2003-01-05 23:28:02 +00:00
|
|
|
#include <stdio.h>
|
1999-01-08 13:10:19 +00:00
|
|
|
#include <string.h>
|
|
|
|
|
2000-12-12 10:33:13 +00:00
|
|
|
#include "puttymem.h"
|
2008-11-17 18:38:09 +00:00
|
|
|
#include "tree234.h"
|
2001-08-08 20:44:35 +00:00
|
|
|
#include "network.h"
|
2001-09-22 20:52:21 +00:00
|
|
|
#include "int64.h"
|
2003-02-01 12:54:40 +00:00
|
|
|
#include "misc.h"
|
2000-12-12 10:33:13 +00:00
|
|
|
|
2001-09-15 14:58:26 +00:00
|
|
|
struct ssh_channel;
|
|
|
|
|
2018-06-09 08:07:18 +00:00
|
|
|
/*
|
|
|
|
* Buffer management constants. There are several of these for
|
|
|
|
* various different purposes:
|
|
|
|
*
|
|
|
|
* - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
|
|
|
|
* on a local data stream before we throttle the whole SSH
|
|
|
|
* connection (in SSH-1 only). Throttling the whole connection is
|
|
|
|
* pretty drastic so we set this high in the hope it won't
|
|
|
|
* happen very often.
|
|
|
|
*
|
|
|
|
* - SSH_MAX_BACKLOG is the amount of backlog that must build up
|
|
|
|
* on the SSH connection itself before we defensively throttle
|
|
|
|
* _all_ local data streams. This is pretty drastic too (though
|
|
|
|
* thankfully unlikely in SSH-2 since the window mechanism should
|
|
|
|
* ensure that the server never has any need to throttle its end
|
|
|
|
* of the connection), so we set this high as well.
|
|
|
|
*
|
|
|
|
* - OUR_V2_WINSIZE is the default window size we present on SSH-2
|
|
|
|
* channels.
|
|
|
|
*
|
|
|
|
* - OUR_V2_BIGWIN is the window size we advertise for the only
|
|
|
|
* channel in a simple connection. It must be <= INT_MAX.
|
|
|
|
*
|
|
|
|
* - OUR_V2_MAXPKT is the official "maximum packet size" we send
|
|
|
|
* to the remote side. This actually has nothing to do with the
|
|
|
|
* size of the _packet_, but is instead a limit on the amount
|
|
|
|
* of data we're willing to receive in a single SSH2 channel
|
|
|
|
* data message.
|
|
|
|
*
|
|
|
|
* - OUR_V2_PACKETLIMIT is actually the maximum size of SSH
|
|
|
|
* _packet_ we're prepared to cope with. It must be a multiple
|
|
|
|
* of the cipher block size, and must be at least 35000.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define SSH1_BUFFER_LIMIT 32768
|
|
|
|
#define SSH_MAX_BACKLOG 32768
|
|
|
|
#define OUR_V2_WINSIZE 16384
|
|
|
|
#define OUR_V2_BIGWIN 0x7fffffff
|
|
|
|
#define OUR_V2_MAXPKT 0x4000UL
|
|
|
|
#define OUR_V2_PACKETLIMIT 0x9000UL
|
|
|
|
|
|
|
|
typedef struct PacketQueueNode PacketQueueNode;
|
|
|
|
struct PacketQueueNode {
|
|
|
|
PacketQueueNode *next, *prev;
|
|
|
|
};
|
|
|
|
|
|
|
|
typedef struct PktIn {
|
|
|
|
int refcount;
|
|
|
|
int type;
|
|
|
|
unsigned long sequence; /* SSH-2 incoming sequence number */
|
|
|
|
long encrypted_len; /* for SSH-2 total-size counting */
|
|
|
|
PacketQueueNode qnode; /* for linking this packet on to a queue */
|
|
|
|
BinarySource_IMPLEMENTATION;
|
|
|
|
} PktIn;
|
|
|
|
|
|
|
|
typedef struct PktOut {
|
|
|
|
long prefix; /* bytes up to and including type field */
|
|
|
|
long length; /* total bytes, including prefix */
|
|
|
|
int type;
|
Move password-packet padding into the BPP module.
Now when we construct a packet containing sensitive data, we just set
a field saying '... and make it take up at least this much space, to
disguise its true size', and nothing in the rest of the system worries
about that flag until ssh2bpp.c acts on it.
Also, I've changed the strategy for doing the padding. Previously, we
were following the real packet with an SSH_MSG_IGNORE to make up the
size. But that was only a partial defence: it works OK against passive
traffic analysis, but an attacker proxying the TCP stream and
dribbling it out one byte at a time could still have found out the
size of the real packet by noting when the dribbled data provoked a
response. Now I put the SSH_MSG_IGNORE _first_, which should defeat
that attack.
But that in turn doesn't work when we're doing compression, because we
can't predict the compressed sizes accurately enough to make that
strategy sensible. Fortunately, compression provides an alternative
strategy anyway: if we've got zlib turned on when we send one of these
sensitive packets, then we can pad out the compressed zlib data as
much as we like by adding empty RFC1951 blocks (effectively chaining
ZLIB_PARTIAL_FLUSHes). So both strategies should now be dribble-proof.
2018-07-09 19:30:11 +00:00
|
|
|
long minlen; /* SSH-2: ensure wire length is at least this */
|
2018-06-09 08:07:18 +00:00
|
|
|
unsigned char *data; /* allocated storage */
|
|
|
|
long maxlen; /* amount of storage allocated for `data' */
|
|
|
|
long encrypted_len; /* for SSH-2 total-size counting */
|
|
|
|
|
|
|
|
/* Extra metadata used in SSH packet logging mode, allowing us to
|
|
|
|
* log in the packet header line that the packet came from a
|
|
|
|
* connection-sharing downstream and what if anything unusual was
|
|
|
|
* done to it. The additional_log_text field is expected to be a
|
|
|
|
* static string - it will not be freed. */
|
|
|
|
unsigned downstream_id;
|
|
|
|
const char *additional_log_text;
|
|
|
|
|
|
|
|
BinarySink_IMPLEMENTATION;
|
|
|
|
} PktOut;
|
|
|
|
|
|
|
|
typedef struct PacketQueue {
|
|
|
|
PacketQueueNode end;
|
|
|
|
} PacketQueue;
|
|
|
|
|
|
|
|
void pq_init(struct PacketQueue *pq);
|
|
|
|
void pq_push(struct PacketQueue *pq, PktIn *pkt);
|
|
|
|
void pq_push_front(struct PacketQueue *pq, PktIn *pkt);
|
|
|
|
PktIn *pq_peek(struct PacketQueue *pq);
|
|
|
|
PktIn *pq_pop(struct PacketQueue *pq);
|
|
|
|
void pq_clear(struct PacketQueue *pq);
|
|
|
|
int pq_empty_on_to_front_of(struct PacketQueue *src, struct PacketQueue *dest);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Packet type contexts, so that ssh2_pkt_type can correctly decode
|
|
|
|
* the ambiguous type numbers back into the correct type strings.
|
|
|
|
*/
|
|
|
|
typedef enum {
|
|
|
|
SSH2_PKTCTX_NOKEX,
|
|
|
|
SSH2_PKTCTX_DHGROUP,
|
|
|
|
SSH2_PKTCTX_DHGEX,
|
|
|
|
SSH2_PKTCTX_ECDHKEX,
|
|
|
|
SSH2_PKTCTX_GSSKEX,
|
|
|
|
SSH2_PKTCTX_RSAKEX
|
|
|
|
} Pkt_KCtx;
|
|
|
|
typedef enum {
|
|
|
|
SSH2_PKTCTX_NOAUTH,
|
|
|
|
SSH2_PKTCTX_PUBLICKEY,
|
|
|
|
SSH2_PKTCTX_PASSWORD,
|
|
|
|
SSH2_PKTCTX_GSSAPI,
|
|
|
|
SSH2_PKTCTX_KBDINTER
|
|
|
|
} Pkt_ACtx;
|
|
|
|
|
Move binary packet protocols and censoring out of ssh.c.
sshbpp.h now defines a classoid that encapsulates both directions of
an SSH binary packet protocol - that is, a system for reading a
bufchain of incoming data and turning it into a stream of PktIn, and
another system for taking a PktOut and turning it into data on an
outgoing bufchain.
The state structure in each of those files contains everything that
used to be in the 'rdpkt2_state' structure and its friends, and also
quite a lot of bits and pieces like cipher and MAC states that used to
live in the main Ssh structure.
One minor effect of this layer separation is that I've had to extend
the packet dispatch table by one, because the BPP layer can no longer
directly trigger sending of SSH_MSG_UNIMPLEMENTED for a message too
short to have a type byte. Instead, I extend the PktIn type field to
use an out-of-range value to encode that, and the easiest way to make
that trigger an UNIMPLEMENTED message is to have the dispatch table
contain an entry for it.
(That's a system that may come in useful again - I was also wondering
about inventing a fake type code to indicate network EOF, so that that
could be propagated through the layers and be handled by whichever one
currently knew best how to respond.)
I've also moved the packet-censoring code into its own pair of files,
partly because I was going to want to do that anyway sooner or later,
and mostly because it's called from the BPP code, and the SSH-2
version in particular has to be called from both the main SSH-2 BPP
and the bare unencrypted protocol used for connection sharing. While I
was at it, I took the opportunity to merge the outgoing and incoming
censor functions, so that the parts that were common between them
(e.g. CHANNEL_DATA messages look the same in both directions) didn't
need to be repeated.
2018-06-09 08:09:10 +00:00
|
|
|
typedef struct PacketLogSettings {
|
|
|
|
int omit_passwords, omit_data;
|
|
|
|
Pkt_KCtx kctx;
|
|
|
|
Pkt_ACtx actx;
|
|
|
|
} PacketLogSettings;
|
|
|
|
|
|
|
|
#define MAX_BLANKS 4 /* no packet needs more censored sections than this */
|
|
|
|
int ssh1_censor_packet(
|
|
|
|
const PacketLogSettings *pls, int type, int sender_is_client,
|
|
|
|
ptrlen pkt, logblank_t *blanks);
|
|
|
|
int ssh2_censor_packet(
|
|
|
|
const PacketLogSettings *pls, int type, int sender_is_client,
|
|
|
|
ptrlen pkt, logblank_t *blanks);
|
|
|
|
|
|
|
|
PktOut *ssh_new_packet(void);
|
2018-06-09 08:07:18 +00:00
|
|
|
void ssh_unref_packet(PktIn *pkt);
|
|
|
|
void ssh_free_pktout(PktOut *pkt);
|
|
|
|
|
2018-05-27 08:29:33 +00:00
|
|
|
extern Socket ssh_connection_sharing_init(
|
2018-09-17 11:14:00 +00:00
|
|
|
const char *host, int port, Conf *conf, ConnectionLayer *cl,
|
|
|
|
Plug sshplug, ssh_sharing_state **state);
|
2015-09-25 10:46:28 +00:00
|
|
|
int ssh_share_test_for_upstream(const char *host, int port, Conf *conf);
|
2018-09-13 08:09:10 +00:00
|
|
|
void share_got_pkt_from_server(ssh_sharing_connstate *ctx, int type,
|
2018-06-06 06:19:57 +00:00
|
|
|
const void *pkt, int pktlen);
|
2018-09-13 08:09:10 +00:00
|
|
|
void share_activate(ssh_sharing_state *sharestate,
|
|
|
|
const char *server_verstring);
|
|
|
|
void sharestate_free(ssh_sharing_state *state);
|
|
|
|
int share_ndownstreams(ssh_sharing_state *state);
|
2013-11-17 14:05:41 +00:00
|
|
|
|
|
|
|
void ssh_connshare_log(Ssh ssh, int event, const char *logtext,
|
|
|
|
const char *ds_err, const char *us_err);
|
2018-09-13 08:09:10 +00:00
|
|
|
void share_setup_x11_channel(ssh_sharing_connstate *cs, share_channel *chan,
|
2013-11-17 14:05:41 +00:00
|
|
|
unsigned upstream_id, unsigned server_id,
|
|
|
|
unsigned server_currwin, unsigned server_maxpkt,
|
|
|
|
unsigned client_adjusted_window,
|
|
|
|
const char *peer_addr, int peer_port, int endian,
|
|
|
|
int protomajor, int protominor,
|
|
|
|
const void *initial_data, int initial_len);
