|
|
@@ -0,0 +1,2967 @@
|
|
|
+/*
|
|
|
+ * Packet protocol layer for the SSH-2 transport protocol (RFC 4253).
|
|
|
+ */
|
|
|
+
|
|
|
+#include <assert.h>
|
|
|
+
|
|
|
+#include "putty.h"
|
|
|
+#include "ssh.h"
|
|
|
+#include "sshbpp.h"
|
|
|
+#include "sshppl.h"
|
|
|
+#include "sshcr.h"
|
|
|
+#include "storage.h"
|
|
|
+
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+#include "sshgssc.h"
|
|
|
+#include "sshgss.h"
|
|
|
+#define MIN_CTXT_LIFETIME 5 /* Avoid rekey with short lifetime (seconds) */
|
|
|
+#define GSS_KEX_CAPABLE (1<<0) /* Can do GSS KEX */
|
|
|
+#define GSS_CRED_UPDATED (1<<1) /* Cred updated since previous delegation */
|
|
|
+#define GSS_CTXT_EXPIRES (1<<2) /* Context expires before next timer */
|
|
|
+#define GSS_CTXT_MAYFAIL (1<<3) /* Context may expire during handshake */
|
|
|
+#endif
|
|
|
+
|
|
|
+#define DH_MIN_SIZE 1024
|
|
|
+#define DH_MAX_SIZE 8192
|
|
|
+
|
|
|
+enum kexlist {
|
|
|
+ KEXLIST_KEX, KEXLIST_HOSTKEY, KEXLIST_CSCIPHER, KEXLIST_SCCIPHER,
|
|
|
+ KEXLIST_CSMAC, KEXLIST_SCMAC, KEXLIST_CSCOMP, KEXLIST_SCCOMP,
|
|
|
+ NKEXLIST
|
|
|
+};
|
|
|
+#define MAXKEXLIST 16
|
|
|
+struct kexinit_algorithm {
|
|
|
+ const char *name;
|
|
|
+ union {
|
|
|
+ struct {
|
|
|
+ const struct ssh_kex *kex;
|
|
|
+ int warn;
|
|
|
+ } kex;
|
|
|
+ struct {
|
|
|
+ const ssh_keyalg *hostkey;
|
|
|
+ int warn;
|
|
|
+ } hk;
|
|
|
+ struct {
|
|
|
+ const struct ssh2_cipheralg *cipher;
|
|
|
+ int warn;
|
|
|
+ } cipher;
|
|
|
+ struct {
|
|
|
+ const struct ssh2_macalg *mac;
|
|
|
+ int etm;
|
|
|
+ } mac;
|
|
|
+ const struct ssh_compression_alg *comp;
|
|
|
+ } u;
|
|
|
+};
|
|
|
+
|
|
|
+struct ssh_signkey_with_user_pref_id {
|
|
|
+ const ssh_keyalg *alg;
|
|
|
+ int id;
|
|
|
+};
|
|
|
+const static struct ssh_signkey_with_user_pref_id hostkey_algs[] = {
|
|
|
+ { &ssh_ecdsa_ed25519, HK_ED25519 },
|
|
|
+ { &ssh_ecdsa_nistp256, HK_ECDSA },
|
|
|
+ { &ssh_ecdsa_nistp384, HK_ECDSA },
|
|
|
+ { &ssh_ecdsa_nistp521, HK_ECDSA },
|
|
|
+ { &ssh_dss, HK_DSA },
|
|
|
+ { &ssh_rsa, HK_RSA },
|
|
|
+};
|
|
|
+
|
|
|
+const static struct ssh2_macalg *const macs[] = {
|
|
|
+ &ssh_hmac_sha256, &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
|
|
|
+};
|
|
|
+const static struct ssh2_macalg *const buggymacs[] = {
|
|
|
+ &ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
|
|
|
+};
|
|
|
+
|
|
|
+static ssh_compressor *ssh_comp_none_init(void)
|
|
|
+{
|
|
|
+ return NULL;
|
|
|
+}
|
|
|
+static void ssh_comp_none_cleanup(ssh_compressor *handle)
|
|
|
+{
|
|
|
+}
|
|
|
+static ssh_decompressor *ssh_decomp_none_init(void)
|
|
|
+{
|
|
|
+ return NULL;
|
|
|
+}
|
|
|
+static void ssh_decomp_none_cleanup(ssh_decompressor *handle)
|
|
|
+{
|
|
|
+}
|
|
|
+static void ssh_comp_none_block(ssh_compressor *handle,
|
|
|
+ unsigned char *block, int len,
|
|
|
+ unsigned char **outblock, int *outlen,
|
|
|
+ int minlen)
|
|
|
+{
|
|
|
+}
|
|
|
+static int ssh_decomp_none_block(ssh_decompressor *handle,
|
|
|
+ unsigned char *block, int len,
|
|
|
+ unsigned char **outblock, int *outlen)
|
|
|
+{
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+const static struct ssh_compression_alg ssh_comp_none = {
|
|
|
+ "none", NULL,
|
|
|
+ ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
|
|
|
+ ssh_decomp_none_init, ssh_decomp_none_cleanup, ssh_decomp_none_block,
|
|
|
+ NULL
|
|
|
+};
|
|
|
+const static struct ssh_compression_alg *const compressions[] = {
|
|
|
+ &ssh_zlib, &ssh_comp_none
|
|
|
+};
|
|
|
+
|
|
|
+/*
|
|
|
+ * Enumeration of high-level classes of reason why we might need to do
|
|
|
+ * a repeat key exchange. A full detailed reason in human-readable
|
|
|
+ * string form for the Event Log is also provided, but this enum type
|
|
|
+ * is used to discriminate between classes of reason that the code
|
|
|
+ * needs to treat differently.
|
|
|
+ *
|
|
|
+ * RK_NONE == 0 is the value indicating that no rekey is currently
|
|
|
+ * needed at all. RK_INITIAL indicates that we haven't even done the
|
|
|
+ * _first_ key exchange yet. RK_SERVER indicates that we're rekeying
|
|
|
+ * because the server asked for it, not because we decided it
|
|
|
+ * ourselves. RK_NORMAL is the usual case. RK_GSS_UPDATE indicates
|
|
|
+ * that we're rekeying because we've just got new GSSAPI credentials
|
|
|
+ * (hence there's no point in doing a preliminary check for new GSS
|
|
|
+ * creds, because we already know the answer); RK_POST_USERAUTH
|
|
|
+ * indicates that _if_ we're going to need a post-userauth immediate
|
|
|
+ * rekey for any reason, this is the moment to do it.
|
|
|
+ *
|
|
|
+ * So RK_POST_USERAUTH only tells the transport layer to _consider_
|
|
|
+ * rekeying, not to definitely do it. Also, that one enum value is
|
|
|
+ * special in that the user-readable reason text is passed in to the
|
|
|
+ * transport layer as NULL, whereas fills in the reason text after it
|
|
|
+ * decides whether it needs a rekey at all. In the other cases,
|
|
|
+ * rekey_reason is passed in to the at the same time as rekey_class.
|
|
|
+ */
|
|
|
+typedef enum RekeyClass {
|
|
|
+ RK_NONE = 0,
|
|
|
+ RK_INITIAL,
|
|
|
+ RK_SERVER,
|
|
|
+ RK_NORMAL,
|
|
|
+ RK_POST_USERAUTH,
|
|
|
+ RK_GSS_UPDATE
|
|
|
+} RekeyClass;
|
|
|
+
|
|
|
+struct ssh2_transport_state {
|
|
|
+ int crState;
|
|
|
+
|
|
|
+ PacketProtocolLayer *higher_layer;
|
|
|
+ PktInQueue pq_in_higher;
|
|
|
+ PktOutQueue pq_out_higher;
|
|
|
+ IdempotentCallback ic_pq_out_higher;
|
|
|
+
|
|
|
+ Conf *conf;
|
|
|
+ char *savedhost;
|
|
|
+ int savedport;
|
|
|
+ const char *rekey_reason;
|
|
|
+ enum RekeyClass rekey_class;
|
|
|
+
|
|
|
+ unsigned long max_data_size;
|
|
|
+
|
|
|
+ const struct ssh_kex *kex_alg;
|
|
|
+ const ssh_keyalg *hostkey_alg;
|
|
|
+ char *hostkey_str; /* string representation, for easy checking in rekeys */
|
|
|
+ unsigned char session_id[SSH2_KEX_MAX_HASH_LEN];
|
|
|
+ int session_id_len;
|
|
|
+ struct dh_ctx *dh_ctx;
|
|
|
+ ssh_hash *exhash;
|
|
|
+
|
|
|
+ struct DataTransferStats *stats;
|
|
|
+
|
|
|
+ char *client_greeting, *server_greeting;
|
|
|
+
|
|
|
+ int kex_in_progress;
|
|
|
+ unsigned long next_rekey, last_rekey;
|
|
|
+ const char *deferred_rekey_reason;
|
|
|
+ int higher_layer_ok;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Fully qualified host name, which we need if doing GSSAPI.
|
|
|
+ */
|
|
|
+ char *fullhostname;
|
|
|
+
|
|
|
+ /* shgss is outside the ifdef on purpose to keep APIs simple. If
|
|
|
+ * NO_GSSAPI is not defined, then it's just an opaque structure
|
|
|
+ * tag and the pointer will be NULL. */
|
|
|
+ struct ssh_connection_shared_gss_state *shgss;
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ int gss_status;
|
|
|
+ time_t gss_cred_expiry; /* Re-delegate if newer */
|
|
|
+ unsigned long gss_ctxt_lifetime; /* Re-delegate when short */
|
|
|
+ tree234 *transient_hostkey_cache;
|
|
|
+#endif
|
|
|
+
|
|
|
+ int gss_kex_used;
|
|
|
+
|
|
|
+ int nbits, pbits, warn_kex, warn_hk, warn_cscipher, warn_sccipher;
|
|
|
+ Bignum p, g, e, f, K;
|
|
|
+ void *our_kexinit;
|
|
|
+ int our_kexinitlen;
|
|
|
+ int kex_init_value, kex_reply_value;
|
|
|
+ const struct ssh2_macalg *const *maclist;
|
|
|
+ int nmacs;
|
|
|
+ struct {
|
|
|
+ const struct ssh2_cipheralg *cipher;
|
|
|
+ const struct ssh2_macalg *mac;
|
|
|
+ int etm_mode;
|
|
|
+ const struct ssh_compression_alg *comp;
|
|
|
+ } in, out;
|
|
|
+ ptrlen hostkeydata, sigdata;
|
|
|
+ char *keystr, *fingerprint;
|
|
|
+ ssh_key *hkey; /* actual host key */
|
|
|
+ struct RSAKey *rsa_kex_key; /* for RSA kex */
|
|
|
+ struct ec_key *ecdh_key; /* for ECDH kex */
|
|
|
+ unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
|
|
|
+ int n_preferred_kex;
|
|
|
+ int can_gssapi_keyex;
|
|
|
+ int need_gss_transient_hostkey;
|
|
|
+ int warned_about_no_gss_transient_hostkey;
|
|
|
+ const struct ssh_kexes *preferred_kex[KEX_MAX + 1]; /* +1 for GSSAPI */
|
|
|
+ int n_preferred_hk;
|
|
|
+ int preferred_hk[HK_MAX];
|
|
|
+ int n_preferred_ciphers;
|
|
|
+ const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
|
|
|
+ const struct ssh_compression_alg *preferred_comp;
|
|
|
+ int userauth_succeeded; /* for delayed compression */
|
|
|
+ int pending_compression;
|
|
|
+ int got_session_id;
|
|
|
+ int dlgret;
|
|
|
+ int guessok;
|
|
|
+ int ignorepkt;
|
|
|
+ struct kexinit_algorithm kexlists[NKEXLIST][MAXKEXLIST];
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ Ssh_gss_buf gss_buf;
|
|
|
+ Ssh_gss_buf gss_rcvtok, gss_sndtok;
|
|
|
+ Ssh_gss_stat gss_stat;
|
|
|
+ Ssh_gss_buf mic;
|
|
|
+ int init_token_sent;
|
|
|
+ int complete_rcvd;
|
|
|
+ int gss_delegate;
|
|
|
+#endif
|
|
|
+
|
|
|
+ /*
|
|
|
+ * List of host key algorithms for which we _don't_ have a stored
|
|
|
+ * host key. These are indices into the main hostkey_algs[] array
|
|
|
+ */
|
|
|
+ int uncert_hostkeys[lenof(hostkey_algs)];
|
|
|
+ int n_uncert_hostkeys;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Flag indicating that the current rekey is intended to finish
|
|
|
+ * with a newly cross-certified host key.
|
|
|
+ */
|
|
|
+ int cross_certifying;
|
|
|
+
|
|
|
+ PacketProtocolLayer ppl;
|
|
|
+};
|
|
|
+
|
|
|
+static void ssh2_transport_free(PacketProtocolLayer *);
|
|
|
+static void ssh2_transport_process_queue(PacketProtocolLayer *);
|
|
|
+static int ssh2_transport_get_specials(
|
|
|
+ PacketProtocolLayer *ppl, add_special_fn_t add_special, void *ctx);
|
|
|
+static void ssh2_transport_special_cmd(PacketProtocolLayer *ppl,
|
|
|
+ SessionSpecialCode code, int arg);
|
|
|
+static int ssh2_transport_want_user_input(PacketProtocolLayer *ppl);
|
|
|
+static void ssh2_transport_got_user_input(PacketProtocolLayer *ppl);
|
|
|
+static void ssh2_transport_reconfigure(PacketProtocolLayer *ppl, Conf *conf);
|
|
|
+
|
|
|
+static void ssh2_transport_dialog_callback(void *, int);
|
|
|
+static void ssh2_transport_set_max_data_size(struct ssh2_transport_state *s);
|
|
|
+static unsigned long sanitise_rekey_time(int rekey_time, unsigned long def);
|
|
|
+static void ssh2_transport_higher_layer_packet_callback(void *context);
|
|
|
+
|
|
|
+static const struct PacketProtocolLayerVtable ssh2_transport_vtable = {
|
|
|
+ ssh2_transport_free,
|
|
|
+ ssh2_transport_process_queue,
|
|
|
+ ssh2_transport_get_specials,
|
|
|
+ ssh2_transport_special_cmd,
|
|
|
+ ssh2_transport_want_user_input,
|
|
|
+ ssh2_transport_got_user_input,
|
|
|
+ ssh2_transport_reconfigure,
|
|
|
+ NULL, /* no protocol name for this layer */
|
|
|
+};
|
|
|
+
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+static void ssh2_transport_gss_update(struct ssh2_transport_state *s,
|
|
|
+ int definitely_rekeying);
|
|
|
+static void ssh_init_transient_hostkey_store(struct ssh2_transport_state *);
|
|
|
+static void ssh_cleanup_transient_hostkey_store(struct ssh2_transport_state *);
|
|
|
+static void ssh_store_transient_hostkey(
|
|
|
+ struct ssh2_transport_state *s, ssh_key *key);
|
|
|
+static int ssh_verify_transient_hostkey(
|
|
|
+ struct ssh2_transport_state *s, ssh_key *key);
|
|
|
+static int ssh_have_transient_hostkey(
|
|
|
+ struct ssh2_transport_state *s, const ssh_keyalg *alg);
|
|
|
+static int ssh_have_any_transient_hostkey(
|
|
|
+ struct ssh2_transport_state *s);
|
|
|
+#endif
|
|
|
+
|
|
|
+static int ssh2_transport_timer_update(struct ssh2_transport_state *s,
|
|
|
+ unsigned long rekey_time);
|
|
|
+
|
|
|
+static const char *const kexlist_descr[NKEXLIST] = {
|
|
|
+ "key exchange algorithm",
|
|
|
+ "host key algorithm",
|
|
|
+ "client-to-server cipher",
|
|
|
+ "server-to-client cipher",
|
|
|
+ "client-to-server MAC",
|
|
|
+ "server-to-client MAC",
|
|
|
+ "client-to-server compression method",
|
|
|
+ "server-to-client compression method"
|
|
|
+};
|
|
|
+
|
|
|
+PacketProtocolLayer *ssh2_transport_new(
|
|
|
+ Conf *conf, const char *host, int port, const char *fullhostname,
|
|
|
+ const char *client_greeting, const char *server_greeting,
|
|
|
+ struct ssh_connection_shared_gss_state *shgss,
|
|
|
+ struct DataTransferStats *stats,
|
|
|
+ PacketProtocolLayer *higher_layer)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s = snew(struct ssh2_transport_state);
|
|
|
+ memset(s, 0, sizeof(*s));
|
|
|
+ s->ppl.vt = &ssh2_transport_vtable;
|
|
|
+
|
|
|
+ s->conf = conf_copy(conf);
|
|
|
+ s->savedhost = dupstr(host);
|
|
|
+ s->savedport = port;
|
|
|
+ s->fullhostname = dupstr(fullhostname);
|
|
|
+ s->shgss = shgss;
|
|
|
+ s->client_greeting = dupstr(client_greeting);
|
|
|
+ s->server_greeting = dupstr(server_greeting);
|
|
|
+ s->stats = stats;
|
|
|
+
|
|
|
+ pq_in_init(&s->pq_in_higher);
|
|
|
+ pq_out_init(&s->pq_out_higher);
|
|
|
+ s->pq_out_higher.pqb.ic = &s->ic_pq_out_higher;
|
|
|
+ s->ic_pq_out_higher.fn = ssh2_transport_higher_layer_packet_callback;
|
|
|
+ s->ic_pq_out_higher.ctx = &s->ppl;
|
|
|
+
|
|
|
+ s->higher_layer = higher_layer;
|
|
|
+ s->higher_layer->selfptr = &s->higher_layer;
|
|
|
+ ssh_ppl_setup_queues(s->higher_layer, &s->pq_in_higher, &s->pq_out_higher);
|
|
|
+
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ s->gss_cred_expiry = GSS_NO_EXPIRATION;
|
|
|
+ s->shgss->srv_name = GSS_C_NO_NAME;
|
|
|
+ s->shgss->ctx = NULL;
|
|
|
+ ssh_init_transient_hostkey_store(s);
|
|
|
+#endif
|
|
|
+ s->gss_kex_used = FALSE;
|
|
|
+
|
|
|
+ ssh2_transport_set_max_data_size(s);
|
|
|
+
|
|
|
+ return &s->ppl;
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh2_transport_free(PacketProtocolLayer *ppl)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s =
|
|
|
+ FROMFIELD(ppl, struct ssh2_transport_state, ppl);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * As our last act before being freed, move any outgoing packets
|
|
|
+ * off our higher layer's output queue on to our own output queue.
