each MAC, there may also be an ETM version, * which we list second. */ if (s->maclist[i]->etm_name) { - assert(n < MAXKEXLIST); - s->kexlists[j][n].name = s->maclist[i]->etm_name; - s->kexlists[j][n].u.mac.mac = s->maclist[i]; - s->kexlists[j][n].u.mac.etm = TRUE; - n++; + alg = ssh2_kexinit_addalg(s->kexlists[j], + s->maclist[i]->etm_name); + alg->u.mac.mac = s->maclist[i]; + alg->u.mac.etm = TRUE; } } /* List client->server compression algorithms, @@ -6426,26 +6511,23 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, for (j = KEXLIST_CSCOMP; j <= KEXLIST_SCCOMP; j++) { assert(lenof(compressions) > 1); /* Prefer non-delayed versions */ - s->kexlists[j][0].name = s->preferred_comp->name; - s->kexlists[j][0].u.comp = s->preferred_comp; + alg = ssh2_kexinit_addalg(s->kexlists[j], s->preferred_comp->name); + alg->u.comp = s->preferred_comp; /* We don't even list delayed versions of algorithms until * they're allowed to be used, to avoid a race. See the end of * this function. */ - n = 1; if (s->userauth_succeeded && s->preferred_comp->delayed_name) { - s->kexlists[j][1].name = s->preferred_comp->delayed_name; - s->kexlists[j][1].u.comp = s->preferred_comp; - n = 2; + alg = ssh2_kexinit_addalg(s->kexlists[j], + s->preferred_comp->delayed_name); + alg->u.comp = s->preferred_comp; } for (i = 0; i < lenof(compressions); i++) { const struct ssh_compress *c = compressions[i]; - s->kexlists[j][n].name = c->name; - s->kexlists[j][n].u.comp = c; - n++; + alg = ssh2_kexinit_addalg(s->kexlists[j], c->name); + alg->u.comp = c; if (s->userauth_succeeded && c->delayed_name) { - s->kexlists[j][n].name = c->delayed_name; - s->kexlists[j][n].u.comp = c; - n++; + alg = ssh2_kexinit_addalg(s->kexlists[j], c->delayed_name); + alg->u.comp = c; } } } @@ -6512,6 +6594,24 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, bombout(("KEXINIT packet was incomplete")); crStopV; } + + /* If we've already selected a cipher which requires a + * particular MAC, then just select that, and don't even + * bother looking through the server's KEXINIT string for + * MACs. */ + if (i == KEXLIST_CSMAC && s->cscipher_tobe && + s->cscipher_tobe->required_mac) { + s->csmac_tobe = s->cscipher_tobe->required_mac; + s->csmac_etm_tobe = !!(s->csmac_tobe->etm_name); + goto matched; + } + if (i == KEXLIST_SCMAC && s->sccipher_tobe && + s->sccipher_tobe->required_mac) { + s->scmac_tobe = s->sccipher_tobe->required_mac; + s->scmac_etm_tobe = !!(s->scmac_tobe->etm_name); + goto matched; + } + for (j = 0; j < MAXKEXLIST; j++) { struct kexinit_algorithm *alg = &s->kexlists[i][j]; if (alg->name == NULL) break; @@ -6556,6 +6656,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, crStopV; matched:; } + if (s->pending_compression) { logevent("Server supports delayed compression; " "will try this later"); @@ -6661,8 +6762,8 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, { int csbits, scbits; - csbits = s->cscipher_tobe->keylen; - scbits = s->sccipher_tobe->keylen; + csbits = s->cscipher_tobe->real_keybits; + scbits = s->sccipher_tobe->real_keybits; s->nbits = (csbits > scbits ? csbits : scbits); } /* The keys only have hlen-bit entropy, since they're based on @@ -6739,6 +6840,10 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, } set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */ ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen); + if (!s->hostkeydata) { + bombout(("unable to parse key exchange reply packet")); + crStopV; + } s->hkey = ssh->hostkey->newkey(ssh->hostkey, s->hostkeydata, s->hostkeylen); s->f = ssh2_pkt_getmp(pktin); @@ -6747,6 +6852,10 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, crStopV; } ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen); + if (!s->sigdata) { + bombout(("unable to parse key exchange reply packet")); + crStopV; + } { const char *err = dh_validate_f(ssh->kex_ctx, s->f); @@ -6782,7 +6891,8 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, } } else if (ssh->kex->main_type == KEXTYPE_ECDH) { - logeventf(ssh, "Doing ECDH key exchange with hash %s", + logeventf(ssh, "Doing ECDH key exchange with curve %s and hash %s", + ssh_ecdhkex_curve_textname(ssh->kex), ssh->kex->hash->text_name); ssh->pkt_kctx = SSH2_PKTCTX_ECDHKEX; @@ -6817,6 +6927,10 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, } ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen); + if (!s->hostkeydata) { + bombout(("unable to parse ECDH reply packet")); + crStopV; + } hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen); s->hkey = ssh->hostkey->newkey(ssh->hostkey, s->hostkeydata, s->hostkeylen); @@ -6839,6 +6953,10 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, char *keydata; int keylen; ssh_pkt_getstring(pktin, &keydata, &keylen); + if (!keydata) { + bombout(("unable to parse ECDH reply packet")); + crStopV; + } hash_string(ssh->kex->hash, ssh->exhash, keydata, keylen); s->K = ssh_ecdhkex_getkey(s->eckey, keydata, keylen); if (!s->K) { @@ -6849,6 +6967,10 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, } ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen); + if (!s->sigdata) { + bombout(("unable to parse key exchange reply packet")); + crStopV; + } ssh_ecdhkex_freekey(s->eckey); } else { @@ -6866,6 +6988,10 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, } ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen); + if (!s->hostkeydata) { + bombout(("unable to parse RSA public key packet")); + crStopV; + } hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen); s->hkey = ssh->hostkey->newkey(ssh->hostkey, @@ -6874,6 +7000,10 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, { char *keydata; ssh_pkt_getstring(pktin, &keydata, &s->rsakeylen); + if (!keydata) { + bombout(("unable to parse RSA public key packet")); + crStopV; + } s->rsakeydata = snewn(s->rsakeylen, char); memcpy(s->rsakeydata, keydata, s->rsakeylen); } @@ -6950,6 +7080,10 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, } ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen); + if (!s->sigdata) { + bombout(("unable to parse signature packet")); + crStopV; + } sfree(s->rsakeydata); } @@ -7068,7 +7202,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, ssh->csmac->free_context(ssh->cs_mac_ctx); ssh->csmac = s->csmac_tobe; ssh->csmac_etm = s->csmac_etm_tobe; - ssh->cs_mac_ctx = ssh->csmac->make_context(); + ssh->cs_mac_ctx = ssh->csmac->make_context(ssh->cs_cipher_ctx); if (ssh->cs_comp_ctx) ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx); @@ -7080,28 +7214,33 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, * hash from the _first_ key exchange. */ { - unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS]; - assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS); - ssh2_mkkey(ssh,s->K,s->exchange_hash,'C',keyspace); - assert((ssh->cscipher->keylen+7) / 8 <= - ssh->kex->hash->hlen * SSH2_MKKEY_ITERS); - ssh->cscipher->setkey(ssh->cs_cipher_ctx, keyspace); - ssh2_mkkey(ssh,s->K,s->exchange_hash,'A',keyspace); - assert(ssh->cscipher->blksize <= - ssh->kex->hash->hlen * SSH2_MKKEY_ITERS); - ssh->cscipher->setiv(ssh->cs_cipher_ctx, keyspace); - ssh2_mkkey(ssh,s->K,s->exchange_hash,'E',keyspace); - assert(ssh->csmac->len <= - ssh->kex->hash->hlen * SSH2_MKKEY_ITERS); - ssh->csmac->setkey(ssh->cs_mac_ctx, keyspace); - smemclr(keyspace, sizeof(keyspace)); + unsigned char *key; + + key = ssh2_mkkey(ssh, s->K, s->exchange_hash, 'C', + ssh->cscipher->padded_keybytes); + ssh->cscipher->setkey(ssh->cs_cipher_ctx, key); + smemclr(key, ssh->cscipher->padded_keybytes); + sfree(key); + + key = ssh2_mkkey(ssh, s->K, s->exchange_hash, 'A', + ssh->cscipher->blksize); + ssh->cscipher->setiv(ssh->cs_cipher_ctx, key); + smemclr(key, ssh->cscipher->blksize); + sfree(key); + + key = ssh2_mkkey(ssh, s->K, s->exchange_hash, 'E', + ssh->csmac->keylen); + ssh->csmac->setkey(ssh->cs_mac_ctx, key); + smemclr(key, ssh->csmac->keylen); + sfree(key); } logeventf(ssh, "Initialised %.200s client->server encryption", ssh->cscipher->text_name); - logeventf(ssh, "Initialised %.200s client->server MAC algorithm%s", + logeventf(ssh, "Initialised %.200s client->server MAC algorithm%s%s", ssh->csmac->text_name, - ssh->csmac_etm ? " (in ETM mode)" : ""); + ssh->csmac_etm ? " (in ETM mode)" : "", + ssh->cscipher->required_mac ? " (required by cipher)" : ""); if (ssh->cscomp->text_name) logeventf(ssh, "Initialised %s compression", ssh->cscomp->text_name); @@ -7136,7 +7275,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, ssh->scmac->free_context(ssh->sc_mac_ctx); ssh->scmac = s->scmac_tobe; ssh->scmac_etm = s->scmac_etm_tobe; - ssh->sc_mac_ctx = ssh->scmac->make_context(); + ssh->sc_mac_ctx = ssh->scmac->make_context(ssh->sc_cipher_ctx); if (ssh->sc_comp_ctx) ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx); @@ -7148,27 +7287,32 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen, * hash from the _first_ key exchange. */ { - unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS]; - assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS); - ssh2_mkkey(ssh,s->K,s->exchange_hash,'D',keyspace); - assert((ssh->sccipher->keylen+7) / 8 <= - ssh->kex->hash->hlen * SSH2_MKKEY_ITERS); - ssh->sccipher->setkey(ssh->sc_cipher_ctx, keyspace); - ssh2_mkkey(ssh,s->K,s->exchange_hash,'B',keyspace); - assert(ssh->sccipher->blksize <= - ssh->kex->hash->hlen * SSH2_MKKEY_ITERS); - ssh->sccipher->setiv(ssh->sc_cipher_ctx, keyspace); - ssh2_mkkey(ssh,s->K,s->exchange_hash,'F',keyspace); - assert(ssh->scmac->len <= - ssh->kex->hash->hlen * SSH2_MKKEY_ITERS); - ssh->scmac->setkey(ssh->sc_mac_ctx, keyspace); - smemclr(keyspace, sizeof(keyspace)); + unsigned char *key; + + key = ssh2_mkkey(ssh, s->K, s->exchange_hash, 'D', + ssh->sccipher->padded_keybytes); + ssh->sccipher->setkey(ssh->sc_cipher_ctx, key); + smemclr(key, ssh->sccipher->padded_keybytes); + sfree(key); + + key = ssh2_mkkey(ssh, s->K, s->exchange_hash, 'B', + ssh->sccipher->blksize); + ssh->sccipher->setiv(ssh->sc_cipher_ctx, key); + smemclr(key, ssh->sccipher->blksize); + sfree(key); + + key = ssh2_mkkey(ssh, s->K, s->exchange_hash, 'F', + ssh->scmac->keylen); + ssh->scmac->setkey(ssh->sc_mac_ctx, key); + smemclr(key, ssh->scmac->keylen); + sfree(key); } logeventf(ssh, "Initialised %.200s server->client encryption", ssh->sccipher->text_name); - logeventf(ssh, "Initialised %.200s server->client MAC algorithm%s", + logeventf(ssh, "Initialised %.200s server->client MAC algorithm%s%s", ssh->scmac->text_name, - ssh->scmac_etm ? " (in ETM mode)" : ""); + ssh->scmac_etm ? " (in ETM mode)" : "", + ssh->sccipher->required_mac ? " (required by cipher)" : ""); if (ssh->sccomp->text_name) logeventf(ssh, "Initialised %s decompression", ssh->sccomp->text_name); @@ -7743,7 +7887,7 @@ static void ssh_check_termination(Ssh ssh) { if (ssh->version == 2 && !conf_get_int(ssh->conf, CONF_ssh_no_shell) && - count234(ssh->channels) == 0 && + (ssh->channels && count234(ssh->channels) == 0) && !(ssh->connshare && share_ndownstreams(ssh->connshare) > 0)) { /* * We used to send SSH_MSG_DISCONNECT here, because I'd @@ -7758,9 +7902,14 @@ static void ssh_check_termination(Ssh ssh) } } -void ssh_sharing_downstream_connected(Ssh ssh, unsigned id) +void ssh_sharing_downstream_connected(Ssh ssh, unsigned id, + const char *peerinfo) { - logeventf(ssh, "Connection sharing downstream #%u connected", id); + if (peerinfo) + logeventf(ssh, "Connection sharing downstream #%u connected from %s", + id, peerinfo); + else + logeventf(ssh, "Connection sharing downstream #%u connected", id); } void ssh_sharing_downstream_disconnected(Ssh ssh, unsigned id) @@ -9279,11 +9428,20 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen, s->can_keyb_inter = conf_get_int(ssh->conf, CONF_try_ki_auth) && in_commasep_string("keyboard-interactive", methods, methlen); #ifndef NO_GSSAPI - if (!ssh->gsslibs) - ssh->gsslibs = ssh_gss_setup(ssh->conf); - s->can_gssapi = conf_get_int(ssh->conf, CONF_try_gssapi_auth) && - in_commasep_string("gssapi-with-mic", methods, methlen) && - ssh->gsslibs->nlibraries > 0; + if (conf_get_int(ssh->conf, CONF_try_gssapi_auth) && + in_commasep_string("gssapi-with-mic", methods, methlen)) { + /* Try loading the GSS libraries and see if we + * have any. */ + if (!ssh->gsslibs) + ssh->gsslibs = ssh_gss_setup(ssh->conf); + s->can_gssapi = (ssh->gsslibs->nlibraries > 0); + } else { + /* No point in even bothering to try to load the + * GSS libraries, if the user configuration and + * server aren't both prepared to attempt GSSAPI + * auth in the first place. */ + s->can_gssapi = FALSE; + } #endif } @@ -10477,7 +10635,8 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen, * Try to send data on all channels if we can. */ for (i = 0; NULL != (c = index234(ssh->channels, i)); i++) - ssh2_try_send_and_unthrottle(ssh, c); + if (c->type != CHAN_SHARING) + ssh2_try_send_and_unthrottle(ssh, c); } } @@ -11501,6 +11660,7 @@ Backend ssh_backend = { ssh_provide_logctx, ssh_unthrottle, ssh_cfg_info, + ssh_test_for_upstream, "ssh", PROT_SSH, 22