|
2001-08-25 17:09:23 +00:00
|
|
|
|
2018-09-14 16:04:39 +00:00
|
|
|
struct ssh_rportfwd;
|
2018-09-17 11:14:00 +00:00
|
|
|
|
|
|
|
struct ConnectionLayerVtable {
|
|
|
|
/* Allocate and free remote-to-local port forwardings, called by
|
|
|
|
* PortFwdManager or by connection sharing */
|
|
|
|
struct ssh_rportfwd *(*rportfwd_alloc)(
|
|
|
|
ConnectionLayer *cl,
|
|
|
|
const char *shost, int sport, const char *dhost, int dport,
|
|
|
|
int addressfamily, const char *log_description, PortFwdRecord *pfr,
|
|
|
|
ssh_sharing_connstate *share_ctx);
|
|
|
|
void (*rportfwd_remove)(ConnectionLayer *cl, struct ssh_rportfwd *rpf);
|
|
|
|
|
|
|
|
/* Open a local-to-remote port forwarding channel, called by
|
|
|
|
* PortFwdManager */
|
|
|
|
SshChannel *(*lportfwd_open)(
|
|
|
|
ConnectionLayer *cl, const char *hostname, int port,
|
|
|
|
const char *org, Channel *chan);
|
|
|
|
|
|
|
|
/* Add and remove X11 displays for connection sharing downstreams */
|
|
|
|
struct X11FakeAuth *(*add_sharing_x11_display)(
|
|
|
|
ConnectionLayer *cl, int authtype, ssh_sharing_connstate *share_cs,
|
|
|
|
share_channel *share_chan);
|
|
|
|
void (*remove_sharing_x11_display)(
|
|
|
|
ConnectionLayer *cl, struct X11FakeAuth *auth);
|
|
|
|
|
|
|
|
/* Pass through an outgoing SSH packet from a downstream */
|
|
|
|
void (*send_packet_from_downstream)(
|
|
|
|
ConnectionLayer *cl, unsigned id, int type,
|
|
|
|
const void *pkt, int pktlen, const char *additional_log_text);
|
|
|
|
|
|
|
|
/* Allocate/free an upstream channel number associated with a
|
|
|
|
* sharing downstream */
|
|
|
|
unsigned (*alloc_sharing_channel)(ConnectionLayer *cl,
|
|
|
|
ssh_sharing_connstate *connstate);
|
|
|
|
void (*delete_sharing_channel)(ConnectionLayer *cl, unsigned localid);
|
|
|
|
|
|
|
|
/* Indicate that a downstream has sent a global request with the
|
|
|
|
* want-reply flag, so that when a reply arrives it will be passed
|
|
|
|
* back to that downstrean */
|
|
|
|
void (*sharing_queue_global_request)(
|
|
|
|
ConnectionLayer *cl, ssh_sharing_connstate *connstate);
|
|
|
|
|
|
|
|
/* Query whether the connection layer is doing agent forwarding */
|
|
|
|
int (*agent_forwarding_permitted)(ConnectionLayer *cl);
|
|
|
|
};
|
|
|
|
|
|
|
|
struct ConnectionLayer {
|
|
|
|
Frontend *frontend;
|
|
|
|
const struct ConnectionLayerVtable *vt;
|
|
|
|
};
|
|
|
|
|
|
|
|
#define ssh_rportfwd_alloc(cl, sh, sp, dh, dp, af, ld, pfr, share) \
|
|
|
|
((cl)->vt->rportfwd_alloc(cl, sh, sp, dh, dp, af, ld, pfr, share))
|
|
|
|
#define ssh_rportfwd_remove(cl, rpf) ((cl)->vt->rportfwd_remove(cl, rpf))
|
|
|
|
#define ssh_lportfwd_open(cl, h, p, org, chan) \
|
|
|
|
((cl)->vt->lportfwd_open(cl, h, p, org, chan))
|
|
|
|
#define ssh_add_sharing_x11_display(cl, auth, cs, ch) \
|
|
|
|
((cl)->vt->add_sharing_x11_display(cl, auth, cs, ch))
|
|
|
|
#define ssh_remove_sharing_x11_display(cl, fa) \
|
|
|
|
((cl)->vt->remove_sharing_x11_display(cl, fa))
|
|
|
|
#define ssh_send_packet_from_downstream(cl, id, type, pkt, len, log) \
|
|
|
|
((cl)->vt->send_packet_from_downstream(cl, id, type, pkt, len, log))
|
|
|
|
#define ssh_alloc_sharing_channel(cl, cs) \
|
|
|
|
((cl)->vt->alloc_sharing_channel(cl, cs))
|
|
|
|
#define ssh_delete_sharing_channel(cl, ch) \
|
|
|
|
((cl)->vt->delete_sharing_channel(cl, ch))
|
|
|
|
#define ssh_sharing_queue_global_request(cl, cs) \
|
|
|
|
((cl)->vt->sharing_queue_global_request(cl, cs))
|
|
|
|
#define ssh_agent_forwarding_permitted(cl) \
|
|
|
|
((cl)->vt->agent_forwarding_permitted(cl))
|
2018-09-14 16:04:39 +00:00
|
|
|
|
|
|
|
/* Exports from portfwd.c */
|
2018-09-17 11:14:00 +00:00
|
|
|
PortFwdManager *portfwdmgr_new(ConnectionLayer *cl);
|
2018-09-14 16:04:39 +00:00
|
|
|
void portfwdmgr_free(PortFwdManager *mgr);
|
|
|
|
void portfwdmgr_config(PortFwdManager *mgr, Conf *conf);
|
|
|
|
void portfwdmgr_close(PortFwdManager *mgr, PortFwdRecord *pfr);
|
|
|
|
void portfwdmgr_close_all(PortFwdManager *mgr);
|
|
|
|
char *portfwdmgr_connect(PortFwdManager *mgr, Channel **chan_ret,
|
|
|
|
char *hostname, int port, SshChannel *c,
|
|
|
|
int addressfamily);
|
|
|
|
|
Replace enum+union of local channel types with a vtable.
There's now an interface called 'Channel', which handles the local
side of an SSH connection-layer channel, in terms of knowing where to
send incoming channel data to, whether to close the channel, etc.
Channel and the previous 'struct ssh_channel' mutually refer. The
latter contains all the SSH-specific parts, and as much of the common
logic as possible: in particular, Channel doesn't have to know
anything about SSH packet formats, or which SSH protocol version is in
use, or deal with all the fiddly stuff about window sizes - with the
exception that x11fwd.c's implementation of it does have to be able to
ask for a small fixed initial window size for the bodgy system that
distinguishes upstream from downstream X forwardings.
I've taken the opportunity to move the code implementing the detailed
behaviour of agent forwarding out of ssh.c, now that all of it is on
the far side of a uniform interface. (This also means that if I later
implement agent forwarding directly to a Unix socket as an
alternative, it'll be a matter of changing just the one call to
agentf_new() that makes the Channel to plug into a forwarding.)
2018-09-12 14:03:47 +00:00
|
|
|
Frontend *ssh_get_frontend(Ssh ssh);
|
|
|
|
|
1999-07-06 19:42:57 +00:00
|
|
|
#define SSH_CIPHER_IDEA 1
|
1999-10-25 08:59:40 +00:00
|
|
|
#define SSH_CIPHER_DES 2
|
1999-07-06 19:42:57 +00:00
|
|
|
#define SSH_CIPHER_3DES 3
|
|
|
|
#define SSH_CIPHER_BLOWFISH 6
|
|
|
|
|
2001-03-01 17:41:26 +00:00
|
|
|
#ifndef BIGNUM_INTERNAL
|
|
|
|
typedef void *Bignum;
|
|
|
|
#endif
|
2000-09-07 16:33:49 +00:00
|
|
|
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
typedef struct ssh_keyalg ssh_keyalg;
|
2018-06-03 11:58:05 +00:00
|
|
|
typedef const struct ssh_keyalg *ssh_key;
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
|
1999-01-08 13:02:13 +00:00
|
|
|
struct RSAKey {
|
|
|
|
int bits;
|
|
|
|
int bytes;
|
2000-09-07 16:33:49 +00:00
|
|
|
Bignum modulus;
|
|
|
|
Bignum exponent;
|
|
|
|
Bignum private_exponent;
|
2000-10-18 15:00:36 +00:00
|
|
|
Bignum p;
|
|
|
|
Bignum q;
|
|
|
|
Bignum iqmp;
|
2001-03-03 11:54:34 +00:00
|
|
|
char *comment;
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
ssh_key sshk;
|
2000-10-18 15:00:36 +00:00
|
|
|
};
|
|
|
|
|
2001-09-22 20:52:21 +00:00
|
|
|
struct dss_key {
|
|
|
|
Bignum p, q, g, y, x;
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
ssh_key sshk;
|
2001-09-22 20:52:21 +00:00
|
|
|
};
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
struct ec_curve;
|
|
|
|
|
|
|
|
struct ec_point {
|
|
|
|
const struct ec_curve *curve;
|
|
|
|
Bignum x, y;
|
2014-11-03 18:41:56 +00:00
|
|
|
Bignum z; /* Jacobian denominator */
|
2014-11-01 09:45:20 +00:00
|
|
|
unsigned char infinity;
|
|
|
|
};
|
|
|
|
|
|
|
|
void ec_point_free(struct ec_point *point);
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
/* Weierstrass form curve */
|
|
|
|
struct ec_wcurve
|
|
|
|
{
|
|
|
|
Bignum a, b, n;
|
|
|
|
struct ec_point G;
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Montgomery form curve */
|
|
|
|
struct ec_mcurve
|
|
|
|
{
|
|
|
|
Bignum a, b;
|
|
|
|
struct ec_point G;
|
|
|
|
};
|
|
|
|
|
2015-05-09 14:02:54 +00:00
|
|
|
/* Edwards form curve */
|
|
|
|
struct ec_ecurve
|
|
|
|
{
|
|
|
|
Bignum l, d;
|
|
|
|
struct ec_point B;
|
|
|
|
};
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
struct ec_curve {
|
2015-05-09 14:02:54 +00:00
|
|
|
enum { EC_WEIERSTRASS, EC_MONTGOMERY, EC_EDWARDS } type;
|
2015-05-19 07:42:23 +00:00
|
|
|
/* 'name' is the identifier of the curve when it has to appear in
|
|
|
|
* wire protocol encodings, as it does in e.g. the public key and
|
|
|
|
* signature formats for NIST curves. Curves which do not format
|
|
|
|
* their keys or signatures in this way just have name==NULL.
|
|
|
|
*
|
|
|
|
* 'textname' is non-NULL for all curves, and is a human-readable
|
|
|
|
* identification suitable for putting in log messages. */
|
|
|
|
const char *name, *textname;
|
2014-11-01 09:45:20 +00:00
|
|
|
unsigned int fieldBits;
|
2015-05-09 14:02:52 +00:00
|
|
|
Bignum p;
|
|
|
|
union {
|
|
|
|
struct ec_wcurve w;
|
|
|
|
struct ec_mcurve m;
|
2015-05-09 14:02:54 +00:00
|
|
|
struct ec_ecurve e;
|
2015-05-09 14:02:52 +00:00
|
|
|
};
|
2014-11-01 09:45:20 +00:00
|
|
|
};
|
|
|
|
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
const ssh_keyalg *ec_alg_by_oid(int len, const void *oid,
|
2015-05-15 09:13:05 +00:00
|
|
|
const struct ec_curve **curve);
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
const unsigned char *ec_alg_oid(const ssh_keyalg *alg, int *oidlen);
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
extern const int ec_nist_curve_lengths[], n_ec_nist_curve_lengths;
|
2017-02-05 12:08:13 +00:00
|
|
|
int ec_nist_alg_and_curve_by_bits(int bits,
|
|
|
|
const struct ec_curve **curve,
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
const ssh_keyalg **alg);
|
2017-02-05 12:08:13 +00:00
|
|
|
int ec_ed_alg_and_curve_by_bits(int bits,
|
|
|
|
const struct ec_curve **curve,
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
const ssh_keyalg **alg);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
struct ec_key {
|
|
|
|
struct ec_point publicKey;
|
|
|
|
Bignum privateKey;
|
2018-06-03 11:58:05 +00:00
|
|
|
ssh_key sshk;
|
2014-11-01 09:45:20 +00:00
|
|
|
};
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
struct ec_point *ec_public(const Bignum privateKey, const struct ec_curve *curve);
|
|
|
|
|
2018-05-24 07:22:44 +00:00
|
|
|
/*
|
|
|
|
* SSH-1 never quite decided which order to store the two components
|
|
|
|
* of an RSA key. During connection setup, the server sends its host
|
|
|
|
* and server keys with the exponent first; private key files store
|
|
|
|
* the modulus first. The agent protocol is even more confusing,
|
|
|
|
* because the client specifies a key to the server in one order and
|
|
|
|
* the server lists the keys it knows about in the other order!