|
|
|
+ * We might be being freed while the SSH connection is still alive
|
|
|
+ * (because we're initiating shutdown from our end), in which case
|
|
|
+ * we don't want those last few packets to get lost.
|
|
|
+ *
|
|
|
+ * (If our owner were to have already destroyed our output pq
|
|
|
+ * before wanting to free us, then it would have to reset our
|
|
|
+ * publicly visible out_pq field to NULL to inhibit this attempt.
|
|
|
+ * But that's not how I expect the shutdown sequence to go in
|
|
|
+ * practice.)
|
|
|
+ */
|
|
|
+ if (s->ppl.out_pq)
|
|
|
+ pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
|
|
|
+
|
|
|
+ conf_free(s->conf);
|
|
|
+
|
|
|
+ ssh_ppl_free(s->higher_layer);
|
|
|
+
|
|
|
+ pq_in_clear(&s->pq_in_higher);
|
|
|
+ pq_out_clear(&s->pq_out_higher);
|
|
|
+
|
|
|
+ sfree(s->savedhost);
|
|
|
+ sfree(s->fullhostname);
|
|
|
+ sfree(s->client_greeting);
|
|
|
+ sfree(s->server_greeting);
|
|
|
+ sfree(s->keystr);
|
|
|
+ sfree(s->hostkey_str);
|
|
|
+ sfree(s->fingerprint);
|
|
|
+ if (s->hkey) {
|
|
|
+ ssh_key_free(s->hkey);
|
|
|
+ s->hkey = NULL;
|
|
|
+ }
|
|
|
+ if (s->e) freebn(s->e);
|
|
|
+ if (s->f) freebn(s->f);
|
|
|
+ if (s->p) freebn(s->p);
|
|
|
+ if (s->g) freebn(s->g);
|
|
|
+ if (s->K) freebn(s->K);
|
|
|
+ if (s->dh_ctx)
|
|
|
+ dh_cleanup(s->dh_ctx);
|
|
|
+ if (s->rsa_kex_key)
|
|
|
+ ssh_rsakex_freekey(s->rsa_kex_key);
|
|
|
+ if (s->ecdh_key)
|
|
|
+ ssh_ecdhkex_freekey(s->ecdh_key);
|
|
|
+ if (s->exhash)
|
|
|
+ ssh_hash_free(s->exhash);
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ ssh_cleanup_transient_hostkey_store(s);
|
|
|
+#endif
|
|
|
+ sfree(s);
|
|
|
+}
|
|
|
+
|
|
|
+/*
|
|
|
+ * SSH-2 key derivation (RFC 4253 section 7.2).
|
|
|
+ */
|
|
|
+static void ssh2_mkkey(
|
|
|
+ struct ssh2_transport_state *s, strbuf *out,
|
|
|
+ Bignum K, unsigned char *H, char chr, int keylen)
|
|
|
+{
|
|
|
+ int hlen = s->kex_alg->hash->hlen;
|
|
|
+ int keylen_padded;
|
|
|
+ unsigned char *key;
|
|
|
+ ssh_hash *h;
|
|
|
+
|
|
|
+ if (keylen == 0)
|
|
|
+ return;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Round the requested amount of key material up to a multiple of
|
|
|
+ * the length of the hash we're using to make it. This makes life
|
|
|
+ * simpler because then we can just write each hash output block
|
|
|
+ * straight into the output buffer without fiddling about
|
|
|
+ * truncating the last one. Since it's going into a strbuf, and
|
|
|
+ * strbufs are always smemclr()ed on free, there's no need to
|
|
|
+ * worry about leaving extra potentially-sensitive data in memory
|
|
|
+ * that the caller didn't ask for.
|
|
|
+ */
|
|
|
+ keylen_padded = ((keylen + hlen - 1) / hlen) * hlen;
|
|
|
+
|
|
|
+ out->len = 0;
|
|
|
+ key = strbuf_append(out, keylen_padded);
|
|
|
+
|
|
|
+ /* First hlen bytes. */
|
|
|
+ h = ssh_hash_new(s->kex_alg->hash);
|
|
|
+ if (!(s->ppl.remote_bugs & BUG_SSH2_DERIVEKEY))
|
|
|
+ put_mp_ssh2(h, K);
|
|
|
+ put_data(h, H, hlen);
|
|
|
+ put_byte(h, chr);
|
|
|
+ put_data(h, s->session_id, s->session_id_len);
|
|
|
+ ssh_hash_final(h, key);
|
|
|
+
|
|
|
+ /* Subsequent blocks of hlen bytes. */
|
|
|
+ if (keylen_padded > hlen) {
|
|
|
+ int offset;
|
|
|
+
|
|
|
+ h = ssh_hash_new(s->kex_alg->hash);
|
|
|
+ if (!(s->ppl.remote_bugs & BUG_SSH2_DERIVEKEY))
|
|
|
+ put_mp_ssh2(h, K);
|
|
|
+ put_data(h, H, hlen);
|
|
|
+
|
|
|
+ for (offset = hlen; offset < keylen_padded; offset += hlen) {
|
|
|
+ put_data(h, key + offset - hlen, hlen);
|
|
|
+ ssh_hash *h2 = ssh_hash_copy(h);
|
|
|
+ ssh_hash_final(h2, key + offset);
|
|
|
+ }
|
|
|
+
|
|
|
+ ssh_hash_free(h);
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+/*
|
|
|
+ * Find a slot in a KEXINIT algorithm list to use for a new algorithm.
|
|
|
+ * If the algorithm is already in the list, return a pointer to its
|
|
|
+ * entry, otherwise return an entry from the end of the list.
|
|
|
+ * This assumes that every time a particular name is passed in, it
|
|
|
+ * comes from the same string constant. If this isn't true, this
|
|
|
+ * function may need to be rewritten to use strcmp() instead.
|
|
|
+ */
|
|
|
+static struct kexinit_algorithm *ssh2_kexinit_addalg(struct kexinit_algorithm
|
|
|
+ *list, const char *name)
|
|
|
+{
|
|
|
+ int i;
|
|
|
+
|
|
|
+ for (i = 0; i < MAXKEXLIST; i++)
|
|
|
+ if (list[i].name == NULL || list[i].name == name) {
|
|
|
+ list[i].name = name;
|
|
|
+ return &list[i];
|
|
|
+ }
|
|
|
+ assert(!"No space in KEXINIT list");
|
|
|
+ return NULL;
|
|
|
+}
|
|
|
+
|
|
|
+int ssh2_common_filter_queue(PacketProtocolLayer *ppl)
|
|
|
+{
|
|
|
+ static const char *const ssh2_disconnect_reasons[] = {
|
|
|
+ NULL,
|
|
|
+ "host not allowed to connect",
|
|
|
+ "protocol error",
|
|
|
+ "key exchange failed",
|
|
|
+ "host authentication failed",
|
|
|
+ "MAC error",
|
|
|
+ "compression error",
|
|
|
+ "service not available",
|
|
|
+ "protocol version not supported",
|
|
|
+ "host key not verifiable",
|
|
|
+ "connection lost",
|
|
|
+ "by application",
|
|
|
+ "too many connections",
|
|
|
+ "auth cancelled by user",
|
|
|
+ "no more auth methods available",
|
|
|
+ "illegal user name",
|
|
|
+ };
|
|
|
+
|
|
|
+ PktIn *pktin;
|
|
|
+ ptrlen msg;
|
|
|
+ int reason;
|
|
|
+
|
|
|
+ while ((pktin = pq_peek(ppl->in_pq)) != NULL) {
|
|
|
+ switch (pktin->type) {
|
|
|
+ case SSH2_MSG_DISCONNECT:
|
|
|
+ reason = get_uint32(pktin);
|
|
|
+ msg = get_string(pktin);
|
|
|
+
|
|
|
+ ssh_remote_error(
|
|
|
+ ppl->ssh, "Server sent disconnect message\n"
|
|
|
+ "type %d (%s):\n\"%.*s\"", reason,
|
|
|
+ ((reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
|
|
|
+ ssh2_disconnect_reasons[reason] : "unknown"),
|
|
|
+ PTRLEN_PRINTF(msg));
|
|
|
+ return TRUE; /* indicate that we've been freed */
|
|
|
+
|
|
|
+ case SSH2_MSG_DEBUG:
|
|
|
+ /* XXX maybe we should actually take notice of the return value */
|
|
|
+ get_bool(pktin);
|
|
|
+ msg = get_string(pktin);
|
|
|
+ ppl_logevent(("Remote debug message: %.*s", PTRLEN_PRINTF(msg)));
|
|
|
+ pq_pop(ppl->in_pq);
|
|
|
+ break;
|
|
|
+
|
|
|
+ case SSH2_MSG_IGNORE:
|
|
|
+ /* Do nothing, because we're ignoring it! Duhh. */
|
|
|
+ pq_pop(ppl->in_pq);
|
|
|
+ break;
|
|
|
+
|
|
|
+ default:
|
|
|
+ return FALSE;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ return FALSE;
|
|
|
+}
|
|
|
+
|
|
|
+static int ssh2_transport_filter_queue(struct ssh2_transport_state *s)
|
|
|
+{
|
|
|
+ PktIn *pktin;
|
|
|
+
|
|
|
+ while (1) {
|
|
|
+ if (ssh2_common_filter_queue(&s->ppl))
|
|
|
+ return TRUE;
|
|
|
+ if ((pktin = pq_peek(s->ppl.in_pq)) == NULL)
|
|
|
+ return FALSE;
|
|
|
+
|
|
|
+ /* Pass on packets to the next layer if they're outside
|
|
|
+ * the range reserved for the transport protocol. */
|
|
|
+ if (pktin->type >= 50) {
|
|
|
+ /* ... except that we shouldn't tolerate higher-layer
|
|
|
+ * packets coming from the server before we've seen
|
|
|
+ * the first NEWKEYS. */
|
|
|
+ if (!s->higher_layer_ok) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received premature higher-"
|
|
|
+ "layer packet, type %d (%s)", pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx,
|
|
|
+ pktin->type));
|
|
|
+ return TRUE;
|
|
|
+ }
|
|
|
+
|
|
|
+ pq_pop(s->ppl.in_pq);
|
|
|
+ pq_push(&s->pq_in_higher, pktin);
|
|
|
+ } else {
|
|
|
+ /* Anything else is a transport-layer packet that the main
|
|
|
+ * process_queue coroutine should handle. */
|
|
|
+ return FALSE;
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+static PktIn *ssh2_transport_pop(struct ssh2_transport_state *s)
|
|
|
+{
|
|
|
+ ssh2_transport_filter_queue(s);
|
|
|
+ return pq_pop(s->ppl.in_pq);
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s =
|
|
|
+ FROMFIELD(ppl, struct ssh2_transport_state, ppl);
|
|
|
+ PktIn *pktin;
|
|
|
+ PktOut *pktout;
|
|
|
+
|
|
|
+ /* Filter centrally handled messages off the front of the queue on
|
|
|
+ * every entry to this coroutine, no matter where we're resuming
|
|
|
+ * from, even if we're _not_ looping on pq_pop. That way we can
|
|
|
+ * still proactively handle those messages even if we're waiting
|
|
|
+ * for a user response. */
|
|
|
+ ssh2_transport_filter_queue(s);
|
|
|
+
|
|
|
+ crBegin(s->crState);
|
|
|
+
|
|
|
+ s->in.cipher = s->out.cipher = NULL;
|
|
|
+ s->in.mac = s->out.mac = NULL;
|
|
|
+ s->in.comp = s->out.comp = NULL;
|
|
|
+
|
|
|
+ s->got_session_id = FALSE;
|
|
|
+ s->userauth_succeeded = FALSE;
|
|
|
+ s->pending_compression = FALSE;
|
|
|
+ s->need_gss_transient_hostkey = FALSE;
|
|
|
+ s->warned_about_no_gss_transient_hostkey = FALSE;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Be prepared to work around the buggy MAC problem.
|
|
|
+ */
|
|
|
+ if (s->ppl.remote_bugs & BUG_SSH2_HMAC)
|
|
|
+ s->maclist = buggymacs, s->nmacs = lenof(buggymacs);
|
|
|
+ else
|
|
|
+ s->maclist = macs, s->nmacs = lenof(macs);
|
|
|
+
|
|
|
+ begin_key_exchange:
|
|
|
+
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ if (s->need_gss_transient_hostkey) {
|
|
|
+ /*
|
|
|
+ * This flag indicates a special case in which we must not do
|
|
|
+ * GSS key exchange even if we could. (See comments below,
|
|
|
+ * where the flag was set on the previous key exchange.)
|
|
|
+ */
|
|
|
+ s->can_gssapi_keyex = FALSE;
|
|
|
+ } else if (conf_get_int(s->conf, CONF_try_gssapi_kex)) {
|
|
|
+ /*
|
|
|
+ * We always check if we have GSS creds before we come up with
|
|
|
+ * the kex algorithm list, otherwise future rekeys will fail
|
|
|
+ * when creds expire. To make this so, this code section must
|
|
|
+ * follow the begin_key_exchange label above, otherwise this
|
|
|
+ * section would execute just once per-connection.
|
|
|
+ *
|
|
|
+ * Update GSS state unless the reason we're here is that a
|
|
|
+ * timer just checked the GSS state and decided that we should
|
|
|
+ * rekey to update delegated credentials. In that case, the
|
|
|
+ * state is "fresh".
|
|
|
+ */
|
|
|
+ if (s->rekey_class != RK_GSS_UPDATE)
|
|
|
+ ssh2_transport_gss_update(s, TRUE);
|
|
|
+
|
|
|
+ /* Do GSSAPI KEX when capable */
|
|
|
+ s->can_gssapi_keyex = s->gss_status & GSS_KEX_CAPABLE;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * But not when failure is likely. [ GSS implementations may
|
|
|
+ * attempt (and fail) to use a ticket that is almost expired
|
|
|
+ * when retrieved from the ccache that actually expires by the
|
|
|
+ * time the server receives it. ]
|
|
|
+ *
|
|
|
+ * Note: The first time always try KEXGSS if we can, failures
|
|
|
+ * will be very rare, and disabling the initial GSS KEX is
|
|
|
+ * worse. Some day GSS libraries will ignore cached tickets
|
|
|
+ * whose lifetime is critically short, and will instead use
|
|
|
+ * fresh ones.
|
|
|
+ */
|
|
|
+ if (!s->got_session_id && (s->gss_status & GSS_CTXT_MAYFAIL) != 0)
|
|
|
+ s->can_gssapi_keyex = 0;
|
|
|
+ s->gss_delegate = conf_get_int(s->conf, CONF_gssapifwd);
|
|
|
+ } else {
|
|
|
+ s->can_gssapi_keyex = FALSE;
|
|
|
+ }
|
|
|
+#endif
|
|
|
+
|
|
|
+ s->ppl.bpp->pls->kctx = SSH2_PKTCTX_NOKEX;
|
|
|
+ {
|
|
|
+ int i, j, k, warn;
|
|
|
+ struct kexinit_algorithm *alg;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Set up the preferred key exchange. (NULL => warn below here)
|
|
|
+ */
|
|
|
+ s->n_preferred_kex = 0;
|
|
|
+ if (s->can_gssapi_keyex)
|
|
|
+ s->preferred_kex[s->n_preferred_kex++] = &ssh_gssk5_sha1_kex;
|
|
|
+ for (i = 0; i < KEX_MAX; i++) {
|
|
|
+ switch (conf_get_int_int(s->conf, CONF_ssh_kexlist, i)) {
|
|
|
+ case KEX_DHGEX:
|
|
|
+ s->preferred_kex[s->n_preferred_kex++] =
|
|
|
+ &ssh_diffiehellman_gex;
|
|
|
+ break;
|
|
|
+ case KEX_DHGROUP14:
|
|
|
+ s->preferred_kex[s->n_preferred_kex++] =
|
|
|
+ &ssh_diffiehellman_group14;
|
|
|
+ break;
|
|
|
+ case KEX_DHGROUP1:
|
|
|
+ s->preferred_kex[s->n_preferred_kex++] =
|
|
|
+ &ssh_diffiehellman_group1;
|
|
|
+ break;
|
|
|
+ case KEX_RSA:
|
|
|
+ s->preferred_kex[s->n_preferred_kex++] =
|
|
|
+ &ssh_rsa_kex;
|
|
|
+ break;
|
|
|
+ case KEX_ECDH:
|
|
|
+ s->preferred_kex[s->n_preferred_kex++] =
|
|
|
+ &ssh_ecdh_kex;
|
|
|
+ break;
|
|
|
+ case KEX_WARN:
|
|
|
+ /* Flag for later. Don't bother if it's the last in
|
|
|
+ * the list. */
|
|
|
+ if (i < KEX_MAX - 1) {
|
|
|
+ s->preferred_kex[s->n_preferred_kex++] = NULL;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Set up the preferred host key types. These are just the ids
|
|
|
+ * in the enum in putty.h, so 'warn below here' is indicated
|
|
|
+ * by HK_WARN.
