X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=ssh.c;h=b5fa3f2124505ce8c7d68f39a6506a189e6f194a;hb=df913d00360aea784521662ad42c11e3933bb6f8;hp=f26eafd24d77a14c07ee7fb583d41e269b9475fb;hpb=fb581ac62541bfe09ebbc1de07ef678998b9a539;p=PuTTY.git

diff --git a/ssh.c b/ssh.c
index f26eafd2..b5fa3f21 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1797,8 +1797,19 @@ static int ssh2_pkt_construct(Ssh ssh, struct Packet *pkt)
  * ssh2_pkt_send() or ssh2_pkt_defer() either go straight to one of
  * these or get queued, and then when the queue is later emptied
  * the packets are all passed to defer_noqueue().
+ *
+ * When using a CBC-mode cipher, it's necessary to ensure that an
+ * attacker can't provide data to be encrypted using an IV that they
+ * know.  We ensure this by prefixing each packet that might contain
+ * user data with an SSH_MSG_IGNORE.  This is done using the deferral
+ * mechanism, so in this case send_noqueue() ends up redirecting to
+ * defer_noqueue().  If you don't like this inefficiency, don't use
+ * CBC.
  */
 
+static void ssh2_pkt_defer_noqueue(Ssh, struct Packet *, int);
+static void ssh_pkt_defersend(Ssh);
+
 /*
  * Send an SSH-2 packet immediately, without queuing or deferring.
  */
@@ -1806,6 +1817,12 @@ static void ssh2_pkt_send_noqueue(Ssh ssh, struct Packet *pkt)
 {
     int len;
     int backlog;
+    if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC)) {
+	/* We need to send two packets, so use the deferral mechanism. */
+	ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
+	ssh_pkt_defersend(ssh);
+	return;
+    }
     len = ssh2_pkt_construct(ssh, pkt);
     backlog = sk_write(ssh->s, (char *)pkt->data, len);
     if (backlog > SSH_MAX_BACKLOG)
@@ -1823,9 +1840,19 @@ static void ssh2_pkt_send_noqueue(Ssh ssh, struct Packet *pkt)
 /*
  * Defer an SSH-2 packet.
  */
-static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt)
+static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt, int noignore)
 {
-    int len = ssh2_pkt_construct(ssh, pkt);
+    int len;
+    if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC) &&
+	ssh->deferred_len == 0 && !noignore) {
+	/*
+	 * Interpose an SSH_MSG_IGNORE to ensure that user data don't
+	 * get encrypted with a known IV.
+	 */
+	struct Packet *ipkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
+	ssh2_pkt_defer_noqueue(ssh, ipkt, TRUE);
+    }
+    len = ssh2_pkt_construct(ssh, pkt);
     if (ssh->deferred_len + len > ssh->deferred_size) {
 	ssh->deferred_size = ssh->deferred_len + len + 128;
 	ssh->deferred_send_data = sresize(ssh->deferred_send_data,
@@ -1875,7 +1902,7 @@ static void ssh2_pkt_defer(Ssh ssh, struct Packet *pkt)
     if (ssh->queueing)
 	ssh2_pkt_queue(ssh, pkt);
     else
-	ssh2_pkt_defer_noqueue(ssh, pkt);
+	ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
 }
 #endif
 
@@ -1923,7 +1950,7 @@ static void ssh2_pkt_queuesend(Ssh ssh)
     assert(!ssh->queueing);
 
     for (i = 0; i < ssh->queuelen; i++)
-	ssh2_pkt_defer_noqueue(ssh, ssh->queue[i]);
+	ssh2_pkt_defer_noqueue(ssh, ssh->queue[i], FALSE);
     ssh->queuelen = 0;
 
     ssh_pkt_defersend(ssh);
@@ -2383,6 +2410,8 @@ static int do_ssh_init(Ssh ssh, unsigned char c)
                   strcspn(verstring, "\015\012"), verstring);
 	sk_write(ssh->s, verstring, strlen(verstring));
         sfree(verstring);
+	if (ssh->version == 2)
+	    do_ssh2_transport(ssh, NULL, -1, NULL);
     }
 
     logeventf(ssh, "Using SSH protocol version %d", ssh->version);
@@ -4603,14 +4632,23 @@ static void do_ssh1_connection(Ssh ssh, unsigned char *in, int inlen,
 	ssh->x11auth = x11_invent_auth(proto, sizeof(proto),
 				       data, sizeof(data), ssh->cfg.x11_auth);
         x11_get_real_auth(ssh->x11auth, ssh->cfg.x11_display);
+	/*
+	 * Note that while we blank the X authentication data here, we don't
+	 * take any special action to blank the start of an X11 channel,
+	 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
+	 * without having session blanking enabled is likely to leak your
+	 * cookie into the log.
+	 */
 	if (ssh->v1_local_protoflags & SSH1_PROTOFLAG_SCREEN_NUMBER) {
 	    send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
-			PKT_STR, proto, PKT_STR, data,
+			PKT_STR, proto,
+			PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER,
 			PKT_INT, x11_get_screen_number(ssh->cfg.x11_display),
 			PKT_END);
 	} else {
 	    send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
-			PKT_STR, proto, PKT_STR, data, PKT_END);
+			PKT_STR, proto,
+			PKTT_PASSWORD, PKT_STR, data, PKTT_OTHER, PKT_END);
 	}
 	do {
 	    crReturnV;
@@ -7285,7 +7323,16 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
 	ssh2_pkt_addbool(s->pktout, 1);	       /* want reply */
 	ssh2_pkt_addbool(s->pktout, 0);	       /* many connections */
 	ssh2_pkt_addstring(s->pktout, proto);
+	/*
+	 * Note that while we blank the X authentication data here, we don't
+	 * take any special action to blank the start of an X11 channel,
+	 * so using MIT-MAGIC-COOKIE-1 and actually opening an X connection
+	 * without having session blanking enabled is likely to leak your
+	 * cookie into the log.
+	 */
+	dont_log_password(ssh, s->pktout, PKTLOG_BLANK);
 	ssh2_pkt_addstring(s->pktout, data);
+	end_log_omission(ssh, s->pktout);
 	ssh2_pkt_adduint32(s->pktout, x11_get_screen_number(ssh->cfg.x11_display));
 	ssh2_pkt_send(ssh, s->pktout);