|
|
|
|
*/
|
|
|
|
typedef enum { RSA_SSH1_EXPONENT_FIRST, RSA_SSH1_MODULUS_FIRST } RsaSsh1Order;
|
|
|
|
|
2018-05-27 20:51:36 +00:00
|
|
|
void BinarySource_get_rsa_ssh1_pub(
|
2018-06-03 07:23:07 +00:00
|
|
|
BinarySource *src, struct RSAKey *result, RsaSsh1Order order);
|
2018-05-27 20:51:36 +00:00
|
|
|
void BinarySource_get_rsa_ssh1_priv(
|
|
|
|
BinarySource *src, struct RSAKey *rsa);
|
2018-05-24 07:22:44 +00:00
|
|
|
int rsa_ssh1_encrypt(unsigned char *data, int length, struct RSAKey *key);
|
|
|
|
Bignum rsa_ssh1_decrypt(Bignum input, struct RSAKey *key);
|
2000-09-07 16:33:49 +00:00
|
|
|
void rsasanitise(struct RSAKey *key);
|
1999-01-08 13:02:13 +00:00
|
|
|
int rsastr_len(struct RSAKey *key);
|
|
|
|
void rsastr_fmt(char *str, struct RSAKey *key);
|
2018-06-03 07:08:53 +00:00
|
|
|
char *rsa_ssh1_fingerprint(struct RSAKey *key);
|
2001-03-23 09:20:43 +00:00
|
|
|
int rsa_verify(struct RSAKey *key);
|
2018-05-24 09:59:39 +00:00
|
|
|
void rsa_ssh1_public_blob(BinarySink *bs, struct RSAKey *key,
|
|
|
|
RsaSsh1Order order);
|
2018-06-03 07:12:57 +00:00
|
|
|
int rsa_ssh1_public_blob_len(void *data, int maxlen);
|
2000-09-14 15:02:50 +00:00
|
|
|
void freersakey(struct RSAKey *key);
|
1999-01-08 13:02:13 +00:00
|
|
|
|
2010-05-19 18:22:17 +00:00
|
|
|
typedef uint32 word32;
|
1999-01-08 13:02:13 +00:00
|
|
|
|
2003-05-13 18:23:43 +00:00
|
|
|
unsigned long crc32_compute(const void *s, size_t len);
|
2002-01-08 11:57:32 +00:00
|
|
|
unsigned long crc32_update(unsigned long crc_input, const void *s, size_t len);
|
|
|
|
|
|
|
|
/* SSH CRC compensation attack detector */
|
2018-09-13 12:00:56 +00:00
|
|
|
struct crcda_ctx;
|
|
|
|
struct crcda_ctx *crcda_make_context(void);
|
|
|
|
void crcda_free_context(struct crcda_ctx *ctx);
|
|
|
|
int detect_attack(struct crcda_ctx *ctx, unsigned char *buf, uint32 len,
|
2002-10-25 12:58:21 +00:00
|
|
|
unsigned char *IV);
|
1999-01-08 13:02:13 +00:00
|
|
|
|
2007-04-30 22:09:26 +00:00
|
|
|
/*
|
|
|
|
* SSH2 RSA key exchange functions
|
|
|
|
*/
|
2018-09-13 15:41:46 +00:00
|
|
|
struct ssh_hashalg;
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
struct RSAKey *ssh_rsakex_newkey(const void *data, int len);
|
|
|
|
void ssh_rsakex_freekey(struct RSAKey *key);
|
|
|
|
int ssh_rsakex_klen(struct RSAKey *key);
|
2018-09-13 15:41:46 +00:00
|
|
|
void ssh_rsakex_encrypt(const struct ssh_hashalg *h,
|
|
|
|
unsigned char *in, int inlen,
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
unsigned char *out, int outlen, struct RSAKey *key);
|
2007-04-30 22:09:26 +00:00
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
/*
|
|
|
|
* SSH2 ECDH key exchange functions
|
|
|
|
*/
|
2015-05-15 09:13:05 +00:00
|
|
|
struct ssh_kex;
|
2015-05-19 07:42:23 +00:00
|
|
|
const char *ssh_ecdhkex_curve_textname(const struct ssh_kex *kex);
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
struct ec_key *ssh_ecdhkex_newkey(const struct ssh_kex *kex);
|
|
|
|
void ssh_ecdhkex_freekey(struct ec_key *key);
|
|
|
|
void ssh_ecdhkex_getpublic(struct ec_key *key, BinarySink *bs);
|
|
|
|
Bignum ssh_ecdhkex_getkey(struct ec_key *key,
|
2018-06-02 06:52:26 +00:00
|
|
|
const void *remoteKey, int remoteKeyLen);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
2014-11-01 19:48:48 +00:00
|
|
|
/*
|
|
|
|
* Helper function for k generation in DSA, reused in ECDSA
|
|
|
|
*/
|
|
|
|
Bignum *dss_gen_k(const char *id_string, Bignum modulus, Bignum private_key,
|
|
|
|
unsigned char *digest, int digest_len);
|
|
|
|
|
2018-09-13 13:43:04 +00:00
|
|
|
struct ssh2_cipheralg;
|
|
|
|
typedef const struct ssh2_cipheralg *ssh2_cipher;
|
|
|
|
|
2000-04-04 14:47:22 +00:00
|
|
|
typedef struct {
|
|
|
|
uint32 h[4];
|
|
|
|
} MD5_Core_State;
|
|
|
|
|
1999-01-08 13:02:13 +00:00
|
|
|
struct MD5Context {
|
2000-04-04 14:47:22 +00:00
|
|
|
MD5_Core_State core;
|
2000-04-04 14:51:17 +00:00
|
|
|
unsigned char block[64];
|
2000-04-04 14:47:22 +00:00
|
|
|
int blkused;
|
|
|
|
uint32 lenhi, lenlo;
|
2018-05-24 08:17:13 +00:00
|
|
|
BinarySink_IMPLEMENTATION;
|
1999-01-08 13:02:13 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
void MD5Init(struct MD5Context *context);
|
|
|
|
void MD5Final(unsigned char digest[16], struct MD5Context *context);
|
2004-08-30 13:11:17 +00:00
|
|
|
void MD5Simple(void const *p, unsigned len, unsigned char output[16]);
|
|
|
|
|
2018-09-13 15:15:17 +00:00
|
|
|
struct hmacmd5_context;
|
|
|
|
struct hmacmd5_context *hmacmd5_make_context(void);
|
|
|
|
void hmacmd5_free_context(struct hmacmd5_context *ctx);
|
|
|
|
void hmacmd5_key(struct hmacmd5_context *ctx, void const *key, int len);
|
|
|
|
void hmacmd5_do_hmac(struct hmacmd5_context *ctx,
|
2018-09-13 15:43:30 +00:00
|
|
|
const void *blk, int len, unsigned char *hmac);
|
1999-01-08 13:02:13 +00:00
|
|
|
|
2018-02-18 21:06:14 +00:00
|
|
|
int supports_sha_ni(void);
|
|
|
|
|
2018-02-11 10:40:24 +00:00
|
|
|
typedef struct SHA_State {
|
2000-09-05 14:28:17 +00:00
|
|
|
uint32 h[5];
|
|
|
|
unsigned char block[64];
|
|
|
|
int blkused;
|
|
|
|
uint32 lenhi, lenlo;
|
2018-02-11 10:40:24 +00:00
|
|
|
void (*sha1)(struct SHA_State * s, const unsigned char *p, int len);
|
2018-05-24 08:17:13 +00:00
|
|
|
BinarySink_IMPLEMENTATION;
|
2000-09-05 14:28:17 +00:00
|
|
|
} SHA_State;
|
2001-05-06 14:35:20 +00:00
|
|
|
void SHA_Init(SHA_State * s);
|
|
|
|
void SHA_Final(SHA_State * s, unsigned char *output);
|
2013-07-27 18:35:48 +00:00
|
|
|
void SHA_Simple(const void *p, int len, unsigned char *output);
|
2000-09-05 14:28:17 +00:00
|
|
|
|
2018-09-13 15:43:30 +00:00
|
|
|
void hmac_sha1_simple(const void *key, int keylen,
|
|
|
|
const void *data, int datalen,
|
2001-09-22 20:52:21 +00:00
|
|
|
unsigned char *output);
|
2018-02-11 10:40:24 +00:00
|
|
|
typedef struct SHA256_State {
|
2005-08-31 21:48:22 +00:00
|
|
|
uint32 h[8];
|
|
|
|
unsigned char block[64];
|
|
|
|
int blkused;
|
|
|
|
uint32 lenhi, lenlo;
|
2018-02-11 10:40:24 +00:00
|
|
|
void (*sha256)(struct SHA256_State * s, const unsigned char *p, int len);
|
2018-05-24 08:17:13 +00:00
|
|
|
BinarySink_IMPLEMENTATION;
|
2005-08-31 21:48:22 +00:00
|
|
|
} SHA256_State;
|
|
|
|
void SHA256_Init(SHA256_State * s);
|
|
|
|
void SHA256_Final(SHA256_State * s, unsigned char *output);
|
|
|
|
void SHA256_Simple(const void *p, int len, unsigned char *output);
|
2001-09-22 20:52:21 +00:00
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
uint64 h[8];
|
|
|
|
unsigned char block[128];
|
|
|
|
int blkused;
|
|
|
|
uint32 len[4];
|
2018-05-24 08:17:13 +00:00
|
|
|
BinarySink_IMPLEMENTATION;
|
2001-09-22 20:52:21 +00:00
|
|
|
} SHA512_State;
|
2014-11-01 08:59:25 +00:00
|
|
|
#define SHA384_State SHA512_State
|
2001-09-22 20:52:21 +00:00
|
|
|
void SHA512_Init(SHA512_State * s);
|
|
|
|
void SHA512_Final(SHA512_State * s, unsigned char *output);
|
|
|
|
void SHA512_Simple(const void *p, int len, unsigned char *output);
|
2014-11-01 08:59:25 +00:00
|
|
|
void SHA384_Init(SHA384_State * s);
|
|
|
|
void SHA384_Final(SHA384_State * s, unsigned char *output);
|
|
|
|
void SHA384_Simple(const void *p, int len, unsigned char *output);
|
2001-09-22 20:52:21 +00:00
|
|
|
|
2018-09-13 12:29:32 +00:00
|
|
|
struct ssh2_macalg;
|
|
|
|
|
|
|
|
struct ssh1_cipheralg;
|
|
|
|
typedef const struct ssh1_cipheralg *ssh1_cipher;
|
|
|
|
|
|
|
|
struct ssh1_cipheralg {
|
|
|
|
ssh1_cipher *(*new)(void);
|
|
|
|
void (*free)(ssh1_cipher *);
|
|
|
|
void (*sesskey)(ssh1_cipher *, const void *key);
|
|
|
|
void (*encrypt)(ssh1_cipher *, void *blk, int len);
|
|
|
|
void (*decrypt)(ssh1_cipher *, void *blk, int len);
|
2001-03-02 13:55:23 +00:00
|
|
|
int blksize;
|
2015-05-15 09:12:06 +00:00
|
|
|
const char *text_name;
|
2001-03-02 13:55:23 +00:00
|
|
|
};
|
|
|
|
|
2018-09-13 12:29:32 +00:00
|
|
|
#define ssh1_cipher_new(alg) ((alg)->new())
|
|
|
|
#define ssh1_cipher_free(ctx) ((*(ctx))->free(ctx))
|
|
|
|
#define ssh1_cipher_sesskey(ctx, key) ((*(ctx))->sesskey(ctx, key))
|
|
|
|
#define ssh1_cipher_encrypt(ctx, blk, len) ((*(ctx))->encrypt(ctx, blk, len))
|
|
|
|
#define ssh1_cipher_decrypt(ctx, blk, len) ((*(ctx))->decrypt(ctx, blk, len))
|
|
|
|
|
2018-09-13 13:43:04 +00:00
|
|
|
struct ssh2_cipheralg {
|
|
|
|
ssh2_cipher *(*new)(const struct ssh2_cipheralg *alg);
|
|
|
|
void (*free)(ssh2_cipher *);
|
|
|
|
void (*setiv)(ssh2_cipher *, const void *iv);
|
|
|
|
void (*setkey)(ssh2_cipher *, const void *key);
|
|
|
|
void (*encrypt)(ssh2_cipher *, void *blk, int len);
|
|
|
|
void (*decrypt)(ssh2_cipher *, void *blk, int len);
|
2015-06-07 11:51:24 +00:00
|
|
|
/* Ignored unless SSH_CIPHER_SEPARATE_LENGTH flag set */
|
2018-09-13 13:43:04 +00:00
|
|
|
void (*encrypt_length)(ssh2_cipher *, void *blk, int len,
|
|
|
|
unsigned long seq);
|
|
|
|
void (*decrypt_length)(ssh2_cipher *, void *blk, int len,
|
|
|
|
unsigned long seq);
|
2015-05-15 10:15:42 +00:00
|
|
|
const char *name;
|
2000-09-05 14:28:17 +00:00
|
|
|
int blksize;
|
2015-09-10 07:10:52 +00:00
|
|
|
/* real_keybits is the number of bits of entropy genuinely used by
|
|
|
|
* the cipher scheme; it's used for deciding how big a
|
|
|
|
* Diffie-Hellman group is needed to exchange a key for the
|
|
|
|
* cipher. */
|
|
|
|
int real_keybits;
|
|
|
|
/* padded_keybytes is the number of bytes of key data expected as
|
|
|
|
* input to the setkey function; it's used for deciding how much
|
|
|
|
* data needs to be generated from the post-kex generation of key
|
|
|
|
* material. In a sensible cipher which uses all its key bytes for
|
|
|
|
* real work, this will just be real_keybits/8, but in DES-type
|
|
|
|
* ciphers which ignore one bit in each byte, it'll be slightly
|
|
|
|
* different. */
|
|
|
|
int padded_keybytes;
|
2005-04-23 16:22:51 +00:00
|
|
|
unsigned int flags;
|
|
|
|
#define SSH_CIPHER_IS_CBC 1
|
2015-06-07 11:51:24 +00:00
|
|
|
#define SSH_CIPHER_SEPARATE_LENGTH 2
|
2015-05-15 09:12:06 +00:00
|
|
|
const char *text_name;
|
2015-06-07 12:40:11 +00:00
|
|
|
/* If set, this takes priority over other MAC. */
|
2018-09-13 15:15:17 +00:00
|
|
|
const struct ssh2_macalg *required_mac;
|
2000-09-05 14:28:17 +00:00
|
|
|
};
|
|
|
|
|
2018-09-13 13:43:04 +00:00
|
|
|
#define ssh2_cipher_new(alg) ((alg)->new(alg))
|
|
|
|
#define ssh2_cipher_free(ctx) ((*(ctx))->free(ctx))
|
|
|
|
#define ssh2_cipher_setiv(ctx, iv) ((*(ctx))->setiv(ctx, iv))
|
|
|
|
#define ssh2_cipher_setkey(ctx, key) ((*(ctx))->setkey(ctx, key))
|
|
|
|
#define ssh2_cipher_encrypt(ctx, blk, len) ((*(ctx))->encrypt(ctx, blk, len))
|
|
|
|
#define ssh2_cipher_decrypt(ctx, blk, len) ((*(ctx))->decrypt(ctx, blk, len))
|
|
|
|
#define ssh2_cipher_encrypt_length(ctx, blk, len, seq) \
|
|
|
|
((*(ctx))->encrypt_length(ctx, blk, len, seq))
|
|
|
|
#define ssh2_cipher_decrypt_length(ctx, blk, len, seq) \
|
|
|
|
((*(ctx))->decrypt_length(ctx, blk, len, seq))
|
|
|
|
#define ssh2_cipher_alg(ctx) (*(ctx))
|
|
|
|
|
2001-03-02 13:55:23 +00:00
|
|
|
struct ssh2_ciphers {
|
|
|
|
int nciphers;
|
2018-09-13 13:43:04 +00:00
|
|
|
const struct ssh2_cipheralg *const *list;
|
2001-03-02 13:55:23 +00:00
|
|
|
};
|
|
|
|
|
2018-09-13 15:15:17 +00:00
|
|
|
struct ssh2_macalg;
|
|
|
|
typedef struct ssh2_mac {
|
|
|
|
const struct ssh2_macalg *vt;
|
|
|
|
BinarySink_DELEGATE_IMPLEMENTATION;
|
|
|
|
} ssh2_mac;
|
|
|
|
|
|
|
|
struct ssh2_macalg {
|
2015-06-07 12:40:11 +00:00
|
|
|
/* Passes in the cipher context */
|
2018-09-13 15:15:17 +00:00
|
|
|
ssh2_mac *(*new)(const struct ssh2_macalg *alg, ssh2_cipher *cipher);
|
|
|
|
void (*free)(ssh2_mac *);
|
|
|
|
void (*setkey)(ssh2_mac *, const void *key);
|
|
|
|
void (*start)(ssh2_mac *);
|
|
|
|
void (*genresult)(ssh2_mac *, unsigned char *);
|
2015-05-15 09:12:06 +00:00
|
|
|
const char *name, *etm_name;
|
2015-08-21 22:20:12 +00:00
|
|
|
int len, keylen;
|
2015-05-15 09:12:06 +00:00
|
|
|
const char *text_name;
|
2000-09-05 14:28:17 +00:00
|
|
|
};
|
|
|
|
|
2018-09-13 15:15:17 +00:00
|
|
|
#define ssh2_mac_new(alg, cipher) ((alg)->new(alg, cipher))
|
|
|
|
#define ssh2_mac_free(ctx) ((ctx)->vt->free(ctx))
|
|
|
|
#define ssh2_mac_setkey(ctx, key) ((ctx)->vt->free(ctx, key))
|
|
|
|
#define ssh2_mac_start(ctx) ((ctx)->vt->start(ctx))
|
|
|
|
#define ssh2_mac_genresult(ctx, out) ((ctx)->vt->genresult(ctx, out))
|
|
|
|
#define ssh2_mac_alg(ctx) ((ctx)->vt)
|
|
|
|
|
|
|
|
/* Centralised 'methods' for ssh2_mac, defined in sshmac.c */
|
|
|
|
int ssh2_mac_verresult(ssh2_mac *, const void *);
|
|
|
|
void ssh2_mac_generate(ssh2_mac *, void *, int, unsigned long seq);
|
|
|
|
int ssh2_mac_verify(ssh2_mac *, const void *, int, unsigned long seq);
|
|
|
|
|
2018-09-13 15:41:46 +00:00
|
|
|
typedef struct ssh_hash {
|
|
|
|
const struct ssh_hashalg *vt;
|
|
|
|
BinarySink_DELEGATE_IMPLEMENTATION;
|
|
|
|
} ssh_hash;
|
|
|
|
|
|
|
|
struct ssh_hashalg {
|
|
|
|
ssh_hash *(*new)(const struct ssh_hashalg *alg);
|
|
|
|
ssh_hash *(*copy)(ssh_hash *);
|
|
|
|
void (*final)(ssh_hash *, unsigned char *); /* ALSO FREES THE ssh_hash! */
|
|
|
|
void (*free)(ssh_hash *);
|
2005-08-31 20:43:06 +00:00
|
|
|
int hlen; /* output length in bytes */
|
2015-05-15 09:12:06 +00:00
|
|
|
const char *text_name;
|
2005-08-31 20:43:06 +00:00
|
|
|
};
|
|
|
|
|
2018-09-13 15:41:46 +00:00
|
|
|
#define ssh_hash_new(alg) ((alg)->new(alg))
|
|
|
|
#define ssh_hash_copy(ctx) ((ctx)->vt->copy(ctx))
|
|
|
|
#define ssh_hash_final(ctx, out) ((ctx)->vt->final(ctx, out))
|
|
|
|
#define ssh_hash_free(ctx) ((ctx)->vt->free(ctx))
|
|
|
|
#define ssh_hash_alg(ctx) ((ctx)->vt)
|
|
|
|
|
2000-09-05 14:28:17 +00:00
|
|
|
struct ssh_kex {
|
2015-05-15 10:15:42 +00:00
|
|
|
const char *name, *groupname;
|
Support GSS key exchange, for Kerberos 5 only.