|
|
|
+ */
|
|
|
+ s->n_preferred_hk = 0;
|
|
|
+ for (i = 0; i < HK_MAX; i++) {
|
|
|
+ int id = conf_get_int_int(s->conf, CONF_ssh_hklist, i);
|
|
|
+ /* As above, don't bother with HK_WARN if it's last in the
|
|
|
+ * list */
|
|
|
+ if (id != HK_WARN || i < HK_MAX - 1)
|
|
|
+ s->preferred_hk[s->n_preferred_hk++] = id;
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Set up the preferred ciphers. (NULL => warn below here)
|
|
|
+ */
|
|
|
+ s->n_preferred_ciphers = 0;
|
|
|
+ for (i = 0; i < CIPHER_MAX; i++) {
|
|
|
+ switch (conf_get_int_int(s->conf, CONF_ssh_cipherlist, i)) {
|
|
|
+ case CIPHER_BLOWFISH:
|
|
|
+ s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_blowfish;
|
|
|
+ break;
|
|
|
+ case CIPHER_DES:
|
|
|
+ if (conf_get_int(s->conf, CONF_ssh2_des_cbc))
|
|
|
+ s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_des;
|
|
|
+ break;
|
|
|
+ case CIPHER_3DES:
|
|
|
+ s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_3des;
|
|
|
+ break;
|
|
|
+ case CIPHER_AES:
|
|
|
+ s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_aes;
|
|
|
+ break;
|
|
|
+ case CIPHER_ARCFOUR:
|
|
|
+ s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour;
|
|
|
+ break;
|
|
|
+ case CIPHER_CHACHA20:
|
|
|
+ s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_ccp;
|
|
|
+ break;
|
|
|
+ case CIPHER_WARN:
|
|
|
+ /* Flag for later. Don't bother if it's the last in
|
|
|
+ * the list. */
|
|
|
+ if (i < CIPHER_MAX - 1) {
|
|
|
+ s->preferred_ciphers[s->n_preferred_ciphers++] = NULL;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Set up preferred compression.
|
|
|
+ */
|
|
|
+ if (conf_get_int(s->conf, CONF_compression))
|
|
|
+ s->preferred_comp = &ssh_zlib;
|
|
|
+ else
|
|
|
+ s->preferred_comp = &ssh_comp_none;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Flag that KEX is in progress.
|
|
|
+ */
|
|
|
+ s->kex_in_progress = TRUE;
|
|
|
+
|
|
|
+ for (i = 0; i < NKEXLIST; i++)
|
|
|
+ for (j = 0; j < MAXKEXLIST; j++)
|
|
|
+ s->kexlists[i][j].name = NULL;
|
|
|
+ /* List key exchange algorithms. */
|
|
|
+ warn = FALSE;
|
|
|
+ for (i = 0; i < s->n_preferred_kex; i++) {
|
|
|
+ const struct ssh_kexes *k = s->preferred_kex[i];
|
|
|
+ if (!k) warn = TRUE;
|
|
|
+ else for (j = 0; j < k->nkexes; j++) {
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_KEX],
|
|
|
+ k->list[j]->name);
|
|
|
+ alg->u.kex.kex = k->list[j];
|
|
|
+ alg->u.kex.warn = warn;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ /* List server host key algorithms. */
|
|
|
+ if (!s->got_session_id) {
|
|
|
+ /*
|
|
|
+ * In the first key exchange, we list all the algorithms
|
|
|
+ * we're prepared to cope with, but prefer those algorithms
|
|
|
+ * for which we have a host key for this host.
|
|
|
+ *
|
|
|
+ * If the host key algorithm is below the warning
|
|
|
+ * threshold, we warn even if we did already have a key
|
|
|
+ * for it, on the basis that if the user has just
|
|
|
+ * reconfigured that host key type to be warned about,
|
|
|
+ * they surely _do_ want to be alerted that a server
|
|
|
+ * they're actually connecting to is using it.
|
|
|
+ */
|
|
|
+ warn = FALSE;
|
|
|
+ for (i = 0; i < s->n_preferred_hk; i++) {
|
|
|
+ if (s->preferred_hk[i] == HK_WARN)
|
|
|
+ warn = TRUE;
|
|
|
+ for (j = 0; j < lenof(hostkey_algs); j++) {
|
|
|
+ if (hostkey_algs[j].id != s->preferred_hk[i])
|
|
|
+ continue;
|
|
|
+ if (have_ssh_host_key(s->savedhost, s->savedport,
|
|
|
+ hostkey_algs[j].alg->cache_id)) {
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
|
|
|
+ hostkey_algs[j].alg->ssh_id);
|
|
|
+ alg->u.hk.hostkey = hostkey_algs[j].alg;
|
|
|
+ alg->u.hk.warn = warn;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ warn = FALSE;
|
|
|
+ for (i = 0; i < s->n_preferred_hk; i++) {
|
|
|
+ if (s->preferred_hk[i] == HK_WARN)
|
|
|
+ warn = TRUE;
|
|
|
+ for (j = 0; j < lenof(hostkey_algs); j++) {
|
|
|
+ if (hostkey_algs[j].id != s->preferred_hk[i])
|
|
|
+ continue;
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
|
|
|
+ hostkey_algs[j].alg->ssh_id);
|
|
|
+ alg->u.hk.hostkey = hostkey_algs[j].alg;
|
|
|
+ alg->u.hk.warn = warn;
|
|
|
+ }
|
|
|
+ }
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ } else if (s->gss_kex_used && !s->need_gss_transient_hostkey) {
|
|
|
+ /*
|
|
|
+ * If we've previously done a GSSAPI KEX, then we list
|
|
|
+ * precisely the algorithms for which a previous GSS key
|
|
|
+ * exchange has delivered us a host key, because we expect
|
|
|
+ * one of exactly those keys to be used in any subsequent
|
|
|
+ * non-GSS-based rekey.
|
|
|
+ *
|
|
|
+ * An exception is if this is the key exchange we
|
|
|
+ * triggered for the purposes of populating that cache -
|
|
|
+ * in which case the cache will currently be empty, which
|
|
|
+ * isn't helpful!
|
|
|
+ */
|
|
|
+ warn = FALSE;
|
|
|
+ for (i = 0; i < s->n_preferred_hk; i++) {
|
|
|
+ if (s->preferred_hk[i] == HK_WARN)
|
|
|
+ warn = TRUE;
|
|
|
+ for (j = 0; j < lenof(hostkey_algs); j++) {
|
|
|
+ if (hostkey_algs[j].id != s->preferred_hk[i])
|
|
|
+ continue;
|
|
|
+ if (ssh_have_transient_hostkey(s, hostkey_algs[j].alg)) {
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
|
|
|
+ hostkey_algs[j].alg->ssh_id);
|
|
|
+ alg->u.hk.hostkey = hostkey_algs[j].alg;
|
|
|
+ alg->u.hk.warn = warn;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+#endif
|
|
|
+ } else {
|
|
|
+ /*
|
|
|
+ * In subsequent key exchanges, we list only the kex
|
|
|
+ * algorithm that was selected in the first key exchange,
|
|
|
+ * so that we keep getting the same host key and hence
|
|
|
+ * don't have to interrupt the user's session to ask for
|
|
|
+ * reverification.
|
|
|
+ */
|
|
|
+ assert(s->kex_alg);
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
|
|
|
+ s->hostkey_alg->ssh_id);
|
|
|
+ alg->u.hk.hostkey = s->hostkey_alg;
|
|
|
+ alg->u.hk.warn = FALSE;
|
|
|
+ }
|
|
|
+ if (s->can_gssapi_keyex) {
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY], "null");
|
|
|
+ alg->u.hk.hostkey = NULL;
|
|
|
+ }
|
|
|
+ /* List encryption algorithms (client->server then server->client). */
|
|
|
+ for (k = KEXLIST_CSCIPHER; k <= KEXLIST_SCCIPHER; k++) {
|
|
|
+ warn = FALSE;
|
|
|
+#ifdef FUZZING
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[k], "none");
|
|
|
+ alg->u.cipher.cipher = NULL;
|
|
|
+ alg->u.cipher.warn = warn;
|
|
|
+#endif /* FUZZING */
|
|
|
+ for (i = 0; i < s->n_preferred_ciphers; i++) {
|
|
|
+ const struct ssh2_ciphers *c = s->preferred_ciphers[i];
|
|
|
+ if (!c) warn = TRUE;
|
|
|
+ else for (j = 0; j < c->nciphers; j++) {
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[k],
|
|
|
+ c->list[j]->name);
|
|
|
+ alg->u.cipher.cipher = c->list[j];
|
|
|
+ alg->u.cipher.warn = warn;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ /* List MAC algorithms (client->server then server->client). */
|
|
|
+ for (j = KEXLIST_CSMAC; j <= KEXLIST_SCMAC; j++) {
|
|
|
+#ifdef FUZZING
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[j], "none");
|
|
|
+ alg->u.mac.mac = NULL;
|
|
|
+ alg->u.mac.etm = FALSE;
|
|
|
+#endif /* FUZZING */
|
|
|
+ for (i = 0; i < s->nmacs; i++) {
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[j], s->maclist[i]->name);
|
|
|
+ alg->u.mac.mac = s->maclist[i];
|
|
|
+ alg->u.mac.etm = FALSE;
|
|
|
+ }
|
|
|
+ for (i = 0; i < s->nmacs; i++)
|
|
|
+ /* For each MAC, there may also be an ETM version,
|
|
|
+ * which we list second. */
|
|
|
+ if (s->maclist[i]->etm_name) {
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[j],
|
|
|
+ s->maclist[i]->etm_name);
|
|
|
+ alg->u.mac.mac = s->maclist[i];
|
|
|
+ alg->u.mac.etm = TRUE;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ /* List client->server compression algorithms,
|
|
|
+ * then server->client compression algorithms. (We use the
|
|
|
+ * same set twice.) */
|
|
|
+ for (j = KEXLIST_CSCOMP; j <= KEXLIST_SCCOMP; j++) {
|
|
|
+ assert(lenof(compressions) > 1);
|
|
|
+ /* Prefer non-delayed versions */
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[j], s->preferred_comp->name);
|
|
|
+ alg->u.comp = s->preferred_comp;
|
|
|
+ /* We don't even list delayed versions of algorithms until
|
|
|
+ * they're allowed to be used, to avoid a race. See the end of
|
|
|
+ * this function. */
|
|
|
+ if (s->userauth_succeeded && s->preferred_comp->delayed_name) {
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[j],
|
|
|
+ s->preferred_comp->delayed_name);
|
|
|
+ alg->u.comp = s->preferred_comp;
|
|
|
+ }
|
|
|
+ for (i = 0; i < lenof(compressions); i++) {
|
|
|
+ const struct ssh_compression_alg *c = compressions[i];
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[j], c->name);
|
|
|
+ alg->u.comp = c;
|
|
|
+ if (s->userauth_succeeded && c->delayed_name) {
|
|
|
+ alg = ssh2_kexinit_addalg(s->kexlists[j], c->delayed_name);
|
|
|
+ alg->u.comp = c;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ /*
|
|
|
+ * Construct and send our key exchange packet.
|
|
|
+ */
|
|
|
+ pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXINIT);
|
|
|
+ for (i = 0; i < 16; i++)
|
|
|
+ put_byte(pktout, (unsigned char) random_byte());
|
|
|
+ for (i = 0; i < NKEXLIST; i++) {
|
|
|
+ strbuf *list = strbuf_new();
|
|
|
+ for (j = 0; j < MAXKEXLIST; j++) {
|
|
|
+ if (s->kexlists[i][j].name == NULL) break;
|
|
|
+ add_to_commasep(list, s->kexlists[i][j].name);
|
|
|
+ }
|
|
|
+ put_stringsb(pktout, list);
|
|
|
+ }
|
|
|
+ /* List client->server languages. Empty list. */
|
|
|
+ put_stringz(pktout, "");
|
|
|
+ /* List server->client languages. Empty list. */
|
|
|
+ put_stringz(pktout, "");
|
|
|
+ /* First KEX packet does _not_ follow, because we're not that brave. */
|
|
|
+ put_bool(pktout, FALSE);
|
|
|
+ /* Reserved. */
|
|
|
+ put_uint32(pktout, 0);
|
|
|
+ }
|
|
|
+
|
|
|
+ s->our_kexinitlen = pktout->length - 5;
|
|
|
+ s->our_kexinit = snewn(s->our_kexinitlen, unsigned char);
|
|
|
+ memcpy(s->our_kexinit, pktout->data + 5, s->our_kexinitlen);
|
|
|
+
|
|
|
+ pq_push(s->ppl.out_pq, pktout);
|
|
|
+
|
|
|
+ crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Now examine the other side's KEXINIT to see what we're up
|
|
|
+ * to.
|
|
|
+ */
|
|
|
+ {
|
|
|
+ ptrlen str;
|
|
|
+ int i, j;
|
|
|
+
|
|
|
+ if (pktin->type != SSH2_MSG_KEXINIT) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
+ "expecting KEXINIT, type %d (%s)", pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx, pktin->type));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ s->kex_alg = NULL;
|
|
|
+ s->hostkey_alg = NULL;
|
|
|
+ s->in.cipher = s->out.cipher = NULL;
|
|
|
+ s->in.mac = s->out.mac = NULL;
|
|
|
+ s->in.comp = s->out.comp = NULL;
|
|
|
+ s->warn_kex = s->warn_hk = FALSE;
|
|
|
+ s->warn_cscipher = s->warn_sccipher = FALSE;
|
|
|
+
|
|
|
+ get_data(pktin, 16); /* skip garbage cookie */
|
|
|
+
|
|
|
+ s->guessok = FALSE;
|
|
|
+ for (i = 0; i < NKEXLIST; i++) {
|
|
|
+ str = get_string(pktin);
|
|
|
+ if (get_err(pktin)) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "KEXINIT packet was incomplete");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* If we've already selected a cipher which requires a
|
|
|
+ * particular MAC, then just select that, and don't even
|
|
|
+ * bother looking through the server's KEXINIT string for
|
|
|
+ * MACs. */
|
|
|
+ if (i == KEXLIST_CSMAC && s->out.cipher &&
|
|
|
+ s->out.cipher->required_mac) {
|
|
|
+ s->out.mac = s->out.cipher->required_mac;
|
|
|
+ s->out.etm_mode = !!(s->out.mac->etm_name);
|
|
|
+ goto matched;
|
|
|
+ }
|
|
|
+ if (i == KEXLIST_SCMAC && s->in.cipher &&
|
|
|
+ s->in.cipher->required_mac) {
|
|
|
+ s->in.mac = s->in.cipher->required_mac;
|
|
|
+ s->in.etm_mode = !!(s->in.mac->etm_name);
|
|
|
+ goto matched;
|
|
|
+ }
|
|
|
+
|
|
|
+ for (j = 0; j < MAXKEXLIST; j++) {
|
|
|
+ struct kexinit_algorithm *alg = &s->kexlists[i][j];
|
|
|
+ if (alg->name == NULL) break;
|
|
|
+ if (in_commasep_string(alg->name, str.ptr, str.len)) {
|
|
|
+ /* We've found a matching algorithm. */
|
|
|
+ if (i == KEXLIST_KEX || i == KEXLIST_HOSTKEY) {
|
|
|
+ /* Check if we might need to ignore first kex pkt */
|
|
|
+ if (j != 0 ||
|
|
|
+ !first_in_commasep_string(alg->name,
|
|
|
+ str.ptr, str.len))
|
|
|
+ s->guessok = FALSE;
|
|
|
+ }
|
|
|
+ if (i == KEXLIST_KEX) {
|
|
|
+ s->kex_alg = alg->u.kex.kex;
|
|
|
+ s->warn_kex = alg->u.kex.warn;
|
|
|
+ } else if (i == KEXLIST_HOSTKEY) {
|
|
|
+ /*
|
|
|
+ * Ignore an unexpected/inappropriate offer of "null",
|
|
|
+ * we offer "null" when we're willing to use GSS KEX,
|
|
|
+ * but it is only acceptable when GSSKEX is actually
|
|
|
+ * selected.
|
|
|
+ */
|
|
|
+ if (alg->u.hk.hostkey == NULL &&
|
|
|
+ s->kex_alg->main_type != KEXTYPE_GSS)
|
|
|
+ continue;
|
|
|
+ s->hostkey_alg = alg->u.hk.hostkey;
|
|
|
+ s->warn_hk = alg->u.hk.warn;
|
|
|
+ } else if (i == KEXLIST_CSCIPHER) {
|
|
|
+ s->out.cipher = alg->u.cipher.cipher;
|
|
|
+ s->warn_cscipher = alg->u.cipher.warn;
|
|
|
+ } else if (i == KEXLIST_SCCIPHER) {
|
|
|
+ s->in.cipher = alg->u.cipher.cipher;
|
|
|
+ s->warn_sccipher = alg->u.cipher.warn;
|
|
|
+ } else if (i == KEXLIST_CSMAC) {
|
|
|
+ s->out.mac = alg->u.mac.mac;
|
|
|
+ s->out.etm_mode = alg->u.mac.etm;
|
|
|
+ } else if (i == KEXLIST_SCMAC) {
|
|
|
+ s->in.mac = alg->u.mac.mac;
|
|
|
+ s->in.etm_mode = alg->u.mac.etm;
|
|
|
+ } else if (i == KEXLIST_CSCOMP) {
|
|
|
+ s->out.comp = alg->u.comp;
|
|
|
+ } else if (i == KEXLIST_SCCOMP) {
|
|
|
+ s->in.comp = alg->u.comp;
|
|
|
+ }
|
|
|
+ goto matched;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* Set a flag if there's a delayed compression option
|
|
|
+ * available for a compression method that we just
|
|
|
+ * failed to select the immediate version of. */
|
|
|
+ s->pending_compression = (
|
|
|
+ (i == KEXLIST_CSCOMP || i == KEXLIST_SCCOMP) &&
|
|
|
+ in_commasep_string(alg->u.comp->delayed_name,
|
|
|
+ str.ptr, str.len) &&
|
|
|
+ !s->userauth_succeeded);
|
|
|
+ }
|
|
|
+ ssh_sw_abort(s->ppl.ssh, "Couldn't agree a %s (available: %.*s)",
|
|
|
+ kexlist_descr[i], PTRLEN_PRINTF(str));
|
|
|
+ return;
|
|
|
+ matched:;
|
|
|
+
|
|
|
+ if (i == KEXLIST_HOSTKEY &&
|
|
|
+ !s->gss_kex_used &&
|
|
|
+ s->kex_alg->main_type != KEXTYPE_GSS) {
|
|
|
+ int j;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * In addition to deciding which host key we're
|
|
|
+ * actually going to use, we should make a list of the
|
|
|
+ * host keys offered by the server which we _don't_
|
|
|
+ * have cached. These will be offered as cross-
|
|
|
+ * certification options by ssh_get_specials.