This is a heavily edited (by me) version of a patch originally due to
Nico Williams and Viktor Dukhovni. Their comments:
* Don't delegate credentials when rekeying unless there's a new TGT
or the old service ticket is nearly expired.
* Check for the above conditions more frequently (every two minutes
by default) and rekey when we would delegate credentials.
* Do not rekey with very short service ticket lifetimes; some GSSAPI
libraries may lose the race to use an almost expired ticket. Adjust
the timing of rekey checks to try to avoid this possibility.
My further comments:
The most interesting thing about this patch to me is that the use of
GSS key exchange causes a switch over to a completely different model
of what host keys are for. This comes from RFC 4462 section 2.1: the
basic idea is that when your session is mostly bidirectionally
authenticated by the GSSAPI exchanges happening in initial kex and
every rekey, host keys become more or less vestigial, and their
remaining purpose is to allow a rekey to happen if the requirements of
the SSH protocol demand it at an awkward moment when the GSS
credentials are not currently available (e.g. timed out and haven't
been renewed yet). As such, there's no need for host keys to be
_permanent_ or to be a reliable identifier of a particular host, and
RFC 4462 allows for the possibility that they might be purely
transient and only for this kind of emergency fallback purpose.
Therefore, once PuTTY has done a GSS key exchange, it disconnects
itself completely from the permanent host key cache functions in
storage.h, and instead switches to a _transient_ host key cache stored
in memory with the lifetime of just that SSH session. That cache is
populated with keys received from the server as a side effect of GSS
kex (via the optional SSH2_MSG_KEXGSS_HOSTKEY message), and used if
later in the session we have to fall back to a non-GSS key exchange.
However, in practice servers we've tested against do not send a host
key in that way, so we also have a fallback method of populating the
transient cache by triggering an immediate non-GSS rekey straight
after userauth (reusing the code path we also use to turn on OpenSSH
delayed encryption without the race condition).
2018-04-26 06:18:59 +00:00
|
|
|
enum { KEXTYPE_DH, KEXTYPE_RSA, KEXTYPE_ECDH, KEXTYPE_GSS } main_type;
|
2018-09-13 15:41:46 +00:00
|
|
|
const struct ssh_hashalg *hash;
|
2015-05-15 09:12:08 +00:00
|
|
|
const void *extra; /* private to the kex methods */
|
2000-09-05 14:28:17 +00:00
|
|
|
};
|
|
|
|
|
2005-09-03 13:41:43 +00:00
|
|
|
struct ssh_kexes {
|
|
|
|
int nkexes;
|
|
|
|
const struct ssh_kex *const *list;
|
|
|
|
};
|
|
|
|
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
struct ssh_keyalg {
|
2018-06-03 11:58:05 +00:00
|
|
|
/* Constructors that create an ssh_key */
|
|
|
|
ssh_key *(*new_pub) (const ssh_keyalg *self, ptrlen pub);
|
|
|
|
ssh_key *(*new_priv) (const ssh_keyalg *self, ptrlen pub, ptrlen priv);
|
|
|
|
ssh_key *(*new_priv_openssh) (const ssh_keyalg *self, BinarySource *);
|
|
|
|
|
|
|
|
/* Methods that operate on an existing ssh_key */
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
void (*freekey) (ssh_key *key);
|
2018-06-03 11:58:05 +00:00
|
|
|
void (*sign) (ssh_key *key, const void *data, int datalen, BinarySink *);
|
|
|
|
int (*verify) (ssh_key *key, ptrlen sig, ptrlen data);
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
void (*public_blob)(ssh_key *key, BinarySink *);
|
|
|
|
void (*private_blob)(ssh_key *key, BinarySink *);
|
2018-06-03 11:58:05 +00:00
|
|
|
void (*openssh_blob) (ssh_key *key, BinarySink *);
|
|
|
|
char *(*cache_str) (ssh_key *key);
|
|
|
|
|
|
|
|
/* 'Class methods' that don't deal with an ssh_key at all */
|
Clean up ssh_keyalg APIs and implementations.
Quite a few of the function pointers in the ssh_keyalg vtable now take
ptrlen arguments in place of separate pointer and length pairs.
Meanwhile, the various key types' implementations of those functions
now work by initialising a BinarySource with the input ptrlen and
using the new decode functions to walk along it.
One exception is the openssh_createkey method which reads a private
key in the wire format used by OpenSSH's SSH-2 agent protocol, which
has to consume a prefix of a larger data stream, and tell the caller
how much of that data was the private key. That function now takes an
actual BinarySource, and passes that directly to the decode functions,
so that on return the caller finds that the BinarySource's read
pointer has been advanced exactly past the private key.
This let me throw away _several_ reimplementations of mpint-reading
functions, one in each of sshrsa, sshdss.c and sshecc.c. Worse still,
they didn't all have exactly the SSH-2 semantics, because the thing in
sshrsa.c whose name suggested it was an mpint-reading function
actually tolerated the wrong number of leading zero bytes, which it
had to be able to do to cope with the "ssh-rsa" signature format which
contains a thing that isn't quite an SSH-2 mpint. Now that deviation
is clearly commented!
2018-05-31 17:40:51 +00:00
|
|
|
int (*pubkey_bits) (const ssh_keyalg *self, ptrlen blob);
|
2018-06-03 11:58:05 +00:00
|
|
|
|
|
|
|
/* Constant data fields giving information about the key type */
|
|
|
|
const char *ssh_id; /* string identifier in the SSH protocol */
|
|
|
|
const char *cache_id; /* identifier used in PuTTY's host key cache */
|
|
|
|
const void *extra; /* private to the public key methods */
|
2000-09-05 14:28:17 +00:00
|
|
|
};
|
|
|
|
|
2018-06-03 11:58:05 +00:00
|
|
|
#define ssh_key_new_pub(alg, data) ((alg)->new_pub(alg, data))
|
|
|
|
#define ssh_key_new_priv(alg, pub, priv) ((alg)->new_priv(alg, pub, priv))
|
|
|
|
#define ssh_key_new_priv_openssh(alg, bs) ((alg)->new_priv_openssh(alg, bs))
|
|
|
|
|
|
|
|
#define ssh_key_free(key) ((*(key))->freekey(key))
|
|
|
|
#define ssh_key_sign(key, data, len, bs) ((*(key))->sign(key, data, len, bs))
|
|
|
|
#define ssh_key_verify(key, sig, data) ((*(key))->verify(key, sig, data))
|
|
|
|
#define ssh_key_public_blob(key, bs) ((*(key))->public_blob(key, bs))
|
|
|
|
#define ssh_key_private_blob(key, bs) ((*(key))->private_blob(key, bs))
|
|
|
|
#define ssh_key_openssh_blob(key, bs) ((*(key))->openssh_blob(key, bs))
|
|
|
|
#define ssh_key_cache_str(key) ((*(key))->cache_str(key))
|
|
|
|
|
|
|
|
#define ssh_key_public_bits(alg, blob) ((alg)->pubkey_bits(alg, blob))
|
|
|
|
|
|
|
|
#define ssh_key_alg(key) (*(key))
|
|
|
|
#define ssh_key_ssh_id(key) ((*(key))->ssh_id)
|
|
|
|
#define ssh_key_cache_id(key) ((*(key))->cache_id)
|
|
|
|
|
2018-09-14 08:16:41 +00:00
|
|
|
typedef struct ssh_compressor {
|
|
|
|
const struct ssh_compression_alg *vt;
|
|
|
|
} ssh_compressor;
|
|
|
|
typedef struct ssh_decompressor {
|
|
|
|
const struct ssh_compression_alg *vt;
|
|
|
|
} ssh_decompressor;
|
|
|
|
|
|
|
|
struct ssh_compression_alg {
|
2015-05-15 10:15:42 +00:00
|
|
|
const char *name;
|
2011-03-04 22:34:47 +00:00
|
|
|
/* For zlib@openssh.com: if non-NULL, this name will be considered once
|
|
|
|
* userauth has completed successfully. */
|
2015-05-15 10:15:42 +00:00
|
|
|
const char *delayed_name;
|
2018-09-14 08:16:41 +00:00
|
|
|
ssh_compressor *(*compress_new)(void);
|
|
|
|
void (*compress_free)(ssh_compressor *);
|
|
|
|
void (*compress)(ssh_compressor *, unsigned char *block, int len,
|
|
|
|
unsigned char **outblock, int *outlen,
|
|
|
|
int minlen);
|
|
|
|
ssh_decompressor *(*decompress_new)(void);
|
|
|
|
void (*decompress_free)(ssh_decompressor *);
|
|
|
|
int (*decompress)(ssh_decompressor *, unsigned char *block, int len,
|
|
|
|
unsigned char **outblock, int *outlen);
|
2015-05-15 09:12:06 +00:00
|
|
|
const char *text_name;
|
1999-01-08 13:02:13 +00:00
|
|
|
};
|
|
|
|
|
2018-09-14 08:16:41 +00:00
|
|
|
#define ssh_compressor_new(alg) ((alg)->compress_new())
|
|
|
|
#define ssh_compressor_free(comp) ((comp)->vt->compress_free(comp))
|
|
|
|
#define ssh_compressor_compress(comp, in, inlen, out, outlen, minlen) \
|
|
|
|
((comp)->vt->compress(comp, in, inlen, out, outlen, minlen))
|
|
|
|
#define ssh_decompressor_new(alg) ((alg)->decompress_new())
|
|
|
|
#define ssh_decompressor_free(comp) ((comp)->vt->decompress_free(comp))
|
|
|
|
#define ssh_decompressor_decompress(comp, in, inlen, out, outlen) \
|
|
|
|
((comp)->vt->decompress(comp, in, inlen, out, outlen))
|
|
|
|
|
2001-03-03 11:54:34 +00:00
|
|
|
struct ssh2_userkey {
|
2018-06-03 11:58:05 +00:00
|
|
|
ssh_key *key; /* the key itself */
|
2001-03-03 11:54:34 +00:00
|
|
|
char *comment; /* the key comment */
|
|
|
|
};
|
|
|
|
|
2006-03-12 19:24:05 +00:00
|
|
|
/* The maximum length of any hash algorithm used in kex. (bytes) */
|
2014-11-01 09:45:20 +00:00
|
|
|
#define SSH2_KEX_MAX_HASH_LEN (64) /* SHA-512 */
|
2006-03-12 19:24:05 +00:00
|
|
|
|
2018-09-13 12:29:32 +00:00
|
|
|
extern const struct ssh1_cipheralg ssh1_3des;
|
|
|
|
extern const struct ssh1_cipheralg ssh1_des;
|
|
|
|
extern const struct ssh1_cipheralg ssh1_blowfish;
|
2001-03-03 11:54:34 +00:00
|
|
|
extern const struct ssh2_ciphers ssh2_3des;
|
2001-11-21 23:06:10 +00:00
|
|
|
extern const struct ssh2_ciphers ssh2_des;
|
2001-03-03 11:54:34 +00:00
|
|
|
extern const struct ssh2_ciphers ssh2_aes;
|
|
|
|
extern const struct ssh2_ciphers ssh2_blowfish;
|
2005-04-14 22:58:29 +00:00
|
|
|
extern const struct ssh2_ciphers ssh2_arcfour;
|
2015-06-07 11:51:51 +00:00
|
|
|
extern const struct ssh2_ciphers ssh2_ccp;
|
2018-09-13 15:41:46 +00:00
|
|
|
extern const struct ssh_hashalg ssh_sha1;
|
|
|
|
extern const struct ssh_hashalg ssh_sha256;
|
|
|
|
extern const struct ssh_hashalg ssh_sha384;
|
|
|
|
extern const struct ssh_hashalg ssh_sha512;
|
2005-09-03 13:41:43 +00:00
|
|
|
extern const struct ssh_kexes ssh_diffiehellman_group1;
|
|
|
|
extern const struct ssh_kexes ssh_diffiehellman_group14;
|
|
|
|
extern const struct ssh_kexes ssh_diffiehellman_gex;
|
Support GSS key exchange, for Kerberos 5 only.
This is a heavily edited (by me) version of a patch originally due to
Nico Williams and Viktor Dukhovni. Their comments:
* Don't delegate credentials when rekeying unless there's a new TGT
or the old service ticket is nearly expired.
* Check for the above conditions more frequently (every two minutes
by default) and rekey when we would delegate credentials.
* Do not rekey with very short service ticket lifetimes; some GSSAPI
libraries may lose the race to use an almost expired ticket. Adjust
the timing of rekey checks to try to avoid this possibility.
My further comments:
The most interesting thing about this patch to me is that the use of
GSS key exchange causes a switch over to a completely different model
of what host keys are for. This comes from RFC 4462 section 2.1: the
basic idea is that when your session is mostly bidirectionally
authenticated by the GSSAPI exchanges happening in initial kex and
every rekey, host keys become more or less vestigial, and their
remaining purpose is to allow a rekey to happen if the requirements of
the SSH protocol demand it at an awkward moment when the GSS
credentials are not currently available (e.g. timed out and haven't
been renewed yet). As such, there's no need for host keys to be
_permanent_ or to be a reliable identifier of a particular host, and
RFC 4462 allows for the possibility that they might be purely
transient and only for this kind of emergency fallback purpose.
Therefore, once PuTTY has done a GSS key exchange, it disconnects
itself completely from the permanent host key cache functions in
storage.h, and instead switches to a _transient_ host key cache stored
in memory with the lifetime of just that SSH session. That cache is
populated with keys received from the server as a side effect of GSS
kex (via the optional SSH2_MSG_KEXGSS_HOSTKEY message), and used if
later in the session we have to fall back to a non-GSS key exchange.
However, in practice servers we've tested against do not send a host
key in that way, so we also have a fallback method of populating the
transient cache by triggering an immediate non-GSS rekey straight
after userauth (reusing the code path we also use to turn on OpenSSH
delayed encryption without the race condition).
2018-04-26 06:18:59 +00:00
|
|
|
extern const struct ssh_kexes ssh_gssk5_sha1_kex;
|
2007-04-30 22:09:26 +00:00
|
|
|
extern const struct ssh_kexes ssh_rsa_kex;
|
2014-11-01 09:45:20 +00:00
|
|
|
extern const struct ssh_kexes ssh_ecdh_kex;
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
extern const ssh_keyalg ssh_dss;
|
|
|
|
extern const ssh_keyalg ssh_rsa;
|
|
|
|
extern const ssh_keyalg ssh_ecdsa_ed25519;
|
|
|
|
extern const ssh_keyalg ssh_ecdsa_nistp256;
|
|
|
|
extern const ssh_keyalg ssh_ecdsa_nistp384;
|
|
|
|
extern const ssh_keyalg ssh_ecdsa_nistp521;
|
2018-09-13 15:15:17 +00:00
|
|
|
extern const struct ssh2_macalg ssh_hmac_md5;
|
|
|
|
extern const struct ssh2_macalg ssh_hmac_sha1;
|
|
|
|
extern const struct ssh2_macalg ssh_hmac_sha1_buggy;
|
|
|
|
extern const struct ssh2_macalg ssh_hmac_sha1_96;
|
|
|
|
extern const struct ssh2_macalg ssh_hmac_sha1_96_buggy;
|
|
|
|
extern const struct ssh2_macalg ssh_hmac_sha256;
|
2018-09-14 08:16:41 +00:00
|
|
|
extern const struct ssh_compression_alg ssh_zlib;
|
2005-08-31 19:11:19 +00:00
|
|
|
|
2018-09-13 13:43:04 +00:00
|
|
|
typedef struct AESContext AESContext;
|
|
|
|
AESContext *aes_make_context(void);
|
|
|
|
void aes_free_context(AESContext *ctx);
|
|
|
|
void aes128_key(AESContext *ctx, const void *key);
|
|
|
|
void aes192_key(AESContext *ctx, const void *key);
|
|
|
|
void aes256_key(AESContext *ctx, const void *key);
|
|
|
|
void aes_iv(AESContext *ctx, const void *iv);
|
|
|
|
void aes_ssh2_encrypt_blk(AESContext *ctx, void *blk, int len);
|
|
|
|
void aes_ssh2_decrypt_blk(AESContext *ctx, void *blk, int len);
|
|
|
|
void aes_ssh2_sdctr(AESContext *ctx, void *blk, int len);
|
2001-03-03 11:54:34 +00:00
|
|
|
|
2001-03-15 12:15:02 +00:00
|
|
|
/*
|
|
|
|
* PuTTY version number formatted as an SSH version string.
|
|
|
|
*/
|
2016-04-07 06:52:55 +00:00
|
|
|
extern const char sshver[];
|
2001-03-15 12:15:02 +00:00
|
|
|
|
2001-08-26 18:32:28 +00:00
|
|
|
/*
|
|
|
|
* Gross hack: pscp will try to start SFTP but fall back to scp1 if
|
|
|
|
* that fails. This variable is the means by which scp.c can reach
|
|
|
|
* into the SSH code and find out which one it got.
|
|
|
|
*/
|
2018-09-11 15:23:38 +00:00
|
|
|
extern int ssh_fallback_cmd(Backend *backend);
|
2001-08-26 18:32:28 +00:00
|
|
|
|
2001-05-06 14:35:20 +00:00
|
|
|
void SHATransform(word32 * digest, word32 * data);
|
1999-01-08 13:02:13 +00:00
|
|
|
|
2018-02-11 10:27:39 +00:00
|
|
|
/*
|
|
|
|
* Check of compiler version
|
|
|
|
*/
|
|
|
|
#ifdef _FORCE_SHA_NI
|
|
|
|
# define COMPILER_SUPPORTS_SHA_NI
|
|
|
|
#elif defined(__clang__)
|
2018-03-14 10:51:19 +00:00
|
|
|
# if __has_attribute(target) && __has_include(<shaintrin.h>) && (defined(__x86_64__) || defined(__i386))
|
2018-02-11 10:27:39 +00:00
|
|
|
# define COMPILER_SUPPORTS_SHA_NI
|
|
|
|
# endif
|
|
|
|
#elif defined(__GNUC__)
|
|
|
|
# if ((__GNUC__ >= 5) && (defined(__x86_64__) || defined(__i386)))
|
|
|
|
# define COMPILER_SUPPORTS_SHA_NI
|
|
|
|
# endif
|
|
|
|
#elif defined (_MSC_VER)
|
|
|
|
# if (defined(_M_X64) || defined(_M_IX86)) && _MSC_VER >= 1900
|
|
|
|
# define COMPILER_SUPPORTS_SHA_NI
|
|
|
|
# endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef _FORCE_SOFTWARE_SHA
|
|
|
|
# undef COMPILER_SUPPORTS_SHA_NI
|
|
|
|
#endif
|
|
|
|
|
1999-01-08 13:02:13 +00:00
|
|
|
int random_byte(void);
|
|
|
|
void random_add_noise(void *noise, int length);
|
2000-10-19 15:43:08 +00:00
|
|
|
void random_add_heavynoise(void *noise, int length);
|
1999-11-09 11:10:04 +00:00
|
|
|
|
2003-01-05 22:53:23 +00:00
|
|
|
/* Exports from x11fwd.c */
|
2008-11-17 18:38:09 +00:00
|
|
|
enum {
|
|
|
|
X11_TRANS_IPV4 = 0, X11_TRANS_IPV6 = 6, X11_TRANS_UNIX = 256
|
|
|
|
};
|
|
|
|
struct X11Display {
|
|
|
|
/* Broken-down components of the display name itself */
|
|
|
|
int unixdomain;
|
|
|
|
char *hostname;
|
|
|
|
int displaynum;
|
|
|
|
int screennum;
|
|
|
|
/* OSX sometimes replaces all the above with a full Unix-socket pathname */
|
|
|
|
char *unixsocketpath;
|
|
|
|
|
|
|
|
/* PuTTY networking SockAddr to connect to the display, and associated
|
|
|
|
* gubbins */
|
|
|
|
SockAddr addr;
|
|
|
|
int port;
|
|
|
|
char *realhost;
|
|
|
|
|
|
|
|
/* Our local auth details for talking to the real X display. */
|
|
|
|
int localauthproto;
|
|
|
|
unsigned char *localauthdata;
|
|
|
|
int localauthdatalen;
|
2013-11-17 14:05:10 +00:00
|
|
|
};
|
|
|
|
struct X11FakeAuth {
|
|
|
|
/* Auth details we invented for a virtual display on the SSH server. */
|
|
|
|
int proto;
|
|
|
|
unsigned char *data;
|
|
|
|
int datalen;
|
|
|
|
char *protoname;
|
|
|
|
char *datastring;
|
|
|
|
|
|
|
|
/* The encrypted form of the first block, in XDM-AUTHORIZATION-1.
|
|
|
|
* Used as part of the key when these structures are organised
|
|
|
|
* into a tree. See x11_invent_fake_auth for explanation. */
|
|
|
|
unsigned char *xa1_firstblock;
|
2008-11-17 18:38:09 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Used inside x11fwd.c to remember recently seen
|
|
|
|
* XDM-AUTHORIZATION-1 strings, to avoid replay attacks.
|
|
|
|
*/
|
|
|
|
tree234 *xdmseen;
|
2013-11-17 14:05:10 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* What to do with an X connection matching this auth data.
|
|
|
|
*/
|
|
|
|
struct X11Display *disp;
|
2018-09-13 08:09:10 +00:00
|
|
|
ssh_sharing_connstate *share_cs;
|
|
|
|
share_channel *share_chan;
|
2008-11-17 18:38:09 +00:00
|
|
|
};
|
2013-11-17 14:05:17 +00:00
|
|
|
void *x11_make_greeting(int endian, int protomajor, int protominor,
|
|
|
|
int auth_proto, const void *auth_data, int auth_len,
|
|
|
|
const char *peer_ip, int peer_port,
|
|
|
|
int *outlen);
|
2013-11-17 14:05:10 +00:00
|
|
|
int x11_authcmp(void *av, void *bv); /* for putting X11FakeAuth in a tree234 */
|
2008-11-17 18:38:09 +00:00
|
|
|
/*
|
|
|
|
* x11_setup_display() parses the display variable and fills in an
|
|
|
|
* X11Display structure. Some remote auth details are invented;
|
|
|
|
* the supplied authtype parameter configures the preferred
|
|
|
|
* authorisation protocol to use at the remote end. The local auth
|
|
|
|
* details are looked up by calling platform_get_x11_auth.
|
|
|
|
*/
|
2015-05-05 19:16:18 +00:00
|
|
|
extern struct X11Display *x11_setup_display(const char *display, Conf *);
|
2008-11-17 18:38:09 +00:00
|
|
|
void x11_free_display(struct X11Display *disp);
|
2013-11-17 14:05:10 +00:00
|
|
|
struct X11FakeAuth *x11_invent_fake_auth(tree234 *t, int authtype);
|
|
|
|
void x11_free_fake_auth(struct X11FakeAuth *auth);
|
2018-09-14 12:47:13 +00:00
|
|
|
Channel *x11_new_channel(tree234 *authtree, SshChannel *c,
|
Replace enum+union of local channel types with a vtable.
There's now an interface called 'Channel', which handles the local
side of an SSH connection-layer channel, in terms of knowing where to
send incoming channel data to, whether to close the channel, etc.
Channel and the previous 'struct ssh_channel' mutually refer. The
latter contains all the SSH-specific parts, and as much of the common
logic as possible: in particular, Channel doesn't have to know
anything about SSH packet formats, or which SSH protocol version is in
use, or deal with all the fiddly stuff about window sizes - with the
exception that x11fwd.c's implementation of it does have to be able to
ask for a small fixed initial window size for the bodgy system that
distinguishes upstream from downstream X forwardings.
I've taken the opportunity to move the code implementing the detailed
behaviour of agent forwarding out of ssh.c, now that all of it is on
the far side of a uniform interface. (This also means that if I later
implement agent forwarding directly to a Unix socket as an
alternative, it'll be a matter of changing just the one call to
agentf_new() that makes the Channel to plug into a forwarding.)