|
|
|
+ *
|
|
|
+ * We also count the key we're currently using for KEX
|
|
|
+ * as one we've already got, because by the time this
|
|
|
+ * menu becomes visible, it will be.
|
|
|
+ */
|
|
|
+ s->n_uncert_hostkeys = 0;
|
|
|
+
|
|
|
+ for (j = 0; j < lenof(hostkey_algs); j++) {
|
|
|
+ if (hostkey_algs[j].alg != s->hostkey_alg &&
|
|
|
+ in_commasep_string(hostkey_algs[j].alg->ssh_id,
|
|
|
+ str.ptr, str.len) &&
|
|
|
+ !have_ssh_host_key(s->savedhost, s->savedport,
|
|
|
+ hostkey_algs[j].alg->cache_id)) {
|
|
|
+ s->uncert_hostkeys[s->n_uncert_hostkeys++] = j;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->pending_compression) {
|
|
|
+ ppl_logevent(("Server supports delayed compression; "
|
|
|
+ "will try this later"));
|
|
|
+ }
|
|
|
+ get_string(pktin); /* client->server language */
|
|
|
+ get_string(pktin); /* server->client language */
|
|
|
+ s->ignorepkt = get_bool(pktin) && !s->guessok;
|
|
|
+
|
|
|
+ s->exhash = ssh_hash_new(s->kex_alg->hash);
|
|
|
+ put_stringz(s->exhash, s->client_greeting);
|
|
|
+ put_stringz(s->exhash, s->server_greeting);
|
|
|
+ put_string(s->exhash, s->our_kexinit, s->our_kexinitlen);
|
|
|
+ sfree(s->our_kexinit);
|
|
|
+ /* Include the type byte in the hash of server's KEXINIT */
|
|
|
+ put_string(s->exhash,
|
|
|
+ (const char *)BinarySource_UPCAST(pktin)->data - 1,
|
|
|
+ BinarySource_UPCAST(pktin)->len + 1);
|
|
|
+
|
|
|
+ if (s->warn_kex) {
|
|
|
+ s->dlgret = askalg(s->ppl.frontend, "key-exchange algorithm",
|
|
|
+ s->kex_alg->name,
|
|
|
+ ssh2_transport_dialog_callback, s);
|
|
|
+ crMaybeWaitUntilV(s->dlgret >= 0);
|
|
|
+ if (s->dlgret == 0) {
|
|
|
+ ssh_user_close(s->ppl.ssh, "User aborted at kex warning");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->warn_hk) {
|
|
|
+ int j, k;
|
|
|
+ char *betteralgs;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Change warning box wording depending on why we chose a
|
|
|
+ * warning-level host key algorithm. If it's because
|
|
|
+ * that's all we have *cached*, use the askhk mechanism,
|
|
|
+ * and list the host keys we could usefully cross-certify.
|
|
|
+ * Otherwise, use askalg for the standard wording.
|
|
|
+ */
|
|
|
+ betteralgs = NULL;
|
|
|
+ for (j = 0; j < s->n_uncert_hostkeys; j++) {
|
|
|
+ const struct ssh_signkey_with_user_pref_id *hktype =
|
|
|
+ &hostkey_algs[s->uncert_hostkeys[j]];
|
|
|
+ int better = FALSE;
|
|
|
+ for (k = 0; k < HK_MAX; k++) {
|
|
|
+ int id = conf_get_int_int(s->conf, CONF_ssh_hklist, k);
|
|
|
+ if (id == HK_WARN) {
|
|
|
+ break;
|
|
|
+ } else if (id == hktype->id) {
|
|
|
+ better = TRUE;
|
|
|
+ break;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ if (better) {
|
|
|
+ if (betteralgs) {
|
|
|
+ char *old_ba = betteralgs;
|
|
|
+ betteralgs = dupcat(betteralgs, ",",
|
|
|
+ hktype->alg->ssh_id,
|
|
|
+ (const char *)NULL);
|
|
|
+ sfree(old_ba);
|
|
|
+ } else {
|
|
|
+ betteralgs = dupstr(hktype->alg->ssh_id);
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ if (betteralgs) {
|
|
|
+ s->dlgret = askhk(
|
|
|
+ s->ppl.frontend, s->hostkey_alg->ssh_id, betteralgs,
|
|
|
+ ssh2_transport_dialog_callback, s);
|
|
|
+ sfree(betteralgs);
|
|
|
+ } else {
|
|
|
+ s->dlgret = askalg(s->ppl.frontend, "host key type",
|
|
|
+ s->hostkey_alg->ssh_id,
|
|
|
+ ssh2_transport_dialog_callback, s);
|
|
|
+ }
|
|
|
+ crMaybeWaitUntilV(s->dlgret >= 0);
|
|
|
+ if (s->dlgret == 0) {
|
|
|
+ ssh_user_close(s->ppl.ssh, "User aborted at host key warning");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->warn_cscipher) {
|
|
|
+ s->dlgret = askalg(s->ppl.frontend,
|
|
|
+ "client-to-server cipher",
|
|
|
+ s->out.cipher->name,
|
|
|
+ ssh2_transport_dialog_callback, s);
|
|
|
+ crMaybeWaitUntilV(s->dlgret >= 0);
|
|
|
+ if (s->dlgret == 0) {
|
|
|
+ ssh_user_close(s->ppl.ssh, "User aborted at cipher warning");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->warn_sccipher) {
|
|
|
+ s->dlgret = askalg(s->ppl.frontend,
|
|
|
+ "server-to-client cipher",
|
|
|
+ s->in.cipher->name,
|
|
|
+ ssh2_transport_dialog_callback, s);
|
|
|
+ crMaybeWaitUntilV(s->dlgret >= 0);
|
|
|
+ if (s->dlgret == 0) {
|
|
|
+ ssh_user_close(s->ppl.ssh, "User aborted at cipher warning");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->ignorepkt) /* first_kex_packet_follows */
|
|
|
+ crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->kex_alg->main_type == KEXTYPE_DH) {
|
|
|
+ /*
|
|
|
+ * Work out the number of bits of key we will need from the
|
|
|
+ * key exchange. We start with the maximum key length of
|
|
|
+ * either cipher...
|
|
|
+ */
|
|
|
+ {
|
|
|
+ int csbits, scbits;
|
|
|
+
|
|
|
+ csbits = s->out.cipher ? s->out.cipher->real_keybits : 0;
|
|
|
+ scbits = s->in.cipher ? s->in.cipher->real_keybits : 0;
|
|
|
+ s->nbits = (csbits > scbits ? csbits : scbits);
|
|
|
+ }
|
|
|
+ /* The keys only have hlen-bit entropy, since they're based on
|
|
|
+ * a hash. So cap the key size at hlen bits. */
|
|
|
+ if (s->nbits > s->kex_alg->hash->hlen * 8)
|
|
|
+ s->nbits = s->kex_alg->hash->hlen * 8;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * If we're doing Diffie-Hellman group exchange, start by
|
|
|
+ * requesting a group.
|
|
|
+ */
|
|
|
+ if (dh_is_gex(s->kex_alg)) {
|
|
|
+ ppl_logevent(("Doing Diffie-Hellman group exchange"));
|
|
|
+ s->ppl.bpp->pls->kctx = SSH2_PKTCTX_DHGEX;
|
|
|
+ /*
|
|
|
+ * Work out how big a DH group we will need to allow that
|
|
|
+ * much data.
|
|
|
+ */
|
|
|
+ s->pbits = 512 << ((s->nbits - 1) / 64);
|
|
|
+ if (s->pbits < DH_MIN_SIZE)
|
|
|
+ s->pbits = DH_MIN_SIZE;
|
|
|
+ if (s->pbits > DH_MAX_SIZE)
|
|
|
+ s->pbits = DH_MAX_SIZE;
|
|
|
+ if ((s->ppl.remote_bugs & BUG_SSH2_OLDGEX)) {
|
|
|
+ pktout = ssh_bpp_new_pktout(
|
|
|
+ s->ppl.bpp, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
|
|
|
+ put_uint32(pktout, s->pbits);
|
|
|
+ } else {
|
|
|
+ pktout = ssh_bpp_new_pktout(
|
|
|
+ s->ppl.bpp, SSH2_MSG_KEX_DH_GEX_REQUEST);
|
|
|
+ put_uint32(pktout, DH_MIN_SIZE);
|
|
|
+ put_uint32(pktout, s->pbits);
|
|
|
+ put_uint32(pktout, DH_MAX_SIZE);
|
|
|
+ }
|
|
|
+ pq_push(s->ppl.out_pq, pktout);
|
|
|
+
|
|
|
+ crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+ if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
+ "expecting Diffie-Hellman group, type %d (%s)",
|
|
|
+ pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx,
|
|
|
+ pktin->type));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ s->p = get_mp_ssh2(pktin);
|
|
|
+ s->g = get_mp_ssh2(pktin);
|
|
|
+ if (get_err(pktin)) {
|
|
|
+ ssh_proto_error(s->ppl.ssh,
|
|
|
+ "Unable to parse Diffie-Hellman group packet");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ s->dh_ctx = dh_setup_gex(s->p, s->g);
|
|
|
+ s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
|
|
|
+ s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
|
|
|
+ } else {
|
|
|
+ s->ppl.bpp->pls->kctx = SSH2_PKTCTX_DHGROUP;
|
|
|
+ s->dh_ctx = dh_setup_group(s->kex_alg);
|
|
|
+ s->kex_init_value = SSH2_MSG_KEXDH_INIT;
|
|
|
+ s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
|
|
|
+ ppl_logevent(("Using Diffie-Hellman with standard group \"%s\"",
|
|
|
+ s->kex_alg->groupname));
|
|
|
+ }
|
|
|
+
|
|
|
+ ppl_logevent(("Doing Diffie-Hellman key exchange with hash %s",
|
|
|
+ s->kex_alg->hash->text_name));
|
|
|
+ /*
|
|
|
+ * Now generate and send e for Diffie-Hellman.
|
|
|
+ */
|
|
|
+ set_busy_status(s->ppl.frontend, BUSY_CPU); /* this can take a while */
|
|
|
+ s->e = dh_create_e(s->dh_ctx, s->nbits * 2);
|
|
|
+ pktout = ssh_bpp_new_pktout(s->ppl.bpp, s->kex_init_value);
|
|
|
+ put_mp_ssh2(pktout, s->e);
|
|
|
+ pq_push(s->ppl.out_pq, pktout);
|
|
|
+
|
|
|
+ set_busy_status(s->ppl.frontend, BUSY_WAITING); /* wait for server */
|
|
|
+ crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+ if (pktin->type != s->kex_reply_value) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
+ "expecting Diffie-Hellman reply, type %d (%s)",
|
|
|
+ pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx,
|
|
|
+ pktin->type));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ set_busy_status(s->ppl.frontend, BUSY_CPU); /* cogitate */
|
|
|
+ s->hostkeydata = get_string(pktin);
|
|
|
+ s->hkey = ssh_key_new_pub(s->hostkey_alg, s->hostkeydata);
|
|
|
+ s->f = get_mp_ssh2(pktin);
|
|
|
+ s->sigdata = get_string(pktin);
|
|
|
+ if (get_err(pktin)) {
|
|
|
+ ssh_proto_error(s->ppl.ssh,
|
|
|
+ "Unable to parse Diffie-Hellman reply packet");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ {
|
|
|
+ const char *err = dh_validate_f(s->dh_ctx, s->f);
|
|
|
+ if (err) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Diffie-Hellman reply failed "
|
|
|
+ "validation: %s", err);
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ s->K = dh_find_K(s->dh_ctx, s->f);
|
|
|
+
|
|
|
+ /* We assume everything from now on will be quick, and it might
|
|
|
+ * involve user interaction. */
|
|
|
+ set_busy_status(s->ppl.frontend, BUSY_NOT);
|
|
|
+
|
|
|
+ put_stringpl(s->exhash, s->hostkeydata);
|
|
|
+ if (dh_is_gex(s->kex_alg)) {
|
|
|
+ if (!(s->ppl.remote_bugs & BUG_SSH2_OLDGEX))
|
|
|
+ put_uint32(s->exhash, DH_MIN_SIZE);
|
|
|
+ put_uint32(s->exhash, s->pbits);
|
|
|
+ if (!(s->ppl.remote_bugs & BUG_SSH2_OLDGEX))
|
|
|
+ put_uint32(s->exhash, DH_MAX_SIZE);
|
|
|
+ put_mp_ssh2(s->exhash, s->p);
|
|
|
+ put_mp_ssh2(s->exhash, s->g);
|
|
|
+ }
|
|
|
+ put_mp_ssh2(s->exhash, s->e);
|
|
|
+ put_mp_ssh2(s->exhash, s->f);
|
|
|
+
|
|
|
+ dh_cleanup(s->dh_ctx);
|
|
|
+ s->dh_ctx = NULL;
|
|
|
+ freebn(s->f); s->f = NULL;
|
|
|
+ freebn(s->e); s->e = NULL;
|
|
|
+ if (dh_is_gex(s->kex_alg)) {
|
|
|
+ freebn(s->g); s->g = NULL;
|
|
|
+ freebn(s->p); s->p = NULL;
|
|
|
+ }
|
|
|
+ } else if (s->kex_alg->main_type == KEXTYPE_ECDH) {
|
|
|
+
|
|
|
+ ppl_logevent(("Doing ECDH key exchange with curve %s and hash %s",
|
|
|
+ ssh_ecdhkex_curve_textname(s->kex_alg),
|
|
|
+ s->kex_alg->hash->text_name));
|
|
|
+ s->ppl.bpp->pls->kctx = SSH2_PKTCTX_ECDHKEX;
|
|
|
+
|
|
|
+ s->ecdh_key = ssh_ecdhkex_newkey(s->kex_alg);
|
|
|
+ if (!s->ecdh_key) {
|
|
|
+ ssh_sw_abort(s->ppl.ssh, "Unable to generate key for ECDH");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEX_ECDH_INIT);
|
|
|
+ {
|
|
|
+ strbuf *pubpoint = strbuf_new();
|
|
|
+ ssh_ecdhkex_getpublic(s->ecdh_key, BinarySink_UPCAST(pubpoint));
|
|
|
+ put_stringsb(pktout, pubpoint);
|
|
|
+ }
|
|
|
+
|
|
|
+ pq_push(s->ppl.out_pq, pktout);
|
|
|
+
|
|
|
+ crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+ if (pktin->type != SSH2_MSG_KEX_ECDH_REPLY) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
+ "expecting ECDH reply, type %d (%s)", pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx,
|
|
|
+ pktin->type));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ s->hostkeydata = get_string(pktin);
|
|
|
+ put_stringpl(s->exhash, s->hostkeydata);
|
|
|
+ s->hkey = ssh_key_new_pub(s->hostkey_alg, s->hostkeydata);
|
|
|
+
|
|
|
+ {
|
|
|
+ strbuf *pubpoint = strbuf_new();
|
|
|
+ ssh_ecdhkex_getpublic(s->ecdh_key, BinarySink_UPCAST(pubpoint));
|
|
|
+ put_string(s->exhash, pubpoint->u, pubpoint->len);
|
|
|
+ strbuf_free(pubpoint);
|
|
|
+ }
|
|
|
+
|
|
|
+ {
|
|
|
+ ptrlen keydata = get_string(pktin);
|
|
|
+ put_stringpl(s->exhash, keydata);
|
|
|
+ s->K = ssh_ecdhkex_getkey(s->ecdh_key, keydata.ptr, keydata.len);
|
|
|
+ if (!get_err(pktin) && !s->K) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received invalid elliptic curve "
|
|
|
+ "point in ECDH reply");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ s->sigdata = get_string(pktin);
|
|
|
+ if (get_err(pktin)) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Unable to parse ECDH reply packet");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ ssh_ecdhkex_freekey(s->ecdh_key);
|
|
|
+ s->ecdh_key = NULL;
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ } else if (s->kex_alg->main_type == KEXTYPE_GSS) {
|
|
|
+ ptrlen data;
|
|
|
+
|
|
|
+ s->ppl.bpp->pls->kctx = SSH2_PKTCTX_GSSKEX;
|
|
|
+ s->init_token_sent = 0;
|
|
|
+ s->complete_rcvd = 0;
|
|
|
+ s->hkey = NULL;
|
|
|
+ s->fingerprint = NULL;
|
|
|
+ s->keystr = NULL;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Work out the number of bits of key we will need from the
|
|
|
+ * key exchange. We start with the maximum key length of
|
|
|
+ * either cipher...
|
|
|
+ *
|
|
|
+ * This is rote from the KEXTYPE_DH section above.
|
|
|
+ */
|
|
|
+ {
|
|
|
+ int csbits, scbits;
|
|
|
+
|
|
|
+ csbits = s->out.cipher->real_keybits;
|
|
|
+ scbits = s->in.cipher->real_keybits;
|
|
|
+ s->nbits = (csbits > scbits ? csbits : scbits);
|
|
|
+ }
|
|
|
+ /* The keys only have hlen-bit entropy, since they're based on
|
|
|
+ * a hash. So cap the key size at hlen bits. */
|
|
|
+ if (s->nbits > s->kex_alg->hash->hlen * 8)
|
|
|
+ s->nbits = s->kex_alg->hash->hlen * 8;
|
|
|
+
|
|
|
+ if (dh_is_gex(s->kex_alg)) {
|
|
|
+ /*
|
|
|
+ * Work out how big a DH group we will need to allow that
|
|
|
+ * much data.
|
|
|
+ */
|
|
|
+ s->pbits = 512 << ((s->nbits - 1) / 64);
|
|
|
+ ppl_logevent(("Doing GSSAPI (with Kerberos V5) Diffie-Hellman "
|
|
|
+ "group exchange, with minimum %d bits", s->pbits));
|
|
|
+ pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXGSS_GROUPREQ);
|
|
|
+ put_uint32(pktout, s->pbits); /* min */
|
|
|
+ put_uint32(pktout, s->pbits); /* preferred */
|
|
|
+ put_uint32(pktout, s->pbits * 2); /* max */
|
|
|
+ pq_push(s->ppl.out_pq, pktout);
|
|
|
+
|
|
|
+ crMaybeWaitUntilV(
|
|
|
+ (pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+ if (pktin->type != SSH2_MSG_KEXGSS_GROUP) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
+ "expecting Diffie-Hellman group, type %d (%s)",
|
|
|
+ pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx,
|
|
|
+ pktin->type));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ s->p = get_mp_ssh2(pktin);
|
|
|
+ s->g = get_mp_ssh2(pktin);
|
|
|
+ if (get_err(pktin)) {
|
|
|
+ ssh_proto_error(s->ppl.ssh,
|
|
|
+ "Unable to parse Diffie-Hellman group packet");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ s->dh_ctx = dh_setup_gex(s->p, s->g);
|
|
|
+ } else {
|
|
|
+ s->dh_ctx = dh_setup_group(s->kex_alg);
|
|
|
+ ppl_logevent(("Using GSSAPI (with Kerberos V5) Diffie-Hellman with"
|
|
|
+ " standard group \"%s\"", s->kex_alg->groupname));
|
|
|
+ }
|
|
|
+
|
|
|
+ ppl_logevent(("Doing GSSAPI (with Kerberos V5) Diffie-Hellman key "
|
|
|
+ "exchange with hash %s", s->kex_alg->hash->text_name));
|
|
|
+ /* Now generate e for Diffie-Hellman. */
|
|
|
+ set_busy_status(s->ppl.frontend, BUSY_CPU); /* this can take a while */
|
|
|
+ s->e = dh_create_e(s->dh_ctx, s->nbits * 2);
|
|
|
+
|
|
|
+ if (s->shgss->lib->gsslogmsg)
|
|
|
+ ppl_logevent(("%s", s->shgss->lib->gsslogmsg));
|
|
|
+
|
|
|
+ /* initial tokens are empty */
|
|
|
+ SSH_GSS_CLEAR_BUF(&s->gss_rcvtok);
|
|
|
+ SSH_GSS_CLEAR_BUF(&s->gss_sndtok);
|
|
|
+ SSH_GSS_CLEAR_BUF(&s->mic);
|
|
|
+ s->gss_stat = s->shgss->lib->acquire_cred(
|
|
|
+ s->shgss->lib, &s->shgss->ctx, &s->gss_cred_expiry);
|
|
|
+ if (s->gss_stat != SSH_GSS_OK) {
|
|
|
+ ssh_sw_abort(s->ppl.ssh,
|
|
|
+ "GSSAPI key exchange failed to initialise");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* now enter the loop */
|
|
|
+ assert(s->shgss->srv_name);
|
|
|
+ do {
|
|
|
+ /*
|
|
|
+ * When acquire_cred yields no useful expiration, go with the
|
|
|
+ * service ticket expiration.
|
|
|
+ */
|
|
|
+ s->gss_stat = s->shgss->lib->init_sec_context(
|
|
|
+ s->shgss->lib, &s->shgss->ctx, s->shgss->srv_name,
|
|
|
+ s->gss_delegate, &s->gss_rcvtok, &s->gss_sndtok,
|
|
|
+ (s->gss_cred_expiry == GSS_NO_EXPIRATION ?
|
|
|
+ &s->gss_cred_expiry : NULL), NULL);
|
|
|
+ SSH_GSS_CLEAR_BUF(&s->gss_rcvtok);
|
|
|
+
|
|
|
+ if (s->gss_stat == SSH_GSS_S_COMPLETE && s->complete_rcvd)
|
|
|
+ break; /* MIC is verified after the loop */
|
|
|
+
|
|
|
+ if (s->gss_stat != SSH_GSS_S_COMPLETE &&
|
|
|
+ s->gss_stat != SSH_GSS_S_CONTINUE_NEEDED) {
|
|
|
+ if (s->shgss->lib->display_status(
|
|
|
+ s->shgss->lib, s->shgss->ctx,
|
|
|
+ &s->gss_buf) == SSH_GSS_OK) {
|
|
|
+ char *err = s->gss_buf.value;
|
|
|
+ ssh_sw_abort(s->ppl.ssh,
|
|
|
+ "GSSAPI key exchange failed to initialise "
|
|
|
+ "context: %s", err);
|
|
|
+ sfree(err);
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ assert(s->gss_stat == SSH_GSS_S_COMPLETE ||
|
|
|
+ s->gss_stat == SSH_GSS_S_CONTINUE_NEEDED);
|
|
|
+
|
|
|
+ if (!s->init_token_sent) {
|
|
|
+ s->init_token_sent = 1;
|
|
|
+ pktout = ssh_bpp_new_pktout(s->ppl.bpp,
|
|
|
+ SSH2_MSG_KEXGSS_INIT);
|
|
|
+ if (s->gss_sndtok.length == 0) {
|
|
|
+ ssh_sw_abort(s->ppl.ssh, "GSSAPI key exchange failed: "
|
|
|
+ "no initial context token");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ put_string(pktout,
|
|
|
+ s->gss_sndtok.value, s->gss_sndtok.length);
|
|
|
+ put_mp_ssh2(pktout, s->e);
|
|
|
+ pq_push(s->ppl.out_pq, pktout);
|
|
|
+ s->shgss->lib->free_tok(s->shgss->lib, &s->gss_sndtok);
|
|
|
+ ppl_logevent(("GSSAPI key exchange initialised"));
|
|
|
+ } else if (s->gss_sndtok.length != 0) {
|
|
|
+ pktout = ssh_bpp_new_pktout(
|
|
|
+ s->ppl.bpp, SSH2_MSG_KEXGSS_CONTINUE);
|
|
|
+ put_string(pktout,
|
|
|
+ s->gss_sndtok.value, s->gss_sndtok.length);
|
|
|
+ pq_push(s->ppl.out_pq, pktout);
|
|
|
+ s->shgss->lib->free_tok(s->shgss->lib, &s->gss_sndtok);
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->gss_stat == SSH_GSS_S_COMPLETE && s->complete_rcvd)
|
|
|
+ break;
|
|
|
+
|
|
|
+ wait_for_gss_token:
|
|
|
+ crMaybeWaitUntilV(
|
|
|
+ (pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+ switch (pktin->type) {
|
|
|
+ case SSH2_MSG_KEXGSS_CONTINUE:
|
|
|
+ data = get_string(pktin);
|
|
|
+ s->gss_rcvtok.value = (char *)data.ptr;
|
|
|
+ s->gss_rcvtok.length = data.len;
|
|
|
+ continue;
|
|
|
+ case SSH2_MSG_KEXGSS_COMPLETE:
|
|
|
+ s->complete_rcvd = 1;
|
|
|
+ s->f = get_mp_ssh2(pktin);
|
|
|
+ data = get_string(pktin);
|
|
|
+ s->mic.value = (char *)data.ptr;
|
|
|
+ s->mic.length = data.len;
|
|
|
+ /* Save expiration time of cred when delegating */
|
|
|
+ if (s->gss_delegate && s->gss_cred_expiry != GSS_NO_EXPIRATION)
|
|
|
+ s->gss_cred_expiry = s->gss_cred_expiry;
|
|
|
+ /* If there's a final token we loop to consume it */
|
|
|
+ if (get_bool(pktin)) {
|
|
|
+ data = get_string(pktin);
|
|
|
+ s->gss_rcvtok.value = (char *)data.ptr;
|
|
|
+ s->gss_rcvtok.length = data.len;
|
|
|
+ continue;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ case SSH2_MSG_KEXGSS_HOSTKEY:
|
|
|
+ s->hostkeydata = get_string(pktin);
|
|
|
+ if (s->hostkey_alg) {
|
|
|
+ s->hkey = ssh_key_new_pub(s->hostkey_alg,
|
|
|
+ s->hostkeydata);
|
|
|
+ put_string(s->exhash,
|
|
|
+ s->hostkeydata.ptr, s->hostkeydata.len);
|
|
|
+ }
|
|
|
+ /*
|
|
|
+ * Can't loop as we have no token to pass to
|
|
|
+ * init_sec_context.
|
|
|
+ */
|
|
|
+ goto wait_for_gss_token;
|
|
|
+ case SSH2_MSG_KEXGSS_ERROR:
|
|
|
+ /*
|
|
|
+ * We have no use for the server's major and minor
|
|
|
+ * status. The minor status is really only
|
|
|
+ * meaningful to the server, and with luck the major
|
|
|
+ * status means something to us (but not really all
|
|
|
+ * that much). The string is more meaningful, and
|
|
|
+ * hopefully the server sends any error tokens, as
|
|
|
+ * that will produce the most useful information for
|
|
|
+ * us.
|
|
|
+ */
|
|
|
+ get_uint32(pktin); /* server's major status */
|
|
|
+ get_uint32(pktin); /* server's minor status */
|
|
|
+ data = get_string(pktin);
|
|
|
+ ppl_logevent(("GSSAPI key exchange failed; "
|
|
|
+ "server's message: %.*s", PTRLEN_PRINTF(data)));
|
|
|
+ /* Language tag, but we have no use for it */
|
|
|
+ get_string(pktin);
|
|
|
+ /*
|
|
|
+ * Wait for an error token, if there is one, or the
|
|
|
+ * server's disconnect. The error token, if there
|
|
|
+ * is one, must follow the SSH2_MSG_KEXGSS_ERROR
|
|
|
+ * message, per the RFC.
|
|
|
+ */
|
|
|
+ goto wait_for_gss_token;
|
|
|
+ default:
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received unexpected packet "
|
|
|
+ "during GSSAPI key exchange, type %d (%s)",
|
|
|
+ pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx,
|
|
|
+ pktin->type));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ } while (s->gss_rcvtok.length ||
|
|
|
+ s->gss_stat == SSH_GSS_S_CONTINUE_NEEDED ||
|
|
|
+ !s->complete_rcvd);
|
|
|
+
|
|
|
+ s->K = dh_find_K(s->dh_ctx, s->f);
|
|
|
+
|
|
|
+ /* We assume everything from now on will be quick, and it might
|
|
|
+ * involve user interaction. */
|
|
|
+ set_busy_status(s->ppl.frontend, BUSY_NOT);
|
|
|
+
|
|
|
+ if (!s->hkey)
|
|
|
+ put_stringz(s->exhash, "");
|
|
|
+ if (dh_is_gex(s->kex_alg)) {
|
|
|
+ /* min, preferred, max */
|
|
|
+ put_uint32(s->exhash, s->pbits);
|
|
|
+ put_uint32(s->exhash, s->pbits);
|
|
|
+ put_uint32(s->exhash, s->pbits * 2);
|
|
|
+
|
|
|
+ put_mp_ssh2(s->exhash, s->p);
|
|
|
+ put_mp_ssh2(s->exhash, s->g);
|
|
|
+ }
|
|
|
+ put_mp_ssh2(s->exhash, s->e);
|
|
|
+ put_mp_ssh2(s->exhash, s->f);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * MIC verification is done below, after we compute the hash
|
|
|
+ * used as the MIC input.
|
|
|
+ */
|
|
|
+
|
|
|
+ dh_cleanup(s->dh_ctx);
|
|
|
+ s->dh_ctx = NULL;
|
|
|
+ freebn(s->f); s->f = NULL;
|
|
|
+ freebn(s->e); s->e = NULL;
|
|
|
+ if (dh_is_gex(s->kex_alg)) {
|
|
|
+ freebn(s->g); s->g = NULL;
|
|
|
+ freebn(s->p); s->p = NULL;
|
|
|
+ }
|
|
|
+#endif
|
|
|
+ } else {
|
|
|
+ ptrlen rsakeydata;
|
|
|
+
|
|
|
+ assert(s->kex_alg->main_type == KEXTYPE_RSA);
|
|
|
+ ppl_logevent(("Doing RSA key exchange with hash %s",
|
|
|
+ s->kex_alg->hash->text_name));
|
|
|
+ s->ppl.bpp->pls->kctx = SSH2_PKTCTX_RSAKEX;
|
|
|
+ /*
|
|
|
+ * RSA key exchange. First expect a KEXRSA_PUBKEY packet
|
|
|
+ * from the server.
|
|
|
+ */
|
|
|
+ crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+ if (pktin->type != SSH2_MSG_KEXRSA_PUBKEY) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
+ "expecting RSA public key, type %d (%s)",
|
|
|
+ pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx,
|
|
|
+ pktin->type));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ s->hostkeydata = get_string(pktin);
|
|
|
+ put_stringpl(s->exhash, s->hostkeydata);
|
|
|
+ s->hkey = ssh_key_new_pub(s->hostkey_alg, s->hostkeydata);
|
|
|
+
|
|
|
+ rsakeydata = get_string(pktin);
|
|
|
+
|
|
|
+ s->rsa_kex_key = ssh_rsakex_newkey(rsakeydata.ptr, rsakeydata.len);
|
|
|
+ if (!s->rsa_kex_key) {
|
|
|
+ ssh_proto_error(s->ppl.ssh,
|
|
|
+ "Unable to parse RSA public key packet");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ put_stringpl(s->exhash, rsakeydata);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Next, set up a shared secret K, of precisely KLEN -
|
|
|
+ * 2*HLEN - 49 bits, where KLEN is the bit length of the
|
|
|
+ * RSA key modulus and HLEN is the bit length of the hash
|
|
|
+ * we're using.
|
|
|
+ */
|
|
|
+ {
|
|
|
+ int klen = ssh_rsakex_klen(s->rsa_kex_key);
|
|
|
+ int nbits = klen - (2*s->kex_alg->hash->hlen*8 + 49);
|
|
|
+ int i, byte = 0;
|
|
|
+ strbuf *buf;
|
|
|
+ unsigned char *outstr;
|
|
|
+ int outstrlen;
|
|
|
+
|
|
|
+ s->K = bn_power_2(nbits - 1);
|
|
|
+
|
|
|
+ for (i = 0; i < nbits; i++) {
|
|
|
+ if ((i & 7) == 0) {
|
|
|
+ byte = random_byte();
|
|
|
+ }
|
|
|
+ bignum_set_bit(s->K, i, (byte >> (i & 7)) & 1);
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Encode this as an mpint.
|
|
|
+ */
|
|
|
+ buf = strbuf_new();
|
|
|
+ put_mp_ssh2(buf, s->K);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Encrypt it with the given RSA key.
|
|
|
+ */
|
|
|
+ outstrlen = (klen + 7) / 8;
|
|
|
+ outstr = snewn(outstrlen, unsigned char);
|
|
|
+ ssh_rsakex_encrypt(s->kex_alg->hash, buf->u, buf->len,
|
|
|
+ outstr, outstrlen, s->rsa_kex_key);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * And send it off in a return packet.
|
|
|
+ */
|
|
|
+ pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXRSA_SECRET);
|
|
|
+ put_string(pktout, outstr, outstrlen);
|
|
|
+ pq_push(s->ppl.out_pq, pktout);
|
|
|
+
|
|
|
+ put_string(s->exhash, outstr, outstrlen);
|
|
|
+
|
|
|
+ strbuf_free(buf);
|
|
|
+ sfree(outstr);
|
|
|
+ }
|
|
|
+
|
|
|
+ ssh_rsakex_freekey(s->rsa_kex_key);
|
|
|
+ s->rsa_kex_key = NULL;
|
|
|
+
|
|
|
+ crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+ if (pktin->type != SSH2_MSG_KEXRSA_DONE) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
+ "expecting RSA kex signature, type %d (%s)",
|
|
|
+ pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx,
|
|
|
+ pktin->type));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ s->sigdata = get_string(pktin);
|
|
|
+ if (get_err(pktin)) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Unable to parse RSA kex signature");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ put_mp_ssh2(s->exhash, s->K);
|
|
|
+ assert(ssh_hash_alg(s->exhash)->hlen <= sizeof(s->exchange_hash));
|
|
|
+ ssh_hash_final(s->exhash, s->exchange_hash);
|
|
|
+ s->exhash = NULL;
|
|
|
+
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ if (s->kex_alg->main_type == KEXTYPE_GSS) {
|
|
|
+ Ssh_gss_buf gss_buf;
|
|
|
+ SSH_GSS_CLEAR_BUF(&s->gss_buf);
|
|
|
+
|
|
|
+ gss_buf.value = s->exchange_hash;
|
|
|
+ gss_buf.length = s->kex_alg->hash->hlen;
|
|
|
+ s->gss_stat = s->shgss->lib->verify_mic(
|
|
|
+ s->shgss->lib, s->shgss->ctx, &gss_buf, &s->mic);
|
|
|
+ if (s->gss_stat != SSH_GSS_OK) {
|
|
|
+ if (s->shgss->lib->display_status(
|
|
|
+ s->shgss->lib, s->shgss->ctx, &s->gss_buf) == SSH_GSS_OK) {
|
|
|
+ char *err = s->gss_buf.value;
|
|
|
+ ssh_sw_abort(s->ppl.ssh, "GSSAPI key exchange MIC was "
|
|
|
+ "not valid: %s", err);
|
|
|
+ sfree(err);
|
|
|
+ } else {
|
|
|
+ ssh_sw_abort(s->ppl.ssh, "GSSAPI key exchange MIC was "
|
|
|
+ "not valid");
|
|
|
+ }
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ s->gss_kex_used = TRUE;
|
|
|
+
|
|
|
+ /*-
|
|
|
+ * If this the first KEX, save the GSS context for "gssapi-keyex"
|
|
|
+ * authentication.