2018-09-12 14:03:47 +00:00
|
|
|
const char *peeraddr, int peerport,
|
|
|
|
int connection_sharing_possible);
|
2004-05-31 14:01:52 +00:00
|
|
|
char *x11_display(const char *display);
|
|
|
|
/* Platform-dependent X11 functions */
|
Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.
User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).
One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.
[originally from svn r9214]
2011-07-14 18:52:21 +00:00
|
|
|
extern void platform_get_x11_auth(struct X11Display *display, Conf *);
|
2008-11-17 18:38:09 +00:00
|
|
|
/* examine a mostly-filled-in X11Display and fill in localauth* */
|
|
|
|
extern const int platform_uses_x11_unix_by_default;
|
|
|
|
/* choose default X transport in the absence of a specified one */
|
|
|
|
SockAddr platform_get_x11_unix_address(const char *path, int displaynum);
|
|
|
|
/* make up a SockAddr naming the address for displaynum */
|
2004-10-06 22:31:07 +00:00
|
|
|
char *platform_get_x_display(void);
|
2008-11-17 18:38:09 +00:00
|
|
|
/* allocated local X display string, if any */
|
|
|
|
/* Callbacks in x11.c usable _by_ platform X11 functions */
|
|
|
|
/*
|
|
|
|
* This function does the job of platform_get_x11_auth, provided
|
|
|
|
* it is told where to find a normally formatted .Xauthority file:
|
|
|
|
* it opens that file, parses it to find an auth record which
|
|
|
|
* matches the display details in "display", and fills in the
|
|
|
|
* localauth fields.
|
|
|
|
*
|
|
|
|
* It is expected that most implementations of
|
|
|
|
* platform_get_x11_auth() will work by finding their system's
|
|
|
|
* .Xauthority file, adjusting the display details if necessary
|
|
|
|
* for local oddities like Unix-domain socket transport, and
|
|
|
|
* calling this function to do the rest of the work.
|
|
|
|
*/
|
|
|
|
void x11_get_auth_from_authfile(struct X11Display *display,
|
|
|
|
const char *authfilename);
|
2018-05-29 18:11:22 +00:00
|
|
|
int x11_identify_auth_proto(ptrlen protoname);
|
|
|
|
void *x11_dehexify(ptrlen hex, int *outlen);
|
2003-01-11 14:20:00 +00:00
|
|
|
|
2018-09-14 12:47:13 +00:00
|
|
|
Channel *agentf_new(SshChannel *c);
|
Replace enum+union of local channel types with a vtable.
There's now an interface called 'Channel', which handles the local
side of an SSH connection-layer channel, in terms of knowing where to
send incoming channel data to, whether to close the channel, etc.
Channel and the previous 'struct ssh_channel' mutually refer. The
latter contains all the SSH-specific parts, and as much of the common
logic as possible: in particular, Channel doesn't have to know
anything about SSH packet formats, or which SSH protocol version is in
use, or deal with all the fiddly stuff about window sizes - with the
exception that x11fwd.c's implementation of it does have to be able to
ask for a small fixed initial window size for the bodgy system that
distinguishes upstream from downstream X forwardings.
I've taken the opportunity to move the code implementing the detailed
behaviour of agent forwarding out of ssh.c, now that all of it is on
the far side of a uniform interface. (This also means that if I later
implement agent forwarding directly to a Unix socket as an
alternative, it'll be a matter of changing just the one call to
agentf_new() that makes the Channel to plug into a forwarding.)
2018-09-12 14:03:47 +00:00
|
|
|
|
2000-09-07 16:33:49 +00:00
|
|
|
Bignum copybn(Bignum b);
|
2001-03-01 17:41:26 +00:00
|
|
|
Bignum bn_power_2(int n);
|
|
|
|
void bn_restore_invariant(Bignum b);
|
2001-09-22 20:52:21 +00:00
|
|
|
Bignum bignum_from_long(unsigned long n);
|
2000-09-05 14:28:17 +00:00
|
|
|
void freebn(Bignum b);
|
2000-10-23 16:11:31 +00:00
|
|
|
Bignum modpow(Bignum base, Bignum exp, Bignum mod);
|
|
|
|
Bignum modmul(Bignum a, Bignum b, Bignum mod);
|
2014-11-01 09:15:08 +00:00
|
|
|
Bignum modsub(const Bignum a, const Bignum b, const Bignum n);
|
2000-09-07 16:33:49 +00:00
|
|
|
void decbn(Bignum n);
|
|
|
|
extern Bignum Zero, One;
|
2018-05-26 07:31:34 +00:00
|
|
|
Bignum bignum_from_bytes(const void *data, int nbytes);
|
|
|
|
Bignum bignum_from_bytes_le(const void *data, int nbytes);
|
2014-11-01 09:15:08 +00:00
|
|
|
Bignum bignum_random_in_range(const Bignum lower, const Bignum upper);
|
2001-04-16 11:16:58 +00:00
|
|
|
int bignum_bitcount(Bignum bn);
|
2000-09-14 15:02:50 +00:00
|
|
|
int bignum_byte(Bignum bn, int i);
|
2000-10-18 15:00:36 +00:00
|
|
|
int bignum_bit(Bignum bn, int i);
|
|
|
|
void bignum_set_bit(Bignum bn, int i, int value);
|
|
|
|
Bignum biggcd(Bignum a, Bignum b);
|
|
|
|
unsigned short bignum_mod_short(Bignum number, unsigned short modulus);
|
|
|
|
Bignum bignum_add_long(Bignum number, unsigned long addend);
|
2011-02-18 08:25:39 +00:00
|
|
|
Bignum bigadd(Bignum a, Bignum b);
|
|
|
|
Bignum bigsub(Bignum a, Bignum b);
|
2000-10-18 15:00:36 +00:00
|
|
|
Bignum bigmul(Bignum a, Bignum b);
|
2001-09-22 20:52:21 +00:00
|
|
|
Bignum bigmuladd(Bignum a, Bignum b, Bignum addend);
|
|
|
|
Bignum bigdiv(Bignum a, Bignum b);
|
|
|
|
Bignum bigmod(Bignum a, Bignum b);
|
2000-10-18 15:00:36 +00:00
|
|
|
Bignum modinv(Bignum number, Bignum modulus);
|
2001-03-01 17:41:26 +00:00
|
|
|
Bignum bignum_bitmask(Bignum number);
|
2000-10-18 15:00:36 +00:00
|
|
|
Bignum bignum_rshift(Bignum number, int shift);
|
2014-11-01 09:15:08 +00:00
|
|
|
Bignum bignum_lshift(Bignum number, int shift);
|
2000-10-18 15:36:32 +00:00
|
|
|
int bignum_cmp(Bignum a, Bignum b);
|
2000-10-19 15:43:08 +00:00
|
|
|
char *bignum_decimal(Bignum x);
|
2015-05-12 11:10:42 +00:00
|
|
|
Bignum bignum_from_decimal(const char *decimal);
|
2000-09-05 14:28:17 +00:00
|
|
|
|
2018-05-24 08:17:13 +00:00
|
|
|
void BinarySink_put_mp_ssh1(BinarySink *, Bignum);
|
|
|
|
void BinarySink_put_mp_ssh2(BinarySink *, Bignum);
|
Introduce a centralised unmarshaller, 'BinarySource'.
This is the companion to the BinarySink system I introduced a couple
of weeks ago, and provides the same type-genericity which will let me
use the same get_* routines on an SSH packet, an SFTP packet or
anything else that chooses to include an implementing substructure.
However, unlike BinarySink which contained a (one-function) vtable,
BinarySource contains only mutable data fields - so another thing you
might very well want to do is to simply instantiate a bare one without
any containing object at all. I couldn't quite coerce C into letting
me use the same setup macro in both cases, so I've arranged a
BinarySource_INIT you can use on larger implementing objects and a
BinarySource_BARE_INIT you can use on a BinarySource not contained in
anything.
The API follows the general principle that even if decoding fails, the
decode functions will always return _some_ kind of value, with the
same dynamically-allocated-ness they would have used for a completely
successful value. But they also set an error flag in the BinarySource
which can be tested later. So instead of having to decode a 10-field
packet by means of 10 separate 'if (!get_foo(src)) throw error'
clauses, you can just write 10 'variable = get_foo(src)' statements
followed by a single check of get_err(src), and if the error check
fails, you have to do exactly the same set of frees you would have
after a successful decode.
2018-06-02 07:25:19 +00:00
|
|
|
Bignum BinarySource_get_mp_ssh1(BinarySource *);
|
|
|
|
Bignum BinarySource_get_mp_ssh2(BinarySource *);
|
2018-05-24 08:17:13 +00:00
|
|
|
|
2003-04-23 14:48:57 +00:00
|
|
|
#ifdef DEBUG
|
|
|
|
void diagbn(char *prefix, Bignum md);
|
|
|
|
#endif
|
|
|
|
|
2015-05-15 09:12:08 +00:00
|
|
|
int dh_is_gex(const struct ssh_kex *kex);
|
2018-09-14 07:48:54 +00:00
|
|
|
struct dh_ctx;
|
|
|
|
struct dh_ctx *dh_setup_group(const struct ssh_kex *kex);
|
|
|
|
struct dh_ctx *dh_setup_gex(Bignum pval, Bignum gval);
|
|
|
|
void dh_cleanup(struct dh_ctx *);
|
|
|
|
Bignum dh_create_e(struct dh_ctx *, int nbits);
|
|
|
|
const char *dh_validate_f(struct dh_ctx *, Bignum f);
|
|
|
|
Bignum dh_find_K(struct dh_ctx *, Bignum f);
|
2000-09-07 16:33:49 +00:00
|
|
|
|
2018-05-24 07:22:44 +00:00
|
|
|
int rsa_ssh1_encrypted(const Filename *filename, char **comment);
|
2018-05-24 09:59:39 +00:00
|
|
|
int rsa_ssh1_loadpub(const Filename *filename, BinarySink *bs,
|
2018-05-24 07:22:44 +00:00
|
|
|
char **commentptr, const char **errorstr);
|
|
|
|
int rsa_ssh1_loadkey(const Filename *filename, struct RSAKey *key,
|
|
|
|
const char *passphrase, const char **errorstr);
|
|
|
|
int rsa_ssh1_savekey(const Filename *filename, struct RSAKey *key,
|
|
|
|
char *passphrase);
|
2001-03-03 11:54:34 +00:00
|
|
|
|
2015-05-12 13:00:04 +00:00
|
|
|
extern int base64_decode_atom(const char *atom, unsigned char *out);
|
2003-01-05 23:28:02 +00:00
|
|
|
extern int base64_lines(int datalen);
|
2015-05-12 13:00:04 +00:00
|
|
|
extern void base64_encode_atom(const unsigned char *data, int n, char *out);
|
|
|
|
extern void base64_encode(FILE *fp, const unsigned char *data, int datalen,
|
|
|
|
int cpl);
|
2001-03-03 11:54:34 +00:00
|
|
|
|
|
|
|
/* ssh2_load_userkey can return this as an error */
|
|
|
|
extern struct ssh2_userkey ssh2_wrong_passphrase;
|
|
|
|
#define SSH2_WRONG_PASSPHRASE (&ssh2_wrong_passphrase)
|
|
|
|
|
2003-02-01 12:54:40 +00:00
|
|
|
int ssh2_userkey_encrypted(const Filename *filename, char **comment);
|
|
|
|
struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
|
2015-05-11 14:23:48 +00:00
|
|
|
const char *passphrase,
|
|
|
|
const char **errorstr);
|
2018-05-24 09:59:39 +00:00
|
|
|
int ssh2_userkey_loadpub(const Filename *filename, char **algorithm,
|
|
|
|
BinarySink *bs,
|
|
|
|
char **commentptr, const char **errorstr);
|
2003-02-01 12:54:40 +00:00
|
|
|
int ssh2_save_userkey(const Filename *filename, struct ssh2_userkey *key,
|
2001-05-06 14:35:20 +00:00
|
|
|
char *passphrase);
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
const ssh_keyalg *find_pubkey_alg(const char *name);
|
2018-05-27 15:56:51 +00:00
|
|
|
const ssh_keyalg *find_pubkey_alg_len(ptrlen name);
|
2001-03-03 11:54:34 +00:00
|
|
|
|
2002-05-11 12:13:42 +00:00
|
|
|
enum {
|
|
|
|
SSH_KEYTYPE_UNOPENABLE,
|
|
|
|
SSH_KEYTYPE_UNKNOWN,
|
|
|
|
SSH_KEYTYPE_SSH1, SSH_KEYTYPE_SSH2,
|
2015-05-10 06:42:48 +00:00
|
|
|
/*
|
|
|
|
* The OpenSSH key types deserve a little explanation. OpenSSH has
|
|
|
|
* two physical formats for private key storage: an old PEM-based
|
|
|
|
* one largely dictated by their use of OpenSSL and full of ASN.1,
|
|
|
|
* and a new one using the same private key formats used over the
|
|
|
|
* wire for talking to ssh-agent. The old format can only support
|
|
|
|
* a subset of the key types, because it needs redesign for each
|
|
|
|
* key type, and after a while they decided to move to the new
|
|
|
|
* format so as not to have to do that.
|
|
|
|
*
|
|
|
|
* On input, key files are identified as either
|
|
|
|
* SSH_KEYTYPE_OPENSSH_PEM or SSH_KEYTYPE_OPENSSH_NEW, describing
|
|
|
|
* accurately which actual format the keys are stored in.
|
|
|
|
*
|
|
|
|
* On output, however, we default to following OpenSSH's own
|
|
|
|
* policy of writing out PEM-style keys for maximum backwards
|
|
|
|
* compatibility if the key type supports it, and otherwise
|
|
|
|
* switching to the new format. So the formats you can select for
|
|
|
|
* output are SSH_KEYTYPE_OPENSSH_NEW (forcing the new format for
|
|
|
|
* any key type), and SSH_KEYTYPE_OPENSSH_AUTO to use the oldest
|
|
|
|
* format supported by whatever key type you're writing out.