|
|
|
+ *
|
|
|
+ * http://tools.ietf.org/html/rfc4462#section-4
|
|
|
+ *
|
|
|
+ * This method may be used only if the initial key exchange was
|
|
|
+ * performed using a GSS-API-based key exchange method defined in
|
|
|
+ * accordance with Section 2. The GSS-API context used with this
|
|
|
+ * method is always that established during an initial GSS-API-based
|
|
|
+ * key exchange. Any context established during key exchange for the
|
|
|
+ * purpose of rekeying MUST NOT be used with this method.
|
|
|
+ */
|
|
|
+ if (s->got_session_id) {
|
|
|
+ s->shgss->lib->release_cred(s->shgss->lib, &s->shgss->ctx);
|
|
|
+ }
|
|
|
+ ppl_logevent(("GSSAPI Key Exchange complete!"));
|
|
|
+ }
|
|
|
+#endif
|
|
|
+
|
|
|
+ s->dh_ctx = NULL;
|
|
|
+
|
|
|
+#if 0
|
|
|
+ debug(("Exchange hash is:\n"));
|
|
|
+ dmemdump(s->exchange_hash, s->kex_alg->hash->hlen);
|
|
|
+#endif
|
|
|
+
|
|
|
+ /* In GSS keyex there's no hostkey signature to verify */
|
|
|
+ if (s->kex_alg->main_type != KEXTYPE_GSS) {
|
|
|
+ if (!s->hkey) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Server's host key is invalid");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!ssh_key_verify(
|
|
|
+ s->hkey, s->sigdata,
|
|
|
+ make_ptrlen(s->exchange_hash, s->kex_alg->hash->hlen))) {
|
|
|
+#ifndef FUZZING
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Signature from server's host key "
|
|
|
+ "is invalid");
|
|
|
+ return;
|
|
|
+#endif
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ s->keystr = (s->hkey ? ssh_key_cache_str(s->hkey) : NULL);
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ if (s->gss_kex_used) {
|
|
|
+ /*
|
|
|
+ * In a GSS-based session, check the host key (if any) against
|
|
|
+ * the transient host key cache. See comment above, at the
|
|
|
+ * definition of ssh_transient_hostkey_cache_entry.
|
|
|
+ */
|
|
|
+ if (s->kex_alg->main_type == KEXTYPE_GSS) {
|
|
|
+
|
|
|
+ /*
|
|
|
+ * We've just done a GSS key exchange. If it gave us a
|
|
|
+ * host key, store it.
|
|
|
+ */
|
|
|
+ if (s->hkey) {
|
|
|
+ s->fingerprint = ssh2_fingerprint(s->hkey);
|
|
|
+ ppl_logevent(("GSS kex provided fallback host key:"));
|
|
|
+ ppl_logevent(("%s", s->fingerprint));
|
|
|
+ sfree(s->fingerprint);
|
|
|
+ s->fingerprint = NULL;
|
|
|
+ ssh_store_transient_hostkey(s, s->hkey);
|
|
|
+ } else if (!ssh_have_any_transient_hostkey(s)) {
|
|
|
+ /*
|
|
|
+ * But if it didn't, then we currently have no
|
|
|
+ * fallback host key to use in subsequent non-GSS
|
|
|
+ * rekeys. So we should immediately trigger a non-GSS
|
|
|
+ * rekey of our own, to set one up, before the session
|
|
|
+ * keys have been used for anything else.
|
|
|
+ *
|
|
|
+ * This is similar to the cross-certification done at
|
|
|
+ * user request in the permanent host key cache, but
|
|
|
+ * here we do it automatically, once, at session
|
|
|
+ * startup, and only add the key to the transient
|
|
|
+ * cache.
|
|
|
+ */
|
|
|
+ if (s->hostkey_alg) {
|
|
|
+ s->need_gss_transient_hostkey = TRUE;
|
|
|
+ } else {
|
|
|
+ /*
|
|
|
+ * If we negotiated the "null" host key algorithm
|
|
|
+ * in the key exchange, that's an indication that
|
|
|
+ * no host key at all is available from the server
|
|
|
+ * (both because we listed "null" last, and
|
|
|
+ * because RFC 4462 section 5 says that a server
|
|
|
+ * MUST NOT offer "null" as a host key algorithm
|
|
|
+ * unless that is the only algorithm it provides
|
|
|
+ * at all).
|
|
|
+ *
|
|
|
+ * In that case we actually _can't_ perform a
|
|
|
+ * non-GSSAPI key exchange, so it's pointless to
|
|
|
+ * attempt one proactively. This is also likely to
|
|
|
+ * cause trouble later if a rekey is required at a
|
|
|
+ * moment whne GSS credentials are not available,
|
|
|
+ * but someone setting up a server in this
|
|
|
+ * configuration presumably accepts that as a
|
|
|
+ * consequence.
|
|
|
+ */
|
|
|
+ if (!s->warned_about_no_gss_transient_hostkey) {
|
|
|
+ ppl_logevent(("No fallback host key available"));
|
|
|
+ s->warned_about_no_gss_transient_hostkey = TRUE;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ /*
|
|
|
+ * We've just done a fallback key exchange, so make
|
|
|
+ * sure the host key it used is in the cache of keys
|
|
|
+ * we previously received in GSS kexes.
|
|
|
+ *
|
|
|
+ * An exception is if this was the non-GSS key exchange we
|
|
|
+ * triggered on purpose to populate the transient cache.
|
|
|
+ */
|
|
|
+ assert(s->hkey); /* only KEXTYPE_GSS lets this be null */
|
|
|
+ s->fingerprint = ssh2_fingerprint(s->hkey);
|
|
|
+
|
|
|
+ if (s->need_gss_transient_hostkey) {
|
|
|
+ ppl_logevent(("Post-GSS rekey provided fallback host key:"));
|
|
|
+ ppl_logevent(("%s", s->fingerprint));
|
|
|
+ ssh_store_transient_hostkey(s, s->hkey);
|
|
|
+ s->need_gss_transient_hostkey = FALSE;
|
|
|
+ } else if (!ssh_verify_transient_hostkey(s, s->hkey)) {
|
|
|
+ ppl_logevent(("Non-GSS rekey after initial GSS kex "
|
|
|
+ "used host key:"));
|
|
|
+ ppl_logevent(("%s", s->fingerprint));
|
|
|
+ ssh_sw_abort(s->ppl.ssh, "Server's host key did not match any "
|
|
|
+ "used in previous GSS kex");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ sfree(s->fingerprint);
|
|
|
+ s->fingerprint = NULL;
|
|
|
+ }
|
|
|
+ } else
|
|
|
+#endif /* NO_GSSAPI */
|
|
|
+ if (!s->got_session_id) {
|
|
|
+ /*
|
|
|
+ * Make a note of any other host key formats that are available.
|
|
|
+ */
|
|
|
+ {
|
|
|
+ int i, j, nkeys = 0;
|
|
|
+ char *list = NULL;
|
|
|
+ for (i = 0; i < lenof(hostkey_algs); i++) {
|
|
|
+ if (hostkey_algs[i].alg == s->hostkey_alg)
|
|
|
+ continue;
|
|
|
+
|
|
|
+ for (j = 0; j < s->n_uncert_hostkeys; j++)
|
|
|
+ if (s->uncert_hostkeys[j] == i)
|
|
|
+ break;
|
|
|
+
|
|
|
+ if (j < s->n_uncert_hostkeys) {
|
|
|
+ char *newlist;
|
|
|
+ if (list)
|
|
|
+ newlist = dupprintf("%s/%s", list,
|
|
|
+ hostkey_algs[i].alg->ssh_id);
|
|
|
+ else
|
|
|
+ newlist = dupprintf("%s", hostkey_algs[i].alg->ssh_id);
|
|
|
+ sfree(list);
|
|
|
+ list = newlist;
|
|
|
+ nkeys++;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ if (list) {
|
|
|
+ ppl_logevent(("Server also has %s host key%s, but we "
|
|
|
+ "don't know %s", list,
|
|
|
+ nkeys > 1 ? "s" : "",
|
|
|
+ nkeys > 1 ? "any of them" : "it"));
|
|
|
+ sfree(list);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Authenticate remote host: verify host key. (We've already
|
|
|
+ * checked the signature of the exchange hash.)
|
|
|
+ */
|
|
|
+ s->fingerprint = ssh2_fingerprint(s->hkey);
|
|
|
+ ppl_logevent(("Host key fingerprint is:"));
|
|
|
+ ppl_logevent(("%s", s->fingerprint));
|
|
|
+ /* First check against manually configured host keys. */
|
|
|
+ s->dlgret = verify_ssh_manual_host_key(
|
|
|
+ s->conf, s->fingerprint, s->hkey);
|
|
|
+ if (s->dlgret == 0) { /* did not match */
|
|
|
+ ssh_sw_abort(s->ppl.ssh, "Host key did not appear in manually "
|
|
|
+ "configured list");
|
|
|
+ return;
|
|
|
+ } else if (s->dlgret < 0) { /* none configured; use standard handling */
|
|
|
+ s->dlgret = verify_ssh_host_key(s->ppl.frontend,
|
|
|
+ s->savedhost, s->savedport,
|
|
|
+ ssh_key_cache_id(s->hkey),
|
|
|
+ s->keystr, s->fingerprint,
|
|
|
+ ssh2_transport_dialog_callback, s);
|
|
|
+#ifdef FUZZING
|
|
|
+ s->dlgret = 1;
|
|
|
+#endif
|
|
|
+ crMaybeWaitUntilV(s->dlgret >= 0);
|
|
|
+ if (s->dlgret == 0) {
|
|
|
+ ssh_user_close(s->ppl.ssh,
|
|
|
+ "User aborted at host key verification");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ sfree(s->fingerprint);
|
|
|
+ s->fingerprint = NULL;
|
|
|
+ /*
|
|
|
+ * Save this host key, to check against the one presented in
|
|
|
+ * subsequent rekeys.
|
|
|
+ */
|
|
|
+ s->hostkey_str = s->keystr;
|
|
|
+ s->keystr = NULL;
|
|
|
+ } else if (s->cross_certifying) {
|
|
|
+ s->fingerprint = ssh2_fingerprint(s->hkey);
|
|
|
+ ppl_logevent(("Storing additional host key for this host:"));
|
|
|
+ ppl_logevent(("%s", s->fingerprint));
|
|
|
+ sfree(s->fingerprint);
|
|
|
+ s->fingerprint = NULL;
|
|
|
+ store_host_key(s->savedhost, s->savedport,
|
|
|
+ ssh_key_cache_id(s->hkey), s->keystr);
|
|
|
+ s->cross_certifying = FALSE;
|
|
|
+ /*
|
|
|
+ * Don't forget to store the new key as the one we'll be
|
|
|
+ * re-checking in future normal rekeys.
|
|
|
+ */
|
|
|
+ s->hostkey_str = s->keystr;
|
|
|
+ s->keystr = NULL;
|
|
|
+ } else {
|
|
|
+ /*
|
|
|
+ * In a rekey, we never present an interactive host key
|
|
|
+ * verification request to the user. Instead, we simply
|
|
|
+ * enforce that the key we're seeing this time is identical to
|
|
|
+ * the one we saw before.
|
|
|
+ */
|
|
|
+ if (strcmp(s->hostkey_str, s->keystr)) {
|
|
|
+#ifndef FUZZING
|
|
|
+ ssh_sw_abort(s->ppl.ssh,
|
|
|
+ "Host key was different in repeat key exchange");
|
|
|
+ return;
|
|
|
+#endif
|
|
|
+ }
|
|
|
+ }
|
|
|
+ sfree(s->keystr);
|
|
|
+ s->keystr = NULL;
|
|
|
+ if (s->hkey) {
|
|
|
+ ssh_key_free(s->hkey);
|
|
|
+ s->hkey = NULL;
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * The exchange hash from the very first key exchange is also
|
|
|
+ * the session id, used in session key construction and
|
|
|
+ * authentication.
|
|
|
+ */
|
|
|
+ if (!s->got_session_id) {
|
|
|
+ assert(sizeof(s->exchange_hash) <= sizeof(s->session_id));
|
|
|
+ memcpy(s->session_id, s->exchange_hash, sizeof(s->exchange_hash));
|
|
|
+ s->session_id_len = s->kex_alg->hash->hlen;
|
|
|
+ assert(s->session_id_len <= sizeof(s->session_id));
|
|
|
+ s->got_session_id = TRUE;
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Send SSH2_MSG_NEWKEYS.
|
|
|
+ */
|
|
|
+ pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_NEWKEYS);
|
|
|
+ pq_push(s->ppl.out_pq, pktout);
|
|
|
+ /* Start counting down the outgoing-data limit for these cipher keys. */
|
|
|
+ s->stats->out.running = TRUE;
|
|
|
+ s->stats->out.remaining = s->max_data_size;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Force the BPP to synchronously marshal all packets up to and
|
|
|
+ * including that NEWKEYS into wire format, before we switch over
|
|
|
+ * to new crypto.
|
|
|
+ */
|
|
|
+ ssh_bpp_handle_output(s->ppl.bpp);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * We've sent client NEWKEYS, so create and initialise
|
|
|
+ * client-to-server session keys.
|
|
|
+ */
|
|
|
+ {
|
|
|
+ strbuf *cipher_key = strbuf_new();
|
|
|
+ strbuf *cipher_iv = strbuf_new();
|
|
|
+ strbuf *mac_key = strbuf_new();
|
|
|
+
|
|
|
+ if (s->out.cipher) {
|
|
|
+ ssh2_mkkey(s, cipher_iv, s->K, s->exchange_hash, 'A',
|
|
|
+ s->out.cipher->blksize);
|
|
|
+ ssh2_mkkey(s, cipher_key, s->K, s->exchange_hash, 'C',
|
|
|
+ s->out.cipher->padded_keybytes);
|
|
|
+ }
|
|
|
+ if (s->out.mac) {
|
|
|
+ ssh2_mkkey(s, mac_key, s->K, s->exchange_hash, 'E',
|
|
|
+ s->out.mac->keylen);
|
|
|
+ }
|
|
|
+
|
|
|
+ ssh2_bpp_new_outgoing_crypto(
|
|
|
+ s->ppl.bpp,
|
|
|
+ s->out.cipher, cipher_key->u, cipher_iv->u,
|
|
|
+ s->out.mac, s->out.etm_mode, mac_key->u,
|
|
|
+ s->out.comp);
|
|
|
+
|
|
|
+ strbuf_free(cipher_key);
|
|
|
+ strbuf_free(cipher_iv);
|
|
|
+ strbuf_free(mac_key);
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->out.cipher)
|
|
|
+ ppl_logevent(("Initialised %.200s client->server encryption",
|
|
|
+ s->out.cipher->text_name));
|
|
|
+ if (s->out.mac)
|
|
|
+ ppl_logevent(("Initialised %.200s client->server"
|
|
|
+ " MAC algorithm%s%s",
|
|
|
+ s->out.mac->text_name,
|
|
|
+ s->out.etm_mode ? " (in ETM mode)" : "",
|
|
|
+ (s->out.cipher->required_mac ?
|
|
|
+ " (required by cipher)" : "")));
|
|
|
+ if (s->out.comp->text_name)
|
|
|
+ ppl_logevent(("Initialised %s compression",
|
|
|
+ s->out.comp->text_name));
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Now our end of the key exchange is complete, we can send all
|
|
|
+ * our queued higher-layer packets. Transfer the whole of the next
|
|
|
+ * layer's outgoing queue on to our own.
|
|
|
+ */
|
|
|
+ pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Expect SSH2_MSG_NEWKEYS from server.
|
|
|
+ */
|
|
|
+ crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+ if (pktin->type != SSH2_MSG_NEWKEYS) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
+ "expecting SSH_MSG_NEWKEYS, type %d (%s)",
|
|
|
+ pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx,
|
|
|
+ pktin->type));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ /* Start counting down the incoming-data limit for these cipher keys. */
|
|
|
+ s->stats->in.running = TRUE;
|
|
|
+ s->stats->in.remaining = s->max_data_size;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * We've seen server NEWKEYS, so create and initialise
|
|
|
+ * server-to-client session keys.
|
|
|
+ */
|
|
|
+ {
|
|
|
+ strbuf *cipher_key = strbuf_new();
|
|
|
+ strbuf *cipher_iv = strbuf_new();
|
|
|
+ strbuf *mac_key = strbuf_new();
|
|
|
+
|
|
|
+ if (s->in.cipher) {
|
|
|
+ ssh2_mkkey(s, cipher_iv, s->K, s->exchange_hash, 'B',
|
|
|
+ s->in.cipher->blksize);
|
|
|
+ ssh2_mkkey(s, cipher_key, s->K, s->exchange_hash, 'D',
|
|
|
+ s->in.cipher->padded_keybytes);
|
|
|
+ }
|
|
|
+ if (s->in.mac) {
|
|
|
+ ssh2_mkkey(s, mac_key, s->K, s->exchange_hash, 'F',
|
|
|
+ s->in.mac->keylen);
|
|
|
+ }
|
|
|
+
|
|
|
+ ssh2_bpp_new_incoming_crypto(
|
|
|
+ s->ppl.bpp,
|
|
|
+ s->in.cipher, cipher_key->u, cipher_iv->u,
|
|
|
+ s->in.mac, s->in.etm_mode, mac_key->u,
|
|
|
+ s->in.comp);
|
|
|
+
|
|
|
+ strbuf_free(cipher_key);
|
|
|
+ strbuf_free(cipher_iv);
|
|
|
+ strbuf_free(mac_key);
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->in.cipher)
|
|
|
+ ppl_logevent(("Initialised %.200s server->client encryption",
|
|
|
+ s->in.cipher->text_name));
|
|
|
+ if (s->in.mac)
|
|
|
+ ppl_logevent(("Initialised %.200s server->client MAC algorithm%s%s",
|
|
|
+ s->in.mac->text_name,
|
|
|
+ s->in.etm_mode ? " (in ETM mode)" : "",
|
|
|
+ (s->in.cipher->required_mac ?
|
|
|
+ " (required by cipher)" : "")));
|
|
|
+ if (s->in.comp->text_name)
|
|
|
+ ppl_logevent(("Initialised %s decompression",
|
|
|
+ s->in.comp->text_name));
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Free shared secret.
|
|
|
+ */
|
|
|
+ freebn(s->K); s->K = NULL;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Update the specials menu to list the remaining uncertified host
|
|
|
+ * keys.
|
|
|
+ */
|
|
|
+ update_specials_menu(s->ppl.frontend);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Key exchange is over. Loop straight back round if we have a
|
|
|
+ * deferred rekey reason.
|
|
|
+ */
|
|
|
+ if (s->deferred_rekey_reason) {
|
|
|
+ ppl_logevent(("%s", s->deferred_rekey_reason));
|
|
|
+ pktin = NULL;
|
|
|
+ s->deferred_rekey_reason = NULL;
|
|
|
+ goto begin_key_exchange;
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Otherwise, schedule a timer for our next rekey.
|
|
|
+ */
|
|
|
+ s->kex_in_progress = FALSE;
|
|
|
+ s->last_rekey = GETTICKCOUNT();
|
|
|
+ (void) ssh2_transport_timer_update(s, 0);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Now we're encrypting. Get the next-layer protocol started if it
|
|
|
+ * hasn't already, and then sit here waiting for reasons to go
|
|
|
+ * back to the start and do a repeat key exchange. One of those
|
|
|
+ * reasons is that we receive KEXINIT from the other end; the
|
|
|
+ * other is if we find rekey_reason is non-NULL, i.e. we've
|
|
|
+ * decided to initiate a rekey ourselves for some reason.
|
|
|
+ */
|
|
|
+ if (!s->higher_layer_ok) {
|
|
|
+ pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_SERVICE_REQUEST);
|
|
|
+ put_stringz(pktout, s->higher_layer->vt->name);
|
|
|
+ pq_push(s->ppl.out_pq, pktout);
|
|
|
+ crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
+ if (pktin->type != SSH2_MSG_SERVICE_ACCEPT) {
|
|
|
+ ssh_sw_abort(s->ppl.ssh, "Server refused request to start "
|
|
|
+ "'%s' protocol", s->higher_layer->vt->name);
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ s->higher_layer_ok = TRUE;
|
|
|
+ queue_idempotent_callback(&s->higher_layer->ic_process_queue);
|
|
|
+ }
|
|
|
+
|
|
|
+ s->rekey_class = RK_NONE;
|
|
|
+ do {
|
|
|
+ crReturnV;
|
|
|
+
|
|
|
+ /* Pass through outgoing packets from the higher layer. */
|
|
|
+ pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
|
|
|
+
|
|
|
+ /* Wait for either a KEXINIT, or something setting
|
|
|
+ * s->rekey_class. This call to ssh2_transport_pop also has
|
|
|
+ * the side effect of transferring incoming packets _to_ the
|
|
|
+ * higher layer (via filter_queue). */
|
|
|
+ if ((pktin = ssh2_transport_pop(s)) != NULL) {
|
|
|
+ if (pktin->type != SSH2_MSG_KEXINIT) {
|
|
|
+ ssh_proto_error(s->ppl.ssh, "Received unexpected transport-"
|
|
|
+ "layer packet outside a key exchange, "
|
|
|
+ "type %d (%s)", pktin->type,
|
|
|
+ ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
+ s->ppl.bpp->pls->actx,
|
|
|
+ pktin->type));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ pq_push_front(s->ppl.in_pq, pktin);
|
|
|
+ ppl_logevent(("Server initiated key re-exchange"));
|
|
|
+ s->rekey_class = RK_SERVER;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->rekey_class == RK_POST_USERAUTH) {
|
|
|
+ /*
|
|
|
+ * userauth has seen a USERAUTH_SUCCEEDED. For a couple of
|
|
|
+ * reasons, this may be the moment to do an immediate
|
|
|
+ * rekey with different parameters. But it may not; so
|
|
|
+ * here we turn that rekey class into either RK_NONE or
|
|
|
+ * RK_NORMAL.
|
|
|
+ *
|
|
|
+ * One is to turn on delayed compression. We do this by a
|
|
|
+ * rekey to work around a protocol design bug:
|
|
|
+ * draft-miller-secsh-compression-delayed-00 says that you
|
|
|
+ * negotiate delayed compression in the first key
|
|
|
+ * exchange, and both sides start compressing when the
|
|
|
+ * server has sent USERAUTH_SUCCESS. This has a race
|
|
|
+ * condition -- the server can't know when the client has
|
|
|
+ * seen it, and thus which incoming packets it should
|
|
|
+ * treat as compressed.
|
|
|
+ *
|
|
|
+ * Instead, we do the initial key exchange without
|
|
|
+ * offering the delayed methods, but note if the server
|
|
|
+ * offers them; when we get here, if a delayed method was
|
|
|
+ * available that was higher on our list than what we got,
|
|
|
+ * we initiate a rekey in which we _do_ list the delayed
|
|
|
+ * methods (and hopefully get it as a result). Subsequent
|
|
|
+ * rekeys will do the same.
|
|
|
+ *
|
|
|
+ * Another reason for a rekey at this point is if we've
|
|
|
+ * done a GSS key exchange and don't have anything in our
|
|
|
+ * transient hostkey cache, in which case we should make
|
|
|
+ * an attempt to populate the cache now.
|
|
|
+ */
|
|
|
+ assert(!s->userauth_succeeded); /* should only happen once */
|
|
|
+ s->userauth_succeeded = TRUE;
|
|
|
+ if (s->pending_compression) {
|
|
|
+ s->rekey_reason = "enabling delayed compression";
|
|
|
+ s->rekey_class = RK_NORMAL;
|
|
|
+ } else if (s->need_gss_transient_hostkey) {
|
|
|
+ s->rekey_reason = "populating transient host key cache";
|
|
|
+ s->rekey_class = RK_NORMAL;
|
|
|
+ } else {
|
|
|
+ /* No need to rekey at this time. */
|
|
|
+ s->rekey_class = RK_NONE;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!s->rekey_class) {
|
|
|
+ /* If we don't yet have any other reason to rekey, check
|
|
|
+ * if we've hit our data limit in either direction. */
|
|
|
+ if (!s->stats->in.running) {
|
|
|
+ s->rekey_reason = "too much data received";
|
|
|
+ s->rekey_class = RK_NORMAL;
|
|
|
+ } else if (!s->stats->out.running) {
|
|
|
+ s->rekey_reason = "too much data sent";
|
|
|
+ s->rekey_class = RK_NORMAL;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (s->rekey_class != RK_NONE && s->rekey_class != RK_SERVER) {
|
|
|
+ /*
|
|
|
+ * Special case: if the server bug is set that doesn't
|
|
|
+ * allow rekeying, we give a different log message and
|
|
|
+ * continue waiting. (If such a server _initiates_ a
|
|
|
+ * rekey, we process it anyway!)
|
|
|
+ */
|
|
|
+ if ((s->ppl.remote_bugs & BUG_SSH2_REKEY)) {
|
|
|
+ ppl_logevent(("Server bug prevents key re-exchange (%s)",
|
|
|
+ s->rekey_reason));
|
|
|
+ /* Reset the counters, so that at least this message doesn't
|
|
|
+ * hit the event log _too_ often. */
|
|
|
+ s->stats->in.running = s->stats->out.running = TRUE;
|
|
|
+ s->stats->in.remaining = s->stats->out.remaining =
|
|
|
+ s->max_data_size;
|
|
|
+ (void) ssh2_transport_timer_update(s, 0);
|
|
|
+ s->rekey_class = RK_NONE;
|
|
|
+ } else {
|
|
|
+ ppl_logevent(("Initiating key re-exchange (%s)",
|
|
|
+ s->rekey_reason));
|
|
|
+ }
|
|
|
+ }
|
|
|
+ } while (s->rekey_reason == RK_NONE);
|
|
|
+
|
|
|
+ /* Once we exit the above loop, we really are rekeying. */
|
|
|
+ goto begin_key_exchange;
|
|
|
+
|
|
|
+ crFinishV;
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh2_transport_higher_layer_packet_callback(void *context)
|
|
|
+{
|
|
|
+ PacketProtocolLayer *ppl = (PacketProtocolLayer *)context;
|
|
|
+ ssh_ppl_process_queue(ppl);
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh2_transport_timer(void *ctx, unsigned long now)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s = (struct ssh2_transport_state *)ctx;
|
|
|
+ unsigned long mins;
|
|
|
+ unsigned long ticks;
|
|
|
+
|
|
|
+ if (s->kex_in_progress || now != s->next_rekey)
|
|
|
+ return;
|
|
|
+
|
|
|
+ mins = sanitise_rekey_time(conf_get_int(s->conf, CONF_ssh_rekey_time), 60);
|
|
|
+ if (mins == 0)
|
|
|
+ return;
|
|
|
+
|
|
|
+ /* Rekey if enough time has elapsed */
|
|
|
+ ticks = mins * 60 * TICKSPERSEC;
|
|
|
+ if (now - s->last_rekey > ticks - 30*TICKSPERSEC) {
|
|
|
+ s->rekey_reason = "timeout";
|
|
|
+ s->rekey_class = RK_NORMAL;
|
|
|
+ queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ /*
|
|
|
+ * Rekey now if we have a new cred or context expires this cycle,
|
|
|
+ * but not if this is unsafe.
|
|
|
+ */
|
|
|
+ if (conf_get_int(s->conf, CONF_gssapirekey)) {
|
|
|
+ ssh2_transport_gss_update(s, FALSE);
|
|
|
+ if ((s->gss_status & GSS_KEX_CAPABLE) != 0 &&
|
|
|
+ (s->gss_status & GSS_CTXT_MAYFAIL) == 0 &&
|
|
|
+ (s->gss_status & (GSS_CRED_UPDATED|GSS_CTXT_EXPIRES)) != 0) {
|
|
|
+ s->rekey_reason = "GSS credentials updated";
|
|
|
+ s->rekey_class = RK_GSS_UPDATE;
|
|
|
+ queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+#endif
|
|
|
+
|
|
|
+ /* Try again later. */
|
|
|
+ (void) ssh2_transport_timer_update(s, 0);
|
|
|
+}
|
|
|
+
|
|
|
+/*
|
|
|
+ * The rekey_time is zero except when re-configuring.
|
|
|
+ *
|
|
|
+ * We either schedule the next timer and return 0, or return 1 to run the
|
|
|
+ * callback now, which will call us again to re-schedule on completion.
|
|
|
+ */
|
|
|
+static int ssh2_transport_timer_update(struct ssh2_transport_state *s,
|
|
|
+ unsigned long rekey_time)
|
|
|
+{
|
|
|
+ unsigned long mins;
|
|
|
+ unsigned long ticks;
|
|
|
+
|
|
|
+ mins = sanitise_rekey_time(conf_get_int(s->conf, CONF_ssh_rekey_time), 60);
|
|
|
+ ticks = mins * 60 * TICKSPERSEC;
|
|
|
+
|
|
|
+ /* Handle change from previous setting */
|
|
|
+ if (rekey_time != 0 && rekey_time != mins) {
|
|
|
+ unsigned long next;
|
|
|
+ unsigned long now = GETTICKCOUNT();
|
|
|
+
|
|
|
+ mins = rekey_time;
|
|
|
+ ticks = mins * 60 * TICKSPERSEC;
|
|
|
+ next = s->last_rekey + ticks;
|
|
|
+
|
|
|
+ /* If overdue, caller will rekey synchronously now */
|
|
|
+ if (now - s->last_rekey > ticks)
|
|
|
+ return 1;
|
|
|
+ ticks = next - now;
|
|
|
+ }
|
|
|
+
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+ if (s->gss_kex_used) {
|
|
|
+ /*
|
|
|
+ * If we've used GSSAPI key exchange, then we should
|
|
|
+ * periodically check whether we need to do another one to
|
|
|
+ * pass new credentials to the server.
|
|
|
+ */
|
|
|
+ unsigned long gssmins;
|
|
|
+
|
|
|
+ /* Check cascade conditions more frequently if configured */
|
|
|
+ gssmins = sanitise_rekey_time(
|
|
|
+ conf_get_int(s->conf, CONF_gssapirekey), GSS_DEF_REKEY_MINS);
|
|
|
+ if (gssmins > 0) {
|
|
|
+ if (gssmins < mins)
|
|
|
+ ticks = (mins = gssmins) * 60 * TICKSPERSEC;
|
|
|
+
|
|
|
+ if ((s->gss_status & GSS_KEX_CAPABLE) != 0) {
|
|
|
+ /*
|
|
|
+ * Run next timer even sooner if it would otherwise be
|
|
|
+ * too close to the context expiration time
|
|
|
+ */
|
|
|
+ if ((s->gss_status & GSS_CTXT_EXPIRES) == 0 &&
|
|
|
+ s->gss_ctxt_lifetime - mins * 60 < 2 * MIN_CTXT_LIFETIME)
|
|
|
+ ticks -= 2 * MIN_CTXT_LIFETIME * TICKSPERSEC;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+#endif
|
|
|
+
|
|
|
+ /* Schedule the next timer */
|
|
|
+ s->next_rekey = schedule_timer(ticks, ssh2_transport_timer, s);
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh2_transport_dialog_callback(void *loginv, int ret)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s = (struct ssh2_transport_state *)loginv;
|
|
|
+ s->dlgret = ret;
|
|
|
+ ssh_ppl_process_queue(&s->ppl);
|
|
|
+}
|
|
|
+
|
|
|
+#ifndef NO_GSSAPI
|
|
|
+/*
|
|
|
+ * This is called at the beginning of each SSH rekey to determine
|
|
|
+ * whether we are GSS capable, and if we did GSS key exchange, and are
|
|
|
+ * delegating credentials, it is also called periodically to determine
|
|
|
+ * whether we should rekey in order to delegate (more) fresh
|
|
|
+ * credentials. This is called "credential cascading".
|
|
|
+ *
|
|
|
+ * On Windows, with SSPI, we may not get the credential expiration, as
|
|
|
+ * Windows automatically renews from cached passwords, so the
|
|
|
+ * credential effectively never expires. Since we still want to
|
|
|
+ * cascade when the local TGT is updated, we use the expiration of a
|
|
|
+ * newly obtained context as a proxy for the expiration of the TGT.
|
|
|
+ */
|
|
|
+static void ssh2_transport_gss_update(struct ssh2_transport_state *s,
|
|
|
+ int definitely_rekeying)
|
|
|
+{
|
|
|
+ PacketProtocolLayer *ppl = &s->ppl; /* for ppl_logevent */
|
|
|
+ int gss_stat;
|
|
|
+ time_t gss_cred_expiry;
|
|
|
+ unsigned long mins;
|
|
|
+ Ssh_gss_buf gss_sndtok;
|
|
|
+ Ssh_gss_buf gss_rcvtok;
|
|
|
+ Ssh_gss_ctx gss_ctx;
|
|
|
+
|
|
|
+ s->gss_status = 0;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Nothing to do if no GSSAPI libraries are configured or GSSAPI
|
|
|
+ * auth is not enabled.
|
|
|
+ */
|
|
|
+ if (s->shgss->libs->nlibraries == 0)
|
|
|
+ return;
|
|
|
+ if (!conf_get_int(s->conf, CONF_try_gssapi_auth) &&
|
|
|
+ !conf_get_int(s->conf, CONF_try_gssapi_kex))
|
|
|
+ return;
|
|
|
+
|
|
|
+ /* Import server name and cache it */
|
|
|
+ if (s->shgss->srv_name == GSS_C_NO_NAME) {
|
|
|
+ gss_stat = s->shgss->lib->import_name(
|
|
|
+ s->shgss->lib, s->fullhostname, &s->shgss->srv_name);
|
|
|
+ if (gss_stat != SSH_GSS_OK) {
|
|
|
+ if (gss_stat == SSH_GSS_BAD_HOST_NAME)
|
|
|
+ ppl_logevent(("GSSAPI import name failed - Bad service name;"
|
|
|
+ " won't use GSS key exchange"));
|
|
|
+ else
|
|
|
+ ppl_logevent(("GSSAPI import name failed;"
|
|
|
+ " won't use GSS key exchange"));
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Do we (still) have credentials? Capture the credential
|
|
|
+ * expiration when available
|
|
|
+ */
|
|
|
+ gss_stat = s->shgss->lib->acquire_cred(
|
|
|
+ s->shgss->lib, &gss_ctx, &gss_cred_expiry);
|
|
|
+ if (gss_stat != SSH_GSS_OK)
|
|
|
+ return;
|
|
|
+
|
|
|
+ SSH_GSS_CLEAR_BUF(&gss_sndtok);
|
|
|
+ SSH_GSS_CLEAR_BUF(&gss_rcvtok);
|
|
|
+
|
|
|
+ /*
|
|
|
+ * When acquire_cred yields no useful expiration, get a proxy for
|
|
|
+ * the cred expiration from the context expiration.
|
|
|
+ */
|
|
|
+ gss_stat = s->shgss->lib->init_sec_context(
|
|
|
+ s->shgss->lib, &gss_ctx, s->shgss->srv_name,
|
|
|
+ 0 /* don't delegate */, &gss_rcvtok, &gss_sndtok,
|
|
|
+ (gss_cred_expiry == GSS_NO_EXPIRATION ? &gss_cred_expiry : NULL),
|
|
|
+ &s->gss_ctxt_lifetime);
|
|
|
+
|
|
|
+ /* This context was for testing only. */
|
|
|
+ if (gss_ctx)
|
|
|
+ s->shgss->lib->release_cred(s->shgss->lib, &gss_ctx);
|
|
|
+
|
|
|
+ if (gss_stat != SSH_GSS_OK &&
|
|
|
+ gss_stat != SSH_GSS_S_CONTINUE_NEEDED) {
|
|
|
+ /*
|
|
|
+ * No point in verbosely interrupting the user to tell them we
|
|
|
+ * couldn't get GSS credentials, if this was only a check
|
|
|
+ * between key exchanges to see if fresh ones were available.