|
|
|
|
*
|
|
|
|
* So we have three type codes, but only two of them usable in any
|
|
|
|
* given circumstance. An input key file will never be identified
|
|
|
|
* as AUTO, only PEM or NEW; key export UIs should not be able to
|
|
|
|
* select PEM, only AUTO or NEW.
|
|
|
|
*/
|
|
|
|
SSH_KEYTYPE_OPENSSH_AUTO,
|
2015-04-28 18:46:58 +00:00
|
|
|
SSH_KEYTYPE_OPENSSH_PEM,
|
|
|
|
SSH_KEYTYPE_OPENSSH_NEW,
|
2015-05-12 11:19:57 +00:00
|
|
|
SSH_KEYTYPE_SSHCOM,
|
|
|
|
/*
|
|
|
|
* Public-key-only formats, which we still want to be able to read
|
|
|
|
* for various purposes.
|
|
|
|
*/
|
|
|
|
SSH_KEYTYPE_SSH1_PUBLIC,
|
|
|
|
SSH_KEYTYPE_SSH2_PUBLIC_RFC4716,
|
|
|
|
SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH
|
2002-05-11 12:13:42 +00:00
|
|
|
};
|
2015-05-12 12:42:26 +00:00
|
|
|
char *ssh1_pubkey_str(struct RSAKey *ssh1key);
|
|
|
|
void ssh1_write_pubkey(FILE *fp, struct RSAKey *ssh1key);
|
|
|
|
char *ssh2_pubkey_openssh_str(struct ssh2_userkey *key);
|
|
|
|
void ssh2_write_pubkey(FILE *fp, const char *comment,
|
|
|
|
const void *v_pub_blob, int pub_len,
|
|
|
|
int keytype);
|
2015-05-12 13:35:44 +00:00
|
|
|
char *ssh2_fingerprint_blob(const void *blob, int bloblen);
|
2018-06-03 11:58:05 +00:00
|
|
|
char *ssh2_fingerprint(ssh_key *key);
|
2003-02-01 12:54:40 +00:00
|
|
|
int key_type(const Filename *filename);
|
2015-05-15 10:15:42 +00:00
|
|
|
const char *key_type_to_str(int type);
|
2000-10-19 15:43:08 +00:00
|
|
|
|
2002-05-11 16:45:29 +00:00
|
|
|
int import_possible(int type);
|
|
|
|
int import_target_type(int type);
|
2003-02-01 12:54:40 +00:00
|
|
|
int import_encrypted(const Filename *filename, int type, char **comment);
|
|
|
|
int import_ssh1(const Filename *filename, int type,
|
2005-02-27 23:01:11 +00:00
|
|
|
struct RSAKey *key, char *passphrase, const char **errmsg_p);
|
2003-02-01 12:54:40 +00:00
|
|
|
struct ssh2_userkey *import_ssh2(const Filename *filename, int type,
|
2005-02-27 23:01:11 +00:00
|
|
|
char *passphrase, const char **errmsg_p);
|
2003-02-01 12:54:40 +00:00
|
|
|
int export_ssh1(const Filename *filename, int type,
|
|
|
|
struct RSAKey *key, char *passphrase);
|
|
|
|
int export_ssh2(const Filename *filename, int type,
|
2002-05-13 16:56:11 +00:00
|
|
|
struct ssh2_userkey *key, char *passphrase);
|
2002-05-11 16:45:29 +00:00
|
|
|
|
2018-05-26 07:31:34 +00:00
|
|
|
void des3_decrypt_pubkey(const void *key, void *blk, int len);
|
|
|
|
void des3_encrypt_pubkey(const void *key, void *blk, int len);
|
|
|
|
void des3_decrypt_pubkey_ossh(const void *key, const void *iv,
|
|
|
|
void *blk, int len);
|
|
|
|
void des3_encrypt_pubkey_ossh(const void *key, const void *iv,
|
|
|
|
void *blk, int len);
|
|
|
|
void aes256_encrypt_pubkey(const void *key, void *blk, int len);
|
|
|
|
void aes256_decrypt_pubkey(const void *key, void *blk, int len);
|
|
|
|
|
|
|
|
void des_encrypt_xdmauth(const void *key, void *blk, int len);
|
|
|
|
void des_decrypt_xdmauth(const void *key, void *blk, int len);
|
2003-01-11 09:31:54 +00:00
|
|
|
|
2015-04-27 19:48:29 +00:00
|
|
|
void openssh_bcrypt(const char *passphrase,
|
|
|
|
const unsigned char *salt, int saltbytes,
|
|
|
|
int rounds, unsigned char *out, int outbytes);
|
|
|
|
|
2000-10-18 15:00:36 +00:00
|
|
|
/*
|
|
|
|
* For progress updates in the key generation utility.
|
|
|
|
*/
|
2001-11-12 09:19:57 +00:00
|
|
|
#define PROGFN_INITIALISE 1
|
|
|
|
#define PROGFN_LIN_PHASE 2
|
|
|
|
#define PROGFN_EXP_PHASE 3
|
|
|
|
#define PROGFN_PHASE_EXTENT 4
|
|
|
|
#define PROGFN_READY 5
|
|
|
|
#define PROGFN_PROGRESS 6
|
2001-09-22 20:52:21 +00:00
|
|
|
typedef void (*progfn_t) (void *param, int action, int phase, int progress);
|
2000-10-18 15:00:36 +00:00
|
|
|
|
2001-05-06 14:35:20 +00:00
|
|
|
int rsa_generate(struct RSAKey *key, int bits, progfn_t pfn,
|
|
|
|
void *pfnparam);
|
2001-09-22 20:52:21 +00:00
|
|
|
int dsa_generate(struct dss_key *key, int bits, progfn_t pfn,
|
|
|
|
void *pfnparam);
|
2014-11-01 09:45:20 +00:00
|
|
|
int ec_generate(struct ec_key *key, int bits, progfn_t pfn,
|
|
|
|
void *pfnparam);
|
2015-05-09 14:02:54 +00:00
|
|
|
int ec_edgenerate(struct ec_key *key, int bits, progfn_t pfn,
|
|
|
|
void *pfnparam);
|
2001-09-22 20:52:21 +00:00
|
|
|
Bignum primegen(int bits, int modulus, int residue, Bignum factor,
|
2012-03-04 00:24:49 +00:00
|
|
|
int phase, progfn_t pfn, void *pfnparam, unsigned firstbits);
|
|
|
|
void invent_firstbits(unsigned *one, unsigned *two);
|
2000-11-01 21:34:21 +00:00
|
|
|
|
2013-11-17 14:05:41 +00:00
|
|
|
/*
|
|
|
|
* Connection-sharing API provided by platforms. This function must
|
|
|
|
* either:
|
|
|
|
* - return SHARE_NONE and do nothing
|
|
|
|
* - return SHARE_DOWNSTREAM and set *sock to a Socket connected to
|
|
|
|
* downplug
|
|
|
|
* - return SHARE_UPSTREAM and set *sock to a Socket connected to
|
|
|
|
* upplug.
|
|
|
|
*/
|
|
|
|
enum { SHARE_NONE, SHARE_DOWNSTREAM, SHARE_UPSTREAM };
|
|
|
|
int platform_ssh_share(const char *name, Conf *conf,
|
|
|
|
Plug downplug, Plug upplug, Socket *sock,
|
|
|
|
char **logtext, char **ds_err, char **us_err,
|
|
|
|
int can_upstream, int can_downstream);
|
|
|
|
void platform_ssh_share_cleanup(const char *name);
|
|
|
|
|
2013-11-17 14:03:29 +00:00
|
|
|
/*
|
|
|
|
* SSH-1 message type codes.
|
|
|
|
*/
|
|
|
|
#define SSH1_MSG_DISCONNECT 1 /* 0x1 */
|
|
|
|
#define SSH1_SMSG_PUBLIC_KEY 2 /* 0x2 */
|
|
|
|
#define SSH1_CMSG_SESSION_KEY 3 /* 0x3 */
|
|
|
|
#define SSH1_CMSG_USER 4 /* 0x4 */
|
|
|
|
#define SSH1_CMSG_AUTH_RSA 6 /* 0x6 */
|
|
|
|
#define SSH1_SMSG_AUTH_RSA_CHALLENGE 7 /* 0x7 */
|
|
|
|
#define SSH1_CMSG_AUTH_RSA_RESPONSE 8 /* 0x8 */
|
|
|
|
#define SSH1_CMSG_AUTH_PASSWORD 9 /* 0x9 */
|
|
|
|
#define SSH1_CMSG_REQUEST_PTY 10 /* 0xa */
|
|
|
|
#define SSH1_CMSG_WINDOW_SIZE 11 /* 0xb */
|
|
|
|
#define SSH1_CMSG_EXEC_SHELL 12 /* 0xc */
|
|
|
|
#define SSH1_CMSG_EXEC_CMD 13 /* 0xd */
|
|
|
|
#define SSH1_SMSG_SUCCESS 14 /* 0xe */
|
|
|
|
#define SSH1_SMSG_FAILURE 15 /* 0xf */
|
|
|
|
#define SSH1_CMSG_STDIN_DATA 16 /* 0x10 */
|
|
|
|
#define SSH1_SMSG_STDOUT_DATA 17 /* 0x11 */
|
|
|
|
#define SSH1_SMSG_STDERR_DATA 18 /* 0x12 */
|
|
|
|
#define SSH1_CMSG_EOF 19 /* 0x13 */
|
|
|
|
#define SSH1_SMSG_EXIT_STATUS 20 /* 0x14 */
|
|
|
|
#define SSH1_MSG_CHANNEL_OPEN_CONFIRMATION 21 /* 0x15 */
|
|
|
|
#define SSH1_MSG_CHANNEL_OPEN_FAILURE 22 /* 0x16 */
|
|
|
|
#define SSH1_MSG_CHANNEL_DATA 23 /* 0x17 */
|
|
|
|
#define SSH1_MSG_CHANNEL_CLOSE 24 /* 0x18 */
|
|
|
|
#define SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION 25 /* 0x19 */
|
|
|
|
#define SSH1_SMSG_X11_OPEN 27 /* 0x1b */
|
|
|
|
#define SSH1_CMSG_PORT_FORWARD_REQUEST 28 /* 0x1c */
|
|
|
|
#define SSH1_MSG_PORT_OPEN 29 /* 0x1d */
|
|
|
|
#define SSH1_CMSG_AGENT_REQUEST_FORWARDING 30 /* 0x1e */
|
|
|
|
#define SSH1_SMSG_AGENT_OPEN 31 /* 0x1f */
|
|
|
|
#define SSH1_MSG_IGNORE 32 /* 0x20 */
|
|
|
|
#define SSH1_CMSG_EXIT_CONFIRMATION 33 /* 0x21 */
|
|
|
|
#define SSH1_CMSG_X11_REQUEST_FORWARDING 34 /* 0x22 */
|
|
|
|
#define SSH1_CMSG_AUTH_RHOSTS_RSA 35 /* 0x23 */
|
|
|
|
#define SSH1_MSG_DEBUG 36 /* 0x24 */
|
|
|
|
#define SSH1_CMSG_REQUEST_COMPRESSION 37 /* 0x25 */
|
|
|
|
#define SSH1_CMSG_AUTH_TIS 39 /* 0x27 */
|
|
|
|
#define SSH1_SMSG_AUTH_TIS_CHALLENGE 40 /* 0x28 */
|
|
|
|
#define SSH1_CMSG_AUTH_TIS_RESPONSE 41 /* 0x29 */
|
|
|
|
#define SSH1_CMSG_AUTH_CCARD 70 /* 0x46 */
|
|
|
|
#define SSH1_SMSG_AUTH_CCARD_CHALLENGE 71 /* 0x47 */
|
|
|
|
#define SSH1_CMSG_AUTH_CCARD_RESPONSE 72 /* 0x48 */
|
|
|
|
|
|
|
|
#define SSH1_AUTH_RHOSTS 1 /* 0x1 */
|
|
|
|
#define SSH1_AUTH_RSA 2 /* 0x2 */
|
|
|
|
#define SSH1_AUTH_PASSWORD 3 /* 0x3 */
|
|
|
|
#define SSH1_AUTH_RHOSTS_RSA 4 /* 0x4 */
|
|
|
|
#define SSH1_AUTH_TIS 5 /* 0x5 */
|
|
|
|
#define SSH1_AUTH_CCARD 16 /* 0x10 */
|
|
|
|
|
|
|
|
#define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */
|
|
|
|
/* Mask for protoflags we will echo back to server if seen */
|
|
|
|
#define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* SSH-2 message type codes.
|
|
|
|
*/
|
|
|
|
#define SSH2_MSG_DISCONNECT 1 /* 0x1 */
|
|
|
|
#define SSH2_MSG_IGNORE 2 /* 0x2 */
|
|
|
|
#define SSH2_MSG_UNIMPLEMENTED 3 /* 0x3 */
|
|
|
|
#define SSH2_MSG_DEBUG 4 /* 0x4 */
|
|
|
|
#define SSH2_MSG_SERVICE_REQUEST 5 /* 0x5 */
|
|
|
|
#define SSH2_MSG_SERVICE_ACCEPT 6 /* 0x6 */
|
|
|
|
#define SSH2_MSG_KEXINIT 20 /* 0x14 */
|
|
|
|
#define SSH2_MSG_NEWKEYS 21 /* 0x15 */
|
|
|
|
#define SSH2_MSG_KEXDH_INIT 30 /* 0x1e */
|
|
|
|
#define SSH2_MSG_KEXDH_REPLY 31 /* 0x1f */
|
2015-04-25 09:46:53 +00:00
|
|
|
#define SSH2_MSG_KEX_DH_GEX_REQUEST_OLD 30 /* 0x1e */
|
2015-04-27 05:54:21 +00:00
|
|
|
#define SSH2_MSG_KEX_DH_GEX_REQUEST 34 /* 0x22 */
|
2013-11-17 14:03:29 +00:00
|
|
|
#define SSH2_MSG_KEX_DH_GEX_GROUP 31 /* 0x1f */
|
|
|
|
#define SSH2_MSG_KEX_DH_GEX_INIT 32 /* 0x20 */
|
|
|
|
#define SSH2_MSG_KEX_DH_GEX_REPLY 33 /* 0x21 */
|
Support GSS key exchange, for Kerberos 5 only.