|
|
|
+ * When we do do a rekey, this message (if displayed) will
|
|
|
+ * appear among the standard rekey blurb, but when we're not,
|
|
|
+ * it shouldn't pop up all the time regardless.
|
|
|
+ */
|
|
|
+ if (definitely_rekeying)
|
|
|
+ ppl_logevent(("No GSSAPI security context available"));
|
|
|
+
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (gss_sndtok.length)
|
|
|
+ s->shgss->lib->free_tok(s->shgss->lib, &gss_sndtok);
|
|
|
+
|
|
|
+ s->gss_status |= GSS_KEX_CAPABLE;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * When rekeying to cascade, avoding doing this too close to the
|
|
|
+ * context expiration time, since the key exchange might fail.
|
|
|
+ */
|
|
|
+ if (s->gss_ctxt_lifetime < MIN_CTXT_LIFETIME)
|
|
|
+ s->gss_status |= GSS_CTXT_MAYFAIL;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * If we're not delegating credentials, rekeying is not used to
|
|
|
+ * refresh them. We must avoid setting GSS_CRED_UPDATED or
|
|
|
+ * GSS_CTXT_EXPIRES when credential delegation is disabled.
|
|
|
+ */
|
|
|
+ if (conf_get_int(s->conf, CONF_gssapifwd) == 0)
|
|
|
+ return;
|
|
|
+
|
|
|
+ if (s->gss_cred_expiry != GSS_NO_EXPIRATION &&
|
|
|
+ difftime(gss_cred_expiry, s->gss_cred_expiry) > 0)
|
|
|
+ s->gss_status |= GSS_CRED_UPDATED;
|
|
|
+
|
|
|
+ mins = sanitise_rekey_time(
|
|
|
+ conf_get_int(s->conf, CONF_gssapirekey), GSS_DEF_REKEY_MINS);
|
|
|
+ if (mins > 0 && s->gss_ctxt_lifetime <= mins * 60)
|
|
|
+ s->gss_status |= GSS_CTXT_EXPIRES;
|
|
|
+}
|
|
|
+
|
|
|
+/*
|
|
|
+ * Data structure managing host keys in sessions based on GSSAPI KEX.
|
|
|
+ *
|
|
|
+ * In a session we started with a GSSAPI key exchange, the concept of
|
|
|
+ * 'host key' has completely different lifetime and security semantics
|
|
|
+ * from the usual ones. Per RFC 4462 section 2.1, we assume that any
|
|
|
+ * host key delivered to us in the course of a GSSAPI key exchange is
|
|
|
+ * _solely_ there to use as a transient fallback within the same
|
|
|
+ * session, if at the time of a subsequent rekey the GSS credentials
|
|
|
+ * are temporarily invalid and so a non-GSS KEX method has to be used.
|
|
|
+ *
|
|
|
+ * In particular, in a GSS-based SSH deployment, host keys may not
|
|
|
+ * even _be_ persistent identities for the server; it would be
|
|
|
+ * legitimate for a server to generate a fresh one routinely if it
|
|
|
+ * wanted to, like SSH-1 server keys.
|
|
|
+ *
|
|
|
+ * So, in this mode, we never touch the persistent host key cache at
|
|
|
+ * all, either to check keys against it _or_ to store keys in it.
|
|
|
+ * Instead, we maintain an in-memory cache of host keys that have been
|
|
|
+ * mentioned in GSS key exchanges within this particular session, and
|
|
|
+ * we permit precisely those host keys in non-GSS rekeys.
|
|
|
+ */
|
|
|
+struct ssh_transient_hostkey_cache_entry {
|
|
|
+ const ssh_keyalg *alg;
|
|
|
+ strbuf *pub_blob;
|
|
|
+};
|
|
|
+
|
|
|
+static int ssh_transient_hostkey_cache_cmp(void *av, void *bv)
|
|
|
+{
|
|
|
+ const struct ssh_transient_hostkey_cache_entry
|
|
|
+ *a = (const struct ssh_transient_hostkey_cache_entry *)av,
|
|
|
+ *b = (const struct ssh_transient_hostkey_cache_entry *)bv;
|
|
|
+ return strcmp(a->alg->ssh_id, b->alg->ssh_id);
|
|
|
+}
|
|
|
+
|
|
|
+static int ssh_transient_hostkey_cache_find(void *av, void *bv)
|
|
|
+{
|
|
|
+ const ssh_keyalg *aalg = (const ssh_keyalg *)av;
|
|
|
+ const struct ssh_transient_hostkey_cache_entry
|
|
|
+ *b = (const struct ssh_transient_hostkey_cache_entry *)bv;
|
|
|
+ return strcmp(aalg->ssh_id, b->alg->ssh_id);
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh_init_transient_hostkey_store(
|
|
|
+ struct ssh2_transport_state *s)
|
|
|
+{
|
|
|
+ s->transient_hostkey_cache =
|
|
|
+ newtree234(ssh_transient_hostkey_cache_cmp);
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh_cleanup_transient_hostkey_store(
|
|
|
+ struct ssh2_transport_state *s)
|
|
|
+{
|
|
|
+ struct ssh_transient_hostkey_cache_entry *ent;
|
|
|
+ while ((ent = delpos234(s->transient_hostkey_cache, 0)) != NULL) {
|
|
|
+ strbuf_free(ent->pub_blob);
|
|
|
+ sfree(ent);
|
|
|
+ }
|
|
|
+ freetree234(s->transient_hostkey_cache);
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh_store_transient_hostkey(
|
|
|
+ struct ssh2_transport_state *s, ssh_key *key)
|
|
|
+{
|
|
|
+ struct ssh_transient_hostkey_cache_entry *ent, *retd;
|
|
|
+
|
|
|
+ if ((ent = find234(s->transient_hostkey_cache, (void *)ssh_key_alg(key),
|
|
|
+ ssh_transient_hostkey_cache_find)) != NULL) {
|
|
|
+ strbuf_free(ent->pub_blob);
|
|
|
+ sfree(ent);
|
|
|
+ }
|
|
|
+
|
|
|
+ ent = snew(struct ssh_transient_hostkey_cache_entry);
|
|
|
+ ent->alg = ssh_key_alg(key);
|
|
|
+ ent->pub_blob = strbuf_new();
|
|
|
+ ssh_key_public_blob(key, BinarySink_UPCAST(ent->pub_blob));
|
|
|
+ retd = add234(s->transient_hostkey_cache, ent);
|
|
|
+ assert(retd == ent);
|
|
|
+}
|
|
|
+
|
|
|
+static int ssh_verify_transient_hostkey(
|
|
|
+ struct ssh2_transport_state *s, ssh_key *key)
|
|
|
+{
|
|
|
+ struct ssh_transient_hostkey_cache_entry *ent;
|
|
|
+ int toret = FALSE;
|
|
|
+
|
|
|
+ if ((ent = find234(s->transient_hostkey_cache, (void *)ssh_key_alg(key),
|
|
|
+ ssh_transient_hostkey_cache_find)) != NULL) {
|
|
|
+ strbuf *this_blob = strbuf_new();
|
|
|
+ ssh_key_public_blob(key, BinarySink_UPCAST(this_blob));
|
|
|
+
|
|
|
+ if (this_blob->len == ent->pub_blob->len &&
|
|
|
+ !memcmp(this_blob->s, ent->pub_blob->s,
|
|
|
+ this_blob->len))
|
|
|
+ toret = TRUE;
|
|
|
+
|
|
|
+ strbuf_free(this_blob);
|
|
|
+ }
|
|
|
+
|
|
|
+ return toret;
|
|
|
+}
|
|
|
+
|
|
|
+static int ssh_have_transient_hostkey(
|
|
|
+ struct ssh2_transport_state *s, const ssh_keyalg *alg)
|
|
|
+{
|
|
|
+ struct ssh_transient_hostkey_cache_entry *ent =
|
|
|
+ find234(s->transient_hostkey_cache, (void *)alg,
|
|
|
+ ssh_transient_hostkey_cache_find);
|
|
|
+ return ent != NULL;
|
|
|
+}
|
|
|
+
|
|
|
+static int ssh_have_any_transient_hostkey(
|
|
|
+ struct ssh2_transport_state *s)
|
|
|
+{
|
|
|
+ return count234(s->transient_hostkey_cache) > 0;
|
|
|
+}
|
|
|
+
|
|
|
+ptrlen ssh2_transport_get_session_id(PacketProtocolLayer *ppl)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s;
|
|
|
+
|
|
|
+ assert(ppl->vt == &ssh2_transport_vtable);
|
|
|
+ s = FROMFIELD(ppl, struct ssh2_transport_state, ppl);
|
|
|
+
|
|
|
+ assert(s->got_session_id);
|
|
|
+ return make_ptrlen(s->session_id, s->session_id_len);
|
|
|
+}
|
|
|
+
|
|
|
+void ssh2_transport_notify_auth_done(PacketProtocolLayer *ppl)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s;
|
|
|
+
|
|
|
+ assert(ppl->vt == &ssh2_transport_vtable);
|
|
|
+ s = FROMFIELD(ppl, struct ssh2_transport_state, ppl);
|
|
|
+
|
|
|
+ s->rekey_reason = NULL; /* will be filled in later */
|
|
|
+ s->rekey_class = RK_POST_USERAUTH;
|
|
|
+ queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
+}
|
|
|
+
|
|
|
+#endif /* NO_GSSAPI */
|
|
|
+
|
|
|
+static int ssh2_transport_get_specials(
|
|
|
+ PacketProtocolLayer *ppl, add_special_fn_t add_special, void *ctx)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s =
|
|
|
+ FROMFIELD(ppl, struct ssh2_transport_state, ppl);
|
|
|
+ int need_separator = FALSE;
|
|
|
+ int toret;
|
|
|
+
|
|
|
+ if (ssh_ppl_get_specials(s->higher_layer, add_special, ctx)) {
|
|
|
+ need_separator = TRUE;
|
|
|
+ toret = TRUE;
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Don't bother offering rekey-based specials if we've decided the
|
|
|
+ * remote won't cope with it, since we wouldn't bother sending it
|
|
|
+ * if asked anyway.
|
|
|
+ */
|
|
|
+ if (!(s->ppl.remote_bugs & BUG_SSH2_REKEY)) {
|
|
|
+ if (need_separator) {
|
|
|
+ add_special(ctx, NULL, SS_SEP, 0);
|
|
|
+ need_separator = FALSE;
|
|
|
+ }
|
|
|
+
|
|
|
+ add_special(ctx, "Repeat key exchange", SS_REKEY, 0);
|
|
|
+ toret = TRUE;
|
|
|
+
|
|
|
+ if (s->n_uncert_hostkeys) {
|
|
|
+ int i;
|
|
|
+
|
|
|
+ add_special(ctx, NULL, SS_SEP, 0);
|
|
|
+ add_special(ctx, "Cache new host key type", SS_SUBMENU, 0);
|
|
|
+ for (i = 0; i < s->n_uncert_hostkeys; i++) {
|
|
|
+ const ssh_keyalg *alg =
|
|
|
+ hostkey_algs[s->uncert_hostkeys[i]].alg;
|
|
|
+
|
|
|
+ add_special(ctx, alg->ssh_id, SS_XCERT, s->uncert_hostkeys[i]);
|
|
|
+ }
|
|
|
+ add_special(ctx, NULL, SS_EXITMENU, 0);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ return toret;
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh2_transport_special_cmd(PacketProtocolLayer *ppl,
|
|
|
+ SessionSpecialCode code, int arg)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s =
|
|
|
+ FROMFIELD(ppl, struct ssh2_transport_state, ppl);
|
|
|
+
|
|
|
+ if (code == SS_REKEY) {
|
|
|
+ if (!s->kex_in_progress) {
|
|
|
+ s->rekey_reason = "at user request";
|
|
|
+ s->rekey_class = RK_NORMAL;
|
|
|
+ queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
+ }
|
|
|
+ } else if (code == SS_XCERT) {
|
|
|
+ if (!s->kex_in_progress) {
|
|
|
+ s->hostkey_alg = hostkey_algs[arg].alg;
|
|
|
+ s->cross_certifying = TRUE;
|
|
|
+ s->rekey_reason = "cross-certifying new host key";
|
|
|
+ s->rekey_class = RK_NORMAL;
|
|
|
+ queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ /* Send everything else to the next layer up. This includes
|
|
|
+ * SS_PING/SS_NOP, which we _could_ handle here - but it's
|
|
|
+ * better to put them in the connection layer, so they'll
|
|
|
+ * still work in bare connection mode. */
|
|
|
+ ssh_ppl_special_cmd(s->higher_layer, code, arg);
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+/* Safely convert rekey_time to unsigned long minutes */
|
|
|
+static unsigned long sanitise_rekey_time(int rekey_time, unsigned long def)
|
|
|
+{
|
|
|
+ if (rekey_time < 0 || rekey_time > MAX_TICK_MINS)
|
|
|
+ rekey_time = def;
|
|
|
+ return (unsigned long)rekey_time;
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh2_transport_set_max_data_size(struct ssh2_transport_state *s)
|
|
|
+{
|
|
|
+ s->max_data_size = parse_blocksize(
|
|
|
+ conf_get_str(s->conf, CONF_ssh_rekey_data));
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh2_transport_reconfigure(PacketProtocolLayer *ppl, Conf *conf)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s;
|
|
|
+ const char *rekey_reason = NULL;
|
|
|
+ int rekey_mandatory = FALSE;
|
|
|
+ unsigned long old_max_data_size, rekey_time;
|
|
|
+ int i;
|
|
|
+
|
|
|
+ assert(ppl->vt == &ssh2_transport_vtable);
|
|
|
+ s = FROMFIELD(ppl, struct ssh2_transport_state, ppl);
|
|
|
+
|
|
|
+ rekey_time = sanitise_rekey_time(
|
|
|
+ conf_get_int(conf, CONF_ssh_rekey_time), 60);
|
|
|
+ if (ssh2_transport_timer_update(s, rekey_time))
|
|
|
+ rekey_reason = "timeout shortened";
|
|
|
+
|
|
|
+ old_max_data_size = s->max_data_size;
|
|
|
+ ssh2_transport_set_max_data_size(s);
|
|
|
+ if (old_max_data_size != s->max_data_size &&
|
|
|
+ s->max_data_size != 0) {
|
|
|
+ if (s->max_data_size < old_max_data_size) {
|
|
|
+ unsigned long diff = old_max_data_size - s->max_data_size;
|
|
|
+
|
|
|
+ /* Intentionally use bitwise OR instead of logical, so
|
|
|
+ * that we decrement both counters even if the first one
|
|
|
+ * runs out */
|
|
|
+ if ((DTS_CONSUME(s->stats, out, diff) != 0) |
|
|
|
+ (DTS_CONSUME(s->stats, in, diff) != 0))
|
|
|
+ rekey_reason = "data limit lowered";
|
|
|
+ } else {
|
|
|
+ unsigned long diff = s->max_data_size - old_max_data_size;
|
|
|
+ if (s->stats->out.running)
|
|
|
+ s->stats->out.remaining += diff;
|
|
|
+ if (s->stats->in.running)
|
|
|
+ s->stats->in.remaining += diff;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (conf_get_int(s->conf, CONF_compression) !=
|
|
|
+ conf_get_int(conf, CONF_compression)) {
|
|
|
+ rekey_reason = "compression setting changed";
|
|
|
+ rekey_mandatory = TRUE;
|
|
|
+ }
|
|
|
+
|
|
|
+ for (i = 0; i < CIPHER_MAX; i++)
|
|
|
+ if (conf_get_int_int(s->conf, CONF_ssh_cipherlist, i) !=
|
|
|
+ conf_get_int_int(conf, CONF_ssh_cipherlist, i)) {
|
|
|
+ rekey_reason = "cipher settings changed";
|
|
|
+ rekey_mandatory = TRUE;
|
|
|
+ }
|
|
|
+ if (conf_get_int(s->conf, CONF_ssh2_des_cbc) !=
|
|
|
+ conf_get_int(conf, CONF_ssh2_des_cbc)) {
|
|
|
+ rekey_reason = "cipher settings changed";
|
|
|
+ rekey_mandatory = TRUE;
|
|
|
+ }
|
|
|
+
|
|
|
+ conf_free(s->conf);
|
|
|
+ s->conf = conf_copy(conf);
|
|
|
+
|
|
|
+ if (rekey_reason) {
|
|
|
+ if (!s->kex_in_progress) {
|
|
|
+ s->rekey_reason = rekey_reason;
|
|
|
+ s->rekey_class = RK_NORMAL;
|
|
|
+ queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
+ } else if (rekey_mandatory) {
|
|
|
+ s->deferred_rekey_reason = rekey_reason;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ /* Also pass the configuration along to our higher layer */
|
|
|
+ ssh_ppl_reconfigure(s->higher_layer, conf);
|
|
|
+}
|
|
|
+
|
|
|
+static int ssh2_transport_want_user_input(PacketProtocolLayer *ppl)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s =
|
|
|
+ FROMFIELD(ppl, struct ssh2_transport_state, ppl);
|
|
|
+
|
|
|
+ /* Just delegate this to the higher layer */
|
|
|
+ return ssh_ppl_want_user_input(s->higher_layer);
|
|
|
+}
|
|
|
+
|
|
|
+static void ssh2_transport_got_user_input(PacketProtocolLayer *ppl)
|
|
|
+{
|
|
|
+ struct ssh2_transport_state *s =
|
|
|
+ FROMFIELD(ppl, struct ssh2_transport_state, ppl);
|
|
|
+
|
|
|
+ /* Just delegate this to the higher layer */
|
|
|
+ ssh_ppl_got_user_input(s->higher_layer);
|
|
|
+}
|
Martin Prikryl