This is a heavily edited (by me) version of a patch originally due to
Nico Williams and Viktor Dukhovni. Their comments:
* Don't delegate credentials when rekeying unless there's a new TGT
or the old service ticket is nearly expired.
* Check for the above conditions more frequently (every two minutes
by default) and rekey when we would delegate credentials.
* Do not rekey with very short service ticket lifetimes; some GSSAPI
libraries may lose the race to use an almost expired ticket. Adjust
the timing of rekey checks to try to avoid this possibility.
My further comments:
The most interesting thing about this patch to me is that the use of
GSS key exchange causes a switch over to a completely different model
of what host keys are for. This comes from RFC 4462 section 2.1: the
basic idea is that when your session is mostly bidirectionally
authenticated by the GSSAPI exchanges happening in initial kex and
every rekey, host keys become more or less vestigial, and their
remaining purpose is to allow a rekey to happen if the requirements of
the SSH protocol demand it at an awkward moment when the GSS
credentials are not currently available (e.g. timed out and haven't
been renewed yet). As such, there's no need for host keys to be
_permanent_ or to be a reliable identifier of a particular host, and
RFC 4462 allows for the possibility that they might be purely
transient and only for this kind of emergency fallback purpose.
Therefore, once PuTTY has done a GSS key exchange, it disconnects
itself completely from the permanent host key cache functions in
storage.h, and instead switches to a _transient_ host key cache stored
in memory with the lifetime of just that SSH session. That cache is
populated with keys received from the server as a side effect of GSS
kex (via the optional SSH2_MSG_KEXGSS_HOSTKEY message), and used if
later in the session we have to fall back to a non-GSS key exchange.
However, in practice servers we've tested against do not send a host
key in that way, so we also have a fallback method of populating the
transient cache by triggering an immediate non-GSS rekey straight
after userauth (reusing the code path we also use to turn on OpenSSH
delayed encryption without the race condition).
2018-04-26 06:18:59 +00:00
|
|
|
#define SSH2_MSG_KEXGSS_INIT 30 /* 0x1e */
|
|
|
|
#define SSH2_MSG_KEXGSS_CONTINUE 31 /* 0x1f */
|
|
|
|
#define SSH2_MSG_KEXGSS_COMPLETE 32 /* 0x20 */
|
|
|
|
#define SSH2_MSG_KEXGSS_HOSTKEY 33 /* 0x21 */
|
|
|
|
#define SSH2_MSG_KEXGSS_ERROR 34 /* 0x22 */
|
|
|
|
#define SSH2_MSG_KEXGSS_GROUPREQ 40 /* 0x28 */
|
|
|
|
#define SSH2_MSG_KEXGSS_GROUP 41 /* 0x29 */
|
2013-11-17 14:03:29 +00:00
|
|
|
#define SSH2_MSG_KEXRSA_PUBKEY 30 /* 0x1e */
|
|
|
|
#define SSH2_MSG_KEXRSA_SECRET 31 /* 0x1f */
|
|
|
|
#define SSH2_MSG_KEXRSA_DONE 32 /* 0x20 */
|
2014-11-01 09:45:20 +00:00
|
|
|
#define SSH2_MSG_KEX_ECDH_INIT 30 /* 0x1e */
|
|
|
|
#define SSH2_MSG_KEX_ECDH_REPLY 31 /* 0x1f */
|
|
|
|
#define SSH2_MSG_KEX_ECMQV_INIT 30 /* 0x1e */
|
|
|
|
#define SSH2_MSG_KEX_ECMQV_REPLY 31 /* 0x1f */
|
2013-11-17 14:03:29 +00:00
|
|
|
#define SSH2_MSG_USERAUTH_REQUEST 50 /* 0x32 */
|
|
|
|
#define SSH2_MSG_USERAUTH_FAILURE 51 /* 0x33 */
|
|
|
|
#define SSH2_MSG_USERAUTH_SUCCESS 52 /* 0x34 */
|
|
|
|
#define SSH2_MSG_USERAUTH_BANNER 53 /* 0x35 */
|
|
|
|
#define SSH2_MSG_USERAUTH_PK_OK 60 /* 0x3c */
|
|
|
|
#define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 /* 0x3c */
|
|
|
|
#define SSH2_MSG_USERAUTH_INFO_REQUEST 60 /* 0x3c */
|
|
|
|
#define SSH2_MSG_USERAUTH_INFO_RESPONSE 61 /* 0x3d */
|
|
|
|
#define SSH2_MSG_GLOBAL_REQUEST 80 /* 0x50 */
|
|
|
|
#define SSH2_MSG_REQUEST_SUCCESS 81 /* 0x51 */
|
|
|
|
#define SSH2_MSG_REQUEST_FAILURE 82 /* 0x52 */
|
|
|
|
#define SSH2_MSG_CHANNEL_OPEN 90 /* 0x5a */
|
|
|
|
#define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION 91 /* 0x5b */
|
|
|
|
#define SSH2_MSG_CHANNEL_OPEN_FAILURE 92 /* 0x5c */
|
|
|
|
#define SSH2_MSG_CHANNEL_WINDOW_ADJUST 93 /* 0x5d */
|
|
|
|
#define SSH2_MSG_CHANNEL_DATA 94 /* 0x5e */
|
|
|
|
#define SSH2_MSG_CHANNEL_EXTENDED_DATA 95 /* 0x5f */
|
|
|
|
#define SSH2_MSG_CHANNEL_EOF 96 /* 0x60 */
|
|
|
|
#define SSH2_MSG_CHANNEL_CLOSE 97 /* 0x61 */
|
|
|
|
#define SSH2_MSG_CHANNEL_REQUEST 98 /* 0x62 */
|
|
|
|
#define SSH2_MSG_CHANNEL_SUCCESS 99 /* 0x63 */
|
|
|
|
#define SSH2_MSG_CHANNEL_FAILURE 100 /* 0x64 */
|
|
|
|
#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60
|
|
|
|
#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61
|
|
|
|
#define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63
|
|
|
|
#define SSH2_MSG_USERAUTH_GSSAPI_ERROR 64
|
|
|
|
#define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65
|
|
|
|
#define SSH2_MSG_USERAUTH_GSSAPI_MIC 66
|
|
|
|
|
Move binary packet protocols and censoring out of ssh.c.
sshbpp.h now defines a classoid that encapsulates both directions of
an SSH binary packet protocol - that is, a system for reading a
bufchain of incoming data and turning it into a stream of PktIn, and
another system for taking a PktOut and turning it into data on an
outgoing bufchain.
The state structure in each of those files contains everything that
used to be in the 'rdpkt2_state' structure and its friends, and also
quite a lot of bits and pieces like cipher and MAC states that used to
live in the main Ssh structure.
One minor effect of this layer separation is that I've had to extend
the packet dispatch table by one, because the BPP layer can no longer
directly trigger sending of SSH_MSG_UNIMPLEMENTED for a message too
short to have a type byte. Instead, I extend the PktIn type field to
use an out-of-range value to encode that, and the easiest way to make
that trigger an UNIMPLEMENTED message is to have the dispatch table
contain an entry for it.
(That's a system that may come in useful again - I was also wondering
about inventing a fake type code to indicate network EOF, so that that
could be propagated through the layers and be handled by whichever one
currently knew best how to respond.)
I've also moved the packet-censoring code into its own pair of files,
partly because I was going to want to do that anyway sooner or later,
and mostly because it's called from the BPP code, and the SSH-2
version in particular has to be called from both the main SSH-2 BPP
and the bare unencrypted protocol used for connection sharing. While I
was at it, I took the opportunity to merge the outgoing and incoming
censor functions, so that the parts that were common between them
(e.g. CHANNEL_DATA messages look the same in both directions) didn't
need to be repeated.
2018-06-09 08:09:10 +00:00
|
|
|
/* Virtual packet type, for packets too short to even have a type */
|
|
|
|
#define SSH_MSG_NO_TYPE_CODE 0x100
|
|
|
|
|
|
|
|
/* Given that virtual packet types exist, this is how big the dispatch
|
|
|
|
* table has to be */
|
|
|
|
#define SSH_MAX_MSG 0x101
|
|
|
|
|
2001-03-03 15:56:39 +00:00
|
|
|
/*
|
2005-03-10 16:36:05 +00:00
|
|
|
* SSH-1 agent messages.
|
2001-03-03 15:56:39 +00:00
|
|
|
*/
|
|
|
|
#define SSH1_AGENTC_REQUEST_RSA_IDENTITIES 1
|
|
|
|
#define SSH1_AGENT_RSA_IDENTITIES_ANSWER 2
|
|
|
|
#define SSH1_AGENTC_RSA_CHALLENGE 3
|
|
|
|
#define SSH1_AGENT_RSA_RESPONSE 4
|
|
|
|
#define SSH1_AGENTC_ADD_RSA_IDENTITY 7
|
|
|
|
#define SSH1_AGENTC_REMOVE_RSA_IDENTITY 8
|
2001-05-06 14:35:20 +00:00
|
|
|
#define SSH1_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9 /* openssh private? */
|
2001-03-03 15:56:39 +00:00
|
|
|
|
|
|
|
/*
|
2005-03-10 16:36:05 +00:00
|
|
|
* Messages common to SSH-1 and OpenSSH's SSH-2.
|
2001-03-03 15:56:39 +00:00
|
|
|
*/
|
|
|
|
#define SSH_AGENT_FAILURE 5
|
|
|
|
#define SSH_AGENT_SUCCESS 6
|
|
|
|
|
|
|
|
/*
|
2005-03-10 16:36:05 +00:00
|
|
|
* OpenSSH's SSH-2 agent messages.
|
2001-03-03 15:56:39 +00:00
|
|
|
*/
|
|
|
|
#define SSH2_AGENTC_REQUEST_IDENTITIES 11
|
|
|
|
#define SSH2_AGENT_IDENTITIES_ANSWER 12
|
|
|
|
#define SSH2_AGENTC_SIGN_REQUEST 13
|
|
|
|
#define SSH2_AGENT_SIGN_RESPONSE 14
|
|
|
|
#define SSH2_AGENTC_ADD_IDENTITY 17
|
|
|
|
#define SSH2_AGENTC_REMOVE_IDENTITY 18
|
|
|
|
#define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19
|
2001-11-25 14:31:46 +00:00
|
|
|
|
2013-11-17 14:03:29 +00:00
|
|
|
/*
|
|
|
|
* Assorted other SSH-related enumerations.
|
|
|
|
*/
|
|
|
|
#define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */
|
|
|
|
#define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */
|
|
|
|
#define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */
|
|
|
|
#define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */
|
|
|
|
#define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */
|
|
|
|
#define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */
|
|
|
|
#define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */
|
|
|
|
#define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */
|
|
|
|
#define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */
|
|
|
|
#define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */
|
|
|
|
#define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */
|
|
|
|
#define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */
|
|
|
|
#define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */
|
|
|
|
#define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */
|
|
|
|
#define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */
|
|
|
|
|
|
|
|
#define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */
|
|
|
|
#define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */
|
|
|
|
#define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */
|
|
|
|
#define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */
|
|
|
|
|
|
|
|
#define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */
|
|
|
|
|
2018-06-09 08:07:18 +00:00
|
|
|
const char *ssh1_pkt_type(int type);
|
|
|
|
const char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type);
|
|
|
|
|
2001-11-25 14:31:46 +00:00
|
|
|
/*
|
2005-03-10 16:36:05 +00:00
|
|
|
* Need this to warn about support for the original SSH-2 keyfile
|
2001-11-25 14:31:46 +00:00
|
|
|
* format.
|
|
|
|
*/
|
|
|
|
void old_keyfile_warning(void);
|
2018-09-19 16:59:38 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Flags indicating implementation bugs that we know how to mitigate
|
|
|
|
* if we think the other end has them.
|
|
|
|
*/
|
|
|
|
#define SSH_IMPL_BUG_LIST(X) \
|
|
|
|
X(BUG_CHOKES_ON_SSH1_IGNORE) \
|
|
|
|
X(BUG_SSH2_HMAC) \
|
|
|
|
X(BUG_NEEDS_SSH1_PLAIN_PASSWORD) \
|
|
|
|
X(BUG_CHOKES_ON_RSA) \
|
|
|
|
X(BUG_SSH2_RSA_PADDING) \
|
|
|
|
X(BUG_SSH2_DERIVEKEY) \
|
|
|
|
X(BUG_SSH2_REKEY) \
|
|
|
|
X(BUG_SSH2_PK_SESSIONID) \
|
|
|
|
X(BUG_SSH2_MAXPKT) \
|
|
|
|
X(BUG_CHOKES_ON_SSH2_IGNORE) \
|
|
|
|
X(BUG_CHOKES_ON_WINADJ) \
|
|
|
|
X(BUG_SENDS_LATE_REQUEST_REPLY) \
|
|
|
|
X(BUG_SSH2_OLDGEX) \
|
|
|
|
/* end of list */
|
|
|
|
#define TMP_DECLARE_LOG2_ENUM(thing) log2_##thing,
|
|
|
|
enum { SSH_IMPL_BUG_LIST(TMP_DECLARE_LOG2_ENUM) };
|
|
|
|
#undef TMP_DECLARE_LOG2_ENUM
|
|
|
|
#define TMP_DECLARE_REAL_ENUM(thing) thing = 1 << log2_##thing,
|
|
|
|
enum { SSH_IMPL_BUG_LIST(TMP_DECLARE_REAL_ENUM) };
|
|
|
|
#undef TMP_DECLARE_REAL_ENUM
|